- Cisco Grid Module for CGR 1000 Series

Cisco Connected Grid Modules for CGR 1000 Series—WiMAX Installation and Configuration Guide
OL-26236-03
Configuring the Module
EAP-TLS and EAP-TTLS Authentication Methods
To set up a username and password for the Pairwise Key Management (PKM) of a CGR 1000, the
WiMAX module must be installed and running. CGR 1000s that ship with a pre-installed WiMAX
module have a pre-installed WiMAX configuration.
You can configure your WiMAX interface for one of the following authentication methods:
No Authentication (Open)
EAP-TLS Authentication
The WiMAX interface uses trustpoints in the following manner. Certificate-based mutual
authentication is mandatory. The WiMAX module needs both of the following for authentication:
- A server-root-ca certificate authority (CA) trustpoint containing the CA certificate that signs
the certificate used on the AAA/RADIUS server.
- A device trustpoint for the WiMAX module. The modem on the WiMAX module has an
embedded Airspan-signed device certificate that the supplicant can automatically use as the
device trustpoint for authentication. If users do not want to use this certificate, they must import
a device certificate and specify a device trustpoint that uses it.
To configure EAP-TLS to use a user-defined WiMAX device certificate:
Router(config-if)# shutdown
Router(config-if)# pkm version pkm-v2
Router(config-if)# pkm trustpoint device actual_device_trustpoint_label
Router(config-if)# pkm trustpoint server-root-ca actual_ca_trustpoint_label
Router(config-if)# pkm auth-method eap-tls
Router(config-if)# no shutdown
To configure EAP-TLS to use the embedded Airspan certificate as the WiMAX device certificate:
Router(config-if)# shutdown
Router(config-if)# pkm version pkm-v2
Router(config-if)# pkm trustpoint server-root-ca actual_ca_trustpoint_label
Router(config-if)# pkm auth-method eap-tls
Router(config-if)# no shutdown
If the pkm trustpoint device command is not issued, the system uses the embedded
certificate.
EAP-TTLS Authentication
EAP-TTLS authentication is a one-sided authentication using an Airspan certificate.
Certificate-based authentication is required only for the AAA/RADIUS server. Only a server-root-ca
trustpoint configuration is required for the WiMAX interface to authenticate the AAA/RADIUS
server certificate. The client (WiMAX interface) is authenticated with MSCHAPv2
(by configuring the PKM user and password) through an encrypted tunnel.
Router(config-if)# shutdown
Router(config-if)# pkm version pkm-v2
Router(config-if)# pkm trustpoint server-root-ca actual_ca_trustpoint_label
Router(config-if)# pkm username actual_user_name password actual_password
Router(config-if)# pkm auth-method eap-ttls
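
The following added example (not part of the Cisco guide) audits a saved WiMAX interface stanza against the requirements stated above for EAP-TLS and EAP-TTLS. The function names and sample stanzas are constructed, and it assumes the saved configuration shows the pkm lines in the same form they are entered.

```python
# Constructed sample stanzas (not from a real device). Assumption: the saved
# configuration shows the pkm lines in the same form the guide enters them.
SAMPLE_TLS_EMBEDDED = """\
 pkm version pkm-v2
 pkm trustpoint server-root-ca LAB_CA_TP
 pkm auth-method eap-tls
"""
SAMPLE_TTLS_INCOMPLETE = """\
 pkm version pkm-v2
 pkm auth-method eap-ttls
"""

def parse_pkm(stanza):
    """Collect the pkm settings of one interface stanza into a dict."""
    cfg = {}
    for line in stanza.splitlines():
        words = line.split()
        if words[:2] == ["pkm", "version"] and len(words) == 3:
            cfg["version"] = words[2]
        elif words[:2] == ["pkm", "auth-method"] and len(words) == 3:
            cfg["method"] = words[2]
        elif words[:2] == ["pkm", "trustpoint"] and len(words) == 4:
            cfg["tp:" + words[2]] = words[3]   # device or server-root-ca
        elif words[:2] == ["pkm", "username"] and len(words) == 5:
            cfg["username"] = words[2]         # the password is never stored
    return cfg

def audit_pkm(stanza):
    """Return a list of findings; an empty list means the stanza is consistent."""
    cfg, findings = parse_pkm(stanza), []
    method = cfg.get("method")
    if method is None:
        return ["no pkm auth-method line: no EAP method is configured"]
    if method not in ("eap-tls", "eap-ttls"):
        return ["unrecognized pkm auth-method: " + method]
    if cfg.get("version") != "pkm-v2":   # the guide sets pkm-v2 in each procedure
        findings.append("pkm version pkm-v2 is not set")
    if "tp:server-root-ca" not in cfg:   # needed by both EAP methods
        findings.append("no server-root-ca trustpoint for the AAA/RADIUS certificate")
    if method == "eap-tls" and "tp:device" not in cfg:
        findings.append("info: no device trustpoint, embedded Airspan certificate is used")
    if method == "eap-ttls" and "username" not in cfg:
        findings.append("no pkm username/password for MSCHAPv2 client authentication")
    return findings

if __name__ == "__main__":
    for name, text in (("tls", SAMPLE_TLS_EMBEDDED), ("ttls", SAMPLE_TTLS_INCOMPLETE)):
        print(name, audit_pkm(text) or "consistent")
```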