5/26/05 Local MAC Filter
OL-7426-03
IPSec Authentication
IPSec uses hmac-sha-1 as the default for authenticating WLAN data, but can also use
hmac-md5, or no authentication.
Use the show wlan command to view the current IPSec authentication protocol.
Use the following command to configure the IPSec authentication:
>config wlan security ipsec authentication [hmac-md5/hmac-sha-1/none] <WLAN id>
where <WLAN id> = 1 through 16.
Use the show wlan command to verify that you have correctly set the IPSec authentication.
IPSec Encryption
IPSec uses 3DES encryption as the default for encrypting WLAN data, but can also use AES, DES, or no
encryption.
Use the show wlan command to view the current IPSec encryption.
Use the following command to configure the IPSec encryption:
>config wlan security ipsec encryption [3des/aes/des/none] <WLAN id>
where aes = AES-CBC and <WLAN id> = 1 through 16.
Use the show wlan command to verify that you have correctly set the IPSec encryption.
IKE Authentication
IPSec IKE (Internet Key Exchange) uses pre-shared key exchanges, X.509 (RSA Signatures)
certificates, and XAuth-psk for authentication.
Use the show wlan command to see if IPSec IKE is enabled.
Use the following commands to configure IKE authentication on a WLAN with IPSec enabled:
>config wlan security ipsec ike authentication certificates <wlan id>
>config wlan security ipsec ike authentication xauth-psk <wlan id> <key>
>config wlan security ipsec ike authentication pre-shared-key <wlan id> <key>
where <wlan id> = 1 through 16, certificates = RSA signatures, xauth-psk = XAuth pre-shared
key, and <key> = pre-shared key (8 to 255 ASCII characters, case sensitive).
Use the show wlan command to verify that you have IPSec IKE enabled.
IKE Diffie-Hellman Group
IPSec IKE uses Diffie-Hellman groups to block easily decrypted keys.
Use the show wlan command to verify whether or not the Cisco Wireless LAN Controller has
IPSec IKE DH Groups properly set.
Use the following command to configure the IKE Diffie-Hellman group on a WLAN with IPSec
enabled:
>config wlan security ipsec ike DH-Group <WLAN id> <group-id>
where <WLAN id> = 1 through 16; <group-id> = group-1, group-2 (default), or group-5.
Use the show wlan command to verify that the Cisco Wireless LAN Controller has IPSec IKE DH
Groups properly set.
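
The following is an added example, not part of the Cisco guide: a small Python check that reads a saved script of the config wlan security ipsec commands described above and reports values outside the documented syntax (option names, WLAN id 1 through 16, key length 8 to 255 ASCII characters). The WEAK policy set, the function names, and the sample script are assumptions of this example.

```python
# Allowed values, copied from the command syntax in this guide.
AUTH = {"hmac-md5", "hmac-sha-1", "none"}
ENC = {"3des", "aes", "des", "none"}
DH = {"group-1", "group-2", "group-5"}
IKE = {"certificates", "xauth-psk", "pre-shared-key"}
# Assumed audit policy (not from the guide): settings to flag as weak.
WEAK = {"hmac-md5", "none", "des", "group-1"}
PREFIX = "config wlan security ipsec "

def check_line(line):
    """Return a list of findings for one command line; empty means OK."""
    text = line.strip().lstrip(">").strip()
    if not text.startswith(PREFIX):
        return []                      # not an IPSec WLAN command
    words = text[len(PREFIX):].split()
    findings, key = [], None
    try:
        if words[0] == "authentication":
            value, allowed, wlan = words[1], AUTH, words[2]
        elif words[0] == "encryption":
            value, allowed, wlan = words[1], ENC, words[2]
        elif words[:2] == ["ike", "authentication"]:
            value, allowed, wlan = words[2], IKE, words[3]
            # certificates takes no key; the PSK forms take one after the id
            key = None if value == "certificates" else " ".join(words[4:])
        elif words[0] == "ike" and words[1].lower() == "dh-group":
            wlan, value, allowed = words[2], words[3], DH
        else:
            return ["unrecognized ipsec subcommand"]
    except IndexError:
        return ["missing argument"]
    if value not in allowed or value in WEAK:
        kind = "weak" if value in allowed else "invalid"
        findings.append(f"{kind} value {value!r}")
    if not (wlan.isdecimal() and 1 <= int(wlan) <= 16):
        findings.append(f"WLAN id {wlan!r} outside 1-16")
    if key is not None and not (8 <= len(key) <= 255 and key.isascii()):
        findings.append("key must be 8 to 255 ASCII characters")
    return findings

def audit(script):
    """Return {line number: findings} for every line with a finding."""
    checked = enumerate(map(check_line, script.splitlines()), 1)
    return {n: found for n, found in checked if found}

# Constructed sample script (not captured from a real controller).
SAMPLE = """>config wlan security ipsec authentication hmac-sha-1 1
>config wlan security ipsec encryption des 2
>config wlan security ipsec ike authentication pre-shared-key 3 short
>config wlan security ipsec ike DH-Group 17 group-5"""
```

Calling audit(SAMPLE) returns findings for lines 2, 3 and 4 of the sample; line 1 uses the default authentication and passes.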