topic Re: Wireless 877W in Wireless

Wireless 877W

andrew100 — Sun, 04 Jul 2021 19:48:46 GMT

Hi,

I posted a question a week or so ago about setting up an 877W with wireless and VPN back to headend site. The requirement is for the remote site (5 + users) to VPN to main site but have wireless locally with authentication via PEAP into headend site were ACS into AD is configured. I have installed the Router, but at the minute only with VPN access. I was not able to get the wireless working! I'm having issues with the BVI/Radio/Vlan interfaces. The remote site is to only have one subnet with some wireless and some not. My subnet is 172.16.0.96/28. Do i only need one Ip address on the router, as i can't assign the Vlan and BVI interface in the same subnet? Should my Default Gateway be the BVI Interface? I have also configured WEP 128 (Customer asked for) but Windows displays this an 'Open Network' and only one laptop can see it? And this can't connect. i tried to forget the PEAP and just get wireless working locally for some security but with no luck 😞

I have posted the config, can somebody help me and tell me what i have done wrong?

Any help is appreciated!!

Andy

Re: Wireless 877W

mchin345 — Fri, 11 Aug 2006 13:20:07 GMT

Two subnets one for each interface.If only one laptop can see it,try changing the channel numbers.PEAP is supported only in win Xp.Laptops not running win XP cant connect.

Re: Wireless 877W

pbroa1iss — Fri, 09 Feb 2007 13:43:18 GMT

I'm struggling with excatly the same problem. Got a few access points on our LAN using PEAP fine but can't seem to get it working on a 877w. Can get the VPN connection back to our concentrator working. Has anyone got any ideas.

Thanks,

Phil

Re: Wireless 877W

Benjamin Solero — Sat, 10 Feb 2007 01:57:29 GMT

Hi Andy,

The common configuration for this type of scenario is to bridge the VLAN1 and Dot11radio interfaces together in order to place both wired and wireless clients on the same VLAN/network.

If the customer's requirement is to allow both static WEP128 and PEAP clients to co-exist on a single SSID, then that's not going to work. PEAP uses dynamic encryption keys, so when EAP is configured on the SSID, the encryption keys are dynamic. You'd have to create a separate SSID on a separate VLAN to support static WEP in addition to PEAP on the same router.

Try reconfiguring (based upon your attached configs) as follows to support PEAP on VLAN 1 (use CONSOLE port, not telnet when configuring):

conf t

bridge irb

int do 0

no encryption key 1

no encryption mode wep mandatory

encryption vlan 1 mode wep mandatory

no bridge-group 1

int do 0.1

bridge-group 1

int vlan 1

no ip address

bridge-group 1

int bvi 1

ip address 172.16.0.97 255.255.255.240

ip radius source-interface bvi 1

bridge 1 route ip

bridge 1 protocol ieee

end

*******************

The 'radius source-interface bvi 1' forces the router to use 172.0.16.97 as the source of all RADIUS packets; therefore, you want to make sure the ACS Server has this router configured as an AAA Client with ip address 172.0.16.97.

Try this out, if it works, then do a 'wr mem' on the router to save the config to nvram.

Best Regards,

Ben

Re: Wireless 877W

pbroa1iss — Tue, 13 Feb 2007 11:54:56 GMT

Hi,

That?s a great help, but I'm still having problems getting peap working. I have checked our firewall and the ACS server and am not getting any failed attempts but I am getting failed attempts when I remove the AAA account so I know it's hitting the ACS server. According to the debugging on the router It looks to be a problem with the shared key, but I have checked and doubled checked that. I have attached both the router config and the debugging. Can anyone shed any light? Thanks is advance,

Phil

Re: Wireless 877W

andrew100 — Tue, 13 Feb 2007 12:22:39 GMT

Hi Phil,

Are you using NDG's on your AAA server? Your Pre-shared key is that of the NDG?

Andy

Re: Wireless 877W

pbroa1iss — Tue, 13 Feb 2007 13:09:49 GMT

Yes it sits in the NDG authenticating using RADIUS (cisco aironet)

Thanks,

Phil