authentication-type

Sets the WLAN's mode of authentication

Supported in the following platforms:

Syntax

authentication-type [eap|eap-mac|eap-psk|kerberos|mac|none|sae|sae-psk]

Parameters

authentication-type [eap|eap-mac|eap-psk|kerberos|mac|none|sae|sae-psk]
authentication-type Configures a WLAN's authentication type

The authentication types are: EAP, EAP-MAC, EAP-PSK, Kerberos, MAC, SAE , SAE-PSK, and none.

eap Configures EAP authentication (802.1X)

EAP is the de-facto standard authentication method used to provide secure authenticated access to controller managed WLANs. EAP provides mutual authentication, secured credential exchange, dynamic keying and strong encryption. 802.1X EAP can be deployed with WEP, WPA or WPA2 encryption schemes to further protect user information forwarded over controller managed WLANs.

The EAP process begins when an unauthenticated supplicant (client device) tries to connect with an authenticator (in this case, the authentication server). An access point passes EAP packets from the client to an authentication server on the wired side of the Access Point. All other packet types are blocked until the authentication server (typically, a RADIUS server) verifies the client‘s identity.

If using EAP authentication ensure that a AAA policy is mapped to the WLAN.

eap-mac Configures EAP or MAC authentication depending on client. (This setting is valid only with the None encryption type.

EAP-MAC is useful when in a hotspot environment, as some clients support EAP and an administrator may want to authenticate based on just the MAC address of the device.

eap-psk Configures EAP authentication or pre-shared keys depending on client (This setting is only valid with Temporal Key Integrity Protocol (TKIP) or Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) encryption types.

When using PSK with EAP, the controller sends a packet requesting a secure link using a pre-shared key. The controller and authenticating device must use the same authenticating algorithm and passcode during authentication. EAP-PSK is useful when transitioning from a PSK network to one that supports EAP.

If using eap-psk authentication ensure that a AAA policy is mapped to the WLAN.

kerberos Configures Kerberos authentication (encryption will change to WEP128 if it‘s not already WEP128 or Keyguard)

Kerberos (designed and developed by MIT) provides strong authentication for client/server applications using secret-key cryptography. Using Kerberos, a client must prove its identity to a server (and vice versa) across an insecure network connection.

Once a client and server use Kerberos to validate their identity, they encrypt all communications to assure privacy and data integrity. Kerberos can only be used on the access point with 802.11b clients. Kerberos uses Network Time Protocol (NTP) for synchronizing the clocks of its Key Distribution Center (KDC) server(s).

mac Configures MAC authentication (RADIUS lookup of MAC address)

MAC is a device level authentication method used to augment other security schemes when legacy devices are deployed using static WEP.

MAC authentication can be used for device level authentication by permitting WLAN access based on device MAC address. MAC authentication is typically used to augment WLAN security options that do not use authentication (such as static WEP, WPA-PSK and WPA2-PSK) MAC authentication can also be used to assign VLAN memberships, firewall policies and time and date restrictions.

MAC authentication can only identify devices, not users.

If using mac authentication ensure that an AAA policy is mapped to the WLAN.

none No authentication is used or the client uses pre-shared keys
sae Enables WPA3-Personal (SAE Authentication) on this WLAN.
Note: SAE authentication is only supported with mandatory protected management frames. For more information, see protected-mgmt-frames.

WPA3 is the latest security protocol developed by the WiFi Alliance as part of its series of Wi-Fi Protected Access (WPA) protocols. It is has stronger configuration, authentication, and encryption features. WPA3 is more secure and protects against offline brute force attacks that WPA2 could not provide. WPA3 offers two levels of protection: WPA3-Personal (with 128-bit encryption) and WPA3-Enterprise (with 192-bit encryption).

WPA3-Personal uses Simultaneous Authentication of Equals (SAE) authentication method. SAE was first defined in the IEEE 802.11s standard for authentication between 802.11s enabled mesh peers. SAE is a zero-knowledge proof key exchange protocol that uses finite group cryptography. The client and access point go through an SAE handshake to negotiate a fresh Pairwise Master Key (PMK). This PMK is used in a traditional four-way handshake to generate a session key.
Note: The 32-byte PMK negotiated through the SAE handshake cannot be guessed using offline dictionary attacks, even though it is later used in a four-way handshake.

Enable this option to allow only WPA3-capable clients authenticate with the access point and access the wireless network.

sae-psk Enables WPA3-Compatibility mode. Use this option to enable WPA2 in addition with WPA3-Personal. When enabled, both WPA3-capable and WPA2-capable clients can authenticate with the access point and access the wireless network.
Note: SAE-PSK authentication is supported with optional management frames. For more information, see protected-mgmt-frames.

Examples

nx9500-6C8809(con fig-wlan-test)#authentication-type eap
nx9500-6C8809(con fig-wlan-test)#show context
wlan test
 said test
 bridging-mode tunnel
 encryption-type none
authentication-type eap
 accounting slog host 172.16.10.4 port 2
 cal exceed-rate wireless-client-denied-traffic 20 disassociate
nx9500-6C8809(con fig-wlan-test)#
ap505-13403B(config-wlan-test)#authentication-type sae-psk
ap505-13403B(config-wlan-test)#show context
wlan test
 ssid test
 vlan 1
 bridging-mode local
 encryption-type gcmp256
 authentication-type eap
 dynamic-vlan-assignment allowed-vlans 2-4
 protected-mgmt-frames mandatory
 protected-mgmt-frames sa-query attempts 1
 use aaa-policy test
 http-analyze syslog host 10.234.160.4 port 21 proxy-mode through-controller
 controller-assisted-mobility
 opendns device-id 0014AADF8EDC6C59
 dpi metadata http
ap505-13403B(config-wlan-test)#
nx9500-6C8809(config-wlan-SAEAuth)#authentication-type sae
nx9500-6C8809(config-wlan-SAEAuth)#show context
wlan SAEAuth
 ssid sae
 vlan 203
 bridging-mode local
 encryption-type ccmp
 authentication-type sae
 protected-mgmt-frames mandatory
 wpa-wpa2 psk 0 12345678
nx9500-6C8809(config-wlan-SAEAuth)#

Related Commands

no (wlan-config-mode) Resets the authentication mode used with this WLAN to default (none/pre-shared keys)