A Look at WPA2-Enterprise (802.1X/EAP) Security (with PCAP examples)

WPA2-Enterprise security goes beyond simply using a passphrase (or password) to connect to the Wi-Fi. WPA2-Enterprise involves three primary components:

  1. 802.1X authentication protocol – the standard that defines port-based access control
  2. An authentication (RADIUS) server – queries a user database and validates the user’s credentials
  3. Extensible Authentication Protocol (EAP) – provides a secure method to send identifying information for network authentication

There are several EAP types that can be used depending on the desired level of security. The two most common are:

  • EAP-PEAP-MSCHAPv2 – credential-based (identity) authentication
  • EAP-TLS – certificate based authentication

EAP types that employ TLS require a digital certificate on both the authentication server and the client device, which can become expensive and complex to manage. The most common EAP type used is EAP-PEAP-MSCHAPv2, as it is supported by most operating systems and doesn’t require certificates on the client devices.

There are three players involved when using 802.1X/EAP:

  1. The supplicant (client device seeking authentication)
  2. The authenticator (the AP or wireless controller, which provides the wireless connection)
  3. The authentication server (the RADIUS server that validates the user credentials)

The image below is a basic representation of the process when EAP-PEAP-MSCHAPv2 is used:

For a client device to be authenticated and allowed to access the WiFi network, the following steps must occur in order:

  1. 802.11 Authentication and Association – an “Open System Authentication” must take place first; without it and the association that follows, 802.1X/EAP cannot start. This step is like plugging an ethernet cable between a switch and a PC: it confirms the physical link and nothing more.
  2. Mutual Authentication – the supplicant (client device) and the authentication server complete the mutual 802.1X/EAP authentication, and the authentication server passes the Pairwise Master Key (PMK) to the authenticator.
  3. PMK Matching – the supplicant and the authenticator match the PMKs and then generate the pairwise transient key (PTK).
  4. 4-Way Handshake – messages exchanged between the authenticator and the supplicant to generate encryption keys which will be used to encrypt the actual data sent over the Wi-Fi.

Each time a client device attempts to connect to a WiFi network that uses WPA2 Enterprise security, all the above steps must be taken. And while authenticating in this manner is more secure than using a passphrase or password, it can also take significantly more time to complete, and latency-sensitive applications (like voice) may be negatively impacted. To limit this impact, modern WiFi networks have two techniques that shorten the 802.1X/EAP authentication process when reconnecting to the same AP and when roaming to other APs on the network:

  • PMK Caching – the AP will cache the PMK identifier of the EAP exchange, and upon subsequent authentications, the EAP exchange process (steps 2 and 3 above) will be eliminated
  • Fast Roaming (802.11r) – allows encryption keys to be stored on all APs in a network, eliminating the need for a client device to perform the EAP exchange process (steps 2 and 3) and the 4-Way Handshake (step 4) every time it roams to a new AP within the network
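To make steps 2–4 and the PMK Caching bullet concrete, here is an added example (not code from the original post) of the key material each side computes: the PMKID that names a cached PMK, the PTK derived from the PMK and the two handshake nonces, and the Key MIC the authenticator checks on 4-Way Handshake message 2. The PMK, MAC addresses and nonces are constructed sample values; in WPA2-Enterprise the real PMK is the one the RADIUS server hands the authenticator after the EAP exchange.

```python
import hmac
import hashlib
import struct

# Constructed sample values (NOT taken from the page's captures): a 256-bit PMK, the
# authenticator (AP) and supplicant (client) MAC addresses, and the nonces from
# 4-Way Handshake messages 1 (ANonce) and 2 (SNonce).
PMK = bytes(range(32))
AA = bytes.fromhex("001122334455")      # authenticator address (constructed)
SPA = bytes.fromhex("66778899aabb")     # supplicant address (constructed)
ANONCE = bytes([0x11] * 32)
SNONCE = bytes([0x22] * 32)


def prf_80211(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA).
    The supplicant offers this identifier in its (re)association request; a hit in the
    AP's cache is what lets PMK Caching skip the EAP exchange (steps 2 and 3)."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-384(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(AN,SN)||max(AN,SN)),
    split into KCK (MIC key), KEK (key-wrap key) and TK (the CCMP data-encryption key)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf_80211(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


MIC_OFFSET = 81  # EAPOL header (4) + EAPOL-Key fields preceding the Key MIC (77)


def eapol_key_mic(kck: bytes, frame: bytes) -> bytes:
    """Key MIC for AKM 00-0F-AC:1: HMAC-SHA1-128 over the EAPOL frame with the MIC field zeroed."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_eapol_key_msg2(snonce: bytes, kck: bytes, key_data: bytes = b"") -> bytes:
    """Construct a minimal 4-Way Handshake message 2 (supplicant -> authenticator)."""
    key_info = 0x010A  # descriptor version 2 (HMAC-SHA1 / AES key wrap) + Pairwise + MIC bits
    body = (
        bytes([2])                          # descriptor type: RSN
        + struct.pack(">H", key_info)
        + struct.pack(">H", 16)             # key length: CCMP TK
        + struct.pack(">Q", 1)              # replay counter
        + snonce                            # key nonce
        + bytes(16)                         # key IV
        + bytes(8)                          # key RSC
        + bytes(8)                          # reserved
        + bytes(16)                         # key MIC, zero while computing
        + struct.pack(">H", len(key_data))
        + key_data
    )
    frame = bytes([2, 3]) + struct.pack(">H", len(body)) + body  # EAPOL v2, type 3 = EAPOL-Key
    mic = eapol_key_mic(kck, frame)
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]


def verify_eapol_key_mic(kck: bytes, frame: bytes) -> bool:
    """The authenticator's check on message 2: does the MIC match our KCK? A mismatch means
    the supplicant does not hold the same PMK (step 3 fails) or the frame was altered."""
    received = frame[MIC_OFFSET:MIC_OFFSET + 16]
    return hmac.compare_digest(received, eapol_key_mic(kck, frame))


if __name__ == "__main__":
    keys = derive_ptk(PMK, AA, SPA, ANONCE, SNONCE)
    msg2 = build_eapol_key_msg2(SNONCE, keys["kck"])
    print("PMKID:", pmkid(PMK, AA, SPA).hex())
    print("message 2 MIC valid:", verify_eapol_key_mic(keys["kck"], msg2))
```

Note the asymmetry: the PMKID is computed over AA||SPA in that order, while the PTK input sorts the addresses and nonces, so both sides derive the same PTK regardless of who is "first". This is the same derivation a capture-decryption tool performs when it is given the PMK.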

To demonstrate the 802.1X/EAP authentication process, including the time-saving techniques listed above, let's look at the following three packet captures:

Full 802.1X/EAP Authentication

  • packets 3, 5, 6, and 8 pertain to the 802.11 Authentication and Association (step 1)
  • packets 10 – 46 pertain to the Mutual Authentication process (step 2) and the PMK Matching process (step 3)
  • packets 47, 48, 50, and 52 pertain to the 4-Way Handshake process (step 4)
  • the total connection time = 247 ms (the time it took from the first authentication packet to the first transmitted data packet)

802.1X/EAP Authentication w/ PMK Caching

  • packets 780, 782, 783, and 785 pertain to the 802.11 Authentication and Association (step 1)
  • notice the Mutual Authentication process (step 2) and PMK Matching process (step 3) were skipped – the magic of PMK Caching
  • packets 787 – 792 pertain to the 4-Way Handshake process (step 4)
  • the total connection time = 90 ms (the time it took from the first authentication packet to the first transmitted data packet)

802.1X/EAP Authentication w/ Fast Roaming (802.11r)

  • packets 3753 – 3758 pertain to the 802.11 Authentication and Association (step 1)
  • notice the Mutual Authentication process (step 2), the PMK Matching process (step 3), and the 4-Way Handshake (step 4) were skipped – the magic of Fast Roaming (802.11r)
  • the total connection time = 68 ms (the time it took from the first authentication packet to the first transmitted data packet)
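The three capture walk-throughs above share one recipe: find which phases are present and measure first authentication frame to first data frame. Here is an added example (not from the original post) that applies that recipe to frame summaries. The frame numbers follow the page's captures where it lists them; the timestamps, the data-frame numbers and the choice of which frames in 787–792 are EAPOL-Key are constructed so that the totals mirror the page's 247 ms, 90 ms and 68 ms. The same classifier flags a sequence with no key exchange at all, which is worth investigating in a WPA2-Enterprise network.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    number: int   # capture frame number
    time_ms: int  # milliseconds since the first frame (constructed)
    kind: str     # auth | assoc_req | assoc_resp | reassoc_req | reassoc_resp | eap | eapol_key | data


def _frames(spec):
    return [Frame(n, t, k) for n, t, k in spec]


# Constructed summaries of the page's three captures.
FULL_EAP = _frames(
    [(3, 0, "auth"), (5, 2, "auth"), (6, 4, "assoc_req"), (8, 6, "assoc_resp")]
    + [(n, 10 + 4 * i, "eap") for i, n in enumerate(range(10, 47))]   # packets 10-46
    + [(47, 200, "eapol_key"), (48, 210, "eapol_key"), (50, 220, "eapol_key"), (52, 230, "eapol_key")]
    + [(54, 247, "data")]                                              # data frame number constructed
)

PMK_CACHING = _frames(
    [(780, 0, "auth"), (782, 3, "auth"), (783, 6, "assoc_req"), (785, 9, "assoc_resp")]
    + [(787, 30, "eapol_key"), (788, 45, "eapol_key"), (790, 60, "eapol_key"), (792, 75, "eapol_key")]
    + [(794, 90, "data")]
)

FAST_ROAMING = _frames(
    [(3753, 0, "auth"), (3754, 8, "auth"), (3756, 20, "reassoc_req"), (3758, 40, "reassoc_resp"),
     (3760, 68, "data")]
)


def classify_connection(frames) -> str:
    """Decide which of the page's three cases a connection attempt is, from the phases seen."""
    kinds = {f.kind for f in frames}
    if "eap" in kinds:
        return "full"              # steps 2-4 all on the air
    if "eapol_key" in kinds:
        return "pmk_caching"       # EAP skipped, 4-Way Handshake still run
    if "reassoc_req" in kinds and "reassoc_resp" in kinds:
        return "fast_roaming"      # 802.11r: no EAP and no EAPOL-Key frames
    return "no_key_exchange"       # open network or truncated capture: investigate


def connection_time_ms(frames):
    """Time from the first 802.11 Authentication frame to the first data frame, as the page measures it."""
    first_auth = next((f for f in frames if f.kind == "auth"), None)
    first_data = next((f for f in frames if f.kind == "data"), None)
    if first_auth is None or first_data is None:
        return None
    return first_data.time_ms - first_auth.time_ms


def summarize(frames) -> dict:
    return {
        "type": classify_connection(frames),
        "eap_frames": sum(f.kind == "eap" for f in frames),
        "eapol_key_frames": sum(f.kind == "eapol_key" for f in frames),
        "connection_ms": connection_time_ms(frames),
    }


if __name__ == "__main__":
    for name, capture in (("full", FULL_EAP), ("pmk caching", PMK_CACHING), ("802.11r", FAST_ROAMING)):
        print(f"{name:12s} {summarize(capture)}")
```

To run this over a real capture, fill the `Frame` list from your analyzer's frame-type and timestamp columns; the classifier itself only needs the phase labels. Repeated "full" results from a client that roamed seconds earlier point at a PMK cache that is not being honoured (or at 802.11r being unsupported on one side), which is the first thing to check when voice quality drops during roaming.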