Dot1x with port security and redundant radius servers

Similar Messages

• Port security and 802.1x (ISE)

  Hi everyone,
  I'm implemmenting ISE in a network with Port Security enabled.
  According the book Cisco ISE for BYOD and Secure Unified Access Port-security is not compatible with 802.1x.
  I want to know what is the affectation of to have Port-security and 802.1x enabled on the same SW Port.
  Someone?
  Thanks!

  Hi Neno,
  Thanks for the reply.. As we checked the port is going in error-disable with by phone mac address wherein phone is connected 24/7 and machine connects from phone.
  Please find below logs from switch - 
  Oct  1 09:21:11: %AUTHMGR-5-START: Starting 'dot1x' for client (e804.62eb.b435) on Interface Gi5/30 AuditSessionID AC1232470000E906E5392F07 ======Phone MAC
  Oct  1 09:21:12: %AUTHMGR-5-START: Starting 'dot1x' for client (0026.b9eb.28ec) on Interface Gi5/30 AuditSessionID AC1232470000E907E53931BF ======Laptop MAC
  Oct  1 09:21:12: %AUTHMGR-5-START: Starting 'dot1x' for client (0026.b9eb.28ec) on Interface Gi5/30 AuditSessionID AC1232470000E908E539329B
  Oct  1 09:21:12: %DOT1X-5-SUCCESS: Authentication successful for client (0026.b9eb.28ec) on Interface Gi5/30 AuditSessionID AC1232470000E908E539329B
  Oct  1 09:21:12: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0026.b9eb.28ec) on Interface Gi5/30 AuditSessionID AC1232470000E908E539329B
  Oct  1 09:21:12: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0026.b9eb.28ec| AuditSessionID AC1232470000E908E539329B| AUTHTYPEDOT1X| EVENT APPLY
  Oct  1 09:21:12: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 0026.b9eb.28ec| AuditSessionID AC1232470000E908E539329B| AUTHTYPE DOT1X| EVENT IP-WAIT
  Oct  1 09:21:13: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet5/30, new MAC address (e804.62eb.b435) is seen.AuditSessionID  Unassigned
  Oct  1 09:21:13: %PM-4-ERR_DISABLE: security-violation error detected on Gi5/30, putting Gi5/30 in err-disable state
  Oct  1 09:21:13: %AUTHMGR-5-START: Starting 'dot1x' for client (e804.62eb.b435) on Interface Gi5/30 AuditSessionID AC1232470000E909E53935F3
  Oct  1 09:21:13: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0026.b9eb.28ec| AuditSessionID AC1232470000E908E539329B| AUTHTYPEDOT1X| EVENT REMOVE
  Oct  1 09:21:13: %PM-4-ERR_DISABLE: STANDBY:security-violation error detected on Gi5/30, putting Gi5/30 in err-disable state
  Can you guide us how to fix this one
  Regards
  Pranav

• Cisco ISE with both internal and External RADIUS Server

  Hi
  I have ISE 1.2 , I configured it as management monitor and PSN and it work fine
  I would like to know if I can integrate an external radius server and work with both internal and External RADIUS Server simultanously
  So some computer (groupe_A in active directory ) will continu to made radius authentication on the ISE internal radius and other computer (groupe_B in active directory) will made radius authentication on an external radius server
  I will like to know if it is possible to configure it and how I can do it ?
  Thanks in advance for your help
  Regards
  Blaise

  Cisco ISE can function both as a RADIUS server and as a RADIUS proxy server. When it acts as a proxy server, Cisco ISE receives authentication and accounting requests from the network access server (NAS) and forwards them to the external RADIUS server. Cisco ISE accepts the results of the requests and returns them to the NAS.
  Cisco ISE can simultaneously act as a proxy server to multiple external RADIUS servers. You can use the external RADIUS servers that you configure here in RADIUS server sequences. The External RADIUS Server page lists all the external RADIUS servers that you have defined in Cisco ISE. You can use the filter option to search for specific RADIUS servers based on the name or description, or both. In both simple and rule-based authentication policies, you can use the RADIUS server sequences to proxy the requests to a RADIUS server.
  The RADIUS server sequence strips the domain name from the RADIUS-Username attribute for RADIUS authentications. This domain stripping is not applicable for EAP authentications, which use the EAP-Identity attribute. The RADIUS proxy server obtains the username from the RADIUS-Username attribute and strips it from the character that you specify when you configure the RADIUS server sequence. For EAP authentications, the RADIUS proxy server obtains the username from the EAP-Identity attribute. EAP authentications that use the RADIUS server sequence will succeed only if the EAP-Identity and RADIUS-Username values are the same.

