Ultimate wireless security guide: Configure Aironet access points for enterprise security

Enterprise wireless LAN security is a persistent concern for every system administrator and CIO. This article, part of the TechRepublic ultimate guide to enterprise wireless LAN security, explains how to configure an Aironet access point, a class of device common in enterprise-grade wireless networks.

The complete TechRepublic Ultimate Wireless Security Guide is available as a download in PDF form.

The Cisco Aironet class of wireless access points is very common in business and enterprise grade wireless networks. This tutorial is part of the ten-part Ultimate guide to enterprise wireless LAN security series and will tie in to the infrastructure described in the other nine articles.

Enterprise class Wireless LANs with Aironet access points

In this tutorial, I will show you how to configure a Cisco Aironet IOS-based access point to set up the following things:

  • Multiple Wireless LANs
  • One VLAN (Virtual LAN) per virtual Wireless LAN
  • Secure internal Wireless LAN that ties in to RADIUS and Active Directory
  • Guest Wireless LAN with Internet only access

Figure TTT below shows a physical layout of the configuration while Figure UUU shows the logical link.

Figure TTT: Physical layout

Figure UUU: Logical link

Initial hardware setup

After you've removed the Aironet access point from the box and plugged in the power adapter, plug the supplied console cable into a valid serial port on your computer. If you have a laptop that doesn't have a serial port, you will need to get a USB-to-serial adapter.

Once you boot up the Aironet access point, it will ask you to log in. The default user name and password are usually both set to Cisco. For example, here is a hardware installation guide for the Cisco 1100 series access point. Procedures for the Aironet 1100, 1200, and 1300 IOS-based stand-alone access points are all very similar. You will need to make sure you're running a more recent Aironet IOS for this guide to work, since there are minor differences in the configuration and some features, like multiple SSID broadcast, weren't available in the older firmware.

Wiping the default configuration

The first thing I do with all the newer Cisco access points is wipe the default configuration on them. Older firmware didn't have a username and password assigned, but the newer devices are different. Once you've logged in, you'll need to type the following commands.

  • enable
  • write erase
  • reload (confirm reboot)

Once the router is rebooted, you'll see a ">" prompt and you will be able to go into "enable" mode without a password. You now need to enter global configuration mode by typing the old "config t" command.

CLI configuration template for Aironet IOS

Since I've always thought that the Cisco configuration guides were too difficult to use with their inline comments and hints, I've created my own system of a configuration template in Microsoft Excel. Thanks to help from our development blogger Justin James, who wrote a quick replacement button that automatically generates a ready-to-use configuration output, we have a very useful tool for documenting and creating new CLI configuration files. For this specific tutorial, I've created this Aironet IOS template embedded with Justin's automation script.

How to use CLI template

Once you've downloaded the template for this tutorial, it's quick and easy to generate your own Cisco Aironet IOS configuration. All you need to do is fill out the yellow section shown in Figure VVV on the "Variables" tab page. The "Reference" sheet below in Figure VVV is the configuration template. It shows the configuration template with substitute variable names in red font, enclosed in [brackets].

Figure VVV: Configuration template

In Figure WWW below, the "Replace" button coded by Justin James will copy the content of the reference tab onto a new tab with the name Aironet (you can rename cell G5). You can use it multiple times and it will auto-increment the sheet names for each new configuration you create. This allows you to make slight modifications to the user-defined variables to create a new sheet.

Figure WWW: Reference Variables

Insert configuration on the Aironet access points

Once the configuration with your variables is created in a new worksheet, you literally copy the "Command" column with your customized settings (starting below the "Command" label) and paste it into your console. Note that all the Excel formatting will be excluded from the paste command, which is exactly what we want.

Also note that some commands take longer than others to insert because the device has to catch up, so I would recommend you paste in a small section at a time and verify that each of the commands executed properly without errors (some warning notices are OK). The console is also known to drop certain statements at times if you paste too fast, so make sure the router takes every single command. You can verify with the "show run" command to check the configuration. When you're satisfied, be sure to issue the "write mem" command to commit all the changes permanently so that the settings will remain intact the next time you reboot the router.
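The two steps above, filling the [bracketed] variables and then confirming with "show run" that the console did not drop a pasted line, can be scripted. The Python below is an added example, not part of the original article or its Excel template; the variable names, sample values, template lines and "show run" excerpt are constructed for illustration.

```python
import re

PLACEHOLDER = re.compile(r"\[([A-Za-z0-9_]+)\]")
# Typed at the console but never stored in the running configuration.
SESSION_ONLY = {"enable", "config t", "configure terminal", "end", "exit", "write mem"}

def render(template_lines, variables):
    """Fill [NAME] placeholders; refuse to emit a config with any left unfilled."""
    missing = set()
    def fill(match):
        if match.group(1) not in variables:
            missing.add(match.group(1))
            return match.group(0)
        return variables[match.group(1)]
    rendered = [PLACEHOLDER.sub(fill, line) for line in template_lines]
    if missing:
        raise KeyError("unfilled variables: " + ", ".join(sorted(missing)))
    return rendered

def dropped_commands(commands, show_run_text):
    """Return pasted commands that do not appear in captured 'show run' output."""
    # Per-line match that ignores indentation: it shows a line was accepted,
    # not that a sub-command landed under the intended parent block.
    present = {line.strip() for line in show_run_text.splitlines()}
    wanted = (c.strip() for c in commands)
    return [c for c in wanted if c and c not in SESSION_ONLY and c not in present]

# Constructed sample template (not the article's Excel sheet).
TEMPLATE = [
    "config t", "hostname [HOSTNAME]",
    "dot11 ssid [SSID]", "authentication open eap eap_methods",
    "authentication key-management wpa", "exit",
    "interface Dot11Radio0", "encryption mode ciphers aes-ccm", "ssid [SSID]", "end",
]
VARIABLES = {"HOSTNAME": "ap-lobby-01", "SSID": "CorpSecure"}  # constructed values

# Constructed 'show run' excerpt in which the console dropped one pasted line.
SHOW_RUN = """hostname ap-lobby-01
dot11 ssid CorpSecure
   authentication open eap eap_methods
interface Dot11Radio0
 encryption mode ciphers aes-ccm
 ssid CorpSecure
"""

if __name__ == "__main__":
    config = render(TEMPLATE, VARIABLES)
    print("missing from running config:", dropped_commands(config, SHOW_RUN))
```

The comparison needs commands written in full rather than abbreviated, and lines carrying passwords or keys may be stored in encrypted form, so check those by hand.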

On the reference page, I've taken the time to label all of the commands with their purpose. This is for reference, learning, and documentation purposes. It would be wise to look through the entire reference page and understand what most or all the lines are doing. The more you understand the reference page the better off you will be in the long run.

The final Excel file is not only helpful for the configuration setup; it's also great for permanent documentation. The table format, the highlighting, and all the text formatting help make Cisco CLI more readable and understandable. You can also change the reference page to your liking if you want to modify the template to suit your own purposes.


13 comments
latebeat

This article does almost nothing from the things it promises in the introduction. All Cisco Aironets can be configured from the web interface exactly like a consumer/home access point to the extent that this article presents here. No multiple SSIDs or guest VLANs were configured. This has been mentioned in the comments already. This is not a bad article; I'm just upset that I wasted my time registering in order to download the template and read through it, only to find out from the comments that the article doesn't describe the things it said it would.

robo_dev

Besides the fact that most Cisco people might not remember Aironet anymore, Cisco has a muuuuuch better solution today in terms of the Wireless LAN controller products. Instead of having to manage/configure a couple dozen APs individually, you do all the config from one pretty console. Oh, and it's about three times more secure, five times more foolproof, and twice the throughput. http://www.cisco.com/en/US/products/ps6302/Products_Sub_Category_Home.html

tef8

Download link for the tool? Instead of ignoring the many requests for that it'd be better to answer the question that many of us have.

roeseler

Hello! Where can I find the download link? I guess it should be over "Aironet IOS template" but there's no link there. Thanks! Cheers, Pedro

jsadony

George, I must say that this and the related articles you've written on wireless security are gold nuggets I found when mining the internet for exactly this information. Thank you and great job!

morten

Cisco IOS Software, C1130 Software (C1130-K9W7-M), Version 12.3(8)JEA, RELEASE SOFTWARE (fc2). On this version the "write erase" / "reload" does nothing. After reload the old configuration is back again.

morten

The introduction in this article tricked me into reading it. Where is the article for multiple SSIDs? Link? Anyone?

wizard57m-cnet

Which in IT is something like 3 product cycles. I wouldn't say registering for TR is a waste, there is a wide variety of information available. Welcome aboard the crazy train!

rufusion

This has nothing to do with trilokn's post, but I can't figure out any other way to post this and have it attached to the article. The introduction to this section says,

---
In this tutorial, I will show you how to configure a Cisco Aironet IOS-based access point to setup the following things:

  • Multiple Wireless LANs
  • One VLAN (Virtual LAN) per virtual Wireless LAN
  • Secure internal Wireless LAN that ties in to RADIUS and Active Directory
  • Guest Wireless LAN with Internet only access
---

Which is pretty much exactly what I'd like to do. But the template given does not appear to allow for any more than one SSID, and does not have any VLAN/trunking commands in it that I can see. I also don't see any configuration for the Guest WLAN. Am I missing something? How do I use this template to configure a wireless router for multiple SSID/VLANs?

georgeou

Umm, do you have a comment or question?