Configuring IPv6 WLAN Security

Prerequisites for IPv6 WLAN Security

A client VLAN must be mapped to the WLAN configured on the switch

Restrictions for IPv6 WLAN Security

RADIUS Server Support

  • If multiple RADIUS servers are configured for redundancy, the user database must be identical in all the servers for the backup to work properly.

Radius ACS Support

  • You must configure RADIUS on both your Cisco Secure Access Control Server (ACS) and your switch

  • RADIUS is supported on Cisco Secure ACS version 3.2 and later releases.

Information About IPv6 WLAN Security

Information About RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol that provides centralized security for users attempting to gain management access to a network. It serves as a back-end database similar to Local EAP and provides authentication and accounting services.

  • Authentication—The process of verifying users when they attempt to log into the switch

    Users must enter a valid username and password for the switch to authenticate users to the RADIUS server. If multiple databases are configured, then specify the sequence in which the backend database must be tried.

  • Accounting— The process of recording user actions and changes.

    Whenever a user successfully executes an action, the RADIUS accounting server logs the changed attributes, the user ID of the person who made the change, the remote host where the user is logged in, the date and time when the command was executed, the authorization level of the user, and a description of the action performed and the values provided. If the RADIUS accounting server is unreachable, the users can continue their sessions uninterrupted.

User Datagram Protocol— RADIUS uses User Datagram Protocol (UDP) for its transport. It maintains a database and listens on UDP port 1812 for incoming authentication requests and UDP port 1813 for incoming accounting requests. The switch, which requires access control, acts as the client and requests AAA services from the server. The traffic between the switch and the server is encrypted by an algorithm defined in the protocol and a shared secret key configured on both devices.

Configures multiple RADIUS accounting and authentication servers. For example, you can have one central RADIUS authentication server but several RADIUS accounting servers in different regions. If you configure multiple servers of the same type and the first one fails or becomes unreachable, the controller automatically tries the second one, then the third one if necessary, and so on.

When RADIUS method is configured for the WLAN, the switch will use the RADIUS method configured for the WLAN. When the WLAN is configured to use local EAP, the RADIUS method configured on the WLAN points to Local. The WLAN must also be configured with the name of the local EAP profile to use.

If no RADIUS method is configured in the WLAN, the switch will use the default RADIUS method defined in global mode.

Information About Local EAP

Local EAP is an authentication method that allows users and wireless clients to be authenticated locally. It is designed for use in remote offices that maintain connectivity to wireless clients when the back-end system is disrupted or the external authentication server goes down. When you enable local EAP, the switch serves as the authentication server and the local user database, which removes dependence on an external authentication server. Local EAP retrieves user credentials from the local user database or the LDAP back-end database to authenticate users. Local EAP supports LEAP, EAP-FAST, EAP-TLS, PEAPv0/MSCHAPv2, and PEAPv1/GTC authentication between the controller and wireless clients.

Without an EAP profile name being provided, or if a name was provided for an EAP profile that does not exist, then EAP by default allows no EAP method for local authentication.


Note

The LDAP back-end database supports these local EAP methods: EAP-TLS, EAP-FAST/GTC, and PEAPv1/GTC. LEAP, EAP-FAST/MSCHAPv2, and PEAPv0. MSCHAPv2 is supported only if the LDAP server is set up to return a clear-text password.



Note

Switch support Local EAP authentication against external LDAP databases such as Microsoft Active Directory and Novell’s eDirectory. For more information about configuring the controller for Local EAP authentication against Novell’s eDirectory, see the Configure Unified Wireless Network for Authentication Against Novell's eDirectory Database whitepaper.


Figure 1. Local EAP Example


How to Configure IPv6 WLAN Security

Configuring Local Authentication

Creating a Local User

Procedure

  Command or Action Purpose
Step 1

configure terminal

Example:

Switch# configure terminal

Enters global command mode.

Step 2

username aaa_test

Example:

Switch(config)# username  aaa_test

Creates a username.

