Cisco 3200 Series Wireless MIC Software Configuration Guide
Multiple Client Profiles
Download this chapter
Multiple Client ProfilesMultiple Client Profiles
Download the complete book
Cisco 3200 Series Rugged ISRCisco 3200 Series Rugged ISR (PDF - 9 MB)
give_us_feedback

Table Of Contents

Multiple Client Profiles

MCP Support in the 12.3(8)JK Release

MCP Support in 12.4(3)JK and Later Releases

Setting Priority in 12.4(3)JK and Later Releases

Dynamic Channel Width (4.9GHz WMIC only)

Configuring a WMIC for MCP (12.4(3)JK or Later Releases)

Configuration Examples

Configuring a WMIC for MCP (12.3(8)JK Only)

Configuration Examples


Multiple Client Profiles

This document describes how to configure multiple client profiles (MCP).

MCP Support in the 12.3(8)JK Release

A universal workgroup bridge with multiple client profiles can automatically select a client profile, based on the available infrastructure and set of client profiles. A client profile consists of a service set identifier (SSID) and encryption settings that are bounded by a VLAN ID. To configure the SSID, you use the ssid command in global configuration mode. To configure encryption settings, you use the interface dot11radio command in global configuration mode.

For the 12.3(8)JK release, MCP is supported only on universal workgroup bridges and is subject to the following constraints:

To activate the feature, you must enable the universal workgroup bridge and multiple client profiles.

All universal workgroup bridge limitations and constraints apply to multiple client profiles.

Each SSID should have an assigned VLAN ID. The cipher suites and Wired Equivalent Privacy (WEP) for each SSID should be configured with the same assigned VLAN ID.

The infrastructure SSID and guest mode should not be configured.

Neither radio interface nor Ethernet interface should have the dot1q trunk configured.

Fast roaming is not supported. Fast roaming is supported only through a single SSID across the entire roaming network.

Support is provided for up to 16 multiple client profiles per WMIC.

Activated profiles will use the first available SSID. Priority setting among SSIDs is not supported.

MCP Support in 12.4(3)JK and Later Releases

In 12.4(3)JK and later releases, MCP has been redesigned to support the following client modes:

workgroup-bridge

universal workgroup-bridge

non-root bridge

You no longer need to enable MCP by running the client profile multiple command. Any SSID configured into the dot11 interface in these client modes is automatically picked up as an active client profile.

In addition, you no longer need a VLAN ID to combine each SSID with its encryption settings. Instead, the encryption settings have been moved from the dot11 interface into each SSID profile. For more information, see "Cipher Suites and WEP"

The new client profile supports priority setting. The higher priority SSID may have more opportunities to get associated compared to lower priority SSIDs.

Setting Priority in 12.4(3)JK and Later Releases

In 12.4(3)JK and later release, each SSID profile can be configured with a priority level (1 to 16) if the WMIC works in client modes. The highest priority level is 1 and the lowest is 16.

By default, each profile is configured with the lowest priority level. The priority level does not appear in the running configuration.

For example, to set an SSID with a scanning priority of 5, you would enter the following: 

client# configure terminal

client(config)# dot11 ssid sample

client(config-ssid)# priority 5

client(config-ssid)#end

The higher priority SSID may have more opportunities to get associated as opposed to lower priority SSIDs if their matching root devices all exist in the same wireless environment. However, there is no guarantee that the higher priority SSID will always get preference over lower priority SSIDs. There are many uncertainties in the wireless environment that affect association, such as signal strength, wireless qualities, root side traffic loads, and receiving collisions.

Dynamic Channel Width (4.9GHz WMIC only)

Cisco 3202 WMICs support dynamic channel width for 4.9GHz. For 4.9GHz WMIC, the channel width setting is added into SSID profile to achieve dynamic channel bandwidth selection.

All the 3200 WMIC platforms for the following client modes: non-root, workgroup-bridge, and universal workgroup-bridge support dynamic channel width for 4.9GHz.

To achieve dynamic bandwidth selection, each SSID can be configured with one of the channel bandwidths 5, 10 or 20MHz. This applies only to client modes of 4.9GHz WMIC. By default, each SSID is with 5MHz channel width. Below is the example to demonstrate how to configure the channel width under SSID: 

(config-ssid)#channel ?

         width Bandwidth used

(config-ssid)#channel width ?

  10  10 Mhz width

  20  20 Mhz width

  5   5 Mhz width

The channel width change updates the PHY timing settings, channelizations, and uplink association parameters and then triggers radio chipset to reset. In this case, the priority setting may bring more complexity and even conflicts to the dynamic channel bandwidth. For example, two SSIDs can have the same priority but different channel width settings. In this case, there is no way to scan them at the same time as they go through different channels and use different association and PHY parameters. Each SSID profile can be configured with different priority level and switching the profile as per the priority level will cause channel width update and radio reset which is inefficient and time consuming.

