Cisco Cisco Aironet 1524 Lightweight Outdoor Mesh Access Point
18
Mobile Access Router and Mesh Networks Design Guide
OL-11823-01
Security
Key Management
This section describes the available key management features.
Using CCKM Key Management
Using Cisco Centralized Key Management (CCKM), authenticated client devices can roam from one AP
to another without any perceptible delay during reauthentication. An LWAPP AP on the network
provides secure fast roaming, when the WLC creates a cache of security credentials for CCKM-enabled
devices on the subnet. The WLC cache of credentials dramatically reduces the time required for
reauthentication when a CCKM-enabled client device roams to an AP. When a client device roams and
tries to reauthentication to a new AP served by the same WLC or a WLC belonging to the same mobility
group, the WLC authenticates the client using its cache of client's credentials rather than requiring
RADIUS server to authenticate the client. The reassociation process is reduced to a two-packet exchange
between the roaming client device and the new AP. Roaming client devices reauthentication quickly
enough for there to be no perceptible delay in voice or other time-sensitive applications
to another without any perceptible delay during reauthentication. An LWAPP AP on the network
provides secure fast roaming, when the WLC creates a cache of security credentials for CCKM-enabled
devices on the subnet. The WLC cache of credentials dramatically reduces the time required for
reauthentication when a CCKM-enabled client device roams to an AP. When a client device roams and
tries to reauthentication to a new AP served by the same WLC or a WLC belonging to the same mobility
group, the WLC authenticates the client using its cache of client's credentials rather than requiring
RADIUS server to authenticate the client. The reassociation process is reduced to a two-packet exchange
between the roaming client device and the new AP. Roaming client devices reauthentication quickly
enough for there to be no perceptible delay in voice or other time-sensitive applications
Using WPA Key Management
Wi-Fi Protected Access (WPA) is a standards-based interoperable security enhancement that strongly
increases the level of data protection and access control for existing and future wireless LAN systems.
WPA is derived from the IEEE 802.11i standard. WPA leverages Temporal Key Integrity Protocol
(TKIP) or Advanced Encryption Standard (AES) for data protection.
increases the level of data protection and access control for existing and future wireless LAN systems.
WPA is derived from the IEEE 802.11i standard. WPA leverages Temporal Key Integrity Protocol
(TKIP) or Advanced Encryption Standard (AES) for data protection.
WPA key management supports two mutually exclusive management types: WPA and WPA-Pre-Shared
key (WPA-PSK). Using WPA key management, the client device and the authentication server
authenticate with each other using the EAP authentication method, and the client device and server
generate a pairwise master key (PMK). Using WPA, the server generates the PMK dynamically and
passes it to the root device. With WPA-PSK, you configure a pre-shared key on both the client device
and the root device, and that pre-shared key is used as the PMK.
key (WPA-PSK). Using WPA key management, the client device and the authentication server
authenticate with each other using the EAP authentication method, and the client device and server
generate a pairwise master key (PMK). Using WPA, the server generates the PMK dynamically and
passes it to the root device. With WPA-PSK, you configure a pre-shared key on both the client device
and the root device, and that pre-shared key is used as the PMK.
Note
Unicast and multicast cipher suites advertised in the WPA information element (and negotiated during
802.11 association) could potentially mismatch with the cipher suite supported in an explicitly assigned
VLAN. If the RADIUS server assigns a new VLAN ID which uses a different cipher suite from the
previously negotiated cipher suite, there is no way for the root device and the client device to switch back
to the new cipher suite. Currently, the WPA and CCKM protocols do not allow the cipher suite to be
changed after the initial 802.11 cipher negotiation phase. In this scenario, the non-root bridge is
disassociated from the wireless LAN.)
802.11 association) could potentially mismatch with the cipher suite supported in an explicitly assigned
VLAN. If the RADIUS server assigns a new VLAN ID which uses a different cipher suite from the
previously negotiated cipher suite, there is no way for the root device and the client device to switch back
to the new cipher suite. Currently, the WPA and CCKM protocols do not allow the cipher suite to be
changed after the initial 802.11 cipher negotiation phase. In this scenario, the non-root bridge is
disassociated from the wireless LAN.)
Security Configuration
The default configuration for the WMIC in AP mode has an SSID of autoinstall, which is also configured
as guest mode. In guest mode, the WMIC broadcasts this SSID in its beacon and allows client devices
with no SSID to associate.
as guest mode. In guest mode, the WMIC broadcasts this SSID in its beacon and allows client devices
with no SSID to associate.
Note
By default, the authentication type assigned to autoinstall is open. This enables clients with no security
settings to connect to the MAR3200. In order to secure the MAR, this configuration default must be
changed.
settings to connect to the MAR3200. In order to secure the MAR, this configuration default must be
changed.