Specifications
2-12
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-5260-01
Chapter 2 Configuring the Access Point for the First Time
Configuring Basic Security Settings
Understanding Express Security Settings
When the access point configuration is at factory defaults, the first SSID that you create using the
Express security page overwrites the default SSID, tsunami, which has no security settings. The SSIDs
that you create appear in the SSID table at the bottom of the page. You can create up to 16 SSIDs on the
access point. On dual-radio access points, the SSIDs that you create are enabled on both radio interfaces.
Using VLANs
If you use VLANs on your wireless LAN and assign SSIDs to VLANs, you can create multiple SSIDs
using any of the four security settings on the Express Security page. However, if you do not use VLANs
on your wireless LAN, the security options that you can assign to SSIDs are limited because on the
Express Security page encryption settings and authentication types are linked. Without VLANs,
encryption settings (WEP and ciphers) apply to an interface, such as the 2.4-GHz radio, and you cannot
use more than one encryption setting on an interface. For example, when you create an SSID with static
WEP with VLANs disabled, you cannot create additional SSIDs with WPA authentication because they
use different encryption settings. If you find that the security setting for an SSID conflicts with another
SSID, you can delete one or more SSIDs to eliminate the conflict.
Express Security Types
Table 2-2 describes the four security types that you can assign to an SSID.
Table 2-2 Security Types on Express Security Setup Page
Security Type Description Security Features Enabled
No Security This is the least secure option. You
should use this option only for SSIDs
used in a public space and assign it to
a VLAN that restricts access to your
network.
None.
Static WEP Key This option is more secure than no
security. However, static WEP keys
are vulnerable to attack. If you
configure this setting, you should
consider limiting association to the
access point based on MAC address
(see the “Using MAC Address ACLs
to Block or Allow Client Association
to the Access Point” section on
page 16-5) or, if your network does
not have a RADIUS server, consider
using an access point as a local
authentication server (see Chapter 8,
“Configuring an Access Point as a
Local Authenticator”).
Mandatory WEP. Client devices
cannot associate using this SSID
without a WEP key that matches the
access point’s key.