Cisco Systems CB21AG manual Leap, EAP-FAST, EAP-TLS, Peap EAP-GTC, or Peap EAP-MSCHAP V2

Page 83

Chapter 5 Configuring the Client Adapter

Setting Security Parameters

PEAP (EAP-GTC)—This PEAP authentication type is designed to support One-Time Password (OTP), Windows NT or 2000 domain, and LDAP user databases over a wireless LAN. It is based on EAP-TLS authentication but uses a password instead of a client certificate for authentication. PEAP (EAP-GTC) uses a dynamic session-based WEP key derived from the client adapter and RADIUS server to encrypt data. If your network uses an OTP user database, PEAP (EAP-GTC) requires you to enter a hardware or software token password to start the EAP authentication process and gain access to the network. If your network uses a Windows NT or 2000 domain user database or an LDAP user database (such as NDS), PEAP (EAP-GTC) requires you to enter your username, password, and domain name in order to start the authentication process.

RADIUS servers that support PEAP (EAP-GTC) authentication include Cisco Secure ACS release 3.1 or later.

PEAP (EAP-MSCHAPV2)—This PEAP authentication type is based on EAP-TLS authentication but uses a password instead of a client certificate for authentication. PEAP (EAP-MSCHAP V2) uses a dynamic session-based WEP key derived from the client adapter and RADIUS server to encrypt data.

RADIUS servers that support PEAP (EAP-MSCHAP V2) authentication include Cisco Secure ACS release 3.2 or later.

When you configure your access point as indicated in Table 5-4 on page 5-20and configure your client adapter for LEAP, EAP-FAST, EAP-TLS, PEAP (EAP-GTC), or PEAP (EAP-MSCHAP V2), authentication to the network occurs in the following sequence:

1.The client associates to an access point and begins the authentication process.

Note The client does not gain full access to the network until authentication between the client and the RADIUS server is successful.

2.Communicating through the access point, the client and RADIUS server complete the authentication process, with the password (LEAP and PEAP), password and PAC (EAP-FAST), or certificate (EAP-TLS) being the shared secret for authentication. The password and PAC are never transmitted during the process.

3.If authentication is successful, the client and RADIUS server derive a dynamic, session-based WEP key that is unique to the client.

4.The RADIUS server transmits the key to the access point using a secure channel on the wired LAN.

5.For the length of a session, or time period, the access point and the client use this key to encrypt or decrypt all unicast packets (and broadcast packets if the access point is set up to do so) that travel between them.

Refer to the following pages for instructions on enabling these EAP types:

LEAP, page 5-27

EAP-FAST, page 5-31

EAP-TLS, PEAP (EAP-GTC), or PEAP (EAP-MSCHAP V2), page 5-39

Note Refer to the IEEE 802.11 Standard for more information on 802.1X authentication and to the following URL for additional information on RADIUS servers: http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter0918 6a00800ca7ab.html

Cisco Aironet 802.11a/b/g Wireless LAN Client Adapters (CB21AG and PI21AG) Installation and Configuration Guide

 

OL-4211-03

5-17

 

 

 

