Manuals / Cisco Systems / Computer Equipment / Network Router

Cisco Systems DL-2159-05 Enabling Additional WEP Security Features, Using Snmp to Set Up WEP

Models: DL-2159-05

1 332

Download 332 pages 33.19 Kb

Page 172

Chapter 8 Security Setup

Enabling Additional WEP Security Features

Using SNMP to Set Up WEP

You can use SNMP to set the WEP level on the access point. Consult the “Using SNMP” section on page 2-7for details on using SNMP.

Access points use the following SNMP variables to set the WEP level:

•dot11ExcludeUnencrypted.2

•awcDot11AllowEncrypted.2

Table 8-2lists the SNMP variable settings and the corresponding WEP levels

.

Table 8-2 SNMP Variable Settings and Corresponding WEP Levels

SNMP Variable	WEP Full	WEP Off	WEP Optional

dot11ExcludeUnencrypted.2	true	false	false

awcDot11AllowEncrypted.2	true	false	true

Note Access points do not use the SNMP variable dot11PrivacyInvoked, so it is always set to disabled.

Enabling Additional WEP Security Features

You can enable three advanced security features to protect against sophisticated attacks on your wireless network’s WEP keys. This section describes how to set up and enable these features:

•Enabling Message Integrity Check (MIC)

•Enabling Temporal Key Integrity Protocol (TKIP)

•Enabling Broadcast WEP Key Rotation

Enabling Message Integrity Check (MIC)

Note

Note

MIC prevents attacks on encrypted packets called bit-flipattacks. During a bit-flip attack, an intruder intercepts an encrypted message, alters it slightly, and retransmits it, and the receiver accepts the retransmitted message as legitimate. The MIC, implemented on both the access point and all associated client devices, adds a few bytes to each packet to make the packets tamper-proof.

You must set up and enable WEP with full encryption before MIC takes effect.

To use MIC, the Use Aironet Extensions setting on the radio’s AP Radio Advanced page must be set to yes (the default setting).

Note Enabling MIC on the internal radio module might reduce throughput for that radio by as much as 30%.

Cisco Aironet 1200 Series Access Point Software Configuration Guide

8-10	OL-2159-05

Image 172

Cisco Systems DL-2159-05 manual Enabling Additional WEP Security Features, Using Snmp to Set Up WEP

