Cisco Aironet 1200 Access Point Product Brochure
© 2005 Cisco Systems, Inc. All rights reserved.
Important notices, privacy statements, and trademarks of Cisco Systems, Inc. can be found on cisco.com.
Page 10 of 15
In conjunction with encryption keys and the reauthentication timer, VLAN name/ID and SSID parameters are passed to the autonomous access
point or wireless LAN controller. When the autonomous access point or wireless LAN controller receives the VLAN name/ID assignment for a
specific user, it places that user on the specified VLAN name/ID. If the allowed SSID list is also passed to the access point or controller, the access
point or controller will help ensure that the user is providing a valid SSID to access the WLAN. If the user provides an SSID not specified in the
allowed SSID list, the access point or wireless LAN controller disassociates the user from the WLAN network.
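The post-authentication decision described above, as an added example in Python (not Cisco code). It models the access point's side: the RADIUS Access-Accept carries a VLAN name/ID and, optionally, an allowed-SSID list; the station is placed on the assigned VLAN and is disassociated when its SSID is not on the list. Assumptions not stated on the page: the VLAN arrives in the RFC 2868/3580 tunnel attributes, each allowed SSID arrives as a vendor AV pair of the form "ssid=<name>", and an assignment to a VLAN the access point has not configured is handled fail-closed (disassociate rather than fall back to a default VLAN).

```python
"""Access-point-side enforcement of a RADIUS-assigned VLAN and allowed-SSID list.

Constructed example, not Cisco code. Attribute layout (RFC 3580 tunnel
attributes for the VLAN, "ssid=<name>" AV pairs for the allowed SSIDs) and the
fail-closed handling of an unknown VLAN are assumptions, not page content.
"""
from dataclasses import dataclass
from typing import Optional

# RFC 3580 values for a VLAN assignment carried over IEEE 802 media.
TUNNEL_TYPE_VLAN = "13"
TUNNEL_MEDIUM_IEEE802 = "6"

Attrs = list[tuple[str, str]]   # (attribute name, value) pairs from Access-Accept


@dataclass(frozen=True)
class Decision:
    action: str            # "admit" or "disassociate"
    vlan: Optional[str]    # VLAN the station was placed on (None if disassociated)
    reason: str


def assigned_vlan(attrs: Attrs) -> Optional[str]:
    """VLAN name/ID from the tunnel attributes, or None when no valid assignment."""
    tunnel_type = tunnel_medium = group_id = None
    for name, value in attrs:
        if name == "Tunnel-Type":
            tunnel_type = value
        elif name == "Tunnel-Medium-Type":
            tunnel_medium = value
        elif name == "Tunnel-Private-Group-ID":
            group_id = value
    # All three must agree; a stray Tunnel-Private-Group-ID on its own is ignored.
    if tunnel_type == TUNNEL_TYPE_VLAN and tunnel_medium == TUNNEL_MEDIUM_IEEE802:
        return group_id
    return None


def allowed_ssids(attrs: Attrs) -> set[str]:
    """Every 'ssid=<name>' AV pair (assumed format); an empty set means no restriction."""
    return {value[len("ssid="):] for name, value in attrs
            if name == "Cisco-AVPair" and value.startswith("ssid=")}


def enforce(attrs: Attrs, station_ssid: str, configured_vlans: set[str],
            default_vlan: str) -> Decision:
    """Decide what the access point does with a freshly authenticated station."""
    permitted = allowed_ssids(attrs)
    if permitted and station_ssid not in permitted:
        return Decision("disassociate", None,
                        f"SSID {station_ssid!r} not in allowed list {sorted(permitted)}")
    vlan = assigned_vlan(attrs)
    if vlan is None:
        return Decision("admit", default_vlan, "no VLAN assignment; SSID default VLAN")
    if vlan not in configured_vlans:
        # Assumed fail-closed handling: never silently move the user to another VLAN.
        return Decision("disassociate", None, f"assigned VLAN {vlan!r} not configured here")
    return Decision("admit", vlan, "placed on RADIUS-assigned VLAN")


# Constructed sample Access-Accept contents (not captured from a real server).
ENGINEER_ACCEPT: Attrs = [
    ("Tunnel-Type", TUNNEL_TYPE_VLAN),
    ("Tunnel-Medium-Type", TUNNEL_MEDIUM_IEEE802),
    ("Tunnel-Private-Group-ID", "engineering"),
    ("Cisco-AVPair", "ssid=corp-secure"),
    ("Cisco-AVPair", "ssid=corp-lab"),
]
GUEST_ACCEPT: Attrs = [("Cisco-AVPair", "ssid=guest")]
STALE_ACCEPT: Attrs = [
    ("Tunnel-Type", TUNNEL_TYPE_VLAN),
    ("Tunnel-Medium-Type", TUNNEL_MEDIUM_IEEE802),
    ("Tunnel-Private-Group-ID", "decommissioned"),
]
AP_VLANS = {"engineering", "guest", "corp-default"}

if __name__ == "__main__":
    for attrs, ssid in [(ENGINEER_ACCEPT, "corp-secure"), (ENGINEER_ACCEPT, "guest"),
                        (GUEST_ACCEPT, "guest"), (STALE_ACCEPT, "corp-secure")]:
        print(ssid, "->", enforce(attrs, ssid, AP_VLANS, "corp-default"))
```

The two disassociate paths are the ones worth logging on a real access point: a station that authenticated successfully but used an SSID outside its allowed list is a policy violation, and a VLAN the RADIUS server names but the access point lacks is usually a configuration drift between the server and the access point.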
The Cisco Unified Wireless Network supports Simple Network Management Protocol Version 3 (SNMPv3), Secure Shell (SSH) Protocol (secure
Telnet), and SSL (secure Web) interfaces to the Cisco Wireless Control System (WCS). Furthermore, the Cisco WCS is configurable such that
management is not possible over the air, and it supports a separate management VLAN so only stations on a specific VLAN can modify the WLAN
network settings.
Management Frame Protection (MFP) provides strong cryptographic authentication of WLAN management frames for the detection and prevention
of 802.11 management frame attacks. This provides more accurate detection of 802.11 exploit tools. Not only is this effective
against known attacks, but also against any future attacks that rely on the unprotected nature of WLAN management frames.
Mitigation of Brute-Force Attacks
Traditional WLAN implementations based on static encryption keys are easily susceptible to “brute-force” network attacks. A brute-force network
attack is one in which the intruder attempts to derive an encryption key by trying one value at a time. For standard 128-bit WEP, this would require
trying a maximum of 2^104 different keys. The use of 802.1X dynamic, per-user, per-session encryption keys makes a brute-force attack, although
still theoretically possible, extremely difficult to conduct and virtually futile.
WPA Encryption—Temporal Key Integrity Protocol
The Cisco Unified Wireless Network supports TKIP, a WPA component and an IEEE 802.11i standard. TKIP is an enhancement to WEP security.
Like WEP, TKIP uses an encryption method developed by engineer Ron Rivest, known as Ron’s Code 4 (RC4) encryption. However, TKIP
enhances WEP by adding measures such as per-packet key hashing, MIC, and broadcast key rotation to address known vulnerabilities of WEP.
TKIP uses the RC4 stream cipher with 128-bit keys for encryption and 64-bit keys for authentication. By encrypting data with a key that can be used
only by the intended recipient of the data, TKIP helps to ensure that only the intended audience understands the transmitted data. TKIP encryption
can generate up to 280 trillion possible keys for a given data packet.
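The 64-bit "authentication" key mentioned above is the key of Michael, the TKIP message integrity code (MIC). As an added example (not Cisco code, written from the IEEE 802.11i description of Michael), the block below implements the MIC and checks it against the first two entries of the 802.11i Michael test sequence: the all-zero key over the empty message, then that result used as the key over the one-byte message "M".

```python
"""Michael, the TKIP message integrity code (MIC), from the IEEE 802.11i
description. Constructed example, not Cisco code. Michael takes an 8-byte key
and produces an 8-byte tag; in TKIP it covers the MSDU together with the
addresses and priority, but here it is applied to the bare message bytes.
"""
import hmac

MASK32 = 0xFFFFFFFF


def _rol(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def _ror(x: int, n: int) -> int:
    return ((x >> n) | (x << (32 - n))) & MASK32


def _xswap(x: int) -> int:
    """Swap the two bytes inside each 16-bit half of the word."""
    return ((x & 0x00FF00FF) << 8) | ((x & 0xFF00FF00) >> 8)


def _block(l: int, r: int) -> tuple[int, int]:
    """One application of the Michael block function b(L, R)."""
    r ^= _rol(l, 17)
    l = (l + r) & MASK32
    r ^= _xswap(l)
    l = (l + r) & MASK32
    r ^= _rol(l, 3)
    l = (l + r) & MASK32
    r ^= _ror(l, 2)
    l = (l + r) & MASK32
    return l, r


def michael(key: bytes, msg: bytes) -> bytes:
    """Return the 8-byte Michael MIC of msg under the 8-byte (64-bit) key."""
    if len(key) != 8:
        raise ValueError("Michael key must be exactly 64 bits")
    l = int.from_bytes(key[:4], "little")
    r = int.from_bytes(key[4:], "little")
    # Padding as specified: one 0x5a byte, then 4 to 7 zero bytes, so that the
    # padded length is a multiple of 4.
    padded = msg + b"\x5a" + b"\x00" * 4
    padded += b"\x00" * (-len(padded) % 4)
    for i in range(0, len(padded), 4):
        l ^= int.from_bytes(padded[i:i + 4], "little")
        l, r = _block(l, r)
    return l.to_bytes(4, "little") + r.to_bytes(4, "little")


def mic_matches(key: bytes, msg: bytes, received_mic: bytes) -> bool:
    """Receiver-side check; a False result is TKIP's 'MIC failure' event."""
    return hmac.compare_digest(michael(key, msg), received_mic)


# Test vectors from the IEEE 802.11i Michael test sequence.
VECTORS = [
    (bytes(8), b"", "82925c1ca1d130b8"),
    (bytes.fromhex("82925c1ca1d130b8"), b"M", "434721ca40639b3f"),
]

if __name__ == "__main__":
    for key, msg, expected in VECTORS:
        got = michael(key, msg).hex()
        print(f"key={key.hex()} msg={msg!r} mic={got} ok={got == expected}")
```

The receiver-side comparison is the detection point: Michael was designed to run on the WEP-era hardware of the day and offers roughly 20 bits of security on its own, which is why 802.11i pairs it with countermeasures (a station that sees two MIC failures within 60 seconds disables its keys and forces a rekey). A MIC failure counter is therefore a signal worth exporting from any TKIP deployment rather than a condition to ignore.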
With the Cisco Unified Wireless Network, both Cisco TKIP and WPA TKIP algorithms are available on Cisco Aironet autonomous access points
and Cisco Aironet and Cisco Compatible WLAN client devices. Although Cisco TKIP and WPA TKIP do not interoperate, Cisco Aironet Series
autonomous access points can run both Cisco TKIP and WPA TKIP simultaneously when using multiple VLANs. System administrators will
need to choose one set of TKIP algorithms to activate on the enterprise’s client devices because clients cannot support both sets of TKIP algorithms
simultaneously. Cisco recommends that WPA TKIP be used for client devices and access points wherever possible. Cisco wireless LAN controllers
and Cisco Aironet lightweight access points support only WPA TKIP.