Specifications
9-7
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-5260-01
Chapter 9 Configuring Cipher Suites and WEP
Configuring Cipher Suites and WEP
Matching Cipher Suites with WPA and CCKM
If you configure your access point to use WPA or CCKM authenticated key management, you must select
a cipher suite compatible with the authenticated key management type. Table 9-3 lists the cipher suites
that are compatible with WPA and CCKM.
Note When you configure the cipher TKIP (not TKIP + WEP 128 or TKIP + WEP 40) for an SSID, the SSID
must use WPA or CCKM key management. Client authentication fails on an SSID that uses the cipher
TKIP without enabling WPA or CCKM key management.
For a complete description of WPA and CCKM and instructions for configuring authenticated key
management, see the “Using CCKM for Authenticated Clients” section on page 10-6 and the “Using
WPA Key Management” section on page 10-7.
Enabling and Disabling Broadcast Key Rotation
Broadcast key rotation is disabled by default.
Note Client devices using static WEP cannot use the access point when you enable broadcast key rotation.
When you enable broadcast key rotation, only wireless client devices using 802.1x authentication (such
as LEAP, EAP-TLS, or PEAP) can use the access point.
Beginning in privileged EXEC mode, follow these steps to enable broadcast key rotation:
Table 9-3 Cipher Suites Compatible with WPA and CCKM
Authenticated Key Management Types Compatible Cipher Suites
CCKM
• encryption mode ciphers wep128
• encryption mode ciphers wep40
• encryption mode ciphers ckip
• encryption mode ciphers cmic
• encryption mode ciphers ckip-cmic
• encryption mode ciphers tkip
WPA
• encryption mode ciphers tkip
• encryption mode ciphers tkip wep128
• encryption mode ciphers tkip wep40
Command Purpose
Step 1
configure terminal Enter global configuration mode.
Step 2
interface dot11radio { 0 | 1 } Enter interface configuration mode for the radio interface. The
2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.