Management vlan on access point

Similar Messages

• Dynamic VLAN on Access Point using RADIUS

  Hi.
  I am using a single Cisco 1130AG authenticating to RADIUS on Microsoft IAS (I do NOT have a WLC)
  I was wondering is it possible to use one flat SSID in my network and then dynamically assign VLANs to users based on matching of RADIUS Policy and RADIUS Return attributes?
  I have configured the attributes on radius as per documentation;
  * IETF 64 (Tunnel Type)—Set this to VLAN.
  * IETF 65 (Tunnel Medium Type)—Set this to 802.
  * IETF 81 (Tunnel Private Group ID)—Set this to VLAN ID.
  The returned VLAN ID exists on the Access Point and direct connection to the SSID without the return value works okay.
  Each time I connect the VLAN just defaults to the native VLAN for the SSID
  I think it may be impossible without WLC!
  HELP!!

  From what I found when using MBSSID it appears you cannot use dynamic VLANs.
  However you can use a single broadcasted SSID and various non-broadcast SSIDs with dynamic VLANs.
  Ideally a single SSID and dynamic VLANs via dot1x would be fine for my setup.
  However I have a specific wireless device which cannot use dot1x/EAP and therefore I need an second broadcast SSID to use for this. Which then causes the dynamic VLAN setup not to work.

• Security and Management of Wireless Access Points

  We have a network of eight (8) Cisco 350 Access Points.
  We would like to enable security through WEP and designating specific MAC (Hardware) addresses.
  Please advise as to the most efficient manner of inputting hardware addresses into all of our access points and managing many access points.

  Hmmm....all these replies, with good information, and no one answered your question!
  You can't cut and paste a list of MACs into a Cisco AP (how come, I don't know). What you need to do is enter one MAC address. Then download a non-default config file out of the AP. Then find the lines that changed, and you have your template for adding MAC address lists in one fell swoop. I made a little excel spreadsheet to let me paste in a list of MACs, then spit out the config file lines that you can add as an "additional configuration file" via the web gui.
  You could also add the list via SNMP.
  There's also an import utility in the cli for the ACS server that will let you suck in MAC addresses.
  Hope this helps.
  Just remembered, the APs for some reason convert the hex format of a MAC into dotted decimal. So, when you paste your list in, you need to convert it from hex to dotted decimal, produce your config lines with those, and then shoot those config lines to the AP. I couldn't find anyone in the TAC that could explain why adding a list of MACs was such a chore.

• SSIDs and VLAN on access points

  The commands to map an SSID to a VLAN on an IOS access point are basically like this:
  [snip]
  dot11 ssid MYSSID
  vlan 5
  interface Dot11Radio0
  ssid MYSSID
  interface Dot11Radio0.5
  encapsulation dot1q 5
  bridge-group 5
  interface FastEthernet0
  interface FastEthernet0.5
  encapsulation dot1q 5
  bridge-group 5
  [snip]
  My question is this: what does the command "vlan 5" actually do? Does it map MYSSID to bridge-group 5, which is then mapped to 802.1q tag 5 by the subinterface configurations (so that the tag number is arbitrary), or does it map MYSSID to 802.1q tag 5 on the radio interface, which is then bridged to the appropriate dot1q subinterface on the wired side by the bridge group (so that the bridge group number is arbitrary)?

  Vlan tag is tied to SSID and Bridge group is also tagged to appropriate vlan mentioned as bridge group number

• Multiple vlan on Access point

  Hi,
  I have three AP but one one is connected with a network cable and the other work on a repeater mode.
  I need to create two vlans which will broadcast two ssid one for office and one for guest. I know you can't create multiple vlan on a repeater but is there any way round then with only one AP which connected to the network and other working in repeater mode?
  Thanks

  You can probably is you configure one radio as a repeater and the other radio for client access, but they will be placed on the same subnet which is your native vlan. I'm not 100% sure that would work anyways, but I know you can't separate the traffic.
  Thanks,
  Scott Fella
  Sent from my iPhone

• WLC 5508 and remote site (DMVPN) Access Points

  Hi All,
  We just purchased a WLC 5508 and would like to know if it will control remote VPN site Access Points.  Here are the details:
  The 5508 will live at our home office.  We have multiple remote sites that are connected via Cisco's DMVPN.  Each site has one Cisco 1131 Access Point hanging off of either a Cisco 1841 or a 2811 that is using DMVPN back to the home office 2811.  Can the 5508 manage the remote Access Points?
  Thanks for your help guys!

