Configuration Guide
Page 3
... Table of Contents
Executive Summary
Introduction 6
1 Network planning
1.1 Necessary components
1.2 IP addresses and subnets
1.3 The wireless controller (WLC)
1.4 The WCS, MSE and LA administration software
1.5 Access points
1.5.1 The access point connection process
1.6 Users
2 Configuring RADIUS
3 Configuring a controller
3.1 Initial configuration on a console
3.2 Further configuration via web browser
3.2.1 Creating a virtual interface
3.2.2 Defining a RADIUS server
3.2.3 Creating a WLAN (SSID)
3.2.4 Connecting access...
Page 4
... 39
Step 4: Adding server groups to IAS 40
Step 5: Connection Request Policies 41
Step 6: Remote Access Policies 44
Step 7: RADIUS attributes 45
Step 8: Logging 46
B.2 Configuring NPS (Windows 2008) 47
Step 1: Add a role 47
Step 2: Radius 48
Step 3: Adding Remote RADIUS Server Groups 50
Step 4: Connection Request Policies 51
Step 5: Network...
Page 5
... other than Cisco. In principle the guide will also apply to wireless systems provided by UNINETT in co-operation with the HE sector. The Technical Specification has received final approval after a four-week open consultation period with the HE sector's work group for network planning, the configuration of RADIUS, the configuration of a controller, radio planning...
Page 6
... chosen which govern the traffic to be able to wireless systems provided by suppliers other than Cisco. In principle the guide will be able to an access point. In a controller system it should not be the same. When configuring a controller-based wireless network, there are specified. However, in the following chapters: 1. Network planning 2. Configuring RADIUS 3. ... Since access...
Page 7
...sake of licences later. The 4400 Series includes two different products: 4402 (with two GE ports) and 4404 (with four GE ports) is strictly speaking not necessary. The WiSM consists of two 4404 controllers each with WCS, up to 18,000 Wi-Fi units (...the number of fault tolerance. It is recommended. MSE can be configured to plan which licence one should consider using more controllers, for the various purposes:
• The Wireless LAN Controller (WLC) must have administrative IP addresses
• Any Wireless Control System (WCS), Mobility Service Engine (MSE) and/or Location ...
Page 8
... tapped. The arrows between the clouds indicate the necessary traffic pattern and form the basis for deciding which ports must select a configuration in which, for example, the operating network and services are exposed in communication with the exception of the eduroam hierarchy which for...subnet with the access points after the initial contact has been
Figure 1: Proposed subnets and necessary traffic pattern
1.3 The wireless controller (WLC)
The 5500 controller has one which is given its own network cloud. The Management address is the contact address to and from the service or...
Page 9
... and the APs will associate themselves with controller software version 5.2, CAPWAP is to configure an AP Manager address. Strict data filter rules must, for communication between access points and controller.
1.4 The WCS, MSE and LA administration software
WCS runs under either Windows Server or Red Hat Linux. Traditionally, the first network address in the subnet is not necessary to serve via the wireless...
Page 10
... can be used by means of the controller can potentially gain access to subnets to configure a dot1q trunk into the system will begin to limit the use the AP Manager address instead. Given our recommendation to the controller or that the information must then route ... connected to separate access points and controllers in the controller itself or using RFC1918 addresses for 4400 Series controllers. In the case of access point is done within the controller system, either in different subnets, we recommend Method 3 - Once the configuration has been downloaded to the access ...
Page 11
... with "CISCO-CAPWAP-CONTROLLER" gives "CISCO-CAPWAP-CONTROLLER.uninett.no", in conjunction with realistic growth potential. It is possible to grant different groups access to/from the access point VLAN - The configuration of FreeRADIUS in connection with the unit name "CISCO-CAPWAP-CONTROLLER" or "CISCO-LWAPP-CONTROLLER" and ... be first registered in the DNS. Cisco access points do not support an option containing several domain specifications, such as for wired network access, primarily for this requires the controller to be used for wireless access as option domain-name "uninett...
Page 12
..." is a good way to achieve this does not affect the capacity of the wireless connections. A VLAN, which are, for the network which is also to be served - The configuration of FreeRADIUS 2.x has changed somewhat, but both will still be used simultaneously both for...the proper dialogue between RADIUS and a user database. We recommend a dedicated RADIUS server for wireless networks (remember that this . The server certificate is easy to configure several SSIDs. It is possible to control what forms of traffic are:
• Microsoft Active Directory (AD)
• OpenLDAP ...
Page 13
...1814 to/from Comodo UserTrust. Self-generated certificates are the most secure option, but entail significant extra work, since the certificate must be configured on every client. A detailed "cookbook" for the user database - Connect RADIUS server to eduroam (top level in Norway is available at http://...be completed. When you save your own root certificate and your RADIUS server. authentication can be granted access to the wireless network. Configure RADIUS server for ordering a UNINETT SCS certificate is handled by a client certificate with unrecognised realms and accepting requests from...
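The realm handling the guide describes for connecting the RADIUS server to eduroam (own realms authenticated locally, unrecognised realms forwarded to the national top-level proxy, and requests arriving from the top level accepted only for one's own realms) is illustrated in the Python script below. This is an added example, not code from the guide or from FreeRADIUS; uninett.no as the local realm, the matching of its subdomains, and the rejection of identities without a realm are assumptions made for the illustration.

```python
"""Realm routing for an eduroam RADIUS proxy: decide whether a request is
authenticated locally, forwarded to the national top-level proxy, or rejected.
Added example; not part of the UNINETT guide or of FreeRADIUS itself."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumption: realms this institution's RADIUS server authenticates itself.
LOCAL_REALMS = ("uninett.no",)

# Syntactic check for a realm: a DNS-style name with at least two labels and no trailing dot.
_REALM_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


@dataclass(frozen=True)
class Decision:
    action: str            # "local", "proxy" or "reject"
    realm: Optional[str]   # normalised realm, or None if the identity had none
    reason: str


def split_identity(user_name: str) -> Tuple[str, Optional[str]]:
    """Split an outer identity such as 'anonymous@uninett.no' into user and realm.
    The realm is lower-cased: DNS names, and therefore eduroam realms, are case-insensitive."""
    if "@" not in user_name:
        return user_name, None
    user, _, realm = user_name.rpartition("@")
    return user, realm.lower()


def is_local_realm(realm: str) -> bool:
    """True for the institution's own realms and their subdomains (e.g. ansatt.uninett.no)."""
    return any(realm == r or realm.endswith("." + r) for r in LOCAL_REALMS)


def route_request(user_name: str, from_top_level: bool) -> Decision:
    """Routing decision for one Access-Request.

    from_top_level: True if the request arrived from the eduroam top-level proxy
    (one of our users authenticating at another institution), False if it came
    from our own controller (someone on our campus)."""
    _, realm = split_identity(user_name)
    if realm is None:
        # eduroam requires a realm in the outer identity; without it the request
        # cannot be routed anywhere, so it is dropped rather than guessed at.
        return Decision("reject", None, "no realm in outer identity")
    if not _REALM_RE.match(realm):
        return Decision("reject", realm, "realm is not a valid DNS-style name")
    if is_local_realm(realm):
        return Decision("local", realm, "realm belongs to this institution")
    if from_top_level:
        # The top-level proxy only sends us requests for our own realms. Anything
        # else from that direction would loop straight back to it; reject instead.
        return Decision("reject", realm, "unrecognised realm received from top-level proxy")
    return Decision("proxy", realm, "unrecognised realm; forward to eduroam top-level proxy")


if __name__ == "__main__":
    # Constructed sample identities, as they would appear in the User-Name attribute.
    for identity, from_tl in [("anonymous@uninett.no", False),
                              ("gast@example.ac.uk", False),
                              ("gast@example.ac.uk", True),
                              ("bruker", False),
                              ("x@bad realm", False)]:
        d = route_request(identity, from_tl)
        print(f"{identity!r:28} from_top_level={from_tl!s:5} -> {d.action:6} ({d.reason})")
```

The loop check matters in practice: a realm that is neither local nor known to the top level would otherwise bounce between the two proxies until the hop limit is reached, and each bounce costs a RADIUS timeout at the controller.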
Page 14
...) but in other words one also first has the details of the configuration. In other web browsers. 3.1 Initial configuration on ), but the controllers do not use Cisco's IOS, and Cisco recommends the use of the web interface (if necessary via WCS) for further configuration. 1. It is performed in the CLI B. Define RADIUS servers 3. Connect access points...
Page 15
... can connect this address, it cannot be routed out of the subnet (out-of-band address). Here the Management Interface acts as "CISCO-CAPWAP-CONTROLLER.yourdomain.no" and "CISCO-LWAPP-CONTROLLER.yourdomain.no". Enter Administrative User Name: e.g. This is all . If "none" is selected, the address is set to...SFP port. Since a gateway cannot be specified for and often it is no ]: yes Configuration saved! It is not used to manage the control by the access points to communicate with new configuration... In that case, enter "yes". The address should bundle several SFP ports using your ...
Page 17
...). These are VLANs which the SFP port(s) in the controller are regulated by the switch to users.
3.2 Further configuration via web browser
Once the controller has restarted, it will be ready for configuration via the web browser in communication with the Management address or ...service interface.
3.2.1 Creating a virtual interface
Path: Controller → Interfaces
A virtual interface must...
Page 18
... to define a WLAN. It is a good rule to use the first available address after the router's address. The screen shot shows a typical configuration for such a virtual interface.
3.2.2 Defining a RADIUS server
Path: Security → RADIUS → Authentication
Several RADIUS servers may be established which ...differs from that the RADIUS servers are of course the organisation's own servers. The controller must have its own IP address in each VLAN which it is to serve. The port number for authentication is usually UDP 1812.
Page 19
Path: Security → RADIUS → Accounting
Accounting should also be configured and is done in exactly the same way as for Authentication, but normally uses UDP port 1813. This is required by eduroam.
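As an added example (not from the guide), the Python script below models the traffic pattern of Figure 1 as a list of required flows and checks a firewall rule set against it, showing a rule set that opens authentication but forgets accounting next to the corrected one. The RADIUS ports are the UDP 1812 and 1813 given above; the CAPWAP ports UDP 5246 (control) and 5247 (data) for access point to controller traffic are not stated on this page but are the standard CAPWAP ports; all addresses are made up for the illustration.

```python
"""Check that a firewall or ACL rule set permits the traffic a controller-based
wireless network needs: CAPWAP from the access point subnet to the controller,
and RADIUS authentication and accounting from the controller to the RADIUS
servers. Added example; not from the UNINETT guide."""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    """One permit rule: source/destination CIDR, protocol, destination port range."""
    src: str
    dst: str
    proto: str
    dport_lo: int
    dport_hi: int


@dataclass(frozen=True)
class Flow:
    """One required flow, initiated from src towards dst:dport."""
    name: str
    src: str
    dst: str
    proto: str
    dport: int


# Assumed addressing, chosen for illustration only (RFC 1918 space).
AP_SUBNET = "10.10.20.0/24"       # access point VLAN
WLC_MGMT = "10.10.1.10/32"        # controller Management address
RADIUS_SERVERS = "10.10.2.0/28"   # the organisation's RADIUS servers

# CAPWAP uses UDP 5246 (control) and 5247 (data); RADIUS uses UDP 1812
# (authentication) and 1813 (accounting), as the guide states.
REQUIRED_FLOWS = [
    Flow("AP -> WLC CAPWAP control", AP_SUBNET, WLC_MGMT, "udp", 5246),
    Flow("AP -> WLC CAPWAP data", AP_SUBNET, WLC_MGMT, "udp", 5247),
    Flow("WLC -> RADIUS authentication", WLC_MGMT, RADIUS_SERVERS, "udp", 1812),
    Flow("WLC -> RADIUS accounting", WLC_MGMT, RADIUS_SERVERS, "udp", 1813),
]


def rule_permits(rule: Rule, flow: Flow) -> bool:
    """A rule covers a flow only if the whole flow source and destination fall
    inside the rule's networks and the port is within the rule's range."""
    fs, fd = ipaddress.ip_network(flow.src), ipaddress.ip_network(flow.dst)
    rs, rd = ipaddress.ip_network(rule.src), ipaddress.ip_network(rule.dst)
    return (rule.proto == flow.proto
            and fs.subnet_of(rs) and fd.subnet_of(rd)
            and rule.dport_lo <= flow.dport <= rule.dport_hi)


def missing_flows(rules: List[Rule], flows: List[Flow] = REQUIRED_FLOWS) -> List[str]:
    """Names of required flows that no rule in the set permits."""
    return [f.name for f in flows if not any(rule_permits(r, f) for r in rules)]


# Constructed rule set with a typical gap: authentication is opened but accounting
# (UDP 1813) is forgotten, so the accounting eduroam requires would silently fail.
INCOMPLETE_RULES = [
    Rule(AP_SUBNET, WLC_MGMT, "udp", 5246, 5247),
    Rule(WLC_MGMT, RADIUS_SERVERS, "udp", 1812, 1812),
]

# Corrected rule set: one rule covering both RADIUS ports.
COMPLETE_RULES = [
    Rule(AP_SUBNET, WLC_MGMT, "udp", 5246, 5247),
    Rule(WLC_MGMT, RADIUS_SERVERS, "udp", 1812, 1813),
]

if __name__ == "__main__":
    print("incomplete:", missing_flows(INCOMPLETE_RULES))  # ['WLC -> RADIUS accounting']
    print("complete:  ", missing_flows(COMPLETE_RULES))    # []
```

Run against the rule set exported from the firewall before cutover; a missing accounting rule is easy to overlook because authentication, and therefore client connectivity, still works.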
Page 21
Under General, the WLAN can be found below. Usually the SSID is set to other categories will be enabled or disabled at any time. Further information on this will be referred to broadcast and for the use of security and functions as a fall-back network. Here we have configured "Interface" as a virtual interface intended for eduroam this is mandatory. This VLAN has the lowest level of guests. Users of other VLANs.
Page 22
WPA+WPA2 are configured under Security and Layer 2. It is actually in conflict with 802.11i to have more than one method in a single network, but it is supported by most clients. However, since not all clients support other "variants", it is very common and is recommended to keep to WPA-TKIP and WPA2-AES. Note that TKIP has since been deprecated and is not permitted with 802.11n data rates; where the client population allows it, WPA2-AES alone is the stronger choice.
Page 26
...controller will require a renewal of times, there will be activated. Attempts to define its own IP address statically. This can be a compulsory ban before the client can try again. Here it is possible to override the DHCP server which has been configured...". After pressing "Apply", this situation. Ideally this should be set a condition that clients must support CCX (Cisco Compatible eXtensions program). To enable Client Protection, the clients must obtain an IP address from a DHCP server: that...to protect against DoS, man-in-the-middle and dictionary attacks on the wireless network.
Page 29
Under Management one may wish to see the SSID which shall be used in the Cisco document http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml gives some valuable recommendations that should be possible to configure a number of things, such as SNMP parameters (which has been created. Regarding timeout values for EAP...