24 Nokia A032 Addendum
The authentication procedure is initiated by the
station, which sends an Authentication Req MAC
frame to the AP. The AP builds a Radius Access-
Request containing a Radius user-name and
user-password derived as follows:
The user-name is either the MAC address of
the station expressed as a 12-character
hexadecimal string or the unit name if this
has been supplied by the station.
The A040 adapter sends its unit name as a
vendor-specific IEEE802.11 information
element in the Authentication Req message.
The user-password is generated from a
password, a shared secret and a random
Request Authenticator included in the
Radius packet (see RFC2138 section 5.2 for
the password generation algorithm) using
the MD5 hashing function. The password
and shared secret are defined via the ‘set
shared_secret’ command on the AP CLI.
Note that the password, being a value
entered into the AP configuration, is the
same for all stations.
Using its copy of the shared secret and password,
the Radius server can check that the user-
password supplied is valid. The password for all
the MAC-address entries in the Radius server
configuration should be set to the same value as
was entered on the APs. Also, the password and
shared secret must be the same in all the APs
using the Radius server.
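The user-password calculation and the server-side check described above, as an added example that is not part of the original manual or of Nokia's code. It follows RFC 2138 section 5.2; the function names and all sample values are constructed for illustration.

```python
import hashlib
import hmac

BLOCK = 16  # MD5 digest length; the password is padded to a multiple of this


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """AP side: compute the User-Password attribute value (RFC 2138, 5.2)."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1 to 128 octets")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), BLOCK):
        # b1 = MD5(secret + RA); later blocks chain on the previous ciphertext.
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + BLOCK], mask))
        hidden += prev
    return hidden


def server_accepts(hidden: bytes, authenticator: bytes,
                   secret: bytes, password: bytes) -> bool:
    """Server side: recalculate the value from its own copies and compare."""
    expected = hide_password(password, secret, authenticator)
    return hmac.compare_digest(expected, hidden)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real configuration.
    secret, password = b"example-shared-secret", b"example-password"
    ra = bytes(range(16))  # fixed here for repeatability; random per request
    attr = hide_password(password, secret, ra)
    print("User-Password:", attr.hex())
    print("same secret and password:", server_accepts(attr, ra, secret, password))
    print("AP with a different secret:", server_accepts(attr, ra, b"other", password))
```

An AP whose shared secret or password differs from the server's copy produces a value that fails this comparison, which is why both must be identical on every AP.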
When the Radius server receives the Access-
Request, it takes the user-name and looks up the
entry for the station. It then recalculates its
own copy of the user-password and if the
supplied user-password and its own match, it
builds an Access-Accept message to send back to