10-14-2014 06:59 AM - edited 07-05-2021 01:43 AM
Hello, I am very new to the Cisco Aironet 1140 AP. I am trying to configure it the best and easiest possible way. I want to have two SSIDs: one for the guest network with internet access only, but still having a password, and no internal access to resources. I also want to have 1 SSID that is private for company access. How should I go about doing this? I have been using the GUI. I am running 12.4(21a)JA1.
Thanks
10-14-2014 08:24 AM
Hi,
As per the problem description it seems to be an Autonomous AP. Please confirm if you are using WLC or not. Send Show version from the AP.
I am not sure if webauth works fine with Autonomous APs though it is a feature.
Probably to restrict the client access you can put restrictions for the vlan at the wired side.
What are the two SSIDs you want to broadcast, and the VLANs from which you want the clients to get the IP on the SSIDs? What is the security you are looking for (WPAv1/2 with TKIP/AES)?
Do let me know the above details and I will let you know the entire configuration.
Thanks and regards,
Manas Pratap Singh
10-14-2014 10:55 AM
Honestly I am not sure if it is a WLC.
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CISCO1142N37
!
enable secret 5 $1$2Tvm$Q.1xaeLOfxMWolFJ8kOJh1
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
!
!
dot11 syslog
dot11 vlan-name VLAN-1 vlan 1
dot11 vlan-name VLAN-2 vlan 2
!
dot11 ssid GUESTWIFI
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 00261F13017C1E031C351D1F5B4A504F
!
dot11 ssid COMPANYWIFI
authentication open
authentication key-management wpa version 2
guest-mode
wpa-psk ascii 7 044C05330A321D1C1C081D390B050F063C122E0C35
!
!
!
username admin privilege 15 password 7 2341234123423421341234
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm
!
ssid GUESTWIFI
!
ssid COMPANYWIFI
!
antenna gain 0
packet retries 128
station-role root
rts threshold 512
rts retries 128
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm
!
ssid GUESTWIFI
!
ssid COMPANYWIFI
!
antenna gain 0
dfs band 3 block
packet retries 128
channel dfs
station-role root
rts threshold 512
rts retries 128
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
no keepalive
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address x.x.x.x x.x.x.x
no ip route-cache
!
ip default-gateway x.x.x.x
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server local
!
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
!
end
10-16-2014 05:20 AM
Hi,
Please try the following configuration:
Note: XX and YY are the VLANs, and you have to put in the values based on your setup.
Settings for int gig0.0 and 1.0 may vary... please send the output of sh ip int br:
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CISCO1142N37
!
enable secret 5 $1$2Tvm$Q.1xaeLOfxMWolFJ8kOJh1
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
!
!
dot11 syslog
dot11 vlan-name VLAN-1 vlan 1
dot11 vlan-name VLAN-2 vlan 2
!
dot11 ssid GUESTWIFI
Vlan XX
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 00261F13017C1E031C351D1F5B4A504F
!
dot11 ssid COMPANYWIFI
Vlan YY
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 044C05330A321D1C1C081D390B050F063C122E0C35
!
!
!
username admin privilege 15 password 7 2341234123423421341234
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
no encryption mode ciphers aes-ccm
encryption vlan XX mode ciphers aes-ccm
encryption vlan YY mode ciphers aes-ccm
!
ssid GUESTWIFI
!
ssid COMPANYWIFI
!
antenna gain 0
packet retries 128
station-role root
rts threshold 512
rts retries 128
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
!
no encryption mode ciphers aes-ccm
encryption vlan XX mode ciphers aes-ccm
encryption vlan YY mode ciphers aes-ccm
!
ssid GUESTWIFI
!
ssid COMPANYWIFI
!
antenna gain 0
dfs band 3 block
packet retries 128
channel dfs
station-role root
rts threshold 512
rts retries 128
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
no keepalive
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
Interface dot11radio0.XX
encapsulation dot1Q XX native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
Interface dot11radio0.YY
encapsulation dot1Q YY
no ip route-cache
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
bridge-group 2 spanning-disabled
Interface dot11radio1.XX
encapsulation dot1Q XX native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
Interface dot11radio1.YY
encapsulation dot1Q YY
no ip route-cache
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
bridge-group 2 spanning-disabled
Interface gig 0.XX
encapsulation dot1Q XX native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
Interface gig0.YY
encapsulation dot1Q YY
no ip route-cache
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
bridge-group 2 spanning-disabled
Interface gig 1.XX
encapsulation dot1Q XX native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
Interface gig1.YY
encapsulation dot1Q YY
no ip route-cache
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
bridge-group 2 spanning-disabled
Thanks and regards,
Manas Pratap Singh
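Added example, not part of the thread and not Cisco tooling: a Python check that a saved running-config really gives each SSID its own VLAN, a per-VLAN cipher on every radio that carries it, and matching radio and wired subinterfaces, which is what the guest/company separation above depends on. It assumes indented `show running-config` output, the per-VLAN cipher form `encryption vlan <id> mode ciphers ...`, and a wired port named GigabitEthernet0; the sample config is constructed.

```python
import re

# Constructed sample: guest SSID on VLAN 10, company SSID with no VLAN yet.
SAMPLE = """\
dot11 ssid GUESTWIFI
 vlan 10
dot11 ssid COMPANYWIFI
 authentication open
interface Dot11Radio0
 encryption vlan 10 mode ciphers aes-ccm
 ssid GUESTWIFI
 ssid COMPANYWIFI
interface Dot11Radio0.10
 encapsulation dot1Q 10
"""

def parse_blocks(config):
    """Map each 'dot11 ssid' / 'interface' header to its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line in ("", "!"):
            continue
        if line.startswith(("dot11 ssid ", "interface ")):
            current = blocks.setdefault(line, [])
        elif not raw[0].isspace():
            current = None          # any other global command ends the block
        elif current is not None:
            current.append(line)
    return blocks

def audit(config):
    blocks, findings, ssid_vlan = parse_blocks(config), [], {}
    for head, body in blocks.items():
        if head.startswith("dot11 ssid "):
            name = head.split()[2]
            vlan = next((l.split()[1] for l in body if l.startswith("vlan ")), None)
            if vlan is None or vlan in ssid_vlan.values():
                findings.append(f"{name}: " + ("no vlan mapping" if vlan is None else f"shares vlan {vlan}"))
            ssid_vlan[name] = vlan
    radios = [(h, b) for h, b in blocks.items() if re.fullmatch(r"interface Dot11Radio\d+", h)]
    for head, body in radios:
        for ssid, vlan in ssid_vlan.items():
            if vlan and f"ssid {ssid}" in body:
                if not any(l.startswith(f"encryption vlan {vlan} mode ciphers") for l in body):
                    findings.append(f"{head[10:]}: no cipher for vlan {vlan}")
                for sub in (f"{head}.{vlan}", f"interface GigabitEthernet0.{vlan}"):
                    if not any(l.split()[:3] == ["encapsulation", "dot1Q", vlan] for l in blocks.get(sub, [])):
                        findings.append(f"{sub[10:]}: no dot1Q {vlan} subinterface")
    return findings
```

An empty list from `audit()` only means the AP side is consistent; keeping guest clients away from internal resources still depends on how the guest VLAN is filtered on the wired side.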
10-28-2014 08:56 AM
Hi,
Did you try the suggested configuration?
Thanks and regards,
Manas Pratap Singh
10-14-2014 10:06 AM
Check the following link:
http://www.cisco.com/c/en/us/td/docs/wireless/access_point/12-4_21a_JA1/configuration/guide/scg12421aJA1/scg12421aJA1-chap7-mbssid.html#wp1050170
12-04-2014 06:14 AM
If it's an Autonomous AP, please refer to the following link: