Wi-Fi Protected Access (WPA) - Cisco CB21AG Installation And Configuration Manual

Aironet 802.11a/b/g wireless lan client adapters

Setting Security Parameters
When you enable EAP on your access point and configure your client adapter for LEAP, EAP-TLS, PEAP (EAP-GTC), or PEAP (EAP-MSCHAP V2), authentication to the network occurs in the following sequence:

1. The client associates to an access point and begins the authentication process.
   Note: The client does not gain full access to the network until authentication between the client and the RADIUS server is successful.
2. Communicating through the access point, the client and RADIUS server complete the authentication process, with the password (LEAP and PEAP) or certificate (EAP-TLS) being the shared secret for authentication. The password is never transmitted during the process.
3. If authentication is successful, the client and RADIUS server derive a dynamic, session-based WEP key that is unique to the client.
4. The RADIUS server transmits the key to the access point using a secure channel on the wired LAN.
5. For the length of a session, or time period, the access point and the client use this key to encrypt or decrypt all unicast packets (and broadcast packets if the access point is set up to do so) that travel between them.

Refer to the "Enabling LEAP" section on page 5-24 for instructions on enabling LEAP or to the "Enabling EAP-TLS or PEAP" section on page 5-27 for instructions on enabling EAP-TLS, PEAP (EAP-GTC), or PEAP (EAP-MSCHAP V2).

Note: Refer to the IEEE 802.11 Standard for more information on 802.1X authentication and to the following URL for additional information on RADIUS servers:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt2/scrad.htm

Wi-Fi Protected Access (WPA)

Wi-Fi Protected Access (WPA) is a standards-based, interoperable security enhancement that provides data protection and access control for existing and future wireless LAN systems. It is derived from and is forward-compatible with the upcoming IEEE 802.11i standard. WPA leverages Temporal Key Integrity Protocol (TKIP) and Michael message integrity check (MIC) for data protection and 802.1X for authenticated key management.

WPA supports two mutually exclusive key management types: WPA and WPA passphrase (also known as WPA Pre-Shared Key or WPA-PSK). Using WPA, clients and the authentication server authenticate to each other using an EAP authentication method, and the client and server generate a pairwise master key (PMK). The server generates the PMK dynamically and passes it to the access point. Using WPA passphrase, however, you configure a passphrase (or pre-shared key) on both the client and the access point, and that passphrase is used as the PMK.

Refer to the "Enabling WPA Passphrase" section on page 5-23 for instructions on using a WPA passphrase, the "Enabling LEAP" section on page 5-24 for instructions on enabling LEAP with WPA, or the "Enabling EAP-TLS or PEAP" section on page 5-27 for instructions on enabling EAP-TLS, PEAP (EAP-GTC), or PEAP (EAP-MSCHAP V2) with WPA.

Note: WPA must also be enabled on the access point. Access points must use Cisco IOS Release 12.2(11)JA or later to enable WPA. Refer to the documentation for your access point for instructions on enabling this feature.

Cisco Aironet 802.11a/b/g Wireless LAN Client Adapters (CB21AG and PI21AG) Installation and Configuration Guide, OL-4211-02, Chapter 5 (Configuring the Client Adapter), page 5-16
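The WPA passphrase key management type described above, shown as an added example that is not code from the Cisco guide: it applies the pre-shared-key mapping defined in IEEE 802.11i (PBKDF2-HMAC-SHA1 over the passphrase, with the SSID as salt) to obtain the 256-bit PMK. The function name and the sample SSIDs are constructed for illustration; the "password"/"IEEE" pair is the published IEEE 802.11i test vector.

```python
import hashlib
import string


def wpa_psk_to_pmk(passphrase: str, ssid: bytes) -> bytes:
    """Return the 256-bit PMK for a WPA pre-shared key (IEEE 802.11i mapping)."""
    if len(ssid) > 32:
        raise ValueError("SSID must be at most 32 octets")
    # A 64-character hex string is already the 256-bit key and is used directly.
    if len(passphrase) == 64 and all(c in string.hexdigits for c in passphrase):
        return bytes.fromhex(passphrase)
    # Otherwise the passphrase must be 8 to 63 printable ASCII characters.
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII (codes 32 to 126)")
    # PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32-byte output.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid, 4096, 32)


def shares_pmk(passphrase: str, ssid_a: bytes, ssid_b: bytes) -> bool:
    """True if two networks configured with the same passphrase end up with the same PMK."""
    return wpa_psk_to_pmk(passphrase, ssid_a) == wpa_psk_to_pmk(passphrase, ssid_b)


if __name__ == "__main__":
    # Published IEEE 802.11i test vector.
    print("IEEE vector :", wpa_psk_to_pmk("password", b"IEEE").hex())

    # Constructed sample values: same passphrase, two different SSIDs.
    sample = "correct horse battery staple"
    print("office-a    :", wpa_psk_to_pmk(sample, b"office-a").hex())
    print("office-b    :", wpa_psk_to_pmk(sample, b"office-b").hex())
    print("same PMK?   :", shares_pmk(sample, b"office-a", b"office-b"))

    # A passphrase shorter than 8 characters is rejected before any key is derived.
    try:
        wpa_psk_to_pmk("short", b"office-a")
    except ValueError as err:
        print("rejected    :", err)
```

Because the PMK depends only on the passphrase and the SSID, every client configured with that passphrase holds the same PMK, whereas the WPA (802.1X/EAP) key management type produces a PMK per authenticated session.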


This manual is also suitable for:

Pi21ag