WLC Setup

The goal of this chapter is not to teach you how to configure and deploy a Wireless LAN Controller (WLC). Therefore, only relevant screenshots are shown in the following steps:

Step 1 Figure 11-52 shows the basic IP address and software version of WLC.

Figure 11-52 WLC Software and IP Summary

Step 2 Under the Controller > General menu, LWAPP transport mode must be enabled for Layer 3. In addition, enter a mobility domain name. A sample domain name used is irvlab. Figure 11-53 shows enabling LWAPP Transport Mode in Layer 3.

Figure 11-53 WLC General Controller Setting for Layer 3

[Screenshot: Controller > General page. Settings shown:]

802.3x Flow Control Mode: Disabled
LWAPP Transport Mode: Layer 3
LAG Mode on next reboot: Disabled
Ethernet Multicast Mode: Disabled
Broadcast Forwarding: Disabled
Aggressive Load Balancing: Enabled
Peer to Peer Blocking Mode: Disabled
Over The Air Provisioning of AP: Enabled
AP Fallback: Enabled
Apple Talk Bridging: Disabled
Fast SSID change: Disabled
Default Mobility Domain Name: irvlab
RF-Network Name: irvlab
User Idle Timeout (seconds): 1300
ARP Timeout (seconds): 1300
Web Radius Authentication: PAP
802.3 Bridging: Disabled

Step 3 Go to Controller > Interfaces and add in the user traffic VLAN information. Figure 11-54 shows the added interfaces.

Figure 11-54 WLC Interface Summary

[Screenshot: Controller > Interfaces page. Interfaces listed:]

Interface Name | VLAN Identifier | IP Address | Interface Type | Dynamic AP Management
--- | --- | --- | --- | ---
ap-manager | untagged | 192.168.30.3 | Static | Enabled
healthy | 70 | 10.95.17.68 | Dynamic | Disabled
management | untagged | 192.168.30.4 | Static | Not Supported
service-port | N/A | 192.168.82.68 | Static | Not Supported
user traffic 99 | 99 | 10.10.10.2 | Dynamic | Disabled
virtual | N/A | 1.1.1.1 | Static | Not Supported

Step 4 Next, the RADIUS authentication server must be added. Go to Security > AAA > RADIUS Authentication. Click New to add the ACS server. Figure 11-55 shows the added RADIUS authentication server.

Figure 11-55 Adding a RADIUS Authentication Server in WLC

[Screenshot: Security > RADIUS Authentication Servers page. The page offers Credentials Caching and Use AES Key Wrap options (AES Key Wrap is designed for FIPS customers and requires a key wrap compliant RADIUS server). Servers listed:]

Server Index 1: Server Address 10.95.17.147, Port 1812, Admin Status Enabled
Server Index 2: Server Address 192.168.10.111, Port 1812, Admin Status Enabled

Step 5 The RADIUS accounting server must be added next. Click the Radius Accounting link and then click New. Figure 11-56 shows the added RADIUS accounting server.

Figure 11-56 Adding a RADIUS Accounting Server in WLC

[Screenshot: Security > RADIUS Accounting Servers page. Servers listed:]

Server Index 1: Server Address 10.95.17.147, Port 1813, Admin Status Enabled
Server Index 2: Server Address 192.168.10.111, Port 1813, Admin Status Enabled

Step 6 Go to the WLANs menu and find the irvlab WLAN SSID. Click irvlab SSID and make sure the WLAN status is Enabled. In addition, make sure that the correct RADIUS authentication and accounting servers are selected on the AAA Servers tab. See Figure 11-57 for a summary.

Figure 11-57 AAA Servers Used in WLC

NAM/NAS Setup

With the ACS and WLC components configured, the next step is to add WLC into NAS.

Adding WLC into NAS is similar to adding a VPN concentrator, as shown in the following steps:

Step 1 Go to the NAM GUI and manage the NAS used for the WLC. NAS in this setup is a Real-IP gateway. Make sure to check the Enable L3 Support check box.

Step 2 Go to the Advanced > Managed Subnet page and add the user VLAN 99. This step is similar to the managed subnet setup in the VPN SSO section.

Step 3 Go to the Authentication > VPN Auth > General page and enable the Single Sign-On boxes along with RADIUS Accounting port 1813.

Step 4 Go to the Authentication > VPN Auth > VPN Concentrators page. Add the WLC unit as a VPN concentrator.

Step 5 Go to the Authentication > VPN Auth > Accounting Servers page. Add the NAS server (not the ACS server) as the RADIUS accounting server.

Step 6 Go to the Authentication > VPN Auth > Accounting Mapping page. The WLC entry must be mapped to the ACS accounting server. Click Add Entry.

Step 7 WLC must be added as an authentication server. Go to the User Management > Auth Servers > New page. Add WLC as a Cisco VPN SSO authentication type. The default role can be Allow All. Allow All is a user-created role that has full network access; using it as the default role gives all authenticated wireless users full network access.

Note For this simple test network, we assigned the Allow All role to all authenticated users. If more granular roles are desired, mapping rules can be created for the WLC auth server using the same procedure described in the earlier section on Cisco VPN SSO.

Step 8 Monitoring the wireless controller users is performed by viewing the User Management > Online Users > In-Band page. Successfully authenticated users will appear under the provider Cisco VPN.
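An added example (not from the book and not Cisco code): the single sign-on enabled in Steps 3 through 6 depends on RADIUS accounting records from the WLC reaching the NAS on port 1813. This sketch builds a constructed Accounting-Request (Start), verifies its RFC 2866 Request Authenticator against the shared secret, and extracts the user name and client IP. The user name, secret, client address, the /24 mask for VLAN 99, and the choice of User-Name and Framed-IP-Address as the fields of interest are assumptions.

```python
import hashlib
import hmac
import ipaddress
import struct

ACCT_REQUEST = 4                                   # RADIUS code: Accounting-Request
USER_NAME, FRAMED_IP, ACCT_STATUS_TYPE = 1, 8, 40  # attribute types
START = 1                                          # Acct-Status-Type value "Start"

def build_acct_start(ident, secret, user, framed_ip):
    """Build a constructed Accounting-Request (Start), as a RADIUS client would send it."""
    attrs = bytes([USER_NAME, 2 + len(user.encode())]) + user.encode()
    attrs += bytes([FRAMED_IP, 6]) + ipaddress.IPv4Address(framed_ip).packed
    attrs += bytes([ACCT_STATUS_TYPE, 6]) + struct.pack("!I", START)
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs))
    # RFC 2866: MD5(code + id + length + 16 zero octets + attributes + secret)
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs

def parse_acct(packet, secret):
    """Verify the Request Authenticator, then return user, ip and status."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad authenticator: wrong secret or modified packet")
    rec, pos = {}, 20
    while pos < length:
        if length - pos < 2 or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        atype, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        if atype == USER_NAME:
            rec["user"] = value.decode(errors="replace")
        elif atype == FRAMED_IP and alen == 6:
            rec["ip"] = str(ipaddress.IPv4Address(value))
        elif atype == ACCT_STATUS_TYPE and alen == 6:
            rec["status"] = struct.unpack("!I", value)[0]
        pos += alen
    return rec

def sso_candidate(packet, secret, managed_subnet):
    """True only for an authentic Start record whose client IP is in the managed subnet."""
    rec = parse_acct(packet, secret)
    return (rec.get("status") == START and "user" in rec and "ip" in rec
            and ipaddress.ip_address(rec["ip"]) in ipaddress.ip_network(managed_subnet))
```

A record that fails the authenticator check points to a shared-secret mismatch between the WLC and the accounting server entry, which is a common reason users never appear on the Online Users page.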
