Cisco 4402 Configuration Guide

Cisco 4402 - Wireless LAN Controller Manual

Cisco 4402 manual content summary:

  • Cisco 4402 | Configuration Guide - Page 1
    Guide to configuring eduroam using a Cisco wireless controller Best Practice Document Produced by UNINETT led working group on mobility (No UFS127) Authors: Tore Kristiansen, Jardar Leira, Vidar Faltinsen December 2010
  • Cisco 4402 | Configuration Guide - Page 2
    2010 Norwegian "Veiledning for eduroam oppsett med Cisco trådløs controller" September 2010 [email protected] UNINETT bears responsibility for the content of this document. The work has been carried out by a UNINETT led working group on mobility as part of a joint-venture project within the HE
  • Cisco 4402 | Configuration Guide - Page 3
    subnets 1.3 The wireless controller (WLC) 1.4 The WCS, MSE and LA administration software 1.5 Access points 1.5.1 The access point connection process 1.6 Users 2 Configuring RADIUS 3 Configuring a controller 3.1 Initial configuration on a console 3.2 Further configuration via web browser
  • Cisco 4402 | Configuration Guide - Page 4
    Step 1: Installation of IAS 37 Step 2: Connecting to domain and certificates 38 Step 3: Adding clients in IAS 39 Step 4: Adding server groups to IAS 40 Step 5: Connection Request Policies 41 Step 6: Remote Access Policies 44 Step 7: RADIUS attributes 45 Step 8: Logging 46 B.2
  • Cisco 4402 | Configuration Guide - Page 5
    traffic to and from Cisco lightweight access points (LAP). The guide applies both to Cisco 5500 Series and 4400 Series controllers (WLC). Any differences in configuration between the 5500 Series and the 4400 Series are specified. In principle the guide will also apply to wireless systems provided by
  • Cisco 4402 | Configuration Guide - Page 7
    module in its spare parts storeroom which may be sent out in the event of serious operational problems. If one only has a single controller, WCS (Wireless Control System) management software is strictly speaking not necessary. It is perfectly possible to manage with a web-based management interface
  • Cisco 4402 | Configuration Guide - Page 8
    a configuration in which, for example, the operating network and services are in the same subnet. In any event it is recommended that the access points be located in a dedicated subnet, since these network points are exposed in open premises and risk being tapped. The controller(s) (WLC(s)) should
  • Cisco 4402 | Configuration Guide - Page 9
    administration network NB: For 5500 series controllers, it is not necessary to configure an AP Manager address. The Management interface acts as an AP Manager interface by default and the APs will associate themselves with this interface. WCS's address in the service VLAN - Near the beginning of
  • Cisco 4402 | Configuration Guide - Page 10
    will be used. Once the configuration has been downloaded to the access point (and any new firmware), it will begin to use the AP Manager address instead. The methods supported by an access point for the initial discovery of a controller vary somewhat depending on what model of access point is in use
  • Cisco 4402 | Configuration Guide - Page 11
    . Cisco access points do not support an option containing several domain specifications, such as option domain-name "uninett.no win.uninett.no home.uninett.no"; Configure a VLAN with an IPv4 subnet large enough for all access points with realistic growth potential. Configure DHCP support
  • Cisco 4402 | Configuration Guide - Page 12
    . A guide to the configuration of Microsoft IAS and NPS is provided in Attachment B. A common requirement for all installations is a server certificate for the RADIUS server. The server certificate is used by the wireless client to verify the authenticity of the RADIUS server before 802.1X 12
  • Cisco 4402 | Configuration Guide - Page 13
    UNINETT's server certificate service, SCS (http://www.uninett.no/scs). UNINETT is actually a member of TERENA's TCS (TERENA Certificate Service) project and can supply user certificates to our members who belong to Comodo UserTrust. Most operating systems are accompanied by a client certificate with
  • Cisco 4402 | Configuration Guide - Page 14
    serial cable / console for the initial configuration using the Configuration Wizard in the CLI B. Use of service port / management with a web browser (HTTP) for further configuration. 1. Create virtual interfaces 2. Define RADIUS servers 3. Create a WLAN 4. Connect access points. Note: Some versions
  • Cisco 4402 | Configuration Guide - Page 15
    yes Enable 802.11g Network [YES][no]: yes Enable Auto-RF [YES][no]: yes Configuration saved! Resetting system with new configuration... Note: As mentioned above, the AP Manager Interface must not be configured in the 5500 controller. Here the Management Interface acts as an AP Manager Interface. The
