1.2 Enterprise Network

When a wireless station connects to an enterprise-enabled access point, it is treated as a new supplicant. First, the supplicant joins the access point through Open System Authentication, that is, the 802.11 frame exchange for authentication and association. Once the Open System Authentication phase completes, EAP authentication starts. Until EAP authentication completes, all traffic to the new supplicant other than EAP frames is blocked.

EAP authentication starts with the authenticator sending an EAP Request/Identity frame to the supplicant. On receiving it, the supplicant replies with an EAP Response/Identity frame carrying the user ID. The authenticator encapsulates this EAP Identity response in a RADIUS Access-Request packet and forwards it to the authentication server.

The authentication server replies (encapsulated in a RADIUS Access-Challenge packet) with an EAP Request that proposes an EAP method, and the authenticator relays it to the supplicant. The supplicant can do one of the following:
  1. Accept the proposed method and answer with an EAP Response of that method, or
  2. Send a NAK (negative acknowledgment) listing the EAP methods it supports.
The authentication server and the supplicant must agree on one EAP method before authentication proceeds. Depending on the EAP method, EAP Requests and EAP Responses are then exchanged between the supplicant and the authentication server until the server responds with an EAP-Success or EAP-Failure packet. If authentication succeeds, the authenticator allows normal traffic to the supplicant. If it fails, the authenticator continues to block all traffic to the supplicant except EAP frames.

Figure 1-2. Enterprise Network Flow Diagram
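The following is an added example, not code from the original document or from any vendor it describes. It models the exchange just described with three toy roles: the authenticator keeps its controlled port closed until the server returns EAP-Success, the supplicant NAKs a method it does not support and lists the ones it does, and the authentication server hands the PMK to the authenticator only after a successful method exchange. The method names, the `EapMsg` fields and the user table are simplified stand-ins (not wire-format EAP or RADIUS), and a single credential check stands in for the real method dialogue.

```python
"""Toy 802.1X/EAP exchange (added example, not from the original document).
Method names and message fields are simplified stand-ins, not wire-format
EAP or RADIUS; the credential check stands in for the real method dialogue."""
from dataclasses import dataclass, field
import secrets


@dataclass
class EapMsg:
    code: str              # "Request", "Response", "Success" or "Failure"
    type: str = ""         # "Identity", "Nak" or an EAP method name
    data: dict = field(default_factory=dict)


class Supplicant:
    def __init__(self, identity, methods, credential):
        self.identity = identity
        self.methods = methods        # EAP methods this station supports
        self.credential = credential

    def handle(self, req):
        if req.type == "Identity":
            return EapMsg("Response", "Identity", {"id": self.identity})
        if req.type not in self.methods:
            # Option 2: NAK the proposed method and list what we support
            return EapMsg("Response", "Nak", {"methods": list(self.methods)})
        # Option 1: answer with a Response of the requested method
        return EapMsg("Response", req.type, {"credential": self.credential})


class AuthServer:
    def __init__(self, users, methods):
        self.users = users            # identity -> expected credential (constructed)
        self.methods = methods        # methods the server offers, in preference order
        self.identity = None
        self.method = None

    def handle(self, resp):
        """Return (EAP message for the supplicant, PMK or None)."""
        if resp.type == "Identity":
            self.identity = resp.data["id"]
            self.method = self.methods[0]           # propose our first choice
            return EapMsg("Request", self.method), None
        if resp.type == "Nak":
            common = [m for m in self.methods if m in resp.data["methods"]]
            if not common:
                return EapMsg("Failure"), None      # no method in common
            self.method = common[0]
            return EapMsg("Request", self.method), None
        if resp.type == self.method and \
                self.users.get(self.identity) == resp.data.get("credential"):
            # A real method derives the PMK from its own key exchange; a random
            # value stands in for that here and is fresh for every session.
            return EapMsg("Success"), secrets.token_bytes(32)
        return EapMsg("Failure"), None


class Authenticator:
    def __init__(self, server):
        self.server = server
        self.port_open = False        # controlled port: closed until EAP-Success
        self.pmk = None
        self.log = []                 # (request type, response type) per round

    def forward(self, frame):
        """Non-EAP traffic from the station is dropped while the port is closed."""
        return "forwarded" if self.port_open else "dropped"

    def authenticate(self, supplicant, max_rounds=10):
        req = EapMsg("Request", "Identity")
        for _ in range(max_rounds):
            resp = supplicant.handle(req)
            self.log.append((req.type, resp.type))
            # The response would travel in a RADIUS Access-Request and the
            # server's answer in an Access-Challenge/Accept/Reject; modelled as a call.
            req, pmk = self.server.handle(resp)
            if req.code == "Success":
                self.pmk = pmk
                self.port_open = True
                return True
            if req.code == "Failure":
                return False
        return False


def run(server_methods, station_methods, credential):
    """Drive one session and report the outcome and the negotiation trace."""
    server = AuthServer({"alice": "s3cret"}, server_methods)   # constructed user
    ap = Authenticator(server)
    station = Supplicant("alice", station_methods, credential)
    before = ap.forward(b"data")
    ok = ap.authenticate(station)
    return {"ok": ok, "before": before, "after": ap.forward(b"data"),
            "trace": ap.log, "pmk_set": ap.pmk is not None}


if __name__ == "__main__":
    print(run(["EAP-TLS", "EAP-PEAP"], ["EAP-PEAP"], "s3cret"))
```

With the server offering EAP-TLS first and the station supporting only EAP-PEAP, the trace shows the Identity round, the NAK to EAP-TLS and the EAP-PEAP round that ends in EAP-Success; a wrong credential or no method in common ends in EAP-Failure, and in both of those cases the port stays closed and no PMK reaches the authenticator.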

During EAP authentication, the supplicant and the authentication server derive a Pairwise Master Key (PMK) for data encryption; this key is unique to each session of a given client. Broadcast and multicast traffic instead uses a Group Transient Key (GTK), which is common to all clients. The authentication server sends the derived PMK to the authenticator, and the supplicant and the authenticator then perform a four-way handshake to complete the authentication process.
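The following is an added example, not code from the original document. It shows what the four-way handshake does with the PMK that the server handed to the authenticator: both sides expand it, together with their MAC addresses and freshly chosen nonces, into a Pairwise Transient Key (PTK) using the PRF defined in IEEE 802.11i (HMAC-SHA1 based, PRF-384 for CCMP), and the authenticator checks that the supplicant holds the same PMK by verifying the MIC on message 2 under the KCK part of the PTK. The `"M2"` body layout, the MAC addresses and the `handshake` function are constructed stand-ins for the real EAPOL-Key frames, not the wire format.

```python
"""PMK to per-session keys (added example, not from the original document).
The PRF and the MIC are as specified in IEEE 802.11i; the frame body used
for the MIC is a constructed stand-in, not the real EAPOL-Key layout."""
import hashlib
import hmac
import secrets


def prf(key, label, data, nbits):
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PRF-384 expansion for CCMP: KCK (16) || KEK (16) || TK (16).
    The min/max ordering makes the result the same whichever side computes it."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 384)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_mic(kck, body):
    """Key MIC for key descriptor version 2: HMAC-SHA1 truncated to 128 bits."""
    return hmac.new(kck, body, hashlib.sha1).digest()[:16]


def handshake(pmk_sta, pmk_ap, aa, spa):
    """Simplified four-way handshake. Returns (AP accepted message 2,
    both sides ended with the same temporal key)."""
    anonce = secrets.token_bytes(32)            # message 1: AP -> STA carries ANonce
    snonce = secrets.token_bytes(32)            # STA picks its own nonce
    ptk_sta = derive_ptk(pmk_sta, aa, spa, anonce, snonce)
    body2 = b"M2" + snonce                      # message 2: STA -> AP (constructed layout)
    mic2 = eapol_mic(ptk_sta["kck"], body2)
    ptk_ap = derive_ptk(pmk_ap, aa, spa, anonce, snonce)
    # The AP recomputes the MIC with its own KCK; a mismatch means the station
    # does not hold the same PMK and the handshake is aborted.
    accepted = hmac.compare_digest(mic2, eapol_mic(ptk_ap["kck"], body2))
    return accepted, ptk_sta["tk"] == ptk_ap["tk"]


if __name__ == "__main__":
    pmk = secrets.token_bytes(32)               # stands in for the EAP-derived PMK
    aa = bytes.fromhex("001122334455")          # constructed authenticator MAC
    spa = bytes.fromhex("66778899aabb")         # constructed supplicant MAC
    print(handshake(pmk, pmk, aa, spa))         # (True, True)
    print(handshake(pmk, secrets.token_bytes(32), aa, spa))  # (False, False)
```

Because fresh nonces enter the PRF, the temporal key differs for every handshake even when the same PMK is reused, and because the MIC is keyed by the KCK, a station presenting a wrong PMK is rejected at message 2 before any temporal key is installed.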