Current SSID List
Enter the unique identifier that client devices
use to associate with the access point. The SSID helps client devices
distinguish between multiple wireless networks in the same vicinity.
The SSID can be any alphanumeric, case-sensitive entry from 2 to
32 characters.
SSID
The service set identifier (SSID) - also called
the radio SSID - is a unique identifier that clients use to associate
with the radio. You can add up to 16 SSIDs.
Note: In this text field, the following
six characters are not allowed: ?,
", $, [, \, ], and +. In addition, the following three characters
cannot be the first character: !, #, and ;.
VLAN
A VLAN is a switched network that is logically
segmented by function, project team, or application rather than
on a physical or geographical basis. For example, all workstations
and servers used by a particular workgroup team can be connected
to the same VLAN regardless of their physical connections to the
network or the fact that they might be intermingled with other teams.
Define VLANs
Click this link to move to the Services:
VLAN page. If any configuration changes were not applied before
clicking this link, those changes will be lost. On this page you
set default VLANs and assign current VLANs and their ID and information.
For instance, enterprise customers can use different VLANs to segregate
employee traffic from guest traffic, and further segregate those
traffic groups from that of high-priority voice. Traffic to and
from wireless clients with varying security capabilities can be
segregated into VLANs with varying security policies.
Network ID
Specifies the Layer 3 mobility network identification
number for the SSID.
Authentication Settings / Methods Accepted:
Open Authentication
Choose Open Authentication by checking
the check box. This enables any device to authenticate and then
attempt to communicate with the access point. If the access point
is using WEP and the other device is not, the other device does
not attempt to authenticate. If the other device is using WEP
but its WEP keys do not match the keys on the access point, the
other device authenticates with the access point but does not
pass data through it.
After you choose Open Authentication,
you can select the additional method to use from the drop-down
menu. The options in the drop-down are MAC authentication, EAP,
MAC authentication and EAP, or MAC authentication or EAP. To fully
enable EAP, EAP Authentication Servers must be set on this
window or in the Server
Manager window. To fully enable MAC Authentication,
you must either enter the MAC address locally or select the Authentication
Server Only option on the Advanced
Security window. In the case of Authentication Server Only
option, MAC Authentication Servers must be set in this page
or in the Server Manager
page.
Note: Although an access point can use
Open Authentication with EAP method to authenticate a wireless
client device, an access point cannot use EAP to authenticate
another access point. In other words, access points must authenticate
each other using either open, shared, or Network EAP authentication
methods.
Shared Authentication
Choose shared authentication by checking the
Shared Authentication check box. The access point sends
an unencrypted challenge string to any device attempting to communicate
with the access point. The device requesting authentication encrypts
the challenge text and sends it back to the access point. If the
challenge text is encrypted correctly, the access point enables
the requesting device to authenticate. Both the unencrypted challenge
and the encrypted challenge can be monitored; however, this leaves
the access point open to attack from an intruder who guesses the
WEP key by comparing the unencrypted and encrypted text strings.
Because of this weakness, shared key authentication can be less
secure than open authentication. Only one SSID can use shared
authentication.
After you choose Shared Authentication, you can
select the method to use from the drop-down menu. The choices
are MAC Authentication, EAP, or MAC Authentication and EAP.
Network EAP
Choose network EAP
by checking the Network EAP check box. The device uses
the Extensible Authentication Protocol (EAP) to interact with
an EAP-compatible RADIUS server on your network to provide authentication
for wireless client devices. Client devices use dynamic WEP keys
to authenticate to the network.
After you choose Network
EAP, you can select MAC Authentication. To fully enable
MAC authentication, you must either enter the MAC address locally
or select the Authentication Server Only option on the
Advanced Security
window. In the case of Authentication Server Only option, MAC
Authentication Servers must be set in this window or in the Server
Manager window.
EAP Authentication
Servers must be set in this window or in the Server
Manager window.
Server Priorities
Determine how you are going to use specific RADIUS
servers on this SSID. In the EAP and MAC Authentication Server sections,
you can choose to use the defaults or customize the priority by
using the drop-down menu. If you click to enable the use of the
defaults, click the Define Defaults link to move into the
Server Manager window.
Authenticated Key Management
WPA and CCKM are the new authenticated key management
solutions. Wi-Fi Protected Access (WPA) is the new interim solution
from the Wireless Ethernet Compatibility Alliance (WECA). WPA, largely
synonymous with Simple Security Network (SSN), relies on the interim
version of IEEE standard 802.11i. WPA supports TKIP and WEP encryption
algorithms as well as 802.1X and EAP for simple integration with
existing authentication systems. WPA key management uses a combination
of encryption methods to protect communication between client devices
and the access point. Currently, WPA key management supports two
mutually exclusive types of authenticated key management: WPA and WPA-PSK.
If authentication key management is WPA, the client
and authentication server authenticate to each other using an EAP
authentication method (such as EAP-TLS) and generate a Pairwise
Master Key (PMK). If authentication key management is WPA-PSK, the
pre-shared key is used directly as the PMK.
Using Cisco Centralized Key Management (CCKM),
authenticated client devices can roam from one access point to another
without any perceptible delay during reassociation. An access point
on your network acts as a wireless domain service (WDS) and creates
a cache of security credentials for CCKM-enabled client devices
on the subnet. The WDS cache of credentials dramatically reduces
the time required for reassociation when a CCKM-enabled client device
roams to a new access point.
To enable CCKM for an SSID, you must configure
network-EAP authentication. To enable WPA for an SSID, you must
also enable open authentication or network-EAP or both.
Note: Before you can enable CCKM or WPA,
you must set the encryption mode for the SSID's VLAN to one of the
cipher suite options.
Key Management
Use the drop-down menu to determine if you want
key management to be mandatory or optional. You can select CCKM
and WPA authentication key management at the same time for radio
802.11b or 802.11g. For radio 802.11a, only one key management type can
be selected.
WPA Pre-shared Key
To support client devices using static WEP keys
and WPA key management, you must configure a pre-shared key on the
access point. Enter the key and indicate whether it is represented
as CCKM or WPA. For the 802.11b or 802.11g radio, you can select WPA and
CCKM concurrently for your authentication key management.
Enable Accounting
Indicate whether you want this server to record
usage data of clients associating with the access point. Some usage
data may be used for billing or usage tracking.
Accounting Server Priorities
You can choose to use the defaults or customize
the priority by using the drop-down menu. If you choose to enable
the use of the defaults, click the Define Defaults link to
move into the Server Manager screen.
Enable Proxy mobile IP for the SSID. To fully enable
Proxy mobile IP, it must be globally configured in the Proxy
Mobile IP window.
Association Limit
The maximum number of clients that may associate
to a particular SSID. This limit prevents access points from getting
overloaded and helps to provide an adequate level of service to
associated clients.
EAP Client (optional)
Username
Indicates the username used for Network EAP authentication
when the repeater access point is associating with a parent access
point or when a Hot Standby access point is associating with a monitored
access point.
Password
Indicates the password used for Network EAP authentication
when the repeater access point is associating with a parent access
point or when a Hot Standby access point is associating with a monitored
access point.
Note: The following six characters are
not allowed in passwords: ?, ", $, [, and +.
Set Guest Mode SSID
Displays the SSID in plain text in the access point
beacon messages (broadcast SSID). Setting guest mode enables clients
without any SSID to associate to this access point; therefore, use
caution when setting this parameter.
Set Infrastructure SSID
When the access point is in repeater mode, this
SSID is used to associate with a parent access point.
Check the check box by the drop-down menu if you
want to force infrastructure devices to associate only to this SSID.
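The constraints stated on this page can be checked before a configuration is applied. The following is an added example, not code from the access point or its vendor; the dictionary schema (name, auth, key_mgmt, cipher, guest_mode) and the function name check_ssids are hypothetical, and the character sets are the ones listed in the SSID note above.

```python
FORBIDDEN = set('?"$[\\]+')    # characters this page lists as not allowed in an SSID
FORBIDDEN_FIRST = set("!#;")   # characters this page lists as not allowed first


def check_ssids(ssids, radio="802.11g"):
    """Return (ssid, finding) pairs for a list of SSID dicts (hypothetical schema)."""
    findings = []
    if len(ssids) > 16:
        findings.append(("*", "more than 16 SSIDs defined"))
    shared = [s["name"] for s in ssids if "shared" in s.get("auth", ())]
    if len(shared) > 1:
        findings.append(("*", "only one SSID can use shared authentication"))
    for s in ssids:
        name = s["name"]
        auth, km = set(s.get("auth", ())), set(s.get("key_mgmt", ()))
        issues = []
        if not 2 <= len(name) <= 32:
            issues.append("SSID must be 2 to 32 characters")
        if FORBIDDEN & set(name) or name[:1] in FORBIDDEN_FIRST:
            issues.append("SSID contains a character the field rejects")
        if "shared" in auth:
            issues.append("shared authentication exposes challenge and response")
        if "cckm" in km and "network-eap" not in auth:
            issues.append("CCKM requires Network EAP authentication")
        if "wpa" in km and not auth & {"open", "network-eap"}:
            issues.append("WPA requires open or Network EAP authentication")
        if km and not s.get("cipher"):
            issues.append("key management requires a cipher suite on the VLAN")
        if radio == "802.11a" and len(km) > 1:
            issues.append("802.11a radio allows only one key management type")
        if s.get("guest_mode"):
            issues.append("guest mode broadcasts this SSID in beacons")
        findings.extend((name, i) for i in issues)
    return findings


# Constructed sample input, not taken from any real device.
SAMPLE = [
    {"name": "corp", "auth": ["network-eap"], "key_mgmt": ["wpa", "cckm"], "cipher": "tkip"},
    {"name": "#lab", "auth": ["shared"], "key_mgmt": ["cckm"]},
    {"name": "guest", "auth": ["open"], "guest_mode": True},
]

if __name__ == "__main__":
    for ssid, finding in check_ssids(SAMPLE, radio="802.11a"):
        print(f"{ssid}: {finding}")
```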
See Also: Enabling
and Configuring Local MAC Authenticatio