User's Manual Part 1

BETA DRAFT - CISCO CONFIDENTIAL
5-23
Cisco Aironet Wireless LAN Client Adapters Installation and Configuration Guide for Windows
OL-1394-03
Chapter 5 Configuring the Client Adapter
Setting Network Security Parameters
Note: If LEAP was not selected during installation, the LEAP option is unavailable in ACU. If you
want to be able to enable and disable LEAP, you must run the installation program again and
select Modify and LEAP.
Host Based EAP – Selecting this option enables you to use any 802.1X authentication type for
which your operating system has built-in support. For example, Windows XP has built-in support
for both EAP-TLS and EAP-MD5.
EAP-TLS – EAP-TLS is enabled or disabled through the operating system and uses a dynamic,
session-based WEP key, which is derived from the client adapter and RADIUS server, to encrypt
data. Once enabled, a few configuration parameters must be set within the operating system.
RADIUS servers that support EAP-TLS include Cisco Secure ACS version 3.0 and greater and
Cisco Access Registrar version 1.8 and greater.
Note: EAP-TLS requires the use of a certificate. Refer to Microsoft's documentation for
information on downloading and installing the certificate.
EAP-MD5 – EAP-MD5 is enabled or disabled through the operating system and uses static
WEP to encrypt data. EAP-MD5 requires you to enter a separate EAP username and password
(in addition to your standard Windows network login) in order to start the EAP authentication
process and gain access to the network.
RADIUS servers that support EAP-MD5 include Cisco Secure ACS version 3.0 and greater and
Cisco Access Registrar version 1.8 and greater.
Note: If you want to authenticate without encrypting the data that is transmitted over your
network, you can use EAP-MD5 without static WEP.
Note: Although EAP-TLS and EAP-MD5 are enabled in the operating system, you can set up
profiles in ACU to use these authentication types. To do so, follow the instructions in the
"Enabling Host-Based EAP" section on page 5-31.
When you enable Network-EAP on your access point and configure your client adapter for LEAP,
EAP-TLS, or EAP-MD5 using ACU, or enable Require EAP on your access point and configure your
client adapter for EAP-TLS or EAP-MD5 using Windows XP, authentication to the network occurs in
the following sequence:
1. The client associates to an access point and begins the authentication process.
Note: The client does not gain access to the network until mutual authentication between the client
and the RADIUS server is successful.
2. Communicating through the access point, the client and RADIUS server complete a mutual
authentication process, with the password (or certificate for EAP-TLS) being the shared secret for
authentication. The password (or certificate) is never transmitted during the process.
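
An added example (not part of the Cisco guide): how a password can serve as the shared secret in step 2 without being transmitted, using the MD5-Challenge computation that EAP-MD5 takes from RFC 3748 section 5.4 and RFC 1994. The RadiusServer class, the user name and the password are constructed stand-ins, and the sketch covers only the server checking the client's response.

```python
import hashlib
import hmac
import os


def md5_challenge_response(identifier, password, challenge):
    """RFC 1994 / RFC 3748 5.4 value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


class RadiusServer:
    """Hypothetical stand-in for the RADIUS server's user store and verifier."""

    def __init__(self, users):
        self._users = dict(users)   # username -> password (constructed data)
        self._pending = {}          # username -> (identifier, challenge)
        self._next_id = 0

    def issue_challenge(self, username):
        # A fresh random challenge per attempt makes an old response useless.
        self._next_id = (self._next_id + 1) % 256
        challenge = os.urandom(16)
        self._pending[username] = (self._next_id, challenge)
        return self._next_id, challenge

    def verify(self, username, identifier, response):
        # Each challenge is consumed on first use, whether or not it matches.
        pending = self._pending.pop(username, None)
        password = self._users.get(username)
        if pending is None or password is None or pending[0] != identifier:
            return False
        expected = md5_challenge_response(identifier, password, pending[1])
        # Constant-time comparison of the two 16-byte digests.
        return hmac.compare_digest(expected, response)


def run_exchange(server, username, typed_password):
    """Run one challenge/response round; return (accepted, bytes seen on the wire)."""
    identifier, challenge = server.issue_challenge(username)
    wire = [bytes([identifier]) + challenge]      # server -> client
    response = md5_challenge_response(identifier, typed_password, challenge)
    wire.append(bytes([identifier]) + response)   # client -> server
    return server.verify(username, identifier, response), wire
```

Only the identifier, the random challenge and the 16-byte digest cross the link; the server recomputes the digest from its own copy of the password.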