wifi & dhcp TODO -> Radius

aa12ad71 · Theo Maillart · 57b7ae6f · aa12ad71 · aa12ad71 · aa12ad71
Commit aa12ad71 authored Dec 03, 2017 by Theo Maillart
Hide whitespace changes
Inline Side-by-side

Showing with 102 additions and 34 deletions

Cisco/routeur Cisco/routeur +24 -16

Cisco/wifi Cisco/wifi +62 -2

host_conf/dhcpd.conf host_conf/dhcpd.conf +16 -16

No files found.
--- a/Cisco/routeur
+++ b/Cisco/routeur
-# VLAN -> Admin: 81 Personnel: 82 Invite: 83
+! VLAN -> Admin: 81 Personnel: 82 Invite: 83

-# reset conf
+! reset conf
 enable
 write erase
 delete flash:vlan.dat
 reload

-# base conf
-## create VLAN
+! base conf
+!! create VLAN
 conf t
 vlan 81
 name VLAN_ADM
@@ -22,7 +22,7 @@ name VLAN_INVITE
 state active
 exit

-## conf ip
+!! conf ip
 int vlan 81
 ip address 100.81.0.1 255.255.255.0
 int vlan 82
@@ -30,20 +30,28 @@ ip address 10.0.82.1 255.255.255.0
 int vlan 83
 ip address 10.0.83.1 255.255.255.0

-## conf physic port
+!! conf physic port
 int fastethernet0
 switchport mode trunk
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,81-83,1002-1005
 switchport trunk native vlan 81
-exit
-exit
+end
+
+!! conf physic port for wifi
+int FastEthernet1
+switchport mode trunk
+switchport trunk encapsulation dot1q
+switchport trunk allowed vlan 81-83
+switchport trunk native vlan 81
+no shutdown
+end

-# save startup-conf
+! save startup-conf
 write memory

-# filtering
-## allow icmp/http/ssh/ftp to outside
+! filtering
+!! allow icmp/http/ssh/ftp to outside
 access-list 101 permit icmp 10.0.83.0 0.0.0.255 any echo
 access-list 102 permit tcp any any eq 80
 access-list 103 permit tcp any any eq 22
@@ -66,7 +74,7 @@ ip access-group 107 in
 ip access-group 108 in
 ip access-group 105 in

-## ACL for vlan_pers
+!! ACL for vlan_pers
 access-list 111 permit icmp 10.0.83.0 0.0.0.255 10.0.82.0 0.0.0.255 echo
 access-list 112 permit tcp any 10.0.82.3 0.0.0.255 eq 80
 access-list 113 permit tcp any 10.0.82.3 0.0.0.255 eq 22
@@ -88,7 +96,10 @@ ip access-group 117 out
 ip access-group 118 out
 ip access-group 105 out

-# NAT inside = priv outside =target
+! PAT
+ip nat inside source static tcp 10.0.83.1 3128 10.0.82.3 80
+
+! NAT inside = priv outside =target
 interface vlan 83
 ip nat inside
 interface vlan 82
@@ -96,6 +107,3 @@ ip nat outside
 ip nat pool ovrld 10.0.82.1 10.0.82.1 prefix 24
 ip nat inside source list 9 pool ovrld overload
 access-list 9 permit 10.0.83.0 0.0.0.255
-
-# PAT
-ip nat inside source static tcp 10.0.83.1 3128 10.0.82.3 80
--- a/Cisco/wifi
+++ b/Cisco/wifi
-# VLAN -> Admin: 81 Personnel: 82 Invite: 83
-# address 100.81.0.5
+! VLAN -> Admin: 81 Personnel: 82 Invite: 83
+! address 100.81.0.5
+! SSID Personnel82
+! SSID Invite83
+
+! configure connection to routeur - check MAC addr from DHCP conf
+enable
+conf t
+int BVI 1
+ip address dhcp
+end
+
+! channel choice
+conf t
+int Dot11radio0
+no shut
+channel 06
+end
+int Dot11radio1
+no shut
+channel 06
+end
+
+! configure VLANs 82-83 via web interface
+
+! ssid conf
+conf t
+dot11 ssid Personnel82
+vlan 82
+authentication open
+dot11 ssid Invite83
+vlan 83
+authentication open
+int Dot11Radio0
+ssid pers
+ssid invite
+int Dot11Radio1
+ssid pers
+ssid invite
+end
+
+! configure WPA first then use radius
+conf t
+dot11 ssid Personnel82
+authentication key-management wpa version 2
+wpa-psk ascii UtiliserRadius
+dot11 ssid Invite83
+authentication key-management wpa version 2
+wpa-psk ascii UtiliserRadius
+end
+
+! SSID broadcast
+conf t
+dot11 ssid Personnel82
+mbssid guest-mode
+dot11 ssid Invite83
+mbssid guest-mode
+int Dot11Radio0
+mbssid
+int Dot11Radio0
+mbssid
+end
--- a/host_conf/dhcpd.conf
+++ b/host_conf/dhcpd.conf
+
+subnet 100.81.0.0 netmask 255.255.255.0 {
+	range 100.81.0.10 100.81.0.70;
+}
+host ap-grapcli08{
+	hardware ethernet 00:1f:ca:27:99:ce;
+	fixed-address 100.81.0.5;
+}
+subnet 10.0.82.0 netmask 255.255.255.0 {
+	range 10.0.82.10 10.0.82.70;
+}
+subnet 10.0.83.0 netmask 255.255.255.0 {
+	range 10.0.83.10 10.0.83.70;
+}
+
 # dhcpd.conf
 #
 # Sample configuration file for ISC dhcpd
@@ -24,7 +39,7 @@ ddns-update-style none;
 # have to hack syslog.conf to complete the redirection).
 #log-facility local7;

-# No service will be given on this subnet, but declaring it helps the 
+# No service will be given on this subnet, but declaring it helps the
 # DHCP server to understand the network topology.

 #subnet 10.152.187.0 netmask 255.255.255.0 {
@@ -105,18 +120,3 @@ ddns-update-style none;
 #    range 10.0.29.10 10.0.29.230;
 #  }
 #}
-
-
-subnet 100.21.0.0 netmask 255.255.255.0 {
-	range 100.21.0.10 100.21.0.70;
-}
-host ap-grapcli02{
-	hardware ethernet 00:1f:ca:27:99:ce;
-	fixed-address 100.21.0.3;
-}
-subnet 10.0.22.0 netmask 255.255.255.0 {
-	range 10.0.22.10 10.0.22.70;
-}
-subnet 10.0.23.0 netmask 255.255.255.0 {
-	range 10.0.23.10 10.0.23.70;
-}