AIR-AP1252AG-A-K9 and WPA2 and AES?

William Pearson · ‎04-30-2015

I recently purchased this AP used for home use. I wanted an AP with A/B/G/N. When I look at the Cisco Sales Page, http://www.cisco.com/c/en/us/products/collateral/wireless/aironet-1250-series/product_data_sheet0900aecd806b7c5c.html

It clearly states this access point supports WPA2 and AES. Yet when I try to configure this in the GUI or in CLI, I don't see these options. All I get is WEP, and WPA1 if I use a radius server. What am I missing here? The documentation page reflects what I am seeing.

http://www.cisco.com/c/en/us/td/docs/wireless/access_point/12-4-25d-JA/Configuration/guide/cg_12_4_25d_JA.html

No examples on configured WPA2 or AES.

I am using Version 15.2(2)JA1 IOS.

Rasika Nayanajith · ‎04-30-2015

Hi,

It should be supported. Here is what you want. Modify <SSID_NAME> & <PASSWORD> as you like & then plug this to your home DSL router/modem.

conf t
hostname <AP_HOSTNAME>
!
dot11 ssid <SSID_NAME>
   authentication open
   authentication key-management wpa version 2
   guest-mode
   wpa-psk ascii <SSID_PASSWORD>
!
interface Dot11Radio0
 encryption mode ciphers aes-ccm
 ssid <SSID_NAME>
 no shutdown
!
interface Dot11Radio1
 channel width 40-above
 encryption mode ciphers aes-ccm
 ssid <SSID_NAME>
 no shutdown
!
interface BVI1
 ip address dhcp
!
end
write memory
!

HTH

Rasika

**** Pls rate all useful responses ****

William Pearson · ‎05-01-2015

Thank you, that worked perfectly. But now I am seeing different issues, hopefully you or someone else can help. Both my Radios are 802.11N, the 2.4GHZ and the 5GHZ. And neither one has configurable speeds above 54mpbs. I know N speeds should be much higher than this. I read on another forum to perform these steps to fix the issue.

1. For encryption only completely open or wpa2/aes will work.
2. On the WLAN, WMM needs to be allowed.
3. antennas are recommended.
4. MCS rates upto 15 should be enabled.
5. Channel bonding can be enabled ( not recommended on the 2.4 GHz channel)

I am now performing step 1. In the GUI, I found WMM and enabled it. I have all 6 antennas on the AP. MCS rates are at 15. I am not sure about step 5.

int d1

speed ?

12.0        Allow 12.0 Mb/s rate
18.0        Allow 18.0 Mb/s rate
24.0        Allow 24.0 Mb/s rate
36.0        Allow 36.0 Mb/s rate
48.0        Allow 48.0 Mb/s rate
54.0        Allow 54.0 Mb/s rate
6.0         Allow 6.0 Mb/s rate
9.0         Allow 9.0 Mb/s rate
basic-12.0 Require 12.0 Mb/s rate
basic-18.0 Require 18.0 Mb/s rate
basic-24.0 Require 24.0 Mb/s rate
basic-36.0 Require 36.0 Mb/s rate
basic-48.0 Require 48.0 Mb/s rate
basic-54.0 Require 54.0 Mb/s rate
basic-6.0   Require 6.0 Mb/s rate
basic-9.0   Require 9.0 Mb/s rate
default     Set default rates
m0-7        Allow MCS rate indices 0-7
m0.         Allow MCS rate index 0
m1.         Allow MCS rate index 1
m10.        Allow MCS rate index 10
m11.        Allow MCS rate index 11
m12.        Allow MCS rate index 12
m13.        Allow MCS rate index 13
m14.        Allow MCS rate index 14
m15.        Allow MCS rate index 15
m2.         Allow MCS rate index 2
m3.         Allow MCS rate index 3
m4.         Allow MCS rate index 4
m5.         Allow MCS rate index 5
m6.         Allow MCS rate index 6
m7.         Allow MCS rate index 7
m8-15       Allow MCS rate indices 8-15
m8.         Allow MCS rate index 8
m9.         Allow MCS rate index 9
range       Set rates for best range
throughput Set rates for best throughput
<cr>

Here is my current config.

version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname HomeAP
!
logging rate-limit console 9
enable secret 5
!
no aaa new-model
!
!
dot11 syslog
!
dot11 ssid whzap
   authentication open
   authentication key-management wpa version 2
   guest-mode
   wpa-psk ascii 7
!
crypto pki token default removal timeout 0
!
!
username Cisco password 7 112A1016141D
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm
!
ssid whzap
!
antenna gain 0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm
!
ssid whzap
!
antenna gain 0
dfs band 3 block
channel width 40-above
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface BVI1
ip address dhcp client-id GigabitEthernet0
no ip route-cache
!
ip http server
ip http authentication local
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
login local
transport input all
!
end

How do I get the throughput of 802.11N on the 5GHZ channel or the 2.4GHZ channel?

1. For encryption only completely open or wpa2/aes will work.
2. On the WLAN, WMM needs to be allowed.
3. antennas are recommended.
4. MCS rates upto 15 should be enabled.
5. Channel bonding can be enabled ( not recommended on the 2.4 GHz channel) - See more at: https://supportforums.cisco.com/discussion/10932026/cisco-ap-1252ag-cannot-setup-more-54mbs-speed-radio-0-24g#sthash.ESpneBsu.dpuf

Rasika Nayanajith · ‎05-01-2015

Both my Radios are 802.11N, the 2.4GHZ and the 5GHZ.  And neither one has configurable speeds above 54mpbs.  I know N speeds should be much higher than this.  I read on another forum to perform these steps to fix the issue.

