Cisco CISCO1401 - 1401 Router - EN Software Manual page 124


Understanding Authentication Types
Chapter 10: Configuring Authentication Types. Cisco Aironet 1400 Series Wireless Bridges Software Configuration Guide, OL-4059-01, page 10-4.

When you enable EAP on your bridges, authentication to the network occurs in the sequence shown in Figure 10-3:

Figure 10-3 Sequence for EAP Authentication

Devices shown: Switch on LAN 1, Non-Root Bridge, Root Bridge, Authentication server.

1. Authentication request
2. Identity request
3. Username (Relay to server)
4. Authentication challenge (Relay to non-root bridge)
5. Authentication response (Relay to server)
6. Authentication success (Relay to non-root bridge)
7. Authentication challenge (Relay to server)
8. Authentication response (Relay to non-root bridge)
9. Authentication success (Relay to server)

In Steps 1 through 9 in Figure 10-3, a non-root bridge and a RADIUS server on the wired LAN use 802.1x and EAP to perform a mutual authentication through the root bridge. The RADIUS server sends an authentication challenge to the non-root bridge. The non-root bridge uses a one-way encryption of the user-supplied password to generate a response to the challenge and sends that response to the RADIUS server. Using information from its user database, the RADIUS server creates its own response and compares that to the response from the non-root bridge. When the RADIUS server authenticates the non-root bridge, the process repeats in reverse, and the non-root bridge authenticates the RADIUS server.

When mutual authentication is complete, the RADIUS server and the non-root bridge determine a WEP key that is unique to the non-root bridge and provides the non-root bridge with the appropriate level of network access, thereby approximating the level of security in a wired switched segment to an individual desktop. The non-root bridge loads this key and prepares to use it for the logon session.

During the logon session, the RADIUS server encrypts and sends the WEP key, called a session key, over the wired LAN to the root bridge. The root bridge encrypts its broadcast key with the session key and sends the encrypted broadcast key to the non-root bridge, which uses the session key to decrypt it. The non-root bridge and the root bridge activate WEP and use the session and broadcast WEP keys for all communications during the remainder of the session.

There is more than one type of EAP authentication, but the bridge behaves the same way for each type: it relays authentication messages from the wireless client device to the RADIUS server and from the RADIUS server to the wireless client device. See the "Assigning Authentication Types to an SSID" section on page 10-5 for instructions on setting up EAP on the bridge.
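The mutual challenge-response described above, as an added Python example that is not taken from the Cisco manual or the bridge software. The manual does not name the one-way function or the key derivation, so SHA-256 and HMAC are stand-ins, and the names `one_way`, `respond`, `relay`, `mutual_auth` and `USER_DB` are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def one_way(password: str) -> bytes:
    # Stand-in for the "one-way encryption of the user-supplied password";
    # the manual does not name the function, SHA-256 is an assumption here.
    return hashlib.sha256(password.encode()).digest()

def respond(pw_hash: bytes, challenge: bytes, role: bytes) -> bytes:
    # The response proves knowledge of pw_hash without sending it. The role
    # label keeps one side's response from being replayed as the other's.
    return hmac.new(pw_hash, role + challenge, hashlib.sha256).digest()

def relay(message: bytes) -> bytes:
    # Root bridge: forwards authentication messages unchanged in both directions.
    return message

def mutual_auth(username, typed_password, user_db, server_verifies=True):
    """Return the session key if both directions succeed, else None.

    user_db maps username -> one_way(password) on the server side.
    server_verifies=False models a server that accepts without checking.
    """
    typed = one_way(typed_password)               # non-root bridge side
    stored = user_db.get(username, bytes(32))     # server side

    # Server challenges the non-root bridge, then compares responses.
    srv_chal = relay(secrets.token_bytes(16))
    bridge_resp = relay(respond(typed, srv_chal, b"bridge"))
    expected = respond(stored, srv_chal, b"bridge")
    if server_verifies and not hmac.compare_digest(bridge_resp, expected):
        return None

    # The process repeats in reverse: the bridge challenges the server.
    br_chal = relay(secrets.token_bytes(16))
    srv_resp = relay(respond(stored, br_chal, b"server"))
    if not hmac.compare_digest(srv_resp, respond(typed, br_chal, b"server")):
        return None

    # Both ends can now compute the same key, unique to this logon session.
    material = b"session" + srv_chal + br_chal
    return hmac.new(typed, material, hashlib.sha256).digest()[:16]

# Constructed sample data, not taken from the manual.
USER_DB = {"bridge-7": one_way("correct horse")}
```

The reverse pass is what lets the non-root bridge refuse a server that accepts its response but cannot answer the bridge's own challenge.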
