13-3
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-11350-01
Chapter 13 Configuring RADIUS and TACACS+ Servers
Configuring and Enabling RADIUS
RADIUS Operation
When a wireless user attempts to log in and authenticate to an access point whose access is controlled
by a RADIUS server, authentication to the network occurs in the steps shown in Figure 13-1:
Figure 13-1 Sequence for EAP Authentication
In Steps 1 through 9 in Figure 13-1, a wireless client device and a RADIUS server on the wired LAN
use 802.1x and EAP to perform a mutual authentication through the access point. The RADIUS server
sends an authentication challenge to the client. The client uses a one-way encryption of the user-supplied
password to generate a response to the challenge and sends that response to the RADIUS server. Using
information from its user database, the RADIUS server creates its own response and compares that to
the response from the client. When the RADIUS server authenticates the client, the process repeats in
reverse, and the client authenticates the RADIUS server.
When mutual authentication is complete, the RADIUS server and the client determine a WEP key that
is unique to the client and provides the client with the appropriate level of network access, thereby
approximating the level of security in a wired switched segment to an individual desktop. The client
loads this key and prepares to use it for the logon session.
During the logon session, the RADIUS server encrypts and sends the WEP key, called a session key,
over the wired LAN to the access point. The access point encrypts its broadcast key with the session key
and sends the encrypted broadcast key to the client, which uses the session key to decrypt it. The client
and access point activate WEP and use the session and broadcast WEP keys for all communications
during the remainder of the session.
There is more than one type of EAP authentication, but the access point behaves the same way for each
type: it relays authentication messages from the wireless client device to the RADIUS server and from
the RADIUS server to the wireless client device. See the “Assigning Authentication Types to an SSID”
section on page 11-10 for instructions on setting up client authentication using a RADIUS server.
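The nine-step exchange described above, modelled as an added Python example (not Cisco code and not any real EAP method): the one-way function, the session-key derivation and the broadcast-key wrapping are constructed assumptions chosen only to mirror the steps in the text, and the access point is a pure relay that never sees the password.

```python
# Added model of the RADIUS/EAP exchange described above; not Cisco code or a real
# EAP method. The one-way function (HMAC-SHA256), the session-key derivation and the
# broadcast-key wrapping are constructed assumptions that mirror the steps in the text.
import hashlib
import hmac
import os


def one_way(secret: bytes, challenge: bytes) -> bytes:
    """One-way function of a password and a challenge; the password never leaves either end."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def relay(log: list, hop: str, msg: bytes) -> bytes:
    """The access point: records the hop and forwards the message unchanged."""
    log.append(hop)
    return msg


def mutual_auth(password: bytes, server_db: dict, username: str, log: list):
    """Steps 1-9 of Figure 13-1. Returns the per-client session key, or None if either side rejects the other."""
    stored = server_db.get(relay(log, "username -> server", username.encode()).decode())
    if stored is None:
        return None
    # Steps 4-6: the server challenges the client; the client answers with a one-way function of its password.
    c_srv = os.urandom(16)
    answer = one_way(password, relay(log, "challenge -> client", c_srv))
    if not hmac.compare_digest(relay(log, "response -> server", answer), one_way(stored, c_srv)):
        return None  # server rejects the client
    # Steps 7-9: the process repeats in reverse so the client authenticates the server.
    c_cli = os.urandom(16)
    answer = one_way(stored, relay(log, "challenge -> server", c_cli))
    if not hmac.compare_digest(relay(log, "response -> client", answer), one_way(password, c_cli)):
        return None  # client rejects the server
    # Both ends now derive the same per-client session key (assumed derivation).
    return hashlib.sha256(b"session" + password + c_srv + c_cli).digest()[:16]


def wrap_key(session_key: bytes, broadcast_key: bytes) -> bytes:
    """Access point encrypts its broadcast key under the session key (assumed XOR keystream); the client unwraps the same way."""
    stream = hashlib.sha256(b"wrap" + session_key).digest()[: len(broadcast_key)]
    return bytes(a ^ b for a, b in zip(broadcast_key, stream))


if __name__ == "__main__":
    db = {"alice": b"correct horse"}  # constructed RADIUS user database
    hops = []
    key = mutual_auth(b"correct horse", db, "alice", hops)
    assert key is not None and mutual_auth(b"wrong", db, "alice", []) is None
    print(hops, wrap_key(key, wrap_key(key, b"broadcastkey1")) == b"broadcastkey1")
```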
Figure 13-1 (diagram not reproduced). Participants: Client device, Access point or bridge, Wired LAN, RADIUS Server. The access point relays each message to the client or to the server. Steps shown:
1. Authentication request
2. Identity request
3. Username
4. Authentication challenge
5. Authentication response
6. Authentication success
7. Authentication challenge
8. Authentication response
9. Successful authentication