BR1310 Wireless Point-to-Point Bridge

Unanswered Question
Jun 30th, 2008

I recently configured two BR1310 Access Point/Bridges into a Root & Non-Root (without clients) configuration to extend a LAN to another building. I configured the units to use LEAP (Root acting as RADIUS server), authenticating with Network-EAP w/ WPA2, and AES as the encryption cipher. Being that WPA2/LEAP handle the key management, I had a question regarding best practices. I currently have configured a "dot1x timeout reauth-period" of 300 seconds, in addition to a broadcast-key change of the same. I have 4 VLANs trunked over this bridge, and since I have no wireless clients associating with these bridges, I'm assuming I do not need the broadcast-key rotation. The idea is that by forcing a dot1x reauth, a new PTK/PMK will be created every 300 seconds. Is that a recommended practice?

Also, being that I have 4 VLANs trunked across these bridges, is there a way to verify (via debug?) that all VLANs' traffic is being encrypted by AES? Obviously when I do a "show dot11 assoc all", only my native VLAN (mgmt) shows as AES, no other VLANs.

Thanks,

Dan

ulstegner Fri, 08/15/2008 - 00:37

Hello,

It is normal that you only see the native VLAN with "sh dot11 ass ..". The authentication and encryption are realized on this VLAN (infrastructure). That does not mean

all other VLANs are not encrypted!! Of course they are, because the VLANs are "transported" sequentially in the AES-encrypted connection. You can, by the way, see this with a WLAN analyzer.

Don't set the timeouts (reauth-period) so low; I use 10000 sec. It is not more secure if you reauthenticate the session so often.

A Cisco staff member configured 40000 sec at one of my customers. A good choice is once per day.

Regards, Ulrich
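Added example (not from either poster's configuration): a constructed BR1310-style radio interface fragment that puts the 300-second values from the question beside the once-per-day value the reply recommends. The interface name, SSID name and the exact command syntax for the IOS release on the bridge are assumptions; check them against the running-config before applying.

```cisco
! Constructed example; interface and SSID names are assumed, not taken from the thread.
! --- Setting as described in the question ---
interface Dot11Radio0
 encryption mode ciphers aes-ccm
 ssid BRIDGE-LINK
 ! Forces a full LEAP reauthentication (and a new PTK) every 5 minutes.
 dot1x timeout reauth-period 300
 ! Rotates the group key every 5 minutes; only matters when wireless clients are associated.
 broadcast-key change 300
!
! --- Setting in line with the reply: reauthenticate about once per day ---
interface Dot11Radio0
 encryption mode ciphers aes-ccm
 ssid BRIDGE-LINK
 ! 86400 s = once per day; the link stays AES-encrypted between reauthentications.
 dot1x timeout reauth-period 86400
 ! Root/non-root bridge with no clients: the broadcast-key rotation line can be dropped.
 no broadcast-key change
```

Whichever period is used, the VLANs trunked over the link ride inside the same AES-encrypted bridge association, which is why "show dot11 associations" only lists the native VLAN.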
