Configuring Enterprise Security for a WLAN SSID Profile

To configure an enterprise security profile, complete the following steps:

  1. To access the WLAN SSID configuration wizard for a new SSID profile or an existing SSID profile, see Configuring a WLAN SSID Profile in Bridge Mode.
  2. In the WLAN SSID configuration wizard, click the Security tab.
  3. In Security Level, select Enterprise.
  4. Configure the parameters described in Table 1.
  5. Click Advanced Settings and configure the parameters described in Table 2.
  6. Click Save Settings.


The following table describes the configuration parameters for Enterprise security profile.

Table 1: Enterprise Security Profile Configuration Parameters

Parameter

Description

Key Management

Select any of the following options from the Key Management drop-down list:

NOTE: When either WPA2-Enterprise or Both (WPA2-WPA) is selected as the encryption type and the 802.1X authentication method is configured, ensure that you turn on the Opportunistic key caching (OKC) toggle switch under Advanced Settings. When OKC is enabled, a cached Pairwise Master Key (PMK) is used when the client roams to a new AP. This allows faster roaming of clients without the need for a complete 802.1X authentication. OKC roaming can be configured only for the Enterprise security level.

Server Group

Select a server group. For more information on server groups, see Configuring Server Groups.

The first server in the list is always used by default. If it is unavailable, the next server in the list is used.

If no Server Group is selected, the default is Primary and backup only.

NOTE: When this option is selected, the primary and secondary authentication servers are not available for selection.

Primary Server

Specify a primary authentication server for client authentication.

To create a new server, see Configuring External Authentication Servers for a WLAN SSID Profile.

Secondary Server

Specify a secondary authentication server for client authentication.

To create a new server, see Configuring External Authentication Servers for a WLAN SSID Profile.

Load Balancing

Enable this option to load balance between the two authentication servers.

The following table describes the advanced WLAN security settings for Enterprise security profile.

Table 2: Advanced WLAN security Settings—Enterprise Security Profile

Parameter

Description

Use Session Key for LEAP

Select this option to use the session key for Lightweight Extensible Authentication Protocol (LEAP).

Perform MAC Authentication Before 802.1X

Allows you to use 802.1X authentication after the client completes the MAC authentication successfully. You can configure the following parameters:

Delimiter Character—Specify a character as a delimiter for the MAC address string. When configured, the AP uses the delimiter in the MAC authentication request. For example, if you specify the colon as a delimiter, MAC addresses in the xx:xx:xx:xx:xx:xx format are used. If the delimiter is not specified, the MAC address in the xxxxxxxxxxxx format is used. The supported characters are : (colon), / (slash), , (comma), - (dash), and % (percent).

Uppercase Support—Set to Enabled to allow the AP to use uppercase letters in the MAC address string for MAC authentication. This option is available only if MAC authentication is enabled.

MAC Authentication Fail-Through

When this option is selected, 802.1X authentication is attempted when the MAC authentication of an AP client fails.

Reauth Interval

Define a value for Reauth Interval. When set to a value greater than zero, APs periodically reauthenticate all associated and authenticated clients.

The following events occur when the reauthentication interval is configured on WLAN SSIDs:

On an SSID performing L2 authentication (MAC or 802.1X authentication)—When reauthentication fails, the clients are disconnected. If the SSID is performing only MAC authentication and has a preauthentication role assigned to the client, the client will get a post-authentication role only after a successful reauthentication. If reauthentication fails, the client retains the preauthentication role.

On an SSID performing L2 authentication (MAC with captive portal authentication)—When reauthentication succeeds, the client retains the role that is already assigned. If reauthentication fails, a preauthentication role is assigned to the client.

Denylisting

To enable denylisting of the clients with a specific number of authentication failures, select Denylisting and specify a value for Max Authentication Failures. The users who fail to authenticate the number of times specified in the Max Authentication Failures field are dynamically denylisted. By default, the Denylisting option is disabled.

Max Authentication Failures

Sets a value for the maximum allowed authentication failures. Enter a number between 1 and 10.
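As an added example that is not part of this documentation, the following Python models the reauthentication outcomes listed under Reauth Interval together with the Max Authentication Failures denylisting; the SSID mode names, role names and the failure threshold are constructed assumptions, not values from the product.

```python
from dataclasses import dataclass

MAX_AUTH_FAILURES = 3  # constructed value; the table allows 1-10


@dataclass
class Client:
    mac: str
    ssid_mode: str        # assumed labels: "mac_only", "mac_8021x", "mac_captive_portal"
    role: str             # current role, e.g. "preauth", "guest", "employee"
    failures: int = 0
    denylisted: bool = False
    connected: bool = True


def reauthenticate(client: Client, success: bool, post_auth_role: str = "authenticated") -> Client:
    """Apply one periodic reauthentication result to the client and return it."""
    if client.denylisted or not client.connected:
        return client
    if success:
        client.failures = 0
        # MAC-only SSID with a preauth role: post-auth role only after a successful reauth.
        if client.ssid_mode == "mac_only" and client.role == "preauth":
            client.role = post_auth_role
        # Captive-portal SSID: the client keeps the role it already has.
        return client
    client.failures += 1
    if client.failures >= MAX_AUTH_FAILURES:
        # Dynamic denylisting: the client is dropped and further attempts are refused.
        client.denylisted = True
        client.connected = False
        return client
    if client.ssid_mode in ("mac_only", "mac_8021x"):
        # L2 (MAC or 802.1X) reauth failure disconnects the client; a MAC-only
        # client that held the preauth role simply retains it.
        client.connected = False
    elif client.ssid_mode == "mac_captive_portal":
        # Captive-portal reauth failure demotes the client to the preauth role.
        client.role = "preauth"
    return client
```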

Enforce DHCP

To enforce DHCP and to block traffic for AP clients that do not obtain an IP address from DHCP, enable Enforce DHCP. When DHCP is enforced:

  • A layer-2 user entry is created when a client associates with an AP.
  • The client DHCP state and IP address are tracked.
  • When the client obtains an IP address from DHCP, the DHCP state changes to complete.
  • If the DHCP state is complete, a layer-3 user entry is created.
  • When a client roams between the APs, the DHCP state and the client IP address are synchronized with the new AP.
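The following Python is an added example, not the AP's own implementation: it models the layer-2 and layer-3 user-entry bookkeeping the bullets above describe, including the forwarding decision that blocks clients with a static or spoofed address. Class and method names are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class UserEntry:
    mac: str
    ap: str
    dhcp_state: str = "pending"   # "pending" until a DHCP lease is observed
    ip: Optional[str] = None

    @property
    def l3_ready(self) -> bool:
        return self.dhcp_state == "complete" and self.ip is not None


class EnforceDhcpTable:
    def __init__(self) -> None:
        self.l2: Dict[str, UserEntry] = {}   # layer-2 entries keyed by client MAC
        self.l3: Dict[str, UserEntry] = {}   # layer-3 entries keyed by client IP

    def associate(self, mac: str, ap: str) -> UserEntry:
        """Client associated with an AP: only the layer-2 entry exists so far."""
        entry = UserEntry(mac=mac, ap=ap)
        self.l2[mac] = entry
        return entry

    def dhcp_ack(self, mac: str, ip: str) -> UserEntry:
        """Client obtained a lease: DHCP state becomes complete, L3 entry is created."""
        entry = self.l2[mac]
        entry.dhcp_state, entry.ip = "complete", ip
        self.l3[ip] = entry
        return entry

    def roam(self, mac: str, new_ap: str) -> UserEntry:
        """Roam between APs: DHCP state and IP are synchronised to the new AP."""
        entry = self.l2[mac]
        entry.ap = new_ap
        return entry

    def allow_ip_traffic(self, mac: str, src_ip: str) -> bool:
        """Forward IP traffic only when the source address came from DHCP for this client."""
        entry = self.l2.get(mac)
        return bool(entry and entry.l3_ready and entry.ip == src_ip)
```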

Use IP for Calling Station ID

Enable this option to configure the client IP address as calling station ID.

Called Station ID Type

The Called Station ID Type detail can be configured even if the Use IP for Calling Station ID is set to disabled. Select any of the following options for configuring a called station ID:

Called Station ID Include SSID

Appends the SSID name to the called station ID.

Called Station ID Delimiter

Sets a delimiter at the end of the called station ID.

Delimiter Character

Specify a character (for example, colon or dash) as a delimiter for the MAC address string. When configured, the AP uses the delimiter in the MAC authentication request. For example, if you specify the colon as a delimiter, MAC addresses in the xx:xx:xx:xx:xx:xx format are used. If the delimiter is not specified, the MAC address in the xxxxxxxxxxxx format is used. The supported characters are : (colon), / (slash), , (comma), - (dash), and % (percent).

NOTE: This parameter is available only when you enable MAC authentication.

Uppercase Support

Set to Enabled to allow the AP to use uppercase letters in the MAC address string for MAC authentication. This option is available only if MAC authentication is enabled.
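As an added example (not the vendor's code), the Python below builds the MAC address string sent in MAC authentication requests according to the Delimiter Character and Uppercase Support options, and assembles the Called-Station-Id and Calling-Station-Id values described in this table. Where the SSID and delimiter are placed in the Called-Station-Id, and the dash-separated AP MAC used for it, are assumptions.

```python
import re

SUPPORTED_DELIMITERS = {":", "/", ",", "-", "%"}   # the characters the table lists


def format_mac(mac: str, delimiter: str = "", uppercase: bool = False) -> str:
    """Normalise any common MAC notation to the AP's request format."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    if delimiter and delimiter not in SUPPORTED_DELIMITERS:
        raise ValueError(f"unsupported delimiter: {delimiter!r}")
    hexdigits = hexdigits.upper() if uppercase else hexdigits.lower()
    octets = [hexdigits[i:i + 2] for i in range(0, 12, 2)]
    return delimiter.join(octets)   # empty delimiter gives the xxxxxxxxxxxx form


def called_station_id(ap_mac: str, ssid: str = "", include_ssid: bool = False,
                      delimiter: str = "", mac_delimiter: str = "-") -> str:
    """Called-Station-Id: AP MAC (assumed dash-separated, uppercase), optionally
    followed by the Called Station ID Delimiter and the SSID name."""
    value = format_mac(ap_mac, mac_delimiter, uppercase=True)
    if include_ssid:
        value += delimiter + ssid
    return value


def calling_station_id(client_mac: str, client_ip: str = "", use_ip: bool = False,
                       delimiter: str = "", uppercase: bool = False) -> str:
    """Calling-Station-Id: the client MAC, or the client IP when
    Use IP for Calling Station ID is enabled."""
    if use_ip:
        return client_ip
    return format_mac(client_mac, delimiter, uppercase)
```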

WPA3 Transition

Enable this option to allow WPA2 and WPA3 clients to be on the same SSID. The WPA3 Transition is available only when the WPA3-Enterprise(CCM 128) option is selected from the Key Management drop-down list for Enterprise security level.

Passpoint Service Profile

Select a Passpoint service profile from the drop-down list. To add a new Passpoint service profile, click Manage Passpoint Services.

For more information, see Configuring a Passpoint Service Profile in a WLAN Network.

NOTE: The Passpoint Service Profile parameter is not available if you select CloudAuth from the Primary Server drop-down list.

Accounting


Accounting

Enable or disable RADIUS accounting. Select one of the following options from the drop-down list:

Disabled—To disable the accounting option.

Use separate servers—To select specific accounting servers and define the accounting interval in minutes.

Accounting Interval

Specify a number to set the minutes used for interim accounting. You can specify a value within the range of 1-60 minutes.

NOTE: Setting the value to 0 disables interim accounting.

Fast Roaming


Opportunistic Key Caching (OKC)

Turn on the Opportunistic key caching (OKC) toggle switch to reduce the time needed for authentication. When OKC is enabled, multiple APs can share Pairwise Master Keys (PMKs) and use these keys when clients roam to a neighboring AP.

802.11r

Select 802.11r to enable 802.11r roaming. Selecting this option enables fast BSS transition. The fast BSS transition mechanism minimizes the delay when a client transitions from one BSS to another within the same cluster.

MDID

A mobility domain identifier (MDID). Enter a value between 1 and 65535.

This option is available only when Opportunistic Key Caching (OKC) field is enabled.

802.11k

Select 802.11k to enable 802.11k roaming. The 802.11k protocol enables APs and clients to dynamically discover the available radio resources. When 802.11k is enabled, APs and clients send neighbor reports, beacon reports, and link measurement reports to each other.

RRM Quiet IE

Turn off the toggle switch to disable Quiet IE and stop transmission of the 802.11k Quiet IE information element. When you enable RRM Quiet IE, the AP advertises the Quiet IE in beacon and probe responses; it is used to silence the channel for measurement purposes. When an AP uses the Quiet IE to schedule a quiet interval, stations do not transmit on that channel during the quiet interval.