Configure a Security Profile With the CLI
© 2012 Meru Networks, Inc. Configuring Security 125
The 802.1x Termination is configured separately for PEAP and TTLS.
Configure 802.1X Radius Security With the CLI
To allow WLAN access to your site’s 802.1X authorized and authenticated users, set
up 802.1X Radius authentication. To do this:
1. Create a global Radius Server Profile that specifies how to communicate with the
   primary Radius server in your network. If an optional secondary Radius server is
   to be used, a separate profile is also created for it.
2. Create a Security Profile for the ESS that configures 802.1X Layer 2 security and
   assigns a primary Radius profile and optional secondary Radius profile.
Refer to your Radius server documentation regarding how to configure the type of
EAP protocol for your site and the procedure for installing any necessary certificates.
The actual Radius server configuration is not covered here; only the configuration
that enables communication between the Radius server and the controller is
described.
The following commands set up a profile for the primary Radius server, main-auth,
that specifies the server’s IP address and secret key. All other parameters, such
as the port number (1812), are left at their default values:
default# configure terminal
default(config)# radius-profile main-auth
default(config-radius)# ip-address 10.1.100.10
default(config-radius)# key secure-secret
default(config-radius)# exit
For additional reliability, configure a secondary Radius Server Profile to serve as a
backup should the primary server become unavailable.
default# configure terminal
default(config)# radius-profile backup-auth
default(config-radius)# ip-address 10.1.100.2
default(config-radius)# key secure-secret2
default(config-radius)# exit
Next, create the Security Profile that enables 802.1X and points to the profiles that
describe the Radius primary and secondary servers.
Example Security Profile with 802.1X Radius
In the following example, the Security Profile 8021x-data is created. It supports
802.1X authentication and uses the Radius profile main-auth to enable the primary
Radius authentication server and the backup-auth profile for the secondary Radius
server.
default(config)# security-profile 8021x-data
default(config-security)# allowed-l2-modes 802.1x
default(config-security)# radius-server primary main-auth
default(config-security)# radius-server secondary backup-auth
default(config-security)# exit
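
As an added example (not part of the Meru documentation), the following Python script parses a CLI transcript in the form shown above and checks that each 802.1X Security Profile has a primary Radius profile, that every referenced Radius profile is actually defined, and that the primary and secondary do not point at the same server address. The function names and finding messages are assumptions of this example, and it only understands the commands that appear on this page.

```python
import re
PROMPT = re.compile(r"^\S+?(?:\([\w-]+\))?#\s*")  # e.g. "default(config-radius)# "

def parse(transcript):
    """Return (radius_profiles, security_profiles), each a dict keyed by name."""
    radius, security, cur = {}, {}, None
    for raw in transcript.splitlines():
        cmd, *args = PROMPT.sub("", raw.strip()).split() or [""]
        if cmd in ("radius-profile", "security-profile") and args:
            cur = (radius if cmd == "radius-profile" else security).setdefault(args[0], {})
        elif cmd == "radius-server" and len(args) == 2 and cur is not None:
            cur[args[0]] = args[1]              # role ("primary") -> profile name
        elif cmd == "exit" or not args:
            cur = None                          # left the profile sub-mode
        elif cur is not None:
            cur[cmd] = args[0]                  # ip-address, key, allowed-l2-modes
    return radius, security

def audit(transcript):
    """Return findings for 802.1x security profiles whose Radius wiring is broken."""
    radius, security = parse(transcript)
    findings = []
    for name, sec in security.items():
        if sec.get("allowed-l2-modes", "").lower() != "802.1x":
            continue
        if "primary" not in sec:
            findings.append(f"{name}: 802.1x enabled but no primary radius-server")
        for role in ("primary", "secondary"):
            ref = sec.get(role)
            if ref is not None and ref not in radius:
                findings.append(f"{name}: {role} radius-profile {ref} is not defined")
        p, s = (radius.get(sec.get(r), {}) for r in ("primary", "secondary"))
        if p.get("ip-address") and p.get("ip-address") == s.get("ip-address"):
            findings.append(f"{name}: primary and secondary use the same server address")
    return findings

# The page's commands, re-typed as sample input (exit lines omitted).
PAGE_CONFIG = """
default(config)# radius-profile main-auth
default(config-radius)# ip-address 10.1.100.10
default(config-radius)# key secure-secret
default(config)# radius-profile backup-auth
default(config-radius)# ip-address 10.1.100.2
default(config-radius)# key secure-secret2
default(config)# security-profile 8021x-data
default(config-security)# allowed-l2-modes 802.1x
default(config-security)# radius-server primary main-auth
default(config-security)# radius-server secondary backup-auth
"""
```

Calling `audit(PAGE_CONFIG)` returns an empty list for the configuration on this page; a misspelled profile name or a duplicated server address produces one finding per problem.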