Title: EAP-MD5 and LEAP ?

        So far as I know, the LEAP protocol is a Cisco proprietary extension of EAP. I was not able to find any specification for it. Does anyone know how to change FreeRADIUS to work with Cisco Aironet? What are the steps of the LEAP authentication protocol?

        Regards,

        Alberto.


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Raghu
Sent: Thursday, March 21, 2002 6:45 PM
To: [EMAIL PROTECTED]
Subject: Re: EAP-MD5 ?


John Lindsay wrote:

> I've just studied this with Cisco and I can steal a clear explanation from
> the notes.


EAP CLIENT(EC)  ---->  ACCESS POINT(AP)  ----> RADIUS-SERVER(S)

The communication between EC & AP is wireless (EAPOL).
The communication between AP & Radius is RADIUS
with EAP payload encapsulated in EAP-Message attribute.

1. EC sends EAPOL-START to AP.
2. AP sends EAP/Identity request to EC
3. EC sends EAP/Identity response to AP.
4. AP frames the RADIUS Access-Request packet with the
    EAP/Identity response payload in EAP-Message.
5. Radius sends Access-challenge to AP with
    EAP-MD5 challenge value.
6. AP extracts EAP and sends it to EC.
7. EC sends the Challenge response to AP
   (see CHAP (RFC 1994) or RFC 2284 for details).
8. AP forwards it to Radius.
9. Radius sends EAP-Success/EAP-Failure to AP.
10. AP forwards it to EC.

>
> To make it clear for everyone, the supplicant is the software on the client
> (machine with the wireless card).
>
> The EAP process doesn't start until the client has associated with the
> Access Point using Open authentication.  If this process isn't crystal
> clear you need to go away and gain understanding.
>
> Once the association is made the AP blocks all traffic that is not 802.1x
> so although associated the connection only has value for EAP.  Any EAP
> traffic is passed to the radius server and any radius traffic is passed
> back to the client.
>
> So, after the client has associated to the Access Point, the supplicant
> starts the process for using EAP over LAN by asking the user for their
> logon and password.
>
> Using 802.1x and EAP the supplicant sends the username and a one-way hash
> of the password to the AP.

No. See below

>
> The AP encapsulates the request and sends it to the RADIUS server.
>
> The radius server needs a plaintext password so that it can perform the
> same one-way hash to determine that the password is correct.  If it is, the
> radius server issues an access challenge which goes back via the AP to
> the client. (my study guide says client but my brain says 'supplicant')
>
> The client sends the EAP response to the challenge via the AP to the RADIUS
> server.
>

AP sends an EAP/Identity request to the supplicant.
The supplicant then sends only the User-Name to the AP.

AP then forwards this to the Radius Server.
Radius Server now sends EAP-Response with some random Challenge value.

Supplicant then sends the challenge-response using the User-Password.
See CHAP (RFC 1994) for details.


-Raghu
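The ten-step exchange above, worked through in code. This is an added example, not code from the thread or from FreeRADIUS: it frames EAP packets per RFC 2284, computes the EAP-MD5 response the way RFC 1994 CHAP does (MD5 over Identifier, secret, challenge), and plays the supplicant, access point (modelled only as a relay) and RADIUS server against each other. The RADIUS EAP-Message encapsulation is left out, and the user "alberto", the password "s3cret" and the fixed challenge are constructed test values. The last function shows the caveat a practitioner should take from the thread: because the server must hold the cleartext password and the challenge/response pair crosses the air unprotected, anyone who captured steps 6 and 7 can test password guesses offline.

```python
"""EAP-MD5 challenge/response as exchanged between supplicant (EC),
access point (AP) and RADIUS server (S).  Constructed example; the AP is
a pure relay and RADIUS framing is omitted."""
import hashlib
import hmac
import os
import struct

# EAP codes and types (RFC 2284 sections 2.2 and 3)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5_CHALLENGE = 1, 4


def eap_packet(code, identifier, type_=None, data=b""):
    """Frame an EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if type_ is None else bytes([type_]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(packet):
    """Return (code, identifier, type or None, type-data); reject bad lengths."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("EAP Length field does not match packet size")
    type_ = packet[4] if length > 4 else None
    return code, identifier, type_, packet[5:]


def md5_challenge_response(identifier, password, challenge):
    """RFC 1994 / EAP-MD5: Value = MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def build_md5_challenge_request(identifier, challenge, server_name=b"radius"):
    # MD5-Challenge Type-Data: Value-Size(1) Value(Value-Size) Name(rest)
    data = bytes([len(challenge)]) + challenge + server_name
    return eap_packet(EAP_REQUEST, identifier, EAP_TYPE_MD5_CHALLENGE, data)


def build_md5_challenge_response(identifier, password, challenge, username):
    value = md5_challenge_response(identifier, password, challenge)
    data = bytes([len(value)]) + value + username
    return eap_packet(EAP_RESPONSE, identifier, EAP_TYPE_MD5_CHALLENGE, data)


def verify_md5_challenge_response(packet, expected_identifier, challenge, lookup_password):
    """Server side: recompute the hash from the cleartext password it stores."""
    code, identifier, type_, data = parse_eap(packet)
    if code != EAP_RESPONSE or type_ != EAP_TYPE_MD5_CHALLENGE:
        return False
    if identifier != expected_identifier:  # stale or unsolicited response
        return False
    value_size = data[0]
    value, name = data[1:1 + value_size], data[1 + value_size:]
    password = lookup_password(name)
    if password is None:
        return False
    expected = md5_challenge_response(identifier, password, challenge)
    return hmac.compare_digest(value, expected)


def run_exchange(username, supplicant_password, user_db, challenge=None):
    """Steps 2-10 of the thread (EAPOL-Start omitted). Returns (final EAP code, transcript)."""
    transcript = []
    ident_id = 1  # steps 2/3: Identity request and response
    transcript.append(("AP->EC", eap_packet(EAP_REQUEST, ident_id, EAP_TYPE_IDENTITY)))
    transcript.append(("EC->AP", eap_packet(EAP_RESPONSE, ident_id, EAP_TYPE_IDENTITY, username)))
    challenge = challenge or os.urandom(16)  # step 5: server picks a random challenge
    chal_id = 2
    chal_req = build_md5_challenge_request(chal_id, challenge)
    transcript.append(("S->AP->EC", chal_req))  # step 6: AP relays it
    chal_resp = build_md5_challenge_response(chal_id, supplicant_password, challenge, username)
    transcript.append(("EC->AP->S", chal_resp))  # steps 7/8
    ok = verify_md5_challenge_response(chal_resp, chal_id, challenge, user_db.get)
    final = eap_packet(EAP_SUCCESS if ok else EAP_FAILURE, chal_id)
    transcript.append(("S->AP->EC", final))  # steps 9/10
    return parse_eap(final)[0], transcript


def offline_dictionary_attack(challenge_req, challenge_resp, wordlist):
    """An eavesdropper on steps 6 and 7 needs no further traffic: every guess
    is checked locally against the captured Identifier, challenge and Value."""
    _, identifier, _, req_data = parse_eap(challenge_req)
    challenge = req_data[1:1 + req_data[0]]
    _, _, _, resp_data = parse_eap(challenge_resp)
    observed = resp_data[1:1 + resp_data[0]]
    for guess in wordlist:
        if md5_challenge_response(identifier, guess, challenge) == observed:
            return guess
    return None


if __name__ == "__main__":
    users = {b"alberto": b"s3cret"}  # constructed test credentials
    code, transcript = run_exchange(b"alberto", b"s3cret", users)
    for direction, pkt in transcript:
        print(f"{direction:10} {pkt.hex()}")
    print("result:", "EAP-Success" if code == EAP_SUCCESS else "EAP-Failure")
    print("sniffer recovers:", offline_dictionary_attack(transcript[2][1], transcript[3][1],
                                                         [b"password", b"s3cret"]))
```

The identifier check in `verify_md5_challenge_response` is the one piece of replay protection the method has; it is why a server must bind each response to the challenge it issued rather than accept any valid-looking hash. Nothing in the exchange protects the challenge/response pair itself, which is what makes LEAP and the later tunnelled methods (EAP-TLS, PEAP, EAP-TTLS) the practical choice over the air.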

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
