Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Best way to secure dot11Radio between 2 1300 bridges

Hi

I want to secure the communications between 2 Br1310 acting as point2point bridges. That is, I want to make it as close as impossible for anyone except eachother to talk/listen/whatever the radiotraffic inbetween.

I have done this:

ssid <long random characters ssid>

authentication open

authentication key-management wpa

wpa-psk hex 0 <64 digits hex key>

dot11 association mac-list 700

access-list 700 permit <peer bridge mac address> 0000.0000.0000

access-list 700 deny 0000.0000.0000 ffff.ffff.ffff

Is there anything else I can do to make this radio connection as protected as possible?

3 REPLIES
kka
New Member

Re: Best way to secure dot11Radio between 2 1300 bridges

In the SSID configuration limit the number of allowed associations:

dot11 ssid

max-associations 1

You didn't show the cipher configuration for the radio IF,

but use AES as cipher only, disabling all fallback methods:

interface Dot11Radio0

encryption mode ciphers aes-ccm

or if VLANs are enabled:

interface Dot11Radio0

encryption vlan mode ciphers aes-ccm

Use a random string as PSK.

New Member

Re: Best way to secure dot11Radio between 2 1300 bridges

Now I have added the max-associations command. Great!

I dont have any cipher-configuration on the radio IF. Does that mean that my radio traffic is unencrypted, even thou I have PWA configured like this:

dot11 ssid

max-associations 1

authentication open

wpa-psk hex 7

Regards Jimmy

kka
New Member

Re: Best way to secure dot11Radio between 2 1300 bridges

IF the bridges are associated you can see the actual

encryption with the following command:

brige> sh dot11 associations all

...

Key Mgmt type : WPAv2 PS Encryption : AES-CCMP

...

Not sure if there is a default if "encryption mode" isn't

visible in the config.

Your first post looks like you are using the pre 12.3(4) syntax,

where the SSID configuration is part of the IF configuration:

interface Dot11Radio0

encryption mode ciphers aes-ccm

ssid XYZ

authentication open

authentication key-management wpa

wpa-psk ...

As of 12.3(4) it's possible to configure the SSID global

and "apply" it to the radio interface:

dot11 ssid XYZ

authentication open

authentication key-management wpa

wpa-psk

interface Dot11Radio0

encryption mode ciphers aes-ccm

ssid XYZ

I prefer the global SSID configuration.

338
Views
0
Helpful
3
Replies
CreatePlease to create content