- Preface
- 1 - Overview of Access Point Features
- 2 - Using the Web-Browser Interface
- 3 - Using the Command-Line Interface
- 4 - Configuring the Access Point for the First Time
- 5 - Administrating the Access Point
- 6 - Configuring Radio Settings
- 7 - Configuring Multiple SSIDs
- 8 - Configuring Spanning Tree Protocol
- 9 - Configuring an Access Point as a Local Authenticator
- 10 - Configuring WLAN Authentication and Encryption
- 11 - Configuring Authentication Types
- 12 - Configuring Other Services
- 13 - Configuring RADIUS and TACACS+ Servers
- 14 - Configuring VLANs
- 15 - Configuring QoS
- 16 - Configuring Filters
- 17 - Configuring CDP
- 18 - Configuring SNMP
- 19 - Configuring Repeater and Standby Access Points and Workgroup Bridge Mode
- 20 - Managing Firmware and Configurations
- 21 - Configuring L2TPv3 Over UDP/IP
- 22 - Configuring Ethernet over GRE
- 23 - Configuring System Message Logging
- 24 - Troubleshooting
- 25 - Miscellaneous AP-Specific Configurations
- Appendix A - Protocol Filters
- Appendix B - Supported MIBs
- Appendix C - Error and Event Messages
Configuring WLAN Authentication and Encryption
This chapter describes how to configure authentication and encryption schemes to protect your WLANs.
Encryption can be achieved using shared keys or individual client keys. Individual client keys are more robust, but need to be managed. Key management can be achieved using cipher suites with Wi-Fi Protected Access (WPA) version 1 or version 2 and Cisco Centralized Key Management (CCKM) authenticated key management.
Encryption robustness can be achieved using Wired Equivalent Privacy (WEP), WEP features including AES, Temporal Key Integrity Protocol (TKIP), Message Integrity Check (MIC), and broadcast key rotation. Authentication can be achieved using shared keys (with WEP), pre-shared keys (with WPA v1 or WPAv2) or individual client authentication with 802.1x/EAP.
Understanding Authentication and Encryption Mechanisms
Just as anyone within range of a radio station can tune to the station's frequency and listen to the signal, any wireless networking device within range of an access point can receive the access point's, and any wireless client's, radio transmissions. Also, the access point typically connects to the wired infrastructure. As the access point's radio signal can expand beyond the walls of the facility where the access point is deployed, external users may be provided access to the wired infrastructure through the access point. Therefore WLAN security relies on two major pillars:
- Authenticating the users, to make sure that only valid users are allowed to communicate through the access point.
- Encrypting wireless communications, to make sure that eavesdroppers cannot deciphers signals captured from the access point and clients communications.
On Cisco Aironet access points, SSIDs are mapped directly to the access point radio, or to VLANs configured on the AP radio interface. Encryption is configured at the radio level (if no VLAN is defined on the radio interface), or at the VLAN level (as soon as one or more VLANs are defined on the radio interface). This means that if you enable several SSIDs on a given radio interface or a given VLAN, all these SSIDs must share a common encryption scheme.
Authentication is configured at the SSID level. Each SSID can have a different authentication mechanism. However, as the SSID is mapped to a VLAN (or a radio interface), you need to make sure that the authentication mechanism defined at the SSID level is compatible with the encryption mechanism defined at the VLAN (or the radio) level for that SSID.
Encryption, defined at the radio (or the VLAN) level, can use one of the following schemes:
- No encryption
- Optional Static WEP (with a 40 bit or a 128 bit long key) encryption, both clients supporting WEP and those not supporting encryption are allowed to join the SSID
- Mandatory Static WEP (with a 40 bit or a 128 bit long key) encryption, clients must support static WEP encryption to be allowed to join the SSID
- Cipher 40 bit or 128 bit WEP encryption with key management, allowing for unicast WEP key rotation (if your authentication mechanism is compatible with individual client key determination) and/or broadcast key rotation (if your authentication mechanism is compatible with individual client key determination)
- Cipher TKIP, CKIP, CMIC,CKIP-CMIC, or AES (if your authentication mechanism is compatible with individual client key determination)
- A combination of two or three ciphers.
This type of combination is used when you want to elevate the security level of your SSID, but still support clients that only support a weaker encryption scheme. In that case, clients will use the strongest encryption mechanism allowed by the SSID. Broadcast keys will use the encryption mechanism supported by all clients.
Among all supported encryption schemes, AES-CCMP is the strongest, followed by TKIP. WEP is considered a weak encryption mechanism and is deprecated by the IEEE 802.11 standard.
