Traditionally, the dot1x (802.1X) authenticator/supplicant relationship has been between a network device and a PC client respectively, because it was the PC user who had to authenticate to gain access to the network. Wireless networks, however, introduce two situations in which the access point itself must take the supplicant role. First, access points are often mounted in public places, so one could be unplugged and its switch port used by an outsider; authenticating the access point on its Ethernet uplink lets the switch refuse that port to anything that cannot present the access point's credentials. Second, when a repeater access point is incorporated into a wireless network, the repeater must authenticate to the root access point in the same way that a client does.
You must first create and configure a credentials profile and apply the credentials to an interface or SSID. Credentials are used to authenticate the access point to the network.
Current Credentials
Choose <NEW> if you want to add a dot1x credentials profile.
Credentials Name
Enter a name for the dot1x credentials profile if you are adding a new profile. You can change the name if you have chosen an existing profile.
Username
Enter the authentication user id.
Password
Enter the authentication password.
Anonymous ID
Enter the anonymous identity to be used. Depending on your network authentication requirements, you may need to configure an anonymous ID instead of a username and password.
Trustpoint
The access point's device certificate and the associated CA certificate are managed through a PKI trustpoint. Enter the name of the trustpoint if the network authentication method requires a certificate (for example, EAP-TLS); leave it blank otherwise.
Define Trustpoints
If you need to define a trustpoint, click the link to go to the AP Authentication - Certificates page where you can configure the parameters for the trustpoint.
Credential profiles are applied to an interface or an SSID in the same way. When an access point connects to the network, the access point and the network authentication device negotiate to agree upon an authentication method supported by both devices to complete authentication. An authentication methods profile is used to restrict the types of authentication that the access point agrees to use.
If you wish to restrict the authentication types used to authenticate to the network, define an authentication methods profile and assign it to the relevant SSIDs or FastEthernet interface. The restriction may be required to prevent the network authentication server and the access point from negotiating an authentication method such as LEAP rather than a more secure authentication method such as EAP-FAST.
Current Authentication Methods Profile
Choose <NEW> if you want to add an authentication methods profile.
Profile Name
Enter a name for the authentication methods profile if you are adding a new profile. You can change the name if you have chosen an existing profile.
Authentication Methods
Choose the authentication methods that the access point is permitted to use when authenticating to the network. Listing only strong methods prevents the access point from accepting a weaker method proposed by the server. For example, if a RADIUS server supports both EAP-FAST and LEAP, under certain configurations the server may propose LEAP first; with no method list defined here, the access point accepts LEAP rather than the stronger EAP-FAST. This matters because LEAP's challenge/response exchange exposes the password to an offline dictionary attack by anyone who captures it, whereas EAP-FAST carries the inner authentication inside a protected TLS tunnel.
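The two profiles above (credentials and authentication methods) correspond to the `dot1x credentials` and `eap profile` sections of the access point's IOS running-config, applied under `interface FastEthernet0` or `dot11 ssid`. The following audit script is an added example, not part of this help page or of Cisco's software: it parses a constructed running-config (the profile names, username, placeholder password string and SSIDs are invented) and flags each interface or SSID that carries credentials without a method profile, or whose method profile still allows a weak method such as LEAP. The set of methods treated as weak is the author's choice.

```python
"""Audit a Cisco IOS access-point config for 802.1X supplicant settings.

Checks three things for every interface/SSID that has dot1x credentials applied:
  1. the referenced credentials profile and eap profile actually exist,
  2. an eap profile is applied at all (otherwise the AP accepts whatever
     method the server proposes),
  3. the applied eap profile does not allow a weak method.
Constructed example config; not taken from any real device.
"""

# Methods the AP should never agree to (assumption for this example:
# LEAP is dictionary-attackable, EAP-MD5 offers no mutual authentication).
WEAK_METHODS = {"leap", "md5"}

SAMPLE_CONFIG = """\
dot1x credentials AP-CREDS
 username ap-lab-01
 password 7 0822455D0A16
 anonymous-id anonymous@example.com
 pki-trustpoint AP-TP
!
eap profile WEAK
 method leap
 method fast
!
eap profile STRONG
 method fast
 method tls
!
dot11 ssid corp
 dot1x credentials AP-CREDS
 dot1x eap profile WEAK
!
dot11 ssid guest
 dot1x credentials AP-CREDS
!
interface FastEthernet0
 dot1x credentials AP-CREDS
 dot1x eap profile STRONG
!
"""


def parse_blocks(config):
    """Split IOS config into (section header, [indented sub-lines]) pairs."""
    blocks, header, body = [], None, []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" "):          # indented line belongs to current section
            body.append(line.strip())
        else:
            if header is not None:
                blocks.append((header, body))
            header, body = line.strip(), []
    if header is not None:
        blocks.append((header, body))
    return blocks


def audit(config):
    """Return a list of human-readable findings for the given config text."""
    credentials, eap_profiles, applied = {}, {}, []
    for header, body in parse_blocks(config):
        words = header.split()
        if words[:2] == ["dot1x", "credentials"]:
            credentials[words[2]] = dict(l.partition(" ")[::2] for l in body)
        elif words[:2] == ["eap", "profile"]:
            eap_profiles[words[2]] = {l.split()[1] for l in body if l.startswith("method ")}
        elif words[0] == "interface" or words[:2] == ["dot11", "ssid"]:
            cred = prof = None
            for l in body:
                if l.startswith("dot1x credentials "):
                    cred = l.split()[2]
                elif l.startswith("dot1x eap profile "):
                    prof = l.split()[3]
            if cred or prof:
                applied.append((header, cred, prof))

    findings = []
    for target, cred, prof in applied:
        if cred and cred not in credentials:
            findings.append(f"{target}: credentials profile {cred!r} is not defined")
        if prof is None:
            findings.append(f"{target}: no EAP method profile; AP will accept any method the server proposes")
        elif prof not in eap_profiles:
            findings.append(f"{target}: eap profile {prof!r} is not defined")
        else:
            weak = eap_profiles[prof] & WEAK_METHODS
            if weak:
                findings.append(f"{target}: eap profile {prof!r} allows weak method(s) {sorted(weak)}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the script reports the `corp` SSID for allowing LEAP and the `guest` SSID for having no method profile at all, while `FastEthernet0` with the `STRONG` profile is clean. The same parser can be pointed at a saved `show running-config` to review a fleet of access points.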