Cisco Aironet 1232 access point

[fourmyskull]

I have another question on my access point, I set up a Unified Callmanager express on my 2611 router, I have it hooked to a 2950 and its programed like a router on a stick. I have my vlans set up with a vlan 10 for data and a vlan 15 for telephony. I have hooked my 7912 phone up and have dial tone and everything works just fine.

But I also have a 7920 wireless voip phone and want to be able to get it to access my voip system through my 1232 access point. I set the ssid through the gui but the 7920 does not see the access point.

Below is the config I have set up on my 2950. I have the 7912 plugged into FA0/4 and I have the 1232 plugged into FA/23

Below is the config for the 2950, can someone give me a text file for the config on how the aironet 1232 should be config to make this work. If you past one dont worry about the ip addresses I can change them.

Thank You for all your help..

hostname CMESwitch1
!
enable secret 5
!
ip subnet-zero
!
ip ssh time-out 120
ip ssh authentication-retries 3
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
interface FastEthernet0/1
switchport trunk native vlan 10
switchport mode trunk
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
switchport trunk native vlan 10
switchport mode trunk
switchport voice vlan 15
spanning-tree portfast
!
interface FastEthernet0/5
!
interface FastEthernet0/6
switchport trunk native vlan 10
switchport mode trunk
switchport voice vlan 15
spanning-tree portfast
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
switchport trunk native vlan 10
switchport mode trunk
switchport voice vlan 15
spanning-tree portfast
!
interface FastEthernet0/24
switchport trunk native vlan 10
switchport mode trunk
switchport voice vlan 15
spanning-tree portfast
!
interface Vlan1
description Management Vlan
ip address 192.168.0.14 255.255.255.192
no ip route-cache
!
ip default-gateway 192.168.0.1
ip http server
!
line con 0
password
login
line vty 0 4
password
login
line vty 5 15
password
login
!
!
end

 

[Viconsul]

The config looks okay, but you need to specify the encapsulation which can be either isl or 802.1q but if I remember correctly the Cisco AP1232 only support 802.1q.
So add the code below to your int fa0/23.

 switchport trunk encapsulation dot1q

If that fails, post the config on your AP.

HTH

 

[fourmyskull]

The switch Im useing is a older model it defaults to Encapsulation dot1q, I think the command I used was switch trunk mode.

But really what I am asking if someone could give me a config file that was copied to notepad with the config for a Aironet 1232 access point. So I can go through and see how it was set up because I am having no luck on my wireless phone seeing my Call manager, The 7912 desk voip phone registers and set up just fine on fa 0/4 or fa 0/6 I am connecting the access point up through fa 0/23, My 2611 router is connected through fa 0/1.

All of this config works fine it's just I'm not real up to speed on the Aironet's config and if I could find someone to set the config up that should work with how I have the switch and router set up then that would be a good starting point for me.

Thanks again for your help.

 

[Viconsul]

Below is a sample config, utilising mac address authentication and wep encryption.

version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Cisco1231
!
enable secret 5 42638353636328365
!
ip subnet-zero
ip domain name testlab.com
ip name-server 10.0.0.5
!
!
ip dhcp-server 10.0.0.11
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local 
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 association mac-list 700
dot11 vlan-name Data vlan 10
dot11 vlan-name Voip vlan 80
!
dot11 ssid Data
   vlan 10
   authentication open mac-address mac_methods 
!
dot11 ssid Voip
   vlan 80
   authentication open mac-address mac_methods 
!
dot11 network-map
dot11 phone dot11e
!
!
username 0040.laptop.mac password 7 15425B42373937634276272646
username 0040.laptop.mac autocommand exit
username 001c.phone.mac password 7 040B5B55273935363736353144
username 001c.phone.mac autocommand exit
username Cisco1231 privilege 15 password 7 153235378374534637
!
!
class-map match-all _class_Voip2
 match ip protocol 119
class-map match-all _class_Voip3
 match access-group 702
class-map match-all _class_Voip0
 match ip precedence 2 
class-map match-all _class_Voip1
 match ip dscp ef 
!
!
policy-map Voip
 class _class_Voip0
  set cos 6
 class _class_Voip1
  set cos 6
 class _class_Voip2
  set cos 6
 class _class_Voip3
  set cos 6
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache                                                                              
                                       
