What is WPA2?
WPA2 is the next generation of Wi-Fi security. It is the Wi-Fi Alliance’s interoperable implementation of the ratified IEEE 802.11i standard. It
implements the National Institute of Standards and Technology (NIST) recommended Advanced Encryption Standard (AES) encryption algorithm
using Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). WPA2 facilitates government FIPS 140-2
compliance, and is fully supported by the Cisco Unified Wireless Network.
All contents are Copyright © 1992–2005 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.
ENTERPRISE MODE AND PERSONAL MODE
What are the different modes of operation of WPA and WPA2?
WPA and WPA2 have two different modes—Enterprise and Personal. Both modes provide encryption support and user authentication. Below is
a summary of WPA and WPA2 and each mode type. A comparison of the mode types is presented in Table 1.
WPA
• Provides authentication support via IEEE 802.1X and Pre-Shared Key (PSK) (IEEE 802.1X recommended for enterprise deployments)
• Provides encryption support via TKIP, including message identity check (MIC) and per-packet keying (PPK) via initialization vector (IV) hashing and broadcast key rotation
WPA2
• Provides authentication support via IEEE 802.1X and PSK
• Provides encryption support via AES-CCMP
Enterprise Mode
Enterprise Mode is a term given to products that are tested to be interoperable in both PSK and IEEE 802.1X/EAP modes of operation for
authentication. When IEEE 802.1X is used, an authentication, authorization, and accounting (AAA) server (the RADIUS protocol for authentication
and key management and centralized management of user credentials) is required. Enterprise Mode is targeted to enterprise environments.
Personal Mode
Personal Mode is a term given to products tested to be interoperable in the PSK-only mode of operation for authentication. It requires manual
configuration of a pre-shared key on the access point and clients. PSK authenticates users via a password, or identifying code, on both the client
station and the access point. No authentication server is needed. Personal Mode is targeted to SOHO environments.
Table 1. WPA and WPA2 Mode Types
Mode                                                WPA                                WPA2
Enterprise Mode (Business, Government, Education)   Authentication: IEEE 802.1X/EAP    Authentication: IEEE 802.1X/EAP
                                                    Encryption: TKIP/MIC               Encryption: AES-CCMP
Which Cisco Aironet 1200 Series 802.11a radio modules support WPA2 and AES?
Cisco Aironet 1200 Series radio modules with the part numbers AIR-RM21A or AIR-RM22A support WPA2 and AES. The Cisco Aironet
1200 Series radio module with the part number AIR-RM20A does not support WPA2 or AES.
Which Cisco Aironet 802.11b access points support WPA2 and AES?
Cisco Aironet 802.11b access points are not upgradeable to support WPA2 and AES.
Will Cisco Aironet 350 Series access points and client devices support WPA2?
No. Cisco Aironet 350 Series products will not support WPA2 because their radios lack AES support. Customers will need to upgrade to Cisco
Aironet Series access points and client devices that support AES if they wish to use WPA2.
What Cisco Aironet client devices will support WPA2 and AES?
Cisco Aironet 802.11a/b/g client adapters purchased today can run AES and support WPA2. Cisco Aironet 802.11a/b/g client adapters
purchased in early 2005 are AES-ready and need only a software upgrade to run AES and support WPA2.
Do Cisco Aironet access points support WPA Certified and WPA2 Certified client devices from other vendors?
Yes. Cisco Aironet access points support WPA Certified and WPA2 Certified client devices.
Does Cisco support WPA and WPA2 Enterprise Mode and Personal Mode?
Yes. Cisco Aironet products support WPA Enterprise Mode, WPA Personal Mode, WPA2 Enterprise Mode, and WPA2 Personal Mode. Cisco
recommends Enterprise Mode for our customers because it provides enterprise-class security with mutual authentication.
What EAP types do Cisco Aironet products support for IEEE 802.1X authentication?
Cisco Aironet products support more IEEE 802.1X EAP authentication types than other WLAN products. Supported types include:
Because WPA2 requires configuration changes to both access points and client devices, the introduction of WPA2 should be planned and large sets
of client devices and access points should be transitioned at the same time to minimize network disruption. One opportunity for a transition to WPA2
is when a wireless network is introduced, upgraded, or expanded.
Specialized WLAN client devices may not be able to run AES and may not be upgradable to AES (and WPA2). Therefore, Cisco recommends that
enterprise organizations continue to use and deploy WPA for these devices as applicable. All networks should run WPA as a minimum.
• Want Wi-Fi Certified products based on the full IEEE 802.11i standard
• Are government agencies that require a security solution that can meet the FIPS 140-2 requirement, which WPA2’s AES addresses
• Are in industries like financial services, insurance, or healthcare that want the added security of AES encryption
• Want the speed/CPU advantages of hardware-based AES over software-based MIC
Is it possible to have WPA and WEP clients associated to the same Cisco Aironet access point?
Yes. This is considered a transition mode and two solutions are available:
1. Use two different virtual LANs/service set identifiers (VLANs/SSIDs), one for WEP clients and one for WPA clients
2. Configure WPA Migration Mode (discussed below) on the Cisco Aironet access point
Is it possible to have WPA2 and WPA clients associated to the same Cisco Aironet access point?
Yes. Two solutions are available:
1. Use two different virtual LANs/service set identifiers (VLANs/SSIDs), one for WPA2 clients and one for WPA clients
2. Configure WPA2 Mixed Mode (discussed below) on the Cisco Aironet access point
Per-User Session Key Refresh (Session Key Rotation)   Every 4 hours and 40 minutes   Not required   Not required
What is TKIP?
TKIP is an IEEE 802.11i standard. It is an enhancement to WEP security. TKIP enhances WEP by adding measures such as PPK, MIC, and
broadcast key rotation to address known vulnerabilities of WEP. TKIP uses the RC4 stream cipher with 128-bit keys for encryption and 64-bit keys
for authentication. By encrypting data with a key that can be used only by the intended recipient of the data, TKIP helps to ensure that only the
intended audience understands the transmitted data.
TKIP uses a MIC called Michael. Michael allows devices to confirm that their packets are uncorrupted during the sending-and-receiving
transmission process. MIC prevents “bit-flip” attacks on encrypted packets. During a bit-flip attack, an intruder intercepts an encrypted message,
alters it slightly, and retransmits it, and the receiver accepts the retransmitted message as legitimate. The MIC adds a few bytes to each packet to
Broadcast key rotation enables the network administrator to set the shared broadcast key to “timeout”, causing a new broadcast key to be generated.
This procedure mitigates passive attacks attempting to determine the broadcast key from weak initialization vectors.
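The Michael MIC that the TKIP paragraphs above describe, shown as an added example (not code from the Cisco FAQ): a Python implementation of Michael as specified for TKIP in IEEE 802.11i, with a receiver-side check that rejects a frame whose protected data had a single bit flipped. The key, the payload and the flip_bit helper are constructed for illustration; the MIC here covers the data only, whereas TKIP also covers the destination and source addresses and the priority.

```python
import hmac
import struct

MASK = 0xFFFFFFFF

def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def _ror(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK

def _xswap(x):
    # Swap the two bytes inside each 16-bit half of the word.
    return ((x & 0xFF00FF00) >> 8) | ((x & 0x00FF00FF) << 8)

def _block(l, r):
    # Michael block function: four rotate/xor/add rounds on the (L, R) state.
    r ^= _rol(l, 17); l = (l + r) & MASK
    r ^= _xswap(l);   l = (l + r) & MASK
    r ^= _rol(l, 3);  l = (l + r) & MASK
    r ^= _ror(l, 2);  l = (l + r) & MASK
    return l, r

def michael(key, msg):
    """8-byte Michael MIC of msg under a 64-bit key, as specified for TKIP in IEEE 802.11i."""
    l, r = struct.unpack("<II", key)
    # Padding: one 0x5A byte, then 4 to 7 zero bytes to reach a multiple of 4 bytes.
    padded = msg + b"\x5a" + b"\x00" * (4 + (3 - len(msg) % 4))
    for (word,) in struct.iter_unpack("<I", padded):      # little-endian 32-bit words
        l ^= word
        l, r = _block(l, r)
    return struct.pack("<II", l, r)

def verify(key, msg, tag):
    """Receiver-side MIC check; the constant-time compare avoids leaking where the mismatch is."""
    return hmac.compare_digest(michael(key, msg), tag)

def flip_bit(data, bit):
    """Flip one bit of the protected data, the change a bit-flip attack makes through a stream cipher."""
    out = bytearray(data)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)

if __name__ == "__main__":
    key = bytes.fromhex("0123456789abcdef")               # constructed MIC key
    payload = b"GET /balance?acct=1001 HTTP/1.0"           # constructed protected data
    tag = michael(key, payload)
    print("genuine frame accepted:", verify(key, payload, tag))
    print("tampered frame accepted:", verify(key, flip_bit(payload, 8 * 21), tag))   # acct 1001 -> 1000
```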
What is CCMP?
AES-CCMP is the encryption protocol in the 802.11i standard. CCMP is based upon the Counter Mode with CBC-MAC (CCM) of the AES
encryption algorithm.
ATTACK MITIGATION
What network attacks are mitigated by WPA and WPA2?
WPA and WPA2 mitigate several active and passive network attacks, including man-in-the-middle, authentication forging, weak key attacks,
packet forgery, and brute force attacks when PEAP, EAP-TLS, EAP-FAST, or Cisco LEAP are used with TKIP or AES. It is important to note that
Cisco LEAP requires strong passwords.
How do I configure WPA Migration Mode on a Cisco Aironet access point operating autonomously?
Cisco Aironet autonomous access points using Cisco IOS Software Release 12.2(11)JA and later support WPA migration mode. To set up an
SSID for WPA Migration Mode, configure these settings:
• WPA optional
• A cipher suite containing TKIP and 40-bit or 128-bit WEP
• A static WEP key in key slot 2 or 3
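A defender-side check for the three settings listed above, as an added example that is not from the Cisco FAQ: a Python script that parses an autonomous access point running-config and reports every SSID still in WPA Migration Mode, so that WEP-tolerant SSIDs can be tracked down during the transition to WPA2. The running-config fragment, the IOS command syntax it uses and the WEP key placeholder are assumptions of the example.

```python
import re
# Constructed config (IOS AP syntax assumed; key is a placeholder): "legacy" is in migration mode, "corp" is WPA-only.
SAMPLE_CONFIG = """\
dot11 ssid legacy
 authentication key-management wpa optional
dot11 ssid corp
 authentication key-management wpa
interface Dot11Radio0
 encryption mode ciphers tkip wep128
 encryption key 2 size 128bit 7 <WEP-KEY-PLACEHOLDER> transmit-key
 ssid legacy
 ssid corp
interface Dot11Radio1
 encryption mode ciphers aes-ccm
"""

def parse_config(text):
    """Per-SSID key management, plus per-radio cipher suite, static WEP key slots and bound SSIDs."""
    ssids, radios, section = {}, {}, None
    for raw in text.splitlines():
        line, words = raw.strip(), raw.split()
        if section is None or not raw.startswith(" "):     # top-level line opens a section, or none
            m = re.match(r"dot11 ssid (\S+)|interface (Dot11Radio\d+)", raw)
            section = None
            if m and m.group(1):
                section = ssids.setdefault(m.group(1), {"wpa_optional": False})
            elif m:
                section = radios.setdefault(m.group(2), {"ciphers": set(), "wep_slots": set(), "ssids": []})
        elif "wpa_optional" in section:                     # inside a dot11 ssid block
            section["wpa_optional"] |= line == "authentication key-management wpa optional"
        elif line.startswith("encryption mode ciphers "):   # inside an interface block
            section["ciphers"] = set(words[3:])
        elif line.startswith("encryption key ") and len(words) > 3 and words[3] == "size":
            section["wep_slots"].add(int(words[2]))
        elif words and words[0] == "ssid":
            section["ssids"].append(words[1])
    return ssids, radios

def migration_mode_ssids(text):
    """(radio, ssid) pairs meeting all three conditions: WPA optional, TKIP plus WEP ciphers, WEP key in slot 2 or 3."""
    ssids, radios = parse_config(text)
    hits = []
    for radio, r in radios.items():
        has_wep = bool(r["ciphers"] & {"wep40", "wep128"})
        if has_wep and "tkip" in r["ciphers"] and r["wep_slots"] & {2, 3}:
            hits += [(radio, s) for s in r["ssids"] if ssids.get(s, {}).get("wpa_optional")]
    return hits
```

Running `migration_mode_ssids` over the real `show running-config` output of each autonomous AP gives the list of SSIDs that still accept WEP clients and therefore have not completed the transition.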
For more information about Cisco Compatible client devices, visit: http://www.cisco.com/go/ciscocompatible/wireless