Cisco Aironet 340, 350, and CB20A Wireless LAN Client Adapters Installation and Configuration Guide for Windows, OL-1394-08
Chapter 5 - Configuring the Client Adapter
Download this chapter
Chapter 5 - Configuring the Client AdapterChapter 5 - Configuring the Client Adapter
Download the complete book
Cisco Aironet Wireless LAN Client Adapters Installation and Configuration Guide for Windows, OL-1394-08 (book in PDF format)Cisco Aironet Wireless LAN Client Adapters Installation and Configuration Guide for Windows, OL-1394-08 (book in PDF format) (PDF - 5 MB)
give_us_feedback

Table Of Contents

Configuring the Client Adapter

Overview

Setting System Parameters

Setting RF Network Parameters

Setting Advanced Infrastructure Parameters

Setting Advanced Ad Hoc Parameters

Setting Network Security Parameters

Setting the Allow Association to Mixed Cells Parameter

Overview of Security Features

Static WEP Keys

EAP (with Dynamic WEP Keys)

Wi-Fi Protected Access (WPA)

Fast Roaming (CCKM)

Reporting Access Points that Fail LEAP or EAP-FAST Authentication

Additional WEP Key Security Features

Synchronizing Security Features

Using Static WEP

Entering a New Static WEP Key

Overwriting an Existing Static WEP Key

Disabling Static WEP

Enabling LEAP

Enabling EAP-FAST

Enabling Host-Based EAP

Enabling Host-Based EAP Authentication in ACU

Enabling WPA (Windows 2000 or XP Only - Optional)

Enabling EAP Authentication in Windows

Disabling LEAP, EAP-FAST, or Host-Based EAP

Disabling LEAP or EAP-FAST

Disabling Host-Based EAP


Configuring the Client Adapter

This chapter explains how to set the configuration parameters for a specific profile.

The following topics are covered in this chapter:

Overview

Setting System Parameters

Setting RF Network Parameters

Setting Advanced Infrastructure Parameters

Setting Advanced Ad Hoc Parameters

Setting Network Security Parameters

Overview

When you choose to create a new profile or edit an existing profile on the Profile Manager screen, the Properties screens appear with the name of your profile in parentheses. These screens enable you to set the configuration parameters for that profile.

Note If you do not change any of the configuration parameters, the default values are used.

Note If you are planning to set parameters on more than one of the Properties screens, wait until you are finished with all of the screens before clicking OK. When you click OK, you are returned to the Profile Manager screen.

Each of the Properties screens (listed below) contains parameters that affect a specific aspect of the client adapter:

System Parameters—Prepares the client adapter for use in a wireless network

RF Network—Controls how the client adapter transmits and receives data

Advanced (Infrastructure)—Controls how the client adapter operates within an infrastructure network

Advanced (Ad Hoc)—Controls how the client adapter operates within an ad hoc (peer-to-peer) network

Network Security—Controls how a client adapter associates to an access point, authenticates to the wireless network, and encrypts and decrypts data


Table 5-1 enables you to quickly locate the instructions for setting each Properties screen's parameters.

Table 5-1 Locating Configuration Instructions

Parameter Category
Page Number

System

page 3

RF network

page 7

Advanced infrastructure

page 14

Advanced ad hoc

page 18

Network security

page 21

Setting System Parameters

The System Parameters screen (see Figure 5-1) enables you to set parameters that prepare the client adapter for use in a wireless network. This screen appears after you create and save a new profile or click Edit on the Profile Manager screen.

Figure 5-1 System Parameters Screen

Table 5-2 lists and describes the client adapter's system parameters. Follow the instructions in the table to change any parameters.

Table 5-2 System Parameters 

Parameter
Description

Client Name

A logical name for your workstation. It allows an administrator to determine which devices are connected to the access point without having to memorize every MAC address. This name is included in the access point's list of connected devices.

Range: You can key in up to 16 ASCII characters
Default: A blank field

Note Each computer on the network should have a unique client name.

SSID1

The service set identifier (SSID) identifies the specific wireless network that you want to access.

Range: You can key in up to 32 ASCII characters (case sensitive)
Default: A blank field

Note If you leave this parameter blank, your client adapter can associate to any access point on the network that is configured to allow broadcast SSIDs (see the AP Radio Hardware page in the access point management system). If the access point with which the client adapter is to communicate is not configured to allow broadcast SSIDs, the value of this parameter must match the SSID of the access point. Otherwise, the client adapter is unable to access the network.

SSID2

An optional SSID that identifies a second distinct network and enables you to roam to that network without having to reconfigure your client adapter.

Range: You can key in up to 32 ASCII characters (case sensitive)
Default: A blank field

Note If a profile specifies more than one SSID, it cannot be included in auto profile selection.

Note This field is unavailable for any profiles that are included in auto profile selection.

SSID3

An optional SSID that identifies a third distinct network and enables you to roam to that network without having to reconfigure your client adapter.

Range: You can key in up to 32 ASCII characters (case sensitive)
Default: A blank field

Note If a profile specifies more than one SSID, it cannot be included in auto profile selection.

Note This field is unavailable for any profiles that are included in auto profile selection.

Power Save Mode

Sets your client adapter to its optimum power consumption setting.

Options: CAM, Max PSP, or Fast PSP
Default: CAM (Constantly Awake Mode)

Power Save Mode

Description

CAM (Constantly Awake Mode)

Keeps the client adapter powered up continuously so there is little lag in message response time.

Consumes the most power but offers the highest throughput. Is recommended for desktop computers and devices that use AC power.

