Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2642
Views
0
Helpful
20
Replies

Converted AP to autonomous can telnet but no longer login to web page with credentials

Andrew White
Level 2
Level 2

‎10-05-2019 01:10 PM - edited ‎07-05-2021 11:05 AM

Hello,

 

I have converted an AP to autonomous for a small office, it rebooted and I could get onto the webpage fine until I changed the username and password, now it doesn't accept anything.

 

What is strange I can access it via telnet and I've added a priv 15 account and still can't access the web page, it does prompt though.  It seems only http is available and not https.

 

Any ideas?

 

Thanks

Labels:
0 Helpful
20 Replies 20

Rasika Nayanajith
VIP
VIP
In response to Andrew White

‎10-24-2019 03:03 PM - edited ‎10-24-2019 03:04 PM

If that is the case, simple config like below should work. Once configured, you should be able to ping 141.1 IP from your AP IP address.

I expect you connect this AP to a switch port that is configured for vlan 141

conf t
hostname <AP_NAME>
username <ADMIN_USER> privilege 15 secret <ADMIN_PASSWORD>
!
dot11 ssid <SSID_NAME>
authentication open
authentication key-management wpa version 2
guest-mode
wpa-psk ascii <SSID_PASSWORD>
!
interface Dot11Radio1
channel width 40-above
encryption mode ciphers aes-ccm
ssid <SSID_NAME>
no shutdown
!
interface BVI1
ip address 192.168.141.x 255.255.255.0
!
ip default-gateway 192.168.141.1
end
write memory

 

HTH

Rasika

*** Pls rate all useful responses ***

0 Helpful

Andrew White
Level 2
Level 2
In response to Rasika Nayanajith

‎11-10-2019 07:00 AM

Hello,

 

I appear to of confused myself with this and can't figure it out, maybe I've over complicated it.  I have the AP in my switch, the switch port is a trunk port.

 

On the AP I want 3 SSIDs:

 

SSID1 - MyNet-2.4Ghza (VLAN 140) - IP 192.168.140.x/24 gateway 192.168.140.1

SSID2 - MyNet-5Ghza    (VLAN 140) - IP 192.168.140.x/24 GW 192.168.140.1

SSID1 - MyNet-Guest     (VLAN 142) - IP 10.1.1.x/24 gateway 10.1.1.1

 

I've set up the above VLANs (gateways) on my firewall and I can ping them fine.  I'm not sure if I can have the My-Net SSIDs on the same VLAN?  If not I will put one on 140 and the other on 141.

 

This is my config which doesn't work.  If I set the trunk port to just an access port for VLAN 254 I can ping the APs IP of 192.168.254.8, if I set to a trunk I can't:

 

This config doesn't have the guest network I want on 10.1.1.x as I want to get the first 2 working.

 

Are you able to provide a config I can try?  Thanks again!

 

hostname Cisco-AP2
!
dot11 ssid MyNet-2.4Ghza
   vlan 141
   authentication open
   authentication key-management wpa version 2
   guest-mode
   wpa-psk ascii 7 xxxxxxxxxxxxxxxxxxxxx
!
dot11 ssid MyNet-5Ghza
   vlan 140
   authentication open
   authentication key-management wpa version 2
   guest-mode
   wpa-psk ascii 7 xxxxxxxxxxxxxxxxxxxxxx
!
!
dot11 ids mfp detector
!
power inline negotiation prestandard source
no ipv6 cef
!
bridge irb
!!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 141 mode ciphers aes-ccm
 !
 ssid MyNet-2.4Ghza
 !
 antenna gain 0
 stbc
 mbssid
 speed  basic-1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15. m16. m17. m18. m19. m20. m21. m22. m23.
 station-role root
!
interface Dot11Radio0.141
 encapsulation dot1Q 141
 bridge-group 141
 bridge-group 141 subscriber-loop-control
 bridge-group 141 spanning-disabled
 bridge-group 141 block-unknown-source
 no bridge-group 141 source-learning
 no bridge-group 141 unicast-flooding
!
interface Dot11Radio0.254
 encapsulation dot1Q 1 native
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 !
 encryption vlan 141 mode ciphers aes-ccm
 !
 ssid MyNet-5Ghza
 !
 antenna gain 0
 peakdetect
 no dfs band block
 stbc
 mbssid
 channel width 40-below
 channel dfs
 station-role root
!
interface Dot11Radio1.140
 encapsulation dot1Q 140
 bridge-group 140
 bridge-group 140 subscriber-loop-control
 bridge-group 140 spanning-disabled
 bridge-group 140 block-unknown-source
 no bridge-group 140 source-learning
 no bridge-group 140 unicast-flooding
!
interface Dot11Radio1.254
 encapsulation dot1Q 1 native
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
 no ip address
 duplex auto
 speed auto
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface BVI1
 mac-address 80e0.1dc6.508c
 ip address 192.168.254.8 255.255.255.0
 ipv6 address dhcp
 ipv6 address autoconfig
 ipv6 enable
!
ip default-gateway 192.168.254.1
ip forward-protocol nd
ip http server
ip http secure-server
!
access-list 111 permit tcp any any neq telnet
bridge 1 route ip

 

0 Helpful

Scott Fella
Hall of Fame
Hall of Fame
In response to Andrew White

‎11-10-2019 08:35 AM - edited ‎11-10-2019 09:16 AM

Make sure that the vlan for the ap management is configured as the native vlan. The ap doesn’t like tagged vlans for management.

