Cisco Aironet Installation And Configuration Manual page 92

Wireless lan client adapters for windows

Chapter 5 Configuring the Client Adapter
Setting Network Security Parameters
Cisco Aironet Wireless LAN Client Adapters Installation and Configuration Guide for Windows, page 5-24 (OL-1394-04)

Protected EAP (or PEAP)—PEAP authentication is designed to support One-Time Password (OTP), Windows NT or 2000 domain, and LDAP user databases over a wireless LAN. It is based on EAP-TLS authentication but uses a password or PIN instead of a client certificate for authentication. PEAP is enabled or disabled through the operating system and uses a dynamic session-based WEP key, which is derived from the client adapter and RADIUS server, to encrypt data. If your network uses an OTP user database, PEAP requires you to enter either a hardware token password or a software token PIN to start the EAP authentication process and gain access to the network. If your network uses a Windows NT or 2000 domain user database or an LDAP user database (such as NDS), PEAP requires you to enter your username, password, and domain name in order to start the authentication process.

RADIUS servers that support PEAP authentication include Cisco Secure ACS version 3.1 or greater.

Note
Service Pack 1 for Windows XP includes Microsoft's PEAP supplicant, which supports a Windows username and password only and does not interoperate with Cisco's PEAP supplicant. To use Cisco's PEAP supplicant, install ACU version 5.05 or greater after Service Pack 1 for Windows XP. Otherwise, it will be overwritten by Microsoft's PEAP supplicant.

EAP-SIM—EAP-SIM authentication is designed for use in public wireless LANs with clients containing Gemplus SIM+ smartcards in PCSC-compliant smartcard readers. EAP-SIM is enabled or disabled through the operating system and uses a dynamic session-based WEP key, which is derived from the client adapter and RADIUS server, to encrypt data. EAP-SIM requires you to enter a user verification code, or PIN, for communication with the SIM card. You can choose to have the PIN stored in your computer or to be prompted to enter it only after a reboot or prior to every authentication attempt.

RADIUS servers that support EAP-SIM include Cisco Access Registrar version 3.0 or greater.

Note
Because EAP-TLS, EAP-MD5, PEAP, and EAP-SIM authentication are enabled in the operating system and not in ACU, you cannot switch between these authentication types simply by switching profiles in ACU. You can create a profile in ACU that uses host-based EAP, but you must enable the specific authentication type in Windows 2000 (with Service Pack 3 or greater and the Windows 2000 Wireless 802.1X hot fix) or Windows XP. In addition, Windows can be set for only one authentication type at a time; therefore, if you have more than one profile in ACU that uses host-based EAP and you want to use another authentication type, you must change authentication types in Windows after switching profiles in ACU.

When you enable Network-EAP or Require EAP on your access point and configure your client adapter for LEAP, EAP-TLS, EAP-MD5, PEAP, or EAP-SIM, authentication to the network occurs in the following sequence:

1. The client associates to an access point and begins the authentication process.

Note
The client does not gain full access to the network until authentication between the client and the RADIUS server is successful.
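The security-relevant point of the sequence above is that association alone grants nothing: the access point holds the client's port closed, passing only EAP traffic, until the RADIUS server accepts the credentials, and only then does the client receive its session key and network access. The following is an added, simplified model of that port-based behaviour, written for this page and not taken from the Cisco guide or from Cisco software. The user database, the "user:password" EAP payload format and the session-key string are constructed placeholders; a real deployment uses the EAP method negotiated with the RADIUS server and derives the key as the page describes.

```python
"""Simplified model of 802.1X port-based access control around EAP authentication.

Added example (not from the Cisco guide): the authenticator (access point) keeps the
client's controlled port unauthorized and forwards only EAP frames until the RADIUS
server returns an accept, after which data frames pass and a session key is installed.
"""
from dataclasses import dataclass
from enum import Enum


class PortState(Enum):
    UNAUTHORIZED = "unauthorized"   # only EAP frames are processed; data is dropped
    AUTHORIZED = "authorized"       # client data traffic is forwarded


@dataclass
class Frame:
    kind: str          # "eapol" (authentication traffic) or "data" (normal traffic)
    payload: str = ""


class RadiusServer:
    """Stand-in RADIUS server with a constructed username -> password table."""

    def __init__(self, users):
        self._users = users

    def access_request(self, username, password):
        """Return (accepted, session_key). The key is a constructed placeholder for
        the dynamic session-based key the page says is derived per session."""
        if self._users.get(username) == password:
            return True, f"session-key-for-{username}"
        return False, None


class AccessPoint:
    def __init__(self, radius):
        self.radius = radius
        self.port = PortState.UNAUTHORIZED
        self.session_key = None
        self.forwarded = []   # data frames allowed onto the network
        self.dropped = []     # data frames refused while unauthorized

    def associate(self):
        """Step 1 of the page's sequence: association succeeds, but the controlled
        port stays unauthorized until EAP/RADIUS authentication completes."""
        self.port = PortState.UNAUTHORIZED
        self.session_key = None
        return self.port

    def receive(self, frame):
        if frame.kind == "eapol":
            return self._handle_eap(frame)
        if self.port is PortState.AUTHORIZED:
            self.forwarded.append(frame)
            return "forwarded"
        self.dropped.append(frame)
        return "dropped"

    def _handle_eap(self, frame):
        # Constructed credential format "user:password" for the model only.
        username, _, secret = frame.payload.partition(":")
        accepted, key = self.radius.access_request(username, secret)
        if accepted:
            self.port = PortState.AUTHORIZED
            self.session_key = key
            return "eap-success"
        self.port = PortState.UNAUTHORIZED
        return "eap-failure"


def run_scenario(username, password):
    """Associate, attempt a data frame, authenticate, attempt again; return a summary."""
    ap = AccessPoint(RadiusServer({"alice": "correct-horse"}))  # constructed user
    ap.associate()
    before = ap.receive(Frame("data", "GET / HTTP/1.1"))
    eap = ap.receive(Frame("eapol", f"{username}:{password}"))
    after = ap.receive(Frame("data", "GET / HTTP/1.1"))
    return {"before_auth": before, "eap": eap, "after_auth": after,
            "port": ap.port.value, "key": ap.session_key}


if __name__ == "__main__":
    print(run_scenario("alice", "correct-horse"))
    print(run_scenario("alice", "wrong-password"))
```

Running the two scenarios shows the first data frame dropped in both cases; only the run whose credentials the RADIUS stand-in accepts ends with the port authorized, a session key set and the second data frame forwarded.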