Cisco Aironet – Basic config

Device configs can be tricky, particularly on platforms you don't touch frequently. You may find yourself having to reconfigure a device or make a tweak to an existing config, and in those instances it is not uncommon to think: where do I start?

This post looks at the building blocks of a Cisco Aironet wireless access point configuration. I am by no means a Cisco guru, so this is not an end-to-end guide on how to properly configure an Aironet device; it is what has worked for me so far.

Building-blocks example

The example below is adapted from an operational Cisco Aironet 3702i running IOS 15.3(3)JH (ap3g2-k9w7-mx.153-3.JH). The annotated sections that follow break the same config into its functional parts.

version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname C3700
!
!
logging rate-limit console 9
!
aaa new-model
!
!
aaa group server radius rad_mac
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius radServer_eap
 server name radServer
!
aaa group server radius radServer_acct
 server name radServer
!
aaa authentication login default local
aaa authentication login eap_methods group radServer_eap
aaa authentication login mac_methods local
aaa authorization exec default local 
aaa accounting network acct_methods start-stop group radServer_acct
!
!
!
!
!
aaa session-id common
clock timezone +1000 10 0
no ip source-route
no ip cef
ip domain name domain.com
ip name-server 9.9.9.9
ip name-server 8.8.8.8
ip name-server 4.4.2.2
!
!
!
!
dot11 pause-time 100
dot11 syslog
!
dot11 ssid WifiSSID
   band-select
   authentication open 
   authentication key-management wpa version 2
   wpa-psk ascii 0 wifipsk123
!
dot11 ssid GuestSSID
   band-select
   authentication open 
   authentication key-management wpa version 2
   guest-mode
   wpa-psk ascii 7 guestpsk1234
!
dot11 ssid RadiusSSID
   authentication open eap eap_methods 
   authentication key-management wpa version 2
   guest-mode
!
!
!
no ipv6 cef
!
username admin privilege 15 password 0 securep@ssword
!
!
lldp run
bridge irb
!
!
!
interface Dot11Radio0
 no ip address
 !
 encryption mode ciphers aes-ccm 
 !
 ssid WifiSSID
 !
 antenna gain 0
 stbc
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 !
 encryption mode ciphers aes-ccm 
 !
 ssid WifiSSID
 !
 ssid RadiusSSID
 !
 antenna gain 0
 peakdetect
 no dfs band block
 stbc
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
 no ip address
 duplex auto
 speed auto
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface BVI1
 mac-address 0000.0000.0000
 ip address 203.45.146.56 255.255.255.0
!
ip default-gateway 203.45.146.1
ip forward-protocol nd
ip http server
ip http authentication aaa
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1 
!
no cdp run
!
snmp-server view dot11view ieee802dot11 included
snmp-server community public RO
snmp-server location Conference room
snmp-server contact Network Services ext: 4490
snmp-server chassis-id C3700
radius-server attribute 32 include-in-access-req format %h
!
radius server radServer
 address ipv4 203.45.146.57 auth-port 1812 acct-port 1813
 key 0 radiusS3cret
!
access-list 111 permit tcp any any neq telnet
bridge 1 route ip
!
!
!
line con 0
 access-class 111 in
line vty 0 4
 transport input all
!
sntp server pool.ntp.org
sntp broadcast client
end

Network configuration

ip domain name domain.com
ip name-server 9.9.9.9
ip name-server 8.8.8.8
ip name-server 4.4.2.2
!
interface GigabitEthernet0
 no ip address
 duplex auto
 speed auto
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface BVI1
 ! The BVI interface is used for network management
 mac-address 0000.0000.0000
 ip address 203.45.146.56 255.255.255.0
!
ip default-gateway 203.45.146.1
ip forward-protocol nd
! Plain HTTP sends the admin login in the clear; if it has to stay on, restrict who can reach BVI1
ip http server
ip http authentication aaa
! HTTPS doesn't work on modern browsers because this IOS release lacks the TLS cipher suites they require :(
ip http secure-server
!
snmp-server view dot11view ieee802dot11 included
! 'public' is the well-known default community; a read-only community with no ACL lets anyone who can reach BVI1 walk the AP's MIBs
snmp-server community public RO
snmp-server location Conference room
snmp-server contact Network Services ext: 4490
snmp-server chassis-id C3700
!
sntp server pool.ntp.org
sntp broadcast client

AAA

Authentication, authorisation and accounting (AAA): how the AP authenticates its admin users and wireless clients, and where it sends accounting records.

aaa new-model
!
! Authenticate using local credentials by default
aaa authentication login default local
!
! Which defined group to use for eap authentication
aaa authentication login eap_methods group radServer_eap
!
! Authenticate locally for mac authentication
aaa authentication login mac_methods local
!
! Authorise exec shell locally
aaa authorization exec default local
!
! Which defined group to use for accounting
aaa accounting network acct_methods start-stop group radServer_acct
!
! Define local users. 'password' (type 0, or type 7 once service password-encryption rewrites it) is reversibly stored;
! 'username admin privilege 15 secret ...' stores a hash instead
username admin privilege 15 password 0 securep@ssword

SSIDs

dot11 ssid WifiSSID
   ! band-select delays probe responses on 2.4GHz for dual-band clients to steer them onto the 5GHz radio
   band-select
   authentication open 
   authentication key-management wpa version 2
   ! The 0 means the PSK is entered in the clear; 7 means the value that follows is already type-7 encoded
   wpa-psk ascii 0 wifipsk123
!
dot11 ssid GuestSSID
   band-select
   authentication open 
   authentication key-management wpa version 2
   ! guest-mode broadcasts the SSID in beacons; WifiSSID above has no guest-mode, so it is not broadcast
   ! (clients still probe for a hidden SSID by name, so hiding it is not a security control)
   guest-mode
   wpa-psk ascii 7 guestpsk1234
!
! Note: GuestSSID is defined but not bound to either radio interface below, so it is never advertised
dot11 ssid RadiusSSID
   ! eap_methods is the AAA login method list defined above, which sends EAP authentication to the radServer_eap group
   authentication open eap eap_methods 
   authentication key-management wpa version 2
   guest-mode

WiFi

! 0 is the 2.4GHz radio interface
interface Dot11Radio0
 no ip address
 !
 ! The ciphers for encryption. aes-ccm (CCMP) is the cipher WPA2 requires; TKIP is deliberately not listed
 encryption mode ciphers aes-ccm 
 !
 ! Associate SSIDs to the interface
 ssid WifiSSID
 !
 antenna gain 0
 stbc
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
! 1 is the 5GHz radio interface (hence the dfs channel commands below)
interface Dot11Radio1
 no ip address
 !
 encryption mode ciphers aes-ccm 
 !
 ssid WifiSSID
 !
 ssid RadiusSSID
 !
 antenna gain 0
 peakdetect
 no dfs band block
 stbc
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
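The Network configuration, SSIDs and WiFi sections above each carry a setting worth checking before the config goes on a device: the default SNMP community, plain HTTP management, a reversible admin password, telnet on the vty lines, a PSK entered as type 0, and an SSID that is defined but bound to no radio. The script below is an added example, not code from the original post or from Cisco: it parses an autonomous-IOS running-config into top-level blocks and reports those conditions. SAMPLE_CONFIG is a constructed, trimmed copy of the post's config; the finding codes and the parse_blocks/audit helpers are this example's own.

```python
"""Audit an autonomous Aironet running-config for the weak settings discussed above.
Added example, not code from the original post. SAMPLE_CONFIG is a constructed copy."""
from collections import defaultdict

SAMPLE_CONFIG = """\
hostname C3700
username admin privilege 15 password 0 securep@ssword
!
dot11 ssid WifiSSID
   band-select
   authentication open
   authentication key-management wpa version 2
   wpa-psk ascii 0 wifipsk123
!
dot11 ssid GuestSSID
   authentication open
   authentication key-management wpa version 2
   guest-mode
   wpa-psk ascii 7 guestpsk1234
!
dot11 ssid RadiusSSID
   authentication open eap eap_methods
   authentication key-management wpa version 2
   guest-mode
!
interface Dot11Radio0
 encryption mode ciphers aes-ccm
 !
 ssid WifiSSID
 !
 station-role root
!
interface Dot11Radio1
 encryption mode ciphers aes-ccm
 !
 ssid WifiSSID
 !
 ssid RadiusSSID
 !
 station-role root
!
ip http server
ip http secure-server
snmp-server community public RO
line vty 0 4
 transport input all
!
"""


def parse_blocks(config):
    """Split an IOS config into (top-level line, [indented child lines]) pairs.
    A top-level '!' closes the current block; an indented ' !' is cosmetic."""
    blocks, current = [], None
    for raw in config.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("!"):
            if not raw.startswith(" "):
                current = None
            continue
        if raw[0].isspace():
            if current is not None:
                current[1].append(stripped)
        else:
            current = (stripped, [])
            blocks.append(current)
    return blocks


def audit(config):
    """Return (code, scope, message) findings for management-plane and SSID weaknesses."""
    findings = []
    ssids, bound_on, ciphers_of = {}, defaultdict(list), {}
    for head, body in parse_blocks(config):
        words = head.split()
        if head.startswith("dot11 ssid "):
            ssids[words[2]] = body
        elif head.startswith("interface Dot11Radio"):
            radio = words[1]
            for line in body:
                if line.startswith("ssid "):
                    bound_on[line.split()[1]].append(radio)
                elif line.startswith("encryption mode ciphers "):
                    ciphers_of[radio] = set(line.split()[3:])
        elif head.startswith("username ") and " password " in head:
            findings.append(("USER_PASSWORD", words[1],
                             "type 0/7 passwords are reversible; use 'username ... secret'"))
        elif head == "ip http server":
            findings.append(("HTTP_PLAIN", head,
                             "clear-text HTTP management; 'no ip http server', keep secure-server"))
        elif head.startswith("snmp-server community "):
            if words[2] in ("public", "private") or len(words) < 5:
                findings.append(("SNMP_COMMUNITY", words[2],
                                 "default or unrestricted community; change it and add an ACL, or use SNMPv3"))
        elif head.startswith("line vty"):
            if any(l in ("transport input all", "transport input telnet") for l in body):
                findings.append(("VTY_TELNET", head, "telnet accepted; use 'transport input ssh'"))
    for name, body in ssids.items():
        radios = bound_on.get(name, [])
        if not radios:
            findings.append(("SSID_UNBOUND", name, "defined but attached to no radio, so never advertised"))
            continue
        if not any(l.startswith("authentication key-management wpa") for l in body):
            findings.append(("SSID_NO_WPA", name, "no WPA key management; open or WEP SSID"))
        for radio in radios:
            if ciphers_of.get(radio, set()) != {"aes-ccm"}:
                findings.append(("SSID_CIPHERS", f"{name}@{radio}",
                                 f"ciphers {sorted(ciphers_of.get(radio, []))}; expect aes-ccm only"))
        for line in body:
            if line.startswith("wpa-psk ") and line.split()[2] == "0":
                findings.append(("PSK_CLEAR", name, "PSK entered as type 0; 7 marks an already-encoded value"))
        if "guest-mode" not in body:
            findings.append(("SSID_HIDDEN", name, "not broadcast; clients probe for it by name, so hiding is not a control"))
    return findings


if __name__ == "__main__":
    for code, scope, msg in audit(SAMPLE_CONFIG):
        print(f"{code:14} {scope:18} {msg}")
```

Run against the sample it flags the admin password, plain HTTP, the public community, telnet on the vty lines, the clear-text PSK and hidden state of WifiSSID, and the unbound GuestSSID; RadiusSSID, which is bound to the 5GHz radio with aes-ccm, WPA2 key management and EAP, produces nothing. Feed it the output of `show running-config` to check a real device.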

RADIUS

! Create AAA RADIUS groups and assign servers. The empty groups (rad_mac, rad_admin, rad_pmip, dummy) come from the
! AP's default config and are unused here; only radServer_eap and radServer_acct point at a server
aaa group server radius rad_mac
!
aaa group server radius rad_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius radServer_eap
 server name radServer
!
aaa group server radius radServer_acct
 server name radServer
!
! Assign radius groups to AAA mechanisms
aaa authentication login eap_methods group radServer_eap
aaa accounting network acct_methods start-stop group radServer_acct
!
! Define the interface to use for radius communications
ip radius source-interface BVI1 
!
! Include RADIUS attribute 32 (NAS-Identifier) in Access-Request and Accounting-Request packets;
! format %h fills it with the AP hostname (C3700 here), so the server can tell which AP a request came from
radius-server attribute 32 include-in-access-req format %h
!
! Define RADIUS servers and their details. The shared key is the only thing protecting the RADIUS exchange
! (it is entered here as type 0 and stored as reversible type 7), so make it long and random
radius server radServer
 address ipv4 203.45.146.57 auth-port 1812 acct-port 1813
 key 0 radiusS3cret
!
