Just as you use the Express Setup page to assign
basic settings, you can use the Express Security page to create unique
SSIDs and assign one of three security types to them. The Express
Security page helps you configure your basic security settings.
You can use the web-browser interface's main Security page to configure
more advanced security settings. Because the Express Security page
is designed for simple configuration of basic security, the options
available are a subset of the access point's security capabilities.
Refer to the Cisco IOS Software Configuration Guide for the
limitations when using the Express Security page.
SSID
When the access point configuration is at factory
defaults, the first SSID that you create using the Express Security
page overwrites the default SSID (tsunami for access points and
autoinstall for bridges), which has no security settings. The SSIDs
that you create appear in the SSID table at the bottom of the page.
You can create up to 16 SSIDs on the access point.
Broadcast SSID in Beacon
This setting is active only when the device is
in the Root AP mode. When you broadcast the SSID, devices that do
not specify an SSID can associate to the bridge when it is a root
access point. This is a useful option for an SSID used by guests
or by client devices in a public space. If you do not broadcast
the SSID, client devices cannot associate to the access point unless
their SSID matches this SSID. Only one SSID can be included in the
beacon.
VLAN
If you use VLANs on your wireless LAN and assign
SSIDs to VLANs, you can create multiple SSIDs using any of the four
security settings on the Express Security page. However, if you
do not use VLANs on your wireless LAN, the security options that
you can assign to SSIDs are limited because, on the Express Security
page, encryption settings and authentication types are linked. Without
VLANs, encryption settings (WEP and ciphers) apply to an interface,
such as the 2.4-GHz radio, and you cannot use more than one encryption
setting on an interface.
Security
You can assign four security
types to an SSID.
- No Security - This is the least secure
option. You should use this option only for SSIDs used in a public
space and assign it to a VLAN that restricts access to your network.
- Static WEP Key - This option is more
secure than no security. However, static WEP keys are vulnerable
to attack. If you configure this setting, you should consider
limiting association to the access point based on MAC address
or, if your network does not have a RADIUS server, consider using
an access point as a local authentication server. This security
feature enables mandatory WEP. Client devices cannot associate
using this SSID without a WEP key that matches the access point's
key.
- EAP Authentication - This option enables
802.1x authentication (such as LEAP, PEAP, EAP-TLS, EAP-GTC, EAP-SIM,
and others) and requires you to enter the IP address and shared
secret for an authentication server on your network (server authentication
port 1645). Because 802.1x authentication provides dynamic encryption
keys, you do not need to enter a WEP key. This security feature
enables mandatory 802.1x authentication. Client devices that associate
using this SSID must perform 802.1x authentication.
- WPA - Wi-Fi Protected Access (WPA) permits
wireless access to users authenticated against a database through
the services of an authentication server, then encrypts their
IP traffic with stronger algorithms than those used in WEP. As
with EAP authentication, you must enter the IP address and shared
secret for an authentication server on your network (server authentication
port 1645). This security feature enables mandatory WPA authentication.
Client devices that associate using this SSID must be WPA-capable.
This table displays the SSID and the VLAN, encryption,
authentication, and key management options associated with it.
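The constraints described on this page can be checked against a planned set of SSIDs before they are entered. The following is an added example, not Cisco code: the row field names, the security and encryption labels, and the sample rows are assumptions constructed for illustration.

```python
from collections import defaultdict

DEFAULT_SSIDS = {"tsunami", "autoinstall"}  # factory defaults named on this page
MAX_SSIDS = 16                              # limit stated on this page
ADVICE = {
    "TOO_MANY_SSIDS": "more SSIDs than the access point supports",
    "MULTI_BEACON": "only one SSID can be included in the beacon",
    "DEFAULT_SSID": "factory-default SSID still present; it has no security settings",
    "OPEN_NO_VLAN": "No Security SSID is not assigned to a VLAN",
    "STATIC_WEP": "static WEP keys are vulnerable; consider MAC filtering or a local authentication server",
    "ENC_CONFLICT": "more than one encryption setting on one interface without VLANs",
}
# Constructed sample rows; the field names are assumptions, not a Cisco export format.
SAMPLE_ROWS = [
    {"ssid": "tsunami", "vlan": None, "interface": "radio0", "security": "none",
     "encryption": "none", "broadcast": True},
    {"ssid": "guest", "vlan": 30, "interface": "radio0", "security": "none",
     "encryption": "none", "broadcast": True},
    {"ssid": "scanners", "vlan": None, "interface": "radio0", "security": "static-wep",
     "encryption": "wep", "broadcast": False},
    {"ssid": "corp", "vlan": 10, "interface": "radio0", "security": "wpa",
     "encryption": "tkip", "broadcast": False},
]

def audit_ssids(rows):
    """Return (subject, code) findings for a list of SSID table rows."""
    findings = []
    if len(rows) > MAX_SSIDS:
        findings.append(("*", "TOO_MANY_SSIDS"))
    if sum(1 for r in rows if r["broadcast"]) > 1:
        findings.append(("*", "MULTI_BEACON"))
    no_vlan_enc = defaultdict(set)  # interface -> encryption settings used without a VLAN
    for r in rows:
        if r["ssid"] in DEFAULT_SSIDS:
            findings.append((r["ssid"], "DEFAULT_SSID"))
        # Only VLAN assignment is checked; whether that VLAN restricts access is not visible here.
        if r["security"] == "none" and r["vlan"] is None:
            findings.append((r["ssid"], "OPEN_NO_VLAN"))
        if r["security"] == "static-wep":
            findings.append((r["ssid"], "STATIC_WEP"))
        if r["vlan"] is None:
            no_vlan_enc[r["interface"]].add(r["encryption"])
    for iface, settings in sorted(no_vlan_enc.items()):
        if len(settings) > 1:
            findings.append((iface, "ENC_CONFLICT"))
    return findings

if __name__ == "__main__":
    for subject, code in audit_ssids(SAMPLE_ROWS):
        print(f"{subject}: {ADVICE[code]}")
```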
See Also:
Using Express Security