Deja vu - all over again.

Cisco & Cisco Hardware | Jl. on 07 Nov 2010 11:10 pm

Configure an Aironet 1200 (1231) for WPA-PSK

I have an Aironet 1231 that I want to configure as a standalone access point, without Enterprise authentication/RADIUS.  This should be simple, and it is, but only if the steps are done in a certain order.

I found it easier to set up a DHCP reservation on my server to make sure it gets the same IP address if/when I need to zero the config.  That way I can just hook it up to my network and not worry about having to change IPs, or console in and reset the network config.  Second thing is even though the most recent firmware says it became compatible with Firefox, it sucks.  IE was /way/ faster to work with, which is tragic.

- First, zero the config.  Cisco has factory reset instructions if you don’t have the password, otherwise you can telnet in, enable, then write erase.  The usual config wipe.

- Once it’s reset, log in through the web UI.  No username, password is Cisco.  The eth interface will be up, both radios will be down.

- Open the Express Security menu on the left.  This takes you to the quick config page for a new SSID.  Enter the name of your soon-to-be network, check Broadcast SSID in Beacon if you want it advertised.

Most simple home networks won’t need a VLAN, some corporate networks might.  For my purposes I leave it on No VLAN.  Here’s the key part: check “No Security”.  Yes, check “No Security”.  We’ll fix it later.  Hit Apply; this will create your network.  It still won’t be live because the radios aren’t activated, so no worries about someone “hacking” (ha) in through your unsecured network.

- Open the Security menu on the left, then go to the Encryption Manager.  Set the Cipher to TKIP, then apply (either to one radio or all.)

- Open the SSID Manager under the Security menu.  Your SSID should be listed, select it on the first window.  Pick the interfaces you want activated (I’m just using the b/g radio, not a).  For WPA-PSK mode, these are your settings:

- Client Authentication Settings:
  - Open Authentication: CHECKED, No Addition selected.
  - Shared Authentication/Network EAP: UNCHECKED.

- Server priorities:  Use defaults on all.

- Client Authenticated Key Management:
  - Key Management: MANDATORY
  - CCKM: UNCHECKED
  - WPA: CHECKED ((THIS IS CRITICAL))
  - WPA Pre-Shared Key: <Enter your Wifi passphrase here>.  Select ASCII.

Leave all other settings to default.  Click the first Apply button you reach (others won’t apply settings from the first few pages.)

This should have set the SSID to use WPA, and you’ve configured your passphrase.  Your network should be rigged and ready, now let’s light it up.  (Some of the options here, especially on the last page, are customizable as you need.  I list what I used, and it worked for me right away.)

- Open Network Interfaces from the menu on the left.  Pick the radio you’re activating (G or A, or repeat these steps on both.)

- Click the Settings tab at the top.  Give it a minute to load the options (it seems to take a while on mine), then select the Enable button.  The “Role in Radio Network” should be set to Access Point by default – if you’re doing something a bit more complicated as a repeater, bridge, etc, pick your options.

- Pick your data rates options (I left it on Default to maintain OFDM compliance and allow me to use 802.11b devices).  Under Default Radio Channel, I picked Least Congested Frequency and selected 1, 6, and 11 (they’re the most separated frequencies).

- I’m also using an external antenna, so I enabled that option and set the gain.

Everything else I left on default.  Hit Apply.

This should activate your radio with your newly configured SSID/wifi network set up for WPA-PSK.  This took me most of the day to get straightened out, hope it helps you.  Good luck.
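What the access point does with the key entered in the SSID Manager step, as an added example that is not part of the original post: an ASCII passphrase is stretched into the 256-bit WPA key with PBKDF2-HMAC-SHA1, using the SSID as salt, while the hexadecimal option supplies the 64-digit key directly. The function name `psk_to_pmk` and the sample SSIDs and passphrase are assumptions made for illustration, and handling the hex format goes beyond what the post covers.

```python
import hashlib
import re

def psk_to_pmk(value: str, fmt: str, ssid: str) -> bytes:
    """Return the 32-byte pairwise master key for a WPA-PSK setting.

    fmt is "ascii" (a passphrase) or "hex" (the raw key as 64 hex digits).
    """
    if fmt == "hex":
        if not re.fullmatch(r"[0-9A-Fa-f]{64}", value):
            raise ValueError("hex key must be exactly 64 hex digits")
        return bytes.fromhex(value)
    if fmt != "ascii":
        raise ValueError("fmt must be 'ascii' or 'hex'")
    if not 8 <= len(value) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(ch) <= 126 for ch in value):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    # PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 256-bit output.
    return hashlib.pbkdf2_hmac("sha1", value.encode("ascii"), salt, 4096, 32)

if __name__ == "__main__":
    # Constructed inputs: the passphrase and SSIDs are examples only.
    for ssid in ("ExampleNet", "ExampleNet2"):
        print(ssid, psk_to_pmk("correct horse battery", "ascii", ssid).hex())
```

Because the SSID is the salt, the same passphrase on a differently named network produces a different key. The passphrase itself is still the only secret, so its length and unpredictability decide how well a PSK network holds up.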

13 Responses to “Configure an Aironet 1200 (1231) for WPA-PSK”

  1. on 06 Jan 2011 at 10.50 am IT dude said …

    Thank you very much for this guide. It helped me set up the AP so that I did not need to use a RADIUS server.

  2. on 19 Jan 2011 at 10.10 pm Andrew said …

    It would be pretty helpful to those who are comfortable with the CLI to show the actual configuration once you’re done. If you have console/telnet/ssh access to the WAP, it’d be a snap to get it up and running by pasting the config rather than navigating webpages.

    Still, many thanks. I’m not sure why my manual/cli config wasn’t working, but it does work now.

  3. on 19 Jan 2011 at 10.19 pm Jl. said …

    Andrew -

    Good call. I’ll get that pulled up and posted as a followup. Glad it helped!

  4. on 19 Jan 2011 at 10.19 pm Jl. said …

    Glad to help! :) The Aironet is good hardware. I get WAY faster throughput than I did on my Linksys with DD-WRT. Cheers -

  5. on 18 Apr 2011 at 11.23 am tomjac said …

    What a lifesaver your instructions were! I had given up on getting WPA security and was just using WEP, but decided to do one more Google search and found this. Thank you!

  6. on 09 Feb 2012 at 11.46 am Medium Dave said …

    Thanks for taking the trouble, mate – saved me a lot of faffing around.

  7. on 22 Sep 2012 at 12.12 pm Miro Hetzel said …

    Thank you very much. This would have taken me hours to figure out from scratch — with your guide I was up and running in about 10 minutes (Aironet 1240ag). Talk about a productivity boost!

  8. on 16 Oct 2012 at 6.19 pm Phil M said …

    Thanks for the GUI setup!!! I included my CLI setup for anyone looking to config this method.

    Enjoy!!

    AP_2#show run
    Building configuration…

    Current configuration : 1414 bytes
    !
    version 12.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname AP_1
    !
    enable secret 5 $1$2/L0$Ys9DWnHDEk6TYp/echh/b1
    !
    ip subnet-zero
    !
    !
    no aaa new-model
    !
    dot11 ssid Silly_Kitty
    authentication open
    authentication key-management wpa
    guest-mode
    wpa-psk ascii 7 151B050A24277B313B
    information-element ssidl wps
    !
    !
    !
    username Megatron privilege 15 password 7 0215545D0A0D5E2F4B
    !
    bridge irb
    !
    !
    interface Dot11Radio0
    no ip address
    no ip route-cache
    !
    encryption mode ciphers tkip
    !
    ssid Silly_Kitty
    !
    speed basic-24.0 basic-36.0 basic-48.0 basic-54.0
    channel 2412
    station-role root
    antenna gain 128
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    !
    interface FastEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    !
    interface BVI1
    description UPLINK
    ip address 192.168.1.1 255.255.255.0
    no ip route-cache
    !
    ip default-gateway 192.168.1.254
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    !
    !
    control-plane
    !
    bridge 1 route ip
    !
    !
    !
    line con 0
    line vty 0 4
    login local
    !
    end
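An added example, not from the post or any commenter: a small Python check for a running-config like the one above that flags settings a reviewer would question (TKIP-only cipher, type 7 encoded secrets, HTTP-only web management, vty lines not limited to SSH) and redacts encoded secrets before a config is shared. The rule names, the functions `audit` and `redact`, and the sample config are constructed for illustration; the secrets in it are placeholders.

```python
import re

# Constructed sample modeled on the running-configs in the comments;
# the SSID and the encoded strings are made-up placeholders.
SAMPLE_CONFIG = """\
enable secret 5 $1$XXXX$XXXXXXXXXXXXXXXXXXXXXX
dot11 ssid ExampleNet
wpa-psk ascii 7 XXXXXXXXXXXX
username admin privilege 15 password 7 XXXXXXXXXXXX
encryption mode ciphers tkip
ip http server
no ip http secure-server
line vty 0 4
login local
end
"""

LINE_RULES = [  # (rule id, pattern matched against one stripped line)
    ("tkip-only-cipher", r"encryption (vlan \d+ )?mode ciphers tkip$"),
    ("type7-wpa-psk", r"wpa-psk (ascii|hex) 7 \S+"),
    ("type7-login-password", r"username \S+ .*\bpassword 7 \S+"),
]
SECRET = re.compile(r"\b((?:password|secret|ascii|hex) [57]) \S+")

def redact(config):
    """Blank out encoded secrets before a config is shared."""
    return SECRET.sub(r"\1 <redacted>", config)

def audit(config):
    """Return the sorted rule ids an autonomous-AP running-config triggers."""
    lines = [ln.strip() for ln in config.splitlines()]
    hits = {rid for rid, pat in LINE_RULES for ln in lines if re.match(pat, ln)}
    # Web management reachable over plain HTTP only.
    if "ip http server" in lines and "ip http secure-server" not in lines:
        hits.add("http-mgmt-without-https")
    # Sub-commands of a vty block run until the next 'line', '!' or 'end'.
    for i, ln in enumerate(lines):
        if ln.startswith("line vty"):
            block = []
            for sub in lines[i + 1:]:
                if sub.startswith("line ") or sub in ("!", "end"):
                    break
                block.append(sub)
            if "transport input ssh" not in block:
                hits.add("vty-not-ssh-only")
    return sorted(hits)

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG), redact(SAMPLE_CONFIG), sep="\n")
```

Type 7 strings are an obfuscation, not a hash, so a WPA key or login password pasted in that form should be treated as disclosed and changed.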

  9. on 16 Oct 2012 at 6.47 pm Jl. said …

    Awesome! Thanks Phil!

  10. on 17 Nov 2012 at 3.18 pm Col said …

    Really appreciate this. Been trying all day to get this sorted.

  11. on 15 Feb 2013 at 4.12 pm DT said …

    Hi, I tried but failed.

    Can someone help correct my config? Mine is a Cisco Aironet 1140.

    !
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname DT-AP
    !
    enable secret 5 $1$lJsc$hsNJjZKy9et1UT/btSvyQ/
    !
    no aaa new-model
    !
    !
    dot11 syslog
    !
    dot11 ssid NST
    authentication open
    authentication key-management wpa
    guest-mode
    infrastructure-ssid optional
    wpa-psk ascii 7 12405340435B5C547C
    information-element ssidl wps
    !
    !
    crypto pki trustpoint TP-self-signed-165833829
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-165833829
    revocation-check none
    rsakeypair TP-self-signed-165833829
    !
    !
    crypto pki certificate chain TP-self-signed-165833829
    certificate self-signed 01
    quit
    username Cisco password 7 062506324F41
    username admin password 7 121A0C041104
    !
    !
    bridge irb
    !
    !
    interface Dot11Radio0
    no ip address
    no ip route-cache
    !
    encryption vlan 40 mode ciphers tkip
    !
    encryption vlan 30 mode ciphers aes-ccm
    !
    encryption mode ciphers tkip
    !
    ssid NST
    !
    antenna gain 128
    mbssid
    speed basic-24.0 basic-36.0 basic-48.0 basic-54.0
    channel 2412
    station-role root
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    !
    interface GigabitEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    no keepalive
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    !
    interface BVI1
    description UPLINK
    ip address 192.168.13.254 255.255.255.0
    no ip route-cache
    !
    ip default-gateway 192.168.13.1
    ip http server
    no ip http secure-server
    ip http help-path http://www.ciso.com/warp/public/779/smbiz
    bridge 1 route ip
    !
    !
    !
    line con 0
    line vty 0 4
    login local
    !
    end

  12. on 12 Jul 2013 at 8.29 am TomTomNavigator said …

    Thank you so much! It is still a great device :-)

  13. on 14 Feb 2014 at 8.21 pm Abel said …

    Thanks!

    It’s 4 AM and your tutorial saved my night!
