Compatible Cipher Suites, Wpa | Cisco Systems OL-6415-04 specs

Chapter 5 Configuring Encryption Types

Configure Encryption Types

Table 5-3	Cipher Suites Compatible with WPA

Authenticated Key Management Types		Compatible Cipher Suites

WPA		• encryption mode ciphers aes-ccm
		• encryption mode ciphers aes-ccm wep128
		• encryption mode ciphers aes-ccm wep40
		• encryption mode ciphers aes-ccm tkip
		• encryption mode ciphers aes-ccm tkip
		wep128
		• encryption mode ciphers aes-ccm tkip
		wep128 wep40
		• encryption mode ciphers tkip wep128 wep40
		•

Note When you configure AES-CCM-only, TKIP-only, or AES-CCM + TKIP cipher TKIP encryption (not including any WEP 40 or WEP 128) on a radio interface or VLAN, every SSID on that radio or VLANmust be set to use the WPA key management. If you configure AES-CCM or TKIP on a radio or VLAN but do not configure key management on the SSIDs, client authentication fails on the SSIDs.

For a complete description of WPA and instructions for configuring authenticated key management, see the “Using WPA Key Management” section on page 6-6.

Enabling and Disabling Broadcast Key Rotation

Broadcast key rotation is disabled by default.

Note	Client devices using static WEP cannot use the access point when you enable broadcast key rotation.
	When you enable broadcast key rotation, only wireless client devices using 802.1x authentication (such
	as LEAP, EAP-TLS, or PEAP) can use the access point.

	Beginning in privileged EXEC mode, follow these steps to enable broadcast key rotation:

	Command	Purpose
Step 1
Step 1	configure terminal	Enter global configuration mode.
Step 2
Step 2	interface dot11radio { 0 1 }	Enter interface configuration mode for the radio interface. The
		2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.

Cisco Wireless ISR and HWIC Access Point Configuration Guide

	OL-6415-04	5-7

Image 83

Cisco Systems OL-6415-04 manual Enabling and Disabling Broadcast Key Rotation, Compatible Cipher Suites, Wpa

