I was looking for something to blog about and @fryguy_pa posted about his difficulties with the Cisco Aironet 1200 series and configuring them for WPA2. I had the pleasure of recently reconfiguring 70+ Cisco Aironet 1200 series, mostly AIR-AP1231G-A-K9 running the latest software 12.3(8)JEC, in an effort to deploy a new WLAN with 802.1x WPA2 Enterprise utilizing AES encryption. It took another engineer and me a few days to come up with a working configuration.
You’ll notice in the example below that I’m using two RADIUS servers, actually two Microsoft Internet Authentication Servers running Windows 2003. I created an SSID (or WLAN) of “love” and bridged it to VLAN 802. I had to utilize bridge group 254 because the bridge groups only go from 1-255. I also only configured the WLAN on the 802.11b/g radio (Dot11Radio0) and not the 802.11a radio (Dot11Radio1). I also utilized a RADIUS secret of “radiuspass” in the example below.
aaa group server radius acme_eap
 server 10.1.4.21 auth-port 1812 acct-port 1813
 server 10.2.4.21 auth-port 1812 acct-port 1813
!
aaa authentication login acme_methods group acme_eap
!
dot11 ssid love
   vlan 802
   authentication open eap acme_methods
   authentication network-eap acme_methods
   authentication key-management wpa
!
interface Dot11Radio0
 ssid love
 encryption vlan 802 mode ciphers aes-ccm
!
interface Dot11Radio0.802
 encapsulation dot1Q 802
 no ip route-cache
 bridge-group 254
 bridge-group 254 subscriber-loop-control
 bridge-group 254 block-unknown-source
 no bridge-group 254 source-learning
 no bridge-group 254 unicast-flooding
 bridge-group 254 spanning-disabled
!
interface FastEthernet0.802
 encapsulation dot1Q 802
 no ip route-cache
 bridge-group 254
 no bridge-group 254 source-learning
 bridge-group 254 spanning-disabled
!
interface Dot11Radio0
 ssid love
 encryption vlan 802 mode ciphers aes-ccm
!
radius-server host 10.1.4.21 auth-port 1812 acct-port 1813 key radiuspass
radius-server host 10.2.4.21 auth-port 1812 acct-port 1813 key radiuspass
radius-server deadtime 5
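When you have 70+ APs to reconfigure, the part that bites is not writing one good config but spotting the AP where one line is missing: the SSID without key-management wpa (EAP then runs but no WPA2 keys are derived), the VLAN whose cipher is still tkip, the method list that points at an empty server group, or an SSID never assigned under a radio. As an added example that is not part of the original post and not a Cisco tool, here is a small Python audit that parses a saved running-config in the shape shown above and reports those conditions. The embedded sample config is constructed for the example and adds a deliberately weak second SSID ("guest") so the checker has something to flag; the `MIN_SECRET_LEN` value and the `parse_config` / `audit` names are assumptions of the example, not anything from the post.

```python
# Added example, not from the original post: audit a Cisco autonomous-AP
# running-config for the WPA2-Enterprise pieces the post's config relies on.
MIN_SECRET_LEN = 16  # assumption: a local policy value, not a Cisco limit

# Constructed sample in the style of the post, plus a deliberately weak second
# SSID ("guest": no WPA key management, TKIP on its VLAN) for the audit to flag.
SAMPLE_CONFIG = """\
aaa group server radius acme_eap
 server 10.1.4.21 auth-port 1812 acct-port 1813
aaa authentication login acme_methods group acme_eap
dot11 ssid love
   vlan 802
   authentication open eap acme_methods
   authentication network-eap acme_methods
   authentication key-management wpa
dot11 ssid guest
   vlan 803
   authentication open eap acme_methods
interface Dot11Radio0
 encryption vlan 802 mode ciphers aes-ccm
 encryption vlan 803 mode ciphers tkip
 ssid love
 ssid guest
radius-server host 10.1.4.21 auth-port 1812 acct-port 1813 key radiuspass
"""

def parse_blocks(text):
    """Split an IOS config into (header, [indented child lines]) blocks."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def parse_config(text):
    """Extract SSIDs, AAA method lists, RADIUS groups, radio ciphers and hosts."""
    cfg = {"ssids": {}, "method_lists": {}, "server_groups": {}, "radios": {}, "radius_hosts": []}
    for header, body in parse_blocks(text):
        w = header.split()
        if w[:2] == ["dot11", "ssid"]:
            ssid = {"vlan": None, "eap_lists": set(), "key_mgmt": None}
            for c in (line.split() for line in body):
                if c[0] == "vlan":
                    ssid["vlan"] = c[1]
                elif c[:2] == ["authentication", "open"] and "eap" in c:
                    ssid["eap_lists"].add(c[c.index("eap") + 1])
                elif c[:2] == ["authentication", "network-eap"]:
                    ssid["eap_lists"].add(c[2])
                elif c[:2] == ["authentication", "key-management"]:
                    ssid["key_mgmt"] = " ".join(c[2:])  # e.g. "wpa" or "wpa version 2"
            cfg["ssids"][w[2]] = ssid
        elif w[:3] == ["aaa", "authentication", "login"] and "group" in w:
            cfg["method_lists"][w[3]] = w[w.index("group") + 1]
        elif w[:4] == ["aaa", "group", "server", "radius"]:
            cfg["server_groups"][w[4]] = [l.split()[1] for l in body if l.startswith("server ")]
        elif w[0] == "interface" and w[1].startswith("Dot11Radio") and "." not in w[1]:
            radio = {"ssids": set(), "ciphers": {}}
            for c in (line.split() for line in body):
                if c[0] == "ssid":
                    radio["ssids"].add(c[1])
                elif c[0] == "encryption" and "ciphers" in c:
                    vlan = c[2] if c[1] == "vlan" else None  # None = radio-wide cipher
                    radio["ciphers"][vlan] = c[c.index("ciphers") + 1:]
            cfg["radios"][w[1]] = radio
        elif w[:2] == ["radius-server", "host"] and "key" in w:
            cfg["radius_hosts"].append((w[2], w[w.index("key") + 1]))
    return cfg

def audit(cfg):
    """Return human-readable findings, sorted by SSID; empty means the config passed."""
    out = []
    for name, s in sorted(cfg["ssids"].items()):
        if not (s["key_mgmt"] or "").startswith("wpa"):
            out.append(f"ssid {name}: no 'authentication key-management wpa', EAP alone gives no WPA2 keying")
        for ml in sorted(s["eap_lists"]):
            if not cfg["server_groups"].get(cfg["method_lists"].get(ml)):
                out.append(f"ssid {name}: method list {ml} does not resolve to a RADIUS group with servers")
        bound = [r for r, rad in cfg["radios"].items() if name in rad["ssids"]]
        if not bound:
            out.append(f"ssid {name}: not assigned under any Dot11Radio interface")
        for r in bound:
            ciphers = cfg["radios"][r]["ciphers"].get(s["vlan"], [])
            if ciphers != ["aes-ccm"]:
                out.append(f"ssid {name} on {r}: vlan {s['vlan']} ciphers {ciphers or 'unset'}, want exactly aes-ccm")
    for host, key in cfg["radius_hosts"]:
        if len(key) < MIN_SECRET_LEN:
            out.append(f"radius-server {host}: shared secret is {len(key)} chars, policy wants {MIN_SECRET_LEN}+")
    return out

if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

Run against a directory of `show running-config` captures by replacing SAMPLE_CONFIG with the file contents; the cipher check insists on exactly aes-ccm per VLAN so that a mixed "aes-ccm tkip" line, which lets a client negotiate the weaker cipher, is reported too.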
If you need to debug the AAA or RADIUS process, here are the commands that can help provide additional detail from the Access Point. It should be noted that some of the commands below are software- and version-dependent and might throw you an error.
debug dot11 aaa manager keys
debug dot11 aaa authenticator state-machine
debug dot11 aaa dot1x state-machine
debug dot11 aaa authenticator process
debug dot11 aaa dot1x process
debug radius authentication
terminal monitor
While this example won’t translate directly for @fryguy_pa it might help others trying to deploy 802.1x WPA2 Enterprise with AES encryption in an enterprise network.
Cheers!
Hi Michael,
You should be aware that even newer versions of code (12.4(x)) allow the administrator to specify WPA2 explicitly under the SSID key-management command. An example would be:
authentication key-management wpa version 2
Cheers,
Andrew
Thanks for the comment Andrew!
In 12.3.8 that configuration option isn’t available, as you know. I also have the order of the script a little backwards; that’s why I repeat some of the commands. I should probably clean it up.
Cheers!