Appendix E
Configuring the Client Adapter through the Windows XP Operating System
Three 802.1X authentication types are available when configuring your client adapter through
Windows XP:
• EAP-TLS—This authentication type is enabled or disabled through the operating system and uses
a dynamic session-based WEP key, which is derived from the client adapter and RADIUS server, to
encrypt data.

RADIUS servers that support EAP-TLS include Cisco Secure ACS version 3.0 or greater and Cisco
Access Registrar version 1.8 or greater.

Note: EAP-TLS requires the use of a certificate. Refer to Microsoft's documentation for
information on downloading and installing the certificate.

• Protected EAP (or PEAP)—PEAP authentication is designed to support One-Time Password
(OTP), Windows NT or 2000 domain, and LDAP user databases over a wireless LAN. It is based on
EAP-TLS authentication but uses a password or PIN instead of a client certificate for authentication.
PEAP is enabled or disabled through the operating system and uses a dynamic session-based WEP
key, which is derived from the client adapter and RADIUS server, to encrypt data. If your network
uses an OTP user database, PEAP requires you to enter either a hardware token password or a
software token PIN to start the EAP authentication process and gain access to the network. If your
network uses a Windows NT or 2000 domain user database or an LDAP user database (such as
NDS), PEAP requires you to enter your username, password, and domain name in order to start the
authentication process.

RADIUS servers that support PEAP authentication include Cisco Secure ACS version 3.1 or greater
and Cisco Access Registrar version 3.5 or greater.

Note: To use PEAP authentication, you must install the PEAP security module during installation
or Windows XP Service Pack 1. This Service Pack includes Microsoft's PEAP supplicant,
which supports a Windows username and password only and does not interoperate with
Cisco's PEAP supplicant. To use Cisco's PEAP supplicant, install ACU after Windows XP
Service Pack 1. Otherwise, Cisco's PEAP supplicant is overwritten by Microsoft's PEAP
supplicant.

• EAP-SIM—EAP-SIM authentication is designed for use in public wireless LANs and requires
clients equipped with PCSC-compliant smartcard readers. The EAP-SIM supplicant included in the
Install Wizard file supports only Gemplus SIM+ cards; however, an updated supplicant is available
that supports standard GSM-SIM cards as well as more recent versions of the EAP-SIM protocol.
The new supplicant is available for download from the ftpeng FTP server at the following URL:

ftp://ftpeng.cisco.com/ftp/pwlan/eapsim/CiscoEapSim.dll

Please note that the above requirements are necessary but not sufficient to successfully perform
EAP-SIM authentication. Typically, you are also required to enter into a service contract with a
WLAN service provider, who must support EAP-SIM authentication in its network. Also, while
your PCSC smartcard reader may be able to read standard GSM-SIM cards or chips, EAP-SIM
authentication usually requires your GSM cell phone account to be provisioned for WLAN service
by your service provider.

EAP-SIM is enabled or disabled through the operating system and uses a dynamic session-based
WEP key, which is derived from the client adapter and RADIUS server, to encrypt data. EAP-SIM
requires you to enter a user verification code, or PIN, for communication with the SIM card. You
can choose to have the PIN stored in your computer or to be prompted to enter it after a reboot or
prior to every authentication attempt.

Cisco Aironet 340, 350, and CB20A Wireless LAN Client Adapters Installation and Configuration Guide for Windows
OL-1394-07
Overview