WellingtonIS asked:
Cisco Aironet 1130 AG

I have a bunch of Cisco Aironet 1130 AG Access Points.  I don't want to configure them with my controller, instead I'm hooking them up to my network and giving them access to my guest network.  However, I need to now add wpa2 psk to them.  The only options I'm given are wep, eap and wpa.  Is there any way to add wpa2 without a radius server?
SOLUTION (Craig Beck)
This solution is only available to members.
WellingtonIS (ASKER):
OK thanks. But how do you configure this? Command line?
Yes, in all honesty that's the easiest way by a mile.  It's a bit confusing to do it via the GUI.
OK thx I'll give it a try
OK, I use WPA2, got all that in. I'm just confused about:
interface dot11Radio0
 encryption mode ciphers aes-ccm
 ssid ?

I got the first part with my SSID, but what's this part?

We use aes-psk.
aes-ccm is the ciphering method.  There is no aes-psk option on the AP.  You have to tell the radio which cipher to use, so you enter the encryption command under the radio interface.

You're telling the SSID to use a PSK by entering the wpa-psk command.
OK, I think I have it set up correctly but I'm not seeing any clients. Do I need to put IPs in the dot11radio0?

dot11 ssid (our ssid)
   authentication open
   authentication key-management wpa version 2
   guest-mode
   wpa-psk ascii (preshared key)
!
interface dot11radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 ssid (our ssid)
No, the IP address will be on the BVI1 interface.

Can you post the complete config (without passwords)?
Using 1575 out of 32768 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
enable secret 5 $1$4l1Z$vP2FEqOjACKPPm3.KSlyi.
!
no aaa new-model
!
!
dot11 syslog
!
dot11 ssid XXXXXXXX#
   authentication open
   authentication key-management wpa version 2
   guest-mode
   wpa-psk ascii 7 03336926254208627A2C2B2B363E (this is the pre-shared key)
!
!
!
username Cisco password 7 112A1016141D
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 ssid *******!#
 !
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 dfs band 3 block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 10.186.65.205 255.255.254.0
 no ip route-cache
!
ip default-gateway 10.186.64.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 login local

I did this via the web GUI except for the commands you gave me. I also noticed it appears in the GUI but with no VLAN info. I'm wondering if I need to set that. When I set the guest SSID I had to enable the VLAN for that, which is why I'm suggesting it. I don't know what command I'd use for that. I have to add VLANs 4, 7, 2, 6 and 20.

Lastly, I think I'm confused between the SSID and the key. The SSID is what's broadcast and the key is what you enter when you're connecting, right?
ASKER CERTIFIED SOLUTION
This solution is only available to members.
I actually got the VLANs in there but it's not showing clients.

ap#show config
Using 1590 out of 32768 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
enable secret 5 $1$4l1Z$vP2FEqOjACKPPm3.KSlyi.
!
no aaa new-model
!
!
dot11 syslog
!
dot11 ssid Broadcasts - xxxxx-xxxx
   vlan 7
   authentication open
   guest-mode
!
!
!
username Cisco password 7 112A1016141D
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 ssid xxxx-xxxx
 !
 station-role root
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.7
 encapsulation dot1Q 7
 no ip route-cache
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 dfs band 3 block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.7
 encapsulation dot1Q 7
 no ip route-cache
!
interface BVI1
 ip address 10.186.65.205 255.255.254.0
 no ip route-cache
!
ip default-gateway 10.186.64.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
line vty 0 4


Yes, the config that's on the AP right now won't work. You've got the SSID configured in a VLAN, but the radio interface has the wrong config to suit the SSID.

You need something like this...

dot11 ssid SSID1
   vlan 1
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 03336926254208627A2C2B2B363E
!
dot11 ssid SSID2
   vlan 2
   authentication open
   authentication key-management wpa version 2
   mbssid guest-mode
   wpa-psk ascii 7 03336926254208627A2C2B2B363E
!
dot11 ssid SSID3
   vlan 3
   authentication open
   authentication key-management wpa version 2
   guest-mode
   mbssid guest-mode
   wpa-psk ascii 7 03336926254208627A2C2B2B363E
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 encryption mode ciphers aes-ccm
 encryption vlan 1 mode ciphers aes-ccm
 encryption vlan 2 mode ciphers aes-ccm
 encryption vlan 3 mode ciphers aes-ccm
 ssid SSID1
 ssid SSID2
 ssid SSID3
 mbssid
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 spanning-disabled
 bridge-group 2 port-protected
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
!
interface Dot11Radio0.3
 encapsulation dot1Q 3
 no ip route-cache
 bridge-group 3
 bridge-group 3 subscriber-loop-control
 bridge-group 3 spanning-disabled
 bridge-group 3 port-protected
 bridge-group 3 block-unknown-source
 no bridge-group 3 source-learning
 no bridge-group 3 unicast-flooding
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no keepalive
!
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface GigabitEthernet0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
 bridge-group 2 spanning-disabled
 no bridge-group 2 source-learning
!
interface GigabitEthernet0.3
 encapsulation dot1Q 3
 no ip route-cache
 bridge-group 3
 bridge-group 3 spanning-disabled
 no bridge-group 3 source-learning
!
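The replies above lean on a handful of wiring rules for an autonomous IOS AP: the cipher is set (per VLAN) under the radio interface, the PSK lives under the SSID, the SSID must also be listed under the radio, and each VLAN needs a dot1Q subinterface in a bridge-group on both the radio and the wired port. The script below is an added example, not code from the thread or from Cisco; it parses a running-config and reports where those rules are broken, which is the kind of check that turns "not showing clients" into a concrete finding. The two sample configs are constructed (modelled on the thread's GUEST/VLAN 4 plus WPA2-PSK/VLAN 7 layout), the PSK is a placeholder, and the rule set is the one implied by the replies rather than an exhaustive IOS validator.

```python
"""Consistency lint for an autonomous Cisco IOS access-point config (added example)."""
import re


def parse_blocks(text):
    """Split IOS config text into (header, [child commands]) blocks; '!' lines are dropped."""
    blocks = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        if line[0] != " ":          # a top-level command opens a new block
            blocks.append((line, []))
        elif blocks:                # an indented line belongs to the current block
            blocks[-1][1].append(line.strip())
    return blocks


def _bridged(subifs, vlan, on_radio):
    """True if a dot1Q subinterface for `vlan` on a radio (on_radio=True) or wired port has a bridge-group."""
    return any(br for (base, v), br in subifs.items()
               if v == vlan and base.startswith("Dot11Radio") == on_radio)


def lint_ap_config(text):
    """Return a sorted list of findings; an empty list means SSID, VLAN and cipher config agree."""
    ssids, radios, subifs = {}, {}, {}
    for header, body in parse_blocks(text):
        if header.startswith("dot11 ssid "):
            s = {"vlan": None, "wpa": False, "psk": False, "guest": False}
            for c in body:
                if c.startswith("vlan "):
                    s["vlan"] = int(c.split()[1])
                elif c.startswith("authentication key-management wpa"):
                    s["wpa"] = True
                elif c.startswith("wpa-psk "):
                    s["psk"] = True
                elif "guest-mode" in c:         # guest-mode or mbssid guest-mode = broadcast
                    s["guest"] = True
            ssids[header[len("dot11 ssid "):]] = s
        elif header.startswith("interface "):
            ifname = header.split()[1]
            if "." in ifname:                   # subinterface: which VLAN, and is it bridged?
                vlan = next((int(c.split()[2]) for c in body
                             if c.lower().startswith("encapsulation dot1q ")), None)
                subifs[(ifname.split(".")[0], vlan)] = any(c.startswith("bridge-group ") for c in body)
            elif ifname.startswith("Dot11Radio"):
                r = {"ciphers": set(), "ssids": [], "mbssid": False, "shutdown": False}
                for c in body:
                    m = re.match(r"encryption(?: vlan (\d+))? mode ciphers ", c)
                    if m:                       # None = the radio-wide cipher, int = per-VLAN cipher
                        r["ciphers"].add(int(m.group(1)) if m.group(1) else None)
                    elif c.startswith("ssid "):
                        r["ssids"].append(c[5:])
                    elif c == "mbssid":
                        r["mbssid"] = True
                    elif c == "shutdown":
                        r["shutdown"] = True
                radios[ifname] = r

    findings = []
    for name, s in ssids.items():
        if s["wpa"] and not s["psk"]:
            findings.append(f"SSID {name}: key-management wpa but no wpa-psk (needs a PSK or RADIUS)")
        bound = [rn for rn, r in radios.items() if name in r["ssids"] and not r["shutdown"]]
        if not bound:
            findings.append(f"SSID {name}: not listed under any active radio ('ssid {name}' is missing)")
        for rn in bound:
            if s["wpa"] and s["vlan"] not in radios[rn]["ciphers"]:
                scope = f"vlan {s['vlan']} " if s["vlan"] is not None else ""
                findings.append(f"{rn}: missing 'encryption {scope}mode ciphers aes-ccm' for SSID {name}")
        if s["vlan"] is not None:
            for on_radio, kind in ((True, "radio"), (False, "wired")):
                if not _bridged(subifs, s["vlan"], on_radio):
                    findings.append(f"VLAN {s['vlan']} (SSID {name}): no {kind} subinterface with "
                                    f"'encapsulation dot1Q {s['vlan']}' and a bridge-group")
    for rn, r in radios.items():
        broadcast = [n for n in r["ssids"] if ssids.get(n, {}).get("guest")]
        if len(broadcast) > 1 and not r["mbssid"]:
            findings.append(f"{rn}: {len(broadcast)} broadcast SSIDs but 'mbssid' is not set on the radio")
    return sorted(findings)


# Constructed config: the VLAN 7 SSID is WPA2-PSK, but the radio has no VLAN 7 cipher
# and neither .7 subinterface is in a bridge-group. The PSK is a placeholder.
BROKEN = """\
dot11 ssid GUEST
   vlan 4
   authentication open
   mbssid guest-mode
!
dot11 ssid STAFF
   vlan 7
   authentication open
   authentication key-management wpa version 2
   mbssid guest-mode
   wpa-psk ascii 0 EXAMPLE-PSK-PLACEHOLDER
!
interface Dot11Radio0
 encryption mode ciphers aes-ccm
 ssid GUEST
 ssid STAFF
 mbssid
!
interface Dot11Radio0.4
 encapsulation dot1Q 4 native
 bridge-group 1
!
interface Dot11Radio0.7
 encapsulation dot1Q 7
!
interface FastEthernet0.4
 encapsulation dot1Q 4 native
 bridge-group 1
!
interface FastEthernet0.7
 encapsulation dot1Q 7
"""
# The same AP with the per-VLAN cipher added and both .7 subinterfaces bridged.
FIXED = (BROKEN.replace("\n ssid STAFF\n", "\n ssid STAFF\n encryption vlan 7 mode ciphers aes-ccm\n")
               .replace("encapsulation dot1Q 7\n", "encapsulation dot1Q 7\n bridge-group 2\n"))

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint_ap_config(cfg) or "consistent")
```

Run it against `show running-config` output saved to a file and feed the text to `lint_ap_config`; on the constructed sample it reports the missing `encryption vlan 7 mode ciphers aes-ccm` line and the two unbridged VLAN 7 subinterfaces, and nothing once those are fixed. The checks are deliberately conservative: they only flag a VLAN cipher for SSIDs that actually use WPA key management, and only complain about `mbssid` when more than one SSID on the radio is set to broadcast.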
OK, since this is VLAN 7 I need to make it:
interface eth0.7
 encapsulation dot1q 7
 no ip route-cache
etc...
Strictly speaking you only need to change the encapsulation dot1q command and the VLAN ID in the radio interface and SSID, but to make it easier, yes, just change all the numbers.
Password:
ap#show config
Using 2072 out of 32768 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
enable secret 5 $1$4l1Z$vP2FEqOjACKPPm3.KSlyi.
!
no aaa new-model
!
!
dot11 syslog
!
dot11 ssid GUEST
   vlan 4
   authentication open
!
dot11 ssid xxxxx
   vlan 7
   authentication open
   authentication key-management wpa version 2
   mbssid guest-mode
   wpa-psk ascii 7 1332441E075D0A3E7B2A697276
!
!
!
username Cisco password 7 112A1016141D
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 encryption vlan 7 mode ciphers aes-ccm
 !
 ssid GUEST
 !
 mbssid
 station-role root
!
interface Dot11Radio0.4
 encapsulation dot1Q 4 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.7
 encapsulation dot1Q 7
 no ip route-cache
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 !
 ssid GUEST
 !
 dfs band 3 block
 channel dfs
 station-role root
!
interface Dot11Radio1.4
 encapsulation dot1Q 4 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet0.4
 encapsulation dot1Q 4 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.7
 encapsulation dot1Q 7
 no ip route-cache
!
interface BVI1
 ip address 10.186.65.205 255.255.254.0
 no ip route-cache
!
ip default-gateway 10.186.64.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
line vty 0 4


Have to test this out someplace; I'll get back to you. Thx.
OK, I've been trying to make this work for days and days, but no luck. I'm just going to give it up and use RADIUS.
I doubt RADIUS would help... you'd still need the VLAN and cipher configs.
Going to set up a RADIUS server and see. I have to close this for now.
No real answer for this. I'm going to have to try setting up RADIUS and see what happens.
As per the ONLY question in the OP...
Is there any way to add wpa2 without a radius server?
...my comment in post ID: 39529839 IS correct.

Therefore that comment should be chosen as the answer and points awarded as such.
Just an FYI, it's not that I couldn't make it work. I did add everything. It's when I checked with Cisco that they told me that particular model cannot do WPA2, which is the main reason why I closed this. I have no doubt that this information is correct. So with that in mind you can award the points.
If the 1130 couldn't do WPA2, I would have said that.  I'm a Cisco WLAN consultant for one of the biggest resellers in the world.

I think the tech you spoke to must have been mistaken!

FYI...

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008054339e.shtml

Pay particular attention to the following bookmarked section within that link...

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008054339e.shtml#supp
That may be because I owe you 500 points. I just reconfigured it again, attached it to the RADIUS server that I built, and it's working. I apologize to you! Can someone please award the points.
The settings are the correct way to go. However, in my case I used the GUI because of all the VLANs. Once I got that, everything else fell into place. Thank you so much for all of this, I appreciate it. I'm sorry about that mix-up.