The WLAN ports support the following security options:

- open
- WPA2-PSK
- WPA2-Enterprise
When no WLAN security is required, a WLAN port is configured with no wlan-security, and WLAN port security is open.
When WLAN security is required, a WLAN port can be configured with WPA2-PSK or WPA2-Enterprise security. When configuring either of these security types, the encryption must be set to either TKIP or AES using the wpa-encryption command. AES is the default.
When a WLAN port is configured for WPA2-PSK security, operators must use the wpa-passphrase command to configure a pre-shared secret passphrase that is used by clients to connect to the AP.
When the WLAN AP port is configured for WPA2-Enterprise security, operators must configure a RADIUS policy under the config>system>security>dot1x context in the CLI. For information about configuring a RADIUS policy in this context, see the 7450 ESS, 7750 SR, 7950 XRS, and VSR System Management Guide. The ID of that dot1x RADIUS policy is then referenced on the WLAN AP port using the config>port>wlan>access-point>dot1x>radius-plcy command.
The retry and timeout commands in the config>system>security>dot1x>radius-plcy context are ignored by the WLAN AP port. Instead, the retry count is fixed at 3 and the timeout value at 5 s, so the node tries each server four times (the initial attempt plus three retries) before moving on to the next server if multiple servers are configured.
When the WLAN station port is configured with WPA2-Enterprise security, operators must configure the authentication type as one of EAP-TTLS, EAP-FAST, or EAP-PEAP using the config>port>wlan>network>wlan-security>station>authentication command. If the port is configured with WPA2-PSK security, the authentication type defaults to none and cannot be changed.
When the WLAN AP port is configured for WPA2-Enterprise security, connected clients are required to periodically reauthenticate themselves to the WLAN network. The interval is configured using the re-auth-period command.
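The rules in the preceding paragraphs (which parameters each security type requires on the AP and station ports, the fixed RADIUS retry and timeout values, and the shutdown requirement for changes) can be expressed as a configuration audit. The following is an added example, not SR OS CLI and not Nokia's own code; the `WlanPortConfig` field names and the "role" split between access-point and station are assumptions made for the example, chosen to mirror the commands named above.

```python
"""Consistency check for WLAN port security settings (added example).

Not Nokia code and not CLI syntax: a small model of the rules the
documentation states, usable to audit exported port settings offline.
"""
from dataclasses import dataclass, replace
from typing import List, Optional

OPEN, WPA2_PSK, WPA2_ENT = "open", "WPA2-PSK", "WPA2-Enterprise"
VALID_ENCRYPTION = {"TKIP", "AES"}                      # wpa-encryption values
VALID_ENTERPRISE_AUTH = {"EAP-TTLS", "EAP-FAST", "EAP-PEAP"}  # station authentication

# Values the WLAN AP port uses regardless of the radius-plcy retry/timeout settings
RADIUS_RETRY = 3
RADIUS_TIMEOUT_S = 5


@dataclass
class WlanPortConfig:
    """Assumed representation of one WLAN port; field names are not CLI keywords."""
    role: str = "access-point"        # "access-point" or "station"
    security: str = OPEN              # open | WPA2-PSK | WPA2-Enterprise
    encryption: str = "AES"           # wpa-encryption; AES is the default
    passphrase: Optional[str] = None  # wpa-passphrase (WPA2-PSK only)
    radius_plcy: Optional[str] = None # dot1x radius-plcy ID (AP, WPA2-Enterprise only)
    station_auth: str = "none"        # station authentication type
    re_auth_period: Optional[int] = None  # re-auth-period (AP, WPA2-Enterprise)
    shutdown: bool = True             # security parameters may only change while shut down


def check_wlan_port(cfg: WlanPortConfig) -> List[str]:
    """Return the list of rule violations; an empty list means the settings are consistent."""
    problems: List[str] = []
    if cfg.role not in ("access-point", "station"):
        return [f"unknown port role {cfg.role!r}"]

    if cfg.security == OPEN:
        if cfg.passphrase or cfg.radius_plcy or cfg.station_auth != "none":
            problems.append("open security: no wlan-security parameters expected")
        return problems

    if cfg.security not in (WPA2_PSK, WPA2_ENT):
        return [f"unknown security type {cfg.security!r}"]

    # Both WPA2 types require TKIP or AES encryption
    if cfg.encryption not in VALID_ENCRYPTION:
        problems.append("wpa-encryption must be TKIP or AES")

    if cfg.security == WPA2_PSK:
        if not cfg.passphrase:
            problems.append("WPA2-PSK requires wpa-passphrase")
        if cfg.station_auth != "none":
            problems.append("WPA2-PSK: station authentication is fixed at none")
    else:  # WPA2-Enterprise
        if cfg.role == "access-point" and not cfg.radius_plcy:
            problems.append("WPA2-Enterprise AP port requires a dot1x radius-plcy")
        if cfg.role == "station" and cfg.station_auth not in VALID_ENTERPRISE_AUTH:
            problems.append("WPA2-Enterprise station port: authentication must be "
                            "EAP-TTLS, EAP-FAST or EAP-PEAP")
    return problems


def apply_security_change(cfg: WlanPortConfig, **changes) -> WlanPortConfig:
    """Model the rule that security parameters change only while the port is shut down."""
    if not cfg.shutdown:
        raise ValueError("shut down the WLAN port before modifying security parameters")
    new_cfg = replace(cfg, **changes)
    problems = check_wlan_port(new_cfg)
    if problems:
        raise ValueError("; ".join(problems))
    return new_cfg


def radius_worst_case_seconds(server_count: int) -> int:
    """Longest wait before every configured RADIUS server has been exhausted:
    (1 + RADIUS_RETRY) attempts per server, each waiting RADIUS_TIMEOUT_S."""
    return server_count * (1 + RADIUS_RETRY) * RADIUS_TIMEOUT_S


if __name__ == "__main__":
    # Constructed sample: a WPA2-Enterprise AP port missing its RADIUS policy
    ap = WlanPortConfig(role="access-point", security=WPA2_ENT)
    print(check_wlan_port(ap))
    print("worst-case RADIUS failover with 2 servers:", radius_worst_case_seconds(2), "s")
```

The `radius_worst_case_seconds` helper is useful when sizing re-auth-period: with two servers configured, a client whose RADIUS servers are all unreachable waits 40 s before the AP gives up, so a short reauthentication interval combined with unreachable servers produces repeated stalls rather than a single failure.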
Table: WLAN client authentication types lists the authentication methods that the node supports.
| Authentication type | Description | User password | User certificate | Server certificate |
|---|---|---|---|---|
| EAP-TTLS | The EAP-Tunneled Transport Layer Security (TTLS) authentication type establishes a tunnel in which the username and password are verified. A user and server certificate are optional. The username, password, and certificates are programmed on the client device. | Yes | Optional | Optional |
| EAP-FAST | The EAP-Flexible Authentication via Secure Tunneling (FAST) authentication type uses Protected Access Credentials (PAC) to establish a tunnel and the selected tunnel type to verify username and password credentials. PACs are handled behind the scenes, transparently to the user. Automatic PAC provisioning can require a user certificate and the validation of a server certificate depending on the tunnel type. The username, password, and certificates are programmed on the client device. | Yes | Optional | Optional |
| EAP-PEAP | The EAP-Protected Extensible Authentication Protocol (PEAP) authentication type establishes a tunnel and, based on the tunnel type, uses a user certificate and/or a username and password. Validating a server certificate is optional. The username, password, and certificates are programmed on the client device. | Optional | Optional | Optional |
Security parameters can only be modified when the WLAN port is shut down.