Need Call flow diagram for WPA2 EAP authentication with NPS server including DHCP and authentication flow
Hello Avanindra,
Here’s a detailed call flow diagram for WPA2 EAP authentication using an NPS server, including DHCP and authentication flow:
1. Client Device Initialization
- Client: Turns on Wi-Fi and initiates connection to the Access Point (AP).
2. DHCP Discovery
- Client: Sends a DHCP Discover message to request an IP address.
- DHCP Server: Responds with a DHCP Offer.
- Client: Sends a DHCP Request to confirm the offered IP address.
- DHCP Server: Sends a DHCP Acknowledgement to finalize the IP address allocation.
3. 802.1X Authentication Initiation
- Client: Initiates 802.1X authentication by sending an EAPOL-Start message to the Access Point (AP).
- AP: Sends an EAP-Request/Identity message to the Client.
4. EAP Authentication
- Client: Responds with an EAP-Response/Identity message containing its identity.
- AP: Forwards the EAP-Response/Identity message to the RADIUS/NPS Server.
5. NPS Server Authentication Process
- NPS Server: Processes the EAP-Response/Identity message and sends an EAP-Request/Challenge (e.g., EAP-TLS) back to the Client via the AP.
- AP: Forwards the EAP-Request/Challenge to the Client.
- Client: Responds with an EAP-Response containing the necessary credentials (e.g., certificate or username/password).
- AP: Forwards the EAP-Response to the NPS Server.
- NPS Server: Validates the credentials against its policies and user database. If valid, it sends an EAP-Success message back to the Client via the AP.
- AP: Forwards the EAP-Success message to the Client.
6. Encryption Key Generation
- Client and AP: Perform the 4-Way Handshake to generate and exchange encryption keys.
  - Message 1: AP sends ANonce (a random number) to the Client.
  - Message 2: Client generates SNonce and derives PTK (Pairwise Transient Key) using ANonce, SNonce, PMK (Pairwise Master Key), and the Client/AP MAC addresses. Sends SNonce and MIC (Message Integrity Code) to the AP.
  - Message 3: AP verifies the MIC, derives the PTK, and sends Group Temporal Key (GTK) and another MIC to the Client.
  - Message 4: Client installs the GTK and sends an acknowledgment to the AP.
7. DHCP Renewal (if necessary)
- Client: May renew DHCP lease to ensure IP connectivity post-authentication.
- DHCP Server: Handles the DHCP Renewal process as described in the initial DHCP Discovery step.
8. Secure Data Transmission
- Client and AP: Start secure communication using the established WPA2 encryption.
Explanation
- Client: The user device initiating the connection.
- AP: Access Point that serves as the intermediary for the wireless connection.
- NPS Server: Network Policy Server handling the EAP authentication.
- DHCP Server: Server assigning IP addresses to clients.
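The PTK derivation and MIC check from step 6 (Messages 2 and 3), as an added example that is not part of the original answer: it derives the CCMP PTK from the PMK, both nonces and both MAC addresses, then builds a Message 2 skeleton and verifies its EAPOL-Key MIC the way the AP does. The PMK, MAC addresses and nonces are constructed placeholders, not values from any real network.

```python
import hashlib
import hmac

# Constructed values for illustration only. In WPA2-Enterprise the PMK is the
# first 32 bytes of the EAP MSK that the NPS/RADIUS server hands to the AP.
PMK = bytes.fromhex("0c" * 32)
AP_MAC = bytes.fromhex("001122334455")    # AA, authenticator address (placeholder)
STA_MAC = bytes.fromhex("66778899aabb")   # SPA, supplicant address (placeholder)
ANONCE = bytes(range(32))                 # placeholder ANonce from Message 1
SNONCE = bytes(range(32, 64))             # placeholder SNonce chosen by the client

def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """IEEE 802.11 PRF-n: HMAC-SHA1 blocks with a counter byte appended, truncated to n bits."""
    out, i = b"", 0
    while len(out) * 8 < nbits:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[: nbits // 8]

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """CCMP PTK (384 bits). Min/max ordering lets client and AP reach the same key."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 384)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}

# EAPOL header (4) + descriptor type (1) + key info (2) + key length (2) +
# replay counter (8) + nonce (32) + key IV (16) + RSC (8) + reserved (8) = 81
MIC_OFFSET = 81

def eapol_key_mic(kck: bytes, frame: bytes) -> bytes:
    """WPA2 (AKM 00-0F-AC:1, descriptor v2): HMAC-SHA1 over the frame with the MIC zeroed, 16 bytes."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]

def build_msg2(kck: bytes, snonce: bytes) -> bytes:
    """Constructed Message 2: RSN descriptor, key info 0x010A (v2, pairwise, MIC set), empty key data."""
    body = (b"\x02" + b"\x01\x0a" + b"\x00\x10" + b"\x00" * 7 + b"\x01" + snonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + b"\x00" * 16 + b"\x00\x00")
    frame = b"\x02\x03" + len(body).to_bytes(2, "big") + body   # EAPOL v2, type 3 = EAPOL-Key
    mic = eapol_key_mic(kck, frame)
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]

def verify_msg2(kck: bytes, frame: bytes) -> bool:
    """What the AP does on Message 2: recompute the MIC with its own KCK and compare in constant time."""
    return hmac.compare_digest(eapol_key_mic(kck, frame), frame[MIC_OFFSET:MIC_OFFSET + 16])
```

A MIC failure here is what separates a client that actually holds the PMK from one that merely observed the nonces; an AP drops such frames rather than completing the handshake.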