Manuals / Cisco Systems / Computer Equipment / Network Router

Cisco Systems OL-6415-04 manual Creating Cipher Suites, Example WEP Key Setup

Models: OL-6415-04

1 188

Download 188 pages 52.52 Kb

Page 81

Chapter 5 Configuring Encryption Types

Configure Encryption Types

Table 5-1	WEP Key Restrictions (continued)

Security Configuration		WEP Key Restriction

Cipher suite with TKIP and 40-bit WEP or		Cannot configure a WEP key in key slot 1 and 4
128-bit WEP

Broadcast key rotation		Keys in slots 2 and 3 are overwritten by rotating
		broadcast keys
		Note Client devices using static WEP cannot use the
		access point when you enable broadcast key
		rotation. When you enable broadcast key
		rotation, only wireless client devices using
		802.1x authentication (such as LEAP, EAP-TLS,
		or PEAP) can use the access point.

Example WEP Key Setup

Table 5-2shows an example WEP key setup that would work for the access point and an associated device:

Table 5-2		WEP Key Setup Example

Key	Access Point			Associated Device
Key
Slot	Transmit?		Key Contents	Transmit?	Key Contents

1	x		12345678901234567890abcdef	–	12345678901234567890abcdef

2	–		09876543210987654321fedcba	x	09876543210987654321fedcba

3	–		not set	–	not set

4	–		not set	–	FEDCBA09876543211234567890

Because the access point’s WEP key 1 is selected as the transmit key, WEP key 1 on the other device must have the same contents. WEP key 4 on the other device is set, but because it is not selected as the transmit key, WEP key 4 on the access point does not need to be set at all.

Creating Cipher Suites

Beginning in privileged EXEC mode, follow these steps to create a cipher suite:

	Command	Purpose
Step 1
Step 1	configure terminal	Enter global configuration mode.
Step 2
Step 2	interface dot11radio { 0 1 }	Enter interface configuration mode for the radio interface. The
		2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.

