Cisco Aironet 802.11a/b/g Wireless LAN Client Adapters (CB21AG and PI21AG) Installation and Configuration Guide
OL-4211-03
Chapter 5 Configuring the Client Adapter
Setting Security Parameters
Static WEP Keys
Each device (or profile) within your wireless network can be assigned up to four static WEP keys. If a
device receives a packet that is not encrypted with the appropriate key (as the WEP keys of all devices
that are to communicate with each other must match), the device discards the packet and never delivers
it to the intended receiver.
You do not need to re-enter static WEP keys each time the client adapter is inserted or the Windows
device is rebooted because the keys are stored (in an encrypted format for security reasons) in the
registry of the Windows device. When the driver loads and reads the client adapter’s registry parameters,
it also finds the static WEP keys, decrypts them, and stores them in volatile memory on the adapter.
The Define Pre-Shared Keys window enables you to view the WEP key settings for a particular profile
and to assign new WEP keys or overwrite existing WEP keys. Refer to the “Enabling Static WEP”
section on page 5-24 for instructions.
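The discard behavior described at the start of this section, as an added Python example that is not part of this guide or of any Cisco software. It assumes the WEP encapsulation defined in IEEE 802.11 (RC4 seeded with the 24-bit IV plus the key, a CRC-32 ICV, and a 2-bit key ID selecting one of four key slots); the function names and key values are constructed for illustration.

```python
import os
import struct
import zlib

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher; the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def icv(payload: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the payload, little-endian."""
    return struct.pack("<I", zlib.crc32(payload))

def wep_encapsulate(keys, key_id, payload, iv=None):
    """Return IV (3 bytes) | key-ID byte | RC4(IV + key, payload + ICV)."""
    iv = os.urandom(3) if iv is None else iv
    seed = iv + keys[key_id]                  # per-frame RC4 seed
    return iv + bytes([key_id << 6]) + rc4(seed, payload + icv(payload))

def wep_decapsulate(keys, frame):
    """Return the payload, or None when the frame has to be discarded."""
    if len(frame) < 8:                        # IV + key ID + ICV at minimum
        return None
    iv, key_id, body = frame[:3], frame[3] >> 6, frame[4:]
    key = keys.get(key_id)
    if key is None:
        return None                           # no key in the indicated slot
    plain = rc4(iv + key, body)
    payload, received_icv = plain[:-4], plain[-4:]
    if icv(payload) != received_icv:
        return None                           # key mismatch: ICV fails
    return payload

# Constructed 40-bit sample keys, indexed by key slot (0-3).
AP_KEYS = {0: bytes.fromhex("a1b2c3d4e5"), 1: bytes.fromhex("1122334455")}
CLIENT_OK = dict(AP_KEYS)
CLIENT_BAD = {0: AP_KEYS[0], 1: bytes.fromhex("1122334466")}
```

A frame sent with key slot 1 decapsulates on `CLIENT_OK` but returns `None` on `CLIENT_BAD`, even though slot 0 matches on both devices.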
EAP (with Dynamic WEP Keys)
The standard for wireless LAN security, as defined by IEEE, is called 802.1X for 802.11, or simply
802.1X. An access point that supports 802.1X and its protocol, Extensible Authentication Protocol
(EAP), acts as the interface between a wireless client and an authentication server, such as a RADIUS
server, to which the access point communicates over the wired network.
Five 802.1X authentication types are available in ADU for use with Windows 2000 or XP:
EAP-Cisco Wireless (or LEAP)—This authentication type leverages Cisco Key Integrity Protocol
(CKIP) and MMH message integrity check (MIC) for data protection. ADU offers a variety of LEAP
configuration options, including how a username and password are entered to begin the
authentication process.
The username and password are used by the client adapter to perform mutual authentication with the
RADIUS server through the access point. The username and password need to be re-entered each
time the client adapter is inserted or the Windows device is rebooted unless you configure your
adapter to use saved LEAP credentials.
RADIUS servers that support LEAP include Cisco Secure ACS release 2.6 or later, Cisco Access
Registrar release 1.7 or later, Funk Software’s Steel-Belted RADIUS release 4.1 or later, and
Meetinghouse Data Communications’ AEGIS release 1.1 or later.
EAP-FAST—This authentication type (Flexible Authentication via Secure Tunneling) uses a
three-phased tunneled authentication process to provide advanced 802.1X EAP mutual
authentication.
Phase 0 enables the client to dynamically provision a protected access credential (PAC) when
necessary. During this phase, a PAC is generated securely between the user and the network.
Phase 1 uses the PAC to establish a mutually authenticated and secure tunnel between the client
and the RADIUS server. RADIUS servers that support EAP-FAST include Cisco Secure ACS
version 3.2.3 and later.
Phase 2 performs client authentication in the established tunnel.
ADU offers a variety of EAP-FAST configuration options, including how and when a username and
password are entered to begin the authentication process and whether automatic or manual PAC
provisioning is used.