The purpose of this document is to explain how to setup and Cisco Aironet 1130ag with two SSIDs one for internal users which will authenticate via a radius server and the other for visitors that will use a wpa pass-phrase and will restrict users to Internet access only. This has (hopefully) been written in such a way that even someone with virtually no knowledge of Cisco should be able to read it and deploy a system successfully.
I should add at this point that I am not a Cisco guru in any way shape or form (though I am intending to get a CCNA & CCNP). So (I got my CCNA on the 20th August 2010) If you are and are reading this and happen to notice any bits that could be done better or are just plain wrong please leave a comment.
This is all based on some work that I have done recently, so I’ll give an example infrastructure and match the config to that example.
All commands should be entered in lowercase, User-defined parts excepted.
All code expects you to be in “configure terminal” mode
en – enters enable mode
conf t – enters configure mode
A good indicator of each mode is:
Hostname>en Hostname#conf t Hostname(config)#
One space in indicates that the commands are within the preceding command:
interface fast 0 bridge-group 1
Appears in the terminal as
Hostname(config)#interface fast 0 Hostname(config-if)#bridge-group 1
On the same column
no username Cisco no secret
Hostname(config)#no username Cisco Hostname(config)#no secret
NINet is a small company with less than 100 users and computers. Following is a list of their current relvent infrastructure:
- DC1 – 192.168.1.1 : This is the domain controller it acts as a RADIUS server and an NTP server
- wlan1 – 192.168.1.250 : The first of two wireless routers we will configure with the 12.4 firmware
- wlan2 – 192.168.1.251 : The second of two wireless routers we will configure with the 12.4 firmware
- fw1 – 192.168.1.254 : The firewall and gateway everything connects to
- cs1 : The Cisco switch that handles all of the LAN traffic
- tftp1 – 192.168.1.2 : tftp server used to back up Cisco configs, and transfer IOS images.
Currently the two wireless routers have a single SSID that internal employees can connect to and are authenticated via radius. It has become a requirement that external visitors can connect to the wireless and have only internet access, this can have a simple pass-phrase just to keep most people out. There are two routers in order to provide the best signal strength ideally users should not notice any downtime.
cs1 will handle the VLANs:
- VLAN 1 (native)
- VLAN 2 (network-access)
- VLAN 300 (Internet-only)
Ok with that the stage is set see part two
Links to other parts