Intel 3945ABG User Manual

There are different 802.1x authentication types. Each provides a different approach to authentication, but all employ the same 802.1x protocol and framework for communication between a client and an access point. In most protocols, upon the completion of the 802.1x authentication process, the supplicant receives a key that it uses for data encryption. Refer to How 802.1x authentication works for more information. With 802.1x authentication, an authentication method is used between the client and a Remote Authentication Dial-In User Service (RADIUS) server connected to the access point. The authentication process uses credentials, such as a user's password, that are not transmitted over the wireless network. Most 802.1x types support dynamic per-user, per-session keys to strengthen the static key security. 802.1x benefits from the use of an existing authentication protocol known as the Extensible Authentication Protocol (EAP).

802.1x authentication for wireless LANs has three main components:

The authenticator (the access point)

The supplicant (the client software)

The authentication server (a Remote Authentication Dial-In User Service server [RADIUS])

802.1x authentication security initiates an authorization request from the wireless client to the access point, which authenticates the client to an Extensible Authentication Protocol (EAP) compliant RADIUS server. This RADIUS server may authenticate either the user (via passwords or certificates) or the system (by MAC address). In theory, the wireless client is not allowed to join the networks until the transaction is complete.
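The relay step described above, as an added example that is not part of the original manual: the supplicant's EAP-Response/Identity is wrapped by the access point in a RADIUS Access-Request, and the server checks the Message-Authenticator before it reads the EAP data. Packet layouts follow RFC 2865, RFC 3579 and RFC 3748; the function names are hypothetical, and the shared secret and identity are supplied by the caller.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1                                # RADIUS code (RFC 2865)
USER_NAME, EAP_MESSAGE, MESSAGE_AUTH = 1, 79, 80  # attribute types (RFC 2865/3579)
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1            # EAP code and type (RFC 3748)

def eap_identity_response(eap_id, identity):
    """EAP-Response/Identity as the supplicant sends it to the access point."""
    body = bytes([EAP_TYPE_IDENTITY]) + identity
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(body)) + body

def attr(attr_type, value):
    return bytes([attr_type, 2 + len(value)]) + value   # value must be <= 253 bytes

def build_access_request(radius_id, secret, identity, eap):
    """What the access point relays to the RADIUS server for that EAP packet."""
    attrs = attr(USER_NAME, identity) + attr(EAP_MESSAGE, eap)
    attrs += attr(MESSAGE_AUTH, bytes(16))        # zero placeholder, kept last here
    header = struct.pack("!BBH", ACCESS_REQUEST, radius_id, 20 + len(attrs))
    packet = header + os.urandom(16) + attrs      # 16-byte Request Authenticator
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac                     # fill in the placeholder

def verify_and_extract_eap(packet, secret):
    """Server side: check Message-Authenticator, return the EAP packet or None."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if not 20 <= length <= len(packet):
        return None
    pos, eap, mac, zeroed = 20, b"", None, bytearray(packet[:length])
    while pos + 2 <= length:
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            return None                           # malformed attribute
        if a_type == EAP_MESSAGE:
            eap += packet[pos + 2:pos + a_len]    # long EAP packets span attributes
        elif a_type == MESSAGE_AUTH and a_len == 18:
            mac = packet[pos + 2:pos + 18]
            zeroed[pos + 2:pos + 18] = bytes(16)  # HMAC is computed over zeros here
        pos += a_len
    if mac is None:
        return None                               # RFC 3579: required with EAP-Message
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return eap if hmac.compare_digest(mac, expected) else None
```

A request whose Message-Authenticator is missing or does not match the shared secret yields `None`, so the EAP payload is never handed to the authentication method.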

There are several authentication algorithms used for 802.1x. Some examples are: EAP-TLS, EAP-TTLS, and Protected EAP (PEAP). These are all methods for the wireless client to identify itself to the RADIUS server. With RADIUS authentication, user identities are checked against databases. RADIUS constitutes a set of standards addressing Authentication, Authorization and Accounting (AAA). RADIUS includes a proxy process to validate clients in a multi-server environment. The IEEE 802.1x standard is for controlling and authenticating access to port-based 802.11 wireless and wired Ethernet networks. Port-based network access control is similar to a switched local area network (LAN) infrastructure that authenticates devices that are attached to a LAN port and prevents access to that port if the authentication process fails.

What is RADIUS?

RADIUS is the Remote Access Dial-In User Service, an Authorization, Authentication, and Accounting (AAA) client-server protocol, which is used when a AAA dial-up client logs in or out of a Network Access Server. Typically, a RADIUS server is used by Internet Service Providers (ISP) to perform AAA tasks. AAA phases are described as follows:

Authentication phase: Verifies a user name and password against a local database. After the credentials are verified, the authorization process begins.

Authorization phase: Determines whether a request is allowed access to a resource.