Configuration Guide
Page 3
... VLAN B. Table of Contents Executive Summary Introduction 6 1 Network planning 1.1 Necessary components 1.2 IP addresses and subnets 1.3 The wireless controller (WLC) 1.4 The WCS, MSE and LA administration software 1.5 Access points 1.5.1 The access point connection process 1.6 Users 2 Configuring RADIUS 3 Configuring a controller 3.1 Initial configuration on a console 3.2 Further configuration via web browser 3.2.1 Creating a virtual interface 3.2.2 Defining a RADIUS server...
Configuration Guide
Page 5
...). The recommendation also includes a number of attachments, a "cookbook" for configuration based on one or more Cisco controllers which govern the traffic to wireless systems provided by UNINETT in co-operation with the HE sector. The guide applies both to configuring eduroam, ... mobility, [email protected]. Executive Summary UFS127 is a guide to Cisco 5500 Series and 4400 Series controllers (WLC). UFS127 is a UNINETT Technical Specification prepared by suppliers other than Cisco. The Technical Specification has received final approval after a four-week open consultation...
Configuration Guide
Page 6
... -the-middle attack. A configuration using autonomous access points requires the use of users. For information on the use of a dot1q trunk with in a Cisco controller-based environment, i.e. When configuring a controller-based wireless network, there are specified. Configuring RADIUS 3. Radio planning 5. Guidelines for how to configuring eduroam in the following chapters: 1. The guide applies both...
Configuration Guide
Page 7
... interface directly to be used , WCS is capable of which should consider using more controllers, for the various purposes: • The Wireless LAN Controller (WLC) must have administrative IP addresses • Any Wireless Control System (WCS), Mobility Service Engine (MSE) and/or Location Appliance (LA) must ...the premises. The WiSM consists of two 4404 controllers each of handling up to use a primary and a secondary controller (and a tertiary one purchases. MSE can be obtained. The 4400 Series includes two different products: 4402 (with two GE ports) and 4404 (with ...
Configuration Guide
Page 8
...units are in different subnets). The Management address is also used in a general management network for the sake of two 4400 controllers and consequently requires four administrative IP addresses. Figure 1 provides a summary. Each network cloud represents an IP subnet with the access...with the access points after the initial contact has been 8 Figure 1: Proposed subnets and necessary traffic pattern 1.3 The wireless controller (WLC) The 5500 controller has one which ports must select a configuration in open premises and risk being tapped. A WiSM module consists of simplicity...
Configuration Guide
Page 9
...should be located in Figure 1. It does not matter which address is used as the router address. This is to serve via the wireless network. WCS's address in all the VLANs it is protected against general access, designated "Admin Network" in Figure 1. If CAPWAP(*): UDP...Filter: - Management IP address: In a restricted administration network AP Manager IP address : In the same restricted administration network NB: For 5500 series controllers, it is represented by the "Operational Network" in the same subnet. UDP 1813 to RADIUS - Ideally they can be on a subnet restricted...
Configuration Guide
Page 11
...level of access of ICT rules and security if one is 11 Of course, this requires the controller to trace both the "CISCO-CAPWAP-CONTROLLER" and "CISCO-LWAPP-CONTROLLER" names be used for wireless access as option domain-name "uninett.no win.uninett.no home.uninett.no"; All ingoing and ...also wish to /from access point VLAN - The configuration of UFS112 [1]. The same VLAN should not be entered in connection with "CISCO-CAPWAP-CONTROLLER" gives "CISCO-CAPWAP-CONTROLLER.uninett.no "; ...in the DNS. It is described in detail in Chapter 9 of FreeRADIUS in the DNS, since older access ...
Configuration Guide
Page 12
...the RADIUS server before 802.1X 12 It is also desirable to reduce broadcast traffic to a minimum so that it is possible to control what forms of traffic are to be permitted, for a guest network with the filtering rules for all installations is a good way ...to institution: there are a number of alternatives to choose from the encryption in the controller, can present a challenge. A common requirement for the network which is defined in a virtual interface in the wireless network provided by not distributing multicast traffic. The server certificate is provided in several RADIUS...
Configuration Guide
Page 13
... certificate and your RADIUS server. UNINETT is necessary to perform a separate certificate installation in your own certificate hierarchy is described in Norway is to the wireless network.
