A bridge uses the Extensible Authentication Protocol
(EAP) to interact with an EAP-compatible RADIUS server on your network
to provide authentication for wireless client devices.
In order to configure Network
EAP, you must first configure the SSID. Complete the following steps
to configure the SSID.
1. From the navigation menu, click Security
to go to the Security Summary page.
2. From the expanded Security menu, click SSID
Manager to go to the SSID Manager page.
3. In the Current SSID list, select the SSID for
the EAP authentication type. If you need to create a new SSID,
continue to Step 4. Otherwise, skip to Step 7.
4. Select <NEW>
from the Current SSID List.
5. Provide the SSID name in the SSID text field.
6. At the VLAN drop-down list, select the VLAN
to be used for this SSID. Select <NONE>
if VLANs are not enabled.
7. Under Authentication Methods Accepted, check
the Network EAP check box.
8. Click Apply to create
the SSID.
Now that the SSID is configured,
you must configure the encryption. Complete the following steps
to configure the encryption.
1. From the navigation menu, click Security
to go to the Security Summary page.
2. From the expanded Security menu, click Encryption
Manager to go to the Encryption Manager page.
3. From the Set Encryption Mode and Keys for VLAN
drop-down menu, select the VLAN corresponding to the SSID you
added above. Select <NONE> if
VLANs are not enabled.
4. Under the Encryption Mode section, click the
WEP Encryption radio button to enable
encryption. You can choose either Optional or Mandatory from the
drop-down menu.
5. This step is optional and can be skipped to
expedite setup. If you want to set the broadcast key rotation
interval, continue with this step. Otherwise, skip to Step 7.
At the Broadcast Key Rotation Interval parameter, select Enable
Rotation with Interval to enable this feature. This feature
enables you to enter the frequency with which the broadcast key
is changed.
6. Enter the frequency with which the broadcast
key is changed.
7. Click Apply.
Now that encryption is
configured, you must add a RADIUS or TACACS+ server. Complete the
following steps to add the server.
1. From the navigation menu, click Security
to go to the Security Summary page.
2. From the expanded Security menu, click Server
Manager to go to the Server Manager screen.
3. In the Current Server List, select the server
to be used for EAP authentication. If you need to create a new
server, continue to Step 4. Otherwise, skip to Step 10.
4. Select <NEW>
from the Current Server List.
5. Enter the server host name or IP address in
the Server text field.
6. Use the drop-down menu to select either a RADIUS
or TACACS+ server.
7. In the Shared Secret text field, enter the shared
secret used by your specified server. The secret on the bridge
must match the one on the server.
8. Enter the port number your server uses for authentication
in the Authentication Port parameter. The port setting for the
Cisco RADIUS server (the Access Control Server [ACS]) is 1645,
and the port setting for many RADIUS servers is 1812.
9. Enter the port number your RADIUS server uses
for accounting. The port setting for Cisco's RADIUS server (the
Access Control Server [ACS]) is 1646, and the port setting for
many RADIUS servers is 1813. Check your server's product documentation
to find the correct accounting port setting.
10. Use the drop-down menus to determine which level
of priority you want to assign to each server.
11. Click the Apply
button to add the server.
12. Steps 12 through 17 are optional tasks and can
be skipped to expedite setup.
Click the Global
Properties tab. Specify the interval at which the accounting
updates should be performed in the Accounting Updates Interval
field.
13. In the TACACS+ Server Timeout field, specify
the number of seconds an access point waits for a reply to a TACACS+
request before resending the request.
14. In the RADIUS Server Timeout field, specify
the number of seconds an access point waits for a reply to a RADIUS
request before resending the request.
15. In the RADIUS Server Retransmit Retries field,
specify the number of times the access point sends each RADIUS
request to the server before giving up.
16. If more than one RADIUS server is configured
for EAP authentication, enable the Dead
Server List option. Specify how long unresponsive RADIUS
servers should be skipped over when the access point is attempting
RADIUS server authentication. Enter this amount in the Server
remains on list for text field.
17. Click Apply in the
Global Server Properties section.
Configuring advanced EAP parameters
Now that the RADIUS server is added, you can configure
advanced EAP parameters. These steps are optional and can be skipped
to expedite setup.
1. From the navigation menu, click Security
to go to the Security Summary page.
2. From the expanded Security navigation menu,
click Advanced Security to go to the
Advanced Security screen.
3. Choose either the second or third option to
enable authentication. These interval options set how often EAP
authentication is reattempted. You can enter your own interval
or use the one provided by the RADIUS server.
4. In the EAP Client Timeout text field, enter
the amount of time the access point should wait for wireless clients
to respond to EAP authentication requests.
5. Click Apply.