Choose WLANs > WLAN ID to open the WLANs > Edit page.

In the Security tab, choose the Layer 2 security tab.

From the Layer 2 Security drop-down list, choose WPA+WPA2.

Choose the PMF state from the drop-down list

If you choose the PMF state as either Optional or Required, do the following:

1. In the Comeback Timer box, enter the association comeback interval in milliseconds. It is the time within which the access point reassociates with the client after a valid security association.

2. In the SA Query Timeout box, enter the maximum time before an Security Association (SA) query times out.

In the Authentication Key Management section, follow these steps:

1. Select or unselect the PMF 802.1X check box to configure the 802.1X authentication for the protection of management frames.

2. Select or unselect the PMF PSK check box to configure the preshared keys for PMF. Choose the PSK format as either ASCII or Hexadecimal and enter the PSK.

Click Apply.

Click Save Configuration.

Choose WLANs to open the WLANs window.

Click a WLAN ID to open the WLANs > Edit window.

Choose Security > Layer 2 tab.

From the Layer 2 Security drop-down list, choose WPA+WPA2.

From the Fast Transition drop-down list, choose Fast Transition on the WLAN.

Uncheck the Over the DS check box to enable Fast Transition Over the Air.

In the Reassociation Timeout field, enter the number of seconds after which the reassociation attempt of a client to an AP should time out. The valid range is 1 to 100 seconds.

Under Authentication Key Management, choose FT 802.1X or FT PSK. Check or uncheck the corresponding check boxes to enable or disable the keys. If you check the FT PSK check box, from the PSK Format drop-down list, choose ASCII or Hex and enter the key value.

From the WPA gtk-randomize State drop-down list, choose Enable or Disable to configure the Wi-Fi Protected Access (WPA) group temporal key (GTK) randomize state.

Click Apply to save your settings.

To enable or disable 802.11r fast transition parameters, use the config wlan security ft { adaptive | enable | disable} wlan-id command.

To enable or disable 802.11r fast transition parameters over a distributed system, use the config wlan security ft over-the-ds { enable | disable} wlan-id command.

To enable or disable the authentication key management for fast transition using preshared keys (PSK), use the config wlan security wpa akm ft psk { enable | disable} wlan-id command.

To enable or disable authentication key management for adaptive using PSK, use the config wlan security wpa akm psk { enable | disable} wlan-id command.

To enable or disable authentication key management for fast transition using 802.1X, use the config wlan security wpa akm ft-802.1X { enable | disable} wlan-id command.

To enable or disable authentication key management for adaptive using 802.1x, use the config wlan security wpa akm 802.1x { enable | disable} wlan-id command.

To enable or disable 802.11r fast transition reassociation timeout, use the config wlan security ft reassociation-timeout timeout-in-seconds wlan-id command.

To view the fast transition configuration on a WLAN, use the show wlan wlan-id command.

To view the fast transition configuration on a client, use the show client detail client-mac command.

To enable or disable debugging of fast transition events, use the debug ft events { enable | disable} command.

Disable the WLAN by entering this command:

Enable sticky key caching by entering this command:

WLAN Identifier.................................. 2
Profile Name..................................... new
Network Name (SSID).............................. new
Status........................................... Disabled
MAC Filtering.................................... Disabled
Security
   802.11 Authentication:........................ Open System
   Static WEP Keys............................... Disabled
   802.1X........................................ Disabled
   Wi-Fi Protected Access (WPA/WPA2)............. Enabled
      WPA (SSN IE)............................... Disabled
      WPA2 (RSN IE).............................. Enabled
         TKIP Cipher............................. Disabled
         AES Cipher.............................. Enabled
      Auth Key Management
         802.1x.................................. Disabled
         PSK..................................... Enabled
         CCKM.................................... Disabled
         FT(802.11r)............................. Disabled
         FT-PSK(802.11r)......................... Disabled
     SKC Cache Support......................... Enabled 
      FT Reassociation Timeout................... 20
      FT Over-The-Air mode....................... Enabled
      FT Over-The-Ds mode........................ Enabled
CCKM tsf Tolerance............................... 1000
   Wi-Fi Direct policy configured................ Disabled
   EAP-Passthrough............................... Disabled



Enable the WLAN by entering this command:

Save your settings by entering this command:

Choose WLANs to open the WLANs page.

Click the ID number of the desired WLAN to open the WLANs > Edit page.

Choose the Security and Layer 2 tabs to open the WLANs > Edit (Security > Layer 2) page.

Choose WPA+WPA2 from the Layer 2 Security drop-down list.

Under WPA+WPA2 Parameters, select the WPA Policy check box to enable WPA1, select the WPA2 Policy check box to enable WPA2, or select both check boxes to enable both WPA1 and WPA2.

Select the WPA2 Policy-AES check box to enable AES data encryption .

Choose one of the following key management methods from the Auth Key Mgmt drop-down list: 802.1X, CCKM, PSK, or 802.1X+CCKM.

If you chose PSK, choose ASCII or HEX from the PSK Format drop-down list and then enter a preshared key in the blank text box. WPA preshared keys must contain 8 to 63 ASCII text characters or 64 hexadecimal characters.

Save the configuration.

Disable the WLAN by entering this command:

Enable or disable WPA for the WLAN by entering this command:

Enable or disable WPA1 for the WLAN by entering this command:

Enable or disable WPA2 for the WLAN by entering this command:

Enable or disable AES or TKIP data encryption for WPA1 or WPA2 by entering one of these commands:

Enable or disable 802.1X, PSK, or CCKM authenticated key management by entering this command:

If you enabled PSK in Step 6, enter this command to specify a preshared key:

Enable or disable authentication key management suite for fast transition by entering this command:

Enable or disable randomization of group temporal keys (GTK) between AP and clients by entering this command:

If you enabled WPA2 with 802.1X authenticated key management or WPA1 or WPA2 with CCKM authenticated key management, the PMK cache lifetime timer is used to trigger reauthentication with the client when necessary. The timer is based on the timeout value received from the AAA server or the WLAN session timeout setting. To see the amount of time remaining before the timer expires, enter this command:

Enable the WLAN by entering this command:

Save your settings by entering this command:

Choose WLANs to open the WLANs page.

Click the WLAN ID.

Click the Security tab and then click the Layer 3 tab.

From the Captive Network Assistant Bypass drop-down list, choose:

Click Apply to commit your changes.

