2 SSIDs, One with password, One without

jenebo001 · ‎06-09-2014

I want to create a wireless network with 2 SSIDs. I am using 4 Cisco 1602 Model APs. I can get the password protected SSID to work. When I try to create the guest SSID I can get it to broadcast, but it keeps asking for a password even though I haven't set one. Here is my current config:

!
! Last configuration change at 00:18:42 UTC Mon Mar 1 1993
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname AberdeenAP1
!
!
logging rate-limit console 9
enable secret 5 $1$gePP$q8Ny/Vk0xNkLq/w6mwwLP1
!
no aaa new-model
ip cef
!
!
!
dot11 syslog
!
dot11 ssid GS-Guest
   vlan 2
   authentication open
   mbssid guest-mode
   mobility network-id 2
!
dot11 ssid GS-Wireless
   vlan 1
   authentication open
   authentication key-management wpa
   guest-mode
   mbssid guest-mode
   infrastructure-ssid optional
   wpa-psk ascii 7 045C021403324F411C0D16051D0807567A7A70
!
!
crypto pki token default removal timeout 0
!
!
username Cisco password 7 106D000A0618
username admin privilege 15 password 7 096B5D0D115445415F
!
!
bridge irb
!
!
!
interface Dot11Radio0
no ip address
!
encryption mode ciphers aes-ccm tkip
!
encryption vlan 2 mode ciphers aes-ccm tkip
!
encryption vlan 1 mode ciphers aes-ccm tkip
!
ssid GS-Guest
!
ssid GS-Wireless
!
antenna gain 0
stbc
beamform ofdm
mbssid
speed basic-1.0 basic-2.0 basic-5.5 basic-11.0 basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.2
encapsulation dot1Q 2
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 spanning-disabled
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
!
interface Dot11Radio1
no ip address
!
encryption mode ciphers aes-ccm tkip
!
encryption vlan 2 mode ciphers aes-ccm tkip
!
encryption vlan 1 mode ciphers aes-ccm tkip
!
ssid GS-Guest
!
ssid GS-Wireless
!
antenna gain 0
dfs band 3 block
stbc
beamform ofdm
mbssid
channel dfs
station-role root
!
interface Dot11Radio1.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1.2
encapsulation dot1Q 2
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 spanning-disabled
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
!
interface GigabitEthernet0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface GigabitEthernet0.2
encapsulation dot1Q 2
bridge-group 2
bridge-group 2 spanning-disabled
no bridge-group 2 source-learning
!
interface BVI1
ip address 192.168.1.51 255.255.255.0
!
ip default-gateway 192.168.1.1
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip route 0.0.0.0 0.0.0.0 10.251.10.1
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
login local
transport input all
!
end

Sandeep Choudhary · ‎06-10-2014

Hi,

You are using vlan 2 as guest vlan and you are also applying encryption to it thats is the main reason you asked for a password.

Remove this line and try again:

interface Dot11Radio0
no ip address
!
encryption mode ciphers aes-ccm tkip
!
~~encryption vlan 2 mode ciphers aes-ccm tkip~~
!
encryption vlan 1 mode ciphers aes-ccm tkip
!
ssid GS-Guest
!
ssid GS-Wireless
!
antenna gain 0
stbc
beamform ofdm
mbssid
speed basic-1.0 basic-2.0 basic-5.5 basic-11.0 basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
station-role root

Regards

Dont forget to rate helpful posts

jenebo001 · ‎06-10-2014

Removing that line did not work and has locked up my AP. On another AP I was able to take encryption off of vlan 2 in the encryption manager of the GUI. When I take the encryption off of vlan 2 the SSID associated with that vlan no longer requires a password, but does not allow us to connect. It simply states "Unable to connect to GS-Guest" from an array of devices. Any other suggestions?

Sandeep Choudhary · ‎06-10-2014

Hi,

You have to remove these and try again:

dot11 ssid GS-Guest
   vlan 2
   authentication open
   mbssid guest-mode
   ~~mobility network-id 2~~
!
dot11 ssid GS-Wireless
   vlan 1
   authentication open
   authentication key-management wpa
   ~~guest-mode~~
   mbssid guest-mode
   ~~infrastructure-ssid optional~~
   wpa-psk ascii 7 045C021403324F411C0D16051D0807567A7A70

interface Dot11Radio0
no ip address
!
~~encryption mode ciphers aes-ccm tkip~~
!
~~encryption vlan 2 mode ciphers aes-ccm tkip~~
!
encryption vlan 1 mode ciphers aes-ccm tkip
!
ssid GS-Guest
!
ssid GS-Wireless
!

interface Dot11Radio1
no ip address
!
~~encryption mode ciphers aes-ccm tkip~~
!
~~encryption vlan 2 mode ciphers aes-ccm tkip~~
!
encryption vlan 1 mode ciphers aes-ccm tkip
!
ssid GS-Guest
!
ssid GS-Wireless
!
antenna gain 0
dfs band 3 block

If you have any doubts then follow this blog:

http://rscciew.wordpress.com/2014/05/24/multiple-ssid-configurations-on-autonomous-ap/

Regards

Dont forget to rate helpful posts