Cisco AIR-PCM352 - Aironet 350 Series 11Mbps Wireless LAN PC Card Adapter Installation And Configuration Manual page 56

Wireless LAN Client Adapters for Windows CE

Overview of Security Features
Up to three 802.1X authentication types can be selected in ACU for use with Windows CE devices:

- EAP-Cisco Wireless (or LEAP): Support for LEAP is provided not in the Windows CE operating system but in your client adapter's firmware and the Cisco software that supports it. RADIUS servers that support LEAP include Cisco Secure ACS version 2.6 and later, Cisco Access Registrar version 1.7 and later, and Funk Software's Steel-Belted RADIUS version 3.0 and later.

  LEAP is enabled in ACU, and either a saved LEAP username and password are entered in ACU or a temporary LEAP username and password are entered in WLM. The username and password are used by the client adapter to perform mutual authentication with the RADIUS server through the access point. The temporary LEAP username and password are stored in the client adapter's volatile memory and need to be re-entered whenever a LEAP profile is selected, the client adapter is ejected and reinserted, or the Windows CE device is reset.

- EAP-FAST: This authentication type (Flexible Authentication via Secure Tunneling) is available on PPC 2002, PPC 2003, and Windows CE .NET 4.2 devices. EAP-FAST uses a three-phased tunneled authentication process to provide advanced 802.1X EAP mutual authentication.

    - Phase 0 enables the client to dynamically provision a protected access credential (PAC) when necessary. During this phase, a PAC is generated securely between the user and the network.
    - Phase 1 uses the PAC to establish a mutually authenticated and secure tunnel between the client and the RADIUS server. RADIUS servers that support EAP-FAST include Cisco Secure ACS version 3.2.3 and later.
    - Phase 2 performs client authentication in the established tunnel.

  EAP-FAST is enabled in ACU, and either a saved EAP-FAST username and password are entered in ACU or a temporary EAP-FAST username and password are entered in WLM. In addition, automatic or manual PAC provisioning is enabled in ACU. The client adapter uses the username, password, and PAC to perform mutual authentication with the RADIUS server through the access point. The temporary EAP-FAST username and password are stored in the client adapter's volatile memory and need to be re-entered whenever an EAP-FAST profile is selected, the client adapter is ejected and reinserted, or the Windows CE device is reset.

  PACs are created by Cisco Secure ACS and are identified by an ID. The user obtains a copy of the PAC from the server, and the ID links the PAC to the profile created in ACU. When manual PAC provisioning is enabled, the PAC file is manually copied from the server and imported onto the client device. The following rules govern PAC storage:

    - PACs are stored in a single PAC database and are available to all users of the device.
    - PAC files can be added or replaced using the import feature, but they cannot be removed or exported.

  EAP-FAST authentication is designed to support the following user databases over a wireless LAN:

    - Cisco Secure ACS internal user database
    - Cisco Secure ACS ODBC user database
    - Windows NT/2000/2003 domain user database
    - LDAP user database

  LDAP user databases (such as NDS) support only manual PAC provisioning while the other three user databases support both automatic and manual PAC provisioning.

- Host Based EAP (PPC 2002 devices only): Selecting this option enables you to use any 802.1X authentication type for which your Windows CE device has support, such as EAP-TLS or PEAP. You can select this option only on PPC 2002 devices with the 802.1X backport installed.

Chapter 5: Configuring the Client Adapter
Cisco Aironet 350 Series Wireless LAN Client Adapters Installation and Configuration Guide for Windows CE (OL-1375-04), page 5-12
