WiFi w 1812



#1 Post autor: vienio »

Uruchamiam WiFi w Cisco 1812. Bardzo dużo pomógł mi gonte. Połączenie działa, kiedy nie jest zaszyfrowane. Z chwilą zabezpieczenia połączenia DHCP z nieznanego powodu nie przydziela adresu z zadeklarowanej puli i połączenie nie działa.
Poniżej zamieszczam fragment konfiguracji. Czy widać w nim jakieś moje błędy?


!
! AAA server groups. Every group in this paste is declared empty (no
! "server" lines), so the method lists below that reference rad_eap,
! rad_pmip and rad_acct have nothing to query; presumably trimmed from the
! paste or left over from SDM — confirm on the device.
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
! Login method lists: userlist and mac_methods are local-only,
! eap_methods points at the (empty) rad_eap group.
aaa authentication login userlist local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
! No 802.1X authentication at all ("none"); acceptable only because the
! SSID below uses a pre-shared key rather than EAP.
aaa authentication dot1x default none
aaa authorization ipmobile default group rad_pmip 
aaa authorization network grouplist local 
aaa accounting network acct_methods start-stop group rad_acct
!
!
aaa session-id common
!
!
! Wireless events go to syslog; VLAN 2 is given the name "wifi" so it can
! be referenced by name from an SSID.
dot11 syslog
dot11 vlan-name wifi vlan 2
!
!
dot11 ssid wifi-psk
   vlan 2
   authentication open 
   ! Only a PSK is configured here. There is no
   ! "authentication key-management wpa" on the SSID and no
   ! "encryption vlan 2 mode ciphers ..." on the radio interfaces, so WPA is
   ! never actually negotiated for this SSID — presumably why clients
   ! associate but never get a usable link (and thus no DHCP lease) as soon
   ! as the key is enabled. The working config posted later in this thread
   ! adds both lines.
   ! The key is stored with type 7, which is a reversible encoding rather
   ! than encryption; a key published in this form should be treated as
   ! disclosed and rotated.
   wpa-psk ascii 7 1542295C16242227033264704556
!
!
!
ip cef
no ip dhcp use vrf connected
! The two excluded ranges leave only 192.168.1.5-192.168.1.10 (six
! addresses) assignable from pool vlan2 — enough for a small WLAN, but the
! first thing to check when clients stop receiving leases.
ip dhcp excluded-address 192.168.1.1 192.168.1.4
ip dhcp excluded-address 192.168.1.11 192.168.1.254
!
! Pool for the wireless VLAN; the gateway 192.168.1.1 lives on BVI1, so
! leases are handed out from the bridged interface, not from Dot11Radio0.2.
ip dhcp pool vlan2
   ! "import all" copies DHCP options the router itself learned on its
   ! WAN side (via DHCP/PPP) into this pool.
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1 
   dns-server 194.204.152.34 194.204.159.1 
!
!
!
!
!
!
! Two IPsec transform sets. ASA-IPSEC offers single DES (esp-des), which is
! long deprecated; only the AES set should be offered to new peers.
crypto ipsec transform-set ASA-IPSEC esp-des esp-sha-hmac 
crypto ipsec transform-set AES esp-aes esp-sha-hmac 
!
! Dynamic map for peers whose address is not known in advance
! (e.g. remote-access clients); uses the AES set.
crypto dynamic-map DYNAMIC 10
 set transform-set AES 
