Configure wpa2-psk encryption via CLI on Autonomous Cisco AP

In a previous blog article I outlined the CLI commands used to configure an autonomous AP for APoS for survey work.

I configured the SSIDs with no encryption. This is not really an issue, because I am only using this SSID to measure the RF attenuation in my environment; I am not passing sensitive data over this link. However, it does invite the possibility that 'some joker' at the customer's site could join this unprotected network. Admittedly they will not be assigned an IP address, nor is it likely they will log in to the AP and change any parameters. The most likely outcome is that the LED on the AP will change colour and I will notice this. Nevertheless, to prevent this from happening we can configure our SSIDs with wpa2-psk encryption and keep any 'funny guys' from muscling in on my survey AP.

To achieve this, 3 steps are required:

  • dot11radio encryption mode
  • dot11 ssid authentication mode
  • dot11 ssid wpa-psk to be set

dot11radio encryption mode

SURVEY#
SURVEY#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SURVEY(config)#int dot11Radio 0
SURVEY(config-if)#encryption ?
    key   Set one encryption key
    mode  encryption mode
    vlan  vlan

SURVEY(config-if)#encryption mode ?
    ciphers  Optional data ciphers
    wep      Classic 802.11 privacy algorithm

SURVEY(config-if)#encryption mode ciphers ?
    aes-ccm    WPA AES CCMP
    ckip       Cisco Per packet key hashing
    ckip-cmic  Cisco Per packet key hashing and MIC (MMH)
    cmic       Cisco MIC (MMH)
    tkip       WPA Temporal Key encryption
    wep128     128 bit key
    wep40      40 bit key

SURVEY(config-if)#encryption mode ciphers aes-ccm
SURVEY(config-if)#end
SURVEY#

dot11 SSID authentication mode

SURVEY#
SURVEY#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SURVEY(config)#dot11 ssid CISCO-SURVEY 2.4
SURVEY(config-ssid)#authentication ?
    client          EAP client information
    key-management  key management
    network-eap     leap method
    open            open method
    shared          shared method

SURVEY(config-ssid)#authentication key-management ?
    cckm  allow CCKM clients
    wpa   allow WPA clients

SURVEY(config-ssid)#authentication key-management wpa ?
    cckm      allow CCKM clients
    optional  allow legacy clients
    version   Specify WPA version

SURVEY(config-ssid)#authentication key-management wpa version ?
    1  WPA version 1
    2  WPA version 2

SURVEY(config-ssid)#authentication key-management wpa version 2
SURVEY(config-ssid)#

dot11 SSID wpa-psk

SURVEY(config-ssid)#
SURVEY(config-ssid)#wpa-psk ?
    ascii  Key entered as ascii chars
    hex    Key entered as hex chars

SURVEY(config-ssid)#wpa-psk ascii ?
    0     Specifies an UNENCRYPTED key will follow
    7     Specifies a HIDDEN key will follow
    LINE  Clear WPA password

SURVEY(config-ssid)#wpa-psk ascii 0 ?
    LINE  Clear WPA password

SURVEY(config-ssid)#wpa-psk ascii 0 CiscoCisco
SURVEY(config-ssid)#end
SURVEY#

Summary

That is it: SSID CISCO-SURVEY 2.4 is now protected with wpa-psk.

This needs to be done again in order to protect the SSID CISCO-SURVEY 5.

SURVEY(config)#int dot11Radio 1
SURVEY(config-if)#encryption mode ciphers aes-ccm

SURVEY(config)#dot11 ssid CISCO-SURVEY 5
SURVEY(config-ssid)#authentication key-management wpa version 2

SURVEY(config-ssid)#wpa-psk ascii 0 CiscoCisco

Don't forget to save your changes, assuming you are happy with the results.

SURVEY#copy run start
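
One way to confirm that all three steps landed on both SSIDs is to audit the saved configuration offline. The script below is an added example, not part of the original article. It assumes the running-config layout shown in the constructed sample, including each radio being bound to its SSID with an `ssid` line under the interface, and the names `SAMPLE`, `parse_blocks` and `audit` are hypothetical.

```python
# Constructed running-config excerpt (not from the page); the key is a placeholder.
SAMPLE = """\
dot11 ssid CISCO-SURVEY 2.4
   authentication open
   authentication key-management wpa version 2
   wpa-psk ascii 0 <psk-placeholder>
!
dot11 ssid CISCO-SURVEY 5
   authentication open
!
interface Dot11Radio0
 encryption mode ciphers aes-ccm
 ssid CISCO-SURVEY 2.4
!
interface Dot11Radio1
 ssid CISCO-SURVEY 5
"""
AES = "encryption mode ciphers aes-ccm"
WPA2 = "authentication key-management wpa version 2"

def parse_blocks(config):
    """Group indented sub-commands under their top-level command line."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line[:1].isspace() and current is not None:
            blocks[current].append(line.strip())
        elif line.strip() not in ("", "!"):
            current = line.strip()
            blocks[current] = []
    return blocks

def audit(config):
    """Return {ssid: [commands still missing]} for each SSID in the config."""
    blocks = parse_blocks(config)
    radios = [b for h, b in blocks.items() if h.startswith("interface Dot11Radio")]
    findings = {}
    for head, body in blocks.items():
        if not head.startswith("dot11 ssid "):
            continue
        ssid, missing = head[len("dot11 ssid "):], []
        serving = [b for b in radios if "ssid " + ssid in b]  # radios carrying this SSID
        if not serving or any(AES not in b for b in serving):  # step 1: cipher
            missing.append(AES)
        if WPA2 not in body:  # step 2: key management
            missing.append(WPA2)
        if not any(c.startswith("wpa-psk ") for c in body):  # step 3: pre-shared key
            missing.append("wpa-psk")
        findings[ssid] = missing
    return findings
```

Calling `audit(SAMPLE)` reports nothing missing for CISCO-SURVEY 2.4 and all three commands missing for CISCO-SURVEY 5, which is the state of the AP before the 5 GHz SSID is protected.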