Cisco 1941 with AIR-SAP 1602E-E-K9 Standalone

From Ever changing code
Revision as of 20:02, 8 June 2014 by Pio2pio (talk | contribs) (→‎Basic AP config with WPA2-PSK auth)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Here below you will find a basic configuration of AIR-SAP 1602E-E-K9 access point connected to 4-port EHWIC card inserted into Cisco 1941 ISR G2 modular router.

Product codding

Product/Model Number: AIR-SAP1602E-E-K9
IOS C1600 Software (AP1G2-K9W7-M), Version 15.2(2)JB2, RELEASE SOFTWARE (fc1)

                Regulatory Domain
               /
AIR-SAP 1602E-E-K9
     \       \_External antenna
      \_C_ stands for: Control and Provisioning of Wireless Access Points Protocol CAPWAP require WLC (Wireless Lan Controller)
       \_S_ stands for: Standalone AP
Router show inventory
#show inventory
NAME: "CISCO1941/K9", DESCR: "CISCO1941/K9 chassis, Hw Serial#: ***********, Hw Revision: 1.0"
PID: CISCO1941/K9      , VID: V05 , SN: ***********
NAME: "3G WWAN EHWIC-QuadBand HSPA+R7/HSPA/UMTS QuadBand EDGE/GPRS and GPS on Slot 0 SubSlot 0", DESCR: "3G WWAN EHWIC-QuadBand HSPA+R7/HSPA/UMTS QuadBand  EDGE/GPRS and GPS"
PID: EHWIC-3G-HSPA+7   , VID: V01 , SN: ***********
NAME: "Modem 0 on Cellular0/0/0", DESCR: "Sierra Wireless MC8705"
PID: MC8705            , VID: 1.0, SN: ***********
NAME: "4 Port GE POE EHWIC Switch on Slot 0 SubSlot 1", DESCR: "4 Port GE POE EHWIC Switch"
PID: EHWIC-4ESG-P      , VID: V01 , SN: ***********
NAME: "C1941 AC-POE Power Supply", DESCR: "C1941 AC-POE Power Supply"
PID: PWR-1941-POE      , VID:    , SN:
Access point show inventory
NAME: "AP1600", DESCR: "Cisco Aironet 1600 Series (IEEE 802.11n) Access Point"
PID: AIR-SAP1602E-E-K9 , VID: V01, SN: ********x11

Please notice that access points are powered by Power Over Ethernet. There is a difference power consumption for AIR-CAP (managed) access point that uses 13W vs AIR-SAP (standalone) uses 15.4W.

#sh power inline
PowerSupply   SlotNum.   Maximum   Allocated       Status
-----------   --------   -------   ---------       ------
INT-PS           0        80.000    46.200         PS GOOD
Interface   Config   Device   Powered    PowerAllocated   State
---------   ------   ------   -------    --------------   -----
Gi0/1/0     auto     Unknown  Off        0.000 Watts      NOT_PHONE
Gi0/1/1     auto     IEEE-3   On        15.400 Watts      PHONE
Gi0/1/2     auto     IEEE-3   On        15.400 Watts      PHONE
Gi0/1/3     auto     IEEE-3   On        15.400 Watts      PHONE

Basic router config

Applying config

  1. Shape config to your needs following color coding and place into TFTP root folder
    • change update system users and passwords
    • change hostname
    • update with APs ethernet mac addresses
    • update the router serial number
  2. Connect Interface Gi0/0 to a laptop running TFTP server
  3. Optional, issue from Windows route CHANGE 0.0.0.0 MASK 0.0.0.0 10.10.10.2 METRIC 50 IF 13 to maintain access to internet.
  4. At router, issue copy tftp: startup-config and follow the wizard
  5. Reload the router issuing reload but do not save changes to nvram configuration
  6. Activate the licence
    license udi pid CISCO1941/K9 sn $routerserialnumber
    license accept end user agreement
  7. Generate RSA crypto key to enable ssh 2
  8. Apply VLANs