!
!
! NOTE(review): the next two lines belong to a static crypto map entry
! whose "crypto map SDM_CMAP_1 <seq> ipsec-isakmp" header is missing from
! the paste (probably trimmed). ACL SDM_1 is not shown either, and the
! WAN interface where SDM_CMAP_1 is applied is outside this excerpt.
 set transform-set ASA-IPSEC 
 match address SDM_1
crypto map SDM_CMAP_1 65000 ipsec-isakmp dynamic DYNAMIC 
!
!
! 2.4 GHz radio (802.11b/g rates below). Note there is no
! "encryption vlan 2 mode ciphers ..." line here, so the wpa-psk on SSID
! wifi-psk has no cipher to bind to — compare with the second config in
! this thread, which adds it. Verify with "show dot11 associations".
interface Dot11Radio0
 no ip address
 !
 ssid wifi-psk
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
! VLAN 2 sub-interface of the 2.4 GHz radio, bridged (bridge-group 1)
! together with Vlan2 and routed through BVI1.
interface Dot11Radio0.2
 encapsulation dot1Q 2
 ip virtual-reassembly
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 ! Radio-side hardening: drop frames from MAC addresses the bridge has not
 ! seen on this port, do not learn MACs from the radio, and do not flood
 ! unknown unicast toward wireless clients.
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
! Second radio (OFDM-only rates, presumably the 5 GHz / 802.11a band).
! No "ssid" is attached here in this config, so it does not serve wifi-psk.
interface Dot11Radio1
 no ip address
 no dot11 extension aironet
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
!
!
! Wired side of VLAN 2; no IP of its own, it is just a member of
! bridge-group 1 whose IP lives on BVI1.
interface Vlan2
 no ip address
 bridge-group 1
 bridge-group 1 spanning-disabled
!
! Routed interface for bridge-group 1: gateway of the wireless subnet and
! the DHCP pool's default-router. It is the NAT inside side; the outside
! (WAN) interface is not part of this paste.
interface BVI1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
! Address pool 192.168.100.1-.10; ACL 100 below explicitly excludes these
! hosts, which suggests it is the VPN client pool — confirm (the
! "crypto isakmp client configuration" section is not in the paste).
ip local pool PULA 192.168.100.1 192.168.100.10
ip forward-protocol nd
! Default route; the next hop is the real public WAN gateway, so this
! excerpt exposes it.
ip route 0.0.0.0 0.0.0.0 79.187.248.169
!
!
! 192.168.0.0/24 appears to be the wired LAN (its interface is not in the
! paste).
access-list 10 permit 192.168.0.0 0.0.0.255
! ACL 100 is SDM-generated and referenced by route-maps SDM_RMAP_1/2
! below, most likely as the NAT selection list: "deny" = do not translate,
! "permit" = translate. The "ip nat inside source route-map" line that
! would confirm this is outside the paste.
access-list 100 remark SDM_ACL Category=18
! Keep traffic toward the VPN client pool (192.168.100.x) untranslated.
access-list 100 deny   ip 192.168.0.0 0.0.0.255 host 192.168.100.1
access-list 100 deny   ip 192.168.0.0 0.0.0.255 host 192.168.100.2
access-list 100 deny   ip 192.168.0.0 0.0.0.255 host 192.168.100.3
access-list 100 deny   ip 192.168.0.0 0.0.0.255 host 192.168.100.4
access-list 100 deny   ip 192.168.0.0 0.0.0.255 host 192.168.100.5
