
Configure WPA2 (AES-CCMP) on Cisco 877w

It is possible to configure WPA2 (AES-CCMP) on a Cisco 877w router, and these are the steps required to achieve it.

First of all, make sure you have the right IOS version. This is important because some IOS versions do not support the latest WPA2 key management type along with AES-CCMP encryption. This configuration is based on the following IOS.

Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(22)T5, RELEASE SOFTWARE (fc3)
c870-advipservicesk9-mz.124-22.T5.bin

We will be using VLAN 2 for wireless.

interface Vlan2
 description WIRELESS VLAN 2
 no ip address
!

Configure the DHCP Pool which the Wireless clients will use.

ip dhcp excluded-address 10.10.1.1
!
ip dhcp pool WIRELESS
   network 10.10.1.0 255.255.255.0
   default-router 10.10.1.1 
   dns-server 208.67.222.222 208.67.220.220 
!

Configure the SSID

dot11 syslog
!
dot11 ssid Fnode
 vlan 2
 authentication open 
 authentication key-management wpa
 guest-mode
 wpa-psk ascii PASSWORD-HERE
!

Configure the radio interface. Make sure you are using

ciphers aes-ccm

to achieve WPA2 AES-CCMP encryption. If the option is not there, the current IOS does not support it (refer to the IOS version above).

interface Dot11Radio0
 no ip address
 !
 encryption vlan 2 mode ciphers aes-ccm 
 !
 ssid Fnode
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 channel least-congested 2412 2442 2462
 station-role root
 no cdp enable
!

Make sure you are using VLAN 2 in the dot1Q encapsulation, along with the IP address configured as the default router in the DHCP section.

interface Dot11Radio0.1
 description WLAN VLAN2
 encapsulation dot1Q 2
 ip address 10.10.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no cdp enable
!

Configure the access-list for the wireless clients. It is best practice to create a named extended access-list so it remains intuitive when looking at the configuration later.

ip access-list extended WIRELESS
 permit ip 10.10.1.0 0.0.0.255 any
!

Add the NAT translation as follows…

I am using VLAN 20 as the External Interface to NAT out, use the corresponding External Interface on your configuration.

ip nat inside source list WIRELESS interface Vlan20 overload
!

Verification Method.

Once you have successfully connected a device to the configured SSID, use the following command to verify the WPA2/AES-CCMP association.

Router#show dot11 associations all

The output should show the following.

Key Mgmt type: WPAv2 PS
Encryption: AES-CCMP
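As an added check that is not part of the original post, the script below audits the wireless portion of a running-config for the settings the steps above depend on: the SSID bound to the radio, WPA key management and a PSK set, AES-CCMP as the only cipher on the SSID's VLAN, a dot1Q subinterface carrying that VLAN, and service password-encryption present. The configuration text is constructed from the snippets on this page, not captured from a real router, and the weak variant (mixed TKIP/AES cipher, no key management, PSK left in clear text) is constructed to show what the audit flags.

```python
"""Audit an IOS running-config for the WPA2/AES-CCMP recipe described above.

Added example, not part of the original post. All config text is constructed.
"""

# Constructed sample: the wireless-related lines from the steps above,
# plus 'service password-encryption' from the final step.
GOOD_CONFIG = """\
service password-encryption
!
dot11 ssid Fnode
 vlan 2
 authentication open
 authentication key-management wpa
 guest-mode
 wpa-psk ascii PASSWORD-HERE
!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 2 mode ciphers aes-ccm
 !
 ssid Fnode
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 2
 ip address 10.10.1.1 255.255.255.0
!
"""

# Constructed weak variant: mixed TKIP/AES cipher, no WPA key management,
# and the PSK left unencrypted in the config.
WEAK_CONFIG = (
    GOOD_CONFIG.replace("service password-encryption\n!\n", "")
    .replace(" authentication key-management wpa\n", "")
    .replace("ciphers aes-ccm", "ciphers aes-ccm tkip")
)


def parse_blocks(config):
    """Map each top-level config line to the list of indented lines under it."""
    blocks = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" "):
            if line == "!":
                current = None  # unindented '!' ends a block
            else:
                current = line
                blocks.setdefault(current, [])
        elif current is not None and line.strip() != "!":
            blocks[current].append(line.strip())  # indented '!' separators are skipped
    return blocks


def audit_wpa2(config, radio="interface Dot11Radio0"):
    """Return a list of findings; an empty list means the config matches the recipe."""
    blocks = parse_blocks(config)
    findings = []
    if "service password-encryption" not in blocks:
        findings.append("wpa-psk stored in clear text: service password-encryption missing")
    radio_lines = blocks.get(radio, [])
    bound = {l.split()[1] for l in radio_lines if l.startswith("ssid ")}
    ssids = {h.split()[2]: ls for h, ls in blocks.items() if h.startswith("dot11 ssid ")}
    if not ssids:
        findings.append("no dot11 ssid configured")
    for name, lines in ssids.items():
        if name not in bound:
            findings.append(f"ssid {name}: not bound to {radio}")
        if not any(l.startswith("authentication key-management wpa") for l in lines):
            findings.append(f"ssid {name}: WPA key management not enabled")
        if not any(l.startswith("wpa-psk ") for l in lines):
            findings.append(f"ssid {name}: no wpa-psk set")
        vlan = next((l.split()[1] for l in lines if l.startswith("vlan ")), None)
        if vlan is None:
            findings.append(f"ssid {name}: no vlan assigned")
            continue
        cipher = next((l for l in radio_lines
                       if l.startswith(f"encryption vlan {vlan} mode ciphers ")), None)
        if cipher is None:
            findings.append(f"ssid {name}: no cipher configured for vlan {vlan}")
        elif cipher.split("ciphers ", 1)[1].split() != ["aes-ccm"]:
            findings.append(f"ssid {name}: vlan {vlan} cipher is not AES-CCMP only ({cipher})")
        if not any(h.startswith(radio + ".") and f"encapsulation dot1Q {vlan}" in ls
                   for h, ls in blocks.items()):
            findings.append(f"ssid {name}: no {radio} subinterface carrying dot1Q {vlan}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, audit_wpa2(cfg) or "OK")
```

Feed it the output of show running-config (or a saved copy) and treat any finding as a reason to re-check the corresponding step above; the cipher check is deliberately strict so that a mixed aes-ccm tkip mode, which lets a client fall back to TKIP, is reported rather than accepted.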

Along with a similar log message.

Once you have configured and verified, use the following command to encrypt the WPA2 password entered above. Note that this applies Cisco's type 7 encoding, which is reversible; it hides the PSK from casual viewing of the configuration but does not replace protecting the configuration file itself.

(config)#service password-encryption
