User's Manual

ManualsBrandsCisco Systems ManualsElectronics4.9 GHz WMIC Mini PCI Module

151

152

153

154

155

156

157

158

159

160

8-4

Cisco 3200 Series Wireless MIC Software Configuration Guide

OL-7734-02

Chapter 8 Configuring Authentication Types

Understanding Authentication Types

Figure 8-3 Sequence for EAP Authentication

In Steps 1 through 9 in Figure 8-3, a non-root bridge and a RADIUS server on the wired LAN use 802.1x

and EAP to perform a mutual authentication through the root bridge. The RADIUS server sends an

authentication challenge to the non-root bridge. The non-root bridge uses a one-way encryption of the

user-supplied password to generate a response to the challenge and sends that response to the RADIUS

server. Using information from its user database, the RADIUS server creates its own response and

compares that to the response from the non-root bridge. When the RADIUS server authenticates the

non-root bridge, the process repeats in reverse, and the non-root bridge authenticates the RADIUS

server.

When mutual authentication is complete, the RADIUS server and the non-root bridge determine a WEP

key that is unique to the non-root bridge and provides the non-root bridge with the appropriate level of

network access, thereby approximating the level of security in a wired switched segment to an individual

desktop. The non-root bridge loads this key and prepares to use it for the logon session.

During the logon session, the RADIUS server encrypts and sends the WEP key, called a session key, over

the wired LAN to the root bridge. The root bridge encrypts its broadcast key with the session key and

sends the encrypted broadcast key to the non-root bridge, which uses the session key to decrypt it. The

non-root bridge and the root bridge activate WEP and use the session and broadcast WEP keys for all

communications during the remainder of the session.

There is more than one type of EAP authentication, but the bridge behaves the same way for each type.

It relays authentication messages from the wireless client device to the RADIUS server and from the

RADIUS server to the wireless client device. See the “Assigning Authentication Types to an SSID”

section on page 8-6 for instructions on setting up EAP on the WMIC.

Note If you use EAP authentication, you can select open or shared key authentication, but you do not have to.

EAP authentication controls authentication both to your bridge and to your network.

88901

Switch on

LAN 1

1. Authentication request

Authentication

server

Non-Root

Bridge

Root Bridge

2. Identity request

3. Username

(Relay to non-root bridge)

5. Authentication response

(Relay to non-root bridge)

7. Authentication challenge

(Relay to non-root bridge)

9. Authentication success

(Relay to server)

4. Authentication challenge

(Relay to server)

6. Authentication success

(Relay to server)

8. Authentication response

(Relay to server)