Step 3

password 0 aaa_test

Example:

Switch(config)# username aaa_test password  0  aaa_test

Assigns a password for the username.

Step 4

end

Example:

Switch(config)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit the global configuration mode.

Switch# configure terminal
Switch(config)# username aaa_test password 0 aaa_test
Switch(config)# end

Creating an Client VLAN and Interface

Procedure

  Command or Action Purpose
Step 1

configure terminal

Example:

Switch# configure terminal

Enters global command mode.

Step 2

vlan

Example:

Switch(config)# vlan 137

Creates a VLAN.

Step 3

exit

Example:

Switch (config-vlan)# exit

Exits VLAN configuration mode.

Step 4

interface vlan vlan_ID

Example:

Switch (config)# interface vlan 137

Associates the VLAN to an interface.

Step 5

ip address

Example:

Switch(config-if)# ip address 10.7.137.10 255.255.255.0

Assigns an IP address to the VLAN interface.

Step 6

ipv6 address

Example:

Switch(config-if)#ipv6 address 2001:db8::20:1/64

Assigns an IPv6 address to the VLAN interface.

Step 7

end

Example:

Switch(config)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit the global configuration mode.

Example

Switch# configure terminal
Switch(config)# vlan 137
Switch(config-vlan)#exit
Switch(config)#interface vlan 137
Switch(config-if)#ip address 10.7.137.10 255.255.255.0
Switch(config-if)#ipv6 address 2001:db8::20:1/64
Switch(config-if)#end

Configuring a EAP Profile

Procedure

  Command or Action Purpose
Step 1

eap profile name

Example:

Switch(config)# eap profile wcm_eap_prof

Creates a EAP profile.

Step 2

method leap

Example:

Switch(config-eap-profile)# method leap

Configures EAP-LEAP method on the profile.

Step 3

method tls

Example:

Switch(config-eap-profile)# method tls

Configures EAP-TLS method on the profile.

Step 4

method peap

Example:

Switch(config-eap-profile)# method peap

Configures PEAP method on the profile.

Step 5

method mschapv2

Example:

Switch(config-eap-profile)# method mschapv2

Configures EAP-MSCHAPV2 method on the profile.

Step 6

method md5

Example:

Switch(config-eap-profile)# method md5

Configures EAP-MD5 method on the profile.

Step 7

method gtc

Example:

Switch(config-eap-profile)# method gtc

Configures EAP-GTC method on the profile.

Step 8

method fast profile my-fast

Example:

Switch(config-eap-profile)# eap method fast profile my-fast
Switch (config-eap-profile)#description my_local eap profile

Creates a EAP profile named my-fast.

Step 9

description my_localeap profile

Example:

Switch (config-eap-profile)#description my_local eap profile

Provides a description for the local profile.

Step 10

exit

Example:

Switch (config-eap-profile)# exit

Exits the eap-profile configuration mode.

Step 11

eap method fast profile myFast

Example:

Switch (config)# eap method fast profile myFast

Configures the EAP method profile.

Step 12

authority-id [identity|information]

Example:

Switch(config-eap-method-profile)# authority-id identity my_identity
Switch(config-eap-method-profile)#authority-id information my_information

Configure the authority ID and information for the EAP method profile.

Step 13

local-key 0 key-name

Example:

Switch(config-eap-method-profile)# local-key 0 test

Configures the local server key.

Step 14

pac-password 0 password

Example:

Switch(config-eap-method-profile)# pac-password 0 test

Configures the PAC password for manual PAC provisioning.

Step 15

end

Example:

Switch(config)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit the global configuration mode.

