Enabling EAP-FAST | Cisco Systems CB21AG specification

Chapter 5 Configuring the Client Adapter

Setting Security Parameters

Enabling EAP-FAST

Before you can enable EAP-FAST authentication, your network devices must meet the following requirements:

•To use EAP-FAST authentication with WPA2, client adapters must use the software included in Install Wizard 2.0 or later.

•Access points to which your client adapter may attempt to authenticate must use the following firmware versions or later: 11.23T (340 and 350 series access points), 11.54T (1200 series access points), or Cisco IOS Release 12.2(4)JA (1100 series access points).

Note To use WPA or CCKM, access points must use Cisco IOS Release 12.2(11)JA or later. To use WPA2, access points must use Cisco IOS Release 12.3(2)JA or later. To use the Reporting Access Points That Fail LEAP or EAP-FAST Authentication feature, access points must use the firmware versions listed on page 5-19.

Note The access point to which your client adapter will associate must be configured for both Network-EAP and Open authentication.

•All necessary infrastructure devices (such as access points, servers, gateways and user databases) must be properly configured for EAP-FAST authentication.

Follow these steps to enable EAP-FAST authentication for this profile.

Step 1 Perform one of the following on the Profile Management (Security) window:

•If you want to enable EAP-FAST without WPA or WPA2, choose 802.1x under Set Security Options and EAP-FASTin the 802.1x EAP Type drop-down box.

•If you want to enable EAP-FAST with WPA or WPA2, choose WPA/WPA2/CCKM under Set Security Options and EAP-FASTin the WPA/WPA2/CCKM EAP Type drop-down box.

Note If you want to enable CCKM on the client adapter, you must choose the WPA/WPA2/CCKM security option, regardless of whether you want the adapter to use WPA or WPA2. The configuration of the access point to which your client adapter associates determines whether CCKM will be used with 802.1x, WPA, or WPA2.

Note Refer to the “WPA and WPA2” section on page 5-18for additional information.

Step 2 Click Configure. The EAP-FAST Settings window appears (see Figure 5-8).

Cisco Aironet 802.11a/b/g Wireless LAN Client Adapters (CB21AG and PI21AG) Installation and Configuration Guide

