Home » Cisco Manuals » Bridges & Routers » Cisco CISCO1401 » Manual Viewer

Cisco CISCO1401 Software Guide - Page 118

Understanding WEP, Configuring WEP and WEP Features, Creating WEP Keys

UPC - 746320202785

Add to My Manuals
Save this manual to your list of manuals

Page 118 highlights

Understanding WEP Chapter 9 Configuring WEP and WEP Features Understanding WEP Just as anyone within range of a radio station can tune to the station's frequency and listen to the signal, any wireless networking device within range of an bridge can receive the bridge's radio transmissions. Because WEP is the first line of defense against intruders, Cisco recommends that you use full encryption on your wireless network. WEP encryption scrambles the radio communication between bridges to keep the communication private. Communicating bridges use the same WEP key to encrypt and unencrypt radio signals. WEP keys encrypt both unicast and multicast messages. Unicast messages are addressed to just one device on the network. Multicast messages are addressed to multiple devices on the network. Extensible Authentication Protocol (EAP) authentication provides dynamic WEP keys to wireless devices. Dynamic WEP keys are more secure than static, or unchanging, WEP keys. If an intruder passively receives enough packets encrypted by the same WEP key, the intruder can perform a calculation to learn the key and use it to join your network. Because they change frequently, dynamic WEP keys prevent intruders from performing the calculation and learning the key. See Chapter 10, "Configuring Authentication Types," for detailed information on EAP and other authentication types. Two additional security features defend your wireless network's WEP keys: • Message Integrity Check (MIC)-MIC prevents attacks on encrypted packets called bit-flip attacks. During a bit-flip attack, an intruder intercepts an encrypted message, alters it slightly, and retransmits it, and the receiver accepts the retransmitted message as legitimate. The MIC, implemented on associated bridges, adds a few bytes to each packet to make the packets tamper proof. • TKIP (Temporal Key Integrity Protocol, also known as WEP key hashing)-This feature defends against an attack on WEP in which the intruder uses the unencrypted initialization vector (IV) in encrypted packets to calculate the WEP key. TKIP removes the predictability that an intruder relies on to determine the WEP key by exploiting IVs. Note If VLANs are enabled on your bridges, WEP, MIC, and TKIP are supported only on the native VLAN. Configuring WEP and WEP Features These sections describe how to configure WEP and additional WEP features such as MIC and TKIP: • Creating WEP Keys, page 9-2 • Enabling and Disabling WEP and Enabling TKIP and MIC, page 9-3 WEP, TKIP, and MIC are disabled by default. Creating WEP Keys Beginning in privileged EXEC mode, follow these steps to create a WEP key and set the key properties: Step 1 Step 2 Command configure terminal interface dot11radio 0 Purpose Enter global configuration mode. Enter interface configuration mode for the radio interface. Cisco Aironet 1400 Series Wireless Bridges Software Configuration Guide 9-2 OL-4059-01

