Setup WPA2 on Cisco Aironet AP 1240 series

Here is some brief information about wireless security and encryption methods, followed by a sample configuration showing how to set up WPA2 on the Cisco Aironet AP 1240 series.

WEP (IEEE 802.11)

Wired Equivalent Privacy, introduced in 1999. The key is entered as 10 or 26 hexadecimal digits (a 40- or 104-bit encryption key). Weak protection.

WPA (IEEE 802.11i)

Wi-Fi Protected Access, introduced in 2003. Uses the Temporal Key Integrity Protocol (TKIP), which employs a per-packet key: it dynamically generates a new 128-bit key for each packet.

WPA2 (IEEE 802.11i-2004)

Introduced in 2004. Uses CCMP, a new encryption mode based on AES (Advanced Encryption Standard), implemented in hardware, with a 256-bit key.

WPA2-Personal (WPA-PSK)

Uses a pre-shared key; no 802.1X authentication server is required. Encrypts the network traffic with a 256-bit key, entered either as a string of 64 hexadecimal digits or as a passphrase of 8 to 63 printable ASCII characters.

WPA2-Enterprise (WPA-802.1X)

A RADIUS authentication server is required, and an Extensible Authentication Protocol (EAP) method is used for authentication.

Sample configuration on Cisco Aironet AP 1240 series

Admin access to the AP through an external RADIUS server (192.168.77.5). In the login method list the trailing "local" keyword is the fallback: the local username defined below is used only when no server in the rad_admin group responds, not when the server rejects the login.

Cisco_1240AG# configure terminal
Cisco_1240AG(config)# aaa new-model
Cisco_1240AG(config)# aaa group server radius rad_admin
Cisco_1240AG(config-sg-radius)# server 192.168.77.5 auth-port 1645 acct-port 1646
Cisco_1240AG(config-sg-radius)# exit
Cisco_1240AG(config)# aaa authentication login default group rad_admin local
Cisco_1240AG(config)# radius-server host 192.168.77.5 auth-port 1645 acct-port 1646 key [your key]
Cisco_1240AG(config)# username cisco password cisco

WPA2-Personal with AES-CCM + TKIP

The SSID is defined once globally and then bound to each radio with the ssid command under the interface; both radios get the same cipher and SSID settings.

Cisco_1240AG# configure terminal
Cisco_1240AG(config)# dot11 ssid IPBalance
Cisco_1240AG(config-ssid)# authentication open
Cisco_1240AG(config-ssid)# authentication key-management wpa version 2
Cisco_1240AG(config-ssid)# infrastructure-ssid optional
Cisco_1240AG(config-ssid)# wpa-psk ascii [your key]
Cisco_1240AG(config-ssid)# exit
Cisco_1240AG(config)# interface dot11radio 0   <-- 2.4 GHz radio
Cisco_1240AG(config-if)# encryption mode ciphers aes-ccm tkip
Cisco_1240AG(config-if)# ssid IPBalance
Cisco_1240AG(config-if)# exit
Cisco_1240AG(config)# interface dot11radio 1   <-- 5 GHz radio
Cisco_1240AG(config-if)# encryption mode ciphers aes-ccm tkip
Cisco_1240AG(config-if)# ssid IPBalance
Cisco_1240AG(config-if)# exit

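As an added example (not code from the original page or from Cisco), here is the mapping between the two key forms described under WPA2-Personal above: the AP stores a 256-bit PSK, and when wpa-psk ascii is given a passphrase instead of 64 hex digits, the key is derived from the passphrase and the SSID with PBKDF2-HMAC-SHA1 (IEEE 802.11i Annex H). The passphrase below is constructed; the SSID is the page's IPBalance.

```python
import hashlib
import string

# Printable ASCII (0x20-0x7E): string.printable minus the whitespace controls.
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")

def wpa2_psk(secret: str, ssid: str) -> bytes:
    """Return the 256-bit pre-shared key for a WPA2-Personal network.

    `secret` may be either form described above: exactly 64 hexadecimal
    digits (used as-is) or an 8-63 character printable-ASCII passphrase,
    which is mapped to the key with PBKDF2-HMAC-SHA1, 4096 iterations and
    the SSID as salt (IEEE 802.11i Annex H). Anything else is rejected.
    A 64-character passphrase cannot exist, so the two forms never collide.
    """
    if len(secret) == 64 and all(c in string.hexdigits for c in secret):
        return bytes.fromhex(secret)
    if not 8 <= len(secret) <= 63 or any(c not in PRINTABLE for c in secret):
        raise ValueError("passphrase must be 8-63 printable ASCII characters "
                         "or exactly 64 hexadecimal digits")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    return hashlib.pbkdf2_hmac("sha1", secret.encode("ascii"), ssid.encode(), 4096, 32)

def psk_hex(secret: str, ssid: str) -> str:
    """Same key as 64 lowercase hex digits, the form a hex-entry command expects."""
    return wpa2_psk(secret, ssid).hex()

if __name__ == "__main__":
    # Constructed passphrase for the page's SSID IPBalance; not a real key.
    print(psk_hex("ExamplePassphrase2024", "IPBalance"))
```

Because the derivation depends only on the passphrase and the SSID, the passphrase's length and randomness, not the 256-bit key size, determine the real strength of a WPA2-Personal network.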
WPA2-Enterprise with Local RADIUS Server (192.168.88.3) Authentication

Here the AP itself (192.168.88.3) runs the local RADIUS server, so the same address appears both as the server the AP authenticates against and as the NAS client allowed to use that server.

Cisco_1240AG# configure terminal
Cisco_1240AG(config)# aaa new-model
Cisco_1240AG(config)# aaa group server radius rad_eap
Cisco_1240AG(config-sg-radius)# server 192.168.88.3 auth-port 1645 acct-port 1646
Cisco_1240AG(config-sg-radius)# exit
Cisco_1240AG(config)# aaa group server radius rad_acct
Cisco_1240AG(config-sg-radius)# server 192.168.88.3 auth-port 1645 acct-port 1646
Cisco_1240AG(config-sg-radius)# exit
Cisco_1240AG(config)# aaa authentication login eap_methods group rad_eap
Cisco_1240AG(config)# aaa accounting network acct_methods start-stop group rad_acct

Cisco_1240AG(config)# dot11 ssid WT
Cisco_1240AG(config-ssid)# vlan 1
Cisco_1240AG(config-ssid)# authentication open eap eap_methods
Cisco_1240AG(config-ssid)# authentication network-eap eap_methods
Cisco_1240AG(config-ssid)# authentication key-management wpa version 2
Cisco_1240AG(config-ssid)# exit

Cisco_1240AG(config)# interface Dot11Radio0
Cisco_1240AG(config-if)# encryption mode ciphers aes-ccm tkip
Cisco_1240AG(config-if)# encryption vlan 1 mode ciphers aes-ccm tkip
Cisco_1240AG(config-if)# broadcast-key change 150
Cisco_1240AG(config-if)# broadcast-key vlan 1 change 300
Cisco_1240AG(config-if)# ssid WT
Cisco_1240AG(config-if)# exit

Cisco_1240AG(config)# interface Dot11Radio1
Cisco_1240AG(config-if)# encryption mode ciphers aes-ccm tkip
Cisco_1240AG(config-if)# encryption vlan 1 mode ciphers aes-ccm tkip
Cisco_1240AG(config-if)# broadcast-key change 150
Cisco_1240AG(config-if)# broadcast-key vlan 1 change 300
Cisco_1240AG(config-if)# ssid WT
Cisco_1240AG(config-if)# exit

Cisco_1240AG(config)# radius-server local
Cisco_1240AG(config-radsrv)# nas 192.168.88.3 key [shared-key]
Cisco_1240AG(config-radsrv)# group wirethink
Cisco_1240AG(config-radsrv-group)# vlan 1
Cisco_1240AG(config-radsrv-group)# ssid WT
Cisco_1240AG(config-radsrv-group)# exit
Cisco_1240AG(config-radsrv)# user user1 password user1 group wirethink
Cisco_1240AG(config-radsrv)# exit

Cisco_1240AG(config)# radius-server host 192.168.88.3 auth-port 1645 acct-port 1646 key [shared-key]

* Both radio interfaces should be configured with the same authentication commands.
** When you are using the local RADIUS server, use the same username and password (if the IOS release is 12.25d or earlier).

Troubleshooting commands

Testing an external or internal RADIUS host from the AP:

Cisco_1240AG# test aaa group radius [user] [password] new

Trying to authenticate with Servergroup radius
User successfully authenticated

Cisco_1240AG# test aaa group rad_admin [user] [password] new

Trying to authenticate with Servergroup radius
User rejected

Cisco_1240AG# test aaa group rad_eap [user] [password] new

Trying to authenticate with Servergroup radius
User successfully authenticated

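To show what the test command above exercises, here is an added example (not the page's or Cisco's code) of the RADIUS exchange between the AP and the server in RFC 2865 terms: the Access-Request carries the user name and the password hidden with the shared secret (the [your key] / [shared-key] value in the configurations), and the AP accepts the reply only if its Response Authenticator checks out against that secret. The secret, user and Request Authenticator in the test are constructed values.

```python
import hashlib
import hmac
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4   # RFC 2865 attribute types

def _attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def unhide_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password (what the server does); strips the NUL padding."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident, user, password, secret, nas_ip, req_auth):
    """Access-Request as the NAS (here the AP) sends it. req_auth: 16 fresh random bytes per request."""
    attrs = (_attr(USER_NAME, user)
             + _attr(USER_PASSWORD, hide_password(password, secret, req_auth))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def build_response(code, ident, attrs, req_auth, secret):
    """Reply as the server builds it: authenticator = MD5(header + RequestAuth + attrs + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def verify_response(packet, req_auth, secret):
    """NAS-side check: trust the reply only if its Response Authenticator matches our request."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = build_response(packet[0], packet[1], packet[20:], req_auth, secret)[4:20]
    return hmac.compare_digest(packet[4:20], expected)
```

A mismatched shared secret on either side shows up exactly as the "User rejected" result above: the server cannot unhide the password, and the AP cannot validate the reply.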
Show and statistics

Cisco_1240AG# show radius local-server statistics
Cisco_1240AG# show dot11 statistics client-traffic

Debug (send output to the current terminal session, and turn all debugging off when finished)

Cisco_1240AG# terminal monitor
Cisco_1240AG# debug radius authentication
Cisco_1240AG# debug radius local-server client
Cisco_1240AG# debug radius local-server error
Cisco_1240AG# debug radius local-server packets
Cisco_1240AG# debug dot11 aaa authenticator all
Cisco_1240AG# undebug all