1

I'm using a Cisco AIR-1252AG (IOS 12.4(10b)JDA3) and I must provide both a WEP128 WLAN (for compatibility with older embedded devices; this will go to a firewalled VLAN) and a WPA2 (WPA1 would be OK too) WLAN on the same 2.4GHz radio. Both with pre-shared keys.

While I can set WPA options in the SSID, the WEP encryption seems to apply to the whole radio interface. I've built the WEP config using the 'express security' (lol) wizard and then proceeded to add WPA. WPA is already working on the 5GHz radio (I don't need WEP there) but I need to also support 2.4GHz devices, and I can't even understand if this should be possible at all!

This will probably apply to many Cisco AIR-* access points (but some of them are limited to WPA1 and/or a single radio).

Relevant config so far:

dot11 ssid my_wpa_network
   authentication open 
   authentication key-management wpa version 2
   guest-mode
   infrastructure-ssid optional
   wpa-psk ascii 7 [...cut...]
!
dot11 ssid my_wep_network
   authentication open 
!
interface Dot11Radio0
 encryption key 1 size 128bit 7 [...cut...] transmit-key
 encryption mode wep mandatory
 ssid my_wep_network
 [... other stuff here ...]
!
interface Dot11Radio1
 encryption mode ciphers aes-ccm 
 ssid my_wpa_network
 [... other stuff here ...]

I want to get a WEP SSID with PSK on Radio0 (not broadcast) and a WPA2 (or WPA+WPA2, or WPA) SSID with PSK on both Radio0 and Radio1 (broadcast).

Luke404

2 Answers

1

I believe you have to use VLANs to configure different types of authentication/encryption for separate SSIDs on the same radio. For example:

dot11 ssid my_wpa_network
   vlan 1
   authentication open 
   authentication key-management wpa version 2
   guest-mode
   infrastructure-ssid optional
   wpa-psk ascii 7 [...cut...]
!
dot11 ssid my_wep_network
   vlan 2
   authentication open 
!
interface Dot11Radio0
 encryption vlan 1 mode ciphers aes-ccm
 encryption vlan 2 key 1 size 128bit 7 [...cut...] transmit-key
 encryption vlan 2 mode wep mandatory
 ssid my_wep_network
 ssid my_wpa_network
 [... other stuff here ...]
!
interface Dot11Radio0.1
  encapsulation dot1q 1 native
  bridge-group 1
!
interface Dot11Radio0.2
  encapsulation dot1q 2
  bridge-group 2
!
interface Dot11Radio1
 encryption vlan 1 mode ciphers aes-ccm 
 ssid my_wpa_network
 [... other stuff here ...]
!
interface Dot11Radio1.1
  encapsulation dot1q 1 native
  bridge-group 1
!
interface FastEthernet0.1
  encapsulation dot1q 1 native
  bridge-group 1
!
interface FastEthernet0.2
  encapsulation dot1q 2
  bridge-group 2

If you are not using VLANs on the wired side, I have found that you can adjust the bridge group statement for the other radio subinterfaces to reflect the native bridge group 1 and get them all to connect to a single Layer 2 LAN, but that is not a supported configuration by Cisco.
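An added example, not part of the answer above and not Cisco tooling: a small Python audit of a saved AP config that lists, for every SSID attached to a radio, the encryption mode its VLAN gets on that radio, and flags WEP entries and SSIDs whose VLAN has no encryption line there. The function names `audit` and `findings`, the `MISSING` label and the sample config are constructed for illustration.

```python
import re

# Constructed sample, trimmed to the lines the audit reads (layout as in the answer above).
SAMPLE_CONFIG = """\
dot11 ssid my_wpa_network
   vlan 1
   guest-mode
!
dot11 ssid my_wep_network
   vlan 2
!
interface Dot11Radio0
 encryption vlan 1 mode ciphers aes-ccm
 encryption vlan 2 mode wep mandatory
 ssid my_wep_network
 ssid my_wpa_network
!
interface Dot11Radio1
 encryption vlan 1 mode ciphers aes-ccm
 ssid my_wpa_network
"""

def audit(config):
    """Yield (radio, ssid, vlan, encryption mode, broadcast) for every SSID on a radio."""
    ssids, radios, kind, cur = {}, {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith((" ", "\t")):      # unindented line: a new block starts
            kind, cur = None, None               # "!", subinterfaces and the rest are skipped
            if m := re.fullmatch(r"dot11 ssid (\S+)", line):
                kind, cur = "ssid", ssids.setdefault(m[1], {"vlan": None, "guest": False})
            elif m := re.fullmatch(r"interface (Dot11Radio\d+)", line):
                kind, cur = "radio", radios.setdefault(m[1], {"enc": {}, "ssids": []})
        elif kind == "ssid":
            if m := re.fullmatch(r"vlan (\d+)", line):
                cur["vlan"] = m[1]
            cur["guest"] |= line == "guest-mode"
        elif kind == "radio":
            if m := re.fullmatch(r"encryption (?:vlan (\d+) )?mode (.+)", line):
                cur["enc"][m[1]] = m[2]          # radio-wide mode (no VLAN) is keyed None
            elif m := re.fullmatch(r"ssid (\S+)", line):
                cur["ssids"].append(m[1])
    for radio, r in sorted(radios.items()):
        for name in sorted(r["ssids"]):
            s = ssids.get(name, {"vlan": None, "guest": False})
            yield radio, name, s["vlan"], r["enc"].get(s["vlan"], "MISSING"), s["guest"]

def findings(rows):  # rows using WEP, or whose VLAN has no encryption line on that radio
    return [row for row in rows if row[3] == "MISSING" or row[3].startswith("wep")]
```

Run on a config without VLANs, such as the one in the question, the radio-wide `encryption mode wep mandatory` line is reported under VLAN `None`.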

0

You can have multiple SSIDs on a single radio, but it looks like you are missing some VLAN settings. So assuming that you want to trunk multiple VLANs, it's going to be something like:

dot11 ssid my_wpa_network
   vlan 111
   authentication open 
   authentication key-management wpa version 2
   guest-mode
   infrastructure-ssid optional
   wpa-psk ascii 7 [...cut...]
!
dot11 ssid my_wep_network
   vlan 666
   authentication open 
!

interface Dot11Radio0
 no ip address
 no ip route-cache
 encryption vlan 666 key 1 size 128bit 7 [...cut...] transmit-key
 encryption vlan 666 mode wep [..cut..]
 encryption vlan 111 mode ciphers aes-ccm 

interface Dot11Radio0.1
 encapsulation dot1Q 666
 bridge-group 666
 encryption key 1 size 128bit 7 [...cut...] transmit-key
 encryption mode wep mandatory
 ssid my_wep_network
 [... other stuff here ...]
!
interface Dot11Radio0.2
 encapsulation dot1Q 111
 bridge-group 111
 encryption mode ciphers aes-ccm 
 ssid my_wpa_network
 [... other stuff here ...]
!
interface FastEthernet0.1
 encapsulation dot1Q 666
 bridge-group 666
 [... other stuff here ...]
!
interface FastEthernet0.2
 encapsulation dot1Q 111
 bridge-group 111
 [... other stuff here ...]
monomyth