We have a small wireless network with four IOS-based 1220B. We are planning to upgrade them all to G modules, convert to Lightweight APs, and manage them with a small WLC like the 2106.
Currently we have a corporate VLAN and a guest VLAN on these APs, using 802.1x MS PEAP for authentication to our Active Directory via a MS RADIUS server.
I have done some reading and talking to sales reps but am still not completely sure if the upgrade will meet the following needs:
1. automatic RF channel and power mgmt without having to buy additional Cisco components like WCS. One of the APs is in a different building.
2. basic RF monitoring and diagnostics
3. basic location identification of clients and APs.
4. easy client setup for guest authentication (via web) and easier client setup than MS PEAP for corporate user authentication, on the same controller.
5. the 2106 and some of the higher-end controllers only have 100Mbps uplink. With 20-30 wireless-G users in a training room they could overwhelm a single WLC setup. The fat-client setup doesn't have a bottleneck like this.
I understand if you throw money at it, you can add more controllers and spread the users out. But that kind of defeats the benefit of having a centralized controller to manage everything, unless you pay big bucks for WCS.
Can someone pardon my ignorance and shed some light on these issues?
Disclaimer - not a sales guy, nor a Cisco employee. Feedback based on what we've recently implemented.
1. Yes - the WLC will provide Auto RF and Dynamic Channel assignment w/out having to purchase a WCS. The WCS just consolidates the management of multiple WLCs (and a few other things). Personally, while we have the WCS, I'd be just as happy to manage our 5 WLCs individually for certain configuration items. The WCS's interface has some variances from the individual WLC interfaces and other oddball things to note (see posts w/in the Wireless Security and Management section).
2. Basic RF monitoring and diagnostics are provided w/in the WLC.
3. No useful location information is provided w/out the Location Appliance which could hook into WCS. You'll know which AP a client is associated to or has roamed to/from. But little is available beyond that.
4. Lobby Ambassador is available both at the WLC level and at the WCS. We are using the WCS for managing our Guest wireless network. We haven't had too many issues getting it working. We're running WCS version 188.8.131.52. There are some specific things to be aware of when it comes to how you authenticate and audit the folks that are allowed to create Guest accounts. (see posts w/in the Wireless Security and Management section).
5. Can't speak to the 2106, don't have one.
Personally, I wouldn't worry about getting WCS until you have more WLCs than you care to configure individually or if you are serious about getting a Location appliance and tracking things such as RFID tags. YMMV as far as how many WLCs you are willing to log into for policy/configuration changes.
Wow, this is the fastest reply I ever got in this forum! You are awesome, Chris!
That answered a lot of my concerns.
Did you ever have a problem with a WLC uplink bottleneck due to the number of high-speed wireless users?
I guess with five WLCs, you probably have 1Gb interfaces in them.
I only have two concerns now. The biggest one is still the potential 100mb WLC uplink bottleneck in my poor-man's wireless setup.
My next concern is making secure corporate client configuration easier. With MS PEAP over 802.1x, each time a user gets a wireless laptop purchased or rebuilt, I have to enable RADIUS Dial-in permission in both the user and machine accounts, make sure they are both in a wireless security group, then I have to configure the laptop's wireless setup for 802.1x. I had numerous problems with non-MS wireless driver/utilities on all kinds of guest laptops not wanting to work and had to disable them and enable MS zero wireless setup to make them work with our highly secure setup :((
Do you have any better authentication setup you could kindly share with me?
BTW, is the Lobby guest established connection encrypted between the client and AP? (My impression is NOT, unless the user uses HTTPS.)