Cisco Systems 0L-11350-01 - page 224

10-8

Cisco IOS Software Configuration Guide for Cisco Aironet Access Points

OL-11350-01

Chapter10 Configuring Cipher Suites and WEP

Configuring Cipher Suites and WEP

Beginning in privileged EXEC mode, follow these steps to enable broadcast key rotation:

Use the no form of the encryption command to disable broadcast key rotation.

This example enables broadcast key rotation on VLAN 22 and sets the rotation interval to 300 seconds:

ap1200# configure terminal

ap1200(config)# interface dot11radio 0

ap1200(config-if)# broadcast-key vlan 22 change 300

ap1200(config-if)# end

Command Purpose

Step1 configure terminal Enter global configuration mode.

Step2 interface dot11radio { 0 | 1 } Enter interface configuration mode for the radio interface. The

2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.

Step3 broadcast-key

change seconds

[ vlan vlan-id ]

[ membership-termination ]

[ capability-change ]

Enable broadcast key rotation.

•Enter the number of seconds between each rotation of the

broadcast key.

•(Optional) Enter a VLAN for which you want to enable

broadcast key rotation.

•(Optional) If you enable WPA authenticated key

management, you can enable additional circumstances

under which the access point changes and distributes the

WPA group key.

–

Membership termination—the access point generates

and distributes a new group key when any

authenticated client device disassociates from the

access point. This feature protects the privacy of the

group key for associated clients. However, it might

generate some overhead if clients on your network

roam frequently.

–

Capability change—the access point generates and

distributes a dynamic group key when the last non-key

management (static WEP) client disassociates, and it

distributes the statically configured WEP key when

the first non-key management (static WEP) client

authenticates. In WPA migration mode, this feature

significantly improves the security of

key-management capable clients when there are no

static-WEP clients associated to the access point.

See Chapter 11, “Configuring Authentication Types,” for

detailed instructions on enabling authenticated key

management.

Step4 end Return to privileged EXEC mode.

Step5 copy running-config startup-config (Optional) Save your entries in the configuration file.

