Ckip - Cisco 2100 Series Configuration Manual

Wireless lan controller

Chapter 6: Configuring WLANs
Wireless Device Access
If you enabled WPA2 with 802.1X authenticated key management, the controller supports opportunistic
PMKID caching but not sticky (or non-opportunistic) PMKID caching. In sticky PMKID caching, the
client stores multiple PMKIDs. This approach is not practical because it requires full authentication for
each new access point and is not guaranteed to work in all conditions. In contrast, opportunistic PMKID
caching stores only one PMKID per client and is not subject to the limitations of sticky PMK caching.
Step 9   Enter this command to enable the WLAN:
         config wlan enable wlan_id
Step 10  Enter this command to save your settings:
         save config

CKIP

Cisco Key Integrity Protocol (CKIP) is a Cisco-proprietary security protocol for encrypting 802.11
media. CKIP improves 802.11 security in infrastructure mode using key permutation, message integrity
check (MIC), and message sequence number. Software release 4.0 or later supports CKIP with static key.
For this feature to operate correctly, you must enable Aironet information elements (IEs) for the WLAN.
A lightweight access point advertises support for CKIP in beacon and probe response packets by adding
an Aironet IE and setting one or both of the CKIP negotiation bits [key permutation and multi-modular
hash message integrity check (MMH MIC)]. Key permutation is a data encryption technique that uses
the basic encryption key and the current initialization vector (IV) to create a new key. MMH MIC
prevents bit-flip attacks on encrypted packets by using a hash function to compute a message integrity
code.
The CKIP settings specified in a WLAN are mandatory for any client attempting to associate. If the
WLAN is configured for both CKIP key permutation and MMH MIC, the client must support both. If
the WLAN is configured for only one of these features, the client must support only this CKIP feature.
CKIP requires that 5-byte and 13-byte encryption keys be expanded to 16-byte keys. Key expansion is
performed at the access point: the key is appended to itself repeatedly until the
length reaches 16 bytes. All lightweight access points support CKIP.
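The key expansion described above, as an added example that is not Cisco code. It shows that the expanded key is periodic and carries no more secret material than the original 5 or 13 bytes. The function names, the hex/ASCII input handling, the pass-through of 16-byte keys, and the truncation of the final copy at byte 16 are assumptions made for this illustration.

```python
# Added example, not Cisco code: CKIP static-key expansion as the text describes it.
CKIP_KEY_LEN = 16
# 5- and 13-byte keys are expanded; assumption: a 16-byte key is used unchanged.
ALLOWED_LENGTHS = (5, 13, 16)


def parse_key(text: str, key_format: str) -> bytes:
    """Decode a key given as 'hex' or 'ascii' (hypothetical helper)."""
    if key_format == "hex":
        return bytes.fromhex(text)  # ValueError on malformed hex
    if key_format == "ascii":
        return text.encode("ascii")  # UnicodeEncodeError on non-ASCII input
    raise ValueError(f"unknown key format: {key_format!r}")


def expand_ckip_key(key: bytes) -> bytes:
    """Append the key to itself until 16 bytes are filled.

    Assumption: the final copy is cut off at byte 16, since neither 5 nor 13
    divides 16 evenly.
    """
    if len(key) not in ALLOWED_LENGTHS:
        raise ValueError(f"CKIP key must be 5, 13 or 16 bytes, got {len(key)}")
    copies = -(-CKIP_KEY_LEN // len(key))  # ceiling division
    return (key * copies)[:CKIP_KEY_LEN]


def repeat_period(expanded: bytes) -> int:
    """Smallest p such that the expanded key repeats every p bytes."""
    n = len(expanded)
    for p in range(1, n + 1):
        if all(expanded[i] == expanded[i - p] for i in range(p, n)):
            return p
    return n


def secret_bits(key: bytes) -> int:
    """Upper bound on key entropy: expansion adds length, not secret material."""
    return len(key) * 8


if __name__ == "__main__":
    # Constructed sample keys, not taken from any real configuration.
    for raw in (parse_key("0102030405", "hex"), parse_key("ABCDEFGHIJKLM", "ascii")):
        out = expand_ckip_key(raw)
        print(out.hex(), "period", repeat_period(out), "secret bits", secret_bits(raw))
```
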
You can configure CKIP through either the GUI or the CLI.
Using the GUI to Configure CKIP
Follow these steps to configure a WLAN for CKIP using the controller GUI.
Step 1   Click WLANs to open the WLANs page.
Step 2   Click the ID number of the desired WLAN to open the WLANs > Edit page.
Step 3   Click the Advanced tab.
Step 4   Check the Aironet IE check box to enable Aironet IEs for this WLAN and click Apply.
Step 5   Click the General tab.
Step 6   Uncheck the Status check box, if checked, to disable this WLAN and click Apply.
Step 7   Click the Security and Layer 2 tabs to open the WLANs > Edit (Security > Layer 2) page (see
         Figure 6-12).

Cisco Wireless LAN Controller Configuration Guide (OL-17037-01), page 6-25

This manual is also suitable for:

4400 series