Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-29225-01
Chapter 11 Configuring Authentication Types
Understanding Authentication Types
EAP Authentication to the Network
This authentication type provides the highest level of security for your wireless network. By using the
Extensible Authentication Protocol (EAP) to interact with an EAP-compatible RADIUS server, the
access point helps a wireless client device and the RADIUS server to perform mutual authentication and
derive a dynamic unicast WEP key. The RADIUS server sends the WEP key to the access point, which
uses it for all unicast data signals that it sends to or receives from the client. The access point also
encrypts its broadcast WEP key (entered in the access point’s WEP key slot 1) with the client’s unicast
key and sends it to the client.
When you enable EAP on your access points and client devices, authentication to the network occurs in
the sequence shown in Figure 11-3:
Figure 11-3 Sequence for EAP Authentication
In Steps 1 through 9 in Figure 11-3, a wireless client device and a RADIUS server on the wired LAN
use 802.1x and EAP to perform a mutual authentication through the access point. The RADIUS server
sends an authentication challenge to the client. The client uses a one-way encryption of the user-supplied
password to generate a response to the challenge and sends that response to the RADIUS server. Using
information from its user database, the RADIUS server creates its own response and compares that to
the response from the client. When the RADIUS server authenticates the client, the process repeats in
reverse, and the client authenticates the RADIUS server.
When mutual authentication is complete, the RADIUS server and the client determine a WEP key that
is unique to the client and provides the client with the appropriate level of network access, thereby
approximating the level of security in a wired switched segment to an individual desktop. The client
loads this key and prepares to use it for the logon session.
During the logon session, the RADIUS server encrypts and sends the WEP key, called a session key, over
the wired LAN to the access point. The access point encrypts its broadcast key with the session key and
sends the encrypted broadcast key to the client, which uses the session key to decrypt it. The client and
access point activate WEP and use the session and broadcast WEP keys for all communications during
the remainder of the session.
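The exchange described above, as an added Python sketch that is not part of the Cisco guide: it walks the nine steps of Figure 11-3, including the case where the server cannot prove knowledge of the password. SHA-256/HMAC, the key derivation and the XOR wrap are stand-ins chosen for this example (assumptions), not the algorithms of any particular EAP method or of WEP, and all names are hypothetical.

```python
import hashlib
import hmac
import os

def one_way(password):
    # Assumption: SHA-256 stands in for the EAP method's one-way password function.
    return hashlib.sha256(password.encode()).digest()

def respond(secret, challenge):
    return hmac.new(secret, challenge, hashlib.sha256).digest()

def session_key(secret, chal_a, chal_b):
    # Illustrative derivation of a 104-bit per-client key from both challenges.
    return hmac.new(secret, b"session" + chal_a + chal_b, hashlib.sha256).digest()[:13]

def xor_wrap(key, data):
    # Stand-in for encrypting the broadcast key under the session key.
    stream = hashlib.sha256(b"wrap" + key).digest()
    return bytes(d ^ s for d, s in zip(data, stream))

class RadiusServer:
    def __init__(self, user_db, checks_client=True):
        self.user_db = user_db              # username -> one_way(password)
        self.checks_client = checks_client  # False models a server that accepts anyone

    def secret_for(self, username):
        # Unknown users get a random secret, so every later comparison fails.
        return self.user_db.get(username, os.urandom(32))

def eap_logon(username, password, server, ap_broadcast_key):
    """Return the broadcast key the client recovers, or None if either side fails."""
    client_secret = one_way(password)
    server_secret = server.secret_for(username)        # steps 1-3: request, identity, username
    server_chal = os.urandom(16)                       # step 4: server challenges the client
    client_resp = respond(client_secret, server_chal)  # step 5: relayed by the access point
    expected = respond(server_secret, server_chal)
    if server.checks_client and not hmac.compare_digest(client_resp, expected):
        return None                                    # server rejects the client (no step 6)
    client_chal = os.urandom(16)                       # step 7: client challenges the server
    server_resp = respond(server_secret, client_chal)  # step 8: relayed by the access point
    if not hmac.compare_digest(server_resp, respond(client_secret, client_chal)):
        return None                                    # client rejects the server (no step 9)
    # Both ends derive the session key; the server sends its copy to the access point.
    ap_key = session_key(server_secret, server_chal, client_chal)
    client_key = session_key(client_secret, server_chal, client_chal)
    wrapped = xor_wrap(ap_key, ap_broadcast_key)       # access point encrypts its broadcast key
    return xor_wrap(client_key, wrapped)               # client decrypts it with the session key
```

A server built with an empty user database and `checks_client=False` passes step 6 but fails the client's check at step 8, which is the half of the exchange that one-way authentication lacks.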
[Figure 11-3 diagram: message sequence between the client device, the access point or bridge, and the RADIUS server on the wired LAN. The access point relays each message to the client or to the server.]
1. Authentication request
2. Identity request
3. Username
4. Authentication challenge
5. Authentication response
6. Authentication success
7. Authentication challenge
8. Authentication response
9. Successful authentication