Cisco 4402 Configuration Guide

Cisco 4402 - Wireless LAN Controller Manual

UPC - 882658039997

Cisco 4402 manual table of contents:

  • Cisco 4402 | Configuration Guide - Page 1
    Guide to configuring eduroam using a Cisco wireless controller Best Practice Document Produced by UNINETT led working group on mobility (No UFS127) Authors: Tore Kristiansen, Jardar Leira, Vidar Faltinsen December 2010
  • Cisco 4402 | Configuration Guide - Page 2
    ...TERENA 2010. All rights reserved. GN3-NA3-T4-UFS127 December 2010 Norwegian "Veiledning for eduroam oppsett med Cisco trådløs controller" September 2010 [email protected] UNINETT bears responsibility for the content of this document. The work...
  • Cisco 4402 | Configuration Guide - Page 3
    ...Network planning 1.1 Necessary components 1.2 IP addresses and subnets 1.3 The wireless controller (WLC) 1.4 The WCS, MSE and LA administration software 1.5 Access points 1.5.1 The access point connection process 1.6 Users 2 3 Configuring ...
  • Cisco 4402 | Configuration Guide - Page 4
    ...groups to IAS Step 5: Connection Request Policies Step 6: Remote Access Policies Step 7: RADIUS attributes Step 8: Logging B.2 Configuring NPS (Windows 2008) Step 1: Add a role Step 2: Radius Step 3: Adding Remote ... References ...
  • Cisco 4402 | Configuration Guide - Page 5
    ... with the HE sector. UFS127 is a guide to configuring eduroam, including IEEE 802.1X, in a Cisco controller-based environment, i.e. a configuration based on one or more Cisco controllers which govern the traffic to and from Cisco lightweight access points (LAP). The guide applies both to Cisco ...
  • Cisco 4402 | Configuration Guide - Page 6
    Introduction This document is a guide to configuring eduroam in a Cisco controller-based environment, i.e. a configuration based ... controllers which govern the traffic to and from Cisco lightweight access points (LAP). The guide applies both to Cisco 5500 Series and 4400 Series controllers (WLC). Any...
  • Cisco 4402 | Configuration Guide - Page 7
    ...the event of serious operational problems. If one only has a single controller, WCS (Wireless Control System) management software...is necessary to plan which IP addresses and VLANs are to be used for the various purposes: • The Wireless LAN Controller (WLC) must have administrative IP addresses • ...
  • Cisco 4402 | Configuration Guide - Page 8
    ... a general management network for switches. Figure 1: Proposed subnets and necessary traffic pattern 1.3 The wireless controller (WLC) The 5500 controller has one administrative IP address ... the access points, but here the 4400 controller also has the AP Manager address which is used ...
  • Cisco 4402 | Configuration Guide - Page 9
    ... other management tools - TCP 443 or 80, 22 or 23 from units for administration (*) Beginning with controller software version 5.2, CAPWAP is used instead of LWAPP for communication between access points and controller. 1.4 The WCS, MSE ...
  • Cisco 4402 | Configuration Guide - Page 10
    ... itself or using WCS once the access point has been connected (See Section ... supported. 1.5.1 The access point connection process Communication between an access point and a controller ... address instead. The methods supported by an access point for the initial discovery of a controller vary somewhat ...
  • Cisco 4402 | Configuration Guide - Page 11
    ...DHCP) in conjunction with the unit name "CISCO-CAPWAP-CONTROLLER" or "CISCO-LWAPP-CONTROLLER" and then ...CONTROLLER" and "CISCO-LWAPP-CONTROLLER" names be entered in the DNS, since older access points ...shared network specification for the subnet or globally. Cisco access points do not support an option...
  • Cisco 4402 | Configuration Guide - Page 12
    ... Restricting the subnet to include only wireless connections is a good way to achieve this. In addition it is possible to control what forms of traffic are... recommend a dedicated RADIUS server for wireless networks (remember that for some systems, it is easy to configure several RADIUS servers on the...
  • Cisco 4402 | Configuration Guide - Page 13
    ... installation in every single client which is to be granted access to the wireless network. The way in which you save your own root certificate and your ...is functioning internally, the national connection to eduroam can be configured. In general terms this involves rerouting the requests from ...
  • Cisco 4402 | Configuration Guide - Page 14
    ... be performed via the command line (CLI) but the controllers do not use Cisco's IOS, and Cisco recommends the use of the web interface (if ... configuration should resemble the following example: Welcome to the Cisco Wizard Configuration Tool Use the '-' character to backup System Name ...
