2 SSIDs - 1 not broadcasting and no encryption

carnold5

We use an Aironet 1220 AP. We have 2 SSIDs, 1 with 802.1x and the other we want to not use any encryption and this one will not broadcast. The 802.1x SSID uses WEP for encryption. The firmware is 12.3(8)JA2. Is it possible to have 2 SSIDs, 1 with encryption and 1 without? If so, how can we achieve this?


jwadleigh

Hi carnold5.

The easiest/best way to do this is to have two VLANs. Set the switch port to a trunk with both VLANs on it. Then tie each SSID to one of the VLANs. You can then have multiple SSIDs with different encryption settings and they won't interfere at all.

Hope this helps!

I have a similar scenario: I have Cisco 1200APs and I would like to configure one SSID with security and one without, but both must be on the same VLAN. (We have a BlueSocket box handling authentication, but we want staff connections to be encrypted, but still have open access.)

My configuration currently looks like this for the radio:

interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers tkip
 !
 ssid Staff
    authentication open
    authentication key-management wpa
    wpa-psk ascii 7 *******************
 !
 ssid Students
    authentication open
    guest-mode
 !

Thank you,

Chris

Unfortunately, there's no way to link 2 SSIDs to a single VLAN using autonomous access points. You can do this using the lightweight architecture, but that won't help unless you upgrade your entire network.

The only solution here would be to place two access points in close proximity to each other, each with a different SSID for your VLAN. Not exactly a clean solution.

Using 2 APs is not possible. I have heard that it is possible to do it with 2 SSIDs mapped to two different VLANs, each with its own encryption. Is that true? If so, I think I may be able to make it work.

Ok... I got as far as configuring it on the access point and I was able to get one of the SSIDs to go all the way through to our appliance, the unsecured "Student" SSID. Here is my configuration; am I missing something?

Also, on the switch I have a dot1q trunk configured. VLAN 90 is the staff wireless VLAN and VLAN 91 is the student wireless VLAN.

dot11 ssid Staff
 vlan 90
 authentication open
 authentication key-management wpa
 wpa-psk ascii 7 *****************************
!
dot11 ssid Students
 vlan 91
 authentication open
 guest-mode
!
!
!
username hec privilege 15 password 7 **********************
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 90 mode ciphers tkip
 !
 ssid Staff
 !
 ssid Students
 !
 speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
 station-role root
 rts threshold 2312
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.90
 encapsulation dot1Q 90
 no ip route-cache
 no cdp enable
 bridge-group 3
 bridge-group 3 subscriber-loop-control
 bridge-group 3 block-unknown-source
 no bridge-group 3 source-learning
 no bridge-group 3 unicast-flooding
 bridge-group 3 spanning-disabled
!
interface Dot11Radio0.91
 encapsulation dot1Q 91
 no ip route-cache
 no cdp enable
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
 bridge-group 2 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
 hold-queue 160 in
!
interface FastEthernet0.90
 encapsulation dot1Q 90
 no ip route-cache
 bridge-group 3
 no bridge-group 3 source-learning
 bridge-group 3 spanning-disabled
!
interface FastEthernet0.91
 encapsulation dot1Q 91
 no ip route-cache
 bridge-group 2
 no bridge-group 2 source-learning
 bridge-group 2 spanning-disabled
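
An added example, not part of the thread and not Cisco tooling: a small Python check that reads a running-config in the per-VLAN form of the last post and reports, for each SSID, its VLAN, whether WPA key management and a per-VLAN cipher are set, whether it is broadcast (guest-mode), and whether the radio and Ethernet subinterfaces for that VLAN share a bridge-group. The function name `audit`, the result keys and the indented sample are assumptions made for this illustration; the radio-wide `encryption mode ciphers` form from the earlier post is not covered.

```python
SAMPLE = """\
dot11 ssid Staff
 vlan 90
 authentication key-management wpa
dot11 ssid Students
 vlan 91
 guest-mode
interface Dot11Radio0
 encryption vlan 90 mode ciphers tkip
interface Dot11Radio0.90
 encapsulation dot1Q 90
 bridge-group 3
interface Dot11Radio0.91
 encapsulation dot1Q 91
 bridge-group 2
interface FastEthernet0.90
 encapsulation dot1Q 90
 bridge-group 3
interface FastEthernet0.91
 encapsulation dot1Q 91
 bridge-group 2
"""  # constructed sample, indented as "show running-config" prints it; keys left out

def audit(config):
    """Map each SSID to its VLAN, WPA flag, broadcast flag, cipher and bridging state."""
    ssids, ciphers, bridges, head, vlan = {}, {}, {}, [], None
    for line in filter(str.strip, config.splitlines()):
        w = line.split()
        if not line[0].isspace():                  # unindented line opens a new stanza
            head, vlan = w, None
            if w[:2] == ["dot11", "ssid"]:
                ssids[w[2]] = {"vlan": None, "wpa": False, "broadcast": False}
        elif head[:2] == ["dot11", "ssid"]:
            s = ssids[head[2]]
            if w[0] == "vlan": s["vlan"] = int(w[1])
            elif w[:2] == ["authentication", "key-management"]: s["wpa"] = True
            elif w[0] == "guest-mode": s["broadcast"] = True
        elif head[:1] == ["interface"]:
            if w[:2] == ["encryption", "vlan"] and "ciphers" in w:
                ciphers[int(w[2])] = " ".join(w[w.index("ciphers") + 1:])
            elif w[:2] == ["encapsulation", "dot1Q"]: vlan = int(w[2])
            elif w[0] == "bridge-group" and len(w) == 2 and vlan is not None:
                side = "radio" if head[1].startswith("Dot11Radio") else "wired"
                bridges.setdefault(vlan, {})[side] = int(w[1])
    for s in ssids.values():
        b = bridges.get(s["vlan"], {})
        s["cipher"] = ciphers.get(s["vlan"])       # None: no cipher set for this VLAN
        s["bridged"] = "radio" in b and b["radio"] == b.get("wired")
    return ssids
```

An SSID that comes back with `wpa` true but `cipher` None, or with `bridged` false, is one whose VLAN, encryption and bridge-group lines do not line up and is worth a second look.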
