06-03-2014 11:35 PM - edited 07-05-2021 12:56 AM
We're having a problem with interference in the B/G range due to the large number of access points owned by other companies in a fairly small area. The various laptops keep deauthenticating, which is causing problems with applications. I'd like to configure two SSIDs on the same VLAN but have them broadcast on different frequencies. The AP complained about the configuration when I added the Company5.8 SSID below, stating another SSID can't be added to a VLAN, but it shows in the configuration. Does anyone have a suggestion as to what I can try? Thanks
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 1 mode ciphers aes-ccm
!
encryption vlan 3 mode ciphers aes-ccm
!
ssid Moleculera Labs
!
ssid Moleculera Labs-guest
!
antenna gain 0
mbssid
channel least-congested 2412 2437 2462
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.3
encapsulation dot1Q 3
no ip route-cache
bridge-group 3
bridge-group 3 subscriber-loop-control
bridge-group 3 block-unknown-source
no bridge-group 3 source-learning
no bridge-group 3 unicast-flooding
bridge-group 3 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm
!
encryption vlan 1 mode ciphers aes-ccm
!
encryption vlan 3 mode ciphers aes-ccm
!
ssid Moleculera Labs
!
ssid Moleculera Labs-guest
!
antenna gain 0
dfs band 3 block
mbssid
channel dfs
station-role root
!
interface Dot11Radio1.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1.3
encapsulation dot1Q 3
no ip route-cache
bridge-group 3
bridge-group 3 subscriber-loop-control
bridge-group 3 block-unknown-source
no bridge-group 3 source-learning
no bridge-group 3 unicast-flooding
bridge-group 3 spanning-disabled
!
06-17-2014 05:17 AM
Please post the full configuration (including SSID's config).
Try also to remove the command
encryption mode ciphers aes-ccm
from under radio 1 (5 GHz)
06-17-2014 07:42 PM
Hi,
Little fine tuning on configuration.
Only suggested change is to use wpa2 if your ap supports it. This can be done with below command.
under dot11 SSID add below line.
authentication key-management wpa version 2
If device does not support version v2 then modify the encryption for all vlan to support TKIP with below command.
encryption vlan 1 mode ciphers aes-ccm tkip
Since you are specifying encryption for each vlan separately you can remove the encryption statement under radio 1 like Amjad mentioned. Either way it won't harm you.
Hope that helps.
Regards
Najaf
06-17-2014 03:36 AM
Try this :
If you use VLANs on your wireless LAN and assign SSIDs to VLANs, you can create multiple SSIDs by using any of the four security settings on the Express Security page. However, if you do not use VLANs on your wireless LAN, the security options that you can assign to SSIDs are limited because of the limited Express Security page encryption options. Without VLANs, encryption settings (WEP and ciphers) apply to an interface, such as the radio, and you cannot use more than one encryption setting on an interface. For example, when you create an SSID with static WEP with VLANs disabled, you cannot create additional SSIDs with WPA authentication because they use different encryption settings. If you find that the security setting for an SSID conflicts with another SSID, you can delete one or more SSIDs to eliminate the conflict.
06-17-2014 08:29 AM
Amjad, if I delete "encryption mode ciphers aes-ccm" what kind of encryption will the AP use?
Mohanak, I'm using the same encryption settings with VLANs
Here is the more complete configuration:
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname COMPANY-AP
!
no logging console
enable secret 5 *
!
no aaa new-model
no ip domain lookup
ip domain name COMPANY.local
!
!
dot11 syslog
!
dot11 ssid COMPANY-2.4
vlan 1
authentication open
authentication key-management wpa
mbssid guest-mode
wpa-psk ascii 7 *
!
dot11 ssid COMPANY-5.8
vlan 1
authentication open
authentication key-management wpa
mbssid guest-mode
wpa-psk ascii 7 *
!
dot11 ssid COMPANY-guest
vlan 3
authentication open
authentication key-management wpa
guest-mode
mbssid guest-mode
wpa-psk ascii 7 *
!
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 1 mode ciphers aes-ccm
!
encryption vlan 3 mode ciphers aes-ccm
!
ssid COMPANY-2.4
!
ssid COMPANY-guest
!
antenna gain 0
mbssid
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.3
encapsulation dot1Q 3
no ip route-cache
bridge-group 3
bridge-group 3 subscriber-loop-control
bridge-group 3 block-unknown-source
no bridge-group 3 source-learning
no bridge-group 3 unicast-flooding
bridge-group 3 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm
!
encryption vlan 1 mode ciphers aes-ccm
!
encryption vlan 3 mode ciphers aes-ccm
!
ssid COMPANY-2.4 (Want this to be COMPANY-5.8)
!
ssid COMPANY-guest
!
antenna gain 0
dfs band 3 block
mbssid
channel dfs
station-role root
!
interface Dot11Radio1.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1.3
encapsulation dot1Q 3
no ip route-cache
bridge-group 3
bridge-group 3 subscriber-loop-control
bridge-group 3 block-unknown-source
no bridge-group 3 source-learning
no bridge-group 3 unicast-flooding
bridge-group 3 spanning-disabled
!
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
no keepalive
!
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface GigabitEthernet0.3
encapsulation dot1Q 3
no ip route-cache
bridge-group 3
no bridge-group 3 source-learning
bridge-group 3 spanning-disabled
!
interface BVI1
ip address 192.168.67.3 255.255.255.0
no ip route-cache
!
ip default-gateway 192.168.67.1
ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
exec-timeout 30 0
password 7 *
login local
!
end
COMPANY-AP#
06-21-2014 02:25 AM
The encryption will be used as it is already configured.
The command:
encryption vlan 1 mode ciphers aes-ccm
describes the encryption for vlan 1 (there is another command for vlan 3 as well).
That should be enough.
Now, you are also using the command
encryption mode ciphers aes-ccm
under the Radio1. This command can be used when you are not using vlans. Try to delete this and hope that will improve something.
Regards,
Amjad
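Added example (not part of the thread and not Cisco tooling): a Python check that reads an autonomous AP configuration and reports the settings the replies above point at, namely WPA key management not pinned to version 2, an interface-level "encryption mode ciphers" line alongside per-VLAN encryption, TKIP in a cipher list, and a VLAN mapped to more than one SSID. The function name audit and the sample configuration are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample adapted from the thread's config (secrets omitted).
SAMPLE = """\
dot11 ssid COMPANY-2.4
 vlan 1
 authentication key-management wpa
dot11 ssid COMPANY-5.8
 vlan 1
 authentication key-management wpa version 2
interface Dot11Radio0
 encryption vlan 1 mode ciphers aes-ccm tkip
 ssid COMPANY-2.4
interface Dot11Radio1
 encryption mode ciphers aes-ccm
 encryption vlan 1 mode ciphers aes-ccm
 ssid COMPANY-5.8
interface Dot11Radio1.1
 encapsulation dot1Q 1 native
"""

def audit(config):
    """Return sorted findings; ciphers are read from physical radios only."""
    findings, kind, name = set(), None, None
    vlan_ssids, enc = defaultdict(set), defaultdict(set)
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"dot11 ssid (.+)$", line):
            kind, name = "ssid", m.group(1)
        elif m := re.match(r"interface (\S+)$", line):
            name = m.group(1)
            kind = "radio" if re.fullmatch(r"Dot11Radio\d+", name) else None
        elif kind == "ssid" and (m := re.match(r"vlan (\d+)$", line)):
            vlan_ssids[m.group(1)].add(name)
        elif kind == "ssid" and (m := re.match(r"authentication key-management wpa\b(.*)", line)):
            if "version 2" not in m.group(1):
                findings.add(f"ssid {name}: key management not pinned to WPA version 2")
        elif kind == "radio" and (m := re.match(r"encryption (vlan \d+ )?mode ciphers (.+)$", line)):
            enc[name].add("vlan" if m.group(1) else "interface")
            if "tkip" in m.group(2).split():  # deprecated cipher still allowed
                findings.add(f"{name}: TKIP allowed by '{line}'")
    findings |= {f"{r}: 'encryption mode ciphers' set alongside per-VLAN encryption"
                 for r, s in enc.items() if s == {"interface", "vlan"}}
    findings |= {f"vlan {v}: shared by SSIDs {', '.join(sorted(s))}"
                 for v, s in vlan_ssids.items() if len(s) > 1}
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The parser keys on section headers rather than indentation, so it also accepts a configuration pasted flat with "!" separators, as in the posts above.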