Click Save Configuration to save your changes.

Choose WLANs to open the WLANs page.

Click the ID number of the WLAN for which you want to configure the fallback policy for web authentication. The WLANs > Edit page appears.

Choose the Security and Layer 3 tabs to open the WLANs > Edit (Security > Layer 3) page.

From the Layer 3 Security drop-down list, choose None.

Select the Web Policy check box.

Click On MAC Filter Failure.

Click Apply to commit your changes.

Click Save Configuration to save your settings.

Enable or disable web authentication on a particular WLAN by entering this command:

See the web authentication status by entering this command:

FT Over-The-Ds mode.............................. Enabled
CKIP ......................................... Disabled
   IP Security................................... Disabled
   IP Security Passthru.......................... Disabled
   Web Based Authentication...................... Enabled-On-MACFilter-Failure
        ACL............................................. Unconfigured
        Web Authentication server precedence:
        1............................................... local
        2............................................... radius
        3............................................... ldap

Choose WLANs.

Click the corresponding WLAN ID.

Click the Security tab and then click the Layer 3 tab.

Select the Sleeping Client check box to enable authentication for sleeping clients.

Enter the Sleeping Client Timeout, which is the duration for which the sleeping clients are to be remembered before reauthentication becomes necessary.

Click Apply.

Click Save Configuration.

From the CiscoSecure ACS main menu, choose Group Setup.

Click Edit Settings.

From the Jump To drop-down list, choose RADIUS (Cisco IOS/PIX 6.0).

Select the [009\001] cisco-av-pair check box.

Enter the following Cisco AV-pairs in the [009\001] cisco-av-pair edit box to specify the URL to which the user is redirected and, if configuring conditional web redirect, the conditions under which the redirect takes place, respectively:

Choose WLANs to open the WLANs page.

Click the ID number of the desired WLAN. The WLANs > Edit page appears.

Choose the Security and Layer 2 tabs to open the WLANs > Edit (Security > Layer 2) page.

From the Layer 2 Security drop-down list, choose 802.1X or WPA+WPA2.

Set any additional parameters for 802.1X or WPA+WPA2.

Choose the Layer 3 tab to open the WLANs > Edit (Security > Layer 3) page.

From the Layer 3 Security drop-down list, choose None.

Check the Web Policy check box.

Choose one of the following options to enable conditional or splash page web redirect: Conditional Web Redirect or Splash Page Web Redirect. The default value is disabled for both parameters.

If the user is to be redirected to a site external to the controller, choose the ACL that was configured on your RADIUS server from the Preauthentication ACL drop-down list.

Click Apply to commit your changes.

Click Save Configuration to save your changes.

Enable or disable conditional web redirect by entering this command:

Enable or disable splash page web redirect by entering this command:

Save your settings by entering this command:

See the status of the web redirect features for a particular WLAN by entering this command:

WLAN Identifier.................................. 1
Profile Name..................................... test
Network Name (SSID).............................. test
...
Web Based Authentication......................... Disabled
Web-Passthrough.................................. Disabled
Conditional Web Redirect......................... Disabled
Splash-Page Web Redirect......................... Enabled
...


Choose Controller > General

From the WebAuth Proxy Redirection Mode drop-down list, choose Enabled or Disabled.

In the WebAuth Proxy Redirection Port text box, enter the port number of the web auth proxy.

Click Apply.

Choose Security > AAA > LDAP to open the LDAP Servers page.

• If you want to delete an existing LDAP server, hover your cursor over the blue drop-down arrow for that server and choose Remove.

• If you want to make sure that the controller can reach a particular server, hover your cursor over the blue drop-down arrow for that server and choose Ping.

Perform one of the following:

• To edit an existing LDAP server, click the index number for that server. The LDAP Servers > Edit page is displayed.

• To add an LDAP server, click New. The LDAP Servers > New page is displayed. If you are adding a new server, choose a number from the Server Index (Priority) drop-down list to specify the priority order of this server in relation to any other configured LDAP servers. You can configure up to 17 servers. If the controller cannot reach the first server, it tries the second one in the list and so on.

If you are adding a new server, enter the IP address of the LDAP server in the Server IP Address field. Both IPv4 and IPv6 addresses are supported.

If you are adding a new server, enter the LDAP server’s TCP port number in the Port Number field. The valid range is 1 to 65535, and the default value is 389.

From the Server Mode (via TLS) drop-down list, choose Disabled to establish LDAP connection (without secure tunnel) between LDAP server and the Cisco WLC using TCP or Enabled to establish a secure LDAP connection using TLS.

Check the Enable Server Status check box to enable this LDAP server or unselect it to disable it. The default value is disabled.

From the Simple Bind drop-down list, choose Anonymous or Authenticated to specify the local authentication bind method for the LDAP server. The Anonymous method allows anonymous access to the LDAP server. The Authenticated method requires that a username and password be entered to secure access. The default value is Anonymous.

If you chose Authenticated in the previous step, follow these steps:

1. In the Bind Username field, enter a username to be used for local authentication to the LDAP server. The username can contain up to 80 characters.

   Note	If the username starts with “cn=” (in lowercase letters), the controller assumes that the username includes the entire LDAP database path and does not append the user base DN. This designation allows the authenticated bind user to be outside the user base DN.

2. In the Bind Username field, enter a username to be used for local authentication to the LDAP server. The username can contain up to 80 characters.

In the User Base DN field, enter the distinguished name (DN) of the subtree in the LDAP server that contains a list of all the users. For example, ou=organizational unit, .ou=next organizational unit, and o=corporation.com. If the tree containing users is the base DN, type.

In the User Attribute field, enter the name of the attribute in the user record that contains the username. You can obtain this attribute from your directory server.

In the User Object Type field, enter the value of the LDAP objectType attribute that identifies the record as a user. Often, user records have several values for the objectType attribute, some of which are unique to the user and some of which are shared with other object types.

In the Server Timeout field, enter the number of seconds between retransmissions. The valid range is 2 to 30 seconds, and the default value is 2 seconds.

Click Apply to commit your changes.

Click Save Configuration to save your changes.

Specify LDAP as the priority backend database server for local EAP authentication as follows:

1. Choose Security > Local EAP > Authentication Priority to open the Priority Order > Local-Auth page.

2. Highlight LOCAL and click < to move it to the left User Credentials field.

3. Highlight LDAP and click > to move it to the right User Credentials field. The database that is displayed at the top of the right User Credentials field is used when retrieving user credentials.

