Cisco Systems OL-6415-04 Configure Encryption Types

5-3

Cisco Wireless ISR and HWIC Access Point Configuration Guide

OL-6415-04

Chapter 5 Configuring Encryption Types

Configure Encryption Types

Note Client devices using static WEP cannot use the access point when you enable broadcast key

rotation. When you enable broadcast key rotation, only wireless client devices using 802.1x

authentication (such as LEAP, EAP-TLS, or PEAP) can use the access point.

Configure Encryption Types

These sections describe how to configure encryption, such as WEP, AES-CCM, and and broadcast key

rotation:

• Creating WEP Keys, page 5-3

• Creating Cipher Suites, page 5-5

• Enabling and Disabling Broadcast Key Rotation, page 5-7

Note All encryption types are disabled by default.

Creating WEP Keys

Note You need to configure static WEP keys only if your access point needs to support client devices that use

static WEP. If all the client devices that associate to the access point use key management (WPA or

802.1x authentication) you do not need to configure static WEP keys.

Beginning in privileged EXEC mode, follow these steps to create a WEP key and set the key properties:

Command Purpose

Step 1 configure terminal Enter global configuration mode.

Step 2 interface dot11radio { 0 | 1 }Enter interface configuration mode for the radio interface. The

2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.

Contents

Main Page CONTENTS Page Page Page Page Page Preface Audience Purpose Organization Conventions Page Related Publications Obtaining Documentation Cisco.com Product Documentation DVD Ordering Documentation Documentation Feedback Cisco Product Security Overview Reporting Security Problems in Cisco Products Obtaining Technical Assistance Cisco Technical Support & Documentation Website Submitting a Service Request Definitions of Service Request Severity Obtaining Additional Publications and Information Page Overview Wireless Device Management Network Configuration Example Root Unit on a Wired LAN Features Page Page Page Configuring Radio Settings Enabling the Radio Interface Roles in Radio Network Configuring Network or Fallback Role 2-4 Bridge Features Not Supported Sample Bridging Configuration The following is a sample of a Root Bridge Configuration: 2-5 The following is a sample of Non-Root Bridge Configuration: 2-6 Universal Client Mode Configuring Universal Client Mode Page 2-9 Configuring Radio Data Rates Page Configuring Radio Transmit Power Limiting the Power Level for Associated Client Devices Configuring Radio Channel Settings Page Page Page Page DFS Automatically Enabled on Some 5-GHz Radio Channels Confirming that DFS is Enabled Blocking Channels from DFS Selection Enabling and Disabling World Mode Enabling and Disabling Short Radio Preambles Configuring Transmit and Receive Antennas Disabling and Enabling Access Point Extensions Configuring the Ethernet Encapsulation Transformation Method Enabling and Disabling Reliable Multicast to Workgroup Bridges Enabling and Disabling Public Secure Packet Forwarding Configuring Protected Ports Configuring Beacon Period and DTIM Configuring RTS Threshold and Retries Configuring Maximum Data Retries Configuring Fragmentation Threshold Enabling Short Slot Time for 802.11g Radios Performing a Carrier Busy Test Page Configuring Multiple SSIDs Understanding Multiple SSIDs SSID Configuration Methods Supported by Cisco IOS Releases Configuring Multiple SSIDs Creating an SSID Globally Page Viewing SSIDs Configured Globally Using Spaces in SSIDs Using a RADIUS Server to Restrict SSIDs Configuring Multiple Basic SSIDs Requirements for Configuring Multiple BSSIDs Guidelines for Using Multiple BSSIDs CLI Configuration Example Displaying Configured BSSIDs Enabling MBSSID and SSIDL at the same time 3-8 Use the no form of the command to disable SSIDL IEs. Sample Configuration for Enabling MBSSID and SSIDL Below is a sample configuration for enabling MBSSID: Below is a sample