10-09-2008 07:32 AM - edited 07-03-2021 04:35 PM
All,
I have an AP that was configured like this:
dot11 ssid <ssid-wep>
authen open
Do0
ip address 1.1.1.1 255.255.255.0
encryption key 1 size 128bit <wep key> transmit-key
encryption mode wep mandatory
ssid <SSID>
bridge-group 1
fa0
ip address 1.1.1.1 255.255.255.0 (yes, they are the same on both interfaces)
bridge-group 1
bvi1
ip address 1.1.1.1 255.255.255.0 (yep, again)
Okay, so this configuration works, but I want to convert it to WPA with a broadcasted and secured side. I've created my SSIDs, VLANs, and subinterfaces, and cannot connect.
Current config is this:
dot11 ssid <SSID 1>
vlan 150
authentication open
guest-mode
wpa-psk ...
dot11 ssid <ssid 2>
vlan 151
authen open
wpa-psk
do0
ip address 1.1.1.1 255.255.255.0
encryption key 1 size 128bit <wep key> transmit-key
encryption mode wep mandatory
ssid <ssid-wep>
ssid <ssid-1>
ssid <ssid-2>
bridge-group 1
do0.150
encapsulation dot1q 150
bridge 150
do0.151
encap dot1q 151
bridge 151
fa0
ip address 1.1.1.1 255.255.255.0
bridge 1
fa0.150
encap dot 150
bridge 150
fa0.151
encap dot 151
bridge 151
My question is this: Do I have to remove the current configuration for d0, and create a subinterface for vlan 1 to keep the wep configuration? I'm not able to connect at all. The guest ssid is broadcasted, but it almost immediately says disconnected, so I'm not sure where to look.
Thanks,
John
10-09-2008 08:27 AM
I notice a few things that you can do to fix this configuration:
1. Remove the IP address that's on fa0. This should not have an IP address on it.
2. You are missing a configuration line under your SSIDs. You need "authentication key-management wpa" in addition to "authentication open". Both are needed to make WPA-PSK work.
3. Under dot0, you should remove the WEP encryption commands and WEP SSID since they're no longer used. You'll then need to issue "encryption vlan XXX mode ciphers tkip aes-ccmp". You can pick tkip, aes, or both in that command; use whichever is appropriate.
This is all assuming that you no longer want WEP, which I assume is the case since both SSIDs have wpa-psk configured. Let me know if I'm misunderstanding.