01-09-2006 05:55 AM - edited 07-04-2021 11:29 AM
Hi
I want to secure the communications between 2 BR1310s acting as point-to-point bridges. That is, I want to make it as close to impossible as possible for anyone except each other to talk/listen/whatever on the radio traffic in between.
I have done this:
ssid <long random characters ssid>
authentication open
authentication key-management wpa
wpa-psk hex 0 <64 digits hex key>
dot11 association mac-list 700
access-list 700 permit <peer bridge mac address> 0000.0000.0000
access-list 700 deny 0000.0000.0000 ffff.ffff.ffff
Is there anything else I can do to make this radio connection as protected as possible?
01-09-2006 01:56 PM
In the SSID configuration limit the number of allowed associations:
dot11 ssid
max-associations 1
You didn't show the cipher configuration for the radio IF,
but use AES as cipher only, disabling all fallback methods:
interface Dot11Radio0
encryption mode ciphers aes-ccm
or if VLANs are enabled:
interface Dot11Radio0
encryption vlan
Use a random string as PSK.
01-11-2006 12:04 AM
Now I have added the max-associations command. Great!
I don't have any cipher configuration on the radio IF. Does that mean that my radio traffic is unencrypted, even though I have WPA configured like this:
dot11 ssid
max-associations 1
authentication open
wpa-psk hex 7
Regards Jimmy
01-11-2006 02:06 AM
If the bridges are associated you can see the actual
encryption with the following command:
brige> sh dot11 associations all
...
Key Mgmt type : WPAv2 PS Encryption : AES-CCMP
...
Not sure if there is a default if "encryption mode" isn't
visible in the config.
Your first post looks like you are using the pre-12.3(4) syntax,
where the SSID configuration is part of the IF configuration:
interface Dot11Radio0
encryption mode ciphers aes-ccm
ssid XYZ
authentication open
authentication key-management wpa
wpa-psk ...
As of 12.3(4) it's possible to configure the SSID globally
and "apply" it to the radio interface:
dot11 ssid XYZ
authentication open
authentication key-management wpa
wpa-psk
interface Dot11Radio0
encryption mode ciphers aes-ccm
ssid XYZ
I prefer the global SSID configuration.
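
An added example, not part of any post in this thread: a small offline check that reads a saved bridge configuration and reports which of the hardening items discussed above (AES-CCM-only cipher, WPA key management with a PSK, max-associations 1, MAC association list) are missing. The sample configs, SSID, MAC address and key placeholder are constructed, and it assumes the non-VLAN form of the cipher command.

```python
import re

# Constructed sample configs (not from the thread); SSID, MAC and key are placeholders.
WEAK = """
dot11 ssid EXAMPLE-SSID
 authentication open
 authentication key-management wpa
 wpa-psk hex 0 <64-hex-digit-key>
interface Dot11Radio0
 ssid EXAMPLE-SSID
"""
HARDENED = """
dot11 ssid EXAMPLE-SSID
 max-associations 1
 authentication open
 authentication key-management wpa
 wpa-psk hex 0 <64-hex-digit-key>
dot11 association mac-list 700
interface Dot11Radio0
 encryption mode ciphers aes-ccm
 ssid EXAMPLE-SSID
access-list 700 permit 0000.5e00.5301 0000.0000.0000
access-list 700 deny 0000.0000.0000 ffff.ffff.ffff
"""

def audit(config):
    """Return findings; indentation is ignored so global and per-interface SSID syntax both match."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    ciphers = [ln.split()[3:] for ln in lines if ln.startswith("encryption mode ciphers")]
    if not ciphers:
        findings.append("no 'encryption mode ciphers' line, cipher is not pinned")
    elif any(c != ["aes-ccm"] for c in ciphers):
        findings.append("cipher list is not aes-ccm only")
    for cmd in ("authentication key-management wpa", "wpa-psk "):
        if not any(ln.startswith(cmd) for ln in lines):
            findings.append(f"missing '{cmd.strip()}'")
    if "max-associations 1" not in lines:
        findings.append("max-associations is not limited to 1")
    refs = re.findall(r"^dot11 association mac-list (\d+)$", "\n".join(lines), re.M)
    if not refs:
        findings.append("no MAC association filter (mac-list)")
    for n in refs:
        if not any(ln.startswith(f"access-list {n} permit ") for ln in lines):
            findings.append(f"mac-list references access-list {n}, which permits nothing")
    return findings

if __name__ == "__main__":
    print("weak:", audit(WEAK), "hardened:", audit(HARDENED))
```

A clean result only means the lines are present in the saved config; the negotiated cipher on a live link is still confirmed with the associations command shown earlier in the thread.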