
8-4
Cisco Aironet 1200 Series Access Point Software Configuration Guide
OL-2159-05
Chapter 8 Security Setup
Security Overview
Figure 8-2 Sequence for EAP Authentication
In Steps 1 through 9 in Figure 8-2, a wireless client device and a RADIUS server on the wired LAN
use 802.1x and EAP to perform a mutual authentication through the access point. The RADIUS
server sends an authentication challenge to the client. The client uses a one-way encryption of the
user-supplied password to generate a response to the challenge and sends that response to the
RADIUS server. Using information from its user database, the RADIUS server creates its own
response and compares that to the response from the client. When the RADIUS server authenticates
the client, the process repeats in reverse, and the client authenticates the RADIUS server.
When mutual authentication is complete, the RADIUS server and the client determine a WEP key
that is unique to the client and provides the client with the appropriate level of network access,
thereby approximating the level of security in a wired switched segment to an individual desktop.
The client loads this key and prepares to use it for the logon session.
During the logon session, the RADIUS server encrypts and sends the WEP key, called a session key,
over the wired LAN to the access point. The access point encrypts its broadcast key with the session
key and sends the encrypted broadcast key to the client, which uses the session key to decrypt it. The
client and access point activate WEP and use the session and broadcast WEP keys for all
communications during the remainder of the session.
There is more than one type of EAP authentication, but the access point behaves the same way for
each type: it relays authentication messages from the wireless client device to the RADIUS server
and from the RADIUS server to the wireless client device. See the "Setting Up EAP Authentication"
section on page 8-15 for instructions on setting up EAP on the access point.
Note: If you use EAP authentication, you can select open or shared key authentication, but you
don't have to. EAP authentication controls authentication both to your access point and to
your network.
Figure 8-2 (figure content): the participants are the client device, the access point or bridge, the wired LAN, and the server. The access point relays each message to the client or to the server as appropriate:
1. Authentication request
2. Identity request
3. Username
4. Authentication challenge
5. Authentication response
6. Authentication success
7. Authentication challenge
8. Authentication response
9. Successful authentication
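The following Python model of the Figure 8-2 exchange is an added example, not code from this guide or from Cisco's EAP implementation: HMAC-SHA256 stands in for the EAP method's one-way password computation, a simple XOR wrap stands in for encrypting the broadcast key with the session key, and the user database and credentials are constructed. It shows why a relaying access point never needs the password and why a wrong password stops the exchange at step 5, before any key is derived.

```python
import hashlib, hmac, os

USER_DB = {"alice": "s3cret-pass"}  # constructed sample user database on the RADIUS server

def password_digest(password: str) -> bytes:
    """One-way transform of the password; the plaintext itself never crosses the air."""
    return hashlib.sha256(password.encode()).digest()

def respond(digest: bytes, challenge: bytes) -> bytes:
    """Answer a challenge with a keyed hash (stand-in for the real EAP method's computation)."""
    return hmac.new(digest, challenge, hashlib.sha256).digest()

def derive_session_key(digest: bytes, server_ch: bytes, client_ch: bytes) -> bytes:
    """Per-client session WEP key that both ends can compute once mutual authentication succeeds."""
    return hmac.new(digest, b"session" + server_ch + client_ch, hashlib.sha256).digest()[:16]

def xor_wrap(key: bytes, data: bytes) -> bytes:
    """Toy one-time-pad wrap standing in for 'encrypt the broadcast key with the session key'."""
    return bytes(a ^ b for a, b in zip(key, data))

def eap_exchange(username: str, client_password: str, ap_log: list):
    """Run steps 4-9 of Figure 8-2; ap_log records each frame the access point relayed."""
    def relay(step: int, direction: str, payload: bytes) -> bytes:
        ap_log.append((step, direction))  # the AP forwards but never interprets the EAP payload
        return payload
    if username not in USER_DB:
        return None
    server_digest = password_digest(USER_DB[username])   # from the server's user database
    client_digest = password_digest(client_password)     # from the user-supplied password
    # Steps 4-6: the RADIUS server authenticates the client.
    server_ch = relay(4, "to client", os.urandom(16))
    client_resp = relay(5, "to server", respond(client_digest, server_ch))
    if not hmac.compare_digest(client_resp, respond(server_digest, server_ch)):
        return None                                      # server rejects; no key is ever derived
    relay(6, "to client", b"success")
    # Steps 7-9: the process repeats in reverse and the client authenticates the server.
    client_ch = relay(7, "to server", os.urandom(16))
    server_resp = relay(8, "to client", respond(server_digest, client_ch))
    if not hmac.compare_digest(server_resp, respond(client_digest, client_ch)):
        return None
    relay(9, "to server", b"success")
    # Both ends now hold the same session key; RADIUS sends its copy to the AP over the wired LAN.
    session_key = derive_session_key(client_digest, server_ch, client_ch)
    ap_session_key = derive_session_key(server_digest, server_ch, client_ch)
    broadcast_key = os.urandom(16)                       # the AP's broadcast WEP key (constructed)
    wrapped = xor_wrap(ap_session_key, broadcast_key)    # AP encrypts it with the session key
    return {"session_key": session_key, "broadcast_key": xor_wrap(session_key, wrapped),
            "ap_broadcast_key": broadcast_key}
```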