Encryption Overview
WEP Encryption and Authentication
802.1x Authentication
What is a RADIUS
Wi-Fi Protected Access (WPA)
PEAP
Cisco LEAP
Security in the WLAN can be supplemented by enabling data encryption using WEP (Wired Equivalent Privacy). You can choose 64-bit or 128-bit encryption. The data is then encrypted with a key. Another parameter, the key index, lets you define multiple keys for a profile; however, only one key can be used at a time. You can also password-protect an Intel(R) PROSet for Wireless profile to ensure privacy. A pass phrase is used to generate a WEP key automatically; you have the option of either using a pass phrase or entering a WEP key manually. With 64-bit encryption, the pass phrase is 5 characters long, so you can enter any arbitrary, easy-to-remember phrase such as Acme1, or you can enter 10 hexadecimal digits for the WEP key corresponding to the network you want to connect to. With 128-bit encryption, the pass phrase is 13 characters long, or you can enter 26 hexadecimal digits for the WEP key of the appropriate network.
Wired Equivalent Privacy (WEP) encryption and shared authentication provides protection for your data on the network. WEP uses an encryption key to encrypt data before transmitting it. Only computers using the same encryption key can access the network or decrypt the encrypted data transmitted by other computers. Authentication provides an additional validation process from the adapter to the access point.
Supported authentication schemes are Open and Shared-Key authentication:
When Data Encryption (WEP, CKIP or TKIP) is enabled, a network key is used for encryption. A network key can be provided for you automatically (for example, it might be provided on your wireless network adapter), or you can enter it yourself and specify the key length (64-bit or 128-bit), key format (ASCII characters or hexadecimal digits), and key index (the location where a specific key is stored). The longer the key length, the more secure the key: every time the length of a key is increased by one bit, the number of possible keys doubles. Under 802.11, a wireless station can be configured with up to four keys (the key index values are 1, 2, 3, and 4). When an access point or a wireless station transmits an encrypted message using a key that is stored in a specific key index, the transmitted message indicates the key index that was used to encrypt the message body. The receiving access point or wireless station can then retrieve the key that is stored at that key index and use it to decode the encrypted message body.
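The key parameters described above (key length, ASCII or hexadecimal format, and the key index that a frame advertises so the receiver knows which of the four stored keys to use) can be modelled in a few lines. The following is an added illustration written for this page, not code from the Intel(R) PROSet for Wireless utility: it validates a key entered in either format at 64 or 128 bits, stores it in one of four index slots, and encodes or decodes the 2-bit Key ID that 802.11 carries in the fourth byte of a WEP frame's IV field. Taking the ASCII pass phrase byte-for-byte as the key is an assumption; the real utility may derive the key differently.

```python
"""WEP key configuration and key index handling (added illustration).

A "64-bit" WEP key holds 40 secret bits and a "128-bit" key holds 104; the
remaining 24 bits of each are the per-frame initialization vector (IV).
"""
import re

KEY_BYTES = {64: 5, 128: 13}   # secret key bytes per advertised key length
IV_BYTES = 3


def parse_wep_key(value: str, bits: int) -> bytes:
    """Accept a 5/13-character ASCII pass phrase or a 10/26-digit hex key.

    ASCII pass phrases are used byte-for-byte here (an assumption made for
    this example, not necessarily what a given utility does).
    """
    if bits not in KEY_BYTES:
        raise ValueError("key length must be 64 or 128 bits")
    n = KEY_BYTES[bits]
    if re.fullmatch(r"[0-9A-Fa-f]{%d}" % (2 * n), value):
        return bytes.fromhex(value)
    if len(value) == n and value.isascii() and value.isprintable():
        return value.encode("ascii")
    raise ValueError(f"{bits}-bit key needs {n} ASCII characters or {2 * n} hex digits")


def build_iv_field(iv: bytes, index: int) -> bytes:
    """Encode the 3-byte IV plus the transmitter's key index (1..4) as the
    2-bit Key ID in the top bits of the fourth byte, as 802.11 WEP frames do."""
    if len(iv) != IV_BYTES or index not in (1, 2, 3, 4):
        raise ValueError("need a 3-byte IV and a key index in 1..4")
    return iv + bytes([(index - 1) << 6])


class WepKeyStore:
    """Up to four keys, selected by key index 1..4 (wire Key ID 0..3)."""

    def __init__(self):
        self.slots = {}

    def set_key(self, index: int, value: str, bits: int) -> None:
        if index not in (1, 2, 3, 4):
            raise ValueError("key index must be 1..4")
        self.slots[index] = parse_wep_key(value, bits)

    def key_for_frame(self, iv_field: bytes) -> bytes:
        """Pick the key a received frame was encrypted with from its IV field."""
        if len(iv_field) != IV_BYTES + 1:
            raise ValueError("WEP IV field is 4 bytes: 3-byte IV + Key ID byte")
        index = (iv_field[3] >> 6) + 1          # top two bits carry the Key ID
        if index not in self.slots:
            raise KeyError(f"no key configured at key index {index}")
        return self.slots[index]


if __name__ == "__main__":
    store = WepKeyStore()
    store.set_key(1, "Acme1", 64)                            # pass phrase form
    store.set_key(2, "0102030405060708090A0B0C0D", 128)      # hex form
    field = build_iv_field(b"\x01\x02\x03", 2)
    print(field.hex(), store.key_for_frame(field).hex())
```

A station that receives a frame whose Key ID points at an empty slot cannot decrypt it, which is the practical reason all stations in a cell must agree on both the key values and the index each one is stored under.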
802.1x uses two types of encryption keys, static and dynamic. Static encryption keys are changed manually and are more vulnerable. MD5 authentication only uses static encryption keys. Dynamic encryption keys are renewed automatically on a periodic basis, which makes the encryption key(s) more secure. To enable dynamic encryption keys, you must use 802.1x certificate-based authentication methods such as TLS, TTLS or PEAP.
802.1x features
802.1x supplicant protocol support
Support for the Extensible Authentication Protocol (EAP) - RFC 2284
Supported Authentication Methods:
MD5 - RFC 2284
EAP TLS Authentication Protocol - RFC 2716 and RFC 2246
EAP Tunneled TLS (TTLS)
Cisco LEAP
PEAP
Supports Windows XP, 2000
802.1x Authentication Notes
802.1x authentication methods include passwords, certificates, and smart cards (plastic cards that hold data)
802.1x authentication option can only be used with Infrastructure operation mode
Network Authentication modes are: EAP-TLS, EAP-TTLS, MD5 Challenge, LEAP (for Cisco Client eXtensions mode only), and PEAP (for WPA modes only)
Overview
802.1x authentication is independent of the 802.11 authentication process. The 802.1x standard provides a framework for various authentication and key-management protocols. There are different 802.1x authentication types, each providing a different approach to authentication but all employing the same 802.1x protocol and framework for communication between a client and an access point. In most protocols, upon the completion of the 802.1x authentication process, the supplicant receives a key that it uses for data encryption.
With 802.1x authentication, an authentication method is used between the client and a Remote Authentication Dial-In User Service (RADIUS) server connected to the access point. The authentication process uses credentials, such as a user's password, that are not transmitted over the wireless network. Most 802.1x types support dynamic per-user, per-session keys to strengthen the static key security. 802.1x benefits from the use of an existing authentication protocol known as the Extensible Authentication Protocol (EAP).

802.1x authentication for wireless LANs has three main components: the authenticator (the access point), the supplicant (the client software), and the authentication server (a Remote Authentication Dial-In User Service (RADIUS) server). 802.1x authentication initiates an authorization request from the WLAN client to the access point, which authenticates the client to an Extensible Authentication Protocol (EAP) compliant RADIUS server. This RADIUS server may authenticate either the user (via passwords or certificates) or the system (by MAC address). In theory, the wireless client is not allowed to join the network until the transaction is complete.

There are several authentication algorithms used for 802.1x: MD5-Challenge, EAP-TLS, EAP-TTLS, Protected EAP (PEAP), and EAP Cisco Wireless Lightweight Extensible Authentication Protocol (LEAP). These are all methods for the WLAN client to identify itself to the RADIUS server. With RADIUS authentication, users' identities are checked against databases. RADIUS constitutes a set of standards addressing Authentication, Authorization and Accounting (AAA). RADIUS includes a proxy process to validate clients in a multi-server environment. The IEEE 802.1x standard is for controlling and authenticating access to port-based 802.11 wireless and wired Ethernet networks.
Port-based network access control is similar to a switched local area network (LAN) infrastructure that authenticates devices attached to a LAN port and prevents access to that port if the authentication process fails.
How 802.1x authentication works
A simplified description of the 802.1x authentication is:
Refer to Setting up the Client for WEP and MD5 authentication for details about setting up an 802.1x profile using the Intel(R) PROSet for Wireless utility.
RADIUS is the Remote Authentication Dial-In User Service, an Authorization, Authentication, and Accounting (AAA) client-server protocol used when an AAA dial-up client logs in or out of a Network Access Server. Typically, a RADIUS server is used by Internet Service Providers (ISPs) to perform AAA tasks. The AAA phases are described as follows:
Authentication phase: Verifies a user name and password against a local database. After the credentials are verified, the authorization process begins.
Authorization phase: Determines whether a request will be allowed access to a resource. An IP address is assigned for the Dial-Up client.
Accounting phase: Collects information on resource usage for the purpose of trend analysis, auditing, session time billing, or cost allocation.
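The three 802.1x roles from the overview above (supplicant, authenticator, authentication server) and the three RADIUS phases just listed fit together in one small simulation. The code below is an added example written for this page, not Intel or Cisco code, and it deliberately stands in a toy challenge-response for a real EAP method such as EAP-TLS or PEAP: the point it shows is port-based access control, where the access point relays only EAP traffic on its uncontrolled port, keeps the controlled port closed until the server returns Access-Accept, and only then installs the per-session key that drives dynamic keying. The user database, shared secret and client addresses are constructed sample data.

```python
"""Simulated 802.1x port-based access control with a RADIUS-style AAA back end.

Added illustration; the EAP method is a placeholder HMAC challenge-response
(the real methods named on this page are EAP-TLS, EAP-TTLS, PEAP, LEAP, MD5).
"""
import hashlib
import hmac
import os
import time


class RadiusServer:
    """Authentication, authorization and accounting against an in-memory database."""

    def __init__(self, users, server_secret=b"constructed-shared-secret"):
        self.users = users            # user -> password (constructed sample data)
        self.secret = server_secret
        self.accounting = []          # accounting records, oldest first

    def authenticate(self, user, challenge, response):
        """Authentication phase: check proof of the password, not the password itself."""
        password = self.users.get(user)
        if password is None:
            return False
        expected = hmac.new(password.encode(), challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

    def authorize(self, user):
        """Authorization phase: what the session gets; here a fresh per-session key."""
        material = self.secret + user.encode() + os.urandom(16)
        return {"session_key": hashlib.sha256(material).digest()[:16], "vlan": 10}

    def account(self, user, event):
        """Accounting phase: record session events for auditing and billing."""
        self.accounting.append({"user": user, "event": event, "time": time.time()})


class Supplicant:
    """Client software: answers the EAP challenge without sending its password."""

    def __init__(self, user, password):
        self.user, self.password = user, password

    def respond(self, challenge):
        return hmac.new(self.password.encode(), challenge, hashlib.sha256).digest()


class Authenticator:
    """Access point: relays EAP to RADIUS; controlled port closed until success."""

    def __init__(self, radius):
        self.radius = radius
        self.sessions = {}            # client MAC -> session key, once authorized

    def handle_data_frame(self, mac, payload):
        """Controlled port: data is forwarded only for an authenticated client."""
        return "forwarded" if mac in self.sessions else "dropped"

    def run_eap(self, mac, supplicant):
        """Uncontrolled port: EAP exchange between supplicant and RADIUS."""
        challenge = os.urandom(16)                      # EAP-Request to the client
        response = supplicant.respond(challenge)        # EAP-Response, relayed to RADIUS
        if not self.radius.authenticate(supplicant.user, challenge, response):
            self.radius.account(supplicant.user, "Access-Reject")
            return False                                # port stays unauthorized
        attrs = self.radius.authorize(supplicant.user)  # Access-Accept with attributes
        self.sessions[mac] = attrs["session_key"]       # key seeds dynamic encryption keys
        self.radius.account(supplicant.user, "Accounting-Start")
        return True

    def disconnect(self, mac, user):
        self.sessions.pop(mac, None)
        self.radius.account(user, "Accounting-Stop")


if __name__ == "__main__":
    radius = RadiusServer({"alice": "correct horse battery"})
    ap = Authenticator(radius)
    print(ap.handle_data_frame("00:11:22:33:44:55", b"hello"))       # dropped
    print(ap.run_eap("00:11:22:33:44:55", Supplicant("alice", "correct horse battery")))
    print(ap.handle_data_frame("00:11:22:33:44:55", b"hello"))       # forwarded
```

Two properties are worth checking against the text: the password never crosses the wireless link (only a challenge and a keyed response do), and a rejected client's data frames are still dropped afterwards, which is what "not allowed to join the network until the transaction is complete" means in port terms.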
Wi-Fi Protected Access (WPA) is a security enhancement that strongly increases the level of data protection and access control in a WLAN. WPA mode enforces 802.1x authentication and key exchange and only works with dynamic encryption keys. To strengthen data encryption, WPA utilizes its Temporal Key Integrity Protocol (TKIP). TKIP provides important data encryption enhancements that include a per-packet key mixing function, a Message Integrity Check (MIC) named Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying mechanism. Using these enhancements, TKIP protects against WEP's known weaknesses.
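Two of the TKIP enhancements named above can be shown concretely on the receiving side: the Michael message integrity code, and the sequencing rule that discards a frame whose TKIP sequence counter (TSC, carried in the extended IV) does not increase. The block below is an added example written for this page, not vendor code. The Michael routine follows the IEEE 802.11i specification (64-bit key, 0x5a padding, block function of rotates, byte swaps and additions); the per-packet key mixing and the RC4 encryption itself are out of scope, and the MIC in a real TKIP frame also covers the destination and source addresses and priority, which this simplified `verify_frame` omits. The MIC key, frame bodies and counters are constructed sample data.

```python
"""TKIP receive-side checks: Michael MIC and TSC sequencing (added illustration)."""
import hmac
import struct

MASK = 0xFFFFFFFF


def _rol(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK


def _ror(v, n):
    return ((v >> n) | (v << (32 - n))) & MASK


def _xswap(v):
    """Swap the two low bytes with each other and the two high bytes with each other."""
    return ((v & 0xFF00FF00) >> 8) | ((v & 0x00FF00FF) << 8)


def _block(l, r):
    """The Michael block function b(L, R) from IEEE 802.11i."""
    r ^= _rol(l, 17); l = (l + r) & MASK
    r ^= _xswap(l);   l = (l + r) & MASK
    r ^= _rol(l, 3);  l = (l + r) & MASK
    r ^= _ror(l, 2);  l = (l + r) & MASK
    return l, r


def michael(key: bytes, msg: bytes) -> bytes:
    """64-bit Michael MIC of msg under a 64-bit key (little-endian 32-bit words)."""
    if len(key) != 8:
        raise ValueError("Michael key is 8 bytes")
    l, r = struct.unpack("<II", key)
    # Padding: one 0x5a byte, then 4 to 7 zero bytes so the total is a multiple of 4.
    padded = msg + b"\x5a" + b"\x00" * (4 + (3 - len(msg)) % 4)
    for (word,) in struct.iter_unpack("<I", padded):
        l ^= word
        l, r = _block(l, r)
    return struct.pack("<II", l, r)


class TkipReplayCheck:
    """Sequencing rule: each sender's 48-bit TSC must strictly increase."""

    def __init__(self):
        self.last = {}                        # sender -> last accepted TSC

    def accept(self, sender: str, tsc: int) -> bool:
        if not 0 <= tsc < (1 << 48):
            return False
        if tsc <= self.last.get(sender, -1):
            return False                      # replayed or out-of-order frame
        self.last[sender] = tsc
        return True


def verify_frame(mic_key: bytes, replay: TkipReplayCheck,
                 sender: str, tsc: int, body: bytes, mic: bytes) -> str:
    """Simplified receive path: sequencing check, then constant-time MIC compare."""
    if not replay.accept(sender, tsc):
        return "replay"
    if not hmac.compare_digest(michael(mic_key, body), mic):
        return "bad-mic"
    return "ok"


if __name__ == "__main__":
    # 802.11i test vector: all-zero key, empty message -> 82925c1ca1d130b8
    print(michael(bytes(8), b"").hex())
    key = bytes.fromhex("0011223344556677")                 # constructed MIC key
    frame = b"constructed frame body"
    checker = TkipReplayCheck()
    print(verify_frame(key, checker, "ap", 1, frame, michael(key, frame)))   # ok
    print(verify_frame(key, checker, "ap", 1, frame, michael(key, frame)))   # replay
```

Michael was designed to run on the limited hardware that already shipped with WEP, so the standard treats it as a weak MIC and pairs it with countermeasures when failures are detected; the sequencing rule is what closes the replay hole that WEP's 24-bit IV left open.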
PEAP is a new Extensible Authentication Protocol (EAP) IEEE 802.1x authentication type designed to take advantage of server-side EAP-Transport Layer Security (EAP-TLS) and to support various authentication methods, including user passwords, one-time passwords, and Generic Token Cards.
Cisco LEAP (EAP Cisco Wireless) is a server-and-client 802.1x authentication method that uses a user-supplied logon password. When a wireless access point communicates with a Cisco LEAP-enabled RADIUS server (Cisco Secure Access Control Server (ACS)), Cisco LEAP provides access control through mutual authentication between client wireless adapters and the wireless network, and provides dynamic, individual user encryption keys to help protect the privacy of transmitted data.
Cisco Rogue AP security feature
The Cisco Rogue AP feature provides security protection from the introduction of a rogue access point that could mimic a legitimate access point on a network in order to extract information about user credentials and authentication protocols, which could compromise security. This feature only works with Cisco's LEAP authentication. Standard 802.11 technology does not protect a network from the introduction of a rogue access point.
CKIP
Cisco Key Integrity Protocol (CKIP) is a Cisco proprietary security protocol for encryption in 802.11 media. CKIP uses the following features to improve 802.11 security in infrastructure mode:
Some access points, for example the Cisco 350 or Cisco 1200, support environments in which not all client stations support WEP encryption; this is called Mixed-Cell Mode. When these wireless networks operate in "optional encryption" mode, client stations that join in WEP mode send all messages encrypted, and stations that join in standard mode send all messages unencrypted. These APs broadcast that the network is not using encryption, but allow clients to join using WEP mode. When "Mixed-Cell" is enabled in a profile, it allows you to connect to access points that are configured for "optional encryption."
NOTE: Make sure to enable the Advanced Settings Mixed-Cell (Requires Cisco CCX) option when using Enable Cisco Client eXtensions in a profile. A Cisco CCX enabled profile uses CKIP data encryption and 802.1x LEAP authentication.