Cisco 5508 WLC Configuration LAB


WPA2, Guest Access, FlexConnect (aka H-REAP)

This post starts with setting up a lab to configure and test the WLC. The WLC will be set up with two SSIDs on a local and a remote site. The SSIDs will support WPA2 and guest access with web authentication. The remote site will also support FlexConnect for one SSID, which means traffic for that SSID will not be transported back to the controller but will be switched locally.

In the previous post (http://www.xerunetworks.com/2012/05/cisco-5508-wlc-setup-and-initial-configuration/) we configured the WLC with an IP address and upgraded its software. We will be using the same WLC in this lab.

Key Concepts

Configure the management VLAN as the native VLAN on the trunk to the WLC, as the CAPWAP tunnel needs these frames to arrive untagged.

APs configured in local mode (no FlexConnect; all traffic goes to the WLC and is centrally switched) use access ports configured with the management VLAN.

APs configured in FlexConnect mode must use a trunk port, with the management VLAN as the native VLAN. A trunk is needed because the AP will be switching traffic locally on multiple VLANs.

For FlexConnect to work, the WLAN must support FlexConnect and the AP must be in FlexConnect mode.

Traffic in WLANs on APs in FlexConnect mode can be either centrally switched (tunnelled back to the WLC) or locally switched, so you can mix and match WLANs, with one centrally switched and another locally switched.

In FlexConnect mode, the authentication traffic can be sent back to the WLC in the tunnel (control plane) or authentication can be performed locally. Data traffic can always be locally switched.

Configuration Steps

1. Configure AAA
2. Configure WLC Interfaces
3. Configure WLANs
4. Configure AP Groups
5. Configure FlexConnect Groups
6. Map VLANs

LAB Setup

Routing

1. The site router is the default gateway for all VLANs.
2. Each VLAN interface is configured with an IP helper address to forward DHCP queries to the DHCP server.
3. EIGRP is running between both site routers and the Internet router, and all networks are included in the EIGRP advertisements.
4. A static route pointing to the Internet router is configured on the HQ router and is redistributed via EIGRP to the remote site.
5. Inter-VLAN routing is configured on both site routers.

Switch ports & VLANs

1. The management VLAN 3 is set as the native VLAN on the trunks both to the WLC and to the APs on the remote site.
2. The HQ AP is connected to an access port, as all user traffic will be tunnelled back to the WLC using the CAPWAP tunnel.
3. On the remote site the APs are connected to trunk ports, because the remote APs will switch the traffic locally and send it to the default gateway for routing for all WLANs except Guest. The guest traffic will be sent back over the WAN to the WLC using the CAPWAP tunnel.

Layer 3 Topology (diagram not reproduced here)

Layer 2 Topology (diagram not reproduced here)
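The switch-side port configuration that the Switch ports & VLANs section above describes, written out as an added example (this is not configuration from the original post). Interface numbers, the HQ data VLAN 10, the guest VLAN 20 and all IP addresses are placeholders; the post only fixes VLAN 3 (management) and VLAN 18 (remote data).

```cisco
! HQ switch: trunk to the WLC. VLAN 3 is native so CAPWAP arrives untagged.
! Only the VLANs the WLC actually serves are allowed on the trunk.
! VLAN 10 (HQ data) and VLAN 20 (guest) are placeholder ids.
interface GigabitEthernet1/0/1
 description WLC-5508 port 1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 3
 switchport trunk allowed vlan 3,10,20
 switchport mode trunk
 switchport nonegotiate
!
! HQ switch: local-mode AP. Access port in the management VLAN; all client
! traffic is CAPWAP-tunnelled to the WLC, so no user VLANs are needed here.
interface GigabitEthernet1/0/2
 description HQ-AP1 (local mode)
 switchport mode access
 switchport access vlan 3
 spanning-tree portfast
!
! Remote switch: FlexConnect AP. Trunk with VLAN 3 native (CAPWAP control
! plus the centrally switched Guest WLAN) and VLAN 18 for the locally
! switched Data WLAN. Guest needs no local VLAN because it rides the tunnel.
interface GigabitEthernet1/0/1
 description RemoteAP1 (FlexConnect)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 3
 switchport trunk allowed vlan 3,18
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
!
! Remote site router: VLAN 18 gateway with the IP helper the Routing section
! describes, so DHCP from locally switched clients reaches the DHCP server.
! Addresses are placeholders.
interface Vlan18
 description Remote Data (locally switched)
 ip address 10.18.0.1 255.255.255.0
 ip helper-address 10.0.0.5
```

Pruning the allowed VLAN list on each trunk keeps the AP and WLC ports from carrying VLANs they have no business in, which limits what a compromised or rogue device on that port could reach.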

WLC Configuration

AAA Configuration

1. Under the Security tab you can enter the AAA configuration for RADIUS and TACACS+. We will be using TACACS+; the configuration is quite simple and is shown below. The authentication configuration will be used to authenticate clients and management users. Authorization will be used for management users, to make sure that they only have access to the relevant items, i.e. they are limited in what they can change.

The full ACS configuration is not shown here, only the relevant bits. You will have to configure external databases, AD group mapping, etc.

Authentication

2. For authorization to work, you will also configure the ACS server to support the same.

Interface Configuration

Interface Configuration > New Services

Group Configuration

Group Setup > Edit Group > ciscowlcommon

Group Setup > Edit Group > ciscowlcommon > Custom Attributes

AD group mapping is configured on the ACS so that whoever is in the management group will have full access. In the same way you can create multiple mappings for operators, etc.

Guide for ACS 4.2: http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080851f7c.shtml

Guide for configuring ACS 5: https://supportforums.cisco.com/docs/DOC-14908

WLC Interface Configuration

Configure interfaces using Controller tab > Interfaces.

An individual interface is required for the Guest WLAN, which is used for both HQ and the remote site and is centrally switched everywhere. We will also need an interface for the DATA WLAN at HQ, which is centrally switched; on the remote site the Data WLAN is locally switched.

Management Interface

This interface is used for AP management, and all CAPWAP traffic from the APs lands on this interface. You have already configured it to upgrade the WLC software and to connect to the GUI, but here is how it should look as per our topology.

HQ Data Interface

This interface will be used to switch traffic for the DATA WLAN. DHCP broadcasts also leave this interface and are forwarded by the router (IP helper address configured on the VLAN) to the relevant DHCP server.

Guest Interface

This interface will be used for all guest traffic. This VLAN should be secured using ACLs that determine what traffic can enter or leave it.

Here is the DHCP request flow for a locally switched and a centrally switched WLAN (diagram not reproduced here).

WLANs Configuration

The WLAN configuration for HQ and the remote site is detailed below.

Guest

The Guest WLAN will use web authentication and will be centrally authenticated and centrally switched. Go to the WLANs tab and select Create New. Give the profile name, SSID name and ID.

General Tab: Status=Enabled, Radio Policy=802.11b/g Only, Interface=management, Broadcast SSID=Enabled

Security TAB: Layer 2: Layer 2 Security = None

Security TAB: Layer 3: Web Policy=Enabled, Authentication=Enabled

Security TAB: AAA Servers: Order Used for Authentication = LOCAL

Advanced TAB: Enable Session Timeout=1800 (consider changing this, otherwise the session will expire too soon; set it to 43200), DHCP Addr. Assignment=Required, Client Exclusion=Disabled (optional)

Data (HQ)

The DATA WLAN for HQ will use central switching and central authentication. Create a new WLAN, enter the Profile Name as LocalData, SSID as Data and ID as 2.

General Tab: Status=Enabled, Radio Policy=802.11b/g Only, Interface=management, Broadcast SSID=Enabled

Security TAB: Layer 2: Layer 2 Security =WPA+WPA2, WPA2 Encryption=AES, Auth Key Mgmt=802.1x+CCKM

Security TAB: Layer 3: Layer 3 Security=None

Security TAB: AAA Servers: Radius Server Override Interface=Enabled, Authentication Server=Enabled, Accounting Server=Enabled, Authentication=Radius & Local

Advanced TAB: Enable Session Timeout=1800 (consider changing this, otherwise the session will expire too soon; set it to 43200), DHCP Addr. Assignment=Required, Client Exclusion=Disabled (optional)

Data (Remote)

The DATA WLAN for the remote site will use central authentication, while its data traffic is switched locally on the remote APs (FlexConnect Local Switching is enabled under the Advanced tab). Create a new WLAN, enter the Profile Name as RemoteData, SSID as Data and ID as 3.

General Tab: Status=Enabled, Radio Policy=802.11b/g Only, Interface=management, Broadcast SSID=Enabled

Security TAB: Layer 2: Layer 2 Security =WPA+WPA2, WPA2 Encryption=AES, Auth Key Mgmt=802.1x+CCKM

Security TAB: Layer 3: Layer 3 Security=None

Security TAB: AAA Servers: Radius Server Override Interface=Enabled, Authentication Server=Enabled, Accounting Server=Enabled, Authentication=Radius & Local

Advanced TAB: Enable Session Timeout=1800 (consider changing this, otherwise the session will expire too soon; set it to 43200), DHCP Addr. Assignment=Required, Client Exclusion=Disabled (optional), FlexConnect Local Switching=Enabled

AP Group Configuration

Now it is time to assign WLANs and APs to AP groups and to add the interface and VLAN mapping. We will be creating two AP groups, one for local APs and one for remote APs.

WLANs TAB > Advanced > AP Group > Add Group

Local

Add a new group named Local (or whatever you like for your HQ site). Then, for the new AP group, do the following:

WLANs TAB > ADD New > WLAN SSID=DATA, Interface=HQData
WLANs TAB > ADD New > WLAN SSID=Guest, Interface=Guest

AP TAB: Check AP Box for Local AP and Click Add AP button

Remote

Add a new group named Remote (or whatever you like for your remote site). Then, for the new AP group, do the following:

WLANs TAB > ADD New > WLAN SSID=DATA, Interface=management
WLANs TAB > ADD New > WLAN SSID=Guest, Interface=Guest

AP TAB: Check AP Box for Remote AP and Click Add AP button

FlexConnect Groups

These are required for roaming on the remote site with APs using FlexConnect.

1. Go to Wireless > FlexConnect Groups and press the New button to create a new group.
2. Enter the group name as HQ and press Apply.
3. The new FlexConnect group HQ will appear; click on the group name and under the General tab add APs to the group.
4. Do the same to create a second FlexConnect group named Remote.

Connecting the AP to the Network

You will use the Cisco Aironet AP-to-LWAPP Upgrade Tool to convert your autonomous AP to lightweight. Use the guide below for this: http://www.cisco.com/en/US/docs/wireless/access_point/conversion/lwapp/upgrade/guide/lwapnote.html

With this tool you will not only assign an IP to the AP but also tell it the controller's address.

Configure APs for FlexConnect

This applies only to the APs on the remote site, as the local site APs will be in local mode and will not be using FlexConnect.

1. Go to Wireless > Access Points > All APs and select RemoteAP1.
2. On the General tab of RemoteAP1 set the AP Mode to FlexConnect and click Apply. This will reset the AP.

3. Once the AP is back online, you will see that a FlexConnect tab is now available alongside the other tabs of the AP configuration window.
4. Click on the FlexConnect tab and enable the check box for VLAN Support; also enter the native VLAN ID, which in our case is VLAN 3. Click Apply and it should reset the AP.
5. Once the AP is back up, click on the VLAN Mapping button under the FlexConnect tab.
6. Because this AP is remote we will be using the remote site VLAN mapping, so for Data we will use VLAN 18. This means that all traffic for the WLAN Data will use VLAN 18 on the remote site.

Now that is you all configured with the remote AP. You may also want to configure high availability on the APs if you have two controllers, which you normally would. The configuration for the local AP is simple enough, as it will work in local mode and all traffic will go back to the controller for switching.

Feedback

Hope you find this post helpful. Leave your comments if you need clarification of any point or want to know more about this. I followed Cisco guides to implement all this but wanted to write a simple way of doing it and also to explain it better to myself and to everyone.

References

http://www.cisco.com/en/US/docs/wireless/controller/7.2/configuration/guide/cg.html
https://supportforums.cisco.com/docs/DOC-24082