Cisco Wireless ISR and HWIC Access Point Configuration Guide

	OL-6415-04	5-5

Image 81

Cisco Systems OL-6415-04 manual Creating Cipher Suites, Example WEP Key Setup

Contents

Text Part Number 0L-6415-04 Corporate HeadquartersPage N T E N T S Ssid Configuration Methods Supported by Cisco IOS Releases Creating Cipher Suites Protocol Filters Local Authenticator Messages Contents Cisco Wireless Router and Hwic Configuration Guide Audience PrefacePurpose Preface provides information on the following topicsConventions OrganizationPreface Conventions Cisco Product Document Title Related PublicationsCisco.com Obtaining DocumentationDocumentation Feedback Product Documentation DVDOrdering Documentation Cisco Product Security Overview Reporting Security Problems in Cisco ProductsSubmitting a Service Request Obtaining Technical AssistanceCisco Technical Support & Documentation Website Obtaining Additional Publications and Information Definitions of Service Request SeverityPreface Obtaining Additional Publications and Information Overview Wireless Device ManagementRoot Unit on a Wired LAN Network Configuration ExampleFeatures Overview Features Overview Overview Cisco Wireless Router and Hwic Configuration Guide Configuring Radio Settings Enabling the Radio Interface Command PurposeRoles in Radio Network Cisco Role in Radio Network Eries ISRsConfiguring Network or Fallback Role Bridge Features Not Supported Sample Bridging ConfigurationFollowing is a sample of a Root Bridge Configuration Following is a sample of Non-Root Bridge Configuration Interface Dot11Radio0/1/0 no ip address Configuring Universal Client Mode Universal Client ModeFollowing configuration is supported on NAT NAT Network Address TranslationVirtual interface to aid NAT translation No service password-encryption Hostname C1803WUC Configuring Radio Settings Configuring Radio Data Rates Configuring Radio Data RatesSpeed Throughput ofdm default11.0 2.0 5.5 basic-1.0 2.0 5.5 6.0 9.0End Return to privileged Exec mode Configuring Radio Transmit PowerDBm 100 125 150 200 250Power local Limiting the Power Level for Associated Client Devices5 6 7 10 13 15 17 MaximumPower client Configuring Radio Channel Settings20 30 50 100 maximum 10 20 30 50 MaximumRegulatory Domains Channel CenterIdentifier MHz 2412 2417 2422 2427 2432 2437 2442 2447 2452 2457 2462 24672472 2484 Channel GHz Channels on Which DFS is Automatically Enabled DFS Automatically Enabled on Some 5-GHz Radio ChannelsConfirming that DFS is Enabled Enabling and Disabling World ModeThis example shows how to unblock all frequencies for DFS Blocking Channels from DFS SelectionEnabling and Disabling Short Radio Preambles Antenna receive Configuring Transmit and Receive AntennasDiversity left right Antenna transmitDisabling and Enabling Access Point Extensions Disable Access Point extensionsNo dot11 extension aironet Payload-encapsulation Snap or 802.1h dot1h, the default settingSet the encapsulation transformation method to RFC1042 Snap dot1hConfigure terminal Enter global configuration mode Enable PspfBridge-group group port-protected Configuring Protected Ports Configuring Beacon Period and DtimConfiguring Maximum Data Retries Configuring RTS Threshold and RetriesRts threshold value Rts retries valueBytes for the 2.4-GHz radio. Enter a setting from 256 to Configuring Fragmentation ThresholdEnabling Short Slot Time for 802.11g Radios Fragment-threshold valuePerforming a Carrier Busy Test OL-6415-04 Configuring Multiple SSIDs Ssid Configuration Methods Supported by Cisco IOS Releases Understanding Multiple SSIDsVlan Creating an Ssid Globally Configuring Multiple SSIDsCommand Purpose Using a Radius Server to Restrict SSIDs Viewing SSIDs Configured GloballyUsing Spaces in SSIDs Configuring Multiple Basic SSIDs Requirements for Configuring Multiple BSSIDsGuidelines for Using Multiple BSSIDs Displaying Configured BSSIDs CLI Configuration ExampleEnabling Mbssid and Ssidl at the same time Information-element ssidlUse the no form of the command to disable Ssidl IEs Sample Configuration for Enabling Mbssid and SsidlBelow is a sample configuration for enabling Mbssid Below is a sample configuration for enabling SsidlInterface Dot11Radio0/0/0 no ip address OL-6415-04 Configuring an Access Point as a Local Authenticator Configure a Local Authenticator Understand Local AuthenticationConfiguration Overview Guidelines for Local AuthenticatorsConfiguring the Local Authenticator Access Point Aaa new-model Enable AAARadius-server local Reauthentication time secondsVlan vlan Ssid ssidMac-auth-only Password nthash passwordThis example shows how to set up EAP-FAST authentication End Routerconfig# aaa new-model Configuring PAC Settings Configuring EAP-FAST SettingsConfiguring an Authority ID Configuring Server KeysPossible PAC Failures Caused by Access Point Clock Viewing Local Authenticator Statistics Limiting the Local Authenticator to One Authentication TypeThis example shows local authenticator statistics Unblocking Locked UsernamesUsing Debug Messages Understand Encryption Types, Configure Encryption Types, Configuring Encryption TypesUnderstand Encryption Types Creating WEP Keys Configure Encryption TypesWEP Key Restrictions Security Configuration WEP Key RestrictionEncryption KeyExample WEP Key Setup Access Point Associated Device Slot Transmit? Key ContentsCreating Cipher Suites Cipher Suites Compatible with WPA Enabling and Disabling Broadcast Key Rotation Compatible Cipher SuitesWPA Security Security Type in