Section	Page
Cisco Aironet 1400 Series Wireless Bridge Software Configuration Guide	1
Contents	3
Preface	13
Audience	13
Purpose	13
Organization	13
Conventions	15
Related Publications	17
Overview	19
Features	20
Management Options	20
Network Configuration Examples	21
Point-to-Point Bridging	21
Point-to-Multipoint Bridging	22
Redundant Bridging	22
Configuring the Bridge for the First Time	25
Before You Start	26
Resetting the Bridge to Default Settings	26
Obtaining and Assigning an IP Address	27
Connecting to the Bridge Locally	27
Assigning Basic Settings	28
Default Settings on the Express Setup Page	32
Protecting Your Wireless LAN	32
Using the IP Setup Utility	32
Obtaining and Installing IPSU	33
Using IPSU to Find the Bridge’s IP Address	33
Using IPSU to Set the Bridge’s IP Address and SSID	34
Assigning an IP Address Using the CLI	35
Using a Telnet Session to Access the CLI	36
Using the Web-Browser Interface	37
Using the Web-Browser Interface for the First Time	38
Using the Management Pages in the Web-Browser Interface	38
Using Action Buttons	39
Character Restrictions in Entry Fields	40
Using Online Help	41
Using the Command-Line Interface	43
IOS Command Modes	44
Getting Help	45
Abbreviating Commands	45
Using no and default Forms of Commands	45
Understanding CLI Messages	46
Using Command History	46
Changing the Command History Buffer Size	46
Recalling Commands	47
Disabling the Command History Feature	47
Using Editing Features	47
Enabling and Disabling Editing Features	48
Editing Commands Through Keystrokes	48
Editing Command Lines that Wrap	49
Searching and Filtering Output of show and more Commands	50
Accessing the CLI	50
Opening the CLI with Telnet	50
Opening the CLI with Secure Shell	51
Administering the Bridge	53
Preventing Unauthorized Access to Your Bridge	54
Protecting Access to Privileged EXEC Commands	54
Default Password and Privilege Level Configuration	54
Setting or Changing a Static Enable Password	55
Protecting Enable and Enable Secret Passwords with Encryption	56
Configuring Username and Password Pairs	57
Configuring Multiple Privilege Levels	58
Setting the Privilege Level for a Command	58
Logging Into and Exiting a Privilege Level	59
Controlling Bridge Access with RADIUS	59
Default RADIUS Configuration	60
Configuring RADIUS Login Authentication	60
Defining AAA Server Groups	61
Configuring RADIUS Authorization for User Privileged Access and Network Services	63
Displaying the RADIUS Configuration	64
Controlling Bridge Access with TACACS+	64
Default TACACS+ Configuration	65
Configuring TACACS+ Login Authentication	65
Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services	66
Displaying the TACACS+ Configuration	67
Configuring the Bridge for Local Authentication and Authorization	67
Configuring the Bridge for Secure Shell	68
Understanding SSH	68
Configuring SSH	69
Managing the System Time and Date	69
Understanding the System Clock	69
Understanding Network Time Protocol	70
Configuring NTP	71
Default NTP Configuration	72
Configuring NTP Authentication	72
Configuring NTP Associations	73
Configuring NTP Broadcast Service	74
Configuring NTP Access Restrictions	75
Creating an Access Group and Assigning a Basic IP Access List	76
Disabling NTP Services on a Specific Interface	77
Configuring the Source IP Address for NTP Packets	77
Displaying the NTP Configuration	78
Configuring Time and Date Manually	78
Setting the System Clock	79
Displaying the Time and Date Configuration	79
Configuring the Time Zone	80
Configuring Summer Time (Daylight Saving Time)	81
Configuring a System Name and Prompt	83
Default System Name and Prompt Configuration	83
Configuring a System Name	83
Understanding DNS	84
Default DNS Configuration	84
Setting Up DNS	84
Displaying the DNS Configuration	85
Creating a Banner	85
Default Banner Configuration	86
Configuring a Message-of-the-Day Login Banner	86
Configuring a Login Banner	87
Configuring Radio Settings	89
Disabling and Enabling the Radio Interface	90
Configuring the Role in Radio Network	90
Configuring the Radio Distance Setting	91
Configuring Radio Data Rates	91
Configuring Radio Transmit Power	92
Configuring Radio Channel Settings	93
Disabling and Enabling Aironet Extensions	94
Configuring the Ethernet Encapsulation Transformation Method	94
Configuring the Beacon Period	94
Configuring RTS Threshold and Retries	95
Configuring the Maximum Data Retries	95
Configuring the Fragmentation Threshold	96
Configuring Packet Concatenation	96
Performing a Carrier Busy Test	97
Configuring SSIDs	99
Understanding SSIDs	100
Configuring the SSID	100
Default SSID Configuration	100
Creating an SSID	101
Configuring Spanning Tree Protocol	103
Understanding Spanning Tree Protocol	104
STP Overview	104
Bridge Protocol Data Units	105
Election of the Spanning-Tree Root	106
Spanning-Tree Timers	106
Creating the Spanning-Tree Topology	106
Spanning-Tree Interface States	107
Blocking State	108
Listening State	109
Learning State	109
Forwarding State	109
Disabled State	109
Configuring STP Features	110
Default STP Configuration	110
Configuring STP Settings	110
STP Configuration Examples	111
Root Bridge Without VLANs	111
Non-Root Bridge Without VLANs	112
Root Bridge with VLANs	113
Non-Root Bridge with VLANs	114
Displaying Spanning-Tree Status	116
Configuring WEP and WEP Features	117
Understanding WEP	118
Configuring WEP and WEP Features	118
Creating WEP Keys	118
Enabling and Disabling WEP and Enabling TKIP and MIC	119
Configuring Authentication Types	121
Understanding Authentication Types	122
Open Authentication to the Bridge	122
Shared Key Authentication to the Bridge	122
EAP Authentication to the Network	123
Configuring Authentication Types	125
Default Authentication Settings	125
Assigning Authentication Types to an SSID	125
Configuring Authentication Holdoffs, Timeouts, and Intervals	127
Setting Up a Non-Root Bridge as a LEAP Client	128
Matching Authentication Types on Root and Non-Root Bridges	129
Configuring RADIUS and TACACS+ Servers	131
Configuring and Enabling RADIUS	132
Understanding RADIUS	132
RADIUS Operation	133
Configuring RADIUS	134
Default RADIUS Configuration	134
Identifying the RADIUS Server Host	134
Configuring RADIUS Login Authentication	137
Defining AAA Server Groups	139
Configuring RADIUS Authorization for User Privileged Access and Network Services	141
