Chapter 3 Configuring EAP Types
How EAP-FAST Works
After the tunnel is established, the second phase of authentication begins. The client and server communicate further to establish the required authentication and authorization policies. This phase consists of a series of requests and responses that are encapsulated in TLV objects. The TLV exchange includes the EAP method to be used within the protected tunnel. For more information about TLV objects and format, see section 4.2 of RFC 4851.
The EAP-FAST module offers a variety of EAP-FAST configuration options, including whether automatic or manual PAC provisioning is used to establish a tunnel, whether or not a server certificate is used to establish a tunnel, what type of user credentials to use for authentication and provisioning, and what type of authentication method to use in the established tunnel.
Protected Access Credentials
Protected Access Credentials (PACs) are credentials that are distributed to clients for optimized network authentication. PACs can be used to establish an authentication tunnel between the client and the authentication server (the first phase of authentication as described in the “Two-Phase Tunneled Authentication” section on page 3-2). A PAC consists of, at most, three components: a shared secret, an opaque element, and other information.
The shared secret component contains the pre-shared key between the client and authentication server. Called the PAC-Key, this pre-shared key establishes the tunnel in the first phase of authentication.
The opaque component is provided to the client and is presented to the authentication server when the client wants to obtain access to network resources. Called the PAC-Opaque, this component is a variable length field that is sent to the authentication server during tunnel establishment. The EAP server interprets the PAC-Opaque to obtain the required information to validate the client's identity and authentication. The PAC-Opaque includes the PAC-Key and may contain the PAC's client identity.
The PAC might contain other information. Called PAC-Info, this component is a variable length field that is used to provide, at a minimum, the authority identity of the PAC issuer (the server that created the PAC). Other useful but not mandatory information, such as the PAC-Key lifetime, can also be conveyed by the PAC-issuing server to the client during PAC provisioning or refreshment.
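As an added example (not code from the guide or from Cisco), the following Python parser handles the TLV format of RFC 4851 section 4.2 cited above and applies it to a PAC TLV, so the PAC-Key, PAC-Opaque and PAC-Info components just described can be picked apart and checked. The type codes are those RFC 4851 assigns; the sample PAC bytes, the A-ID string "example-acs" and the expiry value are constructed assumptions.

```python
import struct
# TLV type codes from RFC 4851 section 4.2 (top-level) and 4.2.8 (PAC attributes).
TLV_EAP_PAYLOAD, TLV_PAC = 9, 11
PAC_KEY, PAC_OPAQUE, PAC_LIFETIME, PAC_AID, PAC_INFO = 1, 2, 3, 4, 9
MANDATORY = 0x8000  # M bit of the 16-bit type field; 0x4000 is the reserved R bit

def encode_tlv(tlv_type, value, mandatory=True):
    # One TLV: 2-byte type (M bit + 14-bit type), 2-byte length, value.
    return struct.pack("!HH", tlv_type | (MANDATORY if mandatory else 0), len(value)) + value

def parse_tlvs(buf):
    """Return [(mandatory, type, value), ...]; truncated or overlong TLVs are rejected."""
    out, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 4:
            raise ValueError("truncated TLV header")
        hdr, length = struct.unpack_from("!HH", buf, pos)
        if pos + 4 + length > len(buf):
            raise ValueError("TLV length exceeds buffer")
        out.append((bool(hdr & MANDATORY), hdr & 0x3FFF, buf[pos + 4:pos + 4 + length]))
        pos += 4 + length
    return out

def parse_pac(pac_value):
    """Split a PAC TLV into PAC-Key, PAC-Opaque and the A-ID / expiry from PAC-Info."""
    pac = {}
    for _, attr, val in parse_tlvs(pac_value):
        if attr == PAC_KEY:
            if len(val) != 32:  # RFC 4851: the PAC-Key is 32 octets
                raise ValueError("PAC-Key must be 32 bytes")
            pac["key"] = val
        elif attr == PAC_OPAQUE:
            pac["opaque"] = val  # opaque to the client; only the issuing server decodes it
        elif attr == PAC_INFO:
            info = {t: v for _, t, v in parse_tlvs(val)}
            pac["a_id"] = info.get(PAC_AID)  # authority identity of the PAC issuer
            if PAC_LIFETIME in info:  # 4-octet expiry time, seconds since 1970
                pac["expires"] = struct.unpack("!I", info[PAC_LIFETIME])[0]
    return pac

def pac_from_exchange(buf, known=(TLV_EAP_PAYLOAD, TLV_PAC)):
    """Find the PAC TLV in a phase-2 TLV stream; an unknown mandatory TLV aborts."""
    for mandatory, tlv_type, value in parse_tlvs(buf):
        if mandatory and tlv_type not in known:
            raise ValueError("unsupported mandatory TLV type %d" % tlv_type)
        if tlv_type == TLV_PAC:
            return parse_pac(value)

# Constructed sample (not a real PAC): dummy key and opaque blob, fictitious A-ID, arbitrary expiry.
SAMPLE_INFO = encode_tlv(PAC_AID, b"example-acs", False) + encode_tlv(PAC_LIFETIME, struct.pack("!I", 1700000000), False)
SAMPLE_PAC = encode_tlv(PAC_KEY, bytes(range(32)), False) + encode_tlv(PAC_OPAQUE, b"\xde\xad\xbe\xef" * 4, False) + encode_tlv(PAC_INFO, SAMPLE_INFO, False)
SAMPLE_EXCHANGE = encode_tlv(TLV_PAC, SAMPLE_PAC)
```

A non-mandatory TLV of unknown type is skipped, while an unknown TLV with the M bit set stops processing, which is the behaviour RFC 4851 requires of a peer before it answers with a NAK.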
PACs are created and issued by a PAC authority, such as Cisco Secure ACS, and are identified by an ID. A user obtains his or her own copy of a PAC from a server, and the ID links the PAC to a profile.
Persistent PACs, such as machine PACs, are stored in the EAP-FAST registry and encrypted. These PACs are also protected with access control lists (ACLs) so only designated users (the owners of the PACs) and members of privileged user groups (for example, administrators) can access them. Machine PACs are stored globally so that all users of a machine can use the PACs.
All PACs are encrypted and tied to the host machine with the Microsoft Crypto API (CryptProtectData). PACs cannot be copied and used on other machines.
All non-persistent PACs, such as User Authorization PACs, are stored in volatile memory and do not persist after reboot or after a user has logged off.
Server Certificate Validation
As a part of the TLS negotiation in the first phase of EAP-FAST authentication, the authentication server presents the client with a certificate. The client must verify the validity of the EAP server certificate and also examine the EAP server name that is presented in order to determine whether the server can be trusted.
Cisco Aironet 802.11a/b/g Wireless LAN Client Adapters (CB21AG and PI21AG) Installation and Configuration Guide for Windows Vista
OL-16534-01