User Guide
Table Of Contents
- Cisco Wireless ISR and HWIC Access Point Configuration Guide
- Contents
- Preface
- Overview
- Configuring Radio Settings
- Enabling the Radio Interface
- Roles in Radio Network
- Configuring Network or Fallback Role
- Universal Client Mode
- Configuring Universal Client Mode
- Configuring Radio Data Rates
- Configuring Radio Transmit Power
- Configuring Radio Channel Settings
- Enabling and Disabling World Mode
- Enabling and Disabling Short Radio Preambles
- Configuring Transmit and Receive Antennas
- Disabling and Enabling Access Point Extensions
- Configuring the Ethernet Encapsulation Transformation Method
- Enabling and Disabling Reliable Multicast to Workgroup Bridges
- Enabling and Disabling Public Secure Packet Forwarding
- Configuring Beacon Period and DTIM
- Configuring RTS Threshold and Retries
- Configuring Maximum Data Retries
- Configuring Fragmentation Threshold
- Enabling Short Slot Time for 802.11g Radios
- Performing a Carrier Busy Test
- Configuring Multiple SSIDs
- Configuring an Access Point as a Local Authenticator
- Understand Local Authentication
- Configure a Local Authenticator
- Guidelines for Local Authenticators
- Configuration Overview
- Configuring the Local Authenticator Access Point
- Configuring Other Access Points to Use the Local Authenticator
- Configuring EAP-FAST Settings
- Limiting the Local Authenticator to One Authentication Type
- Unblocking Locked Usernames
- Viewing Local Authenticator Statistics
- Using Debug Messages
- Configuring Encryption Types
- Configuring Authentication Types
- Configuring RADIUS Servers
- Configuring and Enabling RADIUS
- Understanding RADIUS
- RADIUS Operation
- Configuring RADIUS
- Default RADIUS Configuration
- Identifying the RADIUS Server Host
- Configuring RADIUS Login Authentication
- Defining AAA Server Groups
- Configuring RADIUS Authorization for User Privileged Access and Network Services
- Starting RADIUS Accounting
- Selecting the CSID Format
- Configuring Settings for All RADIUS Servers
- Configuring the Access Point to Use Vendor-Specific RADIUS Attributes
- Configuring the Access Point for Vendor-Proprietary RADIUS Server Communication
- Configuring WISPr RADIUS Attributes
- Displaying the RADIUS Configuration
- RADIUS Attributes Sent by the Access Point
- Configuring and Enabling RADIUS
- Configuring VLANs
- Configuring QoS
- Channel Settings
- Protocol Filters
- Supported MIBs
- Error and Event Messages
- Glossary
- Index
6-7
Cisco Wireless ISR and HWIC Access Point Configuration Guide
OL-6415-04
Chapter 6 Configuring Authentication Types
Understand Authentication Types
Note Unicast and multicast cipher suites advertised in WPA information element (and negotiated during
802.11 association) may potentially mismatch with the cipher suite supported in an explicitly assigned
VLAN. If the RADIUS server assigns a new vlan ID which uses a different cipher suite from the
previously negotiated cipher suite, there is no way for the access point and client to switch back to the
new cipher suite. Currently, the WPA protocol does not allow the cipher suite to be changed after the
initial 802.11 cipher negotiation phase. In this scenario, the client device is disassociated from the
wireless LAN.
See the “Assigning Authentication Types to an SSID” section on page 6-9 for instructions on configuring
WPA key management on your access point.
Figure 6-5 shows the WPA key management process.
Figure 6-5 WPA Key Management Process
88965
Client and server authenticate to each other, generating an EAP master key
Client device
Access point
Authentication
server
Wired LAN
Server uses the EAP master key to
generate a pairwise master key (PMK)
to protect communication between the
client and the access point. (However,
if the client is using 802.1x authentication
and both the access point and the client
are configured with the same pre-shared key,
the pre-shared key is used as the PMK and
the server does not generate a PMK.)
Client and access point complete
a four-way handshake to:
Client and access point complete
a two-way handshake to securely
deliver the group transient key from
the access point to the client.
Confirm that a PMK exists and that
knowledge of the PMK is current.
Derive a pairwise transient key from
the PMK.
Install encryption and integrity keys into
the encryption/integrity engine, if necessary.
Confirm installation of all keys.