To avoid such conflict and inefficiency, the channel width can be treated as the first order priority, while the priority configured in 2.4.2 is treated as the second order. Each time the uplink scanning starts from channel width 5MHz to 10MHz and then 20MHz, only the SSIDs in the current active channel width own the go signal. If there are more than two SSIDs, the priority level will be applied to determine their scanning opportunities. Below is a sample of channel width configuration for each profile. 

dot11 ssid testMCP1        

   authentication open eap eap_method

   authentication network-eap eap_method

   authentication key-management wpa

   authentication client username yajunzhang password 7 021F05511E0815294D400E

   channel width 5    ? channel width setting

   encryption mode ciphers aes   

   priority 1

Configuring a WMIC for MCP (12.4(3)JK or Later Releases)

You can configure a WMIC with MCP in one of the following modes: workgroup-bridge, universal workgroup-bridge, or non-root bridge. In any of these configurations, the WMIC can support up to 16 different SSID profiles in the dot11 interface.

Each SSID profile may own different encryptions and priorities. Any SSID configured into the dot11 interface will be automatically picked up as an active client profile.

To configure a WMIC for MCP, predefine global SSID profiles and then follow these steps, beginning in privileged EXEC mode.

 
Command
Purpose

Step 1 

configure terminal

Enters global configuration mode.

Step 2 

interface dot11 radio 0

Enters interface configuration mode for radio interface 0.

Step 3 

station-role {workgroup-bridge [universal address] | non-root}

Changes station-role to permit support for workgroup-bridge, universal workgroup bridge, or non-root bridge modes.

The address is the MAC address of the router interface on the wireless and mobile router and is needed to instruct the router to associate with Cisco and non-cisco root devices.

Step 4 

ssid ssid-name

Configure the predefined SSID profile into this interface.

Examples:

#(config-if) ssid mcp_ssid1

#(config-if) ssid mcp_ssid2

#(config-if) ssid mcp_ssid3

#(config-if) ssid mcp_ssid4

Step 5 

end

Returns to privileged EXEC mode.

Step 6 

copy running-config startup-config

(Optional) Saves your entries in the configuration file.

To remove a client profile, simply remove the SSID from the dot11 interface.

Configuration Examples

The example in this section describes how to configure four client profiles with different encryption, authentication and priority settings.

Table 1 shows the settings for the four client profiles.

Table 1 Multiple Client Profile Example (12.4(3) Release or Later) 

Client Profile
A
B
C
D

SSID

FREE_NET

LEAP_TKIP

EAPTLS_AES

STATIC_WEP128

Authentication Type

open

LEAP

EAP_TLS

open

Encryption Type

none

TKIP

AES

WEP128

Priority

2

8

11

13


The following commands are used to configure the client profiles listed in Table 1. 

Client profile A:

client# configure terminal

client(config)# dot11 ssid FREE_NET

client(config-ssid)# authentication open

client(config-ssid)# priority 2

client(config-ssid)# end

client# config terminal

client(config)# interface dot11Radio 0

client(config-if)# ssid FREE_NET

client(config-if)# endf


Client profile B:

client# configure terminal

client(config)# dot11 ssid LEAP_TKIP

client(config-ssid)# authentication network-eap eap_methods

client(config-ssid)# authentication key-management wpa

client(config-ssid)# authentication client username aLeapUser password ciscoleap

client(config-ssid)# encryption mode cipher tkip

client(config-ssid)# priority 8

client(config-ssid)# end

client# config terminal

client(config)# interface dot11Radio 0

client(config-if)# ssid LEAP_TKIP

client(config-if)# endif


Client profile C:

client# configure terminal

client(config)# dot11 ssid EAPTLS_AES

client(config-ssid)# authentication open eap eap_methods

client(config-ssid)# authentication network-eap eap_methods

client(config-ssid)# authentication key-management wpa

client(config-ssid)# encryption mode cipher aes

client(config-ssid)# dot1x credentials authUserProfile

client(config-ssid)# dot1x eap profile tlsProfile

client(config-ssid)# priority 11

client(config-ssid)# end

client# config terminal

client(config)# interface dot11Radio 0

client(config-if)# ssid EAPTLS_AES

client(config-if)# endif


Client profile D:

client# configure terminal

client(config)# dot11 ssid STATIC_WEP128

client(config-ssid)# authentication open

client(config-ssid)# encryption mode cipher wep128

client(config-ssid)# encryption key 2 size 128bit 0 11223344556677889900112233

client(config-ssid)# priority 13

client(config-ssid)# end

client# config terminal

client(config)# interface dot11Radio 0

client(config-if)# ssid STATIC_WEP128

client(config-if)# endif

Configuring a WMIC for MCP (12.3(8)JK Only)

You can configure a WMIC device in universal workgroup bridge mode and enable multiple client profile. In this configuration, the WMIC can support up to 16 different SSIDs and encryption settings; by contrast, a single client profile consists of an SSID and encryption setting that are bounded by a VLANID through the vlan keyword.

