Cisco Aironet 1130 AG

I have a bunch of Cisco Aironet 1130 AG Access Points.  I don't want to configure them with my controller, instead I'm hooking them up to my network and giving them access to my guest network.  However, I need to now add wpa2 psk to them.  The only options I'm given are wep, eap and wpa.  Is there any way to add wpa2 without a radius server?
WellingtonIS asked:

Craig Beck commented:
Here's a generic config to configure the SSID with WPA2/AES...

dot11 ssid YOURSSID
 authentication open
 authentication key-management wpa version 2
 guest-mode
 wpa-psk ascii PRESHAREDKEY
!
interface dot11Radio0
 encryption mode ciphers aes-ccm
 ssid YOURSSID
!
WellingtonIS (author) commented:
OK thanks.  But How do you configure this?  command line?
Craig Beck commented:
Yes, in all honesty that's the easiest way by a mile.  It's a bit confusing to do it via the GUI.
WellingtonIS (author) commented:
OK, thanks, I'll give it a try.
WellingtonIS (author) commented:
OK, I use WPA2 and got all that in. I'm just confused about
interface dot11Radio0
encryption mode ciphers aes-ccm
ssid?

I got the 1st part with my ssid but what's this part?  

we use aes-psk
Craig Beck commented:
aes-ccm is the ciphering method.  There is no aes-psk option on the AP.  You have to tell the radio which cipher to use, so you enter the encryption command under the radio interface.

You're telling the SSID to use a PSK by entering the wpa-psk command.
WellingtonIS (author) commented:
OK, I think I have it set up correctly but I'm not seeing any clients. Do I need to put IPs in the dot11radio0?

dot11 ssid (our ssid)
authentication open
authentication key-management wpa version 2
guest-mode
wpa-psk ascii (preshared key)
interface dot11radio0
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm
ssid (our ssid)
Craig Beck commented:
No, the IP address will be on the BVI1 interface.

Can you post the complete config (without passwords)?
WellingtonIS (author) commented:
Using 1575 out of 32768 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
enable secret 5 $1$4l1Z$vP2FEqOjACKPPm3.KSlyi.
!
no aaa new-model
!
!
dot11 syslog
!
dot11 ssid XXXXXXXX#
   authentication open
   authentication key-management wpa version 2
   guest-mode
   wpa-psk ascii 7 03336926254208627A2C2B2B363E (this is the preshared key)
!
!
!
username Cisco password 7 112A1016141D
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 ssid *******!#
 !
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 dfs band 3 block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 10.186.65.205 255.255.254.0
 no ip route-cache
!
ip default-gateway 10.186.64.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 login local

I did this via the Web GUI except for the commands you gave me. I also noticed it appears in the GUI but with no VLAN info. I'm wondering if I need to set that. When I set the guest SSID I had to enable the VLAN for that, which is why I'm suggesting that. I don't know what command I'd use for that. I have to add VLANs 4, 7, 2, 6, 20.

Lastly, I think I'm confused between the SSID and the KEY.  The SSID is what's broadcasted and the code is what you add when you're connecting right?
Craig Beck commented:
Ah well you didn't say you had multiple SSIDs.

You're better doing this in the GUI then, as the VLAN config is very complicated if you're not used to the IOS APs' command set. Also, if you do configure VLANs and then edit via the CLI later, you'll probably just get errors all the time when making changes via the GUI again.

To configure WPA in the GUI you have to create the SSIDs and VLANs first, with no encryption.  Then go to the encryption manager page and configure each VLAN's encryption to use the AES-CCM cipher.  Then go back to the SSID page and configure each SSID to use WPA.

As I said, it's a mare to do in the GUI.
WellingtonIS (author) commented:
I actually got the VLANS in there but it's not showing clients.

ap#show config
Using 1590 out of 32768 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
enable secret 5 $1$4l1Z$vP2FEqOjACKPPm3.KSlyi.
!
no aaa new-model
!
!
dot11 syslog
!
dot11 ssid Broadcasts - xxxxx-xxxx
   vlan 7
   authentication open
   guest-mode
!
!
!
username Cisco password 7 112A1016141D
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 ssid xxxx-xxxx
 !
 station-role root
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.7
 encapsulation dot1Q 7
 no ip route-cache
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 dfs band 3 block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.7
 encapsulation dot1Q 7
 no ip route-cache
!
interface BVI1
 ip address 10.186.65.205 255.255.254.0
 no ip route-cache
!
ip default-gateway 10.186.64.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
line vty 0 4

Craig Beck commented:
Yes, the config that's on the AP right now won't work. You've got the SSID configured in a VLAN, but the radio interface has the wrong config to suit the SSID.

You need something like this...

dot11 ssid SSID1
   vlan 1
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 03336926254208627A2C2B2B363E
!
dot11 ssid SSID2
   vlan 2
   authentication open
   authentication key-management wpa version 2
   mbssid guest-mode
   wpa-psk ascii 7 03336926254208627A2C2B2B363E
!
dot11 ssid SSID3
   vlan 3
   authentication open
   authentication key-management wpa version 2
   guest-mode
   mbssid guest-mode
   wpa-psk ascii 7 03336926254208627A2C2B2B363E
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 encryption mode ciphers aes-ccm
 encryption vlan 1 mode ciphers aes-ccm
 encryption vlan 2 mode ciphers aes-ccm
 encryption vlan 3 mode ciphers aes-ccm
 ssid SSID1
 ssid SSID2
 ssid SSID3
 mbssid
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 spanning-disabled
 bridge-group 2 port-protected
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
!
interface Dot11Radio0.3
 encapsulation dot1Q 3
 no ip route-cache
 bridge-group 3
 bridge-group 3 subscriber-loop-control
 bridge-group 3 spanning-disabled
 bridge-group 3 port-protected
 bridge-group 3 block-unknown-source
 no bridge-group 3 source-learning
 no bridge-group 3 unicast-flooding
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no keepalive
!
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface GigabitEthernet0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
 bridge-group 2 spanning-disabled
 no bridge-group 2 source-learning
!
interface GigabitEthernet0.3
 encapsulation dot1Q 3
 no ip route-cache
 bridge-group 3
 bridge-group 3 spanning-disabled
 no bridge-group 3 source-learning
!
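As an added example (not code from this thread, from Cisco, or from either poster), the following Python script turns the rules in Craig's answers above into a config check: an SSID using WPA key management needs a wpa-psk (otherwise it needs 802.1X/RADIUS), the cipher is set on the radio and per VLAN when the SSID lives in a VLAN, every SSID must be bound to a radio, each VLAN needs a dot1Q subinterface on the radio and on the Ethernet side, each radio subinterface must be in a bridge group, and several SSIDs on one radio need mbssid. The two sample configs are constructed here, modelled on the dumps in this thread, with placeholder SSID names and a placeholder key; the parser assumes the show-config layout seen above (global commands unindented, block commands indented, `!` as separator).

```python
import re
from collections import defaultdict

def parse_blocks(text):
    """Return (ssids, interfaces): block name -> list of its indented commands."""
    ssids, interfaces, current = {}, {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] != " ":                      # unindented line: starts or ends a block
            m = re.match(r"dot11 ssid (.+)$", line)
            n = re.match(r"interface (\S+)$", line)
            current = (ssids.setdefault(m.group(1), []) if m else
                       interfaces.setdefault(n.group(1), []) if n else None)
        elif current is not None and line.strip() != "!":
            current.append(line.strip())
    return ssids, interfaces

def audit(text):
    """Return human-readable findings; an empty list means no mismatch was found."""
    ssids, interfaces = parse_blocks(text)
    radios = {n: b for n, b in interfaces.items() if re.fullmatch(r"Dot11Radio\d", n)}
    bound = defaultdict(list)                   # SSID name -> radios that bind it
    for radio, body in radios.items():
        for cmd in body:
            if cmd.startswith("ssid "):
                bound[cmd[5:]].append(radio)
    findings = []
    for name, body in ssids.items():
        vlan = next((c.split()[1] for c in body if c.startswith("vlan ")), None)
        wpa = any(c.startswith("authentication key-management wpa") for c in body)
        if wpa and not any(c.startswith("wpa-psk ") for c in body):
            findings.append(f"SSID {name}: WPA key management without wpa-psk needs 802.1X/RADIUS")
        if name not in bound:
            findings.append(f"SSID {name}: defined but not bound to any radio interface")
        # The cipher is configured on the radio, per VLAN when the SSID lives in one.
        want = f"encryption vlan {vlan} mode ciphers" if vlan else "encryption mode ciphers"
        for radio in bound.get(name, []):
            if wpa and not any(c.startswith(want) and "aes-ccm" in c for c in radios[radio]):
                findings.append(f"SSID {name} on {radio}: missing '{want} aes-ccm'")
            if vlan and f"{radio}.{vlan}" not in interfaces:
                findings.append(f"{radio}.{vlan}: no dot1Q subinterface for VLAN {vlan}")
        if vlan and not any(re.fullmatch(rf"\w+Ethernet\d\.{vlan}", i) for i in interfaces):
            findings.append(f"VLAN {vlan}: no Ethernet subinterface, the wired side will not carry it")
    for name, body in interfaces.items():       # every radio subinterface must be bridged
        if re.fullmatch(r"Dot11Radio\d\.\d+", name) and not any(c.startswith("bridge-group ") for c in body):
            findings.append(f"{name}: no bridge-group, wireless traffic on that VLAN is not bridged")
    for radio, body in radios.items():          # several SSIDs on one radio need mbssid
        count = sum(c.startswith("ssid ") for c in body)
        if count > 1 and "mbssid" not in body:
            findings.append(f"{radio}: {count} SSIDs bound but 'mbssid' is not enabled")
    return findings

# Constructed sample modelled on the dumps in this thread: placeholder SSID names,
# placeholder key. STAFF is never bound to the radio and Dot11Radio0.7 is not bridged.
BROKEN_CONFIG = """\
dot11 ssid GUEST
   vlan 4
   authentication open
   mbssid guest-mode
!
dot11 ssid STAFF
   vlan 7
   authentication open
   authentication key-management wpa version 2
   mbssid guest-mode
   wpa-psk ascii PLACEHOLDER-NOT-A-REAL-KEY
!
interface Dot11Radio0
 encryption vlan 7 mode ciphers aes-ccm
 ssid GUEST
 mbssid
!
interface Dot11Radio0.4
 encapsulation dot1Q 4 native
 bridge-group 1
!
interface Dot11Radio0.7
 encapsulation dot1Q 7
!
interface FastEthernet0.4
 encapsulation dot1Q 4 native
 bridge-group 1
!
interface FastEthernet0.7
 encapsulation dot1Q 7
 bridge-group 7
!
"""

# The same config with both corrections applied.
FIXED_CONFIG = BROKEN_CONFIG.replace("\n ssid GUEST\n", "\n ssid GUEST\n ssid STAFF\n").replace(
    "interface Dot11Radio0.7\n encapsulation dot1Q 7\n",
    "interface Dot11Radio0.7\n encapsulation dot1Q 7\n bridge-group 7\n")

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit(cfg) or ["no findings"])
```

Run it against the text of `show running-config` before posting a config for help. One caveat worth keeping in mind when doing that: `service password-encryption` only produces type 7 strings (the `wpa-psk ascii 7 ...` and `password 7 ...` lines above), which are reversibly encoded rather than hashed, so a pasted config still exposes the PSK and local user password and those lines should be redacted along with the SSID names.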
WellingtonIS (author) commented:
OK, since this is VLAN 7 I need to make it
interface eth0.7
encapsulation dot1q 7
no ip route-cache
etc...
Craig Beck commented:
Strictly speaking you only need to change the encapsulation dot1q command, and the VLAN ID in the radio interface and SSID, but to make it easier, yes just change all the numbers.
WellingtonIS (author) commented:
Password:
ap#show config
Using 2072 out of 32768 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
enable secret 5 $1$4l1Z$vP2FEqOjACKPPm3.KSlyi.
!
no aaa new-model
!
!
dot11 syslog
!
dot11 ssid GUEST
   vlan 4
   authentication open
!
dot11 ssid xxxxx
   vlan 7
   authentication open
   authentication key-management wpa version 2
   mbssid guest-mode
   wpa-psk ascii 7 1332441E075D0A3E7B2A697276
!
!
!
username Cisco password 7 112A1016141D
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 encryption vlan 7 mode ciphers aes-ccm
 !
 ssid GUEST
 !
 mbssid
 station-role root
!
interface Dot11Radio0.4
 encapsulation dot1Q 4 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.7
 encapsulation dot1Q 7
 no ip route-cache
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 !
 ssid GUEST
 !
 dfs band 3 block
 channel dfs
 station-role root
!
interface Dot11Radio1.4
 encapsulation dot1Q 4 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet0.4
 encapsulation dot1Q 4 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.7
 encapsulation dot1Q 7
 no ip route-cache
!
interface BVI1
 ip address 10.186.65.205 255.255.254.0
 no ip route-cache
!
ip default-gateway 10.186.64.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
line vty 0 4

I have to test this out someplace, I'll get back to you. Thanks.
WellingtonIS (author) commented:
OK, I've been trying to make this work for days and days, but no luck. I'm just going to give it up and use RADIUS.
Craig Beck commented:
I doubt RADIUS would help... you'd still need the VLAN and cipher configs.
WellingtonIS (author) commented:
Going to set up a RADIUS server and see. I have to close this for now.
WellingtonIS (author) commented:
No real answer for this. I'm going to have to try setting up RADIUS and see what happens.
Craig Beck commented:
As per the ONLY question in the OP...
Is there any way to add wpa2 without a radius server?
...my comment in post ID: 39529839 IS correct.

Therefore that comment should be chosen as the answer and points awarded as such.
WellingtonIS (author) commented:
Just an FYI, it's not that I couldn't make it work. I did add everything. It's when I checked with Cisco they told me that that particular model cannot do WPA2, which is the main reason why I closed this. I have no doubt that this information is correct. So with that in mind you can award the points.
Craig Beck commented:
If the 1130 couldn't do WPA2, I would have said that.  I'm a Cisco WLAN consultant for one of the biggest resellers in the world.

I think the tech you spoke to must have been mistaken!

FYI...

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008054339e.shtml

Pay particular attention to the following bookmarked section within that link...

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008054339e.shtml#supp
WellingtonIS (author) commented:
That may be because I owe you 500 points. I just reconfigured it again, attached it to my RADIUS server that I built, and it's working. I apologize to you! Can someone please award the points.
WellingtonIS (author) commented:
The settings are the correct way to go. However, in my case I used the GUI because of all the VLANs. Once I got that, everything else fell into place. Thank you so much for all of this, I appreciate it. I'm sorry about that mix-up.