WPA2-CCMP

WPA2 is a newer 802.11i standard that provides even stronger wireless security than WPA (Wi-Fi Protected Access) and WEP. CCMP is the security standard used by the AES (Advanced Encryption Standard ). AES serves the same function TKIP does for WPA-TKIP. CCMP computes a MIC (Message Integrity Check) using the proven CBC (Cipher Block Chaining) technique. Changing just one bit in a message produces a totally different result.

WPA2/CCMP is based on the concept of a RSN (Robust Security Network), which defines a hierarchy of keys with a limited lifetime (similar to TKIP). Like TKIP, the keys the administrator provides are used to derive other keys. Messages are encrypted using a 128-bit secret key and a 128-bit block of data. The end result is an encryption scheme as secure as any a controller, service platform or Access Point provides for its connected clients.

To configure WPA2-CCMP encryption on a WLAN:

  1. Select Configuration → Wireless → Wireless LANs to display available WLANs.
  2. Select Add to create an additional WLAN, or select an existing WLAN and select Edit to modify its security properties.
  3. Select Security.
  4. If WPA2-CCMP is required, select PSK/None in authentication.
  5. Select the WPA2-CCMP check box from within the Select Encryption field.
    The screen populates with the parameters required to define a WPA2-CCMP configuration for the new or existing WLAN.
    Click to expand in new window
    WLAN Security - WPA2-CCMP Screen
    Screen capture displaying WPA2-CCMP selection as the encryption type in the WLAN security - WPA2-CCMP screen.
  6. Define Key Settings.
    Pre-Shared Key Enter either an alphanumeric string of 8 to 63 ASCII characters or 64 HEX characters as the primary string both transmitting and receiving authenticators must share. The alphanumeric string allows character spaces. The string is converetd to to a numeric value. This passphrase saves the administrator from entering the 256-bit key each time keys are generated.
  7. Define Key Rotation values.
    Unicast messages are addressed to a single device on the network. Broadcast messages are addressed to multiple devices. When using WPA2, a wireless client can use two keys: one unicast key, for its own traffic to and from an Access Point, and one broadcast key, the common key for all the clients in that subnet.

    Rotating the keys is recommended the keys so a potential hacker would not have enough data using a single key to attack the deployed encryption scheme.

    Unicast Rotation Interval Define an interval for unicast key transmission interval from 30 - 86,400 seconds. Some clients have issues using unicast key rotation, so ensure you know which kind of clients are impacted before using unicast keys. This feature is disabled by default.
    Broadcast Rotation Interval When enabled, the key indices used for encrypting and decrypting broadcast traffic is alternatively rotated based on the defined interval. Define a broadcast key transmission interval from 30 - 86,400 seconds. Key rotation enhances the broadcast traffic security on the WLAN. This feature is disabled by default.
  8. Define the Fast Roaming configuration used only with 802.1x EAP-WPA/WPA2 authentication.
    Note

    Note

    Fast Roaming is available only when the authentication is EAP or EAP-PSK and the selected encryption is either TKIP-CCMP or WPA2-CCMP.

    Using 802.11i can speed up the roaming process from one access point to another. Instead of doing a complete 802.1x authentication each time a client roams between access points, 802.11i allows a client to re-use previous PMK authentication credentials and perform a four-way handshake. This speeds up the roaming process. In addition to reusing PMKs on previously visited access points, Opportunistic Key Caching allows multiple access points to share PMKs among themselves. This allows a client to roam to an access point it has not previously visited and reuse a PMK from another access point to skip 802.1x authentication.

    Pre-Authentication Selecting this option enables an associated client to carry out an 802.1x authentication with another access point before it roams to it. This enables a roaming client to send and receive data sooner by not having to conduct an 802.1x authentication after roaming. With pre-authentication, a client can perform an 802.1X authentication with other detected access points while still connected to its current access point. When a device roams to a neighboring access point, the device is already authenticated on the access point, thus providing faster re-association.
    Pairwise Master Key (PMK) Caching Pairwise Master Key (PMK) caching is a technique for sidestepping the need to re-establish security each time a client roams to a different switch. Using PMK caching, clients and switches cache the results of 802.1X authentications. Therefore, access is much faster when a client roams back to a switch to which the client is already authenticated.
    Opportunistic Key Caching This option enables the access point to use a PMK derived with a client on one access point, with the same client when it roams over to another access point. Upon roaming, the client does not have to do 802.1x authentication and can start sending and receiving data sooner.
  9. Set the following Advanced settings for the WPA2-CCMP encryption scheme:
    TKIP Countermeasure Hold Time The TKIP Countermeasure Hold Time is the time a WLAN is disabled, if TKIP countermeasures have been invoked on the WLAN. Use the drop-down menu to define a value in either Hours (0-18), Minutes (0-1,092) or Seconds (0-65,535). The default setting is 1 second.
    Exclude WPA2-TKIP Select this option to advertise and enable support for only WPA-TKIP. This option can be used if certain older clients are not compatible with newer WPA2-TKIP information elements. Enabling this option allows backwards compatibility for clients that support WPA-TKIP and WPA2-TKIP, but do not support WPA2-CCMP. We recommend that you enable this feature if WPA-TKIP or WPA2-TKIP supported clients operate in a WLAN populated by WPA2- CCMP enabled clients. This feature is disabled by default.
    Use SHA256

    Select this option to enable SHA-256 authentication key management suite. This suite consists of a set of algorithms for key agreement, key derivation, key wrapping, and content encryption and provide a minimum cryptographic security level of 128 bits. This feature is disabled by default.

  10. Select OK when completed to update the WLAN's WPA2-CCMP encryption configuration.

    Select Reset to revert to the last saved configuration.

Before defining a WPA2-TKIP supported configuration on a WLAN, refer to the following deployment guidelines to ensure the configuration is optimally effective:
  • WPA2-CCMP should be configured for all new (non-visitor) WLANs requiring encryption, as it‘s supported by the majority of the hardware and client vendors using wireless networking equipment.
  • WPA2-CCMP supersedes WPA-TKIP and implements all the mandatory elements of the 802.11i standard. WPA2- CCMP introduces a new AES-based algorithm called CCMP which replaces TKIP and WEP and is considered significantly more secure.