User's Manual

CA (Certificate Authority)
A corporate certification authority implemented on a server. In addition, Internet Explorer's certificate manager can import a certificate from a file. A trusted CA certificate is stored in the root store.
CCX (Cisco Compatible eXtension)
The Cisco Compatible Extensions Program ensures that devices used on Cisco wireless LAN infrastructure meet the security, management and roaming requirements.

Certificate
Used for client authentication. A certificate is registered on the authentication server (for example, a RADIUS server) and used by the authenticator.

CKIP
Cisco Key Integrity Protocol (CKIP) is a Cisco proprietary security protocol for encryption in 802.11 media. CKIP uses a key message integrity check and a message sequence number to improve 802.11 security in infrastructure mode. CKIP is Cisco's version of TKIP.

Client computer
The computer that gets its Internet connection by sharing either the host computer's connection or the access point's connection.

DSSS
Direct Sequence Spread Spectrum. Technology used in radio transmission. Incompatible with FHSS.

EAP
Short for Extensible Authentication Protocol. EAP sits inside the Point-to-Point Protocol's (PPP) authentication protocol and provides a generalized framework for several different authentication methods. EAP is intended to head off proprietary authentication systems and let everything from passwords to challenge-response tokens and public-key infrastructure certificates work smoothly.

EAP-AKA
EAP-AKA (Extensible Authentication Protocol Method for UMTS Authentication and Key Agreement) is an EAP mechanism for authentication and session key distribution, using the Universal Mobile Telecommunications System (UMTS) Subscriber Identity Module (USIM). The USIM card is a special smart card used with cellular networks to validate a given user with the network.

EAP-FAST
EAP-FAST, like EAP-TTLS and PEAP, uses tunneling to protect traffic. The main difference is that EAP-FAST does not use certificates to authenticate.

Provisioning in EAP-FAST is negotiated solely by the client as the first communication exchange when EAP-FAST is requested from the server. If the client does not have a pre-shared secret Protected Access Credential (PAC), it can request to initiate a provisioning EAP-FAST exchange to dynamically obtain one from the server.

EAP-FAST documents two methods to deliver the PAC: manual delivery through an out-of-band secure mechanism, and automatic provisioning.

Manual delivery mechanisms can be any delivery mechanism that the administrator of the network feels is sufficiently secure for their network.

Automatic provisioning establishes an encrypted tunnel to protect the authentication of the client and the delivery of the PAC to the client. This mechanism, while not as secure as a manual method may be, is more secure than the authentication method used in LEAP.

The EAP-FAST method can be divided into two parts: provisioning and authentication. The provisioning phase involves the initial delivery of the PAC to the client. This phase only needs to be performed once per client and user.

EAP-GTC
EAP-GTC (Generic Token Card) is similar to EAP-OTP, except that it is used with hardware token cards. The request contains a displayable message, and the response contains the string read from the hardware token card.
EAP-OTP
EAP-OTP (One-Time Password) is similar to the EAP MD5-Challenge method, except that it uses the OTP as the response. The request contains a displayable message. The OTP method is defined in RFC 2289.
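The RFC 2289 one-time password scheme that EAP-OTP carries is a hash chain: the client derives a 64-bit value from its pass phrase and a seed, hashes it N times, and the server keeps only the last accepted value, so it can check the next password by hashing the response once without ever holding the pass phrase. The following is an added example, not code from this manual or from any vendor implementation; it implements the MD5 variant of RFC 2289 with constructed sample values (the pass phrase "correct horse battery" and seed "TeSt" are made up for the demo) and outputs the password as hex rather than the six-word encoding.

```python
"""RFC 2289 (S/KEY-style) one-time passwords, MD5 variant, with a replay-safe verifier."""
import hashlib
import hmac


def fold_md5(data: bytes) -> bytes:
    """Hash with MD5 and fold the 16-byte digest to 8 bytes (RFC 2289 section 6):
    the first 8 bytes are XORed with the last 8 bytes."""
    digest = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp(passphrase: str, seed: str, count: int) -> bytes:
    """Generate the 64-bit OTP for sequence number `count`.

    Step 1: fold(MD5(seed + pass phrase)), with the seed lower-cased first.
    Step 2: apply fold(MD5(.)) `count` more times.  Each OTP is therefore the
    one-way image of the OTP with the next-lower count, which is what lets the
    server verify a password while storing no secret at all.
    """
    if not (1 <= len(seed) <= 16 and seed.isalnum()):
        raise ValueError("seed must be 1-16 alphanumeric characters (RFC 2289)")
    if len(passphrase) < 10:
        raise ValueError("pass phrase must be at least 10 characters (RFC 2289)")
    value = fold_md5((seed.lower() + passphrase).encode("ascii"))
    for _ in range(count):
        value = fold_md5(value)
    return value


def otp_hex(passphrase: str, seed: str, count: int) -> str:
    """Hexadecimal form of the OTP, grouped as RFC 2289 prints it (e.g. 'D185 4218 EBBB 0B51')."""
    h = otp(passphrase, seed, count).hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, 16, 4))


class OtpVerifier:
    """Server side: stores only the seed, the sequence number and the last accepted OTP."""

    def __init__(self, seed: str, count: int, last_otp: bytes):
        self.seed = seed
        self.count = count          # sequence number of last_otp
        self.last_otp = last_otp

    def challenge(self) -> str:
        """The displayable message the server sends, as in 'otp-md5 98 TeSt'."""
        return f"otp-md5 {self.count - 1} {self.seed}"

    def verify(self, response: bytes) -> bool:
        """Accept `response` only if hashing it once yields the stored value.

        On success the stored value moves one step down the chain, so the same
        response (or any earlier, already-used one) can never be accepted again.
        """
        if self.count < 1:
            return False            # chain exhausted; the user must re-enrol with a new seed
        if not hmac.compare_digest(fold_md5(response), self.last_otp):
            return False
        self.count -= 1
        self.last_otp = response
        return True


def demo() -> dict:
    """Enrol a user at count 99, then play two logins and one replay attempt."""
    passphrase, seed = "correct horse battery", "TeSt"   # constructed sample values
    # Enrolment: the client computes OTP(99) once and hands it to the server.
    server = OtpVerifier(seed, 99, otp(passphrase, seed, 99))
    first = server.verify(otp(passphrase, seed, 98))     # answers challenge 'otp-md5 98 TeSt'
    replay = server.verify(otp(passphrase, seed, 98))    # same response again: must fail
    second = server.verify(otp(passphrase, seed, 97))
    return {"first": first, "replay": replay, "second": second, "count": server.count}


if __name__ == "__main__":
    print(otp_hex("correct horse battery", "TeSt", 99))
    print(demo())
```

The chain property the verifier relies on is `fold_md5(otp(p, s, n - 1)) == otp(p, s, n)`; because the server only ever stores the higher-count value, a captured response is useless once it has been accepted, and a response that skips ahead in the chain is rejected as well.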
EAP-SIM
Extensible Authentication Protocol-Subscriber Identity Module (EAP-SIM) authentication can be used with:
Network Authentication types: Open, Shared, WPA*-Enterprise and WPA2*-Enterprise.
Data Encryption types: None, WEP and CKIP.