Radius Operation - Cisco C3201FESMIC-TP= - 3201 Fast EN Switch Mobile Interface Card Expansion Module Software Configuration Manual


Configuring and Enabling RADIUS

RADIUS Operation

When a non-root bridge attempts to authenticate to a bridge whose access is controlled by a RADIUS server, authentication to the network occurs in the steps shown in Figure 1.

Figure 1    Sequence for EAP Authentication
Devices shown: switch on LAN 1, non-root bridge, root bridge, authentication server.
1. Authentication request
2. Identity request
3. Username (relay to server)
4. Authentication challenge (relay to non-root bridge)
5. Authentication response (relay to server)
6. Authentication success (relay to non-root bridge)
7. Authentication challenge (relay to server)
8. Authentication response (relay to non-root bridge)
9. Authentication success (relay to server)

In Figure 1, a non-root bridge and a RADIUS server on the wired LAN use 802.1x and EAP to perform a mutual authentication through the root device. The RADIUS server sends an authentication challenge to the non-root bridge. The non-root bridge uses a one-way encryption of the user-supplied password to generate a response to the challenge and sends that response to the RADIUS server. Using information from its user database, the RADIUS server creates its own response and compares that to the response from the non-root bridge. When the RADIUS server authenticates the non-root bridge, the process repeats in reverse, and the non-root bridge authenticates the RADIUS server.

When mutual authentication is complete, the RADIUS server and the non-root bridge determine a WEP key that is unique to the non-root bridge and that provides the non-root bridge with the appropriate level of network access, thereby approximating the level of security in a wired switched segment to an individual desktop. The non-root bridge loads this key and prepares to use it for the logon session.

During the logon session, the RADIUS server encrypts and sends the WEP key, called a session key, over the wired LAN to the root device. The root device encrypts its broadcast key with the session key and sends the encrypted broadcast key to the non-root bridge, which uses the session key to decrypt it. The non-root bridge and the root device activate WEP and use the session and broadcast WEP keys for all communications during the remainder of the session.

There is more than one type of EAP authentication, but the root device behaves the same way for each type: it relays authentication messages from the non-root bridge to the RADIUS server and from the RADIUS server to the non-root bridge. See the "Authentication Types" section for instructions on setting up authentication using a RADIUS server.

Cisco 3200 Series Wireless MIC Software Configuration Guide
Administering the WMIC
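The mutual challenge-response in steps 4 to 9 can be traced with the following added example, which is not code from the Cisco guide. It assumes HMAC-SHA-256 as a stand-in for the unspecified one-way function and an assumed session-key derivation; the names Party, authenticate and server_checks_reply are hypothetical.

```python
import hashlib, hmac, os

def one_way(password):
    # Stand-in (assumption) for the "one-way encryption" of the password.
    return hashlib.sha256(password.encode()).digest()

class Party:
    """One end of the exchange: the non-root bridge or the RADIUS server."""
    def __init__(self, password):
        self.secret = one_way(password)
        self.sent = b""
    def challenge(self):
        self.sent = os.urandom(16)   # fresh per attempt, so old replies cannot be reused
        return self.sent
    def respond(self, challenge):
        return hmac.new(self.secret, challenge, hashlib.sha256).digest()
    def verify(self, reply):
        # Build our own response from our copy of the secret and compare.
        return hmac.compare_digest(reply, self.respond(self.sent))
    def session_key(self, c1, c2):
        # Assumed derivation: 104-bit key bound to both challenges of this session.
        return self.respond(b"session" + c1 + c2)[:13]

def authenticate(bridge_password, server_db_password, server_checks_reply=True):
    """Run steps 4-9 of Figure 1; returns (bridge_key, server_key, relayed)."""
    bridge, server = Party(bridge_password), Party(server_db_password)
    relayed = []                     # everything the root device forwards
    def relay(step, payload):        # the root device only passes messages on
        relayed.append((step, payload))
        return payload
    c_srv = relay("4. challenge to non-root bridge", server.challenge())
    reply = relay("5. response to server", bridge.respond(c_srv))
    if server_checks_reply and not server.verify(reply):
        return None, None, relayed   # server rejects the bridge
    relay("6. success to non-root bridge", b"success")
    c_br = relay("7. challenge to server", bridge.challenge())
    reply = relay("8. response to non-root bridge", server.respond(c_br))
    if not bridge.verify(reply):
        return None, None, relayed   # bridge rejects the server
    relay("9. success to server", b"success")
    return bridge.session_key(c_srv, c_br), server.session_key(c_srv, c_br), relayed

if __name__ == "__main__":
    k_bridge, k_server, relayed = authenticate("s3cret", "s3cret")  # constructed password
    print("keys match:", k_bridge == k_server)
    for step, _ in relayed:
        print(step)
```

Setting server_checks_reply=False models a server that accepts any bridge but does not hold the password; the run then stops at step 8, which is what the reverse half of the exchange is for.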
