Huawei WLAN Authentication and Enc

Huawei WLAN Authentication and Encryption Feature Internal

2012-9-25 1/13

Huawei WLAN Authentication and Encryption

The Huawei integrated Wireless Local Area Network (WLAN) solution can provide

all-round services for municipalities at various levels and enterprises and institutions in all walks

of life. These services include wireless access, authentication, charging, security auditing,

intelligent O&M, and network plan and design. This solution is widely used in various scenarios

such as the campus, office area, hotel, government, bank, energy source, transportation, medical

care, and wireless city.

The Huawei WLAN authentication and encryption feature is a feature of the Huawei

integrated WLAN solution. The Huawei WLAN authentication and encryption feature ensures the

security of air interface key data using advanced encryption algorithms such as Rivest Cipher 4

(RC4), Advanced Encryption Standard (AES), and SMS4, and authenticates users using the portal,

802.1x, or WLAN Authentication and Privacy Infrastructure (WAPI), preventing user data from

being stolen and user privacy from leaking, making the WLAN as secure as the wired network,

and laying the firm foundation for mobile networks.

1. Overview

WLAN wireless data is transmitted over the air and can be received any proper device.

Therefore, WLAN wireless data security has always been of great concern since the emergence of

WLAN, and authentication and encryption technologies have been developed and improved. A

series of security mechanisms has been developed, including Wired Equivalent Privacy (WEP) at

the initial stage, Wi-Fi Protected Access (WPA), WPA2, and the Chinese standard WAPI. Huawei

launches an integrated authentication and encryption solution to protect users' wireless data

security in various WLAN networks, including small home networks, campus networks, enterprise

networks and even the widely covered carrier networks.

The commonly used WLAN authentication and encryption methods are WEP,

WPA/WPA2, WAPI, web, and MAC address authentication and encryption. WEP: WEP is a

WLAN authentication and encryption method developed at the initial stage. It supports two


2012-9-25 2/13

authentication modes: open system authentication and shared key authentication.

WPA/WPA2: WPA substitutes the WEP standard before IEEE 802.11i is published. It

performs only some of the functions defined in IEEE 802.11i. WPA2 performs all the functions

defined in IEEE 802.11i. Compared with WPA, the AES in Counter with CBC-MAC (CCM)

mode is added. CBC-MAC is Ciphy Block Chaing Message Authentication Code for short.

WPA and WPA2 support two authentication modes: pre-shared key (PSK) authentication and

802.1x authentication. PSK is the simplified WPA/WPA2 without 802.1x. In the PSK mode,

authentication is performed between a user and the AC using pre-shared keys. Similar to WEP, the

pair wise master key (PMK) is pre-installed, but all the keys used for encryption and other

functions are generated dynamically. Therefore, WPA/WPA2 is a powerful security solution.

802.1x: Based on IEEE 802.11 for WLAN access, 802.1x is first introduced to solve the

problem of access authentication of WLAN users. It prevents unauthenticated users or devices

from accessing the Local Area Network (LAN) or the Metropolitan Area Network (MAN) through

access interfaces. The 802.1x authentication defines only an implementation framework to

authenticate the user identity. To implement the authentication process, you need to use other

protocols. The 802.1x authentication is also called the dot1x authentication.

WAPI: WAPI is a Chinese national standard and it consists of two parts: WLAN

Authentication Infrastructure (WAI) and WLAN Privacy Infrastructure (WPI). WAI authenticates

user identity and WPI provides the encryption function to protect data transmitted on WLANs.

WAPI can provide higher security for the WLAN system.

The portal authentication is also called the web authentication or DHCP+WEB

authentication. DHCP is short for Dynamic Host Configuration Protocol. The client uses the web

browser such as Internet Explorer to enter user names and passwords on the authentication page.

Then the web server completes user authentication. In the MAC address authentication mode, a

client sends its MAC address as the identity information to an access device. Clients do not need

the client software in MAC address authentication. Table 1 lists Huawei WLAN authentication

and encryption feature in details.

Table 1: Huawei WLAN authentication and encryption feature

Authentication

Mode

Description

WEP

The WEP is one part of the IEEE 802.11 standard that is passed in

September, 1999, and ensures confidentiality using the Rivest

Cipher 4 (RC4) serial stream encryption technology.


2012-9-25 3/13

The WEP supports the open system authentication and shared key

authentication.

The WEP is a technology for encrypting group information between

the access points (APs) and client using RC4. After the key is

configured, the key cannot be automatically updated. The password

can be easily cracked. Therefore, the WEP authentication is seldom

used currently.

The open system authentication is the most frequently used

authentication for carrier networks, and is generally used with the

portal authentication.

