All contents are Copyright 1992–2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.
Mode comparison (table fragment; the row labels were lost in extraction):
                    WPA            WPA2
Encryption:         TKIP/MIC       AES-CCMP
Authentication:     PSK            PSK
Encryption:         TKIP/MIC       AES-CCMP
Do Cisco Aironet access points support WPA Certified and WPA2 Certified client devices from other vendors?
Yes. Cisco Aironet access points support WPA Certified and WPA2 Certified client devices.
Does Cisco support WPA and WPA2 Enterprise Mode and Personal Mode?
Yes. Cisco Aironet products support WPA Enterprise Mode, WPA Personal Mode, WPA2 Enterprise Mode, and WPA2 Personal Mode. Cisco
recommends Enterprise Mode for our customers because it provides enterprise-class security with mutual authentication.
What EAP types do Cisco Aironet products support for IEEE 802.1X authentication?
Cisco Aironet products support more IEEE 802.1X EAP authentication types than other WLAN products. Supported types include:
EAP-Flexible Authentication via Secure Tunneling (EAP-FAST)
Cisco LEAP
Protected Extensible Authentication Protocol (PEAP)
EAP-Transport Layer Security (EAP-TLS)
EAP-Tunneled TLS (EAP-TTLS)
EAP-Subscriber Identity Module (EAP-SIM)
WPA AND WPA2 DEPLOYMENT
Should Cisco Aironet customers deploy WPA or WPA2?
WPA2 offers a higher level of security than WPA because AES offers stronger encryption than TKIP. Cisco recommends that customers use
WPA2 for client devices that support WPA2. Though WPA is still considered secure and TKIP has not been broken, Cisco recommends that
customers transition to WPA2 as soon as they can.
Because WPA2 requires configuration changes to both access points and client devices, the introduction of WPA2 should be planned and large sets
of client devices and access points should be transitioned at the same time to minimize network disruption. One opportunity for a transition to WPA2
is when a wireless network is introduced, upgraded, or expanded.
Specialized WLAN client devices may not be able to run AES and may not be upgradable to AES (and WPA2). Therefore, Cisco recommends that
enterprise organizations continue to use and deploy WPA for these devices as applicable. All networks should run WPA as a minimum.
What businesses or organizations will be early adopters of WPA2?
Early adopters of WPA2 are likely to be organizations that:
Want Wi-Fi Certified products based on the full IEEE 802.11i standard
Are government agencies that require a security solution that can meet the FIPS 140-2 requirement, which WPA2's AES addresses
Are in industries like financial services, insurance, or healthcare that want the added security of AES encryption
Want the speed/CPU advantages of hardware-based AES over software-based MIC
Is it possible to have WPA and WEP clients associated to the same Cisco Aironet access point?
Yes. This is considered a transition mode and two solutions are available:
1. Use two different virtual LANs/service set identifiers (VLANs/SSIDs), one for WEP clients and one for WPA clients
2. Configure WPA Migration Mode (discussed below) on the Cisco Aironet access point
Is it possible to have WPA2 and WPA clients associated to the same Cisco Aironet access point?
Yes. Two solutions are available:
1. Use two different virtual LANs/service set identifiers (VLANs/SSIDs), one for WPA2 clients and one for WPA clients
2. Configure WPA2 Mixed Mode (discussed below) on the Cisco Aironet access point
[Table: feature comparison of WPA (TKIP) and WPA2 (AES); the row labels did not survive extraction. Recoverable cell values: AES (128-bit), initialization vector lengths of 24 bits and 48 bits, and Yes / No / Not required entries.]
What is TKIP?
TKIP is part of the IEEE 802.11i standard. It is an enhancement to WEP security: TKIP adds measures such as PPK (per-packet keying), MIC, and
broadcast key rotation to address known vulnerabilities of WEP. TKIP uses the RC4 stream cipher with 128-bit keys for encryption and 64-bit keys
for authentication. By encrypting data with a key that can be used only by the intended recipient of the data, TKIP helps to ensure that only the
intended audience can read the transmitted data.
TKIP uses a MIC called Michael. Michael lets devices confirm that their packets were not altered between sender and receiver. The MIC
prevents bit-flip attacks on encrypted packets: in a bit-flip attack, an intruder intercepts an encrypted message, alters it slightly, and
retransmits it, and the receiver accepts the retransmitted message as legitimate. The MIC adds a few bytes to each packet so that tampering can
be detected. The MIC is similar in purpose to a cyclic redundancy check (CRC), but because it is keyed it can detect that a packet was
intercepted and changed between its source and destination.
Broadcast key rotation enables the network administrator to set the shared broadcast key to time out, causing a new broadcast key to be generated.
This procedure mitigates passive attacks that attempt to determine the broadcast key from weak initialization vectors.
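To make the MIC discussion concrete, here is an added example, not code from the Cisco document: a Go implementation of Michael written from the published algorithm description (64-bit key split into two 32-bit words, the "b" block function applied after each 32-bit message word, 0x5a-then-zeros padding), placed beside an unkeyed CRC32 for contrast. The key, payload and flipped bit position are constructed demo values. In a real TKIP implementation Michael's input also covers the destination and source addresses and the priority, and the MIC is appended to the MSDU before RC4 encryption; this example feeds Michael whatever bytes the caller passes.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"hash/crc32"
)

// The three 32-bit word operations Michael's block function is built from.
func rol32(x uint32, n uint) uint32 { return x<<n | x>>(32-n) }
func ror32(x uint32, n uint) uint32 { return x>>n | x<<(32-n) }
func xswap(x uint32) uint32        { return (x&0xff00ff00)>>8 | (x&0x00ff00ff)<<8 }

// michaelBlock is Michael's "b" function, applied once per 32-bit message word.
func michaelBlock(l, r uint32) (uint32, uint32) {
	r ^= rol32(l, 17)
	l += r
	r ^= xswap(l)
	l += r
	r ^= rol32(l, 3)
	l += r
	r ^= ror32(l, 2)
	l += r
	return l, r
}

// Michael computes the 64-bit TKIP MIC of msg under a 64-bit key. In TKIP the
// input is DA || SA || priority || 3 zero bytes || MSDU payload; here msg is
// whatever the caller supplies (constructed data in this example).
func Michael(key [8]byte, msg []byte) [8]byte {
	l := binary.LittleEndian.Uint32(key[0:4])
	r := binary.LittleEndian.Uint32(key[4:8])
	// Padding: one 0x5a byte, then 4 to 7 zero bytes so the total is a multiple of 4.
	padded := append(append([]byte{}, msg...), 0x5a, 0, 0, 0, 0)
	for len(padded)%4 != 0 {
		padded = append(padded, 0)
	}
	for i := 0; i < len(padded); i += 4 {
		l ^= binary.LittleEndian.Uint32(padded[i : i+4])
		l, r = michaelBlock(l, r)
	}
	var mic [8]byte
	binary.LittleEndian.PutUint32(mic[0:4], l)
	binary.LittleEndian.PutUint32(mic[4:8], r)
	return mic
}

// MichaelVerify reports whether mic is the Michael MIC of msg under key.
func MichaelVerify(key [8]byte, msg []byte, mic [8]byte) bool {
	return Michael(key, msg) == mic
}

// FlipBit returns a copy of data with one bit inverted, simulating corruption
// or a bit-flip on the wire.
func FlipBit(data []byte, bit int) []byte {
	out := append([]byte{}, data...)
	out[bit/8] ^= 1 << (uint(bit) % 8)
	return out
}

// CRC32Verify mirrors WEP's integrity check value: an unkeyed CRC that any
// party, not only the key holder, can recompute for a modified frame.
func CRC32Verify(data []byte, crc uint32) bool {
	return crc32.ChecksumIEEE(data) == crc
}

func main() {
	key := [8]byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef} // constructed demo key
	msg := []byte("constructed TKIP MSDU payload")                 // constructed payload
	mic := Michael(key, msg)
	tampered := FlipBit(msg, 5)
	fmt.Printf("MIC %x\n", mic)
	fmt.Println("original verifies:", MichaelVerify(key, msg, mic))
	fmt.Println("bit-flipped copy verifies:", MichaelVerify(key, tampered, mic))
	// A CRC offers no such protection: whoever changes the frame recomputes the CRC.
	fmt.Println("bit-flipped copy with recomputed CRC verifies:",
		CRC32Verify(tampered, crc32.ChecksumIEEE(tampered)))
}
```

Running it shows the original frame verifying, the bit-flipped copy failing, and the CRC of that same bit-flipped copy verifying once recomputed, which is the difference between detecting corruption and detecting tampering. A quick correctness check for the implementation is the empty-message case under an all-zero key, which yields the MIC 82 92 5c 1c a1 d1 30 b8. Because Michael's strength is deliberately modest, TKIP pairs it with countermeasures: two MIC failures within 60 seconds trigger a rekey and a pause in traffic.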
Does Cisco support both Cisco TKIP and WPA TKIP?
With the Cisco Wireless Security Suite, both Cisco TKIP and WPA TKIP algorithms are available on Cisco Aironet access points and Cisco
and Cisco Compatible client devices. Although Cisco TKIP and WPA TKIP do not interoperate, Cisco Aironet access points can run both Cisco
TKIP and WPA TKIP simultaneously when using multiple VLANs. System administrators will need to choose one set of TKIP algorithms to activate
on the enterprise's client devices, because clients cannot support both sets of TKIP algorithms simultaneously. WPA TKIP is recommended for use
in most instances when WPA is used.
Is AES encryption performed in hardware or software?
It is recommended that AES encryption (and decryption) be performed in hardware because of the computationally intensive nature of AES.
Cisco Aironet products perform AES encryption in hardware. Performing AES encryption in software requires sufficient horsepower, such as that
offered by a 2.5-GHz Pentium processor laptop. If an access point performed AES encryption/decryption in software while serving numerous
associated clients, the access point likely would incur performance degradation, especially if that access point lacked a powerful processor and a
large amount of RAM and ROM.
What is CCMP?
AES-CCMP is the encryption protocol in the 802.11i standard. CCMP is based on the Counter Mode with CBC-MAC (CCM) mode of operation of the AES
encryption algorithm.
The counter mode component of CCM provides data privacy.
The Cipher Block Chaining Message Authentication Code (CBC-MAC) component of CCMP provides data integrity and authentication.
CCMP uses 128-bit keys, with a 48-bit initialization vector (IV), the packet number, used for replay detection.
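As an added example (not code from the Cisco document), the following Go program implements the CCM construction with the parameters CCMP uses: AES-128, an 8-byte MIC, a 2-byte length field, and a 13-byte nonce built from the priority, the transmitter address and the 48-bit packet number. CBC-MAC over the additional authenticated data (AAD) and the plaintext gives integrity and authentication, counter mode gives privacy, and a receive-side replay counter rejects any packet number that is not greater than the last one whose MIC verified. The key, transmitter address, AAD bytes and payloads are constructed; a real CCMP implementation derives the AAD from the masked 802.11 MAC header and takes the data from the frame body.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// CCMP parameters: 8-byte MIC (M = 8), 2-byte length field (L = 2), hence a 13-byte nonce.
const micLen, lenField, nonceLen = 8, 2, 13

// CCMPNonce assembles the nonce: priority || transmitter address A2 || 48-bit packet number.
func CCMPNonce(priority byte, a2 [6]byte, pn uint64) [nonceLen]byte {
	var n [nonceLen]byte
	n[0] = priority
	copy(n[1:7], a2[:])
	binary.BigEndian.PutUint16(n[7:], uint16(pn>>32)) // PN as 6 big-endian bytes
	binary.BigEndian.PutUint32(n[9:], uint32(pn))
	return n
}

// pad16 zero-pads b to a multiple of the AES block size.
func pad16(b []byte) []byte { return append(b, make([]byte, (16-len(b)%16)%16)...) }

// ctrCrypt XORs data with keystream blocks S_first, S_first+1, ... where S_i = AES(A_i) and
// A_i = flags (L' = 1) || nonce || i. The payload uses S_1 onward; S_0 masks the MIC.
func ctrCrypt(block cipher.Block, nonce [nonceLen]byte, data []byte, first uint16) []byte {
	out, ks, a := make([]byte, len(data)), make([]byte, 16), make([]byte, 16)
	a[0] = lenField - 1
	copy(a[1:14], nonce[:])
	for i := range data {
		if i%16 == 0 {
			binary.BigEndian.PutUint16(a[14:], first+uint16(i/16))
			block.Encrypt(ks, a)
		}
		out[i] = data[i] ^ ks[i%16]
	}
	return out
}

// ccmMIC runs AES-CBC-MAC over B0 || length-prefixed AAD || plaintext (AAD and plaintext each
// zero-padded to 16 bytes) and returns U = T XOR S_0[0:8], the MIC as carried in the frame.
func ccmMIC(block cipher.Block, nonce [nonceLen]byte, aad, plaintext []byte) []byte {
	b0 := append([]byte{0x40 | (micLen-2)/2<<3 | (lenField - 1)}, nonce[:]...) // flags: Adata=1, M'=3, L'=1 -> 0x59
	b0 = append(b0, byte(len(plaintext)>>8), byte(len(plaintext)), byte(len(aad)>>8), byte(len(aad)))
	buf := pad16(append(b0, aad...)) // len(aad) < 65280 assumed, so the 2-byte AAD length form applies
	buf = pad16(append(buf, plaintext...))
	x := make([]byte, 16)
	for i := 0; i < len(buf); i += 16 {
		for j := range x {
			x[j] ^= buf[i+j]
		}
		block.Encrypt(x, x)
	}
	return ctrCrypt(block, nonce, x[:micLen], 0)
}

// CCMEncrypt returns ciphertext || MIC for one frame.
func CCMEncrypt(block cipher.Block, nonce [nonceLen]byte, aad, plaintext []byte) []byte {
	return append(ctrCrypt(block, nonce, plaintext, 1), ccmMIC(block, nonce, aad, plaintext)...)
}

// CCMDecrypt verifies the MIC in constant time and returns the plaintext only if it checks.
func CCMDecrypt(block cipher.Block, nonce [nonceLen]byte, aad, frame []byte) ([]byte, error) {
	if len(frame) < micLen {
		return nil, errors.New("frame too short")
	}
	body, mic := frame[:len(frame)-micLen], frame[len(frame)-micLen:]
	plaintext := ctrCrypt(block, nonce, body, 1)
	if subtle.ConstantTimeCompare(mic, ccmMIC(block, nonce, aad, plaintext)) != 1 {
		return nil, errors.New("MIC check failed")
	}
	return plaintext, nil
}

// ReplayCounter is the receiver's per-key PN state. PNs start at 1 and only increase, so a
// frame is accepted only if its PN exceeds the last one whose MIC verified.
type ReplayCounter struct{ lastPN uint64 }

func (rc *ReplayCounter) Receive(block cipher.Block, priority byte, a2 [6]byte, pn uint64, aad, frame []byte) ([]byte, error) {
	if pn <= rc.lastPN {
		return nil, errors.New("replayed or out-of-order PN")
	}
	pt, err := CCMDecrypt(block, CCMPNonce(priority, a2, pn), aad, frame)
	if err == nil {
		rc.lastPN = pn // advance only after the MIC verified
	}
	return pt, err
}

func main() {
	block, _ := aes.NewCipher([]byte("0123456789abcdef")) // constructed 128-bit demo key
	a2, aad := [6]byte{0x00, 0x1b, 0x2f, 0x00, 0x00, 0x01}, []byte("constructed masked 802.11 header")
	frame := CCMEncrypt(block, CCMPNonce(0, a2, 1), aad, []byte("constructed payload, PN 1"))
	var rc ReplayCounter
	pt, err := rc.Receive(block, 0, a2, 1, aad, frame)
	fmt.Printf("PN 1 delivered: %q err=%v\n", pt, err)
	_, err = rc.Receive(block, 0, a2, 1, aad, frame)
	fmt.Println("PN 1 replayed:", err)
}
```

The order of checks in Receive matters: the packet number is compared with the replay counter before any decryption work is done, and the counter moves forward only once the MIC has verified, so a corrupted or forged frame can neither be delivered nor shift the window used to reject later replays. A forty-eight-bit counter that only increases also explains why the page treats the IV as a replay-detection mechanism rather than just a nonce: the same PN can never legitimately appear twice under one key, so a repeat is always a replay.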