AP1100


Cisco AP1100

Most likely everything written here will also work with other access points.

I have several "home" access points and am setting up roaming within the apartment/stairwell.

  • Multiple SSIDs for guests / own devices / outsiders, etc.
  • Different authentication methods
  • Miscellaneous

Authentication

The authentication method is defined per SSID.

No authentication (open)

dot11 ssid sirmax
   vlan 195
   authentication open 
   mbssid guest-mode

Authentication by client MAC address

aaa new-model
!
!
aaa group server radius RADIUS-SIRMAX
 server 192.168.15.198 auth-port 1812 acct-port 1813
 ip radius source-interface BVI1
!
aaa authentication login MAC-LOCAL local
aaa accounting update periodic 1
aaa accounting network RADIUS-ACCT start-stop group RADIUS-SIRMAX
aaa session-id common
!
dot11 ssid sirmax-1
   vlan 194
   authentication open mac-address MAC-LOCAL
   accounting RADIUS-ACCT
   mbssid guest-mode
!
!
radius-server attribute 188 format non-standard
radius-server attribute 32 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server host 192.168.15.198 auth-port 1812 acct-port 1813 non-standard key 7 02250D480809
radius-server vsa send accounting
radius-server vsa send authentication

EAP/802.1x

Full config

Current configuration : 9139 bytes

version 12.3
no service pad
service timestamps debug uptime
service timestamps log datetime localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname ap-sirmax-2
!
no logging console
enable secret 5 XXX
!
username sirmax privilege 15 password 7 XXX
username 74f06d72c7a5 password 7 03530F0D5659251B1C0A4E0442
username 74f06d72c7a5 autocommand exit

clock timezone Kharkov 2
clock summer-time Kharkov recurring
ip subnet-zero
ip icmp rate-limit unreachable 1000
ip domain lookup source-interface BVI1
ip domain name noname.com.ua

ip name-server 193.33.48.33
ip name-server 193.33.49.160
!
!
aaa new-model
!
!
aaa group server radius RADIUS-SIRMAX
 server 192.168.15.198 auth-port 1812 acct-port 1813
 ip radius source-interface BVI1
!
aaa authentication login default local
aaa authentication login MAC-LOCAL local
aaa authentication login RADIUS group RADIUS-SIRMAX
aaa authentication login EAP group RADIUS-SIRMAX
aaa authentication dot1x RADIUS-DOT1X group RADIUS-SIRMAX
aaa accounting update periodic 1
aaa accounting network RADIUS-ACCT start-stop group RADIUS-SIRMAX
aaa session-id common
!
dot11 ssid sirmaax-5
   authentication open eap RADIUS
   authentication key-management wpa
!
dot11 ssid sirmax
   vlan 195
   authentication open
   accounting RADIUS-ACCT
   mbssid guest-mode
   wpa-psk ascii 7 09584B1A0D1112011F
   ip redirection host 192.168.131.1
!
dot11 ssid sirmax-1
   vlan 194
   authentication open mac-address MAC-LOCAL
   accounting RADIUS-ACCT
   mbssid guest-mode
!
dot11 ssid sirmax-2
   vlan 193
   authentication open mac-address RADIUS
   accounting RADIUS-ACCT
   mbssid guest-mode
!
dot11 ssid sirmax-3
   vlan 192
   authentication open
   mbssid guest-mode
   wpa-psk ascii 7 101F5B4A5142445C545D7A6B
!
dot11 ssid sirmax-4
   vlan 191
   authentication open
   authentication key-management wpa
   accounting RADIUS-ACCT
   mbssid guest-mode
   mobility network-id 191
   wpa-psk ascii 7 03105E18121B245F5A
!
dot11 ssid sirmax-5
   vlan 190
   authentication open eap RADIUS
   authentication network-eap RADIUS
   authentication key-management wpa
   accounting RADIUS-ACCT
   mbssid guest-mode
!
!
crypto ca trustpoint TP-self-signed-1126158194
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1126158194
 revocation-check none
 rsakeypair TP-self-signed-1126158194
!
!
crypto ca certificate chain TP-self-signed-1126158194
 certificate self-signed 01
  quit
!
bridge irb
!
!
interface Loopback0
 no ip address
 no ip route-cache
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 logging event subif-link-status
 !
 encryption vlan 191 mode ciphers aes-ccm tkip
 !
 encryption vlan 190 mode ciphers aes-ccm tkip
 !
 ssid sirmax
 !
 ssid sirmax-1
 !
 ssid sirmax-2
 !
 ssid sirmax-3
 !
 ssid sirmax-4
 !
 ssid sirmax-5
 !
 mbssid
 short-slot-time
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 channel 2412
 station-role root
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.190
 encapsulation dot1Q 190
 no ip route-cache
 no cdp enable
 bridge-group 190
 bridge-group 190 subscriber-loop-control
 bridge-group 190 block-unknown-source
 no bridge-group 190 source-learning
 no bridge-group 190 unicast-flooding
 bridge-group 190 spanning-disabled
!
interface Dot11Radio0.191
 encapsulation dot1Q 191
 no ip route-cache
 no cdp enable
 bridge-group 191
 bridge-group 191 subscriber-loop-control
 bridge-group 191 block-unknown-source
 no bridge-group 191 source-learning
 no bridge-group 191 unicast-flooding
 bridge-group 191 spanning-disabled
!
interface Dot11Radio0.192
 encapsulation dot1Q 192
 no ip route-cache
 no cdp enable
 bridge-group 192
 bridge-group 192 subscriber-loop-control
 bridge-group 192 block-unknown-source
 no bridge-group 192 source-learning
 no bridge-group 192 unicast-flooding
 bridge-group 192 spanning-disabled
!
interface Dot11Radio0.193
 encapsulation dot1Q 193
 no ip route-cache
 no cdp enable
 bridge-group 193
 bridge-group 193 subscriber-loop-control
 bridge-group 193 block-unknown-source
 no bridge-group 193 source-learning
 no bridge-group 193 unicast-flooding
 bridge-group 193 spanning-disabled
!
interface Dot11Radio0.194
 encapsulation dot1Q 194
 no ip route-cache
 no cdp enable
 bridge-group 194
 bridge-group 194 subscriber-loop-control
 bridge-group 194 block-unknown-source
 no bridge-group 194 source-learning
 no bridge-group 194 unicast-flooding
 bridge-group 194 spanning-disabled
!
interface Dot11Radio0.195
 encapsulation dot1Q 195
 no ip route-cache
 no cdp enable
 bridge-group 195
 bridge-group 195 subscriber-loop-control
 bridge-group 195 block-unknown-source
 no bridge-group 195 source-learning
 no bridge-group 195 unicast-flooding
 bridge-group 195 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no cdp enable
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.190
 encapsulation dot1Q 190
 no ip route-cache
 no cdp enable
 bridge-group 190
 no bridge-group 190 source-learning
 bridge-group 190 spanning-disabled
!
interface FastEthernet0.191
 encapsulation dot1Q 191
 no ip route-cache
 no cdp enable
 bridge-group 191
 no bridge-group 191 source-learning
 bridge-group 191 spanning-disabled
!
interface FastEthernet0.192
 encapsulation dot1Q 192
 no ip route-cache
 no cdp enable
 bridge-group 192
 no bridge-group 192 source-learning
 bridge-group 192 spanning-disabled
!
interface FastEthernet0.193
 encapsulation dot1Q 193
 no ip route-cache
 no cdp enable
 bridge-group 193
 no bridge-group 193 source-learning
 bridge-group 193 spanning-disabled
!
interface FastEthernet0.194
 encapsulation dot1Q 194
 no ip route-cache
 no cdp enable
 bridge-group 194
 no bridge-group 194 source-learning
 bridge-group 194 spanning-disabled
!
interface FastEthernet0.195
 encapsulation dot1Q 195
 no ip route-cache
 no cdp enable
 bridge-group 195
 no bridge-group 195 source-learning
 bridge-group 195 spanning-disabled
!
interface BVI1
 ip address 192.168.130.130 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.130.1
ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
logging snmp-trap emergencies
logging snmp-trap alerts
logging snmp-trap critical
logging snmp-trap errors
logging snmp-trap warnings
no cdp run
snmp ifmib ifalias long
radius-server attribute 188 format non-standard
radius-server attribute 32 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server host 192.168.15.198 auth-port 1812 acct-port 1813 non-standard key 7 02250D480809
radius-server vsa send accounting
radius-server vsa send authentication
!
control-plane
!
bridge 1 route ip
!
!
!
line con 0
 transport preferred all
 transport output all
line vty 0 4
 transport preferred all
 transport input all
 transport output all
line vty 5 15
 transport preferred all
 transport input all
 transport output all
!
sntp server 193.33.48.5
end
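As an added example (not code from the original page), the following Python audit applies the rules this page relies on to a `dot11 ssid` block: a `wpa-psk` only takes effect together with `authentication key-management wpa`, a WPA VLAN needs `encryption vlan N mode ciphers` on the radio, and a `mac-address` list on its own is identification rather than authentication. It assumes the indentation of the dump above (SSID sub-commands indented three spaces) and uses a constructed sample trimmed from that config.

```python
import re
# Constructed sample cut down from the page's full config: sirmax carries a PSK but
# never enables WPA, sirmax-1 relies on MAC filtering, sirmax-4 is keyed correctly.
SAMPLE_CONFIG = """\
dot11 ssid sirmax
   vlan 195
   authentication open
   wpa-psk ascii 7 09584B1A0D1112011F
dot11 ssid sirmax-1
   vlan 194
   authentication open mac-address MAC-LOCAL
dot11 ssid sirmax-4
   vlan 191
   authentication key-management wpa
   wpa-psk ascii 7 03105E18121B245F5A
interface Dot11Radio0
 encryption vlan 191 mode ciphers aes-ccm tkip
"""

def parse_ssids(config):
    """Map each 'dot11 ssid' name to the list of its stripped sub-commands."""
    ssids, cur = {}, None
    for line in config.splitlines():
        m = re.match(r"dot11 ssid (\S+)", line)
        if m:
            cur = m.group(1)
            ssids[cur] = []
        elif cur and line.startswith("   "):   # ssid sub-commands are indented 3 spaces
            ssids[cur].append(line.strip())
        elif not line.startswith(" "):         # '!' or another top-level command ends the block
            cur = None
    return ssids

def audit(config):
    """Return {ssid: [findings]}; an empty list means the SSID looks consistent."""
    enc = set(re.findall(r"^\s*encryption vlan (\d+) mode ciphers", config, re.M))
    report = {}
    for name, lines in parse_ssids(config).items():
        vlan = next((l.split()[1] for l in lines if l.startswith("vlan ")), None)
        wpa = "authentication key-management wpa" in lines
        psk = any(l.startswith("wpa-psk") for l in lines)
        mac = any("mac-address" in l for l in lines)
        report[name] = f = []
        if psk and not wpa:
            f.append("wpa-psk present but no 'authentication key-management wpa': WPA is never negotiated")
        if wpa and vlan not in enc:
            f.append("key-management wpa but no 'encryption vlan %s mode ciphers' on the radio" % vlan)
        if mac and not wpa:
            f.append("MAC-address check without encryption: a MAC identifies a client, it does not authenticate it")
    return report
```

Run `audit(open("running-config.txt").read())` against a saved `show running-config` to get the same report for a real access point.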

Links