-Scott
*** Please rate helpful posts ***
0 Helpful

Andrew White
Level 2
Level 2
In response to Scott Fella

‎11-10-2019 12:42 PM - edited ‎11-10-2019 02:00 PM

Thanks this, certainly helped, but I can't see the SSIDs broadcasting from any device.

I can log on to the AP via the management IP now (thanks) and I can ping the gateways for these new SSIDs (VLAN 140 and 141 etc).

 

I take it I can't have 2 SSIDs on one VLAN so ssid MyNet-2.4Ghza & ssid MyNet-5Ghza?

 

Latest config

hostname Cisco-AP2
!
!
logging rate-limit console 9
enable secret 5 $1$mJLV$wojoqyj3lxHF23F82UwUD/
!
no aaa new-model
no ip source-route
no ip cef
ip domain name home.andy-white.co.uk
!
!
!
!
dot11 pause-time 100
dot11 syslog
!
dot11 ssid MyNet-2.4Ghza
   vlan 141
   authentication open
   authentication key-management wpa version 2
   guest-mode
   wpa-psk ascii 7 xxx
!
dot11 ssid MyNet-5Ghza
   vlan 140
   authentication open
   authentication key-management wpa version 2
   guest-mode
   wpa-psk ascii 7 xxx
!
!
dot11 ids mfp detector
!
power inline negotiation prestandard source
no ipv6 cef
!
bridge irb
!
!
!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 141 mode ciphers aes-ccm
 !
 ssid MyNet-2.4Ghza
 !
 antenna gain 0
 stbc
 mbssid
 speed  basic-1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15. m16. m17. m18. m19. m20. m21. m22. m23.
 station-role root
!
interface Dot11Radio0.141
 encapsulation dot1Q 141
 bridge-group 141
 bridge-group 141 subscriber-loop-control
 bridge-group 141 spanning-disabled
 bridge-group 141 block-unknown-source
 no bridge-group 141 source-learning
 no bridge-group 141 unicast-flooding
!
interface Dot11Radio0.254
 encapsulation dot1Q 254 native
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 !
 encryption vlan 141 mode ciphers aes-ccm
 !
 ssid MyNet-5Ghza
 !
 antenna gain 0
 peakdetect
 no dfs band block
 stbc
 mbssid
 channel width 40-below
 channel dfs
 station-role root
!
interface Dot11Radio1.140
 encapsulation dot1Q 140
 bridge-group 140
 bridge-group 140 subscriber-loop-control
 bridge-group 140 spanning-disabled
 bridge-group 140 block-unknown-source
 no bridge-group 140 source-learning
 no bridge-group 140 unicast-flooding
!
interface Dot11Radio1.254
 encapsulation dot1Q 254 native
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
 no ip address
 duplex auto
 speed auto
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface BVI1
 mac-address 80e0.1dc6.508c
 ip address 192.168.254.8 255.255.255.0
 ipv6 address dhcp
 ipv6 address autoconfig
 ipv6 enable
!
ip default-gateway 192.168.254.1
ip forward-protocol nd
ip http server
ip http secure-server
!
snmp-server community m0n1t0r RO
access-list 111 permit tcp any any neq telnet
bridge 1 route ip

 

EDIT/UPDATE:  I removed "mbssid" and they now show up, but I don't get a password prompt.

 

Thanks

0 Helpful

Scott Fella
Hall of Fame
Hall of Fame
In response to Andrew White

‎11-10-2019 02:09 PM

That is correct. You should just have the SSID broadcast on both bands. To broadcast the SSID you need to enter guest-mode.

https://www.cisco.com/c/en/us/support/docs/interfaces-modules/security-modules-routers-switches/116586-config-ap-00.html
-Scott
*** Please rate helpful posts ***
0 Helpful

Scott Fella
Hall of Fame
Hall of Fame
In response to Andrew White

‎11-10-2019 03:20 PM

I’m on my mobile and your config doesn’t show up properly. Take a look at this config example:

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/116599-config-wpa-psk-00.html
-Scott
*** Please rate helpful posts ***
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card