Cisco Aironet 340, 350, and CB20A Wireless LAN Client Adapters Installation and Configuration Guide for Windows
OL-1394-07
Chapter 5 Configuring the Client Adapter
Setting Network Security Parameters
The username and password are used by the client adapter to perform mutual authentication with the
RADIUS server through the access point. The username and password are stored in the client adapter’s
volatile memory; therefore, they are temporary and need to be re-entered whenever power is removed
from the adapter, typically due to the client adapter being ejected or the system powering down.
Note: If the LEAP security module was not selected during installation, the LEAP option is
unavailable in ACU. If you want to be able to enable and disable LEAP, you must run the
installation program again and select LEAP.
• Host Based EAP—Selecting this option enables you to use any 802.1X authentication type for
which your operating system has support. For example, if your operating system uses the Microsoft
802.1X supplicant, it provides native support for EAP-TLS authentication and general support for
PEAP and EAP-SIM authentication.
Note: To use EAP-TLS, PEAP, or EAP-SIM authentication, you must install the Microsoft 802.1X
supplicant, ACU, and the PEAP or EAP-SIM security module; configure your client adapter
using ACU; enable the authentication type in Windows; and enable Network-EAP on the
access point.
– EAP-TLS—EAP-TLS is enabled or disabled through the operating system and uses a dynamic
session-based WEP key, which is derived from the client adapter and RADIUS server, to encrypt
data. Once enabled, a few configuration parameters must be set within the operating system.
RADIUS servers that support EAP-TLS authentication include Cisco Secure ACS version 3.0
or greater and Cisco Access Registrar version 1.8 or greater.
Note: EAP-TLS requires the use of a certificate. Refer to Microsoft’s documentation for
information on downloading and installing the certificate.
– Protected EAP (or PEAP)—PEAP authentication is designed to support One-Time Password
(OTP), Windows NT or 2000 domain, and LDAP user databases over a wireless LAN. It is based
on EAP-TLS authentication but uses a password or PIN instead of a client certificate for
authentication. PEAP is enabled or disabled through the operating system and uses a dynamic
session-based WEP key, which is derived from the client adapter and RADIUS server, to encrypt
data. If your network uses an OTP user database, PEAP requires you to enter either a hardware
token password or a software token PIN to start the EAP authentication process and gain access
to the network. If your network uses a Windows NT or 2000 domain user database or an LDAP
user database (such as NDS), PEAP requires you to enter your username, password, and domain
name in order to start the authentication process.
RADIUS servers that support PEAP authentication include Cisco Secure ACS version 3.1 or
greater and Cisco Access Registrar version 3.5 or greater.
Note: Windows XP Service Pack 1 and the Microsoft 802.1X supplicant for Windows 2000
include Microsoft’s PEAP supplicant, which supports a Windows username and
password only and does not interoperate with Cisco’s PEAP supplicant. To use Cisco’s
PEAP supplicant, install the Install Wizard file after Windows XP Service Pack 1 or the
Microsoft 802.1X supplicant for Windows 2000. Otherwise, Cisco’s PEAP supplicant
is overwritten by Microsoft’s PEAP supplicant.