Cisco Wireless Access Points: Difference between revisions

From ITCwiki
Jump to navigation Jump to search
No edit summary
 
(No difference)

Latest revision as of 15:47, 5 March 2010

This article was written to set up a Cisco Aironet 1200 or 1242 series access point without connecting it to a wired network. These settings will enable basic wireless services including DHCP for wireless devices. The particular access point that was used to research and produce this article contained Cisco’s IOS operating system so much of the command line configuration is similar to that if Cisco’s switches and routers.

Plug in the access point

Create a physical connection to the access point.

  1. This can be done with a rollover cable and a DB-9 to RJ45 adapter
  2. Connect the DB-9 to RJ45 adapter to the 9-pin DB-9 serial port on the back of the host PC
  3. Connect one end for the rollover cable to the RJ-45 console port located at the rear of the access point between the two antennas
  4. Connect the other end of the rollover cable to the RJ-45 connecter on the DB-9 to RJ45 adapter.

Create an interface connection to the access point via HyperTerminal or other command line terminal

  1. Open HyperTerminal from Start>All Programs>Accessories>Communications
  2. Create a new connection
    1. HyperTerminal should prompt you to create a new connection when it first opens

Cisco recommends the following settings

  1. 9600 baud rate
  2. 8 data bits
  3. no parity
  4. 1 stop bit
  5. no flow control

Log in to the access point command line

Hyperterminal.jpg
  1. Once the HyperTerminal connection is made, press Enter to access the command line interface and User Exec mode command prompt. None of the configuration we are doing will be in user EXEC mode so we will not spend any time on this area.
  2. At the command prompt, issue the command enable and press enter. This is the command to enter the privileged EXEC mode prompt.
  3. At this point, the system will prompt you for a password. The default password for this line of access points is Cisco and is case sensitive. This will also be the default password for the web browser interface in later sections. Type the password at the command prompt and press Enter.
  4. This should result in a command prompt ending with the pound (#) character.

Remove the old configuration file

  1. To remove any old configurations and prevent old settings from interfering, remove the starting configuration file by issuing the command erase startup-config at the command prompt.
  2. At this point, the system will prompt you to confirm your actions. Press Enter to confirm and return to the command prompt.

Reload or restart the access point

  1. At this point, you may either unplug the access point and plug it back in, or issue the command reload at the command prompt. If you choose to issue the reload command, it will prompt you again to confirm your actions. Press Enter to confirm and proceed with restarting the access point.

Perform basic security configuration

  1. Issue the command configure terminal at the command prompt and press Enter. This is known as “Global Configuration Mode”.
  2. If you wish, here you may issue the command hostname <hostname> at the command prompt where hostname will be the name of the access point. For the purpose of this article, we left this as the default value of “ap”.
  3. You may also wish to change the default password with the command enable secret <password>. This will change the default password for the privileged EXEC mode. This will also change the default password to access the web browser interface.

Configure the BVI1 interface with an IP address

  1. At the command prompt, issue the command interface bvi 1 and press Enter to enter the interface configuration mode for the BVI1 interface. For the web browser interface to work, an IP address needs to be assigned to this interface. If you are configuring this on a wired network, this could be the network IP address of the access point. For our purposes, we configured this as a standalone access point and used the private address 192.168.1.1 with the subnet mask 255.255.255.0. Being as this address is in the subnet of the network that will occupy the access point, we then have the option use any device connected to the access point to access the web browser interface.
  2. At the command prompt, issue the command ip address ip address subnet mask, where ip address subnet mask is the combination of IP address and subnet mask that you wish to use.
  3. At this point, you can issue the command no shutdown as you would during most cases of interface configuration, but, like loopback interfaces, the BVI1 interface is a virtual interface and is always up so this step is not necessary.
  4. At the command prompt, issue the command end and press Enter to return to the global configuration command prompt.