Max PSP (Max Power Savings)

Causes the access point to buffer incoming messages for the client adapter, which wakes up periodically and polls the access point to see if any buffered messages are waiting for it. The adapter can request each message and then go back to sleep.

Conserves the most power but offers the lowest throughput. Is recommended for devices for which power consumption is the ultimate concern (such as small battery-powered devices).

Note When you set Max PSP mode and close ACU, the following message appears the next time you open ACU: "Maximum Power Save Mode will be temporarily disabled while you are running this application." While ACU is open, Fast PSP mode is active. When you close ACU, the card returns to Max PSP mode.

Fast PSP (Power Save Mode)

Switches between PSP mode and CAM mode, depending on network traffic. This mode switches to CAM when retrieving a large number of packets and switches back to PSP after the packets have been retrieved.

Is recommended when power consumption is a concern but you need greater throughput than that allowed by Max PSP.

Network Type

Specifies the type of network in which your client adapter is installed.

Options: Ad Hoc or Infrastructure
Default: Infrastructure

Network Type

Description

Ad Hoc

Often referred to as peer to peer. Indicates that your wireless network consists of a few wireless devices that are not connected to a wired Ethernet network through an access point. For example, an ad hoc network can be set up between computers in a conference room so users can share information in a meeting.

Infrastructure

Indicates that your wireless network is connected to a wired Ethernet network through an access point.


Go to the next section to set additional parameters or click OK to return to the Profile Manager screen. On the Profile Manager screen, click OK or Apply to save your changes.

Setting RF Network Parameters

The RF Network screen (see Figure 5-2) enables you to set parameters that control how and when the client adapter transmits and receives data. To access this screen, choose the RF Network tab from the Properties screens.

Figure 5-2 RF Network Screen

Table 5-3 lists and describes the client adapter's RF network parameters. Follow the instructions in the table to change any parameters.

Table 5-3 RF Network Parameters 

Parameter
Description

Data Rate

Specifies the rate at which your client adapter should transmit or receive packets to or from access points (in infrastructure mode) or other clients (in ad hoc mode).

Auto Rate Selection is recommended for infrastructure mode; setting a specific data rate is recommended for ad hoc mode.

Options: Auto Rate Selection, 1 Mbps Only, 2 Mbps Only, 5.5 Mbps Only, or 11 Mbps Only (2.4-GHz client adapters);
Auto Rate Selection, 6 Mbps Only, 9 Mbps Only, 12 Mbps Only, 18 Mbps Only, 24 Mbps Only, 36 Mbps Only, 48 Mbps Only, or 54 Mbps Only (5-GHz client adapters)
Default: Auto Rate Selection

Data Rate



Description

2.4-GHz Client Adapters
5-GHz Client Adapters

Auto Rate Selection

Auto Rate Selection

Uses the 11-Mbps (for 2.4-GHz client adapters) or 54-Mbps (for 5-GHz client adapters) data rate when possible but drops to lower rates when necessary.

1 Mbps Only

6 Mbps Only

Offers the greatest range but the lowest throughput.

2 Mbps Only and 5.5 Mbps Only

9 Mbps Only to 48 Mbps Only

Progressively offers less range but greater throughput than the 1 Mbps Only (for 2.4-GHz client adapters) or 6 Mbps Only (for 5-GHz client adapters) option.

11 Mbps Only

54 Mbps Only

Offers the greatest throughput but the lowest range.

Note Your client adapter's data rate must be set to Auto Rate Selection or must match the data rate of the access point (in infrastructure mode) or the other clients (in ad hoc mode) with which it is to communicate. Otherwise, your client adapter may not be able to associate to them.

Use Short Radio Headers

Checking this check box sets your client adapter to use short radio headers. However, the adapter can use short radio headers only if the access point is also configured to support them and is using them. If any clients associated to an access point are using long headers, then all clients in that cell must also use long headers, even if both this client and the access point have short radio headers enabled.

Short radio headers improve throughput performance; long radio headers ensure compatibility with clients and access points that do not support short radio headers.

Default: Checked

Note This parameter is available only for 2.4-GHz client adapters.

Note This parameter is referred to as Preambles on the access point screens.

World Mode

Checking this check box enables the client adapter to adopt the maximum transmit power level and the frequency range of the access point to which it is associated, provided the access point is also configured for world mode. This parameter is available only in infrastructure mode and is designed for users who travel between countries and want their client adapters to associate to access points in different regulatory domains.

Default: Unchecked

Note This parameter is available only for 2.4-GHz client adapters.

Note When World Mode is enabled, the client adapter is limited to the maximum transmit power level allowed by the country of operation's regulatory agency.

Scan For A Better Access Point

Checking this check box causes the client to look for a better access point if the signal strength of its associated access point is less than the specified value after the specified time and to switch associations if it finds one.

Example: If the default values of 20 seconds and 50% are used, the client begins monitoring the strength of the signal received from its associated access point 20 seconds after becoming associated. The monitoring continues once per second. If the client detects a signal strength reading below 50%, it scans for a better access point.

Range: 5 to 255 seconds; 0 to 75% signal strength
Defaults: Checked, 20 seconds, 50% signal strength

Note The ability to specify the time and signal strength is available in ACU version 6.1 or later, which is included in Install Wizard version 1.1 or later.

Channel

Specifies the frequency that your client adapter will use as the channel for communications. These channels conform to the IEEE 802.11 Standard for your regulatory domain.

In infrastructure mode, this parameter is set automatically and cannot be changed. The client adapter listens to the entire spectrum, selects the best access point to associate to, and uses the same frequency as that access point.

In ad hoc mode, the channel of the client adapter must be set to match the channel used by the other clients in the wireless network. If the client adapter does not find any other ad hoc adapters, this parameter specifies the channel with which the adapter will start its cell.

