288 CHAPTER 13: CONFIGURING USER E NCRYPTIONWPA AuthenticationMethodsYou can configure an SSID to support one or both of the followingauthentication methods for WPA clients: 802.1X — The MAP and client use an Extensible AuthenticationProtocol (EAP) method to authenticate one another, then use theresulting key in a handshake to derive a unique key for the session.The 802.1X authentication method requires user information to beconfigured on AAA servers or in the WX switch’s local database. This isthe default WPA authentication method. Preshared key (PSK) — A MAP radio and a client authenticate oneanother based on a key that is statically configured on both devices.The devices then use the key in a handshake to derive a unique key forthe session. For a given service profile, you can globally configure aPSK for use with all clients. You can configure the key by entering anASCII passphrase or by entering the key itself in raw (hexadecimal)form.For a MAC client that authenticates using a PSK, the RADIUS servers orlocal database still must contain an authentication rule for the client, toassign the client to a VLAN.MSS sets the timeout for the key exchanges between WPA (or RSN)clients and the MAP to the same value as the last setting of theretransmission timeout. The retransmission timeout is set to the lower ofthe 802.1X supplicant timeout or the RADIUS session-timeout attribute.See “Setting EAP Retransmission Attempts” on page 535 for moreinformation.WPA InformationElementA WPA information element (IE) is a set of extra fields in a wireless framethat contain WPA information for the access point or client. To enableWPA support in a service profile, you must enable the WPA IE. Thefollowing types of wireless frames can contain a WPA IE: Beacon (sent by a MAP) — The WPA IE in a beacon frame advertisesthe cipher suites and authentication methods that a MAP radiosupports for the encrypted SSID. The WPA IE also lists the cipher suitesthat the radio uses to encrypt broadcast and multicast frames. A MAPradio always uses the least secure of the cipher suites to encryptbroadcast and multicast frames to ensure that all clients associatedwith the SSID can decrypt the frames. A MAP radio uses the mostsecure cipher suite supported by both the radio and a client to encryptunicast traffic to that client.
