«

I've been trying to setup a BR1310 as an Access Point, and have had no
luck. All my searches for insight only give info on a bridged
configuration, so any help would be appreciated.

My wireless devices do associate to the 1310, however, they never get
an address assigned, and the log
on the 1310 shows this message

Mar 14 20:12:44.914: %DOT11-6-DISASSOC: Interface Dot11Radio0,
Deauthenticating Station 0023.7657.732c Reason: Sending station has
left the BSS

I've seen indications saying the device is out of range, however, I
know that's not the reason as I have the wireless device within feet
of the 1310's Antenna.

Here's the config as it is now...

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname BR1310
!
logging rate-limit console 9
enable secret 5 XXXXXXXXXXXXXXXX
!
no aaa new-model
clock timezone PST -8
clock summer-time PDT recurring
ip domain name domain.com
ip name-server 192.168.156.86
ip dhcp database nvram:dhcp-leases.txt
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.11.1 192.168.11.100
ip dhcp ping packets 1
!
ip dhcp pool dhcppool
network 192.168.11.0 255.255.255.0
subnet prefix-length 24
domain-name domain.com
default-router 192.168.11.1
dns-server 8.8.8.8 192.168.11.1
lease 0 12
!
!
dot11 syslog
!
dot11 ssid BR1310
authentication open
guest-mode
!bridge irb
!
!
interface Dot11Radio0
ip address 192.168.11.1 255.255.255.0
no ip route-cache
!
encryption key 1 size 128bit 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXX transmit-
key
encryption mode wep mandatory
!
ssid BR1310
!
antenna gain 5
station-role root ap-only
concatenation
no dot11 qos mode
infrastructure-client
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 192.168.155.91 255.255.255.0
no ip route-cache
!
ip default-gateway 192.168.155.1
ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779...onfig/help/eag
ip radius source-interface BVI1
bridge 1 route ip
!
!
banner login ^C
Anyone using this system expressly consents to such monitoring and
is
advised that if such monitoring reveals possible evidence of
criminal
activity, information security personnel may provide the evidence of
such monitoring to law enforcement officials.

Inappropriate system use may result in penalties up to and including
termination of employment and/or contractual relationships, in
addition
to other legal remedies.

^C
banner motd ^C
This system is for the use of authorized users only. Individuals
using
this computer system are subject to having all of their activities
on
this system monitored and recorded by information security
personnel.
In the course of monitoring individuals improperly using this
system,
or in the course of system maintenance, the activities of authorized
users may also be monitored.

^C
!
end

On Mar 16, 3:36*pm, Aaron Leonard <Aa...@Cisco.COM> wrote:
> On Mon, 14 Mar 2011 13:39:06 -0700 (PDT), retlaw <wrwer...@gmail.com> wrote:
>
> Configuring a BR1310 as an AP is just like any other AP.
>

OK, well.. this is the first IOS based AP I've done.. so I'm
learning.

>
> Tell me about your 1310. *How many antennas does it have? *1? *2?
> What kind? *You don't have the one with the integrated 13dBi antenna,
> do you?
>

2 Antenna, external AIR-ANT1728 (5.2dBi)

>
> Hm. *It looks like you have your Dot11Radio0 configured with 192.168.11..1,
> and your DHCP pool is in 192.168.11 /24 also. *But your BVI1 is in
> 192.168.155.91.
>
> So there's two things wrong with this ...
>
> a) an AP can only have one IP address on it, which must be on the BVI1, and
> which must be bridged to the native VLAN.
>
> b) the DHCP pool must be in the same subnet as the BVI. *(Theoreticallythe AP
> could be DHCP server for other subnets ... in that case, those subnets would
> need IP helper configs to send the DHCP broadcasts to the AP's BVI address.)
>
> So take the IP address off the Dot11radio0, and configure a DHCP pool in
> 192.168.155 /24. *Or else give BVI1 an address in 192.168.11. *That should
> probably get DHCP working.
>
> If you suspect an RF problem, then, while a client is associated, get
> "show dot11 association all" and see if the signal level from the client is what
> you want, etc.
>

Hmmm.. I was hoping to have the AP do NAT and have all it's wireless
clients
appear to be in the 192.168.155/24 network, but I'm getting the
impression this device
won't support that?

