Sparco 802.11 Hotspot Rollout

Wi-Fi Hotspot Deployment

What is a Hotspot?

A public Hotspot is essentially a public area within the usable range of a wireless network that is intended for anyone, whether paying or free of charge, to have the capability to access the Internet for any purpose, including connecting to their home or corporate intranet. Anyone with a compatible wireless network device, such as a PDA, cell phone, notebook computer, or handheld game, can connect to the Internet or a private intranet, send and receive email, and download files.

The sheer number of people emailing, chatting, shopping, uploading and downloading files, surfing the web, and playing games across the Internet is phenomenal and increasing; offering wireless network connections brings customers into a place of business and/or leads them to choose one place of business over another.

For example, business travelers can work from their hotel rooms, and special events staff can update schedules, locations, results, and specialized content for their customers without installing kiosks and having lines queued up waiting for a terminal to become available. Employees can work from a local coffee shop while enjoying a café latte or cup of tea. These benefits offer a revenue opportunity for both the service provider and the owner of the site.

Hotspot Component Overview



• Mobile Station(s)

• Access Point(s)

• Switches

• Routers

• Network Access Controller

• Web Server

• AAA Server

• WAN backhaul (DSL, T-1)

• Internet Service Provider (ISP)

• Wireless ISP (WISP)

Public Wi-Fi Hotspot Deployment



WLAN offers a great opportunity for subscribers to gain wireless high-speed access while on the go, and for service providers to stimulate growth in the wireless data market. To gain acceptance among subscribers, a public WLAN service needs to meet two key requirements:

Consistent coverage. Hotspots have to be in easily identifiable locations and in sufficient number to enable users to quickly locate a hotspot in urban areas and in key locations such as airports, major hotels and conference centers.

Easy access. The service has to be easy to use and must not require users to enter lengthy information, such as credit card numbers, every time they want to establish a connection.

The current WLAN market for public access is characterized by fragmentation among operators and the coexistence of different business models. Such deployment of WLAN infrastructure does not encourage users to subscribe to a service that is often available at a very limited number of locations. Business users who need connectivity while traveling often end up with a high number of subscriptions to manage. At the same time, it is unlikely that a single provider will emerge as the dominant one, controlling a large portion of the hotspots within a country.

The state of WLAN deployment today

Universal Access Method (UAM). According to the Wi-Fi Alliance, the most prevalent form of access today is based on UAM e-commerce.



The UAM sign-on usage model:



A Hotspot intercepts and redirects a user’s web browser to a local web server secured by TLS.



The user’s identity is authenticated to the UAM login page typically by entering a name and password.



Strengths of UAM:



Ease of deployment.



Minimal requirements on the mobile client: only web browser support is needed to gain access.



Drawbacks of UAM:



Users with VPN settings that do not allow them to access a local web server.



Session redirection has proven to be a security flaw that may expose a user’s credentials or credit card details.



UAM security limitations can be overcome by using Wi-Fi Protected Access. Wi-Fi CERTIFIED products with Wi-Fi Protected Access protect the client and the network by using IEEE 802.1X authentication to mutually authenticate the AP and the mobile client, and provide security through encryption with TKIP.

Understanding Customer’s Expectations



Customer cost expectations



Performance expectations



Security expectations



Availability and reliability expectations

Customer cost expectations



To bill or not to bill depends on the environment:



Hotels and coffee shops will usually charge



Trade shows or special events probably will not charge

Performance Expectations





Hotspots are advertised to have high-speed connectivity, so design with high speed as the minimum:



Design a minimum of 100Kb/s transfer rate per user

Security expectations



Users are aware of security vulnerability & malicious acts on the network



The wireless service provider should secure the link



It is the user’s responsibility to provide security at the application level

Personal firewalls

Users usually will not have a personal firewall loaded

Availability and Reliability Expectations



Customers will expect the wireless connection to work at all times

The biggest effect on perception is ease of network connectivity



Be aware of things that may cause a problem

New network loads unforeseen during deployment

New access points transmitting on a conflicting channel

New construction on or in Hotspot

Building improvements (lead-based paint on antennas)



Maintain consistent Hotspot availability

Monitor the network frequently

Look for usage patterns

Watch how your network performs

Fully understand the availability and reliability of the Hotspot

3 Key Factors in Calculating a Hotspot’s Bandwidth Requirement









Physical size

Determines how many wireless access points must be deployed



Number of users

This number, along with their usage patterns, will determine the bandwidth required to provide a minimum of 100kbps per active user



Usage models

The types of applications the users will run while connected to the Hotspot





Example: 200Kbps X 5 simultaneous users = 1,000Kbps = 1.0 Mbps bandwidth needed

Size, Number of Users, and User Types Affect Requirements



Coffee shop

One access point will usually cover a typical shop’s physical area

Fewer than five simultaneous users at any time

Applications used will be e-mail, web surfing and on-line chat

5 X 100kbps = 500kbps would be needed



Hotel

A hotel could require 20 or more access points depending on the user base

User density in conference rooms might require more access points

Users are business type; email, corp. intranets, web-surfing and file downloads

A T1 (1.5 Mbps) or higher bandwidth Internet connection will be required



Convention center

Vast amount of space and a large user population

Possibility of high user density in the conference sessions

Fifty or more access points to cover large area and provide for users

Email, corporate intranet access, web-surfing and file downloads

Special, event-specific content

10s to 100s of Mbps of bandwidth required for this scenario

Hotspot Functionality and Network Components

Features & Functionality Hotspots Need to Provide



Enabling access to the wireless link

Providing the mobile station with information about the wireless network

Creating an association with the mobile station

Providing access to the local network

Providing data packet transfer services

Disassociation from the mobile station

Provisioning the Hotspot

Page redirection function

Mobile station authentication

User authorization

Layer 3 (IP) Address Management

Providing an IP address for the mobile device

Private to public address translation if necessary

Providing Domain Name Services (DNS)

Providing information about gateways

Providing access to Hotspot LAN

Providing access to the WAN

Protecting user data privacy

Provide accounting information (keep track of user network usage)

One of Many Possible Hotspot Configurations

Hotspot Wiring Layout

Access Points Enable Wireless Access





WiFi Access Points “BEACON” WLAN Information; this is not optional





WiFi Access Points “ADVERTISE” Their SSID, Optionally

Broadcasting the SSID is not mandatory or necessary to establish a connection

Setting SSID Advertise to “off” is a security method, although not a robust one





An MS Can Proactively Get Information From An Access Point One Of Two Ways

Send Probe Request to discover

Send a Request for Association







Hotspots always want to advertise their SSID so that potential users can easily find the Hotspot network.

Device and User Authentication

802.11 uses WEP in two ways

Device Authentication

Data encryption

WEP can be used for authentication, but you must also use it for encryption

WEP can be used for encryption, but not for authentication

Not using WEP for authentication is called “Open Authentication”

Using WEP for authentication is called “Pre-shared key Authentication”

If you know the shared secret, then you’re OK to use the network

The same key is used for authentication and encryption

WEP only provides device authentication, it does not provide user authentication

When TKIP or AES encryption is used, Open Authentication is the only mode allowed

WPA and AES include user authentication mechanisms (802.1X EAP)

Device Authorization & Access to the Local Network





A mobile station (MS) authorized to connect to the network has associated with the access point and can send/receive packets through that association

Authentication is required for authorization

This enables association in 802.11

Association is not required in order to exchange management frames

Association is required to pass packets through the access point to other network components

WEP-enabled wireless networks rely on the access point to authorize clients

WEP is not used in Hotspots, therefore Open Authentication is in effect

Mobile stations are authorized and associated at request

When Hotspots use WPA or AES, authorization generally comes from an AAA server

When the Mobile Station has an association, it can send/receive data frames on Hotspot network

The access point is now essentially a bridge between the wireless and wired networks

802.11 Privacy and Security Options

WEP & WEP2 (Wired Equivalent Privacy): Client matches access point secret key.

Encryption key keeps the same value long enough to be easily broken

User Authentication largely missing

WiFi Protected Access (WPA) & WPA2: A subset of the 802.11i draft that was ready for market.

802.1x/EAP-TLS/TKIP/RADIUS, AAA Server for user authentication

The only parts of 802.11i missing are Secure IBSS, secure fast handoff, secure de-authentication and disassociation, and enhanced encryption protocols such as AES-CCMP.

EAP: The Extensible Authentication Protocol, a method of conducting an authentication conversation.

Extensible Authentication Protocol over LAN (EAPOL): 802.1x standard encapsulation for LAN MAC service.

RADIUS: Remote Access Dial In User Service; provides standard Authentication, Authorization and Accounting.

802.1x Architecture: 802.1x port-based access control.

Provides a controlled wireless network with user identification, centralized authentication, and dynamic key management, which rectifies drawbacks in WEP security when WEP is used

VPN (Virtual Private Network): Used to protect enterprise remote-access workers’ connections.

Creates a secure virtual "tunnel" from the end-user's computer through the Internet, all the way to the corporation's servers and systems

Although considered the most secure, it is not very scalable to large numbers of personnel

Effect Of Security Mechanisms On Performance









IEEE 802.11 & 802.1x Security Levels

(Security Levels 1 through 5 based on 802.11 standards

Security Levels 6 through 8 based on 802.1x standards)



1 No Security

2 MAC Address Authentication

3 WEP Shared-key Authentication

4 WEP Authentication/40-bit WEP Encryption

5 WEP Authentication/128-bit WEP Encryption

6 EAP-TLS/PKI Authentication/Digital Certificates

7 EAP-TLS Authentication/40-bit WEP Encryption

8 EAP-TLS Authentication/128-bit WEP Encryption

Switch/Hub



Standard Switch or Hub:

Provides multiple ports for connectivity to the Hotspot’s backhaul

Sophisticated Switch with VLAN-capabilities:

Physically separate ports

Connect two or more ports together

Route packets from one port to another

Tag packets based on source or destination port

Provide Specific Quality of Service to Identified Users:

Apply special treatment to specific users

Reduce services to others

Network Access Controller

Network Access Controller (NAC)

Controls access to the network by user authentication or smart filtering

Page redirection, Network usage tracking for accounting and billing









Two very popular NACs are sold by Bluesocket and Nomadix

Address Allocation Manager



A Dynamic Host Configuration Protocol (DHCP) server

Provides the MS and network components unique IP addresses

Also provides information such as the IP addresses of the gateway and DNS servers to use

Public IP addresses

Routable IP addresses that allow communication to Internet devices

Hard to obtain and costly when leased from an ISP

Private IP addresses

Most Hotspots will choose to use private IP addresses for mobile stations on their LANs

Private IP addresses are not routable; to communicate on the Internet a Network Address/Port Translator (NAPT) is used

Network Address/Port Translator



Translates private IP addresses to a public IP address

Maps many private IP addresses to a single public IP address by changing the port that is used with the public address.









Make sure that your NAPT device supports multiple simultaneous VPN connections to the same VPN server. This service will be important to your enterprise customers. When testing the NAPT device or when specifying it for purchase, make sure that this requirement is met when using the most popular tunneling protocols (GRE, PPTP, L2TP, IPSec). If possible, test multiple VPN support using the most popular VPN products (e.g. Cisco, Microsoft, CheckPoint, Nortel, Netstructure).

WAN Access Gateway/Router



The point of exit from the Hotspot to the ISP

The function of providing access to a WAN

The type of backhaul to the ISP determines the router type

ADSL, T1, T3, E1 and E3.









Consult your ISP for advice on the best WAN Access Router choices to match the ISP’s service and equipment.

LAN - WAN Backhaul - Internet Service Provider (ISP)



The Hotspot LAN

Typically implemented with CAT5 Ethernet cable

Network interfaces supporting Fast Ethernet or even Gigabit Ethernet

Access points and other Hotspot network components connected with switches or routers

Access points configured for L2 roaming cannot pass network traffic through a router

WAN Backhaul Connecting the Hotspot to the Internet

Low cost DSL or high bandwidth Leased Line for the WAN Backhaul?

The Service Provider needs to accurately calculate the bandwidth requirements

Estimate, statistically, how many users will require a full 100Kbps simultaneously

Collect data at existing Hotspots or base on customer information

Keep track of the number of customers that sign up for Internet access at a hotel

After the Hotspot is functional, the best thing to do is monitor network usage trends

Internet Service Provider – ISP

ISPs provide the connection between the Hotspot and the Internet or other WAN

ISPs can provide WISP services and in some cases do (AT&T, T-Mobile, and Verizon)

When the ISP and WISP are not the same, the WISP will select the appropriate ISP

The connection to the ISP from a Hotspot should be a high speed connection (DSL, T1 or T3)

Wireless Internet Service Provider – WISP





Services provided by WISPs:

Hotspot Design

Access control and monitoring

Wi-Fi Hotspot Management

Provisioning

Remote Hotspot Health Monitoring

Managing hardware/software updates

Network Configuration Management

User Account Management

Authentication

Security

Accounting & Billing

WAN Access





WISPs do not necessarily have to own the physical Hotspot locations

WISPs and location owners will sometimes establish business relationships

In some cases, owners will establish service contracts with several WISPs

Authentication Authorization and Accounting (AAA) Server





A generic term for a component that provides authentication, authorization and accounting

Authentication: the process of identifying a unit that wishes to engage in a transaction

Authentication can be mutual, using an authentication protocol such as EAP-TTLS or PEAP

Authorization: the enablement of access to specific resources

Once authenticated, authorization can take place by enabling a port on a switch

The port enabled might provide access to Web services, databases etc.

Accounting refers to tracking resource utilization

Utilization data can be used for billing, performance tuning or other reasons

Typically, the AAA server resides on-site at the WISP location or at the Hotspot

Other times, the AAA services are distributed between servers at multiple locations

The distributed servers communicate with each other to provide a complete set of services





RADIUS (Remote Authentication Dial In User Service) is a standardized protocol used to communicate with and between AAA servers and AAA agents. Support for this protocol is widely available in the industry.

Understanding Wireless Environments




A wireless network can be successfully installed with due diligence:

• Investigate site requirements regarding the type of Hotspot implementation

• Perform a Site Survey to assess the challenges

• Evaluate the site for coverage and placement of access points

• Choose your equipment carefully to match the Hotspot’s environment

• Take appropriate precautions to ensure the proper level of wireless security.

Performing an RF Site Survey

The most important part of any wireless implementation

Requires three pieces of equipment to perform:

Test/Standard access point

Site Survey/RF Analyzer software

Notebook computer or PDA

RF site surveys require patience and a keen eye for detail

Ovens, portable phone systems, wireless video monitors, and metal walls do not appear on the RF analyzer

Cordless phones and microwaves cause interference only when in use





You should perform a site survey at a time when the network will most likely be in use. If possible, several visits to the site will help make sure that no additional sources of interference are present. Make a log of any activity, including channel, MAC address, and signal strength.

Types of RF Interference



Direct interference

Other 802.11 devices; performance impact most noticeable

Indirect interference

Non-802.11 devices are also free to operate in this spectrum

Primarily burst devices, difficult to detect, shows up as a high noise floor

Path interference

Reflection, Refraction, Diffraction, Scattering

Line of Sight interference

Signal absorption from interfering objects (walls, furniture and trees)

(Figure: reflection, refraction, diffraction and scattering)

Once the installation is complete, the survey should be completed again to look for possible problems that were missed during the initial survey. It is quite likely that once saturated with RF, the environment will become much more complex and noisy.

Performance Considerations



Distance (between transmitter and receiver)

Stepping down data rates acts to lower generated errors

Pro-active methods used by the protocols to deal with signal interference

(RTS/CTS) reserves the channel before transmission of data frames

Overhead of protocol

Site Coverage & Roaming



Prior to performing the site survey determine the coverage requirements

Complete coverage of facility is usually not required

stairwells and hallways

bathrooms

Roaming requires a flat network or Mobile IP

Mobile IP is rarely implemented

Important to maintain a flat network in areas where users are roaming

Especially important for applications like VPNs, email, and SSL

Access Point Cell Size, Layout & Placement

Appropriate AP Placement

Consider the data from the RF survey coupled with security requirements

Surveying from “Out to In” will help to not over-cover

Consider the access points’ channel layout and cell size

Only 3 non-interfering (non-overlapping) channels are available for use in 802.11b

Be familiar with the sphere of RF radiated by a given access point.

Access point density

Small Environments (Coffee Shops)

Concerns are mainly coverage of the usage areas and backhaul throughput

Large Environments (hotels, airports, and offices)

AP density may need to increase to service a larger set of users

Increasing AP density

Lowering the power output allows for more access points in a given area

Allows for more users to be serviced with higher throughput

Channel infrastructure layout considerations









802.11a utilizes the 5 GHz frequency spectrum and is more limited in effective coverage distance than 802.11g (2.4 GHz) due to frequency and power limitations. You will need about 2 to 3 times as many 802.11a access points to cover the same area as 802.11g.
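Working through the survey-log and channel-layout guidance above (log channel, MAC address and signal strength; only channels 1, 6 and 11 are non-overlapping in 802.11b), here is an added Python example that is not part of the original deck. The CSV-style log format, the BSSID inventory and the -80 dBm threshold are assumptions, and the log lines are constructed.

```python
"""Analyse an RF site-survey log for channel conflicts and unknown APs.

Constructed example for the survey/channel-layout discussion. The log format
(channel, BSSID, SSID, RSSI in dBm, one record per line) is an assumption:
a real survey tool's export format will differ.
"""

# Constructed survey log: channel, BSSID, SSID, RSSI (dBm).
SURVEY_LOG = """\
# channel,bssid,ssid,rssi_dbm
1,00:11:22:33:44:01,sparco-hotspot,-48
6,00:11:22:33:44:02,sparco-hotspot,-52
11,00:11:22:33:44:03,sparco-hotspot,-55
3,aa:bb:cc:dd:ee:01,cafe-office,-61
11,aa:bb:cc:dd:ee:02,NETGEAR,-84
6,aa:bb:cc:dd:ee:03,sparco-hotspot,-58
"""

# BSSIDs of the access points we deployed (constructed inventory).
OUR_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"}
OUR_SSID = "sparco-hotspot"

# 2.4 GHz channels are 5 MHz apart and a DSSS signal is about 22 MHz wide, so
# channels fewer than 5 apart overlap; {1, 6, 11} is the non-overlapping set.
NON_OVERLAPPING = (1, 6, 11)
MIN_CHANNEL_GAP = 5
# Below this level an AP is too weak to matter as a co-channel neighbour
# (assumed threshold).
NOISE_FLOOR_DBM = -80


def parse_survey_log(text):
    """Parse 'channel,bssid,ssid,rssi' lines; skips comments and blank lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        chan, bssid, ssid, rssi = (f.strip() for f in line.split(","))
        records.append({"channel": int(chan), "bssid": bssid.lower(),
                        "ssid": ssid, "rssi": int(rssi)})
    return records


def channels_overlap(a, b):
    return abs(a - b) < MIN_CHANNEL_GAP


def find_channel_conflicts(records, our_bssids, floor=NOISE_FLOOR_DBM):
    """Return (our_bssid, other_bssid, our_ch, other_ch) for every AP of ours
    that shares spectrum with another AP strong enough to contend with it."""
    ours = [r for r in records if r["bssid"] in our_bssids]
    audible = [r for r in records if r["rssi"] >= floor]
    conflicts = []
    for mine in ours:
        for other in audible:
            if other["bssid"] == mine["bssid"]:
                continue
            if channels_overlap(mine["channel"], other["channel"]):
                conflicts.append((mine["bssid"], other["bssid"],
                                  mine["channel"], other["channel"]))
    return conflicts


def find_unknown_aps(records, our_bssids, our_ssid):
    """BSSIDs not in our inventory. Those advertising our SSID are flagged as
    suspected rogues (they impersonate the hotspot); the rest are neighbours."""
    suspected, neighbours = [], []
    for r in records:
        if r["bssid"] in our_bssids:
            continue
        (suspected if r["ssid"] == our_ssid else neighbours).append(r["bssid"])
    return sorted(set(suspected)), sorted(set(neighbours))


def recommend_channel(records, bssid, floor=NOISE_FLOOR_DBM):
    """Pick the non-overlapping channel with the least audible overlap for one
    of our APs: the candidate whose overlapping neighbours (other BSSIDs above
    the floor) sum to the weakest received power (in mW); lowest channel wins ties."""
    load = {}
    for cand in NON_OVERLAPPING:
        load[cand] = sum(10 ** (r["rssi"] / 10) for r in records
                         if r["bssid"] != bssid and r["rssi"] >= floor
                         and channels_overlap(cand, r["channel"]))
    return min(NON_OVERLAPPING, key=lambda c: (load[c], c))


if __name__ == "__main__":
    recs = parse_survey_log(SURVEY_LOG)
    for mine, other, my_ch, other_ch in find_channel_conflicts(recs, OUR_BSSIDS):
        print("channel conflict: %s (ch %d) vs %s (ch %d)" % (mine, my_ch, other, other_ch))
    rogues, neighbours = find_unknown_aps(recs, OUR_BSSIDS, OUR_SSID)
    print("suspected rogue APs using our SSID:", rogues)
    print("neighbouring APs:", neighbours)
    for ap in sorted(OUR_BSSIDS):
        print("recommended channel for %s: %d" % (ap, recommend_channel(recs, ap)))
```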

Types of Access Points

Small Office/Home Office (SOHO)

Low manageability

SOHO manufacturers are LinkSys, D-Link, Buffalo (Melco) and Netgear

Enterprise

high-manageability and highly-interoperable devices

Designed to work in very large networks with multiple access points

Support roaming users and various security capabilities

Enterprise manufacturers are Symbol, Cisco, Proxim and 2Wire

Switched

A new category of access points is known as “Fat”

Abundance of processing power

Support dozens of antennas spread throughout an area

Reduces the number of devices that need to be managed

More expensive, and require a lot of power and maintenance

Symbol Mobius line and Extreme Summit 300-48

Access Point Features to Look For

RF Power should be adjustable

On many SOHO access points this feature is not available

Enterprise access points will support a power range of 5-100 milliWatts

Multiple Antenna Types

Antenna diversity settable to on or off

The radio system chooses the signal with the best reception

Some access points come with hard-wired antennas, making it impossible to switch antennas

Remote Management

Access points should have some form of remote manageability, such as SSH2 or HTTPS

SNMP Support

SNMP support is a must for any Enterprise-level solution

Power Over Ethernet (PoE)

PoE can be a cost effective feature for a Hotspot implementation

Long and Short Preamble Support



The first generation used a 144-bit preamble

The preamble helps wireless receivers prepare for the acquisition of wireless signals

To enable higher transmission rates, a shorter 56-bit preamble was introduced

An access point using the short preamble will not support clients with long preambles

Using long preambles will support legacy Mobile Stations.









When an access point provides a configuration choice of long or short preamble, choosing long preambles will provide interoperability with mobile stations that still use legacy NICs.

Hotspot Security in Brief



Signal available to anyone

Make sure that your Hotspot supports the appropriate level of security

Remember that any encryption will have processing overhead associated with it

RF encryption technologies:

WEP (Wired Equivalent Privacy)

Dynamic WEP

TKIP

WPA

AES

Summary



Wireless networks present unique challenges due to the complex characteristics of Radio Frequency transmissions. Most network administrators have little experience planning, installing, and managing RF networks and therefore must be careful to always:





• Understand the environment and its needs

• Perform site surveys to spot potential trouble areas and clarify layout

• Choose the appropriate equipment to complement the site

• Keep in mind the unique requirements of wireless networks such as security

SECURITY

802.11 Wireless Security Protection





802.11 specification addresses protection for the radio link layer only

Communications link between the mobile station and the access point

802.11 specification does not specify security beyond the access point

It is the responsibility of the Hotspot provider to ensure that the wireless links are secure

Types of Attacks

Network setup and security should consider these threats

• Unauthorized association to the access point

• Rogue access points

• Man-in-the-middle

• Eavesdropping

• MAC Spoofing

• Denial of Service





Unauthorized association to access points and rogue access points are problems specific to wireless networks. Eavesdropping, MAC spoofing and denial of service are also found in wired networks.

Security Technologies Background

The primary requirements for a secure network include:

Controlling access

Maintaining user privacy

Data integrity

Protecting against well-known types of attacks

Technology (hardware or software) functions that implement:

Authentication

Authorization

Confidentiality

Data Integrity

Key management

Protection against well known attacks: MAC spoofing, man-in-the-middle, etc.

Security Options

“Wired Equivalent Privacy” (WEP) protocol

First security specification

Serious weaknesses that rendered it virtually unusable

802.11 Task Force formed the 802.11 Task Group i (TGi)

TGi produced the “Robust Security Network” (RSN), also known as 802.11i

More complex encryption algorithm and automatic key management

The new requirements mean that already deployed equipment cannot be upgraded

The Wi-Fi Alliance concluded it was necessary to provide a migration path

“Wi-Fi Protected Access” (WPA) specification and later WPA2

Developed by using finished portions of the 802.11i specification

Wired Equivalent Privacy (WEP)

Original 802.11 security specification

Designed to secure the radio link layer by protecting the data over the wireless area

Does not provide protection beyond the access point

Limitations from the lack of a secure encryption method

Limitations from the lack of a practical key management protocol

WEP is based on knowledge, by the communicating parties, of a secret key

The secret key can be used as a credential in the authentication phase and for encryption

The key is entered manually into the access point and in all the clients

Once a shared key is in place, it remains the same until it is manually changed

This lack of automatic key management makes WEP easy prey for hackers

WEP has three major security objectives

Provide device authentication, confidentiality, and message integrity

Authentication must take place before the mobile station is allowed to associate and send traffic

Authentication is provided through two modes:

Open Authentication and Shared-Key Authentication

WEP Encryption









The sending unit first generates a 24-bit Initialization Vector (IV). The IV is used in conjunction with the 40-bit or 104-bit WEP secret key to form the WEP encryption key (24 bits + 40 bits = 64 bits, or 24 bits + 104 bits = 128 bits). The WEP key is then fed to an RC4 engine, which uses it to generate an encryption keystream as long as the body of the frame. Finally, the keystream is XORed with the frame’s body (the frame header is not included) to generate the ciphered stream, which is transmitted together with the IV. Because the IV is generated by the sending unit, it must be sent to the receiver outside of the encrypted area of the frame.

WEP’s Integrity Feature



The goal is to provide a way for a frame receiver to determine if a frame has been tampered with. The frame sender is required to calculate a hash value (32-bit CRC) of the data frame and append it prior to frame encryption. The hash value is called the Integrity Check Value (ICV). Because the ICV is encrypted.

WEP Weaknesses

Inability to maintain the shared key secret

Lack of automated key management

WEP’s key is manual; every user needs to know it

Secret key can be easily cracked from captured packets

WEP reuses encryption keys after 20,000 packets

Lets eavesdroppers know when the reuse is taking place

Part of the key, the IV, is sent unencrypted

Eavesdroppers can track the IV and know when the key is being reused

Allows multiple packet captures encrypted with the same key

The same key is used for authentication and packet encryption

The shared mode exposes the text used to challenge the MS in both clear and encrypted modes

Weak keys are used in the RC4 algorithm

Weak keys have patterns in the first and third bytes that cause corresponding patterns in the first few bytes of the generated RC4 key stream

A hacker uses the IV and exposed key stream to identify potential weak keys

Lack of forgery and replay protection
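The WEP encapsulation walked through above (IV, RC4 keystream, CRC-32 ICV) together with the IV-reuse weakness, as an added Python example that is not part of the original deck: RC4 is implemented inline so the block runs offline, the 40-bit key, IVs and frame bodies are constructed, and find_iv_reuse is a defender-side monitor over captured payloads.

```python
"""WEP encapsulation as described in the deck, plus an IV-reuse monitor.

Added educational example, not from the original deck. RC4 is implemented
inline; the CRC-32 ICV uses zlib. Keys, IVs and frame bodies are constructed.
"""
import struct
import zlib
from collections import Counter


def rc4_keystream(key, length):
    """Generate `length` bytes of RC4 keystream from `key` (KSA, then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_icv(body):
    """Integrity Check Value: a plain CRC-32 of the frame body. CRC-32 is
    linear and unkeyed, so it detects noise but is not a MAC against forgery."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def wep_encrypt(secret, iv, body, key_id=0):
    """Return the WEP-protected payload: IV (3 bytes) | key-ID byte |
    RC4(IV || secret) XOR (body || ICV). Only body and ICV are encrypted; the
    IV rides in the clear so the receiver can rebuild the same RC4 key."""
    assert len(iv) == 3 and len(secret) in (5, 13)      # 40- or 104-bit secret
    plaintext = body + wep_icv(body)
    ks = rc4_keystream(iv + secret, len(plaintext))     # 64- or 128-bit RC4 key
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    return iv + bytes([(key_id & 0x3) << 6]) + ciphertext


def wep_decrypt(secret, payload):
    """Reverse wep_encrypt; returns (body, icv_ok). icv_ok False means the
    ciphertext was altered or the key is wrong (WEP cannot tell which)."""
    iv, ciphertext = payload[:3], payload[4:]
    ks = rc4_keystream(iv + secret, len(ciphertext))
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, ks))
    body, icv = plaintext[:-4], plaintext[-4:]
    return body, icv == wep_icv(body)


def find_iv_reuse(payloads):
    """Defender-side check over captured WEP payloads: an IV seen more than
    once means two frames were encrypted with the same keystream. The 24-bit
    IV space is exhausted quickly on a busy AP, and many cards restart at 0."""
    counts = Counter(p[:3] for p in payloads)
    return {iv.hex(): n for iv, n in counts.items() if n > 1}


if __name__ == "__main__":
    secret = b"\x01\x02\x03\x04\x05"                     # constructed 40-bit key
    frames = [wep_encrypt(secret, b"\x00\x00\x01", b"hello hotspot"),
              wep_encrypt(secret, b"\x00\x00\x02", b"second frame"),
              wep_encrypt(secret, b"\x00\x00\x01", b"IV wrapped around")]
    body, ok = wep_decrypt(secret, frames[0])
    print("decrypted:", body, "ICV ok:", ok)
    damaged = bytearray(frames[0]); damaged[6] ^= 0x01
    print("after a bit flip, ICV ok:", wep_decrypt(secret, bytes(damaged))[1])
    print("IVs reused in capture:", find_iv_reuse(frames))
```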

Dynamic Key Exchange (DKE)



An attempt to overcome the lack of automatic key management in WEP

Lacks interoperability

All implementations require an AAA server









WEP, by itself, is not appropriate for Hotspots. Even if WEP used a strong encryption algorithm, WEP’s lack of an automated key management mechanism makes it impractical to use in Hotspots. DKE does not help either, due to its lack of adoption and interoperability issues.

802.11i & AES

IEEE 802.11 Task Group “i” (a.k.a, 802.11i)

802.11’s solution to WEP’s flaws is the Robust Security Network (RSN)

Advanced Encryption Standard (AES) for encryption and 802.1X for AAA and key management

AES is a very strong encryption algorithm with no known flaws

AES is computationally intensive and would consume most of the processing capacity of current access points

Entry-level PDAs would most likely not have the necessary computational power

AES is designed to replace the current FIPS encryption specification, DES

AES specifies the use of the Rijndael algorithm

WPA/TKIP

WPA is a migration path for improved security at sites with less powerful access points

Developed by the Wi-Fi Alliance as an interim solution to 802.11 security requirements

Based on Draft 3.0 of the 802.11i standard

WPA is not part of the 802.11i standard

TKIP also developed for interim security

Temporal Key Integrity Protocol (TKIP)



Designed as a wrapper around WEP’s weaknesses

Provides a migration path to more secure WLANs using existing hardware

TKIP requires more computing power than WEP but less than AES-based RSN and WPA2

TKIP can be implemented as an upgrade to software and/or firmware

While TKIP uses RC4 (the same algorithm as WEP), it adds the following security improvements:

New per-packet key mixing function

New message integrity check (MIC) named Michael

Longer initialization vector (from 24 bits in WEP to 48 bits in TKIP)

New re-keying mechanism (session key renewed on a regular basis)

TKIP begins a session with a 128-bit temporal key that is known to the MS and the access point

Key changes after every 10,000 packets transmitted

Session keys are used to generate per-packet keys

Per-packet keys are generated using a combination function that uses the temporal session key, the mobile station’s MAC address, and the IV.

Framework - 802.1X



802.1X is a specification that describes an architectural framework for an authentication and authorization mechanism based on port access control. 802.1X is part of a family of standards for local and metropolitan area networks and is being adopted by the IEEE 802.11 Task Group “i” as the basis for Wi-Fi’s new security model.

802.1X is based on the Extensible Authentication Protocol (EAP). EAP gives network administrators the ability to choose from several authentication methods.

802.1x

802.1x provides the specifications for authentication and authorization

• How the access control mechanism operates

• Levels of access control supported as well as port behavior at each level

• Requirements for protocol between supplicant and authenticator

• Requirements for protocol between authenticator and authentication server

• Procedure for how authentication and authorization are used to support net access control

• Encoding of Protocol Data Units (PDUs) used in authentication & authorization protocol exchanges

• Requirements for port-based access control management

• Requirements for remote management using SMT

• Requirements for equipment claiming conformance to the 802.1X standard.

Port-based Network Access Control

802.1X controls access to a network by limiting what services a client system can access from another system (e.g. an access point) through a specific port.

A port is a point of attachment to the LAN. In a wired network, an example of a port would be a MAC bridge port or a physical port in a router; in a wireless network, an example of a port is an “association” between a station (notebook computer) and an access point. Until the supplicant has authenticated, only EAPOL frames pass through the port (the uncontrolled port); all other traffic is dropped until the controlled port is authorized.

Authentication Framework - EAP

EAP is a generic authentication framework that supports a wide variety of authentication protocols.

EAP was originally developed for use with PPP (RFC 2284)

EAP is independent of the underlying data link, which is why 802.1X can carry it over Ethernet and 802.11 as part of its network access control mechanism for wireless networks

Support for authentication selection policies is implementation-dependent and some devices may not support this at all while others may have extensive support. There are many EAP authentication protocols, the most prevalent being: MD5, LEAP, TLS, TTLS, and PEAP

EAP Authentication Methods

MD5 - Message Digest 5

MD5 is the simplest of EAP’s authentication methods, and the least secure over a wireless network

MD5 is a one-way authentication method: the supplicant (Mobile Station) proves itself to the network (access point), not the reverse

Uses a hash of a password and a challenge string to provide proof of identity

MD5’s main drawbacks are that the authentication server must hold the password in clear text (or reversibly encrypted) to recompute the hash, and that authentication is one-way

Only the Mobile Station is authenticated, leaving it vulnerable to man-in-the-middle and rogue access point attacks

Because the challenge and the response both cross the air in the clear, a passive listener can run an offline dictionary attack against the password

MD5 provides no key management: attackers can still sniff your network and crack the static WEP keys

Support for MD5-Challenge is mandatory in the EAP specification.







EAP - The actual authentication method used is determined through a negotiation between the MS to be authenticated and the authentication server; the access point only relays EAP messages and does not need to understand the method. If the MS does not support the method the server proposes, it answers with an EAP-Nak listing the methods it does support. Peer devices make the authentication selection based on the protocols supported and the policies configured.
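The following is an added example, not code from the original deck, of the EAPOL/EAP framing described above and of the MD5-Challenge exchange, followed by the offline dictionary attack a passive listener can mount on it. The byte layouts follow 802.1X and RFC 3748 (EAP-MD5 reuses the CHAP computation of RFC 1994); the name strings, the sample password and the wordlist are constructed.

```python
import hashlib
import os
import struct

EAPOL_EAP_PACKET = 0                     # EAPOL packet type 0: EAP-Packet (802.1X)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_NAK, EAP_TYPE_MD5 = 1, 3, 4


def eapol(eap_body, version=1):
    """EAPOL frame: version, packet type, body length, then the EAP packet."""
    return struct.pack("!BBH", version, EAPOL_EAP_PACKET, len(eap_body)) + eap_body


def eap_packet(code, identifier, eap_type=None, data=b""):
    """EAP packet (RFC 3748): code, identifier, length, then type and type-data."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eapol_eap(frame):
    """Return (code, identifier, eap_type, type_data) from an EAPOL EAP-Packet."""
    version, packet_type, body_len = struct.unpack("!BBH", frame[:4])
    if packet_type != EAPOL_EAP_PACKET:
        raise ValueError("not an EAPOL EAP-Packet")
    eap = frame[4:4 + body_len]
    code, identifier, length = struct.unpack("!BBH", eap[:4])
    if length != len(eap) or length < 4:
        raise ValueError("EAP length mismatch")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return code, identifier, None, b""
    return code, identifier, eap[4], eap[5:]


def md5_challenge_response(identifier, secret, challenge):
    """EAP-MD5 value: MD5(Identifier || secret || challenge). The server must
    hold the clear-text secret to recompute this."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def build_md5_request(identifier, challenge, name=b"hotspot-ap"):
    """Authenticator -> supplicant: EAP-Request/MD5-Challenge (Value-Size, Value, Name)."""
    return eapol(eap_packet(EAP_REQUEST, identifier, EAP_TYPE_MD5,
                            bytes([len(challenge)]) + challenge + name))


def answer_md5_request(frame, secret, username=b"alice"):
    """Supplicant: parse the request and produce EAP-Response/MD5-Challenge."""
    code, identifier, eap_type, data = parse_eapol_eap(frame)
    if code != EAP_REQUEST or eap_type != EAP_TYPE_MD5:
        raise ValueError("expected EAP-Request/MD5-Challenge")
    challenge = data[1:1 + data[0]]
    digest = md5_challenge_response(identifier, secret, challenge)
    return eapol(eap_packet(EAP_RESPONSE, identifier, EAP_TYPE_MD5,
                            bytes([len(digest)]) + digest + username))


def crack_md5_exchange(request, response, wordlist):
    """What a passive listener on the air can do: challenge and response are both
    in the clear, so every candidate password is checked offline, at leisure."""
    _, identifier, _, req_data = parse_eapol_eap(request)
    challenge = req_data[1:1 + req_data[0]]
    _, _, _, resp_data = parse_eapol_eap(response)
    digest = resp_data[1:1 + resp_data[0]]
    for candidate in wordlist:
        if md5_challenge_response(identifier, candidate, challenge) == digest:
            return candidate
    return None


if __name__ == "__main__":
    request = build_md5_request(7, os.urandom(16))
    response = answer_md5_request(request, b"latte2003")
    print("recovered:", crack_md5_exchange(request, response, [b"password", b"latte2003"]))
```

Nothing in this exchange lets the supplicant check who sent the challenge, and no keying material comes out of it, which is the concrete meaning of "one-way" and "no key management" above.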

EAP Authentication Methods

LEAP - Lightweight EAP

LEAP is an EAP authentication method developed by Cisco that supports mutual authentication

Uses the MS username and password, plus the access point’s credentials, for authentication by a RADIUS server

Upon authentication, LEAP generates one-time WEP keys for session usage

Using LEAP, each user connected to a wireless network uses a unique WEP key

Session keys can be renewed by using the RADIUS session timeout feature, which forces the user to re-login

Re-logins can take place without user intervention or knowledge

LEAP’s vulnerability comes from its use of MS-CHAPv1-style challenge/response for mutual authentication

MS-CHAPv1 is known to be weak: a captured challenge/response pair can be attacked offline with a dictionary, so LEAP is only as strong as the user’s password

LEAP’s drawback is that it works end-to-end on Cisco-based networks only

Other vendors have added support for LEAP to their server ends, broadening LEAP’s interoperability

This does not help in a Hotspot environment where you want to support a broad set of system configurations



TLS - Transport Layer Security

EAP-TLS is an IETF standardized authentication method (RFC 2716) that uses X.509 certificates for mutual authentication

TLS’s generation, distribution and general management of certificates needs a Public Key Infrastructure (PKI)

EAP-TLS carries a complete TLS handshake (the IETF successor of SSL) inside EAP packets; the certificates are exchanged and verified in that handshake

TLS generates per-session keying material, from which the WEP/TKIP keys are derived, and provides for MS re-authentication and re-keying automatically

The main TLS drawback comes from its requirement for the client to hold a certificate

Managing certificates for large numbers of clients can be a very difficult task

EAP Authentication Methods

TTLS – Tunneled TLS

TTLS was pioneered by Funk Software and was later published by the IETF as RFC 5281

In TTLS, the MS identifies itself with a username/password, while the authentication server continues to use a certificate

TTLS is able to transmit credentials in a secure manner by using a TLS tunnel established in its first phase

Because it uses a secure tunnel, TTLS is able to support multiple challenge-response mechanisms (CHAP, MS-CHAPv1, MS-CHAPv2, PAP/Token Card or EAP)

TTLS implements the different authentication methods by exchanging “attribute-value pairs” (AVPs) inside the tunnel

Another advantage of TTLS over TLS is that the user identity is not exposed to eavesdroppers: the outer identity can be anonymous@realm, with the real username sent only inside the tunnel

TTLS is considered very secure, has been implemented by several vendors and is widely deployed

It has not been embraced by all as the definitive 802.11 authentication method

TTLS’ main rival is Protected EAP (PEAP)



Protected EAP - PEAP

PEAP was pioneered by Microsoft*, Cisco* and RSA Security and is specified in IETF Internet-Drafts (it was never published as an RFC)

In PEAP, as in TTLS, the MS identifies itself with a username/password while the authentication server continues to use a certificate

PEAP uses the TLS tunnel between the client and the RADIUS server to carry a second, inner EAP exchange, which allows any EAP authentication method to be used inside the tunnel

WPA

WPA is a subset of the 802.11i standard, leaving out the specifications for Independent Basic Service Set (ad hoc) operation, pre-authentication and the use of AES

WPA uses TKIP for encryption (RC4 as in WEP, plus the TKIP enhancements), implemented in software and/or firmware

WPA supports two modes of authentication operation: Enterprise and Pre-Shared Key (PSK)

Enterprise mode requires a RADIUS server for authentication and key distribution

PSK was introduced as a means of authentication for networks that lack an authentication server

In PSK mode, the pre-shared key is used only for authentication and as the master key; it is never used directly for packet encryption

For data privacy, WPA uses TKIP

Session keys are generated from this pre-shared (master) key and renewed on a regular basis. Note that anyone who knows the passphrase can derive every other user’s session keys from the handshake they observe, so PSK mode is unsuitable for a public hotspot

Per-packet keys are in turn generated from the session keys using a mixing function

For data integrity, WPA adds a message integrity check (MIC) called Michael, provided through TKIP

WPA Benefits/WPA Deployment Issues

WPA has several major benefits over WEP, and some deployment advantages over the full RSN (802.11i):

• Provides better security than WEP

• Requires changes to software/firmware only

• Provides a solution that can be implemented with existing hardware

• Allows WEP-based clients to operate in mixed WPA/WEP networks (this compromises security: in mixed mode the group key must remain WEP, so broadcast and multicast traffic stays crackable)

• Support will be integrated into most major Operating Systems. There has been a download for MS Windows available at Microsoft’s Web site since June 2003.

Some of the most noted issues you should consider when deploying WPA include:

• Requires firmware upgrades for stations. This means that Hotspots will need to support customers who have upgraded their device to WPA and those who have not.

• WPA does not support pre-authentication

• Fast roaming with WPA is not possible: a station must perform a full 802.1X re-authentication when it moves to another AP. This can take on the order of 600 milliseconds. Vendors will probably support roaming by caching credentials (PMK caching), but this solution will most likely not work across different vendors’ hardware.

• Requires new client capabilities (802.1X and WPA) in the supplicant

• Requires firmware upgrades for stations and access points

WPA2

WPA2 (the full 802.11i RSN) adds support for AES and for faster roaming. It uses AES in CCM mode (CCMP), which provides confidentiality of the data and integrity of both the data and the protected header fields, replacing RC4/TKIP and Michael.

WPA2 also supports pre-authentication and PMK caching, reducing the ap-to-ap re-authentication time from about 600 milliseconds to 30 milliseconds.

WPA2 Limitations

• Requires hardware accelerated AES. This will require new aps, and in some cases, new NICs/wireless client hardware.

• Requires new client capabilities (802.1X and WPA2) in supplicants

Hotspot Design Characteristics

Architectural Tenets

The guidelines for designing and deploying a hotspot are based on the

following principles:

Usability. The client should be able to gain access to hotspot services based on user and operator policies,

independently of the specific details of the hotspot implementation.



Simplified client provisioning. Users should be presented with a consistent AAA interface, regardless of

location or network operator, which is intuitive to use, while providing service information to more experienced

users. The sign-on experience should be independent of, or agnostic to, variations in network back-ends.



Common login. Different authentication credentials from different service providers should be accepted and

the user should be authenticated directly with the home service provider with common AAA mechanisms.



One-bill roaming. A roaming infrastructure should allow users to get connected at hotspots managed by

different operators, while being authenticated by their home service provider and charged for aggregate use on

a single bill.



Security. Both users and network operators should receive a high level of assurance throughout each

session.



Mutual authentication to protect user and network. The client should be allowed to verify the AP and/or

network credentials before divulging its own.



Secure tunnels for back-end authentication. The visited network operator should not require disclosure of

authentication credentials, to preserve confidentiality of account information. Only the home service provider

should have access to clients’ credentials.

Architectural Tenets

Support VPN for remote enterprise access. Hotspots should provide compatibility with

VPN tunneling for corporate users during connections from public hotspots.

Scalability. The recommended framework should provide a blueprint for independent

hotspots and hotspot networks of different sizes.

Accommodate various wireless topologies. The network topology should be planned on the basis of the local network requirements for access and backhaul, so that the most suitable wireless technology can be accommodated.

Ability to share infrastructure safely. Different network operators and service providers

should be able to use the same WLAN infrastructure and to segregate internal business traffic

from commercial traffic.

Support advanced services efficiently. Hotspot networks should be planned to support

advanced services when they will become available.

Unified accounting framework. Hotspot operators and service providers need to support

flexible billing models, which include prepaid and postpaid roaming, pay-for-use and contract

plans (either flat-fee or with limited usage). Data and financial clearinghouses and AAA

aggregators and intermediaries may facilitate the establishment and management of roaming

partnerships.

Guidelines for Public Hotspots

The key element in this blueprint is the adoption of Wi-Fi Protected Access.

WLAN hotspots are essentially 802.11-based IP networks and, as such, it is strongly recommended to use the core protocols developed in the IEEE (such as 802.1X) and the IETF (such as EAP and RADIUS).

This eliminates the need for proprietary or domain-specific protocols over the WLAN interface and facilitates the establishment of a consistent user experience across service providers and the development of a roaming infrastructure.

Design Recommendations for Hotspots

Wi-Fi Protected Access should be adopted as soon as feasible to provide mutual authentication with the home SP and session

security. The framework must accommodate older UAM authentication models while providing coexistence and longer-term

migration to more robust schemes based on Wi-Fi Protected Access/802.1X.



Preserve support for VPN users to support the large number of remote corporate users who use VPN to access their intranet from public networks. In particular, care must be taken to ensure that NAT functionality does not adversely affect VPN (IPsec tunnels are the usual casualty, since NAT rewrites the addresses that AH protects and ESP carries no port numbers to translate on), by implementing the features defined in RFC 3022.

If integration of services requires internetworking with another network (such as a cellular operator’s core data network), we

strongly advocate a loose coupling between the WLAN hotspot and core network. In other words, WLANs should be seen as

standalone networks based on IEEE and IETF core protocols as opposed to radio access networks, and should not require the use of

domain-specific mobility management protocols over the client’s WLAN interface (for example, GPRS Mobility Management or GMM).

This helps harmonize the interfaces of different WLAN networks (both public hotspots and enterprise networks) and promotes roaming

interoperability for clients. Convergence on IP protocols will result in more uniform support of advanced services among different

wireless technologies.

Key distribution between home providers and visited networks for wireless link layer encryption should be secured and cryptographically bound to authentication and session information. RADIUS itself only obfuscates the keys with MD5 and a per-hop shared secret, and every proxy on the path sees them in the clear, so the use of IPsec tunnels between RADIUS servers managed by roaming peers is recommended.

Backhaul requirements should be determined on the basis of actual or expected traffic. However, we recommend at minimum a

broadband connection (e.g. DSL, cable modem, or T1/E1) be present at all hotspots.

An industry-standard approach to AAA should be adopted to facilitate the establishment of roaming agreements. This allows

service providers to extend the availability of WLAN services beyond their own infrastructure and enhance their own footprint with that

of their roaming partners.

Standards-based AAA implementations allow users the flexibility to use wireless networks anytime, anywhere.

Architectural Considerations for One-bill Roaming



Availability of roaming among different service providers at public hotspots is key to attracting more customers for WLAN

services. Setting up roaming agreements, however, is time consuming and expensive because a large number of players with

different business models and different protocol and system legacies need to seamlessly work together to offer smooth AAA

and consistent service.



At a minimum a roaming relationship involves a home service provider (e.g., fixed or cellular operator, or a WISP) and a

hotspot operator (which may be also a service provider). The hotspot operator needs to provide the subscriber with a quick and

easy way to obtain connectivity, transfer the authentication credentials to the service provider, collect all the billing

information for authorized users and transmit the billing information to the home provider or a data clearing house for

settlement. The home provider authenticates the users against its subscribers’ database, authorizes access and later bills the

subscriber.



This basic framework is complicated by the fragmentation of the public hotspot market and the need to provide wide

coverage to the user. To be able to offer a wide domestic and international footprint to the user, a service provider would need

to enter bilateral roaming agreements with a large number of hotspot operators. This is a time-consuming process that requires

considerable effort.



To simplify the establishment of roaming relationships, the adoption of open standards discussed above is the first crucial

step. Intermediaries may streamline the process by providing aggregation of service, data clearing and financial settlement.

These services effectively allow the hotspot operator to have a wholesale roaming relationship with a wide number of SPs and

enable SPs to increase their footprint without having to negotiate individual deals with hotspot operators.

One-bill Roaming

Figure shows the core elements that will enable roaming among public hotspots:

1. The Mobile Client represents the user’s equipment (typically a laptop computer, cell phone, or PDA) that is used to access the 802.11 network.

2. The 802.11 Access Point terminates the air (radio) interface to and from the mobile client.

3. The Access Controller is the entity that verifies authorization and enforces access control for authenticated users and segregates traffic of non-authenticated (guest) users.

4. The Visited Network AAA Server (AAA-V) serves as an AAA proxy for inbound roaming customers.

5. The Home Provider AAA Server (AAA-H) serves as the RADIUS server authenticating the mobile client user. User credentials are disclosed only to the AAA-H. The home SP and visited network operator AAA servers also participate in transactions involving the reconciliation of billing and settlement records, both online and offline, done either mutually or via an intermediate settlement entity.

6. The Web Server is an optional component that could serve one or more of the following functions: browser-based login portal, local value-added services portal for guests and authenticated users, portal for new subscriptions, and redirector for other services.

7. The Roaming Intermediary (INT) represents a wide variety of AAA and billing intermediaries which provide translations of RADIUS billing records into other formats and can be a key element in resolving legacy issues.

Billing records and usage metrics



The framework presented here is compatible with several billing models available to users including

prepaid, pay-for-use, and postpaid (subscription-based) models likely to be the most common.

Charging metrics could be based on fixed or flat rates, on usage (time, volume and/or number of

connections) or specific services used. Regardless of the billing model, roaming users should be able to

connect to a visited network as they do when they connect to their home network.

Ideally, charges associated with WLAN roaming usage would appear in an integrated single bill as is

the case for cellular voice roaming today.

Billing metrics and formats across operators vary today, and there are no agreed upon standards in the

industry.

The SP billing metrics (e.g., number of connections, flat fee, time metered, volume metered) often

depend on how the SP bundles WLAN access with other services it offers.

For example, a cellular operator may be more inclined to charge by the minute while an ISP might

prefer per-connection charges.

The establishment of an industry wide standard for billing formats should support legacy systems

which are needed for billing other services offered and to minimize the incremental investment to

deploy.

Billing records and usage metrics

Until a prevailing metric or a billing format emerges, the best path to maximize flexibility for service

providers and to facilitate integration with different backend systems is to rely on RADIUS records as the

common protocol for WLAN services, with clearinghouses or other intermediaries translating RADIUS

records into formats that are compatible with the service providers billing systems, when necessary.

To support different pricing models, all the available data should be collected into detailed usage records. This will allow service providers (and by extension intermediaries and network operators) to charge on their preferred basis, including length of connection and traffic volume, in addition to flat-fee and per-connection charges.

In the cases where the SPs charge on a different basis, the proper billing information can be derived from the

detailed usage records because they have the complete accounting data for a billed session.
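As an added example (not from the original deck), the following folds RADIUS accounting records into detailed usage records and prices them under different metrics per home realm. The records, tariffs and realm names are constructed; the attribute names are the RFC 2866/2869 ones, and the Gigawords handling covers the wrap of the 32-bit octet counters that long sessions hit, a detail that silently under-bills when ignored.

```python
from math import ceil

GIGAWORD = 1 << 32   # Acct-*-Gigawords counts wraps of the 32-bit octet counters (RFC 2869)

# Constructed sample of RADIUS accounting records (RFC 2866 attribute names) as the
# visited network's AAA would collect them; not captured data. Session A1's Stop is
# retransmitted once, and its downlink volume wrapped the 32-bit counter once.
SAMPLE_RECORDS = [
    {"Acct-Status-Type": "Start", "Acct-Session-Id": "A1", "User-Name": "alice@home.example",
     "NAS-Identifier": "cafe-ap-1"},
    {"Acct-Status-Type": "Stop", "Acct-Session-Id": "A1", "User-Name": "alice@home.example",
     "NAS-Identifier": "cafe-ap-1", "Acct-Session-Time": 1500,
     "Acct-Input-Octets": 12_582_912, "Acct-Output-Octets": 250_000_000,
     "Acct-Input-Gigawords": 0, "Acct-Output-Gigawords": 1, "Acct-Terminate-Cause": "User-Request"},
    {"Acct-Status-Type": "Stop", "Acct-Session-Id": "A1", "User-Name": "alice@home.example",
     "NAS-Identifier": "cafe-ap-1", "Acct-Session-Time": 1500,
     "Acct-Input-Octets": 12_582_912, "Acct-Output-Octets": 250_000_000,
     "Acct-Input-Gigawords": 0, "Acct-Output-Gigawords": 1, "Acct-Terminate-Cause": "User-Request"},
    {"Acct-Status-Type": "Stop", "Acct-Session-Id": "B7", "User-Name": "bob@wisp.example",
     "NAS-Identifier": "cafe-ap-1", "Acct-Session-Time": 61,
     "Acct-Input-Octets": 40_000, "Acct-Output-Octets": 900_000, "Acct-Terminate-Cause": "Idle-Timeout"},
]

# Constructed per-realm tariffs in integer cents; each home SP picks its own metric.
TARIFFS = {
    "home.example": {"metric": "per-minute", "rate": 10},
    "wisp.example": {"metric": "per-connection", "rate": 100},
}


def detailed_usage_records(records):
    """One usage record per session from the Stop records: combines the octet
    counters with their Gigawords wrap counts and ignores duplicate Stops
    (accounting requests are retransmitted until acknowledged)."""
    sessions = {}
    for rec in records:
        if rec["Acct-Status-Type"] != "Stop" or rec["Acct-Session-Id"] in sessions:
            continue
        octets = 0
        for direction in ("Input", "Output"):
            octets += rec.get(f"Acct-{direction}-Gigawords", 0) * GIGAWORD
            octets += rec[f"Acct-{direction}-Octets"]
        sessions[rec["Acct-Session-Id"]] = {
            "user": rec["User-Name"],
            "realm": rec["User-Name"].rpartition("@")[2],
            "nas": rec["NAS-Identifier"],
            "seconds": rec["Acct-Session-Time"],
            "octets": octets,
            "connections": 1,
        }
    return sessions


def charge(usage, tariff):
    """Price one usage record under the home SP's metric (cents)."""
    metric, rate = tariff["metric"], tariff["rate"]
    if metric == "per-minute":
        return ceil(usage["seconds"] / 60) * rate
    if metric == "per-megabyte":
        return ceil(usage["octets"] / 1_000_000) * rate
    if metric == "per-connection":
        return usage["connections"] * rate
    if metric == "flat":
        return 0   # covered by the subscription fee
    raise ValueError("unknown billing metric " + metric)


def settlement_by_realm(sessions, tariffs):
    """What the hotspot operator (or a clearinghouse) presents to each home SP."""
    totals = {}
    for usage in sessions.values():
        realm = usage["realm"]
        totals[realm] = totals.get(realm, 0) + charge(usage, tariffs[realm])
    return totals


if __name__ == "__main__":
    print(settlement_by_realm(detailed_usage_records(SAMPLE_RECORDS), TARIFFS))
```

Because the usage record keeps seconds, octets and connection count, the same records can be re-priced under any of the metrics without going back to the NAS.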

Authentication and Security; Wi-Fi Protected Access

The documented security vulnerabilities of the initial 802.11 security standard, WEP, and the need to communicate

the keys to the client before establishing a connection, have resulted in wide use of UAM. UAM typically provides the

initial authentication, while leaving the user responsible for session security. This approach typically translates into use

of VPN among remote corporate users, and no security for those users that do not have VPN at their disposal.

Leaving security as a responsibility for the user drastically limits the options available, as the most effective solutions

involve the adoption of the same standards on both the client side and the hotspot infrastructure.



The convergence on the same AAA and security standards in the public hotspot networks is even more important than

in enterprise networks as many more players are involved, and users are expected to use multiple networks managed

by different operators, in addition to their enterprise and residential networks.



Wi-Fi Protected Access provides much needed improvement over UAM in addressing security concerns while

offering compatibility with more advanced services. As an added advantage, WPA provides a common solution that

can be implemented in enterprise and residential networks as well public access networks. Wi-Fi Protected Access

provides a mobile client framework for consistency in network discovery, selection and authentication, which paves

the way for seamless roaming across different types of WLAN networks.



The hotspot Wi-Fi Protected Access framework combines:

• TKIP to generate dynamic per-user encryption keys

• 802.1X to provide the authentication framework

• EAP methods to perform mutual authentication

• RADIUS to offer AAA functionality

• PEAP or TTLS to secure EAP-based authentication methods

Authentication and Security; Wi-Fi Protected Access



Wi-Fi Protected Access and VPNs can work together to provide robust authentication and session protection for public wireless access. Wi-Fi Protected Access offers a more comprehensive wireless security solution, which includes mutual authentication and dynamic encryption keys. VPNs are still needed for session protection when accessing enterprise intranets from public networks, and as such compatibility with Wi-Fi Protected Access is required to ensure wide adoption of WLAN services among business users.

Wi-Fi Protected Access implementation in public hotspots has to satisfy specific requirements, which arise from the

need to share AAA messages among different partners and to preserve confidentiality along the authentication path.

802.1X provides this functionality as it supports extensible end-to-end authentication between the mobile client and

the home provider’s AAA-H. When the EAP channel is established between the mobile client and the AAA-H, there is

no need for the visited network’s AP, AC, or AAA-V to support the specific EAP method or credential types used by

the home provider. This feature provides great flexibility to the client and service providers. With the use of PEAP or

TTLS tunneling, the information transmitted to the AAA-H remains confidential to the home provider, thus allowing

the establishment of roaming relationships that do not require the home provider to disclose subscriber information to

the visited network operator.
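An added example, not code from the original deck, of what the visited AAA-V does with a roaming request and what comes back from the AAA-H: realm-based routing of the outer identity, the MS-MPPE-Recv-Key wrapping (RFC 2548) used to ship the session key toward the AP, and the Message-Authenticator and Response Authenticator checks (RFC 3579 and RFC 2865) that bind the answer to the request. The roaming table, realm names, shared secret and key values are constructed; the wire formats are the real ones. The wrap routine also makes the earlier IPsec recommendation concrete: nothing stronger than MD5 keyed with the per-hop shared secret protects the session key in transit.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC, ATTR_MESSAGE_AUTHENTICATOR = 26, 80
MS_VENDOR_ID, MS_MPPE_RECV_KEY = 311, 17


def realm_of(nai):
    """Realm part of a Network Access Identifier 'user@realm' (RFC 4282). With
    PEAP/TTLS the outer identity can be anonymous@realm: that is all AAA-V sees."""
    user, sep, realm = nai.rpartition("@")
    if not sep or not realm:
        raise ValueError("NAI without a realm cannot be proxied")
    return realm.lower()


def next_hop(outer_identity, roaming_table):
    """AAA-V routing: 'local' for its own subscribers, otherwise the AAA-H or
    intermediary holding the roaming agreement for that realm (constructed table)."""
    realm = realm_of(outer_identity)
    if realm not in roaming_table:
        raise LookupError("no roaming agreement for realm " + realm)
    return roaming_table[realm]


def attribute(attr_type, value):
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def ms_mppe_recv_key(blob):
    """MS-MPPE-Recv-Key carried in a Vendor-Specific attribute (vendor 311)."""
    sub = struct.pack("!BB", MS_MPPE_RECV_KEY, 2 + len(blob)) + blob
    return attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", MS_VENDOR_ID) + sub)


def mppe_key_wrap(secret, request_authenticator, key, salt):
    """RFC 2548 2.4.2: plaintext is len || key, zero padded to 16n bytes; block i is
    XORed with MD5(secret || previous ciphertext block), chained from
    MD5(secret || Request-Authenticator || salt). The salt's high bit must be set."""
    assert len(salt) == 2 and salt[0] & 0x80, "salt high bit must be set"
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)
    out, prev = b"", request_authenticator + salt
    for i in range(0, len(plain), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ q for p, q in zip(plain[i:i + 16], pad))
        out += block
        prev = block
    return salt + out


def mppe_key_unwrap(secret, request_authenticator, blob):
    salt, cipher = blob[:2], blob[2:]
    plain, prev = b"", request_authenticator + salt
    for i in range(0, len(cipher), 16):
        pad = hashlib.md5(secret + prev).digest()
        plain += bytes(p ^ q for p, q in zip(cipher[i:i + 16], pad))
        prev = cipher[i:i + 16]
    return plain[1:1 + plain[0]]


def access_accept(secret, request_id, request_authenticator, attrs):
    """Access-Accept with a Message-Authenticator (HMAC-MD5, computed with the
    Request Authenticator in the authenticator field and the attribute zeroed) and
    the Response Authenticator MD5(header || ReqAuth || attributes || secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, request_id, 20 + len(attrs) + 18)
    zeroed = header + request_authenticator + attrs + attribute(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    body = attrs + attribute(ATTR_MESSAGE_AUTHENTICATOR, hmac.new(secret, zeroed, hashlib.md5).digest())
    resp_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + resp_auth + body


def verify_access_accept(secret, request_authenticator, packet):
    """NAS/proxy side: both checks must pass, otherwise the key is not trusted."""
    header, resp_auth = packet[:4], packet[4:20]
    attrs = packet[20:struct.unpack("!H", packet[2:4])[0]]
    zeroed, msg_auth, pos = b"", None, 0
    while pos < len(attrs):
        t, l = attrs[pos], attrs[pos + 1]
        if t == ATTR_MESSAGE_AUTHENTICATOR:
            msg_auth = attrs[pos + 2:pos + l]
            zeroed += attrs[pos:pos + 2] + bytes(16)
        else:
            zeroed += attrs[pos:pos + l]
        pos += l
    if msg_auth is None:
        return False
    ok_msg = hmac.compare_digest(msg_auth, hmac.new(secret, header + request_authenticator + zeroed, hashlib.md5).digest())
    ok_resp = hmac.compare_digest(resp_auth, hashlib.md5(header + request_authenticator + attrs + secret).digest())
    return ok_msg and ok_resp
```

Every RADIUS proxy between AAA-V and AAA-H unwraps and re-wraps the key with its own hop's secret, so each of them sees the session key; that is the exposure the IPsec recommendation closes.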



With PEAP, common session key derivation, distribution, and configuration solutions can be defined for a variety of credential types, including certificates, usernames/passwords, and SIM cards. Industry agreement over acceptable credential types and the most suitable authentication methods will make it easier for cellular carriers and network operators to support a variety of roaming scenarios across different network types. PEAP and TKIP provide valuable support for interoperability and roaming, as they address the 3GPP user security requirements defined in TR 22.934, Release 6.



Alternatives such as TTLS, which has similar functionality, can also be used without significantly sacrificing

interoperability, because of the end-to-end properties of EAP. However, PEAP is likely to be more widely deployed on

client platforms due to native operating system integration.

Wi-Fi Protected Access-based Authentication



Figure depicts a typical protocol stack for Wi-Fi Protected Access-based authentication in a public

hotspot.

The framework permits an AP to block all unauthenticated traffic from accessing the Internet or

other service networks, until the mobile client is authenticated by a provider, i.e. the visited network

in prepaid or pay-for-use billing models, or the home SP in subscription-based billing models.

EAP-SIM

EAP-SIM is an authentication method which has a special relevance for public hotspots, as it allows SIM-card based user authentication across WLAN and GPRS/EGPRS wireless networks (a method known as EAP Authentication and Key Agreement (EAP-AKA) offers a similar solution for the USIM cards used in 3G-WCDMA networks).

In EAP-SIM, the GSM/GPRS SIM authentication parameters (the RAND/SRES/Kc triplets) are exchanged in the EAP messages, with added mutual authentication and the combination of several triplets into one session key, which improves upon GSM security. This mechanism allows re-use of GSM and GPRS/EGPRS SIM cards and preserves cellular service providers’ infrastructure elements like the Home Location Register (HLR).

The use of PEAP with EAP-SIM and other EAP methods allows for a consistent level of security, independent of the EAP method, providing strong keying material and mutual authentication, data origin authentication, session encryption, and dynamic key distribution (through RADIUS) between the EAP client, the NAS (network access server) and the EAP server.

The visited network only needs an 802.1X-compliant authentication framework to offer EAP-SIM to roaming partners, which will then authenticate the user against their HLR. The EAP-SIM method can be developed using the Microsoft EAP framework.

Wi-Fi Protected Access as a Defense Against Security Threats

Wi-Fi Protected Access offers a compelling solution to security threat challenges. Wi-Fi Protected Access’s defense against rogue APs provides a good example.

A rogue AP has complete control over the channel of information flow and can perform a wide variety of attacks including eavesdropping, message insertion, message modification, DNS-based attacks, etc. Link-level encryption does not protect against this class of attacks if the attacker is one of the endpoints of the encrypted channel.

There are two basic strategies to defend against rogue AP attacks. One is to tunnel all traffic using a VPN client and a client-hosted firewall. If executed properly, this defense limits the rogue AP to denial-of-service attacks. However, the VPN approach requires a VPN infrastructure in the network and on the client, plus robust configuration of the client firewall. These are non-trivial requirements. Wi-Fi Protected Access provides an alternative strategy which is both more powerful and more easily deployable.

With mutual authentication, the client is required to authenticate the network so the client has confidence in the network it is connecting to. This also enables the client to refuse a connection to a rogue AP when it does not recognize the network identity. In practice this means the supplicant must be configured to validate the server certificate presented in the PEAP/TTLS/TLS handshake (trusted CA and expected server name); a supplicant that accepts any certificate will hand its credentials to a rogue AP fronting its own RADIUS server. Note that the latter approach is only effective if subsequent use of the connection is cryptographically bound to the initial network authentication: the session keys must be derived from the keying material that authentication produced, which is what the EAP key derivation and the WPA key handshake provide.
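As an added example (not code from the original deck or from Intel), the following shows the binding the last sentence refers to, for WPA-PSK and the WPA key handshake, and is also the derivation the WPA PSK section above describes: the PMK derived from the passphrase, the PTK derived from the PMK, both MAC addresses and both nonces, and the EAPOL-Key MIC that only a party holding the PMK can produce or check. The derivations follow IEEE 802.11i; the MAC addresses, nonces and passphrases are constructed, and the handshake message is reduced to the fields the MIC covers.

```python
import hashlib
import hmac


def psk_to_pmk(passphrase, ssid):
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    Everyone who knows the passphrase can derive every session key on the network."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce, tkip=True):
    """Pairwise Transient Key, bound to the PMK, both MAC addresses and both nonces.
    TKIP takes 512 bits (KCK, KEK, TK, two Michael keys); CCMP takes 384."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 64 if tkip else 48)


MIC_OFFSET = 81    # EAPOL header (4) + descriptor fields preceding the Key MIC (77)
NONCE_OFFSET = 17  # EAPOL header (4) + type (1) + key info (2) + key length (2) + replay counter (8)


def eapol_key_mic(kck, frame, tkip=True):
    """Key MIC over the EAPOL-Key frame with its MIC field zeroed: HMAC-MD5 for
    descriptor version 1 (WPA/TKIP), HMAC-SHA1 truncated to 128 bits for version 2."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    if tkip:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_message2(kck, snonce, tkip=True):
    """Constructed EAPOL-Key message 2 (supplicant -> AP): carries SNonce and a
    MIC under the KCK, which proves the supplicant derived the same PTK."""
    descriptor = 254 if tkip else 2          # 254 = WPA descriptor type, 2 = RSN
    key_info = 0x0109 if tkip else 0x010A    # descriptor version | Pairwise | MIC
    body = (bytes([descriptor]) + key_info.to_bytes(2, "big")
            + (32 if tkip else 16).to_bytes(2, "big") + (1).to_bytes(8, "big")
            + snonce + bytes(16) + bytes(8) + bytes(8) + bytes(16) + bytes(2))
    frame = bytes([1, 3]) + len(body).to_bytes(2, "big") + body   # EAPOL v1, type 3 = Key
    mic = eapol_key_mic(kck, frame, tkip)
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]


def verify_message2(pmk, aa, spa, anonce, frame, tkip=True):
    """AP side: rederive the PTK from the PMK it holds and check the MIC. A rogue AP
    without the PMK fails here, and cannot produce a valid message 3 either, so the
    client's refusal is cryptographic, not a matter of recognising an SSID."""
    snonce = frame[NONCE_OFFSET:NONCE_OFFSET + 32]
    kck = derive_ptk(pmk, aa, spa, anonce, snonce, tkip)[:16]
    return hmac.compare_digest(eapol_key_mic(kck, frame, tkip), frame[MIC_OFFSET:MIC_OFFSET + 16])


if __name__ == "__main__":
    pmk = psk_to_pmk("password", "IEEE")
    aa, spa = bytes.fromhex("a0a1a2a3a4a5"), bytes.fromhex("b0b1b2b3b4b5")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    ptk = derive_ptk(pmk, aa, spa, anonce, snonce)
    msg2 = build_message2(ptk[:16], snonce)
    print("genuine AP verifies:", verify_message2(pmk, aa, spa, anonce, msg2))
    print("rogue AP verifies:", verify_message2(psk_to_pmk("guess", "IEEE"), aa, spa, anonce, msg2))
```

In Enterprise mode the PMK is not a passphrase derivative but the first 256 bits of the MSK that the EAP method exports, delivered to the AP over RADIUS; the rest of the derivation is identical, which is how the link keys become bound to the 802.1X authentication.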

Migration to Wi-Fi Protected Access

Although we require adoption of Wi-Fi Protected Access in conjunction with 802.1X, we also recognize that until 802.1X-capable clients are widely deployed, there will be a market requirement to support the legacy UAM.

When 802.1X is used, browser redirection can be useful to help resolve authentication failures and to permit the establishment of new accounts. Therefore, the recommended hotspot AAA framework supports the coexistence of UAM and 802.1X-based authentication in one hotspot.

To support both 802.1X and UAM, each AP supports two different SSIDs, one corresponding to 802.1X and one to UAM. With current AP hardware, only one of these SSIDs, the one associated with the Wi-Fi Protected Access VLAN, can be advertised by the AP, but the other SSID for the UAM VLAN could be discovered via the 802.11 probe request/response mechanism.

When APs with full VLAN support become available, both SSIDs can be broadcast in different beacons. The open SSID, associated with UAM-based access, would not require any link-layer security, but the access controller (AC) would limit user access to the local web server until the user obtains authorization to use the network.

Subsequent enforcement of access control for the UAM method is likely to be based on the client’s MAC address (and IP address), which is not very robust. Attackers can easily configure their own equipment with the same MAC address and masquerade as legitimate users, stealing their bandwidth; and because the open SSID carries no link-layer encryption, every user’s traffic on it is readable by anyone in range. This is one business incentive for network providers to migrate users away from the UAM as soon as possible.

The Road Ahead

Expect rapid evolution of public hotspot network requirements to support advanced usage models and

services.

Fast and seamless inter-access point handoffs. Current WLAN access at hotspots is often limited to a

single AP present on the premises. If multiple APs are deployed, inter-AP handoff may be slow or the

mobile client may have to be re-authenticated when associating with a different AP. For today’s prevailing

usage models (laptop access to check email or connect to Internet/intranet) this is not a severe limitation as

users are typically stationary.

Fast and lossless handovers across APs will become a requirement with the availability of a wider range

of devices such as Wi-Fi enabled PDAs and mobile phones, and the introduction of advanced services such

as messaging, real-time multimedia streaming, and data application portals.

Improvements in hand-off support are being addressed in IEEE study groups to make possible seamless

and fast inter-AP handoffs within the Wi-Fi Protected Access framework.

Mobility management in hotspots. Requirements for mobility management in public WLANs are still not

fully defined. Most hotspots currently are deployed as one large IP subnet. In these topologies support for

mobility management is provided by Layer 2 (MAC level) mechanisms such as fast re-authentication, pre-

authentication and transfer of MAC layer states such as QoS across APs.

In the future Mobile IP will be required. Protocols such as the Session Initiation Protocol (SIP) may be appropriate for targeted applications such as Voice over IP (VoIP).

Public Key-based Authentication and Authorization

Password-based authentication currently dominates in public WLAN access, as it is easy to

implement and familiar to users, but it can open security holes for wireless connectivity.

Password-based authentication also suffers from poor usability with inconsistent

interfaces, typically requiring users to remember multiple passwords for access to multiple

networks.

Symmetric key based authentication methods, such as password-based authentication, can

be exposed to security vulnerabilities which arise from the need for third-party key

establishment. With symmetric keys, each session key established between the mobile client

and the authentication server must be shared directly and uniquely by the authentication

server with the AP the mobile client associates with. Transfer of session keys hop-by-hop

from the authentication server to an AP exposes the key to man-in-the-middle attacks.

It is therefore believed that the long term solution is one based on asymmetric (private-

public) keys and that appropriate measures should be taken to minimize or mitigate attacks

on symmetric key based deployments.

The use of public key-based certificates with attributes for dynamic service provisioning

and authorization will promote a more homogeneous framework for network access whether

in the home, enterprise, or public hotspots. Intel supports the creation and adoption of

standards that will lead to more robust authentication tokens.

Mobile Client Provisioning Considerations



Users often arrive at a hotspot location without any previous knowledge of the required

information to access and utilize the network and services. This process is complicated and

cumbersome today, as each service provider and network operator presents different interfaces

and requires different information from subscribers.

To improve the overall user experience, we recommend the adoption of a client provisioning

system that supports the AAA requirements for common login.

This client provisioning system should enable the client to automatically associate to a network

that is unknown and discover the required information to access the network and associated

services.

This information must be kept current by the provisioning system and updates should be sent to

the client during associations or during sign-up at the hotspot.

A consistent client provisioning framework for signup, renewal and authentication that users can

use across devices, hotspot locations, service providers and network types (e.g. public, enterprise

or residential) needs to be adopted by the industry.

In addition, the client provisioning system must provide transparent support for 802.1X

authentication and be capable of addressing problems that may arise during the authentication

process.

Network and Services Discovery



As infrastructure sharing among different networks becomes more widely used,

mobile clients will need to have more advanced hotspot discovery capabilities to

enable identification of available networks, obtain information about available

services, and select the appropriate network automatically (if desired).

The establishment of a common yet extensible standard-based framework for hotspot

discovery, selection of service providers, and provisioning of service is necessary to

provide this functionality across different visited networks.

If there is a single hotspot operator which has a bilateral roaming arrangement with

the user’s home operator (Home SP), network selection is trivial. If two or more

hotspot operators (i.e., two or more advertised SSIDs) offer service, the mobile client

must first select the SSID associated with the desired hotspot operator, and then

proceed with the SP selection as usual.

The user may also need to select the broker or roaming aggregator, as the hotspot

operator(s) may have roaming arrangements with the home SP via multiple

intermediaries, whose services (including QoS) and charges may be different.

Advertisement

An industry-wide accepted solution for network and service discovery has not yet emerged,

however ongoing work indicates several solutions can be implemented successfully, including:

• Advertisement using the EAP framework. While suitable for lightweight dissemination of SP information, this solution cannot be used for direct advertisement by the home SP.

• Advertisement within beacon frames. Beacon frames are overloaded with SP information. The approach has several drawbacks: the information is not authenticated, only limited information can be transmitted, its radio use is inefficient, and it might require changes to client firmware.

• Advertisement through the virtual AP framework. A variant of the previous approach, it can advertise information relevant to each SSID.

• Advertisement through PEAP. This solution offers a more robust post-association framework, which includes a secure provisioning service, can provide detailed information and supports configuration by the home SP.

Network selection can then occur either by explicit SSID preference or by overloading the

Network Access Identifier (NAI) of the service providers (SP) in the SSIDs. This selection

process can be automated if supported by the client provisioning system.

Summary and Conclusions

WLAN is one of the most exciting new wireless technologies today, allowing secure and robust high-speed wireless access at work, at home and while traveling. It works with laptops and PDAs, will soon be included in cellular phones, and is employed in a rapidly increasing number of locations, including enterprises, airports, hospitals, homes, restaurants, warehouses, marinas and even Recreational Vehicle parks.

To support the growing enthusiasm for the technology among users, a common framework to make WLAN convenient, easy to use and secure must be defined and adopted.



Key recommendations for enterprise and public hotspot networks are centered on the adoption of Wi-Fi Protected Access (WPA) with 802.1X, EAP and RADIUS to ensure robust mutual authentication, and TKIP and PEAP to preserve confidentiality during authentication. Wi-Fi Protected Access will also promote the development of AAA interfaces that will increase ease of use and be compatible across different Wi-Fi networks (office, hotspots and home). It is recommended to use robust authentication credentials, such as X.509 certificates, for increased security and ease of use.



We expect that providing guest access and mobility management on enterprise networks will be commonplace, taking full advantage of the productivity gains WLANs can provide. These capabilities require support for virtual LANs, multiple SSIDs in a single AP, intra-IP and inter-IP subnet mobility, and the availability of mobility-aware applications, fast handoffs, VPN auto-launch and secure ad hoc connections.



In public hotspot networks the adoption of Wi-Fi Protected Access is crucial to provide security with login

consistency to subscribers. In public hotspots it will be necessary to complement Wi-Fi Protected Access with

Universal Access Method compatibility through the early adoption stage and continued support for VPN use. The

adoption of IP-based standards for AAA and mobility will enable one-bill roaming and, eventually, seamless

roaming both within WLAN networks and interworking with WWAN and other networks.

Managing the Hotspot

Best Practices



• Make sure to provide a solution that will not need to be upgraded right away by installing mixed-mode access points

• Mixed-mode access points support both WEP and WPA requirements and thus provide a transition path to WPA

• Be aware that mixed-mode is not endorsed by the Wi-Fi Alliance because it compromises WPA security

• In an enterprise environment, where a single IT department controls deployment, it is easier to deploy WPA

• Public Hotspots must take a more diverse set of customer requirements into consideration

• For public Hotspots, stay away from cheaper SOHO access points (they lack processing power for newer encryption algorithms and support for authentication methods)

• Install access points that support VLANs; this will facilitate the support of multiple access methods

• Use SSL (Secure Socket Layer) or SHTTP (Secure HTTP) to protect personal information or credit cards (wireless gateways tend to enforce this security mode)

• For users needing to access corporate networks, VPN will still be the best method to secure their connections, as 802.11i will only protect the wireless connection from the mobile station to the access point

• Purchase equipment that can be easily upgraded to the new WPA, WPA 2.0 and RSN (802.11i) standards

Managing the Hotspot

• Consumer expectation of reliability and performance will make for fierce competition among wireless providers; Hotspots with a reputation for problems will rapidly lose business

• Design a remote management capability that provides monitoring and direct access to equipment, since physically visiting your Hotspot sites can be expensive and time-consuming

• Account for physical travel to sites to replace or repair equipment: options include contracting to 3rd parties, sourcing locally by hiring regional specialists, or allocating travel budget

• Develop a strategy to roll out upgrades for bug fixes and new technologies and capabilities, including firmware upgrades that you can’t apply remotely

• Develop an appropriate change control policy and upgrade path



The key to any site management strategy is to have well-established goals and find cost effective ways to meet them. Also, the RF environment can change from day to day, often without your knowledge or control. Active monitoring is important for finding rogue access points, interference from new devices like microwaves or phones, and attempts to bypass your site’s security.

Management Considerations



• The primary goal of any Hotspot provider’s management strategy is to have data on a day-to-day basis that a site is still up and running

• Contract a 3rd party to periodically audit sites in order to verify they are functioning as planned

• Using a Copy Exact approach, all of your procedures, installation methodologies, equipment, revision control, and maintenance processes are the same regardless of location

• Security and monitoring of sites for access and activity is paramount in avoiding litigation





Management Tools

• Site management tools should address the health of the network from both the wired and wireless networking side

• Strategies need to be implemented to allow visibility into your remote network environments

• Design a strategy to reach your equipment in the private address space

• Avoid mistakes: pinging a device is not a sufficient measure to ensure it is operating properly; without visibility into your network to the device level you can never be sure of the state of the network

• Implement proper monitoring capabilities; this will assure that you can perform upgrades and remote changes

Enterprise applications



• Enterprise business users make up the majority of recurring revenue for Hotspots

• Business class users are the most demanding on a wireless infrastructure: use of products like VPNs, Personal Firewalls, and Real-Time applications

• Restricting activities should heavily consider the business user

• There are three categories of business applications: VPN and security, Real-Time applications, and Real-Time Batch applications

EAP Authentication Methods

TTLS – Tunneled TLS

• TTLS was pioneered by Funk Software and is now an IETF standard

• In TTLS, the MS identifies itself with username/password and the AP continues to use certificates

• TTLS is able to transmit credentials in a secure manner by using an SSL-established tunnel

• Because it uses a secure tunnel, TTLS is able to support multiple challenge-response mechanisms (CHAP, MS-CHAPv1, MS-CHAPv2, PAP/Token Card or EAP)

• TTLS implements the different authentication methods by exchanging “attribute-value pairs” (AVPs)

• Another advantage of TTLS over TLS is that the user identity is not exposed to eavesdroppers

• TTLS is considered very secure, has been implemented by several vendors and is widely deployed

• It has not been embraced by all as the definitive 802.11 authentication method; TTLS’ main rival is Protected EAP (PEAP)



Protected EAP - PEAP

• PEAP, pioneered by Microsoft*, Cisco*, and RSA, is now an IETF standard

• In PEAP, as in TTLS, the MS identifies itself with username/password and the AP continues to use certificates

• PEAP uses the client-to-RADIUS tunnel to establish a second EAP exchange, which allows support of all EAP authentication methods

WPA

• WPA is a subset of the 802.11i standard, leaving out the specifications for Independent Basic Service Set, pre-authentication and the use of AES

• WPA supports WEP with TKIP enhancements for encryption, implemented in software and/or firmware

• WPA supports two modes of authentication operation: Enterprise and Pre-Shared Key (PSK)

• Enterprise mode requires a RADIUS server for authentication and key distribution

• PSK was introduced as a means of authentication for networks that lack an authentication server

• In PSK mode, the pre-shared key is used only for authentication and not for packet encryption

• For data privacy, WPA uses TKIP

• Session keys are generated from this pre-shared (master) key and renewed on a regular basis

• Per-packet keys are in turn generated from the session keys using a mixing function

• For data integrity, WPA adds a message integrity check (MIC) called Michael, provided through TKIP
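As an added example (not code from the original deck), the key hierarchy the bullets above describe, written out for WPA-PSK: passphrase and SSID give the 256-bit PMK (IEEE 802.11i Annex H), and the PMK with the two MAC addresses and the two 4-way handshake nonces gives the per-session PTK, split into KCK, KEK, the TKIP temporal key and the two Michael MIC keys. The passphrase, SSID, MAC addresses and nonces are constructed inputs; the TKIP per-packet mixing function is not shown.

```python
"""WPA-PSK key hierarchy: passphrase -> PMK -> per-session PTK.

Added example; the sample passphrase, SSID, MAC addresses and nonces are constructed.
"""
import hashlib
import hmac
import os

PTK_BITS_TKIP = 512   # KCK(128) | KEK(128) | TK(128) | MIC key AP->STA(64) | MIC key STA->AP(64)
PTK_BITS_CCMP = 384   # KCK(128) | KEK(128) | TK(128); CCMP needs no separate MIC key


def pmk_from_passphrase(passphrase, ssid):
    """PSK/PMK per IEEE 802.11i Annex H: PBKDF2-HMAC-SHA1, 4096 iterations, 256 bits.

    The PMK depends only on passphrase and SSID, so every station on a PSK
    network shares it and it never changes until the passphrase does; the
    session (PTK) and per-packet keys below are what actually get renewed.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("ascii"), 4096, 32)


def prf(key, label, data, nbits):
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    out = b""
    counter = 0
    while len(out) * 8 < nbits:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[: nbits // 8]


def derive_ptk(pmk, aa, spa, anonce, snonce, cipher="TKIP"):
    """Pairwise Transient Key from the 4-way handshake inputs.

    aa/spa: 6-byte authenticator (AP) and supplicant (station) MAC addresses.
    anonce/snonce: 32-byte random nonces sent in messages 1 and 2 of the
    handshake. Fresh nonces at every (re)association or rekey give a fresh PTK
    from the same PMK. Both sides sort the inputs so they derive the same key.
    """
    if len(aa) != 6 or len(spa) != 6 or len(anonce) != 32 or len(snonce) != 32:
        raise ValueError("bad MAC address or nonce length")
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    nbits = PTK_BITS_TKIP if cipher == "TKIP" else PTK_BITS_CCMP
    ptk = prf(pmk, b"Pairwise key expansion", data, nbits)
    keys = {
        "KCK": ptk[0:16],    # Key Confirmation Key: MICs the EAPOL-Key handshake frames
        "KEK": ptk[16:32],   # Key Encryption Key: wraps the group key sent in message 3
        "TK": ptk[32:48],    # Temporal Key: input to the TKIP per-packet mixing function
    }
    if cipher == "TKIP":
        keys["MIC_AP_TO_STA"] = ptk[48:56]   # Michael keys, one per direction
        keys["MIC_STA_TO_AP"] = ptk[56:64]
    return keys


def demo():
    """Two handshakes under the same PMK yield different session keys."""
    pmk = pmk_from_passphrase("password", "IEEE")   # Annex H test-vector inputs
    ap = bytes.fromhex("02aabbccdd01")               # constructed MAC addresses
    sta = bytes.fromhex("02aabbccdd02")
    first = derive_ptk(pmk, ap, sta, os.urandom(32), os.urandom(32))
    second = derive_ptk(pmk, ap, sta, os.urandom(32), os.urandom(32))
    return pmk.hex(), first["TK"] != second["TK"]


if __name__ == "__main__":
    print(demo())
```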

WPA Benefits / WPA Deployment Issues

WPA has several major benefits over WEP and RSN:

• Provides better security than WEP

• Requires changes to software/firmware only

• Provides a solution that can be implemented with existing hardware

• Allows WEP-based clients to operate in mixed-WPA/WEP networks (compromises security)

• Support will be integrated into most major Operating Systems. There has been a download for MS

Windows available at Microsoft’s Web site since June 2003.

Some of the most noted issues you should consider when deploying WPA include:

• Requires firmware upgrades for stations. This means that Hotspots will need to support customers

who have upgraded their device to WPA and those who have not.

• WPA does not support pre-authentication

• Roaming with WPA is not possible; stations must re-authenticate. This can take on the order of 600 milliseconds. Vendors will probably support roaming by caching credentials, but this solution will most likely not work across different vendors’ hardware.

• Requires new client capabilities (802.1X and WPA) in supplicant

• Requires firmware upgrades for stations and access points

WPA2





WPA2 adds support for AES and roaming and uses CCM for header and data integrity. WPA2 also supports pre-authentication, reducing the AP-to-AP re-authentication time from about 600 milliseconds to 30 milliseconds.





WPA2 Limitations

• Requires hardware-accelerated AES. This will require new APs, and in some cases, new NICs/wireless client hardware.

• Requires new client capabilities (802.1X and WPA2) in supplicants

Hotspot Design Characteristics

Architectural Tenets

The guidelines for designing and deploying a hotspot are based on the

following principles:

Usability. The client should be able to gain access to hotspot services based on user and operator policies,

independently of the specific details of the hotspot implementation.



Simplified client provisioning. Users should be presented with a consistent AAA interface, regardless of

location or network operator, which is intuitive to use, while providing service information to more experienced

users. The sign-on experience should be independent of, or agnostic to, variations in network back-ends.



Common login. Different authentication credentials from different service providers should be accepted and

the user should be authenticated directly with the home service provider with common AAA mechanisms.



One-bill roaming. A roaming infrastructure should allow users to get connected at hotspots managed by

different operators, while being authenticated by their home service provider and charged for aggregate use on

a single bill.



Security. Both users and network operators should receive a high level of assurance throughout each

session.



Mutual authentication to protect user and network. The client should be allowed to verify the AP and/or

network credentials before divulging its own.



Secure tunnels for back-end authentication. The visited network operator should not require disclosure of

authentication credentials, to preserve confidentiality of account information. Only the home service provider

should have access to clients’ credentials.

Architectural Tenets

Support VPN for remote enterprise access. Hotspots should provide compatibility with

VPN tunneling for corporate users during connections from public hotspots.

Scalability. The recommended framework should provide a blueprint for independent

hotspots and hotspot networks of different sizes.

Accommodate various wireless topologies. The network topology should be planned on

the basis of the local network requirements for access and backhaul that can accommodate

the best wireless technology.

Ability to share infrastructure safely. Different network operators and service providers

should be able to use the same WLAN infrastructure and to segregate internal business traffic

from commercial traffic.

Support advanced services efficiently. Hotspot networks should be planned to support

advanced services when they will become available.

Unified accounting framework. Hotspot operators and service providers need to support

flexible billing models, which include prepaid and postpaid roaming, pay-for-use and contract

plans (either flat-fee or with limited usage). Data and financial clearinghouses and AAA

aggregators and intermediaries may facilitate the establishment and management of roaming

partnerships.

Guidelines for Public Hotspots

The key element in this blueprint is the adoption of Wi-Fi Protected Access.

WLAN hotspots are essentially 802.11-based IP networks and, as such, it is strongly recommended to use core protocols developed in the IEEE (such as 802.1X) and IETF. This eliminates the need for proprietary or domain-specific protocols to be used over the WLAN interface and facilitates the establishment of a consistent user experience across service providers and the development of a roaming infrastructure.

Design Recommendations for Hotspots

Wi-Fi Protected Access should be adopted as soon as feasible to provide mutual authentication with the home SP and session

security. The framework must accommodate older UAM authentication models while providing coexistence and longer-term

migration to more robust schemes based on Wi-Fi Protected Access/802.1X.



Preserve support for VPN users to support the large number of remote corporate users who use VPN to access their intranet from

public networks. In particular, care must be taken to ensure that NAT functionality does not adversely affect VPN, by implementing

features defined in RFC 3022.

If integration of services requires internetworking with another network (such as a cellular operator’s core data network), we

strongly advocate a loose coupling between the WLAN hotspot and core network. In other words, WLANs should be seen as

standalone networks based on IEEE and IETF core protocols as opposed to radio access networks, and should not require the use of

domain-specific mobility management protocols over the client’s WLAN interface (for example, GPRS Mobility Management or GMM).

This helps harmonize the interfaces of different WLAN networks (both public hotspots and enterprise networks) and promotes roaming

interoperability for clients. Convergence on IP protocols will result in more uniform support of advanced services among different

wireless technologies.

Key distribution between home providers and visited networks for wireless link layer encryption should be secured and

cryptographically bound to authentication and session information. Use of IPsec tunnels between RADIUS servers managed by

roaming peers is recommended.

Backhaul requirements should be determined on the basis of actual or expected traffic. However, we recommend at minimum a

broadband connection (e.g. DSL, cable modem, or T1/E1) be present at all hotspots.

An industry-standard approach to AAA should be adopted to facilitate the establishment of roaming agreements. This allows

service providers to extend the availability of WLAN services beyond their own infrastructure and enhance their own footprint with that

of their roaming partners.

Standards-based AAA implementations allow users the flexibility to use wireless networks anytime, anywhere.

Architectural Considerations for One-bill Roaming



Availability of roaming among different service providers at public hotspots is key to attracting more customers for WLAN

services. Setting up roaming agreements, however, is time consuming and expensive because a large number of players with

different business models and different protocol and system legacies need to seamlessly work together to offer smooth AAA

and consistent service.



At a minimum a roaming relationship involves a home service provider (e.g., fixed or cellular operator, or a WISP) and a

hotspot operator (which may be also a service provider). The hotspot operator needs to provide the subscriber with a quick and

easy way to obtain connectivity, transfer the authentication credentials to the service provider, collect all the billing

information for authorized users and transmit the billing information to the home provider or a data clearing house for

settlement. The home provider authenticates the users against its subscribers’ database, authorizes access and later bills the

subscriber.



This basic framework is complicated by the fragmentation of the public hotspot market and the need to provide wide

coverage to the user. To be able to offer a wide domestic and international footprint to the user, a service provider would need

to enter bilateral roaming agreements with a large number of hotspot operators. This is a time-consuming process that requires

considerable effort.



To simplify the establishment of roaming relationships, the adoption of open standards discussed above is the first crucial

step. Intermediaries may streamline the process by providing aggregation of service, data clearing and financial settlement.

These services effectively allow the hotspot operator to have a wholesale roaming relationship with a wide number of SPs and

enable SPs to increase their footprint without having to negotiate individual deals with hotspot operators.

One-bill Roaming



1. The Mobile Client represents the user’s equipment (typically a

laptop computer, cell phone, or PDA) that is used to access the

802.11 network.

2. The 802.11 Access Point terminates the air (radio) interface to

and from the mobile client.

3. The Access Controller is the entity that verifies authorization

and enforces access control for authenticated users and segregates

traffic of non-authenticated (guest) users.

4. The Visited Network AAA Server (AAA-V) serves as an AAA

proxy for inbound roaming customers.

5. The Home Provider AAA Server (AAA-H) serves as the

RADIUS server authenticating the mobile client user. User

credentials are disclosed only to the AAA-H. The home SP and

visited network operator AAA servers also participate in

transactions involving the reconciliation of billing and settlement

records—both online and offline— and done either mutually, or

via an intermediate settlement entity.

6. The Web Server is an optional component that could serve one

or more of the following functions: browser-based login portal,

local value-added services portal for guests and authenticated

users, portal for new subscriptions, and redirector for other

services.

7. The Roaming Intermediary (INT) represents a wide variety of AAA and billing intermediaries which provide translations of RADIUS billing records into other formats and can be a key element in resolving legacy issues.

The figure (not reproduced here) shows the core elements, listed above, that will enable roaming among public hotspots.
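Added example, not code from the original deck: the routing step an AAA-V (item 4 above) performs before forwarding to an AAA-H (item 5) or a roaming intermediary (item 7). Only the realm of the Network Access Identifier is needed to pick the route, which is why a PEAP/TTLS outer identity of the form anonymous@realm suffices; the realm names, AAA-H address and broker table are constructed.

```python
"""AAA-V proxy routing from the Network Access Identifier (NAI).

Added example; realm names, AAA-H addresses and the broker table are constructed.
"""
import re

# RFC 4282 NAI: user@realm. The proxy never needs the user part: with PEAP or
# TTLS the outer identity is typically "anonymous@realm" and the real
# credentials travel inside the TLS tunnel to the AAA-H.
_NAI_RE = re.compile(r"^(?P<user>[^@]*)@(?P<realm>[A-Za-z0-9][A-Za-z0-9.-]*)$")


def parse_nai(nai):
    """Split an NAI into (username, realm); realm is lower-cased for matching."""
    m = _NAI_RE.match(nai)
    if not m or ".." in m.group("realm") or m.group("realm").endswith("."):
        raise ValueError("malformed NAI: %r" % nai)
    return m.group("user"), m.group("realm").lower()


class VisitedAAA:
    """Routing table of a visited network's AAA proxy (AAA-V)."""

    def __init__(self, bilateral, intermediaries):
        # bilateral: home realm -> AAA-H address under a direct roaming agreement
        # intermediaries: broker -> realms the broker clears and settles for us
        self.bilateral = {r.lower(): h for r, h in bilateral.items()}
        self.intermediaries = {b: {r.lower() for r in rs}
                               for b, rs in intermediaries.items()}

    def route(self, nai):
        """Return ('direct', aaa_h), ('intermediary', broker) or ('reject', None).

        Sub-realms (wlan.home-sp.example) fall back to the agreement held for
        the parent realm (home-sp.example); a realm nobody can clear is rejected
        locally with an Access-Reject, so nothing is forwarded blindly.
        """
        _, realm = parse_nai(nai)
        labels = realm.split(".")
        for i in range(len(labels) - 1):          # never match a bare TLD
            candidate = ".".join(labels[i:])
            if candidate in self.bilateral:
                return ("direct", self.bilateral[candidate])
            for broker, realms in self.intermediaries.items():
                if candidate in realms:
                    return ("intermediary", broker)
        return ("reject", None)


# Constructed roaming arrangements for a single hotspot operator.
SAMPLE_AAA_V = VisitedAAA(
    bilateral={"home-sp.example": "aaa-h.home-sp.example"},
    intermediaries={"broker-a": {"cellco.example", "isp.example"}},
)

if __name__ == "__main__":
    for nai in ("anonymous@home-sp.example", "bob@cellco.example", "eve@unknown.example"):
        print(nai, "->", SAMPLE_AAA_V.route(nai))
```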

Billing records and usage metrics



The framework presented here is compatible with several billing models available to users including

prepaid, pay-for-use, and postpaid (subscription-based) models likely to be the most common.

Charging metrics could be based on fixed or flat rates, on usage (time, volume and/or number of

connections) or specific services used. Regardless of the billing model, roaming users should be able to

connect to a visited network as they do when they connect to their home network.

Ideally, charges associated with WLAN roaming usage would appear in an integrated single bill as is

the case for cellular voice roaming today.

Billing metrics and formats across operators vary today, and there are no agreed upon standards in the

industry.

The SP billing metrics (e.g., number of connections, flat fee, time metered, volume metered) often

depend on how the SP bundles WLAN access with other services it offers.

For example, a cellular operator may be more inclined to charge by the minute while an ISP might

prefer per-connection charges.

The establishment of an industry wide standard for billing formats should support legacy systems

which are needed for billing other services offered and to minimize the incremental investment to

deploy.

Billing records and usage metrics

Until a prevailing metric or a billing format emerges, the best path to maximize flexibility for service

providers and to facilitate integration with different backend systems is to rely on RADIUS records as the

common protocol for WLAN services, with clearinghouses or other intermediaries translating RADIUS

records into formats that are compatible with the service providers billing systems, when necessary.

To support different pricing models, all the available data should be collected into detailed usage records. This will allow service providers (and by extension intermediaries and network operators) to charge on their preferred basis, including length of connection and traffic volume, in addition to flat-fee and per-connection charges.

In cases where the SPs charge on a different basis, the proper billing information can be derived from the detailed usage records because they contain the complete accounting data for a billed session.
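An added example (not the deck's code) of the previous two paragraphs: a constructed set of RADIUS Accounting-Stop records is rated under the per-connection, per-minute and per-megabyte bases the text names and summarised per home realm for settlement. The Acct-Input-Gigawords and Acct-Output-Gigawords attributes (RFC 2869) count wraps of the 32-bit octet counters; a rating engine that ignores them under-bills long sessions.

```python
"""Rating RADIUS Accounting-Stop records under different SP billing bases.

Added example; the accounting records and tariffs are constructed.
"""
import math
from dataclasses import dataclass

GIGAWORD = 2 ** 32     # each Acct-*-Gigawords increment is one wrap of a 32-bit octet counter
MEGABYTE = 1_000_000   # volume unit used by the constructed per-MB tariff


@dataclass
class AcctStop:
    session_id: str      # Acct-Session-Id
    nai: str             # User-Name as presented to the visited network
    session_time: int    # Acct-Session-Time, seconds
    in_octets: int       # Acct-Input-Octets (low 32 bits)
    out_octets: int      # Acct-Output-Octets (low 32 bits)
    in_gigawords: int = 0
    out_gigawords: int = 0

    def realm(self):
        if "@" not in self.nai:
            raise ValueError("NAI without realm cannot be settled: %r" % self.nai)
        return self.nai.rsplit("@", 1)[1].lower()

    def volume_bytes(self):
        """Total octets in both directions, reassembled from the 64-bit split counters."""
        return (self.in_gigawords * GIGAWORD + self.in_octets
                + self.out_gigawords * GIGAWORD + self.out_octets)


def rate(record, tariff):
    """Charge for one session in cents. tariff = {'basis': ..., 'rate': cents per unit}."""
    basis, unit_price = tariff["basis"], tariff["rate"]
    if basis == "flat":
        return 0  # flat-fee plans bill per period, not per session
    if basis == "per_connection":
        return unit_price
    if basis == "per_minute":
        return math.ceil(record.session_time / 60) * unit_price
    if basis == "per_mb":
        return math.ceil(record.volume_bytes() / MEGABYTE) * unit_price
    raise ValueError("unknown billing basis: %r" % basis)


def settle(records, tariffs):
    """Aggregate per-session charges by home realm (one settlement line per home SP)."""
    totals = {}
    for rec in records:
        realm = rec.realm()
        if realm not in tariffs:
            raise KeyError("no roaming tariff agreed for realm %r" % realm)
        totals[realm] = totals.get(realm, 0) + rate(rec, tariffs[realm])
    return totals


# Constructed records: a cellular partner billed per minute, an ISP per connection,
# and a third partner per megabyte with a session whose input counter wrapped once.
SAMPLE_RECORDS = [
    AcctStop("s1", "alice@cellco.example", 1830, 20_000_000, 5_000_000),
    AcctStop("s2", "bob@isp.example", 60, 1_000, 2_000),
    AcctStop("s3", "carol@data.example", 7200, 500_000, 1_500_000, in_gigawords=1),
]
SAMPLE_TARIFFS = {
    "cellco.example": {"basis": "per_minute", "rate": 10},
    "isp.example": {"basis": "per_connection", "rate": 300},
    "data.example": {"basis": "per_mb", "rate": 2},
}

if __name__ == "__main__":
    print(settle(SAMPLE_RECORDS, SAMPLE_TARIFFS))
```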

Authentication and Security; Wi-Fi Protected Access

The documented security vulnerabilities of the initial 802.11 security standard, WEP, and the need to communicate

the keys to the client before establishing a connection, have resulted in wide use of UAM. UAM typically provides the

initial authentication, while leaving the user responsible for session security. This approach typically translates into use

of VPN among remote corporate users, and no security for those users that do not have VPN at their disposal.

Leaving security as a responsibility for the user drastically limits the options available, as the most effective solutions

involve the adoption of the same standards on both the client side and the hotspot infrastructure.



The convergence on the same AAA and security standards in the public hotspot networks is even more important than

in enterprise networks as many more players are involved, and users are expected to use multiple networks managed

by different operators, in addition to their enterprise and residential networks.



Wi-Fi Protected Access provides much needed improvement over UAM in addressing security concerns while offering compatibility with more advanced services. As an added advantage, WPA provides a common solution that can be implemented in enterprise and residential networks as well as public access networks. Wi-Fi Protected Access provides a mobile client framework for consistency in network discovery, selection and authentication, which paves the way for seamless roaming across different types of WLAN networks.



• TKIP to generate dynamic per-user encryption keys

• 802.1X to provide the authentication framework

• EAP methods to perform mutual authentication

• RADIUS to offer AAA functionality

• PEAP or TTLS to secure EAP-based authentication methods

Authentication and Security; Wi-Fi Protected Access



Wi-Fi Protected Access and VPNs can work together to provide robust authentication and session protection for public wireless access. Wi-Fi Protected Access offers a more comprehensive wireless security solution, which includes mutual authentication and dynamic encryption keys. VPNs are still needed for session protection when accessing enterprise intranets from public networks and as such compatibility with Wi-Fi Protected Access is required to ensure wide adoption of WLAN services among business users.

Wi-Fi Protected Access implementation in public hotspots has to satisfy specific requirements, which arise from the

need to share AAA messages among different partners and to preserve confidentiality along the authentication path.

802.1X provides this functionality as it supports extensible end-to-end authentication between the mobile client and

the home provider’s AAA-H. When the EAP channel is established between the mobile client and the AAA-H, there is

no need for the visited network’s AP, AC, or AAA-V to support the specific EAP method or credential types used by

the home provider. This feature provides great flexibility to the client and service providers. With the use of PEAP or

TTLS tunneling, the information transmitted to the AAA-H remains confidential to the home provider, thus allowing

the establishment of roaming relationships that do not require the home provider to disclose subscriber information to

the visited network operator.



With PEAP, common session key derivation, distribution, and configuration solutions can be defined for a variety of

credential types, including certificates, usernames/passwords, and SIM cards. Industry agreement over acceptable

credential types and most suitable authentication methods will make it easier for cellular carriers and network

operators to support a variety of roaming scenarios across different network types. PEAP and TKIP provide valuable support for interoperability and roaming, as they address the 3GPP user security requirements defined in TR 22.934, Release 6.



Alternatives such as TTLS, which has similar functionality, can also be used without significantly sacrificing

interoperability, because of the end-to-end properties of EAP. However, PEAP is likely to be more widely deployed on

client platforms due to native operating system integration.

Wi-Fi Protected Access-based Authentication



Figure depicts a typical protocol stack for Wi-Fi Protected Access-based authentication in a public

hotspot.

The framework permits an AP to block all unauthenticated traffic from accessing the Internet or

other service networks, until the mobile client is authenticated by a provider, i.e. the visited network

in prepaid or pay-for-use billing models, or the home SP in subscription-based billing models.

EAP-SIM



EAP-SIM is an authentication method which has a special relevance for public hotspots, as it

allows a SIM-card based user authentication across WLAN and GPRS/EGPRS wireless networks

(a method known as EAP Authentication and Key Agreement (EAP-AKA) offers a similar

solution for USIM cards used in 3G-WCDMA networks).

In EAP-SIM, the GPRS/EGPRS SIM authentication parameters are exchanged in the EAP

messages with added mutual authentication that improves upon GSM security. This mechanism

allows re-use of GSM and GPRS/EGPRS SIM cards and preserves cellular service providers’

infrastructure elements like the Home Location Register (HLR).

The use of PEAP with EAP-SIM and other EAP methods allows for a consistent level of security, independent of the EAP method, providing strong keying material and mutual authentication, data origin authentication, session encryption, and dynamic key distribution (through RADIUS) between the EAP Client, NAS (network access server) and the EAP server.

The visited network only needs an 802.1X-compliant authentication framework to offer EAP-SIM to roaming partners, which will then authenticate the user against their HLR. The EAP-SIM method can be developed using the Microsoft EAP framework.

Wi-Fi Protected Access as a Defense Against Security Threats





Wi-Fi Protected Access offers a compelling solution to security threat challenges. Wi-Fi

Protected Access’s defense against rogue APs provides a good example.

A rogue AP has complete control over the channel of information flow and can perform a

wide variety of attacks including eavesdropping, message insertion, message modification,

DNS-based attacks, etc. Link-level encryption does not protect against this class of attacks

if the attacker is one of the endpoints of the encrypted channel.

There are two basic strategies to defend against rogue AP attacks. One is to tunnel all

traffic using a VPN client and a client-hosted firewall. If executed properly, this defense

limits the rogue AP to denial-of-service attacks. However, the VPN approach requires a

VPN infrastructure in the network and on the client, plus robust configuration of the client

firewall. These are non-trivial requirements. Wi-Fi Protected Access provides an alternative

strategy which is both more powerful and more easily deployable.

With mutual authentication, the client is required to authenticate the network so the client

has confidence in the network it is connecting to. This also enables the client to refuse a

connection to a rogue AP when it does not recognize the network identity. Note that the

latter approach is only effective if subsequent use of the connection is cryptographically

bound to the initial network authentication.

Migration to Wi-Fi Protected Access

Although we require adoption of Wi-Fi Protected Access in conjunction with 802.1X, we also recognize that until 802.1X-capable clients are widely deployed, there will be a market requirement to support the legacy UAM.

When 802.1X is used, browser redirection can be useful to help resolve authentication failures and to permit the establishment of new accounts. Therefore, the recommended hotspot AAA framework supports the coexistence of UAM and 802.1X-based authentication in one hotspot.

To support both 802.1X and UAM, each AP supports two different SSIDs, one corresponding to 802.1X and one to UAM. With current AP hardware, only one of these SSIDs, the one associated with the Wi-Fi Protected Access VLAN, can be advertised by the AP, but the other SSID for the UAM VLAN could be discovered via the 802.11 probe request/response mechanism.

When APs with full VLAN support become available, both SSIDs can be broadcast in different beacons. The open SSID, associated with UAM-based access, would not require any link-layer security, but the authentication controller (AC) would limit user access to the local web server until the user obtains authorization to use the network.

Subsequent enforcement of access control for the UAM method is likely to be based on the client’s MAC address, which is not very robust. Attackers can easily configure their own equipment with the same MAC address and masquerade as legitimate users, stealing their bandwidth. This is one business incentive for network providers to migrate users away from the UAM as soon as possible.
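Added example, not from the original document: a defender-side heuristic that shows what the MAC-cloning weakness described above looks like from the access controller's side, by flagging a MAC address that holds sessions on two access points at the same time. The association log layout, the AP names and the MAC addresses are constructed for illustration, not any vendor's format.

```python
"""Heuristic detector for cloned MAC addresses in a UAM hotspot.

Added example, not from the original document. A legitimate client is
associated to one AP at a time; when the same MAC address holds sessions
on two different APs simultaneously, a second device is very likely
reusing that address. Normal roaming also produces brief overlaps when
the new AP reports the association before the old AP reports the
disassociation, so overlaps shorter than a grace period are ignored.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-controller association log (assumed layout):
#   "<ISO time> <assoc|disassoc> <AP name> <client MAC>"
# 00:11:22:33:44:55 roams cleanly from ap-lobby to ap-room1, then a second
# device reuses its MAC on ap-room3 while it is still on ap-room1.
# 00:aa:bb:cc:dd:ee roams from ap-room1 to ap-room2 with a 3 s overlap.
SAMPLE_LOG = """\
2003-12-08T09:00:00 assoc ap-lobby 00:11:22:33:44:55
2003-12-08T09:05:00 disassoc ap-lobby 00:11:22:33:44:55
2003-12-08T09:05:02 assoc ap-room1 00:11:22:33:44:55
2003-12-08T09:06:00 assoc ap-room1 00:AA:BB:CC:DD:EE
2003-12-08T09:20:00 assoc ap-room3 00:11:22:33:44:55
2003-12-08T09:21:00 assoc ap-room2 00:aa:bb:cc:dd:ee
2003-12-08T09:21:03 disassoc ap-room1 00:aa:bb:cc:dd:ee
garbage line that does not parse
"""

ROAM_GRACE_SECONDS = 10   # overlaps up to this long are treated as roaming


def parse_events(text):
    """Parse log text into sorted (time, event, ap, mac) tuples; skip bad lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] not in ("assoc", "disassoc"):
            continue
        events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3].lower()))
    return sorted(events)


def build_sessions(events):
    """Pair each assoc with the next disassoc on the same AP.

    Returns {mac: [(ap, start, end)]}; a session with no disassoc yet is
    treated as still open (end = datetime.max).
    """
    open_sessions = {}            # (mac, ap) -> start time
    sessions = defaultdict(list)
    for t, event, ap, mac in events:
        key = (mac, ap)
        if event == "assoc":
            open_sessions[key] = t
        elif key in open_sessions:
            sessions[mac].append((ap, open_sessions.pop(key), t))
    for (mac, ap), start in open_sessions.items():
        sessions[mac].append((ap, start, datetime.max))
    return sessions


def find_cloned_macs(events, roam_grace_seconds=ROAM_GRACE_SECONDS):
    """Return {mac: [(ap_a, ap_b, overlap_start)]} for MACs on two APs at once.

    Only overlaps longer than the grace period are reported, so ordinary
    roaming does not trigger an alert.
    """
    grace = timedelta(seconds=roam_grace_seconds)
    alerts = defaultdict(list)
    for mac, sessions in build_sessions(events).items():
        for i, (ap_a, start_a, end_a) in enumerate(sessions):
            for ap_b, start_b, end_b in sessions[i + 1:]:
                if ap_a == ap_b:
                    continue
                overlap_start = max(start_a, start_b)
                overlap = min(end_a, end_b) - overlap_start
                if overlap > grace:
                    alerts[mac].append((ap_a, ap_b, overlap_start))
    return dict(alerts)


if __name__ == "__main__":
    for mac, hits in find_cloned_macs(parse_events(SAMPLE_LOG)).items():
        for ap_a, ap_b, since in hits:
            print(f"ALERT {mac}: on {ap_a} and {ap_b} since {since.isoformat()}")
```

An alert is a signal to correlate with the user's login identity, not proof on its own; a client with two radios using one address would look the same.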

The Road Ahead

Expect rapid evolution of public hotspot network requirements to support advanced usage models and services.

Fast and seamless inter-access point handoffs. Current WLAN access at hotspots is often limited to a single AP present on the premises. If multiple APs are deployed, inter-AP handoff may be slow or the mobile client may have to be re-authenticated when associating with a different AP. For today’s prevailing usage models (laptop access to check email or connect to Internet/intranet) this is not a severe limitation, as users are typically stationary.

Fast and lossless handovers across APs will become a requirement with the availability of a wider range of devices such as Wi-Fi enabled PDAs and mobile phones, and the introduction of advanced services such as messaging, real-time multimedia streaming, and data application portals.

Improvements in hand-off support are being addressed in IEEE study groups to make possible seamless and fast inter-AP handoffs within the Wi-Fi Protected Access framework.

Mobility management in hotspots. Requirements for mobility management in public WLANs are still not fully defined. Most hotspots currently are deployed as one large IP subnet. In these topologies, support for mobility management is provided by Layer 2 (MAC level) mechanisms such as fast re-authentication, pre-authentication and transfer of MAC layer states such as QoS across APs.

In the future, Mobile IP will be required. Protocols such as the Session Initiation Protocol (SIP) may be appropriate for targeted applications such as Voice over IP (VoIP).

Public Key-based Authentication and Authorization

Password-based authentication currently dominates in public WLAN access, as it is easy to implement and familiar to users, but it can open security holes for wireless connectivity. Password-based authentication also suffers from poor usability with inconsistent interfaces, typically requiring users to remember multiple passwords for access to multiple networks.

Symmetric-key-based authentication methods, such as password-based authentication, can be exposed to security vulnerabilities which arise from the need for third-party key establishment. With symmetric keys, each session key established between the mobile client and the authentication server must be shared directly and uniquely by the authentication server with the AP the mobile client associates with. Transfer of session keys hop-by-hop from the authentication server to an AP exposes the key to man-in-the-middle attacks.

It is therefore believed that the long-term solution is one based on asymmetric (private-public) keys and that appropriate measures should be taken to minimize or mitigate attacks on symmetric-key-based deployments.

The use of public key-based certificates with attributes for dynamic service provisioning and authorization will promote a more homogeneous framework for network access whether in the home, enterprise, or public hotspots. Intel supports the creation and adoption of standards that will lead to more robust authentication tokens.

Mobile Client Provisioning Considerations

Users often arrive at a hotspot location without any previous knowledge of the information required to access and utilize the network and services. This process is complicated and cumbersome today, as each service provider and network operator presents different interfaces and requires different information from subscribers.

To improve the overall user experience, we recommend the adoption of a client provisioning system that supports the AAA requirements for common login.

This client provisioning system should enable the client to automatically associate to a network that is unknown and discover the required information to access the network and associated services.

This information must be kept current by the provisioning system, and updates should be sent to the client during associations or during sign-up at the hotspot.

A consistent client provisioning framework for signup, renewal and authentication that users can use across devices, hotspot locations, service providers and network types (e.g. public, enterprise or residential) needs to be adopted by the industry.

In addition, the client provisioning system must provide transparent support for 802.1X authentication and be capable of addressing problems that may arise during the authentication process.

Network and Services Discovery

As infrastructure sharing among different networks becomes more widely used, mobile clients will need to have more advanced hotspot discovery capabilities to enable identification of available networks, obtain information about available services, and select the appropriate network automatically (if desired).

The establishment of a common yet extensible standards-based framework for hotspot discovery, selection of service providers, and provisioning of service is necessary to provide this functionality across different visited networks.

If there is a single hotspot operator which has a bilateral roaming arrangement with the user’s home operator (Home SP), network selection is trivial. If two or more hotspot operators (i.e., two or more advertised SSIDs) offer service, the mobile client must first select the SSID associated with the desired hotspot operator, and then proceed with the SP selection as usual.

The user may also need to select the broker or roaming aggregator, as the hotspot operator(s) may have roaming arrangements with the home SP via multiple intermediaries, whose services (including QoS) and charges may be different.

Advertisement

An industry-wide accepted solution for network and service discovery has not yet emerged; however, ongoing work indicates several solutions can be implemented successfully, including:

• Advertisement using the EAP framework. While suitable for lightweight dissemination of SP information, this solution cannot be used for direct advertisement by the home SP.

• Advertisement within beacon frames. Beacon frames are overloaded with SP information. The approach has several drawbacks: the information is not authenticated, only limited information can be transmitted, its radio use is inefficient, and it might require changes to client firmware.

• Advertisement through the virtual AP framework. A variant of the previous approach, it can advertise information relevant to each SSID.

• Advertisement through PEAP. This solution offers a more robust post-association framework, which includes a secure provisioning service, can provide detailed information, and supports configuration by the home SP.

Network selection can then occur either by explicit SSID preference or by overloading the Network Access Identifier (NAI) of the service providers (SP) in the SSIDs. This selection process can be automated if supported by the client provisioning system.

Summary and Conclusions

WLAN is one of the most exciting new wireless technologies today, allowing secure and robust high-speed wireless access at work, at home and while traveling. It works with laptops and PDAs, will soon be included in cellular phones, and is employed in a rapidly increasing number of locations, including enterprises, airports, hospitals, homes, restaurants, warehouses, marinas and even recreational vehicle parks.

To support the growing enthusiasm for the technology among users, a common framework to make WLAN convenient, easy to use and secure must be defined and adopted.

Key recommendations for enterprise and public hotspot networks are centered on the adoption of Wi-Fi Protected Access (WPA) with 802.1X, EAP and RADIUS to ensure robust mutual authentication, and TKIP and PEAP to preserve confidentiality during authentication. Wi-Fi Protected Access will also promote the development of AAA interfaces that will increase ease of use and be compatible across different Wi-Fi networks (office, hotspots and home). It is recommended to use robust authentication credentials, such as X.509 certificates, for increased security and ease of use.

We expect that providing guest access and mobility management on enterprise networks will be commonplace, taking full advantage of the productivity gains WLANs can provide. These capabilities require support for virtual LANs, multiple SSIDs in a single AP, intra-IP and inter-IP subnet mobility, and the availability of mobility-aware applications, fast handoffs, VPN auto-launch and secure ad hoc connections.

In public hotspot networks the adoption of Wi-Fi Protected Access is crucial to provide security with login consistency to subscribers. In public hotspots it will be necessary to complement Wi-Fi Protected Access with Universal Access Method compatibility through the early adoption stage and continued support for VPN use. The adoption of IP-based standards for AAA and mobility will enable one-bill roaming and, eventually, seamless roaming both within WLAN networks and interworking with WWAN and other networks.

Managing the Hotspot

Best Practices

• Make sure to provide a solution that will not need to be upgraded right away by installing mixed-mode access points
  • Mixed-mode access points support WEP & WPA requirements and thus provide a transition path to WPA
  • Be aware that mixed-mode is not endorsed by the Wi-Fi Alliance because it compromises WPA security
• In an enterprise environment, where a single IT department controls deployment, it is easier to deploy WPA
• Public Hotspots must take a more diverse set of customer requirements into consideration
• For public Hotspots, stay away from cheaper, SOHO access points
  • They lack processing power for newer encryption algorithms and support for authentication methods
• Install access points that support VLANs; this will facilitate the support of multiple access methods
• Use SSL (Secure Socket Layer) or SHTTP (Secure HTTP) to protect personal information or credit cards
  • Wireless Gateways tend to enforce this security mode
• For users needing to access corporate networks, VPN will still be the best method to secure their connections
  • 802.11i will only protect the wireless connection from the mobile station to the access point
• Purchase equipment that can be easily upgraded to the new WPA, WPA 2.0 and RSN (802.11i) standards

Managing the Hotspot

• Consumer expectation of reliability and performance will make for fierce competition among wireless providers
  • Hotspots with a reputation for problems will rapidly lose business
• Design a remote management capability that provides monitoring and direct access to equipment
  • Physically visiting your Hotspot sites can be expensive and time-consuming
• Account for physical travel to sites to replace or repair equipment
  • Include contracting to 3rd parties, sourcing locally by hiring regional specialists, or allocating travel budget
• Develop a strategy to roll out upgrades for bug fixes and new technologies and capabilities
  • Plan for firmware upgrades that you can’t apply remotely
  • Develop an appropriate change control policy and upgrade path

The key to any site management strategy is to have well-established goals and find cost-effective ways to meet them. Also, the RF environment can change from day to day, often without your knowledge or control. Active monitoring is important for finding rogue access points, conflicts from new devices like microwaves or phones, and attempts to bypass your site’s security.

Management Considerations

• The primary goal of any Hotspot provider’s management strategy is to have data on a day-to-day basis that a site is still up and running
• Contract a 3rd party to periodically audit sites in order to verify they are functioning as planned
• Using a Copy Exact approach, all of your procedures, installation methodologies, equipment, revision control, and maintenance processes are the same regardless of location
• Security and monitoring of sites for access and activity is paramount in avoiding litigation





Management Tools

• Site management tools address the health of the network from the wired & wireless networking side
• Strategies need to be implemented to allow visibility into your remote network environments
  • Design a strategy to reach your equipment in the private address space
• Avoid a common mistake: pinging a device is not a sufficient measure to ensure it is operating properly
  • Without visibility into your network to the device level you can never be sure of the state of the network
• Implement proper monitoring capabilities; this will assure that you can perform upgrades and remote changes

Enterprise applications

• Enterprise business users make up the majority of recurring revenue for Hotspots
• Business class users are the most demanding on a wireless infrastructure
  • Use of products like VPNs, Personal Firewalls, and Real-Time applications
• Restricting activities should heavily consider the business user
• There are three categories of business applications:
  • VPN and security
  • Real-Time applications
  • Real-Time Batch applications

Network Requirements

Coffee Shop Network Design

Equipment Selection

There are only four major hardware components in the coffee shop Hotspot:

1. Access point
2. Switch
3. Wireless Gateway
4. DSL Router

The model of the DSL Router is normally determined by the service provider, so you only have to research and buy three of the four hardware components. The table below shows some choices. These are not endorsements, only examples.

Coffee Shop Hotspot Summary

The small coffee shop Hotspot provides a simple and straightforward example of how to implement a Hotspot. It also highlights the fact that the industry is moving towards total hardware integration. For example, the Nomadix* AG-2000w is a network component that provides most of the functions required in a Hotspot. The next example we show is for a more complex Hotspot, a convention center.

Convention Center Hotspot

The convention center Hotspot is more complex than the small coffee shop Hotspot previously presented. Rather than attempt to completely describe the deployment as we did above, we’ll provide an overview of the steps required and the design decisions that will need to be made.

Site Goals and User Model

In this scenario, we are setting up a wireless network for the attendees at a conference/tradeshow. The conference organizers would like attendees to be able to get wireless network service in all session rooms, in the keynote hall, and in the front entryway where tables and seating have been set up, but not in the exhibition hall areas, to avoid conflicting with wireless demos being shown.

The expected number of attendees is around 3000. Each individual conference session may hold upwards of 100 people.

Users should be able to move between session rooms without losing their network connection.

In this scenario, we are making the assumption that 65% of the attendees have a wireless device and that 40% of them will be using the network, or 26% of the total attendees. Overall, just under 800 people will be active simultaneously, with 25 people active in any conference session.

3,000 total attendees X 0.65 = 1,950 attendees with wireless access
1,950 attendees with wireless access X 0.40 = 780 attendees with access on the network
780 attendees with access on the network / 3,000 total attendees = 0.26 -> 26%

The expected network usage is web browsing to the convention’s information site, general web surfing, and accessing corporate e-mail (requiring VPN to connect to the corporate intranet).

Site Survey

First, conduct a Site Survey:

Here we want to determine whether there are any existing wireless networks, or wireless networks from neighboring sites that might overlap, or any devices, like microwave ovens or portable phones, that may cause signal conflicts.

We need to look for barriers, such as walls or other obstacles that might impact signals, and for areas that might be difficult to cover with the circular coverage area of a typical access point antenna, such as long, narrow hallways.

This will help us determine where the access points can be located. Also consider:

• Placing them where they are not easily accessible, to avoid tampering or theft.
• Accessibility of power and network connectivity.

Survey findings:

• The convention center has no existing wireless network.
• No microwaves or other buildings present a conflict; all 3 802.11b channels are available.
• Pillars in the main hallways are where the access points can be mounted.
• Access points will be hung from the ceiling in the session rooms.
• The venue provides an Ethernet drop in each of the session rooms, but not the hallway.

Access Point Layout

• There is a narrow front entryway, with session rooms on either side of large exhibit halls.
• The left exhibit hall will hold the keynote sessions; the right room is for exhibitors and demos.
• There will be large numbers of users in small areas, session rooms and/or the front entryway.
• A small number of APs might cover the physical area of the Hotspot, but not the capacity.
• More APs will be used with reduced signal strength, allowing a higher density of APs.
• Channels 1, 6, and 11 are used to avoid conflicts with overlapping access point zones.
• The keynote area is not fully covered because of the location of the presenter’s stage.
• We need only cover the seating area, but even with 6 access points, if most of the attendees come to the keynote, and our usage percentages are accurate, we may not have the capacity necessary to service all the users. (We are constrained by the number of available channels and how much we can reduce the power of the access points.)

Convention Center Wireless Coverage

Security/Authorization

• Wireless network access will be free to attendees.
• There will be no login/authorization required since badges are required to enter the building.
• Only registered attendees will have physical access to the Hotspot, except maybe the sidewalks in front of the building.
• There will be no WEP or other security required.

Site Management

• We want to be able to monitor the health of the network
  • Bandwidth usage
  • Watch for introduction of viruses
  • Malicious users
• We will want to choose access points, network gateways, and other network components that include an SNMP capability to facilitate this.
• We will use a network manager, such as HP OpenView, to provide a centralized management console.
• It would also be a good idea during the course of the event to do regular RF audits using tools like AirMagnet WLAN Analyzer or WildPackets AiroPeek.

Billing

• Wireless service will be provided to the attendees for free.

Design Issues

Network Topology

• The user base for this Hotspot will be highly mobile.
• To allow roaming (moving from access point to access point), a “flat” network is required.
  • This will require VLANs to allow enough network capacity.
• A NAT device will be utilized to handle the number of public IP addresses required.

Power

• This network will only exist for a short time, during the duration of the event.
• New power installs are not cost-effective, and we don’t want to be limited by existing outlets.
• So we’ll select an access point model that gets power over the network (PoE).
• Run Ethernet cables to the AP locations to provide access to the backhaul network.

Performance

To give the users a “broadband” experience doing the types of applications we expect, roughly 100Kbps of bandwidth per user is desired. An 802.11b AP’s maximum bandwidth is roughly 5Mbps of real throughput. This means about 50 users per access point. There are 28 access points in the convention center design.

If there is a perfect distribution of users and access points (which there won’t be), this means 1,400 simultaneous users at 100Kbps. The target is 780 users (26% of 3,000). Depending on how accurate the numbers are, we are currently providing nearly double the capacity we think we’ll need. This gives us plenty of breathing room if our assumptions turn out to be incorrect.

If all 28 access points are operating at 5Mbps, then an OC-3 (155Mbps) backhaul will be required. This assumes that all 50 users on each access point are simultaneously downloading at all times.

If we assume half are actively downloading (vs. just reading content), then we’ll need about 70Mbps, which can be achieved (plus extra) with two T3 lines. Using two T3s (or equivalent) also would provide redundancy. Ideally, each T3 would come from a different service provider, in order to avoid possible outages due to service provider downtime.
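The user model in "Site Goals and User Model" and the performance figures above are one planning chain. The following added example (not from the original document) carries the document's own numbers through that chain as a reusable planner, so the per-AP and backhaul figures can be recomputed when any assumption changes; the T3 line rate (45 Mbps) is a standard value assumed here, everything else is the page's.

```python
"""Hotspot capacity planner built from the convention center assumptions.

Added example, not from the original document. It chains the user model
(attendees -> wireless -> active) with the per-AP throughput budget and
the backhaul estimate so that any of the inputs can be changed and the
downstream figures recomputed. T3 and OC-3 rates are standard line
rates assumed here; all other numbers are the document's own.
"""
from dataclasses import dataclass
import math

T3_MBPS = 45.0      # one T3 (DS3) line, nominal rate (assumption)
OC3_MBPS = 155.0    # one OC-3 line, the rate quoted in the document


@dataclass
class HotspotPlan:
    attendees: int              # people on site
    wireless_share: float       # fraction carrying a wireless device
    active_share: float         # fraction of those who will use the network
    aps: int                    # access points in the design
    ap_throughput_mbps: float   # real per-AP throughput (about 5 Mbps for 802.11b)
    per_user_kbps: float        # target "broadband" rate per active user

    def target_users(self) -> int:
        """Expected simultaneous users: attendees x wireless share x active share."""
        return round(self.attendees * self.wireless_share * self.active_share)

    def target_share(self) -> float:
        """Active users as a fraction of all attendees."""
        return self.target_users() / self.attendees

    def users_per_ap(self) -> int:
        """Users one AP can carry at the per-user target rate."""
        return int(self.ap_throughput_mbps * 1000 // self.per_user_kbps)

    def max_users(self) -> int:
        """Users served at the target rate if load were spread evenly over all APs."""
        return self.users_per_ap() * self.aps

    def headroom(self) -> float:
        """Capacity divided by the target; values above 1 are spare capacity."""
        return self.max_users() / self.target_users()

    def backhaul_mbps(self, downloading_share: float = 1.0) -> float:
        """Backhaul needed if this share of each AP's load is pulling data at full rate."""
        return self.aps * self.ap_throughput_mbps * downloading_share

    def fits_oc3(self, downloading_share: float = 1.0) -> bool:
        """Whether a single OC-3 carries the estimated backhaul."""
        return self.backhaul_mbps(downloading_share) <= OC3_MBPS

    def t3_lines(self, downloading_share: float = 1.0) -> int:
        """T3 lines needed for the estimated backhaul, rounded up."""
        return math.ceil(self.backhaul_mbps(downloading_share) / T3_MBPS)


# The convention center scenario as described in the document.
CONVENTION_CENTER = HotspotPlan(
    attendees=3000, wireless_share=0.65, active_share=0.40,
    aps=28, ap_throughput_mbps=5.0, per_user_kbps=100.0,
)

if __name__ == "__main__":
    p = CONVENTION_CENTER
    print(f"target users        : {p.target_users()} ({p.target_share():.0%})")  # 780 (26%)
    print(f"users per AP        : {p.users_per_ap()}")                           # 50
    print(f"max users           : {p.max_users()}")                              # 1400
    print(f"headroom            : {p.headroom():.2f}x")                          # 1.79x
    print(f"worst-case backhaul : {p.backhaul_mbps():.0f} Mbps, "
          f"fits OC-3: {p.fits_oc3()}")                                          # 140 Mbps, True
    print(f"half downloading    : {p.backhaul_mbps(0.5):.0f} Mbps, "
          f"T3 lines: {p.t3_lines(0.5)}")                                        # 70 Mbps, 2
```

Note that the even-distribution assumption is the optimistic one the document itself flags; the headroom figure shrinks as soon as users cluster in the keynote hall.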

Conclusions

Hotspots come in many sizes and shapes and usually with their own set of challenges. Gathering requirements, doing a site survey and choosing the right equipment are the three most important factors for success. As in any other worthwhile project, make sure you spend enough time getting an understanding of what you need to deliver.

As wireless Hotspots become more popular, the number of users at your Hotspot is likely to increase. Make sure you plan for the next revolution in communications.

Appendix A – Sample Hotspot Site Survey Diagrams

[Site survey diagram, not reproduced: Site Index US1104, Site Survey 12/08/2003, Location: Amarillo, Texas. The drawing shows the truck fueling canopy, truck lanes, the Subway, the hotel and the telecom room/DMARK with measured signal strength reference levels at each point. Mounting notes on the diagram: antenna to be mounted onto a mounting pole, which should be mounted as close as possible to the Southwest corner, outside of the roofline wall; the NEMA enclosure should be mounted on the inside of the roofline wall; 250 mW amp; 8 dBi Omni.]

NOTE: Burgundy numbers are Signal Strength Reference Levels produced from the RF Site Survey utilizing AirMagnet. An 11 Mbps connection is sustained with signal strength levels of -1 to -75. The lower the number, the better the signal.

Appendix B - Vendor Hotspot Diagram References

[Vendor diagrams not reproduced.]

Appendix C - Miscellaneous Hotspot-related

Site Survey Kit List

Sparco Site Survey Kit – SP-SSKIT-001

Qty  Part Number    Description
1    SP-BP-001      Site Survey Battery Pack
1    SP-RSA         Rotary Attenuator
1    SP-MSW         Measuring Wheel
1    SP-TC-001      Travel Case
1    SP-DT-001      Duct Tape
100  SP-ZIPTIES     Zip Ties
2    SP-CMD-001     Colored Marking Dots
1    SP-LCT-330K    Coax Crimper Kit
20   SP-CONPAC      Loose Connectors (LMR195 and LMR400)
2    SP-COAX        Coax Seal
2    CAF28777       Rubber Ducks - 2 dBi Omni
2    CAF94146       3 dBi Omni - Low Profile
2    CAF94568       6 dBi Omni - Mast Mount Indoor/Outdoor
2    CAF95950       9 dBi Patch Antenna
1    S2402DS36RTN   Diversity Omni Low Profile Antenna
1    ESS-PRO        Ekahau Site Survey Professional Software
1    SP-FG24008     8 dBi Omni
1    AIR-AP1231     Cisco 1231 AP
1    AIR-LMC352     Cisco LMC352

802.11a Non-overlapping Channels

[Figure not reproduced.]

Mixed 802.11a with 802.11b/g Cells

[Figure not reproduced.]

802.11 radio specifications

[Table not reproduced.]

See Sparco University for PDF of US Spectrum.


