Chapter 11: Wireless LAN – WLAN LANCOM Reference Manual LCOS 3.50
the possibility of installing a valid WEP key for the next session is more or less
a byproduct. Figure 2 shows the basic process of a session secured by EAP.
In the first phase, the client registers with the access point as usual and enters
the state in which, under normal WEP or WEPplus, it could now send and receive
over the access point. With EAP this is not yet the case, because in this state
the client still doesn't have a key to secure its data traffic from eavesdropping.
Instead, from the point of view of the access point, the client is in an
'intermediate state' in which only particular packets from the client are
forwarded, and these are directed only to an authentication server. These packets
implement EAP/802.1x as already mentioned, which can easily be distinguished from
other protocols by its Ethernet type 0x888e. The access point packages these
packets in RADIUS queries and sends them on to the authentication server.
The access point converts the replies coming from the RADIUS server back into
EAP packets and sends them back to the client.
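The filtering and repackaging described above, as an added example that is not taken from the LANCOM manual or from LCOS. It assumes the access point sees client frames as plain Ethernet II and carries EAP in the RADIUS EAP-Message attribute (type 79, RFC 3579); the function names and sample frames are constructed for illustration.

```python
import struct

ETH_P_PAE = 0x888E        # EtherType of EAP/802.1x (EAPOL), as named in the text
EAPOL_EAP_PACKET = 0      # EAPOL packet type that carries an EAP message
ATTR_EAP_MESSAGE = 79     # RADIUS EAP-Message attribute (RFC 3579)

def classify(frame, authorized):
    """Decide what the access point does with one frame from a client."""
    if len(frame) < 14:
        return "drop"
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == ETH_P_PAE:
        return "to_radius"            # allowed even in the intermediate state
    return "forward" if authorized else "drop"

def extract_eap(frame):
    """Return the EAP packet inside an EAPOL frame, or None if absent/malformed."""
    if len(frame) < 18:
        return None
    _version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]      # ignores Ethernet padding after the body
    if ptype != EAPOL_EAP_PACKET or len(body) != length or length < 4:
        return None
    (eap_len,) = struct.unpack("!H", body[2:4])   # EAP carries its own length
    return body[:eap_len] if 4 <= eap_len <= length else None

def eap_to_radius_attrs(eap):
    """Wrap EAP in EAP-Message attributes, at most 253 value bytes each."""
    # A real Access-Request also needs a header and a Message-Authenticator.
    chunks = [eap[i:i + 253] for i in range(0, len(eap), 253)]
    return b"".join(bytes([ATTR_EAP_MESSAGE, len(c) + 2]) + c for c in chunks)

def radius_attrs_to_eap(attrs):
    """Reassemble the EAP packet from the attribute bytes of a RADIUS reply."""
    eap, i = b"", 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed RADIUS attribute")
        atype, alen = attrs[i], attrs[i + 1]
        if atype == ATTR_EAP_MESSAGE:
            eap += attrs[i + 2:i + alen]
        i += alen
    return eap

# Constructed sample: EAP-Response/Identity "alice" from a hypothetical client MAC.
EAP = struct.pack("!BBHB", 2, 1, 10, 1) + b"alice"
EAPOL_FRAME = (bytes.fromhex("0180c2000003") + bytes.fromhex("020000000001")
               + struct.pack("!HBBH", ETH_P_PAE, 1, 0, len(EAP)) + EAP)
IP_FRAME = EAPOL_FRAME[:12] + struct.pack("!H", 0x0800) + b"\x45" + bytes(19)
```
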
Figure 2: Schematic process of a WLAN session with EAP/802.1x
[Diagram between client, access point and RADIUS server: WLAN registration, EAP/802.1x negotiation, sharing of master secret, session key, normal data traffic, new session key, more normal data traffic]