!
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
service sequence-numbers
!
hostname APxx
!
!
no logging console
!
!
enable secret 5 xxxxxxxxxxxxxxxxxx
!
!
clock timezone MET 1
!
!
clock summer-time MET-DST recurring last Sun Mar 2:00 last Sun Oct 2:00
!
!
ip subnet-zero
!
!
ip domain name cesnet.cz
ip name-server 195.113.144.194
ip name-server 195.113.144.233
!
!
aaa new-model
!
!
aaa group server radius RAD_ACC
 server 10.1.1.1 auth-port 1812 acct-port 1813
 server 10.2.2.2 auth-port 1812 acct-port 1813
!
aaa group server radius RAD_AUTH
 server 10.1.1.1 auth-port 1812 acct-port 1813
 server 10.2.2.2 auth-port 1812 acct-port 1813
!
!
aaa authentication login default group tacacs+ line
!
!
aaa authentication login cesnet-eap group RAD_AUTH
!
aaa authentication enable default group tacacs+ enable
!
!
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization network default group tacacs+ if-authenticated
aaa authorization reverse-access default group tacacs+ if-authenticated
!
!
aaa accounting send stop-record authentication failure
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
!
aaa accounting network default start-stop group RAD_ACC
aaa accounting system default start-stop group tacacs+
aaa session-id common
!
!
dot11 mbssid
!
!
dot11 activity-timeout unknown default 1800
dot11 activity-timeout client maximum 3600
dot11 activity-timeout repeater default 1800 maximum 3600
dot11 activity-timeout workgroup-bridge default 1800 maximum 3600
dot11 activity-timeout bridge default 1800 maximum 3600
!
!
dot11 ssid eduroam-tkip
 vlan 102
 authentication open eap cesnet-eap
 authentication network-eap cesnet-eap
 authentication key-management wpa optional
 accounting RAD_ACC
 mbssid guest-mode
!
!
dot11 ssid cesnet
 vlan 101
 authentication open
 mbssid guest-mode
!
!
dot11 ssid eduroam
 vlan 100
 authentication open eap cesnet-eap
 authentication network-eap cesnet-eap
 authentication key-management wpa
 accounting RAD_ACC
 mbssid guest-mode
!
!
dot11 holdoff-time 30
dot11 wpa handshake timeout 500
dot11 network-map
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 !
 encryption vlan 102 mode ciphers tkip wep128
 !
 encryption vlan 100 mode ciphers aes-ccm tkip
 !
 broadcast-key change 600
 !
 !
 ssid eduroam
 !
 ssid cesnet
 !
 ssid eduroam-tkip
 !
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 power local cck 30
 power local ofdm 20
 no power client local
 power client 30
 channel 2432
 station-role root
 antenna receive right
 antenna transmit right
 !
 !
 no dot11 extension aironet
 !
 no cdp enable
 !
 !
 dot1x reauth-period 3600
 !
 !
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.100
 encapsulation dot1Q 100
 no ip route-cache
 no cdp enable
 bridge-group 100
 bridge-group 100 subscriber-loop-control
 bridge-group 100 block-unknown-source
 no bridge-group 100 source-learning
 no bridge-group 100 unicast-flooding
 bridge-group 100 spanning-disabled
!
interface Dot11Radio0.101
 encapsulation dot1Q 101
 no ip route-cache
 no cdp enable
 bridge-group 101
 bridge-group 101 subscriber-loop-control
 bridge-group 101 block-unknown-source
 no bridge-group 101 source-learning
 no bridge-group 101 unicast-flooding
 bridge-group 101 spanning-disabled
!
interface Dot11Radio0.102
 encapsulation dot1Q 102
 no ip route-cache
 no cdp enable
 bridge-group 102
 bridge-group 102 subscriber-loop-control
 bridge-group 102 block-unknown-source
 no bridge-group 102 source-learning
 no bridge-group 102 unicast-flooding
 bridge-group 102 spanning-disabled
!
!
interface FastEthernet0
 no ip address
 no ip proxy-arp
 no ip route-cache
 duplex auto
 speed auto
 hold-queue 160 in
!
interface FastEthernet0.100
 description eduroam (802.1x autentizace)
 encapsulation dot1Q 100
 no ip route-cache
 bridge-group 100
 no bridge-group 100 source-learning
 bridge-group 100 spanning-disabled
!
interface FastEthernet0.101
 description cesnet (web based autentizace)
 encapsulation dot1Q 101
 no ip route-cache
 bridge-group 101
 no bridge-group 101 source-learning
 bridge-group 101 spanning-disabled
!
interface FastEthernet0.102
 description eduroam-tkip (802.1x autentizace - TKIP)
 encapsulation dot1Q 102
 no ip route-cache
 bridge-group 102
 no bridge-group 102 source-learning
 bridge-group 102 spanning-disabled
!
interface FastEthernet0.998
 description cesnet_mgmt
 encapsulation dot1Q 998 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
!
interface BVI1
 ip address 10.3.3.3 255.255.255.0
 no ip proxy-arp
 no ip route-cache
!
ip default-gateway 10.3.3.1
no ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip tacacs source-interface BVI1
ip radius source-interface BVI1
!
!
ip access-list standard MANAGEMENT
 permit x.x.x.x
!
!
logging history errors
logging trap debugging
logging IP_adresa_log_serveru
!
!
access-list 50 permit x.x.x.x
access-list 51 permit x.x.x.x
!
!
snmp-server community xxxxxxxx RO 50
snmp-server community yyyyyyyy RW 51
snmp-server ifindex persist
snmp-server location AP02
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps entity
snmp-server enable traps disassociate
snmp-server enable traps deauthenticate
snmp-server enable traps authenticate-fail
snmp-server enable traps dot11-qos
snmp-server enable traps switch-over
snmp-server enable traps rogue-ap
snmp-server enable traps wlan-wep
snmp-server enable traps config
snmp-server enable traps syslog
snmp-server enable traps aaa_server
snmp-server host x.x.x.x version 2c xxxxxxxx
!
!
tacacs-server host 10.4.4.4 key 7 xxxxxxxxxxxxxxx
tacacs-server host 10.5.5.5 key 7 xxxxxxxxxxxxxxx
tacacs-server timeout 1
tacacs-server directed-request
radius-server attribute 8 include-in-access-req
radius-server host 10.1.1.1 auth-port 1812 acct-port 1813 key 7 xxxxxxxxxxxxxxx
radius-server host 10.2.2.2 auth-port 1812 acct-port 1813 key 7 xxxxxxxxxxxxxxx
radius-server vsa send accounting
!
control-plane
!
bridge 1 route ip
!
!
banner exec ^C
Text ktery se objevi po prihlaseni uzivatele do prikazove radky
^C
!
!
banner login ^C
The equipment now being accessed and information available through this equipment is confidential and proprietary, and may be accessed or used only as specifically authorized. All other access or use is prohibited and is subject to legal action.
^C
!
!
line con 0
 password 7 xxxxxxxxxxxx
!
!
! aaa authentication login default ...
! aaa authorization exec default ...
!
line vty 0 4
 session-timeout 120
 access-class MANAGEMENT in
 exec-timeout 120 0
 password 7 xxxxxxxxxxxx
line vty 5 15
 session-timeout 120
 access-class MANAGEMENT in
 exec-timeout 120 0
 password 7 xxxxxxxxxxxx
!
!
sntp server 195.113.144.201
sntp server 195.113.144.238
end