  • Cisco 4402 | Configuration Guide - Page 15
    ...): TEMP Allow Static IP Addresses [YES][no]: yes Configure a RADIUS Server now? [YES][no]: no Enter Country...will also be used by the access points to discover their controller. The address should therefore be registered in the DNS as "CISCO-CAPWAP-CONTROLLER.yourdomain.no" and "CISCO-LWAPP-CONTROLLER....
  • Cisco 4402 | Configuration Guide - Page 16
    ... from contacting it, cf. Chapter 1. The access points must obtain access only via UDP on ports 5246/5247 (CAPWAP) or... Address: (not applicable to the WLC 5500 Series) When using a 4400 Series controller, this is the address with which the access points communicate after they have established contact ...
  • Cisco 4402 | Configuration Guide - Page 17
    ...Further configuration via web browser Once the controller has restarted, it will be ready for configuration via the web browser in communication with the Management address or service interface. 3.2.1 Creating a virtual interface Path: Controller → Interfaces A virtual interface must ...
  • Cisco 4402 | Configuration Guide - Page 18
    The controller must have its own IP address in each VLAN which it is to serve. Strictly speaking, it does not matter ... the first available after the router's address. The screen shot shows a typical configuration for such a virtual interface. 3.2.2 Defining a RADIUS server Path: Security → RADIUS ...
  • Cisco 4402 | Configuration Guide - Page 19
    Path: Security → RADIUS → Accounting Accounting should also be configured and is required by eduroam. This is done in exactly the same way as for Authentication, but normally uses UDP port 1813.
  • Cisco 4402 | Configuration Guide - Page 20
    3.2.3 Creating a WLAN (SSID) Path: WLANs → WLANs Initially all that is needed is the SSID "eduroam", but usually it is desirable to have an SSID for guests who cannot use "eduroam" or if an SSID is required for testing. An SSID can serve one or more of the virtual interfaces which have previously...
  • Cisco 4402 | Configuration Guide - Page 21
    ..., the WLAN can be enabled or disabled at any time. Usually the SSID is set to broadcast and for eduroam this is mandatory. Here we have configured "Interface" as a virtual interface intended for the use of guests. This VLAN has the lowest level of security and functions as a fall-back network. Users...
  • Cisco 4402 | Configuration Guide - Page 22
    WPA+WPA2 are configured under Security and Layer 2. It is actually in conflict with 802.11i to have more than ... in a single network, but it is very common and is supported by most clients. However, since not all clients support other "variants", it is recommended to keep to WPA-TKIP and WPA2-AES.
  • Cisco 4402 | Configuration Guide - Page 23
    Security Layer 3 shall be "None".
  • Cisco 4402 | Configuration Guide - Page 24
    Under Security AAA Servers we select the previously defined RADIUS servers for Authentication and Accounting.
  • Cisco 4402 | Configuration Guide - Page 25
    ... other hand, WMM depends on the relationship between the controller (access point) and clients, and may provide ...for those clients with this type of support. P2P Blocking Action: Disabled - This determines whether wireless clients are able to communicate directly with each other (via WLC) or not. For...
  • Cisco 4402 | Configuration Guide - Page 26
    ... to protect against DoS, man-in-the-middle and dictionary attacks on the wireless network. To enable Client Protection, the clients must support CCX (Cisco Compatible eXtension program). After pressing "Apply", this WLAN will be activated.
  • Cisco 4402 | Configuration Guide - Page 27
    3.2.4 Connecting access points After going through all the steps so far it is time to connect some access points to the network. Section 1.5.1 explains the ... X509 certificates. For this to function and for the access point to connect, it is important that the WLC's time is correctly set so...
  • Cisco 4402 | Configuration Guide - Page 28
    WLC supports NTP, which is set at another location. NTP server is usually the nearest... be used, as in this example If a previously autonomous access point has been converted to a lightweight...'s Ethernet address) must be entered before the access point is permitted to connect. This will be found under...
  • Cisco 4402 | Configuration Guide - Page 29
    3.2.5 Further details Once an access point has been connected it will be possible to see the SSID which... created. Under Management one may wish to configure a number of things, such as SNMP parameters (..., the section "Manipulating EAP Timers" in the Cisco document http://www.cisco.com/en/US/tech/tk722/...
  • Cisco 4402 | Configuration Guide - Page 30
    ... two criteria: • Optimal capacity and coverage of the wireless network, i.e. as many access points as possible. • Covering the required area using the .... • Felt tip markers in three colours. • An access point of the type to be used, in an autonomous version, since the controller is not yet
  • Cisco 4402 | Configuration Guide - Page 31
    ... [3] may be borrowed from UNINETT for use in radio planning. This software is associated with a specific wireless card which is provided. It can import ... also offers AirMagnet Spectrum Analyzer [3] (this product is now owned by Cisco), which displays everything happening in the frequency range, not ...
