Cisco AP – WPA2 configuration

This post describes the Cisco Aironet AP configuration with WPA2 security option.

Quick Notes

  1. WPA2 – Wi-Fi Protected Access version 2
  2. WPA = TKIP (encryption) + MIC (integrity)
  3. WPA2 = AES (encryption) + CCMP (encryption + integrity + authentication)
  4. However – nowadays you can configure WPA with AES+CCMP. It means that AP with WPA AES+CCMP allows the connection with WPA2 station. You can also configure WPA2 with TKIP.
  5. AES is more secure than TKIP (AES is recommended)
  6. WPA2 PSK (Pre-shared key) – AP and client share the common key. It is used in home offices. In enterprise you use radius server instead PSK.


This is example of WPA2 PSK configuration (with both AES and TKIP enabled).

ap(config)# dot11 ssid wpa2_ssid
ap(config-ssid)# guest-mode
ap(config-ssid)# authentication open
ap(config-ssid)# authentication key-management wpa version 2
ap(config-ssid)# wpa-psk ascii 0 MyWpaPassword // PSK (Pre-Shared Key)
ap(config-ssid)# exit
ap(config)# interface dot11Radio 0
ap(config-if)# ssid wpa2_ssid
ap(config-if)# encryption mode ciphers aes-ccm tkip // enable both aes and tkip
ap(config-if)# no shutdown

Useful links

  1. WLAN security options

Leave a Reply

Your email address will not be published. Required fields are marked *