Eap (With Dynamic Wep Keys) - Cisco CB21AG Installation And Configuration Manual

Chapter 5 Configuring the Client Adapter
You do not need to re-enter static WEP keys each time the client adapter is inserted or the Windows
device is rebooted because the keys are stored (in an encrypted format for security reasons) in the
registry of the Windows device. When the driver loads and reads the client adapter's registry parameters,
it also finds the static WEP keys, unencrypts them, and stores them in volatile memory on the adapter.
The Define Pre-Shared Keys window enables you to view the WEP key settings for a particular profile
and to assign new WEP keys or overwrite existing WEP keys. Refer to the
section on page 5-22

EAP (with Dynamic WEP Keys)

The standard for wireless LAN security, as defined by IEEE, is called 802.1X for 802.11, or simply
802.1X. An access point that supports 802.1X and its protocol, Extensible Authentication Protocol
(EAP), acts as the interface between a wireless client and an authentication server, such as a RADIUS
server, to which the access point communicates over the wired network.
Four 802.1X authentication types are available in ADU for use with Windows 2000 or XP:
•
•
•
•
Cisco Aironet 802.11a/b/g Wireless LAN Client Adapters (CB21AG and PI21AG) Installation and Configuration Guide
OL-4211-02
for instructions.
EAP-Cisco Wireless (or LEAP)—This authentication type leverages Cisco Key Integrity Protocol
(CKIP) and MMH message integrity check (MIC) for data protection. ADU offers a variety of LEAP
configuration options, including how a username and password are entered to begin the
authentication process.
The username and password are used by the client adapter to perform mutual authentication with the
RADIUS server through the access point. The username and password need to be re-entered each
time the client adapter is inserted or the Windows device is rebooted unless you configure your
adapter to use saved LEAP credentials.
RADIUS servers that support LEAP include Cisco Secure ACS release 2.6 or later, Cisco Access
Registrar release 1.7 or later, Funk Software's Steel-Belted RADIUS release 4.1 or later, and
Meetinghouse Data Communications' AEGIS release 1.1 or later.
EAP-TLS—This authentication type uses a dynamic session-based WEP key derived from the
client adapter and RADIUS server to encrypt data. It uses a client certificate for authentication.
RADIUS servers that support EAP-TLS include Cisco Secure ACS release 3.0 or later and Cisco
Access Registrar release 1.8 or later.
PEAP (EAP-GTC)—This PEAP authentication type is designed to support One-Time Password
(OTP), Windows NT or 2000 domain, and LDAP user databases over a wireless LAN. It is based on
EAP-TLS authentication but uses a password instead of a client certificate for authentication. PEAP
(EAP-GTC) uses a dynamic session-based WEP key derived from the client adapter and RADIUS
server to encrypt data. If your network uses an OTP user database, PEAP (EAP-GTC) requires you
to enter a hardware or software token password to start the EAP authentication process and gain
access to the network. If your network uses a Windows NT or 2000 domain user database or an
LDAP user database (such as NDS), PEAP (EAP-GTC) requires you to enter your username,
password, and domain name in order to start the authentication process.
RADIUS servers that support PEAP (EAP-GTC) authentication include Cisco Secure ACS release
3.1 or later.
PEAP (EAP-MSCHAP V2)—This PEAP authentication type is based on EAP-TLS authentication
but uses a password instead of a client certificate for authentication. PEAP (EAP-MSCHAP V2)
uses a dynamic session-based WEP key derived from the client adapter and RADIUS server to
encrypt data.
RADIUS servers that support PEAP (EAP-MSCHAP V2) authentication include Cisco Secure ACS
release 3.2 or later.
Setting Security Parameters
"Enabling Static WEP"
5-15