Cisco Aironet Configuration

Hey Everyone,

At work I have a Cisco Aironet wireless access point. This was pre-configured prior to my arrival there.

It's broadcasting a SSID to our corporate lan, the name of which is Corp1. This all works fine etc. The AP is connected to a layer 3 switch with multiple VLANs:

Vlan 1 : corporate network
Vlan 2 : DMZ

Now, we have visitors in and I'm not comfortable with them accessing the corporate network just to access the net (I work for a small company, there is no proxy server) so I want to broadcast a second SSID configured to run on VLAN2.

So, I dig out the config file from the AP's web page (Configuration settings > setup.txt). I find out that the config has already been set up for this:

dot11 vlan-name DMZ vlan 2
dot11 vlan-name corporate vlan 1
!
dot11 ssid Corp1
 vlan 1
 authentication open
 authentication key-management wpa
 guest-mode
 mbssid guest-mode
 wpa psk ascii .........................

dot11 ssid Guest
 vlan 2
 authentication open
 authentication key-management wpa
 wpa psk ascii

Odd.... As I'm not broadcasting any other SSID.

I proceed to check the SSID configuration in the Security tab on the AP's page.

This is where it gets confusing.... None of the settings and options are configured. There are no SSID configurations, no VLAN settings, no nothing. This is the same with all options from the ap's site.

And before any silly comments, it's definitely the AP I'm connecting to.

Any ideas anyone?

David
 
Hi Dave,

The Aironet Web pages can be a bit confusing at times - you should be able to telnet / ssh to the IP of the AP and amend the config.

I've got an Aironet 1100 at home and configured it for multiple vlans - works really well as you can have a corp and guest SSID (both being broadcast).

I'm happy to take a look - feel free to mail the config over (minus IP's and Passwords etc)
If you want to have a bash via the Web - it's under security and then vlans - create the vlans and then go into the SSID manager, you should then be able to setup a new SSID (this is from memory so may be a bit out)

Kev
 
Hey Kev,

Thanks for the reply. Is there anything specific from the config you need to look at? I don't have an electronic copy on me and don't really want to send the whole thing.

I'm tempted to use the web page to add a new SSID but because the web page is stating there are no SSIDs being broadcasted & no VLANs I'm a bit reluctant to add another in case it all goes a bit **** up.

David
 
Hi Dave,

The Dot11 radio and BVI bits are good - I've included my config below. Don't worry about borking the config too much - take a copy of the config.txt and you can always re-load it after (either by the web or by pasting in over telnet). The better way is via command line as it doesn't auto save the changes - that way if you lock yourself out, you can just reboot it without chopping yourself off at the knees! (Hard lessons learnt there as the ap1100 doesn't have a console port!)

The AP should only have one IP address on the native interface, all the others should just pass through, so will need to have a DHCP scope on the DMZ - the default gateway being the router or firewall.

If you decide to do it via the web:
Services > VLAN - define the vlan, then once you've clicked apply, go Security > SSID Manager - this allows you to setup the different networks.

Anywho - my config:
dot11 ssid wlan1
 vlan 103
 authentication open eap eap_methods
 authentication network-eap eap_methods
 mbssid guest-mode
 infrastructure-ssid
 admit-traffic
!
dot11 ssid wlan2
 vlan 104
 authentication open
 authentication key-management wpa
 guest-mode
 mbssid guest-mode
 wpa-psk ascii ...
!
dot11 ssid wlan3
 vlan 105
 authentication open
 authentication key-management wpa
 wpa-psk ascii ....
!
dot11 ssid wlan4
 vlan 109
 authentication open
 authentication key-management wpa
 wpa-psk ascii ....
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 103 mode wep mandatory
 !
 encryption vlan 105 mode ciphers tkip
 !
 encryption vlan 104 mode ciphers tkip
 !
 encryption vlan 109 mode ciphers tkip
 !
 ssid wlan1
 !
 ssid wlan2
 !
 ssid wlan3
 !
 ssid wlan4
 !
 mbssid
 speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
!
interface Dot11Radio0.103
 encapsulation dot1Q 103 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.104
 encapsulation dot1Q 104
 no ip route-cache
 bridge-group 104
 bridge-group 104 subscriber-loop-control
 bridge-group 104 block-unknown-source
 no bridge-group 104 source-learning
 no bridge-group 104 unicast-flooding
 bridge-group 104 spanning-disabled
!
interface Dot11Radio0.105
 encapsulation dot1Q 105
 no ip route-cache
 bridge-group 105
 bridge-group 105 subscriber-loop-control
 bridge-group 105 block-unknown-source
 no bridge-group 105 source-learning
 no bridge-group 105 unicast-flooding
 bridge-group 105 spanning-disabled
!
interface Dot11Radio0.109
 encapsulation dot1Q 109
 no ip route-cache
 bridge-group 109
 bridge-group 109 subscriber-loop-control
 bridge-group 109 block-unknown-source
 no bridge-group 109 source-learning
 no bridge-group 109 unicast-flooding
 bridge-group 109 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 speed 100
 full-duplex
!
interface FastEthernet0.103
 encapsulation dot1Q 103 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.104
 encapsulation dot1Q 104
 no ip route-cache
 bridge-group 104
 no bridge-group 104 source-learning
 bridge-group 104 spanning-disabled
!
interface FastEthernet0.105
 encapsulation dot1Q 105
 no ip route-cache
 bridge-group 105
 no bridge-group 105 source-learning
 bridge-group 105 spanning-disabled
!
interface FastEthernet0.109
 encapsulation dot1Q 109
 no ip route-cache
 bridge-group 109
 no bridge-group 109 source-learning
 bridge-group 109 spanning-disabled
!
interface BVI1
 ip address 192.168.50.253 255.255.255.0
 no ip route-cache

OK, the main points -
Anything that says guest-mode means that the SSID is broadcast.
The dot11 ssid is the SSID configuration.
Interface dot11radio0 is all about the wireless - speed, channel, list of SSIDs that you've set above, and encryption is also mentioned.
Interface dot11radio0.xxx interfaces (note the vlan id .xxx) - this ties the radio interface to the SSID and to a Bridge Group (keep the bridge group the same as the vlan id - it doesn't matter but helps keep things tidy).
Interface FastEthernet0.xxx (note vlan id) - this ties the Ethernet interface to a bridge group and also sets the vlan number on the wire.

Further info: http://www.cisco.com/en/US/products...s_configuration_example09186a00801d0815.shtml

Kev
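
The checks listed in the main points above, as an added example that is not part of the original posts: a small Python audit that reads a pasted Aironet config and reports, per SSID, whether it is broadcast, attached to the radio, has encryption set for its VLAN, and has tagged sub-interfaces on both the radio and the wire. The function names and the sample config are assumptions made for illustration.

```python
# Constructed sample: SSID stanzas modelled on the config posted in this thread,
# interface stanzas invented for illustration; indentation lost, as in a forum paste.
SAMPLE = """\
dot11 ssid Corp1
vlan 1
guest-mode
mbssid guest-mode
dot11 ssid Guest
vlan 2
interface Dot11Radio0
encryption vlan 1 mode ciphers tkip
!
ssid Corp1
interface Dot11Radio0.1
encapsulation dot1Q 1 native
interface FastEthernet0.1
encapsulation dot1Q 1 native
interface FastEthernet0.2
encapsulation dot1Q 2
"""

def sections(text):
    """Map each 'dot11 ssid'/'interface' header to the commands up to the next header."""
    out, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith(("dot11 ssid ", "interface ")):
            cur = out.setdefault(line, [])
        elif cur is not None and line not in ("", "!"):
            cur.append(line)
    return out

def audit(text):
    """Return {ssid: [problems]} using the checks from the 'main points' above."""
    sec = sections(text)
    radio = sec.get("interface Dot11Radio0", [])
    ssids = {h[len("dot11 ssid "):]: c for h, c in sec.items() if h.startswith("dot11 ssid ")}
    report = {}
    for name, cmds in ssids.items():
        vlan = next((c.split()[1] for c in cmds if c.startswith("vlan ")), "?")
        checks = [(any("guest-mode" in c for c in cmds), "not broadcast (no guest-mode)"),
                  (f"ssid {name}" in radio, "not attached to Dot11Radio0"),
                  (any(c.startswith(f"encryption vlan {vlan} ") for c in radio),
                   f"no encryption set for vlan {vlan}")]
        for ifc in ("Dot11Radio0", "FastEthernet0"):
            sub = sec.get(f"interface {ifc}.{vlan}", [])
            tagged = any(c.split()[:3] == ["encapsulation", "dot1Q", vlan] for c in sub)
            checks.append((tagged, f"no {ifc}.{vlan} sub-interface"))
        report[name] = [msg for ok, msg in checks if not ok]
    return report
```

Running `audit(SAMPLE)` returns an empty list for Corp1 and four findings for Guest, which separates an SSID that is merely hidden from one that is not actually wired through to its VLAN.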
 
Thanks again for the quick reply kev.

From looking at your config (especially at the guest-mode/mbssid guest-mode) commands I think this is where my problem is - my second SSID doesn't have either and I think this is why I can't see it, would you agree? Also, I hope you don't mind but I added you to MSN, I know quite a bit about networks but unfortunately I don't have any hands on experience or IOS experience...

David
 
No problem :)

Could well be just the guest-mode / mbssid commands if all the other bits are in place - the best way to try this is to try and connect to the guest ssid by manually configuring the settings on the wireless card (better if you're using anything other than the windows one as it'll be easier)

IOS is pretty cool once you've got some hands-on, like I mentioned, it's nicer if you're a little unsure on the AP's as it doesn't auto save so you can easily get yourself out of a sticky situation by power cycling.

The link in the last post should have a fairly good config for the command line as well as the web front end.
 