Posted: Fri Sep 09, 2005 8:20 am
Wireless Security Primer 101
Overview of Wireless Communication in a Wireless Network
Wireless networks, like their wired counterparts, rely on the manipulation of electrical charge to enable communication between devices. Changes or oscillations in signal strength from 0 to some maximum value (amplitude) and the rate of those oscillations (frequency) are used singularly or in combination with each other to encode and decode information.
When two devices understand the method(s) used to encode and decode information contained in the changes to the electrical properties of the communications medium, they can communicate with each other. A network adaptor is able to decode the changes in the electric current it senses on the wire and convert them to meaningful information (bits) that it can subsequently send to higher levels for processing. Likewise, a network adaptor can encode information (bits) by manipulating the properties of the electric current for transmission on the communications medium (the cable, in the case of wired networks).
The obvious and primary difference between wired and wireless networks is that wireless networks use a special type of electric current, commonly known as Radio Frequency (RF), which is created by applying alternating current (AC) to an antenna to produce an electromagnetic field (EM). The resulting RF field is used by devices for broadcast and reception. In the case of wireless networks, the medium for communications is the EM field, the region of space that is influenced by the electromagnetic radiation (unlike audio waves, radio waves do not require a medium such as air or water to propagate). As with wired networks, amplitude decreases with distance, resulting in the degradation of signal strength and the ability to communicate. However, the EM field is also dispersed according to the properties of the transmitting antenna, and not tightly bounded as is the case with communication on a wire. The area over which the radio waves propagate from an electromagnetic source is known as the Fresnel Zone.
Like the waves created by throwing a rock into a pool of water, radio waves are affected by the presence of obstructions and may be reflected, refracted, diffracted, or scattered, depending on the properties of the obstruction and its interaction with the radio waves. Reflected radio waves can be a source of interference on wireless networks. The interference created by bounced radio waves is called multipath interference.
When radio waves are reflected, additional wave fronts are created. These different wave fronts may arrive at the receiver at different times and be in phase or out of phase with the main signal. When the peak of a wave is added to another wave (in phase), the wave is amplified. When the peak of a wave meets a trough (out of phase), the wave is effectively cancelled. Multipath interference can be the source of hard-to-troubleshoot problems. In planning for a wireless network, administrators should consider the presence of common sources of multipath interference. These include metal doors, metal roofs, water, metal vertical blinds, and any other source that is highly reflective to radio waves. Antennas may help to compensate for the effects of multipath interference, but these have to be carefully chosen. In fact, many wireless access points have two antennas for precisely this purpose. But, a single omni-directional antenna may be of no use at all for this kind of interference.
Another source of signal loss is the presence of obstacles. While radio waves can travel through physical objects, they will be degraded according to the properties of the object they travel through. A window, for example, is fairly transparent to radio waves, but may reduce the effective range of a wireless network by 50 – 70%, depending on the presence and nature of coatings on the glass. A solid core wall can reduce the effective range of a wireless network by up to 90% or greater.
EM fields are also prone to interference and signal degradation by the presence of other EM fields. In particular, 802.11 wireless networks are prone to interference produced by cordless phones, microwave ovens, and a wide range of devices that use the same unlicensed Industrial, Scientific and Medical (ISM) or Unlicensed National Information Infrastructure (UNII) bands. To mitigate the effects of interference from these devices and other sources of electromagnetic interference, RF-based wireless networks employ Spread Spectrum technologies. Spread spectrum provides a way to “share” bandwidth with other devices that may be operating in the same frequency range. Rather than operating on a single, dedicated frequency such as is the case with radio and television broadcasts, wireless networks use a “spectrum” of frequencies for communication.
First conceived of by Hedy Lamarr and George Antheil (a Hollywood actress and composer respectively) in 1940 as a method to secure military communications from jamming and eavesdropping during WWII, spread spectrum defines methods for wireless devices to use a number of narrowband frequencies over a range of frequencies simultaneously for communication. The narrowband frequencies used between devices change according to a random-appearing but defined pattern, allowing the use of individual frequencies to contain parts of the transmission. Someone listening to a transmission using spread spectrum would hear only noise, unless their device understood in advance what frequencies were used for the transmission and could synchronize with them.
Two methods to synchronize wireless devices are frequency hopping spread spectrum (FHSS) and direct sequence spread spectrum (DSSS). As the name implies, FHSS works by quickly moving from one frequency to another according to a pseudo-random pattern. The frequency range used by the frequency hop is relatively large (83.5 MHz), providing excellent protection from interference. The amount of time spent on any given frequency is known as dwell time; the amount of time it takes to move from one frequency to another is known as hop time. FHSS devices will begin their transmission on one frequency and move to other frequencies according to the pre-defined pseudo-random sequence and then repeat the sequence after reaching the final frequency in the pattern. Hop time is usually very short (200 – 300 µs) and not significant relative to the dwell time (100 – 200 ms). However, Bluetooth devices use very short dwell times, and the hop times in this case can be significant, resulting in lower throughput. In general, the longer the dwell time, the greater the throughput and the more susceptible the transmission may be to narrowband interference.
The frequency hopping sequence creates the channel, allowing multiple channels to coexist in the same frequency range without interfering with one another. As many as 79 FCC-compliant FHSS devices using the 2.4 GHz ISM band may be co-located with each other. However, the expense of implementing such a large number of systems limits the practical number of co-located devices to well below this number. Wireless networks that use FHSS include HomeRF and Bluetooth, which both operate in the unlicensed 2.4GHz ISM band. FHSS is less subject to EM interference than DSSS, but usually operates at lower rates of data transmission (usually 1.6Mbps, but can be as high as 10 Mbps) than networks that use DSSS.
DSSS works somewhat differently. With DSSS, the data is divided and simultaneously transmitted on as many frequencies as possible within a particular frequency band (the channel). DSSS adds redundant bits of data known as chips to the data to represent binary 0s or 1s. The ratio of chips to data is known as the spreading ratio: the higher the ratio, the more immune to interference the signal is because if part of the transmission is corrupted, the data can still be recovered from the remaining part of the chipping code. This method provides greater rates of transmission than FHSS, which uses a limited number of frequencies, but fewer channels in a given frequency range. It also protects against data loss through the redundant, simultaneous transmission of data. However, because DSSS floods the channel it is using, it is also more vulnerable to interference from EM devices operating in the same range. In the 2.4 – 2.4835 GHz frequency range employed by 802.11b, DSSS transmissions can be broadcast in any one of 14 channels, each 22 MHz wide. The number of center-channel frequencies used by 802.11 DSSS devices depends on the country. For example, North America allows 11 channels operating in the 2.4 – 2.4835 GHz range, Europe 13, and Japan 1. Because each channel is 22 MHz wide, channels may overlap with each other. With the 11 channels available in North America, only a maximum of 3 channels (1, 6, and 11) may be used concurrently without the use of overlapping frequencies.
When comparing FHSS and DSSS technologies, it should be noted that FHSS networks are not inherently more secure than DSSS networks, contrary to popular belief. Even if the relatively few manufacturers of FHSS devices were not to publish the hopping sequence used by their devices, a sophisticated hacker armed with a spectrum analyzer and a computer could easily determine this information and eavesdrop on the communications.
Wireless networks operate at the Physical and Data Link Layers of the OSI model. The PHY layer is concerned with the physical connections between devices, such as the medium and how bits (0s and 1s) are encoded and decoded. Both FHSS and DSSS, for example, are implemented at the PHY layer. The Data Link Layer is divided into two sublayers, the Media Access Control (MAC) and Logical Link Control (LLC) layers. The MAC layer is responsible for such things as the framing of data, error control, synchronization, and collision detection and avoidance. The Ethernet 802.3 standard, which defines the Carrier Sense Multiple Access with Collision Detection (CSMA/CD) method for protecting against data loss as a result of data collisions on the cable, is defined at this layer.
Wireless Local Area Networks
Wireless Local Area Networks (WLANs) are covered by the IEEE 802.11 standards. The purpose of these standards is to provide a wireless equivalent to IEEE 802.3 Ethernet-based networks. The IEEE 802.3 standard defines a method for dealing with collisions (CSMA/CD), speeds of operation (10 Mbps, 100 Mbps, and faster), and cabling types (Category 5 twisted pair and fiber). The standard ensures the interoperability of various devices, despite different speeds and cabling types.
As with the 802.3 standard, the 802.11 standard defines methods for dealing with collision and speeds of operation. However, because of the differences in the media (air as opposed to wires), the devices being used, the potential mobility of users connected to the network, and the possible wireless network topologies, the 802.11 standards differ significantly from the 802.3 standard. As we mentioned earlier in this chapter, 802.11 networks use Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) as a method to deal with potential collisions, as opposed to CSMA/CD used by Ethernet networks, because not all stations on a wireless network may be able to hear collisions that can occur on the network.
In addition to providing a solution to the problems created by collisions that occur on a wireless network, the 802.11 standard must deal with other issues specific to the nature of wireless devices and wireless communications in general. For example, wireless devices need to be able to locate other wireless devices, such as access points, and be able to communicate with them. Wireless users are mobile and therefore should be able to move seamlessly from one wireless zone to another. Many wireless-enabled devices, such as laptops, use battery power and should be able to conserve power when they are not actively communicating with the network. Wireless communication over the air needs to be secure to mitigate both passive and active attacks.
WAP
The Wireless Application Protocol (WAP) is an open specification designed to enable mobile wireless users to easily access and interact with information and services instantly. WAP is designed for handheld digital wireless devices such as mobile phones, pagers, two-way radios, smartphones and other communicators. It works over most wireless networks and can be built on many operating systems including PalmOS, Windows CE, JavaOS, and others. The WAP operational model is built on the World Wide Web (WWW) programming model with a few enhancements. This model is shown in Figure 1.
Figure 1: WAP 2.0 Architecture Programming Model
WAP browsers in the wireless client are analogous to the standard WWW browsers on computers. WAP URIs are the same as those defined for traditional networks and are also used to identify local resources in the WAP enabled client. The WAP specification added two significant enhancements to the above programming model: push and telephony support (Wireless Telephony Application – WTA). WAP also provides for the use of proxy servers as well as supporting servers providing such functions as PKI support, user profile support, and provisioning support.
WTLS
The Wireless Transport Layer Security (WTLS) is an attempt by the WAP Forum to introduce a measure of security into the Wireless Access Protocol (WAP). The WTLS protocol is based on the Transport Layer Security protocol (TLS) that is itself a derivative of the Secure Sockets Layer protocol (SSL). However, several changes were made to the protocols in order to adapt them to work within WAP. These changes include:
* Support for both datagram as well as connection-oriented protocols.
* Support for long round-trip times.
* Low-bandwidth, limited memory and processor capabilities.
WTLS is designed to provide privacy as well as reliability for both the client and the server over an insecure network. It is specific to applications that utilize WAP. These applications tend to be limited by memory, processor capabilities, and low bandwidth environments.
IEEE 802.11
The original 802.11 standard was developed in 1989 and defines the operation of wireless networks operating in the 2.4 GHz range using either DSSS or FHSS at the Physical layer of the OSI model. The standard also defines the use of Infrared for wireless communication. The intent of the standard is to provide a wireless equivalent for standards, such as 802.3, that are used for wired networks. DSSS devices that follow the 802.11 standard communicate at speeds of 1 and 2 Mbps and generally have a range of around 300 feet. Because of the need for higher rates of data transmission and the need to provide more functionality at the MAC layer, other standards were developed by the 802.11 Task Groups (or in some cases the 802.11 standards were developed from technologies that preceded them).
The IEEE 802.11 standard provides for all the necessary definitions and constructs for wireless networks. Everything from the physical transmission specifications to the authentication negotiation is provided. Wireless traffic, like its wired counterpart, consists of frames transmitted from one station to another. The primary feature which sets wireless networks apart from wired networks is that one end of the communication pair is either another wireless client or a wireless access point.
IEEE 802.11b
The most common standard in use today for wireless networks, the 802.11b standard defines DSSS networks that use the 2.4GHz ISM band and communicate at speeds of 1, 2, 5.5 and 11 Mbps. The 802.11b standard defines the operation of only DSSS devices and is backward compatible with 802.11 DSSS devices. The standard is also concerned only with the PHY and MAC layers: Layer 3 and higher protocols are considered payload. There is only one frame type used by 802.11b networks, and it is significantly different from Ethernet frames. The 802.11b frame type has a maximum length of 2346 bytes, although it is often fragmented at 1518 bytes as it traverses an access point to communicate with Ethernet networks. The frame type provides for 3 general categories of frames: management frames, control frames, and data. In general, the frame type provides methods for wireless devices to discover, associate (or disassociate), and authenticate with one another; to shift data rates as signals become stronger or weaker; to conserve power by going into sleep mode; to handle collisions and fragmentation; and to enable encryption through WEP. With regard to WEP, we should note that the standard defines the use of only 64-bit (also sometimes referred to as 40-bit to add to the confusion) encryption, which may cause issues of interoperability between devices from different vendors that use 128-bit or higher encryption.
Ad-Hoc and Infrastructure Network Configuration
The 802.11 standard provides for two modes for wireless clients to communicate: ad-hoc and infrastructure. The ad-hoc mode is geared for a network of stations within communication range of each other. Ad-hoc networks are created spontaneously between the network participants. In infrastructure mode, access points (APs) provide for a more permanent structure for the network. An infrastructure consists of one or more access points as well as a distribution system (i.e. wired network) behind the access points which tie the wireless network with the wired network. Figures 2 and 3 show both an ad-hoc network as well as an infrastructure network respectively.
Figure 2: Ad-Hoc Network Configurations
Figure 3: Infrastructure Network Configurations
To distinguish different wireless networks the 802.11 standard defines the SSID (Service Set Identifier). The SSID can be considered the identity element which "glues" various components of a wireless LAN together. Traffic from wireless clients which use one SSID can be distinguished from other wireless traffic using a different SSID. Using the SSID an access point can determine which traffic is meant for it and which is meant for other wireless networks.
802.11 traffic can be subdivided into three parts: control frames, management frames and data frames. Control frames include such information as Request to Send (RTS), Clear to Send (CTS), and Acknowledgment (ACK) messages. Management frames include beacon frames, probe request/response, authentication frames, and association frames. Data frames are, as the name implies, 802.11 traffic that carries data. That data is typically considered network traffic such as IP encapsulated frames.
WEP
The IEEE 802.11 standard covers the communication between WLAN components. RF poses challenges to privacy in that it travels through and around physical objects. Because of the nature of the 802.11 wireless LANs the IEEE working group implemented a mechanism to protect the privacy of the individual transmissions. The intent was to mirror the privacy found on the wired LAN and the mechanism became known as Wired Equivalent Privacy or WEP. Because WEP utilizes a cryptographic security countermeasure for the fulfillment of its stated goal of privacy, it has the added benefit of becoming an authentication mechanism. This benefit is realized through a shared key authentication that allows the encryption and decryption of the wireless transmissions. Up to four keys can be defined on an AP or a client, and they can be rotated to add complexity for a higher security standard in the WLAN policy.
WEP was never intended to be the absolute authority in security. The IEEE 802.11 standard states that WEP provides for protection from “casual eavesdropping”. Instead, the driving force behind WEP was privacy. In cases that require high degrees of security, other mechanisms should be utilized, such as authentication, access control, password protection, and virtual private networks.
Despite its flaws, WEP still offers some level of security, provided that all its features are used properly. This means great care in key management, avoiding default options, and ensuring adequate encryption is enabled at every opportunity.
Proposed improvements in the standard should overcome many of the limitations of the original security options, and should make WEP more appealing as a security solution. Additionally, as WLAN technology gains popularity, and users clamor for functionality, both the standards committees as well as the hardware vendors will offer improvements. It is critically important to keep abreast of vendor-related software fixes and changes that improve the overall security posture of a wireless LAN.
Most APs advertise that they support WEP in at least 40-bit encryption, but often the 128-bit option is also supported. For corporate networks, 128-bit encryption–capable devices should be considered as a minimum. With data security enabled in a closed network, the settings on the client for the SSID and the encryption keys have to match the AP when attempting to associate with the network, or it will fail. The next few paragraphs discuss WEP in its relation to the functionality of the 802.11 standard, including a standard definition of WEP, the privacy created, and the authentication.
WEP provides some security and privacy in transmissions to prevent curious or casual browsers from viewing the contents of the transmissions held between the AP and the clients. In order to gain access, the degree of sophistication of the intruder has to improve, and specific intent to gain access is required. Some of the other benefits of implementing WEP:
* All messages are encrypted using a CRC-32 checksum to provide some degree of integrity.
* Privacy is maintained via the RC4 encryption. Without possession of the secret key the message cannot be easily decrypted.
* WEP is extremely easy to implement. All that is required is to set the encryption key on the APs and on each client.
* WEP provides a very basic level of security for WLAN applications.
* WEP keys are user definable and unlimited (within limits). They can, and should, be changed often.
Enable and configure WEP
From the IEEE, we have standards such as 802.11b. As part of those standards, there must be a way to secure wireless transmissions the same way that they are secured on a wired network: WEP, hence the name ‘Wired Equivalent Privacy’. Wired Equivalent Privacy (WEP) is a security protocol, specified in the IEEE Wireless Fidelity (Wi-Fi) standard, 802.11b, which is designed to provide a wireless local area network (WLAN) with a level of security and privacy comparable to what is usually expected of a wired LAN. Radio waves are not bound by walls or wires, so it’s hard to protect access to wireless with physical controls. If your wireless network is not secured properly, it will be very easy for an attacker to penetrate your network, especially if you think it’s secured the way a wired network can be locked down. WEP seeks to establish similar protection to that offered by the wired network's physical security measures by encrypting data transmitted over the WLAN. WEP, with strengths of 40/64 bit and 128 bit, will allow you to achieve security over your wireless network. Encryption protects the highly vulnerable wireless system between devices. WEP is in fact crackable, especially in its weaker strengths. There are tools that will allow you to capture traffic, analyze it, and run code against it to crack it. This doesn’t mean it’s useless; 128 is pretty tough to crack, so use it! Don’t leave it out. I’ll put it to you like this: if you don’t use WEP and leave your wireless system open and not ‘closed’ (where the SSID is broadcast), then WEP may be your only chance at stopping penetration, so make sure you use it.
Secure your SSID
The SSID is the service set identifier, and it is used for identification purposes within a WLAN. Data that is transmitted needs to have the proper SSID between the client and the Access Point so that both items are identifiable on the network. You can think of the SSID as a sort of password used between the devices so that acknowledgment can happen, and data can be transferred. In a sense, you can almost think of the SSID as the ‘Workgroup’ name used in Windows based operating systems, if that is an easier way for you to think of it and remember it. What is nice about SSIDs is that you can divide your network up with them… and this is where the problems come in. Many administrators are not too well versed in wireless security (because the technology is sparsely used and fairly new on the market), so when you mention a tool like ‘Netstumbler’ to them, they may shrug their shoulders because they are not sure what that is. Netstumbler is the tool you can use to find open systems broadcasting their SSIDs, and with a little effort, your WLAN can be exploited. Your SSIDs are best served by the following three rules:
1. Change the Default SSID!
2. Change the SSID at frequent intervals
3. Make sure you are not running an Open System
4. Do not use very easy or identifiable SSIDs
Most SSIDs are based on the vendor you purchase them from. In other words, if you bought a Linksys AP, your SSID will be Linksys. This is just way too easy to find and use against you (with tools like Netstumbler), so make sure you change the default SSID.
You can also set a schedule to change your SSIDs at frequent intervals as time progresses. This is also a very common step in securing your WLAN that is missed, forgotten or not considered at all.
Make certain that you are not running an open system. In a nutshell, remember that it’s important to not have the SSID broadcasting so a hacker can pick it up with freeware tools readily available on the Internet. Not doing this defeats your entire WLAN security infrastructure.
DO NOT under any circumstances use an easy to guess or exploit SSID scheme. Many Administrators may be interested in the KISS theory – Keep it Super Simple… and you may find an SSID list like this:
This is just a simple scheme to prove a point, but nonetheless, you need to understand that with a closed system, the SSID is not broadcast, therefore it can’t be picked up with tools, it’s not easily guessed and, best of all, it’s not the default SSID like ‘Linksys’, which is ridiculously easy to exploit because it’s the vendor name of the product being used as an SSID. Don’t think for one second that there isn’t a list out there with all the default SSIDs available and that this is ‘not’ used when engaging in an active penetration attack on your WLAN; thinking this will get you in trouble… Secure the SSID!
Change passwords
This should be very self-explanatory, but sometimes it is missed. When you have an interface either via a web browser or command line, to not change the default password is completely insane. Everything you do to secure your wireless network can be thwarted within seconds by leaving the default password on your devices. For example, most vendors use a blank password, the password of ‘password’ or their vendor name. This is bad, and changing it should be your first priority after rolling out any device. Change the password!
Change access point position
When you want to roll out a wireless solution, you will see that it’s very important to have a site survey done. This goes beyond the scope of this article so I placed a link here for you to gather some info about why a site survey is ‘critical’ in a wireless deployment:
Make certain that when you do look at placement of devices within the site survey, you consider security as a main point of interest. It is very important that you plan the coverage to radiate to areas where coverage is needed, but not to radiate past that if possible. In other words, if you only need 20 feet of coverage, adjust your AP to only provide for 20 feet of coverage. A nice little trick you can use is to place some aluminum behind the AP so that it limits radiation out a window and you do not have outsiders trying to wardrive.
Re-Do a wireless site survey
There are many tools out there (Netstumbler is free, and there are other products from Cisco and other vendors) that will allow you to find what are called ‘Rogue Access Points’. Basically, this is any AP or device that you do not know about or that was installed without the MIS department’s permission. Doing a site survey will help you find these rogue APs.
Use MAC Filtering
APs today will allow you to control access based on a MAC address. The MAC address is a physical address burned into the network interface card on your system, an AP or any other device residing on your network. It is written in hexadecimal format and looks like this:
00-08-74-97-0B-26
This is unique to each device on the network and although duplicates do exist (from aging equipment that hasn’t been replaced), it is pretty safe to say that every device’s MAC is unique. Since they are unique, they are very easy to use in security rules. In other words, if you have 10 PCs on your network, you will have 10 unique MAC addresses. If you want, you can apply these MACs in a filter in nearly all wireless AP gear that exists today to filter out MACs that shouldn’t be accessing the AP. In other words, if you set up to allow only these 10 PCs then that is all that can participate on the network. Two possible issues exist:
1. If you have a very large number of APs, the management can get pretty scary
2. ARP Spoofing (if an attacker can figure out what an allowed system’s MAC is) is a possible active attack against the network that is commonly exploited.
All in all, if you have a smaller network, this is a good form of security, but if you have a large network, you may want to move into other forms of security like Radius and IPSec.
Use Radius or IPSec
In an enterprise setup of Wireless, you will need a security infrastructure that works with your deployment. This is critical because easy to use security measures will win over your heart quickly once you deploy. Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol and software that enables remote access servers to communicate with a central server to authenticate dial-in users and authorize their access to the requested system or service. You can use RADIUS to maintain user profiles in a central database that all devices can share and use. This is much the same with WLAN configurations.
You can also use IPSec for more security. IPSec (Internet Protocol Security) is a protocol used for security at the network or packet-processing layer of network communication. In other words, if you are using IP, then you can use IP Security, or IPSec for short. It just adds another layer of security to your WLAN infrastructure. In any case, use these whenever you are able.
Other Security Options
This last section hosts many of the other items you can deploy or think about in regards to Wireless security:
If possible, always get Wireless devices that are upgradeable. Since this is such a new technology in the marketplace, changes and advancements are very rapid.
Watch your vendor closely. Make sure that you are on top of all the newest releases, patches, and security notes that are released from the vendor. In other words, if you were using Cisco Products, you may want to scan the Cisco Site for updates and release notes:
Use security other than WEP, when you can. In other words, there are many other forms of security you can implement, some of which were already mentioned in this same article. Other forms of security are:
The IEEE recognized WEP as very short on deliverable security, so 802.1x and EAP became new de facto implementations of wireless security. 802.1x itself is not the mainstay in wireless security, but combining it with, let’s say, EAP will create a fantastic solution for you when applied correctly.
The 802.1X standard is designed to enhance the security of wireless local area networks (WLANs) that follow the IEEE 802.11 standard. 802.1X provides an authentication framework for wireless LANs, allowing a user to be authenticated by a central authority. 802.1X uses an existing protocol, the Extensible Authentication Protocol (RFC 2284) that works on Ethernet, token ring, or wireless LANs, for message exchange during the authentication process.
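An added example (not part of the original post) for the WEP sections above: a minimal sketch of WEP encapsulation showing how the 24-bit IV, the four key slots, RC4 and the CRC-32 integrity check value fit together, and why a 40-bit key is marketed as 64-bit. The frame layout follows the usual description of 802.11 WEP; the function names and sample keys are constructed for illustration.

```python
import struct
import zlib

IV_LEN = 3  # 24-bit initialization vector, transmitted in the clear

# Constructed sample keys (not from the post): 40-bit and 104-bit secrets.
KEY_40 = bytes.fromhex("a1b2c3d4e5")
KEY_104 = bytes.fromhex("00112233445566778899aabbcc")


class IntegrityError(ValueError):
    """Raised when the decrypted ICV does not match the payload."""


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling followed by keystream XOR."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(payload: bytes) -> bytes:
    """Integrity check value: CRC-32 of the payload, least significant byte first."""
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)


def marketed_bits(secret_key: bytes) -> int:
    """'64-bit' and '128-bit' WEP count the 24-bit IV as part of the key."""
    return (len(secret_key) + IV_LEN) * 8


def wep_encapsulate(keys, key_id: int, iv: bytes, payload: bytes) -> bytes:
    """Build IV || key-id byte || RC4(IV || key, payload || ICV)."""
    if not 0 <= key_id <= 3 or key_id >= len(keys):
        raise ValueError("WEP has four key slots, numbered 0 to 3")
    if len(iv) != IV_LEN:
        raise ValueError("IV must be 3 bytes")
    key = keys[key_id]
    if len(key) not in (5, 13):
        raise ValueError("secret key must be 40 or 104 bits")
    body = rc4(iv + key, payload + icv(payload))
    return iv + bytes([key_id << 6]) + body  # key id lives in the top 2 bits


def wep_decapsulate(keys, frame: bytes) -> bytes:
    """Decrypt a frame and verify the ICV; raise IntegrityError on mismatch."""
    if len(frame) < IV_LEN + 1 + 4:
        raise ValueError("frame too short")
    iv, key_id = frame[:IV_LEN], frame[IV_LEN] >> 6
    if key_id >= len(keys):
        raise ValueError("no key configured in that slot")
    clear = rc4(iv + keys[key_id], frame[IV_LEN + 1:])
    payload, received_icv = clear[:-4], clear[-4:]
    if received_icv != icv(payload):
        raise IntegrityError("ICV mismatch: wrong key or altered frame")
    return payload


if __name__ == "__main__":
    keys = [KEY_40, KEY_104]
    frame = wep_encapsulate(keys, 1, b"\x00\x00\x01", b"constructed payload")
    print("IV on the air:", frame[:IV_LEN].hex(), "key slot:", frame[IV_LEN] >> 6)
    print("marketed strength:", marketed_bits(KEY_40), "and", marketed_bits(KEY_104))
    print("round trip:", wep_decapsulate(keys, frame))
```

Only the 40 or 104 secret bits are actually secret: the IV is visible in every frame, which is one reason the post recommends the longer key and frequent key changes.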
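An added example (not from the original post) that turns the SSID rules, the 2.4 GHz channel plan and the rogue-AP site survey described above into a check over survey results. The record fields, the default-SSID list (only ‘Linksys’ is named in the post) and the sample survey are assumptions constructed for illustration.

```python
import re
from itertools import combinations

# Sample list of vendor-default SSIDs; only 'Linksys' comes from the post.
DEFAULT_SSIDS = {"linksys", "netgear", "default", "tsunami"}
CHANNEL_WIDTH_MHZ = 22  # DSSS channel width given in the post


def normalize_mac(mac: str) -> str:
    """Accept 00-08-74-97-0B-26, 00:08:74:97:0b:26 or 0008.7497.0b26."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def center_mhz(channel: int) -> int:
    """Center frequency of 2.4 GHz channels 1-13 (5 MHz spacing)."""
    if not 1 <= channel <= 13:
        raise ValueError("channel out of range")
    return 2407 + 5 * channel


def channels_overlap(a: int, b: int) -> bool:
    """Two 22 MHz-wide channels overlap if their centers are closer than 22 MHz."""
    return abs(center_mhz(a) - center_mhz(b)) < CHANNEL_WIDTH_MHZ


def audit(survey, authorized_bssids):
    """Return (bssid, finding) tuples for one site-survey pass."""
    allowed = {normalize_mac(m) for m in authorized_bssids}
    findings, ours = [], []
    for ap in survey:
        bssid = normalize_mac(ap["bssid"])
        if bssid not in allowed:
            # Not in the inventory: installed without the department's knowledge.
            findings.append((bssid, "rogue-ap"))
            continue
        ours.append((bssid, ap["channel"]))
        if ap["ssid"].strip().lower() in DEFAULT_SSIDS:
            findings.append((bssid, "default-ssid"))
        if ap["broadcast_ssid"]:
            findings.append((bssid, "ssid-broadcast"))
        if ap["encryption"] == "none":
            findings.append((bssid, "no-encryption"))
    # Authorized APs that share spectrum interfere with each other.
    for (m1, c1), (m2, c2) in combinations(ours, 2):
        if channels_overlap(c1, c2):
            findings.append((f"{m1}+{m2}", "channel-overlap"))
    return findings


# Constructed survey data; the first BSSID reuses the MAC format shown in the post.
AUTHORIZED = ["00-08-74-97-0B-26", "00-08-74-97-0B-27", "00-08-74-97-0B-28"]
SURVEY = [
    {"bssid": "00:08:74:97:0b:26", "ssid": "Linksys", "channel": 6,
     "encryption": "none", "broadcast_ssid": True},
    {"bssid": "00:08:74:97:0b:27", "ssid": "wl-7f3a", "channel": 8,
     "encryption": "wep-128", "broadcast_ssid": False},
    {"bssid": "00:08:74:aa:bb:cc", "ssid": "wl-7f3a", "channel": 11,
     "encryption": "wep-128", "broadcast_ssid": False},
    {"bssid": "00:08:74:97:0b:28", "ssid": "wl-7f3a", "channel": 1,
     "encryption": "wep-128", "broadcast_ssid": False},
]

if __name__ == "__main__":
    for bssid, finding in audit(SURVEY, AUTHORIZED):
        print(f"{finding:16} {bssid}")
```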