05-20-2009 01:24 PM - edited 07-03-2021 05:37 PM
I would like to enable a single SSID to support EAP and non-EAP clients. This is to enable non-EAP clients to be directed to a captive login portal, and EAP clients to go directly to the network.
I am able to make EAP optional for authentication, but can't seem to make WEP optional. (WEP is probably not the end-game, but I'm trying to get the lowest common denominator working.)
My configuration contains:
dot11 ssid MYSSID
 authentication open optional eap EAPAUTH
 guest-mode
...
interface Dot11Radio0
 encryption mode wep optional
This works fine for users using Open authentication, and no encryption.
Users using Open authentication, with 802.1x and WEP encryption are not able to associate with the AP, and I never even see an authentication/association attempt.
Thanks in advance.
05-26-2009 08:10 PM
Just making sure - did you put in an encryption key for WEP under the radio interface? Also, would it be possible to put the EAP clients on the 802.11a radio (if it has one)? Technically, you're using the same SSID, with the same authentication, but you can configure different encryption requirements.
05-27-2009 06:26 AM
I want to use dynamic WEP keys (generated by the EAP exchange), so no static WEP keys were configured.
Of course, I *could* put the EAP clients on the .11a radio, but that effectively puts them on a different SSID (logically the same, but physically different).
I need both radios to operate the same.
05-27-2009 06:41 PM
You may be out of luck. According to an older document at http://www.cisco.com/en/US/products/hw/wireless/ps430/products_qanda_item09186a008009483e.shtml, there's the following specific statement about static WEP and EAP:
Q. In Cisco IOS Software-based APs, can you run static Wired Equivalent Privacy (WEP) keys and Extensible Authentication Protocol (EAP) together on the same AP for authentication? This has worked with VxWorks-based APs.
A. No, you cannot run static WEP keys for encryption and EAP for authentication in the same service set identifier (SSID). VxWorks has allowed this configuration because of software vulnerability, but this ability is not a feature. What you can do is create two SSIDs and two VLANs (one per SSID). Then, configure open authentication with WEP for one SSID and EAP authentication for the other SSID.
I would seriously consider putting in 2 SSIDs, one for EAP and one for non-EAP. Associate each with a different VLAN (required for the configuration). However, if you want them to be on the same subnet, use bridge group 1 under both subinterfaces on a radio. I think it accomplishes what you are trying to do.
05-27-2009 07:23 PM
OK. So, I did some more digging. This stuff is great in preparing for the Wireless CCIE lab :) I found an example similar to what you are describing at http://www.cisco.com/en/US/docs/wireless/access_point/12.2_13_JA/configuration/guide/s13auth.html#wp1035193. So, I went and built an example. And, using the same SSID on the same interface, I was able to connect using static WEP and LEAP. Here's my SSID config and my interface config for that SSID:
dot11 ssid Test
 authentication open
 authentication network-eap eap_methods
 authentication key-management wpa optional
interface Dot11Radio1
 !
 encryption key 3 size 40bit 12345ABCDE transmit-key
 encryption mode ciphers tkip wep40
 !
 ssid Test
The client (I'm using the Cisco Aironet Desktop Utility with a Cisco a/b/g card) is configured for WEP, with Open authentication. I then change it to LEAP, and it changes right over. I'm using WDS on the AP, with radius-server local for the LEAP authentication piece.
05-28-2009 10:27 AM
So this is close to what I want, but not quite. You have Open with Static WEP or EAP with dynamic WEP as the two options.
This works for me, too.
I need Open with *NO* WEP or EAP with dynamic WEP.
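An added example (not part of any post above, and not Cisco tooling): a small Python check that reads AP configuration in the style posted in this thread and reports, per SSID and radio, whether open clients can associate without EAP and whether they end up unencrypted or on a static WEP key. The sample configuration is constructed from the thread's snippets, the `ssid MYSSID` line under `Dot11Radio0` is assumed, and the parser only understands the keywords that appear on this page.

```python
import re

# Constructed sample modelled on the two configurations posted in this thread;
# the "ssid MYSSID" line under Dot11Radio0 is assumed (the post elides it).
SAMPLE = """\
dot11 ssid MYSSID
 authentication open optional eap EAPAUTH
 guest-mode
dot11 ssid Test
 authentication open
 authentication network-eap eap_methods
 authentication key-management wpa optional
interface Dot11Radio0
 encryption mode wep optional
 ssid MYSSID
interface Dot11Radio1
 encryption key 3 size 40bit 12345ABCDE transmit-key
 encryption mode ciphers tkip wep40
 ssid Test
"""

def parse_blocks(text):
    """Group indented sub-commands under their top-level command line."""
    blocks, current = {}, None
    for line in text.splitlines():
        if line.strip() in ("", "!"):
            continue
        if not line[0].isspace():
            current = blocks.setdefault(line.strip(), [])
        elif current is not None:
            current.append(line.strip())
    return blocks

def audit(text):
    """Map (ssid, radio) to the association options that pairing admits."""
    blocks, report = parse_blocks(text), {}
    for header, subs in blocks.items():
        if not header.startswith("interface Dot11Radio"):
            continue
        modes = [s for s in subs if s.startswith("encryption mode ")]
        # Assumption: no "encryption mode" line, or "wep optional", admits cleartext.
        cleartext = not modes or any(m.endswith("wep optional") for m in modes)
        static_key = any(re.match(r"encryption key \d+ ", s) for s in subs)
        for name in (s.split(None, 1)[1] for s in subs if s.startswith("ssid ")):
            auth = blocks.get("dot11 ssid " + name, [])
            # Open without EAP: bare "authentication open" or "open optional eap <list>".
            open_no_eap = any(re.fullmatch(r"authentication open( optional eap \S+)?", a) for a in auth)
            report[(name, header.split()[1])] = {
                "open_without_eap": open_no_eap,
                "unencrypted_open_clients": open_no_eap and cleartext,
                "open_clients_on_static_wep": open_no_eap and not cleartext and static_key,
            }
    return report
```

Calling audit(SAMPLE) marks MYSSID on Dot11Radio0 as admitting unencrypted open clients and Test on Dot11Radio1 as placing open clients on the static WEP key, which is the difference the last post points out.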