CHAPTER 5

Configuring the Client Adapter

This chapter explains how to set the configuration parameters for a specific profile.
Overview

When you choose to create a new profile or edit an existing profile on the Profile Manager screen, the Properties screens appear with the name of your profile in parentheses. These screens enable you to set the configuration parameters for that profile.

Note: If you do not change any of the configuration parameters, the default values are used.
Setting System Parameters

The System Parameters screen (see Figure 5-1) enables you to set parameters that prepare the client adapter for use in a wireless network. This screen appears after you create and save a new profile or click Edit on the Profile Manager screen.

Figure 5-1 System Parameters Screen

Table 5-2 lists and describes the client adapter’s system parameters. Follow the instructions in the table to change any parameters.
Table 5-2 System Parameters

Parameter: Client Name
Description: A logical name for your workstation. It allows an administrator to determine which devices are connected to the access point without having to memorize every MAC address. This name is included in the access point’s list of connected devices.
Table 5-2 System Parameters (continued)

Parameter: Power Save Mode
Description: Sets your client adapter to its optimum power consumption setting.
Options: CAM, Max PSP, or Fast PSP
Default: CAM (Constantly Awake Mode)

Power Save Mode: CAM (Constantly Awake Mode)
Description: Keeps the client adapter powered up continuously so there is little lag in message response time. Consumes the most power but offers the highest throughput.
Table 5-2 System Parameters (continued)

Parameter: Network Type
Description: Specifies the type of network in which your client adapter is installed.
Options: Ad Hoc or Infrastructure
Default: Infrastructure

Network Type: Ad Hoc
Description: Often referred to as peer to peer. Indicates that your wireless network consists of a few wireless devices that are not connected to a wired Ethernet network through an access point.
Setting RF Network Parameters

The RF Network screen (see Figure 5-2) enables you to set parameters that control how and when the client adapter transmits and receives data. To access this screen, choose the RF Network tab from the Properties screens.
Table 5-3 lists and describes the client adapter’s RF network parameters. Follow the instructions in the table to change any parameters.

Table 5-3 RF Network Parameters

Parameter: Data Rate
Description: Specifies the rate at which your client adapter should transmit or receive packets to or from access points (in infrastructure mode) or other clients (in ad hoc mode).
Table 5-3 RF Network Parameters (continued)

Parameter: Use Short Radio Headers
Description: Checking this check box sets your client adapter to use short radio headers. However, the adapter can use short radio headers only if the access point is also configured to support them and is using them.
Table 5-3 RF Network Parameters (continued)

Parameter: Channel
Description: Specifies the frequency that your client adapter will use as the channel for communications. These channels conform to the IEEE 802.11 Standard for your regulatory domain.
• In infrastructure mode, this parameter is set automatically and cannot be changed.
Table 5-3 RF Network Parameters (continued)

Parameter: Transmit Power
Description: Defines the power level at which your client adapter transmits. This value must not be higher than that allowed by your country’s regulatory agency (FCC in the U.S., DOC in Canada, ETSI in Europe, MKK in Japan, etc.).
Table 5-3 RF Network Parameters (continued)

Parameter: Clear Channel Assessment
Description: Specifies the method that determines whether the channel on which your client adapter will operate is clear prior to the transmission of data.
Table 5-3 RF Network Parameters (continued)

Parameter: Data Retries
Description: Defines the number of times a packet is resent if the initial transmission is unsuccessful.
Range: 1 to 128
Default: 16 (2.4-GHz client adapters) or 32 (5-GHz client adapters)
Note: If your network protocol performs its own retries, set this to a smaller value than the default.

Parameter: Fragment Threshold
Setting Advanced Infrastructure Parameters

Note: You can set advanced infrastructure parameters only if your client adapter has been set to operate in an infrastructure network. See the Network Type parameter in Table 5-2.

The Advanced (Infrastructure) screen (see Figure 5-3) enables you to set parameters that control how the client adapter operates within an infrastructure network.
Table 5-4 lists and describes the client adapter’s advanced infrastructure parameters. Follow the instructions in the table to change any parameters.

Table 5-4 Advanced (Infrastructure) Parameters

Parameter: Antenna Mode (Receive)
Description: Specifies the antenna that your client adapter uses to receive data.
• PC card—The PC card’s integrated, permanently attached antenna operates best when used in diversity mode.
Table 5-4 Advanced (Infrastructure) Parameters (continued)

Parameter: Specified Access Point 1-4
Description: Specifies the MAC addresses of up to four preferred access points with which the client adapter can associate. If the specified access points are not found or the client adapter roams out of range, the adapter may associate to another access point.
Table 5-4 Advanced (Infrastructure) Parameters (continued)

Parameter: Enable Radio Management Support
Description: Checking this check box enables the access point to which the client adapter is associated to control the use of radio management (RM), provided RM is enabled on the access point. RM is a system-wide feature that involves multiple infrastructure nodes.
Setting Advanced Ad Hoc Parameters

Note: You can set advanced ad hoc parameters only if your client adapter has been set to operate in an ad hoc network. See the Network Type parameter in Table 5-2.

The Advanced (Ad Hoc) screen (see Figure 5-4) enables you to set parameters that control how the client adapter operates within an ad hoc network. To access this screen, choose the Advanced (Ad Hoc) tab from the Properties screens.
Table 5-5 lists and describes the client adapter’s advanced ad hoc parameters. Follow the instructions in the table to change any parameters.

Table 5-5 Advanced (Ad Hoc) Parameters

Parameter: Antenna Mode (Receive)
Description: Specifies the antenna that your client adapter uses to receive data.
• PC card—The PC card’s integrated, permanently attached antenna operates best when used in diversity mode.
Table 5-5 Advanced (Ad Hoc) Parameters (continued)

Parameter: RTS Threshold
Description: Specifies the size of the data packet that the low-level RF protocol issues to a request-to-send (RTS) packet. Setting this parameter to a small value causes RTS packets to be sent more often.
Table 5-5 Advanced (Ad Hoc) Parameters (continued)

Parameter: Beacon Period (Kμs)
Description: Specifies the duration between beacon packets, which are used to help clients find each other in ad hoc mode.
Range: 20 to 976 Kμs
Default: 100 Kμs

Go to the next section to set additional parameters or click OK to return to the Profile Manager screen. On the Profile Manager screen, click OK or Apply to save your changes.
Setting Network Security Parameters

This screen is different from the other Properties screens in that it presents several security features, each of which involves a number of steps. In addition, the security features themselves are complex and need to be understood before they are implemented. Therefore, this section provides an overview of the security features as well as procedures for using them.
Overview of Security Features

You can protect your data as it is transmitted through your wireless network by encrypting it through the use of wired equivalent privacy (WEP) encryption keys. With WEP encryption, the transmitting device encrypts each packet with a WEP key, and the receiving device uses that same key to decrypt each packet.
LEAP is enabled or disabled for a specific profile through ACU, provided the LEAP security module was selected during installation. After LEAP is enabled, a variety of configuration options are available, including how and when a username and password are entered to begin the authentication process.
Note: PACs are also stored globally on computers that use the Novell Network login prompt or any other third-party login application that does not share its credentials with the EAP-FAST supplicant.
RADIUS servers that support PEAP authentication include Cisco Secure ACS version 3.1 or later and Cisco Access Registrar version 3.5 or later.

Note: Windows XP Service Pack 1 and the Microsoft 802.1X supplicant for Windows 2000 include Microsoft’s PEAP supplicant, which supports a Windows username and password only and does not interoperate with Cisco’s PEAP supplicant.
2. Communicating through the access point, the client and RADIUS server complete the authentication process, with the password (LEAP and PEAP), password and PAC (EAP-FAST), certificate (EAP-TLS), or internal key stored on the SIM card and in the service provider’s Authentication Center (EAP-SIM) being the shared secret for authentication. The password, PAC, or internal key is never transmitted during the process.

3.
The software components included in Install Wizard version 1.3 or later automatically support WPA migration mode. WPA migration mode is an access point setting that enables both WPA and non-WPA clients to associate to the access point using the same SSID.
Reporting Access Points that Fail LEAP or EAP-FAST Authentication

The following client adapter and access point firmware versions support a feature that is designed to detect access points that fail LEAP or EAP-FAST authentication:
• Client adapter firmware version 5.02.20 or later (for LEAP)
• Client adapter firmware version 5.40.10 or later (for EAP-FAST)
• 12.
Message Integrity Check (MIC)

MIC prevents bit-flip attacks on encrypted packets. During a bit-flip attack, an intruder intercepts an encrypted message, alters it slightly, and retransmits it, and the receiver accepts the retransmitted message as legitimate. The MIC adds a few bytes to each packet to make the packets tamper-proof.
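The following Python example is added here and is not part of the Cisco guide. It shows why an unkeyed CRC-32 check under a stream cipher accepts the altered packet described above while a keyed MIC rejects it. The keystream function, the truncated HMAC-SHA256 standing in for the MIC, and all keys and payloads are constructed assumptions, not the adapter's actual algorithms.

```python
import hashlib
import hmac
import zlib

# Constructed sample values; none come from the guide or a real device.
ENC_KEY = b"constructed-encryption-key"
MIC_KEY = b"constructed-mic-key"
IV = b"\x00\x00\x01"
PAYLOAD = b"temp=21C;fan=off"
DELTA = bytes(5) + b"\x01" + bytes(len(PAYLOAD) - 6)  # flips one bit of byte 5


def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Stand-in per-packet keystream (hash in counter mode, not RC4)."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + iv + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def crc(data: bytes) -> bytes:
    return zlib.crc32(data).to_bytes(4, "little")


def seal_crc_only(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Encrypt payload plus an unkeyed CRC-32 integrity value."""
    body = payload + crc(payload)
    return xor(body, keystream(key, iv, len(body)))


def open_crc_only(key: bytes, iv: bytes, packet: bytes):
    """Return the payload, or None if the CRC check fails."""
    body = xor(packet, keystream(key, iv, len(packet)))
    payload, icv = body[:-4], body[-4:]
    return payload if crc(payload) == icv else None


def compute_mic(mic_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Keyed integrity value (truncated HMAC-SHA256 as a stand-in MIC)."""
    return hmac.new(mic_key, iv + payload, hashlib.sha256).digest()[:8]


def seal_with_mic(enc_key, mic_key, iv, payload):
    mic = compute_mic(mic_key, iv, payload)
    return seal_crc_only(enc_key, iv, payload + mic)


def open_with_mic(enc_key, mic_key, iv, packet):
    """Return the payload only if both the CRC and the keyed MIC verify."""
    inner = open_crc_only(enc_key, iv, packet)
    if inner is None or len(inner) < 8:
        return None
    payload, mic = inner[:-8], inner[-8:]
    ok = hmac.compare_digest(mic, compute_mic(mic_key, iv, payload))
    return payload if ok else None


def alter_in_transit(packet: bytes, delta: bytes) -> bytes:
    """Model the altered retransmission; no key is used. CRC-32 is affine
    (crc(a^b) == crc(a)^crc(b)^crc(zeros)), so the encrypted CRC can be
    adjusted to stay consistent with the altered body."""
    icv_patch = xor(crc(delta), crc(bytes(len(delta))))
    return xor(packet, delta + icv_patch)


def demo():
    crc_pkt = seal_crc_only(ENC_KEY, IV, PAYLOAD)
    crc_result = open_crc_only(ENC_KEY, IV, alter_in_transit(crc_pkt, DELTA))
    mic_pkt = seal_with_mic(ENC_KEY, MIC_KEY, IV, PAYLOAD)
    altered = alter_in_transit(mic_pkt, DELTA + bytes(8))
    mic_result = open_with_mic(ENC_KEY, MIC_KEY, IV, altered)
    untouched = open_with_mic(ENC_KEY, MIC_KEY, IV, mic_pkt)
    return crc_result, mic_result, untouched


if __name__ == "__main__":
    print(demo())
```

The receiver that checks only the CRC returns the altered payload as if it were legitimate; the receiver that also verifies the keyed MIC drops the altered packet and still accepts the untouched one.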
Synchronizing Security Features

In order to use any of the security features discussed in this section, both your client adapter and the access point to which it will associate must be set appropriately. Table 5-6 indicates the client and access point settings required for each security feature. This chapter provides specific instructions for enabling the security features on your client adapter.
Table 5-6 Client and Access Point Security Settings (continued)

Security Feature: EAP-TLS authentication
If using ACU to configure card
Client Setting: Enable Host Based EAP (802.1x) and Dynamic WEP in ACU and select Enable network access control using IEEE 802.1X (or Enable IEEE 802.
Access Point Setting: Set up and enable WEP and enable Open Authentication for the SSID and specify the use of EAP
Table 5-6 Client and Access Point Security Settings (continued)

Security Feature: PEAP authentication with WPA
Client Setting / Access Point Setting: If using ACU to configure card If using Windows XP to configure card Enable Wi-Fi Protected Access (WPA), Host Based EAP (WPA), and Dynamic WEP in ACU and enable WPA and select Enable network access control using IEEE 802.
Table 5-6 Client and Access Point Security Settings (continued)

Security Feature: EAP-SIM authentication with WPA
Client Setting / Access Point Setting: If using ACU to configure card If using Windows XP to configure card Enable Wi-Fi Protected Access (WPA), Host Based EAP (WPA), and Dynamic WEP in ACU and enable WPA and select Enable network access control using IEEE 802.
Using Static WEP

This section provides instructions for entering new static WEP keys or overwriting existing static WEP keys.

Entering a New Static WEP Key

Follow these steps to enter a new static WEP key for this profile.

Step 1 Choose None under Network Authentication on the Network Security screen.
Step 2 Choose Static WEP under Data Encryption.
Step 3 Click the Static WEP Keys button.
Step 6 Obtain the static WEP key from your system administrator and enter it in the blank field for the key you are creating.
Overwriting an Existing Static WEP Key

Follow these steps to overwrite an existing static WEP key.

Note: You can overwrite existing WEP keys, but you cannot edit or delete them.

Step 1 Click the Static WEP Keys button on the Network Security screen. The Static WEP Keys screen appears (see Figure 5-6).
Step 2 Look at the current WEP key settings in the middle of the screen.
Enabling LEAP

Before you can enable LEAP authentication, your network devices must meet the following requirements:
• Client adapters must support WEP and use the firmware, drivers, utilities, and security modules included in the Install Wizard file.
• To use WPA, 350 series and CB20A client adapters must use the software included in Install Wizard version 1.2 or later on a computer running Windows 2000 or XP.
Figure 5-7 LEAP Settings Screen

Step 4 Choose one of the following LEAP username and password setting options:
• Use Temporary User Name and Password—Requires you to enter the LEAP username and password each time the computer reboots in order to authenticate and gain access to the network.
• Use Saved User Name and Password—Does not require you to enter a LEAP username and password each time the computer reboots.
Step 5 Perform one of the following:
• If you selected Use Temporary User Name and Password in Step 4, choose one of the following options:
  – Use Windows Logon User Name and Password—Causes your Windows username and password to also serve as your LEAP username and password, giving you only one set of credentials to remember. After you log in, the LEAP authentication process begins automatically.
Step 8 In the Authentication Timeout Value field, enter the amount of time (in seconds) before a LEAP authentication attempt is considered to be failed and an error message appears.
Range: 10 to 300 seconds
Default: 90 seconds
Step 9 Click OK to exit the LEAP Settings screen.
Step 10 Check the Allow Fast Roaming (CCKM) check box on the Network Security screen if you want to enable fast roaming for your client adapter.
b. Click the Authentication tab.

Note: In Windows Service Pack 1, the Authentication tab has moved from its previous location. To access it, make sure the Use Windows to configure my wireless network settings check box is checked.

Step 14 Click the SSID of the profile you are creating from the list of available networks and click Configure.
Step 2 Choose EAP-FAST or EAP-FAST (WPA).

Note: This option is available only if you selected the EAP-FAST security module during installation.

Note: When you choose this option, dynamic WEP (if WPA is disabled) or TKIP (if WPA is enabled) is set automatically.

Step 3 Click Configure. The EAP-FAST Settings screen appears (see Figure 5-8).
Step 4 Choose one of the following EAP-FAST username and password setting options:
• Use Temporary User Name and Password—Requires you to enter the EAP-FAST username and password each time the computer reboots in order to authenticate and gain access to the network.
• Use Saved User Name and Password—Does not require you to enter an EAP-FAST username and password each time the computer reboots.
Step 6 If you work in an environment with multiple domains and therefore want your Windows login domain to be passed to the RADIUS server along with your username, check the Include Windows Logon Domain with User Name check box. The default setting is checked.
Step 10 Perform one of the following to enable manual PAC provisioning:
• From the Select a PAC Authority To Use with This Profile drop-down list, select the PAC authority that is associated with the network defined by the profile’s SSID. The list contains the names of all the PAC authorities from which you have previously provisioned a PAC.
e. f. If a message appears indicating that the PAC file you are about to import will be made accessible to all users of your system, click Yes. If you click No, the PAC file is not imported.

Note: The PAC file you are about to import will be made accessible to all users of your system if your profile is configured for global PACs.
Step 12 Check the Allow Fast Roaming (CCKM) check box on the Network Security screen if you want to enable fast roaming for your client adapter.
• Checking this check box enables the client adapter to use CCKM when associated to an access point that uses CCKM or to associate to access points that are not using CCKM.
• Unchecking this check box prevents the client adapter from using CCKM even with access points that use it.
c. Uncheck the Enable network access control using IEEE 802.1X or Enable IEEE 802.1x authentication for this network check box.
d. Click OK to save your settings.
e. If you are using Windows XP Service Pack 1, uncheck the Use Windows to configure my wireless network settings check box on the Wireless Networks screen and click OK.
This section consists of the following three subsections. Follow the steps in each subsection to enable host-based EAP authentication (EAP-TLS, PEAP, or EAP-SIM) for this profile.
• If your computer is running Windows XP, perform one of the following:
  – If you want to enable WPA, double-click My Computer, Control Panel, and Network Connections. Right-click Wireless Network Connection. Click Properties. The Wireless Network Connection Properties screen appears. Go to the “Enabling WPA (Windows 2000 or XP Only - Optional)” section below.
Figure 5-11 Wireless Network Connection Properties Screen (Wireless Networks Tab)

Step 2 Make sure that the Use Windows to configure my wireless network settings check box is checked.
Step 3 Click the SSID of the profile you began setting up in ACU from the list of available networks and click Configure. If your profile’s SSID is not listed, click Add. The Wireless Network Properties screen appears (see Figure 5-12).
Figure 5-12 Wireless Network Properties Screen (Association Tab)

Step 4 Perform one of the following:
• If you selected an SSID from the list of available networks, make sure the SSID appears in the Network name (SSID) field.
• If you clicked Add, enter the case-sensitive SSID of your profile in the Network name (SSID) field.
Step 5 Choose WPA from the Network Authentication drop-down list.
Enabling EAP Authentication in Windows

Follow the steps in this section to enable EAP authentication in Windows for this profile.

Step 1 Click the Authentication tab. The following screen appears (see Figure 5-13).

Figure 5-13 Wireless Network Connection Properties Screen (Authentication Tab)

Note: The Authentication screen shown above appears on computers running Windows 2000 or XP.
Enabling EAP-TLS

Follow these steps to enable EAP-TLS.

Step 1 For EAP type, choose Certificates (on Windows 98, 98 SE, NT, or Me) or Smart Card or other Certificate (on Windows 2000 or XP).
Step 2 Click Properties. The Certificate Properties screen (see Figure 5-14) or the Smart Card or other Certificate Properties screen appears (see Figure 5-15 and Figure 5-16).
Figure 5-15 Smart Card or other Certificate Properties Screen - Windows 2000 and XP

Figure 5-16 Smart Card or Other Certificate Properties Screen - Windows XP Service Pack 1

Cisco Aironet 340, 350, and CB20A Wireless LAN Client Adapters Installation and Configuration Guide for Windows, OL-1394-08
Step 3 Choose the Use a certificate on this computer option.
Step 4 If your computer is running Windows 98, 98 SE, NT, or Me or Windows XP Service Pack 1, make sure the Use simple certificate selection (Recommended) check box is selected.
Step 5 Check the Validate server certificate check box if server certificate validation is required.
Enabling PEAP

Follow these steps to enable PEAP.

Step 1 For EAP type, choose PEAP.
Step 2 Click Properties. The PEAP Properties screen appears (see Figure 5-17).

Figure 5-17 PEAP Properties Screen

Step 3 Check the Validate server certificate check box if server certificate validation is required (recommended).
Step 5 Make sure that the name of the certificate authority from which the server certificate was downloaded appears in the Trusted root certificate authority (CA) field. If necessary, click the arrow on the drop-down menu and choose the appropriate name.

Note: If you leave this field blank, you are prompted to accept a connection to the root certification authority during the authentication process.
Step 9 Choose either the Static Password (Windows NT/2000, LDAP) or the One Time Password option, depending on your user database.
Step 10 Perform one of the following:
• If you selected the Static Password (Windows NT/2000, LDAP) option in Step 9, go to Step 11.
Figure 5-19 SIM Authentication Properties Screen

Step 3 To access any resources (data or commands) on the SIM, the EAP-SIM supplicant must provide a valid PIN to the SIM card, which must match the PIN stored on the SIM.
Disabling LEAP, EAP-FAST, or Host-Based EAP

If you ever need to disable LEAP, EAP-FAST, or host-based EAP for a particular profile, follow the instructions below for your EAP authentication type.

Disabling LEAP or EAP-FAST

To disable LEAP or EAP-FAST for a particular profile, choose None under Network Authentication on the Network Security screen in ACU, click OK, and click OK or Apply on the Profile Manager screen.