Introduction
How to configure encryption on Autonomous Access Points
Solution
Cipher suites are sets of encryption and integrity algorithms designed to protect radio communication on your wireless LAN. You must use a cipher suite to enable Wi-Fi Protected Access (WPA) or Cisco Centralized Key Management (CCKM). Because cipher suites provide the protection of WEP while also allowing use of authenticated key management, Cisco recommends that you enable WEP by using the encryption mode cipher command in the CLI or by using the cipher drop-down menu in the web-browser interface. Cipher suites that contain TKIP provide the best security for your wireless LAN, and cipher suites that contain only WEP are the least secure.
Security features
These security features protect the data traffic on your wireless LAN:
•AES-CCMP—Based on the Advanced Encryption Standard (AES) defined in the National Institute of Standards and Technology's FIPS Publication 197, AES-CCMP is a symmetric block cipher that can encrypt and decrypt data using keys of 128, 192, and 256 bits. AES-CCMP is superior to WEP encryption and is defined in the IEEE 802.11i standard.
•WEP (Wired Equivalent Privacy)—WEP is an 802.11 standard encryption algorithm originally designed to provide your wireless LAN with the same level of privacy available on a wired LAN. However, the basic WEP construction is flawed, and an attacker can compromise the privacy with reasonable effort.
•TKIP (Temporal Key Integrity Protocol)—TKIP is a suite of algorithms surrounding WEP that is designed to achieve the best possible security on legacy hardware built to run WEP. TKIP adds four enhancements to WEP:
–A per-packet key mixing function to defeat weak-key attacks
–A new IV sequencing discipline to detect replay attacks
–A cryptographic message integrity check (MIC), called Michael, to detect forgeries such as bit flipping and altering packet source and destination
–An extension of IV space, to virtually eliminate the need for re-keying
•CKIP (Cisco Key Integrity Protocol)—Cisco's WEP key permutation technique based on an early algorithm presented by the IEEE 802.11i security task group.
•CMIC (Cisco Message Integrity Check)—Like TKIP's Michael, Cisco's message integrity check mechanism is designed to detect forgery attacks.
•Broadcast key rotation (also known as Group Key Update)—Broadcast key rotation allows the access point to generate the best possible random group key and update all key-management capable clients periodically. Wi-Fi Protected Access (WPA) also provides additional options for group key updates. See the "Using WPA Key Management" section on page 11-7 for details on WPA.
Enabling Cipher Suites and WEP
Beginning in privileged EXEC mode, follow these steps to enable a cipher suite
Command
Purpose
Step 1 | configure terminal | Enter global configuration mode. |
Step 2 | interface dot11radio {0 | 1 } | Enter interface configuration mode for the radio interface. The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1. |
Step 3 | encryption [vlan vlan-id] mode ciphers {[ tkip]} {[wep128 |wep40]} | Enable a cipher suite containing the WEP protection you need. •(Optional) Select the VLAN for which you want to enable WEP and WEP features. •Set the cipher options and WEP level. You can combine TKIP with 128-bit or 40-bit WEP. Note If you enable a cipher suite with two elements (such as TKIP and 128-bit WEP), the second cipher becomes the group cipher. Note If you configure ckip, cmic, or ckip-cmic, you must also enable Aironet extensions. The command to enable Aironet extensions is dot11 extension aironet. Note You can also use the encryption mode wep command to set up static WEP. However, you should use encryption mode wep only if no clients that associate to the access point are capable of key management. See the Cisco IOS Command Reference for Cisco Access Points and Bridges for a detailed description of the encryption mode wep command. Note When you configure the cipher TKIP (not TKIP + WEP 128 or TKIP + WEP 40) for an SSID, the SSID must use WPA or CCKM key management. Client authentication fails on an SSID that uses the cipher TKIP without enabling WPA or CCKM key management. |
Step 4 | end | Return to privileged EXEC mode. |
Step 5 | copy running-config startup-config | Optional) Save your entries in the configuration file. |
Example
This example sets up a cipher suite for VLAN 22 that enables CKIP, CMIC, and 128-bit WEP.
ap1200# configure terminal
ap1200(config)# interface dot11radio 0
ap1200(config-if)# encryption vlan 22 mode ciphers ckip-cmic wep128
ap1200(config-if)# exit
Reference