PEAP user access process for Cisco AP as a WLAN user access authentication point

Source: Internet
Author: User
Tags gtk hmac

1. Certificate acquisition
Certificates are used to authenticate the network to the terminal (and, when the client also holds a certificate, the terminal to the network). The RADIUS server first requests a server certificate from the CA to prove its own legitimacy. The client installs the CA root certificate so that it can verify the certificate presented by the RADIUS server. If the terminal is configured not to authenticate the network, the root certificate does not need to be downloaded or installed; note, however, that a client which skips server validation will build a TLS tunnel to any AP/RADIUS pair presenting any certificate and send its inner MSCHAPv2 credentials through it, so server certificate validation should be enforced in production deployments.

2. Wireless access
The client associates with the AP using Open System authentication. This establishes the link-layer connection without any key; all security comes from the 802.1X exchange that follows.

3. Authentication initialization
1) The client sends an EAPOL-Start message to the AP to begin 802.1X access.

2) The AP sends EAP-Request/Identity to the client, asking it to provide its user identity.

3) The client replies with EAP-Response/Identity containing the user's network identity. For PEAP-MSCHAPv2 the identity is entered manually or configured on the client and is normally of the form username@domain, where username is the identifier the carrier issued to the user and domain is the carrier's domain name (for example cmcc.com).

4) The AP forwards the EAP-Response/Identity to the RADIUS server as an EAP-Message attribute inside a RADIUS Access-Request (EAP over RADIUS), together with the related RADIUS attributes.

5) The RADIUS server receives the EAP-Response/Identity, selects EAP-PEAP according to its configuration, and returns a RADIUS Access-Challenge to the AP containing an EAP-Request/PEAP/Start, which tells the client to begin EAP-PEAP authentication.

6) The AP relays the EAP-Request/PEAP/Start to the client.

4. Establishing the TLS channel
7) On receiving EAP-Request/PEAP/Start, the client generates a random number (the client random) and builds a TLS ClientHello containing that random, the list of cipher suites it supports, the TLS protocol version, an empty session ID and the null compression method. The ClientHello is encapsulated in an EAP-Response/PEAP and sent to the AP.

8) The AP forwards the EAP-Response/PEAP (ClientHello) to the RADIUS server as EAP over RADIUS, with the related RADIUS attributes.

9) The RADIUS server selects one cipher suite from the client's list and replies with a ServerHello (carrying the server random), the server Certificate (carrying the server name and public key), an optional CertificateRequest, and ServerHelloDone. This flight is encapsulated in an Access-Challenge and sent towards the client.

10) The AP extracts the EAP payload from the RADIUS packet, encapsulates it in an EAP-Request/PEAP and sends it to the client.

Note: the server certificate is too large to fit in one EAP packet, so in practice the flight from step 9 is split into several EAP-Request/PEAP fragments (three in the exchange described here). The client acknowledges each fragment with an empty EAP-Response/PEAP, and step 11 cannot proceed until the last fragment has arrived and the certificate has been reassembled.

11) The client verifies the server certificate against the root certificate obtained from the CA, checking chiefly that the certificate is within its validity period and that its name is the expected one; this is how the network is authenticated to the terminal. If the certificate is valid, the client extracts the server's public key, generates a random pre-master secret, encrypts it with that public key, and sends back a ClientKeyExchange, a client Certificate message (empty, i.e. length 0, if the client has no certificate), a ChangeCipherSpec and a TLS Finished, all encapsulated in an EAP-Response/PEAP to the AP. If no root certificate is installed on the client, it cannot validate the server certificate and therefore cannot authenticate the network.

12) The AP forwards the EAP-Response/PEAP to the RADIUS server as EAP over RADIUS, with the related RADIUS attributes.

13) The RADIUS server decrypts the ClientKeyExchange with the private key matching its certificate to recover the pre-master secret, then combines it with the client and server randoms (through the TLS PRF) to derive the master secret and, from it, the encryption keys, initialization vectors and HMAC keys for each direction. At this point both sides have securely agreed on a cipher suite and keys: the TLS channel is established, and these keys protect all subsequent authentication traffic. The server uses the HMAC key to compute a digest over each record it sends inside the tunnel, appends it to the record, encrypts the result with the encryption key and IV, and wraps it in an Access-Challenge to the client; its own ChangeCipherSpec and Finished records are the first such messages. The derivation is specified in reference [16], IETF RFC 2246, The TLS Protocol Version 1.0.
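The fragmentation described in the note above is the part of the PEAP exchange that most often goes wrong in practice (an oversized certificate chain, an authenticator that drops the final fragment), so here is an added example, not code from the original page or from any Cisco product, that builds the EAP-Request/PEAP/Start of steps 5 and 6 and then splits one TLS flight into EAP-Request/PEAP fragments with the L/M flags of RFC 3748 / the PEAP draft, acknowledges each one from the client side with an empty EAP-Response/PEAP, and reassembles the flight with length checks. The TLS flight is a constructed byte string of about 2.5 KB, not a real certificate, and the 1000-byte EAP limit is an assumption chosen so that it fragments into three packets like the trace the note describes.

```python
import struct

# EAP codes / types (RFC 3748) and PEAP flag bits (Length, More, Start)
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_PEAP = 25
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20
PEAP_VERSION = 0                         # low three bits of the flags byte


def build_eap(code, ident, eap_type, payload):
    """EAP packet: Code(1) Identifier(1) Length(2) Type(1) Type-Data."""
    return struct.pack("!BBHB", code, ident, 5 + len(payload), eap_type) + payload


def parse_eap(pkt):
    """Return (code, ident, eap_type, type_data); reject length mismatches."""
    if len(pkt) < 5:
        raise ValueError("EAP packet too short")
    code, ident, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    if length != len(pkt):
        raise ValueError("EAP length field does not match packet size")
    return code, ident, eap_type, pkt[5:]


def peap_start(ident):
    """Steps 5/6: EAP-Request/PEAP/Start is a PEAP packet with only the S flag set."""
    return build_eap(EAP_REQUEST, ident, EAP_TYPE_PEAP, bytes([FLAG_S | PEAP_VERSION]))


def fragment_tls_flight(tls_data, first_ident, max_eap_len):
    """Split one TLS flight (e.g. ServerHello..ServerHelloDone) into EAP-Request/PEAP
    packets of at most max_eap_len bytes. The first fragment carries the L flag and
    the 4-byte total TLS length; every fragment but the last carries the M flag."""
    frags, offset, ident, first = [], 0, first_ident, True
    while first or offset < len(tls_data):
        room = max_eap_len - (6 + (4 if first else 0))   # 5 EAP hdr + 1 flags (+4 length)
        if room <= 0:
            raise ValueError("max_eap_len too small for a PEAP fragment")
        chunk = tls_data[offset:offset + room]
        offset += len(chunk)
        flags = PEAP_VERSION | (FLAG_L if first else 0) | (FLAG_M if offset < len(tls_data) else 0)
        body = bytes([flags]) + (struct.pack("!I", len(tls_data)) if first else b"")
        frags.append(build_eap(EAP_REQUEST, ident, EAP_TYPE_PEAP, body + chunk))
        ident, first = (ident + 1) & 0xFF, False
    return frags


class PeapReassembler:
    """Client side of steps 10/11: collect fragments, ack each with an empty
    EAP-Response/PEAP, and hand back the whole TLS flight when the last one arrives."""

    def __init__(self):
        self.buf, self.total = b"", None

    def feed(self, pkt):
        """Return (ack_to_send, reassembled_tls_or_None)."""
        code, ident, eap_type, data = parse_eap(pkt)
        if code != EAP_REQUEST or eap_type != EAP_TYPE_PEAP or not data:
            raise ValueError("not an EAP-Request/PEAP")
        flags, rest = data[0], data[1:]
        if flags & FLAG_L:
            if self.buf:
                raise ValueError("L flag inside an in-progress reassembly")
            self.total, rest = struct.unpack("!I", rest[:4])[0], rest[4:]
        elif self.total is None:
            raise ValueError("first fragment must carry the TLS message length")
        self.buf += rest
        if len(self.buf) > self.total:          # defensive: peer sent more than it declared
            raise ValueError("reassembled data exceeds declared TLS length")
        ack = build_eap(EAP_RESPONSE, ident, EAP_TYPE_PEAP, bytes([PEAP_VERSION]))
        if flags & FLAG_M:
            return ack, None                    # more to come: ack and wait
        if len(self.buf) != self.total:
            raise ValueError("last fragment arrived but data is short")
        flight, self.buf, self.total = self.buf, b"", None
        return ack, flight


def demo_fragmented_handshake(tls_flight, max_eap_len=1000):
    """Run the server's fragments through the client reassembler.
    Returns (number_of_fragments, recovered_flight)."""
    frags = fragment_tls_flight(tls_flight, first_ident=2, max_eap_len=max_eap_len)
    client, recovered = PeapReassembler(), None
    for frag in frags:
        ack, recovered = client.feed(frag)
        assert parse_eap(ack)[1] == parse_eap(frag)[1]   # ack echoes the request Identifier
    return len(frags), recovered


# Constructed stand-in for a ServerHello + Certificate + ServerHelloDone flight (~2.5 KB,
# larger than one EAP packet); not a real certificate.
SAMPLE_FLIGHT = b"\x16\x03\x01" + bytes(range(256)) * 10
```

With the assumed 1000-byte limit the sample flight becomes three EAP-Request/PEAP packets, each answered by a six-byte EAP-Response/PEAP before the next is sent; the length checks in the reassembler are the ones an authenticator or supplicant needs so that a peer cannot declare one length and send another.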

5. Authentication process
14) The AP extracts the EAP payload from the RADIUS packet, encapsulates it in an EAP-Request/PEAP and sends it to the client.
15) The client derives the same encryption keys, IVs and HMAC keys by the same method as the server, decrypts and verifies the message with them, builds its authentication response, encrypts and authenticates it with the same keys, and sends it in an EAP-Response/PEAP to the AP, which forwards it to the RADIUS server as EAP over RADIUS with the related RADIUS attributes. The AP keeps relaying in this way until the inner authentication completes. Note: the inner exchange depends on the inner method; the usual ones are PEAP-MSCHAPv2 and EAP-SIM, each with its own message flow (EAP-SIM additionally requires the authentication server to interact with the HLR/AuC to obtain the authentication vectors). At the end of the exchange both ends hold the key material (the MSK, whose first 32 bytes are the PMK) from which the air-interface data encryption keys, unicast and multicast, are generated: the client derives it itself from the TLS keying material, and the server delivers the same key to the AP in the next step.
16) If the server authenticates the client successfully, it sends an Access-Accept to the AP containing an EAP-Success and the MS-MPPE-Send-Key / MS-MPPE-Recv-Key vendor attributes provided by the authentication server.
17) On receiving the RADIUS Access-Accept, the AP decrypts the MPPE attributes with the RADIUS shared secret, takes the key carried in MS-MPPE-Recv-Key as the PMK for WPA encryption, and sends the EAP-Success to the client.
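Steps 16 and 17 hinge on the MS-MPPE-Recv-Key attribute, which is not sent in the clear: RFC 2548 encrypts it with an MD5 keystream keyed by the RADIUS shared secret and the Request Authenticator of the matching Access-Request. The following is an added example, not code from the page or from any RADIUS or Cisco implementation, that performs that encryption on the server side, wraps the result in the Microsoft Vendor-Specific attribute (Vendor-Id 311, vendor types 16 and 17), and then does what the AP does at step 17: locates the attribute, decrypts it, validates the salt and length fields, and takes the key as the PMK. The shared secret, Request Authenticator, MSK bytes and salts are constructed sample values, not from a real exchange.

```python
import hashlib
import struct

RADIUS_ATTR_VENDOR_SPECIFIC = 26
MS_VENDOR_ID = 311
MS_MPPE_SEND_KEY, MS_MPPE_RECV_KEY = 16, 17


def _mppe_crypt(secret, authenticator, salt, data, decrypt):
    """RFC 2548 sections 2.4.2/2.4.3: chained MD5 keystream.
    b(1) = MD5(S + R + A), b(i) = MD5(S + c(i-1)); c(i) = p(i) XOR b(i).
    The chain always runs over ciphertext blocks, whichever direction we go."""
    out, prev = b"", None
    for i in range(0, len(data), 16):
        b = hashlib.md5(secret + (authenticator + salt if prev is None else prev)).digest()
        block = data[i:i + 16]
        x = bytes(p ^ k for p, k in zip(block, b))
        out += x
        prev = block if decrypt else x
    return out


def mppe_encrypt_key(secret, request_authenticator, key, salt):
    """Server side (step 16): P = len(1) || key || zero pad to a 16-byte multiple; return Salt || C."""
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 bytes with the high bit set")
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)
    return salt + _mppe_crypt(secret, request_authenticator, salt, plain, decrypt=False)


def mppe_decrypt_key(secret, request_authenticator, blob):
    """AP side (step 17): recover the key; reject malformed salt/length fields."""
    salt, cipher = blob[:2], blob[2:]
    if len(blob) < 18 or not salt[0] & 0x80 or len(cipher) % 16:
        raise ValueError("malformed MS-MPPE key attribute")
    plain = _mppe_crypt(secret, request_authenticator, salt, cipher, decrypt=True)
    klen = plain[0]
    if klen == 0 or klen > len(plain) - 1:
        raise ValueError("bad key length (wrong shared secret or authenticator?)")
    return plain[1:1 + klen]


def build_ms_vsa(vendor_type, value):
    """Vendor-Specific (26) attribute wrapping one Microsoft sub-attribute."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", MS_VENDOR_ID) + sub
    return struct.pack("!BB", RADIUS_ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def parse_ms_vsa(attr):
    """Return (vendor_type, value) for a Microsoft VSA; raise on anything else."""
    if len(attr) < 8:
        raise ValueError("attribute too short")
    atype, alen = attr[0], attr[1]
    if atype != RADIUS_ATTR_VENDOR_SPECIFIC or alen != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    if struct.unpack("!I", attr[2:6])[0] != MS_VENDOR_ID:
        raise ValueError("not a Microsoft VSA")
    vtype, vlen = attr[6], attr[7]
    if vlen != len(attr) - 6:
        raise ValueError("vendor-length mismatch")
    return vtype, attr[8:]


def pmk_from_access_accept(secret, request_authenticator, attrs):
    """What the AP does at step 17: find MS-MPPE-Recv-Key among the Access-Accept
    attributes, decrypt it, and use it as the PMK (the first 32 bytes of the MSK)."""
    for attr in attrs:
        try:
            vtype, value = parse_ms_vsa(attr)
        except ValueError:
            continue
        if vtype == MS_MPPE_RECV_KEY:
            return mppe_decrypt_key(secret, request_authenticator, value)[:32]
    raise ValueError("Access-Accept carries no MS-MPPE-Recv-Key; cannot derive PMK")


# Constructed sample values (not from a real exchange)
SHARED_SECRET = b"ap-radius-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))            # Request Authenticator of the Access-Request
MSK = bytes((7 * i + 3) & 0xFF for i in range(64))  # what PEAP derives from the TLS master secret
SALT_RECV, SALT_SEND = b"\x9a\x1b", b"\xc3\x44"


def sample_access_accept_attrs():
    """Server side: MSK[0:32] -> MS-MPPE-Recv-Key, MSK[32:64] -> MS-MPPE-Send-Key."""
    return [
        build_ms_vsa(MS_MPPE_RECV_KEY,
                     mppe_encrypt_key(SHARED_SECRET, REQUEST_AUTHENTICATOR, MSK[:32], SALT_RECV)),
        build_ms_vsa(MS_MPPE_SEND_KEY,
                     mppe_encrypt_key(SHARED_SECRET, REQUEST_AUTHENTICATOR, MSK[32:], SALT_SEND)),
    ]
```

Two things follow from the construction: the key is only as secret as the RADIUS shared secret (anyone who can read the AP-to-RADIUS path and knows the secret recovers every PMK), and an AP that receives an Access-Accept without the Recv-Key attribute has no PMK and must fail the association rather than fall back to open traffic.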
6. Dynamic encryption key installation
18) WPA unicast key (PTK) installation: the AP and the client use the PMK obtained above to derive and install the WPA unicast key through the four-way handshake. For the detailed procedure see reference [5]: IEEE Std 802.11i-2004, Standards for Local and Metropolitan Area Networks, Specific Requirements, Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications: Medium Access Control (MAC) Security Enhancements.

19) Multicast key (GTK) installation: the AP generates the GTK and delivers it to the client encrypted under bits 128 to 255 of the PTK (the KEK) in the two-message group key handshake. For the detailed procedure see reference [5].
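Step 18 is where the PMK handed to the AP at step 17 is finally proven on both sides. Here is an added example, not code from the page, from IEEE 802.11i or from any vendor, of the derivation: the 802.11i PRF built from HMAC-SHA1, PTK = PRF-384(PMK, "Pairwise key expansion", Min(AA,SPA) || Max(AA,SPA) || Min(ANonce,SNonce) || Max(ANonce,SNonce)) split into KCK, KEK and TK, and the HMAC-SHA1-128 MIC (key descriptor version 2) over a minimal EAPOL-Key frame, exercised as messages 1 to 3 of the handshake so that a supplicant holding the wrong PMK is visibly rejected. The MAC addresses, nonces and PMK are constructed sample values; the EAPOL-Key frames carry only the fields needed for the MIC and omit the RSN IE and encrypted GTK that real message 2 and 3 key data contain.

```python
import hashlib
import hmac
import struct

PTK_BITS_CCMP = 384                    # KCK(128) || KEK(128) || TK(128)
LABEL = b"Pairwise key expansion"
MIC_OFF = 4 + 1 + 2 + 2 + 8 + 32 + 16 + 8 + 8   # EAPOL hdr .. Key ID = 81; MIC is bytes 81..96


def prf(key, label, data, nbits):
    """IEEE 802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out, i = b"", 0
    while len(out) * 8 < nbits:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbits // 8]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """Step 18. Returns (KCK, KEK, TK); KEK is PTK bits 128..255, the key that
    protects the GTK in step 19. Order-independent, so both sides get the same PTK."""
    if len(pmk) != 32 or len(anonce) != 32 or len(snonce) != 32:
        raise ValueError("PMK and nonces must be 32 bytes")
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, LABEL, data, PTK_BITS_CCMP)
    return ptk[0:16], ptk[16:32], ptk[32:48]


def eapol_key_frame(key_info, replay_counter, nonce, key_data=b""):
    """Minimal EAPOL-Key frame (descriptor type 2 = RSN) with a zeroed MIC field."""
    body = struct.pack("!BHHQ", 2, key_info, 16, replay_counter)   # desc, info, key len, RC
    body += nonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8       # nonce, IV, RSC, Key ID
    body += b"\x00" * 16                                            # MIC placeholder
    body += struct.pack("!H", len(key_data)) + key_data
    return struct.pack("!BBH", 2, 3, len(body)) + body              # EAPOL v2, type Key


def compute_mic(kck, frame):
    """Key descriptor version 2: HMAC-SHA1-128 over the frame with the MIC field zeroed."""
    zeroed = frame[:MIC_OFF] + b"\x00" * 16 + frame[MIC_OFF + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def sign_frame(kck, frame):
    return frame[:MIC_OFF] + compute_mic(kck, frame) + frame[MIC_OFF + 16:]


def verify_mic(kck, frame):
    return hmac.compare_digest(frame[MIC_OFF:MIC_OFF + 16], compute_mic(kck, frame))


def four_way_handshake(pmk_ap, pmk_sta, aa, spa, anonce, snonce):
    """Messages 1..3 with each side using its own PMK.
    Returns (authenticator_accepts_msg2, supplicant_accepts_msg3)."""
    KEY_INFO_M1, KEY_INFO_M2, KEY_INFO_M3 = 0x008a, 0x010a, 0x13ca
    # Message 1 (AP -> STA): ANonce in the clear, no MIC yet.
    msg1 = eapol_key_frame(KEY_INFO_M1, 1, anonce)
    # STA derives its PTK from the received ANonce and its own SNonce.
    kck_sta, _, _ = derive_ptk(pmk_sta, aa, spa, msg1[17:49], snonce)
    # Message 2 (STA -> AP): SNonce + MIC under the STA's KCK.
    msg2 = sign_frame(kck_sta, eapol_key_frame(KEY_INFO_M2, 1, snonce, b"\x30\x00"))
    # AP derives its PTK from the SNonce in message 2; a valid MIC proves the STA holds the PMK.
    kck_ap, _, _ = derive_ptk(pmk_ap, aa, spa, anonce, msg2[17:49])
    ap_ok = verify_mic(kck_ap, msg2)
    # Message 3 (AP -> STA): MIC under the AP's KCK proves the AP holds the PMK too.
    msg3 = sign_frame(kck_ap, eapol_key_frame(KEY_INFO_M3, 2, anonce))
    sta_ok = verify_mic(kck_sta, msg3)
    return ap_ok, sta_ok


# Constructed sample inputs (not captured from a real network)
AA = bytes.fromhex("001122334455")        # AP BSSID
SPA = bytes.fromhex("66778899aabb")       # client MAC
ANONCE = hashlib.sha256(b"anonce").digest()
SNONCE = hashlib.sha256(b"snonce").digest()
PMK = hashlib.sha256(b"pmk from MS-MPPE-Recv-Key").digest()
```

Because the nonces travel in the clear, everything the handshake proves rests on the PMK; that is why the MPPE attribute of step 17 and the RADIUS shared secret protecting it matter as much as the over-the-air cipher.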

7. Address allocation

20) Once the keys are installed, all over-the-air data between the client and the AP is encrypted, and the client runs DHCP through the AC (access controller) until it obtains an IP address.

8. Accounting start
21) The AP sends a RADIUS Accounting-Request (Start) to the RADIUS server to begin accounting; it carries the relevant accounting attributes.

22) The RADIUS server returns a RADIUS Accounting-Response (Start) to the AP, confirming that accounting has begun.

9. Forced portal

23) The user opens a browser (IE), visits a website and issues an HTTP request.
24) The AC intercepts the user's HTTP request, redirects it to the Portal server, and appends the relevant parameters to the redirect URL.
25) The Portal server returns the portal page.
10. Key update

26) Unicast key update: to keep the data secure, WPA requires the unicast key to be refreshed after a configured time or a configured number of packets; when the timer expires or the packet count is reached, the AP initiates a rekey (a new four-way handshake).

27) Multicast key update: likewise, when the configured time or packet count for the multicast key is reached, the AP initiates a group key update.

11. Real-time accounting

28) While the user is online, to protect the integrity of the billing record, the AP periodically sends real-time accounting information (Accounting-Request Interim-Update) to the RADIUS server, including the user's cumulative online time and cumulative traffic.

29) The RADIUS server acknowledges each report with an Accounting-Response.

30) When the AP receives a disconnect request (the user goes offline), it sends an Accounting-Request (Stop) to the RADIUS server.

31) The RADIUS server responds to the AP's Accounting-Request (Stop) with an Accounting-Response.
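Sections 8 and 11 together describe one accounting session: Start at step 21, Interim-Update at step 28, Stop at step 30, each acknowledged by an Accounting-Response. The following is an added example, not code from the page or from any RADIUS or Cisco implementation, that builds those three RFC 2866 packets with the usual attributes (Acct-Status-Type, Acct-Session-Id, Acct-Session-Time, Acct-Input/Output-Octets, Acct-Terminate-Cause), computes the Request Authenticator the way the RFC specifies (MD5 over the packet with a zeroed authenticator field plus the shared secret) and, on the server side, the Response Authenticator, and includes the check the AP should perform on each acknowledgement before treating the session as accounted. The user name, session ID, counters and shared secret are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
USER_NAME, ACCT_STATUS_TYPE, ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS = 1, 40, 42, 43
ACCT_SESSION_ID, ACCT_SESSION_TIME, ACCT_TERMINATE_CAUSE = 44, 46, 49
STATUS_START, STATUS_STOP, STATUS_INTERIM_UPDATE = 1, 2, 3
TERMINATE_USER_REQUEST = 1


def attr(atype, value):
    """Type(1) Length(1) Value; integer values are 4-byte big-endian."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, 2 + len(value)) + value


def accounting_request(ident, secret, attrs):
    """RFC 2866: Request Authenticator = MD5(Code||ID||Length||16 zero octets||Attributes||Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + auth + body


def verify_accounting_request(request, secret):
    """Server side: recompute the Request Authenticator; a wrong shared secret fails here."""
    if len(request) < 20 or request[0] != ACCOUNTING_REQUEST:
        return False
    if struct.unpack("!H", request[2:4])[0] != len(request):
        return False
    expected = hashlib.md5(request[:4] + b"\x00" * 16 + request[20:] + secret).digest()
    return hmac.compare_digest(expected, request[4:20])


def accounting_response(request, secret):
    """Server side: Response Authenticator = MD5(Code||ID||Length||RequestAuth||Attributes||Secret)."""
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def verify_accounting_response(request, response, secret):
    """What the AP should check at steps 22, 29 and 31 before trusting the acknowledgement:
    matching Identifier, consistent length, and an authenticator bound to the request it sent."""
    if len(response) < 20 or response[0] != ACCOUNTING_RESPONSE or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def parse_attrs(packet):
    """Return {type: [raw values]} from the attribute area of a RADIUS packet."""
    out, pos = {}, 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        out.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return out


def session_records(user, session_id, secret):
    """Steps 21, 28 and 30 for one session: Start, one Interim-Update, Stop (in that order)."""
    common = [attr(USER_NAME, user), attr(ACCT_SESSION_ID, session_id)]
    start = accounting_request(10, secret, common + [attr(ACCT_STATUS_TYPE, STATUS_START)])
    interim = accounting_request(11, secret, common + [
        attr(ACCT_STATUS_TYPE, STATUS_INTERIM_UPDATE),
        attr(ACCT_SESSION_TIME, 600),            # seconds online so far
        attr(ACCT_INPUT_OCTETS, 1_200_000),
        attr(ACCT_OUTPUT_OCTETS, 4_500_000),
    ])
    stop = accounting_request(12, secret, common + [
        attr(ACCT_STATUS_TYPE, STATUS_STOP),
        attr(ACCT_SESSION_TIME, 1260),
        attr(ACCT_INPUT_OCTETS, 2_000_000),
        attr(ACCT_OUTPUT_OCTETS, 9_100_000),
        attr(ACCT_TERMINATE_CAUSE, TERMINATE_USER_REQUEST),
    ])
    return start, interim, stop


# Constructed sample session (not a real capture)
SECRET = b"ap-radius-secret"
START, INTERIM, STOP = session_records(b"user@cmcc.com", b"0001a2b3", SECRET)
```

The authenticators are MD5 over the shared secret, so they detect a mismatched secret or an altered packet but are no substitute for a protected AP-to-RADIUS path; an attacker on that path who knows the secret can forge both requests and acknowledgements.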



