Cisco WiFi Access Point Configuration
Cisco WiFi access points can be configured in lightweight or autonomous modes. Lightweight mode is for use with a wireless LAN controller, typically as part of a large deployment of many APs. Autonomous mode is for a single access point to act independently and maintain its own configuration, ideal for a home network.
You should use this document when you’ve stolen a Cisco WiFi access point from a network managed by a wireless LAN controller and wish to configure it for use as part of your own home network.
Connect a console cable. Power up the AP with Power over Ethernet or a DC adapter.
sudo screen /dev/ttyUSB0
This assumes access to the command line (the login and enable passwords are known). Log in via the console cable and enter the following command to enable configuration mode.
debug capwap console cli
If required, enter configuration terminal mode and apply a static IP address to the GigabitEthernet0 interface. This step is likely not required; the AP will often have been configured to use DHCP on this interface to find a WLC, so it will acquire an IP address automatically. Exit configuration mode.
Reset the stored configuration.
write default-config
Optionally, back up the current firmware to the TFTP server. The firmware is stored locally as a file tree, but it will be stored remotely as a .tar archive. Choose a name for the uploaded firmware by examining the filesystem.
dir flash:
..
8 drwx 896 Aug 19 2020 01:44:22 +00:00 ap1g2-k9w8-mx.ap_umr6_esc.202005010941
..
Create a file on the TFTP server for the upload to use. Of course, the filename doesn’t matter, but it makes sense to stick to Cisco’s format.
sudo touch /srv/tftp/ap1g2-k9w8-mx.ap_umr6_esc.tar
sudo chmod a+rw /srv/tftp/ap1g2-k9w8-mx.ap_umr6_esc.tar
Then, upload the firmware from the AP to the TFTP server.
archive upload-sw tftp://172.27.2.1/ap1g2-k9w8-mx.ap_umr6_esc.tar
From the console connection, copy the new firmware from the TFTP server.
archive download-sw /overwrite /force-reload tftp://172.27.2.1/ap1g2-k9w7-tar.152-4.JB6.tar
The AP will download the new firmware and reload. This takes a while (ten minutes or so).
Connect via the console cable and enter enable mode. The password is ‘Cisco’.
ap>enable
Password:
Assign a static IP address to the bridged virtual interface. This IP address will be used for management access.
ip default-gateway 172.27.2.1
interface BVI1
ip address 172.27.2.3 255.255.255.0
Get the AP ready for configuration over SSH.
ip domain-name lan
hostname ap2
crypto key gen rsa modulus 2048
username james password ...
enable secret ...
The remaining steps can be carried out via the console cable or SSH.
Define an SSID with a WPA pre-shared key. My SSID is ‘Ben’ and the password is represented here by ‘…’.
dot11 ssid Ben
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii ...
!
Apply the SSID to a radio device. Enable encryption for WPA and tell the radio device to use the radio frequencies allowed in the UK.
interface Dot11Radio0
encryption mode ciphers aes-ccm tkip
ssid Ben
world-mode dot11d country-code GB indoor
!
It should now be possible to connect to the WiFi network from a WiFi client device.
This is a minimal, but functional, configuration for the AP. Improvements might be to split management and data traffic into separate VLANs, enable multiple SSIDs with different VLANs, etc.
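The configuration above works but leaves some weak settings in place. As an added example (not part of the original page), this Python check scans a saved running-config for them; the rule names, the sample config, and its `username Cisco` and `line vty` lines are assumptions constructed for illustration.

```python
import re

# (rule id, per-line regex, why it matters, setting to consider instead)
RULES = [
    ("tkip", r"^\s*encryption\b.*\bciphers\b.*\btkip\b",
     "TKIP is offered alongside AES-CCM", "encryption mode ciphers aes-ccm"),
    ("wpa-version", r"^\s*authentication key-management wpa\s*$",
     "WPA version is not pinned, so WPA version 1 may be negotiated",
     "authentication key-management wpa version 2"),
    ("weak-user-hash", r"^username \S+ password\b",
     "'password' is kept in clear or reversible type 7 form",
     "username <name> secret <password>"),
    ("default-user", r"^username Cisco\b",
     "factory-default account name is still defined", "no username Cisco"),
    ("telnet", r"^\s*transport input .*\b(all|telnet)\b",
     "Telnet is accepted on the vty lines", "transport input ssh"),
]


def audit(config_text):
    """Return (line_no, rule_id, line, reason, fix) for each weak line."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), start=1):
        for rule_id, pattern, reason, fix in RULES:
            if re.search(pattern, line):
                findings.append((no, rule_id, line.strip(), reason, fix))
    return findings


# Constructed sample (not device output): the page's commands as a saved config.
# "username Cisco" and "line vty" lines are assumptions; secrets are placeholders.
SAMPLE = """\
username Cisco password 7 PLACEHOLDER
username james password 7 PLACEHOLDER
dot11 ssid Ben
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 7 PLACEHOLDER
interface Dot11Radio0
 encryption mode ciphers aes-ccm tkip
 ssid Ben
line vty 0 4
 transport input all
"""

if __name__ == "__main__":
    for no, rule_id, line, reason, fix in audit(SAMPLE):
        print(f"line {no}: [{rule_id}] {line}\n  {reason}; consider: {fix}")
```

Check that WiFi clients support WPA2 with AES-CCM before removing TKIP or pinning the WPA version.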
A CAP702W AP has four Ethernet ports for connecting wired devices. They are shut by default.
lan-port port-id 1
no shutdown
!
lan-port port-id 2
no shutdown
!
lan-port port-id 3
no shutdown
!
lan-port port-id 4
no shutdown
!
I use the command ‘screen /dev/ttyUSB0’ to connect via the console cable to the AP. Once, I closed the terminal window, then realised that I had forgotten a configuration command, so opened a new screen session. This session only received roughly half of the characters from the AP:
a#
ap2#a
2#
aen
P
The other screen session was still running and stealing half of my characters. Remember to kill screen sessions properly with ctrl-a k y.