Wireless Security Commands
BreezeMAX Wi² and BreezeACCESS Wi² System Manual 239
Example
5.20.5 cipher-suite

This command defines the cipher algorithm used to encrypt the global key for
broadcast and multicast traffic when using WiFi Protected Access (WPA) security.

Syntax
multicast-cipher <aes-ccmp | tkip | wep>
aes-ccmp - Use AES-CCMP encryption for the unicast and multicast cipher.
tkip - Use TKIP encryption for the multicast cipher. TKIP or AES-CCMP can be used for the unicast cipher depending on the capability of the client.
wep - Use WEP encryption for the multicast cipher. TKIP or AES-CCMP can be used for the unicast cipher depending on the capability of the client.
Default Setting
wep
Command Mode
Interface Configuration (Wireless-VAP)
Command Usage
WPA enables the AP to support different unicast encryption keys for each client. However, the
global encryption key for multicast and broadcast traffic must be the same for all clients.
If any clients supported by the AP are not WPA enabled, the multicast-cipher algorithm must be
set to WEP.
WEP is the first-generation security protocol used to encrypt data crossing the wireless medium
using a fairly short key. Communicating devices must use the same WEP key to encrypt and
decrypt radio signals. WEP has many security flaws, and is not recommended for transmitting
highly sensitive data.
TKIP provides data encryption enhancements including per-packet key hashing (i.e., changing
the encryption key on each packet), a message integrity check, an extended initialization vector
with sequencing rules, and a re-keying mechanism. Select TKIP if there are clients in the network
that are not WPA2 compliant.
TKIP defends against attacks on WEP in which the unencrypted initialization vector in encrypted
packets is used to calculate the WEP key. TKIP changes the encryption key on each packet, and
rotates not just the unicast keys, but the broadcast keys as well. TKIP is a replacement for WEP
that removes the predictability that intruders relied on to determine the WEP key.
AES-CCMP (Advanced Encryption Standard Counter-Mode/CBC-MAC Protocol): WPA2 is
backward compatible with WPA, including the same 802.1X and PSK modes of operation and
support for TKIP encryption. The main enhancement is its use of AES Counter-Mode encryption
with Cipher Block Chaining Message Authentication Code (CBC-MAC) for message integrity. The
AES Counter-Mode/CBC-MAC Protocol (AES-CCMP) provides extremely robust data
confidentiality using a 128-bit key. The AES-CCMP encryption cipher is specified as a standard
requirement for WPA2. However, the computationally intensive operations of AES-CCMP require
hardware support on client devices. Therefore, to implement WPA2 in the network, wireless
clients must be upgraded to WPA2-compliant hardware.
Enterprise AP(if-wireless g: VAP[0])#transmit-key 2
Enterprise AP(if-wireless g)#
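
An added example (not from the manual): a small audit that reads a saved CLI session log and reports every VAP whose effective multicast cipher is still WEP or TKIP, including VAPs left at the documented default of wep. Only the prompt format, the multicast-cipher command and its three values come from this page; the session log, the VAP inventory and the strength ordering are assumptions of the example.

```python
import re

# Prompt format copied from the manual's example line; only the VAP context is parsed.
PROMPT = re.compile(
    r"^Enterprise AP\(if-wireless (?P<radio>\w+): VAP\[(?P<vap>\d+)\]\)#\s*(?P<cmd>.*)$")
DEFAULT_CIPHER = "wep"                           # "Default Setting" in the manual
STRENGTH = {"wep": 0, "tkip": 1, "aes-ccmp": 2}  # ordering is this example's assumption

# Constructed session log (not captured from a real device).
SAMPLE_LOG = """\
Enterprise AP(if-wireless g: VAP[0])#multicast-cipher wep
Enterprise AP(if-wireless g: VAP[0])#transmit-key 2
Enterprise AP(if-wireless g: VAP[0])#multicast-cipher aes-ccmp
Enterprise AP(if-wireless g: VAP[1])#multicast-cipher tkip
Enterprise AP(if-wireless g: VAP[1])#multicast-cipher rc4
Enterprise AP(if-wireless g)#
"""

def effective_multicast_ciphers(log, vaps):
    """Map each (radio, vap) to its effective multicast cipher.

    VAPs that never receive a valid multicast-cipher command keep the default;
    when a VAP is configured more than once, the last valid command wins.
    Values outside the documented set are ignored by this example.
    """
    state = {vap: DEFAULT_CIPHER for vap in vaps}
    for line in log.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue                             # other command modes, blank lines
        words = m["cmd"].split()
        if len(words) == 2 and words[0] == "multicast-cipher" and words[1] in STRENGTH:
            state[(m["radio"], int(m["vap"]))] = words[1]
    return state

def weak_vaps(state, minimum="aes-ccmp"):
    """Return sorted (radio, vap, cipher) entries whose group cipher is below `minimum`."""
    return sorted((r, v, c) for (r, v), c in state.items()
                  if STRENGTH[c] < STRENGTH[minimum])

if __name__ == "__main__":
    inventory = [("g", 0), ("g", 1), ("g", 2)]   # hypothetical list of enabled VAPs
    for radio, vap, cipher in weak_vaps(effective_multicast_ciphers(SAMPLE_LOG, inventory)):
        print(f"radio {radio} VAP[{vap}]: multicast cipher is {cipher}")
```

Passing the full list of enabled VAPs matters: a VAP that never appears in the log is still reported, because its multicast cipher silently stays at the default.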