How to enable WPA2-PSK AES on Cisco AP1231G

I own two (I know these are older ones) Cisco 1231 with a G-radio, software version 12.3(8)JEE, RELEASE SOFTWARE (fc1), cisco AIR-AP1231G-E-K9.

The APs are set up using WPA-PSK TKIP and I would like to switch to WPA2. There are many pages describing how to enable WPA2-PSK AES, but my attempts to enable WPA2 always stopped with an error message.

The normal documented way to enable WPA2-PSK is:

configure terminal
dot11 ssid <SSID_NAME>
authentication open
authentication key-management wpa version 2
guest-mode
wpa-psk ascii <SSID_PASSWORD>
!
interface Dot11Radio0
encryption mode ciphers aes-ccm
ssid <SSID_NAME>
no shutdown
!

Every time I got an error entering this line:

AP1(config-ssid)#authentication key-management wpa version 2
                                                    ^ 
% Invalid input detected at '^' marker.

The trick is to leave out the “version 2”. The software will automatically use WPA2 when you enter “aes-ccm” as the encryption mode cipher. So instead of the above, use the following config commands:

configure terminal
dot11 ssid <SSID_NAME>
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii <SSID_PASSWORD>
!
interface Dot11Radio0
encryption mode ciphers aes-ccm
ssid <SSID_NAME>
no shutdown
!

Thanks to Cisco for not mentioning that in their standard documentation, and thanks to the one or two guys who pointed that out on the internet.

*Replace the text inside the <> brackets with your SSID and password.
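
To confirm that a saved configuration really ended up on AES after the change, the check below reads the config text and reports, per SSID, whether the radio it is attached to allows only `aes-ccm`. It is an added example, not part of the original post or any Cisco tool, and it assumes the indented `show running-config` layout with no per-VLAN encryption lines; the SSID name and passphrase in the sample are constructed placeholders.

```python
# Constructed sample in `show running-config` layout; SSID and key are placeholders.
SAMPLE_TKIP = """\
dot11 ssid EXAMPLE_SSID
 authentication open
 authentication key-management wpa
 wpa-psk ascii EXAMPLE_PASSPHRASE
!
interface Dot11Radio0
 encryption mode ciphers tkip
 ssid EXAMPLE_SSID
!
"""
SAMPLE_AES = SAMPLE_TKIP.replace("ciphers tkip", "ciphers aes-ccm")


def parse_blocks(config):
    """Map each top-level command to the indented sub-commands under it."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            current = None
        elif not line[0].isspace():
            current = blocks.setdefault(line.strip(), [])
        elif current is not None:
            current.append(line.strip())
    return blocks


def audit(config):
    """Return {ssid: verdict} for every SSID attached to a Dot11Radio interface."""
    blocks, results = parse_blocks(config), {}
    for header, lines in blocks.items():
        if not header.startswith("interface Dot11Radio"):
            continue
        # Per the post, the cipher line (not a "version 2" keyword) selects WPA2 here.
        ciphers = {c for cmd in lines if cmd.startswith("encryption mode ciphers ")
                   for c in cmd.split()[3:]}
        for name in (c.split(None, 1)[1] for c in lines if c.startswith("ssid ")):
            ssid_cfg = blocks.get("dot11 ssid " + name, [])
            if not any(c.startswith("authentication key-management wpa") for c in ssid_cfg):
                results[name] = "FAIL: no WPA key management"
            elif ciphers == {"aes-ccm"}:
                results[name] = "OK: aes-ccm only"
            else:
                results[name] = "FAIL: ciphers " + (" ".join(sorted(ciphers)) or "none")
    return results


if __name__ == "__main__":
    print(audit(SAMPLE_TKIP), audit(SAMPLE_AES))
```

A radio that lists both ciphers (`aes-ccm tkip`) is reported as a failure, since TKIP clients can still associate.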

2 Comments

  1. Anthony says:

    Massive thank you dude. You saved my day 😉 Works perfectly

  2. BritannyTech says:

    Hello.
    A lot of thanks. It also works on an AP 1702i standalone. With the wpa version 2 setting, the client negotiates in WPA2-PSK mode at far slower speeds.

    Removing “version 2” from the config keeps WPA2 mode but in AES, allowing far better and modern throughput.
