Introduction
Hello again, welcome to the third and final part of this tutorial. Hopefully you have enjoyed reading Part 1 & Part 2 and have understood it all, so without further adue lets get started.
Configure the Ethernet Interface
interface FastEthernet 0
no ip address
no ip route-cache
duplex auto
speed auto
Set some generic bits for the overall interface.
interface FastEthernet 0.2
encapsulation dot1Q 2 native
no ip unreachables
no ip route-cache
no cdp enable
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabledinterface FastEthernet 0.300
encapsulation dot1Q 300
no ip unreachables
no ip route-cache
no cdp enable
bridge-group 2
no bridge-group 2 source-learning
bridge-group 2 spanning-disabled
exit
encapsulation dot1Q 2 native – tells the router to use vlan 2 as the default vlan for all traffic.
Configure the bridge virtual interface
bridge 1 route ip
interface BVI1
ipaddress 192.168.1.250 255.255.255.0
no ip route-cache
Configure IP
ip default-gateway 192.168.1.254
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip domain name ninet.org
ip radius source-interface BVI1
Configure the access list
access-list 111 permit tcp any any neq telnet
This allows any connection except telnet to the router.
Configure SNMP
snmp-server view dot11view ieee802dot11 included
snmp-server community ninet-ro RO
snmp-server community ninet-rw RW
snmp-server location <Location of router>
snmp-server chassis-id wlan1
Unless you are going to manage the router via snmp leave out the line with RW in it as network monitors should only need read only access.
The chassis-id & location are optional as well, however I find it useful to have them filled it.
Configure SNTP
sntp server 192.168.1.1
sntp broadcast client
Configure the terminals
line con 0
access-class 111 in
transport preferred ssh
transport output all
line vty 0 4
access-class 111 in
transport preferred ssh
transport input all
transport output all
line vty 5 15
access-class 111 in
transport preferred ssh
transport input all
transport output all
Make the changes persistant
exit
write
reload
Now test everything works as expected. If so it’s time to do wlan2 this one is much easier.
log in to wlan 1 and change to the enable prompt and copy the config to the tftp server
copy system:running-config tftp://1922.168.1.2/wlan1.cfg
Log on to the tftp server and edit the config to replace all references of wlan1 to wlan2, change the IP address in interface BVI1 to “192.168.1.251” and change the snmp location. Save the file as “wlan2.cfg”
Log on to wlan2, change to the enable prompt and run the following
copy system:running-config tftp://192.168.1.2/wlan2-orig.cfg
write erase
delete vlan.dat
copy tftp://192.168.1.2/wlan2.cfg startup-config
reload
Congratulations you should now have 2 working routers with separate vlans for internal & external traffic.
Hopefully this has been of use to you. As usual feel free to comment with improvements / corrections.
Links to other parts
Sure, I’ve sent you a direct email.
Yes, i installed IAS in one server, but our AD is another server but it doesn’t matter right?!
I added client and created shared key and configured on the ap, but still some of configurations not so clear, i scan the ssid’s but they are not allowing to connect.
Ryan would u mind to give me your email address to ask more detailed information?!
Yes it is.
Install Internet Authentication Service on a DC.
Configure the Policies
Add a client (the client in this case is the AP that the users will connect to)
You then need to add the shared key to the cisco AP.
NInet-INT is the SSID in my example that talks to a RADIUS server, Part 2: Configure the Router has the RAIDUS config for the router.
Ryan
Hi,
Is that possible to use Active Directory for Radius server purpose? to authenticate domain users allow to login the one ssid?