Wireless Security and Authentication in cnWave 60 GHz

cnWave offers a feature where nodes should authenticate themselves during the Ignition procedure.
By default, link authentication is disabled.

There are two secure authentication modes available to cnWave nodes.

Authentication mode can be configured at the network level, which applies to the entire network.


WPA-PSK:
Passphrase is the pre-shared key.
WPA2 protocol is currently supported.
For encryption, AES-GCMP-128 bit is supported.

802.1X:
802.1X authentication on a sector from a POP node. This is a network-level configuration and is common to the entire sector.


RADIUS Server IP: IPv6 address of the RADIUS server. In a future release we will support IPv4 addresses as well.

RADIUS server port: UDP port number where the server is running; default is 1812.

RADIUS Server shared secret: shared secret.

For RADIUS authentication, cnWave supports EAP-TLS only, where each node should have a client certificate and private key. In addition, the node should also have the CA certificate to verify the RADIUS server. These files can be uploaded from the device GUI of each node.

Configuration to be done on Controller GUI for each node

Configuration to be done on Node GUI

Note: It is important for both configurations to be done for successful authentication.

RADIUS Server Configuration:

Any RADIUS server can be used for authentication. The following configuration is to be done.

  • Make sure RADIUS packets from the IPv6 subnet, i.e. the lo IP subnet, are accepted in the RADIUS configuration.
  • Configure EAP-TLS for the RADIUS server and set up the server certificate and key. Note that the server certificate is signed by the CA uploaded in the node configuration.
  • Set the CA certificate which signed the client certificate installed on each node.
  • Make sure the certificate is signed with SHA-256 or higher.

Both PSK and 802.1X require initial provisioning directly on the node.

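The certificate requirements in the RADIUS server checklist above (certificates signed by the expected CA, SHA-256 or higher, a private key that belongs to the client certificate) can be checked with `openssl` before any files are uploaded to a node. This is an added example, not part of the original post and not Cambium tooling; the function names and file names are assumptions, and the demo certificates are constructed throwaway data.

```shell
#!/bin/sh
# Added example, not Cambium code. Pre-flight checks for the EAP-TLS files
# described above. File names are assumptions; requires the openssl CLI.

# True if certificate $2 chains to CA certificate $1.
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print the signature algorithm name of certificate $1.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        awk -F': ' '/Signature Algorithm/ { print $2; exit }'
}

# True if algorithm name $1 uses SHA-256 or higher. Names it does not
# recognise (for example RSA-PSS) fail closed and need a manual look.
sig_alg_ok() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *sha256*|*sha384*|*sha512*) return 0 ;;
        *) return 1 ;;
    esac
}

# True if private key $2 belongs to certificate $1.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Constructed sample data: throwaway CA and node certificate in directory $1.
make_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=demo-ca" -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-node" \
        -keyout "$1/node.key" -out "$1/node.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/node.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -sha256 -days 1 -out "$1/node.pem" 2>/dev/null
}

# Run all three checks: check_node_files CA.pem NODE.pem NODE.key
check_node_files() {
    cert_chains_to_ca "$1" "$2" || { echo "FAIL: $2 not signed by $1"; return 1; }
    sig_alg_ok "$(cert_sig_alg "$2")" || { echo "FAIL: weak signature hash"; return 1; }
    key_matches_cert "$2" "$3" || { echo "FAIL: key does not match $2"; return 1; }
    echo "OK: $2"
}
```

The same `check_node_files` call applies to the RADIUS server certificate and key, using the CA certificate that was uploaded to the nodes.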

Hi, is it possible to configure a PSK or 802.1X key without having a RADIUS server?

PSK does not require a RADIUS server.

When will cnWave support TACACS+?

Thank you!

Dave

I have been trying to get 802.1X working on cnWave but have not had any success. I have followed all the available documentation and guidelines, but the link keeps trying to come up and going down again; the logs seem to indicate that it is not authenticating properly on our RADIUS server. We are using FreeRADIUS and the client cert is signed by the same CA as our server cert. Would you be able to provide any further guidelines for using FreeRADIUS? For example, are there any non-standard configuration options required in the eap.conf file? Do you have any guidelines for generating the client cert? I need to get this to work as our PMP450 and ePMP networks all use RADIUS and we do not want to deploy cnWave without proper integration with our backend authentication systems.

Thanks,
Des.

Hello Des,

Can you please send us the field diags of the device? 802.1X should work. Which build are you using?

Regards,
Anil

In case you haven’t already, I recommend you create a support ticket.

As @Anilkumarreddy suggests, understanding what version of software you are running on the radios, E2E and cnMaestro will be key, and we can get those from the Tech Dumps. Having those available for the ticket would be ideal.

Please see the KB article Download Field Diags of 60 GHz cnWave device and E2E Controller Tech Support dump in cnMaestro.

Once we understand the issue we can let others know the solution on this forum topic.

Please also attach RADIUS server logs and a Wireshark capture if possible (run Wireshark on the RADIUS server with RADIUS packet type as the filter).