Using EAP Authentication
This chapter explains the sequence of events that occurs and the actions you must take when a profile that is set for EAP authentication is selected for use.
The following topics are covered in this chapter:
• Overview
• Using LEAP or EAP-FAST
• Using EAP-TLS
• Using PEAP
Overview
This chapter explains the sequence of events that occurs as soon as you select a profile that uses EAP authentication, as well as after you eject and reinsert the client adapter, reset the Windows CE device, or are informed that your username and password have expired. The chapter contains three sections based on the profile's authentication type:
• Using LEAP or EAP-FAST
• Using EAP-TLS
• Using PEAP
Follow the instructions for your profile's authentication type to successfully authenticate.
Note If any error messages appear during authentication, refer to Chapter 9 for explanations and recommended actions.
Using LEAP or EAP-FAST
With a Temporary Username and Password
After you select a profile that uses LEAP or EAP-FAST authentication (with a temporary username and password) or you eject and reinsert the client adapter or reset your Windows CE device while this profile is selected, follow these steps to authenticate using LEAP or EAP-FAST.
Step 1 The Wireless Login Module window appears (see Figure 6-1).
Figure 6-1 Wireless Login Module Window
Note You can also start WLM by selecting Start > Programs > Cisco > Wireless Login Module. You may want to do this if you inadvertently exited WLM after it started or if you roam to a different part of the network where a different login is required.
Step 2 Obtain your LEAP or EAP-FAST username and password from your system administrator.
Note The password is optional because not all host accounts on the RADIUS server are set up with a password.
Step 3 Enter your LEAP or EAP-FAST username in the User Name field.
Step 4 Enter your LEAP or EAP-FAST password in the Password field if your RADIUS server account was set up with a password.
Note For security reasons, the characters entered for the password are displayed as asterisks.
Step 5 If your RADIUS server account specifies a domain, enter the domain name in the Domain field.
Step 6 Tap OK. If the username and password were entered correctly, they are written to volatile memory on the client adapter. The username and password remain on the client adapter until a different profile is selected, the client adapter is ejected and reinserted, or the Windows CE device is reset.
Note If you want to terminate the LEAP or EAP-FAST session, tap the Logout button. If you want to exit WLM, tap the Cancel button.
Step 7 One of three scenarios occurs:
1. The client adapter authenticates to the RADIUS server using your username and password and receives a dynamic, session-based WEP key. The ACU Profiles window indicates if your client adapter is authenticated to an access point.
2. If you enter the username or password incorrectly or enter ones that are not valid for the RADIUS server on the network, the Wireless Login Module window reappears with a message indicating that your login was incorrect. You are able to retry immediately by re-entering the username and password.
3. The client adapter times out while trying to authenticate, possibly because it is out of range of an access point. After 30 seconds, a message appears indicating that the authentication attempt timed out and that you need to rerun WLM.
With a Saved Username and Password
After you select a profile that uses LEAP or EAP-FAST authentication (with a saved username and password) or you eject and reinsert the client adapter or reset your Windows CE device while this profile is selected, the client adapter should authenticate automatically. The ACU Profiles window indicates if your client adapter is authenticated to an access point.
Note If you entered your username or password incorrectly in the ACU Properties window or entered ones that are not valid for the RADIUS server on the network, the Wireless Login Module window appears with a message indicating that your login was incorrect. Tap Cancel; then change your username or password on the ACU Properties window and tap OK.
Note If you want to log out of a LEAP or EAP-FAST session, select Start > Programs > Cisco > Wireless Login Module and tap the Logout button on the Wireless Login Module window.
After Your EAP-FAST Credentials Expire
If the EAP-FAST credentials (username and password) for your current profile expire or become invalid, follow these steps to change your password.
Step 1 When the Password Expired window appears (see Figure 6-2) to indicate that your password has expired, enter your old password in the Old Password field.
Figure 6-2 Password Expired Window
Step 2 Enter your new password in both the New Password and Confirm New fields and tap OK.
