Cisco Systems CGR1120K9 manual EAP-TLS and EAP-TTLS Authentication Methods

Models: CGR1120K9


Configuring the Module

EAP-TLS and EAP-TTLS Authentication Methods

To set up a username and password for the Pairwise Key Management (PKM) of a CGR 1000, the WiMAX module must be installed and running. CGR 1000s that ship with a pre-installed WiMAX module have a pre-installed WiMAX configuration.

You can configure your WiMAX interface for one of the following authentication methods:

No Authentication (Open)

EAP-TLS Authentication

The WiMAX interface uses trustpoints in the following manner. A certificate-based mutual authentication is mandatory. The WiMAX module needs both of the following for authentication:

A server-root-ca certificate authority (CA) trustpoint containing the CA certificate that signs the certificate used on the AAA/RADIUS server.

A device trustpoint for the WiMAX module. The modem on the WiMAX module has an embedded Airspan-signed device certificate that the supplicant can automatically use as the device trustpoint for authentication. If users do not want to use this certificate, they must import a device certificate and specify a device trustpoint that uses it.

To configure EAP-TLS to use a user-defined WiMAX device certificate:

Router(config-if)# shutdown

Router(config-if)# pkm version pkm-v2

Router(config-if)# pkm trustpoint device actual_device_trustpoint_label

Router(config-if)# pkm trustpoint server-root-ca actual_ca_trustpoint_label

Router(config-if)# pkm auth-method eap-tls

Router(config-if)# no shutdown

To configure EAP-TLS to use the embedded Airspan certificate as the WiMAX device certificate:

Router(config-if)# shutdown

Router(config-if)# pkm version pkm-v2

Router(config-if)# pkm trustpoint server-root-ca actual_ca_trustpoint_label

Router(config-if)# pkm auth-method eap-tls

Router(config-if)# no shutdown

If the pkm trustpoint device command is not issued, the system uses the embedded certificate.

EAP-TTLS Authentication

EAP-TTLS authentication is a one-sided authentication using an Airspan certificate. Certificate-based authentication is required only for the AAA/RADIUS server. Only a server-root-ca trustpoint configuration is required for the WiMAX interface to authenticate the AAA/RADIUS server certificate. The client (WiMAX interface) is authenticated through MSCHAPv2 (configured with the PKM user and password) inside an encrypted tunnel.

Router(config-if)# shutdown

Router(config-if)# pkm version pkm-v2

Router(config-if)# pkm trustpoint server-root-ca actual_ca_trustpoint_label

Router(config-if)# pkm username actual_user_name password actual_password

Router(config-if)# pkm auth-method eap-ttls
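
A configuration audit for the two procedures above, as an added example that is not part of the Cisco guide: it checks the pkm lines of one interface stanza against the requirements stated here. The sample stanzas, trustpoint label and user name are constructed, and it assumes the saved configuration shows the commands in the form they are entered.

```python
# Constructed sample stanzas; only the pkm commands shown on this page are used.
EAP_TLS_EMBEDDED = """\
 pkm version pkm-v2
 pkm trustpoint server-root-ca LAB_CA_TP
 pkm auth-method eap-tls
"""
EAP_TTLS_NO_CA = """\
 pkm version pkm-v2
 pkm username meter01 password example-only
 pkm auth-method eap-ttls
"""

def parse_pkm(stanza):
    """Collect the pkm settings from the lines of one interface stanza."""
    cfg = {"trustpoints": {}}
    for line in stanza.splitlines():
        words = line.split()
        if words[:1] != ["pkm"]:
            continue
        if words[1:2] == ["version"] and len(words) == 3:
            cfg["version"] = words[2]
        elif words[1:2] == ["auth-method"] and len(words) == 3:
            cfg["auth_method"] = words[2]
        elif words[1:2] == ["trustpoint"] and len(words) == 4:
            cfg["trustpoints"][words[2]] = words[3]   # role -> trustpoint label
        elif words[1:2] == ["username"] and len(words) == 5 and words[3] == "password":
            cfg["username"] = words[2]                # the password is never stored
    return cfg

def audit_pkm(stanza):
    """Return findings for the requirements stated in the guide text."""
    cfg, findings = parse_pkm(stanza), []
    method, tps = cfg.get("auth_method"), cfg["trustpoints"]
    if method is None:
        findings.append("no pkm auth-method line in this stanza")
    if cfg.get("version") != "pkm-v2":
        findings.append("pkm version pkm-v2 is not set")
    if method in ("eap-tls", "eap-ttls") and "server-root-ca" not in tps:
        findings.append("missing server-root-ca trustpoint: the AAA/RADIUS "
                        "server certificate cannot be validated")
    if method == "eap-tls" and "device" not in tps:
        findings.append("info: no device trustpoint, the embedded Airspan "
                        "certificate is used")
    if method == "eap-ttls" and "username" not in cfg:
        findings.append("missing pkm username/password for MSCHAPv2")
    return findings
```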

Cisco Connected Grid Modules for CGR 1000 Series—WiMAX Installation and Configuration Guide

 

OL-26236-03
