Q

TKIP encryption

We're in the process of implementing PEAP (MS-CHAPv2), authenticating to an existing NT Active Directory domain, and all is working OK. Two questions...

1) I've got the key rotation set for every 5 minutes on the RADIUS server (Cisco Secure 3.2). Will TKIP get any additional security?

2) The period of time the PC is given to authenticate is too short. It's actually around 2 minutes, which should be long enough, but I'd like to lengthen it to an hour or so.

A

TKIP encryption is based on transient keys, changed often enough to prevent the key reuse that led to WEP cracking. In TKIP, there are pairwise transient keys and group transient keys. Pairwise transient keys are different for every association. They get derived and installed at the end of 802.1X. They can be automatically updated as needed, using the pairwise master key, because changes affect only one association.

The same broadcast key must be used by all stations connected to an AP (or a VLAN on an AP). When using TKIP, the group transient key is delivered securely after the pairwise transient keys are derived and installed. Because the same group key is used by everyone, it is effectively static unless something forces it to change. Broadcast key rotation updates that group transient key for all stations currently associated to the AP.

I am not aware of a configurable timeout that would control how long a station is given to authenticate overall, but you can usually control how long the AP and RADIUS server wait before timing out on any individual RADIUS message. For example, see radius-server timeout in Cisco APs.
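
The key hierarchy the answer describes, as an added worked example that is not part of the original answer: the pairwise transient key is derived from the pairwise master key left behind by 802.1X, using the two MAC addresses and two nonces exchanged in the 4-way handshake; a pairwise rekey only needs fresh nonces, not a new RADIUS exchange; and under TKIP the AP delivers the group temporal key to each station wrapped with that station's KEK (RC4 keyed with the EAPOL-Key IV prepended to the KEK, first 256 keystream bytes discarded). All keys, addresses, nonces and the IV below are constructed sample values, not captured traffic, and the function names are this example's own.

```python
"""Added example: WPA/TKIP key hierarchy (PTK derivation, pairwise rekey,
TKIP-style GTK delivery). Sample values are constructed, not captured."""
import hashlib
import hmac
import os

PTK_BITS_TKIP = 512  # KCK 128 | KEK 128 | TK 256 (128-bit RC4 key + two 64-bit Michael keys)

# Constructed sample inputs (assumed values for illustration only).
SAMPLE_PMK = hashlib.sha256(b"constructed PMK from PEAP/802.1X").digest()  # 32 bytes
AP_ADDR = bytes.fromhex("001122334455")    # authenticator (AP) MAC, constructed
STA_ADDR = bytes.fromhex("66778899aabb")   # supplicant (station) MAC, constructed
ANONCE = hashlib.sha256(b"constructed ANonce").digest()
SNONCE = hashlib.sha256(b"constructed SNonce").digest()
SAMPLE_GTK = hashlib.sha256(b"constructed group temporal key").digest()  # 32 bytes
SAMPLE_EAPOL_KEY_IV = bytes(range(16))     # 16-byte EAPOL-Key IV field, constructed


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1 in counter mode over label || 0x00 || data || i,
    output truncated to n bits."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Pairwise Transient Key for one association. The Min/Max ordering makes
    the result identical whichever side (AP or station) computes it."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, PTK_BITS_TKIP)
    return {
        "KCK": ptk[:16],            # EAPOL-Key MIC key (protects handshake frames)
        "KEK": ptk[16:32],          # EAPOL-Key encryption key (wraps the GTK)
        "TK": ptk[32:64],           # TKIP temporal key, 256 bits:
        "TK_ENC": ptk[32:48],       #   per-association RC4 base key
        "MIC_AP_TO_STA": ptk[48:56],  # Michael key, AP -> station
        "MIC_STA_TO_AP": ptk[56:64],  # Michael key, station -> AP
    }


def rekey_pairwise(pmk: bytes, aa: bytes, spa: bytes) -> dict:
    """A pairwise rekey is another 4-way handshake with fresh random nonces.
    The PMK is reused, so only this one association is affected."""
    return derive_ptk(pmk, aa, spa, os.urandom(32), os.urandom(32))


def rc4(key: bytes, data: bytes, skip: int = 0) -> bytes:
    """Plain RC4; `skip` discards that many leading keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for k in range(skip + len(data)):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        ks = s[(s[i] + s[j]) & 0xFF]
        if k >= skip:
            out.append(data[k - skip] ^ ks)
    return bytes(out)


def wrap_gtk_tkip(kek: bytes, eapol_key_iv: bytes, gtk: bytes) -> bytes:
    """EAPOL-Key Key Data encryption for Key Descriptor Version 1 (TKIP):
    RC4 keyed with IV || KEK, first 256 keystream bytes discarded."""
    return rc4(eapol_key_iv + kek, gtk, skip=256)


unwrap_gtk_tkip = wrap_gtk_tkip  # RC4 is symmetric: same call decrypts


def group_rekey(kek_per_station: dict, eapol_key_iv: bytes, new_gtk: bytes) -> dict:
    """Broadcast key rotation: the same new GTK is wrapped separately for every
    associated station, each under its own KEK."""
    return {sta: wrap_gtk_tkip(kek, eapol_key_iv, new_gtk) for sta, kek in kek_per_station.items()}


if __name__ == "__main__":
    ptk = derive_ptk(SAMPLE_PMK, AP_ADDR, STA_ADDR, ANONCE, SNONCE)
    print("TK  :", ptk["TK"].hex())
    print("TK' :", rekey_pairwise(SAMPLE_PMK, AP_ADDR, STA_ADDR)["TK"].hex(), "(same PMK, fresh nonces)")
    wrapped = wrap_gtk_tkip(ptk["KEK"], SAMPLE_EAPOL_KEY_IV, SAMPLE_GTK)
    print("GTK wrapped for station:", wrapped.hex())
```

The two properties worth noticing when running it: `derive_ptk` gives the same PTK from either side's point of view (the addresses and nonces are sorted before hashing), and the TK changes completely after `rekey_pairwise` even though the PMK never does, which is why a pairwise rekey costs no RADIUS traffic. `group_rekey` is what the broadcast-key-rotation setting triggers: one new GTK, wrapped once per station under that station's own KEK.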

This was first published in October 2003
