02-14-2006 09:15 AM - edited 07-04-2021 11:38 AM
I have an 871W at a remote site that VPNs into the corporate office via DSL. Trusted wireless clients are configured for WPA-PSK/TKIP; desktops are hard wired. I am trying to configure a guest SSID that has only access to the internet while letting the trusted clients use the tunnel. I've been poking at this for a couple of days and I could really use some help.
I've discovered that removing the default dot0 bridge group and creating a new ssid, dot0.x, int vlanx, int bvix and add bridge x route IP, that I can attach to the new group but then I am unable to attach to the WPA group. It seems that the most recent BVI interface assumes the AP identity.
I know this is very vague and I would be glad to post my config. I am really curious if I am trying something that can't be done on the 871W.
Thanks in advance!!
Greg
02-14-2006 01:34 PM
I have been fighting the same problem for over 6 months with no help from Cisco TAC. No one in their TAC has any clue about this router. I just don't think it works. I was told you can't do 802.1x with a bridge interface, so I'm curious how yours is working. I'll be happy to share my config with you. Please respond or call me 434 951-3265.
02-15-2006 11:47 AM
I think I finally have it figured out.
Create 3 DHCP pools
**********************************************************
ip dhcp excluded-address 192.168.12.1
ip dhcp excluded-address 192.168.36.1 192.168.36.9
ip dhcp excluded-address 192.168.36.25 192.168.36.254
ip dhcp excluded-address 10.10.100.1 10.10.100.9
ip dhcp excluded-address 10.10.100.25 10.10.100.254
!
ip dhcp pool Wired
 import all
 network 192.168.12.0 255.255.255.0
 default-router 192.168.12.1
 lease 0 2
!
ip dhcp pool EmployeeW
 import all
 network 192.168.36.0 255.255.255.0
 default-router 192.168.36.1
 lease 0 2
!
ip dhcp pool guest
 import all
 network 10.10.100.0 255.255.255.0
 default-router 10.10.100.1
 lease 0 2
!
*****************************************************
Create 2 SSIDs and add them to different VLANs (both are open authentication for test)
***********************************************************
bridge irb
!
interface Dot11Radio0
 no ip address
 !
 ssid employee
    vlan 2
    authentication open
 !
 ssid guest
    vlan 100
    authentication open
    guest-mode
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
*****************************************************
Create 2 sub-interfaces, set the encapsulation, and assign them addresses within the DHCP ranges
*****************************************************
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 ip address 192.168.36.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no snmp trap link-status
 no cdp enable
!
interface Dot11Radio0.100
 encapsulation dot1Q 100
 ip address 10.10.100.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no snmp trap link-status
 no cdp enable
!
interface Vlan1
 no ip address
 bridge-group 1
!
interface BVI1
 description Wired LAN
 ip address 192.168.12.1 255.255.255.0
 ip access-group Inside_access_out in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
bridge 1 protocol ieee
bridge 1 route ip
*****************************************************
Then use access lists to control access to and from resources. I have a DSL connected to FA4 and a dialer group that I use to connect to the internet. I have a default route that points to Dialer0 and use an access list to control what traffic gets tunnelled back to the main office. I have had a couple of times where I couldn't ping the internet from the employee SSID, but I think it's an ACL problem. (Or this is just flaky!!)
Give it a try and let me know if it works for you... I'm going to keep on working on it this afternoon to make sure that it's stable.
*****************************************************
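The post above leaves the access lists unspecified. The following is an added example (not from the original poster's config) of the three ACLs that make the guest VLAN internet-only on this layout: one inbound filter on the guest sub-interface, one crypto ACL that selects only wired and employee traffic for the tunnel, and one NAT ACL that translates everything else. The ACL names and the corporate range 10.1.0.0/16 are assumptions; the subnets are the ones from the posted config.

```cisco
! Added example, not part of the original post. Names and 10.1.0.0/16 are assumed.
!
! Inbound filter on the guest sub-interface: guests may use the router for
! DHCP and DNS, are cut off from both local LANs, the corporate site and the
! router itself, and everything else goes out to the internet via NAT.
ip access-list extended GUEST_IN
 remark DHCP (client source is 0.0.0.0 before it has a lease) and DNS to the router
 permit udp any eq bootpc any eq bootps
 permit udp 10.10.100.0 0.0.0.255 host 10.10.100.1 eq domain
 remark no path from guest into the wired LAN, employee WLAN or corporate (assumed range)
 deny   ip 10.10.100.0 0.0.0.255 192.168.12.0 0.0.0.255
 deny   ip 10.10.100.0 0.0.0.255 192.168.36.0 0.0.0.255
 deny   ip 10.10.100.0 0.0.0.255 10.1.0.0 0.0.255.255
 remark no other services on the router (telnet/ssh/http) from guests
 deny   ip 10.10.100.0 0.0.0.255 host 10.10.100.1
 remark everything else from a guest address is internet-bound
 permit ip 10.10.100.0 0.0.0.255 any
 deny   ip any any
!
interface Dot11Radio0.100
 ip access-group GUEST_IN in
!
! Crypto ACL for the site-to-site tunnel: only the wired LAN and the employee
! WLAN are interesting traffic, so the guest subnet can never be encapsulated.
ip access-list extended VPN_TRAFFIC
 permit ip 192.168.12.0 0.0.0.255 10.1.0.0 0.0.255.255
 permit ip 192.168.36.0 0.0.0.255 10.1.0.0 0.0.255.255
!
! NAT ACL: tunnelled traffic is excluded first, then all three subnets are
! translated to the Dialer0 address for the internet.
ip access-list extended NAT_TRAFFIC
 deny   ip 192.168.12.0 0.0.0.255 10.1.0.0 0.0.255.255
 deny   ip 192.168.36.0 0.0.0.255 10.1.0.0 0.0.255.255
 permit ip 192.168.12.0 0.0.0.255 any
 permit ip 192.168.36.0 0.0.0.255 any
 permit ip 10.10.100.0 0.0.0.255 any
!
ip nat inside source list NAT_TRAFFIC interface Dialer0 overload
```

To confirm the isolation, ping 192.168.12.1 and a corporate host from a guest client and watch the deny counters climb in `show ip access-lists GUEST_IN`; if a guest address ever shows up in the tunnel, the crypto ACL is the place to look.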