  • Cisco 4402 | Configuration Guide - Page 32
    ... the access point must be installed. Most access points support PoE, i.e. 802.3af. Some newer access points which...of installation kit. Follow the installation instructions for the access point. Note that the correct way to install a Cisco AP1130/AP1140/3500i is with the flat, plastic surface down. In...
  • Cisco 4402 | Configuration Guide - Page 33
    ... Configuration using autonomous access points The following is a description of how configuration may be carried out using .... A.1 VLAN setup First we set up the VLAN, assuming that the access point is already ... Management IP address, etc. 1. 2. Log on to the access point using a web browser. Go ...
  • Cisco 4402 | Configuration Guide - Page 34
    A.2 Encryption configuration Now go to SECURITY → Encryption Manager and specify the necessary encryptions for VLAN 21. The minimum requirement here is TKIP, since not all types support AES. Select "Enable rotation" of the key and specify a value of, for example, 36,000 seconds.
  • Cisco 4402 | Configuration Guide - Page 35
    A.3 RADIUS configuration Go to SECURITY → Server Manager and add the external RADIUS server using the shared secret. Specify the port number of the Authentication Port and Accounting Port, as well as the IP address for EAP Authentication and Accounting (in this case the same RADIUS server).
  • Cisco 4402 | Configuration Guide - Page 36
    A.4 Default VLAN Now go to SECURITY → SSID Manager and specify the default VLAN.
  • Cisco 4402 | Configuration Guide - Page 37
    ... Microsoft RADIUS servers Configuring IAS (Windows 2003) B.1 NB: This explanation assumes that the Windows ... in the domain. Step 1: Installation of IAS Go to Control Panel → Add or Remove Programs → Add/...Internet Authentication Service". Now click on "OK", "Next" and "Apply" to install IAS.
  • Cisco 4402 | Configuration Guide - Page 38
    Step 2: Connecting to domain and certificates Go to "Administrative Tools" on the Control Panel. Start "Internet Authentication Service": Click on "Action" in the file menu. Click on "Register Server in Active Directory" A certificate is required to ...
  • Cisco 4402 | Configuration Guide - Page 39
    ... documentation of its infrastructure on the eduroam web page. The clients which can be added here may be access points, a control unit for wireless equipment (such as a Security Switch) or other RADIUS servers forwarding authentication requests here. NB: When ...
  • Cisco 4402 | Configuration Guide - Page 40
    ... to the server group. On the "Address" tab, enter the IP address or DNS name of the server. On the Authentication/Accounting tab, fill in the Authentication port and the shared secret On the "Load Balancing" tab, no changes are necessary in systems with redundancy. Click on "OK" followed by "Next" ...
  • Cisco 4402 | Configuration Guide - Page 41
    ... directs all other users to the eduroam core. Since the policies are handled in a specific order, it is important that this is done correctly. 1. Users who are to ... be forwarded to another RADIUS server (several of which can be configured) 3. All other users to be directed to eduroam 1. Right-click ...
  • Cisco 4402 | Configuration Guide - Page 42
    student.school.no is the connection to eduroam and forwards authentication to the employee.school.no RADIUS server. The "Employee" RADIUS server is the last in the series and receives authentications it is to use and forwards them. Criteria for "Connection Policies" on the student.school.no RADIUS ...
  • Cisco 4402 | Configuration Guide - Page 43
    Create a Connection Request Policy for every connection this RADIUS server is to serve.
  • Cisco 4402 | Configuration Guide - Page 44
    ...place. Some standard options may be: "NAS-Port-Type" adding "Ethernet", "Wireless - IEEE802.11" and "Wireless - Other" "Windows-Groups" adding "Domain...users. For example, all users belonging to the security group "Wireless Access Denied" will be assigned the criterion "Deny remote access ...
  • Cisco 4402 | Configuration Guide - Page 45
    ...a description of what is needed to assign a user to a different VLAN from that supplied as standard by the access points or controller unit Click on "Add", select "Tunnel-Medium-Type" and click on "Add" Click on "Add" again and select "802 ...
  • Cisco 4402 | Configuration Guide - Page 46
    Click on "OK" twice and repeat this step for all the Remote Access Policies which are to be modified. Step 8: Logging IAS adds log entries to the Event Log and writes them to a file. Open "Event Viewer" and select "System". All events under Source "IAS" are logs generated by IAS. IAS creates the ...
  • Cisco 4402 | Configuration Guide - Page 47
    ...7D The MAC address of the user who is attempting to gain access NAS-Port-Type = Wireless - IEEE 802.11 The type of network being used Proxy-Policy-Name =... by the user to connect to the wireless network Policy-Name = students in VLAN 10 The Remote Access Policy being used B.2...
