authentication-type [eap|eap-mac|eap-psk|kerberos|mac|none|sae|sae-psk|owe]
authentication-type [eap|eap-mac|eap-psk|kerberos|mac|none|sae|sae-psk|owe]
| authentication-type | Configures a WLAN's authentication type The authentication types are: EAP, EAP-MAC, EAP-PSK, Kerberos, MAC, SAE , SAE-PSK, and none. |
| eap | Configures EAP authentication (802.1X) EAP is the de-facto standard authentication method used to provide secure authenticated access to controller managed WLANs. EAP provides mutual authentication, secured credential exchange, dynamic keying and strong encryption. 802.1X EAP can be deployed with WEP, WPA or WPA2 encryption schemes to further protect user information forwarded over controller managed WLANs. The EAP process begins when an unauthenticated supplicant (client device) tries to connect with an authenticator (in this case, the authentication server). An access point passes EAP packets from the client to an authentication server on the wired side of the Access Point. All other packet types are blocked until the authentication server (typically, a RADIUS server) verifies the client‘s identity. If using EAP authentication ensure that a AAA policy is mapped to the WLAN. |
| eap-mac | Configures EAP or MAC authentication depending on client. (This setting
is valid only with the None encryption type. EAP-MAC is useful when in a hotspot environment, as some clients support EAP and an administrator may want to authenticate based on just the MAC address of the device. |
| eap-psk | Configures EAP authentication or pre-shared keys depending on client
(This setting is only valid with Temporal Key Integrity
Protocol (TKIP) or Counter Mode with Cipher Block Chaining
Message Authentication Code Protocol (CCMP) encryption
types. When using PSK with EAP, the controller sends a packet requesting a secure link using a pre-shared key. The controller and authenticating device must use the same authenticating algorithm and passcode during authentication. EAP-PSK is useful when transitioning from a PSK network to one that supports EAP. If using eap-psk authentication ensure that a AAA policy is mapped to the WLAN. |
| kerberos | Configures Kerberos authentication (encryption will change to WEP128 if
it‘s not already WEP128 or Keyguard) Kerberos (designed and developed by MIT) provides strong authentication for client/server applications using secret-key cryptography. Using Kerberos, a client must prove its identity to a server (and vice versa) across an insecure network connection. Once a client and server use Kerberos to validate their identity, they encrypt all communications to assure privacy and data integrity. Kerberos can only be used on the access point with 802.11b clients. Kerberos uses Network Time Protocol (NTP) for synchronizing the clocks of its Key Distribution Center (KDC) server(s). |
| mac | Configures MAC authentication (RADIUS lookup of MAC address) MAC is a device level authentication method used to augment other security schemes when legacy devices are deployed using static WEP. MAC authentication can be used for device level authentication by permitting WLAN access based on device MAC address. MAC authentication is typically used to augment WLAN security options that do not use authentication (such as static WEP, WPA-PSK and WPA2-PSK) MAC authentication can also be used to assign VLAN memberships, firewall policies and time and date restrictions. MAC authentication can only identify devices, not users. If using mac authentication ensure that an AAA policy is mapped to the WLAN. |
| none | No authentication is used or the client uses pre-shared keys |
| sae | Enables WPA3-Personal (SAE Authentication) on this WLAN. Note: SAE authentication is only
supported with mandatory protected management frames. For more information,
see protected-mgmt-frames.
WPA3 is the latest security protocol developed by the WiFi Alliance as part of its series of Wi-Fi Protected Access (WPA) protocols. It is has stronger configuration, authentication, and encryption features. WPA3 is more secure and protects against offline brute force attacks that WPA2 could not provide. WPA3 offers two levels of protection: WPA3-Personal (with 128-bit encryption) and WPA3-Enterprise (with 192-bit encryption). WPA3-Personal uses
Simultaneous Authentication of Equals (SAE)
authentication method. SAE was first defined in the IEEE 802.11s standard
for authentication between 802.11s enabled mesh peers. SAE is a
zero-knowledge proof key exchange protocol that uses finite group
cryptography. The client and access point go through an SAE handshake to
negotiate a fresh Pairwise Master Key (PMK). This PMK is
used in a traditional four-way handshake to generate a session key.
Note: The 32-byte PMK
negotiated through the SAE handshake cannot be guessed using offline
dictionary attacks, even though it is later used in a four-way
handshake.
Enable this option to allow only WPA3-capable clients authenticate with the access point and access the wireless network. |
| sae-psk | Enables WPA3-Compatibility mode. Use this option to enable
WPA2 in addition with WPA3-Personal. When enabled, both WPA3-capable and
WPA2-capable clients can authenticate with the access point and access the
wireless network. Note: SAE-PSK authentication is supported with optional
management frames. For more information, see protected-mgmt-frames.
|
| owe | Opportunistic Wireless Encryption (OWE) offers security to open networks, ensuring that traffic between an AP and a client is encrypted. Other clients can sniff and record traffic, but cannot decrypt it. |
nx9500-6C8809(con fig-wlan-test)#authentication-type eap
nx9500-6C8809(con fig-wlan-test)#show context wlan test said test bridging-mode tunnel encryption-type none authentication-type eap accounting slog host 172.16.10.4 port 2 cal exceed-rate wireless-client-denied-traffic 20 disassociate nx9500-6C8809(con fig-wlan-test)#
ap505-13403B(config-wlan-test)#authentication-type sae-psk
ap505-13403B(config-wlan-test)#show context wlan test ssid test vlan 1 bridging-mode local encryption-type gcmp256 authentication-type eap dynamic-vlan-assignment allowed-vlans 2-4 protected-mgmt-frames mandatory protected-mgmt-frames sa-query attempts 1 use aaa-policy test http-analyze syslog host 10.234.160.4 port 21 proxy-mode through-controller controller-assisted-mobility opendns device-id 0014AADF8EDC6C59 dpi metadata http ap505-13403B(config-wlan-test)#
nx9500-6C8809(config-wlan-SAEAuth)#authentication-type sae
nx9500-6C8809(config-wlan-SAEAuth)#show context wlan SAEAuth ssid sae vlan 203 bridging-mode local encryption-type ccmp authentication-type sae protected-mgmt-frames mandatory wpa-wpa2 psk 0 12345678 nx9500-6C8809(config-wlan-SAEAuth)#
| no (wlan-config-mode) | Resets the authentication mode used with this WLAN to default (none/pre-shared keys) |