Guest SSID broadcasting option

Hi,
In my network design, I have two WLCs. I have kept one WLC in the LAN and one in the DMZ. The WLC in the LAN has 90 access points associated to it. These access points are in different locations and are configured as HREAP.
I have created a Guest SSID and I want this SSID to be broadcast and used at only one location.
Is there any way to do this so that the Guest SSID is used in one location only and the remaining locations do not use the guest feature?
Please reply. Thanks in advance

Hi,
Yes, you can do this. This feature is called AP Grouping if we are using 4.2 and above WLC software. If we are using 4.2 and below, then it's called WLAN Override.
Here are the links to configure the same:
http://www.cisco.com/en/US/docs/wireless/controller/4.2/configuration/guide/c42wlan.html#wp1127323
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008073c723.shtml
http://www.cisco.com/en/US/products/ps6366/products_qanda_item09186a00808b4c61.shtml
Lemme know if this answered your question!!
Regards
Surendra

Similar Messages

  • Router Cisco 891-w SSID BroadCast

    I have successfully been able to configure my 891w router with a wireless network, but even when I allow the SSID to broadcast (using the GUI option Enable Broadcast), as soon as I save the settings with the SSID broadcast enabled, it goes back to SSID broadcast not enabled.
    Thanks

    Hi,
    This command should be entered inside the radio module..
    Issue the command on the router
    service module wlan-ap 0 session
    You will go into the AP module.
    Here, configure the guest-mode:
    en
    conf t
    dot11 ssid <your-SSID-name>
    guest-mode
    end
    lemme know if this helps..
    Regards
    Surendra

  • AIR-AP1142N-A-K9 configuration issue for guest ssid

    I'm trying to get the guest ssid working.  I was frustrated so saved my old config and wiped out everything on this AP.  Now my bvi1 does not come online.
    ap#sh ip int bri
    Interface                  IP-Address      OK? Method Status                Protocol
    BVI1                       192.168.2.249   YES NVRAM  down                  down    
    Dot11Radio0                unassigned      YES NVRAM  up                    up      
    Dot11Radio0.50             unassigned      YES unset  up                    up      
    Dot11Radio0.51             unassigned      YES unset  up                    up      
    Dot11Radio1                unassigned      YES NVRAM  administratively down down    
    GigabitEthernet0           unassigned      YES NVRAM  up                    up      
    GigabitEthernet0.50        unassigned      YES unset  up                    up      
    GigabitEthernet0.51        unassigned      YES unset  up                    up      
    ap#
    ap#sh int bvi
    *May  6 15:05:24.611: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  847a.8835.4f22 Associated KEY_MGMT[WPAv2 PSK]1
    BVI1 is down, line protocol is down
      Hardware is BVI, address is 003a.99eb.8d00 (bia b862.1fe9.9af0)
      Internet address is 192.168.2.249/24
      MTU 1500 bytes, BW 54000 Kbit, DLY 5000 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA, loopback not set
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input never, output never, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         0 packets input, 0 bytes, 0 no buffer
         Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
         3 packets output, 180 bytes, 0 underruns
         0 output errors, 0 collisions, 0 interface resets
         0 unknown protocol drops
         0 output buffer failures, 0 output buffers swapped out
    ap#
    I have a private VLAN 50 and the public VLAN 51.  The private SSID seems to work and allows connectivity to the internet, but I don't understand why, with the same configuration, the public SSID doesn't seem to work.
    I get this output when trying to connect with my cell phone. 
    *May  6 15:00:37.288: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 847a.8835.4f22 Reason: Sending station has left the BSS
    *May  6 15:00:38.432: %DOT11-6-ASSOC: Interface Dot11Radio0, Station TYLOR-NB 9c4e.3617.483c Reassociated KEY_MGMT[WPAv2 PSK]
    *May  6 15:00:42.935: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  847a.8835.4f22 Associated KEY_MGMT[WPAv2 PSK]
    *May  6 15:00:54.320: %DOT11-6-ASSOC: Interface Dot11Radio0, Station   2c44.01c3.70a6 Associated KEY_MGMT[WPAv2 PSK]
    *May  6 15:01:13.913: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 847a.8835.4f22 Reason: Sending station has left the BSS
    *May  6 15:01:17.281: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  847a.8835.4f22 Associated KEY_MGMT[WPAv2 PSK]
    *May  6 15:01:48.181: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 847a.8835.4f22 Reason: Sending station has left the BSS
    *May  6 15:01:51.583: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  847a.8835.4f22 Associated KEY_MGMT[WPAv2 PSK]
    *May  6 15:02:22.500: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 847a.8835.4f22 Reason: Sending station has left the BSS
    *May  6 15:03:41.852: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  847a.8835.4f22 Associated KEY_MGMT[WPAv2 PSK]
    SSID [PUBLIC] :
    MAC Address    IP address      Device        Name            Parent         State     
    847a.8835.4f22 0.0.0.0         ccx-client    -               self           Assoc    
    ap#
    ap#show run
    Building configuration...
    Current configuration : 2746 bytes
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname ap
    enable secret 5 $1$4jEJ$ajpjBvSx3DUhxyvLADj.91
    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local
    aaa session-id common
    dot11 syslog
    dot11 ssid PRIVATE
       vlan 50
       authentication open
       authentication key-management wpa version 2
       mbssid guest-mode
       wpa-psk ascii 7 01150F035E050E0A2D
    dot11 ssid PUBLIC
       vlan 51
       authentication open
       authentication key-management wpa version 2
       mbssid guest-mode
       wpa-psk ascii 7 045D02010A2F444B05
    username Admin privilege 15 password 7 0526071D3545175840
    bridge irb
    interface Dot11Radio0
     no ip address
     no ip route-cache
     encryption vlan 50 mode ciphers aes-ccm
     encryption vlan 51 mode ciphers aes-ccm
     encryption mode ciphers aes-ccm tkip
     ssid PRIVATE
     ssid PUBLIC
     antenna gain 0
     mbssid
     station-role root
    interface Dot11Radio0.50
     encapsulation dot1Q 50 native
     no ip route-cache
     bridge-group 50
     bridge-group 50 subscriber-loop-control
     bridge-group 50 block-unknown-source
     no bridge-group 50 source-learning
     no bridge-group 50 unicast-flooding
     bridge-group 50 spanning-disabled
    interface Dot11Radio0.51
     encapsulation dot1Q 51
     no ip route-cache
     bridge-group 51
     bridge-group 51 subscriber-loop-control
     bridge-group 51 block-unknown-source
     no bridge-group 51 source-learning
     no bridge-group 51 unicast-flooding
     bridge-group 51 spanning-disabled
    interface Dot11Radio1
     no ip address
     no ip route-cache
     shutdown
     antenna gain 0
     dfs band 3 block
     channel dfs
     station-role root
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
     bridge-group 1 spanning-disabled
    interface GigabitEthernet0
     no ip address
     no ip route-cache
     duplex auto
     speed auto
     no keepalive
    interface GigabitEthernet0.50
     encapsulation dot1Q 50 native
     no ip route-cache
     bridge-group 50
     no bridge-group 50 source-learning
     bridge-group 50 spanning-disabled
    interface GigabitEthernet0.51
     encapsulation dot1Q 51
     no ip route-cache
     bridge-group 51
     no bridge-group 51 source-learning
     bridge-group 51 spanning-disabled
    interface BVI1
     ip address 192.168.2.249 255.255.255.0
     no ip route-cache
    ip default-gateway 192.168.2.1
    ip http server
    ip http authentication aaa
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    bridge 1 route ip
    line con 0
    line vty 0 4
    end      
    switch config:
    interface FastEthernet1/0/46
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 50
     switchport trunk allowed vlan 50,51
     switchport mode trunk

    Hi
    I know the bridge-group has to be identical to the sub-interface number and VLAN number
    This is true for all other VLANs except for the native VLAN. For native VLAN sub-interfaces the bridge-group number should always be 1. In your case, if VLAN 50 is the native VLAN (the VLAN that 192.168.2.x/24 belongs to), then configure bridge-group 1 under those .50 sub-interfaces. Then everything should work :)
    It is ideal if you could put AP management (BVI IP) into a separate VLAN and put the two user groups into VLANs 50 & 51. Here is a sample configuration where VLAN 110 is Mgmt and VLANs 12, 13 are user VLANs.
    http://mrncciew.com/2012/10/24/multiple-ssid-config-on-autonomous-ap/
    HTH
    Rasika
    **** Pls rate all useful responses ****
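
The rule from the reply above (native-VLAN sub-interfaces go in bridge-group 1) can be checked offline against a saved configuration. This is an added example, not code from the thread or from Cisco; `parse_subinterfaces` and `audit` are hypothetical names and the sample is a constructed excerpt modelled on the posted layout. It goes slightly beyond the reply by also checking that the radio and Ethernet sides of each VLAN share one bridge group and that no user VLAN is bridged into group 1, and it assumes BVI1 is the routed interface of bridge group 1.

```python
import re

# Constructed excerpt modelled on the sub-interface layout in the post above
# (secrets and unrelated lines left out).
SAMPLE_CONFIG = """\
interface Dot11Radio0.50
 encapsulation dot1Q 50 native
 bridge-group 50
interface Dot11Radio0.51
 encapsulation dot1Q 51
 bridge-group 51
interface GigabitEthernet0.50
 encapsulation dot1Q 50 native
 bridge-group 50
interface GigabitEthernet0.51
 encapsulation dot1Q 51
 bridge-group 51
interface BVI1
 ip address 192.168.2.249 255.255.255.0
"""

# Same excerpt with the native VLAN moved into bridge-group 1, as the reply suggests.
FIXED_CONFIG = SAMPLE_CONFIG.replace("bridge-group 50", "bridge-group 1")

ENCAP_RE = re.compile(r"^encapsulation dot1Q (\d+)( native)?$")
BGROUP_RE = re.compile(r"^bridge-group (\d+)$")  # skips "bridge-group N <option>" lines


def parse_subinterfaces(config):
    """Map each dot1Q sub-interface to its VLAN, native flag and bridge group."""
    subifs, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif current is not None:
            m = ENCAP_RE.match(line)
            if m:
                subifs[current] = {"vlan": int(m.group(1)),
                                   "native": m.group(2) is not None,
                                   "bridge_group": None}
            else:
                m = BGROUP_RE.match(line)
                if m and current in subifs:
                    subifs[current]["bridge_group"] = int(m.group(1))
    return subifs


def audit(config):
    """Return (interface, problem) tuples; an empty list means every check passed."""
    subifs = parse_subinterfaces(config)
    findings = []
    groups_by_vlan = {}
    for name, s in sorted(subifs.items()):
        bg = s["bridge_group"]
        if bg is None:
            findings.append((name, "no bridge-group configured"))
            continue
        groups_by_vlan.setdefault(s["vlan"], set()).add(bg)
        if s["native"] and bg != 1:
            findings.append((name, f"native VLAN {s['vlan']} is in bridge-group {bg}, expected 1"))
        elif not s["native"] and bg == 1:
            # A user or guest VLAN in group 1 is bridged together with the native VLAN.
            findings.append((name, f"non-native VLAN {s['vlan']} is in bridge-group 1"))
    for vlan, groups in sorted(groups_by_vlan.items()):
        if len(groups) > 1:
            findings.append((f"VLAN {vlan}", f"radio and Ethernet sides differ: {sorted(groups)}"))
    has_bvi1 = re.search(r"^\s*interface BVI1\s*$", config, re.MULTILINE) is not None
    if has_bvi1 and not any(s["bridge_group"] == 1 for s in subifs.values()):
        findings.append(("BVI1", "no sub-interface is in bridge-group 1"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("after fix", FIXED_CONFIG)):
        print(label)
        for iface, problem in audit(cfg) or [("-", "no findings")]:
            print(f"  {iface}: {problem}")
```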

  • IPod Touch - WiFi - SSID Broadcast Works/SSID No Broadcast Doesn't Work

    This is maddening in so many different ways:
    I have two (2) 2nd Generation iPod Touch 8Gb products. Both are nearly identical in every way -- how they connect, OS, Library, similar Apps (but not the same all the time), etc.
    iPod Touch "A" works flawlessly. No issues, no problems, no complaints
    iPod Touch "B" started behaving badly by first losing my WPA security but recognizing my home network. Strong password creation was a hassle but I got clever. Over time, it got worse to the point that it would not even recognize the existence of my 802.11g home network.
    CAVEATS 1) We live in a rural area and on my property, not another network can be found. 2) Plenty of 2.4 GHz stuff around including other wireless computers but... 3) This is my profession and I am flummoxed but have ideas....
    FINDINGS: 1) iPod "B" works fine in the public space. All wireless networks work just fine and dandy. 2) I turn on my home network SSID BROADCAST and this iPod works fine (after being set up again). 3) Turn off SSID Broadcast and once this iPod sleeps or is turned off/on, no more network but go to any place that has a public broadcast SSID and no security and it's fine again... 4) No matter what I have and what I do, iPOD "A" works flawlessly.
    WHAT I HAVE DONE: 1) made sure that I have plenty of DHCP scope -- yup. 2) Checked my leases - when connected I see perfectly valid MACs and leases without incident. 3) Check for overlapping or conflicts in IP Address allocation and MAC addresses (you never know...) - no problems there. 4) Quadruple checked "A" vs. "B" settings -- identical. 5) Dumped the entire flash and OS and started with a clean slate -- same issues with no apps, music, photos, movies -- nada... just a raw iPod like it came out of the box... same problem 6) Asked Apple to replace it as it's under warranty -- done. 7) Started testing again as a clean slate and found that it worked... replacing the iPod did the trick...
    So, I "RESTORE" the iPOD to garner all the hard work that was put into it -- contacts, settings, etc. I "SYNCH" the iPOD to recover my angel's precious photos, apps, movies, music.... I return it back to its originally desired state EXCEPT that one must completely reconfigure things like networking by hand -- OK.
    It's back to normal, as desired, in the configuration we want and it WORKS!!!! Albeit... only for a day... and now we are back to where we started -- again...
    iPod "A" works flawlessly and the new "B" is back to its same old tricks --
    OK - What does a restore do anyway? Is there some small pile of firmware that writes over the fresh load from OS? In order to preserve my contacts and other things a restore supports, did I uncover the super secret bug that Apple will refuse to acknowledge? Can I still say that I hate iTunes without being flamed a thousand deaths? Is there a diagnostic easter egg I can try?
    And before I started this soliloquy -- I watched my functioning iPod "B" go to sleep with a working home network... only to wake her from her slumber... tuned out - with Not Connected living in her Wi-Fi field.... <sigh - simply maddening>
    The only thing that sets these two apart are the nuances associated with configs that are part of the user's own personal interface desires and resident app input (contacts, calendar, etc...).
    AGE

    First off -- thank you all for replying and providing your insight, stories, and findings with your own iPod Touch, MAC, and iPhone WiFi fun...
    You are all wonderful contributors.
    Just to be clear, as others have mentioned -- this is not a feature and we should not have to tolerate it. This iPod, like the other one and yours too, once worked flawlessly and then continued to degrade to a point of not functioning according to the 802.11g IEEE standard. Something that has been in development for over 10 years and has been an adopted standard in consumer electronics for more than 7 years -- an eternity in this industry.
    To be clear, I performed TWO ultimate resets -- completely wiping the firmware and OS of the original hardware and tested a completely wiped iPod Touch to no avail and the second "reset" was a brand new replacement -- right out of the box -- under warranty. No network resets necessary. The new iPod worked as expected without any original data loaded. Once a backup was "restored," and the iPod was synch'd with the library of choice, then the troubles started again. The networking does not restore -- you have to build a secure network from scratch. And again, the "A" iPod exhibits none of this odd behavior.
    It is a testament that Apple has a problem in code when other iPods running similar OS behave the same. The reason that I mention the geeky standard above is because we should not have to broadcast our SSID for this to work -- it's an open standard, not something proprietary. We should not have to conform to "work around" solutions. And, yes, NOT broadcasting SSID is part of the entire package of sound security. I have to strongly disagree with all the nay-sayers. You don't go walking around the streets with money hanging out of your pockets or your wallet sticking out of your shirt pocket for a reason -- but I bet that you have cash on you and I can find it pretty quickly. It's why purse snatching is a crime of violence and rampant in larger cities and pick-pockets use finesse. One is easy pickings for anyone to try and the other requires tools and skills. If you don't flaunt it, the low level threat is removed.
    As for strong security, the option for WEP is not an option. I use multiple levels of acceptable stronger encryption, logging, limited DHCP scopes, MAC controls at times, stateful firewall controls, and other radio tricks of the trade. My only failing is having to pander to the lowest common denominator within my home network.
    Anyway, I spent a bit more time surfing and find this problem ubiquitous in 2.2.1 and forward. Something is amiss at Apple. All my Windows-based products work just fine (as does my Wii).
    Keep those cards and letters coming folks.
    AGE

  • How to enable SSID broadcast? (E4200 Cloud f/w)

    I got E4200 v.2 with the latest cloud firmware. On the previous (non-cloud) firmware there was an option to enable or disable SSID broadcast, and I disabled it. Now I want to enable it back, but cannot find this option in Cisco Connect Cloud.
    So there is a question: how to enable SSID broadcast on the E4200 v.2 with Cisco Connect Cloud firmware?
    wbr, bg

    In your case, you need to reset the router to factory defaults, at which point the SSID will be set to broadcast and it cannot be disabled. To know more about why there is no option to disable the SSID broadcast anymore on the Cloud firmware, click here.

  • How to stop SSID broadcasting

    Where do I find the option to stop SSID broadcasting in my Actiontec MI424WR Rev. F Router?
    The user guide is located here:
    http://onlinehelp.verizon.net/consumer/bin/pdf/ActiontecMI1424WRUserManual.pdf
    and it shows where that option is but the screens in the manual do not match the screens you see when you login into the router (not even close). I looked through every screen while logged into the router and I could not find it. I would expect it to be a check box to turn broadcasting on or off in the same screen that you assign the SSID name but the option is not there.
    In addition, where can I find a link to download the user guide that matches this router?
    I wanted to email Verizon tech support to ask them this but they do not accept email questions concerning Wireless issues. They should accept email questions about any issues concerning their equipment. I tried their chat support a few times but it keeps saying it is unavailable even during the listed hours of operation.
    Thanks to anyone who can help me out.

    The following FAQ will help you
    http://www.dslreports.com/faq/11468

  • SSID broadcasts a secure network but no security configured

    Hi,
    I have a wireless network using Cisco 1231G APs in autonomous mode. Each AP is configured with a guest VLAN and this points to a BBSM server.
    The issue I'm having is the SSID for guest access is configured as open with no security parameters set. However, my client (CB21AG) sees the network being broadcast sometimes as open and other times as secure.
    AP configuration:
    ssid bbsm
    vlan 295
    authentication open
    guest-mode
    IOS Version: 12.2(13)JA4
    Output captured from AP scan logs:
    2008-10-01 12:43:36 ,bbsm,00:12:DA:A7:F5:30,-50,Secure,G,1
    2008-10-01 12:43:36 ,bbsm,00:12:DA:A7:F3:B0,-71,Open,G,11
    2008-10-01 12:43:36 ,bbsm,00:12:DA:AE:A7:B0,-78,Secure,G,2
    2008-10-01 12:43:36 ,bbsm,00:12:DA:AE:7B:90,-91,Open,G,10
    2008-10-01 12:43:36 ,bbsm,00:12:DA:B6:58:60,-91,Secure,G,13
    2008-10-01 12:43:36 ,bbsm,00:12:DA:B6:66:F0,-92,Secure,G,13
    2008-10-01 12:43:36 ,BTOpenzone,00:02:8A:A3:04:A4,-71,Open,B,6
    2008-10-01 12:43:36 ,hpsetup,02:13:02:00:02:15,-88,Open,G,11
    2008-10-01 12:43:36 ,Voyager test,00:16:E3:32:58:A9,-43,Open,G,5
    2008-10-01 12:43:56 ,bbsm,00:12:DA:A7:F5:30,-52,Secure,G,1
    2008-10-01 12:43:56 ,bbsm,00:12:DA:A7:F3:B0,-69,Secure,G,11
    2008-10-01 12:43:56 ,bbsm,00:12:DA:AE:A7:B0,-77,Secure,G,2
    2008-10-01 12:43:56 ,bbsm,00:12:DA:AE:7B:90,-89,Secure,G,10
    2008-10-01 12:43:56 ,bbsm,00:12:DA:B6:58:60,-91,Secure,G,13
    2008-10-01 12:43:56 ,bbsm,00:12:DA:B6:66:F0,-92,Secure,G,13
    2008-10-01 12:43:56 ,bbsm,00:12:DA:AE:9B:00,-93,Secure,G,5
    2008-10-01 13:20:36 ,bbsm,00:12:DA:A7:F5:30,-52,Open,G,1
    2008-10-01 13:20:36 ,bbsm,00:12:DA:A7:F3:B0,-67,Open,G,11
    2008-10-01 13:20:36 ,bbsm,00:12:DA:B6:58:60,-91,Open,G,13
    2008-10-01 13:20:36 ,bbsm,00:12:DA:AE:A7:B0,-75,Open,G,2
    2008-10-01 13:20:36 ,bbsm,00:12:DA:AE:7B:90,-94,Open,G,10
    2008-10-01 13:20:36 ,BTOpenzone,00:02:8A:A3:04:A4,-69,Open,B,6
    2008-10-01 13:20:36 ,Voyager test,00:16:E3:32:58:A9,-40,Open,G,5
    Any ideas or help on why I sometimes see the ssid broadcast as secure?
    Thanks
    Simon
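
A scan log in this layout can be summarised per BSSID to see which radios changed their advertised security state and when, and to compare the result with the configured setting and the AP inventory. This is an added example, not part of the original post; the field order (timestamp, SSID, BSSID, RSSI, security, band, channel) is an assumption read off the posted lines, the function names are hypothetical, and the sample log with its `02:00:00:…` addresses is constructed.

```python
import csv
from collections import defaultdict
from datetime import datetime

# Constructed sample in the same comma-separated layout as the log in the post.
# Assumed field order: timestamp, SSID, BSSID, RSSI, security, band, channel.
SAMPLE_LOG = """\
2008-10-01 12:43:36 ,guest,02:00:00:00:00:01,-50,Secure,G,1
2008-10-01 12:43:36 ,guest,02:00:00:00:00:02,-71,Open,G,11
2008-10-01 12:43:36 ,other net,02:00:00:00:00:09,-71,Open,B,6
2008-10-01 12:43:56 ,guest,02:00:00:00:00:01,-52,Secure,G,1
2008-10-01 12:43:56 ,guest,02:00:00:00:00:02,-69,Secure,G,11
2008-10-01 13:20:36 ,guest,02:00:00:00:00:01,-52,Open,G,1
2008-10-01 13:20:36 ,guest,02:00:00:00:00:02,-67,Open,G,11
2008-10-01 13:20:36 ,other net,02:00:00:00:00:09,-69,Open,B,6
"""


def parse_scan_log(text):
    """Parse scan lines into dicts, skipping rows that do not fit the layout."""
    records = []
    for row in csv.reader(text.splitlines()):
        if len(row) != 7:
            continue  # blank line, header, or an SSID containing a comma
        ts, ssid, bssid, rssi, security, band, channel = (f.strip() for f in row)
        try:
            when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
            records.append({"time": when, "ssid": ssid, "bssid": bssid.lower(),
                            "rssi": int(rssi), "security": security,
                            "band": band, "channel": int(channel)})
        except ValueError:
            continue  # malformed timestamp or number
    return records


def security_changes(records):
    """Return {(ssid, bssid): [(time, state), ...]} for radios whose state changed."""
    history = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["time"]):
        states = history[(rec["ssid"], rec["bssid"])]
        # Record a new entry only when the advertised state differs from the last one.
        if not states or states[-1][1] != rec["security"]:
            states.append((rec["time"], rec["security"]))
    return {key: states for key, states in history.items() if len(states) > 1}


def audit_ssid(records, ssid, expected, known_bssids):
    """Compare what was seen on air for one SSID with what is configured."""
    known = {b.lower() for b in known_bssids}
    unknown, deviations = set(), defaultdict(int)
    for rec in records:
        if rec["ssid"] != ssid:
            continue
        if rec["bssid"] not in known:
            unknown.add(rec["bssid"])        # radio not in the AP inventory
        if rec["security"] != expected:
            deviations[rec["bssid"]] += 1    # scans that disagree with the config
    return {"unknown_bssids": sorted(unknown), "deviations": dict(deviations)}


if __name__ == "__main__":
    recs = parse_scan_log(SAMPLE_LOG)
    for (ssid, bssid), states in sorted(security_changes(recs).items()):
        trail = " -> ".join(f"{t:%H:%M:%S} {s}" for t, s in states)
        print(f"{ssid} {bssid}: {trail}")
    print(audit_ssid(recs, "guest", "Open", {"02:00:00:00:00:01"}))
```

Changes that hit every BSSID in the same scan pass point at the scanning client or driver; a change confined to one BSSID, or a BSSID missing from the inventory, is the one to check at the AP itself.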

    It is one of mine. Yes. It connects to it no problem, just doesn't connect to the actual internet. Network diagnostics has all green lights until the ISP and/or Internet point. If I walk through diagnostics, it will get to the point where it says that the network requires a WEP password. I don't know why it does that because my network is not password-protected (husband claims it doesn't work well with his VPN system to get into work network). If I leave it blank, the connection will work. Eventually, after the computer is put to sleep, I will have the same problem upon waking up. I just tried renaming the network and removing all preferred networks and rebooting. Let's see how that works.

  • Rate limit guest ssid 5500 foreign to 2504 anchor

    Hi
    We have a need to limit bandwidth on guest ssid that is tunnelled to anchor controller.  The 2504 doesn't have rate limiting options but the 5500 does.  If we enabled the rate limit on the SSID details on the foreign would it work (seeing as though the anchor can't have same settings).  I would have thought that the access points terminate on the foreign therefore the rate limit would apply there.
    Would this work or do I need another 5500 as the anchor so that rate limits can match on the SSID?

    Thanks.  It would be nice if Cisco documentation actually clarified this as all guest anchor docs seem not to mention having to have both controllers supporting QoS profiles.

  • AP1231G and guest ssid

    Standalone AP1231G running c1200-k9w7-mx.123-8.JEC2, set up with an internal SSID (VLAN 24) and a guest SSID (VLAN 124). Here's the problem:
    Both SSIDs pick up the native VLAN 1 DHCP address and not their respective VLAN's. I verified that the DHCP server is working on VLAN 24 and 124 on the switch, but on the AP it always stays with VLAN 1. The AP can ping all VLAN interfaces on the router. The DHCP server hangs off the router.
    topology is 3725(with NMD-36-ESW port 2/2) trunk to AP. Below is the relevant configs:
    *************3725***************
    interface FastEthernet2/2
    switchport trunk native vlan 9
    switchport mode trunk
    interface Vlan1
    description Data
    ip address 10.7.1.254 255.255.255.0
    interface Vlan9
    description MANAGEMENT
    ip address 10.7.9.1 255.255.255.0
    ip helper-address 10.7.1.10
    ip helper-address 10.7.1.11
    interface Vlan24
    description WIRELESS
    ip address 10.7.24.1 255.255.255.0
    ip helper-address 10.7.1.10
    ip helper-address 10.7.1.11
    interface Vlan124
    description *****WIRELESS GUEST*****
    ip address 10.7.124.1 255.255.255.0
    ip helper-address 10.7.1.10
    ip helper-address 10.7.1.11
    **************AP CONFIGS***********
    aaa group server radius rad_eap
    server 10.0.21.121 auth-port 1812 acct-port 1813
    aaa group server radius rad_acct
    server 10.0.21.121 auth-port 1812 acct-port 1813
    aaa authentication login eap_methods group rad_eap
    aaa accounting network acct_methods start-stop group rad_acct
    dot11 vlan-name rms-guest vlan 124
    dot11 vlan-name wavenet vlan 24
    dot11 ssid rms-guest
    vlan 124
    authentication open
    authentication key-management wpa
    guest-mode
    wpa-psk ascii 7 <removed>
    dot11 ssid wavenet
    vlan 24
    authentication open eap eap_methods
    authentication network-eap eap_methods
    accounting acct_methods
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    encryption vlan 124 mode ciphers tkip
    encryption vlan 24 mode wep mandatory
    broadcast-key vlan 124 change 360
    ssid rms-guest
    ssid wavenet
    interface Dot11Radio0.1
    description MANAGEMENT AND NATIVE
    encapsulation dot1Q 9 native
    no ip route-cache
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface Dot11Radio0.24
    description WAVENET SSID
    encapsulation dot1Q 24
    no ip route-cache
    bridge-group 24
    bridge-group 24 subscriber-loop-control
    bridge-group 24 block-unknown-source
    no bridge-group 24 source-learning
    no bridge-group 24 unicast-flooding
    bridge-group 24 spanning-disabled
    interface Dot11Radio0.124
    description RMS-GUEST SSID
    encapsulation dot1Q 124
    no ip route-cache
    bridge-group 124
    bridge-group 124 subscriber-loop-control
    bridge-group 124 block-unknown-source
    no bridge-group 124 source-learning
    no bridge-group 124 unicast-flooding
    bridge-group 124 spanning-disabled
    interface FastEthernet0.1
    description MANAGEMENT AND NATIVE
    encapsulation dot1Q 9 native
    no ip route-cache
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    interface FastEthernet0.24
    description WAVENET SSID
    encapsulation dot1Q 24
    no ip route-cache
    bridge-group 24
    no bridge-group 24 source-learning
    bridge-group 24 spanning-disabled
    interface FastEthernet0.124
    description RMS-GUEST SSID
    encapsulation dot1Q 124
    no ip route-cache
    bridge-group 124
    no bridge-group 124 source-learning
    bridge-group 124 spanning-disabled
    interface BVI1
    ip address 10.7.9.10 255.255.255.0
    no ip route-cache
    ip default-gateway 10.7.9.1
    ip radius source-interface BVI1
    radius-server host 10.0.21.121 auth-port 1812 acct-port 1813 key 7 <removed>
    bridge 1 route ip

    Is it possible that you're VLAN hopping? VLAN 1 is normally the native VLAN, and you have VLAN 9 configured. Check your config carefully and make sure that your native VLAN on all your uplinks is consistent, assuming there are any uplinks. What you posted appears correct, though.
    Honestly, I don't see a problem with the configuration you posted. You might want to reset the device to factory defaults or upgrade the IOS to ensure it's not a bug.
    You aren't using dynamic VLAN assignment, are you?
    Let us know if you figure it out, I'm curious what's going on here :D

  • How can I disable SSID broadcast with Time Capsule?

    I have always disabled the SSID broadcast with other devices. It is a big help with securing the networks. Can this be done with Time Capsule? If yes, please tell me how.
    Thanks.

    You can by turning on hidden network.
    Open the airport utility .. click on your TC, and then edit.. go to the wireless TAB. Click on wireless options. Click Create hidden network.
    Let me add in modern world.. it is totally useless. A person can see your hidden network using any standard wireless analysis software. It adds no security at all.. and WPA2 Personal with a decent password 10-20 characters mix of upper and lower case plus numbers is still solid.. add more characters if you are paranoid.. but honestly hiding SSID does nothing.
    http://www.howtogeek.com/howto/28653/debunking-myths-is-hiding-your-wireless-ssid-really-more-secure/
    If you did not know it is not part of the IEEE wireless standard.. it therefore often leads to problems with clients.
    There are many other reasons given in the article above..

  • Disabling SSID broadcast sets NAT to strict for XBOX 360, even if wired to WRT160N

    I don't know if this is true with all routers, but with my WRT160N, I found that disabling SSID broadcast causes NAT to go into STRICT mode, and there's no way to get back to OPEN (port forwarding, DMZ, etc.) unless you enable it. Unfortunately I had just upgraded my firmware, which sent me and the Linksys tech down the wrong path. The bummer is that XBOX is wired to my router, so not sure why this would've been affected.  Hopefully this helps, since I've seen several **bleep**!?! threads around this.  I just happened to stumble across this after my NAT opened up when I reset my router to factory settings.  Stepped through the changes I had made from default, and voilà, it was the stupid disabled SSID broadcasting.
    Message Edited by daveyhatton on 01-26-2010 01:42 PM

    You are wasting more "cycles" if you disable the broadcast because your wireless devices have to actively search your network instead of simply listening to the list of broadcast SSIDs and connect to the correct one.
    If "normal folk" want to crack your network they will quickly give up if they do it manually (assuming you have a strong WPA2 passphrase set on your router). Those few attempts won't cause you problems. Your router and wireless network will be far more affected by other wireless networks and interference than some failing connection attempts.
    Of course, I assume here that you have changed the SSID from "linksys" to something unique. If you still use "linksys" you will probably see quite a few failing connection attempts, not intentionally but because some people had their computer configured to connect to "linksys" before and still use it or did not remove it from their list of preferred networks. And if it is still "linksys" hiding the SSID won't make a change here, too...
    They provide the option because that's what people want to see and buy. It does not matter whether it is really useful or not. Marketing says you can "hide" your router and people believe it. If you take the first computer at hand and look for networks the normal way it won't list it. Great, people believe it's "invisible". Sells good. Just like people need firewalls to "stealth" their computers in the internet which neither hides their computer nor makes it any more secure...
    As long as marketing does not mention that a simple network sniffer will immediately show the existence of the router and very soon will also reveal the SSID... It wouldn't sell so good anymore...
    Of course, the setting should not affect port forwarding and your "NAT" level. Could be a firmware bug in the WRT160N.
    Message Edited by gv on 01-27-2010 07:40 PM

  • Clients not receiving DHCP IP address from HREAP centrally Switched Guest SSID

    Hi All,
    I am facing a problem in a newly deployed branch site where the Clients are not receiving DHCP IP address from a centrally switched Guest SSID. I see the client status is associated but the policy manager state is in DHCP_REQD.
    The DHCP pool is configured on the controller itself. The local guest clients are able to get DHCP and all works fine; the issue is only with the clients in the remote site. The HREAP APs are in connected mode. Could you please suggest what could be the problem? Below is the output of the debug client.
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 Adding mobile on LWAPP AP 3c:ce:73:6d:37:00(1)
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 Reassociation received from mobile on AP 3c:ce:73:6d:37:00
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 0.0.0.0 START (0) Changing ACL 'Guest-ACL' (ACL ID 0) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1393)
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 Applying site-specific IPv6 override for station 10:40:f3:91:7e:24 - vapId 17, site 'APG-MONZA', interface 'vlan_81'
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1393)
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 Applying IPv6 Interface Policy for station 10:40:f3:91:7e:24 - vlan 81, interface id 13, interface 'vlan_81'
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 Applying site-specific override for station 10:40:f3:91:7e:24 - vapId 17, site 'APG-MONZA', interface 'vlan_81'
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1393)
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 STA - rates (8): 140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 0.0.0.0 START (0) Initializing policy
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 3c:ce:73:6d:37:00 vapId 17 apVapId 1
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 apfMsAssoStateInc
    *apfMsConnTask_3: May 24 13:26:49.373: 10:40:f3:91:7e:24 apfPemAddUser2 (apf_policy.c:222) Changing state for mobile 10:40:f3:91:7e:24 on AP 3c:ce:73:6d:37:00 from Idle to Associated
    *apfMsConnTask_3: May 24 13:26:49.373: 10:40:f3:91:7e:24 Scheduling deletion of Mobile Station:  (callerId: 49) in 28800 seconds
    *apfMsConnTask_3: May 24 13:26:49.373: 10:40:f3:91:7e:24 Sending Assoc Response to station on BSSID 3c:ce:73:6d:37:00 (status 0) ApVapId 1 Slot 1
    *apfMsConnTask_3: May 24 13:26:49.373: 10:40:f3:91:7e:24 apfProcessAssocReq (apf_80211.c:4672) Changing state for mobile 10:40:f3:91:7e:24 on AP 3c:ce:73:6d:37:00 from Associated to Associated
    *apfReceiveTask: May 24 13:26:49.373: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
    *apfReceiveTask: May 24 13:26:49.373: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 4183, Adding TMP rule
    *apfReceiveTask: May 24 11:35:53.373: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule
      type = Airespace AP - Learn IP address
      on AP 3c:ce:73:6d:37:00, slot 1, interface = 13, QOS = 3
      ACL Id = 255, Jumbo F
    *apfReceiveTask: May 24 13:26:49.373: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 7006  IPv6 Vlan = 81, IPv6 intf id = 13
    *apfReceiveTask: May 24 13:26:49.373: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255)
    *pemReceiveTask: May 24 13:26:49.373: 10:40:f3:91:7e:24 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
    *pemReceiveTask: May 24 13:26:49.373: 10:40:f3:91:7e:24 Sent an XID frame
    *apfMsConnTask_3: May 24 13:26:49.401: 10:40:f3:91:7e:24 Updating AID for REAP AP Client 3c:ce:73:6d:37:00 - AID ===> 1
    *apfReceiveTask: May 24 13:28:49.315: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) DHCP Policy timeout
    *apfReceiveTask: May 24 13:28:49.315: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) Pem timed out, Try to delete client in 10 secs.
    *apfReceiveTask: May 24 13:28:49.315: 10:40:f3:91:7e:24 Scheduling deletion of Mobile Station:  (callerId: 12) in 10 seconds
    *osapiBsnTimer: May 24 13:28:59.315: 10:40:f3:91:7e:24 apfMsExpireCallback (apf_ms.c:599) Expiring Mobile!
    *apfReceiveTask: May 24 13:28:59.315: 10:40:f3:91:7e:24 apfMsExpireMobileStation (apf_ms.c:4897) Changing state for mobile 10:40:f3:91:7e:24 on AP 3c:ce:73:6d:37:00 from Associated to Disassociated
    *apfReceiveTask: May 24 13:28:59.315: 10:40:f3:91:7e:24 Scheduling deletion of Mobile Station:  (callerId: 45) in 10 seconds
    *osapiBsnTimer: May 24 13:29:09.315: 10:40:f3:91:7e:24 apfMsExpireCallback (apf_ms.c:599) Expiring Mobile!
    *apfReceiveTask: May 24 13:29:09.316: 10:40:f3:91:7e:24 Sent Deauthenticate to mobile on BSSID 3c:ce:73:6d:37:00 slot 1(caller apf_ms.c:4981)
    *apfReceiveTask: May 24 13:29:09.316: 10:40:f3:91:7e:24 apfMsAssoStateDec
    *apfReceiveTask: May 24 13:29:09.316: 10:40:f3:91:7e:24 apfMsExpireMobileStation (apf_ms.c:5018) Changing state for mobile 10:40:f3:91:7e:24 on AP 3c:ce:73:6d:37:00 from Disassociated to Idle
    *apfReceiveTask: May 24 13:29:09.316: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) Deleted mobile LWAPP rule on AP [3c:ce:73:6d:37:00]
    *apfReceiveTask: May 24 13:29:09.316: 10:40:f3:91:7e:24 Deleting mobile on AP 3c:ce:73:6d:37:00(1)
    *pemReceiveTask: May 24 13:29:09.317: 10:40:f3:91:7e:24 0.0.0.0 Removed NPU entry.

    #Does the client at the remote site roam between APs that connect to different WLCs?
    #type 9 is not good.
    *pemReceiveTask: May 24 13:26:49.373: 10:40:f3:91:7e:24 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
    #Is your DHCP server getting hits?
    #Also, get debug dhcp message & packet.
    #DHCP server is not responding.
    *apfReceiveTask: May 24 13:28:49.315: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) DHCP Policy timeout
    *apfReceiveTask: May 24 13:28:49.315: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) Pem timed out, Try to delete client in 10 secs.
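An added example, not part of the original thread and not Cisco tooling: a small parser for `debug client` output in the format posted above. It lists each client's policy manager state changes and measures how long the client sat in DHCP_REQD before the DHCP policy timeout. The function and field names are hypothetical; the sample lines are copied from the post.

```python
import re
from datetime import datetime

# Lines copied from the debug client output in the post above.
SAMPLE = """\
*apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
*apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
*apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
*pemReceiveTask: May 24 13:26:49.373: 10:40:f3:91:7e:24 Sent an XID frame
*apfReceiveTask: May 24 13:28:49.315: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) DHCP Policy timeout
*apfReceiveTask: May 24 13:29:09.316: 10:40:f3:91:7e:24 Sent Deauthenticate to mobile on BSSID 3c:ce:73:6d:37:00 slot 1(caller apf_ms.c:4981)
"""

# "*task: Mon DD HH:MM:SS.mmm: <client MAC> <message>"
LINE = re.compile(
    r"^\*(?P<task>\w+): (?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d{3}): "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<msg>.*)$", re.I)
CHANGE = re.compile(r"Change state to (\w+) \(\d+\)")

def parse_ts(ts):
    # The debug output carries no year; a fixed one keeps deltas valid in one capture.
    return datetime.strptime("2000 " + ts, "%Y %b %d %H:%M:%S.%f")

def trace_clients(text):
    """Return {mac: {"states": [...], "dhcp_timeout": bool, "dhcp_wait_s": float or None}}."""
    clients = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # continuation lines ("type = Airespace AP ...") carry no MAC
        c = clients.setdefault(m["mac"].lower(), {
            "states": [], "dhcp_timeout": False, "dhcp_wait_s": None, "_entered": None})
        when, msg = parse_ts(m["ts"]), m["msg"]
        change = CHANGE.search(msg)
        if change:
            state = change.group(1)
            c["states"].append(state)
            # Remember when the client started waiting for an address.
            c["_entered"] = when if state == "DHCP_REQD" else None
        elif "DHCP Policy timeout" in msg and c["_entered"]:
            c["dhcp_timeout"] = True
            c["dhcp_wait_s"] = round((when - c["_entered"]).total_seconds(), 3)
    return clients

if __name__ == "__main__":
    for mac, c in trace_clients(SAMPLE).items():
        print(mac, " -> ".join(c["states"]), "timeout" if c["dhcp_timeout"] else "ok",
              c["dhcp_wait_s"])
```

A client that reports a timeout here never left DHCP_REQD, which matches the symptom in the thread: association completes but no address is learned.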

  • SSID Broadcasting even when disabled

    I have two 5508 wireless controllers with two WLANs. One is public and SSID broadcasting is enabled. The other is our secured network and was configured with broadcasting disabled. When looking at the controlling both through prime and on the controller itself, broadcasting is still not enabled, however the SSID is showing up in the available networks list on our computers. We haven't changed anything on the wireless network for quite a long time and this is a recent discovery. Anyone know how to remedy this situation?

    I'd like to add.
    Your PCs that show the SSID mean they are configured for that WLAN. This is why you see it: someone configured these clients for this WLAN.
    If you have devices not seeing this, it's because they haven't been configured for it.
    As for the 'hidden', you need to mark this if your WLAN is not broadcasting the SSID. No checky checky no worky worky ..
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    "I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

  • 3850 WLC - 5760 Anchor: Multiple Guest SSIDs issue

    Hi,
    I have configured a 3850 Foreign WLC and a 5760 as anchor WLC in a DMZ behind an ASA FW. The Anchor Controller is configured to advertise 3 GUEST Wireless:
    (INSIDE) ---- ASA FW (guest in interface) -------------------------- (Te1/0/1) 5760 ANCHOR (Te1/0/2) -------------------- L3 Link-------------------- (guest out interface) ASA FW ---- (OUTSIDE)
    GUEST1: 10.9.65.0/24 – VLAN 11
    GUEST2: 10.9.66.0/24 – VLAN 12
    GUEST3: 10.9.67.0/24 – VLAN 13
    Management VLAN 1: 10.8.252.1 (Anchor Management VLAN – Mobility)
    The link between the WLC and the Guest OUT Interface on the ASA Firewall is a L3 Link, NOT a Trunk.
    The 5760 WLC is also a DHCP server for the three client VLANs above. I have also configured 3 SVIs as default gateways for these VLANs:
    Interface vlan 11 – 10.9.65.1
    Interface vlan 12 – 10.9.66.1
    Interface vlan 13 – 10.9.67.1
    wgh-anchorwlc5760-primary#show ip interface brief
    Interface              IP-Address      OK? Method Status                Protocol
    Vlan1                  10.8.252.1      YES NVRAM  up                    up
    Vlan11                 10.9.65.1       YES manual up                    up
    Vlan12                 10.9.66.1       YES manual up                    up
    Vlan13                 10.9.67.1       YES manual up                    up
    GigabitEthernet0/0     10.8.252.85     YES NVRAM  down                  down
    Te1/0/1                unassigned      YES unset  up                    up
    Te1/0/2                10.8.253.1      YES NVRAM  up                    up
    Capwap0                unassigned      YES unset  up                    up
    If a client connects to GUEST1 SSID it gets an IP address in VLAN 11 and its default gateway is 10.9.65.1.
    If a client connects to GUEST2 SSID it gets an IP address in VLAN 12 and its default gateway is 10.9.66.1.
    If a client connects to GUEST3 SSID it gets an IP address in VLAN 13 and its default gateway is 10.9.67.1.
    Mobility is UP and I can see clients connected to the Anchor WLC either in IPLEARN or WEBAUTH_PEND state. DHCP is working fine; clients get an IP and the right default gateway and DNS servers when they connect, for example, to GUEST1.
    anchorwlc5760-primary#show wireless client summary
    Number of Local Clients : 3
    MAC Address    AP Name                          WLAN State              Protocol
    04f7.e482.b21c N/A                              2    IPLEARN            Mobile
    bc3e.6d32.17f6 N/A                              2    IPLEARN            Mobile
    a826.d5b3.5ae8 N/A                              2    WEBAUTH_PEND       Mobile
    However, they are not able to ping the default gateway – SVI VLAN 11: 10.9.65.1, so I cannot see any traffic leaving the Anchor WLC to continue with the Web Authentication Process (cwa) using ISE. I can see that the authorization policy (“unkown” and the URL to ISE) has been pushed to the clients but I am not redirected to the ISE Web Authentication Portal when I open my web browser. I have done some captures on the FW interfaces but I cannot see any traffic coming from the clients.
    I know that usually there is a Trunk (that allows client VLANs) between a WLC and L3 Switch when you configure multiple SSIDs and then configure the SVIs on the L3 Switch. However, I think this design with a L3 Link should work too because 5760 is a WLC+L3Switch.
    My question is: Why are clients not able to ping their default gateway?
    I hope it makes sense.
    I appreciate any thoughts and help. Thanks in advance.
    Joana.

    Hi,
    I couldn't get it working (I doubt if it is really possible). I had to add a switch between the 5760 Anchor Controller and the ASA Firewall:
    (INSIDE) ---- ASA FW (guest in interface) -------------------------- (Te1/0/1) 5760 ANCHOR (Te1/0/2) -------------------- SWITCH-------------------- (guest out interface) ASA FW ---- (OUTSIDE)
    The link between the 5760 and the Switch is configured as a Trunk and it allows the 3 Guest SSIDs (VLANs). The link between the Switch and the ASA FW is configured as a Layer 3 link. I also set up the default gateways for the 3 GUEST VLANs in the Switch (3 vlan interfaces) and the 5760 as DHCP Server.
    I hope it helps.
    Joana.

  • WRT54G with USB11 v 2.6: Can't automaticaly reconnect after SSID broadcast disabled

    Hi All,
    I'm trying to make my network more secure. I've done all the basics, including disabling the SSID broadcast. The only problem is that after a few hours, I lose connectivity on the USB 11 wireless adapter and have to directly connect to the router via a cat 5 cable and reset the SSID to broadcast, which causes my network to find it and log in. I reset the SSID broadcast to disable and get a few more hours of connectivity until it drops again.
    My router is ver 2.0 and my adapter is 2.6. This is the first time in 4 years I've had any probs with my wireless network.
    My PC is brand new and pretty mid-high-end. Intel duo-core, 2 GB ram, etc...
    Any help would be appreciated.

    Best thing is to just enable SSID. It's a myth that disabling helps with security, it does for the average joe... a bit. But not really.
    I found a great article about how disabling SSID doesn't really do much for security at all, but I can't seem to locate it right now. I was googling wireless security stuff about a month or so ago, guess I should have bookmarked that one.
