"All the mathematical sciences are founded on relations between physical laws and laws of numbers, so that the aim of exact science is to reduce the problems of nature to the determination of quantities by operations with numbers."

James C. Maxwell

Given the above guidance from our great wireless pioneer,  James C. Maxwell , this app is created to help you to determine as best possible the " numbers" that could help describe the different facets of your network. It is with the hope that with enough of these numbers being obtained, WifiOptimizer can help you to have a better picture of your wireless network and how to optimize it for the best possible performance.

This help page is also aimed at arming you with a minimal understanding of the wireless network technology so that you can make a well guided network design choice whenever needed. A little bit of knowledge could go a long way so please come back to this help page often. That would help you to get familiar with the topics that effect your network. 

Quick Links

Function

Usage

WIFI Background

WIFI Security

Comment and Suggestion 

Function  

Here are the main functions of WifiOptimizer.

  • Measure and chart the Receive Signal Strength (RSSI) of the wireless routers in the network.
  • Scan the wireless network and identify all the wireless routers in the network. Email the scan result if necessary to help users to communicate their network information.
  • Calculate and chart the Radio Frequency (RF) interference for each channel in the network and select the best channel to use.
  • Sampling and chart the wireless traffic generated by the phone so that a user can see the transmit and receive throughput of the network.

    Usage

    You can access to each of the functions provided by WifiOptimizer through touching on the tab having the same name.

  • RSSI tab : this tab displays the RSSI chart. It shows the signal strength of each of the wireless router. Within the RSSI tab you can select to display either 2.4GHz channels (802.11b/g/n) or 5GHz channels (802.11a/n). If you enable GPS then you can select to display chart according to a location of interest from the location spinner. Figure 1 shows the RSSI chart. The strongest wireless router signals are arranged at the bottom of the chart from left to right.

    Figure 1: RSSI Chart

  • SCAN tab: this tab displays the network scan result. Its text display give you much more detailed information of the wireless routers in your neighborhood. You can choose the display to be "Brief" or "Verbo ". There is also an email button provided so that you can share this information with your colleagues.

    Figure 2: Network Scan Result

    RF tab : this tab displays the RF interference chart. It shows the amount of RF interference for each of the channels in your network. It also let you know which is the best channel for you to configure your wireless router to. 

    Figure 3: RF Channel Interference

    TRAFFIC tab : this tab displays the chart of WIFI traffic generated by your phone. It shows the amount of data sent and received by your phone. Using this feature you can see what is your network capable of sending and receiving in terms of instantaneous and average throughput.

    Figure 4: Transmit and Receive Throughput  

    WIFI Background

    The WIFI standard is also known as the IEEE 802.11 standard. It encompassed a large number of standards that govern enterprise and home wireless networking. Each different standard is assigned different letter suffix that cover everything from the transmission media and protocol, to standards for security aspects, quality of service and the like. They are listed here for reference and only the most popular ones will be worth of our discussion.

    Of these the standards that are most widely known are the network bearer standards, 802.11a, 802.11b, 802.11g and now 802.11n , which are the only ones that we needed to concern ourselves with.

    All the 802.11 Wi-Fi standards operate within the ISM (Industrial, Scientific and Medical) frequency bands. These are shared by a variety of other users, but no license is required for operation within these frequencies. This makes them ideal for a general system for widespread use.

    The first accepted 802.11 WLAN standard was 802.11b and 802.11a, then came 802.11g and finally 802.11n. Table 1 shows the different WIFI standards and their operating characteristics.

      802.11A 802.11B 802.11G 802.11N
    Date of standard approval July 1999 July 1999 June 2003 Oct 2009
    Maximum data rate (Mbps) 54 11 54 ~600
    Modulation OFDM CCK or DSSS CCK, DSSS, or OFDM CCK, DSSS, or OFDM
    RF Band (GHz) 5 2.4 2.4 2.4 or 5
    Number of spatial streams 1 1 1 1, 2, 3, or 4
    Channel width (MHz)
    20 20 20 20, or 40
    Table 1: Summary of major 802.11 Wi-Fi Standards

    Bandwidths of nominal 20 MHz are usually quoted, although the actual bandwidth allowed is generally 22 MHz.


