EAPOL (4-way handshake)

5.4 Configure and verify wireless security features

CCNP Encore (350-401-ENCORE-v1.1)


What is EAPOL?

  • EAPOL stands for Extensible Authentication Protocol over LAN.
  • It’s part of 802.1X authentication and is used in wireless networks to securely connect a client (like a laptop or phone) to a Wi-Fi network.
  • The 4-way handshake is the process used to exchange encryption keys between the wireless client and the access point (AP).

Think of it as a secure method for the client and the AP to agree on how to encrypt their communication without someone eavesdropping.


Why is the 4-way handshake important?

  • It ensures that:
    1. Only clients that hold the correct key material (PSK or 802.1X credentials) can connect to the network.
    2. Encryption keys are never transmitted in plain text.
    3. The session is protected using WPA2 or WPA3 encryption (AES for WPA2, GCMP for WPA3).

Without the handshake, anyone could potentially connect to the network or intercept traffic.


How the 4-Way Handshake Works

The handshake happens after the client has been authenticated (usually through 802.1X or PSK).

Here’s the step-by-step process:

Step 1: AP sends a nonce (ANonce)

  • AP generates a random number called ANonce.
  • AP sends this to the client.
  • The nonce ensures that each session is unique, preventing replay attacks.

Step 2: Client generates its own nonce (SNonce) and computes the PTK

  • Client generates SNonce (its own random number).
  • Using ANonce, SNonce, the AP and client MAC addresses, and the shared key (PMK), the client calculates the Pairwise Transient Key (PTK).
    • PMK (Pairwise Master Key) comes from:
      • PSK in WPA/WPA2 Personal, or
      • 802.1X EAP authentication in Enterprise mode.
  • Client sends SNonce and a Message Integrity Code (MIC) back to the AP.
    • The MIC ensures the message isn’t tampered with.

Step 3: AP verifies MIC and sends the Group Temporal Key (GTK)

  • AP uses the SNonce and ANonce to calculate the PTK on its side.
  • It checks the MIC sent by the client.
    • If it’s correct, the AP knows the client also has the PMK.
  • AP sends the GTK to the client, encrypted with the PTK.
    • GTK is used for encrypting broadcast and multicast traffic.

Step 4: Client acknowledges

  • Client installs the PTK and GTK.
  • Sends an acknowledgment to the AP to complete the handshake.

At this point, the client and AP can securely exchange encrypted data.
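The following is an added illustration, not part of the original study note: it carries messages 1 and 2 of the handshake through in code, deriving the PMK from a PSK, computing the PTK on both sides from PMK + ANonce + SNonce + MAC addresses, and having the AP verify the client's MIC. The SSID, MAC addresses and message-2 body are constructed sample values; the PRF and MIC construction follow the 802.11i key-descriptor-version-2 (WPA2/AES) method.

```python
import hashlib
import hmac
import os

# Constructed sample values (hypothetical network, not real devices).
SSID = b"CorpWiFi"
AP_MAC = bytes.fromhex("0011223344aa")
CLIENT_MAC = bytes.fromhex("66778899bbcc")


def pmk_from_psk(passphrase: bytes, ssid: bytes) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, ssid, 4096, 32)


def prf384(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-384: concatenate HMAC-SHA1 blocks, keep the first 48 bytes."""
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(3)]
    return b"".join(blocks)[:48]


def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """PTK = PRF(PMK, "Pairwise key expansion", min/max MACs || min/max nonces)."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf384(pmk, b"Pairwise key expansion", data)
    # KCK signs handshake messages (the MIC), KEK wraps the GTK, TK encrypts unicast data.
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def mic(kck: bytes, eapol_body: bytes) -> bytes:
    """Key-descriptor version 2: HMAC-SHA1 over the frame (MIC field zeroed), truncated to 16 bytes."""
    return hmac.new(kck, eapol_body, hashlib.sha1).digest()[:16]


def run_handshake(client_passphrase: bytes, ap_passphrase: bytes) -> bool:
    """Messages 1 and 2 of the handshake; True if the AP accepts the client's MIC."""
    anonce = os.urandom(32)                                   # message 1: AP -> client
    snonce = os.urandom(32)                                   # client picks its own nonce
    client_ptk = derive_ptk(pmk_from_psk(client_passphrase, SSID), AP_MAC, CLIENT_MAC, anonce, snonce)
    msg2 = snonce + bytes(16)                                 # constructed body: SNonce + zeroed MIC field
    msg2_mic = mic(client_ptk["kck"], msg2)                   # message 2: client -> AP
    ap_ptk = derive_ptk(pmk_from_psk(ap_passphrase, SSID), AP_MAC, CLIENT_MAC, anonce, snonce)
    return hmac.compare_digest(mic(ap_ptk["kck"], msg2), msg2_mic)  # PMK itself never crossed the air


if __name__ == "__main__":
    print(run_handshake(b"correct horse", b"correct horse"))   # True: both sides hold the same PMK
    print(run_handshake(b"wrong key", b"correct horse"))       # False: MIC check fails at the AP
```

Because the nonces are fresh each time, two runs with the same passphrase produce different PTKs while both still verify, which is what makes each session key unique.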


Key Concepts You Must Remember for the Exam

  1. PMK (Pairwise Master Key):
    • Derived from the PSK or 802.1X authentication.
    • Never sent over the air.
  2. PTK (Pairwise Transient Key):
    • Generated from PMK + ANonce + SNonce + MAC addresses.
    • Used to encrypt unicast traffic between client and AP.
  3. GTK (Group Temporal Key):
    • Used to encrypt broadcast/multicast traffic.
  4. Nonces (ANonce and SNonce):
    • Random numbers to ensure session uniqueness.
  5. MIC (Message Integrity Code):
    • Ensures messages are not tampered with during the handshake.

Important Exam Points

  • The 4-way handshake is part of WPA/WPA2/WPA3 security.
  • Occurs after authentication but before full data transmission.
  • Produces the keys that encrypt both unicast traffic (PTK) and broadcast/multicast traffic (GTK).
  • Protects against replay attacks by using nonces.
  • PTK is unique for every session; it is never reused.
  • In Enterprise Wi-Fi, the PMK comes from 802.1X EAP authentication.
  • In Personal Wi-Fi, the PMK comes from the pre-shared key (PSK).

IT Example

  • Imagine a company Wi-Fi:
    • Laptop wants to join Wi-Fi.
    • Laptop and AP exchange nonces (ANonce and SNonce).
    • Both calculate the PTK without sending the key over the air.
    • AP securely sends GTK so the laptop can receive broadcast messages.
    • Handshake completes → encrypted data can flow securely.

All this ensures the network traffic is safe, and unauthorized devices cannot read it.


Summary Table for Exam

Step | Who sends | What is sent        | Purpose
-----|-----------|---------------------|---------------------------------------
1    | AP        | ANonce              | Initiate handshake, ensure randomness
2    | Client    | SNonce + MIC        | Generate PTK, prove it knows PMK
3    | AP        | Encrypted GTK + MIC | Send group key for broadcast/multicast
4    | Client    | ACK                 | Confirm PTK and GTK installed

Exam Tip:

  • Know the sequence: ANonce → SNonce → GTK → ACK
  • Know the difference between PMK, PTK, and GTK
  • Understand why the handshake exists: authentication + encryption key exchange
