Wednesday, November 8, 2017

pfSense - Cisco Aironet APs (only 1 works, all identical)

We have a pfSense server with several VLANs configured on it, and this pfSense is directly connected to several Cisco APs. The Cisco AP configuration is basically an SSID and a VLAN number.

I recently upgraded all APs due to the KRACK vulnerability.

AP001 works fine. I have exported running-config to a configfile. AP002 is completely reset/cleared and configured from the same configfile (copy tftp: running-config).

Result: AP001 works fine. AP002 does not work at all. Same goes for any other AP. It kinda drives me crazy.

Any suggestions why this is no longer working? Should I be looking at pfSense or the APs? There is nothing specific configured for any AP in pfSense.

<code>
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname AP001
!
!
logging rate-limit console 9
enable secret 5 xxxxxxxxxx
!
no aaa new-model
no ip source-route
no ip cef
!
!
!
!
dot11 pause-time 100
dot11 syslog
!
dot11 ssid MY-SSID-1
 vlan 2
 authentication open
 authentication key-management wpa version 2
 mbssid guest-mode
 wpa-psk ascii 7 xxxxxxxxxxxx
 information-element ssidl advertisement
!
dot11 ssid MY-SSID-2
 vlan 9
 authentication open
 mbssid guest-mode
 information-element ssidl
!
!
!
no ipv6 cef
!
!
username Cisco privilege 15 password 7 xxxxxxxxxxxx
!
!
bridge irb
!
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 encryption vlan 2 mode ciphers aes-ccm
 !
 ssid MY-SSID-1
 !
 ssid MY-SSID-2
 !
 antenna gain 0
 mbssid
 station-role root access-point
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 spanning-disabled
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
!
interface Dot11Radio0.9
 encapsulation dot1Q 9
 no ip route-cache
 bridge-group 9
 bridge-group 9 subscriber-loop-control
 bridge-group 9 spanning-disabled
 bridge-group 9 block-unknown-source
 no bridge-group 9 source-learning
 no bridge-group 9 unicast-flooding
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no keepalive
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface GigabitEthernet0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
 bridge-group 2 spanning-disabled
 no bridge-group 2 source-learning
!
interface GigabitEthernet0.9
 encapsulation dot1Q 9
 no ip route-cache
 bridge-group 9
 bridge-group 9 spanning-disabled
 no bridge-group 9 source-learning
!
interface BVI1
 mac-address xxxxxxxxxxxx
 ip address dhcp client-id GigabitEthernet0
 no ip route-cache
!
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://ift.tt/1M5jmKo
!
!
snmp-server community public RO
bridge 1 route ip
!
!
!
line con 0
 password 7 xxxxxxxxxxxx
line vty 0 4
 password 7 xxxxxxxxxxxx
 login local
 transport input all
!
end
</code>
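The post clones one AP's running-config onto others wholesale. Two things a practitioner checks before doing that are visible in the config above: lines that identify one physical device (the `hostname`, and the static `mac-address` under `interface BVI1`, which once copied puts two bridges with the same MAC on the same wired segment), and management-plane settings worth reviewing in their own right (`ip http server` with `no ip http secure-server`, `transport input all` on the vty lines, the `public` SNMP community, and type-7 passwords, which are reversible). The following is an added example, not code from the poster: a small linter over a constructed excerpt modelled on the posted config. The function names, the `SAMPLE_CONFIG` excerpt and the "AP002" variant are all assumptions made for the example; it uses only the standard library.

```python
import re

# Constructed excerpt modelled on the posted AP001 running-config (not the
# poster's full config); secrets are placeholders exactly as in the post.
SAMPLE_CONFIG = """\
hostname AP001
username Cisco privilege 15 password 7 xxxxxxxxxxxx
!
interface Dot11Radio0
 no ip address
 ssid MY-SSID-1
 bridge-group 1
!
interface BVI1
 mac-address xxxxxxxxxxxx
 ip address dhcp client-id GigabitEthernet0
!
ip http server
no ip http secure-server
snmp-server community public RO
!
line vty 0 4
 password 7 xxxxxxxxxxxx
 login local
 transport input all
!
end
"""

SECTION_HEADER = re.compile(r"^(interface|line)\s")


def parse_sections(config_text):
    """Split an IOS config into (global_lines, {section header: [sub-lines]}).

    A section runs from its header to the next unindented '!' (IOS prints one
    between top-level blocks) or to the next section header, so this also
    copes with dumps whose leading spaces were lost, as in the post.
    """
    global_lines, sections, current = [], {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if raw.rstrip() == "!":          # unindented separator closes a block
            current = None
        elif SECTION_HEADER.match(line):
            current = line
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
        elif line != "!":                # indented '!' inside a block is noise
            global_lines.append(line)
    return global_lines, sections


def clone_unsafe_lines(config_text):
    """Lines that identify one physical device and must differ per AP."""
    global_lines, sections = parse_sections(config_text)
    found = [("hostname", l) for l in global_lines if l.startswith("hostname ")]
    for header, subs in sections.items():
        for l in subs:
            if l.startswith("mac-address "):
                # A static interface MAC copied to a second AP gives two
                # bridges the same MAC on the same wired segment.
                found.append(("static-mac", f"{header}: {l}"))
    return found


def shared_device_identity(config_a, config_b):
    """Device-unique lines two configs have in common; should be empty."""
    return sorted(set(clone_unsafe_lines(config_a)) & set(clone_unsafe_lines(config_b)))


def weak_management_settings(config_text):
    """Management-plane weaknesses of the kind visible in the posted config."""
    global_lines, sections = parse_sections(config_text)
    g = set(global_lines)
    issues = []
    if "ip http server" in g and "no ip http secure-server" in g:
        issues.append("plaintext HTTP management enabled, HTTPS disabled")
    for l in global_lines:
        m = re.match(r"snmp-server community (\S+) (RO|RW)$", l)
        if m and m.group(1).lower() in ("public", "private"):
            issues.append(f"default SNMP community '{m.group(1)}' ({m.group(2)})")
        if re.search(r"\bpassword 7\b", l):
            issues.append(f"reversible type-7 secret: {l.split(' password')[0]}")
    for header, subs in sections.items():
        if not header.startswith("line "):
            continue
        for l in subs:
            if l == "transport input all" and "vty" in header:
                issues.append(f"{header}: telnet allowed (transport input all)")
            if re.search(r"\bpassword 7\b", l):
                issues.append(f"{header}: reversible type-7 line password")
    return issues


if __name__ == "__main__":
    # Hypothetical second AP built from the same file: hostname edited by
    # hand, static BVI MAC left in place. The shared line is the one to fix.
    ap002 = SAMPLE_CONFIG.replace("hostname AP001", "hostname AP002")
    for item in shared_device_identity(SAMPLE_CONFIG, ap002):
        print("shared device identity:", item)
    for issue in weak_management_settings(SAMPLE_CONFIG):
        print("weak setting:", issue)
```

Run it against two real exports (`show running-config` from each AP) by passing their text to `shared_device_identity`; an empty result means nothing device-unique was cloned. `parse_sections` treats only an unindented `!` as a block boundary, so on a dump that lost its indentation (like the one in the post) the inner `!` lines of `interface Dot11Radio0` will end that block early; the checks here do not depend on that block.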


