Using EAP Authentication
This chapter explains the sequence of events that occurs and the actions you must take when a profile that is set for EAP authentication is activated.
The following topics are covered in this chapter:
• Overview
• Using LEAP or EAP-FAST
• Using LEAP or EAP-FAST with the Windows Username and Password
• Using LEAP or EAP-FAST with an Automatically Prompted Login
• Using LEAP or EAP-FAST with a Manually Prompted Login
• Using LEAP or EAP-FAST with a Saved Username and Password
• Using EAP-TLS
• Using PEAP (EAP-GTC)
• Using PEAP (EAP-MSCHAP V2)
• Restarting the Authentication Process
Overview
This chapter explains the sequence of events that occurs after you (or auto profile selection) activate a profile that uses EAP authentication or you eject and reinsert the client adapter, reboot the computer, log on while this profile is active, or are informed that your password has expired or is invalid. The chapter contains seven sections based on the profile's authentication type and its username and password settings:
• LEAP or EAP-FAST with the Windows username and password
• LEAP or EAP-FAST with an automatically prompted login
• LEAP or EAP-FAST with a manually prompted login
• LEAP or EAP-FAST with a saved username and password
• EAP-TLS
• PEAP (EAP-GTC)
• PEAP (EAP-MSCHAP V2)
Also provided are an overview of LEAP and EAP-FAST authentication (below) and instructions for restarting the authentication process when necessary (page 16).
Follow the instructions for your profile's authentication type and credential settings to successfully authenticate.
Note: If any error messages appear during authentication, refer to Chapter 10 for explanations and recommended actions.
Using LEAP or EAP-FAST
When LEAP or EAP-FAST authentication begins, the LEAP or EAP-FAST Authentication Status window appears (see Figure 6-1).
Figure 6-1 LEAP or EAP-FAST Authentication Status Window
This window provides information about the status of LEAP or EAP-FAST authentication. Table 6-1 lists and explains the stages of LEAP or EAP-FAST authentication. As each stage is completed, a status message (such as Success) appears in the Status field. If any error messages appear, refer to the "Error Messages" section on page 10-18 for an explanation and the recommended action to take.
Table 6-1 Stages of LEAP or EAP-FAST Authentication
| Stage | Description |
|---|---|
| Starting LEAP or EAP-FAST Authentication | The client adapter associates to an access point, and the LEAP or EAP-FAST authentication process begins. |
| Checking Link Status | The client adapter is EAP authenticated, and the network connection is verified. |
| Renewing IP Address | If DHCP is enabled, the IP address is released and renewed. |
| Detecting IPX Frame Type | The IPX frame type is reset if AutoDetect is enabled. |
| Finding Domain Controller | If you are logging into a domain and the active profile specifies that the domain name be included, an attempt is made to find the domain controller to make sure subsequent access to the domain is successful. |
If you do not want the LEAP or EAP-FAST Authentication Status window to appear each time the client adapter attempts to authenticate using LEAP or EAP-FAST, check the Show minimized next time check box at the bottom of the window. On future LEAP or EAP-FAST authentication attempts, the LEAP or EAP-FAST Authentication Status window appears minimized in the Windows taskbar.
Note: To make the LEAP or EAP-FAST Authentication Status window reappear once it has been minimized, click the LEAP Authentication Status or EAP-FAST Authentication Status tab in the Windows taskbar and uncheck the Show minimized next time check box. The LEAP or EAP-FAST Authentication Status window should now appear for all future LEAP or EAP-FAST authentication attempts.
Using LEAP or EAP-FAST with the Windows Username and Password
After Profile Activation or Card Insertion
After you (or auto profile selection) activate a profile that uses your Windows username and password for LEAP or EAP-FAST authentication or you eject and reinsert the client adapter while this profile is active, the following events occur:
1. The LEAP or EAP-FAST Authentication Status window appears.
2. If your profile is configured for EAP-FAST and a message appears asking if you want to auto-provision a PAC, click Yes.
3. If your client adapter authenticates, the window shows that each stage was successful and then disappears. ASTU and the Link Status field on the ADU Current Status window show Authenticated.
If the authentication attempt fails, an error message appears after the authentication timeout period has expired. Refer to the "Error Messages" section on page 10-18 for the necessary action to take.