Range: Dependent on client adapter radio and regulatory domain
Example for 2.4-GHz client adapters:
1 to 11 (2412 to 2462 MHz) in North America
Example for 5-GHz client adapters:
36, 40, 44, 48, 52, 56, 60, and 64 (5180, 5200, 5220, 5240, 5260, 5280, 5300, and 5320 MHz) in North America
Default: Dependent on client adapter radio and regulatory domain
Example for 2.4-GHz client adapters:
6 (2437 MHz) in North America
Example for 5-GHz client adapters:
36 (5180 MHz) in North America

Note Refer to Appendix D, for a list of channel identifiers, channel center frequencies, and regulatory domains for each channel.

Transmit Power

Defines the power level at which your client adapter transmits. This value must not be higher than that allowed by your country's regulatory agency (FCC in the U.S., DOC in Canada, ETSI in Europe, MKK in Japan, etc.).

Options: Dependent on the power table programmed into the client adapter; see the table below
Default: The maximum power level programmed into the client adapter and allowed by your country's regulatory agency

Possible Power Levels

Client Adapter Type

30 mW or 1 mW

340 series PC cards

30 mW, 15 mW, 5 mW, or
1 mW

340 series LM cards and PCI cards

100 mW, 50 mW, 30 mW, 20 mW, 5 mW, or 1 mW

350 series client adapters

20 mW, 10 mW, or 5 mW

PC-Cardbus card

Note Reducing the transmit power level conserves battery power but decreases radio range.

Note When World Mode is enabled, the client adapter is limited to the maximum transmit power level allowed by the country of operation's regulatory agency.

Note If you are using an older version of a 340 or 350 series client adapter, your power level options may be different than those listed here.

Clear Channel Assessment

Specifies the method that determines whether the channel on which your client adapter will operate is clear prior to the transmission of data.

Options: Firmware Default (XXX), Carrier/Correlation (Car/Cor), Energy Detect (ED), or ED or Car/Cor
Default: Firmware Default (XXX)

Method

Description

Firmware Default (XXX)

The Clear Channel Assessment (CCA) mechanism will report that the channel is busy based on the default value of the client adapter's firmware. The firmware's CCA default value is shown in parentheses.

Note The CCA default value for PCM, LMC, and PCI card firmware is Car/Cor; the default value for mini PCI card firmware is ED.

Carrier/Correlation (Car/Cor)

The CCA mechanism will report that the channel is busy upon detection of a direct-sequence spread spectrum (DSSS) signal. This signal may be above or below the ED threshold.

Energy Detect (ED)

The CCA mechanism will report that the channel is busy upon detection of any energy above the ED threshold.

ED or Car/Cor

The CCA mechanism will report that the channel is busy upon detection of a DSSS signal or any energy above the ED threshold.

Note This parameter is available only for 2.4-GHz client adapters.

Data Retries

Defines the number of times a packet is resent if the initial transmission is unsuccessful.

Range: 1 to 128
Default: 16 (2.4-GHz client adapters) or 32 (5-GHz client adapters)

Note If your network protocol performs its own retries, set this to a smaller value than the default. This way notification of a "bad" packet is sent up the protocol stack quickly so the application can retransmit the packet if necessary.

Fragment Threshold

Defines the threshold above which an RF data packet is split up or fragmented. If one of those fragmented packets experiences interference during transmission, only that specific packet would need to be resent.

Throughput is generally lower for fragmented packets because the fixed packet overhead consumes a higher portion of the RF bandwidth.

Range: 256 to 2312
Default: 2312

Go to the next section to set additional parameters or click OK to return to the Profile Manager screen. On the Profile Manager screen, click OK or Apply to save your changes.

Setting Advanced Infrastructure Parameters

Note You can set advanced infrastructure parameters only if your client adapter has been set to operate in an infrastructure network. See the Network Type parameter in Table 5-2.

The Advanced (Infrastructure) screen (see Figure 5-3) enables you to set parameters that control how the client adapter operates within an infrastructure network. To access this screen, choose the Advanced (Infrastructure) tab from the Properties screens.

Figure 5-3 Advanced (Infrastructure) Screen

Table 5-4 lists and describes the client adapter's advanced infrastructure parameters. Follow the instructions in the table to change any parameters.

Table 5-4 Advanced (Infrastructure) Parameters 

Parameter
Description

Antenna Mode (Receive)

Specifies the antenna that your client adapter uses to receive data.

PC card—The PC card's integrated, permanently attached antenna operates best when used in diversity mode. Diversity mode allows the card to use the better signal from its two antenna ports.

Options: Diversity (Both), Primary Antenna Only, Secondary Antenna Only

Default: Diversity (Both)

LM card—The LM card is shipped without an antenna; however, an antenna can be connected through the card's external connector. If a snap-on antenna is used, diversity mode is recommended. Otherwise, choose the mode that corresponds to the antenna port to which the antenna is connected.

Options: Diversity (Both), Primary Antenna Only, Secondary Antenna Only

Default: Diversity (Both)

PCI card—The PCI card must use the Primary Antenna Only option.

Default: Primary Antenna Only

Mini PCI card—The mini PCI card, which can be used with one or two antennas, operates best in diversity mode. Diversity mode allows the card to use the better signal from its two antenna connectors.

Options: Diversity (Both), Primary Antenna Only, Secondary Antenna Only

Default: Diversity (Both)

Note This parameter is available only for 2.4-GHz client adapters.

Note The Primary Antenna Only and Secondary Antenna Only options were formerly named Right Antenna Only and Left Antenna Only, respectively.

