Cisco Aironet 1602i and WPA2

Cisco AironetIt happening! Finally!

One of our sites urgently needed new Wi-Fi upgrade. It needed badly! I thought it is not possible what I saw. Whole Wi-Fi infrastructure was based on bunch of randomly picked access points, placed in a raisers or ducts surrounded with different type of pipes and hight voltage cables.

Don’t need to be a genius to know that it wont work. And it wont.

Now new infrastructure is build based on Cisco Aironet 1602i APs powerd by PoE 1 from switch. Ideally would be if there was a WLC2 involved but… seems we can’t have everything though.

Now, fun part. APs configuration. 
A 1602i comes with two radios: 2.4GHz and 5GHz. I need one SSID for all two networks, protected by a WPA2 password. Let’s not forget to protect AP itself and change default username and password and enable SSH.

I’m learning Cisco, so if there are some mistakes, bad habits, please leave your comment and I will be happy to read them and learn something new – I know, I am not using VLANs 😉

First thing first, let’s change a host name, disable current default username and password by setting up our own and secure privilege mode with a different than default password:

I am using MySecretPassword as an access to privilege mode and username:some_admin and password: ssh_secret_password

ap>en
put a default password for privilege mode (Cisco)
ap#conf t
ap(config)#hostname MyAP
MyAP(config)#enable secret MySecretPassword

Now with secure privilege mode let’s get rid of Cisco default username and password:

MyAP(config)#
MyAP(config)#no username Cisco

…and set up our own account:

MyAP(config)#username some_admin secret ssh_secret_password

I named password as a ssh_secret_password but it not only be used during SSH connection but also in telnet, because Cisco by default has set this up to use local user name database instead using enable password option.

Cisco sends for as a lot of logs during work with a console so to make our live much easiest and prevent to split our commands in the middle by some interface status going up and down let’s run logging synchronous command (I also set up an exec time-out  option to 3 hours to prevent from log me out when I am idle):

MyAP(config)#
MyAP(config) line console 0
MyAP(config-line)#logging synchronous
MyAP(config-line)#exec-timeout 180 0
MyAP(config-line)#exit
MyAP(config)#

Let’s summarized what we have. We changed host name and also default username and password to access telnet and SSH (we didn’t enabled SSH yet). We changed password to access privilege mode. We prevent syslogs from disturbing us while we type commands by executing logging synchronous command, and also we increased logout time out to 3 hours.

Now, it is time to do it right and use SSH instead telnet to access our AP remotely.

To enable SSH we need to generate some cryptographic keys. These keys (private an public) are used to cipher communication between our AP and us so the password to log in is not sent as a plain text as it is during telnet session.

Before we can generate those keys, we need to set up a domain first.
All host are identified by a username.domain_name.com and so keys are generate for a specific username in a specific domain only.

MyAP(config)#
MyAP(config)#ip domain-name mydomain.local

Now we can generate crypto keys:

MyAP(config)#crypto key generate rsa
The name for the keys will be: MyAP.mydomain.local
Choose the size of the key modulus in the range of 360 to 2048 for your
 General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.

Let’s choose 2048 bit key: 

How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]
MyAP(config)#
*Mar 1 00:47:50.067: %SSH-5-ENABLED: SSH 1.99 has been enabled

As you can see above SSH has just been enable. We didn’t need to do anything else. SSH other than telnet is using pairs of username and passwords, and crypto keys. Because we had username and password setted up, by generating keys we enabled SSH.

Just to be up to date let’s change SSH version to 2.0

MyAP(config)#ip ssh version 2

Base configuration finished. We have changed all default usernames and passwords, enabled SSH and change host name for our AP. Some may say that we left option to log in using telnet, but I left it just because we may not have SSH client and we may have to use telnet instead. If it is really required to disable telnet access, we should run transport input option for a VTY lines:

MyAP(config)#line vty 0 4
MyAP(config-line)#transport input ssh
MyAP(config-line)#exit
MyAP(config)#

Now it is time to set up our SSID. As I mention before, we need one SSID for both radios, it has to be protected by a shared WPA2 key and, I didn’t mention that before, SSID has to be a visible to our clients. Our SSID will be My_Wi-Fi and the password will be pa$$w0rd1.
So let’s do it.

MyAP(config)#dot11 ssid My_Wi-Fi
MyAP(config-ssid)#authentication open
MyAP(config-ssid)#authentication key-management wpa version 2
MyAP(config-ssid)#wpa-psk asci pa$$w0rd1
MyAP(config-ssid)#guest-mode
MyAP(config-ssid)#exit
MyAP(config)#

Open authentications allows any wireless device to authenticate with our access point, of course it provides correct WPA2 password. Guest-mode option it enables beacon to broadcast SSID so a client can see our Wi-Fi.

Now at least we need to configure our two radios.
This configuration will look exactly the same for radio 0 and 1.
I fund that it is not possible to use interface range option to configure both radios at the same time so we need to repeat this for each interface at a time. However I provide that configuration only once:

MyAP(config)#interface dot11Radio 0
MyAP(config-if)#encryption mode ciphers aes-ccm
MyAP(config-if)#ssid My_Wi-Fi
MyAP(config-if)#no shutdown
MyAP(config-if)#exit
MyAP(config)#

To use WPA2 we must use cipher encryption suit. In this example aes 3-ccm, then assign SSID to the radio and at the end turn the radio on, as all Cisco APs ships with radios switched off.

Last but not least all it left it’s to save our job.

MyAP(config)#exit
MyAP#copy running-config startup-config
Destination filename [startup-config]?[Press Enter]
Building configuration...
[OK]

We have a secure access point with two radios configured to use one SSID protected by WPA2 password. I left BRI interface in default configuration.
It picks up address from DHCP 4 and I found it helpful instead setting a static IP to it.

Our job is done 🙂

  1. Power Over Ethernet
  2. Wireless LAN Controller
  3. Advanced Encryption Standard
  4. Dynamic Host Configuration Protocol