Cisco Systems OL-6415-04 MAC Address Authentication to the Network

6-5

Cisco Wireless ISR and HWIC Access Point Configuration Guide

OL-6415-04

Chapter 6 Configuring Authentication Types

Understand Authentication Types

There is more than one type of EAP authentication, but the access point behaves the same way for each

type: it relays authentication messages from the wireless client device to the RADIUS server and from

the RADIUS server to the wireless client device. See the “Assigning Authentication Types to an SSID”

section on page 6-9 for instructions on setting up EAP on the access point.

Note If you use EAP authentication, you can select open or shared key authentication, but you don’t have to.

EAP authentication controls authentication both to your access point and to your network.

MAC Address Authentication to the Network

The access point relays the MAC address of the wireless client device to a RADIUS server on your

network, and the server checks the address against a list of allowed MAC addresses. Intruders can create

counterfeit MAC addresses, so MAC-based authentication is less secure than EAP authentication.

However, MAC-based authentication provides an alternate authentication method for client devices that

do not have EAP capability. See the “Assigning Authentication Types to an SSID” section on page 6-9

for instructions on enabling MAC-based authentication.

Tip If you don’t have a RADIUS server on your network, you can create a list of allowed MAC addresses on

the access point’s Advanced Security: MAC Address Authentication page. Devices with MAC addresses

not on the list are not allowed to authenticate.

Tip If MAC-authenticated clients on your wireless LAN roam frequently, you can enable a MAC

authentication cache on your access points. MAC authentication caching reduces overhead because the

access point authenticates devices in its MAC-address cache without sending the request to your

authentication server. See the “Configuring MAC Authentication Caching” section on page 6-14 for

instructions on enabling this feature.

Figure 6-4 shows the authentication sequence for MAC-based authentication.

