It is possible to configure WPA2 (AES-CCMP) on a Cisco 877w Router, and these are the steps required to achieve it.
First of all, make sure you have the right IOS version. This is important because some IOS versions do not support the latest WPA2 key-management type along with AES-CCMP encryption. This configuration is based on the following IOS.
Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(22)T5, RELEASE SOFTWARE (fc3)
We will be using VLAN 2 for Wireless.
!
interface Vlan2
 description WIRELESS VLAN 2
 no ip address
!
Configure the DHCP Pool which the Wireless clients will use.
!
ip dhcp excluded-address 10.10.1.1
!
ip dhcp pool WIRELESS
 network 10.10.1.0 255.255.255.0
 default-router 10.10.1.1
 dns-server 22.214.171.124 126.96.36.199
!
Configure the SSID
!
dot11 syslog
!
dot11 ssid Fnode
 vlan 2
 authentication open
 authentication key-management wpa
 guest-mode
 wpa-psk ascii PASSWORD-HERE
!
Configure the Radio Interface, making sure you use ciphers aes-ccm to achieve WPA2 AES-CCMP encryption. If the option is not there, the current IOS does not support it (refer to the IOS version above).
!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 2 mode ciphers aes-ccm
 !
 ssid Fnode
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 channel least-congested 2412 2442 2462
 station-role root
 no cdp enable
!
Make sure you are using VLAN 2 in the dot1Q encapsulation, along with the IP address configured in the DHCP section.
!
interface Dot11Radio0.1
 description WLAN VLAN2
 encapsulation dot1Q 2
 ip address 10.10.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no cdp enable
!
Configure the access-list for the Wireless clients. It is best practice to create an extended access-list so it becomes intuitive while looking at them…
!
ip access-list extended WIRELESS
 permit ip 10.10.1.0 0.0.0.255 any
!
Add the NAT translation as follows…
I am using VLAN 20 as the External Interface to NAT out; use the corresponding External Interface in your configuration.
!
ip nat inside source list WIRELESS interface Vlan20 overload
!
Once you have successfully connected a device to the configured SSID, use the following command to verify the WPA2/AES-CCMP association.
Router#show dot11 associations all
The output should show the following.
Key Mgmt type: WPAv2 PS
Along with a similar log message.
*Feb 26 23:30:54.669: %DOT11-6-ASSOC: Interface Dot11Radio0, Station Border 0013.02de.xxxx Associated SSID[Fnode] AUTH_TYPE[OPEN] KEY_MGMT[WPAv2 PSK]
Once you have configured and verified everything, use the command (config)#service password-encryption to encrypt the WPA2 password entered above. Note that this applies the reversible type 7 encoding, which hides the key from casual viewing of the running config rather than protecting it cryptographically.
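To check a saved running-config for the settings this walkthrough depends on (WPA key management on the SSID and an aes-ccm cipher suite for the SSID's VLAN on the radio interface), here is an added Python audit script; it is not part of the original post, and the sample config it parses is constructed to mirror the page's layout plus a hypothetical legacy SSID left on TKIP.

```python
import re

# Constructed sample running-config (not from the page): Fnode as on the page, Legacy left on TKIP.
SAMPLE_CONFIG = """\
dot11 ssid Fnode
 vlan 2
 authentication key-management wpa
 wpa-psk ascii 7 0123456789ABCDEF
!
dot11 ssid Legacy
 vlan 3
 authentication open
interface Dot11Radio0
 encryption vlan 2 mode ciphers aes-ccm
 encryption vlan 3 mode ciphers tkip
 ssid Fnode
 ssid Legacy
"""

def audit_wpa2(config):
    """Map each SSID to a list of findings; empty means WPA key management plus aes-ccm."""
    ssids, ciphers, current = {}, {}, None
    for line in config.splitlines():
        m = re.match(r"dot11 ssid (\S+)", line)
        if m:  # start of a dot11 ssid block
            current = ssids.setdefault(m.group(1), {"vlan": None, "wpa": False})
            continue
        if not line.startswith(" "):  # any other top-level command ends the block
            current = None
        m = re.match(r"\s+encryption vlan (\d+) mode ciphers (.+)", line)
        if m:  # per-VLAN cipher suite under the radio interface
            ciphers[int(m.group(1))] = m.group(2).split()
        elif current is not None:
            cmd = line.strip()
            if cmd.startswith("vlan "):
                current["vlan"] = int(cmd.split()[1])
            elif cmd.startswith("authentication key-management wpa"):
                current["wpa"] = True
    report = {}
    for ssid, s in ssids.items():
        findings = []
        if not s["wpa"]:
            findings.append("no 'authentication key-management wpa'")
        suite = ciphers.get(s["vlan"])
        if suite is None:
            findings.append("no 'encryption vlan N mode ciphers' for VLAN %s" % s["vlan"])
        elif "aes-ccm" not in suite:
            findings.append("VLAN %d ciphers are %s, not aes-ccm" % (s["vlan"], " ".join(suite)))
        report[ssid] = findings
    return report
```

Feed it the output of show running-config; an SSID with an empty findings list is the configuration this page builds.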