The Nuts & Bolts of Purple Air
 
WARNING: Techie Talk to follow!

Williams College Wireless provides convenience and mobility, but it also presents several security challenges. Security for 802.11 networks can be broken down into three categories: the authentication framework, the authentication algorithm, and data frame encryption. The technology behind Purple Air addresses the authentication framework (802.1X) and data frame encryption (WPA/WPA2).

network diagram

The authentication built into the base 802.11 standard (open-system and shared-key authentication) establishes WLAN connectivity rather than verifying the identity of the user or station. For enterprise wireless security to scale to hundreds or thousands of users, that method must be replaced by an authentication framework that supports centralized, secure user authentication.

Williams uses 802.1X on the network to better protect users from security breaches. Because wireless traffic is sent over the air, anyone in range can capture it. 802.1X does not encrypt that traffic by itself; rather, a successful 802.1X authentication produces per-session keying material that WPA/WPA2 uses to encrypt each client's data frames. Encrypted traffic can still be captured, but it cannot be easily decoded, and each client's session is protected by its own key rather than by one password shared by everyone on the network.

The 802.1X standard defines port-based network access control. It was written for wired Ethernet ports and was adopted by WPA/WPA2 Enterprise to secure wireless local area networks (WLANs) that follow the IEEE 802.11 standard. 802.1X provides an authentication framework for wireless LANs, allowing a user to be authenticated by a central authority. The actual method used to decide whether a user is authentic is left open: 802.1X carries the Extensible Authentication Protocol (EAP), and many EAP methods are possible.

Purple Air uses the Protected Extensible Authentication Protocol (PEAP), one of the EAP methods covered by the Wi-Fi Protected Access Enterprise certification (WPA/WPA2 Enterprise), for the message exchange during the authentication process.

PEAPv0/EAP-MSCHAPv2 is the technical term for what people most commonly refer to as “PEAP”. There are several variants of PEAP. After EAP-TLS, PEAPv0/EAP-MSCHAPv2 is the second most widely supported EAP method in the world, which is one of the reasons we chose to deploy it. It runs EAP-MSCHAPv2, a username/password exchange, inside a TLS tunnel that is authenticated by the server's certificate, so the password exchange is protected by the tunnel as long as the client verifies that certificate.

When connecting to Purple Air with 802.1X, a user’s client software (known as the supplicant) requests access from an access point (known as the authenticator). The access point holds the client in an unauthorized state in which only EAP-over-LAN (EAPOL) frames are accepted, so the client can send nothing but an EAPOL-Start message. The access point answers with an EAP-Request/Identity message asking for the user’s identity. The client returns the identity, which the access point forwards to the authentication server (typically a RADIUS server). The server then completes the PEAP exchange with the client: it sets up the TLS tunnel, verifies the user’s MSCHAPv2 credentials inside it, and returns an accept or reject message to the access point. On an accept, the server also supplies keying material from which the access point and client derive the session encryption keys; the access point changes the client’s state to authorized and normal traffic can now take place. Because the password exchange is only as safe as the TLS tunnel around it, the client must be configured to validate the authentication server’s certificate; a client that skips this check will hand its MSCHAPv2 exchange to any access point advertising the same network name.
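The exchange described above, as an added toy model that is not OIT code: a supplicant, an access point that enforces the controlled-port state, and a stand-in authentication server. The inner EAP-MSCHAPv2 step is replaced by a plain password comparison (marked SIMPLIFIED) so the model runs without MD4/DES; the user database, the user’s credentials and the server certificate name are constructed. It also shows what happens when the server’s certificate name does not match what the client trusts.

```python
"""Toy model of the 802.1X/PEAP exchange: EAPOL-Start, EAP-Request/Identity,
the outer TLS tunnel (server certificate reduced to a name), the inner
credential check, Access-Accept/Reject, and the access point's controlled
port moving from unauthorized to authorized. Added example, not OIT code.
"""
from dataclasses import dataclass, field

USER_DB = {"eph": "correct-horse"}      # constructed user database
SERVER_NAME = "radius.example.edu"      # assumed name in the RADIUS server certificate


@dataclass
class Frame:
    kind: str                            # "EAPOL-Start", "EAP" or "DATA"
    payload: dict = field(default_factory=dict)


class AuthServer:
    """Stand-in for the central RADIUS server that terminates PEAP."""

    def __init__(self, users, server_name):
        self.users, self.server_name = users, server_name

    def handle(self, eap):
        if eap["step"] == "identity":
            # The outer identity may be anonymous; the real check happens in the tunnel.
            return {"step": "tls-server-hello", "cert_name": self.server_name}
        if eap["step"] == "inner-mschapv2":
            # SIMPLIFIED: real MSCHAPv2 is a challenge/response, never a password compare.
            ok = self.users.get(eap["user"]) == eap["password"]
            return {"step": "accept" if ok else "reject"}
        return {"step": "reject"}


class Authenticator:
    """Access point: relays EAP to the server and enforces the port state."""

    def __init__(self, auth_server):
        self.auth_server = auth_server
        self.authorized = False

    def receive(self, frame):
        if frame.kind == "DATA":
            # Unauthorized controlled port: only EAPOL gets through.
            return {"step": "forwarded" if self.authorized else "dropped"}
        if frame.kind == "EAPOL-Start":
            return {"step": "request-identity"}
        reply = self.auth_server.handle(frame.payload)   # RADIUS relay
        if reply["step"] == "accept":
            self.authorized = True                        # port opens
        return reply


class Supplicant:
    """Client software; trusts exactly one server certificate name."""

    def __init__(self, user, password, trusted_server_name):
        self.user, self.password = user, password
        self.trusted_server_name = trusted_server_name

    def connect(self, ap):
        assert ap.receive(Frame("EAPOL-Start"))["step"] == "request-identity"
        hello = ap.receive(Frame("EAP", {"step": "identity", "identity": "anonymous"}))
        # Validate the server certificate before sending credentials; otherwise a
        # rogue access point could collect the MSCHAPv2 exchange.
        if hello.get("cert_name") != self.trusted_server_name:
            return "abort-untrusted-server"
        inner = {"step": "inner-mschapv2", "user": self.user, "password": self.password}
        return ap.receive(Frame("EAP", inner))["step"]


def run_exchange(user, password, server_name=SERVER_NAME):
    """Return (auth result, fate of a data frame before auth, fate after auth)."""
    ap = Authenticator(AuthServer(USER_DB, server_name))
    before = ap.receive(Frame("DATA", {"body": "hello"}))["step"]
    result = Supplicant(user, password, SERVER_NAME).connect(ap)
    after = ap.receive(Frame("DATA", {"body": "hello"}))["step"]
    return result, before, after


if __name__ == "__main__":
    print(run_exchange("eph", "correct-horse"))     # ('accept', 'dropped', 'forwarded')
    print(run_exchange("eph", "wrong-password"))    # ('reject', 'dropped', 'dropped')
    print(run_exchange("eph", "correct-horse", server_name="evil-twin"))
```

The third call models an access point backed by a server whose certificate name the client does not trust: the supplicant aborts before sending its credentials, and the port stays closed.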

Anyone with a Williams account can use 802.1X; however, there are restrictions on client software and hardware:

OIT supports the following operating systems with 802.1X:
Microsoft Windows XP/Vista
Macintosh Mac OS 10.4.1 (Tiger) or later.

Other operating systems, such as Ubuntu, are not supported by OIT but will generally work with Purple Air.
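For Linux clients using wpa_supplicant, the network block below is an added example (not an OIT-supplied configuration) of a PEAPv0/EAP-MSCHAPv2 profile. The SSID string, the CA certificate path and the server certificate domain are assumptions, not values taken from this page; the one setting that matters for security is that ca_cert is present, so the client validates the authentication server’s certificate before sending its password.

```conf
# Added example for wpa_supplicant (Linux); not an OIT-supplied file.
# Assumed, not from this page: the SSID text, the CA bundle path and the
# domain_suffix_match value.
network={
    ssid="Purple Air"                 # assumed SSID text
    key_mgmt=WPA-EAP                  # WPA/WPA2 Enterprise
    eap=PEAP
    phase1="peaplabel=0"              # PEAPv0
    phase2="auth=MSCHAPV2"            # inner EAP-MSCHAPv2
    anonymous_identity="anonymous"    # outer identity sent in the clear
    identity="your-williams-username"
    password="your-password"
    # Weak: leaving ca_cert out makes the client accept any server
    # certificate, so a rogue access point could collect the MSCHAPv2
    # exchange. Always set it:
    ca_cert="/etc/ssl/certs/ca-certificates.crt"   # assumed CA bundle path
    domain_suffix_match="williams.edu"             # assumed; pins the server name
}
```

domain_suffix_match requires a reasonably recent wpa_supplicant; on older releases, omit that line but keep ca_cert.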

Williams’ implementation of 802.1X requires a wireless network card and driver that support Wi-Fi Protected Access (WPA/WPA2). Please refer to our online support page for additional information.

More Information about Wireless Networking:

Some of the above information was drawn from Wikipedia. Wikipedia copyright notice.
