SSID access

Hi..
I currently have multiple SSIDs on my access points. I'd like to create an NPS network policy whose condition is met based upon the SSID that the user is on.
Example: If a user is on the user-wlan, they would get this policy and be able to join this SSID only.
I don't want users to be able to join any SSID. Currently they can join any SSID.
Do I have to create a separate NPS server for each SSID that I want a different condition for?
If it helps, I'm running Windows 2012 R2 Domain Member Server with NPS installed. 

Hi,
According to my research, you may use the Called Station ID to distinguish different SSIDs.
To add a condition to a network policy using the Windows interface, follow the steps below:
1. Open the Network Policy Server (NPS) Microsoft Management Console (MMC) snap-in, double-click Policies, and then click Network Policies.
2. In the upper details pane, double-click the network policy to which you want to add a condition, and then click the Conditions tab.
3. In Available Conditions, browse to the appropriate conditions group, and then click the condition you want to add to the policy.
4. In the details pane, configure the value for the condition.
5. Click Add, and then click OK.
Here are related threads,
NPS Wireless
http://social.technet.microsoft.com/Forums/windowsserver/en-US/78566fbb-5636-45af-b81b-e3c024e40dcc/nps-wireless?forum=winserverNAP
NPS Network Policy based on SSID??
http://social.technet.microsoft.com/Forums/en-US/adfedcfe-8409-4242-9843-0ef184f38b0d/nps-network-policy-based-on-ssid?forum=winserverNAP
Hope this helps.
Steven Lee
TechNet Community Support
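
How a Called-Station-Id condition separates SSIDs, as an added example that is not part of the original posts: on 802.11 the attribute normally arrives in the RFC 3580 form `AP-MAC:SSID`, and policies are processed in order, with the request rejected when none matches. The policy names, group names and MAC addresses are constructed, and Python's `re` module stands in for the NPS pattern-matching syntax (an assumption that holds for simple patterns like these).

```python
import re

# RFC 3580 form of Called-Station-Id on 802.11: "AA-BB-CC-DD-EE-FF:SSID".
# The ":SSID" suffix is optional; some devices send only the MAC address.
CALLED_STATION_ID = re.compile(
    r"^((?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})(?::(.+))?$"
)

# Hypothetical policies, processed top to bottom; the first one whose
# conditions all match is used. Names and groups are constructed.
# (policy name, required group, Called-Station-Id pattern)
POLICIES = [
    ("Wireless - user-wlan", "WLAN-Users", r":user-wlan$"),
    ("Wireless - guest-wlan", "WLAN-Guests", r":guest-wlan$"),
]


def split_called_station_id(value):
    """Return (ap_mac, ssid); ssid is None when only a MAC was sent."""
    m = CALLED_STATION_ID.match(value.strip())
    if m is None:
        raise ValueError("not in AP-MAC[:SSID] form: %r" % value)
    return m.group(1).upper(), m.group(2)


def select_policy(called_station_id, user_groups, policies=POLICIES):
    """Return the name of the first matching policy, or None (reject)."""
    for name, group, pattern in policies:
        if group in user_groups and re.search(pattern, called_station_id):
            return name
    return None  # no policy matched: the request is rejected


def demo():
    """Evaluate constructed requests and return (request, result) pairs."""
    requests = [
        ("00-00-5E-00-53-01:user-wlan", {"WLAN-Users"}),    # own SSID
        ("00-00-5E-00-53-01:guest-wlan", {"WLAN-Users"}),   # other SSID
        ("00-00-5E-00-53-01", {"WLAN-Users"}),              # no SSID sent
        ("00-00-5E-00-53-02:user-wlan-lab", {"WLAN-Users"}),  # lookalike
    ]
    return [(csid, select_policy(csid, groups)) for csid, groups in requests]


if __name__ == "__main__":
    for csid, result in demo():
        print("%-34s -> %s" % (csid, result or "REJECT"))
```

The `:` prefix and `$` anchor matter: a bare `user-wlan` pattern would also match an SSID such as `user-wlan-lab`. If the access point does not append the SSID to Called-Station-Id, no SSID-based policy can match.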

Similar Messages

  • Ssid access control with WPA Ent and RADIUS author

    Hi, I'd like to control the ssid requested in WPA Enterprise with RADIUS authorization: how to ?
    Is there an attribute in RADIUS IOS or Cisco Aironet ?
    thanks

    Depends on what you are using for a radius server.
    Here are some links that might help.
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00807917aa.shtml
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080921f67.shtml

  • Multiple SSIDs with Multiple (split) VLANs & GW ---- for shopping mall

    Hi Experts,
    I suppose to sell the shared infrastructure service. Now I'm holding a couple of 8500 (HA). With almost 450 APs. 
    I'm designing my actual WiFi service for this "Shopping Mall" to retails.
    Each of retail shop should own his AP inside their own shop. The AP should ONLY broadcast his own SSID such "Starbucks-WIFI". Each shop should not be able to hook into the other shops network.
    Problem are 
    If I have 100-500 customers/retail shops. Can I achieve my goal with a given WLC8500?
    How many SSID can be actived at once?
    How many AP group can be configured and turned on at once?
    What would be the actual topology which is the best practice for? --- IMO, shop broadcast their own SSID >> access switch dedicated VLAN >> VRF (64VRF max @ CAT4500) or dedicated GW at Firewall >> dedicated internet link.
    I found some relevant post but it not explicit to my env. Wireless Max SSID on WLC and AP | Getting Started with Wireless ...
    Cheer & Br,
    Nipat.p

    How many SSID can be actived at once?
    Go to WLAN > Advanced > AP Groups.
    All APs fall into the default-group.  Each AP can advertise a maximum of 16 SSIDs.  If you are smart, you can create a number of AP Groups and individual APs can be assigned to a specific AP Group.  One of the main selling point with AP Groups is the ability to assign specific SSIDs.  So if you create an AP Group called Starsbuck and in the AP Group you assign only the Starsbuck SSID and then assign only one AP then this AP will ONLY advertise the specified SSID.  
    Good news is the 8500 can support up to 6K AP Groups (read THIS).

  • Wireless Virtual LAN - SSID and ACS User Mapping

    Hi Everybody
    We have the following scenario:
    - WLC 4402 and ACS 3.3
    - 2 SSIDs, one for employees, one for guests
    - All users (guests and employees) are authenticated against the ACS Server.
    We would like to only permit Guest users to use the Guest SSID.
    I've been reading the Wireless Virtual LAN Deployment Guide:
    http://www.cisco.com/warp/public/cc/pd/witc/ao1200ap/prodlit/wvlan_an.pdf
    and have tried to use method 1.
    - RADIUS-based SSID access control:
    "Upon successful 802.1X or MAC address authentication, the RADIUS server passes back the allowed SSID list for the WLAN user to the access point or bridge. If the user used an SSID on the allowed SSID list, then the user is allowed to associate to the WLAN. Otherwise, the user is disassociated from the access point or bridge."
    "This is configured by enabling the '[026/009/001] cisco-av-pair' option. On the ACS Server
    - Enable and configure Cisco IOS/PIX RADIUS Attribute,
    009\001 cisco-av-pair
    - Example: ssid=LEAP_WEP"
    I've tried this, but regardless of which SSID the user(-group) has configured, it still can access all SSIDs?
    Does anyone have any idea of what I'm doing wrong?
    Does this setting only apply to access points, or is it also valid for the WLC 44xx series?
    Greetings
    Jarle

    Hi I'm sorry but this still does not help.
    We have now upgraded ACS to version 4.0 and I'm still having the same problems.
    This is what i have configured:
    WLC:
    - WLAN
    - SSID : Public
    - WLAN id = 3
    - L2 Security : 802.1x
    - Interface Name : GuestVLAN
    - Controller - Interface
    - management - Untagged
    - GuestVLAN - VLAN 112
    - Security
    - RADIUS Servers
    When authenticating a Guest (belonging to the proper group in ACS), the right VLAN is used, IP addresses from DHCP are received, and the Guest can access the internet.
    Switch:
    - Port connected to WLC uses Trunking.
    - Guests are connected to VLAN 112 and "native VLAN" is used to connect the Private Users.
    ACS:
    - AAA Client is the WLC, Authenticating using Cisco Airespace
    - Guest Users are member of Group 11
    - Private Users are member of Group 1
    Group 11
    - Use Per Group NAR to only allow WLAN Access
    - Cisco Airespace RADIUS Attributes
    x 14179\001 - Aire-WLAN-ID = 3
    - Cisco IOS / PIX RADIUS Attributes
    x 009\001 Ciso-av-pair = "ssid=Public"
    - IETF Radius Attributes
    x 006 Service Type = Login
    x 007 Framed-Prot = ppp
    x 064 Tunnel-Type = VLAN
    x 065 Tunnel-Medium-tye = 802.1x
    x 081 Tunnel-Private-Group-ID = 112
    Group (default Group)
    - Cisco Airespace RADIUS
    x 14179\001 Aire-WLAN-ID = 1
    - Cisco IOS/PIX Radius Attrib
    x 009\001 Cisco-av-pair = "ssid=Private"
    - IETF RADIUS
    x 008 Service-type = Login
    x 064 Tunnel-Type = VLAN
    x 065 Tunnel-Medium-tye = 802.1x
    x 081 Tunnel-Private-Group-ID = 1
    Do you have any idea of what i should change?
    Greetings
    Jarle

  • Restrict Access Vlan with WLC 4402

    Folks, I have three SSID configured on WLC and three groups configured on ACS and I need to restrict SSID access based on ACS group.
    I tried to use this guide below.
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml
    As you can see, this example is applicable to 802.1x and works fine with 2 of the SSIDs that I have, but the third SSID doesn't work because it uses the NAC Web login to authenticate the user. I needed to fall back because this configuration blocked my NAC authentication.
    Although I have configured NAR for just Group2 and Group3, users in Group1 that are authenticated with NAC were blocked.
    Does anyone know why this happens, or how I can configure this restriction on WLC and ACS?
    thanks a lot

    Hi,
    You could be hitting DDTS CSCdu52690.
    I would suggest doing an upgrade; ACS version 3.0 is old and unsupported.
    Thanks,

  • Dynamic VLAN Assignment with RADIUS Server and Aironet Access Points

    Hi Guys,
    I would like to go for "Dynamic VLAN Assignment with RADIUS Server and Aironet Access Points 1300". I want the AP to broadcast only 1 SSID. The client finds the SSID -> puts in his user credentials -> RADIUS authentication -> gets assigned to a specific VLAN based on his group membership.
    The problem here is that I don't have an AP controller but only configurable Aironet Access Points 1300. I can connect to the RADIUS server, but I am not sure how to configure the AP's port, radio port, VLAN and SSID.
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml#switch
    I go through some references:
    3.5  RADIUS-Based VLAN Access Control
    As discussed earlier, each SSID is mapped to a default VLAN-ID on the wired side. The IT administrator may wish to impose back end (such as RADIUS)-based VLAN access control using 802.1X or MAC address authentication mechanisms. For example, if the WLAN is set up such that all VLANs use 802.1X and similar encryption mechanisms for WLAN user access, then a user can "hop" from one VLAN to another by simply changing the SSID and successfully authenticating to the access point (using 802.1X). This may not be preferred if the WLAN user is confined to a particular VLAN.
    There are two different ways to implement RADIUS-based VLAN access control features:
    1. RADIUS-based SSID access control: Upon successful 802.1X or MAC address authentication, the RADIUS server passes back the allowed SSID list for the WLAN user to the access point or bridge. If the user used an SSID on the allowed SSID list, then the user is allowed to associate to the WLAN. Otherwise, the user is disassociated from the access point or bridge.
    2. RADIUS-based VLAN assignment: Upon successful 802.1X or MAC address authentication, the RADIUS server assigns the user to a predetermined VLAN-ID on the wired side. The SSID used for WLAN access doesn't matter because the user is always assigned to this predetermined VLAN-ID.
    extract from: Wireless Virtual LAN Deployment Guide
    http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a00801444a1.html
    ==============================================================
    Dynamic VLAN Assignment with RADIUS Server and Wireless LAN Controller Configuration Example
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml#switch
    ==============================================================
    Controller: Wireless Domain Services Configuration
    http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c951f.shtml
    Any help on this issue is appreciated.
    Thanks.

    I'm not sure if the Autonomous APs have the option for AAA Override.  On the WLC, I can go into the BSSID, Security, Advanced, and there's a checkbox that I would check to allow a Radius server to send back the VLAN.
    I did a little research and it looks like the 1300 may give this option but instead is defined as "VLAN Override".  I've found the release notes for 12.3(7)JA5 (not sure what version you're running) that give mention and a link to configuring EAP on page 4: http://www.ciscosystems.ch/en/US/docs/wireless/access_point/1300/release/notes/o37ja5rn.pdf
    Hope this helps
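
The two controls from the Wireless Virtual LAN Deployment Guide excerpt quoted above (allowed-SSID list and RADIUS VLAN assignment), modelled as an added example that is not from any poster or from Cisco: what an access point does with the attributes in an Access-Accept. The SSID names and VLAN IDs reuse values from the posts; the function names and the attribute dictionary layout are assumptions.

```python
# Values defined by RFC 3580 for RADIUS-assigned VLANs.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_TYPE_802 = 6

# SSID -> default VLAN on the wired side (values taken from the posts above).
SSID_DEFAULT_VLAN = {"Private": 1, "Public": 112}


def allowed_ssids(av_pairs):
    """Collect SSID names from cisco-av-pair values of the form 'ssid=NAME'."""
    names = set()
    for pair in av_pairs:
        key, sep, value = pair.partition("=")
        if sep and key.strip().lower() == "ssid" and value:
            names.add(value)
    return names


def vlan_override(attrs):
    """Return the RADIUS-assigned VLAN ID, or None if the set is incomplete."""
    if attrs.get("Tunnel-Type") != TUNNEL_TYPE_VLAN:
        return None
    if attrs.get("Tunnel-Medium-Type") != TUNNEL_MEDIUM_TYPE_802:
        return None
    vlan = str(attrs.get("Tunnel-Private-Group-ID", ""))
    if not vlan.isdigit() or not 1 <= int(vlan) <= 4094:
        return None
    return int(vlan)


def decide(ssid, attrs, ssid_vlans=SSID_DEFAULT_VLAN):
    """Return ('associate', vlan) or ('disassociate', None) for one client.

    ssid  -- SSID the client authenticated on
    attrs -- attributes from the Access-Accept (constructed dictionary)
    """
    if ssid not in ssid_vlans:
        return ("disassociate", None)
    # Method 1: SSID access control. An allowed list that does not
    # contain the SSID in use ends the association.
    permitted = allowed_ssids(attrs.get("cisco-av-pair", []))
    if permitted and ssid not in permitted:
        return ("disassociate", None)
    # Method 2: VLAN assignment. A complete tunnel attribute set replaces
    # the SSID's default VLAN, whatever SSID was used.
    vlan = vlan_override(attrs)
    return ("associate", vlan if vlan is not None else ssid_vlans[ssid])


def demo():
    """A guest account that authenticates on the 'Private' SSID."""
    guest_tunnel = {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_TYPE_802,
        "Tunnel-Private-Group-ID": "112",
    }
    return {
        "no control": decide("Private", {}),
        "ssid list": decide("Private", {"cisco-av-pair": ["ssid=Public"]}),
        "vlan assignment": decide("Private", guest_tunnel),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result)
```

With neither control the guest lands on VLAN 1 just by choosing the other SSID, which is the "hop" the guide describes; both controls depend on the access point or controller honouring the returned attributes.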

  • SSID Broadcast Over 1552E

    Hi All,
    I've got a big problem with 1552E APs. Can I broadcast an SSID over 1552E APs? I'm using a 2504 controller and I didn't succeed in broadcasting an SSID over the 1552E. If I can, can anyone send me documentation about it? Thanks...

    Hello Ilkay,
    As per your query i can suggest you the following solution-
    Yes, you can broadcast a ssid over 1552e ap's using 2504 controller
    Configuring Multiple Basic SSIDs
    Access point 802.11a and 802.11g radios now support up to 8 basic SSIDs (BSSIDs), which are similar to MAC addresses. You use multiple BSSIDs to assign a unique DTIM setting for each SSID and to broadcast more than one SSID in beacons. A large DTIM value increases battery life for power-save client devices that use an SSID, and broadcasting multiple SSIDs makes your wireless LAN more accessible to guests.
    For more details refer to the link-
    http://www.cisco.com/en/US/docs/wireless/access_point/12.3_7_JA/configuration/guide/s37ssid.html
    Hope this will help you.

  • Move wifi users to guest, if not authenticated by RADIUS

    Hi 
    In our switched network, there is a feature that moves any device that is not authenticated against RADIUS over to a guest LAN. I want to configure the same functionality on WLC. Currently, there is a corporate SSID and a guest SSID. If anyone tries to access corporate wifi, but fails RADIUS authentication, I want them to be automatically moved to guest SSID. Is this possible ?
    As an alternative, they may stay on the corporate SSID, if only they get piped over in the guest LAN in another way.

    If anyone tries to access corporate wifi, but fails RADIUS authentication, I want them to be automatically moved to guest SSID. Is this possible ?
    I do not think this is possible. Also due to various reasons client authentication may fail (to your corporate SSID), still they may be valid users who require corporate SSID access. So if you forced them to Guest SSID, it make no sense to them.
    HTH
    Rasika

  • WLC+Anchor+Guest NAC

    Hello all
    I have few basic clarifications on these components.. i have a network, with LWAPP's and WLC on one site - say site A. lets consider only the guest SSID, access as of now.. The Anchor guest controller is positioned on a DMZ segment on Site B. Site A & B are connected through a routed network. I also have a NAC guest server, on Site C. Now, i want to integrate all these components. As per my knowledge following is the traffic flow:
    1) When guest users access their SSID, they are mapped to the anchor controller in DMZ, through mobility groups.. the WLC then initiates a EoIP tunnel to DMZ controller.. Firewall rules allow all required ports (IP 97, 16666 UDP etc), and end to end ip communication happens.
    2) Upon the request, the Anchor controller provides an IP address from DHCP configured locally. In this case, will the default gateway of the PC's be Anchor DMZ controller's WLAN IP or will it be local to Site A (say L3 switch) ?
    3) Then when the user tries to access any site, he is given a web authentication portal, which is linked to the radius server/nac guest server. during authentication, dmz controller again tries speaking to the nac guest server in site c. hence the firewall has to allow for UDP 1812/1813 radius ports..
    4) after authentication, the user browses internet. Now, what will be the ip packet flow in this instance. Will all traffic be first tunneled across LWAPP to the controller, and from there EoIP'ed to the Anchor ? Anchor then forwards it to the internet gateway, through DMZ ? as asked before, will the default gateway of the PC's be the WLAN IP of the anchor ? if there are too many users, will I create many WLAN SSID's for guests, for Site A ?
    Sorry for the long post..
    Raj

    Greg
    Thanks again.. that was useful too. One last query.. and this was grilling my head:
    1) how does the guest vlan egress work ? I have a WLC on a new DMZ of PIX, with /27 subnet.. This WLAN is used only for EoIP communication.. now, when the guest user gets a DHCP IP, what IP pool should i define here ? since the default route is going to be towards the PIX, it should be one among the 4 interfaces, right now ? or should I have another interface or VLAN dmz for the egress traffic from WLC ? SRND says something about dynamic interfaces, but not been explained at all :(
    2) will the foreign WLC talk to the Anchor controller 1 & 2, in load balancing mode ? why i'm asking is, if the dhcp is defined on Anchor 1 and if the request goes to anchor 2, then it will be an issue.. otherwise is it advisable to split up dhcp scopes between the two Anchors ? say 1-127 in one anchor and 128-254 on other ?
    3) Lastly.. about guest nac servers.. i have 2 of them in place.. will the guest database be replicated between them , like what ACS does ? if so, is the replication bidirectional ? If lobby admin creates an account, it will be good if he just creates in one box, and the other box replicates it ..
    Thanks for all your answers.. it has been really useful to me.. and i think will be useful for anyone who works on Anchor+guest+foreign WLC designs :)
    Raj

  • WAP551 Guest Wifi problem

    I have just purchased this unit and am struggling with the guest vlan. I have configured the unit with the wizard, set up guest vlan (30), connected that to a vlan aware switch (GS110TPv2), plugged the AP into a port that tags Vlan 30. The router connects to the switch in this vlan, and hands out an IP address to the client in the expected range for the guest network, but I can't get any internet, or even ping the router when on the guest ssid.
    If connected to the office vlan 1, all works fine.
    I have contacted netgear support and they have said the switch config is ok for what I am trying to achieve, so am now stuck.

    Hello jonmeacham1,
    Thanks for using the Cisco Small Business Support Community. I'm sorry to hear that you are having trouble configuring your Guest Wireless, and I hope that we can help you find a solution.
    I am not familiar with the GS100TPv2-- are you able to configure Layer 3 interfaces on it for each VLAN in order to handle routing, or do you have the switch plugged in to a router that can handle the VLANs?
    I have also looked through our Knowledge Base to find information that might help out with configuring the captive portal itself, and I found the following article that might provide some additional information on setting up Guest Wireless. While not specifically being for your devices, I hope that this will provide some insight into how to handle the routing of VLANs to provide multiple SSIDs access to your internet connection:
    Enabling Multiple Wireless Networks on RV320 VPN Router, WAP321 Wireless-N Access Point, and Sx300 Series Switches
    Please reply back with any additional information and we will do our best to help resolve your problem!
    If this post solves your issue, please remember to mark your question as resolved and rate any helpful posts to help other members in the community! Thanks!
    Best,
    Gunner

  • Single access point with multiple ssids and single channel possible?

    Hi everybody.
    I have this silly question.
    Let say we have three vlans, vlan1,2,3  and they are mapped to wlans as follows:
    Vlan 1  ssid1
    Vlan 2 ssid2
    Vlan3 ssid 3
                      AP --------trunk------Switchted network.
    Our AP has mobile devices in three WLANs, i.e. ssid1, ssid2 and ssid3.
    Since the AP uses half duplex mode, mobile devices need a positive ack from the AP before they can send data; therefore one channel, let's say channel 3 (assuming 802.11b is used), can be shared by all mobile devices in the three WLANs.
    Is my understanding correct?
    Thanks and have a great weekend.

    Hi,
    Yes, that is pretty much possible as suggested by other experts on board. Depending on your access point you will have 1 (2.4 GHz) or both 2.4 & 5 GHz radios.
    You can configure multiple SSIDs (up to 16) known as MBSSID mode in autonomous environment. In Controller based architecture you can configure up to 512 WLAN (SSID) and transmit any 16 of them per AP (using AP group feature). However, it is recommended to keep multiple SSID count below 8 as for each SSID separate beacon will be sent on air which consumes more air time.
    Hope this helps
    Thanks
    Vinay

  • Access connections does not see wireless networks but can connect if you know the SSID

    Running a Thinkpad x200 using windows 7 and Access Connections 5.42.
    A few weeks ago i was traveling and was connecting to a hotel wireless network.
    Could receive email but wasn't able to send email due to hotel port restrictions so long-story short version-- IT staff at hotel told me to connect via LAN. Which i did by simply plugging in LAN line to the thinkpad and to the hotel -- port -- no other changes. have done this a million times at home and elsewhere.
    All is well....
    until....
    I get home and i notice that when i use access connections, it doesn't see any wireless connections (no icons in the radar screen). It automatically connects to my home network and i can use the home profile to connect.  Same for any connection that i know the SSID for -- i can't see it but i can connect to it.
    But it doesn't show any icons during "find" or find again. It only shows the home icon i am connected to. If i disconnect and try to find wireless networks. It doesn't show any.
    So i know
    1) radio is working
    2) can connect via lan
    3) can connect to a known wireless if i know the SSID and either manually configure it or if i have the profile saved
    4) i have run antivirus, malwarebytes - etc -- all clean
    5) have rebooted, turned radio on off
    6) system restore doesn't help
    7)  all wireless networks are now invisible to radar screen. Have tried this at starbucks, around town - etc -- available wireless network icons are invisible
    I'm not sure that hooking up LAN in the hotel did anything but it seems too coincidental. Also seem to recall a thread where this has been known to happen.
    Help!!!

    First off, it sees the networks. That's good. You reset network settings which usually corrects a number of problems. Let's focus on your home network and getting connected to that.
    1. Reboot your router (just power it off for 10 secs). Try to connect. If it works, you are done. If not, step 2
    2. Reset your network settings again. However, this time log onto your network by tapping Settings > WiFi > Other and re-entering your network name, security settings, and password.
    Check your connection by tapping the blue > next to the network name with the checkmark. If your IP starts with 169.x, then you are connected but your router is not issuing you an IP address. This leads to a couple of additional problem areas - WEP encryption and outdated router firmware.
    If you continue to have problems, tell us which router/model, security settings used, etc.

  • Is there any way I can control which specific access point I connect (and stay connected) to from amongst a set of access points with the same SSID?

    I'm working from a boat in a harbor in which the ISP has deployed numerous access points around the periphery. All the access points share the same SSID and each is configured to use either channel 1, 6 or 11. From my location, there are over a dozen of these access points "visible" (based on the output of WiFi Scanner) with a range of RSSI and S/N values that vary over time.
    The ISP has told me that the quality of my connection should be "perfectly fine" for any access point with an RSSI value better than -75, but I know from experience that my connection quality is miserable (i.e. < 50Kbps download) for almost all of these, including those with RSSI values better than -75.  There is at least one exception, however, which gives me on the order of 2Mbps download, which is "great" in this context.
    I've tried using a more powerful USB antenna plugged into my MacBook Air (mid 2011), but as far as I can tell, it really doesn't make much difference.  Neither does my location within the boat.   The overriding factor seems to be which access point I happen to connect up to.
    I should point out that the closest access points are about 75 yards away, with many of them being several hundred yards away or more.  I'm guessing that even though the signal strength of some of the distant access points is causing them to get "chosen" some times, the results are unacceptable due to the distance.
    I'm hoping that I can determine, through experimentation, which access point(s) provide(s) acceptable performance and then configure my Mac to limit my connection to those points through whatever mechanism I need to use (e.g. channel, MAC id, etc.).

    Establishing a wireless connection with a client computer is left to the access point for various reasons. One reason that your Mac may not connect to the strongest access point is that it may have reached a limit of the number of clients it can serve, leaving it unable to accept a connection with another. The limit may not be very large.
    Suppose that happens, and your Mac establishes a connection with a more distant access point having a weaker signal. Then, suppose a client drops off the network. Doesn't this mean your Mac will switch to the stronger access point? Not necessarily. The throughput delivered to and from your Mac would have to drop below a threshold specified in the AP for it to drop the client, leaving your Mac free to connect with another one. The reason for this is to prevent rapid switching from one AP to another in an area in which two signals are of approximately equal quality. If that were to occur the frequent and repetitive handshaking between the two devices would slow throughput to zero.
    In an environment in which several access points are broadcasting the same SSID, Apple provides no insight as to how it determines which access point to choose. This is the reason I suspect this "choice" is a function of the router, or access point. The connection originates with it, not the Mac.
    Now, what would solve your dilemma would be to determine a way to control the access point with which your Mac connects, by specifying the access point's unique MAC address for example. In this happy circumstance, you could maintain an editable "whitelist" or "blacklist" of the harbor's access points and be able to choose which among them you prefer.
    I do not believe OS X maintains such a record of MAC addresses though, only those of the routers it uses. If I am correct about that, such a solution is unlikely to exist. Don't let that discourage you from searching for one though... I would concentrate on something like "selecting access point by specific MAC address".
    I did find this patent application though:
    Roaming Network Stations Using A Mac Address Identifier To Select New Access Point
    Perhaps it's a start

  • 1242AG Wireless Access Point - Cannot Get DHCP IP for BVI1 interface - Multiple SSIDs...

    Hello,
    I am attempting to set up three Cisco 1242AG Wireless Access Points with multiple SSID's. I used the web interface and directions online to set up the two networks I want and at least one of the networks work wirelessly.
    However, I have two problems:
    The first, which is the most important, is that the "management" interface, BVI1, doesn't get an IP address from our DHCP server. I set the VLAN 60 (which you'll see in the documentation below) to be the native VLAN on the device as well as on the switch that the device is connected to as well as other settings in the configuration file below. Because of this, I can only manage the device via the console port which would be a huge pain once all of the devices are mounted.
    The second problem is that I am not sure how to get both wireless networks broadcasting their SSID's. I have to manually type in the SSID for the second wireless network I have which I would prefer I don't have to. Anyway I can enable broadcasting on all of the SSID's?
    Thank you for your time.
    Regards,
    Christopher Koeber
    Using 7916 out of 32768 bytes
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname AP-18.wesleysem.edu
    enable secret {Number Here} {Encrypted Password Here}
    enable password {Number Here} {Encrypted Password Here}
    aaa new-model
    aaa session-id common
    dot11 syslog
    dot11 vlan-name Kresge vlan 20
    dot11 vlan-name Library vlan 30
    dot11 vlan-name Public vlan 60
    dot11 vlan-name Secure_Public vlan 70
    dot11 vlan-name Secure_Seminary vlan 80
    dot11 vlan-name Server_Room vlan 1
    dot11 vlan-name Straughn vlan 40
    dot11 vlan-name Trott vlan 10
    dot11 vlan-name Web_Room vlan 50
    dot11 ssid (Secure) Wesley Campus
    vlan 80
    authentication open
    authentication key-management wpa version 2
    wpa-psk ascii {Number Here} {WPA Key Here}
    dot11 ssid Public
    vlan 60
    authentication open
    mobility network-id 60
    username Cisco password {Number Here} {Encrypted Password Here}
    username admin privilege 15 secret {Number Here} {Encrypted Password Here}!
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    encryption vlan 80 mode ciphers aes-ccm
    ssid (Secure) Campus
    ssid Public
    mbssid
    station-role root
    interface Dot11Radio0.1
    encapsulation dot1Q 1
    no ip route-cache
    bridge-group 254
    bridge-group 254 block-unknown-source
    no bridge-group 254 source-learning
    no bridge-group 254 unicast-flooding
    bridge-group 254 spanning-disabled
    interface Dot11Radio0.10
    encapsulation dot1Q 10
    no ip route-cache
    bridge-group 10
    bridge-group 10 subscriber-loop-control
    bridge-group 10 block-unknown-source
    no bridge-group 10 source-learning
    no bridge-group 10 unicast-flooding
    bridge-group 10 spanning-disabled
    interface Dot11Radio0.20
    encapsulation dot1Q 20
    no ip route-cache
    bridge-group 20
    bridge-group 20 subscriber-loop-control
    bridge-group 20 block-unknown-source
    no bridge-group 20 source-learning
    no bridge-group 20 unicast-flooding
    bridge-group 20 spanning-disabled
    interface Dot11Radio0.30
    encapsulation dot1Q 30
    no ip route-cache
    bridge-group 30
    bridge-group 30 subscriber-loop-control
    bridge-group 30 block-unknown-source
    no bridge-group 30 source-learning
    no bridge-group 30 unicast-flooding
    bridge-group 30 spanning-disabled
    interface Dot11Radio0.40
    encapsulation dot1Q 40
    no ip route-cache
    bridge-group 40
    bridge-group 40 subscriber-loop-control
    bridge-group 40 block-unknown-source
    no bridge-group 40 source-learning
    no bridge-group 40 unicast-flooding
    bridge-group 40 spanning-disabled
    interface Dot11Radio0.50
    encapsulation dot1Q 50
    no ip route-cache
    bridge-group 50
    bridge-group 50 subscriber-loop-control
    bridge-group 50 block-unknown-source
    no bridge-group 50 source-learning
    no bridge-group 50 unicast-flooding
    bridge-group 50 spanning-disabled
    interface Dot11Radio0.60
    encapsulation dot1Q 60 native
    no ip route-cache
    bridge-group 1
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface Dot11Radio0.70
    encapsulation dot1Q 70
    no ip route-cache
    bridge-group 70
    bridge-group 70 subscriber-loop-control
    bridge-group 70 block-unknown-source
    no bridge-group 70 source-learning
    no bridge-group 70 unicast-flooding
    bridge-group 70 spanning-disabled
    interface Dot11Radio0.80
    encapsulation dot1Q 80
    no ip route-cache
    bridge-group 80
    bridge-group 80 subscriber-loop-control
    bridge-group 80 block-unknown-source
    no bridge-group 80 source-learning
    no bridge-group 80 unicast-flooding
    bridge-group 80 spanning-disabled
    interface Dot11Radio1
    no ip address
    no ip route-cache
    shutdown
    encryption vlan 80 mode ciphers aes-ccm
    dfs band 3 block
    channel dfs
    station-role root
    interface Dot11Radio1.1
    encapsulation dot1Q 1
    no ip route-cache
    bridge-group 254
    bridge-group 254 block-unknown-source
    no bridge-group 254 source-learning
    no bridge-group 254 unicast-flooding
    bridge-group 254 spanning-disabled
    interface Dot11Radio1.10
    encapsulation dot1Q 10
    no ip route-cache
    bridge-group 10
    bridge-group 10 subscriber-loop-control
    bridge-group 10 block-unknown-source
    no bridge-group 10 source-learning
    no bridge-group 10 unicast-flooding
    bridge-group 10 spanning-disabled
    interface Dot11Radio1.20
    encapsulation dot1Q 20
    no ip route-cache
    bridge-group 20
    bridge-group 20 subscriber-loop-control
    bridge-group 20 block-unknown-source
    no bridge-group 20 source-learning
    no bridge-group 20 unicast-flooding
    bridge-group 20 spanning-disabled
    interface Dot11Radio1.30
    encapsulation dot1Q 30
    no ip route-cache
    bridge-group 30
    bridge-group 30 subscriber-loop-control
    bridge-group 30 block-unknown-source
    no bridge-group 30 source-learning
    no bridge-group 30 unicast-flooding
    bridge-group 30 spanning-disabled
    interface Dot11Radio1.40
    encapsulation dot1Q 40
    no ip route-cache
    bridge-group 40
    bridge-group 40 subscriber-loop-control
    bridge-group 40 block-unknown-source
    no bridge-group 40 source-learning
    no bridge-group 40 unicast-flooding
    bridge-group 40 spanning-disabled
    interface Dot11Radio1.50
    encapsulation dot1Q 50
    no ip route-cache
    bridge-group 50
    bridge-group 50 subscriber-loop-control
    bridge-group 50 block-unknown-source
    no bridge-group 50 source-learning
    no bridge-group 50 unicast-flooding
    bridge-group 50 spanning-disabled
    interface Dot11Radio1.60
    encapsulation dot1Q 60 native
    no ip route-cache
    bridge-group 1
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface Dot11Radio1.70
    encapsulation dot1Q 70
    no ip route-cache
    bridge-group 70
    bridge-group 70 subscriber-loop-control
    bridge-group 70 block-unknown-source
    no bridge-group 70 source-learning
    no bridge-group 70 unicast-flooding
    bridge-group 70 spanning-disabled
    interface Dot11Radio1.80
    encapsulation dot1Q 80
    no ip route-cache
    bridge-group 80
    bridge-group 80 subscriber-loop-control
    bridge-group 80 block-unknown-source
    no bridge-group 80 source-learning
    no bridge-group 80 unicast-flooding
    bridge-group 80 spanning-disabled
    interface FastEthernet0
    ip dhcp client update dns
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    interface FastEthernet0.1
    encapsulation dot1Q 1
    no ip route-cache
    bridge-group 254
    no bridge-group 254 source-learning
    bridge-group 254 spanning-disabled
    interface FastEthernet0.10
    encapsulation dot1Q 10
    no ip route-cache
    bridge-group 10
    no bridge-group 10 source-learning
    bridge-group 10 spanning-disabled
    interface FastEthernet0.20
    encapsulation dot1Q 20
    no ip route-cache
    bridge-group 20
    no bridge-group 20 source-learning
    bridge-group 20 spanning-disabled
    interface FastEthernet0.30
    encapsulation dot1Q 30
    no ip route-cache
    bridge-group 30
    no bridge-group 30 source-learning
    bridge-group 30 spanning-disabled
    interface FastEthernet0.40
    encapsulation dot1Q 40
    no ip route-cache
    bridge-group 40
    no bridge-group 40 source-learning
    bridge-group 40 spanning-disabled
    interface FastEthernet0.50
    encapsulation dot1Q 50
    no ip route-cache
    bridge-group 50
    no bridge-group 50 source-learning
    bridge-group 50 spanning-disabled
    interface FastEthernet0.60
    encapsulation dot1Q 60 native
    no ip route-cache
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    interface FastEthernet0.70
    encapsulation dot1Q 70
    no ip route-cache
    bridge-group 70
    no bridge-group 70 source-learning
    bridge-group 70 spanning-disabled
    interface FastEthernet0.80
    encapsulation dot1Q 80
    no ip route-cache
    bridge-group 80
    no bridge-group 80 source-learning
    bridge-group 80 spanning-disabled
    interface BVI1
    ip address dhcp client-id FastEthernet0
    no ip route-cache
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    bridge 1 route ip
    line con 0
    line vty 0 4
    end

    I am using a third-party DHCP server, which is our Windows Domain Controller. I have the ip helper-address set for the native VLAN of the access point through a layer 3 distribution switch (a Catalyst 4506) that the current switch connects to.
    I didn't see any events in the logs for the AP.
    Let me know if I need to do something else.
    Thanks.

  • Light weight access point, vlans, multiple ssids

    Hi everybody
    Let's say we have a lightweight access point ap1.  Ap1 is broadcasting two SSIDs:
    cisco1  which is mapped to vlan 1
    cisco 2  which is mapped to vlan 2
    If ap1 is using channel 6 for cisco 1, does it mean ap1 will also use the same channel, i.e. channel 6, for cisco2?
    thanks and have a great weekend.

    sarahr202 wrote:
    Hi everybody
    Let's say we have a lightweight access point ap1.  Ap1 is broadcasting two SSIDs:
    cisco1  which is mapped to vlan 1
    cisco 2  which is mapped to vlan 2
    If ap1 is using channel 6 for cisco 1, does it mean ap1 will also use the same channel, i.e. channel 6, for cisco2?
    thanks and have a great weekend.

    Lightweight WAP right?  As in controller-based WAP?
    If this is the case, then the answer is both a yes and a no.
    Let me explain:
    Throw away the notion that you can set the channel down.  I mean, if you have a controller-based WAP, the last thing you want to do is "micro-manage" which channels your WAPs operate on.   I mean, you can but as a rule-of-thumb, you don't and let the controller sort things out.
    So, going back to your question:  You have multiple WAPs and two SSIDs:  1 and 2.  Let's presume that you've configured that all your WAPs will be broadcasting SSID 1 and SSID 2.
    The decision about what channels each WAP will be operating on falls squarely on the Wireless LAN Controller (WLC).  The WLC makes this decision based on a blah-blah-blah algorithm.  If, for example, WAP A and, say, WAP R can "hear" each other on the same channel, the WLC will make the decision and say, "Hey WAP R, since you and WAP A are operating in the same channel and both of you can hear each other, why don't you, WAP R, operate in channel 11.".
    However, if WAP A and WAP R can't see each other then both of them can operate in the same channel.
    NOW, here comes the tricky question ... Here's the scenario:  You have SSID 1 and SSID 2.  You want all your WAPs to broadcast both SSIDs.  HOWEVER, you want SSID 1 to operate at, say, 1 Mbps rate only while SSID 2 can operate at all other data rates.
    Yes, this can be done using RF Profile and AP Groups.
    Is this what you are asking?
