Need help to setup wireless network on Cisco 1801W

kaya-saman
Level 1

Hi,

I am trying to set up my Cisco 1801W to be able to connect through wireless with it, apart from the fact that whenever I attempt a connection from my notebook I am unable to authenticate or even connect to the unsecured network at all???

My notebook is an HP Compaq 2230s with an 802.11abgn interface, currently running Ubuntu 9.04 Linux as the main OS.

The 802.11 manager sees the WiFi network as either WEP or unsecured when I specifically set it up to use WPA.....

I also attempted to connect to the unsecured network using my personal notebook and work notebook, which runs Windows 7, but no luck at all in establishing a connection.

The version information is as follows:

Cisco IOS Software, C180X Software (C180X-ADVIPSERVICESK9-M), Version 12.4(6)T2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Tue 16-May-06 12:12 by kellythw


ROM: System Bootstrap, Version 12.3(8r)YH6, RELEASE SOFTWARE (fc1)


Cisco1801W uptime is 2 weeks, 9 hours, 10 minutes
System returned to ROM by reload at 02:13:58 EET Sun Oct 31 2010
System restarted at 02:14:41 EET Sun Oct 31 2010
System image file is "flash:c180x-advipservicesk9-mz.124-6.T2.bin"

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 1801W (MPC8500) processor (revision 0x400) with 118784K/12288K bytes of memory.
Processor board ID FCZ1020138P, with hardware revision 0000

9 FastEthernet interfaces
1 ISDN Basic Rate interface
1 ATM interface
2 802.11 Radios
31360K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102

The wireless configuration is as this:

ip dhcp pool dpool30
    import all
    network 172.16.0.64 255.255.255.192
    default-router 172.16.0.65
    dns-server 172.16.0.200
!
ip dhcp pool dpool40
    import all
    network 172.16.0.128 255.255.255.192
    default-router 172.16.0.129
    dns-server 172.16.0.200

bridge irb

interface Dot11Radio0
  no ip address
  no ip route-cache
  !
  encryption vlan 30 mode ciphers tkip
  !
  ssid Cisco
     vlan 30
     authentication open
     authentication key-management wpa
     wpa-psk hex 0 12345.....
  !
  ssid Cisco-GHOST
     vlan 40
     authentication open
  !
  speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
  antenna receive left
  antenna transmit right
  station-role root
  l2-filter bridge-group-acl
!
interface Dot11Radio0.30
  description Radio inter for Vlan 30
  encapsulation dot1Q 30
  no ip route-cache
  no snmp trap link-status
  bridge-group 30
  bridge-group 30 subscriber-loop-control
  bridge-group 30 block-unknown-source
  no bridge-group 30 source-learning
  no bridge-group 30 unicast-flooding
!
interface Dot11Radio0.40
  encapsulation dot1Q 40
  no ip route-cache
  no snmp trap link-status
  bridge-group 40
  bridge-group 40 subscriber-loop-control
  bridge-group 40 block-unknown-source
  no bridge-group 40 source-learning
  no bridge-group 40 unicast-flooding
!
interface Dot11Radio1
  no ip address
  no ip route-cache
  !
  encryption vlan 30 mode ciphers tkip
  !       
  ssid Cisco
     vlan 30
     authentication open
     authentication key-management wpa
     wpa-psk hex 0 12345.....
  !
  ssid Cisco-GHOST
     vlan 40
     authentication open
  !
  speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
  antenna receive left
  antenna transmit right
  station-role root
  l2-filter bridge-group-acl
!
interface Dot11Radio1.30
  description Radio inter for Vlan 30
  encapsulation dot1Q 30
  no ip route-cache
  no snmp trap link-status
  bridge-group 30
  bridge-group 30 subscriber-loop-control
  bridge-group 30 block-unknown-source
  no bridge-group 30 source-learning
  no bridge-group 30 unicast-flooding
!
interface Dot11Radio1.40
  encapsulation dot1Q 40
  no ip route-cache
  no snmp trap link-status
  bridge-group 40
  bridge-group 40 subscriber-loop-control
  bridge-group 40 block-unknown-source
  no bridge-group 40 source-learning
  no bridge-group 40 unicast-flooding

interface Vlan30
  no ip address
  no ip route-cache
  bridge-group 30
!
interface Vlan40
  description OPEN-ACCESS VLAN
  no ip address
  rate-limit input 1000000 1500 2000 conform-action continue exceed-action drop
  no ip route-cache
  bridge-group 40

interface BVI30
  description Birdge between Vlan30 and Dot11Radio0.30 for wireless network
  ip address 172.16.0.65 255.255.255.192
  ip nat inside
  no ip virtual-reassembly
  no ip route-cache
  ip tcp adjust-mss 1460
!
interface BVI40
  ip address 172.16.0.129 255.255.255.192
  ip access-group OPEN-ACCESS in
  ip nat inside
  no ip virtual-reassembly
  no ip route-cache

ip access-list extended OPEN-ACCESS
  permit udp 172.16.0.128 0.0.0.63 host 172.16.0.200 eq domain
  permit tcp 172.16.0.128 0.0.0.63 host 172.16.0.200 eq domain
  permit tcp 172.16.0.128 0.0.0.63 host 172.16.0.200 eq 8000
  permit tcp 172.16.0.128 0.0.0.63 host 172.16.0.200 eq www
  permit tcp 172.16.0.128 0.0.0.63 host 172.16.0.200 eq 123
  deny   ip 172.16.0.128 0.0.0.63 172.16.0.0 0.0.0.127
  deny   ip 172.16.0.128 0.0.0.63 172.16.0.192 0.0.0.63
  deny   ip 172.16.0.128 0.0.0.63 172.16.1.0 0.0.0.63
  permit ip 172.16.0.128 0.0.0.63 any

bridge 30 protocol ieee
bridge 30 route ip
bridge 40 protocol ieee
bridge 40 route ip

Both wireless VLANs are also in the VLAN DB:

  VLAN ISL Id: 30
     Name: VLAN0030
     Media Type: Ethernet
     VLAN 802.10 Id: 100030
     State: Operational
     MTU: 1500

  VLAN ISL Id: 40
     Name: VLAN0040
     Media Type: Ethernet
     VLAN 802.10 Id: 100040
     State: Operational
     MTU: 1500

Can anyone help me sort through this??

I had a similar sort of configuration for the Cisco 877W and 857W which worked pretty well, even though they were using updated IOS images, so I'm not quite sure what's wrong here.

Many thanks and regards,

Kaya

Ok, I figured this one out:

This statement was missing from the radio config of the WPA-encrypted ESSID:

encryption vlan 30 key 1 transmit-key

For my scenario this should be wpa if I recall correctly!! (Config isn't in front of me now and the VPN is down, but using ? will clear things up on a newly configured unit)

In addition to that the reason for the OPEN-ACCESS network not dishing out IP addresses was because there was an error in the ACL!

ip access-list extended OPEN-ACCESS
  permit udp any any host 172.16.0.129 eq bootpc
  permit udp any any host 172.16.0.129 eq bootps
  permit udp 172.16.0.128 0.0.0.63 host 172.16.0.200 eq domain
  permit tcp 172.16.0.128 0.0.0.63 host 172.16.0.200 eq domain
  permit tcp 172.16.0.128 0.0.0.63 host 172.16.0.200 eq 8000
  permit tcp 172.16.0.128 0.0.0.63 host 172.16.0.200 eq www
  permit tcp 172.16.0.128 0.0.0.63 host 172.16.0.200 eq 123
  deny   ip 172.16.0.128 0.0.0.63 172.16.0.0 0.0.0.127
  deny   ip 172.16.0.128 0.0.0.63 172.16.0.192 0.0.0.63
  deny   ip 172.16.0.128 0.0.0.63 172.16.1.0 0.0.0.63
  permit ip 172.16.0.128 0.0.0.63 any

This will enable all broadcast messages coming in from 255.255.255.255, which DHCP uses initially. Also, the protocol (port) needs to be allowed, and since DHCP is based around the now obsolete BOOTP protocol and uses the same port, the bootp client and bootp server ports have also been allowed!!

This has now established a fully functioning wireless network.

I hope this helps someone who may have run into similar problems.

Regards,

Kaya
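The ACL behaviour discussed in this thread can be checked offline with a small first-match evaluator. This is an added example, not part of the original posts: it runs the OPEN-ACCESS list as first posted against two constructed DHCP packets, and the DHCP entry is written as `permit udp any any eq bootps`, which is an assumed form of the entry rather than the poster's exact line.

```python
import ipaddress

PORTS = {"domain": 53, "www": 80, "bootps": 67, "bootpc": 68}
def ip(s): return int(ipaddress.ip_address(s))

# OPEN-ACCESS as first posted in the thread (applied inbound on BVI40).
ORIGINAL = """permit udp 172.16.0.128 0.0.0.63 host 172.16.0.200 eq domain
permit tcp 172.16.0.128 0.0.0.63 host 172.16.0.200 eq domain
permit tcp 172.16.0.128 0.0.0.63 host 172.16.0.200 eq 8000
permit tcp 172.16.0.128 0.0.0.63 host 172.16.0.200 eq www
permit tcp 172.16.0.128 0.0.0.63 host 172.16.0.200 eq 123
deny ip 172.16.0.128 0.0.0.63 172.16.0.0 0.0.0.127
deny ip 172.16.0.128 0.0.0.63 172.16.0.192 0.0.0.63
deny ip 172.16.0.128 0.0.0.63 172.16.1.0 0.0.0.63
permit ip 172.16.0.128 0.0.0.63 any""".splitlines()
# Assumed form of the DHCP entry, not the poster's exact line.
FIXED = ["permit udp any any eq bootps"] + ORIGINAL

def parse_ace(line):
    """Parse the subset of extended-ACL syntax used on this page."""
    tok = line.split()
    action, proto, i, addrs = tok[0], tok[1], 2, []
    for _ in range(2):                      # source, then destination
        if tok[i] == "any":
            addrs.append((0, 0xFFFFFFFF)); i += 1
        elif tok[i] == "host":
            addrs.append((ip(tok[i + 1]), 0)); i += 2
        else:                               # address + wildcard mask
            addrs.append((ip(tok[i]), ip(tok[i + 1]))); i += 2
    port = None
    if i < len(tok) and tok[i] == "eq":
        port = PORTS[tok[i + 1]] if tok[i + 1] in PORTS else int(tok[i + 1])
    return action, proto, addrs[0], addrs[1], port

def hit(addr, spec):
    base, wild = spec                       # wildcard bits set to 1 are ignored
    return ((ip(addr) ^ base) & ~wild & 0xFFFFFFFF) == 0

def evaluate(acl, proto, src, dst, dport):
    """First matching entry wins; no match falls to the implicit deny."""
    for n, line in enumerate(acl, 1):
        action, p, s, d, port = parse_ace(line)
        if p in ("ip", proto) and hit(src, s) and hit(dst, d) and port in (None, dport):
            return action, n
    return "deny", None                     # implicit 'deny ip any any'

# Constructed packets: a DHCPDISCOVER broadcast and a unicast lease renewal.
DISCOVER = ("udp", "0.0.0.0", "255.255.255.255", 67)
RENEW = ("udp", "172.16.0.130", "172.16.0.129", 67)
if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, evaluate(acl, *DISCOVER), evaluate(acl, *RENEW))
```

Every entry in the original list requires a source inside 172.16.0.128/26, so a client that has no address yet (source 0.0.0.0) matches nothing and falls to the implicit deny, while a client that already holds a lease passes on the final `permit ip` entry.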
