Online Help for Cisco IOS Release 12.3(04)JA
Home
Express Set-up
Express Security
Network Map
Association
Network Interfaces
Security
Admin Access
SSID Manager
Encryption Manager
Local RADIUS Server
Server Manager
Advanced Security
Services
Wireless Services
System Software
Event Log

 

  
Express Security Setup
 

SSID Configuration

Just as you use the Express Setup page to assign basic settings, you can the Express Security page to create unique SSIDs and assign one of three security types to them. The Express Security page helps you configure your basic security settings. You can use the web-browser interface's main Security page to configure more advanced security settings. Because the Express Security page is designed for simple configuration of basic security, the options available are a subset of the access point's security capabilities. Refer to the Cisco IOS Software Configuration Guide for the limitations when using the Express Security page.

SSID

In Cisco IOS Release 12.3(4)JA, there is no default SSID. You must configure an SSID before client devices can associate to the access point. The SSIDs that you create appear in the SSID table at the bottom of the page. You can create up to 16 SSIDs on the wireless device. On dual-radio wireless devices, the SSIDs that you create are enabled on both radio interfaces. Refer to Configuring Multiple BSSIDs for further procedural information.

Broadcast SSID in Beacon

This setting is active only when the device is in the Root AP mode. When you broadcast the SSID, devices that do not specify an SSID can associate to the bridge when it is a root access point. This is a useful option for an SSID used by guests or by client devices in a public space. If you do not broadcast the SSID, client devices cannot associate to the access point unless their SSID matches this SSID. Only one SSID can be included in the beacon.

VLAN

If you use VLANs on your wireless LAN and assign SSIDs to VLANs, you can create multiple SSIDs using any of the four security settings on the Express Security page. However, if you do not use VLANs on your wireless LAN, the security options that you can assign to SSIDs are limited because, on the Express Security page, encryption settings and authentication types are linked. Without VLANs, encryption settings (WEP and ciphers) apply to an interface, such as the 2.4-GHz radio, and you cannot use more than one encryption setting on an interface.

No VLAN

Select this if you are not using VLANs.

Enable VLAN ID

Select this if you want to specify the virtual Ethernet LAN identification number tied to the SSID.

Native VLAN

Select this if you want this VLAN ID to be the native VLAN.

Security

You can assign four security types to an SSID.

  • No Security - This is the least secure option. You should use this option only for SSIDs used in a public space and assign it to a VLAN that restricts access to your network.
  • Static WEP Key - This option is more secure than no security. However, static WEP keys are vulnerable to attack. If you configure this setting, you should consider limiting association to the access point based on MAC address or, if your network does not have a RADIUS server, consider using an access point as a local authentication server. This security feature enables mandatory WEP. Client devices cannot associate using this SSID without a WEP key that matches the access point's key.
  • EAP Authentication - This option enables 802.1x authentication (such as LEAP, PEAP, EAP-TLS, EAP-GTC, EAP-SIM, and others) and requires you to enter the IP address and shared secret for an authentication server on your network (server authentication port 1645). Because 802.1x authentication provides dynamic encryption keys, you do not need to enter a WEP key. This security features enables mandatory 802.1x authentication. Client devices that associate using this SSID must perform 802.1 authentication.
  • WPA - Wi-Fi Protected Access (WPA) permits wireless access to users authenticated against a database through the services of an authentication server, then encrypts their IP traffic with stronger algorithms than those used in WEP. As with EAP authentication, you must enter the IP address and shared secret for an authentication server on your network (server authentication port 1645). This security feature enables mandatory WPA authentication. Client devices that associate using this SSID must be WPA-capable.

SSID Table

This table displays the SSID and the VLAN, encryption, authentication, and key management options associated with it.

 

See Also: Using Express Security

 

 

 
   
Copyright (c) 2005 by Cisco Systems, Inc.