Chapter 5
Configuring the Client Adapter
Note: When you enable Network-EAP or EAP on your access point and configure your client adapter for LEAP, EAP-TLS, PEAP, or EAP-SIM, authentication to the network occurs in the following sequence:

1. The client associates to an access point and begins the authentication process.
2. Communicating through the access point, the client and RADIUS server complete the authentication process, with the password (LEAP and PEAP), certificate (EAP-TLS), or internal key stored on the SIM card and in the service provider's Authentication Center (EAP-SIM) being the shared secret for authentication. The password or internal key is never transmitted during the process.
3. If authentication is successful, the client and RADIUS server derive a dynamic, session-based WEP key that is unique to the client.
4. The RADIUS server transmits the key to the access point using a secure channel on the wired LAN.
5. For the length of a session, or time period, the access point and the client use this key to encrypt or decrypt all unicast packets (and broadcast packets if the access point is set up to do so) that travel between them.
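The five-step sequence above as a small runnable model, added here as an example and not taken from Cisco's documentation or software. It assumes HMAC-SHA256 as a stand-in for each EAP method's own cryptography (this is not the LEAP, PEAP or EAP-SIM wire format) and models the RADIUS-to-access-point "secure channel" as wrapping the session key under a separate AP/RADIUS shared secret; both are constructed assumptions.

```python
"""Abstract model of the EAP/RADIUS key sequence: the shared secret never
crosses the wire, a fresh per-session key is derived on both ends, and the
RADIUS server hands that key to the AP without the AP learning the secret."""
import hashlib
import hmac
import os


def kdf(secret: bytes, *public: bytes) -> bytes:
    """Derive 16 bytes from a secret plus public inputs (HMAC-based, constructed)."""
    return hmac.new(secret, b"|".join(public), hashlib.sha256).digest()[:16]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class RadiusServer:
    """Holds user secrets and the AP shared secret; the AP never sees user secrets."""

    def __init__(self, users: dict, ap_secret: bytes):
        self.users, self.ap_secret = users, ap_secret

    def verify(self, user: str, challenge: bytes, response: bytes, session_id: bytes):
        secret = self.users.get(user)
        expected = kdf(secret or b"", b"auth", challenge)
        if secret is None or not hmac.compare_digest(response, expected):
            return None  # step 2 failed: no session key is released
        session_key = kdf(secret, b"key", challenge, session_id)  # step 3
        # step 4: key wrapped for the AP under the AP/RADIUS shared secret
        return xor(session_key, kdf(self.ap_secret, b"wrap", session_id))


def authenticate(user: str, password: bytes, ap_secret: bytes, server: RadiusServer):
    """Run steps 1-4; return (client_key, ap_key, wire) or None if rejected.

    `wire` holds every value the AP relays or receives, so a test can check
    that the password itself is never transmitted (step 2)."""
    session_id = os.urandom(8)                     # step 1: a new association
    challenge = os.urandom(16)                     # RADIUS challenge, relayed by the AP
    response = kdf(password, b"auth", challenge)   # proof of the secret, not the secret
    wrapped = server.verify(user, challenge, response, session_id)
    if wrapped is None:
        return None
    client_key = kdf(password, b"key", challenge, session_id)       # client side of step 3
    ap_key = xor(wrapped, kdf(ap_secret, b"wrap", session_id))       # AP unwraps, step 4
    wire = [session_id, challenge, response, wrapped]
    return client_key, ap_key, wire   # step 5: client_key == ap_key protects the session
```

Running `authenticate` twice for the same user yields two different keys, which is the "dynamic, session-based" property the text describes; an AP configured with the wrong AP/RADIUS secret unwraps garbage and the session fails.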
Cisco Aironet 340, 350, and CB20A Wireless LAN Client Adapters Installation and Configuration Guide for Windows
OL-1394-07
EAP-SIM—EAP-SIM authentication is designed for use in public wireless LANs and requires clients equipped with PCSC-compliant smartcard readers. The EAP-SIM supplicant included in the Install Wizard file supports only Gemplus SIM+ cards; however, an updated supplicant is available that supports standard GSM-SIM cards as well as more recent versions of the EAP-SIM protocol. The new supplicant is available for download from the ftpeng FTP server at the following URL:

ftp://ftpeng.cisco.com/ftp/pwlan/eapsim/CiscoEapSim.dll

Please note that the above requirements are necessary but not sufficient to successfully perform EAP-SIM authentication. Typically, you are also required to enter into a service contract with a WLAN service provider, who must support EAP-SIM authentication in its network. Also, while your PCSC smartcard reader may be able to read standard GSM-SIM cards or chips, EAP-SIM authentication usually requires your GSM cell phone account to be provisioned for WLAN service by your service provider.

EAP-SIM is enabled or disabled through the operating system and uses a dynamic, session-based WEP key, derived by the client adapter and the RADIUS server, to encrypt data.

EAP-SIM requires you to enter a user verification code, or PIN, for communication with the SIM card. You can choose to have the PIN stored on your computer or to be prompted to enter it after a reboot or prior to every authentication attempt.

RADIUS servers that support EAP-SIM include Cisco Access Registrar version 3.0 or greater.
Because EAP-TLS, PEAP, and EAP-SIM authentication are enabled in the operating system and not in ACU, you cannot switch between these authentication types simply by switching profiles in ACU. You can create a profile in ACU that uses host-based EAP, but you must enable the specific authentication type in Windows (provided Windows uses the Microsoft 802.1X supplicant). In addition, Windows can be set for only one authentication type at a time; therefore, if you have more than one profile in ACU that uses host-based EAP and you want to use another authentication type, you must change authentication types in Windows after switching profiles in ACU.
Note: The client does not gain full access to the network until authentication between the client and the RADIUS server is successful.
Setting Network Security Parameters
5-25