Cisco Systems CB21AG manual WPA and WPA2, Cckm Fast Secure Roaming

Page 84

Chapter 5 Configuring the Client Adapter

Setting Security Parameters

WPA and WPA2

Wi-Fi Protected Access (WPA) and WPA2 are standards-based security solutions from the Wi-Fi Alliance that provide data protection and access control for wireless LAN systems. WPA is compatible with the IEEE 802.11i standard but was implemented prior to the standard’s ratification; WPA2 is the Wi-Fi Alliance’s implementation of the ratified IEEE 802.11i standard.

WPA uses Temporal Key Integrity Protocol (TKIP) and message integrity check (MIC) for data protection while WPA2 uses the stronger Advanced Encryption Standard encryption algorithm using Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (AES-CCMP). Both WPA and WPA2 use 802.1X for authenticated key management.

Both WPA and WPA2 support two mutually exclusive key management types: WPA/WPA2 and WPA/WPA2 passphrase (also known as WPA pre-shared key or WPA-PSK). Using WPA or WPA2, clients and the authentication server authenticate to each other using an EAP authentication method, and the client and server generate a pairwise master key (PMK). The server generates the PMK dynamically and passes it to the access point. Using WPA or WPA2 passphrase, however, you configure a passphrase (or pre-shared key) on both the client and the access point, and that passphrase is used as the PMK.

Refer to the following pages for instructions on enabling these WPA variations:

WPA/WPA2 Passphrase, page 5-26

LEAP with WPA/WPA2, page 5-27

EAP-FAST with WPA/WPA2, page 5-31

EAP-TLS with WPA/WPA2, page 5-40

PEAP (EAP-GTC) with WPA/WPA2, page 5-42

PEAP (EAP-MSCHAP V2) with WPA/WPA2, page 5-46

Note WPA must also be enabled on the access point. To use WPA, access points must use Cisco IOS Release 12.2(11)JA or later. To use WPA2, access points must use Cisco IOS Release 12.3(2)JA or later. Refer to the documentation for your access point for instructions on enabling this feature.

CCKM Fast Secure Roaming

Some applications that run on a client device may require fast roaming between access points. Voice applications, for example, require it to prevent delays and gaps in conversation. CCKM fast secure roaming is enabled automatically in Install Wizard 1.0 or later for LEAP-enabled CB21AG and PI21AG clients using WPA/WPA2 and in Install Wizard 2.0 or later for CB21AG and PI21AG clients using WPA/WPA2/CCKM with EAP-FAST, EAP-TLS, PEAP (EAP-GTC), or PEAP (EAP-MSCHAP V2). However, this feature must be enabled on the access point.

During normal operation, EAP-enabled clients mutually authenticate with a new access point by performing a complete EAP authentication, including communication with the main RADIUS server. However, when you configure your wireless LAN for CCKM fast secure roaming, EAP-enabled clients securely roam from one access point to another without the need to reauthenticate with the RADIUS server. Using Cisco Centralized Key Management (CCKM), an access point that is configured for wireless domain services (WDS) uses a fast rekeying technique that enables Cisco client devices to roam from one access point to another typically in under 150 milliseconds (ms). CCKM fast secure roaming ensures that there is no perceptible delay in time-sensitive applications such as wireless Voice over IP (VoIP), enterprise resource planning (ERP), or Citrix-based solutions.

Cisco Aironet 802.11a/b/g Wireless LAN Client Adapters (CB21AG and PI21AG) Installation and Configuration Guide

5-18

OL-4211-03

 

 

