Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss Wireless Networking Solutions with Cisco expert Pejman Roshan. Pejman is currently a Product Manager for the Wireless Networking Business Unit for Cisco Systems. He is focused on 802.11 based wireless LAN security and network services. Feel free to post any questions relating to Wireless Networking Solutions. Remember to use the rating system to let Pejman know if you've received an adequate response.
Pejman might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through May 23. Visit this forum often to view responses to your questions and the questions of other community members.
If you have a wireless network spanning a campus, wireless roaming from one access point to another without having to change IP address or lose sessions would mean using the same VLAN at all the APs, which obviously creates a great concern in terms of having L2 VLANs span across the network core and spanning tree issues. What would be a recommendation in such a situation in terms of VLANs? Can something like Mobile IP be used to circumvent using the single L2 VLAN and rather use one VLAN per AP? Appreciate your thoughts.
What we are hearing from most customers is that they are opting for flat deployments on a per building or per floor basis, or stated another way a VLAN per roaming domain. In these scenarios a L3 mobility solution is not required. Obviously there will be scenarios where L3 roaming is required, where the roaming domain spans several L3 broadcast domains, and in those cases we recommend the use of Mobile IP on the wired infrastructure with Proxy Mobile IP services running on the APs. This solution allows seamless secure roaming with the requirement for any special client software.
Hello, if a user has AP1200s that are authenticating against a Cisco Secure ACS server with dynamic WEP keys, has a MAC filter in place, and is using TKIP and MIC, is there anything else that can be done to secure the APs against compromise?
I will give you the classic Cisco answer: It depends! Certainly use of TKIP/MIC with 802.1X authentication is very strong security, mitigating the most common and fearsome WLAN attacks, and further augmenting that with MAC authentication makes the implementation that much more secure.
Some implementations leverage Cisco's IOS based ACLs to restrict traffic on the WLAN, for example to prevent SNMP traffic on the wireless interface, or to harden the APs themselves by restricting access to the AP console via telnet. Also requiring the use of SSH to access the APs further strengthens the deployment.
Many of these scenarios are covered in the SAFE for WLAN document available at:
When can we expect to see a 100Mbps card and a 100Mbps module for the AP1200? Shall I assume that when the module does come it will be able to drop into existing AP1200s?
Are you referring to a 100 Mbps wireless interface, or the wired uplink on the AP?
If you are referring to the wireless interface, there are no plans that I can discuss publicly. We are not allowed to comment on product futures.
If you are referring to the wired uplink interface, the interface is a 10/100 interface today.
We have VxWorks as well as the IOS version of the AP1200, both with different problems. The most annoying problem with the AP1200 running IOS (and I think our only problem with this IOS version, which is why I start with that) is with the VLAN assignment (on one single SSID) by RADIUS, something that works fine with a VxWorks AP.
With exactly the same RADIUS configuration as with the VxWorks APs, the IOS AP seems to ignore the attributes defining the user's VLAN. I know they are sent by RADIUS, since they are in the logfile, and I see them when capturing packets on the wire.
EAP authentication goes just fine, so that confirms RADIUS is working as well.
I'm also able to assign the VLANs to different SSIDs.
I used the VLAN Deployment Guide found on CCO, so I assume I did everything correctly. However, I placed my configuration at
It's essential in our setup that the VLANs are assigned by RADIUS on a single SSID, so I hope that there is a solution to this.
I will forward this message to one of our technical marketing engineers to follow up on. Also, feel free to open a TAC case against this issue.
I want to know what solutions are available from Cisco in order to have complete tracking of any user trying to access a wireless network. A big customer in education needs a solution that includes:
- Validating any user with some kind of login.
- Keep a record of passed and failed users.
- Keep a record of the AP where the user is logged on.
- Keep a record of the time that each user was logged on.
Cisco offers many solutions for the scenarios you mention:
1] Validating any user (assuming you mean the worst case scenario, which is 802.1X and non-802.1X) is possible by leveraging Cisco VLANs on our APs and the Cisco BBSM product. This allows 802.1X clients in their own VLAN for user based authentication and non-802.1X users in their own VLAN for web based authentication.
2] The Cisco ACS server logs 802.1X passed/rejected authentications today, as does the BBSM.
3] & 4] are easily accomplished with RADIUS accounting, which tracks which users are connected to which APs, for how long, and how much data they transfer.
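As an added example (not part of the answer above, and not Cisco code), the script below turns RADIUS accounting Start/Stop records into the per-user, per-AP session history that points 3 and 4 ask for; the records are constructed, and the attribute names (Acct-Status-Type, Called-Station-Id, Acct-Session-Id, Acct-Session-Time, Acct-Output-Octets) are the standard RADIUS accounting ones.

```python
"""Pair RADIUS accounting Start/Stop records into per-user, per-AP sessions:
who, on which AP, for how long, and how much data. Added example with
constructed records that use the standard RADIUS accounting attribute names."""
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"

def rec(status, user, ap, sid, ts, secs=0, octets=0):
    """Constructed accounting record; Called-Station-Id carries the AP's MAC."""
    return {"Acct-Status-Type": status, "User-Name": user, "Called-Station-Id": ap,
            "Acct-Session-Id": sid, "Event-Timestamp": ts,
            "Acct-Session-Time": secs, "Acct-Output-Octets": octets}

# bob never sends a Stop (still connected). alice roams to a second AP, and that
# session reports 1800 s while its timestamps span 2400 s: worth a second look.
RECORDS = [
    rec("Start", "alice", "00-0B-85-11-22-33", "0001", "2003-05-20 08:00:00"),
    rec("Start", "bob",   "00-0B-85-11-22-33", "0002", "2003-05-20 08:05:00"),
    rec("Stop",  "alice", "00-0B-85-11-22-33", "0001", "2003-05-20 08:30:00", 1800, 3520000),
    rec("Start", "alice", "00-0B-85-44-55-66", "0003", "2003-05-20 08:30:05"),
    rec("Stop",  "alice", "00-0B-85-44-55-66", "0003", "2003-05-20 09:10:05", 1800, 14000),
]

def build_sessions(records):
    """Key sessions by Acct-Session-Id; a Stop closes the matching Start."""
    sessions = {}
    for r in records:
        s = sessions.setdefault(r["Acct-Session-Id"], {
            "user": r["User-Name"], "ap": r["Called-Station-Id"], "start": None,
            "stop": None, "seconds": None, "octets": None, "time_mismatch": False})
        if r["Acct-Status-Type"] == "Start":
            s["start"] = r["Event-Timestamp"]
        elif r["Acct-Status-Type"] == "Stop":
            s["stop"], s["seconds"] = r["Event-Timestamp"], r["Acct-Session-Time"]
            s["octets"] = r["Acct-Output-Octets"]
            if s["start"]:  # compare the NAS-reported duration with the wall-clock gap
                gap = (datetime.strptime(s["stop"], FMT)
                       - datetime.strptime(s["start"], FMT)).total_seconds()
                s["time_mismatch"] = abs(gap - s["seconds"]) > 5
    return sessions

def ap_history(sessions, user):
    """APs a user was seen on, in start order; a roam shows up as a new AP."""
    mine = [s for s in sessions.values() if s["user"] == user and s["start"]]
    return [s["ap"] for s in sorted(mine, key=lambda s: s["start"])]

def open_sessions(sessions):
    """Sessions with a Start but no Stop: users presumed still connected."""
    return sorted(sid for sid, s in sessions.items() if s["stop"] is None)
```

Running `build_sessions(RECORDS)` gives one closed session per Stop, lists bob's session as still open, and flags alice's second session because its reported duration does not match its timestamps.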
OK, I hope the technical marketing engineers have the solution to my previous (1200-IOS) question/problem. I'm looking forward to it.
In the meantime maybe you have an answer on another question, this time for the VxWorks platform.
It seems that IPv6 packets are sometimes (about 50% of the time) dropped when VLANs are enabled. (We are using 802.1X on the same AP, but I assume it has nothing to do with 802.1X since an SSID with no EAP enabled has the same problems on its Default VLAN.)
When I capture some packets on the wired side of the AP, I see that the packets I send out on my client (ping) never get to the wire, while IPv4 packets (at (almost) the same time) are transferred correctly. I can see the IPv6 packets are sent to the AP, since I see them in a wireless packet dump.
(Normal TCP connections are dropped as well, we tested more than ping ;-))
There is something strange to add here: there is one single (tagged) VLAN where the IPv6 packets are transferred correctly, even with VLANs enabled. The IPv6 traffic is routed through a different IOS version however (T2 instead of T1, but on more or less the same (2600) router).
I think however that the AP-software is the problem, since it's only wrong when VLANs are enabled, even on the Native VLAN. (Besides, the IOS version works well with VLANs and IPv6.)
Hello there. I have 2 APs running into two separate switches through trunk ports. If a client loses authentication from one AP and then authenticates with the other, what happens to the MAC address that was learned by the original switch? Is it flushed?
The APs have an inter access point protocol (IAPP) that they use to communicate with one another. When a client roams from AP1 to AP2, AP1 sends an IAPP message to AP2 to update the MAC address tables on the switches.
Where can I find more info on this IAPP protocol? Case scenarios, etc.?
Will it work on a site configured with the cisco AP 1100 VLAN tutorial?
The IAPP is a Cisco specific protocol, not publicly available. The IAPP is designed to provide inter access point communications, and so by definition will work with all Cisco APs with or without VLANs enabled (the two are orthogonal).
I have the following doubt.
On an AP350 with version 12.00T, using VLANs, and having the AP ethernet link configured as a trunk, I'd like to have an AP Management VLAN (I defined it as the trunk's native VLAN) that can only be accessed from the wired network (typically from the wired management VLAN). I have defined an SSID for that VLAN, but when it was time to choose the authentication/association (Open, Shared) method, I cleared all checkboxes on the security page. What will that do? Will it prevent anyone from associating since I didn't choose any method of association? I only want people to associate to other VLANs on that AP, thus not being able to reach the AP's management interface.
What is the recommended way of managing APs without allowing someone on the wireless side to do the same?
We are investigating a move from our current 900MHz wireless technology for inventory applications in our distribution centers to 802.11b. The clients would likely be Intermec PDTs with their cards or PSC PDTs which I believe are compatible with the Aironet PC cards. We intend to run all of our APs (estimating 100 per DC) on one VLAN although we would take advantage of dot1q trunking as we add apps such as wireless VoIP. We want to utilize 802.1x security although we have not decided whether we would use EAP-TTLS, LEAP, PEAP or whatever is available. At the same time, we were informed that the Cisco 802.1x re-authentication to RADIUS would cause unreasonable delays when moving from one AP to another. Our biggest concern is with truck-mounted devices that may move rapidly from one AP to another while transmitting and receiving data related to a particular transaction. Intermec claims that they have no such problem. I know you can't elaborate on Intermec's claims but could you discuss the potential issue with authentication delays in the Cisco environment?
Sr. Network Engineer
Dollar General Corporation
Your concerns are valid: as devices roam with 802.1X authentication there is a bit of a delay due to full reauthentication. There are solutions to this issue that your account team can describe to you in full detail. Feel free to have them contact me for more information.
I have five Cisco 1200 series Access Points running 12.02T1 which intermittently all lose connection with each other. When viewing status from the HOME tab the message "Backbone Connectivity Lost. Switching to repeater to re-establish link to primary network" is displayed followed by "Lost Authentication with Parent" on all APs. The only way to resume service is to physically power off/on the AP that was configured first. Any ideas??
No idea off the top of my head (and without more info). I would open up a TAC case and be sure to provide the AP configs.
I'm using an AP1200 at home for my PC laptop. I have a cable modem connection to my provider (Telenet Belgium). The provider gives me an RJ45 connection and has a DHCP server that can furnish me only one IP address (this is the subscription plan). I connected the AP directly to the cable modem and was waiting to receive an IP address from the provider. But I receive nothing on my PC, because the AP1200 receives the IP address from the provider. As the AP1200 is a layer 2 device, can I fix an IP in a private range and then hope that my laptop PC will receive an IP address from the provider?
I made the test with an Orinoco AP: I connected the Orinoco AP to the cable modem and my laptop PC (using a wireless card) directly receives an IP address from my provider. So it is perfectly plug and play.
But this is not the case with the Cisco AP.
Can you give me a solution?
The quick and easy solution here is to assign a static IP address to the AP1200. This will allow your PC to use DHCP to receive the IP address from your cable modem.
I'm trying to build a Wireless LAN using Aironet AP 350 series. I'd like to use EAP-TLS with dynamic WEP keys using X.509 certificates on the clients and an ACS 3.1 with RADIUS.
The clients that have WIN-XP work fine.
My clients with WIN2K Pro SP3 and the 802.1x fix cannot be associated to the AP.
The configuration is the same for both kinds of clients. The only difference is that in W2K the connection is managed by both the operating system and the Cisco client ACU, while in WIN-XP the connection is managed only by Windows.
Can anyone give me some hints about other fixes needed or configuration checks to do?
Thanks to all in advance.
We have a configuration guide available at:
We are testing wireless VLANs for our infrastructure network. Using a RADIUS server on Cisco ACS 3.1, the clients using XP are correctly authenticated. We cannot find the ACS parameter to set the VLAN-id for the clients in order to use different VLANs for different users.
This feature is present when using an open source RADIUS server.
Can you help us to find where we can set this parameter on the Cisco product?
Our project is to install up to 11 Cisco Aironet 350 Series Bridges. We are going to use them for data and voice. We've already installed 5.
Our question is how to increase the throughput.
I'm trying to understand some of the configuration settings on the AP1200's and why we're not getting the throughput I thought we would.
Right now we have 1220s with 802.11b radios in them.
Could you explain the settings for what is meant by "Basic" versus "Yes" versus "No" for the access speeds. For example, it's not clear to me when I set 1 Mbps = Basic, 2 Mbps = Basic, 5.5 Mbps = Yes, 11 Mbps = Yes, what exactly is supposed to happen when a user associates and starts to transmit.
Does it mean that while they can associate at 11 Mbps, and the ACU will show a link speed of 11 Mbps, they are really only transmitting at 1 or 2 Mbps? (Does the ACU always show the actual throughput, or just the highest setting for the link speed that the user configured?)
I want to allow clients to associate at the fastest rates they can, given their locations. Should I be setting all my linkspeeds to "Basic"?
Thank you very much for any help you can give me.
The "Basic" setting indicates that beacons can be sent at that data rate, while the "Yes" setting indicates support for that data rate.
When the client associates to the AP, it will negotiate the fastest possible data rate supported on both the client and the AP.