Aironet WAP
Basic configuration
- Find the MAC address on the sticker on the bottom
- Add a fixed address entry for it to the DHCP server
- Reset configuration. Power AP down, find the "MODE" button near the Ethernet and power jacks, hold MODE button, apply power, wait for Ethernet LED to turn amber, release MODE button.
- Point a web browser at the WAP's IP address (HTTP on port 80 for now; a factory reset turns off the HTTPS and SSH servers if they were on) and log in with the default user name and password. You should be prompted with a dialog asking for Level 15 access credentials. Username and password will both be Cisco.
- In the SERVICES section of the menu on the left side of the web interface, go to the Telnet/SSH page. Disable Telnet, enable Secure Shell, specify a host key length of 2048 bits, and hit the Apply button.
- On the SERVICES -> HTTP configuration page, turn off the "Enable Standard (HTTP) Browsing" checkbox, turn on the "Enable Secure (HTTPS) Browsing" checkbox, and hit the Apply button. From now on you connect to the HTTPS server on the WAP (https://... instead of http://...).
Current config
Here's the config file after making these changes and re-starting the WAP:
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname theciscowap
!
enable secret 5 $1$RimF$9wOIIG2xNNb9RRP40X2aL.
!
no aaa new-model
!
!
power inline negotiation prestandard source
!
crypto pki trustpoint TP-self-signed-2221812482
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2221812482
 revocation-check none
 rsakeypair TP-self-signed-2221812482
!
!
crypto pki certificate chain TP-self-signed-2221812482
 certificate self-signed 01 nvram:IOS-Self-Sig#3232.cer
username Cisco password 7 00271A150754
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 shutdown
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 dfs band 3 block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address dhcp client-id GigabitEthernet0
 no ip route-cache
!
no ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 login local
!
end
Next up, authentication
Want something better than WEP? Cisco doesn't support Personal WPA (static pre-shared key) on this device, so a RADIUS authentication server is going to be needed. :( (Or :) depending on how much work you thought you were in for.)
apt-get install freeradius freeradius-utils
Create a RADIUS shared secret for the WAP.
# pwgen here makes 3000 30-character passwords with punctuation, capitals, and digits.
# The greps filter out generated passwords without 4 capitals, then without 4 punctuation
# characters, then without 4 digits. The last grep filters out question marks, dollar signs,
# plus signs, and left square brackets: the Cisco WAP doesn't accept those punctuation
# characters in a shared secret. The patterns are quoted so the shell doesn't expand the
# brackets and asterisks as filename globs, and the final grep uses -F so each excluded
# character is matched literally rather than as a regex operator.
# Pick one from the resulting set and add an entry to /etc/freeradius/clients.conf
pwgen -y -n -c 30 3000 |
grep '[[:upper:]].*[[:upper:]].*[[:upper:]].*[[:upper:]]' |
grep '[[:punct:]].*[[:punct:]].*[[:punct:]].*[[:punct:]]' |
grep '[[:digit:]].*[[:digit:]].*[[:digit:]].*[[:digit:]]' |
grep -v -F -e '?' -e '$' -e '+' -e '['
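The same acceptance rules as reusable shell functions, added here as an example (written for this page, not the author's own script): secret_ok checks one candidate, filter_secrets filters a list on stdin the way the grep chain does, and client_stanza prints the clients.conf entry. The client name theciscowap is the hostname from the config above; the 192.0.2.10 address and the sample secret are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: the acceptance rules behind the
# pwgen pipeline above as reusable functions, so a candidate secret can be
# checked (or a whole list filtered) before it goes into clients.conf.

# Number of characters in $1 belonging to the POSIX character class named in $2.
count_class() {
    printf '%s' "$1" | tr -cd "[:$2:]" | wc -c | tr -d ' '
}

# Returns 0 when $1 is an acceptable shared secret for the WAP: exactly 30
# characters, at least 4 capitals, 4 punctuation characters and 4 digits, and
# none of ? $ + [ which the Cisco WAP does not accept.
secret_ok() {
    secret=$1
    [ "${#secret}" -eq 30 ] || return 1
    [ "$(count_class "$secret" upper)" -ge 4 ] || return 1
    [ "$(count_class "$secret" punct)" -ge 4 ] || return 1
    [ "$(count_class "$secret" digit)" -ge 4 ] || return 1
    case $secret in
        *'?'* | *'$'* | *'+'* | *'['*) return 1 ;;
    esac
    return 0
}

# Reads candidate secrets on stdin, one per line, and prints the acceptable ones.
# Equivalent to the grep chain above: pwgen -y -n -c 30 3000 | filter_secrets
filter_secrets() {
    while IFS= read -r candidate; do
        secret_ok "$candidate" && printf '%s\n' "$candidate"
    done
    return 0
}

# Prints a FreeRADIUS clients.conf stanza for the WAP.
# $1 = client name, $2 = the WAP's fixed DHCP address, $3 = shared secret.
client_stanza() {
    printf 'client %s {\n  ipaddr = %s\n  secret = %s\n  nastype = cisco\n}\n' "$1" "$2" "$3"
}

# Constructed sample values: 192.0.2.10 is a documentation address, not the author's.
SAMPLE_SECRET='Ab3!Cd4@Ef5#Gh6%ijklmnopqrstuv'
if secret_ok "$SAMPLE_SECRET"; then
    client_stanza theciscowap 192.0.2.10 "$SAMPLE_SECRET"
fi
```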