BR1310 as an Access Point

I've been trying to set up a BR1310 as an Access Point, and have had no luck. All my searches for insight only give info on a bridged configuration, so any help would be appreciated.

My wireless devices do associate to the 1310, however, they never get an address assigned, and the log on the 1310 shows this message:

Mar 14 20:12:44.914: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0023.7657.732c Reason: Sending station has left the BSS

I've seen indications saying the device is out of range, however, I know that's not the reason as I have the wireless device within feet of the 1310's Antenna.

Here's the config as it is now...

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname BR1310
!
logging rate-limit console 9
enable secret 5 XXXXXXXXXXXXXXXX
!
no aaa new-model
clock timezone PST -8
clock summer-time PDT recurring
ip domain name domain.com
ip name-server 192.168.156.86
ip dhcp database nvram:dhcp-leases.txt
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.11.1 192.168.11.100
ip dhcp ping packets 1
!
ip dhcp pool dhcppool
 network 192.168.11.0 255.255.255.0
 subnet prefix-length 24
 domain-name domain.com
 default-router 192.168.11.1
 dns-server 8.8.8.8 192.168.11.1
 lease 0 12
!
!
dot11 syslog
!
dot11 ssid BR1310
 authentication open
 guest-mode
!
bridge irb
!
!
interface Dot11Radio0
 ip address 192.168.11.1 255.255.255.0
 no ip route-cache
 !
 encryption key 1 size 128bit 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXX transmit-key
 encryption mode wep mandatory
 !
 ssid BR1310
 !
 antenna gain 5
 station-role root ap-only
 concatenation
 no dot11 qos mode
 infrastructure-client
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 192.168.155.91 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.155.1
ip http server
ip http secure-server
ip http help-path <URL stripped by the forum>
ip radius source-interface BVI1
bridge 1 route ip
!
!
banner login ^C
Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity, information security personnel may provide the evidence of such monitoring to law enforcement officials.

Inappropriate system use may result in penalties up to and including termination of employment and/or contractual relationships, in addition to other legal remedies.
^C
banner motd ^C
This system is for the use of authorized users only. Individuals using this computer system are subject to having all of their activities on this system monitored and recorded by information security personnel. In the course of monitoring individuals improperly using this system, or in the course of system maintenance, the activities of authorized users may also be monitored.
^C
!
end

Reply to
retlaw

Configuring a BR1310 as an AP is just like any other AP.

Tell me about your 1310. How many antennas does it have? 1? 2? What kind? You don't have the one with the integrated 13dBi antenna, do you?

Hm. It looks like you have your Dot11Radio0 configured with 192.168.11.1, and your DHCP pool is in 192.168.11 /24 also. But your BVI1 is in 192.168.155.91.

So there's two things wrong with this ...

a) an AP can only have one IP address on it, which must be on the BVI1, and which must be bridged to the native VLAN.

b) the DHCP pool must be in the same subnet as the BVI. (Theoretically the AP could be DHCP server for other subnets ... in that case, those subnets would need IP helper configs to send the DHCP broadcasts to the AP's BVI address.)

So take the IP address off the Dot11radio0, and configure a DHCP pool in 192.168.155 /24. Or else give BVI1 an address in 192.168.11. That should probably get DHCP working.

If you suspect an RF problem, then, while a client is associated, get "show dot11 association all" and see if the signal level from the client is what you want, etc.

Cheers,

Aaron

Reply to
Aaron Leonard


OK, well.. this is the first IOS based AP I've done.. so I'm learning.

2 Antenna, external AIR-ANT1728 (5.2dBi)

Hmmm.. I was hoping to have the AP do NAT and have all its wireless clients appear to be in the 192.168.155/24 network, but I'm getting the impression this device won't support that?

I'll try your suggestion regarding using a single network for both the wireless and the wired and putting the DHCP pool into that range.

I've included the output as suggested, the thing is I'm not sure what a good strength is? It came back at -75dBm with me about 100 feet away.

show dot11 association all

Address           : b407.f9a6.3e30      Name             : NONE
IP Address        : 0.0.0.0             Interface        : Dot11Radio 0
Device            : unknown             Software Version : NONE
CCX Version       : NONE                Client MFP       : Off

State             : Assoc               Parent           : self
SSID              : FDSwep01            VLAN             : 0
Hops to Infra     : 1                   Association Id   : 1
Clients Associated: 0                   Repeaters associated: 0
Tunnel Address    : 0.0.0.0
Key Mgmt type     : NONE                Encryption       : WEP
Current Rate      : 54.0                Capability       : ShortHdr ShortSlot
Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
Voice Rates       : disabled            Bandwidth        : 20 MHz
Signal Strength   : -75 dBm             Connected for    : 15 seconds
Signal to Noise   : 23 dB               Activity Timeout : 58 seconds
Power-save        : Off                 Last Activity    : 2 seconds ago
Apsd DE AC(s)     : NONE

Packets Input     : 71                  Packets Output   : 5
Bytes Input       : 4641                Bytes Output     : 378
Duplicates Rcvd   : 1                   Data Retries     : 0
Decrypt Failed    : 0                   RTS Retries      : 0
MIC Failed        : 0                   MIC Missing      : 0
Packets Redirected: 0                   Redirect Filtered: 0

Reply to
retlaw

No, an access point or bridge isn't a router. NAT is typically only done in a router or firewall.

Having the access point not do NAT is a benefit for most enterprise-type networks. Most access-point WiFi devices way back when started out as bridges only, until the home market started wrapping them all up in routers doing NAT.

Although, I've been in some small business offices that have NAT layer after NAT layer after NAT layer. Sometimes 4-5 deep. Very difficult to troubleshoot what is going on then.

Reply to
Doug McIntyre

I'm beginning to see....

OK, so here's the latest config.. I ended up using the web interface rather than command line because I kept getting errors that what I was doing wasn't supported...

The problem is now I can't even associate to the WAP and it doesn't appear in my list of available SSIDs on the wireless device.. I can manually enter the SSID in, and then I get a status on the signal strength, however it's now indicating WEAK or NOT-IN-RANGE even when I'm just feet away from it?? Ideas?

thanks

Using 5037 out of 32768 bytes
!
! Last configuration change at 11:32:08 PDT Thu Mar 17 2011 by root
! NVRAM config last updated at 11:32:08 PDT Thu Mar 17 2011 by root
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname FDSDMZ
!
logging rate-limit console 9
enable secret 5 $1$XJ4/$egyH5hcl2/r88br3ymF4J/
!
no aaa new-model
clock timezone PST -8
clock summer-time PDT recurring
ip domain name fdbs.com
ip name-server 192.168.155.86
ip dhcp database nvram:dhcp-leases.txt
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.155.1 192.168.155.200
ip dhcp ping packets 1
!
ip dhcp pool fdswep
 network 192.168.155.0 255.255.255.0
 subnet prefix-length 24
 domain-name fdbs.com
 default-router 192.168.155.1
 dns-server 8.8.8.8 192.168.155.86
 lease 0 12
!
!
dot11 syslog
dot11 activity-timeout client default 360
dot11 vlan-name FDSwep vlan 155
!
dot11 ssid FDSwep01
 vlan 155
 authentication open
 mobility network-id 155
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 155 key 1 size 128bit 7 048492AE82F31C056E3B510F447B transmit-key
 encryption vlan 155 mode wep mandatory
 !
 ssid FDSwep01
 !
 antenna gain 5
 speed basic-1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root ap-only
 concatenation
 no dot11 qos mode
 infrastructure-client
!
interface Dot11Radio0.155
 encapsulation dot1Q 155 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 port-protected
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
!
interface FastEthernet0.155
 encapsulation dot1Q 155 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 192.168.155.91 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.155.1
ip http server
ip http secure-server
ip http help-path <URL stripped by the forum>
ip radius source-interface BVI1
bridge 1 route ip

Reply to
retlaw

As I, too, am currently studying Aironet wireless (AP1231G-E, also the first IOS AP I have configured), I have looked into your config. I found some mistakes I made, too:

"mobility network-id": I, too, made the mistake of believing this has something to do with my VLANs, which is not true when you only have a single AP. I still have to learn what mGRE tunnels are, but they seem to be used in roaming environments/WDS. Consult e.g. the Cisco Command Lookup Tool for more information on this. I had to remove "mobility network-id" from my SSID configs to make it work.

As you now know, Cisco APs are layer-2 devices and don't do routing, while NAT is a layer-3 feature. But you can use IP ACLs. Layer-3 support is not completely missing :)

I am unsure about your "antenna gain" config. AFAIK this one defines the gain compared to a standard dipole antenna (2.2 dBi), so the value should reflect your dBd gain, in your special case 3 dBd. Someone please correct me if I am wrong! I am still learning!

I also don't know what "concatenation" in your dot11radio config means. But I am sure you don't need it. "infrastructure-client" is not needed when your AP is root-only; this one is for repeater or WGB configs. Remove it from your config.

I, too, still have to find out why IP addresses can be assigned to other interfaces than BVI1. Catalyst switches don't allow this. And I still have to find out why a "shutdown" on FastEthernet0 doesn't take the Ethernet link down. Other Cisco devices work differently here. Maybe there are design flaws left in the wireless IOS ;)

have fun

Thomas Caspari

On 17.03.2011 20:24, retlaw wrote:


Reply to
Thomas Caspari

...one thought that just jumped into my mind: maybe the Ethernet layer stays up because this AP supports being powered via PoE, which _must_ work regardless of shutdown status. But I am not sure... the documentation did not tell me anything about this behaviour...

...but that's not YOUR Problem :) it's MINE.

regards

Thomas Caspari

Reply to
Thomas Caspari

On Mar 18, 10:40 am, Thomas Caspari wrote:

OK, I took your suggestions and it's better....

I now have syslog messages "DHCPD-3-WRITE_ERROR: DHCP could not write bindings to nvram:dhcp-leases.txt."

however, "show ip dhcp database" says

URL       : nvram:dhcp-leases.txt
Read      : Mar 18 2011 12:30 PM
Written   : Mar 18 2011 12:39 PM
Status    : Last write succeeded. Agent information is up-to-date.
Delay     : 300 seconds
Timeout   : 300 seconds
Failures  : 3
Successes : 2

here's the latest config....

Using 4588 out of 32768 bytes
!
! Last configuration change at 12:34:34 PDT Fri Mar 18 2011 by root
! NVRAM config last updated at 12:35:21 PDT Fri Mar 18 2011 by root
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname WAP
!
logging rate-limit console 9
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
clock timezone PST -8
clock summer-time PDT recurring
ip domain name domain.com
ip name-server 192.168.155.86
ip dhcp database nvram:dhcp-leases.txt
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.155.1 192.168.155.200
ip dhcp ping packets 1
!
ip dhcp pool fdswep
 network 192.168.155.0 255.255.255.0
 subnet prefix-length 24
 domain-name fdbs.com
 default-router 192.168.155.1
 dns-server 8.8.8.8 192.168.155.86
 lease 0 12
!
!
dot11 syslog
!
dot11 ssid WAP1310
 authentication open
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption key 1 size 128bit 7 E7D3C409175A6C377B164B721406 transmit-key
 encryption mode wep mandatory
 !
 ssid WAP1310
 !
 antenna gain 3
 station-role root ap-only
 no dot11 qos mode
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 192.168.155.91 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.155.1
ip http server
ip http secure-server
ip http help-path <URL stripped by the forum>
ip radius source-interface BVI1
bridge 1 route ip
!

Reply to
retlaw


Update......

I took the DHCP out of the equation, and setup a separate DHCP server.. still no joy.

Then, I removed WEP encryption from the Dot11Radio.. I now get connected and an address from the new server...

next step, put DHCP back on the AP and see if it works without WEP.

Reply to
retlaw

When configuring a Cisco feature for the very first time, it's generally a good idea to proceed step by step. The same applies to e.g. RADIUS servers (Linux/FreeRADIUS, not running here yet).

With WEP/WPA/WPA2 I can help you out, as I have an experimental _working_ config with 5 SSIDs, 5 VLANs with separate encryption types and keys for each VLAN, an external DHCP server for ALL wireless VLANs (2621 router, 5 pools) and any PSK encryption available. The enterprise functions I am still studying. I have not used the internal DHCP function, as DHCP should also be available for Ethernet connections.

Have you read the manual for your AP? Encryption is not intuitive; you have to know significantly more compared to the installation of cheap SOHO WLAN devices.

I will give you a simplified extract from my config with dummy passwords. No VLAN, one SSID, encryption WPA and/or WPA2. This option is called "migration mode". You can also add WEP (see commented lines in the config example), which I have left out here. Your client should be able to associate using:

WPA-PSK or WPA2-PSK (both working simultaneously on the same SSID)
SSID: "my-experimental-ssid"
password: "my-experimental-password"

---cut---
dot11 ssid my-experimental-ssid
 authentication open
 authentication key-management wpa
 ! to add WEP, replace with:
 ! authentication key-management wpa optional
 !
 ! make SSID "visible":
 guest-mode
 wpa-psk ascii 0 my-experimental-password

interface Dot11Radio0
 no ip address
 no ip route-cache
 ! here you define your encryption modes
 ! "migration mode" if more than one cipher selected
 ! to add WEP, change this to:
 ! "encryption mode ciphers aes-ccm tkip wep128"
 ! or:
 ! "encryption mode ciphers aes-ccm tkip wep40"
 ! then change your SSID-config as remarked under SSID config
 ! and add a WEP-transmit-key, e.g.
 ! encryption key 1 size 128bit 0 12345678901234567890123456
 encryption mode ciphers aes-ccm tkip
 ssid my-experimental-ssid
 !
 speed default
 no power client local
 station-role root access-point
 ! the rest is default:
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled

interface BVI1
 ip address
 no ip route-cache

interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no cdp enable
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
---cut---

I do not post the complete config, as I have the EMEA version; we have different regulations here. I do not use "antenna gain". The manual of my AP1231G says it's only an informational setting for use with WLSE; it doesn't change the AP's behaviour. The manual doesn't explain if this value reflects dBi or dBd. I use "power local" settings which I calculate manually for my antennas.

Now have success and fun ;)

Greets from Germany

Thomas Caspari

On 18.03.2011 23:02, retlaw wrote:

Reply to
Thomas Caspari
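A small check over saved IOS AP config text that flags the three mistakes this thread walks through: Aaron's rule that the AP's single address lives on BVI1 with the DHCP pool in the BVI's subnet, the WEP-only radio encryption that blocked association until it was removed, and the stray "mobility network-id" Thomas found on a single AP. This is an added example, not code from anyone in the thread; the sample config is constructed in the shape of the first config posted above, and the finding texts are assumptions about what a sensible fix looks like.

```python
import ipaddress
# Constructed sample shaped like the first config posted above: an address on the
# radio as well as BVI1, a DHCP pool in the radio's subnet, WEP-only encryption.
SAMPLE = """\
ip dhcp pool dhcppool
 network 192.168.11.0 255.255.255.0
!
dot11 ssid BR1310
 mobility network-id 155
!
interface Dot11Radio0
 ip address 192.168.11.1 255.255.255.0
 encryption mode wep mandatory
!
interface BVI1
 ip address 192.168.155.91 255.255.255.0"""

def parse(config):  # one pass over the config, tracking the stanza we are inside
    ifaces, pools, ssids, ctx = {}, {}, {}, {}
    for raw in config.splitlines():
        w = raw.split()
        if not w or w[0] == "!":
            continue
        if w[0] == "interface":
            ctx = ifaces.setdefault(w[1], {"ip": None, "enc": []})
        elif w[:3] == ["ip", "dhcp", "pool"]:
            ctx = pools.setdefault(w[3], {"net": None})
        elif w[:2] == ["dot11", "ssid"]:
            ctx = ssids.setdefault(w[2], {"mobility": False})
        elif w[:2] == ["ip", "address"] and "ip" in ctx and len(w) == 4:
            ctx["ip"] = ipaddress.ip_interface(f"{w[2]}/{w[3]}")
        elif w[0] == "network" and "net" in ctx and len(w) == 3:
            ctx["net"] = ipaddress.ip_network(f"{w[1]}/{w[2]}")
        elif w[0] == "encryption" and "enc" in ctx:
            ctx["enc"].append(" ".join(w))
        elif w[:2] == ["mobility", "network-id"] and "mobility" in ctx:
            ctx["mobility"] = True
    return ifaces, pools, ssids

def lint(config):  # findings for the mistakes the thread walks through
    out, (ifaces, pools, ssids) = [], parse(config)
    bvi = next((d["ip"] for n, d in ifaces.items() if n.startswith("BVI") and d["ip"]), None)
    for n, d in ifaces.items():
        if d["ip"] and not n.startswith("BVI"):
            out.append(f"{n} has {d['ip']}: remove it, only the BVI carries the AP's address")
        if any("wep" in e for e in d["enc"]) and not any("aes-ccm" in e for e in d["enc"]):
            out.append(f"{n} is WEP-only: use 'encryption mode ciphers aes-ccm tkip' and a WPA-PSK SSID")
    for n, p in pools.items():
        if bvi and p["net"] and bvi.ip not in p["net"]:
            out.append(f"DHCP pool {n} ({p['net']}) is not the BVI subnet ({bvi.network})")
    for n, s in ssids.items():
        if s["mobility"]:
            out.append(f"SSID {n}: 'mobility network-id' is for WDS/roaming, drop it on a single AP")
    return out
```

Running `lint(SAMPLE)` reports all four problems; a config with the radio address removed, the pool moved to 192.168.155.0/24, WPA ciphers and no mobility line comes back clean.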
