Cisco AIR-PCM352 - Aironet 350 Series 11Mbps Wireless LAN PC Card Adapter Installation And Configuration Manual page 57

Chapter 5 Configuring the Client Adapter
Note
–
–
When you enable Network-EAP or Require EAP on your access point and configure your client adapter
for LEAP, EAP-FAST, EAP-TLS, or PEAP, authentication to the network occurs in the following
sequence:
1. The client associates to an access point and begins the authentication process.
Note
Communicating through the access point, the client and RADIUS server complete the authentication
2.
process, with the password (LEAP and PEAP), password and PAC (EAP-FAST), or certificate
(EAP-TLS) being the shared secret for authentication. The password or PAC is never transmitted
during the process.
If authentication is successful, the client and RADIUS server derive a dynamic, session-based WEP
3.
key that is unique to the client.
The RADIUS server transmits the key to the access point using a secure channel on the wired LAN.
4.
For the length of a session, or time period, the access point and the client use this key to encrypt or
5.
decrypt all unicast packets (and broadcast packets if the access point is set up to do so) that travel
between them.
Refer to one of these sections for instructions on enabling EAP authentication:
Enabling LEAP, page 5-20
•
• Enabling EAP-FAST, page 5-21
• Enabling Host-Based EAP, page 5-25
Cisco Aironet 350 Series Wireless LAN Client Adapters Installation and Configuration Guide for Windows CE
OL-1375-04
PPC 2003 and other Windows CE .NET 4.2 devices can be configured for EAP-TLS or
PEAP authentication if you configure your client adapter through Windows CE .NET instead
of ACU. See Appendix E
EAP-TLS—EAP-TLS is enabled or disabled through the Authentication Manager and uses a
dynamic session-based WEP key, which is derived from the client adapter and RADIUS server,
to encrypt data. EAP-TLS requires the use of certificates for authentication.
RADIUS servers that support EAP-TLS include Cisco Secure ACS version 3.0 or later and
Cisco Access Registrar version 1.8 or later.
Cisco PEAP—Cisco PEAP authentication (also known as PEAP-GTC) is designed to support
One-Time Password (OTP), Windows NT or 2000 domain, and LDAP user databases over a
wireless LAN. It is based on EAP-TLS authentication but uses a password instead of a client
certificate for authentication. Cisco PEAP is enabled or disabled through the Authentication
Manager and uses a dynamic session-based WEP key, which is derived from the client adapter
and RADIUS server, to encrypt data. Cisco PEAP requires you to enter your username and
password in order to start the authentication process and gain access to the network. RADIUS
servers that support Cisco PEAP authentication include Cisco Secure ACS version 3.1 or later.
To use Cisco PEAP authentication, you must have checked the Install Cisco PEAP
Note
Support check box during installation.
The client does not gain access to the network until authentication between the client and
the RADIUS server is successful.
for instructions.
Overview of Security Features
5-13