IPv6 Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)
Configuring IPv6 WLAN Security
Downloads: This chapterpdf (PDF - 1.52MB) The complete bookPDF (PDF - 3.89MB) | Feedback

Configuring IPv6 WLAN Security

Prerequisites for IPv6 WLAN Security

A client VLAN must be mapped to the WLAN configured on the switch

Restrictions for IPv6 WLAN Security

RADIUS Server Support

  • If multiple RADIUS servers are configured for redundancy, the user database must be identical in all the servers for the backup to work properly.

Radius ACS Support

  • You must configure RADIUS on both your Cisco Secure Access Control Server (ACS) and your switch
  • RADIUS is supported on Cisco Secure ACS version 3.2 and later releases.

Information About IPv6 WLAN Security

Information About RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol that provides centralized security for users attempting to gain management access to a network. It serves as a back-end database similar to Local EAP and provides authentication and accounting services.

  • Authentication—The process of verifying users when they attempt to log into the switch Users must enter a valid username and password for the switch to authenticate users to the RADIUS server. If multiple databases are configured, then specify the sequence in which the backend database must be tried.
  • Accounting— The process of recording user actions and changes. Whenever a user successfully executes an action, the RADIUS accounting server logs the changed attributes, the user ID of the person who made the change, the remote host where the user is logged in, the date and time when the command was executed, the authorization level of the user, and a description of the action performed and the values provided. If the RADIUS accounting server is unreachable, the users can continue their sessions uninterrupted.

User Datagram Protocol— RADIUS uses User Datagram Protocol (UDP) for its transport. It maintains a database and listens on UDP port 1812 for incoming authentication requests and UDP port 1813 for incoming accounting requests. The switch, which requires access control, acts as the client and requests AAA services from the server. The traffic between the switch and the server is encrypted by an algorithm defined in the protocol and a shared secret key configured on both devices.

Configures multiple RADIUS accounting and authentication servers. For example, you can have one central RADIUS authentication server but several RADIUS accounting servers in different regions. If you configure multiple servers of the same type and the first one fails or becomes unreachable, the controller automatically tries the second one, then the third one if necessary, and so on.

When RADIUS method is configured for the WLAN, the switch will use the RADIUS method configured for the WLAN. When the WLAN is configured to use local EAP, the RADIUS method configured on the WLAN points to Local. The WLAN must also be configured with the name of the local EAP profile to use.

If no RADIUS method is configured in the WLAN, the switch will use the default RADIUS method defined in global mode.

Information About Local EAP

Local EAP is an authentication method that allows users and wireless clients to be authenticated locally. It is designed for use in remote offices that maintain connectivity to wireless clients when the back-end system is disrupted or the external authentication server goes down. When you enable local EAP, the switch serves as the authentication server and the local user database, which removes dependence on an external authentication server. Local EAP retrieves user credentials from the local user database or the LDAP back-end database to authenticate users. Local EAP supports LEAP, EAP-FAST, EAP-TLS, PEAPv0/MSCHAPv2, and PEAPv1/GTC authentication between the controller and wireless clients.


Note


The LDAP back-end database supports these local EAP methods: EAP-TLS, EAP-FAST/GTC, and PEAPv1/GTC. LEAP, EAP-FAST/MSCHAPv2, and PEAPv0. MSCHAPv2 is supported only if the LDAP server is set up to return a clear-text password.



Note


Switch support Local EAP authentication against external LDAP databases such as Microsoft Active Directory and Novell’s eDirectory. For more information about configuring the controller for Local EAP authentication against Novell’s eDirectory, see the Configure Unified Wireless Network for Authentication Against Novell's eDirectory Database whitepaper.


Figure 1. Local EAP Example



How to Configure IPv6 WLAN Security

Configuring Local Authentication

Creating a Local User

SUMMARY STEPS

    1.    configure terminal

    2.    username aaa_test

    3.    password 0 aaa_test

    4.    end


DETAILED STEPS
      Command or Action Purpose
    Step 1 configure terminal


    Example:
    Switch# configure terminal
     

    Enters global command mode.

     
    Step 2 username aaa_test


    Example:
    Switch(config)# username aaa_test
     

    Creates a username.

     
    Step 3 password 0 aaa_test


    Example:
    Switch(config)# usernameaaa_test password 0 aaa_test
     

    Assigns a password for the username.

