Technology for Business

Indoor MESH with Cisco AP 1131

The Cisco 1131 Lightweight Access Point is a two-radio Wi-Fi infrastructure device that can be used for indoor mesh deployments. It is a CAPWAP/LWAPP-based product. It provides a 2.4 GHz radio and a 5.8 GHz radio compatible with 802.11b/g and 802.11a. One radio can be used for local (client) access to the access point (AP), and the second radio can be configured for wireless backhaul. The AP 1131 supports P2P, P2MP, and mesh architectures. Other Cisco indoor AP models are also mesh capable.




Indoor mesh is a subset of the Enterprise mesh architecture deployed on the Unified Wireless architecture. With indoor mesh, one of the radios (typically 802.11b/g) and/or the wired Ethernet link is used to connect to clients, while the second radio (typically 802.11a) is used to backhaul client traffic. A mesh AP can be either a RAP (Root AP) or a MAP (Mesh AP). A RAP acts as a bridge between the controller and the other wireless APs. A MAP connects to a RAP or another MAP over the air on an 802.11a radio and also serves clients on an 802.11b/g radio.


Basic Mesh Configuration

The first step is to set the AP to bridge mode. After the AP reboots, set the AP role to RAP. This root AP has a wired connection to the WLC controller (through a switch).



In this example, we set the bridge group name to BG1, use 802.11a as the backhaul interface, and leave the data rate set to auto.



Configure the next AP as a bridge and set its AP Role to MeshAP. A MAP does not have a wired connection to the WLC. It communicates with the WLC through a RAP. In this example, we set the bridge group name to BG1 (so it matches the RAP), use 802.11a as the backhaul interface, and leave the data rate set to auto.



I checked the Mesh DCA Channels and left the rest at their default values. Next, you must configure the desired DCA channels under Wireless > 802.11a/n.



As a basic security measure, you need to add the AP MAC address of each RAP/MAP to the Local MAC Filters. Not doing so will prevent the mesh APs from coming up.


Note: the AP MAC Address is the wired side MAC address.







Authenticating MESH APs with RADIUS

MAC filtering does not scale well across multiple controllers and provides minimal security. You are better off using central authentication for all your mesh APs. Cisco uses EAP-FAST to authenticate its mesh APs. Here is how to do it.

From the Mesh Security section, choose EAP, and check both External MAC Filter Authorization and Force External Authentication. Then check a RADIUS server from the list.





To set up your RADIUS server, complete these two steps:


1. Configure EAP-FAST on the RADIUS server and install the certificates.


EAP-FAST authentication is required if mesh access points are connected to the controller using an 802.11a interface; the external RADIUS servers need to trust Cisco Root CA 2048. You must download the EAP-FAST certs from For information about installing and trusting the CA certificates, see Configuring RADIUS Servers, Cisco Wireless Mesh Access Points, Design and Deployment Guide, Release 7.0


2. Configure MAC filters for MESH APs


For each RAP/MAP, you need to provide two credentials in RADIUS:

- MAC filter / Password

- Username / Password


The MAC filter / password format is as follows:

AP_MAC_Address / AP_MAC_Address



001d451f5d22 / 001d451f5d22


The username / password format is as follows:

AP_Model-AP_MAC_Address / AP_Model-AP_MAC_Address



C1130-001d451f5d22 / C1130-001d451f5d22


Note: the AP MAC Address is the wired side MAC address.
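As an added example (not from the original post or from Cisco), this Python helper derives both RADIUS entries for each AP in the format shown above and lists which of them are missing from an export of RADIUS usernames. The inventory, the function names and the second MAC address are assumptions made for illustration; the first AP reuses the post's own example.

```python
import re

# Constructed inventory: (model prefix, wired-side MAC as copied from a label or CLI).
# The first entry is the post's example AP; the second is made up.
INVENTORY = [
    ("C1130", "00:1D:45:1F:5D:22"),
    ("C1130", "001d.451f.5d30"),
]

def normalize_mac(raw):
    """Return 12 lowercase hex digits, the form used in the post's examples."""
    digits = re.sub(r"[.:\-\s]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits

def mesh_credentials(model, raw_mac):
    """Both RADIUS entries one mesh AP needs: the MAC filter and the AP username."""
    mac = normalize_mac(raw_mac)
    user = f"{model}-{mac}"
    return [(mac, mac), (user, user)]  # (username, password) pairs

def expected_accounts(inventory):
    """All entries for the inventory; rejects an AP MAC that is listed twice."""
    seen, accounts = set(), []
    for model, raw_mac in inventory:
        mac = normalize_mac(raw_mac)
        if mac in seen:
            raise ValueError(f"duplicate AP MAC: {mac}")
        seen.add(mac)
        accounts.extend(mesh_credentials(model, raw_mac))
    return accounts

def missing_accounts(inventory, radius_usernames):
    """Usernames that should exist on the RADIUS server but are absent (exact match)."""
    present = set(radius_usernames)
    return [user for user, _ in expected_accounts(inventory) if user not in present]

if __name__ == "__main__":
    for username, password in expected_accounts(INVENTORY):
        print(f"{username} / {password}")
    # Constructed export of usernames already defined on the RADIUS server.
    export = ["001d451f5d22", "C1130-001d451f5d22"]
    print("missing:", missing_accounts(INVENTORY, export))
```
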



TIP: From this point, you no longer need Local MAC filtering for your MAPs. Please purge those filter entries from your WLC.

The following figure shows the Cisco ACS Passed Authentications report for both the mesh AP MAC filter and the mesh AP username.




We covered the basics of how to use the Cisco AP 1131 to create an indoor mesh network. This can be useful for several reasons, such as extending a network where cabling is not always economical or for temporary work setups. MAC address filtering represents the least secure way of authenticating RAPs and MAPs. You should instead authenticate all APs with a RADIUS server. You may also want to authenticate the wired APs (RAP) using 802.1X; see my previous blog post for details.



Steve Williams

Steve is a consultant, coach, and blogger who has consulted with several organizations in the past 20 years. His interests include WiFi / mobility technologies, next generation firewalls and identity management systems.
