Online Help for Cisco IOS Release 12.3(08)JA
Home
Express Set-up
Express Security
Network Map
Association
Network Interfaces
Security
Admin Access
Encryption Manager
SSID Manager
Encryption Manager
Server Manager
AP Authentication
Intrusion Detection
Local RADIUS Server
Advanced Security
Services
Wireless Services
System Software
Event Log

 

  
Security: Encryption Manager
 

You use Wired Equivalent Privacy (WEP) to encrypt radio signals sent by the device and decrypt radio signals received by the device. This page enables you to select authentication types for the access point.

Encryption Modes

Indicate whether clients should use data encryption when communicating with the device. The three options are:

  • None - The device communicates only with client devices that are not using WEP.

  • WEP Encryption - Choose Optional or Mandatory. If optional, client devices can communicate with this access point or bridge with or without WEP. If mandatory, client devices must use WEP when communicating with the access point. Devices not using WEP are not allowed to communicate. WEP (Wired Equivalent Privacy) is an 802.11 standard encryption algorithm originally designed to provide with a level of privacy experienced on a wired LAN. The standard defines WEP base keys of size 40 bits or 104 bits.

    • Cisco Compliant TKIP Features - Temporal Key Integrity Protocol (TKIP) is a suite of algorithms surrounding WEP, designed to achieve the best possible security on legacy hardware build to run WEP. TKIP adds four new enhancements to WEP:

      1. A per-packet key mixing function, to defeat weak key attacks.

      2. A new IV sequencing discipline to detect replay attacks.

      3. A cryptographic message integrity check (MIC) to detect forgeries such as bit flipping and altering of packet source and destination.

      4. An extension of IV space, to virtually eliminate the need for a re-key.

    • Enable Message Integrity Check (MIC) - MIC prevents attacks on encrypted packets called bit-flip attacks. During a bit-flip attack, an intruder intercepts an encrypted message, alters it slightly, and retransmits it, and the receiver accepts the retransmitted message as legitimate. The MIC, implemented on both the access point and all associated client devices, adds a few bytes to each packet to make the packets tamper-proof. WEP Encryption must be set to Mandatory for MIC to be enabled.
    • Enable Per Packet Keying (PPK)- EAP authentication provides dynamic unicast WEP keys for client devices but uses static keys. With broadcast, or multicast, WEP key rotation enabled, the access point provides a dynamic broadcast WEP key and changes it at the interval you select in the Broadcast Key Change Frequency field. Broadcast key rotation is an excellent alternative to TKIP if your wireless LAN supports wireless client devices that are not Cisco devices or that cannot be upgraded to the latest firmware for Cisco client devices.
  • Cipher-Cipher suites are sets of encryption and integrity algorithms designed to protect radio communication on your wireless LAN. You must use a cipher suite to enable Wi-Fi Protected Access (WPA) or Cisco Centralized Key Management (CCKM). Because cipher suites provide the protection of communication while also allowing the use of authenticated key management, we recommend that you enable encryption using using the encryption mode cipher command. Use the drop-down menu to choose among TKIP, CKIP, CMIC, and WEP. TKIP is the most secured, and WEP is the least secured cipher suite.
      • CKIP- (Cisco Key Integrity Protocol, also known) - Cisco's WEP key permutation technique based on an early algorithm presented in the 802.11i security task group.
      • CMIC- (Cisco Message Integrity Check) - CMIC is Cisco's message integrity check mechanism designed to detect forgeries attracts.

Encryption Keys

Transmit Key

Click Transmit Key and select the WEP key this device will use. Only one key can be selected at a time. All set keys can be used to receive data.

Note: The key that you select as the transmit key must also be entered in the same key slot on client devices that associate with the access point or bridge, but it does not have to be selected as the transmit key on the client devices.

Encryption Key (Hexadecimal) 1-4

Enter a WEP key in one of the Encryption Key fields. For 40-bit encryption, enter 10 hexadecimal digits; for 128-bit encryption, enter 26 hexadecimal digits. Hexadecimal digits are a set of characters that includes numbers 0 through 9, lowercase letters a through f, and uppercase letters A through F. Your WEP keys can contain combinations of any of these characters. WEP keys are not case-sensitive.

You can enter up to four WEP keys. The key that you select as the transmit key must also be entered in the same key slot on client devices that associate with the access point or bridge, but it does not have to be selected as the transmit key on the client devices.

If you have four WEP keys configured and WEP key 2 is selected as the transmit key, WEP key 2 on the client device must contain the same contents. If WEP key 4 on the device client is set, but is not selected as the transmit key, WEP key 4 on the access point does not need to be set at all.

Key Size

Select 40-bit or 128-bit encryption for each key.

Global Properties

Broadcast Key Rotation Interval

Allows the access point to generate best possible random group key and update all the key-management capable stations periodically. Broadcast key rotation does not work for static WEP clients. This feature keeps the group key private to currently active members only. However, it may generate some overhead if clients in your network roam frequently.

WPA Group Key Update

Check the appropriate check box to determine how frequently the access point changes and distributes the group key to WPA-enabled client devices.

Enable Group Key Update on Membership Termination

The access point generates and distributes a new group key when any authenticated station disassociates from the access point. This feature keeps the group key private to only currently active members. However, it may generate some overhead if clients in your network roam frequently. You should not enable this feature if clients roam frequently among access points.

Enable Group Key Update on Member's Capability Change

The access point generates and distributes a dynamic group key when the last non-key management (static WEP) client disassociates, and it distributes the statically configured WEP key when the first non-key management (static WEP) client authenticates. In WPA migration mode, this feature significantly improves the security of the key management capable clients when there are no legacy clients associated to the access point.

 

 

 
   
Copyright (c) 2006 by Cisco Systems, Inc.