Page 83 Page 85
Image 84
Page 83 Page 85
Contents Corporate Headquarters Customer Order Number Text Part Number OL-4211-03Copyright 2005 Cisco Systems, Inc All rights reserved N T E N T S IiiAssembling the Antenna Overview Pop-Up Menu Help Exit Select Profile ViiAntenna Installation Warning B-3 ViiiWPA OL-4211-03 Preface Following topics are covered in this sectionAudience PurposeOrganization XiiConventions XiiiXiv Related Publications Obtaining DocumentationCisco.com Documentation DVDCisco Product Security Overview Ordering DocumentationDocumentation Feedback XviReporting Security Problems in Cisco Products Obtaining Technical AssistanceCisco Technical Support Website An emergency, you can also reach Psirt by telephone 877 408Submitting a Service Request Definitions of Service Request SeverityXviii Obtaining Additional Publications and Information XixOL-4211-03 Product Overview Introduction to the Client Adapters TerminologyClient Adapter Model Number Description AIR-CB21AGHardware Components RadioRadio Antenna LEDsSoftware Components DriverClient Utilities Network Configurations Using Client Adapters Ad Hoc Wireless LANAccess Point Root Unit Wired LAN Preparing for Installation Safety information FCC Safety Compliance StatementSafety Guidelines Package Contents Unpacking the Client AdapterSystem Requirements Site Requirements For Infrastructure DevicesFor Client Devices OL-4211-03 Installing the Client Adapter Inserting a Client Adapter Inserting a PC-Cardbus CardInserting a PCI Card Changing the BracketBracket screws Inserting the Card Assembling the Antenna Inserting a PCI Card into a PCMounting the Antenna Inserting the Antenna into Its BaseBottom of Antenna Base Mounting the Antenna Installing the Client Adapter Software Preparing Setup Window Click Next. The Setup Type window appears see Figure Cisco Aironet Installation Program Window10 Setup Type Window 11 Install Cisco Aironet Site Survey Utility Window 12 Choose Destination Location Window 13 Select Program Folder Window 14 Important Please Read! Window Feature 15 Choose Configuration Tool WindowLeap or EAP-FAST authentication With dynamic WEP EAP-TLS or Peap authentication YesSecurity Static WEP Yes ReceiveClick Properties Installing a Microsoft Hot Fix for Group Policy Delay Page OL-4211-03 Using the Profile Manager Overview of Profile Manager Opening Profile ManagerField Description SSID1SSID2 SSID3Creating a New Profile Available Infrastructure and Ad Hoc Networks WindowSNR Profile Management General Window Including a Profile in Auto Profile Selection Auto Profile Selection Management WindowOL-4211-03 Selecting the Active Profile Modifying a Profile Importing and Exporting ProfilesEditing a Profile Deleting a ProfileImporting a Profile Exporting a ProfileExport Profile Window Configuring the Client Adapter Overview Parameter Category NumberSetting General Parameters Parameter Description Reconfigured Auto profile selection or configured for use in an ad hocClient adapter to roam to that network without having to be Auto profile selectionSetting Advanced Parameters Profile Management Advanced WindowRadio Band Transmit Power Level Profile Management Advanced Parameters Network Type Description Parameter Description Parameter Description Default Open Setting Security Parameters Preferred Access Points WindowOverview of Security Features Profile Management Security WindowStatic WEP Keys EAP with Dynamic WEP KeysConfiguring the Client Adapter Setting Security Parameters LEAP, EAP-FAST, EAP-TLS, Peap EAP-GTC, or Peap EAP-MSCHAP V2,WPA and WPA2 Cckm Fast Secure RoamingReporting Access Points that Fail Leap Authentication Synchronizing Security Features Additional WEP Key Security FeaturesSecurity Feature Client Setting Access Point Setting SsidWPA Security Feature Client Setting Access Point Setting LEAP, EAP-FAST, EAP-TLS Or later, choose a cipher suite that isWPA/WPA2/CCKM MICEnabling Static WEP TkipPeap EAP-MSCHAP Interval to any value other thanConfiguring the Client Adapter Setting Security Parameters Enabling WPA/WPA2 Passphrase Define WPA/WPA2 Pre-Shared Key WindowEnabling Leap Leap Settings Window Configuring the Client Adapter Setting Security Parameters Configuring the Client Adapter Setting Security Parameters Enabling EAP-FAST EAP-FAST Settings Window