
Cisco Router 860, 880 Series User Manual


    							 
    PART 3
    Configuring and Administering the 
    Wireless Device 
    						
    							Americas Headquarters:
    Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
    © 2008 Cisco Systems, Inc. All rights reserved.
    Service Set Identifier (SSID)
    In the role of an access point, a wireless device can support up to 16 SSIDs. In the role of a wireless 
    bridge, the device is typically configured with one SSID. In the following sections, this module describes 
    how to configure and manage service set identifiers (SSIDs) on the wireless device:
    - Understanding SSIDs
    - Configuring SSIDs
    - Guest Mode SSID
    - Including an SSID in an SSIDL IE
    - Assigning IP Redirection for an SSID
    - Multiple Basic SSIDs
    - Using a RADIUS Server for SSID Authorization
    - NAC Support for MBSSID
    Understanding SSIDs
    The Service Set Identifier (SSID) is a unique token that identifies an 802.11 wireless network. It is used 
    by wireless devices to identify a network, and establish and maintain wireless connectivity. An SSID 
    must be configured and assigned to an interface before a wireless client device can associate with an 
    access point. 
    Multiple SSIDs on Wireless Devices in the Access Point Role
    You can configure up to 16 SSIDs on a wireless device in the role of an access point and configure a 
    unique set of parameters for each SSID. For example, you might use one SSID to allow guests limited 
    access to the network and another SSID to allow authorized users access to secure data. 
    All SSIDs are active at the same time. Client devices can associate to the access point if the wireless 
    client device SSID matches one of the access point SSIDs configured. If the client device meets the other 
    security requirements configured on the access point for that SSID, the client device is allowed to join 
    a network.  
    						
    							Service Set Identifier (SSID)
      Configuring SSIDs
    2
    Configuring SSIDs
    OL-11499-01
    SSIDs on Wireless Devices in Other Roles
    In the role of a wireless bridge, typically the bridges are configured with one SSID, as a bridge does not 
    associate wirelessly with clients. (A wireless device in the role of a workgroup bridge can associate with 
    wireless clients and might be configured with multiple SSIDs. For a complete description of wireless 
    device roles, see the “Roles and the Associations of Wireless Devices” module.)
    Configuring SSIDs
    SSIDs are created globally and then assigned to an interface. The SSID is inactive until you use the ssid 
    configuration interface command to assign the SSID to a specific radio interface. 
    In Cisco IOS Release 12.3(4)JA and later, you can configure SSIDs globally or on a specific radio 
    interface. When you create an SSID using the ssid interface command, the access point stores the SSID 
    in global configuration mode. 
    SSID Parameters
    These are the parameters you can configure for each SSID:
    - Guest mode
    - VLAN
    - Client authentication method
      Note: For detailed information on supported client authentication types, see the software
      configuration guide for your wireless device.
    - Maximum number of client associations
    - RADIUS accounting for traffic using the SSID
    - Redirection of packets received from client devices
    If your network uses VLANs, you can assign one SSID to a VLAN, and client devices using the SSID 
    are grouped in that VLAN.
    Using Spaces in SSIDs
    In Cisco IOS Release 12.4 and later, you can include spaces in an SSID. Trailing spaces (spaces at the 
    end of an SSID) are invalid. However, earlier versions of Cisco IOS allowed SSIDs to include trailing 
    spaces. Trailing spaces make it appear that you have identical SSIDs configured on the access point; 
    however, the trailing spaces make each SSID unique. 
    For example, this sample output from a show configuration privileged EXEC command does not show 
    spaces in SSIDs:
    ssid buffalo
        vlan 77
        authentication open
    ssid buffalo
        vlan 17
        authentication open
    ssid buffalo
        vlan 7
        authentication open
    The SSIDs appear to be identical, when in fact they are unique as a result of trailing spaces. This sample 
    output from a show dot11 associations privileged EXEC command shows the spaces in the SSIDs:
    SSID [buffalo] :
    SSID [buffalo ] :
    SSID [buffalo  ] : 
    Note: This command shows only the first 15 characters of the SSID. Use the show dot11 associations client
    command to see SSIDs having more than 15 characters.
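    An added example, not part of the Cisco manual: a Python check that reads SSID lines in the bracketed
    format shown above and reports SSIDs that differ only by trailing spaces. The sample lines are
    constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the "show dot11 associations" output above.
SAMPLE_OUTPUT = """\
SSID [buffalo] :
SSID [buffalo ] :
SSID [buffalo  ] :
SSID [batman] :
SSID [warehouse-scann] :
"""

DISPLAY_LIMIT = 15  # the command shows only the first 15 characters of an SSID

# Greedy match up to the last "]" so the brackets preserve trailing spaces.
SSID_LINE = re.compile(r"^\s*SSID \[(.*)\]\s*:\s*$")


def parse_ssids(output):
    """Return the SSID strings exactly as bracketed, trailing spaces included."""
    ssids = []
    for line in output.splitlines():
        match = SSID_LINE.match(line)
        if match:
            ssids.append(match.group(1))
    return ssids


def audit_ssids(ssids):
    """Report look-alike groups, trailing-space SSIDs and possibly truncated names."""
    groups = defaultdict(list)
    for ssid in ssids:
        groups[ssid.rstrip(" ")].append(ssid)
    return {
        # Distinct SSIDs that render identically once trailing spaces are hidden.
        "lookalikes": {base: sorted(set(names), key=len)
                       for base, names in groups.items() if len(set(names)) > 1},
        # Trailing spaces are invalid in Cisco IOS Release 12.4 and later.
        "trailing_space": [s for s in ssids if s != s.rstrip(" ")],
        # At the display limit the name may be cut short; confirm with
        # "show dot11 associations client" before trusting a comparison.
        "maybe_truncated": [s for s in ssids if len(s) >= DISPLAY_LIMIT],
    }


if __name__ == "__main__":
    for key, value in audit_ssids(parse_ssids(SAMPLE_OUTPUT)).items():
        print(key, value)
```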
    Creating a Global SSID
    Use the dot11 ssid global configuration command to create an SSID. Then you can apply the ssid 
    configuration interface command to assign the SSID to a specific interface. 
    When an SSID is created in global configuration mode, you use the ssid configuration interface 
    command to attach the SSID to an interface without entering SSID configuration mode. If you create an 
    SSID on the interface (in interface mode) that has not been created in global configuration mode, the 
    ssid command puts you into SSID configuration mode for the new SSID.
    Note: SSIDs created in Cisco IOS Releases 12.4 or later become invalid if you downgrade the IOS software to
    an earlier release.
    To create a global SSID, follow these steps, beginning in privileged EXEC mode. After you create an 
    SSID, you can assign it to specific radio interfaces.
            Command                               Purpose
    Step 1  configure terminal                    Enters global configuration mode.
    Step 2  dot11 ssid ssid-string                Creates a global SSID and enters SSID configuration
                                                  mode for this SSID.
                                                  The SSID can consist of up to 32 alphanumeric,
                                                  case-sensitive characters.
                                                  The first character cannot contain the !, #, or ;
                                                  character.
                                                  +, ], /, , TAB, and trailing spaces are invalid
                                                  characters for SSIDs.
    Step 3  interface dot11radio radio-interface  Enters interface configuration mode for the radio
                                                  interface to which you want to assign the SSID.
    Step 4  ssid ssid-string                      Assigns the global SSID that you created in Step 2
                                                  to the radio interface.
                                                  Use the no form of the command to disable the
                                                  SSID.
    Step 5  end                                   Returns to privileged EXEC mode.
    SSID Configuration Example
    This example shows how to:
    - Name an SSID
    - Configure the SSID for RADIUS accounting
    - Set the maximum number of client devices that can associate using this SSID to 15
    - Assign the SSID to a VLAN
    - Assign the SSID to a radio interface
    AP# configure terminal
    AP(config)# dot11 ssid batman
    AP(config-ssid)# accounting accounting-method-list
    AP(config-ssid)# max-associations 15
    AP(config-ssid)# vlan 3762
    AP(config-ssid)# exit
    AP(config)# interface dot11radio 0
    AP(config-if)# ssid batman
    AP(config-if)# end
    Viewing Global SSIDs
    Use this command to view configuration details for SSIDs that are configured globally:
    AP# show running-config ssid ssid-string
    Guest Mode SSID
    The guest-mode SSID is included in beacon frames and in responses to probe requests without an SSID
    that matches the other access point SSIDs or with a wildcard SSID. Enabling guest mode for an SSID
    helps clients that passively scan (do not transmit probe requests) to associate with the access point. The
    access point can have one guest-mode SSID or none at all. (See the “Multiple Basic SSIDs” section on
    page 8 to learn how to include multiple SSIDs in a beacon.)
    If no guest-mode SSID exists, the access point beacon contains no SSID and probe requests with a
    wildcard SSID are ignored. Disabling the guest mode makes the networks slightly more secure.
    To enable a guest SSID, create the SSID and use the guest-mode command. For example:
    AP(config-if-ssid)# guest-mode
    To disable a guest SSID, use the no guest-mode command.
    Note: When you enable guest-SSID mode for the 802.11g radio, you will enable guest mode for the 802.11b
    radio as well, because they both operate in the same 2.4 GHz band.
    						
    SSID Guest Mode Configuration Example
    This example shows how to:
    - Name an SSID
    - Configure the SSID for guest mode
    - Assign the SSID to a radio interface
    AP# configure terminal
    AP(config)# dot11 ssid batman
    AP(config-ssid)# guest-mode
    AP(config-ssid)# exit
    AP(config)# interface dot11radio 0
    AP(config-if)# ssid batman
    AP(config-if)# end
    Including an SSID in an SSIDL IE
    The access point beacon can advertise only one SSID. However, you can use the Service Set Identification
    List (SSIDL) information element (IE) in the access point beacon to alert client devices of additional
    SSIDs on the access point. When you designate an SSID to be included in an SSIDL IE, client devices
    detect that the SSID is available, and they also detect the security settings required to associate using
    that SSID.
    Note: When multiple BSSIDs are enabled on the access point, the SSIDL IE does not contain a list of SSIDs; it
    contains only extended capabilities. (See the “Multiple Basic SSIDs” section on page 8 to learn how to
    include multiple SSIDs in a beacon.)
    To include an SSID in an SSIDL IE, follow these steps, beginning in privileged EXEC mode:
            Command                                          Purpose
    Step 1  configure terminal                               Enters global configuration mode.
    Step 2  interface dot11radio radio-interface             Enters interface configuration mode for the radio
                                                             interface.
    Step 3  ssid ssid-string                                 Enters configuration mode for a specific SSID.
    Step 4  information-element ssidl [advertisement] [wps]  Includes an SSIDL IE in the access point beacon that
                                                             advertises the access point’s extended capabilities,
                                                             such as 802.1x and support for Microsoft Wireless
                                                             Provisioning Services (WPS).
                                                             Use the advertisement option to include the SSID
                                                             name and capabilities in the SSIDL IE. Use the wps
                                                             option to set the WPS capability flag in the SSIDL
                                                             IE.
    Use the no form of the command to disable SSIDL IEs.
    						
    Assigning IP Redirection for an SSID
    IP redirection for an SSID on an access point redirects all packets sent from client devices associated to 
    that SSID to a specific IP address. 
    You can redirect all packets from client devices that are associated using an SSID, or you can redirect 
    only packets that are directed to specific TCP or UDP ports. When you configure the access point to 
    redirect only the packets that are addressed to specific ports, the access point redirects those packets 
    from clients using the SSID and drops all other packets from clients.
    IP redirection is used mainly on wireless LANs serving handheld devices that use a central software 
    application and are statically configured to communicate with a specific IP address. For example, the 
    wireless LAN administrator at a retail store or warehouse might configure IP redirection for its bar code 
    scanners, which all use the same scanner application and all send data to the same IP address.
    Note: When you ping from the access point to a client device that is associated by using an IP-redirect SSID,
    the response packets from the client are redirected to the specified IP address and are not received by the
    terminal that initiated the ping.
    Figure 1 shows the processing flow that occurs when the access point receives client packets from clients 
    associated using an IP-redirect SSID.
    Figure 1 Processing Flow for IP Redirection
    [Flowchart. Start: incoming packet from client. Decisions: IP-redirect enabled? TCP or UDP port filters
    enabled? Port number in packet match port permit number? Actions: reset packet's destination address to
    IP-redirect address; increment IP-redirect forward packet counter; forward packet; drop packet;
    increment IP-redirect drop packet counter.]
    						
    Guidelines for Using IP Redirection
    Keep these guidelines in mind when using IP redirection:
    - The access point does not redirect broadcast, unicast, or multicast BOOTP/DHCP packets from
      client devices.
    - Access control list parameters take precedence over IP redirection.
    Configuring IP Redirection
    To configure IP redirection for an SSID, follow these steps, beginning in privileged EXEC mode:
            Command                                             Purpose
    Step 1  configure terminal                                  Enters global configuration mode.
    Step 2  interface dot11radio radio-interface                Enters interface configuration mode for the radio
                                                                interface.
    Step 3  ssid ssid-string                                    Enters configuration mode for a specific SSID.
    Step 4  ip redirection host ip-address                      Enters IP-redirect configuration mode for the IP
                                                                address.
                                                                If you do not specify an access control list (ACL)
                                                                which defines TCP or UDP ports for redirection, the
                                                                access point redirects all packets that it receives
                                                                from client devices.
    Step 5  ip redirection host ip-address access-group acl in  (Optional) Specifies an ACL to apply to the
                                                                redirection of packets. Only packets sent to the
                                                                specific UDP or TCP ports defined in the ACL are
                                                                redirected. The access point discards all received
                                                                packets that do not match the parameters defined in
                                                                the ACL. The in parameter specifies that the ACL is
                                                                applied to the incoming interface of the access point.
    Note: ACL logging is not supported on the bridging interfaces of access point platforms. When applied on a
    bridging interface, it works as if the interface were configured without the log option, and logging does
    not take effect. However, ACL logging does work for the BVI as long as a separate ACL is used for the
    BVI.
    The following example shows how to configure IP redirection for an SSID without applying an ACL.
    The access point redirects all packets that it receives from client devices associated to the SSID batman
    to the IP address:
    AP# configure terminal
    AP(config)# interface dot11radio 0
    AP(config-if)# ssid batman
    AP(config-if-ssid)# ip redirection host 10.91.104.91
    AP(config-if-ssid-redirect)# end
    						
    The following example shows how to configure IP redirection only for packets sent to the specific TCP 
    and UDP ports specified in an ACL applied to the BVI1 interface. When the access point receives 
    packets from client devices associated by using the SSID robin, it redirects packets sent to the specified 
    ports to the IP address and discards all other packets:
    AP# configure terminal
    AP(config)# interface bvi1
    AP(config-if-ssid)# ip redirection host 10.91.104.91 access-group redirect-acl in
    AP(config-if-ssid)# end
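    An added example, not part of the Cisco manual and not Cisco code: a Python model of the per-packet
    decision described in this section, showing that IP redirection with a port ACL acts as an allowlist
    for client traffic. The class and field names, the sample packets and the scanner port 5000 are
    constructed; the yes/no branches and the placement of the BOOTP/DHCP check are assumptions based on
    the surrounding text.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

BOOTP_PORTS = {67, 68}  # UDP ports used by BOOTP/DHCP


@dataclass
class RedirectSsid:
    """IP-redirect state of one SSID (hypothetical model of the documented flow)."""
    redirect_host: Optional[str] = None            # None: IP redirection is off
    permit: Optional[Set[Tuple[str, int]]] = None  # None: no port ACL applied
    forwarded: int = 0                             # IP-redirect forward packet counter
    dropped: int = 0                               # IP-redirect drop packet counter

    def process(self, proto: str, dst_ip: str, dst_port: int) -> Tuple[str, Optional[str]]:
        """Return (action, destination) for one packet received from a client."""
        if self.redirect_host is None:
            return ("forward", dst_ip)             # redirection not enabled
        # Assumption: BOOTP/DHCP is exempted before the port filter is consulted.
        if proto == "udp" and dst_port in BOOTP_PORTS:
            return ("forward", dst_ip)             # BOOTP/DHCP is not redirected
        # The ACL takes precedence: with a port filter, anything not permitted is dropped.
        if self.permit is not None and (proto, dst_port) not in self.permit:
            self.dropped += 1
            return ("drop", None)
        self.forwarded += 1                        # destination reset to the redirect host
        return ("forward", self.redirect_host)


# Constructed client traffic: scanner application, HTTPS, DNS and a DHCP request.
PACKETS = [("tcp", "10.1.1.5", 5000), ("tcp", "203.0.113.7", 443),
           ("udp", "10.1.1.1", 53), ("udp", "255.255.255.255", 67)]


def run(ssid: RedirectSsid, packets) -> List[Tuple[str, Optional[str]]]:
    """Feed every packet through the SSID and collect the decisions."""
    return [ssid.process(*packet) for packet in packets]


if __name__ == "__main__":
    everything = RedirectSsid(redirect_host="10.91.104.91")
    filtered = RedirectSsid(redirect_host="10.91.104.91", permit={("tcp", 5000)})
    for name, ssid in (("no ACL", everything), ("port ACL", filtered)):
        print(name, run(ssid, PACKETS), ssid.forwarded, ssid.dropped)
```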
    Multiple Basic SSIDs
    A standard beacon, or a response to a probe request with no SSID or a wildcard SSID,
    contains only one SSID, the guest-mode SSID if a guest-mode SSID is configured. When multiple basic
    SSIDs (BSSIDs) are enabled, all the SSIDs are included in the beacon. Cisco 802.11a, 802.11b/g, and
    802.11n radios support up to 8 BSSIDs.
    Note: Devices on your wireless LAN that are configured to associate to a specific access point based on the
    access point MAC address (for example, client devices, hot standby units, or workgroup bridges) might
    lose their association when you add or delete a multiple BSSID. When you add or delete a multiple
    BSSID, check the association status of devices configured to associate to a specific access point. If
    necessary, reconfigure the disassociated device to use the BSSID’s new MAC address.
    Configuring Multiple Basic SSIDs
    This section describes how to enable multiple basic SSIDs on an access point radio interface. 
    Requirements for Configuring Multiple BSSIDs
    To configure multiple BSSIDs, your access points must meet these minimum requirements:
    - VLANs must be configured.
    - Access points must run Cisco IOS Release 12.4 or later.
    - Wireless devices must contain a radio that supports multiple BSSIDs. To determine whether a radio
      supports multiple basic SSIDs, enter the show controllers radio_interface command. The radio
      supports multiple basic SSIDs if the results include this line:
      Number of supported simultaneous BSSID on radio_interface: 8
    Guidelines for Using Multiple BSSIDs
    Keep these guidelines in mind when configuring multiple BSSIDs:
    - RADIUS-assigned VLANs are not supported when you enable multiple BSSIDs.
    - When you enable BSSIDs, the access point automatically maps a BSSID to each SSID. You cannot
      manually map a BSSID to a specific SSID.
    - When multiple BSSIDs are enabled on the access point, the Service Set Identification List (SSIDL)
      information element (IE) does not contain a list of SSIDs; it contains only extended
      capabilities.
    						