Руководство По Проектированию для Cisco Cisco Aironet 350 Mini-PCI Wireless LAN Client Adapter
4-6
Enterprise Mobility 4.1 Design Guide
OL-14435-01
Chapter 4 Cisco Unified Wireless Network Architecture—Base Security Features
802.1X
Authentication
Depending on the customer requirements, various authentication protocols such as PEAP, EAP-TLS, and
EAP-FAST can be used in secure wireless deployments. Regardless of the protocol, they all currently
use 802.1X, EAP, and RADIUS as their underlying transport. These protocols allow network access to
be controlled based on the successful authentication of the WLAN client, and just as importantly, allow
the WLAN network to be authenticated by the user.
EAP-FAST can be used in secure wireless deployments. Regardless of the protocol, they all currently
use 802.1X, EAP, and RADIUS as their underlying transport. These protocols allow network access to
be controlled based on the successful authentication of the WLAN client, and just as importantly, allow
the WLAN network to be authenticated by the user.
This solution also provides authorization through policies communicated through the RADIUS protocol,
as well as RADIUS accounting.
as well as RADIUS accounting.
EAP types used for performing authentication are described in more detail below. The primary factor
affecting the choice of EAP protocol is the authentication system (AAA) currently in use. Ideally, a
secure WLAN deployment should not require the introduction of a new authentication system, but rather
should leverage the authentication systems that are already in place.
affecting the choice of EAP protocol is the authentication system (AAA) currently in use. Ideally, a
secure WLAN deployment should not require the introduction of a new authentication system, but rather
should leverage the authentication systems that are already in place.
Supplicants
The client software used for WLAN authentication is called a supplicant, based on 802.1X terminology.
The Cisco Secure Services Client (CSSC) 4.1 is a supplicant that supports both wired and wireless
networks, and all the common EAP types. Supplicants may also be provided by the WLAN NIC
manufacturer, or can come integrated within an operating system; for example, Windows XP supports
PEAP MSCHAPv2 and EAP-TLS.
The Cisco Secure Services Client (CSSC) 4.1 is a supplicant that supports both wired and wireless
networks, and all the common EAP types. Supplicants may also be provided by the WLAN NIC
manufacturer, or can come integrated within an operating system; for example, Windows XP supports
PEAP MSCHAPv2 and EAP-TLS.
For more information on CSSC, see the following URL:
tp://www.cisco.com/en/US/products/ps7034/index.html
shows the logical location of the supplicant relative to the overall authentication architecture.
The role of the supplicant is to facilitate end-user authentication using EAP and 802.1X to an upstream
authenticator; in this case, the WLC. The authenticator forwards EAP messages received by the
supplicant and forwards them to an upstream AAA server using RADIUS.
authenticator; in this case, the WLC. The authenticator forwards EAP messages received by the
supplicant and forwards them to an upstream AAA server using RADIUS.
Figure 4-3
WLAN Client Supplicant
The various EAP supplicants that are available in the marketplace reflect the diversity of authentication
solutions available and customer preferences.
solutions available and customer preferences.
LWAPP
RADIUS
RADIUS
EAP
Supplicant
Encryption
WLAN Client
Authenticator
Enterprise Network
Wireless LAN
Controller
Access Point
LWAPP
Authentication
Server
AAA Server
802.1x
221275
LWAPP
RADIUS
RADIUS
EAP
yption
Authenticator
Enterprise Network
Wireless LAN
Controller
Access Point
LWAPP
LWAPP
n
Authe
entication
Server
AAA
A Server
802.1x
y