User guide
Cisco WLAN Controller Web Interface User Guide
OL-7416-04
Chapter 6 Security Menu Bar Selection
RADIUS Accounting Servers
• IP sec - Check this check box to enable or disable the IP Security mechanism. If you enable this
option, the IP Security Parameters fields will be displayed.
– IP Sec Authentication: Set the IP security authentication protocol to be used. Options are:
• HMAC-SHA1
• HMAC-MD5
• None
Message Authentication Codes (MAC) are used between two parties that share a secret key to
validate information transmitted between them. HMAC (Hash MAC) is a mechanism based on
cryptographic hash functions. HMAC can be used in combination with any iterated
cryptographic hash function. HMAC-MD5 and HMAC-SHA-1 are two constructs of HMAC
using the MD5 hash function and the SHA-1 hash function. HMAC also uses a secret key for
calculation and verification of the message authentication values.
– IP sec Encryption: Set the IP security encryption mechanism to be used. Options are:
• DES - Data Encryption Standard is a method of data encryption using a private (secret) key.
DES applies a 56-bit key to each 64-bit block of data.
• Triple DES - Data Encryption Standard that applies three keys in succession.
• AES 128 CBC - Advanced Encryption Standard uses keys with a length of 128, 192, or 256 bits
to encrypt blocks with a length of 128, 192, or 256 bits. AES 128 CBC uses a 128-bit data path
in Cipher Block Chaining (CBC) mode.
– IKE Authentication: Not an editable field.
IKE (Internet Key Exchange protocol) is used as a method of distributing the session keys
(encryption and authentication), as well as providing a way for the VPN endpoints to agree on
how the data should be protected. IKE keeps track of connections by assigning a bundle of
Security Associations (SAs), to each connection.
– IKE Phase 1: Set the Internet Key Exchange protocol (IKE). Options are:
• Aggressive
• Main
IKE Phase-1 is used to negotiate how IKE should be protected. Aggressive mode will pass more
information in fewer packets, with the benefit of slightly faster connection establishment, at the
cost of transmitting the identities of the security gateways in the clear.
– Lifetime (seconds): Set the timeout interval for the session expiry. Default is 28800 seconds.
– IKE Diffie Hellman Group: Set the IKE Diffie Hellman Group. Options are:
• Group 1 (768 bits)
• Group 2 (1024 bits)
• Group 5 (1536 bits)
Diffie-Hellman techniques are used by two devices to generate a symmetric key where they can
publicly exchange values and generate the same symmetric key.
Although all three groups provide security from conventional attacks, Group 5 is considered
more secure because of its larger key size. However, computations involving Group 1 and Group
2 based keys might occur slightly faster because of their smaller prime number size.
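The HMAC description under IP Sec Authentication above, as an added example (not code from this guide or from the controller): it builds HMAC from its definition over any iterated hash, then shows a receiver holding the same secret key accepting the original message and rejecting a modified one. The key, message, and function names are constructed for illustration.

```python
import hashlib
import hmac


def hmac_from_definition(hash_name: str, key: bytes, message: bytes) -> bytes:
    """HMAC over any iterated hash: H((K ^ opad) || H((K ^ ipad) || message))."""
    block_size = hashlib.new(hash_name).block_size  # 64 bytes for MD5 and SHA-1
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()  # over-long keys are hashed first
    key = key.ljust(block_size, b"\x00")            # then zero-padded to one block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hash_name, ipad + message).digest()
    return hashlib.new(hash_name, opad + inner).digest()


def verify(hash_name: str, key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    expected = hmac_from_definition(hash_name, key, message)
    return hmac.compare_digest(expected, tag)


# Constructed sample values (assumptions, not taken from the guide).
SHARED_KEY = b"constructed-shared-secret"
MESSAGE = b"constructed accounting record: session=start"


def demo() -> dict:
    """Run both HMAC options offered by the page and report the outcome."""
    results = {}
    for name in ("md5", "sha1"):
        tag = hmac_from_definition(name, SHARED_KEY, MESSAGE)  # sender side
        tampered = MESSAGE.replace(b"start", b"stop!")
        results[name] = {
            "tag_bits": len(tag) * 8,
            # Cross-check against the standard library implementation.
            "matches_stdlib": tag == hmac.new(SHARED_KEY, MESSAGE, name).digest(),
            "accepts_original": verify(name, SHARED_KEY, MESSAGE, tag),
            "rejects_tampered": not verify(name, SHARED_KEY, tampered, tag),
            "rejects_wrong_key": not verify(name, b"another-key", MESSAGE, tag),
        }
    return results


if __name__ == "__main__":
    for option, outcome in demo().items():
        print(option, outcome)
```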
Command Buttons
• Back: Return to the previous window.