    802.11a Operating Characteristics

    802.11a boasts an impressive performance. It is able to transfer data with raw data rates up to 54 Mbps, and has a good range, although not when operating at its full data rate.

    Although the use of OFDM for a mass produced systems such as 802.11a is more expensive, it offers many advantages. The use of OFDM provides a significant reduction in the problems of interference caused by multipath effects. The use of OFDM also ensures that there is efficient use of the radio spectrum.

     

    802.11b Operating Characteristics

    When transmitting data 802.11b uses the Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) technique that is defined for the 802.11 wireless transmission. Using this technique, when a node wants to make a transmission it listens for a clear channel and then transmits. It then listens for an acknowledgement and if it does not receive one it backs off a random amount of time, assuming another transmission caused interference, and then listens for a clear channel and then retransmits the data.

    Although 802.11b is specified to operate at a basic rate of 11 Mbps, the system monitors the signal quality. If the signal falls or interference levels rise, then it is possible for the system to adopt a slower data rate with more error correction that is more resilient. Under these conditions the system will first fall back to a rate of 5.5 Mbps, then 2, and finally 1 Mbps. This scheme is known as Adaptive rate Selection (ARS).

    Although the basic raw data rates for transmitting data seem very good, in reality the actual data rates achieved over a real time network are much smaller. Even under reasonably good radio conditions, i.e. good signal and low interference the maximum data rate that might be expected when the system uses TCP is about 5.9 Mbps. This results from a number of factors. One is the use of CSMA/CA where the system has to wait for clear times on a channel to transmit and another is associated with the use of TCP and the additional overhead required. If UDP is used rather than TCP then the data rate can increase to around 7.1 Mbps. So don't be surprise if your throughput seems to be much less compared to your wireless connection speed.

    802.11g Operating Characteristics

    Like 802.11b, its predecessor, 802.11g operates in the 2.4 GHz ISM band. It provides a maximum raw data throughput of 54 Mbps, although this translates to a real maximum throughput of just over 24 Mbps.

    Although the system is compatible with 802.11b, the presence of an 802.11b participant in a network significantly reduces the speed of a net. In fact it was compatibility issues that took up much of the working time of the IEEE 802.11g committee.

    A variety of modulation schemes can be sued by 802.11g. For speeds of 6, 9, 12, 18, 24, 36, 48, and 54 Mbps Orthogonal frequency Division Multiplexing (OFDM) is used, but for 5.5 and 11 Mbps it uses Complementary Code Keying (CCK), and then for 1 and 2 Mbps it uses DBPSK/DQPSK+DSSS.

    The maximum range that can be achieved by 802.11g devices is slightly greater than that of those using 802.11b, but the range at which the full 54 Mbps can be achieved is much shorter than the maximum range of an 802.11 device. Only when signal levels and interference levels are low can the maximum specified performance be achieved.

     

    802.11n Operating Characteristics

    Once Wi-Fi standards including 802.11a, 802.11b, and 802.11g were established, work commenced on looking at how the raw data speeds provided by Wi-Fi, 802.11 networks could be increased still further. The result was that in 2009 the standard was finally published.


    The idea behind the IEEE 802.11n standard was that it would be able to provide much better performance and be able to keep pace with the rapidly growing speeds provided by technologies such as Ethernet. The new 802.11n standard boasts an impressive performance of 248Mbps. The major innovations are summarized below:

    Use of MIMO in IEEE 802.11n: MIMO or Multiple Input Multiple Output is a technique that exploits multipath propagation. Normally when a signal is transmitted from A to B the signal will reach the receiving antenna via multiple paths, causing interference. MIMO uses this multipath propagation to increase the data rate by using a technique known as spatial division multiplexing. The data is split into a number of what are termed spatial streams and these are transmitted through separate antennas to corresponding antennas at the receiver. Doubling the number of spatial streams doubles the raw data rate, enabling a far greater utilization of the available bandwidth. The current 802.11n standard allows for up to four spatial streams.

