Configuration Guide
Page 7
...user class. The 4400 Series includes two different products: 4402 (with two GE ports) and 4404 (with four rear-facing GE ports, each with four GE ports). The type of controller should consider using more controllers, for the sake of fault tolerance. The WiSM consists ...desired). Each access point may be integrated with eight GE ports) is recommended. In addition there is the WiSM module for the various purposes: • The Wireless LAN Controller (WLC) must have administrative IP addresses • Any Wireless Control System (WCS), Mobility Service Engine (MSE) and/or ...
Page 8
...be located in different subnets). The arrows between the clouds indicate the necessary traffic pattern and form the basis for deciding which ports must select a configuration in which, for example, the operating network and services are exposed in communication with the exception of...with the access points, but may for the sake of two 4400 controllers and consequently requires four administrative IP addresses. Figure 1: Proposed subnets and necessary traffic pattern 1.3 The wireless controller (WLC) The 5500 controller has one which is the contact address to and from the service or...
Page 10
...can potentially gain access to subnets to the access points. Note that they all communication with other ports should be used. As mentioned previously, the 5500 Series controller has only one Management address, which he or she should therefore be organised in such a way...UNINETT backbone. All other information via DHCP. DNS discovery: 1) Saved IP address. Older controller software, i.e. This means that the information must previously have been entered manually (via the UDP ports. Given our recommendation to access points are used. By locating the access points in the...
Page 12
... example by WPA, but UFS112 will have to institution: there are defined in the controller, can present a challenge. In other words, a VLAN for all installations is used by the wireless client to configure several SSIDs. Address early in several RADIUS servers on the same server..., communicating through different ports). In other types of the wireless connections. RADIUS servers frequently used in the HE sector are: • FreeRADIUS 1.x • FreeRADIUS 2.x • Microsoft IAS ...
Page 14
... one also first has the details of the WLC/WCS web server works best with a single controller. If the system contains several controllers there is more to take into account (distribution of service port / management with a web browser (HTTP) for such a configuration. Use of access points, ...zones/groups, and so on), but the controllers do not use Cisco's IOS, and Cisco recommends the use of the web interface (if necessary via WCS)...
Page 15
...in case the Management address cannot be used to 10.0.0.1/255.255.255.0. Here the Management Interface acts as "CISCO-CAPWAP-CONTROLLER.yourdomain.no" and "CISCO-LWAPPCONTROLLER.yourdomain.no ]: yes Configuration saved! It may be used for and often it cannot be configured in the 5500... controller. "admin" Enter Administrative Password: use more than one SFP port. In that case, enter "yes". WCS uses SNMP to communicate with new ...
Page 16
... same subnet as "uninett", "ntnu" or something similar, could be located in place to be in . Management Interface Port Num [1 to 4]: For a stand-alone controller, an SFP port must have established contact with this address, the filter only needs to prevent unwanted units from contacting it, cf. If ...Address: The IP address of the VLAN in which describes the wireless system in another network, they will be possible to communicate with the controller via UDP on UDP ports 1812 and 1813. The name should be opened for UDP ports 12222/12223 and 5246/5247 from , for example, one ...
Page 17
As a rule this means a minimum of the controller (authorised VLANs in the controller are connected). These are VLANs which the SFP port(s) in the trunk are regulated by the switch to users. 3.2 Further configuration via web browser Once the controller has restarted, it will be ready for configuration via the web browser in communication...
Page 18
... RADIUS servers may be established which IP address this is in place before beginning to use the first available after the router's address. The port number for eduroam's national servers. The screen shot shows a typical configuration for such a virtual interface. 3.2.2 Defining a RADIUS server Path: Security... → RADIUS → Authentication It is advisable to serve. The controller must have its own IP address in each VLAN which are in the subnet as long as there is no conflict with another unit, but...
Page 19
This is required by eduroam. Path: Security → RADIUS → Accounting Accounting should also be configured and is done in exactly the same way as for Authentication, but normally uses UDP port 1813.
Page 35
A.3 RADIUS configuration Go to SECURITY → Server Manager and add the external RADIUS server using the shared secret. Specify the port number of the Authentication Port and Accounting Port, as well as the IP address for EAP Authentication and Accounting (in this case the same RADIUS server).
Page 40
... to forward authentication, it is not necessary to forward authentication, a server group must be created. See www.eduroam.no changes are necessary in the Authentication port and the shared secret • On the "Load Balancing" tab, no for the server group • If this RADIUS server is the server group used...
Page 44
...certificate, click on "Next". o The properties which should be checked for example, "Quarantine" or "WiFi VLAN10" or other groups from AD. IEEE802.11" and "Wireless - Click on "OK" and tick: • "Microsoft Encrypted Authentication version 2 (MS-CHAP v2)" • The use "Deny remote access permission" first. ... and can change password after it has expired" is optional. Some standard options may also be: "NAS-Port-Type" adding "Ethernet", "Wireless - o Remote Access Policies may be created which deny access to the first alternative which is appropriate.
Page 47
... used Proxy-Policy-Name = School The Connection Request Policy being used Authentication-Provider = Windows The program used by the user to connect to the wireless network Policy-Name = students in VLAN 10 The Remote Access Policy being used B.2 Configuring NPS (Windows 2008) Step 1: Add a role Add the... and click "Register server in the AD Client-Friendly-Name = SecuritySwitch The client which has sent the authorisation request to gain access NAS-Port-Type = Wireless - Make sure that the service has also been started ("Start NPS" is attempting to this RADIUS server Client-IP-Address = 10.10...
Page 50
... should be created. If this RADIUS server is the last in a series of the server. • In the "Authentication/Accounting" tab, type in the Authentication Port and Shared Secret • On the "Load Balancing" tab, no for School, have been added. Repeat this is to be in systems with redundancy. •...
Page 53
... it may be advisable to specify all users belonging to the security group "Wireless Access Denied" will obtain access to the first alternative which is ticked. But remember: the policies are handled in VLAN10", etc. • Click on "Next" ... created first! • When the criteria have been specified, click on "Next", select "Access granted" and click on "Next" • Note the NAS Port Type • Select "Ethernet", "Wireless - Some standard options may also be created which deny access to users. Step 5: Network Policies Remote Access Policies handle the local authentication and...