FIPS 140-2 Security Policy for Cisco 4402 and 4404 Wireless LAN Controllers
OL-9658-06
Secure Configuration
Configure MFP (Management Frame Protection)
Infrastructure MFP enables one access point to validate a neighboring access point's management
frames. Configuring the module to use MFP is optional. The following CLI command is used to enable
infrastructure MFP:
> config wps mfp infrastructure enable
Client MFP is used to encrypt and sign management frames between the AP and the client. The following
CLI command is used to enable client MFP:
> config wlan mfp client enable index required
Refer to the Cisco Wireless LAN Controller Configuration Guide for additional instructions.
Configure Local EAP
The module can be optionally configured as a local EAP authentication server to authenticate wireless
clients. Both EAP-TLS and EAP-FAST are supported and permitted by this security policy.
Refer to the Cisco Wireless LAN Controller Configuration Guide for instructions on configuring the Local
EAP server to authenticate wireless clients without a RADIUS server.
Configure EAP-FAST
EAP-FAST is an Extensible Authentication Protocol (EAP) method and can be used as an authentication
method between the Controller and the wireless client. When a RADIUS server is used to authenticate
clients, no extra EAP-FAST configuration is required.
The following CLI command is used by the crypto officer to enter a new EAP-FAST server key, where
hex-key can be up to 32 hex digits (16 bytes):
> config local-auth method fast server-key hex-key
Refer to the Cisco Wireless LAN Controller Configuration Guide for instructions on configuring the Local
EAP server with EAP-FAST as the authentication method for the wireless clients.
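The following is an added example, not part of the Cisco security policy: a pre-apply check of a planned command script against the MFP and EAP-FAST server-key commands shown above. The function names, the wlan_ids parameter, the sample script, and the choice to flag keys shorter than 32 hex digits or made of one repeated digit are assumptions of this example.

```python
import re

# Command forms exactly as printed on this page; other lines are ignored.
INFRA_MFP = re.compile(r"^config wps mfp infrastructure enable$")
CLIENT_MFP = re.compile(r"^config wlan mfp client enable (\d+) required$")
SERVER_KEY = re.compile(r"^config local-auth method fast server-key (\S+)$")
HEX = re.compile(r"^[0-9A-Fa-f]+$")


def check_key(key):
    """Findings for an EAP-FAST server key (page limit: 32 hex digits)."""
    if not HEX.match(key):
        return ["server-key: contains non-hex characters"]
    if len(key) > 32:
        return [f"server-key: {len(key)} hex digits exceeds 32"]
    out = []
    if len(key) < 32:
        # Assumption of this example: flag anything under the full 16 bytes.
        out.append(f"server-key: only {len(key)} hex digits, fewer than 32")
    if len(set(key.lower())) == 1:
        out.append("server-key: single repeated digit")
    return out


def lint_script(text, wlan_ids):
    """Findings for a planned script; wlan_ids are WLANs expected to require client MFP."""
    infra, mfp_wlans, findings = False, set(), []
    for raw in text.splitlines():
        line = raw.strip().lstrip(">").strip()
        if INFRA_MFP.match(line):
            infra = True
        elif m := CLIENT_MFP.match(line):
            mfp_wlans.add(int(m.group(1)))
        elif m := SERVER_KEY.match(line):
            findings += check_key(m.group(1))  # key value itself is never echoed
    if not infra:
        findings.append("infrastructure MFP not enabled")
    for wid in sorted(set(wlan_ids) - mfp_wlans):
        findings.append(f"WLAN {wid}: client MFP not required")
    return findings


# Constructed sample script (not taken from a real controller).
SAMPLE = """\
> config wps mfp infrastructure enable
> config wlan mfp client enable 1 required
> config local-auth method fast server-key 0123456789abcdef
"""
```

Because MFP is optional under this policy, the findings are a report for the crypto officer to review, not a pass/fail gate.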
Configure EAP-TLS
EAP-TLS is an Extensible Authentication Protocol (EAP) method and can be used as an authentication
method between the Controller and the wireless client. It requires configuration based on certificates
issued from a PKI.
Refer to the Cisco EAP-TLS Deployment Guide for Wireless LAN Networks for configuration instructions
on using EAP-TLS as the authentication method for the wireless clients.
Click this URL for an example configuration:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080851b42.shtml