Antenna Mode (Transmit)

Specifies the antenna that your client adapter uses to transmit data. See the Antenna Mode (Receive) parameter above for information on the options available for your client adapter.

Note This parameter is available only for 2.4-GHz client adapters.

Specified Access Point 1- 4

Specifies the MAC addresses of up to four preferred access points with which the client adapter can associate. If the specified access points are not found or the client adapter roams out of range, the adapter may associate to another access point.

You can enter the MAC addresses of the access points in the edit boxes or choose not to specify access points by leaving the boxes blank.

Default: Blank fields

Note This parameter should be used only for access points that are in repeater mode. For normal operation, leave these fields blank because specifying an access point slows down the roaming process.

RTS Threshold

Specifies the size of the data packet that the low-level RF protocol issues to a request-to-send (RTS) packet.

Setting this parameter to a small value causes RTS packets to be sent more often. When this occurs, more of the available bandwidth is consumed and the throughput of other network packets is reduced, but the system is able to recover faster from interference or collisions, which may be caused from a high multipath environment characterized by obstructions or metallic surfaces.

Range: 0 to 2312
Default: 2312

Note Refer to the IEEE 802.11 Standard for more information on the RTS/CTS mechanism.

RTS Retry Limit

Specifies the number of times the client adapter resends a request-to-send (RTS) packet if it does not receive a clear-to-send (CTS) packet from the previously sent RTS packet.

Setting this parameter to a large value decreases the available bandwidth whenever interference is encountered but makes the system more immune to interference and collisions, which may be caused from a high multipath environment characterized by obstructions or metallic surfaces.

Range: 1 to 128
Default: 16 (2.4-GHz client adapters) or 32 (5-GHz client adapters)

Note Refer to the IEEE 802.11 Standard for more information on the RTS/CTS mechanism.

Enable Radio Management Support

Checking this check box enables the access point to which the client adapter is associated to control the use of radio management (RM), provided RM is enabled on the access point. RM is a system-wide feature that involves multiple infrastructure nodes. The RM feature on the access point acts on radio measurement requests from other network devices to instruct the access point and its associated clients to perform required radio measurements and then report them.

Default: Checked

Note This parameter is available in Install Wizard version 1.2 or later for 350 series cards and Install Wizard version 1.3 or later for CB20A cards.

Note Access points must use Cisco IOS Release 12.2(13)JA or later to enable RM. Refer to the documentation for your access point for instructions on enabling this feature.


Go to the next section to set additional parameters or click OK to return to the Profile Manager screen. On the Profile Manager screen, click OK or Apply to save your changes.

Setting Advanced Ad Hoc Parameters

Note You can set advanced ad hoc parameters only if your client adapter has been set to operate in an ad hoc network. See the Network Type parameter in Table 5-2.

The Advanced (Ad Hoc) screen (see Figure 5-4) enables you to set parameters that control how the client adapter operates within an ad hoc network. To access this screen, choose the Advanced (Ad Hoc) tab from the Properties screens.

Figure 5-4 Advanced (Ad Hoc) Screen

Table 5-5 lists and describes the client adapter's advanced ad hoc parameters. Follow the instructions in the table to change any parameters.

Table 5-5 Advanced (Ad Hoc) Parameters 

Parameter
Description

Antenna Mode (Receive)

Specifies the antenna that your client adapter uses to receive data.

PC card—The PC card's integrated, permanently attached antenna operates best when used in diversity mode. Diversity mode allows the card to use the better signal from its two antenna ports.

Options: Diversity (Both), Primary Antenna Only, Secondary Antenna Only

Default: Diversity (Both)

LM card—The LM card is shipped without an antenna; however, an antenna can be connected through the card's external connector. If a snap-on antenna is used, diversity mode is recommended. Otherwise, choose the mode that corresponds to the antenna port to which the antenna is connected.

Options: Diversity (Both), Primary Antenna Only, Secondary Antenna Only

Default: Diversity (Both)

PCI card—The PCI card must use the Primary Antenna Only option.

Default: Primary Antenna Only

Mini PCI card—The mini PCI card, which can be used with one or two antennas, operates best in diversity mode. Diversity mode allows the card to use the better signal from its two antenna connectors.

Options: Diversity (Both), Primary Antenna Only, Secondary Antenna Only

Default: Diversity (Both)

Note This parameter is available only for 2.4-GHz client adapters.

Note The Primary Antenna Only and Secondary Antenna Only options were formerly named Right Antenna Only and Left Antenna Only, respectively.

Antenna Mode (Transmit)

Specifies the antenna that your client adapter uses to transmit data. See the Antenna Mode (Receive) parameter above for information on the options available for your client adapter.

Note This parameter is available only for 2.4-GHz client adapters.

RTS Threshold

Specifies the size of the data packet that the low-level RF protocol issues to a request-to-send (RTS) packet.

Setting this parameter to a small value causes RTS packets to be sent more often. When this occurs, more of the available bandwidth is consumed and the throughput of other network packets is reduced, but the system is able to recover faster from interference or collisions, which may be caused from a high multipath environment characterized by obstructions or metallic surfaces.

Range: 0 to 2312
Default: 2312

Note Refer to the IEEE 802.11 Standard for more information on the RTS/CTS mechanism.

RTS Retry Limit

Specifies the number of times the client adapter resends a request-to-send (RTS) packet if it does not receive a clear-to-send (CTS) packet from the previously sent RTS packet.

Setting this parameter to a large value decreases the available bandwidth whenever interference is encountered but makes the system more immune to interference and collisions, which may be caused from a high multipath environment characterized by obstructions or metallic surfaces.

