Ultimate wireless security guide: Configure Aironet access points for enterprise security

Enterprise wireless LAN security is a persistent concern for every system administrator and CIO. This article, part of the TechRepublic ultimate guide to enterprise wireless LAN security, explains how to configure an Aironet access point, a device common in enterprise-grade wireless networks.

The complete TechRepublic Ultimate Wireless Security Guide is available as a download in PDF form.

The Cisco Aironet class of wireless access points is very common in business and enterprise grade wireless networks. This tutorial is part of the ten-part Ultimate guide to enterprise wireless LAN security series and will tie in to the infrastructure described in the other nine articles.

Enterprise class Wireless LANs with Aironet access points

In this tutorial, I will show you how to configure a Cisco Aironet IOS-based access point to set up the following:

  • Multiple Wireless LANs
  • One VLAN (Virtual LAN) per virtual Wireless LAN
  • Secure internal Wireless LAN that ties in to RADIUS and Active Directory
  • Guest Wireless LAN with Internet only access

Figure TTT below shows a physical layout of the configuration while Figure UUU shows the logical link.

Figure TTT: Physical layout

Figure UUU: Logical link

Initial hardware setup

After you've removed the Aironet access point from the box and plugged in the power adapter, plug the supplied console cable into a valid serial port on your computer. If you have a laptop that doesn't have a serial port, you will need to get a USB-to-serial adapter.

Once you boot up the Aironet access point, it will ask you to log in. The default user name and password are both usually set to Cisco. For example, here is a hardware installation guide for the Cisco 1100 series access point. Procedures for the Aironet 1100, 1200, and 1300 IOS-based stand-alone access points are all very similar. You will need to make sure you're running a more recent Aironet IOS for this guide to work, since there are minor differences in the configuration and some features, like multiple SSID broadcast, weren't available in the older firmware.

Wiping the default configuration

The first thing I do with all the newer Cisco access points is wipe the default configuration on them. Older firmware didn't have a username or password assigned, but the newer devices are different. Once you've logged in, type the following commands:

  • enable
  • write erase
  • reload (confirm reboot)

Once the access point has rebooted, you'll see a ">" prompt and you will be able to enter "enable" mode without a password. You now need to enter global configuration mode by typing the old "config t" command.

CLI configuration template for Aironet IOS

Since I've always thought that the Cisco configuration guides were too difficult to use with their inline comments and hints, I've created my own system of a configuration template in Microsoft Excel. Thanks to help from our development blogger Justin James, who wrote a quick replacement button that automatically generates a ready-to-use configuration output, we have a very useful tool for documenting and creating new CLI configuration files. For this specific tutorial, I've created this Aironet IOS template embedded with Justin's automation script.

How to use the CLI template

Once you've downloaded the template for this tutorial, it's quick and easy to generate your own Cisco Aironet IOS configuration. All you need to do is fill out the yellow section shown in Figure VVV on the "Variables" tab page. The "Reference" sheet below in Figure VVV is the configuration template. It shows the configuration commands with substitute variable names in red text, enclosed in [brackets].

Figure VVV: Configuration template

In Figure WWW below, the "Replace" button coded by Justin James will copy the content of the reference tab onto a new tab with the name Aironet (you can rename cell G5). You can use it multiple times and it will auto-increment the sheet names for each new configuration you create. This allows you to make slight modifications to the user-defined variables to create a new sheet.

Figure WWW: Reference Variables

Insert configuration on the Aironet access points

Once the configuration with your variables is created in a new worksheet, you literally copy the "Command" column with your customized settings (starting below the "Command" label) and paste it into your console. Note that all the Excel formatting will be excluded from the paste, which is exactly what we want.

Also note that some commands take longer than others to insert because the device has to catch up, so I would recommend you paste in a small section at a time and verify that each command executed properly without errors (some warning notices are OK). The console is also known to drop certain statements at times if you paste too fast, so make sure the access point takes every single command. You can use the "show run" command to check the configuration. When you're satisfied, be sure to issue the "write mem" command to commit all the changes permanently so that the settings remain intact the next time you reboot the access point.
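The two steps above, filling in the [bracket] variables and then checking "show run" for statements the console dropped, can be scripted. This is an added example, not the article's Excel macro or template: the variable names, the template fragment and the captured "show run" text are constructed, and it assumes the template uses full, unabbreviated commands.

```python
import re

# Constructed fragment in the article's [bracket] style (assumed names/commands).
TEMPLATE = """\
dot11 ssid [SECURE_SSID]
 vlan [SECURE_VLAN]
 authentication open eap eap_methods
dot11 ssid [GUEST_SSID]
 vlan [GUEST_VLAN]
 authentication open
 guest-mode
"""
VARIABLES = {"SECURE_SSID": "corp-wlan", "SECURE_VLAN": 10,
             "GUEST_SSID": "guest-wlan", "GUEST_VLAN": 20}
# Constructed "show run" capture in which the guest VLAN statement was dropped.
SHOW_RUN = """\
!
dot11 ssid corp-wlan
   vlan 10
   authentication open eap eap_methods
!
dot11 ssid guest-wlan
   authentication open
   guest-mode
!
"""
PLACEHOLDER = re.compile(r"\[([A-Z0-9_]+)\]")

def render(template, variables):
    """Substitute every [NAME]; refuse to emit a config with a blank or unknown variable."""
    def sub(match):
        value = str(variables.get(match.group(1), "")).strip()
        if not value:
            raise KeyError(f"no value for [{match.group(1)}]")
        return value
    return [PLACEHOLDER.sub(sub, line) for line in template.splitlines()]

def keyed(lines):
    """Pair each indented sub-command with its unindented parent, so that
    'vlan 20' under one SSID is not satisfied by a 'vlan 20' elsewhere."""
    parent, out = "", []
    for raw in lines:
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # skip blank lines and IOS '!' separators
        text = " ".join(raw.split())
        if raw[0].isspace():
            out.append((parent, text))
        else:
            parent = text
            out.append(("", text))
    return out

def dropped(commands, show_run):
    """Return (parent, command) pairs that were pasted but are absent from 'show run'."""
    running = set(keyed(show_run.splitlines()))
    return [k for k in keyed(commands) if k not in running]

if __name__ == "__main__":
    print(dropped(render(TEMPLATE, VARIABLES), SHOW_RUN))
```

IOS stores some statements in a different form than they were typed (keys may be shown encrypted, defaults may be omitted), so a reported line is one to inspect by hand before pasting it again.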

On the reference page, I've taken the time to label all of the commands with their purpose. This is for reference, learning, and documentation purposes. It would be wise to look through the entire reference page and understand what most or all the lines are doing. The more you understand the reference page the better off you will be in the long run.

The final Excel file is not only helpful for the configuration setup; it's also great for permanent documentation. The table format, the highlighting, and all the text formatting help make Cisco CLI more readable and understandable. You can also change the reference page to your liking if you want to modify the template to suit your own purposes.
