
Cisco 4402 Configuration Guide

Cisco 4402 - Wireless LAN Controller Manual

UPC - 882658039997

Cisco 4402 manual table of contents:

  • Cisco 4402 | Configuration Guide - Page 1
    Guide to configuring eduroam using a Cisco wireless controller Best Practice Document Produced by UNINETT led working group on mobility (No UFS127) Authors: Tore Kristiansen, Jardar Leira, Vidar Faltinsen December 2010
  • Cisco 4402 | Configuration Guide - Page 2
    ...TERENA 2010. All rights reserved. GN3-NA3-T4-UFS127 December 2010 Norwegian "Veiledning for eduroam oppsett med Cisco trådløs controller" September 2010 campus@uninett.no UNINETT bears responsibility for the content of this document. The work...
  • Cisco 4402 | Configuration Guide - Page 3
    ... Network planning: Necessary components; IP addresses and subnets; The wireless controller (WLC); The WCS, MSE and LA administration software ... interface; Defining a RADIUS server; Creating a WLAN (SSID); Connecting access points; Further details ...
  • Cisco 4402 | Configuration Guide - Page 4
    ... 3: Adding clients in IAS; Step 4: Adding server groups to IAS; Step 5: Connection Request ...; Step 7: RADIUS attributes; Step 8: Logging; B.2 Configuring NPS (Windows 2008); Step 1: Add... 2: Radius; Step 3: Adding Remote RADIUS Server Groups; Step 4: Connection Request Policies...
  • Cisco 4402 | Configuration Guide - Page 5
    ... eduroam, including IEEE 802.1X, in a Cisco controller-based environment, i.e. a configuration based on one or more Cisco controllers which govern the traffic to and from Cisco lightweight access ... both to Cisco 5500 Series and 4400 Series controllers (WLC). Any differences in configuration ...
  • Cisco 4402 | Configuration Guide - Page 6
    ...a Cisco controller-based environment, i.e. a configuration based on one or more Cisco controllers which govern the traffic to and from Cisco lightweight access points (... applies both to Cisco 5500 Series and 4400 Series controllers (WLC). Any differences in configuration between ...
  • Cisco 4402 | Configuration Guide - Page 7
    ... of licences later. The 4400 Series includes two different products: 4402 (with two GE ports) and 4404 (with four GE ports).... It is necessary to plan which IP addresses and VLANs are to be used for the various purposes: • The Wireless LAN Controller (WLC) must have administrative IP addresses • ...
  • Cisco 4402 | Configuration Guide - Page 8
    ... Proposed subnets and necessary traffic pattern 1.3 The wireless controller (WLC) The 5500 controller has one administrative IP address (Management), while the ... points, but here the 4400 controller also has the AP Manager address which is used in communication with the ...
  • Cisco 4402 | Configuration Guide - Page 9
    ... as the router address. It does not matter which address is used for the controller, but as a matter of form we recommend using an address ... NB: For 5500 series controllers, it is not necessary to configure an AP Manager address. The Management interface acts as an AP Manager interface by default and...
  • Cisco 4402 | Configuration Guide - Page 10
    ... the controller or that the information must have been entered manually (via a serial cable). 2) DHCP server discovery. By using DHCP option 43 for the subnet, the address of the controller can be provided simultaneously with other information via DHCP. ...
  • Cisco 4402 | Configuration Guide - Page 11
    ...point uses the domain name (provided by DHCP) in conjunction with the unit name "CISCO-CAPWAP-CONTROLLER" or "CISCO-LWAPP-CONTROLLER" and then looks this up...domain name "uninett.no", in conjunction with "CISCO-CAPWAP-CONTROLLER" gives "CISCO-CAPWAP-CONTROLLER.uninett.no". Of course,...
  • Cisco 4402 | Configuration Guide - Page 12
    unable to distinguish between IP addresses used by wired clients, which are often anonymous, and wireless clients. It is also desirable to reduce ... certificate for the RADIUS server. The server certificate is used by the wireless client to verify the authenticity of the RADIUS server before 802.1X
  • Cisco 4402 | Configuration Guide - Page 13
    ...for FreeRADIUS 2.x. Once IEEE 802.1X is functioning internally, the national connection to eduroam can be configured. In general terms this involves... UFS112 [1] and the "eduroam cookbook" [2]. - Obtain server certificate for RADIUS Configure RADIUS server for the user database Connect RADIUS server...
  • Cisco 4402 | Configuration Guide - Page 14
    ...configuration. Strictly speaking, all configuration work can be performed via the command line (CLI) but the controllers do not use Cisco's IOS, and Cisco recommends the use of... character to backup System Name [Cisco_34:21:11]: WLC Enter Administrative User Name (24 characters max): ...