Contents

Main Page CONTENTS Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Preface Audience Purpose Organization Conventions xxii this manual. or loss of data. Related Publications Page Overview Features Features Introduced in This Release Japan Upgrade Utility Multiple VLAN and Rate Limiting Support for Point-to-Multipoint Bridging Client MFP Support Regulatory Changes for Taiwan Universal Workgroup Bridge Management Options Roaming Client Devices Network Configuration Examples Root Access Point Repeater Access Point Bridges Workgroup Bridge Central Unit in an All-Wireless Network Access point Using the Web-Browser Interface Page Using the Web-Browser Interface for the First Time Using the Management Pages in the Web-Browser Interface Using Action Buttons Character Restrictions in Entry Fields Enabling HTTPS for Secure Browsing Page Page Page Page Page Page Page Deleting an HTTPS Certificate Using Online Help Changing the Location of Help Files Disabling the Web-Browser Interface Page Using the Command-Line Interface Cisco IOS Command Modes Getting Help Abbreviating Commands Using no and default Forms of Commands Understanding CLI Messages Using Command History Changing the Command History Buffer Size Recalling Commands Disabling the Command History Feature Using Editing Features Enabling and Disabling Editing Features Editing Commands Through Keystrokes Editing Command Lines that Wrap Searching and Filtering Output of show and more Commands Accessing the CLI Opening the CLI with Telnet Opening the CLI with Secure Shell Page Configuring the Access Point for the First Time Before You Start Resetting the Device to Default Settings Resetting to Default Settings Using the MODE Button Resetting to Default Settings Using the GUI Resetting to Default Settings Using the CLI Obtaining and Assigning an IP Address Default IP Address Behavior Connecting to the 1100 Series Access Point Locally Connecting to the 1130 Series Access Point Locally Connecting to the 1200, 1230, and 1240 Series Access Points Locally Connecting to the 1300 Series Access Point/Bridge Locally Default Radio Settings Assigning Basic Settings Page Page Page Page Page Default Settings on the Express Setup Page Configuring Basic Security Settings Page Page Understanding Express Security Settings Using VLANs Express Security Types Page Express Security Limitations Using the Express Security Page 4-22 CLI Configuration Examples Example: No Security 4-23 Example: Static WEP 4-24 Example: EAP Authentication 4-25 Example: WPA 4-26 Configuring System Power Settings for 1130 and 1240 Series Access Points Using the AC Power Adapter Using a Switch Capable of IEEE 802.3af Power Negotiation Using a Switch That Does Not Support IEEE 802.3af Power Negotiation Using a Power Injector Using the IP Setup Utility Obtaining IPSU Using IPSU to Find the Access Points IP Address Assigning an IP Address Using the CLI Using a Telnet Session to Access the CLI Configuring the 802.1X Supplicant Creating a Credentials Profile Applying the Credentials to an Interface or SSID Applying the Credentials Profile to the Wired Port Applying the Credentials Profile to an SSID Used For the Uplink Creating and Applying EAP Method Profiles Page Administering the Access PointWireless Device Access Disabling the Mode Button Preventing Unauthorized Access to Your Access Point Protecting Access to Privileged EXEC Commands Default Password and Privilege Level Configuration Setting or Changing a Static Enable Password Page Protecting Enable and Enable Secret Passwords with Encryption Configuring Username and Password Pairs Configuring Multiple Privilege Levels Setting the Privilege Level for a Command Logging Into and Exiting a Privilege Level Controlling Access Point Access with RADIUS Default RADIUS Configuration Configuring RADIUS Login Authentication Page Defining AAA Server Groups Page Configuring RADIUS Authorization for User Privileged Access and Network Services Displaying the RADIUS Configuration Controlling Access Point Access with TACACS+ Default TACACS+ Configuration Configuring TACACS+ Login Authentication Page Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services Displaying the TACACS+ Configuration Configuring Ethernet Speed and Duplex Settings Configuring the Access Point for Wireless Network Management Configuring the Access Point for Local Authentication and Authorization Configuring the Authentication Cache and Profile 5-21 Configuring the Access Point to Provide DHCP Service Setting up the DHCP Server Page Monitoring and Maintaining the DHCP Server Access Point Show Commands Clear Commands Debug Command Configuring the Access Point for Secure Shell Understanding SSH Configuring SSH Configuring Client ARP Caching Understanding Client ARP Caching Optional ARP Caching Configuring ARP Caching Managing the System Time and Date Understanding Simple Network Time Protocol Configuring SNTP Configuring Time and Date Manually Setting the System Clock Displaying the Time and Date Configuration Configuring the Time Zone Configuring Summer Time (Daylight Saving Time) Page Defining HTTP Access Configuring a System Name and Prompt Default System