Cisco Systems CB21AG Reporting Access Points that Fail LEAP Authentication

5-19

Cisco Aironet 802.11a/b/g Wireless LAN Client Adapters (CB21AG and PI21AG) Installation and Configuration Guide

OL-4211-03

Chapter5 Configuring the Client Adap ter Setting Security Parameters

Note If you want to enable CCKM fast secure roaming on the client adapter, you must choose the

WPA/WPA2/CCKM security option on the Profile Management (Security) window, regardless of

whether you want the adapter to use WPA or WPA2. The configuration of the access point to which your

client adapter associates determines whether CCKM will be used with 802.1x, WPA, or WPA2.

Note Access points must use Cisco IOS Release 12.2(11)JA or later to enable CCKM fast secure roaming.

Refer to the documentation for your access point for instructions on enabling this feature.

Note The Microsoft Wireless Configuration Manager and the Microsoft 80 2.1X supplicant, if installed, must

be disabled in order for CCKM fast secure roaming to oper ate c orre ctl y. If your comput er i s ru nning

Windows XP and you chose to configure your client adapter using ADU during installation, these

features should already be disabled. Similarly, if your computer is running Windows 2000, the Microsoft

802.1X supplicant, if installed, should already be disabled. Refer to Chapter 10 if you need addit iona l

information.

Reporting Access Points that Fail LEAP Authentication

The CB21AG and PI21AG client adapters and the following access point firmware versions support a

feature that is designed to detect access points that fail LEAP authentication:

•12.00T or later (access points running VxWorks)

•Cisco IOS Release 12.2(4)JA or later (1100 series access points)

•Cisco IOS Release 12.2(8)JA or later (1200 series access points)

•Cisco IOS Release 12.2(13)JA or later (350 series access points)

An access point running one of these firmware versions records a message in the system log when the

client discovers and reports another access point in the wireless network that has failed LEAP

authentication.

The process takes place as follows:

1. A client with a LEAP profile attempts to associate to access point A.

2. Access point A does not handle LEAP authentication successfully, perhaps because the access point

does not understand LEAP or cannot communicate to a trusted LEAP authentication server.

3. The client records the MAC address for access point A and the reason why the association failed.

4. The client associates successfully to access point B.

5. The client sends the MAC address of access point A and the reason code for the failure to access

point B.

6. Access point B logs the failure in the system log.

Note This feature does not need to be enabled on the cl ient ad ap ter or a c cess p oin t; i t i s sup ported

automatically by both devices. However, the access points must use the specified firmware versions

or later.