Cisco Systems 12.3(8)JEE, 12.4(25d)JA, 15.2(2)JA, 15.2(2)JB, IOS Releases 15.2(4)JA Using WPA Key Management

11-7

Cisco IOS Software Configuration Guide for Cisco Aironet Access Points

OL-29225-01

Chapter11 Configuring Authentication Types

Understanding Authentication Types

Figure 11-5 shows the reassociation process using CCKM.

Figure11-5 Client Reassociation Using CCKM

Using WPA Key Management

Wi-Fi Protected Access (WPA) is a standards-based, interoperable security enhancement that strongly

increases the level of data protection and access control for existing and future wireless LAN systems.

It is derived from and will be forward-compatible with the upcoming IEEE 802.11i standard. WPA

leverages TKIP (Temporal Key Integrity Protocol) for data protection and 802.1X for authenticated key

management.

WPA key management supports two mutually exclusive management types: WPA and WPA-preshared

key (WPA-PSK). Using WPA key management, clients and the authentication server authenticate to each

other using an EAP authentication method, and the client and server generate a pairwise master key

(PMK). Using WPA, the server generates the PMK dynamically and passes it to the access point. Using

WPA-PSK, however, you configure a preshared key on both the client and the access point, and that

preshared key is used as the PMK.

Note Unicast and multicast cipher suites advertised in WPA information element (and negotiated during

802.11 association) may potentially mismatch with the cipher suite supported in an explicitly assigned

VLAN. If the RADIUS server assigns a new vlan ID which uses a different cipher suite from the

previously negotiated cipher suite, there is no way for the access point and client to switch back to the

new cipher suite. Currently, the WPA and CCKM protocols does not allow the cipher suite to be changed

after the initial 802.11 cipher negotiation phase. In this scenario, the client device is disassociated from

the wireless LAN.

See the “Assigning Authentication Types to an SSID” section on page11-10 for instructions on

configuring WPA key management on your access point.

