
2008_WiFi Authentication and Roaming Authentication


Wi-Fi Authentication Demystified Tutorial

[Crossword puzzle grid]

Across
2. EAP over LAN
6. Conveys data between points
8. Pipe diameter
9. Number of 802.11a non-overlapping channels
11. Receive/send radio signal
13. Extensible Authentication Protocol
15. End of the link that responds
17. Amount of data sent in a given time
18. Manages addressing and protocol information
21. 10⁹ Hz
22. Only Wi-Fi Power Play
24. Supersedes WEP for 802.11
26. Contiguous frequencies
27. Opposite of transmitter

Down
1. Highest performing access device
3. Packet requesting information
4. Xirrus language
5. Circuitry to interpret and execute
7. Path for signals
10. Fragment of data
12. Specification implementing TKIP and AES
14. End of link initiating EAP authentication
15. Type of medium in 802.11
16. Number of 802.11b/g non-overlapping channels
19. One-million cycles per second
20. Rate at which a repeating event occurs
23. Standard for port-based access control
25. Institute of engineers

© 2008 Xirrus, Inc. All Rights Reserved.

Wi-Fi Authentication Demystified

Contents
Introduction
The History of Authentication
Authentication Framework
Wireless Infrastructure
Roaming and Authentication
Recommendations
Leading Architecture
About Xirrus


Introduction

Authentication is a critical part of any network security policy. Authentication validates the identity of a user or device, which is an important point as most people only look at authentication as authenticating the client. When using a mutual authentication scheme, not only is the client authenticated, but so is the network itself. This process allows the first device to authenticate the second and the second device to authenticate the first. Initial wireless authentication used a wireless encryption method known as WEP to provide the authentication, the idea being that if both sides had a common encryption key it would serve as a way to provide proper authentication. However, WEP was cracked and as a result it was no longer considered to be sufficient as an authentication or encryption method.

The overall goal of Wi-Fi authentication is to ensure that an authorized device does not connect to unauthorized access devices, such as a rogue AP. Rogue APs are unauthorized devices that have been detected in a network. Rogues can be either benign, such as neighboring APs or newly added devices, or a threat when added to the network for malicious reasons. These rogue APs can create numerous issues for the network, for example:

1. An attack called man-in-the-middle can occur, in which the rogue inserts itself between authorized devices and collects information and credentials from the user and the network.

2. An attack called a replay attack, in which a valid data transmission is maliciously or fraudulently repeated or delayed by the attacker. These attacks can be designed to steal information or affect normal operation, such as a denial of service attack.

Typical Wi-Fi Infrastructure

In a typical Wi-Fi infrastructure, stations associate to an Access Point. The Access Point is the Authenticator and interfaces with the Authentication Server to validate the station's identity and then allow access to the network.

[Figure labels: Router, Authentication Server, Ethernet Switch, Authenticator (two shown), Wireless Stations (Supplicant)]

For these reasons and more not listed, it helps to hide the users’ identity from being exposed to a sniffer or other type of eavesdropper on the network. There are additional benefits to authentication, such as encryption key management, which automatically expires user passwords and forces them to change credentials, like username and password, on a regular basis. Authentication is critical for protecting corporate and personal information; scaling and managing large groups of users at multiple locations normally requires the use of a dynamic authentication process. In addition to just authorizing access to the network, it also provides accounting and auditing information of every connection occurring in the network. All of this is extremely important in proving compliance with regulations such as HIPAA and PCI. Many forms of authentication also allow for extended control over end-user access, such as time-of-day or restricted guest-access policies.

The History of Authentication

Most people are familiar with RADIUS, which stands for Remote Authentication Dial-In User Service and has been around since the days of dial-up network access. The RADIUS server sits on the wired network and completes the process of authentication. The RADIUS service has three components: the authentication server, such as Microsoft’s IAS; the RADIUS client, which in the wireless world is the AP or the WLAN switch; and the supplicant. The supplicant is the Wi-Fi client to be authenticated. The supplicant forwards authentication information to the RADIUS client, which in turn forwards this information to the RADIUS server. The server will authorize or deny access to the network. In addition, the RADIUS server may return configuration information to the AP, such as placing the Wi-Fi user in a specific VLAN.

RADIUS

RADIUS packet fields:

Field                        Size
Code                         1 Byte
Identifier                   1 Byte
Length                       2 Bytes
Authenticator                16 Bytes
Attribute 1 ... Attribute N  variable

Code field values:

Value  Description
0      Access-Request
2      Access-Accept
3      Access-Reject
4      Accounting-Request
5      Accounting-Response
11     Access-Challenge
12     Status-Server (experimental)
13     Status-Client (experimental)
255    Reserved

Attribute Field:

Field   Size
Type    1 Byte (Values = 1 to 63)
Length  1 Byte
Value   1 or more Bytes

Authenticator Field contains challenge text and MD5 hashed responses (passwords).

RADIUS (RFC 2138) defines the backend authentication process between the Authenticator and Authentication Server. RADIUS Attributes carry specific authentication, authorization, information and configuration detail for the Access request and response types.

Example Attributes include:
– User Name (Type Field = 1)
– Password (Type Field = 2)

Items such as which VLAN the user is to be assigned to or what wireless user group policies to use can be defined by the use of Vendor Specific Attributes (VSAs) (Type Field = 26).
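The packet layout in the RADIUS figure above can be checked in code. The following Python sketch is an added example, not part of the Xirrus tutorial: it parses the header and attribute fields with strict length checks and verifies the MD5 Response Authenticator the way the RADIUS RFC defines it. The shared secret, user name, vendor id and VSA payload are constructed sample values, and the Code numbers follow the RFC, where Access-Request is 1.

```python
import hashlib
import hmac
import struct

# Code values as assigned in the RADIUS RFC (Access-Request is 1 there).
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response",
         11: "Access-Challenge"}
USER_NAME, VENDOR_SPECIFIC = 1, 26
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


class RadiusError(ValueError):
    """Raised when a packet violates the layout described above."""


def parse_radius(packet: bytes) -> dict:
    if len(packet) < HEADER_LEN:
        raise RadiusError("shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    # The Length field must agree with the bytes actually received.
    if length < HEADER_LEN or length > len(packet):
        raise RadiusError("Length field disagrees with received data")
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if length - pos < 2:
            raise RadiusError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        # a_len counts the Type and Length bytes, so it can never be < 2.
        if a_len < 2 or pos + a_len > length:
            raise RadiusError("attribute length out of bounds")
        value = packet[pos + 2:pos + a_len]
        if a_type == VENDOR_SPECIFIC:
            if len(value) < 4:
                raise RadiusError("VSA too short for a vendor id")
            value = {"vendor_id": int.from_bytes(value[:4], "big"),
                     "data": value[4:]}
        attrs.append((a_type, value))
        pos += a_len
    return {"code": CODES.get(code, "Unknown(%d)" % code), "id": ident,
            "length": length, "authenticator": packet[4:20], "attrs": attrs}


def response_digest(header4, request_auth, attrs, secret) -> bytes:
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    return hashlib.md5(header4 + request_auth + attrs + secret).digest()


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    parsed = parse_radius(packet)
    expected = response_digest(packet[:4], request_auth,
                               packet[HEADER_LEN:parsed["length"]], secret)
    return hmac.compare_digest(expected, parsed["authenticator"])


def attr(a_type: int, value: bytes) -> bytes:
    return bytes([a_type, len(value) + 2]) + value


def build_response(code, ident, attrs, request_auth, secret) -> bytes:
    header4 = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return header4 + response_digest(header4, request_auth, attrs, secret) + attrs


# Constructed sample: secret, user, vendor id and VSA payload are made up.
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))
SAMPLE = build_response(
    2, 7,
    attr(USER_NAME, b"alice")
    + attr(VENDOR_SPECIFIC, (99999).to_bytes(4, "big") + b"\x01\x09vlan=20"),
    REQUEST_AUTH, SECRET)

if __name__ == "__main__":
    print(parse_radius(SAMPLE), verify_response(SAMPLE, REQUEST_AUTH, SECRET))
```

An authenticator that skips the Response Authenticator check would accept a VLAN or policy attribute from anyone able to inject a reply on the wired side.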

A RADIUS server can also access things like an Active Directory service or other directory service on the back end of the network to enforce policies. This allows RADIUS to be implemented without having to recreate account information that may already exist in another directory.

In 1999, the 802.11 standard was adopted, which contained a couple of methods for basic authentication. One was called “open authentication”, which was not really authentication at all. Open authentication basically allows Wi-Fi association to all 802.11 compliant devices. A second method was WEP, which stood for Wired Equivalent Privacy. This form of authentication, known as “shared key WEP authentication”, allowed a shared WEP key to be used for authenticating users to access the network. In May 2001, an IEEE Task Group known as 802.11i began work on new enhanced security standards for 802.11. By August 2001, WEP was cracked, creating a large security breach and adversely impacting the adoption of Wi-Fi in the enterprise. At this point WEP became known as Weak Encryption Protocol.

Needing improved security and not being able to wait for the developing IEEE standard, the Wi-Fi Alliance announced in October 2002 a new security standard called WPA, which stands for Wi-Fi Protected Access. It was a security enhancement based on the work being done by the IEEE 802.11i Task Group. WPA was quickly put in place to correct the problems with WEP. This was accomplished via the implementation of an authentication framework and stronger encryption modes, and the 802.11i addendum was finally ratified.

Authentication Framework

There were three basic building blocks that led up to 802.11i. First, there was EAP, which stands for Extensible Authentication Protocol. EAP is a framework for authentication, allowing for a number of authentication methods to be used.

EAP/EAPOL Frame Format

EAPOL Packet fields:

Field             Size      Notes
Destination MAC   6 Bytes
Source MAC        6 Bytes
Ethertype Code    2 Bytes   0x888e
Protocol Version  1 Byte    1
Packet Type       1 Byte
Body Length       2 Bytes   # of Bytes
Packet Body       variable

EAP Packet fields:

Field   Size      Notes
Code    1 Byte
ID      1 Byte
Length  2 Bytes   # of Bytes
Type    1 Byte
Data    variable

EAPOL Packet Type values:

Value  Description
0      EAP Packet
1      EAPOL Start
2      EAPOL Logoff
3      EAPOL Key
4      EAPOL Alert

EAP Code values:

Value  Description
1      Request
2      Response
3      Success
4      Failure

EAP Type values:

Value  Description
1      Identity
2      Notification
3      NAK
4      MD5 Challenge
5      One Time Password
6      Generic Token Card
13     TLS

EAPOL (EAP Over LAN) is used by 802.1X to encapsulate the EAP protocol. The EAP protocol defines a number of methods for authentication.

One of those methods is 802.1x, a port level authentication method originally designed for wired networks. 802.1x, EAP, and additional encryption modes TKIP and AES were all components of the 802.11i standard.

802.11i Security

Phase 1: Security Discovery/Negotiation
Phase 2: 802.1X Authentication
Phase 3: Key Management, RADIUS Key Distribution
Phase 4: Data Confidentiality and Integrity

[Figure participants: Station, Authenticator, Authentication Server]

802.11i is the official security standard for 802.11 Wireless LANs as ratified by the IEEE in 2004. Its operation consists of 4 primary phases to establish secure communications. Phase 2 and a portion of Phase 3 are addressed in this poster; Phase 4 and a portion of Phase 3 are addressed in the companion Wi-Fi Encryption poster.

Additionally, mutual authentication and key exchange processes were added to the standard. All these additions allowed the authentication process to scale and also provided for dynamic key creation and updating, providing faster client authentication and roaming.

802.11i Packet Exchange

802.11i Packet Exchange describes the wireless authentication process, and begins with a supplicant (the wireless station) associating to the access point and initiating an 802.1X exchange.

Participants: Supplicant, Authenticator, Authentication Server

Messages between Supplicant and Authenticator:
Probe Request / Probe Response
Authentication Request / Authentication Response
Association Request / Association Response
(Port Unauthorized)
EAPOL-Start (Start Process)
EAP-Request (Identity)
EAP-Response (Identity)
EAP-Request (Challenge)
EAP-Response (Credentials)
EAP-Success
EAPOL Key 1
EAPOL Key 2
EAPOL Key 3
EAPOL Key 4
(Port Authorized)
EAP-Logoff
(Port Unauthorized)

Messages between Authenticator and Authentication Server:
RADIUS Access Request
RADIUS Access Challenge
RADIUS Access Request
RADIUS Access Accept

1. The authentication process starts with a virtual port in the Array set to “unauthorized” such that only authentication protocols are forwarded.

2. The station starts the authentication process with an EAPOL Start message.

3. The user's identity is passed to the Authenticator and then forwarded to the Authentication Server.

4. An EAP packet with challenge text is sent from the Authentication Server.

5. An EAP packet with the encrypted challenge text is sent back to the Server.

6. If the station has the correct credentials, a RADIUS Access Accept packet is returned, which also includes a Master Key used by WPA to generate unique per user encryption keys (see Wi-Fi Encryption Poster).

7. 802.11i adds 4-way handshake to generate and verify encryption keys for the supplicant station (see Wi-Fi Encryption Poster).

8. Upon successful authentication and key exchange, the Access Point allows traffic to be forwarded from the station to the network.

Wireless Infrastructure

Now let’s talk about how authentication works in a Wi-Fi network today. At a high level, the Wi-Fi client associates to an AP, also known as the authenticator. The station then sends an authentication request to the authenticator. The authenticator is designed so that prior to proper authentication all standard packets are discarded. While in this state the AP will only forward EAP packets. These packets are allowed to traverse to the wired side in order to reach the authentication server. Next, the client and server use the EAP packets to complete a four-way handshake, the result of which is that the authenticator and client define session keys. Finally, the authenticator moves its port into an authorized mode and normal access to the network ensues.
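The port behaviour described above, together with the EAPOL and EAP field layout from the frame format figure, can be modelled in a few lines of Python. This is an added example, not code from the Xirrus tutorial: it decodes EAPOL frames and shows an authenticator-side port that drops everything except EAPOL until it is authorized. The class and function names, the MAC addresses and the identity "alice" are assumptions made for the illustration.

```python
import struct

ETHERTYPE_EAPOL = 0x888E
EAPOL_TYPES = {0: "EAP Packet", 1: "EAPOL Start", 2: "EAPOL Logoff",
               3: "EAPOL Key", 4: "EAPOL Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "NAK", 4: "MD5 Challenge",
             5: "One Time Password", 6: "Generic Token Card", 13: "TLS"}


def parse_eapol(frame: bytes):
    """Return the decoded EAPOL/EAP fields, or None if malformed or not EAPOL."""
    if len(frame) < 18:  # 14-byte Ethernet header + 4-byte EAPOL header
        return None
    ethertype, version, ptype, body_len = struct.unpack("!HBBH", frame[12:18])
    if ethertype != ETHERTYPE_EAPOL or 18 + body_len > len(frame):
        return None
    out = {"version": version, "eapol": EAPOL_TYPES.get(ptype, "Unknown")}
    body = frame[18:18 + body_len]
    if ptype == 0:  # Packet Body carries an EAP packet
        if len(body) < 4:
            return None
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        if eap_len < 4 or eap_len > len(body):
            return None
        out.update(code=EAP_CODES.get(code, "Unknown"), id=ident)
        if code in (1, 2) and eap_len >= 5:  # Request/Response carry a Type
            out.update(type=EAP_TYPES.get(body[4], "Other"),
                       data=body[5:eap_len])
    return out


class ControlledPort:
    """Authenticator's per-station port: unauthorized until told otherwise."""

    def __init__(self):
        self.authorized = False

    def authorize(self):  # call after Access-Accept and the key exchange
        self.authorized = True

    def from_station(self, frame: bytes) -> str:
        if frame[12:14] == b"\x88\x8e":
            eapol = parse_eapol(frame)
            if eapol is None:
                return "drop"  # malformed EAPOL is never passed on
            if eapol["eapol"] == "EAPOL Logoff":
                self.authorized = False
            return "authenticator"  # handled locally, relayed via RADIUS
        return "forward" if self.authorized else "drop"


# Constructed sample frames; MAC addresses and the identity are made up.
STA, AP = bytes.fromhex("02aabbccddee"), bytes.fromhex("021122334455")


def eapol_frame(ptype: int, body: bytes = b"") -> bytes:
    header = struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, ptype, len(body))
    return AP + STA + header + body


IDENTITY = eapol_frame(0, struct.pack("!BBHB", 2, 1, 10, 1) + b"alice")
DATA = AP + STA + b"\x08\x00" + bytes(20)  # any non-EAPOL frame


def demo() -> list:
    port = ControlledPort()
    seen = [port.from_station(f) for f in (DATA, eapol_frame(1), IDENTITY)]
    port.authorize()
    seen += [port.from_station(f) for f in (DATA, eapol_frame(2), DATA)]
    return seen


if __name__ == "__main__":
    print(parse_eapol(IDENTITY))
    print(demo())
```

The decoded Identity response carries the user name as plain bytes, which is the "User Identity Exposed" issue listed for some EAP types.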

As mentioned before, the 802.1x framework uses EAP to exchange information; however, there are several types of EAP methods used today. Seven of these types are approved for interoperability by the Wi-Fi Alliance. The first is EAP-TLS, which requires a server-side certificate and a client-side certificate for credentials. The second most popular type is EAP-TTLS, whereby a user must have a server-side certificate, and uses just a username and password. Typically a third-party supplicant is needed for this method.

Wireless Authentication Framework

Wi-Fi Authentication (802.11i) is built on top of 802.1X and EAP.

– EAP (RFC 3748): Extensible Authentication Protocol.
– IEEE 802.1X: Wired port-based authentication; uses EAP and EAPOL as the underlying authentication protocol.
– IEEE 802.11i: wireless authentication; extends 802.1X to a wireless network and generates a Master Key. The Master Key is used by the Access Point and station to derive per session keys.

The next type, and probably most commonly deployed, is EAP-PEAP, which stands for Protected EAP. In this method, the server-side certificate is required, the client-side certificate is optional, and a standard username and password is used. An advantage of PEAP is that it can leverage usernames and passwords already defined in Windows Active Directory. Another type commonly seen is EAP-PEAP-GTC, which stands for Generic Token Card. It is a physical token that is used in the authentication process. Likewise, EAP-SIM uses a SIM card, a Subscriber Identity Module, for a GSM mobile handset. The last two types are Cisco-authored, proprietary protocols. One is LEAP (Lightweight Extensible Authentication Protocol), which was widely used early on but is not recommended anymore due to a dictionary attack that can be easily harnessed against it. LEAP did not require certificates on both sides of the link, as only a password was needed. To fix LEAP, fast-EAP was deployed. It is still password based and also does not require certificates on either side of the link.

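EAP Types

EAP-PEAP: Protected EAP (widely used)
  Server Side Certificate: Required
  Client Side Certificate: Optional
  User Credentials Used: Windows XP, 2000, CE, Username/Passwords and other 3rd party Supplicants
  User Database Access: Windows Domains, Active Directory

EAP-TLS: EAP with Transport Layer Security
  Server Side Certificate: Required
  Client Side Certificate: Required
  User Credentials Used: Certificate
  User Database Access: Windows Domains, Active Directory, Novell NDS, OTP
  Security Issues: User Identity Exposed

EAP-TTLS: EAP with Tunneled Transport Layer Security
  Server Side Certificate: Required
  Client Side Certificate: None
  User Credentials Used: Password
  User Database Access: Windows Domains, Active Directory

EAP-PEAP-GTC: Protected EAP with Generic Token Card
  Server Side Certificate: Required
  Client Side Certificate: None
  User Credentials Used / User Database Access: Windows, Novell NDS, One Time Password Token

EAP-SIM: EAP – Subscriber Identity Module (SIM). Uses SIM card found in GSM mobile phone handsets
  Server Side Certificate: Required
  Client Side Certificate: None
  User Credentials Used: Subscriber Identity Module (SIM Card)

LEAP: Lightweight EAP. Not recommended due to dictionary attacks
  Server Side Certificate: None
  Client Side Certificate: None
  User Credentials Used: Password
  User Database Access: Windows Domains, Active Directory
  Security Issues: Dictionary Attack, User Identity Exposed

Fast EAP: Cisco EAP based on PEAP
  Server Side Certificate: None
  Client Side Certificate: None
  User Credentials Used: Password
  User Database Access: Windows Domains, Active Directory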

RADIUS also has the ability to use what are called VSAs, or vendor specific attributes. By using VSAs, information can be passed from the RADIUS server to the authenticator, or AP. This information can be used for assigning a user group or VLAN assignment so policies can be applied to the end user connecting to the network.

Another type of authentication available is web-based authentication, typically used to allow temporary users or guests to gain restricted access to the network. This process is used in many places, but commonly seen in hotels. When a user opens their web browser, they are redirected to a web page where they can enter a username and password. Authentication is then granted normally from the RADIUS server and the session can continue or their connection may be redirected back to another web page. Web pages can be hosted directly in the Xirrus Wi-Fi Array, where it can be implemented on a per SSID basis.

Web-based Authentication

[Figure labels: Captive Portal, Original URL, Authenticator, Authentication Server]

1. A user associates to an open Wi-Fi network
2. User’s web session is captured and redirected to a landing page in the Access Point
3. The user is prompted for a username and password
4. The Access Point uses these credentials to authenticate the user with the Authentication Server
5. Access is granted and the user’s original URL is reloaded

Web-Based Authentication eliminates need to configure client software but requires manual entry of username/password. It is not used to configure an encrypted wireless link.

Roaming and Authentication

Clients using 802.11i can pre-authenticate with multiple access points at the same time, providing for faster roaming methods across the network. The security association generates something called the Pairwise Master Key (or PMK), which is the result of the four-way handshake discussed before. The PMK can be cached by the client and network AP, anticipating the fact that the client will roam from one AP to another. When a client attempts to roam to another AP, they can request the PMK ID they were using before or that they have in their cache. As a result of this cached key the full 802.1x exchange is not required, thus saving considerable amounts of time. This feature is fully supported by Xirrus Wi-Fi Arrays and is crucial for things like voice, where roaming time needs to be as short as possible.

802.11i Fast Roaming

[Figure labels: Authentication Server, Ethernet Switch, Supplicant, Authenticator]

Pre-Authenticate then Roam:
– Stations can pre-authenticate with new Access Point prior to roaming

PMK Caching:
– Access Points can share Pairwise Master Keys (PMK) in advance of stations roaming to them
– Stations can use existing PMK when roaming to a new Access Point that has pre-shared it with prior Access Point
– If Access Point has PMK, only the 4-way handshake needs to take place, otherwise full 802.1X exchange takes place
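The cache decision described above (use the cached PMK and run only the 4-way handshake, or fall back to the full 802.1X exchange) looks like this in Python. This is an added example, not code from the Xirrus tutorial: the PMK identifier is computed as 802.11i defines it, the first 128 bits of HMAC-SHA1 over the label "PMK Name", the AP address and the station address, while the class name, the cache lifetime and all keys and MAC addresses are assumptions constructed for the illustration.

```python
import hashlib
import hmac
import time


def pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    # 802.11i: first 128 bits of HMAC-SHA1(PMK, "PMK Name" || AP MAC || STA MAC)
    mac = hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1)
    return mac.digest()[:16]


class PmkCache:
    """Access-point-side PMK cache keyed by PMK identifier (hypothetical API)."""

    def __init__(self, ap_mac: bytes, lifetime_s: float = 3600.0,
                 clock=time.monotonic):
        self.ap_mac, self.lifetime_s, self.clock = ap_mac, lifetime_s, clock
        self._entries = {}  # pmkid -> (station MAC, PMK, expiry time)

    def store(self, sta_mac: bytes, pmk: bytes) -> bytes:
        key = pmkid(pmk, self.ap_mac, sta_mac)
        self._entries[key] = (sta_mac, pmk, self.clock() + self.lifetime_s)
        return key

    def on_reassociation(self, sta_mac: bytes, offered_pmkids):
        """Decide which exchange the roaming station has to complete."""
        now = self.clock()
        for offered in offered_pmkids:
            entry = self._entries.get(bytes(offered))
            if entry is None:
                continue
            owner, pmk, expiry = entry
            if now >= expiry:
                # A cache hit skips the RADIUS check, so the lifetime bounds
                # how long a disabled account could keep roaming.
                del self._entries[bytes(offered)]
                continue
            if hmac.compare_digest(owner, sta_mac):
                return "4-way-handshake", pmk
        return "full-802.1X", None


# Constructed sample values: key material and MAC addresses are made up.
PMK = bytes(range(32))
AP1, AP2 = bytes.fromhex("021122334401"), bytes.fromhex("021122334402")
STA, OTHER = bytes.fromhex("02aabbccddee"), bytes.fromhex("02aabbccddff")


class FakeClock:
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def demo():
    clock = FakeClock()
    ap2 = PmkCache(AP2, lifetime_s=600, clock=clock)
    ap2.store(STA, PMK)  # PMK obtained through pre-authentication
    offered = [pmkid(PMK, AP2, STA)]
    hit = ap2.on_reassociation(STA, offered)[0]
    other_station = ap2.on_reassociation(OTHER, offered)[0]
    clock.t = 601  # past the cache lifetime
    expired = ap2.on_reassociation(STA, offered)[0]
    return hit, other_station, expired


if __name__ == "__main__":
    print(demo())
```

Because the identifier binds the PMK to one AP address and one station address, an identifier computed for the previous AP never matches on the new one.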


Recommendations

Our recommendation for authentication is as follows:

– Use 802.11i and WPA-2 for the strongest security that’s available today, as well as PEAP with MS-CHAP for easiest administration where no client-side certificates are needed. It uses the built-in Windows username and password that the user is already assigned for the domain.

– Use an authentication server to enforce access policies like time-of-day access. It also notifies what resources VLAN users have access to on the wired network. Web-based authentication is a great way to allow easy access onto the Wi-Fi network.

– Lastly, replication and availability of your authentication server is important. RADIUS servers need to be capable of handling the peak loading in terms of the number of users that authenticate to it at the same time. Also, your RADIUS server should not be located near a slow WAN link or a remote site where it might take time and latency before the authentication process completes.


Leading Architecture

Xirrus planned for the success of Wi-Fi by developing an award-winning Wi-Fi architecture powerful enough to handle high-bandwidth applications today and modular enough to be upgraded for future enhancements.

With the Wi-Fi Array, Xirrus delivers the only ‘Power Play’ architecture in Wi-Fi networking with the most bandwidth and coverage per cable drop in the industry. Xirrus Wi-Fi Arrays deliver up to 8x the bandwidth of a single access point and are compact, easy-to-install, ceiling-mounted devices. No other current-generation Wi-Fi technology can deliver the bandwidth or throughput of Xirrus Arrays because they are limited to 2 radios producing only 108Mbps of shared bandwidth.

Xirrus Wi-Fi Array

[Figure labels: Redundant Gigabit Ethernet Uplinks; Multiple Wi-Fi Radios Produce 864Mbps of Bandwidth; High Gain Directional Antennas Increase Range; Sectored Antenna; Wi-Fi Radio; Wi-Fi Controller; 50% Sector Overlap; Ethernet Switch]

No other current-generation Wi-Fi technology can deliver the bandwidth or throughput of Xirrus Wi-Fi Arrays.

By integrating these key components: the Wi-Fi controller, Gigabit Ethernet Switch, Gigabit uplinks, multiple access points, sectored antenna system, Wi-Fi stateful firewall and Wi-Fi threat sensor into a single device, Xirrus Arrays are able to provide a centrally-managed platform that delivers unparalleled range, client capacity and performance, along with better RF management and roaming for voice, video and data applications, all in a single device that is fully upgradeable to 802.11n.

About Xirrus

Xirrus, Inc. is a privately held firm headquartered in Westlake Village, California. Founded by the same team that created Xircom (acquired by Intel in 2001), Xirrus has developed the next generation in enterprise wireless LAN architectures centered around the award-winning Array.

Backed by leading venture capital firms U.S. Venture Partners and August Capital, Xirrus brings a proven management team and patented approach to delivering the performance, scalability and security needed to deploy a true wireless extension of the wired Ethernet network capable of delivering Triple Play (voice, video, data) enablement.

Xirrus, Inc.
2101 Corporate Center Drive, Thousand Oaks, CA 91320, USA
1.800.947.7871 Toll Free in the USA
+1.805.262.1600 Sales
+1.805.262.1601 Fax

Copyright © 2008, Xirrus, Inc. All Rights Reserved. Xirrus and the Xirrus logo are trademarks of Xirrus, Inc. All other trademarks belong to their respective owners. Protected by patent #USD526,973S. Other patents pending.

[Figure: Wi-Fi Authentication Demystified Crossword Puzzle Answer Key, the completed grid for the Across and Down clues of the tutorial crossword]