For example, suppose you define an AES+TKIP+WEP encryption. Clients supporting AES will use AES for their unicast key encryption. Clients not supporting AES but supporting TKIP will be allowed to join the cell, and will use TKIP for their unicast key encryption. Clients only supporting WEP will also be allowed to join the cell, and will use WEP for their unicast key encryption. When the cell contains AES, TKIP and WEP clients, the broadcast key will use WEP encryption (because WEP is the only common encryption scheme supported by all clients). When the cell contains AES and TKIP clients, but no WEP client, the broadcast key will use TKIP (the broadcast key encryption will change to WEP if a WEP client joins the cell). When the cell contains only AES clients, the broadcast key uses AES (and will change to TKIP if TKIP clients join the cell, and to WEP if WEP clients join the cell).
Note
Encryption mechanism support is incremental. A client supporting WEP may or may not support TKIP or AES. However, a client supporting TKIP necessarily supports WEP. Similarly, an AES client necessarily supports TKIP and WEP.
You can find more details about each encryption mechanism in the Understanding Encryption Modes section of this chapter.
Encryption is configured at the radio or the VLAN level. Authentication is configured at the SSID level. Authentication can use one or a combination of the following mechanisms:
- Open—No authentication is required to associate to the Access Point.
- Shared key—For using static WEP authentication.
- Network EAP—For using LEAP
Note Both Open and Shared key modes can be combined with other modes, such as EAP/802.1x, where authentication occurs after association to the access point, or with MAC authentication, where authentication occurs during the final phase of the association to the access point.
You can find more details about each authentication mechanism in the "Understanding Authentication Mechanisms" section of this chapter.
Combination of different authentication and encryption mechanisms result in different security schemes for your SSID. The following table summarizes the supported combinations:
|
|
|
|
|---|---|---|
The AP announces the SSID as Open/Open, without broadcasting explicit support for WEP. However, the AP also accepts client association when client configuration is set to WEP encryption and/or WEP authentication. You must define a WEP key if you want to use this mode with clients using WEP. |
||
The AP announces the SSID as supporting WEP. The AP accepts client association when client configuration is set to Open/None, WEP encryption and/or WEP authentication. After the association phase, WEP support is mandatory in order to forward traffic through the access point. You must define a WEP key if you want to use this mode with clients using WEP. |
||
Client MAC authentication is added to the final phase of the client association to the AP (see the MAC Address Authentication to the Network section for more details) |
||
Any cipher (WEP 40, WEP 128, TKIP, CKIP, CMIC, CKIP-CMIC, TKIP + WEP 40, TKIP+WEP 128, AES-CCMP, AES-CCMP+TKIP, AES-CCMP + TKIP + WEP 40, AES-CCMP + TKIP + WEP 128) |
Client association to the AP is followed with 802.1x/EAP authentication (supported EAP modes are LEAP,EAP-FAST, PEAP/GTC, MSPEAP, EAP-TLS, and EAP-FAST). During this process individual client keys are generated. When several ciphers are allowed, the key will be generated using the strongest cipher supported by the client. A broadcast key will be forwarded to all clients, using a cipher supported by all clients. |
|
Any cipher (WEP 40, WEP 128, TKIP, CKIP, CMIC, CKIP-CMIC, TKIP + WEP 40, TKIP+WEP 128, AES-CCMP, AES-CCMP+TKIP, AES-CCMP + TKIP + WEP 40, AES-CCMP + TKIP + WEP 128) |
Client MAC authentication is added to the final phase of the client association to the AP. Client association to the AP is followed with 802.1x/EAP authentication. During this process individual client keys are generated. When several ciphers are allowed, the key will be generated using the strongest cipher supported by the client. A broadcast key will be forwarded to all clients, using a cipher supported by all clients. |
|
Any cipher (WEP 40, WEP 128, TKIP, CKIP, CMIC, CKIP-CMIC, TKIP + WEP 40, TKIP+WEP 128, AES-CCMP, AES-CCMP+TKIP, AES-CCMP + TKIP + WEP 40, AES-CCMP + TKIP + WEP 128) |
Clients configured for EAP will use individual authentication and encryption with individual keys. Clients with no security configuration can also associate to the AP. This mode is designed as a transition mechanism to stronger security. Broadcast key uses the common security mechanism supported by all clients. When both EAP and Open clients are associated, the broadcast key is not encrypted. |
|
The AP announces the SSID as supporting WEP. The AP only accepts clients configured with WEP authentication. WEP encryption after association is supported, but optional. |
||
The AP announces the SSID as supporting WEP. The AP only accepts clients configured with WEP authentication. WEP encryption after association is mandatory. |
||
WEP authentication is followed, during the final phase of the association phase, with MAC authentication. |
