Cisco Wireless LAN Controller Configuration Guide (OL-17037-01), Chapter 6 Configuring WLANs, page 6-22
Wireless Device Access
Configuring WLANs
Configuring a WLAN for Both Static and Dynamic WEP
You can configure up to four WLANs to support static WEP keys, and you can also configure dynamic WEP on any of these static-WEP WLANs. Follow these guidelines when configuring a WLAN for both static and dynamic WEP:
• The static WEP key and the dynamic WEP key must be the same length.
• When you configure both static and dynamic WEP as the Layer 2 security policy, no other security policies can be specified. That is, you cannot configure web authentication. However, when you configure either static or dynamic WEP alone as the Layer 2 security policy, you can configure web authentication.
WPA1 and WPA2
Wi-Fi Protected Access (WPA or WPA1) and WPA2 are standards-based security solutions from the
Wi-Fi Alliance that provide data protection and access control for wireless LAN systems. WPA1 is
compatible with the IEEE 802.11i standard but was implemented prior to the standard's ratification;
WPA2 is the Wi-Fi Alliance's implementation of the ratified IEEE 802.11i standard.
By default, WPA1 uses Temporal Key Integrity Protocol (TKIP) with a message integrity check (MIC) for data protection, while WPA2 uses the stronger Advanced Encryption Standard in Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (AES-CCMP).
Both WPA1 and WPA2 use 802.1X for authenticated key management by default. However, these
options are also available: PSK, CCKM, and 802.1X+CCKM.
• 802.1X—The standard for wireless LAN security, as defined by IEEE, is called 802.1X for 802.11, or simply 802.1X. An access point that supports 802.1X acts as the interface between a wireless client and an authentication server, such as a RADIUS server, to which the access point communicates over the wired network. If 802.1X is selected, only 802.1X clients are supported.
• PSK—When you choose PSK (also known as WPA pre-shared key or WPA passphrase), you need to configure a pre-shared key (or a passphrase). This key is used as the pairwise master key (PMK) between the clients and the authentication server.
• CCKM—Cisco Centralized Key Management (CCKM) uses a fast rekeying technique that enables clients to roam from one access point to another without going through the controller, typically in under 150 milliseconds (ms). CCKM reduces the time required by the client to mutually authenticate with the new access point and derive a new session key during reassociation. CCKM fast secure roaming ensures that there is no perceptible delay in time-sensitive applications such as wireless Voice over IP (VoIP), enterprise resource planning (ERP), or Citrix-based solutions. CCKM is a CCXv4-compliant feature. If CCKM is selected, only CCKM clients are supported.
Note: The 4.2 or later release of controller software supports CCX versions 1 through 5. CCX support is enabled automatically for every WLAN on the controller and cannot be disabled. The controller stores the CCX version of the client in its client database and uses it to limit client functionality. Clients must support CCXv4 or v5 in order to use CCKM. See the “Configuring Cisco Client Extensions” section on page 6-39 for more information on CCX.
• 802.1X+CCKM—During normal operation, 802.1X-enabled clients mutually authenticate with a new access point by performing a complete 802.1X authentication, including communication with the main RADIUS server. However, when you configure your WLAN for 802.1X and CCKM fast secure roaming, CCKM-enabled clients securely roam from one access point to another without the need to reauthenticate to the RADIUS server. 802.1X+CCKM is considered optional CCKM because both CCKM and non-CCKM clients are supported when this option is selected.
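The following added example (not Cisco's code and not part of this guide) encodes the rules stated above as a pre-deployment check: the two static/dynamic WEP guidelines, and the per-AKM client restrictions (802.1X-only, CCKM-only with its CCXv4/v5 requirement, 802.1X+CCKM, PSK). The `WlanSecurity` model, the key-length values and the client attributes are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of the WLAN Layer 2 settings this section describes (hypothetical field names).
@dataclass
class WlanSecurity:
    static_wep_key_bits: Optional[int] = None   # e.g. 40 or 104; None when static WEP is off
    dynamic_wep_key_bits: Optional[int] = None  # key length delivered via 802.1X; None when off
    web_auth: bool = False                       # Layer 3 web authentication
    akm: Optional[str] = None                    # "802.1X", "PSK", "CCKM" or "802.1X+CCKM"

def validate_wlan(w: WlanSecurity) -> List[str]:
    """Return the guideline violations for a WLAN; an empty list means it is consistent."""
    problems = []
    both_wep = w.static_wep_key_bits is not None and w.dynamic_wep_key_bits is not None
    # Guideline 1: static and dynamic WEP keys on the same WLAN must have the same length.
    if both_wep and w.static_wep_key_bits != w.dynamic_wep_key_bits:
        problems.append("static and dynamic WEP keys must be the same length")
    # Guideline 2: static+dynamic WEP as the Layer 2 policy excludes web authentication.
    # (Static WEP alone or dynamic WEP alone may be combined with web authentication.)
    if both_wep and w.web_auth:
        problems.append("web authentication cannot be combined with static+dynamic WEP")
    return problems

def client_admitted(akm: str, supports_8021x: bool, supports_cckm: bool, ccx_version: int) -> bool:
    """Apply the client restrictions of each key-management option from the text:
    802.1X-only admits only 802.1X clients; CCKM-only admits only CCKM clients, which must
    support CCXv4 or v5; 802.1X+CCKM admits both kinds. ccx_version 0 means no CCX support."""
    cckm_capable = supports_cckm and ccx_version in (4, 5)
    if akm == "802.1X":
        return supports_8021x
    if akm == "CCKM":
        return cckm_capable
    if akm == "802.1X+CCKM":
        return supports_8021x or cckm_capable
    if akm == "PSK":
        # The guide states no client-type restriction for PSK; any client holding the
        # passphrase-derived PMK is admitted (assumption: possession is checked elsewhere).
        return True
    raise ValueError(f"unknown key management option: {akm!r}")
```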