manualshive.com logo in svg

Cisco Flex 7500 Series, Deployment Manual

Share
Download
Cisco Flex 7500 Series Deployment Manual Download Page 22

 

22

Flex 7500 Wireless Branch Controller Deployment Guide

 

  FlexConnect Groups

Local EAP (Local Authentication Continuation)

Figure 10

Dot1X Authentication (FlexConnect APs Acting as Local-EAP Server)

You can configure the controller to allow a FlexConnect AP in standalone or connected mode to 
perform LEAP or EAP-FAST authentication for up to 100 statically configured users. The controller 
sends the static list of user names and passwords to each FlexConnect access point of that particular 
FlexConnect Group when it joins the controller. Each access point in the group authenticates only 
its own associated clients.

This feature is ideal for customers who are migrating from an autonomous access point network to 
a lightweight FlexConnect access point network and are not interested in maintaining a large user 
database, or adding another hardware device to replace the RADIUS server functionality available 
in the autonomous access point.

As shown in 

Figure 10

, if the RADIUS/ACS server inside the Data Center is not reachable, then 

FlexConnect APs automatically acts as a Local-EAP Server to perform Dot1X authentication for 
wireless branch clients.

CCKM/OKC Fast Roaming

FlexConnect Groups are required for CCKM/OKC fast roaming to work with FlexConnect access 
points. Fast roaming is achieved by caching a derivative of the master key from a full EAP 
authentication so that a simple and secure key exchange can occur when a wireless client roams to 
a different access point. This feature prevents the need to perform a full RADIUS EAP 
authentication as the client roams from one access point to another. The FlexConnect access points 
need to obtain the CCKM/OKC cache information for all the clients that might associate so they can 
process it quickly instead of sending it back to the controller. If, for example, you have a controller 
with 300 access points and 100 clients that might associate, sending the CCKM/OKC cache for all 
100 clients is not practical. If you create a FlexConnect Group comprising a limited number of 
access points (for example, you create a group for four access points in a remote office), the clients 
roam only among those four access points, and the CCKM/OKC cache is distributed among those 
four access points only when the clients associate to one of them.

This feature along with Backup Radius and Local Authentication (Local-EAP) ensures 

no 

operational downtime

 for your branch sites.

Note

CCKM/OKC fast roaming among FlexConnect and non-FlexConnect access points is not 
supported.

Summary of Contents for Flex 7500 Series

Page 1: ...ous network elements of the Cisco FlexConnect solution along with their communication flow Provide general deployment guidelines for designing the Cisco FlexConnect wireless branch solution Note Prior to release 7 2 FlexConnect was called Hybrid REAP HREAP Now it is called FlexConnect Prerequisites Requirements There are no specific requirements for this document Components Used This document is n...

Page 2: ...s and allows IT managers to configure manage and troubleshoot up to 6000 access points APs and 64 000 clients from the data center The Cisco Flex 7500 series controller supports secure guest access rogue detection for Payment Card Industry PCI compliance and in branch locally switched Wi Fi voice and video The following table highlights the scalability differences between the Flex 7500 8500 WiSM2 ...

Page 3: ...2x10G interfaces allows active active link operation with fast failover link redundancy An additional active 10G link with LAG does not change the controller wireless throughput 2x10G interfaces 2x10G interfaces support optic cable with SFP product SFP 10G SR and SFP 10G LR Switch side SFP or X2 product should be of the same type SR or LR Interface Ports Usage Fast Ethernet Integrated Management M...

Page 4: ...assis DESCR Cisco Wireless Controller PID AIR CT7510 K9 VID V01 SN KQZZXWL The Desktop Management Interface DMI table contains server hardware and BIOS information The WLC 7500 displays BIOS version PID VID and Serial Number as part of inventory Note Flex 7500 is currently shipped with VID V02 Flex 7500 Boot Up Cisco boot loader options for software maintenance are identical to Cisco s existing co...

Page 5: ...5 Flex 7500 Wireless Branch Controller Deployment Guide Flex 7500 Boot Up Figure 3 Boot Up Order ...

Page 6: ...oller Deployment Guide Flex 7500 Boot Up Figure 4 WLC Configuration Wizard Note The Flex 7500 boot up sequence is equivalent and consistent with existing controller platforms Initial boot up requires WLC configuration using the Wizard ...

Page 7: ...co s existing WLC 5508 Refer to the WLC 7 3 configuration guide which covers the entire licensing procedure Software Release Support The Flex 7500 supports WLC code version 7 0 116 x and later only Supported Access Points Access Points 3600 3500 2600 1600 1550 1260 1240 1140 1130 1040 700 and 600 series Cisco 891 Series Integrated Services Router and Cisco 881 Series Integrated Services Router AP ...

Page 8: ...Ps from the Data Center Control traffic is marked by red dashes in Figure 5 Distribute the client data traffic at each Branch Office Data traffic is marked by blue green and purple dashes in Figure 5 Each traffic flow is going to its final destination in the most efficient manner Advantages of Centralizing Access Point Control Traffic Single pane of monitoring and troubleshooting Ease of managemen...

Page 9: ...y types only for non guest clients whose data traffic is also switched centrally at the Data Center Note These authentication restrictions do not apply to clients whose data traffic is distributed at the branch Table 1 L2 Security Support for Centrally Switched Non Guest Users WLAN L2 Security Type Result None N A Allowed WPA WPA2 802 1x Allowed CCKM Allowed 802 1x CCKM Allowed PSK Allowed 802 1x ...

