Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-30644-01
Chapter 10 Configuring WLAN Authentication and Encryption
Understanding Authentication and Encryption Mechanisms
| SSID Authentication | Interface encryption | Supported security |
| --- | --- | --- |
| Open with EAP | Any cipher (WEP 40, WEP 128, TKIP, CKIP, CMIC, CKIP-CMIC, TKIP + WEP 40, TKIP + WEP 128, AES-CCMP, AES-CCMP + TKIP, AES-CCMP + TKIP + WEP 40, AES-CCMP + TKIP + WEP 128) | Client association to the AP is followed with 802.1x/EAP authentication (supported EAP modes are LEAP, EAP-FAST, PEAP/GTC, MSPEAP, EAP-TLS, and EAP-FAST). During this process individual client keys are generated. When several ciphers are allowed, the key will be generated using the strongest cipher supported by the client. A broadcast key will be forwarded to all clients, using a cipher supported by all clients. |
| Open with MAC and EAP | Any cipher (WEP 40, WEP 128, TKIP, CKIP, CMIC, CKIP-CMIC, TKIP + WEP 40, TKIP + WEP 128, AES-CCMP, AES-CCMP + TKIP, AES-CCMP + TKIP + WEP 40, AES-CCMP + TKIP + WEP 128) | Client MAC authentication is added to the final phase of the client association to the AP. Client association to the AP is followed with 802.1x/EAP authentication. During this process individual client keys are generated. When several ciphers are allowed, the key will be generated using the strongest cipher supported by the client. A broadcast key will be forwarded to all clients, using a cipher supported by all clients. |
| Open with Optional EAP | Any cipher (WEP 40, WEP 128, TKIP, CKIP, CMIC, CKIP-CMIC, TKIP + WEP 40, TKIP + WEP 128, AES-CCMP, AES-CCMP + TKIP, AES-CCMP + TKIP + WEP 40, AES-CCMP + TKIP + WEP 128) | Clients configured for EAP will use individual authentication and encryption with individual keys. Clients with no security configuration can also associate to the AP. This mode is designed as a transition mechanism to stronger security. Broadcast key uses the common security mechanism supported by all clients. When both EAP and Open clients are associated, the broadcast key is not encrypted. |
| Shared Authentication | WEP Optional | The AP announces the SSID as supporting WEP. The AP only accepts clients configured with WEP authentication. WEP encryption after association is supported, but optional. |
| Shared Authentication | WEP Mandatory | The AP announces the SSID as supporting WEP. The AP only accepts clients configured with WEP authentication. WEP encryption after association is mandatory. |
| Shared Authentication with MAC | Any mode supported with Shared authentication | WEP authentication is followed, during the final phase of the association phase, with MAC authentication. |
| Shared Authentication with EAP | Any mode supported with Shared authentication | WEP authentication is followed with open association to the AP. Association is followed with individual client EAP authentication and individual key generation. |
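
The key-selection rule in the "Open with EAP" and "Open with Optional EAP" rows can be checked against a client inventory to see which devices hold the broadcast key down or leave it unencrypted. The following is an added example, not Cisco code; the strength ranking, the function names and the sample clients are assumptions constructed for illustration.

```python
# Added example: models the key-selection rule described in the table above.
# Assumption (not from the page): strength order AES-CCMP > TKIP > WEP 128 > WEP 40.
STRENGTH = {"WEP 40": 1, "WEP 128": 2, "TKIP": 3, "AES-CCMP": 4}


def strongest(ciphers):
    """Return the strongest cipher in an iterable, or None if it is empty."""
    return max(ciphers, key=STRENGTH.__getitem__, default=None)


def audit_ssid(ssid_ciphers, clients, optional_eap=False):
    """Report per-client and broadcast ciphers for one SSID.

    clients maps a client name to the ciphers it supports; an empty list is
    a client with no security configuration, admitted only when optional_eap
    is set ("Open with Optional EAP").
    """
    allowed = set(ssid_ciphers)
    pairwise, rejected = {}, []
    for name, supported in clients.items():
        best = strongest(allowed & set(supported))
        if best is None and not (optional_eap and not supported):
            rejected.append(name)       # no common cipher: cannot associate
        else:
            pairwise[name] = best       # None means an unencrypted Open client
    if None in pairwise.values():
        broadcast = None                # EAP and Open clients mixed: sent in clear
    else:
        common = allowed.intersection(*(set(clients[n]) for n in pairwise))
        broadcast = strongest(common)   # assumption: strongest of the shared ciphers
    # Clients that keep the broadcast key below the SSID's strongest cipher.
    top = strongest(allowed)
    limiting = sorted(n for n in pairwise if top not in clients[n])
    return {"pairwise": pairwise, "rejected": rejected,
            "broadcast": broadcast, "limiting": limiting}


# Constructed sample inventory, not taken from the page.
SAMPLE_CLIENTS = {
    "laptop": ["AES-CCMP", "TKIP"],
    "scanner": ["TKIP", "WEP 128"],
    "legacy-printer": ["WEP 40"],
    "kiosk": [],
}
```

The `limiting` list names the clients to upgrade or move to a separate SSID before the weaker ciphers can be removed from the interface.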