88964

Reassociation request

Reassociation response

Pre-registration request

Pre-registration reply

Roaming client

device

Access point WDS Device - Router/

Switch/AP Authentication server

Wired LAN

Contents

Main Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Preface Audience Purpose Organization Conventions Related Publications Obtaining Documentation, Obtaining Support, and Security Guidelines Page Page Overview Features Features Introduced in This Release Support for IPv6 Support for Guest Access Support for 802.11w Management Options Roaming Client Devices Network Configuration Examples Root Access Point Repeater Access Point Bridges Workgroup Bridge Central Unit in an All-Wireless Network Access point Page Using the Web-Browser Interface Using the Web-Browser Interface for the First Time Using the Management Pages in the Web-Browser Interface Using Action Buttons Character Restrictions in Entry Fields Enabling HTTPS for Secure Browsing Page Page Page Page Page Page Page Deleting an HTTPS Certificate Using Online Help Changing the Location of Help Files Disabling the Web-Browser Interface Using the Command-Line Interface Cisco IOS Command Modes Getting Help Abbreviating Commands Using the no and Default Forms of Commands Understanding CLI Messages Using Command History Changing the Command History Buffer Size Recalling Commands Disabling the Command History Feature Using Editing Features Enabling and Disabling Editing Features Editing Commands Through Keystrokes Editing Command Lines that Wrap Searching and Filtering Output of show and more Commands Accessing the CLI Opening the CLI with Telnet Opening the CLI with Secure Shell Page Configuring the Access Point for the First Time Before You Start Resetting the Device to Default Settings Resetting to Default Settings Using the MODE Button Resetting to Default Settings Using the GUI Resetting to Default Settings Using the CLI Logging into the Access Point Obtaining and Assigning an IP Address Default IP Address Behavior Connecting to the 1100 Series Access Point Locally Connecting to the 1130 Series Access Point Locally Connecting to the 1040, 1140,1200, 1230, 1240, 1250, 1260, and 2600 Series Access Points Locally Connecting to the 1300 Series Access Point/Bridge Locally Default Radio Settings Assigning Basic Settings Page Page Page Page Page Default Settings on the Express Setup Page Page Configuring Basic Security Settings Understanding Express Security Settings Using VLANs Express Security Types Page Express Security Limitations Using the Express Security Page CLI Configuration Examples 4-22 4-23 Example: EAP Authentication Note The following warning message appears if your radio clients are using EAP-FAST and you do not 4-24 Example: WPA 4-25 Configuring System Power Settings Access Points Using the AC Power Adapter Using a Switch Capable of IEEE 802.3af Power Negotiation Using a Switch That Does Not Support IEEE 802.3af Power Negotiation Using a Power Injector Support for 802.11n Performance on 1250 Series Access Points with Standard 802.3af PoE 1250 Series Power Modes Assigning an IP Address Using the CLI Using a Telnet Session to Access the CLI Configuring the 802.1X Supplicant Creating a Credentials Profile Applying the Credentials to an Interface or SSID Applying the Credentials Profile to the Wired Port Applying the Credentials Profile to an SSID Used For the Uplink Creating and Applying EAP Method Profiles Configuring IPv6 Configuring DHCPv6 address IPv6 Neighbor Discovery Configuring IPv6 Access Lists RADIUS Configuration IPv6 WDS Support CDPv6 Support: RA filtering Page Administering the Access Point Disabling the Mode Button Preventing Unauthorized Access to Your Access Point Protecting Access to Privileged EXEC Commands Default Password and Privilege Level Configuration Setting or Changing a Static Enable Password Page Protecting Enable and Enable Secret Passwords with Encryption Configuring Username and Password Pairs Configuring Multiple Privilege Levels Setting the Privilege Level for a Command Logging Into and Exiting a Privilege Level Configuring Easy Setup Configuring Spectrum Expert Mode Controlling Access Point Access with RADIUS Default RADIUS Configuration Configuring RADIUS Login Authentication Page Defining AAA Server Groups Page Configuring RADIUS Authorization for User Privileged Access and Network Services Displaying the RADIUS Configuration Controlling