IKE Authentication, IKE Diffie-Hellman Group | Cisco Systems 3.2

Chapter 6 Configuring WLANs

Configuring Wireless LANs

IKE Authentication

IPSec IKE (Internet Key Exchange) uses pre-shared key exchanges, x.509 (RSA Signatures) certificates, and XAuth-psk for authentication. Enter these commands to enable IPSec IKE on a wireless LAN that uses IPSec:

•config wlan security ipsec ike authentication certificates wlan-id

–Use the certificates option to specify RSA signatures.

•config wlan security ipsec ike authentication xauth-psk wlan-id key

–Use the xauth-pskoption to specify XAuth pre-shared key.

–For key, enter a pre-shared key from 8 to 255 case-sensitive ASCII characters.

•config wlan security ipsec ike authentication pre-shared-key wlan-id key

•Enter show wlan to verify that IPSec IKE is enabled.

IKE Diffie-Hellman Group

IPSec IKE uses Diffie-Hellman groups to block easily-decrypted keys. Enter these commands to configure the Diffie-Hellman group on a wireless LAN with IPSec enabled:

•config wlan security ipsec ike DH-Group wlan-idgroup-id

–For group-id, enter group-1, group-2(this is the default setting), or group-5.

•Enter show wlan to verify that IPSec IKE DH group is configured.

IKE Phase 1 Aggressive and Main Modes

IPSec IKE uses the Phase 1 Aggressive (faster) or Main (more secure) mode to set up encryption between clients and the controller. Enter these commands to specify the Phase 1 encryption mode for a wireless LAN with IPSec enabled:

•config wlan security ipsec ike phase1 {aggressive main} wlan-id

•Enter show wlan to verify that the Phase 1 encryption mode is configured.

IKE Lifetime Timeout

IPSec IKE uses its timeout to limit the time that an IKE key is active. Enter these commands to configure an IKE lifetime timeout:

•config wlan security ipsec ike lifetime wlan-id seconds

–For seconds, enter a number of seconds from 1800 to 345600 seconds. The default timeout is 28800 seconds.

•Enter show wlan to verify that the key timeout is configured.

Cisco Wireless LAN Controller Configuration Guide

	OL-8335-02	6-7

Image 133

Cisco Systems 3.2 manual IKE Authentication, IKE Diffie-Hellman Group, IKE Phase 1 Aggressive and Main Modes