• Reverse a receipt with appropriate security and approval ()

  Hi,
  Reverse a receipt with appropriate security and approval ()
  Need to make security and approval on making reverse receipt according to amount limit for user combined with the Reverse
  reason
  thanks

  You are trying to do the process which you ahve already transferred through Transaction QA11.
  The role of Cancel return Process has already been done by this transaction as the Stock has already been into Un- restricted.
  Best Regards,
  Ankur

• Problems with re authentications in a wireless with WLC working with web authentication and a radius server

  Hi everyone, im having problems in a wireless network, the SSID has security layer 2 WPA, layer 3 web authentication (internal default page), and external RADIUS.
  When a client makes a roaming from one AP to another one or when he has a idle time, he needs to re authenticate in the web login page. Somebody knows a solution to avoid this behavior?. Or somebody has a troubleshooting way to determine why the clients have this problems??

  A few things I can share that might help .. Your actually feet on the ground will be importnat to see this issue for yourself.
  I know when a client or if the AP sends a DEAUTH frame the client will need to reestablish its connection and it will 100% of the time require a new web auth. If a client loses connection while roaming and a DEAUTH is sent on either side you will get the page. If youre client isnt romaing cleanly this can be a problem.
  Another problem is your using EAP. Are you using CCK or a device that supports OKC. What does your radius server say when a client roams ?
  You could also simply your config and then reapply your security and see where it breaks. By this I mean. For testing, create a SSID turn off security and leave layer 3 web auth on. Roam and see what happens. If it works, then start to apply the security and see where it breaks.
  "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
  ‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

• Packet drops on 2960 with port-security enabled

  Hello,
  We are using the following port-security configuration on user access ports on Cisco 2960 switches, in order to protect the infrastructure to prevent MAC flooding attacks:
  switchport port-security maximum 10 switchport port-security switchport port-security aging time 1 switchport port-security violation restrict switchport port-security aging type inactivity
  There is a problem with the more "quiet" hosts, especially in technology - every time the MAC address ages out, the first packets (an ARP request usually) sent by the host is dropped by the switch. There is no violation logged, the switch should be OK to forward the packets but doesn't:
  Port Security              : EnabledPort Status                : Secure-upViolation Mode             : RestrictAging Time                 : 1 minsAging Type                 : InactivitySecureStatic Address Aging : DisabledMaximum MAC Addresses      : 10Total MAC Addresses        : 0Configured MAC Addresses   : 0Sticky MAC Addresses       : 0Last Source Address:Vlan   : 0011.aabb.ccdd:11Security Violation Count   : 0
  When port-security is turned off, all packets are forwarded without trouble. This is happening on both WS-C2960-24TT-L and WS-C2960-8TC-L, with IOS 12.2(35)SE1 and 12.2(50)SE5, respectively. I didn't check other models yet.
  I have found similar reports and bugs for the 2950 and 3750:
  https://supportforums.cisco.com/thread/163910
  https://supportforums.cisco.com/message/89560
  https://tools.cisco.com/bugsearch/bug/CSCeg63177
  https://tools.cisco.com/bugsearch/bug/CSCec21652
  Is there anything we can do to fix this?
  Is there an access switch that would not suffer from this problem? (Like 2960-S maybe?)
  Thank you.

  Hi Alioune,
  This is expected behaviour on the Nexus 1000v Ethernet interfaces when the uplinks are configured with MAC pinning.
  When using MAC pinning there's no special configuration of the ports on the upstream physical switches and so any broadcast packets are sent by the upstream switches on all uplinks towards the Nexus 1000v switch.
  On each VEM of the Nexus there's one uplink interface that is chosen as the Designated Receiver for broadcast traffic, and the function of the DR is to forward received broadcast traffic to VMs within the VLAN. The broadcast traffic received on any other uplinks of the VEM i.e., those that are not the acting as DR, drop the received broadcast traffic on ingress to the VEM.
  The drops you're seeing on the uplink interfaces are almost certainly the broadcast traffic being received on one or more non DR uplinks.
  Regards

• Port-security and Nexus 1000v

  Is there really any true need for port-security on Nexus 1000v for vethernet ports? Can a VM be assigned a previously used vethernet port that would trigger a port-security action?

