SSID assignment

We plan on implementing a WLC4402/1252 APs at one of our locations. Currently we use "fat" 1242 APs in selected areas and also deploy MS-PEAP using a Microsoft RADIUS server. We would like to have the ability to assign SSIDs based on Active Directory user logins while keeping MS-PEAP in place. I saw some documentation that showed the WLC using a Microsoft RADIUS server for dynamic VLAN assignment. I am wondering if there is any way to assign SSIDs as well as VLANs based on AD user credentials using the WLC. Or perhaps the dynamic VLAN assignment is enough?
Any information, docs, example configs, etc would be greatly appreciated. Thx.
Joe

Joe,
Please see this link,
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml
If EAP and SSID-based authentication are successful, the user is allowed to access the WLAN or else the user is disassociated.
Regards,
~JG
Do rate helpful posts

Similar Messages

  • Dynamic VLAN/SSID assignment using 4402/MS IAS

    Greetings,
    In short we have a WLC4402 (50 AP license) and approx 30 1252s LAPs in place. Right now we have three VLANs/SSIDs in place - one for admin, one for teachers and one for students. The WLC uses a MS Windows 2003 server running IAS for PEAP authentication. The clients are Windows XP, the SSID is entered manually based on "pre-designation" of the laptop's "type" (either admin, teacher or student).
    This is working fine. However more and more frequently our users have been "sharing" laptops so a student may need to use a teacher's laptop and vice-versa. In short we would like to use dynamic VLAN/SSID assignment so that if a student does have a teacher's laptop the "student" VLAN/SSID would be assigned to them when they log in (and the proper ACLs, QoS policies, etc would be applied).
    We have found documentation on how to perform this with an ACS, but is there anything available for this configuration with a MS IAS server?
    Any input/information would be greatly appreciated.
    Joe

    Shaun,
    My LAG - etherchannel interface
    interface Port-channel8
    description WLC-portchannel
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 1,3,24-26
    switchport mode trunk
    end
    My 2 WLC Fiber ports:
    Current configuration : 382 bytes
    interface GigabitEthernet7/47
    description CiscoWLC-LAG-Ports
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 1,3,24-26
    switchport mode trunk
    service-policy output autoqos-voip-policy
    qos trust cos
    auto qos voip trust
    tx-queue 3
    bandwidth percent 33
    priority high
    shape percent 33
    spanning-tree bpdufilter enable
    channel-group 8 mode on
    end
    2200-3A#sh run int g7/48
    Building configuration...
    Current configuration : 382 bytes
    interface GigabitEthernet7/48
    description CiscoWLC-LAG-Ports
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 1,3,24-26
    switchport mode trunk
    service-policy output autoqos-voip-policy
    qos trust cos
    auto qos voip trust
    tx-queue 3
    bandwidth percent 33
    priority high
    shape percent 33
    spanning-tree bpdufilter enable
    channel-group 8 mode on
    end
    I use vl1 for ap mgmt, vl3 for hotspot, and vl24-26 for WPA2 clients and wireless voip devices.
    One of my AP switchports on the same switch. I let the trunk port to the AP carry a range of VLANs, and then I manage the VLANs assigned to clients with IAS and the WLC.
    interface FastEthernet4/48
    description AP-PoE
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 1-1004
    switchport mode trunk
    service-policy output autoqos-voip-policy
    qos trust cos
    auto qos voip trust
    tx-queue 3
    bandwidth percent 33
    priority high
    shape percent 33
    end
    Jim

  • Dynamic VLAN/SSID assignment w/IPv6

    I have followed the answer in this discussion which instructs on how to get Dynamic VLAN/SSID assignments using WLCs + MS IAS:
    https://supportforums.cisco.com/thread/339396
    This works great for IPv4.  This does not appear to work for IPv6.
    I have CT2504 WLCs running v7.0.116.0 and AP 3502s.  I have a Windows 2003 IAS working for 802.1x authentication using PEAP and per-user/group dynamic VLAN/SSID assignments.  Based on who you authenticate as, you are placed on the appropriate VLAN.
    However, IPv6 does not function properly.  I believe this is due to the nature that the WLC only bridges IPv6 from the Interface Group that the WLAN is assigned to and/or whatever Multicast VLAN you assign.
    If I connect as a user assigned to the same matching VLAN as the WLAN Interface / Multicast VLAN, IPv6 works just fine.  I do not even have to have the "Enable IPv6" box checked in the Advanced tab, nor does the "Multicast Vlan Feature" need to be enabled - IPv6 still works.
    If I connect as a user that is assigned to a different VLAN than the WLAN Interface / Multicast VLAN, I see the IPv6 Router Advertisement from the WLAN Interface / Multicast VLAN, and not the VLAN that "Allow AAA Override" switched me to.  Naturally since I'm getting an IPv6 prefix for a different VLAN, when I try to route traffic through the IPv6 default gateway (which isn't on the VLAN I'm connected to), it doesn't work.
    One work-around to have IPv6 support is to use distinct, non-dynamic per VLAN/SSID assignments.  This is ugly and doesn't scale (16 max SSIDs).
    Has anyone else experienced this and know of a solution?
    For now I'll just have to set the WLAN Interface to a VLAN which does not have IPv6 enabled and my wireless users won't have IPv6 unless they VPN on top of Wifi.  Rather disappointing.

    this sounds a lot like another implication of IPv6 with "more than one VLAN on the same SSID".
    see this thread:
    https://supportforums.cisco.com/thread/2157621?tstart=60
    not with dynamic vlan, but vlan select - which, on the L2/L3 on SSID-side is essentially the same.
    as mentioned in the thread, 7.2 has a feature that "automatically sends the correct RA to the correct clients via L2  wireless unicast. By unicasting the RA, clients on the same WLAN, but a  different VLAN, do not receive the incorrect RA."
    lucky for you, 7.2 is available for the 2504 - with my WiSM1s I am out of luck :-(
    so this feature *could* solve this problem, as the problem is that the wrong IPv6-RAs are broadcasted for the client (because the SSID is the same)

  • WCS in monitor maps, any way to see SSID that AP is broadcasting

    Hello,
    In Cisco WCS (7.0.230.0), does anyone know if there is any way to show what SSIDs an LWAPP is broadcasting? I can see the SSIDs assigned to the group that the AP is a part of through the controller or templates, but is there an easy way to see what SSID an LWAPP is broadcasting maybe using the MONITOR > MAP or anything?
    Maybe there is an easier way than using WCS?
    Thank you for your time,
    Steve

    Steve,
    Thank you for your reply on this matter. 
    What I'm hoping to find is a way after you assign an AP group name to an access point, so it knows what SSIDs to broadcast, is there a way while looking at the map of APs in WCS for a floor to show that the AP is actually broadcasting the SSIDs specified in the group without physically being at the location or do you just trust the Controller and the group that you assign that the AP is indeed broadcasting the SSIDs? 
    Thank you again,
    Steve

  • Mixed H-REAP on a single SSID

    Can I have a single SSID assigned to H-REAP sites and to my HQ site? The HQ site would not need H-REAP and runs mainly 1230 APs so it's not even possible.
    --Patrick

    Nope.... Your WLAN SSIDs are either locally switched or centrally switched.... unless you have all traffic back to the WLC.

  • Clients not receiving DHCP on layer 2 Vlan

    I have flexconnect WAPs with local switching and local dhcp server on the switch.
    I have one SSID assigned to a layer 2 vlan.  The wireless clients are unable to receive an ip address on this vlan.  The wired clients are able to receive an ip address on this vlan with no problem.
    The WAP switchport is trunked and all of the layer 3 vlans are working with no problem.
    The layer 2 vlan interface is assigned the DHCP -  ip address pool Vendor_VLan
    Any help would be appreciated.
    Thanks
    LH

    Hi LH,
    Have you configured the SSID with "Local Switching" feature. 
    Also did you do the vlan mapping on this FlexConnect AP for the configured SSID ?
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • Wireless connection issue with Apple product

    Hi, This is Daniel Jung here.
    I got a very strange happening with apple product.
    Recently, I created one more SSID assigned to a particular dynamic interface. The problem is that only Apple mobile products are not able to join, but Android devices and laptops are working very well.
    I also tried to find out some solution like enable fast SSID switching, turn off and on for mobile device, re-configuring interface and WLAN, checking error log but there was nothing.
    For your information, our WLC model is AIR-CT5508-K9 with 7.3.112.0 version.
    Could you share information & solution if any one has?
    Thank you.
    Regards,
    Daniel Jung Yoonho

    Dear, Freerk.
    Thank you for your information.
    I'd like to try the captive bypass function and then look at the traffic flow to understand it well; however, it looks like it requires rebooting the controller.
    Ours cannot be rebooted, so my only choice is to search for test results myself... if you have a result from your lab, could you share it with me?
    Result message after enabling the captive bypass configuration:
    (Cisco Controller) config>network web-auth captive-bypass enable
    Web-auth support for Captive-Bypass will be enabled.
    You must reset system for this setting to take effect.

  • "Fake AP or other attack may be in progress." WCS 4.1.83

    Hello.
    I am receiving this critical alarm usually 1-3 times a day and it doesn't make any sense. I was hoping someone here could let me know if this is a legit problem or just another convenient "cosmetic bug" (There seem to be a lot of those with 4.1).
    The full message is:
    "Fake AP or other attack may be in progress. Rogue AP count on system 'xxx.xxx.xxx.xxx' has exceeded the security warning threshold of '625'."
    (IP address above was purposely hidden)
    There are, as of typing this, 200 rogue APs reported by both controllers (combined, one has 110 the other 90). This alarm is still 'active' in WCS. Even if there were "fake ap"s, wouldn't the controllers report them as rogues into their count?
    Thanks for any input,
    Jeff

    Jeff:
    I can relate to what you are saying about the so-called "cosmetic" or "feature request" status of these bugs.
    TAC keeps bouncing us back to sales - who bounces us back to TAC... but I digress.
    Back to your issue:
    That sure is a lot of rogue APs!
    One key is to determine if there really are 200 physical access points out there or if someone is out there "spoofing" multiple APs.
    Do you think that these are real APs? Have you tried locating them (using the "High Resolution Map" drop down in the rogue AP detail screen) to see if a large number of these aps are in the same location or found by the same AP? If so, that may indicate that this is a spoofed attack going on.
    Are you sure that your controllers are in the same mobility group? If not, I believe that one controller will see the other controller's APs as rogue (even though they are not).
    Another observation, if the rogue APs you are seeing utilize the "virtual mac" (like Cisco), one physical AP can have multiple virtual mac addresses (one for each SSID with separate sets for 802.11b/g and 802.11a). That means that one physical AP could appear to be as many as 16 or even 32 APs (in the case of AireSpace LWAPS) if both bands are lit up and all SSIDs are lit up as well. One way to help identify this is to note that if you sort the radio mac addresses, there will be blocks of APs with identical mac addresses except for the last character, which might be nearly sequential.
    For example, what appears to be five APs is really the same AP with different SSIDs assigned to it:
    01:02:03:04:05:00
    01:02:03:04:05:01
    01:02:03:04:05:03
    01:02:03:04:05:02
    01:02:03:04:05:04
    Have you categorized at least some of these as "Known External" (assuming, of course, that they are)? I am wondering if that would help the system ignore some or not...
    Please refer to the following link:
    http://www.cisco.com/en/US/docs/wireless/wcs/4.0/configuration/guide/wcsevent.html
    The following condition is referenced:
    AP_MAX_ROGUE_COUNT_EXCEEDED
    MIB Name: bsnApMaxRogueCountExceeded.
    WCS Message: Fake AP or other attack may be in progress. Rogue AP count on AP with MAC address ''{0}'' associated with Switch ''{2}'' has exceeded the security warning threshold of ''{1}''.
    Symptoms: The number of rogues detected by a switch (controller) exceeds the internal threshold.
    WCS Severity: Critical.
    Probable Causes:
    - There may be too many rogue access points in the network.
    - A fake access point attack may be in progress.
    Recommended Actions: Identify the source of the rogue access points.
    ========================
    As an aside,
    We have asked Cisco for documentation of these various "attacks" as well as for some valid values for the IDS signature file in order to be able to "tune" some of these better as well.
    - John
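The sorting check John describes, as an added example that is not part of the original post: it groups reported rogue radio MACs that differ only in the last hex character to estimate how many physical radios sit behind an alarm count. The five 01:02:03:04:05:xx addresses come from the post; the other sample entries, the function names and the 4-bit block size are assumptions, and adjacent MACs can also belong to separate devices, so treat the result as a triage heuristic.

```python
from collections import defaultdict

# The first five radio MACs are the ones listed in the post above.
# Everything after them is constructed sample data for this example.
SAMPLE_ROGUES = [
    "01:02:03:04:05:00", "01:02:03:04:05:01", "01:02:03:04:05:03",
    "01:02:03:04:05:02", "01:02:03:04:05:04",
    "0011.2233.4450",        # constructed, Cisco dotted notation
    "00-11-22-33-44-51",     # constructed, dash notation
    "0a:1b:2c:3d:4e:5f",     # constructed, stands alone
    "01:02:03:04:05:01",     # constructed duplicate report of the same BSSID
]


def parse_mac(text):
    """Accept colon, dash or dotted notation and return the MAC as an int."""
    digits = "".join(c for c in text.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return int(digits, 16)


def format_mac(value):
    """Render an integer MAC in lower-case colon notation."""
    digits = f"{value:012x}"
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def group_by_radio(macs, low_bits=4):
    """Group BSSIDs that are identical except for their low `low_bits` bits.

    low_bits=4 matches "identical except for the last character"
    (one hex digit, so up to 16 BSSIDs per block).
    """
    blocks = defaultdict(set)
    for mac in macs:
        value = parse_mac(mac)
        blocks[value >> low_bits].add(value)   # set() drops duplicate reports
    return {
        format_mac(prefix << low_bits): [format_mac(v) for v in sorted(members)]
        for prefix, members in sorted(blocks.items())
    }


def summarize(macs, low_bits=4):
    """Compare the raw rogue count with the estimated number of radios."""
    groups = group_by_radio(macs, low_bits)
    return {
        "reported": len(macs),
        "unique_bssids": sum(len(m) for m in groups.values()),
        "estimated_radios": len(groups),
        "largest_block": max((len(m) for m in groups.values()), default=0),
    }


if __name__ == "__main__":
    for base, members in group_by_radio(SAMPLE_ROGUES).items():
        print(f"{base}/-4 bits: {len(members)} BSSID(s): {', '.join(members)}")
    print(summarize(SAMPLE_ROGUES))
```

A large gap between `reported` and `estimated_radios` suggests the alarm count is inflated by multi-SSID radios rather than by many separate devices.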

  • WLAN AP1200 configuration

    Design Scenario
    I have a project that requires 8 Access Points (AP1200) to be deployed in one single area (a 702sqm. Multi-purpose Training Room) using IEEE 802.11a standard. It requires maximum 300 wireless clients to be deployed during special events. All 8 APs are to be equally connected into two separate switches having the same subnet, and configured as “Root”. All 8 APs are to be mounted on the ceiling to operate in omni-directional instead of having a patch/directional radiation pattern.
    Questions:
    1. In configuring the Access Point to address clients seamless mobility, is it appropriate to have the same SSID to all 8 Access points or to assign a unique SSID to each AP? The design configuration calls for setting the Broadcast SSID in Beacon to “No” so that client devices must match exactly to the Access Point’s SSID. Should all APs have the same SSID so they could work seamlessly if the client moves (roaming) within a single area? What is the advantage of having a unique SSID assigned to each AP in terms of security and client seamless mobility? Please also note that the company does not want peer-to-peer roaming.
    2. How many number of WLAN clients can AP1200 accommodate to maintain transmission bandwidth of 54Mbps?
    3. What is the appropriate way to balance the data traffic load between 8 APs against 300 WLAN clients to minimize bottleneck while maintaining 54Mbps throughput over radio transmission?
    4. In terms of data access security, is it appropriate to install the Cisco Secure Access Control Server locally, or in the main building where company’s Enterprise Server is located? Please note that the Multi-purpose Training Hall is linked to the main building over ATM network using fiber optic cable.
    5. Does 60 feet at 54Mbps data rate (indoor range) be attained by setting the antenna module to either Omni-directional or patch/directional?
    6. Does Access Point attain the same range of 60 feet at 54Mbps (indoor range) while setting its power output to either 40 mW(16dBm) or 5 mW(7dBm)?
    I am looking forward to have your answers soon. Thank you very much for your help.
    Sincerely yours,
    Sixto A. Mejia

    These forums are a great place to get a quick tip or a high-level summary of some part of the technology- they should not be considered a replacement for paying someone who knows what he's doing to come to your location for a survey and design. What you're asking leads me to suspect that what you need is the latter not the former.
    With that said, see the following:
    "1. In configuring the Access Point to address clients seamless mobility, is it appropriate to have the same SSID to all 8 Access points or to assign a unique SSID to each AP? .... Should all APs have the same SSID so they could work seamlessly if the client moves (roaming) within a single area? What is the advantage of having a unique SSID assigned to each AP in terms of security and client seamless mobility?"
    If you want your clients to roam and loadbalance from one AP to another, your APs should be configured with the same SSID. Clients will try to stay with the same SSID if at all possible, but will roam freely between different APs on the same SSID.
    "The design configuration calls for setting the Broadcast SSID in Beacon to “No” so that client devices must match exactly to the Access Point’s SSID."
    This is bad design. Turning SSID broadcast off does nothing to improve security and decreases the efficiency of authorized communications- in much the same manner that taking the building numbers off of your house will not protect you from burglars but will make things more difficult for your guests. If you want to secure the WLAN, use security features like 802.1x. SSID name is not a security feature.
    "Please also note that the company does not want peer-to-peer roaming."
    If by this you mean that clients on the WLAN should not be able to communicate directly with other clients on the WLAN, you will want to enable PSPF on the access points.
    "2. How many number of WLAN clients can AP1200 accommodate to maintain transmission bandwidth of 54Mbps?"
    One.
    The radio spectrum is shared medium, just like a 10base2 coax cable. Available bandwidth is divided among all clients on that frequency. If you want 54Mbps to a client, that must be the only client on that AP. (And he won't get 54 megs anyway, since some of that is used by overhead.)
    "3. What is the appropriate way to balance the data traffic load between 8 APs against 300 WLAN clients to minimize bottleneck while maintaining 54Mbps throughput over radio transmission?"
    Loadbalancing is handled internally to the 802.11 protocol suite; you don't need to worry about it. However, your 300 users will not all be getting 54 megs no matter what you do. If you require high guaranteed bandwidth to a dense and numerous user population, run Cat 5 and forget the wireless.
    "4. In terms of data access security, is it appropriate to install the Cisco Secure Access Control Server locally, or in the main building where company’s Enterprise Server is located? Please note that the Multi-purpose Training Hall is linked to the main building over ATM network using fiber optic cable."
    Doesn't really matter. Radius traffic is not bandwidth-intensive; put it where it's most convenient.
    "5. Does 60 feet at 54Mbps data rate (indoor range) be attained by setting the antenna module to either Omni-directional or patch/directional?"
    No way to know without doing a survey. Every site's radio environment is different.
    "6. Does Access Point attain the same range of 60 feet at 54Mbps (indoor range) while setting its power output to either 40 mW(16dBm) or 5 mW(7dBm)?"
    As a rule of thumb, you can expect greater range at greater power levels, but see #5.
    -Gabriel

  • 1300 Bridge: VLAN and encryption question

    Hi!
    I configured a 1300 bridge with dot1q-VLANs and tkip/wpa encryption:
    interface Dot11Radio0
    no ip address
    no ip route-cache
    encryption vlan 1 mode ciphers tkip
    encryption vlan 91 mode ciphers tkip
    encryption vlan 150 mode ciphers tkip
    ssid skylink
    vlan 1
    authentication open
    authentication key-management wpa
    infrastructure-ssid
    wpa-psk ascii 7 xxxx
    short-slot-time
    cca 0
    concatenation
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    rts threshold 4000
    channel 2472
    station-role root
    payload-encapsulation dot1h
    antenna receive right
    antenna transmit right
    infrastructure-client
    interface Dot11Radio0.1
    encapsulation dot1Q 1 native
    no ip route-cache
    bridge-group 1
    bridge-group 1 spanning-disabled
    interface Dot11Radio0.91
    encapsulation dot1Q 91
    no ip route-cache
    bridge-group 91
    bridge-group 91 spanning-disabled
    interface Dot11Radio0.150
    encapsulation dot1Q 150
    no ip route-cache
    bridge-group 150
    bridge-group 150 spanning-disabled
    interface FastEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    ntp broadcast client
    interface FastEthernet0.1
    encapsulation dot1Q 1 native
    no ip route-cache
    bridge-group 1
    bridge-group 1 spanning-disabled
    interface FastEthernet0.91
    encapsulation dot1Q 91
    no ip route-cache
    bridge-group 91
    bridge-group 91 spanning-disabled
    interface FastEthernet0.150
    encapsulation dot1Q 150
    no ip route-cache
    bridge-group 150
    bridge-group 150 spanning-disabled
    Is it necessary to set the
    encryption vlan 91 mode ciphers tkip
    encryption vlan 150 mode ciphers tkip
    so that all VLANs are crypted?
    How can I examine that all VLANs are crypted?
    Best regards
    Michael Simon

    No. As there is no SSID assigned to VLAN 91 and 150, I was told by the TME (Technical Marketing Engineer) that the 1300 should use the encryption defined in the native VLAN (VLAN 1 in your case) to transport traffic on VLAN 91 and 150. I have not taken any wireless sniffer trace to verify it though.
    There are a couple of ways to verify it:
    1. a wireless sniffer trace
    2. debug dot dot 0 trace print xmt rcv
    Please be very careful when using option #2. Option #2 turns the wireless bridge into a wireless sniffer. If there is heavy traffic between the two bridges, the wireless bridges will crash. Please use option #2 in a test environment or with limited traffic.

  • Advice on VLAN network using RV180W

    Hello!
    I want to create a network that can separate the traffic between two or three VLANs. I want to be able to connect wireless using two SSIDs assigned to particular VLAN. Also I would like to be able to extend the wireless area using another Access Point. So far I searched for the best equipment solution and I am planning to buy RV180W Wireless router and WAP121 as an extension Access Point. Is this configuration possible on such devices?
    The network structure should look like this:
    The second Access Point on PORT 4 is just a future extension. It is not necessary at the beginning. I just want to know if it will be possible.
    I would also bind PORT 2 to VLAN2 and connect it to the switch for computers using Ethernet.
    Should I make both VLAN2 and VLAN3 tagged on PORT3 and PORT4?
    Thanks in advance!

    Hi Michal,
    In theory what you are attempting should work perfectly, and yes you should make VLAN 2 and 3 tagged on ports 3 and 4. Unfortunately there is some issue with the RV180W that prevents it from working properly with access points attached. Hopefully this issue will be resolved in a future firmware release but at this time I cannot recommend the router for your particular scenario. Other than this issue I like and recommend the RV180W for a general purpose Small Business firewall/router. There are a few threads on this forum that describe the AP issue in more detail:
    https://supportforums.cisco.com/message/3770136#3770136
    https://supportforums.cisco.com/message/3980504#3980504
    The above is not an issue with any other SMB wireless routers as far as I know. I recommend that you consider the RV220W which has a better built-in wireless AP than the RV180W. It also has a more powerful processor and is very stable with the latest firmware installed. I tested an RV180W at my home and ended up purchasing the RV220W. I found that the range in my environment was much better with the RV220W.
    Please reply if you have any questions.
    - Marty

  • Assigning DHCP IP address by SSID

    Hello,
    I want to assign IP addresses by SSID on the 861W. I have two Vlans on the router on two different subnets, and one DHCP pool for each subnet. On the AP I have two SSIDs on each of the Vlans.
    However, when I associate with the different SSIDs, I get an ip address from the same DHCP pool, instead of different pools. I want ip from different subnets with different SSIDs.
    Any help is greatly appreciated.
    Here's the AP config:
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname ap
    enable secret 5 <hash>
    no aaa new-model
    clock timezone EST -5
    clock summer-time EDT recurring
    dot11 ssid Public
    vlan 1
    authentication open
    dot11 ssid Voices
    vlan 2
    authentication open
    username Cisco password 7 <hash>
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    ssid Public
    ssid Voices
    station-role root access-point
    interface Dot11Radio0.1
    encapsulation dot1Q 1 native
    no ip route-cache
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface Dot11Radio0.2
    encapsulation dot1Q 2
    no ip route-cache
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface GigabitEthernet0
    description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
    no ip address
    no ip route-cache
    interface GigabitEthernet0.1
    encapsulation dot1Q 1 native
    no ip route-cache
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    interface GigabitEthernet0.2
    encapsulation dot1Q 2
    no ip route-cache
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    interface BVI1
    ip address dhcp client-id GigabitEthernet0
    no ip route-cache
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    bridge 1 route ip
    line con 0
    no activation-character
    line vty 0 4
    login local
    end

    Thanks for the suggestion. However, when I implement these commands clients on SSID Voices (Vlan2) cannot connect to the DHCP server on the router.
    Here is my config on the router:
    Current configuration : 2200 bytes
    ! Last configuration change at 10:45:20 EDT Mon Apr 27 2009 by Thomas
    ! NVRAM config last updated at 15:26:52 EDT Sat Apr 25 2009 by Thomas
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname pa-router
    boot-start-marker
    boot-end-marker
    logging message-counter syslog
    no aaa new-model
    clock timezone EST -5
    clock summer-time EDT recurring
    no ip source-route
    no ip dhcp conflict logging
    ip dhcp pool 0
    network 192.168.0.0 255.255.255.0
    default-router 192.168.0.1
    dns-server 65.19.88.195
    ip dhcp pool 1
    network 192.168.1.0 255.255.255.0
    default-router 192.168.1.1
    dns-server 65.19.88.195
    ip cef
    username Thomas privilege 15 secret 5
    archive
    log config
    hidekeys
    interface FastEthernet0
    no cdp enable
    interface FastEthernet1
    no cdp enable
    interface FastEthernet2
    switchport access vlan 2
    no cdp enable
    interface FastEthernet3
    switchport access vlan 2
    no cdp enable
    interface FastEthernet4
    ip address 65.19.88.211 255.255.255.224
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    interface wlan-ap0
    description Service module interface to manage the embedded AP
    ip unnumbered Vlan1
    arp timeout 0
    interface Wlan-GigabitEthernet0
    description Internal switch interface connecting to the embedded AP
    interface Vlan1
    ip address 192.168.0.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    interface Vlan2
    ip address 192.168.1.1 255.255.255.0 secondary
    ip address 207.136.203.109 255.255.255.252
    ip nat inside
    ip virtual-reassembly
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 65.19.88.193 permanent
    no ip http server
    no ip http secure-server
    ip nat inside source list NAT interface FastEthernet4 overload
    ip access-list standard NAT
    permit 192.168.0.0 0.0.0.255
    permit 192.168.1.0 0.0.0.255
    no cdp run
    control-plane
    line con 0
    no modem enable
    line aux 0
    line 2
    no activation-character
    no exec
    transport preferred none
    transport input all
    line vty 0 4
    exec-timeout 120 0
    privilege level 15
    login local
    scheduler max-task-time 5000
    end
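A check for the AP configuration posted in this thread, as an added example that is not part of the original posts: it parses IOS-style subinterface stanzas and reports any bridge group that carries more than one dot1Q VLAN, because subinterfaces placed in the same bridge group are bridged together and their VLANs are no longer separated. The first sample is an excerpt of the posted AP config; the second sample and all function names are constructed here.

```python
import re
from collections import defaultdict

# Excerpt of the AP configuration from the post (subinterface lines only).
AP_CONFIG_FROM_POST = """\
interface Dot11Radio0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 spanning-disabled
interface Dot11Radio0.2
encapsulation dot1Q 2
bridge-group 1
bridge-group 1 spanning-disabled
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
bridge-group 1
interface GigabitEthernet0.2
encapsulation dot1Q 2
bridge-group 1
interface BVI1
ip address dhcp client-id GigabitEthernet0
bridge 1 route ip
"""

# Constructed variant for comparison: VLAN 2 gets its own bridge group.
SEPARATED_VARIANT = """\
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 bridge-group 2
!
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 bridge-group 1
!
interface GigabitEthernet0.2
 encapsulation dot1Q 2
 bridge-group 2
"""

ENCAP_RE = re.compile(r"^encapsulation dot1q (\d+)(\s+native)?$", re.I)
# Only the bare membership line; "bridge-group 1 spanning-disabled" is an option.
BRIDGE_RE = re.compile(r"^bridge-group (\d+)$", re.I)


def parse_subinterfaces(config):
    """Return one dict per interface stanza that has a dot1Q encapsulation.

    Works on indented configs and on flattened ones (as pasted in the thread):
    a stanza runs from an "interface" line to the next "interface" line.
    """
    entries, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.lower().startswith("interface "):
            current = {"name": line.split(None, 1)[1], "vlan": None,
                       "native": False, "bridge_group": None}
            entries.append(current)
            continue
        if current is None:
            continue
        match = ENCAP_RE.match(line)
        if match:
            current["vlan"] = int(match.group(1))
            current["native"] = bool(match.group(2))
            continue
        match = BRIDGE_RE.match(line)
        if match:
            current["bridge_group"] = int(match.group(1))
    return [e for e in entries if e["vlan"] is not None]


def find_merged_vlans(config):
    """Map bridge-group number -> VLAN IDs, for groups holding several VLANs."""
    vlans_by_group = defaultdict(set)
    for entry in parse_subinterfaces(config):
        if entry["bridge_group"] is not None:
            vlans_by_group[entry["bridge_group"]].add(entry["vlan"])
    return {group: sorted(vlans)
            for group, vlans in sorted(vlans_by_group.items())
            if len(vlans) > 1}


if __name__ == "__main__":
    for label, text in (("posted AP config", AP_CONFIG_FROM_POST),
                        ("constructed variant", SEPARATED_VARIANT)):
        merged = find_merged_vlans(text)
        if merged:
            for group, vlans in merged.items():
                print(f"{label}: bridge-group {group} bridges VLANs {vlans}")
        else:
            print(f"{label}: each bridge group carries a single VLAN")
```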

  • The same SSID used at 3 sites and the same vlan for client IP assignment?

    we are deploying 5508 controller and LW APs for wireless IP phone 7925G
    Controller is installed at site A and there are APs and wireless phones at site B and C as well.
    1. can I use the same SSID for all three sites for wireless phones? or have to use 3 distinct SSIDs?
    2. If I can use the same SSID, can I associate one subnet e.g 10.10.131.0/24 for wireless IP phones at 3 sites? (our Cisco UCM is fine with this)
    3. if I have use 3 distinct SSIDs, do I have to assign three subnets for IP phones at three sites?
    thanks for the help!
    Eric

    yes.. this is done by HREAP mode.. the below link will help you out!!
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807cc3b8.shtml
    That is, by default the WLAN will get pushed to all APs.. so if you have a single wlan then this will broadcast the SSID and the remote site clients will connect to it..
    Lemme know if this answered your question!!
    Regards
    Surendra

  • VLAN assignment depending on AP for one SSID

    Hi,
    I read the AP Group VLANs with WLC configuration examples but did not find exactly what I look for. I'm on a WLC 5500.
    I try to create AP groups which broadcast a set of SSID, but inside AP groups, depending on the AP on which the connection is made, i want to assign a specific VLAN for the clients.
    If connection is made on SSID1 and AP1 -> one VLAN, for example VLAN_SSID1_AP1
    same for SSID1 and AP2 -> another VLAN, for example VLAN_SSID1_AP2
    I want to assign some VLANs to one of my networks to get local IPs depending on the AP.
    The VLAN are all defined as dynamic interfaces, currently the SSID matches one VLAN, but i did not find how to do this assignment. I cannot define a VLAN for a network(SSID) and an AP.
    Thanks for your ideas,
    Christophe

    You need to create two AP Groups.  Both will have the SSID, but AP Group #1 will have SSID mapped to vlan 1 and AP Group #2 will have SSID mapped to vlan 2.  Then you add the appropriate ap's to which group you want.

  • Dynamic vlan assignment with single SSID

    Hi All,
    I have 300 APs deployed  and  concurrent client associations that number 3000+ daily
    at the moment I have a single subnet for all users, there is no authentication just a click through
    page with email entry to gain access.
    The APs are assigned to groups based upon the building zone they are in, is it possible to
    assign a vlan based upon the AP the user is associated to but still only broadcast a single SSID.
    TIA

    You can assign dynamic vlan for 802.1X authentication using aaa override from RADIUS server.
    In your case, since it is a webconsent ssid, you can use AP groups to put clients on different vlans per the AP group
    Sent from Cisco Technical Support iPhone App
