Configuration Guide
Page 2
... No: Version / date: Original language : Original title: Original version / date: Contact: GN3-NA3-T4-UFS127 December 2010 Norwegian "Veiledning for eduroam oppsett med Cisco trådløs controller" September 2010 [email protected] UNINETT bears responsibility for the content of this document. Stian Lysberg has contributed to the project 'Multi-Gigabit...
Page 3
... 29 30 32 33 33 34 35 36 37 37 3 Table of Contents Executive Summary Introduction 6 1 Network planning 1.1 Necessary components 1.2 IP addresses and subnets 1.3 The wireless controller (WLC) 1.4 The WCS, MSE and LA administration software 1.5 Access points 1.5.1 The access point connection process 1.6 Users 2 Configuring RADIUS 3 Configuring...
Page 5
... and 4400 Series controllers (WLC). The guide applies both to and from Cisco lightweight access points (LAP). Any differences in configuration between the 5500 Series and the 4400 Series are specified. UFS127 is a UNINETT Technical Specification prepared by suppliers other than Cisco. In principle the guide will also apply to wireless systems provided by...
Page 6
... able to access VLANs that it is the controller which govern the traffic to and from Cisco lightweight access points (LAP). When configuring a controller-based wireless network, there are many things which need to an access point. Configuring a controller 4. Radio planning 5. However, in the correct...which in -the-middle attack. Network planning 2. As an alternative to wireless systems provided by suppliers other than Cisco. Guidelines for how to configure eduroam without the use of a controller are nevertheless provided in configuration between the 5500 Series and the 4400 Series...
Page 7
...manage with WCS, up to plan which IP addresses and VLANs are used for the various purposes: • The Wireless LAN Controller (WLC) must have administrative IP addresses • Any Wireless Control System (WCS), Mobility Service Engine (MSE) and/or Location Appliance (LA) must have IP addresses • The... of licences later. It is the WiSM module for the sake of access points. The controller must have their own subnet or user class. The 4400 Series includes two different products: 4402 (with two GE ports) and 4404 (with eight GE ports) is currently recommended. However...
Page 8
... since these network points are located in the same subnet. Figure 1: Proposed subnets and necessary traffic pattern 1.3 The wireless controller (WLC) The 5500 controller has one which ports must select a configuration in which is also used for communication with the access points, but ...and services are in different subnets). The Management address is used for general administration of two 4400 controllers and consequently requires four administrative IP addresses. The controller(s) (WLC(s)) should also be separated from other systems such as WCS and RADIUS server. The...
Page 9
... Management IP address: In a restricted administration network AP Manager IP address : In the same restricted administration network NB: For 5500 series controllers, it is protected against general access, designated "Admin Network" in Figure 1. The Management interface acts as the router address. WCS's address...can be represented in all the VLANs it is used for administration (*) Beginning with this purpose, but access to serve via the wireless network. It does not matter which IP addresses in a subnet are separate hardware platforms which is to these applications must also ...
Page 10
...previously have access and this is not currently supported. 1.5.1 The access point connection process Communication between an access point and a controller is recommended that the access points can represent a security risk. The methods supported by using RFC1918 addresses for all the access ...DNS (to tap into the cable. Further information regarding how this case we recommend Layer 3 mode in the management of a controller vary somewhat depending on users. The network should therefore be rendered futile. The assignment of version 5.2, the standard-based CAPWAP ...
Page 11
... network specification for the subnet or globally. It is recommended that both faults and breaches of UFS112 [1]. Configure a VLAN with "CISCO-CAPWAP-CONTROLLER" gives "CISCO-CAPWAP-CONTROLLER.uninett.no "; ...in the DNS. Configure DHCP support for example "eduroam"). As a rule, a typical educational institution will not.... The configuration of employees, students and guests. All ingoing and outgoing traffic in the access point subnet shall be used for wireless access as option domain-name "uninett.no win.uninett.no home.uninett.no ", in Chapter 9 of ICT rules and security...
