Networks Training

Configuration of Cisco WPA2 Enterprise and Personal

What is WPA2:

WPA2 is short for Wi-Fi Protected Access 2 and is standardized under the IEEE 802.11i standard. WPA2 is a security protocol framework that is used to protect wireless networks. WPA2 is currently considered as the most secure method to protect a Wi-Fi network. It provides layer 2 based security and uses IEEE 802.1x port based authentication protocol. Compared to the older Wi-Fi security standards, WPA2 is much more secure than WPA and WEP because it uses the much stronger Advanced Encryption Standard (AES) together with some other key exchange, authentication and ciphering algorithms. For example, WPA2 creates new session keys on every association. The encryption keys that are used for each client on the network are unique and specific to that client. This means that every packet that is sent over the air is encrypted with a unique key.

WPA2 Modes of Operation:

WPA2 supports two modes of operation depending on the environment which is implemented and the level of security you want to provide. These are WPA2 Personal and WPA2 Enterprise.

WPA2 Personal : A pre-shared key is used to authenticate clients on the WLAN and this is the most applicable mode for home use or for small WiFi networks. This is still very secure provided that the pre-shared key remains strictly private within the users of the WiFi network.

WPA2 Enterprise : This is the most secure mode of operation and – as the name suggests – it is mostly used in Enterprise networks. An 802.1x EAP-based authentication method must be used to authenticate the clients. You need an External RADIUS server in order to configure WPA2 Enterprise. Moreover, if you use the widely used EAP-PEAP authentication protocol, you will need to install a trusted Digital Certificate on the RADIUS server.

A very common scenario with Enterprises that have a Microsoft Active Directory server installed, is to integrate the RADIUS server with the Microsoft AD in order to provide user authentication via the AD user directory.

Next we will see how to Configure WPA2 Personal and WPA2 Enterprise on a Cisco WLAN Controller and also directly on Access Point devices.

Configuring WPA2 Personal on Cisco 5508 Wireless LAN Controller:

See the screenshots and steps below for the configurations:

  1. Connect your PC on the network where controller has been set up.
  2. Access controller’s GUI with its management IP address.
  3. Navigate to WLANs tab and select Create New or select the existing WLAN id to edit.
  4. Select the Security > layer 2
  5. In the layer 2 Security drop-down menu select WPA+WPA2.
  6. In the WPA+WPA2 Parameters section enable the WPA2 Policy-AES.
  7. Under Authentication Key Management Section, enable PSK for WPA2 personal mode.
  8. Select PSK Format either ASCII or HEX and enter the desired pre-shared key.
MORE READING:  Cisco Wireless LAN Controller Basic Configuration

This will use a pre-shared key to authenticate the wireless clients on that WLAN.

WPA2-Personal-WLC

WPA2-Personal-WLC

Configuring WPA2 Enterprise on Cisco 5508 Wireless LAN Controller:

To configure WPA2 Enterprise mode you need a RADIUS server for external authentication. The WLC needs to be configured in order to forward the user credentials to an external RADIUS server. The external RADIUS server then validates the user credentials and provides access to the wireless clients. The RADIUS server also needs to be configured for WLC.

Follow the steps below to configure the WLC for an external RADIUS server:

  1. ChooseSecurity > RADIUS Authentication from the controller GUI.
  2. Click Newin order to define a RADIUS server.
  3. Define the RADIUS server parameters on theRADIUS Authentication Servers > New as shown below.

In the figure, WLC is being configured for a new RADIUS server. Enter the IP address and the shared key (defined in the RADIUS server) that the controller will use to communicate with the server.

Default port number is 1812. The server status should be Enabled. To authenticate wireless clients, check the box next to Network User. Click apply button on the top right corner to apply the new settings.

 WPA2-Enterprise-WLC

Next we need to enable 802.1x authentication on the WLAN.

  1. Navigate to WLANs and select a new or existing WLAN to edit.
  2. Under Security > Layer2 tab, select WPA+WPA2 from drop-down menu.
  3. Check WPA2 Policy-AES
  4. Select 802.1x box under the Authentication Key Management.

WPA2-Enterprise-WLC2

Next we need to configure RADIUS server for the selected WLAN

  1. Select Security > AAA server.
  2. Select the RADIUS server from the drop-down menu for Authentication Services and Accounting Services.
  3. Click apply button to make your configuration changes operational.

WPA2-Enterprise-WLC3

Configuring WPA2 Personal on Autonomous Access Point:

I’m using Cisco Aironet 1252 for this tutorial. See the steps and screenshots below to see how to configure WPA2 Personal on a Cisco Autonomous AP.