configuration for enabling SSIDL: 3-9 Page Configuring an Access Point as a Local Authenticator Understand Local Authentication Configure a Local Authenticator Guidelines for Local Authenticators Configuration Overview Configuring the Local Authenticator Access Point Page Page 4-6 This example shows how to set up EAP-FAST authentication: 4-7 Configuring Other Access Points to Use the Local Authenticator Configuring EAP-FAST Settings Configuring PAC Settings PAC Expiration Times Generating PACs Manually Configuring an Authority ID Configuring Server Keys Possible PAC Failures Caused by Access Point Clock Limiting the Local Authenticator to One Authentication Type Unblocking Locked Usernames Viewing Local Authenticator Statistics Using Debug Messages Configuring Encryption Types Understand Encryption Types Configure Encryption Types Creating WEP Keys WEP Key Restrictions Example WEP Key Setup Creating Cipher Suites Cipher Suites Compatible with WPA Enabling and Disabling Broadcast Key Rotation Security Type in Universal Client Mode Universal client configuration Page 5-11 Page Configuring Authentication Types Understand Authentication Types Open Authentication to Access Point Shared Key Authentication to Access Point EAP Authentication to Network MAC Address Authentication to the Network Combining MAC-Based, EAP, and Open Authentication Using WPA Key Management Page Software and Firmware Requirements for WPA and WPA-TKIP Configure Authentication Types Assigning Authentication Types to an SSID Page Page Configuring WPA Migration Mode Configuring Additional WPA Settings Setting a Pre-Shared Key Configuring Group Key Updates Configuring MAC Authentication Caching Configuring Authentication Holdoffs, Timeouts, and Intervals Matching Access Point and Client Device Authentication Types Page Page Configuring RADIUS Servers Configuring and Enabling RADIUS Understanding RADIUS RADIUS Operation Configuring RADIUS Default RADIUS Configuration Identifying the RADIUS Server Host Page Configuring RADIUS Login Authentication Page Defining AAA Server Groups Page Configuring RADIUS Authorization for User Privileged Access and Network Services Starting RADIUS Accounting Selecting the CSID Format Configuring Settings for All RADIUS Servers Configuring the Access Point to Use Vendor-Specific RADIUS Attributes Configuring the Access Point for Vendor-Proprietary RADIUS Server Communication Configuring WISPr RADIUS Attributes Displaying the RADIUS Configuration RADIUS Attributes Sent by the Access Point Page Page Configuring VLANs Understanding VLANs Related Documents Incorporating Wireless Devices into VLANs Configuring VLANs Configuring a VLAN Page Assigning Names to VLANs Guidelines for Using VLAN Names Creating a VLAN Name Using a RADIUS Server to Assign Users to VLANs Viewing VLANs Configured on the Access Point VLAN Configuration Example 8-10 Table 8-2 shows the commands needed to configure the three VLANs in this example. Tab l e 8-2 Configuration Commands for VLAN Example Configuring VLAN 1 Configuring VLAN 2 Configuring VLAN 3 Tab l e 8-3 Results of Example Configuration Commands Page Page Configuring QoS Understanding QoS for Wireless LANs QoS for Wireless LANs Versus QoS on Wired LANs Impact of QoS on a Wireless LAN Precedence of QoS Settings Using Wi-Fi Multimedia Mode Configuring QoS Configuration Guidelines Adjusting Radio Access Categories Disabling IGMP Snooping Helper Sample Configuration Using the CLI A Channel Settings IEEE 802.11b (2.4-GHz Band) IEEE 802.11g (2.4-GHz Band) IEEE 802.11a (5-GHz Band) Page Page B Protocol Filters Page Page Page Page Page C Supported MIBs MIB List Using FTP to Access the MIB Files D Error and Event Messages How to Read System Messages Message Traceback Reports Association Management Messages 802.11 Subsystem Messages Page Page Page Page Page Page Page Page Local Authenticator Messages GLOSSARY A B C D E F G I M O P Q S T U W Page INDEX Numerics A B C D E F G I J N O P Q S T V W