Contents

Corporate Headquarters Text Part Number OL-2159-05Copyright 2001-2003, Cisco Systems, Inc All rights reserved N T E N T S IiiNavigating Using the Map Windows Native Vlan ID WEP Not Set on the Wireless Phone Settings on the Authenticator Configuration ViiEvent Notifications Setup ViiiSetting Up Administrator Authorization Snmp Setup Ssid Xii Organization Audience and ScopeXiii Tip Means the following are useful tips ConventionsXiv Obtaining Documentation Related PublicationsCisco.com Documentation CD-ROM Ordering DocumentationDocumentation Feedback XviObtaining Technical Assistance Cisco TAC Website Opening a TAC CaseTAC Case Priority Definitions XviiObtaining Additional Publications and Information XviiiOverview A P T E RKey Features Management Options Quality of Service SupportRoaming Client Devices What is QoS? Limitations and RestrictionsRelated Documents These documents are available on Cisco.comWhat is a VLAN? Vlan SupportIncorporating Wireless Devices into VLANs Level of Access Vlan ExampleNetwork Configuration Examples Root Unit on a Wired LANRepeater Unit that Extends Wireless Range Access Points as Root Units on a Wired LANCentral Unit in an All-Wireless Network Access Point as RepeaterUsing the Management Interfaces Using the Web-Browser Interface Using the Web-Browser Interface for the First TimeUsing the Management Pages in the Web-Browser Interface Button/Link DescriptionNavigating Using the Map Windows Map Window with Network Ports Pages ExpandedUsing the Command-Line Interface Preparing to Use a Terminal EmulatorConnecting the Serial Cable Changing Settings with the CLISetting Up the Terminal Emulator Selecting Pages and Settings Function DescriptionUsing a Telnet Session Using SnmpApplying Changes to the Configuration Supported MIBs Radio Configuration and Basic Settings Basic Settings Express SetupEntering Basic Settings Express Setup page contains the following settingsSystem Name MAC AddressConfiguration Server Protocol Default IP AddressDefault IP Subnet Mask Default GatewayRoot-Unit Access Points Security Setup Link Radio Network Optimization Optimize Radio Network ForSnmp Admin. Community Radio ConfigurationRadio Network Compatibility Ensure Compatibility With Settings on the AP Radio Identification Entering Identity InformationPrimary Port Settings Default IP AddressDefault IP Subnet Mask Service Set ID SsidLeap Password Entering Radio Hardware InformationAP Radio Hardware page contains the following settings Settings on the AP Radio HardwareAllow Broadcast Ssid to Associate? Enable World Mode Data RatesTransmit Power Frag. ThresholdRTS Threshold Max. RTS RetriesSearch for Less-Congested Radio Channel Default Radio ChannelRestrict Searched Channels Entering Advanced Configuration Information Receive Antenna and Transmit AntennaAP Radio Advanced Page for Internal Radio Settings on the AP Radio Advanced AP Radio Advanced pages contain the following settingsRequested Status Packet ForwardingDefault Multicast Address Filters Maximum Multicast Packets/SecondRadio Cell Role Ssid For Use By Infrastructure StationsUse Aironet Extensions Classify Workgroup Bridges as Network InfrastructureQuality of Service Setup Link Vlan Setup LinkRequire Use of Radio Firmware Ethernet Encapsulation TransformAdvanced Primary Ssid Setup Link Preferred Access PointsTemporal Key Integrity Protocol Broadcast WEP Key rotation interval secRadio Modulation Radio PreambleEthernet Configuration Non-Root MobilitySettings on the Ethernet Identification Entering Ethernet Hardware InformationEthernet Hardware page contains the following settings Settings on the Ethernet HardwareSpeed Loss of Backbone Connectivity Action Loss of Backbone Connectivity # of SecsLoss of Backbone Connectivity Ssid Settings on the Ethernet Advanced Ethernet Advanced page contains the following settingsDefault Unicast and Multicast Address Filters Always Unblock Ethernet When STP is Disabled Default Unicast Address FilterOptimize Ethernet for OL-2159-05 Configuring VLANs Vlan setup page contains the following settings Settings on the Vlan SetupEntering Vlan Information 802.1Q Encapsulation Mode Maximum Number of Enabled Vlan IDsVlan