Cisco Aironet 1524 Lightweight Outdoor Mesh Access Point

Mobile Access Router and Mesh Networks Design Guide
OL-11823-01
  Security
EAP-TLS Authentication with AES Encryption Example
Use the no form of the SSID commands to disable the SSID or to disable SSID features. The following example sets the authentication type for the SSID bridgeman to open with EAP authentication and configures it to perform EAP-TLS authentication with AES encryption. Bridges using the SSID bridgeman attempt EAP authentication using the EAP method name adam, with a server ID named adam.
bridge# configure terminal
bridge(config)# dot11 ssid bridgeman
bridge(config-ssid)# authentication open eap eap_adam
bridge(config-ssid)# authentication network-eap eap_adam
bridge(config-ssid)# authentication key-management wpa
bridge(config-ssid)# infrastructure-ssid
bridge(config-ssid)# exit
bridge(config)# interface dot11radio 0
bridge(config-if)# encryption mode ciphers aes-ccm
bridge(config-if)# ssid bridgeman
bridge(config-if)# end
The configuration on workgroup bridges, non-root bridges, and repeater bridges associated with this bridge would also contain these commands:
bridge# configure terminal
bridge(config)# eap profile authProfile
bridge(config-eap-profile)# method tls
bridge(config-eap-profile)# exit
bridge(config)# dot1x credentials authCredentials
bridge(config-dot1x-creden)# username adam
bridge(config-dot1x-creden)# password adam
bridge(config-dot1x-creden)# exit
bridge(config)# dot11 ssid bridgeman
bridge(config-ssid)# authentication open eap eap_adam
bridge(config-ssid)# authentication network-eap eap_adam
bridge(config-ssid)# authentication key-management wpa
bridge(config-ssid)# dot1x eap profile authProfile
bridge(config-ssid)# dot1x credentials authCredentials
bridge(config-ssid)# infrastructure-ssid
bridge(config-ssid)# exit
bridge(config)# interface dot11radio 0
bridge(config-if)# encryption mode ciphers aes-ccm
bridge(config-if)# ssid bridgeman
bridge(config-if)# end
This example shows the RADIUS/AAA configuration on the root side for EAP authentication.
bridge# configure terminal
bridge(config)# aaa new-model
bridge(config)# aaa group server radius rad_eap
bridge(config-sg-radius)# server 13.1.1.99 auth-port 1645 acct-port 1646
bridge(config)# aaa authentication login eap_adam group rad_eap
bridge(config)# aaa session-id common
bridge(config)# radius-server host 13.1.1.99 auth-port 1645 acct-port 1646 key 7 141B1309
bridge(config)# radius-server authorization permit missing Service-Type
bridge(config)# ip radius source-interface BVI1
bridge(config)# end
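
Several settings in the sample configurations above can be checked mechanically before deployment. The following Python audit is an added example, not part of the Cisco guide: it flags a dot1x password identical to the username, a type 7 (reversibly encoded) RADIUS key, and an EAP-TLS profile whose credentials carry no certificate trustpoint. It assumes a saved-configuration layout with indented sub-commands and that the client certificate is bound with the pki-trustpoint sub-command of dot1x credentials; the finding labels are its own.

```python
import re

# Constructed input: commands from the page's examples, prompts stripped.
SAMPLE = """\
eap profile authProfile
 method tls
dot1x credentials authCredentials
 username adam
 password adam
dot11 ssid bridgeman
 dot1x eap profile authProfile
 dot1x credentials authCredentials
radius-server host 13.1.1.99 auth-port 1645 acct-port 1646 key 7 141B1309
"""

def parse_blocks(text):
    """Map each top-level command to the list of its indented sub-commands."""
    blocks, parent = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():   # top-level command opens a block
            parent = line.strip()
            blocks[parent] = []
        elif line.strip() and parent is not None:
            blocks[parent].append(line.strip())
    return blocks

def audit(text):
    """Return sorted finding labels (the wording is this example's own)."""
    blocks, findings = parse_blocks(text), set()
    tls = {p.split()[-1] for p, sub in blocks.items()
           if p.startswith("eap profile ") and "method tls" in sub}
    creds = {p.split()[-1]: sub for p, sub in blocks.items()
             if p.startswith("dot1x credentials ")}
    for name, sub in creds.items():
        kv = dict(s.split(None, 1) for s in sub if " " in s)
        if kv.get("password") and kv["password"] == kv.get("username"):
            findings.add(f"{name}: password equals username")
    for p, sub in blocks.items():
        if re.search(r"\bkey 7 \S+", p):
            findings.add("radius-server: type 7 key is reversible encoding")
        if p.startswith("dot11 ssid "):
            joined = "\n".join(sub)
            prof = re.search(r"^dot1x eap[ _]profile (\S+)", joined, re.M)
            cred = re.search(r"^dot1x credentials (\S+)", joined, re.M)
            cred_sub = creds.get(cred.group(1), []) if cred else []
            if prof and prof.group(1) in tls and not any(
                    s.startswith("pki-trustpoint ") for s in cred_sub):
                findings.add(f"{p.split()[-1]}: EAP-TLS without pki-trustpoint")
    return sorted(findings)
```

Calling audit(SAMPLE) returns all three findings; a configuration that binds a trustpoint, drops the shared username/password pair, and omits the type 7 key returns an empty list.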