I'll try your suggestion regarding using a single network for both the
wireless and the wired
and putting the DHCP pool into that range.

I've included the output as suggested, the thing is I'm not sure what
a good strength is?
It came back at -75dBm with me about 100 feet away.


show dot11 association all
Address : b407.f9a6.3e30 Name : NONE
IP Address : 0.0.0.0 Interface : Dot11Radio 0
Device : unknown Software Version : NONE
CCX Version : NONE Client MFP : Off

State : Assoc Parent :
self
SSID : FDSwep01
VLAN : 0
Hops to Infra : 1 Association Id : 1
Clients Associated: 0 Repeaters associated: 0
Tunnel Address : 0.0.0.0
Key Mgmt type : NONE Encryption : WEP
Current Rate : 54.0 Capability : ShortHdr
ShortSlot
Supported Rates : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0
54.0
Voice Rates : disabled Bandwidth : 20 MHz
Signal Strength : -75 dBm Connected for : 15 seconds
Signal to Noise : 23 dB Activity Timeout : 58 seconds
Power-save : Off Last Activity : 2 seconds
ago
Apsd DE AC(s) : NONE

Packets Input : 71 Packets Output : 5
Bytes Input : 4641 Bytes Output : 378
Duplicates Rcvd : 1 Data Retries : 0
Decrypt Failed : 0 RTS Retries : 0
MIC Failed : 0 MIC Missing : 0
Packets Redirected: 0 Redirect Filtered: 0

retlaw <> writes:
>Hmmm.. I was hoping to have the AP do NAT and have all it's wireless
>clients
>appear to be in the 192.168.155/24 network, but I'm getting the
>impression this device
>won't support that?


No, an access point or bridge isn't a router. NAT is typically only
done in a router or firewall.

Having the access-point not do NAT is a benefit for most enterprise
type networks. Most access-point WiFi devices way back when started
out as bridges only until the home market starting wrapping them all
up in routers doing NAT.

Although, I've been in some small business offices that have NAT layer
after NAT layer after NAT layer. Sometimes 4-5 deep. Very difficult to
troubleshoot what is going on then.

On Mar 17, 8:30*am, Doug McIntyre <mer...@geeks.org> wrote:
>
> Having the access-point not do NAT is a benefit for most enterprise
> type networks. Most access-point WiFi devices way back when started
> out as bridges only until the home market starting wrapping them all
> up in routers doing NAT.
>
> Although, I've been in some small business offices that have NAT layer
> after NAT layer after NAT layer. Sometimes 4-5 deep. Very difficult to
> troubleshoot what is going on then.

I'm beginning to see....

OK, so here's the latest config.. I ended up using the web interface
rather than command line because I kept getting
errors that what I was doing wasn't supported...

The problem is now I can't even associate to the WAP and it doesn't
appear in my list of available
SSID's on the wireless device.. I can manually enter the in, and then
I get a status on the the signal strength, however
it's now indicating WEAK or NOT-IN-RANGE even when I'm just feet away
from it?? Ideas?

thanks



Using 5037 out of 32768 bytes
!
! Last configuration change at 11:32:08 PDT Thu Mar 17 2011 by root
! NVRAM config last updated at 11:32:08 PDT Thu Mar 17 2011 by root
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname FDSDMZ
!
logging rate-limit console 9
enable secret 5 $1$XJ4/$egyH5hcl2/r88br3ymF4J/
!
no aaa new-model
clock timezone PST -8
clock summer-time PDT recurring
ip domain name fdbs.com
ip name-server 192.168.155.86
ip dhcp database nvram:dhcp-leases.txt
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.155.1 192.168.155.200
ip dhcp ping packets 1
!
ip dhcp pool fdswep
network 192.168.155.0 255.255.255.0
subnet prefix-length 24
domain-name fdbs.com
default-router 192.168.155.1
dns-server 8.8.8.8 192.168.155.86
lease 0 12
!
!
dot11 syslog
dot11 activity-timeout client default 360
dot11 vlan-name FDSwep vlan 155
!
dot11 ssid FDSwep01
vlan 155
authentication open
mobility network-id 155
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 155 key 1 size 128bit 7 048492AE82F31C056E3B510F447B
transmit-key
encryption vlan 155 mode wep mandatory
!
ssid FDSwep01
!
antenna gain 5
speed basic-1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root ap-only
concatenation
no dot11 qos mode
infrastructure-client
!
interface Dot11Radio0.155
encapsulation dot1Q 155 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 port-protected
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
!
interface FastEthernet0.155
encapsulation dot1Q 155 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 192.168.155.91 255.255.255.0
no ip route-cache
!
ip default-gateway 192.168.155.1
ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779...onfig/help/eag
ip radius source-interface BVI1
bridge 1 route ip

