User's Manual
Table Of Contents
- Chapter 1: Introduction 1-1
- Chapter 1: Introduction
- Chapter 2: Hardware Installation
- Chapter 3: Network Configuration
- Chapter 4: Initial Configuration
- Chapter 5: System Configuration
- Chapter 6: Command Line Interface
- Using the Command Line Interface
- Entering Commands
- Command Groups
- General Commands
- System Management Commands
- System Logging Commands
- System Clock Commands
- DHCP Relay Commands
- SNMP Commands
- snmp-server community
- snmp-server contact
- snmp-server location
- snmp-server enable server
- snmp-server host
- snmp-server trap
- snmp-server engine-id
- snmp-server user
- snmp-server targets
- snmp-server filter
- snmp-server filter-assignments
- show snmp groups
- show snmp users
- show snmp group-assignments
- show snmp target
- show snmp filter
- show snmp filter-assignments
- show snmp
- Flash/File Commands
- RADIUS Client
- 802.1X Authentication
- MAC Address Authentication
- Filtering Commands
- WDS Bridge Commands
- Spanning Tree Commands
- Ethernet Interface Commands
- Wireless Interface Commands
- interface wireless
- vap
- speed
- multicast-data-rate
- channel
- transmit-power
- radio-mode
- preamble
- antenna control
- antenna id
- antenna location
- beacon-interval
- dtim-period
- fragmentation-length
- rts-threshold
- super-g
- description
- ssid
- closed-system
- max-association
- assoc-timeout-interval
- auth-timeout-value
- shutdown
- show interface wireless
- show station
- Rogue AP Detection Commands
- Wireless Security Commands
- Link Integrity Commands
- IAPP Commands
- VLAN Commands
- WMM Commands
- Appendix A: Troubleshooting
- Appendix B: Cables and Pinouts
- Appendix C: Specifications
- Glossary
- Index
System Configuration
5-12
5
CLI Commands for SSH – To enable the SSH server, use the ip ssh-server enable
command from the CLI Ethernet interface configuration mode. To set the SSH
server UDP port, use the ip ssh-server port command. To view the current settings,
use the show system command from the CLI Exec mode (not shown in the
following example).
Authentication
Wireless clients can be authenticated for network access by checking their MAC
address against the local database configured on the access point, or by using a
database configured on a central RADIUS server. Alternatively, authentication can
be implemented using the IEEE 802.1X network access control protocol.
A client’s MAC address provides relatively weak user authentication, since MAC
addresses can be easily captured and used by another station to break into the
network. Using 802.1X provides more robust user authentication using user names
and passwords or digital certificates. You can configure the access point to use both
MAC address and 802.1X authentication, with client station MAC authentication
occurring prior to IEEE 802.1X authentication. However, it is better to choose one or
the other, as appropriate.
Take note of the following points before configuring MAC address or 802.1X
authentication:
• Use MAC address authentication for a small network with a limited number of
users. MAC addresses can be manually configured on the access point itself
without the need to set up a RADIUS server, but managing a large number of MAC
addresses across many access points is very cumbersome. A RADIUS server can
be used to centrally manage a larger database of user MAC addresses.
• Use IEEE 802.1X authentication for networks with a larger number of users and
where security is the most important issue. When using 802.1X authentication, a
RADIUS server is required in the wired network to centrally manage the credentials
of the wireless clients. It also provides a mechanism for enhanced network security
using dynamic encryption key rotation or W-Fi Protected Access (WPA).
Note: If you configure RADIUS MAC authentication together with 802.1X, RADIUS MAC
address authentication is performed prior to 802.1X authentication. If RADIUS
MAC authentication succeeds, then 802.1X authentication is performed. If
RADIUS MAC authentication fails, 802.1X authentication is not performed.
• The access point can also operate in a 802.1X supplicant mode. This enables the
access point itself to be authenticated with a RADIUS server using a configured
MD5 user name and password. This prevents rogue access points from gaining
access to the network.
Enterprise AP(if-ethernet)#no ip telnet-server 6-17
Enterprise AP(if-ethernet)#ip ssh-server enable 6-16
Enterprise AP(if-ethernet)#ip ssh-server port 1124 6-16
Enterprise AP(if-ethernet)#exit
Enterprise AP(if-ethernet)#configure