 !
 encryption vlan 10 key 1 size 128bit 7 4D36538373453442r25262t252   transmit-key
 encryption vlan 10 mode wep mandatory 
 !
 encryption vlan 80 key 1 size 128bit 7 412632837353442725242416175  transmit-key
 encryption vlan 80 mode wep mandatory 
 !
 ssid Data 
 !
 ssid Voip
 !
 speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
 channel 2412
 station-role root
 dot11 qos class video local
    admission-control
    admit-traffic signaling infinite
 !
 dot11 qos class voice local
    admission-control
    admit-traffic narrowband max-channel 75 roam-channel 6
 !
 dot11 qos class video cell
    admission-control
 !
 dot11 qos class voice cell
    admission-control
 !
 l2-filter bridge-group-acl
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 input-address-list 701
 bridge-group 10 output-address-list 701
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
 bridge-group 10 spanning-disabled
!
interface Dot11Radio0.80
 encapsulation dot1Q 80
 service-policy input Voip
 service-policy output Voip
 no ip route-cache
 bridge-group 80
 bridge-group 80 subscriber-loop-control
 bridge-group 80 input-address-list 702
 bridge-group 80 block-unknown-source
 no bridge-group 80 source-learning
 no bridge-group 80 unicast-flooding
 bridge-group 80 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 encryption vlan 10 key 1 size 128bit 7 CB4AF5503E354856427E9C39AEDD transmit-key
 encryption vlan 10 mode wep mandatory 
 !
 encryption vlan 80 key 1 size 128bit 7 8B4AF5503E354856427E9C39AEDD transmit-key
 encryption vlan 80 mode wep mandatory 
 !
 ssid Data 
 !
 ssid Voip
 !
 speed basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 l2-filter bridge-group-acl
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 input-address-list 701
 bridge-group 10 output-address-list 701
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
 bridge-group 10 spanning-disabled
!
interface Dot11Radio1.80
 encapsulation dot1Q 80
 service-policy input Voip
 service-policy output Voip
 no ip route-cache
 bridge-group 80
 bridge-group 80 subscriber-loop-control
 bridge-group 80 input-address-list 702
 bridge-group 80 block-unknown-source
 no bridge-group 80 source-learning
 no bridge-group 80 unicast-flooding
 bridge-group 80 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 speed 100
 full-duplex
 l2-filter bridge-group-acl
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 no bridge-group 10 source-learning
 bridge-group 10 spanning-disabled
!
interface FastEthernet0.80
 encapsulation dot1Q 80
 service-policy input Voip
 service-policy output Voip
 no ip route-cache
 bridge-group 80
 no bridge-group 80 source-learning
 bridge-group 80 spanning-disabled
!
interface BVI1
 ip address 10.0.0.4 255.0.0.0
 no ip route-cache
!
ip default-gateway 10.0.0.1
ip http server
no ip http secure-server
ip http help-path [URL unfurl="true"]http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag[/URL]
ip radius source-interface BVI1 
!
logging 10.0.0.11
access-list 700 permit 0040.laptop.mac  0000.0000.0000
access-list 700 permit 001c.phone.mac 	0000.0000.0000
access-list 700 deny   0000.0000.0000   ffff.ffff.ffff
access-list 701 permit 0040.laptop.mac  0000.0000.0000
access-list 703 permit 001c.phone.mac   0000.0000.0000
access-list 703 deny   0000.0000.0000   ffff.ffff.ffff
snmp-server community public  RO
snmp-server community home    RW
snmp-server trap-source BVI1
snmp-server location home  
snmp-server contact administrator
snmp-server chassis-id Cisco1231
snmp-server enable traps disassociate
snmp-server enable traps deauthenticate
snmp-server enable traps authenticate-fail
snmp-server enable traps dot11-qos
snmp-server enable traps switch-over
snmp-server enable traps rogue-ap
snmp-server enable traps wlan-wep
snmp-server enable traps syslog
snmp-server host 10 .0 . 0.11 home disassociate deauthenticate authenticate-fail dot11-qos switch-over rogue-ap wlan-wep syslog
snmp-server host 10 .0 . 0.5 version 2c public  
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
bridge 1 route ip
!
!
banner motd 
=============================================================================
                            PRIVATE NETWORK                                                          
=============================================================================

!
line con 0
 session-timeout 30
 exec-timeout 0 0
 password 7 5435748949047 
 logging synchronous
line vty 0 4
 session-timeout 30 
 exec-timeout 0 0
 password 7 6797021417393     
 logging synchronous
line vty 5 15
 session-timeout 30 
 exec-timeout 0 0
 password 7 09770011834784     
 logging synchronous
!
sntp logging
sntp server  10.0 .0 .5
sntp broadcast client
end

 

[fourmyskull]

So by looking at this config, it looks like you have the access point set up in trunk mode just like I have the switch correct?

If I am then it is just like setting up a router on a stick with a switch it is just that we are extending out the switch to the access point for wireless devices to connect wirelessly (correct?)

