Setting up Data Encryption and Authentication
Encryption Overview
How to Enable WEP Encryption
System Administrator Tasks
Setting up the Client for WEP and MD5 authentication
Setting up the Client for WPA-PSK using WEP or TKIP
authentication
Setting up the Client for WPA using TKIP encryption and TLS
authentication
Setting up the Client for WPA using TKIP encryption and TTLS or
PEAP authentication
Setting up the Client for
CCX using CKIP encryption and LEAP authentication
Wired Equivalent Privacy (WEP) encryption and shared authentication helps provide protection for your data on the network. WEP uses an encryption key to encrypt data before transmitting it. Only computers using the same encryption key can access the network or decrypt the encrypted data transmitted by other computers. Authentication provides an additional validation process from the adapter to the access point. The WEP encryption algorithm is vulnerable to passive and active network attacks. TKIP and CKIP algorithms include enhancements to the WEP protocol that mitigate existing network attacks and address its shortcomings.
802.11 support two types of network authentication methods; Open System and Shared that use 64-bit and 128-bit WEP encryption. Open does not require an encryption authentication method to associate to a specific access point. Supported authentication schemes are Open and Shared authentication:
When Data Encryption (WEP, CKIP or TKIP) is enabled, a network key is used for encryption. A network key can be provided for you automatically (for example, it might be provided on your wireless network adapter, or you can enter it yourself and specify the key the key length (64-bits or 128-bit), key format (ASCII characters or hexadecimal digits), and key index (the location where a specific key is stored). The longer the key length, the more secure the key. Every time the length of a key is increased by one bit, the number of possible keys double.
Under 802.11, a wireless station can be configured with up to four keys (the key index values are 1, 2, 3, and 4). When an access point or a wireless station transmits an encrypted message using a key that is stored in a specific key index, the transmitted message indicates the key index that was used to encrypt the message body. The receiving access point or wireless station can then retrieve the key that is stored at the key index and use it to decode the encrypted message body.
802.1x uses two types of encryption keys, static and dynamic. Static encryption keys are changed manually and are more vulnerable. MD5 authentication only uses static encryption keys. Dynamic encryption keys are renewed automatically on a periodic basis. This makes the encryption key(s) more secure. To enable dynamic encryption keys, you must use 802.1x authentication methods, such as TLS, TTLS, PEAP or LEAP.
Security in the WLAN can be supplemented by enabling data encryption using WEP (Wireless Encryption Protocol). You can choose a 64 or 128 bit level encryption. Also, the data can then be encrypted with a key. Another parameter called the key index is provides the option to create multiple keys for that profile. However, only one key can be used at a time. You can also choose to password protect the profile to ensure privacy.
The pass phrase is used to generate a WEP key automatically. You have the option of either using a pass phrase or entering a WEP key manually. Using 64-bit encryption, the pass phrase is 5 characters long and you can choose to enter any arbitrary and easy to remember phrase like, Acme1, or enter 10 Hexadecimal characters for the WEP key that matches the network that the connects to. For 128-bit encryption, the pass phrase is 13 characters long or you can enter a 26 hexadecimal characters for the WEP key to get connected to the appropriate network.
Note: You must use the same encryption type, key index number, and WEP key as other devices on your wireless network.
The following example describes how to edit an existing profile and apply WEP encryption.
Note: Before you begin, contact your system administrator for the
network WEP pass phrase or Hex Key.
To enable WEP encryption:
- Use pass phrase: Click Use Pass Phrase to enable. Enter a text phrase, up to five (using 64-bit) or 13 (using 128-bit) alphanumeric characters (0-9, a-z or A-Z), in the pass phrase field.
- Use hex Key: Click Use hex Key to enable. Enter up to ten (using 64-bit) alphanumeric characters, 0-9, A-F, or twenty-six (using 128-bit) alphanumeric characters, 0-9, A-F in the hex key field.
![]() |
NOTE: The following information is intended for system administrators. |
If you do not have any certificates for EAP-TLS, or EAP-TTLS you must get a client certificate to allow authentication. Typically you need to consult with your system network administrator for instructions on how to obtain a certificate on your network. Certificates can be managed from "Internet Settings", accessed from either Internet Explorer or the Windows Control Panel applet. Use the "Content" page of "Internet Settings".
Windows XP and 2000: When obtaining a client certificate, do not enable strong private key protection. If you enable strong private key protection for a certificate, you will need to enter an access password for the certificate each time this certificate is used. You must disable strong private key protection for the certificate if you are configuring the service for TLS/TTLS authentication. Otherwise the 802.1x service will fail authentication because there is no logged in user to whom it can display the prompt dialog.
Notes about Smart Cards
After installing a Smart Card, the certificate is automatically installed on your computer and can be select from the person certificate store and root certificate store.
Step 1: Getting a certificate
To allow TLS authentication, you need a valid client (user) certificate in the local repository for the logged-in user’s account. You also need a trusted CA certificate in the root store.
The following information provides two methods for getting a certificate;
Note: If this is the first certificate you have obtained, the CA will first ask you if it should install a trusted CA certificate in the root store. The dialog will not say this is a trusted CA certificate, but the name on the certificate shown will be that of the host of the CA. Click yes, you need this certificate for both TLS and TTLS.
