Cisco Wireless AP – VLANs and Multiple SSIDs Part 3


Hello again, welcome to the third and final part of this tutorial.  Hopefully you have enjoyed reading Part 1 & Part 2 and have understood it all, so without further adue lets get started.

Configure the Ethernet Interface

interface FastEthernet 0
 no ip address
 no ip route-cache
 duplex auto
 speed auto

Set some generic bits for the overall interface.

interface FastEthernet 0.2
 encapsulation dot1Q 2 native
 no ip unreachables
 no ip route-cache
 no cdp enable
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled

interface FastEthernet 0.300
 encapsulation dot1Q 300
 no ip unreachables
 no ip route-cache
 no cdp enable
 bridge-group 2
 no bridge-group 2 source-learning
 bridge-group 2 spanning-disabled

encapsulation dot1Q 2 native – tells the router to use vlan 2 as the default vlan for all traffic.

Configure the bridge virtual interface

bridge 1 route ip
interface BVI1
 no ip route-cache

Configure IP

ip default-gateway
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path
ip domain name
ip radius source-interface BVI1

Configure the access list

access-list 111 permit tcp any any neq telnet

This allows any connection except telnet to the router.

Configure SNMP

snmp-server view dot11view ieee802dot11 included
snmp-server community ninet-ro RO
snmp-server community ninet-rw RW
snmp-server location 
snmp-server chassis-id wlan1

Unless you are going to manage the router via snmp leave out the line with RW in it as network monitors should only need read only access.
The chassis-id & location are optional as well, however I find it useful to have them filled it.

Configure SNTP

sntp server
sntp broadcast client

Configure the terminals

line con 0
 access-class 111 in
 transport preferred ssh
 transport output all
line vty 0 4
 access-class 111 in
 transport preferred ssh
 transport input all
 transport output all
line vty 5 15
 access-class 111 in
 transport preferred ssh
 transport input all
 transport output all

Make the changes persistant


Now test everything works as expected. If so it’s time to do wlan2 this one is much easier.

log in to wlan 1 and change to the enable prompt and copy the config to the tftp server

copy system:running-config tftp://1922.168.1.2/wlan1.cfg

Log on to the tftp server and edit the config to replace all references of wlan1 to wlan2, change the IP address in interface BVI1 to “” and change the snmp location. Save the file as “wlan2.cfg”

Log on to wlan2, change to the enable prompt and run the following

copy system:running-config tftp://
write erase
delete vlan.dat
copy tftp:// startup-config

Congratulations you should now have 2 working routers with separate vlans for internal & external traffic.

Hopefully this has been of use to you. As usual feel free to comment with improvements / corrections.

Links to other parts

4 thoughts to “Cisco Wireless AP – VLANs and Multiple SSIDs Part 3”

  1. Yes, i installed IAS in one server, but our AD is another server but it doesn’t matter right?!
    I added client and created shared key and configured on the ap, but still some of configurations not so clear, i scan the ssid’s but they are not allowing to connect.

    Ryan would u mind to give me your email address to ask more detailed information?!

  2. Yes it is.

    Install Internet Authentication Service on a DC.
    Configure the Policies
    Add a client (the client in this case is the AP that the users will connect to)

    You then need to add the shared key to the cisco AP.

    NInet-INT is the SSID in my example that talks to a RADIUS server, Part 2: Configure the Router has the RAIDUS config for the router.


  3. Hi,

    Is that possible to use Active Directory for Radius server purpose? to authenticate domain users allow to login the one ssid?

Leave a Reply

Your email address will not be published. Required fields are marked *


This blog is kept spam free by WP-SpamFree.