Hello everyone.
In this post, we stay with Wireless LAN features and look at EAP-FAST. Configuring EAP-FAST is very similar to LEAP, which we introduced in the last post.
EAP-FAST (EAP Flexible Authentication via Secure Tunneling) is more secure than LEAP.
If you want to understand it in more depth, please read references 1 and 2.
// Topology //
Client )) (( AP ----- Switch ---- WLC (local authentication)
// How to //
1. Create a local EAP profile: go to [Security] > [Local EAP] > [Profiles] and create the EAP-FAST profile
2. Add EAP-FAST support to our profile
3. Go to [Security] > [Local EAP] > [EAP-FAST Parameters] and leave the settings at their defaults
Of course, you can change these parameters to match the customer's requirements. For example, we can choose 16 days instead of the default as the lifetime (TTL) of the PACs (Protected Access Credentials).
4. Create one WLAN and set up its Layer 2 security parameters. For example, we use the following settings
[screenshot: WLAN Layer 2 security settings]
In this example, we use "802.1X + CCKM" for Auth Key Mgmt. But in a real deployment, this choice depends on your clients.
If there are only Cisco 7921 phones in your network, you should select CCKM; "802.1X + CCKM" works very badly for Cisco 7921 phones.
Since a laptop PC may support 802.1X or CCKM, you should check which one it supports. Then you can decide whether to select 802.1X, CCKM or 802.1X + CCKM.
5. Enable local EAP-FAST authentication in the AAA Servers tab of the WLAN
6. Create a local user as follows
[screenshot: local net user settings]
Since the CPU of a Cisco 7921 phone is slower than a PC CPU, these phones take longer to process the PAC than a PC does. It is better to set a longer EAP request timeout than the default; 20 seconds is the default value. Unfortunately, you cannot set the EAP request timeout through the GUI, so use the CLI:
[CLI]
config advanced eap request-timeout 30
(WLC) >config advanced eap request-timeout 20
(WLC) >show advanced eap
EAP-Identity-Request Timeout (seconds)........... 30
EAP-Identity-Request Max Retries................. 2
EAP Key-Index for Dynamic WEP.................... 0
EAP Max-Login Ignore Identity Response........... enable
EAP-Request Timeout (seconds).................... 30
EAP-Request Max Retries.......................... 2
EAPOL-Key Timeout (milliseconds)................. 1000
EAPOL-Key Max Retries............................ 2
EAP-Broadcast Key Interval....................... 3600
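Because the EAP request timeout is only visible on the CLI, it is easy for it to drift back to the default on a replaced or restored controller. The following script is an added example (not part of the original post and not a Cisco tool): it parses the dotted-leader table printed by `show advanced eap` into a dictionary and reports whether the EAP-Request timeout meets the minimum you chose for slow clients such as the Cisco 7921 phones. The sample output embedded in the script is constructed to mirror the output above; the minimum of 30 seconds is this example's assumption, taken from the value set in the post.

```python
"""
Added example: audit the EAP timers of a Cisco WLC from the text of
`show advanced eap`. Not the post's own code; the sample output below is
constructed for this example, and the 30-second minimum is an assumption.
"""
import re

# Constructed sample of `show advanced eap` after the request timeout was raised.
SAMPLE_SHOW_ADVANCED_EAP = """\
(WLC) >show advanced eap
EAP-Identity-Request Timeout (seconds)........... 30
EAP-Identity-Request Max Retries................. 2
EAP Key-Index for Dynamic WEP.................... 0
EAP Max-Login Ignore Identity Response........... enable
EAP-Request Timeout (seconds).................... 30
EAP-Request Max Retries.......................... 2
EAPOL-Key Timeout (milliseconds)................. 1000
EAPOL-Key Max Retries............................ 2
EAP-Broadcast Key Interval....................... 3600
"""

# Setting name, a run of at least three dots, then the value (number or word).
LINE_RE = re.compile(r"^\s*(?P<name>.+?)\.{3,}\s*(?P<value>\S+)\s*$")

# Key as printed by the controller for the timer this post is about.
REQUEST_TIMEOUT_KEY = "EAP-Request Timeout (seconds)"


def parse_show_advanced_eap(text):
    """Return {setting name: value}; numeric values become ints."""
    settings = {}
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # prompt line or blank line
        name = match.group("name").strip()
        value = match.group("value")
        settings[name] = int(value) if value.isdigit() else value
    return settings


def audit_eap_timers(settings, min_request_timeout=30):
    """Return a list of findings (empty list means the timers pass)."""
    findings = []
    timeout = settings.get(REQUEST_TIMEOUT_KEY)
    if timeout is None:
        findings.append(f"'{REQUEST_TIMEOUT_KEY}' not found in show output")
    elif timeout < min_request_timeout:
        findings.append(
            f"EAP-Request Timeout is {timeout}s; at least {min_request_timeout}s "
            "is expected for slow clients such as Cisco 7921 phones"
        )
    return findings


if __name__ == "__main__":
    parsed = parse_show_advanced_eap(SAMPLE_SHOW_ADVANCED_EAP)
    for name, value in parsed.items():
        print(f"{name:45s} {value}")
    problems = audit_eap_timers(parsed)
    print("PASS" if not problems else "\n".join("FAIL: " + p for p in problems))
```

Paste the real `show advanced eap` output into `SAMPLE_SHOW_ADVANCED_EAP` (or read it from a file) to run the same check against a production controller; the parser ignores the prompt line, so the whole terminal capture can be used as-is.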
OK, see you next time.
// reference //
1. http://www.opus1.com/nac/whitepapers-old/e-eapfast-lv05.pdf
2. http://www.cisco.com/c/en/us/products/collateral/wireless/aironet-1300-series/prod_qas09186a00802030dc.html