The following example describes how to use WPA with TKIP encryption using TTLS or PEAP authentication.
Step 2: Specifying the certificate used by Intel(R) PROSet for Wireless
Click the "allow intermediate certificates" checkbox to allow a number of unspecified certificates to be in the server certificate chain between the server certificate and the specified CA. If unchecked, then the specified CA must have directly issued the server certificate.
If you know the server name enter this name.
Select the appropriate option to match the server name exactly or specify the domain name.
Note about Certificates: The specified identity should match the field "Issued to" in the certificate and should be registered on the authentication server (i.e., RADIUS server) that is used by the authenticator. Your certificate must be "valid" with respect to the authentication server. This requirement depends on the authentication server and generally means that the authentication server must know the issuer of your certificate as a Certificate Authority. You should be logged in using the same username you used when the certificate was installed.
To add WEP and MD5 authentication to a new profile:
Note: Before you begin, contact your system administrator for the username and password on the RADIUS server.
NOTE: To install the 802.1x password synchronization capability feature (Use Windows Logon), refer to Installing or Uninstalling the 802.1x Password Synchronization Capability Feature for installation instructions.
Use Wi-Fi Protected Access - Pre Shared Key (WPA-PSK) mode if there is no authentication server being used. This mode does not use any 802.1x authentication protocol, It can be used with the data encryption types: WEP or TKIP. WPA-PSK requires configuration of a pre-shared key (PSK). You must enter a pass phrase or 64 hex characters for a Pre-Shared Key of length 256-bits. The data encryption key is derived from the PSK.
To configure a profile using WPA-PSK:
Wi-Fi Protected Access (WPA) mode can be used with TLS, TTLS, or PEAP. This 802.1x authentication protocol using data encryption options; WEP or TKIP. Wi-Fi Protected Access (WPA) mode binds with 802.1x authentication. The data encryption key is received from the 802.1x key exchange. To improve data encryption, Wi-Fi Protected Access utilizes its Temporal Key Integrity Protocol (TKIP). TKIP provides important data encryption enhancements including a re-keying method.
Click the "allow intermediate certificates" checkbox to allow a number of unspecified certificates to be in the server certificate chain between the server certificate and the specified CA. If unchecked, then the specified CA must have directly issued the server certificate.
If you know the server name enter this name.
Select the appropriate option to match the server name exactly or specify the domain name.
Note about Certificates: The specified identity should match the field "Issued to" in the certificate and should be registered on the authentication server (i.e., RADIUS server) that is used by the authenticator. Your certificate must be "valid" with respect to the authentication server. This requirement depends on the authentication server and generally means that the authentication server must know the issuer of your certificate as a Certificate Authority. You should be logged in using the same username you used when the certificate was installed.
Using TTLS authentication: These settings define the protocol and the credentials used to authenticate a user. In TTLS, the client uses EAP-TLS to validate the server and create a TLS-encrypted channel between the client and server. The client can use another authentication protocol, typically password-based protocols, such as MD5 Challenge over this encrypted channel to enable server validation. The challenge and response packets are sent over a non-exposed TLS encrypted channel.
Using PEAP authentication: PEAP settings are required for the authentication of the client to the authentication server. In PEAP, the client uses EAP-TLS to validate the server and create a TLS-encrypted channel between client and server. The client can use another EAP mechanism, such as Microsoft Challenge Authentication Protocol (MSCHAP) Version 2, over this encrypted channel to enable server validation. The challenge and response packets are sent over a non-exposed TLS encrypted channel.
The following example describes how to use WPA with TKIP encryption using TTLS or PEAP authentication.
NOTE: To install the 802.1x password synchronization capability feature (Use Windows Logon), refer to Installing or Uninstalling the 802.1x Password Synchronization Capability Feature for installation instructions.
Click the "allow intermediate certificates" checkbox to allow a number of unspecified certificates to be in the server certificate chain between the server certificate and the specified CA. If unchecked, then the specified CA must have directly issued the server certificate.
If you know the server name enter this name.
Select the appropriate option to match the server name exactly or specify the domain name.
Note about Certificates: The specified identity should match the field "Issued to" in the certificate and should be registered on the authentication server (i.e., RADIUS server) that is used by the authenticator. Your certificate must be "valid" with respect to the authentication server. This requirement depends on the authentication server and generally means that the authentication server must know the issuer of your certificate as a Certificate Authority. You should be logged in using the same username you used when the certificate was installed.
![]() |
NOTE: A LEAP profile can only be configured using Intel(R) PROSet for Wireless. |
An Intel(R) PROSet for Wireless CCX (v1.0) profile must be configured to connect to a specific ESS or Wireless LAN network. The profiles settings include LEAP, CKIP and Rogue AP detection settings.
To configure a profile for CCX security settings:
NOTE: To install the 802.1x password synchronization capability feature (Use Windows Logon), refer to Installing or Uninstalling the 802.1x Password Synchronization Capability Feature for installation instructions.
