Cisco Cisco Aironet 350 Mini-PCI Wireless LAN Client Adapter Guia Do Desenho
11-14
Enterprise Mobility 4.1 Design Guide
OL-14435-01
Chapter 11 Mobile Access Router, Universal Bridge Client, and Cisco Unified Wireless
Security
Configuring Additional WPA Settings
Use two optional settings to configure a pre-shared key on the bridge and adjust the frequency of group
key updates.
key updates.
Setting a Pre-Shared Key
To support WPA on a wireless LAN where 802.1x-based authentication is not available, you must
configure a pre-shared key on the bridge. You can enter the pre-shared key as ASCII or hexadecimal
characters. If you enter the key as ASCII characters, you enter between 8 and 63 characters, and the
bridge expands the key using the process described in the Password-based Cryptography Standard
(RFC2898). If you enter the key as hexadecimal characters, you must enter 64 hexadecimal characters.
Keep in mind that WPA-PSK is susceptible to some known attack tools. However, note that the
WPA-PSK authentication mechanism was intended to be used for consumer networks, not
small-to-medium businesses or enterprise networks, and is not suggested to be used in an
enterprise-class WGB or mesh environment.
configure a pre-shared key on the bridge. You can enter the pre-shared key as ASCII or hexadecimal
characters. If you enter the key as ASCII characters, you enter between 8 and 63 characters, and the
bridge expands the key using the process described in the Password-based Cryptography Standard
(RFC2898). If you enter the key as hexadecimal characters, you must enter 64 hexadecimal characters.
Keep in mind that WPA-PSK is susceptible to some known attack tools. However, note that the
WPA-PSK authentication mechanism was intended to be used for consumer networks, not
small-to-medium businesses or enterprise networks, and is not suggested to be used in an
enterprise-class WGB or mesh environment.
Fortunately, off-line dictionary attacks are not very effective against WPA-PSK networks, because of the
IEEE selection of the pbkdf2 algorithm for PSK hashing. A key generated from a passphrase of less than
approximately 20 characters is likely to be vulnerable to a dictionary attack. If you intend to use
WPA-PSK, it is recommended that you use only truly random keys.
IEEE selection of the pbkdf2 algorithm for PSK hashing. A key generated from a passphrase of less than
approximately 20 characters is likely to be vulnerable to a dictionary attack. If you intend to use
WPA-PSK, it is recommended that you use only truly random keys.
Configuring Group Key Updates
In the last step in the WPA process, the root device distributes a group key to the authenticated non-root
bridge. You can use the following optional settings to configure the root device to change and distribute
the group key based on association and disassociation of non-root bridges:
bridge. You can use the following optional settings to configure the root device to change and distribute
the group key based on association and disassociation of non-root bridges:
•
Membership termination—The root device generates and distributes a new group key when any
authenticated non-root bridge disassociates from the root device. This feature keeps the group key
private for associated bridges.
authenticated non-root bridge disassociates from the root device. This feature keeps the group key
private for associated bridges.
•
Capability change—The root device generates and distributes a dynamic group key when the last
non-key management non-root bridge disassociates, and it distributes the statically configured key
when the first non-key management non-root bridge authenticates. In WPA migration mode, this
feature significantly improves the security of key-management capable clients.
non-key management non-root bridge disassociates, and it distributes the statically configured key
when the first non-key management non-root bridge authenticates. In WPA migration mode, this
feature significantly improves the security of key-management capable clients.
Beginning in privileged EXEC mode, follow these steps to configure a WPA pre-shared key and group
key update options:
key update options:
1.
Enter SSID configuration mode for the SSID:
dot11 ssid
ssid-string
2.
Enter a pre-shared key for bridges using WPA that also use static WEP keys.
wpa-psk { hex | ascii } [ 0 | 7 ]
encryption-key
Enter the key using either hexadecimal or ASCII characters. If you use hexadecimal, you must enter
64 hexadecimal characters to complete the 256-bit key. If you use ASCII, you must enter a minimum
of 8 letters, numbers, or symbols, and the bridge expands the key for you. You can enter a maximum
of 63 ASCII characters.
64 hexadecimal characters to complete the 256-bit key. If you use ASCII, you must enter a minimum
of 8 letters, numbers, or symbols, and the bridge expands the key for you. You can enter a maximum
of 63 ASCII characters.
WPA and Pre-shared Key Configuration Example
The following example shows how to configure a pre-shared key for non-root bridges using WPA and
static WEP, with group key update options:
static WEP, with group key update options: