WLAN - Configuring WLAN Security [Cisco Catalyst 3850 Series Switches]

Contents
Configuring WLAN Security
Finding Feature Information
Prerequisites for WLANs
Information About AAA Override
How to Configure WLAN Security
Configuring Static WEP + 802.1X Layer 2 Security Parameters (CLI)
Configuring Static WEP Layer 2 Security Parameters (CLI)
Configuring WPA + WPA2 Layer 2 Security Parameters (CLI)
Configuring 802.1X Layer 2 Security Parameters (CLI)
Additional References
Feature Information about WLAN Layer 2 Security
Configuring WLAN Security

This chapter contains the following sections:

Finding Feature Information
Prerequisites for WLANs
Information About AAA Override
How to Configure WLAN Security
Additional References
Feature Information about WLAN Layer 2 Security

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for WLANs

You can associate up to 16 WLANs with each access point group and assign specific access points to each group. Each access point advertises only the enabled WLANs that belong to its access point group. The access point (AP) does not advertise disabled WLANs in its access point group or WLANs that belong to another group.

We recommend that you assign one set of VLANs for WLANs and a different set of VLANs for management interfaces to ensure that controllers properly route VLAN traffic.

The controller uses different attributes to differentiate between WLANs with the same Service Set Identifier (SSID).
WLANs with the same SSID and same Layer 2 policy cannot be created if the WLAN ID is lower than 17.

Two WLANs with IDs that are greater than 17 and that have the same SSID and same Layer 2 policy is allowed if WLANs are added in different AP groups.

Note
This requirement ensures that clients never detect the SSID present on the same access point radio.

Information About AAA Override

The AAA Override option of a WLAN enables you to configure the WLAN for identity networking. It enables you to apply VLAN tagging, Quality of Service (QoS), and Access Control Lists (ACLs) to individual clients based on the returned RADIUS attributes from the AAA server.

Related Tasks

Configuring Advanced WLAN Properties (CLI)

How to Configure WLAN Security
Configuring Static WEP + 802.1X Layer 2 Security Parameters (CLI)
Before You Begin
You must have administrator privileges.

SUMMARY STEPS
1.    configure terminal

2.    wlan wlan-name

3.    security static-wep-key {authentication {open | sharedkey} | encryption {104 | 40} [ascii | hex] { 0 | 8 } } wep-key wep-key-index1-4

4.    end

DETAILED STEPS
Command or Action Purpose
Step 1
configure terminal

Example:
Switch# configure terminal
Enters global configuration mode.
Step 2
wlan wlan-name

Example:
Switch# wlan test4
Enters the WLAN configuration submode. The wlan-name is the profile name of the configured WLAN.
Step 3
security static-wep-key {authentication {open | sharedkey} | encryption {104 | 40} [ascii | hex] { 0 | 8 } } wep-key wep-key-index1-4

Example:
Switch(config-wlan)# security static-wep-key encryption 40 hex 0  test 2
Configures static WEP security on a WLAN. The keywords and arguments are as follows:
authentication—Configures 802.11 authentication.

encryption—Sets the static WEP keys and indices.

open— Configures open system authentication.

sharedkey—Configures shared key authentication.

104, 40 — Specifies the WEP key size.

hex, ascii—Specifies the input format of the key.

wep-key-index—Type of password that follows. A value of 0 indicates that an unencrypted password follows. A value of 8 indicates that an AES encrypted follows.
Step 4
end

Example:
Switch(config)# end
Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-z to exit global configuration mode.
Configuring Static WEP Layer 2 Security Parameters (CLI)
Before You Begin
You must have administrator privileges.

