Multi-Preshared Key
• Information About Multi-Preshared Key
• Restrictions on Multi-PSK
• Configuring Multi-Preshared Key (GUI)
• Configuring Multi-Preshared Key (CLI)
• Verifying Multi-PSK Configurations
Information About Multi-Preshared Key

The Multi-PSK feature supports multiple PSKs simultaneously on a single SSID. You can use any of the configured PSKs to join the network. This is different from the Identity PSK (iPSK), wherein unique PSKs are created for individuals or groups of users on the same SSID.
From 16.10 onwards, each SSID supports five PSKs, which can be extended
In a traditional PSK, all the clients joining the network use the same password, as shown in the figure below.
Figure 1: Traditional PSK
With Multi-PSK, however, a client can use any of the configured pre-shared keys to connect to the network, as shown in the figure below.
Figure 2: Multi-PSK
In this Multi-PSK example, two passwords (deadbeef and beefdead) are configured for the same SSID. In this scenario, clients can connect to the network using either of the passwords.
Restrictions on Multi-PSK

• Central authentication is supported in local, flex, and fabric modes only.
• In central authentication flex mode, the standalone AP allows a client to join only with the highest priority PSK (priority 0 key). New clients that do not use the highest priority PSK are rejected during standalone mode.
• Multi-PSK does not support local authentication.
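
Added example (not from the Cisco document, and not Cisco's implementation): a sketch of how an authenticator can accept several PSKs on one SSID under standard WPA2-PSK, by checking the MIC on handshake message 2 against each configured key, with the standalone restriction above modelled as a flag. The SSID and the two passwords are the page's; the priority numbers, MAC addresses, nonces and frame bytes are constructed, and pmk, msg2_mic and match_psk are hypothetical names.

```python
import hashlib
import hmac

SSID = b"ssid_8"                               # SSID from the page's show wlan output
CONFIGURED = {0: b"deadbeef", 1: b"beefdead"}  # page's passwords; priorities are assumed

# Constructed handshake values (not captured traffic).
AA = bytes.fromhex("020000000001")     # authenticator (AP) MAC address
SPA = bytes.fromhex("020000000002")    # supplicant (client) MAC address
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
MSG2 = b"constructed EAPOL-Key message 2 with MIC field zeroed"


def pmk(passphrase: bytes) -> bytes:
    """WPA2-PSK pairwise master key: PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, SSID, 4096, 32)


# The PMK depends only on passphrase and SSID, so derive it once per configured key.
PMKS = {prio: pmk(secret) for prio, secret in CONFIGURED.items()}


def msg2_mic(pmk_: bytes) -> bytes:
    """MIC that a station holding pmk_ places on message 2 (key descriptor version 2)."""
    seed = min(AA, SPA) + max(AA, SPA) + min(ANONCE, SNONCE) + max(ANONCE, SNONCE)
    # KCK = first 128 bits of PRF(PMK, "Pairwise key expansion", seed), counter 0.
    kck = hmac.new(pmk_, b"Pairwise key expansion\x00" + seed + b"\x00",
                   hashlib.sha1).digest()[:16]
    return hmac.new(kck, MSG2, hashlib.sha1).digest()[:16]


def match_psk(client_mic: bytes, standalone: bool = False):
    """Return the priority of the configured key that produced client_mic, else None."""
    for prio in sorted(PMKS):
        if standalone and prio != 0:
            continue  # page: a standalone flex AP accepts only the priority 0 key
        if hmac.compare_digest(msg2_mic(PMKS[prio]), client_mic):
            return prio
    return None


if __name__ == "__main__":
    for secret in (b"deadbeef", b"beefdead", b"not-a-key"):
        mic = msg2_mic(pmk(secret))
        print(secret, match_psk(mic), match_psk(mic, standalone=True))
```

Because the match is made by trial, every configured key is an equally valid credential for the SSID, so retiring one key means removing it from the WLAN.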
Configuring Multi-Preshared Key (GUI)

Procedure

Step 1 Choose Configuration > Tags & Profiles > WLANs.
Step 2 On the Wireless Networks page, click the name of the WLAN.
Step 3 In the Edit WLAN window, click the Security tab.
Step 4 In the Layer2 tab, choose the Layer2 Security Mode from the following options:

• None: No Layer 2 security
• 802.1X: WEP 802.1X data encryption type
• WPA + WPA2: Wi-Fi Protected Access
• Static WEP: Static WEP encryption parameters
• Static WEP+802.1X: Both Static WEP and 802.1X parameters
Parameter: Description

802.1X

WEP Key Size: Choose the key size. The available values are None, 40 bits, and 104 bits.

WPA + WPA2

Protected Management Frame: Choose from the following options:
• Disabled
• Optional
• Required

WPA Policy: Check the check box to enable WPA policy.

WPA Encryption: Choose the WPA encryption standard. A WPA encryption standard must be specified if you have enabled WPA policy.

WPA2 Policy: Check the check box to enable WPA2 policy.

WPA2 Encryption: Choose the WPA2 encryption standard. A WPA encryption standard must be specified if you have enabled WPA policy.

Choose the rekeying mechanism from the following options:
• 802.1X
• FT + 802.1X
• PSK: You must specify the PSK format and a preshared key
• Cisco Centralized Key Management: You must specify a Cisco Centralized Key Management Timestamp Tolerance value
• 802.1X + Cisco Centralized Key Management: You must specify a Cisco Centralized Key Management Timestamp Tolerance value
• FT + 802.1X + Cisco Centralized Key Management: You must specify a Cisco Centralized Key Management Timestamp Tolerance value

Key Index: Choose a key index from 1 to 4. One unique WEP key index can be applied to each WLAN. As there are only four WEP key indexes, only four WLANs can be configured for static WEP Layer2 encryption.

Key Format: Choose the encryption key format as either ASCII or HEX.

Encryption Key: Enter an encryption key that is 13 characters long.

Static WEP + 802.1X

Key Size: Choose the key size from the following options:
• 40 bits
• 104 bits

Key Index: Choose a key index from 1 to 4. One unique WEP key index can be applied to each WLAN. As there are only four WEP key indexes, only four WLANs can be configured for static WEP Layer2 encryption.

Key Format: Choose the encryption key format as either ASCII or HEX.

Encryption Key: Enter an encryption key that is 13 characters long.
Verifying Multi-PSK Configurations

To verify the configuration of a WLAN and a client, use the following command:

Device# show wlan id 8
WLAN Profile Name : wlan_8
================================================
Identifier : 8
Network Name (SSID) : ssid_8
Status : Enabled
Broadcast SSID : Enabled
Universal AP Admin : Disabled
Max Associated Clients per WLAN : 0
Max Associated Clients per AP per WLAN : 0
Max Associated Clients per AP Radio per WLAN : 200
Number of Active Clients : 0
CHD per WLAN : Enabled
Multicast Interface : Unconfigured
WMM : Allowed
WifiDirect : Invalid
Channel Scan Defer Priority:
Priority (default) : 5
Priority (default) : 6

Scan Defer Time (msecs) : 100
Media Stream Multicast-direct : Disabled
CCX - AironetIe Support : Enabled
CCX - Diagnostics Channel Capability : Disabled
Peer-to-Peer Blocking Action : Disabled
Radio Policy : All
DTIM period for 802.11a radio : 1
DTIM period for 802.11b radio : 1
Local EAP Authentication : Disabled
Mac Filter Authorization list name : Disabled
Mac Filter Override Authorization list name : Disabled
Accounting list name :
802.1x authentication list name : Disabled
802.1x authorization list name : Disabled
Security

SUITEB192-1X : Disabled
CCKM TSF Tolerance : 1000
FT Support : Adaptive

FT Reassociation Timeout : 20
FT Over-The-DS mode : Enabled

PMF Support : Disabled
PMF Association Comeback Timeout : 1
PMF SA Query Time : 200

Web Based Authentication : Disabled
Conditional Web Redirect : Disabled
Splash-Page Web Redirect : Disabled
Webauth On-mac-filter Failure : Disabled
Webauth Authentication List Name : Disabled
Webauth Authorization List Name : Disabled
Webauth Parameter Map : Disabled
Tkip MIC Countermeasure Hold-down Timer : 60
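
Added example (not part of the Cisco document): one way to turn the show wlan id output above into a checkable record and compare it with an expected baseline. SAMPLE is an excerpt of the page's output; BASELINE is an assumed site policy, including the assumption that the CLI prints "Required" for the PMF setting, and parse_show_wlan and drift are hypothetical names.

```python
# Excerpt of the page's `show wlan id 8` output, including its awkward lines:
# a ruler, titles without values, a repeated field and a field with no value.
SAMPLE = """\
WLAN Profile Name : wlan_8
================================================
Identifier : 8
Network Name (SSID) : ssid_8
Channel Scan Defer Priority:
Priority (default) : 5
Priority (default) : 6
Accounting list name :
802.1x authentication list name : Disabled
Security
FT Support : Adaptive
PMF Support : Disabled
Tkip MIC Countermeasure Hold-down Timer : 60
"""

# Assumed site baseline, not a recommendation taken from the page.
BASELINE = {"Network Name (SSID)": ["ssid_8"], "PMF Support": ["Required"]}


def parse_show_wlan(text: str) -> dict:
    """Return {field: [values]}; a repeated field keeps every value, in order."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(" :")
        if not sep:
            continue  # ruler, blank line or section title such as "Security"
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def drift(fields: dict, baseline: dict) -> list:
    """List (field, expected, actual) for each baseline field that differs or is absent."""
    return [(name, want, fields.get(name))
            for name, want in baseline.items() if fields.get(name) != want]


if __name__ == "__main__":
    for name, want, got in drift(parse_show_wlan(SAMPLE), BASELINE):
        print(f"{name}: expected {want}, found {got}")
```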