Cisco Systems CB21AG, PI21AG manual Overview of LEAP, How LEAP Works, 3-17

Chapter 3 Configuring EAP Types

Overview of LEAP

Cisco LEAP is an authentication protocol designed for use in IEEE 802.11 wireless local area networks (WLANs). Important features of LEAP include the following:

Mutual authentication between the network infrastructure and the user.

Secure derivation of random, user-specific cryptographic session keys.

Compatibility with existing and widespread network authentication mechanisms (for example, RADIUS).

Computational speed.

Although Cisco LEAP is a Cisco proprietary protocol, it is based on existing IETF and IEEE standards. Cisco LEAP relies on the following:

Extensible Authentication Protocol (EAP)

EAP was originally designed to provide a framework so that new authentication methods could be introduced into the Point-to-Point Protocol (PPP). Before EAP existed, an entirely new PPP authentication protocol had to be defined for each new authentication method. With EAP, a new authentication method simply requires the definition of a new EAP type. An EAP type comprises a set of EAP request and response messages and their associated semantics.

Extensible Authentication Protocol over LAN (EAPOL)

Although originally designed to operate as part of PPP, EAP is flexible enough to be mapped onto most kinds of framed link layer. With a wireless access point, that link layer is a wireless LAN, not PPP. IEEE 802.1X defines EAP over LAN (EAPOL), a method for encapsulating EAP packets in Ethernet frames so that they can be carried over a LAN.

Encryption and Key Exchange

The 802.11 specification allows data traffic between the client and the access point to be encrypted. After the key exchange performed by WPA, WPA2, CCKM, or 802.1X with dynamic WEP keys, the client and the network access device hold the same pair of keys: a group key for broadcast and multicast traffic sent by the network access device, and a pairwise key for all other packets.

Remote Authentication Dial-In User Service (RADIUS) Servers

Network access servers (such as WLAN access points) often rely on a centralized AAA server to authenticate clients on their behalf. One of the more popular types of AAA server is a RADIUS server. Extensions to the RADIUS protocol have been defined to carry EAP packets between the authentication server and the network access server. In this arrangement the network access server is only a relay; the authentication conversation takes place end to end between the client and the RADIUS server. The RADIUS server informs the access point of the result of the authentication and whether to allow the client onto the network. Other parameters might be returned as well, including session keys for use between the client and the access point.

How LEAP Works

Because most RADIUS servers already support the Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), MS-CHAP is the basis for LEAP. The authenticator sends a random challenge to the client. The client computes the MD4 hash of its password (the NT password hash), uses that hash as DES key material, and encrypts the challenge with DES; the result is its response. The authenticator, which knows the client's username and password, computes the same value and accepts the client if the two match. For mutual authentication the client then issues a challenge of its own and verifies the network's response in the same way. Note that the challenge and response travel in the clear and the response depends only on the challenge and the password hash, so anyone who captures one exchange can test candidate passwords offline without further contact with the network. That is why this guide includes guidance on creating strong passwords (Appendix A, Creating Strong Passwords) and why EAP-FAST, which performs the credential exchange inside a protected tunnel, is generally preferred over LEAP.
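The exchange described above, written out as an added example; this is not code from the Cisco guide or from the client software. It implements MD4 (so the NT password hash is genuine), the MS-CHAP padding of the 16-byte hash to 21 bytes and its split into three 7-byte DES keys with parity bits, the authenticator's check, and what a passive eavesdropper can do with one captured exchange. Python's standard library has no DES, so the single-DES encryption of the 8-byte challenge is replaced by a clearly marked stand-in (truncated SHA-256 of key and challenge); with a real DES-ECB in block_encrypt() the output is exactly the 24-byte MS-CHAP response. The challenge value, the password "Summer2008" and the wordlist are constructed for the example.

```python
"""Worked model of the LEAP/MS-CHAP challenge-response flow (added example).

Real parts: MD4 (the NT password hash) and the MS-CHAP split of the 16-byte
hash into three 7-byte DES keys with odd-parity expansion. Stand-in part:
Python's standard library has no DES, so block_encrypt() uses truncated
SHA-256 where the real protocol applies single DES; the message flow and
the checks are unchanged by that substitution.
"""
import hashlib
import struct


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is absent on OpenSSL 3 builds."""
    def rot(x, n):
        return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         list(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", 8 * len(data))  # bit length, little-endian
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        s = list(h)
        for fn, k, order, shifts in rounds:
            for i in range(16):
                j = (-i) % 4  # register updated: a, d, c, b, a, ... as in the RFC tables
                s[j] = rot((s[j] + fn(s[(j + 1) % 4], s[(j + 2) % 4], s[(j + 3) % 4])
                            + x[order[i]] + k) & 0xFFFFFFFF, shifts[i % 4])
        h = [(a + b) & 0xFFFFFFFF for a, b in zip(h, s)]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """The 'MD4 hash of the password' the text refers to: MD4 over UTF-16LE."""
    return md4(password.encode("utf-16-le"))


def des_key_with_parity(k7: bytes) -> bytes:
    """Expand 7 key bytes to the 8-byte DES key form (7 key bits + odd parity per byte)."""
    n = int.from_bytes(k7, "big")
    out = bytearray()
    for i in range(8):
        seven = (n >> (49 - 7 * i)) & 0x7F
        parity = 0 if bin(seven).count("1") % 2 else 1
        out.append((seven << 1) | parity)
    return bytes(out)


def block_encrypt(key8: bytes, challenge: bytes) -> bytes:
    """STAND-IN for DES-ECB of the 8-byte challenge (the stdlib has no DES)."""
    return hashlib.sha256(key8 + challenge).digest()[:8]


def challenge_response(challenge: bytes, nthash: bytes) -> bytes:
    """MS-CHAP response: hash padded to 21 bytes, three DES keys, three encrypted blocks."""
    assert len(challenge) == 8 and len(nthash) == 16
    padded = nthash + b"\x00" * 5
    keys = [des_key_with_parity(padded[i:i + 7]) for i in (0, 7, 14)]
    return b"".join(block_encrypt(k, challenge) for k in keys)


def authenticator_verify(challenge: bytes, response: bytes, known_password: str) -> bool:
    """Server side: recompute the response from the stored credential and compare."""
    return challenge_response(challenge, nt_hash(known_password)) == response


def offline_guess(challenge: bytes, response: bytes, wordlist):
    """What a passive eavesdropper can do with one captured challenge/response pair."""
    for cand in wordlist:
        if challenge_response(challenge, nt_hash(cand)) == response:
            return cand
    return None


def recover_hash_tail(challenge: bytes, response: bytes):
    """The third DES key holds only 2 unknown hash bytes (hash[14:16]); brute-force them."""
    for v in range(65536):
        k = des_key_with_parity(v.to_bytes(2, "big") + b"\x00" * 5)
        if block_encrypt(k, challenge) == response[16:]:
            return v.to_bytes(2, "big")
    return None


if __name__ == "__main__":
    chal = bytes.fromhex("0102030405060708")            # constructed challenge
    resp = challenge_response(chal, nt_hash("Summer2008"))  # constructed password
    print(authenticator_verify(chal, resp, "Summer2008"))
    print(offline_guess(chal, resp, ["password", "cisco", "Summer2008"]))
    print(recover_hash_tail(chal, resp).hex(), nt_hash("Summer2008")[14:].hex())
```

offline_guess() needs nothing the sniffer did not already see, which is the practical meaning of "the response depends only on the challenge and the password hash". recover_hash_tail() shows a further structural weakness of the padding: the third key carries only two bytes of hash followed by five zero bytes, so the last 8 bytes of the response can be brute-forced in at most 2^16 trials to recover those two hash bytes and discard most of a wordlist before any full response is computed.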

Cisco Aironet 802.11a/b/g Wireless LAN Client Adapters (CB21AG and PI21AG) Installation and Configuration Guide for Windows Vista

OL-16534-01

3-17