Configuring 802.1X Authentication

On the managed device, use the following steps to configure a wireless network that uses 802.1X authentication:

  1. Configure the VLANs to which the authenticated users will be assigned. See Network Configuration Parameters.
  2. Configure policies and roles. You can specify a default role for users who are successfully authenticated using 802.1X. You can also configure server derivation rules to assign a user role based on attributes returned by the authentication server; server-derived user roles take precedence over default roles. For more information about policies and roles, see Roles and Policies. The Policy Enforcement Firewall Virtual Private Network module provides identity-based security for wired and wireless users and must be installed on the managed device. The stateful firewall allows user classification based on user identity, device type, location, and time of day to provide differentiated access for different classes of users. For information about obtaining and installing licenses, refer to the Aruba Mobility Master Licensing Guide.
  3. Configure the authentication server(s) and server group. The server can be an 802.1X RADIUS server or, if you use AAA FastConnect, a non-802.1X server or the internal database of the managed device. If you use EAP-GTC within a PEAP tunnel, configure an LDAP or RADIUS server as the authentication server (see Authentication Servers). If you use EAP-TLS, import server and CA certificates on the managed device (see Configuring and Using Certificates with AAA FastConnect).
  4. Configure the AAA profile:
    1. Select the 802.1X default user role.
    2. Select the server group you previously configured for the 802.1X authentication server group.
  5. Configure the 802.1X authentication profile. See Example Configurations.
  6. Configure the virtual AP profile for an AP group or for a specific AP:
    1. Select the AAA profile you previously configured.
    2. In the SSID profile, configure the WLAN for 802.1X authentication.

For details on how to complete the above steps, see Example Configurations.

The following procedure describes how to create and configure a new instance of an 802.1X authentication profile:

  1. In a Managed Network node hierarchy, navigate to the Configuration > Authentication > L2 Authentication tab.
  2. In the L2 Authentication table, select 802.1X Authentication.
  3. Click + in the 802.1X Authentication Profile: New Profile.
  4. Enter a Profile Name.
  5. Change the settings described in Table 1 as desired.
  6. Click Pending Changes.
  7. In the Pending Changes window, select the check box and click Deploy changes.

Table 1: 802.1X Authentication Profile WebUI Parameters

Parameter / Description

Max Authentication Failures

Number of times a user can try to log in with wrong credentials, after which the user is blacklisted as a security threat. Set to 0 to disable blacklisting; otherwise enter a non-zero integer to blacklist the user after the specified number of failures.

Range: 0-5 failures.

Default: 0 failures.

NOTE: This option may require a license.

Enforce Machine Authentication

Select the Enforce Machine Authentication option to require machine authentication. This option is also available on the Basic settings tab.

NOTE: This option may require a license.

Machine Authentication: Default Machine Role

Default role assigned to the user after 802.1X authentication. The default role for this setting is the “guest” role.

Machine Authentication Cache Timeout

The timeout, in hours, for machine authentication. The allowed range of values is 1-1000 hours, and the default value is 24 hours.

Blacklist on Machine Authentication Failure

Select this check box to blacklist a client if machine authentication fails. This setting is disabled by default.

Machine Authentication: Default User Role

Default role assigned to the user after completing only machine authentication. The default role for this setting is the “guest” role.

Interval between Identity Requests

Interval, in seconds, between identity request retries.

Range: 1-65535 seconds.

Default: 5 seconds.

Quiet Period after Failed Authentication

The enforced quiet period interval, in seconds, following failed authentication. Range: 1-65535 seconds.

Default: 30 seconds.

Reauthentication Interval

Interval, in seconds, between reauthentication attempts.

Range: 60-864000 seconds.

Default: 86400 seconds (1 day).

Use Server provided Reauthentication Interval

Select this option to override any user-defined reauthentication interval and use the reauthentication period defined by the authentication server.

Use the termination-action attribute from the Server

Select this option to honor the termination-action attribute from the server.

Multicast Key Rotation Time Interval

Interval, in seconds, between multicast key rotation.

Range: 60-864000 seconds.

Default: 1800 seconds.

Unicast Key Rotation Time Interval

Interval, in seconds, between unicast key rotation.

Range: 60-864000 seconds. Default: 900 seconds.

Authentication Server Retry Interval

Server group retry interval, in seconds.

Range: 2-65535 seconds.

Default: 5 seconds.

Authentication Server Retry Count

Maximum number of authentication requests that are sent to server group.

Range: 0-5 requests.

Default: 3 requests.

Framed MTU

Sets the framed MTU attribute sent to the authentication server.

Range: 500-1500 bytes.

Default: 1100 bytes.

Max number of requests sent during an Auth attempt

Maximum number of times ID requests are sent to the client.

Range: 1-10 retries.

Default: 5 retries.

Maximum Number of Reauthentication Attempts

Number of times a user can try to log in with wrong credentials after which the user is blacklisted as a security threat. Set to 0 to disable blacklisting, otherwise enter a value from 0-5 to blacklist the user after the specified number of failures.

Default: 3 retries.

NOTE: If changed from its default value, this option may require a license.

Maximum number of times Held State can be bypassed

Number of consecutive authentication failures which, when reached, causes the managed device to not respond to authentication requests from a client while the managed device is in a held state after the authentication failure. Before this number is reached, the managed device responds to authentication requests from the client even while the managed device is in its held state.

(This parameter is applicable when 802.1X authentication is terminated on the managed device, also known as AAA FastConnect.) The allowed range of values for this parameter is 0-3 failures, and the default value is 0.

Dynamic WEP Key Message Retry Count

Set the number of times WPA or WPA2 key messages are retried.

Range: 1-5 retries.

Default: 1 retry.

Dynamic WEP Key Size

The default dynamic WEP key size is 128 bits. If desired, you can change this parameter to 40 bits.

Interval between WPA/WPA2 Key Messages

Interval, in milliseconds, between each WPA key exchange.

Range: 1000-5000 ms.

Default: 1000 ms.

Delay between EAP-Success and WPA2 Unicast Key Exchange

Interval, in milliseconds, between EAP-Success and unicast key exchanges.

Range: 0-2000 ms.

Default: 0 ms (no delay).

Delay between WPA/WPA2 Unicast Key and Group Key Exchange

Interval, in milliseconds, between the unicast and multicast key exchanges.

Range: 0-2000 ms.

Default: 0 ms (no delay).

Time interval after which the PMKSA will be deleted

The time interval, in hours, after which the Pairwise Master Key Security Association (PMKSA) cache entry is deleted.

Range: 1-2000 hours.

Default: 8 hours.

WPA/WPA2 Key Message Retry Count

Number of times WPA or WPA2 key messages are retried.

Range: 1-5 retries.

Default: 3 retries.

Multicast Key Rotation

Select this check box to enable multicast key rotation. This feature is disabled by default.

Unicast Key Rotation

Select this check box to enable unicast key rotation. This feature is disabled by default.

Reauthentication

Select the Reauthentication check box to force the client to do an 802.1X reauthentication after the expiration of the default timer for reauthentication. (The default value of the timer is 24 hours.) If the user fails to reauthenticate with valid credentials, the state of the user is cleared. If derivation rules are used to classify 802.1X-authenticated users, then the reauthentication timer per role overrides this setting.

This option is disabled by default.

Opportunistic Key Caching

By default, the 802.1X authentication profile enables a cached PMK, which is derived through a client and an associated AP. This key is used when the client roams to a new AP. This allows clients faster roaming without a full 802.1X authentication. Uncheck this option to disable this feature.

NOTE: Make sure that the wireless client (the 802.1X supplicant) supports this feature. If the client does not support this feature, the client will attempt to renegotiate the key whenever it roams to a new AP. As a result, the key cached on the managed device can be out of sync with the key of the client.

Validate PMKID

This parameter instructs the managed device to check the PMK ID sent by the client. When you enable this option, the client must send a PMK ID in the associate or reassociate frame to indicate that it supports OKC or PMK caching; otherwise, full 802.1X authentication takes place.

NOTE: This feature is optional, since most clients that support OKC and PMK caching do not send the PMK ID in their association request.

Use Session Key

Use the session key as the unicast WEP key. This option is disabled by default.

Use Static Key

Use a static key as the unicast / multicast WEP key. This option is disabled by default.

xSec MTU

Maximum size, in bytes, used for the xSec MTU.

Default: 1300 bytes.

Termination

Select this check box to allow 802.1X authentication to terminate on the managed device. This option is disabled by default.

Termination EAP-Type

If you enable termination, click either EAP-PEAP or EAP-TLS to select an EAP method.

Termination Inner EAP-Type

If you use EAP-PEAP as the EAP method, specify one of the following inner EAP types:

eap-gtc: Described in RFC 2284, this EAP method permits the transfer of unencrypted usernames and passwords from client to server. The main uses for EAP-GTC are one-time token cards such as SecureID and the use of LDAP or RADIUS as the user authentication server. You can also enable caching of user credentials on the managed device as a backup to an external authentication server.

eap-mschapv2: Described in RFC 2759, this EAP method is widely supported by Microsoft clients.

Enforce Suite-B 128 bit or more security level Authentication

Configure Suite-B 128 bit or more security level authentication enforcement.

Enforce Suite-B 192 bit security level Authentication

Configure Suite-B 192 bit security level authentication enforcement.

Token Caching

If you select EAP-GTC as the inner EAP method, you can select the Token Caching check box to enable the managed device to cache the username and password of each authenticated user. The managed device continues to reauthenticate users with the remote authentication server. However, if the authentication server is unavailable, the managed device will inspect its cached credentials to reauthenticate users.

This option is disabled by default.

Token Caching Period

If you select EAP-GTC as the inner EAP method, you can specify the timeout period, in hours, for the cached information. The default value is 24 hours.

CA-Certificate

Click the CA-Certificate drop-down list and select a certificate for client authentication. The CA certificate needs to be loaded on the managed device before it will appear in this list.

Server-Certificate

Click the Server-Certificate drop-down list and select a server certificate the managed device will use to authenticate itself to the client.

NOTE: By default, the default-self-signed certificate is used as the server certificate. For more details on the default-self-signed certificate, see Managing Certificates.

TLS Guest Access

Select TLS Guest Access to enable guest access for EAP-TLS users with valid certificates. This option is disabled by default.

TLS Guest Role

Click the TLS Guest Role drop-down list and select the default user role for EAP-TLS guest users. This option may require a license.

Ignore EAPOL-START after authentication

Select Ignore EAPOL-START after authentication to ignore EAPOL-START messages after authentication. This option is disabled by default.

Handle EAPOL-Logoff

Select Handle EAPOL-Logoff to enable handling of EAPOL-LOGOFF messages. This option is disabled by default.

Ignore EAP ID during negotiation

Select Ignore EAP ID during negotiation to ignore EAP IDs during negotiation. This option is disabled by default.

WPA-Fast-Handover

Select this option to enable WPA-fast-handover on phones that support this feature. WPA-fast-handover is disabled by default.

Check certificate common name against AAA server

If you use client certificates for user authentication, enable this option to verify that the common name of the certificate exists in the server. This parameter is enabled by default in the default-cap and default-rap VPN profiles, and disabled by default on all other VPN profiles.

The following CLI command configures settings for an 802.1X authentication profile. Individual parameters are described in the previous table.

(host) [mynode](config)# aaa authentication dot1x {<profile>|countermeasures}
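Before deploying a profile, it is worth checking the chosen values against the limits in Table 1 and flagging the settings the table itself describes as weak. The following Python check is an added example, not part of the Aruba documentation or product: the dictionary keys are the WebUI parameter names from Table 1, and the sample profile values and certificate names are constructed placeholders.

```python
"""Check an 802.1X authentication profile against the limits in Table 1 (added example,
not Aruba code). A profile is a dict keyed by the WebUI parameter names; unknown keys
are ignored. Findings are (severity, message) tuples: "error", "warn" or "info"."""

# (minimum, maximum, default) for each numeric parameter, as listed in Table 1.
NUMERIC_LIMITS = {
    "Max Authentication Failures": (0, 5, 0),
    "Machine Authentication Cache Timeout": (1, 1000, 24),
    "Interval between Identity Requests": (1, 65535, 5),
    "Quiet Period after Failed Authentication": (1, 65535, 30),
    "Reauthentication Interval": (60, 864000, 86400),
    "Multicast Key Rotation Time Interval": (60, 864000, 1800),
    "Unicast Key Rotation Time Interval": (60, 864000, 900),
    "Authentication Server Retry Interval": (2, 65535, 5),
    "Authentication Server Retry Count": (0, 5, 3),
    "Framed MTU": (500, 1500, 1100),
    "Max number of requests sent during an Auth attempt": (1, 10, 5),
    "Maximum Number of Reauthentication Attempts": (0, 5, 3),
    "Maximum number of times Held State can be bypassed": (0, 3, 0),
    "Dynamic WEP Key Message Retry Count": (1, 5, 1),
    "Interval between WPA/WPA2 Key Messages": (1000, 5000, 1000),
    "Delay between EAP-Success and WPA2 Unicast Key Exchange": (0, 2000, 0),
    "Delay between WPA/WPA2 Unicast Key and Group Key Exchange": (0, 2000, 0),
    "Time interval after which the PMKSA will be deleted": (1, 2000, 8),
    "WPA/WPA2 Key Message Retry Count": (1, 5, 3),
}

def check_ranges(profile):
    """Flag every numeric parameter that is not an integer inside its Table 1 range."""
    findings = []
    for name, (low, high, _default) in NUMERIC_LIMITS.items():
        if name not in profile:
            continue
        value = profile[name]
        is_int = isinstance(value, int) and not isinstance(value, bool)
        if not is_int or not low <= value <= high:
            findings.append(("error", f"{name}: {value!r} is outside {low}-{high}"))
    return findings

def check_weak_settings(profile):
    """Flag settings Table 1 describes as weak, plus termination without a real server cert."""
    findings = []
    if profile.get("Max Authentication Failures", 0) == 0:
        findings.append(("warn", "Max Authentication Failures is 0: repeated bad "
                                 "credentials never blacklist the client"))
    # WEP-related options are legacy; a 40-bit dynamic WEP key is the weakest choice.
    if profile.get("Dynamic WEP Key Size", 128) == 40:
        findings.append(("warn", "Dynamic WEP Key Size is 40 bits"))
    for wep_option in ("Use Session Key", "Use Static Key"):
        if profile.get(wep_option, False):
            findings.append(("warn", f"{wep_option} selects a WEP unicast/multicast key"))
    if profile.get("Termination", False):
        # With termination, supplicants validate the managed device's own server
        # certificate; they have no trust anchor for the default-self-signed one.
        if profile.get("Server-Certificate", "default-self-signed") == "default-self-signed":
            findings.append(("warn", "Termination uses the default-self-signed server "
                                     "certificate; select a CA-issued Server-Certificate"))
        if (profile.get("Termination EAP-Type") == "EAP-PEAP"
                and profile.get("Termination Inner EAP-Type") == "eap-gtc"):
            findings.append(("warn", "Inner eap-gtc sends the username and password "
                                     "unencrypted inside the PEAP tunnel"))
        if profile.get("Token Caching", False):
            findings.append(("info", "Token Caching keeps user credentials on the managed "
                                     f"device for {profile.get('Token Caching Period', 24)} hours"))
    return findings

def check_profile(profile):
    """Run all checks and return the combined list of (severity, message) findings."""
    return check_ranges(profile) + check_weak_settings(profile)

# Constructed sample profiles; the certificate names are placeholders, not real objects.
WEAK_PROFILE = {
    "Max Authentication Failures": 0,
    "Reauthentication Interval": 30,  # below the 60 second minimum in Table 1
    "Dynamic WEP Key Size": 40,
    "Use Static Key": True,
    "Termination": True,
    "Termination EAP-Type": "EAP-PEAP",
    "Termination Inner EAP-Type": "eap-gtc",
    "Token Caching": True,
}

HARDENED_PROFILE = {
    "Max Authentication Failures": 3,
    "Reauthentication Interval": 86400,
    "Termination": True,
    "Termination EAP-Type": "EAP-PEAP",
    "Termination Inner EAP-Type": "eap-mschapv2",
    "CA-Certificate": "corp-root-ca",          # placeholder
    "Server-Certificate": "corp-radius-cert",  # placeholder
}

if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(f"== {label} profile ==")
        for severity, message in check_profile(profile) or [("ok", "no findings")]:
            print(f"[{severity}] {message}")
```

The weak sample yields one range error and six weak-setting findings, while the hardened sample yields none; extend NUMERIC_LIMITS if your release of the WebUI exposes different ranges.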

Configuring EAP-TLS Fragmentation

The following CLI command configures EAP-TLS fragmentation in an 802.1X authentication profile:

(host) [mynode](config)# aaa authentication dot1x eap-frag-mtu <ipmtu>