Question

How to configure Multiple SSIDs on a Cisco 1131AG Access Point

Asked by: debianit

Hi there,
I'm trying to configure a Cisco 1131AG Access Point with dual SSIDs.  SSID1 -> INTERNAL should allow users to access network resources, while SSID2 - GUEST should only allow guests to access the internet.  My setup is as follows:
1 ASA 5505
1 Unmanaged switch
1 Cisco 1131AG Access Point

The ASA connects to my ISP and then to the switch.  The Access Point is then connected to a port on the switch.  I do also have the option of possibly using a DELL managed switch if needs be.  I have been able to get the AP to show both SSIDs thus far and am able to connect to both (WPA encryption), but I am not getting an ip address from either.  I have included my current config below.  PLEASE HELP!!! and thanks in advance.

Current configuration : 3042 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname TEST-AP
!
logging buffered 51200 debugging
enable secret 5 $1$gA5p$ZGBO/R1oAR7jynIlBXcOc/
!
no aaa new-model
!
dot11 ssid INTERNAL
   vlan 10
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 106E1B0A0010020A1F173D24362C
!
dot11 ssid GUEST
   vlan 20
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 08015E5D0C1E0B1805
!
power inline negotiation prestandard source
!
username user1 privilege 15 secret 5 $1$HApr$1ZbxmhvICOtPbCQ1Af.uP/
!
bridge irb
!
interface Dot11Radio0
 ip dhcp client client-id BVI1
 no ip address
 no ip route-cache
 !
 encryption mode ciphers tkip
 encryption vlan 10 mode ciphers tkip
 encryption vlan 20 mode ciphers tkip
 !
 ssid INTERNAL
 !
 ssid GUEST
 !
 mbssid
 station-role root
!
interface Dot11Radio0.2
 encapsulation dot1Q 2 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
 bridge-group 10 spanning-disabled
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 bridge-group 20 subscriber-loop-control
 bridge-group 20 block-unknown-source
 no bridge-group 20 source-learning
 no bridge-group 20 unicast-flooding
 bridge-group 20 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 dfs band 3 block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet0.2
 encapsulation dot1Q 2 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 no bridge-group 10 source-learning
 bridge-group 10 spanning-disabled
!
interface FastEthernet0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 no bridge-group 20 source-learning
 bridge-group 20 spanning-disabled
!
interface BVI1
 ip address dhcp client-id FastEthernet0
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
 
bridge 1 route ip
!
line con 0
line vty 0 4
 privilege level 15
 password 7 03005E090F0E2F4D4A04100B
 login local
 transport input telnet ssh
!
end

                                  

This Question has been solved and asker verified.

Asked On: 2009-01-26 at 23:39:24, ID: 24086207
Tags: Cisco Access Points, Multiple SSID, Cisco 1131AG
Topics: Wireless Technologies, Wireless Network Access Points, Wireless Local Area Network
Participating Experts: 1
Points: 150
Comments: 16


Answers

 

by: jjmartineziii Posted on 2009-01-27 at 06:42:20 ID: 23476769

Who's doing DHCP?

If it's your ASA, can you post your ASA config with public ips and passwords removed?

 

by: debianit Posted on 2009-01-27 at 09:04:59 ID: 23478597

Thanks for the quick response jjmartineziii.  I'm running Windows Server 2003 Enterprise for my DHCP server.

 

by: jjmartineziii Posted on 2009-01-27 at 10:12:24 ID: 23479331

Do you already have ip helper configured on the VLAN interfaces?

 

by: debianit Posted on 2009-01-27 at 11:14:37 ID: 23479919

I'm not familiar with IP helper setup.  Could you please direct me as to where to begin?

thanks

 

by: jjmartineziii Posted on 2009-01-27 at 11:20:07 ID: 23479971

sure, since your dhcp server is going to be receiving dhcp requests from two different networks.

What are your two subnetworks?

Can you provide IP ranges and VLAN numbers?

 

by: debianit Posted on 2009-01-27 at 22:25:01 ID: 23483930

Hi jjmartineziii
Here is a copy of the current ASA config.  thx

hostname test-asa-5510
domain-name test.local
enable password 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
 speed 10
 duplex full
 nameif outside
 security-level 0
 ip address x.x.x.x  255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.50.254 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 no ip address
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.128
access-list acl_out extended permit icmp any any
access-list acl_out extended permit tcp any host x.x.x.x eq pptp
access-list acl_out extended permit tcp any host x.x.x.x eq 3389
access-list acl_out extended permit tcp any host x.x.x.x eq smtp
access-list acl_out extended permit tcp any host x.x.x.x eq https
access-list acl_out extended permit tcp any host x.x.x.x eq www
access-list acl_out extended permit tcp any host x.x.x.x eq pop3
access-list acl_out extended permit tcp any host x.x.x.x eq ftp
access-list acl_out extended permit tcp any host x.x.x.x eq ftp
access-list acl_out extended permit tcp any host x.x.x.x eq www
access-list acl_out extended permit tcp any host x.x.x.x eq www
access-list acl_out extended permit tcp any host x.x.x.x eq 3399
access-list acl_out extended permit tcp any host x.x.x.x eq 3391
access-list acl_out extended permit tcp any host x.x.x.x eq 3393
access-list acl_out extended permit tcp any host x.x.x.x eq 3394
access-list acl_out extended permit tcp any host x.x.x.x eq 3392
access-list acl_out extended permit tcp any host x.x.x.x eq 3500
access-list acl_out extended permit tcp any host x.x.x.x eq ftp-data
access-list acl_out extended permit tcp any host x.x.x.x eq 3389
access-list acl_out extended permit tcp any host x.x.x.x eq 3395
access-list acl_out extended permit tcp any host x.x.x.x eq 3396
access-list acl_out extended permit tcp any host x.x.x.x eq 3377
access-list acl_out extended permit tcp any host x.x.x.x eq 9987
access-list acl_out extended permit tcp any host x.x.x.x eq 993
access-list acl_out extended permit tcp any host x.x.x.x eq 8001
access-list acl_out extended permit tcp any host x.x.x.x eq 8000
access-list acl_out extended permit tcp any host x.x.x.x eq 3389
access-list test2_splitTunnelAcl remark Network behind NAT
access-list test2_splitTunnelAcl standard permit 192.168.50.0 255.255.255.0
access-list test_splitTunnelAcl standard permit any
access-list acl_blocked extended permit tcp host 192.168.50.2 any eq smtp
access-list acl_blocked extended permit tcp host 192.168.50.8 any eq smtp
access-list acl_blocked extended permit udp any any
access-list acl_blocked extended permit esp any any
access-list acl_blocked extended permit tcp any any
access-list acl_blocked extended permit icmp any any
access-list acl_blocked extended permit gre any any
access-list acl_blocked extended permit tcp host 192.168.50.5 any eq smtp
access-list acl_blocked extended permit tcp host 192.168.50.7 any eq smtp
access-list acl_blocked extended permit tcp host 192.168.50.4 any eq smtp
access-list acl_blocked extended permit tcp host 192.168.50.15 any eq smtp
access-list acl_blocked extended deny tcp host 192.168.50.121 any eq smtp
pager lines 24
logging enable
logging asdm errors
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool FIREWALL 192.168.50.40-192.168.50.99 mask 255.255.255.0
no failover
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp x.x.x.x www 192.168.50.3 www netmask 255.255.255.255
static (inside,outside) tcp x.x.x.x 3399 192.168.50.122 3399 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.x 3391 192.168.50.6 3391 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.x 3393 192.168.50.104 3393 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.x 3394 192.168.50.110 3394 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.x 3392 192.168.50.99 3392 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.x 3500 192.168.50.98 3500 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.x ftp-data 192.168.50.99 ftp-data netmask 255.255.255.255
static (inside,outside) tcp x.x.x.x 3389 192.168.50.3 3389 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.x 3395 192.168.50.149 3395 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.x 3396 192.168.50.108 3396 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.x 3377 192.168.50.121 3377 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.x 9987 192.168.50.120 9987 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.x 8001 192.168.50.159 8001 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.x 8000 192.168.50.161 8000 netmask 255.255.255.255
static (inside,outside) x.x.x.x 192.168.50.2 netmask 255.255.255.255
static (inside,outside) x.x.x.x 192.168.50.7 netmask 255.255.255.255
access-group acl_out in interface outside
access-group acl_blocked in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
url-list Internal_Webmail "TEST Webmail Access" http://192.168.50.2/exchange
port-forward Tech 1 192.168.50.8 3389 TESTsrv1
group-policy TEST_1 internal
group-policy TEST_1 attributes
 vpn-tunnel-protocol IPSec webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value TEST_splitTunnelAcl
 webvpn
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  port-forward-name value Application Access
.
.
.
--- List of VPN Usernames and Passwords ---
.
.
.
aaa authorization command LOCAL
http server enable
http 192.168.50.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal  20
tunnel-group TEST type ipsec-ra
tunnel-group TEST general-attributes
 address-pool FIREWALL
 default-group-policy TEST_1
tunnel-group TEST ipsec-attributes
 pre-shared-key *
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 192.168.50.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
 match default-inspection-traffic
class-map class_pptp
 match port tcp eq 47
!
policy-map global_policy
 class class_pptp
  inspect pptp
 class inspection_default
  inspect pptp
!
service-policy global_policy global
webvpn
 enable outside
 title TEST WebVPN Service
 logo file disk0:/home_biglogo.jpg
 title-color 255,153,51
 secondary-color 204,204,255
 nbns-server 192.168.50.2 master timeout 2 retry 2
 authorization-server-group LOCAL
 default-group-policy TEST_1
 authorization-required
 authorization-dn-attributes CN
Cryptochecksum:7050a6f7fc086553f63194aa346e7df5
: end
[OK]

                                              

 

by: debianit Posted on 2009-01-27 at 22:28:13 ID: 23483940

If possible, I would like the Internal SSID to grab an address from the current dhcp subnet, as they will be utilizing the network resources anyway.  As for the Guest SSID, if needs be, we can probably configure another dhcp pool for that one.

Thanks again...

 

by: jjmartineziii Posted on 2009-01-29 at 11:24:41 ID: 23501383

So are your vlans configured on your dell switch?

I'm trying to understand your network. Basically, what you need to do is configure a second scope for the Guest SSID. Then create a second VLAN, trunk the port the AP is connected to and create multiple SSIDs on there.

 

by: debianit Posted on 2009-01-29 at 13:18:35 ID: 23502685

As of this moment, I have yet to set up the VLANs.  I assume that since I'm using dumb switches, I just need to set them up on the ASA, right?  Also, if I created a new scope on the server, would that not, in a sense, be giving the guests access to the network?  I was hoping there was some way of simply creating a DHCP scope on the access point itself and have all traffic from that scope redirected straight to the internet.  Is this at all possible?  Please let me know...

Thanks jjmartineziii

Chyke McFarlane
Systems Analyst

 

by: jjmartineziii Posted on 2009-01-29 at 13:38:51 ID: 23502939

Yes, you can configure the VLANs on the ASA. You would have to plug the AP into the ASA unless your managed switch supports trunking and vlan tagging.

You can also definitely configure the AP to act as a dhcp server.

AP# configure terminal
AP(config)# ip dhcp excluded-address 172.16.1.100 172.16.1.117
AP(config)# ip dhcp pool wishbone
AP(dhcp-config)# network 172.16.1.0 255.255.255.0
AP(dhcp-config)# lease 10
AP(dhcp-config)# end

That's the process of doing that.

As for creating VLAN's on the ASA:

hostname(config-if)# interface vlan 200
hostname(config-if)# nameif ap
hostname(config-if)# security-level 100
hostname(config-if)# ip address 192.168.51.1 255.255.255.0
hostname(config-if)# no shutdown


You would then trunk the port the AP is connected to:

hostname(config-if)# interface ethernet 0/3
hostname(config-if)# switchport mode trunk
hostname(config-if)# switchport trunk allowed vlan 100
hostname(config-if)# switchport trunk native vlan 100
hostname(config-if)# no shutdown

And that should be it. This is just a general guide to get you on your way. You have to change numbers and parameters to fit your environment.

 

by: debianit Posted on 2009-01-29 at 13:49:06 ID: 23503058

Thanks jjmartineziii...
After I have configured the DHCP on the AP, how do I tell the AP to direct all traffic from that pool to the internet?  Can this be done using IP Redirection or something of the sort?  If so, where then would I redirect it?  Or does it just simply redirect it back on its own through the trunk port on the ASA?  Keep in mind also that I DO NOT HAVE A MANAGED SWITCH.  I just have a basic switch (cannot be configured).

Thanks again...

 

by: jjmartineziii Posted on 2009-01-29 at 13:53:21 ID: 23503106

Sorry, I confused you with another question! In this case, you would create an ACL to block any traffic from 192.168.51.X to 192.168.50.X.


In your DHCP settings, you would tell it that the gateway is 192.168.51.1, which is the Virtual Interface of the ASA. The ASA would process the packets and only allow them to talk to addresses other than 192.168.50.X because of the ACL you would implement.
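
The guest-isolation ACL described in the post above depends on rule order, because an ASA access list is evaluated first match wins with an implicit deny at the end. The following check is an added example, not part of the thread or either poster's configuration: it evaluates a constructed ACL against the 192.168.51.0/24 guest and 192.168.50.0/24 internal subnets named in the thread. The ACL name guest_in and the probe address 203.0.113.10 are assumptions, and port qualifiers are not modelled.

```python
import ipaddress

# Constructed sample input: a guest-interface ACL using the subnets from the
# thread. The ACL name "guest_in" is hypothetical.
GUEST_ACL = """\
access-list guest_in extended deny ip 192.168.51.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list guest_in extended permit ip 192.168.51.0 255.255.255.0 any
"""

# Constructed counter-example: the same two entries in the wrong order.
MISORDERED_ACL = """\
access-list guest_in extended permit ip 192.168.51.0 255.255.255.0 any
access-list guest_in extended deny ip 192.168.51.0 255.255.255.0 192.168.50.0 255.255.255.0
"""


def _take_network(tokens):
    """Consume one address spec ('any', 'host A' or 'A MASK'); return (network, rest)."""
    if not tokens:
        raise ValueError("missing address specification")
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl(text):
    """Parse 'access-list NAME extended ...' lines into (action, proto, src, dst)."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] != "extended":
            continue  # blank lines, remarks and standard ACLs are skipped
        action, proto = tokens[3], tokens[4]
        if action not in ("permit", "deny"):
            continue
        src, rest = _take_network(tokens[5:])
        dst, rest = _take_network(rest)
        if rest:
            raise ValueError(f"port/option qualifiers not modelled: {line!r}")
        rules.append((action, proto, src, dst))
    return rules


def evaluate(rules, src, dst, proto="tcp"):
    """Return the action of the first matching entry; no match means deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rule_proto, src_net, dst_net in rules:
        if rule_proto in ("ip", proto) and src in src_net and dst in dst_net:
            return action
    return "deny"  # implicit deny at the end of every access list


def check_guest_isolation(acl_text, guest="192.168.51.0/24",
                          internal="192.168.50.0/24",
                          internet_probe="203.0.113.10"):
    """Probe from the first guest host to every internal host and to one
    outside address (a documentation-range address, chosen as an assumption)."""
    rules = parse_acl(acl_text)
    guest_host = next(iter(ipaddress.ip_network(guest).hosts()))
    leaks = [str(dst) for dst in ipaddress.ip_network(internal).hosts()
             if evaluate(rules, guest_host, dst) == "permit"]
    return {"internal_leaks": leaks,
            "internet": evaluate(rules, guest_host, internet_probe)}


if __name__ == "__main__":
    for label, acl in (("deny first", GUEST_ACL), ("permit first", MISORDERED_ACL)):
        result = check_guest_isolation(acl)
        print(f"{label}: {len(result['internal_leaks'])} internal hosts reachable, "
              f"internet {result['internet']}")
```
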

 

by: debianit Posted on 2009-01-29 at 14:16:00 ID: 23503358

I think I got it.  I also just realized that because the ASA only has a basic license, it has a standard 3 VLANS maximum.  
VLAN1 = Inside
VLAN2 = Outside
VLAN3 = Will be created for the AP
In creating a third VLAN, the device only allows for communication to one of the previous VLANs.  I will simply set it to restrict access to VLAN1, and pass all traffic to VLAN2.  I assume that should be enough to take care of the routing issue.

Thanks again for all your help.

Chyke McFarlane
Systems Analyst

 

by: jjmartineziii Posted on 2009-01-29 at 14:16:43 ID: 23503367

cool let me know!

 

by: debianit Posted on 2009-02-10 at 07:47:18 ID: 23601575

Hi jjmartineziii,
Sorry for the delay in getting back to you on this.  I had to give it a few days before I could actually implement the change, as it would affect the client's entire network.  Anyway, just to let you know, it did in fact work out.  I now have dual SSID's running on my 1131-G Access Point.  In the end, I did actually have to enable managed mode on the DELL switch and configure the trunk ports.  The ASA only allowed for automatic trunking, therefore I was not able to specify what VLANs were required.  Once the switch was enabled, everything was up and running.  Thanks again for your assistance with this.


Chyke McFarlane
Systems Analyst

 

by: jjmartineziii Posted on 2009-02-10 at 07:55:12 ID: 23601660

No problem. Glad you got it working :)