     
    Step 4 end


    Example:
    Switch(config)# end
     

    Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit the global configuration mode.

     

    Switch# configure terminal
    Switch(config)# username aaa_test password 0 aaa_test
    Switch(config)# end

    Creating an Client VLAN and Interface

    SUMMARY STEPS

      1.    configure terminal

      2.    vlan

      3.    exit

      4.    interface vlan vlan_ID

      5.    ip address

      6.    ipv6 address

      7.    end


    DETAILED STEPS
        Command or Action Purpose
      Step 1 configure terminal


      Example:
      Switch# configure terminal
       

      Enters global command mode.

       
      Step 2 vlan


      Example:
      Switch(config)# vlan 137
      
       

      Creates a VLAN.

       
      Step 3 exit


      Example:
      Switch (config-vlan)# exit
       

      Exits VLAN configuration mode.

       
      Step 4 interface vlan vlan_ID


      Example:
      Switch (config)# interface vlan 137
       

      Associates the VLAN to an interface.

       
      Step 5 ip address


      Example:
      Switch(config-if)# ip address 10.7.137.10 255.255.255.0
       

      Assigns an IP address to the VLAN interface.

       
      Step 6 ipv6 address


      Example:
      Switch(config-if)#ipv6 address 2001:db8::20:1/64
       

      Assigns an IPv6 address to the VLAN interface.

       
      Step 7 end


      Example:
      Switch(config)# end
       

      Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit the global configuration mode.

       
      Switch# configure terminal
      Switch(config)# vlan 137
      Switch(config-vlan)#exit
      Switch(config)#interface vlan 137
      Switch(config-if)#ip address 10.7.137.10 255.255.255.0
      Switch(config-if)#ipv6 address 2001:db8::20:1/64
      Switch(config-if)#end

      Configuring a EAP Profile

      SUMMARY STEPS

        1.    eap profile name

        2.    method leap

        3.    method tls

        4.    method peap

        5.    method mschapv2

        6.    method md5

        7.    method gtc

        8.    method fast profile my-fast

        9.    description my_localeap profile

        10.    exit

        11.    eap method fast profilemyFast

        12.    authority-id [identity|information]

        13.    local-key 0 key-name

        14.    pac-password 0 password

        15.    end


      DETAILED STEPS
          Command or Action Purpose
        Step 1 eap profile name


        Example:
        Switch(config)# eap profile wcm_eap_prof
         

        Creates a EAP profile.

         
        Step 2 method leap


        Example:
        Switch(config-eap-profile)# method leap
         

        Configures EAP-LEAP method on the profile.

         
        Step 3 method tls


        Example:
        Switch(config-eap-profile)# method tls
         

        Configures EAP-TLS method on the profile.

         
        Step 4 method peap


        Example:
        Switch(config-eap-profile)# method peap
         

        Configures PEAP method on the profile.

         
        Step 5 method mschapv2


        Example:
        Switch(config-eap-profile)# method mschapv2
         

        Configures EAP-MSCHAPV2 method on the profile.

         
        Step 6 method md5


        Example:
        Switch(config-eap-profile)# method md5
         

        Configures EAP-MD5 method on the profile.

         
        Step 7 method gtc


        Example:
        Switch(config-eap-profile)# method gtc
         

        Configures EAP-GTC method on the profile.

         
        Step 8 method fast profile my-fast


        Example:
        Switch(config-eap-profile)# eap method fast profile my-fast
        Switch (config-eap-profile)#description my_local eap profile
        
         

        Creates a EAP profile named my-fast.

         
        Step 9 description my_localeap profile


        Example:
        Switch (config-eap-profile)#description my_local eap profile
        
         

        Provides a description for the local profile.

         
        Step 10 exit


        Example:
        Switch (config-eap-profile)# exit
         

        Exits the eap-profile configuration mode.

         
        Step 11 eap method fast profilemyFast


        Example:
        Switch (config)# eap method fast profile myFast
         

        Configures the EAP method profile.

         
        Step 12 authority-id [identity|information]


        Example:
        Switch(config-eap-method-profile)# authority-id identity my_identity
        Switch(config-eap-method-profile)#authority-id information my_information
         

        Configure the authority ID and information for the EAP method profile.

         
        Step 13 local-key 0 key-name


        Example:
        Switch(config-eap-method-profile)# local-key 0 test
         

        Configures the local server key.

