How to configure multiple SSIDs on same VLAN (Autonom. AP1231G)

Answered Question
Dec 8th, 2008

Hi all,

I got a couple of AIR-AP1231G (autonomous, without WLC). There are several SSIDs mapped to several VLANs. Everything is fine.

Now, I have to configure a second SSID (with different authentication) on an already "SSID-associated" VLAN.

Unfortunately, the AP shows me the following error:

"Warning: Vlan xxx already mapped to SSID xxx. SSIDs with same vlan association cannot be attached to the same interface.

Dot11Radio0: VLAN xxx is already mapped to SSID xxxx, SSID to VLAN mapping should be unique on interface".

I know, with WLC440x it can be done. Without VLAN-SSID association on an autonomous it works as well.

What about this setup? Do I have to build up a new VLAN?

Thanks,

Norbert

Correct Answer
rob.huffman Mon, 12/08/2008 - 05:42

Hi Norbert,

Hope all is well my friend!

Autonomous 1100 and 1200 Series;

You can configure up to 16 SSIDs on your access point and assign different configuration settings to each SSID. These are the settings you can assign to each SSID:

*** Note: SSIDs, VLANs, and encryption schemes are mapped together on a one-to-one-to-one basis; one SSID can be mapped to one VLAN, and one VLAN can be mapped to one encryption scheme.

• VLAN
• Client authentication method
• Maximum number of client associations using the SSID
• RADIUS accounting for traffic using the SSID
• Guest mode
• Repeater mode, including authentication username and password
• Redirection of packets received from client devices

If you want the access point to allow associations from client devices that do not specify an SSID in their configurations, you can set up a guest SSID. The access point includes the guest SSID in its beacon.

If your access point will be a repeater or will be a root access point that acts as a parent for a repeater, you can set up an SSID for use in repeater mode. You can assign an authentication username and password to the repeater-mode SSID to allow the repeater to authenticate to your network like a client device.

If your network uses VLANs, you can assign one SSID to a VLAN, and client devices using the SSID are grouped in that VLAN.

From this doc;

http://www.cisco.com/en/US/docs/wireless/access_point/12.4_10b_JA/configuration/guide/scg12410b-chap7-mbssid.html#wpxref78332

Hope this helps!

Rob

alig.norbert Mon, 12/08/2008 - 08:13

Hi Rob,

Thank you, I'm very well.

Great link, and it explains that it can't be done:

- vlan vlan-id
(Optional) Assign the SSID to a VLAN on your network. Client devices that associate using the SSID are grouped into this VLAN. You can assign only one SSID to a VLAN.

Greets,

Norbert

There is a way to do it in that you put all SSIDs into the same bridge group and the bridge group is a single VLAN. I was looking at doing this for a client on a WLSE but it was just getting far too complex, also difficult to manage. It's definitely not best practice and doesn't enhance security. I'd say it can't be done, though technically it can, but it's not pretty.

I had this issue and investigated it and set it up in a small lab, then decided there was no real way that it would be manageable.

nitass Wed, 12/24/2008 - 05:15

Hi Wynneit,

I am looking for how to configure multiple SSIDs on the same VLAN. Would you mind explaining more about it to me, or could you please provide me with an example configuration?

Thank you very much,

Nitass

alig.norbert Wed, 12/24/2008 - 06:32

Hi Nitass,

here is an example with multiple SSID's on the default-vlan (works only on the default one!!!)

.....
dot11 ssid test1
   authentication open
   authentication key-management wpa
   wpa-psk ascii 7 75A6D
!
dot11 ssid test2
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 7 64940
....
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers tkip
 !
 ssid test1
 !
 ssid test2
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 channel 2412
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 192.168.254.21 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.254.1
no ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
control-plane
!
bridge 1 route ip

nitass Wed, 12/24/2008 - 06:43

Hi alig.norbert,

Thank you so much. :-) I'll try and let you know if I get any problems.

Thanks again,

Nitass

jnitisopa Wed, 12/24/2008 - 18:30

Hi alig.norbert,

I'm Nitass's friend. I tried your example config but cannot see 2 SSIDs on the client.

I use AP1121G.

Thanks.

Jakkrit

nitass Thu, 12/25/2008 - 18:15

Hi Both,

This is Nitass. Thank you both very much for your help. The reason to have 2 SSIDs on the same VLAN is to separate the security policy (i.e. authentication, encryption) on each SSID. Anyway, I have heard from my colleague (Mr. Jakkrit) that he had to create sub-interfaces for each SSID to let alig.norbert's configuration work. I do not understand why we need to configure it like that because actually, you know, we need only 1 VLAN. The test configuration is listed below. Could you please advise?

dot11 ssid test1
   vlan 1
   authentication …(snip)…
   information-element ssidl advertisement
!
dot11 ssid test2
   vlan 2
   authentication …(snip)…
   information-element ssidl advertisement
!
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 ssid test1
 !
 ssid test2
 !
 speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
 channel 2412
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 192.168.10.1 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.10.254
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
control-plane
!
bridge 1 route ip

Thanks,

Nitass

alig.norbert Fri, 12/26/2008 - 12:10

Hi Nitass

My sample only works with the default (native) VLAN. So, no vlan configuration, and no encapsulation config (fastethernet) either.

The dotRadio- and the fastethernet-interface must be in the same bridge-group. The connection from the access point to the switch shouldn't be a trunk.

BTW, you can only broadcast one single SSID as guest-mode; the second one is hidden.

Your config should look somehow like this:

dot11 ssid test1
!!!!!vlan 1
   authentication …(snip)…
   information-element ssidl advertisement
!
dot11 ssid test2
!!!vlan 2
   authentication …(snip)…
   information-element ssidl advertisement
!
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 ssid test1
 !
 ssid test2
 !
 speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
 channel 2412
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 192.168.10.1 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.10.254
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
control-plane
!
bridge 1 route ip

Greets,

Norbert

nitass Sat, 12/27/2008 - 02:44

Hi Norbert,

I see. Please let me try again and I will let you know if I get any problems.

Thank you very much,

Nitass

nitass Mon, 01/05/2009 - 07:12

Hi,

Thank you very much. I got it right now. Anyway, I could broadcast only 1 SSID. I have tried “mbssid” but it did not work. I understand VLAN is needed for mbssid. Please let me know if you have any suggestions. The following is my configuration.

ap#sh run
Building configuration...

Current configuration : 1471 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
no logging console
enable secret 5 xxxxxxxxxx
!
ip subnet-zero
!
!
no aaa new-model
!
dot11 ssid test1
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 7 010703174F5A575D7218
!
dot11 ssid test2
   authentication open
   authentication key-management wpa
   wpa-psk ascii 7 120D000406595D56797F
!
!
!
username xxxxx password 7 xxxxxxxxxx
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers tkip
 !
 ssid test1
 !
 ssid test2
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
 hold-queue 80 in
!
interface BVI1
 ip address 192.168.2.171 255.255.255.0
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
!
control-plane
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 login local
!
end

Thanks again,

Nitass
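
An added example (not code from the thread or from Cisco): a small Python check that applies the two limits discussed above, one SSID per VLAN per radio and one guest-mode SSID per radio, to a candidate configuration before it goes onto an AP. It also reports SSIDs with no `vlan` statement, which end up together in the same untagged bridge-group as in Norbert's workaround; the sample config and function names are constructed, and the check assumes `mbssid` is not enabled.

```python
import re
from collections import defaultdict

# Constructed sample (not from the thread): two SSIDs on one VLAN, both guest-mode.
SAMPLE = """\
dot11 ssid corp
   vlan 10
   guest-mode
dot11 ssid legacy
   vlan 10
   guest-mode
interface Dot11Radio0
 ssid corp
 ssid legacy
"""

def sections(config):
    """Group sub-commands under their 'dot11 ssid' / 'interface' header line."""
    out, cur = defaultdict(list), None
    for line in map(str.strip, config.splitlines()):
        if re.fullmatch(r"(dot11 ssid|interface) \S+", line):
            cur = line  # header keywords, not indentation, so pasted configs work
        elif cur and line != "!":
            out[cur].append(line)
    return out

def lint(config):
    """Return findings for SSIDs that share a segment or guest-mode on a radio."""
    sec, findings = sections(config), []
    for header in [h for h in sec if re.fullmatch(r"interface Dot11Radio\d+", h)]:
        radio = header.split()[1]
        names = [c.split()[1] for c in sec[header] if re.fullmatch(r"ssid \S+", c)]
        by_vlan, guests = defaultdict(list), []
        for name in names:
            cmds = sec.get(f"dot11 ssid {name}", [])
            vlan = next((c.split()[1] for c in cmds if re.fullmatch(r"vlan \d+", c)), None)
            by_vlan[vlan].append(name)  # None = no vlan statement on the SSID
            if "guest-mode" in cmds:
                guests.append(name)
        for vlan, group in by_vlan.items():
            if len(group) > 1:
                seg = f"VLAN {vlan}" if vlan else "the untagged bridge-group"
                findings.append(f"{radio}: {', '.join(group)} share {seg}")
        if len(guests) > 1:
            findings.append(f"{radio}: multiple guest-mode SSIDs: {', '.join(guests)}")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

A finding of the "share the untagged bridge-group" kind means clients authenticated under different SSID policies sit on the same layer-2 segment, so the weaker policy bounds the protection of that segment.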
