Avaya AP-7 User Manual page 137

Avaya ap-7 access point: user guide

Authentication Process
There are three main components in the authentication process. The standard refers to them
as:
supplicant (client PC)
authenticator (Access Point)
authentication server (RADIUS server)
When the Security Mode is set to 802.1x Station, WPA Station, or 802.11i Station, you need to
configure your RADIUS server for authentication purposes.
Prior to successful authentication, an unauthenticated client PC cannot send any data traffic
through the AP device to other systems on the LAN. The AP inhibits all data traffic from a
particular client PC until the client PC is authenticated. Regardless of its authentication status, a
client PC can always exchange 802.1x messages in the clear with the AP (the client begins
encrypting data after it has been authenticated).
Figure 46: RADIUS Authentication Illustrated
The AP acts as a pass-through device to facilitate communications between the client PC and
the RADIUS server. The AP (2) and the client (1) exchange 802.1x messages using an EAPOL
(EAP Over LAN) protocol (A). Messages sent from the client station are encapsulated by the AP
and transmitted to the RADIUS (3) server using EAP extensions (B).
When the AP receives a reply EAP packet from the RADIUS server, it typically translates the
message back to the EAPOL format and forwards it to the client. Negotiations take place between the client
and the RADIUS server. After the client has been successfully authenticated, the client receives
an Encryption Key from the AP (if the EAP type supports automatic key distribution). The client
uses this key to encrypt data after it has been authenticated.
For 802.11a and 802.11b/g clients that communicate with an AP, each client receives its own
unique encryption key; this is known as Per User Per Session Encryption Keys.
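The relay step on links A and B, as an added example (not from the Avaya manual or the AP firmware): it unwraps an EAPOL frame and re-wraps the EAP packet in a RADIUS Access-Request using the EAP-Message and Message-Authenticator attributes of RFC 3579. The function names, the shared secret and the sample frame are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

EAPOL_EAP_PACKET = 0          # EAPOL packet type that carries an EAP packet
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1
RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80


def eapol_to_eap(frame: bytes) -> bytes:
    """Strip the 4-byte EAPOL header (link A) and return the EAP packet."""
    if len(frame) < 4 or frame[1] != EAPOL_EAP_PACKET:
        raise ValueError("not an EAPOL EAP-Packet frame")
    body_len = struct.unpack("!H", frame[2:4])[0]
    eap = frame[4:4 + body_len]
    if len(eap) != body_len or len(eap) < 4:
        raise ValueError("truncated EAPOL body")
    if struct.unpack("!H", eap[2:4])[0] != body_len:
        raise ValueError("EAP length does not match EAPOL body length")
    return eap


def attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value


def eap_to_radius(eap: bytes, secret: bytes, radius_id: int, req_auth: bytes) -> bytes:
    """Wrap an EAP packet in a RADIUS Access-Request (link B)."""
    attrs = b""
    if eap[0] == EAP_RESPONSE and len(eap) > 4 and eap[4] == EAP_TYPE_IDENTITY:
        attrs += attr(ATTR_USER_NAME, eap[5:])   # identity copied to User-Name
    # An attribute value holds at most 253 bytes, so long EAP packets are split.
    for i in range(0, len(eap), 253):
        attrs += attr(ATTR_EAP_MESSAGE, eap[i:i + 253])
    zeroed = attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    length = 20 + len(attrs) + len(zeroed)
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, radius_id, length) + req_auth
    # Message-Authenticator: HMAC-MD5 over the whole packet with the field zeroed.
    mac = hmac.new(secret, header + attrs + zeroed, hashlib.md5).digest()
    return header + attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


# Constructed sample: EAPOL frame carrying EAP-Response/Identity for "alice".
SAMPLE_EAP = struct.pack("!BBHB", EAP_RESPONSE, 7, 10, EAP_TYPE_IDENTITY) + b"alice"
SAMPLE_EAPOL = struct.pack("!BBH", 1, EAPOL_EAP_PACKET, len(SAMPLE_EAP)) + SAMPLE_EAP
SAMPLE_REQUEST = eap_to_radius(eapol_to_eap(SAMPLE_EAPOL), b"constructed-secret", 1, os.urandom(16))
```

The RADIUS server recomputes the same HMAC with its copy of the shared secret, which is how it detects an Access-Request that was altered between the AP and the server.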
Security Configuration
Issue 1 September 2004
133