         
        Step 14 pac-password 0 password


        Example:
        Switch(config-eap-method-profile)# pac-password 0 test
         

        Configures the PAC password for manual PAC provisioning.

         
        Step 15 end


        Example:
        Switch(config)# end
         

        Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit the global configuration mode.

         
        Switch(config)#eap profile wcm_eap_prof
        Switch(config-eap-profile)#method leap 
        Switch(config-eap-profile)#method tls
        Switch(config-eap-profile)#method peap
        Switch(config-eap-profile)#method mschapv2
        Switch(config-eap-profile)#method md5
        Switch(config-eap-profile)#method gtc
        Switch(config-eap-profile)#eap method fast profile my-fast
        Switch (config-eap-profile)#description my_local eap profile
        Switch(config-eap-profile)# exit
        Switch (config)# eap method fast profile myFast
        Switch(config-eap-method-profile)#authority-id identity my_identity
        Switch(config-eap-method-profile)#authority-id information my_information
        Switch(config-eap-method-profile)#local-key 0 test
        Switch(config-eap-method-profile)#pac-password 0 test
        Switch(config-eap-method-profile)# end

        Creating a Local Authentication Model

        SUMMARY STEPS

          1.    aaa new-model

          2.    authentication dot1x default local

          3.    dot1x method_list local

          4.    aaa authentication dot1x dot1x_name local

          5.    aaa authorization credential-download name local

          6.    aaa local authentication auth-name authorization authorization-name

          7.    session ID

          8.    dot1x system-auth-control


        DETAILED STEPS
            Command or Action Purpose
          Step 1 aaa new-model


          Example:
          Switch(config)# aaa new-model
           

          Creates a AAA authentication model.

           
          Step 2 authentication dot1x default local


          Example:
          Switch(config)# aaa authentication dot1x default local
           

          Implies that the dot1x must use the default local RADIUS when no other method is found.

           
          Step 3 dot1x method_list local


          Example:
          Switch(config)# aaa authentication dot1x wcm_local local
           

          Assigns the local authentication for wcm_local method list.

           
          Step 4 aaa authentication dot1x dot1x_name local


          Example:
          Switch(config)# aaa authentication dot1x aaa_auth local
           

          Configures the local authentication for the dot1x method.

           
          Step 5 aaa authorization credential-download name local


          Example:
          Switch(config)# aaa authorization credential-download wcm_author local
           

          Configures local database to download EAP credentials from Local/RADIUS/LDAP.

           
          Step 6 aaa local authentication auth-name authorization authorization-name


          Example:
          Switch(config)# aaa local authentication wcm_local authorization wcm_author
           

          Selects local authentication and authorization.

           
          Step 7 session ID


          Example:
          Switch(config)# aaa session-id common
           

          Configures a session ID for AAA.

           
          Step 8 dot1x system-auth-control


          Example:
           Switch(config)# dot1x system-auth-control
           

          Enables dot.1x system authentication control.

           
          Switch(config)# aaa new-model
          Switch(config)# aaa authentication dot1x default local
          Switch(config)# aaa authentication dot1x wcm-local local
          Switch(config)# aaa authentication dot1x aaa_auth local
          Switch(config)# aaa authorization credential-download wcm_author local
          Switch(config)# aaa local authentication wcm_local authorization wcm_author
          Switch(config)# aaa session-id common
          Switch(config)# dot1x system-auth-control

          Creating a Client WLAN


          Note


          This example uses 802.1x with dynamic WEP. You can use any other security mechanism supported by the wireless client and configurable on the switch
          SUMMARY STEPS

            1.    configure terminal

            2.    wlan wlan name <identifier> SSID

            3.    broadcast-ssid

            4.    no security wpa

            5.    security dot1x

            6.    security dot1x authentication-list wcm-local

            7.    local-auth wcm_eap_prof

            8.    client vlan 137

            9.    no shutdown

            10.    end


          DETAILED STEPS
              Command or Action Purpose
            Step 1 configure terminal


            Example:
            Switch# configure terminal
             

            Enters global command mode.

             
            Step 2 wlan wlan name <identifier> SSID


            Example:
            Switch(config)# wlan wlanProfileName 1 ngwcSSID
            
             

            Creates a WLAN.

             
            Step 3 broadcast-ssid


            Example:
            Switch(config-wlan)# broadcast-ssid
            
             

            Configures to broadcast the SSID on a WLAN.