Page 10: ...U must be at least 500 bytes FlexConnect Mode Description Connected A FlexConnect is said to be in Connected Mode when its CAPWAP control plane back to the controller is up and operational meaning the WAN link is not down Standalone Standalone mode is specified as the operational state the FlexConnect enters when it no longer has the connectivity back to the controller FlexConnect APs in Standalon...

Page 11: ...ove turned on Recommended BW 1 54 Mbps Recommended RTT latency 400 ms Test Results For 100 APs 2000 Clients no rogue and no RFIDs Features above turned off Recommended BW 1 024 Mbps Recommended Latency 300 ms Wireless Branch Network Design The rest of this document highlights the guidelines and describes the best practices for implementing secured distributed branch networks FlexConnect architectu...

Page 12: ... configuration and troubleshooting operations within the data center and then transparently extends those services to each branch Deployments using Flex 7500 are easier for IT to set up manage and most importantly scale Advantages Increase scalability with 6000 AP support Increased resiliency using FlexConnect Fault Tolerance Increase segmentation of traffic using FlexConnect Central and Local Swi...

Page 13: ...rations for similar branch sites FlexConnect Groups FlexConnect Groups provide the functionality of Local Backup Radius CCKM OKC fast roaming and Local Authentication Fault Tolerance Improves the wireless branch resiliency and provides no operational downtime ELM Enhanced Local Mode for Adaptive wIPS Provide Adaptive wIPS functionality when serving clients without any impact to client performance ...

Page 14: ... groups to simplify network administration when managing multiple stores across geographic locations For operational ease the document creates one AP group per store to satisfy these requirements Centrally Switched SSID Data center across all stores for Local Store Manager administrative access Locally Switched SSID Store with different WPA2 PSK keys across all stores for hand held scanners Featur...

Page 15: ...field and choose 17 from the ID drop down list Note WLAN IDs 1 16 are part of the default group and cannot be deleted In order to satisfy our requirement of using same SSID store per store with a different WPA2 PSK you need to use WLAN ID 17 and beyond because these are not part of the default group and can be limited to each store Step 2 Under WLAN Security choose PSK from the Auth Key Mgmt drop ...

Page 16: ...ontroller Deployment Guide AP Groups Step 3 Click WLAN General verify the Security Policies change and check the Status box to enable the WLAN Step 4 Repeat steps 1 2 and 3 for new WLAN profile Store2 with SSID as store and ID as 18 ...

Page 17: ...fault ap group Step 6 Under WLAN verify the status of WLAN IDs 1 17 and 18 Step 7 Click WLAN Advanced AP group Add Group Step 8 Add AP Group Name as Store1 same as WLAN profile Store1 and Description as the Location of the Store In this example California is used as the location of the store Step 9 Click Add when done Step 10 Click Add Group and create the AP Group Name as Store2 and the descripti...

Page 18: ...ore 17 Step 16 Click Add after WLAN ID 17 is selected Step 17 Repeat steps 14 16 for WLAN ID 1 DataCenter 1 This step is optional and needed only if you want to allow Remote Resource access Step 18 Go back to the WLAN Advanced AP Groups screen Step 19 Click AP Group Name Store2 to add or edit WLAN Step 20 Click Add New to select the WLAN Step 21 Under WLAN from WLAN SSID drop down choose WLAN ID 1...

Page 19: ... with the same SSID under a single AP group is not permitted Note Adding APs to the AP group is not captured in this document but it is needed for clients to access network services Summary AP groups simplify network administration Troubleshooting ease with per branch granularity Increased flexibility ...

Page 20: ...nect Solution provide no operational branch downtime FlexConnect Group is primarily designed and should be created to address these challenges In addition it eases organizing each branch site because all the FlexConnect access points of each branch site are part of a single FlexConnect Group Note FlexConnect Groups are not analogous to AP Groups Primary Objectives of FlexConnect Groups Backup RADI...

Page 21: ...e the Branch then clients will authenticate and access wireless services even during a WAN outage Note With Local Authentication turned on the AP will always authenticate the clients locally even when it is in connected mode When Local Authentication is disabled the controller will authenticate clients to the Central RADIUS server when the FlexConnect AP is in connected mode When the AP is in Stan...

Page 22: ...M OKC Fast Roaming FlexConnect Groups are required for CCKM OKC fast roaming to work with FlexConnect access points Fast roaming is achieved by caching a derivative of the master key from a full EAP authentication so that a simple and secure key exchange can occur when a wireless client roams to a different access point This feature prevents the need to perform a full RADIUS EAP authentication as ...

Page 23: ... FlexConnect groups to support Local Authentication using LEAP when FlexConnect is either in Connected or Standalone mode The configuration sample in Figure 11 illustrates the objective differences and 1 1 mapping between the AP Group and FlexConnect group Step 1 Click New under Wireless FlexConnect Groups Step 2 Assign Group Name Store 1 similar to the sample configuration as shown in Figure 11 S...

Page 24: ...24 Flex 7500 Wireless Branch Controller Deployment Guide FlexConnect Groups Step 4 Click the Group Name Store 1 that you just created for further configuration Step 5 Click Add AP ...

Page 25: ...ep 8 Choose the AP from the drop down that needs to be part of this FlexConnect Group Step 9 Click Add after the AP is chosen from the drop down Step 10 Repeat steps 7 and 8 to add all the APs to this FlexConnect group that are also part of AP Group Store 1 See Figure 11 to understand the 1 1 mapping between the AP Group and FlexConnect group If you have created an AP Group per Store Figure 7 then...

