Cisco AIR-LAP1252AG-A-K9 Software Configuration Guide - Page 122

Network Authentication Types

Page 122 highlights

Security Overview Chapter 4 Security Setup both the access point and all associated client devices, adds a few bytes to each packet to make the packets tamper-proof. See the "Enabling Message Integrity Check (MIC)" section on page 4-14 for instructions on enabling MIC. • TKIP (Temporal Key Integrity Protocol, also known as WEP key hashing)-This feature defends against an attack on WEP in which the intruder uses the unencrypted initialization vector (IV) in encrypted packets to calculate the WEP key. TKIP removes the predictability that an intruder relies on to determine the WEP key by exploiting IVs. See the "Enabling Temporal Key Integrity Protocol (TKIP)" section on page 4-16 for instructions on enabling TKIP. • Broadcast key rotation-EAP authentication provides dynamic unicast WEP keys for client devices but uses static broadcast, or multicast, keys. When you enable broadcast WEP key rotation, the access point provides a dynamic broadcast WEP key and changes it at the interval you select. Broadcast key rotation is an excellent alternative to TKIP if your wireless LAN supports wireless client devices that are not Cisco devices or that cannot be upgraded to the latest firmware for Cisco client devices. See the "Enabling Broadcast WEP Key Rotation" section on page 4-18 for instructions on enabling broadcast key rotation. Network Authentication Types Before a wireless client device can communicate on your network through the access point, it must authenticate to the access point and to your network. The access point uses four authentication mechanisms or types and can use more than one at the same time: • Network-EAP-This authentication type provides the highest level of security for your wireless network. By using the Extensible Authentication Protocol (EAP) to interact with an EAP-compatible RADIUS server, the access point helps a wireless client device and the RADIUS server to perform mutual authentication and derive a dynamic unicast WEP key. The RADIUS server sends the WEP key to the access point, which uses it for all unicast data signals that it sends to or receives from the client. The access point also encrypts its broadcast WEP key (entered in the access point's WEP key slot 1) with the client's unicast key and sends it to the client. Cisco Aironet 1200 Series Access Point Software Configuration Guide 4-4 OL-2159-03

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60
  • 61
  • 62
  • 63
  • 64
  • 65
  • 66
  • 67
  • 68
  • 69
  • 70
  • 71
  • 72
  • 73
  • 74
  • 75
  • 76
  • 77
  • 78
  • 79
  • 80
  • 81
  • 82
  • 83
  • 84
  • 85
  • 86
  • 87
  • 88
  • 89
  • 90
  • 91
  • 92
  • 93
  • 94
  • 95
  • 96
  • 97
  • 98
  • 99
  • 100
  • 101
  • 102
  • 103
  • 104
  • 105
  • 106
  • 107
  • 108
  • 109
  • 110
  • 111
  • 112
  • 113
  • 114
  • 115
  • 116
  • 117
  • 118
  • 119
  • 120
  • 121
  • 122
  • 123
  • 124
  • 125
  • 126
  • 127
  • 128
  • 129
  • 130
  • 131
  • 132
  • 133
  • 134
  • 135
  • 136
  • 137
  • 138
  • 139
  • 140
  • 141
  • 142
  • 143
  • 144
  • 145
  • 146
  • 147
  • 148
  • 149
  • 150
  • 151
  • 152
  • 153
  • 154
  • 155
  • 156
  • 157
  • 158
  • 159
  • 160
  • 161
  • 162
  • 163
  • 164
  • 165
  • 166
  • 167
  • 168
  • 169
  • 170
  • 171
  • 172
  • 173
  • 174
  • 175
  • 176
  • 177
  • 178
  • 179
  • 180
  • 181
  • 182
  • 183
  • 184
  • 185
  • 186
  • 187
  • 188
  • 189
  • 190
  • 191
  • 192
  • 193
  • 194
  • 195
  • 196
  • 197
  • 198
  • 199
  • 200
  • 201
  • 202
  • 203
  • 204
  • 205
  • 206
  • 207
  • 208
  • 209
  • 210
  • 211
  • 212
  • 213
  • 214
  • 215
  • 216
  • 217
  • 218
  • 219
  • 220
  • 221
  • 222
  • 223
  • 224
  • 225
  • 226
  • 227
  • 228
  • 229
  • 230
  • 231
  • 232
  • 233
  • 234
  • 235
  • 236
  • 237
  • 238
  • 239
  • 240
  • 241
  • 242
  • 243
  • 244
  • 245
  • 246
  • 247
  • 248
  • 249
  • 250
  • 251
  • 252
  • 253
  • 254
  • 255
  • 256
  • 257
  • 258
  • 259
  • 260
  • 261
  • 262
  • 263
  • 264
  • 265
  • 266
  • 267
  • 268
  • 269
  • 270
  • 271
  • 272
  • 273
  • 274
  • 275
  • 276
  • 277
  • 278
  • 279
  • 280
  • 281
  • 282
  • 283
  • 284

Chapter 4
Security Setup
Security Overview
4-4
Cisco Aironet 1200 Series Access Point Software Configuration Guide
OL-2159-03
both the access point and all associated client devices, adds a few bytes to
each packet to make the packets tamper-proof. See the
Enabling Message
Integrity Check (MIC)
section on page 4-14
for instructions on enabling
MIC.
TKIP (Temporal Key Integrity Protocol, also known as WEP key
hashing)
This feature defends against an attack on WEP in which the
intruder uses the unencrypted initialization vector (IV) in encrypted packets
to calculate the WEP key. TKIP removes the predictability that an intruder
relies on to determine the WEP key by exploiting IVs. See the
Enabling
Temporal Key Integrity Protocol (TKIP)
section on page 4-16
for
instructions on enabling TKIP.
Broadcast key rotation
EAP authentication provides dynamic unicast WEP
keys for client devices but uses static broadcast, or multicast, keys. When you
enable broadcast WEP key rotation, the access point provides a dynamic
broadcast WEP key and changes it at the interval you select. Broadcast key
rotation is an excellent alternative to TKIP if your wireless LAN supports
wireless client devices that are not Cisco devices or that cannot be upgraded
to the latest firmware for Cisco client devices. See the
Enabling Broadcast
WEP Key Rotation
section on page 4-18
for instructions on enabling
broadcast key rotation.
Network Authentication Types
Before a wireless client device can communicate on your network through the
access point, it must authenticate to the access point and to your network. The
access point uses four authentication mechanisms or types and can use more than
one at the same time:
Network-EAP
This authentication type provides the highest level of
security for your wireless network. By using the Extensible Authentication
Protocol (EAP) to interact with an EAP-compatible RADIUS server, the
access point helps a wireless client device and the RADIUS server to perform
mutual authentication and derive a dynamic unicast WEP key. The RADIUS
server sends the WEP key to the access point, which uses it for all unicast data
signals that it sends to or receives from the client. The access point also
encrypts its broadcast WEP key (entered in the access point
s WEP key slot
1) with the client
s unicast key and sends it to the client.