88
Performing Advanced Configuration
Authentication Process
There are three main components in the authentication process. The standard refers to them as:
1. supplicant (client PC)
2. authenticator (Access Point)
3. authentication server (RADIUS server)
When using Authentication Mode to 802.1x, WPA, Mixed mode (802.1x and WEP), or 802.11i, you need to configure
your RADIUS server for authentication purposes.
Prior to successful authentication, an unauthenticated client PC cannot send any data traffic through the AP device to
other systems on the LAN. The AP inhibits all data traffic from a particular client PC until the client PC is authenticated.
Regardless of its authentication status, a client PC can always exchange 802.1x messages in the clear with the AP
(the client begins encrypting data after it has been authenticated).
Figure 4-25 RADIUS Authentication Illustrated
The AP acts as a pass-through device to facilitate communications between the client PC and the RADIUS server. The
AP (2) and the client (1) exchange 802.1x messages using an EAPOL (EAP Over LAN) protocol (A). Messages sent
from the client station are encapsulated by the AP and transmitted to the RADIUS (3) server using EAP extensions (B).
Upon receiving a reply EAP packet from the RADIUS, the message is typically forwarded to the client, after translating
it back to the EAPOL format. Negotiations take place between the client and the RADIUS server. After the client has
been successfully authenticated, the client receives an Encryption Key from the AP (if the EAP type supports
automatic key distribution). The client uses this key to encrypt data after it has been authenticated.
For 802.11a and 802.11b/g clients that communicate with an AP, each client receives its own unique encryption key;
this is known as Per User Per Session Encryption Keys.
Wi-Fi Protected Access (WPA)
Wi-Fi Protected Access (WPA) is a security standard designed by the Wi-Fi Alliance in conjunction with the Institute of
Electrical and Electronics Engineers (IEEE). THE AP supports WPA2, based on the IEEE 802.11i security standard.
NOTE
For Dual-radio APs: WPA is available only for the AP-2000b/g and for APs using either an 802.11a or
802.11b/g Upgrade Kit. WPA is not available for APs with an 802.11b PC Card or a 5 GHz Upgrade Kit.
WPA is a replacement for Wired Equivalent Privacy (WEP), the encryption technique specified by the original 802.11
standard. WEP has several vulnerabilities that have been widely publicized. WPA addresses these weaknesses and
provides a stronger security system to protect wireless networks.
WPA provides the following new security measures not available with WEP:
• Improved packet encryption using the Temporal Key Integrity Protocol (TKIP) and the Michael Message Integrity
Check (MIC).
• Per-user, per-session dynamic encryption keys:
– Each client uses a different key to encrypt and decrypt unicast packets exchanged with the AP
– A client's key is different for every session; it changes each time the client associates with an AP
– The AP uses a single global key to encrypt broadcast packets that are sent to all clients simultaneously
– Encryption keys change periodically based on the Re-keying Interval parameter
– WPA uses 128-bit encryption keys