Access point requirements—Minimum access point firmware of 11.06 for LEAP Draft 10, recommended 11.10T
Router requirements—Refer to for Cisco IOS® platform requirements
This document discusses the requirements and prerequisites for classifying and marking RADIUS packets using the Cisco Modular QoS Command Line (MQC), a methodology to determine the appropriate queue size for the 802.1x/RADIUS packets, and to determine how to enable queuing on router interfaces to provide priority for the RADIUS packets during network congestion. Although this paper is targeted for any 802.1x authentication type, Cisco LEAP is used in the examples. The methodology in prioritizing traffic can be applied to other algorithms as well.
This issue is overcome by giving the RADIUS packets priority on transmissions both from the access point to the RADIUS server and from the RADIUS server to the access point. When priority is given to the RADIUS packets, the WAN routers service them before lower-priority traffic. The end result is that LEAP clients can authenticate successfully during times of WAN link congestion.
Cisco Aironet® deployments in the branch office may send authentication requests back to the authentication server (access control server [ACS] or Remote Access Dial-In User Service [RADIUS] server) across a WAN link. The 802.1x framework uses RADIUS messages for communications between the access point and the authentication server. RADIUS messages use User Datagram Protocol (UDP) and are connectionless, so it is possible during WAN link congestion for RADIUS packets to be delayed or dropped. This can cause delays or authentication timeouts to users attempting to authenticate to an access point, or when roaming to a different access point.
Cisco has supported 802.1x authentication for 802.11 LANs since November 2000 with the introduction of the Lightweight Extensible Authentication Protocol (LEAP) algorithm. Cisco 802.1x/LEAP provides user-based, centralized authentication, as well as per-user wired equivalent privacy (WEP) session keys. Wireless LAN network administrators have been taking advantage of the simplified user and security administration that LEAP provides. Cisco support for 802.1x includes support for most EAP authentication types. With the introduction of Windows XP, Cisco supports the Transport Layer Security (TLS) EAP subtype, EAP-TLS, as well. As wireless LANs become more prevalent in enterprise networks, they are also extending into the enterprise branch office (Figure 1).
802.1x and EAP-Based Authentication Across Congested WAN Links
802.1x and EAP-Based Authentication Across Congested WAN Links [Cisco Aironet 1100 Series] - Cisco Systems
Комментариев нет:
Отправить комментарий