  Are you are talking about OfficeExtend?
  Cisco OfficeExtend
  https://www.cisco.com/en/US/solutions/collateral/ns340/ns517/ns430/solution_overview_c22-523307_ns348_Networking_Solution_Solution_Overview.html
  OfficeExtend supports 1130 & 1140 as long as you have the Wireless PLUS (WPLUS) Software.
  OfficeExtend Access Point
  http://www.cisco.com/en/US/docs/wireless/wcs/6.0/configuration/guide/6_0apcfg.html#wp1069890

• Configure Access point 1140

  Dear All,
           I am not expert in wireless and cisco.  I need to configure accesspoint 1140 in my network.  I have 10 vlans in my network (Switch 2960)
  how i can configure accesspoint to used two ssid, one for lan and one for guest this two ssid in separate vlans.  I was try like this...
  i create vlans on 3750 switch.  I connected my accesspoint to switch 2960 (2960 switch is enduser switch).  I trunk the port on 2960 switch is connected to access point.  I assign ip address to BVI Interface in accesspoint static.  i am unable to ping from access point to other vlans, from other vlans to access point.
  can any one help to configure access point.
  regards.,

  Basic Wireless LAN Connection Configuration Example
  http://www.cisco.com/en/US/customer/tech/tk722/tk809/technologies_configuration_example09186a008055c39a.shtml

• IOS Access Point Bombards TACACS+ Server with Requests

  Problem: When using the web GUI to manage an IOS access point such as the AP350, AP1100, or AP1200, and when using TACACS+ to authenticate the HTTP accesses, the access point will send numerous authentication requests to the TACACS+ server for each web page accessed.
  Workaround given by cisco was to use single-connection tacacs server.
  My question:
  How to implement this command? Is it as below
  "tacacs-server host x.x.x.x single-connection port 49 key test".
  I've tried using this command but still getting numerous authentication request.
  Any help?
  regards,
  Ganesh

  We experienced similar problems. We were instructed to use local authentication at the current time. Something about HTTP requiring authentication for each part of the page that accesses data. The configuration line is:
  ip http authentication local
  The single connection did not help. We were also advised that if we required ACS HTTP authentication to use RADIUS because it scaled better than TACACS and would not be as impacted as TACACS. If neither of these are an option, another workaround is to, disable logging "passed authentications". We tested this and it prevented our ACS server from pegging the cpu, memory and I/O write queues. We opted for local authentication because the lack of "passed authentication" logs impacted our troubleshooting.
  Good Luck
  Gerry

• Multiple Cisco Aironet 1131AG access points and same SSID?

  We have multiple Cisco Aironet 1131AG devices, all wired on one Cisco L2 switch(2560)  who is connected to L3 switch (3550). We assigned one VLAN for access point in L3 switch who acts as vtp server (L2 switch is vtp client). All ap's will have static ip address and all will have same SSID and no security and they will be using multiple channels (ex. 1,6,11).  They will operate in 3 floor building for roaming wireless client. We won't using any wireless controller.
  So my question is this: How to configure APs-all the same with different ip's, can we use L3 switch to create dhcp server for access points VLAN (pool for clients, and the rest for static ip for ap's)? Can one of the ap's be WDS and in the same time local radius server with users without Cisco Secure ACS or similar controller or I didn't understand this quite well :-). I followed guide http://www.cisco.com/en/US/docs/wireless/access_point/12.3_2_JA/configuration/guide/s32roamg.html for WDS where the part abou Cisco ACS is a problem, so I can use same ap as Local Authenticator as in guide  http://www.cisco.com/en/US/docs/wireless/access_point/12.3_4_JA/configuration/guide/s34local.html#wp1035723.
  Many thanks...

