10-6
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-30644-01
Chapter 10 Configuring WLAN Authentication and Encryption
Understanding Encryption Modes
As encryption is defined at the interface (VLAN or radio) level of the access point, and can be common
to several SSIDs, encryption is usually configured before the SSID and its authentication mechanism.
Just as anyone within range of a radio station can tune to the station's frequency and listen to the signal,
any wireless networking device within range of an access point can receive the access point's radio
transmissions. Because encrypted communication is the first line of defense against attackers, Cisco
recommends that you use full encryption on your wireless network.
The original encryption mechanism described by the 802.11 standard is WEP (Wired Equivalent
Privacy). WEP encryption scrambles the communication between the access point and client devices to
keep the communication private. The 802.11 standard describes what Cisco and some other vendors
call static WEP. In this mode, WEP keys are defined statically on the client and the AP. Both the
access point and client devices use the same WEP key to encrypt and decrypt radio signals. WEP keys
encrypt both unicast and multicast messages. Unicast messages are addressed to just one device on the
network. Multicast messages are addressed to multiple devices on the network.
WEP is a legacy protocol deprecated by the 802.11 standard. Cisco recommends using a stronger
protocol, such as AES/CCMP, whenever possible.
When your SSID authentication mechanism uses Extensible Authentication Protocol (EAP) with 802.1x
authentication (and without WPA v1 or WPA v2 support), dynamic WEP keys can be generated for each
wireless user. Dynamic WEP keys are more secure than static, or unchanging, WEP keys. If an intruder
passively receives enough packets encrypted by the same WEP key, the intruder can perform a
calculation to learn the key and use it to join your network. Because they change frequently, dynamic
WEP keys prevent intruders from performing the calculation and learning the key. See Chapter 11,
“Configuring Authentication Types,” for detailed information on EAP and other authentication types.
Cipher suites are sets of encryption and integrity algorithms designed to protect radio communication
on your wireless LAN. You must use a cipher suite when using WPA, WPA2, or CCKM. When using
WEP encryption, you have the choice to set WEP using the WEP encryption command or the cipher
command. When using the WEP encryption command, you can use a static WEP key for authentication
and/or encryption. However, you cannot use per-user secure authentication (using 802.1x) in this mode.
Because cipher suites can provide WEP encryption while also allowing use of individual user
authentication and key management, Cisco recommends that you enable WEP by using the encryption
mode cipher command in the CLI or by using the cipher drop-down list in the web-browser interface,
instead of the WEP encryption command. However, WEP is a protocol deprecated by the IEEE, and
Cisco recommends using WEP only when client drivers do not support any stronger security mechanism.
The recommended security is AES-CCMP.
These security features protect the data traffic on your wireless LAN:
• AES-CCMP—Based on the Advanced Encryption Standard (AES) defined in the National Institute
of Standards and Technology’s FIPS Publication 197, AES-CCMP is a symmetric block cipher that
can encrypt and decrypt data using keys of 128, 192, and 256 bits. AES-CCMP is superior to WEP
encryption and is defined in the IEEE 802.11i standard.
Note: The 802.11n amendment relies on implementation of either no encryption or AES-CCMP encryption.
Therefore, 802.11n radios require that either no encryption or AES-CCMP be configured to provide
802.11n rates support.
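The following is an added example, not part of this guide and not Cisco code. It shows how the three modes discussed above (a static WEP key set with the WEP encryption command, dynamic WEP enabled through the cipher command together with EAP, and AES-CCMP) appear as lines in an Aironet IOS running-config, and audits a config for them: it classifies each VLAN's encryption mode, reports whether that mode meets the 802.11n note (no encryption or AES-CCMP only), and lists the recommendations this section makes. The sample config is constructed (the 26-hex-digit WEP key is made up), and the command forms (`encryption vlan N mode ciphers aes-ccm`, `encryption vlan N key ...`, `authentication key-management wpa version 2`) follow Aironet IOS syntax as the author of this example understands it; check them against the command reference for your release. Treating a mixed cipher list such as `tkip aes-ccm` as not qualifying for 802.11n rates is an assumption.

```python
"""Audit an Aironet IOS running-config for the encryption modes of this chapter."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample config (not from the guide); the WEP key value is made up.
SAMPLE_CONFIG = """\
dot11 ssid legacy-wep
   vlan 20
   authentication open
!
dot11 ssid guest-dynwep
   vlan 30
   authentication open eap eap_methods
   authentication network-eap eap_methods
!
dot11 ssid corp-wpa2
   vlan 10
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa version 2
!
interface Dot11Radio0
 encryption vlan 20 key 1 size 128bit 0 0123456789ABCDEF0123456789 transmit-key
 encryption vlan 20 mode wep mandatory
 encryption vlan 30 mode ciphers wep128
 encryption vlan 10 mode ciphers aes-ccm
 ssid legacy-wep
 ssid guest-dynwep
 ssid corp-wpa2
"""

ENC_RE = re.compile(r"^\s*encryption(?:\s+vlan\s+(\d+))?\s+(.*)$")
SSID_RE = re.compile(r"^dot11 ssid (\S+)")


@dataclass
class VlanEncryption:
    vlan: Optional[int]                                # None = radio level (no "vlan" keyword)
    ciphers: List[str] = field(default_factory=list)   # from "encryption ... mode ciphers ..."
    wep_mode: Optional[str] = None                     # "mandatory"/"optional" from "mode wep ..."
    static_key: bool = False                           # an "encryption ... key N ..." line exists
    ssids: List[str] = field(default_factory=list)
    eap: bool = False                                  # an SSID on this VLAN authenticates with EAP
    wpa: bool = False                                  # an SSID on this VLAN uses WPA key management

    @property
    def mode(self) -> str:
        """Map the configured lines to the encryption modes this chapter describes."""
        if self.ciphers == ["aes-ccm"]:
            return "AES-CCMP"
        if "aes-ccm" in self.ciphers or "tkip" in self.ciphers:
            return "mixed/TKIP (" + "+".join(self.ciphers) + ")"
        if self.wep_mode or any(c.startswith("wep") for c in self.ciphers):
            if self.static_key:
                return "static WEP"
            return "dynamic WEP (per-user keys via EAP)" if self.eap else "WEP (no key source)"
        return "none"

    @property
    def dot11n_rates(self) -> bool:
        # Per the 802.11n note: rates need either no encryption or AES-CCMP.
        # Assumption: a mixed list such as "tkip aes-ccm" does not qualify.
        return self.mode in ("AES-CCMP", "none")

    def recommendations(self) -> List[str]:
        out = []
        if self.mode == "static WEP":
            out.append("static WEP key: no per-user 802.1x authentication possible; "
                       "use 'encryption mode ciphers' if WEP is unavoidable")
        if "WEP" in self.mode:
            out.append("WEP is deprecated by the IEEE; move to AES-CCMP (ciphers aes-ccm) "
                       "as soon as client drivers allow")
        if not self.dot11n_rates:
            out.append("802.11n rates unavailable with this encryption mode")
        return out


def audit_config(config: str) -> Dict[Optional[int], VlanEncryption]:
    """Parse 'dot11 ssid' blocks and radio 'encryption' lines into per-VLAN records."""
    vlans: Dict[Optional[int], VlanEncryption] = {}
    ssid_info: Dict[str, dict] = {}
    current = None
    for raw in config.splitlines():
        m = SSID_RE.match(raw)
        if m:                                   # start of a "dot11 ssid NAME" block
            current = {"vlan": None, "eap": False, "wpa": False}
            ssid_info[m.group(1)] = current
            continue
        if not raw.startswith(" "):             # any top-level line ends the SSID block
            current = None
        if current is not None:
            words = raw.split()
            if words[:1] == ["vlan"]:
                current["vlan"] = int(words[1])
            elif words[:1] == ["authentication"] and "eap" in words:
                current["eap"] = True
            elif words[:2] == ["authentication", "key-management"]:
                current["wpa"] = True
            continue
        m = ENC_RE.match(raw)
        if not m:
            continue
        vlan = int(m.group(1)) if m.group(1) else None
        rec = vlans.setdefault(vlan, VlanEncryption(vlan))
        rest = m.group(2).split()
        if rest[:1] == ["key"]:                 # WEP encryption command: static key
            rec.static_key = True
        elif rest[:2] == ["mode", "ciphers"]:   # cipher command
            rec.ciphers = rest[2:]
        elif rest[:2] == ["mode", "wep"]:
            rec.wep_mode = rest[2] if len(rest) > 2 else "mandatory"
    for name, info in ssid_info.items():        # attach each SSID to its VLAN's encryption
        rec = vlans.setdefault(info["vlan"], VlanEncryption(info["vlan"]))
        rec.ssids.append(name)
        rec.eap |= info["eap"]
        rec.wpa |= info["wpa"]
    return vlans


def report(config: str) -> List[str]:
    lines = []
    for vlan, rec in sorted(audit_config(config).items(), key=lambda kv: (kv[0] is None, kv[0] or 0)):
        n = "yes" if rec.dot11n_rates else "no"
        lines.append(f"vlan {vlan}: {rec.mode}; ssids={rec.ssids}; 802.11n rates={n}")
        lines.extend("  - " + r for r in rec.recommendations())
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONFIG)))
```

Run against the sample, VLAN 20 is classified as static WEP (a `key` line plus `mode wep`), VLAN 30 as dynamic WEP (a `wep128` cipher with an EAP-authenticated SSID and no static key), and VLAN 10 as AES-CCMP, the only one of the three for which 802.11n rates are available. Feeding `show running-config` output from a real access point into `report()` gives the same per-VLAN view.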