Page 71
Chapter 3 Configuring EAP Types
Overview of LEAP
Cisco LEAP is an authentication protocol designed for use in IEEE 802.11 wireless local area networks (WLANs). Important features of LEAP include the following:
• Mutual authentication between the network infrastructure and the user.
• Secure derivation of random, user-specific cryptographic session keys.
• Compatibility with existing and widespread network authentication mechanisms (for example, RADIUS).
• Computational speed.
Although Cisco LEAP is a Cisco proprietary protocol, it is based on existing IETF and IEEE standards. Cisco LEAP relies on the following:
• Extensible Authentication Protocol (EAP)
EAP was originally designed to provide a framework so that new authentication methods could be introduced into the Point-to-Point Protocol (PPP). Before EAP existed, an entirely new PPP authentication protocol had to be defined for each new authentication method. With EAP, a new authentication method simply requires the definition of a new EAP type, which comprises a set of EAP request and response messages and their associated semantics.
• Extensible Authentication Protocol over LAN (EAPOL)
Although EAP was originally designed to operate as part of PPP, it is flexible enough to be mapped onto most types of framed link layer. With a wireless access point, this link layer is a wireless LAN, not PPP. The EAP over LAN (EAPOL) encapsulation defined by IEEE 802.1X specifies how EAP packets are carried in Ethernet frames so that they can be transmitted over a LAN.
• Encryption and Key Exchange
The 802.11 specification allows for data traffic between the client and access point to be encrypted using an encryption key. As a result of key exchange through WPA, WPA2, CCKM, or WEP, the client and the network access device derive the same pair of keys—one key for broadcast and multicast traffic from the network access device and another key for all other packets.
• Remote Authentication Dial-In User Service (RADIUS) Servers
Network access servers (such as WLAN access points) often rely on a centralized AAA server to authenticate clients on their behalf. One of the more popular types of AAA servers is a RADIUS server. Extensions to the RADIUS protocol have been defined to allow the transfer of the EAP packets between the authentication server and the network access server. In this case, the network access server is a relay agent; the authentication conversation takes place between the client and the RADIUS server. The RADIUS server informs the access point of the result of the authentication and whether to allow the client to access the network. Other parameters might be returned as well, including session keys for use between the client and the access point.
How LEAP Works
Because most RADIUS servers support the Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), MS-CHAP is the basis for LEAP. The authenticator sends a random challenge to the client. The client encrypts the challenge with the Data Encryption Standard (DES), using an MD4 hash of the password as the key material, and returns the result as its response. The authenticator then verifies the response by using its own knowledge of the client's username and password.
Cisco Aironet 802.11a/b/g Wireless LAN Client Adapters (CB21AG and PI21AG) Installation and Configuration Guide for Windows Vista
OL-16534-01
Configuring and Starting Logging
Step 1 Choose Start > All Programs > Accessories.
Step 2 Right-click Command Prompt and select Run as administrator.
wevtutil sl Cisco-EAP-LEAP/Debug /lfn:"<path to ETL log file>"
wevtutil sl Cisco-EAP-FAST/Debug /lfn:"<path to ETL log file>"
wevtutil sl Cisco-EAP-PEAP/Debug /lfn:"<path to ETL log file>"
Disabling Logging and Flushing Internal Buffers
wevtutil sl Cisco-EAP-LEAP/Debug /e:false
wevtutil sl Cisco-EAP-FAST/Debug /e:false
wevtutil sl Cisco-EAP-PEAP/Debug /e:false