
Best way to secure dot11Radio between 2 1300 bridges

jilahbg
Level 1

Hi

I want to secure the communications between 2 BR1310s acting as point-to-point bridges. That is, I want to make it as close to impossible as I can for anyone except each other to talk/listen/whatever to the radio traffic in between.

I have done this:

ssid <long random characters ssid>
   authentication open
   authentication key-management wpa
   wpa-psk hex 0 <64 digits hex key>

dot11 association mac-list 700
access-list 700 permit <peer bridge mac address> 0000.0000.0000
access-list 700 deny 0000.0000.0000 ffff.ffff.ffff

Is there anything else I can do to make this radio connection as protected as possible?

3 Replies

kka
Level 5

In the SSID configuration limit the number of allowed associations:

dot11 ssid <ssid>
   max-associations 1

You didn't show the cipher configuration for the radio IF, but use AES as the only cipher, disabling all fallback methods:

interface Dot11Radio0
 encryption mode ciphers aes-ccm

or if VLANs are enabled:

interface Dot11Radio0
 encryption vlan <vlan-id> mode ciphers aes-ccm

Use a random string as PSK.

Now I have added the max-associations command. Great!

I don't have any cipher configuration on the radio IF. Does that mean that my radio traffic is unencrypted, even though I have WPA configured like this:

dot11 ssid
   max-associations 1
   authentication open
   wpa-psk hex 7

Regards Jimmy

If the bridges are associated, you can see the actual encryption with the following command:

bridge> sh dot11 associations all

...

Key Mgmt type : WPAv2 PS Encryption : AES-CCMP

...

Not sure if there is a default if "encryption mode" isn't visible in the config.

Your first post looks like you are using the pre-12.3(4) syntax, where the SSID configuration is part of the IF configuration:

interface Dot11Radio0
 encryption mode ciphers aes-ccm
 ssid XYZ
    authentication open
    authentication key-management wpa
    wpa-psk ...

As of 12.3(4) it's possible to configure the SSID globally and "apply" it to the radio interface:

dot11 ssid XYZ
   authentication open
   authentication key-management wpa
   wpa-psk

interface Dot11Radio0
 encryption mode ciphers aes-ccm
 ssid XYZ

I prefer the global SSID configuration.
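
As an added example (not part of the thread and not Cisco tooling), the following Python sketch audits a saved bridge configuration for the points raised above: an explicit AES-only cipher line on the radio interface, WPA key management, a PSK, `max-associations 1`, and a MAC association list. It accepts both the interface-level and the global SSID syntax; the sample configuration, its MAC address and the function names are constructed for illustration.

```python
import re

# Constructed sample: global-SSID syntax with no cipher line on the radio (placeholder MAC/key).
SAMPLE = """\
dot11 ssid XYZ
   authentication open
   authentication key-management wpa
   max-associations 1
   wpa-psk hex 7 <key>
dot11 association mac-list 700
access-list 700 permit 0011.2233.4455 0000.0000.0000
interface Dot11Radio0
 ssid XYZ
"""

SSID_RULES = (r"authentication key-management wpa\b.*", r"max-associations 1", r"wpa-psk .+")

def sections(cfg):
    """Group a config into {top-level line: [stripped indented child lines]}."""
    out, cur = {}, None
    for line in (l for l in cfg.splitlines() if l.strip() not in ("", "!")):
        if line[0].isspace() and cur is not None:
            out[cur].append(line.strip())
        else:
            cur = line.strip()
            out[cur] = []
    return out

def audit(cfg):
    """Return a list of findings for the hardening points raised in the thread."""
    sec, findings = sections(cfg), []
    acl = next((s.split()[-1] for s in sec if s.startswith("dot11 association mac-list ")), None)
    if acl is None or not any(s.startswith(f"access-list {acl} ") for s in sec):
        findings.append("no MAC association list backed by an access-list")
    radios = {n: b for n, b in sec.items() if n.lower().startswith("interface dot11radio")}
    for name, body in radios.items():
        ciphers = [b.split("ciphers ", 1)[1].split() for b in body
                   if re.fullmatch(r"encryption (vlan \d+ )?mode ciphers .+", b)]
        if not ciphers:
            findings.append(f"{name}: no explicit 'encryption mode ciphers' line")
        elif any(c != ["aes-ccm"] for c in ciphers):
            findings.append(f"{name}: cipher list is not aes-ccm only")
        for ssid in (b.split(None, 1)[1] for b in body if b.startswith("ssid ")):
            # Global syntax keeps the settings under 'dot11 ssid X'; legacy keeps them in the interface.
            settings = sec.get(f"dot11 ssid {ssid}", body)
            for rule in SSID_RULES:
                if not any(re.fullmatch(rule, s) for s in settings):
                    findings.append(f"ssid {ssid}: no line matching '{rule}'")
    return findings
```

A missing cipher line is reported as a finding about the configuration only; the negotiated cipher still has to be confirmed from the association output shown earlier in the thread.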
