Cisco Aironet 802.11a/b/g Wireless LAN Client Adapters (CB21AG and PI21AG) Installation and Configuration Guide, Release 2.5
Chapter 6 - Using EAP Authentication

Using EAP Authentication


This chapter explains the sequence of events that occurs and the actions you must take when a profile that is set for EAP authentication is activated.

The following topics are covered in this chapter:

Overview

Using LEAP or EAP-FAST

Using LEAP or EAP-FAST with the Windows Username and Password

Using LEAP or EAP-FAST with an Automatically Prompted Login

Using LEAP or EAP-FAST with a Manually Prompted Login

Using LEAP or EAP-FAST with a Saved Username and Password

Using EAP-TLS

Using PEAP (EAP-GTC)

Using PEAP (EAP-MSCHAP V2)

Restarting the Authentication Process

Overview

This chapter explains the sequence of events that occurs after you (or auto profile selection) activate a profile that uses EAP authentication or you eject and reinsert the client adapter, reboot the computer, log on while this profile is active, or are informed that your password has expired or is invalid. The chapter contains seven sections based on the profile's authentication type and its username and password settings:

LEAP or EAP-FAST with the Windows username and password

LEAP or EAP-FAST with an automatically prompted login

LEAP or EAP-FAST with a manually prompted login

LEAP or EAP-FAST with a saved username and password

EAP-TLS

PEAP (EAP-GTC)

PEAP (EAP-MSCHAP V2)

Also provided are an overview of LEAP and EAP-FAST authentication (see the "Using LEAP or EAP-FAST" section) and instructions for restarting the authentication process when necessary (see the "Restarting the Authentication Process" section).

Follow the instructions for your profile's authentication type and credential settings to successfully authenticate.


Note If any error messages appear during authentication, refer to Chapter 10 for explanations and recommended actions.


Using LEAP or EAP-FAST

When LEAP or EAP-FAST authentication begins, the LEAP or EAP-FAST Authentication Status window appears (see Figure 6-1).

Figure 6-1 LEAP or EAP-FAST Authentication Status Window

This window provides information about the status of LEAP or EAP-FAST authentication. Table 6-1 lists and explains the stages of LEAP or EAP-FAST authentication. As each stage is completed, a status message (such as Success) appears in the Status field. If any error messages appear, refer to the "Error Messages" section for an explanation and the recommended action to take.

Table 6-1 Stages of LEAP or EAP-FAST Authentication

| Stage | Explanation |
|---|---|
| Starting LEAP or EAP-FAST Authentication | The client adapter associates to an access point, and the LEAP or EAP-FAST authentication process begins. |
| Checking Link Status | The client adapter is EAP authenticated, and the network connection is verified. |
| Renewing IP Address | If DHCP is enabled, the IP address is released and renewed. |
| Detecting IPX Frame Type | The IPX frame type is reset if AutoDetect is enabled. |
| Finding Domain Controller | If you are logging into a domain and the active profile specifies that the domain name be included, an attempt is made to find the domain controller to make sure subsequent access to the domain is successful. |


If you do not want the LEAP or EAP-FAST Authentication Status window to appear each time the client adapter attempts to authenticate using LEAP or EAP-FAST, check the Show minimized next time check box at the bottom of the window. On future LEAP or EAP-FAST authentication attempts, the LEAP or EAP-FAST Authentication Status window appears minimized in the Windows taskbar.


Note To make the LEAP or EAP-FAST Authentication Status window reappear once it has been minimized, click the LEAP Authentication Status or EAP-FAST Authentication Status tab in the Windows taskbar and uncheck the Show minimized next time check box. The LEAP or EAP-FAST Authentication Status window should now appear for all future LEAP or EAP-FAST authentication attempts.


Using LEAP or EAP-FAST with the Windows Username and Password

After Profile Activation or Card Insertion

After you (or auto profile selection) activate a profile that uses your Windows username and password for LEAP or EAP-FAST authentication or you eject and reinsert the client adapter while this profile is active, the following events occur:

1. The LEAP or EAP-FAST Authentication Status window appears.

2. If your profile is configured for EAP-FAST and a message appears asking if you want to auto-provision a PAC, click Yes.

