Cisco Systems 0L-11350-01 Enabling Cipher Suites and WEP

10-6

Cisco IOS Software Configuration Guide for Cisco Aironet Access Points

OL-11350-01

Chapter10 Configuring Cipher Suites and WEP

Configuring Cipher Suites and WEP

Note If you enable MIC but you use static WEP (you do not enable any type of EAP authentication),

both the access point and any devices with which it communicates must use the same WEP key

for transmitting data. For example, if the MIC-enabled access point uses the key in slot 1 as the

transmit key, a client device associated to the access point must use the same key in its slot 1,

and the key in the client’s slot 1 must be selected as the transmit key.

Enabling Cipher Suites and WEP

Beginning in privileged EXEC mode, follow these steps to enable a cipher suite:

Command Purpose

Step1 configure terminal Enter global configuration mode.

Step2 interface dot11radio { 0 | 1 } Enter interface configuration mode for the radio interface. The

2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.

Step3 encryption

[vlan vlan-id]

mode ciphers

{[aes-ccm | ckip | cmic | ckip-cmic |

tkip]} {[wep128 | wep40]}

Enable a cipher suite containing the WEP protection you need.

Table 1 0-3 lists guidelines for selecting a cipher suite that

matches the type of authenticated key management you

configure.

•(Optional) Select the VLAN for which you want to enable

WEP and WEP features.

•Set the cipher options and WEP level. You can combine

TKIP with 128-bit or 40-bit WEP.

Note If you enable a cipher suite with two elements (such as

TKIP and 128-bit WEP), the second cipher becomes the

group cipher.

Note If you configure ckip, cmic, or ckip-cmic, you must

also enable Aironet extensions. The command to enable

Aironet extensions is dot11 extension aironet.

Note You can also use the encryption mode wep command

to set up static WEP. However, you should use

encryption mode wep only if no clients that associate

to the access point are capable of key management. See

the Cisco IOS Command Reference for Cisco Access

Points and Bridges for a detailed description of the

encryption mode wep command.

Note When you configure the cipher TKIP (not TKIP +

WEP 128 or TKIP + WEP 40) for an SSID, the SSID

must use WPA or CCKM key management. Client

authentication fails on an SSID that uses the cipher

TKIP without enabling WPA or CCKM key

management.

Step4 end Return to privileged EXEC mode.

Step5 copy running-config startup-config (Optional) Save your entries in the configuration file.