
May 23

Cisco 5508 WLC Configuration LAB – WPA2, Guest Access, FlexConnect (aka H-REAP)

This post starts with setting up a LAB to configure and test a WLC. The WLC will be set up with two SSIDs at a local and a remote site. The SSIDs will support WPA2 and Guest access with web authentication. The remote site will also support FlexConnect for one SSID, which means traffic for that SSID will not be transported back to the controller but will be locally switched. In the previous post (http://www.xerunetworks.com/2012/05/cisco-5508-wlc-setup-and-initial-configuration/) we configured the WLC with an IP address and also upgraded its software. We will be using the same WLC in this LAB.

Key Concepts

  • Configure the management VLAN as the native VLAN on the trunk to the WLC, as the CAPWAP tunnel needs its frames untagged to work.
  • APs configured in local mode (no FlexConnect; all traffic goes to the WLC and is centrally switched) connect to access ports in the management VLAN.
  • APs configured in FlexConnect mode must use a trunk port, with the management VLAN as the native VLAN. A trunk is needed because the AP will be switching traffic locally onto multiple VLANs.
  • For FlexConnect to work, the WLAN should support FlexConnect and the AP should also be in FlexConnect mode.
  • Traffic in WLANs on APs in FlexConnect mode can be either centrally switched (tunnelled back to the WLC) or locally switched, so you can mix and match WLANs, with one centrally switched and another locally switched.
  • In FlexConnect mode, authentication traffic can be sent back to the WLC in the tunnel (control plane) or local authentication can be performed. Data traffic can always be locally switched.

Configuration Steps

  1. Configure AAA
  2. Configure WLC Interfaces
  3. Configure WLANs
  4. Configure AP Groups
  5. Configure FlexConnect Groups
  6. Map VLANs

LAB Setup

 

Routing

1. Site Router is the default Gateway for all VLANs

2. Each VLAN Interface is configured with IP Helper address to forward DHCP Queries to DHCP Server

3. EIGRP is running between both site routers and Internet Router and all networks are included in EIGRP advertisements.

4. A static route pointing to the Internet router is configured on the HQ router and is redistributed via EIGRP to the remote site.

5. Inter-VLAN routing is configured on both site routers.

Switch ports & VLANs

1. The management VLAN 3 is set as the native VLAN on the trunk to the WLC and on the trunks to the APs at the remote site.

2. The HQ AP is connected to an access port, as all user traffic will be tunnelled back to the WLC using the CAPWAP tunnel.

3. On the remote site, APs are connected to trunk ports. This is because the remote APs will be switching traffic locally and sending it to the default gateway for routing, for all WLANs except Guest. Guest traffic will be sent back over the WAN to the WLC using the CAPWAP tunnel.

Layer 3 Topology

L3

 

Layer 2 Topology


L2

 

WLC Configuration

AAA Configuration

1. Under the Security tab you can enter the AAA configuration for RADIUS and TACACS+. We will be using TACACS+; the configuration is quite simple and is shown below. The authentication configuration will be used to authenticate clients and management users. Authorization will be used for management users, to make sure they only have access to the relevant items and are limited in what they can change.

Again, the full ACS configuration is not shown here, only the relevant bits. You will also have to configure External Databases, AD Group Mapping etc.

Authentication

Tacacs-Authentication

 

Authorization

Tacacs-Authorization

 

2. For authorization to work, you will also need to configure the ACS server to support it.

Interface Configuration

Interface Configuration>New Services

ACS-Interface Config

 

Group Configuration

Group Setup>Edit Group>ciscowl common

Group Setup>Edit Group>ciscowlcommon>Customer Attributes

ACS-Group Config

 

AD group mapping is configured on the ACS so that whoever is in the management group will have full access. In the same way you can add multiple mappings for operators etc.

Guide for ACS 4.2

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080851f7c.shtml

Here is a guide on how to configure ACS 5

https://supportforums.cisco.com/docs/DOC-14908

 

WLC Interface Configuration

Configure Interfaces by using Controller Tab>Interfaces

An individual interface will be required for the Guest WLAN, which is used at both HQ and the remote site and is centrally switched everywhere. We will also need an interface for the DATA WLAN, which is only used at HQ in centrally switched mode; on the remote site the Data WLAN is locally switched.

Management Interface

This interface will be used for AP management, and all CAPWAP traffic from the APs lands on this interface. You have already configured it to upgrade the WLC software and to connect to it for GUI access, but here is how it should look as per our topology.

Interface-Mgmt

 

HQ Data Interface

This interface will be used to switch traffic for the DATA WLAN. Client DHCP broadcasts will also leave through this interface and be forwarded by the router (via the IP helper address configured on the VLAN interface) to the relevant DHCP server.

Interface-HQData

 

Guest Interface

This interface will be used for all guest traffic. This VLAN should be secured by using ACLs determining what traffic can enter or leave this VLAN.

Interface-Guest

 

Here is the DHCP request flow for a locally switched and a centrally switched WLAN:

WLC DHCP Request Flow

WLC DHCP Request Flow-Local Switching

WLANs Configuration

The WLAN configuration for the HQ and Remote sites is detailed below.

Guest

The Guest WLAN will use web authentication and will be centrally authenticated and centrally switched. Go to the WLANs tab and select Create New. Give it a profile name, an SSID name and an ID.

General Tab: Status=Enabled, Radio Policy=802.11b/g Only, Interface=management, Broadcast SSID=Enabled

WLANS-Guest-General

Security TAB: Layer 2: Layer 2 Security = None

WLANS-Guest-Sec-L2

Security TAB: Layer 3: Web Policy=Enabled, Authentication=Enabled

WLANS-Guest-Sec-L3

Security TAB: AAA Servers: Order Used for Authentication = LOCAL

WLANS-Guest-Sec-AAA

Advanced TAB: Enable Session Time=1800 (consider changing this, otherwise the session will expire too soon; set it to 43200), DHCP Addr. Assignment=Required, Client Exclusion=Disabled (optional)

WLANS-Guest-Adv

 

Data (HQ)

The DATA WLAN for HQ will use central switching and central authentication. Create a new WLAN, enter the Profile Name as LocalData, SSID as Data and ID as 2.

General Tab: Status=Enabled, Radio Policy=802.11b/g Only, Interface=management, Broadcast SSID=Enabled

WLANS-HQData-General

Security TAB: Layer 2: Layer 2 Security =WPA+WPA2, WPA2 Encryption=AES, Auth Key Mgmt=802.1x+CCKM

WLANS-HQData-Sec-L2

Security TAB: Layer 3:Layer 3 Security=None

Security TAB: AAA Servers: Radius Server Override Interface=Enabled, Authentication Server=Enabled, Accounting Server=Enabled, Authentication=Radius & Local

WLANS-HQData-Sec-AAA

Advanced TAB: Enable Session Time=1800 (consider changing this, otherwise the session will expire too soon; set it to 43200), DHCP Addr. Assignment=Required, Client Exclusion=Disabled (optional)

WLANS-HQData-Advan

 

Data (Remote)

The DATA WLAN for the Remote site will use local switching and authentication (the author confirms this in the comments below). Create a new WLAN, enter the Profile Name as RemoteData, SSID as Data and ID as 3.

General Tab: Status=Enabled, Radio Policy=802.11b/g Only, Interface=management, Broadcast SSID=Enabled

WLANS-RemoteData-General

Security TAB: Layer 2: Layer 2 Security =WPA+WPA2, WPA2 Encryption=AES, Auth Key Mgmt=802.1x+CCKM

WLANS-RemoteData-Sec-L2

Security TAB: Layer 3:Layer 3 Security=None

Security TAB: AAA Servers: Radius Server Override Interface=Enabled, Authentication Server=Enabled, Accounting Server=Enabled, Authentication=Radius & Local

WLANS-RemoteData-Sec-AAA

Advanced TAB: Enable Session Time=1800 (consider changing this, otherwise the session will expire too soon; set it to 43200), DHCP Addr. Assignment=Required, Client Exclusion=Disabled (optional), FlexConnect Local Switching=Enabled

WLANS-RemoteData-Adv

 

AP Group Configuration

Now it's time to assign WLANs and APs to AP groups and to add the interface and VLAN mapping. We will be creating two AP groups, one for local APs and one for remote APs.

WLANS TAB>Advanced>AP Group>Add Group

 

Local

Add new Group name Local (or whatever you like for your HQ Site)

Now, for the new AP group that we added, do the following:

WLANs TAB>ADD New>WLAN SSID=DATA, Interface=HQData

WLANs TAB>ADD New>WLAN SSID=Guest, Interface=Guest

APGroups-WLANS

 

AP TAB: Check AP Box for Local AP and Click Add AP button

APGroups-AP

 

Remote

Add new Group name Remote (or whatever you like for your Remote Site)

Now, for the new AP group that we added, do the following:

WLANs TAB>ADD New>WLAN SSID=DATA, Interface=management

WLANs TAB>ADD New>WLAN SSID=Guest, Interface=Guest

APGroups-Remote-WLANS

 

AP TAB: Check AP Box for Remote AP and Click Add AP button

APGroups-Remote-AP

 

FlexConnect Groups

 

These are required for roaming between APs on the remote site that use FlexConnect.

1. Go to Wireless>FlexConnect Groups and press the New button to create a new group

2. Enter the Group Name as ‘HQ’ and press Apply

3. The new FlexConnect group HQ will appear; click on the group name and under the General tab add APs to the group.

4. Do the same by creating a second FlexConnect group named ‘Remote’

Connecting AP to the Network

You will use the ‘CiscoAironet-AP-to-LWAPP-Upgrade-Tool’ to convert your autonomous AP to lightweight. Use the guide below for this:

http://www.cisco.com/en/US/docs/wireless/access_point/conversion/lwapp/upgrade/guide/lwapnote.html

Using this tool you will not only assign an IP address to the AP but also tell it the controller’s address.

Configure APs for FlexConnect

 

 

This applies only to APs on the remote site, as the local site APs will be in local mode and will not be using FlexConnect.

1. Go to Wireless >Access Point> All APs and select the RemoteAP1

2. On the General Tab of RemoteAP1 select the AP mode to FlexConnect and click Apply. This will reset the AP

AP Set to FlexConnect

3. Once the AP is back online, you would see that now there is FlexConnect Tab available along with other Tabs of the AP configuration window.

4. Click on the FlexConnect tab and enable the check box for ‘VLAN Support’, then enter the native VLAN ID, which in our case is VLAN 3. Click ‘Apply’ and it should reset the AP.

5. Once the AP is back up, click on the ‘VLAN Mapping’ button under the FlexConnect tab.

6. Because this is the remote site we will be using the remote site VLAN mapping, so for Data we will use VLAN 18. This means that all traffic for the WLAN Data will use VLAN 18 on the remote site.

FlexConnect-RemoteAP-Flex-VlanMAP
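
To tie the Key Concepts together with the FlexConnect VLAN mapping above, here is an added Python example (not part of the original post, nor a Cisco tool) that models the lab's APs and WLANs, decides whether each WLAN is locally or centrally switched, checks the switch-port and VLAN-mapping rules, and emits the IOS switch port lines those rules imply. The AP names and the validator logic are assumptions; VLAN 3 (management), VLAN 18 (remote Data) and the WLAN layout come from the post.

```python
from dataclasses import dataclass, field

MGMT_VLAN = 3  # lab management VLAN: native on every trunk so CAPWAP is untagged

@dataclass
class Wlan:
    ssid: str
    local_switching: bool  # the "FlexConnect Local Switching" box on the WLAN

@dataclass
class Ap:
    name: str              # constructed AP names, not from the post
    mode: str              # "local" or "flexconnect"
    port_native_vlan: int  # native VLAN of the trunk, or the access VLAN
    port_trunk: bool       # True if the switch port is a trunk
    wlans: list            # WLANs pushed to the AP through its AP group
    vlan_map: dict = field(default_factory=dict)  # FlexConnect SSID -> VLAN

def switching(ap, wlan):
    """Local switching needs BOTH a FlexConnect AP AND the WLAN flag set."""
    return "local" if ap.mode == "flexconnect" and wlan.local_switching else "central"

def validate(ap):
    """Check the AP's switch port and VLAN mapping against the lab's rules."""
    issues = []
    if ap.port_native_vlan != MGMT_VLAN:
        issues.append(f"{ap.name}: CAPWAP needs untagged frames in VLAN {MGMT_VLAN}")
    if ap.mode == "flexconnect" and not ap.port_trunk:
        issues.append(f"{ap.name}: FlexConnect AP must be on a trunk port")
    for w in ap.wlans:
        if switching(ap, w) == "local" and w.ssid not in ap.vlan_map:
            issues.append(f"{ap.name}: no FlexConnect VLAN mapping for {w.ssid}")
        if w.ssid == "Guest" and switching(ap, w) == "local":
            issues.append(f"{ap.name}: Guest must stay centrally switched")
    return issues

def switchport_config(ap):
    """IOS switch port lines implied by the AP mode (assumed IOS syntax)."""
    if ap.mode == "local":
        return ["switchport mode access", f"switchport access vlan {MGMT_VLAN}"]
    vlans = ",".join(map(str, sorted({MGMT_VLAN, *ap.vlan_map.values()})))
    return ["switchport trunk encapsulation dot1q", "switchport mode trunk",
            f"switchport trunk native vlan {MGMT_VLAN}",
            f"switchport trunk allowed vlan {vlans}"]

# Constructed lab model: Guest central everywhere, Data central at HQ, local remote
GUEST, HQ_DATA, REMOTE_DATA = Wlan("Guest", False), Wlan("Data", False), Wlan("Data", True)
HQ_AP = Ap("HQAP1", "local", MGMT_VLAN, False, [GUEST, HQ_DATA])
REMOTE_AP = Ap("RemoteAP1", "flexconnect", MGMT_VLAN, True,
               [GUEST, REMOTE_DATA], {"Data": 18})
```

Run `validate()` on each AP before cutting over; an empty list means the port type, native VLAN and VLAN mapping all agree with the mode the AP is in.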

 

Now that's you all configured with the remote AP. You may also want to configure High Availability on the APs if you have two controllers, which you normally would. The configuration for the local AP is simple enough, as it will work in local mode and all traffic will go back to the controller for switching.

Feedback

Hope you find this post helpful. Leave your comments if you need clarification of any point or want to know more about this. I followed Cisco guides to implement all this but wanted to write up a simple way of doing it and also to explain it better to myself and to everyone.

 

References

http://www.cisco.com/en/US/docs/wireless/controller/7.2/configuration/guide/cg.html

https://supportforums.cisco.com/docs/DOC-24082

27 comments


  1. sergio

    Thanks, but I am confused in this part: Data (Remote)
    DATA WLAN for HQ will use central switching and central authentication. (should be LOCAL SWITCHING?)

    1. xerunetworks

      Yes, that’s right, it’s local switching and authentication

  2. Rodrigo Haag

    Tks a lot ! This post is very useful !

  3. The Dude

    This post was fantastic. Worked like a charm. I did this without the central setup.

  4. Ali

    Can I please get clarification on this:

    This Native VLAN that I define on the 5508 WLC at the corporate site this would be the native VLAN of the remote site not the Corporate site correct?

    FlexConnect group what is that for exactly, I’m not understanding the full concept?

    Also the 5508 supports 100 AP groups and 25 APs per group, so that equates to 2500 APs; however, max AP support on the 5508 is 500 APs. Can someone confirm what is the exact number?

  5. JZ

    Would it be possible to provide the configurations of the routers and switches
    in the topology?

  6. Santhosh

    I have 10 branches with one AP and two SSIDs (one for Internal Staff and one for Guest WiFi) and using virtual wireless controller in the central office exactly same topology as your lab but have more branches

    What are the options to enable secure internal and guest access without anchor wlc (&) using flexconnect mode ?

    In your above post under Guest Interface title – “”This interface will be used for all guest traffic.”” do I have to create individual interfaces for 10 branch Guest SSIDs (or) one Guest interface will be used for all the Guest access from 10 branches ?

    In your above lab how does the remote branch guest VLAN 20 access the Internet… I don’t see an interface created for this VLAN 20 and IP address 20.18.20.0/24?

    Pls let me know

  7. Shabeer

    Thanks for wonderful documentation.. I would like to know which tool is used to create L3 Network diagram?

    1. Fran

      The software to create network diagrams is called Visio and belongs to the Microsoft Office suite.