Page 26: ...ep 11 Click Local Authentication Protocols and check the Enable LEAP Authentication box Step 12 Click Apply after the check box is set Note If you have a backup controller make sure the FlexConnect groups are identical and AP MAC address entries are included per FlexConnect group ...

Page 27: ... add more than 100 users Step 16 Click Apply after step 14 is completed and the No of Users count is verified Step 17 From the top pane click WLANs Step 18 Click WLAN ID 17 This was created during the AP Group creation See Figure 7 Step 19 Under WLAN Edit for WLAN ID 17 click Advanced Step 20 Check the FlexConnect Local Auth box in order to enable Local Authentication in Connected Mode Note Local ...

Page 28: ...7500 Wireless Branch Controller Deployment Guide FlexConnect Groups NCS and Cisco Prime also provides the FlexConnect Local Auth check box in order to enable Local Authentication in Connected Mode as shown here ...

Page 29: ...29 Flex 7500 Wireless Branch Controller Deployment Guide FlexConnect Groups NCS and Cisco Prime also provides facility to filter and monitor FlexConnect Locally Authenticated clients as shown here ...

Page 30: ...30 Flex 7500 Wireless Branch Controller Deployment Guide FlexConnect Groups ...

Page 31: ... is a strict mapping of WLAN to VLAN and thus the client getting associated on a particular WLAN on FlexConnect AP has to abide by a VLAN which is mapped to it This method has limitations because it requires clients to associate with different SSIDs in order to inherit different VLAN based policies From 7 2 release onwards AAA override of VLAN on individual WLAN configured for local switching is s...

Page 32: ...bled on WLAN configured for local switching The FlexConnect AP should have VLAN pre created from WLC for dynamic VLAN assignment If VLANs returned by AAA override are not present on AP client they will get an IP from the default VLAN interface of the AP Procedure Complete these steps Step 1 Create a WLAN for 802 1x authentication Step 2 Enable AAA override support for local switching WLAN on the W...

Page 33: ... the controller for 802 1x authentication In order to add the AAA server navigate to WLC GUI Security AAA Radius Authentication New Step 4 The AP is in local mode by default so covert the mode to FlexConnect mode Local mode APs can be converted to FlexConnect mode by going to Wireless All APs and click the Individual AP ...

Page 34: ... 5 Add the FlexConnect APs to the FlexConnect group Navigate under WLC GUI Wireless FlexConnect Groups Select FlexConnect Group General tab Add AP Step 6 The FlexConnect AP should be connected on a trunk port and WLAN mapped VLAN and AAA overridden VLAN should be allowed on the trunk port ...

Page 35: ...tes its VLAN default based on the WLAN VLAN mapping is assigned Navigate to WLAN GUI Wireless All APs click the specific AP FlexConnect tab and click VLAN Mapping Step 8 Create a user in the AAA server and configure the user to return VLAN ID in IETF Radius attribute Step 9 In order to have dynamic VLAN assignment the AP would have the interfaces for the dynamic VLAN pre created based on the confi...

Page 36: ...reless clients to the VLAN provided by the AAA server If the VLAN provided by the AAA server is not present at the AP the client is put to a WLAN mapped VLAN on that AP and traffic will switch locally on that VLAN Further prior to release 7 3 traffic for a particular WLAN from FlexConnect APs can be switched Centrally or Locally depending on the WLAN configuration From release 7 3 onwards traffic ...

Page 37: ...tandalone Mode If the VLAN returned by an AAA server is not present in the Flex AP database the client will be put to default VLAN that is a WLAN mapped VLAN on Flex AP When the AP connects back this client will be de authenticated and will switch traffic centrally If the VLAN returned by an AAA server is present in the Flex AP database the client will be put into a returned VLAN and traffic will ...

Page 38: ...38 Flex 7500 Wireless Branch Controller Deployment Guide FlexConnect VLAN Based Central Switching Step 2 Enable Vlan based Central Switching on the newly created WLAN Step 3 Set AP Mode to FlexConnect ...

Page 39: ...in its database either via WLAN VLAN Mapping on a particular Flex AP or via configuring VLAN from a Flex group In this example VLAN 63 is configured in WLAN VLAN mapping on Flex AP Step 5 In this example VLAN 62 is configured on WLC as one of the dynamic interfaces and is not mapped to the WLAN on the WLC The WLAN on the WLC is mapped to Management VLAN that is VLAN 61 ...

Page 40: ...ing and Authentication are set to Central Note Observe that although WLAN is configured for Local Switching the Data Switching field for this client is Central based on the presence of a VLAN that is VLAN 62 which is returned from the AAA server is not present in the AP Database Step 7 If another user associates to the same AP on this created WLAN and some VLAN is returned from the AAA server whic...

Page 41: ... a default interface VLAN Interface which is mapped to the WLAN In this example the WLAN is mapped to a management interface that is VLAN 61 and so the client has received an IP address from VLAN 61 Step 8 If another user associates to it on this created WLAN and VLAN 63 is returned from the AAA server which is present on this Flex AP the client will be assigned VLAN 63 and traffic will switch loc...

Page 42: ...LAN ACL mapping which will be for AAA override VLANs These are then pushed to the AP Summary Create FlexConnect ACL on the controller Apply the same on a VLAN present on FlexConnect AP under AP Level VLAN ACL mapping Can be applied on a VLAN present in FlexConnect Group under VLAN ACL mapping generally done for AAA overridden VLANs While applying ACL on VLAN select the direction to be applied whic...

