authentication-type [eap|eap-mac|eap-psk|kerberos|mac|none|sae|sae-psk]
| authentication-type | Configures a WLAN's authentication type. The authentication types are: EAP, EAP-MAC, EAP-PSK, Kerberos, MAC, and none. | 
| eap | Configures EAP authentication (802.1X). EAP is the de facto standard authentication method used to provide secure authenticated access to controller managed WLANs. EAP provides mutual authentication, secured credential exchange, dynamic keying and strong encryption. 802.1X EAP can be deployed with WEP, WPA or WPA2 encryption schemes to further protect user information forwarded over controller managed WLANs. The EAP process begins when an unauthenticated supplicant (client device) tries to connect with an authenticator (in this case, the authentication server). An Access Point passes EAP packets from the client to an authentication server on the wired side of the Access Point. All other packet types are blocked until the authentication server (typically, a RADIUS server) verifies the client's identity. If using EAP authentication, ensure that an AAA policy is mapped to the WLAN. | 
| eap-mac | Configures EAP or MAC authentication depending on the client. (This setting is valid only with the None encryption type.) EAP-MAC is useful in a hotspot environment, as some clients support EAP and an administrator may want to authenticate based on just the MAC address of the device. | 
| eap-psk | Configures EAP authentication or pre-shared keys depending on the client. (This setting is only valid with TKIP (Temporal Key Integrity Protocol) or CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) encryption types.) When using PSK with EAP, the controller sends a packet requesting a secure link using a pre-shared key. The controller and authenticating device must use the same authenticating algorithm and passcode during authentication. EAP-PSK is useful when transitioning from a PSK network to one that supports EAP. If using eap-psk authentication, ensure that an AAA policy is mapped to the WLAN. | 
| kerberos | Configures Kerberos authentication (encryption will change to WEP128 if it is not already WEP128 or Keyguard). Kerberos (designed and developed by MIT) provides strong authentication for client/server applications using secret-key cryptography. Using Kerberos, a client must prove its identity to a server (and vice versa) across an insecure network connection. Once a client and server use Kerberos to validate their identity, they encrypt all communications to assure privacy and data integrity. Kerberos can only be used on the access point with 802.11b clients. Kerberos uses Network Time Protocol (NTP) for synchronizing the clocks of its Key Distribution Center (KDC) server(s). | 
| mac | Configures MAC authentication (RADIUS lookup of MAC address). MAC is a device level authentication method used to augment other security schemes when legacy devices are deployed using static WEP. MAC authentication can be used for device level authentication by permitting WLAN access based on device MAC address. MAC authentication is typically used to augment WLAN security options that do not use authentication (such as static WEP, WPA-PSK and WPA2-PSK). MAC authentication can also be used to assign VLAN memberships, firewall policies and time and date restrictions. MAC authentication can only identify devices, not users. If using mac authentication, ensure that an AAA policy is mapped to the WLAN. | 
| none | No authentication is used, or the client uses pre-shared keys. | 
| sae | Enables WPAv3-Personal (SAE Authentication) on this WLAN. Note: SAE-PSK authentication is only supported with mandatory protected management frames. For more information, see protected-mgmt-frames. WPAv3 is the latest security protocol developed by the WiFi Alliance as part of its series of WPA (Wi-Fi Protected Access) protocols. It has stronger configuration, authentication, and encryption features. WPAv3 is more secure and provides protection against offline brute force attacks that WPAv2 could not provide. WPAv3 offers two levels of protection: WPA3-Personal (with 12-bit encryption) and WPA3-Enterprise (with 192-bit encryption). WPAv3-Personal uses the SAE (Simultaneous Authentication of Equals) authentication method. SAE was first defined in the IEEE 802.11s standard for authentication between 802.11s enabled mesh peers. SAE is a zero-knowledge proof key exchange protocol that uses finite group cryptography. The client and access point go through an SAE handshake to negotiate a fresh PMK (Pairwise Master Key). This PMK is used in a traditional four-way handshake to generate a session key. Note: The 32-byte PMK negotiated through the SAE handshake cannot be guessed using offline dictionary attacks, even though it is later used in a four-way handshake. Enable this option to allow only WPAv3-capable clients to authenticate with the access point and access the wireless network. | 
| sae-psk | Enables WPAv3-Compatibility mode. Use this option to enable WPAv2 in addition to WPAv3-Personal. When enabled, both WPAv3-capable and WPAv2-capable clients can authenticate with the access point and access the wireless network. Note: SAE-PSK authentication is only supported with optional or mandatory protected management frames. For more information, see protected-mgmt-frames. | 
nx9500-6C8809(config-wlan-test)#authentication-type eap
nx9500-6C8809(config-wlan-test)#show context
wlan test
 ssid test
 bridging-mode tunnel
 encryption-type none
 authentication-type eap
 accounting syslog host 172.16.10.4 port 2
 acl exceed-rate wireless-client-denied-traffic 20 disassociate
nx9500-6C8809(config-wlan-test)#

ap505-13403B(config-wlan-test)#authentication-type sae-psk
ap505-13403B(config-wlan-test)#show context
wlan test
 ssid test
 vlan 1
 bridging-mode local
 encryption-type gcmp256
 authentication-type eap
 dynamic-vlan-assignment allowed-vlans 2-4
 protected-mgmt-frames mandatory
 protected-mgmt-frames sa-query attempts 1
 use aaa-policy test
 http-analyze syslog host 10.234.160.4 port 21 proxy-mode through-controller
 controller-assisted-mobility
 opendns device-id 0014AADF8EDC6C59
 dpi metadata http
ap505-13403B(config-wlan-test)#
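The table above ties each authentication type to other WLAN settings (AAA policy, encryption type, protected management frames). The following Python check is an added example, not vendor code: it reads `show context` text and reports which of those stated constraints a WLAN violates. The lowercase encryption keywords (`tkip`, `ccmp`, `wep128`, `keyguard`), the treatment of a missing `protected-mgmt-frames` line as "not enabled", and the sample contexts are assumptions made for the example.

```python
# Added example (not vendor code): check `show context` text for a WLAN against
# the constraints stated in the authentication-type table.
# Assumption: encryption keywords are spelled tkip, ccmp, wep128, keyguard.

def parse_wlan(context):
    """Extract the settings the rules depend on."""
    cfg = {"auth": "none", "enc": "none", "pmf": None, "aaa": False}
    for line in context.splitlines():
        words = line.split()
        if len(words) < 2:
            continue
        if words[0] == "authentication-type":
            cfg["auth"] = words[1]
        elif words[0] == "encryption-type":
            cfg["enc"] = words[1]
        elif words[0] == "protected-mgmt-frames" and words[1] in ("optional", "mandatory"):
            cfg["pmf"] = words[1]  # ignores sub-settings such as `sa-query attempts 1`
        elif words[:2] == ["use", "aaa-policy"]:
            cfg["aaa"] = True
    return cfg

def audit_wlan(context):
    """Return a list of findings; an empty list means no rule was violated."""
    cfg = parse_wlan(context)
    auth, enc = cfg["auth"], set(cfg["enc"].split("-"))  # compound keywords split on "-"
    findings = []
    if auth in ("eap", "eap-psk", "mac") and not cfg["aaa"]:
        findings.append(f"{auth}: no AAA policy mapped to the WLAN")
    if auth == "eap-mac" and cfg["enc"] != "none":
        findings.append("eap-mac: valid only with encryption-type none")
    if auth == "eap-psk" and not enc <= {"tkip", "ccmp"}:
        findings.append("eap-psk: valid only with TKIP or CCMP encryption")
    if auth == "kerberos" and not enc <= {"wep128", "keyguard"}:
        findings.append("kerberos: encryption will be changed to WEP128")
    if auth == "sae" and cfg["pmf"] != "mandatory":
        findings.append("sae: protected-mgmt-frames must be mandatory")
    if auth == "sae-psk" and cfg["pmf"] is None:
        findings.append("sae-psk: protected-mgmt-frames must be optional or mandatory")
    return findings

# Constructed sample contexts (not captured from a device).
EAP_NO_AAA = "wlan test\n ssid test\n encryption-type none\n authentication-type eap\n"
SAE_NO_PMF = ("wlan test\n ssid test\n encryption-type gcmp256\n authentication-type sae\n"
              " protected-mgmt-frames sa-query attempts 1\n")
SAE_PSK_OK = ("wlan test\n ssid test\n encryption-type ccmp\n authentication-type sae-psk\n"
              " protected-mgmt-frames optional\n")

if __name__ == "__main__":
    for name, ctx in [("EAP_NO_AAA", EAP_NO_AAA), ("SAE_NO_PMF", SAE_NO_PMF), ("SAE_PSK_OK", SAE_PSK_OK)]:
        print(name, audit_wlan(ctx) or "ok")
```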