Configuring the Client Adapter Setting Security Parameters Click Select More Select EAP-FAST PAC Window 10 Import EAP-FAST PAC File Window Configuring the Client Adapter Setting Security Parameters Deleting a Manually Provisioned PAC File Enabling EAP-TLS or Peap Enabling EAP-TLS 12 Define Certificate WindowConfiguring the Client Adapter Setting Security Parameters Enabling Peap EAP-GTC 13 Define Peap EAP-GTC Configuration Window 14 Configuration Settings Window Configuring the Client Adapter Setting Security Parameters 15 Define Peap EAP-MSCHAP V2 Configuration Window Enabling Peap EAP-MSCHAP16 Configuration Settings Window Configuring the Client Adapter Setting Security Parameters Configuring the Client Adapter Setting Security Parameters Configuring the Client Adapter Setting Security Parameters Enabling Wi-Fi Multimedia Disabling Static WEP, WPA/WPA2 Passphrase, or EAPEnabling the QoS Packet Scheduler on Windows 17 Wireless Cisco Connection Properties Window 18 Select Network Component Type Window Enabling the QoS Packet Scheduler on Windows XP Click Control Panel Double-clickNetwork ConnectionsSetting Roaming Parameters in the Windows Control Panel Follow these steps to access the roaming parametersWireless Mode Using EAP Authentication Using Leap or EAP-FAST Leap or EAP-FAST Authentication Status WindowAfter Profile Activation or Card Insertion Stage ExplanationAfter a Reboot or Logon After Your EAP-FAST Password ExpiresUsing Leap or EAP-FAST with an Automatically Prompted Login Enter Wireless Network Password Window After Your EAP-FAST Password Expires Using Leap or EAP-FAST with a Manually Prompted Login After Profile ActivationAfter a Reboot, Logon, or Card Insertion Action Drop-Down Menu After Your EAP-FAST Password Expires Using Leap or EAP-FAST with a Saved Username and Password Using EAP-TLS 10 Please Change Password WindowUsing Peap EAP-GTC Windows NT or 2000 Domain Databases or Ldap Databases OnlyOTP Databases Only Using Peap EAP-MSCHAP Restarting the Authentication ProcessOL-4211-03 Viewing Status and Statistics Overview of ADU Status and Statistics Tools ToolStatus Statistics NumberDisplays the signal strength Signal-to-noise ratio as a percentageViewing the Current Status of Your Client Adapter 3interprets each element of the Current Status windowStatus Description Status Description Details on these server-based authentication types 4interprets each element of the Advanced Status windowNone MIC is disabled MIC is enabled and is being used withMichael MIC is enabled and is being used with WPA and Tkip MMHWMM Status Description Status Description Cisco Aironet Desktop Utility Diagnostics Window Viewing Statistics for Your Client AdapterStatistic Description Advanced Statistics Window6interprets each element of the Advanced Statistics window Integrity check MIC value when Ckip was being used Ckip MIC OKPoint OL-4211-03 Using the Aironet System Tray Utility Astu Infrastructure mode or another client in ad hoc mode Overview of AstuAstu Icon Icon DescriptionTool Tip Window Status Element DescriptionConnection Status Description This option enables you to access the online help Pop-Up MenuHelp Following sections describe each Astu pop-up menu optionTroubleshooting ExitOpen Aironet Desktop Utility PreferencesEnable/Disable Radio Manual Login ReauthenticateSelect Profile Show Connection Status Connection Status WindowConnection Status Window Elements Ssid OL-4211-03 Routine Procedures Removing a Client Adapter Removing a PC-Cardbus CardRemoving a PCI Card Client Adapter Software Procedures Upgrading the Client Adapter SoftwarePrevious Installation Detected Window Choose Update the previous installation and click Next Uninstalling the Client Adapter Software Choose Uninstall the previous installation and click NextADU Procedures Opening ADUExiting ADU Finding the Version of ADU Viewing Client Adapter InformationAstu Procedures Accessing Online HelpRefer to for instructions on using Astu Enabling or Disabling Your Client Adapter’s RadioOL-4211-03 Troubleshooting 10-1Accessing the Latest Troubleshooting Information Interpreting the Indicator LEDsStatus LED green Activity LED amber Condition 10-2Troubleshooting the Client Adapter Using the Troubleshooting UtilityTroubleshooting Information Number Diagnosing