Re: Is WPA2 available on an AP-1200

guydestefano · ‎08-27-2005

Currently I have set my AP 1200 to use WEP. Have been reading far too many discussions that state this is not secure. What is the best/highest security that I can change the AP 1200 to. Thanks in advance.

travis-dennis_2 · ‎08-27-2005

My vote is for EAP-TLS. Take a look at the follwoing link. It should give you a good starting point.

http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a008009c8b3.shtml

Hope this helps.

Please remember to arate all replies

scottmac · ‎08-27-2005

The 1200 *can* be WPA2 compliant, but it requires hardware levels (he radio modules) to be at a certain level (air 21, I think).

If the hardware is at the right level, next the IOS has to be at least 12.3(2), with 12.3(4) or 12.3(7) *highly* recommended.

With the hardware and firmware levels up-to-date, the AP can do WPA2 (otherwise, it'll do WPA - TKIP versus AES encryption).

I have been unable to get WPA2 to come up with anything other than the Cisco nic. I've tried Linksys, 3com (175), and D-Link.... all with the latest driver/applications.

With either WPA or WPA2, you can use WPA-PSK, PEAP, EAP-TLS, etc. Which you choose will depend on the resources available; PEAP, EAP-TLS, and EAP-TTLS require certificates (and Certificate Servers), the others require a RADIUS server (can ue the local RADIUS in the AP, if you have 50 or less users or NASs) except WPA-PSK, which is a pre-shared key, like WEP, but more secure.

You can check your hardware levels in the Web GUI by clicking the "Interfaces", then the specific interface. The Hardware level is at the top of the form.

Gather your information ar post it up, then we can discuss specific options.

Good Luck

Scott

guydestefano · ‎08-27-2005

ScottMac, Thanks for the prompt reply. I'll be brief,

a while back, I had a Cisco AP-1200, and a HP laptop with a Cisco AIR CB21AG-A-K9 PCMCIA card. Knowing nothing, I set it up as a simple WEP, and it worked great. Recently, laptop gave out, bought a new one ( IBM ) that comes with an internal wireless adapter. I set up the wireless, and used the same setup sheet as I had on the old laptop ( using WEP ). Surprisingly it immediately came up, and works great with excellent speed and connection, throughout the whole townhouse. Finding one of the display menus, it shows that there area number of other wireless users that I can see, so I am sure they can see me. I am in an area of many townhouses, so I want to change the AP for security. I am a novice, so please is there a method ( ex: WPA-PSK ) that I can change the AP-1220 to, without expert knowledge, ( I have a small home network, three computers couting the laptop ) no server, just three computers using DSL 3MB thru a Pix 501. Any help will be greatly appreciated. Thanks in advance.

scottmac · ‎08-28-2005

WPA-PSK (PSK= "Pre-Shared Key") is pretty much the same setup as WEP, but the underlying protocol is much more secure .... if done properly.

With WPA-PSK (also available in WPA2), you enter a key/passphrase on the AP and the client. That's it. Just like WEP.

The caveat is that the system is only as secure as you passphrase. If you use easily guessed passwords, or you use "dictionary" words, then the system is easier to break.

For passphrases, you want to break up normal words or phrases with numbers or non-alphanumerics (i.e., not "ScottsAP" ... something like $c0tt$@p ... something you can remember, but not something that can be matched by scanning through a dictionary file.

It can still theoretically be broken by brute force, so "longer is better" ... the more there is to match (brute force) the less likely that they'll hit the correct combination over a period of weeks or months.

For a business or handler of sensitive information that can't / won't use RADIUS, PSKs should be changed periodically. Since this is a home system, if you use a fairly long, non-dictionary key/phrase (spaces are OK), you're probably good to go.

If you're not using Cisco wireless NICS, I don't think you're going to get WPA2 up. You may also have to update your IOS to 12.3 to get WPA2. 12.3(7) is new/current as of ~ the middle of August.

WPA-PSK (with a good passphrase) will be secure enough to protect your system. Give it a shot. It's supported by all current wireless clients, regardless of vendor.

Good Luck

Scott

guydestefano · ‎08-28-2005

ScottMac. Thank you very much for the prompt and valued reply. I will definitely do that today. When I set it up originally, I think I had only heard/thought of WEP. My current version is 12.2(31)JA. I will try it with that version. Again thanks.

Guy

guydestefano · ‎08-29-2005

ScottMac Please just a little more help. I was able to get into the AP-1200 thru my IE web browser, and have read the directions on the Cisco web site. Althought it does not show what has to be entered. I currently have a WEP 22 character setup. I want to use a 63? character WPA-PSK. When I go to the WPA Shared Key block, I can only enter 22 digits, whether I enter ascii or hexidecimal. I am not adept in using the command line, can I make all the changes I need thru the web browser? I have found on the web, a WPA generator that generated the 63 character key. Do I need to entirely eliminate all the settings for the WEP. Thanks in advance for all of your help.

Guy