||
WEP authentication is followed with open association to the AP. Association is followed with individual client EAP authentication and individual key generation. |
||
WEP authentication is followed, during the final phase of the association phase, with MAC authentication. Association is followed with individual client EAP authentication and individual key generation. |
||
Any cipher (WEP 40, WEP 128, TKIP, CKIP, CMIC, CKIP-CMIC, TKIP + WEP 40, TKIP+WEP 128, AES-CCMP, AES-CCMP+TKIP, AES-CCMP + TKIP + WEP 40, AES-CCMP + TKIP + WEP 128) |
Client association to the AP is followed with Cisco LEAP authentication. During this process individual client keys are generated. When several ciphers are allowed, the key will be generated using the strongest cipher supported by the client. A broadcast key will be forwarded to all clients, using a cipher supported by all clients. |
|
Any cipher (WEP 40, WEP 128, TKIP, CKIP, CMIC, CKIP-CMIC, TKIP + WEP 40, TKIP+WEP 128, AES-CCMP, AES-CCMP+TKIP, AES-CCMP + TKIP + WEP 40, AES-CCMP + TKIP + WEP 128) |
Client MAC authentication is added to the final phase of the client association to the AP. Client association to the AP is followed with 802.1x/EAP authentication using LEAP. During this process individual client keys are generated. When several ciphers are allowed, the key will be generated using the strongest cipher supported by the client. A broadcast key will be forwarded to all clients, using a cipher supported by all clients. |
|
Web authentication can be used independently (with no other SSID authentication or encryption), or in combination with any other authentication and encryption scheme. |
You can enable Network EAP authentication in combination with Open (with EAP or not, and any combination of MAC, namely Network EAP with or without MAC, with Open with or without EAP, with or without MAC, or with or without EAP and MAC). Network EAP uses LEAP, but requires support for LEAP formatting in the AP announcements. Clients that do not support this specific announcement formatting can use the Open mode (with LEAP or another EAP mechanism). The client will always try to use the most secure authentication mechanism supported through the access point, and the strongest encryption mechanism. However, client access points (in bridge or workgroup bridge mode) will use Network EAP by default, unless you configure the client side specifically to use a stronger authentication mechanism.
When configuring the SSID, using a cipher allows you to manage each client individual key. When configuring the SSID, you can define how this key should be managed. If you configure the interface to use a Cipher, you must also enable key management when configuring the SSID. Key management can be set to none (when using no security or shared key security), mandatory (when using a cipher), or Optional (when using Open with optional EAP or Shared key with optional EAP authentications). Please refer to the Key management sections of this chapter for more details on the different key management modes.
Understanding Encryption Modes
As encryption is defined at the interface (VLAN or radio) level of the access point, and can be common to several SSIDs, encryption is usually configured before the SSID and its authentication mechanism.
Just as anyone within range of a radio station can tune to the station's frequency and listen to the signal, any wireless networking device within range of an access point can receive the access point's radio transmissions. Because encrypted communication is the first line of defense against attackers, Cisco recommends that you use full encryption on your wireless network.
The original encryption mechanism described by the 802.11 standard is WEP (Wired Equivalent Privacy). WEP encryption scrambles the communication between the access point and client devices to keep the communication private. The 802.11 standard describes what Cisco and some other vendors describe as static WEP. In this mode, WEP keys are defined statically on the client and the AP. Both the access point and client devices use the same WEP key to encrypt and unencrypt radio signals. WEP keys encrypt both unicast and multicast messages. Unicast messages are addressed to just one device on the network. Multicast messages are addressed to multiple devices on the network.
WEP is a legacy protocol deprecated by the 802.11 standard. Cisco recommends using a stronger protocol, such as AES/CCMP, whenever possible.
When your SSID authentication mechanism uses Extensible Authentication Protocol (EAP) with 802.1x authentication (and without WPA v1 or WPA v2 support), dynamic WEP keys can be generated for each wireless user. Dynamic WEP keys are more secure than static, or unchanging, WEP keys. If an intruder passively receives enough packets encrypted by the same WEP key, the intruder can perform a calculation to learn the key and use it to join your network. Because they change frequently, dynamic WEP keys prevent intruders from performing the calculation and learning the key. See “Configuring Authentication Types,” for detailed information on EAP and other authentication types.
