User's Manual

authenticate the server and ensure the best security practices.
Provisioning of Protected Access Credentials (PAC):
EAP-FAST uses a PAC key to protect the user credentials that are exchanged. All EAP-FAST authenticators
are identified by an authority identity (A-ID). The local authenticator sends its A-ID to an authenticating
client, and the client checks its database for a matching A-ID. If the client does not recognize the A-ID, it
requests a new PAC.
NOTE: If the provisioned Protected Access Credential (PAC) is valid, the WiFi connection utility does not
prompt the user for acceptance of the PAC. If the PAC is invalid, the WiFi connection utility fails the
provisioning automatically. A status message is displayed in the Wireless Event Viewer that an
administrator can review on the user's computer.
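The A-ID lookup and the NOTE above, modeled as an added example (not code from the WiFi connection utility). The names Pac and Client, the expiry field, the choice to try authenticated provisioning first, and the validity test (A-ID matches the one requested and the PAC has not expired) are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Pac:
    a_id: bytes      # A-ID of the authority that issued the PAC
    expires: int     # expiry as epoch seconds (constructed field, an assumption)

@dataclass
class Client:
    allow_unauth: bool = True    # both provisioning methods are selected by default
    allow_auth: bool = True
    store: dict = field(default_factory=dict)    # client database: A-ID -> Pac
    events: list = field(default_factory=list)   # stands in for the event viewer

    def on_a_id(self, a_id: bytes, now: int) -> str:
        """Decide what to do when an authenticator announces its A-ID."""
        pac = self.store.get(a_id)
        if pac is not None and pac.expires > now:
            return "use-pac"                     # recognized A-ID, usable PAC
        # A-ID not recognized: a new PAC is requested, if the profile allows it.
        if self.allow_auth:
            return "provision-authenticated"     # assumed preference order
        if self.allow_unauth:
            return "provision-unauthenticated"
        self.events.append(f"no PAC for A-ID {a_id.hex()}, provisioning disabled")
        return "fail"

    def on_provisioned(self, pac: Pac, requested_a_id: bytes, now: int) -> bool:
        """Store a valid PAC without prompting; otherwise fail and log an event."""
        if pac.a_id == requested_a_id and pac.expires > now:
            self.store[pac.a_id] = pac
            return True
        self.events.append(f"provisioning failed for A-ID {requested_a_id.hex()}")
        return False

CORP = bytes.fromhex("11" * 16)     # constructed A-IDs for the walk-through
OTHER = bytes.fromhex("22" * 16)

def demo():
    c, now = Client(), 1_000
    first = c.on_a_id(CORP, now)                          # unknown A-ID
    stored = c.on_provisioned(Pac(CORP, now + 3600), CORP, now)
    second = c.on_a_id(CORP, now)                         # now recognized
    c.allow_auth = c.allow_unauth = False                 # both methods deselected
    third = c.on_a_id(OTHER, now)                         # unknown, cannot provision
    return first, stored, second, third, len(c.events)

if __name__ == "__main__":
    print(demo())
```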
1. Verify that Disable EAP-FAST Enhancements (CCXv4) is not selected. Allow unauthenticated
provisioning and Allow authenticated provisioning are selected by default. Once a PAC is
selected from the Default Server, you can deselect any of these provisioning methods.
2. Default Server: None is selected as the default. Click Select Server to select a PAC from the
default PAC authority server or select a server from the Server group list. The EAP-FAST Default
Server (PAC Authority) selection page opens.
NOTE: Server groups are only listed if you have installed an Administrator Package that
contains EAP-FAST Authority ID (A-ID) Group settings.
PAC distribution can also be completed manually (out-of-band). Manual provisioning enables
you to create a PAC for a user on an ACS server and then import it into a user's computer. A
PAC file can be protected with a password, which the user needs to enter during a PAC import.
3. To import a PAC:
a. Click Import to import a PAC from the PAC server.
b. Click Open.
c. Enter the PAC password (optional).
d. Click OK to close this page. The selected PAC is used for this wireless profile.
EAP-FAST CCXv4 enables support for the provisioning of other credentials beyond the PAC currently
provisioned for tunnel establishment. The credential types supported include trusted CA certificate,
machine credentials for machine authentication, and temporary user credentials used to bypass user
authentication.
Use a certificate (TLS Authentication)
1. Click Use a certificate (TLS Authentication).
2. Click Identity Protection when the tunnel is protected.
3. Select one of the following to obtain a certificate: Use my smart card, Use the certificate
issued to this computer, or Use a user certificate on this computer.
4. User Name: Enter the user name assigned to the user certificate.
5. Click Next.
Step 2 of 3: EAP-FAST Additional Information
If you selected Use a certificate (TLS Authentication) and Use a user certificate on this computer,
click Next (no roaming identity is required) and proceed to
Step 3 to configure EAP-FAST Server