How to config Cisco 871W as access point

Hello, I would like to use a Cisco 871W router as an access point in the network.
The device was previously used as a bridge/router, but the router functionality is not necessary anymore because of the installation of an ASA 5505 in the network (ISP = cable provider).
Does someone have a config to transform the 871W into an access point so I can use only the SSID if and the bvi1 interface? Thanks in advance.
Original config:

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname router
logging buffered 51200 debugging
logging console critical
no aaa new-model
resource policy
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
ip subnet-zero
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address
ip dhcp pool sdm-pool1
   import all
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
no ip bootp server
ip domain name
ip name-server
ip ssh time-out 60
ip ssh authentication-retries 2
crypto pki trustpoint TP-self-signed-3150041687
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3150041687
 revocation-check none
 rsakeypair TP-self-signed-3150041687
crypto pki certificate chain TP-self-signed-3150041687
 certificate self-signed 01
username admin privilege 15
bridge irb
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip address dhcp client-id FastEthernet4
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
interface Dot11Radio0
 no ip address
 encryption key 1 size 40bit 7 24D6F3FBBA5D transmit-key
 encryption mode wep mandatory
 ssid sleepers
    authentication open
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
interface Vlan1
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
interface BVI1
 description $ES_LAN$$FW_INSIDE$
 ip address
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
ip classless
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip host any
access-list 100 deny   ip any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host eq domain any
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny   ip any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip any
access-list 101 deny   ip any
access-list 101 deny   ip any
access-list 101 deny   ip any
access-list 101 deny   ip host any
access-list 101 deny   ip any any
no cdp run
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500

kanlue Commented:
Or the following step-by-step setup/configuration may help you understand the commands:
871W Router Configuration

Complete these steps to configure the 871W ISR as an access point to accept association requests from the wireless clients.

Configure Integrated Routing and Bridging (IRB) and setup the bridge group.

Type these commands from global configuration mode in order to enable IRB.

WirelessRouter<config>#bridge irb

!--- Enables IRB.

WirelessRouter<config>#bridge 1 protocol ieee

!--- Defines the type of Spanning Tree Protocol as ieee.

WirelessRouter<config>#bridge 1 route ip

!--- Enables the routing of the specified protocol in a bridge group.

Configure the bridged virtual interface (BVI).

Assign an IP address to the BVI. Type these commands from global configuration mode.

WirelessRouter<config>#interface bvi1

!--- Enter interface configuration mode for the BVI.

WirelessRouter<config-if>#ip address

Refer to the Bridge Group Configuration on Access Points and Bridges section of Using VLANs with Cisco Aironet Wireless Equipment for more information about the functionality of Bridge Groups in access points.

Configure the internal DHCP server feature on the 871W ISR.

The internal DHCP server feature on the router can be used to assign IP addresses to wireless clients that associate to the router. Complete these commands in global configuration mode.

WirelessRouter<config>#ip dhcp excluded-address

!--- Excludes IP addresses from the DHCP pool.
!--- This address is used on the BVI interface, so it is excluded.

WirelessRouter<config>#ip dhcp pool 870-ISR


Note: The client adapter should also be configured to accept IP addresses from a DHCP server.

Configure the 871W ISR as a local RADIUS server.

In global configuration mode, type these commands to configure the 871W ISR as a local RADIUS server.

WirelessRouter<config>#aaa new-model

!--- Enable the authentication, authorization, and accounting
!--- (AAA) access control model.

WirelessRouter<config>#radius-server local

!--- Enables the 871 wireless-aware router as a local
!--- authentication server and enters into configuration
!--- mode for the authenticator.

WirelessRouter<config-radsrv>#nas key Cisco

!--- Adds the 871 router to the list of devices that use
!--- the local authentication server.

WirelessRouter<config-radsrv>#user ABCD password ABCD

WirelessRouter<config-radsrv>#user XYZ password XYZ

!--- Configure two users ABCD and XYZ on the local RADIUS server.

WirelessRouter<config>#radius-server host auth-port 1812 acct-port 1813 key Cisco

!--- Specifies the RADIUS server host.

Note: Use ports 1812 and 1813 for authentication and accounting for the local RADIUS server.

WirelessRouter<config>#aaa group server radius rad_eap

!--- Maps the RADIUS server to the group rad_eap

WirelessRouter<config-sg-radius>#server auth-port 1812 acct-port 1813

!--- Define the server that falls in the group rad_eap.

WirelessRouter<config>#aaa authentication login eap_methods group rad_eap

!--- Enable AAA login authentication.

Configure the radio interface.

The configuration of the radio interface involves the configuration of various wireless parameters on the router including the SSID, the encryption mode, the authentication type, speed, and the role of the wireless router. This example uses the SSID called Test.

Type these commands to configure the radio interface in global configuration mode.

WirelessRouter<config>#interface dot11radio0

!--- Enter radio interface configuration mode.

WirelessRouter<config-if>#ssid Test

!--- Configure an SSID test.

WirelessRouter<config-ssid>#authentication open eap eap_methods

WirelessRouter<config-ssid>#authentication network-eap eap_methods

!--- Expect that users who attach to SSID 'Test'
!--- are requesting authentication with the type 128
!--- Network Extensible Authentication Protocol (EAP)
!--- authentication bit set in the headers of those requests.
!--- Group these users into a group called 'eap_methods'.


WirelessRouter<config-ssid>#exit

!--- Exit interface configuration mode.

WirelessRouter<config-if>#encryption mode wep mandatory

!--- Enable WEP encryption.

WirelessRouter<config-if>#encryption key 1 size 128bit 1234567890ABCDEF1234567890

!--- Define the 128-bit WEP encryption key.

WirelessRouter<config-if>#bridge-group 1

WirelessRouter<config-if>#no shut

!--- Enables the radio interface.

The 870 router accepts association requests from the wireless clients once this procedure is done.

When you configure EAP authentication type on the router, it is recommended to choose both Network-EAP and Open with EAP as authentication types in order to avoid any authentication issues.

WirelessRouter<config-ssid>#authentication network-eap eap_methods

WirelessRouter<config-ssid>#authentication open eap eap_methods


you can find more info here:

hope it helps.
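
A small audit of the settings that appear in the configurations quoted in this thread, as an added example that is not part of any post: it flags WEP, open authentication, Telnet and plaintext HTTP management, plus leftover router-role commands (NAT, inspection, DHCP pool) that no longer apply once the 871W only bridges wireless clients. The rule list, the `audit` function and the sample lines are constructed for the example.

```python
import re

# Constructed sample: a few lines taken from the configs quoted in this thread.
SAMPLE = """\
ip dhcp pool sdm-pool1
interface FastEthernet4
 ip nat outside
 ip inspect DEFAULT100 out
interface Dot11Radio0
 encryption key 1 size 40bit 7 24D6F3FBBA5D transmit-key
 encryption mode wep mandatory
 ssid sleepers
    authentication open
interface BVI1
 ip nat inside
ip http server
line vty 0 4
 transport input telnet ssh
"""

# (pattern, finding) pairs; the rule set is this example's own choice.
RULES = [
    (r"^encryption mode wep\b", "WEP encryption on the radio"),
    (r"^encryption key \d+ size (40|128)bit\b", "static WEP key in config"),
    (r"^authentication open$", "open authentication without EAP"),
    (r"^transport input .*\btelnet\b", "Telnet allowed for management"),
    (r"^ip http server$", "plaintext HTTP management enabled"),
    (r"^ip nat (inside|outside)\b", "leftover NAT (router role)"),
    (r"^ip inspect \S+ (in|out)$", "leftover CBAC inspection (router role)"),
    (r"^ip dhcp pool\b", "leftover DHCP pool (router role)"),
]

def audit(config):
    """Return (section, finding) for each rule hit; section is the enclosing
    top-level command (e.g. 'interface BVI1'), or 'global'."""
    findings, section = [], "global"
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():          # unindented line starts a new section
            section = line if re.match(r"^(interface|line) ", line) else "global"
        for pattern, finding in RULES:
            if re.search(pattern, line):
                findings.append((section, finding))
    return findings

if __name__ == "__main__":
    print("\n".join(f"{s}: {f}" for s, f in audit(SAMPLE)))
```
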
How much of this configuration do you really feel you need?

I personally would be tempted to bust out the 'write erase' and 'reload' then start from scratch.
antwerp2007 (Author) Commented:
Kanlue, thanks for the configuration!
Do I also need to specify a station-role such as root ...?
antwerp2007 (Author) Commented:
Kanlue, I used your config but also needed to bridge the vlan1 interface with the SSID if and bvi1.
I also added ip default-gateway in the global config.
Could you please post the final configuration that is working?  Thx.