Aruba PEAP-GTC Supplicant Plug-In Guide

This document describes the installation and configuration of a supplicant plug-in which supports Protected Extensible Authentication Protocol (PEAP) with EAP-Generic Token Card (GTC) authentication for Windows XP clients. This software can only be installed and used in conjunction with an Aruba Mobility Controller with the AAA FastConnect feature enabled.

This document describes the following topics:

- Overview
- Installing the Supplicant Plug-In Software
- Configuring PEAP with EAP-GTC on the Windows XP Client
- Log File

NOTE: PEAP with EAP-GTC is only supported on Aruba Mobility Controllers running ArubaOS version 2.5.4 or later. The Mobility Controller administrator must enable the AAA FastConnect feature and configure EAP-GTC as the inner EAP type, as described in the ArubaOS User Guide.
Overview

The Extensible Authentication Protocol (EAP) type Protected EAP (PEAP) uses Transport Layer Security (TLS) to create an encrypted tunnel. Within the TLS tunnel, the client can be authenticated using one of the following inner EAP methods:

- EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2): Described in RFC 2759, this EAP method is widely supported by Microsoft clients. This is the default method and is supported by ArubaOS version 2.5.1 and later.
- EAP-Generic Token Card (GTC): Described in RFC 2284, this EAP method permits the transfer of unencrypted usernames and passwords from client to server. The main uses for EAP-GTC are one-time token cards such as SecureID and the use of LDAP or RADIUS as the user authentication server. You can also enable caching of user credentials on the controller as a backup to an external authentication server. This method is supported by ArubaOS version 2.5.4 and later.

The current Wireless Zero Configuration (WZC) under Windows XP only supports PEAP with EAP-MS-CHAPv2. To use PEAP with EAP-GTC authentication in your wireless network, you need to install and configure Aruba's supplicant plug-in software on your Windows XP clients.

PEAP-GTC Supplicant Plug-In Guide 0510278-02 November 2006
Installing the Supplicant Plug-In Software

Download the software for the PEAP with EAP-GTC supplicant plug-in from the Aruba Networks support website. Install the software by opening the installer package on a Windows XP client and following the instructions in the InstallShield Wizard.

FIGURE 1 InstallShield Wizard for Installing Plug-In Software

NOTE: You must reboot the Windows XP client after installing or uninstalling the supplicant plug-in software.
Configuring PEAP with EAP-GTC on the Windows XP Client

This section describes how to configure PEAP with EAP-GTC on a Windows XP client after you install the supplicant plug-in software.

1. On the Windows XP client, open the Wireless Network Connection Properties dialog box (Figure 2).
   A. Right-click on the My Network Places icon and select Properties.
   B. In the Network Connections window, right-click on Wireless Network Connection and select Properties.

FIGURE 2 Wireless Network Connection Dialog Box

2. Select the Wireless Networks tab.

3. Under the Preferred networks section, click Add. The Wireless network properties dialog box appears with the Association tab selected (Figure 3). Enter the following information:
   - Network name (SSID): Enter the network SSID
   - Network Authentication: Select Open, WPA, or WPA2 from the drop-down menu
   - Data encryption: Select WEP, TKIP, or AES from the drop-down menu
FIGURE 3 Wireless Network Properties Association Tab

4. Click on the Authentication tab (Figure 4). Select Protected EAP (PEAP) from the EAP type drop-down menu.

NOTE: EAP-GTC does not work with machine authentication; therefore, you must deselect the "Authenticate as computer when computer information is available" checkbox.
FIGURE 4 Wireless Network Properties Authentication Tab

5. Click on Properties to display the Protected EAP Properties dialog box (Figure 5). Enter the following selections:
   - Select the Validate server certificate checkbox. Server certificate validation matters here because EAP-GTC passes the username and password unencrypted inside the TLS tunnel, so the tunnel must terminate on the intended server.
   - Select EAP Token from the Select Authentication Method drop-down menu.

NOTE: When you select EAP Token as the authentication method, no dialog box is displayed if you click the Configure button.
FIGURE 5 Protected EAP Properties Dialog Box

6. Click OK.
Log File

The supplicant plug-in software logs authentication events in C:\Program Files\Aruba Wireless Networks\EAP-GTC\gtc.log. Inspecting the log file is normally not necessary; however, if there is a problem with client authentication, you can view the log file with a text editor.

For example, the following messages in the log file indicate a successful client authentication (messages are preceded by the date and time of the event):

    [INFO] RasEapMakeMessage :: Got EAPCODE_success
    [INFO] RasEapMakeMessage :: Authentication succeeded

The following messages in the log file indicate a client authentication failure because the wrong password was entered for the authentication:

    [INFO] RasEapMakeMessage :: Got EAPCODE_failure
    [ERROR] RasEapMakeMessage :: Authentication failed. Wrong password.

The following messages in the log file indicate that the AAA FastConnect feature is not enabled on the Mobility Controller:

    [INFO] RasEapMakeMessage :: Got EAPCODE_Request
    [ERROR] RasEapMakeMessage :: AAA FastConnect (dot1x termination) is not enabled on the Aruba switch
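The following Python script is an added example, not part of the Aruba software or the original guide. It classifies gtc.log entries by the three outcomes shown above and tracks consecutive wrong-password failures. The function names, the timestamp format in the sample, and the review threshold are assumptions made for illustration.

```python
import re
import sys
from collections import Counter

# Message fragments quoted in the guide's Log File section, mapped to outcomes.
OUTCOMES = [
    ("Authentication succeeded", "success"),
    ("Authentication failed. Wrong password.", "wrong_password"),
    ("AAA FastConnect (dot1x termination) is not enabled", "fastconnect_disabled"),
]
# Text before the [LEVEL] tag is an opaque date/time prefix (format assumed).
LINE_RE = re.compile(r"^(.*?)\[([A-Z]+)\]\s+(\S+)\s+::\s+(.*)$")
# Constructed sample; the timestamp format is invented for illustration.
SAMPLE_LOG = """\
2006-11-01 09:00:01 [INFO] RasEapMakeMessage :: Got EAPCODE_failure
2006-11-01 09:00:01 [ERROR] RasEapMakeMessage :: Authentication failed. Wrong password.
2006-11-01 09:00:09 [INFO] RasEapMakeMessage :: Got EAPCODE_failure
2006-11-01 09:00:09 [ERROR] RasEapMakeMessage :: Authentication failed. Wrong password.
2006-11-01 09:01:30 [INFO] RasEapMakeMessage :: Got EAPCODE_success
2006-11-01 09:01:30 [INFO] RasEapMakeMessage :: Authentication succeeded
"""

def classify(line):
    """Return (timestamp_prefix, outcome), or None if the line is not a final result."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    for fragment, outcome in OUTCOMES:
        if fragment in m.group(4):
            return m.group(1).strip(), outcome
    return None

def summarize(lines, review_after=2):
    """Count outcomes and track the longest run of wrong-password failures."""
    counts, streak, longest = Counter(), 0, 0
    for line in lines:
        hit = classify(line)
        if hit:
            counts[hit[1]] += 1
            if hit[1] == "wrong_password":
                streak += 1
                longest = max(longest, streak)
            elif hit[1] == "success":
                streak = 0
    return {"counts": dict(counts), "longest_wrong_password_run": longest, "review": longest >= review_after}

if __name__ == "__main__":
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(summarize(text.splitlines()))
```

Run it with the path to gtc.log as the first argument; with no argument it summarizes the constructed sample.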