11-4
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-30644-01
Chapter 11 Configuring Authentication Types
Understanding Authentication Types
EAP Authentication to the Network
This authentication type provides the highest level of security for your wireless network. By using the
Extensible Authentication Protocol (EAP) to interact with an EAP-compatible RADIUS server, the
access point helps a wireless client device and the RADIUS server to perform mutual authentication and
derive a dynamic unicast key. The RADIUS server sends the key to the access point, which uses it for
all unicast data signals that it sends to or receives from the client. The access point also encrypts its
broadcast key with the client’s unicast key and sends it to the client.
Depending on the underlying security framework (802.1X with dynamic WEP, WPA, or WPA2), the key is used as follows:
In the case of WEP – directly by the access point for all unicast data signals that it sends to or receives from the client.
In the case of WPAv1/v2 – to derive the unicast keys that are used for all unicast data signals that the access point sends to or receives from the client.
When you enable EAP on your access points and client devices, authentication to the network occurs in
the sequence shown in Figure 11-3:
Figure 11-3 Sequence for EAP Authentication
In Steps 1 through 9 in Figure 11-3, a wireless client device and a RADIUS server on the wired LAN
use 802.1X and EAP to perform a mutual authentication through the access point. The RADIUS server
sends an authentication challenge to the client. The client applies a one-way function to the user-supplied
or machine-supplied credentials to generate a response to the challenge and sends that response to the
RADIUS server. Using information from its user database, the RADIUS server computes its own response
and compares it to the response from the client. When the RADIUS server has authenticated the client, the
process repeats in reverse, and the client authenticates the RADIUS server.
[Figure 11-3, Sequence for EAP Authentication: the client device exchanges messages with the access point or bridge, which relays them over the wired LAN to the RADIUS server. Messages shown: 1. Authentication request; 2. Identity request; 3. Username; 4. Authentication challenge; 5. Authentication response; 6. Authentication success; 7. Authentication challenge; 8. Authentication response; 9. Successful authentication (relay to server). The figure marks each forwarded message with "(relay to client)" or "(relay to server)" as the access point passes it on.]
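The following Python model of the Figure 11-3 exchange, and of the WEP versus WPA key usage described above, is an added example; it is not code from this guide or from Cisco IOS. It uses a keyed hash (HMAC-SHA256) as a stand-in for the EAP method's one-way function and for key derivation, and a toy XOR wrap as a stand-in for the broadcast-key encryption, so it is not the EAP or RADIUS wire protocol. The class names Client, AccessPoint and RadiusServer, the functions run_eap_exchange and unicast_traffic_key, and the sample credential database are assumptions. It shows that the access point relays messages without holding any credential, that client and server end up with the same dynamic unicast key, that the client can recover the broadcast key with it, and that a wrong credential or an unknown username fails at the client-authentication step.

```python
import hashlib
import hmac
import secrets


def response_to(credential: bytes, role: bytes, challenge: bytes) -> bytes:
    """One-way function of the credential and a challenge (steps 4-5 and 7-8).

    Stand-in for the EAP method's computation: the credential itself never
    crosses the air or the wired LAN, only a response bound to the challenge.
    """
    return hmac.new(credential, role + challenge, hashlib.sha256).digest()


def session_key(credential: bytes, c_server: bytes, c_client: bytes) -> bytes:
    # Dynamic unicast key bound to both challenges: a fresh run gives a fresh key.
    return hmac.new(credential, b"key" + c_server + c_client, hashlib.sha256).digest()


class RadiusServer:
    def __init__(self, user_db: dict):
        self.user_db = user_db  # username -> credential (constructed sample data)

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def check_client(self, username: str, challenge: bytes, response: bytes) -> bool:
        cred = self.user_db.get(username)
        if cred is None:
            return False  # unknown user: nothing in the database to compare against
        return hmac.compare_digest(response_to(cred, b"client", challenge), response)

    def answer_client(self, username: str, challenge: bytes) -> bytes:
        return response_to(self.user_db[username], b"server", challenge)


class Client:
    def __init__(self, username: str, credential: bytes):
        self.username, self.credential = username, credential

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def answer(self, challenge: bytes) -> bytes:
        return response_to(self.credential, b"client", challenge)

    def check_server(self, challenge: bytes, response: bytes) -> bool:
        return hmac.compare_digest(response_to(self.credential, b"server", challenge), response)


class AccessPoint:
    """Relays EAP messages and holds no credential; it only receives the finished key."""

    def __init__(self, server: RadiusServer):
        self.server = server
        self.unicast_keys = {}  # username -> key delivered by the RADIUS server
        self.broadcast_key = secrets.token_bytes(16)

    def relay(self, msg):
        return msg  # the access point forwards the message unchanged

    def wrap_broadcast_key(self, username: str):
        # Toy wrap: XOR the broadcast key with an HMAC keystream under the client's unicast key.
        nonce = secrets.token_bytes(16)
        stream = hmac.new(self.unicast_keys[username], nonce, hashlib.sha256).digest()
        return nonce, bytes(a ^ b for a, b in zip(self.broadcast_key, stream))


def unwrap_broadcast_key(unicast_key: bytes, nonce: bytes, wrapped: bytes) -> bytes:
    stream = hmac.new(unicast_key, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(wrapped, stream))


def run_eap_exchange(client: Client, ap: AccessPoint) -> dict:
    server = ap.server
    result = {"client_authenticated": False, "server_authenticated": False,
              "keys_match": False, "broadcast_key_recovered": False}
    username = ap.relay(client.username)                      # steps 1-3
    c_server = server.new_challenge()                         # step 4
    if not server.check_client(username, c_server, ap.relay(client.answer(ap.relay(c_server)))):
        return result                                         # step 5 fails, no step 6
    result["client_authenticated"] = True
    c_client = client.new_challenge()                         # step 7: process repeats in reverse
    if not client.check_server(c_client, ap.relay(server.answer_client(username, ap.relay(c_client)))):
        return result                                         # step 8 fails
    result["server_authenticated"] = True
    # Step 9 onward: the server sends the unicast key to the access point; the client derives its own.
    ap.unicast_keys[username] = session_key(server.user_db[username], c_server, c_client)
    client_key = session_key(client.credential, c_server, c_client)
    result["keys_match"] = hmac.compare_digest(client_key, ap.unicast_keys[username])
    nonce, wrapped = ap.wrap_broadcast_key(username)
    result["broadcast_key_recovered"] = unwrap_broadcast_key(client_key, nonce, wrapped) == ap.broadcast_key
    return result


def unicast_traffic_key(framework: str, master_key: bytes, ap_nonce: bytes, client_nonce: bytes) -> bytes:
    """How the delivered key is used, per the WEP versus WPA distinction (constructed illustration)."""
    if framework == "WEP":
        return master_key  # used directly by the access point for unicast data
    if framework in ("WPA", "WPA2"):
        # WPAv1/v2: a per-association unicast key is derived from the delivered key and fresh nonces.
        return hmac.new(master_key, b"pairwise" + ap_nonce + client_nonce, hashlib.sha256).digest()[:16]
    raise ValueError(f"unknown framework {framework!r}")


if __name__ == "__main__":
    ap = AccessPoint(RadiusServer({"alice": b"alice-credential"}))
    print(run_eap_exchange(Client("alice", b"alice-credential"), ap))
```

Running the module prints a result dictionary in which all four flags are True for the matching credential; the WEP branch of unicast_traffic_key returns the delivered key unchanged, while the WPA branch returns a different, nonce-bound key each association.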