Wireless Authentication Types on Fixed ISR Through SDM Configuration Example
[LEFT][CODE]http://www.cisco.com/en/US/products/hw/routers/ps380/products_configuration_example09186a00808acf2f.shtml[/CODE][B]Document ID: 98584[/B]
[B]Contents[/B][INDENT] [B] Introduction
[/B] [B] Prerequisites
Requirements
Components Used
Conventions
[/B] [B] Background Information
[/B] [B] Configure
Network Diagram
Configure the Router for SDM Access
Launch the SDM Wireless Application on the Router
Configure Open Authentication with WEP Encryption
Configure Internal DHCP Server for Wireless Clients of This VLAN
Configure Open with MAC Authentication
Configure 802.1x/EAP Authentication
Configure Shared Authentication
Configure WPA Authentication
Configure WPA-PSK Authentication
[/B] [B] Wireless Client Configuration
Configure Wireless Client for Open Authentication with WEP Encryption
Configure Wireless Client for Open with MAC Authentication
Configure Wireless Client for 802.1x/EAP Authentication
Configure Wireless Client for Shared Authentication
Configure Wireless Client for WPA Authentication
Configure Wireless Client for WPA-PSK Authentication
[/B] [B] Troubleshoot
Troubleshooting Commands
[/B] [B] Related Information [/B] [/INDENT]
[B] Introduction [/B]
This document provides configuration examples that explain how to configure various Layer 2 authentication types on a Cisco Wireless integrated fixed-configuration router for wireless connectivity with Security Device Manager (SDM).
[B] Prerequisites [/B]
[B] Requirements [/B]
Ensure that you meet these requirements before you attempt this configuration:
[LIST][*] Knowledge of how to configure the basic parameters of the Cisco Integrated Services Router (ISR) with SDM[*] Knowledge of how to configure the 802.11a/b/g Wireless Client Adapter with the Aironet Desktop Utility (ADU)[/LIST]
[B] Components Used [/B]
The information in this document is based on these software and hardware versions:
[LIST][*] Cisco 877W ISR that runs Cisco IOS® Software Release 12.3(8)YI1[*] Cisco SDM Version 2.4.1 installed on the ISR[*] Laptop with Aironet Desktop Utility Version 3.6[*] 802.11 a/b/g Client Adapter that runs Firmware Version 3.6[/LIST]
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
[B] Conventions [/B]
Refer to [URL="http://www.cisco.com/en/US/tech/tk801/tk36/technologies_tech_note09186a0080121ac5.shtml"]Cisco Technical Tips Conventions[/URL] for more information on document conventions.
[B] Background Information [/B]
Cisco SDM is an intuitive, web-based device-management tool for Cisco IOS Software-based routers. Cisco SDM simplifies router and security configuration through smart wizards, which help customers quickly and easily deploy, configure, and monitor Cisco Systems® routers without requiring knowledge of the Cisco IOS Software command-line interface (CLI).
SDM can be downloaded free of charge from the [URL="http://www.cisco.com/pcgi-bin/tablebuild.pl/sdm"]Software Center[/URL] on Cisco.com.
SDM can be installed as a separate copy on each individual router, or it can be installed on a PC. Cisco SDM installed on a PC allows you to use SDM to manage other routers on the network that run supported IOS images. However, SDM on a PC does not support resetting the router configuration to the factory default.
[B]This document uses the SDM installed on the wireless router to configure the router for wireless authentication. [/B]
Cisco SDM communicates with routers for two purposes:
[LIST][*] Access the Cisco SDM application files for download to the PC[*] Read and write the router configuration and status[/LIST]
Cisco SDM uses HTTP(s) to download the application files (sdm.tar, home.tar) to the PC. A combination of HTTP(s) and Telnet/SSH is used to read and write the router configuration.
Refer to [URL="http://www.cisco.com/en/US/products/sw/secursw/ps5318/products_qanda_item0900aecd800fd11b.shtml"]Cisco Router and Security Device Manager Q&A[/URL] for the latest information on routers and IOS software releases that support SDM.
Refer to [URL="http://www.cisco.com/en/US/products/sw/secursw/ps5318/prod_installation_guide09186a00803e4727.html#wp70999"]Configure Your Router to Support SDM[/URL] for more information on how to use Cisco SDM on a router.
Refer to [URL="http://www.cisco.com/en/US/products/sw/secursw/ps5318/prod_installation_guide09186a00803e4727.html#wp65518"]Install the SDM Files[/URL] for instructions to install and download SDM files on the router or on the PC.
[B] Configure [/B]
This document explains how to configure these authentication types through SDM:
[LIST][*] Open Authentication with WEP Encryption[*] Open with MAC Authentication[*] Shared Authentication[*] 802.1x/Extensible Authentication Protocol (EAP) Authentication[*] Wi-Fi Protected Access (WPA)-Pre Shared Key (PSK) Authentication[*] WPA Authentication[/LIST]
In this section, you are presented with the information to configure the features described in this document.
[B]Note: [/B]Use the [URL="http://www.cisco.com/pcgi-bin/Support/Cmdlookup/home.pl"]Command Lookup Tool[/URL] ([SIZE=-1] [URL="http://tools.cisco.com/RPF/register/register.do"]registered[/URL] customers only[/SIZE]) to obtain more information on the commands used in this section.
[B] Network Diagram [/B]
This document uses this network setup:
[IMG]http://www.cisco.com/image/gif/paws/98584/isr-sdm-config1.gif[/IMG]
This setup uses the local RADIUS server on the Wireless ISR to authenticate wireless clients using 802.1x authentication.
[B] Configure the Router for SDM Access [/B]
Complete these steps in order to allow the router to be accessed through SDM:
[LIST=1][*] Configure the router for HTTP/HTTPS access using the procedure explained in [URL="http://www.cisco.com/en/US/products/sw/secursw/ps5318/prod_installation_guide09186a00803e4727.html#wp70999"]Configure Your Router to Support SDM[/URL].[*] Assign an IP address to the router with these steps:[INDENT] Router#[B]configure terminal[/B]
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#[B]interface fastEthernet 0[/B]
Router(config-if)#[B]ip address [I]10.77.244.197 255.255.255.224[/I][/B]

[B]% IP addresses cannot be configured on L2 links.[/B][/INDENT]In the 871W router, you might encounter this error message. It indicates that Fast Ethernet 0 is a Layer 2 switch port on which you cannot configure an IP address.[*] In order to overcome this issue, create a Layer 3 (VLAN) interface and assign the IP address to it with these steps:[INDENT] Router(config)#[B]interface Vlan1[/B]
Router(config-if)#[B]ip address [I]10.77.244.197 255.255.255.224[/I][/B][/INDENT][*] Allow this VLAN on the Layer 2 Fast Ethernet 0 interface with these steps. This document configures the Fast Ethernet interface as a trunk interface that allows VLAN 1. You can also configure it as an access interface and assign VLAN 1 to it, per your network setup.[INDENT] Router(config)#[B]interface fastEthernet [I]0[/I][/B]
Router(config-if)#[B]switchport trunk encapsulation dot1q[/B]
Router(config-if)#[B]switchport mode trunk[/B]
Router(config-if)#[B]switchport trunk allowed vlan add 1[/B]
[I]
[COLOR=#0000ff]!--- [B]switchport mode trunk[/B] puts the port into trunk mode; without it the
!--- encapsulation and allowed-VLAN settings do not take effect.
!--- The allowed-VLAN list takes VLAN numbers, not interface names, so VLAN 1
!--- is given as "1". This command allows VLAN 1 through the Fast Ethernet
!--- interface. In order to allow all VLANs through this interface, issue the
!--- [B]switchport trunk allowed vlan all[/B] command on this interface.[/COLOR]
[/I][/INDENT][B]Note: [/B]This example assumes that the basic router and wireless configurations have already been performed on the router. Therefore, the next step is to launch the wireless application on the router directly and configure the authentication parameters.[/LIST]
[B] Launch the SDM Wireless Application on the Router [/B]
Complete these steps in order to launch the wireless application:
[LIST=1][*] Start SDM by opening a browser and entering the IP address of your router.
You are prompted to accept or decline a Web Browser Security Alert window that looks like this:
[IMG]http://www.cisco.com/image/gif/paws/98584/isr-sdm-config2.gif[/IMG][*] Click [B]Yes[/B] to proceed.[*] On the window that appears, enter the privilege level 15 username and password in order to access the router.
This example uses [B]admin[/B] as the username and password:
[IMG]http://www.cisco.com/image/gif/paws/98584/isr-sdm-config3.gif[/IMG][*] Click [B]OK[/B] to continue. Enter the same information wherever it is required.[*] Click [B]Yes[/B] and [B]OK[/B] as appropriate in the resultant pages in order to launch the SDM application.
As the SDM application opens, you are prompted by a security alert window to accept a signed security certificate.[*] Click [B]Yes[/B] to accept the signed certificate.
[IMG]http://www.cisco.com/image/gif/paws/98584/isr-sdm-config4.gif[/IMG]
The resultant Cisco Router and SDM main page looks like this:
[IMG]http://www.cisco.com/image/gif/paws/98584/isr-sdm-config5.gif[/IMG][*] On this page, click [B]Configure[/B] at the top in order to launch the router configure mode window.[*] In the configure mode window, select [B]Interfaces and Connections[/B] from the Tasks column that appears at the left side of this page.[*] In the Interfaces and Connections window, click the [B]Create Connection[/B] tab.
This lists all the interfaces available to be configured on the router.[*] In order to launch the wireless application, choose [B]Wireless[/B] from the list of interfaces. Then, click [B]Launch Wireless Application[/B].
This screenshot explains steps 8, 9 and 10:
[IMG]http://www.cisco.com/image/gif/paws/98584/isr-sdm-config6.gif[/IMG]
This launches the SDM Wireless Application in a separate window where various authentication types can be configured.
The SDM Wireless Application home page looks like this:
[IMG]http://www.cisco.com/image/gif/paws/98584/isr-sdm-config7.gif[/IMG]
Observe that the Software Status is [B]Disabled[/B] and the Hardware Status of the radio (wireless) interface is [B]Down[/B] because no SSID is configured on the interface. Next, you configure the SSIDs and authentication types on this radio interface so that wireless clients can communicate through this interface.[/LIST]
[B] Configure Open Authentication with WEP Encryption [/B]
Open authentication is a null authentication algorithm. The access point (AP) will grant any request for authentication. Open authentication allows any device network access. If no encryption is enabled on the network, any device that knows the SSID of the AP can gain access to the network. With WEP encryption enabled on an AP, the WEP key itself becomes a means of access control. If a device does not have the correct WEP key, even though authentication is successful, the device will be unable to transmit data through the AP. Also, it cannot decrypt data sent from the AP.
Refer to [URL="http://www.cisco.com/en/US/docs/wireless/access_point/12.2_13_JA/configuration/guide/s13auth.html#wp1035025"]Open Authentication to the Access Point[/URL] for more information.
This example uses these configuration parameters for open authentication with WEP encryption:
[LIST][*] SSID name: [B]openwep[/B][*] VLAN id: [B]1[/B][*] VLAN IP address: [B]10.1.1.1/16[/B][*] DHCP address range for the wireless clients of this VLAN/SSID: [B]10.1.1.5/16 - 10.1.1.10/16[/B][/LIST]
Complete these steps in order to configure open authentication with WEP:
[LIST=1][*] On the Wireless Application home page, click [B]Wireless Services[/B] > [B]VLAN[/B] in order to configure a VLAN.
[IMG]http://www.cisco.com/image/gif/paws/98584/isr-sdm-config8.gif[/IMG][*] Select [B]Routing[/B] from the Services: VLAN page.
[IMG]http://www.cisco.com/image/gif/paws/98584/isr-sdm-config9.gif[/IMG][*] On the Services: VLAN Routing page, create the VLAN and assign it to the radio interface.
This is the configuration window of VLAN1 on the radio interface. VLAN1 is the native VLAN here:
[IMG]http://www.cisco.com/image/gif/paws/98584/isr-sdm-config10.gif[/IMG][*] On the Wireless Application home page, select [B]Wireless Security[/B] > [B]SSID Manager[/B] in order to configure the SSID and the authentication type.[*] On the Security: SSID Manager page, configure the SSID and assign the SSID to the VLAN created in step 1 in order to enable the SSID on the radio interface.[*] Under the Authentication Settings section of this page, choose [B]Open Authentication[/B].
Here is the configuration window that explains these steps:
[IMG]http://www.cisco.com/image/gif/paws/98584/isr-sdm-config11.gif[/IMG][*] Click [B]Apply[/B].
[B]Note: [/B]The drop-down box next to the Open Authentication check box indicates that open authentication can be combined with an additional authentication type, such as EAP or MAC authentication. This section discusses only open authentication with NO ADDITION (no additional authentication type).[*] Configure WEP encryption for this SSID/VLAN. On the Wireless home page, select [B]Wireless Security[/B] > [B]Encryption Manager[/B] in order to configure the encryption settings.
[LIST=1][*] On the Security: Encryption Manager page, set the Encryption Mode and Keys for [B]VLAN1[/B].[*] Choose [B]WEP Encryption: Mandatory[/B] as the Encryption Mode.[*] Set the Encryption Key for this VLAN.
This section uses these encryption key settings:
[LIST][*] Encryption key slot 1: used as the Transmit Key[*] Encryption key size: 40 bit[*] Encryption key in hexadecimal value: 1234567890[/LIST]
[B]Note: [/B]The same encryption key slot (1, in this case) should be used as the transmit key at the wireless client. Also, the wireless client should be configured with the same key value (1234567890 in this case) in order for the wireless client to communicate with this WLAN network.
This configuration window explains these steps:
[IMG]http://www.cisco.com/image/gif/paws/98584/isr-sdm-config12.gif[/IMG]
[/LIST]
This Wireless Security page represents the entire configuration:
[IMG]http://www.cisco.com/image/gif/paws/98584/isr-sdm-config13.gif[/IMG]
[/LIST]
[B] Configure Internal DHCP Server for Wireless Clients of This VLAN [/B]
Complete these steps in order to configure an internal DHCP server on the router. This is an optional, though recommended, method to assign IP addresses to wireless clients.
[LIST=1][*] On the SDM configure mode window, select [B]Additional Tasks[/B] under the Tasks column that is on the left side of the window.
[IMG]http://www.cisco.com/image/gif/paws/98584/isr-sdm-config14.gif[/IMG][*] On the [B]Additional Tasks[/B] page, expand the [B]DHCP[/B] tree and choose [B]DHCP Pools[/B] as shown in this example. In the DHCP Pools column shown on the right side of this page, click [B]Add[/B] to create a new DHCP pool.
[IMG]http://www.cisco.com/image/gif/paws/98584/isr-sdm-config15.gif[/IMG][*] On the Add DHCP Pool page, specify the DHCP Pool Name, DHCP Pool Network, Subnet mask, Starting IP address, Ending IP address and Default Router parameters as shown in this example:
[IMG]http://www.cisco.com/image/gif/paws/98584/isr-sdm-config16.gif[/IMG][*] Click [B]OK[/B].
The internal DHCP server is configured on the router.[/LIST]
[B] Configure Open with MAC Authentication [/B]
With this type of authentication, a wireless client is allowed onto the WLAN only if its MAC address is in the list of allowed MAC addresses on the authentication server. The AP relays the wireless client device's MAC address to a RADIUS authentication server on your network, and the server checks the address against a list of allowed MAC addresses. MAC-based authentication provides an alternate authentication method for client devices that do not have EAP capability.
Refer to [URL="http://www.cisco.com/en/US/docs/wireless/access_point/12.2_13_JA/configuration/guide/s13auth.html#wp1034875"]MAC Address Authentication to the Network[/URL] for more information.
[B]Note: [/B]This entire document uses the local RADIUS server for MAC authentication, 802.1x/EAP authentication, and WPA authentication.
This example uses these configuration parameters for open with MAC authentication:
[LIST][*] SSID name: [B]openmac[/B][*] VLAN id: [B]2[/B][*] VLAN IP address: [B]10.2.1.1/16[/B][*] DHCP address range for the wireless clients of this VLAN/SSID: [B]10.2.1.5/16 - 10.2.1.10/16[/B][/LIST]
Complete these steps in order to configure open with MAC authentication:
[LIST=1][*] On the Wireless Application home page, click [B]Wireless Services[/B] > [B]VLAN[/B] in order to configure a VLAN.[*] Select [B]Routing[/B] from the Services: VLAN page. On the Services: VLAN Routing page, create the VLAN and assign it to the radio interface.
Here is the configuration window of [B]VLAN 2[/B] on the radio interface:
[IMG]http://www.cisco.com/image/gif/paws/98584/isr-sdm-config17.gif[/IMG][*] Configure the local RADIUS server for MAC authentication. This local RADIUS server will hold the MAC address of the wireless client in its database and will allow or deny the client into the WLAN network as per the result of authentication.
[LIST=1][*] On the Wireless home page, select [B]Wireless Security[/B] > [B]Server Manager[/B] in order to configure the local RADIUS server.
[IMG]http://www.cisco.com/image/gif/paws/98584/isr-sdm-config18.gif[/IMG][*] On the Server Manager page, configure the IP address, Shared Secret, and the Authentication and Accounting Ports of the RADIUS server.
Because it is a local RADIUS server, the IP address specified is the address of this wireless interface. The shared secret key used should be the same on the AAA client configuration.
In this example, the shared secret is [B]cisco[/B].
[IMG]http://www.cisco.com/image/gif/paws/98584/isr-sdm-config19.gif[/IMG][*] Click [B]Apply[/B].[*] Scroll down the page to look for Default Server Priorities section. In this section, choose this RADIUS server ([B]10.2.1.1[/B]) as the default priority server for MAC Authentication as shown in this example:
[IMG]http://www.cisco.com/image/gif/paws/98584/isr-sdm-config20.gif[/IMG][*] In order to configure the AAA client and user credentials, select [B]Wireless Security[/B] > [B]Local RADIUS Server[/B] from the Wireless home page.[*] On the Local RADIUS Server page, click [B]GENERAL SET-UP[/B].
[IMG]http://www.cisco.com/image/gif/paws/98584/isr-sdm-config21.gif[/IMG][*] On the GENERAL SET-UP page, configure the AAA client and the shared secret key as shown.
With a local RADIUS server configuration, the IP address of the server and the AAA client will be the same.
[IMG]http://www.cisco.com/image/gif/paws/98584/isr-sdm-config22.gif[/IMG][*] Scroll down the GENERAL SET-UP page to look for the [B]Individual Users[/B] configuration section. In the Individual Users section, configure the MAC address of the wireless client as username and password.[*] Enable the [B]MAC Authentication Only[/B] check-box, then click [B]Apply[/B].
[IMG]http://www.cisco.com/image/gif/paws/98584/isr-sdm-config23.gif[/IMG]
In order to avoid intermittent client authentication failures, enter the MAC address of the client as a continuous string without separators, as shown in this example.[/LIST]
[*] On the Wireless Application home page, select [B]Wireless Security[/B] > [B]SSID Manager[/B] in order to configure the SSID and the authentication type.
[LIST=1][*] On the Security: SSID Manager page, configure the SSID and assign the SSID to the VLAN created in step 1 in order to enable the SSID on the radio interface.[*] Under the Authentication Settings section of this page, choose [B]Open Authentication[/B] and, from the corresponding drop-down box, choose [B]with MAC Authentication[/B].[*] In order to configure Server Priorities, choose [B]Customize[/B] under MAC Authenticate Servers and choose the IP address of the local RADIUS server, [B]10.2.1.1[/B].
This is an example that explains this step:
[IMG]http://www.cisco.com/image/gif/paws/98584/isr-sdm-config24.gif[/IMG][/LIST]
[*] In order to configure the internal DHCP server for wireless clients of this VLAN, complete the same steps explained in the [URL="http://www.cisco.com/en/US/products/hw/routers/ps380/products_configuration_example09186a00808acf2f.shtml#dhcp"]Configure Internal DHCP Server for Wireless Clients of This VLAN[/URL] section of this document with these configuration parameters:
[LIST][*] DHCP Pool Name: VLAN 2[*] DHCP Pool Network: 10.2.0.0[*] Subnet Mask: 255.255.0.0[*] Starting IP: 10.2.1.5[*] Ending IP: 10.2.1.10[*] Default Router: 10.2.1.1[/LIST]
[/LIST]
[B] Configure 802.1x/EAP Authentication [/B]
This authentication type provides the highest level of security for your wireless network. By using EAP to interact with an EAP-compatible RADIUS server, the AP helps a wireless client device and the RADIUS server perform mutual authentication and derive a dynamic unicast WEP key. The RADIUS server sends the WEP key to the AP, which uses it for all unicast data signals that it sends to or receives from the client.
Refer to [URL="http://www.cisco.com/en/US/docs/wireless/access_point/12.2_13_JA/configuration/guide/s13auth.html#wp1035193"]EAP Authentication to the Network[/URL] for more information.
[B]Note: [/B]Several EAP authentication methods are available. Throughout this document, Lightweight Extensible Authentication Protocol (LEAP) is configured as the EAP authentication method. LEAP uses a username and password as the user credentials for authentication.
[B]Note: [/B]In order to configure EAP-Flexible Authentication via Secure Tunneling (EAP-FAST) as the EAP authentication type, refer to [URL="http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00804b9d57.shtml"]EAP-FAST Version 1.02 Configuration Guide[/URL] for the procedure.
This example uses these configuration parameters for EAP authentication:
[LIST][*] SSID name: [B]leap[/B][*] VLAN id: [B]3[/B][*] VLAN IP address: [B]10.3.1.1/16 [/B][*] DHCP address range for the wireless clients of this VLAN/SSID: [B]10.3.1.5/16 - 10.3.1.10/16 [/B][/LIST]
Complete these steps in order to configure EAP authentication:
[LIST=1][*] Repeat steps 1 and 2 of [URL="http://www.cisco.com/en/US/products/hw/routers/ps380/products_configuration_example09186a00808acf2f.shtml#mac"]Configure Open with MAC Authentication[/URL] in order to create and configure VLAN with these configuration parameters:
[LIST][*] VLAN id: 3[*] Radio interface IP address: 10.3.1.1[*] subnet mask: 255.255.0.0[/LIST]
[*] Then, configure the local RADIUS server for client authentication. In order to perform this, repeat steps 3a to 3c of [URL="http://www.cisco.com/en/US/products/hw/routers/ps380/products_configuration_example09186a00808acf2f.shtml#mac"]Configure Open with MAC Authentication[/URL] with these configuration parameters:
[LIST][*] IP address of RADIUS server: 10.3.1.1[*] Shared Secret: cisco[/LIST]
Here is the configuration screen that explains step 2 of EAP authentication:
[IMG]http://www.cisco.com/image/gif/paws/98584/isr-sdm-config25.gif[/IMG] [*] Scroll down the page to look for the Default Server Priorities section. In this section, choose this RADIUS server ([B]10.3.1.1[/B]) as the default priority server for EAP Authentication as shown in this example.
[IMG]http://www.cisco.com/image/gif/paws/98584/isr-sdm-config26.gif[/IMG][*] Repeat steps 3e and 3f of [URL="http://www.cisco.com/en/US/products/hw/routers/ps380/products_configuration_example09186a00808acf2f.shtml#mac"]Configure Open with MAC Authentication[/URL].[*] Repeat steps 3g and 3h of [URL="http://www.cisco.com/en/US/products/hw/routers/ps380/products_configuration_example09186a00808acf2f.shtml#mac"]Configure Open with MAC Authentication[/URL] with these configuration parameters for EAP authentication:
[LIST][*] AAA client IP address: 10.3.1.1[*] Shared secret: cisco[*] Under the Individual Users section, configure the username and password as [B]user1[/B].[/LIST]
[*] On the Wireless Application home page, select [B]Wireless Security[/B] > [B]SSID Manager[/B] in order to configure the SSID and the authentication type.
[LIST=1][*] On the Security: SSID Manager page, configure the SSID and assign the SSID to the VLAN created in step 1 in order to enable the SSID on the radio interface.[*] Under the Authentication Settings section of this page, choose [B]Open Authentication[/B] and from the corresponding drop-down box, choose [B]EAP Authentication[/B]. Also, select the [B]Network EAP[/B] authentication type.[*] In order to configure the Server Priorities, choose [B]Customize[/B] under EAP Authenticate Servers and choose the IP address of the local RADIUS server [B]10.3.1.1[/B].[/LIST]
Here is an example that explains these steps:
[IMG]http://www.cisco.com/image/gif/paws/98584/isr-sdm-config27.gif[/IMG] [*] In order to configure the internal DHCP server for wireless clients of this VLAN, complete the same steps explained in the [URL="http://www.cisco.com/en/US/products/hw/routers/ps380/products_configuration_example09186a00808acf2f.shtml#dhcp"]Configure Internal DHCP Server for Wireless Clients of This VLAN[/URL] section of this document with these configuration parameters:
[LIST][*] DHCP Pool name: VLAN 3[*] DHCP Pool Network: 10.3.0.0[*] Subnet Mask: 255.255.0.0[*] Starting IP: 10.3.1.5[*] Ending IP: 10.3.1.10[*] Default Router: 10.3.1.1[/LIST]
[*] Configure the Cipher to be used for dynamic key management upon successful authentication of the wireless client.
[LIST=1][*] On the Wireless home page, select [B]Wireless Security[/B] > [B]Encryption Manager[/B] in order to configure the encryption settings.[*] On the Wireless Security > Encryption Manager screen on the Security: Encryption Manager page, enter [B]3[/B] for Set Encryption Mode and Keys for VLAN.[*] Choose [B]Cipher[/B] as the Encryption Mode, and choose a Cipher encryption algorithm from the drop-down box.
This example uses [B]TKIP[/B] as the Cipher algorithm:
[IMG]http://www.cisco.com/image/gif/paws/98584/isr-sdm-config28.gif[/IMG]
[B]Note: [/B]When you configure multiple authentication types on a wireless router through SDM, it is sometimes not possible to configure two different authentication types that both use cipher encryption mode on the same router. In such cases, the encryption setting configured through SDM might not be applied on the router. In order to overcome this, configure those authentication types through the CLI.[/LIST]
[/LIST]
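Because some cipher combinations have to be finished through the CLI, the running-config the router ends up with is what a reviewer ultimately has to check. The following is an added example, not part of the Cisco document: a small Python audit that parses the [B]dot11 ssid[/B] blocks and [B]encryption vlan[/B] lines from [B]show running-config[/B] output, joins them by VLAN and names each SSID's authentication type the way this document does, with a risk note for the weak combinations. It assumes the global [B]dot11 ssid[/B] configuration form; the config excerpt, the method-list names (mac_methods, eap_methods) and the "7 PLACEHOLDER" key strings are constructed for the example.

```python
# Added example, not from the Cisco document: audit the Layer 2 wireless
# authentication settings that SDM writes into the IOS running-config.
import re
from dataclasses import dataclass

# Constructed running-config excerpt for the six SSIDs this document configures;
# "7 PLACEHOLDER" stands for the type-7 obscured key strings IOS would display.
SAMPLE_CONFIG = """\
dot11 ssid openwep
   vlan 1
   authentication open
!
dot11 ssid openmac
   vlan 2
   authentication open mac-address mac_methods
!
dot11 ssid leap
   vlan 3
   authentication network-eap eap_methods
!
dot11 ssid shared
   vlan 4
   authentication shared
!
dot11 ssid wpa
   vlan 5
   authentication network-eap eap_methods
   authentication key-management wpa
!
dot11 ssid wpapsk
   vlan 6
   authentication open
   authentication key-management wpa
   wpa-psk ascii 7 PLACEHOLDER
!
interface Dot11Radio0
 encryption vlan 1 key 1 size 40bit 7 PLACEHOLDER transmit-key
 encryption vlan 1 mode wep mandatory
 encryption vlan 3 mode ciphers tkip
 encryption vlan 4 mode wep mandatory
 encryption vlan 5 mode ciphers tkip
 encryption vlan 6 mode ciphers tkip
"""


@dataclass
class Ssid:
    name: str
    vlan: int = 0
    shared: bool = False      # "authentication shared"
    mac_auth: bool = False    # "authentication open mac-address <list>"
    eap: bool = False         # "... eap <list>" or "authentication network-eap"
    wpa: bool = False         # "authentication key-management wpa"
    psk: bool = False         # "wpa-psk ..." present
    encryption: str = "none"  # "encryption vlan N mode ..." on the radio


def parse_config(text: str) -> dict[str, Ssid]:
    """Collect the dot11 ssid blocks and attach each VLAN's encryption mode."""
    ssids, enc_by_vlan, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"dot11 ssid (\S+)$", line):
            current = ssids[m.group(1)] = Ssid(m.group(1))
        elif line == "!" or line.startswith("interface "):
            current = None  # SSID block ended; encryption lives on the radio
        elif current is not None and (m := re.match(r"vlan (\d+)$", line)):
            current.vlan = int(m.group(1))
        elif current is not None and line.startswith("authentication "):
            words = line.split()
            current.shared |= words[1] == "shared"
            current.mac_auth |= "mac-address" in words
            current.eap |= "eap" in words or words[1] == "network-eap"
            current.wpa |= words[1:3] == ["key-management", "wpa"]
        elif current is not None and line.startswith("wpa-psk "):
            current.psk = True
        elif m := re.match(r"encryption vlan (\d+) mode (.+)$", line):
            enc_by_vlan[int(m.group(1))] = m.group(2)
    for s in ssids.values():  # join SSID and radio encryption settings by VLAN
        s.encryption = enc_by_vlan.get(s.vlan, "none")
    return ssids


def classify(s: Ssid) -> tuple[str, str]:
    """Name the authentication type as this document does, with a risk note."""
    if s.wpa and s.psk:
        return "WPA-PSK", f"medium: rests on passphrase strength; {s.encryption}"
    if s.wpa:
        return "WPA", f"low: EAP-derived per-session keys; {s.encryption}"
    if s.eap:
        return "802.1x/EAP", "medium: dynamic keys, but no WPA key management"
    if s.shared:
        return "Shared", "high: challenge exchange exposes WEP keystream material"
    if s.mac_auth:
        return "Open with MAC", "high: MAC addresses are sent in clear text"
    if s.encryption.startswith("wep"):
        return "Open with WEP", "high: a static WEP key is the only access control"
    return "Open", "critical: no encryption; knowing the SSID is enough to join"
```

Run it over a saved copy of the real running-config instead of SAMPLE_CONFIG to list every SSID whose note starts with "high" or "critical".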
[B] Configure Shared Authentication [/B]
Cisco provides shared key authentication to comply with the IEEE 802.11b standard.
During shared key authentication, the AP sends an unencrypted challenge text string to any device that attempts to communicate with the AP. The device that requests authentication encrypts the challenge text and sends it back to the AP. If the challenge text is encrypted correctly, the AP allows the requesting device to authenticate. Both the unencrypted challenge and the encrypted challenge can be monitored. However, this leaves the AP open to attack from an intruder who calculates the WEP key by comparing the unencrypted and encrypted text strings.
Refer to [URL="http://www.cisco.com/en/US/docs/wireless/access_point/12.2_13_JA/configuration/guide/s13auth.html#wp1035341"]Shared Key Authentication to the Access Point[/URL] for more information.
This example uses these configuration parameters for shared authentication:
[LIST][*] SSID name: [B]shared[/B][*] VLAN id: [B]4[/B][*] VLAN IP address: [B]10.4.1.1/16[/B][*] DHCP address range for the Wireless clients of this VLAN/SSID: [B]10.4.1.5/16 - 10.4.1.10/16[/B][/LIST]
Complete these steps in order to configure shared authentication:
[LIST=1][*] Repeat steps 1 and 2 of [URL="http://www.cisco.com/en/US/products/hw/routers/ps380/products_configuration_example09186a00808acf2f.shtml#mac"]Configure Open with MAC Authentication[/URL] in order to create and configure VLAN with these configuration parameters:
[LIST][*] VLAN id: 4[*] Radio interface IP address: 10.4.1.1[*] subnet mask: 255.255.0.0[/LIST]
[*] On the Wireless Application home page, select [B]Wireless Security[/B] > [B]SSID Manager[/B] in order to configure the SSID and the authentication type.
[LIST=1][*] On the Security: SSID Manager page, configure the SSID and assign the SSID to the VLAN created in step 1 in order to enable the SSID on the radio interface.[*] Under the Authentication Settings section of this page, choose [B]Shared Authentication[/B].
Here is the configuration screen that explains these steps:
[IMG]http://www.cisco.com/image/gif/paws/98584/isr-sdm-config29.gif[/IMG][*] Click [B]Apply[/B].[/LIST]
[*] Configure WEP encryption for this SSID/VLAN. Because it is the shared key authentication, the same key is used for authentication as well. On the Wireless home page, select [B]Wireless Security[/B] > [B]Encryption Manager[/B] in order to configure the encryption settings.
[LIST=1][*] On the Security: Encryption Manager page, enter [B]4[/B] for Set Encryption Mode and Keys for VLAN.[*] Choose [B]WEP Encryption: Mandatory[/B] as the Encryption Mode.[*] Set the Encryption Key for this VLAN.
This section uses these encryption key settings:
[LIST][*] Encryption Key slot 1: used as the Transmit Key[*] Encryption Key size: 40 bit[*] Encryption key in hexadecimal value: 1234567890[/LIST]
[B]Note: [/B]The same encryption key slot (1, in this case) should be used as the transmit key at the wireless client. Also, the wireless client should be configured with the same key value (1234567890 in this case) in order for the wireless client to communicate with this WLAN network.
[/LIST]
This configuration screen explains these steps:
[IMG]http://www.cisco.com/image/gif/paws/98584/isr-sdm-config30.gif[/IMG] [*] In order to configure the internal DHCP server for wireless clients of this VLAN, complete the same steps explained in [URL="http://www.cisco.com/en/US/products/hw/routers/ps380/products_configuration_example09186a00808acf2f.shtml#dhcp"]Configure Internal DHCP Server for Wireless Clients of This VLAN[/URL] section of this document with these configuration parameters:
[LIST][*] DHCP Pool name: VLAN 4[*] DHCP Pool Network: 10.4.0.0[*] Subnet Mask: 255.255.0.0[*] Starting IP: 10.4.1.5[*] Ending IP: 10.4.1.10[*] Default Router: 10.4.1.1[/LIST]
[/LIST]
[B] Configure WPA Authentication [/B]
WPA is a standards-based, interoperable security enhancement that strongly increases the level of data protection and access control for existing and future wireless LAN systems. WPA key management supports two mutually exclusive management types: WPA and WPA-PSK.
Refer to [URL="http://www.cisco.com/en/US/docs/wireless/access_point/12.2_13_JA/configuration/guide/s13auth.html#wp1038477"]Using WPA Key Management[/URL] for more information.
Using WPA key management, clients and the authentication server authenticate to each other using an EAP authentication method, and the client and server generate a pairwise master key (PMK). Using WPA, the server generates the PMK dynamically and passes it to the AP.
This example uses these configuration parameters for WPA authentication:
[LIST][*] SSID name: [B]wpa[/B][*] VLAN id: [B]5[/B][*] VLAN IP address: [B]10.5.1.1/16[/B][*] DHCP address range for the wireless clients of this VLAN/SSID: [B]10.5.1.5/16 - 10.5.1.10/16[/B][/LIST]
Complete these steps in order to configure WPA authentication:
[LIST=1][*] Repeat steps 1 and 2 of [URL="http://www.cisco.com/en/US/products/hw/routers/ps380/products_configuration_example09186a00808acf2f.shtml#mac"]Configure Open with MAC Authentication[/URL] in order to create and configure VLAN with these configuration parameters:
[LIST][*] VLAN id: 5[*] Radio interface IP address: 10.5.1.1[*] subnet mask: 255.255.0.0[/LIST]
[*] Because WPA is a key management standard, configure the cipher to be used for WPA key management.
[LIST=1][*] On the Wireless home page, select [B]Wireless Security[/B] > [B]Encryption Manager[/B] in order to configure the encryption settings.[*] On the Wireless Security > Encryption Manager screen on the Security: Encryption Manager page, enter [B]5[/B] for Set Encryption Mode and Keys for VLAN.[*] Choose [B]Cipher[/B] as Encryption Mode, and choose a Cipher encryption algorithm from the drop-down box.
This example uses [B]TKIP[/B] as the cipher algorithm. TKIP is the original WPA cipher, retained for compatibility with older clients; choose [B]AES CCMP[/B] (WPA2) where the clients support it.
[IMG]http://www.cisco.com/image/gif/paws/98584/isr-sdm-config31.gif[/IMG]
[B]Note: [/B]When several SSIDs on the same router are configured through SDM with cipher encryption mode, the encryption setting for one of them sometimes is not applied to the router. Check the result with [B]show running-config[/B] after you click Apply and, if the encryption line for the VLAN is missing, configure the encryption for that authentication type from the CLI.[/LIST]
[*] The next step is to configure local RADIUS server for client authentication. In order to perform this, repeat steps 3a to 3c of [URL="http://www.cisco.com/en/US/products/hw/routers/ps380/products_configuration_example09186a00808acf2f.shtml#mac"]Configure Open with MAC Authentication[/URL] with these configuration parameters:
[LIST][*] IP address of RADIUS server: 10.5.1.1[*] Shared Secret: cisco[/LIST]
[LIST=1][*] Scroll down the [B]Server Manager[/B] page to look for the Default Server Priorities section. In this section, choose this RADIUS server ([B]10.5.1.1[/B]) as the default priority server for EAP Authentication as shown in this example:
[IMG]http://www.cisco.com/image/gif/paws/98584/isr-sdm-config32.gif[/IMG][*] Repeat steps 3e and 3f of [URL="http://www.cisco.com/en/US/products/hw/routers/ps380/products_configuration_example09186a00808acf2f.shtml#mac"]Configure Open with MAC Authentication[/URL].[*] Repeat steps 3g and 3h of [URL="http://www.cisco.com/en/US/products/hw/routers/ps380/products_configuration_example09186a00808acf2f.shtml#mac"]Configure Open with MAC Authentication[/URL] with these configuration parameters for EAP authentication:
[LIST][*] AAA client IP address: 10.5.1.1[*] Shared Secret: cisco[/LIST]
[*] Under the Individual Users section, configure the username and password as [B]user2[/B].[/LIST]
[*] In order to enable WPA for an SSID, you need to enable Open with EAP or Network EAP on the SSID. In order to enable Network EAP, on the Wireless Application home page, select [B]Wireless Security[/B] > [B]SSID Manager[/B] to configure the SSID and the authentication type.
[LIST=1][*] On the Security: SSID Manager page, configure the SSID and assign the SSID to the VLAN created in step1 in order to enable the SSID on the radio interface.[*] Under the Authentication Settings section of this page, choose [B]Open Authentication[/B] and from the corresponding drop-down box, choose [B]EAP Authentication[/B]. Also, select the [B]Network EAP[/B] authentication type.[*] In order to configure Server Priorities, choose [B]Customize[/B] under EAP Authenticate Servers and choose the IP address of the local RADIUS server [B]10.5.1.1[/B].[/LIST]
Here is an example that explains these steps:
[IMG]http://www.cisco.com/image/gif/paws/98584/isr-sdm-config33.gif[/IMG] [*] Scroll down the SSID Manager page to look for the [B]Authenticated Key Management[/B] section.[*] In this section, choose [B]Mandatory[/B] from the Key Management drop-down box, and enable the [B]WPA[/B] check-box.
Here is the configuration window that explains these steps:
[IMG]http://www.cisco.com/image/gif/paws/98584/isr-sdm-config34.gif[/IMG][*] Click [B]Apply[/B].[*] In order to configure the internal DHCP server for wireless clients of this VLAN, complete the same steps explained in [URL="http://www.cisco.com/en/US/products/hw/routers/ps380/products_configuration_example09186a00808acf2f.shtml#dhcp"]Configure Internal DHCP Server for Wireless Clients of This VLAN[/URL] section of this document with these configuration parameters:
[LIST][*] DHCP Pool Name: VLAN 5[*] DHCP Pool Network: 10.5.0.0[*] Subnet Mask: 255.255.0.0[*] Starting IP: 10.5.1.5[*] Ending IP: 10.5.1.10[*] Default Router: 10.5.1.1[/LIST]
[/LIST]
[B] Configure WPA-PSK Authentication [/B]
The other WPA key management type is WPA-PSK. WPA-PSK supports WPA on a wireless LAN where 802.1x-based authentication is not available: instead of being derived by an EAP exchange, the PMK is a pre-shared key that you configure on the AP and on every client. You can enter the pre-shared key as ASCII or hexadecimal characters. If you enter it as ASCII, use between 8 and 63 characters; the AP expands the passphrase into the 256-bit key with the password-based key derivation of RFC 2898 (PBKDF2 with HMAC-SHA1, the SSID as salt and 4096 iterations), so the same passphrase produces a different key on each SSID. If you enter the key as hexadecimal characters, you must enter exactly 64 hexadecimal characters, which is the 256-bit key itself with no expansion.
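The following is an added example, not code from the Cisco document, SDM or IOS. It reproduces the passphrase expansion described above for WPA-PSK and the per-association key derivation that follows it for both WPA and WPA-PSK (the PMK described in the WPA section), so the consequence is visible: whoever knows or can guess the passphrase derives the PMK, and with the 4-way handshake inputs, every client's session keys. It assumes, as IEEE 802.11i specifies but the page does not state, PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations and a 256-bit output, the 802.11i PRF with the label "Pairwise key expansion", and a 64-byte PTK because the page configures TKIP. The AP MAC address, nonces and wordlist are constructed.

```python
"""Added example; not code from the Cisco document, SDM or IOS.

Reproduces the WPA-PSK passphrase expansion the text describes (RFC 2898
PBKDF2) and the per-association key derivation that follows it for both
WPA and WPA-PSK.

Assumptions not stated on the page: PBKDF2-HMAC-SHA1 with the SSID as
salt, 4096 iterations and a 256-bit output (IEEE 802.11i); the 802.11i
PRF with the label "Pairwise key expansion"; a 64-byte PTK because the
page configures TKIP. The AP MAC, nonces and wordlist are constructed.
"""
import hashlib
import hmac
import re

PBKDF2_ITERATIONS = 4096
PMK_LEN = 32        # 256-bit pairwise master key
TKIP_PTK_LEN = 64   # KCK(16) | KEK(16) | TK(16) | MIC Tx(8) | MIC Rx(8)


def psk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """ASCII form: 8 to 63 printable characters, expanded with PBKDF2."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("ASCII passphrase must be 8 to 63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("ASCII passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt,
                               PBKDF2_ITERATIONS, PMK_LEN)


def psk_from_hex(hex_key: str) -> bytes:
    """Hexadecimal form: exactly 64 hex digits, used as the PMK unchanged."""
    if not re.fullmatch(r"[0-9a-fA-F]{64}", hex_key):
        raise ValueError("hex PSK must be exactly 64 hexadecimal characters")
    return bytes.fromhex(hex_key)


def prf_802_11i(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """PRF-n of 802.11i: HMAC-SHA1(key, label | 0x00 | data | i) for i = 0, 1, ..."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, ap_mac: bytes, client_mac: bytes,
               anonce: bytes, snonce: bytes) -> bytes:
    """PTK from the 4-way handshake inputs; min/max ordering makes it side-independent."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_802_11i(pmk, b"Pairwise key expansion", data, TKIP_PTK_LEN)


def recover_passphrase(target_pmk, ssid, candidates):
    """Offline guess against a known PMK: one PBKDF2 per candidate and SSID."""
    for word in candidates:
        if not 8 <= len(word) <= 63:      # cannot be a valid ASCII passphrase
            continue
        if hmac.compare_digest(psk_from_passphrase(word, ssid), target_pmk):
            return word
    return None


if __name__ == "__main__":
    # The page's own values: SSID "wpa-psk", passphrase "1234567890".
    pmk = psk_from_passphrase("1234567890", "wpa-psk")
    print("PMK for SSID wpa-psk:", pmk.hex())
    ap_mac = bytes.fromhex("001a2b3c4d5e")           # constructed AP MAC
    client_mac = bytes.fromhex("004096ace657")       # client MAC shown on the page
    anonce, snonce = b"\x11" * 32, b"\x22" * 32      # constructed nonces
    ptk = derive_ptk(pmk, ap_mac, client_mac, anonce, snonce)
    print("PTK (KCK|KEK|TK|MIC):", ptk.hex())
    # A ten-digit passphrase falls to a small wordlist.
    print("recovered:", recover_passphrase(pmk, "wpa-psk",
                                           ["short", "password", "1234567890"]))
```

Because the PMK depends only on the passphrase and the SSID, every client on the SSID shares it, and a captured 4-way handshake (both MAC addresses and both nonces are sent in the clear) lets anyone holding the passphrase compute that client's PTK. The same capture is all an attacker needs to test passphrase guesses offline, which is why the length rule in the text is a floor, not a target.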
This example uses these configuration parameters for WPA-PSK authentication:
[LIST][*] SSID name: [B]wpa-psk[/B][*] VLAN id: [B]6[/B][*] VLAN IP address: [B]10.6.1.1/16[/B][*] DHCP address range for the wireless clients of this VLAN/SSID: [B]10.6.1.5/16 - 10.6.1.10/16[/B][/LIST]
Complete these steps in order to configure WPA-PSK:
[LIST=1][*] Repeat steps 1 and 2 of [URL="http://www.cisco.com/en/US/products/hw/routers/ps380/products_configuration_example09186a00808acf2f.shtml#mac"]Configure Open with MAC Authentication[/URL] in order to create and configure VLAN with these configuration parameters:
[LIST][*] VLAN id: 6[*] Radio interface IP address: 10.6.1.1[*] subnet mask: 255.255.0.0[/LIST]
[*] Because WPA-PSK is a key management standard, configure the cipher to be used for WPA key management.
[LIST=1][*] On the Wireless home page, select [B]Wireless Security[/B] > [B]Encryption Manager[/B] in order to configure the encryption settings.[*] On the [B]Wireless Security[/B] > [B]Encryption Manager[/B] window on the Security: Encryption Manager page, enter [B]6[/B] for Set Encryption Mode and Keys for VLAN.[*] Choose [B]Cipher[/B] as Encryption Mode, and choose a Cipher encryption algorithm from the drop-down box.
This example uses [B]TKIP+WEP 128bit[/B] as the cipher algorithm. This is a mixed mode that also admits static-WEP clients on VLAN 6; use plain [B]TKIP[/B] (or [B]AES CCMP[/B]) unless legacy WEP clients must be supported.
[IMG]http://www.cisco.com/image/gif/paws/98584/isr-sdm-config35.gif[/IMG]
[B]Note: [/B]When several SSIDs on the same router are configured through SDM with cipher encryption mode, the encryption setting for one of them sometimes is not applied to the router. Check the result with [B]show running-config[/B] after you click Apply and, if the encryption line for the VLAN is missing, configure the encryption for that authentication type from the CLI.[/LIST]
[*] In order to enable WPA-PSK for an SSID, you need to enable open authentication on the SSID. In order to enable open authentication, repeat step 6 of [URL="http://www.cisco.com/en/US/products/hw/routers/ps380/products_configuration_example09186a00808acf2f.shtml#open"]Configure Open Authentication with WEP Encryption[/URL].
Here is the configuration window of WPA-PSK:
[IMG]http://www.cisco.com/image/gif/paws/98584/isr-sdm-config36.gif[/IMG][*] Scroll down the SSID Manager page to look for the [B]Authenticated Key Management[/B] section.[*] In this section, choose [B]Mandatory[/B] from the Key Management drop-down box, enable the [B]WPA[/B] check-box and enter the WPA Pre-shared Key in ASCII or Hexadecimal format.
This example uses ASCII format. The same format should be used at the client side configuration. Here is the configuration window that explains step 5:
[IMG]http://www.cisco.com/image/gif/paws/98584/isr-sdm-config37.gif[/IMG]
The WPA Pre-Shared Key used in this configuration is 1234567890. This value is an example only; because the key is derived solely from the passphrase and the SSID, use a long, random passphrase in production.[*] Click [B]Apply[/B].[*] In order to configure the internal DHCP server for wireless clients of this VLAN, complete the same steps explained in [URL="http://www.cisco.com/en/US/products/hw/routers/ps380/products_configuration_example09186a00808acf2f.shtml#dhcp"]Configure Internal DHCP Server for Wireless Clients of This VLAN[/URL] section of this document with these configuration parameters:
[LIST][*] DHCP Pool Name: VLAN 6[*] DHCP Pool Network: 10.6.0.0[*] Subnet Mask: 255.255.0.0[*] Starting IP: 10.6.1.5[*] Ending IP: 10.6.1.10[*] Default Router: 10.6.1.1[/LIST]
[/LIST]
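The SDM steps in the WPA and WPA-PSK procedures above produce a running configuration that you can inspect and, where the note about cipher encryption mode applies, complete by hand. The fragment below is an added example and is not taken from the document or from an SDM-generated configuration: it is the CLI equivalent of the Encryption Manager, Server Manager and SSID Manager settings for the [B]wpa[/B] (VLAN 5) and [B]wpa-psk[/B] (VLAN 6) SSIDs. VLAN bridging and the DHCP pools are configured as in the earlier sections and are left out. The RADIUS ports 1812/1813, the server-group and method-list names, and the example secrets are assumptions.

```text
! Added example (not from the document): CLI form of the SDM settings
! for the "wpa" (VLAN 5) and "wpa-psk" (VLAN 6) SSIDs.
! Assumed: RADIUS ports 1812/1813, the names rad_eap and eap_methods,
! and the example secrets "cisco", "user2" and "1234567890".
aaa new-model
aaa group server radius rad_eap
 server 10.5.1.1 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
!
radius-server host 10.5.1.1 auth-port 1812 acct-port 1813 key cisco
!
radius-server local
 nas 10.5.1.1 key cisco
 user user2 password user2
!
dot11 ssid wpa
 vlan 5
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa
!
dot11 ssid wpa-psk
 vlan 6
 authentication open
 authentication key-management wpa
 wpa-psk ascii 1234567890
!
interface Dot11Radio0
 encryption vlan 5 mode ciphers tkip
 encryption vlan 6 mode ciphers tkip wep128
 ssid wpa
 ssid wpa-psk
```

After you click Apply in SDM, run [B]show running-config | begin dot11 ssid[/B] on the router and compare it with this fragment; the [B]encryption vlan ... mode ciphers[/B] lines under the radio interface are the ones SDM sometimes fails to apply. [B]show dot11 associations[/B] then lists each authenticated client under its SSID.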
[B] Wireless Client Configuration [/B]
After you configure the ISR through SDM, you need to configure the wireless client for the different authentication types so that the router can authenticate these wireless clients and provide access to the WLAN network. This document uses ADU for client side configuration.
[B] Configure Wireless Client for Open Authentication with WEP Encryption [/B]
Complete these steps:
[LIST=1][*] In the Profile Management window on the ADU, click [B]New[/B] in order to create a new profile.
A new window displays where you can set the configuration for open authentication.[*] Under the [B]General[/B] tab, enter the Profile Name and the SSID that the client adapter will use.
In this example, the Profile Name and SSID are [B]openwep[/B].
[B]Note: [/B]The SSID must match the SSID that you configured on the ISR for open authentication.
[IMG]http://www.cisco.com/image/gif/paws/98584/isr-sdm-config38.gif[/IMG][*] Click the [B]Security[/B] tab and leave the security option as Pre-Shared Key (Static WEP) for WEP encryption.[*] Click [B]Configure[/B] and define the pre-shared key as shown in this example:
[IMG]http://www.cisco.com/image/gif/paws/98584/isr-sdm-config39.gif[/IMG][*] Click the [B]Advanced[/B] tab on the Profile Management page and set 802.11 Authentication Mode as [B]Open[/B] for open authentication.
[IMG]http://www.cisco.com/image/gif/paws/98584/isr-sdm-config40.gif[/IMG][*] In order to verify open with WEP authentication, activate the [B]openwep[/B] SSID configured.
[IMG]http://www.cisco.com/image/gif/paws/98584/isr-sdm-config41.gif[/IMG][*] Verify that the wireless client has associated with the router. On the router, the [B]show dot11 associations[/B] command lists each client under its SSID with its MAC address, IP address and association state.
Here is an example:[INDENT] Router#[B]show dot11 associations[/B]
802.11 Client Stations on Dot11Radio0:
[B]SSID [openwep] :[/B]
MAC Address IP address Device Name Parent State
[B]0040.96ac.e657 10.1.1.5 [/B] CB21AG/PI21AG client self Assoc
Others: (not related to any ssid)[/INDENT][/LIST]
[B] Configure Wireless Client for Open with MAC Authentication [/B]
Complete these steps:
[LIST=1][*] In the Profile Management window on the ADU, click [B]New[/B] in order to create a new profile.
A new window displays where you can set the configuration for open authentication.[*] Under the [B]General[/B] tab, enter the Profile Name and the SSID that the client adapter will use.
In this example, the Profile Name and SSID are [B]openmac[/B].
[B]Note: [/B]The SSID must match the SSID that you configured on the ISR for open authentication.
[IMG]http://www.cisco.com/image/gif/paws/98584/isr-sdm-config42.gif[/IMG][*] Click the [B]Security[/B] tab and leave the security option as [B]None[/B] for open with MAC authentication. Then, click [B]OK[/B].
[IMG]http://www.cisco.com/image/gif/paws/98584/isr-sdm-config43.gif[/IMG][*] In order to verify open with MAC authentication, activate the [B]openmac[/B] SSID configured.
[IMG]http://www.cisco.com/image/gif/paws/98584/isr-sdm-config44.gif[/IMG][*] Verify that the wireless client has associated with the router. On the router, the [B]show dot11 associations[/B] command lists each client under its SSID; the state [B]MAC-Assoc[/B] shows that MAC authentication succeeded.
Here is an example:[INDENT] Router#[B]show dot11 associations[/B]
802.11 Client Stations on Dot11Radio0:
[B]SSID [openmac] :[/B]
MAC Address IP address Device Name Parent State
[B]0040.96ac.e657 10.2.1.5 [/B] CB21AG/PI21AG client1 self [B]MAC-Assoc[/B]
SSID [openwep] :
Others: (not related to any ssid)[/INDENT][/LIST]
[B] Configure Wireless Client for 802.1x/EAP Authentication [/B]
Complete these steps:
[LIST=1][*] In the Profile Management window on the ADU, click [B]New[/B] in order to create a new profile.
A new window displays where you can set the configuration for 802.1x/EAP authentication.[*] Under the [B]General[/B] tab, enter the Profile Name and the SSID that the client adapter will use.
In this example, the Profile Name and SSID are [B]leap[/B].
[B]Note: [/B]The SSID must match the SSID that you configured on the ISR for 802.1x/EAP authentication.[*] Under Profile Management, click the [B]Security[/B] tab, set the security option as [B]802.1x[/B] and choose the appropriate EAP type.
This document uses [B]LEAP[/B] as the EAP type for authentication. LEAP does not protect the password exchange against an offline dictionary attack by anyone who captures it, so use it only with strong passwords, and prefer EAP-FAST or PEAP where the clients support them.[*] Click [B]Configure[/B] in order to configure the LEAP username and password settings.
[IMG]http://www.cisco.com/image/gif/paws/98584/isr-sdm-config45.gif[/IMG]
Under the username and password settings, this example chooses to [B]Manually Prompt for User Name and Password[/B] so that the client will be prompted to enter the correct username and password while trying to connect to the network.[*] Click [B]OK[/B].
[IMG]http://www.cisco.com/image/gif/paws/98584/isr-sdm-config46.gif[/IMG][*] In order to verify EAP authentication, activate the [B]leap[/B] SSID configured. You are prompted to enter a LEAP username and password. Enter both the credentials as [B]user1[/B] and click [B]OK[/B].[/LIST]
[/LEFT]