Wireless LAN Controller Layer 2 Layer 3 Security Compatibility Matrix

Introduction

This document provides the compatibility matrix for the Layer 2 and Layer 3 security mechanisms supported on the Wireless LAN Controller (WLC).

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

  • Basic knowledge of the configuration of lightweight APs and Cisco WLCs

  • Basic knowledge of Lightweight AP Protocol (LWAPP)

  • Basic knowledge of wireless security solutions

Components Used

The information in this document is based on a Cisco 4400/2100 Series WLC that runs firmware version 7.0.116.0.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Cisco Unified Wireless Network Security Solutions

The Cisco Unified Wireless Network supports Layer 2 and Layer 3 security methods.

  • Layer 2 security

  • Layer 3 security (for WLAN) or Layer 3 security (for Guest LAN)

Layer 2 security is not supported on Guest LANs.

This table lists the various Layer 2 and Layer 3 security methods supported on the Wireless LAN Controller. These security methods can be enabled from the Security tab on the WLANs > Edit page of the WLAN.

Layer 2 Security Mechanism

  • Layer 2 Security
    • None: No Layer 2 security selected.
    • WPA+WPA2: Use this setting in order to enable Wi-Fi Protected Access.
    • 802.1X: Use this setting in order to enable 802.1x authentication.
    • Static WEP: Use this setting in order to enable Static WEP encryption.
    • Static WEP + 802.1x: Use this setting in order to enable both Static WEP and 802.1x parameters.
    • CKIP: Use this setting in order to enable Cisco Key Integrity Protocol (CKIP). Functional on AP Models 1100, 1130, and 1200, but not AP 1000. Aironet IE needs to be enabled for this feature to work. CKIP expands the encryption keys to 16 bytes.
  • MAC Filtering: Select to filter clients by MAC address. Locally configure clients by MAC address in the MAC Filters > New page. Otherwise, configure the clients on a RADIUS server.

Layer 3 Security Mechanism (for WLAN)

  • Layer 3 Security
    • None: No Layer 3 security selected.
    • IPSec: Use this setting in order to enable IPSec. You need to check software availability and client hardware compatibility before you implement IPSec.
      Note: You must have the optional VPN/Enhanced Security Module (crypto processor card) installed to enable IPSec. Verify it is installed on your controller on the Inventory page.
    • VPN Pass-Through: Use this setting in order to enable VPN Pass-Through.
      Note: This option is not available on Cisco 5500 Series Controllers and Cisco 2100 Series Controllers. However, you can replicate this functionality on a Cisco 5500 Series Controller or Cisco 2100 Series Controller by creating an open WLAN using an ACL.
    • Web Policy: Select this check box to enable Web Policy. The controller forwards DNS traffic to and from wireless clients before authentication.
      Note: Web Policy cannot be used in combination with IPsec or VPN Pass-Through options.
      These parameters are displayed:
      • Authentication—If you select this option, the user is prompted for username and password while connecting the client to the wireless network.
      • Passthrough—If you select this option, the user can access the network directly without the username and password authentication.
      • Conditional Web Redirect—If you select this option, the user can be conditionally redirected to a particular web page after 802.1X authentication successfully completes. You can specify the redirect page and the conditions under which the redirect occurs on your RADIUS server.
      • Splash Page Web Redirect—If you select this option, the user is redirected to a particular web page after 802.1X authentication successfully completes. After the redirect, the user has full access to the network. You can specify the splash web page on your RADIUS server.
      • On MAC Filter failure—Enables web authentication on MAC filter failures.
  • Preauthentication ACL: Select the ACL to be used for traffic between the client and the controller.
  • Over-ride Global Config: Displays if you select Authentication. Check this box in order to override the global authentication configuration set on the Web Login Page.
  • Web Auth type: Displays if you select Web Policy and Over-ride Global Config. Select a type of Web authentication:
    • Internal
    • Customized (Downloaded)
      • Login Page—Select a login page from the drop-down list.
      • Login Failure page—Select a login page that displays to the client if Web authentication fails.
      • Logout page—Select a login page that displays to the client when the user logs out of the system.
    • External (Re-direct to external server)
      • URL—Enter the URL of the external server.
  • Email Input: Displays if you select Passthrough. If you select this option, you are prompted for your email address while connecting to the network.

Layer 3 Security Mechanism (for Guest LAN)

  • Layer 3 Security
    • None: No Layer 3 security selected.
    • Web Authentication: If you select this option, you are prompted for username and password while connecting the client to the network.
    • Web Passthrough: If you select this option, you can access the network directly without the username and password authentication.
  • Preauthentication ACL: Select the ACL to be used for traffic between the client and the controller.
  • Over-ride Global Config: Check this box in order to override the global authentication configuration set on the Web Login Page.
  • Web Auth type: Displays if you select Over-ride Global Config. Select a type of Web authentication:
    • Internal
    • Customized (Downloaded)
      • Login Page—Select a login page from the drop-down list.
      • Login Failure page—Select a login page that displays to the client if Web authentication fails.
      • Logout page—Select a login page that displays to the client when the user logs out of the system.
    • External (Re-direct to external server)
      • URL—Enter the URL of the external server.
  • Email Input: Displays if you select Web Passthrough. If you select this option, you are prompted for your email address while connecting to the network.

Note: In controller software release 4.1.185.0 or later, CKIP is supported for use only with static WEP. It is not supported for use with dynamic WEP. Therefore, a wireless client that is configured to use CKIP with dynamic WEP is unable to associate to a wireless LAN that is configured for CKIP. Cisco recommends that you use either dynamic WEP without CKIP (which is less secure) or WPA/WPA2 with TKIP or AES (which are more secure).

Wireless LAN Controller Layer 2 – Layer 3 Security Compatibility Matrix

When you configure security on a Wireless LAN, both Layer 2 and Layer 3 security methods can be used in conjunction. However, not all the Layer 2 security methods can be used with all Layer 3 security methods. This table shows the compatibility matrix for the Layer 2 and Layer 3 security methods supported on the Wireless LAN Controller.

Layer 2 Security Mechanism   Layer 3 Security Mechanism   Compatibility
None                         None                         Valid
WPA+WPA2                     None                         Valid
WPA+WPA2                     Web Authentication           Invalid
WPA-PSK/WPA2-PSK             Web Authentication           Valid
WPA+WPA2                     Web Passthrough              Invalid
WPA-PSK/WPA2-PSK             Web Passthrough              Valid
WPA+WPA2                     Conditional Web Redirect     Valid
WPA+WPA2                     Splash Page Web Redirect     Valid
WPA+WPA2                     VPN-PassThrough              Valid
802.1x                       None                         Valid
802.1x                       Web Authentication           Invalid
802.1x                       Web Passthrough              Invalid
802.1x                       Conditional Web Redirect     Valid
802.1x                       Splash Page Web Redirect     Valid
802.1x                       VPN-PassThrough              Valid
Static WEP                   None                         Valid
Static WEP                   Web Authentication           Valid
Static WEP                   Web Passthrough              Valid
Static WEP                   Conditional Web Redirect     Invalid
Static WEP                   Splash Page Web Redirect     Invalid
Static WEP                   VPN-PassThrough              Valid
Static-WEP+802.1x            None                         Valid
Static-WEP+802.1x            Web Authentication           Invalid
Static-WEP+802.1x            Web Passthrough              Invalid
Static-WEP+802.1x            Conditional Web Redirect     Invalid
Static-WEP+802.1x            Splash Page Web Redirect     Invalid
Static-WEP+802.1x            VPN-PassThrough              Invalid
CKIP                         None                         Valid
CKIP                         Web Authentication           Valid
CKIP                         Web Passthrough              Valid
CKIP                         Conditional Web Redirect     Invalid
CKIP                         Splash Page Web Redirect     Invalid
CKIP                         VPN-PassThrough              Valid
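The matrix above encoded as a small configuration audit, added here as an example and not part of the Cisco document: it flags WLAN pairings the matrix marks Invalid, the WEP and CKIP choices the document itself recommends replacing with WPA/WPA2, and fully open WLANs. The comma-separated "name, L2, L3" listing format and the WLAN names are constructed for the example, not WLC output.

```python
# Added example, not from the Cisco document: the compatibility matrix as a
# lookup, plus an audit over a constructed "name, L2, L3" WLAN listing.

# Pairings the matrix marks "Valid"; any other pairing in the matrix is "Invalid".
VALID_PAIRS = {
    ("None", "None"),
    ("WPA+WPA2", "None"), ("WPA+WPA2", "Conditional Web Redirect"),
    ("WPA+WPA2", "Splash Page Web Redirect"), ("WPA+WPA2", "VPN-PassThrough"),
    ("WPA-PSK/WPA2-PSK", "Web Authentication"),
    ("WPA-PSK/WPA2-PSK", "Web Passthrough"),
    ("802.1x", "None"), ("802.1x", "Conditional Web Redirect"),
    ("802.1x", "Splash Page Web Redirect"), ("802.1x", "VPN-PassThrough"),
    ("Static WEP", "None"), ("Static WEP", "Web Authentication"),
    ("Static WEP", "Web Passthrough"), ("Static WEP", "VPN-PassThrough"),
    ("Static-WEP+802.1x", "None"),
    ("CKIP", "None"), ("CKIP", "Web Authentication"),
    ("CKIP", "Web Passthrough"), ("CKIP", "VPN-PassThrough"),
}
# Layer 2 methods the document recommends replacing with WPA/WPA2 (TKIP or AES).
WEAK_L2 = {"Static WEP", "Static-WEP+802.1x", "CKIP"}

def audit_wlan(name, l2, l3):
    """Return (wlan, level, reason) findings for one WLAN's L2/L3 pairing."""
    findings = []
    if (l2, l3) not in VALID_PAIRS:
        findings.append((name, "error", f"{l2} with {l3} is Invalid in the matrix"))
    if l2 in WEAK_L2:
        findings.append((name, "warn", f"{l2} is legacy; prefer WPA/WPA2 with TKIP or AES"))
    if (l2, l3) == ("None", "None"):
        findings.append((name, "warn", "open WLAN with no Layer 2 or Layer 3 security"))
    return findings

def audit_listing(listing):
    """Parse 'name, L2, L3' lines (constructed format) and audit every WLAN."""
    findings = []
    for line in listing.strip().splitlines():
        name, l2, l3 = (field.strip() for field in line.split(","))
        findings.extend(audit_wlan(name, l2, l3))
    return findings

# Constructed sample listing: one invalid pairing, one valid, one legacy cipher.
SAMPLE = """corp-dot1x, 802.1x, Web Authentication
guest-psk, WPA-PSK/WPA2-PSK, Web Passthrough
legacy-wep, Static WEP, None"""

if __name__ == "__main__":
    for wlan, level, reason in audit_listing(SAMPLE):
        print(f"[{level}] {wlan}: {reason}")
```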

Updated: Jun 28, 2011
Document ID: 106082