             
            Step 4 no security wpa


            Example:
            Switch(config-wlan)# no security wpa
            
             

            Disables the wpa for WLAN to enable 802.1x.

             
            Step 5 security dot1x


            Example:
            Switch(config-wlan)# security dot1x 
            
             

            Configures the 802.1x encryption security for the WLAN.

             
            Step 6 security dot1x authentication-list wcm-local


            Example:
            Switch(config-wlan)# security dot1x authentication-list wcm-local
            
             

            Configures the server group mapping to the WLAN for dot1x authentication.

             
            Step 7 local-auth wcm_eap_prof


            Example:
            Switch (config-wlan)# local-auth wcm_eap_profile
             

            Configures the eap profile on the WLAN for local authentication.

             
            Step 8 client vlan 137


            Example:
            Switch(config-wlan)# client vlan 137
            
             

            Associates the VLAN to a WLAN.

             
            Step 9 no shutdown


            Example:
            Switch(config-wlan)# no shutdown
            
             

            Enables the WLAN.

             
            Step 10 end


            Example:
            Switch(config)# end
             

            Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit the global configuration mode.

             
            Switch# config terminal
            Switch(config)#wlan wlanProfileName 1 ngwcSSID
            Switch(config-wlan)#broadcast-ssid
            Switch(config-wlan)#no security wpa
            Switch(config-wlan)#security dot1x 
            Switch(config-wlan)#security dot1x authentication-list wcm-local
            Switch (config-wlan)# local-auth wcm_eap_prof
            Switch(config-wlan)#client vlan 137
            Switch(config-wlan)#no shutdown
            Switch(config-wlan)#end
            Switch# 

            Configuring Local Authentication with WPA2+AES

            SUMMARY STEPS

              1.    configure terminal

              2.    aaa new model

              3.    dot1x system-auth-control

              4.    aaa authentication dot1x default local

              5.    aaa local authorization credential-download default local

              6.    aaa local authentication default authorization default

              7.    eap profile wcm_eap_profile

              8.    method leap

              9.    end


            DETAILED STEPS
                Command or Action Purpose
              Step 1 configure terminal


              Example:
              Switch# configure terminal
               

              Enters global command mode.

               
              Step 2 aaa new model


              Example:
              Switch(config)# aaa new-model
               

              Creates a AAA authentication model.

               
              Step 3 dot1x system-auth-control


              Example:
              Switch(config)# dot1x system-auth-control
               

              Enables dot1x system authentication control.

               
              Step 4 aaa authentication dot1x default local


              Example:
              Switch(config)# aaa authentication dot1x default local
               

              Configures the local authentication for the default dot1x method.

               
              Step 5 aaa local authorization credential-download default local


              Example:
              Switch(config)# aaa authorization credential-download default local
               

              Configures default database to download EAP credentials from local server.

               
              Step 6 aaa local authentication default authorization default


              Example:
              Switch(config)# aaa local authentication default authorization default
               

              Selects the default local authentication and authorization.

               
              Step 7 eap profile wcm_eap_profile


              Example:
              Switch(config)#eap profile wcm_eap_profile
               

              Creates an EAP profile.

               
              Step 8 method leap


              Example:
              Switch(config)# method leap
               

              Configures EAP-LEAP method on the profile.

               
              Step 9 end


              Example:
              Switch(config)# end
               

              Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit the global configuration mode.

               

              Switch# configure terminal
              Switch(config)# aaa new-model
              Switch(config)# dot1x system-auth-control
              Switch(config)# aaa authentication dot1x default local
              Switch(config)# aaa authorization credential-download default local
              Switch(config)# aaa local authentication default authorization default
              Switch(config)#eap profile wcm_eap_profile
              Switch(config)# method leap
              Switch(config)# end

              Creating Client VLAN for WPA2+AES

              Create a VLAN for the WPA2+AES type of local authentication. This VLAN is later mapped to a WLAN.

              SUMMARY STEPS

                1.    configure terminal

                2.    vlan vlan_ID

                3.    exit

                4.    interface vlan vlan_ID

                5.    ip address

                6.    ipv6 address

                7.    exit


              DETAILED STEPS
                  Command or Action Purpose
                Step 1 configure terminal


                Example:
                Switch# configure terminal
                 

                Enters global command mode.

                 
                Step 2 vlan vlan_ID


                Example:
                Switch (config)# vlan 105
                 

                Creates a VLAN.