As I, too, am currently studying Aironet-Wireless (AP1231G-E, also first
IOS-AP I configure), I have looked into your config. Found some mistake
I made, too:

"mobility network ID": I, too, made the mistake to believe, this has
sth. to do with my VLANS, which is not true when you only have a single
AP. I still have to learn what mGRE-Tunnels are, but they seem to be
used in roaming environments/WDS. Consult e.g. the Cisco Command Lookup
Tool for more information on this.
I had to remove "mobility network id" from my SSID-Configs to make it work.

As you now know, Cisco APs are layer-2 devices and don't do routing,
while NAT is layer-3 feature. But you can use IP ACLs. Layer-3-support
is not completely missing

I am unsure about your "antenna gain" Config. AFAIK this one defines the
gain compared to a standard dipole antenna (2,2dBi), so the value should
reflect your dBd-Gain, in your special case 3 dBd. Someone please
correct me if I am wrong! I am still learning!

I also don't know what "concatenation" in your dot11radio-config means.
But I am sure you don't need it. "infrastructure client" is not needed
when your AP is root-only, this one is for Repeater- or WGB-Configs.
Remove it from your config.

I, too, still have to find out, why IP addresses can be assigned to
other interfaces than BVI1. Catalyst switches don't allow this. And I
still have to find out, why a "shutdown" on FastEthernet0 doesn't take
the Ethernet link down. Other Cisco devices work different here. Maybe
there are design-flaws left in the wireless IOS

