11-8
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-29225-01
Chapter 11 Configuring Authentication Types
Understanding Authentication Types
Figure 11-6 shows the WPA key management process.
Figure 11-6 WPA Key Management Process
Software and Firmware Requirements for WPA, CCKM, CKIP, and WPA-TKIP
Table 11-1 lists the firmware and software requirements required on access points and Cisco Aironet
client devices to support WPA and CCKM key management and CKIP and WPA-TKIP encryption
protocols.
88965
Client and server authenticate to each other, generating an EAP master key
Client device
Access point
Authentication
server
Wired LAN
Server uses the EAP master key to
generate a pairwise master key (PMK)
to protect communication between the
client and the access point. (However,
if the client is using 802.1x authentication
and both the access point and the client
are configured with the same pre-shared key,
the pre-shared key is used as the PMK and
the server does not generate a PMK.)
Client and access point complete
a four-way handshake to:
Client and access point complete
a two-way handshake to securely
deliver the group transient key from
the access point to the client.
Confirm that a PMK exists and that
knowledge of the PMK is current.
Derive a pairwise transient key from
the PMK.
Install encryption and integrity keys into
the encryption/integrity engine, if necessary.
Confirm installation of all keys.