other default - FIFO
Tuesday, September 29, 2009
Tuesday, September 15, 2009
EAP
WEP
■ A lack of mutual authentication makes WEP vulnerable to rogue access points.
■ Usage of static keys makes WEP vulnerable to dictionary attacks.
■ Even with the use of an initialization vector (IV), attackers can deduce WEP keys by capturing enough data.
■ Configuring clients with the static WEP keys is nonscalable.
LEAP
■ Following are the benefits of LEAP over the basic 802.11 (WEP):
■ Server-based authentication (leveraging 802.1x) using passwords, one-time tokens, public key infrastructure (PKI) certificates, or machine IDs
■ Usage of dynamic WEP keys (also called session keys) through reauthenticating the user periodically and negotiating a new WEP key each time (Cisco Key Integrity Protocol or CKIP)
■ Mutual authentication between the wireless client and the RADIUS server
■ Usage of Cisco Message Integrity Check (CMIC) to protect against inductive WEP attacks and replays
WPA
■ Authenticated key management—WPA performs authentication using either IEEE 802.1x or a preshared key (PSK) prior to the key management phase.
■ Unicast and broadcast key management—After successful user authentication, message integrity and encryption keys are derived, distributed, validated, and stored on the client and the AP.
■ Utilization of TKIP and MIC—Temporal Key Integrity Protocol (TKIP) and Message Integrity Check (MIC) are both elements of the WPA standard and secure a system against WEP vulnerabilities such as intrusive attacks.
■ Initialization vector space expansion—WPA provides per-packet keying (PPK) via initialization vector (IV) hashing and broadcast key rotation. The IV is expanded from 24 bits (as in 802.11 WEP) to 48 bits.
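The two IV lengths in the notes above (24-bit WEP IV versus 48-bit WPA IV) are the whole reason "capturing enough data" works against WEP: once an IV repeats under the same key, the keystream repeats. The following added example (not from the original notes or from Cisco) puts numbers on that from the defender's side: the IV space size, the birthday-bound estimate of how many packets a random IV scheme sends before a repeat becomes likely, how long a sequential IV counter takes to wrap at an assumed packet rate, and a small simulation that finds the first IV reuse. The packet rate is a constructed, illustrative value.

```python
import math
import random

# IV widths come from the notes above; the packet rate used in main() is an
# assumed, illustrative figure, not a measured one.
WEP_IV_BITS = 24
WPA_IV_BITS = 48


def iv_space(bits):
    """Number of distinct IV values available for an IV of the given width."""
    return 2 ** bits


def expected_packets_to_first_reuse(bits):
    """Birthday-bound estimate: number of packets sent under one key before a
    randomly chosen IV has roughly a 50% chance of repeating, sqrt(2 * N * ln 2)."""
    return math.sqrt(2 * iv_space(bits) * math.log(2))


def seconds_to_exhaust(bits, packets_per_second):
    """Time for a sequential IV counter to wrap and reuse its first value
    at the given (assumed) packet rate."""
    return iv_space(bits) / packets_per_second


def first_iv_reuse(bits, seed, limit=100_000):
    """Simulate a sender picking random IVs and return the packet index at which
    the first IV collision occurs, or None if none occurs within `limit` packets.
    A collision means two packets were encrypted with the same IV and key."""
    rng = random.Random(seed)
    seen = set()
    for index in range(limit):
        iv = rng.getrandbits(bits)
        if iv in seen:
            return index
        seen.add(iv)
    return None


def main():
    rate = 1000  # assumed packets per second for illustration only
    for name, bits in (("WEP", WEP_IV_BITS), ("WPA/TKIP", WPA_IV_BITS)):
        print(f"{name}: {bits}-bit IV, {iv_space(bits):,} values")
        print(f"  ~{expected_packets_to_first_reuse(bits):,.0f} packets until a "
              f"random IV is likely to repeat")
        hours = seconds_to_exhaust(bits, rate) / 3600
        print(f"  sequential counter wraps after {hours:,.1f} hours at {rate} pkt/s")
        print(f"  simulated first reuse (seed 1): {first_iv_reuse(bits, seed=1)}")


if __name__ == "__main__":
    main()
```

With a 24-bit IV the simulation finds a repeat after a few thousand packets, well within what a busy AP sends in minutes, whereas the 48-bit space needs tens of millions of packets before a repeat becomes likely. This is the quantitative content behind the "IV space expansion" bullet, and it is also why WPA additionally rotates keys rather than relying on the larger counter alone.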
WPA2
■ AES
■ More CPU-intensive than WPA, mostly because of the usage of AES
EAP-FAST
■ Supports Windows single sign-on for Cisco Aironet clients and Cisco-compatible clients
■ Does not use certificates or require Public Key Infrastructure (PKI) support on client devices
■ Provides for a seamless migration from Cisco LEAP
■ Provides full support for 802.11i, 802.1x, TKIP, and AES
■ Supports password expiration or change (Microsoft password change)
EAP-TLS
■ EAP-TLS uses the Transport Layer Security (TLS) protocol.
■ EAP-TLS uses Public Key Infrastructure (PKI).
■ EAP-TLS is one of the original EAP authentication methods, and it is used in many environments.
■ The supported clients for EAP-TLS include Microsoft Windows 2000, XP, and CE, plus non-Windows platforms with third-party supplicants, such as Meetinghouse.
■ One of the advantages of the Cisco and Microsoft implementation of EAP-TLS is that it is possible to tie the Microsoft credentials of the user to the certificate of that user in a Microsoft database, which permits a single logon to a Microsoft domain.
PEAP
■ PEAP was developed by Cisco Systems, Microsoft, and RSA Security and submitted to the IETF.
■ With PEAP, only the server authentication is performed using a PKI certificate.
■ PEAP works in two phases. In Phase 1, server-side authentication is performed and an encrypted tunnel (TLS) is created. In Phase 2, the client is authenticated using either EAP-GTC or EAP-MSCHAPv2 within the TLS tunnel.
■ PEAP-MSCHAPv2 supports single sign-on, but the Cisco PEAP-GTC supplicant does not support single logon.
Monday, September 14, 2009
Wireless
Autonomous APs — WLSE + WDS
WLSE - centralized configuration, monitoring, and management
WDS - radio monitoring and management communication between the autonomous APs and CiscoWorks WLSE
LWAP - WLC (controllers) + WCS
WLSE
■ Configuration—One CiscoWorks WLSE console supports up to 2500 APs. Configuration changes can be performed in mass, individually, or in defined groups as desired or on a scheduled time. All Cisco Aironet APs are supported.
■ Fault and policy monitoring—WLSE monitors device faults and performance threshold conditions.
■ Reporting—WLSE provides the capability to e-mail, print, and export reports. Client, device, and security information can all be tracked and reported.
■ Firmware—WLSE performs centralized firmware upgrades. Upgrades can be done in mass, individually, or in defined groups as desired or on a scheduled time.
■ Radio management—WLSE assists in management of the WLAN radio environment. Radio management features include parameter generation, network status, and reports.
■ Deployment wizard—WLSE provides a deployment wizard that discovers, uploads configurations, and manages all deployed APs.
WCS has three versions:
■ WCS Base
■ WCS Location
■ WCS Location + 2700 Series Wireless Location Appliance
■ Configuration for controllers and managed APs using customer-defined templates
■ Status and alarm monitoring of all managed devices with automated and manual client monitoring and control functions
■ Automated monitoring of rogue APs, coverage holes, security violations, controllers, and APs
■ Event log information for data clients, rogue APs, coverage holes, security violations, controllers, and APs
■ Automatic channel and power level assignment using radio resource management (RRM)
■ User-defined audit status, missed trap polling, configuration backups, and policy cleanups