To configure the WMIC for multiple client profiles, follow these steps, beginning in privileged EXEC mode.

 
Command
Purpose

Step 1 

configure terminal

Enters global configuration mode.

Step 2 

interface dot11 radio 0

Enters interface configuration mode for radio interface 0.

Step 3 

station-role workgroup-bridge universal address

Changes station-role to permit support for universal workgroup bridge. The address is the MAC address of the router interface on the wireless and mobile router and is needed to instruct the router to associate with Cisco and non-cisco root devices.

Step 4 

client profile multiple

Enables the multiple client profile.

Step 5 

encryption [vlan vlan-id ] key 1-4 size {40bit | 128Bit} encryption-key [transmit-key]

Configures proper encryption for each SSID bounded by dot11 VLANID. For this step, it is assumed that SSID security has already been configured.

Example:

#encryption vlan 11 key 3 size 40bit abcdef9876

#encryption vlan 11 mode wep mandatory

#encryption vlan 21 key 2 size 128bit 98765432109876543210abcdef

#encryption vlan 21 mode wep mandatory key-hash

#encryption vlan 34 mode wep mandatory mic key-hash

#encryption vlan 35 mode ciphers tkip wep128

Step 6 

ssid ssid-name

Enables the SSID for this interface.

Examples:

#ssid v11_open_wep40

#ssid v21_open_wep128

#ssid v34_wpapsk_tkip

#ssid v35_wpapsk_aes

Step 7 

end

Returns to privileged EXEC mode.

Step 8 

copy running-config startup-config

(Optional) Saves your entries in the configuration file.

When you enable or disable the multiple client profiles feature, all ssid and encryption commands are removed from the interface.

Configuration Examples

You can configure a WMIC device in universal workgroup bridge mode and enable multiple client profiles to support up to 16 client profiles. The example in this section describes four client profiles with different encryption and authentication settings and assigned VLAN IDs.

Table 2 shows the settings for the four client profiles.

Table 2 Multiple Client Profile Example 

Client Profile
A
B
C
D

SSID

FREE_NET

LEAP_TKIP

EAPTLS_AES

WPAPSK_WEP128

Authentication Type

open

LEAP

EAP_TLS

WPA PSK

Encryption Type

none

TKIP

AES

128bits WEP key

Assigned VLAN ID

8

25

102

11


The following commands are used to configure the client profiles.

Client profile A: 

client# configure terminal  

client(config)# dot11 ssid FREE_NET

client(config-ssid)# vlan 8

client(config-ssid)# authentication open 

client(config-ssid)# end

client# config terminal

client(config)# interface Dot11Radio 0

client(config-if)# ssid FREE_NET

client(config-if)# end

Client profile B: 

client# configure terminal

client(config)# dot11 ssid LEAP_TKIP

client(config-ssid)# vlan 25

client(config-ssid)authentication network-eap eap_methods 

client(config-ssid)authentication key-management wpa

client(config-ssid)authentication client username aLeapUser password ciscoleap

client(config-ssid)# end

client# config terminal

client(config)# interface Dot11Radio 0

client(config-if)# encryption vlan 25 mode ciphers tkip

client(config-if)# end

client# config terminal

client(config)# interface Dot11Radio 0

client(config-if)# ssid LEAP_TKIP

client(config-if)# end

Client profile C: 

client# configure terminal 

client(config)# dot11 ssid EAPTLS_AES

client(config-ssid)# vlan 102

client(config-ssid)# authentication open eap eap_methods 

client(config-ssid)# authentication network-eap eap_methods 

client(config-ssid)# authentication key-management wpa

client(config-ssid)# dot1x credentials authUserProfile

client(config-ssid)# dot1x eap profile tlsProfile

client(config-ssid)# end

client# config terminal 

client(config-if)# encryption vlan 102 mode ciphers aes-ccm 

client(config-if)# end

client# config terminal

client(config)# interface Dot11Radio 0

client(config-if)# ssid EAPTL_AES 

client(config-if)# end

Client profile D: 

client# config terminal 

client(config)# dot11 ssid WPAPSK_WEP128

client(config-ssid) vlan 11 

client(config-ssid)# authentication open 

client(config-ssid)# authentication key-management wpa optional

client(config-ssid)# wpa-psk ascii mobile11

client(config-ssid)# end

client# config terminal 

client(config-if)# encryption vlan 11 key 3 size 128bit 98765432109876543210abcdef 
transmit-key

client(config-if)# encryption vlan 11 mode ciphers tkip wep128 

client(config-if)# end

client# config terminal

client(config)# interface Dot11Radio 0

client(config-if)# ssid WPAPSK_WEP128 

client(config-if)# end