Your Client Adapter’s OperationTroubleshooting Utility Window 10-4Troubleshooting Utility Window with Test Results 10-5Troubleshooting Utility Window Detailed Report 10-6Saving the Detailed Report to a Text File 10-7Client Adapter Recognition Problems Disabling the Microsoft 802.1X Supplicant Windows 2000 Only10-8 Reboot your computer Resolving Resource ConflictsResolving Resource Conflicts in Windows 10-9Problems Associating to an Access Point Resolving Resource Conflicts in Windows XP10-10 Problems Connecting to the Network Prioritizing Network ConnectionsParameters Missing from Profile Management Windows 10-11Error Messages 10-1210-13 10-14 10-15 10-16 10-17 10-18 10-19 10-20 10-21 10-22 10-23 10-24 Technical Specifications Physical Specifications Radio SpecificationsESD KV human body modelAppendix a Technical Specifications Receiver sensitivity 802.11a DBm @ 6, 9, 12, and 18 MbpsDBm @ 24 Mbps DBm @ 36 MbpsIndoor typical Outdoor typical Power Specifications Safety and Regulatory Compliance SpecificationsTranslated Safety Warnings Explosive Device Proximity Warning Antenna Installation Warning Appendix B Translated Safety Warnings Appendix B Translated Safety Warnings Appendix B Translated Safety Warnings Declarations of Conformity and Regulatory Information Models AIR-CB21AG-A-K9, AIR-PI21AG-A-K9 USADepartment of Communications Canada Canadian Compliance StatementOL-4211-03 Cisco Aironet CB21AG Wireless LAN Client Adapter Declaration of Conformity StatementCisco Aironet PI21AG Wireless LAN Client Adapter Declaration of Conformity for RF Exposure Japanese TranslationEnglish Translation 5-GHz Client Adapters Chinese TranslationEnglish Translation Communication ACTGHz Client Adapters This equipment is limited for indoor useOL-4211-03 Channels, Power Levels, and Antenna Gains Channels Ieee 802.11aRegulatory Domains Ieee 802.11b/g Maximum Power Levels and Antenna Gains Ieee 802.11bData Rate With 1-dBi Antenna GainIeee 802.11g Mbps 31.6OL-4211-03 P E N D I X E Overview EAP with Dynamic WEP Keys WPA Configuring the Client Adapter Configuring the Client Adapter Page Configuring the Client Adapter Page Enabling EAP-TLS Authentication For EAP type, choose Smart Card or other Certificate Configuring the Client Adapter Enabling Peap Authentication Figure E-6 Protected EAP Properties Window Figure E-7 EAP MSCHAPv2 Properties Window Figure E-8 Peap Properties Window Figure E-9 Generic Token Card Properties Window Associating to an Access Point Using Windows XP Figure E-10 Wireless Network Connection Status WindowPerforming a Site Survey Guidelines Additional InformationOpening the Site Survey Utility Selecting the Client AdapterUsing the Associated AP Status Tab Specifying Display UnitsViewing the Access Point’s Status Table F-1 Site Survey Utility Associated AP Status Description Using the AP Scan List Tab Viewing the AP Scan List Figure F-5 Site Survey Utility AP Scan ListRssi Pausing the AP Scan List CCXValue 1, 2, 3, or Access point’s wireless network Viewing AP DetailsDetailed Information Parameter Description Rssi Generating an AP Scan Log File Figure F-7 Site Survey Utility Log FileAccessing Online Help Uninstalling the Site Survey UtilityFinding the Version of the Site Survey Utility Exiting the Site Survey UtilityPage Wireless network composed of stations without access points StationsStandard Set of characters that contains both letters and numbersGL-2 Setting must be within the range of 64 to 2312 bytes GL-3Ethernet 802.3 and wireless LAN 802.11 specifications GL-4GL-5 GL-6 Computing device with an installed client adapter Protection and 802.1X for authenticated key management802.1X for authenticated key management GL-7GL-8 Authentication Mode parameter Selecting in ADUIN-1 Pausing Viewing ADUSelecting the active profile IN-2Astu CAMIN-3 ADU Windows XP Data encryption ADU Site survey utilityFCC C-2 IN-4IN-5 CRC FCCACK CTS RTSIN-7 Disabling Enabling MMH MICStatus With Leap Modify button IN-8IN-9 IN-10 IN-11 IN-12 Regulatory compliance Safety Spread spectrum Setting Viewing ADUIN-13 Third-party tool, enabling in Install Wizard Initial windowWith test results IN-14Security features IN-15IN-16
Related manuals
Manual 34 pages 15 Kb Manual 22 pages 28.37 Kb Manual 170 pages 950 b Manual 22 pages 55.14 Kb
Top Page Image Contents