Cisco 1941 with AIR-SAP 1602E-E-K9 Standalone
Revision as of 20:02, 8 June 2014 by Pio2pio
Below is a basic configuration for AIR-SAP1602E-E-K9 access points connected to the 4-port PoE EHWIC switch module of a Cisco 1941 ISR G2 modular router.
Product coding
Product/Model Number: AIR-SAP1602E-E-K9
IOS: C1600 Software (AP1G2-K9W7-M), Version 15.2(2)JB2, RELEASE SOFTWARE (fc1)
How to read the model number:
- AIR-SAP1602E-E-K9: the E between the dashes is the regulatory domain (E = ETSI/Europe)
- AIR-SAP1602E: the E directly after the model number means external antenna connectors
- AIR-CAP...: C stands for Control and Provisioning of Wireless Access Points (CAPWAP); a CAP model requires a WLC (Wireless LAN Controller)
- AIR-SAP...: S stands for Standalone (autonomous) AP; it runs the autonomous K9W7 image shown above (K9W8 is the lightweight image)
- Router
show inventory
#show inventory
NAME: "CISCO1941/K9", DESCR: "CISCO1941/K9 chassis, Hw Serial#: ***********, Hw Revision: 1.0"
PID: CISCO1941/K9      , VID: V05 , SN: ***********
NAME: "3G WWAN EHWIC-QuadBand HSPA+R7/HSPA/UMTS QuadBand EDGE/GPRS and GPS on Slot 0 SubSlot 0", DESCR: "3G WWAN EHWIC-QuadBand HSPA+R7/HSPA/UMTS QuadBand EDGE/GPRS and GPS"
PID: EHWIC-3G-HSPA+7   , VID: V01 , SN: ***********
NAME: "Modem 0 on Cellular0/0/0", DESCR: "Sierra Wireless MC8705"
PID: MC8705            , VID: 1.0 , SN: ***********
NAME: "4 Port GE POE EHWIC Switch on Slot 0 SubSlot 1", DESCR: "4 Port GE POE EHWIC Switch"
PID: EHWIC-4ESG-P      , VID: V01 , SN: ***********
NAME: "C1941 AC-POE Power Supply", DESCR: "C1941 AC-POE Power Supply"
PID: PWR-1941-POE      , VID:     , SN:
- Access point
show inventory
NAME: "AP1600", DESCR: "Cisco Aironet 1600 Series (IEEE 802.11n) Access Point"
PID: AIR-SAP1602E-E-K9 , VID: V01 , SN: ********x11
Note that the access points are powered over Ethernet (PoE) by the EHWIC-4ESG-P module. Power draw differs by model: an AIR-CAP (controller-managed) access point uses 13 W, whereas an AIR-SAP (standalone) is allocated the full 15.4 W of an 802.3af class 3 device (IEEE-3 below). With three APs that is 46.2 W of the 80 W the PWR-1941-POE supply provides, as 'show power inline' confirms:
#sh power inline
PowerSupply   SlotNum.   Maximum   Allocated   Status
-----------   --------   -------   ---------   ------
INT-PS        0          80.000    46.200      PS GOOD

Interface   Config   Device    Powered   PowerAllocated   State
---------   ------   ------    -------   --------------   -----
Gi0/1/0     auto     Unknown   Off       0.000 Watts      NOT_PHONE
Gi0/1/1     auto     IEEE-3    On        15.400 Watts     PHONE
Gi0/1/2     auto     IEEE-3    On        15.400 Watts     PHONE
Gi0/1/3     auto     IEEE-3    On        15.400 Watts     PHONE
Basic router config
Applying config
- Shape the config to your needs following the colour key below and place it in the TFTP root folder:
- update the system users and passwords
- change the hostname
- update the DHCP client-identifiers with the APs' Ethernet MAC addresses
- update the router serial number
- Connect interface Gi0/0 to a laptop running a TFTP server
- Optional, from Windows, so the laptop keeps its existing default gateway (here 10.10.10.2 via interface index 13, as listed by 'route print') for Internet traffic while it is cabled to the router:
route CHANGE 0.0.0.0 MASK 0.0.0.0 10.10.10.2 METRIC 50 IF 13
- On the router, issue
copy tftp: startup-config
and follow the wizard
- Reload the router with
reload
but do not save the running configuration to NVRAM, otherwise it overwrites the file you have just copied
- Activate the licence
license udi pid CISCO1941/K9 sn $routerserialnumber
license accept end user agreement
- Generate an RSA key pair to enable SSH version 2
- Apply the VLANs
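The licence and SSH steps above, typed in order once the TFTP-loaded configuration is running. This is an added example and not part of the original page; $ID-r1, $routerserialnumber and $adminpassword are placeholders, and the 2048-bit modulus, the SSH timers and the 10-minute idle timeout are this example's choices, not values from the page.

```cisco
! Added example, not from the original page: licence acceptance and SSHv2
! enablement after the config has been loaded from TFTP and the router reloaded.
! $ID-r1 and $adminpassword are placeholders.
configure terminal
 license accept end user agreement
 ! SSHv2 needs a host name and a domain name before a key pair can be generated
 hostname $ID-r1
 ip domain name lan.gateway
 ! 2048-bit RSA; IOS names the pair <hostname>.<domain> unless a label is given
 crypto key generate rsa modulus 2048
 ip ssh version 2
 ip ssh time-out 60
 ip ssh authentication-retries 3
 ! admin user stored as a type 5 hash ('secret'), never 'password'
 username neteng privilege 15 secret $adminpassword
 line vty 0 4
  transport input ssh
  exec-timeout 10 0
  logging synchronous
 end
! verify before you disconnect the console cable
show license feature
show ip ssh
show crypto key mypubkey rsa
```

'show ip ssh' must report "SSH Enabled - version 2.0"; if it says SSH is disabled, the key pair was not generated (usually because the domain name was missing). Keep the console session open until an SSH login from the LAN has succeeded.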
Router config
! Last configuration change at ##:##:## UTC Wed Oct ## 2013 by tech
!
! This is a template: the alternative WAN blocks for each card/ISP are all left in
! and tagged [3G], [4G], [ADSL], [PPPoE] and [WAN-ETH] (see the Key below).
! Keep only the blocks for the WAN you actually have: duplicated interface,
! controller, access-list 1, NAT and default-route lines are alternatives, not additions.
version 15.2
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname $ID-r1
!
boot-start-marker
boot-end-marker
!
logging userinfo
logging buffered 50000
logging console warnings
enable secret enablepassword
!
aaa new-model
!
aaa authentication password-prompt LocalPassword:
aaa authentication username-prompt LocalUsername:
aaa authentication login default local
! the console is forced through its own AAA method list (line password, see 'line con 0')
aaa authentication login admin-con line
aaa authorization exec default local
!
aaa session-id common
clock timezone GMT 0 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
!
no ipv6 cef
no ip source-route
ip cef
!
ip dhcp excluded-address 10.0.10.1 10.0.10.10
ip dhcp excluded-address 10.0.11.240 10.0.11.254
ip dhcp excluded-address 10.0.20.1 10.0.20.10
ip dhcp excluded-address 10.0.21.240 10.0.21.254
ip dhcp excluded-address 10.0.99.100
ip dhcp excluded-address 10.0.99.1 10.0.99.10
!
ip dhcp pool WIRELESS
 import all
 network 10.0.10.0 255.255.254.0
 default-router 10.0.10.1
 dns-server 10.0.10.1 8.8.8.8
 domain-name lan.gateway
 lease 0 2
!
ip dhcp pool WIRELESS-GUEST
 network 10.0.20.0 255.255.254.0
 default-router 10.0.20.1
 dns-server 10.0.20.1 8.8.8.8
 domain-name lan-guest.gateway
 lease 0 2
!
ip dhcp pool MANAGEMENT
 network 10.0.99.0 255.255.255.128
 default-router 10.0.99.100
 dns-server 10.0.99.100 8.8.8.8
 domain-name lan.management
 lease 0 2
!
! AP reservations: the client-identifier is 01 followed by the AP's GigabitEthernet0
! MAC address (the AP's BVI1 uses 'ip address dhcp client-id GigabitEthernet0')
ip dhcp pool AP1
 host 10.0.99.1 255.255.255.128
 client-identifier 017c.69f6.e1d8.7d
!
ip dhcp pool AP2
 host 10.0.99.2 255.255.255.128
 client-identifier 017c.69f6.e1d9.18
!
ip dhcp pool AP3
 host 10.0.99.3 255.255.255.128
 client-identifier 017c.69f6.e1d9.78
!
ip dhcp pool LAN
 network 10.0.30.0 255.255.254.0
 default-router 10.0.30.1
 ! the lines below are optional, in case you want to hand out different DNS servers
 ! than the ones the router itself uses
 dns-server primary_dns secondary_dns
 domain-name lan.gateway
 lease 0 2
!
no ip bootp server
ip domain name lan.gateway
!
ip name-server $primary_dns
ip name-server $secondary_dns
!
login block-for 300 attempts 3 within 300
no ipv6 cef
multilink bundle-name authenticated
!
! [3G] chat-script used by line 0/0/0 and Cellular0/0/0
chat-script hspa "" "AT!SCACT=1,1" TIMEOUT 60 "OK"
! [4G] chat-script used by line 0/0/0 and Dialer1
chat-script LTE "" "AT!CALL1" TIMEOUT 20 "OK"
!
license udi pid CISCO1941/K9 sn $routerserialnumber
!
license accept end user agreement
license boot module c1900 technology-package securityk9 disable
license boot module c1900 technology-package datak9 disable
!
username ****tech privilege 0 secret 0 password
username **neteng privilege 15 secret 0 password
!
! [3G]
controller Cellular 0/0
! [4G]
controller Cellular 0/0
! [ADSL] (the DSL EHWIC shows up as a VDSL controller in both modes)
controller VDSL 0/0/0
! [PPPoE]
controller VDSL 0/0/0
!
ip ssh version 2
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
! Gi0/0 stays shut unless it is the WAN
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
 shutdown
!
! [WAN-ETH]
interface GigabitEthernet0/0
 description --> WAN $WiMAX ##Mbps down/up
 ip address $public_ip subnet_mask
 ! leave the 'access-group' lines commented out unless you apply the ACLs at the same time
 ! ip access-group INTERNET-IN in
 ! ip access-group INTERNET-OUT out
 ip verify unicast reverse-path
 ip nat enable
 ntp disable
 no shutdown
!
interface GigabitEthernet0/1
 description Wired user LAN
 ip address 10.0.30.1 255.255.254.0
 ip nat enable
 duplex auto
 speed auto
 no shutdown
!
! [ADSL]
interface ATM0/0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no atm ilmi-keepalive
 ntp disable
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
! [PPPoE] BT Infinity: interface ATM0/0/0 needs to be shut down
interface Ethernet0/0/0
 no ip address
!
interface Ethernet0/0/0.101
 encapsulation dot1Q 101
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/1/0
 description --> trunk to AP
 switchport trunk native vlan 99
 switchport trunk allowed vlan 1,10,20,99,1002-1005
 switchport mode trunk
 no ip address
 no shutdown
!
interface GigabitEthernet0/1/1
 description --> trunk to AP
 switchport trunk native vlan 99
 switchport trunk allowed vlan 1,10,20,99,1002-1005
 switchport mode trunk
 no ip address
 no shutdown
!
interface GigabitEthernet0/1/2
 description --> trunk to AP
 switchport trunk native vlan 99
 switchport trunk allowed vlan 1,10,20,99,1002-1005
 switchport mode trunk
 no ip address
 no shutdown
!
interface GigabitEthernet0/1/3
 description Management VLAN99 access port
 switchport access vlan 99
 no ip address
 no shutdown
!
! [3G]
interface Cellular0/0/0
 description WAN link to 3G Vodafone-APN
 ip address negotiated
 ip nat enable
 encapsulation slip
 dialer in-band
 dialer string hspa
 dialer-group 1
 async mode interactive
!
interface Cellular0/0/1
 no ip address
 encapsulation slip
!
! [4G]
interface Cellular0/0/0
 description WAN link to 4G Vodafone-APN
 ip address negotiated
 encapsulation slip
 dialer in-band
 dialer pool-member 1
 dialer-group 1
 async mode interactive
 routing dynamic
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 ip address 10.0.10.1 255.255.254.0
 ip nat enable
 no shutdown
!
interface Vlan20
 ip address 10.0.20.1 255.255.254.0
 ip nat enable
 no shutdown
!
interface Vlan99
 description Etherswitch Management Interface
 ip address 10.0.99.100 255.255.255.128
 ntp broadcast
 no shutdown
!
! [PPPoE]
interface Dialer0
 description BT Infinity 40Mb down / 10 Mb upload
 mtu 1492
 ip address ip.add.re.ss m.a.s.k
 ! no ip redirects   <- removed, it caused VPN reconnections
 no ip unreachables
 no ip proxy-arp
 ip nat enable
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ntp disable
 ppp authentication pap chap ms-chap callin
 ppp chap hostname D******@hg52.btclick.com
 ppp chap password 0 ******
 ppp pap sent-username D******@hg52.btclick.com password 0 ******
 ppp ipcp dns request
 no cdp enable
!
! [ADSL]
interface Dialer0
 description BT ADSL 5Mdown/1Mup acc: WM****** no:0********
 ! for a dynamic public IP replace the line below with 'ip address negotiated'
 ip address $static_public_ip $subnet_mask
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat enable
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ntp disable
 ppp authentication chap callin
 ppp chap hostname D******@hg52.btclick.com
 ppp chap password 0 ******
 ppp pap sent-username D******@hg52.btclick.com password 0 ******
 ppp ipcp dns request
 no cdp enable
!
! [4G]
interface Dialer1
 ip address negotiated
 ip nat enable
 encapsulation slip
 dialer pool 1
 dialer idle-timeout 0
 dialer string LTE
 dialer persistent
 dialer-group 1
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip dns server
!
! [3G]
ip nat source list 1 interface Cellular0/0/0 overload
ip route 0.0.0.0 0.0.0.0 Cellular0/0/0
!
access-list 1 permit any
dialer-list 1 protocol ip permit
!
! [4G]
ip nat source list 1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
access-list 1 permit any
dialer-list 1 protocol ip permit
!
! [ADSL] and [PPPoE]
ip nat source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 1 permit 10.0.0.0 0.0.255.255
dialer-list 1 protocol ip permit
!
! [WAN-ETH]
ip nat source list 1 interface Gi0/0 overload
ip route 0.0.0.0 0.0.0.0 Gi0/0
!
access-list 1 permit 10.0.0.0 0.0.255.255
!
access-list 20 remark Allow Management devices sync NTP clock
access-list 20 permit 10.0.99.0 0.0.0.127 log
access-list 20 deny any
!
! placeholder community string and ACL name; see 'Configure SNMP' below for the real setup
snmp-server community contingency RO site
snmp-server enable traps entity-sensor threshold
!
control-plane
!
banner motd ^
This system is for COMPANY authorized use only. It is monitored to detect improper use and other illicit activity. There is no expectation of privacy while using this system.
^
!
line con 0
 exec-timeout 5 0
 password 0 consolepassword
 logging synchronous
 login authentication admin-con
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
! [3G]
line 0/0/0
 exec-timeout 0 0
 script dialer hspa
 script activation hspa
 modem InOut
 no exec
line 0/0/1
 no exec
!
! [4G]
line 0/0/0
 exec-timeout 0 0
 script dialer LTE
 script activation LTE
 modem InOut
 no exec
!
line vty 0 4
 logging synchronous
 transport input ssh
!
scheduler allocate 20000 1000
ntp logging
ntp access-group peer 20
ntp master
!
end
- Key (the colour coding of the original page; the text version identifies the same blocks by interface)
- Blue - variables: passwords, host names, serial numbers (written as $variable in the config)
- Green - Cellular/3G card configuration: controller Cellular 0/0, chat-script hspa, interface Cellular0/0/0 with 'dialer string hspa', line 0/0/0 with the hspa scripts, NAT and default route via Cellular0/0/0
- Red - Cellular/4G card configuration: controller Cellular 0/0, chat-script LTE, interface Cellular0/0/0 with 'dialer pool-member 1', interface Dialer1, line 0/0/0 with the LTE scripts, NAT and default route via Dialer1
- Purple - ATM/ADSL card configuration, BT Business ADSL: controller VDSL 0/0/0, interface ATM0/0/0 with pvc 0/38, interface Dialer0 'BT ADSL', NAT and default route via Dialer0
- Orange - PPPoE, BT Infinity: controller VDSL 0/0/0, interface Ethernet0/0/0 and Ethernet0/0/0.101, interface Dialer0 'BT Infinity', NAT and default route via Dialer0
- Grey - WAN Ethernet RJ45 from ISP: interface GigabitEthernet0/0 'WAN', NAT and default route via Gi0/0
Applying VLANs
conf t
vlan 10
name WIRELESS
vlan 20
name GUEST-WIRELESS
vlan 99
name MANAGEMENT&NATIVE
^Z
- Verify (trunk ports are not listed in the Ports column; Gi0/1/1 and Gi0/1/2 were still access ports in VLAN 1 when this was captured)
R1#sh vlan-switch

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1/1, Gi0/1/2
10   WIRELESS                         active
20   GUEST-WIRELESS                   active
99   MANAGEMENT&NATIVE                active    Gi0/1/3
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        1002   1003
10   enet  100010     1500  -      -      -        -    -        0      0
20   enet  100020     1500  -      -      -        -    -        0      0
99   enet  100099     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        1      1003
1003 tr    101003     1500  1005   0      -        -    srb      1      1002
1004 fdnet 101004     1500  -      -      1        ibm  -        0      0
1005 trnet 101005     1500  -      -      1        ibm  -        0      0
Apply Access Lists
Make sure you are connected through the console cable: applying these access lists over an SSH session can lock you out.
- Variables
- $WAN = the WAN interface that carries the public IP address: Dialer0 (ADSL or PPPoE), Dialer1 (4G), Cellular0/0/0 (3G) or GigabitEthernet0/0 (Ethernet from the ISP); the ACLs go on the dialer, not on the physical ATM0/0/0 or Ethernet0/0/0 beneath it
ip access-list extended INTERNET-OUT
 permit tcp any any reflect REMEMBER timeout 300
 permit udp any any reflect REMEMBER timeout 300
 permit icmp any any reflect REMEMBER timeout 300
 deny ip any any log
!
ip access-list extended INTERNET-IN
 permit udp any eq domain any
 permit tcp any any eq 22
 permit icmp host $monitoring_host_ip any echo
 evaluate REMEMBER
 deny ip any any log
!
! Apply access lists to WAN interface
!
interface $WAN
 ip access-group INTERNET-IN in
 ip access-group INTERNET-OUT out
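Two of the inbound entries above deserve a second look. 'permit udp any eq domain any' admits any UDP packet whose source port happens to be 53, to any destination port; it is there because the router's own DNS lookups (it is the resolver for the LAN via 'ip dns server') never traverse an outbound ACL, so they are not reflected into REMEMBER and their replies would otherwise be dropped. 'permit tcp any any eq 22' opens SSH to the whole Internet. The following is an added example, not from the original page, with the same reflexive design and those two entries narrowed; $primary_dns and $secondary_dns are the name-server variables from the router config, $monitoring_host_ip is the page's variable, and $admin_host_ip is a placeholder for the host you administer from.

```cisco
! Added example, not from the original page: reflexive WAN ACLs with the inbound
! DNS and SSH permits narrowed. $admin_host_ip is a placeholder of this example.
ip access-list extended INTERNET-OUT
 permit tcp any any reflect REMEMBER timeout 300
 permit udp any any reflect REMEMBER timeout 300
 permit icmp any any reflect REMEMBER timeout 300
 deny ip any any log
!
ip access-list extended INTERNET-IN
 ! replies to the router's own DNS queries: only from the configured resolvers,
 ! not from any host on the Internet that sets source port 53
 permit udp host $primary_dns eq domain any
 permit udp host $secondary_dns eq domain any
 ! SSH from the admin host only; 'login block-for' in the router config still
 ! rate-limits failed logins from that host
 permit tcp host $admin_host_ip any eq 22
 permit icmp host $monitoring_host_ip any echo
 evaluate REMEMBER
 deny ip any any log
!
! Internet background scanning hits the final deny constantly; without this the
! 50000-byte log buffer is nothing but ACL hits (also throttles other informational messages)
logging rate-limit 10 except errors
!
interface $WAN
 ip access-group INTERNET-IN in
 ip access-group INTERNET-OUT out
```

Check with 'show ip access-lists REMEMBER' while a LAN host browses: the temporary entries should appear and age out after 300 s of idle. Note that the final deny in INTERNET-OUT also drops transit IP protocols other than TCP, UDP and ICMP, such as ESP and GRE, so a VPN client behind the router works only if it uses NAT-T (UDP 4500, which is reflected); add explicit permits in both directions if you need raw ESP or GRE through.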
Disable unnecessary services
no ip source-route
ip options drop
no ip http server
no ip http secure-server
no service tcp-small-servers
no service udp-small-servers
service tcp-keepalives-in
service tcp-keepalives-out
no ip bootp server
no ip finger
no ip identd
no service config
no lldp run
no service pad
Verify that you still have Internet access.
Configure NTP
- Router NTP config
! Only hosts permitted by the access list may sync time from the router
access-list 20 remark Allow Management devices sync NTP clock
access-list 20 permit 10.0.99.0 0.0.0.127
access-list 20 deny any log
! Do not send or answer NTP on WAN interfaces
interface Dialer0
 ntp disable
interface Vlan99
 ntp broadcast
interface ATM0/0/0
 ntp disable
ntp logging
ntp access-group peer 20
ntp master
- Access point NTP config
sntp server 10.0.99.100
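The router above is a free-running 'ntp master' and grants the management subnet 'peer' rights, which is the most permissive NTP access category (time requests, control queries, and being accepted as a sync source). The following is an added example and not from the original page: it syncs the router from an authenticated upstream server and limits the management LAN to time requests. $ntp_upstream, $ntpkey and access-list 21 are this example's placeholders; access-list 20, Vlan99 and Dialer0 are from the page.

```cisco
! Added example, not from the original page. $ntp_upstream and $ntpkey are placeholders.
ntp authenticate
ntp authentication-key 1 md5 $ntpkey
ntp trusted-key 1
! sync from the upstream server out of the active WAN interface
ntp server $ntp_upstream key 1 source Dialer0
! local clock only as a fallback, at a deliberately poor stratum
ntp master 10
!
! only the upstream server may become a sync source or run control queries;
! the management LAN (access-list 20 from the page) may only ask for time
access-list 21 remark upstream NTP server only
access-list 21 permit host $ntp_upstream
access-list 21 deny any
ntp access-group peer 21
ntp access-group serve-only 20
ntp logging
!
interface Vlan99
 ntp broadcast
! 'ntp disable' must NOT stay on the WAN interface used to reach the upstream
! server: it blocks the replies and the router never synchronises. The
! access-groups above are what keeps Internet hosts from using the router.
interface Dialer0
 no ntp disable
```

Verify with 'show ntp associations' (the upstream entry should gain a '*' once it is selected) and 'show ntp status'. The APs can keep 'sntp server 10.0.99.100' as on the page; they are on the management VLAN that access-list 20 permits.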
Configure SNMP
! protect snmp RO (readonly) with access-list
access-list 60 remark Access to read SNMP messages
access-list 60 permit 10.0.10.0 0.0.1.255
access-list 60 permit 10.0.99.0 0.0.0.127
access-list 60 deny any log
! SNMP configuration
snmp-server community hardpassword RO 60
snmp-server location BuildingID
snmp-server contact AdminID
! log wrong community string attempts
logging snmp-authfail
- Test
Device
snmpstatus -c 'communitystring' -v2c DEV_IP_ADDRESS
List of interfaces
snmpwalk -c 'communitystring' -v2c 10.0.99.100 .1.3.6.1.2.1.2.2.1.2
iso.3.6.1.2.1.2.2.1.2.1 = STRING: "Embedded-Service-Engine0/0"
iso.3.6.1.2.1.2.2.1.2.2 = STRING: "GigabitEthernet0/0"
iso.3.6.1.2.1.2.2.1.2.3 = STRING: "GigabitEthernet0/1"
<-- output omitted -->
iso.3.6.1.2.1.2.2.1.2.15 = STRING: "Vlan20"
iso.3.6.1.2.1.2.2.1.2.16 = STRING: "Vlan99"
iso.3.6.1.2.1.2.2.1.2.17 = STRING: "Dialer1"
Uptime
snmpget -M MIBs -v1 -c hardpassword 10.0.99.100 .1.3.6.1.2.1.1.3.0
iso.3.6.1.2.1.1.3.0 = Timeticks: (591121) 1:38:31.21
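A v2c community string travels in clear text and is the only credential, so access-list 60 is doing all the work above. The following is an added example and not from the original page: SNMPv3 with authentication and encryption (authPriv), still restricted by access-list 60 from the page. The view, group and user names, $authpass and $privpass, and the use of 10.0.10.5 (the page's syslog host) as trap receiver are this example's choices.

```cisco
! Added example, not from the original page: SNMPv3 authPriv read-only access.
! $authpass and $privpass are placeholders; access-list 60 is the page's ACL.
snmp-server view MGMT-RO iso included
! the group requires 'priv' (authenticated and encrypted) and is ACL-limited
snmp-server group MONITOR-RO v3 priv read MGMT-RO access 60
! SHA authentication, AES-128 privacy; users are kept outside the running config
snmp-server user nms MONITOR-RO v3 auth sha $authpass priv aes 128 $privpass access 60
! no v1/v2c community at all once the NMS has moved to v3
no snmp-server community hardpassword
snmp-server location BuildingID
snmp-server contact AdminID
! traps go out authenticated too; failed SNMP logins are logged and trapped
logging snmp-authfail
snmp-server enable traps snmp authentication
snmp-server host 10.0.10.5 version 3 priv nms
```

Check with 'show snmp user' ('show running-config' does not list v3 users) and test from the monitoring host with snmpwalk -v3 -l authPriv -u nms -a SHA -A '$authpass' -x AES -X '$privpass' 10.0.99.100 .1.3.6.1.2.1.2.2.1.2, which should return the same interface table as the v2c walk above.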
Basic AP config with WPA2-PSK auth
- Default account credentials on the access point
Username: Cisco
Password: Cisco
Enable secret: Cisco
- remember to issue 'no shutdown' on the radio interfaces, as they are administratively down on a brand new access point. 'no shutdown' is included in the config below for interface Dot11Radio0 only; Dot11Radio1 (5 GHz) stays shut
- remember to change the passwords and the AP hostname when deploying the config; the factory Cisco/Cisco account must not survive on an AP that is reachable from a user VLAN
- the DS_MGM SSID drops its clients directly onto VLAN 99, the same VLAN the router and the APs are managed from, so its pre-shared key is the only thing between a wireless client and the management plane; not broadcasting the SSID hides nothing from a client that listens to probe responses
- not sure why, but when applying the config the BVI1 interface does not take any changes
- remember to set a domain name and generate an RSA key pair, otherwise you will not be able to log in over SSH. Follow the steps below (prefer a 2048-bit modulus; the 1024-bit key shown here is below current minimums):
conf t
hostname ap1
ip domain name home.gateway
! the default key label for hostname ap1 and domain home.gateway is ap1.home.gateway
crypto key generate rsa label ap1.home.gateway general-keys modulus 1024
! Last configuration change at 01:54:45 UTC Mon Mar 1 1993 by tech
! (a 1993 timestamp means the AP clock has never been set; it is corrected once SNTP syncs)
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap1
!
logging rate-limit console 9
enable secret secretpassword
!
aaa new-model
!
aaa authentication password-prompt LocalPassword:
aaa authentication username-prompt LocalUsername:
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
no ip routing
no ip cef
ip domain name home.gateway
!
dot11 syslog
dot11 vlan-name Management vlan 99
dot11 vlan-name Wireless vlan 10
dot11 vlan-name Wireless-guest vlan 20
!
dot11 ssid DS_Guest
 vlan 20
 authentication open
 authentication key-management wpa version 2
 mbssid guest-mode
 wpa-psk ascii 0 guestpassword
!
dot11 ssid DS_MGM
 vlan 99
 authentication open
 authentication key-management wpa version 2
 ! mbssid guest-mode   <- left out so this SSID is not advertised in beacons
 wpa-psk ascii 0 managementpassword
!
dot11 ssid DS_WPA2
 vlan 10
 authentication open
 authentication key-management wpa version 2
 mbssid guest-mode
 wpa-psk ascii 0 wirelesspassword
!
crypto pki token default removal timeout 0
!
username tech privilege 1 secret 0 techpassword
username admin privilege 15 secret 0 adminpassword
!
ip ssh time-out 180
ip ssh authentication-retries 5
ip ssh version 2
bridge irb
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 encryption vlan 10 mode ciphers aes-ccm
 !
 encryption vlan 20 mode ciphers aes-ccm
 !
 encryption vlan 99 mode ciphers aes-ccm
 !
 ssid DS_Guest
 !
 ssid DS_MGM
 !
 ssid DS_WPA2
 !
 antenna gain 0
 stbc
 beamform ofdm
 mbssid
 station-role root
 no shutdown
!
interface Dot11Radio0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 spanning-disabled
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 bridge-group 20 subscriber-loop-control
 bridge-group 20 spanning-disabled
 bridge-group 20 block-unknown-source
 no bridge-group 20 source-learning
 no bridge-group 20 unicast-flooding
!
interface Dot11Radio0.99
 encapsulation dot1Q 99 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 antenna gain 0
 no dfs band block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no shutdown
!
interface GigabitEthernet0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 bridge-group 10 spanning-disabled
 no bridge-group 10 source-learning
!
interface GigabitEthernet0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 bridge-group 20 spanning-disabled
 no bridge-group 20 source-learning
!
interface GigabitEthernet0.99
 encapsulation dot1Q 99 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface BVI1
 ip address dhcp client-id GigabitEthernet0
 no ip route-cache
 no shutdown
!
ip forward-protocol nd
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
bridge 1 route ip
!
line con 0
line vty 0 4
 transport input ssh
sntp server 10.0.99.100
!
end
- Enable sending logs to syslog server
logging source-interface GigabitEthernet0
logging 10.0.10.5
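The AP config above serves its web GUI over plain HTTP ('ip http server' with 'no ip http secure-server'), accepts SSH from any VLAN it bridges, and uses a 1024-bit host key. The following is an added example and not from the original page: it hardens the AP's management plane to match the router's. $adminpassword is a placeholder; the 2048-bit key, HTTPS-only GUI, access-list 10, the vty access-class and the timeouts are this example's choices. Run it from the console, since it cuts any HTTP or non-management SSH session you might be using.

```cisco
! Added example, not from the original page: AP management-plane hardening.
! $adminpassword is a placeholder; access-list 10 is defined by this example.
configure terminal
 hostname ap1
 ip domain name home.gateway
 ! 2048-bit host key instead of the 1024-bit one generated earlier
 crypto key generate rsa label ap1.home.gateway general-keys modulus 2048
 ip ssh version 2
 ip ssh time-out 60
 ip ssh authentication-retries 3
 ! GUI over HTTPS only, authenticated against the local AAA users
 no ip http server
 ip http secure-server
 ip http authentication aaa
 ! create your own admin first, then drop the factory Cisco/Cisco account
 username admin privilege 15 secret $adminpassword
 no username Cisco
 ! CLI reachable only from the management subnet, SSH only, idle sessions dropped
 access-list 10 remark management subnet (VLAN 99)
 access-list 10 permit 10.0.99.0 0.0.0.127
 access-list 10 deny any log
 line vty 0 4
  access-class 10 in
  transport input ssh
  exec-timeout 10 0
 line con 0
  exec-timeout 10 0
 end
show ip ssh
show ip http server status
```

'ip http secure-server' uses a self-signed certificate the AP generates itself, so the first browser connection warns about it; that is expected on an autonomous AP. The SSIDs are unaffected: WPA2 with AES-CCMP as configured above stays as it is.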
Configure WPA2 from WEB
- Security > Encryption Manager
- Set Encryption Mode and Keys for VLAN: from the drop-down menu
- Tick Cipher and choose AES CCMP from the drop-down menu (choose AES CCMP alone; the TKIP and WEP options the GUI also offers are legacy ciphers and match nothing in the CLI config above)
- Security > SSID Manager
- Select <NEW>
- Type SSID_name into SSID box
- Select VLAN
- Tick Interface Radio0 (2.4 GHz)
- Key Management: Mandatory
- Tick: Enable WPA and select WPAv2 from drop down menu
- Enter your WPA Pre-shared Key into a box
- Enable SSID broadcast in beacons (requires enabling per SSID)
- Go to section: Multiple BSSID Beacon Settings
- Check: Set SSID as Guest Mode
- Press Apply
- Enable multiple SSIDs to be broadcasted (requires enabling once per AP/radio)
- Go to section: Guest Mode/Infrastructure SSID Settings
- Check: Multiple BSSID
- Press Apply
- Error message when ticking CCKM:
ERROR: VLAN 99 cannot support CCKM. Set 'Encryption Mode' to 'Cipher' on all radio interfaces before selecting CCKM (See Security> Encryption Manager).
- Error message when enabling WPA before a cipher has been set:
ERROR: VLAN 99 cannot support WPA optional. Set 'Encryption Mode' to 'Cipher', 'TKIP + WEP 40 bit' or 'TKIP + WEP 128 bit' or 'AES CCMP + TKIP + WEP 40 bit', or 'AES CCMP + TKIP + WEP 128 bit' on all radio interfaces before selecting WPA. (See Security> Encryption Manager)
To set the correct 'Key Management', follow the steps below:
STEP 1: Set the 'Key Management' to 'None'.
STEP 2: Set the 'Cipher' to 'TKIP' or 'AES CCMP' or 'AES CCMP + TKIP'. (see Security>Encryption Manager)
STEP 3: Set the 'Authenticated Key Management' to 'WPA' and 'Mandatory'.
References
- Cisco Aironet 1600 Series Access Points Getting Started Guide, December 2012 (revised April 16, 2013)
- Cisco Aironet 1600 Series Access Point Data Sheet
- Wireless LAN Controller and Lightweight Access Point Basic Configuration Example
- Cisco IOS Software Configuration Guide for Cisco Aironet Access Points, Cisco IOS Release 15.2(4)JA
- VLANs on Aironet Access Points Configuration Example
- Release Notes for Cisco Aironet Access Points and Bridges for Cisco IOS Release 15.2(2)JB (default behaviour changes on APs prior to IOS 15)
- Password Recovery Procedure for the Cisco 1900 Integrated Services Router