Upload
phuc-hoang
View
55
Download
3
Embed Size (px)
Citation preview
Huawei WLAN Authentication and Encryption Feature Internal
2012-9-25 1/13
Huawei WLAN Authentication and Encryption
The Huawei integrated Wireless Local Area Network (WLAN) solution can provide
all-round services for municipalities at various levels and enterprises and institutions in all walks
of life. These services include wireless access, authentication, charging, security auditing,
intelligent O&M, and network plan and design. This solution is widely used in various scenarios
such as the campus, office area, hotel, government, bank, energy source, transportation, medical
care, and wireless city.
The Huawei WLAN authentication and encryption feature is a feature of the Huawei
integrated WLAN solution. The Huawei WLAN authentication and encryption feature ensures the
security of air interface key data using advanced encryption algorithms such as Rivest Cipher 4
(RC4), Advanced Encryption Standard (AES), and SMS4, and authenticates users using the portal,
802.1x, or WLAN Authentication and Privacy Infrastructure (WAPI), preventing user data from
being stolen and user privacy from leaking, making the WLAN as secure as the wired network,
and laying the firm foundation for mobile networks.
1. Overview
WLAN wireless data is transmitted over the air and can be received any proper device.
Therefore, WLAN wireless data security has always been of great concern since the emergence of
WLAN, and authentication and encryption technologies have been developed and improved. A
series of security mechanisms has been developed, including Wired Equivalent Privacy (WEP) at
the initial stage, Wi-Fi Protected Access (WPA), WPA2, and the Chinese standard WAPI. Huawei
launches an integrated authentication and encryption solution to protect users' wireless data
security in various WLAN networks, including small home networks, campus networks, enterprise
networks and even the widely covered carrier networks.
The commonly used WLAN authentication and encryption methods are WEP,
WPA/WPA2, WAPI, web, and MAC address authentication and encryption. WEP: WEP is a
WLAN authentication and encryption method developed at the initial stage. It supports two
Huawei WLAN Authentication and Encryption Feature Internal
2012-9-25 2/13
authentication modes: open system authentication and shared key authentication.
WPA/WPA2: WPA substitutes the WEP standard before IEEE 802.11i is published. It
performs only some of the functions defined in IEEE 802.11i. WPA2 performs all the functions
defined in IEEE 802.11i. Compared with WPA, the AES in Counter with CBC-MAC (CCM)
mode is added. CBC-MAC is Ciphy Block Chaing Message Authentication Code for short.
WPA and WPA2 support two authentication modes: pre-shared key (PSK) authentication and
802.1x authentication. PSK is the simplified WPA/WPA2 without 802.1x. In the PSK mode,
authentication is performed between a user and the AC using pre-shared keys. Similar to WEP, the
pair wise master key (PMK) is pre-installed, but all the keys used for encryption and other
functions are generated dynamically. Therefore, WPA/WPA2 is a powerful security solution.
802.1x: Based on IEEE 802.11 for WLAN access, 802.1x is first introduced to solve the
problem of access authentication of WLAN users. It prevents unauthenticated users or devices
from accessing the Local Area Network (LAN) or the Metropolitan Area Network (MAN) through
access interfaces. The 802.1x authentication defines only an implementation framework to
authenticate the user identity. To implement the authentication process, you need to use other
protocols. The 802.1x authentication is also called the dot1x authentication.
WAPI: WAPI is a Chinese national standard and it consists of two parts: WLAN
Authentication Infrastructure (WAI) and WLAN Privacy Infrastructure (WPI). WAI authenticates
user identity and WPI provides the encryption function to protect data transmitted on WLANs.
WAPI can provide higher security for the WLAN system.
The portal authentication is also called the web authentication or DHCP+WEB
authentication. DHCP is short for Dynamic Host Configuration Protocol. The client uses the web
browser such as Internet Explorer to enter user names and passwords on the authentication page.
