New Member

Autonomous APs with more than one SSID in one VLAN?

Hello,

We are using Cisco's autonomous APs in several of our locations with an SSID configured with WPA-PSK.

Now we want to add another SSID that uses WPA-EAP authentication.

Since many of our locations have flat VLAN architecture with a single VLAN, we would like to have both SSIDs in the same VLAN, in one subnet.

Is this supported in autonomous APs?

Regards,

Sinan

Accepted Solutions
VIP Purple

Re: Autonomous APs with more than one SSID in one VLAN?

It is possible, though it is not a standard way of configuring it.

Here is a solution if you are willing to give it a try. If you have a flat VLAN, then you can configure your AP-connected switchport as an access VLAN port & configure your two SSIDs like this. It should work (I have tested with Open Auth & you can try adding security as well). You may not be able to broadcast both SSIDs, but that's something you have to compromise on if you want this.

***** SWITCH PORT CONFIG ****

interface GigabitEthernet1/0/11
 description AAP-1142
 switchport access vlan 143
 switchport mode access
 spanning-tree portfast

***** AP CONFIG ****

hostname A1140
!
dot11 ssid ARH
   authentication open
!
dot11 ssid MRN
   authentication open
   guest-mode
!
interface Dot11Radio1
 ssid ARH
 ssid MRN
 station-role root
 bridge-group 1
 no shutdown
!
interface GigabitEthernet0
 bridge-group 1
!
interface BVI1
 ip address dhcp
!

Once you do this you can associate clients to different SSIDs, but all get an IP from the same flat VLAN (143 in my example).

A1140#show dot11 associations

802.11 Client Stations on Dot11Radio1:

SSID [ARH] :
MAC Address    IP address      Device        Name            Parent         State
a088.b435.c2f0 192.168.143.63  ccx-client    A1140           self           Assoc

SSID [MRN] :
MAC Address    IP address      Device        Name            Parent         State
04f7.e4ea.5b66 192.168.143.64  unknown       -               self           Assoc

A1140#sh ver
Cisco IOS Software, C1140 Software (C1140-K9W7-M), Version 12.4(25d)JA, RELEASE SOFTWARE (fc1)

HTH

Rasika

**** Pls rate all useful responses ****
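
A check for the layout in this answer, as an added example that is not part of the original post or any Cisco tool: it parses the `dot11 ssid` stanzas of an autonomous AP configuration and reports SSIDs left on open authentication and SSIDs that end up on the same segment because no `vlan` is set. The function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample: the AP configuration from the answer above, condensed.
SAMPLE_CONFIG = """\
dot11 ssid ARH
   authentication open
!
dot11 ssid MRN
   authentication open
   guest-mode
!
interface Dot11Radio1
 ssid ARH
 ssid MRN
!
"""

def parse_ssids(config):
    """Collect per-SSID settings from the global 'dot11 ssid' stanzas."""
    ssids, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        match = re.match(r"dot11 ssid (\S+)$", line)
        if match:
            current = ssids.setdefault(match.group(1), dict(vlan=None, open=False, keyed=False))
        elif not raw[:1].isspace():
            current = None  # any other top-level line closes the stanza
        elif current is not None:
            if line.startswith("vlan "):
                current["vlan"] = line.split()[1]
            elif line.startswith("authentication open"):
                current["open"] = True
            elif line.startswith("authentication key-management"):
                current["keyed"] = True
    return ssids

def audit(config):
    """Return (ssid, finding) pairs for open SSIDs and SSIDs sharing a segment."""
    ssids = parse_ssids(config)
    findings = [(name, "open authentication, no key management")
                for name, s in sorted(ssids.items()) if s["open"] and not s["keyed"]]
    segments = {}
    for name, s in sorted(ssids.items()):
        segments.setdefault(s["vlan"] or "untagged", []).append(name)
    findings += [("+".join(names), f"share segment {vlan}")
                 for vlan, names in segments.items() if len(names) > 1]
    return findings

if __name__ == "__main__":
    print("\n".join(f"{ssid}: {finding}" for ssid, finding in audit(SAMPLE_CONFIG)))
```

Run against the configuration as posted, it reports both SSIDs as open and as sharing the untagged segment; a configuration with a `vlan` and `authentication key-management` line per SSID produces no findings.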

6 REPLIES
VIP Purple

Autonomous APs with more than one SSID in one VLAN?

Hi Sinan,

This is as per my idea:

On autonomous access points you can configure multiple SSIDs on your access point if you don’t have multiple VLANs configured already. If your access point supports several radios (802.11a and 802.11b/g) then you can configure an SSID linked to one radio, and then another SSID linked to the other radio.

Anyway, having two SSIDs configured to have access to the same network (VLAN) using two different keys would not make sense, because it would be like having a door with a lock that can be opened with two different keys. I mean, the clients that have access to the network on any SSID will have access to the same VLAN and the same resources.

But to answer your question, yes, the access point lets you configure this. You only have to be aware that you will have the same encryption for both SSIDs. You can use different keys, but since the encryption is set per radio and you are not using different VLANs, you cannot select multiple encryption methods (like TKIP for WPA on one SSID and AES for WPA2 or WEP for the other SSID).

Now what Cisco tells us:

No, it's not possible... it's always a 1:1 mapping between the SSID and the VLAN in autonomous infrastructure.

IT'S ONLY POSSIBLE IF YOU HAVE A DUAL RADIO AP AND YOU CONFIGURE 2 SSIDS, MAPPING EACH TO RESPECTIVE RADIOS AND THEN USING THE SAME ENCRYPTION TO SAME.

Regards

Don't forget to rate helpful posts

Hall of Fame Super Silver

Autonomous APs with more than one SSID in one VLAN?

Like Sandeep mentioned, this is not possible on autonomous. With a WLC you can map multiple SSIDs to a single VLAN, but autonomous is limited.

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***
New Member

Autonomous APs with more than one SSID in one VLAN?

Hi guys, thank you all for the help.

I was always trying to broadcast one of the SSIDs, but the non-broadcast one could not be associated.

When I configured both SSIDs hidden, I can associate with both SSIDs and get an IP address from the same subnet.

Using both SSIDs hidden won't be a problem for us, so we will proceed this way.

Regards,

Sinan

VIP Purple

Autonomous APs with more than one SSID in one VLAN?

Hi Sinan,

Yes, you can proceed this way as Rasika mentioned, but Cisco doesn't recommend doing it this way.

It's always good to have each SSID mapped to its own VLAN. Even I mentioned in my first post that you can do this, but personally I will not recommend this.

Hope it helps.

Regards

Don't forget to rate helpful posts

Autonomous APs with more than one SSID in one VLAN?

Configuring Additional WPA Settings

Use two optional settings to configure a pre-shared key on the access point and adjust the frequency of group key updates.

Setting a Pre-Shared Key

To support WPA on a wireless LAN where 802.1x-based authentication is not available, you must configure a pre-shared key on the access point. You can enter the pre-shared key as ASCII or hexadecimal characters. If you enter the key as ASCII characters, you enter between 8 and 63 characters, and the access point expands the key using the process described in the Password-based Cryptography Standard (RFC 2898). If you enter the key as hexadecimal characters, you must enter 64 hexadecimal characters.

Configuring Group Key Updates

In the last step in the WPA process, the access point distributes a group key to the authenticated client device. You can use these optional settings to configure the access point to change and distribute the group key based on client association and disassociation:

• Membership termination—the access point generates and distributes a new group key when any authenticated device disassociates from the access point. This feature keeps the group key private for associated devices, but it might generate some overhead traffic if clients on your network roam frequently among access points.

• Capability change—the access point generates and distributes a dynamic group key when the last non-key management (static WEP) client disassociates, and it distributes the statically configured WEP key when the first non-key management (static WEP) client authenticates. In WPA migration mode, this feature significantly improves the security of key-management capable clients when there are no static-WEP clients associated to the access point.
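
The two key-entry forms described in "Setting a Pre-Shared Key", as an added example that is not part of the quoted documentation or the access point's own code: a 64-character hexadecimal key is used directly, while an 8 to 63 character ASCII passphrase is expanded with RFC 2898 PBKDF2. The PBKDF2 parameters (HMAC-SHA1, the SSID as salt, 4096 iterations, 256-bit output) come from IEEE 802.11i and are not stated on this page; the function name and the passphrase in the demo are constructed.

```python
import hashlib
import re

def wpa_psk_to_pmk(key: str, ssid: str) -> bytes:
    """Return the 32-byte pairwise master key for a PSK entered as ASCII or hex."""
    # 64 hex characters are the 256-bit key itself; an ASCII passphrase can
    # never be 64 characters long, so the two forms cannot be confused.
    if re.fullmatch(r"[0-9A-Fa-f]{64}", key):
        return bytes.fromhex(key)
    if not 8 <= len(key) <= 63:
        raise ValueError("ASCII passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(ch) <= 126 for ch in key):
        raise ValueError("passphrase must be printable ASCII")
    # Assumption from IEEE 802.11i: PBKDF2-HMAC-SHA1, salt = SSID, 4096 rounds.
    return hashlib.pbkdf2_hmac("sha1", key.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

if __name__ == "__main__":
    # SSID names are the ones used in this thread; the passphrase is constructed.
    for ssid in ("ARH", "MRN"):
        print(ssid, wpa_psk_to_pmk("constructed-passphrase", ssid).hex())
```

Because the SSID is the salt, the same passphrase configured on two SSIDs yields two different keys, and the strength of an ASCII key rests entirely on the passphrase, since the SSID is public.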
