Cisco Systems CB21AG

5-16

Cisco Aironet 802.11a/b/g Wireless LAN Client Adapters (CB21AG and PI21AG) Installation and Configuration Guide

OL-4211-03

Chapter5 Configuring the Client Adapter

Setting Security Parameters

The client adapter uses the username, password, and PAC to perform mutual authentication with the

RADIUS server through the access point. The username and pa ssword need t o be re -en tere d eac h

time the client adapter is inserted or the Windows device is rebooted unless you configur e yo ur

adapter to use saved EAP-FAST credentials.

PACs are created by Cisco Secure ACS and are identified by an ID. The user obtains his or her own

copy of the PAC from the server, and the ID links the PAC to the profile created in ADU. When

manual PAC provisioning is enabled, the PAC is manually copied from the server and imported onto

the client device. The following rules govern PAC storage:

–

PACs are stored as encrypted data files in either the global or private store on the user’s

computer.

•Global PACs can be accessed and used by any user at any logon stage. They are available

before or during logon or after the user is logged off if the profile is not configure d with the

No Network Connection Unless User Is Logged In option.

•Private PACs can be accessed and used only by the user who provisioned them or the system

administrator.

Note Global PACs are stored on C:\Document and Settings\All Users\Application

Data\Cisco\cscostore, and private PACs are stored on C:\Document and Settings\user\

Application Data\Cisco\cscostore.

–

If automatic PAC provisioning is enabled and it occurs after the user is logged on, the PAC is

stored in the private store of the currently logged-on user. Otherwise, the PAC is stored in the

global store.

–

PAC files can be added or overwritten using the import feature.

–

PAC files can be removed using the delete feature. They are also deleted when you uninstall the

client adapter software.

EAP-FAST authentication is designed to support the following user databases o v er a wireless LAN:

–

Cisco Secure ACS internal user database

–

Cisco Secure ACS ODBC user database

–

Windows NT/2000/2003 domain user database

–

LDAP user database

LDAP user databases (such as NDS) support only manual PAC provisioning while the other three

user databases support both automatic and manual PAC provisioning.

•EAP-TLS—This authentication type uses a dynamic session-based WEP key derived from the

client adapter and RADIUS server to encrypt data. It uses a client certificate for authentication.

RADIUS servers that support EAP-TLS include Cisco Secure ACS release 3.0 or late r an d C is co

Access Registrar release 1.8 or later.