
Configuring Security Settings for a WLAN SSID Profile

The following procedures are described in this section:

Configuring Security Settings for an Employee or Voice Network

For information on guest network configuration, see Captive Portal for Guest Access.

 

If you are creating a new SSID profile, configure the WLAN and VLAN settings before defining security settings. For more information, see Configuring WLAN Settings for an SSID Profile and Configuring VLAN Settings for a WLAN SSID Profile.

Configuring Security Settings for an Employee or Voice Network

You can configure security settings for an employee or voice network by using the Instant UI or CLI.

In the Instant UI

To configure security settings for an employee or voice network:

1. In the Security tab, select one of the following security levels by moving the slider to the desired level:
Enterprise: the authentication options applicable to an enterprise network are displayed.
Personal: the authentication options applicable to a personal network are displayed.
Open: the authentication options applicable to an open network are displayed.

The default security setting for a network profile is Personal.

The following figures show the configuration options for Enterprise, Personal, and Open security settings:

Figure 1  Security Tab: Enterprise

Figure 2  Security Tab: Personal

Figure 3  Security Tab: Open

2. Based on the selected security level, configure the following parameters:

Table 1: Configuration Parameters for WLAN Security Settings in an Employee or Voice Network

Each parameter below is listed with its description and, on the last line of its entry, the security levels to which it applies (the Parameter, Description, and Security Level Type columns of the table).

Key Management

For the Enterprise security level, select one of the following options from the Key management drop-down list:

• WPA-2 Enterprise
• Both (WPA-2 & WPA)
• WPA Enterprise
• Dynamic WEP with 802.1X: If you do not want to use a session key from the RADIUS server to derive pairwise unicast keys, set Session Key for LEAP to Enabled. This is required for old printers that use dynamic WEP through Lightweight Extensible Authentication Protocol (LEAP) authentication. The Session Key for LEAP feature is Disabled by default.

Of these, only WPA-2 Enterprise uses AES-CCMP throughout; Both and WPA Enterprise admit TKIP clients, and Dynamic WEP still relies on WEP keys. Select the weaker options only while legacy devices such as the printers described above still need them.

Security level: Enterprise and Personal only. For the Open security level, no encryption settings are required.

For the Personal security level, select a key management option from the Key management drop-down list:

• For WPA-2 Personal, WPA Personal, and Both (WPA-2 & WPA), specify the following parameters:
1. Passphrase format: Select a passphrase format from the Passphrase format drop-down list. The available options are 8-63 alphanumeric characters and 64 hexadecimal characters.
2. Enter a passphrase in the Passphrase text box and reconfirm it.
• For Static WEP, specify the following parameters:
1. Select an appropriate value for WEP key size from the WEP key size drop-down list. You can specify 64-bit or 128-bit.
2. Select an appropriate value for Tx key from the Tx Key drop-down list. You can specify 1, 2, 3, or 4.
3. Enter an appropriate WEP key and reconfirm it.

Static WEP provides no meaningful confidentiality on a current network; use WPA-2 Personal with a long passphrase unless a device supports nothing else.
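The two passphrase formats above are not interchangeable inputs. An 8-63 character passphrase is stretched into the 256-bit pairwise master key (PMK) with PBKDF2-HMAC-SHA1, salted with the SSID, whereas the 64 hexadecimal characters are that key entered directly. The following Python is an added example and not code from the Instant documentation; it classifies a value the way the Passphrase format drop-down does and derives the PMK, using the IEEE 802.11i test vector (passphrase "password", SSID "IEEE") as constructed sample input. The function names are this example's own.

```python
import hashlib
import re

_HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")


def passphrase_format(value: str) -> str:
    """Classify a Personal key the way the Passphrase format drop-down does.

    Returns "hex64" for 64 hexadecimal characters (a raw 256-bit PMK) or
    "ascii" for an 8-63 character passphrase. The drop-down calls the latter
    "alphanumeric"; IEEE 802.11i allows any printable ASCII (codes 32-126).
    Anything else is rejected, as the IAP would reject it.
    """
    if _HEX64.match(value):
        return "hex64"
    if 8 <= len(value) <= 63 and all(32 <= ord(c) <= 126 for c in value):
        return "ascii"
    raise ValueError("passphrase must be 8-63 printable ASCII characters or 64 hex digits")


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the 32-byte pairwise master key for a WPA/WPA2-Personal network.

    IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The SSID is the salt, so the same passphrase yields a different PMK on every
    SSID, and a 64-hex-digit value is used as the PMK directly (no stretching).
    """
    if passphrase_format(passphrase) == "hex64":
        return bytes.fromhex(passphrase)
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, dklen=32
    )


if __name__ == "__main__":
    # Constructed sample input: the IEEE 802.11i Annex test vector
    # (passphrase "password", SSID "IEEE").
    print(derive_pmk("password", "IEEE").hex())
```

Because the stretching is only 4096 SHA-1 iterations, an attacker who captures a four-way handshake can test guesses offline at high speed; the passphrase length, not the format, is what makes that attack expensive.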

Termination

To terminate the EAP portion of 802.1X authentication on the IAP instead of on the RADIUS server, set Termination to Enabled.

By default, for 802.1X authentication, the client conducts an EAP exchange with the RADIUS server and the IAP acts as a relay for this exchange. When Termination is enabled, the IAP itself acts as the authentication server: it terminates the outer (TLS) layer of the EAP method and relays only the innermost credential exchange to the external RADIUS server. This reduces the traffic to the external RADIUS server and the number of packets exchanged between the IAP and the authentication server. Note that the client then validates the server certificate presented by the IAP rather than the one presented by the RADIUS server, so that certificate must be one the clients are configured to trust.

NOTE: Instant supports the configuration of primary and backup authentication servers in an EAP termination enabled SSID.

NOTE: If you are using an LDAP server for authentication, enable Termination: the EAP exchange must be terminated on the IAP, because an LDAP server cannot complete an EAP method on its own.

Security level: Enterprise.

Authentication server 1 and Authentication server 2

Select one of the following options from the Authentication server 1 drop-down list:

• An authentication server from the list, if external servers are already configured.
• New, to configure one of the following as an external server:
  • RADIUS Server
  • LDAP Server
  • CPPM Server for AirGroup CoA

For information on configuring external servers, see Configuring an External Server for Authentication.

• Internal server, to use the internal RADIUS server of the IAP; then click the Users link to add the users who must authenticate against it. For information on adding a user, see Managing IAP Users.

If an external server is selected, you can also configure a second server in Authentication server 2.

Security level: Enterprise, Personal, and Open.

Load balancing

Set this to Enabled if you are using two RADIUS authentication servers, so that the load across the two RADIUS servers is balanced. For more information on the dynamic load balancing mechanism, see Dynamic Load Balancing between Two Authentication Servers.

Security level: Enterprise, Personal, and Open.

Reauth interval

Specify a value for Reauth interval (in minutes). When set to a value greater than zero, APs periodically reauthenticate all associated and authenticated clients at that interval.

Security level: Enterprise, Personal, and Open.

Blacklisting

To blacklist clients after a specific number of authentication failures, select Enabled from the Blacklisting drop-down list and specify a value for Max authentication failures. A client that fails authentication that many times is dynamically blacklisted.

Security level: Enterprise, Personal, and Open.

Accounting

To enable accounting, select Enabled from the Accounting drop-down list. When this option is Enabled, APs send accounting information to the RADIUS server at the specified Accounting interval.

Security level: Enterprise, Personal, and Open.

Authentication survivability

To enable authentication survivability, set Authentication survivability to Enabled. Specify a value in hours for Cache timeout (global), the duration after which the cached authentication credentials expire; once the cache expires, clients must authenticate again. You can specify a value in the range 1 to 99 hours; the default is 24 hours.

NOTE: The authentication survivability feature requires ClearPass Policy Manager 6.0.2 or later and is available only when an external server configured through the New server option is selected as the authentication server. When this parameter is Enabled, Instant authenticates previously connected clients using EAP-PEAP even while connectivity to ClearPass Policy Manager is temporarily lost. Authentication survivability does not apply when the internal RADIUS server of the IAP is used.

Security level: Enterprise.

MAC authentication

To enable MAC-address-based authentication for the Personal and Open security levels, set MAC authentication to Enabled.

For the Enterprise security level, the following options are available:

• Perform MAC authentication before 802.1X: Select this checkbox to attempt 802.1X authentication only when MAC authentication succeeds.
• MAC authentication fail-thru: Select this checkbox to attempt 802.1X authentication when MAC authentication fails.

A MAC address is a value the client itself reports and can set, so MAC authentication identifies a device rather than a user; on Enterprise networks treat it as a filter in front of 802.1X, not as a replacement for it.

Security level: Enterprise, Personal, and Open.

Delimiter character

Specify a character (for example, a colon or a dash) as the delimiter for the MAC address string. When configured, the IAP uses the delimiter in the MAC authentication request. For example, if you specify the colon as the delimiter, MAC addresses in the xx:xx:xx:xx:xx:xx format are used. If no delimiter is specified, the MAC address is sent in the xxxxxxxxxxxx format.

This option is available only when MAC authentication is enabled.

Security level: Enterprise, Personal, and Open.

Uppercase support

Set to Enabled to allow the IAP to use uppercase letters in the MAC address string for MAC authentication.

This option is available only if MAC authentication is enabled.

Security level: Enterprise, Personal, and Open.
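Whether a MAC-authenticated client is accepted depends on the IAP and the authentication server agreeing on the exact string: the Delimiter character and Uppercase support settings change the MAC string the IAP sends, and a server-side entry stored in a different form fails silently and counts toward the blacklisting threshold. The following Python is an added example, not Instant code; normalize_mac, mac_auth_username and usernames_match are hypothetical helpers that accept a MAC address in any common notation and render it the way the two settings above would, so that a server entry can be checked against what the IAP will actually send. The device address and server entries are constructed sample input.

```python
import re
import string
from typing import Optional

# Accepted input notations: aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff,
# aabb.ccdd.eeff, and aabbccddeeff (case-insensitive).
_MAC_FORMS = (
    re.compile(r"^[0-9a-f]{2}(?:[:-][0-9a-f]{2}){5}$", re.I),
    re.compile(r"^[0-9a-f]{4}(?:\.[0-9a-f]{4}){2}$", re.I),
    re.compile(r"^[0-9a-f]{12}$", re.I),
)


def normalize_mac(mac: str) -> str:
    """Reduce a MAC address in any common notation to 12 lowercase hex digits.

    Raises ValueError for anything that is not a 48-bit address, so a typo in a
    server-side entry surfaces here instead of as a silent authentication failure.
    """
    candidate = mac.strip()
    if not any(form.match(candidate) for form in _MAC_FORMS):
        raise ValueError(f"not a MAC address: {mac!r}")
    return re.sub(r"[^0-9a-f]", "", candidate.lower())


def mac_auth_username(mac: str, delimiter: Optional[str] = None, uppercase: bool = False) -> str:
    """Render the MAC the way the IAP puts it in the MAC authentication request.

    delimiter=None gives the default xxxxxxxxxxxx form; a single character such
    as ":" or "-" gives the xx:xx:xx:xx:xx:xx form (Delimiter character setting).
    uppercase mirrors the Uppercase support setting.
    """
    digits = normalize_mac(mac)
    if delimiter is not None:
        if len(delimiter) != 1 or delimiter in string.hexdigits:
            raise ValueError("delimiter must be a single non-hex character")
        digits = delimiter.join(digits[i:i + 2] for i in range(0, 12, 2))
    return digits.upper() if uppercase else digits


def usernames_match(server_entry: str, mac: str,
                    delimiter: Optional[str] = None, uppercase: bool = False) -> bool:
    """Exact comparison of a stored server entry against what the IAP would send.

    Whether the server compares case-insensitively depends on its own
    configuration; an exact match is the conservative check.
    """
    return server_entry == mac_auth_username(mac, delimiter, uppercase)


if __name__ == "__main__":
    # Constructed sample: one device, rendered under three IAP settings.
    device = "AA:BB:CC:DD:EE:FF"
    print(mac_auth_username(device))                          # aabbccddeeff
    print(mac_auth_username(device, ":", True))               # AA:BB:CC:DD:EE:FF
    print(usernames_match("aa-bb-cc-dd-ee-ff", device, "-"))  # True
```

Run usernames_match over the server's MAC list whenever the delimiter or case setting is changed on the SSID; every False is a device that will start failing authentication and, with Blacklisting enabled, will be blacklisted after Max authentication failures attempts.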

Upload Certificate

Click Upload Certificate and browse to upload a certificate file for the internal server. For more information on certificates, see Uploading Certificates.

Security level: Enterprise, Personal, and Open.

Fast Roaming

You can configure the following fast roaming options for the WLAN SSID:

• Opportunistic Key Caching: When the WPA-2 Enterprise or Both (WPA-2 & WPA) key management option is selected with 802.1X authentication, Opportunistic Key Caching (OKC) is enabled by default. With OKC, a cached pairwise master key (PMK) is reused when the client roams to a new AP, so the client roams faster without repeating the full 802.1X authentication.
• 802.11r: Selecting this checkbox enables Fast BSS Transition, which minimizes the delay when a client transitions from one BSS to another within the same cluster.
• 802.11k: Selecting this checkbox enables 802.11k roaming on the SSID profile. The 802.11k protocol lets IAPs and clients dynamically measure the available radio resources; when it is enabled, IAPs and clients exchange neighbor reports, beacon reports, and link measurement reports.
• 802.11v: Selecting this checkbox enables 802.11v-based BSS transition. The 802.11v standard defines mechanisms for wireless network management enhancements and BSS transition management, allowing client devices to exchange information about the network topology and RF environment. The BSS transition management mechanism enables an AP to request that a voice client transition to a specific AP, or to suggest a set of preferred APs to a voice client, because of network load balancing or BSS termination. It also helps the voice client identify the best AP to transition to as it roams.

Security level: Enterprise, Personal, and Open.

NOTE: OKC roaming can be configured only for the Enterprise security level.

3. Click Next to configure access rules. For more information, see Configuring Access Rules for a WLAN SSID Profile.

In the CLI

To configure enterprise security settings for the employee and voice users of a WLAN SSID profile (in opmode, wpa2-aes corresponds to WPA-2 Enterprise, wpa-tkip,wpa2-aes to Both (WPA-2 & WPA), wpa-tkip to WPA Enterprise, and dynamic-wep to Dynamic WEP with 802.1X; the authentication survivability cache timeout is given in hours):

(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# opmode {wpa2-aes|wpa-tkip,wpa2-aes|wpa-tkip|dynamic-wep}
(Instant AP)(SSID Profile <name>)# leap-use-session-key
(Instant AP)(SSID Profile <name>)# termination
(Instant AP)(SSID Profile <name>)# auth-server <server-name>
(Instant AP)(SSID Profile <name>)# external-server
(Instant AP)(SSID Profile <name>)# server-load-balancing
(Instant AP)(SSID Profile <name>)# blacklist
(Instant AP)(SSID Profile <name>)# mac-authentication
(Instant AP)(SSID Profile <name>)# l2-auth-failthrough
(Instant AP)(SSID Profile <name>)# auth-survivability
(Instant AP)(SSID Profile <name>)# radius-accounting
(Instant AP)(SSID Profile <name>)# radius-accounting-mode {user-association|user-authentication}
(Instant AP)(SSID Profile <name>)# radius-interim-accounting-interval <minutes>
(Instant AP)(SSID Profile <name>)# radius-reauth-interval <minutes>
(Instant AP)(SSID Profile <name>)# max-authentication-failures <number>
(Instant AP)(SSID Profile <name>)# no okc-disable
(Instant AP)(SSID Profile <name>)# dot11r
(Instant AP)(SSID Profile <name>)# dot11k
(Instant AP)(SSID Profile <name>)# dot11v
(Instant AP)(SSID Profile <name>)# exit
(Instant AP)(config)# auth-survivability cache-time-out <hours>
(Instant AP)(config)# end
(Instant AP)# commit apply

To configure personal security settings for the employee and voice users of a WLAN SSID profile (in opmode, wpa2-psk-aes corresponds to WPA-2 Personal, wpa-psk-tkip to WPA Personal, wpa-psk-tkip,wpa2-psk-aes to Both (WPA-2 & WPA), and static-wep to Static WEP; the remaining commands configure MAC authentication and the RADIUS server used for it):

(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# opmode {wpa2-psk-aes|wpa-psk-tkip|wpa-psk-tkip,wpa2-psk-aes|static-wep}
(Instant AP)(SSID Profile <name>)# mac-authentication
(Instant AP)(SSID Profile <name>)# auth-server <server-name>
(Instant AP)(SSID Profile <name>)# external-server
(Instant AP)(SSID Profile <name>)# server-load-balancing
(Instant AP)(SSID Profile <name>)# blacklist
(Instant AP)(SSID Profile <name>)# max-authentication-failures <number>
(Instant AP)(SSID Profile <name>)# radius-accounting
(Instant AP)(SSID Profile <name>)# radius-accounting-mode {user-association|user-authentication}
(Instant AP)(SSID Profile <name>)# radius-interim-accounting-interval <minutes>
(Instant AP)(SSID Profile <name>)# radius-reauth-interval <minutes>
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply

To configure open security settings for employee and voice users of a WLAN SSID profile (with opmode opensystem there is no encryption; the remaining commands configure MAC authentication and the RADIUS server used for it):

(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# opmode opensystem
(Instant AP)(SSID Profile <name>)# mac-authentication
(Instant AP)(SSID Profile <name>)# auth-server <server-name>
(Instant AP)(SSID Profile <name>)# external-server
(Instant AP)(SSID Profile <name>)# server-load-balancing
(Instant AP)(SSID Profile <name>)# blacklist
(Instant AP)(SSID Profile <name>)# max-authentication-failures <number>
(Instant AP)(SSID Profile <name>)# radius-accounting
(Instant AP)(SSID Profile <name>)# radius-accounting-mode {user-association|user-authentication}
(Instant AP)(SSID Profile <name>)# radius-interim-accounting-interval <minutes>
(Instant AP)(SSID Profile <name>)# radius-reauth-interval <minutes>
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply