Cisco Systems OL-6415-04 Cipher Suites Compatible with WPA

5-6

Cisco Wireless ISR and HWIC Access Point Configuration Guide

OL-6415-04

Chapter 5 Configuring Encryption Types

Configure Encryption Types

Use the no form of the encryption command to disable a cipher suite.

This example sets up a cipher suite for VLAN 22 that enables AES-CCM, and 128-bit WEP.

router# configure terminal

router(config)# interface dot11radio 0

router(config-if)# encryption vlan 22 mode ciphers aes-ccm wep128

router(config-if)# exit

Cipher Suites Compatible with WPA

If you configure your access point to use WPA authenticated key management, you must select a cipher

suite compatible with the authenticated key management type. Table 5-3 lists the cipher suites that are

compatible with WPA.

Step 3 encryption

[vlan vlan-id]

mode ciphers

{[aes-ccm | tkip]} {[wep128 |

wep40]}

Enable a cipher suite containing the encryption you need.

Table 5-3 lists guidelines for selecting a cipher suite that

matches the type of authenticated key management you

configure.

• (Optional) Select the VLAN for which you want to enable

WEP and WEP features.

• Set the cipher options and WEP level. You can combine

TKIP with 128-bit or 40-bit WEP.

Note You can also use the encryption mode wep command

to set up static WEP. However, you should use

encryption mode wep only if no clients that associate

to the access point are capable of key management. See

the Cisco IOS Command Reference for Cisco Access

Points and Bridges for a detailed description of the

encryption mode wep command.

Note When you configure the cipher TKIP and AES-CCM

(not TKIP + WEP 128 or TKIP + WEP 40) for an

SSID, the SSID must use WPA key management. Client

authentication fails on an SSID that uses the cipher

TKIP without enabling WPA key management.

Step 4 end Return to privileged EXEC mode.

Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.

Command Purpose

Contents

Main Page CONTENTS Page Page Page Page Page Preface Audience Purpose Organization Conventions Page Related Publications Obtaining Documentation Cisco.com Product Documentation DVD Ordering Documentation Documentation Feedback Cisco Product Security Overview Reporting Security Problems in Cisco Products Obtaining Technical Assistance Cisco Technical Support & Documentation Website Submitting a Service Request Definitions of Service Request Severity Obtaining Additional Publications and Information Page Overview Wireless Device Management Network Configuration Example Root Unit on a Wired LAN Features Page Page Page Configuring Radio Settings Enabling the Radio Interface Roles in Radio Network Configuring Network or Fallback Role 2-4 Bridge Features Not Supported Sample Bridging Configuration The following is a sample of a Root Bridge Configuration: 2-5 The following is a sample of Non-Root Bridge Configuration: 2-6 Universal Client Mode Configuring Universal Client Mode Page 2-9 Configuring Radio Data Rates Page Configuring Radio Transmit Power Limiting the Power Level for Associated Client Devices Configuring Radio Channel Settings Page Page Page Page DFS Automatically Enabled on Some 5-GHz Radio Channels Confirming that DFS is Enabled Blocking Channels from DFS Selection Enabling and Disabling World Mode Enabling and Disabling Short Radio Preambles Configuring Transmit and Receive Antennas Disabling and Enabling Access Point Extensions Configuring the Ethernet Encapsulation Transformation Method Enabling and Disabling Reliable Multicast to Workgroup Bridges Enabling and Disabling Public Secure Packet Forwarding Configuring Protected Ports Configuring Beacon Period and DTIM Configuring RTS Threshold and Retries Configuring Maximum Data Retries Configuring Fragmentation Threshold Enabling Short Slot Time for 802.11g Radios Performing a Carrier Busy Test Page Configuring Multiple SSIDs Understanding Multiple SSIDs SSID Configuration Methods Supported by Cisco IOS Releases Configuring Multiple SSIDs Creating an SSID Globally Page Viewing SSIDs Configured Globally Using Spaces in SSIDs Using a RADIUS Server to Restrict SSIDs Configuring Multiple Basic SSIDs Requirements for Configuring Multiple BSSIDs Guidelines for Using Multiple BSSIDs CLI Configuration Example Displaying Configured BSSIDs Enabling MBSSID and SSIDL at the same time 3-8 Use the no form of the command to disable SSIDL IEs. Sample Configuration for Enabling MBSSID and SSIDL Below is a sample configuration for enabling MBSSID: Below is a sample configuration for enabling SSIDL: 3-9 Page Configuring an Access Point as a Local Authenticator Understand Local Authentication Configure a Local Authenticator Guidelines for Local Authenticators Configuration Overview Configuring the Local Authenticator Access Point Page Page 4-6 This example shows how to set up EAP-FAST authentication: 4-7 Configuring Other Access Points to Use the Local Authenticator Configuring EAP-FAST Settings Configuring PAC Settings PAC Expiration Times Generating PACs Manually Configuring an Authority ID Configuring Server Keys Possible PAC Failures Caused by Access Point Clock Limiting the Local Authenticator to One Authentication Type Unblocking Locked Usernames Viewing Local Authenticator Statistics Using Debug Messages Configuring Encryption Types Understand Encryption Types Configure Encryption Types Creating WEP Keys WEP Key Restrictions Example WEP Key Setup Creating Cipher Suites Cipher Suites Compatible with WPA Enabling and Disabling Broadcast Key Rotation Security Type in Universal Client Mode Universal client configuration Page 5-11 Page Configuring Authentication Types Understand Authentication Types Open Authentication to Access Point Shared Key Authentication to Access Point EAP Authentication to Network MAC Address Authentication to the Network Combining MAC-Based, EAP, and Open Authentication Using WPA Key Management Page Software and Firmware Requirements for WPA and WPA-TKIP Configure Authentication Types Assigning Authentication Types to an SSID Page Page Configuring WPA Migration Mode Configuring Additional WPA Settings Setting a Pre-Shared Key Configuring Group Key Updates Configuring MAC Authentication Caching Configuring Authentication Holdoffs, Timeouts, and Intervals Matching Access Point and Client Device Authentication Types Page Page Configuring RADIUS Servers Configuring and Enabling RADIUS Understanding RADIUS RADIUS Operation Configuring RADIUS Default RADIUS Configuration Identifying the RADIUS Server Host Page Configuring RADIUS Login Authentication Page Defining AAA Server Groups Page Configuring RADIUS Authorization for User Privileged Access and Network Services Starting RADIUS Accounting Selecting the CSID Format Configuring Settings for All RADIUS Servers Configuring the Access Point to Use Vendor-Specific RADIUS Attributes Configuring the Access Point for Vendor-Proprietary RADIUS Server Communication Configuring WISPr RADIUS Attributes Displaying the RADIUS Configuration RADIUS Attributes Sent by the Access Point Page Page Configuring VLANs Understanding VLANs Related Documents Incorporating Wireless Devices into VLANs Configuring VLANs Configuring a VLAN Page Assigning Names to VLANs Guidelines for Using VLAN Names Creating a VLAN Name Using a RADIUS Server to Assign Users to VLANs Viewing VLANs Configured on the Access Point VLAN Configuration Example 8-10 Table 8-2 shows the commands needed to configure the three VLANs in this example. Tab l e 8-2 Configuration Commands for VLAN Example Configuring VLAN 1 Configuring VLAN 2 Configuring VLAN 3 Tab l e 8-3 Results of Example Configuration Commands Page Page Configuring QoS Understanding QoS for Wireless LANs QoS for Wireless LANs Versus QoS on Wired LANs Impact of QoS on a Wireless LAN Precedence of QoS Settings Using Wi-Fi Multimedia Mode Configuring QoS Configuration Guidelines Adjusting Radio Access Categories Disabling IGMP Snooping Helper Sample Configuration Using the CLI A Channel Settings IEEE 802.11b (2.4-GHz Band) IEEE 802.11g (2.4-GHz Band) IEEE 802.11a (5-GHz Band) Page Page B Protocol Filters Page Page Page Page Page C Supported MIBs MIB List Using FTP to Access the MIB Files D Error and Event Messages How to Read System Messages Message Traceback Reports Association Management Messages 802.11 Subsystem Messages Page Page Page Page Page Page Page Page Local Authenticator Messages GLOSSARY A B C D E F G I M O P Q S T U W Page INDEX Numerics A B C D E F G I J N O P Q S T V W