User Guide
Table Of Contents
- Cisco Wireless ISR and HWIC Access Point Configuration Guide
- Contents
- Preface
- Overview
- Configuring Radio Settings
- Enabling the Radio Interface
- Roles in Radio Network
- Configuring Network or Fallback Role
- Universal Client Mode
- Configuring Universal Client Mode
- Configuring Radio Data Rates
- Configuring Radio Transmit Power
- Configuring Radio Channel Settings
- Enabling and Disabling World Mode
- Enabling and Disabling Short Radio Preambles
- Configuring Transmit and Receive Antennas
- Disabling and Enabling Access Point Extensions
- Configuring the Ethernet Encapsulation Transformation Method
- Enabling and Disabling Reliable Multicast to Workgroup Bridges
- Enabling and Disabling Public Secure Packet Forwarding
- Configuring Beacon Period and DTIM
- Configuring RTS Threshold and Retries
- Configuring Maximum Data Retries
- Configuring Fragmentation Threshold
- Enabling Short Slot Time for 802.11g Radios
- Performing a Carrier Busy Test
- Configuring Multiple SSIDs
- Configuring an Access Point as a Local Authenticator
- Understand Local Authentication
- Configure a Local Authenticator
- Guidelines for Local Authenticators
- Configuration Overview
- Configuring the Local Authenticator Access Point
- Configuring Other Access Points to Use the Local Authenticator
- Configuring EAP-FAST Settings
- Limiting the Local Authenticator to One Authentication Type
- Unblocking Locked Usernames
- Viewing Local Authenticator Statistics
- Using Debug Messages
- Configuring Encryption Types
- Configuring Authentication Types
- Configuring RADIUS Servers
- Configuring and Enabling RADIUS
- Understanding RADIUS
- RADIUS Operation
- Configuring RADIUS
- Default RADIUS Configuration
- Identifying the RADIUS Server Host
- Configuring RADIUS Login Authentication
- Defining AAA Server Groups
- Configuring RADIUS Authorization for User Privileged Access and Network Services
- Starting RADIUS Accounting
- Selecting the CSID Format
- Configuring Settings for All RADIUS Servers
- Configuring the Access Point to Use Vendor-Specific RADIUS Attributes
- Configuring the Access Point for Vendor-Proprietary RADIUS Server Communication
- Configuring WISPr RADIUS Attributes
- Displaying the RADIUS Configuration
- RADIUS Attributes Sent by the Access Point
- Configuring and Enabling RADIUS
- Configuring VLANs
- Configuring QoS
- Channel Settings
- Protocol Filters
- Supported MIBs
- Error and Event Messages
- Glossary
- Index
6-13
Cisco Wireless ISR and HWIC Access Point Configuration Guide
OL-6415-04
Chapter 6 Configuring Authentication Types
Configure Authentication Types
Configuring Additional WPA Settings
Use two optional settings to configure a pre-shared key on the access point and adjust the frequency of
group key updates.
Setting a Pre-Shared Key
To support WPA on a wireless LAN where 802.1x-based authentication is not available, you must
configure a pre-shared key on the access point. Yo u c an e nt er the p r e-s har ed ke y a s AS CII o r
hexadecimal characters. If you enter the key as ASCII characters, you enter between 8 and 63 characters,
and the access point expands the key using the process described in the Password-based Cryptography
Standard (RFC2898). If you enter the key as hexadecimal characters, you must enter 64 hexadecimal
characters.
Configuring Group Key Updates
In the last step in the WPA process, the access point distributes a group key to the authenticated client
device. You can use these optional settings to configure the access point to change and distribute the
group key based on client association and disassociation:
• Membership termination—the access point generates and distributes a new group key when any
authenticated device disassociates from the access point. This feature keeps the group key private
for associated devices, but it might generate some overhead traffic if clients on your network roam
frequently among access points.
• Capability change—the access point generates and distributes a dynamic group key when the last
non-key management (static WEP) client disassociates, and it distributes the statically configured
WEP key when the first non-key management (static WEP) client authenticates. In WPA migration
mode, this feature significantly improves the security of key-management capable clients when
there are no static-WEP clients associated to the access point.
Beginning in privileged EXEC mode, follow these steps to configure a WPA pre-shared key and group
key update options:
Command Purpose
Step 1
configure terminal Enter global configuration mode.
Step 2
interface dot11radio { 0 | 1 } Enter interface configuration mode for the radio interface. The
2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.
Step 3
ssid ssid-string Enter SSID configuration mode for the SSID.
Step 4
wpa-psk { hex | ascii } [ 0 | 7 ]
encryption-key
Enter a pre-shared key for client devices using WPA that also
use static WEP keys.
Enter the key using either hexadecimal or ASCII characters. If
you use hexadecimal, you must enter 64 hexadecimal
characters to complete the 256-bit key. If you use ASCII, you
must enter a minimum of 8 letters, numbers, or symbols, and
the access point expands the key for you. You can enter a
maximum of 63 ASCII characters.
Step 5
end Return to privileged EXEC mode.