Application of IEEE 802.1X in HiperLAN type 2

Master's Thesis, 2001, 105 Pages

Author: Amleset Kelati

Computer Science - Internet, New Technologies
Research in information technology has accelerated tremendously in recent years, mainly because the related technology has become cheaper and users' interest has consequently grown strongly. This creates a positive feedback loop: many companies decide to invest more money in the area, which further reduces prices and accelerates the process.

One of the major themes in this race has been the concept “Be connected always and everywhere”, which has translated into increased development of public networks on one side and further growth of large corporate networks on the other. The common factors of these two areas are mobility, which implies wireless networks, and availability of services, which also means access to more or less important information.

Increased size, mobility and availability of services on ever larger networks tremendously increase the importance of data security. Trust, authentication, and authorization have become vital keywords in the design of large mobile networks.

IEEE 802.1X, also known as “Port Based Network Access Control”, is a means of providing authentication and authorization for large networks that allow many devices to attach to them and make their services available to those devices.

Excerpt


Table of Contents

1 INTRODUCTION

1.1 WIRELESS LANS

1.2 SECURITY

1.3 METHODOLOGY AND ACHIEVED RESULTS FOR THE THESIS WORK

1.4 TYPICAL OPERATIONAL ENVIRONMENT

2 HIPERLAN 2

2.1 OVERVIEW

2.2 PROTOCOL ARCHITECTURE

2.2.1 The Physical layer

2.2.2 The DLC layer: basic data transport function

2.2.3 The DLC layer: RLC sublayer

2.2.4 The packet based convergence layer

2.3 HIPERLAN 2 SECURITY FEATURES

2.3.1 Key exchange

2.3.2 Encryption

2.3.3 Authentication

3 IEEE 802.1X

3.1 GENERAL CONCEPTS AND ARCHITECTURAL FRAMEWORK

3.2 PACKET FORMAT AND PROTOCOL EXCHANGE

3.3 IMPLEMENTATION ISSUES

3.4 DEPLOYMENT OF IEEE 802.1X IN WIRELESS LANS

4 EAP

4.1 EAP-TLS

4.2 EAP-GSS AND OTHER EXTENSIONS

5 RADIUS

5.1 RADIUS’S GENERAL FEATURES

5.2 BASIC OPERATIONS

5.3 RADIUS PACKETS

5.4 RADIUS ATTRIBUTES

5.4.1 User related attributes

5.4.2 NAS related attributes

5.4.3 Service related attributes

5.4.4 Session specific attributes

5.5 RADIUS EAP EXTENSIONS

5.5.1 EAP-Message

5.5.2 Message-Authenticator

5.6 RADIUS AND IEEE 802.1X

6 ANALYSIS METHODOLOGY

6.1 THE PROTOCOLS

6.2 THE OPERATION

6.3 THE PROTOCOL EXCHANGE AND THE AUTHENTICATION METHODS

6.4 THE SOFTWARE REQUIREMENTS

6.5 WHY IEEE 802.1X AND HIPERLAN/2

7 IEEE 802.1X AND HIPERLAN/2: THE PROTOCOLS

7.1 IEEE 802.1X AS A PART OF THE HL/2 PROTOCOL ARCHITECTURE

7.2 INTERACTION BETWEEN THE HL/2 AND IEEE 802.1X

7.2.1 First Step: basic assumptions

7.2.2 Second step: interface to the protocols

7.2.3 Third step: using LLC

7.2.4 Fourth step: completing the model

7.2.5 Complete model

8 IEEE 802.1X AND HIPERLAN/2: THE OPERATION

8.1 THE ASSOCIATION PROCEDURE

8.2 THE CONTROLLED AND UNCONTROLLED PORT

8.2.1 Management operations

8.2.2 Solution

9 IEEE 802.1X AND HIPERLAN/2: PROTOCOL EXCHANGE AND AUTHENTICATION METHODS

9.1 AUTHENTICATION METHODS: BASIC ISSUES

9.1.1 Challenge-response

9.1.2 Mutual authentication

9.2 BASIC AUTHENTICATION SCHEMAS

9.2.1 Strong participation of the authenticator

9.2.2 Less participation of the authenticator

9.2.3 Minimal participation of the authenticator

9.3 AUTHENTICATION EXCHANGE

9.4 A CERTIFICATE-BASED AUTHENTICATION METHOD: A MODEST PROPOSAL

9.4.1 The protocol exchange

9.4.2 The format of the EAP packet

9.4.3 Issues

10 THE SOFTWARE REQUIREMENTS AND ARCHITECTURE

10.1 GENERAL ISSUES

10.2 SOFTWARE ARCHITECTURE ON THE MT-SIDE

10.2.1 A simple software architecture for the MT

10.2.2 A complete architecture for the MT

