WLAN profiles with the same SSIDs

cgonzalezlozada
Level 1

Hi, I'm doing a new implementation with HREAP. I have 2 WLC 5508. In the HQ I have one SSID with L2 security WPA+WPA2 with AES and 802.1X. I configured the same SSID for a remote location and associated that SSID with an HREAP group and an access point in HREAP mode. Everything is working fine, and the users can associate with this SSID and this HREAP AP in local switching, but when I want to apply the same L2 security (WPA+WPA2 with AES and 802.1X) to this new WLAN profile with the same SSID, the following error is shown:

"The following errors occurred while updating the WLAN:

WLAN with duplicate SSID and L2 security policy found"

Is it possible to do this? Can't I have two SSIDs with the same L2 security?

Thanks

17 Replies

George Stefanick
VIP Alumni

Yes (I think so), but your profile name must be different. So you can use the same WLAN with the same security, but change the profile name.

THAT SHOULD WORK... try it and let me know.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Yes, and no.

Yes, you can have 2 profiles with the same SSID, as long as the profile names are different.  The 'no', is that the security can't match exactly.

Think of this like the migration mode that was out there in IOS.  You can do, basic 802.1x(WEP), and then a secondary WLAN with WPA2/AES/802.1x.

But it does not allow you to do WPA2/AES/802.1x on both profiles with the same SSID.

Now, to your scenario, if you are using the same SSID and security settings, you should only need the one WLAN.  One WLAN can be used for both HREAP and local mode, all depending on the mode of the AP.

HTH,

Steve

----------------------------------------------------------------------------------------------------------

Please remember to rate helpful posts or to mark the question as answered so that it can be found later.
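An added sketch (not part of any post in this thread, and not Cisco code) that models the rule as the reply above describes it: profile names must be unique, two WLANs may share an SSID only if their L2 security differs, and one WLAN can serve both AP modes. The `Wlan` fields, the `audit` and `data_path` helpers, and the sample profiles are constructed for illustration; the controller's real validation may differ.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Wlan:
    wlan_id: int
    profile: str                   # profile name, must be unique
    ssid: str                      # may repeat across profiles
    l2_security: frozenset         # e.g. {"WPA", "WPA2", "AES", "802.1X"}
    local_switching: bool = False  # per-WLAN HREAP local switching option

def audit(wlans):
    """Return (finding, first_wlan_id, conflicting_wlan_id) tuples."""
    findings, profiles, policies = [], {}, {}
    for w in wlans:
        # Rule 1: two WLANs cannot share a profile name.
        if w.profile in profiles:
            findings.append(("duplicate-profile", profiles[w.profile], w.wlan_id))
        else:
            profiles[w.profile] = w.wlan_id
        # Rule 2: same SSID is fine, same SSID + identical L2 security is not.
        key = (w.ssid, w.l2_security)
        if key in policies:
            findings.append(("duplicate-ssid-l2", policies[key], w.wlan_id))
        else:
            policies[key] = w.wlan_id
    return findings

def data_path(wlan, ap_mode):
    """Where client data is switched for this WLAN on an AP in ap_mode."""
    if ap_mode == "hreap" and wlan.local_switching:
        return "local"    # bridged onto the VLAN at the AP's switch port
    return "central"      # tunnelled to the controller

DOT1X_AES = frozenset({"WPA", "WPA2", "AES", "802.1X"})

# Constructed sample: the configuration the original poster attempted.
ATTEMPTED = [
    Wlan(1, "CORP-HQ", "CORP", DOT1X_AES),
    Wlan(2, "CORP-REMOTE", "CORP", DOT1X_AES, local_switching=True),
    Wlan(3, "CORP-LEGACY", "CORP", frozenset({"WEP", "802.1X"})),
]

# Constructed sample: the single-WLAN layout suggested in the reply.
SUGGESTED = [Wlan(1, "CORP", "CORP", DOT1X_AES, local_switching=True)]

if __name__ == "__main__":
    print(audit(ATTEMPTED))
    print(audit(SUGGESTED))
    for mode in ("local", "hreap"):
        print(mode, "->", data_path(SUGGESTED[0], mode))
```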


OK, I agree, but I tried with a single SSID and configured this SSID as HREAP at the same time, but then the HREAP AP broadcast this SSID and the users could not authenticate. I am not sure if it is correct to configure a single SSID for use in the central offices (local) and remote (HREAP).

If the internal users can authenticate, the ones at the remote site should be able to as well.

If you run a debug client < client mac address > what does it show happening?  Is the AAA rejecting or not answering?

HTH,
Steve


+5 Steve .. I did not know that !


Steve,

Thanks for this valuable information. Now the info that I need to know is that we have a few APs in local mode and a few in HREAP mode. As you said, if we use the same SSID for both the local AP group and the HREAP AP group, can we set the HREAP local switching on the SSID? If we set it so, local switching will be enabled only for the HREAP groups. Also I need to set the DHCP server for the HREAP separately. An immediate response would be highly appreciated. :)

merci,

arun

What about if I want to have different rate limiting but the same security?

 

If I may follow up on this one:

"But it does not allow you to do WPA2/AES/802.1x on both profiles with the same SSID."

Why not? This would be very handy, but is - like you said - not allowed.

I mean, of course this setup does not make sense on *ONE ACCESSPOINT* - but I can use AP-groups and do something like this:

AP1 = SSID "TEST", VLAN 20, 802.1x, Radius-server 10.10.10.10

AP2 = SSID "TEST", VLAN 30, 802.1x, Radius-server 20.20.20.20

The key here is that I want to do different Auth-servers, depending on the location of the AP. But it is not possible, because the controller does not allow it - even though it would make sense on different APs. So either I use a second controller - and third, fourth, fifth, ... or I give up?

Any thoughts, comments, hints on that?

Correct, the point of Profiles is to do different security types. 

In your scenario, do the users exist in 10. and 20. or just in one?

If they only exist in one, then you can list both the AAA servers in the list on that WLAN, and the one they do not exist in should not respond, and the WLAN will then send the request to the second.

Steve


Steve,

The AAA server is one in my present case. And there are 10 users in the HREAP location and 50 users in the local mode location. Is there a way to set the location DHCP server for the single SSID? The local DHCP server is the WLC and the HREAP DHCP server is a Cisco switch which is present locally.

With the local mode AP, the user will get DHCP from the DHCP server listed in the interface linked to the WLAN.

In the HREAP AP, the client will get DHCP from the local subnet.  This is by default, there is no configuration needed beyond the standard HREAP configs.

Steve


Steve,

There is a setting to have the DHCP server override in the advanced tab of the WLAN config. I have a local DHCP server in the HREAP location for providing IPs for the HREAP clients. And I have set that in the DHCP server override option for the HREAP SSID. Now how do we unite both the local and HREAP SSIDs into a single one?

Correct me if I am wrong: you mean to say that the DHCP server is not an issue here, as in the local AP group the client traffic will be tunneled to the WLC and it will provide the IP address. In case of the HREAP location, will the local DHCP server on the same VLAN provide the IP address without the DHCP override option enabled?

merci,

arun

The DHCP override under the WLAN was to temporarily change the server the WLAN used, instead of changing it at the interface.  Kind of legacy from the Airespace days, either one you change will bounce the WLAN.

So all you need to do is configure the interface the client needs to be on locally and set the DHCP server there.  When the local client connects, its traffic is ingress/egress from the WLC, so it gets DHCP from the configured server.

In HREAP, only the 802.1x flows back to the WLC.  All client traffic is ingress/egress right to the port the AP is connected to.  So when the client sends the DHCP request packet, it gets bridged right to the VLAN you linked the WLAN to in the HREAP config on the AP.  So it hits the wire in the proper VLAN and the local DHCP server responds with the DHCP offered address.

Steve


Steve,

You are the PRO, +10 for this. Just for confirmation I'm repeating my settings; please let me know if it would work.

SSID: CISCO_PROD

One profile, one SSID, with WPA2 802.1x auth mapped to VLAN 100 (local wireless user VLAN). DHCP override not required, enable HREAP local switching and learn client IP.

Local AP group:

Map the SSID CISCO_PROD. Users will be able to connect using AAA server auth, IP assigned by the WLC DHCP pool.

HREAP AP group:

Map the same SSID CISCO_PROD. HREAP local switching will work only for HREAP APs, not for local APs; users connect via AAA server auth, IP assigned from the local DHCP server.

Is the above explained thing correct?