3. If your client adapter authenticates, the window shows that each stage was successful and then disappears. ASTU and the Link Status field on the ADU Current Status window show Authenticated.

If the authentication attempt fails, an error message appears after the authentication timeout period has expired. Refer to the "Error Messages" section for the necessary action to take.

After a Reboot or Logon

After your computer reboots or you log on, follow these steps to authenticate using LEAP or EAP-FAST.


Step 1 When the Windows login window appears, enter your Windows username and password and click OK. The domain name is optional.


Note If your computer has Novell Client 32 software installed, a separate LEAP or EAP-FAST login window appears before the Novell login window. If this occurs, enter your Windows and Novell username and password in the login windows and click OK.


The LEAP or EAP-FAST Authentication Status window appears.

Step 2 If your profile is configured for EAP-FAST and a message appears asking if you want to auto-provision a PAC, click Yes.

Step 3 If your client adapter authenticates, the window shows that each stage was successful and then disappears.

If the authentication attempt fails, an error message appears after the authentication timeout period has expired. Refer to the "Error Messages" section for the necessary action to take.

Step 4 Windows continues to log you onto the system. ASTU and the Link Status field on the ADU Current Status window show Authenticated.


After Your EAP-FAST Password Expires

If the EAP-FAST password for your current profile expires or becomes invalid, follow these steps to change your password.


Note If you change your Windows password using the standard Windows Change Password function, the client updates the EAP-FAST password automatically and maintains its connection to the access point if the current profile uses the Windows username and password. However, data packets may be dropped during this process.



Step 1 When the Please Change Password window appears (see Figure 6-2) to indicate that your password is invalid, enter your old password in the Old Password field.

Figure 6-2 Please Change Password Window

Step 2 Enter your new password in both the New Password and Verify New Password fields and click OK.

Step 3 If prompted, log off and on again in order to update your local cached account with your new password.


Using LEAP or EAP-FAST with an Automatically Prompted Login

After Profile Activation or Card Insertion

After you (or auto profile selection) activate a profile that uses a separate username and password for LEAP or EAP-FAST authentication or you eject and reinsert the client adapter while this profile is active, follow these steps to authenticate.


Step 1 When the Enter Wireless Network Password window appears (see Figure 6-3), enter your LEAP or EAP-FAST username and password and click OK. The domain name can be entered in the Log On To field; it is optional.

Figure 6-3 Enter Wireless Network Password Window

The LEAP or EAP-FAST Authentication Status window appears.

Step 2 If your profile is configured for EAP-FAST and a message appears asking if you want to auto-provision a PAC, click Yes.

Step 3 If your client adapter authenticates, the LEAP or EAP-FAST Authentication Status window shows that each stage was successful and then disappears. ASTU and the Link Status field on the ADU Current Status window show Authenticated.

If the authentication attempt fails, an error message appears after the authentication timeout period has expired. Refer to the "Error Messages" section for the necessary action to take.


After a Reboot or Logon

After your computer reboots or you log on, follow these steps to authenticate using LEAP or EAP-FAST.


Step 1 When the Windows login window appears, enter your Windows username and password and click OK.

Step 2 When the Enter Wireless Network Password window appears (see Figure 6-4), enter your LEAP or EAP-FAST username and password and click OK. The domain name can be entered in the Log On To field; it is optional.

Figure 6-4 Enter Wireless Network Password Window

The LEAP or EAP-FAST Authentication Status window appears.

Step 3 If your profile is configured for EAP-FAST and a message appears asking if you want to auto-provision a PAC, click Yes.

Step 4 If your client adapter authenticates, the window shows that each stage was successful and then disappears. The logon or boot-up process completes.

If the authentication attempt fails, an error message appears after the authentication timeout period has expired. Refer to the "Error Messages" section for the necessary action to take.


After Your EAP-FAST Password Expires

If the EAP-FAST password for your current profile expires or becomes invalid, follow these steps to change your password.


Step 1 When the Please Change Password window appears (see Figure 6-5) to indicate that your password is invalid, enter your old password in the Old Password field.