The access point provides settings to select different authentication types depending on the WLAN environment. The client sends an Authentication algorithm field during the 802.11 authentication handshake that takes place between the client and the AP during connection establishment. The Authentication algorithm values recognized by a CCX enabled AP is different for the different authentication types. For instance "Network-EAP" which denotes LEAP has a value of 0x80 while "Open" which is the 802.11 specified Open authentication and "Required EAP" which requires an EAP handshake exchange have values of 0x0.
AP: For CCX enabled networks using LEAP authentication only the authentication type is set with "Network-EAP" checkbox selected, and "Open" and "Required EAP" boxes unchecked. The AP is then configured to allow LEAP clients ONLY to authenticate and connect. In this case, the AP expects the 802.11 authentication algorithm to be set to 0x80 (LEAP), and rejects clients that attempt authentication with an Authentication algorithm value 0x0.
Client: In this case the client needs to send out an authentication algorithm value of 0x80 else the 802.11 authentication handshake would fail. During boot, when the Wireless LAN driver is already loaded, but the Intel(R) PROSet for Wireless supplicant is still unloaded, the client sends 802.11 authentication with an Authentication algorithm value of 0x0. Once the Intel(R) PROSet for Wireless supplicant loads, and engages the LEAP profile, it sends 802.11 authentication with an Authentication algorithm value of 0x80. However, the supplicant sends out 0x80 only if the Rogue AP box is checked.
Network-EAP, Open and Required EAP
AP: If Network-EAP, Open and Required EAP boxes are checked then it would accept both types of 802.11 authentication algorithm values 0x0 and 0x80. However, once the client is associated and authenticated the AP expects an EAP handshake to take place. For any reason if the EAP handshake does not take place quickly, the AP would not respond to the client for about 60 seconds.
Client: Here the client could send out an authentication algorithm value of 0x80 or 0x0. Both values are acceptable and the 802.11 authentication handshake would succeed. During boot, when the Wireless LAN driver is already loaded and the client sends 802.11 authentication with an Authentication algorithm value of 0x0. This is sufficient to get authenticated but the corresponding EAP or LEAP credentials need to be communicated to the AP to establish a connection.
AP: In the case where the AP is configured with Network-EAP unchecked, but Open and Required EAP checked, the AP will reject any client attempting to 802.11 authenticate using an authentication algorithm value of 0x80. The AP would accept any client using an authentication algorithm value of 0x0, and expects EAP handshake to commence soon after. In this case, the client uses MD5, TLS, LEAP or any other appropriate EAP method suitable for the specific network configuration.
Client: The client in this case is required to send out an authentication algorithm value of 0x0. As mentioned before the sequence involves a repeat of the initial 802.11 authentication handshake. First, the Wireless LAN driver initiates authentication with a value of 0x0 and later the supplicant would repeat the process. However, the authentication algorithm value used by the supplicant depends status of the Rogue AP checkbox. When the Rogue AP box is unchecked, the client sends an 802.11 authentication with Authentication algorithm value of 0x0 even after the supplicant loads and engages the LEAP profile.
Some non-Intel clients, for example, when set to LEAP, cannot authenticate in this case. However, the Intel Wireless LAN client can authenticate, if the Rogue AP is unchecked.
When the checkbox is checked it ensures that the client implements the Rogue AP feature as required by CCX. The client makes note of APs that it failed to authenticate with and sends this information to the AP that allows it to authenticate and connect. Also, the supplicant sets the Authentication algorithm type to 0x80 when the Rogue AP box is checked. There may be some network configurations implementing and Open and Required EAP only as described above. For this setup to work, the client must use an Authentication Algorithm value of 0x0, as opposed to the need to use 0x80 for Network-EAP only described above. Therefore, the Rogue AP checkbox also enables the client to support Network-EAP only and Open and Required EAP only.
The Cisco mandatory Client Compliance Specifications Version1.0:
Compliance to all mandatory items of 802.11
De-fragmentation of MSDUs and MMPDUs
Generate CTS in response to an RTS
Open and Shared key authentication support
Support Active scanning
Wi-Fi compliance required
On Windows platforms, Microsoft 802.11 NIC compliance
802.1X-2001 Compliance
EAP-TLS (Transport Level Security, RFC 2716) support on Windows XP
EAP-MD4 (RFC 1320) support on Windows XP
EAP packets to be sent unencrypted
Broadcast key rotation support
CKIP support
WEP/RC4 support
Support of 4 keys for WEP
Both WEP40 and WEP128 keys are supported
LEAP support is required
Rogue AP reporting support
Cisco Extension: Aironet IE support – CWmin and CWmax fields
Encapsulation Transformation Rule IE support
Cisco Extension: AP IP address IE
Cisco Extension: Symbol IE
Mixed (WEP and non-WEP) cells
AP may respond to more than one SSID – VLAN awareness
Stealth mode support - Clients should ignore missing SSIDs in beacons
Multiple SSID support – Client should be able to roam up to 3 SSIDs
Client to use configured SSID in probe request
Note: Please refer to Cisco Client extensions version 1.0 document available at www.cisco.com for more details.
Please read all restrictions and disclaimers.