Wpa2-ccmp – Brocade Mobility RFS Controller System Reference Guide (Supporting software release 5.5.0.0 and later) User Manual


Brocade Mobility RFS Controller System Reference Guide

53-1003099-01

Brocade recommends rotating the keys so a potential hacker would not have enough data
using a single key to attack the deployed encryption scheme.

7. Set the following Advanced settings for the WPA/WPA2-TKIP encryption scheme

8. Select OK when completed to update the WLAN’s WPA/WPA2-TKIP encryption configuration.

Select Reset to revert the screen back to its last saved configuration.

NOTE

WPA-TKIP is not supported on radios configured to exclusively use 802.11n.

WPA-TKIP Deployment Considerations

Before defining a WPA-TKIP supported configuration on a wireless controller WLAN, refer to the
following deployment guidelines to ensure the configuration is optimally effective:

Brocade recommends TKIP only be enabled for legacy device support when WPA2-CCMP
support is not available.

Though TKIP offers better security than WEP, it can be vulnerable to certain attacks.

When both TKIP and CCMP are enabled, a mix of clients is allowed to associate with the
WLAN. Some use TKIP, others use CCMP. Since broadcast traffic needs to be understood by all
clients, the broadcast encryption type in this scenario is TKIP.

WPA2-CCMP

Configuring WLAN Security

WPA2 is a newer 802.11i standard that provides even stronger wireless security than Wi-Fi
Protected Access (WPA) and WEP. CCMP is the security standard used by the Advanced Encryption
Standard (AES). AES serves the same function TKIP does for WPA-TKIP. CCMP computes a Message
Integrity Check (MIC) using the proven Cipher Block Chaining (CBC) technique. Changing just one
bit in a message produces a totally different result.
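As an added illustration (not code from the Brocade guide), this Node.js example runs AES-CCM with the parameters CCMP uses (128-bit key, 13-byte nonce, 8-byte MIC) and shows that a one-bit change yields a different MIC and that an altered frame fails verification. The key, nonce, header bytes, payload and function names are constructed for the example.

```javascript
const crypto = require('crypto');

// Constructed sample values; a real temporal key comes from the 4-way handshake.
const KEY = Buffer.from('000102030405060708090a0b0c0d0e0f', 'hex');
const NONCE = Buffer.from('00aabbccddeeff000000000001', 'hex'); // 13 bytes
const HEADER = Buffer.from('constructed-frame-header'); // authenticated, not encrypted
const MSG = Buffer.from('constructed payload for the demo');
const MIC_LEN = 8; // CCMP MIC length in bytes

// Encrypt the payload and compute the MIC over header + payload.
function seal(plaintext) {
  const c = crypto.createCipheriv('aes-128-ccm', KEY, NONCE, { authTagLength: MIC_LEN });
  c.setAAD(HEADER, { plaintextLength: plaintext.length });
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { ct, mic: c.getAuthTag() };
}

// Verify the MIC and decrypt; returns null when the frame was altered.
function unseal(ct, mic) {
  const d = crypto.createDecipheriv('aes-128-ccm', KEY, NONCE, { authTagLength: MIC_LEN });
  d.setAuthTag(mic);
  d.setAAD(HEADER, { plaintextLength: ct.length });
  try {
    const pt = d.update(ct);
    d.final(); // throws if the MIC does not match
    return pt;
  } catch (err) {
    return null;
  }
}

// Copy of buf with a single bit inverted.
function flipBit(buf, bitIndex) {
  const out = Buffer.from(buf);
  out[bitIndex >> 3] ^= 1 << (bitIndex & 7);
  return out;
}

// Number of bit positions in which two equal-length buffers differ.
function differingBits(a, b) {
  let n = 0;
  for (let i = 0; i < a.length; i++) {
    for (let x = a[i] ^ b[i]; x; x >>= 1) n += x & 1;
  }
  return n;
}

const sealed = seal(MSG);
// Same nonce for both messages only to compare MICs; never reuse a nonce in practice.
console.log('MIC bits changed:', differingBits(sealed.mic, seal(flipBit(MSG, 0)).mic), 'of 64');
console.log('tampered frame accepted:', unseal(flipBit(sealed.ct, 0), sealed.mic) !== null);
```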

Unicast Rotation Interval

Define an interval for unicast key transmission in seconds (30-86,400). Some clients have issues
using unicast key rotation, so ensure you know which kind of clients are impacted before using
unicast keys. This feature is disabled by default.

Broadcast Rotation Interval

When enabled, the key indices used for encrypting/decrypting broadcast traffic are alternately
rotated based on the defined interval. Define an interval for broadcast key transmission in seconds
(30-86,400). Key rotation enhances the broadcast traffic security on the WLAN. This feature is
disabled by default.

TKIP Countermeasure Hold Time

The TKIP countermeasure hold-time is the time during which the use of the WLAN is disabled if
TKIP countermeasures have been invoked on the WLAN. Use the drop-down menu to define a value
in either Hours (0-18), Minutes (0-1,092) or Seconds (0-65,535). The default setting is 60
seconds.

Exclude WPA2 TKIP

Select this option for an Access Point to advertise and enable support for only WPA-TKIP. This
option can be used if certain older clients are not compatible with the newer WPA2-TKIP
information elements. Enabling this option allows backwards compatibility for clients that support
WPA-TKIP and WPA2-TKIP but do not support WPA2-CCMP. Brocade recommends enabling this
feature if WPA-TKIP or WPA2-TKIP supported clients operate in a WLAN populated by WPA2-CCMP
enabled clients. This feature is disabled by default.

Use SHA256

Select to enable use of the SHA-256 hash algorithms with WPA2. This is optional when using WPA2
without 802.11w Protected Management Frames (PMF) enabled. This is mandatory when PMF is
enabled.
