Cisco Aironet 1200 Access Point Brochure
© 2005 Cisco Systems, Inc. All rights reserved.
Important notices, privacy statements, and trademarks of Cisco Systems, Inc. can be found on cisco.com.
Page 8 of 15
WPA addresses all known WEP vulnerabilities in the original IEEE 802.11 security implementation, bringing an immediate security solution to WLANs in both enterprise and small office/home office (SOHO) environments. WPA uses TKIP for encryption.
WPA2 is the next generation of Wi-Fi security. It is the Wi-Fi Alliance's interoperable implementation of the ratified IEEE 802.11i standard. It implements the National Institute of Standards and Technology (NIST) recommended AES encryption algorithm using Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). WPA2 facilitates government FIPS 140-2 compliance (see Table 1).
Table 1. Comparison of WPA and WPA2 Mode Types

Enterprise Mode (Business, Government, Education)
  WPA:  • Authentication: IEEE 802.1X/EAP  • Encryption: TKIP/MIC
  WPA2: • Authentication: IEEE 802.1X/EAP  • Encryption: AES-CCMP

Personal Mode (SOHO, Home/Personal)
  WPA:  • Authentication: PSK  • Encryption: TKIP/MIC
  WPA2: • Authentication: PSK  • Encryption: AES-CCMP
IEEE 802.1X Authentication and the Extensible Authentication Protocol
The IEEE has adopted 802.1X as a standard for authentication on wired and wireless networks. 802.1X is supported by both WPA-Enterprise Mode
and WPA2-Enterprise Mode. 802.1X provides WLANs with strong, mutual authentication between a client and an authentication server. In addition,
802.1X provides dynamic per-user, per-session encryption keys, removing the administrative burden and security issues surrounding static
encryption keys.
With 802.1X, the credentials used for authentication, such as logon passwords, are never transmitted in the clear (that is, without encryption) over the wireless medium. While 802.1X authentication types provide strong authentication for wireless LANs, TKIP or AES is needed for encryption in addition to 802.1X, since standard 802.11 WEP encryption is vulnerable to network attacks.
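The key derivations behind Table 1 and the per-session keys described above, as an added Python example that is not Cisco's code and does not appear in the brochure: in Personal mode the pairwise master key (PMK) is derived from the shared passphrase and SSID with PBKDF2-HMAC-SHA1, so every station on the SSID holds the same PMK; in either mode the 4-way handshake then expands the PMK into a pairwise transient key (PTK) from the access point and station addresses plus two fresh nonces, which is what makes the resulting keys per-session. In Enterprise mode the PMK instead comes out of the 802.1X/EAP exchange and is not derived here. The MAC addresses and nonces are constructed sample values; the "password"/"IEEE" pair is the published IEEE 802.11i Annex H test vector.

```python
import hashlib
import hmac


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).

    Every station configured with the same passphrase and SSID derives the same PMK,
    which is why Personal mode gives no per-user identity and no per-user master key.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ...
    and truncate to nbytes."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
               cipher: str = "ccmp") -> dict:
    """Expand a PMK into the per-session PTK as the 4-way handshake does.

    aa/spa are the 6-byte AP and station MAC addresses, anonce/snonce the 32-byte nonces
    exchanged in messages 1 and 2. CCMP needs 48 bytes (KCK || KEK || TK); TKIP needs
    64 bytes because it adds two 8-byte Michael MIC keys. Inputs are ordered with
    min()/max() so both sides compute the same value regardless of role.
    """
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    length = 48 if cipher == "ccmp" else 64
    ptk = prf(pmk, b"Pairwise key expansion", data, length)
    keys = {
        "kck": ptk[:16],    # Key Confirmation Key: MICs the handshake messages
        "kek": ptk[16:32],  # Key Encryption Key: wraps the group key in message 3
        "tk": ptk[32:48],   # Temporal Key: the actual data-encryption key
    }
    if cipher == "tkip":
        keys["mic_tx"] = ptk[48:56]
        keys["mic_rx"] = ptk[56:64]
    return keys


def demo() -> dict:
    """Derive a Personal-mode PMK, then two PTKs that differ only in the AP nonce.

    Constructed sample values (not from the brochure): the addresses and nonces below.
    """
    pmk = wpa_psk("password", "IEEE")           # IEEE 802.11i Annex H test vector inputs
    aa = bytes.fromhex("a0a1a2a3a4a5")          # constructed AP address
    spa = bytes.fromhex("b0b1b2b3b4b5")         # constructed station address
    snonce = bytes(range(32))                   # constructed station nonce
    session1 = derive_ptk(pmk, aa, spa, bytes([0x11] * 32), snonce)
    session2 = derive_ptk(pmk, aa, spa, bytes([0x22] * 32), snonce)
    return {
        "pmk": pmk.hex(),
        "tk_session1": session1["tk"].hex(),
        "tk_session2": session2["tk"].hex(),
        "same_pmk_different_tk": session1["tk"] != session2["tk"],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point for a deployment decision is visible in `demo()`: the PMK is a pure function of passphrase and SSID, so in Personal mode the secrecy of one shared passphrase is the whole master-key security, while the per-session TK changes with every handshake. Enterprise mode keeps the per-session expansion but replaces the shared PMK with one produced per user by the 802.1X/EAP exchange, which is the "dynamic per-user, per-session" property the brochure describes.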
Several 802.1X authentication types exist, each providing a different approach to authentication while relying on the same framework and EAP for communication between a client and an access point. Cisco Aironet products support more 802.1X EAP authentication types than any other WLAN products. Supported types include: Cisco LEAP, EAP-Flexible Authentication via Secure Tunneling (EAP-FAST), EAP-Transport Layer Security (EAP-TLS), Protected Extensible Authentication Protocol (PEAP), EAP-Tunneled TLS (EAP-TTLS), and EAP-Subscriber Identity Module (EAP-SIM).
Cisco recommends that customers evaluate their networks and security environments to select the best EAP authentication type for their
802.1X deployment. Areas to evaluate when selecting an EAP type include the type of security mechanism used for security credentials, the user
authentication database, the client operating systems in use, the available client supplicants, the type of user login needed, and RADIUS or AAA
servers.
Each EAP type has advantages and disadvantages. Trade-offs exist between the security provided, EAP type manageability, the operating systems supported, the client devices supported, the client software and authentication messaging overhead, certificate requirements, user ease of use, and WLAN infrastructure device support. Multiple EAP types might also be used within a network to meet specific authentication, client device, or end user needs.
A wide selection of RADIUS servers, such as the Cisco Secure Access Control Server (ACS) and Cisco CNS Access Registrar®, or third-party AAA RADIUS servers such as Interlink Networks (AAA RADIUS), can be used for 802.1X authentication.