Page 43: ...requirement If the permit any rule is not configured at the end there is an implicit deny which will block all traffic Step 7 Once the FlexConnect ACLs are created it can be mapped for WLAN VLAN mapping under individual FlexConnect AP or can be applied on VLAN ACL mapping on the FlexConnect group Step 8 Map FlexConnect ACL configured above at AP level for individual VLANs under VLAN mappings for i...

Page 44: ...nder VLAN ACL mapping in FlexConnect group are mainly used for dynamic VLAN override Limitations A maximum of 512 FlexConnect ACLs can be configured on WLC Each individual ACL can be configured with 64 rules A maximum of 32 ACLs can be mapped per FlexConnect group or per FlexConnect AP At any given point in time there is a maximum of 16 VLANs and 32 ACLs on the FlexConnect AP ...

Page 45: ...to permit all the devices present at the local site network When packets from a wireless client on the Corporate SSID matches the rules in Flex ACL configured on OEAP AP that traffic is switched locally and the rest of the traffic that is implicit deny traffic will switch centrally over CAPWAP The Split Tunneling solution assumes that the subnet VLAN associated with a client in the central site is...

Page 46: ...ontroller Deployment Guide FlexConnect Split Tunneling Step 1 Configure a WLAN for Central Switching that is Flex Local Switching should not be enabled Step 2 Set DHCP Address Assignment to Required Step 3 Set AP Mode to FlexConnect ...

Page 47: ...which are on the 9 6 61 0 subnet that is exist on the Central site to 9 1 0 150 to be switched locally after the NAT operation is applied on Flex AP The rest of the traffic will hit an implicit deny rule and be switched centrally over CAPWAP Step 5 This created FlexConnect ACL can be pushed as a Split Tunnel ACL to individual Flex AP or can also be pushed to all the Flex APs in a Flex Connect grou...

Page 48: ...eless Branch Controller Deployment Guide FlexConnect Split Tunneling b Select WLAN Id on which Split Tunnel feature should be enabled choose Flex ACL and click Add c Flex ACL is pushed as Local Split ACL to the Flex AP ...

Page 49: ...ex ACL as Local Split ACL to a FlexConnect Group a Select the WLAN Id on which the Split Tunneling feature should be enabled On the WLAN ACL mapping tab select FlexConnect ACL from the FlexConnect group where particular Flex APs are added and click Add b The Flex ACL is pushed as LocalSplit ACL to Flex APs in that Flex group ...

Page 50: ...feature is enabled by default and cannot be disabled It requires no configuration on the controller or AP However to ensure Fault Tolerance works smoothly and is applicable this criteria should be maintained WLAN ordering and configurations have to be identical across the primary and backup Flex 7500 controllers VLAN mapping has to be identical across the primary and backup Flex 7500 controllers M...

Page 51: ... basis Primary Objective Set limits on maximum clients Operational ease Note This is not a form of QoS By default the feature is disabled and does not force the limit Limitations This feature does not enforce client limit when the FlexConnect is in Standalone state of operation WLC Configuration Complete these steps Step 1 Select the Centrally Switched WLAN ID 1 with SSID DataCenter This WLAN was ...

Page 52: ...WLAN Default for Maximum Allowed Clients is set to 0 which implies there is no restriction and the feature is disabled NCS Configuration In order to enable this feature from the NCS go to Configure Controllers Controller IP WLANs WLAN Configuration WLAN Configuration Details ...

Page 53: ...Controller Deployment Guide Client Limit per WLAN Configuration through Cisco Prime In order to enable this feature from the Cisco Prime go to Configure Controllers Controller IP WLANs WLAN Configuration WLAN Configuration Details ...

Page 54: ... locally within the controller for clients in the same subnet This is the default value Drop Causes the controller to discard packets for clients in the same subnet Forward Up Stream Causes the packet to be forwarded on the upstream VLAN The devices above the controller decide what action to take regarding the packet From release 7 2 onwards peer to peer blocking is supported for clients associate...

Page 55: ...the P2P configuration on the corresponding sub interfaces Limitations In FlexConnect solution P2P blocking configuration cannot be applied only to a particular FlexConnect AP or sub set of APs It is applied to all FlexConnect APs that broadcast the SSID Unified solution for central switching clients supports P2P upstream forward However this will not be supported in the FlexConnect solution This i...

Page 56: ...mary and backup controllers Navigate under WLC GUI Commands Download File to start the download Step 2 Save the configurations on the controllers but do not reboot the controller Step 3 Issue the AP pre image download command from the primary controller a Navigate to WLC GUI Wireless Access Points All APs and choose the access point to start pre image download b Once the access point is chosen cli...

Page 57: ...nce will keep Clients associated Once the controller is back the APs automatically reboot with the pre downloaded image After rebooting the APs re join the primary controller and resume client s services Limitations Works only with CAPWAP APs FlexConnect Smart AP Image Upgrade The pre image download feature reduces the downtime duration to a certain extent but still all the FlexConnect APs have to...

Page 58: ...will pre download the AP image from the master The distribution of AP image from the server to the client will be on a local network and will not experience the latency of the WAN link As a result the process will be faster Summary Master and Slave APs are selected for each AP Model per FlexConnect Group Master downloads image from WLC Slave downloads image from Master AP Reduces downtime and save...

Page 59: ... reboot the controller Step 3 Add the FlexConnect APs to FlexConnect group Navigate to WLC GUI Wireless FlexConnect Groups select FlexConnect Group General tab Add AP Step 4 Click the FlexConnect AP Upgrade check box in order to achieve efficient AP image upgrade Navigate to WLC GUI Wireless FlexConnect Groups select FlexConnect Group Image Upgrade tab ...