Configuration Guide
Page 16
... use. AP Manager Interface DHCP Server: As for example, the clients which describes the wireless system in which layer the LWAPP/CAPWAP traffic is to communicate with which the access points are several controllers (mobility managers). in . It is asked, you must be located in a web portal... cf. Since only the access points need to be selected. AP Manager Interface IP Address: (not applicable to 4]: For a stand-alone controller, an SFP port must choose LAYER3. Strict filters should be in at random, since they must obtain access only via the Management address. ...
Configuration Guide
Page 25
... determines whether wireless clients are : Allow AAA Override: Enabled - Unfortunately this tagging will result in the user being assigned to the VLAN which has been assigned to some thought, but it is possible to assign users to separate VLANs depending on the relationship between the controller (access point...it is not advisable to allow clients to do this, so we recommend "Disabled", but as employee, student or guest, without using different wireless profiles. Failure to override will apply to all clients in practice is up to each other hand, WMM depends on their class, such ...
Configuration Guide
Page 26
... with handling this situation. After pressing "Apply", this should be set a condition that clients must support CCX (Cisco Compatible eXtension program). Here it is also a security feature. Attempts to authenticate itself a certain number of DHCP address... and some clients. DHCP Addr. Assignment: Required - In case of a temporary loss of connectivity, the controller will require a renewal of times, there will be more irritating than useful, so we recommend "Disabled". This is ... against DoS, man-in-the-middle and dictionary attacks on the wireless network.
Configuration Guide
Page 30
... of secondary importance in this document. This means that 5 GHz will in practice reduce the power output at all potential locations. The controller assists to the best of its ability by copying the results from given positions in order to carry out the measurements. Radio planning consists... be based on paper. • Felt tip markers in an autonomous version, since the controller is to use as few access points as large a range. If the properties of the building are : • A wireless client with radios of lower quality. • An application such as NetStumbler, which can ...
Configuration Guide
Page 31
...other equipment to locate the access point temporarily as close as possible. 2. There is as near to see what may be remedied by Cisco), which are used for virtual planning while the Survey module displays actual measurements. This is defined as one determines what effect this product... in radio planning. The different marker colours are impossible to cover the entire area with colour but mark the plan drawing with a specific wireless card which should be borrowed from UNINETT for use a long Cat 5 cable and PoE for example, and the Planner module can import ...
Configuration Guide
Page 39
... as clients. To add the eduroam core, follow the same procedure as a Security Switch or similar, is used for a wireless network one can be added here may be access points, a control unit for wireless equipment (such as a Security Switch) or other RADIUS servers which is running ). • Right-click on "RADIUS Clients", select...
Configuration Guide
Page 44
... "Deny remote access permission" first. • Click on the application but the following must be : "NAS-Port-Type" adding "Ethernet", "Wireless - o The properties which should be assigned the criterion "Deny remote access permission". Step 6: Remote Access Policies Remote Access Policies handle the local authentication...after it may be wise to specify all users belonging to the security group "Wireless Access Denied" will obtain access to the first alternative which is appropriate. IEEE802.11" and "Wireless - For example, all policies which use of "User can for example grant ...
Configuration Guide
Page 47
... a role Add the role "Network Policy and Access Services", the only role service required by the user to connect to gain access NAS-Port-Type = Wireless - Make sure that the service has also been started ("Start NPS" is attempting to the...
Configuration Guide
Page 48
... and Servers", right-click on "RADIUS Clients" and select "New RADIUS Client 48 The clients which can be added here may be access points, a control unit for a wireless network one usually only needs to the RADIUS server, which the server then grants locally or forwards. Open the Network Policy Server by "OK...
Configuration Guide
Page 53
..." or "WiFi VLAN 10" or other groups from AD. NB: The AD groups must be advisable to specify all users belonging to the security group "Wireless Access Denied" will obtain access to the first alternative which use this for each Network Policy are up to the system operators and depend to...; When the criteria have been specified, click on "Next", select "Access granted" and click on "Next" • Note the NAS Port Type • Select "Ethernet", "Wireless - IEEE 802.11" and...
Configuration Guide
Page 58
References
[1] UFS112: Recommended Security System for Wireless Networks. Jardar Leira, UNINETT. 20/12/2007.
[2] "eduroam cookbook": GEANT2 Deliverable DJ5.1.5,3: Inter-NREN Roaming Infrastructure and Service Support Cookbook - Implementation of IEEE 802.1X. Third Edition. 29/10/2008. Found at www.eduroam.org.
[3] Airmagnet Survey: http://www.airmagnet.com/products/survey/ ; Airmagnet Planner: http://www.airmagnet.com/products/planner/ ; Airmagnet Spectrum Analyzer: http://www.airmagnet.com/products/spectrum_analyzer/