RADIUS Operation – Rockwell Automation 1783-WAPxxx Stratix 5100 Wireless Access Point User Manual


Rockwell Automation Publication 1783-UM006A-EN-P - May 2014


Chapter 14: Configuring RADIUS and TACACS+ Servers

RADIUS Operation

When a wireless user attempts to log in and authenticate to an access point whose
access is controlled by a RADIUS server, authentication to the network occurs in
the steps shown in Figure 109.

Figure 109 - Sequence for EAP Authentication

In Steps 1…9, a wireless client device and a RADIUS server on the wired LAN
use 802.1X and EAP to perform a mutual authentication through the access
point, which relays the EAP messages but does not itself check the credentials.
The RADIUS server sends an authentication challenge to the client. The client
uses a one-way hash of the user-supplied password to generate a response to the
challenge and sends that response to the RADIUS server; the password itself is
never transmitted.

By using information from its user database, the RADIUS server computes its own
response and compares it with the response from the client. Once the RADIUS
server has authenticated the client, the process repeats in reverse and the
client authenticates the RADIUS server. This second half is what prevents a
rogue access point or RADIUS server from accepting the client and then handing
it keys of the attacker's choosing.
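The nine-step exchange above, as an added Python model; this is not code from the Rockwell manual or from the access point's firmware. The manual does not name the EAP method this access point uses, so the hash (SHA-256), the HMAC-based challenge response and the direction label are assumptions chosen for illustration, and the user database and credentials are constructed. What the model shows beyond the prose: the access point only forwards messages and never holds the password or its hash, the server compares responses in constant time, and a failed step 6 ends the exchange before the client ever challenges the server.

```python
"""Schematic model of the nine-step EAP exchange in Figure 109 (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def password_hash(password: str) -> bytes:
    """One-way hash of the user password; both client and server hold this,
    and the password itself never crosses the air."""
    return hashlib.sha256(password.encode()).digest()


def challenge_response(pw_hash: bytes, challenge: bytes, direction: bytes) -> bytes:
    """Response to a challenge. The direction label keeps a client->server
    response from being replayed as a server->client one (assumed construction)."""
    return hmac.new(pw_hash, direction + challenge, hashlib.sha256).digest()


# Constructed user database (assumption): username -> stored one-way hash.
USER_DB = {"plc-operator": password_hash("correct horse battery")}


@dataclass
class RadiusServer:
    user_db: dict
    pending: dict = field(default_factory=dict)  # username -> outstanding challenge

    def challenge(self, username: str) -> bytes:
        # Step 4: fresh random challenge per attempt. Unknown users get one
        # too, so the reply does not reveal whether the account exists.
        self.pending[username] = os.urandom(16)
        return self.pending[username]

    def verify_client(self, username: str, response: bytes) -> bool:
        # Step 6: recompute the expected response from the stored hash and
        # compare in constant time.
        stored = self.user_db.get(username)
        chal = self.pending.pop(username, None)
        if stored is None or chal is None:
            return False
        return hmac.compare_digest(challenge_response(stored, chal, b"client"), response)

    def answer_client(self, username: str, challenge: bytes):
        # Step 8: prove knowledge of the same hash in the other direction.
        stored = self.user_db.get(username)
        return None if stored is None else challenge_response(stored, challenge, b"server")


@dataclass
class Client:
    username: str
    pw_hash: bytes
    my_challenge: bytes = b""

    def respond(self, challenge: bytes) -> bytes:          # Step 5
        return challenge_response(self.pw_hash, challenge, b"client")

    def challenge_server(self) -> bytes:                   # Step 7
        self.my_challenge = os.urandom(16)
        return self.my_challenge

    def verify_server(self, response) -> bool:             # Step 9
        if response is None:
            return False
        expected = challenge_response(self.pw_hash, self.my_challenge, b"server")
        return hmac.compare_digest(expected, response)


@dataclass
class AccessPoint:
    """Relays EAP between client and RADIUS server; it holds no user
    credentials and learns only the outcome."""
    server: RadiusServer
    transcript: list = field(default_factory=list)

    def relay(self, step: int, msg):
        self.transcript.append((step, msg))
        return msg

    def authenticate(self, client: Client) -> bool:
        self.relay(1, "authentication request")            # client -> AP
        self.relay(2, "identity request")                  # AP -> client
        user = self.relay(3, client.username)              # -> server
        chal = self.relay(4, self.server.challenge(user))  # -> client
        resp = self.relay(5, client.respond(chal))         # -> server
        if not self.server.verify_client(user, resp):
            self.relay(6, "authentication failure")        # -> client; stop here
            return False
        self.relay(6, "authentication success")            # -> client
        chal2 = self.relay(7, client.challenge_server())   # -> server
        resp2 = self.relay(8, self.server.answer_client(user, chal2))  # -> client
        ok = client.verify_server(resp2)
        self.relay(9, "successful authentication" if ok else "server authentication failed")
        return ok


def run(username: str, password: str, user_db=USER_DB):
    """Run one login; returns (authenticated, access point transcript)."""
    ap = AccessPoint(RadiusServer(user_db))
    ok = ap.authenticate(Client(username, password_hash(password)))
    return ok, ap.transcript
```

A server that holds a different hash (a rogue RADIUS server guessing the password) fails at step 6 in this model; a server that accepted blindly would still be caught at step 9, because it cannot produce the server-direction response without the hash.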

When mutual authentication is complete, the RADIUS server and the client
derive a WEP key that is unique to the client and grants the client the
appropriate level of network access. This approximates the isolation of a
switched wired segment serving a single desktop: other wireless clients do not
share the key and so cannot read this client's unicast traffic. The client loads
this key and prepares to use it for the logon session. Note that WEP itself,
even with per-client keys, is cryptographically broken; the same 802.1X/EAP
exchange is what supplies the pairwise master key in WPA2-Enterprise, which is
the mode to prefer where the access point and clients support it.

Once authentication succeeds, the RADIUS server encrypts the WEP key, called a
session key, under the shared secret configured between the access point and
the RADIUS server, and sends it over the wired LAN to the access point. The
access point encrypts its broadcast key with the session key and sends the
encrypted broadcast key to the client, which uses the session key to decrypt
it. The client and access point then activate WEP and use the session and
broadcast WEP keys for all communication during the remainder of the session.
Because the RADIUS shared secret is all that protects the session key on the
wired path, it must be long and random, and the segment between the access
point and the RADIUS server should not be reachable by untrusted hosts.
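The key-distribution hops just described, as an added Python model; this is not code from the manual or from the access point's firmware. The manual does not say how the per-client WEP key is derived or in which RADIUS attribute it travels, so this example assumes an HMAC derivation from the password hash and both challenges, wraps the key for the access point the way RFC 2548 MS-MPPE-Recv-Key does (MD5 keystream from the RADIUS shared secret and the Request-Authenticator), and wraps the broadcast key for the client the way the IEEE 802.1X-2001 RC4 EAPOL-Key descriptor does (RC4 keyed with IV||session key, first 256 keystream bytes discarded, HMAC-MD5 signature; the other EAPOL-Key fields are omitted). RC4 and MD5 appear for fidelity to WEP-era equipment, not as a recommendation. All keys, secrets and challenges are constructed.

```python
"""Key distribution after mutual EAP authentication (added model)."""
import hashlib
import hmac
import os


def derive_session_key(pw_hash: bytes, server_chal: bytes, client_chal: bytes) -> bytes:
    """Per-client session key (assumed derivation): bound to the password hash
    and both challenges, so it differs for every client and every login.
    13 bytes is a 104-bit WEP key."""
    mat = hmac.new(pw_hash, b"session-key" + server_chal + client_chal, hashlib.sha256).digest()
    return mat[:13]


def mppe_key_encrypt(secret: bytes, req_auth: bytes, key: bytes) -> bytes:
    """RFC 2548 MS-MPPE key encryption, RADIUS server -> access point.
    Keystream block i is MD5(secret || previous ciphertext block); the first
    block uses the Request-Authenticator and a 2-byte salt with its top bit set."""
    salt = bytes([0x80 | os.urandom(1)[0], os.urandom(1)[0]])
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)          # pad to 16-byte blocks
    out, prev = b"", req_auth + salt
    for i in range(0, len(plain), 16):
        block = hashlib.md5(secret + prev).digest()
        c = bytes(p ^ b for p, b in zip(plain[i:i + 16], block))
        out, prev = out + c, c
    return salt + out


def mppe_key_decrypt(secret: bytes, req_auth: bytes, blob: bytes) -> bytes:
    """Access point side of RFC 2548: needs only the RADIUS shared secret."""
    salt, data = blob[:2], blob[2:]
    plain, prev = b"", req_auth + salt
    for i in range(0, len(data), 16):
        block = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ b for c, b in zip(data[i:i + 16], block))
        prev = data[i:i + 16]
    return plain[1:1 + plain[0]]


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (the WEP cipher); included because the EAPOL-Key descriptor
    of that era uses it, not because it is safe to deploy."""
    S, j = list(range(256)), 0
    for i in range(256):                            # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:                               # keystream generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wrap_broadcast_key(session_key: bytes, broadcast_key: bytes) -> bytes:
    """Access point -> client: broadcast key under the session key, after the
    802.1X-2001 RC4 EAPOL-Key descriptor (IV || session key as RC4 key, first
    256 keystream bytes discarded, HMAC-MD5 signature). Frame = IV||ct||sig."""
    iv = os.urandom(16)
    ct = rc4(iv + session_key, b"\x00" * 256 + broadcast_key)[256:]
    sig = hmac.new(session_key, iv + ct, hashlib.md5).digest()
    return iv + ct + sig


def unwrap_broadcast_key(session_key: bytes, frame: bytes) -> bytes:
    """Client side: check the signature before using the decrypted key."""
    iv, ct, sig = frame[:16], frame[16:-16], frame[-16:]
    expected = hmac.new(session_key, iv + ct, hashlib.md5).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("EAPOL-Key signature mismatch")
    return rc4(iv + session_key, b"\x00" * 256 + ct)[256:]


def distribute_keys(pw_hash, server_chal, client_chal, radius_secret, broadcast_key):
    """Walk the three hops: the server derives and wraps the session key for the
    access point; the access point unwraps it and wraps its broadcast key for
    the client; the client, which derived the same session key itself, unwraps.
    Returns (server session key, access point's copy, client's broadcast key)."""
    session_key = derive_session_key(pw_hash, server_chal, client_chal)  # RADIUS server
    req_auth = os.urandom(16)          # Request-Authenticator of the Access-Request
    on_wire = mppe_key_encrypt(radius_secret, req_auth, session_key)
    ap_key = mppe_key_decrypt(radius_secret, req_auth, on_wire)          # access point
    eapol_key = wrap_broadcast_key(ap_key, broadcast_key)
    client_key = derive_session_key(pw_hash, server_chal, client_chal)   # client
    return session_key, ap_key, unwrap_broadcast_key(client_key, eapol_key)


def tampered_frame_rejected(session_key: bytes, broadcast_key: bytes) -> bool:
    """Flip one ciphertext bit of an EAPOL-Key frame; the signature must catch it."""
    frame = bytearray(wrap_broadcast_key(session_key, broadcast_key))
    frame[16] ^= 0x01
    try:
        unwrap_broadcast_key(session_key, bytes(frame))
    except ValueError:
        return True
    return False
```

The point to take from the model is where each secret lives: the access point never sees the password hash and the client never sees the RADIUS shared secret, so the session key reaches the access point only under the RADIUS secret and the broadcast key reaches the client only under the session key.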

[Figure 109 (diagram): Client device <-> Access point or bridge <-> (wired LAN) RADIUS server. Numbered messages, each forwarded by the access point toward the other end:
1. Authentication request
2. Identity request
3. Username (relay to server)
4. Authentication challenge (relay to client)
5. Authentication response (relay to server)
6. Authentication success (relay to client)
7. Authentication challenge (relay to server)
8. Authentication response (relay to client)
9. Successful authentication (relay to server)]