
Cisco 891W multiple VLAN configuration

I'm having trouble getting a guest network working. I have VLAN 1, which contains all of our network resources (servers, desktops, printers, etc.). I have a wireless network set up to use VLAN1 but authenticating with WPA2 Enterprise. The guest network I just wanted either open or set up with a simple WPA2 Personal password on its own VLAN2. I've gone through tons of documentation and it should work, but I can't even authenticate to the guest network! I posted this on the Cisco support forum a week ago, but nobody has really answered. I really need help. So if anyone could take a look at the configs I've posted and point me in the right direction, I'd be extremely grateful.

Thanks!

Router:

version 15.0  
service timestamps debug datetime msec  
service timestamps log datetime msec  
no service password-encryption  
!  
hostname ESI  
!  
boot-start-marker  
boot-end-marker  
!  
logging buffered 51200 warnings  
!  
aaa new-model  
!  
aaa authentication login userauthen local  
aaa authorization network groupauthor local   
!   
aaa session-id common  
!   
clock timezone EST -5  
clock summer-time EDT recurring  
service-module wlan-ap 0 bootimage autonomous  
!   
crypto pki trustpoint TP-self-signed-3369945891  
enrollment selfsigned  
subject-name cn=IOS-Self-Signed-Certificate-3369945891  
revocation-check none  
rsakeypair TP-self-signed-3369945891  
!   
crypto pki certificate chain TP-self-signed-3369945891  
certificate self-signed 01  
(cert is here) quit  
ip source-route  
!  
ip dhcp excluded-address 192.168.1.1  
ip dhcp excluded-address 192.168.1.5  
ip dhcp excluded-address 192.168.1.2  
ip dhcp excluded-address 192.168.1.200 192.168.1.210  
ip dhcp excluded-address 192.168.1.6  
ip dhcp excluded-address 192.168.1.8  
ip dhcp excluded-address 192.168.3.1  
!   
ip dhcp pool ccp-pool  
import all  
network 192.168.1.0 255.255.255.0  
default-router 192.168.1.1   
dns-server 10.171.12.5 10.171.12.37   
lease 0 2  
!   
ip dhcp pool guest  
import all  
network 192.168.3.0 255.255.255.0  
default-router 192.168.3.1   
dns-server 10.171.12.5 10.171.12.37   
!   
ip cef   
no ip domain lookup  
no ipv6 cef  
!   
multilink bundle-name authenticated  
license udi pid CISCO891W-AGN-A-K9 sn FTX153085WL  
!   
username ESIadmin privilege 15 secret 5 $1$g1..$JSZ0qxljZAgJJIk/anDu51  
username user1 password 0 pass
!
!   
class-map type inspect match-any ccp-cls-insp-traffic  
match protocol cuseeme  
match protocol dns  
match protocol ftp  
match protocol h323  
match protocol https  
match protocol icmp  
match protocol imap  
match protocol pop3  
match protocol netshow  
match protocol shell  
match protocol realmedia  
match protocol rtsp  
match protocol smtp  
match protocol sql-net  
match protocol streamworks  
match protocol tftp  
match protocol vdolive  
match protocol tcp  
match protocol udp  
class-map type inspect match-all ccp-insp-traffic  
match class-map ccp-cls-insp-traffic  
class-map type inspect match-any ccp-cls-icmp-access  
match protocol icmp  
class-map type inspect match-all ccp-invalid-src  
match access-group 100  
class-map type inspect match-all ccp-icmp-access  
match class-map ccp-cls-icmp-access  
class-map type inspect match-all ccp-protocol-http  
match protocol http  
!   
policy-map type inspect ccp-permit-icmpreply  
class type inspect ccp-icmp-access  
inspect   
class class-default  
pass   
policy-map type inspect ccp-inspect  
class type inspect ccp-invalid-src  
drop log  
class type inspect ccp-protocol-http  
inspect   
class type inspect ccp-insp-traffic  
inspect   
class class-default  
drop   
policy-map type inspect ccp-permit  
class class-default  
drop   
!   
zone security out-zone  
zone security in-zone  
zone-pair security ccp-zp-self-out source self destination out-zone  
service-policy type inspect ccp-permit-icmpreply  
zone-pair security ccp-zp-in-out source in-zone destination out-zone  
service-policy type inspect ccp-inspect  
zone-pair security ccp-zp-out-self source out-zone destination self  
service-policy type inspect ccp-permit  
!   
crypto isakmp policy 1  
encr 3des  
authentication pre-share  
group 2   
!   
crypto isakmp client configuration group 3000client  
key 67Nif8LLmqP_  
dns 10.171.12.37 10.171.12.5  
pool dynpool  
acl 101   
!   
crypto ipsec transform-set myset esp-3des esp-sha-hmac   
!   
crypto dynamic-map dynmap 10  
set transform-set myset   
!   
crypto map clientmap client authentication list userauthen  
crypto map clientmap isakmp authorization list groupauthor  
crypto map clientmap client configuration address initiate  
crypto map clientmap client configuration address respond  
crypto map clientmap 10 ipsec-isakmp dynamic dynmap   
!   
interface FastEthernet0  
!   
interface FastEthernet1  
!   
interface FastEthernet2  
!   
interface FastEthernet3  
!   
interface FastEthernet4  
!   
interface FastEthernet5  
!   
interface FastEthernet6  
!   
interface FastEthernet7  
!   
interface FastEthernet8  
ip address dhcp  
ip nat outside  
ip virtual-reassembly  
duplex auto  
speed auto  
!   
interface GigabitEthernet0  
description $FW_OUTSIDE$$ES_WAN$  
ip address 10...* 255.255.254.0  
ip nat outside  
ip virtual-reassembly  
zone-member security out-zone  
duplex auto  
speed auto  
crypto map clientmap  
!   
interface wlan-ap0  
description Service module interface to manage the embedded AP  
ip unnumbered Vlan1  
arp timeout 0  
!   
interface Wlan-GigabitEthernet0  
description Internal switch interface connecting to the embedded AP  
switchport trunk allowed vlan 1-3,1002-1005  
switchport mode trunk  
!   
interface Vlan1  
description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$$FW_INSIDE$  
ip address 192.168.1.1 255.255.255.0  
ip nat inside  
ip virtual-reassembly  
zone-member security in-zone  
ip tcp adjust-mss 1452  
crypto map clientmap  
!   
interface Vlan2  
description guest  
ip address 192.168.3.1 255.255.255.0  
ip access-group 120 in  
ip nat inside  
ip virtual-reassembly  
zone-member security in-zone  
!   
interface Async1  
no ip address  
encapsulation slip  
!   
ip local pool dynpool 192.168.1.200 192.168.1.210  
ip forward-protocol nd  
ip http server  
ip http access-class 23   
ip http authentication local  
ip http secure-server  
ip http timeout-policy idle 60 life 86400 requests 10000  
!   
ip dns server  
ip nat inside source list 23 interface GigabitEthernet0 overload  
ip route 0.0.0.0 0.0.0.0 10.165.0.1  
!   
access-list 23 permit 192.168.1.0 0.0.0.255  
access-list 100 remark CCP_ACL Category=128  
access-list 100 permit ip host 255.255.255.255 any  
access-list 100 permit ip 127.0.0.0 0.255.255.255 any  
access-list 100 permit ip 10.165.0.0 0.0.1.255 any  
access-list 110 permit ip 192.168.0.0 0.0.5.255 any  
access-list 120 remark ESIGuest Restriction  
no cdp run  
!   
control-plane  

Access point:

version 12.4  
no service pad  
service timestamps debug datetime msec  
service timestamps log datetime msec  
no service password-encryption  
!  
hostname ESIRouter  
!  
no logging console  
enable secret 5 $1$yEH5$CxI5.9ypCBa6kXrUnSuvp1  
!  
aaa new-model  
!  
aaa group server radius rad_eap  
server 192.168.1.5 auth-port 1812 acct-port 1813  
!  
aaa group server radius rad_acct  
server 192.168.1.5 auth-port 1812 acct-port 1813  
!  
aaa authentication login eap_methods group rad_eap  
aaa authentication enable default line enable  
aaa authorization exec default local   
aaa authorization commands 15 default local   
aaa accounting network acct_methods start-stop group rad_acct  
!   
aaa session-id common  
clock timezone EST -5  
clock summer-time EDT recurring  
ip domain name ESI  
!   
dot11 syslog  
dot11 vlan-name one vlan 1  
dot11 vlan-name two vlan 2  
!   
dot11 ssid one vlan 1   
authentication open eap eap_methods   
authentication network-eap eap_methods   
authentication key-management wpa version 2  
accounting rad_acct  
!   
dot11 ssid two vlan 2   
authentication open   
guest-mode  
!   
dot11 network-map  
!   
username ESIadmin privilege 15 secret 5 $1$p02C$WVHr5yKtRtQxuFxPU8NOx.  
!   
bridge irb  
!   
interface Dot11Radio0  
no ip address  
no ip route-cache  
!   
encryption vlan 1 mode ciphers aes-ccm   
!   
broadcast-key vlan 1 change 30  
!   
ssid one
!
ssid two
!
antenna gain 0  
station-role root  
!   
interface Dot11Radio0.1  
encapsulation dot1Q 1 native  
no ip route-cache  
bridge-group 1  
bridge-group 1 subscriber-loop-control  
bridge-group 1 block-unknown-source  
no bridge-group 1 source-learning  
no bridge-group 1 unicast-flooding  
bridge-group 1 spanning-disabled  
!   
interface Dot11Radio0.2  
encapsulation dot1Q 2  
no ip route-cache  
bridge-group 2  
bridge-group 2 subscriber-loop-control  
bridge-group 2 block-unknown-source  
no bridge-group 2 source-learning  
no bridge-group 2 unicast-flooding  
bridge-group 2 spanning-disabled  
!   
interface Dot11Radio1  
no ip address  
no ip route-cache  
shutdown   
!   
encryption vlan 1 mode ciphers aes-ccm   
!   
broadcast-key vlan 1 change 30  
!   
ssid one
!
antenna gain 0  
dfs band 3 block  
channel dfs  
station-role root  
!   
interface Dot11Radio1.1  
encapsulation dot1Q 1 native  
no ip route-cache  
bridge-group 1  
bridge-group 1 subscriber-loop-control  
bridge-group 1 block-unknown-source  
no bridge-group 1 source-learning  
no bridge-group 1 unicast-flooding  
bridge-group 1 spanning-disabled  
!   
interface GigabitEthernet0  
description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router  
no ip address  
no ip route-cache  
!   
interface GigabitEthernet0.1  
encapsulation dot1Q 1 native  
no ip route-cache  
bridge-group 1  
no bridge-group 1 source-learning  
bridge-group 1 spanning-disabled  
!   
interface GigabitEthernet0.2  
encapsulation dot1Q 2  
no ip route-cache  
bridge-group 2  
no bridge-group 2 source-learning  
bridge-group 2 spanning-disabled  
!   
interface BVI1  
ip address 192.168.1.2 255.255.255.0  
no ip route-cache  
!   
ip http server  
no ip http secure-server  
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag  
access-list 10 permit 192.168.1.0 0.0.0.255  
radius-server host 192.168.1.5 auth-port 1812 acct-port 1813 key *****
bridge 1 route ip

On the AP side,

the encryption configuration for the second SSID is missing:

encryption vlan 2 mode ciphers "something"

On the router side

you have not included the NAT configuration for the guest network.

That said, it may still not work. My configuration is the same: "ssid2" clients will associate but cannot get an IP address from DHCP. I am looking for ways to debug this.
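The two points in the answer above, written out as IOS configuration for both devices. This is an added example, not the poster's config or the answerer's; it assumes the VLAN numbers, subnets, interface names and ACL numbers from the posted configs, a placeholder guest passphrase, and a hypothetical named ACL (NAT-INSIDE) introduced so that the NAT match list is no longer shared with the HTTP management access-class. The ACL 120 body is an assumption as well: the posted router config applies ACL 120 inbound on Vlan2 but gives it only a remark, so as posted it filters nothing and guests can reach the internal 192.168.1.0/24 subnet.

```cisco
! ---- Embedded AP (autonomous IOS) ----
! Guest SSID on VLAN 2 with WPA2-Personal. The posted AP config has no
! key management on SSID two and no "encryption vlan 2" line, so a WPA2
! client has no cipher to negotiate and never completes the handshake.
dot11 ssid two
 vlan 2
 authentication open
 authentication key-management wpa version 2
 wpa-psk ascii GUEST-PASSPHRASE-PLACEHOLDER
 guest-mode
!
! Placeholder passphrase above: replace before use. Keep it on its own
! line; "!" is not an inline comment in IOS and would become part of the key.
!
interface Dot11Radio0
 encryption vlan 2 mode ciphers aes-ccm
 broadcast-key vlan 2 change 30
!
! ---- Host router ----
! NAT: access-list 23 only matches 192.168.1.0/24, so guest traffic from
! 192.168.3.0/24 is routed out GigabitEthernet0 untranslated. ACL 23 is
! also reused by "ip http access-class 23", so widening it would open
! router management to guests; a separate named ACL (assumed name) avoids that.
ip access-list standard NAT-INSIDE
 permit 192.168.1.0 0.0.0.255
 permit 192.168.3.0 0.0.0.255
!
no ip nat inside source list 23 interface GigabitEthernet0 overload
ip nat inside source list NAT-INSIDE interface GigabitEthernet0 overload
!
! Guest isolation on Vlan2 (inbound). Allow DHCP and traffic to the
! router's own Vlan2 address, block the internal VLAN 1 subnet, allow the rest.
access-list 120 remark ESIGuest Restriction
access-list 120 permit udp any eq bootpc any eq bootps
access-list 120 permit ip any host 192.168.3.1
access-list 120 deny   ip any 192.168.1.0 0.0.0.255
access-list 120 permit ip any any
```

Apply the router part from the console rather than over HTTP, and run `clear ip nat translation *` before removing the old `ip nat inside source` statement, since IOS refuses to delete a NAT rule that still has active translations. The deny on 192.168.1.0/24 also covers the AP's BVI1 address (192.168.1.2) and the RADIUS server, neither of which a PSK guest client needs to reach.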