  • Cisco 4402 | Configuration Guide - Page 15
    ...saved! Resetting system with new configuration... Note: As mentioned above, the AP Manager Interface must not be configured in the 5500 controller. Here the Management...their controller. The address should therefore be registered in the DNS as "CISCO-CAPWAP-CONTROLLER.yourdomain.no" and "CISCO...
  • Cisco 4402 | Configuration Guide - Page 16
    ... to 4]: For a stand-alone controller, an SFP port must be selected. This is normally Port 1. Management Interface DHCP Server IP Address: The IP... version 5.2 and newer in autonomous controllers. AP Manager Interface IP Address: (not applicable to the WLC 5500 Series) When using a...
  • Cisco 4402 | Configuration Guide - Page 17
    3.2 Further configuration via web browser Once the controller has restarted, it will be ready for configuration via the web browser in communication with the Management address or service interface. 3.2.1 Creating a virtual interface Path: Controller → ...
  • Cisco 4402 | Configuration Guide - Page 18
    The controller must have its own IP address in each VLAN which it is to serve. Strictly speaking, it...a good rule to use the first available after the router's address. The screen shot shows a typical configuration for such a virtual interface. 3.2.2 Defining a RADIUS server Path: Security → RADIUS...
  • Cisco 4402 | Configuration Guide - Page 19
    Path: Security → RADIUS → Accounting Accounting should also be configured and is required by eduroam. This is done in exactly the same way as for Authentication, but normally uses UDP port 1813.
  • Cisco 4402 | Configuration Guide - Page 20
    ...a WLAN (SSID) Path: WLANs → WLANs Initially all that is needed is the SSID "eduroam", but usually it ...An SSID can serve one or more of the virtual interfaces which have previously been defined and ...be done is to define a profile name and specify an SSID. This information cannot be changed later.
  • Cisco 4402 | Configuration Guide - Page 21
    Under General, the WLAN can be enabled or disabled at any time. Usually the SSID is set to broadcast and for eduroam this is mandatory. Here we have configured "Interface" as a virtual interface intended for the use of guests. This VLAN has the lowest level of security ...
  • Cisco 4402 | Configuration Guide - Page 22
    WPA+WPA2 are configured under Security and Layer 2. It is actually in conflict with 802.11i to have more than one method in a single network, but it is very common and is supported by most clients. However, since not all clients support other "variants", it is ...
  • Cisco 4402 | Configuration Guide - Page 23
    Security Layer 3 shall be "None".
  • Cisco 4402 | Configuration Guide - Page 24
    Under Security AAA Servers we select the previously defined RADIUS servers for Authentication and Accounting.
  • Cisco 4402 | Configuration Guide - Page 25
    ... employee, student or guest, without using different wireless profiles. Aironet IE: Enabled - Useful for those clients with this type of support. P2P Blocking Action: Disabled - This determines whether wireless clients are able to communicate directly with each...
  • Cisco 4402 | Configuration Guide - Page 26
    ... to protect against DoS, man-in-the-middle and dictionary attacks on the wireless network. To enable Client Protection, the clients must support CCX (Cisco Compatible eXtension program). After pressing "Apply", this WLAN will be activated.
  • Cisco 4402 | Configuration Guide - Page 27
    ... some access points to the network. Section 1.5.1 explains the access point connection process. All access points have their own X509 certificates. For this to function and for the access point to connect, it is important that the WLC's time is correctly set so that the certificate is valid.
  • Cisco 4402 | Configuration Guide - Page 28
    WLC supports NTP, which is set at another location. NTP server is usually the nearest router. If not, another NTP server can be used, as in this example. If a previously autonomous access point has been converted to a lightweight access point and the application has not specified an SSC for the ...
  • Cisco 4402 | Configuration Guide - Page 29
    ... SSID which has been created. Under Management one may wish to configure a number of things, such as SNMP parameters (which shall be used in communication with, among ... EAP authentication, the section "Manipulating EAP Timers" in the Cisco document http://www.cisco.com/en/US/tech/tk722/tk809/...
  • Cisco 4402 | Configuration Guide - Page 30
    ... and coverage of the wireless network, i.e. as many access points as possible. • Covering the required area using ... into account if one is planning to use as few access points as possible. If .... • An access point of the type to be used, in an autonomous version, since the controller is not yet
  • Cisco 4402 | Configuration Guide - Page 31
    ... and/or the cabling is not yet installed. Configure a unique SSID and preferably use a long Cat 5 cable and PoE for.... UNINETT also offers AirMagnet Spectrum Analyzer [3] (this product is now owned by Cisco), which displays everything happening in the frequency range, not just 802.11 traffic. This is ...