  If you want to prevent admins or malicious users from being able change the mac address of a VM then port-security is a useful feature. Especially in VDI environments where users might have full admin control of the VM and can change the mac of the vnic.
  Now about veths ports. A veth gets assigned to a VM and stays with that VM. A veth is only released when either the nic on the VM is deleted or the nic is assigned to another port-profile on the N1KV or a port-group on a vSwitch or VMware DVS. Now when the veth is released it does not retain any of the piror information. It's freed up and added to a pool of available veths. When a veth is needed for a VM in either the same port-profile or a different port-profile the free veth will be grabbed and initialized. It does not retain any of the previous settings.
  So assigning a VM to a previsously used veth port should not trigger a violation. The MAC should get learned and traffic should be able to flow.

• Problem with ADF security and task flow calls

  Hi.
  I am using JDeveloper 11.1.2.0.0.
  I encountered a problem when tried to apply ADF security to my application.
  The way to reproduce the problem:
  1. Create new Fusion Web Application;
  2. Import Business Components from Tables from any existing schema and add at least one table to the ApplicationModule.
  3. Create "welcome page" (for instance, welcome.jsf). Add a button with fixed action outcome "test".
  4. Create test page, for instance, test.jsf. Drag and drop any view object from Data Controls onto the page and create a form with navigation controls. Add a button with fixed action outcome "return".
  5. Create bounded task flow, name it "test", drag and drop our test page on it - the page will be the default activity. Add a task flow return activity. Add a control flow case from the default view activity to the return activity, set From Outcome property to "return". So our return button should cause the task flow to exit.
  6. Open adfc-config.xml in diagram mode and place our welcome page on it. Then drag and drop the test task flow to create a task flow call activity. Add a control flow case from welcome page to task flow call activity, set the From Outcome property to "test". So our test button should call the test task flow.
  7. Configure application to run the unbounded task flow starting with Welcome view activity.
  At this point all works as expected: when application runs, the welcome page is displayed with test button. Pressing the test button results in displaying the test page, return button leads back to the welcome page.
  Now let's configure ADF Security.
  Run the ADF Security configuration wizard, choose ADF Authentication and Authorization.
  On the second page select Form-Based Authentication, check the Generate Default Pages flag.
  On the third page choose No Automatic Grants.
  On the next page keep the Redirect Upon Successful Authentication unchecked. Press Finish.
  Open jazn-data.xml to configure roles, users and resource grants:
  1. Create application role test-role.
  2. Grant the test-role privileges to view the test task flow.
  3. Create user and grant him the test-role.
  Now we have the public available welcome page and the test page with restricted access.
  When application runs, the welcome page is displayed as expected. Pressing the test button redirect us to auto-generated login page. After successful authorization the test page is displayed. But nothing happens if we click now the return button for the first time. When we click the return button once more, the application crushes with Error-500 and message "Target Unreachable, identifier 'bindings' resolved to null". The exact error trace depends on UI control bindings, but looks like this:
  javax.el.PropertyNotFoundException: //C:/Users/DUDKIN/AppData/Roaming/JDeveloper/system11.1.2.0.38.60.17/o.j2ee/drs/Test1/ViewControllerWebApp.war/test.jsf @10,120 value="#{bindings.Id.inputValue}": Target Unreachable, identifier 'bindings' resolved to null
       at com.sun.faces.facelets.el.TagValueExpression.isReadOnly(TagValueExpression.java:122)
       at oracle.adfinternal.view.faces.renderkit.rich.EditableValueRenderer._getUncachedReadOnly(EditableValueRenderer.java:476)
       at oracle.adfinternal.view.faces.renderkit.rich.EditableValueRenderer.getReadOnly(EditableValueRenderer.java:390)
       at oracle.adfinternal.view.faces.renderkit.rich.EditableValueRenderer.wasSubmitted(EditableValueRenderer.java:345)
       at oracle.adfinternal.view.faces.renderkit.rich.EditableValueRenderer.decodeInternal(EditableValueRenderer.java:116)
       at oracle.adfinternal.view.faces.renderkit.rich.LabeledInputRenderer.decodeInternal(LabeledInputRenderer.java:56)
       at oracle.adf.view.rich.render.RichRenderer.decode(RichRenderer.java:342)
       at org.apache.myfaces.trinidad.render.CoreRenderer.decode(CoreRenderer.java:274)
       at org.apache.myfaces.trinidad.component.UIXComponentBase.__rendererDecode(UIXComponentBase.java:1324)
  (the rest of lines skipped).
  Any suggestions?
  Edited by: user13307311 on Apr 16, 2013 11:39 PM

