
Cisco 4402 Configuration Guide

Cisco 4402 - Wireless LAN Controller Manual

UPC - 882658039997

Cisco 4402 manual table of contents:

  • Cisco 4402 | Configuration Guide - Page 1
    Guide to configuring eduroam using a Cisco wireless controller Best Practice Document Produced by UNINETT led working group on mobility (No UFS127) Authors: Tore Kristiansen, Jardar Leira, Vidar Faltinsen December 2010
  • Cisco 4402 | Configuration Guide - Page 2
    ...TERENA 2010. All rights reserved. GN3-NA3-T4-UFS127 December 2010 Norwegian "Veiledning for eduroam oppsett med Cisco trådløs controller" September 2010 campus@uninett.no UNINETT bears responsibility for the content of this document. The work...
  • Cisco 4402 | Configuration Guide - Page 3
    ... 1.5 1.6 Necessary components IP addresses and subnets The wireless controller (WLC) The WCS, MSE and LA administration software Access points 1.5.1 Users The access point connection process 2 3 Configuring RADIUS Configuring a controller 3.1 3.2 Initial configuration ...
  • Cisco 4402 | Configuration Guide - Page 4
    ... Step 3: Adding clients in IAS Step 4: Adding server groups to IAS Step 5: Connection Request Policies Step 6: Remote Access Policies Step 7: RADIUS attributes Step 8: Logging B.2 Configuring NPS (Windows 2008) Step 1: Add a role Step 2: Radius Step 3: ...
  • Cisco 4402 | Configuration Guide - Page 5
    .... UFS127 is a guide to configuring eduroam, including IEEE 802.1X, in a Cisco controller-based environment, i.e. a configuration based on one or more Cisco controllers which govern the traffic to and from Cisco lightweight access points (LAP). The guide applies both...
  • Cisco 4402 | Configuration Guide - Page 6
    ... is a guide to configuring eduroam in a Cisco controller-based environment, i.e. a configuration based on one or more Cisco controllers which govern the traffic to and from Cisco lightweight access points (LAP). The guide applies both to ...
  • Cisco 4402 | Configuration Guide - Page 7
    ... the event of serious operational problems. If one only has a single controller, WCS (Wireless Control System) management software ... is necessary to plan which IP addresses and VLANs are to be used for the various purposes: • The Wireless LAN Controller (WLC) must have administrative IP addresses ...
  • Cisco 4402 | Configuration Guide - Page 8
    ... a general management network for switches. Figure 1: Proposed subnets and necessary traffic pattern 1.3 The wireless controller (WLC) The 5500 controller has one administrative IP address ... the access points, but here the 4400 controller also has the AP Manager address which is used ...
  • Cisco 4402 | Configuration Guide - Page 9
    ...for specific purposes. The controller must also be represented in all the VLANs it is to serve via the wireless network. Traditionally, the first network address in the subnet is used as the router address.... CAPWAP(*): UDP 5246 and UDP 5247 to/from access point VLAN - If LWAPP(*): UDP 12222 ...
  • Cisco 4402 | Configuration Guide - Page 10
    ... over autonomous access points. In a controller-based system it is not necessary to configure a dot1q... route this network internally so that the access points can reach the controller and, if... that such a configuration will not be possible in cases where the traffic between controller and access point...
  • Cisco 4402 | Configuration Guide - Page 11
    ... uses the domain name (provided by DHCP) in conjunction with the unit name "CISCO-CAPWAP-CONTROLLER" or "CISCO-LWAPP-CONTROLLER" and then looks this up ... "CISCO-CAPWAP-CONTROLLER" and "CISCO-LWAPP-CONTROLLER" names be entered in the DNS, since older access points will not recognise ...
  • Cisco 4402 | Configuration Guide - Page 12
    ... Restricting the subnet to include only wireless connections is a good way to achieve this. In addition it is possible to control what forms of traffic are.... We recommend a dedicated RADIUS server for wireless networks (remember that for some systems, it is easy to configure several RADIUS servers on...
  • Cisco 4402 | Configuration Guide - Page 13
    ...completed. Here one can choose between using self-generated or purchased certificates. Self-... in every single client which is to be granted access to the wireless network. The way in which you ...Once IEEE 802.1X is functioning internally, the national connection to eduroam can be configured. In general...
  • Cisco 4402 | Configuration Guide - Page 14
    ...for such a configuration. Strictly speaking, all configuration work can be performed via the command line (CLI) but the controllers do not use Cisco's IOS, and Cisco recommends the use of the web interface (if necessary via WCS) for most of ...