10.3 SOFTWARE ARCHITECTURE ON THE AP-SIDE

11 THE IMPLEMENTATION

11.1 BASIC FEATURES OF THE PROTOTYPE

11.2 THE MT-SIDE IMPLEMENTATION

11.3 THE AP-SIDE IMPLEMENTATION

12 TESTING

12.1 THE TESTBED

12.2 THE TESTING METHODOLOGY AND RESULTS

12.2.1 The RADIUS communication

12.2.2 Communication between supplicant and authenticator

12.2.3 Testing of the state machines

12.2.4 Testing results: summary

13 CONCLUSIONS AND FINAL REMARKS

13.1 SUMMARY

13.2 ACHIEVED RESULTS

13.3 FUTURE WORK

Research Objectives & Topics

The primary objective of this thesis is to analyze the IEEE 802.1X authentication standard and investigate its integration into HIPERLAN type 2 (HIPERLAN/2) wireless networks. The research aims to design a solution for integrating these standards, address implementation challenges, and develop a working prototype for validation.

  • Analysis of IEEE 802.1X and HIPERLAN/2 protocol standards.
  • Methodological approach for the integration of link-layer authentication in wireless LANs.
  • Design of software architectures for Mobile Terminals (MT) and Access Points (AP).
  • Implementation and testing of a basic IEEE 802.1X prototype.

Excerpt from the Book

1.2 Security

Security has become a very important issue. One consequence is that many existing protocols that were not originally endowed with security facilities have now been extended with further protocol layers and add-ons so that they can be used in hostile environments. The expansion of open networks, such as the Internet, exposes data communications to more threats; the probability of an attack grows as the importance and the amount of data travelling on networks increase.

Security is today mainly perceived as a feature with which to endow higher-level protocols, although it is sometimes required to protect communication at the lower level. Security services in high-level protocols imply greater awareness on the part of the user and the need to adapt applications. On the other hand, a finer granularity can be obtained, down to protecting data on a per-document basis, thus adapting the cost of the security algorithm to the actual value of the data being transmitted. Furthermore, protection is ensured from source to destination, giving end-to-end protection.

IEEE 802.1X, which is one of the main topics of this thesis, defines a protocol to achieve authentication before allowing access to network services. The authentication occurs at the first point of attachment to a LAN and not somewhere in its core. This has implications in terms of increased security, reduced complexity, greater scalability and availability.

Security is a common and very important issue for wireless LANs; users perceive a connection without wires as particularly insecure, although the real difference from normal wired networks lies at the physical layer. As previously hinted, the medium through which a WLAN sends data is the air, which means that it has no defined boundaries and is unprotected from outside signals. These features lead essentially to two kinds of attack that are typical of the wireless medium. Eavesdropping is a passive attack that consists of listening to the communication taking place on the medium. Because the wireless medium has no real boundaries, this attack can easily be performed with a transceiver able to correctly demodulate the signals being transmitted on the network.

Summary of Chapters

1 INTRODUCTION: Provides a general overview of wireless LANs, security topics, and the specific methodology and environment for the thesis project.

2 HIPERLAN 2: Illustrates basic concepts of the HIPERLAN 2 standard, including protocol architecture and security features.

3 IEEE 802.1X: Details the IEEE 802.1X Port Based Network Access Control standard, focusing on its architectural framework and deployment.