  @Lovin_JV_941794
  The welcome page is public available since it does not have appropriate PageDef file.
  Login page comes not from the welcome page, it comes after attempt to access the test page. So after the login succeeded the test page appears, because redirect to welcome page after successful login is not configured. I do not need to return the welcome page at this moment, I need to go to the test page.
  It seems the task flow call stack to be destroyed after redirect to login page.
  Edited by: user13307311 on Apr 17, 2013 12:45 AM

• Is apple working on a fix so it plays nice with internet security and filtering programs?

  Question is in the title.
  The conflict that causes us to disable internet security and filtering programs to get iTunes Store to open. Is that planning on being resolved?

  None of us know, and you won't get an answer from Apple on here. We are users just like you. Although not everyone has problems with that, I know I didn't when I used iTunes on my PC.

• RV220W - Problems with Port 25 and SMTP

  Hello. I'm really new to networking but I've been given the task of fixing a problem with our RV220W. Up until about two weeks ago our VOIP service would send our voicemails to our emails in a wav. file. But that's stopped completely when we came back last monday. I contacted our VOIP provider and they said they only send emails on port 25 and that our port must not be open anymore. (No network changes have taken place on our end)
  So I did the following to open up port 25:
  Then I
  Still didn't work and they ran a diagnostic and got the following:
  (10:42:30 AM) Liz: I restarted the postfix service and then tried to send a test:
  (10:42:52 AM) Liz: Unfortunately, same timeout:
  Oct 3 10:41:55 pbxtra6939 postfix/smtp[12538]: connect to ratsound.mail.pairserver.com[66.39.4.106]: Connection timed out (port 25)
  Oct 3 10:41:55 pbxtra6939 postfix/smtp[12538]: AB9472EC010: to=<[email protected]>, relay=none, delay=30, status=deferred (connect to ratsound.mail.pairserver.com[66.39.4.106]: Connection timed out)
  Our normal email service reported that they received no activity on there end and our ISP said they were not blocking port 25. So it must be something in the network settings right?
  Any help would be appreciated as this is driving me bananas.
  Thank You
  Kea Kanamu

  @indicter 
  Thank you for using HP support forum. I have sent you a private message. If you’re unsure how to check your private messages please click here.
  Thank you,
  Omar
  I Work for HP

• Problem with ws-security and MTOM

  Hi all,
  I have seriuos problem with WS-Swcurity and MTOM. When I anebled WS-Swcusriy on WSDl, MTOM messagies have all attachments inline, not as a part of message. Here my WSDL definition:
  <wsp:Policy wsu:Id="WSMTOMPolicy">
       <wsp:ExactlyOne>
           <wsp:All>
               <wsoma:OptimizedMimeSerialization
                      xmlns:wsoma="http://schemas.xmlsoap.org/ws/2004/09/policy/optimizedmimeserialization" />
           </wsp:All>
       </wsp:ExactlyOne>
         </wsp:Policy>
         <wsp:Policy name="UsernameToken" wsu:Id="WSSecurityPolicy">
        <sp:SupportingTokens>
              <wsp:Policy>
                    <sp:UsernameToken
                          sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                          <wsp:Policy>
                               <sp:WssUsernameToken11 />
                          </wsp:Policy>
                    </sp:UsernameToken>
              </wsp:Policy>
        </sp:SupportingTokens>
      </wsp:Policy>    
  Does anybody advise for me, some solution of this problem?
  Martin