Router config

! Last configuration change at ##:##:## UTC Wed Oct ## 2013 by tech
version 15.2
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname $ID-r1
!
boot-start-marker
boot-end-marker
!
!
logging userinfo
logging buffered 50000
logging console warnings
enable secret enablepassword
!
aaa new-model
!
!
aaa authentication password-prompt LocalPassword:
aaa authentication username-prompt LocalUsername:
aaa authentication login default local
! force to use aaa auth on console line
aaa authentication login admin-con line
aaa authorization exec default local 
!
!
!
!
!
aaa session-id common
clock timezone GMT 0 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
!
no ipv6 cef
no ip source-route
ip cef
!
!
!
ip dhcp excluded-address 10.0.10.1 10.0.10.10
ip dhcp excluded-address 10.0.11.240 10.0.11.254
ip dhcp excluded-address 10.0.20.1 10.0.20.10
ip dhcp excluded-address 10.0.21.240 10.0.21.254
ip dhcp excluded-address 10.0.99.100
ip dhcp excluded-address 10.0.99.1 10.0.99.10
!
ip dhcp pool WIRELESS
 import all
 network 10.0.10.0 255.255.254.0
 default-router 10.0.10.1 
 dns-server 10.0.10.1 8.8.8.8 
 domain-name lan.gateway
 lease 0 2
!
ip dhcp pool WIRELESS-GUEST
 network 10.0.20.0 255.255.254.0
 default-router 10.0.20.1 
 dns-server 10.0.20.1 8.8.8.8 
 domain-name lan-guest.gateway
 lease 0 2
!
ip dhcp pool MANAGEMENT
 network 10.0.99.0 255.255.255.128
 default-router 10.0.99.100 
 dns-server 10.0.99.100 8.8.8.8 
 domain-name lan.management
 lease 0 2
!
ip dhcp pool AP1
 host 10.0.99.1 255.255.255.128
 client-identifier 017c.69f6.e1d8.7d
!
ip dhcp pool AP2
 host 10.0.99.2 255.255.255.128
 client-identifier 017c.69f6.e1d9.18
!
ip dhcp pool AP3
 host 10.0.99.3 255.255.255.128
 client-identifier 017c.69f6.e1d9.78
!
ip dhcp pool LAN
 network 10.0.30.0 255.255.254.0
 default-router 10.0.30.1 
 ! line below is optional in case you want to hand out different DNS servers than the router itself is using
 dns-server primary_dns secondary_dns
 domain-name lan.gateway
 lease 0 2
!
no ip bootp server
ip domain name lma.geteway
!
ip name-server $primary_dns
ip name-server $secondary_dns
!
login block-for 300 attempts 3 within 300
no ipv6 cef
multilink bundle-name authenticated
!
chat-script hspa "" "AT!SCACT=1,1" TIMEOUT 60 "OK"
chat-script LTE "" "AT!CALL1" TIMEOUT 20 "OK"
!
!
license udi pid CISCO1941/K9 sn £routerserialnumber
!
license accept end user agreement
license boot module c1900 technology-package securityk9 disable
license boot module c1900 technology-package datak9 disable
!
!
username ****tech privilege 0 secret 0 password
username **neteng  privilege 15 secret 0 password
!
!
controller Cellular 0/0
controller Cellular 0/0
controller VDSL 0/0/0
controller VDSL 0/0/0
!
ip ssh version 2
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface GigabitEthernet0/0
description --> WAN $WiMAX ##Mbps down/up
ip address $public_ip subnet_mask
! Comment out 'access-group' lines only when you applying ACLs at the same time
! ip access-group INTERNET-IN in
! ip access-group INTERNET-OUT out
ip verify unicast reverse-path
ip nat enable
ntp disable
no shutdown
!
!
interface GigabitEthernet0/1
 description Wired user LAN
 ip address 10.0.30.1 255.255.254.0
 ip nat enable
 duplex auto
 speed auto
 no shutdown
!
interface ATM0/0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no atm ilmi-keepalive
 ntp disable
 pvc 0/38 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
! BT Infinity - PPPoE, interface atm0/0/0 need to be shutdown
interface Ethernet0/0/0
 no ip address
!
interface Ethernet0/0/0.101
 encapsulation dot1Q 101
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/1/0
 description --> trunk to AP
 switchport trunk native vlan 99
 switchport trunk allowed vlan 1,10,20,99,1002-1005
 switchport mode trunk
 no ip address
 no shutdown
!
interface GigabitEthernet0/1/1
 description --> trunk to AP
 switchport trunk native vlan 99
 switchport trunk allowed vlan 1,10,20,99,1002-1005
 switchport mode trunk
 no ip address
 no shutdown
!
interface GigabitEthernet0/1/2
 description --> trunk to AP
 switchport trunk native vlan 99
 switchport trunk allowed vlan 1,10,20,99,1002-1005
 switchport mode trunk
 no ip address
 no shutdown
!
interface GigabitEthernet0/1/3
 description Management VLAN99 access port
 switchport access vlan 99
 no ip address
 no shutdown
!
 interface Cellular0/0/0
 description WAN link to 3G Vodafone-APN
 ip address negotiated
 ip nat enable
 encapsulation slip
 dialer in-band
 dialer string hspa
 dialer-group 1
 async mode interactive
!
interface Cellular0/0/1
 no ip address
 encapsulation slip
!
interface Cellular0/0/0
 description WAN link to 4G Vodafone-APN
 ip address negotiated
 encapsulation slip
 dialer in-band
 dialer pool-member 1
 dialer-group 1
 async mode interactive
 routing dynamic
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 ip address 10.0.10.1 255.255.254.0
 ip nat enable
 no shutdown
!
interface Vlan20
 ip address 10.0.20.1 255.255.254.0
 ip nat enable
 no shutdown
!
interface Vlan99
 description Eherswitch Management Interface
 ip address 10.0.99.100 255.255.255.128
 ntp broadcast
 no shutdown
!
interface Dialer0
 description BT Infinity 40Mb down / 10 Mb upload
 mtu 1492
 ip address ip.add.re.ss m.a.s.k
 ! no ip redirects #removed due to causing VPN reconnection
 no ip unreachables
 no ip proxy-arp
 ip nat enable
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ntp disable
 ppp authentication pap chap ms-chap callin
 ppp chap hostname D******@hg52.btclick.com
 ppp chap password 0 ******
 ppp pap sent-username D******@hg52.btclick.com password 0 ******
 ppp ipcp dns request
 no cdp enable
!
interface Dialer0
 description BT ADSL 5Mdown/1Mup acc: WM****** no:0********
 ! for dynamic public ip replace a lien below with 'ip address negotiated'
 ip address $static_public_ip $subnet_mask
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat enable
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ntp disable
 ppp authentication chap callin
 ppp chap hostname D******@hg52.btclick.com
 ppp chap password 0 ******
 ppp pap sent-username D******@hg52.btclick.com password 0 ******
 ppp ipcp dns request
 no cdp enable
!
 interface Dialer1
 ip address negotiated
 ip nat enable
 encapsulation slip
 dialer pool 1
 dialer idle-timeout 0
 dialer string LTE
 dialer persistent
 dialer-group 1
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip dns server
!
ip nat source list 1 interface Cellular0/0/0 overload
ip route 0.0.0.0 0.0.0.0 Cellular0/0/0
!
access-list 1 permit any
dialer-list 1 protocol ip permit
!
ip nat source list 1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
access-list 1 permit any
dialer-list 1 protocol ip permit
!
ip nat source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 1 permit 10.0.0.0 0.0.255.255
dialer-list 1 protocol ip permit
!
ip nat source list 1 interface Gi0/0 overload
ip route 0.0.0.0 0.0.0.0 Gi0/0
!
access-list 1 permit 10.0.0.0 0.0.255.255
!
access-list 20 remark Allow Management devices sync NTP clock
access-list 20 permit 10.0.99.0 0.0.0.127 log
access-list 20 deny   any
!
!
snmp-server community contingency RO site
snmp-server enable traps entity-sensor threshold
!
!
!
control-plane
!
!
banner motd ^
This system is for COMPANY authorized use only. It is
monitored to detect improper use and other illicit activity.
There is no expectation of privacy while using this system.

