wpa2 (meshpoint-config)
Use this command to configure the parameters of the authentication mode specified using the ‘security-mode’ keyword. This command also allows you to set unicast and broadcast key rotation intervals.
Supported on the following devices:
- Access Points: AP5010, AP310i/e, AP410i/e, AP505i, AP510i, AP510e, AP560i, AP6522, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP763, AP7662, AP8163, AP8543, AP8533.
- Service Platforms: NX5500, NX7500, NX9500, NX9600
- Virtual Platforms: CX9000, VX9000
Syntax
wpa2 [eap|psk|key-rotation]
wpa2 key-rotation [broadcast|unicast] <30-86400>
wpa2 psk [0 <SECRET>|2 <SECRET>|<SECRET>]
wpa2 eap [auth-type|identity|peap-mschapv2|tls]
wpa2 eap [auth-type [peap-mschapv2|tls]|identity <WORD>]
wpa2 eap peap-mschapv2 user <USER-NAME> password [0 <WORD>|2 <WORD>|<WORD>] {trustpoint <TRUSTPOINT-NAME>}
wpa2 eap tls trustpoint <TRUSTPOINT-NAME>
Parameters
wpa2 key-rotation [broadcast|unicast] <30-86400>
wpa2 key-rotation | Enables periodic rotation of the encryption keys used for broadcast and unicast traffic.
broadcast | Configures the key rotation interval for broadcast and multicast traffic. This option is disabled by default. When enabled, the key indices used for encrypting and decrypting broadcast traffic are rotated alternately at the defined interval. Key rotation improves the security of broadcast traffic on the WLAN.
unicast | Configures the key rotation interval for unicast traffic. This option is disabled by default.
<30-86400> | Configures the key rotation interval, from 30 to 86400 seconds, for unicast or broadcast transmission.
wpa2 psk [0 <SECRET>|2 <SECRET>|<SECRET>]
wpa2 psk | Configures the shared key for the PSK authentication mode. If the security mode is set to ‘psk’ using the ‘security-mode’ keyword, use this command to configure the pre-shared key.
secret [0 <SECRET>|2 <SECRET>|<SECRET>] | Configures the PSK used to authenticate this meshpoint with other meshpoints in the network.
wpa2 eap [auth-type [peap-mschapv2|tls]|identity <WORD>]
wpa2 eap | Configures the 802.1X/EAP based authentication type for this meshpoint. If the security mode is set to ‘eap’ using the ‘security-mode’ keyword, use this command to specify the EAP type. The options are: peap-mschapv2 and tls.
auth-type [peap-mschapv2|tls] | Specifies the EAP authentication type. The options are:
- peap-mschapv2 – Configures the EAP authentication type as PEAP (Protected Extensible Authentication Protocol) with the default inner authentication type MSCHAPv2. This is the default setting. If using the ‘peap-mschapv2’ auth-type, use the ‘peap-mschapv2’ keyword to configure user credentials and trustpoint details.
- tls – Configures the EAP authentication type as TLS (Transport Layer Security). If using the ‘tls’ auth-type, use the ‘tls’ keyword to configure trustpoint details.
Note: The certificate should be issued by an enterprise or public certificate authority so that 802.1X clients can validate the identity of the authentication server before forwarding credentials.
identity <WORD> | Configures the identity used during phase 1 authentication.
- <WORD> – Enter a string up to 256 characters in length. This should not be the actual identity of the user but an anonymous username, since the phase 1 identity is sent before the protected tunnel is established.
wpa2 eap peap-mschapv2 user <USER-NAME> password [0 <WORD>|2 <WORD>|<WORD>] {trustpoint <TRUSTPOINT-NAME>}
wpa2 eap peap-mschapv2 | Configures PEAP-related user credentials and trustpoint details.
user <USER-NAME> password [0 <WORD>|2 <WORD>|<WORD>] | Specifies the user credentials used for authentication.
- user <USER-NAME> – Specify the user name.
- password [0 <WORD>|2 <WORD>|<WORD>] – Specify the password associated with the specified user.
trustpoint <TRUSTPOINT-NAME> | Optional. Associates a trustpoint used for installing the CA certificate and verifying the server certificate.
- <TRUSTPOINT-NAME> – Specify the trustpoint name (it must already exist and be configured).
wpa2 eap tls trustpoint <TRUSTPOINT-NAME>
wpa2 eap tls | Configures TLS client related parameters.
trustpoint <TRUSTPOINT-NAME> | Configures trustpoint details.
- <TRUSTPOINT-NAME> – Assigns the trustpoint used for installing the TLS client certificate, client private key, and CA certificate. Specify the trustpoint name (it must already exist and be configured).
Examples
nx9500-6C8809(config-meshpoint-test)#wpa2 key-rotation broadcast 600
nx9500-6C8809(config-meshpoint-test)#wpa2 key-rotation unicast 1200
nx9500-6C8809(config-meshpoint-test)#wpa2 psk Test Company
nx9500-6C8809(config-meshpoint-test)#show context
meshpoint test
description "This is an example of a meshpoint description"
meshid TestingMeshPoint
shutdown
beacon-format mesh-point
control-vlan 1
allowed-vlans 1,10-16,18-23
neighbor inactivity-timeout 300
data-rates 2.4GHz bgn
data-rates 5GHz an
security-mode psk
wpa2 psk 0 Test Company
wpa2 key-rotation unicast 1200
wpa2 key-rotation broadcast 600
root
nx9500-6C8809(config-meshpoint-test)#
The following example shows a root meshpoint configuration with EAP authentication enabled:
nx9500-6C8809(config-meshpoint-root)#show context
meshpoint root
meshid test
beacon-format mesh-point
control-vlan 101
allowed-vlans 101,103
use aaa-policy test
security-mode eap
root
nx9500-6C8809(config-meshpoint-test)#
The following example shows a non-root meshpoint configuration with EAP PEAP-MSCHAPv2 authentication:
nx9500-6C8809(config-meshpoint-testNoRoot)#show context
meshpoint testNoRoot
meshid test
beacon-format mesh-point
control-vlan 101
allowed-vlans 101,103
security-mode eap
wpa2 eap peap-mschapv2 user tester123 password 0 testing1234 trustpoint mesh1
wpa2 eap identity tester123
no root
nx9500-6C8809(config-meshpoint-testNoRoot)#
The following example shows a non-root meshpoint configuration with EAP TLS authentication:
nx9500-6C8809(config-meshpoint-testNoRoot)#show context
meshpoint testNoRoot
meshid test
beacon-format mesh-point
control-vlan 101
allowed-vlans 101,103
security-mode eap
wpa2 eap peap-mschapv2 user tester123 password 0 testing1234 trustpoint mesh1
wpa2 eap tls trustpoint mesh1
wpa2 eap identity tester123
no root
nx9500-6C8809(config-meshpoint-testNoRoot)#
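As an added example (not from the WiNG reference or the product's own tooling), the following Python script audits a saved `show context` meshpoint block against the constraints this page states: the 30-86400 key-rotation range, key rotation being disabled by default, a psk security mode needing a wpa2 psk, and the EAP identity being an anonymous value rather than the real user name. The sample blocks are constructed, modelled on the examples above.

```python
import re

# Constructed sample in the shape of the page's `show context` output
# (not captured from a real device); the identity deliberately reuses the
# PEAP user name, which the reference says should be an anonymous value.
SAMPLE_EAP = """meshpoint testNoRoot
 meshid test
 security-mode eap
 wpa2 eap peap-mschapv2 user tester123 password 0 testing1234 trustpoint mesh1
 wpa2 eap identity tester123
 no root
"""

# Constructed PSK sample with both rotation intervals inside the CLI range.
SAMPLE_PSK = """meshpoint test
 security-mode psk
 wpa2 psk 0 Test Company
 wpa2 key-rotation unicast 1200
 wpa2 key-rotation broadcast 600
 root
"""

def audit_meshpoint(config: str) -> list:
    """Return audit findings (strings) for one meshpoint config block."""
    mode = user = identity = None
    psk_set = False
    rotation = {}  # "broadcast"/"unicast" -> interval in seconds
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"security-mode (\S+)$", line):
            mode = m.group(1)
        elif re.match(r"wpa2 psk ", line):
            psk_set = True
        elif m := re.match(r"wpa2 key-rotation (broadcast|unicast) (\d+)$", line):
            rotation[m.group(1)] = int(m.group(2))
        elif m := re.match(r"wpa2 eap peap-mschapv2 user (\S+) password", line):
            user = m.group(1)
        elif m := re.match(r"wpa2 eap identity (\S+)$", line):
            identity = m.group(1)
    # The interval range is the CLI's own <30-86400>; checking it is useful
    # for a config file prepared offline before it is pasted into the device.
    for kind, secs in rotation.items():
        if not 30 <= secs <= 86400:
            findings.append(f"key-rotation {kind}: {secs}s outside 30-86400")
    for kind in ("broadcast", "unicast"):
        if kind not in rotation:
            findings.append(f"key-rotation {kind} not enabled (disabled by default)")
    if mode == "psk" and not psk_set:
        findings.append("security-mode psk but no wpa2 psk configured")
    if mode == "eap" and user and identity == user:
        findings.append("eap identity equals PEAP user name; use an anonymous outer identity")
    return findings
```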