In this post we will see how to add security to an SSID configured on an Autonomous AP. Here is the basic configuration for an Autonomous AP (AAP) without any security (i.e. open authentication). This is the basic configuration you need to practice many times; before adding any security, make sure your SSID works with this basic config.
I have configured two SSIDs (data1 & data2) with VLANs 12 & 13 assigned to each SSID on the 5GHz band (Radio 1). The native VLAN is 110, and the switch port connected to this AAP needs to be configured as a trunk port with native VLAN 110.
hostname AAP1
!
dot11 ssid data1
   vlan 12
   authentication open
   mbssid guest-mode
!
dot11 ssid data2
   vlan 13
   authentication open
   mbssid guest-mode
!
interface Dot11Radio1
 ssid data1
 ssid data2
 mbssid
!
interface Dot11Radio1.12
 encapsulation dot1Q 12
 bridge-group 12
!
interface Dot11Radio1.13
 encapsulation dot1Q 13
 bridge-group 13
!
interface Dot11Radio1.110
 encapsulation dot1Q 110 native
 bridge-group 1
!
interface GigabitEthernet0.12
 encapsulation dot1Q 12
 bridge-group 12
!
interface GigabitEthernet0.13
 encapsulation dot1Q 13
 bridge-group 13
!
interface GigabitEthernet0.110
 encapsulation dot1Q 110 native
 bridge-group 1
!
interface BVI1
 ip address 10.10.110.100 255.255.255.0
!
ip default-gateway 10.10.110.3
First we will look at the WEP (Wired Equivalent Privacy) security method on one of these SSIDs. Keep in mind that WEP is a very weak security method (it can be cracked within a few minutes) and should not be configured on any wireless network nowadays. The 40-bit key below is entered as 10 hex digits, and the "mode wep mandatory" line tells the AP to drop any data frame on VLAN 12 that is not WEP-encrypted.
interface Dot11Radio1
 encryption vlan 12 key 1 size 40bit 1234567890
 encryption vlan 12 mode wep mandatory
Now you can check this with the AnyConnect client by associating to the "data1" SSID. Here is a screenshot of the AnyConnect client.
With open authentication plus WEP, the sequence of frames is as follows. Note that the key is never checked during authentication or association; a client with the wrong key associates successfully and only fails when it sends data.
1. Authentication Request (Client -> AAP)
2. Authentication Response (AAP -> Client)
3. Association Request (Client -> AAP)
4. Association Response (AAP -> Client)
5. WEP-encrypted data frame to the network (Client -> AAP)
6. If the WEP key does not match, the ICV check fails and the AAP discards the frame.
You can verify the above by taking a Wireshark capture of the wireless frames.
With WEP you can also configure shared key authentication. This is the least secure option: the AP sends the challenge text to the client in clear text and the client returns the same text WEP-encrypted, so anyone capturing both frames has a plaintext/ciphertext pair for that IV and can recover the keystream. To configure it, type the "authentication shared" command under dot11 ssid. In this method the traffic flow is like this.
1. Authentication Request (Client -> AAP)
2. Unencrypted Challenge Text (AAP -> Client)
3. Encrypted Challenge Text (Client -> AAP)
4. Authentication Success (AAP -> Client)
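To show why the two WEP flows above behave the way they do, here is an added Python example (not code from the original post or from Cisco). It implements textbook RC4 and the WEP frame format (24-bit IV prepended to the 40-bit key, CRC-32 ICV appended to the plaintext), simulates the four-frame shared-key exchange, and demonstrates both points made above: a frame encrypted under the wrong key fails the ICV check and is discarded, and one captured challenge/response pair gives an eavesdropper the keystream for that IV, which is enough to answer a fresh challenge without ever knowing the key. The key, IV and challenge bytes are constructed test values; the function names are my own.

```python
"""WEP shared-key authentication: keystream recovery from a captured exchange.

Added example, not from the original post. Key, IVs and challenges below
are constructed test values.
"""
import struct
import zlib

CHALLENGE_LEN = 128  # 802.11 shared-key challenge text is 128 bytes


def rc4(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(plaintext: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV || RC4(IV || key) XOR (plaintext || ICV)."""
    assert len(iv) == 3 and len(key) in (5, 13)
    data = plaintext + icv(plaintext)
    return iv + xor(data, rc4(iv + key, len(data)))


def wep_decrypt(key: bytes, body: bytes):
    """Return the plaintext if the ICV verifies, else None (AP discards)."""
    iv, ct = body[:3], body[3:]
    data = xor(ct, rc4(iv + key, len(ct)))
    pt, tag = data[:-4], data[-4:]
    return pt if icv(pt) == tag else None


# Shared-key exchange (frames 2 and 3 above) and what an eavesdropper gets.
def client_response(key: bytes, challenge: bytes, iv: bytes) -> bytes:
    """Frame 3: the client returns the challenge WEP-encrypted."""
    return wep_encrypt(key, iv, challenge)


def ap_verify(key: bytes, challenge: bytes, response: bytes) -> bool:
    """Frame 4 is 'success' only if decryption yields the same challenge."""
    return wep_decrypt(key, response) == challenge


def recover_keystream(challenge: bytes, response: bytes):
    """Frames 2 (clear text) and 3 (ciphertext) XOR to the keystream for that IV."""
    iv, ct = response[:3], response[3:]
    return iv, xor(challenge + icv(challenge), ct)


def forge_response(iv: bytes, keystream: bytes, new_challenge: bytes) -> bytes:
    """Answer a fresh challenge with the recovered keystream; the WEP key is unknown."""
    return iv + xor(new_challenge + icv(new_challenge), keystream)


# Constructed values: the 40-bit key from the AP config, a fixed IV and two
# deterministic "random" challenges so the run is reproducible.
KEY = bytes.fromhex("1234567890")
WRONG_KEY = bytes.fromhex("0000000000")
IV = b"\x01\x02\x03"
CHALLENGE_1 = bytes((i * 7 + 3) & 0xFF for i in range(CHALLENGE_LEN))
CHALLENGE_2 = bytes((i * 13 + 5) & 0xFF for i in range(CHALLENGE_LEN))


def demo():
    """Returns (legit client accepted, wrong key rejected, forged response accepted)."""
    response = client_response(KEY, CHALLENGE_1, IV)
    legit_ok = ap_verify(KEY, CHALLENGE_1, response)          # step 6: right key passes ICV
    wrong_ok = ap_verify(WRONG_KEY, CHALLENGE_1, response)    # wrong key: ICV fails, discarded
    iv, ks = recover_keystream(CHALLENGE_1, response)         # eavesdropper's view
    forged = forge_response(iv, ks, CHALLENGE_2)              # no key needed
    forged_ok = ap_verify(KEY, CHALLENGE_2, forged)
    return legit_ok, wrong_ok, forged_ok


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The forgery works because the client chooses the IV, the AP accepts whatever IV is in the frame, and the challenge is always 128 bytes, so one captured exchange yields exactly as much keystream as the next one needs. Open authentication with WEP avoids this particular leak (the AP never hands out a plaintext/ciphertext pair), which is why shared key is the weaker of the two, but the RC4/IV weaknesses that let WEP be cracked in minutes apply to both.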
Related Posts
1. Autonomous AP with WPA-PSK Security
2. Autonomous AP as Local Radius Server
3. Autonomous AP with LEAP Security
4. Autonomous AP with EAP-FAST Security
5. Autonomous AP with EAP-TLS Security