Authentication Types
Cisco 3200 Series Wireless MIC Software Configuration Guide
Note
The unicast and multicast cipher suites advertised in the WPA information element (and negotiated during 802.11 association) can mismatch the cipher suite supported in an explicitly assigned VLAN. If the RADIUS server assigns a new VLAN ID that uses a cipher suite different from the one negotiated at association, the root device and the client device have no way to switch to the new cipher suite: WPA and CCKM do not allow the cipher suite to be changed after the initial 802.11 cipher negotiation phase. In this scenario, the non-root bridge is disassociated from the wireless LAN.
See the “Assigning Authentication Types to an SSID” section on page 16 for instructions on configuring WPA key management on your bridge.
Configuring Certificates Using the crypto pki CLI
This section explains how to import CA and router certificates using the crypto PKI CLI and how to add
a trustpoint to the dot1x credentials. Before any PKI operations can begin, the CA generates its own
public key pair and creates a self-signed CA certificate; thereafter, the CA can sign certificate requests
and begin peer enrollment for the PKI.
Note
The domain name and clock must be set before certificates are enrolled. The domain name forms part of the router's fully qualified name placed in the certificate request, and certificate validity dates are checked against the router clock; with an unset clock a freshly issued certificate is rejected as not yet valid.
You can import the CA and router certificates in any of the following ways:
• Configuration using cut and paste—Useful when there is no network connection between the router and the CA, or when scripting is required. The certificate request generated on the router is copied to the CA server, which issues a certificate for the router's key pair. Both the CA certificate and the router certificate are then pasted into the CLI.
• Configuration using TFTP—The certificate request generated on the router is automatically written to the TFTP server. After the CA certificate and the signed router certificate are copied from the CA server to the TFTP server, the router imports them automatically from the TFTP server.
• Configuration using SCEP—The CA and router certificates are imported automatically from the CA server over SCEP.
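In the cut-and-paste method the CA certificate arrives as a pasted PEM blob, and the router asks you to accept it based on a fingerprint; that acceptance is the trust anchor for every later certificate check, so the fingerprint must be compared with a value obtained from the CA operator out of band, and the router clock must fall inside the certificate's validity period (the Note above). The following is an added example, not code from the Cisco guide: a standard-library Python pre-check that recovers the DER from a pasted PEM block (tolerating the stray whitespace a terminal paste adds), computes a hex fingerprint, walks the X.509 structure to read notBefore/notAfter, and compares them with the router clock. The certificate is a constructed, unsigned X.509 skeleton built in the block (no real key), the fingerprint algorithm (MD5 hex digest) and the unset-clock value (1 March 1993) are assumptions for the demonstration, and all function names are the example's own.

```python
"""Pre-checks for the CA certificate you are about to paste into the router
during cut-and-paste enrollment.  Added example, standard library only; the
certificate below is a constructed X.509 DER skeleton (no real key or
signature), so its fingerprint matches nothing in the real world."""
import base64
import hashlib
import re
from datetime import datetime, timezone

SEQ, INT, BITSTR, NULL, OID, UTCTIME, GENTIME, CTX0 = (
    0x30, 0x02, 0x03, 0x05, 0x06, 0x17, 0x18, 0xA0)


def der(tag, body):
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_walk(buf):
    """Yield (tag, value) for each TLV in buf; enough for X.509 framing."""
    pos = 0
    while pos < len(buf):
        tag, length = buf[pos], buf[pos + 1]
        pos += 2
        if length & 0x80:                    # long-form length
            nbytes = length & 0x7F
            length = int.from_bytes(buf[pos:pos + nbytes], "big")
            pos += nbytes
        yield tag, buf[pos:pos + length]
        pos += length


def utc_time(dt):
    return der(UTCTIME, dt.strftime("%y%m%d%H%M%SZ").encode())


def build_skeleton_cert(not_before, not_after):
    """Constructed Certificate: TBSCertificate fields in RFC 5280 order up to
    validity, empty Names/SPKI and an empty signature.  Demo input only."""
    sha256_rsa = der(OID, bytes.fromhex("2a864886f70d01010b")) + der(NULL, b"")
    tbs = der(SEQ, b"".join([
        der(CTX0, der(INT, b"\x02")),        # version: v3
        der(INT, b"\x01"),                   # serialNumber
        der(SEQ, sha256_rsa),                # signature algorithm
        der(SEQ, b""),                       # issuer (empty for the demo)
        der(SEQ, utc_time(not_before) + utc_time(not_after)),  # validity
        der(SEQ, b""),                       # subject
        der(SEQ, b""),                       # subjectPublicKeyInfo placeholder
    ]))
    return der(SEQ, tbs + der(SEQ, sha256_rsa) + der(BITSTR, b"\x00"))


def der_to_pem(der_bytes):
    b64 = base64.b64encode(der_bytes).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def pem_to_der(text):
    """Recover the DER from a pasted PEM block, tolerating the stray spaces
    and CR/LF a terminal paste introduces."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block in pasted text")
    return base64.b64decode(re.sub(r"\s+", "", m.group(1)), validate=True)


def fingerprint(der_bytes, algo="md5"):
    """Hex digest of the DER (algorithm assumed); compare with the CA's value."""
    return hashlib.new(algo, der_bytes).hexdigest().upper()


def fingerprint_matches(shown, out_of_band):
    """Equal modulo case and separators ('AB:CD' vs 'abcd')."""
    def clean(s):
        return re.sub(r"[^0-9a-fA-F]", "", s).upper()
    return clean(shown) == clean(out_of_band)


def parse_time(tag, val):
    s = val.decode("ascii")
    if tag == UTCTIME:                       # YYMMDDHHMMSSZ, RFC 5280 century rule
        yy = int(s[:2])
        s = f"{1900 + yy if yy >= 50 else 2000 + yy}{s[2:]}"
    elif tag != GENTIME:                     # GeneralizedTime: YYYYMMDDHHMMSSZ
        raise ValueError(f"unexpected time tag {tag:#x}")
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def validity(der_bytes):
    """Return (notBefore, notAfter) by walking Certificate -> tbsCertificate."""
    (_, cert), = der_walk(der_bytes)
    tbs, _sig_alg, _sig = der_walk(cert)
    fields = list(der_walk(tbs[1]))
    i = 1 if fields[0][0] == CTX0 else 0     # explicit [0] version is optional
    nb, na = (parse_time(t, v) for t, v in der_walk(fields[i + 3][1]))
    return nb, na


def precheck(pem_text, out_of_band_fp, router_clock):
    """What to verify before accepting the pasted CA certificate."""
    der_bytes = pem_to_der(pem_text)
    nb, na = validity(der_bytes)
    return {"fingerprint_ok": fingerprint_matches(fingerprint(der_bytes), out_of_band_fp),
            "clock_ok": nb <= router_clock <= na,
            "not_before": nb, "not_after": na}


# Constructed demo data: CA certificate valid 2010-2020; a router clock that was
# never set (assumed 1 March 1993) and one that was.
NOT_BEFORE = datetime(2010, 1, 1, tzinfo=timezone.utc)
NOT_AFTER = datetime(2020, 1, 1, tzinfo=timezone.utc)
DEMO_DER = build_skeleton_cert(NOT_BEFORE, NOT_AFTER)
DEMO_PEM = der_to_pem(DEMO_DER)
UNSET_CLOCK = datetime(1993, 3, 1, tzinfo=timezone.utc)
GOOD_CLOCK = datetime(2015, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(precheck(DEMO_PEM, fingerprint(DEMO_DER), UNSET_CLOCK))  # clock_ok False
    print(precheck(DEMO_PEM, fingerprint(DEMO_DER), GOOD_CLOCK))   # clock_ok True
```

With the clock unset the check reports `clock_ok: False` even though the fingerprint matches, which is exactly the enrollment failure the Note warns about; a fingerprint that matches only after you "fix" the separators or case is still a match, but one that differs in a single hex digit means the pasted certificate is not the one the CA operator issued and must not be accepted.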
Configuration Using the Cut and Paste Method
To manually configure a trustpoint and import the CA and router certificate, follow these steps:

Step 1  Command: configure terminal
        Purpose: Enters global configuration mode.
Step 2  Command: crypto pki trustpoint name
        Purpose: Specifies the name of the trustpoint and enters ca-trustpoint configuration mode.
Step 3  Command: enrollment terminal
        Purpose: Specifies that the terminal is used for certificate enrollment: the certificate request is displayed on the console, and the CA and router certificates are pasted into it.
Step 4  Command: rsakeypair name 1024
        Purpose: Specifies that an RSA key pair with the given name and a 1024-bit modulus is generated for this trustpoint and used in the enrollment request. The 1024-bit length is the value shown in this guide; it is below current minimum recommendations (2048 bits or more), so use a longer modulus where the software image supports it.