Starting RADIUS Accounting	142
Configuring Settings for All RADIUS Servers	143
Configuring the Bridge to Use Vendor-Specific RADIUS Attributes	143
Configuring the Bridge for Vendor-Proprietary RADIUS Server Communication	144
Displaying the RADIUS Configuration	145
Configuring and Enabling TACACS+	146
Understanding TACACS+	146
TACACS+ Operation	147
Configuring TACACS+	147
Default TACACS+ Configuration	148
Identifying the TACACS+ Server Host and Setting the Authentication Key	148
Configuring TACACS+ Login Authentication	149
Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services	150
Starting TACACS+ Accounting	151
Displaying the TACACS+ Configuration	152
Configuring VLANs	153
Understanding VLANs	154
Related Documents	155
Incorporating Wireless Bridges into VLANs	156
Configuring VLANs	156
Configuring a VLAN	156
Viewing VLANs Configured on the Bridge	159
Configuring QoS	161
Understanding QoS for Wireless LANs	162
QoS for Wireless LANs Versus QoS on Wired LANs	162
Impact of QoS on a Wireless LAN	162
Precedence of QoS Settings	163
Configuring QoS	163
Configuration Guidelines	163
Configuring QoS Using the Web-Browser Interface	164
Adjusting Radio Traffic Class Definitions	168
CW-min and CW-max Settings for Point-to-Point and Point-to-Multipoint Bridge Links	169
QoS Configuration Examples	170
Giving Priority to Voice Traffic	170
Giving Priority to Video Traffic	172
Configuring Filters	173
Understanding Filters	174
Configuring Filters Using the CLI	174
Configuring Filters Using the Web-Browser Interface	174
Configuring and Enabling MAC Address Filters	175
Creating a MAC Address Filter	176
Configuring and Enabling IP Filters	177
Creating an IP Filter	179
Configuring and Enabling Ethertype Filters	180
Creating an Ethertype Filter	181
Configuring CDP	183
Understanding CDP	184
Configuring CDP	184
Default CDP Configuration	184
Configuring the CDP Characteristics	185
Disabling and Enabling CDP	185
Disabling and Enabling CDP on an Interface	186
Monitoring and Maintaining CDP	187
Configuring SNMP	191
Understanding SNMP	192
SNMP Versions	192
SNMP Manager Functions	193
SNMP Agent Functions	193
SNMP Community Strings	193
Using SNMP to Access MIB Variables	194
Configuring SNMP	194
Default SNMP Configuration	195
Enabling the SNMP Agent	195
Configuring Community Strings	195
Configuring Trap Managers and Enabling Traps	197
Setting the Agent Contact and Location Information	199
Using the snmp-server view Command	199
SNMP Examples	199
Displaying SNMP Status	200
Managing Firmware and Configurations	201
Working with the Flash File System	202
Displaying Available File Systems	202
Setting the Default File System	203
Displaying Information About Files on a File System	203
Changing Directories and Displaying the Working Directory	204
Creating and Removing Directories	204
Copying Files	205
Deleting Files	205
Creating, Displaying, and Extracting tar Files	206
Creating a tar File	206
Displaying the Contents of a tar File	207
Extracting a tar File	207
Displaying the Contents of a File	208
Working with Configuration Files	208
Guidelines for Creating and Using Configuration Files	209
Configuration File Types and Location	209
Creating a Configuration File by Using a Text Editor	210
Copying Configuration Files by Using TFTP	210
Preparing to Download or Upload a Configuration File by Using TFTP	210
Downloading the Configuration File by Using TFTP	211
Uploading the Configuration File by Using TFTP	211
Copying Configuration Files by Using FTP	212
Preparing to Download or Upload a Configuration File by Using FTP	213
Downloading a Configuration File by Using FTP	213
Uploading a Configuration File by Using FTP	214
Copying Configuration Files by Using RCP	215
Preparing to Download or Upload a Configuration File by Using RCP	216
Downloading a Configuration File by Using RCP	216
Uploading a Configuration File by Using RCP	217
Clearing Configuration Information	218
Deleting a Stored Configuration File	218
Working with Software Images	219
Image Location on the Bridge	219
tar File Format of Images on a Server or Cisco.com	219
Copying Image Files by Using TFTP	220
Preparing to Download or Upload an Image File by Using TFTP	220
Downloading an Image File by Using TFTP	221
Uploading an Image File by Using TFTP	222
Copying Image Files by Using FTP	223
Preparing to Download or Upload an Image File by Using FTP	223
Downloading an Image File by Using FTP	224
Uploading an Image File by Using FTP	226
Copying Image Files by Using RCP	227
Preparing to Download or Upload an Image File by Using RCP	227
Downloading an Image File by Using RCP	229
Uploading an Image File by Using RCP	231
Reloading the Image Using the Web Browser Interface	232
Browser HTTP Interface	232
Browser TFTP Interface	232
Reloading the Image Using the Power Injector MODE button	233
Configuring System Message Logging	235
Understanding System Message Logging	236
Configuring System Message Logging	236
System Log Message Format	236
Default System Message Logging Configuration	237
Disabling and Enabling Message Logging	238
Setting the Message Display Destination Device	239
Enabling and Disabling Timestamps on Log Messages	240
Enabling and Disabling Sequence Numbers in Log Messages	240
Defining the Message Severity Level	241
Limiting Syslog Messages Sent to the History Table and to SNMP	242
Setting a Logging Rate Limit	243
Configuring UNIX Syslog Servers	244
Logging Messages to a UNIX Syslog Daemon	244
Configuring the UNIX System Logging Facility	244
Displaying the Logging Configuration	246
Troubleshooting	247
Checking the Bridge LEDs	248
Bridge Normal Mode LED Indications	249
Power Injector LEDs	250
Checking Power	252
Checking Basic Configuration Settings	253
SSID	253
Security Settings	253
Antenna Alignment	254
Resetting to the Default Configuration	254
Using the MODE Button	254
Using the Web Browser Interface	255
Reloading the Bridge Image	255
Using the MODE button	255
Web Browser Interface	256
Browser HTTP Interface	256
Browser TFTP Interface	257
Obtaining the Bridge Image File	257
Obtaining the TFTP Server Software	258
Channels and Antenna Settings	259
Channels	260
IEEE 802.11a (5-GHz Band)	260
Maximum Power Levels	260
5.8-GHz Band	260
Protocol Filters	261
Supported MIBs	267
MIB List	267
Using FTP to Access the MIB Files	268
Error and Event Messages	269
Glossary	273

