Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-30644-01
Chapter 10 Configuring WLAN Authentication and Encryption
• WEP (Wired Equivalent Privacy)—WEP is an 802.11 standard encryption algorithm originally designed to provide your wireless LAN with the same level of privacy available on a wired LAN. However, the basic WEP construction is flawed, and an attacker can compromise the privacy with reasonable effort.
• TKIP (Temporal Key Integrity Protocol)—TKIP is a suite of algorithms surrounding WEP that is designed to achieve the best possible security on legacy hardware built to run WEP. TKIP adds four enhancements to WEP:
  - A per-packet key mixing function to defeat weak-key attacks
  - A new IV sequencing discipline to detect replay attacks
  - A cryptographic message integrity check (MIC), called Michael, to detect forgeries such as bit flipping and altering packet source and destination
  - An extension of IV space, to virtually eliminate the need for re-keying
• CKIP (Cisco Key Integrity Protocol)—Cisco's WEP key permutation technique based on an early algorithm presented by the IEEE 802.11i security task group. WPA TKIP replaced most CKIP implementations.
• CMIC (Cisco Message Integrity Check)—Like TKIP's Michael, Cisco's message integrity check mechanism is designed to detect forgery attacks. Cisco CKIP is required to use CMIC.
• Broadcast key rotation (also known as Group Key Update)—Broadcast key rotation allows the access point to generate the best possible random group key and update all key-management capable clients periodically. Wi-Fi Protected Access (WPA) also provides additional options for group key updates. See the “Using WPA Key Management” section on page 11-7 for details on WPA.
Note Client devices using static WEP cannot use the access point when you enable broadcast key rotation. Broadcast key rotation is supported only when using key management (such as dynamic WEP (802.1x), WPA with EAP, or pre-shared key).
Note Encryption is configured at the interface or the VLAN level, and authentication is configured for each SSID to be supported on the relevant VLAN or interface. Therefore, encryption and authentication combine. See Chapter 11, “Configuring Authentication Types,” for details on how encryption and authentication combine.
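As an added example (not from this guide and not Cisco's code), the TKIP enhancements listed above can be exercised in Python: michael() implements the Michael MIC as specified in IEEE 802.11 (checked against the standard's zero-key, empty-message test vector), while tkip_receive(), the MIC key, the frame bytes and the TSC values are constructed here for illustration.

```python
import struct

MASK32 = 0xFFFFFFFF

def _rol(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK32

def _ror(v, n):
    return ((v >> n) | (v << (32 - n))) & MASK32

def _xswap(v):
    # Swap the two bytes within each 16-bit half: 0xAABBCCDD -> 0xBBAADDCC.
    return ((v & 0xFF00FF00) >> 8) | ((v & 0x00FF00FF) << 8)

def _block(l, r):
    # One application of the Michael block function (IEEE 802.11 TKIP).
    r ^= _rol(l, 17); l = (l + r) & MASK32
    r ^= _xswap(l);   l = (l + r) & MASK32
    r ^= _rol(l, 3);  l = (l + r) & MASK32
    r ^= _ror(l, 2);  l = (l + r) & MASK32
    return l, r

def michael(key, msg):
    """8-byte Michael MIC of msg under an 8-byte key. In a real TKIP frame
    the MIC input is DA || SA || priority || 3 zero bytes || MSDU."""
    l, r = struct.unpack("<II", key)
    # Padding: one 0x5a byte, then 4..7 zero bytes to reach a multiple of 4.
    data = msg + b"\x5a" + b"\x00" * (4 + (-(len(msg) + 1)) % 4)
    for (word,) in struct.iter_unpack("<I", data):
        l ^= word
        l, r = _block(l, r)
    return struct.pack("<II", l, r)

def tkip_receive(mic_key, last_tsc, tsc, msdu, mic):
    """Receiver checks TKIP adds on top of WEP: the 48-bit TSC must strictly
    increase (replay detection) and the Michael MIC must verify (forgery
    detection). Returns (accepted, reason, updated last_tsc)."""
    if tsc <= last_tsc:
        return False, "replay", last_tsc
    if michael(mic_key, msdu) != mic:
        return False, "mic-failure", last_tsc
    return True, "ok", tsc

if __name__ == "__main__":
    key = bytes.fromhex("0011223344556677")                      # constructed MIC key
    frame = b"\xaa" * 12 + b"\x07" + b"\x00" * 3 + b"payload"    # DA, SA, prio, 0,0,0, MSDU
    good = michael(key, frame)
    forged = bytes(frame[:-1]) + bytes([frame[-1] ^ 0x01])      # single bit flipped
    print(tkip_receive(key, 0, 1, frame, good))     # accepted: TSC advanced, MIC matches
    print(tkip_receive(key, 1, 1, frame, good), tkip_receive(key, 1, 2, forged, good))
```

The second print shows the two rejections TKIP adds over plain WEP: a repeated TSC is dropped as a replay before any MIC work, and a frame whose payload has one bit flipped fails the Michael check even though its TSC is fresh.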
Configuring Encryption Modes
Encryption is configured at the VLAN or radio interface level. Ensure that the encryption mechanism you enable is compatible with the authentication mechanism you plan to use for the SSID that is mapped to the relevant VLAN or radio interface. For more details on the compatibility of encryption and authentication schemes, see the Understanding Authentication and Encryption Mechanisms section.
Note WEP, TKIP, MIC and broadcast key rotation are disabled by default.