Contents

Corporate Headquarters Cisco Wireless LAN Controller Configuration Guide Cisco Wireless LAN Controller Configuration Guide Iii N T E N T S Client Location Enabling Web and Secure Web Modes Configuring Ports Vii Configuring the System for SpectraLink NetLink Telephones Viii QoS-Level5-17 ACL-Name5-17 Interface-Name5-18 VLAN-Tag5-18 Using Dhcp Option 43 Radio Resource Monitoring Prerequisites Xii Series Wireless LAN Controllers B-8 Xiii Preface Purpose AudienceOrganization Xiv Conventions Xvi Obtaining Documentation Related PublicationsCisco.com Xvii Product Documentation DVD Documentation FeedbackOrdering Documentation Xviii Cisco Product Security Overview Reporting Security Problems in Cisco ProductsXix Obtaining Technical Assistance Submitting a Service RequestCisco Technical Support & Documentation Website Obtaining Additional Publications and Information Definitions of Service Request SeverityXxi Xxii Overview Cisco Wireless LAN Solution Overview Single-Controller Deployments Cisco Wlan Solution Components Single-Controller Deployment Multiple-Controller Deployments Operating System Security Operating System Software Cisco Wlan Solution Wired Security Configuration Requirements Cisco Wireless LAN ControllersLayer 2 and Layer 3 Lwapp Operation Operational Requirements Primary, Secondary, and Tertiary Controllers Client RoamingSame-Subnet Layer 2 Roaming Inter-Controller Layer 2 Roaming Client Location Inter-Subnet Layer 3 RoamingSpecial Case Voice Over IP Telephone Roaming External Dhcp Servers Per-Wireless LAN AssignmentPer-Interface Assignment Security Considerations Cisco Wlan Solution Wireless LANs Cisco Wlan Solution Wired Connections Identity Networking Access Control Lists Enhanced Integration with Cisco Secure ACS File Transfers Pico Cell Functionality Power over Ethernet Wireless LAN Controller Platforms Intrusion Detection Service IDS Cisco 4100 Series Wireless LAN Controllers Cisco 2000 Series Wireless LAN Controllers Cisco 2000 Series Wireless LAN Controller Model Numbers Cisco 4400 Series Wireless LAN Controllers Cisco 4400 Series Wireless LAN Controller Model Numbers Cisco 4100 Series Wireless LAN Controller Model Numbers Startup Wizard Cisco Wireless LAN Controller Failover Protection Cisco Wireless LAN Controller Memory Network Connections to Cisco Wireless LAN Controllers Cisco Wireless LAN Controller Automatic Time SettingCisco Wireless LAN Controller Time Zones Cisco 4100 Series Wireless LAN Controllers Cisco 2000 Series Wireless LAN Controllers 6shows connections to the 4100 series controller Cisco 4400 Series Wireless LAN Controllers Rogue Access Points Web User Interface and the CLI Rogue Access Point Location, Tagging, and ContainmentWeb User Interface Command Line Interface Using the Web-Browser and CLI Interfaces Guidelines for Using the GUI Using the Web-Browser InterfaceConfiguring the GUI for Https Enabling Web and Secure Web Modes Show certificate summary Loading an Externally Generated Https Certificate Web Administration Certificate file webadmincertname.pem Using Online Help Using the CLIDisabling the GUI Logging into the CLI Using a Remote Ethernet Connection Using a Local Serial Connection Logging Out of the CLI Command ActionNavigating the CLI Enter config network mgmt-via-wireless enable Configuring Ports and Interfaces Ports Overview of Ports and Interfaces Distribution System Ports Service Port Management Interface Interfaces Virtual Interface AP-Manager Interface Dynamic Interface Service-Port Interface Ports, Interfaces, and WLANs WLANs Configuring Ports and Interfaces Interfaces Management Interface AP-Manager Interface Service-Port InterfaceVirtual Interface Using the CLI to Configure the AP-Manager Interface Using the CLI to Configure the Management InterfaceConfig interface acl management access-control-list-name Config interface acl ap-manager access-control-list-name Using the CLI to Configure the Virtual Interface Using the GUI to Configure Dynamic Interfaces Configuring Dynamic InterfacesUsing the CLI to Configure the Service-Port Interface Interfaces New Using the CLI to Configure Dynamic Interfaces Ports Configuring Ports Controller Available Data Rates Parameter Description Default Auto Default EnableController Supported Data Rates Configuring Port Mirroring Configuring Spanning Tree Protocol STP State Description Using the GUI to Configure Spanning Tree Protocol STP Mode Description Default OffDefault 10 Controller Spanning Tree Configuration Range Default Default DisableRange Default 2 seconds Using the CLI to Configure Spanning Tree Protocol 11illustrates LAG Enabling Link Aggregation Link Aggregation Guidelines 12 Link Aggregation with Catalyst 6500 Neighbor Switch 13 General Using the GUI to Enable Link Aggregation Configuring Neighbor