    Antenna technology for 802.11n: For 802.11n, the antenna associated technologies have been significantly improved by the introduction of beam forming and diversity.

    Beam forming focuses the radio signals directly along the path for the receiving antenna to improve the range and overall performance. A higher signal level and better signal to noise ratio will mean that the full use can be made of the channel.

    Diversity uses the multiple antennas available and combines or selects the best subset from a larger number of antennas to obtain the optimum signal conditions. This can be achieved because there are often surplus antennas in a MIMO system. As 802.11n supports any number of antennas between one and four, it is possible that one device may have three antennas while another with which it is communicating will only have two. The supposedly surplus antenna can be used to provide diversity reception or transmission as appropriate.

    Backward compatibility switching: While 802.11n provides backward compatibility for devices in a net using earlier versions of 802.11, this adds a significant overhead to any exchanges, thereby reducing the data transfer capacity. To provide the maximum data transfer speeds when all devices in the net at to the 802.11n standard, the backwards compatibility feature can be removed. When earlier devices enter the net, the backward compatibility overhead and features are re-introduced. As with 802.11g, when earlier devices enter a net, the operation of the whole net is considerably slowed. Therefore operating a net in 802.11n only mode offers considerable advantages.

    802.11n Access Point operational modes

    In view of the features associated with backward compatibility, there are three modes in which an 802.11n wireless router can operate:

     

    802.11 2.4GHz Channels

    There is a total of fourteen channels defined for use by Wi-Fi 802.11 for the 2.4 GHz ISM band. Not all of the channels are allowed in all countries: 11 are allowed by the FCC and used in what is often termed the North American domain, and 13 are allowed in Europe where channels have been defined by ETSI. The WLAN / Wi-Fi channels are spaced 5 MHz apart (with the exception of a 12 MHz spacing between the last two channels).

    The 802.11 WLAN standards specify a bandwidth of 22 MHz and a 25 MHz channel separation, although nominal figures for the bandwidth of 20 MHz are often given. The 20 / 22 MHz bandwidth and channel separation of 5 MHz means that adjacent channels overlap and signals on adjacent channels will interfere with each other.

    The table given below provides the frequencies for the total of fourteen WLAN / Wi-Fi channels that are available around the globe. Not all of these WLAN / Wi-Fi channels are available for use in all countries.

    CHANNEL NUMBER LOWER FREQUENCY
    GHZ
    CENTER FREQUENCY
    GHZ
    UPPER FREQUENCY
    GHZ
    1 2401 2412 2423
    2 2404 2417 2428
    3 2411 2422 2433
    4 2416 2427 2438
    5 2421 2432 2443
    6 2426 2437 2448
    7 2431 2442 2453
    8 2436 2447 2458
    9 2441 2452 2463
    10 2451 2457 2468
    11 2451 2462 2473
    12 2456 2467 2478
    13 2461 2472 2483
    14 2473 2484 2495

    WiFi channel overlap and selection

    The channels used for WiFI are separated by 5 MHz in most cases but have a bandwidth of 22 MHz. As a result channels overlap and it can be seen that it is possible to find a maximum of three non-overlapping channels. Therefore if there are adjacent pieces of WLAN equipment that need to work on non-interfering channels, there is only a possibility of three. There are five combinations of available non overlapping channels are given below:

    Wi-Fi channels, how they overlap and sets that can be used together

    Wi-Fi Channel overlap and which ones can be used as sets.

    As some energy spreads out further outside the nominal bandwidth, if only two channels are used, then the further away from each other the better the performance.

