Cisco Router 860, 880 Series User Manual
Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA. © 2008 Cisco Systems, Inc. All rights reserved.

Cipher Suites and WEP

This document describes how to configure the cipher suites required to use Wi-Fi Protected Access (WPA) and Cisco Centralized Key Management (CCKM), Wired Equivalent Privacy (WEP), and WEP features including Advanced Encryption Standard (AES), Message Integrity Check (MIC), Temporal Key Integrity Protocol (TKIP), and broadcast key rotation.

This document contains the following sections:
– Understanding Cipher Suites and WEP
– Configuring Cipher Suites and WEP

Understanding Cipher Suites and WEP

This section describes how WEP and cipher suites protect traffic on your wireless LAN.

Just as anyone within range of a radio station can tune to the station frequency and listen to the signal, any wireless networking device within range of a wireless device, such as an access point, can receive the radio transmissions of that wireless device. WEP is the first line of defense against intruders, and we recommend that you use full encryption on your wireless network.

WEP encryption scrambles the data transmitted between wireless devices to keep the communication private. Wireless devices and their wireless client devices use the same WEP key to encrypt and decrypt data. WEP keys encrypt both unicast and multicast messages. (Unicast messages are addressed to one device on the network. Multicast messages are addressed to multiple devices on the network.)

Extensible Authentication Protocol (EAP) authentication, also known as 802.1x authentication, provides dynamic WEP keys to wireless users. Dynamic WEP keys are more secure than static, or unchanging, WEP keys. If an intruder passively receives enough packets encrypted by the same WEP key, the intruder can perform a calculation to learn the key and use it to join your network. Because they change frequently, dynamic WEP keys prevent intruders from performing the calculation and learning the key. See the Configuring Authentication Types document on Cisco.com for detailed information on EAP and other authentication types.

Cipher suites are sets of encryption and integrity algorithms designed to protect radio communication on your wireless LAN. You must use a cipher suite to enable Wi-Fi Protected Access (WPA) or Cisco Centralized Key Management (CCKM).
Cipher Suites and WEP (OL-15894-01)

Cipher suites that contain TKIP provide the best security for your wireless LAN; cipher suites that contain only WEP are the least secure. These security features protect the data traffic on your wireless LAN:

AES-CCMP—AES-CCMP is based on the Advanced Encryption Standard (AES) defined in the National Institute of Standards and Technology's FIPS Publication 197, a symmetric block cipher that can encrypt and decrypt data using keys of 128, 192, and 256 bits. AES Counter mode CBC-MAC Protocol (AES-CCMP) is superior to WEP encryption and is defined in the IEEE 802.11i standard.

WEP (Wired Equivalent Privacy)—WEP is an 802.11 standard encryption algorithm originally designed to provide your wireless LAN with the same level of privacy available on a wired LAN. However, the basic WEP construction is flawed, and an attacker can compromise the privacy with little effort.

TKIP (Temporal Key Integrity Protocol)—TKIP is a suite of algorithms surrounding WEP that is designed to achieve the best possible security on legacy hardware built to run WEP. TKIP adds four enhancements to WEP:
– A per-packet key-mixing function to defeat weak-key attacks
– A new IV sequencing discipline to detect replay attacks
– A cryptographic message integrity check (MIC), called Michael, to detect forgeries such as bit flipping and altering of packet source and destination
– An extension of IV space, to limit the need for rekeying

CKIP (Cisco Key Integrity Protocol)—Cisco's WEP key permutation technique, based on an early algorithm presented by the IEEE 802.11i security task group.

CMIC (Cisco Message Integrity Check)—Like TKIP's Michael, Cisco's Message Integrity Check mechanism is designed to detect forgery attacks.

Broadcast key rotation (also known as Group Key Update)—Broadcast key rotation allows the wireless device to generate the best possible random group key and update all key-management-capable clients periodically. Wi-Fi Protected Access (WPA) also provides additional options for group key updates.

Note: Client devices that are using static WEP cannot use the wireless device when you enable broadcast key rotation. When you enable broadcast key rotation, only wireless client devices that are using 802.1x authentication (such as LEAP, EAP-TLS, or PEAP) can use the wireless device.

Configuring Cipher Suites and WEP

These sections describe how to configure cipher suites, WEP, and additional WEP features such as MIC, TKIP, and broadcast key rotation:
– Creating WEP Keys
– Enabling Cipher Suites and WEP
– Enabling and Disabling Broadcast Key Rotation

Note: WEP, TKIP, MIC, and broadcast key rotation are disabled by default.
Creating WEP Keys

Note: You need to configure static WEP keys only if your wireless device needs to support client devices that use static WEP. If all the client devices that associate to the wireless device use key management (WPA, CCKM, or 802.1x authentication), you do not need to configure static WEP keys.

To create a WEP key and set the key properties, follow these steps beginning in privileged EXEC mode:

Step 1  configure terminal
        Enters global configuration mode.

Step 2  interface dot11radio radio-interface
        Enters interface configuration mode for the radio interface.

Step 3  encryption [vlan vlan-id] key 1-4 size {40 | 128} encryption-key [0 | 7] [transmit-key]
        Defines a Wired Equivalent Privacy (WEP) key used for data encryption on the wireless LAN or on a specific VLAN.
        – (Optional) vlan vlan-id: Select the VLAN for which you want to create a key. Up to 16 VLANs can be assigned.
        – key 1-4: Set the key slot where this WEP key resides. You can assign up to 4 WEP keys for each VLAN.
        – size {40 | 128}: Set the size of the key, either 40-bit or 128-bit. The 40-bit keys contain 10 hexadecimal digits; the 128-bit keys contain 26 hexadecimal digits.
        – (Optional) encryption-key: Specify a static encryption key. For example, 11aa33bb55 for a 40-bit key.
        – (Optional) 0 | 7: Specify whether the key is entered unencrypted (0) or encrypted (7).
        – (Optional) transmit-key: Set this key as the transmit key. The key in slot 1 is the transmit key by default.

        Note: Using features such as authenticated key management or broadcast key rotation can restrict WEP key configurations. See the "WEP Key Restrictions" section for a list of these restrictions.

Step 4  end
        Returns to privileged EXEC mode.

This example shows how to configure a 128-bit WEP key in slot 3 for VLAN 22 and set the key as the transmit key:

    ap1200# configure terminal
    ap1200(config)# interface dot11radio 0
    ap1200(config-if)# encryption vlan 22 key 3 size 128 12345678901234567890123456 transmit-key
    ap1200(config-if)# end
WEP Key Restrictions

Table 11-1 lists WEP key restrictions for various security configurations.

Table 11-1  WEP Key Restrictions

Security Configuration                               | WEP Key Restriction
CCKM or WPA authenticated key management             | Cannot configure a WEP key in key slot 1.
LEAP or EAP authentication                           | Cannot configure a WEP key in key slot 4.
Cipher suite with 40-bit WEP                         | Cannot configure a 128-bit key.
Cipher suite with 128-bit WEP                        | Cannot configure a 40-bit key.
Cipher suite with TKIP                               | Cannot configure any WEP keys.
Cipher suite with TKIP and 40-bit WEP or 128-bit WEP | Cannot configure a WEP key in key slots 1 and 4.
Static WEP with MIC or CMIC                          | The associated wireless devices must use the same WEP key as the transmit key, and the key must be in the same key slot on both the wireless device and the clients.
Broadcast key rotation                               | Keys in slots 2 and 3 are overwritten by rotating broadcast keys. Client devices using static WEP cannot use the wireless device when you enable broadcast key rotation. When you enable broadcast key rotation, only wireless client devices using 802.1x authentication (such as LEAP, EAP-TLS, or PEAP) can use the wireless device.

Example WEP Key Setup

Table 11-2 shows an example WEP key setup that would work for the wireless device and an associated wireless client device. Because wireless device WEP key 1 is selected as the transmit key, associated device WEP key 1 must have the same contents. Associated device WEP key 4 is set, but because it is not set as the transmit key, WEP key 4 does not need to be set at all on the wireless device.

Table 11-2  WEP Key Setup Example

Key Slot | Wireless Device Transmit? | Wireless Device Key Contents | Associated Device Transmit? | Associated Device Key Contents
1        | x                         | 12345678901234567890abcdef   | –                           | 12345678901234567890abcdef
2        | –                         | 09876543210987654321fedcba   | x                           | 09876543210987654321fedcba
3        | –                         | not set                      | –                           | not set
4        | –                         | not set                      | –                           | FEDCBA09876543211234567890
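As an added example (not part of the Cisco document), the following Python checks a set of encryption key lines against the Table 11-1 restrictions and applies the Table 11-2 rule that each side's transmit key must exist with the same contents in the same slot on the peer. The security configuration (key management type, cipher suite, whether broadcast key rotation is on) is passed as plain parameters; the function names are this example's own, and the sample lines reuse the page's values.

```python
import re

# From the encryption command: 40-bit keys are 10 hex digits, 128-bit keys are 26.
HEX_DIGITS = {40: 10, 128: 26}
KEY_RE = re.compile(r"^encryption(?: vlan (\d+))? key ([1-4]) size (40|128)"
                    r" ([0-9A-Fa-f]+)(?: [07])?( transmit-key)?$")

def parse_key_line(line):
    """Parse one 'encryption [vlan N] key S size {40|128} HEX [0|7] [transmit-key]' line."""
    m = KEY_RE.match(line.strip())
    if not m:
        raise ValueError("not an encryption key command: " + line)
    vlan, slot, size, hexkey, tx = m.groups()
    return {"vlan": int(vlan) if vlan else None, "slot": int(slot),
            "size": int(size), "key": hexkey.lower(), "transmit": tx is not None}

def check_restrictions(keys, key_mgmt=None, cipher=None, bkr=False):
    """Apply the Table 11-1 restrictions; returns a list of violation strings.
    key_mgmt: 'wpa', 'cckm', 'leap', 'eap' or None (static WEP); cipher: the suite
    from 'encryption mode ciphers' (e.g. 'wep40', 'tkip wep128'); bkr: rotation on."""
    out = []
    for k in keys:
        s = "slot %d" % k["slot"]
        if len(k["key"]) != HEX_DIGITS[k["size"]]:
            out.append("%s: a %d-bit key needs %d hex digits" % (s, k["size"], HEX_DIGITS[k["size"]]))
        if key_mgmt in ("wpa", "cckm") and k["slot"] == 1:
            out.append(s + ": CCKM/WPA key management cannot use key slot 1")
        if key_mgmt in ("leap", "eap") and k["slot"] == 4:
            out.append(s + ": LEAP/EAP authentication cannot use key slot 4")
        if cipher == "tkip":
            out.append(s + ": a TKIP cipher suite allows no static WEP keys")
        if cipher in ("tkip wep40", "tkip wep128") and k["slot"] in (1, 4):
            out.append(s + ": TKIP with WEP cannot use key slots 1 and 4")
        if (cipher, k["size"]) in (("wep40", 128), ("wep128", 40)):
            out.append(s + ": key size does not match the %s cipher suite" % cipher)
        if bkr and k["slot"] in (2, 3):
            out.append(s + ": overwritten by rotating broadcast keys")
    return out

def peers_can_communicate(ap_keys, client_keys):
    """Table 11-2 rule: each side's transmit key (slot 1 unless flagged) must be present,
    with identical contents, in the same slot on the other side; other keys need no match."""
    ap = {k["slot"]: k["key"] for k in ap_keys}
    cl = {k["slot"]: k["key"] for k in client_keys}
    for mine, theirs, sender in ((ap, cl, ap_keys), (cl, ap, client_keys)):
        slot = next((k["slot"] for k in sender if k["transmit"]), 1)
        if slot not in mine or mine[slot] != theirs.get(slot):
            return False
    return True

# Constructed samples: the page's configuration example and the Table 11-2 key setup.
EXAMPLE = parse_key_line("encryption vlan 22 key 3 size 128 12345678901234567890123456 transmit-key")
AP_KEYS = [parse_key_line("encryption key 1 size 128 12345678901234567890abcdef transmit-key"),
           parse_key_line("encryption key 2 size 128 09876543210987654321fedcba")]
CLIENT_KEYS = [parse_key_line("encryption key 1 size 128 12345678901234567890abcdef"),
               parse_key_line("encryption key 2 size 128 09876543210987654321fedcba transmit-key"),
               parse_key_line("encryption key 4 size 128 FEDCBA09876543211234567890")]
```

Running check_restrictions([EXAMPLE], key_mgmt="wpa", bkr=True) reports that slot 3 would be overwritten by rotating broadcast keys, and peers_can_communicate(AP_KEYS, CLIENT_KEYS) returns True for the Table 11-2 setup.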
Note: If you enable MIC but you use static WEP (you do not enable any type of EAP authentication), both the wireless device and any devices with which it communicates must use the same WEP key for transmitting data. For example, if a MIC-enabled wireless device configured as an access point uses the key in slot 1 as the transmit key, a client device associated to the access point must use the same key in its slot 1, and the associated client key slot 1 must be selected as the transmit key.

Enabling Cipher Suites and WEP

To enable a cipher suite, follow these steps beginning in privileged EXEC mode:

Step 1  configure terminal
        Enters global configuration mode.

Step 2  interface dot11radio radio-interface
        Enters interface configuration mode for the radio interface.

Step 3  encryption [vlan vlan-id] mode ciphers {[aes-ccm | ckip | cmic | ckip-cmic | tkip]} {[wep128 | wep40]}
        Enables a cipher suite containing the WEP protection you need. Table 11-3 lists guidelines for selecting a cipher suite that matches the type of authenticated key management you configure.
        – (Optional) vlan vlan-id: Select the VLAN for which you want to enable WEP and WEP features.
        – Set the cipher options and WEP level. You can combine TKIP with 128-bit or 40-bit WEP.

        Note: If you enable a cipher suite with two elements (such as TKIP and 128-bit WEP), the second cipher becomes the group cipher.

        Note: If you configure ckip, cmic, or ckip-cmic, you must also enable Aironet extensions. The command for enabling Aironet extensions is dot11 extension aironet.

        Note: You can also use the encryption mode wep command to set up static WEP. However, you should use encryption mode wep only if no clients that associate to the wireless device are capable of key management.

        Note: When you configure the cipher TKIP (not TKIP + WEP 128 or TKIP + WEP 40) for an SSID, the SSID must use WPA or CCKM key management. Client authentication fails on an SSID that uses the cipher TKIP without enabling WPA or CCKM key management.

Step 4  end
        Returns to privileged EXEC mode.

Use the no form of the encryption command to disable a cipher suite.
This example configures a cipher suite for VLAN 22 that enables CKIP (unsupported), CMIC (unsupported), and 128-bit WEP:

    ap1200# configure terminal
    ap1200(config)# interface dot11radio 0
    ap1200(config-if)# encryption vlan 22 mode ciphers ckip-cmic wep128
    ap1200(config-if)# exit

Matching Cipher Suites with WPA and CCKM

If you configure your wireless device to use WPA or CCKM authenticated key management, you must select a cipher suite compatible with the authenticated key management type. Table 11-3 lists the cipher suites that are compatible with WPA and CCKM.

Note: When you configure TKIP (not TKIP + WEP 128 or TKIP + WEP 40) for an SSID, the SSID must use WPA or CCKM key management. Client authentication fails on an SSID that uses the cipher TKIP without enabling WPA or CCKM key management.

Table 11-3  Cipher Suites Compatible with WPA and CCKM

Authenticated Key Management Type | Compatible Cipher Suites
WPA                               | encryption mode ciphers tkip
                                  | encryption mode ciphers tkip wep128
                                  | encryption mode ciphers tkip wep40
CCKM                              | encryption mode ciphers wep128
                                  | encryption mode ciphers wep40
                                  | encryption mode ciphers ckip
                                  | encryption mode ciphers cmic
                                  | encryption mode ciphers ckip-cmic
                                  | encryption mode ciphers tkip

Enabling and Disabling Broadcast Key Rotation

Broadcast key rotation is disabled by default.

Note: Client devices using static WEP cannot exchange data with a wireless device when you enable broadcast key rotation. When you enable broadcast key rotation, only wireless client devices using 802.1x authentication (such as LEAP, EAP-TLS, or PEAP) can use the wireless device.

To enable broadcast key rotation, follow these steps beginning in privileged EXEC mode:

Step 1  configure terminal
        Enters global configuration mode.

Step 2  interface dot11radio radio-interface
        Enters interface configuration mode for the radio interface.

Step 3  broadcast-key change seconds [vlan vlan-id] [membership-termination] [capability-change]
        Configures the time interval between rotations of the broadcast encryption key.
        – change seconds: Enter the number of seconds between rotations of the broadcast key.
        – (Optional) vlan vlan-id: Enter a VLAN for which you want to enable broadcast key rotation.
        – (Optional) If you enable WPA authenticated key management, you can enable additional circumstances under which the wireless device changes and distributes the WPA group key:
          – membership-termination: the wireless device generates and distributes a new group key when any authenticated client device disassociates from the wireless device. This feature protects the privacy of the group key for associated clients. However, it might generate some overhead if clients on your network roam frequently.
          – capability-change: the wireless device generates and distributes a dynamic group key when the last non-key-management (static WEP) client disassociates, and it distributes the statically configured WEP key when the first non-key-management (static WEP) client authenticates. In WPA migration mode, this feature significantly improves the security of key-management-capable clients when there are no static-WEP clients associated to the wireless device.

Step 4  end
        Returns to privileged EXEC mode.

Use the no form of the encryption command to disable broadcast key rotation.

This example enables broadcast key rotation on VLAN 22 and sets the rotation interval to 300 seconds:

    ap1200# configure terminal
    ap1200(config)# interface dot11radio 0
    ap1200(config-if)# broadcast-key vlan 22 change 300
    ap1200(config-if)# end
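For the Matching Cipher Suites with WPA and CCKM section above, here is an added Python example (not from the Cisco document) that parses an encryption mode ciphers line, works out which element is the pairwise cipher and which becomes the group cipher, and reports the page's rules a suite breaks: TKIP alone without WPA or CCKM, ckip/cmic without Aironet extensions, and suites not listed for the key management type in Table 11-3. The function names are this example's own; the aironet_extensions flag stands in for whether dot11 extension aironet is configured.

```python
import re

CIPHER_RE = re.compile(r"^encryption(?: vlan (\d+))? mode ciphers"
                       r"(?: (ckip-cmic|aes-ccm|ckip|cmic|tkip))?(?: (wep128|wep40))?$")

# Table 11-3: the cipher suites the page lists as compatible with each key management type.
COMPATIBLE = {
    "wpa": {"tkip", "tkip wep128", "tkip wep40"},
    "cckm": {"wep128", "wep40", "ckip", "cmic", "ckip-cmic", "tkip"},
}

def parse_cipher_line(line):
    """Parse 'encryption [vlan N] mode ciphers [aes-ccm|ckip|cmic|ckip-cmic|tkip] [wep128|wep40]'.
    With two elements the second one becomes the group (broadcast) cipher."""
    m = CIPHER_RE.match(line.strip())
    if not m or not (m.group(2) or m.group(3)):
        raise ValueError("not a cipher suite command: " + line)
    vlan, first, wep = m.groups()
    elements = [c for c in (first, wep) if c]
    return {"vlan": int(vlan) if vlan else None, "suite": " ".join(elements),
            "pairwise": elements[0], "group": elements[-1]}

def check_cipher_suite(suite, key_mgmt=None, aironet_extensions=False):
    """Return the page's rules that a parsed suite breaks for an SSID whose key
    management is 'wpa', 'cckm' or None (no authenticated key management)."""
    out = []
    if suite["suite"] == "tkip" and key_mgmt not in ("wpa", "cckm"):
        out.append("cipher TKIP alone requires WPA or CCKM key management; client authentication fails")
    if suite["pairwise"] in ("ckip", "cmic", "ckip-cmic") and not aironet_extensions:
        out.append("%s requires 'dot11 extension aironet'" % suite["pairwise"])
    if key_mgmt and suite["suite"] not in COMPATIBLE[key_mgmt]:
        out.append("suite '%s' is not listed as compatible with %s in Table 11-3"
                   % (suite["suite"], key_mgmt.upper()))
    return out

# Constructed samples: the page's VLAN 22 example and a TKIP-only suite.
PAGE_EXAMPLE = parse_cipher_line("encryption vlan 22 mode ciphers ckip-cmic wep128")
TKIP_ONLY = parse_cipher_line("encryption mode ciphers tkip")
```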
Authentication Types for Wireless Devices (OL-15914-01)

This note describes how to configure authentication types on the access point in the following sections:
– Understanding Authentication Types
– Configuring Authentication Types
– Matching Access Point and Client Device Authentication Types

Understanding Authentication Types

This section describes the authentication types that you can configure on the access point. The authentication types are tied to the SSIDs that you configure for the access point. If you want to serve different types of client devices with the same access point, you can configure multiple SSIDs. See "Configuring Multiple SSIDs" for complete instructions on configuring multiple SSIDs.

Before a wireless client device can communicate on your network through the access point, it must authenticate to the access point by using open or shared-key authentication. For maximum security, client devices should also authenticate to your network using MAC-address or EAP authentication. Both of these authentication types rely on an authentication server on your network.

Note: By default, the access point sends reauthentication requests to the authentication server with the service-type attribute set to authenticate-only. However, some Microsoft IAS servers do not support the authenticate-only service-type attribute. Changing the service-type attribute to login-only ensures that Microsoft IAS servers recognize reauthentication requests from the access point. Use the dot11 aaa authentication attributes service-type login-only global configuration command to set the service-type attribute in reauthentication requests to login-only.

The access point uses several authentication mechanisms or types and can use more than one at the same time. These sections explain each authentication type:
– Open Authentication to the Access Point
– Shared Key Authentication to the Access Point
– EAP Authentication to the Network
– MAC Address Authentication to the Network
– Combining MAC-Based, EAP, and Open Authentication
– Using CCKM for Authenticated Clients
– Using WPA Key Management

Open Authentication to the Access Point

Open authentication allows any device to authenticate and then attempt to communicate with the access point. Using open authentication, any wireless device can authenticate with the access point, but the device can communicate only if its WEP keys match the access point's. Devices not using WEP do not attempt to authenticate with an access point that is using WEP. Open authentication does not rely on a RADIUS server on your network.

Figure 1 shows the authentication sequence between a device trying to authenticate and an access point using open authentication. In this example, the device's WEP key does not match the access point's key, so it can authenticate but not pass data.

Figure 1  Sequence for Open Authentication

Access point or bridge with WEP key = 123; client device with WEP key = 321.
1. Authentication request
2. Authentication response
3. Association request
4. Association response
5. WEP data frame to wired network
6. Key mismatch, frame discarded

Shared Key Authentication to the Access Point

Cisco provides shared key authentication to comply with the IEEE 802.11b standard. However, because of shared key's security flaws, Cisco recommends that you avoid using it. During shared key authentication, the access point sends an unencrypted challenge text string to any device attempting to communicate with the access point. The device requesting authentication encrypts the challenge text and sends it back to the access point. If the challenge text is encrypted correctly, the access point allows the requesting device to authenticate.
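To make the outcome of Figure 1 concrete, here is an added Python example (not from the Cisco document) that builds a WEP data frame the way a client does and runs the access point's integrity check on it: with the matching key the payload is accepted, with a mismatched key the check fails and the frame is discarded, as in step 6. RC4 and the frame layout follow the 802.11 WEP definition; the keys, IV and payload are constructed sample values, and the function names are this example's own.

```python
import zlib

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4, the stream cipher WEP is built on; the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # keystream generation, XORed into the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(wep_key: bytes, iv: bytes, key_id: int, payload: bytes) -> bytes:
    """Client side: frame body = IV (3 bytes) || key ID byte || RC4(IV || key)(payload || ICV).
    The ICV is a little-endian CRC-32 of the payload, not a cryptographic MIC."""
    icv = zlib.crc32(payload).to_bytes(4, "little")
    return iv + bytes([key_id << 6]) + rc4(iv + wep_key, payload + icv)

def wep_receive(keys: dict, frame: bytes):
    """Access point side: decrypt with the key the frame's key ID names and verify the ICV.
    Returns the payload, or None when the frame is discarded (step 6 of Figure 1)."""
    iv, key_id = frame[:3], frame[3] >> 6      # key ID sits in the top two bits of byte 3
    if key_id not in keys:
        return None
    plain = rc4(iv + keys[key_id], frame[4:])
    payload, icv = plain[:-4], plain[-4:]
    if zlib.crc32(payload).to_bytes(4, "little") != icv:
        return None                            # wrong key: decryption yields garbage, ICV fails
    return payload

# Constructed sample values: 40-bit keys (10 hex digits) and a fixed IV.
# The access point holds its key in slot 1, which is key ID 0 on the air.
AP_WEP_KEYS = {0: bytes.fromhex("11aa33bb55")}
MATCHING_CLIENT_KEY = bytes.fromhex("11aa33bb55")
MISMATCHED_CLIENT_KEY = bytes.fromhex("55bb33aa11")
IV = bytes.fromhex("0a0b0c")

def deliver(client_key: bytes, payload: bytes = b"frame for the wired network"):
    """Client encrypts with its key; the access point either accepts or discards the frame."""
    return wep_receive(AP_WEP_KEYS, wep_encrypt(client_key, IV, 0, payload))
```

deliver(MATCHING_CLIENT_KEY) returns the payload, while deliver(MISMATCHED_CLIENT_KEY) returns None even though the client was allowed to authenticate and associate.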