topic Re: Security on 1130ag in Wireless

Security on 1130ag

Armegeden — Sat, 03 Jul 2021 22:45:35 GMT

I'm new to Cisco AP's. I'm trying to setup security per VLAN on a new 1130ag.

I finally got the Guest VLAN configured for Open Authentication (I'll lock down VLAN access after I get AP setup, it's not live yet). Where is the option to broadcast SSID for this Guest access? I have to manually enter in the network...

But more importantly, I'm trying to setup an INT VLAN on the AP with security enabled. Looking through the SSID Management section, here is what I have:

INT should be the SSID name, and I'm wanting to broadcast this, but like the Guest VLAN, it's not showing up.

VLAN1

radio ag

Open Auth no addition

Key Mngmnt Mandatory

enable WPA WPAv2

WPA pre-shared key: cisco ASCII

These are the options I've enabled in hopes of requiring a client to type "cisco" to connect, and have WPA2 for encryption.

Am I doing something wrong? I manually enter the INT for the wireless network and get "Connection timed out", but am able to connect to the Open 'Guest' network.

And again, I see the "Broadcast SSID" in the Quick Security Setup option, but not in the SSID Management section.

Thanks for reading. And thanks for any advice/tips.

Be well.

Re: Security on 1130ag

andrew.prince — Tue, 22 Apr 2008 09:08:32 GMT

I got this working in a test lab a long time ago with a AP1131AG, below is part of the config, I hope is relevant:-

dot11 ssid <>

vlan 5

mbssid guest-mode

dot11 ssid <>

vlan 10

mbssid guest-mode

interface Dot11Radio0

no ip address

no ip route-cache

ssid <>

mbssid

interface Dot11Radio0.5

encapsulation dot1Q 5 native

no ip route-cache

bridge-group 5

bridge-group 5 subscriber-loop-control

bridge-group 5 block-unknown-source

no bridge-group 5 source-learning

no bridge-group 5 unicast-flooding

bridge-group 5 spanning-disabled

interface Dot11Radio0.10

encapsulation dot1Q 10

no ip route-cache

bridge-group 10

bridge-group 10 subscriber-loop-control

bridge-group 10 block-unknown-source

no bridge-group 10 source-learning

no bridge-group 10 unicast-flooding

bridge-group 10 spanning-disabled

HTH.

Re: Security on 1130ag

Armegeden — Wed, 30 Apr 2008 21:22:41 GMT

Hello and thanks for the reply. I'm doing side-by-side comparison with my config and I'm not seeing much difference.

Here is a clip of mine:

dot11 vlan-name GUEST vlan 3

dot11 vlan-name SCHOOL vlan 2

dot11 ssid GUEST

vlan 3

authentication open

dot11 ssid INT

vlan 1

authentication open

authentication key-management wpa version 2

wpa-psk ascii 7 05giberish123

dot11 ssid SCHOOL

vlan 2

authentication open

authentication key-management wpa version 2

wpa-psk ascii 7 12giberish123

interface Dot11Radio0

no ip address

no ip route-cache

encryption vlan 1 mode ciphers tkip

encryption vlan 2 mode ciphers aes-ccm tkip

ssid GUEST

ssid INT

ssid SCHOOL

station-role root

interface Dot11Radio0.1

encapsulation dot1Q 1 native

no ip route-cache

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

bridge-group 1 spanning-disabled

interface Dot11Radio0.2

encapsulation dot1Q 2

no ip route-cache

bridge-group 2

bridge-group 2 subscriber-loop-control

bridge-group 2 block-unknown-source

no bridge-group 2 source-learning

no bridge-group 2 unicast-flooding

bridge-group 2 spanning-disabled

interface Dot11Radio0.3

encapsulation dot1Q 3

no ip route-cache

bridge-group 3

bridge-group 3 subscriber-loop-control

bridge-group 3 block-unknown-source

no bridge-group 3 source-learning

no bridge-group 3 unicast-flooding

bridge-group 3 spanning-disabled

Pardon if this is too much info, not really sure which is vital.

Does this look correct for setting up WPA2? How about having the SSID's non-hidden?

Re: Security on 1130ag

andrew.prince — Thu, 01 May 2008 06:49:45 GMT

A side-by-side comparison would have shown that you have missed:-

"mbssid guest-mode" in each of the dot11 ssid configurations i.e:-

dot11 ssid GUEST

mbssid guest-mode

"mbssid" is required under the dot11radio0 interface to actually indicate more than one ssid should be sent in the beacon i.e:-

interface Dot11Radio0

mbssid

Add the above and test, let me know of your results.

The WPA2 config looks ok.