debianit

asked on

How to configure Multiple SSIDs on a Cisco 1131AG Access Point

Hi there,
I'm trying to configure a Cisco 1131AG Access Point with dual SSIDs.  SSID1 -> INTERNAL should allow users to access network resources, while SSID2 -> GUEST should only allow guests to access the internet.  My setup is as follows:
1 ASA 5505
1 Unmanaged switch
1 Cisco 1131AG Access Point

The ASA connects to my ISP and then to the switch.  The Access Point is then connected to a port on the switch.  I do also have the option of possibly using a DELL managed switch if need be.  I have been able to get the AP to show both SSIDs thus far and am able to connect to both (WPA encryption), but I am not getting an IP address from either.  I have included my current config below.  PLEASE HELP!!! and thanks in advance.
Current configuration : 3042 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname TEST-AP
!
logging buffered 51200 debugging
enable secret 5 $1$gA5p$ZGBO/R1oAR7jynIlBXcOc/
!
no aaa new-model
!
dot11 ssid INTERNAL
   vlan 10
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 106E1B0A0010020A1F173D24362C
!
dot11 ssid GUEST
   vlan 20
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 08015E5D0C1E0B1805
!
power inline negotiation prestandard source
!
username user1 privilege 15 secret 5 $1$HApr$1ZbxmhvICOtPbCQ1Af.uP/
!
bridge irb
!
interface Dot11Radio0
 ip dhcp client client-id BVI1
 no ip address
 no ip route-cache
 !
 encryption mode ciphers tkip
 encryption vlan 10 mode ciphers tkip
 encryption vlan 20 mode ciphers tkip
 !
 ssid INTERNAL
 !
 ssid GUEST
 !
 mbssid
 station-role root
!
interface Dot11Radio0.2
 encapsulation dot1Q 2 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
 bridge-group 10 spanning-disabled
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 bridge-group 20 subscriber-loop-control
 bridge-group 20 block-unknown-source
 no bridge-group 20 source-learning
 no bridge-group 20 unicast-flooding
 bridge-group 20 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 dfs band 3 block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet0.2
 encapsulation dot1Q 2 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 no bridge-group 10 source-learning
 bridge-group 10 spanning-disabled
!
interface FastEthernet0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 no bridge-group 20 source-learning
 bridge-group 20 spanning-disabled
!
interface BVI1
 ip address dhcp client-id FastEthernet0
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
 
bridge 1 route ip
!
line con 0
line vty 0 4
 privilege level 15
 password 7 03005E090F0E2F4D4A04100B
 login local
 transport input telnet ssh
!
end


jjmartineziii

Who's doing DHCP?

If it's your ASA, can you post your ASA config with public ips and passwords removed?
debianit

ASKER

Thanks for the quick response jjmartineziii.  I'm running Windows Server 2003 Enterprise for my DHCP server.
Do you already have ip helper configured on the VLAN interfaces?
I'm not familiar with IP helper setup.  Could you please direct me as to where to begin?

thanks
Sure, since your dhcp server is going to be receiving dhcp requests from two different networks.

What are your two subnetworks?

Can you provide IP ranges and VLAN numbers?
Hi jjmartineziii
Here is a copy of the current ASA config.  thx

hostname test-asa-5510
domain-name test.local
enable password 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
 speed 10
 duplex full
 nameif outside
 security-level 0
 ip address x.x.x.x  255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.50.254 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 no ip address
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.128
access-list acl_out extended permit icmp any any
access-list acl_out extended permit tcp any host x.x.x.x eq pptp
access-list acl_out extended permit tcp any host x.x.x.x eq 3389
access-list acl_out extended permit tcp any host x.x.x.x eq smtp
access-list acl_out extended permit tcp any host x.x.x.x eq https
access-list acl_out extended permit tcp any host x.x.x.x eq www
access-list acl_out extended permit tcp any host x.x.x.x eq pop3
access-list acl_out extended permit tcp any host x.x.x.x eq ftp
access-list acl_out extended permit tcp any host x.x.x.x eq ftp
access-list acl_out extended permit tcp any host x.x.x.x eq www
access-list acl_out extended permit tcp any host x.x.x.x eq www
access-list acl_out extended permit tcp any host x.x.x.x eq 3399
access-list acl_out extended permit tcp any host x.x.x.x eq 3391
access-list acl_out extended permit tcp any host x.x.x.x eq 3393
access-list acl_out extended permit tcp any host x.x.x.x eq 3394
access-list acl_out extended permit tcp any host x.x.x.x eq 3392
access-list acl_out extended permit tcp any host x.x.x.x eq 3500
access-list acl_out extended permit tcp any host x.x.x.x eq ftp-data
access-list acl_out extended permit tcp any host x.x.x.x eq 3389
access-list acl_out extended permit tcp any host x.x.x.x eq 3395
access-list acl_out extended permit tcp any host x.x.x.x eq 3396
access-list acl_out extended permit tcp any host x.x.x.x eq 3377
access-list acl_out extended permit tcp any host x.x.x.x eq 9987
access-list acl_out extended permit tcp any host x.x.x.x eq 993
access-list acl_out extended permit tcp any host x.x.x.x eq 8001
access-list acl_out extended permit tcp any host x.x.x.x eq 8000
access-list acl_out extended permit tcp any host x.x.x.x eq 3389
access-list test2_splitTunnelAcl remark Network behind NAT
access-list test2_splitTunnelAcl standard permit 192.168.50.0 255.255.255.0
access-list test_splitTunnelAcl standard permit any
access-list acl_blocked extended permit tcp host 192.168.50.2 any eq smtp
access-list acl_blocked extended permit tcp host 192.168.50.8 any eq smtp
access-list acl_blocked extended permit udp any any
access-list acl_blocked extended permit esp any any
access-list acl_blocked extended permit tcp any any
access-list acl_blocked extended permit icmp any any
access-list acl_blocked extended permit gre any any
access-list acl_blocked extended permit tcp host 192.168.50.5 any eq smtp
access-list acl_blocked extended permit tcp host 192.168.50.7 any eq smtp
access-list acl_blocked extended permit tcp host 192.168.50.4 any eq smtp
access-list acl_blocked extended permit tcp host 192.168.50.15 any eq smtp
access-list acl_blocked extended deny tcp host 192.168.50.121 any eq smtp
pager lines 24
logging enable
logging asdm errors
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool FIREWALL 192.168.50.40-192.168.50.99 mask 255.255.255.0
no failover
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp x.x.x.x www 192.168.50.3 www netmask 255.255.255.255
static (inside,outside) tcp x.x.x.x 3399 192.168.50.122 3399 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.x 3391 192.168.50.6 3391 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.x 3393 192.168.50.104 3393 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.x 3394 192.168.50.110 3394 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.x 3392 192.168.50.99 3392 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.x 3500 192.168.50.98 3500 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.x ftp-data 192.168.50.99 ftp-data netmask 255.255.255.255
static (inside,outside) tcp x.x.x.x 3389 192.168.50.3 3389 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.x 3395 192.168.50.149 3395 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.x 3396 192.168.50.108 3396 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.x 3377 192.168.50.121 3377 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.x 9987 192.168.50.120 9987 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.x 8001 192.168.50.159 8001 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.x 8000 192.168.50.161 8000 netmask 255.255.255.255
static (inside,outside) x.x.x.x 192.168.50.2 netmask 255.255.255.255
static (inside,outside) x.x.x.x 192.168.50.7 netmask 255.255.255.255
access-group acl_out in interface outside
access-group acl_blocked in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
url-list Internal_Webmail "TEST Webmail Access" http://192.168.50.2/exchange
port-forward Tech 1 192.168.50.8 3389 TESTsrv1
group-policy TEST_1 internal
group-policy TEST_1 attributes
 vpn-tunnel-protocol IPSec webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value TEST_splitTunnelAcl
 webvpn
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  port-forward-name value Application Access
.
.
.
--- List of VPN Usernames and Passwords ---
.
.
.
aaa authorization command LOCAL
http server enable
http 192.168.50.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal  20
tunnel-group TEST type ipsec-ra
tunnel-group TEST general-attributes
 address-pool FIREWALL
 default-group-policy TEST_1
tunnel-group TEST ipsec-attributes
 pre-shared-key *
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 192.168.50.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
 match default-inspection-traffic
class-map class_pptp
 match port tcp eq 47
!
policy-map global_policy
 class class_pptp
  inspect pptp
 class inspection_default
  inspect pptp
!
service-policy global_policy global
webvpn
 enable outside
 title TEST WebVPN Service
 logo file disk0:/home_biglogo.jpg
 title-color 255,153,51
 secondary-color 204,204,255
 nbns-server 192.168.50.2 master timeout 2 retry 2
 authorization-server-group LOCAL
 default-group-policy TEST_1
 authorization-required
 authorization-dn-attributes CN
Cryptochecksum:7050a6f7fc086553f63194aa346e7df5
: end
[OK]


If possible, I would like the Internal SSID to grab an address from the current dhcp subnet, as they will be utilizing the network resources anyway.  As for the Guest SSID, if need be, we can probably configure another dhcp pool for that one.

Thanks again...
So are your vlans configured on your dell switch?

I'm trying to understand your network. Basically, what you need to do is configure a second scope for the Guest SSID. Then create a second VLAN, trunk the port the AP is connected to and create multiple SSIDs on there.
As of this moment, I have yet to set up the VLANs.  I assume that since I'm using dumb switches, I just need to set them up on the ASA, right?  Also, if I created a new scope on the server, would that not, in a sense, be giving the guests access to the network?  I was hoping there was some way of simply creating a DHCP scope on the access point itself and have all traffic from that scope redirected straight to the internet.  Is this at all possible?  Please let me know...

Thanks jjmartineziii

Chyke McFarlane
Systems Analyst
ASKER CERTIFIED SOLUTION
jjmartineziii

Thanks jjmartineziii...
After I have configured the DHCP on the AP, how do I tell the AP to direct all traffic from that pool to the internet?  Can this be done using IP Redirection or something of the sort?  If so, where then would I redirect it?  Or does it just simply redirect it back on its own through the trunk port on the ASA?  Keep in mind also, that I DO NOT HAVE A MANAGED SWITCH.  I just have a basic switch (cannot be configured).

Thanks again...
Sorry, I confused you with another question! In this case, you would create an ACL to block any traffic from 192.168.51.X to 192.168.50.X.


In your DHCP settings, you would tell it that the gateway is 192.168.51.1, which is the Virtual Interface of the ASA. The ASA would process the packets and only allow them to talk to addresses other than 192.168.50.X because of the ACL you would implement.
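A worked ASA-side version of this advice, added here as an example and not taken from jjmartineziii's hidden solution or the asker's final config. It assumes an ASA 5505 running the pre-8.3 nat/global syntax seen in the posted config, a trunk that carries the AP's GUEST tag to the ASA (vlan 20 in the AP config; the asker later numbers it VLAN 3, and whichever ID is used must match on both ends), and the 192.168.51.0/24 guest subnet with the ASA at 192.168.51.1 as proposed above.

```cisco
! Added example, not part of the original thread. Assumes ASA 5505, pre-8.3
! NAT syntax (matches the global/nat lines posted above), inside = 192.168.50.0/24
! on Vlan1, and a guest subnet of 192.168.51.0/24 as proposed in the answer.
!
! 1. Third VLAN interface for the guest SSID. The 802.1Q ID must match the tag
!    the AP puts on the GUEST SSID (vlan 20 in the posted AP config).
!    On the base license the third VLAN may talk to only one other VLAN, so
!    it is explicitly prevented from forwarding to the inside VLAN (this
!    command must precede nameif on the base license).
interface Vlan20
 no forward interface Vlan1
 nameif guest
 security-level 50
 ip address 192.168.51.1 255.255.255.0
!
! 2. Guest clients get addresses from the ASA itself, not from the internal
!    Windows DHCP server, so no ip helper is needed and guests never reach it.
!    The default gateway handed out is the interface address 192.168.51.1.
!    x.x.x.x stands for the ISP resolver, redacted the same way as the posted config.
dhcpd address 192.168.51.10-192.168.51.200 guest
dhcpd dns x.x.x.x interface guest
dhcpd lease 3600 interface guest
dhcpd enable guest
!
! 3. Isolation ACL: deny anything toward the internal LAN (which also covers the
!    VPN pool 192.168.50.40-99), then allow only DNS and web toward the internet.
!    The final deny with "log" makes any guest probe of the LAN visible in syslog.
access-list guest_in extended deny ip 192.168.51.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list guest_in extended permit udp 192.168.51.0 255.255.255.0 any eq domain
access-list guest_in extended permit tcp 192.168.51.0 255.255.255.0 any eq www
access-list guest_in extended permit tcp 192.168.51.0 255.255.255.0 any eq https
access-list guest_in extended deny ip any any log
access-group guest_in in interface guest
!
! 4. PAT guest traffic behind the outside interface using the existing
!    "global (outside) 1 interface" pool from the posted config.
nat (guest) 1 192.168.51.0 255.255.255.0
```

Verify the isolation with `packet-tracer input guest tcp 192.168.51.50 1025 192.168.50.2 445` (expected result: drop on the guest_in ACL) and `show dhcpd binding` once a guest client associates.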
I think I got it.  I also just realized that because the ASA only has a basic license, it has a standard 3 VLANs maximum.
VLAN1 = Inside
VLAN2 = Outside
VLAN3 = Will be created for the AP
In creating a third VLAN, the device only allows for communication to one of the previous VLANs.  I will simply set it to restrict access to VLAN1, and pass all traffic to VLAN2.  I assume that should be enough to take care of the routing issue.

Thanks again for all your help.

Chyke McFarlane
Systems Analyst
cool let me know!
Hi jjmartineziii,
Sorry for the delay in getting back to you on this.  I had to give it a few days before I could actually implement the change, as it would affect the client's entire network.  Anyway, just to let you know, it did in fact work out.  I now have dual SSIDs running on my 1131-G Access Point.  In the end, I did actually have to enable managed mode on the DELL switch and configure the trunk ports.  The ASA only allowed for automatic trunking, therefore I was not able to specify what VLANs were required.  Once the switch was enabled, everything was up and running.  Thanks again for your assistance with this.


Chyke McFarlane
Systems Analyst
No problem. Glad you got it working :)