Configuring WPA2-Enterprise on WLAN

ItsMe
9 min read · Nov 16, 2022


In this exercise, we are tasked with setting up a network for a large organization. We previously set up a wireless network with WPA2-PSK, but that security standard does not scale well: WPA2-PSK depends on a single pre-shared key (PSK) which, if it falls into the hands of nefarious actors, compromises the entire network. The solution is WPA2-Enterprise, which uses certificates to authenticate the users that would like to join the network. We will therefore need a RADIUS server that handles the issuing of the certificates or keys. These keys then act as session keys that tell the Access Points whether or not to allow a given device access.

Figure: Network Architecture
Figure: Network Addresses Table

The objectives of this exercise are:

· Configure a new VLAN interface on a WLC.

· Configure a new WLAN on a WLC.

· Configure a new scope on the WLC internal DHCP server.

· Configure the WLC with SNMP settings.

· Configure the WLC to use a RADIUS server to authenticate WLAN users.

· Secure a WLAN with WPA2-Enterprise.

· Connect hosts to the new WLAN.

Note: Activities in this exercise re-use passwords. This is not good practice and was set up this way for ease of demonstration. Use complex password strategies in real-world deployments.

Part 1: Creating New Wireless LAN (WLAN)

In order to configure a WLAN on a Wireless LAN Controller (WLC), we need to configure a dynamic interface for it. Every WLAN needs a dynamic interface, which is essentially a virtual interface that has been assigned a VLAN ID so that traffic generated from it is tagged as VLAN traffic. The connections between the Access Points, router and WLC are over trunk ports. For traffic from multiple WLANs to be transmitted through the network, traffic for the WLAN VLANs must be trunked.

In order to create the VLAN, follow these steps.

1. Open the browser from the desktop of Admin PC. Connect to the IP address of the WLC over HTTPS.

2. Login with the username admin and password Cisco123.

3. Click the Controller menu and then click Interfaces from the menu on the left. You will see the default virtual interface and the management interface to which you are connected.

4. Click the New button in the upper right-hand corner of the page. You may need to scroll the page to the right to see it.

5. Enter the name of the new interface. We will call it WLAN-5. Configure the VLAN ID as 5. This is the VLAN that will carry traffic for the WLAN that we create later. Click Apply. This leads to a configuration screen for the VLAN interface.

6. First, configure the interface to use physical port number 1. Multiple VLAN interfaces can use the same physical port because the physical interfaces are like dedicated trunk ports.

7. Address the interface as follows:

· IP Address: 192.168.5.254

· Netmask: 255.255.255.0

· Gateway: 192.168.5.1

· Primary DHCP server: 192.168.5.1

The default gateway for devices using this WLAN is an address on R-1. This router has a DHCP pool configured on it. The WLC will forward all DHCP requests from the WLAN’s VLAN to R-1.

8. Be sure to click Apply to enact your changes and click OK to respond to the warning message. Click Save Configuration so that your configuration will be in effect when the WLC restarts.

Next, we need to configure the WLC to recognize and use the RADIUS Server for authentication of users on the WLAN. Individual user accounts with their usernames and passwords can be managed on the RADIUS server. In order to set this up, follow these steps:

1. Click on the Security menu of the WLC.

2. Click the New button and enter the IP address of the RADIUS server in the Server IP Address field.

3. The RADIUS server will authenticate the WLC before it will allow the WLC to access the user account information that is on the server. This requires a shared secret value. Use Cisco123. Confirm the shared secret and click Apply.

We are now ready to create a WLAN on the WLC. Use these steps to create a WLAN with the SSID SSID-5:

1. Click the WLANs entry in the menu bar. Locate the dropdown box in the upper right-hand corner of the WLANs screen. It will say Create New. Click Go to create a new WLAN.

2. Enter the Profile Name of the new WLAN. Use the profile name Floor 2 Employees. Assign an SSID of SSID-5 to the WLAN. Change the ID drop down to 5. Hosts will need to use this SSID to join the network. When you are done, click Apply to accept your settings.

Note: The ID is an arbitrary value that is used as a label for the WLAN. It can be any available number. In this case 5 was chosen for uniformity.

3. Click Apply so that the settings go into effect.

4. Now that the WLAN has been created you can configure features of the network. Click Enabled to make the WLAN functional. It is a common mistake to accidentally skip this step.

5. Choose the VLAN interface that will be used for the new WLAN. The WLC will use this interface for user traffic on the network. Click the drop-down box for Interface/Interface Group (G). Select the interface that we created in Step 1.

6. Go to the Advanced tab. Scroll to FlexConnect section of the interface.

7. Click to enable FlexConnect Local Switching and FlexConnect Local Auth.

8. Click Apply to enable the new WLAN. If you forget to do this, the WLAN will not operate.

We also need to configure WLAN security since we are going to be using WPA2-Enterprise instead of WPA2-PSK to authenticate users on the WLAN. Follow these steps to set this up via the WLC:

1. Click the WLAN ID of the newly created WLAN to continue configuring it, if necessary.

2. Click the Security tab. Under the Layer 2 tab, select WPA+WPA2 from the drop-down box.

3. Under WPA+WPA2 Parameters, enable WPA2 Policy. Click 802.1X under Authentication Key Management. This tells the WLC to use the 802.1X protocol to authenticate users externally.

4. Click the AAA Servers tab. Open the drop-down next to Server 1 in the Authentication Servers column and select the server that we configured in Step 2.

5. Click Apply to enact this configuration. You have now configured the WLC to use the RADIUS server to authenticate users that attempt to connect to the WLAN.

Part 2: Configuring DHCP Scope and SNMP

The WLC offers its own internal DHCP server. Cisco recommends that the WLC internal DHCP server not be used for high-volume DHCP service, such as that required by larger user WLANs. However, in smaller networks, the internal DHCP server can be used to provide IP addresses to LAPs that are connected to the wired management network. In this step, we will configure a DHCP scope on the WLC and use it to address LAP-1.

1. You should still be connected to the WLC GUI from the Admin PC.

2. Click the Controller menu and then click Interfaces. We can see 3 interfaces listed: WLAN-5, management and virtual.

3. Click the management Interface. Record its addressing information.

a. IP Address: 192.168.200.254

b. Netmask: 255.255.255.0

c. Gateway: 192.168.200.1

d. Primary DHCP Server: 192.168.200.1

4. We want the WLC to use its own DHCP server to provide addressing to devices on the wireless management network, such as lightweight APs. For this reason, enter the IP address of the WLC management interface as the primary DHCP server address. Click Apply. Click OK to acknowledge any warning messages that appear.

5. In the left-hand menu, expand the Internal DHCP Server section. Click DHCP Scope.

6. To create a DHCP scope, click the New… button.

7. Name the scope Wired Management. You will configure this DHCP scope to provide addresses to the wired infrastructure network that connects the Admin PC, WLC-1, and LAP-1.

8. Click Apply to create the new DHCP scope.

9. Click the new scope in the DHCP Scopes table to configure addressing information for the scope. Enter the following information.

a. Pool Start Address: 192.168.200.240

b. Pool End Address: 192.168.200.249

c. Status: Enabled

d. Network (Ref. Step 1): 192.168.200.0

e. Netmask (Ref. Step 1): 255.255.255.0

f. Default Routers (Ref. Step 1): 192.168.200.1

10. Click Apply to activate the configuration. Click Save Configuration in the upper-right-hand corner of the WLC interface to save your work so that it is available when the WLC restarts.

The internal DHCP server on the WLC will provide an IP address to the LAP after a brief delay. A CAPWAP tunnel is established once the LAP has its IP address, and this allows LAP-1 to provide access to the WLAN we created (SSID-5). Ensure the values entered in the DHCP scope are accurate, or your Lightweight AP will have trouble obtaining an IP address. Hovering your mouse over LAP-1 should show you something like this:

Figure: LAP-1 Information

We can configure SNMP so that we receive alerts and notifications from the network. This uses trap receivers. This is how it is configured through the WLC:

1. Click the Management menu in the WLC GUI and expand the entry for SNMP in the left-hand menu.

2. Click Trap Receivers and then New…

3. Enter the community string as WLAN_SNMP and the IP address of the server at 172.31.1.254.

4. Click Apply to finish the configuration.

Use the Save Configuration button at the top right-hand corner of the WLC GUI at all times to keep the configuration from resetting after a reboot.
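For reference, the Part 1 and Part 2 settings above, expressed as Cisco AireOS WLC CLI commands. This is an added example, not part of the exercise; it assumes a real AireOS controller (the Packet Tracer WLC is driven through its GUI and may not accept these commands), a RADIUS server at 172.31.1.254 listening on UDP 1812, and a hyphenated scope name because spaces in CLI names are avoided here.

```text
# Added example: AireOS CLI equivalent of the GUI steps (assumed syntax, not from the exercise)

# Dynamic interface WLAN-5 on VLAN 5, bound to physical port 1
config interface create WLAN-5 5
config interface port WLAN-5 1
config interface address dynamic-interface WLAN-5 192.168.5.254 255.255.255.0 192.168.5.1
config interface dhcp dynamic-interface WLAN-5 primary 192.168.5.1

# RADIUS authentication server as index 1 (shared secret re-used from the exercise)
config radius auth add 1 172.31.1.254 1812 ascii Cisco123

# WLAN 5 with profile "Floor 2 Employees" and SSID-5, carried on WLAN-5
config wlan create 5 "Floor 2 Employees" SSID-5
config wlan interface 5 WLAN-5

# WPA2 with 802.1X key management only: PSK explicitly off, RADIUS server 1 attached
config wlan security wpa enable 5
config wlan security wpa wpa2 enable 5
config wlan security wpa akm psk disable 5
config wlan security wpa akm 802.1x enable 5
config wlan radius_server auth add 5 1
config wlan enable 5

# Internal DHCP scope for the wired management network (LAP addressing)
config dhcp create-scope Wired-Management
config dhcp network Wired-Management 192.168.200.0 255.255.255.0
config dhcp address Wired-Management 192.168.200.240 192.168.200.249
config dhcp default-router Wired-Management 192.168.200.1
config dhcp enable Wired-Management

# SNMP trap receiver; the receiver name doubles as the community string
config snmp trapreceiver create WLAN_SNMP 172.31.1.254
config snmp trapreceiver mode enable WLAN_SNMP

# Persist across reboots (same as the GUI's Save Configuration button)
save config
```

The `akm psk disable` line makes the security posture auditable: a WLAN that still accepts PSK alongside 802.1X has not actually left WPA2-PSK behind.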

Part 3: Connect Hosts to Network

In order to connect the wireless host to the network, we need to create a profile that will capture all the necessary information that will let it authenticate and connect. Go to the Wireless Host (Laptop) in the topology and open the PC Wireless App from its Desktop.

1. Click the Profiles tab and then click New to create a new profile. Name the profile WLC NET.

2. Highlight the Wireless Network Name for the WLAN that we created earlier and click Advanced Setup.

3. Verify that the SSID for the wireless LAN is present and then click Next. Wireless Host should see SSID-5. If it does not, move the mouse over LAP-1 to verify that it is communicating with the WLC. The popup box should indicate that LAP-1 is aware of SSID-5. If it is not, check the WLC configuration. You can also manually enter the SSID.

4. Verify that the DHCP network setting is selected and click Next.

5. In the Security drop down box, select WPA2-Enterprise. Click Next.

6. Enter login name user1 and the password User1Pass and click Next.

7. Verify the Profile Settings and click Save.

8. Select the WLC NET profile and click the Connect to Network button. After a brief delay, you should see the Wireless Host connect to LAP-1. You can click the Fast Forward Time button to speed up the process if it seems to be taking too long.

9. Confirm that Wireless Host has connected to the WLAN. Wireless Host should receive an IP address from the DHCP server that is configured for hosts on R-1. The address will be in the 192.168.5.0/24 network. You may need to click the Fast Forward Time button (Alt + D) to speed up the process.

Once connected, we will test the device’s connectivity in the network. We expect it to receive an IP address in the network 192.168.5.0/24, because that is the DHCP pool configured on R-1, which serves DHCP for the WLAN SSID-5. To do this, open a command prompt window and issue the ipconfig command to see what IP address the device has. Alternatively, hover over the device in the topology to view its IP address.

To confirm interconnectivity within the network, we will ping the switch SW-1 (192.168.200.100) and the RADIUS server (172.31.1.254).

Figure: Pings from Wireless Host to SW-1
Figure: Pings from Wireless Host to RADIUS Server
