Chapter 6
Configuring WLANs
IKE Authentication
IPSec IKE (Internet Key Exchange) uses pre-shared key exchanges, X.509 (RSA Signatures) certificates,
and XAuth-psk for authentication. Enter these commands to enable IPSec IKE on a wireless LAN that
uses IPSec:
• config wlan security ipsec ike authentication certificates wlan-id
  – Use the certificates option to specify RSA signatures.
• config wlan security ipsec ike authentication xauth-psk wlan-id key
  – Use the xauth-psk option to specify XAuth pre-shared key.
  – For key, enter a pre-shared key from 8 to 255 case-sensitive ASCII characters.
• config wlan security ipsec ike authentication pre-shared-key wlan-id key
• Enter show wlan to verify that IPSec IKE is enabled.
IKE Diffie-Hellman Group
IPSec IKE uses Diffie-Hellman groups to block easily-decrypted keys. Enter these commands to
configure the Diffie-Hellman group on a wireless LAN with IPSec enabled:
• config wlan security ipsec ike DH-Group wlan-id group-id
  – For group-id, enter group-1, group-2 (this is the default setting), or group-5.
• Enter show wlan to verify that IPSec IKE DH group is configured.
IKE Phase 1 Aggressive and Main Modes
IPSec IKE uses the Phase 1 Aggressive (faster) or Main (more secure) mode to set up encryption between
clients and the controller. Enter these commands to specify the Phase 1 encryption mode for a wireless
LAN with IPSec enabled:
• config wlan security ipsec ike phase1 {aggressive | main} wlan-id
• Enter show wlan to verify that the Phase 1 encryption mode is configured.
IKE Lifetime Timeout
IPSec IKE uses its timeout to limit the time that an IKE key is active. Enter these commands to configure
an IKE lifetime timeout:
• config wlan security ipsec ike lifetime wlan-id seconds
  – For seconds, enter a value from 1800 to 345600 seconds. The default timeout is 28800 seconds.
• Enter show wlan to verify that the key timeout is configured.
OL-8335-02
Cisco Wireless LAN Controller Configuration Guide
Configuring Wireless LANs
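The following is an added example, not part of the Cisco guide or Cisco software: a small Python audit that reads the four IKE commands described above from a saved configuration and reports values outside the documented ranges, plus the choices the guide itself marks as less secure. The function name audit_ike, the policy of preferring group-5 over the other two groups, and the sample configuration are assumptions made for illustration.

```python
import re

# Command grammar and limits come from the page; preferring group-5 is an added policy assumption.
CMD = re.compile(r"^config wlan security ipsec ike (\S+)\s+(.*)$")
DH_GROUPS = ("group-1", "group-2", "group-5")   # group-2 is the default

def audit_ike(config_text):
    """Return sorted (wlan_id, finding) tuples for the IKE commands in config_text."""
    findings, wlans, dh_seen = set(), set(), set()
    for line in config_text.splitlines():
        m = CMD.match(line.strip())
        if not m:
            continue
        kind, args = m.group(1).lower(), m.group(2).split()
        if kind == "authentication" and len(args) >= 2:
            wlan, key = args[1], "".join(args[2:3])
            if args[0] != "certificates" and not (8 <= len(key) <= 255 and key.isascii()):
                findings.add((wlan, "key is not 8-255 ASCII characters"))
        elif kind == "dh-group" and len(args) == 2:
            wlan, group = args
            dh_seen.add(wlan)
            if group not in DH_GROUPS:
                findings.add((wlan, f"unknown DH group {group}"))
            elif group != "group-5":
                findings.add((wlan, f"{group} is weaker than group-5"))
        elif kind == "phase1" and len(args) == 2:
            mode, wlan = args
            if mode == "aggressive":
                findings.add((wlan, "aggressive mode; main is more secure"))
        elif kind == "lifetime" and len(args) == 2:
            wlan, secs = args
            if not (secs.isdigit() and 1800 <= int(secs) <= 345600):
                findings.add((wlan, f"lifetime {secs} outside 1800-345600 s"))
        else:
            continue
        wlans.add(wlan)
    for wlan in wlans - dh_seen:   # no DH-Group command seen: the default applies
        findings.add((wlan, "DH group left at default group-2"))
    return sorted(findings)

# Constructed sample configuration (not from a real controller).
SAMPLE = """\
config wlan security ipsec ike authentication pre-shared-key 1 short
config wlan security ipsec ike phase1 aggressive 1
config wlan security ipsec ike lifetime 1 600
config wlan security ipsec ike authentication certificates 2
config wlan security ipsec ike DH-Group 2 group-5
"""

print(audit_ike(SAMPLE))
```

In the sample, WLAN 1 produces four findings and WLAN 2 (certificates with group-5) produces none.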