    It is found that when interference exists, the throughput of the system is reduced. It therefore pays to reduce the levels of interference to improve the overall performance of the WLAN equipment.

     

    802.11a 5 GHz Channels

     802.11a originally had 12 channels (4 each spread across three bands, separated for indoor, indoor/outdoor, and outdoor usage (which nobody paid attention to anyway as far as I've ever seen)). Which ones you can use will still vary by country and/or regulatory agency. The table below shows the different 5GHz bands and the associated channels. Unlike 2.4GHz channels, 5GHz channels are non overlapping therefore interference from adjacent channel is not as severe as in the 2.4GHz band.

    BAND CHANNELS USES
    5.15GHz to 5.35GHz 8 channels (36, 40, 44, 48, 52, 56, 60, 64) Band is common between US and Europe
    5.47GHz to 5.725GHz 11 channels (100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140) Band is common between US and Europe
    5.725GHz to 5.85GHz 5 channels (149, 153, 157, 161, 165) Band available in US, Canada, China but not Europe

    802.11 Spectrum and RF interference

    In any radio frequency system it is not possible to confine all the energy to a specific bandwidth. Some energy will always be present beyond the bandwidth provided. Instead bandwidths are defined in terms of a spectral mask and the output from any transmitters must fall within the levels defined by the mask.

    The 802.11 transmissions have a spectral mask defined as the energy from the transmitter will extend beyond the 22 MHz Wi-Fi channels allocated (i.e. +/- 11 MHz from fc the centre frequency). The spectral mask defines the maximum levels that may emanate from the transmitter over a given spectrum.

    At 11 MHz from the centre of the channel, the energy must be 30 dB lower than the maximum signal level, and at 22 MHz away, the energy must be 50 dB below the maximum level. Further away from the centre frequency, the energy levels fall further but some energy is still present and could result in interference on some channels.

     

     

    Spectral Mask for 2.4GHz and 5.0GHz channels


    WIFI Security 

     

    If you have worked with data security before, may be you would agree that this is the most complex and confusing field that mankind had created. Although the underlying mechanism is mathematically elegant, engineers have came up with too many algorithms, too many procedures and obscure jargons that obfuscate even the most beautiful things in the world. So please take it slowly and have plenty of drinks as you try to go through this section.

    Wi-Fi security is defined under IEEE802.11i and popular systems such as WEP, WPA and WPA2 are widely used at home and at work.

    Wi-Fi routers advertise their presence by periodically sending out a beacon signal that contains the SSID. This allows prospective users to identify the wireless router and to try to connect to it.

    Once detected, it is possible to try to connect to the wireless router, and the Wi-Fi authentication procedure starts. To achieve access, a secret key is generally required.

    Since the introduction of Wi-Fi a variety of keys have been used:

    WEP - Wired-Equivalent Privacy key

    The aim for this key was to make wireless networks such as Wi-Fi as safe as wired communications. Unfortunately this form of security did not live up to its name because it was soon hacked, and now there are many open source applications that can easily break into it in a matter of seconds.

    In terms of its operation, the Wi-Fi WEP key uses a clear text message sent from the client. This is then encrypted and returned using a pre-shared key.

    A WEP comes in different key sizes. The common key lengths are normally 40 or 128 bits.

    The security of the WEP system is seriously flawed. Primarily it does not address the issue of key management and this is a primary consideration to any security system. Normally keys are distributed manually or via another secure route. The Wi-Fi WEP system uses shared keys - i.e. the wireless router uses the same key for all clients, and therefore this means that if the key is accessed then all users are compromised. It only takes listening to the returned authentication frames to be able to determine the key.

    Still Wi-Fi WEP is better than nothing because not all people listening to a Wi-Fi wireless router will be hackers. It is still widely used and provides some level of security.

     

    WPA Wi-Fi Protected Access

    In order to provide a workable improvement to the flawed WEP system, the WPA access methodology was created to replace the WEP protocol.

