Cisco 340 User Manual


5-24

Cisco Aironet 340, 350, and CB20A Wireless LAN Client Adapters Installation and Configuration Guide for Windows

OL-1394-08

Chapter 5 Configuring the Client Adapter

Setting Network Security Parameters

LEAP is enabled or disabled for a specific profile through ACU, provided the LEAP security module
was selected during installation. After LEAP is enabled, a variety of configuration options are
available, including how and when a username and password are entered to begin the authentication
process.

The username and password are used by the client adapter to perform mutual authentication with the
RADIUS server through the access point. The username and password need to be re-entered each
time the client adapter is inserted or the Windows device is rebooted, unless you configure your
adapter to use saved LEAP credentials.

Note

If the LEAP security module was not selected during installation, the LEAP option is
unavailable in ACU. If you want to be able to enable and disable LEAP, you must run the
installation program again and choose LEAP.

EAP-FAST—This authentication type (Flexible Authentication via Secure Tunneling) is available
for 350 series and CB20A cards on computers running Windows 2000 or XP. EAP-FAST uses a
three-phased tunneled authentication process to provide advanced 802.1X EAP mutual
authentication.

Phase 0 enables the client to dynamically provision a protected access credential (PAC) when
necessary. During this phase, a PAC is generated securely between the user and the network.

Phase 1 uses the PAC to establish a mutually authenticated and secure tunnel between the client
and the RADIUS server. RADIUS servers that support EAP-FAST include Cisco Secure ACS
version 3.2.3 and later.

Phase 2 performs client authentication in the established tunnel.

EAP-FAST is enabled or disabled for a specific profile through ACU, provided the EAP-FAST
security module was selected during installation. After EAP-FAST is enabled, a variety of
configuration options are available, including how and when a username and password are entered
to begin the authentication process and whether automatic or manual PAC provisioning is used.

The client adapter uses the username, password, and PAC to perform mutual authentication with the
RADIUS server through the access point. The username and password need to be re-entered each
time the client adapter is inserted or the Windows device is rebooted, unless you configure your
adapter to use saved EAP-FAST credentials.

PACs are created by Cisco Secure ACS and are identified by an ID. The user obtains his or her own
copy of the PAC from the server, and the ID links the PAC to the profile created in ACU. When
manual PAC provisioning is enabled, the PAC file is manually copied from the server and imported
onto the client device. The following rules govern PAC storage:

• In most cases PACs are provisioned and stored separately for each Windows logon user. These
  per-user PACs are not viewable by other users.

• If a profile is configured to use manual provisioning, each user must manually provision his or
  her own PAC for that profile.

• PAC files can be added or replaced using the import feature, but they cannot be removed or
  exported.

• For profiles configured with saved EAP-FAST usernames and passwords, the PACs are not
  stored per user but in a global PAC area shared by all users. Global PACs are also enabled when
  the No Network Connection Unless User Is Logged In check box is unchecked. These global
  PACs can be imported and used by all users.
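The storage rules above decide which Windows users can see a given PAC, which is the security-relevant point for an administrator: a profile with saved credentials, or with the No Network Connection Unless User Is Logged In box unchecked, places its PAC in the global area where every user of the machine can use it. The following Python model is an added illustration, not Cisco or ACU code. It assumes a profile is described only by the three settings named on this page (manual or automatic provisioning, saved credentials, the logged-in-user check box) and that a PAC is identified by an ID string; file formats, paths and the wire protocol are not modeled.

```python
"""Model of the EAP-FAST PAC storage rules described in the ACU guide.

Added example (not Cisco code). Profile and PacStore are hypothetical names
chosen for this illustration; the rules they encode are the four bullets above.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Profile:
    name: str
    manual_provisioning: bool            # manual (import a file) vs automatic (phase 0) provisioning
    saved_credentials: bool              # profile stores a saved EAP-FAST username/password
    require_logged_in_user: bool = True  # "No Network Connection Unless User Is Logged In" checked


def pac_scope(profile: Profile) -> str:
    """Return 'global' or 'per-user' for this profile.

    A PAC lands in the shared global area when the profile uses saved
    credentials or when the logged-in-user check box is unchecked; otherwise
    each Windows logon user keeps a private copy.
    """
    if profile.saved_credentials or not profile.require_logged_in_user:
        return "global"
    return "per-user"


class PacStore:
    """Per-user and global PAC areas.

    Only import is offered: it adds a PAC or replaces the existing one for
    that (user, profile) or profile. No remove or export operation exists,
    matching the rule that PAC files cannot be removed or exported.
    """

    def __init__(self) -> None:
        self._per_user: Dict[Tuple[str, str], str] = {}  # (user, profile name) -> PAC ID
        self._global: Dict[str, str] = {}                 # profile name -> PAC ID

    def import_pac(self, user: str, profile: Profile, pac_id: str) -> str:
        """Store pac_id in the area the profile's settings select; return that area."""
        scope = pac_scope(profile)
        if scope == "global":
            self._global[profile.name] = pac_id          # visible to all users
        else:
            self._per_user[(user, profile.name)] = pac_id  # visible to this user only
        return scope

    def lookup(self, user: str, profile: Profile) -> Optional[str]:
        """PAC ID this user can use for the profile, or None if none is visible."""
        if pac_scope(profile) == "global":
            return self._global.get(profile.name)
        return self._per_user.get((user, profile.name))

    def can_authenticate(self, user: str, profile: Profile) -> bool:
        """A manually provisioned profile needs a PAC visible to this user before
        phase 1 can start; an automatically provisioned one can obtain a PAC in phase 0."""
        if not profile.manual_provisioning:
            return True
        return self.lookup(user, profile) is not None


if __name__ == "__main__":
    # Constructed sample: a manual-provisioning profile without saved credentials.
    store = PacStore()
    corp = Profile("corp-manual", manual_provisioning=True, saved_credentials=False)
    store.import_pac("alice", corp, "PAC-A1")
    print("bob can use alice's PAC:", store.lookup("bob", corp) is not None)   # False
    shared = Profile("corp-saved", manual_provisioning=True, saved_credentials=True)
    store.import_pac("alice", shared, "PAC-G1")
    print("bob can use the global PAC:", store.lookup("bob", shared) is not None)  # True
```

Running the script shows the distinction the text draws: with the manual-provisioning profile, a second user has no PAC until he or she imports one, whereas the saved-credentials profile's PAC is usable by everyone on the machine.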
