Specifications

802.1x Solution Cookbook 241
Chapter 11
a. The laptop will transmit an EAPOL-Start message to the Alcatel switch.
The Alcatel switch will then proceed with 802.1x authentication by
transmitting an EAPOL “Request identity” message to the laptop.
b. The laptop will transmit the user’s username. The Alcatel switch will
recognize the username information, record it, and map it to the MAC
address of the client in an internal table. The new username will replace
the previously-learned computer name.
c. The IAS server will compare the transmitted username with a list of
computers and users on the Active Directory server. Because the
username represents a user in the domain, the IAS server will process the
authentication request according to a policy matching the group to which
the user belongs (faculty, student, or system administrator).
d. The IAS server will transmit a digital certificate to the client. This digital
certificate was issued and signed by the local Windows certificate
authority. Each laptop has been configured to trust the local certificate
authority. Because of this trust relationship, the client accepts the
certificate and allows authentication to proceed. If an invalid certificate
were presented (for example, from an intruder attempting to gain access
to the network by running a separate AP and authentication server), the
client would halt the authentication process at this point.
e. During the encrypted PEAP exchange, the client will again transmit a
username. Using MS-CHAP v2, the computer next authenticates with the user’s
password entered during the Windows logon process. Because this
exchange is MS-CHAP v2, the actual password is not transmitted; only a
challenge response derived from it is.
f. If the username and password match those stored in the Active Directory
database, authentication is granted. The IAS server transmits a RADIUS
“Accept” message to the Alcatel switch. The Alcatel switch transmits an
EAPOL “Success” message to the wireless client. This concludes 802.1x
authentication.
i. The IAS server has also been configured to transmit a RADIUS
attribute called “Class” to the Alcatel switch. The value of this
attribute is set to either “student”, “faculty”, or “sysadmin” to identify
the user’s group. The Alcatel switch is configured to recognize this
RADIUS attribute, and maps the wireless client to the appropriate role.
Different firewall policies are configured for different groups on the
Alcatel switch, primarily to limit student access to approved uses of
the network.
g. The wireless laptop and Alcatel switch derive new encryption keys for
WEP.
h. The wireless laptop maintains the same IP address.
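The RADIUS “Accept” message of step f and the “Class” attribute handling of step i are illustrated by the following added Python example. It is not code from the cookbook or from the Alcatel switch; it models the switch side of the exchange. It goes slightly beyond the page in one respect: before any attribute is trusted, it verifies the reply’s Response Authenticator with the RADIUS shared secret, as RFC 2865 requires, so a reply that was forged or produced with the wrong secret never yields a role. The packet bytes, shared secret, request authenticator, and the “quarantine” fallback role used when Class is absent or unrecognized are all constructed assumptions for the example.

```python
"""Switch-side handling of a RADIUS Access-Accept carrying a Class attribute.

Added example (not from the cookbook or the Alcatel switch).  Packet layout
follows RFC 2865; the shared secret, request authenticator, packet bytes,
and the fallback role below are constructed for the example.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
ATTR_CLASS = 25  # RFC 2865 attribute type for "Class"

# Role table: Class value -> switch role (the page's three groups).
ROLE_BY_CLASS = {b"student": "student", b"faculty": "faculty", b"sysadmin": "sysadmin"}
# Assumed fallback when Class is absent or unknown; the page does not specify one.
DEFAULT_ROLE = "quarantine"


def attribute(atype, value):
    """Encode one RADIUS attribute as Type(1) Length(1) Value."""
    return bytes([atype, 2 + len(value)]) + value


def parse_attributes(data):
    """Walk the TLV list, rejecting truncated or malformed attributes."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def response_authenticator(code, ident, length, request_auth, attrs, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(head + request_auth + attrs + secret).digest()


def build_response(code, ident, request_auth, attrs, secret):
    """Build a server reply (used here only to construct sample packets)."""
    length = 20 + len(attrs)
    auth = response_authenticator(code, ident, length, request_auth, attrs, secret)
    return struct.pack("!BBH", code, ident, length) + auth + attrs


def role_for_response(packet, request_auth, secret):
    """Return the role to apply, or None if the reply must not grant access.

    The authenticator is checked before any attribute is read, so a reply
    that was forged or built with the wrong secret never yields a role.
    """
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return None
    attrs = packet[20:]
    expected = response_authenticator(code, ident, length, request_auth, attrs, secret)
    if not hmac.compare_digest(packet[4:20], expected):
        return None
    if code != ACCESS_ACCEPT:
        return None
    try:
        classes = [v for t, v in parse_attributes(attrs) if t == ATTR_CLASS]
    except ValueError:
        return None  # malformed attribute list: treat like a reject
    if len(classes) != 1:  # none, or ambiguous duplicates: never guess a privileged role
        return DEFAULT_ROLE
    return ROLE_BY_CLASS.get(classes[0], DEFAULT_ROLE)


# Constructed sample values for the walk-through below.
SAMPLE_SECRET = b"example-shared-secret"
SAMPLE_REQUEST_AUTH = bytes(range(16))


def sample_accept(class_value, ident=7):
    """Constructed Access-Accept carrying one Class attribute."""
    return build_response(ACCESS_ACCEPT, ident, SAMPLE_REQUEST_AUTH,
                          attribute(ATTR_CLASS, class_value), SAMPLE_SECRET)


if __name__ == "__main__":
    pkt = sample_accept(b"student")
    print("student reply  ->", role_for_response(pkt, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET))
    altered = pkt[:-7] + b"faculty"  # same length, but the authenticator no longer matches
    print("altered reply  ->", role_for_response(altered, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET))
```

The two checks that matter for the switch are ordered deliberately: the authenticator is verified first, so neither the code nor any attribute of an unverified reply is ever consulted, and an Accept with no usable Class lands in the restrictive fallback role rather than in any of the three named groups.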
5. The user now has network access consistent with the user’s group
privileges.
6. If the user moves to another room where the wireless association can no
longer be maintained, the laptop will search for a new AP and re-initiate the
association process. After each association, the 802.1x authentication
process will repeat. While a user is logged in to the laptop, the 802.1x
authentication will be performed using the user’s credentials. If 802.1x