In this post we will see how to configure WLAN security settings via CLI. Here are the security-related config options under the “config wlan x” CLI command.
security          Configures the security policy for a WLAN.
webauth-exclude   Enable/Disable WebAuth Exclusion
custom-web        Configures the Web Authentication Page per Profile.
radius_server     Configures the WLAN's RADIUS Servers.
ldap              Configures the WLAN's LDAP servers.
local-auth        Configures Local EAP Authentication.
mac-filtering     Configures MAC filtering on a WLAN.
If you want to configure layer 2 security settings, you can use the following CLI options. Let’s say you want to enable WPA2/AES with a pre-shared key.
(4402-c) >config wlan security ?
802.1X                 Configures 802.1X.
cond-web-redir         Configured Conditional Web Redirect.
passthru               Configures IPSec passthru.
splash-page-web-redir  Configured Splash-Page Web Redirect.
static-wep-key         Configures static WEP keys on a WLAN.
web-auth               Configures Web authentication.
web-passthrough        Configures Web Captive Portal with no authentication required.
wpa                    Configures WPA/WPA2 Support for a WLAN
ckip                   Configures CKIP Security on WLAN.
tkip                   Configures TKIP MIC countermeasures hold-down timer (0-60 seconds)
(4402-c) >config wlan security wpa ?
akm       Configures Auth Key Management
disable   Disables WPA/WPA2 Support for a WLAN
enable    Enables WPA/WPA2 Support for a WLAN
wpa1      Configures WPA support
wpa2      Configures WPA2 support
(4402-c) >config wlan security wpa wpa2
ciphers   Configures WPA2 ciphers
disable   Disables WPA2 support
enable    Enables WPA2 support
(4402-c) >config wlan security wpa wpa2 ciphers ?
aes       Configures WPA2/AES support
tkip      Configures WPA2/TKIP support
(4402-c) >config wlan security wpa wpa2 ciphers aes
disable   Disables WPA2/AES support
enable    Enables WPA2/AES support
(4402-c) >config wlan security wpa wpa2 ciphers aes enable 17
(4402-c) >config wlan security wpa akm ?
802.1x    Configures 802.1x support
cckm      Configures CCKM support
ft        Configures 802.11r fast transition 802.1x support
psk       Configures PSK support
(4402-c) >config wlan security wpa akm psk ?
disable   Disables PSK support
enable    Enables PSK support
set-key   Configures the pre-shared-key
(4402-c) >config wlan security wpa akm psk set-key ?
<ascii/hex>   Specificies for key format (ascii or hex)
(4402-c) >config wlan security wpa akm psk set-key ascii ?
<psk>         Enter the pre-shared-key (PSK)
(4402-c) >config wlan security wpa akm psk set-key ascii Cisco123 ?
<WLAN id>     Enter WLAN Identifier between 1 and 512.
(4402-c) >config wlan security wpa akm psk set-key ascii Cisco123 17
The settings above are identical to what you see in the screenshot below.
Now let’s say you want to create a WLAN with no layer 2 security, only layer 3 web authentication. Let’s create a WLAN called guest with WLAN ID 18 and assign it to the AP group (mrn-apgroup) created earlier. You can practice this via CLI; enter the following commands to do this.
(WLC2) >config wlan create 18 guest guest
(WLC2) >config wlan radio 18 802.11a-only
(WLC2) >config wlan interface 18 vlan12
(WLC2) >config wlan qos 18 bronze
(WLC2) >config wlan apgroup interface-mapping add mrn-apgroup 18 vlan12
Now let’s change the security settings of this WLAN. We will use Web Passthrough with Email Input as the web auth method.
(WLC2) >config wlan security wpa ?
akm       Configures Auth Key Management
disable   Disables WPA/WPA2 Support for a WLAN
enable    Enables WPA/WPA2 Support for a WLAN
wpa1      Configures WPA support
wpa2      Configures WPA2 support
(WLC2) >config wlan security wpa disable ?
<WLAN id>  Enter WLAN Identifier between 1 and 512.
(WLC2) >config wlan security wpa disable 18
(WLC2) >config wlan security ?
802.1X                 Configures 802.1X.
cond-web-redir         Configured Conditional Web Redirect.
passthru               Configures IPSec passthru.
splash-page-web-redir  Configured Splash-Page Web Redirect.
static-wep-key         Configures static WEP keys on a WLAN.
web-auth               Configures Web authentication.
web-passthrough        Configures Web Captive Portal with no authentication required.
wpa                    Configures WPA/WPA2 Support for a WLAN
ckip                   Configures CKIP Security on WLAN.
tkip                   Configures TKIP MIC countermeasures hold-down timer (0-60 seconds)
(WLC2) >config wlan security web-passthrough ?
acl           Configures Access Control List.
disable       Disables Web Captive Portal with no authentication required.
email-input   Configures Web Captive Portal using email address.
enable        Enables Web Captive Portal with no authentication required.
(WLC2) >config wlan security web-passthrough enable 18
(WLC2) >config wlan security web-passthrough email-input ?
enable    Enables Web Captive Portal using email address.
disable   Disables Web Captive Portal using email address.
(WLC2) >config wlan security web-passthrough email-input enable 18
Now your guest WLAN is ready from the security perspective. If you look at the WLC configuration, you will see the following lines. The two config lines shown in purple are added automatically once you disable WPA, because those settings are enabled by default when you create a WLAN.
config wlan security wpa disable 18
config wlan security wpa wpa2 disable 18
config wlan security wpa akm 802.1x disable 18
config wlan security web-passthrough enable 18
config wlan security web-passthrough email-input enable 18
This is the equivalent GUI setting for the above scenario.
If you want to configure this guest WLAN for Web Authentication instead of Web Passthrough, you can do so as follows. First you have to disable the web passthrough you enabled in the previous task. You also have to configure RADIUS authentication on the WLAN if user credentials are verified via RADIUS.
(WLC2) >config wlan security web-passthrough disable 18
(WLC2) >config wlan security web-passthrough email-input disable 18
(WLC2) >config wlan security web-auth ?
acl                    Configures Access Control List.
disable                Disables Web authentication.
enable                 Enables Web authentication.
on-macfilter-failure   Enables Web authentication on MAC filter failure.
server-precedence      Configures the authentication server precedence order for Web-Auth users.
(WLC2) >config wlan security web-auth enable 18
(WLC2) >config wlan radius_server auth ?
add       Adds a link to a configured RADIUS Server.
delete    Deletes a link to a configured RADIUS Server.
disable   Disable RADIUS authentication for this WLAN
enable    Enable RADIUS authentication for this WLAN
(WLC2) >config wlan radius_server auth enable ?
<WLAN id>  Enter WLAN Identifier between 1 and 512.
(WLC2) >config wlan radius_server auth enable 18
(WLC2) >config wlan radius_server auth add ?
<WLAN id>  Enter WLAN Identifier between 1 and 512.
(WLC2) >config wlan radius_server auth add 18 ?
<Server id>  Enter the RADIUS Server Index.
(WLC2) >config wlan radius_server auth add 18 1
In the GUI you will see something like this once you have configured the above on the CLI.
In the next post we will see how to configure WLAN advanced settings via CLI.
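The saved "config wlan security ... enable|disable <id>" lines shown above are also a handy audit source. As an added example (not from the post), the following Python parses a constructed sample in that format and flags WLANs that end up open (no layer 2 security and no web-auth), on static WEP, or on TKIP; the sample WLAN ids, SSIDs and finding strings are assumptions.

```python
# Added example: audit WLAN security from WLC "config wlan ..." lines; the sample below is constructed.
import re
from collections import defaultdict

SAMPLE_CONFIG = """
config wlan create 17 corp corp
config wlan security wpa enable 17
config wlan security wpa wpa2 enable 17
config wlan security wpa wpa2 ciphers aes enable 17
config wlan security wpa akm psk enable 17
config wlan create 18 guest guest
config wlan security wpa disable 18
config wlan security web-passthrough enable 18
config wlan create 19 legacy legacy
config wlan security static-wep-key enable 19
"""

CREATE_RE = re.compile(r"^config wlan create (\d+) (\S+) (\S+)$")
SEC_RE = re.compile(r"^config wlan security (.+?) (enable|disable) (\d+)$")

def parse_config(text):
    """Map WLAN id -> {'ssid': str, 'enabled': set of security features}."""
    wlans = defaultdict(lambda: {"ssid": None, "enabled": set()})
    for line in text.splitlines():
        m = CREATE_RE.match(line.strip())
        if m:
            wlans[int(m.group(1))]["ssid"] = m.group(3)
            continue
        m = SEC_RE.match(line.strip())
        if m:  # a later enable/disable for the same feature wins
            feature, state, wid = m.group(1), m.group(2), int(m.group(3))
            bucket = wlans[wid]["enabled"]
            (bucket.add if state == "enable" else bucket.discard)(feature)
    return dict(wlans)

def audit(wlans):
    """Return WLAN id -> list of findings; an empty list means no concern."""
    report = {}
    for wid, w in wlans.items():
        on, issues = w["enabled"], []
        wpa_on = "wpa" in on  # "wpa disable" turns off WPA and WPA2 together
        layer2 = wpa_on or "static-wep-key" in on or "802.1X" in on
        if "static-wep-key" in on:
            issues.append("static WEP in use")
        if wpa_on and any(f.endswith("ciphers tkip") for f in on):
            issues.append("TKIP cipher enabled")
        if not layer2 and "web-auth" not in on:
            how = " (passthrough only)" if "web-passthrough" in on else ""
            issues.append("open: no L2 security and no web-auth" + how)
        report[wid] = issues
    return report
```

Feed it the output of the controller's saved configuration to get a per-WLAN list of findings; WLAN 18 from the post shows up as open until web-auth is enabled.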
You’ve done a good job. Thank you very much, keep up the good work. Have a nice day.
Hi Jamal
Thank you very much for your feedback. I am preparing for the worst case 🙂
Regards
Rasika
It's really good work from you..
Thanks Quisher…
Hi Rasika,
Great write-up.
Your blog has helped me a lot while configuring 5760 WLCs. Also you have re-ignited my desire to pursue CCIE 🙂
Can you please clear one doubt: I am trying to configure a few SSIDs with mac-based authentication. I have created different mac-filters on the local database of the WLC (using the command “aaa authorization network local”) and bound them to different SSIDs and assigned users’ mac addresses to the corresponding filter (using the command “username mac aaa attribute list”). However, the users whose mac address is present in any list can connect to all mac-based SSIDs irrespective of their mac filter. Is it a limitation of the 5760 or is there any mistake in the configuration? How can I overcome this issue and configure multiple SSIDs with mac-based authentication?
Regards,
Arun
Hi Arun,
Glad if my blog inspires you to continue on your CCIE dream.
Regarding 5760 MAC filters, I haven’t done any testing. I'll try to test what you asked & will give you feedback.
HTH
Rasika
Thanks Rasika..
Hi Rasika,
I had opened a case with TAC, and they confirmed that it is a limitation with 5760. 5760 has only one local database, and all mac-filters are pointing to the same database, resulting in users getting connected to any SSID which relies on the local database.
I resolved the issue by implementing an external RADIUS server.
Also, I had received a response from Cisco Support Forum that the future release of IOS XE will address this issue.
Regards,
Arun
Hi Arun,
Thanks a lot for the follow up & the update.
Rasika
Is there a CLI command from where we can see what security is associated with particular SSIDs?