	OL-4211-03	5-31

Image 97

Cisco Systems CB21AG manual Enabling EAP-FAST

Contents

Customer Order Number Text Part Number OL-4211-03 Corporate Headquarters Copyright 2005 Cisco Systems, Inc All rights reserved Iii N T E N T S Assembling the Antenna Overview Pop-Up Menu Help Exit Vii Select Profile Viii Antenna Installation Warning B-3 WPA OL-4211-03 Following topics are covered in this section Preface Purpose AudienceOrganization Xii Xiii Conventions Xiv Obtaining Documentation Related PublicationsCisco.com Documentation DVD Ordering Documentation Cisco Product Security OverviewDocumentation Feedback Xvi Obtaining Technical Assistance Reporting Security Problems in Cisco ProductsCisco Technical Support Website An emergency, you can also reach Psirt by telephone 877 408 Definitions of Service Request Severity Submitting a Service RequestXviii Xix Obtaining Additional Publications and Information OL-4211-03 Product Overview Terminology Introduction to the Client AdaptersClient Adapter Model Number Description AIR-CB21AG Radio Hardware ComponentsRadio Antenna LEDs Driver Software ComponentsClient Utilities Ad Hoc Wireless LAN Network Configurations Using Client Adapters Access Point Root Unit Wired LAN Preparing for Installation FCC Safety Compliance Statement Safety informationSafety Guidelines Unpacking the Client Adapter Package Contents System Requirements For Infrastructure Devices Site RequirementsFor Client Devices OL-4211-03 Installing the Client Adapter Inserting a PC-Cardbus Card Inserting a Client Adapter Changing the Bracket Inserting a PCI CardBracket screws Inserting the Card Inserting a PCI Card into a PC Assembling the Antenna Inserting the Antenna into Its Base Mounting the Antenna Bottom of Antenna Base Mounting the Antenna Installing the Client Adapter Software Preparing Setup Window Cisco Aironet Installation Program Window Click Next. The Setup Type window appears see Figure 10 Setup Type Window 11 Install Cisco Aironet Site Survey Utility Window 12 Choose Destination Location Window 13 Select Program Folder Window 14 Important Please Read! Window 15 Choose Configuration Tool Window Feature With dynamic WEP EAP-TLS or Peap authentication Yes Leap or EAP-FAST authenticationSecurity Static WEP Yes Receive Click Properties Installing a Microsoft Hot Fix for Group Policy Delay Page OL-4211-03 Using the Profile Manager Opening Profile Manager Overview of Profile Manager SSID1 Field DescriptionSSID2 SSID3 Available Infrastructure and Ad Hoc Networks Window Creating a New Profile SNR Profile Management General Window Auto Profile Selection Management Window Including a Profile in Auto Profile Selection OL-4211-03 Selecting the Active Profile Importing and Exporting Profiles Modifying a ProfileEditing a Profile Deleting a Profile Exporting a Profile Importing a Profile Export Profile Window Configuring the Client Adapter Parameter Category Number Overview Setting General Parameters Parameter Description Auto profile selection or configured for use in an ad hoc ReconfiguredClient adapter to roam to that network without having to be Auto profile selection Profile Management Advanced Window Setting Advanced Parameters Radio Band Transmit Power Level Profile Management Advanced Parameters Network Type Description Parameter Description Parameter Description Default Open Preferred Access Points Window Setting Security Parameters Profile Management Security Window Overview of Security Features EAP with Dynamic WEP Keys Static WEP Keys Configuring the Client Adapter Setting Security Parameters EAP-FAST, EAP-TLS, Peap EAP-GTC, or Peap EAP-MSCHAP V2, LEAP, Cckm Fast Secure Roaming WPA and WPA2 Reporting Access Points that Fail Leap Authentication Additional WEP Key Security Features Synchronizing Security FeaturesSecurity Feature Client Setting Access Point Setting Ssid WPA Security Feature Client Setting Access Point Setting Or later, choose a cipher suite that is LEAP, EAP-FAST, EAP-TLSWPA/WPA2/CCKM MIC Tkip Enabling Static WEPPeap EAP-MSCHAP Interval to any value other than Configuring the Client Adapter Setting Security Parameters Define WPA/WPA2 Pre-Shared Key Window Enabling WPA/WPA2 Passphrase Enabling Leap Leap Settings Window Configuring the Client Adapter Setting Security Parameters Configuring the Client