Configuring Layer 2 Security

Prerequisites for Layer 2 Security

WLANs with the same SSID must have unique Layer 2 security policies so that clients can make a WLAN selection based on information advertised in beacon and probe responses. The available Layer 2 security policies are as follows:

  • None (open WLAN)
  • Static WEP or 802.1X
    Note
      • Because static WEP and 802.1X are both advertised by the same bit in beacon and probe responses, they cannot be differentiated by clients. Therefore, they cannot both be used by multiple WLANs with the same SSID.
      • WLAN WEP is not supported in 1810w Access Point.
  • CKIP
  • WPA/WPA2

    Note
      • Although WPA and WPA2 cannot be used by multiple WLANs with the same SSID, you can configure two WLANs with the same SSID with WPA/TKIP with PSK and Wi-Fi Protected Access (WPA)/Temporal Key Integrity Protocol (TKIP) with 802.1X, or with WPA/TKIP with 802.1X or WPA/AES with 802.1X.
      • A WLAN that is configured with TKIP support will not be enabled on an RM3000AC module.

Configuring Static WEP Keys (CLI)

Controllers can control static WEP keys across access points. Use these commands to configure static WEP for WLANs:

  • Disable the 802.1X encryption by entering this command:
    config wlan security 802.1X disable wlan_id
  • Configure 40/64-bit or 104/128-bit WEP keys by entering this command:
    config wlan security static-wep-key encryption wlan_id {40 | 104} {hex | ascii} key key_index

    Use the 40 or 104 option to specify 40/64-bit or 104/128-bit encryption. The default setting is 104/128.

    Use the hex or ascii option to specify the character format for the WEP key.

    Enter 10 hexadecimal digits (any combination of 0-9, a-f, or A-F) or five printable ASCII characters for 40-bit/64-bit WEP keys or enter 26 hexadecimal or 13 ASCII characters for 104-bit/128-bit keys.

    Enter a key index (sometimes called a key slot). The default value is 0, which corresponds to a key index of 1; the valid values are 0 to 3 (key index of 1 to 4).

Configuring Dynamic 802.1X Keys and Authorization (CLI)

Controllers can control 802.1X dynamic WEP keys using Extensible Authentication Protocol (EAP) across access points and support 802.1X dynamic key settings for WLANs.

Note

To use LEAP with lightweight access points and wireless clients, make sure to choose Cisco-Aironet as the RADIUS server type when configuring the CiscoSecure Access Control Server (ACS).

  • Check the security settings of each WLAN by entering this command:
    show wlan wlan_id

The default security setting for new WLANs is 802.1X with dynamic keys enabled. To maintain robust Layer 2 security, leave 802.1X configured on your WLANs.

Disable or enable the 802.1X authentication by entering this command:
config wlan security 802.1X {enable | disable} wlan_id

After you enable 802.1X authentication, the controller sends EAP authentication packets between the wireless client and the authentication server. This command allows all EAP-type packets to be sent to and from the controller.

Note

The controller performs both web authentication and 802.1X authentication in the same WLAN. The clients are initially authenticated with 802.1X. After a successful authentication, the client must provide the web authentication credentials. After a successful web authentication, the client is moved to the run state.

Change the 802.1X encryption level for a WLAN by entering this command:
config wlan security 802.1X encryption wlan_id [0 | 40 | 104]

  • Use the 0 option to specify no 802.1X encryption.
  • Use the 40 option to specify 40/64-bit encryption.
  • Use the 104 option to specify 104/128-bit encryption. (This is the default encryption setting.)

Configuring 802.11r BSS Fast Transition

Restrictions for 802.11r Fast Transition

  • This feature is not supported on Mesh access points.
  • For access points in FlexConnect mode:
    • 802.11r Fast Transition is supported in central and locally switched WLANs.
    • This feature is not supported for the WLANs enabled for local authentication.
  • 802.11r client association is not supported on access points in standalone mode.
  • 802.11r fast roaming is not supported on access points in standalone mode.
  • 802.11r fast roaming between local authentication and central authentication WLAN is not supported.
  • 802.11r fast roaming works only if the APs are in the same FlexConnect group.
  • This feature is not supported on Linux-based APs such as Cisco 600 Series OfficeExtend Access Points.
  • 802.11r fast roaming is not supported if the client uses Over-the-DS preauthentication in standalone mode.
  • EAP LEAP method is not supported. WAN link latency prevents association time to a maximum of 2 seconds.
  • The service from standalone AP to client is only supported until the session timer expires.

TSpec is not supported for 802.11r fast roaming. Therefore, RIC IE handling is not supported.

If WAN link latency exists, fast roaming is also delayed. Voice or data maximum latency should be verified. The Cisco WLC handles 802.11r Fast Transition authentication request during roaming for both Over-the-Air and Over-the-DS methods.

This feature is supported only on open and WPA2 configured WLANs.

Legacy clients cannot associate with a WLAN that has 802.11r enabled if the driver of the supplicant that is responsible for parsing the Robust Security Network Information Exchange (RSN IE) is old and not aware of the additional AKM suites in the IE. Due to this limitation, clients cannot send association requests to WLANs. These clients, however, can still associate with non-802.11r WLANs. Clients that are 802.11r capable can associate as 802.11i clients on WLANs that have both 802.11i and 802.11r Authentication Key Management Suites enabled.

The workaround is to enable or upgrade the driver of the legacy clients to work with the new 802.11r AKMs, after which the legacy clients can successfully associate with 802.11r enabled WLANs.

Another workaround is to have two SSIDs with the same name but with different security settings (FT and non-FT).

Fast Transition resource request protocol is not supported because clients do not support this protocol. Also, the resource request protocol is an optional protocol.

To avoid any Denial of Service (DoS) attack, each Cisco WLC allows a maximum of three Fast Transition handshakes with different APs.

Non-802.11r capable devices will not be able to associate with an FT-enabled WLAN.

802.11r FT + PMF is not recommended.

802.11r FT Over-the-Air roaming is recommended for FlexConnect deployments.

Information About 802.11r Fast Transition

802.11r, which is the IEEE standard for fast roaming, introduces a new concept of roaming where the initial handshake with the new AP is done even before the client roams to the target AP, which is called Fast Transition (FT). The initial handshake allows the client and APs to do the Pairwise Transient Key (PTK) calculation in advance. These PTK keys are applied to the client and AP after the client does the reassociation request or response exchange with new target AP.

802.11r provides two methods of roaming:

  • Over-the-Air
  • Over-the-DS (Distribution System)

The FT key hierarchy is designed to allow clients to make fast BSS transitions between APs without requiring reauthentication at every AP. WLAN configuration contains a new Authenticated Key Management (AKM) type called FT (Fast Transition).

From Release 8.0, you can create an 802.11r WLAN that is also a WPAv2 WLAN. In earlier releases, you had to create separate WLANs for 802.11r and for normal security. Non-802.11r clients can now join 802.11r-enabled WLANs as the 802.11r WLANs can accept non-802.11r associations. If clients do not support mixed mode or 802.11r join, they can join non-802.11r WLANs. When you configure FT PSK and later define PSK, clients that can join only PSK can now join the WLAN in mixed mode.

How a Client Roams

For a client to move from its current AP to a target AP using the FT protocols, the message exchanges are performed using one of the following two methods:

  • Over-the-Air—The client communicates directly with the target AP using IEEE 802.11 authentication with the FT authentication algorithm.
  • Over-the-DS—The client communicates with the target AP through the current AP. The communication between the client and the target AP is carried in FT action frames between the client and the current AP and is then sent through the controller.

This figure shows the sequence of message exchanges that occur when Over the Air client roaming is configured.

Figure 1: Message Exchanges when Over the Air client roaming is configured

The diagram depicts a mobility domain (M1) with two controllers (Controller-1, Controller-2) and two access points (AP1, AP2). AP1 is connected to Controller-1, and AP2 is connected to Controller-2. Client C1 is associated with AP1. A dotted line indicates the roaming direction from AP1 towards AP2. The actual communication path is shown as a solid line from Client C1 to AP1, then dashed lines connecting AP1 to Controller-1, Controller-1 to Controller-2, and Controller-2 to AP2. An arrow from AP1 to Client C1 signifies an '802.11 auth request', and an arrow from Client C1 to AP1 signifies an '802.11 auth response'. A line from Controller-1 to Controller-2 is labeled 'Mobility update for C1'.

This figure shows the sequence of message exchanges that occur when Over the DS client roaming is configured.

Figure 2: Message Exchanges when Over the DS client roaming is configured

The diagram illustrates a mobility domain (M1) with two controllers (Controller-1, Controller-2) and two access points (AP1, AP2). Client C1 is associated with AP1. A dotted line indicates the roaming direction from AP1 towards AP2. The actual communication path is shown as a solid line from Client C1 to AP1. A dashed line represents the client's logical FT communication, extending from Client C1 to AP1, then to Controller-1, Controller-2, and finally to AP2. An arrow from AP1 to Client C1 is labeled 'FT Request', and an arrow from Client C1 to AP1 is labeled 'FT Response'. A line from Controller-1 to Controller-2 is labeled 'Mobility update for C1'.

Configuring 802.11r Fast Transition (GUI)

  1. Choose WLANs to open the WLANs window.
  2. Click a WLAN ID to open the WLANs > Edit window.
  3. Choose Security > Layer 2 tab.
  4. From the Layer 2 Security drop-down list, choose WPA+WPA2. The Authentication Key Management parameters for Fast Transition are displayed.
  5. From the Fast Transition drop-down list, choose Fast Transition on the WLAN.
  6. Check or uncheck the Over the DS check box to enable or disable Fast Transition over a distributed system. This option is available only if you enable Fast Transition or if Fast Transition is adaptive. To use 802.11r Fast Transition over-the-air and over-the-ds must be disabled.
  7. In the Reassociation Timeout field, enter the number of seconds after which the reassociation attempt of a client to an AP should time out. The valid range is 1 to 100 seconds.

Configuring 802.11r Fast Transition (CLI)

  1. To enable or disable 802.11r fast transition parameters, use the command:
    config wlan security ft {enable | disable} wlan-id
  2. To enable or disable 802.11r fast transition parameters over a distributed system, use the command:
    config wlan security ft over-the-ds {enable | disable} wlan-id

    Client devices normally prefer fast transition over-the-ds if the capability is advertised in the WLAN. To force a client to perform fast transition over-the-air, disable fast transition over-the-ds.

  3. To enable or disable the authentication key management for fast transition using preshared keys (PSK), use the command:
    config wlan security wpa akm ft psk {enable | disable} wlan-id

    By default, the authentication key management using PSK is disabled.

  4. To enable or disable authentication key management for adaptive using PSK, use the command:
    config wlan security wpa akm psk {enable | disable} wlan-id
  5. To enable or disable authentication key management for fast transition using 802.1X, use the command:
    config wlan security wpa akm ft-802.1X {enable | disable} wlan-id

    By default, authentication key management using 802.1X is enabled.

  6. To enable or disable authentication key management for adaptive using 802.1x, use the command:
    config wlan security wpa akm 802.1x {enable | disable} wlan-id
    Note

    When Fast Transition adaptive is enabled, you can use only 802.1X and PSK AKM.

  7. To enable or disable 802.11r fast transition reassociation timeout, use the command:
    config wlan security ft reassociation-timeout timeout-in-seconds wlan-id

    The valid range is 1 to 100 seconds. The default value of reassociation timeout is 20 seconds.

  8. To view the fast transition configuration on a WLAN, use the command:
    show wlan wlan-id
  9. To view the fast transition configuration on a client, use the command:
    show client detail client-mac
    Note

    This command is relevant only for a connected or connecting client station (STA).

  10. To enable or disable debugging of fast transition events, use the command:
    debug ft events {enable | disable}

Troubleshooting 802.11r BSS Fast Transition

  • Symptom: Non-802.11r legacy clients are no longer connecting.
    Resolution: Check if the WLAN has FT enabled. If so, a non-FT WLAN will need to be created.
  • Symptom: When configuring WLAN, the FT setup options are not shown.
    Resolution: Check if WPA2 is being used (802.1x / PSK). FT is supported only on WPA2 and OPEN SSIDs.
  • Symptom: 802.11r clients appear to reauthenticate when they do a Layer 2 roam to a new controller.
    Resolution: Check if the reassociation timeout has been lowered from the default of 20 by navigating to WLANs > WLAN Name > Security > Layer 2 on the controller GUI.

Configuring MAC Authentication Failover to 802.1X Authentication

You can configure the controller to start 802.1X authentication when MAC authentication with static WEP for the client fails. If the RADIUS server rejects an access request from a client instead of deauthenticating the client, the controller can force the client to undergo an 802.1X authentication. If the client fails the 802.1X authentication too, then the client is deauthenticated.

If MAC authentication is successful and the client requests for an 802.1X authentication, the client has to pass the 802.1X authentication to be allowed to send data traffic. If the client does not choose an 802.1X authentication, the client is declared to be authenticated if the client passes the MAC authentication.

Note

WLAN with WPA2 + 802.1X + WebAuth with WebAuth on MAC failure is not supported.

Configuring MAC Authentication Failover to 802.1x Authentication (GUI)

  1. Choose WLANs > WLAN ID to open the WLANs > Edit page.
  2. In the Security tab, click the Layer 2 tab.
  3. Select the MAC Filtering check box.
  4. Select the Mac Auth or Dot1x check box.

Configuring MAC Authentication Failover to 802.1X Authentication (CLI)

To configure MAC authentication failover to 802.1X authentication, enter this command:
config wlan security 802.1X on-macfilter-failure {enable | disable} wlan-id

Configuring 802.11w

Restrictions for 802.11w

  • Cisco's legacy Management Frame Protection is not related to the 802.11w standard that is implemented in the 7.4 release.
  • The 802.11w standard is supported on all 802.11n capable APs except those that are configured for FlexConnect operation.
  • The 802.11w standard is supported on the following Cisco Wireless LAN Controller model series: 2500, 5500, 8500, and WiSM2. The 802.11w standard is not supported on the following Cisco Wireless LAN Controller models: Flex 7500 and Virtual Wireless LAN Controller.
  • When 802.11w is set to optional and the keys are set, the AKM suite still shows 802.11w as disabled; this is a Wi-Fi limitation.
  • 802.11w cannot be applied on an open WLAN, WEP-encrypted WLAN, or a TKIP-encrypted WLAN.
  • The WLAN on which 802.11w is configured must have either WPA2-PSK or WPA2-802.1x security configured.

Information About 802.11w

Wi-Fi is a broadcast medium that enables any device to eavesdrop and participate either as a legitimate or rogue device. Control and management frames such as authentication/deauthentication, association/disassociation, beacons, and probes are used by wireless clients to select an AP and to initiate a session for network services.

Unlike data traffic which can be encrypted to provide a level of confidentiality, these frames must be heard and understood by all clients and therefore must be transmitted as open or unencrypted. While these frames cannot be encrypted, they must be protected from forgery to protect the wireless medium from attacks. For example, an attacker could spoof management frames from an AP to tear down a session between a client and AP.

The 802.11w standard for Management Frame Protection is implemented in the 7.4 release.

The 802.11w protocol applies only to a set of robust management frames that are protected by the Protected Management Frames (PMF) service. These include Disassociation, Deauthentication, and Robust Action frames. Management frames that are considered as robust action and therefore protected are the following:

  • Spectrum Management
  • QoS
  • DLS
  • Block Ack
  • Radio Measurement
  • Fast BSS Transition
  • SA Query
  • Protected Dual of Public Action
  • Vendor-specific Protected

When 802.11w is implemented in the wireless medium, the following occur:

  • Client protection: the AP adds cryptographic protection (by including the MIC information element) to deauthentication and disassociation frames, which prevents them from being spoofed in a DoS attack.
  • Infrastructure protection: a Security Association (SA) teardown protection mechanism, consisting of an Association Comeback Time and an SA-Query procedure, prevents spoofed association requests from disconnecting an already connected client.

Configuring 802.11w (GUI)

  1. Choose WLANs > WLAN ID to open the WLANs > Edit page.
  2. In the Security tab, choose the Layer 2 security tab.
  3. From the Layer 2 Security drop-down list, choose WPA+WPA2. The 802.11w IGTK Key is derived using the 4-way handshake, which means that it can only be used on WLANs that are configured for WPA2 security at Layer 2.
    Note

    WPA2 is mandatory and encryption type must be AES. TKIP is not valid.

  4. Choose the PMF state from the drop-down list. The following options are available:
    • Disabled—Disables 802.11w MFP protection on a WLAN
    • Optional—To be used if the client supports 802.11w.
    • Required—Ensures that the clients that do not support 802.11w cannot associate with the WLAN.
  5. If you choose the PMF state as either Optional or Required, do the following:
    • In the Comeback Timer box, enter the association comeback interval in milliseconds. It is the time within which the access point reassociates with the client after a valid security association.
    • In the SA Query Timeout box, enter the maximum time before a Security Association (SA) query times out.
  6. In the Authentication Key Management section, follow these steps:
    • Select or unselect the PMF 802.1X check box to configure the 802.1X authentication for the protection of management frames.
    • Select or unselect the PMF PSK check box to configure the preshared keys for PMF. Choose the PSK format as either ASCII or Hexadecimal and enter the PSK.
  7. Click Apply.
  8. Click Save Configuration.

Configuring 802.11w (CLI)

  • Configure the 802.1X authentication for PMF by entering this command:
    config wlan security wpa akm pmf 802.1x {enable | disable} wlan-id
  • Configure the preshared key support for PMF by entering this command:
    config wlan security wpa akm pmf psk {enable | disable} wlan-id
  • If not done, configure a preshared key for a WLAN by entering this command:
    config wlan security wpa akm psk set-key {ascii | hex} psk wlan-id
  • Configure protected management frames by entering this command:
    config wlan security pmf {disable | optional | required} wlan-id
  • Configure the association comeback time settings by entering this command:
    config wlan security pmf association-comeback timeout-in-seconds wlan-id
  • Configure the SA query retry timeout settings by entering this command:
    config wlan security pmf saquery-retrytimeout timeout-in-milliseconds wlan-id
  • See the 802.11w configuration status for a WLAN by entering this command:
    show wlan wlan-id
  • Configure the debugging of PMF by entering this command:
    debug pmf events {enable | disable}
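
To confirm over the air what the 802.11r and 802.11w settings above produce, the following added example (not Cisco code and not part of the original guide) decodes the body of an RSN information element, lists the AKM suites that a supplicant must be able to parse, and maps the MFPC/MFPR capability bits to the Disabled, Optional and Required PMF states. The element bodies are constructed samples and the function names and finding texts are this example's own; the suite numbers are the IEEE 802.11 assignments under OUI 00-0F-AC.

```python
import struct

# IEEE 802.11 suite selectors under OUI 00-0F-AC (only the types this page touches).
RSN_OUI = bytes.fromhex("000fac")
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK",
        5: "802.1X-SHA256", 6: "PSK-SHA256"}
FT_AKMS = {"FT-802.1X", "FT-PSK"}
MFPR, MFPC = 0x0040, 0x0080  # RSN Capabilities bits 6 and 7


def _suite(raw, table):
    """Name one 4-byte suite selector (3-byte OUI + 1-byte type)."""
    if raw[:3] == RSN_OUI and raw[3] in table:
        return table[raw[3]]
    return "unknown(%s:%d)" % (raw[:3].hex(), raw[3])


def _suite_list(body, off, table):
    """Read a 2-byte little-endian count followed by that many selectors."""
    if off + 2 > len(body):
        raise ValueError("truncated RSN element: missing suite count")
    (count,) = struct.unpack_from("<H", body, off)
    end = off + 2 + 4 * count
    if end > len(body):
        raise ValueError("truncated RSN element: suite list cut short")
    return [_suite(body[i:i + 4], table) for i in range(off + 2, end, 4)], end


def parse_rsn(body):
    """Decode the body of an RSN element (tag 48), without tag/length bytes."""
    if len(body) < 6:
        raise ValueError("truncated RSN element: no version/group cipher")
    (version,) = struct.unpack_from("<H", body, 0)
    if version != 1:
        raise ValueError("unsupported RSN version %d" % version)
    pairwise, off = _suite_list(body, 6, CIPHERS)
    akms, off = _suite_list(body, off, AKMS)
    if off + 2 > len(body):
        raise ValueError("truncated RSN element: missing capabilities")
    (caps,) = struct.unpack_from("<H", body, off)
    return {"group": _suite(body[2:6], CIPHERS), "pairwise": pairwise,
            "akms": akms, "mfpc": bool(caps & MFPC), "mfpr": bool(caps & MFPR)}


def pmf_state(rsn):
    """Map the MFPC/MFPR bits to the PMF states named in the GUI procedure."""
    if rsn["mfpc"] and rsn["mfpr"]:
        return "required"
    return "optional" if rsn["mfpc"] else "disabled"


def audit(rsn):
    """Return findings based on the restrictions stated in this guide."""
    findings = []
    ft = [a for a in rsn["akms"] if a in FT_AKMS]
    non_ft = [a for a in rsn["akms"] if a not in FT_AKMS]
    pmf = pmf_state(rsn)
    if ft and not non_ft:
        findings.append("only FT AKMs advertised: non-802.11r clients cannot associate")
    if ft and non_ft:
        findings.append("FT and non-FT AKMs mixed: supplicants with old RSN IE "
                        "parsers may fail to associate")
    if pmf != "disabled" and "TKIP" in rsn["pairwise"] + [rsn["group"]]:
        findings.append("PMF advertised with TKIP: 802.11w requires AES")
    if ft and pmf != "disabled":
        findings.append("FT combined with PMF: not recommended")
    return findings


# Constructed RSN element bodies (not captures from a real network).
MIXED_FT = bytes.fromhex("0100" "000fac04" "0100" "000fac04"
                         "0200" "000fac01" "000fac03" "0000")
PMF_REQUIRED = bytes.fromhex("0100" "000fac04" "0100" "000fac04"
                             "0100" "000fac06" "c000")
FT_PMF_TKIP = bytes.fromhex("0100" "000fac02" "0200" "000fac02" "000fac04"
                            "0100" "000fac04" "8000")

if __name__ == "__main__":
    for name, body in [("mixed FT", MIXED_FT), ("PMF required", PMF_REQUIRED),
                       ("FT+PMF+TKIP", FT_PMF_TKIP)]:
        rsn = parse_rsn(body)
        print(name, rsn["akms"], "PMF", pmf_state(rsn), audit(rsn))
```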

Configuring 802.11v

Prerequisites for Configuring 802.11v

In Cisco Wireless LAN Controller Release 8.1, the 802.11v feature:

  • Applies to Apple clients, such as iPad and iPhone, that run Apple iOS version 7 or later.
  • Supports local mode; also supports FlexConnect access points in central authentication modes only.

Restrictions for Configuring 802.11v

In Cisco Wireless Controller Release 8.1, the 802.11v feature is applicable only on the following Cisco Wireless Controller models:

  • Cisco 5500 Series Wireless Controllers
  • Cisco WiSM2
  • Cisco Flex 7500 Series Wireless Controllers
  • Cisco 8500 Series Wireless Controllers

Information About 802.11v

From Release 8.1, the controller supports the 802.11v amendment for wireless networks, which describes numerous enhancements to wireless network management.

One such enhancement is Network assisted Power Savings which helps clients to improve battery life by enabling them to sleep longer. As an example, mobile devices typically use a certain amount of idle period to ensure that they remain connected to access points and therefore consume more power when performing the following tasks while in a wireless network.

Another enhancement is Network assisted Roaming which enables the WLAN to send requests to associated clients, advising the clients as to better APs to associate to. This is useful for both load balancing and in directing poorly connected clients.

Enabling 802.11v Network Assisted Power Savings

Wireless devices consume battery to maintain their connection to the clients, in several ways:

  • By waking up at regular intervals to listen to the access point beacons containing a DTIM, which indicates buffered broadcast or multicast traffic that the access point will deliver to the clients.
  • By sending null frames to the access points, in the form of keepalive messages to maintain connection with access points.
  • Devices also periodically listen to beacons (even in the absence of DTIM fields) to synchronize their clock to that of the corresponding access point.

All these processes consume battery and this consumption particularly impacts devices (such as Apple), because these devices use a conservative session timeout estimation, and therefore, wake up often to send keepalive messages. The 802.11 standard, without 802.11v, does not include any mechanism for the controller or the access points to communicate to wireless clients about the session timeout for the local client.

To save the power of clients due to the mentioned tasks in wireless network, the following features in the 802.11v standard are used:

  • Directed Multicast Service
  • Basic Service Set (BSS) Max Idle Period

Using Directed Multicast Service (DMS), the client requests the access point to transmit the required multicast packet as unicast frames. This allows the client to receive the multicast packets it has ignored while in sleep mode and also ensures Layer 2 reliability. Furthermore, the unicast frame will be transmitted to the client at a potentially higher wireless link rate which enables the client to receive the packet quickly by enabling the radio for a shorter duration, thus also saving battery power. Since the wireless client also does not have to wake up at each DTIM interval in order to receive multicast traffic, longer sleeping intervals are allowed.

The BSS Max Idle period is the timeframe during which an access point (AP) does not disassociate a client due to nonreceipt of frames from the connected client. This helps ensure that the client device does not send keepalive messages frequently. The idle period timer value is transmitted using the association and reassociation response frame from the access point to the client. The idle time value indicates the maximum time a client can remain idle without transmitting any frame to an access point. As a result, the clients remain in sleep mode for a longer duration without transmitting the keepalive messages often. This in turn contributes to saving battery power.

Configuring 802.11v Network Assisted Power Savings (CLI)

  • Configure the value of BSS Max Idle period by entering these commands:
    • config wlan usertimeout wlan-id
    • config wlan bssmaxidle {enable | disable} wlan-id
  • Configure DMS by entering this command:
    config wlan dms {enable | disable} wlan-id

Monitoring 802.11v Network Assisted Power Savings (CLI)

Execute the commands described in this section to monitor the DMS and BSS Max Idle time using the CLI.

  • Display DMS information on each radio slot on an access point by entering the show controller d1/d0 | begin DMS command on the access point.
  • Track the DMS requests processed by the controller by entering the following commands:
    • debug 11v all {enable | disable}
    • debug 11v errors {enable | disable}
    • debug 11v detail {enable | disable}
  • Enable or disable 802.11v debug by entering the debug 11v detail command on the WLC.
  • Track the DMS requests processed by an access point by entering the debug dot11 dot11v command on the access point.

Configuration Examples for 802.11v Network Assisted Power Savings

The following example displays a BSS Max Idle period value seen in an access point's association and reassociation response:

Tag: BSS Max Idle Period
Tag number: BSS Max Idle Period (90)
Tag Length: 3
BSS Max Idle Period (1000 TUS) :300
...0 = BSS Max Idle Period Options: Protected Keep-Alive Required:0
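
The same element decoded from raw bytes, as an added example that is not part of the original guide or Cisco code: it walks the tagged parameters of an association response, validates each length, and converts the BSS Max Idle Period into seconds along with the Protected Keep-Alive Required bit. The sample bytes are constructed to match the values shown above, and the function names are this example's own.

```python
import struct

TAG_BSS_MAX_IDLE = 90        # element ID shown in the output above
TU_MICROSECONDS = 1024       # one 802.11 time unit (TU) is 1024 microseconds


def iter_elements(tagged):
    """Yield (tag, value) for each tag/length/value element; reject overruns."""
    off = 0
    while off < len(tagged):
        if off + 2 > len(tagged):
            raise ValueError("dangling element header at offset %d" % off)
        tag, length = tagged[off], tagged[off + 1]
        value = tagged[off + 2:off + 2 + length]
        if len(value) != length:
            raise ValueError("element %d overruns the frame" % tag)
        yield tag, value
        off += 2 + length


def decode_bss_max_idle(value):
    """Decode the 3-byte value: 16-bit period (units of 1000 TU) + options."""
    if len(value) != 3:
        raise ValueError("BSS Max Idle Period must have Tag Length 3")
    period, options = struct.unpack("<HB", value)
    return {
        "period_1000tu": period,
        "seconds": period * 1000 * TU_MICROSECONDS / 1_000_000,
        # Bit 0 set: only an RSN-protected frame resets the idle timer.
        # Bit 0 clear: any frame from the client, protected or not, resets it.
        "protected_keepalive": bool(options & 0x01),
    }


def find_bss_max_idle(tagged):
    """Return the decoded element, or None when tag 90 is not advertised."""
    for tag, value in iter_elements(tagged):
        if tag == TAG_BSS_MAX_IDLE:
            return decode_bss_max_idle(value)
    return None


# Constructed tagged parameters: Supported Rates (tag 1), then tag 90
# carrying period 300 (0x012c, little-endian) and options 0x00.
SAMPLE = bytes.fromhex("0104" "82848b96" "5a03" "2c01" "00")

if __name__ == "__main__":
    info = find_bss_max_idle(SAMPLE)
    print("idle period: %d x 1000 TU = %.1f s, protected keep-alive required: %s"
          % (info["period_1000tu"], info["seconds"], info["protected_keepalive"]))
```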

The following example displays the DMS information (if enabled) for each client in an access point:

Global DMS - requests:1 uc:0 drop:0
DMS enabled on WLAN(s): 11v
DMS Database:
Entry 1: mask=0x55 version=4 dstIp=0xE00000FB srcIp=0x00000000 dstPort=9 srcPort=0 dcsp=0 protocol=17
{Client, SSID}: {8C:29:37:7B:D0:4E, 11v},

The following example displays a sample output for the show wlan wlan-id command with 802.11v parameters:

WLAN Identifier................4
Profile Name...................Mynet
802.11v Directed Multicast Service........Disabled
802.11v BSS Max Idle Service..............Enabled
802.11v BSS Max Idle Protected Mode..............Disabled
802.11v TFS Service..............Disabled
802.11v BSS Transition Service..............Disabled
802.11v WNM Sleep Mode Service..............Disabled
DMS DB is empty

Enabling 802.11v BSS Transition Management

802.11v BSS Transition is applied in the following three scenarios:

  • Solicited request—Client can send an 802.11v Basic Service Set (BSS) Transition Management Query before roaming for a better option of AP to reassociate with.
  • Unsolicited Load Balancing request—If an AP is heavily loaded, it sends out an 802.11v BSS Transition Management Request to an associated client.
  • Unsolicited Optimized Roaming request—If a client's RSSI and rate do not meet the requirements, the corresponding AP sends out an 802.11v BSS Transition Management Request to this client.
Note

802.11v BSS Transition Management Request is a suggestion (or advice) given to a client, which the client can choose to follow or ignore. To force the task of disassociating a client, turn on the disassociation-imminent function. This disassociates the client after a period of time if the client is not reassociated to another AP.

Restrictions

Client needs to support 802.11v BSS Transition.

Enable 802.11v BSS Transition Management on the Cisco WLC

To enable 802.11v BSS transition management on a controller, enter the following commands:

config wlan bss-transition enable wlan-id

config wlan disassociation-imminent enable wlan-id

Troubleshooting

To troubleshoot 802.11v BSS transition, enter the following command:

debug 11v all