Devices to Support LAG Using the CLI to Enable Link Aggregation Using Multiple AP-Manager Interfaces Using Link Aggregation 14 Two AP-Manager Interfaces Examples 15 Three AP-Manager Interfaces 16 Four AP-Manager Interfaces 17 Interfaces New Connecting Additional Ports Configuring Controller Settings Before You Start Using the Configuration Wizard Resetting to Default Settings Using the CLI Resetting the Device to Default SettingsResetting to Default Settings Using the GUI Browse to the Commands/Reset to Factory Defaults Running the Configuration Wizard on the CLI Configuring Time and Date Manually Configuring a Country CodeConfiguring NTP Managing the System Time and Date Country Code Bands Allowed Enabling and Disabling 802.11 Bands Configuring Radius Settings Configuring Administrator Usernames and PasswordsConfiguring Snmp Settings Config 802.11a 802.11bg dtpc enable disable Enabling Dynamic Transmit Power ControlEnabling 802.3x Flow Control Enabling System Logging Understanding Multicast Mode Configuring Multicast ModeGuidelines for Using Multicast Mode Enabling Multicast Mode Configuring the Supervisor 720 to Support the WiSMCommand Multicast Mode Command Purpose Configuring the SupervisorGeneral WiSM Guidelines Wism service-vlan vlan Switchport mode trunk Channel-group 1 mode onInterface GigabitEthernet9/1-4 Interface GigabitEthernet9/5-8 Service-module wlan-controller 1/0 reset Using the Wireless LAN Controller Network Module OL-8335-02 Configuring Security Solutions Layer 1 Solutions Cisco Wlan Solution SecurityLayer 2 Solutions Security Overview Rogue Access Point Solutions Layer 3 SolutionsRogue Access Point Challenges Tagging and Containing Rogue Access Points Integrated Security Solutions Configuring the System for SpectraLink NetLink Telephones Using the CLI to Enable Long Preambles Using the GUI to Enable Long Preambles Using the GUI to Enable Management over Wireless Using Management over Wireless Using the CLI to Enable Management over Wireless Configuring DhcpUsing the GUI to Configure Dhcp Using the CLI to Configure Dhcp Customizing the Web Authentication Login ScreenConfig wlan disable wlan-id Config wlan enable wlan-id Typical Web-Browser Security Alert Default Web Authentication Operation Typical Web Authentication Login Window Hiding and Restoring the Cisco Wlan Solution Logo Customizing Web Authentication OperationChanging the Web Authentication Login Window Title Changing the Web Message Config custom-web webmessage messageChanging the Logo Clear webmessage Downloading the Logo or Graphic Config custom-web redirecturl url Verifying Web Authentication ChangesCreating a Custom URL Redirect Example of a Customized Web Authentication Login Window Example Sample Customized Web Authentication Login Window Identity Networking Overview Configuring Identity Networking QoS-Level Radius Attributes Used in Identity NetworkingACL-Name VLAN-Tag Interface-Name Tunnel Attributes OL-8335-02 Configuring WLANs Configuring Wireless LANs Wireless LAN OverviewDisplaying, Creating, Disabling, and Deleting Wireless LANs Assigning a Wireless LAN to a Dhcp Server Activating Wireless LANsConfiguring MAC Filtering for Wireless LANs Enabling MAC Filtering Configuring Layer 2 Security Assigning Wireless LANs to VLANsConfiguring a Timeout for Disabled Clients Dynamic 802.1X Keys and Authorization Dynamic WPA Keys and Encryption WEP Keys Configuring a Wireless LAN for Both Static and Dynamic WEP Configuring Layer 3 SecurityIPSec Authentication IPSec IKE Phase 1 Aggressive and Main Modes IKE AuthenticationIKE Lifetime Timeout IKE Diffie-Hellman Group Web-Based Authentication Configuring Quality of ServiceIPSec Passthrough Local Netuser Config wlan wmm disabled allowed required wlan-id Configuring QoS Enhanced BSS QbssTraffic Type Ieee 802.11e UP Config wlan 7920-support client-cac-limit enable wlan-id Enabling 7920 Support Mode Controlling Lightweight Access Points Cisco 1000 Series Ieee 802.11a/b/g Lightweight Access Points Lightweight Access Point Overview Typical 1030 Lightweight Access Point Configuration Cisco 1030 Remote Edge Lightweight Access Points Cisco 1000 Series Lightweight Access Point Part Numbers External Antenna Connectors Cisco 1000 Series Lightweight Access Point LEDsAntenna Sectorization Cisco 1000 Series Lightweight Access Point Connectors Cisco 1000 Series Lightweight Access Point Mounting Options Using the DNS for Controller DiscoveryCisco 1000 Series Lightweight Access Point Monitor Mode Dynamic Frequency Selection Reverting from Lightweight Mode to Autonomous Mode Autonomous Access Points Converted to Lightweight Mode Using a Controller to Return to a Previous Release Access Point VCI String Using Dhcp Option Enabling Memory Core Dumps from Converted Access Points Converted Access