Cisco 1200

Quick question and I may already know the answer.

Here is the setup first. We have several Cisco 1200 APs currently with only 1 SSID and an access-list to limit where clients go. The current authentication is WEP with MAC authentication to a RADIUS server. Also important is the AP is not connected to a Cisco switch. I think it is Nortel... The reason for the WEP/MAC authentication is a limitation of the devices that are connecting to the AP (DOS-based terminals), which is also the reason for the access-lists. I have read up on creating a 2nd SSID on 1200, but it requires a second VLAN, which if I'm correct would require a Cisco switch or at least a switch that understood VLANs (not sure if other manufacturers make any). My end goal is to have a connection that our DOS-based terminals can connect to easily with little issue, but extremely limited as to where they can go, and another connection (whether it be a different SSID or not) that I can use for Windows/Linux clients to connect to that has tougher authentication (WPA/WPA2) and tougher encryption capabilities.

Any ideas or thoughts are greatly appreciated.

Jon

jspinney

Hi Jon,

~ Quick question and I may already know the answer.
~
~ Here is the setup first.
~ We have several Cisco 1200 APs currently with only 1 SSID and an
~ access-list to limit where clients go. The current authentication is
~ WEP with MAC authentication to a Radius server. Also important is the
~ AP is not connected to a Cisco switch. I think it is Nortel...
~ The reason for the WEP/MAC authentication is a limitation of the
~ devices that are connecting to the AP (DOS based terminals), which is
~ also the reason for the access-lists. I have read up on creating a
~ 2nd SSID on 1200, but it requires a second VLAN,

Not strictly true. You can configure multiple SSIDs (with different wireless authentication methods) even if you only have one VLAN on the wired side. However, you will be subject to the restriction that all wireless SSIDs use the same crypto scheme. If you have multiple SSIDs mapped to different wired VLANs, then you can use independent crypto schemes per SSID.

~ which if I'm correct
~ would require a Cisco switch or at least a switch that understood
~ VLANs(not sure if other manufacturers make any).

What you're looking for is "802.1q trunking support". 802.1q is an industry standard, so non-Cisco switches support it, maybe even your Nortel.

To hook up the AP to an 802.1q trunk, the best practice would be:

- have the native VLAN be called "VLAN 1" on the switch, and the AP's IP address (BVI1) must be in this native VLAN

- have the wireless clients mapped to non-native VLANs

~ My end goal is to
~ have a connection that our DOS based terminals can connect to easily
~ with little issue, but extremely limited as to where they can go and
~ another connection (whether it be a different SSID or not) that I can
~ use for Windows/Linux clients to connect to that has a tougher
~ authentication (WPA/WPA2) and tougher encryption capabilities.

See if you can't configure 802.1q in your non-Cisco infrastructure. If your AP can only connect to a non-trunk port (access port), then your options are not so good. You could configure "WPA migration mode", which purports to support both WPA and WEP clients, but bear in mind that this scheme would require that your static WEP clients use a key index other than 1, and typically proves in practice to be not wholly satisfactory.

Regards,

Aaron

Aaron Leonard
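The layout Aaron describes (AP on an 802.1q trunk, BVI1 in native VLAN 1, each SSID mapped to its own tagged VLAN so each can carry its own crypto) as an added Aironet IOS configuration example; it is not from either poster. It assumes 12.3(x)JA-style syntax, VLAN 10 for the terminals and VLAN 20 for the WPA2 clients, a RADIUS server at 192.0.2.5, and constructed SSID names, addresses and keys.

```cisco
! Added example, not from the thread; syntax, VLAN numbers, addresses and keys are assumed/constructed.
aaa new-model
aaa group server radius rad_srv
 server 192.0.2.5 auth-port 1812 acct-port 1813
aaa authentication login mac_methods group rad_srv
aaa authentication login eap_methods group rad_srv
radius-server host 192.0.2.5 auth-port 1812 acct-port 1813 key 0 RADIUS-SECRET-PLACEHOLDER
! SSID for the DOS terminals: open auth + MAC address check against RADIUS, static WEP on VLAN 10
dot11 ssid TERMINALS
 vlan 10
 authentication open mac-address mac_methods
!
! SSID for Windows/Linux clients: 802.1X/EAP with WPA2 (AES-CCMP) on VLAN 20
dot11 ssid CORP
 vlan 20
 authentication open eap eap_methods
 authentication key-management wpa version 2
!
interface Dot11Radio0
 ! crypto is selected per VLAN, so WEP and WPA2 can coexist on the one radio
 encryption vlan 10 mode wep mandatory
 encryption vlan 10 key 1 size 128bit 0 0123456789ABCDEF0123456789 transmit-key
 encryption vlan 20 mode ciphers aes-ccm
 ssid TERMINALS
 ssid CORP
!
! Native VLAN 1 carries only the AP's own management traffic (BVI1)
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 bridge-group 1
!
! Client VLANs are tagged across the 802.1q trunk to the switch
interface Dot11Radio0.10
 encapsulation dot1Q 10
 bridge-group 10
interface FastEthernet0.10
 encapsulation dot1Q 10
 bridge-group 10
interface Dot11Radio0.20
 encapsulation dot1Q 20
 bridge-group 20
interface FastEthernet0.20
 encapsulation dot1Q 20
 bridge-group 20
interface BVI1
 ip address 192.0.2.10 255.255.255.0
```

Jon's existing access-list that confines the terminals is left out of the example; with this layout it would be applied to the VLAN 10 side only, leaving the WPA2 clients on VLAN 20 unaffected.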