WPA/WPA2-PS

K

The WPA is short for Wi-Fi Protected Access, and is a commercial

standard introduced by the Wi-Fi alliance. The WPA implements

most part of the IEEE 802.11i standard, and is a transitional scheme

that replaces the WEP before the 802.11i is completely established.

The WPA uses the Temporal Key Integrity Protocol (TKIP) for data

encryption.

The WPA2 is a completely-established 802.11i standard and the

second version of the WPA. The WPA2 uses Counter Mode with

CBC-MAC Protocol (CCMP) for data encryption.

The WPA/WPA2-PSK requires a key to be input in advance at each

WLAN node, for example, the AP, wireless controller, and network

adapter. A WLAN client can access the WLAN if its shared key is

the same as that configured on the WLAN server. The shared key is

used only for authentication but not for encryption. Therefore, it will

not bring security risks as the 802.11 pre-shared key authentication.

Do not install the client because it is seldom used and no personnel

is available for maintaining the password required by WPA/WPA2.

WPA/WPA2-80 The 802.1x defines only the authentication frame but not a complete


2012-9-25 4/13

2.1x set of authentication rules. Specific authentications require other

protocols, such as Extensible Authentication Protocol (EAP),

Lightweight Extensible Authentication Protocol (LEAP), EAP-TLS,

EAP-TTLS, and PEAP. TLS is Transport Layer Security for short

and TTLS is Tunneled Transport Layer Security for short.

Generally specific client software must be installed. However, if a

user performs only the admission control but not the policy control,

all common operating systems such as ISO, Android, and Windows

supports 802.1x, and the client does not need to be installed.

The 802.1X is frequently used in enterprise networks and seldom

used in carrier networks.

WAPI

The WAPI is the Chinese national WLAN standard GB15629.11.

This standard includes the new WAPI security mechanism that is

composed of WLAN Authentication Infrastructure (WAI) and

WLAN Privacy Infrastructure (WPI).

The WAPI provides the certificate-based and pre-shared-key-based

key management methods.

Unlike the WAP, the WAPI authenticates both users and APs, and

uses SMS4 instead of CCMP as the encryption algorithm for better

security.

WAPI is a national standard, and must be supported in markets

inside China but is seldom used in markets outside China.

Portal

The portal authentication is also called the web authentication or the

DHCP+WEB authentication. It uses the standard web browser such

as Internet Explorer, and does not need special client software.

The client obtains the IP address before authentication. Layer 3

devices such as routers can be available between the user and the

access server.


2012-9-25 5/13

The portal authentication is frequently used on carrier networks and

enterprise networks.

Mac

In the MAC address authentication, a client sends its MAC address

as the identity information to an access device.

The MAC address authentication does not require user name and

password to be entered for login, and is used in scenarios without

high security requirements.

Real-name

authentication

The real-name authentication is a comprehensive authentication

solution provided by Huawei. In this authentication, each user uses

the real name to log in to the WLAN.

This authentication is used in scenarios with high security

requirements such as the court and educational institution so that

users can be tracked down.

2. Application

The Huawei WLAN authentication and encryption and Huawei integrated solution can

provide WLAN networks with high security, delicate policy control, and intelligent O&M for

customers. The Huawei WLAN authentication and encryption feature supports leading

authentication and encryption protocols in the industry, and provide various combined

authentication solutions, such as the solution for the carrier WLAN, for customers based on

scenarios. On the carrier WLAN, the open system authentication plus portal authentication are

used. After a user connects to the carrier WLAN, the portal server automatically displays an

authentication service page. After the user is authenticated, the user can visit the WLAN.

Generally advertisements are displayed on the authentication service page and the MAC binding

function is pushed. After the user selects the MAC binding function, the user can use the MAC

authentication to visit the carrier WLAN network next time without the necessity to enter the user

name and password.


2012-9-25 6/13

2.1 TKIP/CCMP Encryption Algorithm

The TKIP is an encryption protocol at the link layer provided by 802.11i to remove major

defects in Wired Equivalent Privacy (WEP) design. The major drawback of the WEP is that the

random seed of the WEP is composed of the initial vector (IV) and the WEP key.

To guard against attacks on the IN, the TKIP is improved in the following points:

1. The sender device calculates the message integrity code (MIC) to ensure the

information integrity. The plain text, source address, and destination address are

included in the MIC calculation. The calculation result is encrypted using the MIC

key.

2. The packet sequence number is used to prevent replay. The sequence number is

contained in the WEP IV.

3. The Fast Packet Keying algorithm is used to generate the packet encryption key by

combining the temporary key and packet sequence number.

