Enterprise Mobility 4.1 Design Guide
OL-14435-01
Chapter 4 Cisco Unified Wireless Network Architecture—Base Security Features
802.1X
Figure 4-4 shows the logical location of the "authenticator" within the overall authentication
architecture. The authenticator controls network access using the 802.1X protocol, and relays EAP
messages between the supplicant and the authentication server.
Figure 4-4
Authenticator Location
The example decode shows an EAP-TLS authentication, where the four left-most columns are
wireless 802.1X decodes and the three right-most columns are decodes of the respective RADIUS
transactions for the same EAP-TLS authentication.
The EAP exchange sequence is as follows:
• Packet #1 is sent by the AP to the client, requesting the client identity. This begins the EAP exchange.
• Packet #2 is the client identity that is forwarded to the RADIUS server. Based on this identity, the RADIUS server can decide whether to continue with the EAP authentication.
• In packet #3, the RADIUS server sends a request to use PEAP as the EAP method for authentication. The actual request depends on the EAP types configured on the RADIUS server. If the client rejects the PEAP request, the RADIUS server may offer other EAP types.
• Packets #4–8 are the TLS tunnel setup for PEAP.
• Packets #9–16 are the authentication exchange within PEAP.
• Packet #17 is the EAP message saying that the authentication was successful. In addition to informing the supplicant and the authenticator that the authentication was successful, packet #17 also carries encryption keys and authorization information in the form of RADIUS VSAs to the authenticator.
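As an added example (not code from the Cisco guide), the following Python decodes the EAP header of each packet in a constructed exchange shaped like the sequence above (identity request/response, a PEAP offer, a client Nak, EAP-Success) and shows how the authenticator relays each EAP packet inside RADIUS EAP-Message attributes. The byte strings and the username "user" are constructed sample values.

```python
import struct

# EAP header fields (RFC 3748); PEAP and Nak are the types that appear in the sequence above
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP"}
RADIUS_EAP_MESSAGE = 79   # RADIUS attribute carrying a relayed EAP packet (RFC 3579)

def parse_eap(pkt):
    """Decode one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    if len(pkt) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP Length field inconsistent with packet size")
    entry = {"code": EAP_CODES.get(code, code), "id": ident, "type": None, "data": b""}
    if code in (1, 2) and length >= 5:        # only Request/Response carry a Type field
        entry["type"] = EAP_TYPES.get(pkt[4], pkt[4])
        entry["data"] = pkt[5:length]
    return entry

def to_radius_eap_message(pkt):
    """Wrap an EAP packet as the authenticator relays it: one or more EAP-Message
    AVPs (Type 79, Length, Value); each value holds at most 253 bytes."""
    return [bytes([RADIUS_EAP_MESSAGE, len(pkt[i:i + 253]) + 2]) + pkt[i:i + 253]
            for i in range(0, len(pkt), 253)]

def describe_exchange(pkts):
    """Label each packet of an 802.1X/EAP sequence the way the decode above does."""
    lines = []
    for n, pkt in enumerate(pkts, 1):
        e = parse_eap(pkt)
        what = e["code"] if e["type"] is None else f'{e["code"]}/{e["type"]}'
        if e["type"] == "Nak":                # client rejected the offered method
            what += " (client proposes type %d instead)" % e["data"][0]
        lines.append(f"#{n} id={e['id']} {what}")
    return lines

# Constructed sample exchange (not a real capture)
SAMPLE = [
    bytes.fromhex("0101000501"),              # Request/Identity from the AP
    bytes.fromhex("0201000901") + b"user",    # Response/Identity "user"
    bytes.fromhex("010200061920"),            # Request/PEAP, flags byte with Start bit set
    bytes.fromhex("02020006030d"),            # Response/Nak, client asks for EAP-TLS (13)
    bytes.fromhex("03030004"),                # EAP-Success
]

if __name__ == "__main__":
    for line in describe_exchange(SAMPLE):
        print(line)
```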
[Figure 4-4, Authenticator Location: Supplicant (WLAN Client) <- 802.1X/EAP -> Authenticator (Access Point and Wireless LAN Controller, joined by LWAPP) <- RADIUS -> Authentication Server (AAA Server) on the enterprise network; encryption is applied between the WLAN client and the authenticator.]