Example

Switch(config)#eap profile wcm_eap_prof
Switch(config-eap-profile)#method leap 
Switch(config-eap-profile)#method tls
Switch(config-eap-profile)#method peap
Switch(config-eap-profile)#method mschapv2
Switch(config-eap-profile)#method md5
Switch(config-eap-profile)#method gtc
Switch(config-eap-profile)#eap method fast profile my-fast
Switch (config-eap-profile)#description my_local eap profile
Switch(config-eap-profile)# exit
Switch (config)# eap method fast profile myFast
Switch(config-eap-method-profile)#authority-id identity my_identity
Switch(config-eap-method-profile)#authority-id information my_information
Switch(config-eap-method-profile)#local-key 0 test
Switch(config-eap-method-profile)#pac-password 0 test
Switch(config-eap-method-profile)# end

Creating a Local Authentication Model

Procedure

  Command or Action Purpose
Step 1

aaa new-model

Example:

Switch(config)# aaa new-model

Creates a AAA authentication model.

Step 2

authentication dot1x default local

Example:

Switch(config)# aaa authentication dot1x default local

Implies that the dot1x must use the default local RADIUS when no other method is found.

Step 3

dot1x method_list local

Example:

Switch(config)# aaa authentication dot1x wcm_local local

Assigns the local authentication for wcm_local method list.

Step 4

aaa authentication dot1x dot1x_name local

Example:

Switch(config)# aaa authentication dot1x aaa_auth local

Configures the local authentication for the dot1x method.

Step 5

aaa authorization credential-download name local

Example:

Switch(config)# aaa authorization credential-download wcm_author local

Configures local database to download EAP credentials from Local/RADIUS/LDAP.

Step 6

aaa local authentication auth-name authorization authorization-name

Example:

Switch(config)# aaa local authentication wcm_local authorization wcm_author

Selects local authentication and authorization.

Step 7

session ID

Example:

Switch(config)# aaa session-id common

Configures a session ID for AAA.

Step 8

dot1x system-auth-control

Example:

 Switch(config)# dot1x system-auth-control

Enables dot.1x system authentication control.

Example

Switch(config)# aaa new-model
Switch(config)# aaa authentication dot1x default local
Switch(config)# aaa authentication dot1x wcm-local local
Switch(config)# aaa authentication dot1x aaa_auth local
Switch(config)# aaa authorization credential-download wcm_author local
Switch(config)# aaa local authentication wcm_local authorization wcm_author
Switch(config)# aaa session-id common
Switch(config)# dot1x system-auth-control

Creating a Client WLAN


Note

This example uses 802.1x with dynamic WEP. You can use any other security mechanism supported by the wireless client and configurable on the switch

Procedure

  Command or Action Purpose
Step 1

configure terminal

Example:

Switch# configure terminal

Enters global command mode.

Step 2

wlan wlan name <identifier> SSID

Example:

Switch(config)# wlan wlanProfileName 1 ngwcSSID

Creates a WLAN.

Step 3

broadcast-ssid

Example:

Switch(config-wlan)# broadcast-ssid

Configures to broadcast the SSID on a WLAN.

Step 4

no security wpa

Example:

Switch(config-wlan)# no security wpa

Disables the wpa for WLAN to enable 802.1x.

Step 5

security dot1x

Example:

Switch(config-wlan)# security dot1x 

Configures the 802.1x encryption security for the WLAN.

Step 6

security dot1x authentication-list wcm-local

Example:

Switch(config-wlan)# security dot1x authentication-list wcm-local

Configures the server group mapping to the WLAN for dot1x authentication.

Step 7

local-auth wcm_eap_prof

Example:

Switch (config-wlan)# local-auth wcm_eap_profile

Configures the eap profile on the WLAN for local authentication.

Step 8

client vlan 137

Example:

Switch(config-wlan)# client vlan 137

Associates the VLAN to a WLAN.

Step 9

no shutdown

Example:

Switch(config-wlan)# no shutdown

Enables the WLAN.

Step 10

end

Example:

Switch(config)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit the global configuration mode.