  Well, just so you know, WDS and local RADIUS authentication is only needed if you're using authentication on your wireless connection.  You say you're not planning to use security, so this isn't necessary.  However, I'd highly recommend at least using a simple WPA2-PSK to lock down your connection, otherwise you might end up giving free Internet access at best, and at worst you might be giving access to company PCs and servers.  If you want to further use an 802.1x or WPA authentication method, then yes, you can use an AP as a RADIUS server and WDS to improve authenticated roaming, but this is far more limited than using a Cisco ACS.
  As for your other questions, yes, your APs can all be configured the same except for at least three parameters: IP address, channel, and hostname.  Configure your static IP addresses on the AP's BVI1 interface.  Don't place it on the Radio or Ethernet interfaces, because if either of these interfaces goes down you'll lose the ability to configure the AP, so it's best to use the BVI1 interface.
  And yes, configuring a DHCP scope for your clients on your L3 switch is a good design, or you could also use your DHCP server on a different subnet by using the ip helper-address command on the L3 interface.  I hope this helps!  Let me know if you need help configuring any of this.
  Merry Christmas!
  Jeff

• Cisco Access point management vlan

  Hi All, 
  I have  all my switches configured to run on native vlan 500 and management on vlan 10 
  with the cisco access point , if I make 500 native or another word trunk untagged vlan then I can't access the router using the BVI interface which is meant to have ip from vlan 10.
  vlan 10 is the management network across our business and all management ips are on that range.
  what are the possible solutions?

  When you connect the access point to the wired LAN, the access point links to the network using a bridge virtual interface (BVI) that it creates automatically. Instead of tracking separate IP addresses for the access point's Ethernet and radio ports, the network uses the BVI.
  When you assign an IP address to the access point using the CLI, you must assign the address to the BVI. Beginning in privileged EXEC mode, follow these steps to assign an IP address to the access point's BVI:
  Step 1 
  configure terminal
  Enter global configuration mode.
  Step 2 
  interface bvi1
  Enter interface configuration mode for the BVI.
  Step 3 
  ip address address
  mask
  Assign an IP address and address mask to the BVI. Note If you are connected to the access point using a Telnet session, you lose your connection to the access point when you assign a new IP address to the BVI. If you need to continue configuring the access point using Telnet, use the new IP address to open another Telnet session to the access point.

• Access Point management in VLAN other than native

  Hi all,
  I'm using VLAN 2 in my network as management VLAN. All network devices have the management IP address in this VLAN. I have some problems though to connect to 2 access points 1602. I set up VLAN 2 and configure the subinterface Gi0.2 and the bridge group 2. Then, I configure the BVI2 with the managemente IP address, I enable "bridge 2 route ip" and it works. However, when I reload the AP I cannont connect any more to the IP address. If I erase the configuration, reload and paste the previous running-configuration, it works again (until I reload).
  Any clue why this happen?
  Thanks,
  Andres

  When you connect the access point to the wired LAN, the access point links to the network using a bridge virtual interface (BVI) that it creates automatically. Instead of tracking separate IP addresses for the access point's Ethernet and radio ports, the network uses the BVI.
  When you assign an IP address to the access point using the CLI, you must assign the address to the BVI. Beginning in privileged EXEC mode, follow these steps to assign an IP address to the access point's BVI:
  Step 1 
  configure terminal
  Enter global configuration mode.
  Step 2 
  interface bvi1
  Enter interface configuration mode for the BVI.
  Step 3 
  ip address address
  mask
  Assign an IP address and address mask to the BVI. Note If you are connected to the access point using a Telnet session, you lose your connection to the access point when you assign a new IP address to the BVI. If you need to continue configuring the access point using Telnet, use the new IP address to open another Telnet session to the access point.

• Wlc 5508 management interface vlan - access point vlan

  Is it required that the access points are in the same vlan as the management interface on a wlc 5508?

