Introduction
How to configure encryption on Autonomous Access Points
Solution
Cipher suites are sets of encryption and integrity algorithms designed to protect radio communication on your wireless LAN. You must use a cipher suite to enable Wi-Fi Protected Access (WPA) or Cisco Centralized Key Management (CCKM). Because cipher suites provide the protection of WEP while also allowing use of authenticated key management, Cisco recommends that you enable WEP by using the encryption mode cipher command in the CLI or by using the cipher drop-down menu in the web-browser interface. Cipher suites that contain TKIP provide the best security for your wireless LAN, and cipher suites that contain only WEP are the least secure.
Security features
These security features protect the data traffic on your wireless LAN:
•AES-CCMP—Based on the Advanced Encryption Standard (AES) defined in the National Institute of Standards and Technology's FIPS Publication 197, AES-CCMP is a symmetric block cipher that can encrypt and decrypt data using keys of 128, 192, and 256 bits. AES-CCMP is superior to WEP encryption and is defined in the IEEE 802.11i standard.
•WEP (Wired Equivalent Privacy)—WEP is an 802.11 standard encryption algorithm originally designed to provide your wireless LAN with the same level of privacy available on a wired LAN. However, the basic WEP construction is flawed, and an attacker can compromise the privacy with reasonable effort.
•TKIP (Temporal Key Integrity Protocol)—TKIP is a suite of algorithms surrounding WEP that is designed to achieve the best possible security on legacy hardware built to run WEP. TKIP adds four enhancements to WEP:
–A per-packet key mixing function to defeat weak-key attacks
–A new IV sequencing discipline to detect replay attacks
–A cryptographic message integrity check (MIC), called Michael, to detect forgeries such as bit flipping and altering packet source and destination
–An extension of IV space, to virtually eliminate the need for re-keying
•CKIP (Cisco Key Integrity Protocol)—Cisco's WEP key permutation technique based on an early algorithm presented by the IEEE 802.11i security task group.
•CMIC (Cisco Message Integrity Check)—Like TKIP's Michael, Cisco's message integrity check mechanism is designed to detect forgery attacks.
•Broadcast key rotation (also known as Group Key Update)—Broadcast key rotation allows the access point to generate the best possible random group key and update all key-management capable clients periodically. Wi-Fi Protected Access (WPA) also provides additional options for group key updates. See the "Using WPA Key Management" section on page 11-7 for details on WPA.
Enabling Cipher Suites and WEP
Beginning in privileged EXEC mode, follow these steps to enable a cipher suite
Command
Purpose
Step 1 | configure terminal | Enter global configuration mode. |
Step 2 | interface dot11radio {0 | 1 } | Enter interface configuration mode for the radio interface. The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1. |
Step 3 | encryption | Enable a cipher suite containing the WEP protection you need. • • Note Note Note Note |
Step 4 | end | Return to privileged EXEC mode. |
Step 5 | copy running-config startup-config | Optional) Save your entries in the configuration file. |
(Optional) Select the VLAN for which you want to enable WEP and WEP features.
Example
This example sets up a cipher suite for VLAN 22 that enables CKIP, CMIC, and 128-bit WEP.
ap1200# configure terminal
ap1200(config)# interface dot11radio 0
ap1200(config-if)# encryption vlan 22 mode ciphers ckip-cmic wep128
ap1200(config-if)# exit