Cisco 4402 Configuration Guide - Page 12

Configuring RADIUS - 12


unable to distinguish between IP addresses used by wired clients, which are often anonymous, and wireless clients. It is also desirable to reduce broadcast traffic to a minimum so that it does not affect the capacity of the wireless connections. Restricting the subnet to wireless connections only is a good way to achieve this. In addition, it is possible to control which forms of traffic are permitted, for example by not distributing multicast traffic.
A VLAN, which is defined as a virtual interface in the controller, can be used simultaneously by several SSIDs. In other words, a VLAN for guests may be used both for eduroam guests and for a guest network with other types of authentication. The eduroam guests will still benefit from the WPA encryption in the wireless network, but both groups will have to comply with the filtering rules for the network, which are defined in the router.
- Several VLANs, each with a subnet large enough to serve the relevant user group
- An address early in the address space for the WLC in each VLAN that is to be served
- Filtering according to security requirements.
2 Configuring RADIUS
Experience shows that it often takes a great deal of time to get the dialogue between a RADIUS server and the relevant user database working properly. There are a number of alternatives to choose from for both RADIUS servers and user databases. If the RADIUS server is also to be used for other purposes (such as VPN), this in itself can present a challenge. We recommend a dedicated RADIUS server for the wireless network (bear in mind that on some systems it is easy to run several RADIUS server instances on the same host, each listening on a different port).
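To check that a RADIUS instance on a given port can actually reach its user database before any controller is pointed at it, the following added example (it is not from this guide, from UNINETT or from Cisco; the hostname, port, shared secret, NAS address and credentials are placeholders) does what `radtest` does, in a few dozen lines of Python: it builds a PAP Access-Request as the WLC would (RFC 2865), sends it over UDP to the chosen port and verifies the Response Authenticator of the reply with the shared secret. Offline, the same functions can be exercised against a locally built reply, which is how a spoofed or wrong-secret Access-Accept is shown to be rejected.

```python
"""
Minimal radtest-style PAP probe for a RADIUS server (RFC 2865).

Added example, not part of the original guide.  All server names, ports,
secrets and credentials below are placeholders (assumptions).
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4


def obfuscate_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s.5.2: pad to a multiple of 16 octets, then XOR each block with
    MD5(secret + previous ciphertext block); the first block is keyed on the
    Request Authenticator.  This is obfuscation with the shared secret, not
    encryption: anyone holding the secret recovers the password."""
    if not password or len(password) > 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def deobfuscate_password(blob: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of obfuscate_password, i.e. what the server does on receipt."""
    out, prev = b"", authenticator
    for i in range(0, len(blob), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(blob[i:i + 16], key))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00")


def attr(type_: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length includes the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", type_, len(value) + 2) + value


def build_access_request(ident: int, username: str, password: str, secret: bytes,
                         nas_ip: str, authenticator: bytes = b"") -> bytes:
    """Code(1) Identifier(1) Length(2) Request-Authenticator(16) Attributes.
    A fresh random authenticator per request is what makes replies unforgeable."""
    auth = authenticator or os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, obfuscate_password(password.encode(), secret, auth))
             + attr(ATTR_NAS_IP, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """What a server sends back; used here to exercise the checker offline."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def response_is_authentic(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """RFC 2865 s.3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    A NAS (here, the WLC) must drop replies that fail this check, otherwise a
    spoofed Access-Accept from any host on the path would admit the client."""
    if len(response) < 20:
        return False
    length = struct.unpack("!H", response[2:4])[0]
    if length < 20 or length > len(response):
        return False
    response = response[:length]
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def classify(response: bytes, request: bytes, secret: bytes) -> str:
    """'accept', 'reject', 'stray' (wrong Identifier), 'bad-authenticator'
    (wrong secret or forged reply) or 'other'."""
    if len(response) < 20 or response[1] != request[1]:
        return "stray"
    if not response_is_authentic(response, request[4:20], secret):
        return "bad-authenticator"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(response[0], "other")


def probe(server: str, port: int, secret: bytes, username: str, password: str,
          nas_ip: str = "192.0.2.10", timeout: float = 3.0) -> str:
    """Send one Access-Request to the instance on `port` and classify the reply.
    The probing host must be listed as a client with this secret on the server."""
    request = build_access_request(0x2A, username, password, secret, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (server, port))
        try:
            response, _ = s.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    return classify(response, request, secret)


if __name__ == "__main__":
    # Placeholder values: aim at the dedicated wireless instance's port, not 1812.
    print(probe("radius.example.org", 18120, b"testing123", "alice@example.org", "correct horse"))
```

A "timeout" from `probe` usually means the instance is not listening on that port or the probing host is not a configured client; "bad-authenticator" means the secret differs on the two sides. A PAP accept only proves that the server can bind to the database and check a password. The eduroam path carries EAP inside RADIUS, and which EAP methods work depends on how the database stores or verifies passwords, so after this smoke test the 802.1X exchange should still be tried end to end, for example with eapol_test from the wpa_supplicant distribution.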
RADIUS servers frequently used in the HE sector are:
• FreeRADIUS 1.x
• FreeRADIUS 2.x
• Microsoft IAS (Windows 2003 server)
• Microsoft NPS (Windows 2008 server)
User databases frequently used in the HE sector are:
• Microsoft Active Directory (AD)
• OpenLDAP
• Novell eDirectory
• Cerebrum
The organisation of the user database itself varies from institution to institution: there are, for example, many ways of organising an LDAP tree. In other words, it is not possible to give a single, universal description of how to connect RADIUS to a user database.
For details of configuring FreeRADIUS 1.x, see UFS112 [1]. The configuration of FreeRADIUS 2.x has
changed somewhat, but UFS112 will still be of assistance. In addition, Attachment A2 [2] of the
“eduroam cookbook” is recommended. A guide to the configuration of Microsoft IAS and NPS is
provided in Attachment B.
A common requirement for all installations is a server certificate for the RADIUS server. The server
certificate is used by the wireless client to verify the authenticity of the RADIUS server before 802.1X