Solved: Question about existing radio config

John Blakley · ‎10-09-2008

All,

I have an AP that was configured like this:

dot11 ssid <ssid-wep>

authen open

Do0

ip address 1.1.1.1 255.255.255.0

encryption key 1 size 128bit <wep key> transmit-key

encryption mode wep mandatory

ssid <SSID>

bridge-group 1

fa0

ip address 1.1.1.1 255.255.255.0 (yes, they are the same on both interfaces)

bridge-group 1

bvi1

ip address 1.1.1.1 255.255.255.0 (yep, again)

Okay, so this configuration works, but I want to convert it to wpa with a broadcasted and secured side. I've created my ssid's, vlans, subinterfaces, and cannot connect.

Current config is this:

dot11 ssid <SSID 1>

vlan 150

authentication open

guest-mode

wpa-psk ...

dot11 ssid <ssid 2>

vlan 151

authen open

wpa-psk

do0

ip address 1.1.1.1 255.255.255.0

encryption key 1 size 128bit <wep key> transmit-key

encryption mode wep mandatory

ssid <ssid-wep>

ssid <ssid-1>

ssid <ssid-2>

bridge-group 1

do0.150

encapsulation dot1q 150

bridge 150

do0.151

encap dot1q 151

bridge 151

fa0

ip address 1.1.1.1 255.255.255.0

bridge 1

fa0.150

encap dot 150

bridge 150

fa0.151

encap dot 151

bridge 151

My question is this: Do I have to remove the current configuration for d0, and create a subinterface for vlan 1 to keep the wep configuration? I'm not able to connect at all. The guest ssid is broadcasted, but it almost immediately says disconnected, so I'm not sure where to look.

Thanks,

John

HTH, John *** Please rate all useful posts ***

jeff.kish · ‎10-09-2008

I notice a few things that you can do to fix this configuration:

1. Remove the IP address that's on fa0. This should not have an IP address on it.

2. You are missing a configuration line under your SSIDs. You need "authentication key-management wpa" in addition to "authentication open". Both are needed to make WPA-PSK work.

3. Under dot0, you should remove the WEP encryption commands and WEP SSID since they're no longer used. You'll then need to issue "encryption vlan XXX mode ciphers tkip aes-ccmp". You can pick tkip, aes, or both in that command, use whichever is appropriate.

This is all assuming that you no longer want WEP, which I assume is the case since both SSIDs have wpa-psk configured. Let me know if I'm misunderstanding.

View solution in original post

jeff.kish · ‎10-09-2008

I notice a few things that you can do to fix this configuration:

1. Remove the IP address that's on fa0. This should not have an IP address on it.

2. You are missing a configuration line under your SSIDs. You need "authentication key-management wpa" in addition to "authentication open". Both are needed to make WPA-PSK work.

3. Under dot0, you should remove the WEP encryption commands and WEP SSID since they're no longer used. You'll then need to issue "encryption vlan XXX mode ciphers tkip aes-ccmp". You can pick tkip, aes, or both in that command, use whichever is appropriate.

This is all assuming that you no longer want WEP, which I assume is the case since both SSIDs have wpa-psk configured. Let me know if I'm misunderstanding.