Contents

Text Part Number 0L-6415-04 Corporate HeadquartersPage N T E N T S Ssid Configuration Methods Supported by Cisco IOS Releases Creating Cipher Suites Protocol Filters Local Authenticator Messages Contents Cisco Wireless Router and Hwic Configuration Guide Preface provides information on the following topics PrefaceAudience Purpose Conventions Organization Preface Conventions Cisco Product Document Title Related Publications Cisco.com Obtaining Documentation Ordering Documentation Documentation FeedbackProduct Documentation DVD Cisco Product Security Overview Reporting Security Problems in Cisco Products Cisco Technical Support & Documentation Website Submitting a Service RequestObtaining Technical Assistance Obtaining Additional Publications and Information Definitions of Service Request Severity Preface Obtaining Additional Publications and Information Overview Wireless Device Management Root Unit on a Wired LAN Network Configuration Example Features Overview Features Overview Overview Cisco Wireless Router and Hwic Configuration Guide Configuring Radio Settings Cisco Role in Radio Network Eries ISRs Command PurposeEnabling the Radio Interface Roles in Radio Network Configuring Network or Fallback Role Following is a sample of a Root Bridge Configuration Bridge Features Not SupportedSample Bridging Configuration Following is a sample of Non-Root Bridge Configuration Interface Dot11Radio0/1/0 no ip address Configuring Universal Client Mode Universal Client Mode Virtual interface to aid NAT translation Following configuration is supported on NATNAT Network Address Translation No service password-encryption Hostname C1803WUC Configuring Radio Settings Configuring Radio Data Rates Configuring Radio Data Rates 2.0 5.5 6.0 9.0 Throughput ofdm defaultSpeed 11.0 2.0 5.5 basic-1.0 100 125 150 200 250 Configuring Radio Transmit PowerEnd Return to privileged Exec mode DBm Maximum Limiting the Power Level for Associated Client DevicesPower local 5 6 7 10 13 15 17 10 20 30 50 Maximum Configuring Radio Channel SettingsPower client 20 30 50 100 maximum Regulatory Domains 2412 2417 2422 2427 2432 2437 2442 2447 2452 2457 2462 2467 CenterChannel Identifier MHz 2472 2484 Channel GHz Channels on Which DFS is Automatically Enabled DFS Automatically Enabled on Some 5-GHz Radio Channels Blocking Channels from DFS Selection Enabling and Disabling World ModeConfirming that DFS is Enabled This example shows how to unblock all frequencies for DFS Enabling and Disabling Short Radio Preambles Antenna transmit Configuring Transmit and Receive AntennasAntenna receive Diversity left right No dot11 extension aironet Disabling and Enabling Access Point ExtensionsDisable Access Point extensions Snap dot1h Snap or 802.1h dot1h, the default settingPayload-encapsulation Set the encapsulation transformation method to RFC1042 Bridge-group group port-protected Configure terminal Enter global configuration modeEnable Pspf Configuring Protected Ports Configuring Beacon Period and Dtim Rts retries value Configuring RTS Threshold and RetriesConfiguring Maximum Data Retries Rts threshold value Fragment-threshold value Configuring Fragmentation ThresholdBytes for the 2.4-GHz radio. Enter a setting from 256 to Enabling Short Slot Time for 802.11g Radios Performing a Carrier Busy Test OL-6415-04 Configuring Multiple SSIDs Vlan Ssid Configuration Methods Supported by Cisco IOS ReleasesUnderstanding Multiple SSIDs Creating an Ssid Globally Configuring Multiple SSIDs Command Purpose Using Spaces in SSIDs Using a Radius Server to Restrict SSIDsViewing SSIDs Configured Globally Guidelines for Using Multiple BSSIDs Configuring Multiple Basic SSIDsRequirements for Configuring Multiple BSSIDs Information-element ssidl CLI Configuration ExampleDisplaying Configured BSSIDs Enabling Mbssid and Ssidl at the same time Below is a sample configuration for enabling Ssidl Sample Configuration for Enabling Mbssid and SsidlUse the no form of the command to disable Ssidl IEs Below is a sample configuration for enabling Mbssid Interface Dot11Radio0/0/0 no ip address OL-6415-04 Configuring an Access Point as a Local Authenticator Configure a Local Authenticator Understand Local Authentication Aaa new-model Enable AAA Guidelines for Local AuthenticatorsConfiguration Overview Configuring the Local Authenticator Access Point Ssid ssid Reauthentication time secondsRadius-server local Vlan vlan Mac-auth-only Password nthash password This example shows how to set up EAP-FAST authentication End Routerconfig# aaa new-model Configuring PAC Settings Configuring EAP-FAST Settings Possible PAC Failures Caused by Access Point Clock Configuring an Authority IDConfiguring Server Keys Unblocking Locked Usernames Limiting the Local Authenticator to One Authentication TypeViewing Local Authenticator Statistics This example shows local authenticator statistics Using Debug Messages Understand Encryption Types, Configure Encryption Types, Configuring Encryption Types Understand Encryption Types Creating WEP Keys Configure Encryption Types Key Security Configuration WEP Key RestrictionWEP Key Restrictions Encryption Creating Cipher Suites Example WEP Key SetupAccess Point Associated Device Slot Transmit? Key Contents Cipher Suites Compatible with WPA WPA Enabling and Disabling Broadcast Key RotationCompatible Cipher Suites Security Security Type in Universal Client Mode WEP 40-bit WEP 128-bit Universal client configurationTkip AES TKIP+AES