Configuring Wireless Security

This section describes how to configure the security mode for the SSID. All devices on this network must use the same security mode and settings to work correctly. Cisco recommends using the highest level of security that is supported by the devices in your network.

Note: If the security mode is set to WEP, or to WPA with the TKIP encryption algorithm, for an SSID that supports 802.11n, the transmit rate for its associated client stations will not exceed 54 Mbps.

 1. Click Wireless > Basic Settings.

 2. In the SSIDs area, click the Edit (pencil) icon to edit the settings for the SSID.

The SSID - Edit window opens.

 3. In the Security Mode tab, specify the following information:

 • SSID Name: The name of the SSID on which the security settings are applied.

 • User Limit: Specify the maximum number of users that can simultaneously connect to this SSID. Enter a value in the range 0 to 200. The value of zero (0) indicates that there is no limit for this SSID.

NOTE: The maximum number of users that can simultaneously connect to all enabled SSIDs is 200.

 • Security Mode: Choose the type of security.

Security modes and their descriptions:

Open

Any wireless device that is in range can connect to the SSID. This is the default setting but not recommended.

WEP

Wired Equivalent Privacy (WEP) is a data encryption protocol for 802.11 wireless networks. All wireless stations and SSIDs on the network are configured with a static 64-bit or 128-bit Shared Key for data encryption. The larger key size provides stronger encryption for your network.

WEP encryption is an older encryption method that is not considered to be secure and can easily be broken. Choose this option only if you need to allow access to devices that do not support WPA or WPA2.

WPA

Wi-Fi Protected Access (WPA) provides better security than WEP because it uses dynamic key encryption. This standard was implemented as an intermediate measure to replace WEP, pending final completion of the 802.11i standard for WPA2.

The security appliance supports the following WPA security modes. Choose one of them if you need to allow access to devices that do not support WPA2.

 • WPA-Personal: Supports TKIP (Temporal Key Integrity Protocol) or AES (Advanced Encryption Standard) encryption mechanisms for data encryption (default is TKIP). TKIP uses dynamic keys and incorporates a Message Integrity Code (MIC) to protect against tampered frames. AES uses symmetric 128-bit block encryption.

 • WPA-Enterprise: Uses WPA with RADIUS authentication. This mode supports TKIP and AES encryption mechanisms (default is TKIP) and requires the use of a RADIUS server to authenticate users.

WPA2

WPA2 provides the best security for wireless transmissions. This method implements the security standards specified in the final version of 802.11i. The security appliance supports the following WPA2 security modes:

 • WPA2-Personal: Always uses AES encryption mechanism for data encryption.

 • WPA2-Enterprise: Uses WPA2 with RADIUS authentication. This mode always uses AES encryption mechanism for data encryption and requires the use of a RADIUS server to authenticate users.

WPA + WPA2

Allows both WPA and WPA2 clients to connect simultaneously. The SSID automatically chooses the encryption algorithm used by each client device.

This security mode is a good choice to enable a higher level of security while allowing access by devices that might not support WPA2. The security appliance supports the following WPA+WPA2 security modes:

 • WPA/WPA2-Personal mixed: Supports the transition from WPA-Personal to WPA2-Personal. You can have client devices that use either WPA-Personal or WPA2-Personal.

 • WPA/WPA2-Enterprise mixed: Supports the transition from WPA-Enterprise to WPA2-Enterprise. You can have client devices that use either WPA-Enterprise or WPA2-Enterprise.

RADIUS

Uses RADIUS servers for client authentication and dynamic WEP key generation for data encryption.

 4. If you choose Open as the security mode, no other options are configurable. In this mode, any data transferred to and from the SSID is not encrypted. This security mode can be useful during initial network configuration or for troubleshooting, but it is not recommended for regular use on the internal network because it is not secure.

 5. If you choose WEP as the security mode, enter the following information:

 • Authentication Type: Choose either Open System or Shared Key, or choose Auto to let the security appliance accept both Open System and Shared Key schemes.

 • Default Transmit Key: Choose a key index as the default transmit key. Key indexes 1 through 4 are available.

 • Encryption: Choose the encryption type: 64 bits (10 hex digits), 64 bits (5 ASCII), 128 bits (26 hex digits), or 128 bits (13 ASCII). The default is 64 bits (10 hex digits). The larger size keys provide stronger encryption, thus making the key more difficult to crack.

 • Passphrase: If you want to generate WEP keys from a passphrase, enter any alphanumeric phrase (4 to 63 characters) and then click Generate to generate four unique WEP keys. Select one key to use as the key that devices must have to use the wireless network.

 • Key 1-4: If a WEP Passphrase is not specified, a key can be entered directly into one of the Key boxes. The length of the key should be 5 ASCII characters (or 10 hex characters) for 64-bit encryption and 13 ASCII characters (or 26 hex characters) for 128-bit encryption.

 6. If you choose WPA-Personal as the security mode, enter the following information:

 • Encryption: Choose either TKIP or TKIP_CCMP (AES) as the encryption algorithm for data encryption. The default is TKIP.

 • Shared Secret: The Pre-shared Key (PSK) is the shared secret key for WPA. Enter a string of at least 8 characters to a maximum of 63 characters.

 • Key Renewal Timeout: Enter a value to set the interval at which the key is refreshed for clients associated to this SSID. The valid range is 0 to 4194303 seconds. A value of zero (0) indicates that the key is not refreshed. The default value is 3600 seconds.

 7. If you choose WPA2-Personal as the security mode, enter the following information:

 • Encryption: AES is always used for data encryption.

 • Shared Secret: The Pre-shared Key (PSK) is the shared secret key for WPA. Enter a string of at least 8 characters to a maximum of 63 characters.

 • Key Renewal Timeout: Enter a value to set the interval at which the key is refreshed for clients associated to this SSID. The valid range is 0 to 4194303 seconds. A value of zero (0) indicates that the key is not refreshed. The default value is 3600 seconds.

 8. If you choose WPA/WPA2-Personal mixed as the security mode, enter the following information:

 • Encryption: TKIP or AES is chosen automatically for data encryption, according to what each client supports.

 • Shared Secret: The Pre-shared Key (PSK) is the shared secret key for WPA. Enter a string of at least 8 characters to a maximum of 63 characters.

 • Key Renewal Timeout: Enter a value to set the interval at which the key is refreshed for clients associated to this SSID. The valid range is 0 to 4194303 seconds. A value of zero (0) indicates that the key is not refreshed. The default value is 3600 seconds.

 9. If you choose WPA-Enterprise as the security mode, enter the following information:

 • Encryption: Choose either TKIP or AES as the encryption algorithm for data encryption. The default is TKIP.

 • Key Renewal Timeout: Enter a value to set the interval at which the key is refreshed for clients associated to this SSID. The valid range is 0 to 4194303 seconds. A value of zero (0) indicates that the key is not refreshed. The default value is 3600 seconds.

 • RADIUS Server ID: The security appliance predefines three RADIUS groups. Choose an existing RADIUS group for client authentication. The following RADIUS server settings of the selected group are displayed.

 – Primary RADIUS Server IP Address: The IP address of the primary RADIUS server.

 – Primary RADIUS Server Port: The port number of the primary RADIUS server.

 – Primary RADIUS Server Shared Secret: The shared secret key of the primary RADIUS server.

 – Secondary RADIUS Server IP Address: The IP address of the secondary RADIUS server.

 – Secondary RADIUS Server Port: The port number of the secondary RADIUS server.

 – Secondary RADIUS Server Shared Secret: The shared secret key of the secondary RADIUS server.

NOTE: You can change the settings in the above fields, but the RADIUS server settings you specify will replace the default settings of the selected group. To maintain the RADIUS servers, go to the Users > RADIUS Servers page. See Configuring RADIUS Servers, page 333.

 10. If you choose WPA2-Enterprise as the security mode, enter the following information:

 • Encryption: The AES encryption algorithm is always used for data encryption.

 • Key Renewal Timeout: Enter a value to set the interval at which the key is refreshed for clients associated to this SSID. The valid range is 0 to 4194303 seconds. A value of zero (0) indicates that the key is not refreshed. The default value is 3600 seconds.

 • RADIUS Server ID: Choose an existing RADIUS group for client authentication. The RADIUS server settings of the selected group are displayed. You can change the RADIUS server settings but the settings you specify will replace the default settings of the selected group. To maintain the RADIUS servers, go to the Users > RADIUS Servers page. See Configuring RADIUS Servers, page 333.

 11. If you choose WPA/WPA2-Enterprise Mixed as the security mode, enter the following information:

 • Encryption: The TKIP or AES encryption algorithm is chosen automatically for data encryption, according to what each client supports.

 • Key Renewal Timeout: Enter a value to set the interval at which the key is refreshed for clients associated to this SSID. The valid range is 0 to 4194303 seconds. A value of zero (0) indicates that the key is not refreshed. The default value is 3600 seconds.

 • RADIUS Server ID: Choose an existing RADIUS group for client authentication. The RADIUS server settings of the selected group are displayed. You can change the RADIUS server settings but the settings you specify will replace the default settings of the selected group. To maintain the RADIUS servers, go to the Users > RADIUS Servers page. See Configuring RADIUS Servers, page 333.

 12. If you choose RADIUS as the security mode, choose an existing RADIUS group for client authentication from the RADIUS Server ID drop-down list. The RADIUS server settings of the selected group are displayed. You can change the RADIUS server settings but the settings you specify will replace the default settings of the selected group. To maintain the RADIUS servers, go to the Users > RADIUS Servers page. See Configuring RADIUS Servers, page 333.

 13. Click OK to save your settings.

 14. Click Save to apply your settings.
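The following is an added example, not part of the Cisco guide or the appliance's own software: a pre-deployment check that encodes the field constraints from steps 3 to 12 (User Limit 0 to 200, WEP key lengths per encryption size, Shared Secret 8 to 63 characters, Key Renewal Timeout 0 to 4194303, a RADIUS Server ID for the Enterprise and RADIUS modes) and flags the modes and settings the guide itself calls weak (Open, WEP, TKIP on an 802.11n SSID). The `SsidSecurity` class and `check_ssid_security` function are hypothetical names chosen for this example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Field constraints as listed on the SSID - Edit page described above.
WEP_KEY_LENGTHS = {
    "64 bits (10 hex digits)": (10, "hex"), "64 bits (5 ASCII)": (5, "ascii"),
    "128 bits (26 hex digits)": (26, "hex"), "128 bits (13 ASCII)": (13, "ascii"),
}
PERSONAL_MODES = {"WPA-Personal", "WPA2-Personal", "WPA/WPA2-Personal mixed"}
ENTERPRISE_MODES = {"WPA-Enterprise", "WPA2-Enterprise", "WPA/WPA2-Enterprise mixed", "RADIUS"}


@dataclass
class SsidSecurity:                        # hypothetical model of the Security Mode tab
    ssid_name: str
    security_mode: str
    user_limit: int = 0                    # 0 means no limit
    encryption: Optional[str] = None       # TKIP/AES for WPA modes, key size label for WEP
    wep_key: Optional[str] = None          # the selected Key 1-4 value
    shared_secret: Optional[str] = None    # WPA pre-shared key
    key_renewal_timeout: int = 3600        # seconds
    radius_group: Optional[str] = None     # RADIUS Server ID


def check_ssid_security(cfg: SsidSecurity) -> List[str]:
    """Return findings; an empty list means the settings satisfy the page's
    ranges and avoid the modes the page describes as insecure."""
    findings = []
    if not 0 <= cfg.user_limit <= 200:
        findings.append("User Limit must be 0 to 200")
    if cfg.security_mode == "Open":
        findings.append("Open: traffic is unencrypted; not recommended for regular use")
    elif cfg.security_mode == "WEP":
        findings.append("WEP is not considered secure; use only for clients without WPA/WPA2")
        length, kind = WEP_KEY_LENGTHS.get(cfg.encryption or "", (None, None))
        key = cfg.wep_key or ""
        if length is None:
            findings.append("WEP encryption size not recognised")
        elif len(key) != length or (kind == "hex" and any(c not in "0123456789abcdefABCDEF" for c in key)):
            findings.append(f"WEP key must be exactly {length} {kind} characters")
    elif cfg.security_mode in PERSONAL_MODES | ENTERPRISE_MODES:
        if not 0 <= cfg.key_renewal_timeout <= 4194303:
            findings.append("Key Renewal Timeout must be 0 to 4194303 seconds")
        if cfg.security_mode in PERSONAL_MODES and not 8 <= len(cfg.shared_secret or "") <= 63:
            findings.append("Shared Secret must be 8 to 63 characters")
        if cfg.security_mode in ENTERPRISE_MODES and not cfg.radius_group:
            findings.append("Enterprise/RADIUS modes need a RADIUS Server ID")
        if cfg.encryption == "TKIP":
            findings.append("TKIP caps 802.11n clients at 54 Mbps; prefer AES")
    else:
        findings.append(f"unknown security mode {cfg.security_mode!r}")
    return findings
```

Run it against each SSID before clicking Save; any finding other than the deliberate legacy-WEP case should be resolved first.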