Rockwell Automation 1783-WAPxxx Stratix 5100 Wireless Access Point User Manual User Manual

Rockwell Automation Publication 1783-UM006A-EN-P - May 2014

115

Stratix 5100 Device Manager Parameter Definitions

Chapter 4

Table 31 - Security Encryption Manager Parameter Descriptions

Parameter

Description

Encryption Modes

Indicate whether clients should use data encryption when communicating with the bridge.

None

The bridge communicates only with client devices that are not using WEP.

WEP Encryption

Choose Optional or Mandatory. If optional, client devices can communicate with this access point or bridge with or without WEP. If mandatory,
client devices must use WEP when communicating with the access point. Bridges not using WEP are not allowed to communicate. WEP (Wired
Equivalent Privacy) is an 802.11 standard encryption algorithm originally designed to provide with a level of privacy experienced on a wired LAN.
The standard defines WEP base keys of size 40 bits or 104 bits.
• Cisco Compliant TKIP Features

Temporal Key Integrity Protocol (TKIP) is a suite of algorithms surrounding WEP, designed to achieve the best possible security on legacy
hardware build to run WEP. TKIP adds four new enhancements to WEP:

– A per-packet key mixing function, to defeat weak key attacks.
– A new IV sequencing discipline to detect replay attacks.
– A cryptographic message integrity check (MIC) to detect forgeries such as bit flipping and altering of packet source and destination.
– An extension of IV space, to virtually eliminate the need for a re-key.

• Enable MIC

MIC prevents attacks on encrypted packets called bit-flip attacks. During a bit-flip attack, an intruder intercepts an encrypted message, alters it
slightly, and retransmits it, and the receiver accepts the retransmitted message as legitimate. The MIC, implemented on both the access point
and all associated client devices, adds a few bytes to each packet to make the packets tamper-proof. WEP Encryption must be set to Mandatory
for MIC to be enabled.

• Enable Per Packet Keying

EAP authentication provides dynamic unicast WEP keys for client devices but uses static keys. With broadcast, or multicast, WEP key rotation
enabled, the access point provides a dynamic broadcast WEP key and changes it at the interval you select in the Broadcast Key Change
Frequency field. Broadcast key rotation is an excellent alternative to TKIP if your wireless LAN supports wireless client devices that are not Cisco
devices or that cannot be upgraded to the latest firmware for Cisco client devices.

Cipher

Cipher suites are sets of encryption and integrity algorithms designed to protect radio communication on your wireless LAN. You must use a cipher
suite to enable Wi-Fi Protected Access (WPA) or Cisco Centralized Key Management (CCKM). Because cipher suites provide the protection of
communication while also allowing the use of authenticated key management, we recommend that you enable encryption by using the

encryption mode cipher

command. Use the drop-down menu to choose among TKIP, CKIP, CMIC, and WEP. TKIP is the most

secured, and WEP is the least secured cipher suite.
• CKIP

(Cisco Key Integrity Protocol, also known) - Cisco's WEP key permutation technique based on an early algorithm presented in the 802.11i
security task group.

• CMIC

(Cisco Message Integrity Check) - CMIC is Cisco's message integrity check mechanism designed to detect forgeries attracts.

Transmit Key

Click Transmit Key and select the WEP key this bridge will use. Only one key can be selected at a time. All set keys can be used to receive data.
Note: The key that you select as the transmit key must also be entered in the same key slot on client devices that associate with the access point or
bridge, but it does not have to be selected as the transmit key on the client devices.

Encryption Key 1-4

Enter a WEP key in one of the Encryption Key fields. For 40-bit encryption, enter 10 hexadecimal digits; for 128-bit encryption, enter 26
hexadecimal digits. Hexadecimal digits are a set of characters that includes numbers 0 through 9, lowercase letters a through f, and uppercase
letters A through F. Your WEP keys can contain combinations of any of these characters. WEP keys are not case-sensitive.
You can enter up to four WEP keys. The key that you select as the transmit key must also be entered in the same key slot on client devices that
associate with the access point or bridge, but it does not have to be selected as the transmit key on the client devices.
If you have four WEP keys configured and WEP key 2 is selected as the transmit key, WEP key 2 on the client device must contain the same
contents. If WEP key 4 on the device client is set, but is not selected as the transmit key, WEP key 4 on the access point does not need to be set at
all.

Key Size

Select 40-bit or 128-bit encryption for each key.

Global Properties

Broadcast Key Rotation Interval: Disable Rotation or Enable Rotation with Interval
(10…10000000 s)

Broadcast Key Rotation Interval

Allows the access point to generate best possible random group key and update all the key-management capable stations periodically. Broadcast
key rotation does not work for static WEP clients. This feature keeps the group key private to currently active members only. However, it may
generate some overhead if clients in your network roam frequently.

WPA Group Key Update

Check the appropriate checkbox to determine how frequently the access point changes and distributes the group key to WPA-enabled client
devices.
• Enable Group Key Update on Membership Termination
• Enable Group Key Update on Member’s Capability Change