Cisco IOS Software Release 12.3(4)T

SSG EAP Transparency
Cisco IOS Releases 12.2(16)B and 12.3(4)T
Prerequisites for SSG EAP Transparency
The SSG EAP Transparency feature operates in the environment described in the 
. Before you can use this feature, you must set up each of the components 
of the environment, as specified in other Cisco documents. 
The SSG EAP Transparency feature has the following requirements:
- You must set up the SSG RADIUS proxy feature on the router that has SSG. This enables SSG to be aware of EAP authentication and to process the user’s SSG service information sent in the Access-Accept packet. You must also configure the access point (AP) and AZR as RADIUS proxy clients.
- The AP must use SSG as the authentication, authorization, and accounting (AAA) server for EAP authentication.
- The AZR must use the Dynamic Host Configuration Protocol (DHCP) accounting feature and the Address Resolution Protocol (ARP) log feature.
- SESM must be in RADIUS mode.
Information About SSG EAP Transparency
To use SSG EAP transparency, you should understand the following concepts: 
EAP Implementations Supported by SSG 
SSG supports the following EAP implementations, which are designed to support 802.1x requirements 
for public wireless LANs (PWLANs) and Ethernet LANs:
- EAP-Subscriber Identity Module (SIM)
- EAP-Transport Layer Security (TLS)
- Microsoft Protected Extensible Authentication Protocol (PEAP)
- Any other EAP mechanisms that use Microsoft Point-to-Point Encryption (MPPE) to share Wired Equivalent Privacy (WEP) keys
Note
SSG does not terminate native EAP messages. SSG supports EAP transparency by looking at the 
RADIUS packets generated by APs or switches.
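
To make concrete what looking at the RADIUS packets involves, the following added Python example (not Cisco's code, and not a description of how SSG is implemented) parses one RADIUS packet and reports the EAP code and method carried in its EAP-Message attributes, and whether MS-MPPE key attributes are present. The function names, helper names and sample packets are constructed for illustration; the attribute and type numbers are those of RFC 2865, RFC 3579 and RFC 2548.

```python
import struct

# Attribute and type numbers from RFC 2865, RFC 3579 (EAP-Message) and RFC 2548 (MS-MPPE keys).
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 18: "EAP-SIM", 25: "PEAP"}
USER_NAME, VENDOR_SPECIFIC, EAP_MESSAGE, MS_VENDOR_ID = 1, 26, 79, 311
MPPE_KEYS = {16: "MS-MPPE-Send-Key", 17: "MS-MPPE-Recv-Key"}

def inspect_radius(pkt: bytes) -> dict:
    """Report what a proxy can see of an EAP exchange in one RADIUS packet."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if not 20 <= length <= len(pkt):
        raise ValueError("bad RADIUS length field")
    info = {"radius": RADIUS_CODES.get(code, code), "user": None, "eap": None, "mppe_keys": []}
    eap, pos = b"", 20
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("malformed attribute")
        atype, alen = pkt[pos], pkt[pos + 1]
        value = pkt[pos + 2:pos + alen]
        if atype == USER_NAME:
            info["user"] = value.decode("utf-8", "replace")
        elif atype == EAP_MESSAGE:
            eap += value  # long EAP packets are split across several attributes
        elif atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype = struct.unpack("!IB", value[:5])
            if vendor == MS_VENDOR_ID and vtype in MPPE_KEYS:
                info["mppe_keys"].append(MPPE_KEYS[vtype])  # presence only, key bytes ignored
        pos += alen
    if len(eap) >= 4:
        info["eap"] = {"code": EAP_CODES.get(eap[0], eap[0])}
        if eap[0] in (1, 2) and len(eap) >= 5:  # only Request/Response carry a type
            info["eap"]["type"] = EAP_TYPES.get(eap[4], eap[4])
    return info

def attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value
def packet(code: int, attrs: list) -> bytes:
    body = b"".join(attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body
def mppe_vsa(vtype: int) -> bytes:  # 2-byte salt + 32 opaque bytes, all zero here
    return attr(VENDOR_SPECIFIC, struct.pack("!IBB", MS_VENDOR_ID, vtype, 36) + bytes(34))

# Constructed samples: an AP's Access-Request and the AAA server's Access-Accept.
REQUEST = packet(1, [attr(USER_NAME, b"alice"), attr(EAP_MESSAGE, bytes([2, 1, 0, 10, 1]) + b"alice")])
ACCEPT = packet(2, [attr(EAP_MESSAGE, bytes([3, 2, 0, 4])), mppe_vsa(16), mppe_vsa(17)])
```

The parser reads only RADIUS attributes and the EAP header inside EAP-Message. It never answers or terminates the EAP method itself.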