
Informational: Cisco Wireless Dynamic WEP Solution

I just wanted to take an opportunity to apprise folks of Cisco's solution for vulnerabilities identified in the WEP protocol.

Recently, Berkeley issued a white paper detailing the weaknesses of WEP in 802.11 wireless networks. They were "right on" in their assessments. The problems stem both from the fact that WEP keys are statically assigned to wireless clients and from the fact that some vendors implement IVs (Initialization Vectors) poorly.

The problem with static WEP keys is that once assigned (manually) to a wireless client, they remain in place for all encryption sessions. Not only does this cause problems if the client device is stolen, but with a constant stream of sessions encrypted under a single key, cryptographic techniques can discover the WEP key and compromise the encrypted traffic.

Cisco recently announced a security architecture designed to mitigate the inherent flaws of WEP. Cisco's new architecture uses dynamic WEP key distribution based on EAP (Extensible Authentication Protocol) and the forthcoming 802.1x standard. The bottom line is that Cisco now offers a wireless authentication mechanism that facilitates dynamic WEP key generation. This solution works with Aironet 340 and 350 products and the CiscoSecure ACS 2.6 AAA server.

Cisco uses a “pre-standard” implementation of EAP and 802.1x called LEAP (Lightweight Extensible Authentication Protocol). LEAP uses a challenge/response methodology for generating dynamic WEP keys that can be configured to forcibly expire and refresh without user intervention. Think of it as a wireless version of PPP, with WEP key generation based on successful authentication.

The wireless client and the AAA server generate the WEP key locally without actually passing the key in the clear. After proper authentication and key generation the AAA server passes the key to the wireless access-point to stimulate mutual authentication between the access-point and wireless client.

Thus, Cisco's LEAP solution facilitates dynamic, refreshable (if that's a word) key generation with mutual authentication between the wireless client and access-point. This solves the problem of static WEP keys and so-called “rogue” access-points, as detailed in the Berkeley white paper.

Concerning IV vulnerabilities, Cisco uses per-packet random IVs. On a packet-by-packet basis, the Cisco wireless client generates a random (or, more properly, pseudorandom) IV for every IP packet transmission. This reduces the likelihood that a snooper could cryptanalyze wireless traffic via IV attacks.

The Cisco LEAP architecture is nothing short of a phenomenal advance in wireless security. Even though our solution is "pre-standard" (802.1x, once ratified, will offer a fully specified solution for WEP vulnerabilities), Cisco is the first wireless vendor to provide a solution to wireless security vulnerabilities. When 802.1x becomes standard, we will of course comply with the specification and offer software upgrades for all wireless products.

Furthermore, to achieve an even higher-level of wireless security, you can use remote-access VPN solutions based on the Cisco VPN 3000 solution.

No matter how you slice it, Cisco has a robust architecture for solving wireless security problems.

For more information, please visit

Good luck!
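The challenge/response exchange with mutual authentication and locally derived session keys that the post describes, as an added illustration that is not part of the original post and is not Cisco's LEAP implementation: it uses HMAC-SHA256 over a password-derived secret in place of LEAP's actual primitives, and the 8-byte challenge and 13-byte (104-bit) WEP key lengths, the message names and the `rogue_server` switch are all assumptions made for the example. It shows the three properties the post claims: the secret and the derived key never cross the air, a client with the wrong password is rejected, and an access point that does not hold the secret fails the client's own challenge.

```python
import hashlib
import hmac
import os

# Assumed lengths for this illustration (not taken from LEAP):
CHALLENGE_LEN = 8      # bytes of challenge in each direction
WEP104_KEY_LEN = 13    # 104-bit WEP key handed to the access point


def secret_from_password(password: str) -> bytes:
    """Password-derived secret held by the client and by the AAA server.
    It is provisioned out of band and is never transmitted."""
    return hashlib.sha256(b"illustrative-secret:" + password.encode("utf-8")).digest()


def response_to(secret: bytes, challenge: bytes) -> bytes:
    """Challenge/response: proves possession of the secret without revealing it."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def derive_session_key(secret: bytes, transcript: bytes) -> bytes:
    """Both ends run this over the identical transcript, so they agree on a
    per-session WEP key that is computed locally rather than sent over the air."""
    return hmac.new(secret, b"session-key|" + transcript, hashlib.sha256).digest()[:WEP104_KEY_LEN]


def run_exchange(client_password, server_password, server_challenge=None,
                 client_challenge=None, rogue_server=False):
    """Simulate one authentication between a wireless client and the AAA server;
    the access point only relays the over-the-air messages.
    A rogue server (rogue_server=True) holds no valid secret and therefore
    cannot verify the client, so it simply accepts whatever it receives.
    Challenges may be injected so that tests are deterministic."""
    client_secret = secret_from_password(client_password)
    server_secret = os.urandom(32) if rogue_server else secret_from_password(server_password)
    over_the_air = []  # every byte string an eavesdropper could capture

    # 1. The server challenges the client; the client answers with its secret.
    server_challenge = server_challenge or os.urandom(CHALLENGE_LEN)
    client_response = response_to(client_secret, server_challenge)
    over_the_air += [server_challenge, client_response]
    client_ok = rogue_server or hmac.compare_digest(
        client_response, response_to(server_secret, server_challenge))
    if not client_ok:
        return {"client_accepted_by_server": False, "server_accepted_by_client": False,
                "client_key": None, "server_key": None, "over_the_air": over_the_air}

    # 2. The client challenges the network in turn (mutual authentication).
    client_challenge = client_challenge or os.urandom(CHALLENGE_LEN)
    server_response = response_to(server_secret, client_challenge)
    over_the_air += [client_challenge, server_response]
    server_ok = hmac.compare_digest(server_response, response_to(client_secret, client_challenge))

    # 3. Each side derives the session key from its own secret and the shared transcript.
    #    In the deployment the post describes, the AAA server would now pass its copy
    #    to the access point over the wired link, not over the wireless medium.
    transcript = server_challenge + client_response + client_challenge + server_response
    return {"client_accepted_by_server": True,
            "server_accepted_by_client": server_ok,
            "client_key": derive_session_key(client_secret, transcript) if server_ok else None,
            "server_key": derive_session_key(server_secret, transcript),
            "over_the_air": over_the_air}


def key_leaked(result) -> bool:
    """True if the derived key appears verbatim in any captured message."""
    key = result["client_key"] or result["server_key"]
    return key is not None and any(key in msg for msg in result["over_the_air"])


if __name__ == "__main__":
    good = run_exchange("s3cret", "s3cret")
    print("keys agree:", good["client_key"] == good["server_key"],
          "leaked:", key_leaked(good))
    print("rogue AP detected:", not run_exchange("s3cret", None, rogue_server=True)["server_accepted_by_client"])
```

Note that the rogue case passes step 1 only because the impostor skips verification; the client's own challenge in step 2 is what exposes it, which is the point of making the authentication mutual.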
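On the per-packet random IV point above, the caveat a practitioner will want is that WEP's IV field is only 24 bits, so picking IVs at random does not prevent the same IV (and hence the same RC4 keystream) from being used twice under one key; it only changes when that happens. The following simulation is an added example, not code from the original post or from Cisco: it compares a sequential IV schedule with a seeded pseudorandom one over a constructed packet count and gives the birthday-bound estimate of when the first repeat is expected. The packet counts and the seed are assumptions chosen for the illustration.

```python
import math
import random

IV_BITS = 24                 # width of the WEP IV field on the wire
IV_SPACE = 1 << IV_BITS      # 16,777,216 possible IVs per key


def sequential_ivs(count, start=0):
    """IV schedule of a naive implementation: a counter that wraps at IV_SPACE."""
    return [(start + i) % IV_SPACE for i in range(count)]


def random_ivs(count, rng):
    """Per-packet pseudorandom IVs, drawn here from a seeded PRNG (constructed input)."""
    return [rng.getrandbits(IV_BITS) for _ in range(count)]


def count_reused_ivs(ivs):
    """Packets whose IV repeats an earlier one under the same key.
    Every such packet shares its keystream with an earlier packet."""
    seen = set()
    reused = 0
    for iv in ivs:
        if iv in seen:
            reused += 1
        else:
            seen.add(iv)
    return reused


def packets_until_first_reuse(rng, limit=IV_SPACE + 1):
    """Number of random-IV packets sent when the first IV repeat occurs."""
    seen = set()
    for n in range(1, limit + 1):
        iv = rng.getrandbits(IV_BITS)
        if iv in seen:
            return n
        seen.add(iv)
    return None


def expected_packets_until_reuse():
    """Birthday bound: expected draws until the first repeat is about sqrt(pi * N / 2)."""
    return math.sqrt(math.pi * IV_SPACE / 2)


def expected_reused_ivs(packets):
    """Approximate expected number of repeats among `packets` random IVs: n(n-1) / 2N."""
    return packets * (packets - 1) / (2 * IV_SPACE)


def simulate_session(packets, seed=0):
    """Reuse counts for one session of `packets` frames under each schedule."""
    rng = random.Random(seed)
    return {"random": count_reused_ivs(random_ivs(packets, rng)),
            "sequential": count_reused_ivs(sequential_ivs(packets))}


if __name__ == "__main__":
    print("expected packets until first random-IV repeat:", round(expected_packets_until_reuse()))
    print("observed:", packets_until_first_reuse(random.Random(1)))
    print("reuse in a 100,000-packet session:", simulate_session(100_000, seed=0))
```

A sequential counter only repeats after the full 2^24 packets (and then repeats everything), whereas random selection starts repeating after a few thousand packets; the more durable fix in the post is the key refresh, which limits how many packets any one key ever protects.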