Page 82 Page 84
Image 83
Page 82 Page 84
Contents Customer Order Number Text Part Number OL-4211-03 Corporate HeadquartersCopyright 2005 Cisco Systems, Inc All rights reserved Iii N T E N T SAssembling the Antenna Overview Pop-Up Menu Help Exit Vii Select ProfileViii Antenna Installation Warning B-3WPA OL-4211-03 Following topics are covered in this section PrefaceXii AudiencePurpose OrganizationXiii ConventionsXiv Documentation DVD Related PublicationsObtaining Documentation Cisco.comXvi Cisco Product Security OverviewOrdering Documentation Documentation FeedbackAn emergency, you can also reach Psirt by telephone 877 408 Reporting Security Problems in Cisco ProductsObtaining Technical Assistance Cisco Technical Support WebsiteXviii Submitting a Service RequestDefinitions of Service Request Severity Xix Obtaining Additional Publications and InformationOL-4211-03 Product Overview AIR-CB21AG Introduction to the Client AdaptersTerminology Client Adapter Model Number DescriptionLEDs Hardware ComponentsRadio Radio AntennaClient Utilities Software ComponentsDriver Ad Hoc Wireless LAN Network Configurations Using Client AdaptersAccess Point Root Unit Wired LAN Preparing for Installation Safety Guidelines Safety informationFCC Safety Compliance Statement Unpacking the Client Adapter Package ContentsSystem Requirements For Client Devices Site RequirementsFor Infrastructure Devices OL-4211-03 Installing the Client Adapter Inserting a PC-Cardbus Card Inserting a Client AdapterBracket screws Inserting a PCI CardChanging the Bracket Inserting the Card Inserting a PCI Card into a PC Assembling the AntennaInserting the Antenna into Its Base Mounting the AntennaBottom of Antenna Base Mounting the Antenna Installing the Client Adapter Software Preparing Setup Window Cisco Aironet Installation Program Window Click Next. The Setup Type window appears see Figure10 Setup Type Window 11 Install Cisco Aironet Site Survey Utility Window 12 Choose Destination Location Window 13 Select Program Folder Window 14 Important Please Read! Window 15 Choose Configuration Tool Window FeatureReceive Leap or EAP-FAST authenticationWith dynamic WEP EAP-TLS or Peap authentication Yes Security Static WEP YesClick Properties Installing a Microsoft Hot Fix for Group Policy Delay Page OL-4211-03 Using the Profile Manager Opening Profile Manager Overview of Profile ManagerSSID3 Field DescriptionSSID1 SSID2Available Infrastructure and Ad Hoc Networks Window Creating a New ProfileSNR Profile Management General Window Auto Profile Selection Management Window Including a Profile in Auto Profile SelectionOL-4211-03 Selecting the Active Profile Deleting a Profile Modifying a ProfileImporting and Exporting Profiles Editing a ProfileExporting a Profile Importing a ProfileExport Profile Window Configuring the Client Adapter Parameter Category Number OverviewSetting General Parameters Parameter Description Auto profile selection ReconfiguredAuto profile selection or configured for use in an ad hoc Client adapter to roam to that network without having to beProfile Management Advanced Window Setting Advanced ParametersRadio Band Transmit Power Level Profile Management Advanced Parameters Network Type Description Parameter Description Parameter Description Default Open Preferred Access Points Window Setting Security ParametersProfile Management Security Window Overview of Security FeaturesEAP with Dynamic WEP Keys Static WEP KeysConfiguring the Client Adapter Setting Security Parameters EAP-FAST, EAP-TLS, Peap EAP-GTC, or Peap EAP-MSCHAP V2, LEAP,Cckm Fast Secure Roaming WPA and WPA2Reporting Access Points that Fail Leap Authentication Ssid Synchronizing Security FeaturesAdditional WEP Key Security Features Security Feature Client Setting Access Point SettingWPA Security Feature Client Setting Access Point Setting MIC LEAP, EAP-FAST, EAP-TLSOr later, choose a cipher suite that is WPA/WPA2/CCKMInterval to any value other than Enabling Static WEPTkip Peap EAP-MSCHAPConfiguring the Client Adapter Setting Security Parameters Define WPA/WPA2 Pre-Shared Key Window Enabling WPA/WPA2 PassphraseEnabling Leap Leap Settings Window Configuring the Client Adapter Setting Security Parameters Configuring the Client Adapter Setting Security Parameters Enabling EAP-FAST EAP-FAST Settings Window