5-17
Cisco Aironet 802.11a/b/g Wireless LAN Client Adapters (CB21AG and PI21AG) Installation and Configuration Guide
OL-4211-03
Chapter 5 Configuring the Client Adapter Setting Security Parameters
PEAP (EAP-GTC)—This PEAP authentication type is designed to support One-Time Password
(OTP), Windows NT or 2000 domain, and LDAP user databases over a wireless LAN. It is based on
EAP-TLS authentication but uses a password instead of a client certificate for authentication. PEAP
(EAP-GTC) uses a dynamic session-based WEP key derived from the client adapter and RADIUS
server to encrypt data. If your network uses an OTP user database, PEAP (EAP-GTC) requires you
to enter a hardware or software token password to start the EAP authentication process and gain
access to the network. If your network uses a Windows NT or 2000 domain user database or an
LDAP user database (such as NDS), PEAP (EAP-GTC) requires you to enter your username,
password, and domain name in order to start the authentication process.
RADIUS servers that support PEAP (EAP-GTC) authentication include Cisco Secure ACS release
3.1 or later.
PEAP (EAP-MSCHAP V2)—This PEAP authentication type is based on EAP-TLS authentication
but uses a password instead of a client certificate for authentication. PEAP (EAP-MSCHAP V2)
uses a dynamic session-based WEP key derived from the client adapter and RADIUS server to
encrypt data.
RADIUS servers that support PEAP (EAP-MSCHAP V2) authentication include Cisco Secure ACS
release 3.2 or later.
When you configure your access point as indicated in Table 5-4 on page 5-20 and configure your client
adapter for LEAP, EAP-FAST, EAP-TLS, PEAP (EAP-GTC), or PEAP (EAP-MSCHAP V2),
authentication to the network occurs in the following sequence:
1. The client associates to an access point and begins the authentication process.
Note The client does not gain full access to the network until authentication between the client
and the RADIUS server is successful.
2. Communicating through the access point, the client and RADIUS server complete the authentication
process, with the password (LEAP and PEAP), password and PAC (EAP-FAST), or certificate
(EAP-TLS) being the shared secret for authentication. The password and PAC are never transmitted
during the process.
3. If authentication is successful, the client and RADIUS server derive a dynamic, session-based WEP
key that is unique to the client.
4. The RADIUS server transmits the key to the access point using a secure channel on the wired LAN.
5. For the length of a session, or time period, the access point and the client use this key to encrypt or
decrypt all unicast packets (and broadcast packets if the access point is set up to do so) that travel
between them.
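The following Python model illustrates steps 1 through 4 of this sequence. It is an added example, not Cisco code: the user database, the challenge-bound password proof and the session-key derivation (an HMAC truncated to a 104-bit WEP key length) are constructed stand-ins for the real EAP method cryptography, chosen only to show that the password never crosses the air, that the access point drops client data until the RADIUS server accepts, and that each session yields a different key that both ends hold.

```python
import hmac
import hashlib
import os

# Constructed user database standing in for the RADIUS server's back end.
USERS = {"alice": "wonderland", "bob": "builder"}


def derive_session_key(password: str, challenge: bytes) -> bytes:
    """Step 3 stand-in: both ends derive a per-session key from the shared secret
    and a fresh challenge. 13 bytes models a 104-bit dynamic WEP key (not the EAP PRF)."""
    return hmac.new(password.encode(), b"session-key" + challenge, hashlib.sha256).digest()[:13]


def proof_of_password(password: str, challenge: bytes) -> bytes:
    """Stand-in for the EAP method: only a challenge-bound proof is sent, never the
    password (constructed; not the MSCHAPv2 or GTC wire format)."""
    return hmac.new(password.encode(), b"proof" + challenge, hashlib.sha256).digest()


class RadiusServer:
    def authenticate(self, user, proof, challenge):
        password = USERS.get(user)
        if password is None or not hmac.compare_digest(proof_of_password(password, challenge), proof):
            return None  # Access-Reject: no key, client stays unauthenticated
        return derive_session_key(password, challenge)  # Access-Accept carrying the key


class AccessPoint:
    def __init__(self, radius):
        self.radius = radius
        self.keys = {}  # client MAC -> session key, populated at step 4

    def forward(self, client_mac, frame):
        # Step 1 note: until RADIUS accepts, only the EAP exchange passes; data is dropped.
        return "forwarded" if client_mac in self.keys else "dropped"

    def eap_exchange(self, client_mac, user, make_proof):
        challenge = os.urandom(16)
        key = self.radius.authenticate(user, make_proof(challenge), challenge)  # step 2
        if key is not None:
            self.keys[client_mac] = key  # step 4: key reaches the AP over the wired LAN
        return challenge, key is not None


def run_sequence(user, password, client_mac="00:00:00:00:00:01"):
    ap = AccessPoint(RadiusServer())
    before = ap.forward(client_mac, b"data")
    challenge, ok = ap.eap_exchange(client_mac, user, lambda c: proof_of_password(password, c))
    after = ap.forward(client_mac, b"data")
    client_key = derive_session_key(password, challenge) if ok else None
    return {"before": before, "ok": ok, "after": after, "session_key": client_key,
            "keys_match": ok and client_key == ap.keys.get(client_mac)}
```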
Refer to the following pages for instructions on enabling these EAP types:
LEAP, page 5-27
EAP-FAST, page 5-31
EAP-TLS, PEAP (EAP-GTC), or PEAP (EAP-MSCHAP V2), page 5-39
Note Refer to the IEEE 802.11 Standard for more information on 802.1X authentication and to the following
URL for additional information on RADIUS servers:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7ab.html