In this post, we will see how to configure WPA-PSK (WiFi Protected Access – Pre Shared Key).

WPA key management supports two mutually exclusive management types: WPA and WPA-PSK. With WPA key management, the client and the authentication server authenticate to each other using an EAP (Extensible Authentication Protocol) method and generate a pairwise master key (PMK). With WPA, the server generates the PMK dynamically and passes it to the access point.

With WPA-PSK, however, you configure a pre-shared key on both the client and the access point (AAP), and that pre-shared key is used as the PMK.

We will configure the “data2” SSID with WPA-PSK. The WPA-PSK related commands are highlighted. Keep in mind that “open” or “network-eap” authentication is required for WPA.

dot11 ssid data2
   vlan 13
   mbssid guest-mode
   authentication open 
   authentication key-management wpa
   wpa-psk ascii 0 1234567890
!
interface Dot11Radio1
  encryption vlan 13 mode ciphers tkip

You can verify the configuration by using the AnyConnect client to connect to this SSID, as shown below.

[Screenshots: AAP-SEC-WPA-PSK0, AAP-SEC-WPA-PSK1]

There are additional options you can configure under the authentication key-management section, as shown below. You can specify WPA “version 2” if you require the highest security. Configuring CCKM (Cisco Centralized Key Management) enhances fast roaming for Cisco-compatible clients. If you specify “optional”, other types of key management can also be used to associate to this SSID; clients are not limited to WPA and CCKM. You can configure all of these options if required.

dot11 ssid data2
   vlan 13
   mbssid guest-mode
   authentication open 
   authentication key-management wpa version 2|cckm|optional
   wpa-psk ascii 0 1234567890

Under the radio interface VLAN encryption section, you can configure multiple encryption methods in order to support different types of encryption (in case certain clients have limitations). The configuration below allows both AES-CCM and TKIP.

interface Dot11Radio1
 encryption vlan 13 mode ciphers aes-ccm tkip 
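
A small audit of the settings discussed above, as an added example that is not part of the original post: it parses the post's first configuration (embedded as a constructed sample) and flags key management not pinned to WPA version 2, TKIP still enabled on the SSID's VLAN, and a passphrase that is readable or weak. The function names, finding texts and the 20-character passphrase threshold are assumptions for illustration.

```python
import re

# Constructed sample: the first configuration shown in the post.
SAMPLE_CONFIG = """\
dot11 ssid data2
   vlan 13
   mbssid guest-mode
   authentication open
   authentication key-management wpa
   wpa-psk ascii 0 1234567890
!
interface Dot11Radio1
  encryption vlan 13 mode ciphers tkip
"""

def parse(config):
    """Return ({ssid: settings}, {vlan: [ciphers]}) from the config text."""
    ssids, ciphers, cur = {}, {}, None
    for raw in config.splitlines():
        if m := re.match(r"dot11 ssid (\S+)", raw):
            cur = ssids.setdefault(m[1], {"vlan": None, "km": "", "psk": None})
        elif m := re.match(r"\s*encryption vlan (\d+) mode ciphers (.+)", raw):
            ciphers[m[1]] = m[2].split()
        elif not raw[:1].isspace():
            cur = None  # any other top-level line closes the SSID block
        elif cur is not None:
            if m := re.match(r"\s+vlan (\d+)", raw):
                cur["vlan"] = m[1]
            elif m := re.match(r"\s+authentication key-management (.+)", raw):
                cur["km"] = m[1]
            elif m := re.match(r"\s+wpa-psk (ascii|hex) (?:([07]) )?(\S+)", raw):
                cur["psk"] = m.groups()  # (format, key type, key)
    return ssids, ciphers

def audit(config):
    """Yield (ssid, finding) tuples for every SSID that uses wpa-psk."""
    ssids, ciphers = parse(config)
    for name, s in ssids.items():
        if s["psk"] is None:
            continue
        kind, enc, key = s["psk"]
        if "version 2" not in s["km"]:
            yield name, "key management not pinned to WPA version 2"
        if "tkip" in ciphers.get(s["vlan"], []):
            yield name, "TKIP cipher enabled"
        if enc != "7":  # type 0 or omitted: the key itself is in the text
            yield name, "PSK in cleartext in config"
            # 20 characters is an assumed local policy value, not a Cisco default
            if kind == "ascii" and (len(key) < 20 or key.isdigit()):
                yield name, "passphrase short or digits only"
```

Run `list(audit(text))` over a saved configuration; an empty list means none of these four checks fired.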
