Guide to configuring eduroam using a Cisco wireless controller Best ...

More documents

Recommendations

Info

Introduction This document is a guide to configuring eduroam in a Cisco controller-based environment, i.e. a configuration based on one or more Cisco controllers which govern the traffic to and from Cisco lightweight access points (LAP). The guide applies both to Cisco 5500 Series and 4400 Series controllers (WLC). Any differences in configuration between the 5500 Series and the 4400 Series are specified. In principle the guide will also apply to wireless systems provided by suppliers other than Cisco. For information on the configuration and operation of IEEE 802.1X, see UFS112 [1]. The description in this case is based on the use of autonomous access points, but the principle will be the same. In a controller system it is the controller which acts on behalf of the access point, including issues regarding the RADIUS authentication of users. When configuring a controller-based wireless network, there are many things which need to be planned and performed in the correct order. The main points are dealt with in the following chapters: 6 1. Network planning 2. Configuring RADIUS 3. Configuring a controller 4. Radio planning 5. Physical installation of access points. As an alternative to a controller-based system, a configuration may be chosen which is based on autonomous access points. However, in the interests of security, this is not recommended. A configuration using autonomous access points requires the use of a dot1q trunk with all the necessary VLAN connections to an access point. Since access points can be located in open areas with roundthe-clock access, with a little knowledge a user may be able to replace an access point with a PC which in turn would be able to access VLANs that it should not be able to access, or act as an intermediary in a man-in-the-middle attack. Guidelines for how to configure eduroam without the use of a controller are nevertheless provided in Attachment A.
1 Network planning 1.1 Necessary components The number of access points and the type of controller(s) may be evaluated depending on the size and layout of the premises. Refer to Chapter 4 Radio planning, for guidelines for estimating the number of access points. Remember to allow for estimated growth in the coming years, bearing in mind the radio-related limitations in effect. The type of controller should be considered on the basis of the estimated total number of access points. For larger installations, the latest 5508 controller (with eight GE ports) is currently recommended. This is capable of handling up to 12, 25, 50, 100, 250 or 500 access points, depending on which licence one purchases. It is easy to expand the number of licences later. The 4400 Series includes two different products: 4402 (with two GE ports) and 4404 (with four GE ports). In addition there is the WiSM module for the Catalyst 6500. The WiSM consists of two 4404 controllers each with four rear-facing GE ports, each of which can handle up to 150 access points. In larger installations one should consider using more controllers, for the sake of fault tolerance. Each access point may be configured to use a primary and a secondary controller (and a tertiary one if desired). Note also that UNINETT has a WiSM module in its spare parts storeroom which may be sent out in the event of serious operational problems. If one only has a single controller, WCS (Wireless Control System) management software is strictly speaking not necessary. It is perfectly possible to manage with a web-based management interface directly to the controller. However, if several controllers are used, WCS is recommended. For the mapping and monitoring of all the Wi-Fi units in a wireless network, to produce plan drawings and so on, a dedicated hardware product, MSE (Mobility Service Engine) should be obtained. MSE can handle up to 18,000 Wi-Fi units (clients and access points) and can be integrated with WCS. An option is an LA (Location Appliance), which can handle up to 2500 Wi-Fi units (and can also be integrated with WCS, up to version 6.0). 1.2 IP addresses and subnets It is necessary to plan which IP addresses and VLANs are to be used for the various purposes: • The Wireless LAN Controller (WLC) must have administrative IP addresses • Any Wireless Control System (WCS), Mobility Service Engine (MSE) and/or Location Appliance (LA) must have IP addresses • The access points must have management IP addresses which should be separated on a dedicated subnet. • Users must have their own subnet or user class. The controller must also have one IP address per user subnet. 7
Page 1 and 2: Guide to configuring eduroam using
Page 3 and 4: Table of Contents Executive Summary
Page 5: Executive Summary UFS127 is a UNINE
Page 9 and 10: established by means of the Managem
Page 11 and 12: http://www.cisco.com/en/US/tech/tk7
Page 13 and 14: authentication can be completed. He
Page 15 and 16: Management Interface Netmask: 255.2
Page 17 and 18: 3.2 Further configuration via web b
Page 19 and 20: Path: Security → RADIUS → Accou
Page 21 and 22: Under General, the WLAN can be enab
Page 23 and 24: Security Layer 3 shall be “None
Page 25 and 26: What one selects under QoS depends
Page 27 and 28: 3.2.4 Connecting access points Afte
Page 29 and 30: 3.2.5 Further details Once a access
Page 31 and 32: operating and/or the cabling is not
Page 33 and 34: A. Configuration using autonomous a
Page 35 and 36: A.3 RADIUS configuration Go to SECU
Page 37 and 38: B. Configuring Microsoft RADIUS ser
Page 39 and 40: Step 3: Adding clients in IAS The c
Page 41 and 42: Step 5: Connection Request Policies
Page 43 and 44: Create a Connection Request Policy
Page 45 and 46: • Click on “OK”, then “Next
Page 47 and 48: User ola.nordmann was granted acces
Page 49 and 50: • Type in a “Friendly Name”
Page 51 and 52: Step 4: Connection Request Policies
Page 53 and 54: Step 5: Network Policies Remote Acc
Page 55 and 56: Step 7: Logging NPS adds log entrie
Page 57 and 58:
oot@sirius:~/tmp$ openssl x509 -noo
Page 59 and 60:
Glossary CAPWAP Control And Provisi
show all

Guide to configuring eduroam using a Cisco wireless controller Best ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?