                 
                Step 3 exit


                Example:
                Switch (config-vlan)# exit
                 

                Exits from the VLAN mode.

                 
                Step 4 interface vlan vlan_ID


                Example:
                Switch(config)# interface vlan 105
                 

                Associates the VLAN to the interface.

                 
                Step 5 ip address


                Example:
                Switch(config-if)# ip address  10.8.105.10 255.255.255.0
                 

                Assigns IP address to the VLAN interface.

                 
                Step 6 ipv6 address


                Example:
                Switch(config-if)#ipv6 address 2001:db8::10:1/64
                 

                Assigns IPv6 address to the VLAN interface.

                 
                Step 7 exit


                Example:
                Switch (config-if)# exit
                 

                Exits from the interface mode.

                 

                Switch# configure terminal
                Switch(config)# vlan105
                Switch (config-vlan)# exit
                Switch (config)# interface vlan 105
                Switch(config-if)#ip address 10.8.105.10 255.255.255.0
                Switch(config-if)#ipv6 address 2001:db8::10:1/64
                Switch(config-if)#exit
                Switch(config)#

                Related Tasks

                Creating WLAN for WPA2+AES

                Create a WLAN and map it to the client VLAN created for WPA2+AES.

                SUMMARY STEPS

                  1.    configure terminal

                  2.    wlan wpas2-aes-wlan 1 wpas2-aes-wlan

                  3.    client vlan 105

                  4.    local-auth wcm_eap_profile

                  5.    security dot1x authentication-list default

                  6.    no shutdown

                  7.    end


                DETAILED STEPS
                    Command or Action Purpose
                  Step 1 configure terminal


                  Example:
                  Switch# configure terminal
                   

                  Enters global command mode.

                   
                  Step 2 wlan wpas2-aes-wlan 1 wpas2-aes-wlan


                  Example:
                  Switch(config)#wlan wpa2-aes-wlan 1 wpa2-aes-wlan
                  Switch(config-wlan)#
                   

                  Creates a WLAN.

                   
                  Step 3 client vlan 105


                  Example:
                  Switch(config-wlan)#client vlan 105
                  Switch(config-wlan)#
                   

                  Maps the WLAN to the client VLAN.

                   
                  Step 4 local-auth wcm_eap_profile


                  Example:
                  Switch(config-wlan)#local-auth wcm_eap_profile
                   

                  Creates and sets the EAP profile on the WLAN.

                   
                  Step 5 security dot1x authentication-list default


                  Example:
                  Switch(config-wlan)#security dot1x authentication-list default 
                  
                   

                  Uses the default dot1x authentication list.

                   
                  Step 6 no shutdown


                  Example:
                  Switch(config-wlan)#no shutdown
                  Switch(config-wlan)#
                   

                  Enables the WLAN.

                   
                  Step 7 end


                  Example:
                  Switch(config)# end
                   

                  Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

                   

                  Switch# configure terminal
                  Switch(config)#wlan wpa2-aes-wlan 1 wpa2-aes-wlan
                  Switch(config-wlan)#client vlan 105
                  Switch(config-wlan)#local-auth wcm_eap_profile
                  Switch(config-wlan)#security dot1x authentication-list default 
                  Switch(config-wlan)#no shutdown
                  Switch(config-wlan)# exit

                  Configuring External RADIUS Server

                  Configuring RADIUS Authentication Server Host

                  SUMMARY STEPS

                    1.    configure terminal

                    2.    radius server One

                    3.    address ipv4 address auth-portauth_port_number acct-port acct_port_number

                    4.    address ipv6 address auth-portauth_port_number acct-port acct_port_number

                    5.    key 0cisco

                    6.   


                  DETAILED STEPS
                      Command or Action Purpose
                    Step 1 configure terminal


                    Example:
                    Switch# configure terminal
                     

                    Enters global command mode.

                     
                    Step 2 radius server One


                    Example:
                    Switch (config)# radius server One
                     

                    Creates a radius server.

                     
                    Step 3 address ipv4 address auth-portauth_port_number acct-port acct_port_number


                    Example:
                    Switch (config-radius-server)# address ipv4 10.10.10.10 auth-port 1812 acct-port 1813  
                     

                    Configures the IPv4 address for the radius server.

