Anyone good with Cisco Wireless stuff?

Trying to set up 2 SSIDs on 2 VLANS on a 1131AG WAP. Just can't seem to get it to work.

Can someone see any glaringly obvious error in my config? I have looked at quite a few "solutions" on the web and they all seem to say that my config should work.

Code:
no aaa new-model
!
!
!
dot11 ssid CANTEENWIFI
   vlan 110
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 7 xxxxxxxxxxxxxxxxx
!
dot11 ssid PRIVWIFI
   vlan 401
   authentication open
   authentication key-management wpa
   wpa-psk ascii 7 xxxxxxxxxxxxxxxxx
!
power inline negotiation prestandard source
!
!
username Cisco password 7 xxxxxxxxxxx
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 110 mode ciphers tkip
 !
 encryption vlan 401 mode ciphers tkip
 !
 ssid CANTEENWIFI
 !
 ssid PRIVWIFI
 !
 station-role root
!
interface Dot11Radio0.41
 encapsulation dot1Q 401 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.110
 encapsulation dot1Q 110
 no ip route-cache
 bridge-group 110
 bridge-group 110 subscriber-loop-control
 bridge-group 110 block-unknown-source
 no bridge-group 110 source-learning
 no bridge-group 110 unicast-flooding
 bridge-group 110 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet0.41
 encapsulation dot1Q 401 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.110
 encapsulation dot1Q 110
 no ip route-cache
 bridge-group 110
 no bridge-group 110 source-learning
 bridge-group 110 spanning-disabled
!
interface BVI1
 ip address xx.xx.xx.xx 255.255.255.0
 no ip route-cache
!
ip default-gateway xx.xx.xx.xx
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
bridge 1 route ip

Thanks in advance for any assistance.
 
Add

Code:
interface Dot11Radio0.110
 encapsulation dot1Q 110
 no ip route-cache
 bridge-group 110
 bridge-group 110 subscriber-loop-control
 bridge-group 110 block-unknown-source
 no bridge-group 110 source-learning
 no bridge-group 110 unicast-flooding
 bridge-group 110 spanning-disabled

but replace all the 110s with 401
 

I'm not sure what you mean...

- There is already a subinterface set up for the 401 VLAN (subint dot11radio0.41)
- Bridge group needs to be 1 because it's the native VLAN (so I've read)
- Bridge groups only go up to 255.
 
From what I can see you don't currently have a Dot11Radio0 interface in the 401 VLAN.

So actually it should just be a case of correcting interface Dot11Radio0.41 to be 0.401, I believe. You're right about the bridge-group needing to be 1 for the native VLAN as well.

Same with interface FastEthernet0.41 as well, I think, if you're meant to be using 401 as your VLAN.
 
I wouldn't have thought that would make a difference. The subnet number is usually whatever you want, and it's the "encapsulation dot1Q 401" command that assigns the VLAN to the subinterface. I'll give it a go, but it still doesn't explain why the other one doesn't work either.
 
Well, it looks like I must take my hat off and salute you, sir. However, I don't recall ever having to have the subinterface as the same number as the VLAN... good thing to know, well... if I ever have to set something like this up from scratch again. Andyt, if you're ever in my neighbourhood, I owe you a few beers. Many thanks :)
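A configuration check for the mismatch AndyT spotted, added here as an example and not code from this thread: it parses an excerpt of the posted config (constructed here in the same form as above), flags a subinterface whose number differs from its dot1Q VLAN, a native VLAN outside bridge-group 1, and an SSID whose VLAN no Dot11Radio0 subinterface carries. The function names are my own.

```python
import re

# Constructed excerpt of the AP config posted above (addresses and keys were already elided there)
POSTED_CONFIG = """\
dot11 ssid CANTEENWIFI
   vlan 110
dot11 ssid PRIVWIFI
   vlan 401
interface Dot11Radio0.41
 encapsulation dot1Q 401 native
 bridge-group 1
interface Dot11Radio0.110
 encapsulation dot1Q 110
 bridge-group 110
"""

def parse(config):
    """Return ({ssid: vlan}, {subinterface name: {id, vlan, native, bridge_group}})."""
    ssids, subifs, ssid, sub = {}, {}, None, None
    for line in config.splitlines():
        if m := re.match(r"dot11 ssid (\S+)", line):
            ssid, sub = m[1], None
        elif m := re.match(r"interface (\S+)\.(\d+)$", line):
            sub = subifs[f"{m[1]}.{m[2]}"] = {"id": int(m[2]), "vlan": None,
                                              "native": False, "bridge_group": None}
            ssid = None
        elif line.startswith(("interface", "!")):   # physical interface or end of a block
            ssid = sub = None
        elif ssid and (m := re.match(r"\s+vlan (\d+)", line)):
            ssids[ssid] = int(m[1])
        elif sub and (m := re.match(r"\s+encapsulation dot1Q (\d+)( native)?", line)):
            sub.update(vlan=int(m[1]), native=bool(m[2]))
        elif sub and (m := re.match(r"\s+bridge-group (\d+)$", line)):
            sub["bridge_group"] = int(m[1])
    return ssids, subifs

def lint(config):
    """Flag the thread's pitfalls: id/VLAN mismatch, native VLAN outside bridge-group 1, uncarried SSID VLAN."""
    ssids, subifs = parse(config)
    findings = []
    for name, s in subifs.items():
        if s["vlan"] is not None and s["vlan"] != s["id"]:
            findings.append(f"{name}: subinterface id {s['id']} does not match dot1Q vlan {s['vlan']}")
        if s["native"] and s["bridge_group"] != 1:
            findings.append(f"{name}: native VLAN should be in bridge-group 1")
    radio_vlans = {s["vlan"] for n, s in subifs.items() if n.startswith("Dot11Radio0.")}
    for ssid, vlan in ssids.items():
        if vlan not in radio_vlans:
            findings.append(f"ssid {ssid}: no Dot11Radio0 subinterface carries vlan {vlan}")
    return findings
```

Running `lint` on a full `show running-config` dump works the same way, since top-level `!` and physical `interface` lines reset the parser between blocks.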
 

You are correct, the subinterface ID doesn't have to match the VLAN ID, but it is both best practice and really helps when troubleshooting. It can also cause the problems that you have been experiencing.
 
Fair enough... I think I've only used VLANs with subinterfaces once in the past, probably made them the same without realising :p

Sorry, edited my response and eaten my words :D However, from day one I have always had it drummed into me to always match the two for the reasons described above. Had to check to make sure, interesting one though.

:)
 

I guess it's a quirk specific to their wireless IOS. I'm just happy that AndyT knew of this quirk and saved me what could have been days of frustration. Now I need to get it working with 802.1x. Andy, I've now got you on forum speed dial just in case :p
 
802.1x is where the fun begins... :)

You using a Cisco ACS box or an alternative? We have a couple of ACSs, but I'm in the process of moving them over to use a Windows IAS box instead... Tough going so far, should really get around to actually testing my configs :)
 

Sorry to take things OTT, but can I ask why you are moving away from ACS?
 

If you're looking at EAP methods I would start with PEAP, should you already have a Windows ADS environment. EAP-FAST and EAP-TLS are very good but can be a pain to configure, not to mention that you need a well designed PKI to implement them efficiently.
 
Number of things really... I've not found our ACSs to be too stable, and you quite often see security holes popping up, meaning the need to patch/upgrade. IAS is quite the opposite, nice and easy to patch as well as stable. We can also run it on a couple of DCs, so that means two fewer boxes in the DC as well. If we started afresh with the new versions of ACS then it would probably be alright, but for us the IAS route makes more sense.

We already use it to control authentication to the switches as well, so for us it made sense for the APs to use it as well.

Still quite a bit of work to do on it but it should work out better in the long run. :)
 

I'm going to jump in at the deep end and try to get NAP working with Windows 2008. We are hoping to run this for all our switched network as well (Extreme, not Cisco).

Curiosityx: I have already set up the required PKI..... well designed??... we will have to wait and see :p
 