09-29-2008 12:26 PM - edited 07-03-2021 04:32 PM
We use an Aironet 1220 AP. We have 2 SSIDs, 1 with 802.1x and the other we want to not use any encryption and this one will not broadcast. The 802.1x SSID uses WEP for encryption. The firmware is 12.3(8)JA2. Is it possible to have 2 SSIDs, 1 with encryption and 1 without? If so, how can we achieve this?
09-30-2008 06:55 AM
Hi carnold5.
The easiest/best way to do this is to have two VLANs. Set the switch port to a trunk with both VLANs on it. Then tie each SSID to one of the VLANs. You can then have multiple SSIDs with different encryption settings and they won't interfere at all.
Hope this helps!
10-08-2008 08:08 AM
I have a similar scenario. I have Cisco 1200 APs and I would like to configure one SSID with security and one without, but both must be on the same VLAN. (We have a BlueSocket box handling authentication, but we want staff connections to be encrypted, but still have open access.)
My configuration currently looks like this for the radio:
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption mode ciphers tkip
!
ssid Staff
authentication open
authentication key-management wpa
wpa-psk ascii 7 *******************
!
ssid Students
authentication open
guest-mode
!
Thank you,
Chris
10-08-2008 11:03 AM
Unfortunately, there's no way to link 2 SSIDs to a single VLAN using autonomous access points. You can do this using the lightweight architecture, but that won't help unless you upgrade your entire network.
The only solution here would be to place two access points in close proximity to each other, each with a different SSID for your VLAN. Not exactly a clean solution.
10-08-2008 11:22 AM
Using 2 APs is not possible. I have heard that it is possible to do it with 2 SSIDs mapped to two different VLANs, each with its own encryption. Is that true? If so I think I may be able to make it work.
10-08-2008 01:14 PM
Ok... I got as far as configuring it on the access point and I was able to get one of the SSIDs to go all the way through to our appliance, the unsecured "Student" SSID. Here is my configuration, am I missing something?
Also on the switch I have a dot1q trunk configured. VLAN 90 is the staff wireless VLAN and vlan 91 is the student wireless VLAN.
dot11 ssid Staff
vlan 90
authentication open
authentication key-management wpa
wpa-psk ascii 7 *****************************
!
dot11 ssid Students
vlan 91
authentication open
guest-mode
!
!
!
username hec privilege 15 password 7 **********************
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 90 mode ciphers tkip
!
ssid Staff
!
ssid Students
!
speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
station-role root
rts threshold 2312
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.90
encapsulation dot1Q 90
no ip route-cache
no cdp enable
bridge-group 3
bridge-group 3 subscriber-loop-control
bridge-group 3 block-unknown-source
no bridge-group 3 source-learning
no bridge-group 3 unicast-flooding
bridge-group 3 spanning-disabled
!
interface Dot11Radio0.91
encapsulation dot1Q 91
no ip route-cache
no cdp enable
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
bridge-group 2 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
hold-queue 160 in
!
interface FastEthernet0.90
encapsulation dot1Q 90
no ip route-cache
bridge-group 3
no bridge-group 3 source-learning
bridge-group 3 spanning-disabled
!
interface FastEthernet0.91
encapsulation dot1Q 91
no ip route-cache
bridge-group 2
no bridge-group 2 source-learning
bridge-group 2 spanning-disabled
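Added example, not part of the thread or any poster's configuration: a small Python check that walks an autonomous-AP configuration written in the global `dot11 ssid` style shown above and reports, per SSID, whether it is mapped to a VLAN, whether that VLAN has a cipher on the radio, and whether the radio and Ethernet subinterfaces for that VLAN exist and share a bridge group. The names `audit`, `ATTR` and `SAMPLE` are made up here, the interface names `Dot11Radio` and `FastEthernet` are assumed from the posted configuration, and the sample input is constructed.

```python
import re

ATTR = re.compile(r"(vlan|authentication key-management|encapsulation dot1Q|bridge-group) (\S+)")

def audit(config):
    """Return findings on SSID -> VLAN -> cipher -> subinterface consistency."""
    ssids, subifs, ciphers, out, cur = {}, {}, {}, [], None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"dot11 ssid (\S+)$", line):
            cur = ssids.setdefault(m[1], {})
        elif m := re.match(r"interface ([A-Za-z]\S*?)\d+(?:\.(\d+))?$", line):
            cur = subifs.setdefault((m[1], m[2]), {})  # m[2] is None on a main interface
        elif m := re.match(r"encryption vlan (\d+) mode ciphers (.+)$", line):
            ciphers[m[1]] = m[2]
        elif cur is not None and (m := ATTR.match(line)):
            cur[m[1]] = m[2]  # keyed by the command keyword itself
    for name, s in ssids.items():
        v = s.get("vlan")
        ifs = {t: i for (t, _), i in subifs.items() if i.get("encapsulation dot1Q") == v}
        if v is None:
            out.append(f"{name}: not mapped to a VLAN")
        elif set(ifs) != {"Dot11Radio", "FastEthernet"}:
            out.append(f"{name}: vlan {v} lacks a radio or Ethernet subinterface")
        elif ifs["Dot11Radio"].get("bridge-group") != ifs["FastEthernet"].get("bridge-group"):
            out.append(f"{name}: vlan {v} radio and Ethernet bridge-groups differ")
        if v and v not in ciphers:
            kind = "key management set but no cipher" if "authentication key-management" in s else "open, no encryption"
            out.append(f"{name}: {kind} on vlan {v}")
    return out

# Constructed sample (keys omitted); the Students VLAN has no Ethernet subinterface.
SAMPLE = """\
dot11 ssid Staff
vlan 90
authentication key-management wpa
dot11 ssid Students
vlan 91
interface Dot11Radio0
encryption vlan 90 mode ciphers tkip
interface Dot11Radio0.90
encapsulation dot1Q 90
bridge-group 3
interface Dot11Radio0.91
encapsulation dot1Q 91
bridge-group 2
interface FastEthernet0.90
encapsulation dot1Q 90
bridge-group 3
"""
```

An open SSID is always listed with its VLAN so the reviewer can confirm that the unencrypted traffic is meant to be there and is kept off the secured VLAN.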