4. The 802.1x EAPoL Key protocol is used to update the temporary key and MIC key.

The TKIP is better than the WEP. However, the TKIP is also based on the stream password,

and cannot eliminate security concerns. The CCMP is a security protocol that is based on AES

block password and developed by the IEEE work group. The CCMP provides the encryption,

authentication, integrity check, and anti-replay functions. It is based on the CCM that uses the

AES algorithm and combines the Counter Mode (CTR) for encryption and CBC-MAC for

authentication and integrity to ensure the integrity of MPDU data and IEEE802.11 MPDU header.

2.2 802.1x Authentication

The 802.1x protocol is a network access control protocol based on ports. On the WLAN,

ports generally refer to MAC addresses at the logical layer. This protocol provides an

authentication process frame. In this frame, the system consists of the authentication requester,

authentication point, and authentication server. They respectively correspond to the client, access

server, and AAA server. The authentication point is only responsible for the authentication and

exchange process at the link layer, and does not maintain any user information. Any authentication

request is forwarded to the authentication server, for example, RADIUS, for actual handling.


2012-9-25 7/13

The EAP over LAN (EAPOL) protocol defined by 802.1x is used between the authentication

requester and the authentication point. The back end transmits EAP packets through RADIUS

encapsulation. The 802.1x protocol requires any data to be authenticated. Unauthorized

connection ports transmit only authentication frames, and abandon all non-EAPOL frames. Data

frames can be forwarded on after the authentication succeeds. Figure 1 shows the entity protocol

stacks of the 802.1x authentication system.

Figure 1: Entity protocol stacks of the 802.1x authentication system

Authentication Requester

Client

Authentication Point

Access Server

Authentication Server

AAA Server

On the WLAN, most authentication service gateways of wireless users are configured on the

AC. Otherwise, for example, when service gateways are configured on the Broadband Remote

Access Server (BRAS), wireless users are the same as the wired users for service gateways. In the

802.1x authentication mode, authentication service gateways are configured on the AC and the

local forwarding and concentrated forwarding of user data are supported.

The 802.1x authentication is secure and reliable, can be easily implemented and flexibly

applied, and meet industry standards. Therefore, it is frequently used on carrier or enterprise

networks merging 3G and WLAN. Secure and reliable: In the wireless LAN environment, 802.1x

is combined with EAP-TLS and EAP-TTLS to dynamically allocate WEP certificate keys,

eliminating the security loopholes in wireless LAN access. Easily implemented and flexibly

applied: The 802.1x retains the traditional AAA authentication network architecture, and can use

existing RADIUS devices and easily implement and flexibly control the authentication granularity.

In this authentication mode, user access, user IDs or connected devices can be authenticated for


2012-9-25 8/13

different users. Industry standards: The IEEE standard has the same source as the Ethernet

standard, and can implement seamless merging with the Ethernet technology. The Windows,

Linux, IOS, and Android operating systems running on clients support the 802.1x protocol.

2.3 Portal Authentication

The portal authentication is also called the web authentication. When a user needs to use

other information on the Internet, the user must pass the authentication on a portal website before

using Internet resources. The user can visit an existing portal server and enter the user name and

password for authentication. The user can also directly visit other external networks through

HTTP. However, any external network URL visited before authentication is forcibly pushed to the

portal server.

On the WLAN, most authentication service gateways of wireless users are configured on the

AC. Otherwise, for example, when service gateways are located on the BRAS, wireless users are

the same as the wired users for service gateways. In the portal authentication mode, authentication

service gateways are configured on the AC and the local forwarding and concentrated forwarding

of user data are supported. The Huawei WLAN product version V2R2 passes the TR5 review by

the end of October.

The portal authentication includes the Layer 2 authentication and Layer 3 authentication. The

differences between the Layer 2 authentication and Layer 3 authentication are that in the Layer 2

authentication, the MAC address of the server to which a user is to visit cannot be obtained and

the ARP detection cannot be performed to check whether a user is online. The Layer 2

authentication and Layer 3 authentication processes are the same. Figure 2 shows the process.

Figure 2: Portal authentication (web authentication) process


2012-9-25 9/13

C l i e n t DHCP ServerAccess Server

Web Authentication

Server

6

AAA Server

The process is as follows:

1 to 4: A dynamic user obtains the MAC address through DHCP (a static user can manually

configure the MAC address).

5: The user visits the authentication page of the web authentication server, and enters the user

name and password to log in.

6: The portal authentication server notifies the access server of the user information through

internal protocols.

7: The access server authenticates the user on the corresponding AAA server.

8: The AAA server sends back the authentication result to the access server.

9: The access server notifies the web authentication server of the authentication result.

10: The web authentication server displays the authentication result on the HTTP

authentication page to notify the user of the result.


2012-9-25 10/13

11: The user accesses network resources normally after the authentication succeeds.

