The following procedures are described in this section:
- Configuring Security Settings for an Employee or Voice Network

For information on guest network configuration, see Captive Portal for Guest Access.

If you are creating a new SSID profile, configure the WLAN and VLAN settings before defining security settings. For more information, see Configuring WLAN Settings for an SSID Profile and Configuring VLAN Settings for a WLAN SSID Profile.
You can configure security settings for an employee or voice network by using the Instant UI or CLI.
To configure security settings for an employee or voice network:
1. In the Security tab, specify one of the following security levels by moving the slider to the desired level:
   - Enterprise: on selecting the Enterprise security level, the authentication options applicable to an enterprise network are displayed.
   - Personal: on selecting the Personal security level, the authentication options applicable to a personal network are displayed.
   - Open: on selecting the Open security level, the authentication options applicable to an open network are displayed.

   The default security setting for a network profile is Personal.

   The following figures show the configuration options for the Enterprise, Personal, and Open security settings:
   Figure 1 Security Tab: Enterprise
   Figure 2 Security Tab: Personal
   Figure 3 Security Tab: Open
2. Based on the security level specified, set the following parameters:

| Parameter | Description | Security Level Type |
|---|---|---|
| Key management | For the Enterprise security level, select an option from the Key management drop-down list. For the Personal security level, select an encryption key from the Key management drop-down list. | Applicable to the Enterprise and Personal security levels only. For the Open security level, no encryption settings are required. |
| Termination | To terminate the EAP portion of 802.1X authentication on the IAP instead of on the RADIUS server, set Termination to Enabled. Enabling Termination can reduce network traffic to the external RADIUS server by terminating the authorization protocol on the IAP. By default, for 802.1X authorization, the client conducts an EAP exchange with the RADIUS server, and the IAP acts as a relay for this exchange. When Termination is enabled, the IAP itself acts as an authentication server and terminates the outer layers of the EAP protocol, relaying only the innermost layer to the external RADIUS server. This also reduces the number of packets exchanged between the IAP and the authentication server. Instant supports the configuration of primary and backup authentication servers in an EAP-termination-enabled SSID. If you are using LDAP for authentication, ensure that AP termination is configured to support EAP. | Enterprise security level |
| Authentication server 1 and Authentication server 2 | Select the server to use from the Authentication server 1 drop-down list. For information on configuring external servers, see Configuring an External Server for Authentication. If an external server is selected, you can also configure another authentication server. | Enterprise, Personal, and Open security levels |
| Load balancing | Set this to Enabled if you are using two RADIUS authentication servers, so that the load across the two RADIUS servers is balanced. For more information on the dynamic load balancing mechanism, see Dynamic Load Balancing between Two Authentication Servers. | Enterprise, Personal, and Open security levels |
| Reauth interval | Specify a value for Reauth interval. When set to a value greater than zero, APs periodically reauthenticate all associated and authenticated clients. | Enterprise, Personal, and Open security levels |
| Blacklisting | To blacklist clients after a specific number of authentication failures, select Enabled from the Blacklisting drop-down list and specify a value for Max authentication failures. Users who fail to authenticate the number of times specified in the Max authentication failures field are dynamically blacklisted. | Enterprise, Personal, and Open security levels |
| Accounting | To enable accounting, select Enabled from the Accounting drop-down list. When this option is set to Enabled, APs post accounting information to the RADIUS server at the specified accounting interval. | Enterprise, Personal, and Open security levels |
| Authentication survivability | To enable authentication survivability, set Authentication survivability to Enabled. Specify a value in hours for Cache timeout (global) to set the duration after which the authenticated credentials in the cache expire. When the cache expires, clients are required to authenticate again. You can specify a value in the range of 1 to 99 hours; the default value is 24 hours. The authentication survivability feature requires ClearPass Policy Manager 6.0.2 or later, and is available only when the New server option is selected for authentication. When this parameter is set to Enabled, Instant authenticates previously connected clients using EAP-PEAP authentication even when connectivity to ClearPass Policy Manager is temporarily lost. The authentication survivability feature is not applicable when a RADIUS server is configured as an internal server. | Enterprise security level |
| MAC authentication | To enable MAC address based authentication for the Personal and Open security levels, set MAC authentication to Enabled. For the Enterprise security level, additional MAC authentication options are available. | Enterprise, Personal, and Open security levels |
| Delimiter character | Specify a character (for example, a colon or a dash) as a delimiter for the MAC address string. When configured, the IAP uses the delimiter in the MAC authentication request. For example, if you specify the colon as a delimiter, MAC addresses in the xx:xx:xx:xx:xx:xx format are used. If no delimiter is specified, the MAC address in the xxxxxxxxxxxx format is used. This option is available only when MAC authentication is enabled. | Enterprise, Personal, and Open security levels |
| Uppercase support | Set to Enabled to allow the IAP to use uppercase letters in the MAC address string for MAC authentication. This option is available only if MAC authentication is enabled. | Enterprise, Personal, and Open security levels |
| Upload Certificate | Click Upload Certificate and browse to upload a certificate file for the internal server. For more information on certificates, see Uploading Certificates. | Enterprise, Personal, and Open security levels |
| Fast roaming | You can configure fast roaming options (OKC, 802.11r, 802.11k, and 802.11v) for the WLAN SSID. | Enterprise, Personal, and Open security levels. OKC roaming can be configured only for the Enterprise security level. |

4. Click Next to configure access rules. For more information, see Configuring Access Rules for a WLAN SSID Profile.
To configure enterprise security settings for the employee and voice users of a WLAN SSID profile:
```
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# opmode {wpa2-aes|wpa-tkip,wpa2-aes|wpa-psk-tkip,wpa2-psk-aes|dynamic-wep}
(Instant AP)(SSID Profile <name>)# leap-use-session-key
(Instant AP)(SSID Profile <name>)# termination
(Instant AP)(SSID Profile <name>)# auth-server <server-name>
(Instant AP)(SSID Profile <name>)# external-server
(Instant AP)(SSID Profile <name>)# server-load-balancing
(Instant AP)(SSID Profile <name>)# blacklist
(Instant AP)(SSID Profile <name>)# mac-authentication
(Instant AP)(SSID Profile <name>)# l2-auth-failthrough
(Instant AP)(SSID Profile <name>)# auth-survivability
(Instant AP)(SSID Profile <name>)# radius-accounting
(Instant AP)(SSID Profile <name>)# radius-accounting-mode {user-association|user-authentication}
(Instant AP)(SSID Profile <name>)# radius-interim-accounting-interval <minutes>
(Instant AP)(SSID Profile <name>)# radius-reauth-interval <minutes>
(Instant AP)(SSID Profile <name>)# max-authentication-failures <number>
(Instant AP)(SSID Profile <name>)# no okc-disable
(Instant AP)(SSID Profile <name>)# dot11r
(Instant AP)(SSID Profile <name>)# dot11k
(Instant AP)(SSID Profile <name>)# dot11v
(Instant AP)(SSID Profile <name>)# exit
(Instant AP)(config)# auth-survivability cache-time-out
(Instant AP)(config)# end
(Instant AP)# commit apply
```
To configure personal security settings for the employee and voice users of a WLAN SSID profile:
```
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# opmode {wpa2-psk-aes|wpa-tkip|wpa-psk-tkip|wpa-psk-tkip,wpa2-psk-aes|static-wep}
(Instant AP)(SSID Profile <name>)# mac-authentication
(Instant AP)(SSID Profile <name>)# auth-server <server-name>
(Instant AP)(SSID Profile <name>)# external-server
(Instant AP)(SSID Profile <name>)# server-load-balancing
(Instant AP)(SSID Profile <name>)# blacklist
(Instant AP)(SSID Profile <name>)# max-authentication-failures <number>
(Instant AP)(SSID Profile <name>)# radius-accounting
(Instant AP)(SSID Profile <name>)# radius-accounting-mode {user-association|user-authentication}
(Instant AP)(SSID Profile <name>)# radius-interim-accounting-interval <minutes>
(Instant AP)(SSID Profile <name>)# radius-reauth-interval <minutes>
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
```
To configure open security settings for employee and voice users of a WLAN SSID profile:
```
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# opmode opensystem
(Instant AP)(SSID Profile <name>)# mac-authentication
(Instant AP)(SSID Profile <name>)# auth-server <server-name>
(Instant AP)(SSID Profile <name>)# external-server
(Instant AP)(SSID Profile <name>)# server-load-balancing
(Instant AP)(SSID Profile <name>)# blacklist
(Instant AP)(SSID Profile <name>)# max-authentication-failures <number>
(Instant AP)(SSID Profile <name>)# radius-accounting
(Instant AP)(SSID Profile <name>)# radius-accounting-mode {user-association|user-authentication}
(Instant AP)(SSID Profile <name>)# radius-interim-accounting-interval <minutes>
(Instant AP)(SSID Profile <name>)# radius-reauth-interval <minutes>
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
```
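As an added example (not part of this guide and not an Aruba tool), the following Python audit parses SSID-profile commands written in the form of the CLI sequences above and flags settings a defender would not want on an employee or voice network: legacy or absent encryption in opmode, blacklisting enabled without a max-authentication-failures threshold, and a reauth interval of zero. The sample configuration and the three rules are constructed for this example; the input is assumed to mirror the commands shown above rather than an actual device configuration dump.

```python
import re

# opmode tokens from this page that a defender should flag: TKIP/WEP are deprecated, opensystem is unencrypted.
WEAK_OPMODE_TOKENS = ("tkip", "wep", "opensystem")

# Constructed sample in the shape of this page's CLI commands (not a real device dump).
SAMPLE_CONFIG = """\
wlan ssid-profile corp-voice
 opmode wpa2-aes
 blacklist
 max-authentication-failures 3
 radius-reauth-interval 60
 exit
wlan ssid-profile legacy-psk
 opmode wpa-psk-tkip,wpa2-psk-aes
 blacklist
 radius-reauth-interval 0
 exit
"""

def parse_profiles(config_text):
    """Group 'wlan ssid-profile <name>' blocks into {name: {keyword: args}}."""
    profiles, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        match = re.match(r"wlan ssid-profile (\S+)$", line)
        if match:
            current = match.group(1)
            profiles[current] = {}
        elif line == "exit":
            current = None
        elif current is not None and line:
            keyword, _, args = line.partition(" ")
            profiles[current][keyword] = args
    return profiles

def audit_profile(cmds):
    """Return the findings for one profile's {keyword: args} mapping."""
    findings = []
    opmode = cmds.get("opmode", "")
    if not opmode or any(tok in opmode for tok in WEAK_OPMODE_TOKENS):
        findings.append(f"legacy or no encryption: opmode {opmode or 'unset'}")
    if "blacklist" in cmds and "max-authentication-failures" not in cmds:
        findings.append("blacklist enabled without max-authentication-failures")
    if int(cmds.get("radius-reauth-interval") or 0) <= 0:
        findings.append("radius-reauth-interval is 0: clients are never reauthenticated")
    return findings

def audit(config_text):
    # Map every profile in the config text to its list of findings.
    return {n: audit_profile(c) for n, c in parse_profiles(config_text).items()}
```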