Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-29225-01
Chapter 11 Configuring Authentication Types
Configuring Additional WPA Settings
Use two optional settings to configure a preshared key on the access point and adjust the frequency of
group key updates.
Setting a Preshared Key
To support WPA on a wireless LAN where 802.1X-based authentication is not available, you must
configure a preshared key on the access point. You can enter the preshared key as ASCII or hexadecimal
characters. If you enter the key as ASCII characters, you must enter between 8 and 63 characters, and the
access point expands the key using the process described in the Password-Based Cryptography Standard
(RFC 2898). If you enter the key as hexadecimal characters, you must enter 64 hexadecimal characters.
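The following added example (not from the Cisco guide or Cisco software) applies the length rules above and performs the RFC 2898 expansion for an ASCII key. The function name is hypothetical, and the PBKDF2 parameters (HMAC-SHA1, the SSID as salt, 4096 iterations, 32 bytes of output, characters limited to codes 32 through 126) are taken from the IEEE 802.11i passphrase mapping rather than from this page.

```python
import hashlib
import string

PMK_LEN = 32          # 256-bit key, i.e. 64 hexadecimal characters
ITERATIONS = 4096     # assumption: iteration count from IEEE 802.11i


def wpa_psk_to_key(key: str, ssid: str, key_format: str) -> bytes:
    """Return the 256-bit key for a wpa-psk value entered as 'hex' or 'ascii'.

    Hypothetical helper for auditing planned keys; it does not talk to a device.
    """
    if key_format == "hex":
        # A hexadecimal key is used as-is, so it must be the full 256 bits.
        if len(key) != 2 * PMK_LEN or any(c not in string.hexdigits for c in key):
            raise ValueError("hex key must be exactly 64 hexadecimal characters")
        return bytes.fromhex(key)

    if key_format == "ascii":
        if not 8 <= len(key) <= 63:
            raise ValueError("ASCII key must be between 8 and 63 characters")
        if any(not 32 <= ord(c) <= 126 for c in key):
            raise ValueError("ASCII key must contain printable ASCII only")
        salt = ssid.encode("utf-8")
        if not 1 <= len(salt) <= 32:
            raise ValueError("SSID must be 1 to 32 bytes")
        # RFC 2898 PBKDF2: the SSID is the salt, so the same passphrase
        # expands to a different key on every SSID.
        return hashlib.pbkdf2_hmac("sha1", key.encode("ascii"), salt,
                                   ITERATIONS, PMK_LEN)

    raise ValueError("key_format must be 'hex' or 'ascii'")


if __name__ == "__main__":
    # Constructed sample values: published 802.11i test passphrase and SSID.
    print(wpa_psk_to_key("password", "IEEE", "ascii").hex())
    # The same passphrase on another (constructed) SSID gives another key.
    print(wpa_psk_to_key("password", "lab-ssid", "ascii").hex())
```

Because the SSID salts the expansion, an ASCII key is tied to its SSID, while a 64-character hexadecimal key is the same 256-bit value on any SSID. The expansion adds no entropy: a short or guessable ASCII key stays weak after it is expanded.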
Configuring Group Key Updates
In the last step in the WPA process, the access point distributes a group key to the authenticated client
device. You can use these optional settings to configure the access point to change and distribute the
group key based on client association and disassociation:
• Membership termination—the access point generates and distributes a new group key when any
authenticated device disassociates from the access point. This feature keeps the group key private
for associated devices, but it might generate some overhead traffic if clients on your network roam
frequently among access points.
• Capability change—the access point generates and distributes a dynamic group key when the last
non-key management (static WEP) client disassociates, and it distributes the statically configured
WEP key when the first non-key management (static WEP) client authenticates. In WPA migration
mode, this feature significantly improves the security of key-management capable clients when
there are no static-WEP clients associated to the access point.
Beginning in privileged EXEC mode, follow these steps to configure a WPA preshared key and group
key update options:
Step 1
Command: configure terminal
Purpose: Enter global configuration mode.

Step 2
Command: ssid ssid-string
Purpose: Enter SSID configuration mode for the SSID.

Step 3
Command: wpa-psk { hex | ascii } [ 0 | 7 ] encryption-key
Purpose: Enter a preshared key for client devices using WPA that also
use static WEP keys.
Enter the key using either hexadecimal or ASCII characters. If
you use hexadecimal, you must enter 64 hexadecimal
characters to complete the 256-bit key. If you use ASCII, you
must enter a minimum of 8 letters, numbers, or symbols, and
the access point expands the key for you. You can enter a
maximum of 63 ASCII characters.

Step 4
Command: interface dot11radio { 0 | 1 }
Purpose: Enter interface configuration mode for the radio interface.
The 2.4-GHz radio and the 2.4-GHz 802.11n radio are 0.
The 5-GHz radio and the 5-GHz 802.11n radio are 1.

Step 5
Command: ssid ssid-string
Purpose: Enter the SSID defined in Step 2 to assign the SSID to the selected
radio interface.

Step 6
Command: exit
Purpose: Return to privileged EXEC mode.