User's Manual
Table Of Contents
- Chapter 1: Introduction
- Chapter 2: Hardware Installation
- Chapter 3: Network Configuration
- Chapter 4: Initial Configuration
- Chapter 5: System Configuration
- Chapter 6: Command Line Interface
- Using the Command Line Interface
- Entering Commands
- Command Groups
- General Commands
- System Management Commands
- System Logging Commands
- System Clock Commands
- DHCP Relay Commands
- SNMP Commands
- snmp-server community
- snmp-server contact
- snmp-server location
- snmp-server enable server
- snmp-server host
- snmp-server trap
- snmp-server engine-id
- snmp-server user
- snmp-server targets
- snmp-server filter
- snmp-server filter-assignments
- show snmp groups
- show snmp users
- show snmp group-assignments
- show snmp target
- show snmp filter
- show snmp filter-assignments
- show snmp
- Flash/File Commands
- RADIUS Client
- 802.1X Authentication
- MAC Address Authentication
- Filtering Commands
- WDS Bridge Commands
- Spanning Tree Commands
- Ethernet Interface Commands
- Wireless Interface Commands
- interface wireless
- vap
- speed
- multicast-data-rate
- channel
- transmit-power
- radio-mode
- preamble
- antenna control
- antenna id
- antenna location
- beacon-interval
- dtim-period
- fragmentation-length
- rts-threshold
- super-g
- description
- ssid
- closed-system
- max-association
- assoc-timeout-interval
- auth-timeout-value
- shutdown
- show interface wireless
- show station
- Rogue AP Detection Commands
- Wireless Security Commands
- Link Integrity Commands
- IAPP Commands
- VLAN Commands
- WMM Commands
- Appendix A: Troubleshooting
- Appendix B: Cables and Pinouts
- Appendix C: Specifications
- Glossary
- Index
System Configuration
CLI Commands for WEP over 802.1X Security – Use the vap command to access
each VAP interface to configure the security settings. First set 802.1X to required
using the 802.1x command and set the 802.1X key refresh rates. Then, use the
authentication command to select open system authentication and the encryption
command to enable data encryption. To view the current security settings, use the
show interface wireless g 0 command (not shown in example).
Wi-Fi Protected Access (WPA)
WPA employs a combination of several technologies to provide an enhanced
security solution for 802.11 wireless networks.
The access point supports the following WPA components and features:
IEEE 802.1X and the Extensible Authentication Protocol (EAP): WPA employs
802.1X as its basic framework for user authentication and dynamic key
management. The 802.1X client and RADIUS server should use an appropriate EAP
type—such as EAP-TLS (Transport Layer Security), EAP-TTLS (Tunneled TLS), or
PEAP (Protected EAP)—for strongest authentication. Working together, these
protocols provide “mutual authentication” between a client, the access point, and a
RADIUS server that prevents users from accidentally joining a rogue network. Only
when a RADIUS server has authenticated a user’s credentials will encryption keys
be sent to the access point and client.
Note: Implementing WPA on wireless clients requires a WPA-enabled network card
driver and 802.1X client software that supports the EAP authentication type that
you want to use. Windows XP provides native WPA support; other systems
require additional software.
Temporal Key Integrity Protocol (TKIP): WPA specifies TKIP as the data
encryption method to replace WEP. TKIP avoids the problems of WEP static keys by
dynamically changing data encryption keys. Basically, TKIP starts with a master
(temporal) key for each user session and then mathematically generates other keys
to encrypt each data packet. TKIP provides further data encryption enhancements
by including a message integrity check for each packet and a re-keying mechanism,
which periodically changes the master key.
Enterprise AP(if-wireless g)#vap 0
Enterprise AP(if-wireless g: VAP[0])#802.1X required
Enterprise AP(if-wireless g: VAP[0])#802.1X broadcast-key-refresh-rate 5
Enterprise AP(if-wireless g: VAP[0])#802.1X session-key-refresh-rate 5
Enterprise AP(if-wireless g: VAP[0])#802.1X session-timeout 300
Enterprise AP(if-wireless g: VAP[0])#interface wireless g
Enter Wireless configuration commands, one per line.
Enterprise AP(if-wireless g: VAP[0])#authentication open
Enterprise AP(if-wireless g: VAP[0])#encryption
Enterprise AP(if-wireless g: VAP[0])#
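The following is an added example, not part of the manual or the vendor's software: a Python check that reads a saved CLI session and reports, for each VAP, which steps of the WEP over 802.1X procedure were never entered. The names audit, STEPS and SAMPLE are hypothetical, the sample transcript is constructed, and the prompt format and commands are taken from the session shown on this page.

```python
import re
from collections import defaultdict

# Prompt format as printed in the manual's session, for example:
#   Enterprise AP(if-wireless g: VAP[0])#802.1X required
PROMPT = re.compile(r"^Enterprise AP\(if-wireless (\w+): VAP\[(\d+)\]\)#\s*(\S.*)$")

# Steps named by the procedure, using only commands shown on the page.
STEPS = {
    "802.1X required": r"802\.1X required",
    "broadcast-key-refresh-rate": r"802\.1X broadcast-key-refresh-rate \d+",
    "session-key-refresh-rate": r"802\.1X session-key-refresh-rate \d+",
    "authentication open": r"authentication open",
    "encryption": r"encryption(\s.*)?",
}

def audit(transcript, expected_vaps):
    """Map each expected (radio, vap) to the procedure steps never entered."""
    seen = defaultdict(set)
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue  # device output, empty prompt, or a non-VAP prompt
        radio, vap = m.group(1), int(m.group(2))
        cmd = " ".join(m.group(3).split())  # collapse repeated spaces
        for step, pattern in STEPS.items():
            if re.fullmatch(pattern, cmd, re.I):
                seen[(radio, vap)].add(step)
    return {key: [s for s in STEPS if s not in seen[key]] for key in expected_vaps}

# Constructed sample (two excerpts): VAP 0 follows the procedure; VAP 1
# skips the session key refresh rate and never enables encryption.
SAMPLE = """\
Enterprise AP(if-wireless g)#vap 0
Enterprise AP(if-wireless g: VAP[0])#802.1X required
Enterprise AP(if-wireless g: VAP[0])#802.1X broadcast-key-refresh-rate 5
Enterprise AP(if-wireless g: VAP[0])#802.1X session-key-refresh-rate 5
Enterprise AP(if-wireless g: VAP[0])#authentication open
Enterprise AP(if-wireless g: VAP[0])#encryption
Enterprise AP(if-wireless g)#vap 1
Enterprise AP(if-wireless g: VAP[1])#802.1X required
Enterprise AP(if-wireless g: VAP[1])#802.1X broadcast-key-refresh-rate 5
Enterprise AP(if-wireless g: VAP[1])#authentication open
"""

if __name__ == "__main__":
    for key, missing in audit(SAMPLE, [("g", 0), ("g", 1)]).items():
        print(key, "OK" if not missing else "missing: " + ", ".join(missing))
```

A VAP listed in expected_vaps that never appears in the transcript is reported with every step missing, which catches a VAP that was skipped entirely.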