7. WPA in action - AP "Enterprise"

Updated June 30, 2003

Figure 3 shows the Belkin AP when I selected the WPA (with RADIUS server) option.

Figure 3: WPA (Radius) Authentication

You can see that setup for this "Enterprise" mode of WPA isn't that much more complicated. All you need to enter is the IP address of the RADIUS server, its port number (the default of 1812 is entered for you), and the RADIUS key (similar to the WPA password).

Belkin also lets you specify the Re-Key Interval, which is the rate that the AP or RADIUS server pushes a new Group Key out to all clients. The Re-Keying process is part of WPA's enhanced security and is the WPA equivalent of automatically changing the WEP key for an AP and all stations in a WLAN on a periodic basis. Setting of the Re-Key Interval is also supported by some APs in WPA-PSK mode, while others - like the Belkin - rely on a non-adjustable Re-Key Interval instead.

The configuration of the RADIUS server is beyond the scope of this NTK, but basically, it replaces the single password with per-user authentication. Figure 4 illustrates this mode, where the AP just passes the authentication request to a RADIUS server instead of performing the authentication itself. The server then checks the user's credentials against its records, grants or denies network access accordingly, and then issues the Group Key to all stations so that they can begin encryption and sending / receiving data.

Figure 4: WPA "Enterprise" Authentication
(Diagram from Wi-Fi Alliance Networld+Interop 2003 Media Presentation
Used by permission)

There's nothing special you need to do at the RADIUS server itself to support WPA, since the wireless client WPA authentication looks the same as any other client's. This assumes, however, that the server supports 802.1X authentication and the desired EAP (Extensible Authentication Protocol) l types. I'll go into this more in the next section, which describes the Client end of WPA.