Summary Status Link Vlan 802.1Q TaggingVlan Security Policy Single Vlan ID which allows Unencrypted packetsOptionally allow Encrypted packets on the unencrypted Vlan Vlan NameNative Vlan Configuration Broadcast Domain SegmentationParameter TKIP/MICPrimary and Secondary SSIDs Deployment of Infrastructure and Non infrastructure DevicesRADIUS-Based Vlan Access Control Vlan IDCriteria for Deploying Wireless VLANs VlanWireless Vlan Deployment Example 5shows the wireless Vlan deployment scenario described above Using the Configuration Screens Obtaining and Recording Vlan ID and Setup InformationCreating and Configuring VLANs on the Access Point Creating the Native VlanVlan Setup Vlan ID #1 Setup Creating the Full- and Part-Time VLANs Creating the Maintenance Vlan Creating the Guest VlanCreating and Configuring the SSIDs AP Radio Internal Service Sets Configuring VLANs Wireless Vlan Deployment Example Enabling Vlan 802.1Q Tagging and Identifying the Native Vlan 11 AP Radio Service Sets Guidelines for Wireless Vlan Deployment Creating an Ssid for Infrastructure DevicesOL-2159-05 Configuring Filters and QoS Filter Setup Protocol FilteringCreating a Protocol Filter Enter a descriptive filter set name in the Set Name fieldFilter Set Enabling a Protocol Filter MAC Address Filtering Address FiltersCreating a MAC Address Filter AP Radio Advanced AP Radio Primary Ssid QoS Configuration Use Symbol Extensions Settings on the Quality of Service SetupGenerate Qbss Element Applying QoS By StationSend Igmp General Query Traffic Category10 Protocol Filters Setup By Vlan 12 Vlan ID13 Filters Priority Setting By FilterBy CoS Value By Dscp ValueWireless QoS Deployment Example 17 Vlan Setup18 Vlan ID #xx WEP Set on the Wireless Phone WEP Not Set on the Wireless Phone20 AP Radio Internal Service Sets 21 AP Radio Internal Service Sets OL-2159-05 Configuring Proxy Mobile IP Proxy Mobile IP Introduction to Mobility in IPMobile Approach Nomadic ApproachMobile IP Explained Mobile IP Environment Proxy Mobile IP Explained Mobile IP Traffic PatternBefore Deploying Proxy Mobile IP Issues to Consider While Deploying Proxy Mobile IP Components of a Proxy Mobile IP NetworkHow Proxy Mobile IP Works Agent DiscoverySubnet Map Exchange Home Agent Subnet MaskRegistration TunnelingProxy Mobile IP Setup Proxy Mobile IP SecurityProxy Mobile IP Setup GeneralAuthentication Server Settings on the Proxy Mobile IP GeneralEnable Proxy Mobile IP Authoritative AP nSettings on the Authenticator Configuration Settings on the Local SA Bindings Local SA BindingsSettings on the Proxy Mobile IP Statistics StatisticsAuthentication Failures for HA Authentication Failures for FAActive AAP MN IP AddressesSettings on the Subnet Map Table Configuring Proxy Mobile IPView Subnet Map Table Configuring Proxy Mobile IP on Your Wired LAN 11 a Sample Network 13 AP Radio Internal Service Sets 15 Proxy Mobile IP General 17 Subnet Map Table 18 Authenticator Configuration 20 Network Configuration Screen for an Access Point Client 22 Passed Authentication Screen Configuring Other Settings Server Setup Entering Time Server SettingsSettings on the Time Server Setup Settings on the Boot Server Setup Entering Boot Server SettingsBoot Server Setup page contains the following settings Configuration Server Protocol Use Previous Configuration Server SettingsBootp Server Timeout sec Dhcp Multiple-Offer Timeout secDhcp Requested Lease Duration min Dhcp Minimum Lease Duration minDhcp Client Identifier Type Option DefinitionSettings on the Web Server Setup Web Server Setup page contains the following settingsDhcp Client Identifier Value Dhcp Class IdentifierDefault Help Root URL Default Web Root URLAllow Non-Console Browsing Http PortEntering Name Server Settings Settings on the Name Server SetupDefault Domain Domain Name SystemEntering FTP Settings Settings on the FTP SetupFTP Setup page contains the following settings Domain Name ServersRouting Setup New Network Route Settings Entering Routing SettingsRouting Setup page contains the following settings Installed Network Routes list Association Table Display SetupAssociation Table Filters Configuring Other Settings Association Table Display