для Cisco Cisco Aironet 1524 Lightweight Outdoor Mesh Access Point
16
Mobile Access Router and Mesh Networks Design Guide
OL-11823-01
Security
encrypting it with a unicast key. The unicast key is used to exchange unicast data between the root device
and authenticated device, and the broadcast key is used to exchange multicast and broadcast data
between them.
and authenticated device, and the broadcast key is used to exchange multicast and broadcast data
between them.
When you enable EAP on your bridges, authentication to the network occurs in the sequence shown in
.
Figure 9
EAP Authentication
, a non-root bridge and a RADIUS server on the wired LAN use 802.1x
and EAP to perform a mutual authentication through the root device:
•
The RADIUS server sends an authentication challenge to the non-root bridge.
•
The non-root bridge uses a one-way encryption of the user-supplied password to generate a response
to the challenge and sends that response to the RADIUS server.
to the challenge and sends that response to the RADIUS server.
•
Using information from its user database, the RADIUS server creates its own response and compares
that to the response from the non-root bridge.
that to the response from the non-root bridge.
•
When the RADIUS server authenticates the non-root bridge, the process repeats in reverse, and the
non-root bridge authenticates the RADIUS server.
non-root bridge authenticates the RADIUS server.
•
When mutual authentication is complete, the RADIUS server and the non-root bridge determine a
session key that is unique to this session between the RADIUS server and non-root bridge and
provide the non-root bridge with the appropriate level of network access.
session key that is unique to this session between the RADIUS server and non-root bridge and
provide the non-root bridge with the appropriate level of network access.
•
The RADIUS server encrypts and transmits the session key over the wired LAN to the root device.
•
The root device and the non-root bridge derive the unicast key from the session key. The root device
generates the broadcast key and sends it to the non-root bridge after encrypting it with the unicast
key.
generates the broadcast key and sends it to the non-root bridge after encrypting it with the unicast
key.
191189
802.11
Switch on
LAN 1
Non-Root Bridge
with WEP key = 123
802.11
Switch on
LAN 1
Non-Root Bridge
with WEP key = 123
1. Authentication request
5. Authentication response
2. Identity request
(Relay to non-root bridge)
3. User name
(Relay to non-root bridge)
7. Authentication challenge
9. Authentication success
(Relay to non-root bridge)
(Relay to server)
4. Authentication challenge
(Relay to server)
6. Authentication success
(Relay to server)
9. (Relay to server)
8. Authentication response