Electronic Business: Concepts, Methodologies, Tools, and Applications (4-Volumes) P224
Wireless LAN Setup and Security Loopholes
RADIUS Overview
Remote authentication dial-in user service (RADIUS) is a widely deployed protocol that provides centralized authentication, authorization, and accounting for network access. RADIUS was originally developed for dial-up remote access, but it is now supported by virtual private network (VPN) servers, wireless access points, authenticating Ethernet switches, digital subscriber line (DSL) access equipment, and other kinds of network access server. A RADIUS client (here, the access point) sends the user's credentials and the connection parameters to the RADIUS server in a UDP (user datagram protocol) message. The RADIUS server authenticates and authorizes the request and sends back a RADIUS response message. To protect RADIUS messages, the RADIUS client and the RADIUS server are configured with a common shared secret. The shared secret is used to secure the traffic back and forth between the client and the RADIUS server, and is commonly entered as a text string on both the RADIUS client and the server (Microsoft, 2000). Note that the shared secret does not encrypt the whole exchange: it keys the authenticators that let each side check a message's integrity and origin, and it obscures only the User-Password attribute, so a weak or guessable secret, or an untrusted path between the access point and the server, undermines the whole scheme.
Simple 802.1x Authentication with RADIUS Server
The following steps show the necessary interactions that happen during authentication (Gast, 2002).

1. The Authenticator (Access Point) sends an EAP-Request/Identity packet to the Supplicant (Client) as soon as it detects that the link is active.
2. The Supplicant (Client) sends an EAP-Response/Identity packet, containing its identity, to the Authenticator (Access Point). The Authenticator then repackages this packet in the RADIUS protocol and passes it to the Authentication (RADIUS) Server.
3. The Authentication (RADIUS) Server sends back a challenge to the Authenticator (Access Point), such as with a token password system. The Authenticator unpacks this from RADIUS, repacks it into EAPOL (EAP over LAN), and sends it to the Supplicant (Client).
4. The Supplicant (Client) responds to the challenge via the Authenticator (Access Point), which passes the response on to the Authentication (RADIUS) Server.
5. If the Supplicant (Client) provides proper credentials, the Authentication (RADIUS) Server responds with a success message that is then passed on to the Supplicant. The Authenticator (Access Point) now allows access to the LAN, based on the attributes that came back from the Authentication Server.

Figure 3 shows the details in a pictorial way, where client, AP, and RADIUS server interact.
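The following is an added example, not code from the chapter or from any RADIUS implementation, of how the access point and the RADIUS server use the shared secret described above at steps 2 and 5. It builds the Access-Request the authenticator sends after the EAP-Response/Identity, checks its Message-Authenticator on the server side, answers with an Access-Accept whose Response Authenticator is keyed by the secret, and shows that a mismatched secret is rejected at either end. The shared secrets, the identifier and the NAS-Identifier are constructed for the example; the NAS-IP-Address reuses the access point address from the authors' test setup described later in the chapter.

```python
"""RADIUS Access-Request / Access-Accept with shared-secret integrity checks.

Added example (not from the chapter). Implements the packet layout and the two
authenticators of RFC 2865 / RFC 2869 with the standard library only.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, NAS_IP_ADDRESS, NAS_IDENTIFIER = 1, 4, 32     # RFC 2865 attribute types
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80              # RFC 2869 attribute types
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1                   # EAP code / type (RFC 3748)


def attr(kind, value):
    """One RADIUS attribute: Type (1 byte), Length (1 byte, includes header), Value."""
    return struct.pack("!BB", kind, 2 + len(value)) + value


def parse_attrs(data):
    """Split the attribute region of a packet into (type, value) pairs."""
    attrs, off = [], 0
    while off < len(data):
        kind, length = data[off], data[off + 1]
        attrs.append((kind, data[off + 2:off + length]))
        off += length
    return attrs


def build_access_request(secret, ident, username, nas_ip, nas_id, request_auth):
    """The access point's Access-Request after the supplicant's EAP-Response/Identity.

    The EAP packet is carried verbatim in EAP-Message. Message-Authenticator is
    HMAC-MD5(secret, whole packet with its own value zeroed), which RFC 3579 requires
    for any Access-Request that carries EAP-Message."""
    eap = (struct.pack("!BBH", EAP_RESPONSE, ident, 5 + len(username))
           + bytes([EAP_TYPE_IDENTITY]) + username)
    attrs = (attr(USER_NAME, username)
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(NAS_IDENTIFIER, nas_id)
             + attr(EAP_MESSAGE, eap)
             + attr(MESSAGE_AUTHENTICATOR, bytes(16)))   # zero placeholder, filled below
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac      # Message-Authenticator is the last attribute, so its value is the tail


def verify_message_authenticator(secret, pkt):
    """Server side: recompute the HMAC with the Message-Authenticator value zeroed."""
    off = 20
    while off < len(pkt):
        kind, length = pkt[off], pkt[off + 1]
        if kind == MESSAGE_AUTHENTICATOR:
            zeroed = pkt[:off + 2] + bytes(16) + pkt[off + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[off + 2:off + 18])
        off += length
    return False                # EAP over RADIUS without Message-Authenticator must be dropped


def build_response(secret, code, request_pkt, attrs=b""):
    """Response Authenticator = MD5(Code | Identifier | Length | RequestAuth | Attributes | Secret)."""
    head = struct.pack("!BBH", code, request_pkt[1], 20 + len(attrs))
    resp_auth = hashlib.md5(head + request_pkt[4:20] + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(secret, request_pkt, response_pkt):
    """Client side: the reply must quote our Identifier and be keyed to our Request Authenticator."""
    if response_pkt[1] != request_pkt[1]:
        return False
    expected = hashlib.md5(response_pkt[:4] + request_pkt[4:20]
                           + response_pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, response_pkt[4:20])


def exchange(client_secret, server_secret, username=b"guest",
             nas_ip="172.20.121.57", nas_id=b"lab-ap"):
    """One round trip between an access point and a RADIUS server that may or may not share a secret.
    nas_ip is the chapter's access point address; nas_id and both secrets are constructed."""
    req = build_access_request(client_secret, 7, username, nas_ip, nas_id, os.urandom(16))
    if not verify_message_authenticator(server_secret, req):
        return "server dropped request: bad Message-Authenticator"
    resp = build_response(server_secret, ACCESS_ACCEPT, req)
    if not verify_response(client_secret, req, resp):
        return "client dropped response: bad Response Authenticator"
    return "Access-Accept verified"


if __name__ == "__main__":
    print(exchange(b"s3cret-shared", b"s3cret-shared"))
    print(exchange(b"s3cret-shared", b"typo-in-secret"))
```

The Request Authenticator is fresh random bytes per request, so a captured Access-Accept cannot be replayed against a later request, and forging an Accept in place of a Reject fails because the code byte is covered by the Response Authenticator. Everything else in the packet, including User-Name and NAS-Identifier, is plaintext on the wire.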
There are several EAP authentication types, including EAP-MD5, EAP-TLS, EAP-TTLS, LEAP, and PEAP with MS-CHAPv2. The PEAP authentication process consists of two main phases. Phase 1: Server authentication and the creation of a TLS (transport layer security) encryption channel. The server identifies itself to a client by providing certificate information to the client. After the client verifies the identity of the server, a master secret is generated. The session keys that are derived from the master secret are then used to create a TLS encryption channel that encrypts all subsequent communication between the server and the wireless client. This protection holds only if the supplicant is configured to validate the server's certificate against a trusted certification authority; a client that skips that check will build the tunnel to an impostor RADIUS server and expose the inner exchange to it. Phase 2: EAP conversation and user and client computer authentication. A complete EAP conversation between the client and the server is encapsulated within the TLS encryption channel. With PEAP, you can use any one of several EAP authentication methods (such as passwords, smart cards, and certificates) to authenticate the user and client computer.

PEAP-Microsoft challenge handshake authentication protocol version 2 (MS-CHAP v2) is a mutual authentication method that supports password-based user or computer authentication. During the PEAP with MS-CHAPv2 authentication process, both the server and the client must prove that they have knowledge of the user's password in order for authentication to succeed. With PEAP-MS-CHAPv2, after successful authentication, users can change their passwords, and they are notified when their passwords expire.
Implementing EAP Authentication with RADIUS Server
This section shows the implementation of 802.1x port-based authentication using PEAP (protected extensible authentication protocol) with MS-CHAPv2 (Microsoft challenge handshake authentication protocol version 2), by setting up RADIUS servers on Windows 2000 Server and Red Hat Linux 9, as shown in Figure 4. As discussed in the authentication part, the purpose of this implementation is to allow authorized users to log in to the WLAN. Authorized users are those who have registered their usernames and passwords with the RADIUS server before they are allowed to access the WLAN.

Figure 3. Step-by-step extensible authentication protocol (EAP) sequences that include the client or user computer, the Access Point, as well as the RADIUS server
Figure 4. Wireless network implementation. The WLAN is connected to the LAN, where the RADIUS server is used for authentication
Figure 5. AP association table shows that the clients are EAP authenticated
7KH 5$',86 VHUYHU FDQ EH FRQ¿JXUHG DV
EULHÀ\H[SODLQHGQH[WRQ:LQGRZVVHUYHU
ZLWK VHUYLFH SDFN  E\ FRQ¿JXULQJ WKH ,$6
(Internet authentication server). In the IAS au-
thentication service, there is a need to register
the RADIUS client. Typically, that would be an
access point, and its name and IP address with
the shared secret are entered into IAS. Remote
DFFHVV SROLF\ QHHGV WR EH FRQ¿JXUHG WR JLYH
proper access rights. EAP authentication needs to
EHVHOHFWHGDV3($3SURWHFWHG($3&HUWL¿FDWH
VHUYLFHVQHHGWREHFRQ¿JXUHGDQGFHUWL¿FDWLRQ
authority details need to be entered to create the
FHUWL¿FDWHWKDWKDVWREHXVHGZLWK,$67KHXVHU
account that uses wireless network needs to be
given remote access rights in the active directory
user management.
On the access point, there is a need to do the
DXWKHQWLFDWRUFRQ¿JXUDWLRQE\DGGLQJWKH,3
address of the RADIUS server and the shared
secret details. On the client’s side, windows XP
ZRUNVWDWLRQ KDV WR EHFRQ¿JXUHG ZLWK D ZLUH-
less card to negotiate with the AP that is doing
RADIUS authentication through IAS server. The
association table on CISCO AP in Figure 5 shows
the details after the client’s EAP authentication
with RADIUS server. Note the words ‘EAP As-
soc’ under the State column.

An example setup used by the authors can be explained as follows. The user guest, who had an account on the RADIUS/Windows 2000 server risecure.isecures.com (IP address 172.20.121.15), connected from a client, PC.isecures.com (IP address 172.20.121.60), through a Cisco Aironet 350 access point (IP address 172.20.121.57). The event viewer output (only selected lines are shown) after successful EAP authentication was as follows:

IAS event viewer output on Windows 2000 Server:

    Event Type: Information
    Event Source: IAS
    Computer: RISECURES
    Description:
    User ISECURES\guest was granted access.
    Fully-Qualified-User-Name = isecures.com/Users/Guest
    NAS-IP-Address = 172.20.121.57
    NAS-Identifier = AP…
    Client-Friendly-Name = isecureslab
    Client-IP-Address = 172.20.121.57
    Policy-Name = Allow access if dial-in entry enabled
    Authentication-Type = EAP
    EAP-Type = Protected EAP (PEAP)
7RLPSOHPHQWWKH5$',86FRQ¿JXUDWLRQ
in Linux platform, a GNU RADIUS software,
known as FreeRADIUS, can be downloaded and
EHFRQ¿JXUHGDVWKH5$',86VHUYHU7KHGHWDLOV
of that can be found at the Web site http://www.

freeradius.org. The details of the authentication
messages (only selected lines are shown) when
FreeRADIUS is run in a debug mode (i.e., radiusd
- X) in Linux after successful EAP authentication
can be as shown.
FreeRADIUS authentication output on red hat
Linux:
rad_recv: Access-Request packet from host
LG OHQJWK 
8VHU1DPH ³JXHVW´
&LVFR$93DLU ³VVLG LVHFXUHVODE´
1$6,3$GGUHVV 
&DOOHG6WDWLRQ,G ³;;´
&DOOLQJ6WDWLRQ,G ³FIG;;´
1$6,GHQWL¿HU ³$3;;´«
UOPBHDS($3SHDS
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Success
/RJLQ2.>JXHVW@IURPFOLHQWLVHFXUHVODESRUWFOL
FIGEF«
The authors used FreeRADIUS 1.0.0 to set up the RADIUS server. The source was compiled and the executable was created. Some configuration files were edited, namely radiusd.conf, eap.conf, and clients.conf, to allow user permission with password and to configure the PEAP-MS-CHAPv2 functions. Of these, clients.conf is where each access point is listed with its shared secret, and eap.conf is where PEAP is chosen as the default EAP type with MS-CHAPv2 as the inner (tunneled) method.
THE WEP CRACKING PROCEDURE
Problems with WEP
Generally, attacks on WEP were based on the design of the system, which many people thought was sound. However, a paper written by Fluhrer, Mantin, and Shamir (2001) dispelled that notion. The authors found a flaw in the "key scheduling algorithm" of RC4 that made certain RC4 keys fundamentally weak, and they designed an attack that would allow a passive listener to recover the secret WEP key simply by collecting a sufficient number of frames encrypted with weak keys. Though they did not implement the attack, others did. The first public description was in 2001, from an AT&T Labs technical report (Stubblefield, Ioannidis, & Rubin, 2001).

Aircrack is a WEP key cracker that the authors used. It implements the so-called Fluhrer-Mantin-Shamir (FMS) attack, along with some newer attacks by KoreK. When enough encrypted packets have been gathered, Aircrack can almost instantly recover the WEP key. Every WEP-encrypted packet carries a 3-byte (24-bit) initialization vector (IV) in the clear, and the per-packet RC4 key is that IV prepended to the secret key. Some IVs leak information about a particular byte of the key and thus, statistically, the correct key emerges when a sufficient number of IVs have been collected. How many IVs are needed to recover a WEP key depends on the way the IVs are distributed. Most of the time, one million unique IVs (thus about 2 million packets) are enough.
Practical Cracking
Both 64-bit and 128-bit WEP key cracking were tested and analyzed by the authors. The cracking was done using an Acer laptop client station with appropriate software. Huge files from the Internet (around 650 MB) were downloaded by the wireless laptop to create sufficient packets for capturing. The laptop had a built-in wi-fi network adapter used for connection to the Internet through the access point network. An additional Cisco Aironet 350 series PCMCIA card was used on the same laptop for packet capturing on channel 6. The packet capturing was done using Link Ferret software (version 3.10). Once the PCMCIA card is configured for promiscuous capturing, it cannot be used for connecting to a wireless network. The list of equipment (hardware or software) used is shown in Table 2.

Table 2. Hardware and software used for WEP cracking

    Equipment/Item                 Specification
    Laptop                         Acer laptop with Mobile Centrino Intel processor, 256 MB RAM and 20 GB HDD, running Windows XP
    Network detection software     NetStumbler 0.4.0
    Packet capturing software      Link Ferret 3.10 (also used as analyzer)
    Wireless network adapters      Onboard wireless network adapter and Cisco Aironet 350 series PCMCIA card
    WEP cracking software          Aircrack 2.1

The 128-bit WEP key (alphanumeric) was cracked by capturing around 3 to 4 million packets containing 264,674 unique IVs. The cracking itself took only 2 seconds and is shown in Figure 6. Other random 128-bit alphanumeric keys were also cracked easily. Note that 264,674 unique IVs is well below the million-IV rule of thumb quoted above; the difference comes from the additional KoreK attacks that Aircrack applies on top of FMS.
Thus, WEP does not use the RC4 encryption algorithm properly: the way it forms per-packet keys exposes the protocol to weak-key attacks, and freely available hacker tools like Aircrack, AirSnort, and others exploit this weakness.
WAR DRIVING AND PACKET ANALYSIS
War driving is the process of driving around a place or city with a PC or laptop fitted with a wireless card, running wireless detection software and, preferably, connected to a global positioning system (GPS). The software detects the presence of wireless networks, and the war driver can then associate his device with a detected network. This is possible because of the nature of all wireless networks: they need to announce their existence so that potential clients can link up and use the services provided by the network. However, the information needed to join a network is also the information needed to launch an attack on it. Beacon frames are not processed by any privacy functions, which means that the 802.11 network and its parameters are available to anybody with an 802.11 card. War drivers have used high-gain antennas and software to log the appearance of Beacon frames and associate them with a geographic location using GPS.

Figure 6. WEP key (128 bits, or rather 104 bits of secret key) cracked using Aircrack software
Packet capturing can be done in various spots where wireless networks are detected through NetStumbler software alerts. Anyone would be quite surprised to see that quite a number of wireless networks are working without encryption; they simply had not enabled the WEP option. The authors did war driving and packet capturing in eight different sessions, of around 30 minutes average duration, from different locations. The captured packet files are mainly from different locations that include petrol stations, banks, financial institutions, shopping complexes, and government organizations. It is unfortunate that the headers of wireless packets can reveal some interesting information, as they are transmitted in the clear. Sniffing and getting such details on a wired network is not that easy. The wireless frames/packets captured were a combination of control frames, management frames, and data frames. Control and management frames were much more numerous than data frames. Some critical information captured included source, destination and BSSID (or AP) MAC addresses, source and destination node IP addresses, source and destination node open port numbers, checksum details, initialization vector (IV) values, and so forth. This information in itself is not very sensitive, but some of it can be used to launch attacks against a wireless LAN, especially DoS attacks. Encrypted packets showed signs of using a set of WEP keys (rather than one static key), and in some packets, the TKIP protocol was used.
Some data packets were captured that were not even encrypted. Even though some APs were using WEP-encrypted transmission with TKIP enabled, quite a number of unencrypted fragmented IEEE 802.11 data frames (with frame control type = 2, i.e., type = data frame) could still be collected. These can be used to get meaningful or sensitive information that can interest an intruder, if one uses appropriate tools and shows some patient effort. For example, EtherPEG and DriftNet are free programs (EtherPEG, 2005; DriftNet, 2005) that show all the image files, like JPEGs and GIFs, traversing the network. They work by capturing unencrypted TCP packets and grouping them by TCP connection (i.e., by source IP address, destination IP address, source TCP port, and destination TCP port). They then join or reassemble these packets in the right order based on the TCP sequence number, and look at the resulting data for byte patterns that show the existence of JPEG or GIF data. This is useful when one gets connected "illegally" to a wireless LAN.

Table 3. Details of captured packet files

    Packet file   Total     Unencrypted data   Average unencrypted data   Unencrypted data
    name          packets   packets (UDP)      packet size (bytes)        packets/sec
    pkt1.cap      32767     2532               1081.86                    3.31
    pkt2.cap      32767     7482               108.17                     2.42
    pkt3.cap      19321     1397               428.34                     1.05
    pkt4.cap      32767     1465               228.15                     0.45
    pkt5.cap      6073      2385               173.85                     1.30
    pkt6.cap      32767     3527               83.57                      4.71
    pkt7.cap      32768     1558               84.79                      1.13
    pkt8.cap      39607     2550               77.25                      1.81
    Merged file   228837    22896              241.08                     2.02
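The grouping-and-reassembly procedure just described, as an added example in Python (it is not EtherPEG or DriftNet code, nor the chapter's). The input is a constructed capture of plaintext TCP segments already reduced to (source IP, destination IP, source port, destination port, sequence number, payload) records, as a packet analyzer would export them. Segments arrive out of order and one is retransmitted, as happens on a real capture; the code groups them by connection, orders them by sequence number, trims overlaps, stops at a gap rather than splicing across it, and then scans the reassembled stream for JPEG and GIF signatures.

```python
"""Group plaintext TCP segments by connection, reassemble them, and carve image headers.

Added example (not from the chapter, not EtherPEG/DriftNet). The capture below is
constructed: two HTTP responses, one delivered out of order, one with a retransmission.
"""
from collections import defaultdict

JPEG_MAGIC = b"\xff\xd8\xff"             # SOI marker followed by the first segment marker
GIF_MAGICS = (b"GIF87a", b"GIF89a")

# (src_ip, dst_ip, src_port, dst_port, tcp_seq, payload) as an analyzer would export them
_JPEG_RESPONSE = (b"HTTP/1.0 200 OK\r\nContent-Type: image/jpeg\r\n\r\n"
                  + b"\xff\xd8\xff\xe0" + b"\x00" * 8 + b"\xff\xd9")
CAPTURE = [
    ("10.0.0.5", "10.0.0.9", 80, 51000, 1020, _JPEG_RESPONSE[20:45]),   # middle arrives first
    ("10.0.0.5", "10.0.0.9", 80, 51000, 1000, _JPEG_RESPONSE[:20]),
    ("10.0.0.5", "10.0.0.9", 80, 51000, 1045, _JPEG_RESPONSE[45:]),
    ("10.0.0.7", "10.0.0.9", 80, 51001, 5000, b"GIF89a\x01\x00\x01\x00"),
    ("10.0.0.7", "10.0.0.9", 80, 51001, 5000, b"GIF89a\x01\x00\x01\x00"),  # retransmitted copy
]


def group_by_connection(packets):
    """Bucket segments by the 4-tuple that identifies one direction of a TCP connection."""
    flows = defaultdict(list)
    for src, dst, sport, dport, seq, payload in packets:
        flows[(src, dst, sport, dport)].append((seq, payload))
    return flows


def reassemble(segments):
    """Concatenate segments in sequence-number order.

    Overlapping bytes (retransmissions) are dropped; a gap (a lost segment) ends the
    stream rather than splicing unrelated bytes together, which would produce false
    image hits."""
    data = bytearray()
    expected = None
    for seq, payload in sorted(segments):
        if expected is None:
            expected = seq
        if seq < expected:                    # overlap: keep only the bytes not yet seen
            payload = payload[expected - seq:]
            seq = expected
        if seq > expected:                    # gap: stop here
            break
        data += payload
        expected = seq + len(payload)
    return bytes(data)


def carve_images(stream):
    """Return sorted (offset, kind) pairs for every JPEG or GIF signature in a byte stream."""
    hits = []
    for kind, magics in (("jpeg", (JPEG_MAGIC,)), ("gif", GIF_MAGICS)):
        for magic in magics:
            off = stream.find(magic)
            while off != -1:
                hits.append((off, kind))
                off = stream.find(magic, off + 1)
    return sorted(hits)


def images_in_capture(packets):
    """Map each connection to the image signatures found in its reassembled payload."""
    return {flow: carve_images(reassemble(segs))
            for flow, segs in group_by_connection(packets).items()}


if __name__ == "__main__":
    for flow, hits in images_in_capture(CAPTURE).items():
        print(flow, hits)
```

Run against frames whose body is WEP- or TKIP-protected, the same code finds nothing, because the TCP header and payload are inside the encrypted frame body; it is only the unencrypted data frames counted in Table 3 that feed such a tool.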
Overall, 50 access points or peers in wireless networks without WEP encryption, and 21 access points or peers with WEP encryption, were located. It was similarly easy to connect even to an encrypted peer wireless network by typing in a random password; the PC or laptop thus connected was assigned an IP address. Packet analyzers like Ethereal (2005), Packetyzer (2005), and Link Ferret monitor software (Link Ferret, 2005) can be used for the detailed analysis of packets. Using filters, one can simply list out selected packets, and each of those packets can then be analyzed in detail.

Table 3 gives some statistical information on data frames/packets that are unencrypted, and Figure 7 shows the related graph. The captured packet files pkt1 to pkt8 are from seven different locations during different times (Issac, Jacob, & Mohammed, 2005).
The data frames considered for tabular analysis fall into the following categories or groups: Data (frame type 32), Data + CF-Acknowledgement (frame type 33), Data + CF-Poll (frame type 34), and Data + CF-Acknowledgement/Poll (frame type 35). These frame type numbers are the combined type/subtype values as Ethereal displays them (type × 16 + subtype; data frames have type 2, so their values start at 32). These data packets will be referred to as unencrypted data packets (UDP) from here on (not to be confused with the user datagram protocol). Data frame type 32 dominates the population. The sample considered for analysis consists of unencrypted data frames and unencrypted fragmented data frames, both containing visible data sections in hex format as viewed through Ethereal. The packet samples are only indicative, and they are not exhaustive.

Frames of the payload-less data subtypes, namely CF-Acknowledgement (no data, frame type 37), CF-Poll (no data, frame type 38) and CF-Acknowledgement + CF-Poll (no data, frame type 39), together with QoS Data (frame type 40) and QoS Null (no data, frame type 44), are not considered for tabular analysis, since they contain no data payload or no relevant data. From Table 3, one can see that the average number of unencrypted data packets per second is about 2, and the average unencrypted data packet size is around 241 bytes.
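Here is an added example in Python (not from the chapter) that decodes the two Frame Control bytes of a captured 802.11 frame into the combined type/subtype value used in the tables above, the data subtype name, the Protected (WEP/TKIP) flag and the More Fragments flag, and then counts how many frames in a capture are unencrypted data frames that actually carry a payload, which is the quantity Table 3 reports. The sample Frame Control values are constructed.

```python
"""Decode 802.11 Frame Control bytes and count unencrypted data frames with a payload.

Added example (not from the chapter). Frame Control is the first two bytes of every
802.11 frame, transmitted little-endian: byte 0 = version(2) | type(2) | subtype(4),
byte 1 = flags (ToDS, FromDS, MoreFrag, Retry, PwrMgmt, MoreData, Protected, Order).
"""
FRAME_TYPES = {0: "management", 1: "control", 2: "data", 3: "extension"}
DATA_SUBTYPES = {
    0: "Data", 1: "Data + CF-Ack", 2: "Data + CF-Poll", 3: "Data + CF-Ack + CF-Poll",
    4: "Null (no data)", 5: "CF-Ack (no data)", 6: "CF-Poll (no data)",
    7: "CF-Ack + CF-Poll (no data)", 8: "QoS Data", 9: "QoS Data + CF-Ack",
    10: "QoS Data + CF-Poll", 11: "QoS Data + CF-Ack + CF-Poll", 12: "QoS Null (no data)",
    14: "QoS CF-Poll (no data)", 15: "QoS CF-Ack + CF-Poll (no data)",
}
MORE_FRAGMENTS, PROTECTED = 0x04, 0x40       # bit masks within Frame Control by byte 1


def decode_frame_control(fc):
    """fc: the two Frame Control bytes as captured. Returns the decoded fields."""
    b0, b1 = fc[0], fc[1]
    ftype = (b0 >> 2) & 0x3
    subtype = (b0 >> 4) & 0xF
    info = {
        "type": FRAME_TYPES[ftype],
        "subtype": subtype,
        "combined": ftype * 16 + subtype,        # the 'frame type' number Ethereal displays
        "protected": bool(b1 & PROTECTED),       # WEP or TKIP applied to the frame body
        "more_fragments": bool(b1 & MORE_FRAGMENTS),
        # data subtypes with bit 2 set (4-7, 12, 14, 15) carry no frame body
        "carries_payload": ftype == 2 and not (subtype & 0x4),
    }
    if ftype == 2:
        info["subtype_name"] = DATA_SUBTYPES.get(subtype, "reserved")
    return info


def count_unencrypted_data(frames):
    """Summarize a list of Frame Control byte pairs the way Table 3 does."""
    summary = {"total": 0, "data_with_payload": 0, "unencrypted_data": 0}
    for fc in frames:
        d = decode_frame_control(fc)
        summary["total"] += 1
        if d["carries_payload"]:
            summary["data_with_payload"] += 1
            if not d["protected"]:
                summary["unencrypted_data"] += 1
    return summary


# Constructed Frame Control values, as the first two bytes of captured frames
SAMPLE_FRAMES = [
    b"\x80\x00",   # beacon (management, subtype 8)
    b"\x08\x42",   # data, FromDS, Protected
    b"\x08\x02",   # data, FromDS, in the clear
    b"\x08\x06",   # data fragment, FromDS, MoreFrag, in the clear
    b"\x48\x01",   # Null (no data), ToDS
    b"\x78\x02",   # CF-Ack + CF-Poll (no data)
    b"\x88\x41",   # QoS Data, Protected
    b"\xc8\x01",   # QoS Null (no data)
]

if __name__ == "__main__":
    for fc in SAMPLE_FRAMES:
        print(fc.hex(), decode_frame_control(fc))
    print(count_unencrypted_data(SAMPLE_FRAMES))
```

The Protected bit only tells you that the frame body was encrypted, not with what; distinguishing WEP from TKIP requires looking at the IV/Extended IV bytes that follow the MAC header, which is how the chapter's authors noticed TKIP in some captures.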
Figure 7. The graph showing the percentage of unencrypted data packets (UDP) captured from eight different sessions, based on Table 3.
Using conditional probability on the eight samples collected, the following is observed. Given an unencrypted packet, there is a 15% average chance that it is a data packet. Mathematically,

$$P_{\mathrm{avg}}(DP \mid UP) = \frac{P(DP \cap UP)}{P(UP)} = 0.15,$$

where DP is "data packet" and UP is "unencrypted packet". Grouping the captured packets based on the source company/organization yielded Table 4. The 95% confidence interval for the proportion of unencrypted data packets in each file was also calculated; the intervals in Table 4 are normal-approximation intervals, $p \pm 1.96\sqrt{p(1-p)/n}$, where $p$ is the proportion of unencrypted data packets and $n$ the total number of packets in the file. The results are quite revealing (Issac et al., 2005).
IEEE802.11B VULNERABILITIES AND OTHER ATTACKS
This section presents some vulnerabilities that are present in wireless networks. While most of these also apply to wired networks, they are particularly important in wireless networks, not only because the same risks are present, but also because the nature of wireless networks makes them more vulnerable than wired networks. The main focus will be on areas such as interception, impersonation, denial-of-service, theft-of-service, and the like.
Issues with Default Access Point Setup
Access points (APs) are like base stations: they are the non-mobile units that connect the wireless network to a wired network. They behave like a bridge or router. Usually, APs come from the manufacturer with a set of default configuration parameters. These default parameters need to be changed in line with the corporate security policies, or else the default setup may leave loopholes for attacks. For instance (depending on the manufacturer), most APs have a default administrator password, SSID, channel, authentication/encryption settings, SNMP read/write community strings, and so forth. Since these default values are available in user manuals, on vendors' websites, and in installation guides, they are well known to the general public and may be used by wireless hackers to compromise WLAN security. Some default SSIDs of different vendor products are shown in Table 5.

Table 4. Source of captured packets with confidence interval calculation

    Packet file   Type of company/organization             Confidence interval for the proportion
                                                           of unencrypted data packets
    pkt1.cap      Petrol station & private installations   (7.44%, 8.02%)
    pkt2.cap      Bank/financial institution               (22.38%, 23.29%)
    pkt3.cap      Petrol station                           (6.87%, 7.60%)
    pkt4.cap      Multistoried shopping complex            (4.25%, 4.70%)
    pkt5.cap      Bank/financial institution               (38.04%, 40.50%)
    pkt6.cap      Bank/financial institution               (10.43%, 11.10%)
    pkt7.cap      Government organization/office           (4.52%, 4.99%)
    pkt8.cap      Government organization/office           (7.49%, 8.07%)
A service set identifier (SSID) is a case-sensitive text string of up to 32 bytes that identifies the name of a wireless local area network (WLAN). All wireless devices on a WLAN must employ the same SSID in order to communicate with each other. The SSID can be set either manually, by entering the SSID into the client network settings, or automatically, by leaving the SSID unspecified or blank. A network administrator often uses a public SSID that is set on the access point and broadcast to all wireless devices in range. War drivers can scan for the SSIDs being broadcast by wireless LANs using software tools such as NetStumbler, Wellenreiter, and the like. Once they know the SSID, they set it on their client to attempt to join that WLAN. Disabling the SSID broadcast in Beacon frames does not hide the name, since clients still send it in the clear in probe and association requests. Knowing the SSID does not necessarily mean that rogue clients will be able to join the network, but it is part of the primary information required to carry out different forms of attack.
Default values used in an AP setup can also make it possible to reach the setup console of an access point with a Web browser or a Telnet program. This allows an attacker to modify the configuration of the access point. Unless the administrator creates a user ID and password for authenticating access to the AP's management console, the network is in deep trouble, with open access to the AP setup facility.
Rogue Access Point Installation
Easy access to wireless LANs is coupled with
easy deployment. Any user can purchase an
access point and connect it to the corporate net-
work without authorization. Rogue access points
deployed by end users pose great security risks.
Many end users are not security experts and may
not be aware of the risks posed by wireless LANs.
Table 5. Types of default SSID and their vendors

    Vendor                               Default SSID
    Cisco Aironet                        tsunami
    3Com AirConnect                      comcomcom
    Symbol Technologies                  101
    Compaq WL-100/200/300/400            Compaq
    D-Link DL-713                        WLAN
    SMC SMC2652W/SMC2526W                WLAN
    SMC SMC2682                          BRIDGE
    Intel Pro/Wireless 2011              intel