User's Manual
Table Of Contents
- Warranty and Product Registration
- How to Use This Guide
- Contents
- Figures
- Tables
- Getting Started
- Web Configuration
- Command Line Interface
- Using the Command Line Interface
- General Commands
- System Management Commands
- country
- prompt
- system name
- system-resource
- password
- reboot-schedule
- apmgmtui ssh enable
- apmgmtui ssh port
- apmgmtui telnet-server enable
- apmgmtui http port
- apmgmtui http server
- apmgmtui http session-timeout
- apmgmtui https port
- apmgmtui https server
- apmgmtui snmp
- apmgmtip
- show apmanagement
- show system
- show system resource
- show version
- show config
- System Logging Commands
- System Clock Commands
- DHCP Relay Commands
- SNMP Commands
- snmp-server community
- snmp-server contact
- snmp-server location
- snmp-server enable server
- snmp-server host
- snmp-server trap
- snmp-server vacm view
- snmp-server vacm group
- snmp-server user
- snmp-server target
- snmp-server filter
- show snmp users
- show snmp target
- show snmp filter
- show snmp
- show snmp vacm view
- show snmp vacm group
- Flash/File Commands
- RADIUS Client Commands
- 802.1X Authentication Commands
- MAC Address Authentication Commands
- Filtering Commands
- Spanning Tree Commands
- bridge stp service
- bridge stp br-conf forwarding-delay
- bridge stp br-conf hello-time
- bridge stp br-conf max-age
- bridge stp br-conf priority
- bridge stp port-conf interface
- bridge-link path-cost
- bridge-link port-priority
- vap (STP Interface)
- path-cost (STP Interface)
- port-priority (STP Interface)
- bridge mac-aging
- show bridge stp
- show bridge br-conf
- show bridge port-conf interface
- show bridge status
- show bridge forward address
- show bridge mac-aging
- WDS Bridge Commands
- Ethernet Interface Commands
- Wireless Interface Commands
- interface wireless
- vap
- a-mpdu
- a-msdu
- channel
- transmit-power
- min-allowed-rate
- disable-coexist
- make-rf-setting-effective
- preamble
- short-guard-interval
- beacon-interval
- dtim-period
- rts-threshold
- ssid
- closed-system
- max-client
- max-association
- client-assoc-preempt
- assoc-timeout-interval
- auth-timeout-interval
- multicast-enhance
- shutdown (VAP)
- interfere-chan-recover
- antenna-chain
- long-distance
- long-distance reference-data
- long-distance slottime
- long-distance acktimeout
- long-distance ctstimeout
- bandwidth-control downlink
- bandwidth-control downlink rate
- bandwidth-control uplink
- bandwidth-control uplink rate
- show interface wireless
- show station
- show station statistics
- Wireless Security Commands
- Rogue AP Detection Commands
- Link Integrity Commands
- Link Layer Discovery Commands
- VLAN Commands
- WMM Commands
- QoS Commands
- Appendices
- Index of CLI Commands
- Index
Chapter 25 | Wireless Security Commands – 237 –
cipher-suite
This command defines the cipher algorithm used to encrypt the global key for
broadcast and multicast traffic when using WPA or WPA2 security.
Syntax
multicast-cipher <aes-ccmp | tkip>
aes-ccmp - Use AES-CCMP encryption for both the unicast and the multicast cipher.
tkip - Use TKIP encryption for the multicast cipher. Either TKIP or AES-CCMP is
then used for the unicast cipher, depending on the capability of each client.
Default Setting
None
Command Mode
Interface Configuration (Wireless-VAP)
Command Usage
◆ WPA and WPA2 enable a VAP to use a different unicast encryption key for
each client. However, the global encryption key for multicast and broadcast
traffic must be the same for all clients, so the cipher selected here is
applied to every client's broadcast and multicast traffic on the VAP,
including clients that are capable of AES-CCMP for unicast.
◆ TKIP provides data encryption enhancements over WEP, including per-packet key
mixing (i.e., changing the encryption key on each packet), a message integrity
check (MIC), an extended initialization vector with sequencing rules, and a
re-keying mechanism. Select TKIP only if there are clients in the network that
are not WPA2 compliant.
◆ TKIP defends against attacks on WEP in which the unencrypted initialization
vector in encrypted packets is used to recover the WEP key. TKIP changes the
encryption key on each packet, and rotates not just the unicast keys but the
broadcast keys as well. TKIP is a replacement for WEP that removes the
predictability that intruders relied on to determine the WEP key.
◆ TKIP was designed as a stopgap for WEP-era hardware. It has since been
deprecated by IEEE 802.11 and has published practical attacks against its
integrity check, so treat tkip as a temporary setting for legacy clients and
plan to retire those clients rather than leaving the VAP in mixed mode.
◆ AES-CCMP (Advanced Encryption Standard Counter Mode with CBC-MAC Protocol):
WPA2 is backward compatible with WPA, including the same 802.1X and PSK
modes of operation and support for TKIP encryption. The main enhancement is
its use of AES in Counter Mode for confidentiality combined with a Cipher Block
Chaining Message Authentication Code (CBC-MAC) for message integrity. AES-CCMP
provides robust data confidentiality using a 128-bit key and is a mandatory
requirement for WPA2. Because the operations of AES-CCMP are computationally
intensive, they require hardware support on client devices. Therefore, to
implement WPA2 in the network, wireless clients must be upgraded to WPA2-
compliant hardware.
◆ The syntax above uses the keyword multicast-cipher, while the command is
listed under the name cipher-suite. Type ? in Interface Configuration
(Wireless-VAP) mode to confirm which keyword the installed firmware accepts.
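The effect of this command is visible over the air: the ciphers the VAP advertises in its beacons and probe responses are what clients can negotiate, so a practitioner checks the advertised group and pairwise ciphers after configuring rather than trusting the running config alone. The following decoder is an added example written for this edit, not the manual's or the AP vendor's code; it parses the RSN (WPA2) and WPA vendor information elements from a beacon's IE blob. The two IE blobs, the SSID "vap-1", and the function names are constructed for the example (they are not captured from a real device): one represents a VAP configured with multicast-cipher tkip that also advertises a WPA (v1) element for legacy clients, the other a VAP with multicast-cipher aes-ccmp and no legacy element.

```python
"""Decode RSN/WPA information elements from an 802.11 beacon or probe response
and flag weak group or pairwise ciphers. Added example; sample data is
constructed, not captured."""
import struct

RSN_ELEMENT_ID = 48        # RSNE: WPA2/WPA3 parameters
VENDOR_ELEMENT_ID = 221    # vendor-specific; the WPA (v1) IE lives here
RSN_OUI = b"\x00\x0f\xac"
WPA_OUI = b"\x00\x50\xf2"
WPA_OUI_TYPE = 1

# Suite selector types for OUI 00-0F-AC (IEEE 802.11). The WPA vendor IE
# (OUI 00-50-F2) uses the same numbers for WEP-40, TKIP, CCMP, 802.1X and PSK.
CIPHERS = {0: "use-group", 1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104",
           6: "BIP-CMAC-128", 8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKMS = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK", 5: "802.1X-SHA256",
        6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE"}
WEAK_CIPHERS = {"WEP-40", "WEP-104", "TKIP"}


def iter_elements(ies: bytes):
    """Yield (element_id, data) for each TLV in an IE blob; reject truncation."""
    pos = 0
    while pos + 2 <= len(ies):
        eid, length = ies[pos], ies[pos + 1]
        data = ies[pos + 2:pos + 2 + length]
        if len(data) != length:
            raise ValueError(f"element {eid} truncated at offset {pos}")
        yield eid, data
        pos += 2 + length
    if pos != len(ies):
        raise ValueError("trailing byte after last element")


def _suite(selector: bytes, table: dict) -> str:
    if len(selector) != 4:
        raise ValueError("truncated suite selector")
    oui, kind = selector[:3], selector[3]
    if oui not in (RSN_OUI, WPA_OUI):
        return f"vendor-{oui.hex()}-{kind}"
    return table.get(kind, f"unknown-{kind}")


def _suite_list(body: bytes, offset: int, table: dict):
    """Read a little-endian count followed by that many 4-byte selectors."""
    if offset + 2 > len(body):
        raise ValueError("truncated suite count")
    (count,) = struct.unpack_from("<H", body, offset)
    offset += 2
    suites = []
    for _ in range(count):
        suites.append(_suite(body[offset:offset + 4], table))
        offset += 4
    return suites, offset


def parse_security_body(body: bytes) -> dict:
    """Parse the fields shared by the RSNE and WPA IE, starting at Version."""
    if len(body) < 6:
        raise ValueError("security element too short")
    (version,) = struct.unpack_from("<H", body, 0)
    group = _suite(body[2:6], CIPHERS)            # group = multicast/broadcast
    pairwise, off = _suite_list(body, 6, CIPHERS)  # pairwise = unicast choices
    akm, _ = _suite_list(body, off, AKMS)
    return {"version": version, "group": group, "pairwise": pairwise, "akm": akm}


def parse_beacon_security(ies: bytes) -> dict:
    """Return {'ssid', 'rsn', 'wpa'} for a beacon/probe-response IE blob."""
    result = {"ssid": None, "rsn": None, "wpa": None}
    for eid, data in iter_elements(ies):
        if eid == 0:
            result["ssid"] = data.decode("utf-8", "replace")
        elif eid == RSN_ELEMENT_ID:
            result["rsn"] = parse_security_body(data)
        elif eid == VENDOR_ELEMENT_ID and data[:4] == WPA_OUI + bytes([WPA_OUI_TYPE]):
            result["wpa"] = parse_security_body(data[4:])
    return result


def assess(sec: dict) -> list:
    """Flag cipher choices that weaken the VAP; an empty list means none found."""
    findings = []
    for name, ie in (("RSN", sec["rsn"]), ("WPA", sec["wpa"])):
        if ie is None:
            continue
        if ie["group"] in WEAK_CIPHERS:
            findings.append(f"{name}: group cipher {ie['group']} - every client's "
                            "broadcast/multicast traffic on this VAP uses it")
        for c in ie["pairwise"]:
            if c in WEAK_CIPHERS:
                findings.append(f"{name}: pairwise cipher {c} offered - a legacy "
                                "client can negotiate it for unicast")
    if sec["rsn"] is None and sec["wpa"] is None:
        findings.append("no RSN or WPA element: open or WEP network")
    return findings


# Constructed IE blobs (not captured): SSID "vap-1" followed by security elements.
# WPA2-PSK with multicast-cipher tkip, plus a WPA (v1) IE for legacy clients.
MIXED_MODE_IES = bytes.fromhex(
    "0005" "7661702d31"
    "3014" "0100" "000fac02" "0100" "000fac04" "0100" "000fac02" "0000"
    "dd16" "0050f201" "0100" "0050f202" "0100" "0050f202" "0100" "0050f202")
# WPA2-PSK with multicast-cipher aes-ccmp and no WPA (v1) IE.
CCMP_ONLY_IES = bytes.fromhex(
    "0005" "7661702d31"
    "3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac02" "0000")

if __name__ == "__main__":
    for label, ies in (("multicast-cipher tkip", MIXED_MODE_IES),
                       ("multicast-cipher aes-ccmp", CCMP_ONLY_IES)):
        sec = parse_beacon_security(ies)
        print(f"{label}: {sec}")
        for finding in assess(sec) or ["no weak cipher advertised"]:
            print("  -", finding)
```

Feed the decoder the raw IE bytes from a beacon captured near the AP (the IE blob begins after the fixed 12-byte beacon body: timestamp, beacon interval and capability fields). For the tkip configuration it reports the RSN group cipher as TKIP even though the pairwise list offers CCMP-128, which is exactly the situation the first usage bullet describes: AES-capable clients still receive their broadcast and multicast frames under TKIP. The WPA (v1) element is decoded separately because mixed-mode VAPs advertise both, and a client that only reads the vendor element will see TKIP for unicast as well.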