  • Cisco 4402 | Configuration Guide - Page 16
    UDP ports 12222/12223 and 5246/5247 from the subnet in which the access points are located. AP Manager Interface DHCP Server: As for the Management address. Virtual Gateway IP Address: 1.1.1.1 This is used if Layer 3 security is being used (e.g. in a web portal) or if there are several controllers
  • Cisco 4402 | Configuration Guide - Page 17
    has restarted, it will be ready for configuration via the web browser in communication with the Management address or service interface. 3.2.1 Creating a virtual interface Path: Controller → Interfaces A virtual interface must be created for every VLAN one wishes to make available to users
  • Cisco 4402 | Configuration Guide - Page 18
    address. The screen shot shows a typical configuration for such a virtual interface. 3.2.2 Defining a RADIUS server Path: Security → RADIUS → Authentication It is advisable to ensure that the RADIUS servers are in place before beginning to define a WLAN. Several RADIUS servers may be included, which
  • Cisco 4402 | Configuration Guide - Page 19
    Path: Security → RADIUS → Accounting Accounting should also be configured and is required by eduroam. This is done in exactly the same way as for Authentication, but normally uses UDP port 1813. 19
  • Cisco 4402 | Configuration Guide - Page 20
    3.2.3 Creating a WLAN (SSID) Path: WLANs → WLANs Initially all that is needed is the SSID "eduroam", but usually it is desirable to have an SSID for guests who cannot use "eduroam" or if an SSID is required for testing. An SSID can serve one or more of the virtual interfaces which have previously
  • Cisco 4402 | Configuration Guide - Page 21
    Under General, the WLAN can be enabled or disabled at any time. Usually the SSID is set to broadcast and for eduroam this is mandatory. Here we have configured "Interface" as a virtual interface intended for the use of guests. This VLAN has the lowest level of security and functions as a fall-back
  • Cisco 4402 | Configuration Guide - Page 22
    WPA+WPA2 are configured under Security and Layer 2. It is actually in conflict with 802.11i to have more than one method in a single network, but it is very common and is supported by most clients. However, since not all clients support other "variants", it is recommended to keep to WPA-TKIP and
  • Cisco 4402 | Configuration Guide - Page 23
    Security Layer 3 shall be "None". 23
  • Cisco 4402 | Configuration Guide - Page 24
    Under Security AAA Servers we select the previously defined RADIUS servers for Authentication and Accounting. 24
  • Cisco 4402 | Configuration Guide - Page 25
    are TOS (Type Of Service) values for IP tagging. Unfortunately this tagging will apply to all clients in this WLAN and therefore in practice is not applicable to eduroam. On the other hand, WMM depends on the relationship between the controller (access point) and clients, and may provide measurable
  • Cisco 4402 | Configuration Guide - Page 26
    of DHCP address and some clients have problems with handling this situation. Management Frame Protection (MFP) - Attempts to protect against DoS, man-in-the-middle and dictionary attacks on the wireless network. To enable Client Protection, the clients must support CCX (Cisco Compatible eXtension
  • Cisco 4402 | Configuration Guide - Page 27
    so far it is time to connect some access points to the network. Section 1.5.1 explains the access point connection process. All access points have their own X509 certificates. For this to function and for the access point to connect, it is important that the WLC's time is correctly set so that the
  • Cisco 4402 | Configuration Guide - Page 28
    WLC supports NTP, which is set at another location. The NTP server is usually the nearest router. If not, another NTP server can be used, as in this example. If a previously autonomous access point has been converted to a lightweight access point and the application has not specified an SSC for the access
  • Cisco 4402 | Configuration Guide - Page 29
    3.2.5 Further details Once an access point has been connected it will be possible to see the SSID which has been created. Under Management one may wish to configure a number of things, for EAP authentication, the section "Manipulating EAP Timers" in the Cisco document http://www.cisco.com/en/US
  • Cisco 4402 | Configuration Guide - Page 30
    • Optimal capacity and coverage of the wireless network, i.e. as many access points as possible. • Covering the required area using the smallest possible number of access points. A third option may be to build the infrastructure to optimally detect the location of clients, but this is considered of
  • Cisco 4402 | Configuration Guide - Page 31