Page 60: ...nect Groups select FlexConnect Group Image Upgrade tab FlexConnect Master APs and select AP from the drop down list and click Add Master Note Only one AP per model can be configured as Master AP If Master AP is configured manually the Manual field will be updated as yes b In order to automatically select Master AP navigate to WLC GUI Wireless FlexConnect Groups select FlexConnect Group Image Upgra...

Page 61: ... in order to download an image from the Master AP after which it will fall back to download the image from the WLC It will make 20 attempts against WLC in order to download a new image after which the administrator has to re initiate the download process Step 7 Once FlexConnect Upgrade is initiated only the Master AP will download the image from the WLC Under All AP page Upgrade Role will be updat...

Page 62: ...sly from their master AP and rest of the slave APs will use the random back off timer to retry for the Master AP in order to download the AP image In the instance that the Slave AP fails to download the image from the Master AP for some reason it will go to the WLC in order to fetch the new image This works only with CAPWAP APs Smart AP image upgrade does not work when the Master AP is connected o...

Page 63: ...llers before you enable this CLI This feature is also supported on the 8510 5520 and 8540 controllers Cisco Controller config ap autoconvert disable Disables auto conversion of unsupported mode APs to supported modes when AP joins flexconnect Converts unsupported mode APs to flexconnect mode when AP joins monitor Converts unsupported mode APs to monitor mode when AP joins Cisco Controller Step 1 T...

Page 64: ...p autoconvert monitor at the same time FlexConnect WGB uWGB Support for Local Switching WLANs From release 7 3 onwards WGB uWGB and wired wireless clients behind WGBs are supported and will work as normal clients on WLANs configured for local switching After association WGB sends the IAPP messages for each of its wired wireless clients and Flex AP will behave as follows When Flex AP is in connecte...

Page 65: ... for WGB and clients behind WGB WGB is supported on an IOS AP 1240 1130 1140 1260 1600 1250 2600 and 3600 Procedure Complete these steps Step 1 No special configuration is needed in order to enable WGB uWGB support on FlexConnect APs for WLANs configured for local switching as WGB Also clients behind WGB are treated as normal clients on local switching configured WLANs by Flex APs Enable FlexConne...

Page 66: ...66 Flex 7500 Wireless Branch Controller Deployment Guide FlexConnect WGB uWGB Support for Local Switching WLANs Step 2 Set AP Mode to FlexConnect ...

Page 67: ...ng WLANs Step 3 Associate WGB with wired clients behind this configured WLAN Step 4 In order to check the details for WGB go to Monitor Clients and select WGB from the list of clients Step 5 In order to check the details of the wired wireless clients behind WGB go to Monitor Clients and select the client ...

Page 68: ... servers configured on the controller An AP specific configuration for the RADIUS servers will also be supported The AP specific configuration will have greater priority than the FlexConnect group configuration The existing configuration command at the FlexConnect Group which needs the index of the RADIUS server in the global RADIUS server list on the controller will be deprecated and replaced wit...

Page 69: ... servers can be associated with a FlexConnect Group using a drop down list comprising of RADIUS servers configured on the AAA Authentication page Step 3 Mode of configuration at FlexConnect Group in release 7 4 Primary and Secondary RADIUS servers can be configured under the FlexConnect Group using an IP address port number and Shared Secret ...

Page 70: ...configured will cause the older entry to be replaced by the new one Enhanced Local Mode ELM ELM is supported on the FlexConnect solution Refer to the best practices guide on ELM for more information Guest Access Support in Flex 7500 Figure 12 Guest Access Support in Flex 7500 Flex 7500 will allow and continue to support creation of EoIP tunnel to your guest anchor controller in DMZ For best practi...

Page 71: ...of the WLC 7500 from NCS is identical to Cisco s existing WLCs For more information on managing WLC and discovering templates refer to the Cisco Wireless Control System Configuration Guide Release 7 0 172 0 Managing WLC 7500 with Cisco Prime The management of the WLC 7500 from Cisco Prime is identical to Cisco s existing WLCs ...

Page 72: ...al radius With controller release 7 5 PEAP and EAP TLS EAP methods are also supported EAP TLS Certificate Generation for EAP TLS The following steps are needed on the WLC and the client in order to authenticate the client to the FlexConnect AP using EAP TLS authentication On WLC 1 Generate device certificate for the WLC 2 Get device certificate signed by CA server 3 Generate CA certificate from th...

Page 73: ...tp www cisco com en US products ps6366 products_configuration_example09186a008093f1b9 sh tml Figure 13 Document 100590 Configuration of EAP TLS on FlexConnect AP 1 Create WLAN for Local Switching and Local Authentication In the example below two WLANs have been created one for EAP TLS and the other for PEAP authentication Figure 14 WLAN Configuration for PEAP and EAP TLS 2 Enable FlexConnect Local...

Page 74: ... the AP tries to authenticate the wireless clients using the RADIUS servers first AP Local Authentication is attempted only if no RADIUS servers are found either because the RADIUS servers timed out or no RADIUS servers were configured Figure 16 FlexConnect Group Configuration for AP Local Authentication 4 Selecting EAP methods will now have two more options PEAP and EAP TLS under the FlexConnect ...

Page 75: ...nnect group if the EAP TLS method is enabled and the same is used at the AP to authenticate the clients c When a new AP joins the group certificates will be pushed to the AP along with other configurations The user has to download the EAP device and Root certificates to controller prior to enabling EAP TLS on the FlexConnect group d Upon receiving a certificate message from the controller the AP w...