                     
                    Step 4 address ipv6 address auth-portauth_port_number acct-port acct_port_number


                    Example:
                    Switch (config-radius-server)# address ipv6 2001:db8::25:2 auth-port 1812 acct-port 1813 
                     
                    Configures the IPv6 address for the radius server. 
                    Step 5 key 0cisco


                    Example:
                    Switch (config-radius-server)# key 0 cisco
                     

                    exit

                     
                    Step 6


                    Example:
                    Switch (config-radius-server)# exit
                     

                    Exits from the radius server mode.

                     

                    Switch# configure terminal
                    Switch (config)# radius server One
                    Switch (config-radius-server)# address ipv4 10.10.10.10 auth-port 1812 acct-port 1813 
                    Switch (config-radius-server)# address ipv6 2001:db8::25:2 auth-port 1812 acct-port 1813
                    Switch (config-radius-server)# key 0 cisco
                    Switch (config-radius-server)#exit
                    

                    Configuring RADIUS Authentication Server Group

                    SUMMARY STEPS

                      1.    configure terminal

                      2.    aaa new-model

                      3.    aaa group server radius wcm_rad

                      4.    server <ip address>auth-port1812acct-port1813

                      5.    aaa authentication dot1x method_list group wcm_rad

                      6.    dot1x system-auth-control

                      7.    aaa session-idcommon


                    DETAILED STEPS
                        Command or Action Purpose
                      Step 1 configure terminal


                      Example:
                      Switch# configure terminal
                       

                      Enters global command mode.

                       
                      Step 2 aaa new-model


                      Example:
                      Switch(config)#aaa new-model
                       

                      Creates a AAA authentication model.

                       
                      Step 3 aaa group server radius wcm_rad


                      Example:
                      Switch(config)# aaa group server radius wcm_rad
                      Switch(config-sg-radius)#
                       

                      Creates an radius server-group.

                       
                      Step 4 server <ip address>auth-port1812acct-port1813


                      Example:
                      Switch(config-sg-radius)# server One auth-port 1812 acct-port 1813
                      Switch(config-sg-radius)# server Two auth-port 1812 acct-port 1813
                      Switch(config-sg-radius)# server Three auth-port 1812 acct-port 1813
                       

                      Adds servers to the radius group created in Step 3. Configures the UDP port for RADIUS accounting server and authentication server.

                       
                      Step 5 aaa authentication dot1x method_list group wcm_rad


                      Example:
                      Switch(config)# aaa authentication dot1x method_list group wcm_rad
                      
                       

                      Maps the method list to the radius group.

                       
                      Step 6 dot1x system-auth-control


                      Example:
                      Switch(config)# dot1x system-auth-control
                      
                       

                      Enables the system authorization control for the radius group.

                       
                      Step 7 aaa session-idcommon


                      Example:
                      Switch(config)# aaa session-id common
                      
                       

                      Ensures that all session IDs information sent out, from the radius group, for a given call are identical.

                       

                      Switch# configure terminal
                      Switch(config)# aaa new-model
                      Switch(config)# aaa group server radius wcm_rad
                      Switch(config-sg-radius)# server One auth-port 1812 acct-port 1813
                      Switch(config-sg-radius)# server Two auth-port 1812 acct-port 1813
                      Switch(config-sg-radius)# server Three auth-port 1812 acct-port 1813
                      Switch(config)# aaa authentication dot1x method_list group wcm_rad
                      Switch(config)# dot1x system-auth-control
                      Switch(config)# aaa session-id common
                      Switch(config)#

                      Creating a Client VLAN

                      SUMMARY STEPS

                        1.    configure terminal

                        2.    vlan 137

                        3.    exit

                        4.    interface vlan 137

                        5.    ip address 10.7.137.10 255.255.255.0

                        6.    ipv6 address 2001:db8::30:1/64

                        7.    end


                      DETAILED STEPS
                          Command or Action Purpose
                        Step 1 configure terminal


                        Example:
                        Switch# configure terminal
                         

                        Enters global command mode.

                         
                        Step 2 vlan 137


                        Example:
                        Switch(config)# vlan 137
                         

                        Creates a VLAN and associate it to the interface.

                         
                        Step 3 exit


                        Example:
                        Switch (config-vlan)# exit
                         

                        Exits from the VLAN mode.

                         
                        Step 4 interface vlan 137


                        Example:
                        Switch (config)# interface vlan 137
                         

                        Assigns a VLAN to an interface.

                         
                        Step 5 ip address 10.7.137.10 255.255.255.0


                        Example:
                        Switch(config-if)# ip address 10.7.137.10 255.255.255.0
                         

                        Assigns an IPv4 address to the VLAN interface.