Name and Prompt Configuration Configuring a System Name Understanding DNS Default DNS Configuration Setting Up DNS Displaying the DNS Configuration Creating a Banner Default Banner Configuration Configuring a Message-of-the-Day Login Banner Page Configuring a Login Banner Upgrading Autonomous Cisco Aironet Access Points to Lightweight Mode Migrating to Japan W52 Domain Page Verifying the Migration Configuring Multiple VLAN and Rate Limiting for Point-to-Multipoint Bridging CLI Command Configuring Radio Settings Enabling the Radio Interface Configuring the Role in Radio Network Page Page Universal Workgroup Bridge Mode Configuring Dual-Radio Fallback Radio Tracking Fast Ethernet Tracking MAC-Address Tracking Bridge Features Not Supported Configuring Radio Data Rates Page Page Configuring Radio Transmit Power Page Limiting the Power Level for Associated Client Devices Configuring Radio Channel Settings Page Page Page Dynamic Frequency Selection CLI Commands Confirming that DFS is Enabled Configuring a Channel Blocking Channels from DFS Selection Configuring Location-Based Services Understanding Location-Based Services Configuring LBS on Access Points Enabling and Disabling World Mode Disabling and Enabling Short Radio Preambles Configuring Transmit and Receive Antennas Enabling and Disabling Gratuitous Probe Response Disabling and Enabling Aironet Extensions Configuring the Ethernet Encapsulation Transformation Method Enabling and Disabling Reliable Multicast to Workgroup Bridges Enabling and Disabling Public Secure Packet Forwarding Configuring Protected Ports Configuring the Beacon Period and the DTIM Configure RTS Threshold and Retries Configuring the Maximum Data Retries Configuring the Fragmentation Threshold Enabling Short Slot Time for 802.11g Radios Performing a Carrier Busy Test Configuring VoIP Packet Handling Viewing VoWLAN Metrics Viewing Voice Reports Page Viewing Wireless Client Reports Viewing Voice Fault Summary Configuring Voice QoS Settings Configuring Voice Fault Settings Page Configuring Multiple SSIDs Understanding Multiple SSIDs Effect of Software Versions on SSIDs Page Configuring Multiple SSIDs Default SSID Configuration Creating an SSID Globally Page Viewing SSIDs Configured Globally Using Spaces in SSIDs Using a RADIUS Server to Restrict SSIDs Configuring Multiple Basic SSIDs Requirements for Configuring Multiple BSSIDs Guidelines for Using Multiple BSSIDs Configuring Multiple BSSIDs Page Displaying Configured BSSIDs Assigning IP Redirection for an SSID Guidelines for Using IP Redirection Configuring IP Redirection Including an SSID in an SSIDL IE NAC Support for MBSSID Page Configuring NAC for MBSSID 7-16 Configuring Spanning Tree Protocol Understanding Spanning Tree Protocol STP Overview 350 Series Bridge Interoperability Access Point/Bridge Protocol Data Units Election of the Spanning-Tree Root Spanning-Tree Timers Creating the Spanning-Tree Topology Spanning-Tree Interface States Page Blocking State Listening State Learning State Forwarding State Disabled State Configuring STP Features Default STP Configuration Configuring STP Settings 8-10 STP Configuration Examples Root Bridge Without VLANs 8-11 Non-Root Bridge Without VLANs Root Bridge with VLANs This example shows the configuration of a root bridge with VLANs configured with STP enabled: 8-12 8-13 Non-Root Bridge with VLANs This example shows the configuration of a non-root bridge with VLANs configured with STP enabled: Displaying Spanning-Tree Status Page Page Configuring an Access Point as a Local Authenticator Understanding Local Authentication Configuring a Local Authenticator Guidelines for Local Authenticators Configuration Overview Configuring the Local Authenticator Access Point Page Page Configuring Other Access Points to Use the Local Authenticator Configuring EAP-FAST Settings Configuring PAC Settings PAC Expiration Times Generating PACs Manually Configuring an Authority ID Configuring Server Keys Possible PAC Failures Caused by Access Point Clock Limiting the Local Authenticator to One Authentication Type Unblocking Locked Usernames Viewing Local Authenticator Statistics Page Using Debug Messages Page Configuring Cipher Suites and WEP Understanding Cipher Suites and WEP Configuring Cipher Suites and WEP Creating WEP Keys Page WEP Key Restrictions Example WEP Key Setup Enabling Cipher Suites and WEP Matching Cipher Suites with WPA and CCKM Enabling and Disabling Broadcast Key Rotation Page Configuring Authentication Types Understanding Authentication Types Open Authentication to the Access Point Shared Key Authentication to the Access Point EAP Authentication to the Network MAC Address Authentication to the Network Combining MAC-Based, EAP, and Open Authentication Using CCKM for Authenticated Clients Using WPA Key Management 11-8 Figure 11-6 shows the WPA key management process. Software and Firmware Requirements for WPA, CCKM, CKIP, and WPA-TKIP Page Configuring Authentication Types Assigning Authentication Types to an SSID Page Page Configuring WPA Migration Mode Configuring Additional WPA Settings Setting a Pre-Shared Key Configuring Group Key Updates Configuring MAC Authentication