Range: 1 to 128
Default: 16 (2.4-GHz client adapters) or 32 (5-GHz client adapters)

Note Refer to the IEEE 802.11 Standard for more information on the RTS/CTS mechanism.

Wake Duration (Kms)

Specifies the amount of time following a beacon that the client adapter stays awake to receive announcement traffic indication message (ATIM) packets, which are sent to the adapter to keep it awake until the next beacon.

Refer to the Power Save Mode parameter in Table 5-2.

Range: 0 Kms (in CAM mode); 5 to 60 Kms (in Max PSP or Fast PSP mode)
Default: 5 Kms

Note If your client adapter is set to CAM mode, you must set the wake duration to 0 Kms. If your client adapter is set to Max PSP or Fast PSP mode, you must set the wake duration to a minimum of 5 Kms.

Note Kms is a unit of measurement in software terms. K = 1024,
m = 10-6, and s = seconds, so Kms = .001024 seconds, 1.024 milliseconds, or 1024 microseconds.

Beacon Period (Kms)

Specifies the duration between beacon packets, which are used to help clients find each other in ad hoc mode.

Range: 20 to 976 Kms
Default: 100 Kms

Go to the next section to set additional parameters or click OK to return to the Profile Manager screen. On the Profile Manager screen, click OK or Apply to save your changes.

Setting Network Security Parameters

The Network Security screen (see Figure 5-5) enables you to set parameters that control how the client adapter associates to an access point, authenticates to the wireless network, and encrypts and decrypts data. To access this screen, choose the Network Security tab from the Properties screens.

Figure 5-5 Network Security Screen

This screen is different from the other Properties screens in that it presents several security features, each of which involves a number of steps. In addition, the security features themselves are complex and need to be understood before they are implemented. Therefore, this section provides an overview of the security features as well as procedures for using them.

However, before you determine the appropriate security settings for your client adapter, you must decide how to set the Allow Association to Mixed Cells parameter, which appears at the bottom of the Network Security screen and is not associated to any of the security features. See the "Setting the Allow Association to Mixed Cells Parameter" section below.

Setting the Allow Association to Mixed Cells Parameter

The Allow Association to Mixed Cells parameter indicates whether the client adapter can associate to an access point that allows both WEP and non-WEP associations. Follow these steps to set this parameter.

Note This parameter is unavailable if the Wi-Fi Protected Access (WPA) check box is checked.

Step 1 Perform one of the following:

Check the Allow Association to Mixed Cells check box if the access point with which the client adapter is to associate has WEP set to Optional and WEP is enabled on the client adapter. Otherwise, the client is unable to establish a connection with the access point.

Uncheck the Allow Association to Mixed Cells check box if the access point with which the client adapter is to associate does not have WEP set to Optional. This is the default setting.

Note For security reasons, Cisco recommends that WEP-enabled and WEP-disabled clients not be allowed in the same cell because broadcast packets are sent unencrypted, even to clients running WEP.

Step 2 Perform one of the following:

If you do not want to change any other parameters on the Network Security screen, click OK to return to the Profile Manager screen; then click OK or Apply to save your changes

If you want to change some of the other parameters on the Network Security screen, go to the next section.

Overview of Security Features

You can protect your data as it is transmitted through your wireless network by encrypting it through the use of wired equivalent privacy (WEP) encryption keys. With WEP encryption, the transmitting device encrypts each packet with a WEP key, and the receiving device uses that same key to decrypt each packet.

The WEP keys used to encrypt and decrypt transmitted data can be statically associated with your adapter or dynamically created as part of the EAP authentication process. The information in the "Static WEP Keys" and "EAP (with Dynamic WEP Keys)" sections below can help you to decide which type of WEP keys you want to use. Dynamic WEP keys with EAP offer a higher degree of security than static WEP keys.

WEP keys, whether static or dynamic, are either 40 or 128 bits in length. 128-bit WEP keys offer a greater level of security than 40-bit WEP keys.

Note Refer to the "Additional WEP Key Security Features" section for information on three security features that can make your WEP keys even more secure.

Static WEP Keys

Each device (or profile) within your wireless network can be assigned up to four static WEP keys. If a device receives a packet that is not encrypted with the appropriate key (as the WEP keys of all devices that are to communicate with each other must match), the device discards the packet and never delivers it to the intended receiver.

Static WEP keys are write-only and temporary; therefore, they cannot be read back from the client adapter, and they are lost when power to the adapter is removed or the Windows device is rebooted. Although the keys are temporary, you do not need to re-enter them each time the client adapter is inserted or the Windows device is rebooted. This is because the keys are stored (in an encrypted format for security reasons) in the registry of the Windows device. When the driver loads and reads the client adapter's registry parameters, it also finds the static WEP keys, unencrypts them, and stores them in volatile memory on the adapter.

The Network Security screen enables you to view the current WEP key settings for the client adapter and then to assign new WEP keys or overwrite existing WEP keys as well as to enable or disable static WEP. Refer to the "Using Static WEP" section for instructions.

EAP (with Dynamic WEP Keys)

The new standard for wireless LAN security, as defined by the Institute of Electrical and Electronics Engineers (IEEE), is called 802.1X for 802.11, or simply 802.1X. An access point that supports 802.1X and its protocol, Extensible Authentication Protocol (EAP), acts as the interface between a wireless client and an authentication server, such as a Remote Authentication Dial-In User Service (RADIUS) server, to which the access point communicates over the wired network.

