
May 23

Cisco 5508 WLC Configuration LAB – WPA2, Guest Access, FlexConnect (aka H-REAP)

This post starts with setting up a LAB to configure and test the WLC. The WLC will be set up with two SSIDs at a local (HQ) site and a remote site. The SSIDs will support WPA2 and Guest access with web authentication. The remote site will also support FlexConnect for one SSID, which means traffic for that SSID is not transported back to the controller but is switched locally. In the previous post (http://www.xerunetworks.com/2012/05/cisco-5508-wlc-setup-and-initial-configuration/) we configured the WLC with an IP address and also upgraded the software on it. We will be using the same WLC in the LAB.

 

Key Concepts

  • Configure the management VLAN as the native VLAN on the trunk to the WLC, as it needs frames untagged for the CAPWAP tunnel to work.
  • APs configured in local mode (no FlexConnect, all traffic to the WLC, centrally switched) will have their switch ports configured as access ports in the management VLAN.
  • APs configured in FlexConnect mode must use a trunk port, with the management VLAN as the native VLAN. They need a trunk because they will be switching traffic locally on multiple VLANs.
  • For FlexConnect to work, the WLAN must support FlexConnect local switching and the AP must be in FlexConnect mode.
  • Traffic in WLANs on APs in FlexConnect mode can be either Centrally Switched (tunnelled back to the WLC) or Locally Switched. So you can have a mix, with one WLAN centrally switched and another locally switched on the same AP.
  • In FlexConnect mode, the authentication traffic can be sent back to the WLC in the tunnel (control plane) or local authentication can be performed. Data traffic can always be locally switched.

 

Configuration Steps

  1. Configure AAA
  2. Configure WLC Interfaces
  3. Configure WLANs
  4. Configure AP Groups
  5. Configure FlexConnect Groups
  6. Map VLANs

LAB Setup

 

Routing

1. The site router is the default gateway for all VLANs.

2. Each VLAN interface is configured with an IP helper address to forward DHCP queries to the DHCP server.

3. EIGRP is running between both site routers and the Internet router, and all networks are included in EIGRP advertisements.

4. A static route is configured on the HQ router pointing to the Internet router and is redistributed via EIGRP to the remote site.

5. Inter-VLAN routing is configured on both site routers.

 

Switch ports & VLANs

1. The management VLAN 3 is set as the native VLAN on the trunk to the WLC and on the trunks to the APs at the remote site.

2. The HQ AP is connected to an access port, as all user traffic will be tunnelled back to the WLC using the CAPWAP tunnel.

3. At the remote site the APs are connected to trunk ports. This is because the remote APs will switch traffic locally and send it to the default gateway for routing, for all WLANs except Guest. Guest traffic will be sent back over the WAN to the WLC in the CAPWAP tunnel.
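As an added example that is not part of the original post, here is the switch and router side of the Key Concepts and of the routing and switch port notes above, written in Cisco IOS CLI form: the trunk to the WLC with management VLAN 3 native, the HQ local-mode AP on an access port, the remote FlexConnect AP on a pruned trunk, and the remote SVI with an IP helper for the locally switched Data VLAN. The post gives VLAN 3 (management), VLAN 18 (remote Data) and VLAN 20 (Guest); the interface names, the HQ Data VLAN ID, and the gateway and DHCP server addresses are assumptions.

```cisco
! ===== HQ switch: trunk to the WLC 5508 =====
! Management VLAN 3 must be native (untagged) or the CAPWAP tunnel from the APs
! will not terminate on the WLC management interface. Allow only the VLANs the WLC
! needs: 3 (mgmt), 20 (Guest) and the HQ Data VLAN, whose ID the post does not give,
! so append it to the allowed list yourself.
interface GigabitEthernet1/0/1
 description Trunk to WLC-5508 port 1 (assumed port)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 3
 switchport trunk allowed vlan 3,20
 switchport mode trunk
 spanning-tree portfast trunk
!
! ===== HQ switch: local-mode AP =====
! All client traffic rides inside CAPWAP to the WLC, so the AP only needs the
! management VLAN: a plain access port, nothing else reachable from the AP port.
interface GigabitEthernet1/0/10
 description HQ-AP1 (local mode, centrally switched)
 switchport mode access
 switchport access vlan 3
 spanning-tree portfast
!
! ===== Remote switch: FlexConnect AP =====
! The AP drops Data WLAN frames locally into VLAN 18, so the port must be a trunk.
! Management VLAN 3 stays native because CAPWAP control, and the centrally switched
! Guest WLAN inside it, still leave the AP untagged. Guest VLAN 20 is deliberately
! NOT allowed here: at the remote site guest frames travel inside CAPWAP, not on the wire.
interface GigabitEthernet1/0/10
 description RemoteAP1 (FlexConnect, Data VLAN 18 locally switched)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 3
 switchport trunk allowed vlan 3,18
 switchport mode trunk
 spanning-tree portfast trunk
!
! ===== Remote router: gateway for the locally switched Data VLAN =====
! Locally switched clients broadcast DHCP on VLAN 18; the helper relays the request
! across the routed WAN to the DHCP server (addresses are placeholders, not from the post).
interface Vlan18
 description Remote Data WLAN (FlexConnect local switching)
 ip address 192.0.2.1 255.255.255.0
 ip helper-address 198.51.100.10
!
! Verification: the AP trunk must report native VLAN 3 and VLANs 3,18 forwarding.
! show interfaces GigabitEthernet1/0/10 trunk
! show interfaces GigabitEthernet1/0/10 switchport
```

The `switchport trunk encapsulation dot1q` line is required on platforms such as the 3560/3750 and rejected on a 2960, which only speaks 802.1Q; drop it there. Pruning the allowed VLAN list on the AP trunks is the point a reviewer would insist on: a FlexConnect AP port that carries every VLAN exposes every VLAN to whatever is plugged into that port.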

 

 

Layer 3 Topology


L3

 

Layer 2 Topology


 

L2

 

WLC Configuration

AAA Configuration

1. Under the Security tab, you can enter the AAA configuration for RADIUS and TACACS+. We will be using TACACS+; the configuration is quite simple and is shown below. The authentication configuration will be used to authenticate clients and management users. Authorization will be used for management users, which will make sure that management users only have access to the relevant items, or are limited in what they can change.

The full ACS configuration is not shown here, only the relevant bits. You will also have to configure External Databases, AD Group Mapping, etc.

 

Authentication

Tacacs-Authentication

 

Authorization

Tacacs-Authorization

 

2. For authorization to work, you will also configure ACS Server to support the same.

Interface Configuration

Interface Configuration>New Services

ACS-Interface Config

 

Group Configuration

Group Setup>Edit Group>ciscowlcommon

Group Setup>Edit Group>ciscowlcommon>Customer Attributes

ACS-Group Config

 

AD Group mapping is configured on the ACS so that whoever is in the management group will have full access. In the same way you can create multiple mappings for operators, etc.

Guide for ACS 4.2

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080851f7c.shtml

Here is guide how to configure ACS 5

https://supportforums.cisco.com/docs/DOC-14908
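The WLC side of the TACACS+ setup described above, as an added example that is not part of the original post: the ACS is defined as server index 1 for authentication, authorization and accounting, and management logins are pointed at it with the local database as fallback. The server address and shared secret are placeholders; lines beginning with `!` are commentary, not WLC commands.

```cisco
! ACS as TACACS+ server index 1 (address and secret are placeholders; 49 is the TACACS+ port)
config tacacs auth add 1 198.51.100.20 49 ascii <SHARED-SECRET>
config tacacs author add 1 198.51.100.20 49 ascii <SHARED-SECRET>
config tacacs acct add 1 198.51.100.20 49 ascii <SHARED-SECRET>
! Management logins: TACACS+ first, then the local database, so an administrator
! can still reach the WLC if the ACS is unreachable (order matters: local only
! as fallback, never first)
config aaa auth mgmt tacacs local
save config
! Verification: server reachability and whether requests are being answered
show tacacs summary
show tacacs auth statistics
```

Check `show tacacs auth statistics` after a test login: a rising rejects or timeouts counter with no accepts usually means a shared secret mismatch or the ACS not having the WLC defined as a AAA client.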

 

WLC Interface Configuration

Configure Interfaces by using Controller Tab>Interfaces

An individual interface will be required for the Guest WLAN, which is used at both HQ and the remote site and is centrally switched everywhere. We will also need an interface for the Data WLAN, which is only centrally switched at HQ; at the remote site the Data WLAN is locally switched.

 

Management Interface

This interface will be used for AP management, and all CAPWAP traffic from the APs lands on this interface. You already configured it to upgrade the WLC software and to connect to the GUI, but here is how it should look as per our topology.

Interface-Mgmt

 

HQ Data Interface

This interface will be used to switch traffic for the Data WLAN. DHCP broadcasts from clients will also leave this interface and be forwarded by the router (via the IP helper address configured on the VLAN) to the relevant DHCP server.

Interface-HQData

 

Guest Interface

This interface will be used for all guest traffic. This VLAN should be secured by using ACLs determining what traffic can enter or leave this VLAN.

Interface-Guest

 

Here is the DHCP request flow for a locally switched and a centrally switched WLAN.

 

WLC DHCP Request Flow                 WLC DHCP Request Flow-Local Switching

 

 

WLANs Configuration

The WLAN configuration for the HQ and remote site is detailed below.

 

 

Guest

The Guest WLAN will use web authentication and will be centrally authenticated and centrally switched. Go to the WLANs tab and select Create New. Give the profile name, SSID name and ID.

General Tab: Status=Enabled, Radio Policy=802.11b/g Only, Interface=management, Broadcast SSID=Enabled

WLANS-Guest-General

Security TAB: Layer 2: Layer 2 Security = None

WLANS-Guest-Sec-L2

Security TAB: Layer 3: Web Policy=Enabled, Authentication=Enabled

WLANS-Guest-Sec-L3

Security TAB: AAA Servers: Order Used for Authentication = LOCAL

WLANS-Guest-Sec-AAA

Advanced TAB: Enable Session Timeout=1800 (you should consider changing this, otherwise the session will expire too soon; set it to 43200), DHCP Addr. Assignment=Required, Client Exclusion=Disabled (optional)

WLANS-Guest-Adv

 

Data (HQ)

DATA WLAN for HQ will use central switching and central authentication. Create a new WLAN, Enter Profile Name as LocalData, SSID as Data and ID as 2.

General Tab: Status=Enabled, Radio Policy=802.11b/g Only, Interface=management, Broadcast SSID=Enabled

WLANS-HQData-General

Security TAB: Layer 2: Layer 2 Security =WPA+WPA2, WPA2 Encryption=AES, Auth Key Mgmt=802.1x+CCKM

WLANS-HQData-Sec-L2

Security TAB: Layer 3:Layer 3 Security=None

Security TAB: AAA Servers: Radius Server Override Interface=Enabled, Authentication Server=Enabled, Accounting Server=Enabled, Authentication=Radius & Local

WLANS-HQData-Sec-AAA

Advanced TAB: Enable Session Timeout=1800 (you should consider changing this, otherwise the session will expire too soon; set it to 43200), DHCP Addr. Assignment=Required, Client Exclusion=Disabled (optional)

WLANS-HQData-Advan

 

Data (Remote)

The Data WLAN for the remote site will use FlexConnect local switching and central authentication. Create a new WLAN, enter the Profile Name as RemoteData, SSID as Data and ID as 3.

General Tab: Status=Enabled, Radio Policy=802.11b/g Only, Interface=management, Broadcast SSID=Enabled

WLANS-RemoteData-General

Security TAB: Layer 2: Layer 2 Security =WPA+WPA2, WPA2 Encryption=AES, Auth Key Mgmt=802.1x+CCKM

WLANS-RemoteData-Sec-L2

Security TAB: Layer 3:Layer 3 Security=None

Security TAB: AAA Servers: Radius Server Override Interface=Enabled, Authentication Server=Enabled, Accounting Server=Enabled, Authentication=Radius & Local

WLANS-RemoteData-Sec-AAA

Advanced TAB: Enable Session Timeout=1800 (you should consider changing this, otherwise the session will expire too soon; set it to 43200), DHCP Addr. Assignment=Required, Client Exclusion=Disabled (optional), FlexConnect Local Switching=Enabled

WLANS-RemoteData-Adv

 

AP Group Configuration

Now it's time to assign WLANs and APs to AP Groups and also to add the interface and VLAN mapping. We will be creating two AP Groups, one for local APs and one for remote APs.

WLANS TAB>Advanced>AP Group>Add Group

 

Local

Add new Group name Local (or whatever you like for your HQ Site)

Now for the new AP Group that we added do following

 

WLANs TAB>ADD New>WLAN SSID=DATA, Interface=HQData

WLANs TAB>ADD New>WLAN SSID=Guest, Interface=Guest

APGroups-WLANS

 

AP TAB: Check AP Box for Local AP and Click Add AP button

APGroups-AP

 

Remote

Add new Group name Remote (or whatever you like for your Remote Site)

Now for the new AP Group that we added do following

 

 

WLANs TAB>ADD New>WLAN SSID=DATA, Interface=management

WLANs TAB>ADD New>WLAN SSID=Guest, Interface=Guest

APGroups-Remote-WLANS

 

AP TAB: Check AP Box for Remote AP and Click Add AP button

APGroups-Remote-AP

 

FlexConnect Groups

 

These are required for roaming on remote site with APs using FlexConnect.

1. Go to Wireless>FlexConnect Groups>Press the New Button to create a new Group

2. Enter the Group Name as ‘HQ’ and press Apply

3. The new FlexConnect Group HQ will appear. Click on the group name and under the General tab add APs to the group.

4. Do the same by creating a second FlexConnect Group named ‘Remote’.

 

Connecting AP to the Network

You will use the ‘CiscoAironet-AP-to-LWAPP-Upgrade-Tool’ to convert your autonomous AP to lightweight. Use the guide below for this:

http://www.cisco.com/en/US/docs/wireless/access_point/conversion/lwapp/upgrade/guide/lwapnote.html

By using this tool you will not only assign an IP address to the AP but will also tell it the controller’s address.

 

Configure APs for FlexConnect

 

 

This will apply only to APs on remote site as local site APs will be local mode and will not be using FlexConnect.

1. Go to Wireless >Access Point> All APs and select the RemoteAP1

2. On the General Tab of RemoteAP1 select the AP mode to FlexConnect and click Apply. This will reset the AP

AP Set to FlexConnect

3. Once the AP is back online, you would see that now there is FlexConnect Tab available along with other Tabs of the AP configuration window.

4. Click on the FlexConnect tab and enable the check box for ‘VLAN Support’; also enter the native VLAN ID, which in our case is VLAN 3. Click ‘Apply’ and it should reset the AP.

5. Once AP is back on, Click on ‘VLAN Mapping’ button under FlexConnect tab.

6. Because this AP is remote we will be using the remote site VLAN mapping, so for Data we will use VLAN 18. This means that all traffic for the WLAN Data will use VLAN 18 at the remote site.

FlexConnect-RemoteAP-Flex-VlanMAP
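The same build, from the dynamic interfaces through the WLANs, AP Groups, FlexConnect Groups and the remote AP steps above, expressed on the WLC CLI as an added example that is not part of the original post. It follows the post's values (VLAN 3 management, VLAN 18 remote Data, VLAN 20 Guest, WLAN IDs 2 and 3, profile names LocalData and RemoteData, AP mode FlexConnect, groups Local/Remote/HQ, session timeout 43200); WLAN ID 1 for Guest, VLAN 17 for HQ Data, the RADIUS server index 1 and its address, all IP addresses, the AP names and the AP MAC are assumptions. Lines beginning with `!` are commentary, not WLC commands.

```cisco
! ===== Dynamic interfaces (Controller > Interfaces); addresses are placeholders =====
config interface create HQData 17
config interface vlan HQData 17
config interface address HQData 192.0.2.10 255.255.255.0 192.0.2.1
config interface create Guest 20
config interface vlan Guest 20
config interface address Guest 203.0.113.10 255.255.255.0 203.0.113.1
! Fence the guest VLAN: build GUEST-ACL first (Security > Access Control Lists),
! permit DHCP/DNS and Internet, deny the internal ranges, then bind it here
config interface acl Guest GUEST-ACL
!
! ===== RADIUS server for the Data WLANs (index 1 assumed; address/secret placeholders) =====
config radius auth add 1 198.51.100.30 1812 ascii <SHARED-SECRET>
config radius acct add 1 198.51.100.30 1813 ascii <SHARED-SECRET>
!
! ===== WLAN 1 Guest: open L2, web-auth L3 against local users, centrally switched =====
config wlan create 1 Guest Guest
config wlan radio 1 802.11bg
config wlan interface 1 management
config wlan security wpa disable 1
config wlan security web-auth enable 1
config wlan session-timeout 1 43200
config wlan dhcp_server 1 0.0.0.0 required
config wlan broadcast-ssid enable 1
config wlan enable 1
!
! ===== WLAN 2 Data (HQ): WPA2-AES, 802.1X + CCKM, RADIUS, centrally switched =====
config wlan create 2 LocalData Data
config wlan radio 2 802.11bg
config wlan interface 2 management
config wlan security wpa enable 2
config wlan security wpa wpa1 disable 2
config wlan security wpa wpa2 enable 2
config wlan security wpa wpa2 ciphers aes enable 2
config wlan security wpa akm 802.1x enable 2
config wlan security wpa akm cckm enable 2
config wlan radius_server auth add 2 1
config wlan radius_server acct add 2 1
config wlan radius_server overwrite-interface enable 2
config wlan session-timeout 2 43200
config wlan dhcp_server 2 0.0.0.0 required
config wlan enable 2
!
! ===== WLAN 3 Data (remote): identical L2 security, but FlexConnect locally switched =====
config wlan create 3 RemoteData Data
config wlan radio 3 802.11bg
config wlan interface 3 management
config wlan security wpa enable 3
config wlan security wpa wpa1 disable 3
config wlan security wpa wpa2 enable 3
config wlan security wpa wpa2 ciphers aes enable 3
config wlan security wpa akm 802.1x enable 3
config wlan security wpa akm cckm enable 3
config wlan radius_server auth add 3 1
config wlan radius_server acct add 3 1
config wlan session-timeout 3 43200
config wlan dhcp_server 3 0.0.0.0 required
config wlan flexconnect local-switching 3 enable
config wlan enable 3
!
! ===== AP Groups: WLAN-to-interface mapping per site, then AP membership =====
config wlan apgroup add Local
config wlan apgroup interface-mapping add Local 2 HQData
config wlan apgroup interface-mapping add Local 1 Guest
config ap group-name Local HQ-AP1
config wlan apgroup add Remote
config wlan apgroup interface-mapping add Remote 3 management
config wlan apgroup interface-mapping add Remote 1 Guest
config ap group-name Remote RemoteAP1
!
! ===== FlexConnect Groups (roaming at the remote site); AP MAC is a placeholder =====
config flexconnect group HQ add
config flexconnect group Remote add
config flexconnect group Remote ap add 00:00:5e:00:53:01
!
! ===== Remote AP: FlexConnect mode, native VLAN 3, WLAN 3 mapped to VLAN 18 =====
config ap mode flexconnect RemoteAP1
config ap flexconnect vlan enable RemoteAP1
config ap flexconnect vlan native 3 RemoteAP1
config ap flexconnect vlan wlan 3 18 RemoteAP1
save config
!
! Verification
show wlan summary
show wlan 3
show ap config general RemoteAP1
show flexconnect group summary
```

Two things worth checking in the verification output: `show wlan 3` must list FlexConnect local switching as enabled, and `show ap config general RemoteAP1` must show the AP in FlexConnect mode with WLAN 3 mapped to VLAN 18 and native VLAN 3. Note that the CLI names and `flexconnect` keywords match release 7.2 as referenced in the post; earlier releases use `hreap` in the same positions.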

 

That is all you need to configure for the remote AP. You may also want to configure High Availability on the APs if you have two controllers, which you normally would. The configuration for the local AP is simple enough, as it works in local mode and all traffic goes back to the controller for switching.

 

 

Feedback

Hope you find this post helpful. Leave your comments if you need clarification on any point or want to know more about this. I followed Cisco guides to implement all this but wanted to write up a simple way of doing it, and also to explain it better to myself and to everyone.

 

References

http://www.cisco.com/en/US/docs/wireless/controller/7.2/configuration/guide/cg.html

https://supportforums.cisco.com/docs/DOC-24082

27 comments


  1. josip

    Hi,
    i have some problems with my LAN configuration on my cisco devices. I have connected my WLC (cisco 2504) on switch (cisco catalyst 2960 series) and AP (air lap 1041n) on WLC, AP is joined. Now i have problem with internet access, this topology is connected on LAN in my lab (all computers in LAN have internet) and through the LAN in my lab i should have internet, but that is not happening. what i should do?
    thanks
    Josip

  2. xerunetworks

    Hi, Sorry for late reply. The data plane from remote site is only for Guest VLAN 20. The Data VLAN 18 on remote site is still locally switched. So what I wanted to say is that still you can have a mix of centrally switched and locally switched SSIDs for a site.
    Well, yes that would be a problem if you move to central switching for this is prepared keeping in mind that a lot of organization have same VLAN numbering policy for remote sites and local site. For example VLAN for wireless users can be same on all sites or Server VLAN on all sites can be same. Now because its locally significant it would ideally stay local.

  3. Marco

    Hello,
    nice article.
    I don’t understand why, for remote APs, you drew data plane as tunneled, but then you configure flexconnect. As far as I know data plane is not tunneled.
    Am I missing something?

    Moreover I have another doubt: you used the same VLAN ID for Guest and Data VLAN on remote site and HQ. Could it be a problem in case you want to configure centralized switching for remote site too??

  4. Mikey

    I have a situation for you. We use h-reap across 60+ site. only 2 vlans (vlan 5, 300) one is for guests and one is for corporate. at one location the wired and wireless network (vlan 5) is full. The dhcp scope is full. I want to break up the wireless and wired users. So, can I create another wireless vlan for just this one site and give it a new subnet? and leave the wired uses on the same vlan 5? Vlan 5 is the native vlan and vlan 300 is the guest network.

    1. xerunetworks

      I don't see any issue with creating another VLAN, SSID and DHCP scope. You will remove vlan 5 from the WLC config and also from Trunk with AP. Also, you will make new VLAN native on trunk to AP. However, the best practice is to have a new management VLAN and configure APs IP as per new management. You can also use new management VLAN as native on the trunk. Also, you will allow only certain VLANs on the trunk such that it's not bombarded with unrelated traffic from other VLANs. Make sure to clear ARP and MAC address table on switches if you wish to decide changing the AP IP addresses.

  5. mtb2000

    I have the same situation as you have described in your article, But as soon as I enable an Accesspoint the connection to my branch office shows time-outs and delays when I execute a ping.
    Do you have an idea of what that can be?

    1. xerunetworks

      Can you make sure you are not having a routing issue and also make sure that the delay and congestion on WAN link is tolerant for a remote installation. The WAN requirements are discussed in the following cisco design document

      http://www.cisco.com/en/US/products/ps11635/products_tech_note09186a0080b7f141.shtml#wan

  6. David Hecht

    Thanks for the great lab post but I have a question?
    If the guest WLAN at the remote site is centrally switched, does the HQ router terminate that gateway (20.18.20.1/24) instead of the Remote router? For that matter why is the guest subnet different, shouldn't they be the same subnet? If not why is there no WLC interface set up for the remote site guest net? These questions are for my education only. Thanks.

    1. xerunetworks

      you are absolutely right, the guest subnet needs to be same or we will have to create a new interface or use subinterface for the second subnet. So, the best practice would be use different subnet for each guest SSID on remote site. I will fix the diagram. Thanks for feedback.

      1. Santhosh

        Thanks for the awesome article 🙂

        Few questions to clarify pls,

        we have to create WLC interface for branch data and branch guest as well and if we create branch guest gateway to be branch office router IP then how will we secure the access between guest and branch office data network when intervlan routing is enabled on branch router ?

        Do we have to enable ACLs on the branch router as well ?

        I created DMZ network on my firewall and used this as gateway for the guest network and created firewall rules between DMZ and internal to restrict access…this working prefect for HQ location where the vWLC and firewall are all local…

        I am not sure how the remote branch AP will work in this situation ? If I create WLC interface for branch guest and assign gateway IP to HQ firewall DMZ will the traffic from branch office Guest network tunnel back to WLC and terminate to my firewall DMZ ?

        if so, what network will it use to send the tunnel traffic – is it using mgmt network or the guest network ?

        1. Santhosh

          I got the answer – and all working now.

          All data on local switching and guest network on central switching.

  7. Deshike Deshapriya

    I have a different requirement. One 2504 WLC in main site and 1042 APs in remote site. I have internet links in both main and remote site.  I need Guest(in remote site) traffic to pass from the remote internet link rather utilizing VPN link and central internet link. Is this possible? Is there a way if i can publish central site WLC to internet so that remote guest access to web portal through remote site internet link?

    1. xerunetworks

      yes it is possible that guest traffic flows over the vpn link to the central WLC, you have to use central authentication and central authentication for Guest SSID. It will forward all traffic to central site and internet connection on central site will be used.

  8. Deshike Deshapriya

    does wlc guest access and web auth are two different features or they both require to function properly.

  9. Gene

    Are there any 5508 WLC in a lab environment we can log into?
    Or a virtual machine with read access only?
    Thanks
    ,Gene

    1. xerunetworks

      you'd be lucky to find such setup as this is costly hardware

  10. Rohit Sood

    hi
    Very good documentation for a newbie.

    1. Techy14344

      That's a very good documentation indeed ! More power
