WPA2-CCMP

About this task

WPA2 is a newer 802.11i standard that provides even stronger wireless security than WPA (Wi-Fi Protected Access) and WEP. CCMP is the security standard used with AES (Advanced Encryption Standard). AES serves the same function for WPA2-CCMP that TKIP does for WPA-TKIP. CCMP computes a MIC (Message Integrity Check) using the proven CBC (Cipher Block Chaining) technique: changing just one bit in a message produces a totally different result.

WPA2/CCMP is based on the concept of an RSN (Robust Security Network), which defines a hierarchy of keys with a limited lifetime (similar to TKIP). Like TKIP, the keys the administrator provides are used to derive other keys. Messages are encrypted using a 128-bit secret key and a 128-bit block of data. The end result is an encryption scheme as secure as any a controller, service platform or Access Point provides for its connected clients.

To configure WPA2-CCMP encryption on a WLAN:

Procedure

  1. Select Configuration → Wireless → Wireless LAN Policy to display available WLANs.
  2. Select Add to create an additional WLAN, or select an existing WLAN and select Edit to modify its security properties.
  3. Select Security.
  4. If WPA2-CCMP is required, select PSK/None in authentication.
  5. Select the WPA2-CCMP check box from within the Select Encryption field.
    The screen populates with the parameters required to define a WPA2-CCMP configuration for the new or existing WLAN.
    [Figure: WLAN Security - WPA2-CCMP Screen. Screen capture displaying WPA2-CCMP selected as the encryption type in the WLAN Security - WPA2-CCMP screen.]
  6. Define Key Settings.
    Pre-Shared Key Enter either an alphanumeric string of 8 to 63 ASCII characters or 64 HEX characters as the primary string both transmitting and receiving authenticators must share. The alphanumeric string allows character spaces. The string is converted to a numeric value. This passphrase saves the administrator from entering the 256-bit key each time keys are generated.
  7. Define Key Rotation values.
    Unicast messages are addressed to a single device on the network. Broadcast messages are addressed to multiple devices. When using WPA2, a wireless client can use two keys: one unicast key, for its own traffic to and from an Access Point, and one broadcast key, the common key for all the clients in that subnet.

    Rotating the keys is recommended so a potential hacker would not have enough data encrypted under a single key to attack the deployed encryption scheme.

    Unicast Rotation Interval Define a unicast key transmission interval from 30 - 86,400 seconds. Some clients have issues using unicast key rotation, so ensure you know which kind of clients are impacted before using unicast keys. This feature is disabled by default.
    Broadcast Rotation Interval When enabled, the key indices used for encrypting and decrypting broadcast traffic are alternately rotated based on the defined interval. Define a broadcast key transmission interval from 30 - 86,400 seconds. Key rotation enhances the broadcast traffic security on the WLAN. This feature is disabled by default.
  8. Set the following Advanced settings for the WPA2-CCMP encryption scheme:
    TKIP Countermeasure Hold Time The TKIP Countermeasure Hold Time is the time a WLAN is disabled, if TKIP countermeasures have been invoked on the WLAN. Use the drop-down menu to define a value in either Hours (0-18), Minutes (0-1,092) or Seconds (0-65,535). The default setting is 1 second.
    Exclude WPA2-TKIP Select this option to advertise and enable support for only WPA-TKIP. This option can be used if certain older clients are not compatible with newer WPA2-TKIP information elements. Enabling this option allows backwards compatibility for clients that support WPA-TKIP and WPA2-TKIP, but do not support WPA2-CCMP. We recommend that you enable this feature if WPA-TKIP or WPA2-TKIP supported clients operate in a WLAN populated by WPA2-CCMP enabled clients. This feature is disabled by default.
    Use SHA256 Select this option for an Access Point to advertise and enable support for only WPA-TKIP. Select this option if certain older clients are not compatible with the newer WPA2-TKIP information elements. Enabling this option allows backwards compatibility for clients that support WPA-TKIP and WPA2-TKIP but do not support WPA2-CCMP. Consider enabling this feature if WPA-TKIP or WPA2-TKIP supported clients operate in a WLAN populated by WPA2-CCMP enabled clients. This feature is disabled by default.

  9. Select OK when completed to update the WLAN's WPA2-CCMP encryption configuration.

    Select Reset to revert to the last saved configuration.
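    The following is an added example, not part of this documentation or of the controller software, showing what the Key Settings and Key Rotation fields above accept and what the controller does with the Pre-Shared Key: a passphrase of 8 to 63 ASCII characters is converted to the 256-bit PMK with PBKDF2-HMAC-SHA1 (4096 iterations, SSID as salt) as defined by 802.11i, while a 64-character HEX string is taken as the key itself. The function and constant names are the example's own; the `password` / `IEEE` vector used in the usage call is the published 802.11i PBKDF2 test vector.

```python
"""Added example: validate WPA2-CCMP key settings and derive the PMK.

Not part of the original documentation. Ranges come from the screen
description above; the PMK derivation is the 802.11i PBKDF2 rule.
"""
import hashlib
import re

# Limits stated in the Key Settings / Key Rotation descriptions.
PSK_MIN_ASCII = 8
PSK_MAX_ASCII = 63
PSK_HEX_LEN = 64
ROTATION_MIN_SECONDS = 30
ROTATION_MAX_SECONDS = 86_400

# 802.11i passphrase-to-PSK mapping parameters.
PBKDF2_ITERATIONS = 4096
PMK_LEN_BYTES = 32  # 256-bit key


def classify_psk(key: str) -> str:
    """Return "hex" for a 64-character HEX key or "ascii" for an
    8-63 character printable ASCII passphrase (spaces allowed).
    Anything else is rejected, as the configuration screen would."""
    if len(key) == PSK_HEX_LEN and re.fullmatch(r"[0-9a-fA-F]{64}", key):
        return "hex"
    if PSK_MIN_ASCII <= len(key) <= PSK_MAX_ASCII and all(
        32 <= ord(c) <= 126 for c in key
    ):
        return "ascii"
    raise ValueError(
        "pre-shared key must be 8-63 printable ASCII characters or 64 HEX characters"
    )


def derive_pmk(key: str, ssid: str) -> bytes:
    """Turn the Pre-Shared Key field into the 256-bit PMK.

    A HEX key is used directly; a passphrase is stretched with
    PBKDF2-HMAC-SHA1 using the SSID as salt, which is the "converted
    to a numeric value" step the documentation mentions."""
    if classify_psk(key) == "hex":
        return bytes.fromhex(key)
    return hashlib.pbkdf2_hmac(
        "sha1", key.encode("ascii"), ssid.encode("utf-8"),
        PBKDF2_ITERATIONS, PMK_LEN_BYTES,
    )


def check_rotation_interval(seconds: int) -> int:
    """Validate a unicast or broadcast rotation interval (30-86,400 s)."""
    if not ROTATION_MIN_SECONDS <= seconds <= ROTATION_MAX_SECONDS:
        raise ValueError(
            f"rotation interval must be {ROTATION_MIN_SECONDS}-"
            f"{ROTATION_MAX_SECONDS} seconds, got {seconds}"
        )
    return seconds


if __name__ == "__main__":
    # Usage: the 802.11i test vector and a constructed HEX key.
    print(derive_pmk("password", "IEEE").hex())
    print(derive_pmk("00" * 32, "IEEE").hex())
    print(check_rotation_interval(3600))
```

    Because the SSID is the salt, the same passphrase yields a different PMK on every WLAN, and the 4096-iteration stretch is what makes a short passphrase more expensive to guess; the HEX form skips that step entirely, which is why it must already be a full 256-bit random value.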

What to do next

Before defining a WPA2-TKIP supported configuration on a WLAN, refer to the following deployment guidelines to ensure the configuration is optimally effective:
  • WPA2-CCMP should be configured for all new (non-visitor) WLANs requiring encryption, as it's supported by the majority of the hardware and client vendors using wireless networking equipment.
  • WPA2-CCMP supersedes WPA-TKIP and implements all the mandatory elements of the 802.11i standard. WPA2-CCMP introduces a new AES-based algorithm called CCMP which replaces TKIP and WEP and is considered significantly more secure.