01-13-2014 08:38 AM - edited 07-04-2021 11:57 PM
Can you please advise which Cisco solution for WiFi is better for a bigger office?
I am looking to implement it on two floors.
Thanks
Sent from Cisco Technical Support iPhone App
03-03-2014 12:53 PM
You need to bring everything back to the FW and create rules to block guest traffic from the internal network. That is the only good way...
Thanks,
Scott
*****Help out others by using the rating system and marking answered questions as "Answered"*****
03-03-2014 12:57 PM
Do you think the access point can create a guest subnet and forward the requests to the internet, plus create a rule on the ASA to block guest subnet traffic? Are you sure it is feasible?
Sent from Cisco Technical Support iPad App
03-03-2014 01:26 PM
No... The AP is a layer 2 device and does not do routing, nor will it do any NAT. You need to use ACLs or FW rules. The gateway for both networks resides on your FW, correct? So that's where you would define your rules.
Sent from Cisco Technical Support iPhone App
03-03-2014 11:11 PM
Have you got any example, like I enable guest DHCP on the AP and connect it to one of the switches? Or connect it to the ASA?
What would the rule look like? Thanks.
Sent from Cisco Technical Support iPad App
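The rule logic described in the replies above, as an added example that is not part of any post in this thread: a first-match model of the inbound rules on the firewall's guest interface, showing why the deny toward the internal network must sit above the permit to anywhere. The guest subnet, the ACL name `GUEST_IN` and the interface name `guest` are assumptions; 192.168.2.0/24 is the internal network used in the configurations posted later in the thread.

```python
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("192.168.2.0/24")   # internal LAN from the posted configs
GUEST = ip_network("192.168.50.0/24")     # hypothetical guest subnet
ANY = ip_network("0.0.0.0/0")

# Inbound rules on the firewall's guest interface, evaluated top to bottom.
# ASA-style equivalent (names are assumptions):
#   access-list GUEST_IN extended deny ip 192.168.50.0 255.255.255.0 192.168.2.0 255.255.255.0
#   access-list GUEST_IN extended permit ip 192.168.50.0 255.255.255.0 any
#   access-group GUEST_IN in interface guest
GUEST_IN = [
    ("deny", GUEST, INTERNAL),
    ("permit", GUEST, ANY),
]

def evaluate(rules, src, dst):
    """Return the action of the first matching rule; implicit deny at the end."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in src_net and d in dst_net:
            return action
    return "deny"

def isolation_holds(rules):
    """Conservative check: a deny covering all guest->internal traffic must be
    reached before any permit that touches guest->internal traffic."""
    for action, src_net, dst_net in rules:
        covers = GUEST.subnet_of(src_net) and INTERNAL.subnet_of(dst_net)
        touches = GUEST.overlaps(src_net) and INTERNAL.overlaps(dst_net)
        if action == "deny" and covers:
            return True
        if action == "permit" and touches:
            return False
    return True  # nothing matched: the implicit deny applies

if __name__ == "__main__":
    print(evaluate(GUEST_IN, "192.168.50.10", "192.168.2.214"))  # guest -> AP management IP
    print(evaluate(GUEST_IN, "192.168.50.10", "8.8.8.8"))        # guest -> internet
    print(isolation_holds(list(reversed(GUEST_IN))))             # permit placed first
```
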
09-08-2019 07:30 AM
I don't know what you have, but I did build a script for the air 1701, Cisco version 15.3(3)JAB.
With my script you don't need management for WiFi; they will all be managed by 1 WiFi.
Here is my script; let me know if that helps.
I will post the main WiFi script and the backup script for you.
Don't copy and paste; use Notepad to make your changes.
Building configuration...
Current configuration : 4695 bytes
!
! Last configuration change at 12:58:15 UTC Fri Mar 26 1993
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname APmainfloorTV
!
!
logging rate-limit console 100
!
aaa new-model
!
!
aaa group server radius rad_eap
server name Local-Radius
server name WDS-Radius
!
aaa group server radius Infrastructure
server name Local-Radius
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login method_Infrastructure group Infrastructure
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
!
!
!
!
aaa session-id common
no ip source-route
no ip cef
! change to your DNS domain name
ip domain name DomaninNameHere
! change to your DNS server
ip name-server 192.168.2.1
!
!
!
!
dot11 syslog
!
! change SSID
dot11 ssid YourSSid
vlan 1
authentication open
authentication key-management wpa version 2
accounting acct_methods
dot1x eap profile WDS-AP
guest-mode
infrastructure-ssid
mobility network-id 1
! WiFi password (demo) is 27869452
wpa-psk ascii 7 115B4E5D414B5F5956
information-element ssidl wps
!
!
dot11 network-map
!
eap profile WDS-AP
method leap
!
!
!
! the password is Cisco
username CISCO password 7 062506324F41
! password is cisco123
username MY3602 privilege 15 password 7 045802150C2E1D1C5A
! password is cisco123
username MY2602 privilege 15 password 7 110A1016141D5A5E57
!
!
bridge irb
!
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm
!
encryption vlan 1 mode ciphers aes-ccm
!
! change SSID
ssid demo
!
antenna gain 0
traffic-metrics aggregate-report
stbc
speed basic-1.0 basic-2.0 basic-5.5 basic-11.0 basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
station-role root
dot11 dot11r pre-authentication over-ds
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 port-protected
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm
!
encryption vlan 1 mode ciphers aes-ccm
!
! change SSID here
ssid demo
!
antenna gain 0
traffic-metrics aggregate-report
peakdetect
dfs band 3 block
stbc
speed basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15. a1ss7 a2ss7 a3ssnone
channel dfs
station-role root
dot11 dot11r pre-authentication over-ds
!
interface Dot11Radio1.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 port-protected
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
!
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface GigabitEthernet1
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet1.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
! change to your MAC or remove the line
mac-address 0000.0000.0000
! change to your IP settings
ip address 192.168.2.214 255.255.255.0
no ip route-cache
ipv6 address dhcp
ipv6 address autoconfig
ipv6 enable
!
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
!
radius-server local
no authentication eapfast
no authentication mac
! password = cisco123
nas 192.168.2.214 key 7 045802150C2E1D1C5A
! password is maithri1234!
user WDSClient1 nthash 7 15335D2E220C7F7C0A1565743553452224017F7A0A045D203D417B080776777406
!
radius-server attribute 32 include-in-access-req format %h
!
radius server Local-Radius
! change IP
address ipv4 192.168.2.214 auth-port 1812 acct-port 1813
! password cisco123
key 7 110A1016141D5A5E57
!
radius server WDS-Radius
! password = cisco123
key 7 045802150C2E1D1C5A
!
bridge 1 route ip
!
!
! password = cisco123
wlccp ap username WDSClient1 password 7 070C285F4D06485744
! change IP
wlccp ap wds ip address 192.168.2.214
wlccp authentication-server infrastructure method_Infrastructure
wlccp authentication-server client mac mac_methods
! the higher the number, the more this AP becomes the main one
wlccp wds priority 254 interface BVI1
!
line con 0
line vty 0 4
transport input all
!
end
09-08-2019 07:40 AM
The setup I posted is without a WLC. I will post the 2nd script for the next WiFi to connect to the main WiFi.
With my setup you will have to set up every WiFi.
Hope it will help you.
That will give you WiFi with 1 name all over the floor; add more names if you need.
09-08-2019 08:13 AM
Building configuration...
Current configuration : 5386 bytes
!
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
! change the name of the WiFi
hostname hotname
!
!
logging rate-limit console 100
!
aaa new-model
!
!
aaa group server radius rad_eap
server name WDS-Radius
server name Local-Radius
!
aaa group server radius Infrastructure
server name Local-Radius
!
aaa group server radius rad_mac
server name WDS-Radius
server name Local-Radius
!
aaa group server radius rad_acct
server name WDS-Radius
server name Local-Radius
!
aaa group server radius rad_admin
server name WDS-Radius
server name Local-Radius
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login method_Infrastructure group Infrastructure
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
!
!
!
!
aaa session-id common
clock timezone -0700 -7 0
no ip source-route
no ip cef
! change to your DNS domain name
ip domain name DNSname
! change DNS IP
ip name-server 192.168.2.1
!
!
!
!
dot11 syslog
!
! change to the SSID you want
dot11 ssid NAME
vlan 1
authentication open
authentication key-management wpa version 2
accounting acct_methods
dot1x credentials APmainfloorTV
dot1x eap profile WDS-AP
guest-mode
infrastructure-ssid
mobility network-id 1
! WiFi password is 27869452
wpa-psk ascii 7 08731B165F40514240
information-element ssidl wps
!
!
dot11 network-map
dot11 arp-cache optional
!
eap profile WDS-AP
method leap
!
!
!
! APmainfloorTV is the main DNS name for the 1st AP
dot1x credentials APmainfloorTV
username APmainfloorTV
! password cisco123
password 7 045802150C2E1D1C5A
anonymous-id APmainfloorTV
pki-trustpoint APmainfloorTV
!
username CISCO password 7
! password = cisco123
username MY3602 privilege 15 password 7 045802150C2E1D1C5A
! password = cisco123
username MY2602 privilege 15 password 7 045802150C2E1D1C5A
!
!
bridge irb
!
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm
!
encryption vlan 1 mode ciphers aes-ccm
!
! change to your SSID
ssid SSID
!
antenna gain 0
stbc
speed basic-1.0 basic-2.0 basic-5.5 basic-11.0 basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
station-role root
dot11 dot11r pre-authentication over-ds
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 port-protected
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm
!
encryption vlan 1 mode ciphers aes-ccm
!
! change to your SSID
ssid SSID
!
antenna gain 0
traffic-metrics aggregate-report
peakdetect
dfs band 3 block
stbc
speed basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15. a1ss7 a2ss7 a3ssnone
channel dfs
station-role root
dot11 dot11r pre-authentication over-ds
!
interface Dot11Radio1.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 port-protected
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
! change to the main WiFi name
dot1x credentials APmainfloorTV
!
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface GigabitEthernet1
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet1.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
! change to your MAC; if you don't know it, delete the line
mac-address 286f.7f64.be50
! change to the IP you want for that WiFi
ip address 192.168.2.215 255.255.255.0
no ip route-cache
ipv6 address dhcp
ipv6 address autoconfig
ipv6 enable
!
! change to your gateway
ip default-gateway 192.168.2.1
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
!
snmp-server view dot11view ieee802dot11 included
snmp-server community <removed> view dot11view RO
radius-server local
! change IP to the 2nd WiFi; password cisco123
nas 192.168.2.215 key 7 045802150C2E1D1C5A
! change to the main WiFi IP; password cisco123
nas 192.168.2.214 key 7 045802150C2E1D1C5A
group Infrastructure
vlan 1
! change to your SSID
ssid SSID
block count 4294967295 time 1
reauthentication time 4294967295
!
! password = maithri1234!
user WDSClient1 nthash 7 143644292A227E73060E6363044754372656707B0103072D264F34090872767307 group Infrastructure
!
radius-server attribute 32 include-in-access-req format %h
!
radius server WDS-Radius
! change to the main WiFi IP
address ipv4 192.168.2.214 auth-port 1812 acct-port 1813
! password cisco123
key 7 045802150C2E1D1C5A
!
radius server Local-Radius
! change to the 2nd WiFi IP
address ipv4 192.168.2.215 auth-port 1812 acct-port 1813
! password cisco123
key 7 045802150C2E1D1C5A
!
bridge 1 route ip
!
!
! password cisco123
wlccp ap username WDSClient1 password 7 070C285F4D06485744
! change to the main WiFi IP
wlccp ap wds ip address 192.168.2.214
wlccp ap eap profile WDS-AP
wlccp authentication-server infrastructure method_Infrastructure
wlccp authentication-server client mac mac_methods
! the higher the number, the more this AP is the main one
wlccp wds priority 253 interface BVI1
!
line con 0
line vty 0 4
transport input all
!
sntp broadcast client
end
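A way to review configurations like the two posted above before deploying them, as an added example that is not the poster's code: a small audit that flags the management and credential settings a reviewer would question. The sample is a constructed excerpt of lines taken from those configurations, and the check list and wording are assumptions of this example.

```python
import re

# Constructed excerpt: lines copied from the two configurations in this thread.
SAMPLE = """\
username MY3602 privilege 15 password 7 045802150C2E1D1C5A
wpa-psk ascii 7 115B4E5D414B5F5956
method leap
ip http server
no ip http secure-server
radius server WDS-Radius
key 7 045802150C2E1D1C5A
line vty 0 4
transport input all
"""

CHECKS = [
    (r"\b(password|key|ascii|nthash) 7 [0-9A-F]+",
     "type 7 secret: reversible obfuscation, treat the config as holding clear text"),
    (r"^ip http server$", "management web UI served over clear-text HTTP"),
    (r"^no ip http secure-server$", "HTTPS management disabled"),
    (r"^transport input all$", "vty lines accept telnet as well as ssh"),
    (r"^method leap$", "LEAP is exposed to offline dictionary attack"),
]

def audit(config):
    """Return (line number, line, reason) for every line matching a check."""
    findings = []
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        for pattern, why in CHECKS:
            if re.search(pattern, line):
                findings.append((n, line, why))
    return findings

def reused_secrets(config):
    """Map each type 7 string seen more than once to its line numbers.
    Lower bound only: one password can have several type 7 encodings."""
    seen = {}
    for n, raw in enumerate(config.splitlines(), 1):
        m = re.search(r" 7 ([0-9A-F]{4,})\b", raw)
        if m:
            seen.setdefault(m.group(1), []).append(n)
    return {s: lines for s, lines in seen.items() if len(lines) > 1}

if __name__ == "__main__":
    for n, line, why in audit(SAMPLE):
        print(f"line {n}: {why}")
    print(reused_secrets(SAMPLE))
```
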