Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.
Use Cisco Feature Navigator to find information about platform support and Cisco
software image support. To access Cisco Feature Navigator, go to
http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.
Prerequisites for Layer 2 Security
WLANs with the same SSID must have unique Layer 2 security policies so that clients can make a WLAN selection based on information advertised in beacon and probe responses. The available Layer 2 security policies are as follows:
None (open WLAN)
Static WEP or 802.1X
Note
Because static WEP and 802.1X are both advertised by the same bit in beacon and probe responses, they cannot be differentiated by clients. Therefore, they cannot both be used by multiple WLANs with the same SSID.
WPA/WPA2
Note
Although WPA and WPA2 cannot be used by multiple WLANs with the same SSID, you can configure two WLANs with the same SSID with WPA/TKIP with PSK and Wi-Fi Protected Access (WPA )/Temporal Key Integrity Protocol (TKIP) with 802.1X, or with WPA/TKIP with 802.1X or WPA/AES with 802.1X.
The AAA Override option of a WLAN enables you to configure the WLAN for identity networking. It enables you to apply VLAN tagging, Quality of Service (QoS), and Access Control Lists (ACLs) to individual clients based on the returned RADIUS attributes from the AAA server.
Switch(config-wlan)# security static-wep-key encryption 40 hex 0 test 2
Configures static WEP security on a WLAN.
The keywords and arguments are as follows:
authentication—Configures 802.11 authentication.
encryption—Sets the static WEP keys and indices.
open—Configures open system authentication.
sharedkey—Configures shared key authentication.
104, 40—Specifies the WEP key size.
hex, ascii—Specifies the input format of the key.
wep-key-index , wep-key-index1-4—Type of password that follows. A value of 0 indicates that an unencrypted password follows. A value of 8 indicates that an AES encrypted follows.
Step 4
end
Example:
Switch(config)# end
Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
authentication—Specifies the authentication type you can set. The values are open and shared.
encryption—Specifies the encryption type that you can set. The valid values are 104 and 40. 40-bit keys must contain 5 ASCII text characters or 10 hexadecimal characters. 104-bit keys must contain 13 ASCII text characters or 26 hexadecimal characters
ascii—Specifies the key format as ASCII.
hex—Specifies the key format as HEX.
Step 4
end
Example:
Switch(config)# end
Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
authentication-list—Specifies the authentication list for IEEE 802.1X.
encryption—Specifies the length of the CKIP encryption key. The valid values are 0, 40, and 104. Zero (0) signifies no encryption. This is the default.
Note
All keys within a WLAN must be of the same size.
Step 5
end
Example:
Switch(config)# end
Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
Click the WLANs profile of the WLAN you want to configure.
The WLANs > Edit > page appears.
Step 3
Click the Security > Layer 2 > tab.
Parameter
Description
Layer2 Security
Layer2 security for the selected WLAN. Values are the following:
None—No Layer 2 security selected.
WPA+WPA2—Wi-Fi Protected Access.
802.1X—WEP 802.1X data encryption type. For information on these settings, see the Layer 2 802.1X Parameters topic.
Static WEP—Static WEP encryption parameters.
Static WEP + 802.1x—Both Static WEP and 802.1X parameters.
MAC Filtering
MAC address filtering. You can locally configure clients by their MAC addresses in the MAC Filters > New page . Otherwise, configure the clients on a RADIUS server.
Note
MAC Filtering is also known as MAC Authentication By Pass (MAB).
Fast Transition
Check box to enable or disable a
fast transition
between access points.
Over the DS
Check box to enable or disable a
fast transition
over a distributed system.
Reassociation Timeout
Time in seconds after which a
fast transition
reassociation times out.
To configure the WPA + WPA2 parameters, provide the following details:
Parameter
Description
WPA Policy
Check box to enable or disable WPA policy.
WPA Encryption
WPA2 encryption type: TKIP or AES. Available only if the WPA policy is enabled.
WPA2 Policy.
Check box to enable or disable WPA2 policy.
WPA2 Encryption
WPA2 encryption type: TKIP or AES. Available only if the WPA2 policy is enabled.
Authentication Key Management
The rekeying mechanism parameter.. Values are the following:
802.1X
CCKM
PSK
802.1x + CCKM
PSK Format
Enabled when you select the PSK value for Authentication Key Management. Choose ASCII or the HEX format and enter the preshared key.
To configure 802.1x parameters, provide the following details:
Parameter
Description
802.11 data encryption
WEP 802.11 data encryption type.
Type
Security type.
Key size
Key size. Values are the following:
None
40 bits
104 bits
The third-party AP WLAN (17) can only be configured with 802.1X encryption. Drop-down configurable 802.1X parameters are not available for this WLAN.
To specify Static WEP, configure the following parameters:
Parameter
Description
802.11 Data Encryption
Static WEP encryption type.
Current Key
Displays the current selected key details.
Type
Security type.
Key size
Key size. Values are the following:
Not set
40 bits
104 bits
Key Index
Key index from 1 to 4.
One unique WEP key index can be applied to each WLAN. Because there are only four WEP key indexes, only four WLANs can be configured for static WEP Layer 2 encryption.
Because there are only four WEP key indexes, only four WLANs can be configured for static WEP Layer 2 encryption.
Encryption Key
Encryption key.
Key Format
Encryption key format in ASCII or HEX.
Allow Shared Key Authentication
Key authentication that you can enable or disable.
To configure Static WEP + 802.1X Parameters
Parameter
Description
Static WEP Parameters
802.11 Data Encryption
Static WEP encryption type.
Current Key
Displays the current selected key details.
Type
Security type.
Key size
Key size. Values are the following:
Not set
40 bits
104 bits
Key Index
Key index from 1 to 4.
One unique WEP key index can be applied to each WLAN. Because there are only four WEP key indexes, only four WLANs can be configured for static WEP Layer 2 encryption.
Because there are only four WEP key indexes, only four WLANs can be configured for static WEP Layer 2 encryption.
Encryption Key
Encryption key.
Key Format
Encryption key format in ASCII or HEX.
Allow Shared Key Authentication
Key authentication that you can enable or disable.
802.1x Parameters
802.11 Data Encryption
Static WEP encryption type.
Current Key
Display Only. The current selected key details.
Type
Security type.
Key size
Key size. Values are the following:
Not set
40 bits
104 bits
Key Index
Key index from 1 to 4.
Note One unique WEP key index can be applied to each WLAN. Because there are only four WEP key indexes, only four WLANs can be configured for static WEP Layer 2 encryption.
Encryption Key
Encryption key.
Key Format
Encryption key format in ASCII or HEX.
Allow Shared Key Authentication
Key authentication that you can enable or disable.
The Cisco Support website provides extensive online resources,
including documentation and tools for troubleshooting and
resolving technical issues with Cisco products and technologies.
To receive security and technical information about your
products, you can subscribe to various services, such as the
Product Alert Tool (accessed from Field Notices), the Cisco
Technical Services Newsletter, and Really Simple Syndication
(RSS) Feeds.
Access to most tools on the Cisco Support website requires a
Cisco.com user ID and password.