Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-11350-01
Chapter 11 Configuring Authentication Types
Step 5 authentication network-eap list-name [mac-address list-name]
(Optional) Set the authentication type for the SSID to
Network-EAP. Using the Extensible Authentication Protocol
(EAP) to interact with an EAP-compatible RADIUS server, the
access point helps a wireless client device and the RADIUS
server to perform mutual authentication and derive a dynamic
unicast WEP key. However, the access point does not force all
client devices to perform EAP authentication.
(Optional) Set the SSID’s authentication type to
Network-EAP with MAC address authentication. All client
devices that associate to the access point are required to
perform MAC-address authentication. For list-name,
specify the authentication method list.
Step 6 authentication key-management {[wpa] [cckm]} [optional]
(Optional) Set the authentication type for the SSID to WPA,
CCKM, or both. If you use the optional keyword, client
devices other than WPA and CCKM clients can use this SSID.
If you do not use the optional keyword, only WPA or CCKM
client devices are allowed to use the SSID.
To enable CCKM for an SSID, you must also enable
Network-EAP authentication. When CCKM and Network EAP
are enabled for an SSID, client devices using LEAP,
EAP-FAST, PEAP/GTC, MSPEAP, EAP-TLS, and EAP-FAST
can authenticate using the SSID.
To enable WPA for an SSID, you must also enable Open
authentication or Network-EAP or both.
Note When you enable both WPA and CCKM for an SSID,
you must enter wpa first and cckm second. Any WPA
client can attempt to authenticate, but only CCKM
voice clients can attempt to authenticate.
Note Before you can enable CCKM or WPA, you must set
the encryption mode for the SSID’s VLAN to one of the
cipher suite options. To enable both CCKM and WPA,
you must set the encryption mode to a cipher suite that
includes TKIP. See the “Configuring Cipher Suites and
WEP” section on page 10-3 for instructions on
configuring the VLAN encryption mode.
Note If you enable WPA for an SSID without a pre-shared
key, the key management type is WPA. If you enable
WPA with a pre-shared key, the key management type
is WPA-PSK. See the “Configuring Additional WPA
Settings” section on page 11-14 for instructions on
configuring a pre-shared key.
See Chapter 12, “Configuring WDS, Fast Secure Roaming,
Radio Management, and Wireless Intrusion Detection
Services,” for detailed instructions on setting up your wireless
LAN to use CCKM and a subnet context manager.
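
The dependencies stated in Steps 5 and 6 can be checked mechanically before a configuration is pushed to an access point. The Python script below is an added example, not part of the Cisco guide; it assumes each SSID block begins with a `dot11 ssid <name>` line followed by indented subcommands, and the sample configuration, SSID names, and the list name eap_methods are constructed.

```python
import re

# Constructed sample config; SSID names and the list name eap_methods are made up.
SAMPLE = """\
dot11 ssid voice
   authentication key-management cckm wpa optional
!
dot11 ssid corp
   authentication network-eap eap_methods
   authentication key-management wpa cckm
!
dot11 ssid guest
   authentication key-management wpa
"""

def audit_ssid_auth(config):
    """Return {ssid: [findings]} for the Step 5 and Step 6 rules in this section."""
    ssids, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        header = re.match(r"dot11 ssid (\S+)$", line)  # assumed SSID block header
        if header:
            current = ssids.setdefault(header.group(1), [])
        elif current is not None and raw[:1].isspace():
            if line.startswith("authentication "):
                current.append(line.split()[1:])       # e.g. ['key-management', 'wpa']
        else:
            current = None                             # top-level line ends the block
    report = {}
    for name, auth in ssids.items():
        types = {a[0] for a in auth}                   # open, network-eap, key-management
        km = next((a[1:] for a in auth if a[0] == "key-management"), [])
        found = []
        if "cckm" in km and "network-eap" not in types:
            found.append("ERROR: CCKM requires Network-EAP authentication")
        if "wpa" in km and not types & {"open", "network-eap"}:
            found.append("ERROR: WPA requires Open authentication, Network-EAP, or both")
        if "wpa" in km and "cckm" in km and km.index("cckm") < km.index("wpa"):
            found.append("ERROR: enter wpa first and cckm second")
        if "optional" in km:
            found.append("WARN: optional admits clients other than WPA and CCKM clients")
        report[name] = found
    return report

if __name__ == "__main__":
    for ssid, findings in audit_ssid_auth(SAMPLE).items():
        print(ssid, findings or "ok")
```

The script does not check the cipher suite requirement from the second Note, because the encryption mode is configured in a different section.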