   Note

   If both LDAP and LOCAL appear in the right User Credentials field with LDAP on the top and LOCAL on the bottom, local EAP attempts to authenticate clients using the LDAP backend database and fails over to the local user database if the LDAP servers are not reachable. If the user is not found, the authentication attempt is rejected. If LOCAL is on the top, local EAP attempts to authenticate using only the local user database. It does not fail over to the LDAP backend database.

4. Click Apply to commit your changes.

5. Click Save Configuration to save your changes.

(Optional) Assign specific LDAP servers to a WLAN as follows:

1. Choose WLANs to open the WLANs page.

2. Click the ID number of the desired WLAN.

3. When the WLANs > Edit page is displayed, choose the Security > AAA Servers tabs to open the WLANs > Edit (Security > AAA Servers) page.

4. From the LDAP Servers drop-down lists, choose the LDAP server(s) that you want to use with this WLAN. You can choose up to three LDAP servers, which are tried in priority order.

   Note	These LDAP servers apply only to WLANs with web authentication enabled. They are not used by local EAP.

5. Click Apply to commit your changes.

6. Click Save Configuration to save your changes.

Specify the LDAP server fallback behavior, as follows:

1. Choose WLAN > AAA Server to open the Fallback Parameters page.

2. From the LDAP Servers drop-down list, choose the LDAP server in the order of priority when the controller attempts to authenticate management users. The order of authentication is from server.

3. Choose Security > AAA > LDAP to view the list of global LDAP servers configured for the controller.

If you are configuring local EAP to use one of the EAP types listed in the note above, make sure that the appropriate certificates and PACs (if you will use manual PAC provisioning) have been imported on the controller.

If you want the controller to retrieve user credentials from the local user database, make sure that you have properly configured the local network users on the controller.

If you want the controller to retrieve user credentials from an LDAP backend database, make sure that you have properly configured an LDAP server on the controller.

Specify the order in which user credentials are retrieved from the backend database servers as follows:

1. Choose Security > Local EAP > Authentication Priority to open the Priority Order > Local-Auth page.

2. Determine the priority order in which user credentials are to be retrieved from the local and/or LDAP databases. For example, you may want the LDAP database to be given priority over the local user database, or you may not want the LDAP database to be considered at all.

3. When you have decided on a priority order, highlight the desired database. Then use the left and right arrows and the Up and Down buttons to move the desired database to the top of the right User Credentials box.

   Note

   If both LDAP and LOCAL appear in the right User Credentials box with LDAP on the top and LOCAL on the bottom, local EAP attempts to authenticate clients using the LDAP backend database and fails over to the local user database if the LDAP servers are not reachable. If the user is not found, the authentication attempt is rejected. If LOCAL is on the top, local EAP attempts to authenticate using only the local user database. It does not fail over to the LDAP backend database.

4. Click Apply to commit your changes.

Specify values for the local EAP timers as follows:

1. Choose Security > Local EAP > General to open the General page.

2. In the Local Auth Active Timeout field, enter the amount of time (in seconds) in which the controller attempts to authenticate wireless clients using local EAP after any pair of configured RADIUS servers fails. The valid range is 1 to 3600 seconds, and the default setting is 300 seconds.

Specify values for the Advanced EAP parameters as follows:

1. Choose Security> Advanced EAP.

2. In the Identity Request Timeout field, enter the amount of time (in seconds) in which the controller attempts to send an EAP identity request to wireless clients using local EAP. The valid range is 1 to 120 seconds, and the default setting is 30 seconds.

3. In the Identity Request Max Retries field, enter the maximum number of times that the controller attempts to retransmit the EAP identity request to wireless clients using local EAP. The valid range is 1 to 20 retries, and the default setting is 2 retries.

4. In the Dynamic WEP Key Index field, enter the key index used for dynamic wired equivalent privacy (WEP). The default value is 0, which corresponds to a key index of 1; the valid values are 0 to 3 (key index of 1 to 4).

   This feature is no longer supported.

5. In the Request Timeout field, enter the amount of time (in seconds) in which the controller attempts to send an EAP request to wireless clients using local EAP. The valid range is 1 to 120 seconds, and the default setting is 30 seconds.

6. In the Request Max Retries field, enter the maximum number of times that the controller attempts to retransmit the EAP request to wireless clients using local EAP. The valid range is 1 to 120 retries, and the default setting is 2 retries.

7. From the Max-Login Ignore Identity Response drop-down list, enable the feature if you want to ignore the EAP identity responses when enforcing the net user login limit.

8. In the EAPOL-Key Timeout field, enter the amount of time (in seconds) in which the controller attempts to send an EAP key over the LAN to wireless. The valid range is 200 to 5000 milliseconds, and the default setting is 1000 milliseconds.

9. In the EAPOL-Key Max Retries field, enter the maximum number of times that the controller attempts to send an EAP key over the LAN to wireless clients using local EAP. The valid range is 0 to 4 retries, and the default setting is 2 retries.

10. In the EAP-Broadcast Key Interval field, enter the interval between the Group Temporal Key (GTK) key rotation for all the stations on a BSSID that is using WPA protocol. The default interval is 3600 seconds.

11. Click Apply to commit your changes.

Create a local EAP profile, which specifies the EAP authentication types that are supported on the wireless clients as follows:

1. Choose Security > Local EAP > Profiles to open the Local EAP Profiles page.

   This page lists any local EAP profiles that have already been configured and specifies their EAP types. You can create up to 16 local EAP profiles.

   Note	If you want to delete an existing profile, hover your cursor over the blue drop-down arrow for that profile and choose Remove.

2. Click New to open the Local EAP Profiles > New page.

3. In the Profile Name field, enter a name for your new profile and then click Apply.

   Note	You can enter up to 63 alphanumeric characters for the profile name. Make sure not to include spaces.

4. When the Local EAP Profiles page is displayed again, click the name of your new profile. The Local EAP Profiles > Edit page is displayed.

5. Check the LEAP, EAP-FAST, EAP-TLS, and/or PEAP check boxes to specify the EAP type that can be used for local authentication.

