Configure wpa2-psk encryption via CLI on Autonomous Cisco AP

In a previous blog article I outlined the CLI commands used to configure an autonomous AP for APoS for survey work.

I configured the SSIDs with no encryption. This is not really an issue, because I am only using this SSID to measure the RF attenuation in my environment; I am not passing sensitive data over this link. However, it does invite the possibility that ‘some joker’ at the customer’s site could join this unprotected network. Admittedly, they will not be assigned an IP address, nor is it likely they will log in to the AP and change any parameters. The most likely outcome is that the LED on the AP will change colour and I will notice this. Nevertheless, to prevent this from happening, we can configure our SSIDs with wpa2-psk encryption and keep any ‘funny guys’ from muscling in on my survey AP.

To achieve this, 3 steps are required:

  • dot11radio encryption mode
  • dot11 ssid authentication mode
  • dot11 ssid wpa-psk to be set

dot11radio encryption mode

 SURVEY#
 SURVEY#conf t
 Enter configuration commands, one per line. End with CNTL/Z.
 SURVEY(config)#int dot11Radio 0
 SURVEY(config-if)#encryption ?
   key   Set one encryption key
   mode  encryption mode
   vlan  vlan

 SURVEY(config-if)#encryption mode ?
   ciphers  Optional data ciphers
   wep      Classic 802.11 privacy algorithm

 SURVEY(config-if)#encryption mode ciphers ?
   aes-ccm    WPA AES CCMP
   ckip       Cisco Per packet key hashing
   ckip-cmic  Cisco Per packet key hashing and MIC (MMH)
   cmic       Cisco MIC (MMH)
   tkip       WPA Temporal Key encryption
   wep128     128 bit key
   wep40      40 bit key

 SURVEY(config-if)#encryption mode ciphers aes-ccm
 SURVEY(config-if)#end
 SURVEY#

dot11 SSID authentication mode

 SURVEY#
 SURVEY#conf t
 Enter configuration commands, one per line. End with CNTL/Z.
 SURVEY(config)#dot11 ssid CISCO-SURVEY 2.4
 SURVEY(config-ssid)#authentication ?
   client          EAP client information
   key-management  key management
   network-eap     leap method
   open            open method
   shared          shared method

 SURVEY(config-ssid)#authentication key-management ?
   cckm  allow CCKM clients
   wpa   allow WPA clients

 SURVEY(config-ssid)#authentication key-management wpa ?
   cckm      allow CCKM clients
   optional  allow legacy clients
   version   Specify WPA version
   <cr>

 SURVEY(config-ssid)#authentication key-management wpa version ?
   1  WPA version 1
   2  WPA version 2

 SURVEY(config-ssid)#authentication key-management wpa version 2
 SURVEY(config-ssid)#

dot11 SSID wpa-psk

 SURVEY(config-ssid)#
 SURVEY(config-ssid)#wpa-psk ?
   ascii  Key entered as ascii chars
   hex    Key entered as hex chars

 SURVEY(config-ssid)#wpa-psk ascii ?
   0     Specifies an UNENCRYPTED key will follow
   7     Specifies a HIDDEN key will follow
   LINE  Clear WPA password

 SURVEY(config-ssid)#wpa-psk ascii 0 ?
   LINE  Clear WPA password

 SURVEY(config-ssid)#wpa-psk ascii 0 CiscoCisco
 SURVEY(config-ssid)#end
 SURVEY#

Summary

That is it: SSID CISCO-SURVEY 2.4 is now protected with wpa-psk.

This needs to be done again in order to protect the SSID CISCO-SURVEY 5.

 SURVEY(config)#int dot11Radio 1
 SURVEY(config-if)#encryption mode ciphers aes-ccm

 SURVEY(config)#dot11 ssid CISCO-SURVEY 5
 SURVEY(config-ssid)#authentication key-management wpa version 2

 SURVEY(config-ssid)#wpa-psk ascii 0 CiscoCisco

Don’t forget to save your changes, assuming you are happy with the results.

 SURVEY#copy run start
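
To confirm that nothing was missed on either radio, the check below reads a saved running configuration and reports, per SSID, which of the three steps is still absent. It is an added example, not part of the original article; the sample configuration is constructed, and its layout (including the `ssid` binding line under each radio interface) is an assumption about how the AP renders these commands.

```python
# Constructed sample in the layout of "show running-config"; not from a real AP.
SAMPLE_CONFIG = """\
dot11 ssid CISCO-SURVEY 2.4
   authentication key-management wpa version 2
   wpa-psk ascii 7 HIDDEN-KEY-PLACEHOLDER
!
dot11 ssid CISCO-SURVEY 5
   authentication open
!
interface Dot11Radio0
 encryption mode ciphers aes-ccm
 ssid CISCO-SURVEY 2.4
!
interface Dot11Radio1
 ssid CISCO-SURVEY 5
"""

def parse_blocks(config):
    """Group indented sub-commands under their unindented parent line."""
    blocks, current = {}, None
    for line in (l for l in config.splitlines() if l.strip() not in ("", "!")):
        if not line[0].isspace():
            current = line.strip()
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks

def audit_wpa2_psk(config):
    """Return {ssid: [steps still missing]} for the three steps above."""
    blocks = parse_blocks(config)
    aes = {}  # SSID -> True only if every radio it is bound to uses aes-ccm
    for head, body in blocks.items():
        if head.lower().startswith("interface dot11radio"):
            ok = "encryption mode ciphers aes-ccm" in body
            for name in (s[5:] for s in body if s.startswith("ssid ")):
                aes[name] = aes.get(name, True) and ok
    findings = {}
    for head, body in blocks.items():
        if head.startswith("dot11 ssid "):
            missing = []
            if not aes.get(head[11:], False):
                missing.append("encryption mode ciphers aes-ccm")
            if "authentication key-management wpa version 2" not in body:
                missing.append("authentication key-management wpa version 2")
            if not any(sub.startswith("wpa-psk ") for sub in body):
                missing.append("wpa-psk")
            findings[head[11:]] = missing
    return findings
```

An empty list for an SSID means all three steps are present; the cipher check is an exact match, so a radio configured with any cipher set other than `aes-ccm` alone is reported as missing it.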
