
Guide to configuring eduroam

using a Cisco wireless controller

Best Practice Document

Produced by UNINETT led working group

on mobility

(No UFS127)

Authors: Tore Kristiansen, Jardar Leira, Vidar Faltinsen

December 2010


Page 2: ...been carried out by a UNINETT-led working group on mobility as part of a joint venture project within the HE sector in Norway. Stian Lysberg has contributed to Appendix B. Parts of the report may be freely copied, unaltered, provided that the original source is acknowledged and copyright preserved. The third revision, review and the translation of this report have received funding from the European Commun...

Page 3: ...ler 14; 3.1 Initial configuration on a console 14; 3.2 Further configuration via web browser 17; 3.2.1 Creating a virtual interface 17; 3.2.2 Defining a RADIUS server 18; 3.2.3 Creating a WLAN (SSID) 20; 3.2.4 Connecting access points 27; 3.2.5 Further details 29; 4 Radio planning 30; 5 Physical installation of access points 32; A Configuration using autonomous access points 33; A.1 VLAN setup 33; A.2 Encryptio...

Page 4: ...s 41; Step 6 Remote Access Policies 44; Step 7 RADIUS attributes 45; Step 8 Logging 46; B.2 Configuring NPS (Windows 2008) 47; Step 1 Add a role 47; Step 2 RADIUS 48; Step 3 Adding Remote RADIUS Server Groups 50; Step 4 Connection Request Policies 51; Step 5 Network Policies 53; Step 6 RADIUS attributes 54; Step 7 Logging 55; C Installing a certificate for FreeRADIUS 56; References 58; Glossary 59 ...

Page 5: ...d from Cisco lightweight access points (LAP). The guide applies both to Cisco 5500 Series and 4400 Series controllers (WLC). Any differences in configuration between the 5500 Series and the 4400 Series are specified. In principle the guide will also apply to wireless systems provided by suppliers other than Cisco. The recommendation provides advice for network planning, the configuration of RADIUS, the conf...

Page 6: ...n configuring a controller-based wireless network there are many things which need to be planned and performed in the correct order. The main points are dealt with in the following chapters: 1 Network planning; 2 Configuring RADIUS; 3 Configuring a controller; 4 Radio planning; 5 Physical installation of access points. As an alternative to a controller-based system, a configuration may be chosen which is ...

Page 7: ...ndary controller, and a tertiary one if desired. Note also that UNINETT has a WiSM module in its spare parts storeroom which may be sent out in the event of serious operational problems. If one only has a single controller, WCS (Wireless Control System) management software is strictly speaking not necessary. It is perfectly possible to manage with a web-based management interface directly to the controll...

Page 8: ...so be separated from the service or server network, but may for example be located in a general management network for switches. Figure 1: Proposed subnets and necessary traffic pattern. 1.3 The wireless controller (WLC). The 5500 controller has one administrative IP address (Management), while the 4400 controller requires two administrative IP addresses (Management and AP Manager). A WiSM module consists of t...

Page 9: ...but access to these applications must for security reasons be restricted. Ideally they should be located on a subnet restricted to administrative use. This is represented by the Operational Network in Figure 1. Management IP address: in a restricted administration network. AP Manager IP address: in the same restricted administration network. NB: For 5500 Series controllers it is not necessary to configur...

Page 10: ...s, but this is not currently supported. 1.5.1 The access point connection process. Communication between an access point and a controller is by means of a special protocol. Older controller software (i.e. v5.1 and older) used the LWAPP protocol. Since the introduction of version 5.2 the standards-based CAPWAP protocol (RFC 5415) has been used. CAPWAP is based on Layer 3 (IP) communication between access point ...

Page 11: ...in the DNS, since older access points will not recognise CAPWAP in connection with initial association until they have been upgraded. For ISC DHCP, enter option domain-name "yourdomain.no"; in the shared-network specification for the subnet, or globally. Cisco access points do not support an option containing several domain specifications, such as option domain-name "uninett.no win.uninett.no home.uninett.n...

Page 12: ...ant user database. As regards RADIUS and user databases there are a number of alternatives to choose from. If the RADIUS server is also to be used for other purposes, such as VPN, this in itself can present a challenge. We recommend a dedicated RADIUS server for wireless networks; remember that for some systems it is easy to configure several RADIUS servers on the same server, communicating through diffe...

Page 13: ...serTrust. A detailed cookbook for ordering a UNINETT SCS certificate is available at http://forskningsnett.uninett.no/scs/hvordan.html. When you have received a certificate it must be installed in your RADIUS server; see Appendix C for installation of a certificate for FreeRADIUS 2.x. Once IEEE 802.1X is functioning internally, the national connection to eduroam can be configured. In general terms this ...

Page 14: ...e for the initial configuration using the Configuration Wizard in the CLI. B: Use of service port management with a web browser (HTTP, or preferably HTTPS where the controller offers it) for further configuration: 1 Create virtual interfaces; 2 Define RADIUS servers; 3 Create a WLAN; 4 Connect access points. Note: some versions of the WLC/WCS web server work best with Internet Explorer. In other words, one might find that certain options unfortunately disappe...

Page 15: ...something appropriate. Service Interface IP Address Configuration [none][DHCP]: none. The service interface is an out-of-band address which can be used to manage the controller by way of IP. This is all it is used for, and often it is not used at all. Since a gateway cannot be specified for this address, it cannot be routed out of its subnet (hence "out-of-band"). It is a good backup address in case the Manageme...

Page 16: ...WiSM. It is also compulsory for software version 5.2 and newer in autonomous controllers. AP Manager Interface IP Address (not applicable to the WLC 5500 Series): when using a 4400 Series controller, this is the address with which the access points communicate after they have established contact with the controller via the Management address. It should be located in the same subnet as the Management add...

Page 17: ...a virtual interface. Path: Controller > Interfaces. A virtual interface must be created for every VLAN one wishes to make available to users. (Cisco's own term for these per-VLAN interfaces is "dynamic interface"; the controller's single "virtual" interface is a different object used for DHCP relay and web authentication.) As a rule this means a minimum of one for employees, one for students and one for guests. These are VLANs which must naturally be carried on the controller's trunk; which VLANs are permitted on the trunk is regulated by the switch to which the SFP port(s) of the controll...

Page 18: ...ess. The screenshot shows a typical configuration for such a virtual interface. 3.2.2 Defining a RADIUS server. Path: Security > RADIUS > Authentication. It is advisable to ensure that the RADIUS servers are in place before beginning to define a WLAN. Several RADIUS servers may be included, which are of course the organisation's own servers. A shared secret should be established which differs from that for e...

Page 19: ...Path: Security > RADIUS > Accounting. Accounting should also be configured and is required by eduroam. This is done in exactly the same way as for Authentication, but normally uses UDP port 1813 (authentication uses UDP port 1812) ...

Page 20: ...SID for guests who cannot use eduroam, or if an SSID is required for testing. An SSID can serve one or more of the virtual interfaces which have previously been defined, and can easily be switched on or off as required. The first thing that must be done is to define a profile name and specify an SSID. This information cannot be changed later ...

Page 21: ...d; for eduroam this is mandatory. Here we have configured Interface as a virtual interface intended for the use of guests. This VLAN has the lowest level of security and functions as a fall-back network. Users of other categories will be referred to other VLANs. Further information on this will be found below ...

Page 22: ...r 2. It is actually in conflict with 802.11i to have more than one method in a single network, but it is very common and is supported by most clients. However, since not all clients support other variants, it is recommended to keep to WPA/TKIP and WPA2/AES. (Editorial caveat: TKIP has since been deprecated by IEEE 802.11-2012 and disallowed by the Wi-Fi Alliance; on a current deployment offer WPA2/AES only unless legacy clients leave no choice.) ...

Page 23: ...Security > Layer 3 shall be None ...

Page 24: ...Under Security > AAA Servers we select the previously defined RADIUS servers for Authentication and Accounting ...

Page 25: ...Allow AAA Override: Enabled. This makes it possible to let RADIUS override the VLAN which has been assigned to the WLAN. In other words, a user of a different category is assigned to another VLAN. Failure to override will result in the user being assigned to the VLAN which is defined for the WLAN. In this way it is possible to assign users to separate VLANs depending on their class, such as employee, stu...

Page 26: ...ust obtain an IP address from a DHCP server, that is, a client is not permitted to define its own IP address statically. Ideally this should be set to Required, but experience has shown that this setting can cause problems for some clients: in case of a temporary loss of connectivity the controller will require a renewal of the DHCP address, and some clients have problems handling this situation. Managem...

Page 27: ...nnect some access points to the network. Section 1.5.1 explains the access point connection process. All access points have their own X.509 certificates. For this to function, and for the access point to connect, it is important that the WLC's time is correctly set so that the certificate is valid ...

Page 28: ...mple, if a previously autonomous access point has been converted to a lightweight access point and the application has not specified an SSC for the access point, the SSC or the MIC (keyed on the access point's Ethernet MAC address) must be entered before the access point is permitted to connect. This will be found under Security > AAA > AP Policies ...

Page 29: ...parameters which shall be used in communication with, among other things, the WCS, HTTP, Telnet, administration users, logging and so on (prefer HTTPS and SSH, and disable Telnet and plain HTTP once the controller is in production). Regarding timeout values for EAP authentication, the section "Manipulating EAP Timers" in the Cisco document http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml gives some valuable recommendations that should be considered ...

Page 30: ...sible. One will in practice reduce the power output at 2.4 GHz so that 5 GHz will have at least as large a range. This therefore ceases to be a problem, and one may not need to make measurements for both wavebands. To carry out effective radio planning it is important to have the best possible knowledge of the structure of the building. One must also have access to most of the building in order to carr...

Page 31: ...s of the same colour touching each other. If two fields of the same colour meet, there is a potential problem area which should be remedied by adjusting location and/or power output. Remember that radio signals can also penetrate floors and ceilings, so the location of access points above and below the floor in question must also be taken into account. AirMagnet Survey [3] and AirMagnet Planner [3] may be ...

Page 32: ...t 5 cable splitting with PoE, i.e. dividing the four pairs into two connections each with two pairs. A disadvantage of using PoE is the extra heat it generates. PoE switches often cause a rise in temperature, especially in the smaller rooms and cabinets where they are often placed. To provide PoE to the access point one will need either a PoE-compatible switch or a PoE injector. Most access points are su...

Page 33: ...ommended from the point of view of security. A.1 VLAN setup. First we set up the VLAN, assuming that the access point is already configured with the necessary Management IP address etc. 1. Log on to the access point using a web browser. 2. Go to SERVICES > VLAN to create the necessary VLANs. In our example VLAN 21 has been created for eduroam employees and VLAN 40 for management. Remember to tick Native VLAN ...

Page 34: ...go to SECURITY > Encryption Manager and specify the necessary encryption for VLAN 21. The minimum requirement here is TKIP, since not all client types support AES. Select "Enable rotation of the key" and specify a value of, for example, 36 000 seconds ...

Page 35: ...Server Manager and add the external RADIUS server using the shared secret. Specify the port numbers for the Authentication Port and Accounting Port, as well as the IP address for EAP Authentication and Accounting (in this case the same RADIUS server) ...

Page 36: ...A.4 Default VLAN. Now go to SECURITY > SSID Manager and specify the default VLAN ...

Page 37: ...assumes that the Windows 2003 server is registered in the domain. Step 1: Installation of IAS. Go to Control Panel > Add or Remove Programs > Add/Remove Windows Components. Select Networking Services and click on Details. Tick Internet Authentication Service. Now click on OK, Next and Apply to install IAS ...

Page 38: ...K. In the window which opens, click on File and then Add/Remove Snap-in. Click on Add on the Standalone tab. Select Certificates and click on Add. Select Computer account and click on Next. Select Local computer and click on Apply. Click on Close, followed by OK in the windows which are open. Click on the plus sign in front of Certificates. Right-click on Personal, select All Tasks and then Request New Certi...

Page 39: ...Service (this will be greyed out if the service is already running). Right-click on RADIUS Clients, select New RADIUS Client, type a Friendly Name and IP address and click on Next. Examples of Friendly Names are Accesspoint1, AP-E314, SecuritySwitch, SchoolRADIUS; select one which is descriptive. As the Client-Vendor one can select RADIUS Standard. The Shared Secret must be the same in both the client and in the I...

Page 40: ...group. If this is the server group used for the connection to eduroam, the server group should be called eduroam. Click on Add to add RADIUS servers to the server group. On the Address tab, enter the IP address or DNS name of the server. On the Authentication/Accounting tab, fill in the Authentication port and the shared secret. On the Load Balancing tab no changes are necessary in systems with redundancy. Cl...

Page 41: ...f which can be configured. 3. All other users to be directed to eduroam. 1. Right-click on Connection Request Policy and select New Connection Request Policy. 2. Click on Next. 3. Select "A custom policy", fill in the Policy name (for example Local, School or eduroam) and click on Next. 4. Click on Add to add criteria for the connection. eduroam determines where a user belongs by using the realm, which is indicated ...

Page 42: ...roam server. Select User-Name and click on Add. Fill in the criterion, for example student.school.no: this specifies that all users who type in username@student.school.no shall be authenticated using this policy. Note that the User-Name criterion is a regular expression matched anywhere in the name; anchor it (for example @student\.school\.no$) so that a realm such as student.school.no.example.org is not matched by accident. Click on Next and then Edit Profile. On the Authentication tab, specify where the authentication request shall be directed. If one selects "Authenticate request on this server", the user is authenticated o...

Page 43: ...Create a Connection Request Policy for every connection this RADIUS server is to serve ...

Page 44: ...rantine, or WiFi-VLAN10, or other groups from AD. NB: The AD groups must be created first. When the criteria have been determined, click on Next, select "Grant remote access permission" and click on Next. Remote Access Policies may also be created which deny access to users. For example, all users belonging to the security group Wireless Access Denied will be assigned the criterion "Deny remote access permis...

Page 45: ...eded to assign a user to a different VLAN from that supplied as standard by the access points or controller unit. Click on Add, select Tunnel-Medium-Type and click on Add. Click on Add again and select "802 (Includes all 802 media plus Ethernet canonical format)". Click on OK twice to return and select additional attributes. Select Tunnel-Pvt-Group-ID and click on Add. Click on Add again and type the name o... (A controller only honours the assignment when Tunnel-Type is also present and set to VLAN (13) and all three attributes carry the same tag.) ...

Page 46: ...modified. Step 8: Logging. IAS adds log entries to the Event Log and writes them to a file. Open Event Viewer and select System. All events under Source "IAS" are logs generated by IAS. IAS creates the log entries Error, Warning and Information. The logs contain a great deal of useful information, such as ...

Page 47: ...twork being used. Proxy-Policy-Name: School (the Connection Request Policy being used). Authentication-Provider: Windows (the program used by the user to connect to the wireless network). Policy-Name: students in VLAN 10 (the Remote Access Policy being used). B.2 Configuring NPS (Windows 2008). Step 1: Add a role. Add the role Network Policy and Access Services; the only role service required by the Network Policy S...

Page 48: ...as been created. Close the console window. Step 2: RADIUS. The clients are permitted to submit authentication requests to the RADIUS server, which the server then grants locally or forwards. For more information about eduroam visit www.eduroam.no. The clients which can be added here may be access points, a control unit for wireless equipment such as a Security Switch, or other RADIUS servers forwarding aut...

Page 49: ...for each client. Click on OK. Repeat this procedure until all the clients have been added. Remember that other RADIUS servers which forward authentication requests shall also be added as clients. NB: If this is the central RADIUS server which is to be connected to eduroam, the core must also be added. To add the eduroam core, follow the same procedure as when adding clients, but with the following setting...

Page 50: ...r Groups and select New. Type in a Group name and click on Add. If this is the server group used for the connection to eduroam, the server group should be called eduroam. On the Address tab, enter the IP address or DNS name of the server. In the Authentication/Accounting tab, type in the Authentication Port and Shared Secret. On the Load Balancing tab no changes are necessary in systems with redundancy. Click ...

Page 51: ...ction between realm and e-mail address. However, in most cases it is possible to use a realm corresponding to an e-mail address. The realms used are often agreed in advance. If you have any queries, contact eduroam@uninett.no. An example of a realm: student.school.no is the connection to eduroam and forwards authentication to the employee.school.no RADIUS server. The Employee RADIUS server is the last in ...

Page 52: ...type. Under "Replace with", type 1 (i.e. $1, the first capture group of the Find pattern; the "$" is lost in this extract). One may also select "Forward requests to the following remote RADIUS server group for authentication". The authentication request is then forwarded to one of the server groups created in Step 3. Click on Next. "Override network policy authentication settings" must not be used in this connection. Click on Next. Click on OK followed by Finish. Create a Connection Request Policy ...
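The ordered policy evaluation described on pages 41 to 43 and 51 to 52 (realm decides where a request goes; first matching Connection Request Policy wins; optional realm stripping before local authentication), as an added worked example. This is not IAS/NPS configuration and not code from the guide: the realms under school.no, the server-group names and the Find (.*)@(.*) / Replace $1 stripping rule are this example's assumptions, as are the two rejection checks noted in the docstring.

```python
"""Connection Request Policy evaluation for an eduroam-connected RADIUS server:
which realm is handled locally, which is forwarded to another server group,
and which goes to the eduroam core. Added example, not IAS/NPS configuration
or code from the guide; the realms (school.no and sub-realms), the server-group
names and the realm-stripping pattern are this example's assumptions."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Policy:
    name: str
    user_name_pattern: str         # the "User Name" condition, a regular expression
    action: str                    # "local" = authenticate on this server, "forward" = proxy
    server_group: Optional[str] = None
    strip_realm: bool = False      # attribute manipulation: Find (.*)@(.*)  Replace $1


@dataclass(frozen=True)
class Decision:
    policy: str
    action: str
    server_group: Optional[str]
    user_name: str                 # User-Name as passed on (realm stripped or not)


# Evaluated top to bottom; the first match wins, so the order is part of the
# configuration. Patterns are matched in full on purpose: an unanchored
# "student.school.no" would also match "bob@student.school.no.example.org".
POLICIES = (
    Policy("Local students", r"[^@]+@student\.school\.no", "local", strip_realm=True),
    Policy("Employees", r"[^@]+@employee\.school\.no", "forward", "employee-radius"),
    Policy("eduroam", r"[^@]+@[^@]+", "forward", "eduroam"),
)
OWN_REALMS = frozenset({"student.school.no", "employee.school.no"})
REALM_RE = re.compile(r"^([^@]+)@([^@]+)$")


def route(user_name: str, from_eduroam_core: bool = False) -> Decision:
    """Decide what this server does with an Access-Request for `user_name`.

    Two checks run before the policy list; both are assumptions of this
    example rather than settings the guide describes:
    - a User-Name without a realm is rejected here instead of being forwarded,
      since the eduroam core cannot route it and a local login attempt should
      not leave the campus;
    - a request that came in from the eduroam core for a realm this server does
      not own is rejected instead of being proxied back, which would loop."""
    m = REALM_RE.match(user_name)
    if m is None:
        return Decision("reject: no realm", "reject", None, user_name)
    local_part, realm = m.group(1), m.group(2).lower()
    if from_eduroam_core and realm not in OWN_REALMS:
        return Decision("reject: foreign realm from core", "reject", None, user_name)
    for policy in POLICIES:
        if re.fullmatch(policy.user_name_pattern, user_name, re.IGNORECASE):
            forwarded_name = local_part if policy.strip_realm else user_name
            return Decision(policy.name, policy.action, policy.server_group, forwarded_name)
    return Decision("reject: no policy matched", "reject", None, user_name)


if __name__ == "__main__":
    for name, from_core in (("ola@student.school.no", False), ("kari@employee.school.no", False),
                            ("guest@otheruni.example", False), ("guest@otheruni.example", True),
                            ("ola", False)):
        print(name, from_core, route(name, from_core))
```

Realm stripping is only appropriate when the local backend wants the bare account name; if the directory authenticates by UPN, leave the realm in place. The foreign-realm check covers the case on page 49 where the eduroam core itself is a RADIUS client of this server.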

Page 53: ...0, or other groups from AD. NB: The AD groups must be created first. When the criteria have been specified, click on Next, select "Access granted" and click on Next. Network Policies may also be created which deny access to users. For example, all users belonging to the security group Wireless Access Denied will be assigned the criterion "Access denied". But remember: the policies are handled in a predetermine...

Page 54: ...on Standard in the left-hand frame and click on Add in the right-hand frame. Find Tunnel-Medium-Type in the list and click on Add. Click on Add again and select "802 (Includes all 802 media plus Ethernet canonical format)". Click on OK twice to return and select additional attributes. Find Tunnel-Pvt-Group-ID in the list and click on Add. Click on Add and type in the VLAN which is to be used, for example 77...
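The dynamic VLAN assignment that pages 25 (Allow AAA Override), 45 and 54 describe from the configuration side, shown as the RADIUS exchange it produces: the Access-Accept the server builds with tagged Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes (RFC 2868), and the Response Authenticator check (RFC 2865) a controller performs with the shared secret before acting on the reply. This is an added example, not code from the guide, from Cisco or from Microsoft; the shared secret, identifier, request authenticator and VLAN name are constructed values.

```python
"""Dynamic VLAN assignment over RADIUS, end to end: the Access-Accept a
RADIUS server sends with Tunnel-Type, Tunnel-Medium-Type and
Tunnel-Private-Group-ID, and the check a controller makes before acting on it.
Added example, not code from the UFS127 guide or from Cisco; the shared secret,
RADIUS identifier, request authenticator and VLAN name are constructed values."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2                # RFC 2865 packet code
TUNNEL_TYPE = 64                 # RFC 2868 tagged integer
TUNNEL_MEDIUM_TYPE = 65          # RFC 2868 tagged integer
TUNNEL_PRIVATE_GROUP_ID = 81     # RFC 2868 tagged string
TUNNEL_TYPE_VLAN = 13            # "VLAN" in the IAS/NPS attribute list
TUNNEL_MEDIUM_802 = 6            # "802 (includes all 802 media plus Ethernet canonical format)"
HEADER_LEN = 20                  # code, identifier, length, 16-byte authenticator


def _attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one RADIUS attribute (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def _tagged_int(atype: int, tag: int, value: int) -> bytes:
    return _attr(atype, bytes([tag]) + value.to_bytes(3, "big"))   # tag + 3-byte integer


def _tagged_str(atype: int, tag: int, value: str) -> bytes:
    return _attr(atype, bytes([tag]) + value.encode())             # tag + string


def build_access_accept(identifier: int, request_auth: bytes, secret: bytes, vlan: str) -> bytes:
    """Server side: an Access-Accept asking the NAS to place the user in `vlan`."""
    attrs = (_tagged_int(TUNNEL_TYPE, 1, TUNNEL_TYPE_VLAN)
             + _tagged_int(TUNNEL_MEDIUM_TYPE, 1, TUNNEL_MEDIUM_802)
             + _tagged_str(TUNNEL_PRIVATE_GROUP_ID, 1, vlan))
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, HEADER_LEN + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def _parse_attrs(data: bytes):
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        yield atype, data[i + 2:i + alen]
        i += alen


def vlan_from_accept(packet: bytes, request_auth: bytes, secret: bytes):
    """NAS side (what the WLC does with Allow AAA Override enabled).
    The Response Authenticator is verified first; a reply that fails is discarded,
    so a spoofed Access-Accept cannot move a client between VLANs. Returns the VLAN
    from a complete, consistently tagged set of tunnel attributes, or None, in
    which case the controller keeps the WLAN's own interface."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet too short")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet")
    attrs = packet[HEADER_LEN:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:HEADER_LEN]):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    if code != ACCESS_ACCEPT:
        return None
    by_tag: dict = {}
    for atype, value in _parse_attrs(attrs):
        if atype not in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID) or not value:
            continue
        # RFC 2868: a leading byte above 0x1F is not a tag but part of the value
        tag, body = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
        by_tag.setdefault(tag, {})[atype] = body
    for group in by_tag.values():
        if (int.from_bytes(group.get(TUNNEL_TYPE, b"\0"), "big") == TUNNEL_TYPE_VLAN
                and int.from_bytes(group.get(TUNNEL_MEDIUM_TYPE, b"\0"), "big") == TUNNEL_MEDIUM_802
                and group.get(TUNNEL_PRIVATE_GROUP_ID)):
            return group[TUNNEL_PRIVATE_GROUP_ID].decode()
    return None


def demo():
    """Round trip with the right secret, then the same packet checked with a
    wrong secret (the case that must be rejected). Returns (vlan, rejected)."""
    secret = b"constructed-shared-secret"       # assumption: the per-NAS shared secret
    request_auth = bytes(range(16))            # stands in for the request's 16 random bytes
    accept = build_access_accept(0x2A, request_auth, secret, "students")
    vlan = vlan_from_accept(accept, request_auth, secret)
    try:
        vlan_from_accept(accept, request_auth, b"wrong-secret")
        rejected = False
    except ValueError:
        rejected = True
    return vlan, rejected


if __name__ == "__main__":
    print(demo())  # ('students', True)
```

The check with the wrong secret is why the guide insists on a distinct shared secret per RADIUS client: the authenticator is the only thing binding the Access-Accept to the request, and with RADIUS over plain UDP it is also the only protection against an injected reply carrying a more privileged VLAN.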

Page 55: ...ted. Fully-Qualified-Account-Name: school.no/Users/Nordmann Ola (full path of the account in the domain). Calling-Station-Identifier: 00-1A-73-F5-34-7D (the MAC address of the user who is attempting to gain access). Client-Friendly-Name: SecuritySwitch (the client which has sent the authorisation request to this RADIUS server). Client-IP-Address: 10.10.10.91 (the client's IP address). Proxy-Policy-Name: Local (the C...

Page 56: ...(PEM listing of the server key and certificate: the tail of the -----END RSA PRIVATE KEY----- block followed by -----BEGIN CERTIFICATE-----; the base64 body is not reproduced in this excerpt) ...

Page 57: ...ED. X509v3 Subject Key Identifier: 27:41:30:77:3A:42:7C:F9:67:66:50:A1:E9:D1:2A:FC:BB:1D:EF:73. X509v3 Key Usage: critical; Digital Signature, Key Encipherment. X509v3 Basic Constraints: critical; CA:FALSE. X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication. X509v3 Certificate Policies: Policy: 1.3.6.1.4.1.6449.1.2.2.29. X509v3 CRL Distribution Points: URI:http://crl.tcs.terena... (The TLS Web Server Authentication EKU is the one PEAP and EAP-TTLS supplicants, Windows in particular, require of the RADIUS server certificate.) ...

Page 58: ...cookbook: GEANT2 Deliverable DJ5.1.5,3, "Inter-NREN Roaming Infrastructure and Service Support Cookbook", Third Edition, 29.10.2008. Found at www.eduroam.org. [3] AirMagnet Survey: http://www.airmagnet.com/products/survey; AirMagnet Planner: http://www.airmagnet.com/products/planner; AirMagnet Spectrum Analyzer: http://www.airmagnet.com/products/spectrum_analyzer ...

Page 59: ...ss Point Protocol. MSE: Mobility Services Engine. SFP: Small form-factor pluggable transceiver (or mini-GBIC) for Gbit Ethernet. SSID: Service Set Identifier. WCS: Cisco Wireless Control System, software for the administration of WLCs. WiSM: Cisco Wireless Services Module, a plug-in card for the Cisco Catalyst 6500 containing two Cisco 4404 wireless controllers. WLC: Cisco Wireless LAN Controller. WMM: The Wi-Fi Alliance ...

Page 60: ...More Best Practice Documents are available at www.terena.org/campus-bp/ (campus-bp-announcements@terena.org) ...
