Solved

How to config Cisco 871W as access point

Posted on 2008-06-11
Last Modified: 2013-11-12
Hello, I would like to use a Cisco 871W router as an access point in the network.
The device was previously used as a bridge/router, but the router functionality is not necessary anymore because of the installation of an ASA 5505 in the network. (ISP = cable provider)
Does someone have a config to transform the 871W into an access point so I can use only the SSID if and the bvi1 interface? Thanks in advance.
Original config:

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
!
no aaa new-model
!
resource policy
!
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
ip subnet-zero
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.100
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.0.0 255.255.255.0
   dns-server 192.168.0.100
   default-router 192.168.0.1
!
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
no ip bootp server
ip domain name
ip name-server 192.168.0.100
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-3150041687
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3150041687
 revocation-check none
 rsakeypair TP-self-signed-3150041687
!
!
crypto pki certificate chain TP-self-signed-3150041687
 certificate self-signed 01
  quit
username admin privilege 15
!
!
!
bridge irb
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip address dhcp client-id FastEthernet4
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface Dot11Radio0
 no ip address
 !
 encryption key 1 size 40bit 7 24D6F3FBBA5D transmit-key
 encryption mode wep mandatory
 !
 ssid sleepers
    authentication open
    guest-mode
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface BVI1
 description $ES_LAN$$FW_INSIDE$
 ip address 192.168.0.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
!
ip classless
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 192.168.0.100 eq domain any
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny   ip 192.168.0.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip any any
no cdp run
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end


Question by:antwerp2007
5 Comments
 
LVL 5

Expert Comment

by:rslqld
ID: 21775160
How much of this configuration do you really feel you need?

I personally would be tempted to bust out the 'write erase' and 'reload' then start from scratch.
0
 
LVL 7

Accepted Solution

by:
kanlue earned 125 total points
ID: 21781372
Or the following step-by-step setup/configuration may help you understand the commands:
-----------------------
871W Router Configuration

Complete these steps to configure the 871W ISR as an access point to accept association requests from the wireless clients.

Configure Integrated Routing and Bridging (IRB) and setup the bridge group.

Type these commands from global configuration mode in order to enable IRB.

WirelessRouter<config>#bridge irb


!--- Enables IRB.

WirelessRouter<config>#bridge 1 protocol ieee
 

!--- Defines the type of Spanning Tree Protocol as ieee.

WirelessRouter<config>#bridge 1 route ip


!--- Enables the routing of the specified protocol in a bridge group.

Configure the bridged virtual interface (BVI).

Assign an IP address to the BVI. Type these commands from global configuration mode.

WirelessRouter<config>#interface bvi1


!--- Enter interface configuration mode for the BVI.

WirelessRouter<config-if>#ip address 172.16.1.100 255.255.0.0


Refer to the Bridge Group Configuration on Access Points and Bridges section of Using VLANs with Cisco Aironet Wireless Equipment for more information about the functionality of Bridge Groups in access points.

Configure the internal DHCP server feature on the 871W ISR.

The internal DHCP server feature on the router can be used to assign IP addresses to wireless clients that associate to the router. Complete these commands in global configuration mode.

WirelessRouter<config>#ip dhcp excluded-address 172.16.1.100 172.16.1.100


!--- Excludes IP addresses from the DHCP pool.
!--- This address is used on the BVI interface, so it is excluded.


WirelessRouter<config>#ip dhcp pool 870-ISR

WirelessRouter<dhcp-config>#network 172.16.1.0 255.255.0.0

Note: The client adapter should also be configured to accept IP addresses from a DHCP server.

Configure the 871W ISR as a local RADIUS server.

In global configuration mode, type these commands to configure the 871W ISR as a local RADIUS server.

WirelessRouter<config>#aaa new-model

!--- Enable the authentication, authorization, and accounting
!--- (AAA) access control model.


WirelessRouter<config>#radius-server local

!--- Enables the 871 wireless-aware router as a local
!--- authentication server and enters into configuration
!--- mode for the authenticator.

WirelessRouter<config-radsrv>#nas 172.16.1.100 key Cisco


!--- Adds the 871 router to the list of devices that use
!--- the local authentication server.

WirelessRouter<config-radsrv>#user ABCD password ABCD

WirelessRouter<config-radsrv>#user XYZ password XYZ


!--- Configure two users ABCD and XYZ on the local RADIUS server.

WirelessRouter<config-radsrv>#exit
WirelessRouter<config>#radius-server host 172.16.1.100 auth-port 1812 acct-port 1813 key Cisco


!--- Specifies the RADIUS server host.

Note: Use ports 1812 and 1813 for authentication and accounting for the local RADIUS server.

WirelessRouter<config>#aaa group server radius rad_eap


!--- Maps the RADIUS server to the group rad_eap.

WirelessRouter<config-sg-radius>#server 172.16.1.100 auth-port 1812 acct-port 1813


!--- Define the server that falls in the group rad_eap.

WirelessRouter<config>#aaa authentication login eap_methods group rad_eap


!--- Enable AAA login authentication.

Configure the radio interface.

The configuration of the radio interface involves the configuration of various wireless parameters on the router including the SSID, the encryption mode, the authentication type, speed, and the role of the wireless router. This example uses the SSID called Test.

Type these commands to configure the radio interface in global configuration mode.

WirelessRouter<config>#interface dot11radio0

!--- Enter radio interface configuration mode.

WirelessRouter<config-if>#ssid Test


!--- Configure an SSID named Test.

WirelessRouter<config-ssid>#authentication open eap eap_methods

WirelessRouter<config-ssid>#authentication network-eap eap_methods


!--- Expect that users who attach to SSID 'Test'
!--- are requesting authentication with the type 128
!--- Network Extensible Authentication Protocol (EAP)
!--- authentication bit set in the headers of those requests.
!--- Group these users into a group called 'eap_methods'.

WirelessRouter<config-ssid>#exit

!--- Exit SSID configuration mode.

WirelessRouter<config-if>#encryption mode wep mandatory

!--- Enable WEP encryption.

WirelessRouter<config-if>#encryption key 1 size 128 1234567890ABCDEF1234567890


!--- Define the 128-bit WEP encryption key.

WirelessRouter<config-if>#bridge-group 1

WirelessRouter<config-if>#no shut

!--- Enables the radio interface.

The 870 router accepts association requests from the wireless clients once this procedure is done.

When you configure EAP authentication type on the router, it is recommended to choose both Network-EAP and Open with EAP as authentication types in order to avoid any authentication issues.

WirelessRouter<config-ssid>#authentication network-eap eap_methods

WirelessRouter<config-ssid>#authentication open eap eap_methods

-----------------------

you can find more info here:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080608364.shtml

hope it helps.
0
 
LVL 1

Author Comment

by:antwerp2007
ID: 21789577
Kanlue, thanks for the configuration!
Do I also need to specify a station-role such as root ...?
0
 
LVL 1

Author Comment

by:antwerp2007
ID: 21802586
Kanlue, I used your config but also needed to bridge the vlan1 interface with the SSID if and bvi1.
I also added ip default-gateway in the global config.
0
 

Expert Comment

by:Nexplicit
ID: 21867748
Could you please post the final configuration that is working?  Thx.
0
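The asker's follow-up reports that the accepted procedure only worked once Vlan1 was bridged with the radio and BVI1, and both configs in the thread use WEP while the original VTY lines accept telnet. The Python check below is an added example, not part of the thread or of Cisco's documentation; it tests a saved config for those points, and the finding codes and sample config are constructed for illustration.

```python
import re

# Constructed sample built from settings shown in the thread (not the asker's final config).
SAMPLE = """\
interface Dot11Radio0
 encryption mode wep mandatory
 bridge-group 1
interface Vlan1
 bridge-group 1
interface BVI1
bridge 1 route ip
line vty 0 4
 transport input telnet ssh
"""

def parse_blocks(text):
    """Group indented IOS lines under their unindented parent command."""
    blocks, current = {}, None
    for line in text.lower().splitlines():
        if not line.strip() or line.strip().startswith("!"):
            continue
        if not line[0].isspace():
            current = blocks.setdefault(line.strip(), [])
        elif current is not None:
            current.append(line.strip())
    return blocks

def audit(text):
    """Return finding codes for AP bridging gaps and weak settings."""
    blocks, found, members = parse_blocks(text), [], {}
    for parent, kids in blocks.items():
        if parent.startswith("interface "):
            name = parent.split()[1]
            for kid in kids:  # record bridge-group membership per interface
                if m := re.fullmatch(r"bridge-group (\d+)", kid):
                    members.setdefault(m.group(1), set()).add(name)
            if name.startswith("dot11radio") and any(
                    k.startswith("encryption mode wep") for k in kids):
                found.append("WEP")
        if parent.startswith("line vty") and any(
                "telnet" in k.split() for k in kids if k.startswith("transport input")):
            found.append("TELNET")
    for num, names in members.items():
        radios = {n for n in names if n.startswith("dot11radio")}
        if radios and radios == names:  # radio is alone in its bridge group
            found.append("RADIO_NOT_BRIDGED_TO_WIRED")
        if radios and not {f"interface bvi{num}", f"bridge {num} route ip"}.issubset(blocks):
            found.append("NO_ROUTED_BVI")
    return found
```

Running `audit()` on the original config posted in the question reports `WEP` and `TELNET`; the bridging checks pass there because Vlan1, the radio and BVI1 already share bridge group 1.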
