Dynamic WEP Keys with EAP - Cisco AIR-PCM352 - Aironet 350 Series 11Mbps Wireless LAN PC Card Adapter Installation and Configuration Manual

Wireless LAN client adapters for Windows CE
Appendix E
Configuring the Client Adapter through Windows CE .NET

Dynamic WEP Keys with EAP

The new standard for wireless LAN security, as defined by IEEE, is called 802.1X for 802.11, or simply
802.1X. An access point that supports 802.1X and its protocol, Extensible Authentication Protocol
(EAP), acts as the interface between a wireless client and an authentication server, such as a RADIUS
server, to which the access point communicates over the wired network.

Two 802.1X authentication types are available for PPC 2003 and other Windows CE .NET 4.2 devices
when you configure your client adapter through Windows CE .NET:

- EAP-TLS—This authentication type is enabled or disabled through the operating system and uses
  a dynamic session-based WEP key, which is derived from the client adapter and RADIUS server, to
  encrypt data. EAP-TLS requires the use of certificates for authentication.

  RADIUS servers that support EAP-TLS include Cisco Secure ACS version 3.0 or later and Cisco
  Access Registrar version 1.8 or later.

- Cisco PEAP—Cisco PEAP authentication (also known as PEAP-GTC) is designed to support
  One-Time Password (OTP), Windows NT or 2000 domain, and LDAP user databases over a wireless
  LAN. It is based on EAP-TLS authentication but uses a password instead of a client certificate for
  authentication. Cisco PEAP is enabled or disabled through the operating system and uses a dynamic
  session-based WEP key, which is derived from the client adapter and RADIUS server, to encrypt
  data. Cisco PEAP requires you to enter your username and password in order to start the
  authentication process and gain access to the network. RADIUS servers that support Cisco PEAP
  authentication include Cisco Secure ACS version 3.1 or later.

  Note: To use Cisco PEAP authentication, you must have checked the Install Cisco PEAP Support
  check box during installation.

When you enable Require EAP on your access point and configure your client adapter for EAP-TLS or
PEAP using Windows CE .NET, authentication to the network occurs in the following sequence:

1. The client associates to an access point and begins the authentication process.

   Note: The client does not gain access to the network until authentication between the client and
   the RADIUS server is successful.

2. Communicating through the access point, the client and RADIUS server complete the authentication
   process, with the password (PEAP) or certificate (EAP-TLS) being the shared secret for
   authentication. The password is never transmitted during the process.

3. If authentication is successful, the client and RADIUS server derive a dynamic, session-based WEP
   key that is unique to the client.

4. The RADIUS server transmits the key to the access point using a secure channel on the wired LAN.

5. For the length of a session, or time period, the access point and the client use this key to encrypt or
   decrypt all unicast packets (and broadcast packets if the access point is set up to do so) that travel
   between them.

Note: Refer to the IEEE 802.11 Standard for more information on 802.1X authentication and to the following
URL for additional information on RADIUS servers:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt2/scrad.htm

Cisco Aironet 350 Series Wireless LAN Client Adapters Installation and Configuration Guide for Windows CE, OL-1375-04
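Step 3 of the authentication sequence above, as an added example that is not part of the Cisco guide: the guide does not say how the session key is derived, so this sketch follows the EAP-TLS key derivation published in RFC 2716 and RFC 5216 on top of the TLS 1.0 PRF (RFC 2246). The function names, the sample values and the choice to take the leading 104 bits of the derived material as the WEP key are assumptions made for illustration; delivery of the key to the access point (step 4) is not modelled.

```python
import hashlib
import hmac


def p_hash(hash_fn, secret, seed, length):
    """P_hash data expansion from the TLS 1.0 PRF (RFC 2246, section 5)."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_fn).digest()
        out += hmac.new(secret, a + seed, hash_fn).digest()
    return out[:length]


def tls10_prf(secret, label, seed, length):
    """TLS 1.0 PRF: P_MD5 over the first half of the secret XOR P_SHA1 over the last half."""
    half = (len(secret) + 1) // 2
    md5_part = p_hash(hashlib.md5, secret[:half], label + seed, length)
    sha_part = p_hash(hashlib.sha1, secret[len(secret) - half:], label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha_part))


def eap_tls_msk(master_secret, client_random, server_random):
    """Key material each end computes locally after a successful handshake."""
    material = tls10_prf(master_secret, b"client EAP encryption",
                         client_random + server_random, 128)
    return material[:64]  # MSK; the remaining 64 bytes are the EMSK


def session_wep_key(msk, bits=104):
    """Assumption for this sketch: the WEP key is the leading bytes of the MSK."""
    return msk[:bits // 8]


# Constructed sample values (not captured traffic). A real handshake negotiates
# a fresh master secret; it is held fixed here to show that the hello randoms
# alone are enough to change the resulting key.
MASTER = bytes(range(48))
SESSION_1 = (b"\x01" * 32, b"\x02" * 32)  # (client random, server random)
SESSION_2 = (b"\x03" * 32, b"\x04" * 32)

if __name__ == "__main__":
    for client_random, server_random in (SESSION_1, SESSION_2):
        # Client adapter and RADIUS server run the same derivation independently.
        client_key = session_wep_key(eap_tls_msk(MASTER, client_random, server_random))
        radius_key = session_wep_key(eap_tls_msk(MASTER, client_random, server_random))
        print(client_key.hex(), "match" if client_key == radius_key else "MISMATCH")
```

Because the key is a function of values both ends already hold, it never has to cross the wireless link, and a new session yields a different key.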
