WPA2-Enterpeise security goes beyond simply using a passphrase (or password) for connecting to the Wi-Fi. WPA2-Enterpeise involves three primary components:
- 802.1X authentication protocol – the standard that defines port-based access control
- An authentication (RADIUS) server – queries a user database and validates the user’s credentials
- Extensible Authentication Protocol (EAP) – provides a secure method to send identifying information for network authentication
There are several EAP types that can be used depending on the desired level of security. The two most common are:
- EAP-PEAP-MSCHAPv2 – credentials (identity) based authentication
- EAP-TLS – certificate based authentication
EAP types that employ TLS require the use of a digital certificate on both the authentication server and the client device, which can become expensive and complex to manage. The most common EAP type used is EAP-PEAP-MSCHAPv2, as it is supported by most operating systems, and doesn’t require the use of certificates.
There are three different players involved when using 802.1X/EAP, these include:
- The supplicant (client device seeking authentication)
- The authenticator (the AP or wireless controller, which provides the wireless connection)
- The authentication server (the RADIUS server that validates the user credentials)
The image below is a basic representation of the process when EAP-PEAP-MSCHAPv2 is used:
For a client device to be authenticated and allowed to access the WiFi network, several steps must first occur, these include:
- 802.11 Authentication and Association – an “Open System Authentication” must take place first, without this and the ensuing association, 802.1X/EAP cannot start. This step is like connecting an ethernet cable between a switch and a PC to confirm the physical link.
- Mutual Authentication – the supplicant (client device) and the authentication server complete the mutual 802.1X/EAP authentication, and the authentication server passes the Pairwise Master Key (PMK) to the authenticator.
- PMK Matching – the supplicant and the authenticator match the PMKs and then generates the pairwise transient key (PTK).
- 4-Way Handshake – messages exchanged between the authenticator and the supplicant to generate encryption keys which will be used to encrypt the actual data sent over the Wi-Fi.
Each time a client device attempts to connect to a WiFi network that uses WPA2 Enterprise security, all the above steps must be taken. And while authenticating in this manner is more secure than using a passphrase or password, it also can take significantly more time to complete; and latency sensitive applications (like voice) may be negatively impacted. To limit this impact, modern WiFi networks have a couple of techniques that can shorten the 802.1X/EAP authentication process when reconnecting to the same AP, and when roaming to other APs on the network, these include:
- PMK Caching – the AP will cache the PMK identifier of the EAP exchange, and upon subsequent authentications, the EAP exchange process (steps 2 and 3 above) will be eliminated
- Fast Roaming (802.11r) – allows encryption keys to be stored on all APs in a network, eliminating the need for a client device to perform the EAP exchange process (steps 2 and 3) and the 4-Way Handshake (step 4) every time it roams to a new AP within the network
To demonstrate the 802.1X/EAP authentication process, including the time-saving techniques listed above, lets look at the following three packet captures:
Full 802.1X/EAP Authentication
- packets 3, 5, 6, and 8 pertain to the 802.11 Authentication and Association (step 1)
- packets 10 – 46 pertain to the Mutual Authentication process (step 2) and the PMK Matching process (step 3)
- packets 47, 48, 50, and 52 pertain to the 4-Way Handshake process (step 4)
- the total connection time = 247 ms (the time it took from the first authentication packet to the first transmitted data packet)
802.1X/EAP Authentication w/ PMK Caching
- packets 780, 782, 783, and 785 pertain to the 802.11 Authentication and Association (step 1)
- notice the Mutual Authentication process (step 2) and MK Matching process (step 3) were skipped – the magic of PMK Caching
- packets 787 – 792 pertain to the 4-Way Handshake process (step 4)
- the total connection time = 90 ms (the time it took from the first authentication packet to the first transmitted data packet)
802.1X/EAP Authentication w/ Fast Roaming (802.11r)
- packets 3753 – 3758 pertain to the 802.11 Authentication and Association (step 1)
- notice the Mutual Authentication process (step 2), the PMK Matching process (step 3), and the 4-Way Handshake (step 4) were skipped – the magic of Fast Roaming (802.11r)
- the total connection time = 68 ms (the time it took from the first authentication packet to the first transmitted data packet)