Three 802.1X authentication types can be selected in ACU for use with Windows operating systems:

EAP-Cisco Wireless (or LEAP)—This authentication type is available for Windows 98, 98 SE, NT, 2000, Me, and XP, as well as non-Windows systems. Support for LEAP is provided not in the Windows operating system but in your client adapter's firmware and the Cisco software that supports it. RADIUS servers that support LEAP include Cisco Secure ACS version 2.6 and later, Cisco Access Registrar version 1.7 and later, and Funk Software's Steel-Belted RADIUS version 3.0 and later.

LEAP is enabled or disabled for a specific profile through ACU, provided the LEAP security module was selected during installation. After LEAP is enabled, a variety of configuration options are available, including how and when a username and password are entered to begin the authentication process.

The username and password are used by the client adapter to perform mutual authentication with the RADIUS server through the access point. The username and password need to be re-entered each time the client adapter is inserted or the Windows device is rebooted, unless you configure your adapter to use saved LEAP credentials.

Note If the LEAP security module was not selected during installation, the LEAP option is unavailable in ACU. If you want to be able to enable and disable LEAP, you must run the installation program again and choose LEAP.

EAP-FAST—This authentication type (Flexible Authentication via Secure Tunneling) is available for 350 series and CB20A cards on computers running Windows 2000 or XP. EAP-FAST uses a three-phased tunneled authentication process to provide advanced 802.1X EAP mutual authentication.

Phase 0 enables the client to dynamically provision a protected access credentials (PAC) when necessary. During this phase, a PAC is generated securely between the user and the network.

Phase 1 uses the PAC to establish a mutually authenticated and secure tunnel between the client and the RADIUS server. RADIUS servers that support EAP-FAST include Cisco Secure ACS version 3.2.3 and later.

Phase 2 performs client authentication in the established tunnel.

EAP-FAST is enabled or disabled for a specific profile through ACU, provided the EAP-FAST security module was selected during installation. After EAP-FAST is enabled, a variety of configuration options are available, including how and when a username and password are entered to begin the authentication process and whether automatic or manual PAC provisioning is used.

The client adapter uses the username, password, and PAC to perform mutual authentication with the RADIUS server through the access point. The username and password need to be re-entered each time the client adapter is inserted or the Windows device is rebooted, unless you configure your adapter to use saved EAP-FAST credentials.

PACs are created by Cisco Secure ACS and are identified by an ID. The user obtains his or her own copy of the PAC from the server, and the ID links the PAC to the profile created in ACU. When manual PAC provisioning is enabled, the PAC file is manually copied from the server and imported onto the client device. The following rules govern PAC storage:

In most cases PACs are provisioned and stored separately for each Windows logon user. These per-user PACs are not viewable by other users.

If a profile is configured to use manual provisioning, each user must manually provision his or her own PAC for that profile.

PAC files can be added or replaced using the import feature, but they cannot be removed or exported.

For profiles configured with saved EAP-FAST usernames and passwords, the PACs are not stored per user but in a global PAC area shared by all users. Global PACs are also enabled when the No Network Connection Unless User Is Logged In check box is unchecked. These global PACs can be imported and used by all users.

Note PACs are also stored globally on computers that use the Novell Network login prompt or any other third-party login application that does not share its credentials with the EAP-FAST supplicant.

EAP-FAST authentication is designed to support the following user databases over a wireless LAN:

Cisco Secure ACS internal user database

Cisco Secure ACS ODBC user database

Windows NT/2000/2003 domain user database

LDAP user database

LDAP user databases (such as NDS) support only manual PAC provisioning while the other three user databases support both automatic and manual PAC provisioning.

Note If the EAP-FAST security module was not selected during installation, the EAP-FAST option is unavailable in ACU. If you want to be able to enable and disable EAP-FAST, you must run the installation program again and choose EAP-FAST. EAP-FAST is supported in Install Wizard version 1.3 and later.

Host Based EAP—Choosing this option enables you to use any 802.1X authentication type for which your operating system has support. For example, if your operating system uses the Microsoft 802.1X supplicant, it provides native support for EAP-TLS authentication and general support for PEAP and EAP-SIM authentication.

Note To use EAP-TLS, PEAP, or EAP-SIM authentication, you must install the Microsoft 802.1X supplicant, ACU, and the PEAP or EAP-SIM supplicant; configure your client adapter using ACU; enable the authentication type in Windows; and enable Network-EAP on the access point.

EAP-TLS—EAP-TLS is enabled or disabled through the operating system and uses a dynamic session-based WEP key, which is derived from the client adapter and RADIUS server, to encrypt data. Once enabled, a few configuration parameters must be set within the operating system.

RADIUS servers that support EAP-TLS authentication include Cisco Secure ACS version 3.0 or later and Cisco Access Registrar version 1.8 or later.

Note EAP-TLS requires the use of a certificate. Refer to Microsoft's documentation for information on downloading and installing the certificate.

Protected EAP (or PEAP)—PEAP authentication is designed to support One-Time Password (OTP), Windows NT or 2000 domain, and LDAP user databases over a wireless LAN. It is based on EAP-TLS authentication but uses a password or PIN instead of a client certificate for authentication. PEAP is enabled or disabled through the operating system and uses a dynamic session-based WEP key, which is derived from the client adapter and RADIUS server, to encrypt data. If your network uses an OTP user database, PEAP requires you to enter either a hardware token password or a software token PIN to start the EAP authentication process and gain access to the network. If your network uses a Windows NT or 2000 domain user database or an LDAP user database (such as NDS), PEAP requires you to enter your username, password, and domain name in order to start the authentication process.

RADIUS servers that support PEAP authentication include Cisco Secure ACS version 3.1 or later and Cisco Access Registrar version 3.5 or later.