Access Point Access with TACACS+ Default TACACS+ Configuration Configuring TACACS+ Login Authentication Page Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services Displaying the TACACS+ Configuration Configuring Ethernet Speed and Duplex Settings Configuring the Access Point for Wireless Network Management Configuring the Access Point for Local Authentication and Authorization Configuring the Authentication Cache and Profile 5-23 Configuring the Access Point to Provide DHCP Service Setting up the DHCP Server Page Monitoring and Maintaining the DHCP Server Access Point Show Commands Clear Commands Debug Command Configuring the Access Point for Secure Shell Understanding SSH Configuring SSH Support for Secure Copy Protocol Configuring Client ARP Caching Understanding Client ARP Caching Optional ARP Caching Configuring ARP Caching Managing the System Time and Date Understanding Simple Network Time Protocol Configuring SNTP Configuring Time and Date Manually Setting the System Clock Displaying the Time and Date Configuration Configuring the Time Zone Configuring Summer Time (Daylight Saving Time) Page Defining HTTP Access Configuring a System Name and Prompt Default System Name and Prompt Configuration Configuring a System Name Understanding DNS Default DNS Configuration Setting Up DNS Displaying the DNS Configuration Creating a Banner Default Banner Configuration Configuring a Message-of-the-Day Login Banner Page Configuring a Login Banner Upgrading Autonomous Cisco Aironet Access Points to Lightweight Mode Migrating to Japan W52 Domain Page Verifying the Migration Configuring Multiple VLAN and Rate Limiting for Point-to-Multipoint Bridging CLI Command Configuring Radio Settings Enabling the Radio Interface Configuring the Role in Radio Network Page Page Universal Workgroup Bridge Mode Point-to-point and Multi Point bridging support for 802.11n platforms Configuring Dual-Radio Fallback Radio Tracking Fast Ethernet Tracking MAC-Address Tracking Bridge Features Not Supported Configuring Radio Data Rates Access Points Send Multicast and Management Frames at Highest Basic Rate Page Configuring MCS Rates Configuring Radio Transmit Power Page Page Limiting the Power Level for Associated Client Devices Configuring Radio Channel Settings Channel Widths for 802..11n Dynamic Frequency Selection Radar Detection on a DFS Channel CLI Commands Confirming that DFS is Enabled Configuring a Channel Blocking Channels from DFS Selection Setting the 802.11n Guard Interval Configuring Location-Based Services Understanding Location-Based Services Configuring LBS on Access Points Enabling and Disabling World Mode Disabling and Enabling Short Radio Preambles Configuring Transmit and Receive Antennas Enabling and Disabling Gratuitous Probe Response Disabling and Enabling Aironet Extensions Configuring the Ethernet Encapsulation Transformation Method Enabling and Disabling Reliable Multicast to Workgroup Bridges Enabling and Disabling Public Secure Packet Forwarding Configuring Protected Ports Configuring the Beacon Period and the DTIM Configure RTS Threshold and Retries Configuring the Maximum Data Retries Configuring the Fragmentation Threshold Enabling Short Slot Time for 802.11g Radios Performing a Carrier Busy Test Configuring VoIP Packet Handling Viewing VoWLAN Metrics Viewing Voice Reports Page Viewing Wireless Client Reports Viewing Voice Fault Summary Configuring Voice QoS Settings Configuring Voice Fault Settings Configuring ClientLink Using the CLI to Configure ClientLink Debugging Radio Functions Page Page Configuring Multiple SSIDs Understanding Multiple SSIDs Effect of Software Versions on SSIDs Page Configuring Multiple SSIDs Default SSID Configuration Creating an SSID Globally Page Viewing SSIDs Configured Globally Using Spaces in SSIDs Using a RADIUS Server to Restrict SSIDs Configuring Multiple Basic SSIDs Requirements for Configuring Multiple BSSIDs Guidelines for Using Multiple BSSIDs Configuring Multiple BSSIDs Page Displaying Configured BSSIDs Assigning IP Redirection for an SSID Guidelines for Using IP Redirection Configuring IP Redirection Including an SSID in an SSIDL IE NAC Support for MBSSID Page Configuring NAC for MBSSID 7-17 Page Configuring Spanning Tree Protocol Understanding Spanning Tree Protocol STP Overview 1300 and 350 Series Bridge Interoperability Access Point/Bridge Protocol Data Units Election of the Spanning-Tree Root