  • Cisco 4402 | Configuration Guide - Page 48
    ... For more information about eduroam, visit www.eduroam.no. The clients which can be added here may be access points, a control unit for wireless equipment (such as a Security Switch) or other RADIUS servers forwarding authentication. NB: When a control unit...
  • Cisco 4402 | Configuration Guide - Page 49
    ... address or full DNS name Under "Vendor name", "RADIUS Standard" may be selected The Shared Secret must be the same in both the client and in the NPS setup. • A different Shared Secret may be used for each client Click on "OK" Repeat this procedure until all the clients have been added. Remember ...
  • Cisco 4402 | Configuration Guide - Page 50
    ... or DNS name of the server. In the "Authentication/Accounting" tab, type in the Authentication Port and Shared Secret • • On the "Load Balancing" tab, no changes are necessary ... group for eduroam and a group for School, have been added. See www.eduroam.no for more information about eduroam.
  • Cisco 4402 | Configuration Guide - Page 51
    ... be forwarded to another RADIUS server (several of which can be configured) 3. All other users to be directed to eduroam Expand "Policies", ... be authenticated using this policy. Click on "OK" followed by "Next" The "Authentication" option controls where the authentication is to be directed to.
  • Cisco 4402 | Configuration Guide - Page 52
    • If one selects "Authenticate request on this server" the user is authenticated on this RADIUS server and the domain of which the user is a member. Proceed as follows: • Click on the "Attributes" tab • Select "Attribute: User-Name" and click on "Add" • Under "Find", type Under "Replace ...
  • Cisco 4402 | Configuration Guide - Page 53
    ...access to users. For example, all users belonging to the security group "Wireless Access Denied" will be assigned the criterion "Access ... optional. Click on "Next" Note the NAS Port Type Select "Ethernet", "Wireless - IEEE 802.11" and "Wireless - Other" Click on "Next", then "Next" again, followed by...
  • Cisco 4402 | Configuration Guide - Page 54
    ... a description of what is needed to assign a user to a different VLAN from that supplied as standard by the access points or controller unit: • Click on "Standard" in the left-hand frame and click on "Add" in the right-hand frame. • Find "Tunnel-...
  • Cisco 4402 | Configuration Guide - Page 55
    ..."Server Roles" and "Network Policy and Access Services". NPS creates the log entries "...file (in C:\Windows\System32\LogFiles) also Network Policy Server granted access to a user. "Granted ...7D The MAC address of the user who is attempting to gain access Client Friendly Name: SecuritySwitch The client ...
  • Cisco 4402 | Configuration Guide - Page 56
    ... obtain a certificate with the help of UNINETT's SCS service, see http://forskningsnett.uninett.no... must be submitted via UNINETT's SCS service and forms the basis for issuing a certificate..." It is then placed in the location specified in the RADIUS configuration, often in /etc/FreeRADIUS/cert/. Below...
  • Cisco 4402 | Configuration Guide - Page 57
    ...bb:41:1c:06:9a:e9:1c:bf:da:2d:7a: 50:e9:12:4d:84:20:71:4e:...c7:d9:71:c6:c3:a3:5e: 50:df:69:d3:0a:5f:7c:...09:4d:1c:11:6b:04:44:25:ba:a2:46:09:23:e4:...77:3A:42:7C:F9:67:66:50:A1:E9:D1:2A:FC:BB:...sha1WithRSAEncryption 52:80:07:f2:9b:a5:50:f2:e3:43:4c:cd:5c:...:9a:7e:5f:11: 44:a1:25:fe:0c:ce:6f:da:52:12:c5:5g...
  • Cisco 4402 | Configuration Guide - Page 58
    References [1] UFS112: Recommended Security System for Wireless Networks. Implementation of IEEE 802.1X. Jardar Leira, UNINETT. 20/12/2007. [2] "...": GEANT2 Deliverable DJ5.1.5,3: Inter-NREN Roaming Infrastructure and Service Support Cookbook - Third Edition. 29/10/2008. ...
  • Cisco 4402 | Configuration Guide - Page 59
    ...-GBIC" (for Gbit Ethernet) Service Set Identifier Cisco Wireless Control System. Software for the administration of WLCs Cisco Wireless Services Module. Plug-in card for Cisco Catalyst 6500 containing two Cisco 4404 wireless controllers Cisco Wireless LAN Controller The Wi-Fi Alliance's Wi-Fi...
  • Cisco 4402 | Configuration Guide - Page 60
    More Best Practice Documents are available at www.terena.org/campus-bp/ [email protected]


