User's Manual
Cisco Wireless LAN Controller Configuration Guide
OL-8335-02
Chapter 6 Configuring WLANs
Configuring Wireless LANs
IKE Authentication
IPSec IKE (Internet Key Exchange) uses pre-shared key exchanges, X.509 (RSA Signatures) certificates, 
and XAuth-psk for authentication. Enter these commands to enable IPSec IKE on a wireless LAN that 
uses IPSec:
• config wlan security ipsec ike authentication certificates wlan-id
  – Use the certificates option to specify RSA signatures.
• config wlan security ipsec ike authentication xauth-psk wlan-id key
  – Use the xauth-psk option to specify XAuth pre-shared key.
  – For key, enter a pre-shared key from 8 to 255 case-sensitive ASCII characters.
• config wlan security ipsec ike authentication pre-shared-key wlan-id key
• Enter show wlan to verify that IPSec IKE is enabled. 
IKE Diffie-Hellman Group
IPSec IKE uses Diffie-Hellman groups to block easily decrypted keys. Enter these commands to 
configure the Diffie-Hellman group on a wireless LAN with IPSec enabled:
• config wlan security ipsec ike DH-Group wlan-id group-id
  – For group-id, enter group-1, group-2 (this is the default setting), or group-5.
• Enter show wlan to verify that IPSec IKE DH group is configured. 
IKE Phase 1 Aggressive and Main Modes
IPSec IKE uses the Phase 1 Aggressive (faster) or Main (more secure) mode to set up encryption between 
clients and the controller. Enter these commands to specify the Phase 1 encryption mode for a wireless 
LAN with IPSec enabled:
• config wlan security ipsec ike phase1 {aggressive | main} wlan-id
• Enter show wlan to verify that the Phase 1 encryption mode is configured. 
IKE Lifetime Timeout
IPSec IKE uses its timeout to limit the time that an IKE key is active. Enter these commands to configure 
an IKE lifetime timeout:
• config wlan security ipsec ike lifetime wlan-id seconds
  – For seconds, enter a value from 1800 to 345600 seconds. The default timeout is 28800 seconds.
• Enter show wlan to verify that the key timeout is configured. 
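
The following Python script is an added example, not part of the Cisco guide. It audits a list of the config wlan security ipsec ike commands from the four sections above: values outside the ranges the guide states are errors, and Aggressive mode (which the guide marks as less secure than Main) or a Diffie-Hellman group smaller than group-5 is a warning. The sample configuration is constructed, and the MODP bit sizes are taken from the IKE standards (RFC 2409, RFC 3526), not from this page.

```python
PREFIX = "config wlan security ipsec ike "
# Allowed values and ranges as stated in the guide text above.
KEY_MIN, KEY_MAX = 8, 255
LIFE_MIN, LIFE_MAX = 1800, 345600
# MODP modulus sizes per RFC 2409 / RFC 3526 (not stated on the page).
DH_BITS = {"group-1": 768, "group-2": 1024, "group-5": 1536}

def audit(config_text):
    """Return a list of (line_no, severity, message) for IKE commands."""
    findings = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line.startswith(PREFIX):
            continue  # not an IKE command, out of scope here
        p = line[len(PREFIX):].split(None, 3)  # a key may contain spaces
        kind = p[0] if p else ""
        if kind == "authentication" and len(p) >= 2:
            if p[1] in ("xauth-psk", "pre-shared-key"):
                key = p[3] if len(p) > 3 else ""
                if not (KEY_MIN <= len(key) <= KEY_MAX and key.isascii()):
                    findings.append((no, "error", "key must be 8-255 ASCII characters"))
            elif p[1] != "certificates":
                findings.append((no, "error", f"unknown authentication method {p[1]}"))
        elif kind == "DH-Group" and len(p) == 3:
            bits = DH_BITS.get(p[2])
            if bits is None:
                findings.append((no, "error", f"unknown DH group {p[2]}"))
            elif bits < DH_BITS["group-5"]:
                findings.append((no, "warn", f"{p[2]} ({bits}-bit MODP) is weaker than group-5"))
        elif kind == "phase1" and len(p) == 3:
            if p[1] not in ("aggressive", "main"):
                findings.append((no, "error", f"unknown Phase 1 mode {p[1]}"))
            elif p[1] == "aggressive":
                findings.append((no, "warn", "Aggressive mode is faster but less secure than Main"))
        elif kind == "lifetime" and len(p) == 3:
            if not p[2].isdigit() or not LIFE_MIN <= int(p[2]) <= LIFE_MAX:
                findings.append((no, "error", f"lifetime must be {LIFE_MIN}-{LIFE_MAX} seconds"))
        else:
            findings.append((no, "error", "unrecognized or incomplete IKE command"))
    return findings

# Constructed sample: WLAN 1 is misconfigured, WLAN 2 is clean.
SAMPLE = """config wlan security ipsec ike authentication pre-shared-key 1 short
config wlan security ipsec ike DH-Group 1 group-1
config wlan security ipsec ike phase1 aggressive 1
config wlan security ipsec ike lifetime 1 600
config wlan security ipsec ike authentication certificates 2
config wlan security ipsec ike DH-Group 2 group-5
config wlan security ipsec ike phase1 main 2
config wlan security ipsec ike lifetime 2 28800"""

if __name__ == "__main__":
    for no, sev, msg in audit(SAMPLE):
        print(f"line {no}: {sev}: {msg}")
```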










