Multiple SSID on AP with no Layer 3 switch

Unanswered Question
Jan 20th, 2010

I have had three AP1231G working in autonomous mode for years.

To improve security, I would like to set up my wireless LAN for multiple SSIDs, with a different authentication method on each.

So, as it is the only way to do that, I defined one VLAN per SSID, each with its own security scheme:

dot11 vlan-name Default vlan 1
dot11 vlan-name Wireless_WEP vlan 34
dot11 vlan-name Wireless_WPA2 vlan 37
!
dot11 ssid LAPTOPS
   vlan 37
   authentication open
   authentication key-management wpa
   wpa-psk ascii 7 052A0A0D245E5A584C201E1C1818012325
!
dot11 ssid STOCK
   vlan 34
   authentication open mac-address mac_methods

Vlan 34, ssid STOCK is used for old warehouse terminals that only support WEP.

Vlan 37, ssid LAPTOPS is for all other wireless devices belonging to the company, for which I want to set up WPA2-PSK authentication.

Vlan 1 is the native VLAN, and is not associated to an SSID.

Then comes my problem, as I have only a Layer 2 switch, but no Layer 3 device to bridge traffic between these VLANs. So I can associate devices to the AP, but they can't communicate with the rest of the LAN, as all traffic is tagged for VLANs 34 and 37.

After many searches and readings, I found no solution except "buy a layer 3 switch"... okay...

So I made my own tests with one of the APs, and finally found one working configuration: put all subinterfaces in the same Bridge Group, so that, as I understand it, all traffic is bridged internally to the untagged native VLAN 1.

I am then able to associate with each SSID using the required authentication method, get an IP address from DHCP and then communicate with the rest of the world... which was my goal:

interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.34
encapsulation dot1Q 34
no ip route-cache
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.37
encapsulation dot1Q 37
no ip route-cache
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
hold-queue 160 in
!
interface FastEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface FastEthernet0.34
encapsulation dot1Q 34
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface FastEthernet0.37
encapsulation dot1Q 37
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled

But as it is an "abnormal" and at least undocumented configuration, I would like some advice from experts before deploying it.

Should I expect any issue with this setting?

And if not, why is it not documented as a "simple" way to implement multiple SSIDs with multiple authentication?

ruimartins1000 Fri, 01/29/2010 - 03:29

I'm planning to do a similar setup. I'll need some lab testing then I'll post.

BR,

Rui

ObliqueYCalistri Fri, 01/29/2010 - 06:00

I have put this configuration in test on one AP for the past week, and all seemed to work correctly.

So, I decided to deploy it, but then I had an issue:

One of the APs is far from the LAN backbone. It is connected to an unmanaged switch, and the interconnection between the main layer 2 switch and this one is done by optical fiber with transceivers.

The problem was that immediately after configuring this AP, all stations connected to the same switch lost connection to servers and other parts of the LAN. Curiously, I was able to ping some stations that are not directly connected to one of these two switches, but not the main infrastructure.

What I am thinking about this behavior is that even if traffic from the AP is carried by the management VLAN, Ethernet frames are still modified: probably tagged first with the SSID VLAN number, then untagged when bridging to VLAN 1, but without removing the extra bytes added by tagging. Then either the unmanaged switch or the transceivers are confused by these frames and lose part of the traffic from any other station.

I would probably have exactly the same issue with a standard VLAN configuration and a layer 3 backbone switch to bridge traffic. But currently, my problem is only solved on 2 APs of 3.

Yves
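The hypothesis in the post above (tag bytes left in frames that reach the unmanaged switch) can be checked directly rather than inferred from lost pings: capture on that link (for instance `tcpdump -e -w capture.pcap` on a mirror port or an inline tap), feed the raw frames to the parser below, and see whether any frame still carries an 802.1Q header, and for which VLAN ID. This is an added example written for this page, not code from the thread or from Cisco; the MAC addresses, the payloads and the VLAN IDs 34 and 37 in the built-in sample capture are constructed for the demonstration.

```python
"""Classify Ethernet frames by 802.1Q tag (added example, offline demo)."""
import struct
from collections import Counter

TPID_8021Q = 0x8100   # EtherType value that announces a VLAN tag
ETH_HDR_LEN = 14      # dst (6) + src (6) + EtherType (2)
TAG_LEN = 4           # TPID (2) + TCI (2)


def parse_frame(frame: bytes) -> dict:
    """Split a frame into addresses, VLAN id (None if untagged), EtherType and payload."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("runt frame of %d bytes" % len(frame))
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan_id, offset = None, ETH_HDR_LEN
    if ethertype == TPID_8021Q:
        if len(frame) < ETH_HDR_LEN + TAG_LEN:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id = tci & 0x0FFF        # the VID is the low 12 bits of the TCI
        offset = ETH_HDR_LEN + TAG_LEN
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vlan": vlan_id,
            "ethertype": ethertype, "payload": frame[offset:]}


def add_tag(frame: bytes, vlan_id: int, pcp: int = 0) -> bytes:
    """Insert a tag after the source MAC, as a trunk port does for a non-native VLAN."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id out of range")
    tci = ((pcp & 0x7) << 13) | vlan_id
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Remove the tag, as a trunk port does before sending on the native VLAN."""
    if parse_frame(frame)["vlan"] is None:
        return frame
    return frame[:12] + frame[12 + TAG_LEN:]


def classify(frames) -> Counter:
    """Count frames per VLAN id; the key None counts untagged frames."""
    return Counter(parse_frame(f)["vlan"] for f in frames)


def make_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    return bytes.fromhex(dst) + bytes.fromhex(src) + struct.pack("!H", ethertype) + payload


# Constructed capture (not real traffic): an ARP request and an IPv4 frame on the
# untagged native VLAN, plus one frame each tagged for VLAN 34 and VLAN 37.
UNTAGGED_ARP = make_frame("ffffffffffff", "0011223344aa", 0x0806,
                          b"\x00\x01\x08\x00" + b"\x00" * 24)
UNTAGGED_IP = make_frame("0011223344bb", "0011223344aa", 0x0800, b"\x45" + b"\x00" * 19)
SAMPLE_CAPTURE = [UNTAGGED_ARP, UNTAGGED_IP,
                  add_tag(UNTAGGED_IP, 34), add_tag(UNTAGGED_ARP, 37, pcp=3)]

if __name__ == "__main__":
    counts = classify(SAMPLE_CAPTURE)
    for vlan, n in sorted(counts.items(), key=lambda kv: (kv[0] is not None, kv[0])):
        label = "untagged" if vlan is None else "VLAN %d" % vlan
        print("%-8s %d frame(s)" % (label, n))
```

A tagged frame is exactly four bytes longer than its untagged form and nothing else moves, so on a real capture any frame whose EtherType field reads 0x8100 on the unmanaged-switch side is one the AP's trunk emitted with a tag; a frame that is "untagged but too long" would instead show up as an unexpected EtherType at offset 12.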

tcording Fri, 01/29/2010 - 23:41


Hi Yves

First off, what you are trying to do won't actually improve the security of your network, as it will only be as strong as the weakest security mechanism, in this case WEP.

You haven't detailed if the two SSIDs' networks are using different subnets or not, and I assume that they are both in the same subnet, i.e. 192.168.0.X/24.

From your post I think you may be getting mixed up a little bit.

VLANs are a layer 2 protocol, but you will need a switch that supports VLANs and recognises VLAN tags; not all switches do this. Without this the switch does not support VLANs.

Routing two different subnets requires a router, i.e. 192.168.0.X/24 to 192.168.1.X/24.

And connecting two VLANs with different IP address ranges will require a switch that supports inter-VLAN routing, or an external router that supports VLAN trunks or has two Ethernet interfaces that can connect to two switch ports associated to the different VLANs.

If I read your post right, what you are trying to do is have an access point with two SSIDs with different security mechanisms on the one network (i.e. 192.168.0.X/24 only).

This is possible with the following configuration:

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
enable secret 5 $1$LzON$80sFFKeN.NICOxGBZEeJo.
!
no aaa new-model
!
!
dot11 syslog
!
dot11 ssid WEP
   authentication open
!
dot11 ssid WPA2
   authentication open
   authentication key-management wpa optional
   wpa-psk ascii 7 12485744465E5A53727274796166764651415B5806080A00005B55
!
!
!
username Cisco password 7 106D000A0618
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption key 2 size 128bit 7 AC0E02242175496E7C4A724B2772 transmit-key
encryption mode ciphers aes-ccm tkip wep128
!
ssid WEP
!
ssid WPA2
!
antenna gain 0
station-role root
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
!
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
no keepalive
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 192.168.0.1 255.255.255.0
no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
login local
!
end

Basically this configuration bridges the two SSIDs to the Ethernet port and has WEP and WPA2 configured.

Again, I'll state that this will not improve security, as the least secure wireless network is not being segmented in any way, and this would still apply if you just dropped a layer 3 switch in to route between the two networks.

The only way to secure this would be to use a router (or layer 3 switch) and add access lists to control/restrict the traffic destination. Alternatively use a firewall.

Troy

ObliqueYCalistri Mon, 02/01/2010 - 02:52

Hi Troy,

First of all, thanks for your detailed answer.

You're right, my goal is to have two SSID's with different security schemes, both on the same subnet.

I don't really need to have a VLAN implementation, but I thought it was the only way to do that with these APs, and IOS versions that manage WPA2.

About the fact that global security will not be enhanced, I have no real choice, as I have old warehouse management devices with DOS software that can't use WPA2.

Until now, all WiFi devices were using this same WEP SSID, with additional MAC address authentication. But with the multiplication of laptops, I would like to change this and both enhance security and simplify administration (each time I have to connect a new laptop, I have to add its MAC address to the list in all APs).

So, following is my planned configuration:

  • SSID WEP : WEP128 + MAC authentication, association limit to the number of warehouse devices, IP filter to only allow traffic to the RF server application.
  • SSID WPA2 : all other devices, WPA2-PSK authentication.


I will try your proposed configuration, and post here with the results.

Yves

ruimartins1000 Tue, 02/02/2010 - 03:05

Hello,

I have a similar setup that I'm trying to make work.

I'm starting with 8 autonomous APs which have 2 SSIDs configured in VLANs 1 and 2. One for data (normal machine data and warehouse terminal data) and the other (on VLAN 2) for Voice.

My BVI is attached to bridge-group 1 -> VLAN 1 -> sub-interfaces .1 that are native, and has the IP address of the data network.

So far so good.

Here is the config:

dot11 mbssid
!
dot11 ssid XPTO_AP
   vlan 1
   authentication open
   mbssid guest-mode
   admit-traffic
!
dot11 ssid XPTO_VoIP
   vlan 2
   authentication open
   mbssid guest-mode
   admit-traffic
!
dot11 network-map
dot11 arp-cache
dot11 phone
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 1 key 1 size 128bit 7 XXXXXXXXXXXXXXX transmit-key
encryption vlan 1 mode wep mandatory
!
encryption vlan 2 key 1 size 128bit 7 XXXXXXXXXXXXXXXXX transmit-key
encryption vlan 2 mode wep mandatory
!
ssid XPTO_AP
!
ssid XPTO_VoIP
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.2
encapsulation dot1Q 2
no ip route-cache
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
bridge-group 2 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
!
interface FastEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface FastEthernet0.2
encapsulation dot1Q 2
no ip route-cache
bridge-group 2
no bridge-group 2 source-learning
bridge-group 2 spanning-disabled
!
interface BVI1
ip address 10.242.14.241 255.255.255.0
no ip route-cache
!
ip default-gateway 10.242.14.250
ip http server

Now I plan to implement another SSID with different authentication on only 2 APs WITHOUT implementing another IP network, splitting normal data and terminal data.

I've added these commands, but then I lost IP connectivity with the AP...

!
dot11 ssid XPTO_Terminais
   vlan 3
   authentication open
   mbssid guest-mode
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
!
encryption vlan 3 key 1 size 128bit 0 XXXXXXXXXXXX transmit-key
encryption vlan 3 mode wep mandatory
!
ssid XPTO_Terminais
!
!
interface Dot11Radio0.3
encapsulation dot1Q 3
no ip route-cache
bridge-group 1
!
interface FastEthernet0.3
encapsulation dot1Q 3
no ip route-cache
bridge-group 1

I didn't configure VLAN 3 on the switching side, and those ports are in trunking mode.

Any hints?

Thx in advance,

Rui

tcording Tue, 02/02/2010 - 05:12

Hi Rui

Try adding this only for the additional WLAN

!
dot11 ssid XPTO_Terminais
   vlan 1
   authentication open
   mbssid guest-mode
!
encryption vlan 1 key 1 size 128bit 0 XXXXXXXXXXXX transmit-key
encryption vlan 1 mode wep mandatory
!
ssid XPTO_Terminais
!

Troy

ruimartins1000 Wed, 02/17/2010 - 07:33

Hello,

I cannot add those commands because the IOS tells me that I can only have 1 SSID on 1 specific VLAN on 1 interface. The idea was to put 2 VLANs within the same bridge-group, which is possible, as stated before.

But my problem is that in the lab it works, because I was using Cisco WS3500 switching. My client has all CE500 switching, and after I tested the same setup in the lab with CE500 switches, I came up with random connectivity problems, which I relate to the CE500.

So for my solution I'll have to get L3 inter-VLAN routing to make it work.

BRs,

Rui

ObliqueYCalistri Tue, 02/02/2010 - 05:22

As said in my last message, I tried to implement Troy's proposed setup.

The problem is that to activate the "aes-ccm tkip wep128" encryption mode, I should set WPA encryption to optional on the WPA2 SSID.

This means that I can connect to both SSIDs using either WEP or WPA2, which I confirmed by testing.

I can then bypass the MAC authentication and IP filter I've set up on the WEP SSID, just by connecting through the WPA2 SSID with the WEP key.

It's clear that in this case I have no security enhancement, and anybody who is able to crack the WEP key can have full access to the LAN using the WPA2 SSID.

It is not my goal: I want to force an authentication mode and encryption method for each SSID. It could probably be done with a RADIUS server, but I'm trying to do that without one, and VLANs seem to be the only way to isolate SSIDs and authentication methods from each other.

So, I'm still stuck with the altered-frames issue on the unmanaged switch, which concerns one AP of 3, but I am nearest to my goal with my first configuration.

Yves
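The bypass Yves confirmed by testing (a WEP client associating to the WPA2 SSID because `key-management wpa optional` sits next to a cipher suite containing `wep128`) is something a config audit can catch before deployment. The script below is an added example written for this page, not code from the thread or from Cisco: it parses the `dot11 ssid` blocks and the radio's `encryption ... mode` lines the way they appear in the configs posted above, works out which cipher suite applies to each SSID (the global suite for SSIDs without a VLAN, the per-VLAN suite otherwise), and flags SSIDs on which WEP clients are admitted. It also flags `wpa-psk ascii 7` lines, because type 7 is a reversible obfuscation rather than encryption, and `mac-address` authentication, which a client can spoof. The embedded sample config is a constructed excerpt in the shape of the posted ones; its SSID names, VLAN numbers and key strings are placeholders.

```python
"""Audit a Cisco IOS autonomous-AP config for SSIDs that admit WEP clients.

Added example, not from the thread. The sample config below is constructed.
"""
import re

WEP_CIPHERS = {"wep40", "wep128", "wep"}
CIPHER_RE = re.compile(
    r"^encryption(?: vlan (\d+))? mode (?:ciphers (.+)|wep (mandatory|optional))$")

SAMPLE_CONFIG = """\
dot11 ssid WEP
   authentication open
!
dot11 ssid WPA2
   authentication open
   authentication key-management wpa optional
   wpa-psk ascii 7 0123456789ABCDEF
!
dot11 ssid LAPTOPS
   vlan 37
   authentication open
   authentication key-management wpa
   wpa-psk ascii 7 0123456789ABCDEF
!
dot11 ssid STOCK
   vlan 34
   authentication open mac-address mac_methods
!
interface Dot11Radio0
 no ip address
 encryption key 2 size 128bit 7 AABBCCDD transmit-key
 encryption mode ciphers aes-ccm tkip wep128
 encryption vlan 34 key 1 size 128bit 7 AABBCCDD transmit-key
 encryption vlan 34 mode wep mandatory
 encryption vlan 37 mode ciphers aes-ccm
 ssid WEP
 ssid WPA2
 ssid LAPTOPS
 ssid STOCK
"""


def parse_ssids(config):
    """Parse `dot11 ssid` blocks; a non-indented line ends the current block."""
    ssids, cur = {}, None
    for raw in config.splitlines():
        m = re.match(r"^dot11 ssid (\S+)\s*$", raw)
        if m:
            cur = {"vlan": None, "key_mgmt": None, "optional": False,
                   "psk_type": None, "mac_auth": False}
            ssids[m.group(1)] = cur
            continue
        if cur is None or not raw.startswith(" "):
            cur = None
            continue
        words = raw.split()
        if words[:1] == ["vlan"]:
            cur["vlan"] = int(words[1])
        elif words[:2] == ["authentication", "key-management"]:
            cur["key_mgmt"] = words[2]               # wpa or cckm
            cur["optional"] = "optional" in words
        elif words[:2] == ["authentication", "open"] and "mac-address" in words:
            cur["mac_auth"] = True
        elif words[:1] == ["wpa-psk"]:
            cur["psk_type"] = words[2]               # 0 = cleartext, 7 = obfuscated
    return ssids


def parse_cipher_suites(config):
    """Map VLAN id (None = SSIDs without a VLAN) to the ciphers the radio allows."""
    suites = {}
    for raw in config.splitlines():
        m = CIPHER_RE.match(raw.strip())
        if not m:
            continue
        vlan = int(m.group(1)) if m.group(1) else None
        if m.group(2):
            suites[vlan] = set(m.group(2).split())
        else:
            suites[vlan] = {"wep"}                   # legacy `mode wep`: WEP only
            if m.group(3) == "optional":
                suites[vlan].add("none")             # `wep optional` admits unencrypted clients too
    return suites


def audit(config):
    """Return (ssid, severity, message) findings."""
    suites, findings = parse_cipher_suites(config), []
    for name, s in parse_ssids(config).items():
        suite = suites.get(s["vlan"], set())
        wep = sorted(suite & WEP_CIPHERS)
        if s["key_mgmt"] == "wpa":
            if wep and s["optional"]:
                findings.append((name, "critical", "key-management wpa optional with %s in the "
                                 "suite: a client holding the static WEP key associates to this "
                                 "SSID without the PSK" % ",".join(wep)))
            elif wep:
                findings.append((name, "high", "WEP cipher configured alongside WPA"))
        elif wep:
            findings.append((name, "high", "no WPA key management: WEP-only SSID"))
        elif not suite:
            findings.append((name, "high", "no encryption configured for this SSID"))
        if s["psk_type"] == "7":
            findings.append((name, "medium", "PSK stored as type 7, which is reversible; "
                             "treat the config file as containing the plaintext key"))
        if s["mac_auth"]:
            findings.append((name, "info", "relies on MAC-address authentication, which a "
                             "client can spoof"))
    return findings


def severities(config):
    """Worst severity per SSID, for a summary line."""
    rank, worst = {"info": 0, "medium": 1, "high": 2, "critical": 3}, {}
    for ssid, sev, _ in audit(config):
        if ssid not in worst or rank[sev] > rank[worst[ssid]]:
            worst[ssid] = sev
    return worst


if __name__ == "__main__":
    for ssid, sev, msg in audit(SAMPLE_CONFIG):
        print("%-8s %-8s %s" % (ssid, sev.upper(), msg))
```

On the sample, the SSID carrying `wpa optional` beside a global `aes-ccm tkip wep128` suite is the critical one, exactly the condition Yves describes; the VLAN-mapped SSID whose own suite is `aes-ccm` only is not flagged for WEP, which is why a per-VLAN cipher suite, rather than one global suite, is the knob that separates the two authentication schemes.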

This Discussion

Posted January 20, 2010 at 8:14 AM
Stats: Replies: 8, Views: 1372