have fun

Thomas Caspari

Am 17.03.2011 20:24, schrieb retlaw:
> On Mar 17, 8:30 am, Doug McIntyre<mer...@geeks.org> wrote:
>>
>> Having the access-point not do NAT is a benefit for most enterprise
>> type networks. Most access-point WiFi devices way back when started
>> out as bridges only until the home market starting wrapping them all
>> up in routers doing NAT.
>>
>> Although, I've been in some small business offices that have NAT layer
>> after NAT layer after NAT layer. Sometimes 4-5 deep. Very difficult to
>> troubleshoot what is going on then.
>
> I'm beginning to see....
>
> OK, so here's the latest config.. I ended up using the web interface
> rather than command line because I kept getting
> errors that what I was doing wasn't supported...
>
> The problem is now I can't even associate to the WAP and it doesn't
> appear in my list of available
> SSID's on the wireless device.. I can manually enter the in, and then
> I get a status on the the signal strength, however
> it's now indicating WEAK or NOT-IN-RANGE even when I'm just feet away
> from it?? Ideas?
>
> thanks
>
>
>
> Using 5037 out of 32768 bytes
> !
> ! Last configuration change at 11:32:08 PDT Thu Mar 17 2011 by root
> ! NVRAM config last updated at 11:32:08 PDT Thu Mar 17 2011 by root
> !
> version 12.4
> no service pad
> service timestamps debug datetime msec
> service timestamps log datetime msec
> service password-encryption
> !
> hostname FDSDMZ
> !
> logging rate-limit console 9
> enable secret 5 $1$XJ4/$egyH5hcl2/r88br3ymF4J/
> !
> no aaa new-model
> clock timezone PST -8
> clock summer-time PDT recurring
> ip domain name fdbs.com
> ip name-server 192.168.155.86
> ip dhcp database nvram:dhcp-leases.txt
> no ip dhcp use vrf connected
> ip dhcp excluded-address 192.168.155.1 192.168.155.200
> ip dhcp ping packets 1
> !
> ip dhcp pool fdswep
> network 192.168.155.0 255.255.255.0
> subnet prefix-length 24
> domain-name fdbs.com
> default-router 192.168.155.1
> dns-server 8.8.8.8 192.168.155.86
> lease 0 12
> !
> !
> dot11 syslog
> dot11 activity-timeout client default 360
> dot11 vlan-name FDSwep vlan 155
> !
> dot11 ssid FDSwep01
> vlan 155
> authentication open
> mobility network-id 155
> bridge irb
> !
> !
> interface Dot11Radio0
> no ip address
> no ip route-cache
> !
> encryption vlan 155 key 1 size 128bit 7 048492AE82F31C056E3B510F447B
> transmit-key
> encryption vlan 155 mode wep mandatory
> !
> ssid FDSwep01
> !
> antenna gain 5
> speed basic-1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
> station-role root ap-only
> concatenation
> no dot11 qos mode
> infrastructure-client
> !
> interface Dot11Radio0.155
> encapsulation dot1Q 155 native
> no ip route-cache
> bridge-group 1
> bridge-group 1 subscriber-loop-control
> bridge-group 1 port-protected
> bridge-group 1 block-unknown-source
> no bridge-group 1 source-learning
> no bridge-group 1 unicast-flooding
> bridge-group 1 spanning-disabled
> !
> interface FastEthernet0
> no ip address
> no ip route-cache
> !
> interface FastEthernet0.155
> encapsulation dot1Q 155 native
> no ip route-cache
> bridge-group 1
> no bridge-group 1 source-learning
> bridge-group 1 spanning-disabled
> !
> interface BVI1
> ip address 192.168.155.91 255.255.255.0
> no ip route-cache
> !
> ip default-gateway 192.168.155.1
> ip http server
> ip http secure-server
> ip http help-path http://www.cisco.com/warp/public/779...onfig/help/eag
> ip radius source-interface BVI1
> bridge 1 route ip

....one thought that just jumped into my mind: maybe the ethernet layer
stays up because this AP supports to be powered via POE, which _must_
work regardless of shutdown status. But I am not sure...the
documentation did not tell me anything about this behaviour...

....but that's not YOUR Problem it's MINE.

regards

Thomas Caspari

On Mar 18, 10:40*am, Thomas Caspari <ThomasCasp...@t-online.de> wrote:
> As I, too, am currently studying Aironet-Wireless (AP1231G-E, also first
> IOS-AP I configure), I have looked into your config. Found some mistake
> I made, too:
>
> "mobility network ID": I, too, made the mistake to believe, this has
> sth. to do with my VLANS, which is not true when you only have a single
> AP. I still have to learn what mGRE-Tunnels are, but they seem to be
> used in roaming environments/WDS. Consult e.g. the Cisco Command Lookup
> Tool for more information on this.
> I had to remove "mobility network id" from my SSID-Configs to make it work.
>
> As you now know, Cisco APs are layer-2 devices and don't do routing,
> while NAT is layer-3 feature. But you can use IP ACLs. Layer-3-support
> is not completely missing
>
> I am unsure about your "antenna gain" Config. AFAIK this one defines the
> gain compared to a standard dipole antenna (2,2dBi), so the value should
> reflect your dBd-Gain, in your special case 3 dBd. Someone please
> correct me if I am wrong! I am still learning!
>
> I also don't know what "concatenation" in your dot11radio-config means.
> But I am sure you don't need it. "infrastructure client" is not needed
> when your AP is root-only, this one is for Repeater- or WGB-Configs.
> Remove it from your config.
>
> I, too, still have to find out, why IP addresses can be assigned to
> other interfaces than BVI1. Catalyst switches don't allow this. And I
> still have to find out, why a "shutdown" on FastEthernet0 doesn't take
> the Ethernet link down. Other Cisco devices work different here. Maybe
> there are design-flaws left in the wireless IOS
>

OK, I took your suggestions and it's better....

