Monday, July 5, 2010


George Stefanick - CWSP Journey, (Chapter 5 – TSN POST#3) - 7/5/2010

TSN stands for Transition Security Network. A TSN supports both RSN and pre-RSN (legacy) authentication and encryption on the same BSS.

Example: think of WEP with WPA and/or WPA2 enabled on the same BSS. Pre-RSN + RSN = TSN.

Suppose your WLAN was secured with WEP and you wanted to upgrade to WPA2. Instead of having to manage another WLAN and add more wireless utilization (each WLAN you add increases wireless utilization), you can modify the current WLAN to allow WPA2 security.

Cisco often refers to a TSN as a “migration” WLAN. I was emailed today about adding a config for a Cisco autonomous AP with TSN.

First, let's look at a packet capture example:

Our SSID is: wep-wpa2

GROUP CIPHER WEP104 (WEP128)

RSNIE: You will notice in the capture below that the Group Cipher is WEP104 (WEP128). This is our indication that WEP is enabled on this BSS. Since all stations share a single group encryption key, the lowest common denominator is used. In this case it is WEP104 (WEP128).

PAIRWISE CIPHER CODE 00-0F-AC 4

Another area of interest is the Pairwise Cipher code 00-0F-AC 4. This is our other indication: AES-CCMP is being used.

NOTE:

OUI       Suite Type   Definition
00-0F-AC  0            Use the group cipher suite (only valid for pairwise ciphers)
00-0F-AC  1            WEP-40
00-0F-AC  2            TKIP
00-0F-AC  3            Reserved
00-0F-AC  4            CCMP
 

Auth Key Management Suite

Since we are in the frame, let me share what AUTH KEY MANAGEMENT means. This is where the RSN authentication type lives. You will see 2 types: 00-0F-AC 1 for 802.1X or 00-0F-AC 2 for PSK. In our example we are using PSK.

Authentication and key management suites

OUI       Suite Type   Authentication            Key Management
00-0F-AC  1            802.1X or PMK caching     Key derivation from preshared master key
00-0F-AC  2            Pre-shared key            Key derivation from pre-shared key
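To tie the two tables together, here is an added example (my own code, not from the original post or from Cisco) that decodes the body of an RSN information element the way the capture above is read: group cipher, pairwise cipher list and AKM list, and a TSN flag when the group cipher is WEP. The sample IE bytes are constructed to match the wep-wpa2 capture; suite type 5 (WEP-104) is taken from IEEE 802.11i and is not in the post's table.

```python
import struct

# Suite selectors under OUI 00-0F-AC, from the two tables in the post.
# Type 5 (WEP-104) comes from IEEE 802.11i: it is the value a WEP128
# group cipher decodes to in a capture (assumption beyond the post's table).
CIPHER_SUITES = {0: "Use group cipher", 1: "WEP-40", 2: "TKIP",
                 3: "Reserved", 4: "CCMP", 5: "WEP-104"}
AKM_SUITES = {1: "802.1X", 2: "PSK"}
PRE_RSN_CIPHERS = {"WEP-40", "WEP-104"}


def _selector(raw, table):
    """Decode one 4-byte suite selector (3-byte OUI + 1-byte suite type)."""
    if len(raw) != 4:
        raise ValueError("truncated suite selector")
    if raw[:3] != bytes.fromhex("000fac"):
        return "Vendor-specific"
    return table.get(raw[3], "Unknown")


def _suite_list(body, off, table):
    """Read a little-endian 16-bit count followed by that many selectors."""
    (count,) = struct.unpack_from("<H", body, off)
    off += 2
    names = []
    for _ in range(count):
        names.append(_selector(body[off:off + 4], table))
        off += 4
    return names, off


def parse_rsn_ie(body):
    """Parse an RSN IE body (element ID 48, bytes after the ID and length
    octets) and flag a TSN, i.e. a WEP group cipher alongside RSN suites."""
    if len(body) < 8:
        raise ValueError("RSN IE too short")
    (version,) = struct.unpack_from("<H", body, 0)
    group = _selector(body[2:6], CIPHER_SUITES)
    pairwise, off = _suite_list(body, 6, CIPHER_SUITES)
    akm, off = _suite_list(body, off, AKM_SUITES)
    return {"version": version, "group": group, "pairwise": pairwise,
            "akm": akm, "tsn": group in PRE_RSN_CIPHERS}


# Constructed RSN IE matching the wep-wpa2 capture described in the post:
# version 1, group WEP-104, pairwise CCMP, AKM PSK, RSN capabilities 0.
RSN_IE_WEP_WPA2 = bytes.fromhex("0100" "000fac05" "0100" "000fac04"
                                "0100" "000fac02" "0000")

if __name__ == "__main__":
    print(parse_rsn_ie(RSN_IE_WEP_WPA2))
```

Running the same parser over beacons from a monitor-mode capture gives a quick inventory of which BSSs are still advertising a WEP group cipher during a migration.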

 

Cisco 1240 TSN Configuration

Configuration Notes:

SSID: wep-wpa2
WPA PSK: WPA2/AES
PSK: 1234567890
WEP key slot: 3
WEP key: 128-bit / 12345678901234567890123456
Login: Cisco / Cisco

 

!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
enable secret 5 $1$/d5u$WOD0P0tI3GSizQKugBNyj0
!
no aaa new-model
no ip domain lookup
!
!
dot11 syslog
!
!
! dot11 ssid wep-wpa2: this is the SSID that your authentication
! configuration will be applied to
!
! authentication open: allows open authentication for WEP
! authentication key-management wpa version 2 optional: allows WPA2; the
! optional keyword means WPA and WEP can also be used
! wpa-psk: this is your key (note it is stored encrypted)
!
dot11 ssid wep-wpa2

   authentication open
   authentication key-management wpa version 2 optional
   wpa-psk ascii 7 135445415F59527D737D78
!
!
username Cisco password 7 02250D480809
!
bridge irb
!
!
! Dot11Radio0: this is your 802.11b/g radio, where your encryption will live
!
! encryption key 3 size 128bit ... transmit-key: key 3 is the slot, 128 bit
! is the length, next is your key, and transmit-key tells the AP that slot 3
! is the transmit key
!
! encryption mode ciphers aes-ccm wep128: tells the radio which encryption
! modes to use; in this case AES-CCMP AND WEP128
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption key 3 size 128bit 7 904856427E9D21265549561E467E transmit-key
 encryption mode ciphers aes-ccm wep128
 !
 ssid wep-wpa2
 !
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 !
 encryption key 3 size 128bit 7 8F156E346C961F07447BA1D43824 transmit-key
 encryption mode wep mandatory
 dfs band 3 block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 10.10.0.30 255.255.0.0
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 login local
!
end

Reader Comments (1)

Good post ... thanks

July 9, 2010 | Unregistered CommenterStan
