04-14-2009 12:16 PM - edited 07-03-2021 05:26 PM
There are about 30 autonomous access points in this building. They are all configured with two SSIDs, each on their own VLAN. For some reason, clients started seeing the public SSID as WPA protected. It is an intermittent problem so I'm not sure what's happening. I sniffed around with AirMagnet Spectrum Analyzer and all the public SSIDs are showing as open (without WEP, WPA, etc.). I matched all the radio interfaces from AirMagnet with the AP radios so I know there isn't some rogue around. The APs are running 12.3.8. Here is the config:
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname AP20
!
enable secret
!
username Cisco password 7 062506324F41
ip subnet-zero
!
no aaa new-model
dot11 network-map
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 2 mode ciphers tkip wep128
!
ssid GUEST
vlan 3
authentication open
guest-mode
!
ssid LSD
vlan 2
authentication open
authentication key-management wpa optional
wpa-psk ascii 7
!
short-slot-time
speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
rts threshold 2312
channel 2462
station-role root
!
interface Dot11Radio0.2
encapsulation dot1Q 2 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.3
encapsulation dot1Q 3
no ip route-cache
bridge-group 3
bridge-group 3 subscriber-loop-control
bridge-group 3 block-unknown-source
no bridge-group 3 source-learning
no bridge-group 3 unicast-flooding
bridge-group 3 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
speed 100
full-duplex
!
interface FastEthernet0.2
encapsulation dot1Q 2 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface FastEthernet0.3
encapsulation dot1Q 3
no ip route-cache
bridge-group 3
no bridge-group 3 source-learning
bridge-group 3 spanning-disabled
!
interface BVI1
ip address 172.x.x.x 255.255.0.0
no ip route-cache
!
ip default-gateway 172.x.x.x
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
logging snmp-trap emergencies
logging snmp-trap alerts
logging snmp-trap critical
logging snmp-trap errors
logging snmp-trap warnings
access-list 111 permit tcp any any neq telnet
bridge 1 route ip
!
!
!
line con 0
transport preferred all
transport output all
line vty 0 4
login local
transport preferred all
transport input all
transport output all
line vty 5 15
login
transport preferred all
transport input all
transport output all
!
end
I've tried my iPhone and it connects just fine but an Intel 3945 and Dell card don't always see the SSID as open. Since this is a guest network, clients should be able to bring in any kind of client. I think this is a combo client/AP problem.
04-14-2009 12:34 PM
I guess this is what happens:
The AP is broadcasting the guest SSID. But it also sends beacons with the WPA SSID (non-broadcasting). Both SSIDs use the same BSSID (AP MAC address).
So the client sees the following:
- Beacon: SSID "guest" with no encryption (BSSID: 00:11:22:33:44:55)
- Beacon: SSID "" with WPA (RSN) (BSSID: 00:11:22:33:44:55)
- Beacon: SSID "guest" with no encryption (BSSID: 00:11:22:33:44:55)
- Beacon: SSID "" with WPA (RSN) (BSSID: 00:11:22:33:44:55)
[...]
I guess this is confusing some clients. The same BSSID is sending different beacon frames.
A workaround would be to use MBSSIDs. So each SSID is using its unique BSSID. So each SSID has its own virtual AP.
See this link for mbssids:
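The beacon sequence described in this reply, as an added example that is not part of the original thread: a Python script that builds constructed beacon frames for the two cases (one shared BSSID before the change, and the two per-SSID BSSIDs that "show dot11 bssid" reports later in the thread), parses the SSID element, the capability-info Privacy bit and the RSN element, and reports any BSSID that advertises more than one security profile. The frame bytes are constructed here, not captured from the APs in the thread; the placeholder MAC 00:11:22:33:44:55 is the one used in the reply above, and the function and constant names are this example's own.

```python
import struct
from collections import defaultdict

# 802.11 element IDs and the capability-info Privacy bit.
IE_SSID, IE_RSN = 0, 48
CAP_PRIVACY = 0x0010
SUITE_TKIP = b"\x00\x0f\xac\x02"
AKM_NAMES = {b"\x00\x0f\xac\x01": "802.1X", b"\x00\x0f\xac\x02": "PSK"}


def mac_bytes(mac):
    """Accept aa:bb:cc:dd:ee:ff or Cisco aabb.ccdd.eeff notation."""
    return bytes.fromhex(mac.replace(":", "").replace(".", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_rsn_ie(pairwise=(SUITE_TKIP,), akms=(b"\x00\x0f\xac\x02",)):
    """RSN IE: version, group cipher, pairwise list, AKM list, capabilities."""
    body = struct.pack("<H", 1) + SUITE_TKIP
    body += struct.pack("<H", len(pairwise)) + b"".join(pairwise)
    body += struct.pack("<H", len(akms)) + b"".join(akms)
    body += struct.pack("<H", 0)
    return bytes([IE_RSN, len(body)]) + body


def build_beacon(bssid, ssid, rsn):
    """Constructed beacon: 24-byte MAC header, 12 bytes of fixed fields, IEs."""
    header = (b"\x80\x00\x00\x00" + b"\xff" * 6            # type/subtype, duration, DA
              + mac_bytes(bssid) + mac_bytes(bssid) + b"\x00\x00")  # SA, BSSID, seq
    fixed = struct.pack("<QHH", 0, 100, CAP_PRIVACY if rsn else 0)
    raw_ssid = ssid.encode()
    ies = bytes([IE_SSID, len(raw_ssid)]) + raw_ssid    # empty SSID = non-broadcast
    if rsn:
        ies += build_rsn_ie()
    return header + fixed + ies


def parse_ies(data):
    """Walk tag/length/value elements; stop at the first truncated one."""
    ies, i = {}, 0
    while i + 2 <= len(data):
        tag, ln = data[i], data[i + 1]
        if i + 2 + ln > len(data):
            break
        ies.setdefault(tag, data[i + 2:i + 2 + ln])
        i += 2 + ln
    return ies


def rsn_akms(body):
    """AKM suite names from an RSN IE body, [] if the element is malformed."""
    try:
        off = 6                                    # skip version + group cipher
        (pc,) = struct.unpack_from("<H", body, off)
        off += 2 + 4 * pc
        (ac,) = struct.unpack_from("<H", body, off)
        off += 2
        if off + 4 * ac > len(body):
            return []
        return [AKM_NAMES.get(body[off + 4 * i:off + 4 * i + 4], "unknown")
                for i in range(ac)]
    except struct.error:
        return []


def parse_beacon(frame):
    if len(frame) < 36 or frame[0] & 0xFC != 0x80:
        raise ValueError("not an 802.11 beacon")
    _ts, _interval, cap = struct.unpack_from("<QHH", frame, 24)
    ies = parse_ies(frame[36:])
    if IE_RSN in ies:
        profile = "RSN/" + "+".join(rsn_akms(ies[IE_RSN]) or ["?"])
    elif cap & CAP_PRIVACY:
        profile = "WEP"                            # Privacy bit but no RSN IE
    else:
        profile = "open"
    return {"bssid": mac_str(frame[16:22]),
            "ssid": ies.get(IE_SSID, b"").decode("utf-8", "replace"),
            "profile": profile}


def conflicting_bssids(frames):
    """BSSID -> sorted (ssid, profile) pairs, for BSSIDs that mix profiles."""
    seen = defaultdict(set)
    for frame in frames:
        b = parse_beacon(frame)
        seen[b["bssid"]].add((b["ssid"], b["profile"]))
    return {k: sorted(v) for k, v in seen.items()
            if len({p for _, p in v}) > 1}


# Constructed captures: the radio before the change (one BSSID, alternating
# open and RSN beacons) and after it (the BSSIDs from "show dot11 bssid").
SHARED = "00:11:22:33:44:55"
SINGLE_BSSID_BEACONS = [build_beacon(SHARED, "GUEST", False),
                        build_beacon(SHARED, "", True)] * 2
MBSSID_BEACONS = [build_beacon("0012.80ed.6980", "GUEST", False),
                  build_beacon("0012.80ed.6981", "", True)] * 2

if __name__ == "__main__":
    print("single BSSID:", conflicting_bssids(SINGLE_BSSID_BEACONS))
    print("MBSSID      :", conflicting_bssids(MBSSID_BEACONS))
```

On the shared-BSSID capture the script reports 00:11:22:33:44:55 carrying both ("GUEST", "open") and ("", "RSN/PSK"); on the MBSSID capture each BSSID carries exactly one profile and nothing is reported. The same check is useful outside this thread: a BSSID that flips between open and RSN is also what a mis-set evil twin looks like. To run it over a real monitor-mode capture, strip the radiotap header and feed the 802.11 frames to parse_beacon.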
04-17-2009 10:42 AM
Thanks for the prompt reply. I tried enabling mbssid and verified through "show dot11 bssid" that I now had unique identifiers:
Interface     BSSID           Guest  SSID
Dot11Radio0   0012.80ed.6980  Yes    GUEST
Dot11Radio0   0012.80ed.6981  No     LSD
However, the problem still shows up. I have a TAC case open but they are having trouble with this too. Any other help would be appreciated.
Thanks again!
Tony
04-21-2009 07:10 AM
Enabling mbssid did solve the issue. I had to enable it on both SSIDs. Here are the changes made from the original config:
dot11 ssid GUEST
vlan 3
authentication open
mbssid guest-mode
!
dot11 ssid LSD
vlan 2
authentication open
authentication key-management wpa
mbssid dtim-period 2
wpa-psk ascii 7 (hidden)
interface dot11radio 0
mbssid
Also, removing the WEP128 and optional security was a recommendation.
Thanks again!
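The three changes this post records (enabling mbssid, dropping the optional key-management mode, dropping the wep128 cipher) as a config check, added here and not part of the thread: a Python audit over IOS autonomous-AP config text that reports each of them. The BEFORE and AFTER strings are reconstructed from the config posted above and the change list in this post, with the pre-shared key line left out because the page hides it; the check names, the parse/audit functions and the assumption that "!" closes an ssid sub-block while global "dot11 ssid" blocks precede the interfaces are this example's own.

```python
import re
from collections import defaultdict

# Reconstructed from the config and change list in the thread; the PSK line is
# omitted because the page hides it.  Indentation is irrelevant to the parser.
BEFORE = """\
interface Dot11Radio0
 encryption vlan 2 mode ciphers tkip wep128
 !
 ssid GUEST
    vlan 3
    authentication open
    guest-mode
 !
 ssid LSD
    vlan 2
    authentication open
    authentication key-management wpa optional
 !
 station-role root
!
"""

AFTER = """\
dot11 ssid GUEST
   vlan 3
   authentication open
   mbssid guest-mode
!
dot11 ssid LSD
   vlan 2
   authentication open
   authentication key-management wpa
   mbssid dtim-period 2
!
interface Dot11Radio0
 encryption vlan 2 mode ciphers tkip
 mbssid
 ssid GUEST
 ssid LSD
 station-role root
!
"""

SSID_LINE = re.compile(r"(?:dot11 )?ssid (\S+)$")


def parse(config):
    """Split show-run style text into per-SSID and per-radio command lists.

    Assumed layout: '!' closes an ssid sub-block, 'interface' starts a new
    interface, and global 'dot11 ssid' blocks come before the interfaces."""
    ssids = defaultdict(lambda: {"lines": [], "radios": set()})
    radios = defaultdict(list)
    global_ssids = set()
    iface = ssid = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            ssid = None
            continue
        if line.startswith("interface "):
            iface, ssid = line.split()[1], None
            continue
        m = SSID_LINE.match(line)
        if m:
            name = m.group(1)
            if line.startswith("dot11 "):
                iface, ssid = None, name
                global_ssids.add(name)
            elif iface:
                ssids[name]["radios"].add(iface)   # bind SSID to this radio
                ssid = None if name in global_ssids else name
            continue
        if ssid:
            ssids[ssid]["lines"].append(line)
        elif iface:
            radios[iface].append(line)
    return ssids, radios


def audit(config):
    """Return (scope, check, message) triples: SSID checks first, then radios."""
    ssids, radios = parse(config)
    findings = []
    for name in sorted(ssids):
        for line in ssids[name]["lines"]:
            if line.startswith("authentication key-management") and line.endswith(" optional"):
                findings.append((f"ssid {name}", "wpa-optional",
                                 "optional key management lets non-WPA clients associate"))
    for radio in sorted(radios):
        lines = radios[radio]
        for line in lines:
            if line.startswith("encryption") and re.search(r"\bwep(40|128)\b", line):
                findings.append((radio, "wep-cipher", f"WEP cipher offered in '{line}'"))
        hosted = sorted(n for n, s in ssids.items() if radio in s["radios"])
        protected = [n for n in hosted if any(l.startswith("authentication key-management")
                                               for l in ssids[n]["lines"])]
        if len(hosted) > 1 and protected and len(protected) < len(hosted) and "mbssid" not in lines:
            open_ssids = sorted(set(hosted) - set(protected))
            findings.append((radio, "shared-bssid",
                             f"open {open_ssids} and WPA {protected} share one BSSID; "
                             "add 'mbssid' on the radio and in each ssid"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(cfg) or "clean")
```

On BEFORE the audit reports wpa-optional on LSD, then wep-cipher and shared-bssid on Dot11Radio0; on AFTER it reports nothing. The shared-bssid check fires only when a radio mixes open and key-managed SSIDs without mbssid, which is the exact combination this thread traced the client confusion to.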
04-21-2009 10:21 AM
I'm glad that helped. Sorry - I couldn't follow up your first reply.... this one sneaked through my fingers :-)