Design Guide for the Cisco Aironet 350 Mini-PCI Wireless LAN Client Adapter
4-5
Enterprise Mobility 4.1 Design Guide
OL-14435-01
Chapter 4 Cisco Unified Wireless Network Architecture—Base Security Features
802.1X
Extensible Authentication Protocol
Extensible Authentication Protocol (EAP) is defined in an IETF RFC that stipulates that the authentication protocol must be decoupled from the transport protocol used to carry it. This allows EAP to be carried by transport protocols such as 802.1X, UDP, or RADIUS without any change to the authentication protocol itself.
The basic EAP protocol is relatively simple, consisting of the following four packet types:
• EAP request—The request packet is sent by the authenticator to the supplicant. Each request has a type field that indicates what is being requested; for example, supplicant identity and EAP type to be used. A sequence number allows the authenticator and the peer to match an EAP response to each EAP request.
• EAP response—The response packet is sent by the supplicant to the authenticator, and uses a sequence number to match the initiating EAP request. The type of the EAP response generally matches the EAP request, except if the response is a negative-acknowledgment (NAK).
• EAP success—The success packet is sent when successful authentication has occurred, and is sent from the authenticator to the supplicant.
• EAP failure—The failure packet is sent when unsuccessful authentication has occurred, and is sent from the authenticator to the supplicant.
When using EAP in an 802.11i compliant system, the AP operates in EAP pass-through mode. In this mode, it checks the code, identifier, and length fields, and then forwards EAP packets received from the client supplicant to the AAA server. EAP packets received by the authenticator from the AAA server are forwarded to the supplicant.
Figure 4-2 shows an example of EAP protocol flow.
Figure 4-2 EAP Protocol Flow

[Figure: the client, the AP (802.1X toward the client, LWAPP toward the controller), and the RADIUS/ACS server on the enterprise network. The authentication conversation is between the client and the authentication server. Messages shown, in order: EAP Identity Request; EAP Identity Response (identity forwarded to the ACS server); EAP Request – EAP Type; EAP Response – EAP Type; EAP Success.]
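The four packet types, the identifier-based request/response matching (including the NAK case), and the code/identifier/length checks a pass-through authenticator makes before forwarding, as an added Python example that is not part of this guide; the EAP type numbers (1 Identity, 3 NAK, 13 EAP-TLS, 25 PEAP) are the standard IANA assignments, and the identities and identifiers are constructed sample data:

```python
import struct

# EAP header: Code(1) Identifier(1) Length(2); Request/Response add a Type octet.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1
EAP_TYPE_NAK = 3

def parse_eap(pkt: bytes) -> dict:
    """Parse an EAP packet with the checks a pass-through AP performs before
    forwarding: known Code, Length equal to the bytes actually received, and a
    Type octet present on Request/Response. Raises ValueError if malformed."""
    if len(pkt) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    if length != len(pkt):
        raise ValueError(f"length field {length} != {len(pkt)} bytes received")
    eap = {"code": EAP_CODES[code], "id": ident, "length": length}
    if code in (1, 2):
        if length < 5:
            raise ValueError("Request/Response without Type octet")
        eap["type"] = pkt[4]
        eap["data"] = pkt[5:]
    return eap

def match_response(request: bytes, response: bytes) -> bool:
    """True if `response` answers `request`: same Identifier, and the same
    Type unless the supplicant answered with a NAK (Type 3)."""
    req, rsp = parse_eap(request), parse_eap(response)
    if req["code"] != "Request" or rsp["code"] != "Response":
        return False
    if req["id"] != rsp["id"]:
        return False
    return rsp["type"] == req["type"] or rsp["type"] == EAP_TYPE_NAK

def build_eap(code: int, ident: int, eap_type=None, data: bytes = b"") -> bytes:
    """Build an EAP packet with a correct Length field."""
    body = (bytes([eap_type]) + data) if eap_type is not None else b""
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

# Constructed exchange in the shape of Figure 4-2: Identity Request/Response,
# an EAP-Type request the supplicant NAKs (proposing PEAP), then EAP Success.
IDENTITY_REQ = build_eap(1, 7, EAP_TYPE_IDENTITY)
IDENTITY_RSP = build_eap(2, 7, EAP_TYPE_IDENTITY, b"alice@example.com")
TYPE_REQ = build_eap(1, 8, 13)                        # authenticator offers EAP-TLS
NAK_RSP = build_eap(2, 8, EAP_TYPE_NAK, bytes([25]))  # supplicant NAKs, wants PEAP
SUCCESS = build_eap(3, 8)
```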