GEORGE STEFANICK - CWSP JOURNEY, (CHAPTER 5 – TSN POST#3)- 7/5/2010
Monday, July 5, 2010 at 9:53PM
George

TSN stands for Transition Security Network. A TSN supports both RSN and pre-RSN (legacy) authentication and encryption on the same BSS.

Example – think of WEP with WPA and/or WPA2 enabled on the same BSS. Pre-RSN + RSN = TSN.

Suppose your WLAN was secured with WEP and you wanted to upgrade to WPA2. Instead of having to manage another WLAN and add more wireless utilization (each WLAN you add increases wireless utilization), you can modify the current WLAN to allow WPA2 security alongside WEP.

Cisco often references TSN as a “migration” WLAN. I was emailed today about adding a config for a Cisco autonomous ap with TSN.

First, let's look at a packet capture example:

Our SSID is: wep-wpa2

GROUP CIPHER WEP104 (WEP128)

RSNIE: In the capture you will notice the Group Cipher is WEP104 (WEP128). This is our indication that WEP is enabled on this BSS. Since all stations share a single group cipher, the lowest common denominator is used; in this case that is WEP104 (WEP128).

PAIRWISE CIPHER CODE 00-0F-AC 4

Another area of interest is the Pairwise Cipher code 00-0F-AC 4. This is our other indication that AES-CCMP is being used.

NOTE:

OUI        Suite Type   Definition
00-0F-AC   0            Use the group cipher suite (only valid for pairwise ciphers)
00-0F-AC   1            WEP-40
00-0F-AC   2            TKIP
00-0F-AC   3            Reserved
00-0F-AC   4            CCMP

Auth Key Management Suite

Since we are in the frame, let me share what the AUTH KEY MANAGEMENT field means. This is where the RSN authentication type lives. You will see two types: 00-0F-AC 1 for 802.1X or 00-0F-AC 2 for PSK. In our example we are using PSK.

Authentication and key management suites

OUI        Suite type   Authentication            Key management
00-0F-AC   1            802.1X or PMK caching     Key derivation from pairwise master key (PMK)
00-0F-AC   2            Pre-shared key            Key derivation from pre-shared key
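To make the RSN IE fields above concrete, here is an added example (not code from the original post) that parses the RSN IE out of a beacon and flags a TSN by the rule described above: the group cipher is WEP while an RSN pairwise cipher is offered. The IE bytes are constructed to match the wep-wpa2 capture; suite type 5 (WEP-104) is the standard's selector and is not in the short table above.

```python
import struct

# Suite selectors with OUI 00-0F-AC (IEEE). Types 0-4 are from the table above;
# type 5 (WEP-104) is the standard's selector for the group cipher seen on a TSN.
OUI_IEEE = bytes.fromhex("000fac")
CIPHERS = {0: "use-group", 1: "WEP-40", 2: "TKIP", 3: "reserved", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}


def suite_name(sel: bytes, table: dict) -> str:
    """Render a 4-byte suite selector as 'OUI type (name)', e.g. '00-0F-AC 4 (CCMP)'."""
    oui, typ = sel[:3], sel[3]
    name = table.get(typ, "unknown") if oui == OUI_IEEE else "vendor-specific"
    return f"{oui[0]:02X}-{oui[1]:02X}-{oui[2]:02X} {typ} ({name})"


def parse_rsn_ie(ie: bytes) -> dict:
    """Parse a complete RSN IE (element ID 48, length, body) as carried in a beacon."""
    if len(ie) < 2 or ie[0] != 48 or len(ie) < 2 + ie[1]:
        raise ValueError("not a complete RSN IE")
    body = ie[2:2 + ie[1]]

    def u16(off):  # little-endian 16-bit field with bounds check
        if off + 2 > len(body):
            raise ValueError("truncated RSN IE")
        return struct.unpack_from("<H", body, off)[0]

    def suites(off, count):  # list of 4-byte selectors, returns (list, next offset)
        end = off + 4 * count
        if end > len(body):
            raise ValueError("suite list runs past the IE length")
        return [body[i:i + 4] for i in range(off, end, 4)], end

    version, group = u16(0), body[2:6]
    pairwise, off = suites(8, u16(6))
    akms, off = suites(off + 2, u16(off))
    caps = u16(off) if off + 2 <= len(body) else 0  # RSN capabilities are optional
    # TSN indicator: an RSN pairwise cipher (TKIP/CCMP) is offered, but the group
    # cipher is WEP because pre-RSN stations on the same BSS can only do WEP.
    group_is_wep = group[:3] == OUI_IEEE and group[3] in (1, 5)
    rsn_pairwise = any(s[:3] == OUI_IEEE and s[3] in (2, 4) for s in pairwise)
    return {"version": version, "group": suite_name(group, CIPHERS),
            "pairwise": [suite_name(s, CIPHERS) for s in pairwise],
            "akm": [suite_name(s, AKMS) for s in akms],
            "capabilities": caps, "tsn": group_is_wep and rsn_pairwise}


# Constructed RSN IE matching the wep-wpa2 capture: group WEP-104, pairwise CCMP, AKM PSK.
TSN_IE = bytes.fromhex("3014" "0100" "000fac05" "0100" "000fac04" "0100" "000fac02" "0000")
# Constructed pure WPA2-PSK IE for comparison: group and pairwise both CCMP.
WPA2_IE = bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac02" "0000")
```

Running parse_rsn_ie over the RSN IE of each beacon you capture gives a quick inventory of which BSSs still carry WEP as the group cipher, which is the same check a WLAN audit would perform before retiring the migration SSID.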

 

Cisco 1240 TSN Configuration

Configuration Notes:

SSID is wep-wpa2

WPA PSK: WPA2/AES

PSK: 1234567890

WEP KEY: Slot 3

WEP KEY: 128 / 12345678901234567890123456

Logon Cisco / Cisco

 

!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
enable secret 5 $1$/d5u$WOD0P0tI3GSizQKugBNyj0
!
no aaa new-model
no ip domain lookup
!
!
dot11 syslog
!
!
! dot11 ssid wep-wpa2: the SSID that your authentication configuration is applied to
! authentication open: open authentication, which allows the WEP clients to authenticate
! authentication key-management wpa version 2 optional: WPA2 key management; the
!   "optional" keyword means WPA and WEP clients can be used on this SSID as well
! wpa-psk: this is your key (note it is stored encrypted)
!
dot11 ssid wep-wpa2
 authentication open
 authentication key-management wpa version 2 optional
 wpa-psk ascii 7 135445415F59527D737D78
!
!
username Cisco password 7 02250D480809
!
bridge irb
!
!
! interface Dot11Radio0: this is your 802.11b/g radio, where your encryption lives
! encryption key 3 size 128bit ... transmit-key: key 3 is the slot, 128 bit is the
!   length, next is your (encrypted) key, and transmit-key tells the ap that slot 3
!   is the transmit key
! encryption mode ciphers aes-ccm wep128: tells the radio which encryption modes to
!   use, in this case AES-CCMP AND WEP128
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption key 3 size 128bit 7 904856427E9D21265549561E467E transmit-key
 encryption mode ciphers aes-ccm wep128
 !
 ssid wep-wpa2
 !
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 !
 encryption key 3 size 128bit 7 8F156E346C961F07447BA1D43824 transmit-key
 encryption mode wep mandatory
 dfs band 3 block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 10.10.0.30 255.255.0.0
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 login local
!
end

Article originally appeared on my80211.com (http://www.my80211.com/).