Figure 6-5 Please Change Password Window

Step 2 Enter your new password in both the New Password and Verify New Password fields.

Step 3 Click OK. The client adapter should authenticate using your new password.


Using LEAP or EAP-FAST with a Manually Prompted Login

After Profile Activation

After you (or auto profile selection) activate a profile that uses LEAP or EAP-FAST authentication with a manually prompted login, follow these steps to authenticate.


Note If auto profile selection is enabled, this procedure is applicable the first time auto profile selection activates a manual LEAP or manual EAP-FAST profile. After you follow these steps to enter your LEAP or EAP-FAST credentials, you can switch profiles without having to re-enter your credentials until you reboot your computer, eject and reinsert your client adapter, or change the profile in any way (including its priority in auto profile selection). If auto profile selection is disabled, you must re-enter your credentials every time you activate a manual LEAP or manual EAP-FAST profile.



Step 1 When the Enter Wireless Network Password window appears (see Figure 6-6), enter your LEAP or EAP-FAST username and password and click OK. The domain name can be entered in the Log On To field; it is optional.

Figure 6-6 Enter Wireless Network Password Window

The LEAP or EAP-FAST Authentication Status window appears.

Step 2 If your profile is configured for EAP-FAST and a message appears asking if you want to auto-provision a PAC, click Yes.

Step 3 If your client adapter authenticates, the window shows that each stage was successful and then disappears. ASTU and the Link Status field on the ADU Current Status window show Authenticated.

If the authentication attempt fails, an error message appears after the authentication timeout period has expired. Refer to the "Error Messages" section for the necessary action to take.


After a Reboot, Logon, or Card Insertion

After your computer reboots, you log on, or you eject and reinsert the client adapter, the adapter does not automatically attempt to authenticate. You must manually invoke the authentication process. To do so, follow these steps.


Step 1 If you rebooted your computer or logged on, complete your standard Windows login. Then open ASTU or ADU.

Step 2 Choose the Manual Login option from the ASTU pop-up menu or the ADU Action drop-down menu (see Figure 6-7).

Figure 6-7 Action Drop-Down Menu

Step 3 When the Enter Wireless Network Password window appears (see Figure 6-8), enter your LEAP or EAP-FAST username and password and click OK. The domain name can be entered in the Log On To field; it is optional.

Figure 6-8 Enter Wireless Network Password Window

The LEAP or EAP-FAST Authentication Status window appears.

Step 4 If your profile is configured for EAP-FAST and a message appears asking if you want to auto-provision a PAC, click Yes.

Step 5 If your client adapter authenticates, the window shows that each stage was successful and then disappears. ASTU and the Link Status field on the ADU Current Status window show Authenticated.

If the authentication attempt fails, an error message appears after the authentication timeout period has expired. Refer to the "Error Messages" section for the necessary action to take.


After Your EAP-FAST Password Expires

If the EAP-FAST password for your current profile expires or becomes invalid, follow these steps to change your password.


Step 1 When the Please Change Password window appears (see Figure 6-9) to indicate that your password is invalid, enter your old password in the Old Password field.

Figure 6-9 Please Change Password Window

Step 2 Enter your new password in both the New Password and Verify New Password fields.

Step 3 Click OK. The client adapter should authenticate using your new password.


Using LEAP or EAP-FAST with a Saved Username and Password

After Profile Activation or Card Insertion

After you (or auto profile selection) activate a profile that uses LEAP or EAP-FAST authentication with a saved LEAP or EAP-FAST username and password or you eject and reinsert the client adapter while this profile is active, the following events occur:

1. The LEAP or EAP-FAST Authentication Status window appears.

2. If your profile is configured for EAP-FAST and a message appears asking if you want to auto-provision a PAC, click Yes.

3. If your client adapter authenticates, the window shows that each stage was successful and then disappears. ASTU and the Link Status field on the ADU Current Status window show Authenticated.

If the authentication attempt fails, an error message appears after the authentication timeout period has expired. Refer to the "Error Messages" section for the necessary action to take.

