Table of Contents
Advertisement
Authentication Types
The following example sets authentication type for the SSID bridgeman to perform LEAP authentication
with AES encryption on the client device (workgroup bridge or non-root bridge).
bridge(config)# interface dot11radio 0
bridge(config-if)# encryption mode ciphers aes-ccm
bridge(config)# dot11 ssid bridgeman
bridge(config-ssid)# authentication network-eap eap_adam
bridge(config-ssid)# authentication key-management wpa
bridge(config-ssid)# authentication client username adam password adam
bridge(config-ssid)# infrastructure-ssid
bridge(config-if)# end
Configuring the Root Device to Interact with the WDS Device
To support non-root bridges using CCKM, your root device must interact with the WDS device on your
network, and your authentication server must be configured with a username and password for the root
device. For detailed instructions on configuring WDS and CCKM on your wireless LAN, see Chapter 11
in the Cisco IOS Software Configuration Guide for Cisco Access Points.
On your root device, enter this command in global configuration mode:
bridge(config)# wlccp ap username username password password
You must configure the same username and password pair when you set up the root device as a client on
your authentication server.
Configuring Additional WPA Settings
Use two optional settings to configure a pre-shared key on the bridge and adjust the frequency of group
key updates.
Setting a Pre-Shared Key
To support WPA on a wireless LAN where 802.1x-based authentication is not available, you must
configure a pre-shared key on the bridge. You can enter the pre-shared key as ASCII or hexadecimal
characters. If you enter the key as ASCII characters, you enter between 8 and 63 characters, and the
bridge expands the key using the process described in the Password-based Cryptography Standard (RFC
2898). If you enter the key as hexadecimal characters, you must enter 64 hexadecimal characters.
Configuring Group Key Updates
In the second optional WPA setting, the root device distributes a group key to the authenticated non-root
bridge. You can use these optional settings to configure the root device to change and distribute the group
key based on association and disassociation of non-root bridges:
•
•
To configure a WPA pre-shared key, follow these steps, beginning in privileged EXEC mode.
Membership termination—the root device generates and distributes a new group key when any
authenticated non-root bridge disassociates from the root device. This feature keeps the group key
private for associated bridges.
Capability change—the root device generates and distributes a dynamic group key when the last
non-key management (static WEP) non-root bridge disassociates, and it distributes the statically
configured WEP key when the first non-key management (static WEP) non-root bridge
authenticates. In WPA migration mode, this feature significantly improves the security of
key-management capable clients when there are no static-WEP bridges associated to the root device.
Cisco 3200 Series Wireless MIC Software Configuration Guide
Configuring Authentication Types
23
Hide quick links:
Advertisement
Table of Contents
