In this post we will see how to configure WLAN security settings via the CLI. Here are the security-related config options under the CLI “config wlan x” command.
security         Configures the security policy for a WLAN.
webauth-exclude  Enable/Disable WebAuth Exclusion
custom-web       Configures the Web Authentication Page per Profile.
radius_server    Configures the WLAN's RADIUS Servers.
ldap             Configures the WLAN's LDAP servers.
local-auth       Configures Local EAP Authentication.
mac-filtering    Configures MAC filtering on a WLAN.
If you want to configure layer 2 security settings, you can use the following CLI options. Let’s say you want to enable WPA2/AES with a pre-shared key on WLAN 17.
(4402-c) >config wlan security ?
802.1X                 Configures 802.1X.
cond-web-redir         Configured Conditional Web Redirect.
passthru               Configures IPSec passthru.
splash-page-web-redir  Configured Splash-Page Web Redirect.
static-wep-key         Configures static WEP keys on a WLAN.
web-auth               Configures Web authentication.
web-passthrough        Configures Web Captive Portal with no authentication required.
wpa                    Configures WPA/WPA2 Support for a WLAN
ckip                   Configures CKIP Security on WLAN.
tkip                   Configures TKIP MIC countermeasures hold-down timer (0-60 seconds)

(4402-c) >config wlan security wpa ?
akm      Configures Auth Key Management
disable  Disables WPA/WPA2 Support for a WLAN
enable   Enables WPA/WPA2 Support for a WLAN
wpa1     Configures WPA support
wpa2     Configures WPA2 support

(4402-c) >config wlan security wpa wpa2 ?
ciphers  Configures WPA2 ciphers
disable  Disables WPA2 support
enable   Enables WPA2 support

(4402-c) >config wlan security wpa wpa2 ciphers ?
aes   Configures WPA2/AES support
tkip  Configures WPA2/TKIP support

(4402-c) >config wlan security wpa wpa2 ciphers aes ?
disable  Disables WPA2/AES support
enable   Enables WPA2/AES support

(4402-c) >config wlan security wpa wpa2 ciphers aes enable 17

(4402-c) >config wlan security wpa akm ?
802.1x  Configures 802.1x support
cckm    Configures CCKM support
ft      Configures 802.11r fast transition 802.1x support
psk     Configures PSK support

(4402-c) >config wlan security wpa akm psk ?
disable  Disables PSK support
enable   Enables PSK support
set-key  Configures the pre-shared-key

(4402-c) >config wlan security wpa akm psk set-key ?
<ascii/hex>  Specificies for key format (ascii or hex)

(4402-c) >config wlan security wpa akm psk set-key ascii ?
<psk>  Enter the pre-shared-key (PSK)

(4402-c) >config wlan security wpa akm psk set-key ascii Cisco123 ?
<WLAN id>  Enter WLAN Identifier between 1 and 512.

(4402-c) >config wlan security wpa akm psk set-key ascii Cisco123 17
The above settings are identical to what you see in the screen below.
Now let’s say you want to create a WLAN with no layer 2 security and only layer 3 webauth. Let’s create a WLAN called guest with WLAN ID 18 and assign it to the AP group (mrn-apgroup) already created. You can practice this via the CLI by entering the following commands.
(WLC2) >config wlan create 18 guest guest
(WLC2) >config wlan radio 18 802.11a-only
(WLC2) >config wlan interface 18 vlan12
(WLC2) >config wlan qos 18 bronze
(WLC2) >config wlan apgroup interface-mapping add mrn-apgroup 18 vlan12
Now let’s change the security settings of this WLAN. We will use Web Passthrough with Email Input as the web auth method.
(WLC2) >config wlan security wpa ?
akm      Configures Auth Key Management
disable  Disables WPA/WPA2 Support for a WLAN
enable   Enables WPA/WPA2 Support for a WLAN
wpa1     Configures WPA support
wpa2     Configures WPA2 support

(WLC2) >config wlan security wpa disable ?
<WLAN id>  Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan security wpa disable 18

(WLC2) >config wlan security ?
802.1X                 Configures 802.1X.
cond-web-redir         Configured Conditional Web Redirect.
passthru               Configures IPSec passthru.
splash-page-web-redir  Configured Splash-Page Web Redirect.
static-wep-key         Configures static WEP keys on a WLAN.
web-auth               Configures Web authentication.
web-passthrough        Configures Web Captive Portal with no authentication required.
wpa                    Configures WPA/WPA2 Support for a WLAN
ckip                   Configures CKIP Security on WLAN.
tkip                   Configures TKIP MIC countermeasures hold-down timer (0-60 seconds)

(WLC2) >config wlan security web-passthrough ?
acl          Configures Access Control List.
disable      Disables Web Captive Portal with no authentication required.
email-input  Configures Web Captive Portal using email address.
enable       Enables Web Captive Portal with no authentication required.

(WLC2) >config wlan security web-passthrough enable 18

(WLC2) >config wlan security web-passthrough email-input ?
enable   Enables Web Captive Portal using email address.
disable  Disables Web Captive Portal using email address.

(WLC2) >config wlan security web-passthrough email-input enable 18
Now your Guest WLAN is ready from the security perspective. If you look at the WLC configuration, you will see the following lines. The two config lines in purple are added automatically once you disable WPA, as those settings are enabled by default when you create a WLAN.
config wlan security wpa disable 18
config wlan security wpa wpa2 disable 18
config wlan security wpa akm 802.1x disable 18
config wlan security web-passthrough enable 18
config wlan security web-passthrough email-input enable 18
This is the identical GUI setting for the above scenario.
If you want to configure this Guest WLAN for Web Authentication instead of Web Passthrough, you can do so as follows. First, you have to disable the web passthrough that you enabled in the previous task. You also have to configure RADIUS authentication on the WLAN if your user credentials are verified via RADIUS.
(WLC2) >config wlan security web-passthrough disable 18
(WLC2) >config wlan security web-passthrough email-input disable 18

(WLC2) >config wlan security web-auth ?
acl                   Configures Access Control List.
disable               Disables Web authentication.
enable                Enables Web authentication.
on-macfilter-failure  Enables Web authentication on MAC filter failure.
server-precedence     Configures the authentication server precedence order for Web-Auth users.

(WLC2) >config wlan security web-auth enable 18

(WLC2) >config wlan radius_server auth ?
add      Adds a link to a configured RADIUS Server.
delete   Deletes a link to a configured RADIUS Server.
disable  Disable RADIUS authentication for this WLAN
enable   Enable RADIUS authentication for this WLAN

(WLC2) >config wlan radius_server auth enable ?
<WLAN id>  Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan radius_server auth enable 18

(WLC2) >config wlan radius_server auth add ?
<WLAN id>  Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan radius_server auth add 18 ?
<Server id>  Enter the RADIUS Server Index.

(WLC2) >config wlan radius_server auth add 18 1
In the GUI you will see something like this once you have configured the above on the CLI.
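An added example, not part of the original post or any Cisco tooling: a small Python audit that replays `config wlan security` lines of the forms used in the PSK and guest-WLAN sections above and reports what each WLAN's resulting policy leaves exposed. The sample config, the finding codes, the assumed defaults and the 20-character PSK threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample using only command forms shown on this page (WLAN 17 and 18).
SAMPLE_CONFIG = """\
config wlan security wpa wpa2 ciphers aes enable 17
config wlan security wpa akm psk set-key ascii Cisco123 17
config wlan security wpa disable 18
config wlan security wpa wpa2 disable 18
config wlan security wpa akm 802.1x disable 18
config wlan security web-passthrough enable 18
config wlan security web-passthrough email-input enable 18
"""

MIN_PSK_LEN = 20  # assumed local policy; WPA2 itself accepts 8-63 ASCII characters
# Assumed from the page's note that these are enabled by default on a new WLAN.
DEFAULTS = {"wpa": True, "wpa wpa2": True, "wpa akm 802.1x": True}

TOGGLE = re.compile(r"^config wlan security (.+) (enable|disable) (\d+)$")
PSK = re.compile(r"^config wlan security wpa akm psk set-key (ascii|hex) (\S+) (\d+)$")

CHECKS = [  # (finding code, predicate over one WLAN's state, explanation)
    ("WPA_DISABLED", lambda s: not s["wpa"],
     "no WPA/WPA2; web auth is layer 3 only and does not encrypt frames on air"),
    ("NO_USER_AUTH", lambda s: s.get("web-passthrough", False),
     "captive portal with no authentication required"),
    ("SHORT_PSK", lambda s: s["wpa"] and s.get("psk", ("hex", ""))[0] == "ascii"
     and len(s["psk"][1]) < MIN_PSK_LEN,
     f"ASCII pre-shared key is shorter than {MIN_PSK_LEN} characters"),
]

def parse(config):
    """Replay the lines in order (last setting wins) into per-WLAN state."""
    wlans = defaultdict(lambda: dict(DEFAULTS))
    for line in map(str.strip, config.splitlines()):
        if m := PSK.match(line):
            wlans[int(m[3])]["psk"] = (m[1], m[2])
        elif m := TOGGLE.match(line):
            wlans[int(m[3])][m[1]] = m[2] == "enable"
    return wlans

def audit(config):
    """Return {wlan_id: [finding codes]} for every WLAN seen in the config."""
    return {wid: [code for code, hit, _ in CHECKS if hit(state)]
            for wid, state in sorted(parse(config).items())}

if __name__ == "__main__":
    text = {code: note for code, _, note in CHECKS}
    for wid, codes in audit(SAMPLE_CONFIG).items():
        print(f"WLAN {wid}:", "; ".join(f"{c} ({text[c]})" for c in codes))
```

Appending the web-auth commands from the last step clears NO_USER_AUTH for WLAN 18 but leaves WPA_DISABLED, since web authentication adds a login step and no over-the-air encryption.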
In the next post we will see how to configure WLAN advanced settings via the CLI.
