Cisco IOS Software Release 12.2(4)XR
Cisco IOS WAP Gateway with WTLS Class 2 Support
Configuration Tasks
To create a proxy list, use the following command in global configuration mode. The proxy list records 
are searched in the order in which they are entered.
Configuring Security Features on the WAP Gateway
The Cisco IOS WAP Gateway with WTLS Class 2 Support feature implements an optional cryptographic 
method for clients to authenticate the WAP gateway, and encryption between the wireless device and the 
gateway. Several commands have been implemented in the software to allow the customer to configure 
the behavior of the gateway.
The gateway implements a number of different encryption, hash, and key-exchange algorithms. The use 
of each algorithm can be explicitly enabled or disabled. Deciding which algorithm to enable may depend 
on your company policy or the set of algorithms supported by the wireless devices with which the WAP 
gateway must communicate. Many wireless devices only support a subset of the available algorithms. 
While a WAP session is being established, the WAP-enabled device proposes the use of an algorithm and 
the gateway agrees to the proposal if it supports the proposed algorithm. That algorithm is then enabled. 
Unless you have a specific security requirement, the default configurations of both the wireless devices 
and the Cisco IOS WAP Gateway will usually work for all wireless devices.
For each type of algorithm you can select different strengths of security. A shorter key length is easier 
to compute and will impose less overhead on the processor than a longer key length, but a shorter key 
length offers weaker security. The level of security you need to configure will be determined by the type 
of information that can be accessed through the gateway. Confidential corporate information requires a 
higher level of security than information about the weather, for example, although having current access 
to such information may be invaluable.
Timeout intervals for idle WTLS sessions or connections can also be configured. A balance must be 
found between configuring a shorter interval in the interests of security and allowing a reasonable 
interval that stops the user from constantly needing to reauthenticate or reconnect when the interval 
expires. 
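The negotiation and timeout behaviour described above can be made concrete with a small model. The following Python is an added example written for this page; it is not Cisco's code, and because the page does not name the gateway's WTLS configuration commands or its algorithm identifiers, the algorithm names, the two gateway policies and the handset profiles are all constructed. It shows the device proposing cipher suites in its own preference order, the gateway accepting the first suite every component of which is enabled, a check that lists which device profiles would be locked out by a stricter policy (the interoperability cost the text warns about), and an idle-timeout test.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# A WTLS cipher suite is modelled as a (key_exchange, cipher, hash) triple.
# Algorithm names are illustrative and constructed for this example.
Suite = Tuple[str, str, str]


@dataclass(frozen=True)
class GatewayPolicy:
    """Algorithms the gateway operator has explicitly enabled, per type,
    plus the idle timeout (seconds) applied to WTLS sessions."""
    key_exchange: Set[str]
    cipher: Set[str]
    hash: Set[str]
    idle_timeout_s: int

    def allows(self, suite: Suite) -> bool:
        kx, ciph, mac = suite
        return kx in self.key_exchange and ciph in self.cipher and mac in self.hash


def negotiate(policy: GatewayPolicy, proposals: List[Suite]) -> Optional[Suite]:
    """The device proposes suites in its own preference order; the gateway agrees
    to the first one whose every component it has enabled. None means there is
    no common suite and the WTLS session cannot be established."""
    for suite in proposals:
        if policy.allows(suite):
            return suite
    return None


def unreachable_devices(policy: GatewayPolicy, profiles: Dict[str, List[Suite]]) -> List[str]:
    """Names of device profiles that cannot complete negotiation under `policy`.
    Run this before tightening the enabled set to see which devices you lose."""
    return sorted(name for name, proposals in profiles.items()
                  if negotiate(policy, proposals) is None)


def session_expired(last_activity_s: float, now_s: float, policy: GatewayPolicy) -> bool:
    """True once a session has been idle for at least the configured interval."""
    return now_s - last_activity_s >= policy.idle_timeout_s


# Constructed policies: a permissive default and a stricter one that drops the
# 56-bit cipher and halves the idle timeout.
DEFAULT_POLICY = GatewayPolicy(
    key_exchange={"RSA", "ECDH"},
    cipher={"RC5-128", "3DES", "DES-56"},
    hash={"SHA-1"},
    idle_timeout_s=600,
)
STRICT_POLICY = GatewayPolicy(
    key_exchange={"RSA", "ECDH"},
    cipher={"RC5-128", "3DES"},
    hash={"SHA-1"},
    idle_timeout_s=300,
)

# Constructed device profiles: the suites each handset proposes, best first.
DEVICE_PROFILES: Dict[str, List[Suite]] = {
    "handset-a": [("RSA", "RC5-128", "SHA-1"), ("RSA", "DES-56", "SHA-1")],
    "handset-b": [("RSA", "DES-56", "MD5"), ("RSA", "DES-56", "SHA-1")],
    "handset-c": [("RSA", "RC5-40", "MD5")],
}

if __name__ == "__main__":
    for label, policy in (("default", DEFAULT_POLICY), ("strict", STRICT_POLICY)):
        for name, proposals in DEVICE_PROFILES.items():
            print(f"{label:7} {name}: {negotiate(policy, proposals)}")
        print(f"{label:7} cannot connect: {unreachable_devices(policy, DEVICE_PROFILES)}")
```

Under the constructed default policy handset-c is already excluded because it proposes only a 40-bit cipher with an MD5 MAC; moving to the strict policy additionally excludes handset-b, whose strongest offer uses the 56-bit cipher. That is the trade-off the text describes: each algorithm you disable narrows the set of devices that can still establish a session.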
Command
Router(config)# wap proxy-list http-server[:port-number] [proxy-server[:port-number]]

Purpose
Specifies a filter record that the gateway uses to identify requests that are forwarded to a proxy server instead of being passed directly to the server named in the request.
The http-server argument identifies a Domain Name System (DNS) name or IP address corresponding to an HTTP server. Asterisk (*) wildcard symbols can be used. The optional proxy-server argument identifies a DNS name or IP address corresponding to a proxy server. Both arguments may include an optional port-number argument separated by a colon. The default port number is 8080.
Repeat the command, as needed, to create a list of filter records.
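To make the search semantics of the proxy list visible, here is an added Python model of the wap proxy-list command; it is example code written for this page, not Cisco's implementation. The configuration lines it parses are constructed, and two points the page does not spell out are assumptions labelled in the code: the asterisk behaves as a glob-style wildcard, and a record matches only when its port (explicit, or the default of 8080) equals the port of the request. What the page does state, and the example demonstrates, is that records are searched in the order in which they were entered, so a catch-all "*" record entered first shadows every record after it.

```python
import fnmatch
from dataclasses import dataclass
from typing import List, Optional, Tuple

DEFAULT_PORT = 8080  # default port-number for both arguments, per the command description


@dataclass(frozen=True)
class ProxyRecord:
    http_host: str             # DNS name, IP address or wildcard pattern for the HTTP server
    http_port: int
    proxy_host: Optional[str]  # None when the optional proxy-server argument was omitted
    proxy_port: Optional[int]


def split_host_port(spec: str) -> Tuple[str, int]:
    """'host[:port]' -> (host, port); a missing port means 8080."""
    host, sep, port = spec.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return spec, DEFAULT_PORT


def parse_proxy_list(config_lines: List[str]) -> List[ProxyRecord]:
    """Read 'wap proxy-list ...' lines in the order they appear; that order is the search order.
    A leading 'Router(config)# ' prompt, if present, is ignored."""
    records: List[ProxyRecord] = []
    for raw in config_lines:
        idx = raw.find("wap proxy-list ")
        if idx < 0:
            continue  # other configuration lines are not proxy-list records
        args = raw[idx:].split()[2:]
        if not 1 <= len(args) <= 2:
            raise ValueError(f"malformed proxy-list record: {raw.strip()!r}")
        http_host, http_port = split_host_port(args[0])
        proxy_host, proxy_port = split_host_port(args[1]) if len(args) == 2 else (None, None)
        records.append(ProxyRecord(http_host, http_port, proxy_host, proxy_port))
    return records


def first_match(records: List[ProxyRecord], host: str, port: int = DEFAULT_PORT) -> Optional[ProxyRecord]:
    """Return the first record whose http-server pattern and port match the request, else None.
    Assumption (not stated on the page): '*' is a glob wildcard and the record's
    port must equal the requested port."""
    for rec in records:
        if rec.http_port == port and fnmatch.fnmatchcase(host.lower(), rec.http_host.lower()):
            return rec
    return None


# Constructed sample configuration, in the order an operator might enter it.
SAMPLE_CONFIG = [
    "Router(config)# wap proxy-list *.corp.example.com proxy-a.corp.example.com",
    "Router(config)# wap proxy-list intranet.corp.example.com:8000 proxy-b.corp.example.com:3128",
    "Router(config)# wap proxy-list * proxy-c.corp.example.com",
]

if __name__ == "__main__":
    records = parse_proxy_list(SAMPLE_CONFIG)
    for host, port in (("mail.corp.example.com", 8080),
                       ("intranet.corp.example.com", 8000),
                       ("www.example.net", 8080),
                       ("www.example.net", 443)):
        rec = first_match(records, host, port)
        print(f"{host}:{port} -> {rec.proxy_host}:{rec.proxy_port}" if rec else f"{host}:{port} -> no record")
```

With the records in the entered order, a request for mail.corp.example.com on port 8080 is sent through proxy-a; the same request against the list reversed (the "*" record first) goes through proxy-c, which is why the order of entry matters when a broad pattern and a specific one overlap.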