The portal authentication can provide convenient management functions. Portal websites can

develop advertisement and community services and personalized businesses. In this manner,

carriers, device providers, and content and service providers can form an Internet content union.

The portal authentication is frequently used on carrier or enterprise WLANs.

2.4 Real-Name Authentication

The security of WLAN is crucial for the large-scale deployment and widespread application

of WLAN, particularly in sensitive scenarios such as government department and schools. Huawei

introduces the real name authentication system for such scenarios, making the tracing and auditing

of floating personnel easier. The real-name authentication takes the mobile number as the real

name and the network account. Figure 3 shows the real-name authentication process.

Figure 3: Real-name authentication process

HUAWEI TECHNOLOGIES CO., LTD. Page 1

SRUN AAA

LSW

IP backbone network

(1) A visitor enters the enterprise for visit and communication.

(5) The system sends the network account and password to the visitor service mobile phone.

(2) The visitor connects to the WLAN. The self-service portal page is displayed.

(3) The visitor enters the mobile number for registration and applies for the network password.

AC

portal

Enterprise

employeeEnterprise

visitor

Enterprise WLAN

(4) The administrator authenticates the mobile number and the visitor.

Third-Party SMS

Message Platform

5

6

(6) The visitor enters and submits the account and password, and uses the network after authentication.

The real-name authentication makes the following tasks easier:

Tracing and auditing visitors

Providing online self-services for visitors

Obtaining accounts and passwords automatically using Short Message Service (SMS)


2012-9-25 11/13

messages

Appointing a customer or reserving a meeting

Sending account passwords or reserved meeting notifications to appointed customers in

emails at specified time

2.5 WAPI Authentication

The WAPI is the Chinese national WLAN standard GB15629.11. This standard includes the

new WAPI security mechanism. WAPI is an access control method based on Triple-Element Peer

Authentication (TePA). It implements two-way authentication, and supports certificate

authentication and pre-shared key authentication. It also supports unicast and multicast, and can be

widely used in wired and wireless networks. However, WAPI is commercially immature, and is

seldom used in markets outside China.

3. Ordering Information

The authentication and encryption feature is bound to WLAN devices, and do not need to be

separately purchased. To order the feature, you must order the device at the same time. For details,

contact the local sales office. Table 2 lists the ordering information.

Table 2: Ordering information of authentication and encryption feature

Device Description

AP devices

AP6010SN/DN Built-in antenna. Indoor installation mode, 100 mW, and supporting

802.11b/g/n and the authentication and encryption feature.

AP7110DN External antenna. Adopting leading technology, 3x3 MIMO, and

supporting 802.11b/g/n and the authentication and encryption feature.

AP6310SN Indoor high power Data Access Service (DAS) product. 100 mW, and

supporting 802.11b/g/n and the authentication and encryption feature.

AP6510DN Outdoor dual-frequency standard AP device. 2.4 GHz 500 mW/5 GHz


2012-9-25 12/13

125 mW, and supporting 802.11b/g/n and the authentication and

encryption feature.

AP6610DN

Outdoor dual-frequency bridge AP device. 2.4 GHz 500 mW/5 GHz 125

mW, and supporting upstream optical interfaces, 802.11b/g/n and the

authentication and encryption feature.

AC devices

AC6605

AC6605-26-PWR host. 20 GE interfaces, 4 combo interfaces, 2 SFP+

ports, and supporting the authentication and encryption feature. The

license must be configured.

S9300/S7700 SPU

ACU-H80D2ACMPS00-Wireless access control board. This device is not

separately for sale. The license must be configured. The authentication

and encryption feature must be configured.

Authentication server

Deep blue srun300 This device supports the 802.1x, portal, MAC, and WAPI authentication,

and traffic-based and duration-based charging.

TSM This device supports the 802.1x, portal, MAC, and WAPI authentication

and the policy control.

SMS message platform

Third-party SMS message

platform/SMS message

modem

Integrate the third-party SMS message platforms or purchase the SMS

message modems based on the site requirements, for example, those

produced by Montnets or Maixuntong.

4. Huawei and Partners

Huawei and partners can help you enhance network authentication and secure deployment

experience, and speed up the establishment, O&M, innovation, and growth of the WLAN. Huawei

has a professional team for secure authentication technology and a senior team for WLAN design.


2012-9-25 13/13

These teams can create a clear and replicable WLAN network with easy O&M and optimize

services and enhance performance for you, helping you increase operation efficiency, save funds,

reduce risks, and achieve success.

5. More Information

For more information about Huawei WLAN authentication and encryption feature, visit

www.huawei.com/cn/enterprise or contact the local sales office.

Documents

Huawei WLAN Authentication and Enc