Hi,
I've recently purchased a Squeezebox radio that is missing the components to allow me to connect it to my wireless network currently using WPA Enterprise security. The workaround is to make use of my router's ability to run two wireless networks.
I have used the information given here to modify my config.
After spending several hours I cannot get either of the wireless networks to connect. The guest-mode network should broadcast the SSID but doesn't either.
Here is my running config. I know there is a lot wrong with it, a bit of a mess, but it is a learning curve for me:
Code:
version 12.4
no service pad
no service timestamps debug uptime
no service timestamps log uptime
service password-encryption
!
hostname C851W
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 SOMEPASSWORD
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 10.100.50.1 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eap
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization network sdm_vpn_group_ml_1 local
!
!
aaa session-id common
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 1:00
!
!
dot11 syslog
!
dot11 ssid 15CCC
 vlan 1
 authentication open eap eap_methods
 authentication network-eap eap_methods
 infrastructure-ssid
!
dot11 ssid 15CCG
 vlan 20
 authentication open
 authentication key-management wpa
 guest-mode
 wpa-psk ascii 7 SOMEPASSWORD
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.100.50.100
ip dhcp excluded-address 10.100.50.1 10.100.50.15
ip dhcp excluded-address 192.168.2.1 192.168.2.99
!
ip dhcp pool CLIENT
   network 10.100.50.0 255.255.255.0
   default-router 10.100.50.1
   import all
   domain-name mydomain.com
!
ip dhcp pool VLAN20
   import all
   network 192.168.2.0 255.255.255.0
   domain-name mydomain.com
   default-router 192.168.2.1
   lease 4
!
!
ip cef
ip inspect name MYFW tcp
ip inspect name MYFW udp
ip domain name mydomain.com
ip multicast-routing
ip ddns update method sdm_ddns1
 HTTP
  add http://.com/dyn/ez-ipupdate.php?action=edit&myip=<a>&host_id=<h>
  remove http://.com/dyn/ez-ipupdate.php?action=edit&myip=<a>&host_id=<h>
!
!
!
!
username user1 privilege 15 secret 5 SOMEPASSWORD
username user2 secret 5 SOMEPASSWORD
username user3 secret 7 SOMEPASSWORD
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key SOMEPASSWORD hostname ip.com no-xauth
!
crypto isakmp client configuration group WOTERVPN
 key SOMEPASSWORD
 pool SDM_POOL_1
 include-local-lan
 max-users 3
 netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
   match identity group WOTERVPN
   client authentication list sdm_vpn_xauth_ml_1
   isakmp authorization list sdm_vpn_group_ml_1
   client configuration address initiate
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
 set pfs group2
 set isakmp-profile sdm-ike-profile-1
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to93.97.224.119
 set peer bonneys.getmyip.com dynamic
 set transform-set ESP-3DES-SHA1
 match address 101
!
archive
 log config
  hidekeys
!
!
!
bridge irb
!
!
interface FastEthernet0
 spanning-tree portfast
!
interface FastEthernet1
 spanning-tree portfast
!
interface FastEthernet2
 spanning-tree portfast
!
interface FastEthernet3
 spanning-tree portfast
!
interface FastEthernet4
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface Dot11Radio0
 no ip address
 no dot11 extension aironet
 !
 encryption vlan 20 mode ciphers tkip
 !
 encryption vlan 1 mode wep mandatory
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 channel 2412
 station-role root
 no cdp enable
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.20
 description Guest wireless LAN-routed WLAN
 encapsulation dot1Q 20
 ip address 192.168.2.1 255.255.255.0
 ip access-group Guest-ACL in
 ip inspect MYFW out
 ip nat inside
 ip virtual-reassembly
!
interface Vlan1
 description Internal Network
 no ip address
 ip nat inside
 ip virtual-reassembly
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface BVI1
 description Bridge to internal network
 ip address 10.100.50.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip local pool SDM_POOL_1 10.100.50.240 10.100.50.245
no ip classless
ip forward-protocol nd
!
no ip http server
ip http secure-server
ip nat inside source static udp 10.100.50.5 57129 interface FastEthernet4 57129
ip nat inside source static tcp 10.100.50.5 29671 interface FastEthernet4 29671
ip nat inside source static tcp 10.100.50.5 4711 interface FastEthernet4 4711
ip nat inside source static tcp 10.100.50.5 85 interface FastEthernet4 85
ip nat inside source static tcp 10.100.50.5 80 interface FastEthernet4 80
ip nat inside source static udp 10.100.50.5 7 interface FastEthernet4 7
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
ip access-list extended Guest-ACL
 deny   ip any 10.100.50.0 0.0.0.255
 permit ip any any
ip access-list extended Internet-inbound-ACL
ip access-list extended SDM_AH
 remark SDM_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark SDM_ACL Category=1
 permit esp any any
!
access-list 1 remark NAT_ACL Category=2
access-list 1 remark SDM_ACL Category=16
access-list 1 permit 10.100.50.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.100.50.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 remark SDM_ACL Category=2
access-list 102 remark IPSec Rule
access-list 102 deny   ip 10.100.50.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 10.100.50.0 0.0.0.255 any
access-list 103 remark SDM_ACL Category=128
access-list 103 permit ip host 255.255.255.255 any
access-list 103 permit ip 127.0.0.0 0.255.255.255 any
access-list 104 remark SDM_ACL Category=128
access-list 104 permit ip host 94.192.126.147 any
access-list 105 remark SDM_ACL Category=0
access-list 105 remark IPSec Rule
access-list 105 permit ip 192.168.1.0 0.0.0.255 10.100.50.0 0.0.0.255
route-map SDM_RMAP_1 permit 1
 match ip address 102
!
radius-server local
  nas 10.100.50.1 key 7 SOMEPASSWORD
  user user1 nthash 7 SOMEPASSWORD
  user user2 nthash 7 SOMEPASSWORD
  user user3 nthash 7 SOMEPASSWORD
!
radius-server host 10.100.50.1 auth-port 1812 acct-port 1813 key 7 SOMEPASSWORD
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CCCCC
-----------------------------------------------------------------------
This is a private network. No unauthorised access
If you are not authorised to use this equipment you must
DISCONNECT IMMEDIATELY
-----------------------------------------------------------------------
^C
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 exec-timeout 60 0
 transport input ssh
!
scheduler max-task-time 5000
sntp server 158.43.128.33
sntp source-interface FastEthernet4
end
If anyone can decipher what I have done wrong and point me in the correct direction, I'd be most grateful.
Many thanks
W