Cisco 1941 with AIR-SAP 1602E-E-K9 Standalone

From Ever changing code

= Basic router config =
== Applying config ==
#Shape the config to your needs following the colour coding below and place it in the TFTP root folder
#*change the system users and passwords
#*change the hostname
#*update the AP DHCP pools with the APs' Ethernet MAC addresses
#*update the router serial number
#Connect interface Gi0/0 to a laptop running a TFTP server
#Optional, from Windows issue <code>route CHANGE 0.0.0.0 MASK 0.0.0.0 10.10.10.2 METRIC 50 IF 13</code> to keep Internet access while the laptop is cabled to the router (adjust the gateway and interface index to your laptop)
#At the router, issue <code>copy tftp: startup-config</code> and follow the wizard. TFTP is unauthenticated and unencrypted, so do this over the isolated laptop-to-router link only, and delete the file from the TFTP root afterwards: it contains plaintext secrets
#Reload the router by issuing <code>reload</code>, but answer no when asked to save the running configuration, otherwise the old running config overwrites the startup-config you just copied
#Activate the licence<br/><code>license udi pid CISCO1941/K9 sn $routerserialnumber</code><br/><code>license accept end user agreement</code>
#Generate an RSA key pair to enable SSH version 2 (the <tt>crypto key generate rsa</tt> command is shown in the access point section; use a 2048-bit modulus)
#Apply VLANs
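Step 1 asks you to put each AP's Ethernet MAC into its DHCP reservation. The IOS <tt>client-identifier</tt> is the DHCP client-id, i.e. hardware type 01 followed by the MAC, and IOS prints the 14 hex digits in dotted groups of four, so the grouping no longer lines up with the MAC's own byte boundaries (7c69.f6e1.d87d becomes 017c.69f6.e1d8.7d, as in the AP1 pool). Getting this wrong silently leaves the AP on the dynamic MANAGEMENT pool. The helper below is an added example, not code from the original page; the MACs are the three shown in the router config, written in the notations a switch, Windows and Linux print them in.

```python
"""Render the per-AP DHCP reservation stanzas for the router config.

Added example (not from the original page): converts a MAC in any common
notation to the IOS 'client-identifier' form and back, and emits the
'ip dhcp pool APn' stanzas used on the page.
"""
import re


def ios_client_identifier(mac: str) -> str:
    """MAC in any notation -> IOS dotted client-identifier ('01' + 12 MAC digits)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    raw = "01" + digits                      # 01 = Ethernet hardware type in the client-id
    return ".".join(raw[i:i + 4] for i in range(0, len(raw), 4))


def mac_from_client_identifier(cid: str) -> str:
    """Inverse: recover the MAC (aabb.ccdd.eeff form) from a client-identifier."""
    digits = cid.replace(".", "").lower()
    if len(digits) != 14 or not digits.startswith("01"):
        raise ValueError(f"not an Ethernet client-identifier: {cid!r}")
    mac = digits[2:]
    return ".".join(mac[i:i + 4] for i in range(0, 12, 4))


def ap_pool_stanza(name: str, ip: str, mask: str, mac: str) -> str:
    return "\n".join([
        f"ip dhcp pool {name}",
        f" host {ip} {mask}",
        f" client-identifier {ios_client_identifier(mac)}",
        "!",
    ])


# Constructed inventory: the page's three AP MACs in three different notations.
APS = [
    ("AP1", "10.0.99.1", "7c:69:f6:e1:d8:7d"),
    ("AP2", "10.0.99.2", "7c69.f6e1.d918"),
    ("AP3", "10.0.99.3", "7C-69-F6-E1-D9-78"),
]


def render_ap_pools(aps=APS, mask="255.255.255.128") -> str:
    return "\n".join(ap_pool_stanza(n, ip, mask, mac) for n, ip, mac in aps)


if __name__ == "__main__":
    print(render_ap_pools())
```

Check the result against <tt>show ip dhcp binding</tt> after the APs boot: a reservation that never appears there almost always means the client-identifier was dotted at the MAC's byte boundaries instead of after the <tt>01</tt> prefix.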
== Router config ==
! Last configuration change at ##:##:## UTC Wed Oct ## 2013 by tech
version 15.2
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname <span style="color: blue">$ID-r1</span>
!
boot-start-marker
boot-end-marker
!
!
logging userinfo
logging buffered 50000
logging console warnings
enable secret <span style="color: blue">enablepassword</span>
!
aaa new-model
!
!
aaa authentication password-prompt LocalPassword:
aaa authentication username-prompt LocalUsername:
aaa authentication login default local
! 'admin-con' makes the console authenticate with the line password set under 'line con 0' (no username); the default list, local usernames, applies to the vty lines
aaa authentication login admin-con line
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
clock timezone GMT 0 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
!
no ipv6 cef
no ip source-route
ip cef
!
!
!
ip dhcp excluded-address 10.0.10.1 10.0.10.10
ip dhcp excluded-address 10.0.11.240 10.0.11.254
ip dhcp excluded-address 10.0.20.1 10.0.20.10
ip dhcp excluded-address 10.0.21.240 10.0.21.254
ip dhcp excluded-address 10.0.99.100
ip dhcp excluded-address 10.0.99.1 10.0.99.10
!
ip dhcp pool WIRELESS
  import all
  network 10.0.10.0 255.255.254.0
  default-router 10.0.10.1
  dns-server 10.0.10.1 8.8.8.8
  domain-name lan.gateway
  lease 0 2
!
ip dhcp pool WIRELESS-GUEST
  network 10.0.20.0 255.255.254.0
  default-router 10.0.20.1
  dns-server 10.0.20.1 8.8.8.8
  domain-name lan-guest.gateway
  lease 0 2
!
ip dhcp pool MANAGEMENT
  network 10.0.99.0 255.255.255.128
  default-router 10.0.99.100
  dns-server 10.0.99.100 8.8.8.8
  domain-name lan.management
  lease 0 2
!
ip dhcp pool AP1
  host 10.0.99.1 255.255.255.128
  client-identifier 01<span style="color: blue">7c.69f6.e1d8.7d</span>
!
ip dhcp pool AP2
  host 10.0.99.2 255.255.255.128
  client-identifier 01<span style="color: blue">7c.69f6.e1d9.18</span>
!
ip dhcp pool AP3
  host 10.0.99.3 255.255.255.128
  client-identifier 01<span style="color: blue">7c.69f6.e1d9.78</span>
!
ip dhcp pool LAN
  network 10.0.30.0 255.255.254.0
  default-router 10.0.30.1
  ! line below is optional in case you want to hand out different DNS servers than the router itself is using
  dns-server <span style="color: blue">primary_dns secondary_dns</span>
  domain-name lan.gateway
  lease 0 2
!
no ip bootp server
ip domain name lan.gateway
!
<span style="color: grey">ip name-server <span style="color: blue">$primary_dns</span>
ip name-server <span style="color: blue">$secondary_dns</span></span>
!
login block-for 300 attempts 3 within 300
no ipv6 cef
multilink bundle-name authenticated
!
<span style="color: green">chat-script hspa "" "AT!SCACT=1,1" TIMEOUT 60 "OK"</span>
<span style="color: red">chat-script LTE "" "AT!CALL1" TIMEOUT 20 "OK"</span>
!
!
license udi pid CISCO1941/K9 sn <span style="color: blue">$routerserialnumber</span>
!
license accept end user agreement
license boot module c1900 technology-package securityk9 disable
license boot module c1900 technology-package datak9 disable
!
!
username <span style="color: blue">****tech</span> privilege 0 secret 0 <span style="color: blue">password</span>
username <span style="color: blue">**neteng</span>  privilege 15 secret 0 <span style="color: blue">password</span>
!
!
<span style="color: green">controller Cellular 0/0</span>
<span style="color: red">controller Cellular 0/0</span>
<span style="color: purple">controller VDSL 0/0/0</span>
<span style="color: orange">controller VDSL 0/0/0</span>
!
ip ssh version 2
!
!
!
!
interface Embedded-Service-Engine0/0
  no ip address
  shutdown
!
interface GigabitEthernet0/0
  no ip address
  duplex auto
  speed auto
  shutdown
!
<span style="color: grey">interface GigabitEthernet0/0
description --> WAN $WiMAX ##Mbps down/up
ip address <span style="color: blue">$public_ip subnet_mask</span>
! Uncomment the two access-group lines only once INTERNET-IN and INTERNET-OUT exist (see 'Apply Access Lists' below); an access-group that names an undefined ACL permits everything
! ip access-group INTERNET-IN in
! ip access-group INTERNET-OUT out
ip verify unicast reverse-path
ip nat enable
ntp disable
no shutdown</span>
!
!
interface GigabitEthernet0/1
  description Wired user LAN
  ip address 10.0.30.1 255.255.254.0
  ip nat enable
  duplex auto
  speed auto
  no shutdown
!
<span style="color: purple">interface ATM0/0/0
  no ip address
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  no atm ilmi-keepalive
  ntp disable
  pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
  !</span>
!
<span style="color: orange">! BT Infinity - PPPoE, interface atm0/0/0 need to be shutdown
interface Ethernet0/0/0
  no ip address
!
interface Ethernet0/0/0.101
  encapsulation dot1Q 101
  pppoe enable group global
  pppoe-client dial-pool-number 1</span>
!
interface GigabitEthernet0/1/0
  description --> trunk to AP
  switchport trunk native vlan 99
  switchport trunk allowed vlan 1,10,20,99,1002-1005
  switchport mode trunk
  no ip address
  no shutdown
!
interface GigabitEthernet0/1/1
  description --> trunk to AP
  switchport trunk native vlan 99
  switchport trunk allowed vlan 1,10,20,99,1002-1005
  switchport mode trunk
  no ip address
  no shutdown
!
interface GigabitEthernet0/1/2
  description --> trunk to AP
  switchport trunk native vlan 99
  switchport trunk allowed vlan 1,10,20,99,1002-1005
  switchport mode trunk
  no ip address
  no shutdown
!
interface GigabitEthernet0/1/3
  description Management VLAN99 access port
  switchport access vlan 99
  no ip address
  no shutdown
!
<span style="color: green">interface Cellular0/0/0
  description WAN link to 3G Vodafone-APN
  ip address negotiated
  ip nat enable
  encapsulation slip
  dialer in-band
  dialer string hspa
  dialer-group 1
  async mode interactive
!
interface Cellular0/0/1
  no ip address
  encapsulation slip</span>
!
<span style="color: red">interface Cellular0/0/0
  description WAN link to 4G Vodafone-APN
  ip address negotiated
  encapsulation slip
  dialer in-band
  dialer pool-member 1
  dialer-group 1
  async mode interactive
  routing dynamic</span>
!
interface Vlan1
  no ip address
  shutdown
!
interface Vlan10
  ip address 10.0.10.1 255.255.254.0
  ip nat enable
  no shutdown
!
interface Vlan20
  ip address 10.0.20.1 255.255.254.0
  ip nat enable
  no shutdown
!
interface Vlan99
  description Etherswitch Management Interface
  ip address 10.0.99.100 255.255.255.128
  ntp broadcast
  no shutdown
!
<span style="color: orange">interface Dialer0
  description BT Infinity 40Mb down / 10 Mb upload
  mtu 1492
  ip address ip.add.re.ss m.a.s.k
  ! no ip redirects #removed due to causing VPN reconnection
  no ip unreachables
  no ip proxy-arp
  ip nat enable
  ip virtual-reassembly in
  encapsulation ppp
  ip tcp adjust-mss 1452
  dialer pool 1
  dialer-group 1
  ntp disable
  ppp authentication pap chap ms-chap callin
  ppp chap hostname D******@hg52.btclick.com
  ppp chap password 0 ******
  ppp pap sent-username D******@hg52.btclick.com password 0 ******
  ppp ipcp dns request
  no cdp enable</span>
!
<span style="color: purple">interface Dialer0
  description BT ADSL 5Mdown/1Mup acc: WM****** no:0********
  ! for a dynamic public IP replace the line below with 'ip address negotiated'
  ip address <span style="color: blue">$static_public_ip $subnet_mask</span>
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nat enable
  ip virtual-reassembly in
  encapsulation ppp
  dialer pool 1
  dialer-group 1
  ntp disable
  ppp authentication chap callin
  ppp chap hostname <span style="color: blue">D******@hg52.btclick.com</span>
  ppp chap password 0 <span style="color: blue">******</span>
  ppp pap sent-username <span style="color: blue">D******@hg52.btclick.com</span> password 0 <span style="color: blue">******</span>
  ppp ipcp dns request
  no cdp enable</span>
!
<span style="color: red"> interface Dialer1
  ip address negotiated
  ip nat enable
  encapsulation slip
  dialer pool 1
  dialer idle-timeout 0
  dialer string LTE
  dialer persistent
  dialer-group 1</span>
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip dns server
!
<span style="color: green">ip nat source list 1 interface Cellular0/0/0 overload
ip route 0.0.0.0 0.0.0.0 Cellular0/0/0
!
! 'permit any' translates every source address; limiting it to the LAN ranges, as the ADSL and Ethernet variants below do, is the safer choice
access-list 1 permit any
dialer-list 1 protocol ip permit</span>
!
<span style="color: red">ip nat source list 1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
! same remark as above: prefer 'access-list 1 permit 10.0.0.0 0.0.255.255'
access-list 1 permit any
dialer-list 1 protocol ip permit</span>
!
<span style="color: purple">ip nat source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 1 permit 10.0.0.0 0.0.255.255
dialer-list 1 protocol ip permit</span>
!
<span style="color: grey">ip nat source list 1 interface Gi0/0 overload
ip route 0.0.0.0 0.0.0.0 Gi0/0
!
access-list 1 permit 10.0.0.0 0.0.255.255</span>
!
access-list 20 remark Allow Management devices sync NTP clock
access-list 20 permit 10.0.99.0 0.0.0.127 log
access-list 20 deny  any
!
!
! 'site' must be a defined access-list limiting who may use this community; 'Configure SNMP' below defines ACL 60 for that purpose
snmp-server community contingency RO site
snmp-server enable traps entity-sensor threshold
!
!
!
control-plane
!
!
banner motd ^
This system is for COMPANY authorized use only. It is
monitored to detect improper use and other illicit activity.
There is no expectation of privacy while using this system.
^
!
line con 0
  exec-timeout 5 0
  password 0 <span style="color: blue">consolepassword</span>
  logging synchronous
  login authentication admin-con
line aux 0
line 2
  no activation-character
  no exec
  transport preferred none
  transport input all
  transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
  stopbits 1
<span style="color: green">line 0/0/0
  exec-timeout 0 0
  script dialer hspa
  script activation hspa
  modem InOut
  no exec
line 0/0/1
  no exec</span>
!
<span style="color: red">line 0/0/0
  exec-timeout 0 0
  script dialer LTE
  script activation LTE
  modem InOut
  no exec</span>
!
line vty 0 4
  ! only the console has an 'exec-timeout' above; set one here as well so idle SSH sessions are closed
  logging synchronous
  transport input ssh
!
scheduler allocate 20000 1000
ntp logging
ntp access-group peer 20
ntp master
!
end
;Key:
*<span style="color: blue">Blue - variables: passwords, host names, serial numbers</span>
*<span style="color: green">Green - Cellular/3G card configuration</span>
*<span style="color: red">Red - Cellular/4G card configuration</span>
*<span style="color: purple">Purple - ATM/ADSL card configuration, BT Business ADSL</span>
*<span style="color: orange">Orange - PPPoE, BT Infinity</span>
*<span style="color: grey">Grey - WAN Ethernet RJ45 from ISP</span>
== Applying VLANs ==
conf t
vlan 10
name WIRELESS
vlan 20
name GUEST-WIRELESS
vlan 99
name MANAGEMENT&NATIVE
^Z
;Verify
R1#sh vlan-switch
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1/1, Gi0/1/2
10   WIRELESS                         active
20   GUEST-WIRELESS                   active
99   MANAGEMENT&NATIVE                active    Gi0/1/3
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        1002   1003
10   enet  100010     1500  -      -      -        -    -        0      0
20   enet  100020     1500  -      -      -        -    -        0      0
99   enet  100099     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        1      1003
1003 tr    101003     1500  1005   0      -        -    srb      1      1002
1004 fdnet 101004     1500  -      -      1        ibm  -        0      0
1005 trnet 101005     1500  -      -      1        ibm  -        0      0
== Apply Access Lists ==
Make sure you are connected through the console cable before applying these; a mistake here locks you out of SSH.
;Variables:
*<span style="color: blue">$WAN</span> = the WAN interface that carries the public address and <tt>ip nat enable</tt>: '''Dialer0''' (ADSL or PPPoE), '''Dialer1''' (4G), '''Cellular0/0/0''' (3G) or '''GigabitEthernet0/0''' (Ethernet from the ISP)
ip access-list extended INTERNET-OUT
  ! every permitted outbound session is mirrored into the reflexive list REMEMBER so that its replies pass INTERNET-IN
  permit tcp any any reflect REMEMBER timeout 300
  permit udp any any reflect REMEMBER timeout 300
  permit icmp any any reflect REMEMBER timeout 300
  deny  ip any any log
!
ip access-list extended INTERNET-IN
  ! The router is the DNS forwarder ('ip dns server'). Its own outbound queries never traverse INTERNET-OUT, so REMEMBER holds no entry for their replies; this line is what admits them.
  ! As written it admits ANY UDP datagram whose source port is 53, to any destination port. Tighten it to the configured name servers:
  !   permit udp host $primary_dns eq domain any
  !   permit udp host $secondary_dns eq domain any
  permit udp any eq domain any
  ! exposes SSH to the whole Internet; 'login block-for' above slows brute force, but restrict the source addresses if you can
  permit tcp any any eq 22
  permit icmp host <span style="color: blue">$monitoring_host_ip</span> any echo
  evaluate REMEMBER
  deny  ip any any log
!
! Apply access lists to WAN interface
!
interface <span style="color: blue">$WAN</span>
  ip access-group INTERNET-IN in
  ip access-group INTERNET-OUT out
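To see which entry decides each inbound packet, here is the ACL pair above modelled in Python. This is an added example, not code from the page: a minimal evaluator for the extended-ACL syntax the page uses (permit/deny, any/host/wildcard, <tt>eq</tt>, <tt>reflect</tt>, <tt>evaluate</tt>, ICMP <tt>echo</tt>), ignoring timeouts and TCP state. Addresses are what the WAN interface sees, i.e. after NAT: 192.0.2.10 is the assumed public address, 198.51.100.5 and 198.51.100.20 assumed Internet hosts, 203.0.113.9 the assumed monitoring host, 8.8.8.8 the forwarder from the DHCP pools and 8.8.4.4 an assumed secondary. It runs the page's INTERNET-IN beside the tightened variant suggested in the comments.

```python
"""Offline model of the INTERNET-OUT / INTERNET-IN reflexive ACL pair.

Added example, not code from the original page.  Evaluates the page's ACL
syntax; sessions learned by 'reflect' on the way out are consulted by
'evaluate' on the way in.  All addresses are constructed.
"""
from collections import namedtuple
from ipaddress import ip_address

PORT_NAMES = {"domain": 53, "ssh": 22, "ntp": 123, "snmp": 161}
# proto is "tcp", "udp" or "icmp"; ports are 0 for icmp; icmp_type e.g. "echo"
Packet = namedtuple("Packet", "proto src sport dst dport icmp_type", defaults=(None,))


def _addr(tok, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tok[i]; return (spec, next index)."""
    if tok[i] == "any":
        return ("any",), i + 1
    if tok[i] == "host":
        return ("host", tok[i + 1]), i + 2
    return ("net", tok[i], tok[i + 1]), i + 2


def _port(tok, i):
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        return (int(name) if name.isdigit() else PORT_NAMES[name]), i + 2
    return None, i


def _addr_match(spec, ip):
    if spec[0] == "any":
        return True
    if spec[0] == "host":
        return ip == spec[1]
    wild = int(ip_address(spec[2]))           # wildcard mask: 1 bits are "don't care"
    return (int(ip_address(ip)) | wild) == (int(ip_address(spec[1])) | wild)


def parse_ace(line):
    """One ACE -> dict.  'evaluate NAME' entries carry only the list name."""
    tok = line.split()
    if tok[0] == "evaluate":
        return {"text": line, "action": "evaluate", "reflect": tok[1]}
    ace = {"text": line, "action": tok[0], "proto": tok[1], "icmp_type": None, "reflect": None}
    ace["src"], i = _addr(tok, 2)
    ace["sport"], i = _port(tok, i)
    ace["dst"], i = _addr(tok, i)
    ace["dport"], i = _port(tok, i)
    rest = tok[i:]
    if ace["proto"] == "icmp" and rest and rest[0] not in ("reflect", "log"):
        ace["icmp_type"] = rest[0]
    if "reflect" in rest:
        ace["reflect"] = rest[rest.index("reflect") + 1]
    return ace


def _matches(ace, pkt):
    return (ace["proto"] in ("ip", pkt.proto)
            and _addr_match(ace["src"], pkt.src) and _addr_match(ace["dst"], pkt.dst)
            and ace["sport"] in (None, pkt.sport) and ace["dport"] in (None, pkt.dport)
            and ace["icmp_type"] in (None, pkt.icmp_type))


class ReflexiveAcl:
    def __init__(self, out_lines, in_lines):
        self.out_aces = [parse_ace(l) for l in out_lines]
        self.in_aces = [parse_ace(l) for l in in_lines]
        self.sessions = set()              # mirrored 5-tuples expected back from the Internet

    def outbound(self, pkt):
        for ace in self.out_aces:
            if _matches(ace, pkt):
                if ace["action"] == "permit" and ace["reflect"]:
                    self.sessions.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
                return ace["action"] == "permit"
        return False                        # implicit deny

    def inbound(self, pkt):
        """Return (permitted, text of the entry that decided)."""
        for ace in self.in_aces:
            if ace["action"] == "evaluate":
                if (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.sessions:
                    return True, ace["text"]
                continue
            if _matches(ace, pkt):
                return ace["action"] == "permit", ace["text"]
        return False, "implicit deny"


INTERNET_OUT = ["permit tcp any any reflect REMEMBER timeout 300",
                "permit udp any any reflect REMEMBER timeout 300",
                "permit icmp any any reflect REMEMBER timeout 300",
                "deny ip any any log"]
INTERNET_IN_PAGE = ["permit udp any eq domain any",          # the page's entry
                    "permit tcp any any eq 22",
                    "permit icmp host 203.0.113.9 any echo",
                    "evaluate REMEMBER",
                    "deny ip any any log"]
# Tightened variant: only the configured forwarders may send unsolicited port-53 UDP.
INTERNET_IN_TIGHT = ["permit udp host 8.8.8.8 eq domain any",
                     "permit udp host 8.8.4.4 eq domain any"] + INTERNET_IN_PAGE[1:]


def demo(in_lines):
    """Three inbound packets against a fresh filter -> {name: (permitted, deciding entry)}."""
    fw = ReflexiveAcl(INTERNET_OUT, in_lines)
    fw.outbound(Packet("tcp", "192.0.2.10", 51000, "198.51.100.20", 443))   # NATed LAN client
    return {
        "https_reply": fw.inbound(Packet("tcp", "198.51.100.20", 443, "192.0.2.10", 51000)),
        # reply to the router's own forwarder query: the router never traversed INTERNET-OUT
        "dns_reply": fw.inbound(Packet("udp", "8.8.8.8", 53, "192.0.2.10", 40000)),
        # unsolicited probe that sets source port 53 to reach SNMP on the router
        "snmp_probe": fw.inbound(Packet("udp", "198.51.100.5", 53, "192.0.2.10", 161)),
    }
```

With the page's list, <tt>demo(INTERNET_IN_PAGE)["snmp_probe"]</tt> is permitted by the first entry; with the tightened list the same probe falls through to <tt>deny ip any any log</tt> while the forwarder's reply is still admitted, and the NATed client's HTTPS reply passes via <tt>evaluate REMEMBER</tt> in both. Reflexive ACLs also never help with router-originated traffic, so anything else the router itself initiates (for example an upstream <tt>ntp server</tt>) needs its own static entry.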
== Disable unnecessary services ==
no ip source-route
ip options drop
no ip http server
no ip http secure-server
no service tcp-small-servers
no service udp-small-servers
service tcp-keepalives-in
service tcp-keepalives-out
no ip bootp server
no ip finger
no ip identd
no service config
no lldp run
no service pad
Verify that you still have Internet access afterwards. Note that IOS omits some default-valued 'no ...' statements from <code>show running-config</code>; use <code>show running-config all</code> to confirm they are in effect.
== Configure NTP ==
;Router NTP config
! Only hosts permitted by access-list 20 (the management subnet) may synchronise to this router
access-list 20 remark Allow Management devices sync NTP clock
access-list 20 permit 10.0.99.0 0.0.0.127
access-list 20 deny  any log
! Do not send or accept NTP on the WAN interfaces
interface Dialer0
  ntp disable
interface Vlan99
  ntp broadcast
interface ATM0/0/0
  ntp disable
ntp logging
ntp access-group peer 20
! 'ntp master' serves the router's own free-running clock: the LAN devices agree with each other, but not with real time unless the clock is set. Add an 'ntp server' for an upstream source if you need that (and do not 'ntp disable' the interface it is reached through)
ntp master
;Access point NTP config
sntp server 10.0.99.100
== Configure SNMP ==
! protect the read-only (RO) community with an access-list
! note that ACL 60 also lets the user wireless VLAN (10.0.10.0/23) poll the router; drop that line if only management hosts poll
access-list 60 remark Access to read SNMP messages
access-list 60 permit 10.0.10.0 0.0.1.255
access-list 60 permit 10.0.99.0 0.0.0.127
access-list 60 deny  any log
! SNMP configuration. SNMPv1/v2c send the community string in cleartext, so treat it as a password (long and random) and prefer SNMPv3 authPriv where the poller supports it
snmp-server community <span style="color: blue">hardpassword</span> RO 60
snmp-server location BuildingID
snmp-server contact AdminID
! log wrong community string attempts
logging snmp-authfail
;Test
Device
snmpstatus -c 'communitystring' -v2c <span style="color: blue">DEV_IP_ADDRESS</span>
List of interfaces
snmpwalk -c 'communitystring' -v2c 10.0.99.100 .1.3.6.1.2.1.2.2.1.2
iso.3.6.1.2.1.2.2.1.2.1 = STRING: "Embedded-Service-Engine0/0"
iso.3.6.1.2.1.2.2.1.2.2 = STRING: "GigabitEthernet0/0"
iso.3.6.1.2.1.2.2.1.2.3 = STRING: "GigabitEthernet0/1"
<-- output omitted -->
iso.3.6.1.2.1.2.2.1.2.15 = STRING: "Vlan20"
iso.3.6.1.2.1.2.2.1.2.16 = STRING: "Vlan99"
iso.3.6.1.2.1.2.2.1.2.17 = STRING: "Dialer1"
Uptime
snmpget -M MIBs -v1 -c hardpassword 10.0.99.100 .1.3.6.1.2.1.1.3.0
iso.3.6.1.2.1.1.3.0 = Timeticks: (591121) 1:38:31.21
= Basic AP config with WPA2-PSK auth =
;Default account credentials on the access point
  Username: Cisco
  Enabled mode: Cisco

*remember to issue 'no shutdown' on the radio interfaces, as these are administratively down on brand new access points; 'no shutdown' is included in the config below for <tt>interface Dot11Radio0</tt>
*remember to change the passwords and the AP 'hostname' when deploying the config, and to remove the factory default account (<tt>username Cisco password 7 ...</tt>; a type 7 string is trivially reversible)
*not sure why, but when applying the config the BVI1 interface does not take any changes
*remember to set the domain name and generate the crypto key, otherwise you will not be able to log in using SSH; follow the steps below:

conf t
hostname <span style="color: red">ap1</span>
ip domain name <span style="color: orange">home.gateway</span>
! the key label for '''hostname''':<span style="color: red">ap1</span> and '''ip domain name''':<span style="color: orange">home.gateway</span> will be <span style="color: red">ap1</span>.<span style="color: orange">home.gateway</span>
! modulus 1024 is what the page shows; use 2048 or larger, 1024-bit RSA is below current minimums
crypto key generate rsa label <span style="color: red">ap1</span>.<span style="color: orange">home.gateway</span> general-keys modulus 1024


! Last configuration change at 01:54:45 UTC Mon Mar 1 1993 by tech
version 15.2
no service pad
<-- output omitted -->
service password-encryption
!
! change the name as required
hostname <span style="color: blue">ap1</span>
!
!
logging rate-limit console 9
enable secret <span style="color: blue">secretpassword</span>
!
aaa new-model
!
!
aaa authentication password-prompt LocalPassword:
aaa authentication username-prompt LocalUsername:
aaa authentication login default local
aaa authorization exec default local
<-- output omitted -->
no ip routing
no ip cef
ip domain name home.gateway
!
!
!
dot11 syslog
dot11 vlan-name Management vlan 99
dot11 vlan-name Wireless vlan 10
dot11 vlan-name Wireless-guest vlan 20
!
dot11 ssid DS_Guest
   vlan 20
   authentication open
   authentication key-management wpa version 2
   mbssid guest-mode
   wpa-psk ascii 0 <span style="color: blue">guestpassword</span>
!
dot11 ssid DS_MGM
   vlan 99
   authentication open
   authentication key-management wpa version 2
   ! 'mbssid guest-mode' deliberately left out so this SSID is not advertised in beacons (hiding it is not a security control: clients still send the name in probe requests)
   infrastructure-ssid optional
   wpa-psk ascii 0 <span style="color: blue">managementpassword</span>
!
dot11 ssid <span style="color: blue">DS_WPA2</span>
   vlan 10
   authentication open
   authentication key-management wpa version 2
   mbssid guest-mode
   wpa-psk ascii 0 <span style="color: blue">wirelesspassword</span>
!
<-- output omitted -->
!
! the factory account 'username Cisco password 7 ...' has been removed; its type 7 string is reversible by anyone who can read the config
username <span style="color: blue">tech</span> privilege 1 secret 0 <span style="color: blue">techpassword</span>
username <span style="color: blue">admin</span> privilege 15 secret 0 <span style="color: blue">adminpassword</span>
!
!
ip ssh time-out 180
ip ssh authentication-retries 5
ip ssh version 2
bridge irb
!
<-- output omitted -->
interface Dot11Radio0
 <-- output omitted -->
 encryption mode ciphers aes-ccm
 !
 encryption vlan 10 mode ciphers aes-ccm
 !
 encryption vlan 20 mode ciphers aes-ccm
 !
 encryption vlan 99 mode ciphers aes-ccm
 !
 ssid DS_Guest
 !
 ssid DS_MGM
 !
 <span style="color: blue">ssid DS_WPA2</span>
 !
 antenna gain 0
 stbc
 beamform ofdm
 mbssid
 station-role root
 no shutdown
!
interface Dot11Radio0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 spanning-disabled
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 bridge-group 20 subscriber-loop-control
 bridge-group 20 spanning-disabled
 bridge-group 20 block-unknown-source
 no bridge-group 20 source-learning
 no bridge-group 20 unicast-flooding
!
interface Dot11Radio0.99
 encapsulation dot1Q 99 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 <-- output omitted -->
!
interface GigabitEthernet0
 <-- output omitted -->
 duplex auto
 speed auto
 no shutdown
!
interface GigabitEthernet0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 bridge-group 10 spanning-disabled
 no bridge-group 10 source-learning
!
interface GigabitEthernet0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 bridge-group 20 spanning-disabled
 no bridge-group 20 source-learning
!
interface GigabitEthernet0.99
 encapsulation dot1Q 99 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 <-- output omitted -->
!
interface BVI1
 <-- output omitted -->
 ip address dhcp client-id GigabitEthernet0
 no ip route-cache
 no shutdown
!
ip forward-protocol nd
<-- output omitted -->
line con 0
line vty 0 4
 transport input ssh
sntp server 10.0.99.100
!
end
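Two things in the configs on this page are worth checking mechanically before a config leaves your laptop: the 'Disable unnecessary services' list from the router section, and leftover <tt>password 7</tt> statements such as the AP's factory <tt>username Cisco password 7 00271A150754</tt>. <tt>service password-encryption</tt> only produces type 7, a fixed-key XOR that anyone who can read the config reverses in a line of code; <tt>secret</tt> (type 5 or better) is the form to use. The audit below is an added example, not code from the page or from Cisco; the sample config it runs on is constructed, and the type 7 key stream is the widely published one.

```python
"""Audit an IOS / Aironet configuration for reversible secrets and missing hardening.

Added example, not code from the original page.  The sample config is
constructed; the hardening list is the one from 'Disable unnecessary
services' on this page.
"""
import re

# Fixed key stream that IOS type 7 XORs the plaintext with (widely published).
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(value: str) -> str:
    """Reverse a type 7 string: two decimal digits of key offset, then hex pairs."""
    if len(value) < 4 or len(value) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", value):
        raise ValueError(f"not a type 7 string: {value!r}")
    offset = int(value[:2])
    body = bytes.fromhex(value[2:])
    return bytes(b ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)]
                 for i, b in enumerate(body)).decode("ascii")


def find_type7(config: str):
    """[(config line, recovered plaintext)] for every 'password 7 <hex>' statement."""
    found = []
    for line in config.splitlines():
        m = re.search(r"\bpassword 7 ([0-9A-Fa-f]+)\b", line)
        if m:
            found.append((line.strip(), decode_type7(m.group(1))))
    return found


HARDENING = [
    "no ip source-route", "ip options drop",
    "no ip http server", "no ip http secure-server",
    "no service tcp-small-servers", "no service udp-small-servers",
    "service tcp-keepalives-in", "service tcp-keepalives-out",
    "no ip bootp server", "no ip finger", "no ip identd",
    "no service config", "no lldp run", "no service pad",
]


def missing_hardening(config: str, required=HARDENING):
    """Statements from the list that the config text does not contain.

    IOS omits some default-valued 'no ...' lines from 'show running-config';
    feed this the typed config file or 'show running-config all' output.
    """
    present = {line.strip() for line in config.splitlines()}
    return [stmt for stmt in required if stmt not in present]


def audit(config: str) -> dict:
    return {"type7": find_type7(config), "missing": missing_hardening(config)}


# Constructed sample: a freshly unboxed AP with one hardening line applied.
SAMPLE_CONFIG = """\
hostname ap1
service password-encryption
no ip http server
no ip bootp server
no service pad
username Cisco password 7 00271A150754
username admin privilege 15 secret 0 adminpassword
line vty 0 4
 transport input ssh
"""

if __name__ == "__main__":
    for line, plain in audit(SAMPLE_CONFIG)["type7"]:
        print(f"REVERSIBLE  {line}  ->  {plain!r}")
    for stmt in audit(SAMPLE_CONFIG)["missing"]:
        print(f"MISSING     {stmt}")
```

The AP's factory string decodes to its default password, which is the real argument for deleting that account rather than keeping it around "just in case". The same finder catches <tt>ppp chap password 7</tt> lines on the router's dialer interfaces once <tt>service password-encryption</tt> has rewritten them.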


;Enable sending logs to a syslog server
logging source-interface GigabitEthernet0
logging 10.0.10.5

==== Where is AP management? Is the WLC missing on ISR G2 routers? ====
An SRE module is needed to provide WLC functionality; read more at [http://www.cisco.com/en/US/prod/collateral/modules/ps10598/data_sheet_c78-553913.html Cisco Services-Ready Engine]. It is worth mentioning that the Cisco 1941 ISR G2 router supports only '''1x Cisco SRE Internal Services Module (ISM)'''.
;These applications, among others, are supported on Cisco SRE modules:
*'''Network services:''' Cisco Wireless LAN Controller (WLC), Infoblox Core Network Services, Cisco Prime™ Network Analysis Module (NAM), NetScout nGenius Integrated Agent, BlueCat Adonis DNS/DHCP and Proteus IPAM, LogLogic MX-Virtual Appliance, Visual Network Systems OmniPoint Element, Uplogix Local Management Platform
*'''Application services:''' Cisco Wide Area Application Services (WAAS), Cisco UCS Express, Cisco Application Extension Platform (AXP)
*'''Security:''' Cisco Video Surveillance, SecureLogix Voice Policy Firewall

= Configure WPA2 from WEB =
;Security > Encryption Manager
# Set Encryption Mode and Keys for VLAN: from the drop-down menu
# Tick <tt>Cipher</tt> and choose <tt>AES CCMP</tt> from the drop-down menu

;Security > SSID Manager
# Select <NEW>
# Type SSID_name into the SSID box
# Select the VLAN
# Tick Interface Radio0 (2.4 GHz)
# Key Management: <tt>Mandatory</tt>
# Tick: Enable WPA and select <tt>WPAv2</tt> from the drop-down menu
# Enter your WPA Pre-shared Key into the box
# Enable SSID broadcast in beacons (requires enabling per SSID)
## Go to section: Multiple BSSID Beacon Settings
## Check: Set SSID as Guest Mode
# Press <tt>Apply</tt>
# Enable multiple SSIDs to be broadcast (requires enabling once per AP/radio)
## Go to section: Guest Mode/Infrastructure SSID Settings
## Check: <tt>Multiple BSSID</tt>
## Press <tt>Apply</tt>

;Error message when ticking CCKM
ERROR:
  VLAN 99 cannot support CCKM.
Set 'Encryption Mode' to 'Cipher' on all radio interfaces before selecting CCKM (See Security> Encryption Manager).

;Error message when enabling WPA
ERROR:
VLAN 99 cannot support WPA optional.
Set 'Encryption Mode' to 'Cipher', 'TKIP + WEP 40 bit' or 'TKIP + WEP 128 bit' <br>or 'AES CCMP + TKIP + WEP 40  bit', or 'AES CCMP + TKIP + WEP 128 bit' on all radio interfaces before selecting WPA.<br>(See Security>  Encryption Manager)
To set the correct 'Key Management', follow the steps below:
STEP 1:Set the 'Key Management' to 'None'.
STEP 2:Set the 'Cipher' to 'TKIP' or 'AES CCMP' or 'AES CCMP + TKIP'.(see Security>Encryption Manager)
STEP 3:Set the 'Authenticated Key Management' to 'WPA' and 'Mandatory'.
Of the cipher choices the error message lists, pick AES CCMP only, as the CLI config does; the TKIP and WEP combinations exist for legacy clients and weaken the link for everyone.
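The pre-shared key entered in the SSID Manager, or with <tt>wpa-psk ascii</tt> in the CLI, is not used directly: the AP and every client derive the 256-bit pairwise master key as PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations), and <tt>wpa-psk hex</tt> lets you configure that value itself. The consequence for the guest and management SSIDs is that one captured 4-way handshake lets an attacker test passphrases offline at one PBKDF2 per guess, with no further contact with the AP (and with <tt>service password-encryption</tt> the ascii form is stored in the config as a type 7 string, so the config file is not a secret either). The script below is an added example, not the page's code: it derives the key, emits the equivalent <tt>wpa-psk hex</tt> line, and shows the attacker's loop against a constructed word list. The SSID names are the page's; passphrases are placeholders.

```python
"""What 'wpa-psk ascii <passphrase>' becomes on the air, and why its length matters.

Added example, not code from the original page.  Uses the standard WPA2
passphrase-to-PSK mapping (PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds,
32 bytes); passphrases and the word list are constructed.
"""
import hashlib
import secrets
import string

_ALPHABET = string.ascii_letters + string.digits


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """The PSK/PMK the AP stores and every client computes for this SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def wpa_psk_hex_line(passphrase: str, ssid: str) -> str:
    """Equivalent 'wpa-psk hex' statement for the 'dot11 ssid' stanza."""
    return "wpa-psk hex " + wpa2_psk(passphrase, ssid).hex()


def offline_guess(psk: bytes, ssid: str, candidates):
    """The attacker's loop: the candidate that reproduces psk, or None.

    A real attack derives the KCK from each candidate PMK and checks the
    captured handshake MIC; the cost per guess is the same PBKDF2 as here.
    """
    for guess in candidates:
        if 8 <= len(guess) <= 63 and wpa2_psk(guess, ssid) == psk:
            return guess
    return None


def random_passphrase(length: int = 32) -> str:
    """Random passphrase for the guest/management SSIDs (32 chars of 62 is ~190 bits)."""
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))


WORDLIST = ["password", "guestpassword", "wirelesspassword", "Cisco123"]   # constructed

if __name__ == "__main__":
    print(wpa_psk_hex_line("guestpassword", "DS_Guest"))
    print("recovered:", offline_guess(wpa2_psk("guestpassword", "DS_Guest"), "DS_Guest", WORDLIST))
    print("recovered:", offline_guess(wpa2_psk(random_passphrase(), "DS_Guest"), "DS_Guest", WORDLIST))
```

Because the SSID is the salt, the same passphrase on DS_Guest and DS_WPA2 yields different keys, but a rainbow table for a common SSID name is still cheap to build, which is another reason to give each SSID a long random passphrase rather than the page's placeholder words.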
= References =
*[http://www.cisco.com/en/US/docs/wireless/access_point/1600/quick/guide/ap1600getstart.pdf Cisco Aironet 1600 Series Access Points] Getting Started Guide, December 2012, revised April 16, 2013
*[http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps12555/data_sheet_c78-715702.html Cisco Aironet 1600 Series Access Point Data Sheet]
*[http://www.cisco.com/en/US/docs/wireless/controller/7.3/configuration/guide/b_wlc-cg_chapter_01.html Cisco Wireless LAN Controller Configuration Guide] Release 7.3
*[http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080665cdf.shtml#wlc Wireless LAN Controller and Lightweight Access Point Basic Configuration Example]
*[http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a00806c9e51.shtml Lightweight AP (LAP) Registration to a Wireless LAN Controller (WLC)]
*[http://www.cisco.com/en/US/docs/wireless/access_point/15_2_4_JA/configuration/guide/scg15.2.4_book.html Cisco IOS Software Configuration Guide for Cisco Aironet Access Points for Cisco IOS Release 15.2(4)JA]
*[http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665ceb.shtml#native VLANs on Aironet Access Points Configuration Example]
*[http://www.cisco.com/en/US/docs/wireless/access_point/ios/release/notes/15.2_2_JB.html Release Notes for Cisco Aironet Access Points and Bridges for Cisco IOS Release 15.2(2)JB] Default behaviour changes on APs prior to IOS 15
*[http://www.cisco.com/en/US/products/ps5855/products_password_recovery09186a0080b3911d.shtml Password Recovery Procedure for the Cisco 1900 Integrated Services Router]
[[Category:cisco]]

Latest revision as of 21:02, 8 June 2014

Here below you will find a basic configuration of AIR-SAP 1602E-E-K9 access point connected to 4-port EHWIC card inserted into Cisco 1941 ISR G2 modular router.

Product codding

Product/Model Number: AIR-SAP1602E-E-K9
IOS C1600 Software (AP1G2-K9W7-M), Version 15.2(2)JB2, RELEASE SOFTWARE (fc1)

                Regulatory Domain
               /
AIR-SAP 1602E-E-K9
     \       \_External antenna
      \_C_ stands for: Control and Provisioning of Wireless Access Points Protocol CAPWAP require WLC (Wireless Lan Controller)
       \_S_ stands for: Standalone AP
Router show inventory
#show inventory
NAME: "CISCO1941/K9", DESCR: "CISCO1941/K9 chassis, Hw Serial#: ***********, Hw Revision: 1.0"
PID: CISCO1941/K9      , VID: V05 , SN: ***********
NAME: "3G WWAN EHWIC-QuadBand HSPA+R7/HSPA/UMTS QuadBand EDGE/GPRS and GPS on Slot 0 SubSlot 0", DESCR: "3G WWAN EHWIC-QuadBand HSPA+R7/HSPA/UMTS QuadBand  EDGE/GPRS and GPS"
PID: EHWIC-3G-HSPA+7   , VID: V01 , SN: ***********
NAME: "Modem 0 on Cellular0/0/0", DESCR: "Sierra Wireless MC8705"
PID: MC8705            , VID: 1.0, SN: ***********
NAME: "4 Port GE POE EHWIC Switch on Slot 0 SubSlot 1", DESCR: "4 Port GE POE EHWIC Switch"
PID: EHWIC-4ESG-P      , VID: V01 , SN: ***********
NAME: "C1941 AC-POE Power Supply", DESCR: "C1941 AC-POE Power Supply"
PID: PWR-1941-POE      , VID:    , SN:
Access point show inventory
NAME: "AP1600", DESCR: "Cisco Aironet 1600 Series (IEEE 802.11n) Access Point"
PID: AIR-SAP1602E-E-K9 , VID: V01, SN: ********x11

Please notice that access points are powered by Power Over Ethernet. There is a difference power consumption for AIR-CAP (managed) access point that uses 13W vs AIR-SAP (standalone) uses 15.4W.

#sh power inline
PowerSupply   SlotNum.   Maximum   Allocated       Status
-----------   --------   -------   ---------       ------
INT-PS           0        80.000    46.200         PS GOOD
Interface   Config   Device   Powered    PowerAllocated   State
---------   ------   ------   -------    --------------   -----
Gi0/1/0     auto     Unknown  Off        0.000 Watts      NOT_PHONE
Gi0/1/1     auto     IEEE-3   On        15.400 Watts      PHONE
Gi0/1/2     auto     IEEE-3   On        15.400 Watts      PHONE
Gi0/1/3     auto     IEEE-3   On        15.400 Watts      PHONE

Basic router config

Applying config

  1. Shape config to your needs following color coding and place into TFTP root folder
    • change update system users and passwords
    • change hostname
    • update with APs ethernet mac addresses
    • update the router serial number
  2. Connect Interface Gi0/0 to a laptop running TFTP server
  3. Optional, issue from Windows route CHANGE 0.0.0.0 MASK 0.0.0.0 10.10.10.2 METRIC 50 IF 13 to maintain access to internet.
  4. At router, issue copy tftp: startup-config and follow the wizard
  5. Reload the router issuing reload but do not save changes to nvram configuration
  6. Activate the licence
    license udi pid CISCO1941/K9 sn $routerserialnumber
    license accept end user agreement
  7. Generate RSA crypto key to enable ssh 2
  8. Apply VLANs

Router config

! Last configuration change at ##:##:## UTC Wed Oct ## 2013 by tech
version 15.2
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname $ID-r1
!
boot-start-marker
boot-end-marker
!
!
logging userinfo
logging buffered 50000
logging console warnings
enable secret enablepassword
!
aaa new-model
!
!
aaa authentication password-prompt LocalPassword:
aaa authentication username-prompt LocalUsername:
aaa authentication login default local
! force to use aaa auth on console line
aaa authentication login admin-con line
aaa authorization exec default local 
!
!
!
!
!
aaa session-id common
clock timezone GMT 0 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
!
no ipv6 cef
no ip source-route
ip cef
!
!
!
ip dhcp excluded-address 10.0.10.1 10.0.10.10
ip dhcp excluded-address 10.0.11.240 10.0.11.254
ip dhcp excluded-address 10.0.20.1 10.0.20.10
ip dhcp excluded-address 10.0.21.240 10.0.21.254
ip dhcp excluded-address 10.0.99.100
ip dhcp excluded-address 10.0.99.1 10.0.99.10
!
ip dhcp pool WIRELESS
 import all
 network 10.0.10.0 255.255.254.0
 default-router 10.0.10.1 
 dns-server 10.0.10.1 8.8.8.8 
 domain-name lan.gateway
 lease 0 2
!
ip dhcp pool WIRELESS-GUEST
 network 10.0.20.0 255.255.254.0
 default-router 10.0.20.1 
 dns-server 10.0.20.1 8.8.8.8 
 domain-name lan-guest.gateway
 lease 0 2
!
ip dhcp pool MANAGEMENT
 network 10.0.99.0 255.255.255.128
 default-router 10.0.99.100 
 dns-server 10.0.99.100 8.8.8.8 
 domain-name lan.management
 lease 0 2
!
ip dhcp pool AP1
 host 10.0.99.1 255.255.255.128
 client-identifier 017c.69f6.e1d8.7d
!
ip dhcp pool AP2
 host 10.0.99.2 255.255.255.128
 client-identifier 017c.69f6.e1d9.18
!
ip dhcp pool AP3
 host 10.0.99.3 255.255.255.128
 client-identifier 017c.69f6.e1d9.78
!
ip dhcp pool LAN
 network 10.0.30.0 255.255.254.0
 default-router 10.0.30.1 
 ! the line below is optional, for handing out DNS servers other than the ones the router itself uses
 dns-server $primary_dns $secondary_dns
 domain-name lan.gateway
 lease 0 2
!
no ip bootp server
ip domain name lan.gateway
!
ip name-server $primary_dns
ip name-server $secondary_dns
!
login block-for 300 attempts 3 within 300
no ipv6 cef
multilink bundle-name authenticated
!
chat-script hspa "" "AT!SCACT=1,1" TIMEOUT 60 "OK"
chat-script LTE "" "AT!CALL1" TIMEOUT 20 "OK"
!
!
license udi pid CISCO1941/K9 sn $routerserialnumber
!
license accept end user agreement
license boot module c1900 technology-package securityk9 disable
license boot module c1900 technology-package datak9 disable
!
!
username ****tech privilege 0 secret 0 password
username **neteng  privilege 15 secret 0 password
!
!
controller Cellular 0/0
controller Cellular 0/0
controller VDSL 0/0/0
controller VDSL 0/0/0
!
ip ssh version 2
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface GigabitEthernet0/0
 description --> WAN $WiMAX ##Mbps down/up
 ip address $public_ip $subnet_mask
 ! Enable the 'access-group' lines only when you are applying the ACLs at the same time
 ! ip access-group INTERNET-IN in
 ! ip access-group INTERNET-OUT out
 ip verify unicast reverse-path
 ip nat enable
 ntp disable
 no shutdown
!
!
interface GigabitEthernet0/1
 description Wired user LAN
 ip address 10.0.30.1 255.255.254.0
 ip nat enable
 duplex auto
 speed auto
 no shutdown
!
interface ATM0/0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no atm ilmi-keepalive
 ntp disable
 pvc 0/38 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
! BT Infinity - PPPoE; interface ATM0/0/0 needs to be shut down
interface Ethernet0/0/0
 no ip address
!
interface Ethernet0/0/0.101
 encapsulation dot1Q 101
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/1/0
 description --> trunk to AP
 switchport trunk native vlan 99
 switchport trunk allowed vlan 1,10,20,99,1002-1005
 switchport mode trunk
 no ip address
 no shutdown
!
interface GigabitEthernet0/1/1
 description --> trunk to AP
 switchport trunk native vlan 99
 switchport trunk allowed vlan 1,10,20,99,1002-1005
 switchport mode trunk
 no ip address
 no shutdown
!
interface GigabitEthernet0/1/2
 description --> trunk to AP
 switchport trunk native vlan 99
 switchport trunk allowed vlan 1,10,20,99,1002-1005
 switchport mode trunk
 no ip address
 no shutdown
!
interface GigabitEthernet0/1/3
 description Management VLAN99 access port
 switchport access vlan 99
 no ip address
 no shutdown
!
interface Cellular0/0/0
 description WAN link to 3G Vodafone-APN
 ip address negotiated
 ip nat enable
 encapsulation slip
 dialer in-band
 dialer string hspa
 dialer-group 1
 async mode interactive
!
interface Cellular0/0/1
 no ip address
 encapsulation slip
!
interface Cellular0/0/0
 description WAN link to 4G Vodafone-APN
 ip address negotiated
 encapsulation slip
 dialer in-band
 dialer pool-member 1
 dialer-group 1
 async mode interactive
 routing dynamic
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 ip address 10.0.10.1 255.255.254.0
 ip nat enable
 no shutdown
!
interface Vlan20
 ip address 10.0.20.1 255.255.254.0
 ip nat enable
 no shutdown
!
interface Vlan99
 description Etherswitch Management Interface
 ip address 10.0.99.100 255.255.255.128
 ntp broadcast
 no shutdown
!
interface Dialer0
 description BT Infinity 40Mb down / 10 Mb upload
 mtu 1492
 ip address ip.add.re.ss m.a.s.k
 ! no ip redirects - removed because it caused VPN reconnections
 no ip unreachables
 no ip proxy-arp
 ip nat enable
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ntp disable
 ppp authentication pap chap ms-chap callin
 ppp chap hostname D******@hg52.btclick.com
 ppp chap password 0 ******
 ppp pap sent-username D******@hg52.btclick.com password 0 ******
 ppp ipcp dns request
 no cdp enable
!
interface Dialer0
 description BT ADSL 5Mdown/1Mup acc: WM****** no:0********
 ! for a dynamic public IP replace the line below with 'ip address negotiated'
 ip address $static_public_ip $subnet_mask
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat enable
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ntp disable
 ppp authentication chap callin
 ppp chap hostname D******@hg52.btclick.com
 ppp chap password 0 ******
 ppp pap sent-username D******@hg52.btclick.com password 0 ******
 ppp ipcp dns request
 no cdp enable
!
interface Dialer1
 ip address negotiated
 ip nat enable
 encapsulation slip
 dialer pool 1
 dialer idle-timeout 0
 dialer string LTE
 dialer persistent
 dialer-group 1
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip dns server
!
ip nat source list 1 interface Cellular0/0/0 overload
ip route 0.0.0.0 0.0.0.0 Cellular0/0/0
!
access-list 1 permit any
dialer-list 1 protocol ip permit
!
ip nat source list 1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
access-list 1 permit any
dialer-list 1 protocol ip permit
!
ip nat source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 1 permit 10.0.0.0 0.0.255.255
dialer-list 1 protocol ip permit
!
ip nat source list 1 interface Gi0/0 overload
ip route 0.0.0.0 0.0.0.0 Gi0/0
!
access-list 1 permit 10.0.0.0 0.0.255.255
!
access-list 20 remark Allow Management devices sync NTP clock
access-list 20 permit 10.0.99.0 0.0.0.127 log
access-list 20 deny   any
!
!
snmp-server community contingency RO site
snmp-server enable traps entity-sensor threshold
!
!
!
control-plane
!
!
banner motd ^
This system is for COMPANY authorized use only. It is
monitored to detect improper use and other illicit activity.
There is no expectation of privacy while using this system.

^
!
line con 0
 exec-timeout 5 0
 password 0 consolepassword
 logging synchronous
 login authentication admin-con
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line 0/0/0
 exec-timeout 0 0
 script dialer hspa
 script activation hspa
 modem InOut
 no exec
line 0/0/1
 no exec
!
line 0/0/0
 exec-timeout 0 0
 script dialer LTE
 script activation LTE
 modem InOut
 no exec
!
line vty 0 4
 logging synchronous
 transport input ssh
!
scheduler allocate 20000 1000
ntp logging
ntp access-group peer 20
ntp master
!
end
Key
  • Blue - variables: passwords, host names, serial numbers
  • Green - Cellular/3G card configuration
  • Red - Cellular/4G card configuration
  • Purple - ATM/ADSL card configuration, BT Business ADSL
  • Orange - PPPoE, BT Infinity
  • Grey - WAN Ethernet RJ45 from ISP

Applying VLANs

conf t
vlan 10
name WIRELESS
vlan 20
name GUEST-WIRELESS
vlan 99
name MANAGEMENT&NATIVE
^Z
Verify
R1#sh vlan-switch

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1/1, Gi0/1/2
10   WIRELESS                         active
20   GUEST-WIRELESS                   active
99   MANAGEMENT&NATIVE                active    Gi0/1/3
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        1002   1003
10   enet  100010     1500  -      -      -        -    -        0      0
20   enet  100020     1500  -      -      -        -    -        0      0
99   enet  100099     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        1      1003
1003 tr    101003     1500  1005   0      -        -    srb      1      1002
1004 fdnet 101004     1500  -      -      1        ibm  -        0      0
1005 trnet 101005     1500  -      -      1        ibm  -        0      0

Apply Access Lists

Please make sure you are connected through a console cable, as you may lock yourself out.

Variables
  • $WAN = the WAN interface: Dialer1, ATM0/0/0 or Gi0/0/0
ip access-list extended INTERNET-OUT
 permit tcp any any reflect REMEMBER timeout 300
 permit udp any any reflect REMEMBER timeout 300
 permit icmp any any reflect REMEMBER timeout 300
 deny   ip any any log
!
ip access-list extended INTERNET-IN
 permit udp any eq domain any
 permit tcp any any eq 22
 permit icmp host $monitoring_host_ip any echo
 evaluate REMEMBER
 deny   ip any any log
!
! Apply access lists to WAN interface
!
interface $WAN
 ip access-group INTERNET-IN in
 ip access-group INTERNET-OUT out
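Before pasting the stanza above over a remote session, it is worth linting it for the mistakes behind the console-cable warning: an applied ACL that is not defined, an evaluate with no reflect entry feeding it, and an inbound ACL that does not permit SSH. This is an added Python example, not from the wiki page; SAMPLE is constructed from the INTERNET-IN and INTERNET-OUT stanzas applied to Dialer1.

```python
"""Lint a WAN access-list stanza for the mistakes that cut off a remote
session. Added example, not from the wiki page; SAMPLE is constructed."""
import re

SAMPLE = """\
ip access-list extended INTERNET-OUT
 permit tcp any any reflect REMEMBER timeout 300
 permit udp any any reflect REMEMBER timeout 300
 permit icmp any any reflect REMEMBER timeout 300
 deny   ip any any log
!
ip access-list extended INTERNET-IN
 permit udp any eq domain any
 permit tcp any any eq 22
 evaluate REMEMBER
 deny   ip any any log
!
interface Dialer1
 ip access-group INTERNET-IN in
 ip access-group INTERNET-OUT out
"""

def parse_acls(config):
    """Collect ACL definitions, where they are applied (name -> direction),
    and the reflexive lists populated by 'reflect' and consumed by 'evaluate'."""
    acls, applied, reflects, evaluates = {}, {}, set(), set()
    current = None
    for line in config.splitlines():
        entry = line.strip()
        m = re.match(r"ip access-list (?:extended|standard) (\S+)$", entry)
        if m:
            current = m.group(1)
            acls[current] = []
            continue
        if not line.startswith(" "):
            current = None  # '!' or a new top-level stanza ends the ACL body
        if current and entry:
            acls[current].append(entry)
            m = re.search(r"\breflect (\S+)", entry)
            if m:
                reflects.add(m.group(1))
            m = re.match(r"evaluate (\S+)", entry)
            if m:
                evaluates.add(m.group(1))
        m = re.match(r"ip access-group (\S+) (in|out)$", entry)
        if m:
            applied[m.group(1)] = m.group(2)
    return acls, applied, reflects, evaluates

def lint_wan_acls(config):
    """Return a list of problems; an empty list means the stanza is safe to apply."""
    acls, applied, reflects, evaluates = parse_acls(config)
    problems = [f"applied ACL {n} is not defined" for n in sorted(set(applied) - set(acls))]
    problems += [f"evaluate {n} has no reflect entry feeding it" for n in sorted(evaluates - reflects)]
    for name, direction in applied.items():
        has_ssh = any(re.match(r"permit tcp .*eq (22|ssh)\b", e) for e in acls.get(name, []))
        if direction == "in" and not has_ssh:
            problems.append(f"inbound ACL {name} does not permit SSH; apply it from the console")
    return problems
```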

Disable unnecessary services

no ip source-route 
ip options drop 
no ip http server 
no ip http secure-server 
no service tcp-small-servers 
no service udp-small-servers 
service tcp-keepalives-in 
service tcp-keepalives-out 
no ip bootp server 
no ip finger 
no ip identd 
no service config 
no lldp run 
no service pad

Verify you still have access to the Internet.

Configure NTP

Router NTP config
! Allow NTP only from hosts permitted by the access-list
access-list 20 remark Allow Management devices sync NTP clock
access-list 20 permit 10.0.99.0 0.0.0.127
access-list 20 deny   any log
! Do not send NTP messages on the WAN interfaces
interface Dialer0
 ntp disable
interface Vlan99
 ntp broadcast
interface ATM0/0/0
 ntp disable
ntp logging
ntp access-group peer 20
ntp master
Access point NTP config
sntp server 10.0.99.100

Configure SNMP

! protect SNMP read-only (RO) access with an access-list
access-list 60 remark Access to read SNMP messages
access-list 60 permit 10.0.10.0 0.0.1.255
access-list 60 permit 10.0.99.0 0.0.0.127
access-list 60 deny   any log
! SNMP configuration
snmp-server community hardpassword RO 60
snmp-server location BuildingID
snmp-server contact AdminID
! log wrong community string attempts
logging snmp-authfail
Test

Device

snmpstatus -c 'communitystring' -v2c DEV_IP_ADDRESS

List of interfaces

snmpwalk -c 'communitystring' -v2c 10.0.99.100 .1.3.6.1.2.1.2.2.1.2
iso.3.6.1.2.1.2.2.1.2.1 = STRING: "Embedded-Service-Engine0/0"
iso.3.6.1.2.1.2.2.1.2.2 = STRING: "GigabitEthernet0/0"
iso.3.6.1.2.1.2.2.1.2.3 = STRING: "GigabitEthernet0/1"
<-- output omitted -->
iso.3.6.1.2.1.2.2.1.2.15 = STRING: "Vlan20"
iso.3.6.1.2.1.2.2.1.2.16 = STRING: "Vlan99"
iso.3.6.1.2.1.2.2.1.2.17 = STRING: "Dialer1"

Uptime

snmpget -M MIBs -v1 -c hardpassword 10.0.99.100 .1.3.6.1.2.1.1.3.0
iso.3.6.1.2.1.1.3.0 = Timeticks: (591121) 1:38:31.21

Basic AP config with WPA2-PSK auth

Default account credentials on the access point
Username: Cisco
Password: Cisco
Enable mode: Cisco
  • remember to issue 'no shutdown' on the radio interfaces, as these are administratively down on a brand new access point. 'no shutdown' is included in the config below for interface Dot11Radio0
  • remember to change the passwords and the AP hostname when deploying the config
  • not sure why, but when applying the config the BVI1 interface does not take any changes
  • remember to set a domain name and generate a crypto key, otherwise you will not be able to log in using SSH; follow the steps below:
conf t
hostname ap1
ip domain name home.gateway
! label for hostname:ap1 and ipdomainname:home.gateway will be ap1.home.gateway
crypto key generate rsa label ap1.home.gateway general-keys modulus 1024
! Last configuration change at 01:54:45 UTC Mon Mar 1 1993 by tech
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap1
!
!
logging rate-limit console 9
enable secret secretpassword
!
aaa new-model
!
!
aaa authentication password-prompt LocalPassword:
aaa authentication username-prompt LocalUsername:
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
no ip routing
no ip cef
ip domain name home.gateway
!
!
!
dot11 syslog
dot11 vlan-name Management vlan 99
dot11 vlan-name Wireless vlan 10
dot11 vlan-name Wireless-guest vlan 20
!
dot11 ssid DS_Guest
   vlan 20
   authentication open
   authentication key-management wpa version 2
   mbssid guest-mode
   wpa-psk ascii 0 guestpassword
!
dot11 ssid DS_MGM
   vlan 99
   authentication open
   authentication key-management wpa version 2
   ! mbssid guest-mode commented out so the SSID is not broadcast in beacons
   wpa-psk ascii 0 managementpassword
!
dot11 ssid DS_WPA2
   vlan 10
   authentication open
   authentication key-management wpa version 2
   mbssid guest-mode
   wpa-psk ascii 0 wirelesspassword
!
!
crypto pki token default removal timeout 0
!
!
username tech privilege 1 secret 0 techpassword
username admin privilege 15 secret 0 adminpassword
!
ip ssh time-out 180
ip ssh authentication-retries 5
ip ssh version 2
bridge irb
!
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 encryption vlan 10 mode ciphers aes-ccm
 !
 encryption vlan 20 mode ciphers aes-ccm
 !
 encryption vlan 99 mode ciphers aes-ccm
 !
 ssid DS_Guest
 !
 ssid DS_MGM
 !
 ssid DS_WPA2
 !
 antenna gain 0
 stbc
 beamform ofdm
 mbssid
 station-role root
 no shutdown
!
interface Dot11Radio0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 spanning-disabled
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 bridge-group 20 subscriber-loop-control
 bridge-group 20 spanning-disabled
 bridge-group 20 block-unknown-source
 no bridge-group 20 source-learning
 no bridge-group 20 unicast-flooding
!
interface Dot11Radio0.99
 encapsulation dot1Q 99 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 antenna gain 0
 no dfs band block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no shutdown
!
interface GigabitEthernet0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 bridge-group 10 spanning-disabled
 no bridge-group 10 source-learning
!
interface GigabitEthernet0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 bridge-group 20 spanning-disabled
 no bridge-group 20 source-learning
!
interface GigabitEthernet0.99
 encapsulation dot1Q 99 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface BVI1
 ip address dhcp client-id GigabitEthernet0
 no ip route-cache
 no shutdown
!
ip forward-protocol nd
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 transport input ssh
sntp server 10.0.99.100
!
end
Enable sending logs to syslog server
logging source-interface GigabitEthernet0
logging 10.0.10.5

Configure WPA2 from the web interface

Security > Encryption Manager
  1. Set Encryption Mode and Keys for VLAN: from the drop-down menu
  2. Tick Cipher and select AES CCMP from the drop-down menu
Security > SSID Manager
  1. Select <NEW>
  2. Type SSID_name into the SSID box
  3. Select the VLAN
  4. Tick Interface Radio0 (2.4 GHz)
  5. Key Management: Mandatory
  6. Tick: Enable WPA and select WPAv2 from the drop-down menu
  7. Enter your WPA Pre-shared Key into the box
  8. Enable SSID broadcast in beacons (requires enabling per SSID)
    1. Go to section: Multiple BSSID Beacon Settings
    2. Check: Set SSID as Guest Mode
  9. Press Apply
  10. Enable multiple SSIDs to be broadcast (requires enabling once per AP/radio)
    1. Go to section: Guest Mode/Infrastructure SSID Settings
    2. Check: Multiple BSSID
    3. Press Apply
Error message when ticking CCKM
ERROR:
VLAN 99 cannot support CCKM.
Set 'Encryption Mode' to 'Cipher' on all radio interfaces before selecting CCKM (See Security> Encryption  Manager).
Error message when enabling WPA
ERROR:
VLAN 99 cannot support WPA optional.
Set 'Encryption Mode' to 'Cipher', 'TKIP + WEP 40 bit' or 'TKIP + WEP 128 bit' 
or 'AES CCMP + TKIP + WEP 40 bit', or 'AES CCMP + TKIP + WEP 128 bit' on all radio interfaces before selecting WPA.
(See Security> Encryption Manager) To set the correct 'Key Management', follow the steps below: STEP 1:Set the 'Key Management' to 'None'. STEP 2:Set the 'Cipher' to 'TKIP' or 'AES CCMP' or 'AES CCMP + TKIP'.(see Security>Encryption Manager) STEP 3:Set the 'Authenticated Key Management' to 'WPA' and 'Mandatory'.

References