  • Cisco 4402 | Configuration Guide - Page 15
    ... TEMP Allow Static IP Addresses [YES][no]: yes Configure a RADIUS Server now? [YES][no]: no Enter Country Code ... also be used by the access points to discover their controller. The address should therefore be registered in the DNS as "CISCO-CAPWAP-CONTROLLER.yourdomain.no" and "CISCO-LWAPP-CONTROLLER....
  • Cisco 4402 | Configuration Guide - Page 16
    ... contacting it, cf. Chapter 1. The access points must obtain access only via UDP on ports 5246/5247 (CAPWAP) or... Address: (not applicable to the WLC 5500 Series) When using a 4400 Series controller, this is the address with which the access points communicate after they have established contact with ...
  • Cisco 4402 | Configuration Guide - Page 17
    3.2 Further configuration via web browser Once the controller has restarted, it will be ready for configuration via the web browser in communication with the ... of the controller (authorised VLANs in the trunk are regulated by the switch to which the SFP port(s) in the controller are connected).
  • Cisco 4402 | Configuration Guide - Page 18
    The controller must have its own IP address in each VLAN which it is to serve. Strictly speaking, it...a good rule to use the first available after the router's address. The screen shot shows a typical configuration for such a virtual interface. 3.2.2 Defining a RADIUS server Path: Security → RADIUS...
  • Cisco 4402 | Configuration Guide - Page 19
    Path: Security → RADIUS → Accounting Accounting should also be configured and is required by eduroam. This is done in exactly the same way as for Authentication, but normally uses UDP port 1813.
  • Cisco 4402 | Configuration Guide - Page 20
    ... is the SSID "eduroam", but usually it is desirable to have an SSID for guests who cannot use "eduroam" or if an SSID is required for testing. An SSID can serve one or .... The first thing that must be done is to define a profile name and specify an SSID. This information cannot be changed later.
  • Cisco 4402 | Configuration Guide - Page 21
    ... at any time. Usually the SSID is set to broadcast and for eduroam this is mandatory. Here we have configured "Interface" as a virtual interface intended for the use of guests. This VLAN has the lowest level of security and functions as a ...
  • Cisco 4402 | Configuration Guide - Page 22
    WPA+WPA2 are configured under Security and Layer 2. It is actually in conflict with 802.11i to have more than ... in a single network, but it is very common and is supported by most clients. However, since not all clients support other "variants", it is recommended to keep to WPA-TKIP and WPA2-AES.
  • Cisco 4402 | Configuration Guide - Page 23
    Security Layer 3 shall be "None".
  • Cisco 4402 | Configuration Guide - Page 24
    Under Security AAA Servers we select the previously defined RADIUS servers for Authentication and Accounting.
  • Cisco 4402 | Configuration Guide - Page 25
    ... hand, WMM depends on the relationship between the controller (access point) and clients, and may ... such as employee, student or guest, without using different wireless profiles. Aironet IE: Enabled ...determines whether wireless clients are able to communicate directly with each other (via WLC) or not....
  • Cisco 4402 | Configuration Guide - Page 26
    ...to protect against DoS, man-in-the-middle and dictionary attacks on the wireless network. To enable Client Protection, the clients must support CCX (Cisco Compatible eXtension program). After pressing "Apply", this WLAN will be activated. ...
  • Cisco 4402 | Configuration Guide - Page 27
    3.2.4 Connecting access points After going through all the steps so far it is time to connect some access points to the network. Section 1.5.1 explains the ... X509 certificates. For this to function and for the access point to connect, it is important that the WLC's time is correctly set so...
  • Cisco 4402 | Configuration Guide - Page 28
    ... another NTP server can be used, as in this example. If a previously autonomous access point has been converted to a lightweight access point and the application has not specified an ... point, the SSC or the MIC (the MAC address for the access point's Ethernet address) must be entered before the...
  • Cisco 4402 | Configuration Guide - Page 29
    ... Further details Once an access point has been connected it will be possible to see the SSID ...one may wish to configure a number of things, such as SNMP parameters (which shall be used in communication ..., the section "Manipulating EAP Timers" in the Cisco document http://www.cisco.com/en/US/tech/tk722/...
  • Cisco 4402 | Configuration Guide - Page 30
    ... criteria: • Optimal capacity and coverage of the wireless network, i.e. as many access points as possible. • Covering the required area using the smallest possible ...should be taken into account if one is planning to use as few access points as possible. If one is to use ...
  • Cisco 4402 | Configuration Guide - Page 31
    ... cabling is not yet installed. Configure a unique SSID and preferably use a long Cat 5 cable and PoE for power supply..... UNINETT also offers AirMagnet Spectrum Analyzer [3] (this product is now owned by Cisco), which displays everything happening in the frequency range, not just 802.11 traffic. This ...
