CHAPTER 6: CONFIGURING WIRELESS PARAMETERS

Configuring WPA

WPA is a security enhancement to the IEEE 802.11 wireless standard. WPA provides enhanced encryption with new cipher suites and provides per-packet message integrity checks. WPA is based on Draft 3 of the 802.11i standard. You can use WPA with 802.1X authentication. If the client does not support 802.1X, you can use a preshared key on the MAP and the client for authentication.

WPA Authentication Methods

You can configure MAP access points to support one or both of the following authentication methods for WPA clients:

■ 802.1X — The MAP and client use an Extensible Authentication Protocol (EAP) method to authenticate one another, then use the resulting key in a handshake to derive a unique key for the session. 802.1X authentication requires user information to be configured on AAA servers or in the WX switch’s local database. This is the default WPA authentication method.

■ Preshared key (PSK) — A MAP and a client authenticate one another based on a key that is statically configured on both devices. The devices use the key in a handshake to derive a unique key for the session. For a given radio profile, you can globally configure a PSK for use with all clients. You can configure the key by entering an ASCII passphrase or by entering the key itself in raw (hexadecimal) form.

For a MAC client that authenticates using a PSK, the RADIUS servers or local database must contain an authentication rule and an authorization rule for the client, to assign the client to a VLAN.

WPA Cipher Suites

WPA supports the following cipher suites for packet encryption, listed from most secure to least secure:

■ Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) — CCMP provides Advanced Encryption Standard (AES) data encryption. To provide message integrity, CCMP uses the Cipher Block Chaining Message Authentication Code (CBC-MAC).

■ Temporal Key Integrity Protocol (TKIP) — TKIP uses the RC4 encryption algorithm, a 128-bit encryption key, a 48-bit initialization vector (IV), and a message integrity code (MIC) called Michael.
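
The two PSK entry forms described under WPA Authentication Methods (ASCII passphrase or raw hexadecimal key) are related by the passphrase-to-key mapping in the 802.11i standard. The following is an added example, not taken from this guide: it assumes the MAP follows that standard mapping (PBKDF2-HMAC-SHA1 salted with the SSID), which this page does not state, and the function names and sample SSIDs are hypothetical.

```python
import hashlib
import string

# Standard 802.11i passphrase-to-PSK mapping (assumed, not described on this page):
# PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 256-bit output)
ITERATIONS = 4096
PSK_BYTES = 32  # 256 bits, i.e. 64 hexadecimal digits in raw form


def psk_from_passphrase(passphrase: str, ssid: str) -> str:
    """Return the raw PSK (64 hex digits) for an ASCII passphrase on one SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                              salt, ITERATIONS, PSK_BYTES)
    return key.hex()


def normalize_raw_psk(raw: str) -> str:
    """Validate a key entered in raw form: exactly 64 hexadecimal digits."""
    raw = raw.strip().lower()
    if len(raw) != 2 * PSK_BYTES or any(c not in string.hexdigits for c in raw):
        raise ValueError("raw PSK must be exactly 64 hexadecimal digits")
    return raw


def passphrase_matches_raw(passphrase: str, ssid: str, raw: str) -> bool:
    """Check that a passphrase on this SSID yields the given raw key."""
    return psk_from_passphrase(passphrase, ssid) == normalize_raw_psk(raw)


if __name__ == "__main__":
    # Constructed sample values; the SSID is part of the derivation, so the
    # same passphrase produces a different raw key on each SSID.
    for ssid in ("IEEE", "corp-wlan"):
        print(ssid, psk_from_passphrase("password", ssid))
```

Because the SSID is the salt, a raw key copied from one service profile is only equivalent to the passphrase on that same SSID; renaming the SSID while keeping a raw key leaves passphrase-configured clients unable to authenticate.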