Configure the Dynamic Host Configuration Protocol (DHCP)

  1. At this point we will configure the access point to provide DHCP service. To do this, choose a suitable network IP address and subnet mask to serve your purpose.
  2. At the command prompt, issue the command ip dhcp excluded-address <low address> <high address> and press Enter. The purpose of this command is to exclude a contiguous range of addresses used for management purposes such as static addresses for printers and other hardware and peripherals. You may enter a single address or a contiguous range of addresses.
  3. At the command prompt, issue the command ip dhcp pool <name>, where name is a name chosen to represent the IP address pool and press Enter. For our purposes, we used the SSID of the access point. At this point, after pressing Enter, you are placed in DHCP configuration mode.
  4. At the command prompt, issue the command network <ip address> <subnet mask> where ip address> <subnet mask> are the network IP address and subnet mask that you chose in step A. For our purposes, we stuck with the combination of 192.168.1.0 255.255.255.0.
  5. At the command prompt, issue the command lease <days> <hours> <minutes> to set the IP address lease period and press Enter. You may use infinite instead of defining the days, hours and minutes.
  6. At the command prompt issue the command end and press Enter to return to the privileged EXEC mode prompt.
  7. At this point, DHCP has been configured and the web browser interface should be operational and accessible. At the command prompt, issue the command copy running-config startup-config to save the changes.

Configure the host network interface card (NIC) IPv4 settings with an IP address

  1. Configure the IPv4 settings of the PC network interface card so that it has a static IP address that is on the same subnet as the BVI1 interface as well as the same subnet mask. For our purposes, we used 192.168.1.2 255.255.255.0.

Connect an Ethernet patch cable to the access point

  1. Here, we are using a cabled connection because the SSID and wireless interfaces have not yet been configured. Using an Ethernet patch cable, plug one RJ-45 connector in the NIC on the PC and the other RJ-45 connector into the Fast Ethernet interface located at the rear of the access point between the two antennas.

Cisco Aironet 1200

Connect to the web browser interface of the access point

9.jpg
  1. Open a web browser such as Internet Explorer or Firefox.
  2. In the address bar, type http://ip address where ip address is the IP address of the BVI1 interface, and press Enter.
  3. At this point, you will receive a login prompt window. Leaving the username field blank, press the Tab key to move the cursor to the password field. If you set the password in step C of section VII, then the password you chose there is the same password needed here. If you left it as the default, the password should be Cisco. Enter the password and press Enter. This step should end with the web browser interface being displayed on the web browser.

Configure service set identifier (SSID)

  1. When the web browser interface starts, you are placed on the home screen. Here you should see a router configuration summary on the main screen. On the left side of the summary is a navigation panel. For our configuration we are going to navigate directly to the Express Security page. We are doing this for two reasons. We need to configure an SSID for wireless devices to connect to and we need to enable the wireless interfaces which need the SSID to work.\
  2. On the top of the Express Security page, you will see a field for an SSID name and a check box to allow broadcasting of the SSID. Enter a name and check the box to enable SSID broadcast. There are a lot of other options on this page, but for our immediate purpose, these are the only changes we will make here. Once you have set the SSID name and allowed it to broadcast, scroll down to the bottom of the page and click Apply.

Enable the wireless interfaces

14.jpg
  1. Navigate to the Interfaces page in the navigation menu on the left side of the screen. You will notice that the navigation panel expands to show each of the individual interfaces.
  2. Navigate to the Radio0-802.11B interface page. Here you will notice four tabs.
    1. RADIO0-802.11B STATUS - shows a summary interface status
    2. DETAILED STATUS - self explanatory
    3. SETTINGS - the changeable settings page
    4. CARRIER BUSY TEST - self explanatory
    5. Navigate directly to the Settings tab. Here you will notice all the settings available to configure the interface.
    6. For our purpose, click the enable option to enable the interface.
    7. Scroll down to the Data Rates setting and click on the Best Throughput button.
    8. Scroll sown to the bottom of the page and click the Apply button. It will take a few seconds for the interfaces to show enabled. If you still have access to the command line interface session, you will notice some system messages as the interface comes up.
  3. Perform steps B through F for interface Radio0-802.11A.

