Introduction
AP-4131 Access Point Product Reference Guide 29
When the AP boots up it contacts the KSS to obtain KDC information. The AP
sends an Authentication Service Request (AS_REQ) to the KDC. The KDC
looks up the username (ESSID in the case of APs), the associated password,
and other authentication information including the current time stamp. If the
AP has provided the correct information the KDC responds with an
Authentication Service Response (AS_REP). These initial Kerberos messages
are used to obtain the client credentials and session key known as the Ticket
Granting Ticket. The AP verifies the information and is authenticated with the
KDC. After the AP validates the message, it turns on its RF services but does
not bridge data packets until the MU has been authenticated.
An MU is required to authenticate with the KDC before the AP allows any RF
bridging. The MU appears to associate but because it has not been
authenticated, the AP does not bridge any non-Kerberos authentication type
packets to the network. The AP acts as a conduit (the AP will proxy the MU
requests/replies to and from the KDC) passing AS_REQ, AS_REP, Ticket
Granting Service Request (TGS_REQ) and Ticket Granting Service Reply
(TGS_REP) between the clients and the KDC until authentication is successful.
Once a ticket is issued and the authentication process is completed, the AP
continues to bridge data with the MU even if the KDC/KSS are unavailable.
Once the ticket expires, the AP/MU stop passing Kerberos data if the
KDC/KSS are still unavailable to issue tickets.
The authentication process for an MU is similar to an AP authentication. The
difference being that the MU/client sends all requests through the AP with
one additional step. The additional step is sending the KDC a TGS_REQ for
RF services. The TGS_REQ message is encrypted with the encryption key that
the MU received during the first part of the authentication process. The ticket
the MU received in the AS_REP includes: the ESSID of the AP whose RF
services it wishes to access. The AP proxies (forwards) the MU request to the
KDC. The KDC verifies the request and responds with a TGS_REP sent to the
MU through the AP which proxies the reply to the MU. The AP proxy does not
read the MU TGS_REQ but replaces the header information with an IP
header (the AP IP address). Conversely, the AP replaces the TGS_REP header