How to configure a Cisco autonomous AP


This post covers how to configure a Cisco autonomous (standalone) AP.


The configuration covers the following:

・IEEE 802.1X authentication with EAP-TLS on the Cisco autonomous AP

・Both the 5 GHz and 2.4 GHz bands are enabled

・A client that joins SSID test is assigned an IP address in VLAN 10 via DHCP. For this to work, the switch port connected to the AP must be configured as a trunk with VLAN 1 as native and VLAN 10 allowed.


The same setup can also be done through the GUI; see the following for reference.

Autonomous AP: creating a WLAN (802.1X/EAP)
This document walks through the general procedure for creating an 802.1X/EAP-authenticated WLAN (SSID) on an autonomous AP. Verified AP version: 15.3(3)JC


A sample configuration for the Cisco autonomous AP follows (secrets and the BVI MAC address have been removed).

——————————————————————————-

no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname AP-test
!
!
logging rate-limit console 9
enable secret 5
!
aaa new-model
!
!
aaa group server radius rad_eap
 server name server1
 server name server2
!
aaa group server radius rad_mac
 server name server1
 server name server2
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login default line
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication enable default enable
aaa authentication dot1x default group radius
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
!
!
!
!
aaa session-id common
clock timezone +0900 9 0
no ip source-route
no ip cef
ip domain name settsuad.local
!
!
!
!
dot11 pause-time 100
dot11 syslog
!
dot11 ssid test
   vlan 10
   authentication open eap eap_methods
   authentication key-management wpa version 2
!
!
!
no ipv6 cef
!
!
dot1x system-auth-control
username admin privilege 15 password 7
!
!
bridge irb
!
!
!
interface Dot11Radio0
 no ip address
 ip helper-address 192.168.1.100
 !
 encryption vlan 10 mode ciphers aes-ccm
 !
 ssid test
 !
 antenna gain 0
 stbc
 beamform ofdm
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.10
 encapsulation dot1Q 10
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 spanning-disabled
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
!
interface Dot11Radio1
 no ip address
 ip helper-address 192.168.1.100
 !
 encryption vlan 10 mode ciphers aes-ccm
 !
 ssid test
 !
 antenna gain 0
 peakdetect
 no dfs band block
 stbc
 beamform ofdm
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1.10
 encapsulation dot1Q 10
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 spanning-disabled
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
!
interface GigabitEthernet0
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0.10
 encapsulation dot1Q 10
 bridge-group 10
 bridge-group 10 spanning-disabled
 no bridge-group 10 source-learning
!
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 ip address 192.168.1.1 255.255.255.0
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface BVI1
 mac-address
 ip address 192.168.1.1 255.255.255.0
 ipv6 address dhcp
 ipv6 address autoconfig
 ipv6 enable
!
ip default-gateway 192.168.1.254
ip forward-protocol nd
ip http server
no ip http secure-server
ip radius source-interface BVI1
!
!
radius-server attribute 32 include-in-access-req format %h
!
radius server server1
 address ipv4 192.168.2.1 auth-port 1812 acct-port 1646
 key 7
!
radius server server2
 address ipv4 192.168.2.2 auth-port 1812 acct-port 1646
 key 7
!
bridge 1 route ip
!
!
!
line con 0
 password 7
line vty 0 4
 password 7
 transport input telnet ssh
line vty 5 15
 password 7
 transport input telnet ssh
!
sntp server 192.168.1.200
sntp broadcast client
end

——————————————————————————-
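As an added example (not code from the original post or from Cisco), the following Python checker parses a running-config in the format above and follows the chain this setup relies on: the SSID's VLAN and EAP method list, the RADIUS group that list binds to, WPA2 with AES-CCMP on each radio, and the dot1Q sub-interfaces that bridge VLAN 10 to the wired side. The embedded excerpt is a constructed, shortened copy of the sample config (one radio kept); the function names are my own.

```python
import re
# Constructed excerpt of the post's running-config (one radio kept; secrets omitted).
SAMPLE = """\
aaa group server radius rad_eap
 server name server1
aaa authentication login eap_methods group rad_eap
dot11 ssid test
   vlan 10
   authentication open eap eap_methods
   authentication key-management wpa version 2
interface Dot11Radio0
 encryption vlan 10 mode ciphers aes-ccm
 ssid test
interface Dot11Radio0.10
 encapsulation dot1Q 10
 bridge-group 10
interface GigabitEthernet0.10
 encapsulation dot1Q 10
 bridge-group 10
"""

def parse(text):  # IOS config -> {header line: [indented child lines]}
    blocks, cur = {}, None
    for line in text.splitlines():
        if line.strip() in ("", "!"):
            continue
        if not line[0].isspace():
            cur = line.strip()  # new block; global one-liners become keys with no children
        blocks.setdefault(cur, []).extend([line.strip()] * line[0].isspace())
    return blocks

def first(lines, pattern):  # first re.match over a list (or a dict's keys), else None
    return next((m for m in (re.match(pattern, l) for l in lines) if m), None)

def audit_ssid(text, ssid):  # SSID -> EAP list -> RADIUS group; then WPA2/AES and VLAN bridging
    cfg, out = parse(text), []
    ss = cfg.get(f"dot11 ssid {ssid}", [])
    vlan = (first(ss, r"vlan (\d+)") or ("", "?"))[1]  # re.Match supports m[1]
    eap = first(ss, r"authentication open eap (\S+)")
    grp = eap and first(cfg, rf"aaa authentication login {eap[1]} group (\S+)")
    if not (grp and cfg.get(f"aaa group server radius {grp[1]}")):
        out.append(f"{ssid}: EAP method list does not resolve to a RADIUS group with servers")
    radios = [k for k in cfg if re.fullmatch(r"interface Dot11Radio\d", k)]
    needs = {r: (f"ssid {ssid}", f"encryption vlan {vlan} mode ciphers aes-ccm") for r in radios}
    needs[f"dot11 ssid {ssid}"] = ("authentication key-management wpa version 2",)
    for base in radios + ["interface GigabitEthernet0"]:  # dot1Q sub-interface bridges the VLAN
        needs[f"{base}.{vlan}"] = (f"encapsulation dot1Q {vlan}", f"bridge-group {vlan}")
    for iface, lines in needs.items():
        out += [f"{iface} lacks '{n}'" for n in lines if n not in cfg.get(iface, [])]
    return out
```

Running `audit_ssid(SAMPLE, "test")` on the excerpt returns no findings; removing a `bridge-group 10` line or downgrading the key-management line produces one finding per missing element.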
