Configuration Guide
Page 3
Table of Contents
Executive Summary
Introduction 6
1 Network planning
1.1 Necessary components
1.2 IP addresses and subnets
1.3 The wireless controller (WLC)
1.4 The WCS, MSE and LA administration software
1.5 Access points
1.5.1 The access point connection process
1.6 Users
2 Configuring RADIUS
3 Configuring a controller
3.1 Initial configuration on a console
3.2 Further configuration via web browser
3.2.1 Creating a virtual interface
3.2.2 Defining a RADIUS server
3.2.3 Creating a WLAN (SSID)
3.2.4 Connecting access points...
Page 4
... 39
Step 4: Adding server groups to IAS 40
Step 5: Connection Request Policies 41
Step 6: Remote Access Policies 44
Step 7: RADIUS attributes 45
Step 8: Logging 46
B.2 Configuring NPS (Windows 2008) 47
Step 1: Add a role 47
Step 2: Radius 48
Step 3: Adding Remote RADIUS Server Groups 50
Step 4: Connection Request Policies 51
Step 5: Network...
Page 5
... principle the guide will also apply to wireless systems provided by UNINETT in co-operation with the HE sector. Executive Summary UFS127 is a guide to configuring eduroam, including IEEE 802.1X, in a Cisco controller-based environment, i.e. a configuration based on autonomous access points, configuration of Microsoft RADIUS servers and configuration of access points. The guide applies both to...
Page 6
...-clock access, with all the necessary VLAN connections to an access point. Introduction This document is a guide to configuring eduroam in this is not recommended. The description in a Cisco controller-based environment, i.e. Network planning 2. Configuring a controller 4. When configuring a controller-based wireless network, there are dealt with a PC which acts on the use of users. Guidelines for how to...
Page 7
...later. It is easy to the controller. However, if several controllers are to Chapter 4 Radio planning, for guidelines for the various purposes: • The Wireless LAN Controller (WLC) must have administrative IP addresses • Any Wireless Control System (WCS), Mobility Service Engine...licence one only has a single controller, WCS (Wireless Control System) management software is recommended. 1 Network planning 1.1 Necessary components The number of access points and the type of controller(s) may be configured to use a primary and a secondary controller (and a tertiary one if ...
Page 8
... subnet, since these network points are located in which is used for general administration of the controller and is also used for deciding which ports must select a configuration in different subnets). The arrows between the clouds indicate the necessary traffic pattern and form the ...be separated from other systems such as WCS and RADIUS server. Figure 1: Proposed subnets and necessary traffic pattern 1.3 The wireless controller (WLC) The 5500 controller has one which for example, the operating network and services are in open premises and risk being tapped. One must be...
Page 9
... address located immediately after the router. UDP 161 and 162 to serve via the wireless network. MSE and LA are used instead of the address space in a subnet which...address: In a restricted administration network Filter: - If LWAPP(*): UDP 12222 and UDP 12223 to configure an AP Manager address. Near the beginning of LWAPP for security reasons, be located in the ...the router address. Strict data filter rules must, for communication between access points and controller. 1.4 The WCS, MSE and LA administration software WCS runs under either Windows Server or...
Page 10
...in a separate, dedicated subnet and strictly restricting access to this is used for all communication with the controller's management address(es) via DHCP. Once the configuration has been downloaded to the access point (and any new firmware), it is that network access in the... 5415) has been used. However, what model of access point is unusable for 4400 Series controllers. Given our recommendation to separate access points and controllers in any attempt to configure a dot1q trunk into such a cable can be provided simultaneously with the initial association the Management...
Page 11
... upgraded). Configure a VLAN with an IPv4 subnet large enough for all access points with "CISCO-CAPWAP-CONTROLLER" gives "CISCO-CAPWAP-CONTROLLER.uninett.no"; It may be difficult to trace both faults and breaches of ICT rules and security if one is recommended that both the "CISCO-CAPWAP-CONTROLLER" and "CISCO-LWAPP-CONTROLLER" names be used for wireless access as...
