Specifications

Cisco Systems, Inc.
All contents are Copyright © 1992–2002 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.
Page 11 of 42
Figure 4-4 Session Key Derivation in EAP-TLS Authentication
5 EAP-TLS Deployment in a WLAN Environment
This section details the system components that are required to roll out EAP-TLS in an enterprise network. Certificate
requirements, both for the AAA server and the clients, are discussed in detail. Deployment issues, such as mixed EAP
protocol deployment and AAA server scalability, are addressed in Sections 5.3 and 5.4.
5.1 System Components
Table 5-1 lists the components that are required for accessing a wireless LAN network using EAP-TLS authentication:
Table 5-1 Components for Accessing a Wireless LAN Network

Access point(s): Cisco Wireless Access Point, operating system Version 11.06 or later, or equivalent device
AAA/RADIUS server: Cisco Secure ACS for Windows Version 3.0 or later, Cisco Access Registrar v3.0, or any other AAA/RADIUS server that supports EAP-TLS and supports Enhanced Key Usage (see Figure 5-1)
Client(s) (user machines): Microsoft XP (other clients for non-XP operating systems may be available) [1]
Certification authority server: Microsoft certification authority server or any other certification authority server that supports Enhanced Key Usage (see Figure 5-1)

[1] Note: Microsoft has announced EAP support for legacy operating systems in 2002 (Windows 2000, Windows NT® 4, Windows 98, Windows 98 Second Edition, and Windows ME). Also, there are third-party EAP supplicants that provide support for EAP-TLS on various operating systems (for example, the Meetinghouse Data Communications EAP supplicant).
[Figure 4-4 diagram: the Client Random (per connection) and Server Random (per connection) are fed together with the Pre-Master Secret (per session) into the PRF to produce the Master Secret (per session); a second PRF pass over the Master Secret and the two randoms produces the per-connection Client/Server IV, Write Secret and Write MAC keys.]
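The derivation shown in Figure 4-4, written out as an added example (not Cisco's code) that implements the TLS 1.0/1.1 PRF from RFC 2246 and the key-block split of its section 6.3, then applies the same PRF with the EAP-TLS label from RFC 2716/5216 to obtain the key material handed to the WLAN. The cipher-suite sizes (20-byte MAC, 16-byte key, 16-byte IV) and the sample randoms are assumptions, not values from the document.

```python
import hmac

def p_hash(hash_name, secret, seed, length):
    """P_<hash> expansion from RFC 2246 section 5: HMAC chained over A(i) values."""
    out = b""
    a = seed                                            # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()     # A(i) = HMAC_hash(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]

def tls10_prf(secret, label, seed, length):
    """TLS 1.0/1.1 PRF (RFC 2246): P_MD5 over the first half of the secret XOR
    P_SHA1 over the second half; an odd-length secret shares its middle byte."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha1_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))

def derive_session_keys(pre_master, client_random, server_random,
                        mac_len=20, key_len=16, iv_len=16):
    """Figure 4-4: pre-master secret + randoms -> master secret -> key block,
    split in RFC 2246 section 6.3 order. Default sizes assume AES-128-CBC/HMAC-SHA1."""
    master = tls10_prf(pre_master, b"master secret", client_random + server_random, 48)
    # Note the reversed random order for key expansion (server first).
    block = tls10_prf(master, b"key expansion", server_random + client_random,
                      2 * (mac_len + key_len + iv_len))
    names = ["client_write_mac", "server_write_mac", "client_write_key",
             "server_write_key", "client_write_iv", "server_write_iv"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = block[pos:pos + size]
        pos += size
    # EAP-TLS (RFC 2716/5216) runs the PRF once more with its own label to get the
    # key material exported to the WLAN; RFC 5216 takes the first 64 bytes as the MSK.
    keys["eap_key_material"] = tls10_prf(master, b"client EAP encryption",
                                         client_random + server_random, 128)
    return master, keys

if __name__ == "__main__":
    # Constructed sample values; real randoms are 32 bytes from each TLS hello.
    pre = bytes([3, 1]) + bytes(range(46))
    c_rand, s_rand = bytes([0x11] * 32), bytes([0x22] * 32)
    master, keys = derive_session_keys(pre, c_rand, s_rand)
    print("master secret:", master.hex())
    for name, value in keys.items():
        print(f"{name:18s} {len(value):3d} bytes {value.hex()[:32]}...")
```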