≡ Menu

Configure WPA2 (AES-CCMP) on Cisco 877w

It is possible to configure WPA2 (AES-CCMP) on a Cisco 877w Router and these are the steps required to achieve them.

First of all, do make sure you have the right IOS version. This is important because some versions of the IOS does not support the latest WPA2 Key Management type along with AES-CCMP Encryption. This configuration is based on the following IOS.

Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(22)T5, RELEASE SOFTWARE (fc3)

We will be using VLAN 2 for Wireless

interface Vlan2
 description WIRELESS VLAN 2
 no ip address

Configure the DHCP Pool which the Wireless clients will use.

ip dhcp excluded-address
ip dhcp pool WIRELESS

Configure the SSID

dot11 syslog
dot11 ssid Fnode
 vlan 2
 authentication open 
 authentication key-management wpa
 wpa-psk ascii PASSWORD-HERE

Configure the Radio Interface, make sure you are using the

ciphers aes-ccm

to achieve WPA2 AES-CCMP Encryption. If the option is not there, the current ISO does not support it. (Refer to the IOS Above)

interface Dot11Radio0
 no ip address
 encryption vlan 2 mode ciphers aes-ccm 
 ssid Fnode
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 channel least-congested 2412 2442 2462
 station-role root
 no cdp enable

Make sure you are using VLAN 2 on the dot1Q encapsulation, along with the IP address configured on the DHCP Section.

interface Dot11Radio0.1
 description WLAN VLAN2
 encapsulation dot1Q 2
 ip address
 ip nat inside
 ip virtual-reassembly
 no cdp enable

Configure the access-list for the Wireless clients. It is best practice to create extended access-list so is becomes intuitive while looking at them…

ip access-list extended WIRELESS
 permit ip any

Add the NAT translation as follows…

I am using VLAN 20 as the External Interface to NAT out, use the corresponding External Interface on your configuration.

ip nat inside source list WIRELESS interface Vlan20 overload

Verification Method.

Once you have successfully connected a device to the configured SSID, Use the command to verify WPA2/AES-CCMP association.

Router#show dot11 associations all

should show the following.

Key Mgmt type: WPAv2 PS
Encryption: AES-CCMP

Along with a similar log message.

*Feb 26 23:30:54.669: %DOT11-6-ASSOC: Interface Dot11Radio0, Station Border 0013.02de.xxxx Associated SSID[Fnode] AUTH_TYPE[OPEN] KEY_MGMT[WPAv2 PSK]

Once you have configured and verified, use the command to encrypt the WPA2 Password entered above.

(config)#service password-encryption

Comments on this entry are closed.

Next post:

Previous post:

Copyright © Nish Vamadevan 2002-2017. All Rights Reserved. Terms and Policies.