Friday, June 16, 2017

Cisco 1242 AP IOS Upgrade for WPA2 Support

I needed some old Cisco 1242 APs to support WPA 2 wireless clients. The AP support AES-CCM encryption which is primarily used by WPA2 (TKIP for WPA) but there's no option for WPA version 2 under the SSID key management configuration.


ap#show version
Cisco IOS Software, C1240 Software (C1240-K9W7-M), Version 12.3(7)JA1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Thu 06-Oct-05 09:45 by evmiller

ROM: Bootstrap program is C1240 boot loader
BOOTLDR: C1240 Boot Loader (C1240-BOOT-M) Version 12.3(7)JA1, RELEASE SOFTWARE (fc1)

ap uptime is 5 weeks, 14 hours, 1 minute
System returned to ROM by power-on
System image file is "flash:/c1240-k9w7-mx.123-7.JA1/c1240-k9w7-mx.123-7.JA1"

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco AIR-AP1242AG-A-K9    (PowerPCElvis) processor (revision A0) with 24566K/8192K bytes of memory.
Processor board ID FOC09400ABC
PowerPCElvis CPU at 266Mhz, revision number 0x0950
Last reset from power-on
1 FastEthernet interface
2 802.11 Radio(s)

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:14:69:40:12:34
Part Number                          : 73-9921-23
PCA Assembly Number                  : 800-26574-56
PCA Revision Number                  : A0
PCB Serial Number                    : FOC09400ABC
Top Assembly Part Number             : 800-26807-89
Top Assembly Serial Number           : FTX09451234
Top Revision Number                  : B0
Product/Model Number                 : AIR-AP1242AG-A-K9 
        
Configuration register is 0xF

ap#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
ap(config)#dot11 ssid WPA2-SSID
ap(config-ssid)#authentication key-management wpa ?
  cckm      allow CCKM clients
  optional  allow legacy clients

ap(config)#interface Dot11Radio0   
ap(config-if)#encryption vlan 1 mode ciphers ?
  aes-ccm    WPA AES CCMP      // WPA 2
  ckip       Cisco Per packet key hashing
  ckip-cmic  Cisco Per packet key hashing and MIC (MMH)
  cmic       Cisco MIC (MMH)
  tkip       WPA Temporal Key encryption      // WPA
  wep128     128 bit key
  wep40      40 bit key

ap(config-if)#encryption vlan 1 mode ciphers aes-ccm


You'll need to upgrade the IOS of a Cisco 1242 AP to 12.4(10b)JDA3 in order to support WPA2. I've used the command archive tar /xtract tftp://<TFTP IP>/c1240-k9w7-mx.124-10b.JDA3.tar flash: in privileged mode.


ap#show version
Cisco IOS Software, C1240 Software (C1240-K9W7-M), Version 12.4(10b)JA, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 24-Oct-07 15:31 by prod_rel_team

ROM: Bootstrap program is C1240 boot loader
BOOTLDR: C1240 Boot Loader (C1240-BOOT-M) Version 12.4(13d)JA, RELEASE SOFTWARE (fc2)

ap uptime is 4 days, 3 hours, 13 minutes
System returned to ROM by reload
System image file is "flash:/c1240-k9w7-mx.124-10b.JA/c1240-k9w7-mx.124-10b.JA"


<OUTPUT TRUNCATED>


ap#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
ap(config)#dot11 ssid WPA2-SSID
ap(config-ssid)#authentication key-management wpa ?
  cckm      allow CCKM clients
  optional  allow legacy clients
  version   Specify WPA version
  <cr>

ap(config-ssid)#authentication key-management wpa version ?
  <1-2>  WPA version

ap(config-ssid)#authentication key-management wpa version 2

No comments:

Post a Comment