Chapter 4 Security Setup
Security Overview
4-4
Cisco Aironet 1200 Series Access Point Software Configuration Guide
OL-2159-03
both the access point and all associated client devices, adds a few bytes to each packet to make the packets tamper-proof. See the “Enabling Message Integrity Check (MIC)” section on page 4-14 for instructions on enabling MIC.
• TKIP (Temporal Key Integrity Protocol, also known as WEP key hashing)—This feature defends against an attack on WEP in which the intruder uses the unencrypted initialization vector (IV) in encrypted packets to calculate the WEP key. TKIP removes the predictability that an intruder relies on to determine the WEP key by exploiting IVs. See the “Enabling Temporal Key Integrity Protocol (TKIP)” section on page 4-16 for instructions on enabling TKIP.
• Broadcast key rotation—EAP authentication provides dynamic unicast WEP keys for client devices but uses static broadcast, or multicast, keys. When you enable broadcast WEP key rotation, the access point provides a dynamic broadcast WEP key and changes it at the interval you select. Broadcast key rotation is an excellent alternative to TKIP if your wireless LAN supports wireless client devices that are not Cisco devices or that cannot be upgraded to the latest firmware for Cisco client devices. See the “Enabling Broadcast WEP Key Rotation” section on page 4-18 for instructions on enabling broadcast key rotation.
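The difference the TKIP item above describes, shown as an added example that is not Cisco's code: classic WEP seeds RC4 with the cleartext IV followed by the static key, while key hashing derives each packet's seed from both values. SHA-256 stands in for the real key-mixing function, and the key, IVs and helper names are constructed for illustration.

```python
import hashlib

def rc4(seed: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then XOR the data with the keystream."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def wep_seed(iv: bytes, key: bytes) -> bytes:
    """Classic WEP: RC4 seed = cleartext 3-byte IV followed by the static key."""
    return iv + key

def hashed_seed(iv: bytes, key: bytes) -> bytes:
    """Key hashing stand-in (assumption): SHA-256, not the real mixing function."""
    return hashlib.sha256(key + iv).digest()[: len(iv) + len(key)]

def encrypt_frame(seed_fn, iv: bytes, key: bytes, payload: bytes) -> bytes:
    """The IV travels unencrypted in front of the ciphertext (ICV omitted here)."""
    return iv + rc4(seed_fn(iv, key), payload)

def decrypt_frame(seed_fn, key: bytes, frame: bytes) -> bytes:
    """Receiver side: read the IV from the frame and rebuild the same seed."""
    iv, body = frame[:3], frame[3:]
    return rc4(seed_fn(iv, key), body)

def seed_report(seed_fn, ivs, key: bytes) -> dict:
    """What an observer who sees only the IVs learns about the RC4 seeds."""
    seeds = [seed_fn(iv, key) for iv in ivs]
    return {
        # True when the first seed bytes are exactly the IV seen on the air.
        "iv_is_seed_prefix": all(s[:3] == iv for s, iv in zip(seeds, ivs)),
        # True when every packet reuses the same secret bytes after the IV.
        "secret_tail_reused": len({s[3:] for s in seeds}) == 1,
    }

KEY = bytes.fromhex("0102030405")           # constructed 40-bit key
IVS = [bytes([0, 0, n]) for n in range(4)]  # constructed sample IVs

if __name__ == "__main__":
    for fn in (wep_seed, hashed_seed):
        print(fn.__name__, seed_report(fn, IVS, KEY))
```

Both schemes still send the IV in the clear and both decrypt correctly; only the WEP construction hands the observer part of every RC4 seed and reuses the same secret remainder across packets.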
Network Authentication Types
Before a wireless client device can communicate on your network through the
access point, it must authenticate to the access point and to your network. The
access point uses four authentication mechanisms or types and can use more than
one at the same time:
• Network-EAP—This authentication type provides the highest level of security for your wireless network. By using the Extensible Authentication Protocol (EAP) to interact with an EAP-compatible RADIUS server, the access point helps a wireless client device and the RADIUS server to perform mutual authentication and derive a dynamic unicast WEP key. The RADIUS server sends the WEP key to the access point, which uses it for all unicast data signals that it sends to or receives from the client. The access point also encrypts its broadcast WEP key (entered in the access point’s WEP key slot 1) with the client’s unicast key and sends it to the client.