
Startup-config for a fat AIR-SAP1602I-A-K9

Hello, I configured my first fat AP and sent it out to a remote location. It's been plugged into a switch and has an IP address, and I can see it on my network. But I'm wondering if I've it configured optimally. I've pasted the startup-config below (I've changed my company info and IP numbers, for security reasons). I'm specifically wondering about the "antenna gain 0" setting. What does that mean? I've also been told that when I send out a fat AP to a site that I should have the radio turned off. Then when the AP is installed at the site, I should log in to the AP and turn the radio on. How do I do that? And do you see any other settings that I should change? Thanks!

                    

Building configuration...

Current configuration : 3752 bytes
!
! Last configuration change at 19:00:21 EST Sun Feb 28 1993
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxxap02
!
!
logging rate-limit console 9
enable secret 5 $1$oBUH$5bsP8.8dumcqrCzNzub390
!
aaa new-model
!
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
server xx.xx.xx.x
server xx.xx.xx.x
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication username-prompt Login:
aaa authentication login default group tac_admin local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default group tac_admin local
aaa accounting network acct_methods start-stop group rad_acct
!
!
!
!
!
aaa session-id common
clock timezone EST -5 0
clock summer-time EDT recurring
no ip source-route
no ip gratuitous-arps
ip cef
ip domain name xxxxxxco.com
ip name-server xx.xx.xx.x
ip name-server xx.xx.xx.x
!
!
!
dot11 syslog
!
dot11 ssid universal
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 7 025455580D5F0A244A1C08415C40445E0A022B2927786364734B041505030E58080A0457071E470A590E0A0B0C0D085807055E
!
!
dot11 wpa handshake timeout 1500
crypto pki token default removal timeout 0
!
!
username Cisco password 7 096F471A1A0A
!
!
bridge irb
!
!
!
interface Dot11Radio0
no ip address
shutdown
!
encryption mode ciphers tkip
!
ssid universal
!
antenna gain 0
stbc
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
no ip address
shutdown
antenna gain 0
dfs band 3 block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
no ip address
duplex auto
speed auto
no keepalive
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface BVI1
ip address dhcp client-id GigabitEthernet0
!        
ip forward-protocol nd
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.x
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.x
!
logging trap notifications
logging xx.xx.xx.x
access-list 10 permit xx.xx.xx.x
access-list 10 permit xx.xx.xx.x
access-list 10 permit xx.xx.xx.x
access-list 10 permit xx.xx.xx.x
access-list 10 permit xx.xx.xx.x
access-list 10 permit xx.xx.xx.x
access-list 20 permit xx.xx.xx.x
access-list 20 permit xx.xx.xx.x
access-list 111 permit tcp any any neq telnet
snmp-server view iso iso included
snmp-server community xxxxxxxxxxx RW 20
snmp-server location xxxxxxxxxx
snmp-server contact xxxxxxxxxxx
snmp-server enable traps tty
snmp-server enable traps entity
snmp-server enable traps authenticate-fail
snmp-server enable traps config
snmp-server enable traps cpu threshold
snmp-server enable traps aaa_server
snmp-server host xx.xx.xx.x xxxxxxxxxxxx
tacacs-server host xx.xx.xx.x key 7 02050B021E070E22444C00032502080709
tacacs-server host xx.xx.xx.x key 7 02050B021E070E22444C00032502080709
tacacs-server directed-request
!
bridge 1 route ip
!
!
!
line con 0
access-class 111 in
line vty 0 4
access-class 111 in
exec-timeout 15 0
transport input all
line vty 5 15
access-class 111 in
transport input all
!
sntp server xx.xx.xx.x
end

2 REPLIES

Startup-config for a fat AIR-SAP1602I-A-K9

There are only a couple of things I would change.  Mainly related to the authentication/encryption.  I would use wpa version2 and ciphers aes-ccm.  This will allow the AP to use 802.11n rates instead of 802.11g rates.

I'd also go in and disable data rates below 12, and set 12 as the only mandatory rate.  This will help to keep the cell size smaller and keep the clients transmitting at higher rates.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered


Re: Startup-config for a fat AIR-SAP1602I-A-K9

Hi Gary,

I agree with Steve's suggestion of using WPA2 & AES-CCM and disabling low data rates.

Additionally I would enable the 5GHz band as well (configuring the same SSID on radio 1 band). This band gives higher throughput for 802.11n clients (compared to the 2.4 band) while having less interference.

 I've also been told that when I send out a fat AP to a site that I should have the radio turned off.  Then when the AP is installed at the site, I should login to the AP and turn the radio on.  How do I do that?

Then you can simply shut down the Radio 0 & Radio 1 interfaces prior to sending it to the site. Once you install it & connect it to your network, you should be able to SSH/Telnet to the AP BVI IP address (assigned via DHCP) & enable both radio interfaces.

Also note that you have configured some RADIUS configurations, but are using WPA2/PSK. So if you are not using RADIUS you can remove those specific commands.

Here are some reference posts if you'd like to configure it for RADIUS

http://mrncciew.com/2013/11/14/autonomous-ap-with-external-radius/

http://mrncciew.com/2013/03/03/autonomous-ap-as-local-radius-server/

HTH

Rasika

**** Pls rate all useful responses ****
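
An added example, not part of either reply: a small Python check that reads an autonomous-AP configuration and reports the points Steve and Rasika raise above (TKIP instead of AES-CCM, WPA key management without version 2, radios left shut down, no SSID on the 5 GHz radio, RADIUS groups with no server). The sample configuration is constructed in the shape of the posted one; the function names, finding messages and the 192.0.2.10 address are assumptions of this example.

```python
import re
# Constructed sample in the shape of the posted config (placeholder address).
SAMPLE = """\
aaa group server radius rad_eap
aaa group server tacacs+ tac_admin
 server 192.0.2.10
dot11 ssid universal
 authentication key-management wpa
interface Dot11Radio0
 shutdown
 !
 encryption mode ciphers tkip
 ssid universal
interface Dot11Radio1
 shutdown
"""
HEADER = re.compile(r"^(interface|dot11 ssid|aaa group server \S+)\s+(\S+)", re.I)

def sections(config):
    """Split into (kind, name, child lines); '!' separators are skipped."""
    out = []
    for line in (raw.strip() for raw in config.splitlines()):
        m = HEADER.match(line)
        if m:
            out.append((m.group(1).lower(), m.group(2), []))
        elif out and line and line != "!":
            out[-1][2].append(line.lower())
    return out

def audit(config):
    """Return (block name, finding) pairs for the points raised in the replies."""
    found = []
    for kind, name, body in sections(config):
        if kind == "dot11 ssid":
            km = [l for l in body if l.startswith("authentication key-management wpa")]
            if km and not any("version 2" in l for l in km):
                found.append((name, "key management not pinned to WPA version 2"))
        elif kind == "interface" and name.lower().startswith("dot11radio"):
            if any(l.startswith("encryption mode ciphers") and "tkip" in l for l in body):
                found.append((name, "TKIP cipher configured"))
            if "shutdown" in body:
                found.append((name, "radio is shut down"))
            if not any(l.startswith("ssid ") for l in body):
                found.append((name, "no SSID bound to this radio"))
        elif kind == "aaa group server radius" and not any(l.startswith("server ") for l in body):
            found.append((name, "RADIUS group has no server"))
    return found
if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Because a block runs until the next recognised header, the check also works on a flattened paste like the one above, where child lines have lost their indentation.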
