
Set the appropriate security levels using the slider in the Security tab. The default level is Personal

In document Instant Access Point (Page 52-58)

Employee Network

7. Set the appropriate security levels using the slider in the Security tab. The default level is Personal

The available options are Enterprise, Personal, and Open which are described in the following tables.

Table 5 Conditions for Client IP and VLAN assignment

If you select Virtual Controller assigned, then:

The client gets the IP address from the Virtual Controller.

The Virtual Controller creates a private subnet and VLAN on the IAP for the wireless clients.

The Virtual Controller NATs all traffic that passes out of this interface. This setup eliminates the need for complex VLAN and IP address management for a multi site wireless network. See Chapter 11, “Virtual Controller” on page 115 for configuring the DHCP server.

If you select Network assigned, then:

By default, the client VLAN is assigned to the native VLAN on the wired network.

Default— The client gets the IP address in the same subnet as the IAPs.

Static— Select to specify a single VLAN, a comma separated list of VLANs, or a range of VLANs for all clients on this network.

Dynamic— Select to create rules for per-user VLAN assignment. See “VLAN Derivation Rule” on page 156 for more information.

NOTE: Select the Static option in Client VLAN assignment section to configure VLAN pooling. See “VLAN pooling” on page 76 for additional details.

Instant 6.2.0.0-3.2 | User Guide Wireless Network | 53

Figure 32 Employee Security Tab— Enterprise

Table 6 Conditions for Adding an Employee Network— Security Tab

If you select the Enterprise security level, then perform the following steps:

1. Select the required key options from the Key management drop-down list. Available options are:

WPA-2 Enterprise

WPA Enterprise

Both (WPA-2 & WPA)

Dynamic WEP with 802.1X

Use Session Key for LEAP— Use the Session Key for LEAP instead of the Session Key from the RADIUS server to derive pairwise unicast keys. This is required for old printers that use dynamic WEP via LEAP authentication. This is Disabled by default.

For more information on encryption and recommended encryption type, see Chapter 13, “Encryption”.

2. Termination— Enable this option to terminate the EAP portion of 802.1X authentication on the IAP instead of the RADIUS server.

For more information, see “External RADIUS Server” on page 118.

3. Authentication server 1— Select the required Authentication server option from the drop-down list. Available options are:

New— If you select this option, an external RADIUS server has to be configured to authenticate the users. For information on configuring an external RADIUS server, see Chapter 12, “Authentication”.

InternalServer— If you select this option, users who are required to authenticate with the internal RADIUS server must be added.

Click the Users link to add the users. For information on adding a user, see “Adding a User” on page 271.

4. Reauth interval— When set to a value greater than zero, the Access Points periodically reauthenticate all associated and authenticated clients.

5. Blacklisting— Select Enabled to enable blacklisting of the clients with a specific number of authentication failures.

6. Authentication survivability— This feature requires ClearPass Policy Manager (6.0.2 and above) and is visible in the UI only when you select New to configure an external RADIUS server for authentication. If you select your RADIUS server as an internal server, then this feature is not applicable. When enabled, this feature allows Instant to authenticate the previously connected clients using EAP-PEAP authentication even when connectivity to ClearPass Policy Manager is temporarily lost.

Cache timeout (global)—Indicates the duration after which the authenticated credentials in the cache expire. When the cache expires, the clients are required to authenticate again. The supported range is 1 - 99 hours and the default value is 24 hours.

7. MAC authentication — Indicates per-user authentication using MAC address.

Perform MAC authentication before 802.1X—Indicates per-user authentication using MAC address. This feature is optional.

MAC authentication fail-thru—When this option is enabled, if MAC authentication fails, 802.1X authentication is attempted.

When this option is disabled, if MAC authentication fails, no further authentication is attempted.

8. Click Upload Certificate and browse to upload a certificate file for the internal server. See “Certificates” on page 144 for more information.

If you want to use the default security level, Personal, then perform the following steps:

1. Select the required key options from the Key management drop-down list. Available options are:

WPA-2 Personal

WPA Personal

Both (WPA-2 & WPA)

Static WEP— If you have selected Static WEP, do the following:

Select appropriate WEP key size from the WEP key size drop-down list. Available options are 64-bit and 128-bit.

Select appropriate Tx key from the Tx Key drop-down list. Available options are 1, 2, 3, and 4.

Enter an appropriate WEP key and reconfirm.

For more information on encryption and recommended encryption type, see Chapter 13, “Encryption”.

2. WPA-2 Personal— Select a passphrase format from the Passphrase format drop-down list. Available options are:

8-63 alphanumeric chars

64 hexadecimal chars

3. Enter a passphrase in the Passphrase text box and reconfirm.

4. Select the required option from the MAC authentication drop-down list. Available options are Enabled and Disabled.

When Enabled, the user must configure at least one RADIUS server as the authentication server. See “MAC Authentication” on page 139 for further details.

5. Authentication server 1— Select the required Authentication server option from the drop-down list. Available options are:

New— If you select this option, an external RADIUS server has to be configured to authenticate the users. For information on configuring an external RADIUS server, see Chapter 12, “Authentication”.

6. Reauth interval— When set to a value greater than zero, the Access Points periodically reauthenticate all associated and authenticated clients.

7. Accounting — When enabled, the Access Point posts accounting information as RADIUS START and RADIUS STOP accounting records to the RADIUS server.

8. Accounting interval — When set to a value greater than zero, the Access Point periodically posts accounting information as RADIUS INTERIM accounting records to the RADIUS server.

9. Blacklisting— Select Enabled to enable blacklisting of the clients with a specific number of authentication failures.

10. Max authentication failures— Users who fail to authenticate the number of times specified here are dynamically blacklisted. The maximum value for this entry is 10.

11. Internal server— If you select this option, users who are required to authenticate with the internal RADIUS server must be added. Click the Users link to add the users. For information on adding a user, see “Adding a User” on page 271.

NOTE: Navigate to PEF > Blacklisting in the Instant UI to specify the duration of the blacklisting on the Blacklisting tab of the PEF window.

12. Click Upload Certificate and browse to upload a certificate file for the internal server. See “Certificates” on page 144 for more information.


Figure 33 Employee Security Tab— Personal
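The two entries in the Passphrase format drop-down are two ways of supplying the same 256-bit WPA/WPA2-Personal pre-shared key: 64 hexadecimal characters are the key itself, while an 8-63 character passphrase is stretched into the key with PBKDF2-HMAC-SHA1 salted by the SSID (IEEE 802.11i). The Python below is an added example, not taken from the Instant User Guide; the function names and the SSID `employee` are constructed for illustration, and it assumes the 8-63 character form accepts any printable ASCII, as the 802.11 standard does.

```python
import hashlib
import string

# Labels of the two options in the Passphrase format drop-down on this page.
ASCII_FORMAT = "8-63 alphanumeric chars"
HEX_FORMAT = "64 hexadecimal chars"


def classify_passphrase(value: str) -> str:
    """Return the drop-down format the value fits, or raise ValueError."""
    if len(value) == 64 and all(c in string.hexdigits for c in value):
        return HEX_FORMAT
    # Assumption: printable ASCII (codes 32-126) is allowed, per IEEE 802.11.
    if 8 <= len(value) <= 63 and all(32 <= ord(c) <= 126 for c in value):
        return ASCII_FORMAT
    raise ValueError("need 8-63 printable ASCII characters or 64 hex digits")


def derive_psk(value: str, ssid: str) -> bytes:
    """Return the 32-byte pre-shared key the network will actually use."""
    if classify_passphrase(value) == HEX_FORMAT:
        # The hex form is the raw key; the SSID plays no part in it.
        return bytes.fromhex(value)
    # The passphrase form is stretched: PBKDF2-HMAC-SHA1, SSID as salt,
    # 4096 iterations, 256-bit output.
    return hashlib.pbkdf2_hmac(
        "sha1", value.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


if __name__ == "__main__":
    # Constructed inputs: the same passphrase on two SSIDs gives two keys,
    # which is why renaming an SSID changes the key even if the passphrase stays.
    for secret, ssid in [("password", "IEEE"), ("password", "employee")]:
        print(ssid, classify_passphrase(secret), derive_psk(secret, ssid).hex())
```

Because the SSID is the only salt, the strength of a passphrase-format key rests entirely on the passphrase; a randomly generated 64-hexadecimal-character value avoids that dependency.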


Table 7 Conditions for Adding an Employee Network— Security Tab

If you select the Open security level, then:

1. Select the required MAC authentication from the MAC authentication drop-down list. Available options are Enabled and Disabled.

When Enabled, the user must configure at least one RADIUS server as the authentication server. See “MAC Authentication” on page 139 for further details.

2. Authentication server 1— Select the required Authentication server option from the drop-down list. Available options are:

New— If you select this option, an external RADIUS server has to be configured to authenticate the users. For information on configuring an external RADIUS server, see Chapter 12, “Authentication”.

3. Reauth interval— When set to a value greater than zero, the Access Points periodically reauthenticate all associated and authenticated clients.

4. Accounting — When enabled, the Access Point posts accounting information as RADIUS START and RADIUS STOP accounting records to the RADIUS server.

5. Accounting interval — When set to a value greater than zero, the Access Point periodically posts accounting information as RADIUS INTERIM accounting records to the RADIUS server.

6. Blacklisting— Select Enabled to enable blacklisting of the clients with a specific number of authentication failures.

7. Max authentication failures— Users who fail to authenticate the number of times specified here are dynamically blacklisted. The maximum value for this entry is 10.

NOTE: Navigate to PEF > Blacklisting in the Instant UI to specify the duration of the blacklisting on the Blacklisting tab of the PEF window.

8. Internal server— If you select this option, users who are required to authenticate with the internal RADIUS server must be added. Click the Users link to add the users. For information on adding a user, see “Adding a User” on page 271.

9. Click Upload Certificate and browse to upload a certificate file for the internal server. See “Certificates” on page 144 for more information.

Figure 34 Employee Security Tab — Open

10. Click Next to continue.
