WEP & WPA on single SSID

How can I configure an SSID that is able to support WEP & WPA on the WLAN controller? The reason I ask is that we currently have LEAP/WEP and we want to move forward to PEAP/WPA. I have to use the same SSID with 2 types of encryption to support the transition.
Thanks,

Yes. WEP and WPA are allowed on the same SSID as long as you are at 4.0.206 or later. You can do this by creating two WLANs on the same controller.
The controllers will allow each WLAN to have the same SSID *only* as long as they effect a different encryption security policy.
Documented here: http://www.cisco.com/en/US/docs/wireless/controller/release/notes/cont402060rn.html#wp171887
Here is an example (using the text commands since I can't post inline screen caps) I run where I do dynamic WEP along with WPA, both using RADIUS. When using RADIUS, you can select any of the supported EAP types for both the WEP and WPA WLANs.
wlan create 1 MYSSID MYSSID-wep
! create WLAN 1 ssid "MYSSID"
wlan create 2 MYSSID MYSSID-WPA
! create WLAN 2 ssid "MYSSID"
wlan interface 1 vlan86
wlan interface 2 vlan86
! Map them to the same interface. You can map them to different ones.
wlan session-timeout 1 1800
wlan session-timeout 2 28800
! Set up radius re-auth session timeout. Make WEP with 802.1x shorter. If using static WEP (very very insecure), don't do this.
wlan security 802.1X enable 1
! We enable 802.1x on our WEP SSID
wlan radius_server auth add 1 1
wlan radius_server auth add 1 2
wlan radius_server auth add 2 1
wlan radius_server auth add 2 2
wlan radius_server auth add 2 3
! Assign the 2 WLANs to their respective radius servers - primary and backup
wlan security wpa disable 1
! disable wpa on the wep only wlan
wlan security wpa wpa1 enable 2
wlan security wpa wpa1 ciphers tkip enable 2
! add wpa1-tkip to wlan 2
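
An added example, not part of the original post and not Cisco code: a small offline audit of a command listing like the one above. It checks the two points the answer makes, that WLANs sharing an SSID must carry different security policies and that the dynamic WEP WLAN should re-authenticate on a shorter timer than its WPA sibling. It assumes the token order annotated in the post (id, SSID, profile name) and only sees features that are set explicitly in the listing; the finding codes are made up for this example.

```python
from collections import defaultdict

# Constructed sample: the command lines from the post, comment lines dropped.
SAMPLE = """\
wlan create 1 MYSSID MYSSID-wep
wlan create 2 MYSSID MYSSID-WPA
wlan session-timeout 1 1800
wlan session-timeout 2 28800
wlan security 802.1X enable 1
wlan security wpa disable 1
wlan security wpa wpa1 enable 2
wlan security wpa wpa1 ciphers tkip enable 2
"""

def parse_wlans(text):
    """Collect SSID, session timeout and explicitly enabled security features per WLAN id."""
    wlans = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "wlan":
            continue  # blank lines, '!' comments, unrelated commands
        if tok[1] == "create" and len(tok) >= 5:
            # Token order as annotated in the post: id, SSID, profile name (assumption).
            wlans[tok[2]] = {"ssid": tok[3], "timeout": None, "policy": set()}
        elif tok[1] == "session-timeout" and tok[2] in wlans:
            wlans[tok[2]]["timeout"] = int(tok[3])
        elif tok[1] == "security" and len(tok) >= 5 and tok[-1] in wlans:
            policy = wlans[tok[-1]]["policy"]
            feature = " ".join(tok[2:-2]).lower()
            if tok[-2] == "enable":
                policy.add(feature)
            else:
                policy.discard(feature)
    return wlans

def _is_wpa(wlan):
    return any(f.startswith("wpa") for f in wlan["policy"])

def audit(wlans):
    """Return (code, wlan_id, detail) findings, grouped by shared SSID."""
    findings, by_ssid = [], defaultdict(list)
    for wid, w in wlans.items():
        by_ssid[w["ssid"]].append(wid)
    for ssid, ids in by_ssid.items():
        seen = {}
        for wid in ids:  # same SSID is only valid with a different policy per WLAN
            key = frozenset(wlans[wid]["policy"])
            if key in seen:
                findings.append(("same-policy", wid, f"same policy as WLAN {seen[key]} on {ssid}"))
            seen.setdefault(key, wid)
        wpa_t = [wlans[i]["timeout"] for i in ids
                 if _is_wpa(wlans[i]) and wlans[i]["timeout"] is not None]
        for wid in ids:
            w = wlans[wid]
            if _is_wpa(w):
                continue
            findings.append(("wep-transition", wid, f"non-WPA WLAN still serving {ssid}"))
            if wpa_t and (w["timeout"] is None or w["timeout"] >= min(wpa_t)):
                findings.append(("wep-timeout", wid, "re-auth timeout not shorter than WPA WLAN"))
    return findings
```

Run against the listing from the post, the only finding is the transitional WEP WLAN itself, which is the item to track until the migration to WPA is complete.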

Similar Messages

  • Multiple Passphrases for a Single SSID ?

    We are getting ready to deploy a special SSID for handheld devices to be used on.
    Is there any way to have multiple passphrases for a single SSID?  The reason I am looking at this is that we may have users who come into one of our offices and may not have gotten/received the email advising of the passphrase change.  My hope would be that we could implement Passphrase A when we initially deploy the new SSID and then in say 3 months, change the password.  We would like to leave the Passphrase A active for about a week which should be sufficient time for them to change it and then we could delete Passphrase A, leaving only Passphrase B active.  In WEP there was something like this but I don't see this as an option in WPA2.  Unfortunately with some of the devices that I have looked at, WPA2 Enterprise isn't an option, so that is why I am looking at things from this perspective.
    Any suggestions would be appreciated.
    Ron

    Hello Ronald,
    No you cannot have multiple passphrase or WPA-PresharedKey for the same SSID.
    Thank you,
    Serge

  • Problem with wpa and hidden ssid

    Hi,
    I have a powerbook g4 (1,67ghz). I am having trouble connecting to a netgear router mr814 v3 if I use wpa and hidden ssid, I get a message, that the router would not support wpa!
    There is no problem with wep and hidden ssid or wpa with no hidden ssid.
    I also have no problems with wpa and hidden ssid with an ibook.
    The problems occur only with the powerbook with os x 10.3.9 as well as 10.4.2. Even after the recent airport update, no change.
    Thanks for the help,
    ben

    I would use WPA and broadcast your SSID.
    It used to be useful, but closing your Airport or wireless network (sometimes referred to as not broadcasting your SSID) is really no longer a real option when it comes to wireless security.
    Unfortunately "Closed" networks, MAC access control lists, and reduction in transmission power are all more "feel good" security rather than real security. All these various approaches are dated and mistakenly lead to overconfidence.
    WPA is your friend if you value wireless security.
    My recommendation is not to worry about broadcasting your SSID but use WPA. This will be more secure than a closed WEP encrypted network. Closing your network makes it very difficult for neighbouring networks to see which channels are free thus causing potential interference problems.
    Another thing to consider is that a closed network is still broadcasting and therefore is detectable (regardless of whether it is broadcasting a SSID). If someone was determined to hack into your network, then not broadcasting your SSID and MAC address access control is not going to stop them.
    WPA is virtually uncrackable (only really vulnerable to a dictionary attack if a real word is used as a password) and therefore will stop the casual user and the determined hacker.

  • Cisco ISE 1.1.1 - Single SSID

    I'm working on our ISE implementation and these are my two goals.
    1.  Single SSID for BYOD users and corporate managed systems.
    Login to the NAC agent if not part of the domain (EX: windows laptop not part of the domain joins the SSID, goes through the self service portal, downloads NAC agent, must login to NAC agent whenever joining network with AD credentials)
    AD login required to join this SSID, no guests allowed
    2.  Guest SSID
    Guest login only - requires sponsor
    web agent required for windows machine
    AV required
    Current AV definitions required
    Are these goals attainable or am I better to go in a different direction is my first question.
    Second, using the Cisco BYOD Smart Solution Guide (link at bottom of post) it mentions the single SSID as not being a complicated component but it only runs through the dual SSID solution, what settings are needed for a single SSID? I'm using Open + MAC Filtering but when the supplicant attempts to connect it doesn't work because it's looking for a WPA2 network with the same SSID name.
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/byoddg.html
    Single SSID is specifically mentioned here:
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/byoddg.html#wp504735

    David,
    What the documentation did was that it created a condition which does the check for the ssid in the access-request:
    Guest_Authz is a user-defined simple authorization condition for guests  accessing the Internet via Web authentication through the WLAN  corresponding to the open guest SSID. It matches the following RADIUS AV  pair from the Airespace dictionary:
         Airespace-Wlan-Id - [1] EQUALS 1
    So that when the user connects to the network they are connecting through the guest ssid in which this has the wlan id of 1. Either you can do that in your authorization rule right in the screenshot or you can create this condition under the policy elements tab.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • ISE Single SSID BYOD - Windows Endpoint user experience

    We are implementing wireless BYOD using Cisco ISE 1.2 and WLC 7.4x. We are using PEAP / MS-CHAP v2 for wireless security. We are able to on-board iOS, Android, and MAC OS endpoints using single SSID and Native supplicant provisioning seems to work fine with these endpoints. We are having issues with Windows clients. On Windows client, when the user selects the SSID, it is prompting for userid/password, but never gets a pop-up for server certificate. We are using a third party public wildcard certificate on ISE for HTTP/EAP authentication. On ISE, we are getting: 12511 Unexpectedly received TLS alert message; treating as a rejection by the client.

    12511
    EAP
    Unexpectedly received TLS alert message; treating as a rejection by the client
    While trying to negotiate a TLS handshake with the client, ISE received an unexpected TLS alert message. This might be due to the supplicant not trusting the ISE server certificate for some reason. ISE treated the unexpected message as a sign that the client rejected the tunnel establishment.
    Warn

  • ISE and Selfservice with single SSID

    Hi, i have:
    WLAN 2504 Controller with 7.2 Software
    ISE 1.1.2
    A single SSID with 802.1x Authentication
    Today the wireless users are authenticated against a Cisco ACS. I want to switch to the ISE and make use of the mydevices portal. I want to re-use my single SSID and don't want to make any provisioning.
    - The user connects to the single SSID
    - The user configures peap authentication on his device
    - The user authenticates to a ldap directory with username and password
    - After successful authentication the user will be redirected to the mydevices portal
    - he logs in with his ldap credentials
    - the mac address of his current device is listed in the mydevice portal
    - user adds his device to the known devices list
    - manual reconnect to my ssid
    Is this possible with ISE? Is there a howto out there with exactly this scenario?
    Kind regards

    Hello Andreas,
    WLC 2504 supports CWA, CoA & dACL.
    This wireless controller also supports MAC filtering with RADIUS lookup. For WLCs that support version 7.2.103.0, there is support for session ID and COA with MAC filtering so it is more MAB-like. So it should fulfill your requirement and you can use single SSID.
    For more detailed help review “Universal WLC Configuration Guide” & “ISE 1.1.x Network Component Compatibility” at the following location:
    http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_11_universal_wlc_config.pdf
    http://www.cisco.com/en/US/partner/docs/security/ise/1.1.1/compatibility/ise_sdt.html
    Regards,
    Ashok

  • Setting up iPad, don't know what to select for security; WEP, WPA, WPA2, WPA Enterprise or WPA2 Enterprise.  We have service through Charter cable.

    Setting up iPad, don't know what to select for security; WEP, WPA, WPA2, WPA Enterprise or WPA2 Enterprise.  We have service through Charter cable.
    Thanks for your help!

    Choose the strongest security available on your router, preferably WPA2 using AES encryption and a long complex passphrase with at least 14 characters (the maximum is 63 characters).

  • I cannot get my iMac with built-in airport to allow internet connections to Nook and PS3. The devices access the network, but internet connection fails. Internet sharing is enabled, network security (WEP, WPA) is completely off.  What to check next?

    I cannot get my iMac with built-in airport wi-fi to allow internet connections to Nook and PS3. The devices access the network, but internet connection fails. Internet sharing is enabled, network security (WEP, WPA) is disabled.  What to check next?

    On an additional note, I've purchased a wireless router and everything connected on the first attempt.  It just vexes me that the built-in wireless isn't working as a router.  Is this another example of "Mac only plays with Mac"?

  • Dynamic vlan assignment with single SSID

    Hi All,
    I have 300 APs deployed  and  concurrent client associations that number 3000+ daily
    at the moment I have a single subnet for all users, there is no authentication just a click through
    page with email entry to gain access.
    The APs are assigned to groups based upon the building zone they are in, is it possible to
    assign a vlan based upon the AP the user is associated to but still only broadcast a single SSID.
    TIA

    You can assign dynamic vlan for 802.1X authentication using aaa override from RADIUS server.
    In your case, since it is a webconsent ssid you can use AP groups to put clients on different vlans per the AP group
    Sent from Cisco Technical Support iPhone App

  • Administrative credentials when adding a WEP/WPA/WPA2 Enterprise wifi profile?

    Hello,
    Why do users need to provide administrative credentials when they install a configuration profile containing installation of a WEP Enterprise or WPA/WPA2 Enterprise Wifi-profile? This is not the case when installing a Wifi-profile using standard WEP, WPA or WPA2.
    Is this a bug? It confuses users with user profiles when they need to confirm the installation with administrative credentials.

    I don't know the answer to your question. Maybe you can find something here:
    http://training.apple.com/pdf/WP_8021X_Authentication.pdf

  • 10.4.9 Killed my WEP/WPA abilities

    Just updated to 10.4.9 on my Core 2 Duo black Macbook, and I can no longer connect to my home network via WEP or WPA. If I remove all encryption from the network, then 10.4.9 will work. The network is ok, because my Powerbook running Panther continues to work fine, whether the network is WEP or WPA.
    My router is a D-Link DI-624, but the MacBook worked fine with it before the update.
    Anyone else seeing anything like this? I need WEP/WPA access on my MacBook.

    Jay, I just upgraded and see exactly the same behavior on my MBP 17. It would appear it's not WPA that is the problem but rather that the Airport Network password item in the KeyChain cannot be accessed and it's an outright frigging bug that should have been caught in testing. Try this:
    Open Keychain access and find the entry in the System chain. Open it and check the box to show the password. Enter your keychain master password and you'll get an error accessing the password. Change to the access control pane and you'll be asked for the keychain password. It is accepted and works, but if you go back to the Attributes pane you get the same error for the show password value when you check the box on the Attributes pane.
    FWIW I checked the disk and permissions before installing the update AND I ran first aid on the keychain, trying to avoid EXACTLY this problem. I saw similar though more easily fixable problems upgrading to 10.4.7 and 10.4.8. I hate doing Mac upgrades; you can guarantee SOMETHING will break! Looks like a trip to the genius bar tomorrow!
    My Access point is a DI-624 like yours and other systems can access it just fine so it's NOT the AP, it's the software.
    Phil

  • Large Subnet for single SSID

    I am looking for a design guide to help me split up a large subnet for a Cisco Wireless network.  We have a Campus with a centralised Wsim and a single SSID.  We are hoping to be able to keep the single SSID but split the subnet as it is now quite large and we would like to reduce the broadcast domain to a manageable size.  I have found a number which have different SSID but we would like to keep only 1 as it simplifies the user experience. 

    Adding to Scott's post.  If you are doing 802.1x you can use dynamic VLAN assignment to achieve the results as well.
    AAA returns attributes 64/65/81 to the WLC, to change the VLAN the user gets put into.  You do still need to create the dynamic interfaces on the WLC.
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered
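
An added example, not part of the post above: how attributes 64/65/81 look on the wire in an Access-Accept, with a check that all three are present and consistent before a VLAN override is trusted. The attribute names and enumerated values (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE 802, Tunnel-Private-Group-ID = VLAN) come from RFC 2868 and RFC 3580 rather than from the post; the function names and the VLAN 86 sample are constructed for illustration.

```python
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6  # enumerated values from RFC 2868 / RFC 3580

def encode_vlan_attrs(vlan, tag=0):
    """Build the three attributes as RADIUS TLVs: type, length, [tag], value."""
    tt = bytes([TUNNEL_TYPE, 6, tag]) + VLAN.to_bytes(3, "big")
    tm = bytes([TUNNEL_MEDIUM_TYPE, 6, tag]) + IEEE_802.to_bytes(3, "big")
    group = (bytes([tag]) if tag else b"") + str(vlan).encode()
    return tt + tm + bytes([TUNNEL_PRIVATE_GROUP_ID, 2 + len(group)]) + group

def parse_attrs(buf):
    """Walk the attribute section of a RADIUS packet; reject bad lengths."""
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf) or buf[i + 1] < 2 or i + buf[i + 1] > len(buf):
            raise ValueError("bad attribute length")
        out.append((buf[i], buf[i + 2:i + buf[i + 1]]))
        i += buf[i + 1]
    return out

def vlan_from_accept(buf):
    """Return (vlan, problems); vlan is None unless 64/65/81 are present and consistent."""
    seen, problems = {}, []
    for atype, value in parse_attrs(buf):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                problems.append(f"attribute {atype} has wrong length")
                continue
            seen[atype] = (value[0], int.from_bytes(value[1:], "big"))
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # A first octet of 0x1F or less is a tag; otherwise it is part of the string.
            tagged = bool(value) and value[0] <= 0x1F
            seen[atype] = (value[0] if tagged else 0, value[1:] if tagged else value)
    for atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
        if atype not in seen:
            problems.append(f"missing attribute {atype}")
    if problems:
        return None, problems
    (t_tag, ttype), (m_tag, medium), (g_tag, group) = (
        seen[TUNNEL_TYPE], seen[TUNNEL_MEDIUM_TYPE], seen[TUNNEL_PRIVATE_GROUP_ID])
    if ttype != VLAN:
        problems.append(f"Tunnel-Type is {ttype}, expected 13 (VLAN)")
    if medium != IEEE_802:
        problems.append(f"Tunnel-Medium-Type is {medium}, expected 6 (IEEE 802)")
    if not group:
        problems.append("empty Tunnel-Private-Group-ID")
    if len({t_tag, m_tag, g_tag}) != 1:
        problems.append("tags differ between the three attributes")
    return (None if problems else group.decode("ascii", "replace")), problems
```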

  • Binding multiple VLANs to single SSID on WLC

    I have a building with over 4000 users and would like to bind multiple VLANs for user access to a single SSID in WLC. Can this be done? I would rather not have 4000 wireless users on a single VLAN.

    The question is tough. You can not use the SSID in on AP for multiple vlans. Once you assign the AP to the vlan then you will have to make all traffic in the vlan. With that being said, you could assign the AP's to specific vlans, but if you roam from one vlan to another you will have problems at L3. But you can use WDS to make that happen.
    Here are a couple of links that might help.
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_q_and_a_item09186a00804d4421.shtml
    http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_guide_chapter09186a0080184ace.html

  • I have multiple SSID, but want users of a single SSID to be redirected to a HTTP or HTTPS URL (LAN SERVER for authentication)

    Hi team,
    I  have multiple SSID, but want users of a single SSID to be redirected to a HTTP or HTTPS URL (LAN SERVER for authentication)
    I am very curious and it is important. I want to see how to achieve this with CISCO WLC !!!

    http://10.229.3.99/login.html?switch_url=https://1.1.1.1/login.html&ap_mac=e8:40:40:ad:cc:80&wlan=MO-GUEST&redirect=/login.html?switch_url=https://1.1.1.1/login.html&ap_mac=e8:40:40:ad:cc:80&wlan=MO-GUEST&redirect=/login.html?switch_url=https://1.1.1.1/login.html&ap_mac=e8:40:40:ad:cc:80&wlan=MO-GUEST&redirect=/login.html?switch_url=https://1.1.1.1/login.html&ap_mac=e8:40:40:ad:cc:80&wlan=MO-GUEST&redirect=/login.html?switch_url=https://1.1.1.1/login.html&ap_mac=e8:40:40:ad:cc:80&wlan=MO-GUEST&redirect=/login.html?switch_url=https://1.1.1.1/login.html&ap_mac=e8:40:40:ad:cc:80&wlan=MO-GUEST&redirect=/login.html?switch_url=https://1.1.1.1/login.html&ap_mac=e8:40:40:ad:cc:80&wlan=MO-GUEST&redirect=/login.html?switch_url=https://1.1.1.1/login.html&ap_mac=e8:40:40:ad:cc:80&wlan=MO-GUEST&redirect=10.229.3.99/login.html?switch_url=https://1.1.1.1/login.html&ap_mac=e8:40:40:ad:cc:80&wlan=MO-GUEST&redirect=www.geo.tv/
    I wanted if someone connects to WLAN "MO-GUEST" automatically the user should be redirected to http://10.229.3.99/login.html and once authenticated by 10.229.3.99, he/she should be allowed to access anything as normal. [Actually I just want automatic url redirection for the first time for the user of wlan "MO-GUEST".]
    Waiting for expert opinions.

  • Single SSID and ACS

    Hi,
    I would like your help in the following scenario, we currently have a setup of CAS CAM, LDAP, WISM and ACS,
    The main point I'm focusing on is the ACS and WISM.
    Users are to obtain wireless access using a single SSID, and upon validation of credentials, they should gain access to one of 3 vlans, guest, data and voice, the use of separate SSID per vlan was highly discouraged by customer.
    Would appreciate your advice on the best feasible way to implement this.
    Regards,

    Hi,
    You can have single SSID in your setup. You need to set up feature called Dynamic VLAN Assignment.
    Check out this link,
    http://www.cisco.com/en/US/partner/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
    Regards,
    ~JG
    Please rate if that helps !
