Specifications
802.1x Solution Cookbook 239
Chapter 11
a. The laptop searches for the wireless ESSID “Wireless LAN-01”, chooses the AP with the best signal strength, and attempts to associate to it.
   i. The laptop will send 802.11 broadcast probe-requests to search for any ESSID.
   ii. All APs in range will respond with probe-responses containing the ESSID “Wireless LAN-01”. A load-balancing feature has been enabled on the Alcatel switch that limits the number of users on a single AP to 20. If the load-balancing high watermark has been reached on a given AP, that AP will not respond with probe-responses. From the laptop’s perspective, it appears as though the AP does not exist.
   iii. The laptop will choose the best AP among the list of responses. This decision is typically based on measured signal strength.
   iv. The laptop will initiate an 802.11 association process with the chosen AP.
b. The laptop will initiate 802.1x authentication by transmitting an EAPOL-Start message to the AP. An 802.1x authentication sequence using PEAP will follow. The Alcatel switch will convert all 802.1x EAPOL messages on the wireless network into EAPOL-over-RADIUS messages on the wired network, and will transmit them to the Microsoft IAS server. All 802.1x communication is between the client and the IAS server, with the Alcatel components acting as pass-through devices.
   i. The laptop will transmit a username of “host\computer_name”, where “computer_name” is replaced by the actual configured computer name of the laptop. The Alcatel switch will recognize the username information, record it, and map it to the MAC address of the client in an internal table.
   ii. The IAS server will compare the transmitted username with a list of computers and users in the Active Directory database. Because the username represents a computer in the domain, the IAS server will process the authentication request according to a policy matching all domain computers.
   iii. The IAS server will transmit a digital certificate to the client. This digital certificate was issued and signed by the local Windows certificate authority. Each laptop has been configured to trust the local certificate authority. Because of this trust relationship, the client accepts the certificate and allows authentication to proceed. If an invalid certificate were presented (for example, from an intruder attempting to gain access to the network by running a separate AP and authentication server), the client would halt the authentication process at this point.
   iv. During the encrypted PEAP exchange, the client will again transmit a username corresponding to its computer name. Using MS-CHAP v2, the computer will next transmit a password. In this case, the password is the domain SID (security identifier) previously exchanged between the laptop and the domain controller the first time the laptop joined the domain. The SID is stored on each laptop automatically.
   v. If the computer name and SID match those stored in the Active Directory database, authentication is granted. The IAS server transmits a RADIUS “Accept” message to the Alcatel switch. The Alcatel switch transmits an EAPOL “Success” message to the wireless client. This concludes 802.1x authentication.
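The join sequence in steps a and b, modelled as a small simulation so the three decision points can be exercised: an AP at the load-balancing high watermark stays silent, the client halts on a server certificate that does not chain to its trusted CA, and a computer-name/SID mismatch yields a RADIUS Reject. This is an added example, not code from the cookbook or from the Alcatel or Microsoft products; AP names, signal values, the CA name and the SID are constructed, and the SID-as-password behaviour is taken as the text states it.

```python
"""Constructed simulation of the wireless 802.1x join sequence described above."""
from dataclasses import dataclass

HIGH_WATERMARK = 20  # per-AP user limit enforced by the Alcatel load-balancing feature


@dataclass
class AccessPoint:
    name: str
    signal: int   # measured signal strength (constructed units, higher is better)
    users: int    # clients currently associated
    essid: str = "Wireless LAN-01"

    def answers_probe(self) -> bool:
        # An AP at its high watermark sends no probe-response; to the laptop it does not exist.
        return self.users < HIGH_WATERMARK


@dataclass
class IasServer:
    cert_issuer: str   # CA that signed the certificate the server presents in PEAP
    directory: dict    # constructed Active Directory contents: computer name -> stored SID

    def authenticate(self, username: str, sid: str) -> str:
        # Username arrives as "host\computer_name"; the policy for domain computers checks the SID.
        name = username.split("\\", 1)[1]
        return "Access-Accept" if self.directory.get(name) == sid else "Access-Reject"


def choose_ap(aps):
    # Step a: broadcast probe-request, keep only the APs that answered, pick the strongest signal.
    responders = [ap for ap in aps if ap.answers_probe()]
    return max(responders, key=lambda ap: ap.signal) if responders else None


def join(aps, laptop_name, laptop_sid, trusted_ca, ias):
    """Return the message trace; the last entry is 'EAPOL Success' or the reason the sequence stopped."""
    trace = []
    ap = choose_ap(aps)
    if ap is None:
        return trace + ["no AP responded to probe-request"]
    trace += [f"associated to {ap.name}", "EAPOL-Start"]
    # Step b.iii: the client proceeds only if the server certificate was signed by its trusted CA.
    if ias.cert_issuer != trusted_ca:
        return trace + ["halt: untrusted server certificate"]
    trace.append("PEAP tunnel established")
    # Step b.iv/v: inner MS-CHAP v2 identity and password, then the RADIUS verdict relayed as EAPOL.
    result = ias.authenticate(f"host\\{laptop_name}", laptop_sid)
    trace.append(f"RADIUS {result}")
    trace.append("EAPOL Success" if result == "Access-Accept" else "EAPOL Failure")
    return trace
```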