10 November 2008

Configuring WEP Authentication on Cisco Aironet

Installing a wireless network on your LAN can directly expose that network to the public.

Anyone can use a wireless sniffer to view all the traffic going between the wireless access point and the clients. That's why you need to add security to your wireless LAN.

This post covers WEP, or Wired Equivalent Privacy. The name suggests that your wireless network will be as safe as your wired network, but in reality it is not.
There are many WEP decryption tools available. Someone only has to capture some packets with a wireless sniffer and run a decryption tool to find out the WEP key.

So we know WEP is not secure. Nevertheless, I want to show how to configure WEP authentication on a Cisco Aironet wireless access point.

WEP uses a 40-bit encryption key (10 hexadecimal characters) or a 128-bit key (26 hexadecimal characters).
Don't get a false sense of security from the key length: a longer encryption key just means more packets to capture and more time to decrypt them.

According to the IEEE 802.11 committee, there are two types of authentication: shared-key and open authentication.

In shared-key authentication, the access point sends a challenge packet to the client, and the client must encrypt the packet with the right key (the WEP key) and return it to the access point.
This method is not secure since everything is sent in clear text.

The other method is open authentication. As the name says, the authentication is open, or in other words no authentication is required.
But when open authentication is used with WEP, the WEP key is used to encrypt all data before it is sent.

I have to admit, I got a little confused the first time I configured authentication on Cisco Aironet wireless access points, since no one taught me, so I had to browse all the configuration examples.

It's easier to use the web interface of the access point, but I want to configure it through the CLI.
To configure WEP authentication, start by entering the dot11radio interface:

1240AG> enable
1240AG# configure terminal
1240AG (config)# interface dot11radio 0

Create the SSID and associate it with a VLAN if you haven't done so already:

1240AG (config-if)# ssid Guest
1240AG (config-if-ssid)# vlan 40
1240AG (config-if-ssid)# authentication open
1240AG (config-if-ssid)# exit

Configure the WEP authentication:

1240AG (config-if)# encryption vlan 40 mode wep mandatory
1240AG (config-if)# encryption vlan 40 key 1 size 128bit 12345678901234567890123456 transmit-key

The first command above tells the Cisco Aironet to do WEP encryption on VLAN 40 (SSID Guest) and sets it as mandatory.
If you replace mandatory with optional, the use of WEP encryption depends on the client configuration: clients can choose whether or not to encrypt their packets.

The second command tells the access point to use a 128-bit WEP encryption key with the 26-character key shown above. You can use whatever key you choose as long as it consists of hexadecimal characters (0-9 and A-F).
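
To review commands like these before they go onto an access point, here is an added example (not from the original post or from Cisco) that checks typed `encryption vlan` lines against the points made above: WEP in use at all, the `optional` mode, and key length per size. It assumes the commands are in typed form with the key in plain hex; the VLAN 50 lines and the "predictable sequence" heuristic are constructed for this example.

```python
import re

# Hex digits required for each key size, as stated in the post.
HEX_LEN = {"40bit": 10, "128bit": 26}
# Runs that count as predictable keys (heuristic chosen for this example).
SEQUENCES = ("1234567890" * 3, "0123456789abcdef" * 2)
MODE_RE = re.compile(r"encryption vlan (\d+) mode wep (mandatory|optional)")
KEY_RE = re.compile(r"encryption vlan (\d+) key \d size (40bit|128bit) (\S+)")

# Constructed sample: the post's two commands plus a hypothetical VLAN 50.
SAMPLE = """\
1240AG (config-if)# encryption vlan 40 mode wep mandatory
1240AG (config-if)# encryption vlan 40 key 1 size 128bit 12345678901234567890123456 transmit-key
1240AG (config-if)# encryption vlan 50 mode wep optional
1240AG (config-if)# encryption vlan 50 key 1 size 128bit 0A1B2C3D4E transmit-key
"""


def check_key(size, key):
    """Return a problem description for a WEP key, or None if it passes."""
    want = HEX_LEN[size]
    if not re.fullmatch(r"[0-9A-Fa-f]+", key):
        return "key contains non-hexadecimal characters"
    if len(key) != want:
        return f"{size} key needs {want} hex digits, got {len(key)}"
    if len(set(key)) <= 2 or any(key.lower() in s for s in SEQUENCES):
        return "key is a predictable sequence"
    return None


def audit(commands):
    """Return (vlan, finding) tuples for the WEP commands in typed CLI text."""
    findings = []
    for raw in commands.splitlines():
        line = raw.split("#", 1)[-1].strip()  # drop a pasted prompt, if any
        if m := MODE_RE.match(line):
            vlan, mode = m.groups()
            findings.append((vlan, "WEP in use: key recoverable from captured packets"))
            if mode == "optional":
                findings.append((vlan, "WEP optional: clients may skip encryption"))
        elif m := KEY_RE.match(line):
            vlan, size, key = m.groups()
            if problem := check_key(size, key):
                findings.append((vlan, problem))
    return findings


if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

The example key from the post is flagged as a predictable sequence, and every VLAN that uses WEP is reported regardless of key quality.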

Don't forget to set up the access point as I did in the last post.