Cisco Wireless AP Configuration Guide in Complex Enterprise Environments

Requirements overview: a Cisco AP is used to build an enterprise wireless LAN. Users' laptops do not need to be joined to the AD domain to log on to the wireless network; the domain user name and password are used for logon. The SSIDs are hidden, so users cannot select an SSID on their own, and the administrator must configure the wireless network on each laptop. The administrator configures different SSIDs for different users, and these log on to different VLANs to divide network permissions.

Configuration requirements:
VLAN: multiple VLANs on one AP, similar to a switch.
SSID hiding: yes.
Encryption protocol: WPA2.
Authentication protocol: PEAP under 802.1X.
RADIUS server: Internet Authentication Service (IAS) in Windows 2003.
User directory: integrated with the enterprise's Microsoft Active Directory.

Environment:
AP: Cisco AIR-AP1231G-A-K9, IOS version: 13 (2) JA.
Authentication server: Windows 2003 Enterprise Server with SP1, with the IAS service installed.
Client: Windows XP with SP2. The wireless network card is an Intel PRO Wireless LAN 2100 3B Mini PCI Adapter.

Wireless AP configuration:

IP configuration:
Find the IP: by default the Cisco AP gets its IP address through DHCP. If your network has a DHCP server, first look up the MAC address of the AP, then go to the allocated address pool of your DHCP server and find the address obtained by the AP. If there is no DHCP server in your network, connect to the AP through the console.
Configure the IP address: if you connect to the AP through the console, go to interface BVI1 to configure an IP address for the AP. If you configure the IP address on the web page, go to Express SetUp to configure an IP address for the AP. The default username and password are both Cisco; they are case sensitive.

Configure VLANs: go to Service-VLAN, enter the VLAN ID and VLAN name, and click Apply to create a new VLAN. Repeat until all the VLANs are created. Confirm that the switch port connected to the AP is set to trunk mode.

Configure the encryption protocol: select the VLAN to be configured and go to Security-Encryption Manager. In Encryption Modes, select Cipher-TKIP.

Configure the authentication server: go to Security-Server Manager and select <NEW>. Enter the IP address or FQDN of the IAS server, enter the Secret, select 1645 as the port number, and click Apply. After the authentication server is created, stay in Security-Server Manager and, in Default Server Priorities, set the created authentication server as the default EAP Authentication server.
Configure SSIDs: go to Security-SSID Manager. In SSID Properties, select New, enter the SSID name and the VLAN ID, and tick the wireless port to confirm that it is used; the Network ID can be left empty. In Client Authentication Settings, select Open Authentication with EAP. In Client Authentication Key Management, select Mandatory with WPA. In Multiple BSSID Beacon Settings, check that "Set SSID as Guest Mode" is not selected.
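As an added example (not part of the original article and not Cisco tooling), the Python sketch below audits an exported AP configuration against the settings chosen in the steps above: EAP authentication, mandatory WPA key management, a cipher on the SSID's VLAN, guest mode off, and RADIUS port 1645. The configuration text is a constructed sample that assumes the autonomous-AP IOS CLI form of the web UI settings; SSID names, VLAN IDs and the server address are placeholders.

```python
import re

# Constructed sample in autonomous-AP IOS CLI form (assumption, not from the page).
SAMPLE = """\
dot11 ssid STAFF
 vlan 10
 authentication open eap eap_methods
 authentication key-management wpa
dot11 ssid VISITOR
 vlan 20
 authentication open
 guest-mode
interface Dot11Radio0
 encryption vlan 10 mode ciphers tkip
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key PLACEHOLDER
"""

def parse_sections(text):
    """Return [(top-level command, [indented sub-commands])]."""
    sections = []
    for line in filter(str.strip, text.splitlines()):
        if line[0].isspace() and sections:
            sections[-1][1].append(line.strip())
        elif not line.startswith("!"):
            sections.append((line.strip(), []))
    return sections

def audit(text, radius_port=1645):
    """List deviations from the settings this guide selects in the AP web UI."""
    sections, findings = parse_sections(text), []
    vlans = {m.group(1) for _, body in sections for ln in body
             if (m := re.match(r"encryption vlan (\d+) mode ciphers \S+", ln))}
    for head, body in sections:
        if m := re.match(r"dot11 ssid (\S+)", head):
            ssid = m.group(1)
            vlan = next((ln.split()[1] for ln in body if ln.startswith("vlan ")), None)
            eap = any(ln.startswith("authentication open eap ") for ln in body)
            wpa = any(ln.startswith("authentication key-management wpa")
                      and "optional" not in ln for ln in body)
            guest = any("guest-mode" in ln.split() for ln in body)
            checks = [(vlan in vlans, f"no cipher configured for VLAN {vlan}"),
                      (eap, "Open Authentication with EAP not set"),
                      (wpa, "WPA key management not mandatory"),
                      (not guest, "guest mode on, SSID is broadcast")]
            findings += [f"{ssid}: {msg}" for ok, msg in checks if not ok]
        elif m := re.match(r"radius-server host (\S+) auth-port (\d+)", head):
            if int(m.group(2)) != radius_port:
                findings.append(f"RADIUS {m.group(1)}: auth-port {m.group(2)}, expected {radius_port}")
    return findings
```

Calling audit(SAMPLE) returns one entry per deviation; an empty list means the export matches the settings above.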
Check the configuration: check the wireless configuration in Security. The final configuration should be similar to the figure.

Authentication server configuration:

Install the IAS service on the server.

Register the IAS server in Active Directory. Only with this configuration can IAS verify the authenticity of users in Active Directory. In the IAS Action menu, select Register Server in Active Directory to complete registration.

Configure a certificate for the IAS server (this step is critical): first configure the certificate server in the AD domain, then apply for a certificate for the IAS server. The certificate type is Computer or Server, and cannot be User or DC. After the certificate application is complete, import the issued certificate to the IAS server and restart it once.

Create a RADIUS client: in RADIUS Clients, choose to create a new client. Give the client a memorable name, usually the AP hostname, then fill in the AP's IP address or FQDN. For Client-Vendor, select Cisco or RADIUS Standard. Enter the shared secret, which must be consistent with the one entered on the AP. Click OK to create the client.

Create a policy: in Remote Access Policies, select New. Give the policy a memorable name; here we use Temp. In Access Method, select Wireless. In the user or group selection, select user or group. If you select a user, go to user management in AD and enable remote dial-in permission for the user. If you select a group, first create a user group and add to it all user accounts that should be able to log on over wireless. The group mode is recommended. In Authentication Methods, select PEAP and click Configure to check whether the certificate of the IAS server is installed successfully. If the certificate is not installed, it cannot be configured here.
After the policy is created, you need to configure it further. Go to the properties of the policy and select Edit Profile. On the authentication page, check MS-CHAP v2. If this policy is only for one user, you can also bind the MAC address of the user's wireless network card: add a Calling-Station-Id of "12356790AB" to the policy conditions.

Client (user end) configuration:

Create a wireless network on the user's wireless network card. Enter the SSID name, select WPA for network authentication, and select TKIP for data encryption. The key is obtained automatically. On the authentication page, select 802.1X, select PEAP, and click its properties. In the PEAP properties, "Verify server certificate" is not checked and the authentication method is MS-CHAP v2. Click Configure and clear the check box for automatically using the Windows logon name and password (important). Fast reconnect is left at its default setting.
This article is from the guest Network Customer Alliance