Page 76: ...TLS is enabled eapdev pem ca This is the CA root certificate eapdev pem crt This is the public certificate of the device eapdev pem prv This is the RSA private key of the device eapdevpwd This is the password file to protect the private key Figure 20 Files Stored in the Flash on AP Client Configuration Configure the wireless profile for EAP TLS by selecting EAP Type EAP TLS and specifying the Trus...

Page 77: ...nch Controller Deployment Guide Support for PEAP and EAP TLS Authentication Figure 21 Wireless Profile for EAP TLS Figure 22 Validate Server Identity Once the client is connected Server Based Authentication will reflect EAP TLS ...

Page 78: ... Deployment Guide Support for PEAP and EAP TLS Authentication Figure 23 Client Authentication using EAP TLS Client Certificates The Trusted Root and Client Certificates can be viewed as follows These are the certificates as generated earlier ...

Page 79: ...79 Flex 7500 Wireless Branch Controller Deployment Guide Support for PEAP and EAP TLS Authentication Figure 24 Certificates on Client ...

Page 80: ...80 Flex 7500 Wireless Branch Controller Deployment Guide Support for PEAP and EAP TLS Authentication Figure 25 Trusted Root CA Certificate on Client ...

Page 81: ...Controller Deployment Guide Support for PEAP and EAP TLS Authentication Figure 26 Trusted Client Certificate Show Commands The EAP type of the client will be reflected on the WLC and can be seen in the output of show client detail ...

Page 82: ...ure 27 EAP Type for Client Authenticated using EAP TLS EAP PEAP PEAP EAP MSCHAPv2 and EAP GTC EAP Type is supported with release 7 5 and Users need to be added on the WLC as shown below A maximum of 100 users can be added per FlexConnect group User Creation Figure 28 User Addition for Local Authentication ...

Page 83: ... for PEAP and EAP TLS Authentication Client Configuration Selecting EAP Type EAP MSCHAPv2 or GTC can configure the wireless profile for EAP PEAP Figure 29 Wireless Profile for EAP PEAP EAP MSCHAPv2 Users created on the controller need to be configured on the client ...

Page 84: ...84 Flex 7500 Wireless Branch Controller Deployment Guide Support for PEAP and EAP TLS Authentication Figure 30 User Name and Password for PEAP ...

Page 85: ...cation Figure 31 Cisco Aironet Desktop Utility Profile Management Once the client is connected Server Based Authentication will reflect PEAP EAP MSCHAPv2 Figure 32 Client Authentication using PEAP EAP MSCHAPv2 Once the client is authenticated the EAP Type can be seen under the Client Detail page ...

Page 86: ...lected on the WLC and can be seen in the output of show client detail Figure 34 EAP Type of Client Authenticated using PEAP CLI Support for PEAP and EAP TLS on FlexConnect APs Two new CLIs have been added to configure PEAP and EAP TLS from the controller config flexconnect group groupName radius ap peap enable disable config flexconnect group groupName radius ap eap tls enable disable ...

Page 87: ... debug dot11 aaa authenticator all debug aaa api debug aaa subsys debug dot11 aaa dispatcher debug aaa protocol local debug radius debug aaa dead criteria transaction Guidelines FlexConnect AP should be in standalone mode or configured for Local authentication Certificates must be present on the AP for EAP TLS to work WLAN VLAN mapping at FlexConnect Group Level Prior to release 7 5 WLAN to VLAN m...

Page 88: ...AN VLAN Mapping Inheritance WLAN level WLAN VLAN mapping has the lowest precedence Higher precedence mapping will override the mapping of lower precedence AP level WLAN VLAN mapping has the highest precedence On deletion of a higher precedence mapping the next highest precedence mapping will take effect The following figure depicts the order of precedence as it refers to WLAN VLAN mapping at the W...

Page 89: ...500 Wireless Branch Controller Deployment Guide WLAN VLAN mapping at FlexConnect Group Level Figure 37 WLAN for Local Switching Figure 38 FlexConnect Local Switching The WLAN is mapped to the management VLAN 56 ...

Page 90: ...Deployment Guide WLAN VLAN mapping at FlexConnect Group Level Figure 39 WLAN Mapped to VLAN 56 Management Interface Figure 40 WLAN Mapped to VLAN 56 as Per WLAN Specific Mapping When a client connects to this WLAN it will get an IP in VLAN 56 ...

Page 91: ... FlexConnect Group Level Figure 41 Client in VLAN 56 2 Create WLAN VLAN mapping under FlexConnect Groups This capability is the new feature in release 7 5 Figure 42 WLAN Mapped to VLAN 57 under FlexConnect Group WLAN VLAN mappings can be viewed per AP from the VLAN Mappings page ...

Page 92: ...ure 43 VLAN Mappings at AP In this example the WLAN is mapped to VLAN 57 on the FlexConnect Group since the Group specific mappings take precedence over WLAN specific mappings Figure 44 WLAN 1 Mapped to VLAN 57 as Per Group Specific Configuration Inheritance The client is assigned an IP address in VLAN 57 ...

Page 93: ...reate a WLAN VLAN mapping at the AP select Make AP Specific under VLAN Mappings Once this is done the WLAN is mapped to VLAN 58 since AP specific mappings take precedence over Group specific and WLAN specific mappings Figure 46 WLAN Mapped to VLAN 58 as Per AP Specific Mapping Inheritance The client is assigned an IP address in VLAN 58 ...

