Chapter 8 Wireless LAN Profiles
NWA/WAC Series CLI Reference Guide
Table 26 Command Summary: Security Profile (continued)

COMMAND
    DESCRIPTION

[no] dot11w
    Data frames in 802.11 WLANs can be encrypted and authenticated with WEP, WPA or WPA2. But 802.11 management frames, such as beacon/probe response, association request, association response, de-authentication and disassociation are always unauthenticated and unencrypted. IEEE 802.11w Protected Management Frames allows APs to use the existing security mechanisms (encryption and authentication methods defined in IEEE 802.11i WPA/WPA2) to protect management frames. This helps prevent wireless DoS attacks.
    Enables management frame protection (MFP) to add security to 802.11 management frames. Use the no parameter to disable it.

dot11w-op <1..2>
    Sets whether wireless clients have to support management frame protection in order to access the wireless network.
    1: if you do not require the wireless clients to support MFP. Management frames will be encrypted if the clients support MFP.
    2: wireless clients must support MFP in order to join the NWA/WAC’s wireless network.

group-key <30..30000>
    Sets the interval (in seconds) at which the AP updates the group WPA/WPA2 encryption key.
    The default is 1800.

[no] dot1x-eap
    Enables 802.1x secure authentication. Use the no parameter to disable it.

eap {external | internal auth_method}
    Sets the 802.1x authentication method.

[no] mac-auth activate
    MAC authentication has the AP use an external server to authenticate wireless clients by their MAC addresses. Users cannot get an IP address if the MAC authentication fails. The no parameter turns it off.
    RADIUS servers can require the MAC address in the wireless client’s account (username/password) or Calling Station ID RADIUS attribute.

mac-auth auth-method auth_method
    Sets the authentication method for MAC authentication.

mac-auth case account {upper | lower}
    Sets the case (upper or lower) the external server requires for using MAC addresses as the account username and password.
    For example, use mac-auth case account upper and mac-auth delimiter account dash if you need to use a MAC address formatted like 00-11-AC-01-A0-11 as the username and password.

mac-auth case calling-station-id {upper | lower}
    Sets the case (upper or lower) the external server requires for letters in MAC addresses in the Calling Station ID RADIUS attribute.

mac-auth delimiter account {colon | dash | none}
    Specify the separator the external server uses for the two-character pairs within MAC addresses used as the account username and password.
    For example, use mac-auth case account upper and mac-auth delimiter account dash if you need to use a MAC address formatted like 00-11-AC-01-A0-11 as the username and password.

mac-auth delimiter calling-station-id {colon | dash | none}
    Select the separator the external server uses for the pairs in MAC addresses in the Calling Station ID RADIUS attribute.

[no] server-auth <1..2> activate
    Activates server authentication. Use the no parameter to deactivate.
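
One way to work out the mac-auth case and mac-auth delimiter commands from a MAC string as it is already stored on the RADIUS server, and to preview what the AP will send for a given pair of settings. This is an added example, not part of the guide or of Zyxel's software; the function names format_mac and infer_settings are hypothetical, and the sample MAC is the one from the guide's own example.

```python
import re

# Keywords accepted by "mac-auth delimiter ..." and the separator each one produces.
DELIMS = {"colon": ":", "dash": "-", "none": ""}
# Six hex pairs with one consistent separator (":", "-" or nothing) between them.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-]?)[0-9A-Fa-f]{2}(?:\1[0-9A-Fa-f]{2}){4}$")
FIELDS = ("account", "calling-station-id")


def format_mac(mac, case, delimiter):
    """Render a MAC as the AP would send it for the given case/delimiter keywords."""
    m = MAC_RE.match(mac)
    if not m or case not in ("upper", "lower") or delimiter not in DELIMS:
        raise ValueError(f"bad MAC or setting: {mac!r}, {case!r}, {delimiter!r}")
    digits = mac.replace(m.group(1), "") if m.group(1) else mac
    digits = digits.upper() if case == "upper" else digits.lower()
    return DELIMS[delimiter].join(digits[i:i + 2] for i in range(0, 12, 2))


def infer_settings(stored, field="account"):
    """Return the mac-auth commands that make the AP match a server-side MAC string."""
    m = MAC_RE.match(stored)
    if not m or field not in FIELDS:
        raise ValueError(f"unusable MAC or field: {stored!r}, {field!r}")
    letters = [c for c in stored if c.isalpha()]
    if letters and not (stored.isupper() or stored.islower()):
        raise ValueError(f"mixed-case MAC cannot be matched by one setting: {stored!r}")
    keyword = next(k for k, v in DELIMS.items() if v == m.group(1))
    commands = [f"mac-auth delimiter {field} {keyword}"]
    if letters:  # with digits only, the case setting makes no difference
        case = "upper" if stored.isupper() else "lower"
        commands.insert(0, f"mac-auth case {field} {case}")
    return commands


if __name__ == "__main__":
    # Constructed sample: the MAC format from the guide's own example.
    for line in infer_settings("00-11-AC-01-A0-11"):
        print(line)
    print(format_mac("00:11:ac:01:a0:11", "upper", "dash"))
```

A server-side entry with mixed case or mixed separators raises an error, because the AP applies a single case and a single delimiter to the whole address.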