Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-30644-01
Chapter 10 Configuring WLAN Authentication and Encryption
Understanding Authentication and Encryption Mechanisms
will change to WEP if a WEP client joins the cell). When the cell contains only AES clients, the
broadcast key uses AES (and will change to TKIP if TKIP clients join the cell, and to WEP if WEP
clients join the cell).
Note: Encryption mechanism support is incremental. A client supporting WEP may or may not support TKIP
or AES. However, a client supporting TKIP necessarily supports WEP. Similarly, an AES client
necessarily supports TKIP and WEP.
You can find more details about each encryption mechanism in the Understanding Encryption Modes
section of this chapter.
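
Because the broadcast key drops to the weakest cipher of any client in the cell, the weakest cipher a radio or VLAN permits is the floor for its broadcast traffic. The following added example (not part of the Cisco guide) reads an access point configuration and reports that floor per radio and VLAN. The sample configuration is constructed, and the `encryption mode wep` / `encryption mode ciphers` syntax with the `aes-ccm`, `tkip`, `wep128` and `wep40` keywords is assumed from Cisco Aironet IOS, since this page does not show it.

```python
import re

# Weakest first; the broadcast key follows the weakest client in the cell.
STRENGTH = ["NONE", "WEP", "TKIP", "AES"]
# Assumed Aironet IOS cipher keywords (not shown on this page).
KEYWORDS = {"aes-ccm": "AES", "tkip": "TKIP", "wep128": "WEP", "wep40": "WEP"}
ENC = re.compile(r"^encryption\s+(?:vlan\s+(\d+)\s+)?mode\s+(wep|ciphers)\s+(.+)$")

# Constructed sample configuration, for illustration only.
SAMPLE = """\
dot11 ssid corp
 authentication open
!
interface Dot11Radio0
 encryption vlan 10 mode ciphers aes-ccm tkip
 encryption vlan 20 mode wep optional
!
interface Dot11Radio1
 encryption mode ciphers aes-ccm
!
"""


def permitted(kind, args):
    """Ciphers an 'encryption mode' line lets clients use."""
    if kind == "wep":
        # WEP optional also admits unencrypted (Open/None) clients.
        return {"WEP", "NONE"} if "optional" in args else {"WEP"}
    return {KEYWORDS[a] for a in args if a in KEYWORDS}


def broadcast_floor(config):
    """Map (interface, vlan) -> weakest cipher the broadcast key can fall to."""
    floors, iface = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            iface = line.split()[1]
        elif raw and not raw[0].isspace():
            iface = None  # any other top-level line ends interface sub-mode
        m = ENC.match(line)
        if iface and m:
            vlan, kind, rest = m.groups()
            allowed = permitted(kind, rest.split())
            if allowed:
                floors[(iface, vlan)] = min(allowed, key=STRENGTH.index)
    return floors


if __name__ == "__main__":
    for (iface, vlan), floor in broadcast_floor(SAMPLE).items():
        print(f"{iface} vlan={vlan or 'all'}: broadcast key can fall to {floor}")
```

A VLAN of `None` in the result means the encryption line applies to the whole radio rather than to one VLAN.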
Encryption is configured at the radio or the VLAN level. Authentication is configured at the SSID level.
Authentication can use one or a combination of the following mechanisms:
- Open—No authentication is required to associate to the Access Point.
- Shared key—For using static WEP authentication.
- Network EAP—For using LEAP.
Note: Both Open and Shared key modes can be combined with other modes, such as EAP/802.1x, where
authentication occurs after association to the access point, or with MAC authentication, where
authentication occurs during the final phase of the association to the access point.
You can find more details about each authentication mechanism in the "Understanding Authentication
Mechanisms" section of this chapter.
Combinations of different authentication and encryption mechanisms result in different security schemes
for your SSID. The following table summarizes the supported combinations:
| SSID Authentication | Interface encryption | Supported security |
|---|---|---|
| Open | WEP optional | The AP announces the SSID as Open/Open, without broadcasting explicit support for WEP. However, the AP also accepts client association when client configuration is set to WEP encryption and/or WEP authentication. You must define a WEP key if you want to use this mode with clients using WEP. |
| Open | WEP mandatory | The AP announces the SSID as supporting WEP. The AP accepts client association when client configuration is set to Open/None, WEP encryption and/or WEP authentication. After the association phase, WEP support is mandatory in order to forward traffic through the access point. You must define a WEP key if you want to use this mode with clients using WEP. |
| Open with MAC | Any mode supported with Open authentication | Client MAC authentication is added to the final phase of the client association to the AP (see the MAC Address Authentication to the Network, page 11-5 section for more details). |