Page 94: ... as part of this feature config flexconnect group group wlan vlan wlan wlan id add vlan vlan id config flexconnect group group wlan vlan wlan wlan id delete config ap flexconnect vlan remove wlan wlan_id ap_name Figure 48 WLAN VLAN Configuration at FlexConnect Group from CLI The command show flexconnect group detail can be used to see the WLAN VLAN mapping for the FlexConnect group ...

Page 95: ...flexconnect group detail Output The command show ap config general AP name can be used to view the WLAN VLAN mappings per AP Figure 50 show ap config general Output The following commands can be used to troubleshoot this feature On WLC debug flexconnect wlan vlan enable disable On AP debug capwap flexconnect wlan vlan ...

Page 96: ...cture will be updated with this information d There will be configuration per FlexConnect group as well as per AP A maximum of 16 ACLs can be created for a FlexConnect group and a maximum of 16 ACLs can be configured per AP e In order to support fast roaming CCKM PMK for the AAA overridden clients the controller will maintain these ACL in the cache and push them to all APs which are part of the Fl...

Page 97: ... ACL 1 Create a Local Switching WLAN which is either centrally switched or locally switched Figure 51 Create Local Switching WLAN 2 Turn on AAA override for the WLAN Enable AAA override 3 Create a FlexConnect ACL FlexConnect ACL can be configured from the Security page as well as from the Wireless page ...

Page 98: ...x 7500 Wireless Branch Controller Deployment Guide Client ACL Support Figure 52 Configure FlexConnect ACL Figure 53 Configure FlexConnect ACL 4 Assign the FlexConnect ACL to the FlexConnect group or to the AP ...

Page 99: ...7500 Wireless Branch Controller Deployment Guide Client ACL Support Figure 54 ACL Mapping on FlexConnect Group Figure 55 ACL Mapping on AP 5 Configure the Airespace attribute on the Radius Cisco ACS server ISE ...

Page 100: ...100 Flex 7500 Wireless Branch Controller Deployment Guide Client ACL Support Figure 56 Aire Acl Name on Cisco ACS Server Figure 57 Airespace ACL Name on ISE 6 Authenticate the client ...

Page 101: ...US products ps11635 products_tech_note09186a0080b7f141 shtml Guidelines Prior to AAA sending the client ACL the ACL should be pre created on the group or AP The ACL will not be dynamically downloaded to the AP at the time of client join A maximum of 96 ACLs can be configured on the AP Each ACL will have a maximum of 64 rules If client is already authenticated and ACL name is changed on the radius ...

Page 102: ...rk CUWN release 8 0 introduces a new feature VideoStream for Local Switching for branch office deployments This feature enables the wireless architecture to deploy multicast video streaming across the branches just like it is currently possible for enterprise deployments This feature recompenses the drawbacks that degrade the video delivery as the video streams and clients scale in a branch networ...

Page 103: ...he clients in the same channel because each client has different channel conditions Wireless multicast does not prioritize the video traffic even though it is marked as Differentiated Service Code Point DSCP by the video server The application will see a loss of packets with no ACK and retries to the delivery will be bad In order to provide reliable transmissions of multicast packet it is necessar...

Page 104: ...nd converts it to 802 11 unicast frames Finally a reliable multicast service delivers the video stream as unicast directly to the client Higher Video Scaling on Clients With Cisco VideoStream technology all of the replication is done at the edge on the AP thus utilizing the overall network efficiently At any point in time there is only the configured media stream traversing the network because the...

Page 105: ...o be verified in the form of IGMP join and leave messages by the clients L3_Switch show ip igmp interface Vlan56 is up line protocol is up Internet address is 9 5 56 1 24 IGMP is enabled on interface Current IGMP host version is 2 Current IGMP router version is 2 IGMP query interval is 60 seconds IGMP configured query interval is 60 seconds IGMP querier timeout is 120 seconds IGMP configured queri...

Page 106: ...SSM Group C Connected L Local P Pruned R RP bit set F Register flag T SPT bit set J Join SPT M MSDP created entry E Extranet X Proxy Join Timer Running A Candidate for MSDP Advertisement U URD I Received Source Specific Host Report Z Multicast Tunnel z MDT data group sender Y Joined MDT data group y Sending to MDT data group V RD Vector v Vector Outgoing interface flags H Hardware switched A Asser...

Page 107: ...onfiguration Cisco Controller config network multicast global enable Cisco Controller config network multicast igmp snooping enable To enable the VideoStream feature globally on the controller navigate to Wireless Media Stream General and check the Multicast Direct Feature check box Enabling the feature here populates some of the configuration parameters on the controller for VideoStream Figure 61...

Page 108: ...ticast direct enable Enable Global Multicast to Unicast Conversion disable Disable Global Multicast to Unicast Conversion The multicast direct button under WLAN QoS appears on if the feature is enabled globally This provides the flexibility to enable VideoStream feature per SSID and is described later in this document ...

Page 109: ...Controller Deployment Guide Client ACL Support Turn on Local Switching under WLAN Advanced and ensure that the APs in the setup are in FlexConnect mode Figure 62 Enable Local Switching on WLAN Figure 63 Change AP Mode to FlexConnect ...

Page 110: ...Branch Controller Deployment Guide Client ACL Support Add Media Stream Configuration To add a multicast stream to the controller navigate to Wireless Media Stream Streams and click Add New Figure 64 Media Stream Configuration ...

Page 111: ...s can be the same address as shown in Figure 64 You can also configure a range of multicast address on the controller There is a limitation of 100 on the number of multicast addresses entries or the number of stream entries that will be pushed to the APs Enabling VideoStream WLAN One or all WLANs SSIDs configured can be enabled for streaming video with VideoStream This is another configuration ste...

