Table of contents
Process of STA accessing the network
Procedure for STAs to access the network through 802.1x
Authenticating wireless users in the channel
Wireless user authentication offline and disassociation
Process of STA accessing the network
The process by which a STA accesses the network mainly consists of:
1. The STA associates with the wireless signal (scanning, link authentication, association)
2. The STA performs access authentication (WPA/WPA2-PSK, WPA/WPA2-802.1X, or WEP authentication)
3. Subsequent data packets are encrypted with an encryption algorithm (WEP, TKIP, or CCMP)
4. The STA obtains an address through DHCP and accesses the Internet
5. The authenticated STA goes offline
6. The STA disassociates from the signal
Procedure for STAs to access the network through 802.1x
802.1x theory and 802.1x wired access process
Explanation of 802.1x authentication and MAC authentication
Wlan authentication and encryption algorithm
Wlan Security - Authentication and Encryption (WPA and WPA2)
802.1X authentication process (using the PEAP-EAP-MS-CHAPv2 authentication method)
1. The STA associates with the wireless signal
2. The STA performs PEAP authentication
This is divided into three stages: authentication initialization, establishment of the TLS channel, and authentication of the wireless user inside the channel
3. Generate the data encryption key
The key material is taken from the message indicating successful RADIUS authentication, after 802.1X authentication completes
4. The STA obtains an address and accesses the network
Data is encrypted and integrity-protected using the dynamic key together with the TKIP/CCMP encryption algorithm
5. The authenticated user goes offline
6. Wireless disassociation
Brief introduction to PEAP
PEAP itself does not specify the authentication method; it only establishes a TLS-encrypted channel between the supplicant (requester) and the authentication server
Another EAP method (EAP-MS-CHAPv2) is then used inside this TLS tunnel to authenticate the user
MS-CHAPv2 is two-way (mutual) authentication; CHAP is one-way authentication
However, this method requires the authentication server to obtain a digital certificate as its own identity credential, and the supplicant must install the CA root certificate to verify that the server's identity is legitimate
Wireless association
Wireless association is mainly divided into three parts
Scanning: divided into active scanning and passive scanning (performed by the STA)
Link authentication: either no authentication (open) or WEP authentication; this authentication always passes and serves only to show that the peer is a wireless device
Association: the terminal negotiates parameters with the AP, sends a connection request, and then enters access authentication
User Access Authentication
Authentication initialization
The authentication client is the STA, the access device is the AC, and the authentication server is the RADIUS server
- The client sends an authentication access request
- The access device asks the user to provide a user name (encapsulated in an EAPOL packet)
- The client sends the user name to the access device (encapsulated in an EAPOL packet)
- The access device encapsulates this packet in a RADIUS packet and sends it to the authentication server
After the authentication server receives the user name, it initiates a request to establish the TLS channel
Create a TLS channel
- The server decides to use PEAP for user access authentication and initiates a request to establish a TLS tunnel (the access switch decapsulates the RADIUS packet, re-encapsulates it in EAPOL, and sends it to the user)
- After the user receives it, it sends a Client Hello message containing its own TLS version, the cipher suites it supports (to negotiate which encryption algorithm will protect the TLS tunnel), and a random number (used later to generate the tunnel key) (the access switch decapsulates the EAPOL packet, re-encapsulates it in a RADIUS packet, and sends it to the server)
- The RADIUS server selects the strongest encryption algorithm that both parties support for tunnel encryption, checks whether the TLS version is supported (if it is not, authentication fails), and generates its own random number; it then sends a Server Hello message containing its own TLS version, the server certificate, its random number, and the selected encryption algorithm to the user (the user verifies the server through the certificate)
- After the terminal receives it, it verifies whether the server's certificate is legitimate. Once verification succeeds, it generates a random key string (which, like the random numbers, is used to generate the encryption key), encrypts that string with the public key of the server certificate, and sends it to the server
- The server decrypts it with its private key to obtain the random key string; it then calculates the TLS tunnel encryption key from the random key string, the terminal's random number, and the server's random number using the previously negotiated algorithm, and tells the terminal to use this encryption algorithm and key
- The terminal acknowledges, and the TLS channel is established successfully
The role of the server certificate
1. The terminal verifies the legitimacy of the certificate
2. Once the certificate passes verification, the terminal uses the certificate's public key to encrypt the key string it generated randomly
Precautions
Windows 7 only supports verification of publicly trusted certificates. If the server uses a private certificate, or the certificate has expired, verification may fail on Windows 7
You can disable certificate verification in Windows (which also removes the server identity check described above), or replace the server's certificate with a public one
Authenticating wireless users in the channel
Users are authenticated with MS-CHAPv2 (two-way authentication)
[Figure legend: purple = the server authenticates the user; blue = the user authenticates the server]
- The server requests the user's user name
- The user submits the user name to the server
- The server generates a 16-byte random number and sends it to the terminal
- After the terminal receives it, it also generates a random number, then computes a 24-byte ciphertext from the two random numbers, the user name, and the password corresponding to that user name, and sends this ciphertext together with its own 16-byte random number to the server
- After receiving the client's random number, the server computes a 24-byte ciphertext from the two random numbers and the user name and password configured on the server, and compares it with the received ciphertext; if they match, user authentication has passed and the server considers the user legitimate. At this point the user also needs to verify whether the server is legitimate, so the server calculates a response from the 24-byte ciphertext it computed earlier (itself derived from the two random numbers, the user name, and the password) and sends it to the client
- After the client receives this ciphertext, it performs the same calculation on the 24-byte ciphertext it computed earlier and compares the result with what it received; if they match, the server is legitimate, and the client sends a success acknowledgement to the server
- After receiving it, the server sends an EAP authentication success message; it contains the MPPE key (Microsoft Point-to-Point Encryption), which carries the PMK used to generate the PTK data encryption key
Accounting as needed (accounting starts after authentication passes)
Generate the encryption key
All messages exchanged at this stage are encrypted.
The PMK carried in the MPPE key is used in a 4-way handshake with the AC to generate the corresponding PTK (carried out by exchanging EAPOL-Key messages)
The resulting PTK is then installed in the corresponding network card for data encryption and decryption
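The 4-way handshake step above, as an added example that is not part of the original page: it derives the PTK from the PMK, the AC and STA MAC addresses and the two nonces with the 802.11i PRF, splits it into KCK/KEK/TK (with the extra TKIP MIC keys when TKIP is chosen, which goes a little beyond the CCMP case the page describes), and builds and verifies the Key MIC of handshake message 2 the way the AC does. The PMK, MAC addresses and nonces are constructed values, not taken from the page.

```python
import hashlib
import hmac

def ieee80211_prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes, cipher: str = "CCMP") -> dict:
    """PTK = PRF(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(ANonce,SNonce)||max(...)).
    CCMP uses 384 bits (KCK|KEK|TK); TKIP uses 512 bits (adds 8-byte Tx/Rx MIC keys)."""
    if cipher not in ("CCMP", "TKIP"):
        raise ValueError("cipher must be CCMP or TKIP")
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = ieee80211_prf(pmk, b"Pairwise key expansion", data, 384 if cipher == "CCMP" else 512)
    keys = {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}
    if cipher == "TKIP":
        keys["mic_tx"], keys["mic_rx"] = ptk[48:56], ptk[56:64]
    return keys

# EAPOL header (4) + descriptor type (1) + key info (2) + key length (2) + replay counter (8)
# + nonce (32) + key IV (16) + RSC (8) + key ID (8) = offset of the 16-byte Key MIC field
MIC_OFFSET = 81

def eapol_key_mic(kck: bytes, frame: bytes) -> bytes:
    """Key MIC for descriptor version 2 (HMAC-SHA1-128) over the frame with its MIC field zeroed."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]

def verify_eapol_key_mic(kck: bytes, frame: bytes) -> bool:
    """What the AC does on message 2: recompute the MIC with the KCK and compare in constant time."""
    return hmac.compare_digest(eapol_key_mic(kck, frame), frame[MIC_OFFSET:MIC_OFFSET + 16])

def build_msg2(kck: bytes, snonce: bytes) -> bytes:
    """Constructed 4-way handshake message 2 (STA -> AC): RSN descriptor, SNonce, MIC, no key data."""
    key_info = 0x010A  # descriptor version 2 (HMAC-SHA1), pairwise key, MIC bit set
    body = (bytes([2]) + key_info.to_bytes(2, "big") + (0).to_bytes(2, "big") + (1).to_bytes(8, "big")
            + snonce + bytes(16) + bytes(8) + bytes(8) + bytes(16) + (0).to_bytes(2, "big"))
    frame = bytes([2, 3]) + len(body).to_bytes(2, "big") + body  # EAPOL v2, type 3 = EAPOL-Key
    mic = eapol_key_mic(kck, frame)
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]

# Constructed inputs (not from the page): PMK as handed over in the MPPE key, AC and STA MACs, nonces
PMK = hashlib.sha256(b"constructed PMK from the MPPE key").digest()
AA, SPA = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))
```

Because the MAC addresses and nonces are sorted before derivation, both sides obtain the same PTK regardless of which role derives it; a tampered nonce or a wrong PMK makes the message 2 MIC check fail.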
STA obtains an address
The STA requests an IP address through DHCP; the DHCP messages are not encrypted.
Once the address is obtained, subsequent Internet traffic is encrypted (data encryption uses the generated encryption key combined with the TKIP/CCMP algorithm)
Wireless user authentication offline and disassociation
The wireless user releases the DHCP address, stops RADIUS accounting, and goes offline