Cisco Aironet Access Point Software Configuration Guide (OL-0657-07), Chapter 4 Configuring VLANs, page 4-6
In these scenarios, Cisco recommends that you configure an infrastructure SSID for each access point. Figure 4-3 illustrates a combined deployment of infrastructure devices and noninfrastructure devices in an enterprise LAN. As the figure shows, the native VLAN of the access point is mapped to the infrastructure SSID. Because that native VLAN is also the management VLAN in this deployment, WEP encryption with TKIP (at least per-packet key hashing) should be enabled for the infrastructure SSID; an open infrastructure SSID would expose the management VLAN over the air. Cisco also recommends that you configure a secondary SSID as the infrastructure SSID. The concepts of primary and secondary SSIDs are explained in the next section.
Figure 4-3 Deployment of Infrastructure and Noninfrastructure Devices
Primary and Secondary SSIDs
When multiple wireless VLANs are enabled on an access point or bridge, multiple SSIDs are created, and each SSID maps to a default VLAN ID on the wireless side. The IEEE 802.11 specifications require that only one SSID be broadcast in the beacons, so you must define a primary SSID that is broadcast in the IEEE 802.11 beacon management frames. All other SSIDs are secondary SSIDs and are not broadcast in the beacon management frames.
If a client or infrastructure device (such as a workgroup bridge) sends a probe request that carries a secondary SSID, the access point or bridge answers with a probe response that carries that secondary SSID. A secondary SSID is therefore not hidden from anyone who captures management frames: not beaconing it is a naming convenience, not an access control, and the encryption and authentication configured on that SSID are what protect its VLAN.
You can map the primary SSID to a VLAN ID on the wired infrastructure in different ways. For example, in an enterprise rollout scenario, the primary SSID could be mapped to the unencrypted VLAN on the wired side to provide guest VLAN access.
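The following is an added example, not code from the Cisco guide: it builds minimal IEEE 802.11 beacon and probe-response frames, parses the SSID element out of them, and shows what a passive sniffer learns when it looks at beacons only versus beacons plus probe responses. The SSID names, the BSSID and the supported-rates values are constructed test data.

```python
# Added example (not from the Cisco guide): the primary SSID is beaconed,
# secondary SSIDs only appear in probe responses, and a passive sniffer that
# captures probe responses still learns every secondary SSID.
# Frame layouts follow IEEE 802.11; SSIDs, BSSID and rates are constructed data.
import struct

SUBTYPE_PROBE_RESP = 5
SUBTYPE_BEACON = 8
IE_SSID = 0
IE_SUPPORTED_RATES = 1
MAC_HDR_LEN = 24          # fc(2) duration(2) addr1(6) addr2(6) addr3(6) seq(2)
FIXED_FIELDS_LEN = 12     # timestamp(8) beacon interval(2) capability(2)


def build_mgmt_frame(subtype, ssid, bssid=b"\x00\x11\x22\x33\x44\x55"):
    """Build a minimal beacon or probe-response frame (constructed data)."""
    frame_control = struct.pack("<H", subtype << 4)      # type 0 = management
    header = (frame_control + b"\x00\x00" + b"\xff" * 6  # broadcast DA
              + bssid + bssid + b"\x00\x00")
    fixed = struct.pack("<QHH", 0, 100, 0x0011)          # timestamp, interval, ESS+privacy
    ies = bytes([IE_SSID, len(ssid)]) + ssid
    ies += bytes([IE_SUPPORTED_RATES, 4, 0x82, 0x84, 0x8B, 0x96])
    return header + fixed + ies


def parse_ies(body):
    """Yield (element id, data) from the tagged-parameter section."""
    off = 0
    while off + 2 <= len(body):
        eid, elen = body[off], body[off + 1]
        data = body[off + 2:off + 2 + elen]
        if len(data) != elen:       # truncated element: stop rather than misparse
            break
        yield eid, data
        off += 2 + elen


def ssid_from_frame(frame):
    """Return (subtype, ssid) for beacons and probe responses, else None."""
    if len(frame) < MAC_HDR_LEN + FIXED_FIELDS_LEN:
        return None
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype not in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP):
        return None
    for eid, data in parse_ies(frame[MAC_HDR_LEN + FIXED_FIELDS_LEN:]):
        if eid == IE_SSID:
            return subtype, data.decode("utf-8", "replace")
    return None


def discovered_ssids(frames, include_probe_responses):
    """Non-empty SSIDs a sniffer sees: beacons only, or beacons plus probe responses."""
    seen = set()
    for frame in frames:
        parsed = ssid_from_frame(frame)
        if parsed is None:
            continue
        subtype, ssid = parsed
        if ssid and (subtype == SUBTYPE_BEACON or include_probe_responses):
            seen.add(ssid)
    return seen


# Constructed capture: the primary SSID "Guest" is beaconed; the secondary
# SSIDs "Employee" and "Infrastructure" appear only in probe responses.
SAMPLE_CAPTURE = [
    build_mgmt_frame(SUBTYPE_BEACON, b"Guest"),
    build_mgmt_frame(SUBTYPE_PROBE_RESP, b"Employee"),
    build_mgmt_frame(SUBTYPE_PROBE_RESP, b"Infrastructure"),
    build_mgmt_frame(SUBTYPE_BEACON, b""),   # zero-length SSID element: ignored
]

if __name__ == "__main__":
    print("beacons only:", sorted(discovered_ssids(SAMPLE_CAPTURE, False)))
    print("beacons + probe responses:", sorted(discovered_ssids(SAMPLE_CAPTURE, True)))
```

A beacon-only scan reports only Guest; once probe responses are included, Employee and Infrastructure are visible as well, which is why the secondary SSID must rely on its encryption and authentication settings rather than on not being beaconed.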
RADIUS-Based VLAN Access Control
You may want to impose RADIUS-based VLAN access control. For example, if the WLAN is set up so that all VLANs use IEEE 802.1x and similar encryption mechanisms for WLAN user access, a user can hop from one VLAN to another simply by changing the SSID and successfully authenticating to the access point, because the same credentials are accepted on every SSID. That is not acceptable if the wireless user is to be confined to a particular VLAN; RADIUS-based VLAN access control addresses it by making the VLAN assignment a decision of the RADIUS server rather than of the SSID the user selects.
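The following is an added example, not code from the Cisco guide: it encodes the standard RFC 3580 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID, with RFC 2868 tag octets) that a RADIUS server returns in an Access-Accept to assign a VLAN, parses them the way an access point would, and contrasts the SSID-hopping outcome with the RADIUS-confined one. The guide has not introduced these attributes at this point; using them is an assumption here, and the SSID-to-VLAN table is hypothetical apart from the infrastructure SSID on VLAN 10 from Figure 4-3.

```python
# Added example (not from the Cisco guide): RADIUS-assigned VLAN using the
# RFC 3580 / RFC 2868 tunnel attributes, and the access-point-side decision
# that confines a user to one VLAN regardless of which SSID they pick.
# Assumption: the AP honors these attributes. The SSID->VLAN table is
# hypothetical except for Infrastructure = VLAN 10 (Figure 4-3).
import struct

ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type value "VLAN" (RFC 3580)
TUNNEL_MEDIUM_802 = 6        # Tunnel-Medium-Type value "IEEE 802"

SSID_DEFAULT_VLAN = {"Guest": 20, "Employee": 30, "Infrastructure": 10}


def _tagged_int(attr_type, tag, value):
    # RFC 2868 tagged integer: type, length 6, tag octet, 3-byte value
    return struct.pack("!BBB", attr_type, 6, tag) + struct.pack("!I", value)[1:]


def _tagged_str(attr_type, tag, value):
    # RFC 2868 tagged string: type, length, tag octet, string
    return struct.pack("!BBB", attr_type, 3 + len(value), tag) + value


def vlan_assignment_attrs(vlan_id, tag=1):
    """Attributes a RADIUS server puts in Access-Accept to pin the user to vlan_id."""
    return (_tagged_int(ATTR_TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + _tagged_int(ATTR_TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_802)
            + _tagged_str(ATTR_TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id).encode()))


def parse_attrs(blob):
    """Split a RADIUS attribute list into (type, value) pairs; reject bad lengths."""
    out, off = [], 0
    while off < len(blob):
        if off + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[off], blob[off + 1]
        if alen < 2 or off + alen > len(blob):
            raise ValueError("bad attribute length")
        out.append((atype, blob[off + 2:off + alen]))
        off += alen
    return out


def vlan_from_access_accept(blob):
    """VLAN id from a consistent tagged triple (Type=VLAN, Medium=802, Group-ID), else None."""
    by_tag = {}
    for atype, value in parse_attrs(blob):
        if atype in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:                # tag + 3-byte integer expected
                continue
            by_tag.setdefault(value[0], {})[atype] = int.from_bytes(value[1:], "big")
        elif atype == ATTR_TUNNEL_PRIVATE_GROUP_ID and value:
            # A first octet above 0x1F is data, not a tag (RFC 2868 section 3.6).
            tag, group = (0, value) if value[0] > 0x1F else (value[0], value[1:])
            by_tag.setdefault(tag, {})[atype] = group
    for entry in by_tag.values():
        if (entry.get(ATTR_TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and entry.get(ATTR_TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802
                and ATTR_TUNNEL_PRIVATE_GROUP_ID in entry):
            group = entry[ATTR_TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
            if group.isdigit() and 1 <= int(group) <= 4094:
                return int(group)
    return None


def assign_vlan(ssid, access_accept_attrs):
    """AP policy: a RADIUS-assigned VLAN wins; otherwise the SSID's default VLAN."""
    vlan = vlan_from_access_accept(access_accept_attrs)
    return vlan if vlan is not None else SSID_DEFAULT_VLAN[ssid]


if __name__ == "__main__":
    # Without RADIUS VLAN attributes the user lands wherever the SSID points.
    print("SSID-only, Guest:", assign_vlan("Guest", b""))
    print("SSID-only, Employee (hopped):", assign_vlan("Employee", b""))
    # With the server returning VLAN 20, the SSID choice no longer matters.
    pinned = vlan_assignment_attrs(20)
    print("RADIUS-pinned, Employee:", assign_vlan("Employee", pinned))
```

The tag-consistency check matters: an access point should only act on a Group-ID whose Tunnel-Type and Tunnel-Medium-Type carry the same tag and say VLAN over IEEE 802, and should ignore group IDs that are not valid VLAN numbers rather than fall back silently to a default.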
[Figure 4-3 image not reproduced. Labels recovered from the figure: a root access point and a root bridge in the enterprise network, each on an 802.1Q trunk with native VLAN = 10; a nonroot bridge and a workgroup bridge repeater at a branch office, also on 802.1Q trunks; client SSIDs SSID = Guest and SSID = Employee; Infrastructure SSID: VLAN = 10 (SSID = Infrastructure); Management VLAN (VLAN = 10); RADIUS server. Figure ID 81665.]