Configure cipher type

  1. In the navigation menu on the left side of the screen, navigate to the Security page. Again you will notice that the navigation menu expands to show sub sections of the security menu.
  2. Navigate to the Encryption sub section. Here you will notice that there is a page tab for each of the wireless interfaces. In this access point, you can configure different security measures for each interface. You will be setting them both the same.
  3. Click on the Cipher option and then use the scroll menu to the right and select TKIP as the encryption type. We are bypassing WEP on this page as WEP has been found to be broken and insecure and we are choosing to use the more secure WPA option (next section).
  4. You will only be using one security key so choose an appropriate passphrase and type it into the Encryption Key 2 field. You can choose a different key size of you choose to do so, but for our purposes, we left ours at 128 bits.
  5. Scroll down to the bottom of the page. As we are applying these settings to both wireless interfaces, we can click on the Apply-All button. This will save you from having to configure encryption settings for both interfaces.

Configure WPA

  1. Here, we will now configure SSID authentication essentially by using the previously defined encryption key as the pre-shared key (PSK). In the navigation menu on the left side of the screen, navigate to the SSID Manager page.
  2. In the Current SSID List window, click and select the SSID name.
  3. Scroll down to the Authentication Settings section and make sure Open Authentication is selected. For a basic wireless configuration, you can leave the rest of this section configured with the defaults.
  4. Scroll down to the Authenticated Key Management section. Use the dropdown menu for Key Management to select Mandatory and then click and select the WPA option.
  5. Select either ASCII or Hexadecimal style passphrase, then enter an appropriate passphrase into the field for WPA Pre-shared Key.
  6. For the rest of this page, you can leave the rest of the configuration with the default settings. Scroll down to the bottom of the page and click on Apply.

Cisco 1242

The process for setting up a Cisco 1242 series access point and pretty much the same as the 1200. The main difference in the setup procedure is in the online interface. I am starting off right after you have configured the BVI1 interface on your access point.

Open Online Interface

  1. Open a web browser (Internet Explorer, Firefox, Google Chrome, etc).
  2. In the URL bar, type 192.168.1.1
  3. Use admin for the username and Cisco as the password.

Express Security

  1. Click on the "Express Security" tab on the left side of the page.
  2. Type a name for your new wireless network in the SSID field.
  3. If you want client to be able to easily find your network, then make sure to check the "Broadcast SSID in Beacon" box.
  4. If your network is configured to use VLANs, then enter in the VLAN ID into the "Enable VLAN ID" field.
  5. Click Apply at the bottom of the page.

Encryption Manager

  1. Click on the "Security" tab on the left side of the page.
  2. Click on "Encryption Manager" from the list that drops down below the Security tab.
  3. Make sure that "Cipher" is filled in.
  4. Select "AES CCMP + TKIP" from the dropdown menu.
  5. Click Apply-All at the bottom of the page.

SSID Manager

  1. Click on "SSID Manager" right below the "Encryption Manager" tab.
  2. Select your SSID from the list.
  3. Make sure the correct radio interfaces are selected.
  4. Scroll down to "Client Authenticated Key Management"
  5. Under Key Management, select "Mandatory" from the dropdown list.
  6. Check the "Enable WPA" box and select "WPAv2" from the second dropdown menu.
  7. Under WPA pre-shared key, type in a strong password that users will use to connect to your network.

Turn on Radio Interface

  1. Click on the "Network Interfaces" tab.
  2. Click on the "Radio0-802.11G" tab.
  3. Click on the "Settings" tab at the top of the page.
  4. Check the "Enable" circle.
  5. Click Apply at the bottom of the page.

You should now have completed setting up basic wireless service with DHCP enabled to automatically negotiate network addressing. You should be able to connect a wireless device with the NIC to set to obtain an IP address automatically. There are a couple of ways to check who is connected to your network at any given time. In the web browser interface, selecting the Association page from the navigation menu will show you a graphical table with a MAC address and the IP address that is associated with it. You can get this same information using the command line interface by issuing the command show ip dhcp binding in the privileged EXEC mode command prompt.