Cipher suites are sets of encryption and integrity algorithms designed to protect radio communication on your wireless LAN. You must use a cipher suite when using WPA, WPA2 or CCKM. When using WEP encryption, you have the choice to set WEP using the WEP encryption command, or the cipher command. When using the WEP encryption command, you can use a static WEP key for authentication and / or encryption. However, you cannot use per user secure authentication (using 802.1x) in this mode. Because cipher suites can provide WEP encryption while also allowing use of individual user authentication and key management, Cisco recommends that you enable WEP by using the encryption mode cipher command in the CLI or by using the cipher drop-down list in the web-browser interface, instead of the WEP encryption command. However, WEP is a protocol deprecated by the IEEE, and Cisco recommends using WEP only when client drivers do not support any stronger security mechanism. The recommended security is AES-CCMP.
These security features protect the data traffic on your wireless LAN:
- AES-CCMP—Based on the Advanced Encryption Standard (AES) defined in the National Institute of Standards and Technology’s FIPS Publication 197, AES-CCMP is a symmetric block cipher that can encrypt and decrypt data using keys of 128, 192, and 256 bits. AES-CCMP is superior to WEP encryption and is defined in the IEEE 802.11i standard.
Note The 802.11n amendment relies on implementation of either No encryption or AES-CCMP encryption. Therefore, 802.11n radios require that either no encryption or AES-CCMP be configured to provide 802.11n rates support.
- WEP (Wired Equivalent Privacy)—WEP is an 802.11 standard encryption algorithm originally designed to provide your wireless LAN with the same level of privacy available on a wired LAN. However, the basic WEP construction is flawed, and an attacker can compromise the privacy with reasonable effort.
- TKIP (Temporal Key Integrity Protocol)—TKIP is a suite of algorithms surrounding WEP that is designed to achieve the best possible security on legacy hardware built to run WEP. TKIP adds four enhancements to WEP:
– A per-packet key mixing function to defeat weak-key attacks
– A new IV sequencing discipline to detect replay attacks
– A cryptographic message integrity check (MIC), called Michael, to detect forgeries such as bit flipping and altering packet source and destination
– An extension of IV space, to virtually eliminate the need for re-keying
- CKIP (Cisco Key Integrity Protocol)—Cisco's WEP key permutation technique based on an early algorithm presented by the IEEE 802.11i security task group. WPA TKIP replaced most CKIP implementations.
- CMIC (Cisco Message Integrity Check)—Like TKIP's Michael, Cisco's message integrity check mechanism is designed to detect forgery attacks. Cisco CKIP is required to use CMIC.
- Broadcast key rotation (also known as Group Key Update)—Broadcast key rotation allows the access point to generate the best possible random group key and update all key-management capable clients periodically. Wi-Fi Protected Access (WPA) also provides additional options for group key updates. See the “Using WPA Key Management” for details on WPA.
Note Client devices using static WEP cannot use the access point when you enable broadcast key rotation. Broadcast key rotation is supported only when using key management (such as dynamic WEP (802.1x), WPA with EAP, or pre-shared key).
Note Encryption is configured at the interface or the VLAN level, and authentication is configured for each SSDI to be supported on the relevant VLAN or interface. Therefore, encryption and authentication combine. See “Configuring Authentication Types,”for details on how encryption and authentication combinations.
Configuring Encryption Modes
Encryption is configured at the VLAN or radio interface level. Ensure that the encryption mechanism you enable is compatible with the authentication mechanism you plan on using for the SSID, that is mapped to the relevant VLAN or radio interface. For more details on encryption and authentication schemes compatibility, see the Understanding Authentication and Encryption Mechanisms section.
Note WEP, TKIP, MIC and broadcast key rotation are disabled by default.
Creating Static WEP Keys
Note You need to configure static WEP keys only if your access point needs to support client devices that use static WEP. If all the client devices that associate to the access point use key management (WPA, CCKM, or 802.1x authentication) you do not need to configure static WEP keys.
Beginning in privileged EXEC mode, follow these steps to create a WEP key and set the key properties:
|
|
|
|
|---|---|---|
Enter interface configuration mode for the radio interface. |
||
encryption |
Create a WEP key and set up its properties.
