Cisco 877w wireless configuration

Everything related to configuring Cisco devices (that does not fall under the other categories)

Moderator: Federico.Lagni

Gibo®
n00b
Posts: 23
Joined: Thu 11 Aug, 2005 3:08 pm

Hi everyone, I can't figure out why my Vista machine won't authenticate to the WLAN:
I have 3 VLANs: one for hardware management (MGMT), one internal (LAN) and one DMZ; I need VLAN1 for trunking with another switch that carries the same VLANs.
I don't know what I'm getting wrong in the config, but it looks "pretty much" fine to me :oops:
Thanks for the help!
:D


version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
logging console critical
enable secret 5 $1$PydF$bHGBMALUIkiweaah6ct9M/
enable password 7 password
!
no aaa new-model
clock timezone UTC 1
!
crypto pki certificate chain TP-self-signed-3888322729
certificate self-signed 01
!
!
dot11 association mac-list 700
dot11 vlan-name WiFi vlan 4
!
dot11 ssid wifi2net
vlan 4
authentication open
authentication key-management wpa
guest-mode
infrastructure-ssid optional
wpa-psk ascii 7 passwordxpassword
!
no ip source-route
ip gratuitous-arps
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.23.25.254
ip dhcp excluded-address 10.23.25.1
ip dhcp excluded-address 10.23.25.2
ip dhcp excluded-address 172.16.2.33
!
ip dhcp pool sdm-pool1
import all
network 10.23.25.0 255.255.255.0
default-router 10.23.25.254
domain-name net2mind.it.lan
dns-server 213.205.32.70 213.205.36.70
!
ip dhcp pool wifi2net
network 172.16.2.64 255.255.255.224
default-router 172.16.2.96
!
!
ip name-server 213.205.32.70
ip name-server 213.205.36.70
ip inspect log drop-pkt
!
!
multilink bundle-name authenticated
!
!
username admin privilege 15 password 7 password
log config
hidekeys
!
!
!
bridge irb
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
dsl enable-training-log
!
interface FastEthernet0
switchport mode trunk
!
interface FastEthernet1
no cdp enable
!
interface FastEthernet2
switchport access vlan 2
no cdp enable
!
interface FastEthernet3
switchport access vlan 3
no cdp enable
!
interface Dot11Radio0
description WiFi Lan
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip local-proxy-arp
no dot11 extension aironet
!
encryption vlan 4 mode ciphers aes-ccm tkip
!
broadcast-key vlan 4 change 60
!
!
ssid wifi2net
!
speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
station-role root
world-mode dot11d country IT both
l2-filter bridge-group-acl
no cdp enable
!
interface Dot11Radio0.1
encapsulation dot1Q 4 native
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description Mngmt Lan
ip address 192.168.200.225 255.255.255.224
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface Vlan2
description Internal Lan
ip address 10.23.25.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
!
interface Vlan3
description DMZ Lan
ip address 172.16.1.1 255.255.255.224
ip nat inside
ip virtual-reassembly
!
interface Vlan4
description WiFi Lan
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
bridge-group 1
!
interface Dialer0
description $FW_INSIDE$
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no keepalive
no cdp enable
ppp authentication chap pap callin
ppp chap hostname xxxxx
ppp chap password 7 yyyyyy
ppp pap sent-username xxxxx password 7 yyyyyy
!
interface BVI1
ip address 172.16.2.33 255.255.255.224
ip access-group 102 in
ip mask-reply
ip directed-broadcast
ip nat inside
ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 101 interface Dialer0 overload
!
logging trap debugging
access-list 100 permit ip 10.23.25.0 0.0.0.255 any
access-list 101 permit ip 10.23.25.0 0.0.0.255 any
access-list 102 permit ip any any
access-list 700 permit 001b.7776.be1e 0000.0000.0000
access-list 700 deny 0000.0000.0000 ffff.ffff.ffff
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
password 7 password
login
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
sntp server 193.204.114.232

!
webvpn cef
end

router#
Wizard
Intergalactic subspace network admin
Posts: 3441
Joined: Fri 03 Feb, 2006 10:04 am
Location: Emilia Romagna

The future is made of people who have intuitions and visions ..... they are the people who make the difference...... the ones gifted with a THIRD EYE....
Gibo®
n00b
Posts: 23
Joined: Thu 11 Aug, 2005 3:08 pm

..yeah..I had already seen that one too, but there the wifi is on Vlan1 whereas I need to put it on 4, and from the attempts I've made (with SDM too) it doesn't seem to like that and always stays down... :-((

I'm surely doing something I shouldn't but....what?!! ;-O

...anyway thanks, I'll try to take some cues from it anyway....I'll let you know! :)

Bye!
alfnetx
Cisco fan
Posts: 55
Joined: Fri 28 Nov, 2008 3:35 pm

Gibo, I'd like to know whether you solved it and how.
I have a similar problem.

Bye
Gibo®
n00b
Posts: 23
Joined: Thu 11 Aug, 2005 3:08 pm

mmm I'm still working on the problem, but I've changed the config and have now also created a Free Public network, but there's still some authentication problem that I can't solve.
Anyway, I changed:

dot11 ssid xxxx
vlan 4
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 XXXXXXXXXX

and also:

interface Dot11Radio0
description WiFi Lan
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip local-proxy-arp
!
encryption vlan 4 mode ciphers aes-ccm tkip
!
ssid xxxx
!
speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
station-role root
world-mode dot11d country IT both
l2-filter bridge-group-acl
no cdp enable
!
interface Dot11Radio0.1
encapsulation dot1Q 4
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding

so as to have a different authentication.
However, I'm afraid the problem may also be in the Vista client.
In the meantime I'll run more tests...
Thanks! :D
alfnetx
Cisco fan
Posts: 55
Joined: Fri 28 Nov, 2008 3:35 pm

I think your (and my) problem lies in the IOS...
I've opened a dedicated topic
http://www.ciscoforums.it/viewtopic.php?t=10149
alfnetx
Cisco fan
Posts: 55
Joined: Fri 28 Nov, 2008 3:35 pm

Now it's certain that it's a bug in 22T.
Tonight I'm downgrading to 124-15.T7, then I'll report back, but it should be a given.
Gibo®
n00b
Posts: 23
Joined: Thu 11 Aug, 2005 3:08 pm

Hi,
let me know how you solved it, because when I do the flash upgrade I have to do, I'll also change the IOS if necessary....
If you have a basic config, post it too so I can compare it with mine.
Thanks, talk soon.
Gibo®
n00b
Posts: 23
Joined: Thu 11 Aug, 2005 3:08 pm

I've made some changes to the configuration to get wifi authentication working. An XP client seems to connect, but without being handed any IP address.
I don't understand whether I can use the same DHCP or need to create a dedicated one for the int dot110.

This is the configuration:




version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname router
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 5 log
logging count
logging message-counter syslog
logging userinfo
logging buffered 52000
logging console critical
enable secret xxx
enable password xxx

no aaa new-model
clock timezone UTC 1
clock summer-time MEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
!
crypto pki trustpoint TP-self-signed-xxx
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-xxx
revocation-check none
rsakeypair TP-self-signed-3888322729
!
!
crypto pki certificate chain TP-self-signed-xxx
certificate self-signed 01
............
quit
dot11 association mac-list 700
dot11 syslog
dot11 vlan-name WiFi vlan 1
!
dot11 ssid wifi2
vlan 1
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii xxx
!
no ip source-route
ip gratuitous-arps
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.23.25.254
ip dhcp excluded-address 10.23.25.1
ip dhcp excluded-address 10.23.25.2
ip dhcp excluded-address 172.16.1.1
!
ip dhcp pool sdm-pool1
import all
network 10.23.25.0 255.255.255.0
default-router 10.23.25.254
domain-name xxx
dns-server 213.205.32.70 213.205.36.70
!
!
ip cef
ip domain name xxx
ip name-server 213.205.32.70
ip name-server 213.205.36.70
ip inspect log drop-pkt
ip inspect name Fwall cuseeme
ip inspect name Fwall dns
ip inspect name Fwall ftp
ip inspect name Fwall h323
ip inspect name Fwall https
ip inspect name Fwall icmp
ip inspect name Fwall imap
ip inspect name Fwall pop3
ip inspect name Fwall rcmd
ip inspect name Fwall realaudio
ip inspect name Fwall rtsp
ip inspect name Fwall esmtp
ip inspect name Fwall sqlnet
ip inspect name Fwall streamworks
ip inspect name Fwall tftp
ip inspect name Fwall tcp
ip inspect name Fwall udp
ip inspect name Fwall vdolive
ip ddns update method DynDNS
HTTP
add http://xxx
interval maximum 27 23 59 59
!
no ipv6 cef
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 1
!
archive
log config
hidekeys
!
bridge irb
!
!
interface ATM0
no ip address
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl enable-training-log delay 10
snmp trap ip verify drop-rate
!
interface FastEthernet0
switchport mode trunk
!
interface FastEthernet1
no cdp enable
!
interface FastEthernet2
switchport access vlan 2
no cdp enable
!
interface FastEthernet3
switchport access vlan 3
no cdp enable
!
interface Dot11Radio0
description WiFi Lan
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip local-proxy-arp
!
encryption vlan 1 mode ciphers tkip
!
ssid wifi2
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
world-mode dot11d country IT both
l2-filter bridge-group-acl
no cdp enable
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description Mngmt Lan
no ip address
bridge-group 1
!
interface Vlan2
description Internal Lan
ip address 10.23.25.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
!
interface Vlan3
description DMZ Lan
ip address 172.16.1.1 255.255.255.224
ip nat inside
ip virtual-reassembly
!
interface Vlan4
description WiFi Lan
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Dialer0
description $FW_INSIDE$
ip ddns update hostname xxx
ip ddns update xxx
ip address negotiated
ip nat outside
ip inspect Fwall out
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no keepalive
no cdp enable
ppp authentication chap pap callin
ppp chap hostname xxx
ppp chap password xxx
ppp pap sent-username xxx password xxx
!
interface BVI1
ip address 192.168.0.222 255.255.255.0
ip access-group 102 in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 101 interface Dialer0 overload
!
logging trap debugging
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 permit ip 10.23.25.0 0.0.0.255 any
access-list 101 permit ip 10.23.25.0 0.0.0.255 any
access-list 101 remark WAN traffic enabled
access-list 102 remark LAN traffic enabled
access-list 102 permit ip any host 192.168.0.222
access-list 102 deny ip any host 192.168.0.255
access-list 102 deny udp any any eq tftp log
access-list 102 deny ip any 0.0.0.0 0.255.255.255 log
access-list 102 deny ip any 10.0.0.0 0.255.255.255 log
access-list 102 deny ip any 127.0.0.0 0.255.255.255 log
access-list 102 deny ip any 172.16.0.0 0.15.255.255 log
access-list 102 deny ip any 192.168.0.0 0.0.255.255 log
access-list 102 deny udp any any eq 135 log
access-list 102 deny tcp any any eq 135 log
access-list 102 deny udp any any eq netbios-ns log
access-list 102 deny udp any any eq netbios-dgm log
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 permit ip any host 255.255.255.255
access-list 102 deny ip any any log
access-list 700 permit 001b.7776.be1e 0000.0000.0000
access-list 700 permit 0014.6c09.c82c 0000.0000.0000
access-list 700 permit 0024.2b66.cc0c 0000.0000.0000
access-list 700 deny 0000.0000.0000 ffff.ffff.ffff
dialer-list 1 protocol ip permit
no cdp run
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
password xxx
login
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
sntp server 193.204.114.232
sntp server 192.43.244.18
sntp server 207.46.197.32
end
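
Added example, not part of the thread or of any poster's configuration: a Python check that the router has a DHCP pool for the subnet of the bridged interface (BVI1) the wireless clients land on, and that each pool's default-router lies inside its own network. The two excerpts are constructed from addressing lines of the first and last configurations posted above; the function names and the restriction to BVI interfaces are assumptions of this example.

```python
import ipaddress

# Constructed excerpts: only the addressing lines of the first and last configs in the thread.
FIRST = """ip dhcp pool wifi2net
network 172.16.2.64 255.255.255.224
default-router 172.16.2.96
!
interface BVI1
ip address 172.16.2.33 255.255.255.224
"""
LAST = """ip dhcp pool sdm-pool1
network 10.23.25.0 255.255.255.0
default-router 10.23.25.254
!
interface BVI1
ip address 192.168.0.222 255.255.255.0
"""

def parse(cfg):
    """Return ({pool: {"net", "gw"}}, {interface: ip_interface}); '!' ends a section."""
    pools, ifaces, ctx = {}, {}, None
    for line in cfg.splitlines():
        w = line.split()
        if not w or w[0] == "!":
            ctx = None
        elif w[:3] == ["ip", "dhcp", "pool"] and len(w) == 4:
            ctx = pools.setdefault(w[3], {})
        elif w[0] == "interface" and len(w) == 2:
            ctx = w[1]
        elif isinstance(ctx, dict) and w[0] == "network" and len(w) == 3:
            ctx["net"] = ipaddress.ip_network(f"{w[1]}/{w[2]}")
        elif isinstance(ctx, dict) and w[0] == "default-router" and len(w) >= 2:
            ctx["gw"] = ipaddress.ip_address(w[1])
        elif isinstance(ctx, str) and w[:2] == ["ip", "address"] and len(w) == 4:
            ifaces[ctx] = ipaddress.ip_interface(f"{w[2]}/{w[3]}")
    return pools, ifaces

def audit(cfg):
    """List DHCP addressing inconsistencies for the bridged WLAN interface."""
    pools, ifaces = parse(cfg)
    nets = {n: p for n, p in pools.items() if "net" in p}
    out = []
    for name, p in nets.items():
        if "gw" in p and p["gw"] not in p["net"]:
            out.append(f"pool {name}: default-router {p['gw']} is outside {p['net']}")
    # The IOS DHCP server serves a client from the pool matching the receiving interface's subnet.
    for ifname, i in ifaces.items():  # assumption: WLAN clients are bridged onto a BVI
        if ifname.startswith("BVI") and not any(i.ip in p["net"] for p in nets.values()):
            out.append(f"{ifname}: no DHCP pool covers {i.network}")
    return out
```

A finding for BVI1 means the router itself has no pool to lease from on that bridge; a DHCP server elsewhere on the bridged VLAN could still answer.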