Introduction
32 AP-4131 Access Point Product Reference Guide
1.3.12 KSS Databases
The KSS has two databases. One stores the valid access points (the AP setup account database); the other stores Kerberos account information (the Kerberos entry account database). The AP setup account database holds the validation information for an AP and uses the AP MAC address as its Primary Key. Each entry includes the range of time during which the AP is allowed access, together with status information. A Foreign Key in each AP setup account record is the Kerberos Principal for that AP; the KSS uses this Foreign Key as an index into the Kerberos entry account database to retrieve the rest of the AP’s Kerberos information. The Kerberos entry account database stores the Kerberos information specific to APs. It uses the Kerberos Principal (the AP’s ESSID) as its Primary Key, and each entry includes the other Kerberos network information an AP needs to authenticate with the KDC.
When an AP requests information from the KSS, the KSS first queries the AP setup account database to validate the AP. If the AP is valid, the KSS then queries its Kerberos entry account database for the AP’s Kerberos information, packages that information and sends it to the AP.
APs with the same ESSID share common Kerberos entry account information, since the ESSID is used as the AP’s Kerberos Principal.
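The two-database lookup described above, as an added Python model (example code written for this guide's text, not Symbol's KSS implementation). The record field names other than MAC address, Kerberos Principal, access period and status are assumptions, and every row is constructed sample data; the point it shows is the validation order (MAC lookup, status, time window, then the Foreign Key into the Kerberos entry database) and that two APs with the same ESSID get identical Kerberos entry data:

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable


@dataclass(frozen=True)
class ApSetupRecord:
    """One row of the AP setup account database (validation data for an AP)."""
    mac: str               # Primary Key: the AP's MAC address
    principal: str         # Foreign Key: the AP's Kerberos Principal (its ESSID)
    valid_from: datetime   # start of the period in which the AP is allowed access
    valid_to: datetime     # end of that period
    enabled: bool          # status information


@dataclass(frozen=True)
class KerberosEntryRecord:
    """One row of the Kerberos entry account database (shared by all APs on an ESSID)."""
    principal: str         # Primary Key: Kerberos Principal (ESSID)
    realm: str             # assumed field: the Kerberos realm the AP authenticates in
    kdc_address: str       # assumed field: where the AP reaches the KDC


class KssLookupError(Exception):
    pass


class KSS:
    def __init__(self, setup_rows: Iterable[ApSetupRecord],
                 entry_rows: Iterable[KerberosEntryRecord]):
        self.ap_setup = {r.mac.lower(): r for r in setup_rows}
        self.kerberos_entry = {r.principal: r for r in entry_rows}

    def lookup(self, mac: str, now: datetime) -> dict:
        """Validate the requesting AP, then follow its Foreign Key to the Kerberos data."""
        setup = self.ap_setup.get(mac.lower())
        if setup is None:
            raise KssLookupError(f"{mac}: not in AP setup account database")
        if not setup.enabled:
            raise KssLookupError(f"{mac}: AP is disabled")
        if not (setup.valid_from <= now <= setup.valid_to):
            raise KssLookupError(f"{mac}: outside permitted access period")
        entry = self.kerberos_entry.get(setup.principal)
        if entry is None:
            raise KssLookupError(f"{mac}: principal {setup.principal!r} has no Kerberos entry")
        # Package what the AP needs in order to authenticate with the KDC.
        return {"principal": entry.principal, "realm": entry.realm, "kdc": entry.kdc_address}


def build_sample_kss() -> KSS:
    """Constructed sample data: two APs share the ESSID 'warehouse'; a third AP is disabled."""
    window = (datetime(2003, 1, 1, tzinfo=timezone.utc),
              datetime(2003, 12, 31, tzinfo=timezone.utc))
    return KSS(
        setup_rows=[
            ApSetupRecord("00:a0:f8:00:00:01", "warehouse", *window, True),
            ApSetupRecord("00:a0:f8:00:00:02", "warehouse", *window, True),
            ApSetupRecord("00:a0:f8:00:00:03", "loading-dock", *window, False),
        ],
        entry_rows=[
            KerberosEntryRecord("warehouse", "EXAMPLE.REALM", "192.0.2.10"),
            KerberosEntryRecord("loading-dock", "EXAMPLE.REALM", "192.0.2.10"),
        ],
    )


def lookup_or_error(mac: str, when_iso: str) -> dict:
    """Run a lookup against the sample KSS; failures come back as {'error': ...}."""
    try:
        return build_sample_kss().lookup(mac, datetime.fromisoformat(when_iso))
    except KssLookupError as exc:
        return {"error": str(exc)}


if __name__ == "__main__":
    for mac in ("00:a0:f8:00:00:01", "00:a0:f8:00:00:02", "00:a0:f8:00:00:03"):
        print(mac, lookup_or_error(mac, "2003-06-01T12:00:00+00:00"))
```

Because the AP setup row is checked before the Foreign Key is followed, an AP that is disabled or outside its access period never reaches the Kerberos entry database, which is the behaviour the text attributes to the KSS.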
1.3.13 Roaming and Authentication
When an MU authenticates through the KDC, it specifies that it wants access to the AP with which it has associated. When the MU completes the full AS-REQ/AS-REP, TGT-REQ/TGT-REP and AP-REQ/AP-REP handshake sequence, it possesses a ticket and a session key (the WEP encryption key) for use in communicating with that AP. However, since the password and the username are the same for all APs, that ticket decrypts and validates with any AP.
When an MU roams, after it has associated with the new AP it sends that AP the same AP-REQ that it sent to the AP with which it first authenticated. The new AP decrypts the ticket and validates the authenticator in the AP-REQ message. It then sends an AP-REP containing a new session key back to the MU, and normal communication through the new AP can continue.
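The roaming exchange in sections 1.3.13 and the shared-principal property it relies on, as an added Python simulation (example code, not the AP-4131 firmware or a Kerberos library). The sealing routine is an illustrative SHA-256 counter-mode stream with an HMAC tag standing in for real Kerberos encryption types, the ESSID, password and MU name are constructed values, and the five-minute clock-skew window is an assumed check rather than something the guide states. It shows a KDC issuing one ticket, the MU sending the same AP-REQ to two APs that share an ESSID (both accept it and each returns a different new session key), and an AP under a different ESSID rejecting it because its key does not decrypt the ticket:

```python
import hashlib
import hmac
import json
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # SHA-256 in counter mode: an illustrative cipher, not a Kerberos encryption type.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a small JSON object under `key` (toy construction)."""
    nonce = os.urandom(12)
    plaintext = json.dumps(obj, sort_keys=True).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag and decrypt; raises ValueError when `key` is not the sealing key."""
    nonce, ciphertext, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or tampered message")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
    return json.loads(plaintext)


def ap_service_key(essid: str, password: str) -> bytes:
    # Every AP sharing an ESSID (its Kerberos Principal) and password derives the
    # same long-term key, which is why one ticket validates at all of them.
    return hashlib.sha256(f"{essid}:{password}".encode()).digest()


def kdc_issue_ticket(ap_key: bytes, mu_name: str, now: int, lifetime: int = 3600):
    """KDC side: a ticket sealed under the AP key, plus the session key handed to the MU."""
    session_key = os.urandom(16).hex()
    ticket = seal(ap_key, {"mu": mu_name, "skey": session_key, "exp": now + lifetime})
    return ticket, session_key


def mu_build_ap_req(ticket: bytes, session_key: str, mu_name: str, now: int) -> dict:
    """MU side: the ticket plus an authenticator sealed under the session key."""
    authenticator = seal(bytes.fromhex(session_key), {"mu": mu_name, "ts": now})
    return {"ticket": ticket, "authenticator": authenticator}


class AccessPoint:
    def __init__(self, name: str, essid: str, password: str, max_skew: int = 300):
        self.name = name
        self.key = ap_service_key(essid, password)
        self.max_skew = max_skew  # assumed clock-skew window for the authenticator

    def handle_ap_req(self, ap_req: dict, now: int):
        """Returns (AP-REP blob, new session key) or raises ValueError."""
        ticket = unseal(self.key, ap_req["ticket"])           # decrypt the ticket
        if now > ticket["exp"]:
            raise ValueError("ticket expired")
        session_key = bytes.fromhex(ticket["skey"])
        auth = unseal(session_key, ap_req["authenticator"])    # validate the authenticator
        if auth["mu"] != ticket["mu"]:
            raise ValueError("authenticator does not match ticket")
        if abs(now - auth["ts"]) > self.max_skew:
            raise ValueError("authenticator timestamp outside clock skew")
        new_session_key = os.urandom(16).hex()
        ap_rep = seal(session_key, {"ts": auth["ts"], "new_skey": new_session_key})
        return ap_rep, new_session_key


def roam_demo() -> dict:
    """Constructed scenario: one MU, two APs on one ESSID, one AP on another ESSID."""
    now = 1_054_468_800
    password = "example-ap-password"                      # constructed value
    ap1 = AccessPoint("ap1", "warehouse", password)
    ap2 = AccessPoint("ap2", "warehouse", password)
    ap3 = AccessPoint("ap3", "loading-dock", password)    # different Principal, different key
    ticket, skey = kdc_issue_ticket(ap_service_key("warehouse", password), "mu-17", now)
    ap_req = mu_build_ap_req(ticket, skey, "mu-17", now)  # built once, reused when roaming
    result = {}
    for ap, t in ((ap1, now), (ap2, now + 30), (ap3, now + 60)):
        try:
            ap_rep, new_key = ap.handle_ap_req(ap_req, t)
            # The MU recovers the new session key from the AP-REP with its session key.
            result[ap.name] = unseal(bytes.fromhex(skey), ap_rep)["new_skey"]
            assert result[ap.name] == new_key
        except ValueError as exc:
            result[ap.name] = f"rejected: {exc}"
    return result


if __name__ == "__main__":
    print(roam_demo())
```

Note that the reuse of the AP-REQ works in this model only while the authenticator's timestamp is still inside the receiving AP's skew window; that window and the per-ESSID key sharing together decide which APs will accept a roaming MU's existing ticket.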