Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-30644-01
Chapter11 Configuring Authentication Types
Configuring Additional WPA Settings

Use two optional settings to configure a pre-shared key on the access point and adjust the frequency of group key updates.
Setting a Pre-shared Key

To support WPA (WPAv1 or WPAv2) on a wireless LAN where 802.1X/EAP-based authentication is not available, you must configure a pre-shared key on the access point. You can enter the pre-shared key as ASCII or hexadecimal characters. If you enter the key as ASCII characters, you enter between 8 and 63 characters, and the access point expands the key using the process described in the Password-based Cryptography Standard (RFC 2898). If you enter the key as hexadecimal characters, you must enter exactly 64 hexadecimal characters.
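The expansion described above and the input rules of the wpa-psk command (Step 3 in the table that follows), as an added worked example that is not part of the Cisco guide. The PBKDF2 parameters used here (HMAC-SHA1, the SSID as salt, 4096 iterations, 32-byte output) are those of the IEEE 802.11 standard and are assumed, since the guide only cites RFC 2898; the passphrase/SSID pair is a constructed sample taken from the published 802.11 test vector so the result can be checked.

```python
import hashlib
import re


def validate_psk_input(mode: str, key: str) -> bool:
    """Apply the guide's rules for the wpa-psk { hex | ascii } argument.

    hex   -> exactly 64 hexadecimal characters (the full 256-bit key)
    ascii -> 8 to 63 printable ASCII characters (expanded by the access point)
    """
    if mode == "hex":
        return re.fullmatch(r"[0-9a-fA-F]{64}", key) is not None
    if mode == "ascii":
        return 8 <= len(key) <= 63 and all(32 <= ord(c) <= 126 for c in key)
    raise ValueError("mode must be 'hex' or 'ascii'")


def derive_psk(passphrase: str, ssid: str) -> str:
    """Expand an ASCII passphrase into the 256-bit PSK, returned as 64 hex chars.

    Assumed 802.11 parameters: PBKDF2 (RFC 2898) with HMAC-SHA1, the SSID as
    salt, 4096 iterations, 32 bytes of output. The returned string is what the
    'wpa-psk hex' form would carry directly instead of the passphrase.
    """
    if not validate_psk_input("ascii", passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    psk = hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )
    return psk.hex()


if __name__ == "__main__":
    # Constructed sample: "password" / "IEEE" is the 802.11 test vector.
    print(derive_psk("password", "IEEE"))
    # The same passphrase is rejected under the hex rule and accepted under ascii.
    print(validate_psk_input("hex", "password"), validate_psk_input("ascii", "password"))
```

Because the SSID is the salt, the same passphrase on a different SSID yields a different PSK, which is why the hex form must be regenerated when an SSID is renamed.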
Configuring Group Key Updates

In the last step in the WPA process, the access point distributes a group key to the authenticated client device. You can use these optional settings to configure the access point to change and distribute the group key based on client association and disassociation:

•Membership termination—the access point generates and distributes a new group key when any authenticated device disassociates from the access point. This feature keeps the group key private for associated devices, but it might generate some overhead traffic if clients on your network roam frequently among access points.

•Capability change—the access point generates and distributes a dynamic group key when there is a change in the cell clients' capability. For example, in a cell allowing AES, TKIP, and WEP and currently containing only AES clients, the broadcast key uses AES. The access point generates a new broadcast key using TKIP when the first TKIP client joins the cell, and generates a new broadcast key when the first WEP client joins the cell. Symmetrically, the access point generates a new broadcast key when the last WEP client leaves the cell. If at that time all clients support AES, the new broadcast key will use AES. If some clients use TKIP and others use AES (AES clients also support TKIP), the new broadcast key will use TKIP. When the last TKIP client leaves the cell, with only AES clients left in the cell, the access point generates a new broadcast key using AES.
Beginning in privileged EXEC mode, follow these steps to configure a WPA pre-shared key and group key update options:

Command / Purpose

Step 1  configure terminal
        Enter global configuration mode.

Step 2  ssid ssid-string
        Enter SSID configuration mode for the SSID.

Step 3  wpa-psk { hex | ascii } [ 0 | 7 ] encryption-key
        Enter a pre-shared key for client devices using WPA that also use static WEP keys.
        Enter a pre-shared key for client devices using WPAv1 or WPAv2 with PSK authentication. If you use hexadecimal, you must enter 64 hexadecimal characters to complete the 256-bit key. If you use ASCII, you must enter a minimum of 8 letters, numbers, or symbols, and the access point expands the key for you. You can enter a maximum of 63 ASCII characters.