Cisco Aironet 1524 Lightweight Outdoor Mesh Access Point
Mobile Access Router and Mesh Networks Design Guide
OL-11823-01
Security
Configuring the Root Device Interaction with WDS
To support non-root bridges using CCKM, your root device must interact with the WDS device on your
network, and your authentication server must be configured with a username and password for the root
device. For more information on configuring WDS and CCKM on your wireless LAN, refer to Chapter
11 in the Cisco IOS Software Configuration Guide for Cisco Access Points at the following URL:
Step 1
On your root device, enter global configuration mode:
Router# configure terminal
Step 2
Configure a username and password for the AP to use for authentication.
You must configure the same username and password pair when you set up the root device as a client on
your authentication server:
bridge(configure)# wlccp ap username username password password
Configuring Additional WPA Settings
This section provides information on the additional settings that can be configured for WPA.
Setting a Pre-Shared Key
To support WPA on a wireless LAN where 802.1x-based authentication is not available, you must
configure a pre-shared key on the bridge. You can enter the pre-shared key as ASCII or hexadecimal
characters. If you enter the key as ASCII characters, you enter between eight and 63 characters, and the
bridge expands the key using the process described in the Password-based Cryptography Standard
(RFC2898). If you enter the key in hexadecimal characters, you must enter 64 hexadecimal characters.
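The following added example (not part of the Cisco guide) shows the key expansion in Python, so you can see why a short ASCII key is weaker than a random 64-character hexadecimal key. The function name and the format argument are hypothetical; the salt (the SSID), the 4096 iterations, HMAC-SHA1 and the printable-ASCII rule are assumptions taken from IEEE 802.11i, which this page does not spell out.

```python
import hashlib
import string


def expand_wpa_psk(key: str, ssid: str, fmt: str = "ascii") -> bytes:
    """Return the 256-bit key that results from a WPA pre-shared key entry.

    fmt="hex":   the key must be exactly 64 hexadecimal characters and is
                 used directly as the 256-bit key.
    fmt="ascii": the key must be 8 to 63 characters and is expanded with
                 PBKDF2 (RFC 2898). Assumption from IEEE 802.11i: HMAC-SHA1,
                 SSID as salt, 4096 iterations, 32-byte output.
    """
    if fmt == "hex":
        if len(key) != 64 or any(c not in string.hexdigits for c in key):
            raise ValueError("hex key must be exactly 64 hexadecimal characters")
        return bytes.fromhex(key)

    if fmt != "ascii":
        raise ValueError("fmt must be 'ascii' or 'hex'")
    if not 8 <= len(key) <= 63:
        raise ValueError("ASCII key must be between 8 and 63 characters")
    # Assumption from IEEE 802.11i: only printable ASCII (codes 32..126).
    if any(not 32 <= ord(c) <= 126 for c in key):
        raise ValueError("ASCII key must contain only printable characters")
    if not 1 <= len(ssid.encode("utf-8")) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")

    return hashlib.pbkdf2_hmac(
        "sha1", key.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    derived = expand_wpa_psk("password", "IEEE")
    print("ASCII key expands to:", derived.hex())
    # The same ASCII key on a different SSID yields a different 256-bit key,
    # but an eight-character key is still guessable offline; the hex form
    # lets you supply all 256 bits from a random source instead.
    print("Other SSID:          ", expand_wpa_psk("password", "mesh-root").hex())
```
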
Configuring Group Key Updates
In the last step in the WPA process, the root device distributes a group key to the authenticated non-root
bridge. You can use these optional settings to configure the root device to change and distribute the group
key based on association and disassociation of non-root bridges:
• Membership termination—The root device generates and distributes a new group key when any
authenticated non-root bridge disassociates from the root device. This feature keeps the group key
private for associated bridges.
• Capability change—The root device generates and distributes a dynamic group key when the last
non-key management (static WEP) non-root bridge disassociates, and it distributes the statically
configured WEP key when the first non-key management (static WEP) non-root bridge
authenticates. In WPA migration mode, this feature significantly improves the security of
key-management capable clients when there are no static WEP bridges associated to the root device.