Chapter 6 Configuring WLANs

Configuring Wireless LANs

IKE Authentication

IPSec IKE (Internet Key Exchange) uses pre-shared key exchanges, X.509 (RSA Signatures) certificates, and XAuth-psk for authentication. Enter these commands to enable IPSec IKE on a wireless LAN that uses IPSec:

config wlan security ipsec ike authentication certificates wlan-id

Use the certificates option to specify RSA signatures.

config wlan security ipsec ike authentication xauth-psk wlan-id key

Use the xauth-psk option to specify XAuth pre-shared key.

For key, enter a pre-shared key from 8 to 255 case-sensitive ASCII characters.

config wlan security ipsec ike authentication pre-shared-key wlan-id key

Enter show wlan to verify that IPSec IKE is enabled.

IKE Diffie-Hellman Group

IPSec IKE uses Diffie-Hellman groups to block easily-decrypted keys. Enter these commands to configure the Diffie-Hellman group on a wireless LAN with IPSec enabled:

config wlan security ipsec ike DH-Group wlan-id group-id

For group-id, enter group-1, group-2 (this is the default setting), or group-5.

Enter show wlan to verify that IPSec IKE DH group is configured.

IKE Phase 1 Aggressive and Main Modes

IPSec IKE uses the Phase 1 Aggressive (faster) or Main (more secure) mode to set up encryption between clients and the controller. Enter these commands to specify the Phase 1 encryption mode for a wireless LAN with IPSec enabled:

config wlan security ipsec ike phase1 {aggressive | main} wlan-id

Enter show wlan to verify that the Phase 1 encryption mode is configured.

IKE Lifetime Timeout

IPSec IKE uses its timeout to limit the time that an IKE key is active. Enter these commands to configure an IKE lifetime timeout:

config wlan security ipsec ike lifetime wlan-id seconds

For seconds, enter a value from 1800 to 345600 seconds. The default timeout is 28800 seconds.

Enter show wlan to verify that the key timeout is configured.
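
The following Python sketch is an added example, not part of the Cisco guide: it lints a saved list of the IKE commands from this section against the ranges the guide states (key length, group-id values, lifetime) and flags the weaker choices. The preference for group-5 and for Main mode with pre-shared keys is a hardening assumption of this example, and the sample commands are constructed.

```python
PREFIX = ["config", "wlan", "security", "ipsec", "ike"]
GROUPS = {"group-1", "group-2", "group-5"}      # group-ids listed in the guide
PSK_METHODS = {"xauth-psk", "pre-shared-key"}

def audit(lines):
    """Return sorted (line_no, severity, message); assumes one command per line."""
    out, auth, aggressive = [], {}, {}
    for no, line in enumerate(lines, 1):
        tok = line.split()
        if tok[:5] != PREFIX or len(tok) < 8:
            continue                              # not a complete IKE command
        kind, a, b = tok[5], tok[6], tok[7]
        if kind == "authentication":              # <method> <wlan-id> [key]
            auth[b] = a
            key = tok[8] if len(tok) > 8 else ""
            if a in PSK_METHODS and not (8 <= len(key) <= 255 and key.isascii()):
                out.append((no, "error", "key must be 8-255 ASCII characters"))
        elif kind == "DH-Group":                  # <wlan-id> <group-id>
            if b not in GROUPS:
                out.append((no, "error", f"unknown group-id {b}"))
            elif b == "group-1":
                out.append((no, "warn", "group-1 is the smallest group offered; prefer group-5"))
        elif kind == "phase1" and a == "aggressive":   # <mode> <wlan-id>
            aggressive[b] = no
        elif kind == "phase1" and a != "main":
            out.append((no, "error", f"unknown phase1 mode {a}"))
        elif kind == "lifetime":                  # <wlan-id> <seconds>
            if not (b.isdigit() and 1800 <= int(b) <= 345600):
                out.append((no, "error", "lifetime must be 1800-345600 seconds"))
    # Cross-check (policy assumed here): the guide calls Main mode more secure.
    for wlan, no in aggressive.items():
        if auth.get(wlan) in PSK_METHODS:
            out.append((no, "warn", f"WLAN {wlan}: aggressive mode with a pre-shared key; use main"))
    return sorted(out)

# Constructed sample input (not from a real controller).
SAMPLE = [
    "config wlan security ipsec ike authentication pre-shared-key 1 short",
    "config wlan security ipsec ike DH-Group 1 group-1",
    "config wlan security ipsec ike phase1 aggressive 1",
    "config wlan security ipsec ike lifetime 1 600",
    "config wlan security ipsec ike authentication certificates 2",
    "config wlan security ipsec ike DH-Group 2 group-5",
    "config wlan security ipsec ike phase1 main 2",
]

if __name__ == "__main__":
    for no, sev, msg in audit(SAMPLE):
        print(f"line {no}: {sev}: {msg}")
```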

Cisco Wireless LAN Controller Configuration Guide

 

OL-8335-02