 

[Viconsul]

Yeah , that is correct. The AP is just extending the lan to wireless devices and that is why the link from the AP back to the switch is a trunk.

 

[fourmyskull]

Ok great thank you that helps allot!!

Ok now that I have that straight, if I took this config and edited the vlans to match my vlan set up, how could I take out the authentication out and the wep? So I can paste it into my AP config, I do not wish to have any athentication at this point. This is just a lab I have set up for testing and I will mess with the security settings at a later date.

Can you let me know what to edit out or if you do it I can compare the two so I know how it is set up? Either way is fine to me I just don't want you to think I am wanting someone else to do all the work. I know that in the short future I will be dealing with a voip system at my job so I'm trying to get a jump start on figuring it out, I am maintaining a Nortel TDM system right now and my boss is wanting to go all Cisco.

Below is the config I have set up on my 2611 just for reference so you can see how my Call Manager is set up.


THANK YOU FOR ALL YOUR HELP!!!

hostname CMERouter1
!
boot-start-marker
boot-end-marker
!
!
memory-size iomem 10
no network-clock-participate slot 1
no network-clock-participate wic 0
voice-card 1
!
no aaa new-model
ip subnet-zero
ip cef
!
!
ip dhcp excluded-address 192.168.0.1 192.168.0.150
!
ip dhcp pool ITS
network 192.168.0.0 255.255.255.0
option 150 ip 192.168.0.13
default-router 192.168.0.13
!
ip dhcp pool Data
!
!
no ip domain lookup
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
!
!
!
!
!
controller T1 1/0
framing sf
linecode ami
!
!
!
interface FastEthernet0/0
duplex auto
speed auto
!
interface FastEthernet0/0.1
encapsulation dot1Q 1
ip address 192.168.0.13 255.255.255.192
!
interface FastEthernet0/0.10
encapsulation dot1Q 10 native
ip address 192.168.0.66 255.255.255.192
!
interface FastEthernet0/0.15
encapsulation dot1Q 15
ip address 192.168.0.130 255.255.255.192
!
router eigrp 100
network 192.168.0.0
auto-summary
!
ip default-gateway 192.168.0.1 <---this is my home router so I have access to that router for my internet access
ip classless
!
ip http server
!
!
!
control-plane
!
!
!
!
!
!
!
telephony-service
max-ephones 4
max-dn 4
ip source-address 192.168.0.13 port 2000
auto assign 1 to 4
create cnf-files version-stamp Jan 01 2002 00:00:00
max-conferences 4
transfer-system full-consult
!
!
ephone-dn 1 dual-line
number 65694
!
!
ephone-dn 2 dual-line
number 65695
!
!
ephone-dn 3 dual-line
number 65696
!
!
ephone-dn 4 dual-line
number 65697
!
!
ephone 1
!
!
!
ephone 2
!
!
!
ephone 3
!
!
!
ephone 4
!
!
!
line con 0
password
logging synchronous
login
line aux 0
line vty 0 4
password
logging synchronous
login
!
!
end

 

[burtsbees]

Just FYI for posting level 7 passwords...

http://www.ifm.net.nz/cookbooks/passwordcracker.html

not a biggie since yours is all internal, but users who are privy to this forum could potentially do some bad stuff. Anywho...

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!

 

[Viconsul]

Four*,
You will need atleast one form of encryption on your wireless network and if I remember correctly the Cisco 7920 ip phone only supports wep and eap. Mac authentication is the only thing you may be able to do without. So you will need to take out the acls and the mac authentication. If you are stuck post your scrubbed config.

Burt,
The level 7 passwords and wep keys in the config are just arbitrary numbers I came up with. BTW would you know of any for Cisco level 5 passwords?

 

[burtsbees]

Just brute force, impossible to reverse MD5. Your password numbers output a result, so they are actually valid cyphers.

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!

 

[fourmyskull]

Thank you for your help again, below I have attached your config viconsul. I went through and edited the stuff that I knew about, and the config that I'm not up to speed on I marked questions out beside them. As of encryption and mac address filtering I would like to take all that out. This system is in my garage and it is just a lab I have set up for testing and does not need to be secured. Later I will mess with the secureing options in the GUI after I get the system up and going the way I want it to work. So can you run through this config and see what you think and what I can delete. I have took out the passwords and some of the encryption also change the hostnames and vlan 80 to 15 to match my voip sub interface on my call manager.

