The reader can understand the association mechanism between a WLAN station and Access point for 802.1X authentication here — <Wireless Capture Example – EAP Handshake – Part 1> and the EAP exchange mechanism in 802.1X here — <Wireless Capture Example – EAP Handshake – Part 2>.
The final phase of the 802.1X authentication mechanism is the 4-way EAPOL handshake. At the end of the EAP exchange, the WLAN station and the Access Point both have the Pairwise Master Key Material. The 4-way EAPOL handshake is the same as in the PSK mechanism and is shown below
- EAPOL Message 1 – The Access Point sends the AP Nonce (ANonce) to the wireless LAN station
- EAPOL Message 2 – The Station after receipt of the ANonce has all the material to generate the PTK at its end. it computes the keys and responds to the Access Point with the Station Nonce (SNonce) and a MIC value computed over the EAPOL frame. The WPA Key data is the WPA information element added to the EAPOL frame
- EAPOL Message 3 -The Access Point on receipt of the SNonce computes the keys at its end, verifies the MIC and responds to the WLAN station with the Group Temporal Key and receive sequence counter for Group Temporal key. The “install Key bit” and “Key ACK bit” is set and a MIC computed over the EAPOL frame is sent to the WLAN Station
- EAPOL Message 4 – The Station finally sends message 4 with a MIC calculation. The WLAN station contains the relevant keys at this juncture and can configure the keys to its hardware. The Access Point on receipt of the EAPOL Message 4 computes the MIC and verifies it. If the MIC calculation succeeds – it goes ahead and installs the key
- At any point during the EAPOL frame exchange if the MIC verification fails – the EAPOL frame is discarded and the station is disassociated from the Access Point.
In addition to the introduction of WPA/WPA2 authentication mechanisms to improve user authentication, the encryption mechanisms were also upgraded in the 802.11i specification. TKIP encryption was introduced as an intermediate encryption mechanism to address WEp fallacies. AES Encryption mechanism was introduced as a Robust Security network encryption scheme. Further articles look into both these mechanisms