I now have syslog messages "DHCPD-3-WRITE_ERROR: DHCP could not write
bindings to nvram:dhcp-leases.txt."

however, "show ip dhcp database" says

URL : nvram:dhcp-leases.txt
Read : Mar 18 2011 12:30 PM
Written : Mar 18 2011 12:39 PM
Status : Last write succeeded. Agent information is up-to-date.
Delay : 300 seconds
Timeout : 300 seconds
Failures : 3
Successes: 2



here's the latest config....

Using 4588 out of 32768 bytes
!
! Last configuration change at 12:34:34 PDT Fri Mar 18 2011 by root
! NVRAM config last updated at 12:35:21 PDT Fri Mar 18 2011 by root
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname WAP
!
logging rate-limit console 9
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
clock timezone PST -8
clock summer-time PDT recurring
ip domain name domain.com
ip name-server 192.168.155.86
ip dhcp database nvram:dhcp-leases.txt
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.155.1 192.168.155.200
ip dhcp ping packets 1
!
ip dhcp pool fdswep
network 192.168.155.0 255.255.255.0
subnet prefix-length 24
domain-name fdbs.com
default-router 192.168.155.1
dns-server 8.8.8.8 192.168.155.86
lease 0 12
!
!
dot11 syslog
!
dot11 ssid WAP1310
authentication open
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption key 1 size 128bit 7 E7D3C409175A6C377B164B721406 transmit-
key
encryption mode wep mandatory
!
ssid WAP1310
!
antenna gain 3
station-role root ap-only
no dot11 qos mode
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 1928168.155.91 255.255.255.0
no ip route-cache
!
ip default-gateway 192.168.155.1
ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779...onfig/help/eag
ip radius source-interface BVI1
bridge 1 route ip
!

On Mar 18, 10:40*am, Thomas Caspari <ThomasCasp...@t-online.de> wrote:
> As I, too, am currently studying Aironet-Wireless (AP1231G-E, also first
> IOS-AP I configure), I have looked into your config. Found some mistake
> I made, too:
>
> "mobility network ID": I, too, made the mistake to believe, this has
> sth. to do with my VLANS, which is not true when you only have a single
> AP. I still have to learn what mGRE-Tunnels are, but they seem to be
> used in roaming environments/WDS. Consult e.g. the Cisco Command Lookup
> Tool for more information on this.
> I had to remove "mobility network id" from my SSID-Configs to make it work.
>
> As you now know, Cisco APs are layer-2 devices and don't do routing,
> while NAT is layer-3 feature. But you can use IP ACLs. Layer-3-support
> is not completely missing
>
> I am unsure about your "antenna gain" Config. AFAIK this one defines the
> gain compared to a standard dipole antenna (2,2dBi), so the value should
> reflect your dBd-Gain, in your special case 3 dBd. Someone please
> correct me if I am wrong! I am still learning!
>
> I also don't know what "concatenation" in your dot11radio-config means.
> But I am sure you don't need it. "infrastructure client" is not needed
> when your AP is root-only, this one is for Repeater- or WGB-Configs.
> Remove it from your config.
>
> I, too, still have to find out, why IP addresses can be assigned to
> other interfaces than BVI1. Catalyst switches don't allow this. And I
> still have to find out, why a "shutdown" on FastEthernet0 doesn't take
> the Ethernet link down. Other Cisco devices work different here. Maybe
> there are design-flaws left in the wireless IOS
>

OK, I took your suggestions and it's better....

I now have syslog messages "DHCPD-3-WRITE_ERROR: DHCP could not write
bindings to nvram:dhcp-leases.txt."


however, "show ip dhcp database" says


URL : nvram:dhcp-leases.txt
Read : Mar 18 2011 12:30 PM
Written : Mar 18 2011 12:39 PM
Status : Last write succeeded. Agent information is up-to-date.
Delay : 300 seconds
Timeout : 300 seconds
Failures : 3
Successes: 2


here's the latest config....


