9-2
Cisco Aironet 1400 Series Wireless Bridges Software Configuration Guide
OL-4059-01
Chapter 9 Configuring WEP and WEP Features
Understanding WEP
Understanding WEP
Just as anyone within range of a radio station can tune to the station's frequency and listen to the signal,
any wireless networking device within range of an bridge can receive the bridge's radio transmissions.
Because WEP is the first line of defense against intruders, Cisco recommends that you use full
encryption on your wireless network.
WEP encryption scrambles the radio communication between bridges to keep the communication
private. Communicating bridges use the same WEP key to encrypt and unencrypt radio signals. WEP
keys encrypt both unicast and multicast messages. Unicast messages are addressed to just one device on
the network. Multicast messages are addressed to multiple devices on the network.
Extensible Authentication Protocol (EAP) authentication provides dynamic WEP keys to wireless
devices. Dynamic WEP keys are more secure than static, or unchanging, WEP keys. If an intruder
passively receives enough packets encrypted by the same WEP key, the intruder can perform a
calculation to learn the key and use it to join your network. Because they change frequently, dynamic
WEP keys prevent intruders from performing the calculation and learning the key. See
Chapter 10,
“Configuring Authentication Types,”
for detailed information on EAP and other authentication types.
Two additional security features defend your wireless network's WEP keys:
•
Message Integrity Check (MIC)—MIC prevents attacks on encrypted packets called
bit-flip attacks
.
During a bit-flip attack, an intruder intercepts an encrypted message, alters it slightly, and
retransmits it, and the receiver accepts the retransmitted message as legitimate. The MIC,
implemented on associated bridges, adds a few bytes to each packet to make the packets tamper
proof.
•
TKIP (Temporal Key Integrity Protocol, also known as
WEP key hashing
)—This feature defends
against an attack on WEP in which the intruder uses the unencrypted initialization vector (IV) in
encrypted packets to calculate the WEP key. TKIP removes the predictability that an intruder relies
on to determine the WEP key by exploiting IVs.
Note
If VLANs are enabled on your bridges, WEP, MIC, and TKIP are supported only on the native VLAN.
Configuring WEP and WEP Features
These sections describe how to configure WEP and additional WEP features such as MIC and TKIP:
•
Creating WEP Keys, page 9-2
•
Enabling and Disabling WEP and Enabling TKIP and MIC, page 9-3
WEP, TKIP, and MIC are disabled by default.
Creating WEP Keys
Beginning in privileged EXEC mode, follow these steps to create a WEP key and set the key properties:
Command
Purpose
Step 1
configure terminal
Enter global configuration mode.
Step 2
interface dot11radio 0
Enter interface configuration mode for the radio interface.