Caching Configuring Authentication Holdoffs, Timeouts, and Intervals Creating and Applying EAP Method Profiles for the 802.1X Supplicant Creating an EAP Method Profile Applying an EAP Profile to the Fast Ethernet Interface Applying an EAP Profile to an Uplink SSID Matching Access Point and Client Device Authentication Types Page Page Page Configuring WDS, Fast Secure Roaming, Radio Management, and Wireless Intrusion Detection Services Understanding WDS Role of the WDS Device Role of Access Points Using the WDS Device Understanding Fast Secure Roaming Page Understanding Radio Management Understanding Layer 3 Mobility Understanding Wireless Intrusion Detection Services Configuring WDS Guidelines for WDS Requirements for WDS Configuration Overview Configuring Access Points as Potential WDS Devices Page Page Page Page Configuring Access Points to use the WDS Device Configuring the Authentication Server to Support WDS Page Page Page Page Configuring WDS Only Mode Viewing WDS Information Using Debug Messages Configuring Fast Secure Roaming Requirements for Fast Secure Roaming Configuring Access Points to Support Fast Secure Roaming Page CLI Configuration Example Configuring Management Frame Protection Management Frame Protection Overview Protection of Unicast Management Frames Protection of Broadcast Management Frames Client MFP For Access Points in Root mode Configuring Client MFP Page Configuring Radio Management CLI Configuration Example Configuring Access Points to Participate in WIDS Configuring the Access Point for Scanner Mode Configuring the Access Point for Monitor Mode Displaying Monitor Mode Statistics Configuring Monitor Mode Limits Configuring an Authentication Failure Limit Configuring WLSM Failover Resilient Tunnel Recovery Active/Standby WLSM Failover Configuring RADIUS and TACACS+ Servers Configuring and Enabling RADIUS Understanding RADIUS RADIUS Operation Configuring RADIUS Default RADIUS Configuration Identifying the RADIUS Server Host Page Configuring RADIUS Login Authentication Page Defining AAA Server Groups Page Configuring RADIUS Authorization for User Privileged Access and Network Services Configuring Packet of Disconnect Starting RADIUS Accounting m Selecting the CSID Format Configuring Settings for All RADIUS Servers Configuring the Access Point to Use Vendor-Specific RADIUS Attributes Configuring the Access Point for Vendor-Proprietary RADIUS Server Communication Configuring WISPr RADIUS Attributes Displaying the RADIUS Configuration RADIUS Attributes Sent by the Access Point Page Page Configuring and Enabling TACACS+ Understanding TACACS+ TACACS+ Operation Configuring TACACS+ Default TACACS+ Configuration Identifying the TACACS+ Server Host and Setting the Authentication Key Configuring TACACS+ Login Authentication Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services Starting TACACS+ Accounting Displaying the TACACS+ Configuration Page Configuring VLANs Understanding VLANs Related Documents Incorporating Wireless Devices into VLANs Configuring VLANs Configuring a VLAN Page Assigning Names to VLANs Guidelines for Using VLAN Names Creating a VLAN Name Using a RADIUS Server to Assign Users to VLANs Using a RADIUS Server for Dynamic Mobility Group Assignment Viewing VLANs Configured on the Access Point VLAN Configuration Example Page 14-12 Table14-3 Results of Example Configuration Commands VLAN 1 Interfaces VLAN 2 Interfaces VLAN 3 Interfaces Page Page Configuring QoS Understanding QoS for Wireless LANs QoS for Wireless LANs Versus QoS on Wired LANs Impact of QoS on a Wireless LAN Precedence of QoS Settings Using Wi-Fi Multimedia Mode Configuring QoS Configuration Guidelines Configuring QoS Using the Web-Browser Interface Page Page Page The QoS Policies Advanced Page QoS Element for Wireless Phones IGMP Snooping AVVID Priority Mapping WiFi Multimedia (WMM) Adjusting Radio Access Categories Page Optimized Voice Settings Configuring Call Admission Control Configuring the Radio Enabling Admission Control Troubleshooting Admission Control QoS Configuration Examples Giving Priority to Voice Traffic Giving Priority to Video Traffic Page Page Configuring Filters Understanding Filters Configuring Filters Using the CLI Configuring Filters Using the Web-Browser Interface Configuring and Enabling MAC Address Filters Creating a MAC Address Filter Page Using MAC Address ACLs to Block or Allow Client Association to the Access Point Page ACL Logging Configuring and Enabling IP Filters Page Creating an IP Filter Configuring and Enabling Ethertype Filters Creating an Ethertype Filter Page Page Configuring CDP Understanding CDP Configuring CDP Default CDP Configuration Configuring the CDP Characteristics Disabling and Enabling CDP Disabling and Enabling CDP on an Interface Monitoring and Maintaining CDP Page 17-6 17-7 Page Configuring SNMP Understanding SNMP SNMP Versions SNMP Manager Functions SNMP Agent Functions SNMP Community Strings Using SNMP to Access MIB Variables Configuring SNMP Default SNMP Configuration Enabling the SNMP Agent Configuring Community Strings Specifying SNMP-Server Group Names Configuring SNMP-Server Hosts Configuring SNMP-Server Users