Mesh Security Configuration

Document created by linyan on Dec 11, 2014Last modified by linyan on May 14, 2015

CGR Sample Configuration to enable CG Mesh Security:

If the CGR is running CG-OS:

Configuration:

feature dot1x
feature mesh-security
radius-server host 2001:DB8:1:1::53 key cisco123 authentication accounting
aaa group server radius cgcdn
server 2001:DB8:1:1::53
ip radius source-interface xxx  <--- this could be "Eth2/2" or your tunnel interface to CGREDI
aaa authentication dot1x default group cgcdn
aaa accounting dot1x default group cgcdn
int wpan4/1
dot1x pae authenticator

Configure mesh security keys:

CGE-IVT-CGR1120-3# mesh-security set mesh-key key 123
Key ID       : 0
Key expiry   : Fri Apr  4 16:08:50 2014
CGE-IVT-CGR1120-3# mesh-security set mesh-key key 1234
Key ID       : 1
Key expiry   : Sun May  4 16:08:50 2014
CGE-IVT-CGR1120-3# mesh-security set mesh-key key 12345
Key ID       : 2
Key expiry   : Tue Jun  3 16:08:50 2014
CGE-IVT-CGR1120-3# show mesh-security keys
Mesh Interace: Wpan4/1
Master Key Lifetime  : 120 Days 0 Hours 0 Minutes 0 Seconds
Temporal Key Lifetime: 60 Days 0 Hours 0 Minutes 0 Seconds
Mesh Key Lifetime    : 30 Days 0 Hours 0 Minutes 0 Seconds
Key ID         : 0 *
Key expiry     : Fri Apr  4 16:08:50 2014
Time remaining : 29 Days 20 Hours 35 Minutes 45 Seconds
Key ID         : 1
Key expiry     : Sun May  4 16:08:50 2014
Time remaining : 59 Days 20 Hours 35 Minutes 45 Seconds
Key ID         : 2
Key expiry     : Tue Jun  3 16:08:50 2014
Time remaining : 89 Days 20 Hours 35 Minutes 45 Seconds

If the CGR is running IOS:

Configuration:

aaa new-model
aaa session-id common
ipv6 radius source-interface Tunnel 1

radius server CA-NPS-Win2008R2
  address ipv6 2001:DB8:1:1::53 auth-port 1645 acct-port 1646
  key cisco123
aaa group server radius CGCDN
  server name CA-NPS-Win2008R2
  ipv6 radius source-interface Tunnel 1
aaa authentication dot1x default group CGCDN
dot1x system-auth-control
interface Wpan5/1
  authentication host-mode multi-auth
  authentication port-control auto
  dot1x pae authenticator


Configure Mesh Security Keys:

FAR-1240-CDN1-AS2#mesh-security set mesh-key interface wpan 5/1 key 1234
Key ID       : 0
Key expiry   : Sun Mar  2 19:05:59 2014
FAR-1240-CDN1-AS2#mesh-security set mesh-key interface wpan 5/1 key 123456
Key ID       : 1
Key expiry   : Tue Apr  1 19:05:59 2014
FAR-1240-CDN1-AS2#mesh-security set mesh-key interface wpan 5/1 key 12345678
Key ID       : 2
Key expiry   : Thu May  1 19:05:59 2014
FAR-1240-CDN1-AS2#show mesh-security keys
Mesh Interface: Wpan5/1
Master Key Lifetime  : 120 Days 0 Hours 0 Minutes 0 Seconds
Temporal Key Lifetime: 60 Days 0 Hours 0 Minutes 0 Seconds
Mesh Key Lifetime    : 30 Days 0 Hours 0 Minutes 0 Seconds
Key ID         : 0 *
Key expiry     : Sun Mar  2 19:05:59 2014
Time remaining : 29 Days 23 Hours 59 Minutes 40 Seconds
Key ID         : 1
Key expiry     : Tue Apr  1 19:05:59 2014
Time remaining : 59 Days 23 Hours 59 Minutes 40 Seconds
Key ID         : 2
Key expiry     : Thu May  1 19:05:59 2014
Time remaining : 89 Days 23 Hours 59 Minutes 40 Seconds


To reconfigure the mesh-key:

nxtFAR#mesh-security expire mesh-key interface wpan 5/1

This expires one configured mesh key per invocation; with the three keys shown in the output above, the command needs to be executed 3 times to expire all of them.

Then issue "show mesh-security keys" to confirm that no mesh key remains configured, and configure the mesh key again. This pushes a new mesh key to the interface.
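The check in the previous two paragraphs (confirm how many keys are present, expire every one, verify the table is empty before re-keying) is easy to get wrong when done by eye across many CGRs. The following script is an added example, not code from this document or from Cisco: it parses the text of "show mesh-security keys" in the layout shown above, reports which keys are within a chosen number of days of expiry, derives the list of expire commands a full re-key needs (one per key, as the text states), and cross-checks that every key's expiry minus its time remaining points at the same capture instant, which catches stale or spliced output. The sample output embedded in it is constructed from the transcript on this page rather than captured from a live device, and the label handling assumes only the two spellings of the interface line that appear here.

```python
"""Parse 'show mesh-security keys' output from a CGR, flag keys near expiry
and derive the 'expire mesh-key' commands a full re-key needs.
Added example, not Cisco's code; SAMPLE_OUTPUT is constructed from the
transcript in the document, not captured from a live device."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample, modelled on the IOS transcript above.
SAMPLE_OUTPUT = """\
Mesh Interface: Wpan5/1

Master Key Lifetime  : 120 Days 0 Hours 0 Minutes 0 Seconds
Temporal Key Lifetime: 60 Days 0 Hours 0 Minutes 0 Seconds
Mesh Key Lifetime    : 30 Days 0 Hours 0 Minutes 0 Seconds

Key ID         : 0 *
Key expiry     : Sun Mar  2 19:05:59 2014
Time remaining : 29 Days 23 Hours 59 Minutes 40 Seconds

Key ID         : 1
Key expiry     : Tue Apr  1 19:05:59 2014
Time remaining : 59 Days 23 Hours 59 Minutes 40 Seconds

Key ID         : 2
Key expiry     : Thu May  1 19:05:59 2014
Time remaining : 89 Days 23 Hours 59 Minutes 40 Seconds
"""

DURATION_RE = re.compile(r"(\d+) Days (\d+) Hours (\d+) Minutes (\d+) Seconds")

@dataclass
class MeshKey:
    key_id: int
    active: bool          # the key marked '*' is the one currently in use
    expiry: datetime
    remaining: timedelta

@dataclass
class MeshKeyTable:
    interface: str
    lifetimes: Dict[str, timedelta]
    keys: List[MeshKey]

def parse_duration(text: str) -> timedelta:
    m = DURATION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised duration: {text!r}")
    days, hours, minutes, seconds = (int(g) for g in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)

def parse_expiry(text: str) -> datetime:
    # The device prints ctime()-style dates with a space-padded day ("Mar  2");
    # collapse the spacing so strptime sees single separators.
    return datetime.strptime(" ".join(text.split()), "%a %b %d %H:%M:%S %Y")

def parse_show_keys(output: str) -> MeshKeyTable:
    interface, lifetimes, pending = "", {}, []
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        label, _, value = line.partition(":")   # first colon only; timestamps contain more
        label, value = label.strip(), value.strip()
        if label.startswith("Mesh Inter"):      # CG-OS prints "Mesh Interace", IOS "Mesh Interface"
            interface = value
        elif label.endswith("Lifetime"):
            lifetimes[label] = parse_duration(value)
        elif label == "Key ID":
            pending.append({"key_id": int(value.rstrip("* ")), "active": value.endswith("*")})
        elif label == "Key expiry":
            pending[-1]["expiry"] = parse_expiry(value)
        elif label == "Time remaining":
            pending[-1]["remaining"] = parse_duration(value)
    return MeshKeyTable(interface, lifetimes, [MeshKey(**k) for k in pending])

def keys_expiring_within(table: MeshKeyTable, days: int) -> List[int]:
    """IDs of keys whose remaining lifetime is at or below the given horizon."""
    return [k.key_id for k in table.keys if k.remaining <= timedelta(days=days)]

def capture_time(table: MeshKeyTable) -> datetime:
    """Instant the output was taken, implied by expiry minus time remaining.
    Every key must imply the same instant; a mismatch means the output is
    stale or spliced and should not drive a rotation decision."""
    stamps = {k.expiry - k.remaining for k in table.keys}
    if len(stamps) != 1:
        raise ValueError(f"inconsistent key table, implied capture times: {sorted(stamps)}")
    return stamps.pop()

def rekey_commands(table: MeshKeyTable) -> List[str]:
    """Commands to clear the interface before pushing a fresh key: the document
    states each 'expire mesh-key' removes one configured key, so one per key."""
    iface = table.interface.lower().replace("wpan", "wpan ")   # "Wpan5/1" -> "wpan 5/1"
    return [f"mesh-security expire mesh-key interface {iface}" for _ in table.keys]

if __name__ == "__main__":
    table = parse_show_keys(SAMPLE_OUTPUT)
    print(f"{table.interface}: {len(table.keys)} keys, captured {capture_time(table)}")
    print("expiring within 30 days:", keys_expiring_within(table, 30))
    print("\n".join(rekey_commands(table)))
```

Run against the sample, it reports key 0 as the only key within 30 days of expiry, three identical expire commands for wpan 5/1, and a single implied capture time for all three keys; feeding it output where the keys disagree on that instant raises instead of producing a command list.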

###########################################################################################################
Because a PLC network is comparatively slow, the dot1x authentication and dot11i key exchange can be throttled by adding the configuration below:

interface Wpan3/1
  no ip address
  ieee154 beacon-async min-interval 120 max-interval 900 suppression-coefficient 1
  ieee154 panid 3031
  ieee154 ssid plc
  rpl dag-lifetime 240
  rpl dio-min 21
  rpl version-incr-time 240
  authentication host-mode multi-auth
  authentication port-control auto
  ipv6 address 2001:DEAD:BEEF:100::3/64
  ipv6 enable
  ipv6 dhcp relay destination 2001:420:7BF:5F::500
  dot1x pae authenticator
  mesh-security max-active-key-exchange 1   <--- limits key exchanges to 1 at a time
  mesh-security max-active-authentication 1 <--- limits authentications to 1 at a time
