Guest

Wireless, LAN (WLAN)

Autonomous Aironet Access Points and Multiple SSIDs on Cisco IOS Configuration Example

Techzone Article content

Document ID: 116118

Updated: May 29, 2013

Contributed by Surendra BG, Cisco TAC Engineer.

   Print

Introduction

This document describes how to configure multiple service set identifiers (SSIDs) with multiple VLANs on Cisco IOS® software and autonomous Cisco Aironet Access Points.

Prerequisites

Requirements

This configuration example assumes you have configured the DHCP pool on the Cisco IOS switch or router or on a dedicated DHCP server.

In order to complete this configuration, Cisco recommends that you have basic knowledge of Cisco IOS CLI commands.

Components Used

  • Any switch that runs Cisco IOS and supports Multilayer Switching (MLS)
  • Cisco Aironet Access Points

Background Information

The SSID is a unique identifier that wireless networking devices use to establish and maintain wireless connectivity. Multiple access points on a network or subnetwork can use the same SSIDs. SSIDs are case sensitive and can contain up to 32 alphanumeric characters. Do not include spaces in your SSIDs.

You can configure up to 16 SSIDs on your Cisco Aironet 1200 Series Access Point and assign different configuration settings to each SSID. All the SSIDs are active at the same time; that is, client devices can associate to the access point using any of the SSIDs.

If you want the access point to allow associations from client devices that do not specify an SSID in their configurations, you can set up a guest SSID. The access point includes the guest SSID in its beacon. The access point's default SSID, tsunami, is set to guest mode. However, to keep your network secure, you should disable the guest mode SSID on most access points.

If your access point will be a repeater or will be a root access point that acts as a parent for a repeater, you can set up an SSID for use in repeater mode. You can assign an authentication username and password to the repeater-mode SSID to allow the repeater to authenticate to your network like a client device.

If your network uses VLANs, you can assign one SSID to a VLAN. Client devices that use the SSID are grouped in that VLAN.

Video

This video shows the configuration described in this document:

AP Configuration

This configuration uses VLANs (1, 2, and 3) with native as V:LAN 1 and mapping to 3 different SSIDs (ONE , TWO, and THREE) on any Cisco Aironet Access Point.

  • SSID ONE uses WEP encryption.
  • SSID TWO uses WPA-PSK.
  • SSID THREE uses WPA-2-PSK.
  • Assuming the AP Ethernet port is connected to fa 2/1 port of the switch.
  • Broadcasting all 3 SSIDs.
  • If you use a single SSID, use the guest-mode command under the SSID.
  • If you use multiple SSIDs, use the mbssid command under the SSID and under Radio Interfaces

Note: Guest mode overrides multiple basic SSID (MBSSID).

Note: Use the Command Lookup Tool (registered customers only) in order to obtain more information on the commands used in this section.

Complete these steps in order to configure the AP:

Step 1. Configure the SSID and map it to respective VLANS.

Enable
Conf t
Dot11 ssid one
Vlan 1
Authentication open
Mbssid Guest-mode
End


Enable
Conf t
Dot11 ssid two
Vlan 2
authentication open
authentication key-management wpa
wpa-psk ascii 7
Mbssid Guest-mode
End


Enable
Conf t
Dot11 ssid three
Vlan 3
authentication key-management wpa version 2
wpa-psk ascii 7
Mbssid Guest-mode
End

Step 2. Assign encryption to different SSIDs with respective VLANs.

Enable
Int dot11 0
Mbssid
ssid one
ssid two
ssid three

encryption vlan 1 mode wep mandatory
encryption vlan 1 key 1 size 40bit
encryption vlan 2 mode ciphers tkip
encryption vlan 3 mode ciphers aes-ccm

Step 3. Configure the subinterface for Dot11 radio 0 and Ethernet.

On the AP:

AP# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
AP(config)# interface Dot11Radio0.1
AP(config-subif)# encapsulation dot1Q 1 native
AP(config-subif)# bridge group 1

AP(config-subif)# interface FastEthernet0.1
AP(config-subif)# bridge group 1
AP(config-subif)# encapsulation dot1Q 1 native
AP(config-subif)# end
AP# write memory

AP(config)# interface Dot11Radio0.2
AP(config-subif)# encapsulation dot1Q 2
AP(config-subif)# bridge group 2

AP(config-subif)# interface FastEthernet0.2
AP(config-subif)# bridge group 2
AP(config-subif)# encapsulation dot1Q 2
AP(config-subif)# end
AP# write memory

AP(config)# interface Dot11Radio0.3
AP(config-subif)# encapsulation dot1Q 3
AP(config-subif)# bridge group 3

AP(config-subif)# interface FastEthernet0.3
AP(config-subif)# bridge group 3
AP(config-subif)# encapsulation dot1Q 3
AP(config-subif)# end
AP# write memory

AP(config)# bridge irb
Ap(config)# bridge 1 route ip
Ap(config)# end
Ap# wr

On the switch:

en
conf t
int fa 2/1
switchport mode trunk
switchport trunk encapsulation dot1q
switchport trunk native vlan 1
switchport trunk allowed vlan 1,2,3
end

Step 4. Verify.

  • On the AP, use the show dot11 associations command. You must see all 3 SSIDs.
ap#show dot11 associations

802.11 Client Stations on Dot11Radio0:

SSID [one] :
SSID [two] :
SSID [three] :
  • Ping from the AP to the switch VLAN interface. You should be able to ping.

Manage the AP with a Management IP Address

Assign the IP address to the bridge virtual interface (BVI) of the AP:

Enable
Conf t
Int bvi 1
Ip address
No shut
End

Verify

Use the show ip int br command on the AP, and verify that all the interfaces are up and running.

Updated: May 29, 2013
Document ID: 116118