Base wireless config - 1811w router

Unanswered Question
Mar 3rd, 2009


Is there any chance someone could sketch out a basic wireless configuration for a SOHO Cisco 1811W router? I just need the wireless to connect to the base wired LAN - with both WEP and MAC authentication. And - can the MAC auth. parameters be configured via CLI and not have to use either SDM or CP? I can access the router via SDM - but the Wireless Application will not fire up - and CP doesn't work at all.

Thanks for any assistance you can lend.

jeff.kish Tue, 03/03/2009 - 13:35

I'm not too familiar with the web GUIs for Cisco routers. Can you upload your CLI configuration for us to take a look at? ISRs are tricky to configure properly. They require proper configuration of bridge-groups, which is automatically handled on Cisco APs via its web GUI.

iholdings Wed, 03/04/2009 - 05:32

I agree. APs are much easier to set up for wireless.

As I said - I basically just need to extend the wired LAN IP scheme to the wireless - but also need to force static WEP cypher and require MAC. It's probably easy to set this up using the Wireless Application in SDM (or CP), but in my case - SDM works but fails to load the wireless application.

Thanks for taking a swag at this. First time using the 1811W router.

jeff.kish Wed, 03/04/2009 - 05:57

I'm not sure what you mean by "require MAC". Are you saying that you want to do local MAC authentication?

Try these configuration lines:

conf t

ssid Wireless

authentication open

interface Dot11Radio0

encryption key 1 size 128bit WEP_KEY transmit-key

encryption mode wep mandatory

bridge-group 1

interface Vlan 1

bridge-group 1

bridge 1 route ip

Note that you can use 64bit instead of 128bit encryption if you so desire. Hopefully this works, let me know if it doesn't.

iholdings Wed, 03/04/2009 - 06:15

Yes - I need to be able to configure a list of MAC addresses on the router as a requirement for connecting approved devices. Simple on an AP (GUI), but I don't have that ability on this router - SDM works, but Wireless Application doesn't.


iholdings Wed, 03/04/2009 - 09:01

OK - tried your suggestions. Last command - 'bridge 1 route ip' triggered a prompt to turn irb on. The two radios immediately went to reset:

Dot11Radio0 unassigned YES NVRAM reset down

Dot11Radio1 unassigned YES NVRAM reset down

So I attempted to create BVI. Here is the current config - radios still in reset.

Hope I haven't messed things up too bad.

jeff.kish Wed, 03/04/2009 - 09:08

You're right that you need "bridge irb", I forgot about that command.

If you have the BVI enabled, you don't need the bridge-group 1 on your VLAN 1 interface. Remove that and see if it works.

Also, did your SSID get wiped? You'll need to create it again. That's probably why your radios are down - they are only up if there's an SSID attached.

Try this:

conf t

dot11 ssid Wireless

auth open

int dot0

ssid Wireless

iholdings Wed, 03/04/2009 - 11:39

Again - thank you for all of your assistance.

That did the trick - but I still don't see the ssid broadcast to be able to connect to the wireless. Also - will I need to add 'ssid Wireless' to Dot1 in order to have that working as well?

jeff.kish Wed, 03/04/2009 - 12:11

To enable the SSID broadcast, add the config line "guest-mode" to the dot11 ssid command:

conf t

dot11 ssid Wireless

guest-mode

And yes, adding "ssid Wireless" to your Dot1 interface will bring up that radio as well.

Glad to see this is working for you. Let me know if you continue to have issues.


iholdings Thu, 03/05/2009 - 10:46

OK - and thanks once more.

Attached is my final (hopefully) masked config. Still don't know how to set up the MAC address list for the 'authentication open mac-address'. I originally set this up to test on my LAN, but need to get this out to the remote site - so going with best effort.

The guest-mode parameter worked for broadcasting the ssid and wep worked - but it only allowed access to the Internet and not the local LAN.

This config has the following req.'s:

1. wired and wireless LAN access

2. IPSEC to home office for both

3. wep and mac-address authen. for wireless.

Is this coming close IYHO?


jeff.kish Mon, 03/09/2009 - 07:47

Sorry for the late response.

Try the following for local MAC authentication:

access-list 700 permit xxxx.xxxx.xxxx 0000.0000.0000

access-list 700 permit xxxx.xxxx.xxxx 0000.0000.0000




dot11 association mac-list 700

As for local/Internet traffic, if you can get to the Internet then your configuration on the AP is fine. It sounds like you have a problem with an ACL blocking you from local traffic. I don't see where it's getting blocked, though, unless it's somewhere else on the network. Try running a "show access-list" command while pinging local addresses and see if any of them are catching the traffic. You can tell by observing whether the matches are increasing as you ping.

iholdings Mon, 03/09/2009 - 11:36


Forgive my ignorance ...

is the access-list defined as

access-list 700 permit 0000.0000.0000.0000

... and there would need to be a similar entry for each allowed MAC?

jeff.kish Mon, 03/09/2009 - 12:52

Correct. Sorry, I should have clarified that in my post. List the MAC address in the form hhhh.hhhh.hhhh, where h = a hex number. 0000.0000.0000 is the mac wildcard mask to specify that only that address is specified. Simply list all of them out, then enter the permit any any statement at the end.

It's a pain to assemble, but you can easily copy/paste it to each AP. It's just cumbersome.

Just to toss this out there, but unless you need MAC authentication for a specific reason, there's almost no reason to use it. Wireless clients broadcast MAC addresses in the clear regardless of encryption used, and MAC addresses are easily spoofed. In other words, MAC authentication really only exists for organizational purposes. As for security, it's more or less worthless.
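
Added example, not part of the original posts: a small Python helper that assembles the ACL 700 entries discussed above from a device inventory written in mixed MAC notations. It emits only the two command forms shown in this thread; the function names and the sample inventory are constructed for illustration.

```python
import re

ACL_NUMBER = 700               # MAC ACL number used in the thread
EXACT_MASK = "0000.0000.0000"  # mask from the thread: match this one address only

def to_cisco_mac(raw):
    """Normalize aa:bb:cc:dd:ee:ff, AA-BB-.., aabb.ccdd.eeff or bare hex
    to the hhhh.hhhh.hhhh form. Raises ValueError on invalid input."""
    digits = re.sub(r"[.:\-\s]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    if int(digits[:2], 16) & 1:
        # Group bit set: multicast/broadcast, never a client's own address
        raise ValueError(f"multicast/broadcast address rejected: {raw!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))

def build_mac_acl(inventory, acl=ACL_NUMBER):
    """Return (config_lines, rejected) for an iterable of raw MAC strings."""
    seen, lines, rejected = set(), [], []
    for raw in inventory:
        raw = raw.split("#", 1)[0].strip()   # allow trailing comments
        if not raw:
            continue
        try:
            mac = to_cisco_mac(raw)
        except ValueError as exc:
            rejected.append(str(exc))
            continue
        if mac not in seen:                  # drop duplicates across notations
            seen.add(mac)
            lines.append(f"access-list {acl} permit {mac} {EXACT_MASK}")
    if lines:
        lines.append(f"dot11 association mac-list {acl}")
    return lines, rejected

# Constructed sample inventory (addresses are made up)
SAMPLE = """
00:1A:2B:3C:4D:5E   # laptop
00-1a-2b-3c-4d-5e   # same laptop, different notation
0200.5e10.0001      # printer
ff:ff:ff:ff:ff:ff   # broadcast, must be rejected
00:1A:2B:3C:4D      # too short
""".splitlines()

if __name__ == "__main__":
    config, errors = build_mac_acl(SAMPLE)
    print("\n".join(config))
    for err in errors:
        print("! skipped:", err)
```

Review the skipped entries before pasting the output into the router, since a mistyped address silently locks that device out.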

iholdings Mon, 03/09/2009 - 13:00


Thanks for all of your help. This will get me over the hurdle. I know MAC isn't the most trustworthy, but perhaps that coupled with WEP might be useful. I don't know what else I can use that could be enabled on the router - since I do not have a RADIUS server avail.

Again, thank you!!

jeff.kish Mon, 03/09/2009 - 14:47

Glad to help!

Without a RADIUS server, the best thing you can use is WPA-PSK. It configures almost identically to a WEP key, but the encryption and handshake protocols are much stronger. If you want to give it a try:

dot11 ssid Wireless

authentication open

authentication key-management wpa

wpa-psk ascii WPA_PASSWORD


int dot0

encryption mode ciphers aes-ccm tkip

ssid Wireless

(The tkip is required for legacy WPA clients, but can/should be omitted if possible)

iholdings Fri, 03/13/2009 - 07:29

OK (sorry for the long delay)

I seem to have no problem authenticating to the router - using WPA-PSK - but cannot pick up an IP address via DHCP.

Does the config for that look correct?

Thanks again.

elaine1990 Fri, 02/22/2013 - 02:38


I have been following this discussion and I have exactly the same problem.

Everything is already set. I followed the configuration above and I'm stuck at "Why can't the wireless device or the dot11 radio obtain ip from dhcp server?"

Any answer is very much appreciated.
