13-3
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-30644-01
Chapter13 Configuring RADIUS and TACACS+ Servers
Configuring and Enabling RADIUS
Figure13-1 Sequence for EAP Authentication
As shown in Figure 13-1, at the start, a wireless client device and a RADIUS server on the wired LAN
use 802.1x and EAP to perform a mutual authentication through the access point. The initial phase is an
802.11 open authentication and association. The EAP process then starts.
The AP communicates with the client over the wireless link using EAP/802.1x, and relays the client
messages to the RADIUS server using RADIUS encapsulation. Once the client and the authentication
server agrees on an EAP method, the RADIUS server sends an authentication challenge to the client.
Some EAP methods also require the client to authenticate the RADIUS server before accepting a
challenge from the server. In all cases, the credential exchange is encrypted and cannot be read by
eavesdroppers.
When (one way or mutual) authentication is complete, and when WPA/WPA2 is in use, the RADIUS
server and the client derive an initial key called Pairwise Master Key (PMK). The the client and the
RADIUS server use the same method to derive the PKM, and therefore derive the same PMK. However,
the PMK is not exchanged over the wireless link.
The RADIUS server sends a copy of the PMK to the AP. The AP and the client will then use this PMK
to derive unicast encryption keys that will be used to encrypt the exchanges between the client and the
AP during the client session. The AP will also use the unicast encryption key to communicate to the
client the broadcast key, or the key used to encrypt traffic broadcasted to all clients in the cell.
There is more than one type of EAP authentication, but the access point behaves the same way for each
type. The AP relays authentication messages from the wireless client device to the RADIUS server and
from the RADIUS server to the wireless client device. See the “Assigning Authentication Types to an
SSID” section on page 11-9 for instructions on setting up client authentication using a RADIUS server.
Access point
or bridge
Wired LAN
Client
device RADIUS Server
1. Authentication request
2. Identity request
3. Username
(relay to client)
(relay to server)
4. Authentication challenge
5. Authentication response
(relay to client)
(relay to server)
6. Authentication success
7. Authentication challenge
(relay to client)
(relay to server)
8. Authentication response
9. Successful authentication (relay to server)
65583