   Note	You can specify more than one EAP type per profile. However, if you choose multiple EAP types that use certificates (such as EAP-FAST with certificates, EAP-TLS, PEAPv0/MSCHAPv2, and PEAPv1/GTC), all the EAP types must use the same certificate (from either Cisco or another vendor).

   Note	If you check the PEAP check box, both PEAPv0/MSCHAPv2 or PEAPv1/GTC are enabled on the controller.

6. If you chose EAP-FAST and want the device certificate on the controller to be used for authentication, check the Local Certificate Required check box. If you want to use EAP-FAST with PACs instead of certificates, leave this check box unselected, which is the default setting.

   Note	This option applies only to EAP-FAST because device certificates are not used with LEAP and are mandatory for EAP-TLS and PEAP.

7. If you chose EAP-FAST and want the wireless clients to send their device certificates to the controller in order to authenticate, check the Client Certificate Required check box. If you want to use EAP-FAST with PACs instead of certificates, leave this check box unchecked, which is the default setting.

   Note	This option applies only to EAP-FAST because client certificates are not used with LEAP or PEAP and are mandatory for EAP-TLS.

8. If you chose EAP-FAST with certificates, EAP-TLS, or PEAP, choose which certificates will be sent to the client, the ones from Cisco or the ones from another Vendor, from the Certificate Issuer drop-down list. The default setting is Cisco.

9. If you chose EAP-FAST with certificates or EAP-TLS and want the incoming certificate from the client to be validated against the CA certificates on the controller, check the Check against CA certificates check box. The default setting is enabled.

10. If you chose EAP-FAST with certificates or EAP-TLS and want the common name (CN) in the incoming certificate to be validated against the Local Net Users configured on the controller, check the Verify Certificate CN Identity check box. The default setting is disabled.

11. If you chose EAP-FAST with certificates or EAP-TLS and want the controller to verify that the incoming device certificate is still valid and has not expired, check the Check Certificate Date Validity check box. The default setting is enabled.

    Note	Certificate date validity is checked against the current UTC (GMT) time that is configured on the controller. Timezone offset will be ignored.

12. Click Apply to commit your changes.

If you created an EAP-FAST profile, follow these steps to configure the EAP-FAST parameters:

1. Choose Security > Local EAP > EAP-FAST Parameters to open the EAP-FAST Method Parameters page.

2. In the Server Key and Confirm Server Key fields, enter the key (in hexadecimal characters) used to encrypt and decrypt PACs.

3. In the Time to Live for the PAC field, enter the number of days for the PAC to remain viable. The valid range is 1 to 1000 days, and the default setting is 10 days.

4. In the Authority ID field, enter the authority identifier of the local EAP-FAST server in hexadecimal characters. You can enter up to 32 hexadecimal characters, but you must enter an even number of characters.

5. In the Authority ID Information field, enter the authority identifier of the local EAP-FAST server in text format.

6. If you want to enable anonymous provisioning, check the Anonymous Provision check box. This feature allows PACs to be sent automatically to clients that do not have one during PAC provisioning. If you disable this feature, PACS must be manually provisioned. The default setting is enabled.

   Note	If the local and/or client certificates are required and you want to force all EAP-FAST clients to use certificates, uncheck the Anonymous Provision check box.

7. Click Apply to commit your changes.

Enable local EAP on a WLAN as follows:

1. Choose WLANs to open the WLANs page.

2. Click the ID number of the desired WLAN.

3. When the WLANs > Edit page is displayed, choose the Security > AAA Servers tabs to open the WLANs > Edit (Security > AAA Servers) page.

4. Uncheck the Enabled check boxes for RADIUS Authentication Servers and Accounting Server to disable RADIUS accounting and authentication for this WLAN.

5. Check the Local EAP Authentication check box to enable local EAP for this WLAN.

6. From the EAP Profile Name drop-down list, choose the EAP profile that you want to use for this WLAN.

7. If desired, choose the LDAP server that you want to use with local EAP on this WLAN from the LDAP Servers drop-down lists.

8. Click Apply to commit your changes.

Enable EAP parameters on a WLAN as follows:

1. Choose WLANs to open the WLANs page.

2. Click the ID number of the desired WLAN.

3. When the WLANs > Edit page is displayed, choose the Security > AAA Servers tabs to open the WLANs > Edit (Security > AAA Servers) page.

4. Check the Enable check box to configure EAP parameters for this WLAN.

5. In the EAPOL Key Timeout (200 to 5000 millisec) field, enter the amount of time (in milliseconds) in which the controller attempts to send an EAP key over the WLAN to wireless clients using local EAP. The valid range is 200 to 5000 milliseconds and the default value is 1000 milliseconds.

6. In the EAPOL Key Retries (0 to 4) field, enter the maximum number of times that the controller attempts to send an EAP key over the WLAN to wireless clients using local EAP. The valid range is 0 to 4 retries and the default setting is 2 retries.

7. In the Identity Request Timeout (1 to 120 sec) field, enter the amount of time (in seconds) in which the controller attempts to send an EAP identity request to wireless clients within WLAN using local EAP. The valid range is 1 to 120 seconds and the default value is 30 seconds.

8. In the Identity Request Retries (1 to 20 sec) field, enter the maximum number of times that the controller attempts to retransmit the EAP identity request to wireless clients within WLAN using local EAP. The valid range is 1 to 20 retries, and the default setting is 2 retries.

9. In the Request Timeout (1 to 120 sec) field, enter the amount of time (in seconds) in which the controller attempts to send an EAP parameter request to wireless clients within WLAN using local EAP. The valid range is 1 to 120 seconds, and the default setting is 30 seconds.

10. In the Request Retries (1 to 20 sec) field, enter the maximum number of times that the controller attempts to retransmit the EAP parameter request to wireless clients within WLAN using local EAP. The valid range is 1 to 20 retries, and the default setting is 2 retries.

11. Click Apply to commit your changes.

Click Save Configuration to save your changes.

If you are configuring local EAP to use one of the EAP types listed in the note above, make sure that the appropriate certificates and PACs (if you will use manual PAC provisioning) have been imported on the controller.

If you want the controller to retrieve user credentials from the local user database, make sure that you have properly configured the local network users on the controller.

If you want the controller to retrieve user credentials from an LDAP backend database, make sure that you have properly configured an LDAP server on the controller.

