Chapter 3 Configuring EAP Types
Configuring LEAP
During authentication, the access point acts as a transparent relay for the conversation between the client and the RADIUS server. The EAPOL header is removed from EAPOL packets that come from the client. The contents of the EAPOL packet are added as an EAP attribute to a RADIUS request packet and sent to the RADIUS server. RADIUS packets from the server have the EAP attribute contents added to an EAPOL packet and sent to the client. The access point never examines the contents of the EAP data.
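The relay step described above, as an added Python example (not Cisco's code): it assumes the "EAP attribute" is the RADIUS EAP-Message attribute of RFC 3579 and goes slightly beyond the text by adding that RFC's Message-Authenticator. The function names, the identity "alice" and the shared secret are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80  # RADIUS attribute types (RFC 3579)
# Constructed sample: EAP-Response/Identity "alice" inside an EAPOL EAP-Packet frame
SAMPLE_EAP = struct.pack("!BBHB", 2, 1, 10, 1) + b"alice"
SAMPLE_FRAME = struct.pack("!BBH", 1, 0, len(SAMPLE_EAP)) + SAMPLE_EAP + bytes(4)


def strip_eapol(frame: bytes) -> bytes:
    """Drop the 4-byte EAPOL header; return the EAP packet untouched."""
    if len(frame) < 4:
        raise ValueError("truncated EAPOL header")
    _version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    if ptype != 0:  # 0 = EAP-Packet; other EAPOL types carry no EAP
        raise ValueError("not an EAP-Packet frame")
    if len(frame) < 4 + body_len:
        raise ValueError("EAPOL body shorter than declared length")
    return frame[4:4 + body_len]  # ignores link-layer padding after the body


def attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value


def eap_to_access_request(eap, user, secret, ident):
    """Wrap an EAP packet in a RADIUS Access-Request without inspecting it."""
    attrs = attr(1, user)  # User-Name
    for i in range(0, len(eap), 253):  # one attribute value holds at most 253 bytes
        attrs += attr(EAP_MESSAGE, eap[i:i + 253])
    zeroed = attrs + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", 1, ident, 20 + len(zeroed)) + os.urandom(16)
    mac = hmac.new(secret, header + zeroed, hashlib.md5).digest()
    return header + attrs + attr(MESSAGE_AUTHENTICATOR, mac)


def eap_from_radius(packet: bytes) -> bytes:
    """Reassemble the EAP packet from a RADIUS packet's EAP-Message attributes."""
    eap, pos = b"", 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            raise ValueError("malformed attribute length")
        if atype == EAP_MESSAGE:
            eap += packet[pos + 2:pos + alen]
        pos += alen
    return eap
```

The EAP bytes come out of `eap_from_radius` exactly as they went in, which is the sense in which the access point is a transparent relay: only the EAPOL and RADIUS framing changes.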
When the client associates to an access point, the access point sends an EAP identity request to the client. The client responds with a username. The RADIUS server then formats a LEAP challenge EAP attribute. The client sends a LEAP challenge response back to the RADIUS server.
If the user is invalid, the RADIUS server sends a RADIUS access-deny message that contains an EAP failure attribute. If the user is valid, the server sends a RADIUS access-challenge packet with an EAP success attribute. The client responds with a LEAP challenge. The server responds with a RADIUS access-accept packet that contains an EAP attribute with the LEAP challenge response. This packet also contains a Cisco vendor-specific attribute that informs the access point of the value of the encryption key. The client verifies the challenge response. If the response is invalid, the client disassociates and attempts to find another access point.
802.11 supports the use of up to four encryption keys for the traffic between a client and its access point. The access point uses one of the key indices for the session key. This key has a different value for each connection between the client and the access point.
The session key is derived from the user password and the contents of the LEAP challenges and responses that go to and from the client. 802.11 encryption might be based on a 40-bit key or a 128-bit key. The key derivation routines provide a key that is longer than needed.
Configuring LEAP
This section explains how to configure LEAP module settings. The following topics are covered in this section:
Accessing LEAP Properties for Configuration
To access the LEAP Properties window, perform the following steps:
Step 1 Click the Start button on the lower-left corner of the desktop.
Step 2 From the right pane, right-click Network.
Step 3 Select Properties.
Step 4 From the left pane, select Manage Wireless Networks.
Step 5 Double-click the wireless network.
Step 6 From the Wireless Network properties window, select the Security tab (see Figure 3-1).
| Cisco Aironet 802.11a/b/g Wireless LAN Client Adapters (CB21AG and PI21AG) Installation and Configuration Guide for Windows Vista |
3-18 | OL-16534-01 |