Connectivity and Data Protection
The following describes interactions that take place within a general
802.1X/EAP framework.
1. The station sends an EAP-Start message to the access point. This initiates the process of EAP authentication.
2. The access point sends an access request on behalf of the client to the RADIUS server.
3. The access point replies with an EAP Request/Identity message.
4. The station sends an EAP Response/Identity message containing its credentials (such as username) to the access point. The form of the ID in this message depends on the EAP type in use, such as EAP-TLS, EAP-TTLS, EAP-PEAP, EAP-LEAP, or EAP-FAST. In a password-based EAP, the user's password is NOT part of this message.
5. The access point forwards the user's ID to the RADIUS server.
6. The RADIUS server responds with a challenge message, which the access point forwards to the station as an EAP message.
7. The station encrypts the challenge message using its password (or other credential) as a secret key and sends the resulting value back to the access point.
8. The access point forwards the encrypted challenge to the RADIUS server.
9. The RADIUS server uses the password (or other credential) that it has stored for the user to encrypt the same challenge message it sent to the station. If the resultant value and the value returned by the station match, the RADIUS server sends a success message to the access point.
10. The access point forwards the success message to the station.
11. The station now sends a challenge to the RADIUS server to authenticate the access point (the network), and proceeds through the reverse authentication process.
12. If the network is successfully authenticated, the station passes a success message through the access point to the RADIUS server, which opens a port. The user is now LIVE on the network.
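The following is an added, self-contained model of the twelve-step exchange above; it is example code written for this page, not code from the original text or from any 802.1X implementation. It assumes, as a constructed stand-in for "encrypting the challenge with the password as a secret key", an HMAC-SHA256 over the challenge keyed with the credential, and it models the reverse authentication of step 11 as the RADIUS server proving knowledge of the same credential. The user database, identities and passwords are constructed sample data. The point it makes beyond the prose: the identity message never carries the password, each challenge is fresh and consumed once, comparison is constant-time, and the access point opens the port only after both directions succeed.

```python
import hashlib
import hmac
import os


def challenge_response(credential: bytes, challenge: bytes) -> bytes:
    # Constructed stand-in for "encrypt the challenge using the password as a
    # secret key" (steps 7 and 9). Real EAP methods use their own mechanisms.
    return hmac.new(credential, challenge, hashlib.sha256).digest()


class RadiusServer:
    """Holds the user database and verifies challenge responses (steps 6, 9, 11)."""

    def __init__(self, users: dict):
        self.users = users    # identity -> stored credential (constructed sample data)
        self.pending = {}     # identity -> outstanding challenge, consumed on use

    def issue_challenge(self, identity: str):
        # Step 6: a fresh random challenge per access request; unknown user -> None.
        if identity not in self.users:
            return None
        self.pending[identity] = os.urandom(16)
        return self.pending[identity]

    def verify(self, identity: str, response: bytes) -> bool:
        # Step 9: recompute the expected value from the stored credential and
        # compare in constant time. Popping the challenge prevents replay.
        challenge = self.pending.pop(identity, None)
        if challenge is None:
            return False
        expected = challenge_response(self.users[identity], challenge)
        return hmac.compare_digest(expected, response)

    def answer_challenge(self, identity: str, challenge: bytes) -> bytes:
        # Step 11 (reverse direction): prove knowledge of the same credential.
        return challenge_response(self.users[identity], challenge)


class Station:
    def __init__(self, identity: str, credential: bytes):
        self.identity = identity
        self.credential = credential
        self.network_challenge = None

    def respond(self, challenge: bytes) -> bytes:
        return challenge_response(self.credential, challenge)          # step 7

    def challenge_network(self) -> bytes:
        self.network_challenge = os.urandom(16)                        # step 11
        return self.network_challenge

    def verify_network(self, response: bytes) -> bool:
        expected = challenge_response(self.credential, self.network_challenge)
        return hmac.compare_digest(expected, response)


class AccessPoint:
    """Relays EAP between station and RADIUS; opens the port only at step 12."""

    def __init__(self, radius: RadiusServer):
        self.radius = radius
        self.open_ports = set()


def run_eap(station: Station, ap: AccessPoint, log: list) -> bool:
    """Drive the exchange; returns True only when the port has been opened."""
    log.append("station -> ap: EAP-Start")                                      # step 1
    log.append("ap -> station: EAP-Request/Identity")                           # step 3
    log.append(f"station -> ap: EAP-Response/Identity {station.identity}")      # step 4, no password
    log.append(f"ap -> radius: Access-Request for {station.identity}")          # steps 2/5
    challenge = ap.radius.issue_challenge(station.identity)
    if challenge is None:
        log.append("radius -> ap -> station: EAP-Failure (unknown identity)")
        return False
    log.append("radius -> ap -> station: EAP-Request (challenge)")              # step 6
    response = station.respond(challenge)
    log.append("station -> ap -> radius: EAP-Response (encrypted challenge)")   # steps 7/8
    if not ap.radius.verify(station.identity, response):
        log.append("radius -> ap -> station: EAP-Failure (mismatch)")           # step 9
        return False
    log.append("radius -> ap -> station: EAP-Success")                          # steps 9/10
    net_challenge = station.challenge_network()                                  # step 11
    net_response = ap.radius.answer_challenge(station.identity, net_challenge)
    if not station.verify_network(net_response):
        log.append("station: network authentication failed, port stays closed")
        return False
    ap.open_ports.add(station.identity)                                         # step 12
    log.append(f"ap: port opened for {station.identity}")
    return True


if __name__ == "__main__":
    radius = RadiusServer({"alice": b"correct-horse-battery-staple"})  # constructed user
    ap = AccessPoint(radius)
    trace = []
    print("authenticated:", run_eap(Station("alice", b"correct-horse-battery-staple"), ap, trace))
    print("\n".join(trace))
```

Running it with the right credential prints a trace of the messages and opens the port; with a wrong credential the exchange stops at step 9 with an EAP-Failure and the port set stays empty. Because the server pops the challenge before comparing, a second presentation of an old response has no challenge to match against and is rejected.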