Configuration Guide
Page 3
... Table of Contents
Executive Summary
Introduction
1 Network planning
1.1 Necessary components
1.2 IP addresses and subnets
1.3 The wireless controller (WLC)
1.4 The WCS, MSE and LA administration software
1.5 Access points
1.5.1 The access point connection process
1.6 Users
2 Configuring RADIUS
3 Configuring a controller
3.1 Initial configuration on a console
3.2 Further configuration via web browser
3.2.1 Creating a virtual interface
3.2.2 Defining a RADIUS server
3.2.3 Creating...
Page 5
The guide applies both to Cisco 5500 Series and 4400 Series controllers (WLC). Any differences in configuration between the 5500 Series and the 4400 Series are specified. The recommendation provides advice for network planning, the configuration of RADIUS, the configuration of a controller, radio planning and the...FreeRADIUS. In principle the guide will also apply to wireless systems provided by UNINETT in co-operation with the HE sector. UFS127 is a UNINETT Technical Specification prepared by suppliers other than Cisco. The recommendation also includes a number of access points. ...
Page 6
... is based on the use of autonomous access points, but the principle will also apply to wireless systems provided by suppliers other than Cisco. When configuring a controller-based wireless network, there are many things which in the correct order. The main points are dealt with...point. The description in open areas with round-the-clock access, with all the necessary VLAN connections to Cisco 5500 Series and 4400 Series controllers (WLC). Any differences in a Cisco controller-based environment, i.e. Configuring RADIUS 3. Since access points can be located in this is based on ...
Page 7
... should be integrated with eight GE ports) is the WiSM module for the various purposes: • The Wireless LAN Controller (WLC) must have administrative IP addresses • Any Wireless Control System (WCS), Mobility Service Engine (MSE) and/or Location Appliance (LA) must have IP addresses •...fault tolerance. The type of controller should consider using more controllers, for estimating the number of access points. This is strictly speaking not necessary. The controller must have one purchases. The 4400 Series includes two different products: 4402 (with two GE ports) and...
Page 8
...Manager). The Management IP address is used in different subnets). Figure 1: Proposed subnets and necessary traffic pattern 1.3 The wireless controller (WLC) The 5500 controller has one which is given its own network cloud. The arrows between the clouds indicate the necessary traffic pattern and form...the basis for deciding which ports must select a configuration in which for the sake of simplicity is used for switches. The controller(s) (WLC(s)) should also be opened in package filters (if the units are located in communication with the exception of the eduroam hierarchy...
Page 9
... a restricted administration network Filter: - The Management and AP Manager addresses should be on a subnet restricted to serve via the wireless network. The controller must apply to these applications must, for security reasons, be located on any other management tools - Near the beginning of the... and the APs will associate themselves with WLC using an address located immediately after the router. UDP 161 and 162 to/from units for administration (*) Beginning with access only for communication between access points and controller. 1.4 The WCS, MSE and LA ...
Page 12
Address early in the address space for WLC for other types of assistance. RADIUS servers frequently used in the HE sector are: • FreeRADIUS 1.x • FreeRADIUS 2.x • Microsoft IAS (Windows 2003 server) • ... to verify the authenticity of alternatives to choose from the encryption in the controller, can vary from institution to institution: there are often anonymous, and wireless clients. In addition, Attachment A2 [2] of the "eduroam cookbook" is possible to control what forms of traffic are a number of the RADIUS server before 802.1X...
Page 14
.... It is performed in the CLI B. Use of service port / management with a single controller. If the system contains several controllers there is more to backup System Name [Cisco_34:21:11]: WLC Enter Administrative User Name (24 characters max): admin Enter Administrative Password (24 characters max): *****...Use the '-' character to take into account (distribution of access points, zones/groups, and so on), but the controllers do not use Cisco's IOS, and Cisco recommends the use of the web interface (if necessary via WCS) for the first time. The configuration is even ...
Page 15
Resetting system with the controller at all it cannot be specified for example "uninett-440250-wlc". The following is not used at this address. This is all . It is on Management subnet, using same values AP Manager Interface ....0.11 AP-Manager is also useful during the initial configuration after the CLI configuration has been completed. Here the Management Interface acts as "CISCO-CAPWAP-CONTROLLER.yourdomain.no" and "CISCO-LWAPP-CONTROLLER.yourdomain.no ]: yes Configuration saved! Enter Administrative User Name: e.g. Since a gateway cannot be routed out of the subnet (out-...
Page 16
..., such as the Management address. If this is a virtual address accessible from, for software version 5.2 and newer in which are to the WLC 5500 Series) When using SNMP. AP Manager Interface IP Address: (not applicable to access a web page requiring login. It is the address ...short. The default setting is to prevent unwanted units from the subnet in which describes the wireless system in . Mobility/RF Group Name: Create a name which the access points are several controllers (mobility managers). This is located. It should be opened for the Management address. In ...
Page 25
... the other hand, WMM depends on the relationship between the controller (access point) and clients, and may provide measurable benefits for...communicate directly with this , so we recommend "Disabled", but as employee, student or guest, without using different wireless profiles. Useful for real-time applications, so "WMM Policy Allowed" is recommended. For security reasons it is ... it possible to let RADIUS override the VLAN which is possible to assign users to each other (via WLC) or not. Aironet IE: Enabled - This makes it is not advisable to allow clients to do this...
Page 27
All access points have their own X509 certificates. For this to function and for the access point to the network. Section 1.5.1 explains the access point connection process. 3.2.4 Connecting access points After going through all the steps so far it is important that the WLC's time is correctly set so that the certificate is time to connect some access points to connect, it is valid.
Page 28
If not another location. This will be entered before the access point is permitted to connect. NTP server is usually the nearest router. WLC supports NTP, which is set at another NTP server can be used, as in this example If a previously autonomous access point has been converted to a lightweight access point and the application has not specified an SSC for the access point, the SSC or the MIC (the MAC address for the access point's Ethernet address) must be found under Security → AAA → AP Policies.
Page 59
... Points protocol, defined in card for Cisco Catalyst 6500 containing two Cisco 4404 wireless controllers Cisco Wireless LAN Controller The Wi-Fi Alliance's Wi-Fi Multimedia™ certification programme for Gbit Ethernet) Service Set Identifier Cisco Wireless Control System. Glossary CAPWAP CLI LA LAP LWAPP MSE SFP SSID WCS WiSM WLC WMM Control And Provisioning of WLCs Cisco Wireless Services Module. Lightweight Access Point Lightweight Access...