User's Guide
AUTHENTICATION 
The authentication process begins with one of two local authentication procedures and may optionally include a remote authentication for additional security. A pre-authentication MAC address filter (Access Control List) can be used to prevent devices from making authentication attempts, but it is difficult to manage at scale, and MAC address substitution is supported on almost all wireless network interface cards (NICs).
Local authentication choices are open or shared key. Open system implies that any device may successfully authenticate after exchanging some basic information. Shared key requires that the device know the same static encryption keys as the Access Point. When the AP receives an authentication request from the device, it sends an unencrypted data message as a challenge. The device is required to encrypt the message with the known (shared) key and send it to the Access Point. If the AP is able to correctly decipher the encrypted message, the device is considered to have passed the local authentication process. Since an eavesdropper could intercept both the unencrypted and the encrypted message and derive the pseudorandom key stream, this authentication method is considered less secure than open system: an open system with encryption enabled does not perform that challenge exchange, and it still denies communication to devices that don’t know the correct key (they can’t decipher the data).
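The contrast drawn above, as an added example that is not part of the guide: a toy stream cipher (SHA-256 in counter mode over key || IV, an assumption made only so the code runs offline) stands in for the AP's cipher, and the two exchanges are modelled side by side. In the shared-key case the listener's XOR of the clear challenge and the encrypted reply equals the keystream used under that IV, which is exactly why the guide rates it below open system; in the open-system case no such pair is ever sent, and a station with the wrong key is caught when its first data frame fails the integrity check. All keys, IVs and payloads are constructed sample values.

```python
"""Shared-key vs. open-system authentication with encryption (added example; not from the guide).

A toy stream cipher stands in for the AP's real one: the keystream for a given
(key, iv) is derived from SHA-256 in counter mode, an assumption made only so
the example runs offline.  It demonstrates the text's point: shared-key
authentication puts a plaintext challenge and its encryption on the air, so a
passive listener obtains the keystream for that IV by XOR, whereas open system
with encryption enabled never exposes such a pair and still rejects stations
whose frames it cannot decipher.  Keys and data below are constructed samples.
"""
import hashlib
import os
import zlib


def keystream(key, iv, length):
    """Stand-in PRF: SHA-256(key || iv || counter) blocks concatenated and truncated."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key, iv, plaintext):
    """Stream-cipher encryption; decryption is the same operation."""
    return xor(plaintext, keystream(key, iv, len(plaintext)))


# --- shared-key authentication: the challenge/response the text describes ---

def ap_challenge():
    """AP sends a fresh 128-byte challenge in the clear (the 802.11 shared-key size)."""
    return os.urandom(128)


def station_response(station_key, challenge):
    """Station encrypts the challenge under its key with a chosen IV and sends IV + ciphertext."""
    iv = os.urandom(3)
    return iv, encrypt(station_key, iv, challenge)


def ap_verify(ap_key, challenge, iv, response):
    """AP deciphers with its own key; a match means the station holds the same key."""
    return encrypt(ap_key, iv, response) == challenge


def passive_listener_keystream(challenge, response):
    """What anyone who heard both frames learns: the keystream used under that IV."""
    return xor(challenge, response)


def shared_key_exchange(ap_key, station_key):
    """Run the exchange; return (authenticated, keystream recoverable from the air, iv)."""
    challenge = ap_challenge()
    iv, response = station_response(station_key, challenge)
    ok = ap_verify(ap_key, challenge, iv, response)
    return ok, passive_listener_keystream(challenge, response), iv


# --- open system with encryption enabled: no challenge, key proven only on data ---

def station_data_frame(station_key, payload):
    """Encrypt payload || CRC-32 integrity value (the WEP ICV layout) under a fresh IV."""
    iv = os.urandom(3)
    icv = zlib.crc32(payload).to_bytes(4, "big")
    return iv, encrypt(station_key, iv, payload + icv)


def ap_accept_frame(ap_key, iv, frame):
    """AP deciphers and checks the ICV; a wrong key yields garbage and a failed check."""
    clear = encrypt(ap_key, iv, frame)
    payload, icv = clear[:-4], clear[-4:]
    return zlib.crc32(payload).to_bytes(4, "big") == icv


def open_system_exchange(ap_key, station_key, payload=b"constructed data frame"):
    """Return (authenticated, first data frame accepted): authentication always succeeds."""
    authenticated = True  # open system: no key material is involved at this step
    iv, frame = station_data_frame(station_key, payload)
    return authenticated, ap_accept_frame(ap_key, iv, frame)


if __name__ == "__main__":
    key = b"constructed-key!"
    ok, leaked, iv = shared_key_exchange(key, key)
    print("shared key: authenticated", ok, "| keystream recovered from the air:",
          leaked == keystream(key, iv, 128))
    print("open system + encryption, right key:", open_system_exchange(key, key))
    print("open system + encryption, wrong key:", open_system_exchange(key, b"some-other-key!!"))
```

The integrity value is what lets the AP decide "can't decipher the data" without knowing the plaintext: with the wrong key the deciphered bytes are random and the CRC check fails, so the station is authenticated at the open-system step but gets no traffic through.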
Remote authentication provides additional network security by allowing credentials-based checks (username/password, certificate, smart card, etc.) to validate a device or user beyond a shared key.
Remote Authentication Protocol
Device <-- EAP --> Access Point <-- RADIUS (EAP encapsulation) --> RADIUS or AAA server
The remote authentication process begins after the device has locally authenticated and associated to the AP. The 5 typical EAP types are (in order of growing strength) MD5, LEAP, TLS, TTLS and PEAP. The EAP exchange occurs unencrypted but not unprotected, and the Access Point should only allow EAP traffic between the device and the network during this process. If remote authentication fails five times, the Access Point disassociates the device to prevent prolonged attacks (the device can associate again later). Authentications where a username/password is exchanged are more secure because the user, and not the device, is authenticated (a device could be stolen).
The Access Point translates some information contained in the EAP packet and generates a RADIUS packet (with EAP encapsulation type) to the RADIUS server. Credential information over the wire between the RADIUS server and the AP is protected by the RADIUS secret, which is used to hash the information in the RADIUS exchange. The RADIUS server must have an entry for the client (access point) and the device (user) or it will fail the request. Note: most Bluetooth Access Points currently support the standard RADIUS protocol, not EAP encapsulated in RADIUS (since Bluetooth devices don’t use EAP over the air).
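The AP-to-server leg described above, as an added example that is not from the guide or any vendor's code: a minimal RADIUS Access-Request/Accept exchange in which the shared secret protects the credentials in the two ways RFC 2865 specifies, hiding the User-Password attribute with chained MD5(secret || authenticator) blocks (section 5.2) and stamping every reply with a Response Authenticator computed as MD5 over the reply header, the request authenticator, the attributes and the secret (section 3). The server drops requests from an AP it has no entry for and rejects users it does not know, matching the "must have an entry for client and device" rule. Client addresses, secrets, usernames and passwords are constructed sample data; EAP encapsulation is left out and the plain User-Password form is used.

```python
"""Toy RADIUS exchange between an AP and a RADIUS server (added example; not from the guide).

Shows how the RADIUS secret protects the AP <-> server leg: the User-Password
attribute is hidden per RFC 2865 section 5.2 and each reply carries a Response
Authenticator per RFC 2865 section 3 that the AP checks before trusting an
Accept or Reject.  Clients, secrets and users below are constructed sample data.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def attr(atype, value):
    """One attribute as Type | Length | Value; Length counts the 2-byte header too."""
    return bytes([atype, 2 + len(value)]) + value


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: NUL-pad to 16-byte blocks, XOR each with MD5(secret || previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block  # chain on the ciphertext block just produced
    return out


def unhide_password(hidden, secret, request_auth):
    """Inverse of hide_password; the server strips the NUL padding afterwards."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ m for c, m in zip(block, mask)), block
    return out.rstrip(b"\x00")


def build_packet(code, ident, authenticator, attrs):
    """Code | Identifier | Length | Authenticator(16) | Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def ap_build_access_request(ident, username, password, secret):
    """AP side: fresh random Request Authenticator, which also keys the password hiding."""
    request_auth = os.urandom(16)
    attrs = attr(ATTR_USER_NAME, username) + attr(
        ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def radius_server(packet, client_ip, clients, users):
    """clients: AP address -> secret; users: username -> password.  None means silently dropped."""
    secret = clients.get(client_ip)
    if secret is None:
        return None  # no entry for this client (AP): RFC 2865 says discard without reply
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    username = attrs.get(ATTR_USER_NAME, b"")
    password = unhide_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    reply_code = ACCESS_ACCEPT if users.get(username) == password else ACCESS_REJECT
    reply_auth = response_authenticator(reply_code, ident, b"", request_auth, secret)
    return build_packet(reply_code, ident, reply_auth, b"")


def ap_check_reply(reply, request_auth, secret):
    """AP side: trust Accept/Reject only if the Response Authenticator verifies under our secret."""
    if reply is None:
        return "timeout"
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if reply[4:20] != response_authenticator(code, ident, reply[20:length], request_auth, secret):
        return "bad-authenticator"  # wrong secret or a forged reply: discard it
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "unknown")


def authenticate(client_ip, username, password, ap_secret, clients, users, ident=1):
    """Full round trip: AP builds the request, server answers, AP validates the answer."""
    request, request_auth = ap_build_access_request(ident, username, password, ap_secret)
    return ap_check_reply(radius_server(request, client_ip, clients, users), request_auth, ap_secret)


# Constructed sample data: one registered AP and one registered user.
CLIENTS = {"10.0.0.5": b"constructed-radius-secret"}
USERS = {b"alice": b"correct horse"}

if __name__ == "__main__":
    ok_secret = CLIENTS["10.0.0.5"]
    print(authenticate("10.0.0.5", b"alice", b"correct horse", ok_secret, CLIENTS, USERS))   # accept
    print(authenticate("10.0.0.5", b"alice", b"wrong", ok_secret, CLIENTS, USERS))           # reject
    print(authenticate("10.0.0.9", b"alice", b"correct horse", ok_secret, CLIENTS, USERS))   # timeout
    print(authenticate("10.0.0.5", b"alice", b"correct horse", b"mismatch", CLIENTS, USERS)) # bad-authenticator
```

The fourth case is the one worth noticing operationally: an AP configured with the wrong secret does not get a clean error. The server unhides the password into garbage and replies Reject, and the AP then discards that reply because the Response Authenticator does not verify, so the symptom is a timeout rather than an explicit secret mismatch.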