Cisco Systems IOS Releases 15.2(4)JA Universal Remote User Manual


 
13-3
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-29225-01
Chapter 13 Configuring RADIUS and TACACS+ Servers
Configuring and Enabling RADIUS
Figure 13-1 Sequence for EAP Authentication
In Steps 1 through 9 in Figure 13-1, a wireless client device and a RADIUS server on the wired LAN
use 802.1x and EAP to perform a mutual authentication through the access point. The RADIUS server
sends an authentication challenge to the client. The client uses a one-way encryption of the user-supplied
password to generate a response to the challenge and sends that response to the RADIUS server. Using
information from its user database, the RADIUS server creates its own response and compares that to
the response from the client. When the RADIUS server authenticates the client, the process repeats in
reverse, and the client authenticates the RADIUS server.
When mutual authentication is complete, the RADIUS server and the client determine a WEP key that
is unique to the client and provides the client with the appropriate level of network access, thereby
approximating the level of security in a wired switched segment to an individual desktop. The client
loads this key and prepares to use it for the logon session.
During the logon session, the RADIUS server encrypts and sends the WEP key, called a session key, over
the wired LAN to the access point. The access point encrypts its broadcast key with the session key and
sends the encrypted broadcast key to the client, which uses the session key to decrypt it. The client and
access point activate WEP and use the session and broadcast WEP keys for all communications during
the remainder of the session.
There is more than one type of EAP authentication, but the access point behaves the same way for each
type: it relays authentication messages from the wireless client device to the RADIUS server and from
the RADIUS server to the wireless client device. See the “Assigning Authentication Types to an SSID”
section on page 11-10 for instructions on setting up client authentication using a RADIUS server.
Configuring RADIUS
This section describes how to configure your access point to support RADIUS. At a minimum, you must
identify the host or hosts that run the RADIUS server software and define the method lists for RADIUS
authentication. You can optionally define method lists for RADIUS authorization and accounting.
Access point
or bridge
Wired LAN
Client
device
RADIUS Server
1. Authentication request
2. Identity request
3. Username
(relay to client)
(relay to server)
4. Authentication challenge
5. Authentication response
(relay to client)
(relay to server)
6. Authentication success
7. Authentication challenge
(relay to client)
(relay to server)
8. Authentication response
9. Successful authentication
(relay to server)
65583