Chapter 6 Configuring Authentication Types

Configure Authentication Types

Configuring Additional WPA Settings

Use two optional settings to configure a pre-shared key on the access point and adjust the frequency of group key updates.

Setting a Pre-Shared Key

To support WPA on a wireless LAN where 802.1x-based authentication is not available, you must configure a pre-shared key on the access point. You can enter the pre-shared key as ASCII or hexadecimal characters. If you enter the key as ASCII characters, you must enter between 8 and 63 characters, and the access point expands the key using the process described in the Password-based Cryptography Standard (RFC 2898). If you enter the key as hexadecimal characters, you must enter exactly 64 hexadecimal characters.
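The expansion of an ASCII key into the 256-bit key, as an added example that is not part of the Cisco guide. It assumes the parameters defined by IEEE 802.11i, which this page does not state (PBKDF2 with HMAC-SHA1, the SSID as salt, 4096 iterations); the function name wpa_psk and the sample values are constructed for illustration.

```python
import hashlib
import string


def wpa_psk(key_text: str, ssid: str, key_format: str = "ascii") -> bytes:
    """Return the 256-bit pre-shared key for a key entered as ASCII or hex.

    Assumption (IEEE 802.11i, not stated on this page): the ASCII form is
    expanded with PBKDF2-HMAC-SHA1, salt = SSID, 4096 iterations, 32 bytes.
    """
    if key_format == "hex":
        # Hex form: exactly 64 hexadecimal characters, used as the key itself.
        if len(key_text) != 64 or any(c not in string.hexdigits for c in key_text):
            raise ValueError("hex key must be exactly 64 hexadecimal characters")
        return bytes.fromhex(key_text)
    if key_format != "ascii":
        raise ValueError("key_format must be 'ascii' or 'hex'")

    # ASCII form: 8 to 63 printable characters, as the guide requires.
    if not 8 <= len(key_text) <= 63:
        raise ValueError("ASCII key must be between 8 and 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in key_text):
        raise ValueError("ASCII key must contain only printable ASCII characters")

    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be between 1 and 32 bytes")

    return hashlib.pbkdf2_hmac("sha1", key_text.encode("ascii"), salt, 4096, 32)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real network.
    for ssid in ("branch-office", "branch-guest"):
        psk = wpa_psk("correct horse battery", ssid)
        # The same ASCII key yields a different 256-bit key on each SSID,
        # because the SSID is the salt.
        print(f"{ssid}: {psk.hex()}")
```

Because the SSID is the salt, the 64-character hexadecimal form of a key is only valid for the SSID it was derived for.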

Configuring Group Key Updates

In the last step in the WPA process, the access point distributes a group key to the authenticated client device. You can use these optional settings to configure the access point to change and distribute the group key based on client association and disassociation:

Membership termination—the access point generates and distributes a new group key when any authenticated device disassociates from the access point. This feature keeps the group key private for associated devices, but it might generate some overhead traffic if clients on your network roam frequently among access points.

Capability change—the access point generates and distributes a dynamic group key when the last non-key management (static WEP) client disassociates, and it distributes the statically configured WEP key when the first non-key management (static WEP) client authenticates. In WPA migration mode, this feature significantly improves the security of key-management capable clients when there are no static-WEP clients associated to the access point.

Beginning in privileged EXEC mode, follow these steps to configure a WPA pre-shared key and group key update options:

 

Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.

Step 2
  Command: interface dot11radio { 0 | 1 }
  Purpose: Enter interface configuration mode for the radio interface. The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.

Step 3
  Command: ssid ssid-string
  Purpose: Enter SSID configuration mode for the SSID.

Step 4
  Command: wpa-psk { hex | ascii } [ 0 | 7 ] encryption-key
  Purpose: Enter a pre-shared key for client devices using WPA that also use static WEP keys. Enter the key using either hexadecimal or ASCII characters. If you use hexadecimal, you must enter 64 hexadecimal characters to complete the 256-bit key. If you use ASCII, you must enter a minimum of 8 letters, numbers, or symbols, and the access point expands the key for you. You can enter a maximum of 63 ASCII characters.

Step 5
  Command: end
  Purpose: Return to privileged EXEC mode.

 

 

 

Cisco Wireless ISR and HWIC Access Point Configuration Guide, OL-6415-04