Jul 2nd, 2010

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get an update on different aspects of wireless network design and installation with Fred Niehaus.  Fred is a Technical Marketing Engineer for the Wireless Networking Business Unit at Cisco, where he is responsible for developing and marketing enterprise wireless solutions using Cisco Aironet and Airespace wireless LAN products. In addition to his participation in major deployments, Niehaus has served as technical editor for several Cisco Press books including the "Cisco 802.11 Wireless Networking Reference Guide" and "The Business Case for Enterprise-Class Wireless LANs." Prior to joining Cisco with the acquisition of Aironet, Niehaus was a support engineer for Telxon Corporation, supporting some of the very first wireless implementations for major corporate customers. Fred has been in the data communications and networking industry for more than 20 years and holds a Radio Amateur (Ham) License "N8CPI."

Remember to use the rating system to let Fred know if you have received an adequate response.

Fred might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through July 16, 2010. Visit this forum often to view responses to your questions and the questions of other community members.

cthrasher Fri, 07/02/2010 - 15:19


I have 2 WiSM blades that I want to set up as redundant or failover for each other. I am using WCS and my 2 WiSM blades are on 2 different 6500 switches. My 6500s are connected via fiber at layer 2. I have a couple of WLANs set up on my primary controller and I am using dynamic interfaces to map the VLAN supporting the WLAN. If my primary controller fails, I understand I use templates on the WCS to apply secondary and tertiary controllers to the connected APs. What happens to my session as a client if my primary controller fails, and I then begin to look for the secondary controller and the secondary controller has a different IP address for VLAN 300? Will a mobility group keep me connected, or will my session fail and re-connect after finding the secondary controller? What are best practices for setting up what I want to achieve? Thank you!


Leo Laohoo Mon, 07/05/2010 - 15:27

If your WLAN setup isn't that complicated (no 802.1x, for example), I'd recommend you look into H-REAP.  During a failover with H-REAP, the LWAPs don't lose sessions and it's "business as usual".

cthrasher Tue, 07/06/2010 - 09:10

I am using HREAP for my field sites, but these controllers are supporting my local campus.  Are you suggesting I use HREAP for my local campus?

shakeerali Sat, 07/03/2010 - 01:40


I want a Switch/Router to transfer data from an ATM (Automated Teller Machine) on one side using GPRS as the medium, and have a Router at the other end with VPN connectivity. Could you suggest the Cisco part numbers for the Switch/Router with GPRS Modem and the Router with VPN connectivity? I also want to know what IP address will be used at the Switch/Router (ATM side), i.e. is it a public IP address or a private IP address? And is it possible to use a Cisco 880 Wireless Router at the ATM Machine side in my design?


Mohammed Ali

Leo Laohoo Mon, 07/05/2010 - 15:25

Could you suggest the Cisco part numbers for the Switch/Router with GPRS Modem and the Router with VPN connectivity?

How many VPN tunnels do you have in mind?

The 880G series router has 3G capability and supports up to 20 VPN tunnels.

Cisco 880G Series 3G Wireless Integrated Services Router

3G Features for Cisco 880 Series Integrated Services Routers

Don't forget to rate useful posts.  Thanks.

praetoleiad Mon, 07/05/2010 - 18:01

Sir, how do we get the info about the number of VPN tunnels supported by a router? I can't find it in the documentation provided by Cisco. I still need to contact Cisco regarding some info.

Leo Laohoo Mon, 07/05/2010 - 20:42

You gave me a "3" for giving you the correct answer????  

amila.bperera Sat, 07/03/2010 - 13:32

Hi there,

I am searching for wireless connectivity between two office premises which are 50 m (line of sight) apart from each other, which should also support at least 30 Mbps (this is imperative) of traffic. Can I use a 1300 series bridge to accomplish my objective? Alternatively, does anyone have a better suggestion other than the 1300 series?

Please let  me know.

amila.bperera Tue, 07/06/2010 - 01:08

Hi Leo,

Thanks for your reply. Actually we selected wireless as an alternative to fiber optic (it's not cheap). Could you please tell me more about the antenna (directional dish) you're using at the moment? Also the gain of the antenna?

I can't access the following link. Can you please attach it for me in PDF or HTML format?

Many thanks,


Leo Laohoo Tue, 07/06/2010 - 14:59

Have a look at the following links:

Cisco Aironet 2.4 GHz and 5 GHz Antennas and Accessories

Cisco Aironet Antennas and Accessories Reference Guide

For the distance mentioned, a yagi antenna would be suitable.  AIR-ANT2410Y-R (between one or two) for the 2.4 GHz radio (with diversity turned off) would be suitable.

Hope this helps.

Please don't forget to rate useful posts.  Thanks.

amila.bperera Sun, 07/11/2010 - 11:03

Hi Leo,

Thank you very much. Can you please confirm the following specs are OK to deploy?

Use two Cisco Aironet 1252G (a/b/g/n compatible) APs between the two buildings. This access point is also able to support external antenna connectivity.

But this option is more expensive than the previous one.
•    Wireless technology 802.11a/g/n
•    Data transfer rate (max) 300Mbit/s
•    Interfaces    1 x antenna - RP-TNC x 3

Antenna:
For the distance mentioned, a yagi antenna would be more suitable.
AIR-ANT2410Y-R for the 2.4 GHz radio (with diversity turned off).
Gain: 10 dBi
Connector: RP-TNC

However, I have a doubt about the antenna connector type (RP-TNC). I think the AP has RP-TNC x 3 interfaces (sockets), but the selected antenna (AIR-ANT2410Y-R) has only one RP-TNC jack. Is that correct? How is it going to be connected to the AP (is there any special type of connecting arrangement available for this)? Please let me know.

Many thanks,


Leo Laohoo Sun, 07/11/2010 - 14:53

You could use only one antenna.  Just make sure you plug it directly into the "primary" and disable Diversity.

fredn Thu, 07/08/2010 - 12:01

You can use a pair of 1300 or 1400 Series Bridges for this link, as each will support up to a 54 Mb data rate.

Keep in mind the 54 Mb is the radio data rate, with actual throughput being approximately half the radio data rate.

50m is an easy link distance to attain, provided there are no obstructions, but actual throughput will not be 54 Mb.

Another option might be to use a pair of AP-1250's in Bridge mode as they support faster 802.11n throughput speeds but those are indoor devices so you would need to mount the units inside with the antennas located outside (keeping antenna cables to very short distances) as there is a lot of loss in the cable at 2.4 and 5 GHz.

Using the AP-1250 you can achieve a radio data rate of 150 Mb so half of that (actual throughput) might be closer to what you require.



jmprats Tue, 07/06/2010 - 03:12

Hi, I'm not finding any secure method to authenticate wireless users through the web portal in the WLC 5508 with a backend database.

- We have the option of using RADIUS, but in this case the WLC can only use CHAP or PAP, and they are not secure access methods. I could use IPsec on the RADIUS access, but to allow CHAP access I have to enable reversible passwords in Active Directory, which is not a secure way to store passwords. So I cannot use RADIUS.

- I could use LDAP, but the WLC doesn't support LDAP over SSL, so it transmits passwords in clear text, and there is no option to make an IPsec connection between the WLC and the LDAP server. So I cannot use LDAP.

Any help? Is there any secure method to authenticate web users?


Leo Laohoo Tue, 07/06/2010 - 15:02

Is there any secure method to authenticate web users?

802.1x is an option but you won't be able to use H-REAP.

jmprats Wed, 07/07/2010 - 00:17

Sorry, but for web authentication the WLC only has radius, ldap or local authentication options.

802.1x is layer 2 authentication and web authentication is layer 3. I'm not doing layer 2 authentication for this wlan but I need to authenticate users with Active Directory through captive portal.

If I use RADIUS, web authentication on the WLC only supports PAP or CHAP (I cannot understand why it doesn't support MSCHAPv2). If I use LDAP, it doesn't support LDAP over SSL. I think there is a lack of security for a device like this.


fredn Thu, 07/08/2010 - 12:44

Well, RADIUS is how we do it today.

Given you do not wish to do CHAP or PAP this certainly limits your options.

You are correct when you say that WLC doesn't support LDAP over SSL but we are working to add this as I've seen some chatter where folks are working on this.

Unfortunately I can only recommend RADIUS.


jmprats Fri, 07/09/2010 - 00:25

I think it's a security hole for this device:

- LDAP without SSL transmits passwords in clear text, so I can't understand how this configuration option in the controller exists. In fact, in older versions you could configure LDAP with TLS, so in newer versions there is less security! In this example you can see that: "Choose Secure from the Server Mode drop-down box if you want all LDAP transactions to use a secure TLS tunnel."

- And RADIUS with CHAP or PAP against a Windows Active Directory backend database forces storing passwords using reversible encryption, which is the same as storing plaintext versions of the passwords, which is not admissible.

So we don't have an option with minimal security requirements.

Any help?
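The point jmprats keeps coming back to, that CHAP can only be verified by a server that can recover the cleartext password, is easy to see in code. The block below is an added example written for this page, not Cisco or WLC code: it implements the client-side CHAP response from RFC 1994 (MD5 over Identifier, Secret and Challenge) and two server-side user stores, one reversible (what Active Directory's "store passwords using reversible encryption" gives you) and one salted one-way hash. The user names, password and storage layout are constructed.

```python
"""Why CHAP forces reversible password storage, while PAP does not.

Added example for this thread, not Cisco or WLC code.  It models the
RADIUS server side of web authentication against a user store.  The CHAP
response is the one from RFC 1994 (MD5 over Identifier || Secret ||
Challenge); the storage models and sample values are constructed.
"""
import hashlib
import hmac
import os


# ---- client side ----------------------------------------------------------
def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 section 2.2: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret.encode() + challenge).digest()


# ---- two ways the user store could hold the credential --------------------
def store_reversible(password: str) -> dict:
    """Models AD's reversible-encryption option: the server can recover
    the plaintext, which is exactly what CHAP verification needs."""
    return {"kind": "reversible", "plaintext": password}


def store_one_way(password: str) -> dict:
    """Salted one-way hash (PBKDF2-HMAC-SHA256). Plaintext is not recoverable."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return {"kind": "one-way", "salt": salt, "digest": digest}


# ---- server side ----------------------------------------------------------
def verify_chap(record: dict, identifier: int, challenge: bytes, response: bytes) -> bool:
    """The server must recompute MD5(id || secret || challenge) itself,
    so it can only do that when it holds the plaintext secret."""
    if record["kind"] != "reversible":
        return False  # a hash of the password is useless as MD5 input here
    expected = chap_response(identifier, record["plaintext"], challenge)
    return hmac.compare_digest(expected, response)


def verify_pap(record: dict, password_from_client: str) -> bool:
    """PAP delivers the password itself, so a one-way hash is enough to check it.
    PAP's weakness is on the wire (RADIUS only obfuscates User-Password with
    MD5 and the shared secret), not in how the server stores credentials."""
    if record["kind"] == "one-way":
        digest = hashlib.pbkdf2_hmac("sha256", password_from_client.encode(),
                                     record["salt"], 100_000)
        return hmac.compare_digest(digest, record["digest"])
    return hmac.compare_digest(record["plaintext"].encode(), password_from_client.encode())


def demo() -> dict:
    """Run one CHAP and one PAP exchange against both storage models."""
    password = "constructed-password"  # constructed sample value
    identifier, challenge = 0x2A, os.urandom(16)
    response = chap_response(identifier, password, challenge)
    return {
        "chap_with_reversible_store": verify_chap(store_reversible(password), identifier, challenge, response),
        "chap_with_one_way_store": verify_chap(store_one_way(password), identifier, challenge, response),
        "pap_with_one_way_store": verify_pap(store_one_way(password), password),
        "pap_wrong_password": verify_pap(store_one_way(password), "wrong"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:28s} {'verified' if ok else 'cannot verify'}")
```

Running it shows CHAP verifying only against the reversible store, while PAP verifies against the one-way store. That is the trade-off the thread describes: CHAP keeps the password off the wire but forces reversible storage, PAP allows hashed storage but puts the password on the wire. MS-CHAPv2, which jmprats asks about, sits in between because it can be verified from the NT hash AD already keeps, which is why it avoids the reversible-encryption requirement.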

Carl Perkins Wed, 07/07/2010 - 02:04

Hi,  There

I have an issue that I hope you can help with. WiSM controller with code with 136 remote Cisco 1242 APs connected. Of late I'm having to reset the APs to restore connectivity. When the remote site rings in, I can see clients Associated and Authenticated to the APs, but I cannot ping the clients from the local router on the same subnet as the APs, while I can ping the APs with no loss of connectivity. WCS is on ver ; I've just recently upgraded the WiSM from ver to to . It almost seems as if the device is going to sleep or loses connectivity to the controller. This is happening at random sites, but constantly resetting the APs cures the issue. Any help or suggestions would be greatly appreciated.

Kind Regards,


Leo Laohoo Wed, 07/07/2010 - 15:14

There's a bug in the 6.X code where clients stop responding for a period of time.  Cisco is asking everyone listening/reading to avoid the 5.X or 6.X code.  Upgrade to 7.X and see if you find any improvements.

Please don't forget to rate useful posts.  Thanks.

Leo Laohoo Wed, 07/07/2010 - 16:10

Fred?  Oh Fred, where are you????  

ahmedbishry Fri, 07/09/2010 - 05:21


I need your help. I set up an AP-1310 as a Root Bridge in the main site and an AP-1310 as a Non-Root Bridge in the remote site; the distance between them is 2 kilometers. I need to know the following:

1- Which is the best power option for both?

2- What is the best way to know the signal strength between both access points (because I don't know where to see the signal strength between the Root Bridge and the Non-Root Bridge)?

3- How can I align the antenna on both access points for both sites?

Thanks in Advanced,


fredn Fri, 07/09/2010 - 07:24

The best power option for the 1300 is the standard power injector.

If, however, you are using mobility applications (say you were mounting the Bridge in a vehicle or on a mountain top using solar panels), then rather than using the standard injector that uses 48 VDC you would want to order the injector with a "T" in the part number, as the T stands for "Transportation Injector"; that injector uses +12 volts (for car and solar applications).

The best way to know the signal strength (without consoling in) would be to simply look at the LED lights; the blink pattern will tell you.

Another way is to console or browse into the device.  For the LED patterns see the hardware installation guide at this URL

To align (for best performance) you should be able to see your other units (clear line of sight) some folks use binoculars or they might make a bigger target like a cluster of helium balloons and initially point the Root Bridge to the non root site.  Once you get the root unit installed then go to the non-Root and align to it (as previously described).



ahmedbishry Sat, 07/10/2010 - 15:02


I wonder if there is any easy way to know the signal strength of the 1300 bridge (except by the LED light, because the access point is up high on the tower), because I always wonder how strong the signal is after I successfully connect the 1300 Bridge, and I want to tell the client how much signal strength he has.

I also set up a (WLC v6) 4402 and added many 1130 LAPs to it. Everything works fine, but suddenly there is a problem with some of the 1130 LAPs: when two or more 1130 LAPs are close to each other, one of them works by broadcasting the SSID but the others close to it are not sending the SSID. When I turn off the one that is working, the other works fine and sends the SSID, so in the end one of them works fine every time, but not all of them at the same time. When I check in my WLC I find all of the 1130 LAPs are registered and in H-REAP mode.

Thanks in advanced,

karthikeyan gop... Fri, 07/09/2010 - 11:21


I have a wireless controller module (NME-AIR-WLC25-K9) installed in a Cisco 2851 ISR. This setup is in my remote site; we are connected through a MAN network. In our main office I have a Cisco 4402 wireless controller. Whenever I install an AP in my remote site, instead of joining the remote site WLC, the access point joins my main office 4402 controller. I don't know why it is happening; the AP is not even trying to join the remote site WLC. Please let me know what I need to check, or if you need more info.


Leo Laohoo Sun, 07/11/2010 - 14:55

Hi Karthik,

Did you configure High Availability on each of the WAPs?  What version is the firmware?

karthikeyan gop... Mon, 07/12/2010 - 15:07

High availability is not configured between these two controllers. The firmware for one (NME) is and the 4402 is

Leo Laohoo Mon, 07/12/2010 - 22:47

1.  Configure High Availability for the AP and the AP will join the controller of your choice.

2.  You have two WLCs running different code?  Why?

3.  Cisco has been recommending for everyone to stay away from 5.X and 6.X like a plague.

karthikeyan gop... Tue, 07/13/2010 - 09:21

We upgraded to 6.x so that we could install 1142n access points. Shall I upgrade to the newer version and check?

fredn Wed, 07/14/2010 - 08:51

Hi John..  User Scottp... did a good job answering this.  If you are running Cisco client cards then disabling SSID broadcast is fine but as Scott said some clients have problems with this.  Disabling it used to be a great idea back before sniffers and WLAN tools became commonplace.

I don't think I'd bother with trying to hide the SSID anymore - Just enable good security upfront.



jcosgrove Tue, 07/13/2010 - 07:08

Hi Fred,  John N2IDN here thank you for taking questions.

SSID.... to broadcast or not to broadcast?

We have a wireless network that consists of greater than 600 APs that covers a hospital and college campus.  We have deployed multiple SSIDs for various functions through the campus but are currently looking at merging the multiple SSIDs into a common SSID for most enterprise users.  We also have a guest SSID that is open and broadcast.

The question is if we should broadcast our enterprise (secure WPA2) SSID as to make it easier for support people and students to connect to our wireless network.

Any issues come to mind it we broadcast both our guest and enterprise SSID?

I was thinking that if guest users or guest devices try too often to connect to the enterprise SSID they may lock themselves out of the wireless network.  We also may have a lot of devices try by default to connect to the enterprise network, and we may see these attempts detected by the IDS functions of the wireless network.

This is a semi-public environment that has a lot of guests coming into the building each day.

Any guidance would be great.


Scott Pickles Tue, 07/13/2010 - 09:16

JC -

Not broadcasting your SSIDs actually makes it more difficult and unstable for some clients to connect as they have to listen to more beacons to figure out what the SSID is.  Also, there are a lot of products out there that can capture the SSID regardless of whether or not it is being broadcast.  So by not broadcasting your SSIDs, you're decreasing the performance of your clients a little, and you're not providing yourself ANY security as security through obscurity is no security at all.  As you imply, broadcasting your SSIDs will help your users so that they don't fat finger the SSID name in setting up the wireless profile manually, as well as making it a bit more obvious as to what networks exist and what they're used for assuming the names are relevant.  By broadcasting your SSIDs, you're not necessarily alerting people to the presence of your wifi and encouraging them to hack it.  If properly secured, there is no reason not to broadcast the SSIDs.

A good article is here:


jcosgrove Tue, 07/13/2010 - 11:03

Thanks for responding Scott,

I agree with all that you posted.  I was not sure about any performance increases and/or roaming improvements.  My main concern was that I did not want to broadcast anything that some automated consumer devices may just randomly start trying to connect but fail and generate more IPS alarms with failed attempts.  Not a huge problem but I just wanted to make sure I was not missing something on that front.


jcosgrove Tue, 07/13/2010 - 11:15

I have a rather hard to cover environment that seems to have me going towards an AP in every room. 

The general sketch of the building is long and narrow: a center hallway with patient rooms off the hallway.  Hallway and patient rooms are all cement block walls and solid fire-rated doors.  When I try to cover the building from the hallway and radiate out towards the rooms, the coverage is not really bad, but the APs start to get placed at a rate of 1 every 30 feet or so.  Since the hallways all line up, there tend to be a lot of APs on the same channel that can see each other as you run down the hallway.

If I go towards covering from the room side I now have a lot more APs and may end up putting an AP in each patient room.  This will really blow any budget and may cause too much channel re-use.

What success has anyone had with using some smaller distributed antenna system to help move the signal closer to the rooms without trying to blow the signal through the walls?

Any creative suggestions out there?  Let me know.

Thanks to all.


Scott Pickles Tue, 07/13/2010 - 11:30

JC -

You have to keep in mind what your ultimate goal is, irrespective of the environment.  If the building cannot be covered via the hallways, for the reasons you mentioned, then you have to bring your findings back to the customer and have them decide how they would like to proceed.  But you give them options such as:

1.  Can you move to 5 GHz and stay in the halls?

2.  Can you use a mixture of in the halls and in the rooms to at least reduce the number of APs?

3.  Can you alter the required signal strength/SNR values (allowing greater coverage per AP)?  Depends on what services the wireless network must provide.

4.  Are you still worried about co-channel interference if you place APs in the rooms?  If yes, then run the APs at 1/4 power or less.

5.  If you are using an AP with omnis, you may have to switch to 1242/1252/1260 with external antennas and use something with a lower e-plane, something around 60 degrees to allow APs to be placed closer together.

I think that the installation of the distribution system itself often costs a bit of money as well, so it's difficult to say that a DAS would be a better solution in this case.



Scott Pickles Tue, 07/13/2010 - 11:46

JC -

Another thought is to have them deploy in stages, thus spreading the cost out over a couple of budget cycles.  When we've suggested this in the past our concerns were these:

1.  Introduction of new equipment/models that the customer wants.  A mixture of APs essentially places the original survey and design in jeopardy.

2.  Deployment that targets disparate hot spot areas to provide immediate services to the areas needed most generally works ok, so long as the rest of the APs installed are the same model and type.

3.  Changes in management/staff that derails the continued plan to install.

4.  Availability of hardware when it's needed.


gjbotimer242 Wed, 07/14/2010 - 08:14

Hey guys!

Quick one for you: using autonomous 1141n WAPs, but none of the connected wireless clients are getting an IP address from the DHCP server (a router that the 1141n is connected to). They see the SSID just fine, connect just fine to the WPA2 encrypted broadcast, but once connected, cannot do anything (169.254.x.x address). Thanks for any help!


Scott Pickles Wed, 07/14/2010 - 08:24


Things to check:

1.  Can you set a port on the switch to the same VLAN as the wireless VLAN and have a wired client get an address?

2.  Do you have an ip-helper statement on the layer 3 interface?

3.  With pre-shared keys, you can still 'appear' to be associated, but if the PSK is wrong, you won't pass traffic and get an IP address.

4.  What do the logs indicate?

5.  Are there multiple SSIDs?  Do you have VLANs set?  Is the AP then connected to a trunk?  Is the trunk native VLAN correct?  Are your VLAN to SSID mappings correct? etc.


Mhon Baul Wed, 07/14/2010 - 11:34

Hi Experts,

I have a few things to inquire about regarding our deployment of wireless mesh. Currently we have deployed two 1522s (MAP + RAP) with omni antennas, and these are managed by a WLC 4402 running version 6.x.

Now we are having problems with the signal strength that we get. Even when I was close to the MAP, the signal on the laptop was still not full; I mean I don't get an excellent connection. Also, when we are outside the rooms we get a good signal, but once we go inside a room the connection is lost.  Please advise on how we can improve our deployment, because maybe we missed something.

Thanks in advance and appreciate all your feedback


Scott Pickles Wed, 07/14/2010 - 13:42

Reymon -

It's difficult to speculate on what your issues are when we don't know enough about the physical structure and the environment in which you've set up your mesh APs.  However, I'm going to try and ask you a few more questions to get you going in the right direction:

1.  First, when something used to work and now does not, something has changed.  It may not be something you did, but could be something you didn't.  My suggestion here is to check your AP and its antenna connections.  If you did not seal them well enough against weather and water penetration, you may be having some hardware failures as the water begins to affect the radio.  So you may have to check that.

2.  Did you install the RAP + MAP using 5 GHz as the backhaul, client access on 2.4 GHz on the MAP, and no client access on the RAP?  If not, that is the recommended setting.  It doesn't mean you can't have clients on 5 GHz, but for each client you add on 5 GHz you cut down on your backhaul throughput, which is already cut in half for every hop back to the RAP since it's mesh.

3.  You mention going into rooms and losing the signal.  Mesh deployments with 1522 APs is typically outdoors (you can run mesh indoors with other APs such as 1240/1130/etc.).  Depending on the building construction, it would make sense that the signal won't penetrate well indoors as it's not designed to.  This will particularly be the case if you used the directional antennas on the RAP to MAP backhaul on 5 GHz and your clients are also on 5 GHz.  If you are using the omni directional antennas on 2.4 GHz, this would be less of an issue as omni has a 360 degree spread pattern and 2.4 GHz propagates building materials better.

So you can see it isn't a straightforward answer, but I hope I gave you some things to look into.  My suspicion is that the hardware may be having some issues if you say that this used to work and now does not.  I'd be able to comment a bit better if I also knew what you were trying to accomplish with the RAP + MAP setup.  Typically we would see this sort of setup with just 2 APs for either a bridge link, or extending a wired network to an outer lying area/structure.  Unfortunately, just relying on the placement of the MAP close to the outer lying area won't guarantee penetration into that area or structure.  You may have to use a wired bridge connection from that MAP into a switch for the second area for wired connections, or you could change antenna types and possibly continue mesh indoors.


Jean Paul Enerst Wed, 07/14/2010 - 12:12

Hi Expert,

I am on the verge of rolling out my first wireless network! I have a few points that I'd like you to shed light on for me. First let me tell you that I chose PEAP/MSCHAPv2.

1. What are the best practices for a guest SSID? Open with no password?

2. Can I use different encryption per VLAN? VLAN 100 WPA? VLAN 2 WEP? 23 WPA2?

3. As there is only a WPA option in the GUI, and even in the CLI, how do the supplicant or the AP know whether it is WPA or WPA2? I mean there is WPA with a check box, but there is no WPA2.

4. I want to use MAC auth and PEAP. But I read something like: the AP will try to auth with the MAC first, and if it passes the MAC auth it won't bother to try PEAP. Is that true? In my mind, I thought the ACS checks the MAC, and if the MAC is there then the ACS proceeds to PEAP auth.

5. The wired network is already segmented in VLANs, one VLAN per department. Do I need to use different VLANs for the wireless network, or can I reuse the VLANs of the wired network? From a PCI standpoint, what is the best way to do it?

Thanks, greatly appreciate.

---Jean Paul

Scott Pickles Wed, 07/14/2010 - 14:02

Jean Paul -

1.  Yes, the best practice is broadcast, but I wouldn't agree with no password.  You want to make it easy for your users to access the guest services, but not so easy that you expose yourself to risk.  Some common ways to deal with guest access is to use the web auth provided in the controller.  It can be as simple as a splash with a UAP (User Acceptance Policy) or you can use the lobby ambassador/administrator function of the controller to create username/password combinations.  I would definitely enforce ACLs that limit guest traffic to things like DHCP/DNS/HTTP/HTTPS etc. and bandwidth limit if necessary.  The other option is a guest anchor controller outside your firewall.  With the anchoring options configured on the guest VLAN, you can force guest traffic through a tunnel that has its endpoint on a controller outside your firewall.  With this approach, you're safe as the traffic is no longer on your network.  Other options are 3rd party products that are essentially a NAT/Firewall between wired and wireless, but we're talking Cisco here so I'll leave it at that since Cisco does a great job of securing guest traffic.  One final note is that the controller can also be used to authenticate guest wired traffic as well.

2. Yes, you can setup a different encryption/security paradigm per VLAN.  You'll have to create different WLANs and dynamic interfaces for each and then map them accordingly.  I don't recommend any more than 4 SSIDs active at a time to cut down on the amount of beacons that take up time slices on the AP.  I saw you mentioned WEP - please be careful if you must use this.  It can be hacked in seconds these days.  Place any requirements for WEP onto a separate VLAN that is appropriately ACL'd and use the highest encryption possible and rotate the key(s).

3.  You mention about the WPA option in the GUI - to answer your questions here I need to know the model of the AP and the IOS version.  However, I do understand your confusion about the WPA/WPA2 part.  To setup WPA and WPA2, they are both considered WPA for the 'checkbox' - it's the encryption that makes the difference.  The encryption must be configured first, and THEN select the WPA optional/mandatory.  When setting the encryption, if you select 'tkip' you'll be using WPA, if you select 'aes-ccmp' you'll be using WPA2.

4.  Not sure about this one - I don't know which one is performed first.  Generally people prefer PEAP because it allows for two factor authentication.  The first is typically in the form of username and password.  The second is usually in the form of a certificate from a trusted authority.  If the machine authenticating has the certificate installed, it is trusted as part of the system.  I personally wouldn't use MAC authentication as a second form because it can so easily be spoofed, but if your devices don't support certificates then I'm not sure what options you have.  Microsoft has a good guide on PEAP here:

5.  You can use the same VLANs as the wired side, but we generally don't recommend that.  You want to keep your broadcast domains smaller, and that makes for better performance.  In addition, wouldn't you like to write ACLs and manage traffic for wireless separate from wired?  That can only be done effectively from different VLANs.


Jean Paul Enerst Thu, 07/15/2010 - 20:54

Hi Expert,

Before all, thank you for your great advice and help. I've decided to implement a few of them. However, during preliminary tests I ran into some issues. Hopefully you will be able to help one last time.

During my test, I implemented a few SSIDs which worked fine in my lab with WEP encryption. Then I decided to change the encryption; some of the SSIDs did work with WPA2. However, two still have my attention: the guest SSID, which uses WPA with TKIP, and one of the test SSIDs. The guest SSID worked fine until I decided to reload the AP. When the AP came back it could not grab an IP, but show commands show that it is associated with the AP. See below. I am 100% certain that the config is correct as it was working fine before the reload.

a) Show commands

#sh dot11 associations

802.11 Client Stations on Dot11Radio0:


MAC Address    IP address      Device        Name            Parent         State
000e.9b6e.XXXX   ccx-client    -               self           Assoc

Address           : 000e.9b6e.XXX     Name             : NONE
IP Address        :      Interface        : Dot11Radio 0
Device            : ccx-client         Software Version : NONE
CCX Version       : 2

State             : Assoc              Parent           : self
SSID              : SAVY_GUESS
VLAN              : 9
Hops to Infra     : 1                  Association Id   : 13
Clients Associated: 0                  Repeaters associated: 0
Tunnel Address    :
Key Mgmt type     : WPA PSK            Encryption       : TKIP
Current Rate      : 54.0               Capability       : ShortHdr ShortSlot
Supported Rates   : 1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
Voice Rates       : disabled
Signal Strength   : -31  dBm           Connected for    : 11592 seconds
Signal to Noise   : 61  dBm            Activity Timeout : 57 seconds
Power-save        : Off                Last Activity    : 3 seconds ago
Apsd DE AC(s)     : NONE

Packets Input     : 8830               Packets Output   : 9
Bytes Input       : 435094             Bytes Output     : 1154
Duplicates Rcvd   : 15                 Data Retries     : 0
Decrypt Failed    : 0                  RTS Retries      : 0
MIC Failed        : 0                  MIC Missing      : 0
Packets Redirected: 0                  Redirect Filtered: 0
Session timeout   : 0 seconds
Reauthenticate in : never

b) SSID config

   dot11 ssid SAVY_GUESS
   vlan 9
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 1240321A241F5B367B29281F6200133524422D325C
interface Dot11Radio0
no ip address
no ip route-cache
encryption vlan 9 mode ciphers tkip
encryption vlan 16 mode ciphers aes-ccm
ssid Wireless-Test

interface Dot11Radio0.9
encapsulation dot1Q 164
no ip route-cache
bridge-group 9
bridge-group 9 subscriber-loop-control
bridge-group 164 block-unknown-source
no bridge-group 9 source-learning
no bridge-group 9 unicast-flooding
bridge-group 9 spanning-disabled
interface FastEthernet0.9
encapsulation dot1Q 9
ip helper-address 10.XXX.ZZZ.254
no ip route-cache
bridge-group 255
no bridge-group 255 source-learning
bridge-group 255 spanning-disabled

PS: A wired device connected on the VLAN did grab an IP.

2. Wireless-Test

This SSID was working fine until I changed the VLAN associated with it.

SSID [Wireless-Test] :

MAC Address    IP address      Device        Name            Parent         State
001f.3b51.XXXX  ccx-client    00C00070        self           EAP-Assoc

Address           : 001f.3b51.XXXX     Name             : I00000070
IP Address        :     Interface        : Dot11Radio 0
Device            : ccx-client         Software Version : NONE
CCX Version       : 4

State             : EAP-Assoc          Parent           : self
SSID              : Wireless-Test
VLAN              : 16
Hops to Infra     : 1                  Association Id   : 12
Clients Associated: 0                  Repeaters associated: 0
Tunnel Address    :
Key Mgmt type     : WPAv2              Encryption       : AES-CCMP
Current Rate      : 54.0               Capability       : WMM ShortHdr ShortSlot
Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
Voice Rates       : disabled
Signal Strength   : -43  dBm           Connected for    : 14298 seconds
Signal to Noise   : 52  dBm            Activity Timeout : 14 seconds
Power-save        : On                 Last Activity    : 6 seconds ago
Apsd DE AC(s)     : NONE

Packets Input     : 15322              Packets Output   : 256
Bytes Input       : 913707             Bytes Output     : 19866
Duplicates Rcvd   : 249                Data Retries     : 14
Decrypt Failed    : 0                  RTS Retries      : 0
MIC Failed        : 0                  MIC Missing      : 0
Packets Redirected: 0                  Redirect Filtered: 0
Session timeout   : 0 seconds
Reauthenticate in : never

b) config

dot11 ssid Wireless-Test
   vlan 16
   authentication open eap eap_methods2
   authentication network-eap eap_methods2
   authentication key-management wpa
   accounting acct_methods3
   mbssid guest-mode
interface Dot11Radio0.16
encapsulation dot1Q 16
no ip route-cache
bridge-group 16
bridge-group 16 subscriber-loop-control
bridge-group 16 block-unknown-source
no bridge-group 16 source-learning
no bridge-group 16 unicast-flooding
bridge-group 16 spanning-disabled
interface FastEthernet0.16
encapsulation dot1Q 16
ip helper-address
no ip route-cache
bridge-group 16
no bridge-group 16 source-learning
bridge-group 16 spanning-disabled

Can the radio interface get messed up by the reload? How can I verify the radio? Debug did not show the client asking for an IP...

3. My last question is about my ACLs to limit guest access. Should I implement them in my firewall or in my distribution router? The distribution router has a sub-interface for each SSID. Would it be better to block traffic right at the distribution router rather than let unnecessary traffic flow into the network?

Thanks a lot for great advice and guidance,

---Jean Paul.
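As an added example (not code from this thread, from Cisco, or from either poster), the following Python script mechanizes two checks that come up above: Fred's point 3, that on an autonomous IOS AP the per-VLAN cipher, not the 'wpa' key-management line, decides whether an SSID ends up as WPA or WPA2; and, for the sub-interface blocks in the post above, whether each SSID's VLAN has a Dot11Radio0 sub-interface and a FastEthernet0 sub-interface that both carry that dot1Q tag and share one bridge-group (the AP pairs sub-interfaces by dot1Q tag and bridge-group, not by the number after the dot). The sample config is assembled from the two fragments posted above, with the type-7 PSK, the IP helper and the lines the post does not show left out; the function names are the example's own.

```python
"""Lint excerpts of a Cisco autonomous (IOS) AP config for two things:
which WPA generation each SSID really gets, and whether each SSID's VLAN
is plumbed through a matching radio/Ethernet sub-interface pair.
Added example; not code from the thread or from Cisco."""
import re
from collections import OrderedDict

# Constructed sample: assembled from the two config fragments posted in the
# thread above (PSK, helper address and unshown lines omitted).
SAMPLE_CONFIG = """\
dot11 ssid SAVY_GUESS
 vlan 9
 authentication open
 authentication key-management wpa
 mbssid guest-mode
dot11 ssid Wireless-Test
 vlan 16
 authentication open eap eap_methods2
 authentication network-eap eap_methods2
 authentication key-management wpa
 mbssid guest-mode
interface Dot11Radio0
 no ip address
 encryption vlan 9 mode ciphers tkip
 encryption vlan 16 mode ciphers aes-ccm
interface Dot11Radio0.9
 encapsulation dot1Q 164
 bridge-group 9
 bridge-group 9 subscriber-loop-control
 bridge-group 164 block-unknown-source
interface FastEthernet0.9
 encapsulation dot1Q 9
 bridge-group 255
interface Dot11Radio0.16
 encapsulation dot1Q 16
 bridge-group 16
interface FastEthernet0.16
 encapsulation dot1Q 16
 bridge-group 16
"""

# Cipher set (sorted keywords) -> what the client will negotiate.
CIPHER_GENERATION = {
    ("tkip",): "WPA (TKIP)",
    ("aes-ccm",): "WPA2 (AES-CCMP)",
    ("aes-ccm", "tkip"): "WPA/WPA2 mixed (AES-CCMP + TKIP)",
}


def parse_blocks(config):
    """{block header: [sub-commands]}: a non-indented line starts a block,
    indented lines belong to the block above them."""
    blocks, current = OrderedDict(), None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and current is not None:
            blocks[current].append(raw.strip())
        elif not raw[0].isspace():
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def vlan_ciphers(blocks):
    """VLAN id -> sorted cipher keywords from 'encryption vlan N mode ciphers'."""
    ciphers = {}
    for line in blocks.get("interface Dot11Radio0", []):
        m = re.match(r"encryption vlan (\d+) mode ciphers (.+)", line)
        if m:
            ciphers[int(m.group(1))] = tuple(sorted(m.group(2).split()))
    return ciphers


def ssid_vlans(blocks):
    """SSID name -> (vlan id or None, has 'authentication key-management wpa')."""
    out = {}
    for header, lines in blocks.items():
        if header.startswith("dot11 ssid "):
            vlan, wpa = None, False
            for line in lines:
                m = re.match(r"vlan (\d+)$", line)
                vlan = int(m.group(1)) if m else vlan
                wpa = wpa or line.startswith("authentication key-management wpa")
            out[header[len("dot11 ssid "):]] = (vlan, wpa)
    return out


def wpa_generation(config):
    """The key-management line reads 'wpa' for both generations; the cipher
    configured for the SSID's VLAN is what makes it WPA or WPA2."""
    blocks = parse_blocks(config)
    ciphers, result = vlan_ciphers(blocks), {}
    for name, (vlan, wpa) in ssid_vlans(blocks).items():
        cipher = ciphers.get(vlan)
        if not wpa:
            result[name] = "no WPA key management configured"
        elif cipher is None:
            result[name] = "key-management wpa but no cipher for vlan %s" % vlan
        else:
            result[name] = CIPHER_GENERATION.get(cipher, "unknown cipher set %s" % (cipher,))
    return result


def subinterfaces(blocks, prefix):
    """dot1Q tag -> (sub-interface name, bare bridge-group number) for
    every 'interface <prefix>.N' block."""
    by_tag = {}
    for header, lines in blocks.items():
        if header.startswith("interface %s." % prefix):
            tag = group = None
            for line in lines:
                m = re.match(r"encapsulation dot1[Qq] (\d+)", line)
                tag = int(m.group(1)) if m else tag
                m = re.match(r"bridge-group (\d+)$", line)
                group = int(m.group(1)) if m else group
            if tag is not None:
                by_tag[tag] = (header.split()[1], group)
    return by_tag


def vlan_findings(config):
    """VLAN id -> list of problems (empty list = consistently plumbed).
    A VLAN needs a radio and an Ethernet sub-interface tagged with it that
    share one bridge-group; the AP pairs them by tag and group, not by name."""
    blocks = parse_blocks(config)
    radio, wired, findings = subinterfaces(blocks, "Dot11Radio0"), subinterfaces(blocks, "FastEthernet0"), {}
    for vlan in sorted({v for v, _ in ssid_vlans(blocks).values() if v is not None}):
        problems, r, w = [], radio.get(vlan), wired.get(vlan)
        if r is None:
            msg = "no Dot11Radio0 sub-interface is tagged dot1Q %d" % vlan
            for tag, (ifname, _) in radio.items():
                if ifname == "Dot11Radio0.%d" % vlan:
                    msg += " (%s is tagged %d)" % (ifname, tag)
            problems.append(msg)
        if w is None:
            problems.append("no FastEthernet0 sub-interface is tagged dot1Q %d" % vlan)
        if r and w and r[1] != w[1]:
            problems.append("bridge-group differs: %s uses %s, %s uses %s" % (r[0], r[1], w[0], w[1]))
        findings[vlan] = problems
    return findings


if __name__ == "__main__":
    for ssid, gen in wpa_generation(SAMPLE_CONFIG).items():
        print("%-14s %s" % (ssid, gen))
    for vlan, problems in vlan_findings(SAMPLE_CONFIG).items():
        print("vlan %d: %s" % (vlan, "; ".join(problems) or "ok"))
```

Run against `show running-config` output saved to a file, the same two functions give a per-SSID WPA/WPA2 table and a per-VLAN list of sub-interface mismatches, which is the check to run before trusting a reload.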

