Cisco Wireless LAN Controller Configuration Guide, Release 7.5
Configuring CKIP
Downloads: This chapterpdf (PDF - 1.2MB) The complete bookPDF (PDF - 19.52MB) | The complete bookePub (ePub - 4.58MB) | Feedback

Configuring CKIP

Information About CKIP

Cisco Key Integrity Protocol (CKIP) is a Cisco-proprietary security protocol for encrypting 802.11 media. CKIP improves 802.11 security in infrastructure mode using key permutation, a message integrity check (MIC), and a message sequence number. Software release 4.0 or later releases support CKIP with a static key. For this feature to operate correctly, you must enable Aironet information elements (IEs) for the WLAN.

A lightweight access point advertises support for CKIP in beacon and probe response packets by adding an Aironet IE and setting one or both of the CKIP negotiation bits (key permutation and multi-modular hash message integrity check [MMH MIC]). Key permutation is a data encryption technique that uses the basic encryption key and the current initialization vector (IV) to create a new key. MMH MIC prevents bit-flip attacks on encrypted packets by using a hash function to compute message integrity code.

The CKIP settings specified in a WLAN are mandatory for any client attempting to associate. If the WLAN is configured for both CKIP key permutation and MMH MIC, the client must support both. If the WLAN is configured for only one of these features, the client must support only the CKIP feature.

CKIP requires that 5-byte and 13-byte encryption keys be expanded to 16-byte keys. The algorithm to perform key expansion occurs at the access point. The key is appended to itself repeatedly until the length reaches 16 bytes. All lightweight access points support CKIP.

Note


CKIP is supported for use only with static WEP. It is not supported for use with dynamic WEP. Therefore, a wireless client that is configured to use CKIP with dynamic WEP is unable to associate to a WLAN that is configured for CKIP. We recommend that you use either dynamic WEP without CKIP (which is less secure) or WPA/WPA2 with TKIP or AES (which are more secure).


Configuring CKIP (GUI)


    Step 1   Choose WLANs to open the WLANs page.
    Step 2   Click the ID number of the desired WLAN to open the WLANs > Edit page.
    Step 3   Choose the Advanced tab.
    Step 4   Select the Aironet IE check box to enable Aironet IEs for this WLAN and click Apply.
    Step 5   Choose the General tab.
    Step 6   Unselect the Status check box, if selected, to disable this WLAN and click Apply.
    Step 7   Choose the Security and Layer 2 tabs to open the WLANs > Edit (Security > Layer 2) page.
    Step 8   Choose CKIP from the Layer 2 Security drop-down list.
    Step 9   Under CKIP Parameters, choose the length of the CKIP encryption key from the Key Size drop-down list.The range is Not Set, 40 bits, or 104 bits and the default is Not Set.
    Step 10   Choose the number to be assigned to this key from the Key Index drop-down list. You can configure up to four keys.
    Step 11   From the Key Format drop-down list, choose ASCII or HEX and then enter an encryption key in the Encryption Key text box. 40-bit keys must contain 5 ASCII text characters or 10 hexadecimal characters. 104-bit keys must contain 13 ASCII text characters or 26 hexadecimal characters.
    Step 12   Select the MMH Mode check box to enable MMH MIC data protection for this WLAN. The default value is disabled (or unselected).
    Step 13   Select the Key Permutation check box to enable this form of CKIP data protection. The default value is disabled (or unselected).
    Step 14   Click Apply to commit your changes.
    Step 15   Choose the General tab.
    Step 16   Select the Status check box to enable this WLAN.
    Step 17   Click Apply to commit your changes.
    Step 18   Click Save Configuration to save your changes.

    Configuring CKIP (CLI)


      Step 1   Disable the WLAN by entering this command:

      config wlan disable wlan_id

      Step 2   Enable Aironet IEs for this WLAN by entering this command:

      config wlan ccx aironet-ie enable wlan_id

      Step 3   Enable or disable CKIP for the WLAN by entering this command:

      config wlan security ckip { enable | disable} wlan_id

      Step 4   Specify a CKIP encryption key for the WLAN by entering this command:

      config wlan security ckip akm psk set-key wlan_id { 40 | 104} { hex | ascii} key key_index

      Step 5   Enable or disable CKIP MMH MIC for the WLAN by entering this command:

      config wlan security ckip mmh-mic { enable | disable} wlan_id

      Step 6   Enable or disable CKIP key permutation for the WLAN by entering this command:

      config wlan security ckip kp { enable | disable} wlan_id

      Step 7   Enable the WLAN by entering this command:

      config wlan enable wlan_id

      Step 8   Save your settings by entering this command:

      save config