Aironet 350 Access Point needs security

Similar Messages

• Securing Aironet 350 Access Point

  Hello -
  My small network is operating correctly using the Aironet 350 Access Point and multiple clients. However, the setup is not secure.
  How is it possible to secure access to our AP?
  Specifically: I would like to establish a WEP key, as some devices (i.e. pocket-pc's) do not support more advanced security schemes.
  Thanks,

  Extensible Authentication Protocol (EAP) authentication, also called 802.1x authentication, provides dynamic WEP keys to wireless users. Dynamic WEP keys are more secure than static, or unchanging, WEP keys.
  For more details on configuring both types of WEP refer the following document,
  http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo1100/accsspts/i12215ja/i12215sc/s15wep.htm

• Can an Aironet WiFi Access Point bridge multiple internal VLANs?

  I have Cisco Aironet 2700e access points.  Historically they were configured with a single SSID on both radios with WEP 128bit security.
  I now need to add new WiFi devices to the network that have limited flexibility.  They must be associated only with a specific radio (2.4ghz or 5ghz) and WPA2PSK security.
  My thought was to create two additional SSIDs on the 2700 access points, one for 2.4gz WPA2PSK and the other for 5ghz WPA2PSK.  The pre-existing SSID will continue to use 128bit WEP.  To do that  I need to use VLANs on the 2700e.
  I have no other VLANS on my network.  I only need VLANs on the 2700e because I have different physical devices that support different WiFi frequencies and security options.  I don't need to segment the network.
  How do I bridge the VLANs on the 2700e?
  Devices that connect to the non-native VLANs appear to be isolated from the rest of the network (as I would suspect with VLANs).  But that's not what I want .  I'm only using VLANs because I need multiple SSIDs, and I need multiple SSIDs because I have different physical devices that want different WiFI access point configurations.  I can't seem to find any way to configure the 2700e to bridge the VLANs for the multiple SSIDs.
  Any guidance would be appreciated.  I could buy additional access points but that seems to be defeating the purpose of having a device like the 2700e.
  Any help would be appreciated.
  Thank you.

  I made these changes to the example here:
  https://supportforums.cisco.com/document/55561/multiple-ssid-multiple-vlans-configuration-example-cisco-aironet-aps
  and it seems to be working.  (By "working" I mean that I can now ping to/from devices connected on different SSIDs.) I had to make these changes from the CLI.  There does not seem to be a way to make these changes from the GUI.  Is that correct? If there is a way to make these changes from the GUI please let me know.
  The changes I made were to make the sub interface for Dot11 radio 0 on the VLANs part of bridge-group 1.  So assuming the config in the example:
  ap(config)#interface Dot11Radio0.2
  ap(config-subif)#no bridge-group 2
  ap(config-subif)#bridge-group 1
  ap(config-subif)#exit
  ap(config)#interface Dot11Radio0.3
  ap(config-subif)#no bridge-group 3
  ap(config-subif)#bridge-group 1
  ap(config-subif)#exit
  I did not change the bridge group on the Ethernet interface.
  Questions:
  1. Did I create any new problems making this change? It seems to work, but am I going to get myself in trouble somewhere else?  Intuitively it makes sense to me: the VLANs are now part of the same bridge group (1, the native VLAN).  So all traffic should be bridged together.  Correct?
  2. I didn't change the Ethernet sub interfaces.  I don't seem to need to make that change.  I also don't like things sitting out there that I don't understand.  Should I do anything to clean up the Ethernet interfaces?
  3. The original configuration was made entirely from the GUI.  This change needs to be made from the CLI.  Can it be done from the GUI?  I can't seem to find a way to change bridge groups for a sub interface from the GUI. It worried me that it can't be done from the GUI.
  Thank you.
  Larry

• IPhone4 and Cisco Aironet 1141 access point - fail using WPAv2 Personal

  I cannot get my iPhone4 (latest s/w) to connect to a Cisco Aironet 1141 access point if I specify WPAv2 Personal. It is a single access point without radius etc. I have no problems connecting using "no security", WEP or WPAv1. Is there a problem with the iPhone4 implementation of WPA2 as all my other PCs connect just fine on WPAv2?
  With the Aironet 1141 I can switch security between WPAv1 & WPAv2 while keeping all other settings identical. Thus I can clearly demonstrate how the iPhone4 connects when both devices are set to WPAv1 yet will fail to connect when I switch both to WPAv2. As I have said, all other PCs I have connect via WPAv2 without any issues.