Match case Limit results 1 per page

9-2

Cisco Aironet 1400 Series Wireless Bridges Software Configuration Guide

OL-4059-01

Chapter 9

Configuring WEP and WEP Features

Understanding WEP

Just as anyone within range of a radio station can tune to the station's frequency and listen to the signal,

any wireless networking device within range of an bridge can receive the bridge's radio transmissions.

Because WEP is the first line of defense against intruders, Cisco recommends that you use full

encryption on your wireless network.

WEP encryption scrambles the radio communication between bridges to keep the communication

private. Communicating bridges use the same WEP key to encrypt and unencrypt radio signals. WEP

keys encrypt both unicast and multicast messages. Unicast messages are addressed to just one device on

the network. Multicast messages are addressed to multiple devices on the network.

Extensible Authentication Protocol (EAP) authentication provides dynamic WEP keys to wireless

devices. Dynamic WEP keys are more secure than static, or unchanging, WEP keys. If an intruder

passively receives enough packets encrypted by the same WEP key, the intruder can perform a

calculation to learn the key and use it to join your network. Because they change frequently, dynamic

WEP keys prevent intruders from performing the calculation and learning the key. See

Chapter 10,

“Configuring Authentication Types,”

for detailed information on EAP and other authentication types.

Two additional security features defend your wireless network's WEP keys:

•

Message Integrity Check (MIC)—MIC prevents attacks on encrypted packets called

bit-flip attacks

During a bit-flip attack, an intruder intercepts an encrypted message, alters it slightly, and

retransmits it, and the receiver accepts the retransmitted message as legitimate. The MIC,

implemented on associated bridges, adds a few bytes to each packet to make the packets tamper

proof.

•

TKIP (Temporal Key Integrity Protocol, also known as

WEP key hashing

)—This feature defends

against an attack on WEP in which the intruder uses the unencrypted initialization vector (IV) in

encrypted packets to calculate the WEP key. TKIP removes the predictability that an intruder relies

on to determine the WEP key by exploiting IVs.

Note

If VLANs are enabled on your bridges, WEP, MIC, and TKIP are supported only on the native VLAN.

Configuring WEP and WEP Features

These sections describe how to configure WEP and additional WEP features such as MIC and TKIP:

•

Creating WEP Keys, page 9-2

•

Enabling and Disabling WEP and Enabling TKIP and MIC, page 9-3

WEP, TKIP, and MIC are disabled by default.

Creating WEP Keys

Beginning in privileged EXEC mode, follow these steps to create a WEP key and set the key properties:

Command

Purpose

Step 1

configure terminal

Enter global configuration mode.

Step 2

interface dot11radio 0

Enter interface configuration mode for the radio interface.