Cisco Systems IOS Releases 15.2(4)JA Universal Remote User Manual


 
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-29225-01
Chapter 10 Configuring Cipher Suites and WEP
Understanding Cipher Suites and WEP
This section describes how WEP and cipher suites protect traffic on your wireless LAN.
Just as anyone within range of a radio station can tune to the station's frequency and listen to the signal,
any wireless networking device within range of an access point can receive the access point's radio
transmissions. Because WEP is the first line of defense against intruders, we recommend that you use
full encryption on your wireless network.
WEP encryption scrambles the communication between the access point and client devices to keep the
communication private. Both the access point and client devices use the same WEP key to encrypt and
decrypt radio signals. WEP keys encrypt both unicast and multicast messages. Unicast messages are
addressed to just one device on the network. Multicast messages are addressed to multiple devices on
the network.
Extensible Authentication Protocol (EAP) authentication, also called 802.1x authentication, provides
dynamic WEP keys to wireless users. Dynamic WEP keys are more secure than static, or unchanging,
WEP keys. If an intruder passively receives enough packets encrypted by the same WEP key, the intruder
can perform a calculation to learn the key and use it to join your network. Because they change
frequently, dynamic WEP keys prevent intruders from performing the calculation and learning the key.
See Chapter 11, “Configuring Authentication Types,” for detailed information on EAP and other
authentication types.
Cipher suites are sets of encryption and integrity algorithms designed to protect radio communication
on your wireless LAN. You must use a cipher suite to enable WPA or CCKM. Because cipher suites
provide the protection of WEP while also allowing use of authenticated key management, we
recommend that you enable WEP by using the encryption mode cipher command in the CLI or by using
the cipher drop-down list in the web-browser interface. Cipher suites that contain TKIP provide the best
security for your wireless LAN, and cipher suites that contain only WEP are the least secure.
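An added example, not part of the Cisco guide: a small audit that reads an access point running-config and grades each radio interface's encryption line, flagging the WEP-only settings this section calls the least secure. The sample config is constructed; the stanza layout and the `encryption [vlan N] mode ciphers ...` / `encryption mode wep ...` line forms are assumed from Aironet IOS syntax, and the verdict wording and the "review" grade are this example's own choices.

```python
import re

# Constructed sample of an Aironet running-config (not taken from the guide).
SAMPLE_CONFIG = """\
interface Dot11Radio0
 encryption mode wep mandatory
 ssid lab
!
interface Dot11Radio1
 encryption vlan 10 mode ciphers wep128
 encryption vlan 20 mode ciphers tkip wep128
 encryption vlan 30 mode ciphers aes-ccm
!
interface Dot11Radio2
 ssid open-guest
!
"""

ENC_RE = re.compile(r"^\s+encryption(?: vlan (\d+))? mode (wep|ciphers)\s*(.*)$")
WEP_ONLY = {"wep40", "wep128"}

def classify(mode, args):
    """Grade one encryption line; thresholds are this example's assumption."""
    if mode == "wep":
        return "weak: WEP-only encryption"
    suite = set(args.split())
    if suite and suite <= WEP_ONLY:
        return "weak: cipher suite contains only WEP"
    if suite & WEP_ONLY:
        return "review: suite still allows WEP alongside " + ",".join(sorted(suite - WEP_ONLY))
    return "ok: " + ",".join(sorted(suite))

def audit(config):
    """Return [(interface, vlan or None, verdict)] for every radio interface."""
    findings, iface, seen = [], None, False
    for line in config.splitlines() + ["!"]:
        if not line.startswith(" "):  # a new top-level stanza begins
            if iface and not seen:
                findings.append((iface, None, "open: no encryption configured"))
            m = re.match(r"interface (Dot11Radio\S+)", line)
            iface, seen = (m.group(1) if m else None), False
        elif iface and (m := ENC_RE.match(line)):
            seen = True
            findings.append((iface, m.group(1), classify(m.group(2), m.group(3))))
    return findings

if __name__ == "__main__":
    for iface, vlan, verdict in audit(SAMPLE_CONFIG):
        print(f"{iface} vlan={vlan or '-'}: {verdict}")
```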
These security features protect the data traffic on your wireless LAN:
AES-CCMP—Based on the Advanced Encryption Standard (AES) defined in the National Institute
of Standards and Technology’s FIPS Publication 197, AES-CCMP is a symmetric block cipher that
can encrypt and decrypt data using keys of 128, 192, and 256 bits. AES-CCMP is superior to WEP
encryption and is defined in the IEEE 802.11i standard.
Note: Cisco Aironet 1130 and 1230 series access points support WPA2. Cisco Aironet 1100, 1200, and 1300
series 802.11g radios support WPA2 with a Cisco IOS software upgrade to Release 12.3(2)JA or later.
Note: Cisco Aironet 1200 series radio modules having part numbers AIR-RM21A or AIR-RM22A support
WPA2 or AES.
Note: Cisco 802.11n radios require that either no encryption or AES-CCMP be configured for proper
operation.
WEP (Wired Equivalent Privacy)—WEP is an 802.11 standard encryption algorithm originally
designed to provide your wireless LAN with the same level of privacy available on a wired LAN.
However, the basic WEP construction is flawed, and an attacker can compromise the privacy with
reasonable effort.