User's Manual
8-5
Cisco 3200 Series Wireless MIC Software Configuration Guide
OL-7734-02
Chapter 8 Configuring Authentication Types
Using CCKM for Authenticated Bridges
Using Cisco Centralized Key Management (CCKM), authenticated non-root bridges can roam from one
root bridge to another without any perceptible delay during reassociation. An access point or switch on
your network provides Wireless Domain Services (WDS) and creates a cache of security credentials for
CCKM-enabled bridges on the subnet. The WDS device’s cache of credentials dramatically reduces the
time required for reassociation when a CCKM-enabled non-root bridge roams to a new root bridge.
When a non-root bridge roams, the WDS device forwards the bridge’s security credentials to the new
root bridge, and the reassociation process is reduced to a two-packet exchange between the roaming
bridge and the new root bridge. Roaming bridges reassociate so quickly that there is no perceptible delay
in voice or other time-sensitive applications. See the “Assigning Authentication Types to an SSID”
section on page 8-6 for instructions on enabling CCKM on your bridge.
Using WPA Key Management
Wi-Fi Protected Access (WPA) is a standards-based, interoperable security enhancement that strongly
increases the level of data protection and access control for existing and future wireless LAN systems.
It is derived from the IEEE 802.11i standard. WPA leverages TKIP (Temporal Key Integrity Protocol)
for data protection and 802.1X for authenticated key management.
WPA key management supports two mutually exclusive management types: WPA and WPA-Pre-shared
key (WPA-PSK). Using WPA key management, non-root bridges and the authentication server
authenticate to each other using an EAP authentication method, and the non-root bridge and server
generate a pairwise master key (PMK). Using WPA, the server generates the PMK dynamically and
passes it to the root bridge. Using WPA-PSK, however, you configure a pre-shared key on both the
non-root bridge and the root bridge, and that pre-shared key is used as the PMK.
Note Unicast and multicast cipher suites advertised in the WPA information element (and negotiated during
802.11 association) might not match the cipher suite supported in an explicitly assigned VLAN. If the
RADIUS server assigns a new VLAN ID that uses a cipher suite different from the one negotiated earlier,
the root bridge and the non-root bridge have no way to switch to the new cipher suite, because the WPA
and CCKM protocols currently do not allow the cipher suite to be changed after the initial 802.11 cipher
negotiation phase. In this scenario, the non-root bridge is disassociated from the wireless LAN.
See the “Assigning Authentication Types to an SSID” section on page 8-6 for instructions on configuring
WPA key management on your bridge.
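As an added example that is not part of this guide, the following code walks through the IEEE 802.11i passphrase-to-PSK mapping that produces the PMK when WPA-PSK is used, and shows why both bridges must agree on the SSID as well as the pre-shared key. The function names and the sample bridge passphrase and SSID values are constructed for illustration; the one test vector is the published 802.11i Annex H vector.

```python
import hashlib
import hmac
import re

# IEEE 802.11i passphrase-to-PSK mapping parameters (Annex H).
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32  # 256-bit PSK, used directly as the PMK for WPA-PSK


def wpa_psk_to_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the 256-bit PMK a WPA-PSK bridge would use for this passphrase and SSID.

    A 64-hex-digit value is taken as the raw PSK/PMK with no derivation. Anything
    else must be an 8-63 character printable ASCII passphrase and is run through
    PBKDF2-HMAC-SHA1 with the SSID as the salt, so the PMK is bound to the SSID.
    """
    if re.fullmatch(r"[0-9a-fA-F]{64}", passphrase):
        return bytes.fromhex(passphrase)
    if not (8 <= len(passphrase) <= 63) or not passphrase.isascii() or not passphrase.isprintable():
        raise ValueError("passphrase must be 8-63 printable ASCII characters or 64 hex digits")
    salt = ssid.encode("ascii")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, PBKDF2_ITERATIONS, PMK_LEN)


def bridges_share_pmk(root: tuple[str, str], nonroot: tuple[str, str]) -> bool:
    """True only if the root and non-root (passphrase, ssid) pairs derive the same PMK.

    Uses a constant-time comparison. A mismatch in either the passphrase or the
    SSID means the 4-way handshake that follows association cannot succeed.
    """
    return hmac.compare_digest(wpa_psk_to_pmk(*root), wpa_psk_to_pmk(*nonroot))


if __name__ == "__main__":
    # Published IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
    print(wpa_psk_to_pmk("password", "IEEE").hex())
    # Constructed sample values: same passphrase on both bridges, but one SSID mistyped.
    root = ("bridge-shared-secret", "wmic-backhaul")
    print(bridges_share_pmk(root, ("bridge-shared-secret", "wmic-backhaul")))  # True
    print(bridges_share_pmk(root, ("bridge-shared-secret", "wmic-backhau1")))  # False
```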
Configuring Authentication Types
This section describes how to configure authentication types. You attach authentication types to the
WMIC’s SSID. See Chapter 5, “Configuring SSIDs,” for details on setting up the WMIC SSID. This
section contains these topics:
• Default Authentication Settings, page 8-6
• Assigning Authentication Types to an SSID, page 8-6
• Configuring Authentication Holdoffs, Timeouts, and Intervals, page 8-10