Конфиг такой:
interface Dot11Radio0
no ip address
ip access-group firewall in
no ip route-cache
!
ssid Yang-Inform
!
short-slot-time
cca 75
concatenation
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
antenna receive right
antenna transmit right
antenna gain 11
infrastructure-client
bridge-group 1
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 192.168.114.3 255.255.255.0
no ip route-cache
!
ip default-gateway 192.168.114.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
ip access-list extended firewall
permit tcp 192.168.114.0 0.0.0.255 192.168.114.3 0.0.0.0 eq 23
permit tcp 192.168.114.0 0.0.0.255 192.168.114.3 0.0.0.0 eq www
permit tcp any 192.168.114.1 0.0.0.0 eq domain
permit udp any 192.168.114.1 0.0.0.0 eq domain
permit udp any 192.168.114.1 0.0.0.0 eq 67
permit udp any 192.168.114.1 0.0.0.0 eq 68
permit tcp 192.168.114.0 0.0.0.255 192.168.114.1 0.0.0.0 eq www
permit tcp 192.168.114.0 0.0.0.255 any eq www
deny tcp 192.168.114.0 0.0.0.255 192.168.114.0 0.0.0.255 eq www
permit icmp 192.168.114.0 0.0.0.255 192.168.114.3 0.0.0.0
permit icmp 192.168.114.0 0.0.0.255 192.168.114.3 0.0.0.0
deny ip any any log

клиентские компьютера не могут получить ip от dhcp