Motorola Solutions AP-6511 Access Point System Reference Guide
8. Set the following Advanced settings for the WPA/WPA2-TKIP encryption scheme:
9. Select OK when completed to update the WLAN’s WPA/WPA2-TKIP encryption configuration. Select
Reset to revert the screen back to its last saved configuration.
WPA-TKIP Deployment Considerations
Before defining a WPA-TKIP supported configuration on a wireless controller WLAN, refer to the following
deployment guidelines to ensure the configuration is optimally effective:
• Though TKIP offers better security than WEP, it can be vulnerable to certain attacks.
• When TKIP and CCMP are both enabled, a mix of clients is allowed to associate with the WLAN.
Some use TKIP, others use CCMP. Since broadcast traffic needs to be understood by all clients, the
broadcast encryption type in this scenario is TKIP.
6.1.2.6 WPA2-CCMP
WPA2 is a newer 802.11i standard that provides even stronger wireless security than Wi-Fi Protected Access
(WPA) and WEP. CCMP is the security standard used by the Advanced Encryption Standard (AES). AES serves
the same function TKIP does for WPA-TKIP. CCMP computes a Message Integrity Check (MIC) using the
proven Cipher Block Chaining (CBC) technique. Changing just one bit in a message produces a totally
different result.
WPA2/CCMP is based on the concept of a Robust Security Network (RSN), which defines a hierarchy of keys
with a limited lifetime (similar to TKIP). Like TKIP, the keys the administrator provides are used to derive other
keys. Messages are encrypted using a 128-bit secret key and a 128-bit block of data. The end result is an
encryption scheme as secure as any for associated clients.
To configure WPA2-CCMP encryption on a WLAN:
1. Select Configuration > Wireless > Wireless LAN Policy to view a high-level display of the existing
WLANs.
Advanced settings for the WPA/WPA2-TKIP encryption scheme (step 8):

TKIP Countermeasure Hold Time: The TKIP countermeasure hold-time is the time during which the use of
the WLAN is disabled if TKIP countermeasures have been invoked on the WLAN. Use the drop-down menu
to define a value in either Hours (0-18), Minutes (0-1,092) or Seconds (0-65,535). The default
setting is 60 seconds.

Exclude WPA2-TKIP: Select this option for an Access Point to advertise and enable support for only
WPA-TKIP. This option can be used if certain older clients are not compatible with the newer
WPA2-TKIP information elements. Enabling this option allows backwards compatibility for clients
that support WPA-TKIP and WPA2-TKIP but do not support WPA2-CCMP. Motorola recommends enabling this
feature if WPA-TKIP or WPA2-TKIP supported clients operate in a WLAN populated by WPA2-CCMP enabled
clients. This feature is disabled by default.
NOTE: WPA-TKIP is not supported on radios configured to exclusively use 802.11n.