Here is brief information about wireless security and encryption methods, followed by a sample configuration showing how to set up WPA2 on the Cisco Aironet AP 1240 series.
WEP (IEEE 802.11)
Wired Equivalent Privacy, introduced in 1999. Uses a key of 10 or 26 hexadecimal digits (a 40- or 104-bit encryption key). Weak protection.
WPA (IEEE 802.11i)
Wi-Fi Protected Access, introduced in 2003. Uses the Temporal Key Integrity Protocol (TKIP), which employs a per-packet key, meaning that it dynamically generates a new 128-bit key for each packet.
WPA2 (IEEE 802.11i-2004)
Introduced in 2004. Uses CCMP, a new AES-based encryption mode; hardware based, 256-bit key.
AES (Advanced Encryption Standard)
WPA2-Personal (WPA-PSK)
Pre-shared key; no 802.1x authentication server is required. Encrypts the network traffic using a 256-bit key (entered as a string of 64 hexadecimal digits, or as a passphrase of 8 to 63 printable ASCII characters).
WPA2-Enterprise (WPA-802.1x)
A RADIUS authentication server is required; an Extensible Authentication Protocol (EAP) is used for authentication.
Sample configuration on Cisco Aironet AP 1240 series
Admin access to the AP through an external RADIUS server (192.168.77.5)
Cisco_1240AG# configure terminal
Cisco_1240AG(config)# aaa new-model
Cisco_1240AG(config)# aaa group server radius rad_admin
Cisco_1240AG(config-sg-radius)# server 192.168.77.5 auth-port 1645 acct-port 1646
Cisco_1240AG(config-sg-radius)# exit
Cisco_1240AG(config)# aaa authentication login default group rad_admin local
Cisco_1240AG(config)# radius-server host 192.168.77.5 auth-port 1645 acct-port 1646 [ your key ]
Cisco_1240AG(config)# user cisco password cisco
WPA2-Personal with AES-CCM + TKIP
Cisco_1240AG# configure terminal
Cisco_1240AG(config)# interface dot11radio 0 <-- 2.4GHz
Cisco_1240AG(config-if)# encryption mode ciphers aes-ccm tkip
Cisco_1240AG(config-if)# exit
Cisco_1240AG(config)# dot11 ssid IPBalance
Cisco_1240AG(config-ssid)# authentication open
Cisco_1240AG(config-ssid)# authentication key-management wpa version 2
Cisco_1240AG(config-ssid)# infrastructure-ssid optional
Cisco_1240AG(config-ssid)# wpa-psk ascii 7 [your key]
Cisco_1240AG# configure terminal
Cisco_1240AG(config)# interface dot11radio 1 <-- 5GHz
Cisco_1240AG(config-if)# encryption mode ciphers aes-ccm tkip
Cisco_1240AG(config-if)# exit
Cisco_1240AG(config)# dot11 ssid IPBalance
Cisco_1240AG(config-ssid)# authentication open
Cisco_1240AG(config-ssid)# authentication key-management wpa version 2
Cisco_1240AG(config-ssid)# infrastructure-ssid optional
Cisco_1240AG(config-ssid)# wpa-psk ascii [your key]
WPA2-Enterprise with Local RADIUS Server (192.168.88.3) Authentication
Cisco_1240AG# configure terminal
Cisco_1240AG(config)# aaa new-model
Cisco_1240AG(config)# aaa group server radius rad_eap
Cisco_1240AG(config-sg-radius)# server 192.168.88.3 auth-port 1645 acct-port 1646
Cisco_1240AG(config-sg-radius)# exit
Cisco_1240AG(config)# aaa group server radius rad_acct
Cisco_1240AG(config-sg-radius)# server 192.168.88.3 auth-port 1645 acct-port 1646
Cisco_1240AG(config-sg-radius)# exit
Cisco_1240AG(config)# aaa authentication login eap_methods group rad_eap
Cisco_1240AG(config)# aaa accounting network acct_methods start-stop group rad_acct
Cisco_1240AG(config)# dot11 ssid WT
Cisco_1240AG(config-ssid)# vlan 1
Cisco_1240AG(config-ssid)# authentication open eap eap_methods
Cisco_1240AG(config-ssid)# authentication network-eap eap_methods
Cisco_1240AG(config-ssid)# authentication key-management wpa version 2
Cisco_1240AG(config)# interface Dot11Radio0
Cisco_1240AG(config-if)# encryption mode ciphers aes-ccm tkip
Cisco_1240AG(config-if)# encryption vlan 1 mode ciphers aes-ccm tkip
Cisco_1240AG(config-if)# broadcast-key change 150
Cisco_1240AG(config-if)# broadcast-key vlan 1 change 300
Cisco_1240AG(config-if)# ssid WT
Cisco_1240AG(config)# interface Dot11Radio1
Cisco_1240AG(config-if)# encryption mode ciphers aes-ccm tkip
Cisco_1240AG(config-if)# encryption vlan 1 mode ciphers aes-ccm tkip
Cisco_1240AG(config-if)# broadcast-key change 150
Cisco_1240AG(config-if)# broadcast-key vlan 1 change 300
Cisco_1240AG(config-if)# ssid WT
Cisco_1240AG(config)# radius-server local
Cisco_1240AG(config-radsrv)# nas 192.168.88.3 key [shared-key]
Cisco_1240AG(config-radsrv)# group wirethink
Cisco_1240AG(config-radsrv-group)# vlan 1
Cisco_1240AG(config-radsrv-group)# ssid WT
Cisco_1240AG(config-radsrv-group)# exit
Cisco_1240AG(config-radsrv)# user user1 password user1 group wirethink
Cisco_1240AG(config)# radius-server host 192.168.88.3 auth-port 1645 acct-port 1646 [ your key ]
* Both radio interfaces should be configured with the same authentication commands.
** When you are using the local RADIUS server, use the same username and password (if IOS is 12.25d or earlier).
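A pre-deployment check over the kind of configuration shown above, as an added example that is not part of the original post: it reports radios on which TKIP is enabled, radios whose encryption lines differ from each other, and a local fallback login account whose password equals its username. The `audit` function and the sample text (laid out like a saved configuration) are constructed for illustration.

```python
import re

# Constructed sample in saved-configuration layout, built from the commands above.
SAMPLE_CONFIG = """\
username cisco password cisco
interface Dot11Radio0
 encryption mode ciphers aes-ccm tkip
 ssid WT
interface Dot11Radio1
 encryption mode ciphers aes-ccm
 ssid WT
radius-server local
 user user1 password user1 group wirethink
"""

CIPHERS = re.compile(r"encryption (?:vlan \d+ )?mode ciphers (.+)")
RADIO = re.compile(r"interface dot11radio\s*(\d+)", re.I)
ADMIN = re.compile(r"user(?:name)? (\S+) password (?:\d+ )?(\S+)")


def audit(config):
    """Return a list of findings for an Aironet configuration text."""
    findings, radios, current = [], {}, None
    for raw in config.splitlines():
        line, top_level = raw.strip(), raw[:1].strip() != ""
        radio = RADIO.match(line)
        if radio:
            current = f"Dot11Radio{radio.group(1)}"
            radios[current] = set()
            continue
        if top_level:
            current = None  # any other unindented line ends the interface block
        cipher = CIPHERS.match(line)
        if cipher and current:
            radios[current].add(line)
            if "tkip" in cipher.group(1).split():
                findings.append(f"{current}: TKIP is enabled")
        admin = ADMIN.match(line)
        # Only global accounts are checked; these back the 'local' login fallback.
        if admin and top_level and admin.group(1) == admin.group(2):
            findings.append(f"local account '{admin.group(1)}': password equals username")
    if len({frozenset(lines) for lines in radios.values()}) > 1:
        findings.append("radio interfaces have different encryption settings")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```
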
Troubleshooting commands
Testing an external or internal RADIUS host from the AP.
Cisco_1240AG# test aaa group radius [user] [password] new
Trying to authenticate with Servergroup radius
User successfully authenticated
Cisco_1240AG# test aaa group rad_admin [user] [password] new
Trying to authenticate with Servergroup radius
User rejected
Cisco_1240AG# test aaa group rad_eap [user] [password] new
Trying to authenticate with Servergroup radius
User successfully authenticated
Show and statistics
Cisco_1240AG# sh radius local-server statistics
Cisco_1240AG# show dot11 statistics client-traffic
Debug
Cisco_1240AG# terminal monitor
Cisco_1240AG# debug radius authentication
Cisco_1240AG# debug radius local-server client
Cisco_1240AG# debug radius local-server error
Cisco_1240AG# debug radius local-server packets
Cisco_1240AG# debug dot11 aaa authenticator all
Cisco_1240AG# undebug all