WPA and WPA2; CCKM Fast Secure Roaming - Cisco CB21AG Installation and Configuration Manual

Cisco Aironet 802.11a/b/g Wireless LAN Client Adapters (CB21AG and PI21AG)

Setting Security Parameters

WPA and WPA2

Wi-Fi Protected Access (WPA) and WPA2 are standards-based security solutions from the Wi-Fi
Alliance that provide data protection and access control for wireless LAN systems. WPA is compatible
with the IEEE 802.11i standard but was implemented prior to the standard's ratification; WPA2 is the
Wi-Fi Alliance's implementation of the ratified IEEE 802.11i standard.

WPA uses Temporal Key Integrity Protocol (TKIP) and message integrity check (MIC) for data
protection while WPA2 uses the stronger Advanced Encryption Standard encryption algorithm using
Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (AES-CCMP). Both
WPA and WPA2 use 802.1X for authenticated key management.

Both WPA and WPA2 support two mutually exclusive key management types: WPA/WPA2 and
WPA/WPA2 passphrase (also known as WPA pre-shared key or WPA-PSK). Using WPA or WPA2, clients
and the authentication server authenticate to each other using an EAP authentication method, and the
client and server generate a pairwise master key (PMK). The server generates the PMK dynamically and
passes it to the access point. Using WPA or WPA2 passphrase, however, you configure a passphrase (or
pre-shared key) on both the client and the access point, and that passphrase is used as the PMK.
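
The passphrase case described above, as an added example that is not part of the Cisco guide: under IEEE 802.11i the configured passphrase is mapped to the 256-bit PMK with PBKDF2-HMAC-SHA1 salted with the SSID, so every device configured with the same passphrase and SSID holds the same PMK. The function name wpa_psk_to_pmk and the sample SSIDs and passphrase are assumptions made for this illustration.

```python
import hashlib
import string

PMK_LEN = 32          # the PMK is 256 bits
PBKDF2_ROUNDS = 4096  # iteration count fixed by IEEE 802.11i

# Test vector published in IEEE 802.11i (passphrase "password", SSID "IEEE").
IEEE_VECTOR = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"


def wpa_psk_to_pmk(secret: str, ssid: bytes) -> bytes:
    """Hypothetical helper: return the PMK for a WPA/WPA2 passphrase network."""
    if not 1 <= len(ssid) <= 32:
        raise ValueError("SSID must be 1-32 octets")
    # 64 hex digits are a raw 256-bit pre-shared key and are used as the PMK as-is.
    if len(secret) == 64 and all(c in string.hexdigits for c in secret):
        return bytes.fromhex(secret)
    # Anything else must be an 8-63 character printable-ASCII passphrase.
    if not 8 <= len(secret) <= 63:
        raise ValueError("passphrase must be 8-63 characters")
    if any(not 32 <= ord(c) <= 126 for c in secret):
        raise ValueError("passphrase must be printable ASCII")
    # The SSID is the salt, so the same passphrase yields a different PMK per SSID.
    return hashlib.pbkdf2_hmac(
        "sha1", secret.encode("ascii"), ssid, PBKDF2_ROUNDS, PMK_LEN
    )


def self_check() -> bool:
    """Confirm the derivation reproduces the published IEEE 802.11i vector."""
    return wpa_psk_to_pmk("password", b"IEEE").hex() == IEEE_VECTOR


if __name__ == "__main__":
    print("IEEE vector reproduced:", self_check())
    # Constructed sample values: one passphrase on two SSIDs gives two PMKs.
    for ssid in (b"corp-wlan", b"guest-wlan"):
        print(ssid.decode(), wpa_psk_to_pmk("correct horse battery", ssid).hex())
```

Because the PMK depends only on the passphrase and the SSID, rotating the passphrase is the only way to retire a PMK in passphrase mode, whereas the 802.1X modes generate a fresh PMK per authentication.
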

Refer to the following pages for instructions on enabling these WPA variations:

- WPA/WPA2 Passphrase, page 5-26
- LEAP with WPA/WPA2, page 5-27
- EAP-FAST with WPA/WPA2, page 5-31
- EAP-TLS with WPA/WPA2, page 5-40
- PEAP (EAP-GTC) with WPA/WPA2, page 5-42
- PEAP (EAP-MSCHAP V2) with WPA/WPA2, page 5-46

Note
WPA must also be enabled on the access point. To use WPA, access points must use Cisco IOS Release
12.2(11)JA or later. To use WPA2, access points must use Cisco IOS Release 12.3(2)JA or later. Refer
to the documentation for your access point for instructions on enabling this feature.

CCKM Fast Secure Roaming

Some applications that run on a client device may require fast roaming between access points. Voice
applications, for example, require it to prevent delays and gaps in conversation. CCKM fast secure
roaming is enabled automatically in Install Wizard 1.0 or later for LEAP-enabled CB21AG and PI21AG
clients using WPA/WPA2 and in Install Wizard 2.0 or later for CB21AG and PI21AG clients using
WPA/WPA2/CCKM with EAP-FAST, EAP-TLS, PEAP (EAP-GTC), or PEAP (EAP-MSCHAP V2).
However, this feature must be enabled on the access point.

During normal operation, EAP-enabled clients mutually authenticate with a new access point by
performing a complete EAP authentication, including communication with the main RADIUS server.
However, when you configure your wireless LAN for CCKM fast secure roaming, EAP-enabled clients
securely roam from one access point to another without the need to reauthenticate with the RADIUS
server. Using Cisco Centralized Key Management (CCKM), an access point that is configured for
wireless domain services (WDS) uses a fast rekeying technique that enables Cisco client devices to roam
from one access point to another typically in under 150 milliseconds (ms). CCKM fast secure roaming
ensures that there is no perceptible delay in time-sensitive applications such as wireless Voice over IP
(VoIP), enterprise resource planning (ERP), or Citrix-based solutions.

Cisco Aironet 802.11a/b/g Wireless LAN Client Adapters (CB21AG and PI21AG) Installation and Configuration Guide
OL-4211-03
Chapter 5: Configuring the Client Adapter
5-18
