Multiple Cisco Aironet 1131AG access points and same SSID?

Answered Question
Dec 23rd, 2009

We have multiple Cisco Aironet 1131AG devices, all wired on one Cisco L2 switch(2560)  who is connected to L3 switch (3550). We assigned one VLAN for access point in L3 switch who acts as vtp server (L2 switch is vtp client). All ap's will have static ip address and all will have same SSID and no security and they will be using multiple channels (ex. 1,6,11).  They will operate in 3 floor building for roaming wireless client. We won't using any wireless controller.

So my question is this: How to configure APs-all the same with different ip's, can we use L3 switch to create dhcp server for access points VLAN (pool for clients, and the rest for static ip for ap's)? Can one of the ap's be WDS and in the same time local radius server with users without Cisco Secure ACS or similar controller or I didn't understand this quite well :-). I followed guide http://www.cisco.com/en/US/docs/wireless/access_point/12.3_2_JA/configuration/guide/s32roamg.html for WDS where the part abou Cisco ACS is a problem, so I can use same ap as Local Authenticator as in guide  http://www.cisco.com/en/US/docs/wireless/access_point/12.3_4_JA/configuration/guide/s34local.html#wp1035723.

Many thanks...

I have this problem too.
0 votes
Correct Answer by jeff.kish about 6 years 11 months ago

Well, just so you know, WDS and local RADIUS authentication is only needed if you're using authentication on your wireless connection.  You say you're not planning to use security, so this isn't necessary.  However, I'd highly recommend at least using a simple WPA2-PSK to lock down your connection, otherwise you might end up giving free Internet access at best, and at worst you might be giving access to company PCs and servers.  If you want to further use an 802.1x or WPA authentication method, then yes, you can use an AP as a RADIUS server and WDS to improve authenticated roaming, but this is far more limited than using a Cisco ACS.

As for your other questions, yes, your APs can all be configured the same except for at least three parameters: IP address, channel, and hostname.  Configure your static IP addresses on the AP's BVI1 interface.  Don't place it on the Radio or Ethernet interfaces, because if either of these interfaces goes down you'll lose the ability to configure the AP, so it's best to use the BVI1 interface.

And yes, configuring a DHCP scope for your clients on your L3 switch is a good design, or you could also use your DHCP server on a different subnet by using the ip helper-address command on the L3 interface.  I hope this helps!  Let me know if you need help configuring any of this.

Merry Christmas!


Jeff

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Correct Answer
jeff.kish Thu, 12/24/2009 - 06:29

Well, just so you know, WDS and local RADIUS authentication is only needed if you're using authentication on your wireless connection.  You say you're not planning to use security, so this isn't necessary.  However, I'd highly recommend at least using a simple WPA2-PSK to lock down your connection, otherwise you might end up giving free Internet access at best, and at worst you might be giving access to company PCs and servers.  If you want to further use an 802.1x or WPA authentication method, then yes, you can use an AP as a RADIUS server and WDS to improve authenticated roaming, but this is far more limited than using a Cisco ACS.

As for your other questions, yes, your APs can all be configured the same except for at least three parameters: IP address, channel, and hostname.  Configure your static IP addresses on the AP's BVI1 interface.  Don't place it on the Radio or Ethernet interfaces, because if either of these interfaces goes down you'll lose the ability to configure the AP, so it's best to use the BVI1 interface.

And yes, configuring a DHCP scope for your clients on your L3 switch is a good design, or you could also use your DHCP server on a different subnet by using the ip helper-address command on the L3 interface.  I hope this helps!  Let me know if you need help configuring any of this.

Merry Christmas!


Jeff

Upgraded the firmware, but despite seeing slight changes in the interface for configuring logging (and having to go back in and re-do my selections), the logging still produces only blank results. Even when I click on the actual warning in the dashboard, which takes me to logs and that warning shows me something like "820", there's nothing in the logs.

p.s. it would also be nice if I could see who is logged on to/through the device (by ip or machine name would be fine) --and verify that my single ssid setup is working right (discontinuing use of an old repeater and sort of trying to use two rw120's in the same manner...

Actions

This Discussion