^
!
line con 0
 exec-timeout 5 0
 password 0 consolepassword
 logging synchronous
 login authentication admin-con
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line 0/0/0
 exec-timeout 0 0
 script dialer hspa
 script activation hspa
 modem InOut
 no exec
line 0/0/1
 no exec
!
line 0/0/0
 exec-timeout 0 0
 script dialer LTE
 script activation LTE
 modem InOut
 no exec
!
line vty 0 4
 logging synchronous
 transport input ssh
!
scheduler allocate 20000 1000
ntp logging
ntp access-group peer 20
ntp master
!
end
Key
  • Blue - variables: passwords, host names, serial numbers
  • Green - Cellular/3G card configuration
  • Red - Cellular/4G card configuration
  • Purple - ATM/ADSL card configuration, BT Business ADSL
  • Orange - PPPoE, BT Infinity
  • Grey - WAN Ethernet RJ45 from ISP

Applying VLANs

conf t
vlan 10
name WIRELESS
vlan 20
name GUEST-WIRELESS
vlan 99
name MANAGEMENT&NATIVE
^Z
Verify
R1#sh vlan-switch

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1/1, Gi0/1/2
10   WIRELESS                         active
20   GUEST-WIRELESS                   active
99   MANAGEMENT&NATIVE                active    Gi0/1/3
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        1002   1003
10   enet  100010     1500  -      -      -        -    -        0      0
20   enet  100020     1500  -      -      -        -    -        0      0
99   enet  100099     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        1      1003
1003 tr    101003     1500  1005   0      -        -    srb      1      1002
1004 fdnet 101004     1500  -      -      1        ibm  -        0      0
1005 trnet 101005     1500  -      -      1        ibm  -        0      0

Apply Access Lists

Please make sure you are connected through a console cable as you will lock out yourself.

