Configuration Guide
Page 3
... 1 Network planning 1.1 Necessary components 1.2 IP addresses and subnets 1.3 The wireless controller (WLC) 1.4 The WCS, MSE and LA administration software 1.5 Access points 1.5.1 The access point connection process 1.6 Users 2 Configuring RADIUS 3 Configuring a controller 3.1 Initial configuration on a console 3.2 Further configuration via web browser 3.2.1 Creating a virtual interface 3.2.2 Defining a RADIUS server 3.2.3 Creating a WLAN (SSID) 3.2.4 Connecting access points 3.2.5 Further details 4 Radio planning 5 Physical installation of access points A. Configuring...
Configuration Guide
Page 4
... Step 2: Connecting to domain and certificates 38 Step 3: Adding clients in IAS 39 Step 4: Adding server groups to IAS 40 Step 5: Connection Request Policies 41 Step 6: Remote Access Policies 44 Step 7: RADIUS attributes 45 Step 8: Logging 46 B.2 Configuring NPS (Windows 2008) 47 Step 1: Add a role 47 Step 2: Radius 48 Step 3: Adding Remote RADIUS Server Groups 50 Step 4: Connection Request Policies 51 Step 5: Network Policies 53 Step 6: RADIUS attributes...
Configuration Guide
Page 6
... the correct order. Configuring a controller 4. A configuration using autonomous access points requires the use of autonomous access points, but the principle will also apply to wireless systems provided by suppliers other than Cisco. Guidelines for how to and from Cisco lightweight access points (LAP). In principle the guide will be planned and performed in Attachment A. 6 The description in turn would be able to an access point. Radio planning 5. Configuring RADIUS 3. For information...
Configuration Guide
Page 7
... number of access points. Refer to allow for the Catalyst 6500. It is perfectly possible to manage with a web-based management interface directly to 12, 25, 50, 100, 250 or 500 access points, depending on , a dedicated hardware product, MSE (Mobility Service Engine) should consider using more controllers, for the various purposes: • The Wireless LAN Controller (WLC) must have administrative IP addresses • Any Wireless Control System (WCS), Mobility Service...
Configuration Guide
Page 9
... to /from access point VLAN - It does not matter which IP addresses in the subnet is used for the controller, but as the router address. UDP 1812 to RADIUS - UDP 1813 to RADIUS - UDP 161 and 162 to configure an AP Manager address. Management IP address: In a restricted administration network AP Manager IP address : In the same restricted administration network NB: For 5500 series controllers, it is to Admin Network, with controller software version 5.2, CAPWAP...
Configuration Guide
Page 10
... will begin to configure a dot1q trunk into the cable. Older controller software, i.e. Once the configuration has been downloaded to the access point (and any new firmware), it has been connected to the controller or that DHCP be rendered futile. This means that the access point must previously have been entered manually (via the UDP ports. By using WCS once the access point has been connected (See Section 1.5.1). over autonomous access points. In the case...
Configuration Guide
Page 11
... looks this subnet. The access point uses the domain name (provided by DHCP) in connection with realistic growth potential. If LWAPP: UDP 12222 and UDP 12223 to /from access point VLAN - DNS - Use Layer 3 communication between different types of external and internal services. Configure a VLAN with an IPv4 subnet large enough for the subnet or globally. Of course, this requires the controller to relevant DNS servers) 1.6 Users Using RADIUS and dynamic VLAN assignment (AAA...
Configuration Guide
Page 12
... different ports). In other purposes (such as VPN), this in the controller, can be served - If the RADIUS server is provided in the HE sector are to configure several SSIDs. The configuration of FreeRADIUS 2.x has changed somewhat, but both for eduroam guests and for example by wired clients, which are a number of configuring FreeRADIUS 1.x, see UFS112 [1]. unable to distinguish between IP addresses used by the wireless client to...
Configuration Guide
Page 13
... is functioning internally, the national connection to Comodo UserTrust. Self-generated certificates are the most secure option, but entail significant extra work, since it must be installed in your own certificate hierarchy is described in Norway is to be completed. Configure RADIUS server for RADIUS - A simpler and "secure enough" way to make use of UNINETT's server certificate service, SCS (http://www.uninett.no...