access-list 100 deny   ip 192.168.0.0 0.0.0.255 host 192.168.100.6
access-list 100 deny   ip 192.168.0.0 0.0.0.255 host 192.168.100.7
access-list 100 deny   ip 192.168.0.0 0.0.0.255 host 192.168.100.8
access-list 100 deny   ip 192.168.0.0 0.0.0.255 host 192.168.100.9
access-list 100 deny   ip 192.168.0.0 0.0.0.255 host 192.168.100.10
access-list 100 deny   ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
! Wildcard 255.255.255.0 means "first three octets don't care, last octet
! must be 0", i.e. any source ending in .0 — looks like an SDM artifact;
! verify it is intended.
access-list 100 deny   ip 0.0.0.0 255.255.255.0 any
! Mirror of the crypto ACL 101: site-to-site traffic must not be NATed.
access-list 100 remark IPSec Rule
access-list 100 deny   ip 192.168.0.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 100 deny   ip any 192.168.0.0 0.0.0.255
! Wired hosts are whitelisted individually ...
access-list 100 permit ip host 192.168.0.3 any
access-list 100 permit ip host 192.168.0.11 any
access-list 100 permit ip host 192.168.0.12 any
access-list 100 permit ip host 192.168.0.20 any
access-list 100 permit ip host 192.168.0.21 any
access-list 100 permit ip host 192.168.0.22 any
access-list 100 permit ip host 192.168.0.23 any
access-list 100 permit ip host 192.168.0.26 any
access-list 100 permit ip host 192.168.0.27 any
access-list 100 permit ip host 192.168.0.28 any
access-list 100 permit ip host 192.168.0.29 any
access-list 100 permit ip host 192.168.0.31 any
access-list 100 permit ip host 192.168.0.44 any
access-list 100 permit ip host 192.168.0.66 any
access-list 100 permit ip host 192.168.0.67 any
access-list 100 permit ip host 192.168.0.75 any
access-list 100 permit ip host 192.168.0.77 any
access-list 100 permit ip host 192.168.0.88 any
access-list 100 permit ip host 192.168.0.99 any
access-list 100 permit tcp host 192.168.0.124 host 10.10.10.1 eq 3389
access-list 100 permit tcp host 192.168.0.125 host 10.10.10.1 eq 3389
! ... whereas the whole wireless subnet is permitted. If this is the NAT
! list, WLAN clients get broader egress than wired hosts — confirm that is
! deliberate.
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
! ACL 101: interesting traffic for the site-to-site IPsec tunnel.
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.0.0 0.0.0.255 10.10.10.0 0.0.0.255
! ACL 199 is not referenced anywhere in this excerpt.
access-list 199 permit ip 192.168.0.0 0.0.0.255 any
no cdp run
! Static ARP binding for one wired host.
arp 192.168.0.31 0011.095e.705f ARPA
!
!
!
! Both SDM route-maps match the same ACL 100; presumably one per outside
! interface for NAT — the "ip nat inside source" lines are not in the paste.
route-map SDM_RMAP_1 permit 1
 match ip address 100
!
route-map SDM_RMAP_2 permit 1
 match ip address 100
!
!
!
! RADIUS request formatting; unused in practice while every server group
! above is empty.
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
!
control-plane
!
! Bridge-group 1 runs IEEE spanning tree (disabled per port above) and
! routes IP through BVI1. "bridge irb" is required for that and is not in
! this paste — it does appear in the second config of the thread.
bridge 1 protocol ieee
bridge 1 route ip
!
end
don't give up!
vienio


