SSID
The Service Set Identifier (SSID) - also called
the Radio SSID - is a unique identifier that clients use to associate
with the radio.
Note: In this text field, the following
six characters are not allowed: ?,
", $, [, \, ], and +. In addition, the following three characters
cannot be the first character: !, #, and ;.
VLAN
A VLAN is a switched network that is logically
segmented on an organizational basis, by functions, project teams,
or applications rather than on a physical or geographical basis.
For example, all workstations and servers used by a particular workgroup
team can be connected to the same VLAN, regardless of their physical
connections to the network or the fact that they might be intermingled
with other teams.
Define VLANs
Click this link to move to the Services:
VLAN page. If any configuration changes were not applied before
clicking this link, those changes will be lost. On this page you
set default VLANs and assign current VLANs and their ID and information.
For instance, enterprise customers can use different VLANs to segregate
employee traffic from guest traffic, and further segregate those
traffic groups from that of high-priority voice. Traffic to and
from wireless clients with varying security capabilities can be
segregated into VLANs with varying security policies.
Methods Accepted:
Open Authentication
Choose Open Authentication by checking
the check box. This enables any bridge to authenticate and then
attempt to communicate with the access point. If the access point
is using WEP and the other bridge is not, the other bridge does
not attempt to authenticate. If the other bridge is using WEP
but its WEP keys do not match the keys on the access point, the
other bridge authenticates with the access point but does not
pass data through it.
Note:
Although an access point can use the EAP method to authenticate
a wireless client device, an access point cannot use EAP to authenticate
another access point. In other words, bridges must authenticate
each other using either open, shared, or Network EAP authentication
methods.
After you choose Open Authentication, you can
additionally select EAP authentication from the drop-down menu.
Shared Authentication
Choose Shared Authentication by checking
the check box. The access point sends an unencrypted challenge
string to any bridge attempting to communicate with the access
point. The bridge requesting authentication encrypts the challenge
text and sends it back to the access point. If the challenge text
is encrypted correctly, the access point enables the requesting
bridge to authenticate. Both the unencrypted challenge and the
encrypted challenge can be monitored; however, this leaves the
access point open to attack from an intruder who guesses the WEP
key by comparing the unencrypted and encrypted text strings. Because
of this weakness, shared key authentication can be less secure
than open authentication. Only one SSID can use Shared Authentication.
After you choose Open Authentication, you can
additionally select EAP authentication from the drop-down menu.
Network EAP
Choose Network EAP by checking the check
box. The bridge uses the Extensible Authentication Protocol (EAP)
to interact with an EAP-compatible RADIUS server on your network
to provide authentication for wireless client devices. Client
devices use dynamic WEP keys to authenticate to the network.
WPA and CCKM are the new authenticated key management
solutions. Wi-Fi Protected Access (WPA) is the new interim solution
from the Wireless Ethernet Compatibility Alliance (WECA). WPA, mostly
synonymous with Simple Security Network (SSN), relies on the interim
version of IEEE standard 802.11i. WPA supports TKIP and WEP encryption
algorithms as well as 802.1X and EAP for simple integration with
existing authentication systems. WPA key management uses a combination
of encryption methods to protect communication between client devices
and the access point. Currently, WPA key management supports two
mutually exclusive authenticated key management types: WPA and WPA-PSK.
If authentication key management is WPA, the client
and authentication server authenticate to each other using an EAP
authentication method (such as EAP-TLS) and generate a Pairwise
Master Key (PMK). If authentication key management is WPA-PSK, the
pre-shared key is used directly as the PMK.
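The page states that with WPA-PSK the pre-shared key is used directly as the PMK. The added example below (not from the original page or from Cisco) goes one step beyond it and shows how IEEE 802.11i maps an ASCII passphrase and the SSID to that 256-bit key. The function name and the sample SSIDs are assumptions, and the page does not say which entry forms this device accepts.

```python
import hashlib
import re


def wpa_psk_to_pmk(key: str, ssid: str) -> bytes:
    """Return the 256-bit PMK for a WPA-PSK key given as hex or as a passphrase."""
    # 64 hex digits: the value already is the 256-bit PSK, used directly as the PMK.
    if re.fullmatch(r"[0-9A-Fa-f]{64}", key):
        return bytes.fromhex(key)
    # Otherwise it must be a passphrase of 8 to 63 printable ASCII characters.
    if not 8 <= len(key) <= 63 or any(not 32 <= ord(c) <= 126 for c in key):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    # IEEE 802.11i passphrase mapping: PBKDF2-HMAC-SHA1, SSID as salt,
    # 4096 iterations, 32 bytes of output.
    return hashlib.pbkdf2_hmac("sha1", key.encode("ascii"), ssid_bytes, 4096, 32)


if __name__ == "__main__":
    # Constructed inputs: the same passphrase under two SSIDs gives two PMKs.
    for ssid in ("IEEE", "bridge-lab"):
        print(ssid, wpa_psk_to_pmk("password", ssid).hex())
```

Because the PMK is a deterministic function of the passphrase and the SSID, its strength rests entirely on the passphrase; a randomly generated 64-hex-digit key avoids that dependence.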
Using Cisco Centralized Key Management (CCKM),
authenticated client devices can roam from one access point to another
without any perceptible delay during reassociation. An access point
on your network acts as a wireless domain service (WDS) and creates
a cache of security credentials for CCKM-enabled client devices
on the subnet. The WDS cache of credentials dramatically reduces
the time required for reassociation when a CCKM-enabled client device
roams to a new access point.
To enable CCKM for an SSID, you must configure
network-EAP authentication. To enable WPA for an SSID, you must
also enable open authentication or network-EAP or both.
Note: Before you can enable CCKM or WPA,
you must set the encryption mode for the SSID's VLAN to one of the
cipher suite options.
Key Management
Use the drop-down menu to determine if you want
key management to be mandatory or optional. You can select CCKM
and WPA authentication key management at the same time for radio
802.11b or 802.11g. For radio 802.11a, only one key management can
be selected.
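The dependency rules this page states for authentication and key management (together with its notes on Shared Authentication and guest mode) can be checked mechanically before settings are applied. The following is an added example, not code from the original page or from the device: the dictionary field names and the sample settings are hypothetical.

```python
# Added example: field names ("ssid", "auth", "key_mgmt", "cipher_suite",
# "guest_mode") are hypothetical, not the device's configuration schema.

def audit_ssids(ssids, radio="802.11g"):
    """Return (ssid, finding) tuples for a list of SSID settings dicts."""
    findings = []
    for s in ssids:
        name = s["ssid"]
        auth = set(s.get("auth", ()))
        km = set(s.get("key_mgmt", ()))
        if "cckm" in km and "network-eap" not in auth:
            findings.append((name, "CCKM needs Network EAP authentication"))
        if "wpa" in km and not auth & {"open", "network-eap"}:
            findings.append((name, "WPA needs Open or Network EAP authentication"))
        if km and not s.get("cipher_suite"):
            findings.append((name, "CCKM/WPA needs a cipher suite on the SSID's VLAN"))
        if radio == "802.11a" and len(km) > 1:
            findings.append((name, "802.11a radio allows only one key management"))
        if "shared" in auth:
            findings.append((name, "Shared Authentication exposes challenge and response"))
        if s.get("guest_mode"):
            findings.append((name, "guest mode broadcasts the SSID in beacons"))
    # Page rule: only one SSID can use Shared Authentication.
    shared = [s["ssid"] for s in ssids if "shared" in s.get("auth", ())]
    if len(shared) > 1:
        findings.append(("*", "only one SSID can use Shared Authentication: "
                         + ", ".join(shared)))
    return findings


# Constructed sample settings, not taken from a real device.
SAMPLE = [
    {"ssid": "corp", "auth": ["open", "network-eap"], "key_mgmt": ["wpa", "cckm"],
     "cipher_suite": "tkip"},
    {"ssid": "voice", "auth": ["open"], "key_mgmt": ["cckm"], "cipher_suite": "tkip"},
    {"ssid": "legacy", "auth": ["shared"], "key_mgmt": ["wpa"]},
    {"ssid": "guest", "auth": ["open", "shared"], "guest_mode": True},
]

if __name__ == "__main__":
    for name, msg in audit_ssids(SAMPLE):
        print(f"{name}: {msg}")
```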
WPA Pre-shared Key
To support client devices using static WEP keys
and WPA key management, you must configure a pre-shared key on the
access point. Enter the key and indicate whether it is represented
as CCKM or WPA. For the 802.11b or g radio, you can select WPA and
CCKM concurrently for your authentication key management.
Advertise Extended Capabilities of this SSID
This check box allows you to include the SSID name
and capabilities in the Wireless Provisioning Service (WPS) information
element.
Advertise Wireless Provisioning Services (WPS)
Support
This check box allows you to enable the WPS capability
flag in the WPS information element.
Advertise this SSID as
a Secondary Broadcast SSID
This check box allows you to include the SSID name
and capabilities in the WPS information element.
Enable IP Redirection on this SSID
When you configure IP redirection for an SSID,
the access point redirects all packets sent from client devices
associated to that SSID to a specific IP address. You can redirect
all packets from client devices associated using an SSID or redirect
only packets directed to specific TCP or UDP ports. When you configure
the access point to redirect only packets addressed to specific
ports, the access point redirects those packets from clients using
the SSID and drops all other packets from clients using the SSID.
IP Address
Enter the IP address of the destination for redirected
packets.
IP Filter
Once you enable IP redirection and enter the IP
address, click on the Define Filter link to move to the IP Filters
page where you can specify the appropriate TCP or UDP ports for
redirection. If you do not specify TCP or UDP ports, the access
point redirects all packets that it receives from client devices.
Association Limit (optional)
The maximum number of clients that may associate
to a particular SSID. This limit prevents bridges from getting overloaded
and helps to provide an adequate level of service to associated
clients.
EAP Client (optional)
Username
Indicates the username used for EAP authentication
when the non-root bridge is associating with a parent access point.
Password
Indicates the password used for EAP authentication
when the non-root bridge is associating with a root bridge.
Note: When entering a password, the following
six characters are not allowed: ?, ", $, [, and +.
Set Guest Mode SSID
Displays the SSID in plain text in the access point
beacon messages (broadcast SSID). Setting guest mode enables clients
without any SSID to associate to this access point; therefore, use
caution when setting this parameter.
Set Infrastructure SSID
When the bridge is in non-root mode, this SSID
is used to associate with a root bridge.
Put a check in the check box by the drop-down menu
if you want to force infrastructure devices to associate only to
this SSID.
See Also: Enabling
and Configuring Authentication Using the RADIUS Server, Enabling
and Configuring Network EAP