wpa-wpa2

Modifies TKIP-CCMP (WPA/WPA2) related parameters

Supported on the following devices:

Syntax

wpa-wpa2 [exclude-wpa2-tkip|handshake|key-rotation|opp-pmk-caching|pmk-caching|
preauthentication|server-only-authentication|psk|sae|tkip-countermeasures|use-sha256-akm]
wpa-wpa2 [exclude-wpa2-tkip|opp-pmk-caching|pmk-caching|preauthentication|
server-only-authentication|use-sha256-akm]
wpa-wpa2 handshake [attempts|init-wait|priority|timeout]
wpa-wpa2 handshake [attempts <1-5>|init-wait <5-1000000>|priority [high|normal]|
timeout <10-5000> {10-5000}]
wpa-wpa2 key-rotation [broadcast|unicast] <30-86400>
wpa-wpa2 psk [0 <LINE>|2 <LINE>|<LINE>]
wpa-wpa2 tkip-countermeasures holdtime <0-65535>
wpa-wpa2 sae hash-to-element

Parameters

wpa-wpa2 [exclude-wpa2-tkip|opp-pmk-caching|pmk-caching|preauthentication|
server-only-authentication|use-sha256-akm]
wpa-wpa2 Modifies TKIP-CCMP (WPA/WPA2) related parameters
exclude-wpa2-tkip Excludes the Wi-Fi Protected Access II (WPA2) version of TKIP. It supports the WPA version of TKIP only. This option is disabled by default.
opp-pmk-caching Uses opportunistic key caching (same Pairwise Master Key (PMK) across APs for fast roaming with EAP.802.1x. This option is enabled by default.
pmk-caching Uses cached pair-wise master keys (fast roaming with eap/802.1x). This option is enabled by default.
preauthentication Uses pre-authentication mode (WPA2 fast roaming)
use-sha256-akm Uses sha256 authentication key management suite
wpa-wpa2 handshake [attempts <1-5>|init-wait <5-1000000>|priority [high|normal]|
timeout <10-5000> {10-5000}]
wpa-wpa2 Modifies TKIP-CCMP (WPA/WPA2) related parameters
handshake Configures WPA/WPA2 handshake parameters
attempts <1-5> Configures the total number of times a message is transmitted towards a non-responsive client
  • <1-5> – Specify a value from 1 - 5. The default is 2.
init-wait <5-1000000> Configures a minimum wait-time period, in microseconds, before the first handshake message is transmitted from the AP. This option is disabled by default.
  • <5-1000000> – Specify a value from 5 - 1000000 microseconds.
priority [high|normal] Configures the relative priority of handshake messages compared to other data traffic
  • high – Treats handshake messages as high priority packets on a radio. This is the default setting.
  • normal – Treats handshake messages as normal priority packets on a radio
timeout <10-5000> <10-5000> Configures the timeout period, in milliseconds, for a handshake message to retire. Once this period is exceeded, the handshake message is retired.
  • <10-5000> – Specify a value from 10 - 5000 millisceonds. The default is 500 milliseconds.
  • <10-5000> – Optional. Configures a different timeout between the second and third attempts'
wpa-wpa2 key-rotation [broadcast|unicast] <30-86400>
wpa-wpa2 Modifies TKIP-CCMP (WPA/WPA2) related parameters
key-rotation Configures parameters related to periodic rotation of encryption keys. The periodic key rotation parameters are broadcast, multicast, and unicast traffic.
broadcast <30-86400> Configures the periodic rotation of keys used for broadcast and multicast traffic. This parameter specifies the interval, in seconds, at which keys are rotated. This option is disabled by default.
  • <30-86400> – Specify a value from 30 - 86400 seconds.
unicast <30-86400> Configures a periodic interval for the rotation of keys, used for unicast traffic. This option is disabled by default.
  • <30-86400> – Specify a value from 30 - 86400 seconds.
wpa-wpa2 psk [0 <LINE>|2 <LINE>|<LINE>]
wpa-wpa2 Modifies TKIP-CCMP (WPA/WPA2) related parameters
psk Configures a pre-shared key.
0 <LINE> Configures a clear text key
2 <LINE> Configures an encrypted key
<LINE> Enter the pre-shared key either as a passphrase not exceeding 8 - 63 characters, or as a 64 character (256bit) hexadecimal value.
wpa-wpa2 tkip-countermeasures holdtime <0-65535>
wpa-wpa2 Modifies TKIP-CCMP (WPA/WPA2) parameters
tkip-countermeasures Configures a hold time period for implementation of TKIP counter measures
holdtime <0-65535> Configures the amount of time a WLAN is disabled when TKIP counter measures are invoked
  • <0-65535> – Specify a value from 0 - 65536 seconds. <0-65535> – Specify a value from 0 - 65535 seconds. The default is 60 seconds.
hash-to-element Enable the use of SAE Hash-to-Element for password element generation.

Examples

nx9500-6C8809(config-wlan-test)#wpa-wpa2 tkip-countermeasures hold-time 2
nx9500-6C8809(config-wlan-test)#show context
wlan test
 ssid testWLAN1
 vlan-pool-member 1 limit 1
 vlan-pool-member 2 limit 1
 vlan-pool-member 3 limit 1
 vlan-pool-member 4 limit 1
 vlan-pool-member 5 limit 1
 vlan-pool-member 6 limit 1
 vlan-pool-member 7 limit 1
 vlan-pool-member 8 limit 1
 vlan-pool-member 9 limit 1
 vlan-pool-member 10 limit 1
 bridging-mode local
 encryption-type none
 authentication-type none
 wireless-client hold-time 200
 wireless-client cred-cache-ageout 65
 wireless-client max-firewall-sessions 100
 protected-mgmt-frames mandatory
 wireless-client reauthentication 35
 wpa-wpa2 tkip-countermeasures hold-time 2
 wep64 key 1 hex 0 7465737431
 wep128 key 1 hex 0 25f6e7ed9718918a87a75acc75
--More--
nx9500-6C8809(config-wlan-test)#

Related Commands

no (wlan-config-mode) Removes or reverts to default TKIP-CCMP (WPA/WPA2) related parameters