User's Manual Part 2
BETA DRAFT - CISCO CONFIDENTIAL
Cisco Aironet Wireless LAN Client Adapters Installation and Configuration Guide for Windows
OL-1394-03
Appendix E Configuring the Client Adapter through Windows XP
Overview
Two 802.1X authentication types are available when configuring your client adapter through
Windows XP:
• EAP-TLS – This authentication type is enabled through the operating system and uses a dynamic,
session-based WEP key, which is derived from the client adapter and RADIUS server, to encrypt
data.
RADIUS servers that support EAP-TLS include Cisco Secure ACS version 3.0 and greater and
Cisco Access Registrar version 1.8 and greater.
Note: EAP-TLS requires the use of a certificate. Refer to Microsoft's documentation for
information on downloading and installing the certificate.
• EAP-MD5 – This authentication type is enabled through the operating system and uses static WEP
to encrypt data. EAP-MD5 requires you to enter a separate EAP username and password (in addition
to your standard Windows network login) in order to start the EAP authentication process and gain
access to the network.
Note: If you want to authenticate without encrypting the data that is transmitted over your
network, you can use EAP-MD5 without static WEP.
RADIUS servers that support EAP-MD5 include Cisco Secure ACS version 3.0 and greater and
Cisco Access Registrar version 1.8 and greater.
When you enable Require EAP on your access point and configure your client adapter for EAP-TLS or
EAP-MD5 using Windows XP, authentication to the network occurs in the following sequence:
1. The client adapter associates to an access point and begins the authentication process.
Note: The client does not gain access to the network until mutual authentication between the
client and the RADIUS server is successful.
2. Communicating through the access point, the client and RADIUS server complete a mutual
authentication process, with the password (for EAP-MD5) or certificate (for EAP-TLS) being the
shared secret for authentication. The password or certificate is never transmitted during the process.
Note: The authentication process is now complete for EAP-MD5. For EAP-TLS, the process
continues.
3. If mutual authentication is successful, the client and RADIUS server derive a dynamic,
session-based WEP key that is unique to the client.
4. The RADIUS server transmits the key to the access point using a secure channel on the wired LAN.
5. For the length of a session, or time period, the access point and the client use this key to encrypt or
decrypt all unicast packets that travel between them.
Note: Refer to the IEEE 802.11 Standard for more information on 802.1X authentication and to the
following URL for additional information on RADIUS servers:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt2/scrad.htm