Cisco avpair SSID and WLC
Hi!
I'd like to differentiate users sharing the same ldap directory and radius authentication.
For example, if I have a student and a teacher, I'd like to be sure that the student will stay on its vlans and so on.
I can do this by using vlan attributes and aaa override but if I do that, I will have for example a student connected to the teacher SSID but on the student vlan. It's not a pretty situation...
I read that we can use a cisco avpair attribute to force users to connect only on their SSID but it doesn't seem to work with controller.
Does anybody have a solution for my case?
Thanks
I've used av-pair on the WLC for Web Splash Page, but not ssid restrictions.
I did however find this documentation: http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml
It refers to configuring a NAR (Network Access Restriction) in ACS which makes it sound like you can limit a user to a specific SSID.
Similar Messages
-
Web Redirection Problem on Cisco ISE 1.2 and WLC 7.5
Hello,
We are at initial phase of deploying ISE 1.2 in our environment for Wireless Guest Users.
I have configured ISE and WLC to talk to each other which is working fine. An SSID with MAC-Filtering is also configured on WLC and ACL only allowing ISE and DNS traffic.
I have configured proper authentication and authorization policies on ISE. Now, when I try to connect my device (laptop and android mobile), I see my device gets associated with the SSID (Demo) and gets the right IP Address from DHCP and right VLAN from WLC. The log process on ISE is as follows.
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11027 Detected Host Lookup UseCase (Service-Type = Call Check (10))
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
15041 Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Source - Internal Endpoints
24210 Looking up User in Internal Users IDStore - B8:B4:2E:A6:7D:75
24216 The user is not found in the internal users identity store
24209 Looking up Endpoint in Internal Endpoints IDStore - B8:B4:2E:A6:7D:75
24211 Found Endpoint in Internal Endpoints IDStore
22037 Authentication Passed
15036 Evaluating Authorization Policy
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15004 Matched rule - Guest Redirection
15016 Selected Authorization Profile - Test_Profile
11002 Returned RADIUS Access-Accept
I also see a redirect url in the detailed authentication logs. But the problem is that when I open my browser on my device, it doesn't get redirected to the guest portal url. Now since I can't get there, I can't continue with the rest of the process of authentication, COA and final ACL for internet access.
Can someone please either guide me the correct steps that I need to follow, if I have misconfigured something or advise if this is a bug.
Thanks in advance.
Jay
The ACL is definitely used to define what traffic is re-directed to ISE and what traffic is not redirected. Having the permit-all statement at the end will break redirection. If you are using flex-connect then you will need to use flex-connect ACLs and apply those to the flex-connect APs. The links below should give you an idea of what needs to be done:
http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-000.html
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html
Thank you for rating helpful posts! -
Wireless Max SSID on WLC and AP
Hi,
I'm using a NME-AIR-WLC6-K9, Software Version 7.0.235.3.
I have 6x Access Points AIR-LAP1142N.
The limitation on the WLC is only 16 SSIDs, I'm not sure what the AP is capable of max SSID broadcast. Does any one have this information?
My question, is there a way of expanding the controller to allow for more WLAN? Our floor would like to use another SSID on top of the 16 already configured.
Thanks
The limitation on the WLC is only 16 SSIDs,
Each AP can broadcast a maximum of 16 SSID and nothing more. You can configure a WLC with more than 16 SSID.
When you say AP/WLAN Groups would be a more efficient means of providing SSIDs per location, is there a Cisco document explaining this and how it will work. We provide services to our clients by providing SSID on a floor with roaming service any where within the Wifi coverage. Right now, due to the limitations of 16 SSIDs on a WLCM (SRE-710) we have ran into problems. I notice that other Cisco products such as Virtual Controller (small to mid scale) and Wireless Appliance Servers (mid to large scale) provides 512 WLANs.
Wow. Someone's over-complicated your WLAN network. That ain't going to be good at all.
How many clients do you provide WLAN service? Like what Eric said, with AP Groups you can do the following scenario:
Client A and B have three SSIDs each with the 3rd SSID as "Guest".
APs inside client A premises will broadcast SSID A1, A2 and A3.
APs inside client B premises will broadcast SSID B1, B2 and B3.
In the foyer area, you can have an AP broadcasting only A3 and B3.
Very doable and this is what the main selling point of AP Groups.
With a newer WLC, like the 2504, 5508 and the WiSM-2, you can even specify the data rates for each AP groups. So you can say that A3 and B3 will only broadcast in 802.11 g. -
Ask the Expert: Cisco BYOD Wireless Solution: ISE and WLC Integration
With Jacob Ideji, Richard Hamby and Raphael Ohaemenyi
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about the new Identity Solutions Engine (ISE) and Wireless LAN Controller (WLC) hardware/software, integration, features, specifications, client details, or just questions about Cisco's Bring-your-own device (BYOD) solution with Cisco experts Richard Hamby, Jacob Ideji, and Raphael Ohaemenyi. The interest in BYOD (Bring Your Own Device) solutions in the enterprise has grown exponentially as guests and company users increasingly desire to use personal devices to access . Cisco BYOD enhances user experience and productivity while providing security, ease-of-administration, and performance. The heart of the Cisco wireless BYOD solution is Identity Solutions Engine (ISE) utilizing the Cisco Unified Wireless portfolio. Starting with ISE v1.1.1MR and WLC (Wireless LAN Controller) code v7.2.110.0 and higher, end-to-end wireless BYOD integration is reality.
Jacob Ideji is the technical team lead in the Cisco authentication, authorization and accounting (AAA) security team in Richardson, Texas. During his four years of experience at Cisco he has worked with Cisco VPN products, Cisco Network Admission Control (NAC) Appliance, Cisco Secure Access Control Server, and Dot1x technology as well as the current Cisco Identity Services Engine. He has a total of more than 12 years experience in the networking industry. Ideji holds CCNA, CCNP, CCSP, CCDA, CCDP, and CISM certifications from Cisco plus other industry certifications.
Richard Hamby works on the Cisco BYOD Plan, Design, Implement (PDI) Help Desk for Borderless Networks, where he is the subject matter expert on wireless, supporting partners in the deployment of Cisco Unified Wireless and Identity Services Engine solutions. Prior to his current position, Hamby was a customer support engineer with the Cisco Technical Assistance Center for 3 years on the authentication, authorization, accounting (AAA) and wireless technology teams.
Raphael Ohaemenyi is a customer support engineer with the authentication, authorization and accounting (AAA) team in the Technical Assistance Center in Richardson, Texas, where he supports Cisco customers in identity management technologies. His areas of expertise include Cisco Access Control Server, Cisco Network Admission Control (NAC) Appliance, Cisco Identity Services Engine, and IEEE 802.1X technologies. He has been at Cisco for more than 2 years and has worked in the networking industry for 8 years. He holds CCNP, CCDP, and CCSP certification.
Remember to use the rating system to let Jacob, Richard and Raphael know if you have received an adequate response.
Jacob, Richard and Raphael might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the wireless mobility sub community forum shortly after the event. This event lasts through Oct 5th, 2012. Visit this forum often to view responses to your questions and the questions of other community members.
OOPS !!
I will repost the whole message with the correct external URLs:
In general, the Trustsec design and deployment guides address the specific support for the various features of the 'whole' Cisco TS (and other security) solution frameworks. And then a drill-down (usually the proper links are embedded) to the specific feature, and then that feature on a given device. TS 2.1 defines the use of ISE or ACS5 as the policy server, and configuration examples for the platforms will include and refer to them.
TrustSec Home Page
http://www.cisco.com/en/US/netsol/ns1051/index.html
http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns1051/product_bulletin_c25-712066.html
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/at_a_glance_c45-654884.pdf
I find this page very helpful as a top-level start to what features and capabilities exist per device:
http://www.cisco.com/en/US/solutions/ns170/ns896/ns1051/trustsec_matrix.html
The TS 2.1 Design Guides
http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
DesignZone has some updated docs as well
http://www.cisco.com/en/US/netsol/ns982/networking_solutions_program_home.html#~bng
As the SGT functionality (at this point) is really more of a router/LAN/client solution, the most detailed information will be in the IOS TS guides like :
http://www.cisco.com/en/US/docs/switches/datacenter/sw/6_x/nx-os/security/configuration/guide/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_6.x.html
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_cts/configuration/xe-3s/asr1000/sec-usr-cts-xe-3s-asr1000-book.html
http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/trustsec.html -
Cisco-avpair for both NX-OS and IOS
Using freeradius2-2.1.12. I need to setup read-write access for both Cisco NX-OS and IOS devices. I did the following,
DEFAULT Group == operator-rw, Auth-Type = System
Service-Type = NAS-Prompt-User,
cisco-avpair := "shell:roles*\"network-admin vdc-admin priv-lvl=15\""
I can log into both NX-OS and IOS devices; however, IOS devices only permits exec mode not the privileged exec (enable) mode.
Is there a different syntax that can make this work for both NX-OS and IOS?
Norman
As you have noticed IOS and NX-OS are a little bit different. With NX-OS there isn't a "disabled" mode but just network roles. For IOS can try pushing for example "cisco-avpair =shell:priv-lvl=7" and then define a local priv level 7 on the network device with the needed commands
Thank you for rating! -
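For the NX-OS/IOS cisco-avpair thread above, an added example (not code from the thread, FreeRADIUS or Cisco): a small Python model of Cisco's `protocol:attribute<sep>value` AV-pair syntax, where `=` marks a mandatory attribute and `*` an optional one. The function names, the two simplified consumer models and the default level of 1 are assumptions for illustration; it shows that the posted string carries `priv-lvl=15` inside the quoted `roles` value, so no `priv-lvl` attribute is ever sent.

```python
"""Added example: model of Cisco AV-pair syntax, protocol:attribute<sep>value."""
import re
from typing import List, NamedTuple


class AVPair(NamedTuple):
    protocol: str
    attribute: str
    mandatory: bool  # True for '=', False for '*' (optional)
    value: str


def parse_avpair(raw: str) -> AVPair:
    """Split one AV pair; the first '=' or '*' after the colon is the separator."""
    protocol, colon, rest = raw.partition(":")
    match = re.search(r"[=*]", rest)
    if not colon or match is None:
        raise ValueError(f"not a protocol:attribute<sep>value string: {raw!r}")
    value = rest[match.end():]
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]  # drop the quotes wrapping a multi-word value
    return AVPair(protocol, rest[:match.start()], match.group() == "=", value)


def ios_privilege(avpairs: List[str], default: int = 1) -> int:
    """Simplified IOS-style consumer (assumption): only shell:priv-lvl sets the level."""
    level = default
    for pair in map(parse_avpair, avpairs):
        if (pair.protocol, pair.attribute) == ("shell", "priv-lvl") and pair.value.isdigit():
            level = int(pair.value)
    return level


def nxos_roles(avpairs: List[str]) -> List[str]:
    """Simplified NX-OS-style consumer (assumption): shell:roles is a space-separated list."""
    roles: List[str] = []
    for pair in map(parse_avpair, avpairs):
        if (pair.protocol, pair.attribute) == ("shell", "roles"):
            roles.extend(pair.value.split())
    return roles


def users_file_reply(avpairs: List[str]) -> str:
    """Render reply items in the users-file style of the post: ':=' first, '+=' to append."""
    lines = []
    for index, raw in enumerate(avpairs):
        op = ":=" if index == 0 else "+="
        escaped = raw.replace('"', '\\"')  # inner quotes are backslash-escaped
        lines.append(f'    cisco-avpair {op} "{escaped}"')
    return ",\n".join(lines)


# The reply string from the post: priv-lvl=15 sits inside the quoted roles value.
POSTED_REPLY = ['shell:roles*"network-admin vdc-admin priv-lvl=15"']
# Constructed alternative: roles stays optional ('*'), priv-lvl is its own AV pair.
SPLIT_REPLY = ['shell:roles*"network-admin vdc-admin"', "shell:priv-lvl=15"]

if __name__ == "__main__":
    for name, reply in (("posted", POSTED_REPLY), ("split", SPLIT_REPLY)):
        print(name, "IOS level:", ios_privilege(reply), "NX-OS roles:", nxos_roles(reply))
    print(users_file_reply(SPLIT_REPLY))
```

Passing a lower value such as `shell:priv-lvl=7`, as the reply suggests, goes through the same path and keeps the account off level 15.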
WCS and WLC versions for Cisco 3600 WAP
Hi,
I got a few Cisco Aironet 3602i. The minimum WLC version to support these is 7.1.91.0. I am planning to upgrade to 7.2.103.0. The minimum WCS version to support these WAP is 7.0.220.0 and the next available 7.0.230.0. Checking the release notes for both of these WCS versions, there is no mention of support for WLC versions listed above.
http://www.cisco.com/en/US/docs/wireless/wcs/release/notes/WCS_RN7_0_230.html#wp152663
Am I missing something here ? What versions would be required on WCS and WLC to make all the three entities (WLC, WCS, WAP) inter-operable ?
Thanks,
Regards, Rashid.
Thanks Scott.
Table-5 from your link indicates WCS 7.0.230.0 support for WLC 7.1.91.0, although release notes for WCS fails to mention this. I think that's the only option in our existing WCS based network then. Other option being to upgrade to NCS.
The NCS page http://www.cisco.com/en/US/products/ps6305/index.html indicates it will be offered to existing WCS customers when releases. Would we be required to pay for the product or both product and licenses or none ? -
Hello Experts
We have one WLC 5508 in Building1, few 2700 Series AP in Building1, and one 1252AG in Building2. The LAN subnet is same for both Buildings connected via a dark fiber.
My requirement is to have Central Switching in Building1 since WLC is located locally, and Local Switching in Building2 to avoid inter-building traffic, for both Buildings we already have one VLAN/IP Subnet. (Both Buildings access resources from a central Datacenter which hosts all the servers.)
Questions:
1. Is the above scenario possible using single SSID ? My understanding is that one WLAN+SSID can't have both Local and Central switching enabled.
2. In Flexconnect Central Switching mode, during WLC failure, does the switching change to Local switching automatically ?
3. When I choose Local Switching for a specific WLAN, does it Locally switch always , or does it Locally switch only when WLC is down ?
4. We want to use Microsoft PEAP using AD User Authentication. When Local Authentication is enabled on WLC, I understand that when WLC fails (and RADIUS Server is still reachable), can we still have the AP directly contact RADIUS server as a direct client and provide 802.1X Microsoft PEAP authentication. Guess this is Primary Backup Radius Server configuration. Is this understanding correct ?
Thanks.
Hi
The LAN subnet is same for both Buildings connected via a dark fiber.
If this is the case there is no need of FlexConnect, as you have enough bandwidth & same L2 extended in those two buildings. Typically FlexConnect is for branch deployment where WAN link bandwidth is a concern.
Anyway if you want to do this & here is the answer for your specific queries.
1. Is the above scenario possible using single SSID ? My understanding is that one WLAN+SSID can't have both Local and Central switching enabled.
You can have both local switching & central switching available for a given SSID. Only FlexConnect mode AP will do Local switching & all Local mode AP will do central switching, though both using the same SSID.
2. In Flexconnect Central Switching mode, during WLC failure, does the switching change to Local switching automatically ?
No, if it is a central switching SSID, when WLC is not available the client won't be able to join this SSID. It does not fall back to Local switching.
3. When I choose Local Switching for a specific WLAN, does it Locally switch always , or does it Locally switch only when WLC is down ?
This is applicable only to FlexConnect mode APs & it always does local switching if that is configured. If WLC is not reachable AP will go into "standalone mode" & still do local switching.
4. We want to use Microsoft PEAP using AD User Authentication. When Local Authentication is enabled on WLC, I understand that when WLC fails (and RADIUS Server is still reachable), can we still have the AP directly contact RADIUS server as a direct client and provide 802.1X Microsoft PEAP authentication. Guess this is Primary Backup Radius Server configuration. Is this understanding correct ?
Yes, when this option is configured & WLC is not reachable (but RADIUS is reachable) then AP will act as Authenticator & pass radius messages to Auth Server directly.
This is a very good Ciscolive presentation you should see as it describes lots of these features & which WLC codes they were introduced in.
BRKEWN-2016 - Architecting Network for Branch Offices with Cisco Unified Wireless
HTH
Rasika
**** Pls rate all useful responses **** -
ISE 1.04 and WLC 7.2 - CWA Config?
Hello, I'm currently deploying a POC for Central WebAuthentication with the new 7.2 Wireless Lan Controller code.
I'm aware of the differences between LWA and CWA in Catalyst Switches, but I'm having trouble grasping how to configure the CWA on the WLC for wireless guests with open web auth.
For LWA I did get:
1- User opens browser
2- WLC redirects user to ISE Guest page
3- ISE Guest page sends username/password to WLC,
4- WLC does a RADIUS PAP request to ISE in order to authenticate user.
5- ISE authenticates (or not) and send Access-Accept to WLC
6- WLC lets user go through.
For CWA the way I see it, it should be:
1- User opens browser
2- WLC redirects user to ISE Guest page
3- ISE Guest page processes username/password internally
4- ISE authenticates (or not) and sends Access-Accept to WLC
5- WLC lets user go through.
The way I see it, we should define a WLAN's L3 security policy as webauth, with no L2 security, but the question is how to configure the controller so that the ISE doesn't just serve as an external web server and the WLC is not waiting for a username/password from this external webserver, as would LWA work, but instead just gets an Access-Accept from the ISE.
For the moment LWA is more intuitive given the WLC philosophy of operation. I'm not really seeing how/where to configure 7.2 code to just expect an access-accept from ISE.
Can anybody enlighten me on how this should be configured/work?
Any insight is very much appreciated.
Thanks
Gustavo Novais
Hi Brian,
Complementing Nicolas Darchis idea:
On SSID Security settings, set Open Authentication and check the MAC Filtering box, do NOT check any type of L3 authentication.
Then define your RADIUS/ISE servers (enable support for RFC 5734 when defining them) on the SSID, and on the advanced tab of the ssid, enable RADIUS NAC (and aaa override too).
It is exactly the same thing as when you do RADIUS based mac authentication, except on this case, the RADIUS server will reply with an access-accept + a few attributes (namely airespace-acl/vlan/url-redirect).
On the ISE, you'll need to match service type: call-check (MAB) RADIUS authentication in order to match requests coming from WLC CWA.
Then the order will be the exact same as for a switch:
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_guest_pol.html#wp1112855
I needed to put the redirect access-list referenced on ISE CWA, statically on the WLC as a pre-auth ACL (you'll need to define it statically on the WLC - security access-lists).
Nicolas, I've seen trustsec design guide 2.0 but no CWA on wireless was included... do you have any idea if will it be on trustsec 2.1?
Thanks & Regards
Gustavo -
Multiple SSIDS and disappearing
We have Cisco 3602i access points for the most part, all of which advertise multiple SSIDs.
Very occasionally we see an SSID completely disappear from view, even though others remain solid (I can't say it's all devices as the majority of people who raise the issue have apple devices, but there are the odd one or two who use Windows laptops).
Also, the RSSI seems to fluctuate wildly.
I should add that we have disabled up to 11mbps data rates on the controller and we're running 7.6.100.0 currently, but plan to upgrade to 7.6.110.0 tonight.
I guess my question is how can an SSID just drop off the client view if others on the same AP are fine?
How does the AP deal with multiple SSIDs and does it prioritise?
I have to add that I've never had this issue and I'm just using a company standard HP laptop with an Intel chipset.
Hello,
See my comments:
Also, the RSSI seems to fluctuate wildly.
A: This is often how a device hears the frames. Sometimes in high interference you can expect this to jump around. I normally like to see if all the devices are doing this or just a select few. Sometimes poor clients jump around more than others.
I should add that we have disabled up to 11mbps data rates on the controller and we're running 7.6.100.0 currently, but plan to upgrade to 7.6.110.0 tonight.
A: I don't think turning off lower rates is bad unless your WiFi can't support the design. Good call, get on the latest.
I guess my question is how can an SSID just drop off the client view if others on the same AP are fine?
A: Again, it's a client missing frames like beacons.
How does the AP deal with multiple SSIDs and does it prioritise?
A: These SSIDs are virtualized. I blogged how this is done:
http://www.my80211.com/home/2011/5/2/wlc-how-cisco-virtualizes-the-base-radio-mac-address-on-the.html
I have to add that I've never had this issue and I'm just using a company standard HP laptop with an Intel chipset.
A: Again I think if you search you might see this is more around specific devices. I would do a packet capture and see what is going on. Recently had to troubleshoot an Android only to find out it was just bad wifi client. Always sending NULL frames and scanning and not passing traffic -
Binding multiple VLANs to single SSID on WLC
I have a building with over 4000 users and would like to bind multiple VLANs for user access to a single SSID in WLC. Can this be done? I would rather not have 4000 wireless users on a single VLAN.
The question is tough. You cannot use the SSID on an AP for multiple vlans. Once you assign the AP to the vlan then you will have to make all traffic in the vlan. With that being said, you could assign the APs to specific vlans, but if you roam from one vlan to another you will have problems at L3. But you can use WDS to make that happen.
Here are a couple of links that might help.
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_q_and_a_item09186a00804d4421.shtml
http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_guide_chapter09186a0080184ace.html -
Cisco Wireless SSID broadcast restriction
Dear Team,
I have 12 Cisco 3602 access point and 2 Cisco 5508 WLC with HA. I want to create one new SSID which I do not need to broadcast in all of my access point. I need to broadcast this SSID only with 3 of my access point. Kindly advise, how will I achieve this.
Regards,
Jubair.S
Hello Jubair,
Yes, you can create new SSID and limit them to only 3 APs
For this
1. you have to create new WLAN profile for separate SSID name
WLANs > Create New > Go
2. you have to create new group and then add all those APs in this group which you want to assign new SSID
and call newly created profile in this group as well, that's it.
WLANs > Advanced > AP Groups > Add Group -
Hello,
I am trying to connect the 7921 Wireless phones on a WLC SSID and association fails...
I know there is a world mode option on autonomous APs that corresponds to Dynamic Transmit Power Control (DTPC) on WLCs but it seems to be activated by default.
Is there any other options to make it work?
Thanks by advance.
François
Yes 802.11d is enabled by default on airespace and would be required for -W 7921G models.
See the 7921G deployment guide or WLAN SRND for more info.
http://www.cisco.com/univercd/cc/td/doc/product/voice/c_ipphon/english/wip7921/7921dply.pdf
http://www.cisco.com/univercd/cc/td/doc/solution/emblty30.pdf -
Is it possible to do multiple ssids and encryptions on an autonomous AP without vlans?
I got a customer who just has autonomous APs. They are upgrading from 1210s to 1262s. They are currently running a config that is wide open with no authentication or encryption and using a VPN tunnel on the wireless clients for security. They want to switch to using WPA2/PSK with the new APs. They have existing clients that have to continue to work during the upgrade to the new APs. They run 3 shifts so it is a 24 hr operation with no downtime. What I was thinking would be to configure the 1262 with multiple SSIDs, one with their existing settings and one with the new. Then I could swap the APs one at a time and it would only impact service for a short period of time while I was mounting the new AP. Then once all the new APs are installed I could transition the clients over to the new SSID and encryption then disable the old SSID once all the clients are switched over. I've done this before with a WLC but not with an autonomous APs. The only config examples I can find uses VLANs. This customer is not using VLANs. Is there anyway to use multiple SSIDs with different encryption on a single radio on an autonomous 1262 without VLANs?
The site has about 30 APs and 100 clients. Yes I know a controller would be preferred for a site of this size but that is a question for sales and why they didn't see them a controller. I just get stuck with what they sell them.
thanks
Hi Don,
I'm afraid on the autonomous platform you can not map multiple WLANS to a single vlan.
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection." -
Prime 1.3 and WLC 7.6 Can I push guest accounts?
Hi all
My Customer needs to update the WLC to 7.6 (from 7.4) due to 3700 APs, but does not use the ac or other new features (yet).
He has a Prime 1.3 update 4, where the guest Account are created.
Can he, after the WLC Upgrade to 7.6.130.0 still see the WLC from Prime 1.3 and Push guest accounts to the WLC?
The migration to PI 2.1 will be planned.
Thanks
Willem
Cisco Prime 1.3 doesn't support 7.6 please check the compatibility matrix
Table 4 Cisco Prime Infrastructure and Cisco Wireless Release Compatibility Matrix
Cisco Prime Infrastructure: Update 4 for 1.3.0.20; Update 1 for 1.3.0.20; 1.3.0.20
Cisco WLC: 7.4.121.0, 7.4.110.0, 7.4.100.60, 7.4.100.0, 7.3.112.0, 7.3.101.0, 7.2.115.2, 7.2.111.3, 7.2.110.0, 7.2.103.0, 7.0.250.0, 7.0.240.0, 7.0.235.3, 7.0.235.0, 7.0.230.0, 7.1.91.0, 7.0.220.0, 7.0.116.0, 7.0.98.218, 7.0.98.0
Cisco MSE: 7.4.121.0, 7.4.110.0, 7.4.100.0, 7.3.101.0, 7.2.110.0, 7.2.103.0, 7.0.240.0, 7.0.230.0, 7.0.220.0, 7.0.201.204, 7.0.112.0, 7.0.105.0
ISE: 1.0, 1.1, 1.2
Remarks: (none listed)
-
Problem with Cisco 861W router and outgoing VPN
We have a Cisco 861W router that is blocking an outgoing PPTP on the internal access point only. The outgoing VPN works when the traffic is through a wired connection or the connection is on another access point. We fail to make a connection only when connection to the 861W's internal Access Point.
Here is the Access Point Configuration:
Current configuration : 2100 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname obap
enable secret 5 $1$.1RF$go1D7WITXUn3s8TUaw3tC.
no aaa new-model
dot11 syslog
dot11 ssid OLIVER
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 0 XXXXXXXXXXX
username XXXXXX privilege 15 secret 5 $1$Wc0K$OzcQDDQfjHP6La31eXMoG/
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption mode ciphers aes-ccm tkip
ssid OLIVER
antenna gain 0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface GigabitEthernet0
description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
no ip address
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface BVI1
ip address 192.168.0.2 255.255.255.0
no ip route-cache
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
banner login ^CC
% Password change notice.
Default username/password setup on AP is cisco/cisco with privilege level 15.
It is strongly suggested that you create a new username with privilege level
15 using the following command for console security.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want to
use. After you change your username/password you can turn off this message
by configuring "no banner login" and "no banner exec" in privileged mode.
^C
line con 0
privilege level 15
login local
no activation-character
line vty 0 4
login local
cns dhcp
end
obap#
Here is the Router's Configuration:
Current configuration : 5908 bytes
! No configuration change since last restart
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname obrouter
boot-start-marker
boot-end-marker
logging buffered 51200
logging console critical
enable secret 5 $1$i9XE$DjxFVAEC9nC4/r6EQKCd6/
no aaa new-model
memory-size iomem 10
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
crypto pki trustpoint TP-self-signed-1856757619
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1856757619
revocation-check none
rsakeypair TP-self-signed-1856757619
crypto pki certificate chain TP-self-signed-1856757619
certificate self-signed 01
quit
no ip source-route
ip dhcp excluded-address 192.168.0.1 192.168.0.99
ip dhcp pool ccp-pool1
import all
network 192.168.0.0 255.255.255.0
dns-server 216.49.160.10 216.49.160.66
default-router 192.168.0.1
ip cef
no ip bootp server
ip domain name brushhog.com
ip name-server 216.49.160.10
ip name-server 216.49.160.66
license udi pid CISCO861W-GN-A-K9 sn FTX155281FY
username tech38 privilege 15 secret 5 $1$d/4Z$n/23EsXbzfHF5XfJ8Nv.y0
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
duplex auto
speed auto
pppoe-client dial-pool-number 1
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
arp timeout 0
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
interface Dialer0
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip flow ingress
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname XXXXXXXXXXXXX
ppp chap password 7 XXXXXXXXXXXXXXXX
ppp pap sent-username XXXXXXXXXXXXXX password 7 XXXXXXXXXXX
no cdp enable
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.168.0.25 80 interface Dialer0 80
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
control-plane
banner exec ^C
% Password expiration warning.
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you
want to use.
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
privilege level 15
login local
transport input telnet ssh
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
Any help would be appreciated
Hello,
I have the same problem with router CISCO861W-GN-E-K9. Version 12.4(22r)YB5, RELEASE SOFTWARE (fc1)
Can someone help?
Thank you.
Here is my config for internal AP and router.