Cisco Systems CB21AG Network Card User Manual


 
5-17
Cisco Aironet 802.11a/b/g Wireless LAN Client Adapters (CB21AG and PI21AG) Installation and Configuration Guide
OL-4211-03
Chapter 5 Configuring the Client Adapter
Setting Security Parameters
PEAP (EAP-GTC)—This PEAP authentication type is designed to support One-Time Password
(OTP), Windows NT or 2000 domain, and LDAP user databases over a wireless LAN. It is based on
EAP-TLS authentication but uses a password instead of a client certificate for authentication. PEAP
(EAP-GTC) uses a dynamic session-based WEP key derived from the client adapter and RADIUS
server to encrypt data. If your network uses an OTP user database, PEAP (EAP-GTC) requires you
to enter a hardware or software token password to start the EAP authentication process and gain
access to the network. If your network uses a Windows NT or 2000 domain user database or an
LDAP user database (such as NDS), PEAP (EAP-GTC) requires you to enter your username,
password, and domain name in order to start the authentication process.
RADIUS servers that support PEAP (EAP-GTC) authentication include Cisco Secure ACS release
3.1 or later.
PEAP (EAP-MSCHAP V2)—This PEAP authentication type is based on EAP-TLS authentication
but uses a password instead of a client certificate for authentication. PEAP (EAP-MSCHAP V2)
uses a dynamic session-based WEP key derived from the client adapter and RADIUS server to
encrypt data.
RADIUS servers that support PEAP (EAP-MSCHAP V2) authentication include Cisco Secure ACS
release 3.2 or later.
When you configure your access point as indicated in Table 5-4 on page 5-20 and configure your client
adapter for LEAP, EAP-FAST, EAP-TLS, PEAP (EAP-GTC), or PEAP (EAP-MSCHAP V2),
authentication to the network occurs in the following sequence:
1. The client associates to an access point and begins the authentication process.
Note The client does not gain full access to the network until authentication between the client
and the RADIUS server is successful.
2. Communicating through the access point, the client and RADIUS server complete the authentication
process, with the password (LEAP and PEAP), password and PAC (EAP-FAST), or certificate
(EAP-TLS) being the shared secret for authentication. The password and PAC are never transmitted
during the process.
3. If authentication is successful, the client and RADIUS server derive a dynamic, session-based WEP
key that is unique to the client.
4. The RADIUS server transmits the key to the access point using a secure channel on the wired LAN.
5. For the length of a session, or time period, the access point and the client use this key to encrypt or
decrypt all unicast packets (and broadcast packets if the access point is set up to do so) that travel
between them.
Refer to the following pages for instructions on enabling these EAP types:
LEAP, page 5-27
EAP-FAST, page 5-31
EAP-TLS, PEAP (EAP-GTC), or PEAP (EAP-MSCHAP V2), page 5-39
Note Refer to the IEEE 802.11 Standard for more information on 802.1X authentication and to the following
URL for additional information on RADIUS servers:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter0918
6a00800ca7ab.html