10-11
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-30644-01
Chapter10 Configuring WLAN Authentication and Encryption
Configuring Encryption Modes
Use the no form of the encryption command to disable a cipher suite.
Matching Cipher Suites with WPA or CCKM
If you configure your access point to use WPA or CCKM authenticated key management, you must select
a cipher suite compatible with the authenticated key management type. Table10-3 lists the cipher suites
that are compatible with WPA and CCKM.
Step3 encryption [vlan vlan-id] mode
ciphers {aes-ccm | ckip | ckip-cmic |
cmic | tkip | wep128 | wep40}
Enable a cipher suite containing the protection you need.
Table 1 0-3 lists guidelines for selecting a cipher suite that
matches the type of authenticated key management you
configure.
(Optional) Select the VLAN for which you want to enable
a cipher type.
Select the cipher options you need. You can select more
than one cipher.
Note If you enable a cipher suite with 2 or 3 elements, each
client will use the highest encryption mechanism
enabled on the interface and supported by the client.
The broadcast key will use the element supported by all
clients. See the Understanding Authentication and
Encryption Mechanisms section for more details.
Note If you configure ckip you must also enable Aironet
extensions. The command to enable Aironet extensions
is dot11 extension aironet.
Note You can also use the encryption mode wep command
to set up static WEP. However, you should use
encryption mode wep only if no clients that associate
to the access point are capable of key management. See
the Cisco IOS Command Reference for Cisco Access
Points and Bridges for a detailed description of the
encryption mode wep command.
Note When you configure the cipher TKIP (not TKIP +
WEP 128 or TKIP + WEP 40) for an SSID, the SSID
must use WPA or CCKM key management. Client
authentication fails on an SSID that uses the cipher
TKIP without enabling WPA or CCKM key
management.
Note You must configure WPA key management as optional
in order to configure cipher modes TKIP + WEP 128
or TKIP + WEP 40.
Step4 end Return to privileged EXEC mode.
Step5 copy running-config startup-config (Optional) Save your entries in the configuration file.
Command Purpose