Wi-Fi Protected Access (WPA or WPA1) and WPA2 are standards-based security solutions from the Wi-Fi Alliance that provide
data protection and access control for wireless LAN systems. WPA1 is compatible with the IEEE 802.11i standard but was implemented
prior to the standard’s ratification; WPA2 is the Wi-Fi Alliance's implementation of the ratified IEEE 802.11i standard.
By default, WPA1 uses Temporal Key Integrity Protocol (TKIP) with a message integrity check (MIC) for data protection, while WPA2
uses the stronger Advanced Encryption Standard (AES) in Counter Mode with Cipher Block Chaining Message Authentication Code
Protocol (AES-CCMP). Both WPA1 and WPA2 use 802.1X for authenticated key management by default. However, these options are
also available:
- 802.1X—The standard for wireless LAN security, as defined by IEEE, is called 802.1X for 802.11, or simply 802.1X. An access
  point that supports 802.1X acts as the interface between a wireless client and an authentication server, such as a RADIUS
  server, to which the access point communicates over the wired network. If 802.1X is selected, only 802.1X clients are supported.
- PSK—When you choose PSK (also known as WPA preshared key or WPA passphrase), you need to configure a preshared key (or a passphrase).
  This key is used as the pairwise master key (PMK) between the clients and the authentication server.
- CCKM—Cisco Centralized Key Management (CCKM) uses a fast rekeying technique that enables clients to roam from one access point
  to another without going through the controller, typically in under 150 milliseconds (ms). CCKM reduces the time required
  by the client to mutually authenticate with the new access point and derive a new session key during reassociation. CCKM fast
  secure roaming ensures that there is no perceptible delay in time-sensitive applications such as wireless Voice over IP (VoIP),
  enterprise resource planning (ERP), or Citrix-based solutions. CCKM is a CCXv4-compliant feature. If CCKM is selected, only
  CCKM clients are supported.
  When CCKM is enabled, the behavior of access points differs from the controller's for fast roaming in the following ways:
  - If an association request sent by a client has CCKM enabled in the Robust Secure Network Information Element (RSN IE) but
    the CCKM IE is not encoded and only the PMKID is encoded in the RSN IE, the controller does not do a full authentication.
    Instead, the controller validates the PMKID and does a four-way handshake.
  - If an association request sent by a client has CCKM enabled in the RSN IE but the CCKM IE is not encoded and only the PMKID
    is encoded in the RSN IE, the access point does a full authentication. The access point does not use the PMKID sent with
    the association request when CCKM is enabled in the RSN IE.
- 802.1X+CCKM—During normal operation, 802.1X-enabled clients mutually authenticate with a new access point by performing a
  complete 802.1X authentication, including communication with the main RADIUS server. However, when you configure your WLAN
  for 802.1X and CCKM fast secure roaming, CCKM-enabled clients securely roam from one access point to another without the need
  to reauthenticate to the RADIUS server. 802.1X+CCKM is considered optional CCKM because both CCKM and non-CCKM clients are
  supported when this option is selected.
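The PSK option above takes the PMK directly from the configured passphrase, and the CCKM bullets describe the controller validating a PMKID before settling for a four-way handshake instead of a full authentication. The following Python example, added here and not taken from the Cisco documentation, derives the PMK the way WPA/WPA2-PSK does (PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, per IEEE 802.11i) and shows the PMKID check a controller performs against its PMK cache; the MAC addresses and the cache structure are constructed for illustration, and the passphrase/SSID pair is the IEEE 802.11i Annex H test vector.

```python
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    # WPA/WPA2-PSK (IEEE 802.11i): PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 256 bits).
    # The 4096 iterations are a fixed work factor, so the PMK is only as strong as the
    # passphrase behind it; this is why PSK WLANs need long, high-entropy passphrases.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def compute_pmkid(pmk: bytes, ap_mac: bytes, client_mac: bytes) -> bytes:
    # PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA), where AA is the AP BSSID and
    # SPA is the client MAC. A client places this in its RSN IE to claim a cached PMK.
    return hmac.new(pmk, b"PMK Name" + ap_mac + client_mac, hashlib.sha1).digest()[:16]


def validate_pmkid(pmkid_from_client: bytes, pmk_cache: dict, ap_mac: bytes,
                   client_mac: bytes) -> bool:
    # Controller-side check from the CCKM bullets: recompute the PMKID from the cached
    # PMK for this client and compare in constant time. Match -> four-way handshake only;
    # no match or no cache entry -> a full authentication is required.
    pmk = pmk_cache.get(client_mac)
    if pmk is None:
        return False
    return hmac.compare_digest(compute_pmkid(pmk, ap_mac, client_mac), pmkid_from_client)


def demo() -> dict:
    # Constructed values: Annex H vector for the passphrase/SSID; placeholder MACs.
    pmk = derive_pmk("password", "IEEE")
    ap_mac = bytes.fromhex("001122334455")
    client_mac = bytes.fromhex("66778899aabb")
    other_client = bytes.fromhex("ccddeeff0011")
    cache = {client_mac: pmk}          # hypothetical PMK cache keyed by client MAC
    pmkid = compute_pmkid(pmk, ap_mac, client_mac)
    return {
        "pmk_hex": pmk.hex(),
        "pmkid_hex": pmkid.hex(),
        "cached_client_ok": validate_pmkid(pmkid, cache, ap_mac, client_mac),
        "unknown_client_ok": validate_pmkid(pmkid, cache, ap_mac, other_client),
        "wrong_ap_ok": validate_pmkid(pmkid, cache, bytes.fromhex("000000000001"), client_mac),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The PMK for the Annex H vector is f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e; a PMKID only validates for the client and AP pair it was computed over.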
On a single WLAN, you can allow WPA1, WPA2, and 802.1X/PSK/CCKM/802.1X+CCKM clients to join. All of the access points on such
a WLAN advertise WPA1, WPA2, and 802.1X/PSK/CCKM/802.1X+CCKM information elements in their beacons and probe responses. When
you enable WPA1 and/or WPA2, you can also enable one or two ciphers, or cryptographic algorithms, designed to protect data
traffic. Specifically, you can enable AES and/or TKIP data encryption for WPA1 and/or WPA2. TKIP is the default value for
WPA1, and AES is the default value for WPA2.