Points Send Radio Core Dumps to ControllerDisplay of MAC Addresses for Converted Access Points Config ap get-radio-core-dump slot ap-name Config ap static-ip enable ap-name ip-address mask gateway Config ap reset-button enable disable ap-nameall OL-8335-02 Managing Controller Software Configurations Upgrading Controller Software Transferring Files to and from a Controller Transfer download path absolute-tftp-server-path-to-file Clearing the Controller Configuration Saving ConfigurationsErasing the Controller Configuration Resetting the Controller OL-8335-02 Configuring Radio Resource Management Radio Resource Monitoring Overview of Radio Resource Management Dynamic Channel Assignment Coverage Hole Detection and Correction Dynamic Transmit Power ControlClient and Network Load Balancing RRM Benefits Overview of RF GroupsRF Group Leader RF Group Name Configuring an RF Group General Using the GUI to Configure an RF Group Using the GUI to View RF Group Status Using the CLI to Configure RF GroupsViewing RF Group Status Global Parameters Global Parameters Auto RF Auto Using the CLI to View RF Group Status Using the GUI to Enable Rogue Access Point Detection Enabling Rogue Access Point Detection All APs Details AP Authentication Policy Using the CLI to Enable Rogue Access Point Detection Configuring Dynamic RRM Default Enabled Using the GUI to Configure Dynamic RRMRF Group You click Invoke Channel Update Now Default AutomaticRF Channel Assignment Channel Assignment Method Description Default Disabled Click Invoke Power Update Now Tx Power Level AssignmentAssignment Method Description Default -70 dBm Default 10%Default 80% Default 25% Monitor Intervals Default Noise/Interference/Rogue Monitoring Channels Config 802.11a disable Config 802.11b disable Using the CLI to Configure Dynamic RRM Overriding Dynamic RRM Radios Cisco APs Configure Config 802.11a txPower AP1 Config 802.11a disable Config 802.11b disable Viewing Additional RRM Settings Using the CLI 10-1 Configuring Mobility Groups 10-2 Overview of Mobility Inter-Controller Roaming 10-3 Inter-Subnet Roaming 10-4 10-5 Overview of Mobility Groups Two Mobility Groups 10-6 Determining When to Include Controllers in a Mobility Group Configuring Mobility GroupsPrerequisites 10-7 10-8 Using the GUI to Configure Mobility Groups Mobility Group Member New 10-9 Mobility Group Members Edit All 10-10 Using the CLI to Configure Mobility Groups Configuring Auto-Anchor Mobility10-11 Using the GUI to Configure Auto-Anchor Mobility Guidelines for Using Auto-Anchor Mobility10-12 WLANs 10-13 10-14 Using the CLI to Configure Auto-Anchor Mobility Safety Considerations Translated Safety Warnings Bewaar Deze Instructies Safety Considerations Avvertenza Importanti Istruzioni Sulla Sicurezza Warnung Wichtige Sicherheitshinweise Guarde Estas Instruções Aviso Instruções Importantes DE Segurança Class 1 Laser Product Warning Aviso Produto a laser de classe Ground Conductor Warning Cisco Wireless LAN Controller Configuration Guide Chassis Warning for Rack-Mounting and Servicing Cisco Wireless LAN Controller Configuration Guide Cisco Wireless LAN Controller Configuration Guide OL-8335-02 Cisco Wireless LAN Controller Configuration Guide Page OL-8335-02 Page OL-8335-02 Page Battery Handling Warning for 4400 Series Controllers Cisco Wireless LAN Controller Configuration Guide OL-8335-02 Equipment Installation Warning Cisco Wireless LAN Controller Configuration Guide OL-8335-02 OL-8335-02 Cisco Wireless LAN Controller Configuration Guide OL-8335-02 Cisco Wireless LAN Controller Configuration Guide Cisco Wireless LAN Controller Configuration Guide OL-8335-02 OL-8335-02 Declarations of Conformity and Regulatory Information Model Regulatory Information for 1000 Series Access PointsFCC Certification number Manufacturer Canadian Compliance Statement Department of Communications-CanadaCertification number EMC Declaration of Conformity for RF Exposure 03-5549-6500 All Access Points Access Points with Ieee 802.11a Radios Declaration of Conformity Statements Cisco Wireless LAN Controller Configuration Guide OL-8335-02 OL-8335-02 End User License and Warranty End User License Agreement Cisco Wireless LAN Controller Configuration Guide OL-8335-02 Limited Warranty Appendix C End User License and Warranty Limited Warranty Disclaimer of Warranty Additional Open Source Terms OL-8335-02 System Messages and Access Point LED Patterns System Messages Error Message Description Lradifcurrentchannelchanged Client Reason Codes Using Client Reason and Status Codes in Trap LogsClient Reason Code Description Meaning Client Status Code Description Meaning Client Status Codes LED Conditions Status Using Lightweight Access Point LEDs IN-1 Numerics IN-2 IN-3 DFS Dhcp IN-4 Help Hold Time parameter IN-5 IN-6 IN-7 IN-8