SUMMARY STEPS
1.    configure terminal

2.    wlan wlan-name

3.    security static-wep-key [authentication {open | shared} | encryption {104 | 40} {ascii | hex} [0 | 8]]

4.    end

DETAILED STEPS
Command or Action Purpose
Step 1
configure terminal

Example:
Switch# configure terminal
Enters global configuration mode.
Step 2
wlan wlan-name

Example:
Switch# wlan test4
Enters the WLAN configuration submode. The wlan-name is the profile name of the configured WLAN.
Step 3
security static-wep-key [authentication {open | shared} | encryption {104 | 40} {ascii | hex} [0 | 8]]

Example:
Switch(config-wlan)# security static-wep-key authentication open
The keywords are as follows:

static-wep-key—Configures Static WEP Key authentication.

authentication—Specifies the authentication type you can set. The values are open and shared.

encryption—Specifies the encryption type that you can set. The valid values are 104 and 40. 40-bit keys must contain 5 ASCII text characters or 10 hexadecimal characters. 104-bit keys must contain 13 ASCII text characters or 26 hexadecimal characters

ascii—Specifies the key format as ASCII.

hex—Specifies the key format as HEX.
Step 4
end

Example:
Switch(config)# end
Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-z to exit global configuration mode.
Configuring WPA + WPA2 Layer 2 Security Parameters (CLI)
Note
The default security policy is WPA2.

Before You Begin
You must have administrator privileges.

SUMMARY STEPS
1.    configure terminal

2.    wlan wlan-name

3.    security wpa

4.    security wpa wpa1

5.    security wpa wpa1 ciphers [ aes | tkip]

6.    security wpa wpa2

7.    security wpa wpa2 ciphers [ aes | tkip ]

8.    end

DETAILED STEPS
Command or Action Purpose
Step 1
configure terminal

Example:
Switch# configure terminal
Enters global configuration mode.
Step 2
wlan wlan-name

Example:
Switch# wlan test4
Enters the WLAN configuration submode. The wlan-name is the profile name of the configured WLAN.
Step 3
security wpa

Example:
Switch(config-wlan)# security wpa
Enables WPA.
Step 4
security wpa wpa1

Example:
Switch(config-wlan)# security wpa wpa1
Enables WPA1.
Step 5
security wpa wpa1 ciphers [ aes | tkip]

Example:
Switch(config-wlan)# security wpa wpa1 ciphers aes
Specifies the WPA1 cipher. Choose one of the following encryption types:
aes—Specifies WPA/AES support.

tkip—Specifies WPA/TKIP support.
Step 6
security wpa wpa2

Example:
Switch(config-wlan)# security wpa
Enables WPA 2.
Step 7
security wpa wpa2 ciphers [ aes | tkip ]

Example:
Switch(config-wlan)# security wpa wpa2 ciphers tkip
Configure WPA2 cipher. Choose one of the following encryption types:
aes—Specifies WPA/AES support.

tkip—Specifies WPA/TKIP support.
Step 8
end

Example:
Switch(config)# end
Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-z to exit global configuration mode.
Configuring 802.1X Layer 2 Security Parameters (CLI)
Before You Begin
You must have administrator privileges.

SUMMARY STEPS
1.    configure terminal

2.    wlan wlan-name

3.    security dot1x

4.    security [authentication-list {auth-list-name} | encryption { 0 | 104 | 40 }

5.    end

DETAILED STEPS
Command or Action Purpose
Step 1
configure terminal

Example:
Switch# configure terminal
Enters global configuration mode.
Step 2
wlan wlan-name

Example:
Switch# wlan test4
Enters the WLAN configuration submode. The wlan-name is the profile name of the configured WLAN.
Step 3
security dot1x

Example:
Switch(config-wlan)# security dot1x
Specifies 802.1X security.
Step 4
security [authentication-list {auth-list-name} | encryption { 0 | 104 | 40 }

Example:
Switch(config-wlan)# security encryption 104
The keywords and arguments are as follows:
authentication-list—Specifies the authentication list for IEEE 802.1X.

encryption—Specifies the length of the CKIP encryption key. The valid values are 0, 40, and 104. Zero (0) signifies no encryption. This is the default.

Note All keys within a WLAN must be of the same size.
Step 5
end

Example:
Switch(config)# end
Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-z to exit global configuration mode.
Additional References

Related Documents

Related Topic Document Title

WLAN command reference
WLAN Command Reference, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)

Security configuration guide
Security Configuration Guide (Catalyst 3850 Switches)

MIBs

MIB MIBs Link

All supported MIBs for this release.
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs

Technical Assistance

Description Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

http://www.cisco.com/support

Feature Information about WLAN Layer 2 Security

This table lists the features in this module and provides links to specific configuration information.

Feature Name Release Feature Information

WLAN Security functionality Cisco IOS XE 3.2SE This feature was introduced.