
Cisco Aironet 1140

jbohling1
Level 1

Hello, I am very new to the Cisco Aironet 1140 AP. I am trying to configure it the best and easiest possible way. I want to have two SSIDs: one that is for the guest network, with only internet access but still having a password, and no internal access to resources. I also want to have one SSID that is private for company access. How should I go about doing this? I have been using the GUI. I am running 12.4(21a)JA1.

 

Thanks

6 Replies

Hi,

As per the problem description, it seems to be an autonomous AP. Please confirm whether you are using a WLC or not. Send the output of show version from the AP.

I am not sure if webauth works fine with Autonomous APs though it is a feature.

Probably to restrict the client access you can put restrictions for the vlan at the wired side.

What are the two SSIDs you want to broadcast, and the VLANs from which you want the clients to get their IP addresses on those SSIDs? What is the security you are looking for (WPAv1/2 with TKIP/AES)?

Do let me know the above details and I will let you know the entire configuration.

 

Thanks and regards,

Manas Pratap Singh

 

 

 

Honestly I am not sure if it is a WLC.

 
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CISCO1142N37
!
enable secret 5 $1$2Tvm$Q.1xaeLOfxMWolFJ8kOJh1
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local 
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
!
!
dot11 syslog
dot11 vlan-name VLAN-1 vlan 1
dot11 vlan-name VLAN-2 vlan 2
!
dot11 ssid GUESTWIFI
   authentication open 
   authentication key-management wpa version 2
   mbssid guest-mode
   wpa-psk ascii 7 00261F13017C1E031C351D1F5B4A504F
!
dot11 ssid COMPANYWIFI
   authentication open 
   authentication key-management wpa version 2
   guest-mode
   wpa-psk ascii 7 044C05330A321D1C1C081D390B050F063C122E0C35
!
!
!
username admin privilege 15 password 7 2341234123423421341234
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm 
 !
 ssid GUESTWIFI
 !
 ssid COMPANYWIFI
 !
 antenna gain 0
 packet retries 128
 station-role root
 rts threshold 512
 rts retries 128
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm 
 !
 ssid GUESTWIFI
 !
 ssid COMPANYWIFI
 !
 antenna gain 0
 dfs band 3 block
 packet retries 128
 channel dfs
 station-role root
 rts threshold 512
 rts retries 128
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no keepalive
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address x.x.x.x x.x.x.x
 no ip route-cache
!
ip default-gateway x.x.x.x
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1 
radius-server local
!
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
!
end

Hi,

Please try the following configuration.

Note: XX and YY are the VLANs, and you have to put in the values based on your setup.

Settings for int gig0.0 and 1.0 may vary. Please send the output of sh ip int br.

 

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CISCO1142N37
!
enable secret 5 $1$2Tvm$Q.1xaeLOfxMWolFJ8kOJh1
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local 
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
!
!
dot11 syslog
dot11 vlan-name VLAN-1 vlan 1
dot11 vlan-name VLAN-2 vlan 2
!
dot11 ssid GUESTWIFI
   Vlan XX
   authentication open 
   authentication key-management wpa version 2
   mbssid guest-mode
   wpa-psk ascii 7 00261F13017C1E031C351D1F5B4A504F
!
dot11 ssid COMPANYWIFI
   Vlan YY
   authentication open 
   authentication key-management wpa version 2
   mbssid guest-mode
   wpa-psk ascii 7 044C05330A321D1C1C081D390B050F063C122E0C35
!
!
!
username admin privilege 15 password 7 2341234123423421341234
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 no encryption mode ciphers aes-ccm 
 encryption mode vlan XX ciphers aes-ccm 
 encryption mode vlan YY ciphers aes-ccm 
 !
 ssid GUESTWIFI
 !
 ssid COMPANYWIFI
 !
 antenna gain 0
 packet retries 128
 station-role root
 rts threshold 512
 rts retries 128
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 no encryption mode ciphers aes-ccm 
 encryption mode vlan XX ciphers aes-ccm 
 encryption mode vlan YY ciphers aes-ccm 
 !
 ssid GUESTWIFI
 !
 ssid COMPANYWIFI
 !
 antenna gain 0
 dfs band 3 block
 packet retries 128
 channel dfs
 station-role root
 rts threshold 512
 rts retries 128
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no keepalive
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!

Interface dot11radio0.XX
encapsulation dot1Q XX native 
no ip route-cache 
bridge-group 1 
bridge-group 1 subscriber-loop-control 
bridge-group 1 block-unknown-source 
no bridge-group 1 source-learning 
no bridge-group 1 unicast-flooding 
bridge-group 1 spanning-disabled


Interface dot11radio0.YY
encapsulation dot1Q YY
no ip route-cache 
bridge-group 2 
bridge-group 2 subscriber-loop-control 
bridge-group 2 block-unknown-source 
no bridge-group 2 source-learning 
no bridge-group 2 unicast-flooding 
bridge-group 2 spanning-disabled


Interface dot11radio1.XX
encapsulation dot1Q XX native 
no ip route-cache 
bridge-group 1 
bridge-group 1 subscriber-loop-control 
bridge-group 1 block-unknown-source 
no bridge-group 1 source-learning 
no bridge-group 1 unicast-flooding 
bridge-group 1 spanning-disabled


Interface dot11radio1.YY
encapsulation dot1Q YY
no ip route-cache 
bridge-group 2 
bridge-group 2 subscriber-loop-control 
bridge-group 2 block-unknown-source 
no bridge-group 2 source-learning 
no bridge-group 2 unicast-flooding 
bridge-group 2 spanning-disabled


Interface gig 0.XX
encapsulation dot1Q XX native 
no ip route-cache 
bridge-group 1 
bridge-group 1 subscriber-loop-control 
bridge-group 1 block-unknown-source 
no bridge-group 1 source-learning 
no bridge-group 1 unicast-flooding 
bridge-group 1 spanning-disabled

Interface gig0.YY
encapsulation dot1Q YY
no ip route-cache 
bridge-group 2 
bridge-group 2 subscriber-loop-control 
bridge-group 2 block-unknown-source 
no bridge-group 2 source-learning 
no bridge-group 2 unicast-flooding 
bridge-group 2 spanning-disabled


Interface gig 1.XX
encapsulation dot1Q XX native 
no ip route-cache 
bridge-group 1 
bridge-group 1 subscriber-loop-control 
bridge-group 1 block-unknown-source 
no bridge-group 1 source-learning 
no bridge-group 1 unicast-flooding 
bridge-group 1 spanning-disabled

Interface gig1.YY
encapsulation dot1Q YY
no ip route-cache 
bridge-group 2 
bridge-group 2 subscriber-loop-control 
bridge-group 2 block-unknown-source 
no bridge-group 2 source-learning 
no bridge-group 2 unicast-flooding 
bridge-group 2 spanning-disabled

 

 

Thanks and regards,

Manas Pratap Singh
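
An added example, not part of the original thread or any poster's configuration: a small Python check for the difference between the two configurations above. It parses an autonomous AP config and reports SSIDs that have no VLAN or that land in the same bridge-group; the sample configs are constructed, and VLAN IDs 10 and 20 are assumed stand-ins for XX and YY.

```python
import re

def audit(config):
    """List SSID/VLAN separation findings for an autonomous AP config."""
    ssid_vlan, vlan_bridge = {}, {}  # SSID -> VLAN or None; VLAN -> bridge-group
    ssid = sub_vlan = None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"dot11 ssid (\S+)", line, re.I):
            ssid, sub_vlan = m.group(1), None
            ssid_vlan[ssid] = None
        elif line == "!" or re.match(r"interface\s", line, re.I):
            ssid = sub_vlan = None  # a new section ends the previous one
        elif ssid and (m := re.match(r"vlan (\d+)$", line, re.I)):
            ssid_vlan[ssid] = int(m.group(1))
        elif m := re.match(r"encapsulation dot1q (\d+)", line, re.I):
            sub_vlan = int(m.group(1))  # inside a dot1Q subinterface
        elif sub_vlan is not None and (m := re.match(r"bridge-group (\d+)$", line, re.I)):
            vlan_bridge[sub_vlan] = int(m.group(1))
    findings, segment = [], {}
    for name, vlan in ssid_vlan.items():
        if vlan is None:
            findings.append(f"{name}: no VLAN, bridged untagged")
            segment.setdefault("the untagged bridge", []).append(name)
        elif vlan not in vlan_bridge:
            findings.append(f"{name}: VLAN {vlan} has no dot1Q subinterface")
        else:
            segment.setdefault(f"bridge-group {vlan_bridge[vlan]}", []).append(name)
    findings += [f"{' and '.join(n)} share {s}"
                 for s, n in segment.items() if len(n) > 1]
    return findings

# Constructed samples trimmed from the thread's configs; VLANs 10/20 stand in for XX/YY.
BEFORE = """dot11 ssid GUESTWIFI
 mbssid guest-mode
!
dot11 ssid COMPANYWIFI
 guest-mode
"""
AFTER = """dot11 ssid GUESTWIFI
 vlan 10
dot11 ssid COMPANYWIFI
 vlan 20
interface Dot11Radio0.10
 encapsulation dot1Q 10 native
 bridge-group 1
interface Dot11Radio0.20
 encapsulation dot1Q 20
 bridge-group 2
"""
```

An empty result only shows that the AP keeps the two SSIDs on separate VLANs; as the first reply notes, restricting guest clients is done with restrictions for the VLAN on the wired side.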

 

Hi,

 

Did you try the suggested configuration?

 

Thanks and regards,

Manas Pratap Singh

Venkatesh Attuluri
Cisco Employee

Check the following link:

http://www.cisco.com/c/en/us/td/docs/wireless/access_point/12-4_21a_JA1/configuration/guide/scg12421aJA1/scg12421aJA1-chap7-mbssid.html#wp1050170

Moin Ilyas
Level 4