Example

Switch# config terminal
Switch(config)#wlan wlanProfileName 1 ngwcSSID
Switch(config-wlan)#broadcast-ssid
Switch(config-wlan)#no security wpa
Switch(config-wlan)#security dot1x 
Switch(config-wlan)#security dot1x authentication-list wcm-local
Switch (config-wlan)# local-auth wcm_eap_prof
Switch(config-wlan)#client vlan 137
Switch(config-wlan)#no shutdown
Switch(config-wlan)#end
Switch# 

Configuring Local Authentication with WPA2+AES

Procedure

  Command or Action Purpose
Step 1

configure terminal

Example:

Switch# configure terminal

Enters global command mode.

Step 2

aaa new model

Example:

Switch(config)# aaa new-model

Creates a AAA authentication model.

Step 3

dot1x system-auth-control

Example:

Switch(config)# dot1x system-auth-control

Enables dot1x system authentication control.

Step 4

aaa authentication dot1x default local

Example:

Switch(config)# aaa authentication dot1x default local

Configures the local authentication for the default dot1x method.

Step 5

aaa local authorization credential-download default local

Example:

Switch(config)# aaa authorization credential-download default local

Configures default database to download EAP credentials from local server.

Step 6

aaa local authentication default authorization default

Example:

Switch(config)# aaa local authentication default authorization default

Selects the default local authentication and authorization.

Step 7

eap profile wcm_eap_profile

Example:

Switch(config)#eap profile wcm_eap_profile

Creates an EAP profile.

Step 8

method leap

Example:

Switch(config)# method leap

Configures EAP-LEAP method on the profile.

Step 9

end

Example:

Switch(config)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit the global configuration mode.

Switch# configure terminal
Switch(config)# aaa new-model
Switch(config)# dot1x system-auth-control
Switch(config)# aaa authentication dot1x default local
Switch(config)# aaa authorization credential-download default local
Switch(config)# aaa local authentication default authorization default
Switch(config)#eap profile wcm_eap_profile
Switch(config)# method leap
Switch(config)# end

Creating Client VLAN for WPA2+AES

Create a VLAN for the WPA2+AES type of local authentication. This VLAN is later mapped to a WLAN.

Procedure

  Command or Action Purpose
Step 1

configure terminal

Example:

Switch# configure terminal

Enters global command mode.

Step 2

vlan vlan_ID

Example:

Switch (config)# vlan 105

Creates a VLAN.

Step 3

exit

Example:

Switch (config-vlan)# exit

Exits from the VLAN mode.

Step 4

interface vlan vlan_ID

Example:

Switch(config)# interface vlan 105

Associates the VLAN to the interface.

Step 5

ip address

Example:

Switch(config-if)# ip address  10.8.105.10  255.255.255.0

Assigns IP address to the VLAN interface.

Step 6

ipv6 address

Example:

Switch(config-if)#ipv6 address 2001:db8::10:1/64

Assigns IPv6 address to the VLAN interface.

Step 7

exit

Example:

Switch (config-if)# exit

Exits from the interface mode.

Switch# configure terminal
Switch(config)# vlan105
Switch (config-vlan)# exit
Switch (config)# interface vlan 105
Switch(config-if)#ip address 10.8.105.10 255.255.255.0
Switch(config-if)#ipv6 address 2001:db8::10:1/64
Switch(config-if)#exit
Switch(config)#

Creating WLAN for WPA2+AES

Create a WLAN and map it to the client VLAN created for WPA2+AES.

Procedure

  Command or Action Purpose
Step 1

configure terminal

Example:

Switch# configure terminal

Enters global command mode.

Step 2

wlan wpas2-aes-wlan 1 wpas2-aes-wlan

Example:

Switch(config)#wlan wpa2-aes-wlan 1 wpa2-aes-wlan
Switch(config-wlan)#

Creates a WLAN.

Step 3

client vlan 105

Example:

Switch(config-wlan)#client vlan 105
Switch(config-wlan)#

Maps the WLAN to the client VLAN.

Step 4

local-auth wcm_eap_profile

Example:

Switch(config-wlan)#local-auth wcm_eap_profile

Creates and sets the EAP profile on the WLAN.

Step 5

security dot1x authentication-list default

Example:

Switch(config-wlan)#security dot1x authentication-list default 

Uses the default dot1x authentication list.

