Aironet WAP

From FnordWiki

Basic configuration

  • Find the MAC address on the sticker on the bottom
  • Add a fixed address entry for it to the DHCP server
  • Reset configuration. Power AP down, find the "MODE" button near the Ethernet and power jacks, hold MODE button, apply power, wait for Ethernet LED to turn amber, release MODE button.
  • Point a web browser at the WAP's IP address (HTTP on port 80 for now. A factory reset turns off the HTTPS and SSH servers if they were on) and log in with the default user name and password. You should be prompted with a dialog asking for Level 15 access credentials. Username and password will both be Cisco.
  • In the SERVICES section of the menu on the left side of the web interface, go to the Telnet/SSH page. Disable Telnet, enable Secure Shell, specify a host key length of 2048 bits, and hit the Apply button.
  • On the SERVICES -> HTTP configuration page, turn off the "Enable Standard (HTTP) Browsing" checkbox, turn on the "Enable Secure (HTTPS) Browsing" checkbox, and hit the Apply button. From now on you will connect to the HTTPS server on the WAP (https://... instead of http://...).

Current config

Here's the config file after making these changes and re-starting the WAP:

!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname theciscowap
!
enable secret 5 $1$RimF$9wOIIG2xNNb9RRP40X2aL.
!
no aaa new-model
!
!
power inline negotiation prestandard source
!
crypto pki trustpoint TP-self-signed-2221812482
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2221812482
 revocation-check none
 rsakeypair TP-self-signed-2221812482
!
!
crypto pki certificate chain TP-self-signed-2221812482
 certificate self-signed 01 nvram:IOS-Self-Sig#3232.cer
username Cisco password 7 00271A150754
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 shutdown
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 dfs band 3 block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address dhcp client-id GigabitEthernet0
 no ip route-cache
!
no ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 login local
!
end

Next up, authentication

Want something better than WEP? Cisco doesn't support Personal WPA (static pre-shared key) on this device, so a RADIUS authentication server is going to be needed. :( (Or :) depending on how much work you thought you were in for.)

apt-get install freeradius freeradius-utils

Create a RADIUS shared secret for the WAP.

# pwgen here makes 3000 passwords, each 30 characters long, with punctuation (-y), digits (-n), and
# capitals (-c); -1 forces one password per line so the greps see one candidate at a time.
# The greps keep only passwords with at least 4 capitals, then at least 4 punctuation
# characters, then at least 4 digits.  The last grep drops any password containing a question mark,
# dollar sign, plus sign, or left square bracket.  The Cisco WAP doesn't like those punctuation characters.
# The regex patterns are single-quoted so the shell does not try to expand them as globs, and the
# final grep uses -F so the four characters are matched literally rather than as regex operators.
# Pick one from the resulting set and add an entry to /etc/freeradius/clients.conf
pwgen -1 -y -n -c 30 3000 |
grep '[[:upper:]].*[[:upper:]].*[[:upper:]].*[[:upper:]]' |
grep '[[:punct:]].*[[:punct:]].*[[:punct:]].*[[:punct:]]' |
grep '[[:digit:]].*[[:digit:]].*[[:digit:]].*[[:digit:]]' |
grep -v -F -e '?' -e '$' -e '+' -e '['
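The same constraints applied directly in Python, as an added example that is not part of the wiki page: it draws characters from the OS CSPRNG and keeps only candidates with at least four capitals, four punctuation characters and four digits, none of them the four characters the WAP rejects. The alphabet, the `minimum` parameter and the function names are assumptions of this example, not pwgen's exact behaviour.

```python
import secrets
import string

# Characters the page says the Cisco WAP rejects in a RADIUS shared secret.
WAP_REJECTED = set("?$+[")

# Constructed alphabet: ASCII letters, digits and every punctuation
# character the WAP will accept (assumption: this mirrors pwgen -y -n -c).
ALPHABET = string.ascii_letters + string.digits + "".join(
    c for c in string.punctuation if c not in WAP_REJECTED
)


def is_acceptable(secret: str, length: int = 30, minimum: int = 4) -> bool:
    """Apply the same filters as the grep pipeline above: exact length,
    at least `minimum` capitals, punctuation characters and digits,
    and none of the characters the WAP rejects."""
    if len(secret) != length:
        return False
    if any(c in WAP_REJECTED for c in secret):
        return False
    uppers = sum(c.isupper() for c in secret)
    digits = sum(c.isdigit() for c in secret)
    puncts = sum(c in string.punctuation for c in secret)
    return min(uppers, digits, puncts) >= minimum


def generate_secret(length: int = 30, minimum: int = 4) -> str:
    """Draw from the OS CSPRNG and retry until every constraint holds,
    the way the pipeline over-generates with pwgen and keeps the survivors."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if is_acceptable(candidate, length, minimum):
            return candidate


if __name__ == "__main__":
    # Print one usable secret for /etc/freeradius/clients.conf.
    print(generate_secret())
```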