Adapter Setting Security Parameters Enabling EAP-FAST EAP-FAST Settings Window Configuring the Client Adapter Setting Security Parameters Click Select More Select EAP-FAST PAC Window 10 Import EAP-FAST PAC File Window Configuring the Client Adapter Setting Security Parameters Deleting a Manually Provisioned PAC File Enabling EAP-TLS or Peap 12 Define Certificate Window Enabling EAP-TLS Configuring the Client Adapter Setting Security Parameters Enabling Peap EAP-GTC 13 Define Peap EAP-GTC Configuration Window 14 Configuration Settings Window Configuring the Client Adapter Setting Security Parameters Enabling Peap EAP-MSCHAP 15 Define Peap EAP-MSCHAP V2 Configuration Window 16 Configuration Settings Window Configuring the Client Adapter Setting Security Parameters Configuring the Client Adapter Setting Security Parameters Configuring the Client Adapter Setting Security Parameters Disabling Static WEP, WPA/WPA2 Passphrase, or EAP Enabling Wi-Fi MultimediaEnabling the QoS Packet Scheduler on Windows 17 Wireless Cisco Connection Properties Window 18 Select Network Component Type Window Click Control Panel Double-clickNetwork Connections Enabling the QoS Packet Scheduler on Windows XP Follow these steps to access the roaming parameters Setting Roaming Parameters in the Windows Control Panel Wireless Mode Using EAP Authentication Leap or EAP-FAST Authentication Status Window Using Leap or EAP-FAST Stage Explanation After Profile Activation or Card Insertion After Your EAP-FAST Password Expires After a Reboot or Logon Using Leap or EAP-FAST with an Automatically Prompted Login Enter Wireless Network Password Window After Your EAP-FAST Password Expires After Profile Activation Using Leap or EAP-FAST with a Manually Prompted Login After a Reboot, Logon, or Card Insertion Action Drop-Down Menu After Your EAP-FAST Password Expires Using Leap or EAP-FAST with a Saved Username and Password 10 Please Change Password Window Using EAP-TLS Windows NT or 2000 Domain Databases or Ldap Databases Only Using Peap EAP-GTCOTP Databases Only Restarting the Authentication Process Using Peap EAP-MSCHAP OL-4211-03 Viewing Status and Statistics Tool Overview of ADU Status and Statistics ToolsStatus Statistics Number Signal-to-noise ratio as a percentage Displays the signal strength 3interprets each element of the Current Status window Viewing the Current Status of Your Client Adapter Status Description Status Description 4interprets each element of the Advanced Status window Details on these server-based authentication types MIC is enabled and is being used with None MIC is disabledMichael MIC is enabled and is being used with WPA and Tkip MMH WMM Status Description Status Description Viewing Statistics for Your Client Adapter Cisco Aironet Desktop Utility Diagnostics Window Advanced Statistics Window Statistic Description 6interprets each element of the Advanced Statistics window Ckip MIC OK Integrity check MIC value when Ckip was being usedPoint OL-4211-03 Using the Aironet System Tray Utility Astu Overview of Astu Infrastructure mode or another client in ad hoc modeAstu Icon Icon Description Status Element Description Tool Tip Window Connection Status Description Pop-Up Menu This option enables you to access the online helpHelp Following sections describe each Astu pop-up menu option Exit TroubleshootingOpen Aironet Desktop Utility Preferences Enable/Disable Radio Reauthenticate Manual LoginSelect Profile Connection Status Window Show Connection Status Connection Status Window Elements Ssid OL-4211-03 Routine Procedures Removing a PC-Cardbus Card Removing a Client AdapterRemoving a PCI Card Upgrading the Client Adapter Software Client Adapter Software Procedures Previous Installation Detected Window Choose Update the previous installation and click Next Choose Uninstall the previous installation and click Next Uninstalling the Client Adapter Software Opening ADU ADU ProceduresExiting ADU Viewing Client Adapter Information Finding the Version of ADU Accessing Online Help Astu ProceduresRefer to for instructions on using Astu Enabling or Disabling Your Client Adapter’s Radio OL-4211-03 10-1 Troubleshooting Interpreting the Indicator LEDs Accessing the Latest Troubleshooting InformationStatus LED green Activity LED amber Condition 10-2 Using the