Configuring Certificates Using The Crypto Pki Cli; Configuration Using The Cut And Paste Method - Cisco C3201FESMIC-TP= - 3201 Fast EN Switch Mobile Interface Card Expansion Module Software Configuration Manual


Authentication Types
Note
Unicast and multicast cipher suites advertised in the WPA information element (and negotiated during
802.11 association) might potentially mismatch with the cipher suite supported in an explicitly assigned
VLAN. If the RADIUS server assigns a new VLAN ID which uses a different cipher suite from the
previously negotiated cipher suite, there is no way for the root device and the client device to switch back
to the new cipher suite. Currently, the WPA and CCKM protocols do not allow the cipher suite to be
changed after the initial 802.11 cipher negotiation phase. In this scenario, the non-root bridge is
disassociated from the wireless LAN.
See the "Assigning Authentication Types to an SSID" section on page 16 for instructions on configuring
WPA key management on your bridge.

Configuring Certificates Using the crypto pki CLI

This section explains how to import CA and router certificates using the crypto PKI CLI and how to add
a trustpoint to the dot1x credentials. Before any PKI operations can begin, the CA generates its own
public key pair and creates a self-signed CA certificate; thereafter, the CA can sign certificate requests
and begin peer enrollment for the PKI.
Note
The domain name and clock must be set prior to enrollment of certificates.

You can import the CA and router certificates in any of the following ways:
• Configuration using cut and paste—This is useful when there is no connection between the router
  and the CA or in cases where scripting is required. In this method, the certificate request generated
  on the router is copied to the CA server to receive certificate for the router's key pair. Both the CA
  and router certificate are imported using the CLI.
• Configuration using TFTP—In this method, the certificate request generated on the router is
  automatically copied to the TFTP server. The CA and router certificates are automatically imported
  from the TFTP server after they are copied to the TFTP server from the CA server.
• Configuration using SCEP—In this method, the CA and router certificates are automatically
  imported from the CA server.

Configuration Using the Cut and Paste Method

To manually configure a trustpoint and import the CA and router certificate, follow these steps:

        Command                     Purpose
Step 1  configure terminal          Enters global configuration mode.
Step 2  crypto pki trustpoint name  Specifies the name of the trustpoint.
Step 3  enrollment terminal         Specifies that the terminal is to be used for certificate enrollment.
Step 4  rsakeypair name 1024        Specifies that a manual key with the given name will be generated with length 1024.

Cisco 3200 Series Wireless MIC Software Configuration Guide
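
An added example (not from the Cisco manual): a Python audit that reads a saved configuration, finds each crypto pki trustpoint block built with the commands in the steps above, and reports trustpoints that lack an enrollment method or whose rsakeypair size is missing or below a policy minimum. The sample configuration, the trustpoint and key names, the 2048-bit floor and the `ip domain-name` prerequisite check are assumptions made for the illustration.

```python
import re

MIN_RSA_BITS = 2048  # assumed policy floor, not a value from the manual (its step 4 uses 1024)

# Constructed sample configuration for the example (not taken from the manual).
SAMPLE_CONFIG = """\
ip domain-name example.com
!
crypto pki trustpoint TP-LAB
 enrollment terminal
 rsakeypair TP-LAB-KEY 1024
!
crypto pki trustpoint TP-PROD
 enrollment terminal
 rsakeypair TP-PROD-KEY 2048
!
crypto pki trustpoint TP-EMPTY
!
"""

def parse_trustpoints(config):
    """Map each trustpoint name to its enrollment method and RSA key size."""
    trustpoints, current = {}, None
    for line in config.splitlines():
        head = re.match(r"crypto pki trustpoint (\S+)\s*$", line)
        if head:
            current = trustpoints.setdefault(head.group(1), {"enrollment": None, "bits": None})
        elif current is not None and line.startswith(" "):
            words = line.split()
            if words[:1] == ["enrollment"] and len(words) > 1:
                current["enrollment"] = words[1]
            elif words[:1] == ["rsakeypair"] and len(words) > 2 and words[2].isdigit():
                current["bits"] = int(words[2])
        else:
            current = None  # any unindented line closes the trustpoint block
    return trustpoints

def audit(config):
    """Return sorted findings for the domain-name prerequisite and each trustpoint."""
    findings = []
    if not re.search(r"^ip domain[- ]name \S+", config, re.M):
        findings.append("global: no domain name configured")
    for name, tp in parse_trustpoints(config).items():
        if tp["enrollment"] is None:
            findings.append(f"{name}: no enrollment method")
        if tp["bits"] is None:
            findings.append(f"{name}: no rsakeypair with an explicit size")
        elif tp["bits"] < MIN_RSA_BITS:
            findings.append(f"{name}: RSA {tp['bits']} bits is below {MIN_RSA_BITS}")
    return sorted(findings)
```

Calling `audit(SAMPLE_CONFIG)` flags TP-LAB for its 1024-bit key and TP-EMPTY for having neither an enrollment method nor a key pair; TP-PROD passes.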
