At 03:21 AM 22/03/02, Alan DeKok wrote:
>"Derek M. Harkness" <[EMAIL PROTECTED]> wrote:
> > Okay so if I'm following this correctly and from my understanding of RFC
> > 2869, EAP doesn't simply "encrypt" or wrap the normal radius process.
> > With that said where does the authentication information come from?
>
> From EAP magic. It just gets transported in a RADIUS packet.
>
> EAP *replaces* the normal username/password authentication.
I've just studied this with Cisco and I can steal a clear explanation from the notes.

To make it clear for everyone, the supplicant is the software on the client (machine with the wireless card). The EAP process doesn't start until the client has associated with the Access Point using Open authentication. If this process isn't crystal clear you need to go away and gain understanding.

Once the association is made the AP blocks all traffic that is not 802.1x, so although associated, the connection only has value for EAP. Any EAP traffic is passed to the radius server and any radius traffic is passed back to the client.

So, after the client has associated to the Access Point, the supplicant starts the process for using EAP over LAN by asking the user for their logon and password. Using 802.1x and EAP the supplicant sends the username and a one-way hash of the password to the AP. The AP encapsulates the request and sends it to the RADIUS server. The radius server needs a plaintext password so that it can perform the same one-way hash to determine that the password is correct. If it is, the radius server issues an access challenge which goes back via the AP to the client. (My study guide says client but my brain says 'supplicant'.)

The client sends the EAP response to the challenge via the AP to the RADIUS server. If the response is valid the RADIUS server sends a success message and the session WEP key (EAP over wireless) to the client via the AP. The same session WEP key is also sent to the AP in the success packet. The client and the AP then begin using session WEP keys.

The WEP key used for multicasts is then sent from the AP to the client. It is encrypted using the session WEP key.

-- 
John Lindsay - Engineering Services Manager
Internode Professional Access
ph +61 8 8223 2999 fx +61 8 8223 1777
31 York St Adelaide, PO BOX 284 Rundle Mall SA 5000

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
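The flow John describes (open association, AP blocking everything but 802.1x, hash at the identity step, challenge/response through the AP, session key in the success packet, multicast key encrypted under it) as a runnable toy model. This is an added example, not FreeRADIUS code and not the real LEAP or EAP-MD5 wire format: the password hash, the challenge response and the session-key derivation are HMAC-SHA256 stand-ins, "WEP" is replaced by a one-block XOR keystream, and the user database, station address and password are constructed. What it does show faithfully is why the RADIUS server has to hold the cleartext password (it must redo the supplicant's one-way hash itself) and that data frames are dropped until RADIUS has said success.

```python
"""Toy model of the 802.1X/EAP exchange described in the post (constructed example)."""
import hashlib
import hmac
import secrets


def pw_hash(password: str) -> bytes:
    """One-way hash of the password; the supplicant never sends the cleartext."""
    return hashlib.sha256(password.encode()).digest()


def challenge_response(pwhash: bytes, challenge: bytes) -> bytes:
    """Both sides compute this from the password hash and the server's challenge."""
    return hmac.new(pwhash, challenge, hashlib.sha256).digest()


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Stand-in for WEP: keystream derived from the session key, XORed over data.
    The same call decrypts, so the station recovers the multicast key with it."""
    keystream = hmac.new(key, b"multicast-key", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, keystream))


class RadiusServer:
    """Holds cleartext passwords so it can repeat the supplicant's one-way hash."""

    def __init__(self, users: dict):
        self.users = users
        self.pending = {}  # username -> outstanding challenge

    def on_identity(self, user: str, claimed_hash: bytes):
        stored = self.users.get(user)
        if stored is None or not hmac.compare_digest(pw_hash(stored), claimed_hash):
            return ("reject", None)
        challenge = secrets.token_bytes(16)
        self.pending[user] = challenge
        return ("challenge", challenge)

    def on_response(self, user: str, response: bytes):
        challenge = self.pending.pop(user, None)
        if challenge is None:
            return ("reject", None)
        pwhash = pw_hash(self.users[user])
        if not hmac.compare_digest(challenge_response(pwhash, challenge), response):
            return ("reject", None)
        # Constructed derivation: session key bound to this password and challenge.
        session_key = hmac.new(pwhash, b"session" + challenge, hashlib.sha256).digest()[:16]
        return ("success", session_key)


class AccessPoint:
    """Open association, then 802.1X-only traffic until RADIUS says success."""

    def __init__(self, radius: RadiusServer):
        self.radius = radius
        self.associated = set()
        self.authorized = {}  # station MAC -> AP's copy of the session key
        self.multicast_key = secrets.token_bytes(16)

    def associate(self, mac: str) -> None:
        self.associated.add(mac)  # open authentication: no credentials checked here

    def forward_data(self, mac: str) -> bool:
        """Non-802.1X traffic is dropped until the station has been authorized."""
        return mac in self.authorized

    def eapol(self, mac: str, msg: tuple):
        """Relay EAP to RADIUS and the RADIUS reply back to the station."""
        if mac not in self.associated:
            return ("drop", None)
        kind, user, body = msg
        handlers = {"identity": self.radius.on_identity, "response": self.radius.on_response}
        if kind not in handlers:
            return ("drop", None)
        verdict, payload = handlers[kind](user, body)
        if verdict == "success":
            self.authorized[mac] = payload  # AP keeps the key from the success packet
            # Multicast key goes to the station encrypted under the session key.
            return ("success", payload, xor_stream(payload, self.multicast_key))
        return (verdict, payload)


def run_flow(user: str, password: str, users=None) -> dict:
    """Drive one supplicant through the flow and report what it observed."""
    users = users if users is not None else {"alice": "correct horse battery"}  # constructed
    ap = AccessPoint(RadiusServer(users))
    mac = "00:11:22:33:44:55"  # constructed station address
    ap.associate(mac)
    result = {"data_before_auth": ap.forward_data(mac)}
    pwhash = pw_hash(password)
    verdict, challenge = ap.eapol(mac, ("identity", user, pwhash))
    if verdict != "challenge":
        return {**result, "ok": False, "stage": "identity"}
    reply = ap.eapol(mac, ("response", user, challenge_response(pwhash, challenge)))
    if reply[0] != "success":
        return {**result, "ok": False, "stage": "response"}
    _, session_key, enc_mcast = reply
    return {**result, "ok": True, "session_key": session_key,
            "multicast_key": xor_stream(session_key, enc_mcast),
            "ap_multicast_key": ap.multicast_key, "ap_session_key": ap.authorized[mac],
            "data_after_auth": ap.forward_data(mac)}


if __name__ == "__main__":
    print(run_flow("alice", "correct horse battery"))
```

Running `run_flow` with the right password returns `ok=True`, `data_before_auth=False` and `data_after_auth=True`, with the station's recovered multicast key equal to the AP's; a wrong password is rejected at the identity step because the server's own hash of its stored cleartext password does not match, which is exactly the dependency on cleartext storage the post points out.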