  I cannot get my iPhone4 (latest s/w) to connect to a Cisco Aironet 1141 access point if I specify WPAv2 Personal. It is a single access point without radius etc. I have no problems connecting using "no security", WEP or WPAv1. Is there a problem with the iPhone4 implementation of WPA2 as all my other PCs connect just fine on WPAv2?
  With the Aironet 1141 I can switch security between WPAv1 & WPAv2 while keeping all other settings identical. Thus I can clearly demonstrate how the iPhone4 connects when both devices are set to WPAv1 yet will fail to connect when I switch both to WPAv2. As I have said, all other PCs I have connect via WPAv2 without any issues.

• Configuring Cisco Aironet 1100 Access Point. Please help!

  Hi all,
  I have dozens of Cisco Aironet 1100 access points, each is managing its own wi-fi with DHCP.
  I had to disable dhcp on them because they are on a wired subnet where I am using the static IPs and don't want my wired clients to get DHCP addresses, nor someone to be able to plug the wire into own laptop and get on the network.
  It's been working fine with one exception - I need to be able to ping my access points from the central site, and I can't.
  What IOS command would enable ICMP echo on my access points in this case?
  Please help!

  Hi all,
  I have dozens of Cisco Aironet 1100 access points, each is managing its own wi-fi with DHCP.
  I had to disable dhcp on them because they are on a wired subnet where I am using the static IPs and don't want my wired clients to get DHCP addresses, nor someone to be able to plug the wire into own laptop and get on the network.
  It's been working fine with one exception - I need to be able to ping my access points from the central site, and I can't.
  What IOS command would enable ICMP echo on my access points in this case?
  Please help!

• Blackberry Z10 connection with an Aironet Cisco Access Point 1200

  Hi everybody,
  I'm trying without success a connection between a Blackberry Z10 and an Aironet Cisco Access Point 1200.
  We have no BB Server, we would like just to connect the WIFI.
  I've checked this points during the activation of the device:
  There's no LEAP protocolle.
  There's an EAP-Fast possibility.
  There's Mac Address recognition possibility.
  When we try to use the EAP-Fast possibility, we generate a .pac file, but i don't know where i can put this file so that the Blackberry recognize this file. I've search the whole day and didn't find anything... there's simply no explanation with the Z10 around the .pac file without a BB Server.
  I've try the Mac Address recognition and it simply doesn't work (no error the search time is too long)
  Every other older smartphones - Blackberry (there's 4 devices) are working.
  Anyone have an idea about? a suggestion? a list of compatible WIFI Devices?
  Thank you ahead.
  Have a nice day.
  Joel.

  Sorry i don't understand your answer.
  I'm not a developper but a system administrator.
  I just would like to use a Balckberry Z10 with our Wifi/Router Aironet Access Point 1200.
  not more.
  Best regards,
  Joel

• Newbie help with Aironet 1200 access point

  Hello everybody,
  We "inherited" an Aironet 1200 access point with antenna's throughout our building. This was installed by a company that thought they would make money selling Wi-Fi access but now they have gone bankrupt.
  We eliminated their router and installed one of our own, and we have it handing out IP addresses. When I plug it into the Aironet 1200 it works just fine. Users are able to connect wirelessly and access the internet.
  I would like to change the SSID however so that it no longer reflects the now defunct companies name.
  I cannot determine what IP address is assigned to the access point so I can't figure out how to access the management page.
  I tried connecting to the ethernet port via a DB9 to RJ45 cable and hyper terminal. After connecting the cable and powering up the access point I am still unable to connect.
  I realize once I get connected I will probably run into password issues, but I'd like to figure out how to get at least that far.
  Any ideas?

  since ur gonna change the ssid and there is a password...
  1. reset the ap. before plugging power to ap, press hold the mode button for 3 sec or until the led becomes orange or amber, then release.
  2. the ap is reset to default setting with ip address 10.0.0.1
  3. either console or gui the ap and change the bvi to ur preferred ip address.
  4. configure everything else as you want.

• VLANs thru a 350 Access Point

  I'm considering use of 350 access points connected to Catalyst 4000 switches with a few Symbol phones & Call Manager. There may also be some (few) wireless PC cards also connecting thru the same APs. On my wired network, the phones, gateways, etc are on separate VLANs than the data devices. Is this possible using wireless APs? Do APs know anything about trunking or VLANs or is this strictly up to the switch port to which they are connected?

  Is that true?
  I had that question too before. I did call Cisco Tac, but they confirm me that was not supported.Because the Vlan trunk frame is a little difference with normal ethernet frame, so the AP doesn't recogonize it ,and will drop it.
  Actaully it is simmilar as you put a hub between a trunk line, the trunk doesn't work with that.
  In theory , it is reasonable not to work with vlan trunk, but I didn't do any lab to test it.
  Icarr , are you really sure it works? There is not any problem ?
  Thanks

• Multiple Cisco Aironet 1131AG access points and same SSID?

