
Cisco Aironet 802.11a/b/g Wireless LAN Client Adapters (CB21AG and PI21AG) Installation and Configuration Guide
OL-4211-05
Chapter 5 Configuring the Client Adapter
Setting Security Parameters
EAP-FAST authentication is designed to support the following user databases over a wireless LAN:
Cisco Secure ACS internal user database
Cisco Secure ACS ODBC user database
Windows NT/2000/2003 domain user database
LDAP user database
LDAP user databases (such as NDS) support only manual PAC provisioning while the other three
user databases support both automatic and manual PAC provisioning.
Note PACs that are created by ACS version 3.x.xx are not compatible with ACS version 4.0.xx. Client
stations must import new PACs. If you select auto-provisioning, new PACs are generated and used
automatically. If you select manual provisioning, you must manually export new PACs to the client
stations. If a user needs to authenticate to ACS version 4.0.xx and version 3.x.xx at different
times, both PACs must remain on the client station; the ADU automatically selects the appropriate
PAC. However, if you experience authentication failures after upgrading the software, delete all
the PACs provisioned from the 3.x.xx server.
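The PAC selection the Note describes, as an added example that is not part of the Cisco guide or the ADU software: a supplicant-side routine that reads the server's Authority Identity (A-ID) from the EAP-FAST/Start request, looks up the PAC issued by that server, and falls back to in-band provisioning or a hard failure depending on whether automatic or manual provisioning is configured. It assumes, from RFC 4851 rather than from this page, that the Start request carries an A-ID TLV (type 4) and that a client keys its PAC store by A-ID; it further assumes each ACS server presents a distinct A-ID. Packet bytes, A-IDs, PAC keys and expiry times are constructed sample data.

```python
"""Added example (not from the Cisco guide): EAP-FAST PAC selection by A-ID.

Assumes RFC 4851 framing: EAP-FAST/Start request = EAP header, flags byte
(S bit set), optional 4-byte message length (L bit), then TLVs including the
A-ID TLV. All A-IDs, keys and timestamps below are constructed sample data.
"""
from dataclasses import dataclass

EAP_REQUEST = 1
EAP_TYPE_FAST = 43
FLAG_L = 0x80        # message-length field present
FLAG_S = 0x20        # Start message
TLV_TYPE_AID = 4     # Authority-ID TLV


@dataclass(frozen=True)
class Pac:
    a_id: bytes      # A-ID of the issuing server
    a_id_info: str   # friendly server name shown to the user (constructed)
    pac_key: bytes   # secret used to derive the TLS tunnel master secret
    expiry: float    # Unix time after which the server will reject the PAC


def build_fast_start(identifier: int, a_id: bytes, version: int = 1) -> bytes:
    """Encode a minimal EAP-FAST/Start request: EAP header, flags byte, A-ID TLV."""
    tlv = TLV_TYPE_AID.to_bytes(2, "big") + len(a_id).to_bytes(2, "big") + a_id
    body = bytes([EAP_TYPE_FAST, FLAG_S | (version & 0x07)]) + tlv
    length = 4 + len(body)
    return bytes([EAP_REQUEST, identifier]) + length.to_bytes(2, "big") + body


def parse_fast_start(pkt: bytes) -> bytes:
    """Return the A-ID carried in an EAP-FAST/Start request; raise on malformed input."""
    if len(pkt) < 6:
        raise ValueError("packet too short")
    code, length = pkt[0], int.from_bytes(pkt[2:4], "big")
    if code != EAP_REQUEST or length != len(pkt) or pkt[4] != EAP_TYPE_FAST:
        raise ValueError("not an EAP-FAST request")
    flags = pkt[5]
    if not flags & FLAG_S:
        raise ValueError("S bit clear: not a Start message")
    pos = 6 + (4 if flags & FLAG_L else 0)   # skip optional message length
    while pos + 4 <= len(pkt):
        tlv_type = int.from_bytes(pkt[pos:pos + 2], "big") & 0x3FFF  # drop M/R bits
        tlv_len = int.from_bytes(pkt[pos + 2:pos + 4], "big")
        value = pkt[pos + 4:pos + 4 + tlv_len]
        if len(value) != tlv_len:
            raise ValueError("truncated TLV")
        if tlv_type == TLV_TYPE_AID:
            return value
        pos += 4 + tlv_len
    raise ValueError("no A-ID TLV in Start message")


def select_pac(store, a_id, auto_provision, now):
    """Decide what the supplicant does once it knows which server is authenticating.
    Returns ("use", pac), ("provision", a_id) or ("fail", a_id)."""
    pac = store.get(a_id)
    if pac is not None and pac.expiry > now:
        return ("use", pac)
    if auto_provision:
        return ("provision", a_id)   # fall into in-band PAC provisioning
    return ("fail", a_id)            # manual provisioning: an admin must export a new PAC


# Constructed PAC store: one PAC from each of two servers, as the Note describes.
ACS_OLD_AID = b"\x01" * 16
ACS_NEW_AID = b"\x02" * 16
STORE = {
    ACS_OLD_AID: Pac(ACS_OLD_AID, "acs-3x (constructed)", b"k" * 32, expiry=2_000_000_000.0),
    ACS_NEW_AID: Pac(ACS_NEW_AID, "acs-40 (constructed)", b"K" * 32, expiry=2_000_000_000.0),
}


def authenticate(pkt, store=STORE, auto_provision=True, now=1_700_000_000.0):
    """One client-side step: parse the Start message, then pick a PAC or a fallback."""
    return select_pac(store, parse_fast_start(pkt), auto_provision, now)


if __name__ == "__main__":
    for label, aid in (("old server", ACS_OLD_AID), ("new server", ACS_NEW_AID),
                       ("unknown server", b"\x03" * 16)):
        action, detail = authenticate(build_fast_start(1, aid), auto_provision=False)
        print(label, action, getattr(detail, "a_id_info", detail))
```

With manual provisioning configured, a Start message from a server whose A-ID has no PAC in the store ends in "fail" rather than a silent re-provision, which is the situation the Note's last sentence is addressing: stale 3.x PACs left in the store are never selected for the 4.0 server, and deleting them only removes entries that would not match anyway.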
EAP-TLS—This authentication type uses a dynamic session-based WEP key, derived by the
client adapter and the RADIUS server, to encrypt data. It uses a client certificate for authentication.
RADIUS servers that support EAP-TLS include Cisco Secure ACS release 3.0 or later and Cisco
Access Registrar release 1.8 or later.
PEAP (EAP-GTC)—This PEAP authentication type is designed to support One-Time Password
(OTP), Windows NT or 2000 domain, and LDAP user databases over a wireless LAN. It is based on
EAP-TLS authentication but uses a password instead of a client certificate for authentication. PEAP
(EAP-GTC) uses a dynamic session-based WEP key, derived by the client adapter and the RADIUS
server, to encrypt data. If your network uses an OTP user database, PEAP (EAP-GTC) requires you
to enter a hardware or software token password to start the EAP authentication process and gain
access to the network. If your network uses a Windows NT or 2000 domain user database or an
LDAP user database (such as NDS), PEAP (EAP-GTC) requires you to enter your username,
password, and domain name in order to start the authentication process.
RADIUS servers that support PEAP (EAP-GTC) authentication include Cisco Secure ACS release
3.1 or later.
PEAP (EAP-MSCHAP V2)—This PEAP authentication type is based on EAP-TLS authentication
but uses a password or a client certificate for authentication. PEAP (EAP-MSCHAP V2) uses a
dynamic session-based WEP key, derived by the client adapter and the RADIUS server, to encrypt
data.
RADIUS servers that support PEAP (EAP-MSCHAP V2) authentication include Cisco Secure ACS
release 3.2 or later.
When you configure your access point as indicated in Table 5-4 on page 5-22 and configure your client
adapter for LEAP, EAP-FAST, EAP-TLS, PEAP (EAP-GTC), or PEAP (EAP-MSCHAP V2),
authentication to the network occurs in the following sequence:
1. The client associates to an access point and begins the authentication process.
Note The client does not gain full access to the network until authentication between the client
and the RADIUS server is successful.