Specify the order in which user credentials are retrieved from the local and/or LDAP databases by entering this command:

Specify values for the local EAP timers by entering these commands:

• config advanced eap identity-request-timeout timeout —Specifies the amount of time (in seconds) in which the controller attempts to send an EAP identity request to wireless clients using local EAP. The valid range is 1 to 120 seconds, and the default setting is 30 seconds.
• config advanced eap bcast-key-interval seconds —Configures EAP-broadcast key renew interval time in seconds. The valid range is 120 to 86400 seconds.
• config advanced eap identity-request-retries retries —Specifies the maximum number of times that the controller attempts to retransmit the EAP identity request to wireless clients using local EAP. The valid range is 1 to 20 retries, and the default setting is 20 retries.
• config advanced eap key-index index —Specifies the key index used for dynamic wired equivalent privacy (WEP). The default value is 0, which corresponds to a key index of 1; the valid values are 0 to 3 (key index of 1 to 4).
• config advanced eap request-timeout timeout —Specifies the amount of time (in seconds) in which the controller attempts to send an EAP request to wireless clients using local EAP. The valid range is 1 to 120 seconds, and the default setting is 30 seconds.
• config advanced eap request-retries retries —Specifies the maximum number of times that the controller attempts to retransmit the EAP request to wireless clients using local EAP. The valid range is 1 to 120 retries, and the default setting is 20 retries.
• config advanced eap eapol-key-timeout timeout —Specifies the amount of time (in seconds) in which the controller attempts to send an EAP key over the LAN to wireless clients. The valid range is 200 to 5000 milliseconds, and the default setting is 1000 milliseconds.

  Note	If the controller and access point are separated by a WAN link, the default timeout of 1 second may not be sufficient.

• config advanced eap eapol-key-retries retries —Specifies the maximum number of times that the controller attempts to send an EAP key over the LAN to wireless clients using local EAP. The valid range is 0 to 4 retries, and the default setting is 2 retries.
• config advanced eap max-login-ignore-identity-response {enable | disable} —

  Enable the feature if you want to ignore the EAP identity responses when enforcing the net user login limit. See the User Login Policies section for details.

Specify values for the local EAP timers on a WLAN by entering these commands:

• config wlan security eap-params {enable | disable} wlan_id —Specifies to enable or disable SSID specific EAP timeouts or retries. The default value is disabled.
• config wlan security eap-params eapol-key-timeout timeout wlan_id —Specifies the amount of time (in milliseconds) in which the controller attempts to send an EAP key over the WLAN to wireless clients using local EAP. The valid range is 200 to 5000 milliseconds, and the default setting is 1000 milliseconds.
• config wlan security eap-params eapol-key-retries retries wlan_id —Specifies the maximum number of times that the controller attempts to send an EAP key over the WLAN to wireless clients using local EAP. The valid range is 0 to 4 retries, and the default setting is 2 retries.
• config wlan security eap-params identity-request-timeout timeout wlan_id —Specifies the amount of time (in seconds) in which the controller attempts to send an EAP identity request to wireless clients within WLAN using local EAP. The valid range is 1 to 120 seconds, and the default setting is 30 seconds.
• config wlan security eap-params identity-request-retries retries wlan_id —Specifies the maximum number of times that the controller attempts to retransmit the EAP identity request to wireless clients within WLAN using local EAP. The valid range is 1 to 20 retries, and the default setting is 2 retries.
• config wlan security eap-params request-timeout timeout wlan_id —Specifies the amount of time (in seconds) in which the controller attempts to send an EAP parameter request to wireless clients within WLAN using local EAP. The valid range is 1 to 120 seconds, and the default setting is 30 seconds.
• config wlan security eap-params request-retries retries wlan_id —Specifies the maximum number of times that the controller attempts to retransmit the EAP parameter request to wireless clients within WLAN using local EAP. The valid range is 1 to 20 retries, and the default setting is 2 retries.

Create a local EAP profile by entering this command:

Add an EAP method to a local EAP profile by entering this command:

Configure EAP-FAST parameters if you created an EAP-FAST profile by entering this command:

Configure certificate parameters per profile by entering these commands:

• config local-auth eap-profile method fast local-cert {enable | disable} profile_name —
Specifies whether the device certificate on the controller is required for authentication.

  Note	This command applies only to EAP-FAST because device certificates are not used with LEAP and are mandatory for EAP-TLS and PEAP.

• config local-auth eap-profile method fast client-cert {enable | disable} profile_name —
Specifies whether wireless clients are required to send their device certificates to the controller in order to authenticate.

  Note	This command applies only to EAP-FAST because client certificates are not used with LEAP or PEAP and are mandatory for EAP-TLS.

• config local-auth eap-profile cert-issuer {cisco | vendor} profile_name —If you specified EAP-FAST with certificates, EAP-TLS, or PEAP, specifies whether the certificates that will be sent to the client are from Cisco or another vendor.
• config local-auth eap-profile cert-verify ca-issuer {enable | disable} profile_name —If you chose EAP-FAST with certificates or EAP-TLS, specifies whether the incoming certificate from the client is to be validated against the CA certificates on the controller.
• config local-auth eap-profile cert-verify cn-verify {enable | disable} profile_name —If you chose EAP-FAST with certificates or EAP-TLS, specifies whether the common name (CN) in the incoming certificate is to be validated against the CA certificates’ CN on the controller.
• config local-auth eap-profile cert-verify date-valid {enable | disable} profile_name —If you chose EAP-FAST with certificates or EAP-TLS, specifies whether the controller is to verify that the incoming device certificate is still valid and has not expired.

Enable local EAP and attach an EAP profile to a WLAN by entering this command:

Save your changes by entering this command:

View information pertaining to local EAP by entering these commands:

• show local-auth config— Shows the local EAP configuration on the controller.

