2. THE AUTHENTICATION PROCESS - WIRELESS
This section provides an overview of the components and the processes involved in establishing 802.11 wireless connections to 802.1X authenticating infrastructure networks.
Volvo IT
3. Association with the Wireless AP and Link-Layer Authentication
When a wireless network adapter is turned on, it begins to scan across the wireless
frequencies (spectrum) for wireless APs and other wireless clients. Scanning is an active
process in which the wireless adapter sends Probe-Request frames on all channels of the
ISM frequency range and listens for the Probe-Response frames sent by wireless APs and
other wireless clients. After scanning, Windows instructs the wireless adapter to connect to a
network, based on the configured preferences.
This choice is made automatically by using the SSID of a known or preferred wireless
network and the wireless AP with the best signal strength (the highest signal-to-noise ratio).
Next, the wireless client negotiates the use of a logical wireless port with the chosen wireless
AP. This process is known as association.
The wireless client’s configuration settings determine whether the wireless client prefers to
connect with infrastructure or ad-hoc mode networks. By default, a wireless client running
Windows Vista, Windows XP, or Windows Server 2003 prefers infrastructure mode wireless
networks over ad-hoc mode wireless networks. If the signal strength of the wireless AP is too
low, if the error rate is too high, or if instructed by the operating system, the wireless client
scans for other wireless APs to determine whether a different wireless AP can provide a
stronger signal to the same wireless network. If so, the wireless client negotiates a
connection with that wireless AP. This process is known as roaming.
4. 802.1x Authentication Phases - Wireless
1. Scanning
2. Association
3. Access Request
4. EAP
5. Authentication
6. Authorization
7. Access-Accept
8. 802.1X Controlled Port
9. DHCP Address Request
10. Group Policy Applied
11. Network Access
5. Phase 1: Scanning
The client scans for an AP using a Probe Request.
6. Phase 2: Association
The client associates with the AP:
– The AP registers the client’s MAC address and assigns a
unique virtual port that is mapped to that MAC address.
– The client registers the MAC address of the AP as the only
device with which it is permitted to associate (until such time that
it disassociates and then reassociates with another AP or
wireless device).
7. Phase 3: Access Request
Using its 802.1X uncontrolled port, the AP forwards a RADIUS
Access-Request message to the RADIUS (IAS) server.
Note
TCP/IP frames generated by the wireless client can only be
sent to the network through the controlled port.
The client cannot send frames using the controlled port until it
is authenticated and authorized.
9. Phase 4: EAP
If the server running IAS does not reject the Access-Request, the
EAP authentication method is negotiated between the client and
IAS.
After the negotiation is complete, the AP forwards messages
between the client and the server running IAS.
Note
There are many EAP authentication types.
Both EAP-TLS and PEAP-MS-CHAPv2 are supported natively in
Windows Server 2003, Windows XP, and Windows Vista.
Note
When PEAP is used, a TLS session is first created between the access
client and the server running IAS; authentication then occurs through
the secure TLS session.
10. Phase 5: Authentication
After the EAP authentication method is agreed upon between the client and IAS, the server
running IAS sends its server certificate chain to the client computer as proof of identity.
The client computer uses the IAS server certificate to authenticate the server running IAS.
Successful PEAP-MS-CHAPv2 authentication requires that the client trusts the server
running IAS after validating the IAS server certificate chain.
For the client to trust the server running IAS, the root CA certificate of the issuing CA of the
server certificate must be installed in the Trusted Root Certification Authorities certificate store
on the client computer.
After the client authenticates the server, the client sends password-based user credentials
to the server running IAS, which verifies the client credentials against the user accounts
database in Active Directory.
– If the credentials are not valid, IAS sends an Access-Reject message to the AP in
response to the connection request.
– If the credentials are valid, the server running IAS proceeds to the Authorization phase.
11. Phase 6: Authorization
The server running IAS performs authorization, as follows:
a. IAS checks the user or computer account's dial-in properties
in Active Directory.
b. IAS then attempts to find a remote access policy that
matches the connection request.
If a matching remote access policy is found, IAS authorizes
the connection request based on that policy.
12. Phase 7: Access-Accept
If the authorization is successful, IAS sends the AP an Access-Accept message.
If authorization is not successful, IAS sends an Access-Reject
message.
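The RADIUS exchange behind Phases 3 and 7, as an added example that is not part of the original slides: the AP builds an Access-Request with a random Request Authenticator, and the server's Access-Accept or Access-Reject carries a Response Authenticator computed over the request authenticator and the shared secret (RFC 2865). The AP-side check shows why a reply that does not prove knowledge of the secret, or that is not an Access-Accept, must not open the controlled port. The shared secret, user name and station identifier are constructed demo values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
SHARED_SECRET = b"demo-shared-secret"  # constructed; use a long random per-AP secret in practice


def attr(type_code: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value (RFC 2865 section 5)."""
    return struct.pack("!BB", type_code, len(value) + 2) + value


def access_request(ident: int, user: str, station: str) -> tuple[bytes, bytes]:
    """AP side (Phase 3): build an Access-Request; returns (packet, Request Authenticator)."""
    req_auth = os.urandom(16)                        # fresh random value per request
    attrs = attr(1, user.encode())                   # User-Name taken from the EAP identity
    attrs += attr(30, station.encode())              # Called-Station-Id: AP MAC:SSID
    attrs += attr(61, struct.pack("!I", 19))         # NAS-Port-Type 19 = Wireless-802.11
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs, req_auth


def reply(code: int, ident: int, req_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Server side (Phase 7): authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_reply(packet: bytes, req_auth: bytes, secret: bytes, expected_id: int) -> bool:
    """AP side: open the controlled port only for an Access-Accept whose authenticator checks out."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if ident != expected_id or length != len(packet):
        return False
    attrs = packet[20:length]
    expected = hashlib.md5(packet[:4] + req_auth + attrs + secret).digest()
    return hmac.compare_digest(packet[4:20], expected) and code == ACCESS_ACCEPT


def demo() -> tuple[bool, bool, bool]:
    """Genuine Access-Accept, Accept built with the wrong secret, genuine Access-Reject."""
    _req, req_auth = access_request(7, "alice@corp.example", "00-11-22-33-44-55:corp-wlan")
    policy = attr(11, b"corp-wlan-policy")           # Filter-Id set by the matched policy
    good = reply(ACCESS_ACCEPT, 7, req_auth, policy, SHARED_SECRET)
    wrong_secret = reply(ACCESS_ACCEPT, 7, req_auth, policy, b"other-secret")
    rejected = reply(ACCESS_REJECT, 7, req_auth, b"", SHARED_SECRET)
    return (verify_reply(good, req_auth, SHARED_SECRET, 7),
            verify_reply(wrong_secret, req_auth, SHARED_SECRET, 7),
            verify_reply(rejected, req_auth, SHARED_SECRET, 7))  # (True, False, False)
```

Calling `demo()` returns `(True, False, False)`; only the first reply would lead the AP to enable the controlled port in Phase 8.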
14. Phase 8: 802.1X Controlled Port
As part of authentication, 802.1X dynamically generates session
keys from which it further derives encryption keys to secure the
wireless connection.
The encryption keys are configured on both the wireless AP and
the client; all subsequent data traffic is protected.
The wireless AP enables the controlled port;
traffic from the wireless client is allowed to traverse the port.
15. Phase 9: DHCP Address Request
The client sends a DHCP address request through the 802.1X
controlled port to the network.
If a DHCP server responds, the client obtains an IP address.
16. Phase 10: Group Policy Applied
If configured, updated Group Policy is applied on the client during
the domain logon operation;
this includes the Wireless Network (IEEE 802.11) Policies
Group Policy extension.
Note
For computers already configured with Wireless Network (IEEE 802.11) Policies, Group
Policy is applied when the computer is started, and whenever an updated policy is
downloaded.
If Group Policy is updated on the server while the computer is turned off, the last known
policy (which might be stale) is immediately applied when the computer is started.
If the 802.1X settings on the computer enable IAS to authorize the computer for network
access, updated policies are downloaded and applied when the computer connects to
the network, prior to user authentication.
If 802.1X settings on the computer cannot enable IAS to authorize the computer for
network access at startup, then application of updated policies occurs immediately after
user authentication.
17. Phase 11: Network Access
The client is able to access network resources, contingent upon
any applied restrictions.