    One of the key elements of the WPA scheme is the use of the TKIP - Temporal Key Integrity Protocol. TKIP is part of the IEEE802.11i standard and operates by performing per-packet key mixing with re-keying.

    In addition to this the WPA, Wi-Fi Protected Access scheme also provides optional support for AES-CCMP algorithm. This provides a significantly improved level of security.


     

    WPA2 / WPAv2

    The WPA2 scheme has now superseded WPA. It implements the mandatory elements of IEEE 802.11i. In particular, it introduces CCMP, a new AES-based encryption mode with strong security.

    Certification for WPA2 began in September, 2004 and now it is mandatory for all new devices that bear the Wi-Fi trademark.

     

    In summary you should never leave your network open. You should use only WPA2 and forget about other encryption methods like WEP or WPA whenever possible.

     

    Preshared Key Versus Server Based 802.1x Authentication

    The keys for the authentication algorithms (WEP,WPA, or WPA2) that run between the wireless client and the wireless router can be obtained in one of two ways:

    1. it is manually entered into the client and the wireless router by the user. This method is also known as pre-shared key (PSK).

    2. it is distributed to the wireless client and the wireless router dynamically from an authentication server using the 802.1x protocol.

    For home and many small offices, a pre-shared key (PSK) may be used as it is fairly fast and simple to configure. When using PSK, the whole 802.1X authentication process is eliminated. If you configure a PSK for WPA then it is often called "WPA Personal" (WPA-PSK).

    For a larger office, especially in the enterprise, it is preferable to use server based authentication method. 802.1x is the security protocol that enable remote authentication. A WPA configuration using server based key management is often called "WPA Enterprise".

     

    Details of 802.1x Authentication

    The main parts of 802.1x Authentication are:

    In a wireless network, 802.1x is used by an wireless router to implement WPA. In order to connect to the wireless router, a wireless client must first be authenticated using WPA. Being a door man, all that the wireless router does is to pass the authentication information between the client and the authentication server - the boss. The authentication server handles the actual verification of the client's credentials. This lets 802.1x support many authentication methods, from simple user name and password, to hardware token, challenge and response, and digital certificates.

    802.1x uses EAP (Extensible Authentication Protocol) to facilitate communication from the supplicant to the authenticator and from the authenticator to the authentication server.

    This diagram shows the steps of 802.1x and EAP used in authenticating a supplicant:

    Image

    EAP supports various authentication methods. As a user seeking authentication, you just need to use a method supported by the authentication server. As an administrator, you need to select which methods your server will use.

    1. EAP-TLS is widely supported. It uses PKI (e.g., a digital certificate) to authenticate the supplicant and authentication server. This method may provide you with the best security possible but it is costly because you would have to obtain a digital certificate for the authentication server and each of the clients in your network. At the cost of around $300 per server and $60 per client per year, this is a very costly security method. Use it only if you work for the government and money is no object. 
    2. EAP-MD5 uses standard user name and password. The supplicant's password is hashed with MD5 and the hash value is being used to authenticate the supplicant.
    3. LEAP is Cisco's Lightweight EAP, and works mainly with Cisco products. It also uses MD5 hash, but both the supplicant and authentication server are authenticated. Do not use this method as it is well known to have a huge security problem.
    4. EAP-TTLS uses PKI to authenticate the authentication server. However, it supports a different set of authenticate methods (e.g. CHAP, PAP, MS-CHAP v2) to authenticate the supplicant.
    5. PEAP (Protected EAP) uses PKI to authenticate the authentication server. It supports any type of EAP to authenticate the supplicant including certificate. This may be the best compromise for good security at minimal expense. Since only the server need to have a certificate the cost suddenly become more manageable. You can also create a free self-signed certificate for the authentication server and thus don't have to spend any money.

    Key Management

    Key management describes the handshake for generating and exchanging data encryption keys between the authentication server (i.e., the boss) and the client. See Figure 5.

     

    Figure 5: Key management and distribution in 802.11i.

