In Autonomous AP configurations, authentications type configured under SSID section.Below shows the configuration options available for authentication.
AAP1(config-ssid)#authentication ? client EAP client information key-management key management network-eap leap method open open method shared shared method
1. Authentication Open:
Set authentication open for this SSID. There are optional configuration setting available as shown below. If you select “mac-address” option, AP forces all client devices to perform MAC-address authentication before they allow to network.
AAP1(config-ssid)#authentication open ? eap eap method mac-address mac-address authentication method optional optional eap method
If you select “eap” option with a list-name, AP forces all client devices to perform EAP authentication before they allow to network.
You can use “optional” keyword to allow client devices using either Open or EAP authentication to associate & become authenticated.
2. Authentication Shared:
Set the authentication type for the SSID to shared key.It is not an recommended setting due to security flaw of this method. Here are the configuration option comes with this. Like in the Open method here you can specify either MAC or EAP authentication to be used with Shared method.
AAP1(config-ssid)#authentication shared ? eap eap method mac-address mac-address authentication method <cr>
3. Authentication Key-management:
This sets the authentication type for the SSID to WPA, CCKM or both. If you use optional keyword (eg : “authentication key-management wpa cckm optional”), client devices other than WPA & CCKM clients can use this SSID.
AAP1(config-ssid)#authentication key-management ? cckm allow CCKM clients wpa allow WPA clients
This is the most important setting as this settings may depend on authentication method you configure. Here are few of them
a). To enable CCKM for an SSID, you must also enable Network-EAP authentication. When Network-EAP & CCKM enabled, client devices using LEAP, EAP-FAST, PEAP(MSCHAP/GTC), EAP-TLS can authenticate using the SSID.
b). To enable WPA for an SSID, you must also enable Open authentication or Network-EAP or both.
c). When you enable both WPA & CCKM for an SSID, you must enter WPA first & CCKM second.
d). Before you can enable CCKM or WPA, you must set the encryption mode for the SSID’s VLAN to one of the cipher suite option. If you want to enable both CCKM & WPA, cipher suite to include TKIP.
Here is an example how to configure a SSID for few of these authentication method. You have to external RADIUS server configured with AAP details for its client authentication. You can simply do that add AAP as AAA client to the ACS with the configured shared key as shown in the below.
In AAP side you have to configure SSID, Sub-interfaces & RADIUS server details as shown below. In this example WPA key management configured (both WPAv1 & WPAv2 supported in this way) with encryption method as CCKM or TKIP.(Specific configuration to SSID is shown)
dot11 ssid MRN-CCIEW vlan 15 authentication open eap EAP_METHOD_1 authentication key-management wpa mbssid guest-mode interface Dot11Radio1 encryption vlan 15 mode ciphers aes-ccm tkip ssid MRN-CCIEW interface Dot11Radio1.15 encapsulation dot1Q 15 bridge-group 15 interface GigabitEthernet0.15 encapsulation dot1Q 15 bridge-group 15 aaa new-model aaa group server radius RAD_GROUP server 192.168.100.2 auth-port 1812 acct-port 1813 aaa authentication login EAP_METHOD_1 group RAD_GROUP radius-server host 192.168.100.2 auth-port 1812 acct-port 1813 key 0 mrn-cciew
You can test different type of authentication using Anyconnect Client. Here is the successful connection of few types I have tested.
I tried to get it working these with WPA, but I cannot see how I can set WPA with TKIP. WPA Enterprise AES option seems not working under my configuration. I tried EAP-FAST, LEAP, PEAP like below & no luck with client association.