  • Cisco 4402 | Configuration Guide - Page 32
    ... power supply in order to switch the access point on or off. Naturally, one must not use Cat 5 cable splitting with PoE ... of installation kit. Follow the installation instructions for the access point. Note that the correct way to install a Cisco AP1130/AP1140/3500i is with the flat, plastic surface ...
  • Cisco 4402 | Configuration Guide - Page 33
    A. Configuration using autonomous access points The following is a description of how configuration may be carried out using autonomous access points. As ...that the access point is already configured with the necessary Management IP address, etc. 1. 2. Log on to the access point using a web browser....
  • Cisco 4402 | Configuration Guide - Page 34
    A.2 Encryption configuration Now go to SECURITY → Encryption Manager and specify the necessary encryptions for VLAN 21. The minimum requirement here is TKIP, since not all types support AES. Select "Enable rotation" of the key and specify a value of, for example, 36,000 seconds.
  • Cisco 4402 | Configuration Guide - Page 35
    A.3 RADIUS configuration Go to SECURITY → Server Manager and add the external RADIUS server using the shared secret. Specify the port number of the Authentication Port and Accounting Port, as well as the IP address for EAP Authentication and Accounting (in this case the same RADIUS server).
  • Cisco 4402 | Configuration Guide - Page 36
    A.4 Default VLAN Now go to SECURITY → SSID Manager and specify the default VLAN.
  • Cisco 4402 | Configuration Guide - Page 37
    ... Microsoft RADIUS servers Configuring IAS (Windows 2003) B.1 NB: This explanation assumes that the Windows ... in the domain. Step 1: Installation of IAS Go to Control Panel → Add or Remove Programs → Add/...Internet Authentication Service". Now click on "OK", "Next" and "Apply" to install IAS.
  • Cisco 4402 | Configuration Guide - Page 38
    Step 2: Connecting to domain and certificates Go to "Administrative Tools" on the Control Panel. Start "Internet Authentication Service": Click on "Action" in the file menu. Click on "Register Server in Active Directory" A certificate is required to ...
  • Cisco 4402 | Configuration Guide - Page 39
    .... The clients which can be added here may be access points, a control unit for wireless equipment (such as a Security Switch) or other RADIUS ... add it as a client and not all the access points. Go to "Administrative Tools" on the Control Panel. Start "Internet Authentication Service" Check if IAS is ...
  • Cisco 4402 | Configuration Guide - Page 40
    ... "Address" tab, enter the IP address or DNS name of the server. On the Authentication/Accounting tab, fill in the Authentication port and the shared secret On the "Load Balancing" tab, no changes are necessary in systems with redundancy. Click on "...
  • Cisco 4402 | Configuration Guide - Page 41
    ... employees locally and forward all students to the RADIUS server associated with the school domain, while another policy directs all...locally 2. Users who are to be forwarded to another RADIUS server (several of which can be configured) 3. All other users to be directed to eduroam 1. Right-click on "...
  • Cisco 4402 | Configuration Guide - Page 42
    ...Employee" RADIUS server is the last in the series and receives authentications it is to use and forwards them. Criteria for "Connection Policies" on ... may also select "Forward requests to the following remote RADIUS server group for authentication": the authentication request is then forwarded to one...
  • Cisco 4402 | Configuration Guide - Page 43
    Create a Connection Request Policy for every connection this RADIUS server is to serve.
  • Cisco 4402 | Configuration Guide - Page 44
    ...Some standard options may be: "NAS-Port-Type" adding "Ethernet", "Wireless - IEEE802.11" and "... example, all users belonging to the security group "Wireless Access Denied" will be assigned the criterion "Deny remote ... version 2 (MS-CHAP v2)" The use of "User can change password after it has expired" ...
  • Cisco 4402 | Configuration Guide - Page 45
    ...a description of what is needed to assign a user to a different VLAN from that supplied as standard by the access points or controller unit Click on "Add", select "Tunnel-Medium-Type" and click on "Add" Click on "Add" again and select "802 ...
  • Cisco 4402 | Configuration Guide - Page 46
    Click on "OK" twice and repeat this step for all the Remote Access Policies which are to be modified. Step 8: Logging IAS adds log entries to the Event Log and ... by IAS. IAS creates the log entries "Error", "Warning" and "Information" The logs contain a great deal of useful information such as:
  • Cisco 4402 | Configuration Guide - Page 47
    ...to gain access NAS-Port-Type = Wireless - IEEE 802.11 The type of network being used Proxy-Policy-Name ... being used Authentication-Provider = Windows The program used by the user to connect to the wireless network Policy-Name = students in VLAN 10 The Remote Access Policy being used B.2 Configuring...
