Chapter 5 Configuring the Client Adapter
Setting Security Parameters
Additional WEP Key Security Features
The three security features discussed in this section (MIC, TKIP, and broadcast key rotation) are designed to prevent sophisticated attacks on your wireless network’s WEP keys. These features do not need to be enabled on the client adapter; they are supported automatically in the client adapter software. However, they must be enabled on the access point.
Note: Refer to the documentation for your access point for instructions on enabling these security features.
Message Integrity Check (MIC)
MIC prevents bit-flip attacks on encrypted packets. During a bit-flip attack, an intruder intercepts an encrypted message, alters it slightly, and retransmits it, and the receiver accepts the retransmitted message as legitimate. The MIC adds a few bytes to each packet to make the packets tamper-proof.
The Advanced Status window indicates if MIC is being used, and the Advanced Statistics window provides MIC statistics.
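The following added example (not part of the Cisco guide) models a WEP frame as RC4 over the payload plus its CRC-32 ICV, and shows why the ICV alone accepts a frame altered in transit while a keyed MIC rejects it. The keys, payload, and the truncated HMAC-SHA256 used as the MIC are assumptions for illustration; the adapter's actual MIC algorithm is not reproduced here.

```python
import hashlib, hmac, zlib

def rc4(key: bytes, data: bytes) -> bytes:  # same call encrypts and decrypts
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i, j, out = 0, 0, bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def icv(data: bytes) -> bytes:  # WEP integrity check value: plain CRC-32, no key
    return zlib.crc32(data).to_bytes(4, "little")

def mic(mic_key: bytes, payload: bytes) -> bytes:
    # Stand-in keyed MIC (assumption): truncated HMAC-SHA256, not the adapter's algorithm.
    return hmac.new(mic_key, payload, hashlib.sha256).digest()[:8]

def seal(iv, wep_key, payload, mic_key=None):
    body = payload + (mic(mic_key, payload) if mic_key else b"")
    return rc4(iv + wep_key, body + icv(body))

def receive(iv, wep_key, frame, mic_key=None):
    """Return the payload, or None if the receiver rejects the frame."""
    plain = rc4(iv + wep_key, frame)
    body, tag = plain[:-4], plain[-4:]
    if icv(body) != tag:
        return None
    if mic_key is None:
        return body
    payload, got = body[:-8], body[-8:]
    return payload if hmac.compare_digest(got, mic(mic_key, payload)) else None

def alter_in_transit(frame: bytes, delta: bytes) -> bytes:
    """Keyless change: CRC-32 is linear over XOR, so the ICV can be patched to match."""
    delta = delta.ljust(len(frame) - 4, b"\0")
    fix = bytes(a ^ b for a, b in zip(icv(delta), icv(bytes(len(delta)))))
    return bytes(c ^ m for c, m in zip(frame, delta + fix))

def demo():
    # Constructed sample values; delta turns '0' (0x30) into '9' (0x39) at offset 4.
    iv, key, mkey = b"\x01\x02\x03", b"constructedK1", b"constructed-mic-key"
    payload, delta = b"PAY 0100 to alice", bytes(4) + b"\x09"
    wep_only = receive(iv, key, alter_in_transit(seal(iv, key, payload), delta))
    with_mic = receive(iv, key, alter_in_transit(seal(iv, key, payload, mkey), delta), mkey)
    return wep_only, with_mic
```

`demo()` returns the altered payload for the ICV-only frame and `None` for the frame that carries the keyed MIC.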
Temporal Key Integrity Protocol (TKIP)
This feature, also referred to as WEP key hashing, defends against an attack on WEP in which the intruder uses the initialization vector (IV) in encrypted packets to calculate the WEP key. TKIP removes the predictability that an intruder relies on to determine the WEP key by exploiting IVs. It protects both unicast and broadcast WEP keys.
Note: TKIP is enabled automatically when WPA is enabled, and it is disabled when WPA is disabled.
Broadcast Key Rotation
When you enable broadcast WEP key rotation, the access point provides a dynamic broadcast WEP key and changes it at the interval you select.
Synchronizing Security Features
In order to use any of the security features discussed in this section, both your client adapter and the access point to which it will associate must be set appropriately. Table 5-4 indicates the client and access point settings required for each security feature. This chapter provides specific instructions for enabling the security features on your client adapter. Refer to the documentation for your access point for instructions on enabling any of these features on the access point.
Table 5-4 Client and Access Point Security Settings

| Security Feature | Client Setting | Access Point Setting |
|---|---|---|
| Static WEP with open authentication | Choose Open authentication and Pre-Shared Key (Static WEP) and create a WEP key | Set up and enable WEP and enable Open Authentication for the SSID |
| Static WEP with shared key authentication | Choose Shared authentication and Pre-Shared Key (Static WEP) and create a WEP key | Set up and enable WEP and enable Shared Key Authentication for the SSID |
Cisco Aironet 802.11a/b/g Wireless LAN Client Adapters (CB21AG and PI21AG) Installation and Configuration Guide, OL-4211-03
Copyright 2005 Cisco Systems, Inc All rights reserved