Cisco Aironet 350 Wireless LAN Client Adapter
Release Notes for Cisco Aironet Client Utilities 2.50 and Driver 2.50 for Windows CE
OL-5517-01
New and Changed Information
Support for EAP-TLS and Cisco PEAP on Additional Platforms
EAP-TLS and Cisco PEAP authentication are now supported for use on PPC 2003 and Windows CE
.NET 4.2 devices.
Support for EAP-FAST Authentication
Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST)
authentication is available on PPC 2002, PPC 2003, and Windows CE .NET 4.2 devices. EAP-FAST
offers flexible, easy deployment and management, supports a variety of user and password database
types, supports server-initiated password expiration and change, and does not require digital certificates.
Cisco developed EAP-FAST for customers who want to deploy an 802.1X EAP type that does not use
certificates and provides protection from dictionary attacks. For example, a customer using Cisco LEAP
who cannot enforce a strong password policy and does not want to use certificates can migrate to
EAP-FAST for protection from dictionary attacks.
EAP-FAST uses a three-phased tunneled authentication process to provide advanced 802.1X EAP
mutual authentication.
• Phase 0 enables the client to dynamically provision a protected access credential (PAC) when
necessary. During this phase, a PAC is generated securely between the user and the network.
• Phase 1 uses the PAC to establish a mutually authenticated and secure tunnel between the client and
the RADIUS server. RADIUS servers that support EAP-FAST include Cisco Secure ACS version
3.2.3 and later.
• Phase 2 performs client authentication in the established tunnel.
EAP-FAST is enabled in ACU, and either a saved EAP-FAST username and password are entered in
ACU or a temporary EAP-FAST username and password are entered in WLM. In addition, automatic or
manual PAC provisioning is enabled in ACU. The client adapter uses the username, password, and PAC
to perform mutual authentication with the RADIUS server through the access point. The temporary
EAP-FAST username and password are stored in the client adapter’s volatile memory and need to be
re-entered whenever an EAP-FAST profile is selected, the client adapter is ejected and reinserted, or the
Windows CE device is reset.
PACs are created by Cisco Secure ACS and are identified by an ID. The user obtains a copy of the PAC
from the server, and the ID links the PAC to the profile created in ACU. When manual PAC provisioning
is enabled, the PAC file is manually copied from the server and imported onto the client device. The
following rules govern PAC storage:
• PACs are stored in a single PAC database and are available to all users of the device.
• PAC files can be added or replaced using the import feature, but they cannot be removed or exported.
EAP-FAST authentication is designed to support the following user databases over a wireless LAN:
• Cisco Secure ACS internal user database
• Cisco Secure ACS ODBC user database
• Windows NT/2000/2003 domain user database
• LDAP user database