Cisco Router 860, 880 Series User Manual
Authentication Types for Wireless Devices, OL-15914-01

Understanding Authentication Types

Both the unencrypted challenge and the encrypted challenge can be monitored, however, which leaves the access point open to attack from an intruder who calculates the WEP key by comparing the unencrypted and encrypted text strings. Because of this weakness, shared key authentication can be less secure than open authentication. Like open authentication, shared key authentication does not rely on a RADIUS server on your network.

Figure 2 shows the authentication sequence between a device trying to authenticate and an access point using shared key authentication. In this example the device’s WEP key matches the access point’s key, so it can authenticate and communicate.

Figure 2 Sequence for Shared Key Authentication (client device, access point or bridge, server on the wired LAN)
1. Authentication request
2. Unencrypted challenge text
3. Encrypted challenge text
4. Authentication success

EAP Authentication to the Network

This authentication type provides the highest level of security for your wireless network. By using the Extensible Authentication Protocol (EAP) to interact with an EAP-compatible RADIUS server, the access point helps a wireless client device and the RADIUS server to perform mutual authentication and derive a dynamic unicast WEP key. The RADIUS server sends the WEP key to the access point, which uses it for all unicast data signals that it sends to or receives from the client. The access point also encrypts its broadcast WEP key (entered in the access point’s WEP key slot 1) with the client’s unicast key and sends it to the client.

When you enable EAP on your access points and client devices, authentication to the network occurs in the sequence shown in Figure 3:
Figure 3 Sequence for EAP Authentication (client device, access point or bridge, RADIUS server on the wired LAN; the access point relays the messages between client and server)
1. Authentication request
2. Identity request
3. Username
4. Authentication challenge
5. Authentication response
6. Authentication success
7. Authentication challenge
8. Authentication response
9. Successful authentication

In Steps 1 through 9 in Figure 3, a wireless client device and a RADIUS server on the wired LAN use 802.1x and EAP to perform a mutual authentication through the access point. The RADIUS server sends an authentication challenge to the client. The client uses a one-way encryption of the user-supplied password to generate a response to the challenge and sends that response to the RADIUS server. Using information from its user database, the RADIUS server creates its own response and compares that to the response from the client. When the RADIUS server authenticates the client, the process repeats in reverse, and the client authenticates the RADIUS server.

When mutual authentication is complete, the RADIUS server and the client determine a WEP key that is unique to the client and provides the client with the appropriate level of network access, thereby approximating the level of security in a wired switched segment to an individual desktop. The client loads this key and prepares to use it for the logon session.

During the logon session, the RADIUS server encrypts and sends the WEP key, called a session key, over the wired LAN to the access point. The access point encrypts its broadcast key with the session key and sends the encrypted broadcast key to the client, which uses the session key to decrypt it. The client and access point activate WEP and use the session and broadcast WEP keys for all communications during the remainder of the session.

There is more than one type of EAP authentication, but the access point behaves the same way for each type: it relays authentication messages from the wireless client device to the RADIUS server and from the RADIUS server to the wireless client device. See the “Assigning Authentication Types to an SSID” section on page 9 for instructions on setting up EAP on the access point.

Note: If you use EAP authentication, you can select open or shared key authentication, but you don’t have to. EAP authentication controls authentication both to your access point and to your network.
MAC Address Authentication to the Network

The access point relays the wireless client device’s MAC address to a RADIUS server on your network, and the server checks the address against a list of allowed MAC addresses. Intruders can create counterfeit MAC addresses, so MAC-based authentication is less secure than EAP authentication. However, MAC-based authentication provides an alternate authentication method for client devices that do not have EAP capability. See the “Assigning Authentication Types to an SSID” section on page 9 for instructions on enabling MAC-based authentication.

Tip: If you don’t have a RADIUS server on your network, you can create a list of allowed MAC addresses on the access point’s Advanced Security: MAC Address Authentication page. Devices with MAC addresses not on the list are not allowed to authenticate.

Tip: If MAC-authenticated clients on your wireless LAN roam frequently, you can enable a MAC authentication cache on your access points. MAC authentication caching reduces overhead because the access point authenticates devices in its MAC-address cache without sending the request to your authentication server. See the “Configuring MAC Authentication Caching” section on page 14 for instructions on enabling this feature.

Figure 4 shows the authentication sequence for MAC-based authentication.

Figure 4 Sequence for MAC-Based Authentication (client device, access point or bridge, server on the wired LAN)
1. Authentication request
2. Authentication success
3. Association request
4. Association response (block traffic from client)
5. Authentication request
6. Success
7. Access point or bridge unblocks traffic from client
Combining MAC-Based, EAP, and Open Authentication

You can set up the access point to authenticate client devices using a combination of MAC-based and EAP authentication. When you enable this feature, client devices that associate to the access point using 802.11 open authentication first attempt MAC authentication; if MAC authentication succeeds, the client device joins the network. If MAC authentication fails, EAP authentication takes place. See the “Assigning Authentication Types to an SSID” section on page 9 for instructions on setting up this combination of authentications.

Using CCKM for Authenticated Clients

Using Cisco Centralized Key Management (CCKM), authenticated client devices can roam from one access point to another without any perceptible delay during reassociation. An access point on your network provides Wireless Domain Services (WDS) and creates a cache of security credentials for CCKM-enabled client devices on the subnet. The WDS access point’s cache of credentials dramatically reduces the time required for reassociation when a CCKM-enabled client device roams to a new access point. When a client device roams, the WDS access point forwards the client’s security credentials to the new access point, and the reassociation process is reduced to a two-packet exchange between the roaming client and the new access point. Roaming clients reassociate so quickly that there is no perceptible delay in voice or other time-sensitive applications. See the “Assigning Authentication Types to an SSID” section on page 9 for instructions on enabling CCKM on your access point.

The RADIUS-assigned VLAN feature is not supported for client devices that associate using SSIDs with CCKM enabled.

Figure 5 shows the reassociation process using CCKM.

Figure 5 Client Reassociation Using CCKM (roaming client device, access point, WDS device (router, switch, or AP), authentication server on the wired LAN). Messages shown: Reassociation request and Reassociation response between the roaming client and the new access point; Pre-registration request and Pre-registration reply between the access point and the WDS device.
Using WPA Key Management

Wi-Fi Protected Access is a standards-based, interoperable security enhancement that strongly increases the level of data protection and access control for existing and future wireless LAN systems. It is derived from and will be forward-compatible with the upcoming IEEE 802.11i standard. WPA leverages TKIP (Temporal Key Integrity Protocol) for data protection and 802.1X for authenticated key management.

WPA key management supports two mutually exclusive management types: WPA and WPA-Pre-shared key (WPA-PSK). Using WPA key management, clients and the authentication server authenticate to each other using an EAP authentication method, and the client and server generate a pairwise master key (PMK). Using WPA, the server generates the PMK dynamically and passes it to the access point. Using WPA-PSK, however, you configure a pre-shared key on both the client and the access point, and that pre-shared key is used as the PMK.

Note: The unicast and multicast cipher suites advertised in the WPA information element (and negotiated during 802.11 association) may mismatch the cipher suite supported in an explicitly assigned VLAN. If the RADIUS server assigns a new VLAN ID that uses a different cipher suite from the previously negotiated one, there is no way for the access point and client to switch to the new cipher suite, because the WPA and CCKM protocols do not allow the cipher suite to be changed after the initial 802.11 cipher negotiation phase. In this scenario, the client device is disassociated from the wireless LAN.

See the “Assigning Authentication Types to an SSID” section on page 9 for instructions on configuring WPA key management on your access point. Figure 6 shows the WPA key management process.
Figure 6 WPA Key Management Process (client device, access point, authentication server on the wired LAN)
1. Client and server authenticate to each other, generating an EAP master key.
2. Server uses the EAP master key to generate a pairwise master key (PMK) to protect communication between the client and the access point. (However, if the client is using 802.1x authentication and both the access point and the client are configured with the same pre-shared key, the pre-shared key is used as the PMK and the server does not generate a PMK.)
3. Client and access point complete a four-way handshake to:
   - Confirm that a PMK exists and that knowledge of the PMK is current.
   - Derive a pairwise transient key from the PMK.
   - Install encryption and integrity keys into the encryption/integrity engine, if necessary.
   - Confirm installation of all keys.
4. Client and access point complete a two-way handshake to securely deliver the group transient key from the access point to the client.

Configuring Authentication Types

This section describes how to configure authentication types. You attach authentication types to the SSIDs. See Service Set Identifier (SSID) for details on setting up multiple SSIDs. This section contains these topics:
- Assigning Authentication Types to an SSID, page 9
- Configuring Authentication Holdoffs, Timeouts, and Intervals, page 15
- Creating and Applying EAP Method Profiles for the 802.1X Supplicant, page 18

Note: There are no default authentication SSIDs for the wireless router.
Assigning Authentication Types to an SSID

To configure authentication types for SSIDs, follow these steps, beginning in privileged EXEC mode:

Step 1: configure terminal
Purpose: Enters global configuration mode.

Step 2: dot11 ssid ssid-string
Purpose: Creates an SSID and enters SSID configuration mode for the new SSID. The SSID can consist of up to 32 alphanumeric, case-sensitive characters. The first character cannot be any of the following:
- Exclamation point (!)
- Pound sign (#)
- Semicolon (;)
The following characters are invalid and cannot be used anywhere in an SSID:
- Plus sign (+)
- Right bracket (])
- Front slash (/)
- Quotation mark (")
- Tab
- Trailing spaces
Step 3: authentication open [mac-address list-name [alternate]] [[optional] eap list-name]
Purpose: (Optional) Sets the authentication type to open for this SSID. Open authentication allows any device to authenticate and then attempt to communicate with the access point.
- mac-address list-name: (Optional) Sets the SSID’s authentication type to open with MAC address authentication. The access point forces all client devices to perform MAC-address authentication before they are allowed to join the network. For list-name, specify the authentication method list. For more information on method lists, see http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsaaa/scfathen.htm#xtocid2
- alternate: Allows client devices to join the network using either MAC or EAP authentication; clients that successfully complete either authentication are allowed to join the network.
- eap list-name: (Optional) Sets the SSID’s authentication type to open with EAP authentication. The access point forces all client devices to perform EAP authentication before they are allowed to join the network. For list-name, specify the authentication method list.
- optional: Allows client devices using either open or EAP authentication to associate and become authenticated. This setting is used mainly by service providers that require special client accessibility.
Note: An access point configured for EAP authentication forces all client devices that associate to perform EAP authentication. Client devices that do not use EAP cannot use the access point.

Step 4: authentication shared [mac-address list-name] [eap list-name]
Purpose: (Optional) Sets the authentication type for the SSID to shared key.
Note: Because of shared key’s security flaws, Cisco recommends that you avoid using it.
Note: You can assign shared key authentication to only one SSID.
- mac-address list-name: (Optional) Sets the SSID’s authentication type to shared key with MAC address authentication. For list-name, specify the authentication method list.
- eap list-name: (Optional) Sets the SSID’s authentication type to shared key with EAP authentication. For list-name, specify the authentication method list.
Use the no form of the SSID commands to disable the SSID or to disable SSID features.

Step 5: authentication network-eap list-name [mac-address list-name]
Purpose: (Optional) Sets the authentication type for the SSID to Network-EAP. Using the Extensible Authentication Protocol (EAP) to interact with an EAP-compatible RADIUS server, the access point helps a wireless client device and the RADIUS server to perform mutual authentication and derive a dynamic unicast WEP key. However, the access point does not force all client devices to perform EAP authentication.
- mac-address list-name: (Optional) Sets the SSID’s authentication type to Network-EAP with MAC address authentication. All client devices that associate to the access point are required to perform MAC-address authentication. For list-name, specify the authentication method list.

Step 6: authentication key-management { [wpa] [cckm] } [ optional ]
Purpose: (Optional) Sets the authentication type for the SSID to WPA, CCKM, or both. If you use the optional keyword, client devices other than WPA and CCKM clients can use this SSID. If you do not use the optional keyword, only WPA or CCKM client devices are allowed to use the SSID.
To enable CCKM for an SSID, you must also enable Network-EAP authentication. When CCKM and Network EAP are enabled for an SSID, client devices using LEAP, EAP-FAST, PEAP/GTC, MSPEAP, EAP-TLS, and EAP-FAST can authenticate using the SSID.
To enable WPA for an SSID, you must also enable Open authentication or Network-EAP or both.
Note: When you enable both WPA and CCKM for an SSID, you must enter wpa first and cckm second. Any WPA client can attempt to authenticate, but only CCKM voice clients can attempt to authenticate.
Note: Before you can enable CCKM or WPA, you must set the encryption mode for the SSID’s VLAN to one of the cipher suite options. To enable both CCKM and WPA, you must set the encryption mode to a cipher suite that includes TKIP. See Cipher Suites and WEP for instructions on configuring the VLAN encryption mode.
Note: If you enable WPA for an SSID without a pre-shared key, the key management type is WPA. If you enable WPA with a pre-shared key, the key management type is WPA-PSK. See the “Configuring Additional WPA Settings” section on page 13 for instructions on configuring a pre-shared key.

Step 7: end
Purpose: Returns to privileged EXEC mode.

Step 8: copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
This example sets the authentication type for the SSID batman to Network-EAP with CCKM authenticated key management. Client devices using the SSID batman authenticate using the adam server list. After they are authenticated, CCKM-enabled clients can perform fast reassociations using CCKM.

    ap1200# configure terminal
    ap1200(config)# dot11 ssid batman
    ap1200(config-ssid)# authentication network-eap adam
    ap1200(config-ssid)# authentication key-management cckm optional
    ap1200(config-ssid)# exit
    ap1200(config)# interface dot11radio 0
    ap1200(config-if)# ssid batman
    ap1200(config-if)# end

Configuring WPA Migration Mode

WPA migration mode allows these client device types to use the same SSID to associate to the access point:
- WPA clients capable of TKIP and authenticated key management
- 802.1X-2001 clients (such as legacy LEAP clients and clients using TLS) capable of authenticated key management but not TKIP
- Static-WEP clients not capable of TKIP or authenticated key management

If all three client types associate using the same SSID, the multicast cipher suite for the SSID must be WEP. If only the first two types of clients use the same SSID, the multicast key can be dynamic, but if the static-WEP clients use the SSID, the key must be static. To accommodate associated client devices, the access point can switch automatically between a static group key and a dynamic group key. To support all three types of clients on the same SSID, you must configure the static key in key slot 2 or 3.

To set up an SSID for WPA migration mode, configure these settings:
- WPA optional
- A cipher suite containing TKIP and 40-bit or 128-bit WEP
- A static WEP key in key slot 2 or 3

This example sets the SSID migrate for WPA migration mode (the cipher suite and static key are interface settings, so they are entered on the radio interface before the SSID is attached to it):

    ap1200# configure terminal
    ap1200(config)# interface dot11radio 0
    ap1200(config-if)# encryption mode cipher tkip wep128
    ap1200(config-if)# encryption key 3 size 128 12345678901234567890123456 transmit-key
    ap1200(config-if)# exit
    ap1200(config)# dot11 ssid migrate
    ap1200(config-ssid)# authentication open
    ap1200(config-ssid)# authentication network-eap adam
    ap1200(config-ssid)# authentication key-management wpa optional
    ap1200(config-ssid)# wpa-psk ascii batmobile65
    ap1200(config-ssid)# exit
    ap1200(config)# interface dot11radio 0
    ap1200(config-if)# ssid migrate
    ap1200(config-if)# end
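As an added example that is not part of the manual, the following Python script checks dot11 SSID blocks against the rules stated in the Step 4 and Step 6 notes and in the WPA migration mode requirements above (shared key discouraged, Network-EAP required for CCKM, open or Network-EAP required for WPA, wpa entered before cckm, a cipher suite set before key management, and a static key in slot 2 or 3 for migration mode). The sample configuration is constructed from the batman and migrate examples plus a deliberately broken SSID, and the parser assumes the command forms shown on this page.

```python
# Added example (not from the manual): lint dot11 SSID blocks against the rules this section states.
import re
# Constructed sample: 'batman' and 'migrate' mirror the manual's examples; 'broken' violates several rules.
SAMPLE_CONFIG = """
interface Dot11Radio0
 encryption mode cipher tkip wep128
 encryption key 3 size 128 12345678901234567890123456 transmit-key
dot11 ssid batman
 authentication network-eap adam
 authentication key-management cckm optional
dot11 ssid migrate
 authentication open
 authentication network-eap adam
 authentication key-management wpa optional
 wpa-psk ascii batmobile65
dot11 ssid broken
 authentication shared
 authentication key-management cckm wpa
"""

def parse(config):
    # Group stripped lines under their 'dot11 ssid' block or the radio interface
    ssids, radio, target = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if re.match(r"dot11 ssid \S+", line):
            target = ssids.setdefault(line.split()[2], [])
        elif re.match(r"interface dot11radio", line, re.I):
            target = radio
        elif line and line != "!" and target is not None:
            target.append(line)
    return ssids, radio

def lint(config):
    # Return sorted '<ssid>: <finding>' strings; an empty list means nothing to report
    ssids, radio = parse(config)
    cipher = next((l.split()[3:] for l in radio if l.startswith("encryption mode cipher")), [])
    slots = {l.split()[2] for l in radio if l.startswith("encryption key ")}
    out = []
    for name, lines in ssids.items():
        has = lambda p: any(l.startswith(p) for l in lines)
        km = next((l.split()[2:] for l in lines if l.startswith("authentication key-management")), [])
        if has("authentication shared"):
            out.append(f"{name}: shared key authentication is discouraged; use EAP or WPA")
        if "cckm" in km and not has("authentication network-eap"):
            out.append(f"{name}: cckm requires authentication network-eap")
        if "wpa" in km and not (has("authentication open") or has("authentication network-eap")):
            out.append(f"{name}: wpa requires authentication open or network-eap")
        if "wpa" in km and "cckm" in km and km.index("wpa") > km.index("cckm"):
            out.append(f"{name}: enter wpa before cckm")
        if km and (not cipher or ("wpa" in km and "cckm" in km and "tkip" not in cipher)):
            out.append(f"{name}: set the VLAN cipher suite first (one including tkip for wpa plus cckm)")
        # Migration mode: wpa optional with a TKIP+WEP cipher needs a static key in slot 2 or 3
        if {"wpa", "optional"} <= set(km) and "tkip" in cipher and any(c.startswith("wep") for c in cipher) and not slots & {"2", "3"}:
            out.append(f"{name}: WPA migration mode needs a static WEP key in slot 2 or 3")
        if "wpa" in km:
            out.append(f"{name}: key management type is {'WPA-PSK' if has('wpa-psk') else 'WPA'}")
    return sorted(out)
```

Running lint(SAMPLE_CONFIG) reports nothing for batman, classifies migrate as WPA-PSK, and lists each rule the broken SSID violates.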