Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-11350-01
Chapter 10 Configuring Cipher Suites and WEP
• TKIP (Temporal Key Integrity Protocol)—TKIP is a suite of algorithms surrounding WEP that is designed to achieve the best possible security on legacy hardware built to run WEP. TKIP adds four enhancements to WEP:
  - A per-packet key mixing function to defeat weak-key attacks
  - A new IV sequencing discipline to detect replay attacks
  - A cryptographic message integrity check (MIC), called Michael, to detect forgeries such as bit flipping and altering packet source and destination
  - An extension of IV space, to virtually eliminate the need for re-keying
• CKIP (Cisco Key Integrity Protocol)—Cisco's WEP key permutation technique based on an early algorithm presented by the IEEE 802.11i security task group.
• CMIC (Cisco Message Integrity Check)—Like TKIP's Michael, Cisco's message integrity check mechanism is designed to detect forgery attacks.
• Broadcast key rotation (also known as Group Key Update)—Broadcast key rotation allows the access point to generate the best possible random group key and update all key-management capable clients periodically. Wi-Fi Protected Access (WPA) also provides additional options for group key updates. See the “Using WPA Key Management” section on page 11-7 for details on WPA.

  Note: Client devices using static WEP cannot use the access point when you enable broadcast key rotation. When you enable broadcast key rotation, only wireless client devices using 802.1x authentication (such as LEAP, EAP-TLS, or PEAP) can use the access point.
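The Michael check listed among the TKIP enhancements above can be seen at work in the following added example, which is not code from the Cisco guide. It implements Michael as defined in IEEE 802.11i in Python, computes it over the destination address, source address, priority and payload, and shows that a flipped payload bit or an altered address fails verification. The key, addresses, payload and the names `frame_mic`, `verify` and `demo` are constructed for illustration.

```python
import hmac
import struct

MASK = 0xFFFFFFFF
def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def _block(l, r):  # Michael block function, all additions mod 2**32
    r ^= _rol(l, 17)
    l = (l + r) & MASK
    r ^= ((l & 0xFF00FF00) >> 8) | ((l & 0x00FF00FF) << 8)  # swap bytes in each 16-bit half
    l = (l + r) & MASK
    r ^= _rol(l, 3)
    l = (l + r) & MASK
    r ^= _rol(l, 30)  # rotate right by 2
    l = (l + r) & MASK
    return l, r

def michael(key, data):
    """Return the 8-byte Michael MIC of data under an 8-byte key."""
    l, r = struct.unpack("<2I", key)
    padded = data + b"\x5a" + b"\x00" * 4   # 0x5a marker, then 4 to 7 zero bytes
    padded += b"\x00" * (-len(padded) % 4)  # reaching a 32-bit word boundary
    for (word,) in struct.iter_unpack("<I", padded):
        l, r = _block(l ^ word, r)
    return struct.pack("<2I", l, r)

def frame_mic(key, da, sa, priority, payload):
    # TKIP feeds Michael the DA, SA, priority plus 3 zero bytes, then the payload.
    return michael(key, da + sa + bytes([priority, 0, 0, 0]) + payload)
def verify(key, da, sa, priority, payload, mic):
    return hmac.compare_digest(frame_mic(key, da, sa, priority, payload), mic)

# Constructed sample values (not from the guide); a real MIC key comes from key management.
KEY = bytes.fromhex("0011223344556677")
DA, SA = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
PAYLOAD = b"constructed payload"

def demo():
    mic = frame_mic(KEY, DA, SA, 0, PAYLOAD)
    flipped = bytes([PAYLOAD[0] ^ 0x01]) + PAYLOAD[1:]
    return {
        "unmodified": verify(KEY, DA, SA, 0, PAYLOAD, mic),
        "bit_flipped_payload": verify(KEY, DA, SA, 0, flipped, mic),
        "altered_source": verify(KEY, DA, bytes.fromhex("020000000003"), 0, PAYLOAD, mic),
        "altered_destination": verify(KEY, bytes.fromhex("020000000004"), SA, 0, PAYLOAD, mic),
    }

if __name__ == "__main__":
    print(demo())
```

Because the addresses are part of the MIC input, a receiver holding the key rejects a frame whose source or destination was rewritten even when the payload is untouched.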
Configuring Cipher Suites and WEP
These sections describe how to configure cipher suites, WEP and additional WEP features such as MIC, TKIP, and broadcast key rotation:
• Creating WEP Keys, page 10-3
• Enabling Cipher Suites and WEP, page 10-6
• Enabling and Disabling Broadcast Key Rotation, page 10-7

Note: WEP, TKIP, MIC, and broadcast key rotation are disabled by default.

Creating WEP Keys

Note: You need to configure static WEP keys only if your access point needs to support client devices that use static WEP. If all the client devices that associate to the access point use key management (WPA, CCKM, or 802.1x authentication), you do not need to configure static WEP keys.