Variables
  • $WAN = it is WAN Interface Dialer1 or ATM0/0/0 or Gi0/0/0
ip access-list extended INTERNET-OUT
 permit tcp any any reflect REMEMBER timeout 300
 permit udp any any reflect REMEMBER timeout 300
 permit icmp any any reflect REMEMBER timeout 300
 deny   ip any any log
!
ip access-list extended INTERNET-IN
permit udp any eq domain any
permit tcp any any eq 22
permit icmp host $monitoring_host_ip any echo
evaluate REMEMBER
deny   ip any any log
!
! Apply access lists to WAN interface
!
interface $WAN
 ip access-group INTERNET-IN in
 ip access-group INTERNET-OUT out

Disable unnecessary services

no ip source-route 
ip options drop 
no ip http server 
no ip http secure-server 
no service tcp-small-servers 
no service udp-small-servers 
service tcp-keepalives-in 
service tcp-keepalives-out 
no ip bootp server 
no ip finger 
no ip identd 
no service config 
no lldp run 
no service pad

Verify you have still access to Internet.

Configure NTP

Router NTP config
! Protect sync time to hosts permitted by access-list
access-list 20 remark Allow Management devices sync NTP clock
access-list 20 permit 10.0.99.0 0.0.0.127
access-list 20 deny   any log
! Disable sending ntp messages on WAN interfaces
Interface Dialer 0
 ntp disable
Interface Vlan99
 ntp broadcast
Interface ATM0/0/0
 ntp disable
ntp logging
ntp access-group peer 20
ntp master
Access point NTP config
sntp server 10.0.99.100

Configure SNMP

! protect snmp RO (readonly) with access-list 
access-list 60 remark Access to read SNMP messages
access-list 60 permit 10.0.10.0 0.0.1.255
access-list 60 permit 10.0.99.0 0.0.0.127
access-list 60 deny   any log
! SNMP configuration
snmp-server community hardpassword RO 60
snmp-server location BuldingID
snmp-server contact AdminID
! log wrong community string attempts
logging snmp-authfail
Test

Device

snmpstatus -c 'communitystring' -v2c DEV_IP_ADDRESS

List of interfaces

snmpwalk -c 'communitystring' -v2c 10.0.99.100 .1.3.6.1.2.1.2.2.1.2
iso.3.6.1.2.1.2.2.1.2.1 = STRING: "Embedded-Service-Engine0/0"
iso.3.6.1.2.1.2.2.1.2.2 = STRING: "GigabitEthernet0/0"
iso.3.6.1.2.1.2.2.1.2.3 = STRING: "GigabitEthernet0/1"
<-- output ommited -->
iso.3.6.1.2.1.2.2.1.2.15 = STRING: "Vlan20"
iso.3.6.1.2.1.2.2.1.2.16 = STRING: "Vlan99"
iso.3.6.1.2.1.2.2.1.2.17 = STRING: "Dialer1"

Uptime

snmpget -M MIBs -v1 -c hardpassword 10.0.99.100 .1.3.6.1.2.1.1.3.0
iso.3.6.1.2.1.1.3.0 = Timeticks: (591121) 1:38:31.21

