You can configure security settings for an employee or voice network by using the Instant UI or CLI.
In the Instant UI
To configure security settings for an employee or voice network:
1. In the Security tab, select one of the following security levels by moving the slider to the desired level:
   • Enterprise
   • Personal
   • Open
The default security setting for a network profile is Personal.
2. Based on the security level specified, complete the following procedures:
   • Configuring Enterprise Security Level
   • Configuring Personal Security Level
   • Configuring Open Security Level
Configuring Enterprise Security Level
On selecting the Enterprise security level, the authentication options applicable to the enterprise network are displayed:
Figure 31 Security Tab: Enterprise
To configure settings for the enterprise security level:
1. Select the required key option from the Key management drop-down list. The following options are available:
   • WPA-2 Enterprise
   • WPA Enterprise
   • Both (WPA-2 & WPA)
   • Dynamic WEP with 802.1X
2. If you do not want to use a session key from the RADIUS server to derive pairwise unicast keys, set Session Key for LEAP to Enabled. This is required for old printers that use dynamic WEP through Lightweight Extensible Authentication Protocol (LEAP) authentication. The Session Key for LEAP feature is Disabled by default.
3. To terminate the EAP portion of 802.1X authentication on the IAP instead of the RADIUS server, set Termination to Enabled.
Enabling Termination can reduce network traffic to the external RADIUS server by terminating the authorization protocol on the IAP. By default, for 802.1X authorization, the client conducts an EAP exchange with the RADIUS server, and the IAP acts as a relay for this exchange. When Termination is enabled, the IAP by itself acts as an authentication server and terminates the outer layers of the EAP protocol, only relaying the innermost layer to the external RADIUS server.
If you are using LDAP for authentication, ensure that AP termination is configured to support EAP.
4. Configure an authentication server by using the Authentication server 1 drop-down list:
   • Select an authentication server from the list if external servers are already configured.
   • Select New to configure any of the following servers as an external RADIUS server:
      ◦ RADIUS Server
      ◦ LDAP Server
      ◦ CPPM Server for AirGroup CoA
     For information on configuring external servers, see Configuring an External Server for Authentication on page 120.
   • To use an internal server, select Internal server and add the clients that are required to authenticate with the internal RADIUS server. Click the Users link to add the users. For information on adding a user, see Configuring Users on page 125.
5. Specify a value for Reauth interval. When set to a value greater than zero, APs periodically reauthenticate all associated and authenticated clients.
6. To enable blacklisting of the clients with a specific number of authentication failures, select Enabled from the Blacklisting drop-down list and specify a value for Max authentication failures. The users who fail to authenticate the number of times specified in Max authentication failures field are dynamically blacklisted.
7. To enable accounting, select Enabled from the Accounting drop-down list. On setting this option to Enabled, APs post accounting information to the RADIUS server at the specified Accounting interval.
8. To enable authentication survivability, set Authentication survivability to Enabled. Specify a value in hours for Cache timeout (global) to set the duration after which the authenticated credentials in the cache must expire.
When the cache expires, the clients are required to authenticate again. You can specify a value within the range of 1 to 99 hours; the default value is 24 hours.
The authentication survivability feature requires ClearPass Policy Manager 6.0.2 or later, and is available only when the New server option is selected for the authentication server. On setting this parameter to Enabled, Instant authenticates the previously connected clients using EAP-PEAP authentication even when connectivity to ClearPass Policy Manager is temporarily lost. The Authentication survivability feature is not applicable when a RADIUS server is configured as an internal server.
9. Specify the following parameters to configure the MAC address based authentication under MAC authentication.
   • Perform MAC authentication before 802.1X — Select this check box to use 802.1X authentication only when the MAC authentication is successful.
   • MAC authentication fail-thru — On selecting this check box, the 802.1X authentication is attempted when the MAC authentication fails.
10. Click Upload Certificate and browse to upload a certificate file for the internal server. For more information on certificates, see Uploading Certificates on page 145.
11. Click Next to configure access rules. For more information, see Configuring Access Rules for a WLAN SSID Profile on page 87.
Configuring Personal Security Level
On selecting the Personal security level, the authentication options applicable to the personal network are displayed.
Figure 32 Security Tab: Personal
To configure settings for the personal security level:
1. Ensure that the security level is set to Personal.
2. Select an encryption key from the Key management drop-down list.
   • For WPA-2 Personal, WPA Personal, and Both (WPA-2 & WPA) keys, specify the following parameters:
      a. Passphrase format: Select a passphrase format from the Passphrase format drop-down list. The following options are available:
         ◦ 8-63 alphanumeric chars
         ◦ 64 hexadecimal chars
      b. Enter a passphrase in the Passphrase text box and reconfirm.
   • For Static WEP, specify the following parameters:
      a. Select an appropriate value for WEP key size from the WEP key size drop-down list. You can specify 64-bit or 128-bit.
      b. Select an appropriate value for Tx key from the Tx Key drop-down list. You can specify 1, 2, 3, or 4.
      c. Enter an appropriate WEP key and reconfirm.
3. To configure MAC authentication, set MAC authentication to Enabled. When Enabled, configure at least one RADIUS server for authentication server.
4. Configure an authentication server by using the Authentication server 1 drop-down list:
   • Select an authentication server from the list if external servers are already configured.
   • Select New to configure any of the following servers as an external RADIUS server:
      ◦ RADIUS Server
      ◦ LDAP Server
      ◦ CPPM Server for AirGroup CoA
     For information on configuring external servers, see Configuring an External Server for Authentication on page 120.
   • To use an internal server, select Internal server and add the clients that are required to authenticate with the internal RADIUS server. Click the Users link to add the users. For information on adding a user, see Configuring Users on page 125.
5. Specify a value for Reauth interval. When set to a value greater than zero, APs periodically reauthenticate all associated and authenticated clients.
6. To enable blacklisting of the clients with a specific number of authentication failures, select Enabled from the Blacklisting drop-down list and specify a value for Max authentication failures. The users who fail to authenticate the number of times specified in Max authentication failures field are dynamically blacklisted.
7. To enable accounting, select Enabled from the Accounting drop-down list. On setting this option to Enabled, APs post accounting information to the RADIUS server at the specified Accounting interval.
8. Click Upload Certificate and browse to upload a certificate file for the internal server. See Uploading Certificates on page 145 for more information.
9. Click Next to configure access rules. For more information, see Configuring Access Rules for a WLAN SSID Profile on page 87.
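The two passphrase formats offered in step 2 of the Personal procedure correspond to the two ways a WPA/WPA2 pre-shared key can be supplied: a human-readable passphrase that the AP and every client expand into the 256-bit PSK, or the PSK itself written as 64 hexadecimal characters. The following Python script is an added example and is not part of the Aruba Instant guide or product: it classifies a key as one format or the other and performs the standard IEEE 802.11 expansion (PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 32-byte output). It accepts any printable ASCII passphrase, which is what the 802.11 standard allows and is slightly wider than the UI label "8-63 alphanumeric chars" suggests; the "password"/"IEEE" pair used in the demo is the published 802.11i test vector.

```python
import hashlib
import re

# Exactly 64 hex digits: the raw 256-bit PSK, entered directly.
HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")


def passphrase_format(key: str) -> str:
    """Return 'hex' for a 64-hex-character raw PSK, 'ascii' for an 8-63
    character printable-ASCII passphrase, or 'invalid' for anything else."""
    if HEX64.match(key):
        return "hex"
    # IEEE 802.11 passphrases: 8 to 63 characters, each in the printable ASCII range 0x20-0x7E.
    if 8 <= len(key) <= 63 and all(0x20 <= ord(c) <= 0x7E for c in key):
        return "ascii"
    return "invalid"


def derive_psk(key: str, ssid: str) -> bytes:
    """Expand a Personal-mode key into the 32-byte PSK that WPA/WPA2 uses as the PMK.

    A 'hex' key already is the PSK; an 'ascii' passphrase is run through the
    IEEE 802.11 expansion PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    """
    fmt = passphrase_format(key)
    if fmt == "hex":
        return bytes.fromhex(key)
    if fmt == "ascii":
        return hashlib.pbkdf2_hmac("sha1", key.encode("ascii"), ssid.encode("utf-8"), 4096, 32)
    raise ValueError("key must be 8-63 printable ASCII characters or 64 hexadecimal characters")


if __name__ == "__main__":
    # Constructed demonstration: the same passphrase on two SSIDs gives two different PSKs,
    # because the SSID is the PBKDF2 salt. "Corp-Voice" is a made-up SSID name.
    for ssid in ("IEEE", "Corp-Voice"):
        print(f"{ssid:12} {derive_psk('password', ssid).hex()}")
```

Because the SSID is the salt, renaming an SSID silently changes the PSK every client must hold, while a 64-hex key is used as-is and does not depend on the SSID at all.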
Configuring Open Security Level
On selecting Open security level, the authentication options applicable to an open network are displayed:
Figure 33 Security Tab: Open
To configure settings for the open security level:
1. To enable MAC authentication, select Enabled from the MAC authentication drop-down list. When Enabled, configure at least one RADIUS server as the authentication server.
   a. Select the required type of authentication server option from the Authentication server 1 drop-down list.
      • New — If you select this option, an external RADIUS server has to be configured to authenticate the users. For information on configuring an external RADIUS server, see Authentication on page 113.
      • Internal server — To use an internal server, select Internal server and add the clients that are required to authenticate with the internal RADIUS server. Click the Users link to add the users. For information on adding a user, see Configuring Users on page 125.
   b. Reauth interval — When set to a value greater than zero, APs periodically reauthenticate all associated and authenticated clients.
   c. Accounting — When enabled, APs post accounting information to the RADIUS server at the specified Accounting interval.
   d. Blacklisting — To enable blacklisting of the clients with a specific number of authentication failures, select the Enabled option. In the Max authentication failures text box, specify the number of failed attempts after which users who fail to authenticate are dynamically blacklisted. The maximum value for this entry is 10.
2. Click Upload Certificate and browse to upload a certificate file for the internal server. See Uploading Certificates on page 145 for more information.
3. Click Next to configure access rules. For more information, see Configuring Access Rules for a WLAN SSID Profile on page 87.
In the CLI
To configure security settings for the employee and voice users of a WLAN SSID profile:
(Instant Access Point)(config)# wlan ssid-profile <SSID-Name>
(Instant Access Point)(SSID Profile<name>)# opmode {<opensystem>|<wpa2-aes>|<wpa2-psk-aes>|<wpa-tkip>|<wpa-psk-tkip>|<wpa-tkip,wpa2-aes>|<wpa-psk-tkip,wpa2-psk-aes>|<static-wep>|<dynamic-wep>}
(Instant Access Point)(SSID Profile<name>)# leap-use-session-key
(Instant Access Point)(SSID Profile<name>)# blacklist
(Instant Access Point)(SSID Profile<name>)# mac-authentication
(Instant Access Point)(SSID Profile<name>)# l2-auth-failthrough
(Instant Access Point)(SSID Profile<name>)# external-server
(Instant Access Point)(SSID Profile<name>)# termination
(Instant Access Point)(SSID Profile<name>)# auth-server <server-name>
(Instant Access Point)(SSID Profile<name>)# auth-survivability
(Instant Access Point)(SSID Profile<name>)# auth-survivability cache-time-out <hours>
(Instant Access Point)(SSID Profile<name>)# server-load-balancing
(Instant Access Point)(SSID Profile<name>)# radius-accounting
(Instant Access Point)(SSID Profile<name>)# radius-accounting-mode {authentication|user-association}
(Instant Access Point)(SSID Profile<name>)# radius-interim-accounting-interval <minutes>
(Instant Access Point)(SSID Profile<name>)# radius-reauth-interval <minutes>
(Instant Access Point)(SSID Profile<name>)# max-authentication-failures <number>
(Instant Access Point)(SSID Profile<name>)# end
(Instant Access Point)# commit apply
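The CLI sequence above applies the same choices the UI procedures expose, and several of those choices constrain each other: MAC authentication and 802.1X need at least one authentication server, Max authentication failures is capped at 10, the survivability cache timeout is 1 to 99 hours and only applies to EAP clients, and fail-thru or termination only make sense alongside MAC authentication or 802.1X. The Python below is an added example, not Aruba code: it models a profile's security settings as a data class, checks those constraints before anything reaches a device, and renders the profile as the commands shown in this section. The mapping of the UI's Enterprise key options onto opmode keywords (ENTERPRISE_OPMODES) and the sample profile values are assumptions of the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# opmode keywords taken from the CLI sequence in this section.
OPMODES = {
    "opensystem", "wpa2-aes", "wpa2-psk-aes", "wpa-tkip", "wpa-psk-tkip",
    "wpa-tkip,wpa2-aes", "wpa-psk-tkip,wpa2-psk-aes", "static-wep", "dynamic-wep",
}
# Assumption of this example: the Enterprise (802.1X) key options correspond to these opmodes.
ENTERPRISE_OPMODES = {"wpa2-aes", "wpa-tkip", "wpa-tkip,wpa2-aes", "dynamic-wep"}


@dataclass
class SsidSecurity:
    ssid: str
    opmode: str
    auth_servers: List[str] = field(default_factory=list)  # auth-server <server-name>
    mac_authentication: bool = False
    l2_auth_failthrough: bool = False                     # "MAC authentication fail-thru"
    termination: bool = False                             # EAP termination on the IAP
    blacklist: bool = False
    max_auth_failures: Optional[int] = None               # 1..10 per the Open procedure
    reauth_interval_min: Optional[int] = None             # 0/None = no periodic reauthentication
    radius_accounting: bool = False
    interim_accounting_min: Optional[int] = None
    survivability_cache_hours: Optional[int] = None       # None = survivability disabled


def validate(cfg: SsidSecurity) -> List[str]:
    """Return the list of constraint violations; empty when the profile is consistent."""
    problems = []
    if cfg.opmode not in OPMODES:
        problems.append(f"unknown opmode {cfg.opmode!r}")
    is_8021x = cfg.opmode in ENTERPRISE_OPMODES
    if (is_8021x or cfg.mac_authentication) and not cfg.auth_servers:
        problems.append("802.1X and MAC authentication need at least one authentication server")
    if cfg.l2_auth_failthrough and not cfg.mac_authentication:
        problems.append("l2-auth-failthrough only applies when MAC authentication is enabled")
    if cfg.termination and not is_8021x:
        problems.append("termination only applies to 802.1X opmodes")
    if cfg.blacklist and not (cfg.max_auth_failures and 1 <= cfg.max_auth_failures <= 10):
        problems.append("blacklisting needs max-authentication-failures in 1..10")
    if cfg.survivability_cache_hours is not None:
        if not 1 <= cfg.survivability_cache_hours <= 99:
            problems.append("auth-survivability cache-time-out must be 1..99 hours")
        if not is_8021x:
            problems.append("authentication survivability applies to 802.1X (EAP) clients only")
    if cfg.interim_accounting_min is not None and not cfg.radius_accounting:
        problems.append("interim accounting interval requires radius-accounting")
    return problems


def render_cli(cfg: SsidSecurity) -> List[str]:
    """Render the profile as Instant CLI commands (prompts omitted) after validating it."""
    problems = validate(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [f"wlan ssid-profile {cfg.ssid}", f"opmode {cfg.opmode}"]
    lines += [f"auth-server {name}" for name in cfg.auth_servers]
    if cfg.mac_authentication:
        lines.append("mac-authentication")
    if cfg.l2_auth_failthrough:
        lines.append("l2-auth-failthrough")
    if cfg.termination:
        lines.append("termination")
    if cfg.blacklist:
        lines += ["blacklist", f"max-authentication-failures {cfg.max_auth_failures}"]
    if cfg.reauth_interval_min:
        lines.append(f"radius-reauth-interval {cfg.reauth_interval_min}")
    if cfg.radius_accounting:
        lines.append("radius-accounting")
        if cfg.interim_accounting_min is not None:
            lines.append(f"radius-interim-accounting-interval {cfg.interim_accounting_min}")
    if cfg.survivability_cache_hours is not None:
        lines += ["auth-survivability", f"auth-survivability cache-time-out {cfg.survivability_cache_hours}"]
    lines += ["end", "commit apply"]
    return lines


if __name__ == "__main__":
    # Constructed sample: an employee SSID on WPA2-Enterprise with blacklisting and survivability.
    profile = SsidSecurity("Corp-Employee", "wpa2-aes", auth_servers=["cppm-1"],
                           blacklist=True, max_auth_failures=5, reauth_interval_min=60,
                           radius_accounting=True, interim_accounting_min=10,
                           survivability_cache_hours=24)
    print("\n".join(render_cli(profile)))
```

Running validate() first means a profile that would silently leave MAC authentication without a server, or exceed the blacklisting cap, is rejected before any commands are pasted into the AP.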