Configuring and Validating Key Controller (Wireless Security)
To support wireless security in line with standard WPA protocols, a key rotation strategy has been implemented on the IW9167E.
The key controller protocol can be described as a packet exchange between two devices, in which different stages of the process correspond to different states of each device. The algorithm flow is controlled by a set of timers scheduled periodically to generate a new PTK/GTK (Pairwise Transient Key/Group Transient Key) for packet encryption. The more often keys are updated, the less information is leaked in case of an attack.
Configuring Key Controller from CLI
To configure a key controller, use the following CLI commands.
- To enable AES (Advanced Encryption Standard) on the radio, use the following CLI command.
  Device# configure dot11Radio <interface> crypto aes enable
- To enable the key controller, use the following CLI command.
  Device# configure dot11Radio <interface> crypto key-control enable
- To enable key rotation, use the following CLI command.
  Device# configure dot11Radio <interface> crypto key-control key-rotation enable
- To set the key rotation timer, use the following CLI command.
  Device# configure dot11Radio <interface> crypto key-control key-rotation 3600
Note: AES is disabled by default. The configuration should be the same on all devices.
Validating Key Controller from CLI
To validate a key controller, use the following show commands.
Device# show dot11Radio X crypto
AES encryption: enabled
AES key-control: enabled
Key rotation: enabled
Key rotation timeout: 3600(second)
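An added example, not part of the original documentation: a Python check that parses the show output above as collected from several devices and flags any device where AES, key control or key rotation is not enabled, or where the rotation timeout differs between devices. The device names and sample outputs are constructed, and the "disabled" value is an assumption about how a disabled setting is printed.

```python
import re

# Labels as printed by `show dot11Radio X crypto` on this page.
FIELDS = {"AES encryption": "aes", "AES key-control": "key_control",
          "Key rotation": "key_rotation", "Key rotation timeout": "timeout"}

def parse_crypto_status(output):
    """Parse one device's show output; lines with unknown labels are ignored."""
    status = {}
    for line in output.splitlines():
        label, sep, value = line.partition(":")
        key = FIELDS.get(label.strip())
        if not sep or key is None:
            continue
        value = value.strip()
        if key == "timeout":
            m = re.match(r"\d+", value)          # "3600(second)" -> 3600
            status[key] = int(m.group()) if m else None
        else:
            status[key] = value.lower() == "enabled"
    return status

def audit(outputs):
    """Return sorted findings for a {device_name: show_output} mapping."""
    parsed = {name: parse_crypto_status(text) for name, text in outputs.items()}
    findings = []
    for name, st in parsed.items():
        for key in ("aes", "key_control", "key_rotation"):
            if st.get(key) is not True:          # missing field counts as a finding
                findings.append(f"{name}: {key} is not enabled")
    # Per the note on this page, the configuration should match on all devices.
    timeouts = {name: st.get("timeout") for name, st in parsed.items()}
    if len(set(timeouts.values())) > 1:
        findings.append(f"timeout mismatch: {sorted(timeouts.items())}")
    return sorted(findings)

# Constructed sample outputs (hypothetical device names ap-1..ap-3).
_OK = ("AES encryption: enabled\nAES key-control: enabled\n"
       "Key rotation: enabled\nKey rotation timeout: 3600(second)\n")
SAMPLE = {
    "ap-1": "Device# show dot11Radio X crypto\n" + _OK,
    "ap-2": _OK.replace("3600", "7200"),
    "ap-3": _OK.replace("AES encryption: enabled", "AES encryption: disabled"),
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```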