2 APs as one plus guest access

Unanswered Question
Aug 14th, 2007

I have 2 1130AG in 2 adjacent buildings, each connected to a C2960 and using Windows IAS authentication. How do I configure them so that when users move between buildings the AP change is invisible to the users? Will it help/work if I have the same name for the SSID on both units?

And if it's not too much in one question, how does one go about creating a Guest SSID? Thanks

jake.kappus Thu, 08/16/2007 - 07:43

If you are just using this in a data deployment, the users shouldn't see much of a difference, provided there is adequate coverage in both buildings with these two access points. They should have the same SSID/security scheme on both APs to roam.

If there is any sort of voice or even handheld scanners involved, you will need to use WDS with CCKM. I'm guessing there isn't.

There are several ways to create a guest SSID. I've done it before using an ASA 5510, a new VLAN, and some access lists limiting the traffic on that SSID to a specific VLAN and then use the firewall as the gateway. I guess you could do it with a Pix 506e or higher, but I like having a physical interface to connect the VLAN to on the firewall and then route out to the internet.

To do it this way you would need to create another SSID (named something like guest), and create a VLAN on your switches to carry this traffic. Make sure you trunk the ports that the APs are plugged into on the switch. Then make sure you apply that VLAN in the GUI to that SSID. I would not broadcast the private SSID, just to keep people from even attempting to connect.

On your firewall, if you are using a PIX 506E or higher, you can make a subinterface for a "DMZ"-like subnet. If you are using an ASA, set up another interface using the address range in that VLAN. Make sure the switchport that interface is connected to has access to that VLAN, and either set up DHCP on that interface to push out an IP (preferably not routable on your private LAN) or open port 67 and then set up a static NAT to your internal DHCP server from the DMZ subnet.

I may be missing a step here, I don't have my notes from the last time I did this in front of me, but it should give you a start.
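
As an added illustration of the AP and switch side of the procedure above (not Jake's own config, and not from the original thread), here is what the autonomous 1130AG and the C2960 port facing it could look like. VLAN 10 as the private data VLAN, VLAN 20 as the guest VLAN, the SSID names, the RADIUS/IAS address 192.0.2.10 and the shared secret are all assumed values; the same AP config is applied to both APs so clients see one SSID and security scheme while roaming. The firewall/DMZ side is left out because it depends on the platform.

```cisco
! ===== Autonomous 1130AG (IOS) - added example, all values assumed =====
! VLAN 10 = private data VLAN (native on the trunk), VLAN 20 = guest VLAN
!
! RADIUS (Windows IAS) for the private SSID
aaa new-model
aaa group server radius rad_eap
 server 192.0.2.10 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key EXAMPLE-SHARED-SECRET
!
! Private SSID: 802.1X/EAP against IAS, WPA key management.
! No "guest-mode" here, so this SSID is not broadcast in beacons.
dot11 ssid corp
   vlan 10
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa
!
! Guest SSID: open, broadcast, and bound to the guest VLAN only.
dot11 ssid guest
   vlan 20
   authentication open
   guest-mode
!
interface Dot11Radio0
 encryption vlan 10 mode ciphers aes-ccm
 ssid corp
 ssid guest
 no shutdown
!
! Radio subinterfaces: one per VLAN, native VLAN in bridge-group 1
interface Dot11Radio0.10
 encapsulation dot1Q 10 native
 bridge-group 1
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 bridge-group 20
!
! Ethernet subinterfaces: same VLAN/bridge-group pairing toward the switch
interface FastEthernet0.10
 encapsulation dot1Q 10 native
 bridge-group 1
!
interface FastEthernet0.20
 encapsulation dot1Q 20
 bridge-group 20
!
! ===== Catalyst 2960 port that the AP plugs into: 802.1Q trunk =====
vlan 10
 name DATA
vlan 20
 name GUEST
!
interface FastEthernet0/1
 description AP1 (1130AG)
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20
 spanning-tree portfast trunk
```

The bridge-group numbers tie each radio subinterface to the matching Ethernet subinterface, which is what keeps guest frames on VLAN 20 end to end; VLAN 20 then only needs to be allowed on the trunk from the switch up to whatever interface acts as the guest gateway, and nowhere else on the private LAN.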

Rob Huffman Sat, 08/18/2007 - 05:51

Hi Jake,

Excellent answer here! 5 points for this in-depth info :)

optecdisplays Mon, 08/20/2007 - 15:29

Thank you Jake for your answer.

Yes it's for DATA only.

I do not have ASA and not planning on getting one either, but will try trunking to DMZ.

Never done this, so will have to read up more on this.
