
Security on 1130ag

Armegeden
Level 1

I'm new to Cisco APs. I'm trying to set up security per VLAN on a new 1130ag.

I finally got the Guest VLAN configured for Open Authentication (I'll lock down VLAN access after I get the AP set up, it's not live yet). Where is the option to broadcast SSID for this Guest access? I have to manually enter in the network...

But more importantly, I'm trying to set up an INT VLAN on the AP with security enabled. Looking through the SSID Management section, here is what I have:

INT should be the SSID name, and I'm wanting to broadcast this, but like the Guest VLAN, it's not showing up.

VLAN1

radio ag

Open Auth no addition

Key Mngmnt Mandatory

enable WPA WPAv2

WPA pre-shared key: cisco ASCII

These are the options I've enabled in hopes of requiring a client to type "cisco" to connect, and have WPA2 for encryption.

Am I doing something wrong? I manually enter the INT for the wireless network and get "Connection timed out", but am able to connect to the Open 'Guest' network.

And again, I see the "Broadcast SSID" in the Quick Security Setup option, but not in the SSID Management section.

Thanks for reading. And thanks for any advice/tips.

Be well.


andrew.prince
Level 10

I got this working in a test lab a long time ago with an AP1131AG, below is part of the config, I hope it is relevant:-

!
dot11 ssid <>
   vlan 5
   mbssid guest-mode
!
dot11 ssid <>
   vlan 10
   mbssid guest-mode
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 ssid <>
 !
 ssid <>
 !
 mbssid
!
interface Dot11Radio0.5
 encapsulation dot1Q 5 native
 no ip route-cache
 bridge-group 5
 bridge-group 5 subscriber-loop-control
 bridge-group 5 block-unknown-source
 no bridge-group 5 source-learning
 no bridge-group 5 unicast-flooding
 bridge-group 5 spanning-disabled
!
interface Dot11Radio0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
 bridge-group 10 spanning-disabled
!

HTH.

Hello and thanks for the reply. I'm doing a side-by-side comparison with my config and I'm not seeing much difference.

Here is a clip of mine:

!
dot11 vlan-name GUEST vlan 3
dot11 vlan-name SCHOOL vlan 2
!
dot11 ssid GUEST
   vlan 3
   authentication open
!
dot11 ssid INT
   vlan 1
   authentication open
   authentication key-management wpa version 2
   wpa-psk ascii 7 05giberish123
!
dot11 ssid SCHOOL
   vlan 2
   authentication open
   authentication key-management wpa version 2
   wpa-psk ascii 7 12giberish123
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 1 mode ciphers tkip
 !
 encryption vlan 2 mode ciphers aes-ccm tkip
 !
 ssid GUEST
 !
 ssid INT
 !
 ssid SCHOOL
 !
 !
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
 bridge-group 2 spanning-disabled
!
interface Dot11Radio0.3
 encapsulation dot1Q 3
 no ip route-cache
 bridge-group 3
 bridge-group 3 subscriber-loop-control
 bridge-group 3 block-unknown-source
 no bridge-group 3 source-learning
 no bridge-group 3 unicast-flooding
 bridge-group 3 spanning-disabled
!

Pardon if this is too much info, not really sure which is vital.

Does this look correct for setting up WPA2? How about having the SSIDs non-hidden?

A side-by-side comparison would have shown that you have missed:-

"mbssid guest-mode" in each of the dot11 ssid configurations i.e:-

dot11 ssid GUEST
   mbssid guest-mode

"mbssid" is required under the dot11radio0 interface to actually indicate more than one ssid should be sent in the beacon i.e:-

interface Dot11Radio0
 mbssid

Add the above and test, let me know of your results.

The WPA2 config looks ok.
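
The comparison described in the last reply can be run mechanically. The following is an added example, not part of the thread and not a Cisco tool: it reads a saved AP config, reports every SSID bound to a radio that lacks "mbssid guest-mode", any radio with several SSIDs but no "mbssid", and any SSID with no key management. It assumes the indentation of `show running-config` output; the function names and the sample text are constructed for illustration.

```python
# Constructed sample: the question's config, trimmed, with the wpa-psk lines left out.
SAMPLE = """\
dot11 ssid GUEST
   vlan 3
   authentication open
!
dot11 ssid INT
   vlan 1
   authentication open
   authentication key-management wpa version 2
!
interface Dot11Radio0
 ssid GUEST
 ssid INT
 station-role root
"""

def sections(config):
    """Split IOS config text into {top-level line: [indented sub-commands]}."""
    out, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue  # separators carry no settings
        if raw[0].isspace() and current is not None:
            out[current].append(line)
        else:
            current = line
            out[current] = []
    return out

def audit(config):
    """List SSIDs that are not beaconed or that have no key management."""
    secs, findings = sections(config), []
    ssids = {h.split()[2]: b for h, b in secs.items() if h.startswith("dot11 ssid ")}
    for head, body in secs.items():
        if not head.startswith("interface Dot11Radio") or "." in head:
            continue  # skip non-radio sections and VLAN subinterfaces
        bound = [l.split()[1] for l in body if l.startswith("ssid ")]
        if len(bound) > 1 and "mbssid" not in body:
            findings.append(f"{head.split()[1]}: 'mbssid' missing on radio")
        for name in bound:
            sbody = ssids.get(name, [])
            if not any(l.startswith("mbssid guest-mode") for l in sbody):
                findings.append(f"{name}: not broadcast, no 'mbssid guest-mode'")
            if not any(l.startswith("authentication key-management") for l in sbody):
                findings.append(f"{name}: open, no key management")
    return findings
```

Calling `audit(SAMPLE)` flags the radio and both SSIDs; after the two additions from the reply, only the open GUEST finding remains.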