  @Lovin_JV_941794
  The welcome page is public available since it does not have appropriate PageDef file.
  Login page comes not from the welcome page, it comes after attempt to access the test page. So after the login succeeded the test page appears, because redirect to welcome page after successful login is not configured. I do not need to return the welcome page at this moment, I need to go to the test page.
  It seems the task flow call stack to be destroyed after redirect to login page.
  Edited by: user13307311 on Apr 17, 2013 12:45 AM

• JMS and loadbalanced Radius servers

  I have a problem with sending JMS messages to a queue where they get picked up and implemented upon by executing cisco cmds via ssh, i seem to get varied JMS commnds sent to two different VPNs.
  there are two cisco swithes and two jboss appserevers, each having a radius serever to authenticate the remote ip address and then assign some firewall rules to the cisco kits via the JMS service , which are just cisco cmd via ssh or some type of secure telnet - put problem is that instaed of the same rule-set being applied to both the cisco swithes i get varaition in the firewall rules being sent to the swithes - sometime i get half sent to one swith and rest to the other , what should i be looking at to isolate the problem the logs dont show much , i have radius server logs and server logs and firewall logs - but cant see what the problem is where could someone suggest i look to start figuring out what the problem is - is it something to do with the load balancing , the JMS stuff - if so what should i look at or the ssh type telnet session from Java - is there known unreliabilty type issues with regards to transactions when executing cmd line stuff via a secure telnet session from a java object. Or does any one know of any other firewall manager type utility that can be integrated with a radius server and java application inoder to dynamically set up a firewall congiguration of cisco kit

  The service is via a topic as a destination .....
  the basic idea of the functionality is as follows ...i'm hoping some one can clearly spot what the issue would be such as known issues with excuting IOS cmds via ...CiscoController object which knows how to use SSH-2 protocol to send IOS commands.
  the basic idea of functionality is as follows:-
  The network elements themselves are protected against intrusion by using standard Cisco firewall technologies. A PIX 515e redundant pair is employed to protect each of the Access Points and the Control and Monitoring platform.
  The Dynamic Firewall works in conjunction with the RADIUS server to dynamically apply access list entries to the interface of the VPN routers in the Access Point.
  Address Assignment
  The RADIUS Server is responsible for assigning an IP address to a terminal, once it has requested access to the network. Session notifications, which include the assigned ip address and firewall rules, are communicated via a JMS Topic called �xxxxxSessionTopic� The firewall manager listens for these notifications and uses them to dynamically add access list entries to the vpn router. When a session is closed, i.e. when a terminal detaches from the network, another notification is broadcast as such. This is used to remove the access list entries from the router.
  It is important to ensure that the correct access list entries are added and removed when updating the router. Newer versions of Cisco IOS allow serial numbers to be employed when applying access list entries, thus negating the necessity to remove and re-apply all entries to ensure that they retain the same order. The firewall manager there makes use of the value of the id field for the Address object allocated to the terminal as a basis for generating the unique serial number. This is multiplied by 20 and the rule priority number in the FirewallRule object is added to make the serial number unique, as the ip address is a unique entity on the platform. This makes management of the access list entries relatively simple.
  Connectivity
  In order to ensure access to the VPN routers remains secure, SSH-2 is used by the Dynamic Firewall software to connect to the VPN routers and deliver the necessary IOS commands to insert new rules into the access list. The necessary access details are started in the SAR files that package the code and are located in the JBoss hot deploy directory on the application servers.
  Software Objects
  The Dynamic firewall components are packaged in a file named xxxxFirewallManager.sar. This is a JBoss service archive and is started on deployment of the SAR file to the jboss hot deploy directory, or on start up of the JBoss application server. The archive contains the java objects listed below, which are responsible for the implementation of the Dynamic Firewall, along with necessary configuration files.
  FirewallManagerMBean
  This is a JBoss JMX Service object that is registered onto the JBoss JMX bus. Two of these objects will be configured for each Router firewall that is to be managed by the application server. The object has a number of properties that must be initialised through the jboss-service.xml file that is stored in the SAR file. These properties are listed in the following table. See the example jboss-service.xml file in the configuration section.
  FirewallManager
  Each MBean creates a FirewallManager. The FirewallManager is responsible for receiving session creation and deletion notification messages over the JMS Topic �xxxxxSessionTopic�. It then un-marshals a FirewallRuleSet object containing the rules (up to 20) that must be applied to the access list. A FirewallController is then used to deliver these rules to the router
  FirewallController
  This specialises a CiscoController object which knows how to use SSH-2 protocol to send IOS commands.
  Configuration
  Configuration is located in the root directory of the SAR. One jboss-service.xml file must exist and a separate properties file will exist for each of the router access lists that are managed (normally 2 per router)
  the problem is that even with this sound architecure it seems that the firewall rules are not correctly and equally applied to both the routers.
  it may be a transactional issue where the messages have to be set inside a transaction - but can somebody please shed some light on this issue so that i'm not blindly going down different paths. does any one know of any way to easliy set up a dynamic firewall list and apply that to cisco kit? via a java app

