10-2
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-30644-01
Chapter 10 Configuring WLAN Authentication and Encryption
Understanding Authentication and Encryption Mechanisms
Just as anyone within range of a radio station can tune to the station's frequency and listen to the signal,
any wireless networking device within range of an access point can receive the access point's, and any
wireless client's, radio transmissions. Also, the access point typically connects to the wired
infrastructure. As the access point's radio signal can expand beyond the walls of the facility where the
access point is deployed, external users may be provided access to the wired infrastructure through the
access point. Therefore WLAN security relies on two major pillars:
• Authenticating the users, to make sure that only valid users are allowed to communicate through the
access point.
• Encrypting wireless communications, to make sure that eavesdroppers cannot decipher signals
captured from the access point and client communications.
On Cisco Aironet access points, SSIDs are mapped directly to the access point radio, or to VLANs
configured on the AP radio interface. Encryption is configured at the radio level (if no VLAN is defined
on the radio interface), or at the VLAN level (as soon as one or more VLANs are defined on the radio
interface). This means that if you enable several SSIDs on a given radio interface or a given VLAN, all
these SSIDs must share a common encryption scheme.
Authentication is configured at the SSID level. Each SSID can have a different authentication
mechanism. However, as the SSID is mapped to a VLAN (or a radio interface), you need to make sure
that the authentication mechanism defined at the SSID level is compatible with the encryption
mechanism defined at the VLAN (or the radio) level for that SSID.
Encryption, defined at the radio (or the VLAN) level, can use one of the following schemes:
• No encryption
• Optional Static WEP (with a 40 bit or a 128 bit long key) encryption: both clients supporting WEP
and those not supporting encryption are allowed to join the SSID
• Mandatory Static WEP (with a 40 bit or a 128 bit long key) encryption: clients must support static
WEP encryption to be allowed to join the SSID
• Cipher 40 bit or 128 bit WEP encryption with key management, allowing for unicast WEP key
rotation (if your authentication mechanism is compatible with individual client key determination)
and/or broadcast key rotation (if your authentication mechanism is compatible with individual client
key determination)
• Cipher TKIP, CKIP, CMIC, CKIP-CMIC, or AES (if your authentication mechanism is compatible
with individual client key determination)
• A combination of two or three ciphers (TKIP+WEP, AES+TKIP, AES+TKIP+WEP).
This type of combination is used when you want to elevate the security level of your SSID, but still
support clients that only support a weaker encryption scheme. In that case, clients will use the
strongest encryption mechanism allowed by the SSID. Broadcast keys will use the encryption
mechanism supported by all clients.
Among all supported encryption schemes, AES-CCMP is the strongest, followed by TKIP. WEP is
considered a weak encryption mechanism and is deprecated by the IEEE 802.11 standard.
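The following configuration fragment is an added illustration, not taken from this guide, of the radio/VLAN versus SSID split described above: encryption is bound to each VLAN under the radio interface, while authentication is bound to each SSID. The SSID names, VLAN IDs 10 and 20, the AAA method list name eap_methods and the WEP key placeholder are assumed values; the AAA and RADIUS server definitions that the EAP SSID needs are omitted.

```text
! Added example (not from the guide). VLAN 10: AES-CCMP only, WPA2 with
! 802.1X/EAP. VLAN 20: AES+TKIP+WEP mixed cell, so the broadcast key falls
! back to the weakest cipher any joined client supports (WEP when a WEP
! client is present). Names, VLAN ids and the WEP key are assumed/placeholder.
dot11 ssid corp-wpa2
   vlan 10
   authentication open eap eap_methods
   authentication key-management wpa version 2
!
dot11 ssid legacy-mixed
   vlan 20
   authentication open
   authentication key-management wpa optional
!
interface Dot11Radio0
   encryption vlan 10 mode ciphers aes-ccm
   encryption vlan 20 mode ciphers aes-ccm tkip wep128
   encryption vlan 20 key 1 size 128bit <26-HEX-DIGIT-WEP-KEY-PLACEHOLDER> transmit-key
   ssid corp-wpa2
   ssid legacy-mixed
   broadcast-key vlan 10 change 300
!
interface Dot11Radio0.10
   encapsulation dot1Q 10
   bridge-group 10
!
interface Dot11Radio0.20
   encapsulation dot1Q 20
   bridge-group 20
```

Because the AES-only cipher on VLAN 10 requires per-client key determination, its SSID must use a key-management authentication such as WPA2 with EAP; the static WEP key on VLAN 20 is what lets WEP-only clients join the mixed cell.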
For example, suppose you define an AES+TKIP+WEP encryption. Clients supporting AES will use
AES for their unicast key encryption. Clients not supporting AES but supporting TKIP will be
allowed to join the cell, and will use TKIP for their unicast key encryption. Clients only supporting
WEP will also be allowed to join the cell, and will use WEP for their unicast key encryption. When
the cell contains AES, TKIP and WEP clients, the broadcast key will use WEP encryption (because
WEP is the only common encryption scheme supported by all clients). When the cell contains AES
and TKIP clients, but no WEP client, the broadcast key will use TKIP (the broadcast key encryption