Pages

Friday, February 1, 2013

What is Wi-Fi Protected Setup (WPS)

Nowadays Wi-Fi is common in many houses and offices.But Configuring the AP is not easy for new users. If they want to configure the better security such a way that others don't use your Wi-Fi ,we should configure Higher security methods like WPA/WPA2. If they use open security others can easily access your network.

        To overcome this problem Wi-Fi introduced the concept of Wi-Fi Protected Setup(WPS) which is the easy way to configure your new Wi-Fi setup securely without understanding higher security methods like WPA/WPA2.

Wi-Fi Protected Setup certification started from  January  2007.

WPS uses WPA2 Personal method and is compatible with legacy devices that are  CERTIFIED for WPA/WPA2 Personal.


Products certified for WPS offer users at least one of three easy setup solutions
1. Personal Information Number (PIN)
2. Push Button Configuration (PBC)
3. Near-Field Communication (NFC)

WPS are tested and certified to include both PIN and PBC configurations in APs, and at a minimum, PIN in client devices.


Traditional Way of Connecting WLAN 



1. User activates the AP by connecting it to a power source and to a wired network from a computer 
2. User launches a web browser to log into an administrative page and access the AP .
3. User assigns a network name to set the SSID 
4. Navigates to a security settings page to select the type of security to be used.
5. User will  enter a passphrase which the AP will use to generate the security key .
6. The user configures the device to connect  the network through WLAN application on the device, 
7. The client device presents the user with the network names (SSIDs) of all WLANs it finds in the vicinity. 
       The user selects the appropriate network name (created in Step 3) and connects to the network
8. The user is then prompted to enter the passphrase created in Step 5 . 
9. The client and the AP exchange security credentials and the new device is securely connected to the   
     WLAN. 




With WPS we will get below benefits.


          1.  In most cases, WPS eliminates for the user Steps 2-5 of the legacy method.
          2.  it simplifies some of the remaining tasks required of the user, such as the establishment of a               
              passphrase.
          3. Ensures that the SSID and WPA2 security key are properly configured
          4 .Adding new devices is  based upon a discovery protocol that is consistent across vendors
          5. Registrar will issue the credentials of devices being enrolled on the network. Usually AP will be  
             registrar on the network.
          6. When a new device that support  for WPS comes within range of an active AP, its presence is  
              detected, communicated to the Registrar 
          7.  the user is prompted to initiate the action that authorizes the issuance of registration credentials.

1. Personal Information Number (PIN)


  • Usually called as PIN method
  • PIN is provided for each device that will join the network
  • A fixed label may be placed on a device to identify the PIN for the user, or a dynamic PIN can be generated and shown on the device’s display
  • The PIN is used to ensure that the device that the user intends to add to the network is the one that is added and to help avoid accidental or malicious attempts of others to add unintended devices to the network
  • User accesses the Registrar through a GUI on the AP, or via a Web browser or UI on another device on the network
  • User enters client’s PIN into the Registrar via UI or Web browser
  • AP validates the PIN and connects to the network through Registrar, Most the cases AP acts as Registrar.

2. Push Button Configuration (PBC)


  • Usually called as Push method
  • Network name (SSID) is generated automatically for the AP and broadcast for discovery by clients
  • User pushes buttons on both the AP and client device
  • Then AP automatically  connect to the AP and join the network. 

3. Near-Field Communication (NFC)

  • This is optional feature of WPS for connecting the network
  • Network name (SSID) is generated automatically for the AP and broadcast for discovery by clients
  • User touches an NFC-enabled client device to the NFC target mark on the AP or brings the client within close proximity of it, approximately 10cm.
  • The Registrar reads the client’s identifying credentials from an NFC token embedded in the device
  • Then AP automatically  connect to the AP and join the network. 
  • Testing for NFC began in 2008



Tuesday, January 29, 2013

LWAPP Protocol Basics


In this topic i am planning to cover LWAPP protocol which is basic protocol for all controller based communications. For  CAPWAP protocol also base is LWAPP protocol. Now all the vendors are using CAPWAP/LWAPP protocol for communicating between Controller and APs.


