11-5
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-30644-01
Chapter 11 Configuring Authentication Types
Understanding Authentication Types
When mutual authentication is complete, the RADIUS server and the client determine a WEP key or
a Pairwise Master Key (WPAv1/v2) that is unique to the client and provides the client with the
appropriate level of network access, thereby approximating the level of security in a wired switched
segment to an individual desktop. The client loads this key and prepares to use it for the logon session.
During the logon session, the RADIUS server encrypts and sends the WEP key, or the WPAv1/v2
Pairwise Master Key, over the wired LAN to the access point. The AP uses this key to encrypt its
broadcast key, and sends the encrypted broadcast key to the client, which uses its identical unicast key
to decrypt it. The client and access point activate encryption and use the unicast and broadcast keys for
all communications during the remainder of the session.
There is more than one type of EAP authentication, but the access point behaves the same way for each
type: it relays authentication messages from the wireless client device to the RADIUS server and from
the RADIUS server to the wireless client device. See the “Assigning Authentication Types to an SSID”
section on page 11-9 for instructions on setting up EAP on the access point.
Note If you use EAP authentication, you can select open or shared key authentication, but you do not have to.
EAP authentication controls authentication both to your access point and to your network.
MAC Address Authentication to the Network
The access point relays the wireless client device’s MAC address to a RADIUS server on your network,
and the server checks the address against a list of allowed MAC addresses. Intruders can create
counterfeit MAC addresses, so MAC-based authentication is less secure than EAP authentication.
However, MAC-based authentication provides an alternate authentication method for client devices that
do not have EAP capability. See the “Assigning Authentication Types to an SSID” section on page 11-9
for instructions on enabling MAC-based authentication.
Tip If you do not have a RADIUS server on your network, you can create a list of allowed MAC addresses
on the access point’s Advanced Security: MAC Address Authentication page. Devices with MAC
addresses not on the list are not allowed to authenticate.
Tip If MAC-authenticated clients on your wireless LAN roam frequently, you can enable a MAC
authentication cache on your access points. MAC authentication caching reduces overhead because the
access point authenticates devices in its MAC-address cache without sending the request to your
authentication server. See the “Configuring MAC Authentication Caching” section on page 11-15 for
instructions on enabling this feature.
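The following is an added example, not code from the Cisco guide, that models the two MAC-authentication behaviours described above: the access point checks a client MAC against the server's allowed list, and with a MAC authentication cache enabled it answers repeat requests itself without consulting the server. The names (MacAuthenticator, normalize_mac), the allowed MACs and the assumption that only successful results are cached are constructed for the illustration; the model shows why a MAC removed from the server's list stays accepted until its cache entry expires.

```python
import re
import time


def normalize_mac(mac: str) -> str:
    """Canonicalise 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455
    to Cisco's dotted form so list lookups do not depend on how a client
    or an administrator wrote the address."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


class MacAuthenticator:
    """Access-point side of MAC-based authentication (constructed model).

    radius_allowed stands in for the list held on the RADIUS server (or on
    the AP's own MAC Address Authentication page when no server is used).
    cache_ttl > 0 enables the MAC authentication cache; only successful
    results are cached here, which is an assumption of this model.
    """

    def __init__(self, radius_allowed, cache_ttl=0.0, clock=time.monotonic):
        self.radius_allowed = {normalize_mac(m) for m in radius_allowed}
        self.cache_ttl = cache_ttl
        self.clock = clock            # injectable for deterministic tests
        self.cache = {}               # mac -> expiry time of the cached accept
        self.server_queries = 0       # how often the server was actually asked

    def authenticate(self, mac: str) -> bool:
        mac = normalize_mac(mac)
        now = self.clock()
        expiry = self.cache.get(mac)
        if expiry is not None and expiry > now:
            return True               # served from cache; server not consulted
        self.server_queries += 1      # cache miss or expired: ask the server
        allowed = mac in self.radius_allowed
        if allowed and self.cache_ttl > 0:
            self.cache[mac] = now + self.cache_ttl
        return allowed
```

The cache removes a server round trip for roaming clients, but revoking a MAC on the server only takes effect for a cached client once its entry expires, so the timeout bounds that window.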
Figure 11-4 shows the authentication sequence for MAC-based authentication.