Step 6

no shutdown

Example:

Switch(config-wlan)#no shutdown
Switch(config-wlan)#

Enables the WLAN.

Step 7

end

Example:

Switch(config)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Switch# configure terminal
Switch(config)#wlan wpa2-aes-wlan 1 wpa2-aes-wlan
Switch(config-wlan)#client vlan 105
Switch(config-wlan)#local-auth wcm_eap_profile
Switch(config-wlan)#security dot1x authentication-list default 
Switch(config-wlan)#no shutdown
Switch(config-wlan)# exit

Configuring External RADIUS Server

Configuring RADIUS Authentication Server Host

Procedure

  Command or Action Purpose
Step 1

configure terminal

Example:

Switch# configure terminal

Enters global command mode.

Step 2

radius server One

Example:

Switch (config)# radius server One

Creates a radius server.

Step 3

address ipv4 address auth-port auth_port_number acct-port acct_port_number

Example:

Switch (config-radius-server)# address ipv4 10.10.10.10 auth-port 1812 acct-port 1813  

Configures the IPv4 address for the radius server.

Step 4

address ipv6 address auth-port auth_port_number acct-port acct_port_number

Example:

Switch (config-radius-server)# address ipv6 2001:db8::25:2 auth-port 1812 acct-port 1813 
Configures the IPv6 address for the radius server.
Step 5

key 0cisco

Example:

Switch (config-radius-server)# key 0 cisco

exit

Step 6

Example:

Switch (config-radius-server)# exit

Exits from the radius server mode.

Switch# configure terminal
Switch (config)# radius server One
Switch (config-radius-server)# address ipv4 10.10.10.10 auth-port 1812 acct-port 1813 
Switch (config-radius-server)# address ipv6 2001:db8::25:2 auth-port 1812 acct-port 1813
Switch (config-radius-server)# key 0 cisco
Switch (config-radius-server)#exit

Configuring RADIUS Authentication Server Group

Procedure

  Command or Action Purpose
Step 1

configure terminal

Example:

Switch# configure terminal

Enters global command mode.

Step 2

aaa new-model

Example:

Switch(config)#aaa new-model

Creates a AAA authentication model.

Step 3

aaa group server radius wcm_rad

Example:

Switch(config)# aaa group server radius wcm_rad
Switch(config-sg-radius)#

Creates an radius server-group.

Step 4

server <ip address>auth-port 1812acct-port 1813

Example:

Switch(config-sg-radius)# server One auth-port 1812 acct-port 1813
Switch(config-sg-radius)# server Two auth-port 1812 acct-port 1813
Switch(config-sg-radius)# server Three auth-port 1812 acct-port 1813

Adds servers to the radius group created in Step 3. Configures the UDP port for RADIUS accounting server and authentication server.

Step 5

aaa authentication dot1x method_list group wcm_rad

Example:

Switch(config)# aaa authentication dot1x method_list group wcm_rad

Maps the method list to the radius group.

Step 6

dot1x system-auth-control

Example:

Switch(config)# dot1x system-auth-control

Enables the system authorization control for the radius group.

Step 7

aaa session-id common

Example:

Switch(config)# aaa session-id common

Ensures that all session IDs information sent out, from the radius group, for a given call are identical.

Switch# configure terminal
Switch(config)# aaa new-model
Switch(config)# aaa group server radius wcm_rad
Switch(config-sg-radius)# server One auth-port 1812 acct-port 1813
Switch(config-sg-radius)# server Two auth-port 1812 acct-port 1813
Switch(config-sg-radius)# server Three auth-port 1812 acct-port 1813
Switch(config)# aaa authentication dot1x method_list group wcm_rad
Switch(config)# dot1x system-auth-control
Switch(config)# aaa session-id common
Switch(config)#

Creating a Client VLAN

Procedure

  Command or Action Purpose
Step 1

configure terminal

Example:

Switch# configure terminal

Enters global command mode.

