Cisco Aironet 1100 Series Installation And Configuration Manual page 139

Chapter 11
Configuring RADIUS Servers
Cisco Aironet 1100 Series Access Point Installation and Configuration Guide, OL-2851-01, page 11-3

RADIUS Operation

Figure 11-1 Sequence for EAP Authentication
[Figure: message sequence between the client device, the access point or bridge, and the server on the wired LAN. 1. Authentication request; 2. Identity request; 3. Username (relay to server); 4. Authentication challenge (relay to client); 5. Authentication response (relay to server); 6. Authentication success (relay to client); 7. Authentication challenge (relay to server); 8. Authentication response (relay to client); 9. Successful authentication (relay to server)]

In steps 1 through 9 in Figure 11-1, a wireless client device and a RADIUS server on the wired LAN use 802.1x and EAP to perform a mutual authentication through the access point. The RADIUS server sends an authentication challenge to the client. The client uses a one-way encryption of the user-supplied password to generate a response to the challenge and sends that response to the RADIUS server. Using information from its user database, the RADIUS server creates its own response and compares that to the response from the client. When the RADIUS server authenticates the client, the process repeats in reverse, and the client authenticates the RADIUS server.

When mutual authentication is complete, the RADIUS server and the client determine a WEP key that is unique to the client and provides the client with the appropriate level of network access, thereby approximating the level of security in a wired switched segment to an individual desktop. The client loads this key and prepares to use it for the logon session.

During the logon session, the RADIUS server encrypts and sends the WEP key, called a session key, over the wired LAN to the access point. The access point encrypts its broadcast key with the session key and sends the encrypted broadcast key to the client, which uses the session key to decrypt it. The client and access point activate WEP and use the session and broadcast WEP keys for all communications during the remainder of the session.

There is more than one type of EAP authentication, but the access point behaves the same way for each type: it relays authentication messages from the wireless client device to the RADIUS server and from the RADIUS server to the wireless client device. See the "Assigning Authentication Types to an SSID" section on page 10-6 for instructions on setting up client authentication using a RADIUS server.
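The exchange described above, modeled as an added example that is not taken from the Cisco guide: both sides prove knowledge of the hashed password without sending it, and a server that cannot answer the client's challenge is rejected. SHA-256/HMAC, the XOR key wrap, the 13-byte key length and all names (RadiusServer, eap_logon, relay) are assumptions standing in for the EAP type and WEP encryption actually used.

```python
import hashlib, hmac, os

def one_way(password):            # stand-in for the one-way function of the password
    return hashlib.sha256(password.encode()).digest()

def respond(secret, challenge):   # response to a challenge, keyed by the hashed password
    return hmac.new(secret, challenge, hashlib.sha256).digest()

def wrap(key, data):              # toy XOR wrap (self-inverse), NOT WEP/RC4
    pad = hmac.new(key, b"wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, pad))

class RadiusServer:               # hypothetical model of the server's user database
    def __init__(self, users, rogue=False):
        self.db = {u: one_way(p) for u, p in users.items()}
        self.rogue = rogue        # a rogue server accepts any client response
    def secret(self, user):
        return self.db.get(user, b"\x00" * 32)
    def check(self, user, chal, resp):
        return self.rogue or hmac.compare_digest(resp, respond(self.secret(user), chal))

def relay(msg):                   # the access point only forwards EAP messages
    return msg

def eap_logon(user, password, server, broadcast_key):
    """Return (result, broadcast key as recovered by the client, or None)."""
    mine = one_way(password)
    # Steps 4-6: the server challenges the client and compares responses
    s_chal = relay(os.urandom(16))
    if not server.check(user, s_chal, relay(respond(mine, s_chal))):
        return "client rejected", None
    # Steps 7-9: the process repeats in reverse, client challenges server
    c_chal = relay(os.urandom(16))
    s_resp = relay(respond(server.secret(user), c_chal))
    if not hmac.compare_digest(s_resp, respond(mine, c_chal)):
        return "server rejected", None
    # Both ends derive the same per-client session key (assumed 13 bytes)
    def derive(secret):
        mac = hmac.new(secret, b"session" + s_chal + c_chal, hashlib.sha256)
        return mac.digest()[:13]
    ap_key = derive(server.secret(user))     # server sends this to the AP over the wired LAN
    sealed = wrap(ap_key, broadcast_key)     # AP encrypts its broadcast key with it
    return "ok", wrap(derive(mine), sealed)  # client decrypts with its own copy
```
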