Contents

Main Page CONTENTS Page Page Page Page Page Preface Audience Purpose Organization Conventions Page Related Publications Obtaining Documentation Cisco.com Product Documentation DVD Ordering Documentation Documentation Feedback Cisco Product Security Overview Reporting Security Problems in Cisco Products Obtaining Technical Assistance Cisco Technical Support & Documentation Website Submitting a Service Request Definitions of Service Request Severity Obtaining Additional Publications and Information Page Overview Wireless Device Management Network Configuration Example Root Unit on a Wired LAN Features Page Page Page Configuring Radio Settings Enabling the Radio Interface Roles in Radio Network Configuring Network or Fallback Role 2-4 Bridge Features Not Supported Sample Bridging Configuration The following is a sample of a Root Bridge Configuration: 2-5 The following is a sample of Non-Root Bridge Configuration: 2-6 Universal Client Mode Configuring Universal Client Mode Page 2-9 Configuring Radio Data Rates Page Configuring Radio Transmit Power Limiting the Power Level for Associated Client Devices Configuring Radio Channel Settings Page Page Page Page DFS Automatically Enabled on Some 5-GHz Radio Channels Confirming that DFS is Enabled Blocking Channels from DFS Selection Enabling and Disabling World Mode Enabling and Disabling Short Radio Preambles Configuring Transmit and Receive Antennas Disabling and Enabling Access Point Extensions Configuring the Ethernet Encapsulation Transformation Method Enabling and Disabling Reliable Multicast to Workgroup Bridges Enabling and Disabling Public Secure Packet Forwarding Configuring Protected Ports Configuring Beacon Period and DTIM Configuring RTS Threshold and Retries Configuring Maximum Data Retries Configuring Fragmentation Threshold Enabling Short Slot Time for 802.11g Radios Performing a Carrier Busy Test Page Configuring Multiple SSIDs Understanding Multiple SSIDs SSID Configuration Methods Supported by Cisco IOS Releases Configuring Multiple SSIDs Creating an SSID Globally Page Viewing SSIDs Configured Globally Using Spaces in SSIDs Using a RADIUS Server to Restrict SSIDs Configuring Multiple Basic SSIDs Requirements for Configuring Multiple BSSIDs Guidelines for Using Multiple BSSIDs CLI Configuration Example Displaying Configured BSSIDs Enabling MBSSID and SSIDL at the same time 3-8 Use the no form of the command to disable SSIDL IEs. Sample Configuration for Enabling MBSSID and SSIDL Below is a sample configuration for enabling MBSSID: Below is a sample configuration for enabling SSIDL: 3-9 Page Configuring an Access Point as a Local Authenticator Understand Local Authentication Configure a Local Authenticator Guidelines for Local Authenticators Configuration Overview Configuring the Local Authenticator Access Point Page Page 4-6 This example shows how to set up EAP-FAST authentication: 4-7 Configuring Other Access Points to Use the Local Authenticator Configuring EAP-FAST Settings Configuring PAC Settings PAC Expiration Times Generating PACs Manually Configuring an Authority ID Configuring Server Keys Possible PAC Failures Caused by Access Point Clock Limiting the Local Authenticator to One Authentication Type Unblocking Locked Usernames Viewing Local Authenticator Statistics Using Debug Messages Configuring Encryption Types Understand Encryption Types Configure Encryption Types Creating WEP Keys WEP Key Restrictions Example WEP Key Setup Creating Cipher Suites Cipher Suites Compatible with WPA Enabling and Disabling Broadcast Key Rotation Security Type in Universal Client Mode Universal client configuration Page 5-11 Page Configuring Authentication Types Understand Authentication Types Open Authentication to Access Point Shared Key Authentication to Access Point EAP Authentication to Network MAC Address Authentication to the Network Combining MAC-Based, EAP, and Open Authentication Using WPA Key Management Page Software and Firmware Requirements for WPA and WPA-TKIP Configure Authentication Types Assigning Authentication Types to an SSID Page Page Configuring WPA Migration Mode Configuring Additional WPA Settings Setting a Pre-Shared Key Configuring Group Key Updates Configuring MAC Authentication Caching Configuring Authentication Holdoffs, Timeouts, and Intervals Matching Access Point and Client Device Authentication Types Page Page Configuring RADIUS Servers Configuring and Enabling RADIUS Understanding RADIUS RADIUS Operation Configuring RADIUS Default RADIUS Configuration Identifying the RADIUS Server Host Page Configuring RADIUS Login Authentication Page Defining AAA Server Groups Page Configuring RADIUS Authorization for User Privileged Access and Network Services Starting RADIUS Accounting Selecting the CSID Format Configuring Settings for All RADIUS Servers Configuring the Access Point to Use Vendor-Specific RADIUS Attributes Configuring the Access Point for Vendor-Proprietary RADIUS Server Communication Configuring WISPr RADIUS Attributes Displaying the RADIUS Configuration RADIUS Attributes Sent by the Access Point Page Page Configuring VLANs Understanding VLANs Related Documents Incorporating Wireless Devices into VLANs Configuring VLANs Configuring a VLAN Page Assigning Names to VLANs Guidelines for Using VLAN Names Creating a VLAN Name Using a RADIUS Server to Assign Users to VLANs Viewing VLANs Configured on the Access Point VLAN Configuration Example 8-10 Table 8-2 shows the commands needed to configure the three VLANs in this example. Tab l e 8-2 Configuration Commands for VLAN Example Configuring VLAN 1 Configuring VLAN 2 Configuring VLAN 3 Tab l e 8-3 Results of Example Configuration Commands Page Page Configuring QoS Understanding QoS for Wireless LANs QoS for Wireless LANs Versus QoS on Wired LANs Impact of QoS on a Wireless LAN Precedence of QoS Settings Using Wi-Fi Multimedia Mode Configuring QoS Configuration Guidelines Adjusting Radio Access Categories Disabling IGMP Snooping Helper Sample Configuration Using the CLI A Channel Settings IEEE 802.11b (2.4-GHz Band) IEEE 802.11g (2.4-GHz Band) IEEE 802.11a (5-GHz Band) Page Page B Protocol Filters Page Page Page Page Page C Supported MIBs MIB List Using FTP to Access the MIB Files D Error and Event Messages How to Read System Messages Message Traceback Reports Association Management Messages 802.11 Subsystem Messages Page Page Page Page Page Page Page Page Local Authenticator Messages GLOSSARY A B C D E F G I M O P Q S T U W Page INDEX Numerics A B C D E F G I J N O P Q S T V W