Additional WEP Key Security Features - Cisco Aironet Installation and Configuration Manual

Wireless LAN client adapters for Windows

Chapter 5: Configuring the Client Adapter
Setting Network Security Parameters
Cisco Aironet Wireless LAN Client Adapters Installation and Configuration Guide for Windows, OL-1394-04, page 5-25

2. Communicating through the access point, the client and RADIUS server complete the authentication process, with the password (LEAP, EAP-MD5, and PEAP), certificate (EAP-TLS), or internal key stored on the SIM card and in the service provider's Authentication Center (EAP-SIM) being the shared secret for authentication. The password, certificate, or internal key is never transmitted during the process.

Note: The authentication process is now complete for EAP-MD5. For LEAP, EAP-TLS, PEAP, and EAP-SIM, the process continues.

3. If authentication is successful, the client and RADIUS server derive a dynamic, session-based WEP key that is unique to the client.

4. The RADIUS server transmits the key to the access point using a secure channel on the wired LAN.

5. For the length of a session, or time period, the access point and the client use this key to encrypt or decrypt all unicast packets (and broadcast packets if the access point is set up to do so) that travel between them.

Refer to the "Enabling LEAP" section on page 5-31 for instructions on enabling LEAP or to the "Enabling Host-Based EAP" section on page 5-34 for instructions on enabling EAP-TLS, EAP-MD5, PEAP, or EAP-SIM.

Note: Refer to the IEEE 802.11 Standard for more information on 802.1X authentication and to the following URL for additional information on RADIUS servers:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt2/scrad.htm

Additional WEP Key Security Features

The three security features discussed in this section (MIC, TKIP, and broadcast key rotation) are designed to prevent sophisticated attacks on your wireless network's WEP keys. These features are supported in the following client adapter software releases:

- PCM/LMC/PCI card firmware version 4.25.23 or greater and driver version 8.01 or greater
- Mini PCI card firmware version 5.0 or greater and driver version 2.20 or greater
- PC-Cardbus card firmware version 4.99 or greater and driver version 3.4 or greater

These features do not need to be enabled on the client adapter; they are supported automatically in the firmware and driver versions listed above. However, they must be enabled on the access point.

Note: Access point firmware version 11.10T or greater is required to enable these security features. Refer to the Software Configuration Guide for your access point for instructions on enabling these security features.

Message Integrity Check (MIC)

MIC prevents bit-flip attacks on encrypted packets. During a bit-flip attack, an intruder intercepts an encrypted message, alters it slightly, and retransmits it, and the receiver accepts the retransmitted message as legitimate. The MIC adds a few bytes to each packet to make the packets tamper-proof.

The Status screen indicates if MIC is being used, and the Statistics screen provides MIC statistics.
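The bit-flip problem described in the Message Integrity Check (MIC) section, as an added illustration that is not code from the Cisco guide: a receiver that checks only WEP's unkeyed CRC-32 checksum accepts a frame altered in transit, while a receiver that also checks a keyed tag rejects it. Assumptions: a SHA-256 counter keystream stands in for WEP's RC4, truncated HMAC-SHA256 stands in for the MIC algorithm (which the guide does not specify), and the keys, payload and frame layout are constructed for the example.

```python
import hashlib
import hmac
import zlib

def keystream(key, n):
    """Stand-in stream cipher (SHA-256 in counter mode), not RC4."""
    out = b"".join(hashlib.sha256(key + bytes([i])).digest() for i in range(n // 32 + 1))
    return out[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data):
    """Unkeyed CRC-32 checksum, the integrity value plain WEP relies on."""
    return zlib.crc32(data).to_bytes(4, "little")

def mic(mic_key, data):
    """Keyed tag. Assumption: truncated HMAC-SHA256 stands in for the MIC."""
    return hmac.new(mic_key, data, hashlib.sha256).digest()[:8]

def seal(enc_key, mic_key, payload, use_mic):
    """Sender side: payload [+ keyed tag] + CRC-32, all XORed with the keystream."""
    body = payload + (mic(mic_key, payload) if use_mic else b"")
    body += icv(body)
    return xor(body, keystream(enc_key, len(body)))

def receive(enc_key, mic_key, frame, use_mic):
    """Receiver side: return the payload if the frame is accepted, else None."""
    plain = xor(frame, keystream(enc_key, len(frame)))
    body, got_icv = plain[:-4], plain[-4:]
    if got_icv != icv(body):
        return None
    if not use_mic:
        return body
    payload, tag = body[:-8], body[-8:]
    return payload if hmac.compare_digest(tag, mic(mic_key, payload)) else None

def alter_in_transit(frame, delta):
    """Keyless change: CRC-32 is affine under XOR, so the checksum follows the flip."""
    n = len(frame) - 4
    d = delta.ljust(n, b"\0")
    return xor(frame, d + xor(icv(d), icv(bytes(n))))

ENC_KEY, MIC_KEY = b"constructed-wep-key", b"constructed-mic-key"
PAYLOAD = b"temp=021;unit=C"   # constructed sample payload
DELTA = bytes(5) + b"\x09"     # flips the '0' (0x30) at offset 5 to '9' (0x39)

def demo(use_mic):
    """What the receiver returns for a frame altered in transit."""
    frame = seal(ENC_KEY, MIC_KEY, PAYLOAD, use_mic)
    return receive(ENC_KEY, MIC_KEY, alter_in_transit(frame, DELTA), use_mic)
```

`demo(False)` returns the altered payload because the checksum still matches; `demo(True)` returns `None` because the keyed tag cannot be recomputed without the MIC key.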