  
  User credentials database search order:
     Primary ..................................... Local DB
  
  Timer:
      Active timeout .............................. 300
  
  Configured EAP profiles:
     Name ........................................ fast-cert
       Certificate issuer ........................ vendor
       Peer verification options:
         Check against CA certificates ........... Enabled
         Verify certificate CN identity .......... Disabled
         Check certificate date validity ......... Enabled
       EAP-FAST configuration:
         Local certificate required .............. Yes
         Client certificate required ............. Yes
       Enabled methods ........................... fast
       Configured on WLANs ....................... 1
  
     Name ........................................ tls
       Certificate issuer ........................ vendor
       Peer verification options:
         Check against CA certificates ........... Enabled
         Verify certificate CN identity .......... Disabled
         Check certificate date validity ......... Enabled
       EAP-FAST configuration:
         Local certificate required .............. No
         Client certificate required ............. No
       Enabled methods ........................... tls
       Configured on WLANs ....................... 2
  
  EAP Method configuration:
     Low-Cipher Support(TLSv1.0 for local EAP)..... Enabled
     EAP-FAST:
       Server key ................................ <hidden>
       TTL for the PAC ........................... 10
       Anonymous provision allowed ............... Yes
       Accept client on auth prov ................ No
       Authority ID ...... 436973636f0000000000000000000000
       Authority Information ..................... Cisco A-ID
  

• show local-auth statistics —Shows the local EAP statistics.
• show local-auth certificates —Shows the certificates available for local EAP.
• show local-auth user-credentials —Shows the priority order that the controller uses when retrieving user credentials from the local and/or LDAP databases.
• show advanced eap —Shows the timer values for local EAP.

  
  EAP-Identity-Request Timeout (seconds)........... 1
  EAP-Identity-Request Max Retries................. 20
  EAP Key-Index for Dynamic WEP.................... 0
  EAP Max-Login Ignore Identity Response........... enable
  EAP-Request Timeout (seconds).................... 20
  EAP-Request Max Retries.......................... 20
  EAPOL-Key Timeout (seconds)...................... 1
  EAPOL-Key Max Retries......................... 2

  

• show ap stats wlan Cisco_AP —Shows the EAP timeout and failure counters for a specific access point for each WLAN.
• show client detail client_mac —Shows the EAP timeout and failure counters for a specific associated client. These statistics are useful in troubleshooting client association issues.

  
  ...
  Client Statistics:
        Number of Bytes Received................... 10
        Number of Bytes Sent....................... 10
        Number of Packets Received................. 2
        Number of Packets Sent..................... 2
        Number of EAP Id Request Msg Timeouts...... 0
        Number of EAP Id Request Msg Failures...... 0
        Number of EAP Request Msg Timeouts......... 2
        Number of EAP Request Msg Failures......... 1
        Number of EAP Key Msg Timeouts............. 0
        Number of EAP Key Msg Failures............. 0
        Number of Policy Errors.................... 0
        Radio Signal Strength Indicator............ Unavailable
        Signal to Noise Ratio...................... Unavailable
  

• show wlan wlan_id —Shows the status of local EAP on a particular WLAN.

(Optional) Troubleshoot local EAP sessions by entering these commands:

• debug aaa local-auth eap method {all | errors | events | packets | sm} {enable | disable} —
Enables or disables debugging of local EAP methods.

• debug aaa local-auth eap framework {all | errors | events | packets | sm} {enable | disable} —
Enables or disables debugging of the local EAP framework.

  Note	In these two debug commands, sm is the state machine.

• clear stats local-auth —Clears the local EAP counters.

• clear stats ap wlan Cisco_AP —Clears the EAP timeout and failure counters for a specific access point for each WLAN.

  
  WLAN      1
     EAP Id Request Msg Timeouts................... 0
     EAP Id Request Msg Timeouts Failures.......... 0
     EAP Request Msg Timeouts...................... 2
     EAP Request Msg Timeouts Failures............. 1
     EAP Key Msg Timeouts.......................... 0
     EAP Key Msg Timeouts Failures................. 0
  WLAN      2
     EAP Id Request Msg Timeouts................... 1
     EAP Id Request Msg Timeouts Failures.......... 0
     EAP Request Msg Timeouts...................... 0
     EAP Request Msg Timeouts Failures............. 0
     EAP Key Msg Timeouts.......................... 3
  EAP Key Msg Timeouts Failures.............. 1
  

Choose Commands > Upload File to open the Upload File from Controller page.

From the File Type drop-down list, choose PAC (Protected Access Credential).

In the User field, enter the name of the user who will use the PAC.

In the Validity field, enter the number of days for the PAC to remain valid. The default setting is zero (0).

In the Password and Confirm Password text boxes, enter a password to protect the PAC.

From the Transfer Mode drop-down list, choose from the following options:

• TFTP
• FTP
• SFTP (available in 7.4 and later releases)

In the IP Address (IPv4/IPv6) field, enter the IPv4/IPv6 address of the server.

In the File Path field, enter the directory path of the PAC.

In the File Name field, enter the name of the PAC file. PAC files have a .pac extension.

If you are using an FTP server, follow these steps:

1. In the Server Login Username field, enter the username to log into the FTP server.

2. In the Server Login Password field, enter the password to log into the FTP server.

3. In the Server Port Number field, enter the port number on the FTP server through which the upload occurs. The default value is 21.

Click Upload to upload the PAC from the controller. A message appears indicating the status of the upload.

Follow the instructions for your wireless client to load the PAC on your client devices. Make sure to use the password that you entered above.

Log on to the controller CLI.

Specify the transfer mode used to upload the config file by entering this command:

Upload a Protected Access Credential (PAC) by entering this command:

Specify the identification of the user by entering this command:

Specify the IP address of the TFTP or FTP server by entering this command:

Specify the directory path of the config file by entering this command:

Specify the name of the config file to be uploaded by entering this command:

If you are using an FTP server, enter these commands:

View the updated settings by entering the transfer upload start command. Answer y when prompted to confirm the current settings and start the upload process.

Follow the instructions for your wireless client to load the PAC on your client devices. Make sure to use the password that you entered above.

Choose WLANs to open the WLANs page.

Click the ID number of the WLAN that you want to configure. The WLANs > Edit page appears.

Choose the Advanced tab.

Select the Allow AAA Override check box to enable AAA override or unselect it to disable this feature. The default value is disabled.

Click Apply.

Click Save Configuration.

Choose WLANs.

Click the WLAN ID.

Click the Advanced tab.

From the NAC State drop-down list, choose from the following options:

• None
• SNMP NAC—Uses SNMP NAC for the WLAN.
• ISE NAC—Uses ISE NAC for the WLAN.

  Note	AAA override is automatically enabled when you use ISE NAC on a WLAN.

Save the configuration.