Setup Stations to Show Settings on the Association Table FiltersFields to Show Association Table Advanced Packets To/From StationBytes To/From Station Primary SortSettings on the Association Table Advanced Association Table AdvancedRogue AP Alert Timeout minutes Handle Station Alerts as Severity LevelMaximum number of bytes stored per Station Alert packet Maximum Number of Forwarding Table EntriesEvent Notification Setup Event Display SetupSettings on the Event Display Setup Default Activity Timeout seconds Per Device ClassHow should time generally be displayed? How should Event Elapsed non-wall-clock Time be displayed?Severity Level at which to display events Severity Level DescriptionEvent Handling Setup 10 The Event Handling Setup Settings on the Event Handling Setup Disposition of EventsHandle Station Events as Severity Level Maximum number of bytes stored per Alert packetClear Alert Statistics Event Notifications SetupPurge Trace Buffer Settings on the Event Notifications Setup Should Notify-Disposition Events generate Snmp Traps?Snmp Trap Destination Snmp Trap CommunityShould Syslog Messages use the Cisco Emblem Format? Syslog Destination AddressSyslog Facility Number Ieee Snmp Traps Should Generate the Following NotificationsSecurity Setup Security Overview Encrypting Radio Signals with WEPLevels of Security Additional WEP Security Features Network Authentication TypesSequence for EAP Authentication Wired LAN Client Combining MAC-Based, EAP, and Open Authentication Sequence for Open AuthenticationSetting Up WEP Protecting the Access Point Configuration with User ManagerKey Access Point Associated Device Transmit? Key ContentsNot set Enabling Additional WEP Security Features Using Snmp to Set Up WEPEnabling Message Integrity Check MIC Snmp Variable WEP Full WEP OffAP Radio Advanced Page for Internal Radio Enabling Temporal Key Integrity Protocol Tkip Enabling Broadcast WEP Key Rotation Setting Up Open or Shared Key Authentication Setting Up EAP Authentication Enabling EAP on the Access PointFirmware Version Draft 802.1x-2001 Access Point EAP Settings for Various Client Configurations Click Add New Access Server Enabling EAP in Cisco Secure ACSSetting Up a Repeater Access Point As a Leap Client Setting a Session-Based WEP Key TimeoutAP Radio Identification Page for Internal Radio Setting Up MAC-Based Authentication Enabling MAC-Based Authentication on the Access Point11 Authenticator Configuration Security Setup Setting Up MAC-Based Authentication 12 AP Radio Advanced Authenticating Client Devices Using MAC Addresses or EAP Enabling MAC-Based Authentication in Cisco Secure ACS Authentication Types Required Settings Summary of Settings for Authentication TypesLeap EAP-TLS, EAP-MD5 Radius Attributes Sent by the Access Point Attribute ID DescriptionAcct-Delay-Time Acct-Session-IdAcct-Authentic VSA attribute Nas-location Vlan-id Auth-algo-typeSetting Up Backup Authentication Servers Acct-Terminate-CauseSetting Up Administrator Authorization 14 Security Setup Creating a List of Authorized Management System Users16 User Management Window Setting up Centralized Administrator Authentication Click User Information. The User Information page appearsClick Add New User. The User Management window appears Click Apply. You are returned to the User Information18 Authenticator Configuration System Flow Notes Authorization Parameters Network Management Setting the Display Options Using the Association TableBrowsing to Network Devices Using Station Pages StationInformation on Station Pages Station Identification and StatusTo Station Information Rate, Signal, and Status InformationFrom Station Information Hops and Timing Information Performing Pings and Link TestsPerforming a Ping Performing a Link Test Click Link TestDeauthenticating and Disassociating Client Devices Using the Network Map WindowClearing and Updating Statistics Using Cisco Discovery Protocol Settings on the CDP Setup MIB for CDPAssigning Network Ports Port AssignmentsEnabling Wireless Network Accounting Settings on the Port AssignmentsSettings on the Accounting Setup Accounting SetupAccounting Attributes Attribute DefinitionRadiusipadr OL-2159-05 