10-5
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-30644-01
Chapter10 Configuring WLAN Authentication and Encryption
Understanding Authentication and Encryption Mechanisms
You can enable Network EAP authentication in combination with Open (with EAP or not, and any
combination of MAC, namely Network EAP with or without MAC, with Open with or without EAP, with
or without MAC, or with or without EAP and MAC). Network EAP uses LEAP, but requires support for
LEAP formatting in the AP announcements. Clients that do not support this specific announcement
formatting can use the Open mode (with LEAP or another EAP mechanism). The client will always try
to use the most secure authentication mechanism supported through the access point, and the strongest
encryption mechanism. However, client access points (in bridge or workgroup bridge mode) will use
Network EAP by default, unless you configure the client side specifically to use a stronger authentication
mechanism.
When configuring the SSID, using a cipher allows you to manage each client individual key. When
configuring the SSID, you can define how this key should be managed. If you configure the interface to
use a Cipher, you must also enable key management when configuring the SSID. Key management can
be set to none (when using no security or shared key security), mandatory (when using a cipher), or
Optional (when using Open with optional EAP or Shared key with optional EAP authentications). Please
refer to the Key management sections of this chapter for more details on the different key management
modes.
Shared
Authentication with
EAP and MAC
Any mode supported
with Shared
authentication
WEP authentication is followed, during the final phase
of the association phase, with MAC authentication.
Association is followed with individual client EAP
authentication and individual key generation.
Network EAP Any cipher (WEP 40,
WEP 128, TKIP,
CKIP, CMIC,
CKIP-CMIC, TKIP +
WEP 40, TKIP+WEP
128, AES-CCMP,
AES-CCMP+TKIP,
AES-CCMP + TKIP
+ WEP 40,
AES-CCMP + TKIP
+ WEP 128)
Client association to the AP is followed with Cisco
LEAP authentication. During this process individual
client keys are generated. When several ciphers are
allowed, the key will be generated using the strongest
cipher supported by the client. A broadcast key will be
forwarded to all clients, using a cipher supported by all
clients.
Network EAP with
MAC
Any cipher (WEP 40,
WEP 128, TKIP,
CKIP, CMIC,
CKIP-CMIC, TKIP +
WEP 40, TKIP+WEP
128, AES-CCMP,
AES-CCMP+TKIP,
AES-CCMP + TKIP
+ WEP 40,
AES-CCMP + TKIP
+ WEP 128)
Client MAC authentication is added to the final phase
of the client association to the AP. Client association to
the AP is followed with 802.1x/EAP authentication
using LEAP. During this process individual client keys
are generated. When several ciphers are allowed, the
key will be generated using the strongest cipher
supported by the client. A broadcast key will be
forwarded to all clients, using a cipher supported by all
clients.
Web Authentication Any Web authentication can be used independently (with
no other SSID authentication or encryption), or in
combination with any other authentication and
encryption scheme.
SSID Authentication Interface encryption Supported security