CCNP ONT Notes

4 Apr 2008

Chapter 9: 802.1x and Configuring Encryption and Authentication

Wireless Security

Wired Equivalent Privacy (WEP) was the first implementation of wireless encryption, and has several drawbacks:

  • Weak encryption (proven to be easily broken)
  • Vulnerable to dictionary attacks
  • Does not offer protection against rogue access points
  • Keys must be manually distributed

Cisco developed Lightweight Extensible Authentication Protocol (LEAP) to extend WEP.

LEAP provides several benefits:

  • Server-based authentication using 802.1x
  • Dynamic keys
  • Mutual client and server authentication
  • Replay attack protection

Wi-Fi Protected Access (WPA) was developed by the Wi-Fi Alliance as an interim, non-proprietary solution to replace WEP.

IEEE 802.11i (also known as WPA2) was released after WPA, but required a hardware upgrade to implement the stronger AES encryption.

IEEE 802.1x

802.1x provides port-based network access control.

802.1x is used in conjunction with Extensible Authentication Protocol (EAP) to secure wireless LANs.

EAP Authentication Protocols

Cisco LEAP

Cisco LEAP provides fast secure roaming and single sign-on.

EAP-FAST

EAP Flexible Authentication via Secure Tunneling (EAP-FAST) is nonproprietary.

EAP-FAST does not require certificates.

EAP-FAST consists of three phases:

  • Phase 0 (optional) - Client is dynamically provisioned with a Protected Access Credential (PAC)
  • Phase 1 - Client establishes a secure tunnel with the AAA server using PAC
  • Phase 2 - Client authentication

EAP-TLS

EAP Transport Layer Security (EAP-TLS) uses TLS and PKI.

Clients and servers must have certificates to be authenticated.

PEAP

Protected EAP (PEAP) only requires the authentication server to have a certificate.

PEAP has two phases:

  • Phase 1 - The server is authenticated and an encrypted tunnel is formed
  • Phase 2 - Client authentication

Client authentication can be performed using Generic Token Card (GTC) (called PEAP-GTC) or Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) version 2 (PEAP-MSCHAPv2).

| | Cisco LEAP | EAP-FAST | EAP-TLS | PEAP-GTC | PEAP-MSCHAPv2 |
|---|---|---|---|---|---|
| Active Directory auth | Yes | Yes | Yes | Yes | Yes |
| LDAP auth | No | Yes | Yes | Yes | No |
| OTP auth | No | No | Yes | Yes | No |
| Novell NDS auth | No | No | Yes | Yes | No |
| Requires server cert | No | No | Yes | Yes | Yes |
| Requires client cert | No | No | Yes | No | No |
| Windows single sign-on? | Yes | Yes | Yes | No | Yes |
| Fast secure roaming? | Yes | Yes | No | No | No |
| WPA/WPA2 | Yes | Yes | Yes | Yes | Yes |

WPA

WPA performs authentication using either 802.1x/EAP or with preshared keys.

First-generation WPA uses Temporal Key Integrity Protocol (TKIP), which is based on the same RC4 encryption used by WEP, and Message Integrity Code (MIC).

IEEE 802.11i (also known as WPA2) was released shortly after WPA.

WPA2 uses CCMP to implement AES encryption; old WPA hardware typically cannot support the stronger AES encryption, requiring a hardware upgrade.

WPA/WPA2 provide two modes of operation:

  • Personal mode - Authentication is performed using preshared keys
  • Enterprise mode - 802.1x/EAP is used for authentication
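As an added example (not part of these notes), the Python below shows what "preshared keys" means in Personal mode: IEEE 802.11i derives the 256-bit Pairwise Master Key (PMK) from the passphrase and SSID with PBKDF2-HMAC-SHA1, so every station on the network shares one PMK and its strength rests entirely on the passphrase, whereas Enterprise mode gets a fresh PMK per session from the 802.1x/EAP exchange. The function name is an assumption, the 64-hex-digit raw PSK convention is the one used by wpa_supplicant/hostapd, and the test vector is from IEEE 802.11i Annex H.

```python
"""WPA/WPA2 Personal mode: passphrase -> PMK (added example, not the notes' code).

IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
"""
import hashlib
import string

PBKDF2_ITERATIONS = 4096   # fixed by the standard
PMK_LEN = 32               # bytes (256-bit key)


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the PMK used by Personal mode (name assumed for this example).

    `passphrase` is either 8..63 printable ASCII characters (802.11i
    passphrase) or 64 hex digits, which common supplicants/APs treat as the
    raw PSK and use without PBKDF2.
    """
    ssid_bytes = ssid.encode()
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1..32 bytes")

    # Raw PSK convention: exactly 64 hex digits are taken as the key itself.
    if len(passphrase) == 64 and all(c in string.hexdigits for c in passphrase):
        return bytes.fromhex(passphrase)

    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8..63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII (0x20..0x7E)")

    # The SSID is the only salt, so the same passphrase on two networks with
    # the same SSID yields the same PMK; only the passphrase adds entropy.
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid_bytes, PBKDF2_ITERATIONS, PMK_LEN
    )


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE"
    print(derive_pmk("password", "IEEE").hex())
    # -> f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e
```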