Universal Client ModeUniversal client configuration Tkip AES TKIP+AESWEP 40-bit WEP 128-bit Caveats DebuggingWEP OL-6415-04 Configuring Authentication Types Open Authentication to Access Point Understand Authentication TypesTraffic from client Shared Key Authentication to Access PointSequence for EAP Authentication EAP Authentication to NetworkMAC Address Authentication to the Network Using WPA Key Management Combining MAC-Based, EAP, and Open Authentication5shows the WPA key management process Software and Firmware Requirements for WPA and WPA-TKIP WPA-PSK Mode Windows XP YesThird Party Host Supplicant Protocol Required? SystemsAssigning Authentication Types to an Ssid Configure Authentication TypesOptional Set the authentication type to open for this Ssid Authentication openMac-address list-name alternate Optional eap list-nameAuthentication network-eap Authentication sharedAuthentication key-management Mac-address list-nameConfiguring WPA Migration Mode Wpa-psk hex ascii 0 Configuring Additional WPA SettingsConfiguring MAC Authentication Caching Dot11 holdoff-time seconds Dot1x client-timeout secondsDot1x reauth-period seconds ServerSecurity Feature Client Setting Access Point Setting Detects two MIC failures within 60 seconds, it blocks allTkip clients on that interface for the holdtime period WPA-PSK Security Feature Client Setting Access Point Setting Configuring Radius Servers Understanding Radius Configuring and Enabling RadiusRadius Operation Default Radius Configuration Configuring RadiusIdentifying the Radius Server Host Port for authentication requests.Optional For acct-port Acct-port port-number timeoutRadius-server timeout command is used Radius-server host hostnameShow running-config Verify your entries Configuring Radius Login AuthenticationLogin authentication default Aaa authentication login defaultAuthentication login command Include-in-access-req format %hDefining AAA Server Groups Port for accounting requests Port for authentication requestsAaa group server radius group-name Define the AAA server-group with a group nameRadius Starting Radius Accounting Configuring Settings for All Radius Servers Selecting the Csid FormatOption MAC Address Example Show running-config Verify your settings Authentication Radius-server vsa send accountingRadius-server host hostname ip-address non-standard Radius-server key string Configuring WISPr Radius AttributesSnmp-server location location Displaying the Radius ConfigurationAttribute ID Description Radius Attributes Sent by the Access PointVLAN-ID VSA attribute NAS-Location Disc-Cause-Ext Acct-Terminate-CauseConfiguring VLANs Understanding VLANs Related Documents LAN and Vlan Segmentation with Wireless DevicesIncorporating Wireless Devices into VLANs Configuring VLANsInterface dot11radio 0.x Configuring a VlanEncapsulation dot1q vlan-id Guidelines for Using Vlan Names Using a Radius Server to Assign Users to VLANsAssigning Names to VLANs Creating a Vlan NameViewing VLANs Configured on the Access Point Ssid Vlan ID Vlan Configuration ExampleVlan 1 Interfaces Vlan 2 Interfaces Vlan 3 Interfaces Configuring VlanConfiguring VLANs Vlan Configuration Example OL-6415-04 Understanding QoS for Wireless LANs, Configuring QoS, Configuring QoSUnderstanding QoS for Wireless LANs QoS for Wireless LANs Versus QoS on Wired LANsImpact of QoS on a Wireless LAN Upstream and Downstream Traffic Flow Precedence of QoS SettingsUsing Wi-Fi Multimedia Mode Configuration Guidelines Configuring QoSAdjusting Radio Access Categories Fixed Slot TimeDisabling Igmp Snooping Helper Sample Configuration Using the CLIIeee 802.11b 2.4-GHz Band Channel SettingsCenter Frequency Americas JapanIeee 802.11a 5-GHz Band Ieee 802.11g 2.4-GHz BandCenter Regulatory Domains Americas -A Emea -E Japan -J FrequencyFrequency North America OL-6415-04 Protocol Filters Protocol Igmp IcmpTCP EGP PUP ChaosISO Designator POP2 TsapPOP3 IMAP2RPC RIPUucp CVSSupported MIBs MIB ListIEEE802dot11-MIB RFC1213-MIB RFC1398-MIB SNMPv2-MIB SNMPv2-SMI SNMPv2-TC Using FTP to Access the MIB FilesHow to Read System Messages Error and Event MessagesThis appendix lists the CLI error and event messages Level DescriptionExplanation a station disassociated from an access point Explanation a station associated to an access pointMessage Traceback Reports Association Management MessagesSubsystem Messages Recommended Action None Explanation The device has begun its DFS scanning process Recommended Action None Error Message DOT11-4-RMINCAPABLE Interface interface Recommended Action Reload the system Error Message DOT11-4-CANTASSOC Cannot associate characters Recommended Action None Recommended Action Local Authenticator Messages Wireless network composed of stations without Access Points Network with wireless stationsAccess Point Operating in the 2.4-GHz bandGL-2 Hoc modeWired Ethernet network LAN 802.11 specificationsAn antenna that radiates its signal in a spherical pattern Corresponding IP addressesTransmission at 2 Mbps Transmission at 6, 9, 12, 18, 24, 36, 48, and 54 MbpsThat of a cable While maintaining an unbroken connection to the LANWireless MultiMedia Computing device with an installed client adapter802.1X for authenticated key management AES-CCMP EAPIN-2 EAP-FAST 1Leap FTPNames, Vlan Network-EAP OfdmQbss Local authentication Names Ssid 4 Vlan command 4 Guest mode Multiple SSIDs Support Using spacesRegulatory Domains Radius RFCWPA migration mode Wpa-psk command World-mode commandIN-7 IN-8 IN-9 IN-10 IN-11 IN-12 IN-13 IN-14