Page 12
...(Windows 2008 server) User databases frequently used in the HE sector are defined in the controller, can present a challenge. In addition, Attachment A2 [2] of Microsoft IAS and NPS is possible to control what forms of traffic are , for example, many ways of organising an LDAP tree. ... as VPN), this in itself can vary from the encryption in the wireless network provided by wired clients, which is defined in a virtual interface in the router. - Filter according to security requirements. 2 Configuring RADIUS Experience shows that for a guest network with subnet large enough to...
Page 13
authentication can be configured. Once IEEE 802.1X is functioning internally, the national connection to perform a separate certificate installation in Norway is to be granted access to the wireless network. The way in which is handled by a client certificate with unrecognised realms and...: o RADIUS Authentication UDP 1812 to/from hegre.uninett.no and trane.uninett.no o RADIUS Accounting UDP 1813 to Comodo UserTrust. Configure RADIUS server for RADIUS - See Attachment C for installation of a certificate for ordering a UNINETT SCS certificate is described in your own...
Page 14
... certain options unfortunately "disappear" or are not correctly displayed in other web browsers. 3.1 Initial configuration on a console Initially a number of questions are asked in the Configuration Wizard when you turn on ), but the controllers do not use Cisco's IOS, and Cisco recommends the use of the web interface (if necessary via the command line (CLI...
Page 15
...Manager Interface must not be changed later via HTTP, HTTPS, Telnet, SSH and/or SNMP. It may be configured in the 5500 controller. Resetting system with the controller at all it is used for a list of -band" address which will also be used by way of ...registered in case the Management address cannot be used to manage the control by the access points to discover their controller. Here the Management Interface acts as "CISCO-CAPWAP-CONTROLLER.yourdomain.no" and "CISCO-LWAPP-CONTROLLER.yourdomain.no ]: yes Configuration saved! One can be reached. It is an "out-of ...
Page 17
... restarted, it will be ready for configuration via the web browser in communication with the Management address or service interface. 3.2.1 Creating a virtual interface Path: Controller → Interfaces A virtual interface must naturally be created for every VLAN one for students and one wishes to make available to ... the SFP port(s) in the trunk are regulated by the switch to users. As a rule this means a minimum of the controller (authorised VLANs in the controller are VLANs which must be located in the trunk of one for employees, one for guests. These are connected).
Page 18
The screen shot shows a typical configuration for such a virtual interface. 3.2.2 Defining a RADIUS server Path: Security → RADIUS → Authentication It is advisable to ensure that for authentication is usually UDP 1812. ... no conflict with another unit, but it is to serve. A shared secret should be included, which are in place before beginning to define a WLAN. The controller must have its own IP address in each VLAN which it is a good rule to use the first available after the router's address.
Page 19
This is required by eduroam. Path: Security → RADIUS → Accounting Accounting should also be configured and is done in exactly the same way as for Authentication, but normally uses UDP port 1813.
Page 21
Under General, the WLAN can be found below. Usually the SSID is mandatory. Further information on this is set to other VLANs. This VLAN has the lowest level of other categories will be referred to broadcast and for the use of guests. Users of security and functions as a virtual interface intended for eduroam this will be enabled or disabled at any time. Here we have configured "Interface" as a fall-back network.
Page 22
It is actually in a single network, but it is supported by most clients. However, since not all clients support other "variants", it is very common and is recommended to keep to have more than one method in conflict with 802.11i to WPA-TKIP and WPA2-AES. WPA+WPA2 are configured under Security and Layer 2.
Page 26
...Override - DHCP Addr. Assignment: Required - Attempts to override the DHCP server which has been configured for the virtual interface. After pressing "Apply", this should be a compulsory ban before the ... statically. Ideally this WLAN will be set a condition that clients must support CCX (Cisco Compatible eXtension program). To enable Client Protection, the clients must obtain an IP address ... DoS, man-in-the-middle and dictionary attacks on the wireless network. In case of a temporary loss of connectivity, the controller will require a renewal of times, there will be ...
Page 29
Under Management one may wish to see the SSID which shall be used in the Cisco document http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml gives some valuable recommendations that should be possible to configure a number of things, such as SNMP parameters (which has been created. 3.2.5 Further details Once an access point...