Brocade Mobility Access Point System Reference Guide (Supporting software release 5.5.0.0 and later) User Manual

410

Brocade Mobility Access Point System Reference Guide

53-1003100-01

6

Brocade recommends rotating these keys so a potential hacker would not have enough data using
a single key to attack the deployed encryption scheme.

9. Define the Fast Roaming configuration used only with 802.1x EAP-WPA/WPA2 authentication.

NOTE

Fast Roaming is available only when the authentication is EAP or EAP-PSK and the selected
encryption is either WPA/WPA2-TKIP or WPA-CCMP.

802.11i can speed up the roaming process from one access point to another. Instead of
doing a complete 802.1x authentication each time a client roams between access points,
802.11i allows a client to re-use previous PMK authentication credentials and perform a
four-way handshake. This speeds up the roaming process. In addition to reusing PMKs on
previously visited access points, Opportunistic Key Caching allows multiple access points
to share PMKs amongst themselves. This allows a client to roam to an access point it has
not previously visited and reuse a PMK to skip 802.1x authentication.

10. Set the following Advanced for the WPA2-CCMP encryption scheme:

Unicast Rotation Interval

Define a unicast key transmission interval from 30 - 86,400 seconds. Some clients have issues
using unicast key rotation, so ensure you know which clients are impacted before using unicast
keys. This value is disabled by default.

Broadcast Rotation
Interval

When enabled, the key indices used for encrypting/decrypting broadcast traffic will be alternatively
rotated based on the defined interval. Define a broadcast key transmission interval from 30 -
86,400 seconds. Key rotation enhances the broadcast traffic security on the WLAN. This value is
disabled by default.

Pre-Authentication

Selecting this option enables an associated client to carry out an 802.1x authentication with
another access point before it roams to it. This enables a roaming client to send and receive data
sooner by not having to conduct an 802.1x authentication after roaming. With pre-authentication, a
client can perform an 802.1X authentication with other detected access points while still
connected to its current access points. When a device roams to a neighboring access points, the
device is already authenticated, thus providing faster re-association.

Pairwise Master Key (PMK)
Caching

Pairwise Master Key (PMK) Caching is a technique for sidestepping the need to
re-establish security each time a client roams to a different switch. Using PMK caching, clients and
switches cache the results of 802.1X authentications. Therefore, access is much faster when a
client roams back to a switch to which the client is already authenticated.

Opportunistic Key Caching

This option enables the access point to use a PMK derived with a client on one access point, with
the same client when it roams over to another access point. Upon roaming, the client does not have
to do 802.1x authentication and can start sending and receiving data sooner.

TKIP Countermeasure Hold
Time

The TKIP Countermeasure Hold Time is the time a WLAN is disabled, if TKIP countermeasures have
been invoked on the WLAN. Use the drop-down menu to define a value in either Hours (0-18),
Minutes (0-1,092) or Seconds (0-65,535). The default setting is 60 seconds.

Exclude WPA2-TKIP

Select this option to advertise and enable support for only WPA-TKIP. This option can be used if
certain older clients are not compatible with newer WPA2-TKIP information elements. Enabling this
option allows backwards compatibility for clients that support WPA-TKIP and WPA2-TKIP, but do not
support WPA2-CCMP. Brocade recommends enabling this feature if WPA-TKIP or WPA2-TKIP
supported clients operate in a WLAN populated by WPA2-CCMP enabled clients. This feature is
disabled by default.

Use SHA256

Select this option to enable SHA-256 authentication key management suite. This suite consists of a
set of algorithms for key agreement, key derivation, key wrapping, and content encryption and
provide a minimum cryptographic security level of 128 bits.