Basic AP config with WPA2-PSK auth

Default account credentials on the access point
Username: Cisco
Password: Cisco
Enabled mode: Cisco
  • remember to issue 'no shutdown' on radio interfaces as these are administratively down on brand new switches. No shutdown is added in the config below for interface Dot11Radio0
  • remember change 'password' and AP 'hostname' when deploying config
  • not sure why but when applying config BVI1 interface does not take any changes
  • remember to give domain name and generate crypto key otherwise you will not login using ssh, follow below:
conf t
hostname ap1
ip domain name home.gateway
! label for hostname:ap1 and ipdomainname:home.gateway will be ap1.home.gateway
crypto key generate rsa label ap1.home.gateway general-keys modulus 1024
! Last configuration change at 01:54:45 UTC Mon Mar 1 1993 by tech
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap1
!
!
logging rate-limit console 9
enable secret secretpassword
!
aaa new-model
!
!
aaa authentication password-prompt LocalPassword:
aaa authentication username-prompt LocalUsername:
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
no ip routing
no ip cef
ip domain name home.gateway
!
!
!
dot11 syslog
dot11 vlan-name Management vlan 99
dot11 vlan-name Wireless vlan 10
dot11 vlan-name Wireless-guest vlan 20
!
dot11 ssid DS_Guest
   vlan 20
   authentication open
   authentication key-management wpa version 2
   mbssid guest-mode
   wpa-psk ascii 0 guestpassword
!
dot11 ssid DS_MGM
   vlan 99
   authentication open
   authentication key-management wpa version 2
   ! mbssid guest-mode commented out to prevent broadcasting BSSID
   wpa-psk ascii 0 managementpassword
!
dot11 ssid DS_WPA2
   vlan 10
   authentication open
   authentication key-management wpa version 2
   mbssid guest-mode
   wpa-psk ascii 0 wirelesspassword
!
!
crypto pki token default removal timeout 0
!
!
username tech privilege 1 secret 0 techpassword
username admin privilege 15 secret 0 adminpassword
!
ip ssh time-out 180
ip ssh authentication-retries 5
ip ssh version 2
bridge irb
!
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 encryption vlan 10 mode ciphers aes-ccm
 !
 encryption vlan 20 mode ciphers aes-ccm
 !
 encryption vlan 99 mode ciphers aes-ccm
 !
 ssid DS_Guest
 !
 ssid DS_MGM
 !
 ssid DS_WPA2
 !
 antenna gain 0
 stbc
 beamform ofdm
 mbssid
 station-role root
 no shutdown
!
interface Dot11Radio0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 spanning-disabled
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 bridge-group 20 subscriber-loop-control
 bridge-group 20 spanning-disabled
 bridge-group 20 block-unknown-source
 no bridge-group 20 source-learning
 no bridge-group 20 unicast-flooding
!
interface Dot11Radio0.99
 encapsulation dot1Q 99 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 antenna gain 0
 no dfs band block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no shutdown
!
interface GigabitEthernet0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 bridge-group 10 spanning-disabled
 no bridge-group 10 source-learning
!
interface GigabitEthernet0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 bridge-group 20 spanning-disabled
 no bridge-group 20 source-learning
!
interface GigabitEthernet0.99
 encapsulation dot1Q 99 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface BVI1
 ip address dhcp client-id GigabitEthernet0
 no ip route-cache
 no shutdown
!
ip forward-protocol nd
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 transport input ssh
sntp server 10.0.99.100
!
end
Enable sending logs to syslog server
logging source-interface GigabitEthernet0
logging 10.0.10.5

Configure WPA2 from WEB

Security > Encription Manager
  1. Set Encryption Mode and Keys for VLAN: from drop down menu
  2. Tick Cipher and from drop down menu AES CCMP
Security > SSID Manager
  1. Select <NEW>
  2. Type SSID_name into SSID box
  3. Select VLAN
  4. Tick Interface Radio0 (2.4 GHz)
  5. Key Management: Mandatory
  6. Tick: Enable WPA and select WPAv2 from drop down menu
  7. Enter your WPA Pre-shared Key into a box
  8. Enable SSID broadcast in beacons (requires enabling per SSID)
    1. Go to section: Multiple BSSID Beacon Settings
    2. Check: Set SSID as Guest Mode
  9. Press Apply
  10. Enable multiple SSIDs to be broadcasted (requires enabling once per AP/radio)
    1. Go to section: Guest Mode/Infrastructure SSID Settings
    2. Check: Multiple BSSID
    3. Press Apply
Error message when ticking CCKM
ERROR:
VLAN 99 cannot support CCKM.
Set 'Encryption Mode' to 'Cipher' on all radio interfaces before selecting CCKM (See Security> Encryption  Manager).
Error message when enabling WPA
ERROR:
VLAN 99 cannot support WPA optional.
Set 'Encryption Mode' to 'Cipher', 'TKIP + WEP 40 bit' or 'TKIP + WEP 128 bit' 
or 'AES CCMP + TKIP + WEP 40 bit', or 'AES CCMP + TKIP + WEP 128 bit' on all radio interfaces before selecting WPA.
(See Security> Encryption Manager) To set the correct 'Key Management', follow the steps below: STEP 1:Set the 'Key Management' to 'None'. STEP 2:Set the 'Cipher' to 'TKIP' or 'AES CCMP' or 'AES CCMP + TKIP'.(see Security>Encryption Manager) STEP 3:Set the 'Authenticated Key Management' to 'WPA' and 'Mandatory'.

References