Access Point WEP Setup

© 2003, Cisco Systems, Inc. All rights re

From the Security Setup screen, click on Radio Data Encryption (WEP) to launch the WEP configuration screen.

To configure WEP, an encryption type must be chosen by checking the appropriate box.

■ Open (default): Allows any device, regardless of its WEP settings, to authenticate and then attempt to communicate with the access point.

■ Shared Key: The access point sends a plain text, shared-key query to any device attempting to communicate with the access point. This query can leave the device open to a known-text attack from intruders, however, and is therefore not as secure as the Open setting.

■ Network-EAP: The access point uses the Extensible Authentication Protocol (EAP) to interact with an EAP-compatible RADIUS server on your network to provide authentication for wireless client devices.
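The Shared Key weakness described above, as an added example that is not part of the original course material. It is a simplified model in which only the challenge text is encrypted. The key, IV and challenge are constructed sample values, and the function names are hypothetical.

```python
import zlib

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4 (key scheduling + output generation), the cipher WEP uses."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def with_icv(data: bytes) -> bytes:
    """Append the CRC-32 integrity check value WEP adds before encryption."""
    return data + zlib.crc32(data).to_bytes(4, "little")

def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP body: RC4 keyed with (IV || key), XORed over plaintext || ICV."""
    data = with_icv(plaintext)
    return xor(data, rc4_keystream(iv + wep_key, len(data)))

def exposed_keystream(challenge: bytes, encrypted_response: bytes) -> bytes:
    """Computable from the two handshake frames alone; the key is not needed."""
    return xor(with_icv(challenge), encrypted_response)

def demo():
    wep_key = bytes.fromhex("0123456789")  # constructed 40-bit key (10 hex digits)
    iv = bytes.fromhex("a1b2c3")           # constructed IV; WEP sends it in the clear
    challenge = bytes(range(128))          # constructed challenge, sent in plain text
    response = wep_encrypt(wep_key, iv, challenge)  # what the client sends back
    leaked = exposed_keystream(challenge, response)
    # The XOR of the two frames is exactly the RC4 keystream for this IV and key.
    return leaked == rc4_keystream(iv + wep_key, len(leaked)), len(leaked)
```

Open authentication never puts a plaintext/ciphertext pair for the same bytes on the air during the handshake, which is why the course ranks Shared Key below it.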

The standard 802.11 WEP can be used without using EAP or an authentication server, allowing for data encryption between the clients and the access point. Using 802.11 WEP does not encrypt all data on the network. Only the data sent between the client and the access point will be encrypted.

■ Transmit With Key: These buttons allow you to select the key this access point will use when transmitting data. Only one key can be selected at a time. All set keys can be used to receive data. The selected key must already be set before it can be specified as the Transmit key.

■ Encryption Key: These fields allow you to enter the WEP keys. Type ten hexadecimal digits (any combination of 0-9, a-f, or A-F) for 40-bit WEP keys. Type 26 hexadecimal digits (any combination of 0-9, a-f, or A-F) for 128-bit WEP keys. To protect WEP key security, existing WEP keys do not appear in the entry fields. You can write over existing keys, but you cannot edit or delete them.

■ Key Size: Use this setting to set the keys to either 40-bit or 128-bit WEP. If "not set" appears for this selection, the key has not been set.

Note: You cannot delete a key by selecting "not set." You may use the Restore Defaults button to remove all WEP keys.

The options for Use of Data Encryption by Stations are:

■ No Encryption (default): The access point communicates only with client devices that are not using WEP.

■ Optional: Client devices can communicate with the access point either with or without WEP.

■ Full Encryption: Client devices must use WEP when communicating with the access point. Clients not using WEP are not allowed to communicate.

If using Network-EAP as the authentication method, a key must be set in the WEP Key 1 slot. This is the key that is used for multicast packets and is sent during the authentication process.

The access point is not restricted to a single key size; any combination of 40-bit and 128-bit keys may be used.

Static WEP key encryption may be enabled on the Cisco IOS AP from the Security > Encryption Manager screen.

Under Encryption Modes, select WEP Encryption and either Optional or Mandatory WEP Encryption.

For additional encryption protection when using Cisco client cards, you may also enable Message Integrity Check (MIC) and Per Packet Keying (TKIP). These features minimize the vulnerability of the WEP protocol to either man-in-the-middle (inductive) key attacks or passive key attacks.

Under Encryption Keys, enter the Encryption Key in hexadecimal format, then select the appropriate Key Size and the Transmit Key index.

Note that, if using a dynamic key derivation (802.1X) mechanism, it is necessary to enter a key under Encryption Key for broadcast only; the unicast key will be derived for each client using the 802.1X mechanism.

© 2003, Cisco Systems, Inc. All rights reserved. AWLF v3.1—9-27

To fully configure WEP, an authentication method should be specified by checking the appropriate box.

■ Open (default): Allows any device, regardless of its WEP settings, to authenticate and then attempt to communicate with the access point.

■ Shared Key: The access point sends a plain text, shared-key query to any device attempting to communicate with the access point. This query can leave the device open to a known-text attack from intruders, however, and is therefore not as secure as the Open setting.

■ Network-EAP: The access point uses the Extensible Authentication Protocol (EAP) to interact with an EAP-compatible RADIUS server on your network to provide authentication for wireless client devices.

By default, Open authentication is enabled, which, if a WEP key is enabled, will permit authentication only by devices that have the correct WEP key configured.

WPA (Authenticated Key Mgmt)

Wi-Fi Protected Access (WPA) is the Wi-Fi Alliance standards-based mechanism to create secure and interoperable WLAN networks. WPA provides a mechanism to authenticate keys for use in 802.11 environments as well as providing enhancements to WEP encryption to increase the robustness of the security protocol.

To enable WPA on an access point, an appropriate Cipher (or combination of ciphers) must be chosen. TKIP is the cipher used for WPA compliant devices. The following are valid WPA ciphers:

Also note that when using WPA encryption on an access point, Encryption Key 1 must not be used, as the WPA key negotiation mechanism uses this key position in the AP to transfer authentication data to the client.

To enable WPA authentication on the AP, after enabling an encryption mechanism that supports WPA, the SSID must be configured to use a form of Authenticated Key Management.

For the selected SSID, under the Authenticated Key Management section, select WPA and choose the appropriate option from the drop-down menu: either Mandatory for WPA-only clients, or Optional for coexistence between WPA and legacy WEP clients.

If using a WPA Pre-shared Key (as opposed to using 802.1X authentication), enter the pre-shared key either as ASCII text (minimum 8 characters) or as a hexadecimal string (64 hex characters). Note that this same pre-shared key must be configured on the WPA client.
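The key-entry formats from the Encryption Key field and the WPA pre-shared key field, together with the key-slot rules stated on this page, as an added example that is not Cisco's code. The `cfg` dictionary layout and function names are hypothetical; the 63-character upper limit and the PBKDF2 passphrase mapping come from the IEEE 802.11i standard, not from this page.

```python
import hashlib
import re

HEX = re.compile(r"[0-9a-fA-F]+")

def wep_key_size(entry: str):
    """Return 40 or 128 for a valid WEP key entry, else None."""
    if not HEX.fullmatch(entry):
        return None
    return {10: 40, 26: 128}.get(len(entry))

def wpa_psk(entry: str, ssid: str) -> bytes:
    """Return the 256-bit pre-shared key that the entry represents."""
    if len(entry) == 64 and HEX.fullmatch(entry):
        return bytes.fromhex(entry)           # 64 hex digits are the key itself
    if 8 <= len(entry) <= 63 and all(32 <= ord(c) <= 126 for c in entry):
        # 802.11i passphrase mapping: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds
        return hashlib.pbkdf2_hmac("sha1", entry.encode(), ssid.encode(), 4096, 32)
    raise ValueError("PSK must be 8-63 printable ASCII characters or 64 hex digits")

def audit(cfg: dict) -> list:
    """Check a key-slot layout against the rules stated on this page."""
    findings = []
    keys = cfg.get("keys", {})   # slot number -> hex entry; unset slots omitted
    for slot, entry in sorted(keys.items()):
        if wep_key_size(entry) is None:
            findings.append(f"key {slot}: not 10 or 26 hex digits")
    tk = cfg.get("transmit_key")
    if tk is not None and tk not in keys:
        findings.append(f"transmit key {tk} is not set")
    if cfg.get("wpa"):
        # Assumption: when WPA is enabled, its slot 1 rule takes precedence.
        if 1 in keys:
            findings.append("WPA: key slot 1 must be left unused")
    elif cfg.get("auth") == "network-eap" and 1 not in keys:
        findings.append("Network-EAP: key slot 1 must be set")
    return findings
```

Because the SSID is the salt, the same passphrase yields a different 256-bit key on every network name, while a 64-digit hex entry is used unchanged.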
