WLAN: the process of a STA accessing the wireless network, and how a STA accesses the network through 802.1X

Table of contents

Process of STA accessing the network

Procedure for STAs to access the network through 802.1x

wireless association

User Access Authentication

Authentication initialization

Create a TLS channel

Authenticating wireless users in the channel

generate encryption key

STA obtains address

Wireless user authentication offline and disassociation


Process of STA accessing the network

The process of a STA accessing the network mainly includes:

1. The STA associates with the wireless signal (scanning, link authentication, association)

2. The STA performs access authentication (WPA/WPA2-PSK, WPA/WPA2-802.1X, or WEP authentication)

3. Subsequent data packets are encrypted with an encryption algorithm (WEP, TKIP or CCMP)

4. The STA obtains an address through DHCP and accesses the Internet

5. The STA goes offline after authentication

6. The STA disassociates from the signal

Procedure for STAs to access the network through 802.1x

802.1X authentication process (using PEAP, with EAP-MS-CHAPv2 as the inner authentication method)

1. The STA associates with the wireless signal

2. The STA performs PEAP authentication

This is divided into three stages: authentication initialization, establishment of the TLS channel, and authentication of the wireless user inside the channel

3. Generate the data encryption key

The material for generating the key is taken from the message indicating successful RADIUS authentication after 802.1X authentication

4. The STA obtains an address and accesses the network

Data is encrypted and integrity-protected with the dynamic key combined with the TKIP/CCMP encryption algorithm

5. The user goes offline after authentication

6. Wireless disassociation

Brief introduction to PEAP

PEAP itself does not specify the authentication method; it only establishes a TLS encrypted channel between the requester (supplicant) and the authentication server

Another EAP method (EAP-MS-CHAPv2) is then used inside this TLS tunnel to authenticate the user

CHAPv2 is two-way (mutual) authentication; CHAP is one-way authentication

However, this method requires the authentication server to obtain a digital certificate as its own identity credential, and the requester to install the CA root certificate in order to verify the legitimacy of the server's identity

wireless association

Wireless association is mainly divided into three parts

Scanning: divided into active scanning and passive scanning (performed by the STA)

Link authentication: either open (no authentication) or WEP authentication; the authentication at this step always passes and only proves that the peer is a wireless device

Association: the terminal negotiates parameters with the AP, sends an association request, and then enters access authentication

User Access Authentication

Authentication initialization

The authentication client is the STA, the access device is the AC, and the authentication server is the RADIUS server

  1. The client sends an authentication access request
  2. The access device asks the user for a username (encapsulated in an EAPOL packet)
  3. The client sends the username to the access device (encapsulated in an EAPOL packet)
  4. The access device encapsulates this packet in a RADIUS packet and sends it to the authentication server

After the authentication server receives the username, it initiates a TLS channel establishment request

Create a TLS channel

  1. The server decides to use PEAP for user access authentication and initiates a request to establish a TLS tunnel (the access device decapsulates the RADIUS packet, re-encapsulates the payload in EAPOL and sends it to the user)
  2. After receiving it, the user sends a Client Hello message containing its TLS version, the cipher suites it supports (to negotiate which algorithm will encrypt the TLS tunnel) and a random number (used later to generate the tunnel key) (the access device decapsulates the EAPOL packet, encapsulates it in a RADIUS packet and sends it to the server)
  3. The RADIUS server selects the strongest cipher suite both sides support for tunnel encryption, checks whether the TLS version is supported (if it is not, authentication fails) and generates its own random number; it then sends a Server Hello containing its TLS version, the server certificate, its random number and the selected algorithm to the user (the user verifies the server through the certificate)
  4. After receiving it, the terminal verifies whether the server certificate is legitimate. If verification succeeds, it generates a random key string (which, like the random numbers, is used to generate the encryption key), encrypts the string with the public key of the server certificate and sends it to the server
  5. The server decrypts it with its private key to obtain the random key string; it then computes the TLS tunnel encryption key from the random key string, the terminal random number and the server random number using the previously negotiated algorithm, and tells the terminal to use this encryption algorithm and key
  6. The terminal responds in agreement, and the TLS channel is established

The role of the server certificate

1. The terminal verifies the legitimacy of the certificate

2. Once the certificate is accepted as legitimate, the terminal uses the certificate's public key to encrypt the key string it generated randomly

Precautions

Windows 7 only supports verification of public certificates. If the server uses a private certificate, or the certificate has expired, Windows 7 may fail the verification

You can disable certificate verification in Windows, or replace the server's certificate with a public certificate

Authenticating wireless users in the channel

Users are authenticated with CHAPv2 (two-way authentication)

The steps below cover both directions: the server authenticating the user, and the user authenticating the server

  1. The server requests the user's username
  2. The user submits the username to the server
  3. The server generates a 16-byte random number and sends it to the terminal
  4. After receiving it, the terminal also generates a random number, then computes a 24-byte ciphertext from the two random numbers, the username and the password belonging to that username, and sends this ciphertext together with its own 16-byte random number to the server
  5. After receiving the client's random number, the server computes its own 24-byte ciphertext from the two random numbers and the username and password configured on the server, and compares it with the received ciphertext; if they match, the user authentication has passed and the server considers the user legitimate. The user now also needs to verify that the server is legitimate, so the server computes a further value over the previously computed 24-byte ciphertext (the two random numbers, username and password go into this calculation) and sends it to the client
  6. After receiving this value, the client performs the same calculation over its own 24-byte ciphertext and compares the result with the received value; if they match, the client has verified the server and replies to the server
  7. After receiving the reply, the server sends an EAP authentication success message; it carries the MPPE key (Microsoft Point-to-Point Encryption), which contains the PMK used to generate the PTK data encryption key

Accounting is performed as needed (accounting starts after authentication succeeds)

generate encryption key

All messages exchanged at this stage are encrypted.

The STA uses the PMK carried in the MPPE key to perform a 4-way handshake with the AC and generate the corresponding PTK (carried out by exchanging EAPOL-Key messages)

The PTK is then installed on the corresponding network card for data encryption and decryption
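As an added illustration of this step (not code from the original post), the following Python takes the PMK from the MSK that the PEAP/TLS exchange produces, runs the PTK derivation of the 4-way handshake and checks the message-2 MIC on the AC side. The MSK, MAC addresses and nonces are constructed sample values, and the message-2 body is a simplified stand-in for a real EAPOL-Key frame.

```python
import hmac
import hashlib

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]

def pmk_from_msk(msk: bytes) -> bytes:
    """With EAP-TLS/PEAP the PMK is the first 32 bytes of the 64-byte MSK, the half the
    RADIUS server delivers to the AC as MS-MPPE-Recv-Key; the supplicant derives the same MSK."""
    if len(msk) != 64:
        raise ValueError("MSK must be 64 bytes")
    return msk[:32]

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-384(PMK, "Pairwise key expansion", Min(AA,SPA) || Max(AA,SPA) ||
    Min(ANonce,SNonce) || Max(ANonce,SNonce)); split into KCK, KEK and the CCMP TK."""
    if len(pmk) != 32 or len(aa) != 6 or len(spa) != 6 or len(anonce) != 32 or len(snonce) != 32:
        raise ValueError("bad input lengths")
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}

def eapol_key_mic(kck: bytes, frame_with_zero_mic: bytes) -> bytes:
    """Key MIC for key descriptor version 2 (CCMP): HMAC-SHA1 over the EAPOL-Key frame
    with its MIC field zeroed, truncated to 16 bytes."""
    return hmac.new(kck, frame_with_zero_mic, hashlib.sha1).digest()[:16]

def ap_checks_msg2(ap_pmk, sta_pmk, aa, spa, anonce, snonce) -> tuple:
    """Messages 1 and 2 of the 4-way handshake: the STA proves it holds the PMK by
    signing message 2 (its SNonce) with the KCK; the AC recomputes the MIC with the PMK
    the RADIUS server gave it. Returns (mic_ok, tk) where tk is the AC's data key."""
    sta_ptk = derive_ptk(sta_pmk, aa, spa, anonce, snonce)
    msg2 = b"\x02\x03\x00\x75\x02\x01\x0a" + snonce + bytes(16)  # constructed stand-in; real frame has more fields
    mic = eapol_key_mic(sta_ptk["kck"], msg2)
    ap_ptk = derive_ptk(ap_pmk, aa, spa, anonce, snonce)
    ok = hmac.compare_digest(mic, eapol_key_mic(ap_ptk["kck"], msg2))
    return ok, ap_ptk["tk"]

# Constructed sample values (not real keys): MSK as produced by the PEAP/TLS exchange
MSK = bytes(range(64))
AA, SPA = bytes.fromhex("000c29aabbcc"), bytes.fromhex("001122334455")
ANONCE, SNONCE = bytes([0x11]) * 32, bytes([0x22]) * 32

if __name__ == "__main__":
    ok, tk = ap_checks_msg2(pmk_from_msk(MSK), pmk_from_msk(MSK), AA, SPA, ANONCE, SNONCE)
    print("MIC verified:", ok, "TK:", tk.hex())
```

A STA whose PEAP exchange produced a different MSK (wrong credentials, or a server that never sent MS-MPPE keys) fails the MIC check in message 2, which is how the AC notices the mismatch before any data key is installed.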

STA obtains address

The STA requests an IP address through DHCP; the DHCP messages are not encrypted.

After the address is obtained, subsequent Internet traffic is encrypted (data encryption uses the generated encryption key together with the TKIP/CCMP algorithm)

Wireless user authentication offline and disassociation

The wireless user releases the DHCP address, stops RADIUS accounting and goes offline

Source: blog.csdn.net/m0_49864110/article/details/132320544