After a Reboot or Logon
After your computer reboots or you log on, follow these steps to authenticate using LEAP or EAP-FAST.
Step 1 When the Windows login window appears, enter your Windows username and password and click OK. The domain name is optional.
Note: If your computer has Novell Client 32 software installed, a separate LEAP or EAP-FAST login window appears before the Novell login window. If this occurs, enter your Windows and Novell username and password in the login windows and click OK.
The LEAP or EAP-FAST Authentication Status window appears.
Step 2 If your profile is configured for EAP-FAST and a message appears asking if you want to auto-provision a PAC, click Yes.
Step 3 If your client adapter authenticates, the window shows that each stage was successful and then disappears.
If the authentication attempt fails, an error message appears after the authentication timeout period has expired. Refer to the "Error Messages" section on page 10-18 for the necessary action to take.
Step 4 Windows continues to log you onto the system. ASTU and the Link Status field on the ADU Current Status window show Authenticated.
After Your EAP-FAST Password Expires
If the EAP-FAST password for your current profile expires or becomes invalid, follow these steps to change your password.
Note: If you change your Windows password using the standard Windows Change Password function, the client updates the EAP-FAST password automatically and maintains its connection to the access point if the current profile uses the Windows username and password. However, data packets may be dropped during this process.
Step 1 When the Please Change Password window appears (see Figure 6-2) to indicate that your password is invalid, enter your old password in the Old Password field.
Figure 6-2 Please Change Password Window
Step 2 Enter your new password in both the New Password and Verify New Password fields and click OK.
Step 3 If prompted, log off and on again in order to update your local cached account with your new password.
Note: The Please Change Password window does not appear if you configured the profile to use Windows credentials for authentication.
Using LEAP or EAP-FAST with an Automatically Prompted Login
After Profile Activation or Card Insertion
After you (or auto profile selection) activate a profile that uses a separate username and password for LEAP or EAP-FAST authentication or you eject and reinsert the client adapter while this profile is active, follow these steps to authenticate.
Step 1 When the Enter Wireless Network Password window appears (see Figure 6-3), enter your LEAP or EAP-FAST username and password and click OK. The domain name can be entered in the Log On To field; it is optional.
Figure 6-3 Enter Wireless Network Password Window
The LEAP or EAP-FAST Authentication Status window appears.
Step 2 If your profile is configured for EAP-FAST and a message appears asking if you want to auto-provision a PAC, click Yes.
Step 3 If your client adapter authenticates, the LEAP or EAP-FAST Authentication Status window shows that each stage was successful and then disappears. ASTU and the Link Status field on the ADU Current Status window show Authenticated.
If the authentication attempt fails, an error message appears after the authentication timeout period has expired. Refer to the "Error Messages" section on page 10-18 for the necessary action to take.
After a Reboot or Logon
After your computer reboots or you log on, follow these steps to authenticate using LEAP or EAP-FAST.
Step 1 When the Windows login window appears, enter your Windows username and password and click OK.
Step 2 When the Enter Wireless Network Password window appears (see Figure 6-4), enter your LEAP or EAP-FAST username and password and click OK. The domain name can be entered in the Log On To field; it is optional.
Figure 6-4 Enter Wireless Network Password Window
The LEAP or EAP-FAST Authentication Status window appears.
Step 3 If your profile is configured for EAP-FAST and a message appears asking if you want to auto-provision a PAC, click Yes.
Step 4 If your client adapter authenticates, the window shows that each stage was successful and then disappears. The logon or boot-up process completes.
If the authentication attempt fails, an error message appears after the authentication timeout period has expired. Refer to the "Error Messages" section on page 10-18 for the necessary action to take.
After Your EAP-FAST Password Expires
If the EAP-FAST password for your current profile expires or becomes invalid, follow these steps to change your password.
Step 1 When the Please Change Password window appears (see Figure 6-5) to indicate that your password is invalid, enter your old password in the Old Password field.
Figure 6-5 Please Change Password Window
Step 2 Enter your new password in both the New Password and Verify New Password fields.
Step 3 Click OK. The client adapter should authenticate using your new password.