Step 2

vlan 137

Example:

Switch(config)# vlan 137

Creates a VLAN and associate it to the interface.

Step 3

exit

Example:

Switch (config-vlan)# exit

Exits from the VLAN mode.

Step 4

interface vlan 137

Example:

Switch (config)# interface vlan 137

Assigns a VLAN to an interface.

Step 5

ip address 10.7.137.10 255.255.255.0

Example:

Switch(config-if)# ip address 10.7.137.10 255.255.255.0

Assigns an IPv4 address to the VLAN interface.

Step 6

ipv6 address 2001:db8::30:1/64

Example:

Switch(config-if)# ipv6 address  2001:db8::30:1/64

Assigns an IPv6 address to the VLAN interface.

Step 7

end

Example:

Switch(config)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Switch# configure terminal
Switch(config)# vlan137
Switch(config-vlan)# exit
Switch(config)# interface vlan137
Switch(config-if)# ip address 10.7.137.10 255.255.255.0
Switch(config-if)# ipv6 address 2001:db8::30:1/64
Switch(config-if)# end

Creating 802.1x WLAN Using an External RADIUS Server

Procedure

  Command or Action Purpose
Step 1

configure terminal

Example:

Switch# configure terminal

Enters global command mode.

Step 2

wlan ngwc-1x<ssid> ngwc-1x

Example:

Switch(config)# wlan ngwc_8021x 2 ngwc_8021x

Creates a new WLAN for 802.1x authentication.

Step 3

broadcast-ssid

Example:

Switch(config-wlan)# broadcast-ssid

Configures to broadcast the SSID on WLAN.

Step 4

no security wpa

Example:

Switch(config-wlan)# no security wpa

Disables the WPA for WLAN to enable 802.1x.

Step 5

security dot1x

Example:

Switch(config-wlan)# security dot1x 

Configures the 802.1x encryption security for the WLAN.

Step 6

security dot1x authentication-list wcm-rad

Example:

Switch(config-wlan)# security dot1x authentication-list wcm-rad

Configures the server group mapping to the WLAN for dot1x authentication.

Step 7

client vlan 137

Example:

Switch(config-wlan)# client vlan 137

Associates the VLAN to a WLAN.

Step 8

no shutdown

Example:

Switch(config-wlan)# no shutdown

Enables the WLAN.

Step 9

end

Example:

Switch(config)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit the global configuration mode.

Example

Switch# configure terminal
Switch(config)#wlan ngwc_8021x 2 ngwc_8021x
Switch(config-wlan)# broadcast-ssid
Switch(config-wlan)# no security wpa
Switch(config-wlan)# security dot1x 
Switch(config-wlan)# security dot1x authentication-list wcm-rad
Switch(config-wlan)# client vlan 137
Switch(config-wlan)# no shutdown
Switch(config-wlan)# end

Additional References

Related Documents

Related Topic Document Title
IPv6 command reference IPv6 Command Reference (Cisco WLC 5700 Series)IPv6 Command Reference (Catalyst 3650 Switches)
WLAN command reference WLAN Command Reference, Cisco IOS XE Release 3SE (Cisco WLC 5700 Series)WLAN Command Reference, Cisco IOS XE Release 3SE (Catalyst 3650 Switches)
WLAN configuration WLAN Configuration Guide, Cisco IOS XE Release 3SE (Cisco WLC 5700 Series)WLAN Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3650 Switches)

Error Message Decoder

Description Link

To help you research and resolve system error messages in this release, use the Error Message Decoder tool.

https://www.cisco.com/cgi-bin/Support/Errordecoder/index.cgi

MIBs

MIB MIBs Link
All supported MIBs for this release.

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs

Technical Assistance

Description Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

http://www.cisco.com/support

Feature Information for IPv6 WLAN Security

This table lists the features in this module and provides links to specific configuration information:

Feature

Release

Modification

IPv6 WLAN Security Functionality

Cisco IOS XE 3.2SECisco IOS XE 3.3SECisco IOS XE 3.3SE

This feature was introduced.