Cisco Aironet AP1142N configuration (WPAv2 PSK, local MAC-auth only, ...)

Unanswered Question
Aug 16th, 2011

Hi,

I am a total Cisco Aironet AP newbie. I previously owned and successfully operated a Linksys WRVS4400N and a WRT54G in my home network. We just built a new house and design-wise the Cisco Aironet AP1142N was the only AP the wife was willing to accept on the wall in the living room. OK, 100 times overkill in a private environment but you do as your wife tells you.

I've downloaded the "Cisco IOS Software Configuration Guide for Cisco Aironet Access Points", Cisco IOS Releases 12.4(21a)JA1 and 12.3(8)JEC, February 2010, but being the mechanical engineer that I am I utterly fail in configuring the AP using the handbook!

I just want my Cisco Aironet AP1142N-E-K9 to do some very simple things (at least I think they are simple):

  • Authenticate 4 WLAN users via MAC-authentication (maybe a maximum of 10 later)
  • WPA2-PSK for all of them plus n-speed
  • use both 2.4 and 5 GHz bands if the clients support it, depending on radio signal, etc.

Some info on the network:

  • no RADIUS etc. server in the network, I do have a file server and a print server and setting up a RADIUS server seems far beyond my capabilities to be honest.
  • DHCP is available through the SDSL-modem/router, SDSL-modem/router is also gateway
  • AP is connected to network via Cisco Small Business Smart Switch SLM2024

I've used the web browser interface to configure the AP, but as I said - I failed!

I've browsed through the "Got examples" pages but could not find anything.

OK, I think I would prefer some config file I can upload or some telnet input so I can feed my AP via the wired network.

Here is what I figured out so far for telnet, italics will be replaced with actual MACs, names, etc.

1. Configuring the local authenticator access point, beginning in privileged exec mode:

enable
configure terminal
aaa new-model
! "radius-server local" enters local-authenticator config mode; the user entries belong inside it
radius-server local
 user HHHH.HHHH.HHHH password HHHH.HHHH.HHHH mac-auth-only
 user HHHH.HHHH.HHHH password HHHH.HHHH.HHHH mac-auth-only
 user HHHH.HHHH.HHHH password HHHH.HHHH.HHHH mac-auth-only
 user HHHH.HHHH.HHHH password HHHH.HHHH.HHHH mac-auth-only
end

2. Assigning authentication types to an SSID, again beginning in privileged exec mode:

enable
configure terminal
dot11 ssid ssid-string
 authentication open mac-address ... ???
 ... ???
end

3. Configuring additional WPA settings, again beginning in privileged exec mode:

enable
configure terminal
! the SSID is defined globally with "dot11 ssid", then bound to each radio with "ssid"
dot11 ssid ssid-string
 wpa-psk ascii encryption-key
interface dot11radio 0
 ssid ssid-string
interface dot11radio 1
 ssid ssid-string
exit

Any help is highly appreciated!

Thank you very very much!!!

Cheers,

Lars

Stephen Rodriguez Tue, 08/16/2011 - 07:38

Lars,

You might be better off with:

! global config
access-list 700 permit HHHH.HHHH.HHHH
!
dot11 ssid ssid-string
 authentication open
 authentication key-management wpa version 2
 wpa-psk ascii encryption-key
!
! same two lines under interface dot11radio 0 and interface dot11radio 1
interface dot11radio 0
 encryption mode ciphers aes-ccm
 ssid ssid-string
interface dot11radio 1
 encryption mode ciphers aes-ccm
 ssid ssid-string
!
! back in global config
dot11 association mac-list 700

While it's not mac authentication, what this does is stop any device not in the 700 ACL from even associating to the radios.  Which is a bit better for keeping off those pesky neighbors.

larsbehnke Tue, 08/16/2011 - 13:28

Stephen, sorry, it didn't work out for me. I've attached the config.txt file for your reference. I got several error messages during the telnet session.

Result: both radios enabled but I cannot connect to the AP with my notebook (Intel Centrino 6205).

[EDIT: Removed old config for reasons of clarity and thread readability.]

Looking forward to your input!

Cheers,

Lars

surbg Tue, 08/16/2011 - 17:24

In the meantime remove the below command which is under the SSID:

dot11 ssid aether
 no infrastructure-ssid

Now try connecting..

Please don't forget to rate the useful posts!!

Regards
Surendra
Stephen Rodriguez Wed, 08/17/2011 - 14:22

Under the dot11radio 0:

no l2-filter bridge-group-acl

This blocks ARP, which is why you can't get to it.

larsbehnke Thu, 08/18/2011 - 00:17

OK, I edited the configuration, as you can see in my posting, but I still cannot access my server via WLAN. Internet works just fine.

Cheers,

Lars

Stephen Rodriguez Thu, 08/18/2011 - 07:09

You should also remove

bridge-group 1 input-address-list 700
bridge-group 1 output-address-list 700

You can actually remove the ACL 700, dot11 mac association-list 700 as well, if you want.

HTH,

Steve

larsbehnke Thu, 08/18/2011 - 11:37

Why? I thought this was necessary for MAC filtering ...

MAC filtering and WPA2-PSK for both radios is what I want. OK, and I still have to figure out how to access my server via WLAN ...

Thanks!

Cheers,

Lars

Stephen Rodriguez Thu, 08/18/2011 - 11:51

MAC filtering will work with just the ACL 700, and dot11 association mac-list 700. This keeps clients not in the list from talking to the radio.

larsbehnke Fri, 08/19/2011 - 09:12

Stephen, OK, thanks! I modified the configuration above.

Now what about LAN/server access, any other idea?

Thank you!

Cheers,

Lars

larsbehnke Wed, 08/17/2011 - 14:19

Stephen, Surendra - thank you!

Below is a working config. There's a lot that I do not understand right now, I used both telnet and the web interface for the configuration and it took some trial and error as well ... Thank you very much for your help so far!!!

Here is a list of links that were useful:

The only thing I noticed is that I cannot access my file server via WLAN. Maybe because WLAN and LAN do have different names (Aether and Copper)? I can only access my server via my LAN connection at the moment. Any hints on that? I guess I have to configure both my AP and my switch (Cisco Small Business Smart Switch SLM2024) to some extent?

Also, if there is something that's simply bovine fecal matter in the config I posted below please let me know so I can optimize my config.txt.

THANK YOU!!!

Cheers,

Lars

!
! Last configuration change at 17:15:31 +0100 Wed Aug 17 2011 by Cisco
! NVRAM config last updated at 17:15:31 +0100 Wed Aug 17 2011 by Cisco
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Cisco1142N
!
enable secret 5
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
clock timezone +0100 1
!
!
dot11 association mac-list 700
dot11 syslog
!
dot11 ssid Aether
 authentication open
 authentication key-management wpa version 2
 guest-mode
 wpa-psk ascii 7
!
dot11 network-map
!
!
username password 7
username autocommand exit
username Cisco privilege 15 password 7
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 ssid Aether
 !
 antenna gain 0
 speed  basic-1.0 basic-2.0 basic-5.5 basic-11.0 basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
 station-role root
 no l2-filter bridge-group-acl
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 ssid Aether
 !
 antenna gain 0
 no dfs band block
 speed  basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
 channel dfs
 station-role root
 no l2-filter bridge-group-acl
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no keepalive
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address dhcp client-id GigabitEthernet0
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
access-list 700 permit    0000.0000.0000
access-list 700 deny   0000.0000.0000   ffff.ffff.ffff
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
bridge 1 route ip
!
!
!
line con 0
 length 256
 width 128
line vty 0 4
 length 256
 width 128
!
sntp server 192.43.244.18
sntp broadcast client
end
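As an added example that is not part of this thread and not a Cisco tool: a small Python audit that reads an IOS-style AP config like the one posted above, evaluates a type-700 MAC ACL the way Stephen describes it (first matching entry wins, everything not permitted is refused association) and reports the checks this thread cares about: WPA2 key management on the SSID and AES-CCM on both radios. The sample config and the MAC in it are constructed; the plain-HTTP finding is my own check, prompted by the `ip http server` / `no ip http secure-server` lines in the posted config.

```python
import re

# Constructed sample modelled on the config posted in this thread; the MAC is a placeholder.
SAMPLE_CONFIG = """dot11 association mac-list 700
dot11 ssid Aether
 authentication open
 authentication key-management wpa version 2
interface Dot11Radio0
 encryption mode ciphers aes-ccm
 ssid Aether
interface Dot11Radio1
 encryption mode ciphers aes-ccm
 ssid Aether
ip http server
no ip http secure-server
access-list 700 permit    0011.2233.4455
access-list 700 deny   0000.0000.0000   ffff.ffff.ffff
"""

def parse_sections(cfg):
    # IOS layout: sub-commands are indented one space under their parent command
    sections, current = {}, None
    for line in (l for l in cfg.splitlines() if l.strip() and l[0] != "!"):
        if line[0] == " " and current is not None:
            current.append(line.strip())
        else:
            current = sections.setdefault(line.strip(), [])
    return sections

def acl_permits(cfg, acl_no, mac):
    """Type-700 MAC ACL: first match wins, implicit deny; 2nd address is a wildcard mask."""
    as_int = lambda m: int(m.replace(".", ""), 16)
    pat = re.compile(rf"^access-list {acl_no} (permit|deny)\s+(\S+)(?:\s+(\S+))?")
    for m in filter(None, map(pat.match, cfg.splitlines())):
        action, addr, wild = m.groups()
        care = 0xFFFFFFFFFFFF & ~as_int(wild or "0000.0000.0000")  # 1 bits in mask = ignore
        if as_int(mac) & care == as_int(addr) & care:
            return action == "permit"
    return False

def audit(cfg):
    """Findings for the settings discussed in the thread; an empty list means all pass."""
    s, out = parse_sections(cfg), []
    for k in s:
        if k.startswith("dot11 ssid ") and "authentication key-management wpa version 2" not in s[k]:
            out.append(f"{k}: WPA2 key management missing")
        if k.startswith("interface Dot11Radio") and "encryption mode ciphers aes-ccm" not in s[k]:
            out.append(f"{k}: AES-CCM cipher missing")
    if "ip http server" in s and "no ip http secure-server" in s:
        out.append("web management is plain HTTP; prefer ip http secure-server")
    return out
```

Run `audit(SAMPLE_CONFIG)` to see the findings, and `acl_permits(SAMPLE_CONFIG, 700, "0011.2233.4455")` to check whether a given client MAC would be allowed to associate.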
