Configuring Security Settings for a WLAN SSID Profile

The following procedure describes how to configure security settings for an Employee or Voice network. If you are creating a new SSID profile, configure the WLAN and VLAN settings before defining security settings. For more information, see Configuring WLAN Settings for an SSID Profile and Configuring VLAN Settings for a WLAN SSID Profile.

The following procedure configures the security settings on an Instant AP:

  1. Navigate to the Configuration > Networks page.
  2. Under Networks, select the network you want to configure and click edit.
  3. Under Security, specify any one of the following types of security by moving the slider to the desired level:
    • Enterprise—On selecting the enterprise security level, the authentication options applicable to the enterprise network are displayed.
    • Personal—On selecting the personal security level, the authentication options applicable to the personalized network are displayed.
    • Open—On selecting the open security level, the authentication options applicable to an open network are displayed.

Based on the security level selected, specify the following parameters.

Table 1: Configuration Parameters for WLAN Security Settings in an Employee or Voice Network

Columns: Parameter | Description | Security Level

Key Management

For the Enterprise security level, select any of the following options from the Key management drop-down list:

NOTE: 6 GHz networks only support WPA3 and Enhanced Open encryption methods.

For the Personal security level, select any of the following encryption keys from the Key management drop-down list.

NOTE: 6 GHz networks only support WPA3 and Enhanced Open encryption methods.

If WPA2, WPA encryption, or Both (WPA2 & WPA) is selected, configure the passphrase:

  1. Select a passphrase format from the Passphrase format drop-down list. The options available are 8–63 alphanumeric characters and 64 hexadecimal characters.
  2. Enter a passphrase in the Passphrase text box. To reconfirm, update the passphrase in the Retype text box.

    NOTE: The passphrase may contain any special character except for ".

For Static WEP, specify the following parameters:

  1. Select an appropriate value for WEP key size from the WEP key size drop-down list. You can specify 64-bit or 128-bit.
  2. Select an appropriate value for Tx key from the Tx Key drop-down list. You can specify 1, 2, 3, or 4.
  3. Enter an appropriate WEP key and reconfirm.

Security level: Enterprise and Personal security levels only. For the Open security level, no encryption settings are required.

Enhanced Open

Toggle the Enhanced Open switch to enable or disable the Enhanced Open security standard.

NOTE: 6 GHz networks only support WPA3 and Enhanced Open encryption methods.

Security level: Open.

EAP Offload

To terminate the EAP portion of 802.1X authentication on the Instant AP instead of on the RADIUS server, toggle the EAP Offload switch to enabled. Enabling termination can reduce network traffic to the external RADIUS server by terminating the authorization protocol on the Instant AP. By default, for 802.1X authorization, the client conducts an EAP exchange with the RADIUS server, and the Instant AP acts as a relay for this exchange.

When EAP Offload is enabled, the Instant AP itself acts as an authentication server and terminates the outer layers of the EAP protocol, relaying only the innermost layer to the external RADIUS server. This also reduces the number of packets exchanged between the Instant AP and the authentication server.

Security level: Enterprise.

Authentication server 1 and Authentication server 2

Select any of the following options from the Authentication server 1 drop-down list:

If an external server is selected, you can also configure an additional authentication server.

Security level: Enterprise, Personal, and Open.

Load balancing

Toggle the switch to enabled to use two RADIUS authentication servers, so that the load across the two RADIUS servers is balanced. For more information on the dynamic load balancing mechanism, see Dynamic Load Balancing between Two Authentication Servers.

Security level: Enterprise, Personal, and Open.

Reauth interval

Specify a value for Reauth interval. When set to a value greater than zero, Instant APs periodically reauthenticate all associated and authenticated clients.

The following list provides descriptions for three reauthentication interval configuration scenarios:

Security level: Enterprise, Personal, and Open.

Denylisting

To enable denylisting of clients with a specific number of authentication failures, enable the Denylisting toggle switch and specify a value for Max authentication failures. The users who fail to authenticate the number of times specified in Max authentication failures are automatically denylisted.

Security level: Enterprise, Personal, and Open.

Accounting

Select any of the following options:

Security level: Enterprise, Personal, and Open.

Authentication survivability

To enable authentication survivability, toggle the Authentication survivability switch to enabled. Specify a value in hours for Cache timeout (global) to set the duration after which the authenticated credentials in the cache must expire. When the cache expires, the clients are required to authenticate again. You can specify a value within a range of 1–99 hours and the default value is 24 hours.

NOTE: The authentication survivability feature requires ClearPass Policy Manager 6.0.2 or later, and is available only when the New server option is selected. On setting this parameter to Enabled, Instant authenticates the previously connected clients using EAP-PEAP authentication even when connectivity to ClearPass Policy Manager is temporarily lost. The Authentication survivability feature is not applicable when a RADIUS server is configured as an internal server.

Security level: Open, Personal (MPSK-AES), and Enterprise.

MAC authentication

To enable MAC-address-based authentication for the Personal and Open security levels, enable the MAC authentication toggle switch.

For the Enterprise security level, the following options are available:

NOTE: If the Enterprise security level is chosen, the server used for MAC authentication will be the same as the server defined for 802.1X authentication. You cannot use the Instant AP's internal database for MAC authentication and an external RADIUS server for 802.1X authentication on the same SSID.

Security level: Enterprise, Personal, and Open.

Delimiter character

Specify a character (for example, colon or dash) as a delimiter for the MAC address string. When configured, the Instant AP uses the delimiter in the MAC authentication request. For example, if you specify colon as the delimiter, MAC addresses in the xx:xx:xx:xx:xx:xx format are used. If the delimiter is not specified, the MAC address in the xxxxxxxxxxxx format is used.

NOTE: This option is available only when MAC authentication is enabled.

Security level: Enterprise, Personal, and Open.

Uppercase support

Click the toggle switch to allow the Instant AP to use uppercase letters in the MAC address string for MAC authentication.

NOTE: This parameter is available only when MAC authentication is enabled.

Security level: Enterprise, Personal, and Open.

Upload Certificate

Click Upload Certificate to upload a certificate file from your PC for the internal server. For more information on certificates, see Authentication Certificates.

Security level: Enterprise, Personal, and Open.

Fast Roaming

You can configure the following fast roaming options for the WLAN SSID:

Security level: Enterprise, Personal, and Open.

Enforce DHCP

Instant AOS-8 allows you to configure a WLAN SSID profile to enforce DHCP on clients connecting to it. This is disabled by default.

When Enforce DHCP is enabled:

NOTE: Aruba recommends that you enable Enforce DHCP to ensure that the correct IP information is sent in RADIUS accounting messages when clients are expected to change roles in the network.

Security level: Enterprise, Personal, and Open.

Click Next to configure access rules. For more information, see Configuring Access Rules for a WLAN SSID Profile.

The following commands configure enterprise security settings for the Employee and Voice network SSID profiles:

(Instant AP)(config)# wlan ssid-profile <name>

(Instant AP)(SSID Profile <name>)# opmode {wpa2-aes|wpa2-psk-aes|wpa-tkip|wpa-psk-tkip|wpa-tkip,wpa2-aes|wpa-psk-tkip,wpa2-psk-aes|static-wep|dynamic-wep|mpsk-aes|wpa3-sae-aes|wpa3-aes-ccm-128|wpa3-cnsa|wpa3-aes-gcm-256}

(Instant AP)(SSID Profile <name>)# leap-use-session-key

(Instant AP)(SSID Profile <name>)# termination

(Instant AP)(SSID Profile <name>)# auth-server <server-name>

(Instant AP)(SSID Profile <name>)# external-server

(Instant AP)(SSID Profile <name>)# server-load-balancing

(Instant AP)(SSID Profile <name>)# denylist

(Instant AP)(SSID Profile <name>)# mac-authentication

(Instant AP)(SSID Profile <name>)# l2-auth-failthrough

(Instant AP)(SSID Profile <name>)# auth-survivability

(Instant AP)(SSID Profile <name>)# radius-accounting

(Instant AP)(SSID Profile <name>)# radius-accounting-mode {user-association|user-authentication}

(Instant AP)(SSID Profile <name>)# radius-interim-accounting-interval <minutes>

(Instant AP)(SSID Profile <name>)# radius-reauth-interval <minutes>

(Instant AP)(SSID Profile <name>)# max-authentication-failures <number>

(Instant AP)(SSID Profile <name>)# okc

(Instant AP)(SSID Profile <name>)# dot11r

(Instant AP)(SSID Profile <name>)# dot11k

(Instant AP)(SSID Profile <name>)# dot11v

(Instant AP)(SSID Profile <name>)# exit

(Instant AP)(config)# auth-survivability cache-time-out <hours>

The following commands configure personal security settings for the Employee and Voice users:

(Instant AP)(config)# wlan ssid-profile <name>

(Instant AP)(SSID Profile <name>)# opmode {enhanced-open|wpa2-psk-aes|wpa-tkip|wpa-psk-tkip|wpa-psk-tkip,wpa2-psk-aes|static-wep|mpsk-aes}

(Instant AP)(SSID Profile <name>)# mac-authentication

(Instant AP)(SSID Profile <name>)# auth-server <server-name>

(Instant AP)(SSID Profile <name>)# external-server

(Instant AP)(SSID Profile <name>)# server-load-balancing

(Instant AP)(SSID Profile <name>)# denylist

(Instant AP)(SSID Profile <name>)# max-authentication-failures <number>

(Instant AP)(SSID Profile <name>)# radius-accounting

(Instant AP)(SSID Profile <name>)# radius-accounting-mode {user-association|user-authentication}

(Instant AP)(SSID Profile <name>)# radius-interim-accounting-interval <minutes>

(Instant AP)(SSID Profile <name>)# radius-reauth-interval <minutes>

The following commands configure open security settings for Employee and Voice users of a WLAN SSID profile:

(Instant AP)(config)# wlan ssid-profile <name>

(Instant AP)(SSID Profile <name>)# opmode opensystem

(Instant AP)(SSID Profile <name>)# mac-authentication

(Instant AP)(SSID Profile <name>)# auth-server <server-name>

(Instant AP)(SSID Profile <name>)# external-server

(Instant AP)(SSID Profile <name>)# server-load-balancing

(Instant AP)(SSID Profile <name>)# denylist

(Instant AP)(SSID Profile <name>)# max-authentication-failures <number>

(Instant AP)(SSID Profile <name>)# radius-accounting

(Instant AP)(SSID Profile <name>)# radius-accounting-mode {user-association|user-authentication}

(Instant AP)(SSID Profile <name>)# radius-interim-accounting-interval <minutes>

(Instant AP)(SSID Profile <name>)# radius-reauth-interval <minutes>

The following command configures Enforce DHCP on a WLAN SSID profile:

(Instant AP)(config)# wlan ssid-profile <name>

(Instant AP)(SSID Profile <name>)# enforce-dhcp

Configuring Multiple PSK For WLAN SSID Profiles

WPA2 PSK-based deployments generally consist of a single passphrase configured as part of the WLAN SSID profile. This single passphrase is applicable for all clients that associate with the SSID. Aruba Instant also supports multiple PSKs in conjunction with ClearPass Policy Manager for WPA2 PSK-based deployments. Every client connected to the WLAN SSID will have its own unique PSK.

MPSK enhances the WPA2 PSK mode by allowing device-specific or group-specific passphrases, which are generated at ClearPass Policy Manager and sent to the Instant AP.

An MPSK passphrase requires MAC authentication against a ClearPass Policy Manager server. The MPSK passphrase works only with wpa2-psk-aes encryption and not with any other PSK-based encryption. The Aruba-MPSK-Passphrase RADIUS VSA is added, and the ClearPass Policy Manager server populates this VSA with the encrypted passphrase for the device.

A user registers the device on a ClearPass Policy Manager guest-registration or device-registration webpage and receives a device-specific or group-specific passphrase. The device associates with the SSID using wpa2-psk-aes encryption and uses the MPSK passphrase. The Instant AP performs MAC authentication of the client against the ClearPass Policy Manager server. On successful MAC authentication, the ClearPass Policy Manager returns an Access-Accept with the VSA containing the encrypted passphrase. The Instant AP generates a PSK from the passphrase and performs the 4-way key exchange. If the device uses the correct per-device or per-group passphrase, the authentication succeeds. If the ClearPass Policy Manager server returns an Access-Reject, or the client uses an incorrect passphrase, authentication fails.

When multiple PSK is enabled on the WLAN SSID profile, make sure that MAC authentication is not configured for RADIUS authentication. Multiple PSK and MAC authentication are mutually exclusive: MPSK follows a special procedure that does not require enabling MAC authentication in the WLAN SSID manually. Also, ensure that the RADIUS server configured for the WLAN SSID profile is not an internal server.
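The MPSK flow above, together with the passphrase formats and the MAC delimiter and uppercase settings from Table 1, as an added Python model that is not Aruba code. The ClearPass device directory, MAC addresses and passphrases are constructed; the RADIUS exchange is a dict, the Aruba-MPSK-Passphrase VSA is treated as already decrypted, and the 4-way handshake is reduced to comparing the PMKs both sides derive from their passphrases (PBKDF2-HMAC-SHA1 salted with the SSID, as WPA2 specifies).

```python
"""Model of the Instant AP MPSK authentication flow (constructed example).

Assumptions: the ClearPass directory, MACs and passphrases below are made up;
the RADIUS exchange is a plain dict; the Aruba-MPSK-Passphrase VSA is modelled
as already decrypted (the real VSA carries it encrypted); the 4-way handshake
is reduced to comparing the PMKs that the AP and the client each derive.
"""
import hashlib
import re
import string

SSID = "corp-iot"  # constructed SSID name


def format_mac(mac: str, delimiter: str = "", uppercase: bool = False) -> str:
    """Format a MAC the way the AP puts it in the MAC-authentication request:
    no delimiter -> xxxxxxxxxxxx, delimiter ':' -> xx:xx:xx:xx:xx:xx, etc."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    octets = [hexdigits[i:i + 2] for i in range(0, 12, 2)]
    out = delimiter.join(octets)
    return out.upper() if uppercase else out.lower()


def validate_passphrase(passphrase: str) -> str:
    """Apply the two formats the WLAN security settings accept:
    8-63 printable ASCII characters (no double quote), or 64 hex digits."""
    if re.fullmatch(r"[0-9a-fA-F]{64}", passphrase):
        return "hex64"
    forbidden = '"\t\n\r\x0b\x0c'
    if 8 <= len(passphrase) <= 63 and all(
        c in string.printable and c not in forbidden for c in passphrase
    ):
        return "ascii"
    raise ValueError("passphrase must be 8-63 ASCII characters or 64 hex digits")


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """WPA2 PSK/PMK derivation (IEEE 802.11i): PBKDF2-HMAC-SHA1, 4096
    iterations, 256-bit output, SSID as salt. A 64-hex passphrase is used
    directly as the PSK."""
    if validate_passphrase(passphrase) == "hex64":
        return bytes.fromhex(passphrase)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


# Constructed ClearPass device registrations: username (the MAC exactly as the
# AP formats it) -> passphrase. Because the match is exact, the delimiter and
# uppercase settings on the AP must agree with how the devices were registered.
CLEARPASS_DEVICES = {
    "00:11:22:33:44:55": "printer-floor3-8Kx",  # device-specific passphrase
    "aa:bb:cc:dd:ee:01": "sensors-group-2024",  # group passphrase
}


def clearpass_mac_auth(username: str) -> dict:
    """Simulated ClearPass answer to the AP's MAC-authentication request."""
    passphrase = CLEARPASS_DEVICES.get(username)
    if passphrase is None:
        return {"code": "Access-Reject"}
    return {"code": "Access-Accept", "Aruba-MPSK-Passphrase": passphrase}


def mpsk_authenticate(client_mac: str, client_passphrase: str,
                      delimiter: str = ":", uppercase: bool = False) -> str:
    """MAC auth -> VSA -> AP derives PSK -> compare with the client's PSK.
    Returns 'accept', 'reject-mac' or 'reject-psk'."""
    username = format_mac(client_mac, delimiter, uppercase)
    response = clearpass_mac_auth(username)
    if response["code"] != "Access-Accept":
        return "reject-mac"
    ap_pmk = derive_psk(response["Aruba-MPSK-Passphrase"], SSID)
    client_pmk = derive_psk(client_passphrase, SSID)
    # Stand-in for the 4-way handshake: a client holding the wrong passphrase
    # cannot produce a valid MIC, which shows here as a PMK mismatch.
    return "accept" if ap_pmk == client_pmk else "reject-psk"


if __name__ == "__main__":
    print(mpsk_authenticate("00:11:22:33:44:55", "printer-floor3-8Kx"))  # accept
    print(mpsk_authenticate("00:11:22:33:44:55", "wrong-passphrase"))    # reject-psk
    print(mpsk_authenticate("de:ad:be:ef:00:01", "anything-here"))       # reject-mac
    # Registered lowercase with colons, but the AP is set to uppercase: no match.
    print(mpsk_authenticate("aa:bb:cc:dd:ee:01", "sensors-group-2024", uppercase=True))  # reject-mac
```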

The following procedure configures MPSK authentication:

  1. Navigate to the Configuration > Networks page.
  2. Under Networks, select the network you want to configure and click the edit icon.
  3. Select the Security tab. In the Security Level drop-down list, select Personal.
  4. Select MPSK-AES from the Key Management drop-down list.
  5. Ensure a RADIUS server is selected from the Authentication server 1 drop-down list for MPSK authentication. Additionally, you may select a second authentication server for MPSK authentication from the Authentication server 2 drop-down list.

The following command enables the multiple PSK feature on the WLAN SSID profile:

(Instant AP)(config)# wlan ssid-profile <profile_name>

(Instant AP)(SSID Profile <profile_name>)# opmode mpsk-aes

The following command is used to verify the status of the MPSK configuration on the WLAN SSID profile:

(Instant AP)# show network <ssid profile name>

RADIUS Accounting with MPSK

Instant supports RADIUS accounting with multiple PSKs in conjunction with ClearPass Policy Manager for WPA2 PSK-based deployments. When RADIUS accounting is enabled and MPSK authentication is successful, the AP sends an accounting start message to the ClearPass Policy Manager server to gather the accounting updates. The accounting updates are sent periodically based on the time interval configured on the AP.

The following procedure configures RADIUS accounting with MPSK:

  1. Navigate to the Configuration > Networks page.
  2. Under Networks, select the network you want to configure and click the edit icon.
  3. Select Security tab. In the Security Level drop-down list, select Personal.
  4. Select MPSK-AES from the Key Management drop-down list.
  5. Ensure a RADIUS server is selected from the Authentication server 1 drop-down list for MPSK authentication.
  6. Select one of the following from the Accounting drop-down list:
    1. Disabled—Choose this option to disable RADIUS accounting.
    2. Use authentication servers—Choose this option to use the same authentication servers for accounting.
    3. Use separate servers—Choose this option to configure Accounting server 1 and Accounting server 2 separately.
  7. Enter a value in minutes in the Accounting interval text box.
  8. Click Next and then Finish.

The following CLI command configures RADIUS accounting with MPSK:

(Instant AP)(configure)# wlan ssid-profile <profile-name>

(Instant AP)(WLAN SSID Profile "name")# opmode mpsk-aes

(Instant AP)(WLAN SSID Profile "name")# radius-accounting

The following CLI command configures an accounting interval:

(Instant AP)(configure)# wlan ssid-profile <profile-name>

(Instant AP)(WLAN SSID Profile "name")# radius-interim-accounting-interval <minutes>
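The accounting exchange described above follows RFC 2866: each Accounting-Request carries an Acct-Status-Type of Start, Interim-Update or Stop, and its 16-byte Request Authenticator is MD5(Code + Identifier + Length + 16 zero octets + Attributes + shared secret), which is what the accounting server uses to reject packets from a NAS that does not hold the secret. The following Python is an added example, not Aruba's or ClearPass's code: it builds and verifies such a request for an MPSK client. The attribute set, the client MAC, session id, NAS address and shared secret are all constructed here for illustration; which attributes the Instant AP actually sends is not stated on this page.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes (RFC 2866)
ACCOUNTING_REQUEST = 4
ACCOUNTING_RESPONSE = 5

# Attribute types (RFC 2865 / RFC 2866)
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_STATUS_TYPE = 40
ATTR_ACCT_SESSION_ID = 44
ATTR_ACCT_SESSION_TIME = 46

# Acct-Status-Type values
ACCT_STATUS_START = 1
ACCT_STATUS_STOP = 2
ACCT_STATUS_INTERIM_UPDATE = 3


def _attr(attr_type, value):
    """Encode one Type-Length-Value attribute; Length covers type, length and value."""
    if isinstance(value, int):
        value = struct.pack("!I", value)          # 32-bit integer attribute
    elif isinstance(value, str):
        value = value.encode()
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def build_accounting_request(secret, identifier, status_type, client_mac,
                             session_id, nas_ip, session_time=None):
    """Build an Accounting-Request as the NAS (here, the AP) would send it.

    The Request Authenticator is MD5 over the header, 16 zero octets, the
    attributes and the shared secret (RFC 2866 section 3).
    """
    attrs = _attr(ATTR_ACCT_STATUS_TYPE, status_type)
    attrs += _attr(ATTR_USER_NAME, client_mac)           # MPSK auth is MAC based
    attrs += _attr(ATTR_CALLING_STATION_ID, client_mac)
    attrs += _attr(ATTR_ACCT_SESSION_ID, session_id)
    attrs += _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    if session_time is not None:                         # present on Interim-Update/Stop
        attrs += _attr(ATTR_ACCT_SESSION_TIME, session_time)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_accounting_request(packet, secret):
    """Server-side check: recompute the Request Authenticator and compare in constant time."""
    if len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet):
    """Return {attribute type: [raw values]}; stops at the first malformed TLV."""
    attrs = {}
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            break
        attrs.setdefault(attr_type, []).append(packet[pos + 2:pos + length])
        pos += length
    return attrs


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    secret = b"constructed-shared-secret"
    start = build_accounting_request(secret, 7, ACCT_STATUS_START,
                                     "aa:bb:cc:dd:ee:ff", "00000001", "10.0.0.5")
    print("start request valid:", verify_accounting_request(start, secret))
    print("with wrong secret:  ", verify_accounting_request(start, b"other"))
```

On the server side the same check, plus a lookup of the NAS by source address, is what separates genuine accounting records from forged ones; the interim updates the AP sends every configured interval are identical packets with Acct-Status-Type 3 and a growing Acct-Session-Time.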

Points to Remember

The following configurations are mutually exclusive with MPSK for the WLAN SSID profile and do not need to be configured manually:

MPSK Cache

The Instant AP stores the MPSK passphrase in its local cache for client roaming. The cache is shared between all the Instant APs within a single cluster. The cache can also be shared with standalone Instant APs in a different cluster provided the APs belong to the same multicast VLAN. Each Instant AP first searches the local cache for the MPSK information. If the local cache has the corresponding MPSK passphrase, the Instant AP skips the MAC authentication procedure and provides access to the client. If the MPSK passphrase is not found in the local cache, you must manually configure the MPSK passphrase as shown in the above section.

The cached MPSK passphrase can be used only if the client connects to the same WLAN SSID. The entire MPSK local cache is erased in the following scenarios:

The MPSK passphrase in the local cache automatically expires if the client disconnects and does not connect again during the inactivity-timeout window.

To view the details of the MPSK local cache:

(Instant AP)# show ap mpskcache
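The cache rules above (a hit only for the same client on the same SSID, expiry of a disconnected client's entry once the inactivity timeout elapses, a full erase in the listed scenarios, and a fall-back to MAC authentication on a miss) can be made concrete with the following Python model. It is an added example, not Instant firmware code: the inactivity timeout value, the client MAC, the SSID names and the `authenticate` callback standing in for the RADIUS MAC-authentication query are all assumptions made here for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class CacheEntry:
    passphrase: str
    connected: bool = True
    disconnected_at: Optional[float] = None   # set when the client leaves the WLAN


class MpskCache:
    """Model of the cluster-shared MPSK cache keyed by (client MAC, SSID)."""

    def __init__(self, inactivity_timeout_s: float):
        self.inactivity_timeout_s = inactivity_timeout_s   # assumed value, not from the page
        self._entries: Dict[Tuple[str, str], CacheEntry] = {}

    def store(self, client_mac: str, ssid: str, passphrase: str) -> None:
        """Record the passphrase learned from a successful MPSK (MAC) authentication."""
        self._entries[(client_mac.lower(), ssid)] = CacheEntry(passphrase)

    def on_disconnect(self, client_mac: str, ssid: str, now: float) -> None:
        """Start the inactivity window for this client."""
        entry = self._entries.get((client_mac.lower(), ssid))
        if entry is not None:
            entry.connected = False
            entry.disconnected_at = now

    def lookup(self, client_mac: str, ssid: str, now: float) -> Optional[str]:
        """Return the cached passphrase, or None when the AP must authenticate the client again.

        A different SSID never hits, and an entry whose client stayed away for the
        whole inactivity window has expired and is dropped.
        """
        key = (client_mac.lower(), ssid)
        entry = self._entries.get(key)
        if entry is None:
            return None
        if not entry.connected and now - entry.disconnected_at >= self.inactivity_timeout_s:
            del self._entries[key]
            return None
        entry.connected = True            # client returned inside the window
        entry.disconnected_at = None
        return entry.passphrase

    def clear(self) -> None:
        """Erase the entire cache, as happens in the scenarios the page lists."""
        self._entries.clear()

    def __len__(self) -> int:
        return len(self._entries)


def authorize(cache: MpskCache, client_mac: str, ssid: str, now: float,
              authenticate: Callable[[str], Optional[str]]) -> Tuple[str, Optional[str]]:
    """Decision path on association: cache hit skips MAC authentication, miss queries the server."""
    passphrase = cache.lookup(client_mac, ssid, now)
    if passphrase is not None:
        return ("cache", passphrase)
    passphrase = authenticate(client_mac)          # e.g. RADIUS MAC auth against ClearPass
    if passphrase is None:
        return ("denied", None)
    cache.store(client_mac, ssid, passphrase)
    return ("radius", passphrase)


def _demo_authenticator(client_mac: str) -> Optional[str]:
    # Constructed stand-in for the policy server: one known device, everything else denied.
    return "per-device-passphrase" if client_mac == "aa:bb:cc:dd:ee:ff" else None
```

Running `authorize` twice for the same device on the same SSID shows the second decision coming from the cache; a third call with a different SSID, or after the inactivity window, goes back to the authenticator.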

Local Multiple PSK Operating Mode

In the Local MPSK operating mode, you can define up to 24 pre-shared keys per SSID on the gateway or the Instant AP without requiring an external policy engine such as ClearPass Policy Manager. These local PSKs serve as an extension of the base pre-shared key functionality. Local MPSK only supports passphrases in the form of strings; it does not support passphrases in the form of hex. Local MPSK is currently supported only on employee and personal security level SSIDs. Additionally, you may also configure a user role for each passphrase, from which the user VLAN and access rules can be derived.

The following commands configure a local MPSK profile:

(Instant AP)(config)# wlan-mpsk-local <profile_name>

(Instant AP)(MPSK Local "profile_name")# mpsk-local-passphrase <key_name> <key> [role_name]
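The following Python is an added example, not Aruba code, that models a local MPSK profile with the constraints this section states: at most 24 keys per SSID, string passphrases only (a 64-hex-character raw PSK is rejected), and an optional role per key. Each stored passphrase is turned into the 256-bit PMK with the standard 802.11 derivation, PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations), so the example also shows what the AP really compares against during the 4-way handshake; comparing PMKs directly, rather than checking a handshake MIC under each candidate key, is a simplification made here. The profile name, key names, passphrases and roles are constructed for illustration.

```python
import hashlib
import hmac
import re
from typing import Dict, Optional, Tuple

MAX_LOCAL_MPSK_KEYS = 24                     # limit stated on the page
HEX_PSK = re.compile(r"^[0-9a-fA-F]{64}$")   # raw 256-bit PSK in hex: not accepted by Local MPSK


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11 PSK derivation: PBKDF2-HMAC-SHA1, 4096 rounds, 256-bit output."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


class LocalMpskProfile:
    """Model of 'wlan-mpsk-local <profile_name>' with its mpsk-local-passphrase entries."""

    def __init__(self, name: str):
        self.name = name
        self._keys: Dict[str, Tuple[str, Optional[str]]] = {}   # key_name -> (passphrase, role)

    def add_passphrase(self, key_name: str, key: str, role_name: Optional[str] = None) -> None:
        """Mirror of 'mpsk-local-passphrase <key_name> <key> [role_name]' with validation."""
        if key_name in self._keys:
            raise ValueError(f"key name {key_name!r} is already defined")
        if len(self._keys) >= MAX_LOCAL_MPSK_KEYS:
            raise ValueError(f"Local MPSK allows at most {MAX_LOCAL_MPSK_KEYS} passphrases per SSID")
        if HEX_PSK.match(key):
            raise ValueError("Local MPSK does not accept hex-form PSKs; use a passphrase string")
        # WPA2-Personal passphrases are 8 to 63 printable ASCII characters.
        if not 8 <= len(key) <= 63 or not all(32 <= ord(c) <= 126 for c in key):
            raise ValueError("passphrase must be 8-63 printable ASCII characters")
        self._keys[key_name] = (key, role_name)

    def derived_pmks(self, ssid: str) -> Dict[str, bytes]:
        """The per-key PMKs the AP would hold for this SSID."""
        return {name: derive_pmk(pp, ssid) for name, (pp, _role) in self._keys.items()}

    def identify(self, ssid: str, candidate_pmk: bytes) -> Optional[Tuple[str, Optional[str]]]:
        """Which local key a client's PMK corresponds to, and the role it maps to.

        None means no local key matched and the client is rejected. The role is
        what the user VLAN and access rules are derived from.
        """
        for name, pmk in self.derived_pmks(ssid).items():
            if hmac.compare_digest(pmk, candidate_pmk):
                return name, self._keys[name][1]
        return None

    def __len__(self) -> int:
        return len(self._keys)


if __name__ == "__main__":
    # Constructed sample configuration.
    profile = LocalMpskProfile("demo-local-mpsk")
    profile.add_passphrase("printers", "PrinterPass-2024", "iot-role")
    profile.add_passphrase("staff", "StaffPass-2024", "employee")
    client_pmk = derive_pmk("StaffPass-2024", "corp-ssid")
    print(profile.identify("corp-ssid", client_pmk))   # ('staff', 'employee')
```

The `derive_pmk` function reproduces the published 802.11 test vector (passphrase `password`, SSID `IEEE`), which is a convenient way to check that a tool or script computing PSKs for a deployment agrees with the standard.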