Brocade Mobility RFS Controller System Reference Guide (Supporting software release 5.5.0.0 and later) User Manual


53-1003099-01

5. Define Key Settings.

6. Define Key Rotation values.

Unicast messages are addressed to a single device on the network. Broadcast messages
are addressed to multiple devices. When using WPA2-CCMP, a wireless client can use 2
keys: one unicast key, for its own traffic to and from an Access Point, and one broadcast
key, the common key for all the clients in that subnet.

Brocade recommends rotating these keys so a potential hacker would not have enough
data using a single key to attack the deployed encryption scheme.

7. Set the following Advanced settings for the WPA2-CCMP encryption scheme.

8. Select OK when completed to update the WLAN’s WPA2-CCMP encryption configuration. Select
Reset to revert to its last saved configuration.

WPA2-CCMP Deployment Considerations

Before defining a WPA2-CCMP supported configuration on a wireless controller WLAN, refer to the
following deployment guidelines to ensure the configuration is optimally effective:

Brocade recommends WPA2-CCMP be configured for all new (non-visitor) WLANs requiring
encryption, as it is supported by the majority of the hardware and client vendors using Brocade
wireless networking equipment.

Pre-Shared Key

Enter either an alphanumeric string of 8 to 63 ASCII characters or 64 HEX characters as the
primary string both transmitting and receiving authenticators must share. The alphanumeric string
allows character spaces. The string is converted to a numeric value. This passphrase saves the
administrator from entering the 256-bit key each time keys are generated.
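The conversion the paragraph above refers to, shown as an added example (this is not code from the Brocade manual or from the controller software): a 64-digit hex string is the 256-bit key itself, while an 8-63 character passphrase is run through PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations, which is how IEEE 802.11 derives the pairwise master key from a passphrase. The function names are this example's own; the "password"/"IEEE" pair used at the bottom is the published IEEE 802.11 test vector.

```python
"""Validate a WPA2 pre-shared key the way the manual describes it
(8-63 printable ASCII characters, spaces allowed, or 64 hex digits)
and derive the 256-bit PMK from it.  Example code; function names are
this example's own, not the controller's."""
import hashlib
import re

HEX_KEY_RE = re.compile(r"^[0-9A-Fa-f]{64}$")


def classify_psk(psk: str) -> str:
    """Return 'hex' for a 64-hex-digit key or 'passphrase' for an 8-63
    character printable-ASCII string; raise ValueError otherwise.
    A 64-character string cannot be a passphrase (limit 63), so the two
    forms never overlap."""
    if HEX_KEY_RE.match(psk):
        return "hex"
    if 8 <= len(psk) <= 63 and all(32 <= ord(c) <= 126 for c in psk):
        return "passphrase"
    raise ValueError(
        "PSK must be 8-63 printable ASCII characters or 64 hex digits"
    )


def derive_pmk(psk: str, ssid: str) -> bytes:
    """Convert the configured PSK into the 256-bit pairwise master key.

    Hex input is the key verbatim.  A passphrase is stretched with
    PBKDF2-HMAC-SHA1, salt = SSID, 4096 iterations, 32-byte output,
    exactly as IEEE 802.11 specifies for WPA/WPA2-Personal."""
    if classify_psk(psk) == "hex":
        return bytes.fromhex(psk)
    return hashlib.pbkdf2_hmac(
        "sha1", psk.encode("ascii"), ssid.encode("utf-8"), 4096, dklen=32
    )


if __name__ == "__main__":
    # IEEE 802.11 test vector: passphrase "password", SSID "IEEE".
    print(derive_pmk("password", "IEEE").hex())
    # A hex key is accepted unchanged (constructed sample value).
    print(derive_pmk("00" * 32, "IEEE").hex())
```

Because the stretching cost is fixed by the standard and is small by modern standards, the strength of the resulting key comes entirely from the length and unpredictability of the passphrase; the SSID salt only prevents one precomputed table from serving every network with the same passphrase.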

Unicast Rotation Interval

Define an interval for unicast key transmission in seconds (30-86,400). Some clients have issues
using unicast key rotation, so ensure you know which clients are impacted before using unicast
keys. This value is disabled by default.

Broadcast Rotation Interval

When enabled, the key indices used for encrypting/decrypting broadcast traffic are alternately
rotated based on the defined interval. Define an interval for broadcast key transmission in seconds
(30-86,400). Key rotation enhances the security of broadcast traffic on the WLAN. This value is
disabled by default.

TKIP Countermeasure Hold Time

The TKIP countermeasure hold-time is the time during which the use of the WLAN is disabled if
TKIP countermeasures have been invoked on the WLAN. Use the drop-down menu to define a value
in either Hours (0-18), Minutes (0-1,092) or Seconds (0-65,535). The default setting is 60
seconds.

Exclude WPA2-TKIP

Select this option for an Access Point to advertise and enable support for only WPA-TKIP. Select this
option if certain older clients are not compatible with the newer WPA2-TKIP information elements.
Enabling this option allows backwards compatibility for clients that support WPA-TKIP and
WPA2-TKIP but do not support WPA2-CCMP. Brocade recommends enabling this feature if
WPA-TKIP or WPA2-TKIP supported clients operate in a WLAN populated by WPA2-CCMP enabled
clients. This feature is disabled by default.

Use SHA256