Aironet 1250 series broadcasting multiple SSID

martintony3422
Level 1

After configuring the AP (hopefully it's correct), I have multiple devices such as phones, laptops, touchpads that detect the same SSID twice.

For example, my SSID is CISCOCONNECT.

The device will detect two identical SSIDs; however, one is an open network and the other is secured with WEP.

1. CISCOCONNECT (Open)

2. CISCOCONNECT (WEP)

I associated CISCOCONNECT to a VLAN with WEP encryption. I can connect to CISCOCONNECT (WEP) fine on all devices. Not sure why there is a second CISCOCONNECT (OPEN) and how can I disable it? It shouldn't even exist.

I am new with CISCO equipment so I apologize if this was discussed in the past.

12 Replies

Hi Martin,

If you could, console into this AP & post "show run" output.

That will help us to see how we can get it fixed

HTH

Rasika

Hi Martin,

If that is the case, you should be able to telnet to the AP using its IP address & get that output. If you haven't set a username/password by default cisco/Cisco should work for username/password.

Give it a try & see

Rasika

Rasika,

I believe this is what you are looking for: Thanks for your help in advance.

login as: admin

admin@10.243.0.15's password:

CORPAP1252_1#show run

Building configuration...

Current configuration : 4773 bytes

!

! No configuration change since last restart

!

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec localtime show-timezone

service password-encryption

!

hostname CORPAP1252

!

!

aaa new-model

!

!

aaa authentication login default local

aaa authorization exec default local

!

aaa session-id common

clock timezone -0800 -8

clock summer-time -0700 recurring

ip domain name Test.com

!

!

no vlan accounting output

!

dot11 ssid WIRELESS A_GUEST

   vlan 4

   authentication open

!

dot11 ssid WIRELESS A

   vlan 8

   authentication open

   guest-mode

!

dot11 network-map

power inline negotiation prestandard source

!

!

username admin privilege 15 password 7 02001264C043C003259C

!

bridge irb

!

!

interface Dot11Radio0

no ip address

no ip route-cache

!

encryption vlan 8 key 1 size 128bit 7 56JUKLP098I87YCR6567UJ3EDFR5 transmit-key

encryption vlan 8 mode wep mandatory

!

encryption vlan 8 mode ciphers aes-ccm tkip

!

ssid WIRELESS A_GUEST

!

ssid WIRELESS A

!

packet retries 128 drop-packet

station-role root

!

interface Dot11Radio0.5

encapsulation dot1Q 5

no ip route-cache

bridge-group 5

bridge-group 5 subscriber-loop-control

bridge-group 5 block-unknown-source

no bridge-group 5 source-learning

no bridge-group 5 unicast-flooding

bridge-group 5 spanning-disabled

!

interface Dot11Radio0.7

encapsulation dot1Q 7

no ip route-cache

bridge-group 7

bridge-group 7 subscriber-loop-control

bridge-group 7 block-unknown-source

no bridge-group 7 source-learning

no bridge-group 7 unicast-flooding

bridge-group 7 spanning-disabled

!

interface Dot11Radio0.8

encapsulation dot1Q 8

no ip route-cache

bridge-group 8

bridge-group 8 subscriber-loop-control

bridge-group 8 block-unknown-source

no bridge-group 8 source-learning

no bridge-group 8 unicast-flooding

bridge-group 8 spanning-disabled

!

interface Dot11Radio0.15

encapsulation dot1Q 15 native

no ip route-cache

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

bridge-group 1 spanning-disabled

!

interface Dot11Radio1

no ip address

no ip route-cache

!

encryption vlan 8 key 1 size 128bit 7 56JUKLP098I87YCR6567UJ3EDFR5 transmit-key

encryption vlan 8 mode wep mandatory

!

encryption vlan 8 mode ciphers aes-ccm tkip

!

ssid WIRELESS A

!

no dfs band block

channel dfs

station-role root

!

interface Dot11Radio1.5

encapsulation dot1Q 5

no ip route-cache

bridge-group 5

bridge-group 5 subscriber-loop-control

bridge-group 5 block-unknown-source

no bridge-group 5 source-learning

no bridge-group 5 unicast-flooding

bridge-group 5 spanning-disabled

!

interface Dot11Radio1.7

encapsulation dot1Q 7

no ip route-cache

bridge-group 7

bridge-group 7 subscriber-loop-control

bridge-group 7 block-unknown-source

no bridge-group 7 source-learning

no bridge-group 7 unicast-flooding

bridge-group 7 spanning-disabled

!

interface Dot11Radio1.8

encapsulation dot1Q 8

no ip route-cache

bridge-group 8

bridge-group 8 subscriber-loop-control

bridge-group 8 block-unknown-source

no bridge-group 8 source-learning

no bridge-group 8 unicast-flooding

bridge-group 8 spanning-disabled

!

interface Dot11Radio1.15

encapsulation dot1Q 15 native

no ip route-cache

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

bridge-group 1 spanning-disabled

!

interface GigabitEthernet0

ip address dhcp

no ip route-cache

duplex auto

speed auto

!

interface GigabitEthernet0.5

encapsulation dot1Q 5

no ip route-cache

bridge-group 5

no bridge-group 5 source-learning

bridge-group 5 spanning-disabled

!

interface GigabitEthernet0.7

encapsulation dot1Q 7

no ip route-cache

bridge-group 7

no bridge-group 7 source-learning

bridge-group 7 spanning-disabled

!

interface GigabitEthernet0.8

encapsulation dot1Q 8

no ip route-cache

bridge-group 8

no bridge-group 8 source-learning

bridge-group 8 spanning-disabled

!

interface GigabitEthernet0.15

encapsulation dot1Q 15 native

no ip route-cache

bridge-group 1

no bridge-group 1 source-learning

bridge-group 1 spanning-disabled

!

interface BVI1

ip address 10.243.0.15 255.255.252.0

no ip route-cache

!

ip default-gateway 10.243.0.1

ip http server

ip http authentication aaa

no ip http secure-server

ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag

logging history warnings

logging trap warnings

logging 10.243.0.10

snmp-server community lmfk12 RO

bridge 1 route ip

!

!

!

line con 0

line vty 0 4

password 7 23WDD4765GHY8945HYJCD

!

sntp server 10.243.0.5

sntp broadcast client

end

Hi Martin,

Thanks for this. Yes, that is what I requested.

As you can see in the configuration, you are advertising two SSIDs: "WIRELESS A_GUEST" & "WIRELESS A". On your mobile devices the full SSID name is not visible & you may think it is the same SSID advertising twice. It is not the case.

dot11 ssid WIRELESS A_GUEST

   vlan 4

   authentication open

!

dot11 ssid WIRELESS A

   vlan 8

   authentication open

   guest-mode

!

If you do not want the WIRELESS A_GUEST SSID, which is the Open Authentication one, you can simply remove it from the current configuration as below.

conf t

no dot11 ssid WIRELESS A_GUEST

int d0

no ssid WIRELESS A_GUEST

end

wr mem

HTH

Rasika

**** Pls rate all useful responses ****

Thanks for the quick reply.

I changed the SSID of WIRELESS A_GUEST to WIRELESS B_GUEST, yet I still see WIRELESS A twice on the phone: one as being open and the other WEP.

I believe the GUEST SSID is already hidden since I'm unable to see it on the phone.

Yes, you are correct, I missed that point (Guest is not broadcasting its SSID). Anyway remove it if you are not using it.

Then I would suggest to try this.

dot11 ssid WIRELESS A

vlan 8

authentication open

no  guest-mode

 mbssid guest-mode

!

interface Dot11Radio0

mbssid

no encryption vlan 8 mode ciphers aes-ccm tkip

!

interface Dot11Radio1

mbssid

no encryption vlan 8 mode ciphers aes-ccm tkip

Here is a reference post for WEP configuration in Autonomous

http://mrncciew.com/2013/03/02/autonomous-ap-with-wep-security/

On a side note, I should let you know WEP is a very weak security mechanism & nobody should use it. It is better if you could configure WPA2/AES with a PSK if all your client devices support it.


HTH

Rasika


Hi Rasika,

What exactly is this changing? Again, I'm very new to this.

In the current configuration, under the radio interfaces you have configured different encryptions (WEP, AES, TKIP). Since you are using only WEP, the given command will remove the other one.

Also under SSID, it would allow you to create another SSID (for testing) with broadcast capability

HTH

Rasika
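An added example, not part of the original thread: a small Python audit that maps each "dot11 ssid" to its VLAN and flags the conditions raised in this discussion (a VLAN with no encryption, WEP, more than one encryption mode on one VLAN, ciphers without key management). The audit function and the sample configuration are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the "show run" in this thread (WEP key line omitted).
SAMPLE_CONFIG = """\
dot11 ssid WIRELESS A_GUEST
   vlan 4
   authentication open
!
dot11 ssid WIRELESS A
   vlan 8
   authentication open
   guest-mode
!
interface Dot11Radio0
 encryption vlan 8 mode wep mandatory
 encryption vlan 8 mode ciphers aes-ccm tkip
 ssid WIRELESS A_GUEST
 ssid WIRELESS A
"""

def audit(config):
    """Return {ssid: [findings]} for an autonomous-AP style config."""
    ssid_vlan, key_mgmt, modes = {}, set(), defaultdict(set)
    current = None  # SSID block being parsed, if any
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"dot11 ssid (.+)", line):
            current = m.group(1)
        elif line == "!" or line.startswith("interface "):
            current = None
        elif current and (m := re.match(r"vlan (\d+)$", line)):
            ssid_vlan[current] = m.group(1)
        elif current and line.startswith("authentication key-management"):
            key_mgmt.add(current)
        elif m := re.match(r"encryption vlan (\d+) mode (wep|ciphers)\b(.*)", line):
            modes[m.group(1)].add((m.group(2) + m.group(3)).strip())
    findings = {}
    for ssid, vlan in ssid_vlan.items():
        out, vmodes = [], modes.get(vlan, set())
        if not vmodes:
            out.append(f"vlan {vlan}: no encryption configured (open network)")
        if any(x.startswith("wep") for x in vmodes):
            out.append(f"vlan {vlan}: WEP in use")
        if len(vmodes) > 1:
            out.append(f"vlan {vlan}: more than one encryption mode {sorted(vmodes)}")
        if any(x.startswith("ciphers") for x in vmodes) and ssid not in key_mgmt:
            out.append(f"vlan {vlan}: ciphers set but SSID has no key-management")
        findings[ssid] = out
    return findings
```

Calling audit(SAMPLE_CONFIG) reports the guest SSID as unencrypted and three findings for "WIRELESS A"; encryption modes are aggregated per VLAN across all radio interfaces in the input.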

The problem is still there.

If you check this from a Laptop, do you see the SSID twice ?

Pls attach the current "show run" configuration to see the current status.

Are you ok to change this to WPA2/AES & check  ?

Rasika

Ironically it does not happen on Windows laptop, just MACs and some phones.

Ok, those devices may not like WEP.

Let's create a new SSID for WPA2/AES & see if that works, while keeping the existing one as it is. Will use vlan 7 (subinterfaces already there in your AP), assuming you have a gateway created for this vlan on your switch where this AP is connected.

Create an SSID called "TEST" as shown below & see what the behaviour of that new SSID is. Hopefully you will see this on all devices & you should be able to connect with the "Cisco123" password.

interface Dot11Radio0

encryption vlan 7 mode ciphers aes-ccm

ssid TEST

!

interface Dot11Radio1

encryption vlan 7 mode ciphers aes-ccm

ssid TEST

!

dot11 ssid TEST

   vlan 7

   authentication open

   authentication key-management wpa version 2

   mbssid guest-mode

   wpa-psk ascii Cisco123

Give it a try & let me know

HTH

Rasika
