Ok, so technically a RADIUS server is required for an enterprise-based AP.
It's not required (a pre-shared key 'can' be used, but it is not recommended due to the administrative burden of changing the keys on every single client), but it is almost always used for whatever EAP method you choose. Any decent enterprise AP will support every flavor available, even pre-shared key.
In controller-based installs the controller does all the AUTH and caches it for use with every AP when the client roams. The actual encryption is done by the AP radio chipsets themselves. The tunnel between the AP/controller may or may not be encrypted depending on implementation. CAPWAP (lightweight AP protocol) encrypts both the control and data channels, I believe.