Overview

        LWAPP is a generic protocol defining how Wireless Termination Points   communicate with Access Controllers.  Wireless Termination Points and   Access Controllers may communicate either by means of Layer 2   protocols or by means of a routed IP network.


LWAPP goals
  •   Centralization of the bridging, forwarding, authentication and policy enforcement
  •   Permit shifting of the higher level protocol processing burden away from the WTP
  •   Providing a generic encapsulation and transport mechanism
Note :

  WTP -Wireless Termination Points . Llike APs.
  AC   - Acess Controller . Like Controllers or Wireless Switchesor WLAN appliance  

State machine of LWAPP


LWAPP communication will happen with below messages

LWAPP discovery

     L2: MAC level Broadcast domain

     L3:
        No need of same subnet
        Discovery request
        Limited broad cast(255.255.255.255)
       Well Known Multicast
       Unicast IP address
       Discovery Response is always Unicast message


LWAPP Packets are classified into two types.

LWAPP data messages
For waded Wireless frames

LWAPP control messages
Control channel is series of Control messages between AC and WTP assosiated with session ID and key.


LWAPP control messages

1. Discovery
2. Control Channel management
3. WTP configuration management
4. Mobile session management
5. Firmware management

Control message format


      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |  Message Type |    Seq Num    |      Msg Element Length                           |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                           Session ID                                                                      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |      Msg Element [0..N]                    |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+





All LWAPP control messages

    Description                                                      Value
Discovery Request                                             1
Discovery Response                                          2
Join Request                                                      3
Join Response                                                   4
Join ACK                                                         5
Join Confirm                                                     6
Unused                                                            7-9
Configure Request                                           10
Configure Response                                        11
Configuration Update Request                         12
Configuration Update Response                      13
WTP Event Request                                       14
WTP Event Respons                                      15
Change State Event Request                           16
Change State Event Response                         17
Unused                                                           18-21

   Echo Request                                                 22
Echo Response                                               23
Image Data Request                                        24
Image Data Response                                     25
Reset Request                                                26
Reset Response                                              27
Unused                                                           28-29
Key Update Request                                      30
Key Update Response                                    31
Primary Discovery Request                             32
Primary Discovery Response                          33
Data Transfer Request                                    34
Data Transfer Response                                 35
Clear Config Indication                                  36
WLAN Config Request                                 37
WLAN Config Response                              38
Mobile Config Request                                  39
Mobile Config Response                               40




Discovery

a. Discovery Request:
Necessary step even for static AC also
Wait MaxDiscoveryInterval

b. Discovery Response
Wait Discovery Interval and select one of ACs move to joining state


c. Primary Discovery Request
Check Preferred AC availability
If it is connected to Another AC and configured with primary AC

d. Primary Discovery Response
Advertises availability and services
Connect to Primary AC



Control Channel management

a.Join Request

It is used as MTU discovery Mechanism
With unknown MTU path discovery ,Initial Join Request with 1596bytes.
It will try with 15961500bytes.
If valid certificate generates session key and context for session.
Note : Join Request consists of certificate and Wnonce must be considered as invalid.



b. Join Response

Capable and willing to provide service
Heartbeat timer initiated ,expiration deletion of AC-WTP session.
Timer refreshed on Echo Request.
Valid PSK-MIC responds with Join ACK.





C. Join ACK

WTP to AC , a mean of Key confirmation

D. Join confirm

AC to WTC , a mean of Key confirmation
It will put NeighbourDeadInterval expiration will give Echo request.
Note : This two happen with Pre shared key only.




e. Echo Request

Keep alive mechanism

f. Echo Response

AC should reset Heartbeat timer.
If not received AC consider WTP not reachable.

g. Key Update Request

WTP to AC to initiate re-keying phase
Includes new session unique identifier.


h. Keyupdate Response

Includes session ID,PSK-MIC element.

i. Keyupdate ACK

By WTP used for key derivation process
Those session keys used in encryption

j . KeyUpdate confirm

Closes re-keying loop.

h. KeyUpadate Trigger

AC to make WTP to start keyupdate request.