Chapter 12. WLAN Security Configuration Guidelines and Examples

This chapter provides detailed configuration examples and guidelines for various security implementations such as guest access (open/no Wired Equivalent Privacy [WEP]), static WEP, MAC-address authentication, 802.1x authentication protocol with dynamic WEP, 802.1x authentication protocol with Wi-Fi Protected Access (WPA), WPA Preshared Key (WPA-PSK), multiple Service Set Identifiers (SSIDs) along with wired VLANs, and IP security?based virtual private network (IPSec VPN). It provides secure management configuration examples to secure management traffic to the WLAN infrastructure devices and discusses secure wired policies (for example, Layer 3/Layer 4 ACLs) to match wireless policies.

This chapter covers various WLAN products that are available for deployment from Cisco. It also discusses capabilities of currently available products; however, you are encouraged to consult the Cisco Systems website ( for up-to-date information on products and capabilities.

Cisco WLAN products can be deployed in three modes as discussed in Chapter 9, "SWAN: End-to-End Security Deployment." The possible deployment modes include the following:

  • Standalone AP deployment mode

  • SWAN nonswitching deployment mode

  • SWAN central switching deployment mode

Note that the radio interface configuration for security policies and quality-of-service (QoS) policies is the same across all three deployment modes. Furthermore, the AP locally supports the 802.11/WPA functions across the three modes. However, RADIUS server authentication configuration, RF management, configuration/software management, Layer 3 roaming, and data aggregation are different across the three deployment modes.