Authentication Types
Understanding Authentication Types
Cisco 3200 Series Wireless MIC Software Configuration Guide
MAC Address Authentication to the Network
The access point relays the wireless client device’s MAC address to a RADIUS server on the network,
and the server checks the address against a list of allowed MAC addresses. Because intruders can create
counterfeit MAC addresses, MAC-based authentication is less secure than EAP authentication.
However, MAC-based authentication does provide an alternate authentication method for client devices
that do not have EAP capability.
Tip
If you do not have a RADIUS server on your network, you can create a list of allowed MAC addresses
on the access point’s Advanced Security: MAC Address Authentication page. Devices with MAC
addresses not on the list are not allowed to authenticate.
Tip
If MAC-authenticated clients on your wireless LAN roam frequently, you can enable a MAC
authentication cache on your access points. MAC authentication caching reduces overhead because the
access point authenticates devices in its MAC-address cache without sending the request to your
authentication server. See the “Configuring MAC Authentication Caching” section on page 11-15 for
instructions on enabling this feature.
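The two tips above describe a local allow-list (when no RADIUS server exists) and a MAC authentication cache (to avoid a server round trip on every reassociation). The following Python model is an added example, not code from the guide or from the access point software; the RADIUS server is a constructed in-memory callable, the `cache_ttl` parameter and the positive-only caching policy are assumptions of this example, and MAC addresses are normalized so that colon, dash and dotted forms compare equal.

```python
import re
import time
from typing import Callable, Dict, Iterable, Optional, Tuple

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Canonical lower-case, separator-free form so 00:1A:2B:3C:4D:5E,
    001a.2b3c.4d5e and 00-1a-2b-3c-4d-5e all compare equal."""
    cleaned = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _HEX12.match(cleaned):
        raise ValueError(f"not a MAC address: {mac!r}")
    return cleaned


class MacAuthenticator:
    """Decides whether a client MAC may authenticate to the network.

    radius_lookup: callable returning True/False for a MAC, or None when no
                   RADIUS server is configured (the local list decides then).
    local_allow:   allow-list kept on the access point itself.
    cache_ttl:     seconds a successful RADIUS verdict is reused before the
                   server is asked again (0 disables the cache).
    """

    def __init__(self, radius_lookup: Optional[Callable[[str], bool]] = None,
                 local_allow: Iterable[str] = (), cache_ttl: float = 0.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.radius_lookup = radius_lookup
        self.local_allow = {normalize_mac(m) for m in local_allow}
        self.cache_ttl = cache_ttl
        self.clock = clock
        self._cache: Dict[str, float] = {}   # MAC -> time of last successful auth
        self.radius_queries = 0              # counter that shows the caching effect

    def authenticate(self, mac: str) -> bool:
        mac = normalize_mac(mac)
        if self.radius_lookup is None:
            # No RADIUS server: only addresses on the access point's list pass.
            return mac in self.local_allow
        now = self.clock()
        seen = self._cache.get(mac)
        if seen is not None and now - seen < self.cache_ttl:
            return True                      # served from the MAC authentication cache
        self.radius_queries += 1
        allowed = bool(self.radius_lookup(mac))
        if allowed and self.cache_ttl > 0:
            # Only successful verdicts are cached (assumption of this example),
            # so a rejected device is re-checked on every attempt.
            self._cache[mac] = now
        return allowed


def demo() -> Tuple[int, int]:
    """Constructed scenario: one roaming client authenticates five times, one
    second apart, once with a 60 s cache and once without. Returns the number
    of RADIUS queries made in each case."""
    allowed = {"001a2b3c4d5e"}              # constructed RADIUS allow-list
    radius = lambda m: m in allowed
    fake_time = [0.0]
    clock = lambda: fake_time[0]
    cached = MacAuthenticator(radius, cache_ttl=60, clock=clock)
    uncached = MacAuthenticator(radius, cache_ttl=0, clock=clock)
    for _ in range(5):
        fake_time[0] += 1.0
        assert cached.authenticate("00:1A:2B:3C:4D:5E")
        assert uncached.authenticate("00-1a-2b-3c-4d-5e")
    return cached.radius_queries, uncached.radius_queries


if __name__ == "__main__":
    print("RADIUS queries (cached, uncached):", demo())
```

The counters make the overhead argument of the second tip concrete: with caching the server is asked once per TTL window, without it once per association. The weakness named in the text is unchanged by any of this: the decision rests only on an address the client itself reports, so MAC authentication should be treated as device filtering rather than as proof of identity.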
Using CCKM Key Management
Using Cisco Centralized Key Management (CCKM), EAP-authenticated client devices can roam from
one root device to another without any perceptible delay during reassociation. A root device or switch
on the network provides Wireless Domain Services (WDS) and creates a cache of security credentials
for CCKM-enabled devices on the subnet. The WDS device’s cache of credentials dramatically reduces
the time required for reassociation when a CCKM-enabled client device roams to a new root device.
When a client device roams and tries to reassociate to a root device served by the same WDS device that
served the previous root device, the WDS device authenticates the client by using its cache of clients’
credentials rather than requiring the RADIUS server to authenticate the client. The reassociation process
is reduced to a two-packet exchange between the roaming client device and the new root device.
Roaming client devices reassociate quickly enough for there to be no perceptible delay in voice or other
time-sensitive applications. See the “Assigning Authentication Types to an SSID” section on page 16 for
instructions on enabling CCKM on your bridge.
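The roaming rule above has one condition worth modelling: the credential cache is used only when the new root device is served by the same WDS device that served the previous one. The Python below is an added example that is not part of the guide or of the Cisco software; the `WDS`, `RootDevice` and `reassociate` names are this example's own, the EAP/RADIUS authentication is simulated with random bytes standing in for the server-derived PMK, and the outcome labels "fast" (cache hit, the two-packet exchange) and "full" (new EAP authentication) are constructed for illustration.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class WDS:
    """Wireless Domain Services device: after a client's full EAP
    authentication it keeps that client's credentials for its subnet."""
    name: str
    radius_calls: int = 0
    cache: Dict[str, bytes] = field(default_factory=dict)

    def full_eap_auth(self, client: str) -> bytes:
        # Stand-in for EAP via the RADIUS server; the PMK the server would
        # derive is simulated here with 32 random bytes (constructed).
        self.radius_calls += 1
        pmk = secrets.token_bytes(32)
        self.cache[client] = pmk
        return pmk


@dataclass
class RootDevice:
    name: str
    wds: WDS


def reassociate(client: str, new_root: RootDevice,
                previous_root: Optional[RootDevice]) -> str:
    """'fast' when the new root device's WDS already holds the client's
    credentials from the previous root device (same WDS device), otherwise
    'full' because the RADIUS server has to authenticate the client again."""
    wds = new_root.wds
    if previous_root is not None and previous_root.wds is wds and client in wds.cache:
        return "fast"
    wds.full_eap_auth(client)
    return "full"


def demo() -> Tuple[List[str], int, int]:
    """Constructed roaming path across two WDS domains. Returns the outcome of
    each hop and the RADIUS authentications seen by each WDS device."""
    wds_a, wds_b = WDS("wds-a"), WDS("wds-b")
    root1, root2 = RootDevice("root-1", wds_a), RootDevice("root-2", wds_a)
    root3 = RootDevice("root-3", wds_b)
    client = "00:1a:2b:3c:4d:5e"                     # constructed client
    path = [None, root1, root2, root1, root3, root2]   # initial join, then roams
    results = [reassociate(client, nxt, prev) for prev, nxt in zip(path, path[1:])]
    return results, wds_a.radius_calls, wds_b.radius_calls


if __name__ == "__main__":
    print(demo())
```

Hops between root-1 and root-2 are served from wds-a's cache; the move to root-3 crosses into wds-b and costs a full authentication, and so does the move back, because the previous root device was not served by wds-a. Sizing WDS domains so that the usual roaming paths stay inside one of them is therefore what makes the fast path apply.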
Using WPA Key Management
Wi-Fi Protected Access (WPA) is a standards-based, interoperable security enhancement that strongly
increases the level of data protection and access control for existing and future wireless LAN systems.
It is derived from the IEEE 802.11i standard. WPA leverages Temporal Key Integrity Protocol (TKIP)
and/or Advanced Encryption Standard (AES) for data protection.
WPA key management supports two mutually exclusive management types: WPA and WPA-pre-shared
key (WPA-PSK). Using WPA key management, the client device and the authentication server
authenticate with each other using the EAP authentication method, and the client device and server
generate a pairwise master key (PMK). Using WPA, the server generates the PMK dynamically and
passes it to the root device. With WPA-PSK, you configure a pre-shared key on both the client device
and the root device, and that pre-shared key is used as the PMK.
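The paragraph above distinguishes the two ways a PMK comes into existence. As an added example (not code from the guide or from the Cisco software), the Python below derives the PMK for the WPA-PSK case with the IEEE 802.11i passphrase-to-PSK mapping, which is PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations and a 256-bit output, and contrasts it with a per-session PMK standing in for the server-generated WPA case. The assumption that the pre-shared key may be entered either as an ASCII passphrase or as 64 hex digits is this example's, and the `pmk_from_preshared_key` name is its own; the "password"/"IEEE" values are the published 802.11i test vector.

```python
import hashlib
import secrets


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i passphrase-to-PSK mapping. The 256-bit result is the PMK
    in WPA-PSK, identical on every device configured with the same passphrase
    and SSID, so its strength is exactly the passphrase's entropy."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("802.11i passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("ascii"), 4096, 32)


def pmk_from_preshared_key(psk: str, ssid: str) -> bytes:
    """Accepts the pre-shared key either as 64 hex digits (used as the PMK
    directly) or as an ASCII passphrase (mapped through PBKDF2)."""
    if len(psk) == 64:
        try:
            return bytes.fromhex(psk)
        except ValueError:
            pass                       # not hex: treat it as a passphrase
    return pmk_from_passphrase(psk, ssid)


def pmk_from_eap_server() -> bytes:
    """WPA (EAP) mode: the authentication server derives a fresh PMK from each
    EAP exchange and passes it to the root device. Simulated here with random
    bytes; a real PMK comes out of the EAP method's key derivation."""
    return secrets.token_bytes(32)


def demo() -> dict:
    """Shows the two behaviours side by side: WPA-PSK yields one shared,
    reproducible PMK; WPA yields a distinct PMK per authentication."""
    psk_a = pmk_from_preshared_key("password", "IEEE")
    psk_b = pmk_from_preshared_key("password", "IEEE")
    eap_a, eap_b = pmk_from_eap_server(), pmk_from_eap_server()
    return {"psk_hex": psk_a.hex(), "psk_shared": psk_a == psk_b,
            "eap_distinct": eap_a != eap_b}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two booleans returned by `demo()` are the operational difference the paragraph draws: under WPA-PSK every client and root device holds the same long-lived PMK, so changing the passphrase means reconfiguring all of them, while under WPA the PMK is per session and never needs to be provisioned by hand.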