Chapter 8 Security Setup

Enabling Additional WEP Security Features

Step 2 Follow this link path to browse to the AP Radio Advanced page:

a. On the Summary Status page, click Setup.

b. On the Setup page, click Advanced in the AP Radio row under Network Ports for the internal radio or the radio module.

Step 3 Select Cisco from the Temporal Key Integrity Protocol pull-down menu.

Step 4 Make sure yes is selected for the Use Aironet Extensions setting. Key hashing does not work if Use Aironet Extensions is set to no.

Step 5 Click OK. TKIP is enabled.

Enabling Broadcast WEP Key Rotation

EAP authentication provides dynamic unicast WEP keys for client devices but uses static multicast keys. With broadcast, or multicast, WEP key rotation enabled, the access point provides a dynamic broadcast WEP key and changes it at the interval you select. Broadcast key rotation is an excellent alternative to TKIP if your wireless LAN supports wireless client devices that are not Cisco devices or that cannot be upgraded to the latest firmware for Cisco client devices.

Note When you enable broadcast key rotation, only wireless client devices using LEAP, EAP-TLS, or PEAP authentication can use the access point. Client devices using static WEP (with open, shared key, or EAP-MD5 authentication) cannot use the access point when you enable broadcast key rotation.

Tip Broadcast key rotation and TKIP (WEP key hashing) provide similar protection. If you enable TKIP, you might not need to enable key rotation.

When broadcast key rotation is enabled, it is possible to configure the WEP keys in a way that causes the unicast key to be overwritten when the keys are rotated. If no keys are set when broadcast key rotation is enabled, key 0 becomes the transmit key by default. This means that key 0 and key 1 are rotated as the broadcast keys and key 3 is used as the unicast key. This configuration poses no problem.

A key can also be explicitly set as the transmit key, in which case the transmit key and the key at transmit key index + 1 are rotated as the broadcast keys. Setting key 0 or 1 works satisfactorily. But if you set key 2 or 3 as the transmit key, the unicast key, which is generated following LEAP authentication and set as key 3, is overwritten as the broadcast keys are rotated.

Therefore, you should specify only key 0 or 1 as the transmit key.

Note If you enable Broadcast Key Rotation on one of the radios in a dual-radio access point, Broadcast Key Rotation is automatically enabled on the other radio.

Tip You might not need to enable broadcast key rotation if you enable TKIP. You can use both key rotation and key hashing, but these features provide similar protection.
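The rules in this section can be checked before a change is applied. The following is an added example, not part of the Cisco guide: the settings dictionary and its key names are hypothetical (the access point is configured through its web pages), and the wrap from key 3 to key 0 is an assumption the guide does not state.

```python
# Added example: lint for the settings described in this section.
# The dict layout and key names are hypothetical, not a Cisco export format.

UNICAST_SLOT = 3                                  # guide: unicast key is set as key 3
ROTATION_CAPABLE = {"LEAP", "EAP-TLS", "PEAP"}    # guide: only these work with rotation


def rotated_slots(transmit_key):
    """Slots rewritten by rotation: the transmit key and transmit key index + 1.

    Assumption: index 3 + 1 wraps around to slot 0.
    """
    return {transmit_key, (transmit_key + 1) % 4}


def lint(radio):
    """Return a list of findings for one radio's settings."""
    findings = []
    if radio.get("tkip") == "Cisco" and radio.get("aironet_extensions") != "yes":
        findings.append("TKIP: key hashing does not work with Use Aironet Extensions set to no")
    if radio.get("broadcast_key_rotation"):
        tx = radio.get("transmit_key", 0)   # guide: key 0 is the default transmit key
        if UNICAST_SLOT in rotated_slots(tx):
            findings.append(f"rotation: transmit key {tx} overwrites unicast key {UNICAST_SLOT}")
        locked_out = sorted(set(radio.get("client_auth", [])) - ROTATION_CAPABLE)
        if locked_out:
            findings.append("rotation: clients that cannot use the AP: " + ", ".join(locked_out))
    return findings


# Constructed sample settings
RISKY = {"tkip": "Cisco", "aironet_extensions": "no", "broadcast_key_rotation": True,
         "transmit_key": 2, "client_auth": ["LEAP", "static-WEP"]}
SAFE = {"tkip": "Cisco", "aironet_extensions": "yes", "broadcast_key_rotation": True,
        "transmit_key": 1, "client_auth": ["LEAP", "PEAP"]}

if __name__ == "__main__":
    for name, cfg in (("risky", RISKY), ("safe", SAFE)):
        print(name, lint(cfg) or "no findings")
```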

Cisco Aironet 1200 Series Access Point Software Configuration Guide

 

OL-2159-05
