Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

New security features to version 11.10T AP firmware?

So I see in the release notes of the latest AP firmware that there are 2 new security enhancements. One is the Message Integrity Checking (MIC) and the other is the WEP key hashing which is suppose to defend against attacks that use the initialization vector in encrypted packets to calculate the WEP key.

Will these new features eliminate attacks by freeware products such as Airsnort?

Does this make WEP keys essentially unbreakable? If so then does that eliminate the need for rotating keys, i.e. EAP or LEAP?

I assume these changes were brought on by the IEEE's agreement on RSA's WEP security fix...,4125,NAV47_STO66707,00.html

Should we expect to see any other changes to WEP anytime soon?

New Member

Re: New security features to version 11.10T AP firmware?


It is my understanding that the RSA patch is a double hashed initialization vector. Although the Cisco solution is well on the way to a better solution, it is proprietary. All of your clients must be Cisco radios and they must have the latest firmware, NDIS drivers, and ACU to take advantage of this fix. The new ACU is a big step forward featurewise, and worth installing for the features.

New Member

Re: New security features to version 11.10T AP firmware?

There is another security enhancement that allows the broadcast WEP key to be rotated as well. Previously the broadcast WEP key was static on the AP. I think the same key is also issued for multicast traffic. A key is not required for the client for this operation.

New Member

Re: New security features to version 11.10T AP firmware?

replay to SECUREID trouble

I verified that at this moment it is not possible to use an OTP(One Time Password) with LEAP protocol 'couse this kind of authentication uses a One Way process while link between AP and NICs is Two-way kind: client is autenticated by AP --> and viceversa <--- .

So is not a Cisco secure bug, instead a security policy for wireless to block a "stranger" AP.

I contact RSA (secure-id manifacture) and Cisco italia, both told me they are going to develope a new protocol (PEAP) to solve the problem.