Thursday, August 27, 2015

Convert Cisco 1700/2700 Series APs to Autonomous Mode

For smaller environments it's not always cost effective to buy a WLC so the need arises to put the APs into autonomous mode.

Since the 1700/2700 series APs ship in lightweight mode, here's how to change them over to autonomous mode:

1.  Log in to www.cisco.com
2.  Click on "Support" at the top of the page.
3.  Click the "Downloads" button.
4.  Select "Wireless" from the left side.
5.  Select "Access Points".
6.  Select "Cisco 1700 Series Access Points".
7.  Select "Cisco Aironet 1702i Access Points".
8.  Click "Autonomous AP IOS Software".  As of this writing the latest version is 15.3.3-JBB1(ED)
9.  Connect to the AP using a console cable.
10.  Power on the AP.  If you have a PoE switch, that is the easiest way; if not, use a power injector or the AP's power cord.
11.  Start a TFTP server on your laptop or PC and set the LAN interface to 10.0.0.1 255.255.255.0.
12.  Open a serial connection to the AP.  Once the boot-up finishes, log in.  Remember the default password is Cisco.
13.  Enter the following commands in this order:

  • enable
  • debug capwap console cli
  • debug capwap client no-reload
  • capwap ap ip address 10.0.0.2 255.255.255.0
  • capwap ap ip default-gateway 10.0.0.1
  • archive download-sw /force /overwrite tftp://10.0.0.1/filename.tar

14.  Once the upload, extraction, and installation are complete (3 to 5 minutes) the AP will restart.
15.  Once the restart is complete, log in and run the show version command.
16.  Verify the AP now provides access to the full suite of IOS commands.
17.  Configure as needed.

If you get any errors from the AP while it is still in lightweight mode during this process, I find it easiest to put these commands into a text file and paste them into PuTTY rather than trying to type them while the console output scrolls.

I hope this helps you get your APs set up faster without having to deal with a complicated process.

Good luck.


Monday, August 24, 2015

Time Based ACL for Cisco Wireless AP Access

Recently I was tasked with setting up two Cisco 1142 APs in autonomous mode with restrictions on access between the hours of 6AM and 11PM.  Any time outside that range, the wireless SSIDs would be on and broadcasting but no traffic would be allowed out.

After doing some research I have gotten it working, and here's how to pull this off.  Pretty simple really.  Before you do this, make sure the time on the APs is set correctly.  The two I configured in this example are set up to use NTP with pool.ntp.org, and I verified the time is correct.

1.  Create a time range:
     time-range BusinessHours
     periodic weekdays 6:00 to 23:00

2.  Create an ACL
     ip access-list extended 101
     permit ip any any time-range BusinessHours

3.  Apply the ACL to the appropriate interface
     interface Dot11Radio0.1 (.1 is the only VLAN configured on these APs on interface 0)
     ip access-group 101 out
     end

4.  Check the work
     show time-range BusinessHours
     show access-list 101 (the output shows whether the time range is currently active or inactive, which is what toggles the permit entry)
     show running-config (verify the ACL is applied to the correct interface)

One thing to make sure of is that you do not apply this config to the Ethernet interface on the AP, because then you will lose internal communication from the LAN as well.  By applying it to the Radio interface, this only stops traffic coming in via the wireless Radio.
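To see how the AP decides between active and inactive, here is a small added model (not part of the post and not Cisco code) that evaluates the post's "periodic weekdays 6:00 to 23:00" entry for sample timestamps and reports the ACL 101 verdict.  In IOS, "weekdays" means Monday through Friday, so with this exact configuration the range is inactive all weekend and the implicit deny applies then too; the model assumes the end time is exclusive.

```python
"""Model of how an IOS 'periodic' time-range toggles a time-based ACL.

Added example for illustration only; not the post's configuration and not
Cisco code.  IOS day keywords: 'daily' is every day, 'weekdays' is Mon-Fri,
'weekend' is Sat-Sun, and individual day names may be listed.  Treating the
end time as exclusive (23:00 itself is outside) is an assumption here.
"""
from datetime import datetime, time

DAY_NAMES = ["monday", "tuesday", "wednesday", "thursday", "friday",
             "saturday", "sunday"]
DAY_KEYWORDS = {
    "daily": set(range(7)),
    "weekdays": set(range(5)),   # Monday..Friday (datetime.weekday() 0..4)
    "weekend": {5, 6},           # Saturday, Sunday
}


def parse_periodic(line):
    """Parse 'periodic <days...> hh:mm to hh:mm' into (weekdays, start, end)."""
    tokens = line.split()
    if tokens[0] != "periodic" or "to" not in tokens:
        raise ValueError(f"not a periodic entry: {line!r}")
    to_idx = tokens.index("to")
    days = set()
    for word in tokens[1:to_idx - 1]:          # everything before the start time
        if word in DAY_KEYWORDS:
            days |= DAY_KEYWORDS[word]
        elif word in DAY_NAMES:
            days.add(DAY_NAMES.index(word))
        else:
            raise ValueError(f"unknown day keyword: {word}")
    start = time.fromisoformat(tokens[to_idx - 1].zfill(5))   # '6:00' -> '06:00'
    end = time.fromisoformat(tokens[to_idx + 1].zfill(5))
    return days, start, end


def time_range_active(line, when):
    """True when 'when' is inside the periodic entry (IOS shows it as active)."""
    days, start, end = parse_periodic(line)
    return when.weekday() in days and start <= when.time() < end


def acl_101_verdict(line, when):
    """ACL 101 holds one 'permit ip any any time-range' line, so traffic is
    permitted only while the range is active; otherwise the implicit deny wins."""
    return "permit" if time_range_active(line, when) else "deny (implicit)"


BUSINESS_HOURS = "periodic weekdays 6:00 to 23:00"   # the post's time-range entry
```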

Hope this helps with security on your network, or if you happen to use these at home and have teenagers who don't want to obey bedtime on school nights.  Works for both.

Good luck.

Thursday, August 06, 2015

Stop Windows 10 Pushing to Domain Computers

Many networks I work on have seemed slow for the past several days.  After doing some research I found out that Microsoft is pushing Windows 10 to domain-joined machines even though they don't qualify for the "free" upgrade.

This is causing many internal networks and their Internet connections to slow to a crawl because of the volume of download traffic.

Here's how to shut it off using Group Policy (you will need at least one Server 2012 R2 Domain Controller for this to work):

The setting is located via [Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update].  The name of the policy is "Turn off upgrade to the latest version of Windows through Windows Update"

Given that these files can be between 2 GB and 3 GB (stored in a hidden folder on the local disk called $Windows.~BT), it is easy to see how this can impact a network of several hundred machines.  My research says this happens without the end user ever seeing the white 'Get Windows 10' flag.

I put this policy in place on our network tonight as researching network traffic through our ASA has proven this to be true.

I like what Microsoft has done with Windows 10 so far but this is taking things a bit too far.