Showing results for 
Search instead for 
Did you mean: 

Wireless Security features - Cisco Cius






This Document discuss about various Wireless Security features available on Cisco Cius. when deploying a wireless LAN, security is essential.


Cisco Cius supports the following wireless security features.



  • WPA (802.1x authentication + TKIP or AES encryption)
  • WPA2 (802.1x authentication + AES or TKIP encryption)
  • WPA-PSK (Pre-Shared key + TKIP encryption)
  • WPA2-PSK (Pre-Shared key + AES encryption)
  • EAP-FAST (Extensible Authentication Protocol – Flexible Authentication via Secure Tunneling)
  • PEAP (Protected Extensible Authentication Protocol)
  • CCKM (Cisco Centralized Key Management)



  • AES (Advanced Encryption Scheme)
  • TKIP / MIC (Temporal Key Integrity Protocol / Message Integrity Check)
  • WEP (Wired Equivalent Protocol) 40/64 and 104/128 bit


Note: Dynamic WEP with 802.1x authentication and Shared Key authentication are not supported.


Extensible Authentication Protocol - Flexible Authentication via Secure Tunneling (EAP-FAST)

This client server security architecture encrypts EAP transactions within a Transport Level Security (TLS) tunnel between the

access point and the Remote Authentication Dial-in User Service (RADIUS) server such as the Cisco Access Control Server



The TLS tunnel uses Protected Access Credentials (PACs) for authentication between the client (Cisco Cius) and the RADIUS

server. The server sends an Authority ID (AID) to the client (Cisco Cius), which in turn selects the appropriate PAC. The client

(Cisco Cius) returns a PAC-Opaque to the RADIUS server. The server decrypts the PAC with its master-key. Both endpoints

now have the PAC key and a TLS tunnel is created. EAP-FAST supports automatic PAC provisioning, but it must enable don

the RADIUS server.


To enable EAP-FAST, a certificate must be installed on to the RADIUS server.


Cisco Cius currently supports only automatic provisioning of the PAC, so enable “Allow anonymous in-band PAC

provisioning” on the RADIUS server as shown below.


Both EAP-GTC and EAP-MSCHAPv2 must be enabled when “Allow anonymous in-band PAC provisioning” is enabled.

EAP-FAST requires that a user account be created on the authentication server.





  • If anonymous PAC provisioning is not allowed in the product wireless LAN environment then a staging Cisco ACS can be

setup for initial PAC provisioning of Cisco Cius.


  • This requires that the staging ACS server be setup as a slave EAP-FAST server and components are replicated from the product

master EAP-FAST server, which include user and group database and EAP-FAST master key and policy info.


  • Ensure the production master EAP-FAST ACS server is setup to send the EAP-FAST master keys and policies to the staging

slave EAP-FAST ACS server, which will then allow Cisco Cius to use the provisioned PAC in the production environment

where “Allow anonymous in-band PAC provisioning” is disabled.


  • When it is time to renew the PAC, then authenticated in-band PAC provisioning will be used, so ensure that “Allow

authenticated in-band PAC provisioning” is enabled.


  • Ensure that Cisco Cius has connected to the network during the grace period to ensure it can use its existing PAC created either

using the active or retired master key in order to get issued a new PAC.


  • Is recommended to only have the staging wireless LAN pointed to the staging ACS server and to disable the staging access

point radios when not being used.


Protected Extensible Authentication Protocol (PEAP)

Protected Extensible Authentication Protocol (PEAP) uses server-side public key certificates to authenticate clients by creating

an encrypted SSL/TLS tunnel between the client and the authentication server.


The ensuing exchange of authentication information is then encrypted and user credentials are safe from eavesdropping.

MS-CHAP v2 is the current supported inner authentication protocol (GTC is not supported).




PEAP (MS-CHAP v2) requires that a user account be created on the authentication server. Server validation for PEAP is currently not supported.


Cisco Centralized Key Management (CCKM)

When using 802.1x type authentication, it is recommended to implement CCKM to enable fast roaming. 802.1x can introduce

delay during roaming due to its requirement for full re-authentication. CCKM centralizes the key management and reduces the

number of key exchanges. WPA and WPA2 introduce additional transient keys and can lengthen roaming time.


When CCKM is utilized, roaming times can be reduced from 400-500 ms to less than 100 ms, where that transition time from

one access point to another will not be audible to the user.


Cisco Cius supports CCKM with WPA2 (AES or TKIP) or WPA (TKIP or AES).





Recognize Your Peers
Content for Community-Ad