
Cisco 5508 WLC Configuration LAB

WPA2, Guest Access, FlexConnect (aka HREAP)


This post starts with setting up a LAB to configure and test a WLC. The WLC will be
set up with two SSIDs, one at the local (HQ) site and one at the remote site. The SSIDs will support WPA2 and
Guest access with web authentication. The remote site will also support
FlexConnect for one SSID, which means traffic for that SSID will not be transported back to the
controller but will be switched locally. In the previous post
(http://www.xerunetworks.com/2012/05/cisco-5508-wlc-setup-and-initialconfiguration/) we configured the WLC with an IP address and upgraded the
software on it. We will be using the same WLC in this LAB.

Key Concepts

Configure the management VLAN as the native VLAN on the trunk to the WLC, as the WLC needs
those frames untagged for the CAPWAP tunnel to work.

APs configured in local mode (no FlexConnect; all traffic goes to the WLC and is centrally
switched) connect to access ports configured in the management VLAN.

APs configured in FlexConnect mode must connect to a trunk port, with the management
VLAN as the native VLAN. A trunk is needed because the AP switches traffic locally on
multiple VLANs.

For FlexConnect to work, the WLAN must have FlexConnect local switching enabled and the
AP must be in FlexConnect mode.

Traffic for WLANs on APs in FlexConnect mode can be either Centrally
Switched (tunnelled back to the WLC) or Locally Switched. So you can have a
mix of WLANs on the same AP, with one Centrally Switched and another Locally Switched.

In FlexConnect mode, authentication traffic can be sent back to the WLC through the
CAPWAP control-plane tunnel, or authentication can be performed locally. Data traffic
can always be locally switched.

Configuration Steps
1. Configure AAA
2. Configure WLC Interfaces
3. Configure WLANs
4. Configure AP Groups
5. Configure FlexConnect Groups
6. Map VLANs

LAB Setup
Routing

1. The site router is the default gateway for all VLANs.
2. Each VLAN interface is configured with an IP helper address to forward DHCP requests to the
DHCP server.
3. EIGRP is running between both site routers and the Internet router, and all networks are included
in the EIGRP advertisements.
4. A static route pointing to the Internet router is configured on the HQ router and is redistributed into
EIGRP for the remote site.
5. Inter-VLAN routing is configured on both site routers.
Switch ports & VLANs

1. The management VLAN 3 is set as the native VLAN on the trunks both to the WLC and to the APs at the
remote site.
2. The HQ AP is connected to an access port, as all user traffic will be tunnelled back to the WLC using
the CAPWAP tunnel.
3. At the remote site the APs are connected to trunk ports. This is because the remote APs will be
switching traffic locally and sending it to the default gateway for routing, for all
WLANs except Guest. Guest traffic will be sent back over the WAN to the WLC using the
CAPWAP tunnel.
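The switch-port rules above are easy to get wrong when a site has a mix of local-mode and FlexConnect APs, and a wrong native VLAN shows up as an AP that never joins the controller. The following added example (my own code, not from the original post) parses constructed Cisco IOS interface stanzas and audits each port against those rules: the WLC and FlexConnect AP ports must be trunks with the management VLAN as native (and the locally switched VLANs allowed), and a local-mode AP port must be an access port in the management VLAN. The interface names, port roles, and the VLAN 18 data VLAN are lab assumptions.

```python
"""Audit switch ports feeding a WLC and its APs against the lab's VLAN rules.

Added example, not part of the original post. The IOS config below is
constructed: the WLC port and RemoteAP1 are correct, the HQ AP is wrongly
trunked, and RemoteAP2 is trunked with the wrong (default) native VLAN.
"""
import re

MGMT_VLAN = 3          # management VLAN from the lab topology
FLEX_DATA_VLANS = (18,)  # VLANs a FlexConnect AP switches locally (assumed)

SAMPLE_CONFIG = """
interface GigabitEthernet1/0/1
 description WLC-1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 3
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 description HQ-AP (local mode)
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/3
 description RemoteAP1 (FlexConnect)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 3
 switchport trunk allowed vlan 3,18
 switchport mode trunk
!
interface GigabitEthernet1/0/4
 description RemoteAP2 (FlexConnect)
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
"""

# What hangs off each port: "wlc", "local-ap" or "flex-ap" (constructed).
PORT_ROLES = {
    "GigabitEthernet1/0/1": "wlc",
    "GigabitEthernet1/0/2": "local-ap",
    "GigabitEthernet1/0/3": "flex-ap",
    "GigabitEthernet1/0/4": "flex-ap",
}


def _vlan_set(spec):
    """Expand an IOS VLAN list such as '3,18' or '10-12,20' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_interfaces(config):
    """Return {name: {mode, native, access, allowed}} for each interface stanza.

    Defaults are simplified: mode access, native/access VLAN 1, all VLANs
    allowed. Only the plain 'switchport trunk allowed vlan <list>' form is
    handled (not the add/remove/except variants).
    """
    interfaces, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"^interface (\S+)", raw)
        if m:
            current = {"mode": "access", "native": 1, "access": 1, "allowed": None}
            interfaces[m.group(1)] = current
            continue
        if current is None:
            continue
        line = raw.strip()
        if line.startswith("switchport mode "):
            current["mode"] = line.split()[-1]
        elif line.startswith("switchport trunk native vlan "):
            current["native"] = int(line.split()[-1])
        elif line.startswith("switchport access vlan "):
            current["access"] = int(line.split()[-1])
        elif line.startswith("switchport trunk allowed vlan ") and len(line.split()) == 5:
            current["allowed"] = _vlan_set(line.split()[-1])
    return interfaces


def audit(interfaces, roles, mgmt_vlan=MGMT_VLAN, flex_vlans=FLEX_DATA_VLANS):
    """Return a list of (port, problem) tuples; an empty list means all ports comply."""
    problems = []
    for port, role in roles.items():
        cfg = interfaces.get(port)
        if cfg is None:
            problems.append((port, "no configuration found"))
        elif role in ("wlc", "flex-ap"):
            if cfg["mode"] != "trunk":
                problems.append((port, f"{role} must be on a trunk port"))
            elif cfg["native"] != mgmt_vlan:
                problems.append((port, f"native VLAN {cfg['native']} != management VLAN {mgmt_vlan}"))
            elif role == "flex-ap" and cfg["allowed"] is not None:
                missing = set(flex_vlans) - cfg["allowed"]
                if missing:
                    problems.append((port, f"locally switched VLANs not allowed on trunk: {sorted(missing)}"))
        elif role == "local-ap":
            if cfg["mode"] != "access" or cfg["access"] != mgmt_vlan:
                problems.append((port, f"local-mode AP must be on an access port in VLAN {mgmt_vlan}"))
    return problems


if __name__ == "__main__":
    for port, problem in audit(parse_interfaces(SAMPLE_CONFIG), PORT_ROLES):
        print(f"{port}: {problem}")
```

Running it against the constructed config flags the HQ AP port (trunked instead of access) and RemoteAP2 (native VLAN left at 1), which are exactly the two mistakes that leave an AP unable to reach the controller over CAPWAP.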

Layer 3 Topology


Layer 2 Topology


WLC Configuration
AAA Configuration

1. Under the Security tab you can enter the AAA configuration for RADIUS and TACACS+. We will be
using TACACS+; the configuration is quite simple and is shown below. The authentication
configuration will be used to authenticate both clients and management users. Authorization will be
used for management users, to make sure they only have access to the
relevant items and are limited in what they can change.
I am not showing the full ACS configuration here, only the relevant bits. You will also have to
configure External Databases, AD Group Mapping, etc.
Authentication

2. For authorization to work, you will also have to configure the ACS server to support it.
Interface Configuration
Interface Configuration>New Services

Group Configuration
Group Setup>Edit Group>ciscowl common

Group Setup>Edit Group>ciscowlcommon>Customer Attributes

AD Group mapping is configured on the ACS, so whoever is in the management group will have
full access. In the same way you can create multiple mappings, for operators etc.
Guide for ACS 4.2:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080851f7c.shtml
Here is a guide on how to configure ACS 5:
https://supportforums.cisco.com/docs/DOC-14908
WLC Interface Configuration

Configure interfaces using Controller Tab>Interfaces

A dedicated interface is required for the Guest WLAN, which is used at both HQ
and the remote site and is centrally switched everywhere. We will also need an interface
for the Data WLAN, which is centrally switched only at HQ; the remote site's Data WLAN
is locally switched.

Management Interface
This interface is used for AP management, and all CAPWAP traffic from the APs lands on this
interface. You already configured it to upgrade the WLC software and to connect
to the GUI, but here is how it should look as per our topology.

HQ Data Interface
This interface is used to switch traffic for the Data WLAN. DHCP broadcasts from clients
also leave through this interface and are forwarded by the router (IP helper address configured on
the VLAN interface) to the relevant DHCP server.

Guest Interface
This interface is used for all guest traffic. This VLAN should be secured with ACLs
that determine what traffic can enter or leave it.

Here is the DHCP request flow for a locally switched and a centrally switched WLAN.

WLANs Configuration

The WLAN configuration for the HQ and remote sites is detailed below.

Guest
The Guest WLAN will use web authentication and will be centrally authenticated and centrally
switched. Go to the WLANs tab and select Create New. Enter the profile name, SSID name and ID.
General Tab: Status=Enabled, Radio Policy=802.11b/g Only, Interface=management, Broadcast
SSID=Enabled

Security TAB: Layer 2: Layer 2 Security = None

Security TAB: Layer 3: Web Policy=Enabled, Authentication=Enabled

Security TAB: AAA Servers: Order Used for Authentication = LOCAL

Advanced TAB: Enable Session Timeout=1800 (consider changing this, otherwise the session
will expire too soon; set it to 43200), DHCP Addr. Assignment=Required, Client
Exclusion=Disabled (optional)

Data (HQ)
The Data WLAN for HQ will use central switching and central authentication. Create a new
WLAN, enter the Profile Name as LocalData, the SSID as Data and the ID as 2.
General Tab: Status=Enabled, Radio Policy=802.11b/g Only, Interface=management, Broadcast
SSID=Enabled

Security TAB: Layer 2: Layer 2 Security =WPA+WPA2, WPA2 Encryption=AES, Auth Key
Mgmt=802.1x+CCKM

Security TAB: Layer 3:Layer 3 Security=None


Security TAB: AAA Servers: Radius Server Override Interface=Enabled, Authentication
Server=Enabled, Accounting Server=Enabled, Authentication=Radius & Local

Advanced TAB: Enable Session Timeout=1800 (consider changing this, otherwise the session
will expire too soon; set it to 43200), DHCP Addr. Assignment=Required, Client
Exclusion=Disabled (optional)

Data (Remote)
The Data WLAN for the remote site will use central authentication and FlexConnect local switching. Create a new
WLAN, enter the Profile Name as RemoteData, the SSID as Data and the ID as 3.
General Tab: Status=Enabled, Radio Policy=802.11b/g Only, Interface=management, Broadcast
SSID=Enabled

Security TAB: Layer 2: Layer 2 Security =WPA+WPA2, WPA2 Encryption=AES, Auth Key
Mgmt=802.1x+CCKM

Security TAB: Layer 3:Layer 3 Security=None


Security TAB: AAA Servers: Radius Server Override Interface=Enabled, Authentication
Server=Enabled, Accounting Server=Enabled, Authentication=Radius & Local

Advanced TAB: Enable Session Timeout=1800 (consider changing this, otherwise the session
will expire too soon; set it to 43200), DHCP Addr. Assignment=Required, Client
Exclusion=Disabled (optional), FlexConnect Local Switching=Enabled

AP Group Configuration

Now it's time to assign WLANs and APs to AP Groups and to add the interface and VLAN
mapping. We will be creating two AP Groups, one for local APs and one for remote APs.
WLANs TAB>Advanced>AP Groups>Add Group

Local
Add a new group named Local (or whatever you like for your HQ site).
For the new AP Group, do the following:

WLANs TAB>ADD New>WLAN SSID=DATA, Interface=HQData


WLANs TAB>ADD New>WLAN SSID=Guest, Interface=Guest

AP TAB: Check AP Box for Local AP and Click Add AP button

Remote
Add a new group named Remote (or whatever you like for your remote site).
For the new AP Group, do the following:

WLANs TAB>ADD New>WLAN SSID=DATA, Interface=management


WLANs TAB>ADD New>WLAN SSID=Guest, Interface=Guest

AP TAB: Check AP Box for Remote AP and Click Add AP button

FlexConnect Groups

These are required for roaming between FlexConnect APs at the remote site.
1. Go to Wireless>FlexConnect Groups and press the New button to create a new group.
2. Enter the Group Name as HQ and press Apply.
3. The new FlexConnect Group HQ will appear; click on the group name and under the General tab add APs to
the group.
4. Do the same to create a second FlexConnect Group named Remote.

Connecting AP to the Network

You will use the Cisco Aironet AP-to-LWAPP Upgrade Tool to convert your autonomous AP to
lightweight. Use the guide below for this:

http://www.cisco.com/en/US/docs/wireless/access_point/conversion/lwapp/upgrade/guide/lwapnote.html
Using this tool you will not only assign an IP address to the AP but also tell it the controller's address.

Configure APs for FlexConnect

This applies only to APs at the remote site; the local site APs will stay in local mode and will not be
using FlexConnect.
1. Go to Wireless>Access Points>All APs and select RemoteAP1.
2. On the General tab of RemoteAP1 set the AP Mode to FlexConnect and click Apply. This
will reset the AP.
3. Once the AP is back online, you will see that a FlexConnect tab is now available along
with the other tabs of the AP configuration window.
4. Click on the FlexConnect tab and enable the VLAN Support check box, then enter the
native VLAN ID, which in our case is VLAN 3. Click Apply; this should reset the AP.
5. Once the AP is back up, click the VLAN Mappings button under the FlexConnect tab.
6. Because this is a remote AP we will use the remote site VLAN mapping, so for Data we will use
VLAN 18. This means that all traffic for the WLAN Data will use VLAN 18 at the remote site.

That's the remote AP fully configured. You may also want to configure High
Availability on the APs if you have two controllers, which you normally would. The
configuration for the local AP is simple enough, as it works in local mode and all traffic goes
back to the controller for switching.
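Whether a given WLAN on a given AP ends up locally or centrally switched depends on three separate places in the GUI: the WLAN's FlexConnect Local Switching setting, the AP's mode, and the AP's FlexConnect VLAN mapping. The following added example (my own code, not from the original post) models the lab's WLANs, AP groups and APs as plain Python data and applies the rules from the Key Concepts and the sections above: a WLAN is only locally switched when both the WLAN and the AP are FlexConnect-enabled, a FlexConnect AP needs VLAN support, a native VLAN and a VLAN mapping for every locally switched WLAN, and the 1800 s session timeout should be raised to 43200. The field names, AP names and the misconfigured RemoteAP2 are constructed; they are not WLC API names.

```python
"""Consistency check for WLAN / AP group / FlexConnect AP settings.

Added example, not part of the original post. All data below is a
constructed model of the lab; RemoteAP2 was put into FlexConnect mode but
VLAN support and the VLAN mapping were never configured.
"""

RECOMMENDED_SESSION_TIMEOUT = 43200  # seconds, as recommended in the post

# WLAN profiles as configured in the WLANs section (constructed model).
WLANS = {
    "Guest": {"ssid": "Guest", "l2_security": "None", "web_auth": True,
              "flex_local_switching": False, "session_timeout": 43200},
    "LocalData": {"ssid": "Data", "l2_security": "WPA+WPA2", "akm": "802.1x+CCKM",
                  "web_auth": False, "flex_local_switching": False,
                  "session_timeout": 1800},   # default left in place
    "RemoteData": {"ssid": "Data", "l2_security": "WPA+WPA2", "akm": "802.1x+CCKM",
                   "web_auth": False, "flex_local_switching": True,
                   "session_timeout": 43200},
}

# AP group -> {WLAN profile: WLC interface it is mapped to}.
AP_GROUPS = {
    "Local": {"LocalData": "HQData", "Guest": "Guest"},
    "Remote": {"RemoteData": "management", "Guest": "Guest"},
}

# APs with their mode, AP group and FlexConnect settings (constructed).
APS = [
    {"name": "HQ-AP1", "mode": "local", "group": "Local"},
    {"name": "RemoteAP1", "mode": "flexconnect", "group": "Remote",
     "vlan_support": True, "native_vlan": 3, "vlan_map": {"RemoteData": 18}},
    {"name": "RemoteAP2", "mode": "flexconnect", "group": "Remote",
     "vlan_support": False, "native_vlan": None, "vlan_map": {}},
]


def switching_mode(wlan, ap):
    """'local' only when the WLAN allows local switching AND the AP is in FlexConnect mode."""
    if wlan["flex_local_switching"] and ap["mode"] == "flexconnect":
        return "local"
    return "central"


def switching_table(wlans=WLANS, groups=AP_GROUPS, aps=APS):
    """Map (AP name, WLAN profile) -> 'local' | 'central' for every WLAN each AP serves."""
    table = {}
    for ap in aps:
        for profile in groups[ap["group"]]:
            table[(ap["name"], profile)] = switching_mode(wlans[profile], ap)
    return table


def audit(wlans=WLANS, groups=AP_GROUPS, aps=APS):
    """Return a list of (object name, finding) tuples; an empty list means consistent."""
    findings = []
    for name, wlan in wlans.items():
        if wlan["session_timeout"] < RECOMMENDED_SESSION_TIMEOUT:
            findings.append((name, f"session timeout {wlan['session_timeout']}s is short; "
                                   f"post recommends {RECOMMENDED_SESSION_TIMEOUT}s"))
        if wlan["l2_security"] == "None" and not wlan["web_auth"]:
            findings.append((name, "open WLAN with neither Layer 2 security nor web authentication"))
    for ap in aps:
        for profile in groups[ap["group"]]:
            if not wlans[profile]["flex_local_switching"]:
                continue  # centrally switched everywhere; nothing AP-side to check
            if ap["mode"] != "flexconnect":
                findings.append((ap["name"], f"{profile} allows local switching but AP is in "
                                             f"{ap['mode']} mode; traffic will be tunnelled to the WLC"))
                continue
            if not ap.get("vlan_support") or ap.get("native_vlan") is None:
                findings.append((ap["name"], f"VLAN support/native VLAN not set; cannot locally switch {profile}"))
            if profile not in ap.get("vlan_map", {}):
                findings.append((ap["name"], f"no VLAN mapping for locally switched WLAN {profile}"))
    return findings


if __name__ == "__main__":
    for (ap, wlan), mode in sorted(switching_table().items()):
        print(f"{ap:10} {wlan:11} {mode}")
    for obj, finding in audit():
        print(f"[!] {obj}: {finding}")
```

The switching table makes the mixed case visible: on RemoteAP1 the Data WLAN is locally switched while Guest on the same AP still goes back to the WLC. The audit then reports the short LocalData session timeout and the two missing FlexConnect settings on RemoteAP2, which is the kind of half-finished AP that quietly tunnels remote data traffic over the WAN instead of switching it locally.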

Feedback
I hope you find this post helpful. Leave your comments if you need clarification on any point or
want to know more about this. I followed the Cisco guides to implement all this but wanted to
write up a simple way of doing it, and also to explain it better to myself and to everyone.

References
http://www.cisco.com/en/US/docs/wireless/controller/7.2/configuration/guide/cg.html
https://supportforums.cisco.com/docs/DOC-24082
