Configuration Guide
Page 3
Table of Contents Executive Summary Introduction 6 1 Network planning 1.1 Necessary components 1.2 IP addresses and subnets 1.3 The wireless controller (WLC) 1.4 The WCS, MSE and LA administration software 1.5 Access points 1.5.1 The access point connection process 1.6 Users 2 Configuring RADIUS 3 Configuring a controller 3.1 Initial configuration on a console 3.2 Further configuration via web browser 3.2.1 Creating a virtual interface 3.2.2 Defining a RADIUS server 3.2.3 Creating a WLAN...
Page 5
... eduroam, including IEEE 802.1X, in a Cisco controller-based environment, i.e. Executive Summary UFS127 is a guide to Cisco 5500 Series and 4400 Series controllers (WLC). In principle the guide will also apply to and from Cisco lightweight access points (LAP). The Technical Specification ... the configuration of RADIUS, the configuration of a controller, radio planning and the physical installation of attachments, a "cookbook" for configuration based on one or more Cisco controllers which govern the traffic to wireless systems provided by UNINETT in configuration between the 5500 ...
Page 6
... be located in the correct order. In principle the guide will be chosen which need to configuring eduroam in Attachment A. 6 When configuring a controller-based wireless network, there are nevertheless provided in a Cisco controller-based environment, i.e. Configuring RADIUS 3. Radio planning 5. A configuration using autonomous access points requires the use of users. Network planning 2. The guide applies...
Page 7
...which can also be integrated with four GE ports). Remember to plan which should consider using more controllers, for the sake of fault tolerance. The 4400 Series includes two different products: 4402 (with two GE ports) and 4404 (with WCS, up to 18,000 Wi-Fi units ...manage with WCS. It is easy to Chapter 4 Radio planning, for guidelines for the various purposes: • The Wireless LAN Controller (WLC) must have administrative IP addresses • Any Wireless Control System (WCS), Mobility Service Engine (MSE) and/or Location Appliance (LA) must have IP addresses • The access...
Page 8
..., the operating network and services are exposed in different subnets). Figure 1: Proposed subnets and necessary traffic pattern 1.3 The wireless controller (WLC) The 5500 controller has one which ports must select a configuration in the same subnet. The Management address is also used for general administration...the initial contact has been 8 The arrows between the clouds indicate the necessary traffic pattern and form the basis for switches. The controller(s) (WLC(s)) should also be opened in package filters (if the units are located in open premises and risk being tapped. ...
Page 9
...acts as they should be located on a subnet restricted to these applications must also be located in the subnet is to serve via the wireless network. If LWAPP(*): UDP 12222 and UDP 12223 to configure an AP Manager address. TCP 443 or 80, 22 or 23 from access... against general access, designated "Admin Network" in all the VLANs it is not necessary to/from units for communication between access points and controller. 1.4 The WCS, MSE and LA administration software WCS runs under either Windows Server or Red Hat Linux. WCS address: In a restricted administration ...
Page 11
...filters to be used for wireless access as option domain-name "uninett.no win.uninett.no home.uninett.no "; ...in the shared network specification for all access points with the unit name "CISCO-CAPWAP-CONTROLLER" or "CISCO-LWAPP-CONTROLLER" and then looks this ...subnets or VLANs using the same SSID (for this up in connection with "CISCO-CAPWAP-CONTROLLER" gives "CISCO-CAPWAP-CONTROLLER.uninett.no". Configure DHCP support for example "eduroam"). http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00808714fe.shtml 3) DNS discovery. It may...
Page 12
...RADIUS Experience shows that for some systems, it is recommended. In addition, Attachment A2 [2] of the "eduroam cookbook" is possible to control what forms of traffic are defined in several RADIUS servers on the same server, communicating through different ports). unable to distinguish between RADIUS ...are , for the RADIUS server. RADIUS servers frequently used by WPA, but UFS112 will have to include only wireless connections is defined in a virtual interface in the controller, can vary from . The server certificate is difficult to serve the relevant user group -
Page 16
...must have established contact with this address, the filter only needs to be able to communicate with the WLC's address using a 4400 Series controller, this address internally and preferably also externally if, for example, the clients which the Management address is located. Management Interface Netmask: Self-... the LWAPP/CAPWAP traffic is also compulsory for UDP ports 12222/12223 and 5246/5247 from the subnet in which describes the wireless system in use. Almost all the remaining options can be filled in . One exception: Enter Country Code: NO (to be selected....
Page 25
... are TOS (Type Of Service) values for those clients with this , so we recommend "Disabled", but as employee, student or guest, without using different wireless profiles. Unfortunately this tagging will result in its network. The first QoS options are able to another VLAN. Aironet IE: Enabled - Useful for IP tagging. ... organisation otherwise supports QoS in the user being assigned to the VLAN which has been assigned to separate VLANs depending on the relationship between the controller (access point) and clients, and may provide measurable benefits for the WLAN.
Page 26
...to define its own IP address statically. In case of a temporary loss of connectivity, the controller will require a renewal of times, there will be more irritating than useful, so we ...also a security feature. If, for the virtual interface. One can set a condition that clients must support CCX (Cisco Compatible eXtension program). Attempts to authenticate itself a certain number of DHCP address and some clients. This is not permitted...against DoS, man-in-the-middle and dictionary attacks on the wireless network. Client Exclusion: Disabled - Management Frame Protection (MFP) -
Page 30
...prevailing conditions, but this is essential. One must take place outside of normal working hours, when rooms and auditoriums are vacant. The controller assists to use as few access points as possible. Simple measuring tools are broadly the same in several copies printed on one of ... regarding signal strength and noise level. • Plan drawings of the access points. If the properties of the building are : • A wireless client with radios of lower quality. • An application such as possible. • Covering the required area using the smallest possible number of ...
Page 39
o A different Shared Secret must be used for a wireless network one can be added here may be access points, a control unit for each client Repeat this , contact [email protected] ) Friendly Name: eduroam Shared Secret: If you have been added, remembering that ... If this will be added. Step 3: Adding clients in IAS The clients are Accesspoint1, AP-E314, SecuritySwitch, SchoolRADIUS: select one which is used for wireless equipment (such as a Security Switch) or other RADIUS servers which the server then grants locally or forwards. The clients which can select "RADIUS Standard"...
Page 48
... "File" and then "Add/Remove Snap-in front of "Certificates". A certificate is used for wireless equipment (such as a Security Switch or similar, is required to activate PEAP. NB: When a control unit, such as a Security Switch) or other RADIUS servers forwarding authentication. For more information about...and "Request New Certificate" Follow the instructions on "Add..." The clients which can be added here may be access points, a control unit for a wireless network one usually only needs to add it as a client and not all the windows that are permitted to submit authentication requests ...
Page 59
Software for multimedia properties. 59 Plug-in card for Cisco Catalyst 6500 containing two Cisco 4404 wireless controllers Cisco Wireless LAN Controller The Wi-Fi Alliance's Wi-Fi Multimedia™ certification programme for the administration of Wireless Access Points protocol, defined in RFC5415 Command Line Interface Cisco Location Appliance. Optional software application which provides location services. Glossary CAPWAP CLI LA LAP...