Introduction
Hello again, and welcome to the third and final part of this tutorial. Hopefully you have enjoyed reading Part 1 and Part 2 and have understood it all, so without further ado let's get started.
Configure the Ethernet Interface
interface FastEthernet 0
 no ip address
 no ip route-cache
 duplex auto
 speed auto

This sets the generic parameters for the physical interface. It carries no IP address of its own; the per-VLAN settings go on the two subinterfaces below.
interface FastEthernet 0.2
 encapsulation dot1Q 2 native
 no ip unreachables
 no ip route-cache
 no cdp enable
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
interface FastEthernet 0.300
 encapsulation dot1Q 300
 no ip unreachables
 no ip route-cache
 no cdp enable
 bridge-group 2
 no bridge-group 2 source-learning
 bridge-group 2 spanning-disabled
exit

encapsulation dot1Q 2 native: marks VLAN 2 as the native VLAN on this trunk, so untagged frames arriving from the switch are placed in VLAN 2 and VLAN 2 traffic is sent untagged. VLAN 300 (the external side) is always tagged. Subinterface 0.2 is bridged into bridge-group 1 (internal) and 0.300 into bridge-group 2 (external), so the two VLANs never share a bridge. no cdp enable stops the router advertising its model, IOS version and addresses to whatever is on the other end of the link.
Configure the bridge virtual interface
bridge 1 route ip
interface BVI1
 ip address 192.168.1.250 255.255.255.0
 no ip route-cache

bridge 1 route ip lets the router route IP for bridge group 1, and BVI1 is its management address on the internal VLAN. Bridge group 2 (the external VLAN) deliberately gets no BVI, so the router has no IP presence on the external side.
Configure IP
ip default-gateway 192.168.1.254
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip domain name ninet.org
ip radius source-interface BVI1

Note that ip http server together with no ip http secure-server runs the web interface over plaintext HTTP, so the AAA credentials used to log in to it cross the LAN in the clear. If you do not need the web interface, turn it off with no ip http server; if you do, and your IOS image is crypto-capable, swap the two lines so that only the secure server is enabled. ip radius source-interface BVI1 makes the RADIUS requests from Part 2 leave from the BVI address, which must match the client entry on the RADIUS server.
Configure the access list
access-list 111 permit tcp any any neq telnet

Applied as an access-class on the terminal lines, this permits any TCP session whose destination port is not 23 (telnet) and, through the implicit deny at the end of every access list, drops everything else. It does not restrict the source address, so SSH is accepted from any host that can reach BVI1; if your management hosts live on a known subnet, put that subnet in place of the first any.
Configure SNMP
snmp-server view dot11view ieee802dot11 included
snmp-server community ninet-ro RO
snmp-server community ninet-rw RW
snmp-server location
snmp-server chassis-id wlan1

Unless you are going to manage the router via SNMP, leave out the line with RW in it: network monitors only need read-only access, and a read-write community is a write path to the whole configuration. Both communities are SNMPv1/v2c strings that travel in the clear, so at minimum bind each one to an access list that only permits the monitoring host (the access-list number goes on the end of the snmp-server community line).

The chassis-id and location are optional as well; however, I find it useful to have them filled in.
Configure SNTP
sntp server 192.168.1.1
sntp broadcast client

Accurate time matters when you correlate the router's logs with the RADIUS server's, so point this at a server that is actually running (S)NTP. sntp broadcast client accepts time from any SNTP broadcast on the LAN; if you only trust the configured server, leave that line out.
Configure the terminals
line con 0
 access-class 111 in
 transport preferred ssh
 transport output all
line vty 0 4
 access-class 111 in
 transport preferred ssh
 transport input all
 transport output all
line vty 5 15
 access-class 111 in
 transport preferred ssh
 transport input all
 transport output all

Note that transport input all still starts the telnet listener on the vty lines; only access-list 111 keeps telnet sessions out. transport input ssh removes the listener altogether and is the safer choice. transport preferred ssh only affects outbound connections you start from the router prompt by typing a hostname; it is not an access control.
Make the changes persistent

exit
write
reload
Now test that everything works as expected. If it does, it's time to do wlan2; this one is much easier.

Log in to wlan1, change to the enable prompt and copy the config to the TFTP server:

copy system:running-config tftp://192.168.1.2/wlan1.cfg
Log on to the TFTP server and edit the config: replace all references to wlan1 with wlan2, change the IP address under interface BVI1 to "192.168.1.251" and change the SNMP location. Save the file as "wlan2.cfg". Bear in mind that this file contains the SNMP community strings and any other secrets in the configuration, and that TFTP has no authentication or encryption, so do the transfer on the internal VLAN only and delete the copies from the server once wlan2 is up.
Log on to wlan2, change to the enable prompt and run the following:

copy system:running-config tftp://192.168.1.2/wlan2-orig.cfg
write erase
delete vlan.dat
copy tftp://192.168.1.2/wlan2.cfg startup-config
reload

The first copy keeps a backup of wlan2's original configuration. write erase and delete vlan.dat wipe the old startup-config and VLAN database so the new config is not merged with leftovers, and the reload boots the router into the startup-config you just copied over.
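The wlan1-to-wlan2 edit above, and the management-plane caveats raised under the access list, SNMP and terminal sections, are easy to get wrong by hand. The following is an added example (my own, not code from the original tutorial): it performs the three edits from the cloning step on a constructed sample of the wlan1 config, audits the result for the weak settings discussed in this part (RW community, communities without an ACL, plaintext HTTP, telnet listener on the vty lines, access-class that does not restrict the source), and emits a hardened version. The sample config, the SNMP location text, the management subnet 192.168.1.0/24, the NMS/TFTP host 192.168.1.2 and the use of access-list 10 are all assumptions; ip http secure-server also assumes a crypto-capable IOS image.

```python
"""Clone wlan1's configuration into wlan2 and audit the management plane.

Added example, not part of the original tutorial.  WLAN1_CONFIG is a
constructed sample assembled from the fragments shown in this part; the
snmp location text, the management subnet and the NMS address are assumed.
"""
import re

WLAN1_CONFIG = """\
hostname wlan1
!
interface BVI1
 ip address 192.168.1.250 255.255.255.0
 no ip route-cache
!
ip http server
ip http authentication aaa
no ip http secure-server
access-list 111 permit tcp any any neq telnet
snmp-server community ninet-ro RO
snmp-server community ninet-rw RW
snmp-server location wlan1 cupboard
snmp-server chassis-id wlan1
line vty 0 4
 access-class 111 in
 transport preferred ssh
 transport input all
 transport output all
"""

MGMT_NET = "192.168.1.0 0.0.0.255"  # assumed management subnet, wildcard form
NMS_HOST = "192.168.1.2"            # assumed monitoring / TFTP host


def clone_config(text, old_name, new_name, new_bvi_ip, new_location):
    """The three edits the tutorial makes by hand to turn wlan1.cfg into wlan2.cfg."""
    out, in_bvi = [], False
    for line in text.splitlines():
        if not line.startswith(" "):
            in_bvi = line.startswith("interface BVI1")
        if in_bvi and line.startswith(" ip address "):
            line = f" ip address {new_bvi_ip} {line.split()[3]}"   # keep the mask
        elif line.startswith("snmp-server location "):
            line = f"snmp-server location {new_location}"
        # every other whole-word reference to the old name (hostname, chassis-id)
        out.append(re.sub(rf"\b{re.escape(old_name)}\b", new_name, line))
    return "\n".join(out) + "\n"


def audit_management_plane(text):
    """Return the management-plane weaknesses a reviewer would flag in this config."""
    findings, acls, in_vty, vty_acl, vty_input = [], {}, False, None, None
    for line in text.splitlines():
        if not line.startswith(" "):
            in_vty = line.startswith("line vty")
        words = line.split()
        if line.startswith("access-list "):
            acls.setdefault(words[1], []).append(line)
        elif line.startswith("snmp-server community "):
            if words[3] == "RW":
                findings.append(f"RW community '{words[2]}': a write path to the whole config")
            if len(words) == 4:  # no trailing access-list number
                findings.append(f"community '{words[2]}' answers any source address (no ACL)")
        elif line == "ip http server":
            findings.append("web management over plaintext HTTP")
        elif in_vty and line.startswith(" access-class "):
            vty_acl = words[1]
        elif in_vty and line.startswith(" transport input "):
            vty_input = words[2]
    if vty_input in ("all", "telnet"):
        findings.append(f"vty transport input {vty_input}: telnet listener is on, only the ACL keeps it out")
    if vty_acl is None:
        findings.append("vty lines have no access-class")
    elif any(" any any " in acl for acl in acls.get(vty_acl, [])):
        findings.append(f"access-class {vty_acl} does not restrict the source address")
    return findings


def harden(text):
    """Rewrite the weak settings: SSH-only vty from the management subnet,
    read-only ACL-bound SNMP, HTTPS instead of HTTP (assumes a crypto image)."""
    out = []
    for line in text.splitlines():
        if line.startswith("snmp-server community ") and line.endswith(" RW"):
            continue                       # drop the read-write community
        if line.startswith("snmp-server community ") and line.endswith(" RO"):
            line += " 10"                  # bind it to access-list 10 (added below)
        elif line == "access-list 111 permit tcp any any neq telnet":
            line = f"access-list 111 permit tcp {MGMT_NET} any eq 22"
        elif line == "ip http server":
            line = "no ip http server"
        elif line == "no ip http secure-server":
            line = "ip http secure-server"
        elif line == " transport input all":
            line = " transport input ssh"
        out.append(line)
    first_acl = next(i for i, l in enumerate(out) if l.startswith("access-list "))
    out.insert(first_acl, f"access-list 10 permit host {NMS_HOST}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    wlan2 = clone_config(WLAN1_CONFIG, "wlan1", "wlan2", "192.168.1.251", "wlan2 cupboard")
    for finding in audit_management_plane(wlan2):
        print("WARN:", finding)
    print(harden(wlan2))
```

Run it as-is to see the six warnings the sample config produces and the hardened text; feed it your own wlan1.cfg (pulled back via the TFTP copy above) by replacing WLAN1_CONFIG with the file contents. The audit is deliberately line-oriented rather than a full IOS parser, so it only understands the constructs this tutorial uses.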
Congratulations, you should now have two working routers with separate VLANs for internal and external traffic.
Hopefully this has been of use to you. As usual, feel free to comment with improvements or corrections.
Links to other parts
Sure, I’ve sent you a direct email.
Yes, I installed IAS on one server, but our AD is on another server; it doesn't matter, right?!
I added a client and created a shared key and configured it on the AP, but still some of the configuration is not so clear. I scan the SSIDs but they are not allowing me to connect.
Ryan, would you mind giving me your email address to ask for more detailed information?!
Yes it is.
Install Internet Authentication Service on a DC.
Configure the Policies
Add a client (the client in this case is the AP that the users will connect to)
You then need to add the shared key to the Cisco AP.
NInet-INT is the SSID in my example that talks to a RADIUS server; Part 2: Configure the Router has the RADIUS config for the router.
Ryan
Hi,
Is it possible to use Active Directory for the RADIUS server, to authenticate domain users and allow them to log in to the one SSID?