Wpa-Psk | Cisco Systems OL-6415-04 manual

Chapter 6 Configuring Authentication Types

Matching Access Point and Client Device Authentication Types

		Table 6-2	Client and Access Point Security Settings (continued)

		Security Feature		Client Setting	Access Point Setting

		EAP-FAST authentication		Enable EAP-FAST and Wi-Fi	Select a cipher suite that includes
		with WPA		Protected Access (WPA) and	TKIP, set up and enable WEP, and
				enable automatic provisioning or	enable Network-EAP and WPA for
				import a PAC file.	the SSID.
				To allow the client to associate to	Note To allow both WPA and
				both WPA and non-WPA access	non-WPA clients to use the
				points, enable Allow Association to	SSID, enable optional
				both WPA and non-WPA	WPA.
				authenticators.

		802.1x authentication		Enable LEAP	Select a cipher suite and enable
					Network-EAP for the SSID

		802.1x authentication and		Enable any 802.1x authentication	Select a cipher suite and enable
		WPA		method	Open authentication and WPA for
					the SSID (you can also enable
					Network-EAP authentication in
					addition to or instead of Open
					authentication)
					Note To allow both WPA clients
					and non-WPA clients to use
					the SSID, enable optional
					WPA.

		802.1x authentication and		Enable any 802.1x authentication	Select a cipher suite and enable
		WPA-PSK		method	Open authentication and WPA for
					the SSID (you can also enable
					Network-EAP authentication in
					addition to or instead of Open
					authentication). Enter a WPA
					pre-shared key.
					Note To allow both WPA clients
					and non-WPA clients to use
					the SSID, enable optional
					WPA.

		EAP-TLS authentication

		If using ACU to		Enable Host Based EAP and Use	Set up and enable WEP and enable
		configure card		Dynamic WEP Keys in ACU and	EAP and Open authentication for
				select Enable network access	the SSID
				control using IEEE 802.1X and
				Smart Card or Other Certificate as
				the EAP Type in Windows 2000
				(with Service Pack 3) or
				Windows XP

		If using Windows XP		Select Enable network access	Set up and enable WEP and enable
		to configure card		control using IEEE 802.1X and	EAP and Open Authentication for
				Smart Card or other Certificate as	the SSID
				the EAP Type

