
Cisco Aironet SAP1602E - Changing from Open to WPA-PSK via Remote Access (RAP and MAP)

spoofneted
Level 1

I currently have a point-to-point Cisco Aironet SAP1602E Wireless Bridge deployment (using RAP and MAP, Wireless Root Bridge and Non-Root Bridge) to extend a Layer 2 VLAN from one Building to another. Currently, this operates using Open Authentication, and with no Encryption - and is remotely administered via the Root Wireless Bridge, to get to (manage) the Non-Root Bridge - the remote Wireless RAP.

Upon trying to remotely configure WPA2-PSK via either the GUI or CLI - configuring the PSK first - I receive an error similar to the below stating that:

Error: Key-management WPA is requried for WPA-PSK

Reading around, it seems this is an order-of-configuration issue, and that I need to specify the mode as being WPA2-PSK first, before then being able to specify the applicable PSK to use. However, as soon as this mode is specified on the RAP, my remote management is severed - as presumably the RAP is trying to use WPA2-PSK to look for a PSK that has not yet been configured.

Am I missing something obvious here, or is the order of CLI operations (1] Convert to WPA-PSK; 2] Apply PSK shared secret) such that a migration from Open to WPA2-PSK cannot be configured remotely (short of preparing a startup-config; TFTPing this over; and issuing a remote "reload" command)?

Can someone please enlighten me as to what the logic is here - surely I should be able to specify a PSK first (regardless of whether I actually use WPA, WPA2 or whatever), and then be able to specify that I want the Encryption Layer (WPA) to make use of this pre-configured PSK?

If this were a Router, you wouldn't prevent me adding something to the OSPF Authentication Keychain; prior to specifying its use - so why is the Aironet Wireless IOS different?

Accepted Solutions

Freerk Terpstra
Level 7

You are right, and because you have to enter multiple lines of configuration to switch to WPA2-PSK with AES it does not really matter; the AP would reset the radio anyway because you make a change related to the radio interface. It would be very helpful if Cisco made the router/switch IOS "macro" feature available on APs as well for changes like this; sadly, this is not the case.

Start with the non-root AP and make sure that the lines below are being added to your configuration. If you add it by console the order needs to be like this; doing it by uploading a new start-up config with TFTP, it should not matter.


interface Dot11Radio0
  encryption mode ciphers aes-ccm

dot11 ssid TEST
   authentication key-management wpa
   wpa-psk ascii 0 <key>

Please rate useful posts... :-)
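A pre-flight check for start-up configs staged for TFTP upload, as an added example that is not part of the original posts and is not Cisco tooling: it confirms that each end carries the three lines from the answer above and that both ends hold the same cleartext PSK before anything is reloaded. The function names, the `ssid TEST` binding line under the radio interface and the placeholder key are assumptions.

```python
# Constructed sample config (not from the thread); the PSK is a placeholder.
GOOD = """\
dot11 ssid TEST
   authentication key-management wpa
   wpa-psk ascii 0 PLACEHOLDER-PSK
!
interface Dot11Radio0
 encryption mode ciphers aes-ccm
 ssid TEST
"""

def sections(cfg):
    """Map each top-level command to its indented sub-commands."""
    out, cur = {}, None
    for line in cfg.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if not line[0].isspace():
            cur = line.strip()
            out.setdefault(cur, [])
        elif cur is not None:
            out[cur].append(line.strip())
    return out

def check(cfg, ssid):
    """Return reasons this config would not come up as WPA-PSK with AES on `ssid`."""
    sec = sections(cfg)
    body = sec.get(f"dot11 ssid {ssid}", [])
    problems = []
    if not any(l.startswith("authentication key-management wpa") for l in body):
        problems.append("missing 'authentication key-management wpa'")
    if not any(l.startswith("wpa-psk ") for l in body):
        problems.append("missing 'wpa-psk'")
    radios = [k for k in sec if k.startswith("interface Dot11Radio") and f"ssid {ssid}" in sec[k]]
    if not radios:
        problems.append("ssid not bound to a radio interface")
    for r in radios:
        if "encryption mode ciphers aes-ccm" not in sec[r]:
            problems.append(f"{r}: missing 'encryption mode ciphers aes-ccm'")
    return problems

def preflight(root_cfg, non_root_cfg, ssid):
    """Check both ends; if both pass, require identical cleartext ('ascii 0') PSK lines."""
    out = [f"{side}: {p}" for side, cfg in (("root", root_cfg), ("non-root", non_root_cfg))
           for p in check(cfg, ssid)]
    psk = lambda c: [l for l in sections(c)[f"dot11 ssid {ssid}"] if l.startswith("wpa-psk ascii 0 ")]
    if not out and psk(root_cfg) != psk(non_root_cfg):
        out.append("PSK differs between root and non-root")
    return out
```

An empty list from `preflight` means both files are internally consistent and agree on the key; it does not prove the bridge link will re-form after the reload.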

2 Replies

Thanks - so it is as I thought; I'll have to take the "TFTP new startup-config; reload & hope" approach.

I still don't understand the logic here - surely I should be able to set the PSK non-intrusively then apply it?
