beautypg.com

Cisco 340 User Manual

Page 26

background image

5-26

Cisco Aironet 340, 350, and CB20A Wireless LAN Client Adapters Installation and Configuration Guide for Windows

OL-1394-08

Chapter 5 Configuring the Client Adapter

Setting Network Security Parameters

RADIUS servers that support PEAP authentication include Cisco Secure ACS version 3.1 or
later and Cisco Access Registrar version 3.5 or later.

Note

Windows XP Service Pack 1 and the Microsoft 802.1X supplicant for Windows 2000
include Microsoft’s PEAP supplicant, which supports a Windows username and
password only and does not interoperate with Cisco’s PEAP supplicant. To use Cisco’s
PEAP supplicant, install the Install Wizard file after Windows XP Service Pack 1 or the
Microsoft 802.1X supplicant for Windows 2000. Otherwise, Cisco’s PEAP supplicant
is overwritten by Microsoft’s PEAP supplicant.

EAP-SIM—EAP-SIM authentication is designed for use in public wireless LANs and requires
clients equipped with PCSC-compliant smartcard readers. The EAP-SIM supplicant included in
the Install Wizard file supports only Gemplus SIM+ cards; however, an updated supplicant is
available that supports standard GSM-SIM cards as well as more recent versions of the
EAP-SIM protocol. The new supplicant is available for download from Cisco.com at the
following URL:

http://www.cisco.com/cgi-bin/tablebuild.pl/access-registrar-encrypted

Please note that the above requirements are necessary but not sufficient to successfully perform
EAP-SIM authentication. Typically, you are also required to enter into a service contract with
a WLAN service provider, who must support EAP-SIM authentication in its network. Also,
while your PCSC smartcard reader may be able to read standard GSM-SIM cards or chips,
EAP-SIM authentication usually requires your GSM cell phone account to be provisioned for
WLAN service by your service provider.

EAP-SIM is enabled or disabled through the operating system and uses a dynamic session-based
WEP key, which is derived from the client adapter and RADIUS server, to encrypt data.
EAP-SIM requires you to enter a user verification code, or PIN, for communication with the
SIM card. You can choose to have the PIN stored in your computer or to be prompted to enter
it after a reboot or prior to every authentication attempt.

RADIUS servers that support EAP-SIM include Cisco Access Registrar version 3.0 or later.

Note

Because EAP-TLS, PEAP, and EAP-SIM authentication are enabled in the operating system
and not in ACU, you cannot switch between these authentication types simply by switching
profiles in ACU. You can create a profile in ACU that uses host-based EAP, but you must
enable the specific authentication type in Windows (provided Windows uses the Microsoft
802.1X supplicant). In addition, Windows can be set for only one authentication type at a
time; therefore, if you have more than one profile in ACU that uses host-based EAP and you
want to use another authentication type, you must change authentication types in Windows
after switching profiles in ACU.

When you enable Network-EAP or EAP on your access point and configure your client adapter for
LEAP, EAP-FAST, EAP-TLS, PEAP, or EAP-SIM, authentication to the network occurs in the following
sequence:

1.

The client associates to an access point and begins the authentication process.

Note

The client does not gain full access to the network until authentication between the client
and the RADIUS server is successful.