01-26-2004 07:02 AM - edited 07-04-2021 09:18 AM
Hello.
We have a test with an ACS 3.2, 1100 AP and run PEAP for authentication. I have read that it is possible to deliver dynamic WEP keys from the AAA server to the client, but I am not sure how, or how to verify it.
Setup:
ACS with PEAP enabled (works fine)
Client
- XP with 350-card
- PEAP conf
- Data encr. WEP
- Key is provided for me autom.
AP
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption key xxxx size 40bitxxxxxtransmit-key
encryption mode wep mandatory
!
broadcast-key capability-change
!
!
ssid testssid
authentication open eap peap
So, the question is, perhaps stupid! Is the key that's configured in the AP the only WEP key, and is there no dynamic key delivery from the ACS? I believe so... :-) How do I enable the automatic/rotating key from the ACS?
Need some help on this one, haven't found any good stuff on CCO.
Regards
/Fred
02-03-2004 07:24 AM
You can configure "Broadcast WEP Key rotation interval" under the radio's advanced properties to enable WEP key rotation for LEAP currently. This is not supported for PEAP currently.
02-03-2004 07:23 PM
As I understand it, there are two types of key rotation, broadcast and unicast. Broadcast key rotation rotates ONLY the keys that are manually entered into the AP to protect the AP's broadcast traffic. Unicast keys (as in TKIP's per-packet keying) are unique to each client.
I'm sorry I can't remember the command to actually see verification of unicast key rotation but one of the debug commands will log a message when the keys are changed. Look through some of the debug choices on the AP at the CLI. Hope some of this helps.
02-09-2004 02:23 AM
Hi,
Using PEAP as EAP method authentication on WLAN are you sure that Dynamic WEP Key is not currently supported???
I'm using a 3rd party EAP supplicant configured for PEAP with automatic WEP key. On my AP I've not defined a WEP key, but my client is still able to be authenticated and associated...
02-27-2004 10:55 AM
Hello,
I haven't actually tried this but I've read about it so you'll have to try it out and let us know if it works :)
The two "encryption" commands that you have above are used to configure static WEP keys. EAP authentication also allows for dynamic WEP key management. To do this, you have to turn on a "key management" function. Cisco offers 2: CCKM and WPA. CCKM is used with Cisco's WDS. WPA is the WiFi implementation that uses TKIP for encryption. Under each the RADIUS server should create the WEP keys dynamically and pass them to the AP.
With CCKM, configure "encryption mode ciphers wep128" under the radio interface and "authentication key-management cckm" under the SSID. Other ciphers such as CKIP+CMIC are available. Configure this on top of the auth command you already have. You can remove your 2 encryption commands. The broadcast-key command will take care of rotating your broadcast WEP keys.
For WPA & TKIP it's similar. Use "encryption mode ciphers tkip" and "authentication key-management wpa".
I hope this helps.
Serge
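A way to check an AP configuration for the settings this thread contrasts, as an added example that is not part of any post above: it flags static WEP key lines, WEP mode with no cipher suite, and EAP SSIDs with no "authentication key-management" line. It assumes the last reply's description of those commands (which its author says is untested); the function names and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample based on the question's radio config; the redacted
# key line is replaced by a placeholder.
QUESTION_CFG = """\
interface Dot11Radio0
 no ip address
 !
 encryption key <redacted> transmit-key
 encryption mode wep mandatory
 !
 broadcast-key capability-change
 ssid testssid
  authentication open eap peap
"""

def parse(config):
    """Group radio-level lines and per-SSID authentication lines."""
    radios, radio, ssid = {}, None, None
    for line in (raw.strip() for raw in config.splitlines()):
        if not line or line == "!":
            continue
        if line.startswith("interface "):
            name = line.split()[1]
            radio = radios.setdefault(name, {"lines": [], "ssids": {}}) \
                if name.startswith("Dot11Radio") else None
            ssid = None
        elif radio is not None:
            m = re.match(r"ssid (\S+)$", line)
            if m:
                ssid = radio["ssids"].setdefault(m.group(1), [])
            elif ssid is not None and line.startswith("authentication "):
                ssid.append(line)
            else:
                radio["lines"].append(line)
    return radios

def audit(config):
    """Return findings: static WEP settings, EAP SSIDs lacking key management."""
    out = []
    for name, radio in parse(config).items():
        has = lambda prefix: any(l.startswith(prefix) for l in radio["lines"])
        if has("encryption key "):
            out.append(f"{name}: static WEP key configured")
        if has("encryption mode wep") and not has("encryption mode ciphers"):
            out.append(f"{name}: WEP mode without a cipher suite")
        for ssid, auth in radio["ssids"].items():
            eap = any("eap" in l.split() for l in auth)
            if eap and not any(l.startswith("authentication key-management") for l in auth):
                out.append(f"{name}: ssid {ssid} uses EAP without key-management")
    return out
```

Running `audit(QUESTION_CFG)` returns three findings; a configuration that uses the cipher and key-management lines from the last reply returns none.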