                         
                        Step 6 ipv6 address 2001:db8::30:1/64


                        Example:
                        Switch(config-if)# ipv6 address  2001:db8::30:1/64
                         

                        Assigns an IPv6 address to the VLAN interface.

                         
                        Step 7 end


                        Example:
                        Switch(config)# end
                         

                        Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

                         

                        Switch# configure terminal
                        Switch(config)# vlan137
                        Switch(config-vlan)# exit
                        Switch(config)# interface vlan137
                        Switch(config-if)# ip address 10.7.137.10 255.255.255.0
                        Switch(config-if)# ipv6 address 2001:db8::30:1/64
                        Switch(config-if)# end
                        

                        Creating 802.1x WLAN Using an External RADIUS Server

                        SUMMARY STEPS

                          1.    configure terminal

                          2.    wlan ngwc-1x<ssid>ngwc-1x

                          3.    broadcast-ssid

                          4.    no security wpa

                          5.    security dot1x

                          6.    security dot1x authentication-list wcm-rad

                          7.    client vlan 137

                          8.    no shutdown

                          9.    end


                        DETAILED STEPS
                            Command or Action Purpose
                          Step 1 configure terminal


                          Example:
                          Switch# configure terminal
                           

                          Enters global command mode.

                           
                          Step 2 wlan ngwc-1x<ssid>ngwc-1x


                          Example:
                          Switch(config)# wlan ngwc_8021x 2 ngwc_8021x
                          
                           

                          Creates a new WLAN for 802.1x authentication.

                           
                          Step 3 broadcast-ssid


                          Example:
                          Switch(config-wlan)# broadcast-ssid
                          
                           

                          Configures to broadcast the SSID on WLAN.

                           
                          Step 4 no security wpa


                          Example:
                          Switch(config-wlan)# no security wpa
                          
                           

                          Disables the WPA for WLAN to enable 802.1x.

                           
                          Step 5 security dot1x


                          Example:
                          Switch(config-wlan)# security dot1x 
                          
                           

                          Configures the 802.1x encryption security for the WLAN.

                           
                          Step 6 security dot1x authentication-list wcm-rad


                          Example:
                          Switch(config-wlan)# security dot1x authentication-list wcm-rad
                          
                           

                          Configures the server group mapping to the WLAN for dot1x authentication.

                           
                          Step 7 client vlan 137


                          Example:
                          Switch(config-wlan)# client vlan 137
                          
                           

                          Associates the VLAN to a WLAN.

                           
                          Step 8 no shutdown


                          Example:
                          Switch(config-wlan)# no shutdown
                          
                           

                          Enables the WLAN.

                           
                          Step 9 end


                          Example:
                          Switch(config)# end
                           

                          Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit the global configuration mode.

                           
                          Switch# configure terminal
                          Switch(config)#wlan ngwc_8021x 2 ngwc_8021x
                          Switch(config-wlan)# broadcast-ssid
                          Switch(config-wlan)# no security wpa
                          Switch(config-wlan)# security dot1x 
                          Switch(config-wlan)# security dot1x authentication-list wcm-rad
                          Switch(config-wlan)# client vlan 137
                          Switch(config-wlan)# no shutdown
                          Switch(config-wlan)# end
                          Related Tasks

                          Additional References

                          Related Documents

                          Related Topic Document Title
                          IPv6 command reference IPv6 Command Reference (Catalyst 3850 Switches)
                          WLAN command reference WLAN Command Reference, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)
                          WLAN configuration WLAN Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)

                          Error Message Decoder

                          Description Link

                          To help you research and resolve system error messages in this release, use the Error Message Decoder tool.

                          https:/​/​www.cisco.com/​cgi-bin/​Support/​Errordecoder/​index.cgi

                          MIBs

                          MIB MIBs Link
                          All supported MIBs for this release.

                          To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

                          http:/​/​www.cisco.com/​go/​mibs

                          Technical Assistance

                          Description Link

                          The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

                          To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

                          Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

                          http:/​/​www.cisco.com/​support

                          Feature Information for IPv6 WLAN Security

                          This table lists the features in this module and provides links to specific configuration information:

                          Feature

                          Release

                          Modification

                          IPv6 WLAN Security Functionality

                          Cisco IOS XE 3.2SE

                          This feature was introduced.