Product Info
CA (Certificate
Authority)
A corporate certification authority implemented on a server. In addition, Internet Explorer's
certificate can import a certificate from a file. A trusted CA certificate is stored in the root
store.
CCX (Cisco
Compatible
eXtension)
Cisco Compatible Extensions Program ensures that devices used on Cisco wireless LAN
infrastructure meet the security, management and roaming requirements.
Certificate Used for client authentication. A certificate is registered on the authentication server (for
example, RADIUS server) and used by the authenticator.
CKIP Cisco Key Integrity Protocol (CKIP) is a Cisco proprietary security protocol for encryption in
802.11 media. CKIP uses a key message integrity check and message sequence number to
improve 802.11 security in infrastructure mode. CKIP is Cisco's version of TKIP.
Client computer The computer that gets its Internet connection by sharing either the host computer's
connection or the access point's connection.
DSSS Direct Sequence Spread Spectrum. Technology used in radio transmission. Incompatible with
FHSS.
EAP Short for Extensible Authentication Protocol, EAP sits inside of Point-to-Point Protocol's (PPP)
authentication protocol and provides a generalized framework for several different
authentication methods. EAP is supposed to head off proprietary authentication systems and
let everything from passwords to challenge-response tokens and public-key infrastructure
certificates all work smoothly.
EAP-AKA EAP-AKA (Extensible Authentication Protocol Method for UMTS Authentication and Key
Agreement) is an EAP mechanism for authentication and session key distribution, using the
Universal Mobile Telecommunications System (UMTS) Subscriber Identity Module (USIM).
The USIM card is a special smart card used with cellular networks to validate a given user
with the network.
EAP-FAST EAP-FAST, like EAP-TTLS and PEAP, uses tunneling to protect traffic. The main difference is
that EAP-FAST does not use certificates to authenticate.
Provisioning in EAP-FAST is negotiated solely by the client as the first communication
exchange when EAP-FAST is requested from the server. If the client does not have a pre-
shared secret Protected Access Credential (PAC), it can request to initiate a provisioning
EAP-FAST exchange to dynamically obtain one from the server.
EAP-FAST documents two methods to deliver the PAC: manual delivery through an out-of-
band secure mechanism, and automatic provisioning.
Manual delivery mechanisms can be any delivery mechanism that the administrator of
the network feels is sufficiently secure for their network.
Automatic provisioning establishes an encrypted tunnel to protect the authentication of
the client and the delivery of the PAC to the client. This mechanism, while not as
secure as a manual method may be, is more secure than the authentication method
used in LEAP.
The EAP-FAST method can be divided into two parts: provisioning, and authentication. The
provisioning phase involves the initial delivery of the PAC to the client. This phase only needs
to be performed once per client and user.
EAP-GTC The EAP-GTC (Generic Token Card) is similar to the EAP-OTP except with hardware token
cards. The request contains a displayable message, and the response contains the string
read from the hardware token card.
EAP-OTP EAP-OTP (One-Time Password) is similar to MD5, except it uses the OTP as the response.
The request contains a displayable message. The OTP method is defined in RFC 2289.
EAP-SIM Extensible Authentication Protocol-Subscriber Identity Module (EAP-SIM) authentication can
be used with:
Network Authentication types: Open, Shared, and WPA*-Enterprise, WPA2*-
Enterprise.