From: Jacques Caron (Jacques.Caron_at_IPsector.com)
Date: 2002-10-11 11:24:43 UTC
Hi,
Indeed, reading:
ftp://ftp.orinocowireless.com/pub/docs/ORINOCO/BROCHURES/US/AP-2000%20US.pdf
it seems it might be the case that they use the same key for all stations, and only use the 802.1X EAPOL-Key messages to send this key to the stations (at authentication time, but also when the key changes, since they apparently support this).
In this case, the key provided by the EAP method is only used to encrypt the WEP key transmitted in the EAPOL-Key messages, not as a WEP key itself.
This solution is then probably OK for enterprise environments (where one doesn't care too much if an authenticated client can see traffic from other authenticated clients), but might of course be a bit more of a problem in a public or mixed environment.
Just a wild guess, of course, since marketing material is not always very easy to translate into technical terms, but this approach would match what they state, like "automatic key distribution".
Jacques.
At 13:06 11/10/2002, Lei chuanhua wrote:
>
>----------
>Thanks Caron and Jouni,
> You make me understand very clearly about 802.1x implementation
> using per-client key or keymapping method. However, I have asked agere
> system technical manager and he said that their AP 2000(now belongs to
> proxim) indeed always used the same key. He confirmed that agere cards/
> orinoco cards don't support keymapping or host-encryption. Now I have
> another question.
> If Orinoco used the two methods you described, it should be
> difficult to implement 802.1x using orinoco cards. However, they indeed
> implemented 802.1x long time ago.
> Method 1(key pair), at the end of authentication success, AS sever
> will send a key pair to AP and station. AP will encrypt its WEP keys with
> key pair from AS server, at the same time, it will keep the encrypted WEP
> key in its station list(Hostap should be this case). Apparently, every
> station should have a different key.
> Method 2 (Cisco??) Even if AP and station both use the key that AS
> server sent, however every station should also have a different key.
> The fact is that AP 2000 can only send the same key. How can Orinoco
> implement 802.1x in AP 2000? It should be contradictory.
> I can't understand why AP2000 can implenment 802.1x if their
> technical manager told me the truth.
> I hope that I can get some lights from you in principle at least.
> Thanks once time.
> hualab