Configuring Radius - Cisco M10-RM Software Manual

Cisco IOS Releases 12.4(10b)JA and 12.3(8)JEC

Chapter 13
Configuring RADIUS and TACACS+ Servers
Configuring and Enabling RADIUS
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points, OL-14209-01

Figure 13-1: Sequence for EAP Authentication. Participants: client device, access point or bridge, and RADIUS server on the wired LAN.

1. Authentication request
2. Identity request
3. Username (relay to server)
4. Authentication challenge (relay to client)
5. Authentication response (relay to server)
6. Authentication success (relay to client)
7. Authentication challenge (relay to server)
8. Authentication response (relay to client)
9. Successful authentication (relay to server)

In Steps 1 through 9 in Figure 13-1, a wireless client device and a RADIUS server on the wired LAN use 802.1x and EAP to perform a mutual authentication through the access point. The RADIUS server sends an authentication challenge to the client. The client uses a one-way encryption of the user-supplied password to generate a response to the challenge and sends that response to the RADIUS server. Using information from its user database, the RADIUS server creates its own response and compares that to the response from the client. When the RADIUS server authenticates the client, the process repeats in reverse, and the client authenticates the RADIUS server.

When mutual authentication is complete, the RADIUS server and the client determine a WEP key that is unique to the client and provides the client with the appropriate level of network access, thereby approximating the level of security in a wired switched segment to an individual desktop. The client loads this key and prepares to use it for the logon session.

During the logon session, the RADIUS server encrypts and sends the WEP key, called a session key, over the wired LAN to the access point. The access point encrypts its broadcast key with the session key and sends the encrypted broadcast key to the client, which uses the session key to decrypt it. The client and access point activate WEP and use the session and broadcast WEP keys for all communications during the remainder of the session.

There is more than one type of EAP authentication, but the access point behaves the same way for each type: it relays authentication messages from the wireless client device to the RADIUS server and from the RADIUS server to the wireless client device. See the "Assigning Authentication Types to an SSID" section on page 11-10 for instructions on setting up client authentication using a RADIUS server.

Configuring RADIUS

This section describes how to configure your access point to support RADIUS. At a minimum, you must identify the host or hosts that run the RADIUS server software and define the method lists for RADIUS authentication. You can optionally define method lists for RADIUS authorization and accounting.
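The mutual challenge-response of Steps 4 through 9 in Figure 13-1, modelled as an added example that is not taken from the Cisco guide. HMAC-SHA-256 stands in for the unspecified "one-way encryption" of the password, and the names `Party`, `relay`, `mutual_auth` and the session-key derivation are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def one_way(password: str, challenge: bytes) -> bytes:
    # Stand-in (assumption) for the "one-way encryption of the user-supplied password".
    return hmac.new(password.encode(), challenge, hashlib.sha256).digest()

class Party:
    """Client or RADIUS server. Holds the password and never transmits it."""
    def __init__(self, password: str):
        self.password = password
        self.sent = b""
    def challenge(self) -> bytes:
        self.sent = os.urandom(16)   # fresh per attempt, so an old response cannot be replayed
        return self.sent
    def answer(self, challenge: bytes) -> bytes:
        return one_way(self.password, challenge)
    def verify(self, resp: bytes) -> bool:
        # Build our own response and compare it in constant time.
        return hmac.compare_digest(resp, one_way(self.password, self.sent))
    def session_key(self, c1: bytes, c2: bytes) -> bytes:
        # Assumed derivation; 13 bytes is the 104-bit WEP key length.
        return one_way(self.password, b"session" + c1 + c2)[:13]

def relay(msg: bytes, log: list, label: str) -> bytes:
    """Access point role: forward the EAP message unchanged."""
    log.append(label)
    return msg

def mutual_auth(client: Party, server: Party):
    """Steps 4-9 of Figure 13-1. Returns (ok, client_key, server_key, log)."""
    log = []
    c1 = relay(server.challenge(), log, "4 challenge -> client")
    r1 = relay(client.answer(c1), log, "5 response -> server")
    if not server.verify(r1):
        return False, None, None, log    # server rejects the client
    log.append("6 success -> client")
    c2 = relay(client.challenge(), log, "7 challenge -> server")
    r2 = relay(server.answer(c2), log, "8 response -> client")
    if not client.verify(r2):
        return False, None, None, log    # client rejects the server
    log.append("9 successful authentication")
    return True, client.session_key(c1, c2), server.session_key(c1, c2), log

if __name__ == "__main__":
    # Constructed sample password, shared by the client and the server's user database.
    ok, ck, sk, log = mutual_auth(Party("s3cret-constructed"), Party("s3cret-constructed"))
    print(ok, ck == sk, *log, sep="\n")
```

The second half of the exchange is what stops a client from accepting a server that does not know the password: the run ends at step 8 and no session key is produced.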


This manual is also suitable for:

Aironet series