Configuring the Client Adapter Setting Security Parameters Click Select More Select EAP-FAST PAC Window 10 Import EAP-FAST PAC File Window Configuring the Client Adapter Setting Security Parameters Deleting a Manually Provisioned PAC File Enabling EAP-TLS or Peap 12 Define Certificate Window Enabling EAP-TLSConfiguring the Client Adapter Setting Security Parameters Enabling Peap EAP-GTC 13 Define Peap EAP-GTC Configuration Window 14 Configuration Settings Window Configuring the Client Adapter Setting Security Parameters Enabling Peap EAP-MSCHAP 15 Define Peap EAP-MSCHAP V2 Configuration Window16 Configuration Settings Window Configuring the Client Adapter Setting Security Parameters Configuring the Client Adapter Setting Security Parameters Configuring the Client Adapter Setting Security Parameters Enabling the QoS Packet Scheduler on Windows Enabling Wi-Fi MultimediaDisabling Static WEP, WPA/WPA2 Passphrase, or EAP 17 Wireless Cisco Connection Properties Window 18 Select Network Component Type Window Click Control Panel Double-clickNetwork Connections Enabling the QoS Packet Scheduler on Windows XPFollow these steps to access the roaming parameters Setting Roaming Parameters in the Windows Control PanelWireless Mode Using EAP Authentication Leap or EAP-FAST Authentication Status Window Using Leap or EAP-FASTStage Explanation After Profile Activation or Card InsertionAfter Your EAP-FAST Password Expires After a Reboot or LogonUsing Leap or EAP-FAST with an Automatically Prompted Login Enter Wireless Network Password Window After Your EAP-FAST Password Expires After Profile Activation Using Leap or EAP-FAST with a Manually Prompted LoginAfter a Reboot, Logon, or Card Insertion Action Drop-Down Menu After Your EAP-FAST Password Expires Using Leap or EAP-FAST with a Saved Username and Password 10 Please Change Password Window Using EAP-TLSOTP Databases Only Using Peap EAP-GTCWindows NT or 2000 Domain Databases or Ldap Databases Only Restarting the Authentication Process Using Peap EAP-MSCHAPOL-4211-03 Viewing Status and Statistics Number Overview of ADU Status and Statistics ToolsTool Status StatisticsSignal-to-noise ratio as a percentage Displays the signal strength3interprets each element of the Current Status window Viewing the Current Status of Your Client AdapterStatus Description Status Description 4interprets each element of the Advanced Status window Details on these server-based authentication typesMMH None MIC is disabledMIC is enabled and is being used with Michael MIC is enabled and is being used with WPA and TkipWMM Status Description Status Description Viewing Statistics for Your Client Adapter Cisco Aironet Desktop Utility Diagnostics WindowAdvanced Statistics Window Statistic Description6interprets each element of the Advanced Statistics window Point Integrity check MIC value when Ckip was being usedCkip MIC OK OL-4211-03 Using the Aironet System Tray Utility Astu Icon Description Infrastructure mode or another client in ad hoc modeOverview of Astu Astu IconStatus Element Description Tool Tip WindowConnection Status Description Following sections describe each Astu pop-up menu option This option enables you to access the online helpPop-Up Menu HelpPreferences TroubleshootingExit Open Aironet Desktop UtilityEnable/Disable Radio Select Profile Manual LoginReauthenticate Connection Status Window Show Connection StatusConnection Status Window Elements Ssid OL-4211-03 Routine Procedures Removing a PCI Card Removing a Client AdapterRemoving a PC-Cardbus Card Upgrading the Client Adapter Software Client Adapter Software ProceduresPrevious Installation Detected Window Choose Update the previous installation and click Next Choose Uninstall the previous installation and click Next Uninstalling the Client Adapter SoftwareExiting ADU ADU ProceduresOpening ADU Viewing Client Adapter Information Finding the Version of ADUEnabling or Disabling Your Client Adapter’s Radio Astu ProceduresAccessing Online Help Refer to for instructions on using AstuOL-4211-03 10-1 Troubleshooting10-2 Accessing the Latest Troubleshooting InformationInterpreting the Indicator LEDs Status LED green Activity LED amber ConditionDiagnosing Your Client Adapter’s Operation Troubleshooting the Client AdapterUsing the Troubleshooting Utility