After a Reboot or Logon

After your computer reboots or you log on, the following events occur:

1. After you enter your Windows username and password, the authentication process begins automatically using your saved LEAP or EAP-FAST username and password.


Note If you unchecked the No Network Connection Unless User Is Logged In check box on the LEAP Settings window or EAP-FAST Settings window, the EAP authentication process begins before the Windows login window appears.


2. If your profile is configured for EAP-FAST and a message appears asking if you want to auto-provision a PAC, click Yes.

3. If your client adapter authenticates, the LEAP or EAP-FAST Authentication Status window shows that each stage was successful and then disappears.

If the authentication attempt fails, an error message appears after the authentication timeout period has expired. Refer to the "Error Messages" section for the necessary action to take.

4. Windows continues to log you onto the system. ASTU and the Link Status field on the ADU Current Status window show Authenticated.

After Your EAP-FAST Password Expires

If the EAP-FAST password for your current profile expires or becomes invalid, follow these steps to change your password.


Step 1 When the Please Change Password window appears (see Figure 6-10) to indicate that your password is invalid, enter your old password in the Old Password field.

Figure 6-10 Please Change Password Window

Step 2 Enter your new password in both the New Password and Verify New Password fields.

Step 3 Click OK. The client adapter should authenticate using your new password.

Step 4 Edit the profile in ADU by changing the saved username and password on the EAP-FAST Settings window.


Using EAP-TLS

After you (or auto profile selection) activate a profile that uses EAP-TLS authentication or you eject and reinsert the client adapter, reboot the computer, or log on while this profile is active, the EAP authentication process begins automatically, and the client adapter should EAP authenticate.

If your client adapter authenticates, ASTU and the Link Status field on the ADU Current Status window show Authenticated. If the authentication attempt fails, ASTU and ADU show Authentication Failed.

Using PEAP (EAP-GTC)

After you (or auto profile selection) activate a profile that uses PEAP (EAP-GTC) authentication or you eject and reinsert the client adapter, reboot the computer, or log on while this profile is active, follow the steps in one of the sections below to EAP authenticate. Choose the section appropriate for your user database.

Windows NT or 2000 Domain Databases or LDAP Databases Only

The EAP authentication process begins automatically. The client adapter should EAP authenticate using either your Windows credentials or the username and password entered in the Define PEAP (EAP-GTC) Configuration window. If your client adapter authenticates, ASTU and the Link Status field on the ADU Current Status window show Authenticated. If the authentication attempt fails, ASTU and ADU show Authentication Failed.

OTP Databases Only


Step 1 Use your hardware token device or SofToken program to obtain the one-time password.

Step 2 When the Token Configuration window appears (see Figure 6-11), enter the one-time password.

Figure 6-11 Token Configuration Window


Note The username is filled in automatically.


Step 3 Click OK to begin the authentication process.


Note If the password is invalid or entered incorrectly, the Token Configuration window reappears, enabling you to re-enter it.


If your client adapter authenticates, ASTU and the Link Status field on the ADU Current Status window show Authenticated. If the authentication attempt fails, ASTU and ADU show Authentication Failed.


Using PEAP (EAP-MSCHAP V2)

After you (or auto profile selection) activate a profile that uses PEAP (EAP-MSCHAP V2) authentication or you eject and reinsert the client adapter, reboot the computer, or log on while this profile is active, the EAP authentication process begins automatically. The client adapter should EAP authenticate using either your Windows credentials or the username and password entered in the Define PEAP (EAP-MSCHAP V2) Configuration window.

If your client adapter authenticates, ASTU and the Link Status field on the ADU Current Status window show Authenticated. If the authentication attempt fails, ASTU and ADU show Authentication Failed.

Restarting the Authentication Process

To force your client adapter to try to reauthenticate using the username and password of the current profile, choose Reauthenticate from the ASTU pop-up menu or the ADU Action drop-down menu. When you choose this option, the authentication process begins.

If your client adapter is unable to authenticate using the specified username and password, you may be prompted to re-enter them. If you click Cancel, a message appears indicating that the current profile will be disabled until you choose the Reauthenticate option, reboot your computer, or eject and reinsert the client adapter.