Additional Wep Key Security Features; Message Integrity Check (Mic) - Cisco AIR-PCM341 Installation And Configuration Manual

340 Series, 350 Series Aironet Wireless LAN Client Adapters for Windows CE

Chapter 5
Configuring the Client Adapter
Overview of Security Features
Cisco Aironet Wireless LAN Client Adapters Installation and Configuration Guide for Windows CE
OL-1375-03, page 5-11

session-based WEP key, which is derived from the client adapter and RADIUS server, to encrypt
data. PEAP requires you to enter your username and password in order to start the
authentication process and gain access to the network.

RADIUS servers that support PEAP authentication include Cisco Secure ACS version 3.1 or
greater.

When you enable Network-EAP or Require EAP on your access point and configure your client adapter
for LEAP, EAP-TLS, or PEAP, authentication to the network occurs in the following sequence:

1. The client associates to an access point and begins the authentication process.

   Note
   The client does not gain access to the network until authentication between the client and
   the RADIUS server is successful.

2. Communicating through the access point, the client and RADIUS server complete the authentication
   process, with the password (LEAP and PEAP) or certificate (EAP-TLS) being the shared secret for
   authentication. The password is never transmitted during the process.

3. If authentication is successful, the client and RADIUS server derive a dynamic, session-based WEP
   key that is unique to the client.

4. The RADIUS server transmits the key to the access point using a secure channel on the wired LAN.

5. For the length of a session, or time period, the access point and the client use this key to encrypt or
   decrypt all unicast packets (and broadcast packets if the access point is set up to do so) that travel
   between them.

Refer to the "Using LEAP" section on page 5-16 for instructions on enabling LEAP or to the
"Using Host-Based EAP" section on page 5-17 for instructions on enabling EAP-TLS or PEAP.

Note
Refer to the IEEE 802.11 Standard for more information on 802.1X authentication and to the following
URL for additional information on RADIUS servers:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt2/scrad.htm

Additional WEP Key Security Features

The three security features discussed in this section (MIC, TKIP, and broadcast key rotation) are
designed to prevent sophisticated attacks on your wireless network's WEP keys. These features do not
need to be enabled on the client adapter; they are supported automatically in firmware version 5.02.19
or greater and driver version 2.30 or greater. However, they must be enabled on the access point.

Note
Access point firmware version 11.10T or greater is required to enable these security features. Refer to
the software configuration guide for your access point for instructions on enabling these features.

Message Integrity Check (MIC)

MIC prevents bit-flip attacks on encrypted packets. During a bit-flip attack, an intruder intercepts an
encrypted message, alters it slightly, and retransmits it, and the receiver accepts the retransmitted
message as legitimate. MIC adds a few bytes to each packet to make the packets tamper-proof.
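The bit-flip scenario described under Message Integrity Check (MIC), as an added example that is not part of the Cisco guide: a receiver that checks only WEP's unkeyed CRC-32 ICV accepts an altered frame, while one that also checks a keyed MIC rejects it. Assumptions: truncated HMAC-SHA256 stands in for the MIC (Cisco's algorithm is not given on this page), the per-packet IV is omitted, and the keys, payload and function names are constructed for illustration.

```python
import hashlib, hmac, zlib

def rc4(key: bytes, n: int) -> bytes:
    """RC4 keystream, the stream cipher WEP uses."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data: bytes) -> bytes:
    """WEP's integrity check value: an unkeyed CRC-32."""
    return zlib.crc32(data).to_bytes(4, "little")

def mic(key: bytes, payload: bytes) -> bytes:
    """Stand-in keyed MIC (assumption: truncated HMAC-SHA256, not Cisco's algorithm)."""
    return hmac.new(key, payload, hashlib.sha256).digest()[:8]

def seal(wep_key, mic_key, payload, use_mic):
    """Sender side: payload [+ MIC] + ICV, XORed with the keystream."""
    body = payload + (mic(mic_key, payload) if use_mic else b"")
    plain = body + icv(body)
    return xor(plain, rc4(wep_key, len(plain)))

def unseal(wep_key, mic_key, frame, use_mic):
    """Receiver side: return the payload, or None when a check fails."""
    plain = xor(frame, rc4(wep_key, len(frame)))
    body, tag = plain[:-4], plain[-4:]
    if icv(body) != tag:
        return None
    if not use_mic:
        return body
    payload, got = body[:-8], body[-8:]
    return payload if hmac.compare_digest(got, mic(mic_key, payload)) else None

def alter_in_transit(frame: bytes, delta: bytes) -> bytes:
    """Keyless change: CRC-32 is linear, so the ICV can be patched to match."""
    d = delta.ljust(len(frame) - 4, b"\0")
    return xor(frame, d + xor(icv(d), icv(bytes(len(d)))))

# Constructed sample keys, payload and bit pattern ('0' -> '9' at offset 7)
WEP_KEY, MIC_KEY = bytes(range(3, 16)), b"constructed-mic-key"
PAYLOAD = b"amount=0100;to=alice"
DELTA = bytes(7) + bytes([ord("0") ^ ord("9")])
```

The ICV passes in both cases because it is computed without a key; only the keyed check depends on something the party altering the frame does not hold.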