Then the web server completes user authentication. In the MAC address authentication mode, a
client sends its MAC address as the identity information to an access device. Clients do not need
the client software in MAC address authentication. Table 1 lists Huawei WLAN authentication
and encryption feature in details.
Table 1: Huawei WLAN authentication and encryption feature
Authentication
Mode
Description
WEP
The WEP is one part of the IEEE 802.11 standard that is passed in
September, 1999, and ensures confidentiality using the Rivest
Cipher 4 (RC4) serial stream encryption technology.
Huawei WLAN Authentication and Encryption Feature Internal
2012-9-25 3/13
The WEP supports the open system authentication and shared key
authentication.
The WEP is a technology for encrypting group information between
the access points (APs) and client using RC4. After the key is
configured, the key cannot be automatically updated. The password
can be easily cracked. Therefore, the WEP authentication is seldom
used currently.
The open system authentication is the most frequently used
authentication for carrier networks, and is generally used with the
portal authentication.
WPA/WPA2-PS
K
The WPA is short for Wi-Fi Protected Access, and is a commercial
standard introduced by the Wi-Fi alliance. The WPA implements
most part of the IEEE 802.11i standard, and is a transitional scheme
that replaces the WEP before the 802.11i is completely established.
The WPA uses the Temporal Key Integrity Protocol (TKIP) for data
encryption.
The WPA2 is a completely-established 802.11i standard and the
second version of the WPA. The WPA2 uses Counter Mode with
CBC-MAC Protocol (CCMP) for data encryption.
The WPA/WPA2-PSK requires a key to be input in advance at each
WLAN node, for example, the AP, wireless controller, and network
adapter. A WLAN client can access the WLAN if its shared key is
the same as that configured on the WLAN server. The shared key is
used only for authentication but not for encryption. Therefore, it will
not bring security risks as the 802.11 pre-shared key authentication.
Do not install the client because it is seldom used and no personnel
is available for maintaining the password required by WPA/WPA2.
WPA/WPA2-80 The 802.1x defines only the authentication frame but not a complete
Huawei WLAN Authentication and Encryption Feature Internal
2012-9-25 4/13
2.1x set of authentication rules. Specific authentications require other
protocols, such as Extensible Authentication Protocol (EAP),
Lightweight Extensible Authentication Protocol (LEAP), EAP-TLS,
EAP-TTLS, and PEAP. TLS is Transport Layer Security for short
and TTLS is Tunneled Transport Layer Security for short.
Generally specific client software must be installed. However, if a
user performs only the admission control but not the policy control,
all common operating systems such as ISO, Android, and Windows
supports 802.1x, and the client does not need to be installed.
The 802.1X is frequently used in enterprise networks and seldom
used in carrier networks.
WAPI
The WAPI is the Chinese national WLAN standard GB15629.11.
This standard includes the new WAPI security mechanism that is
composed of WLAN Authentication Infrastructure (WAI) and
WLAN Privacy Infrastructure (WPI).
The WAPI provides the certificate-based and pre-shared-key-based
key management methods.
Unlike the WAP, the WAPI authenticates both users and APs, and
uses SMS4 instead of CCMP as the encryption algorithm for better
security.
WAPI is a national standard, and must be supported in markets
inside China but is seldom used in markets outside China.
Portal
The portal authentication is also called the web authentication or the
DHCP+WEB authentication. It uses the standard web browser such
as Internet Explorer, and does not need special client software.
The client obtains the IP address before authentication. Layer 3
devices such as routers can be available between the user and the
access server.
Huawei WLAN Authentication and Encryption Feature Internal
2012-9-25 5/13
The portal authentication is frequently used on carrier networks and
enterprise networks.
Mac
In the MAC address authentication, a client sends its MAC address
as the identity information to an access device.
The MAC address authentication does not require user name and
password to be entered for login, and is used in scenarios without
high security requirements.