  • Cisco 4402 | Configuration Guide - Page 32
    ... Some newer access points which support 802.11n require more power and ...solution also results in the loss of the possibility of remotely controlling the power supply in order to switch the access ...access point. Note that the correct way to install a Cisco AP1130/AP1140/3500i is with the flat, plastic ...
  • Cisco 4402 | Configuration Guide - Page 33
    ...autonomous access points. As mentioned earlier, this type of configuration is not recommended from the point of view of security. A.1 VLAN setup First we set up the VLAN, assuming that the access point is already configured with the necessary Management IP address, etc...
  • Cisco 4402 | Configuration Guide - Page 34
    A.2 Encryption configuration Now go to SECURITY → Encryption Manager and specify the necessary encryptions for VLAN 21. The minimum requirement here is TKIP, since not all types support AES. Select "Enable rotation" of the key and specify a value of, for example, 36,000 seconds.
  • Cisco 4402 | Configuration Guide - Page 35
    A.3 RADIUS configuration Go to SECURITY → Server Manager and add the external RADIUS server using the shared secret. Specify the port number of the Authentication Port and Accounting Port, as well as the IP address for EAP Authentication and Accounting (in this case the same RADIUS server).
  • Cisco 4402 | Configuration Guide - Page 36
    A.4 Default VLAN Now go to SECURITY → SSID Manager and specify the default VLAN.
  • Cisco 4402 | Configuration Guide - Page 37
    ...Configuring Microsoft RADIUS servers B.1 Configuring IAS (Windows 2003) NB: This explanation assumes that the Windows 2003 server is registered in the domain. Step 1: Installation of IAS Go to Control Panel ... Authentication Service". Now click on "OK", "Next" and "Apply" to install IAS. ...
  • Cisco 4402 | Configuration Guide - Page 38
    Step 2: Connecting to domain and certificates Go to "Administrative Tools" on the Control Panel. Start "Internet Authentication Service": Click on "Action" in the file menu. Click on "Register Server in Active Directory" A certificate is required to ...
  • Cisco 4402 | Configuration Guide - Page 39
    ...which can be added here may be access points, a control unit for wireless equipment (such as a Security Switch) or other RADIUS...servers forwarding authentication requests here. NB: When a control unit, such as a Security Switch or similar, is used for a wireless network one usually only needs to add ...
  • Cisco 4402 | Configuration Guide - Page 40
    ... "Next" Select "Custom" and type in a name for the server group • If this is the server group used for connection to eduroam, the server group ...On the "Address" tab, enter the IP address or DNS name of the server. On the Authentication/Accounting tab, fill in the Authentication port and the shared ...
  • Cisco 4402 | Configuration Guide - Page 41
    ... employees locally and forward all students to the RADIUS server associated with the school domain, while another policy directs all...locally 2. Users who are to be forwarded to another RADIUS server (several of which can be configured) 3. All other users to be directed to eduroam 1. Right-click on "...
  • Cisco 4402 | Configuration Guide - Page 42
    ....no RADIUS server. The "Employee" RADIUS server is the last in the series and receives authentications it is to use and forwards them. Criteria for ... may also select "Forward requests to the following remote RADIUS server group for authentication": the authentication request is then forwarded to one ...
  • Cisco 4402 | Configuration Guide - Page 43
    Create a Connection Request Policy for every connection this RADIUS server is to serve.
  • Cisco 4402 | Configuration Guide - Page 44
    ...Some standard options may be: "NAS-Port-Type" adding "Ethernet", "Wireless - IEEE802.11" and "... example, all users belonging to the security group "Wireless Access Denied" will be assigned the criterion "Deny remote ... version 2 (MS-CHAP v2)" The use of "User can change password after it has expired" ...
  • Cisco 4402 | Configuration Guide - Page 45
    ...select the "Advanced" tab There are many ways of configuring different RADIUS attributes. The following is a description ... VLAN from that supplied as standard by the access points or controller unit Click on "Add", select "Tunnel-... on "Add" again and select "802 (Includes all 802 media plus Ethernet ...
  • Cisco 4402 | Configuration Guide - Page 46
    ... IAS adds log entries to the Event Log and writes them to a file. Open "Event Viewer" and select "System". All events under Source "IAS" are logs generated by IAS. IAS creates the log entries "Error", "Warning" and "Information". The logs contain a great deal of useful information such as:
  • Cisco 4402 | Configuration Guide - Page 47
    ... user who is attempting to gain access NAS-Port-Type = Wireless - IEEE 802.11 The type of network being used Proxy-Policy-Name = School ... Policy being used Authentication-Provider = Windows The program used by the user to connect to the wireless network Policy-Name = students in ...