    Cat 5 cable and PoE for power supply. Network connection is not needed, although it is preferable, since one will want to change the power level as one determines what may work best under the current circumstances. • A telescopic pole or other equipment to locate the access point temporarily as
  • Cisco 4402 | Configuration Guide - Page 32
    .11n require more power and consequently one must have 802.3at. PoE is far more practical and usually cheaper than installing a separate power outlet close to the access point and connecting a permanent power supply. That solution also results in the loss of the possibility of remotely controlling
  • Cisco 4402 | Configuration Guide - Page 33
    is not recommended from the point of view of security. A.1 VLAN setup First we set up the VLAN, assuming that the access point is already configured with the necessary Management IP address, etc. 1. Log on to the access point using a web browser. 2. Go to SERVICES→VLAN to create the necessary
  • Cisco 4402 | Configuration Guide - Page 34
    A.2 Encryption configuration Now go to SECURITY → Encryption Manager and specify the necessary encryptions for VLAN 21. The minimum requirement here is TKIP, since not all types support AES. Select "Enable rotation" of the key and specify a value of, for example, 36,000 seconds. 34
  • Cisco 4402 | Configuration Guide - Page 35
    A.3 RADIUS configuration Go to SECURITY → Server Manager and add the external RADIUS server using the shared secret. Specify the port number of the Authentication Port and Accounting Port, as well as the IP address for EAP Authentication and Accounting (in this case the same RADIUS server). 35
  • Cisco 4402 | Configuration Guide - Page 36
    A.4 Default VLAN Now go to SECURITY → SSID Manager and specify the default VLAN. 36
  • Cisco 4402 | Configuration Guide - Page 37
    Microsoft RADIUS servers B.1 Configuring IAS (Windows 2003) NB: This explanation assumes that the Windows 2003 server is registered in the domain. Step 1: Installation of IAS Go to Control Panel → Add or Remove Programs → Add/Remove Windows Components Select "Networking Services" and click
  • Cisco 4402 | Configuration Guide - Page 38
    Go to "Administrative Tools" on the Control Panel. Start "Internet Authentication Service": Click on "Action" in the file menu. Click on "Register Server in Active Directory" A certificate is required to activate PEAP. To add a certificate: • Start → Run • Type "mmc" and click on "OK". • In
  • Cisco 4402 | Configuration Guide - Page 39
    unit, such as a Security Switch or similar, is used for a wireless network one usually only needs to add it as a client and not all the access points. Go to "Administrative Tools" on the Control Panel. Start "Internet Authentication Service" Check if IAS is running; if not, click on "Action" in
  • Cisco 4402 | Configuration Guide - Page 40
    group. • On the "Address" tab, enter the IP address or DNS name of the server. • On the Authentication/Accounting tab, fill in the Authentication port and the shared secret • On the "Load Balancing" tab, no changes are necessary in systems with redundancy. • Click on "OK" followed by "Next" • Remove
  • Cisco 4402 | Configuration Guide - Page 41
    the eduroam core. Since the policies are handled in a specific order, it is important that this is done correctly. 1. Users who are to be authenticated locally 2. Users who are to be forwarded to another RADIUS server (several of which can be configured) 3. All other users to be directed to eduroam
  • Cisco 4402 | Configuration Guide - Page 42
    click on "Add" • Under "Find", type: (.*)@(.*) and under "Replace with", type: $1 • One may also select "Forward requests to the following remote RADIUS server group for authentication": the authentication request is then forwarded to one of the server groups created in Step 4. Click on "OK" followed
  • Cisco 4402 | Configuration Guide - Page 43
    Create a Connection Request Policy for every connection this RADIUS server is to serve. 43
  • Cisco 4402 | Configuration Guide - Page 44
    Add", select "Protected EAP (PEAP)", click on "OK". • To check that a PEAP has been created with a single certificate, click on "Edit ..." Click on "OK" and tick: • "Microsoft Encrypted Authentication version 2 (MS-CHAP v2)" • The use of "User can change password after it has expired" is optional 44
  • Cisco 4402 | Configuration Guide - Page 45
    configuring different RADIUS attributes. The following is a description of what is needed to assign a user to a different VLAN from that supplied as standard by the access points or controller on "Add" • Click on "Add" again and select "Virtual LANs (VLAN)" • Click on "OK" twice, then click on "Close
  • Cisco 4402 | Configuration Guide - Page 46
    Click on "OK" twice and repeat this step for all the Remote Access Policies which are to be modified. Step 8: Logging IAS adds log entries to the Event Log and writes them to a file. Open "Event Viewer" and