Configure Cisco WLC:

1. Add Cisco ISE as RADIUS server in Cisco WLC with change of authorization (CoA) in Enabled state.

2. Configure a WLAN with Layer 2 security type set to WPA+WPA2, MAC filtering in Enabled state, Authentication Key Management set to PSK, and NAC state set to ISE NAC:

   1. Choose WLANs and click the WLAN ID.

   2. On the WLANs > Edit page, choose Security > Layer 2 tab.

   3. Set Layer 2 Security to WPA+WPA2.

   4. Enable MAC Filtering.

   5. Under Authentication Key Management, enable PSK and set the PSK format.

   6. In the Advanced tab, set the NAC State to ISE NAC.

3. Create a preauthentication ACL to communicate with only the Cisco ISE server. For instructions on how to create an ACL, see (Link to be provided to the Configuring Access Control Lists chapter).

   Note	In addition to ISE traffic, allow other necessary traffic such as DNS, DHCP to be specified to permit DNS and DHCP traffic on the redirect ACL. If the APs are in FlexConnect mode, a preauth ACL is irrelevant. FlexConnect ACLs can be used to allow access for clients that have not been authenticated.

Configure Cisco ISE:

1. Ensure that Cisco WLC is in Cisco ISE.

2. Add an authentication profile.

3. Add an authorization profile.

4. Add postauthentication policies.

5. Add authorization policy.

   Note

   The first instance is when a user associates with the SSID and when the central web authentication profile is returned (unknown MAC address; therefore, you must set the user for redirection). The second instance is when a user authenticated on the web portal, such that it matches the default rule (internal users) in this configuration (it can be configured to meet your requirements). It is important that the authorization part does not match the central web authentication profile again. Otherwise, there will be a redirection loop.

Choose Security > Wireless Protection Policies > Client Exclusion Policies to open the Client Exclusion Policies page.

Select any of these check boxes if you want the controller to exclude clients for the condition specified. The default value for each exclusion policy is enabled.

• Excessive 802.11 Association Failures: Clients are excluded on the sixth 802.11 association attempt, after five consecutive failures.
• Excessive 802.11 Authentication Failures: Clients are excluded on the sixth 802.11 authentication attempt, after five consecutive failures.

• Excessive 802.1X Authentication Failures: Clients are excluded on the fourth 802.1X authentication attempt, after three consecutive failures.

  Note	In some configurations, 802.1X exclusion may not occur. For more information, see https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/214466-802-1x-client-exclusion-on-an-aireos-wlc.html.

• Maximum 802.1x-AAA Failure Attempts: Clients are excluded after a maximum number of 802.1X-AAA failure attempts with the RADIUS server. Valid range of maximum number of 802.1X-AAA failure attempts that you can configure is 1 to 10 with the default value being 3.

• IP Theft or IP Reuse—Clients are excluded if the IP address is already assigned to another device.
• Excessive Web Authentication Failures—Clients are excluded on the fourth web authentication attempt, after three consecutive failures.

Save your configuration.

Enable or disable the controller to exclude clients on the sixth 802.11 association attempt, after five consecutive failures by entering this command:

Enable or disable the controller to exclude clients on the sixth 802.11 authentication attempt, after five consecutive failures by entering this command:

Enable or disable the controller to exclude clients on the fourth 802.1X authentication attempt, after three consecutive failures by entering this command:

Configure the controller to exclude clients after a maximum number of 802.1X-AAA failure attempts with the RADIUS server by entering this command:

Enable or disable the controller to exclude clients if the IP address is already assigned to another device by entering this command:

Enable or disable the controller to exclude clients on the fourth web authentication attempt, after three consecutive failures by entering this command:

Enable or disable the controller to exclude clients for all of the above reasons by entering this command:

Use the following command to add or delete client exclusion entries.

Save your changes by entering this command:

See a list of clients that have been dynamically excluded, by entering this command:

Dynamically Disabled Clients
----------------------------
  MAC Address      Exclusion Reason     Time Remaining (in secs)
  -----------      ----------------     ------------------------

00:40:96:b4:82:55    802.1X Failure            51

See the client exclusion policy configuration settings by entering this command:

Auto-Immune
	Auto-Immune.............................. Disabled

Client Exclusion Policy
  Excessive 802.11-association failures.......... Enabled
  Excessive 802.11-authentication failures....... Enabled
  Excessive 802.1x-authentication................ Enabled
  IP-theft....................................... Enabled
  Excessive Web authentication failure........... Enabled
  Maximum 802.1x-AAA failure attempts............ 3

Signature Policy
  Signature Processing........................ Enabled

Choose WLANs to open the WLANs page.

Click the ID number of the WLAN.

On the WLANs > Edit (Advanced) page, click the Advanced tab.

Locate the Client Exclusion label, check the check box adjacent to it to enable client exclusion policies, and enter the timeout value, in seconds. The timeout value represents the time period for which the excluded clients are prevented from sending 802.1X authentication attempts.

Save the configuration.

Configure client exclusion policies for a WLAN by entering this command:

Configure the client exclusion list timeout period by entering this command:

Save the configuration by entering this command:

Choose WLANs to open the WLANs page.

Click the WLAN ID of the WLAN for which you want to configure the Wi-Fi Direct Client Policy. The WLANs > Edit page appears.

Click the Advanced tab.

From the Wi-Fi Direct Clients Policy drop-down list, choose one of the following options:

• Disabled—Ignores the Wi-Fi Direct status of clients thereby allowing Wi-Fi Direct clients to associate
• Allow—Allows Wi-Fi Direct clients to associate with the WLAN
• Not-Allow—Disallows the Wi-Fi Direct clients from associating with the WLAN
• Xconnect-Not-Allow—Enables AP to allow a client with the Wi-Fi Direct option enabled to associate, but the client (if it works according to the Wi-Fi standards) will refrain from setting up a peer-to-peer connection

Save the configuration.

Configure the Wi-Fi Direct Client Policy on WLANs by entering this command:

• allow —Allows Wi-Fi Direct clients to associate with the WLAN

• disable —Ignores the Wi-Fi Direct status of clients thereby allowing Wi-Fi Direct clients to associate

• not-allow —Disallows the Wi-Fi Direct clients from associating with the WLAN

• xconnect-not-allow —Enables AP to allow a client with the Wi-Fi Direct option enabled to associate, but the client (if it works according to the Wi-Fi standards) will refrain from setting up a peer-to-peer connection

• wlan-id —WLAN identifier

Save your configuration by entering this command:

Choose WLANs to open the WLANs page.