Using LEAP or EAP-FAST with a Manually Prompted Login
After Profile Activation
After you (or auto profile selection) activate a profile that uses LEAP or EAP-FAST authentication with a manually prompted login, follow these steps to authenticate.
Note: If auto profile selection is enabled, this procedure is applicable the first time auto profile selection activates a manual LEAP or manual EAP-FAST profile. After you follow these steps to enter your LEAP or EAP-FAST credentials, you can switch profiles without having to re-enter your credentials until you reboot your computer, eject and reinsert your client adapter, or change the profile in any way (including its priority in auto profile selection). If auto profile selection is disabled, you must re-enter your credentials every time you activate a manual LEAP or manual EAP-FAST profile.
Step 1 When the Enter Wireless Network Password window appears (see Figure 6-6), enter your LEAP or EAP-FAST username and password and click OK. The domain name can be entered in the Log On To field; it is optional.
Figure 6-6 Enter Wireless Network Password Window
The LEAP or EAP-FAST Authentication Status window appears.
Step 2 If your profile is configured for EAP-FAST and a message appears asking if you want to auto-provision a PAC, click Yes.
Step 3 If your client adapter authenticates, the window shows that each stage was successful and then disappears. ASTU and the Link Status field on the ADU Current Status window show Authenticated.
If the authentication attempt fails, an error message appears after the authentication timeout period has expired. Refer to the "Error Messages" section on page 10-18 for the necessary action to take.
After a Reboot, Logon, or Card Insertion
After your computer reboots, you log on, or you eject and reinsert the client adapter, the adapter does not automatically attempt to authenticate. You must manually invoke the authentication process. To do so, follow these steps.
Step 1 If you rebooted your computer or logged on, complete your standard Windows login. Then open ASTU or ADU.
Step 2 Choose the Manual Login option from the ADU Action drop-down menu (see Figure 6-7).
Figure 6-7 Action Drop-Down Menu
You can also choose the Manual Login option from the ASTU pop-up menu (see Figure 6-8).
Figure 6-8 ASTU Pop-Up Menu
Note: In ACAU, you can enable the Manual Login option in ASTU by clicking the Global Settings tab, double-clicking Global Settings, double-clicking ASTU Settings, and choosing Yes under Manual Login.
Step 3 When the Enter Wireless Network Password window appears (see Figure 6-9), enter your LEAP or EAP-FAST username and password and click OK. The domain name can be entered in the Log On To field; it is optional.
Figure 6-9 Enter Wireless Network Password Window
The LEAP or EAP-FAST Authentication Status window appears.
Step 4 If your profile is configured for EAP-FAST and a message appears asking if you want to auto-provision a PAC, click Yes.
Step 5 If your client adapter authenticates, the window shows that each stage was successful and then disappears. ASTU and the Link Status field on the ADU Current Status window show Authenticated.
If the authentication attempt fails, an error message appears after the authentication timeout period has expired. Refer to the "Error Messages" section on page 10-18 for the necessary action to take.
After Your EAP-FAST Password Expires
If the EAP-FAST password for your current profile expires or becomes invalid, follow these steps to change your password.
Step 1 When the Please Change Password window appears (see Figure 6-10) to indicate that your password is invalid, enter your old password in the Old Password field.
Figure 6-10 Please Change Password Window
Step 2 Enter your new password in both the New Password and Verify New Password fields.
Step 3 Click OK. The client adapter should authenticate using your new password.
Using LEAP or EAP-FAST with a Saved Username and Password
After Profile Activation or Card Insertion
After you (or auto profile selection) activate a profile that uses LEAP or EAP-FAST authentication with a saved LEAP or EAP-FAST username and password or you eject and reinsert the client adapter while this profile is active, the following events occur:
1. The LEAP or EAP-FAST Authentication Status window appears.
2. If your profile is configured for EAP-FAST and a message appears asking if you want to auto-provision a PAC, click Yes.
3. If your client adapter authenticates, the window shows that each stage was successful and then disappears. ASTU and the Link Status field on the ADU Current Status window show Authenticated.
If the authentication attempt fails, an error message appears after the authentication timeout period has expired. Refer to the "Error Messages" section on page 10-18 for the necessary action to take.
