
!
! Global services.  `service password-encryption` only applies the reversible
! type-7 obfuscation to line and server passwords below; it does not protect
! them against anyone who can read this file.  Timestamps and sequence numbers
! make local log lines matchable against the syslog and AAA accounting records
! configured further down.
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
service sequence-numbers
!
! Template placeholder: set the real access-point name per deployment.
hostname APxx
!

!
! Console logging is off; events reach operators only through the syslog
! destination configured below, so that destination has to be reachable.
no logging console
!

!
! Type-5 enable secret (salted MD5 hash).  The placeholder stands for the
! hash, not the cleartext; it is still the fallback for `enable` when no
! TACACS+ server answers (see the aaa authentication enable line).
enable secret 5 xxxxxxxxxxxxxxxxxx
!

!
! Local time zone and DST rule.  Log timestamps above are written in local
! time, so keep these in step with the syslog server when correlating events.
clock timezone MET 1
!

!
clock summer-time MET-DST recurring last Sun Mar 2:00 last Sun Oct 2:00
!

!
ip subnet-zero
!

!
! Domain name and resolvers.  The domain name is also what SSH host-key
! generation would use if SSH is enabled on this image.
ip domain name cesnet.cz
ip name-server 195.113.144.194
ip name-server 195.113.144.233
!

!
! AAA method lists.  With aaa new-model the console and vty lines use the
! `default` lists defined here; the `login` keyword on the lines is unused.
aaa new-model
!

!
! Both RADIUS groups list the same two servers and ports; RAD_AUTH is used for
! 802.1X (cesnet-eap), RAD_ACC for wireless network accounting.
aaa group server radius RAD_ACC
 server 10.1.1.1 auth-port 1812 acct-port 1813
 server 10.2.2.2 auth-port 1812 acct-port 1813
!
aaa group server radius RAD_AUTH
 server 10.1.1.1 auth-port 1812 acct-port 1813
 server 10.2.2.2 auth-port 1812 acct-port 1813
!

! 
! Management login: TACACS+ first, line password only if no TACACS+ server
! responds (a reject does not fall through).  Because tacacs-server timeout is
! 1 second below, a short server stall is enough to reach the line password,
! so the line passwords must be held to the same standard as TACACS+ accounts.
aaa authentication login default group tacacs+ line
!

!
! 802.1X user authentication: RADIUS only, no fallback.  If both RADIUS hosts
! are unreachable, eduroam clients cannot authenticate.
aaa authentication login cesnet-eap group RAD_AUTH
!
! Privilege escalation: TACACS+ first, local enable secret if no server answers.
aaa authentication enable default group tacacs+ enable
!

!
! Command authorization, including configuration-mode commands.
! `if-authenticated` means authorization succeeds for an already logged-in
! user when no TACACS+ server is reachable; that keeps the AP manageable
! during an outage but also means command restrictions are not enforced then.
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization network default group tacacs+ if-authenticated
aaa authorization reverse-access default group tacacs+ if-authenticated
!

! 
! Accounting: exec sessions and all commands (levels 0 and 15) go to TACACS+,
! with stop records also sent for failed authentications.
aaa accounting send stop-record authentication failure
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!

!
! Wireless client accounting goes to the RADIUS group; `session-id common`
! keeps one session id across the records of a session for correlation.
aaa accounting network default start-stop group RAD_ACC
aaa accounting system default start-stop group tacacs+
aaa session-id common
!

!
! Multiple BSSIDs so each SSID below gets its own BSSID and can be broadcast
! (`mbssid guest-mode`) separately.
dot11 mbssid
!

!
! Idle timeouts (seconds) after which inactive associations are dropped.
dot11 activity-timeout unknown default 1800
dot11 activity-timeout client maximum 3600
dot11 activity-timeout repeater default 1800 maximum 3600
dot11 activity-timeout workgroup-bridge default 1800 maximum 3600
dot11 activity-timeout bridge default 1800 maximum 3600
!

