http://ciscoconfigs.net/index.php?option=com_content&task=view&id=15&Itemid=26
This configuration snippet shows how to set up an IOS access point supporting multiple vlans,
each with a different authentication method. There are 4 vlans in this configuration.
Vlan 1 is for management use, and therefore the IP address used to manage the AP is configured in
vlan 1. Vlan 10 is used by some scanners that support WPA-PSK. Vlan 20 is
used by employees using WPA Enterprise. Vlan 30 is used as a guest vlan with
no authentication.

# This configuration was taken from a 1231G AP.


version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption

hostname AP

no logging console
enable secret ciscoconfigs

clock timezone EST -5
clock summer-time DST recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
ip subnet-zero


aaa new-model


# Here we define a group called rad_eap that will define our radius server.
# In this case the radius ports being used are 1645 and 1646; in some
# cases you might use 1812 and 1813. It will depend on the radius server
# that is being used.

aaa group server radius rad_eap
server 10.1.1.18 auth-port 1645 acct-port 1646


# By default the AP will create a login authentication method called eap_methods. It also
# defines that this method will use any radius servers listed in the radius server
# group called rad_eap, which was defined above. The next two lines are defaults as
# well. The first defines that authorization for the exec will be controlled by the local database.
# Then we define an accounting method that will use the radius server that
# was defined in the group rad_eap.

aaa authentication login eap_methods group rad_eap
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_eap
aaa session-id common


# In some AP IOS versions you might see the following statements contained under the
# interface Dot11Radio0. Basically these next few statements define the authentication
# methods that will be used for access to each vlan.
#
# A wireless ssid named scanners will be associated with vlan 10. Per the standards there
# is an open authentication and a shared authentication. Shared authentication is
# not used due to security issues with this method. Open authentication is used, which
# allows anyone to authenticate with the AP. Additional steps are necessary based on
# the various security settings before communication will flow. In this case we have
# defined that we will be using WPA and then we assign a pre-shared key. The scanners
# would then have to be configured to use WPA-PSK and have the pre-shared key
# defined. Users that authenticate with this method will be placed in vlan 10.

dot11 ssid scanners
vlan 10
authentication open
authentication key-management wpa
wpa-psk ascii xxxxxxxxxxxx


# We then create another ssid called employees which will be associated to vlan 20.
# This time we again define that we will be using WPA; however, we are not using
# WPA-PSK but rather WPA-Enterprise. The difference is that one uses a pre-shared
# key and the other relies on an 802.1X authentication process. The pre-shared key
# method requires nothing other than the client and the access point, but WPA-Enterprise
# requires a back-end authentication server. That is why we told the AP to use eap_methods
# for open and network-eap authentication. This again refers back to the authentication
# login method defined above, which ultimately defines the radius server in use.


dot11 ssid employees
vlan 20
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa


# Finally we create another ssid called guest which will be associated to vlan 30.
# This time we simply set the authentication to open with no additional security
# statements. The guest-mode command sets this ssid to be broadcast.

dot11 ssid guest
vlan 30
authentication open
guest-mode



# Default dot1x timeout command and then a local username for managing the AP.
# Finally just like bridging in a router, we turn on IRB (Integrated Routing
# and Bridging)

dot1x timeout reauth-period server
username cisco privilege 15 secret cisco

bridge irb



# This AP only has an 802.11g radio in it, on interface Dot11Radio0.
# For the scanners and employees we need to define an encryption method for
# those connections. The dot11 ssid statements above defined the authentication;
# this section defines the encryption. So the two vlans for the scanners and
# employees are using the encryption mode of ciphers tkip. Below that we
# just have a reference to which ssids are under this radio.

interface Dot11Radio0
no ip address
no ip route-cache

encryption vlan 10 mode ciphers tkip

encryption vlan 20 mode ciphers tkip

ssid scanners

ssid employees

ssid guest


# Speed settings for G as well as the channel definition. The channel statement
# sets the frequency of the channel to 2462 MHz, which is channel 11. You can
# actually enter channel 11, but in the running config you will see the matching
# frequency instead of the actual channel. It is important in an 802.11g
# implementation that you only use channels 1, 6, and 11 as these are the only
# non-overlapping channels in the US. It is also a good idea to hard-code
# your channels instead of letting the AP decide. This way you know what it is
# and you can make sure that it is on one of those 3 channels. We then set
# station-role to root to designate it as a root AP able to accept client
# connections.

speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2462
station-role root
no cdp enable


# The following sections define the subinterfaces belonging to Dot11Radio0.
# Since we will be trunking multiple VLANs to the AP, we will use subinterfaces
# to separate out the functions. The number at the end of the interface
# is associated to the number of the vlan that we are referring to. Likewise,
# each subinterface has an encapsulation dot1q statement defining the vlan it
# is associated to.
#
# On interface Dot11Radio0.1 we see that the encapsulation statement also has the
# keyword native on it. This is the native vlan for the trunk. The native
# vlan always uses bridge group 1. The bridge-group statement is what ties
# the radio subinterfaces to the FastEthernet subinterfaces. This is how the AP
# knows how to bridge traffic coming off of the radio to the appropriate vlans.
# The native vlan on the AP is also where the AP will have its management IP
# address. We will see more of this later.
#
# Below the bridge-group 1 command we see several commands which are default
# commands entered once the bridge-group command is set. Briefly, what the
# commands do is as follows:
#
# subscriber-loop-control tries to help with possible loops in a bridge group.
# If you are using spanning tree this must be disabled or STP will not work
# properly.
#
# block-unknown-source will block traffic from unknown MAC addresses. Again,
# this needs to be turned off if using STP.
#
# unicast-flooding is what its name implies. We turn this off.
#
# spanning-disabled basically turns spanning tree off for this interface.



interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled

interface Dot11Radio0.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
bridge-group 10 spanning-disabled

interface Dot11Radio0.20
encapsulation dot1Q 20
no ip route-cache
bridge-group 20
bridge-group 20 subscriber-loop-control
bridge-group 20 block-unknown-source
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding
bridge-group 20 spanning-disabled

interface Dot11Radio0.30
encapsulation dot1Q 30
no ip route-cache
bridge-group 30
bridge-group 30 subscriber-loop-control
bridge-group 30 block-unknown-source
no bridge-group 30 source-learning
no bridge-group 30 unicast-flooding
bridge-group 30 spanning-disabled


# The following sections define the subinterfaces belonging to FastEthernet0.
# Since we will be trunking multiple VLANs to the AP, we will use subinterfaces
# to separate out the functions. The number at the end of the interface
# is associated to the number of the vlan that we are referring to. Likewise,
# each subinterface has an encapsulation dot1q statement defining the vlan it
# is associated to.
#
# On interface FastEthernet0.1 we see that the encapsulation statement also has the
# keyword native on it. This is the native vlan for the trunk. The native
# vlan always uses bridge group 1. The bridge-group statement is what ties
# the radio subinterfaces to the FastEthernet subinterfaces. This is how the AP
# knows how to bridge traffic coming off of the radio to the appropriate vlans.
# The native vlan on the AP is also where the AP will have its management IP
# address. We will see more of this later. Then we just have the physical
# settings on the interface.
#
# Below the bridge-group 1 command we see several commands which are default
# commands entered once the bridge-group command is set. Briefly, what the
# commands do is as follows:
#
# source-learning is turned off.
#
# spanning-disabled basically turns spanning tree off for this interface.

interface FastEthernet0
no ip address
no ip route-cache
speed 100
full-duplex
hold-queue 160 in

interface FastEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled

interface FastEthernet0.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
no bridge-group 10 source-learning
bridge-group 10 spanning-disabled

interface FastEthernet0.20
encapsulation dot1Q 20
no ip route-cache
bridge-group 20
no bridge-group 20 source-learning
bridge-group 20 spanning-disabled

interface FastEthernet0.30
encapsulation dot1Q 30
no ip route-cache
bridge-group 30
no bridge-group 30 source-learning
bridge-group 30 spanning-disabled


# Now we get to the BVI. When doing IRB, interfaces that belong to a bridge
# group become layer 2 interfaces. Therefore they do not get a layer 3
# IP address. The BVI (Bridged Virtual Interface) is the layer 3 interface
# for a particular bridge group. Remember the native vlan for this was
# vlan 1, and vlan 1 had bridge-group 1. Well the 1 in the bridge group
# associates with the 1 in the BVI1 interface. Now remember this, it does
# not tie to the native vlan, it ties to the bridge group number. So we
# could have set the native vlan to 10 and used bridge group 1 on those
# subinterfaces. Then of course we need to define the default gateway for
# the AP.

interface BVI1
ip address 10.1.1.40 255.255.255.0
no ip route-cache

ip default-gateway 10.1.1.1

# Some default statements.

ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779...onfig/help/eag
ip radius source-interface BVI1

logging trap debugging
snmp-server community ciscoconfigs-pub RO
snmp-server enable traps tty


# So this next statement is easily missed. On first glance it appears that we
# already defined the radius server information near the beginning of the
# configuration. The statement below is what defines the shared secret (the key
# or password) that is used between the AP and the radius server.

radius-server host 10.1.1.18 auth-port 1645 acct-port 1646 key ciscoconfigs-key

control-plane


# This statement tells us that we can route IP on this bridge group. That way
# we can process layer 3 packets with the BVI interface.

bridge 1 route ip


line con 0
line vty 5 15

end




Corresponding switch configuration for trunking to the IOS AP

This configuration shows the switchport configuration for the port that is physically connected to the AP's FastEthernet0 interface.

# On this interface we need to turn on trunking using 802.1q. We then define the vlans we need to trunk, in this case 1, 10, 20 and 30.
# The trunk native vlan by default is vlan 1. If the native vlan needed to be something other than 1 we would have needed to add
# the command switchport trunk native vlan #. In this case we are trunking 1, 10, 20 and 30. Note that the native vlan must be
# included in the allowed list; if it is left out, the trunk will not carry the untagged vlan 1 traffic and the AP's management
# address on BVI1 becomes unreachable.
#
# This snippet was taken from a 3750 running 12.2.25 IOS.

interface FastEthernet1/0/1
description Trunked connection to IOS AP
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10,20,30
switchport mode trunk
no ip address
no mdix auto
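As an added consistency check (not code from the original page or from ciscoconfigs.net), the following Python parses constructed excerpts of the AP ssid/encryption section and the switch trunk port above, and flags WPA ssids with no cipher configured for their vlan, ssids left open, and AP vlans (native vlan included) missing from the trunk's allowed list. The switch excerpt deliberately omits vlan 1 so the trunk finding is visible.

```python
import re
# Constructed excerpts (not the page's full text) of the AP and switch
# configurations discussed above; the switch trunk deliberately omits vlan 1.
AP_CFG = """dot11 ssid scanners
 vlan 10
 authentication open
 authentication key-management wpa
dot11 ssid employees
 vlan 20
 authentication open eap eap_methods
 authentication key-management wpa
dot11 ssid guest
 vlan 30
 authentication open
interface Dot11Radio0
 encryption vlan 10 mode ciphers tkip
 encryption vlan 20 mode ciphers tkip
interface Dot11Radio0.1
 encapsulation dot1Q 1 native"""
SWITCH_CFG = """interface FastEthernet1/0/1
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk"""

def parse_ssids(cfg):
    """Map each dot11 ssid block to its vlan and whether WPA key management is set."""
    ssids = {}
    for name, body in re.findall(r"^dot11 ssid (\S+)\n((?: .*\n?)*)", cfg, re.M):
        vlan = re.search(r"^ vlan (\d+)", body, re.M)
        ssids[name] = {"vlan": int(vlan.group(1)) if vlan else None,
                       "wpa": " authentication key-management wpa" in body}
    return ssids

def audit(ap_cfg, switch_cfg):
    """Return findings: WPA ssids with no cipher, open ssids, and AP vlans
    (native included) missing from the switch trunk's allowed-vlan list."""
    findings, ssids = [], parse_ssids(ap_cfg)
    enc = {int(v) for v in re.findall(r"encryption vlan (\d+) mode ciphers", ap_cfg)}
    for name, s in ssids.items():
        if s["wpa"] and s["vlan"] not in enc:
            findings.append(f"ssid {name}: WPA set but no cipher for vlan {s['vlan']}")
        elif not s["wpa"]:
            findings.append(f"ssid {name}: open authentication, no WPA")
    native = re.search(r"encapsulation dot1Q (\d+) native", ap_cfg)
    needed = {s["vlan"] for s in ssids.values()} | ({int(native.group(1))} if native else set())
    allowed = re.search(r"switchport trunk allowed vlan ([\d,]+)", switch_cfg)
    if allowed:  # plain comma lists only; ranges like 10-30 are not expanded
        for v in sorted(needed - {int(x) for x in allowed.group(1).split(",")}):
            findings.append(f"trunk: vlan {v} not in allowed list")
    return findings
```

Running audit(AP_CFG, SWITCH_CFG) reports the open guest ssid and that vlan 1 is missing from the trunk; adding vlan 1 to the allowed list clears the trunk finding.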




