
Configure WPA2 (AES-CCMP) on Cisco 877w

It is possible to configure WPA2 (AES-CCMP) on a Cisco 877w router; these are the steps required to do it.

First of all, make sure you have the right IOS version. This is important because some IOS versions do not support the latest WPA2 key-management type together with AES-CCMP encryption. This configuration is based on the following IOS.

Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(22)T5, RELEASE SOFTWARE (fc3)
c870-advipservicesk9-mz.124-22.T5.bin

We will be using VLAN 2 for Wireless

!
interface Vlan2
description WIRELESS VLAN 2
no ip address
!

Configure the DHCP Pool which the Wireless clients will use.

!
ip dhcp excluded-address 10.10.1.1
!
ip dhcp pool WIRELESS
network 10.10.1.0 255.255.255.0
default-router 10.10.1.1 
dns-server 208.67.222.222 208.67.220.220 
!

Configure the SSID

!
dot11 syslog
!
dot11 ssid Fnode
vlan 2
authentication open 
authentication key-management wpa
guest-mode
wpa-psk ascii PASSWORD-HERE
!

Configure the radio interface, making sure you use

ciphers aes-ccm

to achieve WPA2 AES-CCMP encryption. If the option is not there, the current IOS does not support it (refer to the IOS version above).

!
interface Dot11Radio0
no ip address
!
encryption vlan 2 mode ciphers aes-ccm 
!
ssid Fnode
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel least-congested 2412 2442 2462
station-role root
no cdp enable
!

Make sure you are using VLAN 2 on the dot1Q encapsulation, along with the IP address configured in the DHCP section.

!
interface Dot11Radio0.1
description WLAN VLAN2
encapsulation dot1Q 2
ip address 10.10.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no cdp enable
!

Configure the access-list for the wireless clients. It is best practice to create a named extended access-list so it is intuitive when looking at it.

!
ip access-list extended WIRELESS
permit ip 10.10.1.0 0.0.0.255 any
!

Add the NAT translation as follows.

I am using VLAN 20 as the external interface to NAT out; use the corresponding external interface on your configuration.

!
ip nat inside source list WIRELESS interface Vlan20 overload
!
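The steps above spread the WPA2 requirements over three places (the SSID, the radio's per-VLAN cipher, and the subinterface VLAN), so it is easy to end up with a mismatch or a legacy cipher left in. The following audit script is an added example, not part of the original post or of Cisco IOS: it takes a running-config excerpt (a constructed sample built from the configuration shown above, indented the way IOS prints it, with `service password-encryption` deliberately left out) and reports SSIDs whose VLAN is not covered by an `aes-ccm` cipher, any tkip/wep ciphers still allowed, and the missing password-encryption line. The section names and checks are assumptions about this page's configuration style, not an official IOS parser.

```python
import re

# Constructed sample: the page's configuration pieces stitched into one
# running-config excerpt. 'service password-encryption' is intentionally
# absent so the audit has something to report on the unmodified sample.
SAMPLE_CONFIG = """\
!
dot11 syslog
!
dot11 ssid Fnode
 vlan 2
 authentication open
 authentication key-management wpa
 guest-mode
 wpa-psk ascii PASSWORD-HERE
!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 2 mode ciphers aes-ccm
 !
 ssid Fnode
 !
 station-role root
 no cdp enable
!
interface Dot11Radio0.1
 description WLAN VLAN2
 encapsulation dot1Q 2
 ip address 10.10.1.1 255.255.255.0
!
"""

# Ciphers that must not be offered if WPA2/AES-CCMP is the goal.
WEAK_CIPHERS = ("tkip", "wep40", "wep128")


def parse_sections(config_text):
    """Split an IOS-style config into (header, [body commands]) pairs.

    IOS indents a section's body by one space; a top-level '!' or the next
    unindented line ends the section. Indented '!' separators are ignored.
    """
    sections, current = [], None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if line.startswith(" "):
            body = line.strip()
            if body != "!" and current is not None:
                current[1].append(body)
            continue
        if line == "!":
            current = None
            continue
        current = (line, [])
        sections.append(current)
    return sections


def audit_wpa2(config_text):
    """Return a list of findings (empty list means the config passes)."""
    findings, ssids, radios, top_level = [], {}, {}, set()
    for header, body in parse_sections(config_text):
        if header.startswith("dot11 ssid "):
            ssids[header.split(" ", 2)[2]] = body
        elif header.startswith("interface Dot11Radio") and "." not in header:
            radios[header.split(" ", 1)[1]] = body      # physical radio only
        else:
            top_level.add(header)

    if "service password-encryption" not in top_level:
        findings.append("global: service password-encryption not set; "
                        "wpa-psk shows in cleartext in the running-config")

    for radio, body in radios.items():
        # Per-VLAN cipher suites configured on this radio.
        enc = {}
        for cmd in body:
            m = re.match(r"encryption vlan (\d+) mode ciphers (.+)", cmd)
            if m:
                enc[m.group(1)] = m.group(2).split()
        for cmd in body:
            if not cmd.startswith("ssid "):
                continue
            name = cmd[5:]
            ssid_body = ssids.get(name)
            if ssid_body is None:
                findings.append(f"{radio}: binds SSID {name} which is not defined")
                continue
            if not any(c.startswith("authentication key-management wpa") for c in ssid_body):
                findings.append(f"ssid {name}: no 'authentication key-management wpa'")
            if not any(c.startswith("wpa-psk ") for c in ssid_body):
                findings.append(f"ssid {name}: no wpa-psk configured")
            vlan = next((c.split()[1] for c in ssid_body if c.startswith("vlan ")), None)
            if vlan is None:
                findings.append(f"ssid {name}: no vlan, radio cipher not checked")
                continue
            ciphers = enc.get(vlan)
            if ciphers is None:
                findings.append(f"{radio}: no 'encryption vlan {vlan} mode ciphers' for SSID {name}")
                continue
            if "aes-ccm" not in ciphers:
                findings.append(f"{radio} vlan {vlan}: ciphers {ciphers} lack aes-ccm (not WPA2/AES-CCMP)")
            weak = [c for c in ciphers if c in WEAK_CIPHERS]
            if weak:
                findings.append(f"{radio} vlan {vlan}: legacy ciphers {weak} still allowed")
    return findings


if __name__ == "__main__":
    for finding in audit_wpa2(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Feed it `show running-config` output saved to a file; the only finding on the sample above is the missing `service password-encryption`, and swapping `aes-ccm` for `tkip` on the radio adds two more.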

Verification Method.

Once you have successfully connected a device to the configured SSID, use the following command to verify the WPA2/AES-CCMP association.

Router#show dot11 associations all

The output should show the following.

Key Mgmt type: WPAv2 PS
Encryption: AES-CCMP

Along with a similar log message.

*Feb 26 23:30:54.669: %DOT11-6-ASSOC: Interface Dot11Radio0, Station Border 0013.02de.xxxx Associated SSID[Fnode] AUTH_TYPE[OPEN] KEY_MGMT[WPAv2 PSK]
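Because `dot11 syslog` is enabled above, every association is logged with its KEY_MGMT, which makes it easy to watch for clients that did not negotiate WPAv2 PSK. The script below is an added example, not code from the original post: it parses `%DOT11-6-ASSOC` lines and returns the stations whose key management differs from the expected `WPAv2 PSK`. The first log line is the one shown above (MAC masked as in the original); the other lines, including the `KEY_MGMT[WPA PSK]` and `KEY_MGMT[NONE]` values, are constructed for this example and are assumptions about how other key-management types would be printed.

```python
import re

# Constructed sample syslog: line 1 is the page's own message; the rest are
# made up for this example (different SSID, key-management values, and an
# unrelated %SYS message the parser should ignore).
SAMPLE_LOG = """\
*Feb 26 23:30:54.669: %DOT11-6-ASSOC: Interface Dot11Radio0, Station Border 0013.02de.xxxx Associated SSID[Fnode] AUTH_TYPE[OPEN] KEY_MGMT[WPAv2 PSK]
*Feb 26 23:31:10.102: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 0011.2233.4455 Associated SSID[Fnode] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
*Feb 26 23:31:40.500: %SYS-5-CONFIG_I: Configured from console by console
*Feb 26 23:32:05.417: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 0066.7788.99aa Associated SSID[Guest] AUTH_TYPE[OPEN] KEY_MGMT[NONE]
"""

# What the verification section above expects to see for every client.
EXPECTED_KEY_MGMT = "WPAv2 PSK"

# Station may carry an optional hostname before the MAC ("Station Border 0013...").
# 'x' is allowed in the MAC so masked addresses from redacted logs still parse.
ASSOC_RE = re.compile(
    r"%DOT11-6-ASSOC: Interface (?P<iface>\S+), Station (?:\S+ )?"
    r"(?P<mac>[0-9a-fx]{4}\.[0-9a-fx]{4}\.[0-9a-fx]{4}) "
    r"Associated SSID\[(?P<ssid>[^\]]+)\] AUTH_TYPE\[(?P<auth>[^\]]+)\] "
    r"KEY_MGMT\[(?P<keymgmt>[^\]]+)\]"
)


def parse_associations(log_text):
    """Return one dict per %DOT11-6-ASSOC line; other messages are skipped."""
    events = []
    for line in log_text.splitlines():
        m = ASSOC_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def weak_associations(log_text, expected=EXPECTED_KEY_MGMT):
    """Associations whose KEY_MGMT is not the expected WPAv2 PSK."""
    return [e for e in parse_associations(log_text) if e["keymgmt"] != expected]


if __name__ == "__main__":
    for e in weak_associations(SAMPLE_LOG):
        print(f"{e['iface']}: {e['mac']} on SSID {e['ssid']} used KEY_MGMT {e['keymgmt']}")
```

Run it over the router's syslog export (or a `show logging` capture); on a correctly configured Fnode SSID the list should be empty, and anything on it points to a misconfigured SSID or a client negotiating something other than WPA2.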

Once you have configured and verified everything, use the following command to encrypt the WPA2 password entered above.

(config)#service password-encryption


Copyright © Nish Vamadevan 2002-2017. All Rights Reserved. Terms and Policies.