Configure wpa2-psk encryption via CLI on Autonomous Cisco AP
In a previous blog article I outlined the CLI commands used to configure an autonomous AP for APoS for survey work.
I configured the SSIDs with no encryption. This is not really an issue, because I am only using this SSID to measure the RF attenuation in my environment; I am not passing sensitive data over this link. However, it does invite the possibility that 'some joker' at the customer's site could join this unprotected network. Admittedly they will not be assigned an IP address, nor is it likely they will log in to the AP and change any parameters. The most likely outcome is that the LED on the AP will change colour and I will notice this. Nevertheless, to prevent this from happening, we can configure our SSIDs with wpa2-psk encryption to stop any 'funny guys' trying to muscle in on my survey AP.
To achieve this, 3 steps are required:
- dot11radio encryption mode
- dot11 ssid authentication mode
- dot11 ssid wpa-psk to be set
dot11radio encryption mode
SURVEY#
SURVEY#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SURVEY(config)#int dot11Radio 0
SURVEY(config-if)#encryption ?
key Set one encryption key
mode encryption mode
vlan vlan
SURVEY(config-if)#encryption mode ?
ciphers Optional data ciphers
wep Classic 802.11 privacy algorithm
SURVEY(config-if)#encryption mode ciphers ?
aes-ccm WPA AES CCMP
ckip Cisco Per packet key hashing
ckip-cmic Cisco Per packet key hashing and MIC (MMH)
cmic Cisco MIC (MMH)
tkip WPA Temporal Key encryption
wep128 128 bit key
wep40 40 bit key
SURVEY(config-if)#encryption mode ciphers aes-ccm
SURVEY(config-if)#end
SURVEY#
dot11 SSID authentication mode
SURVEY#
SURVEY#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SURVEY(config)#dot11 ssid CISCO-SURVEY 2.4
SURVEY(config-ssid)#authentication ?
client EAP client information
key-management key management
network-eap leap method
open open method
shared shared method
SURVEY(config-ssid)#authentication key-management ?
cckm allow CCKM clients
wpa allow WPA clients
SURVEY(config-ssid)#authentication key-management wpa ?
cckm allow CCKM clients
optional allow legacy clients
version Specify WPA version
SURVEY(config-ssid)#authentication key-management wpa version ?
1 WPA version 1
2 WPA version 2
SURVEY(config-ssid)#authentication key-management wpa version 2
SURVEY(config-ssid)#
dot11 SSID wpa-psk
SURVEY(config-ssid)#
SURVEY(config-ssid)#wpa-psk ?
ascii Key entered as ascii chars
hex Key entered as hex chars
SURVEY(config-ssid)#wpa-psk ascii ?
0 Specifies an UNENCRYPTED key will follow
7 Specifies a HIDDEN key will follow
LINE Clear WPA password
SURVEY(config-ssid)#wpa-psk ascii 0 ?
LINE Clear WPA password
SURVEY(config-ssid)#wpa-psk ascii 0 CiscoCisco
SURVEY(config-ssid)#end
SURVEY#
Summary
That is it: SSID CISCO-SURVEY 2.4 is now protected with wpa-psk.
This needs to be done again in order to protect the SSID CISCO-SURVEY 5.
SURVEY(config)#int dot11Radio 1
SURVEY(config-if)#encryption mode ciphers aes-ccm
SURVEY(config)#dot11 ssid CISCO-SURVEY 5
SURVEY(config-ssid)#authentication key-management wpa version 2
SURVEY(config-ssid)#wpa-psk ascii 0 CiscoCisco
Don't forget to save your changes, assuming you are happy with the results.
SURVEY#copy run start
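To confirm that both radios and both SSIDs received all three settings, the following added example (not from the original article) audits the text of a saved running-config in Python. The sample config is constructed, and its layout (indented sub-commands under `dot11 ssid` and `interface Dot11Radio` blocks, `!` separators) is an assumption about how the AP prints its configuration; the function names are hypothetical.

```python
import re

# Constructed sample resembling `show running-config` output; the 5 GHz
# SSID and radio deliberately miss the settings to show what gets flagged.
SAMPLE = """\
dot11 ssid CISCO-SURVEY 2.4
   authentication open
   authentication key-management wpa version 2
   wpa-psk ascii 7 <hidden-key-placeholder>
!
dot11 ssid CISCO-SURVEY 5
   authentication open
!
interface Dot11Radio0
 encryption mode ciphers aes-ccm
 ssid CISCO-SURVEY 2.4
!
interface Dot11Radio1
 ssid CISCO-SURVEY 5
!
"""

def blocks(config, header_re):
    """Yield (name, [sub-commands]) for each top-level block matching header_re."""
    name, body = None, []
    for line in config.splitlines():
        if line[:1] not in (" ", "\t"):   # non-indented line starts a new block
            if name is not None:
                yield name, body
            m = re.match(header_re, line)
            name, body = (m.group(1).strip() if m else None), []
        elif name is not None:
            body.append(line.strip())
    if name is not None:
        yield name, body

def audit(config):
    """Return a list of findings; an empty list means all three steps are present."""
    findings = []
    for ssid, cmds in blocks(config, r"dot11 ssid (.+)$"):
        if "authentication key-management wpa version 2" not in cmds:
            findings.append(f"ssid {ssid}: WPA version 2 key management not set")
        if not any(c.startswith("wpa-psk ") for c in cmds):
            findings.append(f"ssid {ssid}: no wpa-psk configured")
    for radio, cmds in blocks(config, r"interface (Dot11Radio\d+)$"):
        ssids = [c[5:] for c in cmds if c.startswith("ssid ")]
        if ssids and "encryption mode ciphers aes-ccm" not in cmds:
            findings.append(f"{radio}: aes-ccm cipher not set, serving {ssids}")
    return findings
```

Calling `audit(SAMPLE)` returns three findings, all for the 5 GHz side; pass it the text of your own saved configuration instead to check a real AP.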