Multiple SSIDs on Cisco AP

fid500fid500 Member Posts: 71 ■■□□□□□□□□
I want to configure multiple SSIDs on a Cisco AP. We have vlan1 as the native vlan on our core, distribution and access switches. All switches have management IPs in vlan 8, with IPs in 192.168.8.0/24. I gave BVI1 an IP in 192.168.8.0/24 and made vlan 8 the native vlan on the AP and on the trunk port of the switch connecting to the AP, and was not able to get to anything on the network. DHCP did not work either.
I then gave BVI1 an IP in the vlan1 range (192.168.1.0) and set up vlan 1 as the native vlan on the AP; I was able to ping everything and get DHCP working on the other vlans.
What I want to achieve is this: keep native vlan 1 on the cores and distribution switches for now. Give BVI1 an IP in vlan 8. Have multiple vlans, thus multiple SSIDs, on the AP.
I really don't want an IP in vlan 1 on BVI1, since we are moving away from vlan 1 some time in the near future.
Does having a wireless controller facilitate this scenario?
And thanks for your input.

Comments

  • keenonkeenon Member Posts: 1,922 ■■■■□□□□□□
    It's been a while since I have done standalone APs, but it's pretty basic from memory with multiple SSIDs:

    BVI interface in the management network
    IP default gateway in management
    The fa interface should be configured like a router trunk port
    The SSIDs have to be bound to each of the vlans in the trunk.

    If you're not great on the AP CLI, I would suggest getting it up on the management network and using the GUI for the remainder of the config.

    I will look for a backup of some of the crazy configs we used to use that had the same thing you're trying to accomplish.
    Become the stainless steel sharp knife in a drawer full of rusty spoons
  • TrifidwTrifidw Member Posts: 281
    Define your vlans
    Define the vlan-to-SSID associations
    Define the SSIDs on the radio interface
    Subinterfaces on both the Ethernet port and the radio.


    dot11 vlan-name SSID1 vlan 101
    dot11 vlan-name SSID2 vlan 102

    dot11 ssid SSID1
    vlan 101
    dot11 ssid SSID2
    vlan 102

    interface Dot11Radio0
    ssid SSID1
    ssid SSID2

    interface Dot11Radio0.101
    interface Dot11Radio0.102

    interface fa0.101
    interface fa0.102


    I think that is everything. We have since moved to lightweight.
  • fid500fid500 Member Posts: 71 ■■□□□□□□□□
    Thanks for your responses.
    I have the AP already working with multiple SSIDs and VLANs and using EAP for authentication. My only issue is that I had to give my BVI1 interface an IP in vlan 1 (native). That's the only way I got it to communicate with other vlans. What I want is to give it an IP from a different VLAN, say VLAN 8, which is not my native vlan. As I have stated before, the native vlan on the switches is vlan 1.
  • CCNAwannabeCCNAwannabe Member Posts: 44 ■■□□□□□□□□
    Here is the working config off of my autonomous AP. It's a C1100 with version 12.3.

    It is using VLAN 222 as the management VLAN and is using the BVI interface. The switch port config is below this one.
    version 12.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname dss-okc-ap-01
    !
    no logging console
    enable secret 5 asdf
    !
    ip subnet-zero
    !
    !
    aaa new-model
    !
    !
    aaa group server radius rad_eap
    server 172.16.8.223 auth-port 1645 acct-port 1646
    server 172.16.100.10 auth-port 1645 acct-port 1646
    !
    aaa group server radius rad_mac
    !
    aaa group server radius rad_acct
    !
    aaa group server radius rad_admin
    cache expiry 1
    cache authorization profile admin_cache
    cache authentication profile admin_cache
    !
    aaa group server tacacs+ tac_admin
    cache expiry 1
    cache authorization profile admin_cache
    cache authentication profile admin_cache
    !
    aaa group server radius rad_pmip
    !
    aaa group server radius dummy
    !
    aaa authentication login default local
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authorization exec default local
    aaa accounting network acct_methods start-stop group rad_acct
    aaa cache profile admin_cache
    all
    !
    aaa session-id common
    dot11 vlan-name Dowley_Main vlan 108
    dot11 vlan-name Guest vlan 252
    dot11 vlan-name Management_VLAN vlan 222
    !
    dot11 ssid MAINSSID
    vlan 108
    authentication open eap eap_methods
    authentication key-management wpa
    !
    dot11 ssid GUESTSSID
    vlan 252
    authentication open
    authentication key-management wpa
    guest-mode
    wpa-psk ascii 7 !
    !
    !
    username admin password 7
    !
    bridge irb
    !
    !
    interface Dot11Radio0
    no ip address
    no ip route-cache
    !
    encryption vlan 108 mode ciphers tkip
    !
    encryption vlan 252 mode ciphers tkip
    !
    ssid MAINSSID
    !
    ssid GUESTSSID
    !
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    station-role root
    !
    interface Dot11Radio0.108
    encapsulation dot1Q 108
    no ip route-cache
    bridge-group 108
    bridge-group 108 subscriber-loop-control
    bridge-group 108 block-unknown-source
    no bridge-group 108 source-learning
    no bridge-group 108 unicast-flooding
    bridge-group 108 spanning-disabled
    !
    interface Dot11Radio0.222
    encapsulation dot1Q 222 native
    no ip route-cache
    bridge-group 1
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    !
    interface Dot11Radio0.252
    encapsulation dot1Q 252
    no ip route-cache
    bridge-group 252
    bridge-group 252 subscriber-loop-control
    bridge-group 252 block-unknown-source
    no bridge-group 252 source-learning
    no bridge-group 252 unicast-flooding
    bridge-group 252 spanning-disabled
    !
    interface FastEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    hold-queue 80 in
    !
    interface FastEthernet0.108
    encapsulation dot1Q 108
    no ip route-cache
    bridge-group 108
    no bridge-group 108 source-learning
    bridge-group 108 spanning-disabled
    !
    interface FastEthernet0.222
    encapsulation dot1Q 222 native
    no ip route-cache
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    !
    interface FastEthernet0.252
    encapsulation dot1Q 252
    no ip route-cache
    bridge-group 252
    no bridge-group 252 source-learning
    bridge-group 252 spanning-disabled
    !
    interface BVI1
    ip address 172.16.10.20 255.255.255.0
    no ip route-cache
    !
    ip default-gateway 172.16.10.1
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1
    !
    radius-server attribute 32 include-in-access-req format %h
    radius-server host 172.16.8.223 auth-port 1645 acct-port 1646 key
    radius-server host 172.16.100.10 auth-port 1645 acct-port 1646 key
    radius-server deadtime 5
    radius-server vsa send accounting
    !
    control-plane
    !
    bridge 1 route ip
    !
    !
    !
    line con 0
    line vty 5 15
    !
    end

    The switch interface is configured with these commands:

    switchport trunk encapsulation dot1q
    switchport trunk native vlan 222
    switchport trunk allowed vlan 108,222,252
    switchport mode trunk
    switchport nonegotiate


    Hope this helps. -Robbie
  • fid500fid500 Member Posts: 71 ■■□□□□□□□□
    Robbie,
    I will try it once I get to work tomorrow.
    Quick question: what's your native vlan across the rest of the network? Is it VLAN 222 all over?

    Sorry I misspelled your name. I was using my Droid.
  • CCNAwannabeCCNAwannabe Member Posts: 44 ■■□□□□□□□□
    fid500 wrote: »
    Ronnie,
    I will try it once I get to work tomorrow.
    Quick question: what's your native vlan across the rest of the network? Is it VLAN 222 all over?

    No, the native vlan is 999; the management vlan is 222.
  • fid500fid500 Member Posts: 71 ■■□□□□□□□□
    Thanks for the quick response.
    I apologize for misspelling your name.
  • CCNAwannabeCCNAwannabe Member Posts: 44 ■■□□□□□□□□
    fid500 wrote: »
    Thanks for the quick response.
    I apologize for misspelling your name.

    No biggie, it's better than being called Robin! You have to set the native vlan on the trunk to the AP native vlan. All untagged traffic is routed to the BVI. (From experience, I don't know if it can work differently, but my config is in production and working fine.)
  • TrifidwTrifidw Member Posts: 281
    fid500 wrote: »
    Robbie,
    I will try it once I get to work tomorrow.
    Quick question: what's your native vlan across the rest of the network? Is it VLAN 222 all over?

    We have 1 vlan for network, 1 for management, and then had 1 for the native vlan for the APs.
  • fid500fid500 Member Posts: 71 ■■□□□□□□□□
    BIG THANKS to ROBBIE
    I have made some progress and I was able to get multiple SSIDs working. The only thing that did not work was the SSID attached to the native vlan on the trunk ports. I had to create another vlan and make it the native on the trunk ports, and everything worked.
    Now I have a different question concerning NPS on Windows 2008.
    I have set up multiple policies for different groups. Is there a way to attach a policy to a specific SSID? I couldn't find anywhere to add an SSID constraint.

    And thank you.
  • CCNAwannabeCCNAwannabe Member Posts: 44 ■■□□□□□□□□
    fid500 wrote: »
    BIG THANKS to ROBBIE
    I have made some progress and I was able to get multiple SSIDs working. The only thing that did not work was the SSID attached to the native vlan on the trunk ports. I had to create another vlan and make it the native on the trunk ports, and everything worked.
    Now I have a different question concerning NPS on Windows 2008.
    I have set up multiple policies for different groups. Is there a way to attach a policy to a specific SSID? I couldn't find anywhere to add an SSID constraint.

    And thank you.

    Glad to help you out. I don't think there is a way to define SSIDs. I think the only thing you can define is 802.11 wireless as the type. Uhm, what are you trying to do?
  • Cookie001Cookie001 Registered Users Posts: 1 ■□□□□□□□□□
    Same here, dude: vlan1 native, it's going to be shut down in a few months but still active.
    So vlan 147 officeclient // vlan 136 productionclient // vlan 128 access point management

    On the switch:
    interface FastEthernet2/6
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 128
    switchport trunk allowed vlan 1,128,136,147
    switchport mode trunk
    switchport nonegotiate
    On the AP:


    XXXXAP#show run
    Building configuration...
    Current configuration : 3013 bytes
    !
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname XXXXAP
    !
    enable secret 5 $1$/GzP$81meETt4ubSmDocOg8y8Q0
    !
    no aaa new-model
    ip domain name Availmed.com
    !
    !
    !
    dot11 ssid xxx-Prod
    vlan 136
    authentication open
    authentication key-management wpa
    guest-mode
    wpa-psk ascii 7 045D07031736455C0C15000401
    !
    dot11 ssid xxx-Admin
    vlan 147
    authentication open eap eap_methods
    authentication network-eap eap_methods
    authentication key-management wpa
    !
    power inline negotiation prestandard source
    !
    !
    username Cisco password 7 062506324F41
    !
    bridge irb
    !
    !
    interface Dot11Radio0
    no ip address
    no ip route-cache
    !
    encryption vlan 147 mode ciphers aes-ccm tkip
    !
    encryption vlan 136 mode ciphers aes-ccm tkip
    !
    ssid xxx-Prod
    !
    ssid xxx-Admin
    !
    power local 14
    channel 2412
    station-role root
    !
    interface Dot11Radio0.1
    no ip route-cache
    !
    interface Dot11Radio0.128
    encapsulation dot1Q 128 native
    no ip route-cache
    bridge-group 1
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    !
    interface Dot11Radio0.136
    encapsulation dot1Q 136
    no ip route-cache
    bridge-group 136
    bridge-group 136 subscriber-loop-control
    bridge-group 136 block-unknown-source
    no bridge-group 136 source-learning
    no bridge-group 136 unicast-flooding
    bridge-group 136 spanning-disabled
    !
    interface Dot11Radio0.147
    encapsulation dot1Q 147
    no ip route-cache
    bridge-group 147
    bridge-group 147 subscriber-loop-control
    bridge-group 147 block-unknown-source
    no bridge-group 147 source-learning
    no bridge-group 147 unicast-flooding
    bridge-group 147 spanning-disabled
    !
    interface Dot11Radio1
    no ip address
    no ip route-cache
    shutdown
    dfs band 3 block
    channel dfs
    station-role root
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    !
    interface FastEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    !
    interface FastEthernet0.1
    no ip route-cache
    !
    interface FastEthernet0.128
    encapsulation dot1Q 128 native
    no ip route-cache
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    !
    interface FastEthernet0.136
    encapsulation dot1Q 136
    no ip route-cache
    bridge-group 136
    no bridge-group 136 source-learning
    bridge-group 136 spanning-disabled
    !
    interface FastEthernet0.147
    encapsulation dot1Q 147
    no ip route-cache
    bridge-group 147
    no bridge-group 147 source-learning
    bridge-group 147 spanning-disabled
    !
    interface BVI1
    ip address 10.105.128.211 255.255.255.0
    no ip route-cache
    !
    ip default-gateway 10.105.128.1
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    bridge 1 route ip
    !
    !
    !
    line con 0
    line vty 0 4
    login local
    !
    end
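    As an added example (not from any poster in this thread), the following Python script checks a pasted autonomous-AP running config against its switch trunk-port config for the points the thread settles on: the AP's native VLAN matches the trunk's, the native subinterfaces carry bridge-group 1 (the group BVI1 bridges into), each SSID VLAN has a subinterface on both Dot11Radio0 and FastEthernet0 and is allowed on the trunk, and no SSID is bound to the native VLAN, which is what failed for fid500. The sample configs are constructed from the VLAN numbers in Cookie001's post, and the switch parser assumes a comma-separated allowed list with no ranges.

```python
import re

# Constructed sample modelled on the AP and switch-port configs pasted in this thread
# (no indentation, as in forum pastes, so the parser keys on "interface", "dot11 ssid" and "!").
SAMPLE_AP = "\n".join(["dot11 ssid xxx-Prod", "vlan 136", "!", "dot11 ssid xxx-Admin", "vlan 147", "!"] + [
    ln for p in ("Dot11Radio0", "FastEthernet0") for v, tag, bg in ((128, " native", 1), (136, "", 136), (147, "", 147))
    for ln in (f"interface {p}.{v}", f"encapsulation dot1Q {v}{tag}", f"bridge-group {bg}", "!")])
SAMPLE_SW = "switchport trunk native vlan 128\nswitchport trunk allowed vlan 1,128,136,147"

def parse_ap(cfg):
    # Returns SSID->VLAN, VLAN->{parent interfaces}, the native VLAN, and bridge-groups on native subinterfaces.
    ssids, subifs, native, native_bgs, blk, blk_native = {}, {}, None, set(), None, False
    for line in (l.strip() for l in cfg.splitlines()):
        if line == "!" or line.startswith(("interface ", "dot11 ssid ")):
            blk, blk_native = (None if line == "!" else line.split()[-1]), False
        elif blk and (m := re.fullmatch(r"vlan (\d+)", line)):
            ssids[blk] = int(m.group(1))                      # only appears inside a "dot11 ssid" block
        elif blk and (m := re.fullmatch(r"encapsulation dot1q (\d+)( native)?", line, re.I)):
            vid = int(m.group(1))
            subifs.setdefault(vid, set()).add(blk.split(".")[0])
            if m.group(2):
                native, blk_native = vid, True
        elif blk_native and (m := re.fullmatch(r"bridge-group (\d+)", line)):
            native_bgs.add(int(m.group(1)))
    return ssids, subifs, native, native_bgs

def parse_switchport(cfg):
    # Assumption: the allowed list is comma-separated with no ranges, as in the posts above.
    nat = re.search(r"switchport trunk native vlan (\d+)", cfg)
    alw = re.search(r"switchport trunk allowed vlan ([\d,]+)", cfg)
    return (int(nat.group(1)) if nat else None,
            {int(v) for v in alw.group(1).split(",")} if alw else None)

def check(ap_cfg, sw_cfg):
    # An empty list means the AP/switch pair matches what worked for the posters in this thread.
    ssids, subifs, ap_native, native_bgs = parse_ap(ap_cfg)
    sw_native, allowed = parse_switchport(sw_cfg)
    out = []
    if ap_native != sw_native:
        out.append(f"native VLAN mismatch: AP {ap_native} vs switch trunk {sw_native}")
    if native_bgs != {1}:
        out.append("native subinterfaces must carry bridge-group 1, the group BVI1 belongs to")
    for ssid, vid in ssids.items():
        if vid == ap_native:
            out.append(f"SSID {ssid} is bound to the native VLAN {vid}")
        if subifs.get(vid) != {"Dot11Radio0", "FastEthernet0"}:
            out.append(f"SSID {ssid}: VLAN {vid} needs subinterfaces on Dot11Radio0 and FastEthernet0")
        if allowed is not None and vid not in allowed:
            out.append(f"SSID {ssid}: VLAN {vid} is not allowed on the switch trunk")
    return out
```

Run check(SAMPLE_AP, SAMPLE_SW) for the constructed pair; feed it your own "show run" and switchport lines to see which of the thread's conditions a non-working setup violates.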