  We have multiple Cisco Aironet 1131AG devices, all wired on one Cisco L2 switch(2560)  who is connected to L3 switch (3550). We assigned one VLAN for access point in L3 switch who acts as vtp server (L2 switch is vtp client). All ap's will have static ip address and all will have same SSID and no security and they will be using multiple channels (ex. 1,6,11).  They will operate in 3 floor building for roaming wireless client. We won't using any wireless controller.
  So my question is this: How to configure APs-all the same with different ip's, can we use L3 switch to create dhcp server for access points VLAN (pool for clients, and the rest for static ip for ap's)? Can one of the ap's be WDS and in the same time local radius server with users without Cisco Secure ACS or similar controller or I didn't understand this quite well :-). I followed guide http://www.cisco.com/en/US/docs/wireless/access_point/12.3_2_JA/configuration/guide/s32roamg.html for WDS where the part abou Cisco ACS is a problem, so I can use same ap as Local Authenticator as in guide  http://www.cisco.com/en/US/docs/wireless/access_point/12.3_4_JA/configuration/guide/s34local.html#wp1035723.
  Many thanks...

  Well, just so you know, WDS and local RADIUS authentication is only needed if you're using authentication on your wireless connection.  You say you're not planning to use security, so this isn't necessary.  However, I'd highly recommend at least using a simple WPA2-PSK to lock down your connection, otherwise you might end up giving free Internet access at best, and at worst you might be giving access to company PCs and servers.  If you want to further use an 802.1x or WPA authentication method, then yes, you can use an AP as a RADIUS server and WDS to improve authenticated roaming, but this is far more limited than using a Cisco ACS.
  As for your other questions, yes, your APs can all be configured the same except for at least three parameters: IP address, channel, and hostname.  Configure your static IP addresses on the AP's BVI1 interface.  Don't place it on the Radio or Ethernet interfaces, because if either of these interfaces goes down you'll lose the ability to configure the AP, so it's best to use the BVI1 interface.
  And yes, configuring a DHCP scope for your clients on your L3 switch is a good design, or you could also use your DHCP server on a different subnet by using the ip helper-address command on the L3 interface.  I hope this helps!  Let me know if you need help configuring any of this.
  Merry Christmas!
  Jeff

• Aironet 1262N - Access Point behind Non-Root Bridge possible?

  Hi,
  I want to connect two buildings. Let's call them Building A (main) and Building B.
  „A“ is the main building and provides a wired LAN to an AAA server (192.168.1.2) and the WAN gateway (192.168.1.1).
  There I placed a 1262N with the IP 192.168.1.3 connected to the wired LAN and configured it as Root-Bridge. Let's call it AP01.
  „B“ is a pretty large building and has a wired LAN from one end to the other end.
  So I placed two 1262N there, each at one end.
  The first 1262N is configured as non-root Bridge (AP02) and connects to the Root Bridge (AP01).
  The IP address of AP02 is 192.168.1.4.
  The second 1262N is configured as Access Point (AP03) and connects to the non-root Bridge (AP02) via the wired LAN.
  The IP adress of AP03 is 192.168.1.5
  My Questions:
  1. Do I need tell AP02 about the AAA Server in Building A or acts AP01 like a AAA Proxy for AP02 because of it Root Bridge functionality?
  2. How Do I tell AP03 that it should use AP02 as a gateway to building A?
  I attached a diagram.

  Hello  Mr. Vogl,
  Thank you for your question.
  However, the Small Business Support Community is limited to Cisco Small Business Products, and the Aironet products are considered as a Enterprise level devices.
  I recommend you to post this question on the on the correct forum, in order to get a better response.
  You can move your post using the Actions panel on the right.
  Best regards,
  Diego Rodriguez
  Cisco Small Business Community Engineer

• Guest use of a Aironet 1131AG Access Point

  I have 2 WLAN's using (mostly) D-Link products - one is for staff only and the other is for guests, and is totally separate from our LAN.
  I'm disappointed with D-Link and want to change-over to all-Cisco AP's. I'm fairly satisfied with the 1131 and wish to build on it.
  The manual mentions a guest SSID, but I have reservations about network security. (I am thinking of using a single WLAN with multiple SSID's to handle the staff and guests.) What is the opinion on this forum on this issue? (I'm very new to Cisco and classify myself as little more than a beginner with wireless in general.)
  Mike Webb
  1-man IT shop for a conservation non-profit in central Nebraska