You do not require any additional configs, all 5 points you mentioned is included in that config.

Connect your 802.11n client & do the "show dot11 association <client_mac_add>" you would see the connectivity details.

Post that output if you are not sure

HTH

Rasika

*** Pls rate all useful responses ***

William Pearson · ‎05-01-2015

I do that command and see my client connected. Then I perform a speed test and get 1-2MB/s download speeds. I can then go connect to my best buy linksys AP 802.11N and do the same bandwidth test and get close to 20MB/s.

Should the Cisco AP not have a configuration option for speeds higher than 54Mpbs?

William Pearson · ‎05-02-2015

This is from the 1252 Data Sheet. So it seems to me, if my 5GHz Radio is at 40-MHz and using 15 MCS, I should have wireless rates up to 300Mbps. Yet I still have only the option for 54Mbps. And the throughput test is way less than 54. Anyone have any ideas how I can get my 802.11N configured for at least half the speeds it is supposedly capable of?

Data Rates Supported	802.11a: 6, 9, 12, 18, 24, 36, 48, and 54 Mbps
	802.11g: 1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, and 54 Mbps
	802.11n data rates (2.4 GHz and 5 GHz):
	MCS Index¹	GI² = 800ns		GI = 400ns
		20-MHz Rate (Mbps)	40-MHz Rate (Mbps)	20-MHz Rate (Mbps)	40-MHz Rate (Mbps)
	0	6.5	13.5	7.2	15
	1	13	27	14.4	30
	2	19.5	40.5	21.7	45
	3	26	54	28.9	60
	4	39	81	43.3	90
	5	52	108	57.8	120
	6	58.5	121.5	65	135
	7	65	135	72.2	150
	8	13	27	14.4	30
	9	26	54	28.9	60
	10	39	81	43.3	90
	11	52	108	57.8	120
	12	78	162	86.7	180
	13	104	216	115.6	240
	14	117	243	130	270
	15	130	270	144.4	300

Rasika Nayanajith · ‎05-02-2015

By default these MCS data rate is configured (you do not want to manually configure). So as long as your clients is connect with 5GHz & 40Mz & capable of two Spatial Stream connection then you should get 300Mbps data rate.

Pls attach "show run" & "show dot11 <client_mac_address>" output to see what's happening.

HTH

Rasika

William Pearson · ‎05-03-2015

HomeAP#sh run
Building configuration...

Current configuration : 1885 bytes
!
! Last configuration change at 16:21:42 UTC Mon Mar 1 1993
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname HomeAP
!
logging rate-limit console 9
enable secret 5 $1$eSJK$t/MaUCeLSQddN05nElJvB0
!
no aaa new-model
!
!
dot11 syslog
!
dot11 ssid whzap
   authentication open
   authentication key-management wpa version 2
   guest-mode
   wpa-psk ascii 7
!
crypto pki token default removal timeout 0
!
!
username Cisco password 7 112A1016141D
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm
!
ssid whzap
!
antenna gain 0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm
!
ssid whzap
!
antenna gain 0
dfs band 3 block
channel width 40-above
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface BVI1
ip address dhcp client-id GigabitEthernet0
no ip route-cache
!
ip http server
ip http authentication local
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
login local
transport input all
!
end

HomeAP#

HomeAP#sh dot11 assoc b418.d172.453a
Address           : b418.d172.453a     Name             : NONE
IP Address        : 192.168.1.122
Gateway Address   : 0.0.0.0
Netmask Address   : 0.0.0.0            Interface        : Dot11Radio 1
Device            : unknown            Software Version : NONE
CCX Version       : NONE               Client MFP       : Off

State             : Assoc              Parent           : self
SSID              : whzap
VLAN              : 0
Hops to Infra     : 1                  Association Id   : 1
Clients Associated: 0                  Repeaters associated: 0
Tunnel Address    : 0.0.0.0
Key Mgmt type     : WPAv2 PSK          Encryption       : AES-CCMP
Current Rate      : m7-4               Capability       : WMM 11h
Supported Rates   : 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0-2 m1-2 m2-2 m3-2 m4-2 m5-2 m6-2 m7-2
Voice Rates       : disabled           Bandwidth        : 40 MHz
Signal Strength   : -52 dBm           Connected for    : 304 seconds
Signal to Noise   : 44 dB            Activity Timeout : 40 seconds
Power-save        : On                 Last Activity    : 20 seconds ago
Apsd DE AC(s)     : NONE

Packets Input     : 883                Packets Output   : 697
Bytes Input       : 114084             Bytes Output     : 263401
Duplicates Rcvd   : 0                  Data Retries     : 77
Decrypt Failed    : 0                  RTS Retries      : 0
MIC Failed        : 0                  MIC Missing      : 0
Packets Redirected: 0                  Redirect Filtered: 0
Session timeout   : 0 seconds
Reauthenticate in : never

Rasika Nayanajith · ‎05-03-2015

Current Rate      : m7-4               Capability       : WMM 11h
Supported Rates   : 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0-2 m1-2 m2-2 m3-2 m4-2 m5-2 m6-2 m7-2
Voice Rates       : disabled           Bandwidth        : 40 MHz

As per this you client connected at 135Mbps (MCS7, 40MHz). See below for reference as well.