
8-3
Cisco Aironet 1200 Series Access Point Software Configuration Guide
OL-2159-05
Chapter 8 Security Setup
Security Overview
WEP encryption scrambles the communication between the access point and client devices to keep the
communication private. Both the access point and client devices use the same WEP key to encrypt and
decrypt radio signals. WEP keys encrypt both unicast and multicast messages. Unicast messages are
addressed to just one device on the network. Multicast messages are addressed to multiple devices on
the network.
Extensible Authentication Protocol (EAP) authentication provides dynamic WEP keys to wireless users.
Dynamic WEP keys are more secure than static, or unchanging, WEP keys. If an intruder passively
receives enough packets encrypted by the same WEP key, the intruder can perform a calculation to learn
the key and use it to join your network. Because they change frequently, dynamic WEP keys prevent
intruders from performing the calculation and learning the key.
Additional WEP Security Features
Three additional security features defend your wireless network's WEP keys:
Message Integrity Check (MIC): MIC prevents attacks on encrypted packets called bit-flip attacks.
During a bit-flip attack, an intruder intercepts an encrypted message, alters it slightly, and
retransmits it, and the receiver accepts the retransmitted message as legitimate. The MIC,
implemented on both the access point and all associated client devices, adds a few bytes to each
packet to make the packets tamper-proof. See the "Enabling Message Integrity Check (MIC)"
section on page 8-10 for instructions on enabling MIC.
TKIP (Temporal Key Integrity Protocol, also known as WEP key hashing): This feature defends
against an attack on WEP in which the intruder uses the unencrypted initialization vector (IV) in
encrypted packets to calculate the WEP key. TKIP removes the predictability that an intruder relies
on to determine the WEP key by exploiting IVs. See the "Enabling Temporal Key Integrity Protocol
(TKIP)" section on page 8-12 for instructions on enabling TKIP.
Broadcast key rotation: EAP authentication provides dynamic unicast WEP keys for client devices
but uses static broadcast, or multicast, keys. When you enable broadcast WEP key rotation, the
access point provides a dynamic broadcast WEP key and changes it at the interval you select.
Broadcast key rotation is an excellent alternative to TKIP if your wireless LAN supports wireless
client devices that are not Cisco devices or that cannot be upgraded to the latest firmware for Cisco
client devices. See the "Enabling Broadcast WEP Key Rotation" section on page 8-13 for
instructions on enabling broadcast key rotation.
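The MIC item above describes why a receiver that only decrypts cannot tell an altered frame from a legitimate one, and why the few bytes the MIC adds fix that. The following Python example is added here to illustrate the point; it is not code from the manual or from Cisco. It models a WEP-style frame (24-bit IV, stream-cipher ciphertext, appended integrity tag) with constructed keys and plaintext. The keystream is SHAKE-256 standing in for WEP's RC4(IV || key), and the tag is a truncated HMAC-SHA256; both are assumptions made so the example runs with the standard library only, not the actual Cisco MIC algorithm. The malleability shown, where flipping a ciphertext bit flips the same plaintext bit, holds for any stream cipher, so the example is general rather than WEP-specific.

```python
import hashlib
import hmac

# Constructed sample values for the demonstration (not from the manual).
ENC_KEY = b"\x01\x02\x03\x04\x05"   # 40-bit WEP-style shared key, constructed
MIC_KEY = b"constructed-mic-key"    # separate key for the integrity check
IV = b"\x00\x00\x01"                # 24-bit initialization vector, as in WEP
PLAINTEXT = b"amount=0010"
IV_LEN, TAG_LEN = 3, 8


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Stand-in for WEP's RC4(IV || key) keystream (assumption: SHAKE-256 is used
    here only so the example needs no RC4 implementation; every stream cipher
    shares the malleability shown below)."""
    return hashlib.shake_256(iv + key).digest(length)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stream_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    # XOR with the keystream; the same call decrypts.
    return xor_bytes(data, keystream(key, iv, len(data)))


def mic_tag(mic_key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    # Keyed integrity check over IV and ciphertext, appended to the frame as a
    # few extra bytes (the role the manual gives MIC). HMAC-SHA256 is an
    # assumption, not the Cisco MIC algorithm.
    return hmac.new(mic_key, iv + ciphertext, hashlib.sha256).digest()[:TAG_LEN]


def seal(enc_key: bytes, mic_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    ct = stream_encrypt(enc_key, iv, plaintext)
    return iv + ct + mic_tag(mic_key, iv, ct)


def receiver_without_mic(enc_key: bytes, frame: bytes) -> bytes:
    """A receiver that decrypts and trusts whatever comes out (WEP without MIC)."""
    iv, ct = frame[:IV_LEN], frame[IV_LEN:-TAG_LEN]
    return stream_encrypt(enc_key, iv, ct)


def receiver_with_mic(enc_key: bytes, mic_key: bytes, frame: bytes):
    """A receiver that verifies the MIC first and drops the frame on mismatch."""
    iv, ct, tag = frame[:IV_LEN], frame[IV_LEN:-TAG_LEN], frame[-TAG_LEN:]
    if not hmac.compare_digest(mic_tag(mic_key, iv, ct), tag):
        return None  # tampered or corrupted: discard (and count it for detection)
    return stream_encrypt(enc_key, iv, ct)


def flip_bits(frame: bytes, offset: int, mask: int) -> bytes:
    """Model an in-flight modification of one ciphertext byte."""
    out = bytearray(frame)
    out[offset] ^= mask
    return bytes(out)


def tampered_frame() -> bytes:
    frame = seal(ENC_KEY, MIC_KEY, IV, PLAINTEXT)
    # Ciphertext byte 9 carries the '1' of "0010"; XOR 0x08 turns '1' (0x31)
    # into '9' (0x39) in the decrypted plaintext without touching the key.
    return flip_bits(frame, IV_LEN + 9, 0x08)


if __name__ == "__main__":
    good = seal(ENC_KEY, MIC_KEY, IV, PLAINTEXT)
    bad = tampered_frame()
    print("no MIC, altered frame accepted as:", receiver_without_mic(ENC_KEY, bad))
    print("MIC, altered frame ->", receiver_with_mic(ENC_KEY, MIC_KEY, bad))
    print("MIC, intact frame ->", receiver_with_mic(ENC_KEY, MIC_KEY, good))
```

The receiver without MIC hands the altered amount to the application; the receiver with MIC returns nothing for the same frame. A practical deployment would also count MIC failures per client, since a run of them on a link that is not otherwise lossy is the signal the manual's bit-flip description implies.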
Network Authentication Types
Before a wireless client device can communicate on your network through the access point, it must
authenticate to the access point and to your network. The access point uses four authentication
mechanisms or types and can use more than one at the same time:
Network-EAP: This authentication type provides the highest level of security for your wireless
network. By using the Extensible Authentication Protocol (EAP) to interact with an
EAP-compatible RADIUS server, the access point helps a wireless client device and the RADIUS
server to perform mutual authentication and derive a dynamic unicast WEP key. The RADIUS server
sends the WEP key to the access point, which uses it for all unicast data signals that it sends to or
receives from the client. The access point also encrypts its broadcast WEP key (entered in the access
point's WEP key slot 1) with the client's unicast key and sends it to the client.
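The broadcast key rotation item earlier in this section and the Network-EAP paragraph above together describe one mechanism: each client gets its own unicast key from EAP, the access point encrypts its broadcast key under that unicast key to deliver it, and with rotation enabled the broadcast key is replaced at a chosen interval and redelivered to every associated client. The Python simulation below is an added illustration of that flow, not Cisco code or the access point's actual implementation. The key source is a constructed deterministic generator so the run is reproducible (a real access point uses a random generator), and the wrapping of the broadcast key is an XOR with a keystream derived from the unicast key and a per-message sequence number, an assumption made because the manual does not specify the wrapping cipher. Client names, the interval and the timings are constructed values.

```python
import hashlib

KEY_LEN = 13  # 104-bit WEP key


class DeterministicRng:
    """Constructed key source so the simulation is reproducible; a real AP uses a CSPRNG."""

    def __init__(self, seed: bytes):
        self.seed, self.n = seed, 0

    def __call__(self, length: int) -> bytes:
        self.n += 1
        return hashlib.sha256(self.seed + self.n.to_bytes(4, "big")).digest()[:length]


def wrap_key(unicast_key: bytes, seq: int, broadcast_key: bytes) -> bytes:
    """Stand-in for 'encrypt the broadcast key with the client's unicast key':
    XOR with a keystream derived from the unicast key and a never-repeating
    sequence number (assumption; the manual does not name the wrapping cipher)."""
    ks = hashlib.shake_256(unicast_key + seq.to_bytes(4, "big")).digest(len(broadcast_key))
    return bytes(a ^ b for a, b in zip(broadcast_key, ks))


unwrap_key = wrap_key  # XOR is its own inverse


class Client:
    def __init__(self, unicast_key: bytes):
        self.unicast_key = unicast_key      # derived during EAP, delivered by RADIUS
        self.broadcast_key = None           # learned from the access point

    def receive_broadcast_key(self, seq: int, wrapped: bytes) -> None:
        self.broadcast_key = unwrap_key(self.unicast_key, seq, wrapped)


class AccessPoint:
    def __init__(self, rotation_interval: float, rng, now: float):
        self.interval = rotation_interval   # the interval the administrator selects
        self.rng = rng
        self.clients = {}                   # client name -> Client
        self.seq = 0                        # sequence number for key-delivery messages
        self.broadcast_key = rng(KEY_LEN)   # the dynamic broadcast key (slot 1 role)
        self.last_rotation = now
        self.rotations = 0

    def eap_success(self, name: str, unicast_key: bytes) -> None:
        """RADIUS delivered a unicast key for this client; hand it the current broadcast key."""
        client = Client(unicast_key)
        self.clients[name] = client
        self._deliver(client)

    def _deliver(self, client: Client) -> None:
        self.seq += 1
        wrapped = wrap_key(client.unicast_key, self.seq, self.broadcast_key)
        client.receive_broadcast_key(self.seq, wrapped)

    def tick(self, now: float) -> bool:
        """Rotate the broadcast key once the interval has elapsed and re-key every client."""
        if now - self.last_rotation < self.interval:
            return False
        self.broadcast_key = self.rng(KEY_LEN)
        self.last_rotation = now
        self.rotations += 1
        for client in self.clients.values():
            self._deliver(client)
        return True


def simulate(interval: float = 300.0, duration: float = 1000.0, step: float = 100.0) -> dict:
    """Run two EAP-authenticated clients through `duration` seconds of rotation."""
    rng = DeterministicRng(b"constructed-seed")
    ap = AccessPoint(interval, rng, now=0.0)
    ap.eap_success("laptop", rng(KEY_LEN))
    ap.eap_success("scanner", rng(KEY_LEN))
    keys_seen = {ap.broadcast_key}
    t = 0.0
    while t <= duration:
        if ap.tick(t):
            keys_seen.add(ap.broadcast_key)
        t += step
    in_sync = all(c.broadcast_key == ap.broadcast_key for c in ap.clients.values())
    return {"rotations": ap.rotations, "distinct_keys": len(keys_seen), "clients_in_sync": in_sync}


if __name__ == "__main__":
    print(simulate())
```

With a 300-second interval over 1000 seconds the simulation rotates three times, so four distinct broadcast keys exist over the run and every client ends holding the current one. The security point is visible in the structure: the broadcast key never crosses the air in the clear, a client that has not completed EAP has no unicast key and so cannot unwrap it, and each rotation limits how many frames any one broadcast key protects.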
When you enable EAP on your access points and client devices, authentication to the network occurs
in the steps shown in Figure 8-2: