wpa2 (meshpoint-config)

Use this command to configure the parameters of the authentication mode specified with the 'security-mode' keyword. This command also lets you set the unicast and broadcast key rotation intervals.

Supported on the following platforms:


wpa2 [eap|psk|key-rotation]
wpa2 key-rotation [broadcast|unicast] <30-86400>
wpa2 psk [0 <SECRET>|2 <SECRET>|<SECRET>]
wpa2 eap [auth-type|identity|peap-mschapv2|tls]
wpa2 eap [auth-type [peap-mschapv2|tls]|identity <WORD>]
wpa2 eap peap-mschapv2 user <USER-NAME> password [0 <WORD>|2 <WORD>|<WORD>] {trustpoint <TRUSTPOINT-NAME>}
wpa2 eap tls trustpoint <TRUSTPOINT-NAME>


wpa2 key-rotation [broadcast|unicast] <30-86400>
wpa2 key-rotation Enables periodic rotation of encryption keys used for broadcast and unicast traffic
broadcast Configures key rotation interval for broadcast and multicast traffic. This option is disabled by default.

When enabled, the key indices used for encrypting/decrypting broadcast traffic are rotated alternately at the defined interval. Key rotation enhances broadcast traffic security on the WLAN.

unicast Configures key rotation interval for unicast traffic. This option is disabled by default.
<30-86400> Sets the key rotation interval, from 30 to 86400 seconds, for unicast or broadcast transmission
wpa2 psk [0 <SECRET>|2 <SECRET>|<SECRET>]
wpa2 psk Configures the shared key for authentication mode PSK. If the security mode is set to 'psk' using the 'security-mode' keyword, use this command to configure the pre-shared key.
secret [0 <SECRET>|2 <SECRET>|<SECRET>] Configures the PSK used to authenticate this meshpoint with other meshpoints in the network
  • 0 <SECRET> – Configures a clear text secret
  • 2 <SECRET> – Configures an encrypted secret
  • <SECRET> – Specify the secret key. The pre-shared key can be in ASCII (8 to 63 characters in length) or hexadecimal (not exceeding 64 characters in length) format.
wpa2 eap [auth-type [peap-mschapv2|tls]|identity <WORD>]
wpa2 eap Configures the 802.1X/EAP based authentication type for this meshpoint. If the security mode is set to 'eap' using the 'security-mode' keyword, use this command to specify the EAP type. The options are: peap-mschapv2 and tls.
auth-type [peap-mschapv2|tls] Specifies the EAP authentication type. The options are:
  • peap-mschapv2 – Configures EAP authentication type as Protected Extensible Authentication Protocol (PEAP) with default auth type MSCHAPv2. This is the default setting.

    If the auth-type is 'peap-mschapv2', use the 'peap-mschapv2' keyword to configure user credentials and trustpoint details.

  • tls – Configures EAP authentication type as Transport Layer Security (TLS)

    If the auth-type is 'tls', use the 'tls' keyword to configure trustpoint details.

Note: The certificate should be issued from an Enterprise or public certificate authority to allow 802.1X clients to validate the identity of the authentication server prior to forwarding credentials.
identity <WORD> Configures the identity to be used during phase 1 authentication
  • <WORD> – Enter a string up to 256 characters in length (this should not be the user's actual identity but an anonymous/bogus username).
wpa2 eap peap-mschapv2 user <USER-NAME> password [0 <WORD>|2 <WORD>|<WORD>] {trustpoint <TRUSTPOINT-NAME>}
wpa2 eap peap-mschapv2 Configures PEAP-related user credentials and trustpoint details
user <USER-NAME> password [0 <WORD>|2 <WORD>|<WORD>] Specify the user credentials used for authentication
  • user <USER-NAME> – Specify the user name
  • password [0 <WORD>|2 <WORD>|<WORD>] – Specify the password associated with the specified user.
trustpoint <TRUSTPOINT-NAME> Optional. Associates a trustpoint used for installing the CA certificate and verifying the server certificate
  • <TRUSTPOINT-NAME> – Specify the trustpoint name (the trustpoint must already exist and be configured).
wpa2 eap tls trustpoint <TRUSTPOINT-NAME>
wpa2 eap tls Configures TLS client related parameters
trustpoint <TRUSTPOINT-NAME> Configures trustpoint details
  • <TRUSTPOINT-NAME> – Assigns a trustpoint to be used for installing the TLS client certificate, client private key, and CA certificate
  • <TRUSTPOINT-NAME> – Specify the trustpoint name (the trustpoint must already exist and be configured)


nx9500-6C8809(config-meshpoint-test)#wpa2 key-rotation broadcast 600
nx9500-6C8809(config-meshpoint-test)#wpa2 key-rotation unicast 1200
nx9500-6C8809(config-meshpoint-test)#wpa2 psk Test Company
nx9500-6C8809(config-meshpoint-test)#show context
meshpoint test
 description "This is an example of a meshpoint description"
 meshid TestingMeshPoint
 beacon-format mesh-point
 control-vlan 1
 allowed-vlans 1,10-16,18-23	
 neighbor inactivity-timeout 300
 data-rates 2.4GHz bgn
 data-rates 5GHz an
 security-mode psk
 wpa2 psk 0 Test Company
 wpa2 key-rotation unicast 1200
 wpa2 key-rotation broadcast 600
The following example shows root meshpoint configuration with EAP authentication enabled:
nx9500-6C8809(config-meshpoint-root)#show context
meshpoint root
 meshid test
 beacon-format mesh-point
 control-vlan 101
 allowed-vlans 101,103
 use aaa-policy test
 security-mode eap
The following example shows non-root meshpoint configuration with EAP PEAP-MSCHAPv2 authentication:
nx9500-6C8809(config-meshpoint-testNoRoot)#show context
meshpoint testNoRoot
 meshid test
 beacon-format mesh-point
 control-vlan 101
 allowed-vlans 101,103
 security-mode eap
 wpa2 eap peap-mschapv2 user tester123 password 0 testing1234 trustpoint mesh1
 wpa2 eap identity tester123
 no root
The following example shows non-root meshpoint configuration with EAP TLS authentication:
nx9500-6C8809(config-meshpoint-testNoRoot)#show context
meshpoint testNoRoot
 meshid test
 beacon-format mesh-point
 control-vlan 101
 allowed-vlans 101,103
 security-mode eap
 wpa2 eap peap-mschapv2 user tester123 password 0 testing1234 trustpoint mesh1
 wpa2 eap tls trustpoint mesh1
 wpa2 eap identity tester123
 no root
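
The following is an added example, not part of the original reference and not vendor code: a Python audit that reads a meshpoint 'show context' listing and checks its wpa2 lines against the rules documented above (key rotation range, clear text type 0 secrets, PSK length, PEAP trustpoint, anonymous EAP identity). The function name audit_meshpoint, the finding texts and the sample context are assumptions constructed for illustration.

```python
import re

# Constructed sample in the style of the page's 'show context' output.
SAMPLE = """meshpoint testNoRoot
 meshid test
 security-mode eap
 wpa2 eap peap-mschapv2 user tester123 password 0 testing1234
 wpa2 eap identity tester123
 wpa2 key-rotation broadcast 20
 no root
"""

PEAP = re.compile(r"wpa2 eap peap-mschapv2 user (\S+) password (?:([02]) )?\S+( trustpoint \S+)?$")
PSK = re.compile(r"wpa2 psk (?:([02]) )?(.+)$")
ROT = re.compile(r"wpa2 key-rotation (broadcast|unicast) (\d+)$")
IDENT = re.compile(r"wpa2 eap identity (\S+)$")

def audit_meshpoint(context):
    """Return a list of findings for the wpa2 lines of one meshpoint context."""
    findings, peap_user, identity, rotated = [], None, None, set()
    for line in (raw.strip() for raw in context.splitlines()):
        if m := ROT.match(line):
            rotated.add(m[1])
            if not 30 <= int(m[2]) <= 86400:
                findings.append(f"{m[1]} key-rotation {m[2]} is outside 30-86400")
        elif m := PSK.match(line):
            kind, secret = m[1], m[2]
            if kind == "0":
                findings.append("PSK is stored as clear text (type 0)")
            # Length rule from the page: 8-63 ASCII characters, or hex up to 64.
            is_hex64 = len(secret) == 64 and re.fullmatch(r"[0-9A-Fa-f]+", secret)
            if kind != "2" and not (8 <= len(secret) <= 63 or is_hex64):
                findings.append("PSK length is outside the documented range")
        elif m := PEAP.match(line):
            peap_user = m[1]
            if m[2] == "0":
                findings.append("PEAP password is stored as clear text (type 0)")
            if m[3] is None:
                findings.append("PEAP has no trustpoint to verify the server certificate")
        elif m := IDENT.match(line):
            identity = m[1]
    if identity is not None and identity == peap_user:
        findings.append("EAP identity equals the real PEAP user name")
    for kind in sorted({"broadcast", "unicast"} - rotated):
        findings.append(f"{kind} key-rotation is not enabled")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_meshpoint(SAMPLE)))
```

Encrypted (type 2) secrets are skipped by the length check because their stored form does not reflect the length of the original key.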

Related Commands

no (meshpoint-config) Resets PSK configuration and key rotation duration