Troubleshooting Information Number10-4 Troubleshooting Utility Window10-5 Troubleshooting Utility Window with Test Results10-6 Troubleshooting Utility Window Detailed Report10-7 Saving the Detailed Report to a Text File10-8 Client Adapter Recognition ProblemsDisabling the Microsoft 802.1X Supplicant Windows 2000 Only 10-9 Reboot your computerResolving Resource Conflicts Resolving Resource Conflicts in Windows10-10 Problems Associating to an Access PointResolving Resource Conflicts in Windows XP 10-11 Problems Connecting to the NetworkPrioritizing Network Connections Parameters Missing from Profile Management Windows10-12 Error Messages10-13 10-14 10-15 10-16 10-17 10-18 10-19 10-20 10-21 10-22 10-23 10-24 Technical Specifications KV human body model Physical SpecificationsRadio Specifications ESDAppendix a Technical Specifications DBm @ 36 Mbps Receiver sensitivity 802.11aDBm @ 6, 9, 12, and 18 Mbps DBm @ 24 MbpsIndoor typical Outdoor typical Safety and Regulatory Compliance Specifications Power SpecificationsTranslated Safety Warnings Explosive Device Proximity Warning Antenna Installation Warning Appendix B Translated Safety Warnings Appendix B Translated Safety Warnings Appendix B Translated Safety Warnings Declarations of Conformity and Regulatory Information USA Models AIR-CB21AG-A-K9, AIR-PI21AG-A-K9Canadian Compliance Statement Department of Communications CanadaOL-4211-03 Declaration of Conformity Statement Cisco Aironet CB21AG Wireless LAN Client AdapterCisco Aironet PI21AG Wireless LAN Client Adapter English Translation Declaration of Conformity for RF ExposureJapanese Translation Communication ACT 5-GHz Client AdaptersChinese Translation English TranslationThis equipment is limited for indoor use GHz Client AdaptersOL-4211-03 Channels, Power Levels, and Antenna Gains Regulatory Domains ChannelsIeee 802.11a Ieee 802.11b/g With 1-dBi Antenna Gain Maximum Power Levels and Antenna GainsIeee 802.11b Data RateMbps 31.6 Ieee 802.11gOL-4211-03 P E N D I X E Overview EAP with Dynamic WEP Keys WPA Configuring the Client Adapter Configuring the Client Adapter Page Configuring the Client Adapter Page Enabling EAP-TLS Authentication For EAP type, choose Smart Card or other Certificate Configuring the Client Adapter Enabling Peap Authentication Figure E-6 Protected EAP Properties Window Figure E-7 EAP MSCHAPv2 Properties Window Figure E-8 Peap Properties Window Figure E-9 Generic Token Card Properties Window Figure E-10 Wireless Network Connection Status Window Associating to an Access Point Using Windows XPPerforming a Site Survey Additional Information GuidelinesSelecting the Client Adapter Opening the Site Survey UtilitySpecifying Display Units Using the Associated AP Status TabViewing the Access Point’s Status Table F-1 Site Survey Utility Associated AP Status Description Using the AP Scan List Tab Figure F-5 Site Survey Utility AP Scan List Viewing the AP Scan ListRssi Value 1, 2, 3, or Pausing the AP Scan ListCCX Detailed Information Parameter Description Access point’s wireless networkViewing AP Details Rssi Figure F-7 Site Survey Utility Log File Generating an AP Scan Log FileExiting the Site Survey Utility Accessing Online HelpUninstalling the Site Survey Utility Finding the Version of the Site Survey UtilityPage Set of characters that contains both letters and numbers Wireless network composed of stations without access pointsStations StandardGL-2 GL-3 Setting must be within the range of 64 to 2312 bytesGL-4 Ethernet 802.3 and wireless LAN 802.11 specificationsGL-5 GL-6 GL-7 Computing device with an installed client adapterProtection and 802.1X for authenticated key management 802.1X for authenticated key managementGL-8 IN-1 Authentication Mode parameterSelecting in ADU IN-2 Pausing ViewingADU Selecting the active profileIN-3 AstuCAM IN-4 ADU Windows XPData encryption ADU Site survey utility FCC C-2IN-5 RTS CRCFCC ACK CTSIN-7 IN-8 Disabling EnablingMMH MIC Status With Leap Modify buttonIN-9 IN-10 IN-11 IN-12 IN-13 Regulatory compliance Safety Spread spectrumSetting Viewing ADU IN-14 Third-party tool, enabling in Install WizardInitial window With test resultsIN-15 Security featuresIN-16
Related manuals
Manual 34 pages 15 Kb Manual 22 pages 28.37 Kb Manual 170 pages 950 b Manual 22 pages 55.14 Kb
Top Page Image Contents