Performance evaluation of wireless security systems and AAA (RADIUS) protocols

Large wireless enterprise networks and wireless internet service providers use AAA (Authentication, Authorization and Accounting) protocols in combination with the IEEE wireless network security standards to manage their access networks. Depending on several factors (network delay, packet loss rate, …), the security and AAA operations may introduce delays that affect the overall quality of service. This is particularly true for VoIP users with high mobility: when handoffs become frequent, these delays translate into frequent service disruptions, which makes deploying real-time applications in wireless networks a tricky matter.

It is therefore essential for a wireless internet service provider, or for an institution deploying a large wireless access network, to constantly monitor and evaluate the performance of its AAA operations in order to guarantee a stable and reliable service.

In this series of articles, I explain a method for efficiently assessing the performance of the security infrastructure supporting your wireless network, using exclusively open source software, namely tshark, awk, bash, gnuplot and wpa_supplicant.

In the program

The next articles discuss the factors that may cause delays in wireless access networks in general. After going through the wireless handoff process, we will focus on the authentication process and see how its performance can be assessed with open-source tools. The result will be graphs like this one:

(Figure: CDF of authentication with EAP-PEAPv0)
This sample graph shows several cumulative distribution functions describing the overall performance of the authentication operations in the wireless access network (using the EAP-PEAPv0 authentication method) under different network conditions (different network RTTs in this example).

Throughout these articles, and for illustration purposes, I will assume we are a wireless internet service provider with roaming agreements with other ISPs in the same country and abroad. Our overall goal is to evaluate and estimate the user-perceived quality of service. The result of this evaluation will help us proactively take the necessary actions to guarantee the best QoS for our customers.

Wireless Network Access Control: An overview

Authentication refers to the process through which the service provider (in this case the wireless internet provider) establishes the identity of the client, and vice versa for mutual authentication. The authentication involves the use of EAP [RFC3741], the Extensible Authentication Protocol. EAP packets are exchanged between the wireless client and a back-end AAA server in order to verify the client's credentials (username/password, public key certificate, etc.). The AAA server that is able to validate the user's credentials is referred to as the home AAA server and is generally managed by the ISP the client belongs to. Since the AAA server is located in the back-end (behind the access points), the client cannot exchange EAP packets directly with it. For this reason, EAP specifies that the access points must act as a proxy for EAP exchanges between wireless clients and AAA servers: the access point receives EAP packets from the wireless client and forwards them to the back-end AAA server, and vice versa.

Figure 1. EAP authentication in wireless access networks

The figure above depicts the EAP authentication between a wireless station and the back-end Authentication server, based on public key certificates and the TLS protocol.

At the end of a successful EAP exchange, the wireless client and the Authentication server derive a session key. The session key is then transferred to the access point. The wireless client and the access point then perform a 4-way handshake to authenticate each other and derive keys for traffic encryption.

EAP packets are transported over the 802.11 link between the wireless client and the access point using 802.1X frames; this is part of the 802.11i specification. Between the access point and the back-end authentication server, on the other hand, EAP packets are transported over an AAA protocol, RADIUS in our study case. RADIUS itself is carried over UDP, which allows the authentication server to be located several IP hops away from the wireless edge.
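As an added example (not code from the original article) of the measurement this series builds towards: given EAPOL frames in the whitespace-separated column layout that tshark's `-T fields` mode produces, the awk/shell functions below time each station's EAP exchange from its first Request/Identity to the EAP-Success or EAP-Failure that ends it, then turn the successful ones into CDF points ready for gnuplot. The sample frames and station addresses are constructed, and the tshark field names in the comment are assumed rather than taken from the article.

```shell
#!/bin/sh
# Constructed sample (not a real capture): one line per EAPOL frame, columns
# time / station MAC / eap.code / eap.type, in the order tshark would emit for
#   -T fields -e frame.time_relative -e <station address> -e eap.code -e eap.type
# eap.code: 1=Request 2=Response 3=Success 4=Failure; eap.type 1=Identity.
# Success/Failure frames carry no eap.type, so their last column is empty.
SAMPLE='0.000 aa:aa:aa:aa:aa:01 1 1
0.012 aa:aa:aa:aa:aa:01 2 1
0.100 aa:aa:aa:aa:aa:02 1 1
0.200 aa:aa:aa:aa:aa:03 1 1
0.250 aa:aa:aa:aa:aa:01 1 25
0.480 aa:aa:aa:aa:aa:01 3
0.700 aa:aa:aa:aa:aa:03 4
1.300 aa:aa:aa:aa:aa:02 3
2.000 aa:aa:aa:aa:aa:04 1 1
2.300 aa:aa:aa:aa:aa:04 3
2.500 aa:aa:aa:aa:aa:05 1 1'

# auth_delays: stdin = frames as above; stdout = "station seconds outcome", one
# line per finished exchange, measured from the first EAP-Request/Identity the
# station received to the EAP-Success (ok) or EAP-Failure (fail) closing it.
# Retransmitted Identity requests do not restart the clock; stations whose
# exchange never finished are reported as incomplete so they are not silently lost.
auth_delays() {
  awk '
    $3 == 1 && $4 == 1 && !($2 in start) { start[$2] = $1; next }
    ($3 == 3 || $3 == 4) && ($2 in start) {
      printf "%s %.3f %s\n", $2, $1 - start[$2], ($3 == 3 ? "ok" : "fail")
      delete start[$2]
    }
    END { for (s in start) printf "%s NA incomplete\n", s }'
}

# auth_cdf: stdin = auth_delays output; stdout = "seconds fraction" points of
# the empirical CDF of successful authentications (plot with gnuplot "with steps").
auth_cdf() {
  awk '$3 == "ok" { print $2 }' | sort -n |
    awk '{ d[NR] = $1 } END { for (i = 1; i <= NR; i++) printf "%s %.4f\n", d[i], i / NR }'
}

# frac_within <seconds>: share of successful authentications completed within
# the given delay, read off the CDF of the constructed sample.
frac_within() {
  printf '%s\n' "$SAMPLE" | auth_delays | auth_cdf |
    awk -v t="$1" '$1 <= t { f = $2 } END { print (f == "" ? "0.0000" : f) }'
}
```

On a real capture, replace `printf '%s\n' "$SAMPLE"` with the tshark invocation and feed `auth_cdf` output straight to gnuplot; the per-RTT curves in the graph above come from repeating this over captures taken under each network condition.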
