topic Re: dot1x/PEAP and dynamic WEP-keys in Wireless

dot1x/PEAP and dynamic WEP-keys

walruspro — Sun, 04 Jul 2021 16:18:45 GMT

Hello.

We have a test with an ACS 3.2, 1100 AP and run PEAP for authentication. I have read that it is possible to deliver dynamic WEP-keys from the aaa-server to the client but not sure how and how to verify..

Setup:

ACS with PEAP enabled (works fine)

Client

- XP with 350-card

- PEAP conf

- Data encr. WEP

- Key is provided for me autom.

interface Dot11Radio0

no ip address

no ip route-cache

encryption key xxxx size 40bitxxxxxtransmit-key

encryption mode wep mandatory

broadcast-key capability-change

ssid testssid

authentication open eap peap

So, the question is, perhaps stupid!,,, is the key that´s configured in the AP the only WEP-key and there is no dynamic key-delivery from the ACS. Belive so...:-) How to enable the automatic key/rotating key from the ACS?

Need some help on this one, haven's found any good stuff on CCO.

Regards

/Fred

Re: dot1x/PEAP and dynamic WEP-keys

b.speltz — Tue, 03 Feb 2004 15:24:13 GMT

You can configure "Broadcast WEP Key rotation interval " under the radio's advanced properties to enable WEP key rotation LEAP currently. This is not supported for PEAP currently.

Re: dot1x/PEAP and dynamic WEP-keys

sdesforges — Wed, 04 Feb 2004 03:23:45 GMT

As I understand it, there are two types of key rotation, bradcast and unicast. Broadcast key rotation rotates ONLY the keys that are manually entered into the AP to protect the AP's broadcast traffic. Unicast keys (as in TKIP's per packet keying) are unique to each client.

I'm sorry I can't remember the command to actually see verification of unicast key rotation but one of the debug commands will log a message when the keys are changed. Look through some of the debug choices on the AP at the CLI. Hope some of this helps.

Re: dot1x/PEAP and dynamic WEP-keys

oguarisco — Mon, 09 Feb 2004 10:23:21 GMT

Hi,

Using PEAP as EAP method authentication on WLAN are you sure that Dynamic WEP Key is not currently supported???

I'm using a 3rd party EAP supplicant configured for PEAP with automatic WEP key. On my AP I've not defined a WEP Key but my client is still be able to be authenticated and associated...

Re: dot1x/PEAP and dynamic WEP-keys

s.vautour — Fri, 27 Feb 2004 18:55:46 GMT

Hello,

I haven't actually tried this but I've read about it so you'll have to try it out and let us know if it works 🙂

The two "encryption" commands that you have above are used to configure static WEP keys. EAP authentication also allows for dynamic WEP key management. To do this, you have to turn on a "key management" function. Cisco offers 2: CCKM and WPA. CCKM is used with Cisco's WDS. WPA is the WiFi implementation that uses TKIP for encryption. Under each the RADIUS server should create the WEP keys dynamically and pass them to the AP.

With CCKM, configure "encryption mode ciphers wep128" under the radio interface and "authentication key-management cckm" under the SSID. Other ciphers such as CKIP+CMIC are available. Configure this on top of the auth command you already have. You can remove your 2 encryption commands. The broadcast-key command will take care of rotating your broadcast WEP keys.

For WPA & TKIP it's similar. Use "encryption mode ciphers tkip" and "authentication key-management wpa".

I hope this helps.

Serge