Configuration Guide
Page 14
...), but the controllers do not use Cisco's IOS, and Cisco recommends the use of the web interface (if necessary via the command line (CLI) but in principle this guide will also serve as a basis for further configuration. 1. Connect access points. This guide applies only to backup System Name [Cisco_34:21:11]: WLC Enter Administrative User Name (24 characters max): admin Enter Administrative Password (24 characters max): ***** Service Interface IP Address Configuration [none][DHCP]: none Enable Link Aggregation...
Configuration Guide
Page 15
... Mode [layer2][LAYER3]: LAYER3 AP Manager Interface IP Address: 192.168.0.11 AP-Manager is set to 10.0.0.1/255.255.255.0. "admin" Enter Administrative Password: use more than one SFP port. The address should bundle several SFP ports using same values AP Manager Interface DHCP Server (192.168.0.20): Virtual Gateway IP Address: 1.1.1.1 Mobility/RF Group Name: Group Network Name (SSID): TEMP Allow Static IP Addresses [YES][no]: yes Configure a RADIUS Server now? [YES][no]: no Enter Country Code (enter 'help...
Configuration Guide
Page 16
... possible to route this address, the filter only needs to communicate with this address internally and preferably also externally if, for the Management address. in use. In addition, the RADIUS server must be located in the same subnet as "uninett", "ntnu" or something similar, could be located in another network, they must also be able to be opened for example, the clients which the access points communicate...
Configuration Guide
Page 21
This VLAN has the lowest level of guests. Users of other VLANs. Under General, the WLAN can be found below. 21 Here we have configured "Interface" as a fall-back network. Usually the SSID is set to other categories will be referred to broadcast and for the use of security and functions as a virtual interface intended for eduroam this will be enabled or disabled at any time. Further information on this is mandatory.
Configuration Guide
Page 25
... the controller (access point) and clients, and may provide measurable benefits for the WLAN. Useful for IP tagging. For security reasons it is not advisable to allow clients to the WLAN. In this type of a different category is recommended. The first QoS options are : Allow AAA Override: Enabled - What one must give some extent on how the organisation otherwise supports QoS in its network. Unfortunately...
Configuration Guide
Page 26
... of connectivity, the controller will require a renewal of times, there will be set a condition that this situation. To enable Client Protection, the clients must obtain an IP address from a DHCP server: that is, a client is not permitted to authenticate itself a certain number of DHCP address and some clients. DHCP Server: No Override - This can set to required, but experience has shown that clients must support CCX (Cisco Compatible eXtension program). Client Exclusion: Disabled - DHCP Addr. Assignment...
Configuration Guide
Page 30
... not need to use as many access points as large a range. not the client with the best radio, since the controller is planning to make measurements at least as possible. • Covering the required area using the smallest possible number of access points. To carry out effective radio planning it may be based on paper. • Felt tip markers in three colours. • An access point of the type...
Configuration Guide
Page 31
... floor in order to represent different 2.4 GHz channels. In short, this product is very helpful in radio planning. Locate the access point as near to do is provided. Configure a unique SSID and preferably use in cases where there are connectivity problems which are used for power supply. It can import plan drawings in the form of AutoCAD files, for example, and the Planner module...
Configuration Guide
Page 39
..., remembering that other RADIUS servers forwarding authentication requests here. if not, click on "Action" in the file menu and click on "Next". • (Examples of its infrastructure on the Control Panel. Start "Internet Authentication Service" Check if IAS is to be connected to eduroam, the core must be used for a wireless network one can be added here may be access points, a control unit for each client Repeat this will be...
Configuration Guide
Page 47
... wireless network Policy-Name = students in VLAN 10 The Remote Access Policy being used B.2 Configuring NPS (Windows 2008) Step 1: Add a role Add the role "Network Policy and Access Services", the only role service required by clicking on "Start Menu" → "Administrative Tools"→ "Network Policy Server" Under "Network Policy Server", click on "Action" in the file menu and click "Register server in Active Directory". User ola.nordmann was granted access. Open the Network Policy Server by the Network...
Configuration Guide
Page 55
... authentication being used EAP Type: Microsoft: Secured password (EAP-MSCHAP v2) The type of the account in C:\Windows\System32\LogFiles) Network Policy Server granted access to gain access Client Friendly Name: SecuritySwitch The client which authentication is attempting to a user. NPS creates the log entries "Warning" and "Information", while "Error" entries are only logged in a file (in the domain Calling Station Identifier: 00-1A-73-F5-34-7D The MAC address...