Optional WEP on Autonomous AP1230

kevin_noll · ‎05-20-2009

I would like to enable a single SSID to support EAP and non-EAP clients. This is to enable non-EAP clients to be directed to a captive login portal, and EAP clients to go directly to the network.

I am able to make EAP optional for authentication, but can't seem to make WEP optional. (WEP is probably not the end-game, but I'm trying to get the lowest common denominator working)

my configuration contains:

dot11 ssid MYSSID

authentication open optional eap EAPAUTH

guest-mode

...

interface Dot11Radio0

encryption mode wep optional

This works fine for users using Open authentication, and no encryption.

Users using Open authentication, with 802.1x and WEP encryption are not able to associate with the AP, and I never even see an authentication/association attempt.

Thanks in advance.

JASON BOYERS · ‎05-26-2009

Just making sure - did you put in an encryption key for WEP under the radio interface? Also, would it be possible to put the EAP clients on the 802.11a radio (if it has one)? Technically, you're using the same SSID, with the same authentication, but you can configure different encryption requirements.

kevin_noll · ‎05-27-2009

I want to use dynamic WEP keys (generated by the EAP exchange), so no static WEP keys were configured.

Of course, I *could* put the EAP clients on the .11a radio, but that effectively puts them on a different SSID (logically the same, but physically different).

I need both radios to operate the same.

JASON BOYERS · ‎05-27-2009

You may be out of luck. According to an older document at http://www.cisco.com/en/US/products/hw/wireless/ps430/products_qanda_item09186a008009483e.shtml, there's the following specific statement about static WEP and EAP:

Q. In Cisco IOS Software-based APs, can you run static Wired Equivalent Privacy (WEP) keys and Extensible Authentication Protocol (EAP) together on the same AP for authentication? This has worked with VxWorks-based APs.

A. No, you cannot run static WEP keys for encryption and EAP for authentication in the same service set identifier (SSID). VxWorks has allowed this configuration because of software vulnerability, but this ability is not a feature. What you can do is create two SSIDs and two VLANs (one per SSID). Then, configure open authentication with WEP for one SSID and EAP authentication for the other SSID.

I would seriously consider putting in 2 SSIDs, one for EAP and one for non-EAP. Associate each with a different VLAN (required for the configuration). However, if you want them to be on the same subnet, use bridge group 1 under both subinterfaces on a radio. I think it accomplishes what you are trying to do.

JASON BOYERS · ‎05-27-2009

OK. So, I did some more digging. This stuff is great in preparing for the Wireless CCIE lab :) I found an example similar to what you are describing at http://www.cisco.com/en/US/docs/wireless/access_point/12.2_13_JA/configuration/guide/s13auth.html#wp1035193. So, I went and built an example. And, using the same SSID on the same interface, I was able to connect using static WEP and LEAP. Here's my SSID config and my interface config for that SSID:

dot11 ssid Test

authentication open

authentication network-eap eap_methods

authentication key-management wpa optional

interface Dot11Radio1

!

encryption key 3 size 40bit 12345ABCDE transmit-key

encryption mode ciphers tkip wep40

!

ssid Test

The client (I'm using the Cisco Aironet Desktop Utility with a Cisco a/b/g card) is configured for WEP, with Open authentication. I then change it to LEAP, and it changes right over. I'm using WDS on the AP, with radius-server local for the LEAP authentication piece.

kevin_noll · ‎05-28-2009

So this is close to what I want, but not quite. You have Open with Static WEP or EAP with dynamic WEP as the two options.

This works for me, too.

I need Open with *NO* WEP or EAP with dynamic WEP.