Static Wep Keys; Dynamic Wep Keys With Eap - Cisco AIR-PCM341 Installation And Configuration Manual

Overview of Security Features

Static WEP Keys

Each device (or profile) within your wireless network can be assigned up to four static WEP keys. If a
device receives a packet that is not encrypted with the appropriate key (as the WEP keys of all devices
that are to communicate with each other must match), the device discards the packet and never delivers
it to the intended receiver.
Static WEP keys are write-only and temporary; however, you do not need to re-enter them each time the
client adapter is inserted or the Windows CE device is reset. This is because the keys are stored (in an
encrypted format for security reasons) in the registry of the Windows CE device. When the driver loads
and reads the client adapter's registry parameters, it also finds the static WEP keys, unencrypts them,
and stores them in volatile memory on the adapter.
The ACU Properties screen enables you to view the current WEP key settings for the client adapter and
then to assign new WEP keys or overwrite existing WEP keys as well as to enable or disable static WEP.
Refer to the

Dynamic WEP Keys with EAP

The new standard for wireless LAN security, as defined by the Institute of Electrical and Electronics
Engineers (IEEE), is called 802.1X for 802.11, or simply 802.1X. An access point that supports 802.1X
and its protocol, Extensible Authentication Protocol (EAP), acts as the interface between a wireless
client and an authentication server, such as a Remote Authentication Dial-In User Service (RADIUS)
server, to which the access point communicates over the wired network.
Two 802.1X authentication types can be selected in ACU for use with Windows CE devices:
•
•
Cisco Aironet Wireless LAN Client Adapters Installation and Configuration Guide for Windows CE
5-10
"Using Static WEP" section on page 5-14
EAP-Cisco Wireless (or LEAP)—Support for LEAP is provided not in the Windows CE operating
system but in your client adapter's firmware and the Cisco software that supports it. RADIUS
servers that support LEAP include Cisco Secure ACS version 2.6 and greater, Cisco Access
Registrar version 1.7 and greater, and Funk Software's Steel-Belted RADIUS version 3.0 and
greater.
LEAP is enabled in ACU, and either a saved LEAP username and password are entered in ACU or
a temporary LEAP username and password are entered in WLM. The username and password are
used by the client adapter to perform mutual authentication with the RADIUS server through the
access point. The temporary LEAP username and password are stored in the client adapter's volatile
memory and need to be re-entered whenever a LEAP profile is selected, the client adapter is ejected
and reinserted, or the Windows CE device is reset.
Host Based EAP—Selecting this option enables you to use any 802.1X authentication type for
which your Windows CE device has support. Currently only PPC 2002 devices with the 802.1X
backport support EAP-TLS and PEAP authentication.
EAP-TLS—EAP-TLS is enabled or disabled through the Authentication Manager and uses a
–
dynamic session-based WEP key, which is derived from the client adapter and RADIUS server,
to encrypt data. EAP-TLS requires the use of certificates for authentication.
RADIUS servers that support EAP-TLS include Cisco Secure ACS version 3.0 or greater and
Cisco Access Registrar version 1.8 or greater.
– Protected EAP (or PEAP)—PEAP authentication is designed to support One-Time Password
(OTP), Windows NT or 2000 domain, and LDAP user databases over a wireless LAN. It is based
on EAP-TLS authentication but uses a password instead of a client certificate for authentication.
PEAP is enabled or disabled through the Authentication Manager and uses a dynamic
Chapter 5 Configuring the Client Adapter
for instructions.
OL-1375-03