#2 Post autor: vienio »

Problem rozwiązany, dziękuję.
don't give up!
vienio


#3 Post autor: Seba »

vienio pisze: problem rozwiązany, dziękuję.
A co pomogło, tak dla potomnych?
"Two things are infinite: the universe and human stupidity; and I'm not sure about the universe."
A. Einstein


#4 Post autor: mhuba »

Podziel się rozwiązaniem. Ja miałem podobny problem: AP nie przydzielał mi IP przez DHCP
przy WPA2 dla wybranych klientów (szczególnie telefony Nokia z Symbianem).
Proteza, która działa do dzisiaj, to obniżenie poziomu zabezpieczeń do WPA.
Link do mojego topica http://ccie.pl/viewtopic.php?t=14321

Z góry dzięki.

Pozdrawiam
mhuba


#5 Post autor: vienio »

Przesyłam najistotniejsze linie konfiguracji:



!
! AAA enabled. Only the tac_admin group is declared in this excerpt, yet
! the method lists below still reference rad_eap, rad_pmip and rad_acct;
! those groups are presumably trimmed from the paste (they were empty in
! the first post).
aaa new-model
!
!
!
aaa group server tacacs+ tac_admin
!
!
aaa authentication login userlist local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
! No 802.1X authentication; fine here because the SSID uses a PSK.
aaa authentication dot1x default none
aaa authorization ipmobile default group rad_pmip 
aaa authorization network grouplist local 
aaa accounting network acct_methods start-stop group rad_acct
!
!
aaa session-id common
!
!
dot11 syslog
!
dot11 ssid PSK-RZI
   vlan 2
   authentication open 
   ! This is the line the first config was missing: it enables the WPA
   ! key-management handshake, and together with the "encryption vlan 2 mode
   ! ciphers tkip" on the radios gives the PSK a cipher to bind to. Without
   ! "version 2" this is WPA (TKIP), not WPA2.
   authentication key-management wpa
   ! "ascii 0" means the key is entered and stored in clear text in the
   ! running config (the real key was replaced by a placeholder before
   ! posting); anyone who can read the config can read the PSK.
   wpa-psk ascii 0 twoj_key
!
!
!
ip cef
no ip dhcp use vrf connected
! Only 192.168.1.5-192.168.1.10 (six addresses) remain assignable from
! pool vlan2 after these exclusions.
ip dhcp excluded-address 192.168.1.1 192.168.1.4
ip dhcp excluded-address 192.168.1.11 192.168.1.254
!
! Pool for the wireless VLAN, served from BVI1 (192.168.1.1).
ip dhcp pool vlan2
   ! "import all" copies options the router learned on its WAN side
   ! (via DHCP/PPP) into this pool.
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1 
   dns-server 194.204.152.34 194.204.159.1 
!
!
!
!
! Management access is restricted to SSH protocol version 1, which has
! known protocol-level weaknesses; "ip ssh version 2" is the version to
! use unless a legacy client forces otherwise.
ip ssh version 1
! Integrated routing and bridging: required for BVI1 to carry an IP
! address for bridge-group 1.
bridge irb
!
!
!
!
! 2.4 GHz radio serving SSID PSK-RZI on VLAN 2.
interface Dot11Radio0
 no ip address
 !
 ! Cipher for VLAN 2; this pairs with "authentication key-management wpa"
 ! on the SSID and was absent from the first config. TKIP is the WPA(1)
 ! cipher and is deprecated — "mode ciphers aes-ccm" with
 ! "key-management wpa version 2" is the current equivalent, if every
 ! client supports it (an earlier reply in this thread reports some
 ! phones failing DHCP under WPA2).
 encryption vlan 2 mode ciphers tkip 
 !
 ssid PSK-RZI
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 ! Advertise the regulatory domain (Poland) to clients.
 world-mode dot11d country PL both
 no cdp enable
!
! VLAN 2 sub-interface of the 2.4 GHz radio, member of bridge-group 1
! alongside Vlan2; IP is handled by BVI1.
interface Dot11Radio0.2
 encapsulation dot1Q 2
 ip virtual-reassembly
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 ! Radio-side hardening: drop frames from unknown source MACs, no MAC
 ! learning from the radio, no unknown-unicast flooding toward clients.
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
! Second radio (OFDM-only rates, presumably 5 GHz); unlike the first
! config it now also carries SSID PSK-RZI with the same TKIP cipher.
interface Dot11Radio1
 no ip address
 no dot11 extension aironet
 !
 encryption vlan 2 mode ciphers tkip 
 !
 ssid PSK-RZI
 !
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
 no cdp enable
!
!
! Wired side of VLAN 2; no IP of its own, just a bridge-group 1 member.
interface Vlan2
 no ip address
 bridge-group 1
 bridge-group 1 spanning-disabled
!
! Routed interface of bridge-group 1: gateway for the wireless subnet and
! NAT inside side; the WAN interface is not in this excerpt.
interface BVI1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
!
!
!
control-plane
!
! Bridge-group 1 runs IEEE STP (disabled per port above) and routes IP
! through BVI1 (enabled by "bridge irb" earlier in this config).
bridge 1 protocol ieee
bridge 1 route ip
!
end
PS. Jeszcze raz dziękuję 'gonte' za wszelakie wskazówki i cierpliwość!
don't give up!
vienio
