Wireless 2106 Controler


I have a Cisco 2601 set up with a basic wireless network. However at the moment it is running WPA-WPA2 security for users to log in.

What I want is for users to use 802.1x security, so they have to enter a user name and password, and then each client negoatates its own shared key with the controler for that session.

I have seen this done via a web page where you open up a web browser and are taken to a web apge where you have to enter your details before you can use the wireless network.

I am sure you can set this up on the controler its self, however I am not sure how to do this, Never played with this type of authentication before.

If any one knows what I am going on about, would you be able to point me in the correct direction of how to do this.

I just want each session to have its own shared key, and for log on to be via a user name and password. (dosent have to be a web page log on, if there are other ways I would be intrested)

Thank you

LVL 16
Aaron StreetTechnical infrastructure architectureAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Probably you're talking about a Captive Portal...
Not sure if it can be done in that cisco model, lets see if others have any idea.
Not sure on that model Cisco, on the ones we have (1300 series) we would need a central appliance for that. You could set up free-radius on a Linux server, but the configuration is far from simple*
(I know that it is possible, but I have not managed to successfully create it. I am also not a Linux guy, so that may be the problem)
Aaron StreetTechnical infrastructure architectureAuthor Commented:
yer see I really dont know my wireless stuff. and like you hamare I am not a linux person.

there are loads of setings on the controler. and I can see the seting up a central radius server.

but there are also options for settign up local users for use with authentication to the SSID's but I havent got a clue how to do it.

At the moment I am just using a basic Per shared key on the SSID, but this means if I want to cahnge it it kicks every one off, and every one is using this same key for the connection.

What I am looking for is a way for every one to have the same log on authentication. but then have each connection use its own PSK for the session.

so it would be more secure, and changing the password could be doone with out people dropping the connection.
Challenges in Government Cyber Security

Has cyber security been a challenge in your government organization? Are you looking to improve your government's network security? Learn more about how to improve your government organization's security by viewing our on-demand webinar!

A suggestion can be to use ZeroShell:


Extensive docs on how to setup RADIUS and Captive Portal through a nice and very easy web interface...
Definitely give it a try

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Aaron StreetTechnical infrastructure architectureAuthor Commented:
Cheers guys, but does no one know if the 2106 has any of this built in. I will deffently be looking at that zeroshell stuff, looks very intresting
Aaron StreetTechnical infrastructure architectureAuthor Commented:
Ok so I got zero shell up and running :) nice litlte system and runs great on an old MAgnia SG20 box I have laying around!

next how do I  / Can I set this up.

This is for an open access network, for members of the public to connect to.

what my idea is that layer 2 wpa/802.1x security is transparrent to the user, no log on just the data gets encrypted securley. or with a simple username and password set on the radius server so that each conenction is secure,
at the moment every one uses the same PSK... waht I want is for there to be a single log on, but each connection has its own PSK given from radius server.

my question is, can i get the radius server to authenticate 802.1x, with out the need to install a certificate on the client PC/ laptops? as simpley as possible for the users.

this is a stand alone network for internet, and the zeroshell server is the only server on the network and will have to do all the work.

the trouble i see with captive portal is it dose not encrypt the layer two traffic? I will be looking at this next but I would like to get a good undersanding of the layer 2 part of wireless first. Also the captive poral bit looks a bit simpler :)

Any ideas ? or should I open a new questions on Radius servers?

Cheers for all the help guys
Aaron StreetTechnical infrastructure architectureAuthor Commented:
Zero shell is coolll!!!!!!!!!!! cheers, so much more than just sorted my wireless issue!
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Wireless Networking

From novice to tech pro — start learning today.