Configuring Trap Managers and Enabling Traps Page Setting the Agent Contact and Location Information Using the snmp-server view Command SNMP Examples Page Displaying SNMP Status Configuring Repeater and Standby Access Points and Workgroup Bridge Mode Understanding Repeater Access Points Configuring a Repeater Access Point Default Configuration Guidelines for Repeaters Setting Up a Repeater Aligning Antennas Verifying Repeater Operation Setting Up a Repeater As a LEAP Client Setting Up a Repeater As a WPA Client Understanding Hot Standby Configuring a Hot Standby Access Point Page Page Verifying Standby Operation Understanding Workgroup Bridge Mode Treating Workgroup Bridges as Infrastructure Devices or as Client Devices Configuring a Workgroup Bridge for Roaming Configuring a Workgroup Bridge for Limited Channel Scanning Configuring the Limited Channel Set Ignoring the CCX Neighbor List Configuring a Client VLAN Configuring Workgroup Bridge Mode Page The Workgroup Bridge in a Lightweight Environment Guidelines for Using Workgroup Bridges in a Lightweight Environment Page Sample Workgroup Bridge Configuration Managing Firmware and Configurations Working with the Flash File System Displaying Available File Systems Setting the Default File System Displaying Information About Files on a File System Changing Directories and Displaying the Working Directory Creating and Removing Directories Copying Files Deleting Files Creating, Displaying, and Extracting tar Files Creating a tar File Displaying the Contents of a tar File Extracting a tar File Displaying the Contents of a File Working with Configuration Files Guidelines for Creating and Using Configuration Files Configuration File Types and Location Creating a Configuration File by Using a Text Editor Copying Configuration Files by Using TFTP Preparing to Download or Upload a Configuration File by Using TFTP Downloading the Configuration File by Using TFTP Uploading the Configuration File by Using TFTP Copying Configuration Files by Using FTP Preparing to Download or Upload a Configuration File by Using FTP Downloading a Configuration File by Using FTP Uploading a Configuration File by Using FTP Copying Configuration Files by Using RCP Preparing to Download or Upload a Configuration File by Using RCP Downloading a Configuration File by Using RCP Uploading a Configuration File by Using RCP Clearing Configuration Information Deleting a Stored Configuration File Working with Software Images Image Location on the Access Point tar File Format of Images on a Server or Cisco.com Copying Image Files by Using TFTP Preparing to Download or Upload an Image File by Using TFTP Downloading an Image File by Using TFTP Uploading an Image File by Using TFTP Copying Image Files by Using FTP Preparing to Download or Upload an Image File by Using FTP Downloading an Image File by Using FTP Page Uploading an Image File by Using FTP Copying Image Files by Using RCP Preparing to Download or Upload an Image File by Using RCP Page Downloading an Image File by Using RCP Page Uploading an Image File by Using RCP Reloading the Image Using the Web Browser Interface Browser HTTP Interface Browser TFTP Interface Page Configuring System Message Logging Understanding System Message Logging Configuring System Message Logging System Log Message Format Default System Message Logging Configuration Disabling and Enabling Message Logging Setting the Message Display Destination Device Enabling and Disabling Timestamps on Log Messages Enabling and Disabling Sequence Numbers in Log Messages Defining the Message Severity Level Limiting Syslog Messages Sent to the History Table and to SNMP Setting a Logging Rate Limit Configuring UNIX Syslog Servers Logging Messages to a UNIX Syslog Daemon Configuring the UNIX System Logging Facility Page Displaying the Logging Configuration Wireless Device Troubleshooting Checking the Top Panel Indicators 22-3 Page Page Indicators on 1130 Series Access Points Page Page Indicators on 1240 Series Access Points Indicators on 1300 Outdoor Access Point/Bridges Normal Mode LED Indications Page Power Injector Checking Power Low Power Condition Checking Basic Settings SSID WEP Keys Security Settings Resetting to the Default Configuration Using the MODE Button Using the Web Browser Interface Using the CLI Reloading the Access Point Image Using the MODE button Using the Web Browser Interface Browser HTTP Interface Browser TFTP Interface Using the CLI Page Obtaining the Access Point Image File Obtaining TFTP Server Software Page A Protocol Filters Page Page Page Page Page B Supported MIBs MIB List Using FTP to Access the MIB Files C Error and Event Messages Conventions Software Auto Upgrade Messages Association Management Messages Unzip Messages 802.11 Subsystem Messages Page Page Page Page Page Page Page Page Page Page Page Page Page Inter-Access Point Protocol Messages Local Authenticator Messages Page WDS Messages Mini IOS Messages Access Point/Bridge Messages Cisco Discovery Protocol Messages External Radius Server Error Messages Page GLOSSARY A B C D E F G I M O P Q S T U W INDEX Numerics A B C Page D E F G H I J K L M N O P Q R S Page T U V W