I have one basic doubt about 802.1X wireless client authentication. Even after reading the documentation, I am still confused about how this authentication takes place securely.
In the general case the client will send its username/password to the AP, which in turn will forward it to a RADIUS/TACACS server for authentication. But when the client sends the username/password to the AP, how is it encrypted? If it is not encrypted, then a wireless sniffer can copy the clear-text frame and use it. I could not understand even this first step.
Similarly, with EAP-TLS, clients and servers use digital certificates issued by the same CA. How does the AP authenticate a real user with digital certs? (Please correct me if I am making wild speculations.)
I would like to compare it with a site-to-site VPN. In that case the D-H group 2 algorithm is used to generate an "identical, unique" huge number on both end devices. With this unique, shared number a pre-shared key (in this case the username/password) is encrypted by pre-negotiated algorithms and sent to the other end. Then this "hidden pre-shared key" data is decrypted, and if the key matches, the other end is authenticated. Here the important step is that an "identical, unique" number is generated by the D-H algorithm. Is anything similar happening in wireless as well, so as to send the username and password in encrypted form?
Please share your experience.
Any link on cisco.com?
Thanks in advance
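Added example, not part of the original post and not Cisco code: a toy Python model of the exchange the question describes, written to show why a sniffer (or the AP itself) never sees the password. The mechanism that plays the role of the VPN's D-H "identical, unique number" in 802.1X is the TLS handshake run by the TLS-based EAP methods (EAP-TLS, PEAP, EAP-TTLS) between the supplicant and the RADIUS server; the AP is only an authenticator that relays EAP frames (EAPOL on the air, RADIUS on the wire) and never holds the keys. With PEAP or EAP-TTLS the username/password is sent inside that tunnel; with EAP-TLS there is no password at all, the client proves possession of the private key matching its certificate. The code below replaces the TLS handshake with a plain D-H run over IKE group 2 (the 1024-bit MODP prime from RFC 2409, which the question mentions), and replaces the TLS record layer with a toy HMAC-based encrypt-then-MAC, because the standard library has no AES. `Authenticator`, `DHParty`, `seal`/`unseal`, `USER_DB` and the account `alice` are constructed for this illustration and are not real protocol names or data.

```python
import hashlib
import hmac
import secrets

# IKE D-H group 2: the 1024-bit MODP prime from RFC 2409 section 6.2, generator 2.
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2

def hkdf_sha256(ikm, info, length=32):
    """HKDF (RFC 5869) with SHA-256 and an all-zero salt."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

class DHParty:
    """One endpoint of the key agreement: the supplicant or the RADIUS server (toy model)."""
    def __init__(self):
        self._x = secrets.randbelow(GROUP2_P - 3) + 2   # private exponent, never transmitted
        self.public = pow(GROUP2_G, self._x, GROUP2_P)   # crosses the air in the clear; that is fine

    def shared_key(self, peer_public):
        if not 1 < peer_public < GROUP2_P - 1:           # refuse degenerate values 0, 1, p-1
            raise ValueError("invalid peer public value")
        z = pow(peer_public, self._x, GROUP2_P)          # the "identical, unique" number on both ends
        return hkdf_sha256(z.to_bytes(128, "big"), b"toy 802.1X credential channel")

def _keystream(enc_key, nonce, length):
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def seal(key, plaintext):
    """Toy encrypt-then-MAC standing in for the TLS record layer (not for production use)."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(hkdf_sha256(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(hkdf_sha256(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, frame):
    """Check the tag before decrypting; a frame sealed under a different key is rejected."""
    nonce, ct, tag = frame[:16], frame[16:-32], frame[-32:]
    expected = hmac.new(hkdf_sha256(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    stream = _keystream(hkdf_sha256(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, stream))

class Authenticator:
    """The AP: relays frames between supplicant and server and keeps a sniffer-style copy."""
    def __init__(self):
        self.captured = []

    def relay(self, frame):
        self.captured.append(frame)
        return frame

USER_DB = {"alice": "correct horse battery staple"}   # constructed sample account

def run_session(ap, username, password):
    """Supplicant -> AP -> server. Returns (accepted_by_server, credential_frame)."""
    supplicant, server = DHParty(), DHParty()
    # Step 1: public values pass through the AP; each side derives the same session key.
    server_pub = int.from_bytes(ap.relay(server.public.to_bytes(128, "big")), "big")
    client_pub = int.from_bytes(ap.relay(supplicant.public.to_bytes(128, "big")), "big")
    k_supplicant = supplicant.shared_key(server_pub)
    k_server = server.shared_key(client_pub)
    # Step 2: only now does the password leave the supplicant, sealed under that key.
    frame = ap.relay(seal(k_supplicant, f"{username}:{password}".encode()))
    user, _, pw = unseal(k_server, frame).decode().partition(":")
    return USER_DB.get(user) == pw, frame

def replay_captured_frame(frame):
    """A sniffer replays a copied credential frame in a fresh session.
    The new D-H run yields a different key, so the tag check fails and nothing is learned."""
    supplicant, server = DHParty(), DHParty()
    try:
        unseal(server.shared_key(supplicant.public), frame)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    ap = Authenticator()
    accepted, frame = run_session(ap, "alice", "correct horse battery staple")
    print("server accepted:", accepted)
    print("password visible in what the AP relayed:", any(b"correct horse" in f for f in ap.captured))
    print("replayed frame accepted:", replay_captured_frame(frame))
```

The caveat a practitioner should take from this toy: a bare D-H run is unauthenticated, so a rogue "evil twin" AP could run its own exchange with the client and read the password. That is exactly why the EAP server presents a certificate in the TLS handshake, and why the supplicant must be configured to validate that certificate (and pin the issuing CA and server name) before it releases any credential; with PEAP that validation is the part most often left switched off. The session key is also fresh per authentication, which is what makes the copied frame in `replay_captured_frame` worthless.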