Spanning-Tree Timers Creating the Spanning-Tree Topology Spanning-Tree Interface States Blocking State Listening State Learning State Forwarding State Disabled State Configuring STP Features Default STP Configuration Configuring STP Settings 8-10 STP Configuration Examples Root Bridge Without VLANs This example shows the configuration of a root bridge with no VLANs configured and with STP enabled: 8-11 Non-Root Bridge Without VLANs Root Bridge with VLANs This example shows the configuration of a root bridge with VLANs configured with STP enabled: 8-12 8-13 Non-Root Bridge with VLANs This example shows the configuration of a non-root bridge with VLANs configured with STP enabled: Displaying Spanning-Tree Status Configuring an Access Point as a Local Authenticator Understanding Local Authentication Configuring a Local Authenticator Guidelines for Local Authenticators Configuration Overview Configuring the Local Authenticator Access Point Page Page Configuring Other Access Points to Use the Local Authenticator Configuring EAP-FAST Settings Configuring PAC Settings PAC Expiration Times Generating PACs Manually Configuring an Authority ID Configuring Server Keys Possible PAC Failures Caused by Access Point Clock Limiting the Local Authenticator to One Authentication Type Unblocking Locked Usernames Viewing Local Authenticator Statistics Using Debug Messages Configuring Cipher Suites and WEP Understanding Cipher Suites and WEP Configuring Cipher Suites and WEP Creating WEP Keys Page WEP Key Restrictions Example WEP Key Setup Enabling Cipher Suites and WEP Matching Cipher Suites with WPA or CCKM Enabling and Disabling Broadcast Key Rotation Page Page Configuring Authentication Types Understanding Authentication Types Open Authentication to the Access Point Shared Key Authentication to the Access Point EAP Authentication to the Network MAC Address Authentication to the Network Combining MAC-Based, EAP, and Open Authentication Using CCKM for Authenticated Clients Using WPA Key Management 11-8 Figure 11-6 shows the WPA key management process. Software and Firmware Requirements for WPA, CCKM, CKIP, and WPA-TKIP Page Configuring Authentication Types Assigning Authentication Types to an SSID Page Page Configuring WPA Migration Mode Configuring Additional WPA Settings Setting a preshared Key Configuring Group Key Updates Configuring MAC Authentication Caching Configuring Authentication Holdoffs, Timeouts, and Intervals Creating and Applying EAP Method Profiles for the 802.1X Supplicant Creating an EAP Method Profile Applying an EAP Profile to the Fast Ethernet Interface Applying an EAP Profile to an Uplink SSID Matching Access Point and Client Device Authentication Types Page Page Guest Access Management Page Guest Account Creation Page Page Configuring WDS, Fast Secure Roaming, Radio Management, and Wireless Intrusion Detection Services Understanding WDS Role of the WDS Device Role of Access Points Using the WDS Device Understanding Fast Secure Roaming Page Understanding Radio Management Understanding Layer 3 Mobility Understanding Wireless Intrusion Detection Services Configuring WDS Guidelines for WDS Requirements for WDS Configuration Overview Configuring Access Points as Potential WDS Devices Page Page Page Page Configuring Access Points to use the WDS Device Configuring the Authentication Server to Support WDS Page Page Page Configuring WDS Only Mode Viewing WDS Information Using Debug Messages Configuring Fast Secure Roaming Requirements for Fast Secure Roaming Configuring Access Points to Support Fast Secure Roaming Page CLI Configuration Example Support for 802.11r Configuring Management Frame Protection Management Frame Protection Overview Protection of Unicast Management Frames Protection of Broadcast Management Frames Client MFP For Access Points in Root mode Configuring Client MFP Management Frame Protection with 802.11w Page Configuring Radio Management CLI Configuration Example Configuring Access Points to Participate in WIDS Configuring the Access Point for Scanner Mode Configuring the Access Point for Monitor Mode Displaying Monitor Mode Statistics Configuring Monitor Mode Limits Configuring an Authentication Failure Limit Configuring RADIUS and TACACS+ Servers Configuring and Enabling RADIUS Understanding RADIUS RADIUS Operation Configuring RADIUS Default RADIUS Configuration Identifying the RADIUS Server Host Page Page Configuring RADIUS Login