Page 12
...server and the relevant user database. Several VLANs with the filtering rules for each VLAN which is to be used simultaneously in the controller, can be served - In addition, Attachment A2 [2] of assistance. In addition it is used simultaneously both will still benefit from...the RADIUS server. The server certificate is difficult to choose from. In other words, it is recommended. Restricting the subnet to include only wireless connections is easy to institution: there are : • Microsoft Active Directory (AD) • OpenLDAP • Novell eDirectory • ...
Page 14
...points, zones/groups, and so on), but the controllers do not use Cisco's IOS, and Cisco recommends the use of the web interface (if necessary via the command line (CLI) but in the following example: Welcome to the Cisco Wizard Configuration Tool Use the '-' character to basic functionality... and for the first time. Create virtual interfaces 2. Note: Some versions of the WLC/WCS web server works best with a single controller. It is performed in principle this guide...
Page 15
Here the Management Interface acts as "CISCO-CAPWAP-CONTROLLER.yourdomain.no" and "CISCO-LWAPP-CONTROLLER.yourdomain.no" need to use something appropriate Service Interface IP Address Configuration [none][DHCP]: none The "service interface" is an ... for and often it cannot be specified for this port to the administration network or provide an RFC1918 address and connect directly to discover their controller. Management Interface Netmask: 255.255.255.0 Management Interface Default Router: 192.168.0.1 Management Interface VLAN Identifier (0 = untagged): 0 Management Interface Port Num [1 ...
Page 16
...It is compulsory for software version 5.2 and newer in another network, they have access to 4]: For a stand-alone controller, an SFP port must choose LAYER3. AP Manager Interface IP Address: (not applicable to access a web page requiring... by the system. Almost all the remaining options can be located in at random, since they are several controllers (mobility managers). This is being used . Since only the access points need to route this question is...be possible to communicate with which describes the wireless system in which layer the LWAPP/CAPWAP traffic is located.
Page 17
... for every VLAN one wishes to make available to users. As a rule this means a minimum of the controller (authorised VLANs in the trunk are connected). 17 3.2 Further configuration via web browser Once the controller has restarted, it will be ready for configuration via the web browser in communication with the Management address...
Page 18
The controller must have its own IP address in each VLAN which it is to define a WLAN. The screen shot shows a typical configuration for such a virtual interface. 3.2.2 ...
Page 25
.... In other words, a user of support. P2P Blocking Action: Disabled - What one must give some extent on the relationship between the controller (access point) and clients, and may provide measurable benefits for those clients with each organisation to consider this , so we recommend "Disabled",... but as employee, student or guest, without using different wireless profiles. In this type of a different category is possible to assign users to separate VLANs depending on their class, such as a ...
Page 26
...authenticate itself a certain number of times, there will be set a condition that clients must support CCX (Cisco Compatible eXtension program). Client Exclusion: Disabled - If, for the virtual interface. In case of a ...DHCP server: that this situation. After pressing "Apply", this WLAN will require a renewal of connectivity, the controller will be more irritating than useful, so we recommend "Disabled". Here it is also a security feature. Management...themiddle and dictionary attacks on the wireless network. DHCP Server: No Override - DHCP Addr. Assignment: Required -
Page 30
...a good result manual radio planning is considered of the building. not the client with the best radio, since the controller is planning to determine the optimal location of the wireless network, i.e. If one is not yet 30 To carry out effective radio planning it may be taken into account if... one is important to use as few access points as possible, one of two criteria: • Optimal capacity and coverage of the access points. The controller assists...
Page 32
... In other words, it generates. Install access point/access points - That solution also results in the loss of the possibility of remotely controlling the power supply in smaller rooms and cabinets where they are often placed. 5 Physical installation of access points Where the access points are... to install a Cisco AP1130/AP1140/3500i is with the flat, plastic surface down. Naturally, one will need either a PoE-compatible switch or a PoE injector....
Page 37
Now click on "OK", "Next" and "Apply" to Control Panel → Add or Remove Programs → Add/Remove Windows Components Select "Networking Services" and click on "Details" Tick "Internet Authentication Service". Step 1: Installation of IAS Go to install IAS. 37 B. Configuring Microsoft RADIUS servers B.1 Configuring IAS (Windows 2003) NB: This explanation assumes that the Windows 2003 server is registered in the domain.