AP - access point - the network access device for an 802.11 wireless network. It contains a radio receiver/transmitter. It may be an 802.1x authenticator.
CA - certification authority - an entity that issues digital certificates (especially X.509 certificates) and vouches for the binding between the data items in a certificate.
CRL - certificate revocation list - a data structure that enumerates digital certificates that have been invalidated by their issuer prior to when they were scheduled to expire.
EAP - extensible authentication protocol - a protocol used between a user station and an authenticator or authentication server. It acts as a transport for authentication methods or types. It, in turn, may be encapsulated in other protocols, such as 802.1x and RADIUS.
EAP-LEAP - (Lightweight Extensible Authentication Protocol) - is a Cisco proprietary EAP-Type. It is designed to overcome some basic wireless authentication concerns through Mutual Authentication and the use of dynamic WEP keys.
EAP-PEAP - (Protected Extensible Authentication Protocol) - is a two-phase authentication like EAP-TLS. In the first phase the Authentication Server is authenticated to the Supplicant using an X.509 certificate. Using TLS, a secure channel is established through which any other EAP-Type can be used to authenticate the Supplicant to the Authentication Server during the second phase. A certificate is only required at the Authentication Server. EAP-PEAP also supports identity hiding where the Authenticator is only aware of the anonymous username used to establish the TLS channel during the first phase but not the individual user authenticated during the second phase.
EAP-TLS - (Transport Layer Security) - is an EAP-Type for authentication based upon X.509 certificates. Because it requires both the Supplicant and the Authentication Server to have certificates, it provides explicit Mutual Authentication and is resilient to man-in-the-middle attacks. After successful authentication a secure TLS link is established to securely communicate a unique session key from the Authentication Server to the Authenticator. Because X.509 certificates are required on the Supplicant, EAP-TLS presents significant management complexities.
EAP-TTLS - (Tunneled TLS) - is an EAP-Type for authentication that employs a two-phase authentication process. In the first phase the Authentication Server is authenticated to the Supplicant using an X.509 certificate. Using TLS, a secure channel is established through which the Supplicant can be authenticated to the Authentication Server using legacy PPP authentication protocols such as PAP, CHAP, and MS-CHAP. EAP-TTLS has the advantage over EAP-TLS that it only requires a certificate at the Authentication Server. It also makes possible forwarding of Supplicant requests to a legacy RADIUS server. EAP-TTLS also supports identity hiding where the Authenticator is only aware of the anonymous username used to establish the TLS channel during the first phase but not the individual user authenticated during the second phase.
SPEKE - Simple Password-authenticated Exponential Key Exchange - an authentication method, based on a Diffie-Hellman key exchange, that provides strong authentication using small passwords. SPEKE does not require a certificate for either client or server. SPEKE protects passwords and user information during the authentication dialog, allowing customers to take advantage of existing password models. It may be implemented as an EAP method, and does not require any PKI support or certificate infrastructure.
TKIP - Temporal Key Integrity Protocol - a protocol being considered for standardization in the draft IEEE 802.11i standard as a replacement for WEP. It has been endorsed by the Wi-Fi Alliance for use in Wi-Fi Protected Access (WPA).
WEP - Wired Equivalent Privacy - a protocol utilized by the IEEE 802.11 standard for protecting the session between a user station and an Access Point. Since the publication of IEEE 802.11-1999, WEP has been demonstrated to be easily crackable.
ZKPP - Zero Knowledge Password Proof - the process by which strong password authentication methods may enable two parties to prove to each other that they know a password without revealing anything about the password to an eavesdropper listening in on the exchange.
802.1X - The IEEE 802.1X standard, Port Based Network Access Control, defines a mechanism for port-based network access control that makes use of the physical access characteristics of IEEE 802 LAN infrastructure. It provides a means of authenticating and authorizing devices attached to a LAN port that has point-to-point connection characteristics. The 802.1X specification includes a number of features aimed specifically at supporting the use of Port Access Control in IEEE 802.11 Wireless LANs (WLANs). These include the ability for a WLAN Access Point to distribute or obtain global key information to/from attached stations, following successful authentication.
authentication - the process of verifying a claimed identity.
authentication server - in 802.1x, an entity that provides an authentication service to an authenticator. This service determines, from the credentials provided by the supplicant, whether the supplicant is authorized to access the services provided by the authenticator.
authenticator - in 802.1x, an entity at one end of a point-to-point LAN segment that facilitates authentication of the entity attached to the other end of that link.
authorization - the process of granting permission to access and utilize a network service.
Diffie-Hellman key exchange - The Diffie-Hellman key agreement protocol (also called exponential key agreement) was developed by Diffie and Hellman in 1976 and published in the groundbreaking paper "New Directions in Cryptography." The protocol allows two users to exchange a secret key over an insecure medium without any prior secrets. Interlink Networks' implementation of the SPEKE authentication method uses a hash of the password as the Diffie-Hellman generator. This prevents man-in-the-middle attacks.
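The SPEKE and Diffie-Hellman entries above describe the one detail that distinguishes SPEKE from plain Diffie-Hellman: the generator is a hash of the password rather than a fixed public value. The toy Python exchange below is an added illustration, not Interlink Networks' code; the prime, the hash choice and the passwords are constructed, and the prime is far too small for real use.

```python
import hashlib
import secrets

# Constructed toy parameters: a safe prime p = 2q + 1 (q = 5003 is prime),
# far too small for real use but enough to show the mechanism.
P = 10007
Q = (P - 1) // 2


def password_generator(password: str, p: int = P) -> int:
    """SPEKE generator g = H(password)^2 mod p instead of a fixed public g.

    Squaring puts g in the order-q subgroup of a safe-prime group for any
    password. Degenerate values (0 or 1) are rehashed; with p = 3 mod 4 a
    square can never equal p - 1.
    """
    digest = hashlib.sha256(password.encode()).digest()
    while True:
        g = pow(int.from_bytes(digest, "big"), 2, p)
        if g not in (0, 1):
            return g
        digest = hashlib.sha256(digest).digest()


def in_subgroup(v: int, p: int = P, q: int = Q) -> bool:
    """Reject 0, 1, p-1 and anything outside the order-q subgroup."""
    return 1 < v < p - 1 and pow(v, q, p) == 1


def speke_exchange(client_password: str, server_password: str, p: int = P):
    """Run one exchange; return (client_key, server_key) as hex digests.

    Each side derives its generator from the password it knows. A party with
    the wrong password starts from a different g, so the two keys differ by
    (g1/g2)^(ab) with q not dividing ab: they can never match.
    """
    g_c = password_generator(client_password, p)
    g_s = password_generator(server_password, p)
    a = secrets.randbelow(Q - 2) + 2          # private exponents in [2, q-1]
    b = secrets.randbelow(Q - 2) + 2
    A = pow(g_c, a, p)                        # client -> server
    B = pow(g_s, b, p)                        # server -> client
    if not (in_subgroup(A, p) and in_subgroup(B, p)):
        raise ValueError("peer value outside the safe subgroup")
    size = (p.bit_length() + 7) // 8
    k_client = hashlib.sha256(pow(B, a, p).to_bytes(size, "big")).hexdigest()
    k_server = hashlib.sha256(pow(A, b, p).to_bytes(size, "big")).hexdigest()
    return k_client, k_server


if __name__ == "__main__":
    same = speke_exchange("correct horse", "correct horse")
    wrong = speke_exchange("correct horse", "guess")
    print("matching password:", same[0] == same[1])   # True
    print("wrong password:   ", wrong[0] == wrong[1])  # False
```

An attacker who intercepts A and B but does not know the password cannot compute the correct g, which is why the entry describes the password-derived generator as the defence against man-in-the-middle attacks.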
rogue access point - any access point that is operated by some party other than the service provider who operates a local network and that impersonates an access point operated by the service provider.
strong password authentication methods - any of a family of authentication methods that provide strong authentication using small passwords.
supplicant - in 802.1x, an entity at one end of a point-to-point LAN segment that is being authenticated by an authenticator attached to the other end of that link.
user - a person or software process that accesses network services and uses network resources.
user station - the system or device by which a user accesses a network service.