  1. Connect access point to your PC with a console cable.
  2. Set IP address and subnet mask on interface BVI1.
  3. Configure IP address on your PC in the same subnet the access point is.
  4. Enter IP address of the access point in the browser to access the GUI of the access point.
  5. Enter username and password (Cisco, Cisco by default).
  6. Click on Security > Encryption Manager.
  7. Check Cipher and select AES CCMP from the drop down menu.
  8. Click Apply.
  9. Select Security > SSID manager from the left menu.
  10. Enter SSID name.
  11. Check Open Authentication box under the Client Authentication Settings.
  12. Scroll Down and choose Mandatory for Key management and check WPA box and select WPA2.
  13. Enter the desired WPA Pre-shared Key. (Either ASCII or Hexadecimal).
  14. Click Apply.
MORE READING:  Cisco Aironet Wireless for Challenging Environments

WPA2-Personal-AP1

WPA2-Personal-AP2

WPA2-Personal-AP3

Configuring WPA2 Enterprise on Autonomous Access Point:

I’m using Cisco Aironet 1252 for this tutorial. See the steps and screenshots below to see how to configure WPA2 Enterprise on a Cisco Autonomous AP.

If you don’t have an external Radius Server, you can configure an access point as local radius server.

  1. Access the GUI of the access point from your computer as you did in the last topic.
  2. Select Security > Server Manager from the left menu.
  3. Under Corporate Servers, enter the IP address of the AP to configure it as a local Radius Server or better to configure an external RADIUS such as Cisco ACS.
  4. Enter the Shared Secret.
  5. Use 1812 and 1813 for Authentication Port and Accounting Port and click Apply.
  6. In the Default Server Priorities, select EAP authentication Priority as the IP address of the server from the drop down menu and click Apply.
  7. Select Security > Encryption Manager in the left menu.
  8. From the Cipher drop down select AES CCMP. Click
  9. Select Security > SSID manager from the left menu.
  10. Create a new SSID to use WPA2 enterprise.
  11. In Client Authentication Settings, select Network EAP check box.
  12. Scroll Down. In Client Authenticated Key Management, choose Mandatory for Key Management and Enable WPA and select WPAv2 from the drop down menu. Click
  13. Select Security > Local Radius Server > General Set-up.
  14. Under Local Radius Server Authentication Settings Check Leap for Enable Authentication Protocol. Click Apply.
  15. Under Network Access Servers, Enter ip address of the local server and shared secret. Click Apply.
  16. Scroll Down, under Individual Users, Define user’s credentials to authenticate with the local server.

WPA2-Enterprise-AP

WPA2-Enterprise-AP2

WPA2-Enterprise-AP3

WPA2-Enterprise-AP4

WPA2-Enterprise-AP5

 

Related Posts

Filed Under: Cisco Wireless

Download Cisco Commands Cheat Sheets

Enter your Email below to Download our Free Cisco Commands Cheat Sheets for Routers, Switches and ASA Firewalls


By submitting this form, you agree that the information you provide will be transferred to Elastic Email for processing in accordance with their Terms of Use and Privacy Policy. Also, you allow me to send you informational and marketing emails from time-to-time.












Comments

  1. Matt says

    Hi. Good tutorial. Are you able to show the finished config from the AP CLI? I don’t use the GUI for configuring these devices.

    Matt.

  2. Harris Andrea says

    Hi Matt,

    Unfortunately I don’t have that CLI config right now. Its been a long time since I did that configuration, sorry about that.

    Harris

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

About Networks Training

We Provide Technical Tutorials and Configuration Examples about TCP/IP Networks with focus on Cisco Products and Technologies. This blog entails my own thoughts and ideas, which may not represent the thoughts of Cisco Systems Inc. This blog is NOT affiliated or endorsed by Cisco Systems Inc. All product names, logos and artwork are copyrights/trademarks of their respective owners.

Amazon Disclosure

We are a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for us to earn fees by linking to amazon.com, amazon.co.uk , amazon.de, amazon.it, amazon.es and affiliated sites.
Amazon and the Amazon logo are trademarks of Amazon.com, Inc. or its affiliates.

Suggested Cisco Training

CISCO CERTIFICATION TRAINING
CISCO CCNA 200-120 TRAINING
CCNA SECURITY 640-554 TRAINING
CCENT ICND1 TRAINING
CISCO ICND2 TRAINING
CISCO CCNP TRAINING