Guide to configuring eduroam using a Cisco wireless controller Best ...
Introduction
This document is a guide to configuring eduroam in a Cisco controller-based environment, i.e. a
configuration based on one or more Cisco controllers which govern the traffic to and from Cisco
lightweight access points (LAP). The guide applies both to Cisco 5500 Series and 4400 Series
controllers (WLC). Any differences in configuration between the 5500 Series and the 4400 Series are
specified.
In principle the guide will also apply to wireless systems provided by suppliers other than Cisco.
For information on the configuration and operation of IEEE 802.1X, see UFS112 [1]. The description in
this case is based on the use of autonomous access points, but the principle will be the same. In a
controller system it is the controller which acts on behalf of the access point, including issues
regarding the RADIUS authentication of users.
When configuring a controller-based wireless network, there are many things which need to be
planned and performed in the correct order. The main points are dealt with in the following chapters:
1. Network planning
2. Configuring RADIUS
3. Configuring a controller
4. Radio planning
5. Physical installation of access points.
As an alternative to a controller-based system, a configuration may be chosen which is based on
autonomous access points. However, in the interests of security, this is not recommended. A
configuration using autonomous access points requires the use of a dot1q trunk with all the necessary
VLAN connections to an access point. Since access points can be located in open areas with round-the-clock
access, with a little knowledge a user may be able to replace an access point with a PC
which in turn would be able to access VLANs that it should not be able to access, or act as an
intermediary in a man-in-the-middle attack. Guidelines for how to configure eduroam without the use
of a controller are nevertheless provided in Attachment A.
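The trunk exposure described above can be audited from the switch side. The following Python script is an added example, not part of the original guide: it assumes Cisco IOS-style switch port configuration, and the sample configuration, interface names, descriptions and VLAN numbers are constructed for illustration.

```python
import re

# Constructed sample switch configuration (not from the guide): two ports
# feeding autonomous APs over dot1q trunks, one feeding a lightweight AP.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 description autonomous-ap-lobby
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,30-32
 switchport mode trunk
!
interface GigabitEthernet0/2
 description lap-lobby
 switchport access vlan 100
 switchport mode access
!
interface GigabitEthernet0/3
 description autonomous-ap-library
 switchport mode trunk
!
"""

def expand_vlans(spec):
    """Expand a plain IOS VLAN list such as '10,20,30-32' into a sorted list."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return sorted(vlans)

def trunk_exposure(config):
    """Return {interface: VLANs reachable by whatever is plugged into it}
    for every port in trunk mode; access ports are omitted."""
    exposure = {}
    for block in re.split(r"^!\s*$", config, flags=re.M):
        name = re.search(r"^interface (\S+)", block, flags=re.M)
        if not name or not re.search(r"^\s*switchport mode trunk\s*$", block, flags=re.M):
            continue
        allowed = re.search(r"^\s*switchport trunk allowed vlan (\S+)", block, flags=re.M)
        # With no allowed-vlan statement an IOS trunk carries all VLANs (1-4094).
        # Assumption: the statement is a plain list, not the add/remove/except forms.
        exposure[name.group(1)] = expand_vlans(allowed.group(1) if allowed else "1-4094")
    return exposure

if __name__ == "__main__":
    for port, vlans in trunk_exposure(SAMPLE_CONFIG).items():
        scope = "ALL VLANs" if len(vlans) == 4094 else f"VLANs {vlans}"
        print(f"{port}: trunk to edge device exposes {scope}")
```

The port feeding the lightweight access point does not appear in the result because it is an access port in a single VLAN, which is the property the controller-based design relies on.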