Cisco Aironet 1602i and WPA2

It's happening! Finally!

One of our sites urgently needed a new Wi-Fi upgrade. It needed it badly! I could not believe what I saw. The whole Wi-Fi infrastructure was based on a bunch of randomly picked access points, placed in risers or ducts surrounded by different types of pipes and high-voltage cables.

You don't need to be a genius to know that it won't work. And it didn't.

Now the new infrastructure is built on Cisco Aironet 1602i APs powered by PoE1 from the switch. Ideally there would be a WLC2 involved but… it seems we can't have everything.

Now, the fun part: AP configuration.
A 1602i comes with two radios: 2.4 GHz and 5 GHz. I need one SSID for both radios, protected by a WPA2 password. Let's not forget to protect the AP itself: change the default username and password and enable SSH.

I'm learning Cisco, so if there are mistakes or bad habits here, please leave a comment and I will be happy to read it and learn something new. I know, I am not using VLANs 😉

First things first, let's change the host name, disable the current default username and password by setting up our own, and secure privileged mode with a password different from the default:

I am using MySecretPassword for access to privileged mode, with username some_admin and password ssh_secret_password.

ap>en
Password: (enter the default privileged-mode password, Cisco)
ap#conf t
ap(config)#hostname MyAP
MyAP(config)#enable secret MySecretPassword

Now that privileged mode is secured, let's get rid of the Cisco default username and password:

MyAP(config)#
MyAP(config)#no username Cisco

…and set up our own account:

MyAP(config)#username some_admin secret ssh_secret_password

I named the password ssh_secret_password, but it will be used not only for SSH connections but also for telnet, because Cisco by default has set this up to use the local username database instead of the enable password option.

Cisco sends a lot of log messages to the console while we work, so to make our lives easier and stop our commands from being split in the middle by some interface status going up and down, let's run the logging synchronous command (I also set the exec-timeout option to 3 hours so I am not logged out while idle):

MyAP(config)#
MyAP(config)#line console 0
MyAP(config-line)#logging synchronous
MyAP(config-line)#exec-timeout 180 0
MyAP(config-line)#exit
MyAP(config)#

Let's summarize what we have. We changed the host name, and the default username and password used for telnet and SSH access (we haven't enabled SSH yet). We changed the password for privileged mode. We stopped syslog messages from disturbing us while we type commands by running logging synchronous, and we increased the logout timeout to 3 hours.

Now it is time to do it right and use SSH instead of telnet to access our AP remotely.

To enable SSH we need to generate cryptographic keys. These keys (private and public) are used to encrypt the communication between us and our AP, so the login password is not sent in plain text as it is during a telnet session.

Before we can generate those keys, we need to set up a domain name first.
Hosts are identified by host name and domain name (host.domain_name), and the keys are generated for that specific host in that specific domain only.

MyAP(config)#
MyAP(config)#ip domain-name mydomain.local

Now we can generate crypto keys:

MyAP(config)#crypto key generate rsa
The name for the keys will be: MyAP.mydomain.local
Choose the size of the key modulus in the range of 360 to 2048 for your
 General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.

Let's choose a 2048-bit key:

How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]
MyAP(config)#
*Mar 1 00:47:50.067: %SSH-5-ENABLED: SSH 1.99 has been enabled

As you can see above, SSH has just been enabled. We didn't need to do anything else. Unlike telnet, SSH uses username/password pairs together with crypto keys. Because we already had a username and password set up, generating the keys enabled SSH.

To be up to date, let's set the SSH version to 2:

MyAP(config)#ip ssh version 2

Base configuration finished. We have changed all default usernames and passwords, enabled SSH and changed the host name of our AP. Some may say that we left the option to log in using telnet; I left it only because we may not always have an SSH client at hand and may have to use telnet instead. If it is really required to disable telnet access, we should set the transport input option on the VTY lines:

MyAP(config)#line vty 0 4
MyAP(config-line)#transport input ssh
MyAP(config-line)#exit
MyAP(config)#

Now it is time to set up our SSID. As I mentioned before, we need one SSID for both radios; it has to be protected by a shared WPA2 key and, something I didn't mention before, the SSID has to be visible to our clients. Our SSID will be My_Wi-Fi and the password will be pa$$w0rd1.
So let's do it.

MyAP(config)#dot11 ssid My_Wi-Fi
MyAP(config-ssid)#authentication open
MyAP(config-ssid)#authentication key-management wpa version 2
MyAP(config-ssid)#wpa-psk ascii pa$$w0rd1
MyAP(config-ssid)#guest-mode
MyAP(config-ssid)#exit
MyAP(config)#

Open authentication allows any wireless device to authenticate with our access point, provided of course that it supplies the correct WPA2 password. The guest-mode option makes the beacon broadcast the SSID, so clients can see our Wi-Fi.

Now, at last, we need to configure our two radios.
This configuration looks exactly the same for radio 0 and radio 1.
I found that it is not possible to use the interface range option to configure both radios at the same time, so we need to repeat this for each interface in turn. However, I show the configuration only once:

MyAP(config)#interface dot11Radio 0
MyAP(config-if)#encryption mode ciphers aes-ccm
MyAP(config-if)#ssid My_Wi-Fi
MyAP(config-if)#no shutdown
MyAP(config-if)#exit
MyAP(config)#

To use WPA2 we must use a cipher encryption suite, in this example AES3-CCM (aes-ccm). Then assign the SSID to the radio and, at the end, turn the radio on, as all Cisco APs ship with the radios switched off.

Last but not least, all that is left is to save our work.

MyAP(config)#exit
MyAP#copy running-config startup-config
Destination filename [startup-config]?[Press Enter]
Building configuration...
[OK]

We have a secure access point with two radios configured to use one SSID protected by a WPA2 password. I left the BVI interface in its default configuration.
It picks up an address from DHCP4, and I found that more helpful than setting a static IP on it.
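To check that every step above actually landed in the running configuration (and was not undone by a later change), here is an added audit script in Python; it is not code from this post or from Cisco. It parses the text of show running-config and flags the gaps the post closes: the default host name, the default Cisco user, a missing enable secret, SSH not pinned to version 2, telnet still accepted on a VTY line, an SSID without WPA2 key management or a pre-shared key, and a radio without an AES-CCM-only cipher suite, without a bound SSID, or still shut down. Both embedded configs are constructed: one mirrors the post's commands, the other is a deliberately weak variant; hash and key values are placeholders.

```python
"""Audit a Cisco Aironet IOS running-config for the hardening steps covered in
the post.  Added example, not part of the original post; both config texts are
constructed (one mirrors the post, one is deliberately weak), and every hash or
key value is a placeholder."""
import re

# Constructed: the post's configuration as `show running-config` would show it.
HARDENED = """\
hostname MyAP
enable secret 5 $1$PLACEHOLDER$hash
username some_admin secret 5 $1$PLACEHOLDER$hash
ip domain-name mydomain.local
ip ssh version 2
dot11 ssid My_Wi-Fi
   authentication open
   authentication key-management wpa version 2
   guest-mode
   wpa-psk ascii 7 PLACEHOLDER
!
interface Dot11Radio0
 encryption mode ciphers aes-ccm
 ssid My_Wi-Fi
!
interface Dot11Radio1
 encryption mode ciphers aes-ccm
 ssid My_Wi-Fi
!
line con 0
 exec-timeout 180 0
 logging synchronous
line vty 0 4
 transport input ssh
"""

# Constructed: a box where several steps were skipped (default user, enable
# password instead of secret, telnet allowed, WPA1/TKIP, radio 1 left shut).
WEAK = """\
hostname ap
enable password Cisco
username Cisco privilege 15 password 7 PLACEHOLDER
dot11 ssid My_Wi-Fi
   authentication open
   authentication key-management wpa
   wpa-psk ascii 7 PLACEHOLDER
!
interface Dot11Radio0
 encryption mode ciphers tkip
 ssid My_Wi-Fi
!
interface Dot11Radio1
 shutdown
!
line vty 0 4
 transport input telnet ssh
"""


def parse_sections(config):
    """Map each top-level command to the list of indented lines beneath it."""
    sections, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] not in " \t":            # new top-level command
            current = raw.strip()
            sections.setdefault(current, [])
        elif current is not None:           # child of the current command
            sections[current].append(raw.strip())
    return sections


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    sections = parse_sections(config)
    tops = list(sections)
    findings = []

    def any_top(pattern):
        return any(re.match(pattern, line, re.I) for line in tops)

    # management plane: host name, privileged mode, local users, SSH, VTY lines
    if not any_top(r"hostname (?!ap$)\S+"):
        findings.append("host name still default (ap)")
    if not any_top(r"enable secret "):
        findings.append("privileged mode not protected by 'enable secret'")
    if any_top(r"username cisco "):
        findings.append("default user 'Cisco' still present")
    if not any_top(r"username \S+ (privilege \d+ )?secret "):
        findings.append("no local user with a hashed ('secret') password")
    if "ip ssh version 2" not in sections:
        findings.append("SSH not pinned to version 2")
    vty = [sections[t] for t in tops if t.startswith("line vty")]
    if not vty or any("transport input ssh" not in lines for lines in vty):
        findings.append("telnet still accepted on a VTY line")

    # wireless: WPA2 key management and PSK per SSID, AES-CCM per radio
    ssids = {t.split(None, 2)[2]: sections[t] for t in tops if t.startswith("dot11 ssid ")}
    for name, lines in ssids.items():
        if "authentication key-management wpa version 2" not in lines:
            findings.append(f"SSID {name}: WPA2 key management not enforced")
        if not any(ln.startswith("wpa-psk ") for ln in lines):
            findings.append(f"SSID {name}: no WPA pre-shared key configured")
    for t in tops:
        if not t.startswith("interface Dot11Radio"):
            continue
        lines = sections[t]
        ciphers = [ln for ln in lines if ln.startswith("encryption mode ciphers ")]
        if not ciphers or "aes-ccm" not in ciphers[0] or "tkip" in ciphers[0]:
            findings.append(f"{t}: cipher suite is not AES-CCM only")
        bound = [ln.split(None, 1)[1] for ln in lines if ln.startswith("ssid ")]
        if not bound or any(b not in ssids for b in bound):
            findings.append(f"{t}: no configured SSID bound to the radio")
        if "shutdown" in lines:
            findings.append(f"{t}: radio is shut down")
    return findings


if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit(cfg) or ["OK"])
```

The parser relies only on indentation, so it works for any IOS configuration block regardless of how many spaces the platform prints. The audit deliberately does not inspect the pre-shared key itself: the running-config shows it only in type-7 obfuscated form, and the strength of a WPA2-PSK network rests on the passphrase, which a parser cannot judge.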

Our job is done 🙂

  1. Power Over Ethernet
  2. Wireless LAN Controller
  3. Advanced Encryption Standard
  4. Dynamic Host Configuration Protocol

11 thoughts on “Cisco Aironet 1602i and WPA2”

  1. Hi, interesting article but despite lots of Googling I’m still stuck with step 0 – how do you make the connection to the console? What cable and program are required? Classic RJ45 and hyperterm of some sort? Thanks in advance.

  2. Many thanks, have ordered a cable and USB serial adaptor so will try your tutorial in a few days when this turns up. Currently being driven mad by an Aironet 1602i that won’t respond on the web interface.

  3. Good I was able to help. Let me know how it went 🙂

    My APs respond on the web interface but I was lost there. I didn't even know where to start configuring it :) Personally I prefer the CLI.

  4. Marcin,

    A few more security measures you may want to take are to set these options:

    Public key authentication with SSH

    ip ssh pubkey-chain
    key-string
    key-hash key-type key-name

    http://www.cisco.com/c/en/us/td/docs/ios/sec_user_services/configuration/guide/15_0s/sec_securing_user_services_15_0S_book/sec_secure_shell_v2.html#wp1082784

    I like to setup an access list to limit traffic to just one IP for ssh sessions:

    access-list 1 remark "This allows only traffic from 192.168.1.66"
    access-list 1 permit 192.168.1.66 0.0.0.0
    access-list 1 deny any log
    line vty 0 15
    access-class 1 in
    exit

    This next one is a good one to set if you might have an issue with insecure physical access to the AP, which may lead to tampering. This disables the option of recovering the configuration without a password. You can still recover a device if you forget the password, at the cost of losing the configuration.

    no service password-recovery

    http://www.cisco.com/c/en/us/support/docs/routers/3600-series-multiservice-platforms/46104-no-service-pswdrec.html

    I use these commands to disable HTTP web interface connections, enable the best available encryption for HTTPS sessions, and limit web UI access to that one IP.

    ip http secure-server
    ip http secure-ciphersuite 3des-ede-cbc-sha
    ip http access-class 1
    no ip http server

    For more tips:
    http://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html

    Thanks for the post. I hope these tips are helpful, this is just a hobby for me.

  5. Hi, nice tutorial.

    I did everything like you, but my clients only connect at 54 Mbps. All clients are b/g/n.
    I would like to connect at 300 Mbps; all clients are close to the AP. In your case, at what rate do your clients connect?

    Thank you

  6. Thanks guys for the comments.
    Michael, unfortunately I cannot tell you at what rate clients are connecting, because I changed employer 1.5 years ago and no longer have access to that environment. But you should find some help on the web about Wi-Fi rates.

  7. Hi, I tried this config on a Cisco 1520 and it went in fine, but the authentication does not seem to happen.
    Is there any simple way to debug this? Please.

  8. regarding speed
    #interface Dot11Radio0
    #speed basic-1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
    #channel width 40-above
