Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

How to enable Protected Extensible Authentication Protocol


To enable Protected Extensible Authentication Protocol (PEAP) on the client adapter, perform the steps in the Enabling PEAP section of Configuring the Client Adapter.

Enabling PEAP

Follow the steps below to enable PEAP.

Step 1 For EAP type, select PEAP.

Step 2 Click Properties. The PEAP Properties screen appears (see Figure 5-10). Figure 5-10     PEAP Properties Screen

Step 3 Check the Validate server certificate check box if server certificate validation is required (recommended).

Step 4 If you want to specify the name of the server to connect to, check the Connect only if server name ends with check box and enter the appropriate server name suffix in the field below.

Note If you enter a server name and the client adapter connects to a server that does not match the name you entered, you are prompted to accept or cancel the connection during the authentication process.

Note If you leave this field blank, the server name is not verified, and a connection is established as long as the certificate is valid.

Step 5 Make sure that the name of the certificate authority from which the server certificate was downloaded appears in the Trusted root certificate authority (CA) field. If necessary, click the arrow on the drop-down menu and select the appropriate name.

Note If you leave this field blank, you are prompted to accept a connection to the root certification authority during the authentication process.

Step 6 Check the Connect only if server is signed by specified trusted root CA check box if you want to ensure that the certificate server uses the trusted root certificate specified in the field above. This prevents the client from establishing connections to rogue access points.

Step 7 Currently Generic Token Card is the only second phase EAP type available. Click Properties. The Generic Token Card Properties screen appears (see Figure 5-11).

Figure 5-11     Generic Token Card Properties Screen

Step 8 Select either the Static Password (Windows NT/2000, LDAP) or the One Time Password option, depending on your user database.

Step 9 Perform one of the following:

If you selected the Static Password (Windows NT/2000, LDAP) option in Step 8, go to Step 10.

If you selected the One Time Password option in Step 8, check one or both of the following check boxes to specify the type of tokens that will be supported for one-time passwords:

Support Hardware Token—A hardware token device obtains the one-time password. You must use your hardware token device to obtain the one-time password and enter the password when prompted for your user credentials.

Support Software Token—The PEAP supplicant works with a software token program to retrieve the one-time password. You have to enter only the PIN, not the one-time password. If you check this check box, you must also select from the Supported Type drop-down box the software token software that is installed on the client (such as Secure Computing SofToken Version 1.3, Secure Computing SofToken II 2.0, or RSA SecurID Software Token v 2.5), and if Secure Computing SofToken Version 1.3 is selected, you must locate the software program path using the Browse button.

Note The SofToken Program Path field is unavailable if a software token program other than Secure Computing SofToken Version 1.3 is selected.

Step 10 Click OK three times to save your settings. The configuration is complete.

Step 11 Refer to Chapter 6, for instructions on authenticating using PEAP.

To configure PEAP on an Access Point (AP), refer to Configuring VLANs.

PEAP is supported only on client adapters that support WEP and use either the PCM, LMC, or PCI cards with firmware version 4.25.30 or later (or mini PCI card firmware version 5.00.03 or later). Cisco Aironet 1200, 350, and 340 series APs must have firmware release 11.23T or later, and Cisco Aironet 1100 series APs must have Cisco IOS  Software Release 12.2.4-JA or later.

For more information on configuring Cisco Secure ACS version 3.1 for Windows, refer to the Protected Extensible Authentication Protocol Application Note.

The following is information about PCM, LMC, and PCI cards:

  • A PCM is a PCMCIA card, which is a laptop adapter card
  • An LMC is a PCMCIA card with no physical antenna attached
  • A PCI is a PC adapter card

Problem Type

Configure / Configuration issues


Access point

BR 350

WLAN adapters (wireless card) / ACU (Aironet Client Utility)

Security Options


Version history
Revision #:
1 of 1
Last update:
‎06-22-2009 05:33 PM
Updated by: