Authenticating 802.1x (Windows CE 5.0)
Following authentication, the 802.1x protocol should be configured to request the supplicant to periodically re-authenticate.
To authenticate 802.1x
- The authenticator should be configured to inhibit data traffic from being forwarded either to a wired network or to another wireless supplicant unless a valid authentication key is used.
- The authenticator and supplicant must be configured to support a multicast/global authentication key or per-station unicast session key.
- If the authenticator observes a new supplicant, it transmits an EAP request to that supplicant. If the authenticator receives an EAP start message from a supplicant, it sends an EAP request back to the supplicant. A supplicant transmits an EAP start message when it associates with a new authenticator.
- A supplicant transmits an EAP response containing the device name in response to an EAP request.
- The authenticator forwards the EAP response message to a RADIUS server. The RADIUS server sends an EAP request in response to the EAP response message from the supplicant. The authenticator forwards that EAP request from the RADIUS server to the supplicant.
- The supplicant transmits an EAP response containing all credentials to the RADIUS server through the wireless authenticator. The wireless authenticator then forwards the supplicant's credentials to the RADIUS server.
- The RADIUS server validates the credentials and generates a success message for the supplicant. The RADIUS server's response to the wireless authenticator contains the supplicant's message and the encryption key derived from the EAP-TLS session key. The wireless authenticator generates the multicast/global authentication key either by generating a random number or by selecting it from a preset value. On receiving the RADIUS server message, the wireless authenticator forwards the success message to the supplicant.
- The wireless authenticator transmits an EAP-Key message to the supplicant containing the multicast/global authentication key encrypted using the per-session encryption key. If the wireless authenticator and supplicant support the per-supplicant unicast session key, the authenticator uses the encryption key sent from the RADIUS server as the per-supplicant unicast session key.
- When the wireless authenticator changes the multicast/global authentication key, it generates EAP-Key messages, where each message contains the new multicast/global authentication key encrypted with the particular supplicant's session key. The wireless authenticator adds the unicast session key, if supported, to the list of unicast session keys.
- The supplicant, on receiving the EAP-Key message, uses the per-supplicant unicast session encryption key to decrypt the multicast/global authentication key. If the wireless authenticator and supplicant support per-supplicant unicast session keys and a multicast/global authentication key has been received, the encryption key derived from the EAP-TLS session key is passed to the wireless supplicant as the per-supplicant unicast session key.
- When the wireless network adapter driver receives the authentication keys, it must program the wireless supplicant's network adapter. Once the authentication keys have been programmed, the supplicant calls Dynamic Host Configuration Protocol (DHCP) to restart the DHCP process.
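The exchange in the steps above, modelled as an added example that is not part of the Windows CE documentation: the authenticator keeps its controlled port closed until the RADIUS server returns EAP-Success with a session key, then sends the multicast/global key in an EAP-Key message protected by that key, and re-keys all supplicants with one EAP-Key message each. The HMAC challenge standing in for the EAP-TLS method, the hash-derived session key and the XOR wrapping are constructed simplifications, not the real protocol's cryptography.

```python
import hashlib, hmac, os

def wrap(key, data):
    # Toy stand-in for encrypting the EAP-Key payload under the per-session key
    # (XOR with a hash of the key; models the flow only, not a real cipher).
    return bytes(a ^ b for a, b in zip(data, hashlib.sha256(key).digest()))

class RadiusServer:
    def __init__(self, users):
        self.users = users  # {identity: secret}, constructed sample credentials
    def authenticate(self, identity, proof):
        secret = self.users.get(identity)
        expected = hmac.new(secret or b"", b"chal", "sha256").digest()
        if secret is None or not hmac.compare_digest(proof, expected):
            return "Failure", None
        # Stand-in for the key derived from the EAP-TLS session (both ends can derive it)
        return "Success", hashlib.sha256(secret + identity.encode()).digest()

class Authenticator:
    def __init__(self, radius):
        self.radius, self.authorized, self.unicast_keys = radius, set(), {}
        self.group_key = os.urandom(32)  # multicast/global key chosen at random
    def forwards_traffic(self, identity):
        return identity in self.authorized  # controlled port stays blocked until EAP-Success
    def handle(self, identity, proof):
        result, key = self.radius.authenticate(identity, proof)  # relay credentials to RADIUS
        if result != "Success":
            return "EAP-Failure", None
        self.unicast_keys[identity] = key  # per-supplicant unicast session key
        self.authorized.add(identity)
        return "EAP-Success", wrap(key, self.group_key)  # EAP-Key: group key under session key
    def rekey_group(self):
        self.group_key = os.urandom(32)  # one EAP-Key per supplicant, each under its own key
        return {i: wrap(k, self.group_key) for i, k in self.unicast_keys.items()}

class Supplicant:
    def __init__(self, identity, secret):
        self.identity, self.secret, self.group_key = identity, secret, None
        # Supplicant-side derivation of the same session key (simplification of EAP-TLS)
        self.unicast_key = hashlib.sha256(secret + identity.encode()).digest()
    def proof(self):  # EAP-Response carrying the credentials (constructed HMAC challenge)
        return hmac.new(self.secret, b"chal", "sha256").digest()
    def install(self, eap_key):  # decrypt the group key with the unicast session key
        self.group_key = wrap(self.unicast_key, eap_key)

def authenticate(sup, auth):
    result, eap_key = auth.handle(sup.identity, sup.proof())
    if result == "EAP-Success":
        sup.install(eap_key)
    return result
```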
See Also
Wireless Authentication Implementation