BR1310 as an Access Point

Discussion in 'Cisco' started by retlaw, Mar 14, 2011.

  1. retlaw

    retlaw Guest

    I've been trying to setup a BR1310 as an Access Point, and have had no
    luck. All my searches for insight only give info on a bridged
    configuration, so any help would be appreciated.

    My wireless devices do associate to the 1310, however, they never get
    an address assigned, and the log on the 1310 shows this message

    Mar 14 20:12:44.914: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0023.7657.732c Reason: Sending station has left the BSS

    I've seen indications saying the device is out of range, however, I
    know that's not the reason as I have the wireless device within feet
    of the 1310's Antenna.

    Here's the config as it is now...

    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname BR1310
    !
    logging rate-limit console 9
    enable secret 5 XXXXXXXXXXXXXXXX
    !
    no aaa new-model
    clock timezone PST -8
    clock summer-time PDT recurring
    ip domain name domain.com
    ip name-server 192.168.156.86
    ip dhcp database nvram:dhcp-leases.txt
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.11.1 192.168.11.100
    ip dhcp ping packets 1
    !
    ip dhcp pool dhcppool
    network 192.168.11.0 255.255.255.0
    subnet prefix-length 24
    domain-name domain.com
    default-router 192.168.11.1
    dns-server 8.8.8.8 192.168.11.1
    lease 0 12
    !
    !
    dot11 syslog
    !
    dot11 ssid BR1310
    authentication open
    guest-mode
    !
    bridge irb
    !
    !
    interface Dot11Radio0
    ip address 192.168.11.1 255.255.255.0
    no ip route-cache
    !
    encryption key 1 size 128bit 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXX transmit-key
    encryption mode wep mandatory
    !
    ssid BR1310
    !
    antenna gain 5
    station-role root ap-only
    concatenation
    no dot11 qos mode
    infrastructure-client
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 spanning-disabled
    !
    interface FastEthernet0
    no ip address
    no ip route-cache
    bridge-group 1
    bridge-group 1 spanning-disabled
    !
    interface BVI1
    ip address 192.168.155.91 255.255.255.0
    no ip route-cache
    !
    ip default-gateway 192.168.155.1
    ip http server
    ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1
    bridge 1 route ip
    !
    !
    banner login ^C
    Anyone using this system expressly consents to such monitoring and is
    advised that if such monitoring reveals possible evidence of criminal
    activity, information security personnel may provide the evidence of
    such monitoring to law enforcement officials.

    Inappropriate system use may result in penalties up to and including
    termination of employment and/or contractual relationships, in addition
    to other legal remedies.

    ^C
    banner motd ^C
    This system is for the use of authorized users only. Individuals using
    this computer system are subject to having all of their activities on
    this system monitored and recorded by information security personnel.
    In the course of monitoring individuals improperly using this system,
    or in the course of system maintenance, the activities of authorized
    users may also be monitored.

    ^C
    !
    end
    retlaw, Mar 14, 2011
    #1

  2. retlaw

    retlaw Guest

    On Mar 16, 3:36 pm, Aaron Leonard <> wrote:
    > On Mon, 14 Mar 2011 13:39:06 -0700 (PDT), retlaw <> wrote:
    >
    > Configuring a BR1310 as an AP is just like any other AP.
    >


    OK, well.. this is the first IOS based AP I've done.. so I'm
    learning.

    >
    > Tell me about your 1310.  How many antennas does it have?  1?  2?
    > What kind?  You don't have the one with the integrated 13dBi antenna,
    > do you?
    >


    2 Antenna, external AIR-ANT1728 (5.2dBi)

    >
    > Hm.  It looks like you have your Dot11Radio0 configured with 192.168.11.1,
    > and your DHCP pool is in 192.168.11 /24 also.  But your BVI1 is in
    > 192.168.155.91.
    >
    > So there's two things wrong with this ...
    >
    > a) an AP can only have one IP address on it, which must be on the BVI1, and
    > which must be bridged to the native VLAN.
    >
    > b) the DHCP pool must be in the same subnet as the BVI.  (Theoretically the AP
    > could be DHCP server for other subnets ... in that case, those subnets would
    > need IP helper configs to send the DHCP broadcasts to the AP's BVI address.)
    >
    > So take the IP address off the Dot11radio0, and configure a DHCP pool in
    > 192.168.155 /24.  Or else give BVI1 an address in 192.168.11.  That should
    > probably get DHCP working.
    >
    > If you suspect an RF problem, then, while a client is associated, get
    > "show dot11 association all" and see if the signal level from the client is what
    > you want, etc.
    >


    Hmmm.. I was hoping to have the AP do NAT and have all its wireless
    clients appear to be in the 192.168.155/24 network, but I'm getting
    the impression this device won't support that?

    I'll try your suggestion regarding using a single network for both the
    wireless and the wired and putting the DHCP pool into that range.

    I've included the output as suggested, the thing is I'm not sure what
    a good strength is? It came back at -75dBm with me about 100 feet away.


    show dot11 association all
    Address : b407.f9a6.3e30 Name : NONE
    IP Address : 0.0.0.0 Interface : Dot11Radio 0
    Device : unknown Software Version : NONE
    CCX Version : NONE Client MFP : Off

    State : Assoc Parent : self
    SSID : FDSwep01
    VLAN : 0
    Hops to Infra : 1 Association Id : 1
    Clients Associated: 0 Repeaters associated: 0
    Tunnel Address : 0.0.0.0
    Key Mgmt type : NONE Encryption : WEP
    Current Rate : 54.0 Capability : ShortHdr ShortSlot
    Supported Rates : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
    Voice Rates : disabled Bandwidth : 20 MHz
    Signal Strength : -75 dBm Connected for : 15 seconds
    Signal to Noise : 23 dB Activity Timeout : 58 seconds
    Power-save : Off Last Activity : 2 seconds ago
    Apsd DE AC(s) : NONE

    Packets Input : 71 Packets Output : 5
    Bytes Input : 4641 Bytes Output : 378
    Duplicates Rcvd : 1 Data Retries : 0
    Decrypt Failed : 0 RTS Retries : 0
    MIC Failed : 0 MIC Missing : 0
    Packets Redirected: 0 Redirect Filtered: 0
    retlaw, Mar 17, 2011
    #2

  3. retlaw <> writes:
    >Hmmm.. I was hoping to have the AP do NAT and have all its wireless
    >clients appear to be in the 192.168.155/24 network, but I'm getting
    >the impression this device won't support that?



    No, an access point or bridge isn't a router. NAT is typically only
    done in a router or firewall.

    Having the access-point not do NAT is a benefit for most enterprise
    type networks. Most access-point WiFi devices way back when started
    out as bridges only until the home market started wrapping them all
    up in routers doing NAT.

    Although, I've been in some small business offices that have NAT layer
    after NAT layer after NAT layer. Sometimes 4-5 deep. Very difficult to
    troubleshoot what is going on then.
    Doug McIntyre, Mar 17, 2011
    #3
  4. retlaw

    retlaw Guest

    On Mar 17, 8:30 am, Doug McIntyre <> wrote:
    >
    > Having the access-point not do NAT is a benefit for most enterprise
    > type networks. Most access-point WiFi devices way back when started
    > out as bridges only until the home market starting wrapping them all
    > up in routers doing NAT.
    >
    > Although, I've been in some small business offices that have NAT layer
    > after NAT layer after NAT layer. Sometimes 4-5 deep. Very difficult to
    > troubleshoot what is going on then.


    I'm beginning to see....

    OK, so here's the latest config.. I ended up using the web interface
    rather than command line because I kept getting errors that what I
    was doing wasn't supported...

    The problem is now I can't even associate to the WAP and it doesn't
    appear in my list of available SSIDs on the wireless device.. I can
    manually enter it in, and then I get a status on the signal strength,
    however it's now indicating WEAK or NOT-IN-RANGE even when I'm just
    feet away from it?? Ideas?

    thanks



    Using 5037 out of 32768 bytes
    !
    ! Last configuration change at 11:32:08 PDT Thu Mar 17 2011 by root
    ! NVRAM config last updated at 11:32:08 PDT Thu Mar 17 2011 by root
    !
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname FDSDMZ
    !
    logging rate-limit console 9
    enable secret 5 $1$XJ4/$egyH5hcl2/r88br3ymF4J/
    !
    no aaa new-model
    clock timezone PST -8
    clock summer-time PDT recurring
    ip domain name fdbs.com
    ip name-server 192.168.155.86
    ip dhcp database nvram:dhcp-leases.txt
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.155.1 192.168.155.200
    ip dhcp ping packets 1
    !
    ip dhcp pool fdswep
    network 192.168.155.0 255.255.255.0
    subnet prefix-length 24
    domain-name fdbs.com
    default-router 192.168.155.1
    dns-server 8.8.8.8 192.168.155.86
    lease 0 12
    !
    !
    dot11 syslog
    dot11 activity-timeout client default 360
    dot11 vlan-name FDSwep vlan 155
    !
    dot11 ssid FDSwep01
    vlan 155
    authentication open
    mobility network-id 155
    bridge irb
    !
    !
    interface Dot11Radio0
    no ip address
    no ip route-cache
    !
    encryption vlan 155 key 1 size 128bit 7 048492AE82F31C056E3B510F447B transmit-key
    encryption vlan 155 mode wep mandatory
    !
    ssid FDSwep01
    !
    antenna gain 5
    speed basic-1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
    station-role root ap-only
    concatenation
    no dot11 qos mode
    infrastructure-client
    !
    interface Dot11Radio0.155
    encapsulation dot1Q 155 native
    no ip route-cache
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 port-protected
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    !
    interface FastEthernet0
    no ip address
    no ip route-cache
    !
    interface FastEthernet0.155
    encapsulation dot1Q 155 native
    no ip route-cache
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    !
    interface BVI1
    ip address 192.168.155.91 255.255.255.0
    no ip route-cache
    !
    ip default-gateway 192.168.155.1
    ip http server
    ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1
    bridge 1 route ip
    retlaw, Mar 17, 2011
    #4
  5. As I, too, am currently studying Aironet-Wireless (AP1231G-E, also first
    IOS-AP I configure), I have looked into your config. Found some mistake
    I made, too:

    "mobility network ID": I, too, made the mistake to believe, this has
    sth. to do with my VLANS, which is not true when you only have a single
    AP. I still have to learn what mGRE-Tunnels are, but they seem to be
    used in roaming environments/WDS. Consult e.g. the Cisco Command Lookup
    Tool for more information on this.
    I had to remove "mobility network id" from my SSID-Configs to make it work.

    As you now know, Cisco APs are layer-2 devices and don't do routing,
    while NAT is layer-3 feature. But you can use IP ACLs. Layer-3-support
    is not completely missing :)

    I am unsure about your "antenna gain" Config. AFAIK this one defines the
    gain compared to a standard dipole antenna (2,2dBi), so the value should
    reflect your dBd-Gain, in your special case 3 dBd. Someone please
    correct me if I am wrong! I am still learning!

    I also don't know what "concatenation" in your dot11radio-config means.
    But I am sure you don't need it. "infrastructure client" is not needed
    when your AP is root-only, this one is for Repeater- or WGB-Configs.
    Remove it from your config.

    I, too, still have to find out, why IP addresses can be assigned to
    other interfaces than BVI1. Catalyst switches don't allow this. And I
    still have to find out, why a "shutdown" on FastEthernet0 doesn't take
    the Ethernet link down. Other Cisco devices work different here. Maybe
    there are design-flaws left in the wireless IOS ;)

    have fun

    Thomas Caspari

    Am 17.03.2011 20:24, schrieb retlaw:
    > On Mar 17, 8:30 am, Doug McIntyre<> wrote:
    >>
    >> Having the access-point not do NAT is a benefit for most enterprise
    >> type networks. Most access-point WiFi devices way back when started
    >> out as bridges only until the home market starting wrapping them all
    >> up in routers doing NAT.
    >>
    >> Although, I've been in some small business offices that have NAT layer
    >> after NAT layer after NAT layer. Sometimes 4-5 deep. Very difficult to
    >> troubleshoot what is going on then.

    >
    > I'm beginning to see....
    >
    > OK, so here's the latest config.. I ended up using the web interface
    > rather than command line because I kept getting
    > errors that what I was doing wasn't supported...
    >
    > The problem is now I can't even associate to the WAP and it doesn't
    > appear in my list of available
    > SSID's on the wireless device.. I can manually enter the in, and then
    > I get a status on the the signal strength, however
    > it's now indicating WEAK or NOT-IN-RANGE even when I'm just feet away
    > from it?? Ideas?
    >
    > thanks
    >
    >
    >
    > Using 5037 out of 32768 bytes
    > !
    > ! Last configuration change at 11:32:08 PDT Thu Mar 17 2011 by root
    > ! NVRAM config last updated at 11:32:08 PDT Thu Mar 17 2011 by root
    > !
    > version 12.4
    > no service pad
    > service timestamps debug datetime msec
    > service timestamps log datetime msec
    > service password-encryption
    > !
    > hostname FDSDMZ
    > !
    > logging rate-limit console 9
    > enable secret 5 $1$XJ4/$egyH5hcl2/r88br3ymF4J/
    > !
    > no aaa new-model
    > clock timezone PST -8
    > clock summer-time PDT recurring
    > ip domain name fdbs.com
    > ip name-server 192.168.155.86
    > ip dhcp database nvram:dhcp-leases.txt
    > no ip dhcp use vrf connected
    > ip dhcp excluded-address 192.168.155.1 192.168.155.200
    > ip dhcp ping packets 1
    > !
    > ip dhcp pool fdswep
    > network 192.168.155.0 255.255.255.0
    > subnet prefix-length 24
    > domain-name fdbs.com
    > default-router 192.168.155.1
    > dns-server 8.8.8.8 192.168.155.86
    > lease 0 12
    > !
    > !
    > dot11 syslog
    > dot11 activity-timeout client default 360
    > dot11 vlan-name FDSwep vlan 155
    > !
    > dot11 ssid FDSwep01
    > vlan 155
    > authentication open
    > mobility network-id 155
    > bridge irb
    > !
    > !
    > interface Dot11Radio0
    > no ip address
    > no ip route-cache
    > !
    > encryption vlan 155 key 1 size 128bit 7 048492AE82F31C056E3B510F447B transmit-key
    > encryption vlan 155 mode wep mandatory
    > !
    > ssid FDSwep01
    > !
    > antenna gain 5
    > speed basic-1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
    > station-role root ap-only
    > concatenation
    > no dot11 qos mode
    > infrastructure-client
    > !
    > interface Dot11Radio0.155
    > encapsulation dot1Q 155 native
    > no ip route-cache
    > bridge-group 1
    > bridge-group 1 subscriber-loop-control
    > bridge-group 1 port-protected
    > bridge-group 1 block-unknown-source
    > no bridge-group 1 source-learning
    > no bridge-group 1 unicast-flooding
    > bridge-group 1 spanning-disabled
    > !
    > interface FastEthernet0
    > no ip address
    > no ip route-cache
    > !
    > interface FastEthernet0.155
    > encapsulation dot1Q 155 native
    > no ip route-cache
    > bridge-group 1
    > no bridge-group 1 source-learning
    > bridge-group 1 spanning-disabled
    > !
    > interface BVI1
    > ip address 192.168.155.91 255.255.255.0
    > no ip route-cache
    > !
    > ip default-gateway 192.168.155.1
    > ip http server
    > ip http secure-server
    > ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    > ip radius source-interface BVI1
    > bridge 1 route ip
    Thomas Caspari, Mar 18, 2011
    #5
  6. Layer-2 stays up on shutdown...

    ....one thought that just jumped into my mind: maybe the ethernet layer
    stays up because this AP supports to be powered via POE, which _must_
    work regardless of shutdown status. But I am not sure...the
    documentation did not tell me anything about this behaviour...

    ....but that's not YOUR Problem :) it's MINE.

    regards

    Thomas Caspari
    Thomas Caspari, Mar 18, 2011
    #6
  7. retlaw

    retlaw Guest

    On Mar 18, 10:40 am, Thomas Caspari <> wrote:
    > As I, too, am currently studying Aironet-Wireless (AP1231G-E, also first
    > IOS-AP I configure), I have looked into your config. Found some mistake
    > I made, too:
    >
    > "mobility network ID": I, too, made the mistake to believe, this has
    > sth. to do with my VLANS, which is not true when you only have a single
    > AP. I still have to learn what mGRE-Tunnels are, but they seem to be
    > used in roaming environments/WDS. Consult e.g. the Cisco Command Lookup
    > Tool for more information on this.
    > I had to remove "mobility network id" from my SSID-Configs to make it work.
    >
    > As you now know, Cisco APs are layer-2 devices and don't do routing,
    > while NAT is layer-3 feature. But you can use IP ACLs. Layer-3-support
    > is not completely missing :)
    >
    > I am unsure about your "antenna gain" Config. AFAIK this one defines the
    > gain compared to a standard dipole antenna (2,2dBi), so the value should
    > reflect your dBd-Gain, in your special case 3 dBd. Someone please
    > correct me if I am wrong! I am still learning!
    >
    > I also don't know what "concatenation" in your dot11radio-config means.
    > But I am sure you don't need it. "infrastructure client" is not needed
    > when your AP is root-only, this one is for Repeater- or WGB-Configs.
    > Remove it from your config.
    >
    > I, too, still have to find out, why IP addresses can be assigned to
    > other interfaces than BVI1. Catalyst switches don't allow this. And I
    > still have to find out, why a "shutdown" on FastEthernet0 doesn't take
    > the Ethernet link down. Other Cisco devices work different here. Maybe
    > there are design-flaws left in the wireless IOS ;)
    >


    OK, I took your suggestions and it's better....

    I now have syslog messages "DHCPD-3-WRITE_ERROR: DHCP could not write
    bindings to nvram:dhcp-leases.txt."

    however, "show ip dhcp database" says

    URL : nvram:dhcp-leases.txt
    Read : Mar 18 2011 12:30 PM
    Written : Mar 18 2011 12:39 PM
    Status : Last write succeeded. Agent information is up-to-date.
    Delay : 300 seconds
    Timeout : 300 seconds
    Failures : 3
    Successes: 2



    here's the latest config....

    Using 4588 out of 32768 bytes
    !
    ! Last configuration change at 12:34:34 PDT Fri Mar 18 2011 by root
    ! NVRAM config last updated at 12:35:21 PDT Fri Mar 18 2011 by root
    !
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname WAP
    !
    logging rate-limit console 9
    enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxx
    !
    no aaa new-model
    clock timezone PST -8
    clock summer-time PDT recurring
    ip domain name domain.com
    ip name-server 192.168.155.86
    ip dhcp database nvram:dhcp-leases.txt
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.155.1 192.168.155.200
    ip dhcp ping packets 1
    !
    ip dhcp pool fdswep
    network 192.168.155.0 255.255.255.0
    subnet prefix-length 24
    domain-name fdbs.com
    default-router 192.168.155.1
    dns-server 8.8.8.8 192.168.155.86
    lease 0 12
    !
    !
    dot11 syslog
    !
    dot11 ssid WAP1310
    authentication open
    !
    bridge irb
    !
    !
    interface Dot11Radio0
    no ip address
    no ip route-cache
    !
    encryption key 1 size 128bit 7 E7D3C409175A6C377B164B721406 transmit-key
    encryption mode wep mandatory
    !
    ssid WAP1310
    !
    antenna gain 3
    station-role root ap-only
    no dot11 qos mode
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    !
    interface FastEthernet0
    no ip address
    no ip route-cache
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    !
    interface BVI1
    ip address 192.168.155.91 255.255.255.0
    no ip route-cache
    !
    ip default-gateway 192.168.155.1
    ip http server
    ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1
    bridge 1 route ip
    !
    retlaw, Mar 18, 2011
    #7
  8. retlaw

    retlaw Guest

    On Mar 18, 10:40 am, Thomas Caspari <> wrote:
    > As I, too, am currently studying Aironet-Wireless (AP1231G-E, also first
    > IOS-AP I configure), I have looked into your config. Found some mistake
    > I made, too:
    >
    > "mobility network ID": I, too, made the mistake to believe, this has
    > sth. to do with my VLANS, which is not true when you only have a single
    > AP. I still have to learn what mGRE-Tunnels are, but they seem to be
    > used in roaming environments/WDS. Consult e.g. the Cisco Command Lookup
    > Tool for more information on this.
    > I had to remove "mobility network id" from my SSID-Configs to make it work.
    >
    > As you now know, Cisco APs are layer-2 devices and don't do routing,
    > while NAT is layer-3 feature. But you can use IP ACLs. Layer-3-support
    > is not completely missing :)
    >
    > I am unsure about your "antenna gain" Config. AFAIK this one defines the
    > gain compared to a standard dipole antenna (2,2dBi), so the value should
    > reflect your dBd-Gain, in your special case 3 dBd. Someone please
    > correct me if I am wrong! I am still learning!
    >
    > I also don't know what "concatenation" in your dot11radio-config means.
    > But I am sure you don't need it. "infrastructure client" is not needed
    > when your AP is root-only, this one is for Repeater- or WGB-Configs.
    > Remove it from your config.
    >
    > I, too, still have to find out, why IP addresses can be assigned to
    > other interfaces than BVI1. Catalyst switches don't allow this. And I
    > still have to find out, why a "shutdown" on FastEthernet0 doesn't take
    > the Ethernet link down. Other Cisco devices work different here. Maybe
    > there are design-flaws left in the wireless IOS ;)
    >


    OK, I took your suggestions and it's better....

    I now have syslog messages "DHCPD-3-WRITE_ERROR: DHCP could not write
    bindings to nvram:dhcp-leases.txt."


    however, "show ip dhcp database" says


    URL : nvram:dhcp-leases.txt
    Read : Mar 18 2011 12:30 PM
    Written : Mar 18 2011 12:39 PM
    Status : Last write succeeded. Agent information is up-to-date.
    Delay : 300 seconds
    Timeout : 300 seconds
    Failures : 3
    Successes: 2


    here's the latest config....


    Using 4588 out of 32768 bytes
    !
    ! Last configuration change at 12:34:34 PDT Fri Mar 18 2011 by root
    ! NVRAM config last updated at 12:35:21 PDT Fri Mar 18 2011 by root
    !
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname WAP
    !
    logging rate-limit console 9
    enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxx
    !
    no aaa new-model
    clock timezone PST -8
    clock summer-time PDT recurring
    ip domain name domain.com
    ip name-server 192.168.155.86
    ip dhcp database nvram:dhcp-leases.txt
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.155.1 192.168.155.200
    ip dhcp ping packets 1
    !
    ip dhcp pool fdswep
    network 192.168.155.0 255.255.255.0
    subnet prefix-length 24
    domain-name fdbs.com
    default-router 192.168.155.1
    dns-server 8.8.8.8 192.168.155.86
    lease 0 12
    !
    !
    dot11 syslog
    !
    dot11 ssid WAP1310
    authentication open
    !
    bridge irb
    !
    !
    interface Dot11Radio0
    no ip address
    no ip route-cache
    !
    encryption key 1 size 128bit 7 E7D3C409175A6C377B164B721406 transmit-key
    encryption mode wep mandatory
    !
    ssid WAP1310
    !
    antenna gain 3
    station-role root ap-only
    no dot11 qos mode
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    !
    interface FastEthernet0
    no ip address
    no ip route-cache
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    !
    interface BVI1
    ip address 192.168.155.91 255.255.255.0
    no ip route-cache
    !
    ip default-gateway 192.168.155.1
    ip http server
    ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1
    bridge 1 route ip
    !
    retlaw, Mar 18, 2011
    #8
  9. retlaw

    retlaw Guest

    Update......

    I took the DHCP out of the equation, and setup a separate DHCP
    server.. still no joy.

    Then, I removed WEP encryption from the Dot11Radio.. I now get
    connected and an address from the new server...

    next step, put DHCP back on the AP and see if it works without WEP.
    retlaw, Mar 18, 2011
    #9
  10. When configuring a Cisco functionality for the very first time, it's
    generally a good idea to proceed step-by-step. The same applies to e.g.
    radius-servers (Linux/Freeradius - not running here yet).

    With WEP/WPA/WPA2 I can help you out, as I have an experimental
    _working_ config with 5 SSIDs, 5 VLANs with separate encryption types
    and keys for each VLAN, an external DHCP Server for ALL wireless VLANs
    (2621-Router, 5 pools) and any PSK-Encryption available. The enterprise
    functions I am still studying. I have not used the internal DHCP
    function, as DHCP should also be available for ethernet connections.

    Have you read the manual for your AP? Encryption is not intuitive, you
    have to know significantly more compared to the installation of cheap
    SOHO-WLAN devices.

    I will give you a simplified extract from my config with dummy
    passwords. No VLAN, one SSID, encryption WPA and/or WPA2. This option is
    called "migration mode". You can also add WEP (see commented lines in
    config example), which I have left out here. Your client should be able
    to associate using:
    WPA-PSK or WPA2-PSK (both working simultaneously on same SSID)
    SSID: "my-experimental-ssid"
    password: "my-experimental-password"

    ---cut---
    dot11 ssid my-experimental-ssid
    authentication open
    authentication key-management wpa
    ! to add WEP, replace with:
    ! authentication key-management wpa optional
    !
    ! make SSID "visible":
    guest-mode
    wpa-psk ascii 0 my-experimental-password

    interface Dot11Radio0
    no ip address
    no ip route-cache
    ! here you define your encryption modes
    ! "migration mode" if more than one cipher selected
    ! to add WEP, change this to:
    ! "encryption mode ciphers aes-ccm tkip wep128"
    ! or:
    ! "encryption mode ciphers aes-ccm tkip wep40"
    ! then change your SSID-config as remarked under SSID config
    ! and add a WEP-transmit-key, e.g.
    ! encryption key 1 size 128bit 0 12345678901234567890123456
    encryption mode ciphers aes-ccm tkip
    ssid my-experimental-ssid
    !
    speed default
    no power client local
    station-role root access-point
    ! the rest is default:
    no cdp enable
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled

    interface BVI1
    ip address <define_your_APs_IP_here>
    no ip route-cache

    interface FastEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    no cdp enable
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    ---cut---

    I do not post the complete config, as I have the EMEA version, we have
    different regulations here. I do not use "antenna gain". The manual of
    my AP1231G says it's only an informational setting for use with WLSE, it
    doesn't change the APs behaviour. The manual doesn't explain if this
    value reflects dBi or dBd. I use "power local" settings which I
    calculate manually for my antennas.

    Now have success and fun ;)

    Greets from Germany

    Thomas Caspari

    Am 18.03.2011 23:02, schrieb retlaw:
    > Update......
    >
    > I took the DHCP out of the equation, and setup a separate DHCP
    > server.. still no joy.
    >
    > Then, I removed WEP encryption from the Dot11Radio.. I now get
    > connected and an address from the new server...
    >
    > next step, put DHCP back on the AP and see if it works without WEP.
    >
    Thomas Caspari, Mar 19, 2011
    #10
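
The checks suggested across this thread (the only IP address on BVI1, the DHCP pool in the BVI subnet, `guest-mode` to make the SSID visible, no `mobility network-id` or `infrastructure-client` on a single root AP, WEP as the only cipher) written as a small config linter. This is an added example, not code from any poster; `audit`, the finding codes and the sample (condensed from the first config in the thread) are assumptions of the example, and it expects the indentation a device prints in `show running-config`, which the forum paste lost.

```python
import ipaddress
import re

# Constructed sample: condensed from the first config posted in the thread,
# re-indented the way the device prints it (the forum paste lost the indent).
SAMPLE_CONFIG = """\
ip dhcp pool dhcppool
 network 192.168.11.0 255.255.255.0
 default-router 192.168.11.1
!
dot11 ssid BR1310
 authentication open
 guest-mode
!
bridge irb
!
interface Dot11Radio0
 ip address 192.168.11.1 255.255.255.0
 !
 encryption mode wep mandatory
 !
 ssid BR1310
 station-role root ap-only
 infrastructure-client
 bridge-group 1
!
interface FastEthernet0
 no ip address
 bridge-group 1
!
interface BVI1
 ip address 192.168.155.91 255.255.255.0
!
"""

HEADER = re.compile(r"(interface|ip dhcp pool|dot11 ssid) \S+")
WEP_ONLY = re.compile(r"encryption (vlan \d+ )?mode wep mandatory")


def parse_sections(text):
    """Map each interface / DHCP pool / SSID header to its sub-commands."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue  # "!" separators also occur inside a radio interface block
        if raw[0].isspace():
            if current is not None:
                sections[current].append(line)
        else:
            current = line if HEADER.match(line) else None
            if current is not None:
                sections[current] = []
    return sections


def subnet(cmds, keyword):
    """Network of the first '<keyword> <address> <mask>' command, or None."""
    for cmd in cmds:
        m = re.fullmatch(rf"{keyword} (\S+) (\S+)", cmd)
        if m:
            try:
                return ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
            except ValueError:
                return None  # malformed address, e.g. a typo in a pasted config
    return None


def audit(text):
    """Return (finding_code, section_header) pairs for the thread's checks."""
    sec = parse_sections(text)
    bvi = subnet(sec.get("interface BVI1", []), "ip address")
    findings = []
    for name, cmds in sec.items():
        if name.startswith("interface ") and name != "interface BVI1":
            if subnet(cmds, "ip address") is not None:
                findings.append(("ip-off-bvi", name))  # the AP's one IP belongs on BVI1
            if any(WEP_ONLY.fullmatch(c) for c in cmds):
                findings.append(("wep-only", name))  # no WPA/WPA2 cipher configured
            root = any(c.startswith("station-role root") for c in cmds)
            if root and "infrastructure-client" in cmds:
                findings.append(("infra-client-on-root", name))
        elif name.startswith("ip dhcp pool "):
            pool = subnet(cmds, "network")
            if pool is not None and pool != bvi:
                findings.append(("pool-not-in-bvi-subnet", name))
        elif name.startswith("dot11 ssid "):
            if "guest-mode" not in cmds:
                findings.append(("ssid-not-broadcast", name))
            if any(c.startswith("mobility network-id") for c in cmds):
                findings.append(("mobility-id-on-single-ap", name))
    return findings


if __name__ == "__main__":
    for code, where in audit(SAMPLE_CONFIG):
        print(f"{where}: {code}")
```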