  • Cisco 4402 | Configuration Guide - Page 48
    ...visit www.eduroam.no. The clients which can be added here may be access points, a control unit for wireless equipment (such as a Security Switch) or... servers forwarding authentication. NB: When a control unit, such as a Security Switch or similar, is used for a wireless network one usually ...
  • Cisco 4402 | Configuration Guide - Page 49
    ... both the client and in the NPS setup. • A different Shared Secret may be used for each client ... have been added. Remember that other RADIUS servers which forward authentication requests shall ... as clients. NB: If this is the central RADIUS server which is to be connected to eduroam, the core must ...
  • Cisco 4402 | Configuration Guide - Page 50
    ... "Address" tab, enter the IP address or DNS name of the server. In the "Authentication/Accounting" tab, type in the Authentication Port and Shared Secret • On the "Load Balancing" tab, no changes are necessary in systems with redundancy. Click on ...
  • Cisco 4402 | Configuration Guide - Page 51
    ... locally 2. Users who are to be forwarded to another RADIUS server (several of which can be configured) 3. All other users to be directed to ... be authenticated using this policy. Click on "OK" followed by "Next" The "Authentication" option controls where the authentication is to be directed to.
  • Cisco 4402 | Configuration Guide - Page 52
    ... One may also select "Forward requests to the following remote RADIUS server group for authentication". The authentication request is then forwarded to one of... • "Override network policy authentication settings" must not be used in this connection. Click on "Next" • Click on "OK" followed by "...
  • Cisco 4402 | Configuration Guide - Page 53
    ... to users. For example, all users belonging to the security group "Wireless Access Denied" will be assigned the criterion "Access ... on "Next" Note the NAS Port Type Select "Ethernet", "Wireless - IEEE 802.11" and "Wireless - Other" Click on "Next", then "Next" again, followed by "Finish" Do this...
  • Cisco 4402 | Configuration Guide - Page 54
    ...to assign a user to a different VLAN from that supplied as standard by the access points or controller unit: • Click on "Standard" in the left-hand frame and click on "Add" in the ..."Add" • Click on "Add" again and select "802 (Includes all 802 media plus Ethernet canonical format)" ...
  • Cisco 4402 | Configuration Guide - Page 55
    ... and go to "Custom Views", "Server Roles" and "Network Policy and Access Services". NPS creates ...a file (in C:\Windows\System32\LogFiles) also Network Policy Server granted access to a user. "Granted access"...being used EAP Type: The type of EAP being used Microsoft: Secured password (EAP-MSCHAP v2) ...
  • Cisco 4402 | Configuration Guide - Page 56
    ... as "somethingorother.pem" It is then placed in the location specified in the RADIUS configuration, often in /etc/FreeRADIUS/cert/. Below is an example ... is an example of the output obtained when this command was run for a TERENA partial certificate valid for the server called "radius-test.uninett.no...
  • Cisco 4402 | Configuration Guide - Page 57
    ...:41:1c:06:9a:e9:1c:bf:da:2d:7a: 50:e9:12:4d:84:20:71:4e...:d9:71:c6:c3:a3:5e: 50:df:69:d3:0a:5f:7c...:3A:42:7C:F9:67:66:50:A1:E9:D1:2A:FC:BB....terena.org/TERENASSLCA.crl Authority Information Access: CA Issuers - URI:http://crt.tcs... 52:80:07:f2:9b:a5:50:f2:e3:43:4c:cd:...11: 44:a1:25:fe:0c:ce:6f:da:52:12:c5:...
  • Cisco 4402 | Configuration Guide - Page 58
    References [1] UFS112: Recommended Security System for Wireless Networks. Implementation of IEEE 802.1X. Jardar Leira, UNINETT. 20/12/2007. [2] "...": GEANT2 Deliverable DJ5.1.5,3: Inter-NREN Roaming Infrastructure and Service Support Cookbook - Third Edition. 29/10/2008. ...
  • Cisco 4402 | Configuration Guide - Page 59
    ...transceiver or "mini-GBIC" (for Gbit Ethernet) Service Set Identifier Cisco Wireless Control System. Software for the administration of WLCs Cisco Wireless Services...4404 wireless controllers Cisco Wireless LAN Controller The Wi-Fi Alliance's Wi-Fi Multimedia™ certification programme for ...
  • Cisco 4402 | Configuration Guide - Page 60
    More Best Practice Documents are available at www.terena.org/campus-bp/ campus-bp-announcements@terena.org