  • Cisco 4402 | Configuration Guide - Page 48
    ... which can be added here may be access points, a control unit for wireless equipment (such as a Security Switch) or other RADIUS servers forwarding authentication. NB: When a control unit, such as a Security Switch or similar, is used for a wireless network one usually only needs to add it ...
  • Cisco 4402 | Configuration Guide - Page 49
    ...selected The Shared Secret must be the same in both the client and in the NPS setup. • A different Shared Secret may be used for each client Click on "OK... also be added as clients. NB: If this is the central RADIUS server which is to be connected to eduroam, the core must also be added...
  • Cisco 4402 | Configuration Guide - Page 50
    .... If the server is to be in communication with eduroam, eduroam must be added as a server group. • Right-click on "Remote RADIUS Server Groups" and select "New" • Type in a "Group name" and click on "Add" If this is the server group used for connection to eduroam, the server group ...
  • Cisco 4402 | Configuration Guide - Page 51
    ... locally 2. Users who are to be forwarded to another RADIUS server (several of which can be configured) 3. All other users to be directed to ....school.no shall be authenticated using this policy. Click on "OK" followed by "Next" The "Authentication" option controls where the authentication is to be ...
  • Cisco 4402 | Configuration Guide - Page 52
    • If one selects "Authenticate request on this server" the user is authenticated on this RADIUS server and the domain of which the user is a... One may also select "Forward requests to the following remote RADIUS server group for authentication". The authentication request is then forwarded to one ...
  • Cisco 4402 | Configuration Guide - Page 53
    .... For example, all users belonging to the security group "Wireless Access Denied" will be assigned the criterion "Access denied". But ... on "Next" Note the NAS Port Type Select "Ethernet", "Wireless - IEEE 802.11" and "Wireless - Other" Click on "Next", then "Next" again, followed by "Finish" Do ...
  • Cisco 4402 | Configuration Guide - Page 54
    ... "Properties" • Go to the "Settings" tab There are many ways of configuring different RADIUS attributes. The following is a description of what is ... to a different VLAN from that supplied as standard by the access points or controller unit: • Click on "Standard" in the left-hand frame and click ...
  • Cisco 4402 | Configuration Guide - Page 55
    ... and go to "Custom Views", "Server Roles" and "Network Policy and Access Services". NPS creates the...Name: Employee VLAN 77 The Network Policy being used Authentication Server: RADIUS.employee.school.no The ...being used EAP Type: The type of EAP being used Microsoft: Secured password (EAP-MSCHAP v2) ...
  • Cisco 4402 | Configuration Guide - Page 56
    ... as "somethingorother.pem" It is then placed in the location specified in the RADIUS configuration, often in /etc/FreeRADIUS/cert/. Below is an example ... is an example of the output obtained when this command was run for a TERENA partial certificate valid for the server called "radius-test.uninett.no...
  • Cisco 4402 | Configuration Guide - Page 57
    ... SSL CA Validity Not Before: May 12 00:00:00 2010 GMT Not ...:f4:65:cf:f5:86:cd:12:0f:55:76:df:83:10:...:1c:bf:da:2d:7a: 50:e9:12:4d:84:20:71:4e:a9:9c:66:63:db... X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3...:11: 44:a1:25:fe:0c:ce:6f:da:52:12:c5:5g:d9:e0:23:fa...
  • Cisco 4402 | Configuration Guide - Page 58
    References [1] UFS112: Recommended Security System for Wireless Networks. Implementation of IEEE 802.1X. Jardar Leira, UNINETT. 20/12/2007. [2] "...": GEANT2 Deliverable DJ5.1.5,3: Inter-NREN Roaming Infrastructure and Service Support Cookbook - Third Edition. 29/10/2008. ...
  • Cisco 4402 | Configuration Guide - Page 59
    ... pluggable transceiver or "mini-GBIC" (for Gbit Ethernet) Service Set Identifier Cisco Wireless Control System. Software for the administration of WLCs... Module. Plug-in card for Cisco Catalyst 6500 containing two Cisco 4404 wireless controllers Cisco Wireless LAN Controller The Wi-Fi Alliance's Wi-Fi...
  • Cisco 4402 | Configuration Guide - Page 60
    More Best Practice Documents are available at www.terena.org/campus-bp/ campus-bp-announcements@terena.org