    1. When the client and Authentication Server (AS) authenticate, one of the last messages sent from AS, given that authentication was successful, is a Master Key(MK). After it has been sent, the MK is known only to the client and the AS. The MK is bound to this session between the Client and the AS.

    2. Both the Client and the AS derive a new key, called the Pairwise Master Key (PMK), from the Master Key.

    3. The PMK is then moved from the AS to the wireless router. Only the client and the AS can derive the PMK, else the wireless router could make access-control decisions instead of the AS. The PMK is a fresh symmetric key bound to this session between the client and the wireless router.

    4. PMK and a 4-way handshake are used between the client and the wireless router to derive, bind, and verify a Pairwise Transient Key (PTK). The PTK is a collection of operational keys:

      • Key Confirmation Key (KCK), as the name implies, is used to prove the posession of the PMK and to bind the PMK to the wireless router.

      • Key Encryption Key (KEK) is used to distributed the Group Transient Key (GTK). Described below.

      • Temporal Key 1 & 2 (TK1/TK2) are used for encryption. Usage of TK1 and TK2 is ciphersuite-specific.

      See figure for a overview of the Pairwise Key Hierarchy.

    5. The KEK and a 4-way group handshake are then used to send the Group Transient Key (GTK) from the wireless router to the client. The GTK is a shared key among all clients connected to the same wireless router, and is used to secure multicast/broadcast traffic.

    Figure PKH: Pairwise Key Hierarchy


    Overview of TLS-Protected EAP Methods

    The EAP-TLS authentication method and the TLS protected EAP methods based on it - EAP-TTLS and EAP-PEAP - all make use of the Transport Layer Security (TLS) protocol to provide integrity and confidentiality protection.

    The underlying TLS protocol is based on the Secure Sockets Layer (SSL) protocol commonly used by web browsers to secure web transactions.  Using public key cryptography, communicating parties may authenticate themselves to each other using public key certificates.  In web applications, only the server typically has a certificate and authenticates itself to the client so that the user can have confidence that his communication has not been redirected or intercepted by an imposter.  In this case, TLS provides unidirectional authentication.  But if both parties have certificates, TLS can provide mutual authentication.  Following the authentication phase, the two parties use a key agreement protocol such as Diffie-Hellman to derive a session key which is used to authenticate and encrypt messages exchanged during the TLS session.

    EAP-TLS

    EAP-TLS uses the TLS public key certificate authentication mechanism within EAP to provide mutual authentication of client to server and server to client.  With EAP-TLS, both the client and the server must be assigned a digital certificate signed by a Certificate Authority (CA) that they both trust.
    Features of EAP-TLS include:

    • Mutual authentication (server to client as well as client to server)
    • Key exchange (to establish dynamic WEP or TKIP keys)
    • Fragmentation and reassembly (of very long EAP messages, if needed)
    • Fast reconnect (via TLS session resumption) - not currently supported by Interlink
    EAP-TTLS
  • The Tunneled TLS EAP method (EAP-TTLS) is very similar to EAP-PEAP in the way that it works and the features that it provides.  The difference is that instead of encapsulating EAP messages within TLS, the TLS payload of EAP-TTLS messages consists of a sequence of attributes.  By including a RADIUS EAP-Message attribute in the payload, EAP-TTLS can be made to provide the same functionality as EAP-PEAP.  If, however, a RADIUS Password or CHAP-Password attribute is encapsulated, EAP-TTLS can protect the legacy authentication mechanisms of RADIUS. 

    The advantage of this becomes apparent if the EAP-TTLS server is used as a proxy to mediate between an access point and a legacy home RADIUS server.  When the EAP-TTLS server forwards RADIUS messages to the home RADIUS server, it encapsulates the attributes protected by EAP-TTLS and inserts them directly into the forwarded message.  The EAP-TTLS messages are not forwarded to the home RADIUS server.  Thus the legacy authentication mechanisms supported by existing RADIUS severs in the infrastructure can be protected for transmission over wireless LANs.

