George Stefanick - CWSP Journey (Chapter 5 – TSN, Post #3) - 7/5/2010
TSN stands for Transition Security Network. A TSN is a BSS that supports both RSN (WPA/WPA2) and pre-RSN legacy (WEP) authentication and encryption at the same time.
Example: think of WEP with WPA and/or WPA2 enabled on the same BSS. Pre-RSN + RSN = TSN.
Suppose your WLAN was secured with WEP and you wanted to upgrade to WPA2. Instead of having to manage another WLAN and add more airtime overhead (each WLAN you add increases wireless utilization with its own beacons and probe responses), you can modify the current WLAN to allow WPA2 security alongside WEP while the clients are migrated.
Cisco often references TSN as a “migration” WLAN. I was emailed today about adding a config for a Cisco autonomous AP with TSN.
First, let's look at a packet capture example:
Our SSID is: wep-wpa2
GROUP CIPHER WEP104 (WEP128)
RSNIE: You will notice in the capture below that the Group Cipher is WEP104 (WEP128). This is our indication that WEP is enabled on this BSS. Because every associated station must share the single group (broadcast/multicast) key, the lowest common denominator cipher is used for group traffic; in this case that is WEP104 (WEP128). This is also how 802.11i marks a TSN: an RSN IE that advertises WEP-40 or WEP-104 as the group cipher. The practical consequence is that all broadcast and multicast frames on this BSS stay WEP-protected, even for the WPA2 clients, until the last WEP client is gone.
PAIRWISE CIPHER SUITE 00-0F-AC:4
Another area of interest is the Pairwise Cipher suite 00-0F-AC:4, which is CCMP. This is our indication that AES-CCMP is available for the unicast (pairwise) traffic of the WPA2 clients, even though the group cipher is WEP104.
NOTE: Cipher suite selectors (OUI 00-0F-AC)
OUI       Suite type  Definition
00-0F-AC  0           Use the group cipher suite (only valid for pairwise ciphers)
00-0F-AC  1           WEP-40
00-0F-AC  2           TKIP
00-0F-AC  3           Reserved
00-0F-AC  4           CCMP
00-0F-AC  5           WEP-104
Auth Key Management Suite
Since we are in the frame, let me share what the AUTH KEY MANAGEMENT field means. This is where the RSN authentication type lives. You will see two types: 00-0F-AC:1 for 802.1X or 00-0F-AC:2 for PSK. In our example we are using PSK.
Authentication and key management suites
OUI       Suite type  Authentication            Key management
00-0F-AC  1           802.1X or PMKSA caching   Key derivation from the PMK (pairwise master key)
00-0F-AC  2           Pre-shared key            Key derivation from the pre-shared key
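To tie the capture walk-through together, here is a small RSN IE decoder that reads the same fields the analyzer shows above (group cipher, pairwise ciphers, AKM suites) and flags a TSN by its WEP group cipher. This is an added example, not code from the original post or from Cisco; the two IE byte strings are constructed by hand, one matching the wep-wpa2 BSS described above and one for the same BSS after it becomes a pure WPA2 RSN.

```python
"""Decode an 802.11 RSN information element (element ID 48) and tell whether
the BSS it describes is a TSN, i.e. advertises a WEP group cipher.

Added example for the CWSP TSN post; not the post's own code. Sample IEs are
constructed inline to match the post's capture and a pure-WPA2 BSS.
"""
import struct

IEEE_OUI = bytes.fromhex("000FAC")

# Cipher suite selectors for OUI 00-0F-AC (IEEE 802.11i / 802.11-2007).
CIPHER_SUITES = {
    0: "Use group cipher suite",
    1: "WEP-40",
    2: "TKIP",
    3: "Reserved",
    4: "CCMP",
    5: "WEP-104",
}

# AKM suite selectors for OUI 00-0F-AC.
AKM_SUITES = {
    1: "802.1X",
    2: "PSK",
}

# A group cipher of WEP-40 or WEP-104 is what makes the BSS a TSN.
WEP_SUITE_TYPES = {1, 5}

# Constructed sample: matches the post's wep-wpa2 BSS.
TSN_RSN_IE = bytes.fromhex(
    "30 14"        # element ID 48 (RSN), length 20
    "01 00"        # version 1
    "00 0F AC 05"  # group cipher suite: WEP-104 (shown as WEP104/WEP128 by the analyzer)
    "01 00"        # pairwise cipher suite count: 1
    "00 0F AC 04"  # pairwise cipher suite: CCMP
    "01 00"        # AKM suite count: 1
    "00 0F AC 02"  # AKM suite: PSK
    "00 00"        # RSN capabilities
)

# Constructed sample: the same BSS once the WEP clients are gone (pure RSN).
WPA2_RSN_IE = bytes.fromhex(
    "30 14 01 00 00 0F AC 04 01 00 00 0F AC 04 01 00 00 0F AC 02 00 00"
)


def suite_name(table, selector):
    """Map a 4-byte suite selector (3-byte OUI + 1-byte type) to a name."""
    oui, suite_type = selector[:3], selector[3]
    if oui != IEEE_OUI:
        return "vendor %s:%d" % (oui.hex("-").upper(), suite_type)
    return table.get(suite_type, "unknown (%d)" % suite_type)


def parse_rsn_ie(ie):
    """Parse an RSN IE (2-byte header included) into a dict.

    Decodes version, group cipher, pairwise ciphers, AKM suites and, if present,
    the RSN capabilities. The optional PMKID list and group management cipher
    that may follow are ignored. Raises ValueError on malformed input instead of
    reading past the element, which is the failure mode a frame parser must guard.
    """
    if len(ie) < 2 or ie[0] != 48:
        raise ValueError("not an RSN IE")
    length = ie[1]
    body = ie[2:2 + length]
    if len(body) != length:
        raise ValueError("truncated RSN IE")

    pos = 0

    def take(n):
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("RSN IE body shorter than its fields claim")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    (version,) = struct.unpack("<H", take(2))
    if version != 1:
        raise ValueError("unsupported RSN IE version %d" % version)
    group_sel = take(4)
    (pair_count,) = struct.unpack("<H", take(2))
    pairwise = [suite_name(CIPHER_SUITES, take(4)) for _ in range(pair_count)]
    (akm_count,) = struct.unpack("<H", take(2))
    akms = [suite_name(AKM_SUITES, take(4)) for _ in range(akm_count)]
    caps = struct.unpack("<H", take(2))[0] if pos + 2 <= len(body) else None

    return {
        "version": version,
        "group_cipher": suite_name(CIPHER_SUITES, group_sel),
        "pairwise_ciphers": pairwise,
        "akm_suites": akms,
        "rsn_capabilities": caps,
        # TSN test: group cipher selector is 00-0F-AC:1 (WEP-40) or 00-0F-AC:5 (WEP-104).
        "is_tsn": group_sel[:3] == IEEE_OUI and group_sel[3] in WEP_SUITE_TYPES,
    }


if __name__ == "__main__":
    for label, ie in (("wep-wpa2 (TSN)", TSN_RSN_IE), ("pure WPA2", WPA2_RSN_IE)):
        print(label, parse_rsn_ie(ie))
```

Run it and the first IE reports group cipher WEP-104, pairwise CCMP, AKM PSK and is_tsn True, which is exactly what the analyzer shows for the wep-wpa2 BSS; the second IE differs only in the group cipher (CCMP) and is_tsn is False. Feeding a truncated element, as a fuzzer or a hostile beacon would, raises ValueError rather than decoding garbage.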
Cisco 1240 TSN Configuration
Configuration Notes:
SSID: wep-wpa2
WPA: WPA2/AES with PSK
PSK: 1234567890
WEP key slot: 3
WEP key: 128-bit (WEP104), 12345678901234567890123456 (26 hex digits)
Login: Cisco / Cisco
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
enable secret 5 $1$/d5u$WOD0P0tI3GSizQKugBNyj0
!
no aaa new-model
no ip domain lookup
!
!
dot11 syslog
!
! dot11 ssid wep-wpa2 is the SSID that your authentication
! configuration will be applied to.
!
! authentication open: open system authentication, which WEP clients
! and WPA2 clients both use here (WEP shared-key auth is not enabled).
! authentication key-management wpa version 2 optional: enables WPA2
! key management; "optional" means non-WPA (WEP) clients may also
! associate, which is what turns this BSS into a TSN.
! wpa-psk: this is your key. Type 7 "encryption" is reversible
! obfuscation, so treat this line as the key in the clear.
dot11 ssid wep-wpa2
authentication open
authentication key-management wpa version 2 optional
wpa-psk ascii 7 135445415F59527D737D78
!
!
username Cisco password 7 02250D480809
!
bridge irb
!
! Dot11Radio0: this is your 802.11b/g radio, where your encryption lives.
! encryption key 3 size 128bit ... transmit-key: key 3 is the slot, 128 bit
! is the length, next is the key itself (type 7 obfuscated), and
! transmit-key tells the AP to transmit with slot 3.
! encryption mode ciphers aes-ccm wep128: tells the radio which ciphers
! to allow. In this case AES-CCMP AND WEP128, so WEP clients and WPA2
! clients share the BSS. Once the last WEP client is migrated, change
! this to "encryption mode ciphers aes-ccm" and drop "optional" from the
! key-management line so the BSS becomes a pure RSN.
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption key 3 size 128bit 7 904856427E9D21265549561E467E transmit-key
encryption mode ciphers aes-ccm wep128
!
ssid wep-wpa2
!
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
! Dot11Radio1: the 802.11a radio. It is shut down and no SSID is bound to
! it, so it plays no part in the TSN; its WEP key and "wep mandatory" mode
! are unused while the radio is down.
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
!
encryption key 3 size 128bit 7 8F156E346C961F07447BA1D43824 transmit-key
encryption mode wep mandatory
dfs band 3 block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 10.10.0.30 255.255.0.0
no ip route-cache
!
! Management: plain HTTP is enabled and HTTPS is off. Outside a lab, use
! "ip http secure-server" and "no ip http server" instead.
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
login local
!
end