Current SSID List
Enter the unique identifier that client devices
use to associate with the access point. The SSID helps client devices
distinguish between multiple wireless networks in the same vicinity.
The SSID can be any alphanumeric, case-sensitive entry from 2 to
32 characters.
SSID
The service set identifier (SSID) - also called
the radio SSID - is a unique identifier that clients use to associate
with the radio. You can add up to 16 SSIDs.
Note: In this text field, the following
six characters are not allowed: ?,
", $, [, \, ], and +. In addition, the following three characters
cannot be the first character: !, #, and ;.
VLAN
A VLAN is a switched network that is logically
segmented by function, project team, or application rather than
on a physical or geographical basis. For example, all workstations
and servers used by a particular workgroup team can be connected
to the same VLAN regardless of their physical connections to the
network or the fact that they might be intermingled with other teams.
Define VLANs
Click this link to move to the Services:
VLAN page. If any configuration changes were not applied before
clicking this link, those changes will be lost. On this page you
set default VLANs and assign current VLANs and their ID and information.
For instance, enterprise customers can use different VLANs to segregate
employee traffic from guest traffic, and further segregate those
traffic groups from that of high-priority voice. Traffic to and
from wireless clients with varying security capabilities can be
segregated into VLANs with varying security policies.
Interface
Click the check box to select which radio interfaces
are enabled. The SSID remains inactive until you enable it for a
radio interface.
Network ID
Specifies the Layer 3 mobility network identification
number for the SSID.
Authentication Settings
/ Methods Accepted:
Open Authentication
Choose Open Authentication by checking
the check box. This enables any device to authenticate and then
attempt to communicate with the access point. If the access point
is using WEP and the other device is not, the other device does
not attempt to authenticate. If the other device is using WEP
but its WEP keys do not match the keys on the access point, the
other device authenticates with the access point but does not
pass data through it.
After you choose Open Authentication,
you can select the additional method to use from the drop-down
menu. The options in the drop-down are MAC authentication, EAP,
MAC authentication and EAP, or MAC authentication or EAP. To fully
enable EAP, EAP Authentication Servers must be set on this
window or in the Server
Manager window. To fully enable MAC Authentication,
you must either enter the MAC address locally or select the Authentication
Server Only option on the Advanced
Security window. If you select the Authentication Server Only
option, MAC Authentication Servers must be set on this page
or on the Server Manager
page.
Note: Although an access point can use
Open Authentication with the EAP method to authenticate a wireless
client device, an access point cannot use EAP to authenticate
another access point. In other words, access points must authenticate
each other using either open, shared, or Network EAP authentication
methods.
Shared Authentication
Choose shared authentication by checking the
Shared Authentication check box. The access point sends
an unencrypted challenge string to any device attempting to communicate
with the access point. The device requesting authentication encrypts
the challenge text and sends it back to the access point. If the
challenge text is encrypted correctly, the access point enables
the requesting device to authenticate. Both the unencrypted challenge
and the encrypted challenge can be monitored, which leaves
the access point open to attack from an intruder who guesses the
WEP key by comparing the unencrypted and encrypted text strings.
Because of this weakness, shared key authentication can be less
secure than open authentication. Only one SSID can use shared
authentication.
After you choose Shared Authentication, you can
select the method to use from the drop-down menu. The choices
are MAC Authentication, EAP, or MAC Authentication and EAP.
Network EAP
Choose network EAP
by checking the Network EAP check box. The device uses
the Extensible Authentication Protocol (EAP) to interact with
an EAP-compatible RADIUS server on your network to provide authentication
for wireless client devices. Client devices use dynamic WEP keys
to authenticate to the network.
After you choose Network
EAP, you can select MAC Authentication. To fully enable
MAC authentication, you must either enter the MAC address locally
or select the Authentication Server Only option on the
Advanced Security
window. If you select the Authentication Server Only option, MAC
Authentication Servers must be set in this window or in the Server
Manager window.
EAP Authentication
Servers must be set in this window or in the Server
Manager window.
Server Priorities
Determine how you are going to use specific RADIUS
servers on this SSID. In the EAP and MAC Authentication Server sections,
you can choose to use the defaults or customize the priority by
using the drop-down menu. If you click to enable the use of the
defaults, click the Define Defaults link to move into the
Server Manager window.
Authenticated Key Management
WPA and CCKM are the new authenticated key management
solutions. Wi-Fi Protected Access (WPA) is the new interim solution
from the Wireless Ethernet Compatibility Alliance (WECA). WPA, mostly
synonymous with Simple Security Network (SSN), relies on the interim
version of IEEE standard 802.11i. WPA supports TKIP and WEP encryption
algorithms as well as 802.1X and EAP for simple integration with
existing authentication systems. WPA key management uses a combination
of encryption methods to protect communication between client devices
and the access point. Currently, WPA key management supports two
mutually exclusive types of authenticated key management: WPA and WPA-PSK.
If authentication key management is WPA, the client
and authentication server authenticate to each other using an EAP
authentication method (such as EAP-TLS) and generate a Pairwise
Master Key (PMK). If authentication key management is WPA-PSK, the
pre-shared key is used directly as the PMK.
Using Cisco Centralized Key Management (CCKM),
authenticated client devices can roam from one access point to another
without any perceptible delay during reassociation. An access point
on your network acts as a wireless domain service (WDS) and creates
a cache of security credentials for CCKM-enabled client devices
on the subnet. The WDS cache of credentials dramatically reduces
the time required for reassociation when a CCKM-enabled client device
roams to a new access point.
To enable CCKM for an SSID, you must also enable
network-EAP authentication. When CCKM and Network EAP are enabled
for an SSID, client devices using LEAP, EAP-FAST, PEAP/GTC, MSPEAP,
and EAP-TLS can authenticate using the SSID.
To enable WPA for an SSID, you must also enable Open authentication
or Network-EAP or both.
Note: Before you can enable CCKM or WPA,
you must set the encryption mode for the SSID's VLAN to one of the
cipher suite options.
Key Management
Use the drop-down menu to determine if you want
key management to be mandatory or optional. You can select CCKM
and WPA authentication key management at the same time for radio
802.11b or 802.11g. For radio 802.11a, only one key management can
be selected.
WPA Pre-shared Key
To support client devices using static WEP keys
and WPA key management, you must configure a pre-shared key on the
access point. Enter the key and choose the appropriate radio button to specify if you are entering hexadecimal or ASCII characters.
If you use hexadecimal, you must enter 64 hexadecimal characters to complete the 256-bit key. If you use ASCII, you must enter a minimum of 8 letters, numbers, or symbols, and the access point expands the key for you. You can enter a maximum of 63 ASCII characters.
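The hexadecimal and ASCII entry rules above, together with the SSID character rules from the SSID field, as an added example that is not part of the original help page or the access point's own code. It assumes the ASCII key is expanded with the standard IEEE 802.11i passphrase mapping (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations); the function names and sample values are hypothetical.

```python
import hashlib
import string

# SSID rules as stated on this page
SSID_FORBIDDEN = set('?"$[\\]+')   # not allowed anywhere in the SSID
SSID_FORBIDDEN_FIRST = set("!#;")  # not allowed as the first character


def validate_ssid(ssid: str) -> None:
    """Raise ValueError if the SSID breaks the rules given on this page."""
    if not 2 <= len(ssid) <= 32:
        raise ValueError("SSID must be 2 to 32 characters")
    bad = sorted(SSID_FORBIDDEN.intersection(ssid))
    if bad:
        raise ValueError(f"SSID contains disallowed characters: {bad}")
    if ssid[0] in SSID_FORBIDDEN_FIRST:
        raise ValueError(f"SSID cannot start with {ssid[0]!r}")


def wpa_psk_to_pmk(key: str, ssid: str, is_hex: bool) -> bytes:
    """Return the 256-bit PMK that a WPA pre-shared key entry produces."""
    validate_ssid(ssid)
    if is_hex:
        # 64 hex characters are the 256-bit key itself; no expansion happens.
        if len(key) != 64 or any(c not in string.hexdigits for c in key):
            raise ValueError("hex key must be exactly 64 hexadecimal characters")
        return bytes.fromhex(key)
    if not 8 <= len(key) <= 63:
        raise ValueError("ASCII key must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in key):
        raise ValueError("ASCII key must contain printable ASCII only")
    # Assumption: standard IEEE 802.11i passphrase mapping. The SSID is the
    # salt, so the same passphrase yields a different PMK on each SSID.
    return hashlib.pbkdf2_hmac("sha1", key.encode("ascii"),
                               ssid.encode("ascii"), 4096, 32)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real network.
    for ssid in ("IEEE", "Lab-Guest"):
        print(ssid, wpa_psk_to_pmk("password", ssid, is_hex=False).hex())
```

Because the SSID is the salt, renaming an SSID changes the PMK even when the ASCII key stays the same, while a 64-character hexadecimal key is used unchanged.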
Enable Accounting
Indicate whether you want this server to record
usage data of clients associating with the access point. Some usage
data may be used for billing or usage tracking.
Accounting Server Priorities
You can choose to use the defaults or customize
the priority by using the drop-down menu. If you choose to enable
the use of the defaults, click the Define Defaults link to
move into the Server Manager screen.
Advertise Extended Capabilities of this SSID
This check box allows you to include the SSID name
and capabilities in the Wireless Provisioning Service (WPS) information
element.
Advertise Wireless Provisioning Services (WPS)
Support
This check box allows you to enable the WPS capability
flag in the WPS information element.
Advertise this SSID as
a Secondary Broadcast SSID
This check box allows you to include the SSID name
and capabilities in the WPS information element.
Enable IP Redirection on this SSID
When you configure IP
redirection for an SSID, the access point redirects all packets
sent from client devices associated to that SSID to a specific IP
address. You can redirect all packets from client devices associated
using an SSID or redirect only packets directed to specific TCP
or UDP ports. When you configure the access point to redirect only
packets addressed to specific ports, the access point redirects
those packets from clients using the SSID and drops all other packets
from clients using the SSID.
IP Address
Enter the IP address of the destination for redirected
packets.
IP Filter
After you enable IP redirection and enter the IP
address, click Define Filter to move to the IP
Filters page where you can specify the appropriate TCP or UDP
ports for redirection. If you do not specify TCP or UDP ports, the
access point redirects all packets that it receives from client
devices.
The maximum number of clients that may associate
to a particular SSID. This limit prevents access points from getting
overloaded and helps to provide an adequate level of service to
associated clients.
EAP Client (optional)
Username
Indicates the username used for Network EAP authentication
when the repeater access point is associating with a parent access
point or when a Hot Standby access point is associating with a monitored
access point.
Password
Indicates the password used for Network EAP authentication
when the repeater access point is associating with a parent access
point or when a Hot Standby access point is associating with a monitored
access point.
Note: The following six characters are
not allowed in passwords: ?, ", $, [, and +.
Multiple BSSID Beacon
Select the Set SSID as
Guest Mode check box if you want to include the SSID in beacons.
Refer to Configuring Multiple BSSIDs
for further procedural information.
To increase the battery life for power-save clients
that use this SSID, select the Set Data
Beacon Rate (DTIM) check box and enter a beacon rate for
the SSID. The beacon rate determines how often the access point
sends a beacon containing a Delivery Traffic Indicator Message (DTIM).
When client devices receive a beacon that contains
a DTIM, they normally wake up to check for pending packets. Longer
intervals between DTIMs let clients sleep longer and preserve power.
Conversely, shorter DTIM periods reduce the delay in receiving packets
but use more battery power because clients wake up more often.
Set Beacon Mode
Click to choose if you want single access point
beacon messages or multiple messages. Refer to Configuring
Multiple BSSIDs for further procedural information. From the
drop-down menu, set which guest mode enables clients without any
SSID to associate to this access point.
Set Infrastructure SSID
When the access point is in repeater mode, this
SSID is used to associate with a parent access point.
Check the check box by the drop-down menu if you
want to force infrastructure devices to associate only to this SSID.
See Also: Enabling
and Configuring Local MAC Authentication