Real-name
authentication
The real-name authentication is a comprehensive authentication
solution provided by Huawei. In this authentication, each user uses
the real name to log in to the WLAN.
This authentication is used in scenarios with high security
requirements such as the court and educational institution so that
users can be tracked down.
2. Application
The Huawei WLAN authentication and encryption and Huawei integrated solution can
provide WLAN networks with high security, delicate policy control, and intelligent O&M for
customers. The Huawei WLAN authentication and encryption feature supports leading
authentication and encryption protocols in the industry, and provide various combined
authentication solutions, such as the solution for the carrier WLAN, for customers based on
scenarios. On the carrier WLAN, the open system authentication plus portal authentication are
used. After a user connects to the carrier WLAN, the portal server automatically displays an
authentication service page. After the user is authenticated, the user can visit the WLAN.
Generally advertisements are displayed on the authentication service page and the MAC binding
function is pushed. After the user selects the MAC binding function, the user can use the MAC
authentication to visit the carrier WLAN network next time without the necessity to enter the user
name and password.
Huawei WLAN Authentication and Encryption Feature Internal
2012-9-25 6/13
2.1 TKIP/CCMP Encryption Algorithm
The TKIP is an encryption protocol at the link layer provided by 802.11i to remove major
defects in Wired Equivalent Privacy (WEP) design. The major drawback of the WEP is that the
random seed of the WEP is composed of the initial vector (IV) and the WEP key.
To guard against attacks on the IN, the TKIP is improved in the following points:
1. The sender device calculates the message integrity code (MIC) to ensure the
information integrity. The plain text, source address, and destination address are
included in the MIC calculation. The calculation result is encrypted using the MIC
key.
2. The packet sequence number is used to prevent replay. The sequence number is
contained in the WEP IV.
3. The Fast Packet Keying algorithm is used to generate the packet encryption key by
combining the temporary key and packet sequence number.
4. The 802.1x EAPoL Key protocol is used to update the temporary key and MIC key.
The TKIP is better than the WEP. However, the TKIP is also based on the stream password,
and cannot eliminate security concerns. The CCMP is a security protocol that is based on AES
block password and developed by the IEEE work group. The CCMP provides the encryption,
authentication, integrity check, and anti-replay functions. It is based on the CCM that uses the
AES algorithm and combines the Counter Mode (CTR) for encryption and CBC-MAC for
authentication and integrity to ensure the integrity of MPDU data and IEEE802.11 MPDU header.
2.2 802.1x Authentication
The 802.1x protocol is a network access control protocol based on ports. On the WLAN,
ports generally refer to MAC addresses at the logical layer. This protocol provides an
authentication process frame. In this frame, the system consists of the authentication requester,
authentication point, and authentication server. They respectively correspond to the client, access
server, and AAA server. The authentication point is only responsible for the authentication and
exchange process at the link layer, and does not maintain any user information. Any authentication
request is forwarded to the authentication server, for example, RADIUS, for actual handling.
Huawei WLAN Authentication and Encryption Feature Internal
2012-9-25 7/13
The EAP over LAN (EAPOL) protocol defined by 802.1x is used between the authentication
requester and the authentication point. The back end transmits EAP packets through RADIUS
encapsulation. The 802.1x protocol requires any data to be authenticated. Unauthorized
connection ports transmit only authentication frames, and abandon all non-EAPOL frames. Data
frames can be forwarded on after the authentication succeeds. Figure 1 shows the entity protocol
stacks of the 802.1x authentication system.
Figure 1: Entity protocol stacks of the 802.1x authentication system
Authentication Requester
Client
Authentication Point
Access Server
Authentication Server
AAA Server
On the WLAN, most authentication service gateways of wireless users are configured on the
AC. Otherwise, for example, when service gateways are configured on the Broadband Remote
Access Server (BRAS), wireless users are the same as the wired users for service gateways. In the
802.1x authentication mode, authentication service gateways are configured on the AC and the
local forwarding and concentrated forwarding of user data are supported.