Note Windows XP Service Pack 1 and the Microsoft 802.1X supplicant for Windows 2000 include Microsoft's PEAP supplicant, which supports a Windows username and password only and does not interoperate with Cisco's PEAP supplicant. To use Cisco's PEAP supplicant, install the Install Wizard file after Windows XP Service Pack 1 or the Microsoft 802.1X supplicant for Windows 2000. Otherwise, Cisco's PEAP supplicant is overwritten by Microsoft's PEAP supplicant.

EAP-SIM—EAP-SIM authentication is designed for use in public wireless LANs and requires clients equipped with PCSC-compliant smartcard readers. The EAP-SIM supplicant included in the Install Wizard file supports only Gemplus SIM+ cards; however, an updated supplicant is available that supports standard GSM-SIM cards as well as more recent versions of the EAP-SIM protocol. The new supplicant is available for download from Cisco.com at the following URL:

http://www.cisco.com/pcgi-bin/tablebuild.pl/access-registrar-encrypted

Please note that the above requirements are necessary but not sufficient to successfully perform EAP-SIM authentication. Typically, you are also required to enter into a service contract with a WLAN service provider, who must support EAP-SIM authentication in its network. Also, while your PCSC smartcard reader may be able to read standard GSM-SIM cards or chips, EAP-SIM authentication usually requires your GSM cell phone account to be provisioned for WLAN service by your service provider.

EAP-SIM is enabled or disabled through the operating system and uses a dynamic session-based WEP key, which is derived from the client adapter and RADIUS server, to encrypt data. EAP-SIM requires you to enter a user verification code, or PIN, for communication with the SIM card. You can choose to have the PIN stored in your computer or to be prompted to enter it after a reboot or prior to every authentication attempt.

RADIUS servers that support EAP-SIM include Cisco Access Registrar version 3.0 or later.

Note Because EAP-TLS, PEAP, and EAP-SIM authentication are enabled in the operating system and not in ACU, you cannot switch between these authentication types simply by switching profiles in ACU. You can create a profile in ACU that uses host-based EAP, but you must enable the specific authentication type in Windows (provided Windows uses the Microsoft 802.1X supplicant). In addition, Windows can be set for only one authentication type at a time; therefore, if you have more than one profile in ACU that uses host-based EAP and you want to use another authentication type, you must change authentication types in Windows after switching profiles in ACU.

When you enable Network-EAP or EAP on your access point and configure your client adapter for LEAP, EAP-FAST, EAP-TLS, PEAP, or EAP-SIM, authentication to the network occurs in the following sequence:

1. The client associates to an access point and begins the authentication process.

Note The client does not gain full access to the network until authentication between the client and the RADIUS server is successful.

2. Communicating through the access point, the client and RADIUS server complete the authentication process, with the password (LEAP and PEAP), password and PAC (EAP-FAST), certificate (EAP-TLS), or internal key stored on the SIM card and in the service provider's Authentication Center (EAP-SIM) being the shared secret for authentication. The password, PAC, or internal key is never transmitted during the process.

3. If authentication is successful, the client and RADIUS server derive a dynamic, session-based WEP key that is unique to the client.

4. The RADIUS server transmits the key to the access point using a secure channel on the wired LAN.

5. For the length of a session, or time period, the access point and the client use this key to encrypt or decrypt all unicast packets (and broadcast packets if the access point is set up to do so) that travel between them.

Refer to one of these sections for instructions on enabling EAP authentication:

Enabling LEAP

Enabling EAP-FAST

Enabling Host-Based EAP

Note Refer to the IEEE 802.11 Standard for more information on 802.1X authentication and to the following URL for additional information on RADIUS servers: http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt2/scrad.htm

Wi-Fi Protected Access (WPA)

Wi-Fi Protected Access (WPA) is a standards-based, interoperable security enhancement that greatly increases the level of data protection and access control for existing and future wireless LAN systems. It is derived from and will be compatible with the upcoming IEEE 802.11i standard. WPA leverages Temporal Key Integrity Protocol (TKIP) and Michael message integrity check (MIC) for data protection and 802.1X for authenticated key management.

WPA supports two mutually exclusive key management types: WPA and WPA-Pre-shared key (WPA-PSK). Using WPA key management, clients and the authentication server authenticate to each other using an EAP authentication method, and the client and server generate a pairwise master key (PMK). The server generates the PMK dynamically and passes it to the access point. Using WPA-PSK key management, however, you configure a pre-shared key on both the client and the access point, and that pre-shared key is used as the PMK.

Only 350 series and CB20A cards that are installed on computers running Windows 2000 or XP and running LEAP, EAP-FAST, or host-based EAP authentication can be used with WPA. Support for WPA is available in the software components included in Install Wizard version 1.2 or later. However, if you want to use host-based EAP authentication with WPA, you must install additional software with WPA support. The following WPA software is recommended for use with Cisco Aironet client adapters:

Funk Odyssey Client supplicant version 2.2 (for Windows 2000)

Windows XP Service Pack 1 and Microsoft support patch 815485 (for Windows XP)

Note Meetinghouse AEGIS Client supplicant version 2.1 or later is also supported for use with Windows 2000 and XP; however, it was not tested with this client adapter software release.

The software components included in Install Wizard version 1.3 or later automatically support WPA migration mode. WPA migration mode is an access point setting that enables both WPA and non-WPA clients to associate to the access point using the same SSID.

Refer to one of these sections for instructions on enabling EAP authentication with WPA:

Enabling LEAP

Enabling EAP-FAST

Enabling Host-Based EAP

Note WPA must also be enabled on the access point. Access points must use Cisco IOS Release 12.2(11)JA or later to enable WPA. Refer to the documentation for your access point for instructions on enabling this feature.