Click the ID number of the WLAN for which you want to configure peer-to-peer blocking.

Choose the Advanced tab to open the WLANs > Edit (Advanced) page.

Choose one of the following options from the P2P Blocking drop-down list:

Click Apply to commit your changes.

Click Save Configuration to save your changes.

Configure a WLAN for peer-to-peer blocking by entering this command:

Save your changes by entering this command:

See the status of peer-to-peer blocking for a WLAN by entering this command:

WLAN Identifier.................................. 1
Profile Name..................................... test
Network Name (SSID).............................. test
Status........................................... Enabled
...
...
...
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
Local EAP Authentication...................... Disabled


Choose Security > Local Policies.

Click New to create a new policy.

Enter the policy name and click Apply.

On the Policy List page, click the policy name to be configured.

On the Policy > Edit page, follow these steps:

1. In the Match Criteria area, enter a value for Match Role String. This is the user type or user group of the user, for example, student, teacher, and so on.

2. From the Match EAP Type drop-down list, choose the EAP authentication method used by the client.

3. From the Device Type drop-down list, choose the device type.

4. Click Add to add the device type to the policy device list.

   The device type you choose is listed in the Device List.

5. In the Action area, specify the policies that are to be enforced. From the IPv4 ACL drop-down list, choose an IPv4 ACL for the policy.

6. Enter the VLAN ID that should be associated with the policy.

7. From the QoS Policy drop-down list, choose a QoS policy to be applied.

8. Enter a value for Session Timeout. This is the maximum amount of time, in seconds, after which a client is forced to reauthenticate.

9. Enter a value for Sleeping Client Timeout, which is the timeout for sleeping clients.

   Sleeping clients are clients with guest access that have had successful web authentication that are allowed to sleep and wake up without having to go through another authentication process through the login page.

   This sleeping client timeout configuration overrides the WLAN-specific sleeping client timeout configuration.

10. From the AVC Profile drop-down list, choose an AVC profile to be applied based on the role defined in AAA.

11. In the Active Hours area, from the Day drop-down list, choose the days on which the policy has to be active.

12. Enter the Start Time and End Time of the policy.

13. Click Add.

    The day and start time and end time that you specify is listed.

14. Click Apply.

Copy the latest OUI list available at http://standards.ieee.org/develop/regauth/oui/oui.txt to the default directory on your server.

Choose Commands > Download File.

From the File Type drop-down list, choose OUI Update.

From the Transfer Mode drop-down list, choose the server type.

Click Download.

After the download is complete, reboot the Cisco WLC by choosing Commands > Reboot.

If prompted to save your changes, click Save and Reboot.

Click OK.

Copy the latest OUI list available at http://standards.ieee.org/develop/regauth/oui/oui.txt to the default directory on your server.

Specify the server type by entering this command:

Specify the file type by entering this command:

Begin the download of the file by entering this command:

Reboot the Cisco WLC by entering this command:

See the updated OUI list by entering this command:

Copy the latest device profile list file to the default directory on your server.

Choose Commands > Download File.

From the File Type drop-down list, choose Device Profile.

From the Transfer Mode drop-down list, choose the server type.

Click Download.

After the download is complete, reboot the Cisco WLC by choosing Commands > Reboot.

If prompted to save your changes, click Save and Reboot.

Click OK.

Copy the latest device profile list file to the default directory on your server.

Specify the server type by entering this command:

Specify the file type by entering this command:

Specify the file name by entering this command:

Begin the download of the file by entering this command:

Reboot the Cisco WLC by entering this command:

See the updated OUI list by entering this command:

To create a dynamic interface for wired guest user access, choose Controller > Interfaces. The Interfaces page appears.

Click New to open the Interfaces > New page.

Enter a name and VLAN ID for the new interface.

Click Apply to commit your changes.

In the Port Number text box, enter a valid port number. You can enter a number between 0 and 25 (inclusive).

Select the Guest LAN check box.

Click Apply to commit your changes.

To create a wired LAN for guest user access, choose WLANs.

On the WLANs page, choose Create New from the drop-down list and click Go. The WLANs > New page appears.

From the Type drop-down list, choose Guest LAN.

In the Profile Name text box, enter a name that identifies the guest LAN. Do not use any spaces.

From the WLAN ID drop-down list, choose the ID number for this guest LAN.

Click Apply to commit your changes.

Select the Enabled check box for the Status parameter.

Web authentication (Web-Auth) is the default security policy. If you want to change this to web passthrough, choose the Security tab after completing Step 16 and Step 17.

From the Ingress Interface drop-down list, choose the VLAN that you created in Step 3. This VLAN provides a path between the wired guest client and the controller by way of the Layer 2 access switch.

From the Egress Interface drop-down list, choose the name of the interface. This WLAN provides a path out of the controller for wired guest client traffic.

If you want to change the authentication method (for example, from web authentication to web passthrough), choose Security > Layer 3. The WLANs > Edit (Security > Layer 3) page appears.

From the Layer 3 Security drop-down list, choose one of the following:

If you choose the Web Passthrough option, an Email Input check box appears. Select this check box if you want users to be prompted for their e-mail address when attempting to connect to the network.

To override the global authentication configuration set on the Web Login page, select the Override Global Config check box.

When the Web Auth Type drop-down list appears, choose one of the following options to define the web authentication pages for wired guest users:

If you chose External as the web authentication type in Step 22, choose Security > AAA Servers and choose up to three RADIUS and LDAP servers using the drop-down lists.

To establish the priority in which the servers are contacted to perform web authentication as follows:

Click Apply.

Click Save Configuration.

Repeat this process if a second (anchor) controller is being used in the network.

Create a dynamic interface (VLAN) for wired guest user access by entering this command:

If link aggregation trunk is not configured, enter this command to map a physical port to the interface:

Enable or disable the guest LAN VLAN by entering this command:

Create a wired LAN for wired client traffic and associate it to an interface by entering this command:

Configure the wired guest VLAN’s ingress interface, which provides a path between the wired guest client and the controller by way of the Layer 2 access switch by entering this command:

Configure an egress interface to transmit wired guest traffic out of the controller by entering this command:

Configure the security policy for the wired guest LAN by entering this command:

Enable or disable a wired guest LAN by entering this command:

If you want wired guest users to log into a customized web login, login failure, or logout page, enter these commands to specify the filename of the web authentication page and the guest LAN for which it should display: