Cisco 802.1x Wireless using PEAP Quick Reference Guide
Copyright

Copyright 2006, CRYPTOCard Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of CRYPTOCard Corp.

Trademarks

CRYPTOCard, CRYPTO-Server, and CRYPTO-Logon are either registered trademarks or trademarks of CRYPTOCard Corp. All other trademarks, trade names, service marks, service names, product names, and images mentioned and/or used herein belong to their respective owners.

Additional Information, Assistance, or Comments

CRYPTOCard's technical support specialists can provide assistance when planning and implementing CRYPTOCard in your network. In addition to aiding in the selection of the appropriate authentication products, CRYPTOCard can suggest deployment procedures that provide a smooth, simple transition from existing access control systems and a satisfying experience for network users. We can also help you leverage your existing network equipment and systems to maximize your return on investment. This complimentary support service is available from your first evaluation system download.

CRYPTOCard works closely with channel partners to offer worldwide Technical Support services. If you purchased this product through a CRYPTOCard channel partner, please contact your reseller directly for support needs.

To contact CRYPTOCard directly:
International Voice: +1-613-599-2441
North America Toll Free: 1-800-307-7042
support@cryptocard.com

For information about obtaining a support contract, see our Support Web page at.

Publication History

Date                 Changes
July 16, 2004        Creation
November 8, 2005     Global edit
Text Conventions

The following text conventions are used in this document:

Courier text: denotes something you see on-screen (e.g. a dialog window title or field, a configurable Key, an exact filename) or something you enter verbatim on-screen (e.g. a command).

<Italicized, bracketed text>: denotes a variable that requires an appropriate value to be entered. For example, if you see <IP_address>, you might enter 192.168.1.1.

Bold text: denotes a path. If the path uses a pipe (|) character (e.g. A | B | C | D), the path does not lead to a directory, folder, or file, but rather represents GUI/application menu options. If the path uses the backslash (\) or forward slash (/) character, the path leads to a directory, folder, or file.
Table of Contents

Copyright
Trademarks
Additional Information, Assistance, or Comments
Publication History
Text Conventions
1 Overview
    Enabling PEAP in Cisco Secure 3.1
2 Wireless Client Configuration
    ACU Configuration
    Microsoft Wireless Connection Configuration
    Testing the Connection
3 Installing the CRYPTOCard EUS and Initializing Tokens
    Connecting to the Network
1 Overview

When wireless communications are secured using PEAP, all data (including logon credentials) is transmitted over an encrypted connection. Cisco Secure Access Control Server (ACS) 3.1+ supports PEAP using CRYPTOCard tokens for authentication, giving PEAP the added security of CRYPTOCard Secure Password Technology.

This document explains how to set up PEAP authentication from a client machine running Windows XP or 2000 to a Cisco Secure 3.1+ ACS. It is recommended that you configure PEAP for an internal Cisco Secure user before adding CRYPTOCard support to Cisco Secure 3.1+. Please refer to the CRYPTOCard Cisco Secure ACS Quick Reference Guide for instructions about adding CRYPTOCard Token Server support to ACS.

Enabling PEAP in Cisco Secure 3.1

Follow the instructions in the Cisco documentation on setting up a server certificate in ACS.

1. In the ACS System Configuration, click on Global Authentication Setup.
2. Select Allow PEAP.
3. If desired, enter the text shown to the client when authenticating via PEAP.
4. Set the timeout for PEAP authentication.
5. Click Submit + Restart.
2 Wireless Client Configuration

Cisco wireless clients include the Aironet Client Utility (ACU). While PEAP support is not configured in the ACU itself, the Cisco ACU installation program has an option to include the Cisco PEAP Supplicant. The PEAP Supplicant must be installed on the client system to allow PEAP authentication over a wireless connection. Ensure that the necessary Microsoft hotfixes and service packs are installed on the client system before installing the Cisco ACU and PEAP Supplicant.

ACU Configuration

Create a profile including the desired access point settings. Under Network Security for the connection profile, select Host Based EAP and Use Dynamic WEP Keys.
Microsoft Wireless Connection Configuration

1. Open the Wireless Network Connection properties.
2. Select the Wireless Networks tab.
3. Select the network that will require PEAP and click on Properties.
4. In the Association tab, choose Data encryption (WEP enabled) and The key is provided for me automatically.
5. In the Authentication tab, check Enable IEEE 802.1x authentication for this network. Choose PEAP as the EAP type. Click on Properties.
6. In the PEAP Properties window, check Validate server certificate. For added security, specify the server name of the ACS server and check Connect only if server name ends with.
7. Enter the trusted root authority, and check Connect only if server is signed by specified trusted root CA. Choose Generic Token Card as the Second Phase EAP Type and click on Properties.
8. In the Generic Token Card Properties window, choose One Time Password and, regardless of whether you are using hardware or software tokens, check Support Hardware Token.
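The server-validation settings in steps 6 and 7 are what keep the supplicant from starting the inner token-card exchange with an authenticator that presents the wrong certificate. The Python below is an added example, not code from this guide or from CRYPTOCard, Cisco, or Microsoft: it models those three PEAP Properties settings as a policy evaluator over constructed certificate records. The Cert class, the names acs.corp.example and CN=Corp Root CA, and the trusted-store set are all made up for the example, and the model deliberately omits the signature and validity-date checks a real X.509 path validation performs.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate: only the fields the
    PEAP Properties checks look at (no signatures or validity dates)."""
    subject: str          # e.g. "CN=acs.corp.example"
    issuer: str           # subject of the certificate that signed this one
    is_ca: bool = False   # basicConstraints CA flag


@dataclass
class PeapProperties:
    """The three settings from the Windows XP/2000 PEAP Properties dialog."""
    validate_server_certificate: bool = True
    # "Connect only if server name ends with": None means the check is off
    server_name_suffix: Optional[str] = None
    # "Connect only if server is signed by specified trusted root CA":
    # empty means any root in the machine's trusted store is acceptable
    trusted_root_cas: FrozenSet[str] = frozenset()


def subject_name(cert: Cert) -> str:
    """Strip the 'CN=' prefix so the suffix check runs on the bare server name."""
    return cert.subject[3:] if cert.subject.startswith("CN=") else cert.subject


def evaluate_server(chain: List[Cert], props: PeapProperties,
                    machine_trusted_roots: FrozenSet[str]) -> Tuple[bool, str]:
    """Decide whether the supplicant should continue the PEAP handshake.

    chain[0] is the certificate the ACS presented; chain[-1] should be the
    self-signed root. Returns (accept, reason).
    """
    if not props.validate_server_certificate:
        # Weak setting: any authenticator is accepted, so the inner
        # credentials go to whoever answers the association.
        return True, "accepted without validating the server certificate"
    if not chain:
        return False, "no server certificate presented"

    # Walk the chain: each certificate must be issued by the next one,
    # and every issuer must be a CA certificate.
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject or not parent.is_ca:
            return False, f"chain broken at {child.subject}"
    root = chain[-1]
    if root.issuer != root.subject or not root.is_ca:
        return False, "chain does not end in a self-signed CA"

    # Default behaviour: the root must already be in the trusted root store.
    if root.subject not in machine_trusted_roots:
        return False, f"root {root.subject} is not in the trusted root store"
    # Step 7: restrict further to the root CA named in the dialog.
    if props.trusted_root_cas and root.subject not in props.trusted_root_cas:
        return False, f"root {root.subject} is not the specified trusted root CA"
    # Step 6: the server name must end with the configured suffix.
    if props.server_name_suffix is not None:
        name = subject_name(chain[0])
        if not name.endswith(props.server_name_suffix):
            return False, f"server name {name} does not end with {props.server_name_suffix}"
    return True, f"accepted {subject_name(chain[0])} under {root.subject}"


# Constructed sample data for the scenarios below.
MACHINE_TRUSTED_ROOTS = frozenset({"CN=Corp Root CA", "CN=Public Root CA"})
CORP_ROOT = Cert("CN=Corp Root CA", "CN=Corp Root CA", is_ca=True)
PUBLIC_ROOT = Cert("CN=Public Root CA", "CN=Public Root CA", is_ca=True)

HARDENED = PeapProperties(validate_server_certificate=True,
                          server_name_suffix="corp.example",
                          trusted_root_cas=frozenset({"CN=Corp Root CA"}))
WEAK = PeapProperties(validate_server_certificate=False)

# The real ACS: right name, right root.
GENUINE_CHAIN = [Cert("CN=acs.corp.example", "CN=Corp Root CA"), CORP_ROOT]
# Same server name, but issued under a different (though trusted) root.
OTHER_ROOT_CHAIN = [Cert("CN=acs.corp.example", "CN=Public Root CA"), PUBLIC_ROOT]
# Right root, but a server name outside the configured suffix.
OTHER_NAME_CHAIN = [Cert("CN=acs.other.example", "CN=Corp Root CA"), CORP_ROOT]


if __name__ == "__main__":
    for label, chain in [("genuine", GENUINE_CHAIN),
                         ("other root", OTHER_ROOT_CHAIN),
                         ("other name", OTHER_NAME_CHAIN)]:
        for pname, props in [("hardened", HARDENED), ("weak", WEAK)]:
            ok, why = evaluate_server(chain, props, MACHINE_TRUSTED_ROOTS)
            print(f"{label:10} {pname:8} -> {'accept' if ok else 'reject'}: {why}")
```

Running the block prints the decision for each chain under both profiles: only the genuine chain passes the hardened profile, while the weak profile (Validate server certificate unchecked) accepts every chain, which is the configuration the guide's "for added security" wording is steering you away from.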
Testing the Connection

Test the configuration to this point by creating/using a username and password from the local Cisco Secure ACS database. When the wireless card connects to the network, you will be prompted to accept the server certificate (first time only) and will then be prompted to enter a username and password. Enter a valid username/password combination from ACS to authenticate the network connection.
3 Installing the CRYPTOCard EUS and Initializing Tokens

Please refer to the CRYPTO-Server Administrator's Manual for instructions about installing the EUS software and initializing SC-1, UB-1, and ST-1 tokens on a client device.

Connecting to the Network

After installing the EUS and a token on the client system, authenticating using CRYPTOCard Secure Password Technology is simply a matter of entering the username and password from the EUS when the network connection requests a username and password.
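The username and one-time password entered from the EUS travel as the Generic Token Card (EAP-GTC, EAP type 6, RFC 3748) inner method that PEAP carries inside its TLS tunnel. The Python below is an added example, not code from this guide or from CRYPTOCard, Cisco, or Microsoft: it encodes and decodes the EAP packets of that inner exchange and uses a constructed OneTimePasswordStore (user alice, passwords 48213975 and 90125536) in place of the real CRYPTOCard token server, whose password algorithm this page does not describe. It shows that the token password appears only as the Type-Data of the EAP-Response/GTC, and that presenting the same value a second time is refused.

```python
import struct
from typing import Dict, Iterable, List, Optional, Tuple

# EAP codes and the two EAP types used by the inner exchange (RFC 3748).
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_GTC = 1, 6
CODE_NAMES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


def build_eap(code: int, identifier: int, eap_type: Optional[int] = None,
              data: bytes = b"") -> bytes:
    """Encode one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(packet: bytes) -> Tuple[int, int, Optional[int], bytes]:
    """Decode an EAP packet into (code, identifier, type, type_data).

    Success and Failure carry no Type field, so type is None for them.
    """
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than its header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"length field {length} does not match {len(packet)} bytes")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return code, identifier, None, b""
    if length < 5:
        raise ValueError("Request/Response without a Type field")
    return code, identifier, packet[4], packet[5:]


class OneTimePasswordStore:
    """Constructed stand-in for the CRYPTOCard token server.

    It reproduces only the property that matters here: each password is
    accepted exactly once for its user.
    """

    def __init__(self, passwords: Dict[str, Iterable[str]]):
        self._unused = {user: set(otps) for user, otps in passwords.items()}

    def verify(self, user: str, otp: str) -> bool:
        pending = self._unused.get(user)
        if pending is None or otp not in pending:
            return False
        pending.discard(otp)  # consumed, so a replay of the same value fails
        return True


def inner_gtc_exchange(username: str, otp: str,
                       store: OneTimePasswordStore) -> Tuple[bool, List[Tuple[str, str]]]:
    """Simulate the EAP-GTC conversation that PEAP carries inside its TLS tunnel.

    Returns (authenticated, transcript); the transcript lists each packet as
    (direction, summary) in the order it would cross the tunnel.
    """
    transcript: List[Tuple[str, str]] = []

    def log(direction: str, packet: bytes) -> Tuple[int, int, Optional[int], bytes]:
        code, ident, etype, data = parse_eap(packet)
        transcript.append((direction, f"{CODE_NAMES[code]} id={ident} type={etype} data={data!r}"))
        return code, ident, etype, data

    # 1. Server asks who is connecting; 2. client answers with the identity.
    ident = 1
    log("server->client", build_eap(EAP_REQUEST, ident, EAP_TYPE_IDENTITY))
    user = log("client->server",
               build_eap(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, username.encode()))[3].decode()

    # 3. Server sends the GTC prompt (displayable text); 4. client returns the
    #    password typed from the EUS as the GTC Type-Data.
    ident += 1
    log("server->client", build_eap(EAP_REQUEST, ident, EAP_TYPE_GTC, b"Enter CRYPTOCard password:"))
    _, rid, rtype, rdata = log("client->server",
                               build_eap(EAP_RESPONSE, ident, EAP_TYPE_GTC, otp.encode()))

    # 5. Server checks the reply matches the outstanding request and verifies the OTP.
    ok = rid == ident and rtype == EAP_TYPE_GTC and store.verify(user, rdata.decode())
    ident += 1
    log("server->client", build_eap(EAP_SUCCESS if ok else EAP_FAILURE, ident))
    return ok, transcript


if __name__ == "__main__":
    # Constructed sample: one user with two unused one-time passwords.
    store = OneTimePasswordStore({"alice": ["48213975", "90125536"]})
    for attempt in ("48213975", "48213975", "90125536"):
        ok, transcript = inner_gtc_exchange("alice", attempt, store)
        print("result:", "Success" if ok else "Failure")
        for direction, summary in transcript:
            print("  ", direction, summary)
```

The second attempt in the main block reuses the first password and ends in EAP-Failure, which is the one-time property the token gives the logon; in the real deployment the whole five-packet sequence is encrypted by the PEAP tunnel negotiated after the server certificate check, so the password is never visible on the air.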