Cisco Wireless LAN Controller Configuration Guide
OL-8335-02
Chapter 6 Configuring WLANs
Configuring Wireless LANs
IKE Authentication
IPSec IKE (Internet Key Exchange) uses pre-shared key exchanges, X.509 (RSA Signatures) certificates,
and XAuth-psk for authentication. Enter these commands to enable IPSec IKE on a wireless LAN that
uses IPSec:
• config wlan security ipsec ike authentication certificates wlan-id
  – Use the certificates option to specify RSA signatures.
• config wlan security ipsec ike authentication xauth-psk wlan-id key
  – Use the xauth-psk option to specify XAuth pre-shared key.
  – For key, enter a pre-shared key from 8 to 255 case-sensitive ASCII characters.
• config wlan security ipsec ike authentication pre-shared-key wlan-id key
• Enter show wlan to verify that IPSec IKE is enabled.
IKE Diffie-Hellman Group
IPSec IKE uses Diffie-Hellman groups to block easily-decrypted keys. Enter these commands to
configure the Diffie-Hellman group on a wireless LAN with IPSec enabled:
• config wlan security ipsec ike DH-Group wlan-id group-id
  – For group-id, enter group-1, group-2 (this is the default setting), or group-5.
• Enter show wlan to verify that IPSec IKE DH group is configured.
IKE Phase 1 Aggressive and Main Modes
IPSec IKE uses the Phase 1 Aggressive (faster) or Main (more secure) mode to set up encryption between
clients and the controller. Enter these commands to specify the Phase 1 encryption mode for a wireless
LAN with IPSec enabled:
• config wlan security ipsec ike phase1 {aggressive | main} wlan-id
• Enter show wlan to verify that the Phase 1 encryption mode is configured.
IKE Lifetime Timeout
IPSec IKE uses its timeout to limit the time that an IKE key is active. Enter these commands to configure
an IKE lifetime timeout:
• config wlan security ipsec ike lifetime wlan-id seconds
  – For seconds, enter a value from 1800 to 345600 seconds. The default timeout is 28800 seconds.
• Enter show wlan to verify that the key timeout is configured.
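The following Python check is an added example, not part of the Cisco guide: it validates the IKE commands from this chapter against the ranges stated above and flags the weaker choices before a change is pushed to a controller. The function name, the sample commands, applying the key-length rule to pre-shared-key, and the policy of flagging group-1 and aggressive mode are assumptions of this example.

```python
DH_GROUPS = ("group-1", "group-2", "group-5")   # values this section lists
LIFETIME = (1800, 345600)                        # seconds, range from this section
PREFIX = "config wlan security ipsec ike "

def audit_ike_command(line):
    """Return findings for one command; an empty list means nothing to report."""
    line = line.strip()
    if not line.startswith(PREFIX):
        return ["not an IPSec IKE command"]
    sub, *rest = line[len(PREFIX):].split() or [""]
    if sub == "authentication" and rest[:1] == ["certificates"]:
        return [] if len(rest) == 2 else ["expected: certificates wlan-id"]
    if sub == "authentication" and rest[:1] in (["xauth-psk"], ["pre-shared-key"]):
        if len(rest) != 3:  # assumes the key contains no whitespace
            return ["expected: %s wlan-id key" % rest[0]]
        # The 8-255 ASCII rule is stated for xauth-psk; applying it to
        # pre-shared-key too is an assumption of this example.
        ok = 8 <= len(rest[2]) <= 255 and rest[2].isascii()
        return [] if ok else ["key must be 8 to 255 ASCII characters"]
    if sub == "DH-Group":
        if len(rest) != 2 or rest[1] not in DH_GROUPS:
            return ["expected: DH-Group wlan-id group-1|group-2|group-5"]
        # Policy assumption: flag group-1, the 768-bit MODP group (smallest listed).
        return ["group-1 is the weakest DH group"] if rest[1] == "group-1" else []
    if sub == "phase1":
        if len(rest) != 2 or rest[0] not in ("aggressive", "main"):
            return ["expected: phase1 {aggressive|main} wlan-id"]
        # The section describes main mode as the more secure choice.
        return ["aggressive mode is less secure than main"] if rest[0] == "aggressive" else []
    if sub == "lifetime":
        if len(rest) != 2 or not rest[1].isdigit():
            return ["expected: lifetime wlan-id seconds"]
        in_range = LIFETIME[0] <= int(rest[1]) <= LIFETIME[1]
        return [] if in_range else ["lifetime must be 1800 to 345600 seconds"]
    return ["unknown IKE subcommand: " + sub]

# Constructed sample input: WLAN id 1 and both keys are made up for illustration.
SAMPLE = [
    "config wlan security ipsec ike authentication xauth-psk 1 short",
    "config wlan security ipsec ike authentication pre-shared-key 1 Example-Key-0001",
    "config wlan security ipsec ike DH-Group 1 group-1",
    "config wlan security ipsec ike phase1 aggressive 1",
    "config wlan security ipsec ike lifetime 1 600",
    "config wlan security ipsec ike lifetime 1 28800",
]

if __name__ == "__main__":
    for cmd in SAMPLE:
        print(cmd, "->", audit_ike_command(cmd) or "ok")
```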