!
! Legacy SSID on VLAN 102: 802.1X via the cesnet-eap list, but WPA is
! `optional`, so clients that do not negotiate WPA may still associate using
! the non-WPA cipher configured for VLAN 102 on the radio (wep128).  Keep this
! SSID only as long as such legacy clients actually exist.
dot11 ssid eduroam-tkip
   vlan 102
   authentication open eap cesnet-eap
   authentication network-eap cesnet-eap
   authentication key-management wpa optional
   accounting RAD_AC​C
   mbssid guest-mode
!

!
! Open SSID on VLAN 101: no 802.11 authentication and no over-the-air
! encryption; access control is expected upstream (the FastEthernet0.101
! description calls it web-based authentication).  Treat VLAN 101 as untrusted.
dot11 ssid cesnet
   vlan 101
   authentication open
   mbssid guest-mode
!

!
! Main SSID on VLAN 100: 802.1X via cesnet-eap with WPA key management
! required; ciphers come from `encryption vlan 100` on the radio (aes-ccm tkip).
dot11 ssid eduroam
   vlan 100
   authentication open eap cesnet-eap
   authentication network-eap cesnet-eap
   authentication key-management wpa 
   accounting RAD_ACC
   mbssid guest-mode
!

!
dot11 holdoff-time 30
dot11 wpa handshake timeout 500
dot11 network-map
!

!
! Integrated routing and bridging: needed for the BVI1 management interface.
bridge irb
!

!
! 2.4 GHz radio.  The `!` lines inside this section are comments only; the
! commands after them are still Dot11Radio0 sub-commands.
interface Dot11Radio0
no ip address
no ip route-cache
!

!
! Per-VLAN cipher suites.  VLAN 102 (eduroam-tkip) allows TKIP and 128-bit WEP,
! both deprecated; VLAN 100 (eduroam) allows AES-CCM and TKIP, with AES-CCM the
! one worth keeping.  VLAN 101 (cesnet) has no encryption entry at all.
encryption vlan 102 mode ciphers tkip wep128
!
encryption vlan 100 mode ciphers aes-ccm tkip
!
! Broadcast/group key rotated every 600 seconds.
broadcast-key change 600
!

!
! Bind the three SSIDs defined globally to this radio.
ssid eduroam
!
ssid cesnet
!
ssid eduroam-tkip
!

!
! Radio parameters: rates, local/client power, channel (2432 MHz), root role
! and antenna selection.
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
power local cck 30
power local ofdm 20
no power client local
power client 30
channel 2432
station-role root
antenna receive right
antenna transmit right
!

!
! No Aironet extensions and no CDP announcements over the air.
no dot11 extension aironet
!
no cdp enable
!

!
! 802.1X clients are re-authenticated every 3600 seconds.
dot1x reauth-period 3600
!