The 802.1x authentication is secure and reliable, can be easily implemented and flexibly
applied, and meet industry standards. Therefore, it is frequently used on carrier or enterprise
networks merging 3G and WLAN. Secure and reliable: In the wireless LAN environment, 802.1x
is combined with EAP-TLS and EAP-TTLS to dynamically allocate WEP certificate keys,
eliminating the security loopholes in wireless LAN access. Easily implemented and flexibly
applied: The 802.1x retains the traditional AAA authentication network architecture, and can use
existing RADIUS devices and easily implement and flexibly control the authentication granularity.
In this authentication mode, user access, user IDs or connected devices can be authenticated for
Huawei WLAN Authentication and Encryption Feature Internal
2012-9-25 8/13
different users. Industry standards: The IEEE standard has the same source as the Ethernet
standard, and can implement seamless merging with the Ethernet technology. The Windows,
Linux, IOS, and Android operating systems running on clients support the 802.1x protocol.
2.3 Portal Authentication
The portal authentication is also called the web authentication. When a user needs to use
other information on the Internet, the user must pass the authentication on a portal website before
using Internet resources. The user can visit an existing portal server and enter the user name and
password for authentication. The user can also directly visit other external networks through
HTTP. However, any external network URL visited before authentication is forcibly pushed to the
portal server.
On the WLAN, most authentication service gateways of wireless users are configured on the
AC. Otherwise, for example, when service gateways are located on the BRAS, wireless users are
the same as the wired users for service gateways. In the portal authentication mode, authentication
service gateways are configured on the AC and the local forwarding and concentrated forwarding
of user data are supported. The Huawei WLAN product version V2R2 passes the TR5 review by
the end of October.
The portal authentication includes the Layer 2 authentication and Layer 3 authentication. The
differences between the Layer 2 authentication and Layer 3 authentication are that in the Layer 2
authentication, the MAC address of the server to which a user is to visit cannot be obtained and
the ARP detection cannot be performed to check whether a user is online. The Layer 2
authentication and Layer 3 authentication processes are the same. Figure 2 shows the process.
Figure 2: Portal authentication (web authentication) process
Huawei WLAN Authentication and Encryption Feature Internal
2012-9-25 9/13
C l i e n t DHCP ServerAccess Server
Web Authentication
Server
6
AAA Server
The process is as follows:
1 to 4: A dynamic user obtains the MAC address through DHCP (a static user can manually
configure the MAC address).
5: The user visits the authentication page of the web authentication server, and enters the user
name and password to log in.
6: The portal authentication server notifies the access server of the user information through
internal protocols.
7: The access server authenticates the user on the corresponding AAA server.
8: The AAA server sends back the authentication result to the access server.
9: The access server notifies the web authentication server of the authentication result.
10: The web authentication server displays the authentication result on the HTTP
authentication page to notify the user of the result.
Huawei WLAN Authentication and Encryption Feature Internal
2012-9-25 10/13
11: The user accesses network resources normally after the authentication succeeds.
The portal authentication can provide convenient management functions. Portal websites can
develop advertisement and community services and personalized businesses. In this manner,
carriers, device providers, and content and service providers can form an Internet content union.
The portal authentication is frequently used on carrier or enterprise WLANs.
2.4 Real-Name Authentication
The security of WLAN is crucial for the large-scale deployment and widespread application
of WLAN, particularly in sensitive scenarios such as government department and schools. Huawei
introduces the real name authentication system for such scenarios, making the tracing and auditing
of floating personnel easier. The real-name authentication takes the mobile number as the real
name and the network account. Figure 3 shows the real-name authentication process.
Figure 3: Real-name authentication process
HUAWEI TECHNOLOGIES CO., LTD. Page 1
SRUN AAA
LSW
IP backbone network
(1) A visitor enters the enterprise for visit and communication.
(5) The system sends the network account and password to the visitor service mobile phone.
