
Cisco Aironet CB20A Configuration Manual page 25

Wireless LAN client adapters

Chapter 5
Configuring the Client Adapter
Setting Network Security Parameters

Note: PACs are also stored globally on computers that use the Novell Network login prompt or any other third-party login application that does not share its credentials with the EAP-FAST supplicant.

EAP-FAST authentication is designed to support the following user databases over a wireless LAN:
- Cisco Secure ACS internal user database
- Cisco Secure ACS ODBC user database
- Windows NT/2000/2003 domain user database
- LDAP user database

LDAP user databases (such as NDS) support only manual PAC provisioning while the other three user databases support both automatic and manual PAC provisioning.

Note: If the EAP-FAST security module was not selected during installation, the EAP-FAST option is unavailable in ACU. If you want to be able to enable and disable EAP-FAST, you must run the installation program again and choose EAP-FAST. EAP-FAST is supported in Install Wizard version 1.3 and later.

Host Based EAP—Choosing this option enables you to use any 802.1X authentication type for which your operating system has support. For example, if your operating system uses the Microsoft 802.1X supplicant, it provides native support for EAP-TLS authentication and general support for PEAP and EAP-SIM authentication.

Note: To use EAP-TLS, PEAP, or EAP-SIM authentication, you must install the Microsoft 802.1X supplicant, ACU, and the PEAP or EAP-SIM supplicant; configure your client adapter using ACU; enable the authentication type in Windows; and enable Network-EAP on the access point.

EAP-TLS—EAP-TLS is enabled or disabled through the operating system and uses a dynamic session-based WEP key, which is derived from the client adapter and RADIUS server, to encrypt data. Once enabled, a few configuration parameters must be set within the operating system.

RADIUS servers that support EAP-TLS authentication include Cisco Secure ACS version 3.0 or later and Cisco Access Registrar version 1.8 or later.

Note: EAP-TLS requires the use of a certificate. Refer to Microsoft's documentation for information on downloading and installing the certificate.

Protected EAP (or PEAP)—PEAP authentication is designed to support One-Time Password (OTP), Windows NT or 2000 domain, and LDAP user databases over a wireless LAN. It is based on EAP-TLS authentication but uses a password or PIN instead of a client certificate for authentication. PEAP is enabled or disabled through the operating system and uses a dynamic session-based WEP key, which is derived from the client adapter and RADIUS server, to encrypt data. If your network uses an OTP user database, PEAP requires you to enter either a hardware token password or a software token PIN to start the EAP authentication process and gain access to the network. If your network uses a Windows NT or 2000 domain user database or an LDAP user database (such as NDS), PEAP requires you to enter your username, password, and domain name in order to start the authentication process.

Cisco Aironet 340, 350, and CB20A Wireless LAN Client Adapters Installation and Configuration Guide for Windows
OL-1394-08


This manual is also suitable for:

Aironet 340, Aironet 350