Migrating from CTA 802.1x Wired Client to Cisco Secure Services Client
Migrating from CTA with CTA 802.1x Wired Client to CTA with SSC

The recommended version of Cisco Trust Agent is release 2.1.103.0. If you want to perform machine or user authentication using the IEEE 802.1x security protocol, Cisco recommends using the Cisco Secure Services Client supplicant, release 4.1.2 or later.

This chapter contains these sections:

Operating System Requirements for Installation of CTA 2.1.103.0 and SSC

CTA 2.1.103.0 Installation File

SSC 4.1.2 Installation Files

Upgrade Procedures

Installing SSC for an Existing CTA 2.1.103.0 Installation

Upgrading CTA 2.1.x with CTA 802.1x Wired Client to CTA 2.1.103 and SSC

Upgrading CTA 2.0 to CTA 2.1.103.0 and Installing SSC

Upgrading CTA 2.0 with CTA 802.1x Wired Client to CTA 2.1.103 and Installing SSC

Upgrading CTA 1.0 to CTA 2.1.103.0 and Installing SSC

Uninstalling CTA and the CTA 802.1x Wired Client

Uninstalling CTA and the CTA 802.1x Wired Client Using Add or Remove Programs

Uninstalling CTA and the CTA 802.1x Wired Client Using Standard Msiexec.exe Commands

Examples of SSC Deployment Packages

Machine Authentication Deployment Package

Machine and User Authentication Deployment Package File

User Authentication Deployment Package File

Operating System Requirements for Installation of CTA 2.1.103.0 and SSC

Table 2-1 summarizes the Windows operating systems on which CTA 2.1.103.0 and SSC run as well as the operating systems they have in common.


Note See the Cisco Secure Services Client Administrator Guide for a complete list of operating systems that support SSC and the Administrator Guide for Cisco Trust Agent, Release 2.1, Without Bundled Supplicant for a complete list of operating systems that support CTA.


Table 2-1 CTA System Requirements

| System Component | CTA 2.1.103.0 Requirement |
|---|---|
| Windows operating systems on which CTA 2.1 runs | Windows 2000 Professional and Advanced Server, SP4 and Update Rollup 1; Windows XP Professional, SP1, SP2, and SP3; Windows XP Home, SP1, SP2, and SP3; Windows 2003 Server, SP1 and R2 |
| Windows operating systems on which Cisco Secure Services Client runs | Windows 2000 Professional and Advanced Server, SP4; Windows XP Professional, SP1, SP2, and SP3; Windows 2003 Server |
| Common Windows operating systems on which CTA 2.1 and Cisco Secure Services Client run | Windows 2000 Professional and Advanced Server, SP4; Windows XP Professional, SP1, SP2, and SP3; Windows 2003 Server |


CTA 2.1.103.0 Installation File

In this offering of CTA 2.1.103.0, there is one installation file: CtaAdminEx-win-2.1.103.0.exe. This contains the ctasetup-win-2.1.103.0.msi file which allows administrators to accept the end user license agreement and install CTA 2.1.103.0. CtaAdminEx-win-2.1.103.0.exe does not contain CTA 802.1x Wired Client or Cisco Secure Services Client.

In the previous offering of CTA 2.1.103.0, there was an additional installation file: CtaAdminEx-supplicant-win-2.1.103.0.exe. This file allowed an administrator to install the CTA 802.1x Wired Client as well as CTA.

When migrating from the CTA 802.1x Wired Client to Cisco Secure Services Client, you must uninstall CTA 2.1.103.0 and the CTA 802.1x Wired Client first and then re-install CTA 2.1.103.0 alone using the CtaAdminEx-win-2.1.103.0.exe file.

SSC 4.1.2 Installation Files

Download these files to install SSC 4.1.2:

Cisco_SSC-XP2K-4_1_2_5929.msi

SSCAdminUtils_4.1.2.5928.zip

The Cisco_SSC-XP2K-4_1_2_5929.msi is the generic "out of the box" version of SSC. SSC as downloaded from cisco.com is not configured. It is intended for use by an IT organization that is responsible for configuring and deploying a derived, end-user version. This deployed version is appropriate for use by the various enterprise departments and organizations that you support. As the IT Administrator, you have control over the user experience and the end-user's allowed choices and configuration options. The out-of-the-box version has a fully open policy that allows access to most features and requires configuring a network when initially started. However, only through a deployed distribution package file, that is, an SSC configuration file, does the IT Administrator have full access to all settings and network configurations.

The SSCAdminUtils_4.1.2.5928.zip file contains utilities which perform these functions:

Validate the preprocessed distribution package for both schema and business rule violations.

Encrypt all credentials and secrets from their original clear text.

Retrieve and package any optional files referred to in the input file.

Digitally sign the distribution package file to help prevent any tampering with its contents while it resides in the end station.

Create a new SSC installation file that incorporates the deployment package XML file in the "out of the box" installation file.

For a complete description of the contents of the SSC SSCAdminUtils_4.1.2.5928.zip file, the utilities it provides and how they are used, see the Cisco Secure Services Client Administrator Guide.

Upgrade Procedures

These procedures describe migrating from your current installation of CTA to CTA 2.1.103.0 and Cisco Secure Services Client, release 4.1.2 or later.

Installing SSC for an Existing CTA 2.1.103.0 Installation

This upgrade scenario assumes that CTA 2.1.103.0 is installed without the CTA 802.1x Wired Client and that CTA 2.1.103.0 was installed using the CtaAdminEx-win-2.1.103.0.exe file.


Note SSC does not control wireless adapters while configured for wired-only; however, co-existence with all 802.1x supplicants has not been qualified.



Step 1 Install SSC according to the Cisco Secure Services Client Administrator Guide.

Step 2 Reboot when prompted.

Upgrading CTA 2.1.x with CTA 802.1x Wired Client to CTA 2.1.103 and SSC

This upgrade scenario assumes that CTA 2.1.103.0 and CTA 802.1x Wired Client are installed on the computer and you want to upgrade the supplicant from CTA 802.1x Wired Client to Cisco Secure Services Client.


Note SSC does not control wireless adapters while configured for wired-only; however, co-existence with all 802.1x supplicants has not been qualified.



Step 1 Uninstall CTA 2.1.103.0 with CTA 802.1x Wired Client. See "Uninstalling CTA and the CTA 802.1x Wired Client" section for these instructions.

Step 2 Reboot the computer when prompted.

Step 3 Install CTA 2.1.103.0 using the CtaAdminEx-win-2.1.103.0.exe file. Follow the installation instructions in Chapter 4 of the Administrator Guide for Cisco Trust Agent, Release 2.1, Without Bundled Supplicant.

Step 4 Install SSC 4.1.2 or later by following the directions in the Cisco Secure Services Client Administrator Guide.

Step 5 Reboot the computer when prompted.

Upgrading CTA 2.0 to CTA 2.1.103.0 and Installing SSC

This upgrade scenario assumes that CTA 2.0.0.30 is already installed and that you want to upgrade to CTA 2.1.103.0 and add the Cisco Secure Services Client.


Note SSC does not control wireless adapters while configured for wired-only; however, co-existence with all 802.1x supplicants has not been qualified.



Step 1 Upgrade CTA 2.0 to CTA 2.1.103.0. To upgrade, use the CtaAdminEx-win-2.1.103.0.exe file and follow the installation instructions in Chapter 4 of the Administrator Guide for Cisco Trust Agent, Release 2.1, Without Bundled Supplicant.

Step 2 Install Cisco Secure Services Client 4.1.2 or later according to the Cisco Secure Services Client Administrator Guide.

Step 3 Reboot when prompted.

Upgrading CTA 2.0 with CTA 802.1x Wired Client to CTA 2.1.103 and Installing SSC

This upgrade scenario assumes that CTA 2.0.0.30 and CTA 802.1x Wired Client are installed on the computer and you want to upgrade CTA 2.0.0.30 to CTA 2.1.103.0 and upgrade the CTA 802.1x Wired Client supplicant to Cisco Secure Services Client supplicant.


Note SSC does not control wireless adapters while configured for wired-only; however, co-existence with all 802.1x supplicants has not been qualified.



Step 1 Uninstall CTA 2.0.0.30 and the CTA 802.1x Wired Client. See "Uninstalling CTA and the CTA 802.1x Wired Client" section for these procedures.

Step 2 Reboot the computer when prompted.

Step 3 Install CTA 2.1.103.0 using the CtaAdminEx-win-2.1.103.0.exe file. Follow the instructions in Chapter 4 of the Administrator Guide for Cisco Trust Agent, Release 2.1, Without Bundled Supplicant for this procedure.

Step 4 Install SSC 4.1.2 or later by following the instructions in the Cisco Secure Services Client Administrator Guide.

Step 5 Reboot the computer when prompted.

Upgrading CTA 1.0 to CTA 2.1.103.0 and Installing SSC

This upgrade scenario assumes that CTA 1.0 is already installed and that you want to upgrade to CTA 2.1.103.0 and add the Cisco Secure Services Client.


Note SSC does not control wireless adapters while configured for wired-only; however, co-existence with all 802.1x supplicants has not been qualified.



Step 1 Upgrade CTA 1.0 to CTA 2.1.103.0. To upgrade, use the CtaAdminEx-win-2.1.103.0.exe file and follow the installation instructions in Chapter 4 of the Administrator Guide for Cisco Trust Agent, Release 2.1, Without Bundled Supplicant.

Step 2 Install Cisco Secure Services Client 4.1.2 or later according to the Cisco Secure Services Client Administrator Guide.

Step 3 Reboot when prompted.

Uninstalling CTA and the CTA 802.1x Wired Client

CTA 2.1.103.0 and the CTA 802.1x Wired Client were installed together using the CtaAdminEx-supplicant-win-2.1.103.0.exe file. They are also uninstalled together, using either the Add or Remove Programs interface on Windows operating systems or the Msiexec.exe commands.


Note After uninstalling CTA and the CTA 802.1x Wired Client, you will lose wired network connectivity until after you reboot.


Uninstalling CTA and the CTA 802.1x Wired Client Using Add or Remove Programs


Step 1 Navigate Start > Settings > Control Panel.

Step 2 Double-click Add or Remove Programs.

Step 3 Select Cisco Trust Agent 2.1.103.0.

Step 4 Click Remove.

Step 5 Click Yes to confirm your desire to uninstall CTA.

Step 6 Click Yes to restart your computer.

Step 7 (Optional) After the computer reboots, you can manually delete the CTA 802.1x Wired Client Directory:

Drive:\Program Files\Cisco Systems\Cisco Trust Agent 802_1x Wired Client

Uninstalling CTA and the CTA 802.1x Wired Client Using Standard Msiexec.exe Commands

To uninstall CTA using MSI command line options, you must know CTA's ProductCode or "GUID." To find the GUID, follow this procedure:


Step 1 Open the Windows Registry Editor.

Step 2 Navigate to HKEY_LOCAL_MACHINE\Software\Cisco Systems\Cisco Trust Agent.

The value of the ProductCode registry key, including the curly brackets, is the GUID.

To uninstall Cisco Trust Agent, use the /X option with the Msiexec.exe command. The command can be entered from any prompt. See the following example:

Msiexec.exe /X {GUID}

After running the command you will be prompted to reboot your computer.

Examples of SSC Deployment Packages

This section contains examples of SSC deployment packages that require machine authentication, machine and user authentication, and user authentication. Some of the elements are called out for explanation and others are not. For a complete description of the elements used in a deployment package XML file, and their interoperability, see Chapter 2 of the Cisco Secure Services Administrator Guide.

Machine Authentication Deployment Package

Example 2-1 is an example of a deployment package file requiring machine authentication. These characteristics of the deployment package are numbered in the example:

1. Authenticate machine credentials only

2. Source of machine credential is the Microsoft Active Directory

3. Restrict sending the UserName in the EAP Identity response of the outer (unprotected) tunnel. Send anonymous@Domain for the Identity response.

4. EAP settings:

a. Use EAP-FAST for EAP method (outer method).

b. Do not validate server certificates

c. Respond to a re-authentication request using cached credentials.

d. Do not send client certificate unprotected during the unprotected (phase 1) portion of FAST PAC provisioning. The client certificate will be sent after a tunnel is established.

e. Use "eapMschapv2" as inner EAP method

5. Set the number of non-interactive and interactive authentication retry attempts to four.


Note The elements <interactiveAuthenticationRetries> and <nonInteractiveAuthenticationRetries> are both children of the <authenticationNetwork> element.


6. Prevent the end-user from creating new networks.

7. Allow the end-user to directly license CSSC via the Active Product Features dialog.

8. Allow only "wired" network connections.

9. The <allowUserSimultaneousConnectionsControl> and <allowUserWpaHandshakeValidationControl> elements are both children of the <networkPolicy> element

Example 2-1 Machine Authentication Deployment Package File

<?xml version="1.0" encoding="UTF-8"?>
<configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:noNamespaceSchemaLocation="distributionPackage.xsd" major_version="4"
	minor_version="1" maintenance_version="2">
	<license>SQ2G-MYVX-AKUM-T4FN-PYCQ-IFEI-4B42-2ANC-TQCR-OKBY-OSAL-UGRF-O5EM-5ENM-I4CL-I65K-VKGV-3XYR</license>
	<networkPolicy>
		<allowedAssociationModes></allowedAssociationModes>
		<allowedEapMethods>
			<eapFast/> <!-- (4a) -->
		</allowedEapMethods>
		<serverValidationPolicy>
			<allowUserValidationControl/>
		</serverValidationPolicy>
		<allowUserSimultaneousConnectionsControl>false</allowUserSimultaneousConnectionsControl> <!-- (9) -->
		<allowedCredentialStorage>
			<forever/>
			<logonSession/>
		</allowedCredentialStorage>
		<allowUserWpaHandshakeValidationControl>false</allowUserWpaHandshakeValidationControl> <!-- (9) -->
		<allowPublicProfileCreation>false</allowPublicProfileCreation>
	</networkPolicy>
	<networks>
		<wiredNetwork>
			<displayName>TestNetwork1</displayName>
			<authenticationNetwork>
				<machineAuthentication> <!-- (1) -->
					<collectionMethod>
						<auto/> <!-- (2) -->
					</collectionMethod>
					<useAnonymousId>true</useAnonymousId> <!-- (3) -->
					<eapMethods> <!-- (4) -->
						<eapFast> <!-- (4a) -->
							<validateServerIdentity>false</validateServerIdentity> <!-- (4b) -->
							<enableFastReconnect>true</enableFastReconnect> <!-- (4c) -->
							<protectClientCertificate>true</protectClientCertificate> <!-- (4d) -->
							<innerEapMethods>
								<eapMschapv2/> <!-- (4e) -->
							</innerEapMethods>
						</eapFast>
					</eapMethods>
				</machineAuthentication>
				<interactiveAuthenticationRetries>4</interactiveAuthenticationRetries> <!-- (5) -->
				<nonInteractiveAuthenticationRetries>4</nonInteractiveAuthenticationRetries> <!-- (5) -->
			</authenticationNetwork>
		</wiredNetwork>
	</networks>
	<connectionSettings>
		<simultaneousConnections>singleHomed</simultaneousConnections>
		<validateWpaHandshake>true</validateWpaHandshake>
	</connectionSettings>
	<userControlPolicy>
		<clientUIType>preset</clientUIType> <!-- (6) -->
		<allowLicensing>true</allowLicensing> <!-- (7) -->
		<allowedMedia>
			<wired/> <!-- (8) -->
		</allowedMedia>
	</userControlPolicy>
</configuration>

Machine and User Authentication Deployment Package File

Example 2-2 is an example of a distribution package file requiring machine and user authentication. These characteristics of the deployment package are numbered in the example:

1. Authenticate both machine and user credentials

2. Source of machine credential is the Microsoft Active Directory

3. Restrict sending the UserName in the EAP Identity response of the outer (unprotected) tunnel. Send anonymous@Domain for the Identity response.

4. When the user logs into the system, automatically initiate the user-context connection process.

5. Use username/password entered by a user for the operating system login for user authentication.

6. EAP setting:

a. Use EAP-FAST for EAP method (outer method)

b. Validate server certificate

c. Respond to a re-authentication request using cached credentials.

d. Do not send client certificate unprotected during the unprotected (phase 1) portion of FAST PAC provisioning. The client certificate will be sent after a tunnel is established.

e. Use "eapMschapv2" or "eapGtc" as inner EAP method

7. Server certificate trust rule:

a. SubjectAltName (DNS name) must end with "cisco.com".

b. Trust any CA certificates that have been placed in the proper Windows Certificate Store

8. Set the number of non-interactive and interactive authentication retry attempts to four.


Note The elements <interactiveAuthenticationRetries> and <nonInteractiveAuthenticationRetries> are both children of the <authenticationNetwork> element.


9. Prevent the end-user from creating new networks

10. Do not allow licensing by the user interface. Licensing can be controlled only from the distribution package.

11. Allow only "wired" network connections.

12. The <allowUserSimultaneousConnectionsControl> and <allowUserWpaHandshakeValidationControl> elements are both children of the <networkPolicy> element.

Example 2-2 Machine and User Authentication Deployment Package

<?xml version="1.0" encoding="UTF-8"?>
<configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:noNamespaceSchemaLocation="distributionPackage.xsd" major_version="4"
	minor_version="1">
	<license>SQ2G-MYVX-AKUM-T4FN-PYCQ-IFEI-4B42-2ANC-TQCR-OKBY-OSAL-UGRF-O5EM-5ENM-I4CL-I65K-VKGV-3XYR</license>
	<networkPolicy>
		<allowedAssociationModes>
			<open/>
		</allowedAssociationModes>
		<allowedEapMethods>
			<eapFast/> <!-- (6a) -->
		</allowedEapMethods>
		<serverValidationPolicy>
			<allowUserValidationControl/>
		</serverValidationPolicy>
		<allowUserSimultaneousConnectionsControl>false</allowUserSimultaneousConnectionsControl> <!-- (12) -->
		<allowedCredentialStorage>
			<forever/>
			<logonSession/>
			<duration>60</duration>
		</allowedCredentialStorage>
		<allowUserWpaHandshakeValidationControl>true</allowUserWpaHandshakeValidationControl> <!-- (12) -->
		<allowPublicProfileCreation>false</allowPublicProfileCreation>
	</networkPolicy>
	<networks>
		<wiredNetwork>
			<displayName>CorporateNetwork</displayName>
			<authenticationNetwork>
				<machineUserAuthentication> <!-- (1) -->
					<machine>
						<collectionMethod>
							<auto/> <!-- (2) -->
						</collectionMethod>
						<useAnonymousId>true</useAnonymousId> <!-- (3) -->
					</machine>
					<user>
						<autoConnect>true</autoConnect> <!-- (4) -->
						<collectionMethod>
							<singleSignOn/> <!-- (5) -->
						</collectionMethod>
						<useAnonymousId>true</useAnonymousId> <!-- (3) -->
					</user>
					<eapMethods> <!-- (6) -->
						<eapFast> <!-- (6a) -->
							<validateServerIdentity>true</validateServerIdentity> <!-- (6b) -->
							<enableFastReconnect>true</enableFastReconnect> <!-- (6c) -->
							<protectClientCertificate>true</protectClientCertificate> <!-- (6d) -->
							<innerEapMethods>
								<eapMschapv2/> <!-- (6e) -->
								<eapGtc/> <!-- (6e) -->
							</innerEapMethods>
						</eapFast>
					</eapMethods>
				</machineUserAuthentication>
				<serverValidation> <!-- (7) -->
					<validationRules>
						<matchSubjectAlternativeName match="endsWith"
						name="altName1">cisco.com</matchSubjectAlternativeName> <!-- (7a) -->
					</validationRules>
					<trustAnyRootCaFromOs/> <!-- (7b) -->
				</serverValidation>
				<interactiveAuthenticationRetries>5</interactiveAuthenticationRetries> <!-- (8) -->
				<nonInteractiveAuthenticationRetries>5</nonInteractiveAuthenticationRetries> <!-- (8) -->
			</authenticationNetwork>
		</wiredNetwork>
	</networks>
	<connectionSettings>
		<simultaneousConnections>singleHomed</simultaneousConnections>
		<validateWpaHandshake>true</validateWpaHandshake>
	</connectionSettings>
	<userControlPolicy>
		<clientUIType>preset</clientUIType> <!-- (9) -->
		<allowLicensing>false</allowLicensing> <!-- (10) -->
		<allowedMedia>
			<wired/> <!-- (11) -->
		</allowedMedia>
	</userControlPolicy>
</configuration>

User Authentication Deployment Package File

Example 2-3 is an example of a distribution package file requiring user authentication. These characteristics of the deployment package are numbered in the example:

1. Authenticate user credentials only

2. When the user logs into the system, automatically initiate the user-context connection process.

3. Attempt to connect to the network before the user logs into Windows.

4. Use username/password entered by a user for the operating system login for user authentication.

5. Restrict sending the UserName in the EAP Identity response of the outer (unprotected) tunnel. Send anonymous@Domain for the Identity response.

6. EAP setting:

a. Use EAP-FAST for EAP method (outer method)

b. Validate server certificate

c. Respond to a re-authentication request using cached credentials

d. Do not send client certificate unprotected during the unprotected (phase 1) portion of FAST PAC provisioning. The client certificate will be sent after a tunnel is established

e. Use "eapMschapv2" or "eapGtc" as inner EAP method

7. Server certificate trust rule:

a. subject name (common name or domain name) must end with "cisco.com"

b. Trust any CA certificates that have been placed in the proper Windows Certificate Store

8. Set the number of non-interactive and interactive authentication retry attempts to four


Note The elements <interactiveAuthenticationRetries> and <nonInteractiveAuthenticationRetries> are both children of the <authenticationNetwork> element.


9. Prevent the end-user from creating new networks

10. Do not allow licensing by the user interface. Licensing can be controlled only from the distribution package.

11. Allow only "wired" network connections

12. The <allowUserSimultaneousConnectionsControl> and <allowUserWpaHandshakeValidationControl> elements are both children of the <networkPolicy> element

Example 2-3 User Authentication Deployment Package File

<?xml version="1.0" encoding="UTF-8"?>
<configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:noNamespaceSchemaLocation="distributionPackage.xsd" major_version="4"
	minor_version="1">
	<license>SQ2G-MYVX-AKUM-T4FN-PYCQ-IFEI-4B42-2ANC-TQCR-OKBY-OSAL-UGRF-O5EM-5ENM-I4CL-I65K-VKGV-3XYR</license>
	<networkPolicy>
		<allowedAssociationModes>
			<open/>
		</allowedAssociationModes>
		<allowedEapMethods> <!-- (6a) -->
			<eapFast/>
		</allowedEapMethods>
		<serverValidationPolicy>
			<alwaysValidate>
				<allowUserTrustedServers>false</allowUserTrustedServers>
			</alwaysValidate>
		</serverValidationPolicy>
		<allowUserSimultaneousConnectionsControl>false</allowUserSimultaneousConnectionsControl> <!-- (12) -->
		<allowedCredentialStorage>
			<forever/>
			<logonSession/>
			<duration>60</duration>
		</allowedCredentialStorage>
		<allowUserWpaHandshakeValidationControl>true</allowUserWpaHandshakeValidationControl> <!-- (12) -->
		<allowPublicProfileCreation>false</allowPublicProfileCreation>
	</networkPolicy>
	<networks>
		<wiredNetwork>
			<displayName>CorporateNetwork</displayName>
			<authenticationNetwork>
				<userAuthentication> <!-- (1) -->
					<autoConnect> <!-- (2) -->
						<connectBeforeLogon>true</connectBeforeLogon> <!-- (3) -->
					</autoConnect>
					<collectionMethod>
						<singleSignOn/> <!-- (4) -->
					</collectionMethod>
					<useAnonymousId>true</useAnonymousId> <!-- (5) -->
					<eapMethods> <!-- (6) -->
						<eapFast> <!-- (6a) -->
							<validateServerIdentity>true</validateServerIdentity> <!-- (6b) -->
							<enableFastReconnect>true</enableFastReconnect> <!-- (6c) -->
							<protectClientCertificate>true</protectClientCertificate> <!-- (6d) -->
							<innerEapMethods>
								<eapMschapv2/> <!-- (6e) -->
								<eapGtc/> <!-- (6e) -->
							</innerEapMethods>
						</eapFast>
					</eapMethods>
				</userAuthentication>
				<serverValidation> <!-- (7) -->
					<validationRules> <!-- (7a) -->
						<matchSubjectName match="endsWith"
						name="subjectName1">cisco.com</matchSubjectName>
					</validationRules>
					<trustAnyRootCaFromOs/> <!-- (7b) -->
				</serverValidation>
				<interactiveAuthenticationRetries>4</interactiveAuthenticationRetries> <!-- (8) -->
				<nonInteractiveAuthenticationRetries>4</nonInteractiveAuthenticationRetries> <!-- (8) -->
			</authenticationNetwork>
		</wiredNetwork>
	</networks>
	<connectionSettings>
		<simultaneousConnections>singleHomed</simultaneousConnections>
		<validateWpaHandshake>true</validateWpaHandshake>
	</connectionSettings>
	<userControlPolicy>
		<clientUIType>preset</clientUIType> <!-- (9) -->
		<allowLicensing>false</allowLicensing> <!-- (10) -->
		<allowedMedia>
			<wired/> <!-- (11) -->
		</allowedMedia>
	</userControlPolicy>
</configuration>
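
The three deployment packages above differ mainly in their server validation and identity settings, so a pre-deployment review can check those elements mechanically. The following is an added example, not part of Cisco's documentation or the SSCAdminUtils utilities: the function names, finding labels and the trimmed sample package are hypothetical, and it assumes that match="endsWith" is a plain string suffix comparison.

```python
import xml.etree.ElementTree as ET

def sample_package(name, validate, rule=""):
    """Constructed, trimmed package; element names follow Examples 2-1 and 2-3."""
    return f"""<configuration>
  <networks><wiredNetwork>
    <displayName>{name}</displayName>
    <authenticationNetwork>
      <userAuthentication>
        <useAnonymousId>true</useAnonymousId>
        <eapMethods><eapFast>
          <validateServerIdentity>{validate}</validateServerIdentity>
          <protectClientCertificate>true</protectClientCertificate>
        </eapFast></eapMethods>
      </userAuthentication>
      <serverValidation>
        <validationRules>{rule}</validationRules>
        <trustAnyRootCaFromOs/>
      </serverValidation>
    </authenticationNetwork>
  </wiredNetwork></networks>
  <userControlPolicy>
    <clientUIType>preset</clientUIType>
    <allowedMedia><wired/></allowedMedia>
  </userControlPolicy>
</configuration>"""

def _values(node, tag):
    """Lower-cased text of every descendant <tag> under node."""
    return [(e.text or "").strip().lower() for e in node.iter(tag)]

def audit_package(xml_text):
    """Return (network, finding) tuples; the finding labels are hypothetical."""
    root = ET.fromstring(xml_text)
    findings = []
    for net in root.iter("wiredNetwork"):
        name = net.findtext("displayName", default="(unnamed)")
        for auth in net.iter("authenticationNetwork"):
            validate = _values(auth, "validateServerIdentity")
            if "false" in validate:
                # Example 2-1, callout 4b: the server certificate is not checked.
                findings.append((name, "server-identity-not-validated"))
            elif validate:
                rules = auth.find("serverValidation/validationRules")
                if rules is None or len(rules) == 0:
                    # Assumption: without a name rule, trust rests on the CA chain alone.
                    findings.append((name, "no-server-name-rule"))
                for rule in (rules if rules is not None else []):
                    suffix = (rule.text or "").strip()
                    # Assumption: endsWith is a plain suffix test, so "cisco.com"
                    # would also accept a look-alike such as "examplecisco.com".
                    if rule.get("match") == "endsWith" and not suffix.startswith("."):
                        findings.append((name, "loose-suffix:" + suffix))
            if any(v != "true" for v in _values(auth, "useAnonymousId")):
                findings.append((name, "outer-identity-not-anonymous"))
            if "false" in _values(auth, "protectClientCertificate"):
                findings.append((name, "client-certificate-sent-unprotected"))
    policy = root.find("userControlPolicy")
    if policy is not None:
        # The examples use "preset" to prevent end-users from creating networks.
        if policy.findtext("clientUIType", default="").strip() != "preset":
            findings.append(("(package)", "client-ui-not-preset"))
        for media in policy.findall("allowedMedia/*"):
            if media.tag != "wired":
                findings.append(("(package)", "non-wired-media:" + media.tag))
    return findings

if __name__ == "__main__":
    rule = '<matchSubjectName match="endsWith" name="subjectName1">cisco.com</matchSubjectName>'
    for pkg in (sample_package("TestNetwork1", "false"),
                sample_package("CorporateNetwork", "true", rule)):
        print(audit_package(pkg))
```

Run it against the clear-text package XML, before the utilities encrypt and sign it, so that review findings can be corrected in the source file.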