WellingtonIS
asked on
Cisco Aironet 1130 AG
I have a bunch of Cisco Aironet 1130 AG Access Points. I don't want to configure them with my controller; instead, I'm hooking them up to my network and giving them access to my guest network. However, I now need to add WPA2 PSK to them. The only options I'm given are WEP, EAP and WPA. Is there any way to add WPA2 without a RADIUS server?
SOLUTION
Yes, in all honesty that's the easiest way by a mile. It's a bit confusing to do it via the GUI.
ASKER
OK thx I'll give it a try
ASKER
OK, I used WPA2 and got all that in. I'm just confused about
interface dot11Radio0
encryption mode ciphers aes-ccm
ssid?
I got the 1st part with my ssid but what's this part?
we use aes-psk
aes-ccm is the ciphering method. There is no aes-psk option on the AP. You have to tell the radio which cipher to use, so you enter the encryption command under the radio interface.
You're telling the SSID to use a PSK by entering the wpa-psk command.
ASKER
OK, I think I have it set up correctly but I'm not seeing any clients. Do I need to put IPs in the dot11radio0?
dot11 ssid (our ssid)
authentication open
authentication key-management wpa version 2
guest-mode
wpa-psk ascii (preshared key)
interface dot11radio0
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm
ssid (our ssid)
No the IP address will be on the BVI1 interface.
Can you post the complete config (without passwords)?
ASKER
Using 1575 out of 32768 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
enable secret 5 $1$4l1Z$vP2FEqOjACKPPm3.KSlyi.
!
no aaa new-model
!
!
dot11 syslog
!
dot11 ssid XXXXXXXX#
authentication open
authentication key-management wpa version 2
guest-mode
wpa-psk ascii 7 03336926254208627A2C2B2B363E (this is the presharedkey)
!
!
!
username Cisco password 7 112A1016141D
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm
!
ssid *******!#
!
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
dfs band 3 block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 10.186.65.205 255.255.254.0
no ip route-cache
!
ip default-gateway 10.186.64.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
login local
I did this via the web GUI except for the commands you gave me. I also noticed it appears in the GUI but with no VLAN info. I'm wondering if I need to set that. When I set the guest SSID I had to enable the VLAN for that, which is why I'm suggesting that. I don't know what command I'd use for that. I have to add VLANs 4, 7, 2, 6 and 20.
Lastly, I think I'm confused between the SSID and the KEY. The SSID is what's broadcasted and the code is what you add when you're connecting right?
ASKER CERTIFIED SOLUTION
ASKER
I actually got the VLANs in there but it's not showing clients.
ap#show config
Using 1590 out of 32768 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
enable secret 5 $1$4l1Z$vP2FEqOjACKPPm3.KSlyi.
!
no aaa new-model
!
!
dot11 syslog
!
dot11 ssid Broadcasts - xxxxx-xxxx
vlan 7
authentication open
guest-mode
!
!
!
username Cisco password 7 112A1016141D
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm
!
ssid xxxx-xxxx
!
station-role root
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.7
encapsulation dot1Q 7
no ip route-cache
!
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
dfs band 3 block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface FastEthernet0.7
encapsulation dot1Q 7
no ip route-cache
!
interface BVI1
ip address 10.186.65.205 255.255.254.0
no ip route-cache
!
ip default-gateway 10.186.64.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
Yes the config that's on the AP right now won't work. You've got the SSID configured in a VLAN, but the radio interface has the wrong config to suit the SSID.
You need something like this...
dot11 ssid SSID1
vlan 1
authentication open
authentication key-management wpa
mbssid guest-mode
wpa-psk ascii 7 03336926254208627A2C2B2B363E
!
dot11 ssid SSID2
vlan 2
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 03336926254208627A2C2B2B363E
!
dot11 ssid SSID3
vlan 3
authentication open
authentication key-management wpa version 2
guest-mode
mbssid guest-mode
wpa-psk ascii 7 03336926254208627A2C2B2B363E
!
!
interface Dot11Radio0
no ip address
no ip route-cache
encryption mode ciphers aes-ccm
encryption vlan 1 mode ciphers aes-ccm
encryption vlan 2 mode ciphers aes-ccm
encryption vlan 3 mode ciphers aes-ccm
ssid SSID1
ssid SSID2
ssid SSID3
mbssid
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.2
encapsulation dot1Q 2
no ip route-cache
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 spanning-disabled
bridge-group 2 port-protected
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
!
interface Dot11Radio0.3
encapsulation dot1Q 3
no ip route-cache
bridge-group 3
bridge-group 3 subscriber-loop-control
bridge-group 3 spanning-disabled
bridge-group 3 port-protected
bridge-group 3 block-unknown-source
no bridge-group 3 source-learning
no bridge-group 3 unicast-flooding
!
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
no keepalive
!
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface GigabitEthernet0.2
encapsulation dot1Q 2
no ip route-cache
bridge-group 2
bridge-group 2 spanning-disabled
no bridge-group 2 source-learning
!
interface GigabitEthernet0.3
encapsulation dot1Q 3
no ip route-cache
bridge-group 3
bridge-group 3 spanning-disabled
no bridge-group 3 source-learning
!
ASKER
OK, since this is VLAN 7 I need to make it
interface eth0.7
encapsulation dot1q 7
no ip route-cache
etc...
Strictly speaking you only need to change the encapsulation dot1q command, and the VLAN ID in the radio interface and SSID, but to make it easier, yes just change all the numbers.
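As an added example (not code from the thread, and not a Cisco tool), here is a small Python checker that applies the rules the expert states above: the cipher is configured on the radio interface and, once an SSID is placed in a VLAN, it has to be set per VLAN with an 'encryption vlan N mode ciphers aes-ccm' line; key management and the PSK belong to the 'dot11 ssid' block; and the VLAN ID must agree between the SSID, the radio's cipher line, and the dot1Q subinterfaces on both the radio and the wired port. The two configs, the interface names and the finding codes are constructed for this example. It also counts type-7 strings, because the configs pasted in this thread contain them and that encoding is reversible, so such lines should be redacted before a config is shared.

```python
"""Consistency check for WPA2-PSK + VLAN settings in a Cisco IOS autonomous-AP
config (added example; a hypothetical checker, not a tool from the thread)."""
import re

# Constructed sample: the SSID is placed in VLAN 7, but the radio only carries the
# non-VLAN cipher, and VLAN 7 has a radio subinterface but no wired subinterface.
BROKEN = """\
dot11 ssid EXAMPLE-WIFI
 vlan 7
 authentication open
 authentication key-management wpa version 2
 mbssid guest-mode
 wpa-psk ascii 7 00112233445566778899
!
interface Dot11Radio0
 no ip address
 encryption mode ciphers aes-ccm
 ssid EXAMPLE-WIFI
 station-role root
!
interface Dot11Radio0.7
 encapsulation dot1Q 7
!
"""

# Same SSID with the pieces the expert in the thread asks for: a per-VLAN cipher
# on the radio and a matching dot1Q subinterface on the wired port as well.
FIXED = BROKEN.replace(" encryption mode ciphers aes-ccm\n",
                       " encryption vlan 7 mode ciphers aes-ccm\n") + """\
interface FastEthernet0.7
 encapsulation dot1Q 7
!
"""

HEADER = re.compile(r"^(?:dot11 ssid (.+)|interface (\S+))$")
VLAN_CIPHER = re.compile(r"^encryption vlan (\d+) mode ciphers (.+)$")


def parse(config):
    """Return ({ssid: [lines]}, {interface: [lines]}). A block starts at a
    'dot11 ssid' or 'interface' line and ends at '!' or the next header, so a
    config pasted with its indentation stripped (as in the thread) still parses."""
    ssids, ifaces, current = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None
            continue
        m = HEADER.match(line)
        if m and m.group(1):
            current = ssids.setdefault(m.group(1), [])
        elif m:
            current = ifaces.setdefault(m.group(2), [])
        elif current is not None:
            current.append(line)
    return ssids, ifaces


def _first(lines, prefix):
    """Value after the first line starting with prefix, or None."""
    return next((l[len(prefix):].strip() for l in lines if l.startswith(prefix)), None)


def check(config):
    """Return a list of (code, message) findings; any code other than
    REVERSIBLE_SECRET means an SSID will not come up the way it was intended."""
    ssids, ifaces = parse(config)
    out = []
    dot1q = set()  # (parent interface, VLAN id) pairs that have a dot1Q subinterface
    for name, lines in ifaces.items():
        enc = _first(lines, "encapsulation dot1Q ")
        if enc and "." in name:
            dot1q.add((name.split(".")[0], int(enc.split()[0])))
    for radio, lines in ifaces.items():
        if not radio.startswith("Dot11Radio") or "." in radio:
            continue
        attached = [l[5:].strip() for l in lines if l.startswith("ssid ")]
        vlan_ciphers = {int(m.group(1)): m.group(2)
                        for m in map(VLAN_CIPHER.match, lines) if m}
        global_cipher = _first(lines, "encryption mode ciphers ")
        if len(attached) > 1 and "mbssid" not in lines:
            out.append(("NO_MBSSID", f"{radio}: several SSIDs but no 'mbssid'"))
        for name in attached:
            if name not in ssids:
                out.append(("UNDEFINED_SSID", f"{radio}: ssid {name} is not defined"))
                continue
            sl = ssids[name]
            vlan = _first(sl, "vlan ")
            keymgmt = _first(sl, "authentication key-management ") or ""
            has_psk = any(l.startswith("wpa-psk ") for l in sl)
            if "wpa" not in keymgmt:
                out.append(("NO_WPA", f"{name}: no WPA key management (open or WEP only)"))
            elif not has_psk:
                out.append(("NO_PSK", f"{name}: WPA without wpa-psk needs 802.1X/RADIUS"))
            elif "version 2" not in keymgmt:
                out.append(("WPA1_ALLOWED", f"{name}: add 'version 2' to require WPA2"))
            # The cipher lives on the radio, scoped to the SSID's VLAN (or to no VLAN).
            want = (f"encryption vlan {vlan} mode ciphers aes-ccm" if vlan
                    else "encryption mode ciphers aes-ccm")
            cipher = vlan_ciphers.get(int(vlan)) if vlan else global_cipher
            if cipher is None:
                out.append(("NO_CIPHER", f"{radio}: missing '{want}' for {name}"))
            elif "aes-ccm" not in cipher:
                out.append(("WEAK_CIPHER", f"{radio}: '{want}' expected, found {cipher}"))
            if vlan and (radio, int(vlan)) not in dot1q:
                out.append(("NO_RADIO_SUBIF", f"{radio}.{vlan} with dot1Q {vlan} is missing"))
            if vlan and not any(v == int(vlan) and not p.startswith("Dot11Radio")
                                for p, v in dot1q):
                out.append(("NO_WIRED_SUBIF", f"no wired dot1Q {vlan} subinterface"))
    # 'service password-encryption' (type 7) is reversible obfuscation, not
    # encryption: a pasted config with these lines discloses the PSK.
    n = len(re.findall(r"\b(?:password|ascii|key) 7 \S+", config))
    if n:
        out.append(("REVERSIBLE_SECRET", f"{n} type-7 secret(s); redact before sharing"))
    return out


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label)
        for code, msg in check(cfg):
            print(f"  {code:<18} {msg}")
```

Run against the constructed BROKEN config it reports the missing per-VLAN cipher and the missing wired VLAN 7 subinterface (the two gaps the expert points out), and against FIXED it reports only the type-7 string. Pasting a real 'show run' in place of the constants works the same way, since the parser keys on the 'dot11 ssid' and 'interface' headers rather than on indentation.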
ASKER
Password:
ap#show config
Using 2072 out of 32768 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
enable secret 5 $1$4l1Z$vP2FEqOjACKPPm3.KSlyi.
!
no aaa new-model
!
!
dot11 syslog
!
dot11 ssid GUEST
vlan 4
authentication open
!
dot11 ssid xxxxx
vlan 7
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 1332441E075D0A3E7B2A697276
!
!
!
username Cisco password 7 112A1016141D
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm
!
encryption vlan 7 mode ciphers aes-ccm
!
ssid GUEST
!
mbssid
station-role root
!
interface Dot11Radio0.4
encapsulation dot1Q 4 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.7
encapsulation dot1Q 7
no ip route-cache
!
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
!
ssid GUEST
!
dfs band 3 block
channel dfs
station-role root
!
interface Dot11Radio1.4
encapsulation dot1Q 4 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
!
interface FastEthernet0.4
encapsulation dot1Q 4 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface FastEthernet0.7
encapsulation dot1Q 7
no ip route-cache
!
interface BVI1
ip address 10.186.65.205 255.255.254.0
no ip route-cache
!
ip default-gateway 10.186.64.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
I have to test this out someplace; I'll get back to you. Thx.
ASKER
OK, I've been trying to make this work for days and days, but no luck. I'm just going to give it up and use a RADIUS.
I doubt RADIUS would help... you'd still need the VLAN and cipher configs.
ASKER
Going to set up a radius server and see. I have to close this for now.
ASKER
No real answer for this. I'm going to have to try setting up Radius and seeing what happens.
As per the ONLY question in the OP...
Is there any way to add wpa2 without a radius server?...my comment in post ID: 39529839 IS correct.
Therefore that comment should be chosen as the answer and points awarded as such.
ASKER
Just an FYI, it's not that I couldn't make it work. I did add everything. It's when I checked with Cisco that they told me that particular model cannot do WPA2, which is the main reason why I closed this. I have no doubt that this information is correct. So with that in mind you can reward the points.
If the 1130 couldn't do WPA2, I would have said that. I'm a Cisco WLAN consultant for one of the biggest resellers in the world.
I think the tech you spoke to must have been mistaken!
FYI...
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008054339e.shtml
Pay particular attention to the following bookmarked section within that link...
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008054339e.shtml#supp
ASKER
That may be because I owe you 500 points. I just reconfigured it again, attached it to my RADIUS server that I built, and it's working. I apologize to you! Can someone please reward the points.
ASKER
The settings are the correct way to go. However, in my case I used the GUI because of all the VLANS. Once I got that everything else fell into place. Thank you so much for all of this I appreciate it. I'm sorry about that mix up.