Cisco 4402 - Wireless LAN Controller Using Manual

Configuration guide

Guide to configuring eduroam
using a Cisco wireless controller
Produced by UNINETT led working group
on mobility
(No UFS127)
Authors: Tore Kristiansen, Jardar Leira, Vidar Faltinsen
December 2010
Best Practice Document


Summary of Contents for Cisco 4402 - Wireless LAN Controller

  • Page 1 Guide to configuring eduroam using a Cisco wireless controller Best Practice Document Produced by UNINETT led working group on mobility (No UFS127) Authors: Tore Kristiansen, Jardar Leira, Vidar Faltinsen December 2010...
  • Page 2 Version / date: December 2010 Original language: Norwegian Original title: “Veiledning for eduroam oppsett med Cisco trådløs controller” Original version / date: September 2010 Contact: campus@uninett.no UNINETT bears responsibility for the content of this document. The work has been carried out by a UNINETT led working group on mobility as part of a joint-venture project within the HE sector in Norway.
  • Page 3: Table Of Contents

    Table of Contents Executive Summary Introduction Network planning Necessary components IP addresses and subnets The wireless controller (WLC) The WCS, MSE and LA administration software Access points 1.5.1 The access point connection process Users Configuring RADIUS Configuring a controller Initial configuration on a console Further configuration via web browser 3.2.1 Creating a virtual interface...
  • Page 4 Step 1: Installation of IAS Step 2: Connecting to domain and certificates Step 3: Adding clients in IAS Step 4: Adding server groups to IAS Step 5: Connection Request Policies Step 6: Remote Access Policies Step 7: RADIUS attributes Step 8: Logging Configuring NPS (Windows 2008) Step 1: Add a role Step 2: Radius...
  • Page 5: Executive Summary

    UFS127 is a guide to configuring eduroam, including IEEE 802.1X, in a Cisco controller-based environment, i.e. a configuration based on one or more Cisco controllers which govern the traffic to and from Cisco lightweight access points (LAP). The guide applies both to Cisco 5500 Series and 4400 Series controllers (WLC).
  • Page 6: Introduction

    This document is a guide to configuring eduroam in a Cisco controller-based environment, i.e. a configuration based on one or more Cisco controllers which govern the traffic to and from Cisco lightweight access points (LAP). The guide applies both to Cisco 5500 Series and 4400 Series controllers (WLC).
  • Page 7: Network Planning

    Network planning Necessary components The number of access points and the type of controller(s) may be evaluated depending on the size and layout of the premises. Refer to Chapter 4 Radio planning, for guidelines for estimating the number of access points. Remember to allow for estimated growth in the coming years, bearing in mind the radio-related limitations in effect.
  • Page 8: The Wireless Controller (WLC)

    Figure 1 provides a summary. Each network cloud represents an IP subnet with the exception of the eduroam hierarchy which for the sake of simplicity is given its own network cloud. The arrows between the clouds indicate the necessary traffic pattern and form the basis for deciding which ports must be opened in package filters (if the units are located in different subnets).
  • Page 9: The WCS, MSE And LA Administration Software

    established by means of the Management address. The Management and AP Manager addresses should be located in the same subnet. It does not matter which IP addresses in a subnet are used for this purpose, but the addresses should be located in a subnet which is protected against general access, designated “Admin Network” in Figure 1.
  • Page 10: Access Points

    Access points The network cables connected to access points are often exposed in open areas and can represent a security risk. An unauthorised person tapping into such a cable can potentially gain access to subnets to which he or she should not have access and this may also enable man-in-the-middle attacks on users.
  • Page 11: Users

    DNS, since older access points will not recognise CAPWAP in connection with initial association (until they have been upgraded). For ISC DHCP, enter: ...in the shared network specification for the subnet or globally. Cisco access points do not support an option containing several domain specifications, such as Users Using RADIUS and dynamic VLAN assignment (AAA override), it is possible to grant different groups access to different subnets or VLANs using the same SSID (for example “eduroam”).
  • Page 12: Configuring RADIUS

    unable to distinguish between IP addresses used by wired clients, which are often anonymous, and wireless clients. It is also desirable to reduce broadcast traffic to a minimum so that this does not affect the capacity of the wireless connections. Restricting the subnet to include only wireless connections is a good way to achieve this.
  • Page 13 authentication can be completed. Here one can choose between using self-generated or purchased certificates. Self-generated certificates are the most secure option, but entail significant extra work, since it is necessary to perform a separate certificate installation in every single client which is to be granted access to the wireless network.
  • Page 14: Configuring A Controller

    Strictly speaking, all configuration work can be performed via the command line (CLI) but the controllers do not use Cisco’s IOS, and Cisco recommends the use of the web interface (if necessary via WCS) for most of the configuration.
  • Page 15 SNMP. WCS uses SNMP to communicate with the controller at this address. The address will also be used by the access points to discover their controller. The address should therefore be registered in the DNS as “CISCO-CAPWAP-CONTROLLER.yourdomain.no” and “CISCO-LWAPP-CONTROLLER.yourdomain.no”.
  • Page 16 It should be possible to route this address internally and preferably also externally if, for example, one needs external support. Strict filters should be in place to prevent unwanted units from contacting it, cf. Chapter 1. The access points must obtain access only via UDP on ports 5246/5247 (CAPWAP) or 12222/12223 (LWAPP).
  • Page 17: Further Configuration Via Web Browser

    Further configuration via web browser Once the controller has restarted, it will be ready for configuration via the web browser in communication with the Management address or service interface. 3.2.1 Creating a virtual interface Path: Controller → Interfaces A virtual interface must be created for every VLAN one wishes to make available to users. As a rule this means a minimum of one for employees, one for students and one for guests.
  • Page 18: Defining A RADIUS Server

    The controller must have its own IP address in each VLAN which it is to serve. Strictly speaking, it does not matter which IP address this is in the subnet as long as there is no conflict with another unit, but it is a good rule to use the first available after the router’s address.
  • Page 19 Path: Security → RADIUS → Accounting Accounting should also be configured and is required by eduroam. This is done in exactly the same way as for Authentication, but normally uses UDP port 1813.
  • Page 20: Creating A WLAN (SSID)

    3.2.3 Creating a WLAN (SSID) Path: WLANs → WLANs Initially all that is needed is the SSID “eduroam”, but usually it is desirable to have an SSID for guests who cannot use “eduroam” or if an SSID is required for testing. An SSID can serve one or more of the virtual interfaces which have previously been defined and can easily be switched on or off as required.
  • Page 21 Under General, the WLAN can be enabled or disabled at any time. Usually the SSID is set to broadcast and for eduroam this is mandatory. Here we have configured “Interface” as a virtual interface intended for the use of guests. This VLAN has the lowest level of security and functions as a fall-back network.
  • Page 22 WPA+WPA2 are configured under Security and Layer 2. It is actually in conflict with 802.11i to have more than one method in a single network, but it is very common and is supported by most clients. However, since not all clients support other “variants”, it is recommended to keep to WPA-TKIP and WPA2-AES.
  • Page 23 Security Layer 3 shall be “None”.
  • Page 24 Under Security AAA Servers we select the previously defined RADIUS servers for Authentication and Accounting.
  • Page 25 What one selects under QoS depends to some extent on how the organisation otherwise supports QoS in its network. The first QoS options are TOS (Type Of Service) values for IP tagging. Unfortunately this tagging will apply to all clients in this WLAN and therefore in practice is not applicable to eduroam.
  • Page 26 Management Frame Protection (MFP) – Attempts to protect against DoS, man-in-the-middle and dictionary attacks on the wireless network. To enable Client Protection, the clients must support CCX (Cisco Compatible eXtension program). After pressing “Apply”, this WLAN will be activated.
  • Page 27: Connecting Access Points

    3.2.4 Connecting access points After going through all the steps so far it is time to connect some access points to the network. Section 1.5.1 explains the access point connection process. All access points have their own X509 certificates. For this to function and for the access point to connect, it is important that the WLC’s time is correctly set so that the certificate is valid.
  • Page 28 The WLC supports NTP, which is configured elsewhere. The NTP server is usually the nearest router; if not, another NTP server can be used, as in this example. If a previously autonomous access point has been converted to a lightweight access point and the application has not specified an SSC for the access point, the SSC or the MIC (the MAC address for the access point’s Ethernet address) must be entered before the access point is permitted to connect.
  • Page 29: Further Details

    Under Management one may wish to configure a number of things, such as SNMP parameters (which shall be used in communication with, among other things, the WCS), HTTP, Telnet, administration users, logging, and so on. Regarding timeout values for EAP authentication, the section “Manipulating EAP Timers” in the Cisco document http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml...
  • Page 30: Radio Planning

    Radio planning Carrying out effective radio planning involves a lot of work and can be very time-consuming. The controller assists to the best of its ability by adjusting the channel and power according to the prevailing conditions, but for a good result manual radio planning is essential. Radio planning consists of surveying the radio frequency signal from given positions in order to determine the optimal location of the access points.
  • Page 31 Contact UNINETT in order to borrow this tool. UNINETT also offers AirMagnet Spectrum Analyzer [3] (this product is now owned by Cisco), which displays everything happening in the frequency range, not just 802.11 traffic. This is very helpful in cases where there are connectivity problems which are impossible to understand on the basis of the 802.11 traffic alone.
  • Page 32: Physical Installation Of Access Points

    Most access points are supplied with some form of installation kit. Follow the installation instructions for the access point. Note that the correct way to install a Cisco AP1130/AP1140/3500i is with the flat, plastic surface down. In other words, it is not optimally located when attached to a wall, although this is possible and probably preferred in some cases.
  • Page 33: Configuration Using Autonomous Access Points

    Configuration using autonomous access points The following is a description of how configuration may be carried out using autonomous access points. As mentioned earlier, this type of configuration is not recommended from the point of view of security. VLAN setup First we set up the VLAN, assuming that the access point is already configured with the necessary Management IP address, etc.
  • Page 34: Encryption Configuration

    Encryption configuration Now go to SECURITY → Encryption Manager and specify the necessary encryptions for VLAN 21. The minimum requirement here is TKIP, since not all types support AES. Select “Enable rotation” of the key and specify a value of, for example, 36,000 seconds.
  • Page 35: RADIUS Configuration

    RADIUS configuration Go to SECURITY → Server Manager and add the external RADIUS server using the shared secret. Specify the port number of the Authentication Port and Accounting Port, as well as the IP address for EAP Authentication and Accounting (in this case the same RADIUS server).
  • Page 36: Default VLAN

    Default VLAN Now go to SECURITY → SSID Manager and specify the default VLAN.
  • Page 37: Configuring Microsoft RADIUS Servers

    Configuring Microsoft RADIUS servers Configuring IAS (Windows 2003) NB: This explanation assumes that the Windows 2003 server is registered in the domain. Step 1: Installation of IAS Go to Control Panel → Add or Remove Programs → Add/Remove Windows Components Select “Networking Services”...
  • Page 38: Step 2: Connecting To Domain And Certificates

    Step 2: Connecting to domain and certificates Go to “Administrative Tools” on the Control Panel. Start “Internet Authentication Service”: Click on “Action” in the file menu. Click on “Register Server in Active Directory” A certificate is required to activate PEAP. To add a certificate: Start →...
  • Page 39: Step 3: Adding Clients In IAS

    Step 3: Adding clients in IAS The clients are permitted to submit authentication requests to the RADIUS server, which the server then grants locally or forwards. For more information about the structure of eduroam, see the documentation of its infrastructure on the eduroam web page. The clients which can be added here may be access points, a control unit for wireless equipment (such as a Security Switch) or other RADIUS servers forwarding authentication requests here.
  • Page 40: Step 4: Adding Server Groups To IAS

    Step 4: Adding server groups to IAS To enable IAS to forward authentication, a server group must be created. If this RADIUS server is the last in a series of several and is not to forward authentication, it is not necessary to define any server groups.
  • Page 41: Step 5: Connection Request Policies

    Step 5: Connection Request Policies Connection Request Policies determine where authorisation shall take place according to certain criteria. One policy may authenticate employees locally and forward all students to the RADIUS server associated with the school domain, while another policy directs all other users to the eduroam core. Since the policies are handled in a specific order, it is important that this is done correctly.
  • Page 42 student.school.no is the connection to eduroam and forwards authentication to the employee.school.no RADIUS server. The “Employee” RADIUS server is the last in the series and receives authentications it is to use and forwards them. Criteria for “Connection Policies” on the student.school.no RADIUS server: .*@student.school.no –...
  • Page 43 Create a Connection Request Policy for every connection this RADIUS server is to serve.
  • Page 44: Step 6: Remote Access Policies

    Step 6: Remote Access Policies Remote Access Policies handle the local authentication and can for example grant different users access to different networks: some to the guest network, some to VLAN 10, VLAN 12, etc. Right-click on “Remote Access Policies” and select “New Remote Access Policy” Click on “Next”, select “Set up a custom policy”...
  • Page 45: Step 7: RADIUS Attributes

    Click on “OK”, then “Next” and “Apply” Do this for each Remote Access Policy that is needed. Step 7: RADIUS attributes Remote Access Policies may be expanded using RADIUS attributes. The RADIUS attributes can, among other things, provide the user with access to different VLANs. Right-click on a Remote Access Policy: for example “Students in VLAN 10”, and select “Properties”...
  • Page 46: Step 8: Logging

    Click on “OK” twice and repeat this step for all the Remote Access Policies which are to be modified. Step 8: Logging IAS adds log entries to the Event Log and writes them to a file. Open “Event Viewer” and select “System”. All events under Source “IAS” are logs generated by IAS. IAS creates the log entries “Error”, “Warning”...
  • Page 47: Configuring NPS (Windows 2008)

    User ola.nordmann was granted access. (“Granted access” or “denied access”)
    Fully-Qualified-User-Name = school.no/Users/Ola Nordmann (full path of the user in the AD)
    Client-Friendly-Name = SecuritySwitch (the client which has sent the authorisation request to this RADIUS server)
    Client-IP-Address = 10.10.10.91 (the client’s IP address)
    Calling-Station-Identifier = 00-1A-73-F5-34-7D (the MAC address of the user who is attempting to gain access)...
  • Page 48: Step 2: RADIUS

    A certificate is required to activate PEAP. To add a certificate: Start → Run Type “mmc” and click on “OK”. In the window which opens, click on “File” and then “Add/Remove Snap-in”. Click on “Add…” on the “Standalone” tab. Select “Certificates” and click on “Add” Select “Computer account”...
  • Page 49 Type in a “Friendly Name” (Examples of Friendly Names are Accesspoint1, AP-E314, SecuritySwitch, SchoolRADIUS: select one which is descriptive!) Type in an IP address or full DNS name Under “Vendor name”, “RADIUS Standard” may be selected The Shared Secret must be the same in both the client and in the NPS setup. A different Shared Secret may be used for each client Click on “OK”...
  • Page 50: Step 3: Adding Remote RADIUS Server Groups

    Step 3: Adding Remote RADIUS Server Groups To enable NPS to forward authentications, a server group must be created. If this RADIUS server is the last in a series of several and is not intended to forward authentication, it is not necessary to define any server groups. If the server is to be in communication with eduroam, eduroam must be added as a server group.
  • Page 51: Step 4: Connection Request Policies

    Step 4: Connection Request Policies Connection Request Policies determine where authorisation shall take place according to certain criteria. One policy may authenticate employees locally and forward all students to the RADIUS server associated with the school domain, while another policy directs all other users to the eduroam core. Since the policies are handled in a specified order, it is important that this is done correctly.
  • Page 52 If one selects “Authenticate request on this server” the user is authenticated on this RADIUS server and the domain of which the user is a member. Proceed as follows:
    Click on the “Attributes” tab
    Select “Attribute: User-Name” and click on “Add”
    Under “Find”, type: (.*)@(.*)
    Under “Replace with”, type: $1
    One may also select “Forward requests to the following remote RADIUS server group for...
  • Page 53: Step 5: Network Policies

    Step 5: Network Policies Remote Access Policies handle the local authentication and can for example grant different users access to different networks: some to the guest network, some to VLAN 10, VLAN 12, etc. Right-click on “Network Policies” and click on “New” Choose descriptive names for policies, such as “Employees with Guest network”, “Students in VLAN10”, etc.
  • Page 54: Step 6: RADIUS Attributes

    Step 6: RADIUS attributes Network Policies may be expanded using RADIUS attributes. The RADIUS attributes can, among other things, provide the user with access to different VLANs. Right-click on a “Network Policy” and select “Properties” Go to the “Settings” tab There are many ways of configuring different RADIUS attributes.
  • Page 55: Step 7: Logging

    Step 7: Logging NPS adds log entries in the Event Log and also writes them to a file. Open the Event Viewer and go to “Custom Views”, “Server Roles” and “Network Policy and Access Services”. NPS creates the log entries “Warning” and “Information”, while “Error”...
  • Page 56: Installing A Certificate For FreeRADIUS

    Installing a certificate for FreeRADIUS In order to obtain a certificate with the help of UNINETT’s service, see http://forskningsnett.uninett.no/scs/hvordan.html. This also describes how to generate the RADIUS server’s private key (CSR), using openssl. The private key must be submitted via UNINETT’s SCS service and forms the basis for issuing a certificate. When this has been completed, the certificate must be installed on the RADIUS server.
  • Page 57 (the page’s own annotations are shown in parentheses)
    root@sirius:~/tmp$ openssl x509 -noout -text -in test.pem
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 52:75:c4:ea:b2:96:a3:04:96:23:6e:60:b0:52:f1:67
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=NL, O=TERENA, CN=TERENA SSL CA   (TERENA is the issuer)
        Validity
            Not Before: May 12 00:00:00 2010 GMT
            Not After : May 11 23:59:59 2013 GMT   (duration)
        Subject: C=NO, O=UNINETT AS, CN=radius-test.uninett.no
        Subject Public Key Info:...
  • Page 58: References

    References
    [1] UFS112: Recommended Security System for Wireless Networks. Implementation of IEEE 802.1X. Jardar Leira, UNINETT. 20/12/2007.
    [2] “eduroam cookbook”: GEANT2 Deliverable DJ5.1.5,3: Inter-NREN Roaming Infrastructure and Service Support Cookbook - Third Edition. 29/10/2008. Found at www.eduroam.org.
    AirMagnet Survey: http://www.airmagnet.com/products/survey/
    AirMagnet Planner: http://www.airmagnet.com/products/planner/
    [3] AirMagnet Spectrum Analyzer: http://www.airmagnet.com/products/spectrum_analyzer/...
  • Page 59: Glossary

    SSID: Service Set Identifier
    WCS: Cisco Wireless Control System. Software for the administration of WLCs
    WiSM: Cisco Wireless Services Module. Plug-in card for Cisco Catalyst 6500 containing two Cisco 4404 wireless controllers
    WLC: Cisco Wireless LAN Controller
    WMM: The Wi-Fi Alliance’s Wi-Fi Multimedia™ certification programme for multimedia properties.
  • Page 60 More Best Practice Documents are available at www.terena.org/campus-bp/ campus-bp-announcements@terena.org...
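As an added illustration that is not part of the original guide, the following Python models the ordered Connection Request Policies described on pages 41–42 and 51–52: requests for the student realm are forwarded, requests for the local realm are authenticated locally after the `(.*)@(.*)` → `$1` User-Name manipulation strips the realm, and everything else goes to the eduroam core. It also shows why policy order matters by detecting policies that a broader, earlier policy hides. The policy names, the sample realms (school.no, student.school.no, otheruni.se) and the "reject when no policy matches" default are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Policy:
    """One Connection Request Policy: a User-Name condition plus the action to take."""
    name: str
    pattern: str          # regex the User-Name must match (the policy condition)
    action: str           # "local" (Authenticate request on this server) or "forward"
    target: str = ""      # remote RADIUS server group when action == "forward"
    find: str = ""        # optional User-Name attribute manipulation: "Find"
    replace: str = ""     # ... and its "Replace with" (Python uses \1 where NPS uses $1)


# Constructed policy set for an assumed institution "school.no", in evaluation order.
POLICIES: List[Policy] = [
    Policy("Students", r".*@student\.school\.no", "forward", target="student.school.no"),
    Policy("Employees", r".*@school\.no", "local", find=r"(.*)@(.*)", replace=r"\1"),
    Policy("Roaming users", r".*@.*", "forward", target="eduroam"),
]


def route(user_name: str, policies: List[Policy] = POLICIES) -> Tuple[str, str, str, str]:
    """Return (policy name, action, target, User-Name as passed on) for the first matching policy.

    Policies are tried strictly in order, like NPS/IAS. A request no policy matches is
    rejected here (an assumption: eduroam User-Names are expected to carry a realm).
    Realm matching is case-insensitive in this model (a constructed choice).
    """
    for p in policies:
        if re.fullmatch(p.pattern, user_name, re.IGNORECASE):
            sent = re.sub(p.find, p.replace, user_name, count=1) if p.find else user_name
            return (p.name, p.action, p.target, sent)
    return ("(no policy)", "reject", "", user_name)


def shadowed_policies(policies: List[Policy], samples: List[str]) -> List[str]:
    """Names of policies that none of the sample User-Names ever reaches.

    A policy that is never reached is hidden by an earlier, broader one: the ordering
    mistake the guide warns about (e.g. the catch-all eduroam policy placed first).
    """
    reached = {route(s, policies)[0] for s in samples}
    return [p.name for p in policies if p.name not in reached]


if __name__ == "__main__":
    samples = ["ola@school.no", "kari@student.school.no", "guest@otheruni.se", "ola"]
    for s in samples:
        print(s, "->", route(s))
    misordered = [POLICIES[2], POLICIES[0], POLICIES[1]]   # catch-all first: wrong
    print("shadowed when catch-all is first:", shadowed_policies(misordered, samples))
```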