!
! Untagged radio traffic belongs to bridge group 1, which is the management
! bridge group (BVI1, native VLAN 998 on the wired side).  None of the three
! SSIDs listed here maps to that VLAN; keep it that way when adding SSIDs.
! Source learning and unicast flooding are off, frames from unknown sources
! are blocked and STP is disabled on the radio side.
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
! Radio sub-interfaces, one per SSID VLAN.  Each dot1Q tag maps to a bridge
! group numbered after the VLAN; the matching FastEthernet0.N sub-interface
! below joins the same bridge group, which is how client traffic reaches the
! upstream VLAN.  Radio-side bridge groups disable source learning, unicast
! flooding and STP and block unknown sources, the same as the main interface.
interface Dot11Radio0.100
 encapsulation dot1Q 100
 no ip route-cache
 no cdp enable
 bridge-group 100
 bridge-group 100 subscriber-loop-control
 bridge-group 100 block-unknown-source
 no bridge-group 100 source-learning
 no bridge-group 100 unicast-flooding
 bridge-group 100 spanning-disabled
!
interface Dot11Radio0.101
 encapsulation dot1Q 101
 no ip route-cache
 no cdp enable
 bridge-group 101
 bridge-group 101 subscriber-loop-control
 bridge-group 101 block-unknown-source
 no bridge-group 101 source-learning
 no bridge-group 101 unicast-flooding
 bridge-group 101 spanning-disabled
!
interface Dot11Radio0.102
 encapsulation dot1Q 102
 no ip route-cache
 no cdp enable
 bridge-group 102
 bridge-group 102 subscriber-loop-control
 bridge-group 102 block-unknown-source
 no bridge-group 102 source-learning
 no bridge-group 102 unicast-flooding
 bridge-group 102 spanning-disabled
!
!
! Wired uplink (802.1Q trunk to the upstream switch).  No IP address here;
! management is on BVI1.  Unlike the radio, CDP is not disabled on this port.
interface FastEthernet0
 no ip address
 no ip proxy-arp
 no ip route-cache
 duplex auto
 speed auto
 hold-queue 160 in
!
! description: "eduroam (802.1X authentication)".  Wired side of VLAN 100.
interface FastEthernet0.100
 description eduroam (802.1x autentizace)
 encapsulation dot1Q 100
 no ip route-cache
 bridge-group 100
 no bridge-group 100 source-learning
 bridge-group 100 spanning-disabled
!
! description: "cesnet (web-based authentication)".  Wired side of the open
! VLAN 101; clients here have not been authenticated by the AP.
interface FastEthernet0.101
 description cesnet (web based autentizace)
 encapsulation dot1Q 101
 no ip route-cache
 bridge-group 101
 no bridge-group 101 source-learning
 bridge-group 101 spanning-disabled
!
! description: "eduroam-tkip (802.1X authentication - TKIP)".  Wired side of
! the legacy VLAN 102.
interface FastEthernet0.102
 description eduroam-tkip (802.1x autentizace - TKIP)
 encapsulation dot1Q 102
 no ip route-cache
 bridge-group 102
 no bridge-group 102 source-learning
 bridge-group 102 spanning-disabled
!
! description: "cesnet_mgmt".  Management VLAN 998 is the untagged (native)
! VLAN on the trunk and feeds bridge group 1 / BVI1; the switch port's native
! VLAN must match, otherwise management traffic lands in the wrong VLAN.
interface FastEthernet0.998
 description cesnet_mgmt
 encapsulation dot1Q 998 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!

!
! Management interface in bridge group 1 (VLAN 998).  The addresses here are
! template values.
interface BVI1
 ip address 10.3.3.3 255.255.255.0
 no ip proxy-arp
 no ip route-cache
!
ip default-gateway 10.3.3.1
! Web management (HTTP and HTTPS) is disabled, so the AP is CLI-managed only;
! the help-path URL is inert while the HTTP server is off.
no ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
! AAA traffic is sourced from the BVI1 address, so the TACACS+ and RADIUS
! servers must have this AP registered under that address.
ip tacacs source-interface BVI1
ip radius source-interface BVI1
!

!
! Source filter applied to the vty lines (`access-class MANAGEMENT in`):
! a single permitted management host, everything else hits the implicit deny.
ip access-list standard MANAGEMENT
 permit x.x.x.x
!

! 
! Remote syslog at debugging level, i.e. every severity is forwarded; the
! placeholder (Czech: "IP address of the log server") must be replaced.
logging history errors
logging trap debugging
logging IP_adresa_log_serveru
!

!
! Source filters for the SNMP read-only (50) and read-write (51) communities.
access-list 50 permit x.x.x.x
access-list 51 permit x.x.x.x
!