Step 3 If prompted, log off and on again in order to update your local cached account with your new password.
Using EAP-TLS
After you select a profile that uses host-based EAP authentication and configure the card for EAP-TLS, follow these steps to EAP authenticate.
Note These instructions are applicable after profile selection, card ejection and reinsertion, or reset.
Step 1 If a message appears informing you that you need to accept a certificate to begin the EAP authentication process, tap the message and follow the instructions provided to accept the certificate.
Note You should not have to accept a certificate for future authentication attempts. After you accept one, the same certificate is used subsequently.
Step 2 If a message appears indicating the root certification authority for the server's certificate and it is the correct certification authority, tap OK to accept the connection. Otherwise, tap Cancel.
Step 3 If a message appears indicating the server to which your client adapter is connected and it is the correct server to connect to, tap OK to accept the connection. Otherwise, tap Cancel.
Step 4 The User Logon window appears (see Figure 6-3).
Figure 6-3 User Logon Window
Step 5 Enter your EAP-TLS username and optional domain name (which are registered with the RADIUS server) in the appropriate fields. For example, if your EAP-TLS username is jsmith and the domain name is corporate, you would enter jsmith in the User Name field and corporate in the Domain field.
Note If your network uses a Cisco Secure ACS server, you must leave the Domain field blank and enter the fully qualified domain name in the User Name field as follows: username@fully.qualified.domain. For example, if your EAP-TLS username is jsmith and the domain name is corporate on Cisco.com, you would enter jsmith@corporate.cisco.com in the User Name field and leave the Domain field blank.
Step 6 Tap OK. The client adapter should now EAP authenticate.
To verify authentication on a PPC 2002 device, select Start > Programs > Cisco > AuthMgr. The Status field at the bottom of the window shows the authentication status. If the authentication is successful, the Status field displays Authenticated, and the IP Address field displays the IP address of the client adapter.
Using PEAP
After Profile Selection, Card Insertion, or Reset
After you select a profile that uses host-based EAP authentication and configure the card for PEAP, follow these steps to EAP authenticate.
Note These instructions are applicable for use with Windows NT or 2000 domain, LDAP, or OTP user databases after profile selection, card ejection and reinsertion, or reset.
Step 1 If a message appears informing you that you need to select a certificate or other credentials to access the network, tap this message.
Step 2 If a message appears indicating the root certification authority for the server's certificate and it is the correct certification authority, tap OK to accept the connection. Otherwise, tap Cancel.
Step 3 If a message appears indicating the server to which your client adapter is connected and it is the correct server to connect to, tap OK to accept the connection. Otherwise, tap Cancel.
Step 4 The Static Password window appears (see Figure 6-4).
Note If a message appears prompting you to process your logon information for your wireless network, tap this message. Then the Static Password window appears.
Figure 6-4 Static Password Window
Step 5 Enter your PEAP username and password (which are registered with the RADIUS server) in the appropriate fields.
Step 6 If applicable, enter your domain name in the Domain field.
Note A domain name is not required for OTP databases.
Step 7 Tap OK. The client adapter should now EAP authenticate.
To verify authentication on a PPC 2002 device, select Start > Programs > Cisco > AuthMgr. The Status field at the bottom of the window shows the authentication status. If the authentication is successful, the Status field displays Authenticated, and the IP Address field displays the IP address of the client adapter.
After Your Password Expires (Windows NT or 2000 Domain Databases Only)
If you are using a Windows NT or 2000 domain database with PEAP and the password for your current username expires, follow these steps to change your password.
Step 1 When the Change Password window appears (see Figure 6-5) to indicate that your password has expired, enter your old password in the Old Password field.
Figure 6-5 Change Password Window
Step 2 Enter your new password in both the New Password and Confirm New Password fields.
Note The password is also changed in the Windows NT or 2000 domain user database.
Step 3 Tap OK. The client adapter should authenticate using your new password.