Product Bulletin No. 1942
Software: Cisco Wireless Security Suite for Cisco Aironet Products Now Includes Protected Extensible Authentication Protocol Support
Cisco Systems announces the expansion of the Cisco Wireless Security Suite to include Protected Extensible Authentication Protocol (PEAP) support for Cisco Aironet® wireless LAN client adapters.
PEAP is a new Extensible Authentication Protocol (EAP) IEEE 802.1X authentication type designed to take advantage of server-side EAP-Transport Layer Security (EAP-TLS) and to support various authentication methods, including logon passwords and one-time passwords (OTPs). Several 802.1X authentication types exist, each providing a different approach to authentication while relying on the same framework and protocol—EAP—for communication between a client and an access point.
With 802.1X authentication, mutual authentication is implemented between the client and a Remote Authentication Dial-In User Service (RADIUS) server connected to the access point. The credentials used for authentication, such as a logon password, are never transmitted without encryption over the wireless medium. Most 802.1X types support dynamic per-user, per-session Wired Equivalent Privacy (WEP) keys to remove the administrative burden and security issues surrounding static WEP keys.
With the Cisco Wireless Security Suite, an 802.1X-based enterprise-class security solution, customers may choose from a variety of 802.1X EAP authentication types—including LEAP, EAP-TLS, and PEAP—to secure their wireless LANs (WLANs).
• LEAP—Server and client authentication via a user-supplied logon password. Supported on all current versions of Windows, Windows CE, Mac OS, Linux, and MS-DOS.
• EAP-TLS—Server and client authentication via digital certificates. Supported on Windows XP.
• PEAP—Server authentication via a digital certificate; client authentication via a user-supplied password or OTP. Supported on Windows XP.
PEAP supports a variety of user databases, including Windows NT or 2000 domains, Lightweight Directory Access Protocol (LDAP) databases, Novell Directory Services (NDS), and OTP databases. RADIUS servers that support PEAP authentication include Cisco Secure Access Control Server (ACS) version 3.1 or greater.
PEAP is based on an Internet Draft (I-D) submitted to the Internet Engineering Task Force (IETF) by Cisco Systems, Microsoft, and RSA Security. Glen Zorn, a Cisco innovator, was the Cisco Systems lead engineer and coauthor of this I-D.
To enable PEAP on a client machine, users must install the Cisco Aironet Client Utility version 5.05.001, connect to a Cisco Aironet Access Point running version 11.23T or later, and be authenticated by a Cisco Secure ACS Version 3.1 or greater.
PEAP client software from Cisco is complementary to PEAP client software from Microsoft. Users may choose to install either of these PEAP implementations on their client machines.
Download the New Software for this Release:
A Comprehensive Review of 802.11 Wireless LAN Security and the Cisco Wireless Security Suite (See PEAP Section 8.3)
PEAP Internet Draft submitted to IETF—Please visit the IETF I-D Individual Submissions Web site and search for "Protected EAP Protocol (PEAP)".