Using 4588 out of 32768 bytes
!
! Last configuration change at 12:34:34 PDT Fri Mar 18 2011 by root
! NVRAM config last updated at 12:35:21 PDT Fri Mar 18 2011 by root
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname WAP
!
logging rate-limit console 9
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
clock timezone PST -8
clock summer-time PDT recurring
ip domain name domain.com
ip name-server 192.168.155.86
ip dhcp database nvram:dhcp-leases.txt
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.155.1 192.168.155.200
ip dhcp ping packets 1
!
ip dhcp pool fdswep
network 192.168.155.0 255.255.255.0
subnet prefix-length 24
domain-name fdbs.com
default-router 192.168.155.1
dns-server 8.8.8.8 192.168.155.86
lease 0 12
!
!
dot11 syslog
!
dot11 ssid WAP1310
authentication open
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption key 1 size 128bit 7 E7D3C409175A6C377B164B721406
transmit-
key
encryption mode wep mandatory
!
ssid WAP1310
!
antenna gain 3
station-role root ap-only
no dot11 qos mode
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 192.168.155.91 255.255.255.0
no ip route-cache
!
ip default-gateway 192.168.155.1
ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779...onfig/help/eag
ip radius source-interface BVI1
bridge 1 route ip
!

Update......

I took the DHCP out of the equation, and setup a separate DHCP
server.. still no joy.

Then, I removed WEP encryption from the Dot11Radio.. I now get
connected and an address from the new server...

next step, put DHCP back on the AP and see if it works without WEP.

When configuring a Cisco functionality for the very first time, it's
generally a good idea to proceed step-by-step. The same applies to e.g.
radius-servers (Linux/Freeradius - not running here yet).

With WEP/WPA/WPA2 i can help you out, as I have an experimental
_working_ config with 5 SSIDs, 5 VLANs with seperate encryption types
and keys for each VLAN, an external DHCP Server for ALL wireless VLANs
(2621-Router, 5 pools) and any PSK-Encryption available. The enterprise
functions I am still studying. I have not used the internal DHCP
function, as DHCP should also be available for ethernet connections.

Have you read the manual for your AP? Encryption is not intutitive, you
have to know significantly more compared to the installation of cheap
SOHO-WLAN devices.

I will give you a simplified extract from my config with dummy
passwords. No VLAN, one SSID, encryption WPA and/or WPA2. This option is
called "migration mode". You can also add WEP (see commented lines in
config example), which I have left out here. Your client should be able
to associate using:
WPA-PSK or WPA2-PSK (both working simultaneously on same SSID)
SSID: "my-experimental-ssid"
password: "my-experimental-password"

---cut---
dot11 ssid my-experimental-ssid
authentication open
authentication key-management wpa
! to add WEP, replace with:
! authentication key-management wpa optional
!
! make SSID "visible":
guest-mode
wpa-psk ascii 0 my-experimental-password

interface Dot11Radio0
no ip address
no ip route-cache
! here you define your encryption modes
! "migration mode" if more than one cipher selected
! to add WEP, change this to:
! "encryption mode ciphers aes-ccm tkip wep128"
! or:
! "encryption mode ciphers aes-ccm tkip wep40"
! then change your SSID-config as remarked under SSID config
! and add a WEP-transmit-key, e.g.
! encryption key 1 size 128bit 0 12345678901234567890123456
encryption mode ciphers aes-ccm tkip
ssid my-experimental-ssid
!
speed default
no power client local
station-role root access-point
! the rest is default:
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled

interface BVI1
ip address <define_your_APs_IP_here>
no ip route-cache

interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
no cdp enable
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
---cut---

I do not post the complete config, as I have the EMEA version, we have
different regulations here. I do not use "antenna gain". The manual of
my AP1231G says it's only an informational setting for use with WLSE, it
doesn't change the APs behaviour. The manual doesn't explain if this
value reflects dBi or dBd. I use "power local" settings which I
calculate manually for my antennas.

Now have success and fun

Greets from germany

Thomas Caspari

Am 18.03.2011 23:02, schrieb retlaw:
> Update......
>
> I took the DHCP out of the equation, and setup a separate DHCP
> server.. still no joy.
>
> Then, I removed WEP encryption from the Dot11Radio.. I now get
> connected and an address from the new server...
>
> next step, put DHCP back on the AP and see if it works without WEP.
>