Difference between revisions of "Aironet WAP"
Latest revision as of 19:01, 1 April 2013
Basic configuration
- Find the MAC address on the sticker on the bottom
- Add a fixed address entry for it to the DHCP server
- Reset configuration. Power AP down, find the "MODE" button near the Ethernet and power jacks, hold MODE button, apply power, wait for Ethernet LED to turn amber, release MODE button.
- Point a web browser at the WAP's IP address (HTTP on port 80 for now. A factory reset turns off the HTTPS and SSH servers if they were on) and log in with the default user name and password. You should be prompted with a dialog asking for Level 15 access credentials. Username and password will both be Cisco.
- In the SERVICES section of the menu on the left side of the web interface, go to the Telnet/SSH page. Disable telnet, enable Secure Shell, specify a host key length of 2048 bits, and hit the Apply button.
- On the SERVICES -> HTTP configuration page, turn off the "Enable Standard (HTTP) Browsing" checkbox, turn on the "Enable Secure (HTTPS) Browsing" checkbox, and hit the Apply button. You will connect to the HTTPS server on the WAP now (https://... instead of http://...).
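As an added check that is not part of the original page, here is a small Python script you can run from a workstation to confirm the management ports ended up in the state the steps above aim for: Telnet (23) and HTTP (80) closed, SSH (22) and HTTPS (443) open. The WAP address 192.0.2.10 is an assumed placeholder, and the probe function is injectable so the comparison logic can be exercised without a device on the network.

```python
import socket
import sys

# State of the WAP's management ports after the steps above: True = expected open.
EXPECTED = {22: True, 23: False, 80: False, 443: True}


def tcp_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_management_ports(host, probe=tcp_open):
    """Probe each port in EXPECTED and return {port: (expected_open, actually_open)}.
    `probe` is injectable (default: a real TCP connect) so the logic is testable offline."""
    return {port: (want, probe(host, port)) for port, want in EXPECTED.items()}


def mismatches(results):
    """Ports whose observed state differs from the expected one, sorted."""
    return sorted(port for port, (want, got) in results.items() if want != got)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # assumed WAP address
    results = check_management_ports(target)
    for port, (want, got) in sorted(results.items()):
        state = lambda flag: "open" if flag else "closed"
        print(f"port {port}: expected {state(want)}, found {state(got)}")
    sys.exit(1 if mismatches(results) else 0)
```

Run it with the WAP's address as the only argument; a non-zero exit status means at least one port is not where the procedure left it, which is usually a sign the Apply button was not hit or the WAP reverted after a reset.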
Current config
Here's the config file after making these changes and re-starting the WAP:
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname theciscowap
!
enable secret 5 $1$RimF$9wOIIG2xNNb9RRP40X2aL.
!
no aaa new-model
!
!
power inline negotiation prestandard source
!
crypto pki trustpoint TP-self-signed-2221812482
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2221812482
 revocation-check none
 rsakeypair TP-self-signed-2221812482
!
!
crypto pki certificate chain TP-self-signed-2221812482
 certificate self-signed 01 nvram:IOS-Self-Sig#3232.cer
username Cisco password 7 00271A150754
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 shutdown
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 dfs band 3 block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address dhcp client-id GigabitEthernet0
 no ip route-cache
!
no ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 login local
!
end
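A config like the one above is worth auditing rather than just reading. The following Python script is an added example, not from the original page: it splits an IOS-style config into global lines and interface/line blocks, then flags a few management-plane settings (clear-text HTTP server enabled, HTTPS absent, service password-encryption missing, credentials stored with "password 7" or in clear text rather than as a hashed "secret", and vty lines with "no login" or no "transport input" restriction). Type 7 is a reversible obfuscation, not a hash, which is why that line is reported as a warning. The sample config is a trimmed copy of the one shown here with the enable-secret hash and the type-7 string replaced by constructed placeholders; the vty check only asks you to confirm Telnet is off, it does not declare it open.

```python
import re
from collections import OrderedDict

# Constructed sample input, modelled on the config shown on this page. The enable
# secret hash and the type-7 string are placeholders, not values from a real device.
SAMPLE_CONFIG = """\
version 12.4
service password-encryption
hostname theciscowap
enable secret 5 $1$abcd$PLACEHOLDERHASHNOTREAL0
username Cisco password 7 0123456789ABCDEF
interface BVI1
 ip address dhcp client-id GigabitEthernet0
 no ip route-cache
no ip http server
ip http secure-server
line con 0
line vty 0 4
 login local
end
"""

BLOCK_PREFIXES = ("interface ", "line ")


def parse_sections(text):
    """Split an IOS config into (global_lines, {block header: [child lines]}).
    IOS prints a block's sub-commands with a leading space; a '!' line ends a block."""
    global_lines, blocks, current = [], OrderedDict(), None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw[0].isspace():
            if current is not None:          # sub-command of the open block
                blocks[current].append(raw.strip())
            continue
        line = raw.strip()
        if line.startswith(BLOCK_PREFIXES):
            current = line
            blocks[current] = []
        else:
            current = None
            global_lines.append(line)
    return global_lines, blocks


def audit(text):
    """Return a list of 'WARN: ...' / 'INFO: ...' findings; an empty list means nothing flagged."""
    global_lines, blocks = parse_sections(text)
    present = set(global_lines)
    findings = []
    if "service password-encryption" not in present:
        findings.append("WARN: service password-encryption is off; type-0 passwords are shown in clear text")
    for line in global_lines:
        # 'username X password [type] ...' or 'enable password [type] ...'; 'secret' lines do not match
        m = re.match(r"(username \S+ password|enable password)(?: (\d+))? ", line)
        if m:
            ptype = m.group(2) or "0"
            how = "reversible type-7 encoding" if ptype == "7" else f"type-{ptype} (clear text)"
            findings.append(f"WARN: '{m.group(1)}' is stored with {how}; "
                            "a hashed 'secret' is preferred where the platform supports it")
    if "ip http server" in present:
        findings.append("WARN: clear-text HTTP management (ip http server) is enabled")
    if "ip http secure-server" not in present:
        findings.append("INFO: HTTPS management (ip http secure-server) is not enabled")
    for header, children in blocks.items():
        if not header.startswith("line vty"):
            continue
        if "no login" in children:
            findings.append(f"WARN: {header}: 'no login' admits sessions without authentication")
        elif not any(c.startswith("login") for c in children):
            findings.append(f"INFO: {header}: no explicit login method shown; confirm what the default does")
        if not any(c.startswith("transport input") for c in children):
            findings.append(f"INFO: {header}: no 'transport input' restriction; confirm Telnet is really off")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Feed it the output of "show running-config" saved to a file; on the sample it reports the type-7 username line and asks you to confirm the vty transport, and nothing else.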
Next up, authentication
Want something better than WEP? Cisco doesn't support Personal WPA (static pre-shared key) on this device, so a RADIUS authentication server is going to be needed. :( (Or :) depending on how much work you thought you were in for.)
apt-get install freeradius freeradius-utils
Create a RADIUS shared secret for the WAP.
# pwgen here makes 3000 passwords of 30 characters with punctuation, capitals, and digits.
# The greps filter out generated passwords without 4 capitals, then without 4 punctuation
# characters, then without 4 digits. The last grep filters out question marks, dollar signs,
# plus signs, and left square brackets. The Cisco WAP doesn't like those punctuation characters.
# The patterns are quoted so the shell doesn't treat the bracket expressions as globs, and the
# last grep uses fixed strings (-F) so '?', '$', '+' and '[' are matched literally.
# Pick one from the resulting set and add an entry to /etc/freeradius/clients.conf
pwgen -y -n -c 30 3000 |
grep '[[:upper:]].*[[:upper:]].*[[:upper:]].*[[:upper:]]' |
grep '[[:punct:]].*[[:punct:]].*[[:punct:]].*[[:punct:]]' |
grep '[[:digit:]].*[[:digit:]].*[[:digit:]].*[[:digit:]]' |
grep -v -F -e '?' -e '$' -e '+' -e '['
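Here is an added Python equivalent of the pwgen pipeline above (example code, not from the original page). It applies the same acceptance rule as the greps (30 characters, at least four capitals, four punctuation characters and four digits, none of the four characters the WAP rejects), builds the secret with the secrets module so every class count is guaranteed instead of filtered for, and renders the clients.conf stanza the comment refers to. The client name and address in the usage call are assumed placeholders; the secret is written double-quoted with backslash and double-quote escaped so punctuation such as '#' survives the FreeRADIUS config parser.

```python
import secrets
import string

SECRET_LENGTH = 30
MIN_PER_CLASS = 4
# Punctuation the page says the Cisco WAP does not accept in a shared secret.
REJECTED = set("?$+[")

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
PUNCT = "".join(c for c in string.punctuation if c not in REJECTED)
ALPHABET = UPPER + LOWER + DIGITS + PUNCT


def is_acceptable(candidate):
    """The rule the grep pipeline enforces: 30 characters, at least four
    capitals, four punctuation characters and four digits, nothing rejected."""
    if len(candidate) != SECRET_LENGTH:
        return False
    if any(c not in ALPHABET for c in candidate):   # rejected characters are not in ALPHABET
        return False
    return (sum(c in UPPER for c in candidate) >= MIN_PER_CLASS
            and sum(c in PUNCT for c in candidate) >= MIN_PER_CLASS
            and sum(c in DIGITS for c in candidate) >= MIN_PER_CLASS)


def generate_secret():
    """Build an acceptable secret directly: four characters from each required
    class, the rest from the whole alphabet, then a CSPRNG shuffle so the
    positions of the guaranteed characters are not predictable."""
    chars = [secrets.choice(UPPER) for _ in range(MIN_PER_CLASS)]
    chars += [secrets.choice(PUNCT) for _ in range(MIN_PER_CLASS)]
    chars += [secrets.choice(DIGITS) for _ in range(MIN_PER_CLASS)]
    chars += [secrets.choice(ALPHABET) for _ in range(SECRET_LENGTH - len(chars))]
    for i in range(len(chars) - 1, 0, -1):          # Fisher-Yates using secrets.randbelow
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    secret = "".join(chars)
    assert is_acceptable(secret)
    return secret


def clients_conf_stanza(name, address, secret):
    """Render the /etc/freeradius/clients.conf entry for the WAP."""
    if not is_acceptable(secret):
        raise ValueError("secret does not meet the WAP's constraints")
    escaped = secret.replace("\\", "\\\\").replace('"', '\\"')
    return (f"client {name} {{\n"
            f"\tipaddr = {address}\n"
            f'\tsecret = "{escaped}"\n'
            "}\n")


if __name__ == "__main__":
    # Assumed placeholders for the WAP's name and address.
    print(clients_conf_stanza("theciscowap", "192.0.2.10", generate_secret()))
```

Paste the printed stanza into /etc/freeradius/clients.conf and enter the same secret on the WAP's RADIUS server page; is_acceptable can also be used on a secret produced by the pwgen pipeline to double-check it before typing it into the WAP.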