Configuring the Module
EAP-TLS and EAP-TTLS Authentication Methods
To set up a username and password for the Pairwise Key Management (PKM) of a CGR 1000, the WiMAX module must be installed and running. CGR 1000s that ship with a pre-installed WiMAX module will have a pre-installed WiMAX configuration.
You can configure your WiMAX interface for one of the following authentication methods:
•No Authentication (Open)
•EAP-TLS Authentication
EAP-TLS requires certificate-based mutual authentication, and the WiMAX interface uses trustpoints to provide it. The WiMAX module needs both of the following for authentication:
–A server-root-ca certificate authority (CA) trustpoint containing the CA certificate that signs the certificate used on the AAA/RADIUS server.
–A device trustpoint for the WiMAX module. The modem on the WiMAX module has an embedded Airspan-signed device certificate that the supplicant can automatically use as the device trustpoint for authentication. To use a different certificate, import it and specify a device trustpoint that uses the imported device certificate.
–To configure EAP-TLS to use a user-defined WiMAX device certificate:
Router(config-if)# shutdown
Router(config-if)# pkm version pkm-v2
Router(config-if)# pkm trustpoint device actual_device_trustpoint_label
Router(config-if)# pkm trustpoint server-root-ca actual_ca_trustpoint_label
Router(config-if)# pkm auth-method eap-tls
Router(config-if)# no shutdown
–To configure EAP-TLS to use the embedded Airspan certificate as the WiMAX device certificate:
Router(config-if)# shutdown
Router(config-if)# pkm version pkm-v2
Router(config-if)# pkm trustpoint server-root-ca actual_ca_trustpoint_label
Router(config-if)# pkm auth-method eap-tls
Router(config-if)# no shutdown
If the pkm trustpoint device command is not issued, the system uses the embedded certificate as the device trustpoint.
•EAP-TTLS Authentication
EAP-TTLS authentication is a one-sided authentication using an Airspan certificate. Certificate-based authentication is required only for the AAA/RADIUS server, so the WiMAX interface needs only a server-root-ca trustpoint configuration to authenticate the AAA/RADIUS server certificate. The client (the WiMAX interface) is authenticated with MSCHAPv2, using the configured PKM username and password, through an encrypted tunnel.
Router(config-if)# shutdown
Router(config-if)# pkm version pkm-v2
Router(config-if)# pkm trustpoint server-root-ca actual_ca_trustpoint_label
Router(config-if)# pkm username actual_user_name password actual_password
Router(config-if)# pkm auth-method eap-ttls
Router(config-if)# no shutdown
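A configuration review can check a saved interface configuration against the requirements stated above. The following Python sketch is an added example, not part of the Cisco guide or any Cisco tool; the function names and the sample configuration are constructed here, and it parses only the pkm commands shown on this page.

```python
import re

# Constructed sample: interface config lines in the form shown on this page.
SAMPLE_TTLS_MISSING_USER = """\
pkm version pkm-v2
pkm trustpoint server-root-ca actual_ca_trustpoint_label
pkm auth-method eap-ttls
"""

def parse_pkm(config_text):
    """Collect the pkm settings from interface-level config lines."""
    s = {"version": None, "method": None, "device_tp": None,
         "server_tp": None, "username": None, "has_password": False}
    for raw in config_text.splitlines():
        # Drop an optional "Router(config-if)#" prompt copied from a session.
        tok = re.sub(r"^\s*\S*\(config-if\)#\s*", "", raw).split()
        if tok[:2] == ["pkm", "version"] and len(tok) == 3:
            s["version"] = tok[2]
        elif tok[:2] == ["pkm", "auth-method"] and len(tok) == 3:
            s["method"] = tok[2]
        elif tok[:3] == ["pkm", "trustpoint", "device"] and len(tok) == 4:
            s["device_tp"] = tok[3]
        elif tok[:3] == ["pkm", "trustpoint", "server-root-ca"] and len(tok) == 4:
            s["server_tp"] = tok[3]
        elif tok[:2] == ["pkm", "username"] and len(tok) >= 5 and tok[3] == "password":
            # The password value itself is deliberately not stored.
            s["username"], s["has_password"] = tok[2], True
    return s

def audit_pkm(config_text):
    """Return findings based on the requirements stated in this guide."""
    s, findings = parse_pkm(config_text), []
    if s["method"] not in ("eap-tls", "eap-ttls"):
        return ["auth-method is not eap-tls or eap-ttls"]
    if s["version"] != "pkm-v2":
        findings.append("pkm version is not pkm-v2 as in the guide's examples")
    if not s["server_tp"]:
        findings.append("server-root-ca trustpoint missing: "
                        "AAA/RADIUS server certificate cannot be validated")
    if s["method"] == "eap-tls" and not s["device_tp"]:
        findings.append("info: no device trustpoint, "
                        "embedded Airspan certificate will be used")
    if s["method"] == "eap-ttls" and not (s["username"] and s["has_password"]):
        findings.append("eap-ttls without pkm username/password: "
                        "no client credentials for MSCHAPv2")
    return findings
```

Calling audit_pkm(SAMPLE_TTLS_MISSING_USER) reports the missing PKM credentials; an empty list means the configuration satisfies every check above.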
Cisco Connected Grid Modules for CGR 1000 Series—WiMAX Installation and Configuration Guide