Configuring Security Settings for a WLAN SSID Profile
The following procedure describes how to configure security settings for an Employee or Voice network. If you are creating a new SSID (Service Set Identifier) profile, configure the WLAN (Wireless Local Area Network) and VLAN (Virtual Local Area Network) settings before defining security settings. For more information, see Configuring WLAN Settings for an SSID Profile and Configuring VLAN Settings for a WLAN SSID Profile.
The following procedure configures the security settings on an Instant AP:
- Navigate to the > Networks page.
- Under , select the network you want to configure and click .
- Under , specify any one of the following types of security by moving the slider to the desired level:
  - Enterprise—On selecting the enterprise security level, the authentication options applicable to the enterprise network are displayed.
  - Personal—On selecting the personal security level, the authentication options applicable to the personalized network are displayed.
  - Open—On selecting the open security level, the authentication options applicable to an open network are displayed.
- Based on the security level selected, specify the following parameters.
- Click to configure access rules. For more information, see Configuring Access Rules for a WLAN SSID Profile.
The following commands configure enterprise security settings for the Employee and Voice network SSID profiles:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# opmode {wpa2-aes|wpa2-psk-aes|wpa-tkip|wpa-psk-tkip|wpa-tkip,wpa2-aes|wpa-psk-tkip,wpa2-psk-aes|static-wep|dynamic-wep|mpsk-aes|wpa3-sae-aes|wpa3-aes-ccm-128|wpa3-cnsa|wpa3-aes-gcm-256}
(Instant AP)(SSID Profile <name>)# leap-use-session-key
(Instant AP)(SSID Profile <name>)# termination
(Instant AP)(SSID Profile <name>)# auth-server <server-name>
(Instant AP)(SSID Profile <name>)# external-server
(Instant AP)(SSID Profile <name>)# server-load-balancing
(Instant AP)(SSID Profile <name>)# denylist
(Instant AP)(SSID Profile <name>)# mac-authentication
(Instant AP)(SSID Profile <name>)# l2-auth-failthrough
(Instant AP)(SSID Profile <name>)# auth-survivability
(Instant AP)(SSID Profile <name>)# radius-accounting
(Instant AP)(SSID Profile <name>)# radius-accounting-mode {user-association|user-authentication}
(Instant AP)(SSID Profile <name>)# radius-interim-accounting-interval <minutes>
(Instant AP)(SSID Profile <name>)# radius-reauth-interval <minutes>
(Instant AP)(SSID Profile <name>)# max-authentication-failures <number>
(Instant AP)(SSID Profile <name>)# okc
(Instant AP)(SSID Profile <name>)# dot11r
(Instant AP)(SSID Profile <name>)# dot11k
(Instant AP)(SSID Profile <name>)# dot11v
(Instant AP)(SSID Profile <name>)# exit
(Instant AP)(config)# auth-survivability cache-time-out
The following commands configure personal security settings for the Employee and Voice users:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# opmode {enhanced-open|wpa2-psk-aes|wpa-tkip|wpa-psk-tkip|wpa-psk-tkip,wpa2-psk-aes|static-wep|mpsk-aes}
(Instant AP)(SSID Profile <name>)# mac-authentication
(Instant AP)(SSID Profile <name>)# auth-server <server-name>
(Instant AP)(SSID Profile <name>)# external-server
(Instant AP)(SSID Profile <name>)# server-load-balancing
(Instant AP)(SSID Profile <name>)# denylist
(Instant AP)(SSID Profile <name>)# max-authentication-failures <number>
(Instant AP)(SSID Profile <name>)# radius-accounting
(Instant AP)(SSID Profile <name>)# radius-accounting-mode {user-association|user-authentication}
(Instant AP)(SSID Profile <name>)# radius-interim-accounting-interval <minutes>
(Instant AP)(SSID Profile <name>)# radius-reauth-interval <minutes>
The following commands configure open security settings for Employee and Voice users of a WLAN SSID profile:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# opmode opensystem
(Instant AP)(SSID Profile <name>)# mac-authentication
(Instant AP)(SSID Profile <name>)# auth-server <server-name>
(Instant AP)(SSID Profile <name>)# external-server
(Instant AP)(SSID Profile <name>)# server-load-balancing
(Instant AP)(SSID Profile <name>)# denylist
(Instant AP)(SSID Profile <name>)# max-authentication-failures <number>
(Instant AP)(SSID Profile <name>)# radius-accounting
(Instant AP)(SSID Profile <name>)# radius-accounting-mode {user-association|user-authentication}
(Instant AP)(SSID Profile <name>)# radius-interim-accounting-interval <minutes>
(Instant AP)(SSID Profile <name>)# radius-reauth-interval <minutes>
The following command configures enforce DHCP (Dynamic Host Configuration Protocol) on a WLAN SSID profile:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# enforce-dhcp
Configuring Multiple PSK For WLAN SSID Profiles
WPA2 (Wi-Fi Protected Access 2) PSK (pre-shared key) based deployments generally consist of a single passphrase configured as part of the WLAN SSID profile. This single passphrase applies to all clients that associate with the SSID. Aruba Instant also supports multiple PSKs (MPSK) in conjunction with ClearPass Policy Manager for WPA2 PSK-based deployments. Every client connected to the WLAN SSID will have its own unique PSK.
MPSK enhances the WPA2 PSK mode by allowing device-specific or group-specific passphrases, which are generated at ClearPass Policy Manager and sent to the Instant AP.
An MPSK passphrase requires MAC (Media Access Control) authentication against a ClearPass Policy Manager server. The MPSK passphrase works only with wpa2-psk-aes encryption and not with any other PSK-based encryption. The Aruba-MPSK-Passphrase RADIUS VSA (Vendor-Specific Attribute) is added, and the ClearPass Policy Manager server populates this VSA with the encrypted passphrase for the device.
A user registers the device on a ClearPass Policy Manager guest-registration or device-registration webpage and receives a device-specific or group-specific passphrase. The device associates with the SSID using wpa2-psk-aes encryption and uses the MPSK passphrase. The Instant AP performs MAC authentication of the client against the ClearPass Policy Manager server. On successful MAC authentication, ClearPass Policy Manager returns an Access-Accept (the RADIUS response indicating successful authentication and carrying authorization information) with the VSA containing the encrypted passphrase. The Instant AP generates a PSK from the passphrase and performs the 4-way key exchange. If the device uses the correct per-device or per-group passphrase, the authentication succeeds. If the ClearPass Policy Manager server returns an Access-Reject (the RADIUS response indicating that a user is not authorized) or the client uses an incorrect passphrase, authentication fails.
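The exchange just described, as an added example that is not part of the original documentation and not Aruba's or ClearPass's own code: a Python model of the MPSK flow from the AP's side. The SSID name, MAC addresses and passphrases are constructed sample values; the RADIUS transport, the encryption of the VSA and the EAPOL frame format are left out, and the 4-way handshake is reduced to an HMAC over the two nonces as a stand-in for the real PTK/MIC computation. The PMK derivation is the standard WPA2-PSK PBKDF2 step, not an Aruba-specific one.

```python
import hashlib
import hmac
import os

# Constructed sample data (hypothetical, not from any real deployment): the
# registrations a ClearPass Policy Manager device-registration page would have
# produced, keyed by client MAC address.
SSID = "corp-mpsk"
REGISTERED_DEVICES = {
    "aa:bb:cc:dd:ee:01": "device-one-passphrase",   # per-device passphrase
    "aa:bb:cc:dd:ee:02": "iot-sensors-group-key",   # group-specific passphrase
}


def radius_mac_auth(client_mac):
    """Simulated ClearPass MAC authentication.

    Returns ("Access-Accept", passphrase) for a registered MAC, otherwise
    ("Access-Reject", None). On the wire the passphrase travels in the
    Aruba-MPSK-Passphrase VSA in encrypted form; that transport detail is
    not modelled here.
    """
    passphrase = REGISTERED_DEVICES.get(client_mac.lower())
    if passphrase is None:
        return "Access-Reject", None
    return "Access-Accept", passphrase


def derive_pmk(passphrase, ssid):
    """WPA2-PSK key derivation as specified by IEEE 802.11i:
    PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def key_confirmation(pmk, anonce, snonce):
    """Stand-in for the 4-way handshake MIC: each side proves it holds the same
    PMK by keying an HMAC over both nonces. The real exchange derives a PTK and
    MICs the EAPOL-Key frames; the frame format is omitted, the idea is the same."""
    return hmac.new(pmk, anonce + snonce, hashlib.sha256).digest()


def ap_mpsk_authenticate(client_mac, client_passphrase, anonce=None, snonce=None):
    """Run the MPSK flow from the AP's point of view and return the outcome:
    'mac-auth-rejected', 'passphrase-mismatch' or 'success'."""
    anonce = anonce or os.urandom(32)
    snonce = snonce or os.urandom(32)

    # 1. MAC authentication against ClearPass; Access-Reject ends the attempt.
    code, server_passphrase = radius_mac_auth(client_mac)
    if code != "Access-Accept":
        return "mac-auth-rejected"

    # 2. The AP derives the PMK from the passphrase returned in the VSA; the
    #    client derives its PMK from the passphrase it was given at registration.
    ap_pmk = derive_pmk(server_passphrase, SSID)
    client_pmk = derive_pmk(client_passphrase, SSID)

    # 3. 4-way handshake: the AP checks the client's key confirmation against
    #    the one it computes itself. A mismatch means the wrong passphrase.
    client_mic = key_confirmation(client_pmk, anonce, snonce)
    expected_mic = key_confirmation(ap_pmk, anonce, snonce)
    if not hmac.compare_digest(client_mic, expected_mic):
        return "passphrase-mismatch"
    return "success"


if __name__ == "__main__":
    print(ap_mpsk_authenticate("aa:bb:cc:dd:ee:01", "device-one-passphrase"))  # success
    print(ap_mpsk_authenticate("aa:bb:cc:dd:ee:01", "wrong-passphrase"))       # passphrase-mismatch
    print(ap_mpsk_authenticate("00:11:22:33:44:55", "device-one-passphrase"))  # mac-auth-rejected
```

The three outcomes map onto the text: a MAC that ClearPass does not know never reaches the key exchange, a known MAC with the wrong passphrase fails the handshake, and only a registered device using its own passphrase completes authentication.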
When multiple PSK is enabled on the WLAN SSID profile, make sure that MAC authentication is not configured for RADIUS (Remote Authentication Dial-In User Service) authentication. Multiple PSK and MAC authentication are mutually exclusive; MPSK follows a special procedure that does not require enabling MAC authentication in the WLAN SSID manually. Also, ensure that the RADIUS server configured for the WLAN SSID profile is not an internal server.
The following procedure configures MPSK authentication:
- Navigate to the > page.
- Under , select the network you want to configure and click the icon.
- Select tab. In the drop-down list, select .
- Select from the drop-down list.
- Ensure a RADIUS server is selected from the drop-down list for MPSK authentication. Additionally, you may select a second authentication server for MPSK authentication from the drop-down list.
The following command enables the multiple PSK feature on the WLAN SSID profile:
(Instant AP)(configure)# wlan ssid-profile <profile_name>
(Instant AP)(SSID Profile <profile_name>)# opmode mpsk-aes
The following command is used to verify the status of the MPSK configuration on the WLAN SSID profile:
(Instant AP)# show network <ssid profile name>
RADIUS Accounting with MPSK
Instant supports RADIUS accounting with multiple PSKs in conjunction with ClearPass Policy Manager for WPA2 PSK-based deployments. When RADIUS accounting is enabled and MPSK authentication is successful, the AP sends an accounting start message to the ClearPass Policy Manager server to gather the accounting updates. The accounting updates are periodically sent based on the time interval configured on the AP.
The following procedure configures RADIUS accounting with MPSK:
- Navigate to the > page.
- Under , select the network you want to configure and click the icon.
- Select tab. In the drop-down list, select .
- Select from the drop-down list.
- Ensure a RADIUS server is selected from the drop-down list for MPSK authentication.
- Select one of the following from the drop-down list:
  - —Choose this option to disable RADIUS accounting.
  - —Choose this option to use the same authentication servers for accounting.
  - —Choose this option to configure and separately.
- Enter a value in minutes in the text box.
- Click and then .
The following CLI command configures RADIUS accounting with MPSK:
(Instant AP)(configure)# wlan ssid-profile <profile-name>
(Instant AP)(WLAN SSID Profile "name")# opmode mpsk-aes
(Instant AP)(WLAN SSID Profile "name")# radius-accounting
The following CLI command configures an accounting interval:
(Instant AP)(configure)# wlan ssid-profile <profile-name>
(Instant AP)(WLAN SSID Profile "name")# radius-interim-accounting-interval <minutes>
Points to Remember
The following configurations are mutually exclusive with MPSK for the WLAN SSID profile and do not need to be configured manually:
- MPSK and MAC authentication
- MPSK and Denylisting
- MPSK and internal RADIUS server
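An added configuration check, not part of the original documentation and not Aruba's own tooling, that applies the opmode lists from the enterprise, personal and open command sets above together with the MPSK exclusions in this list. The dict keys are assumed names chosen to mirror the CLI keywords, and the sample profiles are constructed; running the check before pushing a profile catches an mpsk-aes SSID that still has MAC authentication or denylisting enabled, or that points at the internal server.

```python
# Opmodes as listed in the enterprise, personal and open command sets above.
ENTERPRISE_OPMODES = {
    "wpa2-aes", "wpa2-psk-aes", "wpa-tkip", "wpa-psk-tkip", "wpa-tkip,wpa2-aes",
    "wpa-psk-tkip,wpa2-psk-aes", "static-wep", "dynamic-wep", "mpsk-aes",
    "wpa3-sae-aes", "wpa3-aes-ccm-128", "wpa3-cnsa", "wpa3-aes-gcm-256",
}
PERSONAL_OPMODES = {
    "enhanced-open", "wpa2-psk-aes", "wpa-tkip", "wpa-psk-tkip",
    "wpa-psk-tkip,wpa2-psk-aes", "static-wep", "mpsk-aes",
}
OPEN_OPMODES = {"opensystem"}
OPMODES_BY_LEVEL = {
    "enterprise": ENTERPRISE_OPMODES,
    "personal": PERSONAL_OPMODES,
    "open": OPEN_OPMODES,
}


def validate_ssid_profile(profile):
    """Return a list of findings (empty when the profile is consistent).

    'profile' is a dict with assumed key names mirroring the CLI keywords:
    security_level, opmode, mac_authentication, denylist, auth_servers (list of
    server names) and internal_server (True when the selected authentication
    server is the Instant AP's built-in server).
    """
    findings = []
    level = profile.get("security_level")
    opmode = profile.get("opmode")

    allowed = OPMODES_BY_LEVEL.get(level)
    if allowed is None:
        findings.append(f"unknown security level {level!r}")
    elif opmode not in allowed:
        findings.append(f"opmode {opmode!r} is not available at the {level} security level")

    # Constraints that apply only once the SSID runs multiple PSK.
    if opmode == "mpsk-aes":
        if profile.get("mac_authentication"):
            findings.append("mpsk-aes: MAC authentication must not be enabled; MPSK performs it itself")
        if profile.get("denylist"):
            findings.append("mpsk-aes: denylisting is mutually exclusive with MPSK")
        if not profile.get("auth_servers"):
            findings.append("mpsk-aes: an external RADIUS server (ClearPass Policy Manager) must be selected")
        elif profile.get("internal_server"):
            findings.append("mpsk-aes: the internal RADIUS server cannot be used for MPSK")
    return findings


def sample_profiles():
    """Constructed profiles: one that satisfies the constraints, one that breaks several."""
    good = {
        "security_level": "personal", "opmode": "mpsk-aes",
        "mac_authentication": False, "denylist": False,
        "auth_servers": ["cppm-1"], "internal_server": False,   # hypothetical server name
    }
    bad = {
        "security_level": "open", "opmode": "mpsk-aes",
        "mac_authentication": True, "denylist": True,
        "auth_servers": [], "internal_server": False,
    }
    return good, bad


if __name__ == "__main__":
    good, bad = sample_profiles()
    print("good:", validate_ssid_profile(good))   # []
    for finding in validate_ssid_profile(bad):    # four findings
        print("bad:", finding)
```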
MPSK Cache
The Instant AP stores the MPSK passphrase in its local cache for client roaming. The cache is shared between all the Instant APs within a single cluster. The cache can also be shared with standalone Instant APs in a different cluster provided the APs belong to the same multicast VLAN. Each Instant AP will first search the local cache for the MPSK information. If the local cache has the corresponding MPSK passphrase, the Instant AP skips the MAC authentication procedure and provides access to the client. If the MPSK passphrase is not found in the local cache, you must manually configure the MPSK passphrase as shown in the above section.
The cached MPSK passphrase can be used only if the client connects to the same WLAN SSID. The entire MPSK local cache is erased in the following scenarios:
- The cached MPSK does not work.
- The client is manually disconnected.
- The client is disconnected through CoA (Change of Authorization, the RADIUS mechanism used in the AAA framework to dynamically modify authenticated, authorized and active subscriber sessions).
The MPSK passphrase in the local cache automatically expires if the client disconnects and does not connect again during the inactivity-timeout window.
To view the details of the MPSK local cache:
(Instant AP)# show ap mpskcache
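The cache behaviour described above (shared within the cluster, reusable only on the same SSID, expiry after the inactivity timeout, and full erasure when a cached key fails, on a manual disconnect or on a CoA disconnect), as an added Python model that is not the AP's own implementation: the class and method names are assumptions, and the timeout, MAC addresses and timestamps are constructed sample values. The clock is passed in explicitly so the expiry logic can be exercised without waiting.

```python
class MpskCache:
    """Model of the per-cluster MPSK passphrase cache.

    Entries are keyed by (client MAC, SSID) because a cached passphrase is only
    reusable on the same WLAN SSID. 'inactivity_timeout' is in seconds.
    """

    def __init__(self, inactivity_timeout):
        self.inactivity_timeout = inactivity_timeout
        self._entries = {}   # (mac, ssid) -> {"passphrase": str, "disconnected_at": float|None}

    def store(self, mac, ssid, passphrase):
        """Populated after a successful MAC authentication against ClearPass."""
        self._entries[(mac.lower(), ssid)] = {"passphrase": passphrase, "disconnected_at": None}

    def lookup(self, mac, ssid, now):
        """Return the cached passphrase, or None when the AP must fall back to
        MAC authentication. An entry whose inactivity window has passed is dropped."""
        key = (mac.lower(), ssid)
        entry = self._entries.get(key)
        if entry is None:
            return None
        left_at = entry["disconnected_at"]
        if left_at is not None and now - left_at > self.inactivity_timeout:
            del self._entries[key]        # expired: client stayed away too long
            return None
        entry["disconnected_at"] = None   # client is active again
        return entry["passphrase"]

    def client_disconnected(self, mac, ssid, now, reason="inactivity"):
        """'inactivity' starts the expiry timer for that one entry; 'manual',
        'coa' and 'cached-mpsk-failed' erase the entire cache, as described above."""
        if reason in ("manual", "coa", "cached-mpsk-failed"):
            self._entries.clear()
            return
        key = (mac.lower(), ssid)
        if key in self._entries:
            self._entries[key]["disconnected_at"] = now

    def __len__(self):
        return len(self._entries)


def roaming_scenario():
    """Walk one client through the cache states; returns the observed steps."""
    cache = MpskCache(inactivity_timeout=300)   # one object: shared by all APs in the cluster
    mac, ssid = "aa:bb:cc:dd:ee:01", "corp-mpsk"   # constructed values
    steps = []
    # t=0: first association on AP1, MAC auth against ClearPass succeeds, cache populated.
    cache.store(mac, ssid, "device-one-passphrase")
    # t=10: client roams to AP2 in the same cluster -> cache hit, MAC auth skipped.
    steps.append(("roam-same-ssid", cache.lookup(mac, ssid, 10) is not None))
    # t=20: same client tries a different SSID -> miss, MAC auth required.
    steps.append(("other-ssid", cache.lookup(mac, "guest-mpsk", 20) is not None))
    # t=30: client goes idle; t=200: returns inside the 300 s window -> hit.
    cache.client_disconnected(mac, ssid, 30)
    steps.append(("return-in-window", cache.lookup(mac, ssid, 200) is not None))
    # t=210: idle again; t=600: returns after the window -> expired, miss.
    cache.client_disconnected(mac, ssid, 210)
    steps.append(("return-after-window", cache.lookup(mac, ssid, 600) is not None))
    # Repopulate for two clients, then a CoA disconnect wipes the whole cache.
    cache.store(mac, ssid, "device-one-passphrase")
    cache.store("aa:bb:cc:dd:ee:02", ssid, "iot-sensors-group-key")
    cache.client_disconnected(mac, ssid, 700, reason="coa")
    steps.append(("after-coa-entries", len(cache)))
    return steps


if __name__ == "__main__":
    for name, observed in roaming_scenario():
        print(f"{name}: {observed}")
```

The last step is the one worth noticing operationally: a CoA disconnect for a single client empties the cache for every client in the cluster, so the next association of each of them goes back to ClearPass for MAC authentication.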
Local Multiple PSK Operating Mode
In the Local MPSK operating mode, you can define up to 24 pre-shared keys per SSID on the gateway or the Instant AP without requiring an external policy engine such as ClearPass Policy Manager. These local PSKs serve as an extension of the base pre-shared key functionality. Local MPSK only supports passphrases in the form of strings; it does not support passphrases in the form of hex. Local MPSK is currently supported only on and security level SSIDs. Additionally, you may configure a user role for each passphrase, from which the user VLAN and access rules can be derived.
The following commands configure a local MPSK profile:
(Instant AP)(config)# wlan-mpsk-local <profile_name>
(Instant AP)(MPSK Local "profile_name")# mpsk-local-passphrase <key_name> <key> [role_name]