Generate Preshared Key Ascii Solaris

How to Refresh IKE Preshared Keys

This procedure assumes that you want to replace an existing preshared key at regular intervals.

  1. On the system console, assume the Primary Administrator role or become superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

    Note –

    Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the security of the system is reduced to the security of the remote login session. Use the ssh command for a secure remote login.

  2. Generate random numbers and construct a key of the appropriate length.

    For details, see How to Generate Random Numbers on a Solaris System. If you are generating a preshared key for a Solaris system that is communicating with an operating system that requires ASCII, see Example 22–1.

  3. Replace the current key with a new key.

    For example, on the hosts enigma and partym, you would replace the value of key in the /etc/inet/secret/ike.preshared file with a new number of the same length.

  4. Refresh the IKE keys.


Introduction

Optionally, to make a more variable key, you can enter two encoding keys, and these keys must be exchanged between both parties. For example, you can make the two keys the public IP address of the two VPN terminators.

  1. The Wireshark WPA Pre-shared Key Generator provides an easy way to convert a WPA passphrase and SSID to the 256-bit pre-shared ('raw') key used for key derivation. The PSK is calculated by your browser.
  2. The administrator places this value in the ike.preshared file on the Solaris system:

         # Shared key in hex (192 bits)
         key 726d

     On Windows XP, which requires ASCII preshared keys, the passphrase is the preshared key. The Solaris system administrator telephones the other administrator with the passphrase, welcome.
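
The relationship between the hex key on the Solaris side and the ASCII passphrase on the other side, as an added example (not part of the Solaris documentation): the hex value is the passphrase bytes hex-encoded, so both systems end up with identical key material. The function names and the sample old key are constructed for illustration.

```python
import math
import secrets
import string

# Assumption: letters and digits only, so the passphrase can be read over the
# phone and typed on either system without quoting problems.
ALPHABET = string.ascii_letters + string.digits

def new_ascii_passphrase(key_bits=192):
    """Random ASCII passphrase whose byte length matches the key length."""
    if key_bits <= 0 or key_bits % 8:
        raise ValueError("key length must be a positive multiple of 8 bits")
    return "".join(secrets.choice(ALPHABET) for _ in range(key_bits // 8))

def ascii_to_hex_key(passphrase):
    """Hex string for the Solaris side: the passphrase bytes, hex-encoded."""
    return passphrase.encode("ascii").hex()  # non-ASCII input raises ValueError

def hex_key_to_ascii(hex_key):
    """Recover the passphrase that the ASCII-only peer must be given."""
    text = bytes.fromhex(hex_key).decode("ascii")
    if not text.isprintable():
        raise ValueError("key contains bytes that cannot be typed as ASCII")
    return text

def same_length(old_hex, new_hex):
    """The replacement key must be as long as the key it replaces."""
    return len(bytes.fromhex(old_hex)) == len(bytes.fromhex(new_hex))

def entropy_bits(passphrase_len, alphabet_size=len(ALPHABET)):
    """Upper bound on the entropy of a random passphrase drawn from ALPHABET."""
    return passphrase_len * math.log2(alphabet_size)

if __name__ == "__main__":
    old_hex = ascii_to_hex_key("constructed-old-key-0001")  # constructed sample
    phrase = new_ascii_passphrase(192)
    new_hex = ascii_to_hex_key(phrase)
    assert hex_key_to_ascii(new_hex) == phrase
    assert same_length(old_hex, new_hex)
    print("passphrase for the ASCII-only peer:", phrase)
    print("key", new_hex)
    # A 24-character alphanumeric passphrase fills 192 bits of key material
    # but carries fewer than 192 bits of entropy.
    print("entropy (bits): %.1f" % entropy_bits(len(phrase)))
```
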

This document provides a sample configuration for Wi-Fi Protected Access (WPA), the interim security standard that Wi-Fi Alliance members use.

Prerequisites

Requirements

Ensure that you meet these requirements before you attempt this configuration:

  • Thorough knowledge of wireless networks and wireless security issues

  • Knowledge of Extensible Authentication Protocol (EAP) security methods

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco IOS® Software-based access points (APs)

  • Cisco IOS Software Release 12.2(15)JA or later

    Note: Preferably, use the latest Cisco IOS Software release, even though WPA is supported in Cisco IOS Software Release 12.2(11)JA and later. In order to obtain the latest Cisco IOS Software release, refer to Downloads (registered customers only).

  • A WPA-compliant network interface card (NIC) and its WPA-compliant client software

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Background Theory

Security features in a wireless network, such as WEP, are weak. The Wi-Fi Alliance (or WECA) industry group devised a next-generation, interim security standard for wireless networks. The standard provides defense against weaknesses until the IEEE organization ratifies the 802.11i standard.

This new scheme builds on current EAP/802.1x authentication and dynamic key management, and adds stronger cipher encryption. After the client device and the authentication server make an EAP/802.1x association, WPA key management is negotiated between the AP and the WPA-compliant client device.

Cisco AP products also provide for a hybrid configuration in which both legacy WEP-based EAP clients (with legacy or no key management) work in conjunction with WPA clients. This configuration is referred to as migration mode. Migration mode allows for a phased approach to migrate to WPA. This document does not cover migration mode. This document provides an outline for a pure WPA-secured network.

In addition to enterprise- or corporate-level security concerns, WPA also provides a Pre-Shared Key version (WPA-PSK) that is intended for use in small office, home office (SOHO) or home wireless networks. Cisco Aironet Client Utility (ACU) does not support WPA-PSK. The Wireless Zero Configuration utility from Microsoft Windows supports WPA-PSK for most wireless cards, as do these utilities:

  • AEGIS Client from Meetinghouse Communications

    Note: Refer to EOS and EOL Announcement for the Meetinghouse AEGIS Product Line.

  • Odyssey client from Funk Software

    Note: Refer to Juniper Networks Customer Support Center.

  • Original equipment manufacturer (OEM) client utilities from some manufacturers

You can configure WPA-PSK when:

  • You define the Encryption Mode as Cipher Temporal Key Integrity Protocol (TKIP) on the Encryption Manager tab.

  • You define the authentication type, the use of authenticated key management, and the pre-shared key on the Service Set Identifier (SSID) Manager tab of the GUI.

  • No configuration is required on the Server Manager tab.

In order to enable WPA-PSK through the command-line interface (CLI), enter these commands. Start from the configuration mode:

Note: This section provides only the configuration that is relevant to WPA-PSK. The configuration in this section is only to give you an understanding on how to enable WPA-PSK and is not the focus of this document. This document explains how to configure WPA.
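
The passphrase-to-key conversion that WPA-PSK relies on, as an added example (not part of the Cisco document): the 256-bit PSK is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations and 32 bytes of output. The function names are hypothetical and the sample SSIDs and passphrase are constructed.

```python
import hashlib
import string

def wpa_psk(passphrase, ssid):
    """Derive the 256-bit WPA pre-shared key from a passphrase and an SSID."""
    pw = passphrase.encode("ascii")  # non-ASCII input raises ValueError
    salt = ssid.encode("utf-8")
    if not 8 <= len(pw) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if any(b < 0x20 or b > 0x7E for b in pw):
        raise ValueError("WPA passphrase must be printable ASCII")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", pw, salt, 4096, 32)

def resolve_psk(configured, ssid):
    """Accept either form of the key: 64 hex digits are the raw 256-bit PSK,
    anything else is treated as a passphrase and run through wpa_psk()."""
    if len(configured) == 64:
        if not all(c in string.hexdigits for c in configured):
            raise ValueError("a 64-character key must be hexadecimal")
        return bytes.fromhex(configured)
    return wpa_psk(configured, ssid)

if __name__ == "__main__":
    # Constructed sample values, not taken from any real network.
    # The SSID is the salt, so the same passphrase gives a different PSK
    # on each SSID, and a client configured with the wrong SSID derives
    # a key that will not complete the four-way handshake.
    for ssid in ("lab-ap-1", "lab-ap-2"):
        print(ssid, wpa_psk("constructed passphrase", ssid).hex())
```
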

Conventions

Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Configure

WPA builds on the current EAP/802.1x methods. This document assumes that you have a Light EAP (LEAP), EAP, or Protected EAP (PEAP) configuration that works before you add the configuration in order to engage WPA.

This section presents the information to configure the features described in this document.

Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.

Network EAP or Open Authentication with EAP

In any EAP/802.1x-based authentication method, you may question what the differences are between Network-EAP and Open authentication with EAP. These items refer to values in the Authentication Algorithm field in the headers of management and association packets. Most manufacturers of wireless clients set this field at the value 0 (Open authentication), and then signal their desire to do EAP authentication later in the association process. Cisco sets the value differently, from the start of association with the Network EAP flag.

Use the authentication method that this list indicates if your network has clients that are:

  • Cisco clients—Use Network-EAP.

  • Third-party clients (which include Cisco Compatible Extensions [CCX]-compliant products)—Use Open authentication with EAP.

  • A combination of both Cisco and third-party clients—Choose both Network-EAP and Open authentication with EAP.

CLI Configuration

This document uses these configurations:

  • A LEAP configuration that exists and works

  • Cisco IOS Software Release 12.2(15)JA for the Cisco IOS Software-based APs

AP

GUI Configuration

Complete these steps in order to configure the AP for WPA:

  1. Complete these steps in order to set up the Encryption Manager:

    1. Enable Cipher for TKIP.

    2. Clear the value in Encryption Key 1.

    3. Set Encryption Key 2 as the Transmit Key.

    4. Click Apply-Radio#.

  2. Complete these steps in order to set up the SSID Manager:

    1. Select the desired SSID from Current SSID List.

    2. Choose an appropriate authentication method.

      Base this decision on the type of client cards that you use. See the Network EAP or Open Authentication with EAP section of this document for more information. If EAP worked before the addition of WPA, a change is probably not necessary.

    3. Complete these steps in order to enable key management:

      1. Choose Mandatory from the Key Management drop-down menu.

      2. Check the WPA check box.

    4. Click Apply-Radio#.

Verify

Use this section to confirm that your configuration works properly.

The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.

  • show dot11 association mac_address—This command displays information about a specifically identified associated client. Verify that the client negotiates Key Management as WPA and Encryption as TKIP.

  • The Association table entry for a particular client must also indicate Key Management as WPA and Encryption as TKIP. In the Association table, click a particular MAC address for a client in order to see the details of the association for that client.

Troubleshoot

This section provides information you can use to troubleshoot your configuration.

Troubleshoot Procedure

This information is relevant to this configuration. Complete these steps in order to troubleshoot your configuration:

  1. If this LEAP, EAP, or PEAP configuration has not been thoroughly tested before WPA implementation, you must complete these steps:

    1. Temporarily disable the WPA encryption mode.

    2. Reenable the appropriate EAP.

    3. Confirm that the authentication works.

  2. Verify that the configuration of the client matches that of the AP.

    For example, when the AP is configured for WPA and TKIP, confirm that the settings match the settings that are configured in the client.

Troubleshoot Commands

Note: Refer to Important Information on Debug Commands before you use debug commands.

WPA key management involves a four-way handshake after EAP authentication successfully completes. You can see these four messages in debugs. If EAP does not successfully authenticate the client or if you do not see the messages, complete these steps:

  1. Temporarily disable WPA.

  2. Reenable the appropriate EAP.

  3. Confirm that the authentication works.

This list describes the debugs:

  • debug dot11 aaa manager keys—This debug shows the handshake that happens between the AP and the WPA client as the pairwise transient key (PTK) and group transient key (GTK) negotiate. This debug was introduced in Cisco IOS Software Release 12.2(15)JA.

    debug dot11 aaa manager keys

    If no debug outputs appear, verify these items:

    • The terminal monitor (term mon) is enabled, if you use a Telnet session.

    • The debugs are enabled.

    • The client is appropriately configured for WPA.

    If the debug shows that PTK and/or GTK handshakes are built but not verified, check the WPA supplicant software for the correct configuration and up-to-date version.

  • debug dot11 aaa authenticator state-machine—This debug shows the various states of negotiations that a client goes through as it associates and authenticates. The state names indicate these states. This debug was introduced in Cisco IOS Software Release 12.2(15)JA. The debug obsoletes the debug dot11 aaa dot1x state-machine command in Cisco IOS Software Release 12.2(15)JA and later.

  • debug dot11 aaa dot1x state-machine—This debug shows the various states of negotiations that a client goes through as it associates and authenticates. The state names indicate these states. In Cisco IOS Software releases that are earlier than Cisco IOS Software Release 12.2(15)JA, this debug also shows the WPA key management negotiation.

  • debug dot11 aaa authenticator process—This debug is most helpful to diagnose problems with negotiated communications. The detailed information shows what each participant in the negotiation sends and shows the response of the other participant. You can also use this debug in conjunction with the debug radius authentication command. This debug was introduced in Cisco IOS Software Release 12.2(15)JA. The debug obsoletes the debug dot11 aaa dot1x process command in Cisco IOS Software Release 12.2(15)JA and later.

  • debug dot11 aaa dot1x process—This debug is helpful to diagnose problems with negotiated communications. The detailed information shows what each participant in the negotiation sends and shows the response of the other participant. You can also use this debug in conjunction with the debug radius authentication command. In Cisco IOS Software releases that are earlier than Cisco IOS Software Release 12.2(15)JA, this debug shows the WPA key management negotiation.
