TKIP-CCMP

About this task

WPA (Wi-Fi Protected Access) is an encryption scheme specified in the IEEE Wireless Fidelity standard 802.11i. WPA provides more sophisticated data encryption than WEP. WPA is designed for corporate networks and small-business environments where more wireless traffic allows quicker discovery of encryption keys by an unauthorized person.

The encryption method is TKIP (Temporal Key Integrity Protocol). TKIP addresses WEP's weaknesses with a re-keying mechanism, a per-packet mixing function, a message integrity check and an extended initialization vector. However, TKIP also has vulnerabilities.

CCMP is a security standard used by the AES (Advanced Encryption Standard). AES serves the same function TKIP does for WPA-TKIP. CCMP computes a MIC (Message Integrity Check) using the proven CBC (Cipher Block Chaining) technique. Changing just one bit in a message produces a totally different result.

To configure TKIP-CCMP encryption on a WLAN:

Procedure

Select Configuration → Wireless → Wireless LAN Policy to display available WLANs.
Click Add to create an additional WLAN, or select an existing WLAN and click Edit to modify its security properties.
Select Security.
Select the TKIP-CCMP check box from within the Select Encryption field.

The screen populates with the parameters required to define a TKIP-CCMP configuration for the WLAN.
WLAN Security - TKIP-CCMP Screen

Define Key Settings.


Pre-Shared Key	Enter either an alphanumeric string of 8 to 63 ASCII characters or 64 HEX characters as the primary string both transmitting and receiving authenticators must share. The alphanumeric string allows character spaces. The string is converetd to to a numeric value. This passphrase saves the administrator from entering the 256-bit key each time keys are generated.

Define Key Rotation values.

Unicast messages are addressed to a single device on the network. Broadcast messages are addressed to multiple devices. When using WPA2, a wireless client can use two keys: one unicast key, for its own traffic to and from an access point, and one broadcast key, the common key for all the clients in that subnet.

Rotating the keys is recommended the keys so a potential hacker would not have enough data using a single key to attack the deployed encryption scheme.


Unicast Rotation Interval	Define an interval for unicast key transmission interval from 30 - 86,400 seconds. Some clients have issues using unicast key rotation, so ensure you know which kind of clients are impacted before using unicast keys. This feature is disabled by default.
Broadcast Rotation Interval	When enabled, the key indices used for encrypting and decrypting broadcast traffic is alternatively rotated based on the defined interval. Define a broadcast key transmission interval from 30 - 86,400 seconds. Key rotation enhances the broadcast traffic security on the WLAN. This feature is disabled by default.

Set the following Advanced settings for the TKIP-CCMP encryption scheme:


TKIP Countermeasure Hold Time	The TKIP Countermeasure Hold Time is the time a WLAN is disabled, if TKIP countermeasures have been invoked on the WLAN. Use the drop-down menu to define a value in either Hours (0-18), Minutes (0-1,092) or Seconds (0-65,535). The default setting is 1 second.
Exclude WPA2-TKIP	Select this option to advertise and enable support for only WPA-TKIP. This option can be used if certain older clients are not compatible with newer WPA2-TKIP information elements. Enabling this option allows backwards compatibility for clients that support WPA-TKIP and WPA2-TKIP, but do not support WPA2-CCMP. We recommend that you enable this feature if WPA-TKIP or WPA2-TKIP supported clients operate in a WLAN populated by WPA2- CCMP enabled clients. This feature is disabled by default.
Use SHA256	Select to enable use of the SHA-256 hash algorithms with WPA2. This is optional when using WPA2 without 802.11w Protected Management Frames (PMF) enabled. This is mandatory when PMF is enabled.

Select OK when completed to update the WLAN's TKIP-CCMP encryption configuration.

Select Reset to revert to the last saved configuration.

What to do next

Before defining a WPA-TKIP supported configuration on a WLAN, refer to the following deployment guidelines to ensure the configuration is optimally effective:

Enable TKIP for legacy device support only when WPA2-CCMP support is not available.
Although TKIP offers better security than WEP, it can be vulnerable to certain attacks.
When both TKIP and CCMP are enabled, a mix of clients are allowed to associate with the WLAN. Some use TKIP, others use CCMP. Because broadcast traffic needs to be understood by all clients, the broadcast encryption type in this scenario is TKIP.