802.1X Authentication – Generation of Master Key

The 802.1X authentication mechanism is an upper-layer authentication mechanism and comprises a supplicant (802.11 Station), an Authenticator (Access Point) and an Authentication Server (e.g. RADIUS). Numerous methods of upper-layer authentication are specified in various RFCs. Some examples are provided below:

  1. EAP-TLS
  2. EAP-TTLS
  3. EAP-GTC
  4. PEAP-MSCHAPv2
  5. LEAP, etc.

The 802.1X mechanism involves the following steps:

  1. An EAP-Request/Identity is sent by the Authenticator (AP).
  2. An EAP-Response/Identity is sent by the 802.11 Station.
  3. The EAP-Response/Identity contains an identifier of the supplicant on the 802.11 Station.
  4. The Authenticator forwards the identity response from the 802.11 Station in a RADIUS Access-Request packet to the RADIUS server.
  5. The RADIUS server provides a list of EAP methods to the Authenticator in a RADIUS Access-Challenge.
  6. The Authenticator (AP) forwards the RADIUS Access-Challenge to the 802.11 Station as an EAP packet.
  7. If the 802.11 Station accepts the EAP method sent by the Authentication Server, further authentication proceeds.
  8. If the 802.11 Station does not accept the EAP methods sent by the Authentication Server, it sends a NAK message with a list of the EAP methods it supports.
  9. Both the Authentication Server and the 802.11 Station need to agree on a particular EAP method of authentication before exchanging the EAP handshake frames that lead to the generation of the Pairwise Master Key.
  10. At the end of the EAP handshake the AP and the 802.11 Station hold the Pairwise Master Key material.
  11. The last packet in the EAP handshake is an EAP Success message.

FIG: EAP authentication providing the Pair-wise Master Key for EAPOL handshake
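The steps above describe a small protocol: a framed EAP packet (Code, Identifier, Length, Type, Type-Data, as laid out in RFC 3748), an Identity round trip, a method proposal that the station either accepts or rejects with a NAK carrying its own supported list, and a final Success or Failure. The following is an added example written for this page, not code from the original article or from any vendor's supplicant; it builds the EAP packet codec, plays both the Authentication Server and the 802.11 Station side of the negotiation (including the NAK path of step 8 and the failure case where the two sides share no method), and finishes with the step 10 relationship between the EAP Master Session Key and the Pairwise Master Key as IEEE 802.11 defines it (PMK = first 256 bits of the MSK). The class and function names (`EapPacket`, `Supplicant`, `run_eap_exchange`, `pmk_from_msk`), the identity string and the sample MSK are constructed for the example; the method-specific handshake inside each EAP method is not modelled, so the "accept" Response carries no Type-Data.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# EAP header codes (RFC 3748) and method Type numbers from the IANA EAP registry
CODE_REQUEST, CODE_RESPONSE, CODE_SUCCESS, CODE_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_NAK = 1, 3
TYPE_EAP_TLS, TYPE_EAP_TTLS, TYPE_PEAP = 13, 21, 25


@dataclass
class EapPacket:
    """One EAP packet: Code | Identifier | Length | [Type | Type-Data]."""
    code: int
    identifier: int
    type: Optional[int] = None   # Success/Failure carry no Type field
    data: bytes = b""

    def encode(self) -> bytes:
        body = b"" if self.type is None else bytes([self.type]) + self.data
        return struct.pack("!BBH", self.code, self.identifier, 4 + len(body)) + body

    @classmethod
    def decode(cls, raw: bytes) -> "EapPacket":
        if len(raw) < 4:
            raise ValueError("truncated EAP header")
        code, ident, length = struct.unpack("!BBH", raw[:4])
        if length < 4 or length > len(raw):
            raise ValueError("EAP Length field inconsistent with packet")
        raw = raw[:length]                      # bytes past Length are padding
        if code in (CODE_SUCCESS, CODE_FAILURE):
            return cls(code, ident)
        if length < 5:
            raise ValueError("Request/Response must carry a Type")
        return cls(code, ident, raw[4], raw[5:])


class Supplicant:
    """802.11 Station side: answers Identity requests, accepts or NAKs methods."""

    def __init__(self, identity: str, methods: list[int]):
        self.identity = identity
        self.methods = methods          # supported methods, most preferred first

    def respond(self, req: EapPacket) -> EapPacket:
        if req.code != CODE_REQUEST:
            raise ValueError("supplicant only answers EAP Requests")
        if req.type == TYPE_IDENTITY:               # steps 2 and 3
            return EapPacket(CODE_RESPONSE, req.identifier, TYPE_IDENTITY,
                             self.identity.encode())
        if req.type in self.methods:                # step 7: accept the method
            return EapPacket(CODE_RESPONSE, req.identifier, req.type, b"")
        # step 8: NAK listing the methods this station does support
        return EapPacket(CODE_RESPONSE, req.identifier, TYPE_NAK, bytes(self.methods))


def run_eap_exchange(server_methods: list[int], supplicant: Supplicant):
    """Authentication Server side. Returns (transcript, agreed method or None)."""
    transcript: list[EapPacket] = []

    def send(req: EapPacket) -> EapPacket:
        transcript.append(req)
        # encode/decode round trip stands in for the AP relaying the bytes (steps 4, 6)
        resp = EapPacket.decode(supplicant.respond(EapPacket.decode(req.encode())).encode())
        transcript.append(resp)
        if resp.code != CODE_RESPONSE or resp.identifier != req.identifier:
            raise ValueError("Response does not match the outstanding Request")
        return resp

    ident = 1
    resp = send(EapPacket(CODE_REQUEST, ident, TYPE_IDENTITY))   # step 1
    if resp.type != TYPE_IDENTITY:
        transcript.append(EapPacket(CODE_FAILURE, ident))
        return transcript, None

    candidates = list(server_methods)       # step 5: the server's method list
    while candidates:
        ident += 1
        method = candidates.pop(0)
        resp = send(EapPacket(CODE_REQUEST, ident, method))
        if resp.type == method:                                  # step 9: agreed
            transcript.append(EapPacket(CODE_SUCCESS, ident))    # step 11
            return transcript, method
        if resp.type != TYPE_NAK:
            break
        # after a NAK keep only methods both sides support, in the station's order
        candidates = [t for t in resp.data if t in server_methods]
    transcript.append(EapPacket(CODE_FAILURE, ident))
    return transcript, None


def pmk_from_msk(msk: bytes) -> bytes:
    """Step 10: IEEE 802.11 takes the PMK as the first 256 bits of the EAP MSK."""
    if len(msk) < 64:
        raise ValueError("EAP methods export a 64-byte MSK")
    return msk[:32]


if __name__ == "__main__":
    # Constructed scenario: the AS prefers EAP-TTLS, the station only does EAP-TLS/PEAP
    sta = Supplicant("alice@example.org", [TYPE_EAP_TLS, TYPE_PEAP])
    log, agreed = run_eap_exchange([TYPE_EAP_TTLS, TYPE_EAP_TLS], sta)
    for pkt in log:
        print(pkt.code, pkt.identifier, pkt.type, pkt.data)
    print("agreed method:", agreed)
```

Running the script prints the seven packets of the negotiation: Request/Identity, Response/Identity, a Request for EAP-TTLS, the station's NAK listing types 13 and 25, a Request for EAP-TLS, its acceptance, and the closing Success. The Identifier check in `send` is the detail worth keeping in a real implementation: a Response whose Identifier does not match the outstanding Request must be discarded, otherwise a stale or injected Response could be matched against the wrong round.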

Pre-Shared Key Mechanism – Generation of Master Key