Fast Roaming (CCKM)

Some applications that run on a client device may require fast roaming between access points. Voice applications, for example, require seamless roaming to prevent delays and gaps in conversation. Support for fast roaming is available for LEAP-enabled clients in Install Wizard version 1.1 or later and EAP-FAST-enabled clients in Install Wizard version 1.3 or later.

During normal operation, LEAP- or EAP-FAST-enabled clients mutually authenticate with a new access point by performing a complete LEAP or EAP-FAST authentication, including communication with the main RADIUS server. However, when you configure your wireless LAN for fast roaming, LEAP- or EAP-FAST-enabled clients securely roam from one access point to another without the need to reauthenticate with the RADIUS server. Using Cisco Centralized Key Management (CCKM), an access point that is configured for wireless domain services (WDS) uses a fast rekeying technique that enables client devices to roam from one access point to another in under 150 milliseconds (ms). Fast roaming ensures that there is no perceptible delay in time-sensitive applications such as wireless Voice over IP (VoIP), enterprise resource planning (ERP), or Citrix-based solutions.

This feature is enabled on the client adapter in two ways, depending on the software installed:

If you are using ACU version 6.2 and client adapter firmware version 5.30.17 (which is included in Install Wizard version 1.2) or later, you need to enable fast roaming in ACU. Refer to Step 10 in the "Enabling LEAP" section or Step 12 in the "Enabling EAP-FAST" section for details.

If you are using client adapter firmware version 5.20.17 (which is included in Install Wizard version 1.1), fast roaming is supported automatically.

Regardless of how fast roaming is enabled on the client adapter, it must also be enabled on the access point.

Note Access points must use Cisco IOS Release 12.2(11)JA or later to enable fast roaming. Refer to the documentation for your access point for instructions on enabling this feature.

Note If the Microsoft 802.1X supplicant is installed on your computer, you must disable one or two Windows parameters in order for this feature to operate correctly. Refer to Step 13 in the "Enabling LEAP" section or Step 15 in the "Enabling EAP-FAST" section for details.

Reporting Access Points that Fail LEAP or EAP-FAST Authentication

The following client adapter and access point firmware versions support a feature that is designed to detect access points that fail LEAP or EAP-FAST authentication:

Client adapter firmware version 5.02.20 or later (for LEAP)

Client adapter firmware version 5.40.10 or later (for EAP-FAST)

12.00T or later (340, 350, and 1200 series access points)

Cisco IOS Release 12.2(4)JA or later (1100 series access points)

An access point running one of these firmware versions records a message in the system log when a client running one of these firmware versions discovers and reports another access point in the wireless network that has failed LEAP or EAP-FAST authentication.

The process takes place as follows:

1. A client with a LEAP or EAP-FAST profile attempts to associate to access point A.

2. Access point A does not handle LEAP or EAP-FAST authentication successfully, perhaps because the access point does not understand LEAP or EAP-FAST or cannot communicate to a trusted LEAP or EAP-FAST authentication server.

3. The client records the MAC address for access point A and the reason why the association failed.

4. The client associates successfully to access point B.

5. The client sends the MAC address of access point A and the reason code for the failure to access point B.

6. Access point B logs the failure in the system log.

Note This feature does not need to be enabled on the client adapter or access point; it is supported automatically in the firmware of both devices. However, both the client and access point must use these firmware versions or later.

Additional WEP Key Security Features

The three security features discussed in this section (MIC, TKIP, and broadcast key rotation) are designed to prevent sophisticated attacks on your wireless network's WEP keys. These features do not need to be enabled on the client adapter; they are supported automatically in the firmware and driver versions included in the Install Wizard file. However, they must be enabled on the access point.

Note Access point firmware version 11.10T or later is required to enable these security features. Refer to the documentation for your access point for instructions on enabling these security features.

Message Integrity Check (MIC)

MIC prevents bit-flip attacks on encrypted packets. During a bit-flip attack, an intruder intercepts an encrypted message, alters it slightly, and retransmits it, and the receiver accepts the retransmitted message as legitimate. The MIC adds a few bytes to each packet to make the packets tamper-proof.

The Status screen indicates if MIC is being used, and the Statistics screen provides MIC statistics.

Note If you enable MIC on the access point, your client adapter's driver must support these features; otherwise, the client cannot associate.

Temporal Key Integrity Protocol (TKIP)

This feature, also referred to as WEP key hashing, defends against an attack on WEP in which the intruder uses the initialization vector (IV) in encrypted packets to calculate the WEP key. TKIP removes the predictability that an intruder relies on to determine the WEP key by exploiting IVs. It protects both unicast and broadcast WEP keys.

Note If you enable TKIP on the access point, your client adapter's firmware must support these features; otherwise, the client cannot associate.

Note TKIP is automatically enabled whenever WPA is enabled, and it is disabled whenever WPA is disabled.

Broadcast Key Rotation

EAP authentication provides dynamic unicast WEP keys for client devices but uses static broadcast, or multicast, keys. When you enable broadcast WEP key rotation, the access point provides a dynamic broadcast WEP key and changes it at the interval you choose. When you enable this feature, only wireless client devices using LEAP, EAP-FAST, EAP-TLS, PEAP, or EAP-SIM authentication can associate to the access point. Client devices using static WEP (with open or shared key authentication) cannot associate.

Synchronizing Security Features

In order to use any of the security features discussed in this section, both your client adapter and the access point to which it will associate must be set appropriately. Table 5-6 indicates the client and access point settings required for each security feature. This chapter provides specific instructions for enabling the security fea