After a Reboot or Logon
After your computer reboots or you log on, the following events occur:
1. After you enter your Windows username and password, the authentication process begins automatically using your saved LEAP or EAP-FAST username and password.
Note: If you unchecked the No Network Connection Unless User Is Logged In check box on the LEAP Settings window or EAP-FAST Settings window, the EAP authentication process begins before the Windows login window appears.
2. If your profile is configured for EAP-FAST and a message appears asking if you want to auto-provision a PAC, click Yes.
3. If your client adapter authenticates, the LEAP or EAP-FAST Authentication Status window shows that each stage was successful and then disappears.
If the authentication attempt fails, an error message appears after the authentication timeout period has expired. Refer to the "Error Messages" section on page 10-18 for the necessary action to take.
4. Windows continues to log you onto the system. ASTU and the Link Status field on the ADU Current Status window show Authenticated.
After Your EAP-FAST Password Expires
If the EAP-FAST password for your current profile expires or becomes invalid, follow these steps to change your password.
Step 1 When the Please Change Password window appears (see Figure 6-11) to indicate that your password is invalid, enter your old password in the Old Password field.
Figure 6-11 Please Change Password Window
Step 2 Enter your new password in both the New Password and Verify New Password fields.
Step 3 Click OK. The client adapter should authenticate using your new password.
Step 4 Edit the profile in ADU by changing the saved username and password on the EAP-FAST Settings window.
Using EAP-TLS
After you (or auto profile selection) activate a profile that uses EAP-TLS authentication or you eject and reinsert the client adapter, reboot the computer, or log on while this profile is active, the EAP authentication process begins automatically, and the client adapter should EAP authenticate.
If your client adapter authenticates, ASTU and the Link Status field on the ADU Current Status window show Authenticated. If the authentication attempt fails, ASTU and ADU show Authentication Failed.
Using PEAP (EAP-GTC)
After you (or auto profile selection) activate a profile that uses PEAP (EAP-GTC) authentication or you eject and reinsert the client adapter, reboot the computer, or log on while this profile is active, follow the steps in one of the sections below to EAP authenticate. Choose the section appropriate for your user database.
Windows NT or 2000 Domain Databases or LDAP Databases Only
The EAP authentication process begins automatically. The client adapter should EAP authenticate using either your Windows credentials or the username and password entered in the Define PEAP (EAP-GTC) Configuration window. If your client adapter authenticates, ASTU and the Link Status field on the ADU Current Status window show Authenticated. If the authentication attempt fails, ASTU and ADU show Authentication Failed.
OTP Databases Only
Step 1 Use your hardware token device or SofToken program to obtain the one-time password.
Step 2 When the Token Configuration window appears (see Figure 6-12), enter the one-time password.
Figure 6-12 Token Configuration Window
Note: The username is filled in automatically.
Step 3 Click OK to begin the authentication process.
Note: If the password is invalid or entered incorrectly, the Token Configuration window reappears, enabling you to re-enter it.
If your client adapter authenticates, ASTU and the Link Status field on the ADU Current Status window show Authenticated. If the authentication attempt fails, ASTU and ADU show Authentication Failed.
Using PEAP (EAP-MSCHAP V2)
After you (or auto profile selection) activate a profile that uses PEAP (EAP-MSCHAP V2) authentication or you eject and reinsert the client adapter, reboot the computer, or log on while this profile is active, the EAP authentication process begins automatically. The client adapter should EAP authenticate using either your Windows credentials or the username and password entered in the Define PEAP (EAP-MSCHAP V2) Configuration window.
If your client adapter authenticates, ASTU and the Link Status field on the ADU Current Status window show Authenticated. If the authentication attempt fails, ASTU and ADU show Authentication Failed.
Restarting the Authentication Process
To force your client adapter to try to reauthenticate using the username and password of the current profile, choose Reauthenticate from the ASTU pop-up menu or the ADU Action drop-down menu. When you choose this option, the authentication process begins.
If your client adapter is unable to authenticate using the specified username and password, you may be prompted to re-enter them. If you click Cancel, a message appears indicating that the current profile will be disabled until you choose the Reauthenticate option, reboot your computer, or eject and reinsert the client adapter.