(2) The visitor connects to the WLAN. The self-service portal page is displayed.
(3) The visitor enters the mobile number for registration and applies for the network password.
AC
portal
Enterprise
employeeEnterprise
visitor
Enterprise WLAN
(4) The administrator authenticates the mobile number and the visitor.
Third-Party SMS
Message Platform
5
6
(6) The visitor enters and submits the account and password, and uses the network after authentication.
The real-name authentication makes the following tasks easier:
Tracing and auditing visitors
Providing online self-services for visitors
Obtaining accounts and passwords automatically using Short Message Service (SMS)
Huawei WLAN Authentication and Encryption Feature Internal
2012-9-25 11/13
messages
Appointing a customer or reserving a meeting
Sending account passwords or reserved meeting notifications to appointed customers in
emails at specified time
2.5 WAPI Authentication
The WAPI is the Chinese national WLAN standard GB15629.11. This standard includes the
new WAPI security mechanism. WAPI is an access control method based on Triple-Element Peer
Authentication (TePA). It implements two-way authentication, and supports certificate
authentication and pre-shared key authentication. It also supports unicast and multicast, and can be
widely used in wired and wireless networks. However, WAPI is commercially immature, and is
seldom used in markets outside China.
3. Ordering Information
The authentication and encryption feature is bound to WLAN devices, and do not need to be
separately purchased. To order the feature, you must order the device at the same time. For details,
contact the local sales office. Table 2 lists the ordering information.
Table 2: Ordering information of authentication and encryption feature
Device Description
AP devices
AP6010SN/DN Built-in antenna. Indoor installation mode, 100 mW, and supporting
802.11b/g/n and the authentication and encryption feature.
AP7110DN External antenna. Adopting leading technology, 3x3 MIMO, and
supporting 802.11b/g/n and the authentication and encryption feature.
AP6310SN Indoor high power Data Access Service (DAS) product. 100 mW, and
supporting 802.11b/g/n and the authentication and encryption feature.
AP6510DN Outdoor dual-frequency standard AP device. 2.4 GHz 500 mW/5 GHz
Huawei WLAN Authentication and Encryption Feature Internal
2012-9-25 12/13
125 mW, and supporting 802.11b/g/n and the authentication and
encryption feature.
AP6610DN
Outdoor dual-frequency bridge AP device. 2.4 GHz 500 mW/5 GHz 125
mW, and supporting upstream optical interfaces, 802.11b/g/n and the
authentication and encryption feature.
AC devices
AC6605
AC6605-26-PWR host. 20 GE interfaces, 4 combo interfaces, 2 SFP+
ports, and supporting the authentication and encryption feature. The
license must be configured.
S9300/S7700 SPU
ACU-H80D2ACMPS00-Wireless access control board. This device is not
separately for sale. The license must be configured. The authentication
and encryption feature must be configured.
Authentication server
Deep blue srun300 This device supports the 802.1x, portal, MAC, and WAPI authentication,
and traffic-based and duration-based charging.
TSM This device supports the 802.1x, portal, MAC, and WAPI authentication
and the policy control.
SMS message platform
Third-party SMS message
platform/SMS message
modem
Integrate the third-party SMS message platforms or purchase the SMS
message modems based on the site requirements, for example, those
produced by Montnets or Maixuntong.
4. Huawei and Partners
Huawei and partners can help you enhance network authentication and secure deployment
experience, and speed up the establishment, O&M, innovation, and growth of the WLAN. Huawei
has a professional team for secure authentication technology and a senior team for WLAN design.
Huawei WLAN Authentication and Encryption Feature Internal
2012-9-25 13/13
These teams can create a clear and replicable WLAN network with easy O&M and optimize
services and enhance performance for you, helping you increase operation efficiency, save funds,
reduce risks, and achieve success.
5. More Information
For more information about Huawei WLAN authentication and encryption feature, visit
www.huawei.com/cn/enterprise or contact the local sales office.