Cisco Router 860, 880 Series User Manual

Authentication Types for Wireless Devices
Configuring Authentication Types (OL-15914-01)

Configuring Additional WPA Settings

Use two optional settings to configure a pre-shared key on the access point and to adjust the frequency of group key updates.

Setting a Pre-Shared Key

To support WPA on a wireless LAN where 802.1X-based authentication is not available, you must configure a pre-shared key on the access point. You can enter the pre-shared key in ASCII or hexadecimal characters. If you enter the key as ASCII characters, you enter between 8 and 63 characters, and the access point expands the key by using the process described in the Password-based Cryptography Standard (RFC 2898). If you enter the key as hexadecimal characters, you must enter 64 hexadecimal characters.

Configuring Group Key Updates

In the last step in the WPA process, the access point distributes a group key to the authenticated client device. You can use these optional settings to configure the access point to change and distribute the group key, based on client association and disassociation:

Membership termination: The access point generates and distributes a new group key when any authenticated device disassociates from the access point. This feature keeps the group key private for associated devices, but it might generate some overhead traffic if clients on your network roam frequently among access points.

Capability change: The access point generates and distributes a dynamic group key when the last non-key-management (static WEP) client disassociates, and it distributes the statically configured WEP key when the first non-key-management (static WEP) client authenticates. In WPA migration mode, this feature significantly improves the security of key-management-capable clients when there are no static-WEP clients associated to the access point.
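The following is an added example, not code from the manual or from Cisco, showing what the two key forms of the wpa-psk command amount to. The manual only says that an ASCII key of 8 to 63 characters is expanded with RFC 2898 and that a hex key must be 64 hex digits; the concrete expansion parameters used below (PBKDF2-HMAC-SHA1, the SSID as salt, 4096 iterations, 256-bit output) are the IEEE 802.11i passphrase-to-PSK mapping and are an assumption on my part, not something this page states. The batman/batmobile65 values are the manual's own example.

```python
"""WPA pre-shared key handling for 'wpa-psk {hex | ascii} encryption-key'.
Added example, not Cisco code.  Expansion parameters are those of the
IEEE 802.11i passphrase-to-PSK mapping (assumed; the manual cites RFC 2898
only)."""
import hashlib
import re

ASCII_MIN, ASCII_MAX = 8, 63
HEX_DIGITS = 64          # 64 hex digits == 256-bit PSK


def psk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """'wpa-psk ascii <passphrase>': expand the passphrase into the 256-bit PSK.

    The SSID is the PBKDF2 salt, so the same passphrase gives a different PSK
    on every SSID; a precomputed table is only good for one SSID."""
    if not ASCII_MIN <= len(passphrase) <= ASCII_MAX:
        raise ValueError(f"ASCII key must be {ASCII_MIN}-{ASCII_MAX} characters")
    if not (passphrase.isascii() and passphrase.isprintable()):
        raise ValueError("ASCII key must be printable ASCII")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def psk_from_hex(hex_key: str) -> bytes:
    """'wpa-psk hex <key>': the key is already the PSK and is used as-is."""
    if not re.fullmatch(r"[0-9A-Fa-f]{%d}" % HEX_DIGITS, hex_key):
        raise ValueError(f"hex key must be exactly {HEX_DIGITS} hex digits")
    return bytes.fromhex(hex_key)


def wpa_psk(kind: str, key: str, ssid: str) -> bytes:
    """Dispatch on the {hex | ascii} keyword of the wpa-psk command."""
    if kind == "ascii":
        return psk_from_passphrase(key, ssid)
    if kind == "hex":
        return psk_from_hex(key)
    raise ValueError("kind must be 'hex' or 'ascii'")


if __name__ == "__main__":
    # The manual's own example: 'ssid batman' / 'wpa-psk ascii batmobile65'
    psk = wpa_psk("ascii", "batmobile65", "batman")
    print("PSK for batman:", psk.hex())
    # Entering that value with 'wpa-psk hex' yields the same PSK without the
    # passphrase ever appearing in the configuration.
    assert wpa_psk("hex", psk.hex(), "batman") == psk
```

Two practical consequences follow from the derivation. The 4096 PBKDF2 iterations only slow an attacker down; anyone who captures a WPA four-way handshake can test passphrase guesses offline, so the strength of a PSK network is the entropy of the passphrase (a short or dictionary passphrase such as the example's batmobile65 is not safe in production), and a 64-hex-digit key entered directly avoids the guessable-passphrase problem altogether. Because the SSID is the salt, renaming the SSID silently changes the PSK derived from an ASCII passphrase on every client.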
To configure a WPA pre-shared key and group key update options, follow these steps, beginning in privileged EXEC mode:

Step 1  configure terminal
        Enters global configuration mode.
Step 2  ssid ssid-string
        Enters SSID configuration mode for the SSID.
Step 3  wpa-psk {hex | ascii} [0 | 7] encryption-key
        Enters a pre-shared key for client devices using WPA that also use static WEP keys. Enter the key by using either hexadecimal or ASCII characters. If you use hexadecimal, you must enter 64 hexadecimal characters to complete the 256-bit key. If you use ASCII, you must enter a minimum of 8 letters, numbers, or symbols, and the access point expands the key for you. You can enter a maximum of 63 ASCII characters.
Step 4  interface dot11radio radio-interface
        Enters interface configuration mode for the radio interface.
Step 5  ssid ssid-string
        Enters the SSID defined in Step 2 to assign the SSID to the selected radio interface.
Step 6  exit
        Returns to global configuration mode.
Step 7  broadcast-key [vlan vlan-id] {change seconds} [membership-termination] [capability-change]
        Uses the broadcast key rotation command to configure additional updates of the WPA group key.

This example shows how to configure a pre-shared key for clients using WPA and static WEP, with group key update options:

ap# configure terminal
ap(config)# ssid batman
ap(config-ssid)# wpa-psk ascii batmobile65
ap(config-ssid)# exit
ap(config)# interface dot11radio 0
ap(config-if)# ssid batman
ap(config-if)# exit
ap(config)# broadcast-key vlan 87 membership-termination capability-change

Configuring MAC Authentication Caching

If MAC-authenticated clients on your wireless LAN roam frequently, you can enable a MAC authentication cache on your access points. MAC authentication caching reduces overhead because the access point authenticates devices in its MAC address cache without sending the request to your authentication server. When a client device completes MAC authentication to your authentication server, the access point adds the client's MAC address to the cache. Note that a cached client is accepted without consulting the server until its cache entry times out, so a client you remove from the server keeps its access for up to the timeout unless you clear its entry with the clear command in Step 5.

To enable MAC authentication caching, follow these steps, beginning in privileged EXEC mode:

Step 1  configure terminal
        Enters global configuration mode.
Step 2  dot11 aaa mac-authen filter-cache [timeout seconds]
        Enables MAC authentication caching on the access point. Use the timeout option to configure a timeout value for MAC addresses in the cache. Enter a value from 30 to 65555 seconds. The default value is 1800 (30 minutes). When you enter a timeout value, MAC-authentication caching is enabled automatically.
Step 3  exit
        Returns to privileged EXEC mode.
Step 4  show dot11 aaa mac-authen filter-cache [address]
        Shows entries in the MAC-authentication cache. Include client MAC addresses to show entries for specific clients.
Step 5  clear dot11 aaa mac-authen filter-cache [address]
        Clears all entries in the cache. Include client MAC addresses to clear specific clients from the cache.
Step 6  end
        Returns to privileged EXEC mode.

Use the no form of the dot11 aaa mac-authen filter-cache command to disable MAC authentication caching.

This example shows how to enable MAC authentication caching with a one-hour timeout:

ap# configure terminal
ap(config)# dot11 aaa mac-authen filter-cache timeout 3600
ap(config)# end

Configuring Authentication Holdoffs, Timeouts, and Intervals

To configure holdoff times, reauthentication periods, and authentication timeouts for client devices authenticating through your access point, follow these steps, beginning in privileged EXEC mode:

Step 1  configure terminal
        Enters global configuration mode.
Step 2  dot11 holdoff-time seconds
        Enters the number of seconds that a client device must wait before it can reattempt to authenticate after a failed authentication. The holdoff time is invoked when a client fails three login attempts or fails to respond to three authentication requests from the access point. Enter a value from 1 to 65555 seconds.
Step 3  dot1x timeout supp-response seconds [local]
        Enters the number of seconds that the access point should wait for a client to reply to an EAP/dot1x message before the authentication fails. Enter a value from 1 to 120 seconds. The RADIUS server can be configured to send a different timeout value, which overrides the one that is configured. Enter the local keyword to configure the access point to ignore the RADIUS server value and use the configured value. The no form of the command resets the timeout to its default, 30 seconds.
Step 4  interface dot11radio radio-interface
        Enters interface configuration mode for the radio interface.
Step 5  dot1x reauth-period {seconds | server}
        Enters the interval, in seconds, that the access point waits before forcing an authenticated client to reauthenticate. Enter the server keyword to configure the access point to use the reauthentication period specified by the authentication server. If you use this option, configure your authentication server with RADIUS attribute 27, Session-Timeout. This attribute sets the maximum number of seconds of service to be provided to the client before termination of the session or prompt. The server sends this attribute to the access point when a client device performs EAP authentication.

        Note: If you configure both MAC address authentication and EAP authentication for an SSID, the server sends the Session-Timeout attribute for both MAC and EAP authentications for a client device. The access point uses the Session-Timeout attribute for the last authentication that the client performs. For example, if a client performs MAC address authentication and then performs EAP authentication, the access point uses the server's Session-Timeout value for the EAP authentication. To avoid confusion about which Session-Timeout attribute is used, configure the same Session-Timeout value on your authentication server for both MAC and EAP authentication.

Step 6  countermeasure tkip hold-time seconds
        Configures a TKIP MIC failure holdtime. If the access point detects two MIC failures within 60 seconds, it blocks all the TKIP clients on that interface for the holdtime period.
Step 7  end
        Returns to privileged EXEC mode.

Use the no form of these commands to reset the values to default settings.

Configuring the 802.1X Supplicant

Traditionally, the dot1x authenticator and client have been a network device and a PC client respectively, because it was the PC user who had to authenticate to gain access to the network. Wireless networks, however, introduce unique challenges to the traditional authenticator/client relationship. Access points can be placed in public places, inviting the possibility that they could be unplugged and their network connection used by an outsider. Running the 802.1X supplicant on the access point lets the access point authenticate itself to the wired network, so that its connection cannot simply be reused by another device.

The supplicant is configured in two phases:

1. Create and configure a credentials profile.
2. Apply the credentials to an interface or SSID.

You can complete the phases in any order, but both must be completed before the supplicant becomes operational.

Creating a Credentials Profile

To create an 802.1X credentials profile, follow these steps, beginning in privileged EXEC mode:

Step 1  configure terminal
        Enters global configuration mode.
Step 2  dot1x credentials profile
        Creates a dot1x credentials profile and enters the dot1x credentials configuration submode.
Step 3  anonymous-id description
        (Optional) Enters the anonymous identity to be used.
Step 4  description description
        (Optional) Enters a description for the credentials profile.
Step 5  username username
        Enters the authentication user ID.
Step 6  password {0 | 7 | LINE}
        Enters the password for the credentials:
        0     An unencrypted password follows.
        7     A hidden password follows. Hidden passwords are used when applying a previously saved configuration.
        LINE  An unencrypted (clear text) password.
        Note: Unencrypted and clear text are the same. You can enter a 0 followed by the clear text password, or omit the 0 and enter the clear text password.

Step 7  pki-trustpoint pki-trustpoint
        (Optional, used only for EAP-TLS) Enters the default pki-trustpoint.
Step 8  end
        Returns to privileged EXEC mode.

Use the no form of the dot1x credentials command to negate a parameter.

The following example creates a credentials profile named test with the username Cisco and the unencrypted password Cisco:

ap> enable
Password: xxxxxxx
ap# config terminal
Enter configuration commands, one per line.  End with CTRL-Z.
ap(config)# dot1x credentials test
ap(config-dot1x-creden)# username Cisco
ap(config-dot1x-creden)# password Cisco
ap(config-dot1x-creden)# exit
ap(config)#

Applying the Credentials to an Interface or SSID

Credential profiles are applied to an interface or an SSID in the same way.

Applying the Credentials Profile to the Wired Port

To apply the credentials to the access point's wired port, follow these steps, beginning in privileged EXEC mode:

Step 1  configure terminal
        Enters global configuration mode.
Step 2  interface fastethernet port-number
        Enters interface configuration mode for the Fast Ethernet port.
Step 3  dot1x credentials profile-name
        Enters the name of a previously created credentials profile.
Step 4  end
        Returns to privileged EXEC mode.

The following example applies the credentials profile test to the access point's Fast Ethernet port:

ap> enable
Password: xxxxxxx
ap# config terminal
Enter configuration commands, one per line.  End with CTRL-Z.
ap(config)# interface fa0
ap(config-if)# dot1x credentials test
ap(config-if)# end
ap#
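The credentials table describes the 7 form of the password command (and the same [0 | 7] keyword appears on wpa-psk) as a "hidden" password for re-applying saved configurations. The following added example, not Cisco code, shows what that hiding amounts to: IOS type 7 is a reversible XOR obfuscation against a fixed, publicly known key string, so anyone who can read the running configuration, a backup, or a TFTP export can recover the supplicant password. The key string and the 0822455D0A16 ↔ cisco pair are the well-known ones; the SAMPLE_CONFIG fragment is constructed here, modelled on the manual's test/Cisco example, and the seed values passed to the encoder are chosen for reproducibility (IOS picks its own).

```python
"""Cisco 'password 7' decoder/encoder and a config scraper.  Added example,
not Cisco code.  Type 7: the first two digits are a decimal offset into XLAT
and every following hex byte is a password character XORed with the next
XLAT character."""
import re

# Publicly known IOS type-7 key string.
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded: str) -> str:
    """Recover the clear text from a type 7 string such as 0822455D0A16."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded.isalnum():
        raise ValueError("malformed type 7 string")
    seed = int(encoded[:2], 10)
    body = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ ord(XLAT[(seed + i) % len(XLAT)]))
                   for i, b in enumerate(body))


def encode_type7(plain: str, seed: int = 8) -> str:
    """Produce a type 7 string.  IOS chooses the seed itself; here it is a
    parameter so the output is reproducible."""
    if not 0 <= seed < len(XLAT):
        raise ValueError("seed out of range")
    if not plain.isascii():
        raise ValueError("type 7 covers ASCII passwords only")
    return f"{seed:02d}" + "".join(
        f"{ord(c) ^ ord(XLAT[(seed + i) % len(XLAT)]):02X}"
        for i, c in enumerate(plain))


def recover_dot1x_credentials(config: str) -> dict:
    """Walk a running-config and return {profile: clear-text password} for
    every 'dot1x credentials' block that carries a 'password 7' line."""
    found, profile = {}, None
    for line in config.splitlines():
        m = re.match(r"dot1x credentials (\S+)", line)
        if m:
            profile = m.group(1)
            continue
        m = re.match(r"\s+password 7 ([0-9A-Fa-f]+)", line)
        if m and profile:
            found[profile] = decode_type7(m.group(1))
        elif line and not line.startswith(" "):
            profile = None          # left the credentials block


    return found


# Constructed configuration fragment (not from the manual) in the shape the
# manual's example profile would take once the password is stored in the
# 7 form: 'dot1x credentials test' / 'username Cisco' / 'password Cisco'.
SAMPLE_CONFIG = """\
dot1x credentials test
 username Cisco
 password 7 02250D480809
!
interface FastEthernet0
 dot1x credentials test
"""

if __name__ == "__main__":
    print(recover_dot1x_credentials(SAMPLE_CONFIG))   # {'test': 'Cisco'}
```

The point for a practitioner: the 7 form exists so that a saved configuration can be pasted back in, as the table says; it is not a defence against anyone who can read the file. Protect the configuration itself (restricted show running-config, no clear-text config backups or TFTP exports on untrusted networks), and treat the supplicant password as compromised if a config has leaked.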

Applying the Credentials Profile to an SSID Used for the Uplink

If you have a repeater access point in your wireless network and are using the 802.1X supplicant on the root access point, you must apply the 802.1X supplicant credentials to the SSID that the repeater uses to associate with and authenticate to the root access point. To apply the credentials to an SSID used for the uplink, follow these steps, beginning in privileged EXEC mode:

Step 1  configure terminal
        Enters global configuration mode.
Step 2  dot11 ssid ssid
        Enters the 802.11 SSID. The SSID can consist of up to 32 alphanumeric characters. SSIDs are case sensitive.
        Note: The first character cannot be the !, #, or ; character. The +, ], /, , TAB, and trailing spaces are invalid characters for SSIDs.
Step 3  dot1x credentials profile
        Enters the name of a preconfigured credentials profile.
Step 4  end
        Returns to privileged EXEC mode.

The following example applies the credentials profile test to the SSID testap1 on a repeater access point:

repeater-ap> enable
Password: xxxxxxx
repeater-ap# config terminal
Enter configuration commands, one per line.  End with CTRL-Z.
repeater-ap(config)# dot11 ssid testap1
repeater-ap(config-ssid)# dot1x credentials test
repeater-ap(config-ssid)# end
repeater-ap#

Creating and Applying EAP Method Profiles for the 802.1X Supplicant

This section describes the optional configuration of an EAP method list for the 802.1X supplicant. Configuring an EAP method profile lets the supplicant refuse some EAP methods even though they are available on the supplicant. For example, if a RADIUS server supports EAP-FAST and LEAP, under certain configurations the server might initially offer LEAP instead of a more secure method. If no preferred EAP method list is defined, the supplicant accepts LEAP; it may be advantageous to force the supplicant to use a more secure method such as EAP-FAST.

Creating an EAP Method Profile

To define a new EAP profile, follow these steps, beginning in privileged EXEC mode:

Step 1  configure terminal
        Enters global configuration mode.
Step 2  eap profile profile-name
        Enters a name for the profile.

Step 3  description description
        (Optional) Enters a description for the EAP profile.
Step 4  method fast
        Enters an allowed EAP method or methods.
        Note: Although they appear as sub-parameters, EAP-GTC, EAP-MD5, and EAP-MSCHAPV2 are intended as inner methods for tunneled EAP authentication and should not be used as the primary authentication method.
Step 5  end
        Returns to privileged EXEC mode.

Use the no form of a command to negate it or to restore its default. Use the show eap registrations method command to view the currently available (registered) EAP methods. Use the show eap sessions command to view existing EAP sessions.

Applying an EAP Profile to the Fast Ethernet Interface

This operation normally applies to root access points. To apply an EAP profile to the Fast Ethernet interface, follow these steps, beginning in privileged EXEC mode:

Step 1  configure terminal
        Enters global configuration mode.
Step 2  interface fastethernet port-number
        Enters interface configuration mode for the Fast Ethernet port.
Step 3  dot1x eap profile profile-name
        Enters the name of the preconfigured EAP profile.
Step 4  end
        Exits interface configuration mode and returns to privileged EXEC mode.

Applying an EAP Profile to an Uplink SSID

This operation typically applies to repeater access points. To apply an EAP profile to the uplink SSID, follow these steps, beginning in privileged EXEC mode:

Note: Repeater mode is not supported on Cisco 860 and Cisco 880 series embedded-wireless devices.

Step 1  configure terminal
        Enters global configuration mode.
Step 2  interface dot11radio radio-interface
        Enters interface configuration mode for the radio interface.
Step 3  ssid ssid
        Assigns the uplink SSID to the radio interface.
Step 4  exit
        Returns to global configuration mode.
Step 5  eap profile profile-name
        Enters the name of the preconfigured EAP profile.
Step 6  end
        Returns to privileged EXEC mode.
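The EAP method profile section above says that without a preferred method list the supplicant will accept LEAP if the server offers it first, and that a profile with method fast forces EAP-FAST. The following added example, not Cisco code, models the exchange that makes this work: under RFC 3748 the authenticator proposes a method in an EAP-Request, and a peer that refuses it answers with a Response of type Nak (3) listing the types it does accept, after which the authenticator must continue with one of those or give up. Packet framing follows RFC 3748 and the method numbers are the IANA EAP type numbers; the method payloads themselves (TLS records, LEAP challenges) are omitted, and the supplicant identity and server preference list are constructed for the example.

```python
"""EAP method negotiation shaped by the supplicant's method profile.
Added example, not Cisco code.  Framing and the Nak rule follow RFC 3748;
method data is omitted."""
import struct

REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
IDENTITY, NAK = 1, 3
EAP_MD5, EAP_GTC, EAP_TLS, LEAP, PEAP, EAP_MSCHAPV2, EAP_FAST = 4, 6, 13, 17, 25, 26, 43


def pack(code: int, ident: int, eap_type: int, data: bytes = b"") -> bytes:
    """EAP packet: Code(1) Identifier(1) Length(2) Type(1) Type-Data."""
    return struct.pack("!BBHB", code, ident, 5 + len(data), eap_type) + data


def unpack(pkt: bytes):
    code, ident, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    if length != len(pkt):
        raise ValueError("EAP length field does not match packet")
    return code, ident, eap_type, pkt[5:]


class Supplicant:
    """allowed is the ordered method list from the EAP profile.  With no
    profile the supplicant accepts whatever it has registered, LEAP included."""

    def __init__(self, identity: bytes, allowed):
        self.identity = identity
        self.allowed = list(allowed)

    def respond(self, request: bytes) -> bytes:
        code, ident, eap_type, _ = unpack(request)
        if code != REQUEST:
            raise ValueError("supplicant only answers EAP-Requests")
        if eap_type == IDENTITY:
            return pack(RESPONSE, ident, IDENTITY, self.identity)
        if eap_type in self.allowed:
            return pack(RESPONSE, ident, eap_type)      # method data omitted
        # Refuse: a Nak carrying the acceptable types in preference order.
        return pack(RESPONSE, ident, NAK, bytes(self.allowed))


def negotiate(server_prefs, supplicant: Supplicant, max_rounds: int = 4):
    """Authenticator side.  Returns the EAP type both sides settled on, or
    None if the peer Nak'ed everything the server is willing to run."""
    _, _, rtype, identity = unpack(supplicant.respond(pack(REQUEST, 0, IDENTITY)))
    if rtype != IDENTITY or identity != supplicant.identity:
        return None
    candidates = list(server_prefs)
    for ident in range(1, max_rounds + 1):
        if not candidates:
            return None
        proposed = candidates[0]
        _, _, rtype, rdata = unpack(supplicant.respond(pack(REQUEST, ident, proposed)))
        if rtype == proposed:
            return proposed
        if rtype != NAK:
            return None
        # Keep the server's order but drop anything the peer did not list.
        candidates = [m for m in candidates if m in rdata]
    return None


# A RADIUS server that offers LEAP first and EAP-FAST second, the case the
# manual describes (constructed preference list).
SERVER_PREFS = [LEAP, EAP_FAST]

if __name__ == "__main__":
    no_profile = Supplicant(b"ap-uplink", [LEAP, EAP_FAST])
    fast_only = Supplicant(b"ap-uplink", [EAP_FAST])       # 'method fast'
    print("no profile  ->", negotiate(SERVER_PREFS, no_profile))  # 17 (LEAP)
    print("method fast ->", negotiate(SERVER_PREFS, fast_only))   # 43 (EAP-FAST)
```

The model makes the security property explicit: the supplicant, not the server, is the party that can refuse a downgrade, and it can only refuse a method that is absent from its allowed list. A profile that lists nothing the server will run ends in failure rather than a fallback to LEAP, which is the intended outcome; check the server's method order before deploying a restrictive profile on an uplink, and use show eap sessions to confirm which method was actually negotiated.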

Matching Access Point and Client Device Authentication Types

To use the authentication types described in this section, the access point authentication settings must match the authentication settings on the client adapters that associate to the access point. See the Cisco Aironet Wireless LAN Client Adapters Installation and Configuration Guide for Windows for instructions on setting authentication types on wireless client adapters. See Cipher Suites and WEP for instructions on configuring cipher suites and WEP on the access point. Table 1 lists the client and access point settings required for each authentication type.

Note: Some non-Cisco Aironet client adapters do not perform 802.1X authentication to the access point unless you configure Open authentication with EAP. To allow both Cisco Aironet clients using LEAP and non-Cisco Aironet clients using LEAP to associate using the same SSID, you might need to configure the SSID for both Network EAP authentication and Open authentication with EAP. Likewise, to allow both Cisco Aironet 802.11a/b/g client adapters (CB21AG and PI21AG) running EAP-FAST and non-Cisco Aironet clients using EAP-FAST or LEAP to associate using the same SSID, you might need to configure the SSID for both Network EAP authentication and Open authentication with EAP.

Note: If you are running an 802.11n access point, for best results be sure to get the latest driver from the 802.11n Wi-Fi card vendor for the card that you are using.

Table 1  Client and Access Point Security Settings

Static WEP with open authentication
  Client setting: Create a WEP key, and enable Use Static WEP Keys and Open Authentication.
  Access point setting: Set up and enable WEP, and enable Open Authentication for the SSID.

Static WEP with shared key authentication
  Client setting: Create a WEP key, and enable Use Static WEP Keys and Shared Key Authentication.
  Access point setting: Set up and enable WEP, and enable Shared Key Authentication for the SSID.

LEAP authentication
  Client setting: Enable LEAP.
  Access point setting: Set up and enable WEP, and enable Network-EAP for the SSID [1].

EAP-FAST authentication
  Client setting: Enable EAP-FAST, and enable automatic provisioning or import a PAC file.
  Access point setting: Set up and enable WEP, and enable Network-EAP for the SSID [1]. If radio clients are configured to authenticate using EAP-FAST, open authentication with EAP should also be configured. If you do not configure open authentication with EAP, the following warning message appears:
  SSID CONFIG WARNING: [SSID]: If radio clients are using EAP-FAST, AUTH OPEN with EAP should also be configured.

EAP-FAST authentication with WPA
  Client setting: Enable EAP-FAST and Wi-Fi Protected Access (WPA), and enable automatic provisioning or import a PAC file. To allow the client to associate to both WPA and non-WPA access points, enable Allow Association to both WPA and non-WPA authenticators.
  Access point setting: Select a cipher suite that includes TKIP, set up and enable WEP, and enable Network-EAP and WPA for the SSID.
  Note: To allow both WPA and non-WPA clients to use the SSID, enable optional WPA.

802.1X authentication and CCKM
  Client setting: Enable LEAP.
  Access point setting: Select a cipher suite, and enable Network-EAP and CCKM for the SSID.
  Note: To allow both 802.1X clients and non-802.1X clients to use the SSID, enable optional CCKM.

802.1X authentication and WPA
  Client setting: Enable any 802.1X authentication method.
  Access point setting: Select a cipher suite, and enable Open authentication and WPA for the SSID (you can also enable Network-EAP authentication in addition to or instead of Open authentication).
  Note: To allow both WPA clients and non-WPA clients to use the SSID, enable optional WPA.

802.1X authentication and WPA-PSK
  Client setting: Enable any 802.1X authentication method.
  Access point setting: Select a cipher suite, and enable Open authentication and WPA for the SSID (you can also enable Network-EAP authentication in addition to or instead of Open authentication). Enter a WPA pre-shared key.
  Note: To allow both WPA clients and non-WPA clients to use the SSID, enable optional WPA.

EAP-TLS authentication
  If using ACU to configure the card
    Client setting: Enable Host Based EAP and Use Dynamic WEP Keys in ACU, and select Enable network access control using IEEE 802.1X and Smart Card or Other Certificate as the EAP Type in Windows 2000 (with Service Pack 3) or Windows XP.
    Access point setting: Set up and enable WEP, and enable EAP and Open authentication for the SSID.
  If using Windows XP to configure the card
    Client setting: Select Enable network access control using IEEE 802.1X and Smart Card or other Certificate as the EAP Type.
    Access point setting: Set up and enable WEP, and enable EAP and Open Authentication for the SSID.

EAP-MD5 authentication
  If using ACU to configure the card
    Client setting: Create a WEP key, enable Host Based EAP, and enable Use Static WEP Keys in ACU, and select Enable network access control using IEEE 802.1X and MD5-Challenge as the EAP Type in Windows 2000 (with Service Pack 3) or Windows XP.
    Access point setting: Set up and enable WEP, and enable EAP and Open authentication for the SSID.

  If using Windows XP to configure the card
    Client setting: Select Enable network access control using IEEE 802.1X and MD5-Challenge as the EAP Type.
    Access point setting: Set up and enable WEP, and enable EAP and Open Authentication for the SSID.

PEAP authentication
  If using ACU to configure the card
    Client setting: Enable Host Based EAP and Use Dynamic WEP Keys in ACU, and select Enable network access control using IEEE 802.1X and PEAP as the EAP Type in Windows 2000 (with Service Pack 3) or Windows XP.
    Access point setting: Set up and enable WEP, and enable EAP and Open authentication for the SSID.
  If using Windows XP to configure the card
    Client setting: Select Enable network access control using IEEE 802.1X and PEAP as the EAP Type.
    Access point setting: Set up and enable WEP, and enable Require EAP and Open Authentication for the SSID.

EAP-SIM authentication
  If using ACU to configure the card
    Client setting: Enable Host Based EAP and Use Dynamic WEP Keys in ACU, and select Enable network access control using IEEE 802.1X and SIM Authentication as the EAP Type in Windows 2000 (with Service Pack 3) or Windows XP.
    Access point setting: Set up and enable WEP with full encryption, and enable EAP and Open authentication for the SSID.
  If using Windows XP to configure the card
    Client setting: Select Enable network access control using IEEE 802.1X and SIM Authentication as the EAP Type.
    Access point setting: Set up and enable WEP with full encryption, and enable Require EAP and Open Authentication for the SSID.

[1] See the note at the start of this section: some non-Cisco Aironet client adapters do not perform 802.1X authentication to the access point unless you configure Open authentication with EAP, so to serve both Cisco Aironet and non-Cisco Aironet clients (LEAP or EAP-FAST) on the same SSID you might need to configure the SSID for both Network EAP authentication and Open authentication with EAP.