• 802.1x port authentication and Windows Radius, possible?

  Hello,
  I'm just testing at the moment before implementing on our netowrk, but has anyone implemented 802.1x port authentication on there Cisco switch and used a Windows IAS server?  See out users are all all on a Windows domain and I want to authenticate using their active directory credentials.  I think I am fine with the switch config, but it is the Windows IAS/Raduis server.  I have added the switch IP's and secret, but I need to create a policy to accept the domain users and need help.
  Thanks

  Andy:
  Yes of course you can use whatever radius server as a AAA server for 802.1x authentication on the switches. NPS, IAS, ACS, Open RADIUS ....etc.
  If you have problem with configuring the IAS then I would suggest that you post your quesiton in a microsoft forum and not here. They would be able to better assist you with your issue. But you can still look somewhere in this forum or in google to help yourself.
  See this link, it could be useful for you:  https://supportforums.cisco.com/thread/2090403
  Regards,
  Amjad
  Rating useful replies is more useful than saying "Thank you"

• Scripting 'Save PSD as PDF with password security' and 'Open PDF with password security' issue.

  Hi!
  I'm now building an extension for Photoshop. The script (jsx) should save the active document as Photoshop PDF secured with a password. The PW is the same all the time and is set in the script. Then the script is to open the PDF with that same password. I need all this to protect the PDF from opening by a user, so that only the script has access to the file.
  I've googled a lot. I've seen a similar topic on this community dated as 2012. It's not answered. With an only comment saying that saving with a password seems to be possible via GUI and not via a script.
  Has anything changed since 2012?
  P.S. Illustrator .documentPassword and .requireDocumentPassword don't work in PS and ScriptListener still gives nothing :-/

  ScriptListener still gives nothing
  Which probably means the task is (still) not possible to achieve with Photoshop Scripting.
  Both Photoshop DOM and AM seem to have weaknesses/omissions that I would consider more relevant but if you regard the issue as crucial you may want to post a Feature Request over at
  Photoshop Family Customer Community

• Can I have 2 routers with different security and broadcast modes off same modem?

  Hi
  Apologies for not being too technical.  The background is that I have a mac and a dell laptop, both of which used to work off a Linksys WRT54G wireless router even though both computers are set up for N routers.  I then bought a Logitech Squeezebox internet radio, again working off the Linksys G.  The security on all 3 was WEP.
  I was then advised to upgrade my router to N and change security to WPA.  I bought a Netgear WNR2000 N wireless router as the local shop did not have any linksys n routers.  I tried to set up the three devices to this router but it seems that the radio will only broadcast G and WEP security.
  It then appeared that I would have to downgrade the other two computers back to G and WEP also and when I did that the internet speed really slowed down.
  My query is this, can I set up the Netgear N to be linked to my modem and broadcasting at N and WPA, thus linking my computers at top speed, and then can I link my Linksys to my Netgear and have that broadcast a different network on G/WEP for my radio?  If I can or if there is a better solution could someone tell me in easy steps how to do it?
  Very much obliged.

  You don't have to downgrade your router. Just enable mixed mode so it will allow wireless N and G devices to connect to the router. However, it will share the same wireless security mode.
  With regards to your query, the answer is yes. You can setup two (2) wireless routers, one providing N and WPA while the other one providing G and WEP. It might be a little complicated though. You have to cascade the routers. Both should have different SSID and channel.
  Try this setup first before changing the wireless options.