Cisco Aironet Installation And Configuration Manual page 240

Wireless LAN Client Adapters for Windows

Overview
EAP-SIM—EAP-SIM authentication is designed for use in public wireless LANs with clients
containing Gemplus SIM+ smartcards in PCSC-compliant smartcard readers. EAP-SIM is enabled
or disabled through the operating system and uses a dynamic session-based WEP key, which is
derived from the client adapter and RADIUS server, to encrypt data. EAP-SIM requires you to enter
a user verification code, or PIN, for communication with the SIM card. You can choose to have the
PIN stored in your computer or to be prompted to enter it only after a reboot or prior to every
authentication attempt.
RADIUS servers that support EAP-SIM include Cisco Access Registrar version 3.0 or greater.
Note: To use EAP-SIM authentication, you must install the EAP-SIM supplicant during ACU
installation.
Note: PC-Cardbus cards do not support EAP-SIM authentication.
When you enable Require EAP on your access point and configure your client adapter for EAP-TLS,
EAP-MD5, PEAP, or EAP-SIM using Windows XP, authentication to the network occurs in the
following sequence:
1. The client adapter associates to an access point and begins the authentication process.
Note: The client does not gain full access to the network until authentication between the client
and the RADIUS server is successful.
2. Communicating through the access point, the client and RADIUS server complete the authentication
process, with the password (EAP-MD5 and PEAP), certificate (EAP-TLS), or internal key stored on
the SIM card and in the service provider's Authentication Center (EAP-SIM) being the shared secret
for authentication. The password, certificate, or internal key is never transmitted during the process.
Note: The authentication process is now complete for EAP-MD5. For EAP-TLS, PEAP, and
EAP-SIM, the process continues.
3. If authentication is successful, the client and RADIUS server derive a dynamic, session-based WEP
key that is unique to the client.
4. The RADIUS server transmits the key to the access point using a secure channel on the wired LAN.
5. For the length of a session, or time period, the access point and the client use this key to encrypt or
decrypt all unicast packets (and broadcast packets if the access point is set up to do so) that travel
between them.
Note: Refer to the IEEE 802.11 Standard for more information on 802.1X authentication and to the
following URL for additional information on RADIUS servers:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt2/scrad.htm
Cisco Aironet Wireless LAN Client Adapters Installation and Configuration Guide for Windows
E-4
Appendix E
Configuring the Client Adapter through Windows XP
OL-1394-04
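The five-step authentication sequence above, modelled as an added example that is not code from the Cisco guide. HMAC-SHA256 stands in for the EAP method's real key derivation; the function names, the 13-byte key length and the sample secret are assumptions. It shows that the shared secret and the session key never cross the air and that each session gets its own key.

```python
import hashlib
import hmac
import os

WEP_KEY_LEN = 13  # assumption: 104-bit WEP key; the page gives no key length


def prf(secret: bytes, label: bytes, nonces: bytes) -> bytes:
    """HMAC-SHA256 as a stand-in for the EAP method's own one-way derivation."""
    return hmac.new(secret, label + nonces, hashlib.sha256).digest()


def run_session(client_secret: bytes, server_secret: bytes):
    """Model steps 1-5. Returns (authenticated, over_the_air, client_key, ap_key)."""
    over_the_air = []  # every message relayed through the access point
    # Steps 1-2: associate, then challenge/response through the access point.
    server_nonce, client_nonce = os.urandom(16), os.urandom(16)
    nonces = server_nonce + client_nonce
    proof = prf(client_secret, b"auth", nonces)
    over_the_air += [server_nonce, client_nonce, proof]
    if not hmac.compare_digest(proof, prf(server_secret, b"auth", nonces)):
        return False, over_the_air, None, None  # no full network access
    # Step 3: each side derives the session key locally from what it already holds.
    client_key = prf(client_secret, b"session", nonces)[:WEP_KEY_LEN]
    server_key = prf(server_secret, b"session", nonces)[:WEP_KEY_LEN]
    # Step 4: the RADIUS server passes the key to the access point over the
    # wired LAN, so it is deliberately not appended to over_the_air.
    ap_key = server_key
    # Step 5: client and access point now hold the same per-session key.
    return True, over_the_air, client_key, ap_key


def leaked(value: bytes, messages) -> bool:
    """True if value appears anywhere in the captured over-the-air messages."""
    return value in b"".join(messages)


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed sample value
    ok, air, client_key, ap_key = run_session(secret, secret)
    print("authenticated:", ok, "| keys match:", client_key == ap_key)
    print("secret on air:", leaked(secret, air), "| key on air:", leaked(client_key, air))
    print("wrong secret accepted:", run_session(b"wrong", secret)[0])
```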
