Some questions for WLC guest network, and AP directly connection

Apr 20th, 2012

I am using a Cisco Wireless Controller 2500 and a few APs (3501).

I used a VLAN to pipe the APs across the switches into the WLC and set up Windows 2008 NPS with an AD server certificate (issued by the AD CA) installed.

1. With office notebook PCs on the AD domain, I set up WLANs with layer 2 [WPA2][802.1X] to authenticate the computer account to the NPS server as well as verify the AD server certificate.

Can someone comment on whether this setting is GOOD enough for user authentication and data encryption?

2. When I set up the guest WLAN, I used [WPA2][802.1X] to authenticate "guest user" accounts (info passed to the guest with 1-day expiration) to NPS, but the problem is that the guest laptop's Windows did not trust my AD server certificate. I am thinking of installing on the NPS a server certificate purchased from a public CA.

Can someone comment on whether this is secure? As I see it, everyone around the office area could use their laptop to guess the user/password and try to connect to the Guest SSID.

3. I also checked the forum about using layer 3 security only ("Web authentication") against the NPS guest account, but there seems to be no encryption at all, and what about the authentication - plain text?

4. I want to connect some APs directly to WLC port 3 or port 4, which are PoE, but how do I configure the WLC so all WLANs or virtual interfaces can be broadcast on all APs?

Please help. Thanks,

GPING

Scott Fella Sat, 04/21/2012 - 03:40

GPING,


#1 is fine and it is secure. Using WPA2-AES and 802.1X is good for your internal network.

#2 & #3 guest access: I will always use no layer 2 encryption but will use a WebAuth page for the guest username and password. I will not put guest usernames in AD nor use RADIUS to authenticate these guest users. I will enter all guest IDs in the WLC.

#4 you can search the forum on this one. While you can put APs on ports 3 & 4, it's not supported by TAC and you are limited in what you can do. If you do use the ports, the APs will be placed on the same VLAN as the management interface. You might as well just use a switch if you ask me... The WLC isn't a switch.


Thanks,


Scott Fella


Sent from my iPhone

gping2005 Sat, 04/21/2012 - 18:02

Thanks Scott, now I can get the WLANs for internal users settled.

With guest access, I plan to provide it to contractors / trainees / even visitors / office app testers.

I haven't put time into WLC user creation yet, but how do I control things like 100+ guest accounts / password complexity / expiration / renewal / auto-disconnect after expiry / and also the authentication method and data encryption, etc.?

With #4 (connecting APs directly to the WLC) I will drop the idea as you suggested.

However, I do have some departments in other subnets (via a router). Is there any way to install APs there and then route back to the WLC for central configuration? If possible I can make new subnets for their department's wireless users, while the majority of wireless users in HQ are assigned IPs in the same subnet as their wired PCs (sharing the same DHCP pools), as the business requires. Is it wise?


Thanks. GPING

Scott Fella Sat, 04/21/2012 - 18:16

Well, when you talk about guest users, these users should be true guest users: non-company employees that need access to the Internet only. Don't try to mix things together, like users that are in AD or need to access corporate devices or apps. Using multiple VLANs, you can ACL what is allowed and what isn't. As far as APs on a different subnet, as long as there is routing between the subnet the AP is on and the WLC, you should have no problems. Stage the AP first.... Once the AP has joined the WLC, then move it to the other subnet. Break down what users require what access and that will determine how many subnets you need and possibly SSIDs.


Thanks,


Scott Fella


Sent from my iPhone

gping2005 Sat, 04/21/2012 - 18:46

"Stage the ap first.... Once the ap has joined the wlc,"

- do you mean "manually set up a static (rather than DHCP) IP address on the AP, and tell the AP where the WLC is" via console?

I will try the AP configuration via console, then HTTP once the IP is set up.


Thanks.

GPing

Scott Fella Sat, 04/21/2012 - 18:52

No... Staging means first letting the AP join the WLC before you move it to a different subnet. Putting an AP on the same subnet as the WLC is the easiest way. There is also option 43 in DHCP, and DNS, to help find the WLC.


Thanks,


Scott Fella


Sent from my iPhone
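
The DHCP option 43 encoding Scott refers to above, as an added example that is not part of the thread: Cisco lightweight APs look for vendor sub-option type 0xF1 in option 43, whose value is a one-byte length followed by one 4-byte IPv4 management address per controller, and the usual hand-encoding mistake is a length byte that does not match the data. The Python below builds that hex string, decodes and validates one, and renders a Cisco IOS DHCP pool for an AP VLAN around it. The pool name, network and controller addresses are constructed sample values, and the `option 43 hex` rendering assumes IOS syntax; check it against whatever DHCP server the department actually uses.

```python
import ipaddress

# Vendor sub-option that Cisco lightweight APs read from DHCP option 43:
# type 0xF1, a one-byte length, then one 4-byte IPv4 address per controller.
CISCO_WLC_SUBOPTION = 0xF1


def wlc_option43_hex(controllers):
    """Encode WLC management IPs as the option 43 payload, returned as hex."""
    addrs = [ipaddress.IPv4Address(c) for c in controllers]
    if not addrs:
        raise ValueError("at least one controller address is required")
    payload = b"".join(a.packed for a in addrs)
    if len(payload) > 255:
        raise ValueError("too many controllers for a one-byte length field")
    return (bytes([CISCO_WLC_SUBOPTION, len(payload)]) + payload).hex()


def parse_option43(hexstr):
    """Decode an option 43 hex string back into controller IPs.

    Rejects the usual hand-encoding mistakes: wrong sub-option type, a
    length byte that does not match the data, or a truncated address.
    """
    raw = bytes.fromhex(hexstr.replace(".", ""))  # tolerate dotted-hex input
    if len(raw) < 2 or raw[0] != CISCO_WLC_SUBOPTION:
        raise ValueError("not a Cisco WLC sub-option (expected type 0xF1)")
    length, body = raw[1], raw[2:]
    if length == 0 or length != len(body) or length % 4 != 0:
        raise ValueError(f"length byte {length} does not match {len(body)} data bytes")
    return [str(ipaddress.IPv4Address(body[i:i + 4])) for i in range(0, length, 4)]


def ios_dhcp_pool(name, network, mask, gateway, controllers):
    """Render a Cisco IOS DHCP pool for the AP VLAN with option 43 filled in."""
    return "\n".join([
        f"ip dhcp pool {name}",
        f" network {network} {mask}",
        f" default-router {gateway}",
        f" option 43 hex {wlc_option43_hex(controllers)}",
    ])


if __name__ == "__main__":
    # Sample values (constructed for this example): AP VLAN 10.20.30.0/24 at a
    # department site, two HQ controllers.
    print(ios_dhcp_pool("AP-VLAN", "10.20.30.0", "255.255.255.0", "10.20.30.1",
                        ["10.1.1.10", "10.1.1.11"]))
```

Give the AP VLAN its own pool so only APs receive this option; other clients on a shared scope would get the same bytes and simply ignore them, but a dedicated scope keeps the controller addresses off the user networks.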

gping2005 Sat, 04/21/2012 - 19:27

Not clear.

Say on the department switch, I connect APs and set up an AP VLAN, configure ip helper to the department DHCP server with an AP address pool, with option 43 pointing to the HQ WLC addresses?

I understand the staging now: I used to have the WLC management interface the same as the first AP. Then I separated management from the APs; the first AP had no problem finding the WLC but the new APs could not find it. After I put the AP VLAN back to mgmt, I noticed new APs will download something from the WLC, then join the WLC. Is this what you meant by "staging"?

I believe on the WLC we can configure certain WLANs to broadcast only on a particular group of APs, not on all APs. Is that correct?

Thanks.


GPING

Scott Fella Sat, 04/21/2012 - 19:32

That's what I mean by staging :) It's easier to put them on the same VLAN just to make sure you don't have a DOA before you mount an AP.


AP groups will allow you to specify what SSID will be broadcasted on what ap.


Thanks,


Scott Fella


Sent from my iPhone

gping2005 Sat, 04/21/2012 - 19:45

Hi, Scott,

What sort of book would be best to prepare for / go through these WLC settings? A Cisco course / wireless certification?

Scott Fella Sat, 04/21/2012 - 19:51

Wow that's tough. I would say some sort of hands on would be good. There are docs on Cisco site also with good initial setups etc. But hands on courses are good if you don't have anyone there to instruct you.


Thanks,


Scott Fella


Sent from my iPhone

gping2005 Sun, 04/22/2012 - 21:51

Hi, Scott,

I just used web auth and an access list; it works great.

Just asking: is there any way to create batches of local net guest users on the WLC... random passwords, printed out and handed over to the guests / visitors, even by reception?


Thanks.

GPING

Scott Fella Mon, 04/23/2012 - 03:25

Not from the WLC. I think if you had WCS/NCS you can batch users and print or email the credentials.


Thanks,


Scott Fella


Sent from my iPhone
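
One way to produce the batch gping asks about without WCS/NCS, as an added example that is not from the thread or from Cisco: generate the guest accounts offline with the OS CSPRNG, emit one AireOS `config netuser add ... userType guest lifetime ...` line per user to paste into the WLC CLI (the CLI adds local net users one at a time; the GUI has no batch import), and print a handout slip per visitor for reception. The 24-character username/password limit and the 60-second to 30-day lifetime range are assumptions taken from the AireOS command reference and should be checked against your release; the prefix, WLAN ID, description and SSID are constructed sample values.

```python
import secrets
import string

# Assumed AireOS limits (check your release's command reference): local net
# user names and passwords up to 24 characters, guest lifetime in seconds
# between 60 and 2592000 (30 days). Both are assumptions for this example.
MAX_FIELD_LEN = 24
MIN_LIFETIME = 60
MAX_LIFETIME = 30 * 24 * 3600

UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
AMBIGUOUS = set("0O1lI")  # easy to misread on a printed handout
ALPHABET = "".join(c for c in UPPER + LOWER + DIGITS if c not in AMBIGUOUS)


def password_meets_policy(pw):
    """Minimum complexity for the handout: 8+ chars with upper, lower and digit."""
    return (len(pw) >= 8
            and any(c in UPPER for c in pw)
            and any(c in LOWER for c in pw)
            and any(c in DIGITS for c in pw))


def generate_password(length=12):
    """Draw from the OS CSPRNG until the policy is met (a few tries at most)."""
    if not 8 <= length <= MAX_FIELD_LEN:
        raise ValueError(f"password length must be 8..{MAX_FIELD_LEN}")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if password_meets_policy(pw):
            return pw


def make_guest_batch(prefix, count, wlan_id, lifetime_seconds, description):
    """Build `count` guest accounts for one WLAN ID, all expiring after `lifetime_seconds`."""
    if not MIN_LIFETIME <= lifetime_seconds <= MAX_LIFETIME:
        raise ValueError(f"lifetime must be {MIN_LIFETIME}..{MAX_LIFETIME} seconds")
    if " " in description:
        raise ValueError("description must be a single CLI token")
    users = []
    for n in range(1, count + 1):
        # Random suffix so a guest cannot derive neighbouring usernames from
        # the sequence number on their own handout.
        name = f"{prefix}{n:03d}{secrets.token_hex(2)}"
        if len(name) > MAX_FIELD_LEN:
            raise ValueError(f"username {name!r} exceeds {MAX_FIELD_LEN} characters")
        users.append({"username": name, "password": generate_password(),
                      "wlan_id": wlan_id, "lifetime": lifetime_seconds,
                      "description": description})
    return users


def to_wlc_cli(users):
    """One `config netuser add` line per guest, ready to paste into the WLC CLI."""
    return [f"config netuser add {u['username']} {u['password']} wlan {u['wlan_id']} "
            f"userType guest lifetime {u['lifetime']} description {u['description']}"
            for u in users]


def to_handout(user, ssid):
    """Plain-text slip for reception to print and hand to the visitor."""
    hours = user["lifetime"] // 3600
    return (f"Wi-Fi network: {ssid}\n"
            f"Username: {user['username']}\n"
            f"Password: {user['password']}\n"
            f"Account expires {hours} hours after it was created")


if __name__ == "__main__":
    # Sample values (constructed): guest WLAN ID 2, one-day accounts.
    batch = make_guest_batch("vis", 5, 2, 24 * 3600, "reception-batch")
    print("\n".join(to_wlc_cli(batch)))
    print()
    print(to_handout(batch[0], "Guest"))
```

The lifetime is set at creation, so a guest account expires on the WLC whether or not the visitor ever logs in; generate the batch the morning it is needed rather than weeks ahead, and treat the printed CLI lines as credentials (they contain the cleartext passwords).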
