Cisco Cisco Aironet 350 Wireless LAN Client Adapter
6
Release Notes for Cisco Aironet 350 and CB20A Client Adapter Install Wizard 1.3 for Windows
OL-5515-01
New and Changed Information
Supporting Documentation
The Cisco Aironet 340, 350, and CB20A Wireless LAN Client Adapters Installation and Configuration
Guide for Windows (part number OL-1394-08) provides detailed installation, configuration, and
troubleshooting information for Install Wizard version 1.3 and its software components.
Guide for Windows (part number OL-1394-08) provides detailed installation, configuration, and
troubleshooting information for Install Wizard version 1.3 and its software components.
Note
Install Wizard version 1.3 and its software components are not supported for use with Cisco Aironet 340
series client adapters.
series client adapters.
New and Changed Information
Support for EAP-FAST Authentication
Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST)
authentication is a new IEEE 802.1X authentication type available for Cisco Aironet 350 series and
CB20A client adapters on computers running Windows 2000 or XP. EAP-FAST offers flexible, easy
deployment and management, supports a variety of user and password database types, supports
server-initiated password expiration and change, and does not require digital certificates. Cisco
developed EAP-FAST for customers who want to deploy an 802.1X EAP type that does not use
certificates and provides protection from dictionary attacks. For example, a customer using Cisco LEAP
who cannot enforce a strong password policy and does not want to use certificates can migrate to
EAP-FAST for protection from dictionary attacks. EAP-FAST allows for a seamless migration from
LEAP.
authentication is a new IEEE 802.1X authentication type available for Cisco Aironet 350 series and
CB20A client adapters on computers running Windows 2000 or XP. EAP-FAST offers flexible, easy
deployment and management, supports a variety of user and password database types, supports
server-initiated password expiration and change, and does not require digital certificates. Cisco
developed EAP-FAST for customers who want to deploy an 802.1X EAP type that does not use
certificates and provides protection from dictionary attacks. For example, a customer using Cisco LEAP
who cannot enforce a strong password policy and does not want to use certificates can migrate to
EAP-FAST for protection from dictionary attacks. EAP-FAST allows for a seamless migration from
LEAP.
Note
If you change an old LEAP profile (one that was created using ACU version 6.2 or earlier) with
a saved username and password to EAP-FAST, you are prompted to re-enter your password if
you try to save the profile without entering a new password.
a saved username and password to EAP-FAST, you are prompted to re-enter your password if
you try to save the profile without entering a new password.
EAP-FAST uses a three-phased tunneled authentication process to provide advanced 802.1X EAP
mutual authentication.
mutual authentication.
•
Phase 0 enables the client to dynamically provision a protected access credentials (PAC) when
necessary. During this phase, a PAC is generated securely between the user and the network.
necessary. During this phase, a PAC is generated securely between the user and the network.
•
Phase 1 uses the PAC to establish a mutually authenticated and secure tunnel between the client and
the RADIUS server. RADIUS servers that support EAP-FAST include Cisco Secure ACS version
3.2.3 and later.
the RADIUS server. RADIUS servers that support EAP-FAST include Cisco Secure ACS version
3.2.3 and later.
•
Phase 2 performs client authentication in the established tunnel.
EAP-FAST is enabled or disabled for a specific profile through ACU, provided the EAP-FAST security
module was selected during installation. After EAP-FAST is enabled, a variety of configuration options
are available, including how and when a username and password are entered to begin the authentication
process and whether automatic or manual PAC provisioning is used.
module was selected during installation. After EAP-FAST is enabled, a variety of configuration options
are available, including how and when a username and password are entered to begin the authentication
process and whether automatic or manual PAC provisioning is used.
The client adapter uses the username, password, and PAC to perform mutual authentication with the
RADIUS server through the access point. The username and password need to be re-entered each time
the client adapter is inserted or the Windows device is rebooted, unless you configure your adapter to
use saved EAP-FAST credentials.
RADIUS server through the access point. The username and password need to be re-entered each time
the client adapter is inserted or the Windows device is rebooted, unless you configure your adapter to
use saved EAP-FAST credentials.