
First, we briefly describe the IEEE 802.11 WLAN topologies. Then, we illustrate the authentication architecture of the 802.1X specification and the typical 802.1X authentication message exchange, and give an introduction to RADIUS. Finally, we present the Linux iptables functions that will be used for ad-hoc network access control.

2.1 The IEEE 802.11 Wireless LAN Topologies

The 802.11 architecture is comprised of several components and services. The station (STA) is the most basic component of the wireless network; a station could be a laptop PC, a handheld device, or an access point. Typically the 802.11 functions are implemented in the hardware and software of a network interface card, and all stations support the 802.11 station services of authentication, de-authentication, privacy, and data delivery. The basic service set (BSS) is the basic building block of a WLAN, and there are two types of network topologies, as shown in Figure 2-1: the independent BSS and the infrastructure BSS.

Figure 2-1: The IEEE 802.11 Network Topologies

An independent basic service set is a set of stations that have recognized each other and are connected directly via the wireless medium in a peer-to-peer fashion; it is also referred to as an ad-hoc network. Some stations may not be able to communicate with every other station because of range limitations.

In the infrastructure basic service set, stations must be connected to a central serving node, the access point (AP), to communicate with others; stations can only communicate with each other through the AP, no matter how close they are.

Besides, as shown in Figure 2-2, multiple BSSs can be combined to form an Extended Service Set (ESS) to provide a larger radio coverage area, which makes roaming convenient. In an ESS, APs act as bridges and there is a server maintaining the IP information and Internet access control of each station.

Figure 2-2: The Extended Service Set (ESS)

In each BSS, the BSSID (BSS Identity) is the MAC address of the wireless interface of an AP. The SSID (Service Set Identity) is a string identifier and can be viewed as the wireless network name of an AP or a group of APs. [3]

2.2 The IEEE 802.1X Authentication

IEEE 802.1X [4] provides a port-based network access control mechanism for user authentication, unlike the IEEE 802.11 authentication services, open system authentication and shared key authentication, which focus on device authentication. Almost all vendors implement 802.1X on APs to address the security vulnerabilities of WEP (Wired Equivalent Privacy), and 802.1X also plays a major role in IEEE 802.11i, which specifies the security mechanisms for WiFi.

The 802.1X architecture defines three components, as shown in Figure 2-3. The supplicant is the user machine requesting access to network resources. Upon detection of a new supplicant, the port of the authenticator will be enabled and set to the “unauthorized” state. In this state, only 802.1X traffic is allowed; other traffic, such as DHCP and HTTP, is blocked at the data link layer. The authenticator maintains no user information and just relays authentication messages between the supplicant and the authentication server. Finally, an authentication server, for instance a RADIUS server, implements the various authentication mechanisms.

Figure 2-3: The IEEE 802.1X Architecture

802.1X is a framework based on the Extensible Authentication Protocol (EAP) [5]. EAP supports many authentication methods on top of it. The following are some EAP authentication methods.

EAP-MD5: MD5-Challenge is analogous to the CHAP protocol. It requires that the challenge be successfully encoded with a shared secret. However, the MD5 hash function is vulnerable to dictionary attacks, and the method does not support mutual authentication.

EAP-TLS: Transport Layer Security (TLS) can be used to establish a trusted communication tunnel over an unknown network subject to eavesdropping. It provides mutual authentication through certificate exchange. However, it needs a well-built Public Key Infrastructure (PKI) to generate and distribute certificates.

EAP-TTLS and EAP-PEAP: Both work similarly. First, they establish a TLS tunnel similar to EAP-TLS. Then, the TLS tunnel is used to encrypt an older authentication protocol that authenticates users to the network. Certificates are required only for the outer authentication. The difference between TTLS and PEAP is how they handle the inner authentication: TTLS uses the tunnel to exchange AVPs (attribute-value pairs), while PEAP uses the tunnel to start a second EAP authentication method.

EAP-MSCHAPv2: Microsoft CHAP version 2 (MSCHAPv2) can be used as the inner authentication method of PEAP. It was designed to address the shortcomings of MSCHAP and provides mutual authentication.

2.3 Typical 802.1X Authentication Message Exchange

An example of a typical 802.1X authentication message exchange on an 802.11 WLAN is shown in Figure 2-4. Once a station has scanned for and associated with an AP, the supplicant sends the EAPoL-Start message to trigger the EAP transaction. The authenticator issues the EAP-Request / Identity message and the supplicant replies with the EAP-Response / Identity message. The response is then relayed by the AP to the RADIUS server in a Radius-Access-Request packet. According to the type of EAP method required, the RADIUS server encapsulates the EAP request for that method in a Radius-Access-Challenge packet to the AP. When it reaches the AP, the EAP request is extracted and passed to the supplicant.

Depending on the EAP method, a different number of authentication messages is exchanged.

Figure 2-4: The typical 802.1X authentication message exchange

If the RADIUS server grants access with the Radius-Access-Accept packet, the AP issues the EAP-Success message and authorizes the port. After receiving the EAP-Success message, the supplicant usually sends a DHCP request to obtain its IP address. The DHCP packets are no longer blocked by the AP at the data link layer, so the station obtains an IP address and can use the Internet.

Otherwise, the RADIUS server sends the Radius-Access-Reject packet, and the AP issues the EAP-Failure message and keeps the port unauthorized. When the supplicant has finished using the network resources, it can send the EAP-Logoff message to put the port back into the unauthorized state.

Figure 2-5 shows the typical 802.1X authentication using EAP-MD5 message exchange, which is the basic authentication method.

Figure 2-5: The typical 802.1X authentication using EAP-MD5 message exchange
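As an added illustration of the EAP-MD5 exchange described in sections 2.2 and 2.3 (example code written for this page, not the thesis's own code nor any 802.1X implementation), the following Python simulates the EAP part of Figure 2-5: the Identity round trip, the MD5-Challenge request, the supplicant's CHAP-style response MD5(Identifier || password || challenge), and the server's verification leading to EAP-Success or EAP-Failure. The packet layouts follow RFC 3748; the credential store, identities and passwords are constructed values.

```python
import hashlib
import hmac
import os
import struct

# EAP codes and the two types used here, from RFC 3748 (Identity = 1, MD5-Challenge = 4)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4


def eap_pack(code, identifier, type_data=b""):
    """Build one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    return struct.pack("!BBH", code, identifier, 4 + len(type_data)) + type_data


def eap_unpack(pkt):
    """Parse the EAP header, check its length field, return (code, identifier, payload)."""
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than its header")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP length field does not match the packet")
    return code, identifier, pkt[4:length]


def md5_response_value(identifier, password, challenge):
    """CHAP-style response value: MD5(Identifier || password || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def md5_challenge_request(identifier, challenge):
    # MD5-Challenge Type-Data: Value-Size(1) Value(Value-Size) [Name]
    return eap_pack(EAP_REQUEST, identifier, bytes([EAP_TYPE_MD5, len(challenge)]) + challenge)


def md5_challenge_response(identifier, password, challenge, name=b""):
    value = md5_response_value(identifier, password, challenge)
    return eap_pack(EAP_RESPONSE, identifier, bytes([EAP_TYPE_MD5, len(value)]) + value + name)


def verify_md5_response(pkt, expected_identifier, password, challenge):
    """Authentication-server check of an MD5-Challenge response."""
    code, identifier, payload = eap_unpack(pkt)
    if code != EAP_RESPONSE or identifier != expected_identifier:
        return False
    if len(payload) < 2 or payload[0] != EAP_TYPE_MD5:
        return False
    value = payload[2:2 + payload[1]]
    if len(value) != payload[1] or len(value) != 16:   # MD5 digests are 16 octets
        return False
    return hmac.compare_digest(value, md5_response_value(identifier, password, challenge))


def run_exchange(password_db, identity, supplicant_password, challenge=None):
    """Simulate the EAP part of Figure 2-5: Identity round trip, MD5 challenge,
    response, then Success or Failure. Returns (authenticated, list of EAP codes seen)."""
    trace, ident = [], 1
    # 1. Authenticator sends EAP-Request/Identity; the supplicant answers with its name.
    request = eap_pack(EAP_REQUEST, ident, bytes([EAP_TYPE_IDENTITY]))
    trace.append(eap_unpack(request)[0])
    response = eap_pack(EAP_RESPONSE, ident, bytes([EAP_TYPE_IDENTITY]) + identity)
    code, _, payload = eap_unpack(response)
    trace.append(code)
    claimed_identity = payload[1:]
    # 2. Server sends a fresh random challenge (a caller-supplied one only for repeatable tests).
    ident += 1
    challenge = challenge if challenge is not None else os.urandom(16)
    trace.append(eap_unpack(md5_challenge_request(ident, challenge))[0])
    # 3. Supplicant answers with MD5(ident || password || challenge).
    md5_resp = md5_challenge_response(ident, supplicant_password, challenge, identity)
    trace.append(eap_unpack(md5_resp)[0])
    # 4. Server recomputes the value with the password stored for the claimed identity.
    stored = password_db.get(claimed_identity)
    ok = stored is not None and verify_md5_response(md5_resp, ident, stored, challenge)
    ident += 1
    trace.append(eap_unpack(eap_pack(EAP_SUCCESS if ok else EAP_FAILURE, ident))[0])
    return ok, trace


if __name__ == "__main__":
    db = {b"alice": b"correct horse"}                     # constructed credential store
    print(run_exchange(db, b"alice", b"correct horse"))  # (True, [1, 2, 1, 2, 3])
    print(run_exchange(db, b"alice", b"wrong"))          # (False, [1, 2, 1, 2, 4])
```

The trace lists the EAP codes in the order of Figure 2-5: Request, Response, Request (challenge), Response, then Success (3) or Failure (4). The code also makes the two weaknesses named in section 2.2 visible: the response is a plain hash over a static password and values carried in the clear, so an observer of one challenge/response pair can test candidate passwords offline, and nothing in the exchange proves the server's identity to the supplicant.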

2.4 RADIUS

Remote Authentication Dial In User Service (RADIUS) [6] is an AAA (Authentication, Authorization and Accounting) protocol for network access or IP mobility. A user enters a username and password in order to connect to the Internet. Before access to the network is granted, these credentials are passed to a network access server (NAS) over a link-layer protocol, for instance to an AP through 802.11, and then from the NAS to a RADIUS server over the RADIUS protocol. The RADIUS server checks that the information is correct using authentication schemes like EAP.

RADIUS is also commonly used for accounting purposes [7]. The NAS can use RADIUS accounting packets to notify the RADIUS server of events such as the user’s session starting time, ending time, volume of data transferred and reason for session ending. The primary purpose of this data is billing the user accordingly. RADIUS uses UDP instead of TCP as its transport protocol, with port 1812 for authentication and 1813 for accounting.

Next, we describe some RADIUS attributes used for 802.1X authentication [8] and the accounting service in our system.

In IEEE 802.1X, the supplicant typically provides its identity via an EAP-Response / Identity message. Where available, the supplicant identity is included in the User-Name attribute of the RADIUS Access-Request messages. The Called-Station-Id attribute is used to store the bridge or access point MAC address; in IEEE 802.11, where the SSID is known, it SHOULD be appended to the AP MAC address. The Calling-Station-Id attribute holds the supplicant MAC address.

In RADIUS accounting messages, the Acct-Session-Time attribute indicates for how many seconds the user has received service, and the Acct-Terminate-Cause attribute shows how the session was terminated. Besides, the total packets and volume of data transferred during the session are recorded in Acct-Input-Octets, Acct-Output-Octets, Acct-Input-Packets and Acct-Output-Packets.
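To make the packet structure behind sections 2.3 and 2.4 concrete, here is an added Python example (written for this page; it is neither the thesis's code nor a RADIUS library) that encodes and decodes the attributes named above, builds an Access-Request, lets the server answer with an Access-Accept whose Response Authenticator is MD5(Code || ID || Length || RequestAuth || Attributes || Secret) as in RFC 2865, verifies that authenticator on the NAS side, and builds and checks an Accounting-Request carrying the session counters. The shared secret, user name, MAC addresses, SSID and counter values are constructed.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes (RFC 2865, RFC 2866)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE, ACCESS_CHALLENGE = 4, 5, 11
# Attribute types used in section 2.4 (RFC 2865 section 5, RFC 2866 section 5)
ATTR = {"User-Name": 1, "Called-Station-Id": 30, "Calling-Station-Id": 31,
        "Acct-Status-Type": 40, "Acct-Input-Octets": 42, "Acct-Output-Octets": 43,
        "Acct-Session-Time": 46, "Acct-Input-Packets": 47, "Acct-Output-Packets": 48,
        "Acct-Terminate-Cause": 49}
NAME = {v: k for k, v in ATTR.items()}
INTEGER_ATTRS = {40, 42, 43, 46, 47, 48, 49}   # encoded as 32-bit big-endian integers
ACCT_STOP, CAUSE_USER_REQUEST = 2, 1           # Acct-Status-Type / Acct-Terminate-Cause values

def encode_attrs(attrs):
    """Attributes are TLVs: Type(1) Length(1, counts the two header bytes) Value."""
    out = b""
    for name, value in attrs:
        t = ATTR[name]
        data = struct.pack("!I", value) if t in INTEGER_ATTRS else value.encode()
        if not 1 <= len(data) <= 253:
            raise ValueError("attribute value must be 1..253 octets")
        out += bytes([t, len(data) + 2]) + data
    return out

def decode_attrs(blob):
    """Walk the TLVs, rejecting truncated or undersized lengths instead of over-reading."""
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 3 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        t, data = blob[i], blob[i + 2:i + blob[i + 1]]
        if t in INTEGER_ATTRS and len(data) != 4:
            raise ValueError("integer attribute %d has length %d" % (t, len(data)))
        value = struct.unpack("!I", data)[0] if t in INTEGER_ATTRS else data.decode("utf-8", "replace")
        attrs.append((NAME.get(t, t), value))
        i += blob[i + 1]
    return attrs

def authenticator(code, identifier, request_auth, body, secret):
    """MD5(Code || ID || Length || RequestAuth || Attributes || Secret): the Response
    Authenticator; with 16 zero octets as RequestAuth it is also the Accounting-Request
    authenticator of RFC 2866."""
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()

def packet(code, identifier, auth, body):
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + auth + body

def access_request(identifier, attrs):
    """NAS -> server; the Request Authenticator is 16 fresh random octets."""
    return packet(ACCESS_REQUEST, identifier, os.urandom(16), encode_attrs(attrs))

def reply(code, request, attrs, secret):
    """Server -> NAS; the Response Authenticator binds the reply to that request and the secret."""
    body = encode_attrs(attrs)
    return packet(code, request[1], authenticator(code, request[1], request[4:20], body, secret), body)

def accounting_request(identifier, attrs, secret):
    body = encode_attrs(attrs)
    return packet(ACCOUNTING_REQUEST, identifier,
                  authenticator(ACCOUNTING_REQUEST, identifier, bytes(16), body, secret), body)

def verify_reply(request, response, secret):
    """NAS-side check of a reply; returns (ok, code, attrs), with attrs only when ok."""
    if len(response) < 20:
        return False, None, []
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or identifier != request[1]:
        return False, code, []
    expected = authenticator(code, identifier, request[4:20], response[20:], secret)
    if not hmac.compare_digest(expected, response[4:20]):
        return False, code, []
    return True, code, decode_attrs(response[20:])

def verify_accounting_request(pkt, secret):
    """Server-side check that an Accounting-Request was built with the shared secret."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    return hmac.compare_digest(authenticator(pkt[0], pkt[1], bytes(16), pkt[20:], secret), pkt[4:20])

def demo(secret=b"constructed-shared-secret"):
    """One authentication plus one accounting Stop record, all values constructed."""
    req = access_request(9, [("User-Name", "alice"),
                             ("Called-Station-Id", "00-11-22-33-44-55:ExampleSSID"),  # AP MAC + SSID
                             ("Calling-Station-Id", "AA-BB-CC-DD-EE-FF")])           # supplicant MAC
    ok, code, attrs = verify_reply(req, reply(ACCESS_ACCEPT, req, [("User-Name", "alice")], secret), secret)
    stop = accounting_request(10, [("Acct-Status-Type", ACCT_STOP), ("Acct-Session-Time", 3600),
                                   ("Acct-Input-Octets", 123456), ("Acct-Output-Octets", 654321),
                                   ("Acct-Input-Packets", 800), ("Acct-Output-Packets", 900),
                                   ("Acct-Terminate-Cause", CAUSE_USER_REQUEST)], secret)
    return ok, code, dict(attrs), verify_accounting_request(stop, secret), dict(decode_attrs(stop[20:]))
```

Verifying the Response Authenticator is what lets the NAS reject an Access-Accept that was not produced by a server holding the shared secret: a reply whose Code byte has been changed, or one computed with a different secret, fails the check. When EAP is carried inside RADIUS (RFC 3579), an Access-Request containing EAP-Message must additionally carry a Message-Authenticator attribute; this example leaves that out to stay focused on the attributes discussed above.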

2.5 Introduction of Linux Netfilter/iptables

Netfilter [9] is a framework inside the Linux kernel for intercepting and manipulating network packets. Software inside the framework enables packet filtering, network address translation (NAT) and other packet mangling. Netfilter is a set of hooks inside the Linux kernel that allows kernel modules to register callback functions with the network stack. A registered callback function is then invoked for every packet that traverses the respective hook within the network stack.

iptables is the name of the user-space tool with which administrators create rules for the packet filtering and NAT modules. iptables is a standard part of the Linux 2.6.x kernel series. We can use netfilter/iptables to build Internet firewalls based on stateless and stateful packet filtering, and to apply NAT and masquerading for sharing Internet access.

There are three tables in Linux iptables: filter, nat and mangle. The filter table is designed to filter packets; the nat table can perform source address masquerading and destination redirection; the mangle table is used for mangling packets, like modifying the TTL and TOS fields.

In our system, we focus on the filter and nat tables. Each of them has three chains: the filter table holds the INPUT, OUTPUT and FORWARD chains, and the nat table holds the PREROUTING, POSTROUTING and OUTPUT chains.

The packet flow of our system in iptables is shown in Figure 2-6. When packets arrive, the packets of unauthorized users are redirected to the proxy server on the local host by the nat table PREROUTING chain. The filter table FORWARD chain controls all forwarded traffic at the network layer. Finally, the nat table POSTROUTING chain masquerades the source address for IP sharing.

Figure 2-6: The packet flow of our system in iptables
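The following Python is an added example, not the thesis's system, of how a gateway could drive the rules of Figure 2-6: a base rule set that redirects HTTP from unauthorized stations in nat PREROUTING, drops forwarding by default in filter FORWARD, and masquerades in nat POSTROUTING, plus per-station ACCEPT rules inserted when a station passes 802.1X and deleted again on logoff. The interface names (wlan0, eth0), the proxy port 3128 and the station addresses are assumptions; with dry_run=True the iptables commands are only recorded, which is how the example runs without root.

```python
import subprocess


class AccessGateway:
    """Keeps the set of authorized stations and maintains the iptables rules that
    implement the packet flow of Figure 2-6. Interface names, proxy port and all
    addresses are constructed assumptions; with dry_run=True nothing is executed."""

    def __init__(self, wlan_if="wlan0", wan_if="eth0", proxy_port=3128, dry_run=True):
        self.wlan_if, self.wan_if, self.proxy_port, self.dry_run = wlan_if, wan_if, proxy_port, dry_run
        self.authorized = {}   # station MAC -> IP, for stations that passed 802.1X
        self.commands = []     # every iptables invocation, in order, for inspection

    def _ipt(self, *args):
        cmd = ["iptables", *args]
        self.commands.append(" ".join(cmd))
        if not self.dry_run:
            subprocess.run(cmd, check=True)   # needs root and the iptables binary
        return cmd

    def setup(self):
        """Base rules: unauthorized web traffic goes to the local proxy, nothing is
        forwarded for unauthorized stations, outgoing traffic is masqueraded."""
        # nat PREROUTING: send HTTP from the WLAN to the proxy on this host. Per-station
        # ACCEPT rules are inserted above this rule, so authorized stations skip it.
        self._ipt("-t", "nat", "-A", "PREROUTING", "-i", self.wlan_if, "-p", "tcp",
                  "--dport", "80", "-j", "REDIRECT", "--to-ports", str(self.proxy_port))
        # filter FORWARD: drop by default, but let replies of accepted sessions through.
        self._ipt("-P", "FORWARD", "DROP")
        self._ipt("-A", "FORWARD", "-m", "state", "--state", "ESTABLISHED,RELATED", "-j", "ACCEPT")
        # nat POSTROUTING: masquerade on the uplink for IP sharing.
        self._ipt("-t", "nat", "-A", "POSTROUTING", "-o", self.wan_if, "-j", "MASQUERADE")

    def _station_match(self, mac, ip):
        # Bind the rule to the MAC and IP pair the station had when it authenticated.
        return ["-i", self.wlan_if, "-m", "mac", "--mac-source", mac, "-s", ip, "-j", "ACCEPT"]

    def authorize(self, mac, ip):
        """Called on EAP-Success / Accounting-Start. Returns False if already authorized."""
        if mac in self.authorized:
            return False
        match = self._station_match(mac, ip)
        self._ipt("-t", "nat", "-I", "PREROUTING", "1", *match)   # bypass the REDIRECT
        self._ipt("-I", "FORWARD", "1", *match)                    # allow forwarding
        self.authorized[mac] = ip
        return True

    def deauthorize(self, mac):
        """Called on EAP-Logoff / Accounting-Stop. Deletes exactly the rules added above."""
        ip = self.authorized.pop(mac, None)
        if ip is None:
            return False
        match = self._station_match(mac, ip)
        self._ipt("-t", "nat", "-D", "PREROUTING", *match)
        self._ipt("-D", "FORWARD", *match)
        return True

    def is_authorized(self, mac):
        return mac in self.authorized


if __name__ == "__main__":
    gw = AccessGateway()
    gw.setup()
    gw.authorize("AA:BB:CC:DD:EE:01", "10.0.0.5")   # constructed station
    gw.deauthorize("AA:BB:CC:DD:EE:01")
    print("\n".join(gw.commands))
```

Two caveats a practitioner should keep in mind with this layout: nat PREROUTING is consulted only for the first packet of a connection, so a station's connections that were already redirected keep going to the proxy until they end; and after deauthorize the ESTABLISHED,RELATED rule keeps the station's open sessions alive until their connection-tracking entries expire, so a gateway that needs an immediate cut-off must also clear those entries.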
