У меня проблемы с подключением гостевой сети. У меня есть VLAN 1, которая содержит все наши сетевые ресурсы (серверы, настольные компьютеры, принтеры и т. Д.). У меня есть беспроводная сеть, настроенная на использование VLAN1, но аутентификацию с помощью wpa2 enterprise. Гостевая сеть, которую я просто хотел открыть или настроить с помощью простого личного пароля WPA2 в ее собственной VLAN2. Я просмотрел массу документации, и она должна работать, но я даже не могу пройти аутентификацию в гостевой сети! Я разместил это на форуме поддержки cisco неделю назад, но на самом деле никто не ответил. Мне действительно нужна помощь. Так что, если бы кто-нибудь мог взглянуть на опубликованные мной конфигурации и направить меня в правильном направлении, я был бы чрезвычайно благодарен.
Спасибо!
Маршрутизатор:
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ESI
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
!
clock timezone EST -5
clock summer-time EDT recurring
service-module wlan-ap 0 bootimage autonomous
!
crypto pki trustpoint TP-self-signed-3369945891
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3369945891
revocation-check none
rsakeypair TP-self-signed-3369945891
!
crypto pki certificate chain TP-self-signed-3369945891
certificate self-signed 01
(cert is here) quit
ip source-route
!
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.1.5
ip dhcp excluded-address 192.168.1.2
ip dhcp excluded-address 192.168.1.200 192.168.1.210
ip dhcp excluded-address 192.168.1.6
ip dhcp excluded-address 192.168.1.8
ip dhcp excluded-address 192.168.3.1
!
ip dhcp pool ccp-pool
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 10.171.12.5 10.171.12.37
lease 0 2
!
ip dhcp pool guest
import all
network 192.168.3.0 255.255.255.0
default-router 192.168.3.1
dns-server 10.171.12.5 10.171.12.37
!
ip cef
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
license udi pid CISCO891W-AGN-A-K9 sn FTX153085WL
!
username ESIadmin privilege 15 secret 5 $1$g1..$JSZ0qxljZAgJJIk/anDu51
username user1 password 0 pass !
!
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-protocol-http
match protocol http
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class class-default
drop
policy-map type inspect ccp-permit
class class-default
drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group 3000client
key 67Nif8LLmqP_
dns 10.171.12.37 10.171.12.5
pool dynpool
acl 101
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address initiate
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface GigabitEthernet0
description $FW_OUTSIDE$$ES_WAN$
ip address 10...* 255.255.254.0
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
crypto map clientmap
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport trunk allowed vlan 1-3,1002-1005
switchport mode trunk
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
crypto map clientmap
!
interface Vlan2
description guest
ip address 192.168.3.1 255.255.255.0
ip access-group 120 in
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!
interface Async1
no ip address
encapsulation slip
!
ip local pool dynpool 192.168.1.200 192.168.1.210
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip dns server
ip nat inside source list 23 interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 10.165.0.1
!
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 10.165.0.0 0.0.1.255 any
access-list 110 permit ip 192.168.0.0 0.0.5.255 any
access-list 120 remark ESIGuest Restriction
no cdp run
!
control-plane
Точка доступа:
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ESIRouter
!
no logging console
enable secret 5 $1$yEH5$CxI5.9ypCBa6kXrUnSuvp1
!
aaa new-model
!
aaa group server radius rad_eap
server 192.168.1.5 auth-port 1812 acct-port 1813
!
aaa group server radius rad_acct
server 192.168.1.5 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eap
aaa authentication enable default line enable
aaa authorization exec default local
aaa authorization commands 15 default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
clock timezone EST -5
clock summer-time EDT recurring
ip domain name ESI
!
dot11 syslog
dot11 vlan-name one vlan 1
dot11 vlan-name two vlan 2
!
dot11 ssid one vlan 1
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa version 2
accounting rad_acct
!
dot11 ssid two vlan 2
authentication open
guest-mode
!
dot11 network-map
!
username ESIadmin privilege 15 secret 5 $1$p02C$WVHr5yKtRtQxuFxPU8NOx.
!
bridge irb
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 1 mode ciphers aes-ccm
!
broadcast-key vlan 1 change 30
!
ssid one !
ssid two !
antenna gain 0
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.2
encapsulation dot1Q 2
no ip route-cache
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
bridge-group 2 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
!
encryption vlan 1 mode ciphers aes-ccm
!
broadcast-key vlan 1 change 30
!
ssid one !
antenna gain 0
dfs band 3 block
channel dfs
station-role root
!
interface Dot11Radio1.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
no ip address
no ip route-cache
!
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface GigabitEthernet0.2
encapsulation dot1Q 2
no ip route-cache
bridge-group 2
no bridge-group 2 source-learning
bridge-group 2 spanning-disabled
!
interface BVI1
ip address 192.168.1.2 255.255.255.0
no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
access-list 10 permit 192.168.1.0 0.0.0.255
radius-server host 192.168.1.5 auth-port 1812 acct-port 1813 key ***** bridge 1 route ip
На стороне AP,
отсутствует конфигурация шифрования для второго SSID:
шифрование vlan 2 режим шифрует "что-то"
На стороне маршрутизатора
Вы не учли конфигурацию NAT для гостевой сети.
Указав вышесказанное, он все равно может не работать. Конфигурация у меня такая же. клиенты «ssid2» будут связываться, но не смогут получить IP-адрес от DHCP. Я ищу способы отладить это.