Wi-Fi Protected Access (WPA) - Cisco CB21AG Installation and Configuration Manual

Aironet 802.11a/b/g Wireless LAN Client Adapters

Overview
When you enable Require EAP on your access point and configure your client adapter for EAP-TLS or
PEAP using Windows XP, authentication to the network occurs in the following sequence:
1. The client adapter associates to an access point and begins the authentication process.
   Note: The client does not gain full access to the network until authentication between the client
   and the RADIUS server is successful.
2. Communicating through the access point, the client and RADIUS server complete the authentication
   process, with the password (PEAP) or certificate (EAP-TLS) being the shared secret for
   authentication. The password is never transmitted during the process.
3. If authentication is successful, the client and RADIUS server derive a dynamic, session-based WEP
   key that is unique to the client.
4. The RADIUS server transmits the key to the access point using a secure channel on the wired LAN.
5. For the length of a session, or time period, the access point and the client use this key to encrypt or
   decrypt all unicast packets (and broadcast packets if the access point is set up to do so) that travel
   between them.
Note: Refer to the IEEE 802.11 Standard for more information on 802.1X authentication and to the following
URL for additional information on RADIUS servers:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt2/scrad.htm

Wi-Fi Protected Access (WPA)

Wi-Fi Protected Access (WPA) is a standards-based, interoperable security enhancement that greatly
increases the level of data protection and access control for existing and future wireless LAN systems.
It is derived from and is forward-compatible with the upcoming IEEE 802.11i standard. WPA leverages
Temporal Key Integrity Protocol (TKIP) and Michael message integrity check (MIC) for data protection
and 802.1X for authenticated key management.
WPA supports two mutually exclusive key management types: WPA and WPA passphrase (also known
as WPA Pre-shared Key or WPA-PSK). Using WPA, clients and the authentication server authenticate to
each other using an EAP authentication method, and the client and server generate a pairwise master key
(PMK). Using WPA, the server generates the PMK dynamically and passes it to the access point. Using
WPA passphrase, however, you configure a passphrase (or pre-shared key) on both the client and the
access point, and that passphrase is used as the PMK.
Windows XP Service Pack 1 and Microsoft support patch 815485 must be installed in order to use WPA.
They can be downloaded from the following URLs:
Service Pack 1:
http://www.microsoft.com/WindowsXP/pro/downloads/servicepacks/sp1/default.asp
815485 support patch:
http://www.microsoft.com/downloads/details.aspx?FamilyID=009d8425-ce2b-47a4-abec-274845dc9e91&DisplayLang=en
Note: WPA must also be enabled on the access point. Access points must use Cisco IOS Release 12.2(11)JA
or later to enable WPA. Refer to the documentation for your access point for instructions on enabling
this feature.

Cisco Aironet 802.11a/b/g Wireless LAN Client Adapters (CB21AG and PI21AG) Installation and Configuration Guide
Appendix E
Configuring the Client Adapter through the Windows XP Operating System
OL-4211-02
E-4
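
The WPA passphrase paragraph above, worked through as an added example that is not part of the Cisco guide: under IEEE 802.11i a typed passphrase is stretched into the 256-bit PMK with PBKDF2-HMAC-SHA1, salted with the SSID, while a 64-hex-digit entry is taken as the key directly. The function names, the constructed sample values and the audit thresholds in passphrase_findings are assumptions made for this illustration.

```python
import hashlib
import re

HEX_PSK = re.compile(r"[0-9A-Fa-f]{64}")


def derive_pmk(psk_input: str, ssid: str) -> bytes:
    """Return the 256-bit PMK for a WPA pre-shared key entry.

    64 hex digits are used directly as the PMK; an 8-63 character
    printable-ASCII passphrase is stretched with PBKDF2-HMAC-SHA1
    (SSID as salt, 4096 iterations, 32-byte output).
    """
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    if HEX_PSK.fullmatch(psk_input):
        return bytes.fromhex(psk_input)
    if not 8 <= len(psk_input) <= 63:
        raise ValueError("passphrase must be 8-63 characters")
    if any(not 32 <= ord(c) <= 126 for c in psk_input):
        raise ValueError("passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac(
        "sha1", psk_input.encode("ascii"), ssid_bytes, 4096, 32
    )


def passphrase_findings(passphrase: str, ssid: str) -> list:
    """Flag passphrase choices that weaken a WPA-PSK deployment.

    The 20-character threshold and the other checks are assumptions
    chosen for this example, not requirements from the Cisco guide.
    """
    findings = []
    if len(passphrase) < 20:
        findings.append("shorter than 20 characters")
    if ssid.lower() in passphrase.lower():
        findings.append("contains the SSID")
    if passphrase.isdigit() or passphrase.isalpha():
        findings.append("single character class")
    return findings


if __name__ == "__main__":
    # Constructed sample values: the same passphrase on two SSIDs.
    for ssid in ("IEEE", "Lab-AP"):
        print(ssid, derive_pmk("password", ssid).hex())
    print(passphrase_findings("password", "IEEE"))
```

Because the SSID is the salt, the same passphrase yields a different PMK on each network name, and everyone who knows the passphrase for a given SSID holds the same PMK.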