Release Notes for Cisco Aironet 350 Wireless LAN Client Adapter
Release Notes for Cisco Aironet 802.11a/b/g Client Adapters (CB21AG and PI21AG) Install Wizard 2.0
OL-7578-01
New and Changed Information
Supporting Documentation
The Cisco Aironet 802.11a/b/g Wireless LAN Client Adapters (CB21AG and PI21AG) Installation and
Configuration Guide (part number OL-4211-03) pertains specifically to CB21AG and PI21AG client
adapters. If you are using a Cisco Aironet 340, 350, or CB20A client adapter, refer to the Installation
and Configuration Guide for that client adapter and your computer’s operating system.
Support for EAP-FAST Authentication
Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST)
authentication is a new IEEE 802.1X authentication type available for Cisco Aironet CB21AG and
PI21AG client adapters on computers running Windows 2000 or XP. EAP-FAST offers flexible, easy
deployment and management, supports a variety of user and password database types, supports
server-initiated password expiration and change, and does not require digital certificates. Cisco
developed EAP-FAST for customers who want to deploy an 802.1X EAP type that does not use
certificates and provides protection from dictionary attacks. For example, a customer using Cisco LEAP
who cannot enforce a strong password policy and does not want to use certificates can migrate to
EAP-FAST for protection from dictionary attacks. EAP-FAST allows for a seamless migration from
LEAP.
EAP-FAST uses a three-phased tunneled authentication process to provide advanced 802.1X EAP
mutual authentication.
• Phase 0 enables the client to dynamically provision a protected access credential (PAC) when
necessary. During this phase, a PAC is generated securely between the user and the network.
• Phase 1 uses the PAC to establish a mutually authenticated and secure tunnel between the client and
the RADIUS server. RADIUS servers that support EAP-FAST include Cisco Secure ACS version
3.2.3 and later.
• Phase 2 performs client authentication in the established tunnel.
EAP-FAST is enabled or disabled for a specific profile through ADU. A variety of EAP-FAST
configuration options are available, including how and when a username and password are entered to
begin the authentication process and whether automatic or manual PAC provisioning is used.
The client adapter uses the username, password, and PAC to perform mutual authentication with the
RADIUS server through the access point. The username and password need to be re-entered each time
the client adapter is inserted or the Windows device is rebooted, unless you configure your adapter to
use saved EAP-FAST credentials.
PACs are created by Cisco Secure ACS and are identified by an ID. The user obtains his or her own copy
of the PAC from the server, and the ID links the PAC to the profile created in ADU. When manual PAC
provisioning is enabled, the PAC is manually copied from the server and imported onto the client device.