
Cisco Aironet 350 Series

Wireless Virtual LAN Deployment Guide



This deployment guide describes the implementation of wireless virtual LANs (VLANs) over the 802.11 interfaces for Cisco Aironet® 1200, 1100, 350, and 340 Series Access Points and the Cisco Aironet 350 Series Wireless Bridge. Within this document, the concept of wired and wireless VLANs is introduced, detailed feature descriptions of wireless VLANs are presented, and guidelines for deploying wireless VLANs are reviewed.

1  Wired VLAN Introduction

According to the IEEE, VLANs define broadcast domains in a Layer 2 network. Traditional networks use routers to define broadcast domain boundaries. Layer 2 switches create broadcast domains based on the configuration of the switch. Switches are multi-port bridges that allow the creation of multiple broadcast domains. Each broadcast domain is a distinct virtual bridge within a switch.

VLANs have the same attributes as physical LANs with the additional capability to group end stations physically to the same LAN segment regardless of the end stations' geographical location. Figure 1 shows an example of three wired VLANs in logically defined networks.


Figure 1   Example Deployment of Wired VLANs

Single or multiple virtual bridges can be defined within a switch. Each virtual bridge created in the switch defines a new broadcast domain (VLAN). Switch interfaces assigned to VLANs manually are referred to as interface-based or static membership-based VLANs. This type of VLAN is often associated with IP sub-networks. For example, when all of the end stations in a particular IP subnet belong to the same VLAN, traffic cannot pass directly to another VLAN (between broadcast domains) within the switch or between two switches. Traffic between VLANs must be routed.

To interconnect two different VLANs, routers or Layer 3 switches are used. These routers or Layer 3 switches execute inter-VLAN routing or routing of traffic between VLANs. Broadcast traffic is then terminated and isolated by these Layer 3 devices (for example, a router or Layer 3 switch will not route broadcast traffic from one VLAN to another).

The two most common VLAN trunking protocols used on Cisco switches and routers are Inter-Switch Link (ISL) and IEEE 802.1Q. ISL, a proprietary Cisco protocol, and 802.1Q are encapsulation standards used to interconnect multiple switches and routers via trunking. For more information on these VLAN trunking protocols, please refer to the following URL: http://www.cisco.com/pcgi-bin/Support/PSP/psp_view.pl?p=Internetworking:Trunking

2  Wireless VLAN Introduction

2.1  Wireless VLAN Overview

The concept of Layer 2 wired VLANs is extended to the wireless LAN (WLAN) with wireless VLANs. As with wired LANS, wireless VLANs define broadcast domains and segregate broadcast and multicast traffic between VLANs. When VLANs are not used, an IT administrator must install additional wireless LAN infrastructure to segment traffic between user groups or device groups. For example, to segment traffic between employee and guest VLANs, an IT administrator must install two access points at each location throughout an enterprise WLAN network (as shown in Figure 2). However, with the use of wireless VLANs, one access point at each location can be used to provide access to both groups.


Figure 2   User Segmentation Without Wireless VLANs

With VxWorks Firmware Release 12.00T or later and Cisco IOS® Software Release 12.2.4-JA or later, an 802.1Q trunk can be terminated on an access point (Cisco Aironet 1200, 1100, 350, or 340 Series) or on a bridge (Cisco Aironet 350 Series), allowing access up to 16 wired VLANs. A unique Service Set Identifier (SSID) defines a wireless VLAN on the access point and the bridge. Each SSID is mapped to a VLAN-ID on the wired side with a default SSID to VLAN-ID mapping. Additionally, with wireless LANs, a per-VLAN network security policy is defined on the access point and on the bridge by the IT administrator. Sections 3 and 4 discuss this in detail.

2.2  Wireless VLAN Deployment

Wireless VLAN deployment is different for indoor and outdoor environments. For indoor deployments, the access point is generally configured to map several wired VLANs to the wireless LAN. For outdoor environments, 802.1Q trunks are deployed between bridges with each bridge terminating and extending as an 802.1Q trunk, participating in the 802.1d-based Spanning-Tree Protocol process.

Figure 3 shows an indoor wireless VLAN deployment scenario. Four wireless VLANs are provisioned across the campus to provide WLAN access to full-time employees (segmented into engineering, marketing, and human resources user groups) and guests.


Figure 3   Indoor Wireless VLANs Deployment

As shown in Table 1, each wireless VLAN is configured with an appropriate network security policy and mapped to a wired VLAN. An IT administrator enforces the appropriate network security policies within the wired network for each different user group.

Table 1   Configuration for Wireless VLANs in Figure 3

SSID              VLAN-ID   Security Policy
Engineering       14        802.1X with Dynamic WEP + TKIP
Marketing         24        802.1X with Dynamic WEP + TKIP
Human Resources   34        802.1X with Dynamic WEP + TKIP
Guest             44        Open/no WEP

WEP = Wired Equivalent Privacy, TKIP = Temporal Key Integrity Protocol

An outdoor wireless VLAN deployment scenario is shown in Figure 4. In this example, wireless trunking is used to connect the root bridge to the non-root bridges. The root and non-root bridges terminate the 802.1Q trunk and participate in the Spanning-Tree Protocol process of bridging networks together.


Figure 4   Outdoor Wireless VLANs Deployment

3  Wireless VLANs: Detailed Feature Description

This section discusses the wireless VLAN features available with VxWorks Firmware Release 12.00T or later and Cisco IOS Software Release 12.2.4-JA or later. With these releases, an 802.1Q trunk can be enabled between the access point or bridge and the wired infrastructure, allowing up to 16 wired VLANs to be extended to the WLAN.

3.1  Configuration Parameters Per VLAN

As discussed in Section 2.0, a per-VLAN network security policy can be defined on the access point to allow the IT administrator to define appropriate restrictions per VLAN. The following parameters are configurable on the SSID wireless VLAN:

  • SSID name: Configures a unique name per wireless VLAN
  • Default VLAN ID: Default VLAN-ID mapping on the wired side
  • Authentication types: Open, shared, and network-Extensible Authentication Protocol (EAP) types
  • Media Access Control (MAC) authentication: Under open, shared, and network-EAP
  • EAP authentication: Under open and shared authentication types
  • Maximum number of associations: Ability to limit maximum number of WLAN clients per SSID

The following parameters are configurable on the wired VLAN side:

  • Encryption key: This is the key used for broadcast and multicast traffic segmentation per VLAN. It is also used for static Wired Equivalent Privacy (WEP) clients (for both unicast and multicast traffic). This is a component of the Cisco Wireless Security Suite.

Note:    The IT administrator must define a unique encryption key per VLAN. This is discussed more in detail in Section 3.2.


  • Enhanced Message Integrity Check (MIC) verification for WEP: Enables MIC per VLAN. This is a component of the Cisco Wireless Security Suite.
  • Temporal Key Integrity Protocol (TKIP): Enables per-packet key hashing per VLAN. This is a component of the Cisco Wireless Security Suite.
  • WEP (broadcast) key rotation interval: Enables broadcast WEP key rotation per VLAN. This is only supported for wireless VLANs with IEEE 802.1X EAP protocols enabled (such as EAP Cisco Wireless [LEAP], EAP-Transport Layer Security [EAP-TLS], Protected Extensible Authentication Protocol [PEAP], and EAP-Subscriber Identity Module [EAP-SIM]). This is a component of the Cisco Wireless Security Suite.
  • Default policy group: Applies policy group (set of Layer 2, 3, and 4 filters) per VLAN. Each filter (within a policy group) is configurable to allow or deny certain types of traffic.
  • Default priority: Applies default class of service (CoS) priority per VLAN.

With an encryption key configured, the VLAN supports standardized WEP. However, Cisco TKIP, MIC, and broadcast key rotation features are optionally configurable as noted above. Table 2 lists the SSID and VLAN-ID configuration parameters.

Table 2   SSID and VLAN-ID Configuration Parameters

Parameter                               SSID Parameter   VLAN-ID Parameter
Authentication types                    X
Maximum number of associations          X
Encryption key (broadcast key)                           X
TKIP/MIC                                                 X
WEP (broadcast) key rotation interval                    X
Policy group                                             X
Default priority (CoS mapping)                           X

3.2  Broadcast Domain Segmentation

All Layer 2 broadcast and multicast wireless LAN messages are propagated over the air. Thus, each WLAN client receives broadcast and multicast traffic belonging to different VLANs. This is different from wired VLAN broadcast and multicast traffic.

With wired LANs, a wired client receives Layer 2 broadcast or multicast traffic for its own VLAN only. Thus, a unique encryption (broadcast or multicast) key per VLAN is used to segment the Layer 2 broadcast domains on the wireless LAN. This unique encryption key must be configured during initial VLAN setup. If broadcast key rotation is enabled, this encryption key is generated dynamically and delivered to WLAN clients in 802.1X messages.

The requirement to segment broadcast domains on the wireless side restricts the use of unencrypted VLAN per WLAN Extended Sub System (ESS). A maximum of one VLAN can be unencrypted per WLAN ESS. Also, the behavior of a WLAN client on an encrypted VLAN should lead to the discarding of unencrypted Layer 2 broadcast or multicast traffic.

3.3  Native (Default) VLAN Configuration

The access point or the bridge native VLAN (the default VLAN) must be set to the native VLAN of the wired trunk. This allows the access point or bridge to receive and communicate using the Inter-Access Point Protocol (IAPP) with other access points or bridges in the same wireless LAN ESS.

All access points and bridges in an ESS must use the same native VLAN-ID. All Telnet and HTTP management traffic, as well as Remote Authentication Dial-In User Service (RADIUS) server traffic, is routed to the access point via the native VLAN. Cisco recommends that IT managers restrict user access to the default VLAN of the access points and bridges by using Layer 3 access control lists (ACLs) and policies on the wired infrastructure side.

The IT administrator may or may not wish to map the native VLAN of the access point or bridge to an SSID (the WLAN ESS). Scenarios where the native VLAN should be mapped to an SSID include:

1. An associated workgroup bridge is treated as an infrastructure device

2. Connection of a root bridge to a non-root bridge

In the above scenarios, Cisco Systems recommends configuring an "Infrastructure" SSID per access point or bridge.

Figure 5 illustrates the combined deployment of infrastructure devices (such as workgroup bridges, non-root bridges, and repeaters) along with non-infrastructure devices (such as WLAN clients) in an enterprise WLAN. Native VLAN of the access point is mapped to the "Infrastructure" SSID. WEP encryption along with TKIP (at least per-packet key hashing) should be turned on for the "Infrastructure" SSID. Configuration of a secondary SSID as the "Infrastructure" SSID is also recommended. The concepts of primary and secondary SSIDs are explained in the next section.


Figure 5   Combined Deployment of Infrastructure and Non-Infrastructure Devices

3.4  Primary (Guest) and Secondary SSIDs

When enabling multiple wireless VLANs on the access point or bridge, multiple SSIDs are created with each SSID mapping to a default VLAN-ID on the wired side. However, as per 802.11 specifications, only one SSID can be broadcast in the beacons. The IT administrator defines a primary (Guest) SSID that is broadcast in the 802.11 beacon management frames. All other SSIDs are secondary SSIDs and are not broadcast in the 802.11 beacon management frames.

If a client or infrastructure device (such as a workgroup bridge) sends a probe request with a secondary SSID, the access point or bridge will respond with a probe response with that secondary SSID.

An IT administrator can also map the primary SSID to the VLAN-ID on the wired infrastructure in different ways. For example, in an enterprise rollout scenario, the primary SSID could be mapped to the unencrypted VLAN on the wired side to provide "Guest" VLAN access.

3.5  RADIUS-Based VLAN Access Control

As discussed earlier, each SSID is mapped to a default VLAN-ID on the wired side. The IT administrator may wish to impose back end (such as RADIUS)-based VLAN access control using 802.1X or MAC address authentication mechanisms. For example, if the WLAN is set up such that all VLANs use 802.1X and similar encryption mechanisms for WLAN user access, then a user can "hop" from one VLAN to another by simply changing the SSID and successfully authenticating to the access point (using 802.1X). This may not be preferred if the WLAN user is confined to a particular VLAN.

There are two different ways to implement RADIUS-based VLAN access control features:

1. RADIUS-based SSID access control: Upon successful 802.1X or MAC address authentication, the RADIUS server passes back the allowed SSID list for the WLAN user to the access point or bridge. If the user used an SSID on the allowed SSID list, then the user is allowed to associate to the WLAN. Otherwise, the user is disassociated from the access point or bridge.

2. RADIUS-based VLAN assignment: Upon successful 802.1X or MAC address authentication, the RADIUS server assigns the user to a predetermined VLAN-ID on the wired side. The SSID used for WLAN access doesn't matter because the user is always assigned to this predetermined VLAN-ID.

Figure 6 illustrates both RADIUS-based VLAN access control methods: VLAN assignment and SSID access control.

VLAN assignment: Both "Engineering" and "Marketing" VLANs are configured to only allow 802.1X authentication (LEAP, EAP-TLS, PEAP, and so on). As shown in Figure 6, when John uses the "Engineering" SSID to gain access to the wireless LAN, the RADIUS server maps John to VLAN-ID 24. This may or may not be the default VLAN-ID mapping for the "Engineering" SSID. Using this method, a user is mapped to a fixed wired VLAN throughout an enterprise network.

RADIUS-based SSID access control: David uses the "Marketing" SSID to gain access to the wireless LAN. However, the permitted SSID list sent back by the RADIUS server indicates that David is only allowed access to the "Engineering" SSID. Upon receipt of this information, the access point disassociates David from the wireless LAN network. Using this method, a user is given access to only one SSID or to predetermined SSIDs throughout an enterprise network.


Figure 6   RADIUS-Based VLAN Access Control

RADIUS user attributes used for VLAN-ID assignment are:

  • IETF 64 (Tunnel Type): Set this to "VLAN"
  • IETF 65 (Tunnel Medium Type): Set this to "802"
  • IETF 81 (Tunnel Private Group ID): Set this to VLAN-ID

RADIUS user attribute used for SSID access control is:

  • Cisco IOS/PIX RADIUS Attribute, 009\001 cisco-av-pair
    • Example: To allow a user to access the WLAN using only the "Engineering" and "Marketing" SSIDs, configure the above attribute with:
      ssid = Engineering
      ssid = Marketing
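The following added example (not code from the Cisco guide) models how an access point applies the two RADIUS-based access-control methods of Section 3.5 to an Access-Accept: the cisco-av-pair "ssid=" list decides whether the client may stay associated, and the IETF 64/65/81 tunnel attributes override the SSID's default VLAN-ID. The reply dictionaries are constructed sample data keyed by attribute name; the SSID-to-VLAN defaults are taken from Table 1.

```python
# Added example: RADIUS-based SSID access control and VLAN assignment as an
# access point would apply them (Section 3.5). Reply dictionaries are constructed
# samples, not captured RADIUS traffic; attribute names follow the guide.
from dataclasses import dataclass
from typing import Dict, List, Optional

# Default SSID -> wired VLAN-ID mapping configured on the access point (Table 1).
DEFAULT_SSID_VLAN: Dict[str, int] = {
    "Engineering": 14,
    "Marketing": 24,
    "Human Resources": 34,
    "Guest": 44,
}


@dataclass
class Decision:
    action: str             # "associate" or "disassociate"
    vlan_id: Optional[int]  # wired VLAN the client lands in, if associated
    reason: str


def allowed_ssids(reply: dict) -> Optional[List[str]]:
    """Return the SSIDs named in cisco-av-pair 'ssid=<name>' values,
    or None when the server sent no SSID restriction."""
    ssids: List[str] = []
    for pair in reply.get("cisco-av-pair", []):
        if "=" not in pair:
            continue  # malformed av-pair: ignore rather than grant access
        key, value = pair.split("=", 1)
        if key.strip() == "ssid":
            ssids.append(value.strip())
    return ssids or None


def assigned_vlan(reply: dict) -> Optional[int]:
    """Return the VLAN-ID carried in the IETF tunnel attributes (64/65/81).
    All three must be present and consistent; anything partial or malformed
    yields None so the SSID default mapping applies."""
    if (reply.get("Tunnel-Type") != "VLAN"
            or reply.get("Tunnel-Medium-Type") != "802"):
        return None
    try:
        vlan = int(reply["Tunnel-Private-Group-Id"])
    except (KeyError, ValueError):
        return None
    # 802.1Q VLAN-IDs are 12-bit; reject anything outside the usable range.
    return vlan if 1 <= vlan <= 4094 else None


def apply_access_accept(used_ssid: str, reply: dict) -> Decision:
    """Apply an Access-Accept to a client that authenticated via `used_ssid`."""
    if used_ssid not in DEFAULT_SSID_VLAN:
        return Decision("disassociate", None, "unknown SSID")
    # Method 1: RADIUS-based SSID access control.
    permitted = allowed_ssids(reply)
    if permitted is not None and used_ssid not in permitted:
        return Decision("disassociate", None,
                        f"SSID {used_ssid!r} not in permitted list {permitted}")
    # Method 2: RADIUS-based VLAN assignment overrides the SSID default.
    vlan = assigned_vlan(reply)
    if vlan is not None:
        return Decision("associate", vlan, "RADIUS VLAN assignment")
    return Decision("associate", DEFAULT_SSID_VLAN[used_ssid],
                    "default SSID-to-VLAN mapping")


# Constructed replies for the two users of Figure 6.
JOHN_REPLY = {   # VLAN assignment: John always lands in VLAN-ID 24
    "Tunnel-Type": "VLAN",
    "Tunnel-Medium-Type": "802",
    "Tunnel-Private-Group-Id": "24",
}
DAVID_REPLY = {  # SSID access control: David may use "Engineering" only
    "cisco-av-pair": ["ssid=Engineering"],
}

if __name__ == "__main__":
    print(apply_access_accept("Engineering", JOHN_REPLY))
    print(apply_access_accept("Marketing", DAVID_REPLY))
```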

4  Guidelines for Deploying Wireless VLANs

In order to properly deploy wireless VLANs, an IT administrator should evaluate the need for deploying wireless VLANs within their environment. Existing wired VLAN deployment rules and policies should be reviewed. Existing wired VLAN policies can be used as the basis for wireless VLAN deployment policies.

This section details selection criteria for wireless VLAN deployment, provides a deployment example, summarizes the rules for wireless VLAN deployment, and provides best practices to use on the wired infrastructure when deploying wireless VLANs.

4.1  Criteria for Wireless VLAN Deployment

While the full criteria for each wireless VLAN deployment is likely to be unique, some standard criteria exist for most rollouts. These include:

1. Common applications used by all wireless LAN users. The IT administrator should define:

  • Wired network resources (such as servers) commonly accessed by WLAN users
  • Quality of service (QoS) level needed by each application (default CoS, voice CoS, and so on)

2. Common devices used to access the wireless LAN. The IT administrator should define:

  • Security mechanisms (Static WEP, MAC authentication, EAP authentication [LEAP, EAP-TLS or PEAP], virtual private network [VPN], and so on) supported by each device type
  • Wired network resources (such as servers) commonly accessed by WLAN device groups
  • QoS level needed by each device group (default CoS, voice CoS, and so on)

3. Revise the existing wired VLAN deployment design guidelines:

  • Existing policies for VLAN access (for example, are policies implemented for different user groups?)
  • Localized wired VLANs with Layer 3 core or "flat" Layer 2 switched network

After the wireless VLAN deployment criteria have been defined, the deployment strategy needs to be determined. Two standard deployment strategies are:

1. Segmentation by user groups: Segmentation of the WLAN user community and enforcement of specific access-security policies per user group. For example, three wired and wireless VLANs in an enterprise environment could be created for full-time employee, part-time employee and guest access.

2. Segmentation by device types: Segmentation of the WLAN to allow different devices with different access-security "levels" to access the WLAN. For example, it is not recommended to allow handheld computers that support only 40/128-bit static-WEP to co-exist with other WLAN client devices using 802.1X with dynamic WEP in the same VLAN. In this scenario, devices are grouped and isolated with different "levels" of access security into separate VLANs.

Implementation criteria such as those listed below are then defined:

1. Use of policy group (set of filters) to map wired policies to the wireless side

2. Use of 802.1X to control user access to VLANs using either RADIUS-based VLAN assignment or RADIUS-based SSID access control

3. Use of separate VLANs to implement different CoS

4.2  Wireless VLAN Deployment Example

A wireless VLAN deployment example is outlined below. The IT administrator of company XYZ determines the need for wireless LANs in his network. Using the guidelines described in Section 4.1, his findings are as follows:

1. Three different user groups are commonly present across Company XYZ: full-time employees, contract employees, and guests.

2. Full-time and contract employees use company-supplied PCs to access the wireless network. These PCs are capable of supporting 802.1X authentication methods for accessing the WLAN.

3. Full-time employees need full access to the wired network resources. The IT department has implemented application-level privileges for each user (using Microsoft Windows NT or Active Directory (AD) mechanisms).

4. Part-time employees are not allowed access to certain wired resources (such as human resource servers, data storage servers, and so on). Furthermore, the IT department has implemented application-level privileges for part-time employees (using Microsoft Windows NT or AD mechanisms).

5. Guest users need access to the Internet to launch a VPN tunnel back to their company headquarters.

6. Maintenance personnel (electrical, facilities, and others) use specialized handheld computers that support static 40- or 128-bit encryption to access trouble ticket information via an application server VLAN.

7. Existing wired VLANs deployment:

  • Wired VLANs are localized per building (use of unique VLAN-IDs per building).
  • Layer 3 policies are implemented on all VLANs to prevent users from accessing critical applications such as network management servers, and so on.

In the above case, the IT administrator can deploy four wireless VLANs as follows:

1. Create "Full-Time" and "Part-Time" VLANs—Implement 802.1X with dynamic WEP along with TKIP capability for WLAN access. Tie user login on the RADIUS server with Microsoft back-end user database to enable "single sign-on" for WLAN users.

Implement RADIUS-based SSID access control for both "Full-Time" and "Part-Time" employees to access WLAN. This is recommended to prevent part-time employees from VLAN "hopping" (for example, trying to access the WLAN using "Full-Time" VLAN).


Note:    In this deployment scenario, VLANs are localized per building with user group mapping to wired VLAN-IDs different for each building. In order to enable users to access the WLAN from anywhere on campus, SSID access control is recommended rather than fixed VLAN-ID assignments.


2. Create a "Guest" VLAN: Implement open/no WEP access with a broadcast SSID by using the primary SSID for "Guest" VLAN. Enforce policies on the wired network side to force all "Guest" VLAN access to an Internet gateway and deny access into the corporate network.

3. Create a "Maintenance" VLAN—Implement open/with WEP plus MAC authentication for this VLAN. Enforce policies on the wired infrastructure to only allow access to the maintenance server on the application server's VLAN.

Figure 7 illustrates this WLAN deployment scenario. Table 3 lists the configuration details for Figure 7 VLANs.


Figure 7   Wireless VLAN Deployment Example

Table 3   Configuration for VLANs in Figure 7

SSID          VLAN-ID   Security Policy                       RADIUS-Based VLAN Access Control
Full-Time     16        802.1X with Dynamic WEP + TKIP/MIC    Yes
Part-Time     26        802.1X with Dynamic WEP + TKIP/MIC    Yes
Maintenance   36        Open/with WEP + MAC Authentication    No
Guest         46        Open/no WEP                           No

4.3  Summary of Rules for Wireless VLAN Deployment

This section summarizes the VLAN rules and guidelines discussed in this document:

1. 802.1Q VLAN trunking (hybrid mode only) is supported between the switch and the access point or bridge.

2. A maximum of 16 VLANs per ESS are supported with each wireless VLAN represented with a unique SSID name.

3. IT administrator must configure a unique encryption key per VLAN.

4. A maximum of one unencrypted VLAN per ESS is supported.

5. A maximum of one primary/guest SSID per ESS is supported.

6. TKIP, MIC, and broadcast key rotation can be enabled per VLAN.

7. Open, shared-key, MAC, network-EAP (LEAP), and EAP authentication types are supported per SSID.

8. Shared-key authentication is supported only on the SSID mapped to the native VLAN. (This is most likely to be the "Infrastructure" SSID.)

9. One unique policy group (set of Layer 2, 3 and 4 filters) is allowed per VLAN.

10. Each SSID is mapped to a default wired VLAN where the ability to override this default SSID to VLAN-ID mapping is provided via RADIUS-based VLAN access-control mechanisms.

  • RADIUS-based VLAN-ID assignment per user is supported.
  • RADIUS-based SSID access control per user is supported.

11. The ability to assign a CoS mapping per VLAN with eight different levels of priorities is supported.

12. The ability to control several clients per SSID is supported.

13. All access points and bridges in the same ESS must use the same native VLAN-ID to facilitate Inter-Access Point Protocol (IAPP) communication between access points and bridges.

14. All wireless LAN security policies should be mapped to the wired LAN security policies on the switches and routers.
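As an added pre-deployment check (not code from the Cisco guide), the following script tests a planned ESS configuration against the rules above that can be verified from the plan alone: the 16-VLAN limit and unique SSID names (rule 2), a unique key per encrypted VLAN (rule 3), at most one unencrypted VLAN (rule 4), exactly one primary SSID (rule 5), shared-key authentication only on the native-VLAN SSID (rule 8), every SSID mapped to a defined VLAN (rule 10), and one native VLAN-ID across all devices (rule 13). The dictionary layout for the plan is an assumption made for this example; the sample plan mirrors Table 3 plus the "Infrastructure" SSID of Section 3.3, with placeholder keys.

```python
# Added example: validate a planned ESS against the Section 4.3 rules.
# The plan format (access_points / vlans / ssids dicts) is an assumption of this
# example; the sample plan is constructed from Table 3 with placeholder keys.
from typing import Dict, List, Optional

MAX_VLANS_PER_ESS = 16
SHARED_KEY_AUTH = "shared"   # 802.11 shared-key authentication (rule 8)


def check_ess_plan(plan: dict) -> List[str]:
    """Return a list of rule violations; an empty list means the plan passes."""
    problems: List[str] = []
    vlans: Dict[int, Optional[str]] = plan["vlans"]   # VLAN-ID -> key, None = unencrypted
    ssids: List[dict] = plan["ssids"]
    natives = {ap["name"]: ap["native_vlan"] for ap in plan["access_points"]}

    # Rule 2: at most 16 VLANs per ESS, each represented by a unique SSID name.
    if len(vlans) > MAX_VLANS_PER_ESS:
        problems.append(f"{len(vlans)} VLANs exceed the {MAX_VLANS_PER_ESS}-VLAN limit")
    names = [s["name"] for s in ssids]
    if len(names) != len(set(names)):
        problems.append("SSID names are not unique")

    # Rule 3 (and Section 3.2): a unique encryption key per encrypted VLAN,
    # since the per-VLAN key is what separates broadcast domains over the air.
    keys = [k for k in vlans.values() if k is not None]
    if len(keys) != len(set(keys)):
        problems.append("two or more encrypted VLANs share the same key")

    # Rule 4: at most one unencrypted VLAN per ESS.
    open_vlans = sorted(v for v, k in vlans.items() if k is None)
    if len(open_vlans) > 1:
        problems.append(f"more than one unencrypted VLAN: {open_vlans}")

    # Rule 5: exactly one primary (guest) SSID is broadcast in beacons.
    primaries = [s["name"] for s in ssids if s.get("primary")]
    if len(primaries) != 1:
        problems.append(f"expected one primary SSID, found {primaries}")

    # Rule 13: every access point and bridge uses the same native VLAN-ID.
    if len(set(natives.values())) != 1:
        problems.append(f"native VLAN-ID differs across devices: {natives}")
    native_vlan = next(iter(natives.values()), None)

    for s in ssids:
        # Rule 10: each SSID maps to a default wired VLAN that actually exists.
        if s["vlan"] not in vlans:
            problems.append(f"SSID {s['name']!r} maps to undefined VLAN {s['vlan']}")
            continue
        # Rule 8: shared-key authentication only on the native-VLAN SSID.
        if SHARED_KEY_AUTH in s["auth"] and s["vlan"] != native_vlan:
            problems.append(
                f"SSID {s['name']!r} uses shared-key auth on non-native VLAN {s['vlan']}")
    return problems


# Constructed sample plan: VLAN-IDs and policies from Table 3, keys are placeholders.
SAMPLE_PLAN = {
    "access_points": [{"name": "ap-bldg1", "native_vlan": 10},
                      {"name": "ap-bldg2", "native_vlan": 10}],
    "vlans": {10: "KEY-NATIVE", 16: "KEY-FT", 26: "KEY-PT", 36: "KEY-MAINT", 46: None},
    "ssids": [
        {"name": "Full-Time", "vlan": 16, "auth": ["eap"]},
        {"name": "Part-Time", "vlan": 26, "auth": ["eap"]},
        {"name": "Maintenance", "vlan": 36, "auth": ["open", "mac"]},
        {"name": "Guest", "vlan": 46, "auth": ["open"], "primary": True},
        {"name": "Infrastructure", "vlan": 10, "auth": ["open"]},
    ],
}

if __name__ == "__main__":
    for line in check_ess_plan(SAMPLE_PLAN) or ["plan passes all checks"]:
        print(line)
```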

4.4  Best Practices for the Wired Infrastructure

The following best practices are recommended for the wired infrastructure when 802.1Q trunking is extended to the access points and bridges:

1. Limit broadcast and multicast traffic to the access point and bridge by enabling VLAN filtering and Internet Group Management Protocol (IGMP) snooping on the switch ports. On the 802.1Q trunks to the access point and bridge, filter to allow only active VLANs in the ESS. Enabling IGMP snooping prevents the switch from flooding all switch ports with Layer 3 multicast traffic.

2. Map wireless security policies to the wired infrastructure with ACLs and other mechanisms.

3. The access point does not support Virtual Terminal Protocol (VTP) or Generic Attribute Registration Protocol VLAN Registration Protocol (GVRP) protocols for dynamic management of VLANs because the access point acts as a "stub" node. The IT administrator must use the wired infrastructure to maintain and manage the wired VLANs.

4. Enforce network security policies via Layer 3 ACLs on the "guest" and management VLANs (recommended).

  • The IT administrator could implement ACLs on the wired infrastructure to force all "guest" VLAN traffic to the Internet gateway.
  • The IT administrator should restrict user access to the native/default VLAN of the access points and bridges with the use of Layer 3 ACLs and policies on the wired infrastructure.
  • Example: Traffic to access points and bridges via the native/default VLAN is only allowed to and from the management VLAN where all the management servers including the RADIUS server reside.

5  Appendix A: VLAN Configuration Example for VxWorks Software Release 12.00T or Later

This section provides configuration examples for VxWorks Software Release 12.00T or later for Cisco Aironet 1200, 350, and 340 Series Access Points and the Cisco Aironet 350 Series Wireless Bridge.

1. Figure 8. Main setup page: VLAN and Service Set Identifier (SSID) options.

2. Figure 8. Click on Setup > VLAN: Add the native VLAN of the 802.1Q trunk to the access point.


Figure 8   Main Setup Page

3. Figure 9 and Figure 10. Native VLAN configuration: Enable this VLAN and set a unique encryption key and enable TKIP (recommended).


Figure 9   Main VLAN Set Up Page


Figure 10   Native VLAN Configuration


4. Figure 11. Enable 802.1Q Trunking: Set the Native VLAN ID of the access point and enable 802.1Q tagging.


Figure 11   Enabling 802.1Q Trunking

5. Figure 12. Enable 802.1Q Trunking: Upon successful completion of Steps 2 to 4, 802.1Q Encapsulation Mode is displayed as "Hybrid Trunk."


Figure 12   802.1Q Encapsulation Mode

6. Figure 13. Create a "guest" VLAN with open/no WEP configuration: Do not set an encryption key. Apply a policy group (set of Layer 2, 3, and 4 filters) for this VLAN.


Figure 13   "Guest" VLAN Configuration

7. Figure 14. Create a "guest" VLAN: Set the unencrypted VLAN (guest VLAN created in Step 6) in the main VLAN setup page.


Figure 14   Enabling the Unencrypted VLAN

8. Figure 15. Adding an encrypted VLAN. Set a unique encryption key.


Figure 15   Encrypted VLAN Configuration

9. Figure 16. The list of VLANs is displayed on the main VLAN setup page.


Figure 16   List of VLANs

10. Figure 17. Click on "VLAN Summary Status" link to view the summary table.


Figure 17   VLAN Summary Status Table

11. Figure 18. Click on Setup > Service Sets. (This is the same screen as shown in Step 1 of this Appendix.) The SSID list is configurable per radio. On a Cisco Aironet 1200 Series Access Point with two radios, 802.11b radio SSIDs are referred to as "Internal" SSIDs and 802.11a radio SSIDs are referred to as "Module" SSIDs.


Figure 18   Main Setup Page

12. Figure 19. On the SSID main setup page, select the primary SSID > Click on "Edit."


Figure 19   Access Point Radio Internal Service Sets—Primary SSID

13. Figure 20. Primary SSID setup: Rename the primary SSID to "guest" and map it to "Open/no WEP" VLAN.


Figure 20   Access Point Radio Internal Primary SSID Configuration

14. Figure 21. Create a secondary SSID: Create a SSID called "OPEN_WEP."


Figure 21   Creating a Secondary SSID

15. Figure 22. Create a secondary SSID: Map "OPEN_WEP" SSID to Open/with WEP VLAN and allow "Open" 802.11 authentication.


Figure 22   Secondary SSID "Open_WEP" Configuration

16. Figure 23. Create an SSID for infrastructure devices: Map the native VLAN of the access point to this SSID in order to allow infrastructure devices (such as workgroup bridges and repeaters) to associate to the access point using this SSID.


Figure 23   SSID for Infrastructure Devices

17. Figure 24. Infrastructure SSID configuration: Set the index of the SSID created in Step 16 as the "Infrastructure" SSID. Disallow all infrastructure devices on non-Infrastructure SSIDs (recommended).


Figure 24   Infrastructure SSID Configuration

18. Figure 25. Click on the Service Set Summary Status link to view the SSID summary table.


Figure 25   Internal Service Set Summary Status Table

6  Appendix B: VLAN Configuration Example for Cisco IOS Software Release 12.2.4-JA for Cisco Aironet 1100 Series Access Point

This section provides configuration examples for Cisco IOS Software Release 12.2.4-JA for the Cisco Aironet 1100 Series Access Point.

1. Figure 26. Enabling VLAN trunking: Create a VLAN and map it to an existing SSID. In the example configuration, VLAN-ID 11 is mapped to "guest" SSID.

a. Click on Security > SSID Manager. Rename the existing SSID to "guest."


Figure 26   "Guest" SSID Configuration

b. Figure 27. Click on Services > VLAN. Create VLAN-ID 11 and map to SSID "guest." This enables 802.1Q trunking on the Cisco Aironet 1100 Series Access Point.


Figure 27   Enabling 802.1Q Trunking

2. Figure 28. Create the default VLAN: Click on Services > VLAN. Create the default (native) VLAN-ID for the Cisco Aironet 1100 Series Access Point.


Figure 28   Creating the Default VLAN

3. Figure 29. Set the native VLAN-ID: Click on Services > VLAN. Set the default VLAN-ID (native VLAN-ID) of the Cisco Aironet 1100 Series Access Point. A WARNING message is displayed; click "OK."


Figure 29   Set the Default (Native) VLAN-ID

4. Figure 30. Create other VLANs as needed. The screen capture shows the creation of VLAN-ID 12.


Figure 30   Creation of VLAN-ID 12

5. Figure 31. List display of active VLANs.


Figure 31   List of Active VLANs

6. Figure 32. SSID to VLAN-ID mapping: Click on Security > SSID Manager. Create and map SSIDs to the active VLANs.


Figure 32   Create and Map SSIDs to the Active VLANs

7. Figure 33. Example SSID-to-VLAN-ID mapping: The "EAP_TKIP" SSID is configured to allow LEAP, PEAP, and EAP-TLS authentication. As shown, the "EAP_TKIP" SSID is mapped to VLAN-ID 14.


Figure 33   Example SSID to VLAN ID Mapping

8. Figure 34. Guest (primary) SSID for the Cisco Aironet 1100 Series Access Point: Click on Security > SSID Manager. Set the guest SSID (created in Step 1) under "Global SSID Properties."


Figure 34   Setting the Guest (Primary) SSID

9. Figure 35. Create an Infrastructure SSID and map to native VLAN (if there is a requirement): This is only needed if Infrastructure devices (such as workgroup bridges and repeaters) will associate to the access point.


Figure 35   Creating an Infrastructure SSID with Mapping to Native VLAN

10. Figure 36. Infrastructure SSID: Click on Security > SSID Manager. Set the Infrastructure SSID on the access point.


Figure 36   Setting the Infrastructure SSID

11. Figure 37. Enable VLAN encryption: Click on Security > WEP Key Manager. For VLAN-ID 12 (mapped to "OPEN_WEP" SSID), encryption is enabled and a unique encryption key is set.


Figure 37   Enabling VLAN Encryption for VLAN-ID 12

12. Figure 38. Enable VLAN encryption: Click on Security > WEP Key Manager. For VLAN-ID 10 (native VLAN), WEP encryption is enabled along with per-packet key hashing (as part of Cisco TKIP). A unique encryption key is set for the native (default) VLAN.


Figure 38   Enabling Encryption for VLAN-ID 10 (Default VLAN)

Table 4 shows the Cisco Aironet 1100 Series Access Point CLI configuration for VLANs.

Table 4   Cisco Aironet 1100 Series Access Point CLI Configuration for VLANs

version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
!
interface Dot11Radio0
no ip address
no ip route-cache
encryption vlan 12 key 1 size 128bit 7 CD347815487006141F21001123D4 transmit-key
encryption vlan 12 mode wep mandatory
!
encryption vlan 10 key 1 size 128bit 7 104A7204161D23021321D61C6238 transmit-key
encryption vlan 10 mode wep mandatory key-hash
!
!
ssid EAP_TKIP
vlan 14
authentication open eap eap_methods
authentication network-eap eap_methods
!
ssid Infrastructure
vlan 10
authentication open
infrastructure-ssid optional
!
ssid OPEN_WEP
vlan 12
authentication open
!
ssid guest
vlan 11
authentication open
guest-mode
!
.
!
interface Dot11Radio0.10
encapsulation dot1Q 10 native
no ip route-cache
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.11
encapsulation dot1Q 11
no ip route-cache
no cdp enable
bridge-group 11
bridge-group 11 subscriber-loop-control
bridge-group 11 block-unknown-source
no bridge-group 11 source-learning
no bridge-group 11 unicast-flooding
bridge-group 11 spanning-disabled
!
interface Dot11Radio0.12
encapsulation dot1Q 12
no ip route-cache
bridge-group 12
bridge-group 12 subscriber-loop-control
bridge-group 12 block-unknown-source
no bridge-group 12 source-learning
no bridge-group 12 unicast-flooding
bridge-group 12 spanning-disabled
!
interface Dot11Radio0.13
encapsulation dot1Q 13
no ip route-cache
bridge-group 13
bridge-group 13 subscriber-loop-control
bridge-group 13 block-unknown-source
no bridge-group 13 source-learning
no bridge-group 13 unicast-flooding
bridge-group 13 spanning-disabled
!
interface Dot11Radio0.14
encapsulation dot1Q 14
no ip route-cache
bridge-group 14
bridge-group 14 subscriber-loop-control
bridge-group 14 block-unknown-source
no bridge-group 14 source-learning
no bridge-group 14 unicast-flooding
bridge-group 14 spanning-disabled
!
interface Dot11Radio0.15
encapsulation dot1Q 15
no ip route-cache
bridge-group 15
bridge-group 15 subscriber-loop-control
bridge-group 15 block-unknown-source
no bridge-group 15 source-learning
no bridge-group 15 unicast-flooding
bridge-group 15 spanning-disabled
!
!
interface FastEthernet0.10
encapsulation dot1Q 10 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface FastEthernet0.11
encapsulation dot1Q 11
no ip route-cache
bridge-group 11
no bridge-group 11 source-learning
bridge-group 11 spanning-disabled
!
interface FastEthernet0.12
encapsulation dot1Q 12
no ip route-cache
bridge-group 12
no bridge-group 12 source-learning
bridge-group 12 spanning-disabled
!
interface FastEthernet0.13
encapsulation dot1Q 13
no ip route-cache
bridge-group 13
no bridge-group 13 source-learning
bridge-group 13 spanning-disabled
!
interface FastEthernet0.14
encapsulation dot1Q 14
no ip route-cache
bridge-group 14
no bridge-group 14 source-learning
bridge-group 14 spanning-disabled
!
interface FastEthernet0.15
encapsulation dot1Q 15
no ip route-cache
bridge-group 15
no bridge-group 15 source-learning
bridge-group 15 spanning-disabled
!
.
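
The AP configuration above only carries traffic correctly if its native VLAN and dot1Q subinterfaces line up with the switch trunk and the router subinterfaces shown in Appendix D. The following Python script is an added example, not part of this guide or of any Cisco product: it takes condensed excerpts of the three configurations (the AP's SSID-to-VLAN map and subinterfaces follow Table 4; the switch trunk port and the router subinterfaces follow Appendix D and are rebuilt with a small helper rather than retyped) and reports a native-VLAN mismatch between hops, SSID VLANs that lack a radio subinterface, an AP Ethernet subinterface or a router subinterface, AP VLANs that no SSID uses, and VLANs that exist only on the router. Function names are the example's own.

```python
def _subifs(prefix, vlans, native):
    """Build the 'interface X.N / encapsulation dot1Q N [native]' pairs that
    Table 4 and Appendix D show, so they need not be retyped line by line."""
    lines = []
    for v in vlans:
        lines.append("interface %s.%d" % (prefix, v))
        lines.append("encapsulation dot1Q %d%s" % (v, " native" if v == native else ""))
    return "\n".join(lines)


# Condensed from Table 4 (SSID-to-VLAN map and subinterfaces of the 1100 AP).
AP_CONFIG = "\n".join([
    "interface Dot11Radio0",
    "ssid EAP_TKIP", "vlan 14",
    "ssid Infrastructure", "vlan 10",
    "ssid OPEN_WEP", "vlan 12",
    "ssid guest", "vlan 11",
    _subifs("Dot11Radio0", range(10, 16), native=10),
    _subifs("FastEthernet0", range(10, 16), native=10),
])

# Condensed from Appendix D (Catalyst 3524 XL trunk port and 2621 subinterfaces).
SWITCH_CONFIG = """interface FastEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk"""
ROUTER_CONFIG = _subifs("FastEthernet0/0", range(10, 17), native=10)


def parse_ios(text):
    """Flat parse of the IOS lines that matter here (indentation is not needed):
    the SSID-to-VLAN map, dot1Q subinterfaces per physical port, native VLANs."""
    info = {"ssid_vlan": {}, "dot1q": {}, "native": set()}
    iface = ssid = None
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "interface":
            iface, ssid = words[1], None
        elif words[0] == "ssid":
            ssid = words[1]
        elif words[0] == "vlan" and ssid:          # 'vlan N' inside an ssid stanza
            info["ssid_vlan"][ssid] = int(words[1])
        elif words[:2] == ["encapsulation", "dot1Q"]:
            phys = (iface or "").split(".")[0]      # Dot11Radio0.12 -> Dot11Radio0
            info["dot1q"].setdefault(phys, set()).add(int(words[2]))
            if "native" in words:
                info["native"].add(int(words[2]))
        elif words[:4] == ["switchport", "trunk", "native", "vlan"]:
            info["native"].add(int(words[4]))
    return info


def check_vlan_plumbing(ap, switch, router):
    """Cross-check the AP against the switch trunk and the router subinterfaces."""
    radio = ap["dot1q"].get("Dot11Radio0", set())
    wired = ap["dot1q"].get("FastEthernet0", set())
    routed = set().union(*router["dot1q"].values()) if router["dot1q"] else set()
    ssid_vlans = set(ap["ssid_vlan"].values())
    natives = ap["native"] | switch["native"] | router["native"]
    return {
        # Untagged frames must mean the same VLAN on every hop of the trunk.
        "native_consistent": len(natives) == 1,
        # An SSID's VLAN needs a radio subinterface, an AP Ethernet subinterface
        # and a router subinterface, or its clients have no path off the AP.
        "unplumbed_ssid_vlans": ssid_vlans - (radio & wired & routed),
        # Configured on the AP but reachable by no SSID (13 and 15 in Table 4).
        "unused_ap_vlans": (radio & wired) - ssid_vlans,
        # Routed but never bridged to the air (16 in Appendix D).
        "wired_only_vlans": routed - (radio | wired),
    }


if __name__ == "__main__":
    result = check_vlan_plumbing(parse_ios(AP_CONFIG), parse_ios(SWITCH_CONFIG),
                                 parse_ios(ROUTER_CONFIG))
    for name, value in result.items():
        print("%-22s %s" % (name, value))
```

Run against the guide's own configurations the script reports a consistent native VLAN 10 on all three devices, no SSID VLAN without a path, VLANs 13 and 15 configured on the AP with no SSID mapped to them, and VLAN 16 present only on the router. Feeding it a `show running-config` from each real device instead of the excerpts is the intended use; a native VLAN that differs on any hop is the mistake to look for first when a VLAN's clients get no DHCP lease.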

7  Appendix C: Procedure to Configure RADIUS-Based User Access Control on Cisco Secure Access Control Server Software

The procedure to configure RADIUS-based user access control on Cisco Secure ACS Version 2.6 or later is provided below. This procedure provides configuration information for Internet Engineering Task Force (IETF), Cisco IOS Software and Cisco PIX® Firewall options that enable RADIUS-based user access control (using VLAN-ID and/or SSID-list).

1. Select Interface Configuration > Advanced Options; Enable "Per-user TACACS+/RADIUS Attributes" > Click on "Submit."

2. Select Interface Configuration > RADIUS (IETF).

  • Enable IETF attributes 64, 65, and 81. Enable these options at both User and Group levels.
  • Click on "Submit."

3. Select Network Configuration:

  • Confirm that the following option is available on the Cisco Secure ACS: Configuration > RADIUS (Cisco IOS/PIX). If this option is not available, add a device with network access server-type RADIUS (Cisco IOS/PIX). This device is needed to enable Cisco IOS/PIX attributes.
  • After adding a Cisco IOS Software or Cisco PIX Firewall device, select Interface Configuration > RADIUS (Cisco IOS/PIX):
  • Enable the "[026/009/001] cisco-av-pair" option. Enable this option at both User and Group levels.
  • Click on "Submit."

4. Add a User (User Setup > Add/Edit).

  • To restrict user by VLAN-ID:
      • Enable and set IETF 64 (Tunnel Type) to "VLAN."
      • Enable and set IETF 65 (Tunnel Medium Type) to "802."
      • Enable and set IETF 81 (Tunnel Private Group ID) to VLAN-ID.

Note:    Use the same Tag numbers (example: Tag 1) for all the above parameters.


  • To restrict user by SSID (note: SSID is case-sensitive):
      • Enable and configure the Cisco IOS/PIX RADIUS attribute 009\001 cisco-av-pair.
      • Example: ssid=LEAP_WEP
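
The three IETF tunnel attributes and the cisco-av-pair configured above are what the access point actually receives inside the RADIUS Access-Accept. The following Python is an added illustration, not part of this guide, of Cisco Secure ACS or of the access point software: it encodes the attributes as RFC 2868 and RFC 2865 define them (Tunnel-Type 64 with value VLAN = 13, Tunnel-Medium-Type 65 with value 802 = 6, Tunnel-Private-Group-ID 81 carrying the VLAN-ID as a string, and Vendor-Specific 26 with Cisco vendor ID 9 and vendor type 1 for cisco-av-pair) and then decodes them the way a strict receiver would: the VLAN is accepted only when all three tunnel attributes carry the same tag, which is the reading of the Note above that this example assumes rather than a documented behaviour of the access point. Function names and sample values are the example's own.

```python
import struct

# Attribute numbers and enumerated values from RFC 2868 (tunnel attributes)
# and RFC 2865 (Vendor-Specific), matching the ACS fields named above.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
VENDOR_SPECIFIC = 26
TUNNEL_TYPE_VLAN = 13      # Tunnel-Type "VLAN"
TUNNEL_MEDIUM_802 = 6      # Tunnel-Medium-Type "802"
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1           # vendor type of cisco-av-pair (ACS shows it as 009\001)


def _attr(atype, value):
    """One RADIUS attribute: Type(1) Length(1) Value; the length covers the header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def tagged_int(atype, tag, number):
    """Tagged integer attribute: tag octet followed by a 24-bit value."""
    return _attr(atype, bytes([tag]) + number.to_bytes(3, "big"))


def tagged_string(atype, tag, text):
    """Tagged string attribute: tag octet followed by the text."""
    return _attr(atype, bytes([tag]) + text.encode("ascii"))


def cisco_avpair(text):
    """Vendor-Specific: Vendor-Id(4) then Vendor-Type(1) Vendor-Length(1) String."""
    body = text.encode("ascii")
    vendor_part = bytes([CISCO_AVPAIR, len(body) + 2]) + body
    return _attr(VENDOR_SPECIFIC, struct.pack(">I", CISCO_VENDOR_ID) + vendor_part)


def build_access_accept_attrs(vlan_id, tag=1, ssid=None):
    """Attribute set for a user restricted to vlan_id and, optionally, one SSID."""
    attrs = (tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
             + tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_802)
             + tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))
    if ssid is not None:
        attrs += cisco_avpair("ssid=" + ssid)
    return attrs


def parse_attrs(raw):
    """Split an attribute blob into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated attribute header at offset %d" % i)
        atype, alen = raw[i], raw[i + 1]
        if alen < 2 or i + alen > len(raw):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((atype, raw[i + 2:i + alen]))
        i += alen
    return out


def vlan_from_accept(raw):
    """VLAN-ID the receiver should apply, or None when the tunnel attributes are
    missing, are not a VLAN/802 pair, or are not tagged identically (the strict
    reading of the Note above; an assumption of this example)."""
    by_tag = {}
    for atype, value in parse_attrs(raw):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            tag, body = value[0], value[1:]
        elif atype == TUNNEL_PRIVATE_GROUP_ID and value:
            # RFC 2868: a first octet above 0x1F is data, not a tag (tag 0 = untagged)
            tag, body = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
        else:
            continue
        by_tag.setdefault(tag, {})[atype] = body
    for group in by_tag.values():
        if (group.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN.to_bytes(3, "big")
                and group.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802.to_bytes(3, "big")
                and TUNNEL_PRIVATE_GROUP_ID in group):
            gid = group[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
            if gid.isdigit() and 1 <= int(gid) <= 4094:
                return int(gid)
    return None


def ssid_from_accept(raw):
    """SSID restriction carried in a Cisco cisco-av-pair, or None if absent."""
    for atype, value in parse_attrs(raw):
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack(">I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        vtype, vlen = value[4], value[5]
        text = value[6:4 + vlen].decode("ascii", "replace")
        if vtype == CISCO_AVPAIR and text.startswith("ssid="):
            return text[len("ssid="):]   # SSID is case-sensitive; returned as sent
    return None
```

The decoder is deliberately the strict half of the pair: an Access-Accept whose Tunnel-Private-Group-ID carries a different tag from the other two attributes yields no VLAN at all, which is the failure you see on the access point when the Tag fields in ACS were left inconsistent. Comparing the bytes that `build_access_accept_attrs` produces with a packet capture of the real ACS reply is a quick way to confirm that the User Setup screen was filled in as the steps above describe.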

8  Appendix D: Example Switch and Router Configuration for Wireless VLAN Deployment

Cisco Catalyst® 3524 XL Switch Configuration:

version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch_1
!
enable password twinpeaks
!
ip subnet-zero
!
interface FastEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
!
interface FastEthernet0/2
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
!
interface FastEthernet0/3
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
switchport access vlan 10
!
interface FastEthernet0/10
switchport access vlan 10
!
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
switchport access vlan 10
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface VLAN1
no ip directed-broadcast
no ip route-cache
shutdown
!
interface VLAN10
ip address 10.10.10.4 255.255.255.0
no ip directed-broadcast
no ip route-cache
!
!
line con 0
password twinpeaks
transport input none
stopbits 1
line vty 0 4
timeout login response 0
password twinpeaks
login
line vty 5 15
login
!
end

Router (Cisco 2621 Multiservice Platform) Configuration:

version 12.2
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router_1
!
enable password twinpeaks
!
ip subnet-zero
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.10
encapsulation dot1Q 10 native
ip address 10.10.10.1 255.255.255.0
ip helper-address 10.10.10.2
!
interface FastEthernet0/0.11
encapsulation dot1Q 11
ip address 10.11.11.1 255.255.255.0
ip helper-address 10.10.10.2
!
interface FastEthernet0/0.12
encapsulation dot1Q 12
ip address 10.12.12.1 255.255.255.0
ip helper-address 10.10.10.2
!
interface FastEthernet0/0.13
encapsulation dot1Q 13
ip address 10.13.13.1 255.255.255.0
ip helper-address 10.10.10.2
!
interface FastEthernet0/0.14
encapsulation dot1Q 14
ip address 10.14.14.1 255.255.255.0
ip helper-address 10.10.10.2
!
interface FastEthernet0/0.15
encapsulation dot1Q 15
ip address 10.15.15.1 255.255.255.0
ip helper-address 10.10.10.2
!
interface FastEthernet0/0.16
encapsulation dot1Q 16
ip address 10.16.16.1 255.255.255.0
ip helper-address 10.10.10.2
!
interface FastEthernet0/1
ip address 192.168.200.62 255.255.255.224
duplex auto
speed auto
!
router eigrp 88
network 10.11.11.0 0.0.0.255
network 10.12.12.0 0.0.0.255
network 10.13.13.0 0.0.0.255
network 10.14.14.0 0.0.0.255
network 10.15.15.0 0.0.0.255
network 10.16.16.0 0.0.0.255
no auto-summary
no eigrp log-neighbor-changes
!
ip classless
no ip http server