Cisco Support Community
Community Member

Some questions for WLC guest network, and AP directly connection

I am using Cisco wireless controller 2500, and few APs (3501)

I used VLAN to pipe APs across the switches into WLC and setup Windows 2008 NPS with AD server certificate (issued by AD CA) installed.

1. With office notebook PC on AD domain, I setup WLANs in layer2 [WPA2][802.1x] to authenticate computer account to NPS server as well as verify the AD server certificate.

Can someone comment is this setting GOOD enough - user authentication and data encryption?

2. When I setup guest WLAN, I use [WPA2][802.1x] to authenticate "guest user" accounts (info passed to guest with 1 day expiration) to NPS, but the problem is the guest laptop windows did not trust my AD server certificate. I am thinking to install on the NPS a server certificate purchased from public CA.

Can someone comment is this secure? As I thought everyone around the office area could use their laptop to guess the user/pswd and try to connect the Guest SSID.

3. I also checked the forum that using Layer3 security only "Web authentication" against the NPS guest account, but there seems even no encryption, and what about the authentication - plain text?

4. I want to connect some APs directly to the WLC port 3 or port 4 which are POE, but how to config on WLC so all WLANs or virtual interfaces can be broadcast in all APs?

Please help. Thanks,

GPING

11 REPLIES
Hall of Fame Super Silver

Re: Some questions for WLC guest network, and AP directly connec

GPING,

#1 is fine and it is secure. Using wpa2-aes and 802.1x is good for your internal network.

#2 & #3 guest access, I will always use no layer 2 encryption but will use a WebAuth page for guest username and password. I will not put guest username in AD nor use radius to authenticate these guest users. I will enter all guest IDs in the wlc.

#4 you can search the forum on this one. As you can put APs on port 3 & 4, it's not supported by TAC and you are limited on what you can do. If you do use the ports, the APs will be placed on the same vlan as the management interface. You might as well just use a switch if you ask me... The wlc isn't a switch.

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***
Community Member

Re: Some questions for WLC guest network, and AP directly connec

Thanks Scott, now I can get the WLANs for internal users settle down.

With guest access, I plan to provide to contractors / trainees / even visitors / office apps testers.

I haven't put time on WLC user creation yet, but how to control like 100+ guest accounts / password complexity / expiration / renewal / auto-disconnect after expire / and also authentication method data encryption etc.

With #4 (connecting AP directly to WLC) I would drop the idea as you suggested.

However I do have some departments in other subnets (via router), is there any way to install APs there then route back to WLC for central configuration. If possible I can make new subnets for their dept wireless users, while majority wireless users in HQ are assigned with the IPs in the same subnet as their wired PCs (sharing the same DHCP pools), as the business required, is it wise?

Thanks. GPING

Hall of Fame Super Silver

Re: Some questions for WLC guest network, and AP directly connec

Well when you talk about guest users, these users should be true guest users. Non company employees that need access to Internet only. Don't try to mix things together, like users that are in AD or need to access corporate devices or apps. Using multiple vlans, you can acl what is allowed and what isn't. As far as APs on different subnet, as long as there is routing from the subnet the ap is on and the wlc, you should have no problems. Stage the ap first.... Once the ap has joined the wlc, then move it to the other subnet. Break down what users require what access and that will determine how many subnets you need and possible SSIDs.

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***
Community Member

Some questions for WLC guest network, and AP directly connection

Stage the ap first.... Once the ap has joined the wlc,

- are you meaning "manually setup static (rather than dhcp) IP address on AP, and tell AP where is WLC" via console?

I will try the AP configuration via console, then http once ip is setup.

Thanks.

GPing

Hall of Fame Super Silver

Re: Some questions for WLC guest network, and AP directly connec

No... Stage it meaning, first let the ap join the wlc before you move it to a different subnet. Putting an ap on the same subnet as the wlc is the easiest way. There is also option 43 in dhcp and DNS to help find the wlc.

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***
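The DHCP option 43 method Scott mentions works because Cisco lightweight APs look for a vendor-specific TLV (sub-option type 0xf1, a length byte, then one or more controller IPv4 addresses) in the DHCP offer. The following encoder/decoder is an added example, not code from this thread or from Cisco; the `ios_dhcp_pool` helper renders an IOS-style DHCP pool, and the vendor class string `"Cisco AP c3500"` for the 3500-series APs and the pool addresses are assumptions to verify against your own DHCP server and AP model documentation. The decoder also rejects a TLV whose length byte does not match the payload, which is the usual cause of APs ignoring a hand-typed option.

```python
import ipaddress
from typing import Iterable, List

# Sub-option type Cisco lightweight APs look for inside DHCP option 43
# (vendor-specific information) to learn the controller addresses.
CISCO_WLC_SUBOPTION = 0xF1


def encode_option43(controllers: Iterable[str]) -> str:
    """Return the option 43 value as a flat hex string: type, length, IPv4 addresses."""
    addrs = [ipaddress.IPv4Address(c) for c in controllers]
    if not addrs:
        raise ValueError("at least one controller address is required")
    length = 4 * len(addrs)
    if length > 255:
        raise ValueError("too many controller addresses for a single TLV")
    payload = b"".join(a.packed for a in addrs)
    return f"{CISCO_WLC_SUBOPTION:02x}{length:02x}{payload.hex()}"


def decode_option43(hexstr: str) -> List[str]:
    """Parse a Cisco WLC discovery TLV (flat or IOS dotted hex) back into addresses."""
    raw = bytes.fromhex(hexstr.replace(".", ""))
    if len(raw) < 2 or raw[0] != CISCO_WLC_SUBOPTION:
        raise ValueError("not a Cisco WLC discovery TLV (expected type 0xf1)")
    length = raw[1]
    if length % 4 != 0 or len(raw) != 2 + length:
        raise ValueError("length byte does not match the payload")
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(2, 2 + length, 4)]


def dotted(hexstr: str) -> str:
    """Group hex into 4-character blocks, the form IOS accepts in 'option 43 hex'."""
    return ".".join(hexstr[i:i + 4] for i in range(0, len(hexstr), 4))


def ios_dhcp_pool(name: str, network: str, mask: str, router: str,
                  controllers: Iterable[str], vendor_class: str = "Cisco AP c3500") -> str:
    """Render an IOS DHCP pool for the AP VLAN (vendor class string is an assumption)."""
    lines = [
        f"ip dhcp pool {name}",
        f" network {network} {mask}",
        f" default-router {router}",
        f' option 60 ascii "{vendor_class}"',
        f" option 43 hex {dotted(encode_option43(controllers))}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: two controllers on the HQ management VLAN.
    wlcs = ["192.168.10.5", "192.168.10.20"]
    print(ios_dhcp_pool("AP-VLAN", "10.20.30.0", "255.255.255.0", "10.20.30.1", wlcs))
    print(decode_option43(encode_option43(wlcs)))
```

Put the resulting `option 43` line in the scope that serves the remote AP VLAN only; handing the controller list to every client scope discloses the management addresses to anything that asks for a lease.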
Community Member

Some questions for WLC guest network, and AP directly connection

Not clear.

Say on the department switch, connect APs and set up an AP VLAN, configure ip helper to the department DHCP server with an AP address pool, with option 43 pointing to HQ WLC addresses?

I understand the staging now: I used to have WLC management interface the same as the first AP. Then I separated management from APs, the first AP had no problem to find WLC but the new APs could not find it. After I put the AP VLAN back to mgmt, I noticed new APs will download something from WLC, then join WLC. Is it what you meant by "staging"?

I believe on WLC we can configure certain wlans broadcast only on a particular group of APs, not on all APs, is it correct?

Thanks.

GPING

Hall of Fame Super Silver

Re: Some questions for WLC guest network, and AP directly connec

That's what I mean by staging:) it's easier to put them on the same vlan just to make sure you don't have a DOA before you mount an AP.

AP groups will allow you to specify what SSID will be broadcasted on what ap.

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***
Community Member

Some questions for WLC guest network, and AP directly connection

Hi, Scott,

what sort of book would be better to prepare / go through these WLC settings? cisco course / wireless certification?

Hall of Fame Super Silver

Re: Some questions for WLC guest network, and AP directly connec

Wow that's tough. I would say some sort of hands on would be good. There are docs on Cisco site also with good initial setups etc. But hands on courses are good if you don't have anyone there to instruct you.

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***
Community Member

Re: Some questions for WLC guest network, and AP directly connec

Hi, Scott,

I just used web auth and access list, work great.

just ask is there any way to create on WLC batch local network guest users... random password, print out and hand over to the guest / visitors by even reception..?

Thanks.

GPING

Hall of Fame Super Silver

Re: Some questions for WLC guest network, and AP directly connec

Not from the wlc. I think if you had WCS/NCS you can batch users and print or email the credentials.

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***
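Since the controller itself has no batch feature, the usual workaround for the request above (100+ one-day guest accounts with random passwords, handed out by reception) is a small script that generates the credentials and the controller commands to load them. The following is an added example, not code from this thread or from Cisco: passwords come from the OS CSPRNG via `secrets`, ambiguous characters are excluded so printed slips can be read back, and every account carries an expiry. The `config netuser add ... userType guest lifetime ...` command syntax it emits is an assumption to check against your controller's command reference before use; the username prefix, WLAN id and lifetime are constructed sample values.

```python
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Characters a visitor can read back from a printout without confusing 0/O or 1/l/I.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits if c not in "0O1lI")


@dataclass(frozen=True)
class GuestAccount:
    username: str
    password: str
    lifetime_seconds: int
    expires_at: datetime
    description: str


def make_password(length: int = 12) -> str:
    """Random password from the CSPRNG, re-drawn until it mixes cases and digits."""
    if length < 8:
        raise ValueError("guest passwords shorter than 8 characters are too easy to guess")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)):
            return pw


def make_guest_batch(count: int, prefix: str = "guest",
                     lifetime: timedelta = timedelta(days=1),
                     description: str = "visitor",
                     now: Optional[datetime] = None) -> List[GuestAccount]:
    """Create `count` one-off accounts; a random batch tag keeps names unique across days."""
    if count < 1:
        raise ValueError("count must be positive")
    now = now or datetime.now(timezone.utc)
    seconds = int(lifetime.total_seconds())
    batch_tag = secrets.token_hex(2)  # four hex chars, differs per batch
    return [
        GuestAccount(f"{prefix}-{batch_tag}-{i:03d}", make_password(),
                     seconds, now + lifetime, description)
        for i in range(1, count + 1)
    ]


def render_wlc_cli(accounts: List[GuestAccount], wlan_id: int) -> List[str]:
    """One 'config netuser add' line per account (assumed WLC syntax; verify on your controller)."""
    return [
        f"config netuser add {a.username} {a.password} wlan {wlan_id} "
        f'userType guest lifetime {a.lifetime_seconds} description "{a.description}"'
        for a in accounts
    ]


def render_handout(account: GuestAccount) -> str:
    """Slip for reception to hand out; it carries only this one account's credentials."""
    return (f"Wi-Fi guest access\n"
            f"Username: {account.username}\n"
            f"Password: {account.password}\n"
            f"Valid until: {account.expires_at:%Y-%m-%d %H:%M %Z}\n")


if __name__ == "__main__":
    # Constructed sample run: five visitor accounts on WLAN id 2, valid one day.
    batch = make_guest_batch(5, lifetime=timedelta(days=1))
    for line in render_wlc_cli(batch, wlan_id=2):
        print(line)
    print(render_handout(batch[0]))
```

Keep the generated command file out of shared drives and delete it once the accounts are loaded: it is a list of live credentials, and the per-visitor slip is the only copy that should leave the IT office.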
697 Views / 0 Helpful / 11 Replies