How to setup two Cisco Wireless Access Point to be seen as one with automatic balancing in a house ?

Elrick Landon
Level 1

Hi to all,

 

I have two Cisco wireless access points (reference = AIR-CAP3702E-E-K9).

Each wireless access point will be plugged into a PoE Cisco switch (2960-XR).

I would like to use them in my house to have a WiFi network everywhere.

The target is to have the same SSID to avoid switching from one to another, but I think that a device connected to one cannot change to the other even with the same SSID, unless it loses signal completely?

Can someone tell me how to properly configure these wireless access points to be seen as one, with automatic/hidden switching from one to the other when a wireless device is closer?

 

Many thanks for your help in advance.

15 Replies

balaji.bandi
Hall of Fame

The target is to have the same SSID to avoid switching from one to another, but I think that a device connected to one cannot change to the other even with the same SSID, unless it loses signal completely?

Yes, you can achieve this by configuring the APs in autonomous mode with the same SSID.

Roaming from one AP to another depends on how you position the APs in the radius.

It is worth doing a survey using a WiFi client with the AP to see where you are losing the signal, then positioning the other AP to extend the signal.

A sample example can be found here:

 

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/service-set-identifier-ssid/210516-SSIDs-and-VLANs-configuration-on-Autonom.html

 

BB

***** Rate All Helpful Responses *****


Leo Laohoo
Hall of Fame
At the end of the day it is the wireless client that chooses which AP to join. On the wireless client side, make sure the wireless NIC drivers are updated. The older the driver version, the worse the wireless client's "roaming" decisions are going to be.

Hi Elrick,

Can someone tell me how to properly configure these wireless access points to be seen as one, with automatic/hidden switching from one to the other when a wireless device is closer?

First of all, check what sort of image is on those APs (k9w7-autonomous or k9w8-lightweight). If it is lightweight, you require a Wireless LAN Controller (WLC) to manage it. The other option is to convert it to autonomous. To do that you need to have the k9w7 image (it usually requires Cisco SmartNet support to get it). The posts below may help you with the conversion process

https://mrncciew.com/2013/12/13/ap-conversion-using-mode-button/

https://mrncciew.com/2012/10/20/lightweight-to-autonomous-conversion

 

Once you have converted it to autonomous, you can apply a simple configuration like the one below to both of your APs (make sure you configure DHCP on your switch & modify your AP hostname, SSID name & password appropriately)

 

conf t
hostname <AP_HOSTNAME>
!
dot11 ssid <SSID_NAME>
authentication open
authentication key-management wpa version 2
guest-mode
wpa-psk ascii <SSID_PASSWORD>
!
interface Dot11Radio0
encryption mode ciphers aes-ccm
ssid <SSID_NAME>
no shutdown
!
interface Dot11Radio1
channel width 40-above
encryption mode ciphers aes-ccm
ssid <SSID_NAME>
no shutdown
!
interface BVI1
ip address dhcp
!
end
write memory

Clients will be able to roam from one AP to another without any additional configs. As Leo said, the roaming decision is made by the client, so you will see different clients behave differently (i.e. under what conditions each will roam to the next AP).

 

Let us know how it goes.

 

HTH

Rasika

*** Pls rate all useful responses ***

Hi,

 

I switched both access points to AP mode.

I notice that the IP address was provided from the switch, is there a way to allocate IP addresses on a dedicated subnet from the AP directly with a NAT function? It's more secure... how to do that?

About channel width 40-above, do you think that I need to fix a value on both APs to have automatic switching, or will it work fine if they are different on both?

Could you tell me if the web interface of the access point is only available from LAN (not wireless)... if not, is there a way to fix it? How can I do that?

I retrieved this information from another configuration but I don't know if it is useful in my case:

 

Interface Dot11Radio 0.50
Encapsulation dot1Q 50 native
Bridge-group 1
Exit

Interface GigabitEthernet 0
Bridge-group 1

Interface GigabitEthernet 0.50
Encapsulation dot1Q 50 native
Bridge-group 1

Could you give me your advice?

 

Many thanks for your help.

 

For the 40 MHz wide channels, you don't need to do anything other than select the channel width.  The AP can select a primary and secondary (bonded channel) automatically.  You can set them yourself if you want to, but you only set the primary channel.  The AP will select the bonded channel either 1 channel above or one below the primary channel.  If it's on the low end, such as channel 36, it will only bond to 40 as an example.  The APs should never be on the same channel unless you're doing a wireless bridge, which you are not.  The client can roam between the two APs on different channels because it scans the environment looking for other APs using SSID that it's configured with.  Part of that information is which channel to use when switching to another AP.

 

As far as access to the web GUI via wireless, you should be able to access that.  You just have to make sure that whatever network you are on and the BVI1 interface on the AP can be reached.  If you can reach the CLI via SSH you should have no problems reaching the web GUI.

 

From the configuration snippet you posted, that is correct for using MBSSID or multiple SSIDs.  If you only use one SSID on the AP you don't need VLANs or sub interfaces.  Once you have a need for more than one SSID then you MUST use 802.1q tagged VLANs and bridge groups.  You can find examples of full configs online.  You must create sub interfaces on BOTH the radio interface (Dot11Radio0 or Dot11Radio1) and the wired interface (GigabitEthernet0).  You must plug the AP into an 802.1q trunk on the switch side, and the BVI1 interface MUST be on the native VLAN of the trunk.

 

Hope that helps.

Scott

Thanks for your quick reply.

So you suggest to leave channel width 40-above on both instead of channel least-congested?

I notice that the IP address was provided from the switch, is there a way to provide IP address from AP directly with NAT function? It's more secure... if it's possible, how can I do that please?

About AP web interface, it is available from wireless device (WLAN) and LAN, authentication is required but the log/password doesn't work, I have no idea about the reason, I post my conf below ...

If NAT function is possible (or other secure option is possible), I prefer to leave web interface reachable only from LAN IP address, not from WiFi LAN, how to do it?

If not possible, is there a way to disable web interface?

 

Using 1988 out of 32768 bytes
!
! Last configuration change at 19:31:36 UTC Tue Mar 2 1993
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname C3702E-AP-1
!
!
logging rate-limit console 9
!
aaa new-model
!
aaa authorization exec default local
!
aaa session-id common
no ip source-route
no ip cef
ip domain name *********.com
!
!
!
!
dot11 pause-time 100
dot11 syslog
!
dot11 ssid ELR AIR
   authentication open
   authentication key-management wpa version 2
   guest-mode
   wpa-psk ascii 7 06552B2xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx105
!
no ipv6 cef
!
username Exxxxxx5 privilege 15 password 7 035xxxxxxxxxxxxxx50
!
bridge irb
!
interface Dot11Radio0
 no ip address
 !
 encryption mode ciphers aes-ccm
 !
 ssid ELR AIR
 !
 antenna gain 0
 stbc
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 !
 encryption mode ciphers aes-ccm
 !
 ssid ELR AIR
 !
 antenna gain 0
 peakdetect
 no dfs band block
 stbc
 channel width 40-above
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
 no ip address
 duplex auto
 speed auto
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface BVI1
 mac-address 3cxx.f6xx.cfxx
 ip address dhcp
 ipv6 address dhcp
 ipv6 address autoconfig
 ipv6 enable
!
ip forward-protocol nd
no ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
bridge 1 route ip
!
line con 0
line vty 0 4
 transport input ssh
line vty 5 15
 transport input ssh
!
end

  

I notice that the IP address was provided from the switch, is there a way to provide IP address from AP directly with NAT function? It's more secure... if it's possible, how can I do that please?

Not possible, the AP is just a layer 2 device, it cannot perform any L3 functions such as NAT.

About AP web interface, it is available from wireless device (WLAN) and LAN, authentication is required but the log/password doesn't work, I have no idea about the reason, I post my conf below ...

Default username/password is Cisco/Cisco, try that & see. You can configure a new user via the "username xxx password xxx" CLI command & get rid of the default username Cisco.

If you want to disable GUI access, try the command below

no ip http secure-server

 

HTH

Rasika

*** Pls rate all useful responses ***

 

About the GUI access issue, I found why I still had no access: I forgot to add this line to allow HTTP access with local credentials

  

C3702(config)#ip http authentication aaa

  

I think that HTTP access can be a security breach, so I prefer to disable it with these commands:

 

no ip http server
no ip http secure-server

 

I would like to allow on port console access right (no telnet, no ssh), how can i do that ?

 

Many thanks for your help.

 

Best Regards

"I would like to allow on port console access right (no telnet, no ssh), how can i do that ?"

 

You can achieve it using below

AAP1(config)#line vty 0 4
AAP1(config-line)#transport input none
AAP1(config-line)#do wr

 

HTH

Rasika

*** Pls rate all useful responses ***
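
The management-plane steps discussed in this thread (disabling the web GUI, removing the default Cisco user, setting transport input none on the vty lines) can be checked against a saved running-config. The Python below is an added example, not part of any reply in the thread; the sample config is constructed and the username admin1 is hypothetical. It shows a case the config posted earlier would hit: vty 0 4 closed while vty 5 15 still accepts SSH.

```python
import re

# Constructed sample, modelled on the running-config posted in this thread
# after "transport input none" was applied to vty 0 4 only.
# The username admin1 and the <REDACTED> values are placeholders.
SAMPLE_CONFIG = """\
hostname C3702E-AP-1
username Cisco privilege 15 password 7 <REDACTED>
username admin1 privilege 15 password 7 <REDACTED>
no ip http server
ip http secure-server
line con 0
line vty 0 4
 transport input none
line vty 5 15
 transport input ssh
end
"""

def parse_vty_lines(config):
    """Return {(first, last): transport or None} for each 'line vty' block."""
    vty, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"line vty (\d+)(?: (\d+))?\s*$", raw)
        if m:
            current = (int(m.group(1)), int(m.group(2) or m.group(1)))
            vty[current] = None
        elif not raw.startswith(" "):
            current = None  # any other top-level command ends the block
        elif current is not None and raw.strip().startswith("transport input "):
            vty[current] = raw.strip()[len("transport input "):]
    return vty

def audit_management_plane(config):
    """List remote management paths that are still open in the config."""
    findings = []
    lines = [line.strip() for line in config.splitlines()]
    for server in ("ip http server", "ip http secure-server"):
        if server in lines:  # the "no ..." form is a different line
            findings.append(f"web GUI enabled: {server}")
    if any(re.match(r"username Cisco\b", line) for line in lines):
        findings.append("default username Cisco still present")
    for (first, last), transport in sorted(parse_vty_lines(config).items()):
        if transport != "none":
            findings.append(
                f"vty {first}-{last} accepts: {transport or 'platform default'}")
    return findings

if __name__ == "__main__":
    for finding in audit_management_plane(SAMPLE_CONFIG):
        print(finding)
```
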

I notice that my phone (Galaxy S8) is trying to connect on Dot11Radio0 instead of Dot11Radio1.

 

I use band-select but it doesn't fix this issue all the time.

Does it make sense to keep different SSIDs for 2.4GHz and 5GHz wireless networks in this case to avoid this problem?

How can I add a new SSID only for 5GHz?

I would like to have ELR AIR for 2.4GHz and ELR AIR + for 5GHz.

Currently, I have dot11 ssid = ELR AIR and Dot11Radio0 and Dot11Radio1 are equal to ssid ELR AIR

How can I do that?

 

dot11 ssid ELR AIR
   band-select
   authentication open
   authentication key-management wpa version 2
   guest-mode
   wpa-psk ascii 7 06552XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX105
!
interface Dot11Radio0
 no ip address
 !
 encryption mode ciphers aes-ccm
 !
 ssid ELR AIR
 !
 antenna gain 0
 stbc
 channel least-congested 2412 2437 2462
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 !
 encryption mode ciphers aes-ccm
 !
 ssid ELR AIR
 !
 antenna gain 0
 peakdetect
 no dfs band block
 stbc
 channel width 80
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning

 

Best Regards.

If you want to create multiple SSIDs, then you have to create VLANs & sub-interfaces. A sample config is shown below (first take a backup of what you have for roll-back purposes, then erase the AP config & apply the below with the required modifications)

 

hostname AP-01
!
dot11 ssid <SSID1>
vlan 10
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii <SSID1_PASSWORD>
!
dot11 ssid <SSID2>
vlan 20
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii <SSID2_PASSWORD>
!
interface Dot11Radio0
encryption vlan 10 mode ciphers aes-ccm
encryption vlan 20 mode ciphers aes-ccm
mbssid
ssid <SSID1>
no shut
!
interface Dot11Radio1
channel width 40-above
encryption vlan 10 mode ciphers aes-ccm
encryption vlan 20 mode ciphers aes-ccm
mbssid
ssid <SSID2>
no shut
!
interface Dot11Radio0.10
encapsulation dot1Q 10
bridge-group 10
!
interface Dot11Radio0.20
encapsulation dot1Q 20
bridge-group 20
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
bridge-group 1
!
interface Dot11Radio1.10
encapsulation dot1Q 10
bridge-group 10
!
interface Dot11Radio1.20
encapsulation dot1Q 20
bridge-group 20
!
interface Dot11Radio1.1
encapsulation dot1Q 1 native
bridge-group 1
!
interface GigabitEthernet0.10
encapsulation dot1Q 10
bridge-group 10
!
interface GigabitEthernet0.20
encapsulation dot1Q 20
bridge-group 20
!
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
bridge-group 1
!
interface BVI1
ip address <AP_MGT_IP_ADDR> <SUBNET_MASK>
ip default-gateway <DEFAULT_GATEWAY_IP>
!

write memory

 

Switch port connecting this AP should be configured like below (as long as you use vlan 1 as native vlan).


interface GigabitEthernet x/x
Description AP-01
switchport trunk allowed vlan 1,10,20
switchport mode trunk
spanning-tree portfast trunk

 

HTH

Rasika

*** Pls rate all useful responses ***

Hello,

 

I read that here > 2-ssid-on-same-vlan-for-autonomous-aps 

the access point allows you to configure several SSIDs without
using VLANs but you will need to use the same security method on
both, and this could be configured via the CLI but not the GUI since
the GUI will give you an error saying that you need to work with
VLANs and link each SSID to a specific VLAN.

Is it possible to avoid creating VLANs & sub-interfaces to simplify the configuration?

If it is not possible, would it be possible to disable the 2,4Ghz radio?

All my devices are new, so 2,4Ghz is of no interest to me, sincerely.

 

Best Regards.

Hi Elrick,

 

You are right, it can be done without vlans/sub-interfaces.

Pls do following configs & you should be good with that

 

dot11 ssid ELR AIR
authentication open
authentication key-management wpa version 2
guest-mode
wpa-psk ascii <password>
!
dot11 ssid ELR AIR+
authentication open
authentication key-management wpa version 2
guest-mode
wpa-psk ascii <password>
!
interface Dot11Radio0
encryption mode ciphers aes-ccm
ssid ELR AIR
no shutdown
!
interface Dot11Radio1
encryption mode ciphers aes-ccm
ssid ELR AIR+
channel width 40-above
!
interface BVI1
ip address dhcp

Many thanks, it works like a charm  ;)

Could you explain to me why this command is present? What does it do?

 

ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag

 

Best Regards.