4 EAP: Discusses the Extensible Authentication Protocol (EAP) and its fundamental extensions like EAP-TLS and EAP-GSS.

5 RADIUS: Describes the RADIUS protocol, its operations, attributes, and its critical role in EAP-supported authentication.

6 ANALYSIS METHODOLOGY: Outlines the methodological aspects considered for integrating IEEE 802.1X and HIPERLAN/2.

7 IEEE 802.1X AND HIPERLAN/2: THE PROTOCOLS: Analyzes the theoretical interaction between the two protocols at the architecture level.

8 IEEE 802.1X AND HIPERLAN/2: THE OPERATION: Explores operational modifications required for the association procedure and port control.

9 IEEE 802.1X AND HIPERLAN/2: PROTOCOL EXCHANGE AND AUTHENTICATION METHODS: Examines authentication exchanges and proposes a certificate-based method.

10 THE SOFTWARE REQUIREMENTS AND ARCHITECTURE: Defines the requirements for the software modules and proposes architectures for MTs and APs.

11 THE IMPLEMENTATION: Describes the development of the prototype, including its components and Windows-based implementation details.

12 TESTING: Details the testing methodology, the experimental testbed setup, and summaries of the results.

13 CONCLUSIONS AND FINAL REMARKS: Summarizes the thesis work, highlights achieved results, and provides suggestions for future research.

Keywords

IEEE 802.1X, HIPERLAN/2, Network Security, Port Based Network Access Control, EAP, RADIUS, Wireless LAN, Authentication, Authorization, Protocol Integration, Software Architecture, Prototype Development, Mobile Terminal, Access Point, Data Security

Frequently Asked Questions

What is the core focus of this master thesis?

The thesis focuses on the integration of the IEEE 802.1X authentication standard into HIPERLAN/2-based wireless local area networks to enhance security and access control.

Which standards and protocols are central to this research?

The research primarily centers on the IEEE 802.1X standard for port-based access control, the HIPERLAN/2 wireless standard, the Extensible Authentication Protocol (EAP), and the RADIUS authentication protocol.

What is the primary research goal?

The main goal is to propose a model for integrating IEEE 802.1X into a HIPERLAN/2 network environment to perform secure authentication and access control, followed by designing and testing a functional prototype.

What scientific methodology was applied?

The study utilized an analytical approach to evaluate protocol compatibility, followed by designing specific software architectures for Mobile Terminals and Access Points and implementing a proof-of-concept prototype in a Windows environment.

What topics are covered in the main section?

The main part covers the theoretical analysis of protocols, the integration methodology, software requirements, the design of the authentication exchange, and the practical implementation and testing of the IEEE 802.1X prototype.

Which keywords define this work?

Key terms include IEEE 802.1X, HIPERLAN/2, network security, EAP, RADIUS, wireless LAN, and authentication.

Why is IEEE 802.1X preferred for centralization?

IEEE 802.1X allows for the centralization of the authentication function, which relieves the Access Points of intensive computation and enables policy-based decisions via a centralized Authentication Server.

What are the challenges of using EAP-TLS in wireless networks?

The research notes that while EAP-TLS offers strong security, it may not be the optimal solution for wireless networks due to performance and implementation complexities, leading the author to suggest alternatives.

How were the controlled and uncontrolled ports simulated?

Since the HIPERLAN/2 standard does not provide native hooks for this, the simulation was achieved by acting on the network interface driver to filter packet types and directions based on the authorization status.

Details

Title
Application of IEEE 802.1X in HiperLAN type 2
College
Chalmers University of Technology Foundation Göteborg  (Ericsson Enterprise AB)
Author
Amleset Kelati (Author)
Publication Year
2001
Pages
105
Catalog Number
V323219
ISBN (eBook)
9783668264533
ISBN (Book)
9783668264540
Language
English
Tags
application ieee hiperlan ieee 802.1x
Product Safety
GRIN Publishing GmbH
Quote paper
Amleset Kelati (Author), 2001, Application of IEEE 802.1X in HiperLAN type 2, Munich, GRIN Verlag, https://www.grin.com/document/323219