10-05-2019 01:10 PM - edited 07-05-2021 11:05 AM
Hello,
I have converted an AP to autonomous for a small office, it rebooted and I could get onto the webpage fine until I changed the username and password, now it doesn't accept anything.
What is strange is that I can access it via telnet, and I've added a priv 15 account and still can't access the web page; it does prompt though. It seems only http is available and not https.
Any ideas?
Thanks
10-05-2019 02:35 PM
Did you try with a different browser or clearing the cache?
Yes, you have to use HTTP & . not HTTPS
HTH
Rasika
10-05-2019 03:14 PM - edited 10-05-2019 04:05 PM
I've reset and am just trying to set up 1 SSID on the 5Ghz.
It is just on my home network, which is a flat network with a basic ISP router. I assume it's just VLAN 1. I can see my SSID but it never accepts my password.
What have I done wrong?
Cisco-AP1#sh run
Building configuration...
Current configuration : 2236 bytes
!
! Last configuration change at 03:20:29 UTC Mon Mar 1 1993
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Cisco-AP1
!
!
logging rate-limit console 9
enable secret 5 $1$ixbW$6V0IJ8.n3gJIdf5xir/CI/
!
no aaa new-model
no ip source-route
no ip cef
!
!
!
!
dot11 pause-time 100
dot11 syslog
!
dot11 ssid Area51-5Ghz
vlan 1
authentication open
authentication key-management wpa version 2
guest-mode
mobility network-id 1
wpa-psk ascii 7 122A150200185D547A
!
!
!
no ipv6 cef
!
!
username Cisco password 7 1531021F0725
username ***** privilege 15 secret 5 $1$dMlY$4tZHLRaPyVztaJtXn/.
!
!
bridge irb
!
!
!
interface Dot11Radio0
no ip address
!
encryption mode ciphers aes-ccm
antenna gain 0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
no ip address
!
encryption mode ciphers aes-ccm
!
encryption vlan 1 mode ciphers aes-ccm
!
ssid Area51-5Ghz
!
antenna gain 0
peakdetect
no dfs band block
stbc
channel dfs
station-role root
!
interface Dot11Radio1.11
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1.111
!
interface GigabitEthernet0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface GigabitEthernet0.11
!
interface GigabitEthernet0.111
!
interface BVI1
mac-address 80e0.1dbc.df30
ip address dhcp client-id GigabitEthernet0
ipv6 address dhcp
ipv6 address autoconfig
ipv6 enable
!
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
!
snmp-server community m0n1t0r RO
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
login local
transport input all
!
end
10-05-2019 07:18 PM
Hi Andrew,
I would erase startup config & reload without saving. In that way AP comes with zero config.
Then apply below simple configuration (modify parameters within <> sections) & plug it to your ISP modem. That should work.
To access AP Web GUI, you need to know which IP AP got via your ISP modem and then use http://<ap_ipaddr> with that admin user credentials.
To connect to SSID, you have to use the <SSID_Password> configured.
conf t
hostname Cisco-AP1
username <ADMIN_USER> privilege 15 secret <ADMIN_PASSWORD>
!
dot11 ssid Area51-5Ghz
authentication open
authentication key-management wpa version 2
guest-mode
wpa-psk ascii <SSID_PASSWORD>
!
interface Dot11Radio1
channel width 40-above
encryption mode ciphers aes-ccm
ssid Area51-5Ghz
no shutdown
!
interface BVI1
ip address dhcp
!
end
write memory
!
By the way, what is the AP model? I have set it to 40MHz on the 5GHz radio, assuming it is an 802.11n model. If it is not 11n, that command will be rejected (you can ignore it). If it is 11ac, then you can configure it to use 80MHz if needed.
HTH
Rasika
*** Pls rate all useful responses ***
10-06-2019 02:13 AM
Thanks, this all worked! It's an AC AP so I set the 5Ghz to 80 and my 2.4Ghz on the default of 20.
1.) Now how would I set the 'Area51-5Ghz' SSID to VLAN 140 and the other to 141? My switch port is set to a trunk at the moment and I have DHCP running on both VLANs.
2.) Also I need to turn on SSH and https and turn off telnet and http.
Thanks
10-06-2019 06:26 PM
Hi Andrew,
That's good to hear.
1. For multiple vlans, where do you configure dhcp for those vlans? Typically a service provider modem is not capable of multi-vlan & 802.1Q trunk configuration.
2. You can simply configure SSH like below (you can modify the domain-name as necessary)
AAP1(config)#ip domain-name mrn.local
AAP1(config)#crypto key generate rsa modulus 2048
AAP1(config)#ip ssh version 2
!
AAP1(config)#line vty 0 4
AAP1(config-line)#transport input ssh
!
AAP1#wr mem
You can simply disable http & enable https like below
AAP1(config)#no ip http server
AAP1(config)#ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)
HTH
Rasika
*** Pls rate all useful responses ***
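An added example, not part of the replies above: a short Python check that flags the management-plane settings this thread changes (HTTP server on, HTTPS off, Telnet allowed on the VTY lines) plus two other cleartext-prone items visible in the first posted config. The function name, finding labels and both sample excerpts are constructed for illustration, and the parser assumes the one-space indentation that `show running-config` prints.

```python
import re

# Constructed excerpt in the style of the running-config posted earlier in the
# thread (HTTP on, HTTPS off, Telnet allowed); secrets are placeholders.
BEFORE = """\
username admin password 7 <TYPE7_PLACEHOLDER>
ip http server
no ip http secure-server
snmp-server community <COMMUNITY_PLACEHOLDER> RO
line con 0
line vty 0 4
 login local
 transport input all
"""

# The same excerpt after the SSH and HTTPS steps from the reply above.
AFTER = """\
username admin privilege 15 secret 5 <TYPE5_PLACEHOLDER>
ip ssh version 2
no ip http server
ip http secure-server
line vty 0 4
 login local
 transport input ssh
"""

def audit_mgmt_plane(config):
    """Return findings for cleartext or weakly protected management access."""
    lines = [l.rstrip() for l in config.splitlines()]
    cmds = {l.strip() for l in lines}
    findings = []
    if "ip http server" in cmds:
        findings.append("http-enabled")
    if "ip http secure-server" not in cmds:
        findings.append("https-not-enabled")
    if any(re.match(r"username \S+ (privilege \d+ )?password 7 ", c) for c in cmds):
        findings.append("type7-user-password")      # type 7 is reversible obfuscation
    if any(c.startswith("snmp-server community ") for c in cmds):
        findings.append("snmp-community-string")    # SNMPv1/v2c community sent in clear
    in_vty = False
    for line in lines:
        if line and not line[0].isspace():          # unindented line opens a new block
            in_vty = line.startswith("line vty")
        elif in_vty and (m := re.match(r"transport input (.+)$", line.strip())):
            if {"all", "telnet"} & set(m.group(1).split()):
                findings.append("telnet-on-vty")
    return findings
```
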
10-06-2019 10:41 PM
10-07-2019 01:34 AM
Ok, if that is the case you have to configure the switchport end where you plug in your AP as a trunk port. Your AP management vlan has to be untagged (native vlan) on that trunk.
Here is a sample config with 3 SSIDs. In this config vlan 999 is the native vlan, with 192.168.99.0/24 as the subnet assigned to it. Vlan numbers 1, 2 & 3 are used with the respective SSIDs. Note that bridge-group 1 has to be associated with the native vlan mapped interfaces (x.999 in my case)
hostname AP-01
!
dot11 ssid SSID-1
vlan 1
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii <SSID_1_PASSWORD>
!
dot11 ssid SSID-2
vlan 2
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii <SSID_2_PASSWORD>
!
dot11 ssid SSID-3
vlan 3
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii <SSID_3_PASSWORD>
!
interface Dot11Radio0
encryption vlan 1 mode ciphers aes-ccm
encryption vlan 2 mode ciphers aes-ccm
encryption vlan 3 mode ciphers aes-ccm
mbssid
ssid SSID-1
ssid SSID-2
ssid SSID-3
no shut
!
interface Dot11Radio1
channel width 40-above
encryption vlan 1 mode ciphers aes-ccm
encryption vlan 2 mode ciphers aes-ccm
encryption vlan 3 mode ciphers aes-ccm
mbssid
ssid SSID-1
ssid SSID-2
ssid SSID-3
no shut
!
interface Dot11Radio0.1
encapsulation dot1Q 1
bridge-group 10
!
interface Dot11Radio0.2
encapsulation dot1Q 2
bridge-group 20
!
interface Dot11Radio0.3
encapsulation dot1Q 3
bridge-group 30
!
interface Dot11Radio0.999
encapsulation dot1Q 999 native
bridge-group 1
!
interface Dot11Radio1.1
encapsulation dot1Q 1
bridge-group 10
!
interface Dot11Radio1.2
encapsulation dot1Q 2
bridge-group 20
!
interface Dot11Radio1.3
encapsulation dot1Q 3
bridge-group 30
!
interface Dot11Radio1.999
encapsulation dot1Q 999 native
bridge-group 1
!
interface GigabitEthernet0.1
encapsulation dot1Q 1
bridge-group 10
!
interface GigabitEthernet0.2
encapsulation dot1Q 2
bridge-group 20
!
interface GigabitEthernet0.3
encapsulation dot1Q 3
bridge-group 30
!
interface GigabitEthernet0.999
encapsulation dot1Q 999 native
bridge-group 1
!
interface BVI1
ip address 192.168.99.101 255.255.255.0
ip default-gateway 192.168.99.1
!
end
write memory
HTH
Rasika
*** Pls rate all helpful responses ***
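An added example, not part of the reply above: a Python check for the two rules that sample config relies on, namely that every SSID VLAN has a radio subinterface and a wired subinterface sharing one bridge-group, and that native-VLAN subinterfaces sit in bridge-group 1. The function name, finding labels and the sample (which contains two deliberate mistakes) are constructed, and the parser assumes the one-space indentation that `show running-config` prints.

```python
import re

# Constructed config in the style of the sample above. Deliberate mistakes:
# VLAN 3 has no wired subinterface; the native subinterface is in bridge-group 10.
SAMPLE = """\
dot11 ssid SSID-2
 vlan 2
dot11 ssid SSID-3
 vlan 3
interface Dot11Radio0.2
 encapsulation dot1Q 2
 bridge-group 20
interface Dot11Radio0.3
 encapsulation dot1Q 3
 bridge-group 30
interface GigabitEthernet0.2
 encapsulation dot1Q 2
 bridge-group 20
interface GigabitEthernet0.999
 encapsulation dot1Q 999 native
 bridge-group 10
"""

def check_vlan_bridging(config):
    """Return findings for SSID VLANs not bridged radio-to-wire and misplaced native VLANs."""
    ssids, subifs, cur = {}, [], {}
    for line in map(str.rstrip, config.splitlines()):
        text = line.strip()
        if m := re.match(r"dot11 ssid (\S+)$", line):
            cur = {"ssid": m.group(1)}
        elif m := re.match(r"interface (\S+\.\d+)$", line):
            subifs.append(cur := {"name": m.group(1)})
        elif not line[:1].isspace():
            cur = {}                                 # any other top-level line ends the block
        elif "ssid" in cur and (m := re.match(r"vlan (\d+)$", text)):
            ssids[cur["ssid"]] = int(m.group(1))
        elif "name" in cur and (m := re.match(r"encapsulation dot1Q (\d+)( native)?$", text)):
            cur["vlan"], cur["native"] = int(m.group(1)), bool(m.group(2))
        elif "name" in cur and (m := re.match(r"bridge-group (\d+)$", text)):
            cur["bg"] = int(m.group(1))

    def groups(vlan, prefix):
        # Bridge-groups used by subinterfaces of one port type tagged with this VLAN.
        return {s["bg"] for s in subifs if s.get("vlan") == vlan
                and "bg" in s and s["name"].startswith(prefix)}

    findings = [("not-bridged-to-wire", ssid, vlan) for ssid, vlan in ssids.items()
                if not groups(vlan, "Dot11Radio") & groups(vlan, "GigabitEthernet")]
    findings += [("native-not-in-bridge-group-1", s["name"]) for s in subifs
                 if s.get("native") and s.get("bg") != 1]
    return findings
```
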
10-07-2019 07:29 AM
Wow this is great, I will certainly try this.
Also I've attached this 3702i AP to my PoE Ubiquiti switch and it's powering it fine and we are connecting, but I get a warning it doesn't have enough power. I think it needs 15.4w and uses 802.3af which my switch supports, but the switch shows it's only using 7w. I'm not sure if I can lower the power for the AP or the mimo?
10-07-2019 07:38 AM
10-07-2019 08:50 AM
10-07-2019 11:43 PM
10-23-2019 12:23 PM
Hi Rasika,
Sorry to trouble you. Are you able to help me with a simple config for my Cisco 3702i AP? Your example is great, but I'm not sure how to do the following:
My home LAN is on 192.168.0.x/24 and I have 2 Cisco APs. Only one is in use at the moment in autonomous mode on 192.168.0.x and plugged into my Ubiquiti UniFi switch and has 2 SSIDs, 1 for 2.4Ghz and the other on 5Ghz, and works well.
I now want to get my second AP on its own VLAN. I have a pfSense firewall as a VM in my ESXi host and I've created VLAN 141 (192.168.141.x) and from my PC I can ping the virtual gateway on 192.168.141.1. I now want to configure the new AP with 2 SSIDs for 2.4/5Ghz on VLAN 141. Are you able to provide a config that might help? I'm not sure if the Ubiquiti switch understands native VLANs. Would it look something like this?
hostname AP-01
!
dot11 ssid SSID-1
vlan 141
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii <SSID_1_PASSWORD>
!
dot11 ssid SSID-2
vlan 141
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii <SSID_2_PASSWORD>
!
interface Dot11Radio0
encryption vlan 141 mode ciphers aes-ccm
mbssid
ssid SSID-1
no shut
!
interface Dot11Radio1
channel width 40-above
encryption vlan 141 mode ciphers aes-ccm
mbssid
ssid SSID-2
no shut
!
interface Dot11Radio0.141
encapsulation dot1Q 141
bridge-group 141
!
interface Dot11Radio0.999
encapsulation dot1Q 999 native
bridge-group 1
!
interface Dot11Radio1.141
encapsulation dot1Q 141
bridge-group 141
!
interface Dot11Radio1.999
encapsulation dot1Q 999 native
bridge-group 1
!
interface GigabitEthernet0.141
encapsulation dot1Q 141
bridge-group 141
!
interface GigabitEthernet0.999
encapsulation dot1Q 999 native
bridge-group 1
!
interface BVI1
ip address 192.168.99.101 255.255.255.0
ip default-gateway 192.168.99.1
!
end
write memory
10-23-2019 04:04 PM
To do this you need to plug the AP into a vlan 141 switch port.
How are you extending that vlan 141 out of the firewall/VM? Is it connected to your switch?
For testing I would suggest you wire a PC (configured with a vlan 141 IP) to your switch & see if you can ping your firewall gateway IP from that PC.
If that works, then it is straightforward. First check it and let me know
Regards
Rasika
10-24-2019 05:58 AM
Wow thanks.
My Home Wifi will be on VLAN 141 so will my BVI interface be something like this:
ip address 192.168.141.10 255.255.255.0 (IP for AP management)
ip default-gateway 192.168.141.1 (virtual interface on pfSense. This is setup and pingable)
Plus I would need to enable DHCP on pfSense for VLAN 141.