Solution: WLAN Authentication
Problem
Wireless LANs provide an excellent way for companies to reduce the installation and management of the physical networks. And users love Wireless LAN because it makes them more productive.
Unfortunately Wireless LAN security is seriously flawed, and the resulting publicity has made many people hesitant about implementing Wireless LAN systems.
New standards have now been widely adopted by network equipment manufacturers that significantly improve security of Wireless LAN networks. These standards - 802.11i and WPA2, including EAP and 802.1X - enable the use of a central authentication server, session key rotation and user authentication based on digital certificates and public key cryptography.
Adoption of these new standards has been slow because of the complexity of deploying and managing the client security, including keys, certificates and security settings.
Solution
Raak Smart Cards and USB Tokens provide a convenient and highly secure method for authenticating to a Wireless LAN. Raak’s solution works with all major Radius vendors.
The solution requires minimal configuration by the end user, and is ready to use with an EAP-TLS compatible certificate.
Together with a standard 802.1X compliant access point and an 802.1X compliant authentication server this solution enables a highly secure Wireless LAN implementation.
Benefits
- Standards Compliant: Supports the latest WLAN security standards, including WPA2, 802.1X and EAP-TLS.
- Supports All Major Vendors: Supports Radius servers from Microsoft (Windows 2000, 2003), Funk (Steelbelted Radius, Odyssey), Meetinghouse (Aegis), and other vendors supporting EAP-TLS.
- Ready to Use: Every Raak smart card and token is printed and configured for the end-user, and is ready to use right out of the box.
- Session Key Rotation: After (re)authentication, new session keys are generated to securely encrypt the wireless link between the client and access point.
- Transparent Re-authentication: After the PIN has been entered, re-authentication requires no further user interaction, enabling transparent roaming between access points and short re-authentication cycles for the Radius server.
- Portability: Raak smart cards and tokens allow the user to carry the digital certificates and their corresponding cryptographic data with them for use with multiple computers in multiple locations.
- Two factor authentication: A user needs both the physical Smart Card or USB Smart Token and the Smart Card PIN code in order to authenticate. This protects against misuse even if the card is lost or stolen.
How it works
The WLAN user has a digital certificate stored on a Smart Card or USB Token. When the user’s computer connects to an access point, the access point initiates an EAP-TLS (Transport Layer Security) authentication session, typically with a RADIUS authentication server. The user’s client software interacts with the authentication server, the user enters his PIN, the keys on the smart card are verified, and the access point is notified when the authentication session succeeds.
All major RADIUS vendors support the EAP-TLS protocol, including Windows 2003 server, Funk’s Odyssey and Steel Belted Radius servers, Interlink’s RAD series servers and Meetinghouse Data Communications’ Aegis server.
All major WLAN client vendors support the EAP-TLS protocol with the support of smart cards, including Microsoft, Cisco, Funk and Meetinghouse Data Communications.