Michael McNamara

technology, networking, virtualization and IP telephony

Cisco Aironet 1200 Series WPA2 Enterprise with AES Encryption

by

I was looking for something to blog about and @fryguy_pa posted about his difficulties with the Cisco Aironet 1200 series and configuring them for WPA2. I had the pleasure of recently reconfiguring 70+ Cisco Aironet 1200 series, mostly AIR-AP1231G-A-K9 running the latest software 12.3(8)JEC, in an effort to deploy a new WLAN with 802.1x WPA2 Enterprise utilizing AES encryption. It took myself and another engineer a few days to come up with a working configuration.

You’ll notice in the example below that I’m using two RADIUS servers, actually two Microsoft Internet Authentication Servers running Windows 2003. I created a SSID (or WLAN) of “love” and bridged it to VLAN 802. I had to utilize bridge group 254 because the bridge groups only go from 1-255. I also only configured the WLAN on the 802.11b/g radio (Dott11Radio0) and not the 802.11a radio (Dott11Radio1). I also utilized a RADIUS secret of “radiuspass” in the example below.

aaa group server radius acme_eap
 server 10.1.4.21 auth-port 1812 acct-port 1813
 server 10.2.4.21 auth-port 1812 acct-port 1813

aaa authentication login acme_methods group acme_eap

dot11 ssid love
   vlan 802
   authentication open eap acme_methods
   authentication network-eap acme_methods
   authentication key-management wpa 

interface Dot11Radio0

ssid love

encryption vlan 802 mode ciphers aes-ccm

interface Dot11Radio0.802
 encapsulation dot1Q 802
 no ip route-cache
 bridge-group 254
 bridge-group 254 subscriber-loop-control
 bridge-group 254 block-unknown-source
 no bridge-group 254 source-learning
 no bridge-group 254 unicast-flooding
 bridge-group 254 spanning-disabled

interface FastEthernet0.802
 encapsulation dot1Q 802
 no ip route-cache
 bridge-group 254
 no bridge-group 254 source-learning
 bridge-group 254 spanning-disabled

interface Dot11Radio0

ssid love

encryption vlan 802 mode ciphers aes-ccm

radius-server host 10.1.4.21 auth-port 1812 acct-port 1813 key radiuspass
radius-server host 10.2.4.21 auth-port 1812 acct-port 1813 key radiuspass
radius-server deadtime 5

If you need to debug the AAA or RADIUS process here are the commands that can help provide additional detail from the Access Point. It should be noted that some of the commands below are software and version dependent and might throw you an error.

debug dot11 aaa manager keys
debug dot11 aaa authenticator state-machine
debug dot11 aaa dot1x state-machine
debug dot11 aaa authenticator process
debug dot11 aaa dot1x process
debug radius authentication 

terminal monitor

While this example won’t translate directly for @fryguy_pa it might help others trying to deploy 802.1x WPA2 Enterprise with AES encryption in an enterprise network.

Cheers!

Recent Posts

Categories

SUBSCRIBE BY EMAIL