New Member

Optional WEP on Autonomous AP1230

I would like to enable a single SSID to support EAP and non-EAP clients. This is to enable non-EAP clients to be directed to a captive login portal, and EAP clients to go directly to the network.

I am able to make EAP optional for authentication, but can't seem to make WEP optional. (WEP is probably not the end-game, but I'm trying to get the lowest common denominator working)

My configuration contains:

dot11 ssid MYSSID
 authentication open optional eap EAPAUTH

interface Dot11Radio0
 encryption mode wep optional

This works fine for users using Open authentication, and no encryption.

Users using Open authentication, with 802.1x and WEP encryption are not able to associate with the AP, and I never even see an authentication/association attempt.

Thanks in advance.

New Member

Re: Optional WEP on Autonomous AP1230

Just making sure - did you put in an encryption key for WEP under the radio interface? Also, would it be possible to put the EAP clients on the 802.11a radio (if it has one)? Technically, you're using the same SSID, with the same authentication, but you can configure different encryption requirements.

New Member

Re: Optional WEP on Autonomous AP1230

I want to use dynamic WEP keys (generated by the EAP exchange), so no static WEP keys were configured.

Of course, I *could* put the EAP clients on the .11a radio, but that effectively puts them on a different SSID (logically the same, but physically different).

I need both radios to operate the same.

New Member

Re: Optional WEP on Autonomous AP1230

You may be out of luck. According to an older document at, there's the following specific statement about static WEP and EAP:

Q. In Cisco IOS Software-based APs, can you run static Wired Equivalent Privacy (WEP) keys and Extensible Authentication Protocol (EAP) together on the same AP for authentication? This has worked with VxWorks-based APs.

A. No, you cannot run static WEP keys for encryption and EAP for authentication in the same service set identifier (SSID). VxWorks has allowed this configuration because of software vulnerability, but this ability is not a feature. What you can do is create two SSIDs and two VLANs (one per SSID). Then, configure open authentication with WEP for one SSID and EAP authentication for the other SSID.

I would seriously consider putting in 2 SSIDs, one for EAP and one for non-EAP. Associate each with a different VLAN (required for the configuration). However, if you want them to be on the same subnet, use bridge group 1 under both subinterfaces on a radio. I think it accomplishes what you are trying to do.

New Member

Re: Optional WEP on Autonomous AP1230

OK. So, I did some more digging. This stuff is great in preparing for the Wireless CCIE lab :) I found an example similar to what you are describing at So, I went and built an example. And, using the same SSID on the same interface, I was able to connect using static WEP and LEAP. Here's my SSID config and my interface config for that SSID:

dot11 ssid Test
 authentication open
 authentication network-eap eap_methods
 authentication key-management wpa optional

interface Dot11Radio1
 encryption key 3 size 40bit 12345ABCDE transmit-key
 encryption mode ciphers tkip wep40
 ssid Test

The client (I'm using the Cisco Aironet Desktop Utility with a Cisco a/b/g card) is configured for WEP, with Open authentication. I then change it to LEAP, and it changes right over. I'm using WDS on the AP, with radius-server local for the LEAP authentication piece.

New Member

Re: Optional WEP on Autonomous AP1230

So this is close to what I want, but not quite. You have Open with Static WEP or EAP with dynamic WEP as the two options.

This works for me, too.

I need Open with *NO* WEP or EAP with dynamic WEP.
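
Added example, not part of any post in this thread: a small Python audit of the two configurations posted above that reports, per SSID, what each authentication and encryption combination actually lets a client do. The names `audit` and `SAMPLE` and the finding strings are assumptions, and the parser handles only the commands quoted in the thread.

```python
import re
# Constructed sample modelled on the thread's two configs; the "ssid MYSSID" binding is an assumption.
SAMPLE = """\
dot11 ssid MYSSID
 authentication open optional eap EAPAUTH
dot11 ssid Test
 authentication open
 authentication network-eap eap_methods
 authentication key-management wpa optional
interface Dot11Radio0
 encryption mode wep optional
 ssid MYSSID
interface Dot11Radio1
 encryption key 3 size 40bit 12345ABCDE transmit-key
 encryption mode ciphers tkip wep40
 ssid Test
"""

def audit(config):
    """Return {ssid: sorted findings}. Hypothetical helper; parses only the commands shown above."""
    ssids, radios, cur = {}, [], {}
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"dot11 ssid (\S+)", line):
            cur = ssids.setdefault(m.group(1), {"eap": False, "open_plain": False})
        elif line.startswith("interface "):
            radios.append(cur := {"mode": "", "static_key": False, "ssids": []})
        elif "ssids" in cur:  # inside a radio interface block
            if m := re.match(r"ssid (\S+)", line):
                cur["ssids"].append(m.group(1))
            elif line.startswith("encryption mode "):
                cur["mode"] = line[len("encryption mode "):]
            elif re.match(r"encryption key \d+ ", line):
                cur["static_key"] = True
        elif "eap" in cur and line.startswith("authentication "):  # inside a dot11 ssid block
            words = line.split()[1:]
            cur["eap"] |= "eap" in words or "network-eap" in words
            cur["open_plain"] |= words == ["open"] or words[:2] == ["open", "optional"]
    out = {}
    for r in radios:
        for name in r["ssids"]:
            s = ssids.get(name, {"eap": False, "open_plain": False})
            checks = [
                (not r["mode"] or r["mode"].endswith("optional"), "cleartext clients can associate"),
                (re.search(r"\bwep", r["mode"]), "WEP cipher enabled"),
                (r["static_key"] and s["eap"], "static WEP key on an SSID that also does EAP"),
                (s["eap"] and s["open_plain"], "EAP not enforced: non-EAP open authentication is also accepted"),
            ]
            out.setdefault(name, set()).update(msg for ok, msg in checks if ok)
    return {name: sorted(found) for name, found in out.items()}
```

Calling `audit(SAMPLE)` returns one list of findings per SSID; an SSID with `authentication open eap <list>` on a radio without WEP or optional encryption returns an empty list.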