Caveats Debugging WEP OL-6415-04 Configuring Authentication Types Open Authentication to Access Point Understand Authentication Types Traffic from client Shared Key Authentication to Access Point Sequence for EAP Authentication EAP Authentication to Network MAC Address Authentication to the Network Using WPA Key Management Combining MAC-Based, EAP, and Open Authentication 5shows the WPA key management process Protocol Required? Systems WPA-PSK Mode Windows XP YesSoftware and Firmware Requirements for WPA and WPA-TKIP Third Party Host Supplicant Assigning Authentication Types to an Ssid Configure Authentication Types Optional eap list-name Authentication openOptional Set the authentication type to open for this Ssid Mac-address list-name alternate Mac-address list-name Authentication sharedAuthentication network-eap Authentication key-management Configuring WPA Migration Mode Wpa-psk hex ascii 0 Configuring Additional WPA Settings Configuring MAC Authentication Caching Server Dot1x client-timeout secondsDot11 holdoff-time seconds Dot1x reauth-period seconds Tkip clients on that interface for the holdtime period Security Feature Client Setting Access Point SettingDetects two MIC failures within 60 seconds, it blocks all WPA-PSK Security Feature Client Setting Access Point Setting Configuring Radius Servers Understanding Radius Configuring and Enabling Radius Radius Operation Default Radius Configuration Configuring Radius Identifying the Radius Server Host Radius-server host hostname Acct-port port-number timeoutPort for authentication requests.Optional For acct-port Radius-server timeout command is used Show running-config Verify your entries Configuring Radius Login Authentication Include-in-access-req format %h Aaa authentication login defaultLogin authentication default Authentication login command Defining AAA Server Groups Define the AAA server-group with a group name Port for authentication requestsPort for accounting requests Aaa group server radius group-name Radius Starting Radius Accounting Option MAC Address Example Configuring Settings for All Radius ServersSelecting the Csid Format Show running-config Verify your settings Radius-server host hostname ip-address non-standard AuthenticationRadius-server vsa send accounting Radius-server key string Configuring WISPr Radius Attributes Snmp-server location location Displaying the Radius Configuration Attribute ID Description Radius Attributes Sent by the Access Point VLAN-ID VSA attribute NAS-Location Disc-Cause-Ext Acct-Terminate-Cause Configuring VLANs Understanding VLANs Related Documents LAN and Vlan Segmentation with Wireless Devices Incorporating Wireless Devices into VLANs Configuring VLANs Interface dot11radio 0.x Configuring a Vlan Encapsulation dot1q vlan-id Creating a Vlan Name Using a Radius Server to Assign Users to VLANsGuidelines for Using Vlan Names Assigning Names to VLANs Viewing VLANs Configured on the Access Point Ssid Vlan ID Vlan Configuration Example Vlan 1 Interfaces Vlan 2 Interfaces Vlan 3 Interfaces Configuring Vlan Configuring VLANs Vlan Configuration Example OL-6415-04 Understanding QoS for Wireless LANs, Configuring QoS, Configuring QoS Impact of QoS on a Wireless LAN Understanding QoS for Wireless LANsQoS for Wireless LANs Versus QoS on Wired LANs Upstream and Downstream Traffic Flow Precedence of QoS Settings Using Wi-Fi Multimedia Mode Fixed Slot Time Configuring QoSConfiguration Guidelines Adjusting Radio Access Categories Disabling Igmp Snooping Helper Sample Configuration Using the CLI Japan Channel SettingsIeee 802.11b 2.4-GHz Band Center Frequency Americas Americas -A Emea -E Japan -J Frequency Ieee 802.11g 2.4-GHz BandIeee 802.11a 5-GHz Band Center Regulatory Domains Frequency North America OL-6415-04 Protocol Filters Protocol EGP PUP Chaos IcmpIgmp TCP ISO Designator IMAP2 TsapPOP2 POP3 CVS RIPRPC Uucp IEEE802dot11-MIB Supported MIBsMIB List RFC1213-MIB RFC1398-MIB SNMPv2-MIB SNMPv2-SMI SNMPv2-TC Using FTP to Access the MIB Files Level Description Error and Event MessagesHow to Read System Messages This appendix lists the CLI error and event messages Association Management Messages Explanation a station associated to an access pointExplanation a station disassociated from an access point Message Traceback Reports Subsystem Messages Recommended Action None Explanation The device has begun its DFS scanning process Recommended Action None Error Message DOT11-4-RMINCAPABLE Interface interface Recommended Action Reload the system Error Message DOT11-4-CANTASSOC Cannot associate characters Recommended Action None Recommended Action Local Authenticator Messages Operating in the 2.4-GHz band Network with wireless stationsWireless network composed of stations without Access Points Access Point GL-2 Hoc mode Corresponding IP addresses LAN 802.11 specificationsWired Ethernet network An antenna that radiates its signal in a spherical pattern Transmission at 2 Mbps Transmission at 6, 9, 12, 18, 24, 36, 48, and 54 Mbps That of a cable While maintaining an unbroken connection to the LAN 802.1X for authenticated key management Wireless MultiMediaComputing device with an installed client adapter AES-CCMP EAP IN-2 EAP-FAST 1 Leap FTP Qbss Names, Vlan Network-EAPOfdm Radius RFC Guest mode Multiple SSIDs Support Using spacesLocal authentication Names Ssid 4 Vlan command 4 Regulatory Domains WPA migration mode Wpa-psk command World-mode command IN-7 IN-8 IN-9 IN-10 IN-11 IN-12 IN-13 IN-14