Authentication Page Defining AAA Server Groups Page Configuring RADIUS Authorization for User Privileged Access and Network Services Configuring Packet of Disconnect Starting RADIUS Accounting m Selecting the CSID Format Configuring Settings for All RADIUS Servers Configuring the Access Point to Use Vendor-Specific RADIUS Attributes Configuring the Access Point for Vendor-Proprietary RADIUS Server Communication Configuring WISPr RADIUS Attributes Displaying the RADIUS Configuration RADIUS Attributes Sent by the Access Point Page Page Configuring and Enabling TACACS+ Understanding TACACS+ TACACS+ Operation Configuring TACACS+ Default TACACS+ Configuration Identifying the TACACS+ Server Host and Setting the Authentication Key Configuring TACACS+ Login Authentication Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services Starting TACACS+ Accounting Displaying the TACACS+ Configuration Page Configuring VLANs Understanding VLANs Related Documents Incorporating Wireless Devices into VLANs Configuring VLANs Configuring a VLAN Page Assigning Names to VLANs Guidelines for Using VLAN Names Creating a VLAN Name Using a RADIUS Server to Assign Users to VLANs Using a RADIUS Server for Dynamic Mobility Group Assignment Viewing VLANs Configured on the Access Point VLAN Configuration Example Page 14-12 Table14-3 Results of Example Configuration Commands VLAN 1 Interfaces VLAN 2 Interfaces VLAN 3 Interfaces Configuring QoS Understanding QoS for Wireless LANs QoS for Wireless LANs Versus QoS on Wired LANs Impact of QoS on a Wireless LAN Precedence of QoS Settings Using Wi-Fi Multimedia Mode Using Band Select Configuring QoS Configuration Guidelines Configuring QoS Using the Web-Browser Interface Page Page Page The QoS Policies Advanced Page QoS Element for Wireless Phones IGMP Snooping AVVID Priority Mapping WiFi Multimedia (WMM) Rate Limiting Adjusting Radio Access Categories Configuring Nominal Rates Optimized Voice Settings Configuring Call Admission Control Configuring the Radio Troubleshooting Admission Control QoS Configuration Examples Giving Priority to Voice Traffic Giving Priority to Video Traffic Page Page Configuring Filters Understanding Filters Configuring Filters Using the CLI Configuring Filters Using the Web-Browser Interface Configuring and Enabling MAC Address Filters Creating a MAC Address Filter Page Using MAC Address ACLs to Block or Allow Client Association to the Access Point Page Creating a Time-Based ACL ACL Logging Configuring and Enabling IP Filters Page Creating an IP Filter Configuring and Enabling EtherType Filters Creating an EtherType Filter Page Configuring CDP Understanding CDP Configuring CDP Default CDP Configuration Configuring the CDP Characteristics Disabling and Enabling CDP Disabling and Enabling CDP on an Interface Monitoring and Maintaining CDP Page 17-6 17-7 Page Configuring SNMP Understanding SNMP SNMP Versions SNMP Manager Functions SNMP Agent Functions SNMP Community Strings Using SNMP to Access MIB Variables Configuring SNMP Default SNMP Configuration Enabling the SNMP Agent Configuring Community Strings Specifying SNMP-Server Group Names Configuring SNMP-Server Hosts Configuring SNMP-Server Users Configuring Trap Managers and Enabling Traps Page Setting the Agent Contact and Location Information Using the snmp-server view Command SNMP Examples Page Displaying SNMP Status Configuring Repeater and Standby Access Points and Workgroup Bridge Mode Understanding Repeater Access Points Configuring a Repeater Access Point Default Configuration Guidelines for Repeaters Setting Up a Repeater Aligning Antennas Verifying Repeater Operation Setting Up a Repeater As a LEAP Client Setting Up a Repeater As a WPA Client Understanding Hot Standby Configuring a Hot Standby Access Point Page Verifying Standby Operation Understanding Workgroup Bridge Mode Page Treating Workgroup Bridges as Infrastructure Devices or as Client Devices Configuring a Workgroup Bridge for Roaming Configuring a Workgroup Bridge for Limited Channel Scanning Configuring the Limited Channel Set Ignoring the CCX Neighbor List Configuring a Client VLAN Workgroup Bridge VLAN Tagging Configuring Workgroup Bridge Mode Page Using Workgroup Bridges in a Lightweight Environment Guidelines for Using Workgroup Bridges in a Lightweight Environment Page Sample Workgroup Bridge Configuration Enabling VideoStream Support on Workgroup Bridges Page Managing Firmware and