
Cisco Router 860, 880 Series User Manual


Authentication Types for Wireless Devices
Configuring Authentication Types
OL-15914-01
Configuring Additional WPA Settings

Use two optional settings to configure a pre-shared key on the access point and to adjust the frequency
of group key updates.

Setting a Pre-Shared Key

To support WPA on a wireless LAN where 802.1X-based authentication is not available, you must
configure a pre-shared key on the access point. You can enter the pre-shared key in ASCII or
hexadecimal characters. If you enter the key as ASCII characters, you enter between 8 and 63 characters,
and the access point expands the key by using the process described in the Password-based
Cryptography Standard (RFC 2898). If you enter the key as hexadecimal characters, you must enter 64
hexadecimal characters.
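The passphrase expansion that the paragraph above refers to, as an added Python example; it is not from this manual or from Cisco's implementation. The manual only names RFC 2898, so the concrete PBKDF2 parameters used here (HMAC-SHA1, the SSID as salt, 4096 iterations, 256-bit output) are an assumption taken from IEEE 802.11i, which is what WPA personal mode uses. The SSID `batman` and passphrase `batmobile65` are taken from the manual's own configuration example; the `password`/`IEEE` pair in `known_answer_check` is the published 802.11i test vector.

```python
import hashlib
import re

# The manual only names RFC 2898 (PBKDF2). The concrete parameters below are the ones
# IEEE 802.11i fixes for WPA/WPA2 personal mode (assumption stated in the lead-in, not
# something this page spells out): HMAC-SHA1, the SSID as salt, 4096 iterations, 256-bit output.
PBKDF2_HASH = "sha1"
PBKDF2_ITERATIONS = 4096
PSK_BYTES = 32                 # 256 bits = the 64 hexadecimal characters of 'wpa-psk hex'

ASCII_MIN, ASCII_MAX = 8, 63   # limits the manual gives for 'wpa-psk ascii'
HEX_DIGITS = 64                # length the manual requires for 'wpa-psk hex'


def psk_from_ascii(passphrase: str, ssid: str) -> bytes:
    """Expand an ASCII passphrase into the 256-bit PSK the access point actually uses.

    Applies the same input rule as the CLI: 8 to 63 characters, printable ASCII only.
    """
    if not ASCII_MIN <= len(passphrase) <= ASCII_MAX:
        raise ValueError(f"ASCII passphrase must be {ASCII_MIN}-{ASCII_MAX} characters, got {len(passphrase)}")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("ASCII passphrase must contain only printable ASCII characters")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    return hashlib.pbkdf2_hmac(PBKDF2_HASH, passphrase.encode("ascii"), salt,
                               PBKDF2_ITERATIONS, PSK_BYTES)


def psk_from_hex(hex_key: str) -> bytes:
    """Parse the 'wpa-psk hex' form; anything other than exactly 64 hex digits is rejected."""
    if not re.fullmatch(r"[0-9a-fA-F]{%d}" % HEX_DIGITS, hex_key):
        raise ValueError(f"hex key must be exactly {HEX_DIGITS} hexadecimal characters")
    return bytes.fromhex(hex_key)


def ascii_to_hex_form(passphrase: str, ssid: str) -> str:
    """The 'wpa-psk hex' string that yields the same PSK as 'wpa-psk ascii <passphrase>' on this SSID."""
    return psk_from_ascii(passphrase, ssid).hex()


def rejects(func, *args) -> bool:
    """True when func(*args) raises ValueError; used to exercise the length checks."""
    try:
        func(*args)
    except ValueError:
        return True
    return False


def known_answer_check() -> bool:
    """Reproduce the published IEEE 802.11i test vector: passphrase 'password', SSID 'IEEE'."""
    expected = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"
    return ascii_to_hex_form("password", "IEEE") == expected


if __name__ == "__main__":
    # SSID and passphrase taken from the manual's own configuration example.
    print("wpa-psk hex equivalent of 'wpa-psk ascii batmobile65' on SSID batman:")
    print(ascii_to_hex_form("batmobile65", "batman"))
    print("802.11i test vector reproduced:", known_answer_check())
```

Both entry forms end up as the same 256-bit key, but they are not equally strong: the derivation and the SSID are public, so a key entered in ASCII is only as strong as the passphrase behind it, whereas 64 hexadecimal characters drawn from a cryptographic random source carry the full 256 bits.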
Configuring Group Key Updates

In the last step in the WPA process, the access point distributes a group key to the authenticated client
device. You can use these optional settings to configure the access point to change and distribute the
group key, based on client association and disassociation:

• Membership termination: the access point generates and distributes a new group key when any
  authenticated device disassociates from the access point. This feature keeps the group key private
  for associated devices, but it might generate some overhead traffic if clients on your network roam
  frequently among access points.

• Capability change: the access point generates and distributes a dynamic group key when the last
  non-key management (static WEP) client disassociates, and it distributes the statically configured
  WEP key when the first non-key management (static WEP) client authenticates. In WPA migration
  mode, this feature significantly improves the security of key-management capable clients when
  there are no static-WEP clients associated to the access point.
To configure a WPA pre-shared key and group key update options, follow these steps, beginning in
privileged EXEC mode:

Step 1  configure terminal
        Enters global configuration mode.

Step 2  ssid ssid-string
        Enters SSID configuration mode for the SSID.

Step 3  wpa-psk {hex | ascii} [0 | 7] encryption-key
        Enters a pre-shared key for client devices using WPA that also use static WEP keys.
        Enter the key by using either hexadecimal or ASCII characters. If you use hexadecimal, you must
        enter 64 hexadecimal characters to complete the 256-bit key. If you use ASCII, you must enter a
        minimum of 8 letters, numbers, or symbols, and the access point expands the key for you. You can
        enter a maximum of 63 ASCII characters.

Step 4  interface dot11radio radio-interface
        Enters interface configuration mode for the radio interface.

Step 5  ssid ssid-string
        Enters the SSID defined in Step 2 to assign the SSID to the selected radio interface.

Step 6  exit
        Returns to privileged EXEC mode.

Step 7  broadcast-key [vlan vlan-id] {change seconds} [membership-termination] [capability-change]
        Uses the broadcast key rotation command to configure additional updates of the WPA group key.

This example shows how to configure a pre-shared key for clients using WPA and static WEP, with group
key update options:

ap# configure terminal
ap(config)# ssid batman
ap(config-ssid)# wpa-psk ascii batmobile65
ap(config-ssid)# interface dot11radio 0
ap(config-if)# ssid batman
ap(config-if)# exit
ap(config)# broadcast-key vlan 87 membership-termination capability-change

Configuring MAC Authentication Caching

If MAC-authenticated clients on your wireless LAN roam frequently, you can enable a MAC
authentication cache on your access points. MAC authentication caching reduces overhead because the
access point authenticates devices in its MAC address cache without sending the request to your
authentication server. When a client device completes MAC authentication to your authentication server,
the access point adds the client's MAC address to the cache.

To enable MAC authentication caching, follow these steps, beginning in privileged EXEC mode:

Step 1  configure terminal
        Enters global configuration mode.

Step 2  dot11 aaa mac-authen filter-cache [timeout seconds]
        Enables MAC authentication caching on the access point.
        Use the timeout option to configure a timeout value for MAC addresses in the cache. Enter a
        value from 30 to 65555 seconds. The default value is 1800 (30 minutes). When you enter a
        timeout value, MAC-authentication caching is enabled automatically.

Step 3  exit
        Returns to privileged EXEC mode.

Step 4  show dot11 aaa mac-authen filter-cache [address]
        Shows entries in the MAC-authentication cache. Include client MAC addresses to show entries
        for specific clients.

Step 5  clear dot11 aaa mac-authen filter-cache [address]
        Clears all entries in the cache. Include client MAC addresses to clear specific clients from
        the cache.

Step 6  end
        Returns to privileged EXEC mode.

Use the no form of the dot11 aaa mac-authen filter-cache command to disable MAC authentication
caching. This example shows how to enable MAC authentication caching with a one-hour timeout:

ap# configure terminal
ap(config)# dot11 aaa mac-authen filter-cache timeout 3600
ap(config)# end
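The cache behaviour described in the MAC authentication caching section above, as an added Python model; it is not from this manual or from the access point's implementation. It assumes one expiry timestamp per MAC address and a `server_accepts` callback standing in for the request to the authentication server; the `show` and `clear` methods mirror the `show` and `clear dot11 aaa mac-authen filter-cache [address]` commands, and the default timeout and accepted range are the values the manual prints. The client address, allow-list and clock in `revocation_lag_demo` are constructed for the demonstration.

```python
import time
from typing import Callable, Dict, Optional

DEFAULT_TIMEOUT = 1800        # default the manual gives (30 minutes)
TIMEOUT_RANGE = (30, 65555)   # accepted range as printed in the manual


def normalize_mac(mac: str) -> str:
    """Accept Cisco dotted (0011.2233.4455), colon or dash notation; return 12 lowercase hex digits."""
    digits = mac.lower().replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


class MacAuthCache:
    """Behavioural model of 'dot11 aaa mac-authen filter-cache [timeout seconds]'."""

    def __init__(self, timeout: int = DEFAULT_TIMEOUT,
                 clock: Callable[[], float] = time.monotonic):
        low, high = TIMEOUT_RANGE
        if not low <= timeout <= high:
            raise ValueError(f"timeout must be {low}-{high} seconds")
        self.timeout = timeout
        self._clock = clock                   # injectable so the demo can move time forward
        self._expiry: Dict[str, float] = {}   # normalized MAC -> absolute expiry time
        self.server_requests = 0              # how often the server had to be consulted

    def authenticate(self, mac: str, server_accepts: Callable[[str], bool]) -> bool:
        """Return the admission decision; consult server_accepts only on a cache miss."""
        mac = normalize_mac(mac)
        now = self._clock()
        if mac in self._expiry and now < self._expiry[mac]:
            return True                       # cache hit: no request leaves the access point
        self._expiry.pop(mac, None)           # absent or expired
        self.server_requests += 1
        if server_accepts(mac):
            self._expiry[mac] = now + self.timeout
            return True
        return False                          # rejections are never cached

    def show(self, mac: Optional[str] = None) -> Dict[str, float]:
        """Like 'show dot11 aaa mac-authen filter-cache [address]': seconds left per live entry."""
        now = self._clock()
        live = {m: exp - now for m, exp in self._expiry.items() if exp > now}
        if mac is None:
            return live
        wanted = normalize_mac(mac)
        return {m: s for m, s in live.items() if m == wanted}

    def clear(self, mac: Optional[str] = None) -> None:
        """Like 'clear dot11 aaa mac-authen filter-cache [address]'."""
        if mac is None:
            self._expiry.clear()
        else:
            self._expiry.pop(normalize_mac(mac), None)


def revocation_lag_demo(timeout: int = 3600) -> dict:
    """Constructed scenario: a client is admitted, later revoked on the server, and the cache
    keeps admitting it until the entry expires. Uses a manual clock instead of wall time."""
    clock = {"now": 0.0}
    cache = MacAuthCache(timeout=timeout, clock=lambda: clock["now"])
    allowed = {normalize_mac("0011.2233.4455")}          # the server's constructed allow-list
    server = lambda m: m in allowed
    client = "00:11:22:33:44:55"

    first = cache.authenticate(client, server)           # miss: server says yes, entry cached
    remaining = cache.show(client)[normalize_mac(client)]
    second = cache.authenticate(client, server)          # hit: server not consulted
    allowed.clear()                                      # operator revokes the client on the server
    after_revoke = cache.authenticate(client, server)    # still admitted from the cache
    clock["now"] = timeout + 1                           # let the entry age out
    after_expiry = cache.authenticate(client, server)    # miss: server now says no
    return {"first": first, "remaining": remaining, "second": second,
            "after_revoke": after_revoke, "after_expiry": after_expiry,
            "server_requests": cache.server_requests}


if __name__ == "__main__":
    print(revocation_lag_demo())
```

The scenario shows the trade-off behind the timeout value: removing a client from the authentication server has no effect on an access point that still holds a cache entry for it, so a revocation only takes effect after the entry expires or an operator runs `clear dot11 aaa mac-authen filter-cache` for that address. A longer timeout saves more server round trips at the cost of a longer revocation lag.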
    						
Configuring Authentication Holdoffs, Timeouts, and Intervals

To configure holdoff times, reauthentication periods, and authentication timeouts for client devices
authenticating through your access point, follow these steps, beginning in privileged EXEC mode:

Step 1  configure terminal
        Enters global configuration mode.

Step 2  dot11 holdoff-time seconds
        Enters the number of seconds that a client device must wait before it can reattempt to
        authenticate after a failed authentication. The holdoff time is invoked when a client fails
        three login attempts or fails to respond to three authentication requests from the access
        point. Enter a value from 1 to 65555 seconds.

Step 3  dot1x timeout supp-response seconds [local]
        Enters the number of seconds that the access point should wait for a client to reply to an
        EAP/dot1x message before the authentication fails. Enter a value from 1 to 120 seconds.
        The RADIUS server can be configured to send a different timeout value, which overrides the one
        that is configured. Enter the local keyword to configure the access point to ignore the RADIUS
        server value and use the configured value.
        The optional no keyword resets the timeout to its default state, 30 seconds.

Step 4  interface dot11radio radio-interface
        Enters interface configuration mode for the radio interface.

Step 5  dot1x reauth-period {seconds | server}
        Enters the interval, in seconds, that the access point waits before forcing an authenticated
        client to reauthenticate.
        Enter the server keyword to configure the access point to use the reauthentication period
        specified by the authentication server. If you use this option, configure your authentication
        server with RADIUS attribute 27, Session-Timeout. This attribute sets the maximum number of
        seconds of service to be provided to the client before termination of the session or prompt.
        The server sends this attribute to the access point when a client device performs EAP
        authentication.
        Note: If you configure both MAC address authentication and EAP authentication for an SSID, the
        server sends the Session-Timeout attribute for both MAC and EAP authentications for a client
        device. The access point uses the Session-Timeout attribute for the last authentication that
        the client performs. For example, if a client performs MAC address authentication and then
        performs EAP authentication, the access point uses the server's Session-Timeout value for the
        EAP authentication. To avoid confusion about which Session-Timeout attribute is used,
        configure the same Session-Timeout value on your authentication server for both MAC and EAP
        authentication.

Step 6  countermeasure tkip hold-time seconds
        Configures a TKIP MIC failure holdtime. If the access point detects two MIC failures within
        60 seconds, it blocks all the TKIP clients on that interface for the holdtime period.

Step 7  end
        Returns to privileged EXEC mode.

Use the no form of these commands to reset the values to default settings.

Configuring the 802.1X Supplicant

Traditionally, the dot1x authenticator and client have always been a network device and a PC client
respectively, as it was the PC user that had to authenticate to gain access to the network. However,
wireless networks introduce unique challenges to the traditional authenticator/client relationship.
Access points can be placed in public places, inviting the possibility that they could be unplugged and
their network connection used by an outsider.

The supplicant is configured in two phases:

• Create and configure a credentials profile
• Apply the credentials to an interface or SSID

You can complete the phases in any order, but they must be completed before the supplicant becomes
operational.

Creating a Credentials Profile

To create an 802.1X credentials profile, follow these steps, beginning in privileged EXEC mode:
Step 1  configure terminal
        Enters global configuration mode.

Step 2  dot1x credentials profile
        Creates a dot1x credentials profile and enters the dot1x credentials configuration submode.

Step 3  anonymous-id description
        (Optional) Enters the anonymous identity to be used.

Step 4  description description
        (Optional) Enters a description for the credentials profile.

Step 5  username username
        Enters the authentication user id.

Step 6  password {0 | 7 | LINE}
        Enters an unencrypted password for the credentials.
        0: An unencrypted password will follow.
        7: A hidden password will follow. Hidden passwords are used when applying a previously saved
        configuration.
        LINE: An unencrypted (clear text) password.
        Note: Unencrypted and clear text are the same. You can enter a 0 followed by the clear text
        password, or omit the 0 and enter the clear text password.

Step 7  pki-trustpoint pki-trustpoint
        (Optional and only used for EAP-TLS) Enters the default pki-trustpoint.

Step 8  end
        Returns to the privileged EXEC mode.

Use the no form of the dot1x credentials command to negate a parameter.

The following example creates a credentials profile named test with the username Cisco and the
unencrypted password Cisco:

ap>enable
Password:xxxxxxx
ap# config terminal
Enter configuration commands, one per line. End with CTRL-Z.
ap(config)# dot1x credentials test
ap(config-dot1x-creden)# username Cisco
ap(config-dot1x-creden)# password Cisco
ap(config-dot1x-creden)# exit
ap(config)#

Applying the Credentials to an Interface or SSID

Credential profiles are applied to an interface or an SSID in the same way.

Applying the Credentials Profile to the Wired Port

To apply the credentials to the access point's wired port, follow these steps, beginning in the privileged
EXEC mode:

Step 1  configure terminal
        Enters global configuration mode.

Step 2  interface fastethernet portnumber
        Enters the interface configuration mode for the Fast Ethernet port.

Step 3  dot1x credentials profile-name
        Enters the name of a previously created credentials profile.

Step 4  end
        Returns to the privileged EXEC mode.

The following example applies the credentials profile test to the access point's Fast Ethernet port:

ap>enable
Password:xxxxxxx
ap# config terminal
Enter configuration commands, one per line. End with CTRL-Z.
ap(config)# interface fa0
ap(config-if)# dot1x credentials test
ap(config-if)# end
ap#
Applying the Credentials Profile to an SSID Used For the Uplink

If you have a repeater access point in your wireless network and are using the 802.1X supplicant on the
root access point, you must apply the 802.1X supplicant credentials to the SSID that the repeater uses to
associate with and authenticate to the root access point.

To apply the credentials to an SSID used for the uplink, follow these steps, beginning in the privileged
EXEC mode:

Step 1  configure terminal
        Enters global configuration mode.

Step 2  dot11 ssid ssid
        Enters the 802.11 SSID. The SSID can consist of up to 32 alphanumeric characters. SSIDs are
        case sensitive.
        Note: The first character cannot contain the !, #, or ; character. The +, ], /, , TAB, and
        trailing spaces are invalid characters for SSIDs.

Step 3  dot1x credentials profile
        Enters the name of a preconfigured credentials profile.

Step 4  end
        Exits the dot1x credentials configuration submode.

The following example applies the credentials profile test to the SSID testap1 on a repeater access point:

repeater-ap>enable
Password:xxxxxxx
repeater-ap# config terminal
Enter configuration commands, one per line. End with CTRL-Z.
repeater-ap(config)# dot11 ssid testap1
repeater-ap(config-ssid)# dot1x credentials test
repeater-ap(config-ssid)# end
repeater-ap#

Creating and Applying EAP Method Profiles for the 802.1X Supplicant

This section describes the optional configuration of an EAP method list for the 802.1X supplicant.
Configuring EAP method profiles enables the supplicant to not acknowledge some EAP methods, even
though they are available on the supplicant. For example, if a RADIUS server supports EAP-FAST and
LEAP, under certain configurations, the server might initially employ LEAP instead of a more secure
method. If no preferred EAP method list is defined, the supplicant supports LEAP, but it may be
advantageous to force the supplicant to use a more secure method such as EAP-FAST.

Creating an EAP Method Profile

To define a new EAP profile, follow these steps, beginning in privileged EXEC mode:

Step 1  configure terminal
        Enters global configuration mode.

Step 2  eap profile profile-name
        Enters a name for the profile.

Step 3  description
        (Optional) Enters a description for the EAP profile.

Step 4  method fast
        Enters an allowed EAP method or methods.
        Note: Although they appear as sub-parameters, EAP-GTC, EAP-MD5, and EAP-MSCHAPV2 are intended
        as inner methods for tunneled EAP authentication and should not be used as the primary
        authentication method.

Step 5  end
        Returns to the privileged EXEC mode.

Use the no form of a command to negate it or to restore its defaults.

Use the show eap registrations method command to view the currently available (registered) EAP
methods.

Use the show eap sessions command to view existing EAP sessions.

Applying an EAP Profile to the Fast Ethernet Interface

This operation normally applies to root access points. To apply an EAP profile to the Fast Ethernet
interface, follow these steps, beginning in privileged EXEC mode:

Step 1  configure terminal
        Enters the global configuration mode.

Step 2  interface fastethernet portnumber
        Enters the interface configuration mode for the Fast Ethernet port.

Step 3  dot1x eap profile profile
        Enters the name of the preconfigured EAP profile.

Step 4  end
        Exits the interface configuration mode.

Applying an EAP Profile to an Uplink SSID

This operation typically applies to repeater access points. To apply an EAP profile to the uplink SSID,
follow these steps, beginning in the privileged EXEC mode:

Note: The repeater mode is not supported on Cisco 860 and Cisco 880 series embedded-wireless devices.

Step 1  configure terminal
        Enters the global configuration mode.

Step 2  interface dot11radio radio-interface
        Enters interface configuration mode for the radio interface.

Step 3  ssid ssid
        Assigns the uplink SSID to the radio interface.

Step 4  exit
        Returns to global configuration mode.

Step 5  eap profile profile
        Enters the name of the preconfigured EAP profile.

Step 6  end
        Returns to privileged EXEC mode.
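The method negotiation described under "Creating and Applying EAP Method Profiles for the 802.1X Supplicant" above, as an added Python model; it is not from this manual or from the IOS supplicant. It assumes the minimal EAP framing of RFC 3748, in which a supplicant declines a proposed method with a Nak (type 3) that lists the methods it is willing to use, and the IANA type numbers for the methods named (LEAP 17, EAP-FAST 43, EAP-TLS 13, PEAP 25, EAP-MD5 4). The `negotiate` authenticator, the identity `repeater` and the server's method order are constructed for the demonstration; a supplicant with `allowed_methods` unset stands for an access point with no EAP profile applied, and `{EAP_TYPE_FAST}` stands for a profile containing `method fast`.

```python
import struct

# EAP header (RFC 3748): Code, Identifier, Length, Type
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY, EAP_TYPE_NAK = 1, 3
# Method type numbers from the IANA EAP registry
EAP_TYPE_MD5, EAP_TYPE_TLS, EAP_TYPE_LEAP, EAP_TYPE_PEAP, EAP_TYPE_FAST = 4, 13, 17, 25, 43
METHOD_NAMES = {EAP_TYPE_MD5: "EAP-MD5", EAP_TYPE_TLS: "EAP-TLS", EAP_TYPE_LEAP: "LEAP",
                EAP_TYPE_PEAP: "PEAP", EAP_TYPE_FAST: "EAP-FAST"}


def encode_eap(code: int, identifier: int, eap_type: int, data: bytes = b"") -> bytes:
    """Build one EAP packet; Length covers the 5-byte header plus data."""
    return struct.pack("!BBHB", code, identifier, 5 + len(data), eap_type) + data


def decode_eap(packet: bytes):
    """Return (code, identifier, type, data), rejecting a Length field that disagrees with the packet."""
    if len(packet) < 5:
        raise ValueError("EAP packet too short")
    code, identifier, length, eap_type = struct.unpack("!BBHB", packet[:5])
    if length != len(packet):
        raise ValueError("EAP Length field does not match packet size")
    return code, identifier, eap_type, packet[5:]


class Supplicant:
    """Model of the access point's 802.1X supplicant with an optional EAP method profile."""

    SUPPORTED = frozenset({EAP_TYPE_LEAP, EAP_TYPE_FAST, EAP_TYPE_TLS, EAP_TYPE_PEAP})

    def __init__(self, identity: str, allowed_methods=None):
        self.identity = identity.encode()
        # None models "no EAP profile applied": every supported method is acceptable
        self.allowed = None if allowed_methods is None else frozenset(allowed_methods)

    def acceptable(self) -> frozenset:
        return self.SUPPORTED if self.allowed is None else self.SUPPORTED & self.allowed

    def handle(self, request: bytes) -> bytes:
        code, ident, eap_type, _ = decode_eap(request)
        if code != EAP_REQUEST:
            raise ValueError("supplicant only handles EAP-Request")
        if eap_type == EAP_TYPE_IDENTITY:
            return encode_eap(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, self.identity)
        if eap_type in self.acceptable():
            # The method conversation would start here; not modelled.
            return encode_eap(EAP_RESPONSE, ident, eap_type, b"")
        # Nak: decline the proposed method and list the ones this supplicant will use.
        return encode_eap(EAP_RESPONSE, ident, EAP_TYPE_NAK, bytes(sorted(self.acceptable())))


def negotiate(supplicant: Supplicant, server_preference):
    """Constructed authenticator: propose methods in the server's order until one is not Nak'd.
    Returns the agreed method type, or None when the server has nothing the supplicant allows."""
    for ident, method in enumerate(server_preference, start=1):
        response = supplicant.handle(encode_eap(EAP_REQUEST, ident, method))
        _, _, response_type, _ = decode_eap(response)
        if response_type != EAP_TYPE_NAK:
            return method
    return None


if __name__ == "__main__":
    server_order = [EAP_TYPE_LEAP, EAP_TYPE_FAST]   # a server that tries LEAP first
    for label, supp in (("no profile", Supplicant("repeater")),
                        ("method fast", Supplicant("repeater", {EAP_TYPE_FAST}))):
        chosen = negotiate(supp, server_order)
        print(f"{label}: {METHOD_NAMES.get(chosen, chosen)}")
```

Without a profile the supplicant answers the server's first proposal, so a server that tries LEAP first gets LEAP. With a profile restricted to EAP-FAST the LEAP request is answered with a Nak naming type 43, the server moves on to EAP-FAST, and if it cannot offer that method the authentication fails rather than falling back, which is the trade-off to weigh before restricting the method list on an uplink.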
    						
Matching Access Point and Client Device Authentication Types

To use the authentication types described in this section, the access point authentication settings must
match the authentication settings on the client adapters that associate to the access point. See the Cisco
Aironet Wireless LAN Client Adapters Installation and Configuration Guide for Windows for instructions
on setting authentication types on wireless client adapters. See Cipher Suites and WEP for instructions
on configuring cipher suites and WEP on the access point.

Table 1 lists the client and access point settings required for each authentication type.
Note: Some non-Cisco Aironet client adapters do not perform 802.1X authentication to the access point
unless you configure Open authentication with EAP. To allow both Cisco Aironet clients using LEAP and
non-Cisco Aironet clients using LEAP to associate using the same SSID, you might need to configure
the SSID for both Network EAP authentication and Open authentication with EAP.

Likewise, to allow both Cisco Aironet 802.11a/b/g client adapters (CB21AG and PI21AG) running
EAP-FAST and non-Cisco Aironet clients using EAP-FAST or LEAP to associate using the same SSID,
you might need to configure the SSID for both Network EAP authentication and Open authentication
with EAP.

Note: If you are running an 802.11n access point, for best results be sure to get the latest driver from the
802.11n Wi-Fi card vendor for the card that you are using.
Table 1  Client and Access Point Security Settings

Security feature: Static WEP with open authentication
  Client setting: Create a WEP key, and enable Use Static WEP Keys and Open Authentication.
  Access point setting: Set up and enable WEP, and enable Open Authentication for the SSID.

Security feature: Static WEP with shared key authentication
  Client setting: Create a WEP key, and enable Use Static WEP Keys and Shared Key Authentication.
  Access point setting: Set up and enable WEP, and enable Shared Key Authentication for the SSID.

Security feature: LEAP authentication
  Client setting: Enable LEAP.
  Access point setting: Set up and enable WEP, and enable Network-EAP for the SSID (1).

Security feature: EAP-FAST authentication
  Client setting: Enable EAP-FAST, and enable automatic provisioning or import a PAC file.
  Access point setting: Set up and enable WEP, and enable Network-EAP for the SSID (1).
  If radio clients are configured to authenticate using EAP-FAST, open authentication with EAP should
  also be configured. If you do not configure open authentication with EAP, the following warning
  message appears:
  SSID CONFIG WARNING: [SSID]: If radio clients are using EAP-FAST, AUTH OPEN with EAP should also be configured.

Security feature: EAP-FAST authentication with WPA
  Client setting: Enable EAP-FAST and Wi-Fi Protected Access (WPA), and enable automatic provisioning
  or import a PAC file. To allow the client to associate to both WPA and non-WPA access points, enable
  Allow Association to both WPA and non-WPA authenticators.
  Access point setting: Select a cipher suite that includes TKIP, set up and enable WEP, and enable
  Network-EAP and WPA for the SSID.
  Note: To allow both WPA and non-WPA clients to use the SSID, enable optional WPA.

Security feature: 802.1X authentication and CCKM
  Client setting: Enable LEAP.
  Access point setting: Select a cipher suite, and enable Network-EAP and CCKM for the SSID.
  Note: To allow both 802.1X clients and non-802.1X clients to use the SSID, enable optional CCKM.

Security feature: 802.1X authentication and WPA
  Client setting: Enable any 802.1X authentication method.
  Access point setting: Select a cipher suite, and enable Open authentication and WPA for the SSID (you
  can also enable Network-EAP authentication in addition to or instead of Open authentication).
  Note: To allow both WPA clients and non-WPA clients to use the SSID, enable optional WPA.

Security feature: 802.1X authentication and WPA-PSK
  Client setting: Enable any 802.1X authentication method.
  Access point setting: Select a cipher suite, and enable Open authentication and WPA for the SSID (you
  can also enable Network-EAP authentication in addition to or instead of Open authentication). Enter a
  WPA pre-shared key.
  Note: To allow both WPA clients and non-WPA clients to use the SSID, enable optional WPA.

Security feature: EAP-TLS authentication
  If using ACU to configure card
    Client setting: Enable Host Based EAP and Use Dynamic WEP Keys in ACU, and select Enable network
    access control using IEEE 802.1X and Smart Card or Other Certificate as the EAP Type in Windows 2000
    (with Service Pack 3) or Windows XP.
    Access point setting: Set up and enable WEP, and enable EAP and Open authentication for the SSID.
  If using Windows XP to configure card
    Client setting: Select Enable network access control using IEEE 802.1X and Smart Card or other
    Certificate as the EAP Type.
    Access point setting: Set up and enable WEP, and enable EAP and Open Authentication for the SSID.

Security feature: EAP-MD5 authentication
  If using ACU to configure card
    Client setting: Create a WEP key, enable Host Based EAP, and enable Use Static WEP Keys in ACU, and
    select Enable network access control using IEEE 802.1X and MD5-Challenge as the EAP Type in
    Windows 2000 (with Service Pack 3) or Windows XP.
    Access point setting: Set up and enable WEP, and enable EAP and Open authentication for the SSID.
  If using Windows XP to configure card
    Client setting: Select Enable network access control using IEEE 802.1X and MD5-Challenge as the
    EAP Type.
    Access point setting: Set up and enable WEP, and enable EAP and Open Authentication for the SSID.

Security feature: PEAP authentication
  If using ACU to configure card
    Client setting: Enable Host Based EAP and Use Dynamic WEP Keys in ACU, and select Enable network
    access control using IEEE 802.1X and PEAP as the EAP Type in Windows 2000 (with Service Pack 3) or
    Windows XP.
    Access point setting: Set up and enable WEP, and enable EAP and Open authentication for the SSID.
  If using Windows XP to configure card
    Client setting: Select Enable network access control using IEEE 802.1X and PEAP as the EAP Type.
    Access point setting: Set up and enable WEP, and enable Require EAP and Open Authentication for
    the SSID.

Security feature: EAP-SIM authentication
  If using ACU to configure card
    Client setting: Enable Host Based EAP and Use Dynamic WEP Keys in ACU, and select Enable network
    access control using IEEE 802.1X and SIM Authentication as the EAP Type in Windows 2000 (with
    Service Pack 3) or Windows XP.
    Access point setting: Set up and enable WEP with full encryption, and enable EAP and Open
    authentication for the SSID.
  If using Windows XP to configure card
    Client setting: Select Enable network access control using IEEE 802.1X and SIM Authentication as
    the EAP Type.
    Access point setting: Set up and enable WEP with full encryption, and enable Require EAP and Open
    Authentication for the SSID.

1. Some non-Cisco Aironet client adapters do not perform 802.1X authentication to the access point
unless you configure Open authentication with EAP. To allow both Cisco Aironet clients using LEAP and
non-Cisco Aironet clients using LEAP to associate using the same SSID, you might need to configure the
SSID for both Network EAP authentication and Open authentication with EAP. Likewise, to allow both
Cisco Aironet 802.11a/b/g client adapters (CB21AG and PI21AG) running EAP-FAST and non-Cisco Aironet
clients using EAP-FAST or LEAP to associate using the same SSID, you might need to configure the SSID
for both Network EAP authentication and Open authentication with EAP.
    						