Configuring the Client Adapter
This chapter explains how to change the configuration parameters for a specific profile.
The following topics are covered in this chapter:
• Configuring Your Client Adapter
• Overview of Security Features
• Using Static WEP
• Using LEAP
• Using Host-Based EAP
Configuring Your Client Adapter
When you choose to create a new profile or edit an existing profile on the Profiles screen, the Properties screen appears with the name of your profile in quotation marks. This screen enables you to set the configuration parameters for that profile. Follow the steps below to access the Properties screen and complete the configuration process.
Note If you do not change any of the configuration parameters, the default values are used.
Step 1 When you create or select a profile on the Profiles screen and tap the Edit button, the Properties screen appears (see Figure 5-1).
Figure 5-1 Properties Screen
The Property box lists the configuration parameters that can be changed, and the Value box contains the highlighted parameter's current value. The Value box can appear as a drop-down menu with several possible values from which to choose or as a blank field in which characters are to be entered.
Step 2 Table 5-1 lists and describes the client adapter's configuration parameters. Follow the instructions in the table to initially set or change any parameters.
Note The security parameters (Network Security Type, WEP, User Name, User Password, and User Domain) are listed at the end of the table because they require further action.
Table 5-1 Client Adapter Configuration Parameters
| Parameter | Description |
|---|---|
| SSID | The service set identifier (SSID) identifies the specific wireless network that you want to access. Range: up to 32 characters (case sensitive). Default: a blank field. Note: If you leave this parameter blank, your client adapter can associate to any access point on the network that is configured to allow broadcast SSIDs (see the AP Radio Hardware page in the access point management system). If the access point with which the client adapter is to communicate is not configured to allow broadcast SSIDs, the value of this parameter must match the SSID of the access point. Otherwise, the client adapter cannot access the network. |
| Client Name | A logical name for your Windows CE device. It allows an administrator to determine which devices are connected to the access point without having to memorize every MAC address. This name is included in the access point's list of connected devices. Range: up to 16 characters. Default: a blank field. Note: Each computer on the network should have a unique client name. |
| Infrastructure Mode | Specifies the type of network in which your client adapter is installed. Options: Yes or No. Default: Yes. |
| Infrastructure Mode: Yes | Indicates that your wireless network is connected to a wired Ethernet network through an access point. |
| Infrastructure Mode: No | Often referred to as ad hoc or peer-to-peer mode. Indicates that your wireless network consists of a few wireless devices that are not connected to a wired Ethernet network through an access point. |
| Power Save Mode | Sets your client adapter to its optimum power-consumption setting. Options: CAM, Fast PSP, or Max PSP. Default: Fast PSP (Power Save Mode). |
| Power Save Mode: CAM (Constantly Awake Mode) | Keeps the client adapter powered up continuously so there is little lag in message response time. Consumes the most power but offers the highest throughput. Recommended for desktop computers and devices that use AC power. |
| Power Save Mode: Fast PSP (Power Save Mode) | Switches between PSP mode and CAM mode, depending on network traffic. This mode switches to CAM when retrieving a large number of packets and switches back to PSP after the packets have been retrieved. Recommended when power consumption is a concern but you need greater throughput than that allowed by Max PSP. |
| Power Save Mode: Max PSP (Max Power Savings) | Causes the access point to buffer incoming messages for the client adapter, which wakes up periodically and polls the access point to see if any buffered messages are waiting for it. The adapter can request each message and then go back to sleep. Conserves the most power but offers the lowest throughput. Recommended for devices for which power consumption is the ultimate concern (such as small battery-powered devices). |
| Authentication Type | Defines how your client adapter will attempt to authenticate to an access point. Options: Open or Shared Key. Default: Open. |
| Authentication Type: Open Authentication | Enables your client adapter, regardless of its WEP settings, to authenticate and attempt to communicate with an access point. If LEAP or host-based EAP is enabled on your client adapter, Open Authentication is the only available option. |
| Authentication Type: Shared Key Authentication | Enables your client adapter to communicate only with access points that have the same WEP key. This option is available only if Static WEP Keys is selected. The access point sends a known unencrypted "challenge packet" to the client adapter, which encrypts the packet and sends it back to the access point. The access point attempts to decrypt the encrypted packet and sends an authentication response packet indicating the success or failure of the decryption back to the client adapter. Note: Cisco recommends that shared key authentication not be used because it presents a security risk. |
| Mixed Mode | Indicates whether the client adapter can associate to an access point that allows both WEP and non-WEP associations. If the access point with which the client adapter is to associate has WEP set to Optional and WEP is enabled on the client adapter, you must enable Mixed Mode on the adapter; otherwise, the client adapter cannot establish a connection with the access point. If the access point with which the client adapter is to associate does not have WEP set to Optional, Mixed Mode should be set to Disabled on the adapter. Options: Enabled or Disabled. Default: Disabled. Note: For security reasons, Cisco recommends that WEP-enabled and WEP-disabled clients not be allowed in the same cell because broadcast packets are sent unencrypted, even to clients running WEP. |
| World Mode | Enables the client adapter to adopt the maximum transmit power level and the frequency range of the access point to which it is associated, provided the access point is also configured for world mode. This parameter is available only in infrastructure mode and is designed for users who travel between countries and want their client adapters to associate to access points in different regulatory domains. Options: Enabled or Disabled. Default: Disabled. Note: When World Mode is enabled, the client adapter is limited to the maximum transmit power level allowed by the country of operation's regulatory agency. |
| Data Rates | Specifies the rate at which your client adapter should transmit or receive packets to or from access points (in infrastructure mode) or other clients (in ad hoc mode). Auto is recommended for infrastructure mode; setting a specific data rate is recommended for ad hoc mode. Options: Auto, 1 Mb Only, 2 Mb Only, 5.5 Mb Only, or 11 Mb Only. Default: Auto. Note: Your client adapter's data rate must be set to Auto or must match the data rate of the access point (in infrastructure mode) or the other clients (in ad hoc mode) with which it is to communicate. Otherwise, your client adapter may not be able to associate to them. |
| Data Rates: Auto | Uses the 11-Mbps data rate when possible but drops to lower rates when necessary. |
| Data Rates: 1 Mb Only | Offers the greatest range but the lowest throughput. |
| Data Rates: 2 Mb Only | Offers less range but greater throughput than the 1 Mb Only option. |
| Data Rates: 5.5 Mb Only | Offers less range but greater throughput than the 2 Mb Only option. |
| Data Rates: 11 Mb Only | Offers the greatest throughput but the lowest range. |
| Transmit Power | Defines the power level at which your client adapter transmits. This value must not be higher than that allowed by your country's regulatory agency (FCC in the U.S., DOC in Canada, ETSI in Europe, MKK in Japan, etc.). Options: dependent on the power table programmed into the client adapter; see the rows below. Default: Max (the maximum level programmed into the client adapter and allowed by your country's regulatory agency). Note: Reducing the transmit power level conserves battery power but decreases radio range. Note: If the client adapter is running, ACU queries the adapter and displays the settings programmed into the adapter. If the client adapter is not running, ACU displays power level options based on the last known radio type. Note: When World Mode is enabled, the client adapter is limited to the maximum transmit power level allowed by the country of operation's regulatory agency. Note: If you are using an older version of a 340 or 350 series client adapter, your power level options may be different than those listed here. |
| Transmit Power: 350 series PC and LM cards | Max, 100 mW, 50 mW, 30 mW, 20 mW, 5 mW, or 1 mW |
| Transmit Power: 340 series PC cards | Max, 30 mW, or 1 mW |
| Transmit Power: 340 series LM cards | Max, 30 mW, 15 mW, 5 mW, or 1 mW |
| Offline Channel Scan | Causes the client adapter to periodically scan for a better access point with the same SSID if the signal strength falls below 50%. Options: Enabled or Disabled. Default: Enabled. |
| WEP | Specifies the type of wired equivalent privacy (WEP) that your client adapter will use. Options: No WEP, Static WEP Keys, or Dynamic WEP Keys. Default: No WEP. |
| WEP: No WEP | Disables WEP for your client adapter. |
| WEP: Static WEP Keys | Enables static WEP for your client adapter after you enter a valid WEP key. Note: Go to Step 3 for instructions on entering a static WEP key and enabling WEP. |
| WEP: Dynamic WEP Keys | Enables WEP keys to be derived automatically during EAP authentication. If you set the Network Security Type to LEAP, Dynamic WEP Keys is set automatically. If you set the Network Security Type to Host Based EAP, you must set the WEP parameter to Dynamic WEP Keys. Note: Go to Step 3 for instructions on setting dynamic WEP keys. |
| Network Security Type | Specifies the type of 802.1X authentication that your client adapter will use. Options: None, LEAP, or Host Based EAP. Default: None. |
| Network Security Type: None | Disables 802.1X authentication for your client adapter. |
| Network Security Type: LEAP | Enables LEAP authentication for your client adapter. Note: Go to Step 3 for instructions on using LEAP. |
| Network Security Type: Host Based EAP | Enables your client adapter to use any 802.1X authentication type for which your operating system has support (such as EAP-TLS or PEAP). Note: Go to Step 3 for instructions on enabling and using host-based EAP. |
| User Name | If you are planning to use saved LEAP credentials rather than entering them in WLM, this parameter specifies the username that is to be saved and used automatically for LEAP authentication. This parameter is unavailable if the Network Security Type is not set to LEAP. Note: Go to Step 3 for instructions on entering the LEAP username. |
| User Password | If you are planning to use saved LEAP credentials rather than entering them in WLM, this parameter specifies the password that is to be saved and used automatically for LEAP authentication. This parameter is unavailable if the Network Security Type is not set to LEAP. Note: Go to Step 3 for instructions on entering the LEAP password. |
| User Domain | If you are planning to use saved LEAP credentials rather than entering them in WLM, this parameter specifies the domain name (if required) that is to be saved and used automatically for LEAP authentication. This parameter is unavailable if the Network Security Type is not set to LEAP. Note: Go to Step 3 for instructions on entering the LEAP domain name. |
Step 3 If you plan to use any of the security features (static WEP, LEAP, EAP-TLS, or PEAP), read the "Overview of Security Features" section below and follow the instructions for the security feature you want to activate.
Step 4 Tap OK on the Properties screen to save any changes you have made. If the profile you just edited is the active profile and your client adapter is inserted, the changes are applied immediately.
Overview of Security Features
When you use your client adapter with Windows CE, you can protect your data as it is transmitted through your wireless network by encrypting it through the use of wired equivalent privacy (WEP) encryption keys. With WEP encryption, the transmitting device encrypts each packet with a WEP key, and the receiving device uses that same key to decrypt each packet.
The WEP keys used to encrypt and decrypt transmitted data can be statically associated with your adapter or dynamically created as part of the EAP authentication process. The information in the "Static WEP Keys" and "Dynamic WEP Keys with EAP" sections below can help you to decide which type of WEP keys you want to use. Dynamic WEP keys with EAP offer a higher degree of security than static WEP keys.
WEP keys, whether static or dynamic, are either 40 or 128 bits in length. 128-bit WEP keys offer a greater level of security than 40-bit WEP keys.
Note Refer to the "Additional WEP Key Security Features" section for information on three security features that can make your WEP keys even more secure.
Static WEP Keys
Each device (or profile) within your wireless network can be assigned up to four static WEP keys. If a device receives a packet that is not encrypted with the appropriate key (as the WEP keys of all devices that are to communicate with each other must match), the device discards the packet and never delivers it to the intended receiver.
Static WEP keys are write-only and temporary; however, you do not need to re-enter them each time the client adapter is inserted or the Windows CE device is reset. This is because the keys are stored (in an encrypted format for security reasons) in the registry of the Windows CE device. When the driver loads and reads the client adapter's registry parameters, it also finds the static WEP keys, decrypts them, and stores them in volatile memory on the adapter.
The ACU Properties screen enables you to view the current WEP key settings for the client adapter and then to assign new WEP keys or overwrite existing WEP keys as well as to enable or disable static WEP. Refer to the "Using Static WEP" section for instructions.
Dynamic WEP Keys with EAP
The new standard for wireless LAN security, as defined by the Institute of Electrical and Electronics Engineers (IEEE), is called 802.1X for 802.11, or simply 802.1X. An access point that supports 802.1X and its protocol, Extensible Authentication Protocol (EAP), acts as the interface between a wireless client and an authentication server, such as a Remote Authentication Dial-In User Service (RADIUS) server, to which the access point communicates over the wired network.
Two 802.1X authentication types can be selected in ACU for use with Windows CE devices:
• EAP-Cisco Wireless (or LEAP)—Support for LEAP is provided not in the Windows CE operating system but in your client adapter's firmware and the Cisco software that supports it. RADIUS servers that support LEAP include Cisco Secure ACS version 2.6 and greater, Cisco Access Registrar version 1.7 and greater, and Funk Software's Steel-Belted RADIUS version 3.0 and greater.
LEAP is enabled in ACU, and either a saved LEAP username and password are entered in ACU or a temporary LEAP username and password are entered in WLM. The username and password are used by the client adapter to perform mutual authentication with the RADIUS server through the access point. The temporary LEAP username and password are stored in the client adapter's volatile memory and need to be re-entered whenever a LEAP profile is selected, the client adapter is ejected and reinserted, or the Windows CE device is reset.
• Host Based EAP—Selecting this option enables you to use any 802.1X authentication type for which your Windows CE device has support. Currently only PPC 2002 devices with the 802.1X backport support EAP-TLS and PEAP authentication.
– EAP-TLS—EAP-TLS is enabled or disabled through the Authentication Manager and uses a dynamic session-based WEP key, which is derived from the client adapter and RADIUS server, to encrypt data. EAP-TLS requires the use of certificates for authentication.
RADIUS servers that support EAP-TLS include Cisco Secure ACS version 3.0 or greater and Cisco Access Registrar version 1.8 or greater.
– Protected EAP (or PEAP)—PEAP authentication is designed to support One-Time Password (OTP), Windows NT or 2000 domain, and LDAP user databases over a wireless LAN. It is based on EAP-TLS authentication but uses a password instead of a client certificate for authentication. PEAP is enabled or disabled through the Authentication Manager and uses a dynamic session-based WEP key, which is derived from the client adapter and RADIUS server, to encrypt data. PEAP requires you to enter your username and password in order to start the authentication process and gain access to the network.
RADIUS servers that support PEAP authentication include Cisco Secure ACS version 3.1 or greater.
When you enable Network-EAP or Require EAP on your access point and configure your client adapter for LEAP, EAP-TLS, or PEAP, authentication to the network occurs in the following sequence:
1. The client associates to an access point and begins the authentication process.
Note The client does not gain access to the network until authentication between the client and the RADIUS server is successful.
2. Communicating through the access point, the client and RADIUS server complete the authentication process, with the password (LEAP and PEAP) or certificate (EAP-TLS) being the shared secret for authentication. The password is never transmitted during the process.
3. If authentication is successful, the client and RADIUS server derive a dynamic, session-based WEP key that is unique to the client.
4. The RADIUS server transmits the key to the access point using a secure channel on the wired LAN.
5. For the length of a session, or time period, the access point and the client use this key to encrypt or decrypt all unicast packets (and broadcast packets if the access point is set up to do so) that travel between them.
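The five-step sequence above can be followed in code. The model below is an added example written for this page, not Cisco's software and not the LEAP, PEAP or EAP-TLS wire protocol: it uses a generic HMAC challenge/response in both directions (so the client also verifies the server, the "mutual authentication" the LEAP description mentions) and a constructed user database. What it makes visible is the property each step relies on: the AP keeps the controlled port closed until RADIUS says yes, the password never appears in anything relayed over the air, the client and the server each derive the same per-client session key on their own, and the AP receives that key from RADIUS rather than from the client. The MAC addresses and credentials are constructed sample values.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple


def password_key(password: str) -> bytes:
    """Each end holds a hash of the password; the password itself is never sent."""
    return hashlib.sha256(password.encode()).digest()


def respond(key: bytes, challenge: bytes) -> bytes:
    """Proof of knowing the secret for a given random challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def derive_session_key(key: bytes, server_chal: bytes, client_chal: bytes) -> bytes:
    """Step 3: the key mixes in both random challenges, so it is unique per client and per session."""
    return hmac.new(key, b"session" + server_chal + client_chal, hashlib.sha256).digest()[:16]


class RadiusServer:
    def __init__(self, users: Dict[str, str]):
        self._keys = {user: password_key(pw) for user, pw in users.items()}

    def verify(self, user: str, server_chal: bytes, client_proof: bytes,
               client_chal: bytes) -> Optional[Tuple[bytes, bytes]]:
        """Check the client's proof; on success return (proof for the client, session key)."""
        key = self._keys.get(user)
        if key is None or not hmac.compare_digest(respond(key, server_chal), client_proof):
            return None
        return respond(key, client_chal), derive_session_key(key, server_chal, client_chal)


class AccessPoint:
    def __init__(self, radius: RadiusServer):
        self.radius = radius
        self.port_open: Dict[str, bool] = {}      # controlled port per associated client MAC
        self.session_keys: Dict[str, bytes] = {}  # keys delivered by RADIUS over the wired LAN
        self.air: List[Tuple[str, bytes]] = []    # everything relayed over the wireless link

    def relay(self, label: str, payload: bytes) -> bytes:
        self.air.append((label, payload))
        return payload


class Client:
    def __init__(self, mac: str, user: str, password: str):
        self.mac, self.user, self._key = mac, user, password_key(password)
        self.session_key: Optional[bytes] = None


def run_8021x(client: Client, ap: AccessPoint) -> bool:
    # 1. Association: the AP knows the client but keeps its controlled port closed.
    ap.port_open[client.mac] = False
    # 2. Mutual challenge/response through the AP. Only challenges and HMAC proofs cross the air.
    server_chal = ap.relay("server-challenge", os.urandom(16))
    client_chal = os.urandom(16)
    client_proof = respond(client._key, server_chal)
    ap.relay("client-response", client.user.encode() + client_proof + client_chal)
    result = ap.radius.verify(client.user, server_chal, client_proof, client_chal)
    if result is None:
        return False  # RADIUS rejected the client; the port stays closed
    server_proof, session_key = result
    ap.relay("server-response", server_proof)
    if not hmac.compare_digest(server_proof, respond(client._key, client_chal)):
        return False  # the server could not prove it knows the secret: the client refuses
    # 3. The client derives the same key on its own; the key is never transmitted over the air.
    client.session_key = derive_session_key(client._key, server_chal, client_chal)
    # 4. RADIUS delivers the key to the AP over the wired LAN (a direct call stands in for that channel).
    ap.session_keys[client.mac] = session_key
    # 5. The controlled port opens; unicast traffic for this client is now keyed with session_key.
    ap.port_open[client.mac] = True
    return True


def demo() -> Dict[str, bool]:
    """Run two good and one bad authentication against constructed sample users."""
    radius = RadiusServer({"alice": "correct-horse-battery", "bob": "staple-example"})
    ap = AccessPoint(radius)
    alice = Client("02:00:00:00:00:01", "alice", "correct-horse-battery")
    bob = Client("02:00:00:00:00:02", "bob", "staple-example")
    guesser = Client("02:00:00:00:00:03", "alice", "wrong-guess")
    ok_alice, ok_bob, ok_guess = run_8021x(alice, ap), run_8021x(bob, ap), run_8021x(guesser, ap)
    return {
        "alice_authenticated": ok_alice,
        "alice_port_open": ap.port_open[alice.mac],
        "alice_key_matches_ap": alice.session_key == ap.session_keys.get(alice.mac),
        "keys_unique_per_client": ok_bob and alice.session_key != bob.session_key,
        "password_seen_on_air": any(b"correct-horse-battery" in p for _, p in ap.air),
        "wrong_password_authenticated": ok_guess,
        "wrong_password_port_open": ap.port_open[guesser.mac],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `air` list is the part worth inspecting: it is what a passive listener in the cell would see, and it holds only random challenges, HMAC proofs and the username, never the password or the session key.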
Refer to the "Using LEAP" section for instructions on enabling LEAP or to the "Using Host-Based EAP" section for instructions on enabling EAP-TLS or PEAP.
Note Refer to the IEEE 802.11 Standard for more information on 802.1X authentication and to the following URL for additional information on RADIUS servers: http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt2/scrad.htm
Additional WEP Key Security Features
The three security features discussed in this section (MIC, TKIP, and broadcast key rotation) are designed to prevent sophisticated attacks on your wireless network's WEP keys. These features do not need to be enabled on the client adapter; they are supported automatically in firmware version 5.02.19 or greater and driver version 2.30 or greater. However, they must be enabled on the access point.
Note Access point firmware version 11.10T or greater is required to enable these security features. Refer to the software configuration guide for your access point for instructions on enabling these features.
Message Integrity Check (MIC)
MIC prevents bit-flip attacks on encrypted packets. During a bit-flip attack, an intruder intercepts an encrypted message, alters it slightly, and retransmits it, and the receiver accepts the retransmitted message as legitimate. MIC adds a few bytes to each packet to make the packets tamper-proof.
The ACU Status screen indicates if MIC is supported by the client adapter's driver and is enabled on the access point. See Figure 5-2.
Figure 5-2 ACU Status Screen
Note If you enable MIC on the access point, your client adapter's driver must support MIC; otherwise, the client cannot associate.
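To show what the MIC buys, the added example below (written for this page; it is not Cisco's MIC implementation, and the SHA-256 counter-mode keystream and HMAC tag are stand-ins for RC4 and MMH) seals a packet with and without an integrity tag, corrupts one bit of the ciphertext in transit, and checks what the receiver does. Without a MIC the receiver accepts the packet and hands up altered plaintext; with a MIC the tag no longer verifies and the packet is dropped. The keys and the packet body are constructed demo values.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed demo keys (not real keys): one for the keystream, a separate one for the MIC.
DEMO_ENCRYPTION_KEY = b"demo-encryption-key-not-for-real-use"
DEMO_MIC_KEY = b"demo-mic-key-not-for-real-use"
IV_LEN = 3     # WEP carries a 24-bit IV in the clear ahead of each packet
MIC_LEN = 8    # "a few bytes" appended to each packet, as the text describes


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode). WEP uses RC4; the
    bit-for-bit malleability shown below is a property of any stream cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def mic_tag(iv: bytes, plaintext: bytes) -> bytes:
    return hmac.new(DEMO_MIC_KEY, iv + plaintext, hashlib.sha256).digest()[:MIC_LEN]


def seal(plaintext: bytes, with_mic: bool) -> bytes:
    """Encrypt one packet; the MIC, when enabled, is computed over the plaintext and encrypted with it."""
    iv = os.urandom(IV_LEN)
    body = plaintext + (mic_tag(iv, plaintext) if with_mic else b"")
    return iv + xor(body, keystream(DEMO_ENCRYPTION_KEY, iv, len(body)))


def open_packet(packet: bytes, with_mic: bool) -> Optional[bytes]:
    """Decrypt one packet. With MIC enabled, return None (drop) when the tag does not verify."""
    iv, ciphertext = packet[:IV_LEN], packet[IV_LEN:]
    body = xor(ciphertext, keystream(DEMO_ENCRYPTION_KEY, iv, len(ciphertext)))
    if not with_mic:
        return body
    plaintext, tag = body[:-MIC_LEN], body[-MIC_LEN:]
    return plaintext if hmac.compare_digest(tag, mic_tag(iv, plaintext)) else None


def corrupt_in_transit(packet: bytes, byte_index: int) -> bytes:
    """One bit of the ciphertext changed after the sender encrypted it (noise or tampering)."""
    out = bytearray(packet)
    out[byte_index] ^= 0x01
    return bytes(out)


def demo(plaintext: bytes = b"ALLOW user=guest") -> Dict[str, bool]:
    """Compare the receiver's behaviour for a packet altered by one bit, with and without MIC."""
    first_data_byte = IV_LEN  # the byte right after the clear-text IV
    without = open_packet(corrupt_in_transit(seal(plaintext, False), first_data_byte), False)
    with_mic = open_packet(corrupt_in_transit(seal(plaintext, True), first_data_byte), True)
    return {
        "without_mic_accepted": without is not None,
        "without_mic_plaintext_changed": without != plaintext,
        "with_mic_accepted": with_mic is not None,
        "untampered_with_mic_ok": open_packet(seal(plaintext, True), True) == plaintext,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because the MIC is keyed and covers the IV and the whole plaintext, a receiver that enforces it cannot be made to accept a modified packet without the MIC key; that is the behaviour the Note above describes from the other side, where a driver without MIC support cannot associate to an AP that requires it.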
Temporal Key Integrity Protocol (TKIP)
This feature, also referred to as WEP key hashing, defends against an attack on WEP in which the intruder uses the initialization vector (IV) in encrypted packets to calculate the WEP key. TKIP removes the predictability that an intruder relies on to determine the WEP key by exploiting IVs. It protects both unicast and broadcast WEP keys.
Note If you enable TKIP on the access point, your client adapter's firmware must support TKIP; otherwise, the client cannot associate.
Broadcast Key Rotation
EAP authentication provides dynamic unicast WEP keys for client devices but uses static broadcast, or multicast, keys. When you enable broadcast WEP key rotation, the access point provides a dynamic broadcast WEP key and changes it at the interval you select. When you enable this feature, only wireless client devices using LEAP, EAP-TLS, or PEAP authentication can associate to the access point. Client devices using static WEP (with open or shared key authentication) cannot associate.
Synchronizing Security Features
In order to use any of the security features discussed in this section, both your client adapter and the access point to which it will associate must be set appropriately. Table 5-2 indicates the client and access point settings required for each security feature. This chapter provides specific instructions for enabling the security features on your client adapter. Refer to the software configuration guide for your access point for instructions on enabling any of these features on the access point.
Table 5-2 Client and Access Point Security Settings
| Security Feature | Client Setting | Access Point Setting |
|---|---|---|
| Static WEP with open authentication | Create a WEP key and enable Static WEP Keys and Open Authentication | Set up and enable WEP and enable Open Authentication |
| Static WEP with shared key authentication | Create a WEP key and enable Static WEP Keys and Shared Key Authentication | Set up and enable WEP and enable Shared Key Authentication |
| LEAP authentication | Enable LEAP | Set up and enable WEP and enable Network-EAP |
| EAP-TLS authentication | Enable Host Based EAP and Dynamic WEP Keys in ACU and select TLS as the EAP Type in the Authentication Manager | Set up and enable WEP and enable Network-EAP |
| PEAP authentication | Enable Host Based EAP and Dynamic WEP Keys in ACU and select Cisco PEAP (or PEAP) as the EAP Type in the Authentication Manager | Set up and enable WEP and enable Network-EAP |
| MIC | Use driver version 2.30 or greater | Set up and enable WEP with full encryption, set MIC to MMH, and set Use Aironet Extensions to Yes |
| TKIP | Use firmware version 5.02.19 or greater | Set up and enable WEP, set TKIP to Cisco, and set Use Aironet Extensions to Yes |
| Broadcast key rotation | Use firmware version 5.02.19 or greater and enable LEAP, EAP-TLS, or PEAP | Set up and enable WEP and set Broadcast WEP Key Rotation Interval to any value other than zero (0) |
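Table 5-2, together with the Mixed Mode and Open Authentication rules in Table 5-1 and the broadcast-key-rotation restriction above, amounts to a set of pairing constraints between a client profile and an access point. The checker below is an added example written for this page (not an ACU or access point feature): it encodes those constraints over two plain dicts whose field names are this example's own choice, compares the driver and firmware version strings numerically (so that "2.30" correctly ranks above "2.4"), and returns every mismatch it finds. The sample profiles and the access point settings at the bottom are constructed values.

```python
import re
from typing import Dict, List, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '5.02.19', '2.30' or '11.10T' into a comparable tuple of integers.

    Letter suffixes such as the 'T' in access point firmware versions are dropped;
    each component is compared numerically, so '2.30' sorts above '2.4'.
    """
    parts = []
    for part in text.split("."):
        match = re.match(r"\d+", part)
        if match is None:
            raise ValueError(f"unparseable version component {part!r} in {text!r}")
        parts.append(int(match.group()))
    return tuple(parts)


MIN_MIC_DRIVER = parse_version("2.30")
MIN_TKIP_FIRMWARE = parse_version("5.02.19")   # also the minimum for broadcast key rotation
EAP_SECURITY_TYPES = {"LEAP", "Host Based EAP"}


def check_security_sync(client: Dict, ap: Dict) -> List[str]:
    """Return the mismatches between a client profile and an access point (empty list = compatible)."""
    findings: List[str] = []
    sec = client["network_security_type"]
    wep = client["wep"]
    auth = client["authentication_type"]
    client_wep_on = wep != "No WEP"

    # 802.1X profiles: Open authentication on the client, Network-EAP and WEP on the AP.
    if sec in EAP_SECURITY_TYPES:
        if auth != "Open":
            findings.append("EAP profiles require Authentication Type = Open on the client")
        if "Network-EAP" not in ap["authentication"]:
            findings.append(f"AP must enable Network-EAP for {sec}")
        if sec == "Host Based EAP" and wep != "Dynamic WEP Keys":
            findings.append("Host Based EAP requires WEP = Dynamic WEP Keys on the client")
    # Static WEP: the AP must allow the same authentication method (shared key is discouraged).
    elif wep == "Static WEP Keys":
        if auth not in ap["authentication"]:
            findings.append(f"AP does not allow {auth} authentication")
        if auth == "Shared Key":
            findings.append("warning: shared key authentication is not recommended (security risk)")
    if client_wep_on and ap["wep"] == "Off":
        findings.append("client uses WEP but the AP has WEP disabled")

    # Mixed Mode must follow the AP's WEP = Optional setting.
    if ap["wep"] == "Optional" and client_wep_on and client["mixed_mode"] != "Enabled":
        findings.append("AP has WEP = Optional: enable Mixed Mode on the client")
    if ap["wep"] != "Optional" and client["mixed_mode"] == "Enabled":
        findings.append("AP does not have WEP = Optional: set Mixed Mode to Disabled")

    # MIC, TKIP and broadcast key rotation are switched on at the AP; the client only needs
    # new enough software, plus an EAP type when keys are rotated.
    if ap["mic"] == "MMH":
        if parse_version(client["driver_version"]) < MIN_MIC_DRIVER:
            findings.append("MIC on the AP needs client driver 2.30 or greater")
        if not ap["aironet_extensions"] or ap["wep"] != "Full":
            findings.append("MIC requires WEP = Full and Use Aironet Extensions = Yes on the AP")
    if ap["tkip"] == "Cisco":
        if parse_version(client["firmware_version"]) < MIN_TKIP_FIRMWARE:
            findings.append("TKIP on the AP needs client firmware 5.02.19 or greater")
        if not ap["aironet_extensions"]:
            findings.append("TKIP requires Use Aironet Extensions = Yes on the AP")
    if ap["broadcast_key_rotation_interval"] != 0:
        if sec not in EAP_SECURITY_TYPES:
            findings.append("broadcast key rotation: only LEAP, EAP-TLS or PEAP clients can associate")
        if parse_version(client["firmware_version"]) < MIN_TKIP_FIRMWARE:
            findings.append("broadcast key rotation needs client firmware 5.02.19 or greater")
    return findings


# Constructed sample settings (not taken from any real deployment).
LEAP_CLIENT = {
    "network_security_type": "LEAP", "wep": "Dynamic WEP Keys",
    "authentication_type": "Open", "mixed_mode": "Disabled",
    "driver_version": "2.30", "firmware_version": "5.02.19",
}
STATIC_WEP_CLIENT = {
    "network_security_type": "None", "wep": "Static WEP Keys",
    "authentication_type": "Open", "mixed_mode": "Disabled",
    "driver_version": "2.20", "firmware_version": "4.25",
}
HARDENED_AP = {
    "wep": "Full", "authentication": {"Open", "Network-EAP"},
    "mic": "MMH", "tkip": "Cisco", "aironet_extensions": True,
    "broadcast_key_rotation_interval": 300,
}

if __name__ == "__main__":
    for name, profile in (("LEAP client", LEAP_CLIENT), ("static WEP client", STATIC_WEP_CLIENT)):
        print(name, "->", check_security_sync(profile, HARDENED_AP) or ["compatible"])
```

Run as-is, the LEAP profile comes back compatible with the hardened access point, while the static WEP profile collects four findings: its driver and firmware are too old for MIC and TKIP, and an AP that rotates broadcast keys will not accept a static WEP client at all.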
Using Static WEP
This section provides instructions for entering new static WEP keys or overwriting existing static WEP keys.
Enabling Static WEP and Entering a New Static WEP Key
Follow the steps below to enter a new static WEP key for this profile.
Step 1 From the Properties screen, select Network Security Type under Property and None from the list of options in the Value box.
Step 2 Select WEP under Property and Static WEP Keys from the list of options in the Value box.
Step 3 Tap the WEP Keys button. The WEP Keys screen appears (see Figure 5-3).
Figure 5-3 WEP Keys Screen
This screen allows you to create up to four static WEP keys.
Step 4 For the static WEP key that you are entering (1, 2, 3, or 4), select a WEP key size of 40 or 128 on the right side of the screen. 128-bit client adapters can use 40- or 128-bit keys, but 40-bit adapters can use only 40-bit keys. If 128 bit is not supported by the client adapter, this option is grayed out, and you are unable to select it.
Step 5 Obtain the static WEP key from your system administrator and enter it in the blank field for the key you are creating. Follow the guidelines below to enter a new static WEP key:
• WEP keys can consist of the following hexadecimal characters: 0-9, A-F, and a-f.
• WEP keys must contain the following number of characters:
– 10 hexadecimal characters for 40-bit keys
Example: 12345abcde
– 26 hexadecimal characters for 128-bit keys
Example: AB34CD78EFab01cd23ef456789
•Your client adapter's WEP key must match the WEP key used by the access point (in infrastructure mode) or clients (in ad hoc mode) with which you are planning to communicate.
•When setting more than one WEP key, the keys must be assigned to the same WEP key numbers for all devices. For example, WEP key 2 must be WEP key number 2 on all devices. When multiple WEP keys are set, they must be in the same order on all devices.
Note After you enter a WEP key, you can write over it, but you cannot edit or delete it.
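The guidelines in Step 5 are mechanical enough to check before a key is typed into four devices by hand. The validator below is an added example written for this page (it is not part of ACU): it applies the character-set and length rules, refuses a 128-bit key on an adapter that supports only 40-bit keys, and compares two devices' key slots so that a key entered under number 2 on one device is confirmed to be number 2 on the other. The two sample keys are the ones quoted in the guidelines; the slot layouts are constructed.

```python
import re
from typing import Dict, List

# The two example keys quoted in the guidelines above.
SAMPLE_40_BIT_KEY = "12345abcde"
SAMPLE_128_BIT_KEY = "AB34CD78EFab01cd23ef456789"

HEX_KEY_RE = re.compile(r"[0-9A-Fa-f]+")
KEY_SIZE_BY_HEX_LENGTH = {10: 40, 26: 128}  # hex characters -> key size in bits
VALID_SLOTS = (1, 2, 3, 4)


def wep_key_size(key: str) -> int:
    """Return 40 or 128 for a well-formed static WEP key, or raise ValueError.

    Applies the two guidelines: hexadecimal digits only, and exactly
    10 (40-bit) or 26 (128-bit) characters.
    """
    if not HEX_KEY_RE.fullmatch(key):
        raise ValueError("WEP key must contain only hexadecimal characters 0-9, A-F, a-f")
    try:
        return KEY_SIZE_BY_HEX_LENGTH[len(key)]
    except KeyError:
        raise ValueError(
            f"WEP key has {len(key)} hex characters; expected 10 (40-bit) or 26 (128-bit)"
        ) from None


def check_key_set(keys: Dict[int, str], adapter_max_bits: int = 128) -> List[str]:
    """Validate one device's key slots (1-4) against the size its adapter supports."""
    problems: List[str] = []
    for slot, key in keys.items():
        if slot not in VALID_SLOTS:
            problems.append(f"slot {slot}: only WEP key numbers 1-4 exist")
            continue
        try:
            bits = wep_key_size(key)
        except ValueError as exc:
            problems.append(f"slot {slot}: {exc}")
            continue
        if bits > adapter_max_bits:
            problems.append(f"slot {slot}: {bits}-bit key but adapter supports only {adapter_max_bits}-bit keys")
    return problems


def key_sets_match(device_a: Dict[int, str], device_b: Dict[int, str]) -> List[str]:
    """Report slots where two devices' key assignments differ.

    The same slot number must hold the same key on every device. Keys are hexadecimal,
    so 'abcd' and 'ABCD' are the same key and the comparison ignores case.
    """
    mismatches: List[str] = []
    for slot in sorted(set(device_a) | set(device_b)):
        a, b = device_a.get(slot), device_b.get(slot)
        if a is None or b is None:
            mismatches.append(f"slot {slot}: set on only one device")
        elif a.lower() != b.lower():
            mismatches.append(f"slot {slot}: keys differ")
    return mismatches


if __name__ == "__main__":
    # Constructed slot layouts for a client adapter and the access point it should talk to.
    client_keys = {1: SAMPLE_40_BIT_KEY, 2: SAMPLE_128_BIT_KEY}
    ap_keys = {1: SAMPLE_40_BIT_KEY.upper(), 3: SAMPLE_128_BIT_KEY}
    print("client problems:", check_key_set(client_keys) or "none")
    print("40-bit adapter problems:", check_key_set(client_keys, adapter_max_bits=40))
    print("client vs AP:", key_sets_match(client_keys, ap_keys) or "all slots match")
```

The comparison helper is the part that catches the error the last guideline warns about: in the sample layout both devices hold the 128-bit key, but under different slot numbers, so the check reports slots 2 and 3 rather than passing the pair.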
Step 6 Tap the Transmit Key button to the left of the key you want to use to transmit packets. Only one WEP key can be selected as the transmit key.
Step 7 Tap OK to write your WEP key(s) to the client adapter's volatile memory and the registry of the Windows CE device or tap Cancel to exit the WEP Keys screen without updating the keys.
Step 8 Tap OK to save your changes.
Overwriting an Existing Static WEP Key
Follow the steps below to overwrite an existing static WEP key.
Step 1 From the Properties screen, tap the WEP Keys button. The WEP Keys screen appears (see Figure 5-3). A check mark appears in the Already Set? box for all existing static WEP keys.
Note For security reasons, the codes for existing static WEP keys do not appear on the screen. Also, you can write over existing keys, but you cannot edit or delete them.
Step 2 Decide which existing static WEP key you want to overwrite.
Step 3 Tap within the blank field of that key.
Step 4 Enter a new key, following the guidelines outlined in Step 5 of the "Enabling Static WEP and Entering a New Static WEP Key" section.
Step 5 Make sure the Transmit Key button to the left of your key is selected, if you want this key to be used to transmit packets.
Step 6 Tap OK to write your new static WEP key to the client adapter's volatile memory and the registry of the Windows CE device or tap Cancel to exit the WEP Keys screen without overwriting any keys.
Step 7 Tap OK to save your changes.
Disabling Static WEP
Follow the steps below if you ever need to disable static WEP.
Note Selecting LEAP for the Network Security Type disables static WEP automatically.
Step 1 Double-tap the ACU icon or select Start > Programs > Cisco > ACU. The Profiles screen appears.
Step 2 Select the profile that you want to change from the Manage Profiles box and tap the Edit button.
Step 3 Select WEP under Property and No WEP from the list of options in the Value box.
Step 4 Tap OK to save your changes.
Using LEAP
Before you can enable LEAP authentication, your network devices must meet the following requirements:
• Client adapters must support WEP, and firmware version 5.02.19 or greater is recommended.
• Access points to which your client adapter will attempt to authenticate must use the following firmware versions or greater: 11.23T (340 and 350 series access points), 12.2(4)JA (1100 series access points), or 11.54T (1200 series access points).
• All necessary infrastructure devices (for example, access points, servers, etc.) must be properly configured for LEAP authentication.
Enabling LEAP
Follow the steps below to enable LEAP authentication for this profile.
Step 1 From the Properties screen, select Network Security Type under Property and LEAP from the list of options in the Value box. When LEAP is enabled, the following parameters on the Properties screen are changed automatically:
• WEP is set to Dynamic WEP Keys.
• Authentication Type is set to Open.
Step 2 Perform one of the following:
• If you want to use a temporary username and password (which must be entered whenever a LEAP profile is selected, the client adapter is ejected and reinserted, or the Windows CE device is reset in order to authenticate and gain access to the network), go to Step 3.
• If you want to use a saved username and password (which do not need to be entered whenever a LEAP profile is selected, the client adapter is ejected and reinserted, or the Windows CE device is reset because authentication occurs automatically as needed using your saved credentials), enter your LEAP username, password, and optional domain name in the User Name, User Password, and User Domain edit boxes.
Step 3 Tap OK to enable LEAP.
Step 4 Refer to the "Using LEAP" section for instructions on authenticating using LEAP.
Disabling LEAP
Follow the steps below if you ever need to disable LEAP for a particular profile.
Step 1 Double-tap the ACU icon or select Start > Programs > Cisco > ACU. The Profiles screen appears.
Step 2 Select the profile that you want to change from the Manage Profiles box and tap the Edit button.
Step 3 Select Network Security Type under Property and None from the list of options in the Value box.
Step 4 Tap OK to save your changes.
Using Host-Based EAP
Before you can enable host-based EAP authentication, your network devices must meet the following requirements:
• The Windows CE device must be a PPC 2002 device.
Note Support for EAP-TLS and PEAP authentication will be available for Windows CE .NET devices in a future release.
• Client adapters must support WEP, and firmware version 5.02.19 or greater is recommended.
• Access points to which your client adapter will attempt to authenticate must use the following firmware versions or greater: 11.23T (340 and 350 series access points), 12.2(4)JA (1100 series access points), or 11.54T (1200 series access points).
• All necessary infrastructure devices (for example, access points, servers, gateways, user databases, etc.) must be properly configured for the authentication type you plan to enable on the client.
Obtaining CA and User Certificates
EAP-TLS and PEAP authentication require the use of certificates. EAP-TLS requires both a Certificate Authority (CA) certificate and a user certificate while PEAP requires only a CA certificate. After you import the necessary certificates, you should not have to repeat this procedure until the certificates expire (at a time that is predetermined by the certificate server).
Note Chapter 8 provides instructions for viewing and removing certificates, if necessary.
If you have not yet obtained a CA certificate (for EAP-TLS or PEAP) and a user certificate (for EAP-TLS), follow the steps below.
Step 1 Obtain the certificate file(s) (*.cer or *.crt) from your system administrator.
Step 2 Establish an ActiveSync connection between your laptop or PC and your Windows CE device.
Step 3 Open Windows Explorer on your laptop or PC.
Step 4 Copy the certificate file(s) and paste them into a folder under My Computer > Mobile Device.
Step 5 Follow the steps in the "Obtaining a CA Certificate" section below and the "Obtaining a User Certificate" section to import the certificate file(s) for your Windows CE device.
Obtaining a CA Certificate
If you are planning to use EAP-TLS or PEAP authentication on a PPC 2002 device, follow the steps below to import the CA certificate.
Step 1 Select Start > Programs > Cisco > CertMgr. The Certificate Manager screen appears (see Figure 5-4).
Figure 5-4 Certificate Manager Screen
Step 2 Make sure Trusted Authorities appears in the Certificate drop-down menu.
Step 3 Tap the Import button.
Step 4 The Certificate Manager Open screen appears (see Figure 5-5).
Figure 5-5 Certificate Manager Open Screen
Step 5 Tap the CA certificate file.
Step 6 The Certificate Manager screen reappears with the name of the CA certificate server listed in the middle of the screen.
Step 7 Tap OK to close the Certificate Manager.
Obtaining a User Certificate
If you are planning to use EAP-TLS authentication on a PPC 2002 device, follow the steps below to import the user certificate.
Note As an alternative to the procedure below, you can use the Certificate Manager to import a user certificate. To do so, follow the steps in the "Obtaining a CA Certificate" section above, but make sure My Certificates (not Trusted Authorities) appears in the Certificate drop-down menu in Step 2 and tap the user certificate file (not the CA certificate file) in Step 5.
Step 1 Make sure that your Windows CE device has an ActiveSync link to a laptop or PC that is on the same network as the certificate server you want to use.
Step 2 Select Start > Programs > Cisco > Enroll. The Certificate Enrollment screen appears (see Figure 5-6).
Figure 5-6 Certificate Enrollment Screen
Step 3 Enter the username, password, and server name for your certificate server in the appropriate fields. You can obtain these values from your system administrator.
Step 4 Tap the Enroll button. The box at the bottom of the screen indicates the status of the certificate enrollment by changing from Ready to Processing.
If the operation is successful, the following message appears: "A certificate has been added to your device."
Step 5 Tap OK to close the Certificate Enrollment screen.
Enabling Host-Based EAP
Follow the steps below to enable host-based EAP authentication (EAP-TLS or PEAP) for this profile on a PPC 2002 device.
Note Because EAP-TLS and PEAP authentication are not enabled in ACU, you cannot switch between these authentication types simply by switching profiles in ACU. You can create a profile in ACU that uses host-based EAP, but you must enable the specific authentication type in the Authentication Manager. In addition, only one authentication type can be set at a time; therefore, if you have more than one profile in ACU that uses host-based EAP and you want to use another authentication type, you must change the authentication type in the Authentication Manager after switching profiles in ACU.
Step 1 From the Properties screen, select Network Security Type under Property and Host Based EAP from the list of options in the Value box.
Step 2 Select WEP under Property and Dynamic WEP Keys from the list of options in the Value box.
Step 3 Tap OK to save your changes.
Step 4 Select Start > Programs > Cisco > AuthMgr. The Authentication screen appears (see Figure 5-7).
Figure 5-7 Authentication Screen
Step 5 Perform one of the following, depending on the authentication type you want to use:
•If you are planning to use EAP-TLS, go to the "Enabling EAP-TLS" section below.
•If you are planning to use PEAP, go to the "Enabling PEAP" section.
Enabling EAP-TLS
Follow the steps below to enable EAP-TLS for this profile.
Step 1 For EAP Type, select TLS.
Step 2 If your Windows CE device has more than one user certificate, tap the Properties button. On the Select Certificate screen, select the user certificate that you want to use and tap OK.
Step 3 The configuration is complete. Tap the Connect button on the Authentication screen to start the EAP authentication process.
Note Any time you make a change to the active profile in ACU or the Authentication Manager, you must tap the Connect button on the Authentication screen to start the authentication process.
Step 4 Refer to the "Using EAP-TLS" section for instructions on authenticating using EAP-TLS.
Enabling PEAP
Follow the steps below to enable PEAP for this profile.
Step 1 For EAP Type, select Cisco PEAP or PEAP. If you select Cisco PEAP, go to Step 2. If you select PEAP, go to Step 8.
Note PEAP appears as an EAP Type option on a PPC 2002 device if the Microsoft PEAP supplicant (rather than the Cisco PEAP supplicant) was installed.
Step 2 Tap the Properties button. The PEAP Properties screen appears (see Figure 5-8).
Figure 5-8 PEAP Properties Screen
Step 3 Make sure that the Validate server certificate check box is checked if server certificate validation is required (recommended).
Step 4 If you want to specify the name of the server to connect to, check the Connect only if server name ends in check box and enter the appropriate server name suffix in the field below.
Note If you enter a server name and the client adapter connects to a server that does not match the name you entered, you are prompted to accept or cancel the connection during the authentication process.
Note If you leave this field blank, the server name is not verified, and a connection is established as long as the certificate is valid.
Step 5 Make sure that the name of the certificate authority from which the server certificate was downloaded appears in the Trusted root certificate field. If necessary, tap the arrow on the drop-down menu and select the appropriate name.
Note If you leave this field blank, you are prompted to accept a connection to the root certification authority during the authentication process.
Step 6 Check the Connect only if server is signed by specified trusted root CA check box if you want to ensure that the certificate server uses the trusted root certificate specified in the field above. This prevents the client from establishing connections to rogue access points.
Step 7 Tap OK to save your settings. The configuration is complete.
Step 8 Tap the Connect button on the Authentication screen to start the EAP authentication process.
Note Any time you make a change to the active profile in ACU or the Authentication Manager, you must tap the Connect button on the Authentication screen to start the authentication process.
Step 9 Refer to the "Using PEAP" section for instructions on authenticating using PEAP.
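The following model shows how the settings from Steps 3 through 6 of the PEAP Properties screen narrow what the supplicant will accept from an authentication server. It is an added illustration, not Cisco's code; the certificate fields, the "prompt" outcome and the order of the checks are assumptions used to make the page's notes concrete.

```python
"""Decision model for the PEAP Properties server-validation settings.
Added example, not Cisco code. Assumed: certificate fields, check order,
and that an issuer mismatch without the 'signed by specified trusted root'
box prompts the user (the page does not state that case)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class PeapProperties:
    validate_server_certificate: bool = True    # Step 3 check box
    server_name_suffix: Optional[str] = None    # Step 4 "Connect only if server name ends in"
    trusted_root_ca: Optional[str] = None       # Step 5 "Trusted root certificate"
    require_trusted_root: bool = False          # Step 6 check box


@dataclass
class ServerCert:
    subject_name: str   # name presented by the authentication server
    issuer_name: str    # certificate authority that signed it
    chain_valid: bool   # signature chain checks out to an installed authority


def evaluate_server(props: PeapProperties, cert: ServerCert) -> str:
    """Return 'connect', 'prompt' or 'reject' following the page's notes."""
    if not props.validate_server_certificate:
        # Nothing is checked, so any server, including a rogue one, is accepted.
        return "connect"
    if not cert.chain_valid:
        return "reject"
    # Step 6: hard requirement that the server is signed by the chosen root CA.
    if props.require_trusted_root and props.trusted_root_ca \
            and cert.issuer_name != props.trusted_root_ca:
        return "reject"
    # Step 4 note: a server name that does not match the suffix prompts the user.
    if props.server_name_suffix and \
            not cert.subject_name.lower().endswith(props.server_name_suffix.lower()):
        return "prompt"
    # Step 5 note: a blank trusted root field prompts to accept the root CA.
    if not props.trusted_root_ca:
        return "prompt"
    if cert.issuer_name != props.trusted_root_ca:
        return "prompt"  # assumed behaviour when Step 6 is unchecked
    return "connect"


def hardened_properties(domain_suffix: str, root_ca: str) -> PeapProperties:
    """Settings the page recommends: validate, pin the name suffix and the root CA."""
    return PeapProperties(True, domain_suffix, root_ca, True)
```

The constructed names in the test (a corporate domain and a rogue server) show that only the hardened settings reject a server that presents a valid but foreign certificate.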
Disabling Host-Based EAP
Follow the steps below if you ever need to disable host-based EAP (EAP-TLS or PEAP) for a particular profile on a PPC 2002 device.
Step 1 Double-tap the ACU icon or select Start > Programs > Cisco > ACU. The Profiles screen appears.
Step 2 Select the profile that you want to change from the Manage Profiles box and tap the Edit button.
Step 3 Select Network Security Type under Property and None from the list of options in the Value box.
Step 4 Tap OK to save your changes.