				Cisco Wireless ISR and HWIC Access Point Configuration Guide


	OL-6415-04						6-17
	OL-6415-04						6-17

Image 105

Cisco Systems OL-6415-04 manual Wpa-Psk

Contents

Text Part Number 0L-6415-04 Corporate HeadquartersPage N T E N T S Ssid Configuration Methods Supported by Cisco IOS Releases Creating Cipher Suites Protocol Filters Local Authenticator Messages Contents Cisco Wireless Router and Hwic Configuration Guide Audience PrefacePurpose Preface provides information on the following topics Conventions Organization Preface Conventions Cisco Product Document Title Related Publications Cisco.com Obtaining Documentation Documentation Feedback Product Documentation DVDOrdering Documentation Cisco Product Security Overview Reporting Security Problems in Cisco Products Submitting a Service Request Obtaining Technical AssistanceCisco Technical Support & Documentation Website Obtaining Additional Publications and Information Definitions of Service Request Severity Preface Obtaining Additional Publications and Information Overview Wireless Device Management Root Unit on a Wired LAN Network Configuration Example Features Overview Features Overview Overview Cisco Wireless Router and Hwic Configuration Guide Configuring Radio Settings Enabling the Radio Interface Command PurposeRoles in Radio Network Cisco Role in Radio Network Eries ISRs Configuring Network or Fallback Role Bridge Features Not Supported Sample Bridging ConfigurationFollowing is a sample of a Root Bridge Configuration Following is a sample of Non-Root Bridge Configuration Interface Dot11Radio0/1/0 no ip address Configuring Universal Client Mode Universal Client Mode Following configuration is supported on NAT NAT Network Address TranslationVirtual interface to aid NAT translation No service password-encryption Hostname C1803WUC Configuring Radio Settings Configuring Radio Data Rates Configuring Radio Data Rates Speed Throughput ofdm default11.0 2.0 5.5 basic-1.0 2.0 5.5 6.0 9.0 End Return to privileged Exec mode Configuring Radio Transmit PowerDBm 100 125 150 200 250 Power local Limiting the Power Level for Associated Client Devices5 6 7 10 13 15 17 Maximum Power client Configuring Radio Channel Settings20 30 50 100 maximum 10 20 30 50 Maximum Regulatory Domains Channel CenterIdentifier MHz 2412 2417 2422 2427 2432 2437 2442 2447 2452 2457 2462 2467 2472 2484 Channel GHz Channels on Which DFS is Automatically Enabled DFS Automatically Enabled on Some 5-GHz Radio Channels Confirming that DFS is Enabled Enabling and Disabling World ModeThis example shows how to unblock all frequencies for DFS Blocking Channels from DFS Selection Enabling and Disabling Short Radio Preambles Antenna receive Configuring Transmit and Receive AntennasDiversity left right Antenna transmit Disabling and Enabling Access Point Extensions Disable Access Point extensionsNo dot11 extension aironet Payload-encapsulation Snap or 802.1h dot1h, the default settingSet the encapsulation transformation method to RFC1042 Snap dot1h Configure terminal Enter global configuration mode Enable PspfBridge-group group port-protected Configuring Protected Ports Configuring Beacon Period and Dtim Configuring Maximum Data Retries Configuring RTS Threshold and RetriesRts threshold value Rts retries value Bytes for the 2.4-GHz radio. Enter a setting from 256 to Configuring Fragmentation ThresholdEnabling Short Slot Time for 802.11g Radios Fragment-threshold value Performing a Carrier Busy Test OL-6415-04 Configuring Multiple SSIDs Ssid Configuration Methods Supported by Cisco IOS Releases Understanding Multiple SSIDsVlan Creating an Ssid Globally Configuring Multiple SSIDs Command Purpose Using a Radius Server to Restrict SSIDs Viewing SSIDs Configured GloballyUsing Spaces in SSIDs Configuring Multiple Basic SSIDs Requirements for Configuring Multiple BSSIDsGuidelines for Using Multiple BSSIDs Displaying Configured BSSIDs CLI Configuration ExampleEnabling Mbssid and Ssidl at the same time Information-element ssidl Use the no form of the command to disable Ssidl IEs Sample Configuration for Enabling Mbssid and SsidlBelow is a sample configuration for enabling Mbssid Below is a sample configuration for enabling Ssidl Interface Dot11Radio0/0/0 no ip address OL-6415-04 Configuring an Access Point as a Local Authenticator Configure a Local Authenticator Understand Local Authentication Configuration Overview Guidelines for Local AuthenticatorsConfiguring the Local Authenticator Access Point Aaa new-model Enable AAA Radius-server local Reauthentication time secondsVlan vlan Ssid ssid Mac-auth-only Password nthash password This example shows how to set up EAP-FAST authentication End Routerconfig# aaa new-model Configuring PAC Settings Configuring EAP-FAST Settings Configuring an Authority ID Configuring Server KeysPossible PAC Failures Caused by Access Point Clock Viewing Local Authenticator Statistics Limiting the Local Authenticator to One Authentication TypeThis example shows local authenticator statistics Unblocking Locked Usernames Using Debug Messages Understand Encryption Types, Configure Encryption Types, Configuring Encryption Types Understand Encryption Types Creating WEP Keys Configure Encryption Types WEP Key Restrictions Security Configuration WEP Key RestrictionEncryption Key Example WEP Key Setup Access Point Associated Device Slot Transmit? Key ContentsCreating Cipher Suites Cipher Suites Compatible with WPA Enabling and Disabling Broadcast Key Rotation Compatible Cipher SuitesWPA Security Security Type in Universal