Difference between revisions of "Cisco 1941 with AIR-SAP 1602E-E-K9 Standalone"

From Ever changing code
Revision as of 23:15, 29 October 2013

Below is a basic configuration of an AIR-SAP1602E-E-K9 access point connected to the 4-port PoE EHWIC switch card (EHWIC-4ESG-P) inserted into a Cisco 1941 ISR G2 modular router.

Product coding

Product/Model Number: AIR-SAP1602E-E-K9
IOS C1600 Software (AP1G2-K9W7-M), Version 15.2(2)JB2, RELEASE SOFTWARE (fc1)

                Regulatory domain
               /
AIR-SAP 1602E-E-K9
     \       \_ E: external antenna connectors
      \_ C would stand for: controller-based AP, managed over CAPWAP (Control and Provisioning of Wireless Access Points protocol), which requires a WLC (Wireless LAN Controller)
       \_ S stands for: Standalone (autonomous) AP, configured directly as shown on this page
Router show inventory
#show inventory
NAME: "CISCO1941/K9", DESCR: "CISCO1941/K9 chassis, Hw Serial#: ***********, Hw Revision: 1.0"
PID: CISCO1941/K9      , VID: V05 , SN: ***********
NAME: "3G WWAN EHWIC-QuadBand HSPA+R7/HSPA/UMTS QuadBand EDGE/GPRS and GPS on Slot 0 SubSlot 0", DESCR: "3G WWAN EHWIC-QuadBand HSPA+R7/HSPA/UMTS QuadBand  EDGE/GPRS and GPS"
PID: EHWIC-3G-HSPA+7   , VID: V01 , SN: ***********
NAME: "Modem 0 on Cellular0/0/0", DESCR: "Sierra Wireless MC8705"
PID: MC8705            , VID: 1.0, SN: ***********
NAME: "4 Port GE POE EHWIC Switch on Slot 0 SubSlot 1", DESCR: "4 Port GE POE EHWIC Switch"
PID: EHWIC-4ESG-P      , VID: V01 , SN: ***********
NAME: "C1941 AC-POE Power Supply", DESCR: "C1941 AC-POE Power Supply"
PID: PWR-1941-POE      , VID:    , SN:
Access point show inventory
NAME: "AP1600", DESCR: "Cisco Aironet 1600 Series (IEEE 802.11n) Access Point"
PID: AIR-SAP1602E-E-K9 , VID: V01, SN: ********x11

Note that the access points are powered over Ethernet (PoE) by the EHWIC switch card. Power consumption differs between the two models: an AIR-CAP (controller-managed) access point draws 13 W, whereas an AIR-SAP (standalone) access point draws 15.4 W, which is what the power budget below shows allocated on each AP port.

#sh power inline
PowerSupply   SlotNum.   Maximum   Allocated       Status
-----------   --------   -------   ---------       ------
INT-PS           0        80.000    46.200         PS GOOD
Interface   Config   Device   Powered    PowerAllocated   State
---------   ------   ------   -------    --------------   -----
Gi0/1/0     auto     Unknown  Off        0.000 Watts      NOT_PHONE
Gi0/1/1     auto     IEEE-3   On        15.400 Watts      PHONE
Gi0/1/2     auto     IEEE-3   On        15.400 Watts      PHONE
Gi0/1/3     auto     IEEE-3   On        15.400 Watts      PHONE
Default account credentials on the access point
Username: Cisco
Password: Cisco
Enable password: Cisco
Change all three before the AP is connected to the production network; the config below replaces them with an 'enable secret' and local 'username ... secret' entries.

Basic AP config with WPA2-PSK auth

  • remember to issue 'no shutdown' on the radio interfaces, as they are administratively down on a brand new access point; 'no shutdown' is included in the config below for interface Dot11Radio0
  • remember to change the passwords and the AP hostname when deploying the config
  • for an unknown reason the BVI1 interface does not take any changes when the config is applied
  • the config below keeps the web interface on cleartext HTTP ('ip http server' together with 'no ip http secure-server'); if the web UI steps further down are used, enable 'ip http secure-server' so the management credentials are not sent in the clear
  • remember to set the domain name and generate an RSA key pair, otherwise SSH login will not work; follow the steps below:
conf t
ip domain name lma.gateway
! the key label is free text; the convention here is hostname.domain, so hostname ap1 with domain lma.gateway gives the label ap1.lma.gateway
! 1024-bit RSA is weak by current standards; prefer modulus 2048
crypto key generate rsa label ap1.lma.gateway general-keys modulus 1024
^Z
! Last configuration change at 01:54:45 UTC Mon Mar 1 1993 by tech
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap1
!
!
logging rate-limit console 9
enable secret secretpassword
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
no ip routing
no ip cef
ip domain name lma.gateway
!
!
!
dot11 syslog
dot11 vlan-name Management vlan 99
dot11 vlan-name Wireless vlan 10
dot11 vlan-name Wireless-guest vlan 20
!
dot11 ssid DS_Guest
   vlan 20
   authentication open
   authentication key-management wpa version 2
   mbssid guest-mode
   wpa-psk ascii 0 guestpassword
!
dot11 ssid DS_MGM
   vlan 99
   authentication open
   authentication key-management wpa version 2
   ! mbssid guest-mode omitted so this SSID is not advertised in beacons (a hidden SSID is still easily discovered from client probes; rely on the PSK, not on hiding)
   wpa-psk ascii 0 managementpassword
!
dot11 ssid DS_WPA2
   vlan 10
   authentication open
   authentication key-management wpa version 2
   mbssid guest-mode
   wpa-psk ascii 0 wirelesspassword
!
!
crypto pki token default removal timeout 0
!
!
username ****tech privilege 1 secret 0 techpassword
username **neteng privilege 15 secret 0 netengpassword
!
ip ssh time-out 180
ip ssh authentication-retries 5
ip ssh version 2
bridge irb
!
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 encryption vlan 10 mode ciphers aes-ccm
 !
 encryption vlan 20 mode ciphers aes-ccm
 !
 encryption vlan 99 mode ciphers aes-ccm
 !
 ssid DS_Guest
 !
 ssid DS_MGM
 !
 ssid DS_WPA2
 !
 antenna gain 0
 stbc
 beamform ofdm
 mbssid
 station-role root
 no shutdown
!
interface Dot11Radio0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 spanning-disabled
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 bridge-group 20 subscriber-loop-control
 bridge-group 20 spanning-disabled
 bridge-group 20 block-unknown-source
 no bridge-group 20 source-learning
 no bridge-group 20 unicast-flooding
!
interface Dot11Radio0.99
 encapsulation dot1Q 99 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 antenna gain 0
 no dfs band block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no shutdown
!
interface GigabitEthernet0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 bridge-group 10 spanning-disabled
 no bridge-group 10 source-learning
!
interface GigabitEthernet0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 bridge-group 20 spanning-disabled
 no bridge-group 20 source-learning
!
interface GigabitEthernet0.99
 encapsulation dot1Q 99 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface BVI1
 ip address dhcp client-id GigabitEthernet0
 no ip route-cache
 no shutdown
!
ip forward-protocol nd
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 transport input ssh
!
end
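The following Python script is an added example, not part of the original page and not Cisco tooling. It audits an autonomous AP configuration for the points made above: WPA2 key management and an AES-CCMP-only cipher suite for every VLAN an SSID bridges to, radios that carry SSIDs not left shut down, SSH version 2 with 'transport input ssh' on the vty lines, AAA, 'service password-encryption', no cleartext-only web UI, and no factory default 'Cisco' account. The embedded sample config is a constructed, trimmed copy of the AP config above with two settings deliberately weakened (TKIP on VLAN 99 and the default account left in place) so that the checks have something to report.

```python
"""Audit an autonomous Cisco IOS access-point config for the points made on
this page: WPA2 key management and AES-CCMP for every SSID VLAN, radios not
left shut down, SSH v2 only on the vty lines, AAA, encrypted passwords, no
cleartext-only web UI and no factory-default 'Cisco' account.

Added example; not from the original page. The sample config is a constructed,
trimmed copy of the AP config above with two deliberate weaknesses."""
import re

SAMPLE_AP_CONFIG = """\
hostname ap1
service password-encryption
aaa new-model
aaa authentication login default local
dot11 ssid DS_Guest
   vlan 20
   authentication open
   authentication key-management wpa version 2
   mbssid guest-mode
   wpa-psk ascii 0 guestpassword
!
dot11 ssid DS_MGM
   vlan 99
   authentication open
   authentication key-management wpa version 2
   wpa-psk ascii 0 managementpassword
!
username Cisco privilege 15 secret 0 Cisco
ip ssh version 2
interface Dot11Radio0
 encryption vlan 20 mode ciphers aes-ccm
 encryption vlan 99 mode ciphers tkip
 ssid DS_Guest
 ssid DS_MGM
 mbssid
 station-role root
 no shutdown
!
ip http server
no ip http secure-server
line vty 0 4
 transport input ssh
"""


def parse_blocks(text):
    """Group a config into (top-level line, [indented child lines]); '!' lines are skipped."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_ap_config(text):
    """Return a list of findings (an empty list means every check passed)."""
    blocks = parse_blocks(text)
    tops = {header for header, _ in blocks}
    findings = []

    # Each SSID must use WPA2 key management and sit in a VLAN.
    ssid_vlan = {}
    for header, body in blocks:
        m = re.match(r"dot11 ssid (\S+)$", header)
        if not m:
            continue
        name = m.group(1)
        vlan = next((int(l.split()[1]) for l in body if l.startswith("vlan ")), None)
        ssid_vlan[name] = vlan
        if "authentication key-management wpa version 2" not in body:
            findings.append(f"SSID {name}: key management is not WPA2")
        if vlan is None:
            findings.append(f"SSID {name}: no VLAN assigned")

    # On each radio, every VLAN an SSID uses needs an AES-CCMP-only cipher suite.
    for header, body in blocks:
        if not header.startswith("interface Dot11Radio"):
            continue
        ciphers = {}
        for line in body:
            m = re.match(r"encryption vlan (\d+) mode ciphers (.+)", line)
            if m:
                ciphers[int(m.group(1))] = m.group(2).split()
        ssids = [line.split()[1] for line in body if line.startswith("ssid ")]
        if ssids and "shutdown" in body:  # new APs ship with radios administratively down
            findings.append(f"{header}: carries SSIDs but is shut down")
        for name in ssids:
            vlan = ssid_vlan.get(name)
            suite = ciphers.get(vlan, [])
            if suite != ["aes-ccm"]:
                findings.append(f"{header}: SSID {name} on VLAN {vlan} uses "
                                f"{' '.join(suite) or 'no cipher'}, want aes-ccm only")

    # Management plane.
    if "ip http server" in tops and "ip http secure-server" not in tops:
        findings.append("web UI is cleartext HTTP only (no ip http secure-server)")
    for required in ("ip ssh version 2", "aaa new-model", "service password-encryption"):
        if required not in tops:
            findings.append(f"missing: {required}")
    for header, body in blocks:
        if header.startswith("line vty") and "transport input ssh" not in body:
            findings.append(f"{header}: transport input is not restricted to ssh")
        m = re.match(r"username (\S+)", header)
        if m and m.group(1).lower() == "cisco":
            findings.append("factory default account 'Cisco' is still present")
    return findings


if __name__ == "__main__":
    for finding in audit_ap_config(SAMPLE_AP_CONFIG):
        print("FINDING:", finding)
```

Run against the full config above (after replacing the placeholder passwords) the script should report nothing; against the weakened sample it reports the TKIP VLAN, the cleartext web UI and the default account.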

Configure WPA2 from the web interface

Security > Encryption Manager
  1. Set Encryption Mode and Keys for VLAN: from drop down menu
  2. Tick Cipher and from drop down menu AES CCMP
Security > SSID Manager
  1. Select <NEW>
  2. Type SSID_name into SSID box
  3. Select VLAN
  4. Tick Interface Radio0 (2.4 GHz)
  5. Key Management: Mandatory
  6. Tick: Enable WPA and select WPAv2 from drop down menu
  7. Enter your WPA Pre-shared Key into a box
  8. Enable SSID broadcast in beacons (requires enabling per SSID)
    1. Go to section: Multiple BSSID Beacon Settings
    2. Check: Set SSID as Guest Mode
  9. Press Apply
  10. Enable multiple SSIDs to be broadcasted (requires enabling once per AP/radio)
    1. Go to section: Guest Mode/Infrastructure SSID Settings
    2. Check: Multiple BSSID
    3. Press Apply
Error message when ticking CCKM
ERROR:
VLAN 99 cannot support CCKM.
Set 'Encryption Mode' to 'Cipher' on all radio interfaces before selecting CCKM (See Security> Encryption  Manager).
Error message when enabling WPA
ERROR:
VLAN 99 cannot support WPA optional.
Set 'Encryption Mode' to 'Cipher', 'TKIP + WEP 40 bit' or 'TKIP + WEP 128 bit' 
or 'AES CCMP + TKIP + WEP 40 bit', or 'AES CCMP + TKIP + WEP 128 bit' on all radio interfaces before selecting WPA.
(See Security> Encryption Manager) To set the correct 'Key Management', follow the steps below: STEP 1:Set the 'Key Management' to 'None'. STEP 2:Set the 'Cipher' to 'TKIP' or 'AES CCMP' or 'AES CCMP + TKIP'.(see Security>Encryption Manager) STEP 3:Set the 'Authenticated Key Management' to 'WPA' and 'Mandatory'.

Basic router config

!
! Last configuration change at 00:50:58 UTC Wed Oct 23 2013 by tech
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
logging buffered 10000
logging console warnings
enable secret secretpassword
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local 
!
!
!
!
!
aaa session-id common
!
ip cef
!
!
!
ip dhcp excluded-address 10.0.10.1 10.0.10.10
ip dhcp excluded-address 10.0.11.240 10.0.11.254
ip dhcp excluded-address 10.0.20.1 10.0.20.10
ip dhcp excluded-address 10.0.21.240 10.0.21.254
ip dhcp excluded-address 10.0.99.100
ip dhcp excluded-address 10.0.99.1 10.0.99.10
!
ip dhcp pool WIRELESS
 import all
 network 10.0.10.0 255.255.254.0
 default-router 10.0.10.1 
 dns-server 10.0.10.1 8.8.8.8 
 domain-name lan.gateway
 lease 0 2
!
ip dhcp pool WIRELESS-GUEST
 network 10.0.20.0 255.255.254.0
 default-router 10.0.20.1 
 dns-server 10.0.20.1 8.8.8.8 
 domain-name lan-guest.gateway
 lease 0 2
!
ip dhcp pool MANAGEMENT
 network 10.0.99.0 255.255.255.128
 default-router 10.0.99.100 
 dns-server 10.0.99.100 8.8.8.8 
 domain-name lan.management
 lease 0 2
!
ip dhcp pool AP1
 host 10.0.99.1 255.255.255.128
 client-identifier 017c.69f6.e1d8.7d
!
ip dhcp pool AP2
 host 10.0.99.2 255.255.255.128
 client-identifier 017c.69f6.e1d9.18
!
ip dhcp pool AP3
 host 10.0.99.3 255.255.255.128
 client-identifier 017c.69f6.e1d9.78
!
ip dhcp pool LAN
 network 10.0.30.0 255.255.254.0
 default-router 10.0.30.1 
 dns-server 194.72.0.114 194.72.0.114 
 domain-name lan.gateway
 lease 0 2
!
ip domain name lma.gateway
no ipv6 cef
multilink bundle-name authenticated
!
chat-script hspa "" "AT!SCACT=1,1" TIMEOUT 60 "OK"
!
!
license udi pid CISCO1941/K9 sn routerserialnumber
!
license accept end user agreement
license boot module c1900 technology-package securityk9 disable
license boot module c1900 technology-package datak9 disable
!
!
username ****tech privilege 0 secret 0 techpassword
username **neteng  privilege 15 secret 0 netengpassword
!
!
controller Cellular 0/0
controller VDSL 0/0/0
!
ip ssh version 2
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface GigabitEthernet0/1
 ip address 10.0.30.1 255.255.254.0
 ip nat enable
 duplex auto
 speed auto
 no shutdown
!
interface ATM0/0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no atm ilmi-keepalive
 pvc 0/38 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface GigabitEthernet0/1/0
 description Trunk Port to Cisco AP AIR-SAP1602
 switchport trunk native vlan 99
 switchport trunk allowed vlan 1,10,20,99,1002-1005
 switchport mode trunk
 no ip address
!
interface GigabitEthernet0/1/1
 description Trunk Port to Cisco AP AIR-SAP1602
 switchport trunk native vlan 99
 switchport trunk allowed vlan 1,10,20,99,1002-1005
 switchport mode trunk
 no ip address
!
interface GigabitEthernet0/1/2
 description Trunk Port to Cisco AP AIR-SAP1602
 switchport trunk native vlan 99
 switchport trunk allowed vlan 1,10,20,99,1002-1005
 switchport mode trunk
 no ip address
!
interface GigabitEthernet0/1/3
 description Management VLAN99 access port
 switchport access vlan 99
 no ip address
!
interface Cellular0/0/0
 description WAN link to Vodafone-APN
 ip address negotiated
 ip nat enable
 encapsulation slip
 dialer in-band
 dialer string hspa
 dialer-group 1
 async mode interactive
!
interface Cellular0/0/1
 no ip address
 encapsulation slip
!
interface Vlan1
 no ip address
!
interface Vlan10
 ip address 10.0.10.1 255.255.254.0
 ip nat enable
!
interface Vlan20
 ip address 10.0.20.1 255.255.254.0
 ip nat enable
!
interface Vlan99
 description Etherswitch Management Interface
 ip address 10.0.99.100 255.255.255.128
 ip virtual-reassembly in
!
interface Dialer0
 description BT ADSL 5Mdown/1Mup acc: WM****** no:0********
 ip address ip.add.re.ss m.a.s.k
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat enable
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname D******@hg52.btclick.com
 ppp chap password 0 ******
 ppp pap sent-username D******@hg52.btclick.com password 0 ******
 ppp ipcp dns request
 no cdp enable
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip dns server
!
! Cellular/3G (Green) variant: NAT overload and default route via the 3G card
ip nat source list 1 interface Cellular0/0/0 overload
ip route 0.0.0.0 0.0.0.0 Cellular0/0/0
!
access-list 1 permit any
dialer-list 1 protocol ip permit
!
! ATM/ADSL (Purple) variant: NAT overload and default route via the PPPoA dialer
ip nat source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 1 permit 10.0.0.0 0.0.255.255
dialer-list 1 protocol ip permit
!
!
snmp-server community contingency RO site
snmp-server enable traps entity-sensor threshold
!
!
!
control-plane
!
!
banner motd ^C
This system is for COMPANY authorized use only. It is
monitored to detect improper use and other illicit activity.
There is no expectation of privacy while using this system.

^C
!
line con 0
 logging synchronous
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line 0/0/0
 exec-timeout 0 0
 script dialer hspa
 script activation hspa
 modem InOut
 no exec
 rxspeed 21600000
 txspeed 5760000
line 0/0/1
 no exec
line vty 0 4
 logging synchronous
 transport input ssh
!
scheduler allocate 20000 1000
!
end
Key (the colours do not survive in this text copy; the lines concerned are listed)
  • Blue - variables: passwords, host names, serial numbers and account details (shown above as placeholders such as secretpassword, netengpassword, routerserialnumber and ***********)
  • Green - Cellular/3G card configuration (the NAT, default route and access-list lines referencing Cellular0/0/0, with access-list 1 permit any)
  • Purple - ATM/ADSL card configuration (the NAT, default route and access-list lines referencing Dialer0, with access-list 1 permit 10.0.0.0 0.0.255.255)
  • Only one WAN variant should be active. If both are left in, IOS appends both access-list 1 entries to the same list, so permit any makes the 10.0.0.0/16 entry redundant and every inside source is translated, and two default routes are configured.
  • No inbound access list is applied on Cellular0/0/0 or Dialer0 and no access-class on the vty lines, so the router's DNS server (ip dns server) and SSH are reachable from the WAN side as configured; restrict both before exposing the router.
  • snmp-server community contingency RO site references a standard access list named site that is not defined in the config shown; define it so the community is limited to the management hosts.
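The two access-list 1 variants differ only in what they let NAT translate: permit any (cellular variant) versus 10.0.0.0 0.0.255.255 (ADSL variant). The Python below is an added example, not from the original page, that evaluates IOS standard access lists with wildcard-mask semantics (a 1 bit in the wildcard means "do not care", first match wins, implicit deny at the end) and shows what happens when both variants are left in one running config: because IOS appends every access-list 1 line to the same list, the permit any entry shadows the LAN-only entry. The ACL lines are the ones from the config above; the probe addresses and the host-form list are constructed.

```python
"""Evaluate IOS standard access lists with wildcard masks, as used for the NAT
source list (ip nat source list 1 ...) in the router config above.

Added example; not from the original page. The access-list lines are copied
from that config; the probe addresses are constructed."""
import ipaddress
import re

# The two WAN variants on the page both number their NAT source list 1.
CELLULAR_ACL = ["access-list 1 permit any"]
ADSL_ACL = ["access-list 1 permit 10.0.0.0 0.0.255.255"]
AS_PASTED = CELLULAR_ACL + ADSL_ACL  # what the running config above actually contains

ACL_LINE = re.compile(r"access-list (\d+) (permit|deny) (\S+)(?: (\S+))?$")
ALL_ONES = 0xFFFFFFFF


def parse_standard_acls(lines):
    """Return {number: [(action, network, wildcard), ...]} in config order.

    IOS appends every 'access-list N ...' line to list N, so entries from
    different pastes accumulate rather than replace each other."""
    acls = {}
    for line in lines:
        m = ACL_LINE.match(line.strip())
        if not m:
            continue
        number, action, addr, wildcard = m.groups()
        if addr == "any":
            net, wc = 0, ALL_ONES
        elif addr == "host":  # 'host a.b.c.d': the address sits in the wildcard slot
            net, wc = int(ipaddress.IPv4Address(wildcard)), 0
        else:
            net = int(ipaddress.IPv4Address(addr))
            wc = int(ipaddress.IPv4Address(wildcard)) if wildcard else 0  # bare address = host
        acls.setdefault(int(number), []).append((action, net, wc))
    return acls


def entry_matches(entry, ip):
    """Wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    _, net, wc = entry
    care = ~wc & ALL_ONES
    return (int(ipaddress.IPv4Address(ip)) & care) == (net & care)


def evaluate(acl, ip):
    """First match wins; an unmatched address hits the implicit deny."""
    for entry in acl:
        if entry_matches(entry, ip):
            return entry[0]
    return "deny"


def shadowed_entries(acl):
    """Indexes of entries that can never match because an earlier entry covers them.

    Entry j is covered by an earlier entry i when every bit i cares about is
    also fixed in j and has the same value there."""
    out = []
    for j, (_, net_j, wc_j) in enumerate(acl):
        for _, net_i, wc_i in acl[:j]:
            care_i = ~wc_i & ALL_ONES
            if care_i & wc_j == 0 and (net_i ^ net_j) & care_i == 0:
                out.append(j)
                break
    return out


def nat_source_report(lines, sources):
    """Which candidate inside addresses 'ip nat source list 1' would translate."""
    acl = parse_standard_acls(lines).get(1, [])
    return {ip: evaluate(acl, ip) for ip in sources}


if __name__ == "__main__":
    probes = ["10.0.10.5", "10.0.99.100", "192.168.1.5", "8.8.8.8"]
    for name, lines in (("cellular", CELLULAR_ACL), ("adsl", ADSL_ACL), ("as pasted", AS_PASTED)):
        acl = parse_standard_acls(lines)[1]
        print(name, nat_source_report(lines, probes), "shadowed:", shadowed_entries(acl))
```

With the ADSL list only the 10.0.0.0/16 sources are translated; with the cellular list everything is; with both lines present the second entry is reported as shadowed, which is the signal to remove the variant that is not in use.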

Applying VLANs

conf t
vlan 10
name WIRELESS
vlan 20
name GUEST-WIRELESS
vlan 99
name MANAGEMENT&NATIVE
^Z
Verify
R1#sh vlan-switch

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1/1, Gi0/1/2
10   WIRELESS                         active
20   GUEST-WIRELESS                   active
99   MANAGEMENT&NATIVE                active    Gi0/1/3
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        1002   1003
10   enet  100010     1500  -      -      -        -    -        0      0
20   enet  100020     1500  -      -      -        -    -        0      0
99   enet  100099     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        1      1003
1003 tr    101003     1500  1005   0      -        -    srb      1      1002
1004 fdnet 101004     1500  -      -      1        ibm  -        0      0
1005 trnet 101005     1500  -      -      1        ibm  -        0      0
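The following Python check is an added example, not from the original page. It parses the show vlan-switch output above and the trunk port definition from the router config, expands the switchport trunk allowed vlan list, and verifies that every VLAN the AP's SSIDs bridge to (10, 20 and 99, taken from the AP config) is defined on the EtherSwitch and carried by the trunk, and that the native VLAN is too. The sample texts are copies of the page's own output and config; the SSID-to-VLAN map is taken from the AP config.

```python
"""Cross-check the EtherSwitch VLAN table, the trunk port towards the AP and the
VLANs the AP's SSIDs bridge to. Added example; not from the original page.
The sample texts are copied from the 'show vlan-switch' output and the router
config above; the SSID/VLAN map comes from the AP config."""
import re

SH_VLAN_SWITCH = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1/1, Gi0/1/2
10   WIRELESS                         active
20   GUEST-WIRELESS                   active
99   MANAGEMENT&NATIVE                active    Gi0/1/3
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        1002   1003
"""

TRUNK_PORT = """\
interface GigabitEthernet0/1/0
 description Trunk Port to Cisco AP AIR-SAP1602
 switchport trunk native vlan 99
 switchport trunk allowed vlan 1,10,20,99,1002-1005
 switchport mode trunk
"""

AP_SSID_VLANS = {"DS_Guest": 20, "DS_MGM": 99, "DS_WPA2": 10}


def parse_vlan_table(text):
    """{vlan_id: (name, status)} from the first table of 'show vlan-switch'."""
    vlans = {}
    for line in text.splitlines():
        if not line.strip():
            break  # the blank line ends the first table; the type/SAID table follows
        m = re.match(r"(\d+)\s+(\S+)\s+(\S+)", line)
        if m:
            vlans[int(m.group(1))] = (m.group(2), m.group(3))
    return vlans


def expand_vlan_list(spec):
    """'1,10,20,99,1002-1005' -> {1, 10, 20, 99, 1002, 1003, 1004, 1005}"""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_trunk(text):
    """(native_vlan, allowed_vlans) from an interface stanza.

    Only the plain list form is handled; with no list, allowed is None, which
    follows the IOS default of carrying every VLAN. Native VLAN defaults to 1."""
    native, allowed = 1, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"switchport trunk native vlan (\d+)$", line)
        if m:
            native = int(m.group(1))
        m = re.match(r"switchport trunk allowed vlan ([\d,\-]+)$", line)
        if m:
            allowed = expand_vlan_list(m.group(1))
    return native, allowed


def check_trunk(vlan_table, trunk_text, ssid_vlans):
    """List of problems; empty when every SSID VLAN exists and is carried by the trunk."""
    native, allowed = parse_trunk(trunk_text)
    defined = set(vlan_table)  # 1002-1005 are act/unsup defaults but still exist
    carried = allowed if allowed is not None else set(range(1, 4095))
    problems = []
    if allowed is not None:
        for vlan in sorted(allowed - defined):
            problems.append(f"VLAN {vlan} is allowed on the trunk but not defined on the switch")
    for ssid, vlan in sorted(ssid_vlans.items()):
        if vlan not in carried:
            problems.append(f"SSID {ssid} bridges to VLAN {vlan}, which the trunk does not carry")
        elif vlan not in defined:
            problems.append(f"SSID {ssid} bridges to VLAN {vlan}, which is not defined on the switch")
    if native not in carried or native not in defined:
        problems.append(f"native VLAN {native} is not both allowed and defined")
    return problems


if __name__ == "__main__":
    table = parse_vlan_table(SH_VLAN_SWITCH)
    for problem in check_trunk(table, TRUNK_PORT, AP_SSID_VLANS) or ["OK: trunk and VLANs consistent"]:
        print(problem)
```

The page's own data passes; narrowing the allowed list or dropping a VLAN from the switch makes the affected SSIDs show up, which is the usual cause of an SSID that associates clients but never hands out a DHCP lease.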