!
! SNMPv2c communities.  They travel in cleartext and are protected only by
! the source ACLs 50/51 and by secrecy of the string; the RW community allows
! configuration changes, so ACL 51 must stay as tight as possible.  Use SNMPv3
! instead if the image on this platform supports it.
snmp-server community xxxxxxxx RO 50
snmp-server community yyyyyyyy RW 51
snmp-server ifindex persist
snmp-server location AP02
! Trap selection.  authenticate-fail, deauthenticate, disassociate and
! rogue-ap are the ones with detection value for the wireless side;
! `snmp authentication` reports failed community-string attempts.
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps entity
snmp-server enable traps disassociate
snmp-server enable traps deauthenticate
snmp-server enable traps authenticate-fail
snmp-server enable traps dot11-qos
snmp-server enable traps switch-over
snmp-server enable traps rogue-ap
snmp-server enable traps wlan-wep
snmp-server enable traps config
snmp-server enable traps syslog
snmp-server enable traps aaa_server
! Trap receiver, also v2c with its own community placeholder.
snmp-server host x.x.x.x version 2c xxxxxxxx
!

!
! AAA servers.  `key 7` values are type-7 (reversibly obfuscated) shared
! secrets, so this file must be stored with the same care as the secrets.
! The 1-second TACACS+ timeout is what decides how quickly logins fall back
! to the line password (see `aaa authentication login default`).
! `directed-request` lets a login of the form user@server pick the TACACS+
! server; confirm that is intended for this deployment.
tacacs-server host 10.4.4.4 key 7 xxxxxxxxxxxxxxx
tacacs-server host 10.5.5.5 key 7 xxxxxxxxxxxxxxx
tacacs-server timeout 1
tacacs-server directed-request
! Attribute 8 (Framed-IP-Address) is sent in Access-Requests; Cisco VSAs are
! included in accounting records.
radius-server attribute 8 include-in-access-req
radius-server host 10.1.1.1 auth-port 1812 acct-port 1813 key 7 xxxxxxxxxxxxxxx
radius-server host 10.2.2.2 auth-port 1812 acct-port 1813 key 7 xxxxxxxxxxxxxxx
radius-server vsa send accounting
!
control-plane
!
! IP routing for bridge group 1 goes through BVI1.
bridge 1 route ip
!
!
! Exec banner (shown after login).  The placeholder text is Czech for
! "text displayed after the user logs in to the command line"; replace it.
! Nothing may be inserted between the ^C delimiters, it would become banner text.
banner exec ^C
Text ktery se objevi po prihlaseni uzivatele do prikazove radky
^C
!

!
! Login banner (shown before authentication).  It states that access is
! authorized-only and names no organisation, system or software, which is
! the right amount of information to expose to an unauthenticated connection.
banner login ^C

     The equipment now being accessed and information available through
     this equipment is confidential and proprietary, and may be accessed
     or used only as specifically authorized. All other access or use
     is prohibited and is subject to legal action.

^C
!

!
! Console.  Under aaa new-model the `default` login list applies (TACACS+,
! then this line password when no server answers).
line con 0
 password 7 xxxxxxxxxxxx
!

! 
! aaa authentication login default ...
! aaa authorization exec default ...
!
! Remote CLI access.  Inbound sources are limited to the MANAGEMENT ACL;
! both idle timers are 120 minutes, which is long for a management session.
! No `transport input` appears in this listing, so the accepted inbound
! protocol is whatever the image defaults to; if the image supports SSH,
! restricting the lines with `transport input ssh` keeps credentials off the
! wire (this needs an RSA host key generated first).
line vty 0 4
 session-timeout 120
 access-class MANAGEMENT in
 exec-timeout 120 0
 password 7 xxxxxxxxxxxx
line vty 5 15
 session-timeout 120
 access-class MANAGEMENT in
 exec-timeout 120 0
 password 7 xxxxxxxxxxxx
!

!
! Unauthenticated SNTP time sources; accurate time matters mainly for the
! log and accounting timestamps configured above.
sntp server 195.113.144.201
sntp server 195.113.144.238
end