Remote Authentication Dial-In User Service (RADIUS) server connected to the access
point. The authentication process uses credentials, such as a user's password, that are
not transmitted over the wireless network. Most 802.1x types support dynamic per-user,
per-session keys to strengthen the static key security. 802.1x benefits from the use of an
existing authentication protocol known as the Extensible Authentication Protocol (EAP).
802.1x authentication for wireless LANs has three main components: the authenticator
(the access point), the supplicant (the client software), and the authentication server (a
Remote Authentication Dial-In User Service (RADIUS) server). 802.1x authentication
security initiates an authorization request from the WLAN client to the access point,
which authenticates the client to an Extensible Authentication Protocol (EAP) compliant
RADIUS server. This RADIUS server may authenticate either the user (via passwords or
certificates) or the system (by MAC address). In theory, the wireless client is not allowed
to join the network until the transaction is complete. There are several authentication
algorithms used for 802.1x: MD5-Challenge, EAP-TLS, EAP-TTLS, Protected EAP
(PEAP), and EAP Cisco Wireless Light Extensible Authentication Protocol (LEAP). These
are all methods for the WLAN client to identify itself to the RADIUS server. With RADIUS
authentication, users' identities are checked against databases. RADIUS constitutes a set
of standards addressing Authentication, Authorization and Accounting (AAA). RADIUS
includes a proxy process to validate clients in a multi-server environment. The IEEE
802.1x standard is for controlling and authenticating access to port-based 802.11
wireless and wired Ethernet networks. Port-based network access control is similar to a
switched local area network (LAN) infrastructure that authenticates devices that are
attached to a LAN port and prevents access to that port if the authentication process fails.
How 802.1x authentication works
A simplified description of the 802.1x authentication is:
1. A client sends a "request to access" message to an access point. The access point
requests the identity of the client.
2. The client replies with its identity packet which is passed along to the
authentication server.
3. The authentication server sends an "accept" packet to the access point.
4. The access point places the client port in the authorized state and data traffic is
allowed to proceed.
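The four steps above, as an added Python example that is not part of the original document: it builds the EAPOL and EAP frames exchanged between supplicant and authenticator and shows the port blocking data until the server accepts. The names `Authenticator` and `run_exchange`, the identities, and the in-memory set standing in for the RADIUS server's database are assumptions; as in the simplified description, the accept decision here follows the identity alone, whereas a real server first runs an EAP method such as EAP-TLS or PEAP.

```python
import struct
# EAP codes and Identity type (RFC 3748); EAPOL packet types (IEEE 802.1X).
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1
EAPOL_EAP_PACKET, EAPOL_START = 0, 1

def eap(code, ident, type_=None, data=b""):
    """EAP packet: code, identifier, total length, then optional type and data."""
    body = b"" if type_ is None else bytes([type_]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def eapol(ptype, body=b"", version=2):
    """EAPOL frame: protocol version, packet type, body length, body."""
    return struct.pack("!BBH", version, ptype, len(body)) + body

def parse_eapol(frame):
    _version, ptype, length = struct.unpack("!BBH", frame[:4])  # raises on a short header
    if len(frame) - 4 < length:
        raise ValueError("truncated EAPOL body")
    return ptype, frame[4:4 + length]

class Authenticator:  # access point; port stays unauthorized until the server accepts
    def __init__(self, known_identities):
        self.known = known_identities   # constructed stand-in for the RADIUS database
        self.authorized = False
        self.eap_id = 1

    def handle(self, frame):
        ptype, body = parse_eapol(frame)
        if ptype == EAPOL_START:        # step 1: client asks, AP requests identity
            return eapol(EAPOL_EAP_PACKET, eap(EAP_REQUEST, self.eap_id, EAP_TYPE_IDENTITY))
        if ptype != EAPOL_EAP_PACKET or len(body) < 5:
            return None                 # not an EAP response we can use
        code, ident, length, etype = struct.unpack("!BBHB", body[:5])
        if (code, ident, etype) != (EAP_RESPONSE, self.eap_id, EAP_TYPE_IDENTITY) or length != len(body):
            return None                 # wrong code, stale identifier or bad length
        # Step 2: identity is passed to the server (EAP method exchange omitted here).
        accept = body[5:].decode("utf-8", "replace") in self.known   # step 3
        self.authorized = accept        # step 4: port opens only on accept
        return eapol(EAPOL_EAP_PACKET, eap(EAP_SUCCESS if accept else EAP_FAILURE, ident))
    def forward_data(self, payload):
        return payload if self.authorized else None   # controlled port

def run_exchange(identity, known_identities):
    ap = Authenticator(known_identities)
    blocked_before = ap.forward_data(b"data") is None
    req_id = parse_eapol(ap.handle(eapol(EAPOL_START)))[1][1]
    reply = ap.handle(eapol(EAPOL_EAP_PACKET, eap(EAP_RESPONSE, req_id, EAP_TYPE_IDENTITY, identity.encode())))
    return blocked_before, parse_eapol(reply)[1][0], ap.forward_data(b"data")
```

`run_exchange` returns whether data was blocked before authentication, the final EAP code (3 for Success, 4 for Failure), and what the port forwards afterwards.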
What is a RADIUS?