    EAP-PEAP

    We shall devote a bit of time describing the EAP-PEAP in a little more details because as we have mentioned before, it offers the best compromise for security and cost of implementation.

    Protected EAP (PEAP) adds a TLS layer on top of EAP in the same way as EAP-TLS, but it then uses the resulting TLS session as a carrier to protect other, legacy EAP methods.

    The PEAP protocol has two phases. The first phase is to establish a secure tunnel using the EAP-TLS with server authentication. The second phase implements the client authentication based on EAP methods.

    PEAP Phase 1

    Like in regular EAP negotiation, the phase 1 starts when the wireless router sends an EAP-Request/Identity message. Unlike regular EAP where the Client replies with an EAP-Response/Identity message, in PEAP, the client can reply with an anonyous identity, for example user@anonyous.com. The client's real identity is sent in phase 2. It is likely that the client can send its identity partly like user@company_name.com, so that the wireless router can choose a proper authentication server based on company name.

    After the client EAP-Response/Identity is forwarded to the Authentication Server using RADIUS by the wireless router, the EAP-TLS starts. The process is same as SSL Connection Setup.

    The EAP server becomes aware of the client when it receives RADIUS Access Request message forwarded by the wireless router. The server sends an empty EAP-TLS request with the Start flag set and Type field set to 25 (PEAP); EAP-TLS uses Type=13. Only this message has the Start flag set. The client sends a Client-Hello message containing all the ciphersuites it supports including a Client-Random ID with Session ID set to 0.

    The server replies with a Server-Hello message containing a Server-Random ID, a Session ID and the agreed ciphersuite. The server also sends a Certificate including its public key in a Server Certificate message. It can request a client Certificate from the Client. This is followed by a Server Hello Done message and waits for the client to take the next step.

    The client in response sends a Client Key Exchange message after computing the pre_master secret. The client generates a random number (48 bytes) which is called the pre-master secret, encrypts it using server's public key and sends to the server. Only the server can decrypt this message as it holds the Private key. Both, client and server, now have the pre-master secret.

    The client and the server now generate the Master Session Key (MSK) from the Client-Random ID, Server-RAndom ID and the pre_master secret.

    Finally, the server sends an EAP-Success message to complete the EAP Handshake.

    PEAP Phase 2

    Phase 2 begins with an EAP server sending an (optional) EAP-Request/Identity message to the client, protected by the TLS ciphersuite negotiated in phase 1. The client responds with an EAP-Response/Identity message containing its user-id.

    The server will then select an authentication method (aka EAP Type like EAP-MD5, EAP-TLS or EAP-MSCHAPv2, etc) for the client, and will send an EAP-Request message with the proposed authentication method. The client can reply with a NAK or accept the authentication method. EAP methods are always encapsulated within EAP Payload TLV.

    Before completing negotiation of EAP method, the client and the server must use Crypto Binding TLV. The success or failure of EAP method negotiation is done using EAP Result TLV.

    The client and the server now derive the Extended Master Session Key (EMSK) and subsequently the Compound Session Key (CSK). The CSK is 128 bytes which is concatenation of MSK and EMSK. Then the server sends its CSK and the EAP Success message to the wireless router.

    The client can then send data to the wireless router using the derived CSK.

    RADIUS EAP-TTLS, EAP-PEAP, 802.1X

    Figure 1 - EAP-PEAP Authentication

     

    Comment and Suggestion 

    Please report any problems by mail to  polyglotzmobile@gmail.com . Emailing is more helpful for me than reporting them on the market. I am always looking for ways to improve the application so I will study all of your comments and I'll try to work them into the application in the later releases. My aim is to make WifiOptimizer a helpful trouble shooting tool, easy to use so I would appreciate all your suggestions.

    Thank you for using Wifi Optimizer.

    I appreciate any donation to help fund this work. Thank you.