Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-30644-01
Chapter 11 Configuring Authentication Types
Understanding Authentication Types
This section describes in detail the authentication types that you can configure on the access point. The
authentication types are tied to the SSIDs that you configure for the access point. The SSID is then tied
to a VLAN or a radio interface with a possible configured encryption mechanism. Hence, make sure that
the authentication scheme you configure for the SSID is compatible with the encryption method
configured for the associated VLAN or radio interface.
See Chapter 10, “Understanding Authentication and Encryption Mechanisms,” for more details.
If you want to serve different types of client devices with the same access point, you can configure
multiple SSIDs. See Chapter 7, “Configuring Multiple SSIDs,” for complete instructions on configuring
multiple SSIDs.
Before a wireless client device can communicate on your network through the access point, it must
authenticate to the access point using open or shared-key authentication. For maximum security, client
devices should also authenticate to your network using MAC-address or EAP authentication, both of
which rely on an authentication server on your network.
The authentication server can be configured on the AP or on an external server. You can set the client
authentication process to be as follows:
1. The client can authenticate to the access point (using open or shared key).
2. During the association phase, optionally the client can be authenticated using its MAC address.
3. After association to the AP, optionally the client can be authenticated against a RADIUS server,
4. Individual client key generation and management can be done using EAP/802.1x. EAP/802.1x
mechanism.
Note By default, the access point sends re-authentication requests to the authentication server with the
service-type attribute set to authenticate-only. However, some Microsoft IAS servers do not support the
authenticate-only service-type attribute. Depending on the user requirements, set the service-type
attribute to: dot11 aaa authentication attributes service-type login-user or dot11 aaa authentication
attributes service-type framed-user. By default the service type "login" is sent in the access request.
The access point uses several authentication mechanisms or types and can use more than one at the same
time. These sections explain each authentication type:
• Open Authentication to the Access Point
• WEP Shared Key Authentication to the Access Point
• EAP Authentication to the Network
• MAC Address Authentication to the Network
• Combining MAC-Based, EAP, and Open Authentication
• Using CCKM for Authenticated Clients
• Using WPA Key Management
Open Authentication to the Access Point
Open authentication allows any device to authenticate and then attempt to communicate with the access
point. Using open authentication, any wireless device can authenticate with the access point. Open
authentication does not rely on a RADIUS server on your network.
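The following Python audit is an added example, not taken from this guide. It parses a constructed access point configuration and reports SSIDs whose authentication settings do not match the encryption configured for their VLAN, which is the compatibility requirement stated at the start of this section, and it also reports open-only SSIDs with no encryption. The SSID names, VLAN numbers, and the two audit rules are assumptions of the example, and only the `encryption vlan ... mode ...` form of the encryption command is parsed.

```python
import re

# Constructed sample configuration (not from the guide): three SSIDs on VLANs 10, 20, 30.
SAMPLE_CONFIG = """\
dot11 ssid CORP
   vlan 10
   authentication open eap eap_methods
   authentication key-management wpa version 2
!
dot11 ssid GUEST
   vlan 20
   authentication open
!
dot11 ssid LAB
   vlan 30
   authentication open eap eap_methods
   authentication key-management wpa
!
interface Dot11Radio0
 encryption vlan 10 mode ciphers aes-ccm
 encryption vlan 30 mode wep mandatory
"""

def audit(config):
    # Returns {ssid: [findings]}; SSIDs with no finding are omitted.
    ssids, enc, current = {}, {}, None
    for line in config.splitlines():
        text = line.strip()
        new_ssid = re.match(r"dot11 ssid (\S+)$", text)
        enc_line = re.match(r"encryption vlan (\S+) mode (\S+)", text)
        if new_ssid:
            current = ssids.setdefault(new_ssid.group(1), {"vlan": None, "auth": []})
        elif enc_line:
            enc[enc_line.group(1)] = enc_line.group(2)  # VLAN -> "ciphers" or "wep"
        elif not line.startswith(" "):
            current = None  # "!" or a new top-level command ends the SSID block
        elif current is not None and text.startswith("vlan "):
            current["vlan"] = text.split()[1]
        elif current is not None and text.startswith("authentication "):
            current["auth"].append(text[len("authentication "):])
    findings = {}
    for name, s in ssids.items():
        mode = enc.get(s["vlan"])  # None: no encryption configured for that VLAN
        # Rule 1 (assumed policy): WPA key management needs a cipher suite on the VLAN.
        if any(a.startswith("key-management wpa") for a in s["auth"]) and mode != "ciphers":
            findings.setdefault(name, []).append("WPA key management without a cipher suite on the VLAN")
        # Rule 2 (assumed policy): open-only authentication with no encryption at all.
        if s["auth"] == ["open"] and mode is None:
            findings.setdefault(name, []).append("open authentication only, no encryption on the VLAN")
    return findings
```

Calling `audit(SAMPLE_CONFIG)` reports GUEST and LAB and leaves CORP out of the result.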