Cisco Systems CSACS3415K9 User Manual

B-18
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Appendix B Authentication in ACS 5.4
PEAPv0/1
Figure B-3 PEAP Processing Flow
Creating the TLS Tunnel
The following describes the process for creating the TLS tunnel:
[Figure B-3 callouts. Phase 1: client authenticates the server certificate; TLS tunnel is created. Phase 2: user authentication credentials are sent through the TLS tunnel again using EAP; RADIUS server authenticates to user repository; AP gets encryption keys; client gets network access.]
1. After creating a logical link, the wireless AP sends an EAP-Request/Identity message to the wireless client.
2. The wireless client responds with an EAP-Response/Identity message that contains the identity (user or computer name) of the wireless client.
3. The wireless AP sends the EAP-Response/Identity message to ACS. From this point on, the logical communication occurs between ACS and the wireless client by using the wireless AP as a pass-through device.
4. ACS sends an EAP-Request/Start PEAP message to the wireless client.
5. The wireless client and ACS exchange a series of TLS messages through which the cipher suite for the TLS channel is negotiated. In ACS 5.4, the client certificate is not used in PEAP.
6. At the end of the PEAP negotiation, ACS has authenticated itself to the wireless client. Both nodes have determined mutual encryption and signing keys (by using public key cryptography, not passwords) for the TLS channel.
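As an added example, not taken from the Cisco guide or from ACS itself, the following Python decoder walks the EAP packets that carry steps 1 through 5 above, labels each with its step, and pulls the PEAP version and TLS payload out of the EAP-Request/Start PEAP and handshake fragments. It assumes the RFC 3748 EAP header, EAP type 25 for PEAP and the EAP-TLS-style flags byte (L, M, S plus version bits); the sample packets and the identity alice@example.com are constructed.

```python
import struct
# EAP codes and types from RFC 3748; PEAP is EAP type 25.
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_PEAP = 1, 25
# PEAP flags byte: L = TLS length present, M = more fragments, S = start; low 3 bits = PEAP version (0/1).
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20

def build_eap(code, ident, eap_type=None, data=b""):
    """Encode an EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_eap(pkt):
    """Decode one EAP packet and label it with the step of the PEAP flow it belongs to."""
    if len(pkt) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError(f"EAP length field {length} != packet size {len(pkt)}")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return {"code": code, "id": ident, "step": "result"}
    if length < 5:
        raise ValueError("EAP Request/Response without Type field")
    eap_type, data = pkt[4], pkt[5:]
    info = {"code": code, "id": ident, "type": eap_type, "step": f"other EAP type {eap_type}"}
    if eap_type == TYPE_IDENTITY:
        info["step"] = "1 Request/Identity" if code == EAP_REQUEST else "2 Response/Identity"
        info["identity"] = data.decode("utf-8", "replace")
    elif eap_type == TYPE_PEAP:
        if not data:
            raise ValueError("PEAP packet without flags byte")
        flags, tls = data[0], data[1:]
        if flags & FLAG_L:  # skip the 4-byte total TLS message length when present
            if len(tls) < 4:
                raise ValueError("PEAP L flag set but TLS length field missing")
            tls = tls[4:]
        info.update(version=flags & 0x07, more=bool(flags & FLAG_M), tls_bytes=len(tls))
        if code == EAP_REQUEST and flags & FLAG_S:
            info["step"] = "4 Request/Start PEAP"
        else:
            info["step"] = "5 TLS handshake fragment"
    return info

# Constructed sample exchange covering steps 1, 2, 4 and 5 (not a real capture).
SAMPLE = [
    build_eap(EAP_REQUEST, 1, TYPE_IDENTITY),                         # step 1: AP asks for identity
    build_eap(EAP_RESPONSE, 1, TYPE_IDENTITY, b"alice@example.com"),  # step 2: client identity
    build_eap(EAP_REQUEST, 2, TYPE_PEAP, bytes([FLAG_S | 0x01])),     # step 4: PEAPv1 Start from ACS
    build_eap(EAP_RESPONSE, 2, TYPE_PEAP, bytes([FLAG_L]) + struct.pack("!I", 3) + b"\x16\x03\x01"),  # step 5
]
```

The step 5 packet carries only a 3-byte stand-in for a TLS record header; a real capture would hold the full ClientHello, possibly split over several M-flagged fragments.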