Troubleshooting Utility Troubleshooting the Client AdapterTroubleshooting Information Number Diagnosing Your Client Adapter’s Operation 10-4 Troubleshooting Utility Window 10-5 Troubleshooting Utility Window with Test Results 10-6 Troubleshooting Utility Window Detailed Report 10-7 Saving the Detailed Report to a Text File Disabling the Microsoft 802.1X Supplicant Windows 2000 Only Client Adapter Recognition Problems10-8 Resolving Resource Conflicts Reboot your computerResolving Resource Conflicts in Windows 10-9 Resolving Resource Conflicts in Windows XP Problems Associating to an Access Point10-10 Prioritizing Network Connections Problems Connecting to the NetworkParameters Missing from Profile Management Windows 10-11 10-12 Error Messages 10-13 10-14 10-15 10-16 10-17 10-18 10-19 10-20 10-21 10-22 10-23 10-24 Technical Specifications Radio Specifications Physical SpecificationsESD KV human body model Appendix a Technical Specifications DBm @ 6, 9, 12, and 18 Mbps Receiver sensitivity 802.11aDBm @ 24 Mbps DBm @ 36 Mbps Indoor typical Outdoor typical Safety and Regulatory Compliance Specifications Power Specifications Translated Safety Warnings Explosive Device Proximity Warning Antenna Installation Warning Appendix B Translated Safety Warnings Appendix B Translated Safety Warnings Appendix B Translated Safety Warnings Declarations of Conformity and Regulatory Information USA Models AIR-CB21AG-A-K9, AIR-PI21AG-A-K9 Canadian Compliance Statement Department of Communications Canada OL-4211-03 Declaration of Conformity Statement Cisco Aironet CB21AG Wireless LAN Client Adapter Cisco Aironet PI21AG Wireless LAN Client Adapter Japanese Translation Declaration of Conformity for RF ExposureEnglish Translation Chinese Translation 5-GHz Client AdaptersEnglish Translation Communication ACT This equipment is limited for indoor use GHz Client Adapters OL-4211-03 Channels, Power Levels, and Antenna Gains Ieee 802.11a ChannelsRegulatory Domains Ieee 802.11b/g Ieee 802.11b Maximum Power Levels and Antenna GainsData Rate With 1-dBi Antenna Gain Mbps 31.6 Ieee 802.11g OL-4211-03 P E N D I X E Overview EAP with Dynamic WEP Keys WPA Configuring the Client Adapter Configuring the Client Adapter Page Configuring the Client Adapter Page Enabling EAP-TLS Authentication For EAP type, choose Smart Card or other Certificate Configuring the Client Adapter Enabling Peap Authentication Figure E-6 Protected EAP Properties Window Figure E-7 EAP MSCHAPv2 Properties Window Figure E-8 Peap Properties Window Figure E-9 Generic Token Card Properties Window Figure E-10 Wireless Network Connection Status Window Associating to an Access Point Using Windows XP Performing a Site Survey Additional Information Guidelines Selecting the Client Adapter Opening the Site Survey Utility Specifying Display Units Using the Associated AP Status Tab Viewing the Access Point’s Status Table F-1 Site Survey Utility Associated AP Status Description Using the AP Scan List Tab Figure F-5 Site Survey Utility AP Scan List Viewing the AP Scan List Rssi CCX Pausing the AP Scan ListValue 1, 2, 3, or Viewing AP Details Access point’s wireless networkDetailed Information Parameter Description Rssi Figure F-7 Site Survey Utility Log File Generating an AP Scan Log File Uninstalling the Site Survey Utility Accessing Online HelpFinding the Version of the Site Survey Utility Exiting the Site Survey UtilityPage Stations Wireless network composed of stations without access pointsStandard Set of characters that contains both letters and numbers GL-2 GL-3 Setting must be within the range of 64 to 2312 bytes GL-4 Ethernet 802.3 and wireless LAN 802.11 specifications GL-5 GL-6 Protection and 802.1X for authenticated key management Computing device with an installed client adapter802.1X for authenticated key management GL-7 GL-8 Selecting in ADU Authentication Mode parameterIN-1 ADU Pausing ViewingSelecting the active profile IN-2 CAM AstuIN-3 Data encryption ADU Site survey utility ADU Windows XPFCC C-2 IN-4 IN-5 FCC CRCACK CTS RTS IN-7 MMH MIC Disabling EnablingStatus With Leap Modify button IN-8 IN-9 IN-10 IN-11 IN-12 Setting Viewing ADU Regulatory compliance Safety Spread spectrumIN-13 Initial window Third-party tool, enabling in Install WizardWith test results IN-14 IN-15 Security features IN-16