Client Mode Universal client configuration Tkip AES TKIP+AESWEP 40-bit WEP 128-bit Caveats Debugging WEP OL-6415-04 Configuring Authentication Types Open Authentication to Access Point Understand Authentication Types Traffic from client Shared Key Authentication to Access Point Sequence for EAP Authentication EAP Authentication to Network MAC Address Authentication to the Network Using WPA Key Management Combining MAC-Based, EAP, and Open Authentication 5shows the WPA key management process Software and Firmware Requirements for WPA and WPA-TKIP WPA-PSK Mode Windows XP YesThird Party Host Supplicant Protocol Required? Systems Assigning Authentication Types to an Ssid Configure Authentication Types Optional Set the authentication type to open for this Ssid Authentication openMac-address list-name alternate Optional eap list-name Authentication network-eap Authentication sharedAuthentication key-management Mac-address list-name Configuring WPA Migration Mode Wpa-psk hex ascii 0 Configuring Additional WPA Settings Configuring MAC Authentication Caching Dot11 holdoff-time seconds Dot1x client-timeout secondsDot1x reauth-period seconds Server Security Feature Client Setting Access Point Setting Detects two MIC failures within 60 seconds, it blocks allTkip clients on that interface for the holdtime period WPA-PSK Security Feature Client Setting Access Point Setting Configuring Radius Servers Understanding Radius Configuring and Enabling Radius Radius Operation Default Radius Configuration Configuring Radius Identifying the Radius Server Host Port for authentication requests.Optional For acct-port Acct-port port-number timeoutRadius-server timeout command is used Radius-server host hostname Show running-config Verify your entries Configuring Radius Login Authentication Login authentication default Aaa authentication login defaultAuthentication login command Include-in-access-req format %h Defining AAA Server Groups Port for accounting requests Port for authentication requestsAaa group server radius group-name Define the AAA server-group with a group name Radius Starting Radius Accounting Configuring Settings for All Radius Servers Selecting the Csid FormatOption MAC Address Example Show running-config Verify your settings Authentication Radius-server vsa send accountingRadius-server host hostname ip-address non-standard Radius-server key string Configuring WISPr Radius Attributes Snmp-server location location Displaying the Radius Configuration Attribute ID Description Radius Attributes Sent by the Access Point VLAN-ID VSA attribute NAS-Location Disc-Cause-Ext Acct-Terminate-Cause Configuring VLANs Understanding VLANs Related Documents LAN and Vlan Segmentation with Wireless Devices Incorporating Wireless Devices into VLANs Configuring VLANs Interface dot11radio 0.x Configuring a Vlan Encapsulation dot1q vlan-id Guidelines for Using Vlan Names Using a Radius Server to Assign Users to VLANsAssigning Names to VLANs Creating a Vlan Name Viewing VLANs Configured on the Access Point Ssid Vlan ID Vlan Configuration Example Vlan 1 Interfaces Vlan 2 Interfaces Vlan 3 Interfaces Configuring Vlan Configuring VLANs Vlan Configuration Example OL-6415-04 Understanding QoS for Wireless LANs, Configuring QoS, Configuring QoS Understanding QoS for Wireless LANs QoS for Wireless LANs Versus QoS on Wired LANsImpact of QoS on a Wireless LAN Upstream and Downstream Traffic Flow Precedence of QoS Settings Using Wi-Fi Multimedia Mode Configuration Guidelines Configuring QoSAdjusting Radio Access Categories Fixed Slot Time Disabling Igmp Snooping Helper Sample Configuration Using the CLI Ieee 802.11b 2.4-GHz Band Channel SettingsCenter Frequency Americas Japan Ieee 802.11a 5-GHz Band Ieee 802.11g 2.4-GHz BandCenter Regulatory Domains Americas -A Emea -E Japan -J Frequency Frequency North America OL-6415-04 Protocol Filters Protocol Igmp IcmpTCP EGP PUP Chaos ISO Designator POP2 TsapPOP3 IMAP2 RPC RIPUucp CVS Supported MIBs MIB ListIEEE802dot11-MIB RFC1213-MIB RFC1398-MIB SNMPv2-MIB SNMPv2-SMI SNMPv2-TC Using FTP to Access the MIB Files How to Read System Messages Error and Event MessagesThis appendix lists the CLI error and event messages Level Description Explanation a station disassociated from an access point Explanation a station associated to an access pointMessage Traceback Reports Association Management Messages Subsystem Messages Recommended Action None Explanation The device has begun its DFS scanning process Recommended Action None Error Message DOT11-4-RMINCAPABLE Interface interface Recommended Action Reload the system Error Message DOT11-4-CANTASSOC Cannot associate characters Recommended Action None Recommended Action Local Authenticator Messages Wireless network composed of stations without Access Points Network with wireless stationsAccess Point Operating in the 2.4-GHz band GL-2 Hoc mode Wired Ethernet network LAN 802.11 specificationsAn antenna that radiates its signal in a spherical pattern Corresponding IP addresses Transmission at 2 Mbps Transmission at 6, 9, 12, 18, 24, 36, 48, and 54 Mbps That of a cable While maintaining an unbroken connection to the LAN Wireless MultiMedia Computing device with an installed client adapter802.1X for authenticated key management AES-CCMP EAP IN-2 EAP-FAST 1 Leap FTP Names, Vlan Network-EAP OfdmQbss Local authentication Names Ssid 4 Vlan command 4 Guest mode Multiple SSIDs Support Using spacesRegulatory Domains Radius RFC WPA migration mode Wpa-psk command World-mode command IN-7 IN-8 IN-9 IN-10 IN-11 IN-12 IN-13 IN-14