User's Manual
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-11350-01
Chapter 11 Configuring Authentication Types
Configuring Additional WPA Settings
Use two optional settings to configure a pre-shared key on the access point and adjust the frequency of 
group key updates.
Setting a Pre-Shared Key
To support WPA on a wireless LAN where 802.1X-based authentication is not available, you must 
configure a pre-shared key on the access point. You can enter the pre-shared key as ASCII or 
hexadecimal characters. If you enter the key as ASCII characters, you must enter between 8 and 63 
characters, and the access point expands the key using the process described in the Password-based 
Cryptography Standard (RFC 2898). If you enter the key as hexadecimal characters, you must enter 
64 hexadecimal characters.
Configuring Group Key Updates
In the last step in the WPA process, the access point distributes a group key to the authenticated client 
device. You can use these optional settings to configure the access point to change and distribute the 
group key based on client association and disassociation:
• Membership termination—the access point generates and distributes a new group key when any 
authenticated device disassociates from the access point. This feature keeps the group key private 
for associated devices, but it might generate some overhead traffic if clients on your network roam 
frequently among access points.
• Capability change—the access point generates and distributes a dynamic group key when the last 
non-key management (static WEP) client disassociates, and it distributes the statically configured 
WEP key when the first non-key management (static WEP) client authenticates. In WPA migration 
mode, this feature significantly improves the security of key-management capable clients when 
there are no static-WEP clients associated to the access point.
Beginning in privileged EXEC mode, follow these steps to configure a WPA pre-shared key and group 
key update options:
| Step | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | ssid ssid-string | Enter SSID configuration mode for the SSID. |
| Step 3 | wpa-psk { hex \| ascii } [ 0 \| 7 ] encryption-key | Enter a pre-shared key for client devices using WPA that also use static WEP keys. Enter the key using either hexadecimal or ASCII characters. If you use hexadecimal, you must enter 64 hexadecimal characters to complete the 256-bit key. If you use ASCII, you must enter a minimum of 8 letters, numbers, or symbols, and the access point expands the key for you. You can enter a maximum of 63 ASCII characters. |
| Step 4 | interface dot11radio { 0 \| 1 } | Enter interface configuration mode for the radio interface. The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1. |
| Step 5 | ssid ssid-string | Enter the SSID defined in Step 2 to assign the SSID to the selected radio interface. |
| Step 6 | exit | Return to privileged EXEC mode. |
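
The ASCII-to-256-bit key expansion referred to in "Setting a Pre-Shared Key" and in Step 3, as an added Python example that is not part of the Cisco guide. It assumes the IEEE 802.11i passphrase mapping (PBKDF2 from RFC 2898 with HMAC-SHA1, the SSID as salt, 4096 iterations); the page itself names only RFC 2898, and the function names `wpa_psk` and `matches_hex_key` are hypothetical.

```python
import hashlib
import hmac
import string


def wpa_psk(key: str, ssid: str, fmt: str = "ascii") -> bytes:
    """Return the 256-bit pre-shared key for a key entered as 'ascii' or 'hex'."""
    if fmt == "hex":
        # Hex form: 64 hexadecimal characters are the 256-bit key itself.
        if len(key) != 64 or any(c not in string.hexdigits for c in key):
            raise ValueError("hex key must be 64 hexadecimal characters")
        return bytes.fromhex(key)
    if fmt != "ascii":
        raise ValueError("fmt must be 'ascii' or 'hex'")
    # ASCII form: 8 to 63 characters (printable ASCII assumed, per 802.11i).
    if not 8 <= len(key) <= 63 or any(not 32 <= ord(c) <= 126 for c in key):
        raise ValueError("ASCII key must be 8 to 63 printable ASCII characters")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    # Assumed mapping: PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32 bytes.
    return hashlib.pbkdf2_hmac("sha1", key.encode("ascii"), salt, 4096, 32)


def matches_hex_key(passphrase: str, ssid: str, hex_key: str) -> bool:
    """Check whether a 64-character hex key is the expansion of a passphrase."""
    expected = wpa_psk(passphrase, ssid, "ascii")
    supplied = wpa_psk(hex_key, ssid, "hex")
    return hmac.compare_digest(expected, supplied)


if __name__ == "__main__":
    # Constructed sample input: passphrase and SSID from the 802.11i test vector.
    psk = wpa_psk("password", "IEEE")
    print("expanded key:", psk.hex())
    print("same passphrase, other SSID:", wpa_psk("password", "IEEE-guest").hex())
    print("round trip:", matches_hex_key("password", "IEEE", psk.hex()))
```

Because the SSID is the salt, the same ASCII passphrase expands to a different 256-bit key on each SSID, so a hex key copied between SSIDs will not match the passphrase clients type.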










