Cisco SD2008T-NA Configuration Manual page 181

Chapter 6 Configuring WLANsWireless Device Access
By default, WPA1 uses Temporal Key Integrity Protocol (TKIP) and message integrity check (MIC) for
data protection while WPA2 uses the stronger Advanced Encryption Standard encryption algorithm
using Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (AES-CCMP).
Both WPA1 and WPA2 use 802.1X for authenticated key management by default. However, these
options are also available: PSK, CCKM, and 802.1X+CCKM.
•
•
•
•
On a single WLAN, you can allow WPA1, WPA2, and 802.1X/PSK/CCKM/802.1X+CCKM clients to
join. All of the access points on such a WLAN advertise WPA1, WPA2, and 802.1X/PSK/CCKM/
802.1X+CCKM information elements in their beacons and probe responses. When you enable WPA1
and/or WPA2, you can also enable one or two ciphers, or cryptographic algorithms, designed to protect
data traffic. Specifically, you can enable AES and/or TKIP data encryption for WPA1 and/or WPA2.
TKIP is the default value for WPA1, and AES is the default value for WPA2.
You can configure WPA1+WPA2 through either the GUI or the CLI.
Using the GUI to Configure WPA1+WPA2
Follow these steps to configure a WLAN for WPA1+WPA2 using the controller GUI.
Click WLANs to access the WLANs page.
Step 1
Click the Edit link for the desired WLAN to access the WLANs > Edit page (see
Step 2
OL-1926-06OL-9141-03
802.1X—The standard for wireless LAN security, as defined by IEEE, is called 802.1X for 802.11,
or simply 802.1X. An access point that supports 802.1X acts as the interface between a wireless
client and an authentication server, such as a RADIUS server, to which the access point
communicates over the wired network. If 802.1X is selected, only 802.1X clients are supported.
PSK—When you choose PSK (also known as WPA pre-shared key or WPA passphrase), you need
to configure a pre-shared key (or a passphrase). This key is used as the pairwise master key (PMK)
between the clients and the authentication server.
CCKM—Cisco Centralized Key Management (CCKM) uses a fast rekeying technique that enables
clients to roam from one access point to another without going through the controller, typically in
under 150 milliseconds (ms). CCKM reduces the time required by the client to mutually authenticate
with the new access point and derive a new session key during reassociation. CCKM fast secure
roaming ensures that there is no perceptible delay in time-sensitive applications such as wireless
Voice over IP (VoIP), enterprise resource planning (ERP), or Citrix-based solutions. CCKM is a
CCXv4-compliant feature. If CCKM is selected, only CCKM clients are supported.
The 4.0 release of controller software supports CCX versions 1 through 4. CCX support is
Note
enabled automatically for every WLAN on the controller and cannot be disabled. The
controller stores the CCX version of the client in its client database and uses it to limit client
functionality. Clients must support CCX v4 in order to use CCKM. See the
Quality of Service Profiles" section on page 6-19
802.1X+CCKM—During normal operation, 802.1X-enabled clients mutually authenticate with a
new access point by performing a complete 802.1X authentication, including communication with
the main RADIUS server. However, when you configure your WLAN for 802.1X and CCKM fast
secure roaming, CCKM-enabled clients securely roam from one access point to another without the
need to reauthenticate to the RADIUS server. 802.1X+CCKM is considered optional CCKM
because both CCKM and non-CCKM clients are supported when this option is selected.
for more information on CCX.
Cisco Wireless LAN Controller Configuration Guide
Configuring WLANs
"Configuring
Figure 6-1).
6-9