FIPS 140-2 Security Policy for Cisco 5508 Wireless LAN Controller
OL-9658-09
Secure Configuration
Configure EAP-FAST
EAP-FAST is an Extensible Authentication Protocol (EAP) method and can be used to authenticate the
wireless client to the Controller. When a RADIUS server is used to authenticate clients, no extra
EAP-FAST configuration is required on the Controller.
When the Controller is configured as an EAP-FAST authentication server, the crypto officer uses the
following CLI command to enter a new EAP-FAST server key, where hex-key is up to 32 hexadecimal
digits (16 bytes).
> config local-auth method fast server-key hex-key
Refer to the Cisco Wireless LAN Controller Configuration Guide for instructions on configuring the Local
EAP server with EAP-FAST as the authentication method for the wireless clients.
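The server-key constraint above (at most 32 hex digits, i.e. 16 bytes) is easy to get wrong when a key is typed or pasted by hand, and the key should come from a cryptographic random source rather than be chosen by a person. The following helper is an added example, not part of the security policy or of Cisco's tooling: it validates an operator-supplied key against that constraint, generates a fresh full-length key from the operating system CSPRNG, and renders the CLI line from the policy. The function names and the lowercase normalisation are this example's own choices.

```python
import re
import secrets

# Constraint taken from the security policy text: the EAP-FAST server key
# is at most 32 hexadecimal digits, i.e. 16 bytes.
MAX_KEY_HEX_DIGITS = 32
MAX_KEY_BYTES = MAX_KEY_HEX_DIGITS // 2


def normalize_server_key(hex_key: str) -> str:
    """Validate an operator-supplied server key and return it as lowercase hex.

    Accepts an optional leading "0x". Raises ValueError if the key is empty,
    contains non-hex characters, or exceeds 32 hex digits.
    """
    key = hex_key.strip().lower()
    if key.startswith("0x"):
        key = key[2:]
    if not key:
        raise ValueError("server key is empty")
    if not re.fullmatch(r"[0-9a-f]+", key):
        raise ValueError("server key must contain only hexadecimal digits")
    if len(key) > MAX_KEY_HEX_DIGITS:
        raise ValueError(
            f"server key exceeds {MAX_KEY_HEX_DIGITS} hex digits ({MAX_KEY_BYTES} bytes)"
        )
    return key


def is_valid_server_key(hex_key: str) -> bool:
    """Boolean form of normalize_server_key for pre-checks in scripts."""
    try:
        normalize_server_key(hex_key)
    except ValueError:
        return False
    return True


def generate_server_key(num_bytes: int = MAX_KEY_BYTES) -> str:
    """Generate a fresh server key from the OS CSPRNG (secrets module).

    Defaults to the full 16 bytes permitted by the policy; shorter keys are
    allowed by the policy wording but give the attacker less to guess, so
    the full length is the sensible default.
    """
    if not 1 <= num_bytes <= MAX_KEY_BYTES:
        raise ValueError(f"num_bytes must be between 1 and {MAX_KEY_BYTES}")
    return secrets.token_hex(num_bytes)


def server_key_command(hex_key: str) -> str:
    """Render the controller CLI line from the policy with a validated key."""
    return f"config local-auth method fast server-key {normalize_server_key(hex_key)}"


if __name__ == "__main__":
    # Typical crypto-officer workflow: generate a key, then print the line to enter.
    new_key = generate_server_key()
    print(server_key_command(new_key))
```

Running the module prints one ready-to-enter `config local-auth method fast server-key ...` line with a freshly generated 32-digit key; the validation functions can be reused when a key is supplied from elsewhere (for example, when the same key must be entered on several controllers).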
Configure EAP-TLS
EAP-TLS is an Extensible Authentication Protocol (EAP) method and can be used to authenticate the
wireless client to the Controller. When a RADIUS server is used to authenticate clients, no extra
EAP-TLS configuration is required on the Controller.
When the Controller is configured as an EAP-TLS authentication server, it requires a configuration based
on certificates issued by a PKI. Refer to the Cisco EAP-TLS Deployment Guide for Wireless LAN
Networks for instructions on configuring EAP-TLS as the authentication method for the wireless
clients.
Click this URL for an example configuration:
Configure Data DTLS (optional)
The crypto officer may configure the module to use CAPWAP data encryption. CAPWAP data packets
encapsulate the wireless frames forwarded between the access point and the Controller. Configuring the
module to use CAPWAP data encryption is optional.
The following CLI commands enable DTLS data encryption for access points on the controller:
Step 1
To enable or disable data encryption for all access points or a specific access point, enter this command:
> config ap link-encryption {enable | disable} {all | Cisco_AP}
Step 2
When prompted to confirm that you want to disconnect the access point(s) and attached client(s), enter
> Y
Step 3
To save your changes, enter this command:
> save config
Refer to the Cisco Wireless LAN Controller Configuration Guide for additional instructions.