  There is a story behind this .. Just yesterday my guy was like "aps wont join" .. I let him hammer away at it .. It was the check box
  "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
  ‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

• Light weight access point, vlans, multiple ssids

  Hi everybody
  Let say we have an light weight access point ap1.  Ap1 is broadcasting two ssids:
  cisco1  which is mapped to vlan 1
  cisco 2  which is mapped to vlan 2
  If ap1 is using channel 6 for cisco 1, does it mean ap1 will also use same channel i.e channel 6 for cisco2?
  thanks and have a great weekend.

  sarahr202 wrote:Hi everybodyLet say we have an light weight access point ap1.  Ap1 is broadcasting two ssids:cisco1  which is mapped to vlan 1cisco 2  which is mapped to vlan 2If ap1 is using channel 6 for cisco 1, does it mean ap1 will also use same channel i.e channel 6 for cisco2?thanks and have a great weekend.
  Lightweight WAP right?  As in controller-based WAP?
  If this is the case, then the answer is both a yes and a no.
  Let me explain:
  Throw away the notion that you can set the channel down.  I mean, if you have a controller-based WAP, the last thing you want to do is "micro-manage" which channels your WAPs operate on.   I mean, you can but as a rule-of-thumb, you don't and let the controller sort things out.
  So, going back to your question:  You whave multiple WAPs and two SSID:  1 and 2.  Let's presume that you've configured that all your WAPs will be broadcasting SSID 1 and SSID 2.
  The decision about what channels each WAP will be operating on falls squarely on the Wireless LAN Controller (WLC).  The WLC makes this decision based on a blah-blah-blah algorythm.  If, for example, WAP A and, say, WAP R can "hear" each other on the same channel, the WLC will make the decision and say, "Hey WAP R, since you and WAP A are operating in the same channel and both of you can hear each other, why don't you, WAP R, operate in channel 11.".
  However, if WAP A and WAP R can't see each other then both of them can operate in the same channel.
  NOW, here's comes the tricky question ... Here's the scenario:  You have SSID 1 and SSID 2.  You want all your WAPs to broadcast both SSID.  HOWEVER, you want SSID 1 to operate at, say, 1 Mbps rate only while SSID 2 can operate at all other data rates.
  Yes, this can be done using RF Profile and AP Groups.
  Is this what you are asking?

• VLANs thru a 350 Access Point

  I'm considering use of 350 access points connected to Catalyst 4000 switches with a few Symbol phones & Call Manager. There may also be some (few) wireless PC cards also connecting thru the same APs. On my wired network, the phones, gateways, etc are on separate VLANs than the data devices. Is this possible using wireless APs? Do APs know anything about trunking or VLANs or is this strictly up to the switch port to which they are connected?

  Is that true?
  I had that question too before. I did call Cisco Tac, but they confirm me that was not supported.Because the Vlan trunk frame is a little difference with normal ethernet frame, so the AP doesn't recogonize it ,and will drop it.
  Actaully it is simmilar as you put a hub between a trunk line, the trunk doesn't work with that.
  In theory , it is reasonable not to work with vlan trunk, but I didn't do any lab to test it.
  Icarr , are you really sure it works? There is not any problem ?
  Thanks

• Access point VLANS and IP Addresses for RADIUS servers

  Hi, i would like to have my IAS radius server authenticate clients. I have done that, so my question is about routing and VLANS and incorporating into my existing network.
  What VLAN does the access point communicate to the RADIUS server on? I need to tell the access point to communicate on VLAN1, any other VLAN will not goto the radius server. The access point only has one setable ip address through the http config, is this for management or communication with the radius server?
  Thanks in advance,
  Chris

  Hello,
  Would you mind sharing how you configured both the AP and IAS to work together? I'm not finding anything in the Cisco documentation that shows how to do that and I need to use my IAS server to authenticate clients who connect to the inside SSID on my AP.
  By the way, I have successfully configured an AP with two SSIDs - one for guests that connects those clients to the guest VLAN (a DMZ on my PIX), and one for trusted users that connects them to the VLAN for my inside, secure network). If you haven't got that working, I'd be glad to help.