Managing Firmware and Configurations 10-1Full Update of the Firmware Components Updating FirmwareUpdating with the Browser from a Local Drive 10-2Selective Update of the Firmware Components 10-3Updating from a File Server 10-4Update All Firmware From File Server 10-5Update Firmware From File Server 10-6Retrieving Firmware and Web Page Files 10-7Distributing Firmware 10-8Distributing a Configuration 10-9Limiting Distributions 10-10Downloading the Current Configuration 10-11Uploading a Configuration Uploading from a Local DriveUploading from a File Server 10-12Resetting the Configuration 10-13Restarting the Access Point 10-14Management System Setup 11-1Settings on the Snmp Setup Snmp Setup11-2 Settings on the Database Query Using the Database Query11-3 Changing Settings with the Database Query Console and Telnet Setup11-4 Using Secure Shell Settings on the Console/Telnet11-5 11-6 Special Configurations 12-1Setting Up a Repeater Access Point 12-212-3 12-4 Using Hot Standby Mode 12-512-6 12-7 12-8 Sections in this chapter include 13-1Using Diagnostic Pages Network DiagnosticsSelections on the Network Diagnostics 13-2Radio Diagnostics Tests 13-3SSIDs Int, Mod Vlan Summary Status13-4 Network Ports 13-5Data Received Identifying Information and Status13-6 Ethernet Port Data Transmitted13-7 Receive Statistics Configuration Information13-8 Transmit Statistics AP Radio13-9 13-10 AP Radio Port13-11 Display Options 13-12Event Log Display Settings13-13 Log Headings Saving the LogEvent Log Summary 13-14Command Information Displayed Using Command-Line Diagnostics13-15 Entering Diagnostic Commands 13-16Eapdiag1on Diagnostic Command Results13-17 Vxdiagarpshow Eapdiag2on13-18 13-19 Vxdiagcheckstack 13-20Vxdiaghostshow 13-21Vxdiagi 13-22Vxdiagipstatshow 13-23Vxdiagmemshow 13-24Vxdiagmuxshow 13-25Vxdiagrouteshow 13-26Vxdiagtcpstatshow 13-27Reserving Access Point Memory for a Packet Trace Log File Tracing PacketsVxdiagudpstatshow 13-28Tracing Packets for Specific Devices 13-29Tracing Packets for Ethernet and Radio Ports Viewing Packet Trace DataPackets Stored in a Log File 13-30Packets Displayed on the CLI Checking the Top Panel Indicators13-31 Message Ethernet Status Radio Meaning Type Indicator 13-32Finding an Access Point by Blinking the Top Panel Indicators 13-33Checking Basic Settings EAP Authentication Requires Matching 802.1x Protocol DraftsWEP Keys 13-34Firmware Version Draft 13-35Resetting to the Default Configuration 13-3613-37 13-38 Channels, Power Levels, and Antenna Gains Ieee 802.11a ChannelsRegulatory Domains Maximum Power Levels and Antenna Gains Ieee 802.11bMaximum Power Level mW Regulatory Domain Antenna Gain dBi Maximum Power Level mWRegulatory Domain With 6-dBi Antenna Gain Americas -A 100 Eirp maximum 13.5 Emea -E MW Eirp maximumRegulatory Domain Antenna Gain dBi Maximum Power Level mW OL-2159-05 Protocol Filter Lists Protocol ISO DesignatorUDP XNS-IDP ISO-TP4 ISO-CNLP Cnlp VinesSVP SmtpTftp HttpTsap POP2Cmot BGPIRC RIPCVS RadiusRFE Event Log Messages Default Format Message FormatsCisco Emblem Format With a timestamp, messages look like this exampleLoginfo Syslog Severity Emblem SeverityLogemerg LogalertMessage Descriptions Possible Cause orSeverity Event Description Mnemonic Recommended Action ReasonDevice HostSrchost NewaddrIfDescr Desthost length pktLen Srchost to port ifDescrReqlen bytes Packet from srchost to desthost IfDescr error= errornumDesthost on port ifDescr IfDescr error=erronum For procedure on port ifDescrSrchost to desthost on port From srchost to desthost on portSrchost on port ifDescr Srchost to desthost of unknown VersionDesthost Sysreboot RebootinfAdmin PrtrarpipPort device Status IfDescr errno=errno PktLenENC WEP UnencXidexp EtherconMedia port Frame bytes FrameUsername Failed UsernamePort devName unit Unit1XVER HstndbyenAssoclost HstndbyethInstkey AcctconAmngrreq NulsesNorbuf NosbufNoaserv OpenVlanID IfIndex MIB IfIndex AwcmibNomibdkey BadsizeTaskfailed TaskstartedSsidIdx Statuses and Reasons Appendix C Event Log Messages Statuses and Reasons OL-2159-05 Numerics IN-1CDP MIB DhcpCLI DtimIN-3 Radio traffic Ethernet Locate unit by flashing LEDsIN-4 Pspf IN-5Vlan SSHIN-6 Warm restart IN-7IN-8