Iuwne10 S04 L03

© 2008 Cisco Systems, Inc. All rights reserved. IUWNE v1.0—4-1

WLAN Security

Centralizing WLAN Authentication


802.1X


802.1X over Wireless

John Bartenhagen

Q2Dev: On both left-pointing arrows, "success" should be capitalized. -EDIT.


Unique Encryption Keys


EAP Process


EAP Frame Format

EAP defines four message types: Request, Response, Success, and Failure


RADIUS


Security > AAA > RADIUS > Authentication


Security > AAA > RADIUS > Authentication > New


WLAN > Edit > Security > AAA Servers


Local EAP

The following EAP methods are supported with local EAP:

− LEAP

− EAP-FAST (both username and password with PAC and certificates)

− EAP-TLS

− PEAP

MAC authentication is also supported in addition to the above methods

Local EAP authentication can be used if the Cisco WLC fails to reach the configured RADIUS servers

Supports local users or LDAP users

Requires WLAN configuration


Security > Local EAP > Profiles

Local EAP is created in three steps: Creation and configuration of an EAP profile

Creation of local users or delegation to an LDAP server

Validation of the EAP profile in a WLAN


Security > Local EAP > Profiles > Edit


Security > Local EAP > EAP-FAST Parameters


Security > AAA > Local Net Users


Security > Local EAP > Authentication Priority

Only LDAP is used

LDAP is used only if the local list does not contain the user


Security >AAA > LDAP


WLAN > Edit


Summary

802.1X allows a port to be blocked while the client is authenticated.

EAP creates a framework to carry the typical steps in an authentication process.

WLAN controllers can relay the wireless client authentication task to an external RADIUS server.

WLAN controllers can also be configured to handle EAP locally, based on an internal user database or an external LDAP server.


Technology

Iuwne10 S04 L03