Wi-Fi Protected Access (WPA) - Cisco AIR-PCI340 Installation And Configuration Manual

Wireless LAN client adapters

Cisco Aironet 340, 350, and CB20A Wireless LAN Client Adapters Installation and Configuration Guide for Windows (OL-1394-07)
Appendix E: Configuring the Client Adapter through the Windows XP Operating System, page E-4

Overview
RADIUS servers that support EAP-SIM include Cisco Access Registrar version 3.0 or greater.
When you enable Require EAP on your access point and configure your client adapter for EAP-TLS,
PEAP, or EAP-SIM using Windows XP, authentication to the network occurs in the following sequence:
1. The client adapter associates to an access point and begins the authentication process.
   Note: The client does not gain full access to the network until authentication between the client
   and the RADIUS server is successful.
2. Communicating through the access point, the client and RADIUS server complete the authentication
   process, with the password (PEAP), certificate (EAP-TLS), or internal key stored on the SIM card
   and in the service provider's Authentication Center (EAP-SIM) being the shared secret for
   authentication. The password or internal key is never transmitted during the process.
3. If authentication is successful, the client and RADIUS server derive a dynamic, session-based WEP
   key that is unique to the client.
4. The RADIUS server transmits the key to the access point using a secure channel on the wired LAN.
5. For the length of a session, or time period, the access point and the client use this key to encrypt or
   decrypt all unicast packets (and broadcast packets if the access point is set up to do so) that travel
   between them.
Note: Refer to the IEEE 802.11 Standard for more information on 802.1X authentication and to the following
URL for additional information on RADIUS servers:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt2/scrad.htm

Wi-Fi Protected Access (WPA)

Wi-Fi Protected Access (WPA) is a standards-based, interoperable security enhancement that greatly
increases the level of data protection and access control for existing and future wireless LAN systems.
It is derived from and will be compatible with the upcoming IEEE 802.11i standard. WPA leverages
Temporal Key Integrity Protocol (TKIP) and Michael message integrity check (MIC) for data protection
and 802.1X for authenticated key management.

WPA supports two mutually exclusive key management types: WPA and WPA-Pre-shared key
(WPA-PSK). Using WPA key management, clients and the authentication server authenticate to each
other using an EAP authentication method, and the client and server generate a pairwise master key
(PMK). Using WPA, the server generates the PMK dynamically and passes it to the access point. Using
WPA-PSK, however, you configure a pre-shared key on both the client and the access point, and that
pre-shared key is used as the PMK.

Windows XP Service Pack 1 and Microsoft support patch 815485 must be installed in order to use WPA.
They can be downloaded from the following URLs:
Service Pack 1:
http://www.microsoft.com/WindowsXP/pro/downloads/servicepacks/sp1/default.asp
815485 support patch:
http://www.microsoft.com/downloads/details.aspx?FamilyID=009d8425-ce2b-47a4-abec-274845dc9e91&DisplayLang=en
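
The WPA-PSK case described in the Wi-Fi Protected Access (WPA) section, as an added example that is not from the Cisco manual: a pre-shared key is entered either as 64 hex digits or as a passphrase, and IEEE 802.11i maps a passphrase to the 256-bit PMK with PBKDF2-HMAC-SHA1 salted by the SSID. The function names, SSID and passphrases are assumptions made for illustration.

```python
import hashlib
import hmac
import string


def wpa_psk_pmk(secret: str, ssid: str) -> bytes:
    """Return the 256-bit PMK that WPA-PSK uses on the network named `ssid`."""
    # A key typed as exactly 64 hex digits is the raw 256-bit PMK.
    if len(secret) == 64 and all(c in string.hexdigits for c in secret):
        return bytes.fromhex(secret)
    # Otherwise it is a passphrase: 8 to 63 printable ASCII characters.
    if not 8 <= len(secret) <= 63:
        raise ValueError("passphrase must be 8-63 characters or 64 hex digits")
    if any(not 32 <= ord(c) <= 126 for c in secret):
        raise ValueError("passphrase must be printable ASCII")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    # IEEE 802.11i mapping: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes.
    return hashlib.pbkdf2_hmac("sha1", secret.encode("ascii"), ssid_bytes, 4096, 32)


def same_pmk(client_secret: str, ap_secret: str, ssid: str) -> bool:
    """True when client and access point are configured with the same PMK."""
    return hmac.compare_digest(wpa_psk_pmk(client_secret, ssid),
                               wpa_psk_pmk(ap_secret, ssid))


if __name__ == "__main__":
    # Constructed sample values (SSID and passphrases are placeholders).
    ssid = "ExampleLAN"
    print("PMK:", wpa_psk_pmk("correct horse battery", ssid).hex())
    # Every client that knows the passphrase holds this same PMK for as long
    # as the configuration stays unchanged.
    print("client matches AP:", same_pmk("correct horse battery",
                                         "correct horse battery", ssid))
    print("typo on client:   ", same_pmk("correct horse batery",
                                         "correct horse battery", ssid))
    # The SSID is the salt, so the same passphrase gives another PMK elsewhere.
    print("other SSID differs:",
          wpa_psk_pmk("correct horse battery", "OtherLAN")
          != wpa_psk_pmk("correct horse battery", ssid))
```

Because the PMK here is a fixed function of the passphrase and SSID, it stays the same for every client until the key is reconfigured, unlike WPA key management, where the server generates the PMK dynamically.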


This manual is also suitable for:

Aironet 340, Aironet 350, Aironet cb20a
