
Wednesday

THE LEAP AUTHENTICATION PROCESS

The Cisco LEAP authentication and key exchange process occurs in three phases.

The Start Phase
In the start phase, the supplicant begins the authentication by issuing an EAPOL-Start
message to the authenticator. The authenticator responds to the supplicant with
an EAP-Request/Identity message. The supplicant responds with an EAP-Response/Identity
message that delivers its identity to the authenticator.


Figure 2 – The Start Phase. The supplicant (client) sends an EAPOL-Start message. The authenticator responds with an EAP-Request/Identity message. Finally, the supplicant responds with an EAP-Response/Identity message which contains the identity of the user.

The Authenticate Phase
The Cisco LEAP authentication is a mutual authentication method. The
Authenticator (Access Point) relays EAP messages to the authentication server
using a RADIUS Access-Request message with EAP attributes. The Authentication
Server responds with a RADIUS Access-Challenge message. The Authenticator
relays this message to the Supplicant as an EAP-Request. Next, the supplicant
responds with an EAP-Response message that is forwarded to the Authentication
Server as a RADIUS message with EAP attributes.



Figure 3 – The Authenticate Phase. The authenticator sends a RADIUS Access-Request
message. The AAA server issues a challenge that is carried via EAP to the supplicant. The
supplicant responds and the authenticator issues another RADIUS access request.

The Finish Phase
If the user is not valid, the Authentication Server sends a RADIUS Deny packet with
an EAP fail message. If the user is valid, the Authentication Server sends a
RADIUS Access-Accept packet with an EAP success attribute. The RADIUS Access-Accept
message carries the MS-MPPE-Send-Key attribute to the Authenticator.
The Authentication Server and the Supplicant are each able to derive a key from the
user’s password. The key derivation technique creates a longer key than will be used
for the session. Upon receipt of the key from the Authentication Server, the
Authenticator transmits an EAPOL-Key message to the Supplicant. This message carries
a key index and key length that the supplicant uses to calculate the session key to
be used.


Figure 4 – The Finish Phase. After the AAA server issues a RADIUS Access-Accept message,
the authenticator can send an EAP-Accept message along with a key index and length.
At this point, the Supplicant and Authenticator have a common session key that can
be used for the duration of the session.
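The three phases above, modelled end to end as an added example (not code from the original post or from Cisco): a supplicant, an authenticator that relays EAP inside RADIUS, and an AAA server that either rejects or returns a key and triggers the EAPOL-Key message. The challenge/response and key-derivation functions are constructed placeholders, not LEAP's real MS-CHAP-style computations; the message labels follow the text.

```python
import hashlib
import hmac
import os

# Constructed model of the LEAP start, authenticate and finish phases.
# respond() and derive_long_key() are placeholders (HMAC-SHA256 over the
# password); real LEAP uses an MS-CHAP-style exchange that is not reproduced here.

def respond(password: bytes, challenge: bytes) -> bytes:
    """Placeholder response: computable by anyone holding the password."""
    return hmac.new(password, challenge, hashlib.sha256).digest()

def derive_long_key(password: bytes, challenge: bytes) -> bytes:
    """Placeholder derivation: 32 bytes, deliberately longer than the session key."""
    return hmac.new(password, b"key" + challenge, hashlib.sha256).digest()

def run_leap(username: str, password: bytes, user_db: dict, key_len: int = 16):
    """Drive all three parties; return (transcript, session keys or None)."""
    log = []
    def send(src, dst, msg):
        log.append((src, dst, msg))
    # Start phase: EAPOL-Start, Request/Identity, Response/Identity.
    send("supplicant", "authenticator", "EAPOL-Start")
    send("authenticator", "supplicant", "EAP-Request/Identity")
    send("supplicant", "authenticator", f"EAP-Response/Identity:{username}")
    # Authenticate phase: the authenticator only relays EAP in RADIUS attributes.
    send("authenticator", "server", "Access-Request[EAP-Message=Response/Identity]")
    challenge = os.urandom(8)                      # server-chosen challenge
    send("server", "authenticator", "Access-Challenge[EAP-Message=Request(challenge)]")
    send("authenticator", "supplicant", "EAP-Request(challenge)")
    resp = respond(password, challenge)            # computed from the user's password
    send("supplicant", "authenticator", "EAP-Response(response)")
    send("authenticator", "server", "Access-Request[EAP-Message=Response(response)]")
    # Finish phase: the server validates the response against its stored credential.
    stored = user_db.get(username)
    if stored is None or not hmac.compare_digest(resp, respond(stored, challenge)):
        send("server", "authenticator", "Access-Reject[EAP-Message=Failure]")
        send("authenticator", "supplicant", "EAP-Failure")
        return log, None
    server_key = derive_long_key(stored, challenge)
    # MS-MPPE-Send-Key carries the key to the authenticator (RADIUS-secret protected).
    send("server", "authenticator", "Access-Accept[EAP-Message=Success, MS-MPPE-Send-Key]")
    send("authenticator", "supplicant", "EAP-Success")
    # EAPOL-Key tells the supplicant which key (index) and how much of it (length) to use.
    send("authenticator", "supplicant", f"EAPOL-Key[index=0, length={key_len}]")
    supplicant_key = derive_long_key(password, challenge)[:key_len]
    return log, {"supplicant": supplicant_key, "authenticator": server_key[:key_len]}
```

Both sides truncate the same long key to the length announced in EAPOL-Key, which is why the supplicant never needs the key itself sent over the air.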
