Open as PDF
288 CHAPTER 13: CONFIGURING USER ENCRYPTION
You can configure an SSID to support one or both of the following
authentication methods for WPA clients:
802.1X — The MAP and client use an Extensible Authentication
Protocol (EAP) method to authenticate one another, then use the
resulting key in a handshake to derive a unique key for the session.
The 802.1X authentication method requires user information to be
configured on AAA servers or in the WX switch’s local database. This is
the default WPA authentication method.
Preshared key (PSK) — A MAP radio and a client authenticate one
another based on a key that is statically configured on both devices.
The devices then use the key in a handshake to derive a unique key for
the session. For a given service profile, you can globally configure a
PSK for use with all clients. You can configure the key by entering an
ASCII passphrase or by entering the key itself in raw (hexadecimal)
For a MAC client that authenticates using a PSK, the RADIUS servers or
local database still must contain an authentication rule for the client, to
assign the client to a VLAN.
MSS sets the timeout for the key exchanges between WPA (or RSN)
clients and the MAP to the same value as the last setting of the
retransmission timeout. The retransmission timeout is set to the lower of
the 802.1X supplicant timeout or the RADIUS session-timeout attribute.
See “Setting EAP Retransmission Attempts” on page 535 for more
A WPA information element (IE) is a set of extra fields in a wireless frame
that contain WPA information for the access point or client. To enable
WPA support in a service profile, you must enable the WPA IE. The
following types of wireless frames can contain a WPA IE:
Beacon (sent by a MAP) — The WPA IE in a beacon frame advertises
the cipher suites and authentication methods that a MAP radio
supports for the encrypted SSID. The WPA IE also lists the cipher suites
that the radio uses to encrypt broadcast and multicast frames. A MAP
radio always uses the least secure of the cipher suites to encrypt
broadcast and multicast frames to ensure that all clients associated
with the SSID can decrypt the frames. A MAP radio uses the most
secure cipher suite supported by both the radio and a client to encrypt
unicast traffic to that client.