  • Cisco 4402 | Configuration Guide - Page 47
    Policy being used Authentication-Provider = Windows The program used by the user to connect to the wireless network Policy-Name = students in VLAN 10 The Remote Access Policy being used B.2 Configuring NPS (Windows 2008) Step 1: Add a role Add the role "Network Policy and Access Services", the only
  • Cisco 4402 | Configuration Guide - Page 48
    the console window. Step 2: Radius The clients are permitted to submit authentication requests to the RADIUS server, which the server then grants locally or forwards. For more information about eduroam, visit www.eduroam.no. The clients which can be added here may be access points, a control unit
  • Cisco 4402 | Configuration Guide - Page 49
    same in both the client and in the NPS setup. • A different Shared Secret may be used for each client • Click on "OK" Repeat this procedure until all the clients have been added. Remember that other RADIUS servers which forward authentication requests shall also be added as clients. NB: If this is
  • Cisco 4402 | Configuration Guide - Page 50
    " • On the "Address" tab, enter the IP address or DNS name of the server. • In the "Authentication/Accounting" tab, type in the Authentication Port and Shared Secret • On the "Load Balancing" tab, no changes are necessary in systems with redundancy. • Click on "OK" in both windows. Repeat this
  • Cisco 4402 | Configuration Guide - Page 51
    Users who are to be authenticated locally 2. Users who are to be forwarded to another RADIUS server (several of which can be configured) 3. All other users to authentication to the employee.school.no RADIUS server. The "Employee" RADIUS server is the last in the series and receives authentication
  • Cisco 4402 | Configuration Guide - Page 52
    " and click on "Add" • Under "Find", type Under "Replace with", type: $1 • One may also select "Forward requests to the following remote RADIUS server group for authentication". The authentication request is then forwarded to one of the server groups created in Step 3. Click on "Next" • "Override
  • Cisco 4402 | Configuration Guide - Page 53
    and click on "OK" • Ensure that "Microsoft Encrypted Authentication version 2 (MS-CHAP v2)" is ticked. o The remainder of the selections are optional. • Click on "Next" • Note the NAS Port Type • Select "Ethernet", "Wireless - IEEE 802.11" and "Wireless - Other" • Click on "Next", then "Next" again
  • Cisco 4402 | Configuration Guide - Page 54
    configuring different RADIUS attributes. The following is a description of what is needed to assign a user to a different VLAN from that supplied as standard by the access points or controller click on "Add" • Click on "Add" and select "Virtual LANs (VLAN)" • Click on "OK" twice and then on "Close"
  • Cisco 4402 | Configuration Guide - Page 55
    -F5-34-7D The MAC address of the user who is attempting to gain access Client Friendly Name: SecuritySwitch The client which has sent the authorisation request to this RADIUS server Client IP Address: The client's IP address 10.10.10.91 Proxy Policy Name: Local The Connection Request Policy
  • Cisco 4402 | Configuration Guide - Page 56
    the basis for issuing a certificate. When this has been completed, the certificate must be installed on the RADIUS server. FreeRADIUS requires the entire certificate chain to be included in the final certificate. In effect the certificate will consist of three parts: first the private key you have
  • Cisco 4402 | Configuration Guide - Page 57
    :41:1c:06:9a:e9:1c:bf:da:2d:7a: 50:e9:12:4d:84:20:71:4e:a9:9c:66:63:db:70 Web Server Authentication, TLS Web Client Authentication X509v3 Certificate Policies: Policy: 1.3.6.1.4.1.6449.1.2.2.29 X509v3 CRL Distribution Points: URI:http://crl.tcs.terena.org/TERENASSLCA.crl Authority Information Access
  • Cisco 4402 | Configuration Guide - Page 58
    References [1] UFS112: Recommended Security System for Wireless Networks. Implementation of IEEE 802.1X. Jardar Leira, UNINETT. 20/12/2007. [2] "eduroam cookbook": GEANT2 Deliverable DJ5.1.5,3: Inter-NREN Roaming Infrastructure and Service Support Cookbook - Third Edition. 29/10/2008. Found at
  • Cisco 4402 | Configuration Guide - Page 59
    WCS WiSM WLC WMM Control And Provisioning of Wireless Access Points protocol, defined in RFC5415 Command Line Interface Cisco Location Appliance. Optional software application which provides location services. Lightweight Access Point Lightweight Access Point Protocol Mobility Service Engine Small
  • Cisco 4402 | Configuration Guide - Page 60
    More Best Practice Documents are available at www.terena.org/campus-bp/ [email protected]

Guide to configuring eduroam
using a Cisco wireless controller
Best Practice Document
Produced by UNINETT led working group
on mobility
(No UFS127)
Authors: Tore Kristiansen, Jardar Leira, Vidar Faltinsen
December 2010