  Here's an overview of Cisco's "Granular Guest Access Management and Provisioning" (http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps6973/ps8382/prod_brochure0900aecd806b8a72_ps6087_Product_Solution_Overview.html).
  Here's is a document on how to configure Guest Access on an Autonomous AP:
  VLANs on Aironet Access Points Configuration Example
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665ceb.shtml

• Cisco 2500 controller with aironet 1600 access point

  Hi,
  This my first wireless project, and I have a few questions about the installation :
  1- some of the access point will be installed in branch offices, connected to the controller through the main MPLS netwrok ( is that possible).
  2- If for any reason the connectivity between the AP and the controller get disconnected what will happend to the users connected to the access point.
  3- can I have two vlan on the Aironet 1600, the first one to be connected to the controller through the MPLS netwrok and the second for users to public internet.(internet break out).
  Thanks,

  Yes that setup will work. What the others are trying to explain is authentication if your WAN goes down. If your AP's are setup for FlexConnect and you are indeed using AP groups, (using 802.1x) you need to have a radius server and a backup AD sever to allow for authentication to still happen if the WAN goes down. If you have resources centralized, then when the WAN goes down, everything else goes down and no new authentications will take place and any re-authentications will fail with 802.1x.
  Take a look at these links
  http://www.cisco.com/en/US/docs/wireless/controller/7.2/configuration/guide/cg_flexconnect.html
  http://www.cisco.com/en/US/docs/wireless/controller/7.4/configuration/guides/flexconnect/config_flexconnect_chapter_011.html
  Sent from Cisco Technical Support iPhone App

• Conection 1300 series Aironet As Access Point

  I´m thinking to install a 1300 series Cisco aironet on my network, i wish this network can offers remote access to my network as a Access point to Laptop or pc than works with a 54MB/s and 11 MB/s. I should configured my AP as a Repeater of my network. well all you can help. i really glad you.

  Hi Luis,
  Here are some docs for the 1300 to get you started:
  Cisco Aironet 1300 Series
  Read Me First
  http://www.cisco.com/en/US/products/ps5861/products_quick_start09186a00804fbd81.html
  Configuring the Access Point/Bridge as an Access Point
  http://www.cisco.com/en/US/products/ps5861/products_configuration_guide_chapter09186a008021e5e4.html#wp1043091
  Cisco Aironet 1300 Series Outdoor Access Point/Bridge Software Configuration Guide, 12.3(4) JA
  http://www.cisco.com/en/US/products/ps5861/products_configuration_guide_book09186a008041369a.html
  Hope this helps!
  Rob
  Please remember to rate helpful posts......

• Is my aironet 1100 access point dead?

  Hello,
  I purchased a second hand cisco aironet access point on Ebay and I am having trouble getting into the configuration program. I have reset the device back to factory defaults and I get green led's when I plug it in. I have it connected to a pc running win xp via an ethernet patch cable. I have assigned 10.0.0.2/24 to my pc and when I ping the access point I am getting over 75% packet loss. The web browser will bring up the login box after a minute but after that nothing. Any suggestions? Is it dead?
  With Regards,
  Aaron McQuaid

  Aaron,
  Did you get this resolved?
  I have the exact same problem. I am using an AIR-AP1121G and I can't see the AP anywhere. I can find it on my firewall sometimes, but sometimes the IP Address changes and sometimes it disappears completely.
  I am pretty new to this type of AP. We have one at work I love, but this is my first one I am configuring.
  TIA
  Bill

• Cisco Aironet 1700 access-point?

  Earlier this month Cisco released a new autonomous IOS for the 2700 and 3700 access-points. If I look at the release logs, they reference to a new 1700I access-point:
  Support for Cisco Aironet 1700 Series access point
  - This access point is built on 3x3:2(2.4GHz), 3x3:2(5GHz) MIMO technology, and comes with integrated antennas, and supports 802.11a,b,g,n,ac. This access point has both primary and secondary gigabit Ethernet ports. The primary port is gigabit Ethernet 0 and is the backhaul port. The primary port can be set as trunk port. The secondary port is gigabit Ethernet 1, and is the access port. You can configure the secondary port to a VLAN ID using the interface configuration command bridge multiple-port client-vlan vlan-id
  - Supported model is 1700I
  (http://www.cisco.com/c/en/us/td/docs/wireless/access_point/ios/release/notes/rn-15-3-3.html)
  Has anyone of you guys have some inside information about this new access-point? :-) My guess is that it is gonna be the successor for the 1600I, so the same price but 802.11ac and CleanAir Express (?)

  yes. It looks like 8.0.100.0 code  introduced this new AP model support for AireOS controllers.
  http://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html
  HTH
  Rasika