Configuring Security Settings for a WLAN SSID Profile

This section describes the procedure for configuring security settings for an Employee or Voice network. For information on guest network configuration, see Captive Portal for Guest Access.

If you are creating a new SSID profile, configure the WLAN and VLAN settings before defining security settings. For more information, see In the Old WebUI and In the Old WebUI.

Configuring Security Settings for an Employee or Voice Network

You can configure security settings for an Employee or Voice network by using the Instant UI or the CLI.

In the Old WebUI

To configure security settings for an Employee or Voice network:

1. In the Networks tab, select the network you want to edit and click Edit.

2. Select the Security tab.

3. Specify any of the following types of security levels by moving the slider to a desired level:

Enterprise—On selecting the enterprise security level, the authentication options applicable to the enterprise network are displayed.

Personal—On selecting the personal security level, the authentication options applicable to the personalized network are displayed.

Open—On selecting the open security level, the authentication options applicable to an open network are displayed.

The default security setting for a network profile is Personal.

4. Based on the security level selected, specify the following parameters.

Table 1: Configuration Parameters for WLAN Security Settings in an Employee or Voice Network

Parameter Description Security Level

Key Management

For the Enterprise security level, select any of the following options from the Key management drop-down list:

WPA-2 Enterprise

WPA Enterprise (TKIP Encryption only)

WPA Enterprise (AES Encryption only)

Both (WPA-2 & WPA)

Dynamic WEP with 802.1X—If you do not want to use a session key from the RADIUS server to derive pairwise unicast keys, click the Use Session Key for LEAP check box. This is required for old printers that use dynamic WEP through LEAP authentication. The Use Session Key for LEAP feature is disabled by default.

For the Personal security level, select any of the following encryption keys from the Key management drop-down list.

WPA-2 Personal

WPA-Personal (Both TKIP and AES Encryption)

WPA-Personal (TKIP Encryption only)

WPA-Personal (AES Encryption only)

Both (WPA-2 & WPA)

Static WEP

If WPA-2, WPA encryption, or Both (WPA-2 & WPA) is selected, configure the passphrase:

1. Select a passphrase format from the Passphrase format drop-down list. The options available are 8–63 alphanumeric characters and 64 hexadecimal characters.

2. Enter a passphrase in the Passphrase text box. To reconfirm, update the passphrase in the Retype text box.

NOTE: The Passphrase may contain any special character except for ".

For Static WEP, specify the following parameters:

1. Select an appropriate value for WEP key size from the WEP key size drop-down list. You can specify 64-bit or 128-bit.

2. Select an appropriate value for Tx key from the Tx Key drop-down list. You can specify 1, 2, 3, or 4.

3. Enter an appropriate WEP key and reconfirm.

Applicable to Enterprise and Personal security levels only.

For the Open security level, no encryption settings are required.
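The two passphrase formats above (8–63 characters, or 64 hexadecimal characters) feed the PMK that WPA/WPA2-Personal clients and the Instant AP must both compute, and OKC later caches. The following validator and derivation are an added example, not Aruba's code: it applies the page's passphrase rules (including the no-double-quote note) and derives the PMK with the standard WPA PBKDF2 construction; treating the 64-hex form as the PMK itself is standard WPA behaviour that the page does not spell out.

```python
import hashlib
import re

# 64 hexadecimal characters: the page's second passphrase format. In WPA/WPA2
# this form is the 256-bit PMK itself rather than an input to key derivation
# (standard WPA behaviour, assumed here; the page does not say so explicitly).
HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")


def classify_passphrase(passphrase: str) -> str:
    """Return "hex" or "ascii" for a passphrase that meets the page's rules.

    Rules taken from the page: either 64 hexadecimal characters, or 8-63
    characters that may include any special character except the double
    quote. Anything else raises ValueError with the reason.
    """
    if HEX64.match(passphrase):
        return "hex"
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8-63 characters (or 64 hex digits)")
    if '"' in passphrase:
        raise ValueError('passphrase may not contain the " character')
    # Printable ASCII only (0x20-0x7E): control bytes or non-ASCII characters
    # are not handled consistently across client supplicants.
    if any(not 0x20 <= ord(c) <= 0x7E for c in passphrase):
        raise ValueError("passphrase must consist of printable ASCII characters")
    return "ascii"


def is_valid_passphrase(passphrase: str) -> bool:
    """Boolean wrapper around classify_passphrase for quick checks."""
    try:
        classify_passphrase(passphrase)
    except ValueError:
        return False
    return True


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the 32-byte PMK that the AP and a client both compute.

    For an ASCII passphrase, WPA/WPA2-Personal uses PBKDF2-HMAC-SHA1 with the
    SSID as salt, 4096 iterations and a 256-bit output; a 64-hex passphrase
    is used as the PMK directly.
    """
    if classify_passphrase(passphrase) == "hex":
        return bytes.fromhex(passphrase)
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


def pmk_changes_with_ssid(passphrase: str, old_ssid: str, new_ssid: str) -> bool:
    """True when renaming the SSID yields a different PMK for the same passphrase.

    This is why a cached PMK (see Opportunistic Key Caching on this page) is
    only reusable within the same SSID. A 64-hex passphrase is the PMK itself,
    so for that form the result is always False.
    """
    return derive_pmk(passphrase, old_ssid) != derive_pmk(passphrase, new_ssid)


if __name__ == "__main__":
    # "password" / "IEEE" is the published IEEE 802.11 PSK test vector.
    pmk = derive_pmk("password", "IEEE")
    print("PMK:", pmk.hex())
    print("same PMK from the 64-hex form:", derive_pmk(pmk.hex(), "IEEE") == pmk)
    # Constructed sample candidates exercising each rule on the page.
    for candidate in ("short", 'has"quote', "CorrectHorse-Battery!"):
        try:
            print(candidate, "->", classify_passphrase(candidate))
        except ValueError as err:
            print(candidate, "-> rejected:", err)
```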

EAP Offload

To terminate the EAP portion of 802.1X authentication on the Instant AP instead of the RADIUS server, set EAP Offload to Enabled. Enabling EAP Offload can reduce network traffic to the external RADIUS server by terminating the authorization protocol on the Instant AP. By default, for 802.1X authorization, the client conducts an EAP exchange with the RADIUS server, and the Instant AP acts as a relay for this exchange.

When EAP Offload is enabled, the Instant AP by itself acts as an authentication server and terminates the outer layers of the EAP protocol, only relaying the innermost layer to the external RADIUS server. It can also reduce the number of exchange packets between the Instant AP and the authentication server.

NOTE: Instant supports the configuration of primary and backup authentication servers in an EAP termination-enabled SSID.

NOTE: If you are using LDAP for authentication, ensure that Instant AP termination is configured to support EAP.

Enterprise security level

Authentication server 1 and Authentication server 2

Select any of the following options from the Authentication server 1 drop-down list:

Select an authentication server from the list if an external server is already configured. To modify the server parameters, click Edit.

Select New to add a new server.

For information on configuring external servers, see In the Old WebUI.

To use an internal server, select Internal server and add the clients that are required to authenticate with the internal RADIUS server. Click the Users link to add the users. For information on adding a user, see Managing Instant AP Users.

If an external server is selected, you can also configure another authentication server.

Enterprise, Personal, and Open security levels.

Load balancing

Set this to Enabled if you are using two RADIUS authentication servers, so that the load across the two RADIUS servers is balanced. For more information on the dynamic load balancing mechanism, see Dynamic Load Balancing between Two Authentication Servers.

Enterprise, Personal, and Open security levels.

Reauth interval

Specify a value for Reauth interval. When set to a value greater than zero, Instant APs periodically reauthenticate all associated and authenticated clients.

The following list provides descriptions for three reauthentication interval configuration scenarios:

When Reauth interval is configured on an SSID performing L2 authentication (MAC or 802.1X authentication)—When reauthentication fails, the clients are disconnected. If the SSID is performing only MAC authentication and has a pre-authentication role assigned to the client, the client will get a post-authentication role only after a successful reauthentication. If reauthentication fails, the client retains the pre-authentication role.

When Reauth interval is configured on an SSID performing both L2 and L3 authentication (MAC with captive portal authentication)—When reauthentication succeeds, the client retains the role that is already assigned. If reauthentication fails, a pre-authentication role is assigned to the client.

When Reauth interval is configured on an SSID performing only L3 authentication (captive portal authentication)—When reauthentication succeeds, a pre-authentication role is assigned to the client that is in a post-authentication role. Due to this, the clients are required to go through the captive portal to regain access.

Enterprise, Personal, and Open security levels.

Blacklisting

To enable blacklisting of the clients with a specific number of authentication failures, select Enabled from the Blacklisting drop-down list and specify a value for Max auth failures. The users who fail to authenticate the number of times specified in Max authentication failures are dynamically blacklisted.

Enterprise, Personal, and Open security levels.

Accounting

Select any of the following options:

To enable accounting, select Use authentication servers from the Accounting drop-down list. On enabling the accounting function, Instant APs post accounting information to the RADIUS server at the specified Accounting interval.

To use a separate server for accounting, select Use separate servers. The accounting server is distinguished from the authentication server specified for the SSID profile.

To disable the accounting function, select Disabled.

Enterprise, Personal, and Open security levels.

Authentication survivability

To enable authentication survivability, set Authentication survivability to Enabled. Specify a value in hours for Cache timeout (global) to set the duration after which the authenticated credentials in the cache must expire. When the cache expires, the clients are required to authenticate again. You can specify a value within a range of 1–99 hours and the default value is 24 hours.

NOTE: The authentication survivability feature requires ClearPass Policy Manager 6.0.2 or later, and is available only when the New server option is selected. On setting this parameter to Enabled, Instant authenticates the previously connected clients using EAP-PEAP authentication even when connectivity to ClearPass Policy Manager is temporarily lost. The Authentication survivability feature is not applicable when a RADIUS server is configured as an internal server.

Enterprise security level

MAC authentication

To enable MAC-address-based authentication for Personal and Open security levels, set MAC authentication to Enabled.

For the Enterprise security level, the following options are available:

Perform MAC authentication before 802.1X—Select this check box to use 802.1X authentication only when the MAC authentication is successful.

MAC authentication fail-thru—On selecting this check box, the 802.1X authentication is attempted when the MAC authentication fails.

NOTE: If the Enterprise security level is chosen, the server used for MAC authentication will be the same as the server defined for 802.1X authentication. You will not be able to use the Instant AP's internal database for MAC authentication and an external RADIUS server for 802.1X authentication on the same SSID.

Enterprise, Personal, and Open security levels.

Delimiter character

Specify a character (for example, colon or dash) as a delimiter for the MAC address string. When configured, the Instant AP will use the delimiter in the MAC authentication request. For example, if you specify colon as the delimiter, MAC addresses in the xx:xx:xx:xx:xx:xx format are used. If the delimiter is not specified, the MAC address in the xxxxxxxxxxxx format is used.

NOTE: This option is available only when MAC authentication is enabled.

Enterprise, Personal, and Open security levels.

Uppercase support

Set to Enabled to allow the Instant AP to use uppercase letters in the MAC address string for MAC authentication.

NOTE: This option is available only if MAC authentication is enabled.

Enterprise, Personal, and Open security levels.
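The Delimiter character and Uppercase support settings above decide the exact string the Instant AP presents for MAC authentication, and a RADIUS user entry stored in a different notation will not match it even though the device is authorised. The following helper is an added example, not Aruba's code: it models the two settings on the page's xx:xx:xx:xx:xx:xx example (the exact AP behaviour beyond that is assumed) and flags server entries whose notation would fail an exact-match lookup.

```python
import re

HEX_DIGITS = set("0123456789abcdefABCDEF")


def normalize_mac(mac: str) -> str:
    """Reduce common notations (00:1a:2b:3c:4d:5e, 00-1A-2B-3C-4D-5E,
    001a.2b3c.4d5e, 001a2b3c4d5e) to 12 lowercase hex digits, or raise ValueError."""
    digits = re.sub(r"[:\-.\s]", "", mac)
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()


def mac_auth_identity(mac: str, delimiter: str = "", uppercase: bool = False) -> str:
    """Build the MAC address string sent in the MAC authentication request.

    delimiter: the Delimiter character setting ("" means not specified, giving
               the xxxxxxxxxxxx form); a single non-hex character otherwise.
    uppercase: the Uppercase support setting.
    Assumed behaviour, modelled on the page's xx:xx:xx:xx:xx:xx example.
    """
    if delimiter and (len(delimiter) != 1 or delimiter in HEX_DIGITS):
        raise ValueError("delimiter must be a single non-hexadecimal character")
    digits = normalize_mac(mac)
    if uppercase:
        digits = digits.upper()
    if not delimiter:
        return digits
    return delimiter.join(digits[i:i + 2] for i in range(0, 12, 2))


def find_format_mismatches(server_entries, delimiter="", uppercase=False):
    """Return the RADIUS user entries that would not match what the AP sends.

    An entry is reported when it is not parseable as a MAC address at all, or
    when its literal text differs from the AP's format for the same address
    (wrong delimiter or letter case). Such devices fail MAC authentication
    and, with Blacklisting enabled, can end up dynamically blacklisted.
    """
    mismatched = []
    for entry in server_entries:
        try:
            canonical = normalize_mac(entry)
        except ValueError:
            mismatched.append(entry)
            continue
        if entry != mac_auth_identity(canonical, delimiter, uppercase):
            mismatched.append(entry)
    return mismatched


if __name__ == "__main__":
    # Constructed sample: the SSID is configured with delimiter ":" and
    # Uppercase support enabled, so only the first entry matches exactly.
    entries = ["00:1A:2B:3C:4D:5E", "001a2b3c4d5f", "00-1a-2b-3c-4d-60", "printer01"]
    print("AP sends:", mac_auth_identity("001a.2b3c.4d5e", ":", True))
    print("entries needing correction:", find_format_mismatches(entries, ":", True))
```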

Upload certificate

Click the Upload certificate link and browse to upload a certificate file for the internal server. For more information on certificates, see Uploading Certificates.

Enterprise, Personal, and Open security levels

Fast Roaming

You can configure the following fast roaming options for the WLAN SSID:

Opportunistic Key Caching: You can enable Opportunistic Key Caching (OKC) when WPA-2 Enterprise and Both (WPA2 & WPA) encryption types are selected. If OKC is enabled, a cached PMK is used when the client roams to a new Instant AP. This allows faster roaming of clients without the need for a complete 802.1X authentication.

802.11r: Selecting this check box enables fast BSS transition. The Fast BSS Transition mechanism minimizes the delay when a client transitions from one BSS to another within the same cluster. This option is available only when WPA-2 Enterprise and WPA-2 Personal encryption keys are selected.

802.11k: Selecting this check box enables 802.11k roaming on the SSID profile. The 802.11k protocol enables Instant APs and clients to dynamically measure the available radio resources. When 802.11k is enabled, Instant APs and clients send neighbor reports, beacon reports, and link measurement reports to each other.

802.11v: Selecting this check box enables the 802.11v-based BSS transition. The 802.11v standard defines mechanisms for wireless network management enhancements and BSS transition management. It allows client devices to exchange information about the network topology and RF environment. The BSS transition management mechanism enables an Instant AP to request a voice client to transition to a specific Instant AP, or suggest a set of preferred Instant APs to a voice client, due to network load balancing or BSS termination. It also helps the voice client identify the best Instant AP to transition to as it roams.

Enterprise, Personal, and Open security levels.

4. Click Next to configure access rules. For more information, see In the Old WebUI.

In the New WebUI

To configure security settings for an Employee or Voice network:

1. Navigate to the Configuration > Networks page.

2. Under Networks select the network you want to configure and click Edit.

3. Select the Security tab. In the Security Level drop-down list box, select one of the following levels:

Enterprise—On selecting the enterprise security level, the authentication options applicable to the enterprise network are displayed.

Personal—On selecting the personal security level, the authentication options applicable to the personalized network are displayed.

Open—On selecting the open security level, the authentication options applicable to an open network are displayed.

The default security setting for a network profile is Personal.

4. Based on the security level selected, specify the following parameters.

Table 2: Configuration Parameters for WLAN Security Settings in an Employee or Voice Network

Parameter Description Security Level

Key Management

For the Enterprise security level, select any of the following options from the Key management drop-down list:

WPA-2 Enterprise

WPA Enterprise

Both (WPA-2 & WPA)

Dynamic WEP with 802.1X—If you do not want to use a session key from the RADIUS server to derive pairwise unicast keys, set Session Key for LEAP to Enabled. This is required for old printers that use dynamic WEP through LEAP authentication. The Session Key for LEAP feature is set to Disabled by default.

Applicable to Enterprise and Personal security levels only.

For the Open security level, no encryption settings are required.

For the Personal security level, select any of the following encryption keys from the Key management drop-down list.

WPA-2 Personal

WPA-Personal (Both TKIP and AES Encryption)

WPA-Personal (TKIP Encryption only)

WPA-Personal (AES Encryption only)

Both (WPA-2 & WPA)

Static WEP

If WPA-2, WPA, or Both (WPA-2 & WPA) encryption is selected, configure the passphrase:

1. Select a passphrase format from the Passphrase format drop-down list. The options available are 8–63 alphanumeric characters and 64 hexadecimal characters.

2. Enter a passphrase in the Passphrase text box. To reconfirm, update the passphrase in the Retype text box.

NOTE: The Passphrase may contain any special character except for ".

For Static WEP, specify the following parameters:

1. Select an appropriate value for WEP key size from the WEP key size drop-down list. You can specify 64-bit or 128-bit.

2. Select an appropriate value for Tx key from the Tx Key drop-down list. You can specify 1, 2, 3, or 4.

3. Enter an appropriate WEP key and reconfirm.
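What the two passphrase formats mean in cryptographic terms, as an added Python example that is not part of the Instant documentation: an 8–63 character passphrase is stretched into the 256-bit PMK with PBKDF2-HMAC-SHA1 using the SSID as salt (IEEE 802.11i), while the 64-hexadecimal-character form is that PMK entered directly. The validation rules follow the page (length limits, no double quote); the printable-ASCII restriction comes from the standard, not from this page.

```python
import hashlib
import string

PMK_BYTES = 32            # the WPA/WPA2 pairwise master key is 256 bits
PBKDF2_ITERATIONS = 4096  # fixed by IEEE 802.11i for passphrase-to-PSK mapping


def validate_passphrase(value: str, fmt: str):
    """Check a WPA passphrase against the two formats the SSID profile offers.

    fmt is "alphanumeric" (8-63 characters) or "hex" (64 hexadecimal characters).
    Returns None when the value is acceptable, otherwise a short reason string.
    """
    if fmt == "hex":
        # 64 hex digits is exactly one 256-bit PMK typed in directly.
        if len(value) != 64:
            return "hex passphrase must be exactly 64 characters"
        if any(c not in string.hexdigits for c in value):
            return "hex passphrase may contain only 0-9, a-f, A-F"
        return None
    if fmt == "alphanumeric":
        if not 8 <= len(value) <= 63:
            return "passphrase must be 8-63 characters long"
        # The UI label says alphanumeric, but the page's note allows any
        # special character except the double quote.
        if '"' in value:
            return 'passphrase may not contain the " character'
        # 802.11i limits passphrases to printable ASCII (0x20-0x7E);
        # this is the standard's rule, not one stated on the page.
        if any(not 0x20 <= ord(c) <= 0x7E for c in value):
            return "passphrase must consist of printable ASCII characters"
        return None
    raise ValueError(f"unknown passphrase format: {fmt!r}")


def derive_pmk(value: str, fmt: str, ssid: str) -> bytes:
    """Return the 256-bit PMK the AP and client will share on this SSID.

    An 8-63 character passphrase is stretched with PBKDF2-HMAC-SHA1, 4096
    rounds, SSID as salt (IEEE 802.11i); a 64-hex value is the PMK itself.
    """
    problem = validate_passphrase(value, fmt)
    if problem:
        raise ValueError(problem)
    if fmt == "hex":
        return bytes.fromhex(value)
    return hashlib.pbkdf2_hmac(
        "sha1", value.encode("ascii"), ssid.encode("utf-8"),
        PBKDF2_ITERATIONS, PMK_BYTES)


def derive_pmk_hex(value: str, fmt: str, ssid: str) -> str:
    """Same as derive_pmk, rendered as the 64-character hex form the UI accepts."""
    return derive_pmk(value, fmt, ssid).hex()


if __name__ == "__main__":
    # IEEE 802.11 Annex test vector: passphrase "password" on SSID "IEEE".
    print(derive_pmk_hex("password", "alphanumeric", "IEEE"))
```

Because the SSID is the salt, the same passphrase on two differently named networks yields two different PMKs, so a PMK entered in hex form is tied to one SSID name.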

EAP Offload

To terminate the EAP portion of 802.1X authentication on the Instant AP instead of the RADIUS server, click the EAP Offload toggle switch. Enabling termination can reduce network traffic to the external RADIUS server by terminating the authorization protocol on the Instant AP. By default, for 802.1X authorization, the client conducts an EAP exchange with the RADIUS server, and the Instant AP acts as a relay for this exchange.

When EAP Offload is enabled, the Instant AP itself acts as an authentication server and terminates the outer layers of the EAP protocol, relaying only the innermost layer to the external RADIUS server. It can also reduce the number of packets exchanged between the Instant AP and the authentication server.

NOTE: Instant supports the configuration of primary and backup authentication servers in an EAP termination-enabled SSID.

NOTE: If you are using LDAP for authentication, ensure that Instant AP termination is configured to support EAP.

Enterprise security level

Authentication server 1 and Authentication server 2

Select any of the following options from the Authentication server 1 drop-down list:

Select an authentication server from the list if an external server is already configured. To modify the server parameters, click the edit icon.

Select + to add a new server.

For information on configuring external servers, see In the Old WebUI.

To use an internal server, select InternalServer and add the clients that are required to authenticate with the internal RADIUS server.

If an external server is selected, you can also configure another authentication server.

Enterprise, Personal, and Open security levels.

Load balancing

Click the toggle switch if you are using two RADIUS authentication servers, so that the load across the two RADIUS servers is balanced. For more information on the dynamic load balancing mechanism, see Dynamic Load Balancing between Two Authentication Servers.

Enterprise, Personal, and Open security levels.

Reauth interval

Specify a value for Reauth interval. When set to a value greater than zero, Instant APs periodically reauthenticate all associated and authenticated clients.

The following list provides descriptions for three reauthentication interval configuration scenarios:

When Reauth interval is configured on an SSID performing L2 authentication (MAC or 802.1X authentication)—When reauthentication fails, the clients are disconnected. If the SSID is performing only MAC authentication and has a pre-authentication role assigned to the client, the client gets a post-authentication role only after a successful reauthentication. If reauthentication fails, the client retains the pre-authentication role.

When Reauth interval is configured on an SSID performing both L2 and L3 authentication (MAC with captive portal authentication)—When reauthentication succeeds, the client retains the role that is already assigned. If reauthentication fails, a pre-authentication role is assigned to the client.

When Reauth interval is configured on an SSID performing only L3 authentication (captive portal authentication)—When reauthentication succeeds, a pre-authentication role is assigned to the client that is in a post-authentication role. As a result, the clients are required to go through the captive portal again to regain access.

Enterprise, Personal, and Open security levels.

Blacklisting

To enable blacklisting of clients after a specific number of authentication failures, click the Blacklisting toggle switch and specify a value for Max authentication failures. Users who fail to authenticate the number of times specified in Max authentication failures are dynamically blacklisted.

Enterprise, Personal, and Open security levels.

Accounting

Select any of the following options:

To enable accounting, select Use authentication servers from the Accounting drop-down list. On enabling the accounting function, Instant APs post accounting information to the RADIUS server at the specified Accounting interval.

To use a separate server for accounting, select Use separate servers. The accounting server is distinguished from the authentication server specified for the SSID profile.

To disable the accounting function, select Disabled.

Enterprise, Personal, and Open security levels.

Authentication survivability

To enable authentication survivability, click the Authentication survivability toggle switch. Specify a value in hours for Cache timeout (global) to set the duration after which the authenticated credentials in the cache must expire. When the cache expires, the clients are required to authenticate again. You can specify a value within a range of 1–99 hours and the default value is 24 hours.

NOTE: The authentication survivability feature requires ClearPass Policy Manager 6.0.2 or later, and is available only when the New server option is selected. On setting this parameter to Enabled, Instant authenticates the previously connected clients using EAP-PEAP authentication even when connectivity to ClearPass Policy Manager is temporarily lost. The Authentication survivability feature is not applicable when a RADIUS server is configured as an internal server.

Enterprise security level

MAC authentication

To enable MAC-address-based authentication for the Personal and Open security levels, enable the MAC authentication toggle switch.

For the Enterprise security level, the following options are available:

Perform MAC authentication before 802.1X—Select this check box to use 802.1X authentication only when the MAC authentication is successful.

MAC authentication fail-thru—On selecting this check box, 802.1X authentication is attempted when the MAC authentication fails.

NOTE: If the Enterprise security level is chosen, the server used for MAC authentication is the same as the server defined for 802.1X authentication. You cannot use the Instant AP's internal database for MAC authentication and an external RADIUS server for 802.1X authentication on the same SSID.

Enterprise, Personal, and Open security levels.

Delimiter character

Specify a character (for example, colon or dash) as a delimiter for the MAC address string. When configured, the Instant AP will use the delimiter in the MAC authentication request. For example, if you specify colon as the delimiter, MAC addresses in the xx:xx:xx:xx:xx:xx format are used. If the delimiter is not specified, the MAC address in the xxxxxxxxxxxx format is used.

NOTE: This option is available only when MAC authentication is enabled.

Enterprise, Personal, and Open security levels.

Uppercase support

Click the toggle switch to allow the Instant AP to use uppercase letters in the MAC address string for MAC authentication.

NOTE: This parameter is available only when MAC authentication is enabled.

Enterprise, Personal, and Open security levels.
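The Delimiter character and Uppercase support settings above decide the exact string the Instant AP sends as the MAC authentication user name, and a RADIUS or directory entry stored in a different form fails silently. The following added Python example (not part of the Instant documentation) renders a MAC the way those two settings would and audits a list of stored entries against them; it goes slightly beyond the page by also accepting dash- and dot-separated input notations.

```python
import re


def normalize_mac(mac: str) -> str:
    """Reduce any common MAC notation to 12 lowercase hex digits.

    Accepts aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff and aabbccddeeff.
    Raises ValueError for anything that is not exactly 48 bits of hex.
    """
    digits = re.sub(r"[:\-.]", "", mac.strip())
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()


def format_mac_for_auth(mac: str, delimiter: str = "", uppercase: bool = False) -> str:
    """Render a MAC as the Instant AP would send it in the MAC authentication request.

    delimiter: the profile's Delimiter character ("" when none is configured,
               which yields the xxxxxxxxxxxx form described on the page).
    uppercase: the profile's Uppercase support setting.
    """
    digits = normalize_mac(mac)
    if delimiter:
        if len(delimiter) != 1:
            raise ValueError("delimiter must be a single character")
        # xx:xx:xx:xx:xx:xx style: one delimiter between each octet pair
        digits = delimiter.join(digits[i:i + 2] for i in range(0, 12, 2))
    return digits.upper() if uppercase else digits


def audit_stored_entries(entries, delimiter: str = "", uppercase: bool = False):
    """Return the stored user-name entries the AP would never send verbatim.

    A MAC stored as AA:BB:... on the server while the AP sends aabb... shows
    up only as repeated authentication failures, which then count towards
    Max authentication failures and blacklisting; this finds such mismatches
    (and malformed entries) ahead of time.
    """
    mismatched = []
    for entry in entries:
        try:
            expected = format_mac_for_auth(entry, delimiter, uppercase)
        except ValueError:
            mismatched.append(entry)   # not parseable as a MAC at all
            continue
        if entry != expected:
            mismatched.append(entry)
    return mismatched


if __name__ == "__main__":
    # Constructed sample entries, as they might sit in a RADIUS user database.
    stored = ["aa:bb:cc:dd:ee:01", "AABBCCDDEE02", "not-a-mac"]
    # Profile configured with colon delimiter and Uppercase support disabled.
    print(audit_stored_entries(stored, delimiter=":", uppercase=False))
```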

Upload Certificate

Click Upload Certificate and browse to upload a certificate file for the internal server. For more information on certificates, see Uploading Certificates.

Enterprise, Personal, and Open security levels

Fast Roaming

You can configure the following fast roaming options for the WLAN SSID:

Opportunistic Key Caching: You can enable Opportunistic Key Caching (OKC) when the WPA-2 Enterprise or Both (WPA2 & WPA) encryption type is selected. If OKC is enabled, a cached PMK is used when the client roams to a new Instant AP. This allows faster roaming of clients without the need for a complete 802.1X authentication.

802.11r: Selecting this check box enables Fast BSS Transition. The Fast BSS Transition mechanism minimizes the delay when a client transitions from one BSS to another within the same cluster. This option is available only when the WPA-2 Enterprise or WPA-2 Personal encryption key is selected.

802.11k: Selecting this check box enables 802.11k roaming on the SSID profile. The 802.11k protocol enables Instant APs and clients to dynamically measure the available radio resources. When 802.11k is enabled, Instant APs and clients send neighbor reports, beacon reports, and link measurement reports to each other.

802.11v: Selecting this check box enables 802.11v-based BSS transition. The 802.11v standard defines mechanisms for wireless network management enhancements and BSS transition management. It allows client devices to exchange information about the network topology and RF environment. The BSS transition management mechanism enables an Instant AP to request a voice client to transition to a specific Instant AP, or suggest a set of preferred Instant APs to a voice client, due to network load balancing or BSS termination. It also helps the voice client identify the best Instant AP to transition to as it roams.

Enterprise, Personal, and Open security levels.

4. Click Next to configure access rules. For more information, see In the Old WebUI.

In the CLI

To configure enterprise security settings for the Employee and Voice users:

(Instant AP)(config)# wlan ssid-profile <name>

(Instant AP)(SSID Profile <name>)# opmode {wpa2-aes|wpa-tkip,wpa2-aes|dynamic-wep}

(Instant AP)(SSID Profile <name>)# leap-use-session-key

(Instant AP)(SSID Profile <name>)# termination

(Instant AP)(SSID Profile <name>)# auth-server <server-name>

(Instant AP)(SSID Profile <name>)# external-server

(Instant AP)(SSID Profile <name>)# server-load-balancing

(Instant AP)(SSID Profile <name>)# blacklist

(Instant AP)(SSID Profile <name>)# mac-authentication

(Instant AP)(SSID Profile <name>)# l2-auth-failthrough

(Instant AP)(SSID Profile <name>)# auth-survivability

(Instant AP)(SSID Profile <name>)# radius-accounting

(Instant AP)(SSID Profile <name>)# radius-accounting-mode {user-association|user-authentication}

(Instant AP)(SSID Profile <name>)# radius-interim-accounting-interval <minutes>

(Instant AP)(SSID Profile <name>)# radius-reauth-interval <minutes>

(Instant AP)(SSID Profile <name>)# max-authentication-failures <number>

(Instant AP)(SSID Profile <name>)# okc

(Instant AP)(SSID Profile <name>)# dot11r

(Instant AP)(SSID Profile <name>)# dot11k

(Instant AP)(SSID Profile <name>)# dot11v

(Instant AP)(SSID Profile <name>)# exit

(Instant AP)(config)# auth-survivability cache-time-out <hours>

To configure personal security settings for Employee and Voice users, use the following commands. Select wpa2-psk-aes (or mpsk-aes with ClearPass Policy Manager, described below) for new deployments; the TKIP and static-wep opmodes are retained only for legacy clients:

(Instant AP)(config)# wlan ssid-profile <name>

(Instant AP)(SSID Profile <name>)# opmode {wpa2-psk-aes|wpa-tkip|wpa-psk-tkip|wpa-psk-tkip,wpa2-psk-aes|static-wep|mpsk-aes}

(Instant AP)(SSID Profile <name>)# mac-authentication

(Instant AP)(SSID Profile <name>)# auth-server <server-name>

(Instant AP)(SSID Profile <name>)# external-server

(Instant AP)(SSID Profile <name>)# server-load-balancing

(Instant AP)(SSID Profile <name>)# blacklist

(Instant AP)(SSID Profile <name>)# max-authentication-failures <number>

(Instant AP)(SSID Profile <name>)# radius-accounting

(Instant AP)(SSID Profile <name>)# radius-accounting-mode {user-association|user-authentication}

(Instant AP)(SSID Profile <name>)# radius-interim-accounting-interval <minutes>

(Instant AP)(SSID Profile <name>)# radius-reauth-interval <minutes>

To configure open security settings for Employee and Voice users of a WLAN SSID profile, use the following commands. An opensystem SSID carries traffic unencrypted, and MAC authentication only gates association (MAC addresses are trivially spoofed), so it is not a substitute for the Enterprise or Personal levels:

(Instant AP)(config)# wlan ssid-profile <name>

(Instant AP)(SSID Profile <name>)# opmode opensystem

(Instant AP)(SSID Profile <name>)# mac-authentication

(Instant AP)(SSID Profile <name>)# auth-server <server-name>

(Instant AP)(SSID Profile <name>)# external-server

(Instant AP)(SSID Profile <name>)# server-load-balancing

(Instant AP)(SSID Profile <name>)# blacklist

(Instant AP)(SSID Profile <name>)# max-authentication-failures <number>

(Instant AP)(SSID Profile <name>)# radius-accounting

(Instant AP)(SSID Profile <name>)# radius-accounting-mode {user-association|user-authentication}

(Instant AP)(SSID Profile <name>)# radius-interim-accounting-interval <minutes>

(Instant AP)(SSID Profile <name>)# radius-reauth-interval <minutes>

Configuring Multiple PSK For WLAN SSID Profiles

WPA2-PSK deployments generally consist of a single passphrase configured as part of the WLAN SSID profile. This single passphrase applies to every client that associates with the SSID. Starting from Aruba Instant 8.4.0.0, multiple PSKs, in conjunction with ClearPass Policy Manager, are supported for PSK-based deployments (WPA2-AES only, as noted below). Every client connected to the WLAN SSID then has its own device-specific or group-specific PSK.

MPSK enhances the WPA2-PSK mode by allowing device-specific or group-specific passphrases, which are generated at ClearPass Policy Manager and sent to the Instant AP.

An MPSK passphrase requires MAC authentication against a ClearPass Policy Manager server. MPSK works only with wpa2-psk-aes encryption and not with any other PSK-based encryption. The Aruba-MPSK-Passphrase RADIUS VSA carries the key material: the ClearPass Policy Manager server populates this VSA with the encrypted passphrase for the device.

A user registers the device on a ClearPass Policy Manager guest-registration or device-registration webpage and receives a device-specific or group-specific passphrase. The device associates with the SSID using wpa2-psk-aes encryption and the MPSK passphrase. The Instant AP performs MAC authentication of the client against the ClearPass Policy Manager server. On successful MAC authentication, ClearPass Policy Manager returns Access-Accept with the VSA containing the encrypted passphrase. The Instant AP generates a PSK from the passphrase and performs the 4-way key exchange. If the device uses the correct per-device or per-group passphrase, the handshake and therefore authentication succeed. If the ClearPass Policy Manager server returns Access-Reject, or the client uses an incorrect passphrase, authentication fails. MAC authentication here only selects which passphrase the AP checks against; a spoofed MAC address gains nothing without the matching passphrase, because the 4-way handshake fails.
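The exchange above, simulated end to end as an added example (this is not Aruba Instant or ClearPass code): the AP looks up the client's MAC in a constructed stand-in for the ClearPass device registry, derives the WPA2 PMK from the returned passphrase with PBKDF2, derives the PTK, and accepts the client only if the MIC on 4-way handshake message 2 verifies. The SSID, MAC addresses, passphrases and the simplified EAPOL-Key frame layout are constructed for the example; the PMK, PTK and MIC computations follow IEEE 802.11 for WPA2-PSK (AKM 00-0F-AC:2).

```python
"""Simulated AP-side MPSK check: passphrase from MAC authentication, WPA2 PMK
and PTK derivation, and verification of the 4-way handshake message 2 MIC.
Added example for this page; not Aruba Instant or ClearPass code. The device
registry, MAC addresses, SSID and EAPOL framing are constructed.
"""
import hashlib
import hmac
import os

SSID = "Corp-MPSK"  # constructed

# Constructed stand-in for the ClearPass registry. A real server returns the
# passphrase in the Aruba-MPSK-Passphrase VSA on Access-Accept; two devices
# sharing one value model a group-specific passphrase.
CPPM_DEVICES = {
    "aa:bb:cc:dd:ee:01": "printer-floor3-Xk9!",
    "aa:bb:cc:dd:ee:02": "iot-sensors-7Qz#group",
    "aa:bb:cc:dd:ee:03": "iot-sensors-7Qz#group",
}


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_auth(mac: str):
    """Model of MAC authentication: passphrase on Access-Accept, None on Access-Reject."""
    return CPPM_DEVICES.get(mac.lower())


def passphrase_to_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """IEEE 802.11 PRF-384 for the WPA2 (AKM 00-0F-AC:2) pairwise transient key."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(3):  # three 160-bit SHA-1 outputs cover 384 bits
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:48]  # KCK = PTK[0:16], KEK = PTK[16:32], TK = PTK[32:48]


def key_mic(kck: bytes, eapol: bytes) -> bytes:
    """WPA2 Key MIC: HMAC-SHA1 over the frame with the MIC field zeroed, truncated to 16 bytes."""
    return hmac.new(kck, eapol, hashlib.sha1).digest()[:16]


def supplicant_msg2(passphrase: str, ap_mac: str, sta_mac: str, anonce: bytes) -> bytes:
    """Client side: derive the PTK from its own passphrase and send SNonce + MIC.
    Constructed frame layout: 2-byte header | 32-byte SNonce | 16-byte MIC."""
    snonce = os.urandom(32)
    pmk = passphrase_to_pmk(passphrase, SSID)
    kck = derive_ptk(pmk, mac_bytes(ap_mac), mac_bytes(sta_mac), anonce, snonce)[:16]
    body = b"\x02\x03" + snonce
    return body + key_mic(kck, body + bytes(16))


def ap_verify_msg2(ap_mac: str, sta_mac: str, anonce: bytes, msg2: bytes) -> str:
    """AP side: MAC-authenticate, derive the PMK from the returned passphrase and
    check the MIC. The AP never sees the passphrase the client typed; a wrong
    passphrase is visible only as a MIC mismatch."""
    passphrase = mac_auth(sta_mac)
    if passphrase is None:
        return "reject: Access-Reject, device not registered"
    snonce, received_mic = msg2[2:34], msg2[34:50]
    pmk = passphrase_to_pmk(passphrase, SSID)
    kck = derive_ptk(pmk, mac_bytes(ap_mac), mac_bytes(sta_mac), anonce, snonce)[:16]
    if hmac.compare_digest(key_mic(kck, msg2[:34] + bytes(16)), received_mic):
        return "accept"
    return "reject: MIC mismatch, wrong passphrase"


def run_scenarios() -> dict:
    ap = "00:11:22:33:44:55"  # constructed BSSID
    anonce = os.urandom(32)
    cases = {
        "device_correct":   ("aa:bb:cc:dd:ee:01", "printer-floor3-Xk9!"),
        "group_member":     ("aa:bb:cc:dd:ee:03", "iot-sensors-7Qz#group"),
        "wrong_passphrase": ("aa:bb:cc:dd:ee:02", "printer-floor3-Xk9!"),  # another device's key
        "unregistered":     ("aa:bb:cc:dd:ee:99", "iot-sensors-7Qz#group"),
    }
    return {name: ap_verify_msg2(ap, sta, anonce, supplicant_msg2(pp, ap, sta, anonce))
            for name, (sta, pp) in cases.items()}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:18} {result}")
```

Running the block prints one outcome per scenario. The wrong-passphrase case fails only at the MIC check, which is the practical content of the page's remark that the AP "generates a PSK from the passphrase and performs 4-way key exchange": passphrases are never compared directly, and a spoofed MAC address still has to produce a valid MIC.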

 

When multiple PSK is enabled on the WLAN SSID profile, make sure that MAC authentication is not configured for RADIUS authentication. Multiple PSK and MAC authentication are mutually exclusive: MPSK follows its own procedure, which does not require enabling MAC authentication in the WLAN SSID profile manually. Also, ensure that the RADIUS server configured for the WLAN SSID profile is not the internal server.

Currently, the multiple PSK feature can be enabled on the Instant AP only through the Instant CLI. The following configuration enables the multiple PSK feature on the WLAN SSID profile:

(Instant AP)(config)# wlan ssid-profile <profile_name>

(Instant AP)(SSID Profile <profile_name>)# opmode mpsk-aes

Execute the following command to verify the status of the MPSK configuration on the WLAN SSID profile:

(Instant AP)# show network <ssid profile name>

Points to Remember

The following are mutually exclusive with MPSK on the WLAN SSID profile and must not be configured manually when mpsk-aes is the opmode:

MPSK and MAC authentication

MPSK and Blacklisting

MPSK and internal RADIUS server

MPSK Cache

The Instant AP stores the MPSK passphrase in its local cache for client roaming. The cache is shared between all the Instant APs within a single cluster, and can also be shared with standalone Instant APs in a different cluster provided the APs belong to the same multicast VLAN. Each Instant AP first searches the local cache for the MPSK information. If the local cache has the corresponding MPSK passphrase, the Instant AP skips the MAC authentication procedure and provides access to the client. If the MPSK passphrase is not found in the local cache, the Instant AP performs MAC authentication against the ClearPass Policy Manager server as described above and caches the passphrase it receives.

The cached MPSK passphrase can be used only if the client connects to the same WLAN SSID. The entire MPSK local cache is erased in the following scenarios:

The cached MPSK passphrase does not work.

The client is manually disconnected.

The client is disconnected through a RADIUS CoA (Change of Authorization).

 

The MPSK passphrase in the local cache automatically expires if the client disconnects and does not connect again during the inactivity-timeout window.
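A small model of the cache behaviour described in this section, added as an example (it is not Aruba's implementation): entries are keyed by client MAC and SSID, a miss triggers the MAC authentication round trip, an entry expires after the inactivity timeout, and the whole cache is flushed on a failed cached key, a manual disconnect or a CoA disconnect. The timeout value, the device registry and the event sequence are constructed.

```python
"""Model of the Instant AP MPSK local cache: entries keyed by (client MAC, SSID),
RADIUS MAC authentication only on a miss, expiry after the inactivity timeout,
and a full flush on a failed cached key, a manual disconnect or a CoA disconnect.
Added example for this page, not Aruba's implementation; the timeout, device
registry and event sequence are constructed.
"""
from dataclasses import dataclass, field

CPPM_DEVICES = {"aa:bb:cc:dd:ee:01": "printer-floor3-Xk9!"}  # constructed registry
FLUSH_REASONS = {"cached-key-failed", "manual-disconnect", "coa-disconnect"}


@dataclass
class Entry:
    passphrase: str
    last_seen: float


@dataclass
class MpskCache:
    inactivity_timeout: float  # seconds; constructed value
    entries: dict = field(default_factory=dict)
    mac_auth_calls: int = 0

    def _radius_mac_auth(self, mac: str):
        """Stand-in for the MAC-auth round trip to ClearPass (None = Access-Reject)."""
        self.mac_auth_calls += 1
        return CPPM_DEVICES.get(mac)

    def lookup(self, mac: str, ssid: str, now: float):
        """Return (passphrase, source); source is 'cache', 'mac-auth' or 'access-reject'."""
        key = (mac, ssid)  # a cached passphrase is valid only for the same SSID
        entry = self.entries.get(key)
        if entry is not None:
            if now - entry.last_seen > self.inactivity_timeout:
                del self.entries[key]  # expired while the client was away
            else:
                entry.last_seen = now
                return entry.passphrase, "cache"
        passphrase = self._radius_mac_auth(mac)
        if passphrase is None:
            return None, "access-reject"
        self.entries[key] = Entry(passphrase, now)
        return passphrase, "mac-auth"

    def flush(self, reason: str) -> None:
        """The page states the entire local cache is erased, not just one client's entry."""
        if reason not in FLUSH_REASONS:
            raise ValueError(f"not a flush trigger: {reason}")
        self.entries.clear()


def run_scenario() -> list:
    cache = MpskCache(inactivity_timeout=300)
    mac, ssid = "aa:bb:cc:dd:ee:01", "Corp-MPSK"
    trace = []
    trace.append(("first-assoc", cache.lookup(mac, ssid, now=0)[1]))            # miss: RADIUS
    trace.append(("roam-same-ssid", cache.lookup(mac, ssid, now=60)[1]))        # hit: MAC auth skipped
    trace.append(("roam-other-ssid", cache.lookup(mac, "Corp-Guest", now=61)[1]))  # other SSID: miss
    cache.flush("coa-disconnect")
    trace.append(("after-coa", cache.lookup(mac, ssid, now=90)[1]))             # flushed: RADIUS again
    trace.append(("after-timeout", cache.lookup(mac, ssid, now=90 + 301)[1]))   # idle > timeout: miss
    trace.append(("unregistered", cache.lookup("aa:bb:cc:dd:ee:99", ssid, now=400)[1]))
    trace.append(("radius-round-trips", cache.mac_auth_calls))
    return trace


if __name__ == "__main__":
    for event, outcome in run_scenario():
        print(f"{event:20} {outcome}")
```

The trace shows where the RADIUS round trips actually happen: only the roam to the same SSID within the timeout is served from the cache, which is why a cache flush after CoA forces the client back through ClearPass before it regains access.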

To view the details of the MPSK local cache:

(Instant AP)# show ap mpskcache