Cisco 4402 Configuration Guide - Page 11



http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00808714fe.shtml

3) DNS discovery. The access point combines the domain name it received from DHCP with the
host name "CISCO-CAPWAP-CONTROLLER" or "CISCO-LWAPP-CONTROLLER" and looks the result up
in DNS. For example, the domain name "uninett.no" together with "CISCO-CAPWAP-CONTROLLER"
gives "CISCO-CAPWAP-CONTROLLER.uninett.no". This of course requires the controller to be
registered in DNS first. It is recommended that both the "CISCO-CAPWAP-CONTROLLER" and the
"CISCO-LWAPP-CONTROLLER" name be entered in DNS, since older access points will not
recognise CAPWAP during initial association (until they have been upgraded).

For ISC DHCP, enter:

option domain-name "yourdomain.no";

...in the subnet or shared-network declaration, or globally. Cisco access points do not
support an option containing several domain names, such as

option domain-name "uninett.no win.uninett.no home.uninett.no";

Configure a VLAN with an IPv4 subnet large enough for all access points, with realistic
growth potential. Configure DHCP support for this subnet. Use Layer 3 communication between
the access points and the controller.

All incoming and outgoing traffic in the access point subnet shall be blocked except:
- If CAPWAP: UDP 5246 and UDP 5247 to/from the access point VLAN
- If LWAPP: UDP 12222 and UDP 12223 to/from the access point VLAN
- DNS: UDP 53 (may be restricted to the relevant DNS servers)
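The steps of section 1.5 (the single-domain DHCP option, the two discovery names to register in DNS, a subnet sized with headroom, and the filter around the access point VLAN) modelled in one script. This is an added example, not configuration from this guide or from Cisco; the domain, the addresses, the growth factor and the restriction of the tunnel ports to named controllers are assumptions for illustration:

```python
"""Added example for section 1.5 (not from the UNINETT guide or Cisco):
models the access point subnet provisioning described above - the single
domain an ISC dhcpd.conf may hand out, the two discovery names the AP will
resolve, the subnet size with growth headroom, and the filter around the
AP VLAN. Addresses, domain and growth factor are assumed for illustration."""
import ipaddress
import re

# Host names an AP prepends to the DHCP-supplied domain (section 1.5, item 3).
DISCOVERY_NAMES = ("CISCO-CAPWAP-CONTROLLER", "CISCO-LWAPP-CONTROLLER")
# UDP ports the guide permits: control and data for each tunnel protocol.
CAPWAP_PORTS = (5246, 5247)
LWAPP_PORTS = (12222, 12223)
DNS_PORT = 53

_DOMAIN_OPTION = re.compile(r'^\s*option\s+domain-name\s+"([^"]*)"\s*;', re.M)


def domain_from_dhcpd(fragment):
    """Return the domain in an ISC dhcpd.conf 'option domain-name' line.

    Rejects values carrying several domains, which Cisco APs do not support.
    """
    match = _DOMAIN_OPTION.search(fragment)
    if match is None:
        raise ValueError("fragment has no option domain-name")
    value = match.group(1).strip()
    if len(value.split()) != 1:
        raise ValueError("Cisco APs need exactly one domain, got %r" % value)
    return value.rstrip(".")


def discovery_fqdns(domain):
    """Both names must exist in DNS; pre-upgrade APs only try the LWAPP one."""
    return [f"{name}.{domain}" for name in DISCOVERY_NAMES]


def zone_records(domain, controller_ips):
    """BIND-style A records for the discovery names (zone layout assumed)."""
    return [f"{fqdn}. IN A {ip}"
            for fqdn in discovery_fqdns(domain) for ip in controller_ips]


def prefix_for_access_points(ap_count, growth_factor=2.0):
    """Smallest IPv4 prefix whose usable hosts cover the APs plus headroom.

    growth_factor is an assumed planning figure; one extra host is reserved
    for the default gateway.
    """
    needed = int(ap_count * growth_factor) + 1
    for prefix in range(30, 7, -1):
        if 2 ** (32 - prefix) - 2 >= needed:
            return prefix
    raise ValueError("too many access points for one IPv4 subnet")


class ApSubnetFilter:
    """Stateless model of the filter the guide puts around the AP VLAN.

    Everything to or from the AP subnet is dropped except the tunnel ports of
    the chosen protocol and DNS. Limiting the peers to known controllers and
    resolvers is an added tightening, not something the guide requires.
    """

    def __init__(self, ap_subnet, protocol="capwap", controllers=None, dns_servers=None):
        self.ap_subnet = ipaddress.ip_network(ap_subnet)
        self.tunnel_ports = set(CAPWAP_PORTS if protocol == "capwap" else LWAPP_PORTS)
        self.controllers = {ipaddress.ip_address(c) for c in controllers} if controllers else None
        self.dns_servers = {ipaddress.ip_address(d) for d in dns_servers} if dns_servers else None

    def permits(self, proto, src, sport, dst, dport):
        """Decide one packet; the port that matters is the non-AP side's."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src in self.ap_subnet:
            peer, peer_port = dst, dport        # AP -> controller or resolver
        elif dst in self.ap_subnet:
            peer, peer_port = src, sport        # controller or resolver -> AP
        else:
            raise ValueError("packet does not touch the access point subnet")
        if proto != "udp":
            return False
        if peer_port in self.tunnel_ports:
            return self.controllers is None or peer in self.controllers
        if peer_port == DNS_PORT:
            return self.dns_servers is None or peer in self.dns_servers
        return False


if __name__ == "__main__":
    # Constructed dhcpd.conf fragment; the addresses are not from any real site.
    DHCPD_FRAGMENT = """
    subnet 10.60.0.0 netmask 255.255.255.0 {
        option domain-name "example.org";
        option routers 10.60.0.1;
        range 10.60.0.10 10.60.0.250;
    }
    """
    domain = domain_from_dhcpd(DHCPD_FRAGMENT)
    print("\n".join(zone_records(domain, ["10.10.0.5"])))
    print("prefix for 100 APs:", prefix_for_access_points(100))
    acl = ApSubnetFilter("10.60.0.0/24", controllers=["10.10.0.5"], dns_servers=["10.10.0.53"])
    print("AP join:", acl.permits("udp", "10.60.0.10", 40000, "10.10.0.5", 5246))
    print("AP ssh out:", acl.permits("tcp", "10.60.0.10", 40000, "10.10.0.5", 22))
```

Register the records it prints in the zone, and run the filter's permits() over the flows you actually expect (an AP join, a DNS lookup, a stray SSH attempt from the AP subnet) before committing the equivalent ACL to the router.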
1.6 Users

Using RADIUS and dynamic VLAN assignment (AAA override), it is possible to give different
groups access to different subnets or VLANs through the same SSID (for example "eduroam").
It is desirable to separate users into different subnets so that filters can be used to
regulate the level of access to external and internal services.

As a rule, a typical educational institution will have at least the following user groups:
• Employees
• Students
• Guests

One may also wish to distinguish between different types of employees, students and guests.
The configuration of FreeRADIUS for dynamic VLAN assignment is described in detail in
Chapter 9 of UFS112 [1].
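As an added example of what dynamic VLAN assignment amounts to on the wire (not code from this guide, from UFS112 or from FreeRADIUS), the following models the RADIUS side: a hypothetical group-to-VLAN mapping, the three RFC 2868 tunnel attributes the RADIUS server returns, their FreeRADIUS reply-item form, and the check a controller with AAA override makes before placing the client in the VLAN. The group names and VLAN IDs are assumptions:

```python
"""Added example for section 1.6 (not from the UNINETT guide, UFS112 or
FreeRADIUS): the RADIUS reply attributes that drive dynamic VLAN assignment
with AAA override. The group-to-VLAN mapping is hypothetical; the attribute
numbers and values are the standard ones from RFC 2868 and RFC 3580."""

# RFC 2868 tunnel attributes and the values RFC 3580 uses for VLAN assignment.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6

# Hypothetical group -> VLAN mapping for one SSID; the IDs are assumptions.
GROUP_VLANS = {"employees": 201, "students": 202, "guests": 203}


def vlan_for_group(group):
    """VLAN for a group, or None: an unmapped group must not fall through
    to a default VLAN, the request is rejected instead."""
    return GROUP_VLANS.get(group)


def freeradius_reply_items(vlan_id):
    """Reply items in FreeRADIUS 'users' file syntax; the attribute and value
    names are those of the FreeRADIUS RFC 2868 dictionary."""
    return (
        "\tTunnel-Type = VLAN,\n"
        "\tTunnel-Medium-Type = IEEE-802,\n"
        f"\tTunnel-Private-Group-Id = \"{vlan_id}\""
    )


def _tlv(attr_type, body):
    """One RADIUS attribute: type, total length, value."""
    return bytes([attr_type, len(body) + 2]) + body


def vlan_reply_attributes(vlan_id, tag=0):
    """Wire encoding of the three attributes; each value starts with a tag byte."""
    return [
        _tlv(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
        _tlv(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big")),
        _tlv(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii")),
    ]


def vlan_from_reply(attr_bytes):
    """Controller-side view with AAA override: use the VLAN only when all
    three attributes are present and consistent, otherwise return None."""
    found = {}
    i = 0
    while i < len(attr_bytes):
        if i + 2 > len(attr_bytes):
            raise ValueError("truncated attribute header")
        attr_type, length = attr_bytes[i], attr_bytes[i + 1]
        if length < 2 or i + length > len(attr_bytes):
            raise ValueError("malformed attribute length")
        found[attr_type] = attr_bytes[i + 2:i + length]
        i += length
    if not all(t in found for t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)):
        return None
    if int.from_bytes(found[TUNNEL_TYPE][1:], "big") != TUNNEL_TYPE_VLAN:
        return None
    if int.from_bytes(found[TUNNEL_MEDIUM_TYPE][1:], "big") != TUNNEL_MEDIUM_IEEE802:
        return None
    group_id = found[TUNNEL_PRIVATE_GROUP_ID]
    if group_id and group_id[0] <= 0x1F:   # leading byte is a tag (RFC 2868)
        group_id = group_id[1:]
    return int(group_id.decode("ascii")) if group_id.isdigit() else None


def access_accept_attributes(group):
    """What the RADIUS server returns for a group: the three VLAN attributes,
    or None meaning Access-Reject."""
    vlan = vlan_for_group(group)
    return None if vlan is None else vlan_reply_attributes(vlan)


if __name__ == "__main__":
    for group in ("employees", "guests", "contractors"):
        attrs = access_accept_attributes(group)
        if attrs is None:
            print(f"{group}: Access-Reject (no VLAN mapping)")
        else:
            print(f"{group}: VLAN {vlan_from_reply(b''.join(attrs))}")
    print(freeradius_reply_items(vlan_for_group("students")))
```

Unmapped groups deliberately produce None (an Access-Reject) rather than a fallback VLAN, so a user whose group is unknown cannot end up on the interface the WLAN is bound to; the decoder likewise refuses an incomplete or inconsistent attribute set instead of guessing.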
The same VLAN should not be used for wireless access as for wired network access, primarily for
security reasons. It may be difficult to trace both faults and breaches of ICT rules and security if one is