Configuration Guide
Page 3
Table of Contents
Executive Summary
Introduction
1 Network planning
1.1 Necessary components
1.2 IP addresses and subnets
1.3 The wireless controller (WLC)
1.4 The WCS, MSE and LA administration software
1.5 Access points
1.5.1 The access point connection process
1.6 Users
2 Configuring RADIUS
3 Configuring a controller
3.1 Initial configuration on a console
3.2 Further configuration via web browser
3.2.1 Creating a virtual interface
3.2.2 Defining a RADIUS server
3.2.3 Creating a WLAN...
Page 7
...to the controller. The 4400 Series includes two different products: 4402 (with two...are used for the various purposes: • The Wireless LAN Controller (WLC) must have administrative IP addresses • Any Wireless Control System (WCS), Mobility Service Engine (MSE) and/...controller should consider using more controllers, for the Catalyst 6500. MSE can be obtained. This is strictly speaking not necessary. Note also that UNINETT has a WiSM module in the event of handling up to allow for estimating the number of the premises. Each access point may be configured to 12...
Page 12
...for WLC for each VLAN which are defined in the controller, can vary from . We recommend a dedicated RADIUS server for wireless networks (remember that for the network which is used simultaneously in the wireless network provided by the wireless client to verify the authenticity of organising an LDAP tree...to reduce broadcast traffic to a minimum so that it is a server certificate for example, many ways of the RADIUS server before 802.1X In addition it is to institution: there are a number of configuring FreeRADIUS 1.x, see UFS112 [1]. In other types of time to serve ...
Page 44
... alternative which use of "User can for example grant different users access to different networks: some to the guest network, some to VLAN 10, VLAN 12, etc. • Right-click on "Remote Access Policies" and select "New Remote Access Policy" • Click on "Next", select "Set up ...to the system operators and depend to the security group "Wireless Access Denied" will be created first! • When the criteria have been determined, click on "Next", select "Grant remote access permission" and click on...
Page 53
... the local authentication and can for example grant different users access to different networks: some to the guest network, some to VLAN 10, VLAN 12, etc. • Right-click on "Network Policies" and click on "New" • Choose descriptive names for policies, such as "Employees... Authentication version 2 (MS-CHAP v2)" is needed. Some standard options may be advisable to specify all users belonging to the security group "Wireless Access Denied" will obtain access to take place. For example, all policies which determine whether a user shall use "Access denied" first. •...
Page 57
...:a3:04:96:23:6e:60:b0:52:f1:67 Signature Algorithm: sha1WithRSAEncryption Issuer: C=NL, O=TERENA, CN=TERENA SSL CA Validity Not Before: May 12 00:00:00 2010 GMT Not After : May 11 23:59:59 2013 GMT Subject: C=NO, O=UNINETT AS, CN=radius-test.uninett.no Signature...:ff:9b:64:68:a3:65:7f:ac:05:4a:05:9a:7e:5f:11: 44:a1:25:fe:0c:ce:6f:da:52:12:c5:5g:d9:e0:23:fa:60:f8: c2:f1:18:72 TERENA is the issuer Duration The server certificate has been issued to...:85:de: e9:cb:ed:8d:fa:06:b6:70:44:3e:8a:7f:fc:f3:b1: 20:f4:65:cf:f5:86:cd:12:0f:55:76:df:83:10:7a: f7:66:9a:17:f0:5a:15:02:81:21:5c:8f:13:d6:f5: 48:d6...
Page 58
References
[1] UFS112: Recommended Security System for Wireless Networks. Jardar Leira, UNINETT. 20/12/2007.
[2] "eduroam cookbook": GEANT2 Deliverable DJ5.1.5,3: Inter-NREN Roaming Infrastructure and Service Support Cookbook - Found at www.eduroam.org.
[3] Airmagnet Survey: http://www.airmagnet.com/products/survey/
    Airmagnet Planner: http://www.airmagnet.com/products/planner/
    Airmagnet Spectrum Analyzer: http://www.airmagnet.com/products/spectrum_analyzer/
Third Edition. 29/10/2008. Implementation of IEEE 802.1X.