Thanks again for your help.


version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CMEAP
!
enable secret 5
!
ip subnet-zero
ip domain name <----- I don't need this correct
ip name-server 192.168.0.13
!
!
ip dhcp-server 192.168.0.13
aaa new-model <------------- What is this???
!
!
aaa group server radius rad_eap <------------- What is this???
!
aaa group server radius rad_mac <------------- What is this???
!
aaa group server radius rad_acct <------------- What is this???
!
aaa group server radius rad_admin <------------- What is this???
!
aaa group server tacacs+ tac_admin <------------- What is this???
!
aaa group server radius rad_pmip <------------- What is this???
!
aaa group server radius dummy <------------- What is this???
!
aaa authentication login eap_methods group rad_eap <------------- can I just delete the encrypttion?
aaa authentication login mac_methods local <------------- can I just delete the encrypttion?
aaa authorization exec default local <------------- can I just delete the encrypttion?
aaa accounting network acct_methods start-stop group rad_acct <----can I just delete the encrypttion?
aaa session-id common <------------- can I just delete the encrypttion?
dot11 association mac-list 700 <------------- can I just delete the encrypttion?
dot11 vlan-name Data vlan 10
dot11 vlan-name Voip vlan 15
!
dot11 ssid Data
vlan 10
authentication open mac-address mac_methods
!
dot11 ssid Voip
vlan 15
authentication open mac-address mac_methods
!
dot11 network-map
dot11 phone dot11e
!
!
username CMEAP privilege 15 password 7
!
!
class-map match-all _class_Voip2 <------------- What is this???
!
match ip protocol 119<------------- What is this???
!
class-map match-all _class_Voip3<------------- What is this???
!
match access-group 702<------------- What is this???
!
class-map match-all _class_Voip0
match ip precedence 2 <------------- What is this???
!
class-map match-all _class_Voip1<------------- What is this???
!
match ip dscp ef <------------- What is this???
!
!
policy-map Voip <------------- What is this???
class _class_Voip0 <------------- What is this???
set cos 6
class _class_Voip1 <------------- What is this???
set cos 6
class _class_Voip2 <------------- What is this???
set cos 6
class _class_Voip3 <------------- What is this???
set cos 6
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache

!

!

!
ssid Data
!
ssid Voip
!
speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2412
station-role root
dot11 qos class video local
admission-control
admit-traffic signaling infinite
!
dot11 qos class voice local
admission-control
admit-traffic narrowband max-channel 75 roam-channel 6
!
dot11 qos class video cell
admission-control
!
dot11 qos class voice cell
admission-control
!
l2-filter bridge-group-acl
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 input-address-list 701
bridge-group 10 output-address-list 701
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
bridge-group 10 spanning-disabled
!
interface Dot11Radio0.15
encapsulation dot1Q 15
service-policy input Voip
service-policy output Voip
no ip route-cache
bridge-group 15
bridge-group 15 subscriber-loop-control
bridge-group 15 input-address-list 702
bridge-group 15 block-unknown-source
no bridge-group 15 source-learning
no bridge-group 15 unicast-flooding
bridge-group 15 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
!
!
ssid Data
!
ssid Voip
!
speed basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
l2-filter bridge-group-acl
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 input-address-list 701
bridge-group 10 output-address-list 701
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
bridge-group 10 spanning-disabled
!
interface Dot11Radio1.15
encapsulation dot1Q 15
service-policy input Voip
service-policy output Voip
no ip route-cache
bridge-group 15
bridge-group 15 subscriber-loop-control
bridge-group 15 input-address-list 702
bridge-group 15 block-unknown-source
no bridge-group 15 source-learning
no bridge-group 15 unicast-flooding
bridge-group 15 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
speed 100
full-duplex
l2-filter bridge-group-acl
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface FastEthernet0.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
no bridge-group 10 source-learning
bridge-group 10 spanning-disabled
!
interface FastEthernet0.15
encapsulation dot1Q 815
service-policy input Voip
service-policy output Voip
no ip route-cache
bridge-group 15
no bridge-group 15 source-learning
bridge-group 15 spanning-disabled
!
interface BVI1
ip address 192.168.0.13 255.255.255.192
no ip route-cache
!
ip default-gateway 192.168.0.13
ip http server
no ip http secure-server
ip http help-path

http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag

ip radius source-interface BVI1
!
logging 192.168.0.13

bridge 1 route ip
!
!
banner motd 
=============================================================================
PRIVATE NETWORK
=============================================================================

!
line con 0
session-timeout 30
exec-timeout 0 0
password 7
logging synchronous
line vty 0 4
session-timeout 30
exec-timeout 0 0
password 7
logging synchronous
line vty 5 15
session-timeout 30
exec-timeout 0 0
password 7
logging synchronous
!
sntp logging
sntp server 192.168.0.13
sntp broadcast client
end

 

[Viconsul]

Could you post your current config, and we can work on that to get you up and running, it is easier that way. You don't need the majority of the stuff you questioned just to get wireless working.