Page 112: ... the WLAN by not checking the Multicast Direct feature This will show that wireless clients streaming video are in Normal Multicast mode Verifying VideoStream Functionality Make sure the wireless clients are associated to the access point s and are configured for a correct interface As seen in the Figure 66 there are three clients associated to one AP All three clients have an IP address from VLAN...

Page 113: ... Join Timer Running A Candidate for MSDP Advertisement U URD I Received Source Specific Host Report Z Multicast Tunnel z MDT data group sender Y Joined MDT data group y Sending to MDT data group V RD Vector v Vector Outgoing interface flags H Hardware switched A Assert winner Timers Uptime Expires Interface state Interface Next Hop or VCD State Mode 239 255 255 250 4d20h 00 02 47 RP 0 0 0 0 flags ...

Page 114: ...lients is in a Multicast Direct Allowed State Figure 67 FlexConnect VideoStream Clients The Wireshark capture on the client shows the Multicast to Unicast Video Stream The Ethernet header contains the MAC address of the client as the Destination MAC address for example 7c d1 c3 86 7e dc Figure 68 Wireshark Capture Depicting mc2uc ...

Page 115: ...this feature 4 Currently this feature only has IPv4 support Show Commands Controller Some of the show commands are documented earlier in this document The following section is only for your reference Cisco Controller show ap summary Number of APs 5 Global AP User Name Not Configured Global AP Dot1x User Name Not Configured AP Name Slots AP Model Ethernet MAC Location Country IP Address Clients DSE...

Page 116: ...eam group detail Media2 Media Stream Name Media2 Start IP Address 229 77 77 28 End IP Address 229 77 77 28 RRC Parmmeters Avg Packet Size Bytes 1200 Expected Bandwidth Kbps 500 Policy Admit RRC re evaluation periodic QoS Video Status Multicast direct Usage Priority 1 Violation fallback Cisco Controller show flexconnect media stream client summary Client Mac Stream Name Multicast IP AP Name VLAN Ty...

Page 117: ...AP_1600 show capwap mcast flexconnect clients Bridge Group 1 Multcast Group Address 229 77 77 28 MCUC List Number of MCUC Client 3 88cb 87bd 0cab Bridge Group 1 Vlan 0 7cd1 c386 7edc Bridge Group 1 Vlan 0 d896 9502 7eb4 Bridge Group 1 Vlan 0 MC Only List Number of MC Only Client 0 AP_1600 show capwap mcast flexconnect groups WLAN mc2uc configuration WLAN ID 1 Enabled State 1 WLAN ID 2 Enabled Stat...

Page 118: ... deployment is a critical differentiator for any branch deployment This feature in release 8 0 eliminates the need to reboot when the AP is converted to FlexConnect mode When the controller sends the AP a mode change message the AP will get converted to FlexConnect mode without requiring a reload The AP sub mode will also be configured if the AP receives the AP sub mode payload information from th...

Page 119: ...t of a Default FlexConnect group has been introduced in release 8 3 When the controller boots up the default flex group is created by default This group cannot be deleted or added manually Similarly access points cannot be manually added to or deleted from the default flex group The group has default configuration for the FlexConnect group parameters upon creation and has no maximum limit on the n...

Page 120: ...ct group the AP will be placed in The following specifically refer to scenarios where the AP will be placed as part of the default flex group Day 0 Setup Scenario 1 AP boots up and contacts the PnP server PnP server does not have FlexConnect group configuration as part of the configured attributes Also the AP is not configured as part of any FlexConnect Group on the WLC In this case the AP is plac...

Page 121: ...view APs that are a part of the default flex group click on the FlexConnect AP link in the General tab Step 3 APs from default flex group can be moved to an admin configured FlexConnect group Select the Group from New Group Name drop down menu and select the AP from the list and then click Move ...

Page 122: ...onfig general apname command would reflect the default FlexConnect Group as shown below FlexConnect Group default flex group A new cli command as below is introduced to display only the APs that are part of a specific group Cisco Controller show flexconnect group detail default flex group aps Number of APs in Group 1 AP Ethernet MAC Name Status Mode Type Conflict with PnP 7c 0e ce f5 b2 a4 AP7c0e ...

Page 123: ...me network control system series appliances i ndex html Cisco MSE Information http www cisco com c en us products wireless mobility services engine index html Cisco LAP Documentation http www cisco com c en us products wireless aironet 3500 series index html Terminology APM AP Manager Interface Dyn Dynamic Interface Management Management Interface Port Physical Gbps port WiSM 2 Wireless Service Mo...

Page 124: ...FlexConnect Local Switching A Local mode access points treat these WLANs as normal WLANs Authentication and data traffic are tunneled back to the WLC During a WAN link failure this WLAN is completely down and no clients are active on this WLAN until the connection to the WLC is restored Q Can I do web authentication with Local switching A Yes you can have an SSID with web authentication enabled an...

Page 125: ...HREAP Design and Deployment Guide Cisco 4400 Series Wireless LAN Controllers Cisco 2000 Series Wireless LAN Controllers Cisco Wireless Control System Cisco 3300 Series Mobility Services Engine Cisco Aironet 3500 Series Cisco Secure Access Control System Technical Support Documentation Cisco Systems ...

Page 126: ...126 Flex 7500 Wireless Branch Controller Deployment Guide Related Information ...

Reviews:

No comments

Brands by name

Popular brands

Load more brands