12 November 2008

Configuring WPA and WPA2 on Cisco Aironet


In the last post I talked about configuring WEP authentication on a Cisco Aironet wireless access point.
Now I want to configure WPA and WPA2 to strengthen the wireless security.

Just as a note, I put an image of a padlock on the last post, and now I give a picture of a vault to give the image of stronger security.
You know what I mean, padlock versus vault. Oh, just forget it.

Back to the topic: when first posting about WEP I said that WEP encryption is weak and that you had better use encryption like WPA and WPA2.

WPA gives better key management and stronger cipher encryption. For those who don't know what a cipher is, it's an algorithm for encryption and decryption; we'll be configuring the cipher when dealing with WPA and WPA2. WPA uses what is called TKIP, or Temporal Key Integrity Protocol, for the cipher encryption.

WPA2 is even better than WPA: it uses a stronger encryption called AES, or Advanced Encryption Standard, and it creates fresh session keys so every packet sent is encrypted with a different key.

One other thing to know: WPA and WPA2 come in two flavors, Personal and Enterprise. In Enterprise mode we need an authentication server such as RADIUS. I don't have a RADIUS server currently, so I'll skip to Personal mode instead.
The Personal mode of WPA and WPA2 uses what is called WPA-PSK, the WPA Pre-Shared Key; we have to configure the WPA-PSK on both the access point and the clients.

So let's get on to the configuration of WPA first, for my SSID Guest on VLAN 40:

1240AG> enable
1240AG# configure terminal
1240AG(config)# interface dot11radio 0
1240AG(config-if)# encryption vlan 40 mode ciphers tkip
1240AG(config-if)# ssid Guest
1240AG(config-if-ssid)# vlan 40
1240AG(config-if-ssid)# authentication open
1240AG(config-if-ssid)# authentication key-management wpa
1240AG(config-if-ssid)# wpa-psk ascii your-key-here

That's it, you've successfully configured WPA on a Cisco Aironet wireless access point. Just configure the ciphers to tkip, set the authentication to open, and use the wpa key management. The great thing about WPA is that we can set ASCII characters as the key instead of hexadecimal like we did when configuring WEP.

The difference between the WPA and WPA2 configurations is small. We have to set the ciphers to AES and the key management to WPA version 2. Let's configure WPA2 for my SSID Admin on VLAN 30:

1240AG> enable
1240AG# configure terminal
1240AG(config)# interface dot11radio 0
1240AG(config-if)# encryption vlan 30 mode ciphers aes-ccm
1240AG(config-if)# ssid Admin
1240AG(config-if-ssid)# vlan 30
1240AG(config-if-ssid)# authentication open
1240AG(config-if-ssid)# authentication key-management wpa version 2
1240AG(config-if-ssid)# wpa-psk ascii your-key-here
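
To check a config like the two above before pushing it to an access point, here is a small audit script. It is an added example, not part of the original post or any Cisco tool: it reads commands in the form typed above and reports every SSID that is not on AES-CCM with WPA version 2, or whose ASCII pre-shared key falls outside the 8 to 63 characters WPA allows. The function name `audit`, the sample text and the key values are made up for illustration, and only per-VLAN `encryption` lines are handled.

```python
import re

# Constructed sample in the post's command format (not from a real device).
# The Guest key is deliberately too short.
SAMPLE = """\
interface dot11radio 0
 encryption vlan 40 mode ciphers tkip
 encryption vlan 30 mode ciphers aes-ccm
 ssid Guest
  vlan 40
  authentication key-management wpa
  wpa-psk ascii guest1
 ssid Admin
  vlan 30
  authentication key-management wpa version 2
  wpa-psk ascii correct-horse-battery-staple
"""

def audit(config):
    """Return {ssid: [findings]} for per-VLAN encryption as used in the post."""
    ciphers, ssids, current = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"encryption vlan (\d+) mode (?:ciphers )?(.+)", line):
            ciphers[m.group(1)] = m.group(2)      # VLAN -> cipher list
        elif m := re.match(r"ssid (\S+)", line):
            current = ssids.setdefault(m.group(1), {})
        elif current is not None:
            if m := re.match(r"vlan (\d+)", line):
                current["vlan"] = m.group(1)
            elif m := re.match(r"authentication key-management (.+)", line):
                current["km"] = m.group(1)
            elif m := re.match(r"wpa-psk ascii (.+)", line):
                current["psk"] = m.group(1)
    report = {}
    for name, s in ssids.items():
        findings = []
        mode = ciphers.get(s.get("vlan"), "none")
        if mode != "aes-ccm":                      # tkip, wep or mixed mode
            findings.append(f"cipher '{mode}' is not aes-ccm only")
        if s.get("km") != "wpa version 2":
            findings.append("key management is not WPA version 2")
        psk = s.get("psk")
        if psk is not None and not 8 <= len(psk) <= 63:
            findings.append("ASCII pre-shared key must be 8 to 63 characters")
        report[name] = findings
    return report

if __name__ == "__main__":
    for ssid, findings in audit(SAMPLE).items():
        print(ssid, "->", findings or "ok")
```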

Don't forget to check out how to set up the wireless network and the SSID in my last posts. Cheers.