Note If you configure static WEP with MIC (key hash), the access point and associated client devices must use the same WEP key as the transmit key, and the key must be in the same key slot on the access point and the clients. Note Configuration of static WEP with CMIC is not supported. Note Using security features such as authenticated key management can limit WEP key configurations. See the “WEP Key Restrictions” section for a list of features that impact WEP keys. |
|
This example shows how to create a 128-bit WEP key in slot 3 for VLAN 22 and sets the key as the transmit key:
WEP Key Restrictions
Table 10-1 lists WEP key restrictions based on your security configuration.
Example WEP Key Setup
Table 10-2 shows an example WEP key setup that would work for the access point and an associated device.
|
|
|
|
||
|---|---|---|---|---|
|
|
|
|
|
|
Because the access point’s WEP key 1 is selected as the transmit key, WEP key 1 on the other device must have the same contents. WEP key 4 on the other device is set, but because it is not selected as the transmit key, WEP key 4 on the access point does not need to be set at all.
Note If you enable MIC but you use static WEP (you do not enable any type of EAP authentication), both the access point and any devices with which it communicates must use the same WEP key for transmitting data. For example, if the MIC-enabled access point uses the key in slot 1 as the transmit key, a client device associated to the access point must use the same key in its slot 1, and the key in the client’s slot 1 must be selected as the transmit key.
Enabling Cipher Suites
Beginning in privileged EXEC mode, follow these steps to enable a cipher suite:
|
|
|
|
|---|---|---|
Enter interface configuration mode for the radio interface. The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1. |
||
encryption [vlan vlan-id] mode ciphers {aes-ccm | ckip | ckip-cmic | cmic | tkip | wep128 | wep40} |
Enable a cipher suite containing the protection you need. Table 10-3 lists guidelines for selecting a cipher suite that matches the type of authenticated key management you configure.
Note If you enable a cipher suite with 2 or 3 elements, each client will use the highest encryption mechanism enabled on the interface and supported by the client. The broadcast key will use the element supported by all clients. See the Understanding Authentication and Encryption Mechanisms section for more details. Note If you configure ckip you must also enable Aironet extensions. The command to enable Aironet extensions is dot11 extension aironet. Note You can also use the encryption mode wep command to set up static WEP. However, you should use encryption mode wep only if no clients that associate to the access point are capable of key management. See the Cisco IOS Command Reference for Cisco Access Points and Bridges for a detailed description of the encryption mode wep command. Note When you configure the cipher TKIP (not TKIP + WEP 128 or TKIP + WEP 40) for an SSID, the SSID must use WPA or CCKM key management. Client authentication fails on an SSID that uses the cipher TKIP without enabling WPA or CCKM key management. Note You must configure WPA key management as optional in order to configure cipher modes TKIP + WEP 128 or TKIP + WEP 40. |
|
Use the no form of the encryption command to disable a cipher suite.
Matching Cipher Suites with WPA or CCKM
If you configure your access point to use WPA or CCKM authenticated key management, you must select a cipher suite compatible with the authenticated key management type. Table 10-3 lists the cipher suites that are compatible with WPA and CCKM.
Note If using WPA and CCKM as key management, only tkip and aes ciphers are supported. If using only CCKM as key management, ckip, cmic, ckip-cmic, tkip, wep, and aes ciphers are supported.
Note When you configure the cipher TKIP (not TKIP + WEP 128 or TKIP + WEP 40) for an SSID, the SSID must use WPA or CCKM key management. Client authentication fails on an SSID that uses the cipher TKIP without enabling WPA or CCKM key management.
For a complete description of WPA and instructions for configuring authenticated key management, see the “Using WPA Key Management”.
Note Wi-Fi certified access points no longer support WPA/TKIP configuration. TKIP is only allowed in combination with WPA2/AES for backward compatibility to allow older TKIP-only devices to associate. WPA version 1 option has been removed from the authentication key-management wpa cli and configuring TKIP only under this interface is not supported.
Enabling and Disabling Broadcast Key Rotation
Broadcast key rotation is disabled by default.
Note Client devices using static WEP cannot use the access point when you enable broadcast key rotation. Broadcast key rotation is supported only when using key management (such as dynamic WEP (802.1x), WPA with EAP, or pre-shared key).
Beginning in privileged EXEC mode, follow these steps to enable broadcast key rotation:
|
|
|
|
|---|---|---|
Enter interface configuration mode for the radio interface. |
||
broadcast-key |
Enable broadcast key rotation.
– – See “Configuring Authentication Types,” for detailed instructions on enabling authenticated key management. |
|
Use the no form of the encryption command to disable broadcast key rotation.
This example enables broadcast key rotation on VLAN 22 and sets the rotation interval to 300 seconds:
Feedback