Configurations Working with the Flash File System Displaying Available File Systems Setting the Default File System Displaying Information About Files on a File System Changing Directories and Displaying the Working Directory Creating and Removing Directories Copying Files Deleting Files Creating, Displaying, and Extracting tar Files Creating a tar File Displaying the Contents of a tar File Extracting a tar File Displaying the Contents of a File Working with Configuration Files Guidelines for Creating and Using Configuration Files Configuration File Types and Location Creating a Configuration File by Using a Text Editor Copying Configuration Files by Using TFTP Preparing to Download or Upload a Configuration File by Using TFTP Downloading the Configuration File by Using TFTP Uploading the Configuration File by Using TFTP Copying Configuration Files by Using FTP Preparing to Download or Upload a Configuration File by Using FTP Downloading a Configuration File by Using FTP Uploading a Configuration File by Using FTP Copying Configuration Files by Using RCP Preparing to Download or Upload a Configuration File by Using RCP Downloading a Configuration File by Using RCP Uploading a Configuration File by Using RCP Clearing Configuration Information Deleting a Stored Configuration File Working with Software Images Image Location on the Access Point tar File Format of Images on a Server or Cisco.com Copying Image Files by Using TFTP Preparing to Download or Upload an Image File by Using TFTP Downloading an Image File by Using TFTP Page Uploading an Image File by Using TFTP Copying Image Files by Using FTP Preparing to Download or Upload an Image File by Using FTP Downloading an Image File by Using FTP Page Uploading an Image File by Using FTP Copying Image Files by Using RCP Preparing to Download or Upload an Image File by Using RCP Page Downloading an Image File by Using RCP Page Uploading an Image File by Using RCP Reloading the Image Using the Web Browser Interface Browser HTTP Interface Browser TFTP Interface Page Configuring System Message Logging Understanding System Message Logging Configuring System Message Logging System Log Message Format Default System Message Logging Configuration Disabling and Enabling Message Logging Setting the Message Display Destination Device Enabling and Disabling Timestamps on Log Messages Enabling and Disabling Sequence Numbers in Log Messages Defining the Message Severity Level Limiting Syslog Messages Sent to the History Table and to SNMP Setting a Logging Rate Limit Configuring UNIX Syslog Servers Logging Messages to a UNIX Syslog Daemon Configuring the UNIX System Logging Facility Page Displaying the Logging Configuration Troubleshooting Checking the Top Panel Indicators 22-3 Page Indicators on 1130 Series Access Points Page Page Indicators on 1040 or 1140 Series Access Point 2 3 41 Page Indicators on 1240 Series Access Points Page Indicators on 1250 Access Points Page Indicators on 1260 Series Access Points Page Indicators on 1300 Outdoor Access Point/Bridges Normal Mode LED Indications Page Power Injector Checking Power Low Power Condition Checking Basic Settings SSID WEP Keys Security Settings Resetting to the Default Configuration Using the MODE Button Using the Web Browser Interface Using the CLI Reloading the Access Point Image Using the MODE button Using the Web Browser Interface Browser HTTP Interface Browser TFTP Interface Using the CLI Obtaining the Access Point Image File Obtaining TFTP Server Software Image Recovery on the 1520 Access Point Page 22-32 Note If the ENABLE_BREAK=no environmental variable is set, you will not be able to escape to the bootloader. tftpd32 installed. Step9 Copy the image using TFTP to the 1520 access points flash: 22-33 Page A Protocol Filters Page Page Page Page Page B Supported MIBs MIB List Using FTP to Access the MIB Files C Error and Event Messages Conventions Software Auto Upgrade Messages Page Association Management Messages Unzip Messages System Log Messages 802.11 Subsystem Messages Page Page Page Page Page Page Page Page Page Page Page Page Inter-Access Point Protocol Messages Local Authenticator Messages Page Page WDS Messages Mini IOS Messages Access Point/Bridge Messages Cisco Discovery Protocol Messages External Radius Server Error Messages LWAPP Error Messages Sensor Messages SNMP Error Messages SSH Error Messages Page Page GLOSSARY A B C D E F G I M O P Q S T U W