IUWNE
Implementing Cisco Unified Wireless Networking Essentials
Version 2.0
Lab Guide

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.

DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED "AS IS." CISCO MAKES AND YOU RECEIVE NO WARRANTIES IN CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN ANY OTHER PROVISION OF THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. This learning product may contain early release content, and while Cisco believes it to be accurate, it falls subject to the disclaimer above.

Lab Guide © 2011 Cisco and/or its affiliates. All rights reserved.

Table of Contents

Lab Guide
  Overview
  Outline
Lab 1-1: Becoming Familiar with Antennas and Ranges
  Activity Objective, Visual Objective, Required Resources
  Task 1: Complete Power Conversions
  Task 2: Calculate EIRP and Choose the Correct Antenna
  Task 3: Determine the Type of Antenna Represented, Its Use, and the Best Location for It
Lab 1-2: Creating an Ad Hoc (IBSS) Network and Analyzing the Communication
  Activity Objective, Visual Objective, Required Resources, Command List, Job Aids
  Task 1: Connect to the Remote Lab
  Task 2: Connect to Your Remote Lab Wireless Laptop
  Task 3: Verify the Internal Card Settings
  Task 4: Create an Ad Hoc Network and Analyze the Communication
Lab 2-1: Configuring a Cisco 2504 WLC
  Activity Objective, Visual Objective, Required Resources, Job Aids
  Task 1: Connect to the WLAN Controller Serial Interface and Configure Your Controller for the First Time
  Task 2: Connect to the Controller
  Task 3: Allow Limited Remote Management
  Task 4: Allow Open Authentication
  Task 5: Create a DHCP Scope
  Task 6: Configure APs
Lab 2-2: Downgrading a Controller-Based AP to an Autonomous AP
  Activity Objective, Visual Objective, Required Resources, Job Aids
  Task 1: Downgrade a Controller-Based AP to an Autonomous AP
  Task 2: Configure the Cisco Aironet 1142 Access Point
  Task 3: Configure Your Standalone AP from the GUI
Lab 3-1: Configuring Cisco AnyConnect Secure Mobility Client
  Activity Objective, Visual Objective, Required Resources, Job Aids
  Task 1: Configure the Required Interfaces for Data WLAN
  Task 2: Configure DHCP Pool for Data (VLAN x1) Clients on the WLAN Controller
  Task 3: Configure WLANs for Data
  Task 4: Configure Cisco AnyConnect Secure Mobility Client to Connect to the Data WLAN
  Task 5: Verify Connectivity
Lab 3-2: Experiencing Connections and Roaming
  Activity Objective, Visual Objective, Required Resources, Job Aids
  Task 1: Create a Common WLAN
  Task 2: Connect to the Right AP
  Task 3: Use Roaming
Lab 4-1: Configuring WLC PSK Authentication
  Activity Objective, Visual Objective, Required Resources, Job Aids
  Task 1: Configure the Data WLAN for PSK
  Task 2: Configure Cisco AnyConnect Secure Mobility Client to Connect to the Data WLAN by Using PSK
Lab 4-2: Configuring Cisco Autonomous Access Point PSK Authentication
  Activity Objective, Visual Objective, Required Resources, Job Aids
  Task 1: Configure the Autonomous AP for PSK
  Task 2: Configure Cisco AnyConnect Secure Mobility Client to Connect to the IUWNEx1 Using PSK
Lab 4-3: Configuring EAP-FAST Authentication with WPA
  Activity Objective, Visual Objective, Required Resources, Job Aids
  Task 1: Create the WLAN
  Task 2: Create the Local Net Users
  Task 3: Configure the Client and Access the Network
Lab 4-4: Configuring 802.1Q and Web Authentication
  Activity Objective, Visual Objective, Required Resources, Job Aids
  Task 1: Create a VLAN Interface
  Task 2: Create the WLAN
  Task 3: Create a Local Net User
  Task 4: Configure the Client
  Task 5: Exclude Clients
Lab 5-1: Configuring Controllers and APs from Cisco WCS
  Activity Objective, Visual Objective, Required Resources, Job Aids
  Task 1: Create Credentials on Cisco WCS and Customize the Interface
  Task 2: Add a Controller and AP on
  Task 3: Manage the Controller from Cisco WCS
  Task 4: Manage the AP from Cisco WCS
Lab 5-2: Working with Cisco WCS
  Activity Objective, Visual Objective, Required Resources, Job Aid
  Task 1: Position APs
  Task 2: Locate a Client on the Map
Lab 5-3: Monitoring the Network and Containing Devices
  Activity Objective, Visual Objective, Required Resources, Job Aids
  Task 1: Monitor Events
  Task 2: Contain a Rogue
  Task 3: Generate Reports
Lab 6-1: Backing Up the Cisco WLC Configuration Files
  Activity Objective, Visual Objective, Required Resources, Command List
  Task 1: Examine Cisco WLC Configuration Files
  Task 2: Save the Configuration by Using TFTP
Lab 6-2: Troubleshooting
  Activity Objective, Visual Objective, Required Resources, Command List, Job Aids
  Task 1: Troubleshoot Your Wireless Environment
Lab 6-3: Troubleshooting with Wireshark and Converting an Autonomous AP to WLC Mode
  Activity Objective, Visual Objective, Required Resources, Job Aids
  Task 1: Use Wireshark to Analyze a Connection Issue
  Task 2: Migrate Your Autonomous AP to a WLC-Based AP
  Task 3: Convert Your Standalone AP to CAPWAP
Answer Key
  Lab 1-1 Answer Key: Becoming Familiar with Antennas and Ranges
  Lab 1-2 Answer Key: Creating an Ad Hoc (IBSS) Network and Analyzing the Communication
  Lab 2-1 Answer Key: Configuring a Cisco 2504 WLC
  Lab 2-2 Answer Key: Downgrading a Controller-Based AP to an Autonomous AP
  Lab 3-1 Answer Key: Configuring Cisco AnyConnect Secure Mobility Client
  Lab 3-2 Answer Key: Experiencing Connections and Roaming
  Lab 4-1 Answer Key: Configuring WLC PSK Authentication
  Lab 4-2: Configuring Cisco Autonomous Access Point PSK Authentication
  Lab 4-3: Configuring EAP-FAST Authentication with WPA
  Lab 4-4 Answer Key: Configuring 802.1Q and Web Authentication
  Lab 5-1 Answer Key: Configuring Controllers and APs from Cisco WCS
  Lab 5-2 Answer Key: Working with Cisco WCS
  Lab 5-3 Answer Key: Monitoring the Network and Containing Devices
  Lab 6-1 Answer Key: Backing Up the Cisco WLC Configuration Files
  Lab 6-2 Answer Key: Troubleshooting
  Lab 6-3 Answer Key: Troubleshooting with Wireshark and Converting an Autonomous AP to WLC Mode

IUWNE Lab Guide

Overview
This guide presents the instructions and other information concerning the lab activities for Implementing Cisco Unified Wireless Networking Essentials (IUWNE) v2.0 course.
You can find the solutions in the lab activity Answer Key.

Outline
This guide includes these activities:
- Lab 1-1: Becoming Familiar with Antennas and Ranges
- Lab 1-2: Creating an Ad Hoc (IBSS) Network and Analyzing the Communication
- Lab 2-1: Configuring a Cisco 2504 WLC
- Lab 2-2: Downgrading a Controller-Based AP to an Autonomous AP
- Lab 3-1: Configuring Cisco AnyConnect Secure Mobility Client
- Lab 3-2: Experiencing Connections and Roaming
- Lab 4-1: Configuring WLC PSK Authentication
- Lab 4-2: Configuring Cisco Autonomous Access Point PSK Authentication
- Lab 4-3: Configuring EAP-FAST Authentication with WPA
- Lab 4-4: Configuring 802.1Q and Web Authentication
- Lab 5-1: Configuring Controllers and APs from Cisco WCS
- Lab 5-2: Working with Cisco WCS
- Lab 5-3: Monitoring the Network and Containing Devices
- Lab 6-1: Backing Up the Cisco WLC Configuration Files
- Lab 6-2: Troubleshooting
- Lab 6-3: Troubleshooting with Wireshark and Converting an Autonomous AP to WLC Mode
- Answer Key

Lab 1-1: Becoming Familiar with Antennas and Ranges
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will work with antennas and powers. After completing this activity, you will be able to meet these objectives:
- Convert mW to dBm and back
- Determine the EIRP from the AP, cable, and antenna specifications that are provided
- Determine which AP is the best choice for which situation

Visual Objective
The figure illustrates what you will accomplish in this activity.

Required Resources
These are the resources and equipment that are required to complete this activity:
- A PC with Microsoft Excel or OpenOffice Calc

Task 1: Complete Power Conversions
In this task, you will work with various powers, to familiarize yourself with decibel

Activity Procedure
Complete these steps:
Step 1   Convert 20 mW to its dBm equivalent.
Step 2   Convert 40 mW to its dBm equivalent.
Step 3   Convert 2 W to its dBm equivalent.
Step 4   Convert 23 dBm to its mW equivalent.
Step 5   Convert -13 dBm to its mW equivalent.
Step 6   A station receives 0.000001-mW RSSI from an AP. The noise level is about 0.00000025 mW. Convert these values to dBm and determine the SNR level. Is the SNR level acceptable?
Step 7   How many dBd is a 7.24-dBi antenna?
Step 8   How many dBd is a 13.56-dBi antenna?
Step 9   How many dBi is a 13.56-dBd antenna?
Step 10  How many dBi is an 18.85-dBd antenna?
Step 11  What is the dBd gain of a 21-dBi dish antenna?
Step 12  Which antenna has more gain: 2.14 dBi or 3.28 dBd?
Step 13  Which antenna has more gain: 3.41 dBi or 4.18 dBm?
Step 14  Which antenna has more gain: 18 dBi or 3.41 dBd?

Activity Verification
You have successfully completed this task when you attain this result:
- You found the correct values, as specified in the answer key.

Task 2: Calculate EIRP and Choose the Correct Antenna
In this task, you will work with hardware specifications to determine the EIRP or to choose which hardware matches the link specifications.

Activity Procedure
Complete these steps:
Step 1   Which antenna would work best for a point-to-point, 26-mile (42-km) link? A 21-dBi dish, a 5.2-dBi omnidirectional, or an 8.1-dBi patch?
Step 2   Which antenna would work best for large lobby coverage, from a wall? A 21-dBi dish, a 5.2-dBi omnidirectional, or an 8.1-dBi patch?
Step 3   Which antenna would work best for coverage of a meeting room, from the ceiling? 21-dBi dish, 5.2-dBi omni, 8.1-dBi patch?
Step 4   An AP transmitter emits 40 mW of power through a cable that adds 3-dB loss. The Yagi antenna that is being used has 13.5-dBi gain. What is the EIRP?
Step 5   An AP transmitter emits 20 mW of power through a cable that adds 4-dB loss per 100 feet. The cable is 20 feet long. The omnidirectional antenna that is being used has 5.2-dBi gain. What is the EIRP?
Step 6   An AP transmitter emits 100 mW of power to an antenna that connects directly to it. The antenna is an 8.5-dBi patch antenna. What is the EIRP?
Step 7   You have been asked not to exceed 20-dBm EIRP on a 3.0-dBi omnidirectional antenna. Which power level should you set your AP to, knowing that you use 50 feet of cable at a loss of 6 dB per 100 feet?
Step 8   You have been asked not to exceed 17-dBm EIRP on a 13.5-dBi Yagi antenna. Which power level should you set your AP to, knowing that you will use 150 feet of cable at a loss of 6 dB per 100 feet and that the cable connectors add an extra 0.5-dB loss?
Step 9   You have been asked not to exceed 17-dBm EIRP on a 5.2-dBi patch antenna. At a loss of 2.8 dB per 100 feet, which length of cable should you use, knowing that the AP power level is statically set to 40 mW?

Activity Verification
You have successfully completed this task when you attain this result:
- You found the right values, as specified in the answer key.

Task 3: Determine the Type of Antenna Represented, Its Use, and the Best Location for It
In this task, you will work with AP coverage patterns to determine the type of antenna and its usage.

Activity Procedure
Complete these steps:
Step 1   Look at the following radiation pattern.
Step 2   Which type of antenna does this pattern represent?
Step 3   For which type of use is this antenna best suited?
Step 4   What is the best place for the antenna to be mounted?
         [ ] Pillar   [ ] Rooftop   [ ] Ceiling
Step 5   Look at the following radiation pattern.
Step 6   Which type of antenna does this pattern represent?
Step 7   For which type of use is the antenna best suited?
Step 8   What is the best place for the antenna to be mounted?
         [ ] Pillar   [ ] Rooftop   [ ] Ceiling
Step 9   Look at the following radiation pattern.
Step 10  For which type of use is the antenna best suited?
Step 11  Which type of antenna does this pattern represent?
Step 12  What is the best place for the antenna to be mounted?
         [ ] Mast   [ ] Rooftop   [ ] Ceiling

Activity Verification
You have successfully completed this task when you attain this result:
- You found the right values, as specified in the answer key.

Lab 1-2: Creating an Ad Hoc (IBSS) Network and Analyzing the Communication
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will connect to the remote lab and create an ad hoc network between two machines. You will then analyze the communication to understand exactly what is exchanged between the laptops. After completing this activity, you will be able to meet these objectives:
- Connect to the remote lab
- Connect to a remote laptop
- Verify the internal card settings
- Create an ad hoc network and analyze the communication

Visual Objective
The figure illustrates what you will accomplish in this activity.

Required Resources
These are the resources and equipment that are required to complete this activity:
- A PC with connectivity to the Internet
- The Cisco VPN client
- The Remote Desktop Connection application
- IP addresses that are assigned to your group
- Lab map diagram
- In the remote lab, a laptop with preinstalled sniffer and wireless card
Command List
The table describes the command that is used in this activity.

ping Command
| Command | Description |
| ping | Tests Layer 3 reachability |

Job Aids
These job aids are available to help you complete the lab activity:
- Remote laptop, already loaded with appropriate applications
- Lab map IP addressing and naming convention

Lab Map—Groups 1 to 4
| | Group 1 | Group 2 | Group 3 | Group 4 |
| Remote laptop address | 10.10.1.240 | 10.20.1.240 | 10.30.1.240 | 10.40.1.240 |
| Remote laptop login | student1 | student2 | student3 | student4 |
| Remote laptop password | cisco | cisco | cisco | cisco |
| Ad hoc channel | 1 | 1 | [illegible] | 6 |
| Ad hoc SSID | IUWNE-AD1 | IUWNE-AD2 | IUWNE-AD3 | IUWNE-AD4 |
| Ad hoc IP address | 192.168.10.1 | 192.168.10.2 | 192.168.10.5 | 192.168.10.6 |
| Ad hoc mask | 255.255.255.252 | 255.255.255.252 | 255.255.255.252 | 255.255.255.252 |

Lab Map—Groups 5 to 8
| | Group 5 | Group 6 | Group 7 | Group 8 |
| Remote laptop address | 10.50.1.240 | 10.60.1.240 | 10.70.1.240 | 10.80.1.240 |
| Remote laptop login | student5 | student6 | student7 | student8 |
| Remote laptop password | cisco | cisco | cisco | cisco |
| Ad hoc channel | 1 | [illegible] | 1 | [illegible] |
| Ad hoc SSID | IUWNE-AD5 | IUWNE-AD6 | IUWNE-AD7 | IUWNE-AD8 |
| Ad hoc IP address | 192.168.10.9 | 192.168.10.10 | 192.168.10.13 | 192.168.10.14 |
| Ad hoc mask | 255.255.255.252 | 255.255.255.252 | 255.255.255.252 | 255.255.255.252 |

Task 1: Connect to the Remote Lab
In this task, you will use the Cisco VPN client to connect to the remote lab. You will install the client, import the profile that contains the parameters that are required to access the remote lab, and test the connection.

Activity Procedure
Complete these steps:
Step 1   Check to see if the Cisco VPN client is already installed on your PC: Choose Start > All Programs, and verify that the Cisco Systems VPN Client folder is present in the list of available programs. If the folder is present, go directly to Step 4.
Step 2   If the folder is not present, ask your instructor to provide you with the Cisco VPN client installer and the profile file (.pcf) that is required to access the remote lab.
Step 3   Double-click Cisco Systems VPN Client Installer, and use the default values to install the program. You might be asked to reboot your PC.
Step 4   Choose Start > All Programs, go to the Cisco Systems VPN Client folder, and click the VPN Client icon.
Step 5   Click Connection Entries, and choose Import.
Step 6   Browse the list and choose the pcf file that is provided by your instructor. This action should add a new entry in the VPN Client window.
Step 7   Double-click the new entry in the VPN Client window. Ask your instructor to provide the credentials that are used in your class.
Step 8   The connection is established when a small lock appears in the bottom-right corner of the screen.
Step 9   Verify that you were assigned an IP address in the VPN network: Choose Start, enter cmd, and click OK.
Step 10  In the MS-DOS window, enter ipconfig /all. Verify that an adapter called Cisco VPN Adapter appears in the list and has an IP address in the range 10.X0.1.0 (where X is your group number).
Step 11  In the command prompt window, enter ping 10.100.1.254 to send a ping to the common gateway.
         Verify that the ping is successful.

Activity Verification
You have successfully completed this task when you attain these results:
- You are connected to the VPN gateway.
- Your VPN adapter has an IP address in the 10.X0.1.0/24 range.
- You can send a ping to a remote lab router.

Task 2: Connect to Your Remote Lab Wireless Laptop
In this task, you will use your VPN connection and Windows Remote Desktop Connection to connect to your remote lab wireless laptop.

Activity Procedure
Complete these steps:
Step 1   Verify that your VPN connection to the remote lab is working properly.
Step 2   Connect to your remote laptop by using the remote desktop: Choose Start > All Programs > Accessories > Remote Desktop Connection.

Note     In each group, only one person at a time can connect to the remote lab wireless laptop. With your partner, decide who will connect.

Step 3   Use the lab map table that is shown in the Job Aids section to determine the destination IP address to use to connect to your remote laptop. The address should be in the format 10.X0.1.240, where X is your pod number.
Step 4   In the Remote Desktop Connection pop-up window, in the computer field, enter the IP address of your remote laptop, then click Connect.
Step 5   You will be presented with a new window, in which you are asked to enter the credentials that are required to access your remote lab wireless laptop. Use the lab map table to find out which username and password to use to connect to your group laptop.
         Use the username format studentX (where X is your group number) and password format
Step 6   Enter the credentials, then click OK. You should see the Windows desktop of your remote laptop.

Tip      You will use this same method of access for all subsequent labs, so keep this procedure available for reference.

Step 7   Take some time to familiarize yourself with the remote desktop interface. This remote desktop displays over your class PC desktop. The upper bar shows that you are in the remote desktop interface and displays the IP address of the remote laptop. To minimize the remote desktop window, click the Minimize button. The remote desktop window is minimized to your class PC taskbar. You can then access other applications in your class PC. Click the Remote Desktop Connection icon in the task bar to restore the remote desktop to its full size. Click the Maximize button to increase or the Restore Down button to reduce the size of the remote desktop application. To end the remote desktop session, click the Close button in the remote desktop window. Never disconnect the VPN session without closing the remote desktop application first. You would be disconnected from the remote laptop without any possibility of reconnecting.

Activity Verification
You have successfully completed this task when you attain these results:
- You are connected to the remote lab wireless laptop.
- You see your remote lab wireless laptop IP address in a tab at the top of your screen.
- You see your remote lab wireless laptop desktop and can interact with it.

Task 3: Verify the Internal Card Settings
In this task, you will document how your internal card reacts when being configured to connect to an ad hoc network.

Activity Procedure
Complete these steps:
Step 1   From your remote lab wireless laptop, click Start > Control Panel > Network and Internet > Network and Sharing Center > View Network Status and Tasks > Change Adapter Settings.
Step 2   Locate your wireless connection, which is labeled Intel(R) Wireless WiFi Link 4965AGN.
Step 3   Right-click the wireless connection and choose Enable.
Step 4   Right-click the wireless connection again and choose Properties.
Step 5   A new window opens. Click the Configure button at the right of the physical card description, Intel Wireless WiFi Link 4965AGN.
Step 6   A new window appears. Click the Advanced tab. In the Property list, choose Ad Hoc Channel 802.11b/g, and then choose the correct value for your group by using the up and down arrows in the Value field. Refer to the values in the table.
         [Table: ad hoc channel value for Pod 1 to Pod 8; values not recoverable]
Step 7   Click OK to validate your changes.
Step 8   Open a command prompt: choose Start > All Programs > Accessories > Command Prompt.
Step 9   From the command prompt, enter ipconfig /all.
Step 10  You can see your wireless card MAC address. Document it here.
         Intel card MAC address: ____________
Step 11  Close the command prompt window.

Activity Verification
You have successfully completed this task when you attain these results:
- You configured the channel that your card uses to connect to ad hoc networks.
- You documented your internal wireless card MAC address.

Task 4: Create an Ad Hoc Network and Analyze the Communication
In this task, you will work with a peer group to analyze ad hoc networks. You need to coordinate your action with the peer group to perform the steps at the same time, so that both laptops can capture the correct frames. The table shows the peer groups.

| Pod | Peer Group |
| Pod 1 | Pod 2 |
| Pod 3 | Pod 4 |
| Pod 5 | Pod 6 |
| Pod 7 | Pod 8 |

Activity Procedure
Complete these steps:
Step 1   Prepare your wireless connection. If you closed the Wireless Network Connection Properties window, click Start > Control Panel > Network and Internet > Network and Sharing Center > View Network Status and Tasks > Change Adapter Settings.
Step 2   A new window appears, showing all your network adapters.
Step 3   Locate your wireless connection. It should be called Intel(R) Wireless WiFi Link 4965AGN.
Step 4   Right-click your wireless connection and choose Properties.
Step 5   To create an ad hoc network, you must have a common subnet IP address and create a common SSID. You need the IP address because neither of the two laptops is configured to act as a DHCP server.
         In the Wireless Network Connection Properties window, click the Networking tab, right-click Internet Protocol Version 4 (TCP/IPv4), and then choose Properties.
Step 6   In the General tab, click the Use the following IP address radio button.
Step 7   Enter the IP address that is assigned to your group for this lab. Refer to the lab map.
Step 8   In the Subnet Mask field, enter 255.255.255.252.
Step 9   Leave the other fields empty, and click OK. Click Close.
Step 10  Go to Start > Control Panel > Network and Internet > Network and Sharing Center > View Network Status and Tasks > Manage Wireless Networks.
Step 11  Choose Add.
Step 12  Choose Create an ad hoc network, and then click Next.
Step 13  A new window appears. In the Network Name field, enter your ad hoc SSID. Refer to the lab map.
Step 14  From the Security Type drop-down list, choose No Authentication (Open).
Step 15  Check the Save This Network check box.
Step 16  Click Next.
Step 17  Click Close.
Step 18  Close all the windows.
Step 19  Click the Network icon in the Windows system tray. The display shows the SSID that was previously created and the text "Waiting for users."
Step 20  The even-number pods will connect to the odd-number pods. If you are in an even-number pod, click the Network icon in the system tray. You should see the SSID of your odd-number partner pod. Click the SSID and then click Connect.
Step 21  Click the Network icon in the system tray. You should see the SSID of your odd-number partner pod. Right-click the SSID and choose Status to verify that you are connected.
Step 22  Open a command prompt: Choose Start > All Programs > Accessories > Command Prompt.
Step 23  Try to send a ping to the peer group IP address. The command should be in the form ping 192.168.10.Z, where Z is the peer group host address. The ping should be successful.
Step 24  You have now confirmed that the peer-to-peer connection worked. The next step is to sniff the connection process and analyze it. Right-click your wireless connection and choose Disable.
Step 25  To start Wireshark, click Start > All Programs > Wireshark > Wireshark.
Step 26  Choose the AirPcap passive interface. In Wireshark, click Capture and choose Interfaces.
Step 27  In the Capture Interfaces list, you should see an entry AirPcap USB Wireless Capture Adapter. Click Options at the right of this entry.
Step 28  A new window appears. Verify that the Capture Packets in Promiscuous Mode check box is checked.
Step 29  Click Wireless Settings.
Step 30  In the Channel field, choose the ad hoc channel that your group uses. Refer to the lab map.
Step 31  Verify that the Capture Type is set to 802.11 + Radio. Click OK.
Step 32  You should filter the capture to display only frames from and to your Intel adapter.
In the Capture Filter field, enter ether host followed by the MAC address of your Intel card, which you documented in the last step of the previous task¹; for example, ether host 00:05:85:72:17:10.
Step 33 Make sure that your partner group is at the same step. Then, in the bottom section of the Wireshark Capture Options window, click Start to launch the capture.
Step 34 Locate your wireless connection Intel(R) Wireless WiFi Link 4965AGN.
Step 35 Right-click the connection and choose Enable.
Step 36 From the odd-number pod, click the Network icon in the system tray. You should see your SSID. Click the SSID and click Connect.
¹ The Capture Filter menu presents a drop-
All Programs > Accessories > Command Prompt.
Step 40 Try to send a ping to the peer group IP address. The command should be in the form ping 192.168.10.Z, where Z is the peer group host address. The ping should be successful.
Step 41 From the Wireshark window, stop the capture. Click the Stop Capture icon.
Step 42 Try to analyze the capture with your partner group and answer the following questions: What is the most common frame type that is seen in the capture? (Pings? Probe requests or answers? Beacons?)
Step 43 Do you see any data packets?
Step 44 Click one beacon. Expand the Radiotap section. What is the peak frequency of the channel that is being used? The channel that you defined for your network? Another
Step 45 At which speed (data rate) was the beacon sent? (The lowest possible speed? The fastest? An intermediate speed?)
Step 46 How often, on average, is the beacon sent? (Intervals between frames in the upper section of the program window are given in seconds.
You can also expand the IEEE 802.11 Wireless Management Frame section and the Fixed Parameters subsection.) (Every second? Every 10th of a second? One hundred times a second?)
Step 47 Expand the Tagged Parameters section of the IEEE 802.11 Wireless Management Frame section. What are the supported rates? (All the 802.11b rates? Only some of them? More than the 802.11b rates?)
Step 48 From these supported rates, which type of network protocol do you think is used? (802.11b? 802.11g? 802.11b/g? 802.11a?)
Step 49 In the same Tagged Parameters section of the IEEE 802.11 Wireless Management Frame section, which flag indicates that the network is an ad hoc network? (An Ad Hoc field? IBSS? BSSID?)
Step 50 Does your card support WMM/WME? Yes / No
Step 51 Try to find frames that were not sent at the lowest speed. Why were they sent faster? (Because only beacon frames are sent slowly? To optimize the transmission to the recipient?)
Step 52 Close the Wireshark software. Save the capture on your desktop for future reference. Name the capture Ad-hoc!
Step 53 From the Wireless Network Connection Properties window, right-click your wireless connection and choose Properties.
Step 54 Click the Networking tab, choose Internet Protocol Version 4 (TCP/IPv4), and click Properties.
Step 55 Click the Obtain an IP Address Automatically radio button.
Step 56 Click the Obtain DNS Server Address Automatically radio button.
Step 57 Click OK to validate.
Step 58 Close the Wireless Network Connection Properties window.
Step 59 Right-click your wireless connection and choose Disable.
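The beacon fields that Steps 44 to 51 of this task ask you to read in Wireshark can also be decoded directly from the frame bytes. The following is an added example, not part of the original lab guide: the sample frame, its addresses, SSID and channel are constructed, and the code assumes the radiotap header and any trailing FCS have already been removed.

```python
import struct

CAP_ESS, CAP_IBSS, CAP_PRIVACY = 0x0001, 0x0002, 0x0010
B_RATES = {1.0, 2.0, 5.5, 11.0}           # 802.11b (DSSS/CCK) rates in Mb/s
WMM_PREFIX = bytes.fromhex("0050f202")     # vendor OUI 00:50:F2, type 2 = WMM/WME


def build_sample_beacon():
    """Constructed ad hoc beacon (hypothetical addresses, SSID and channel)."""
    header = struct.pack(
        "<HH6s6s6sH",
        0x0080,                            # frame control: management, subtype beacon
        0,                                 # duration
        b"\xff" * 6,                       # destination: broadcast
        bytes.fromhex("020000000001"),     # source address (constructed)
        bytes.fromhex("02aabbccddee"),     # BSSID (constructed)
        0,                                 # sequence control
    )
    # Fixed parameters: timestamp, beacon interval in TU, capability information.
    fixed = struct.pack("<QHH", 123456789, 100, CAP_IBSS)
    tags = [
        (0, b"LAB-ADHOC"),                                  # SSID
        (1, bytes([0x82, 0x84, 0x8B, 0x96])),               # supported rates
        (3, bytes([11])),                                   # DS parameter set: channel
        (6, struct.pack("<H", 0)),                          # IBSS parameter set: ATIM window
        (50, bytes([0x0C, 0x12, 0x18, 0x24, 0x30, 0x48, 0x60, 0x6C])),  # extended rates
        (221, WMM_PREFIX + bytes([0x00, 0x01, 0x00])),      # vendor specific: WMM info
    ]
    body = b"".join(bytes([tag, len(value)]) + value for tag, value in tags)
    return header + fixed + body


def parse_beacon(frame):
    """Decode the beacon fields that the lab questions refer to."""
    if len(frame) < 36:                    # 24-byte header + 12 bytes of fixed parameters
        raise ValueError("frame too short for a beacon")
    frame_control, = struct.unpack_from("<H", frame, 0)
    if (frame_control >> 2) & 0x3 != 0 or (frame_control >> 4) & 0xF != 8:
        raise ValueError("not a beacon frame")
    _timestamp, interval_tu, cap = struct.unpack_from("<QHH", frame, 24)
    info = {
        "bssid": frame[16:22].hex(":"),
        "beacon_interval_ms": interval_tu * 1024 / 1000,    # 1 TU = 1024 microseconds
        "ess": bool(cap & CAP_ESS),        # set by an AP in an infrastructure BSS
        "ibss": bool(cap & CAP_IBSS),      # set by a station in an ad hoc network
        "privacy": bool(cap & CAP_PRIVACY),
        "ssid": None, "channel": None, "atim_window": None,
        "rates": [], "basic_rates": [], "wmm": False, "truncated": False,
    }
    pos = 36
    while pos + 2 <= len(frame):           # tagged parameters: id, length, value
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:            # element runs past the captured bytes
            break
        if tag == 0:
            info["ssid"] = value.decode("utf-8", "replace")
        elif tag in (1, 50):
            for octet in value:
                rate = (octet & 0x7F) * 0.5                 # units of 500 kb/s
                info["rates"].append(rate)
                if octet & 0x80:                            # high bit marks a basic rate
                    info["basic_rates"].append(rate)
        elif tag == 3 and length == 1:
            info["channel"] = value[0]
        elif tag == 6 and length == 2:
            info["atim_window"], = struct.unpack("<H", value)
        elif tag == 221 and value.startswith(WMM_PREFIX):
            info["wmm"] = True
        pos += 2 + length
    info["truncated"] = pos != len(frame)  # leftover bytes mean a cut or stray element
    return info


def rate_family(rates):
    """Rough protocol guess from the advertised rates."""
    rates = set(rates)
    if not rates:
        return "unknown"
    has_b, has_ofdm = bool(rates & B_RATES), bool(rates - B_RATES)
    if has_b and has_ofdm:
        return "802.11b/g"
    if has_b:
        return "802.11b"
    return "OFDM only (802.11a, or 802.11g without 802.11b rates)"


if __name__ == "__main__":
    beacon = parse_beacon(build_sample_beacon())
    for key, value in beacon.items():
        print(f"{key:20} {value}")
    print("beacons per second  ", round(1000 / beacon["beacon_interval_ms"], 2))
    print("rate family         ", rate_family(beacon["rates"]))
```

If the capture was taken with the FCS included in the frames, strip the last four bytes before parsing, otherwise the parser reports the frame as truncated.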
Step 60 Close the Network Connections window.
Step 61 Disconnect from your remote laptop.

Activity Verification
You have successfully completed this task when you attain these results:
- You were able to create an ad hoc connection.
- You were able to connect to your peer group.
- You were able to capture and analyze some traffic.

Lab 2-1: Configuring a Cisco 2504 WLC
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will connect to your Cisco 2504 WLC through the serial connection and configure the WLC for the first time. After completing this activity, you will be able to meet these objectives:
- Configure a Cisco 2504 WLC by using the CLI setup wizard
- Connect to the configured controller by using the web interface
- Allow Telnet connections to the controller
- Allow open authentication access through the WLAN
- Create a DHCP scope to support local clients
- Verify the presence of the APs

Visual Objective
The figure illustrates what you will accomplish in this activity.
[Figure: class PC, Remote Desktop, terminal server, Cisco WLC, Cisco Aironet 3502i Access Point, Cisco Aironet 1142 Access Point]

Required Resources
These are the resources and equipment that are required to complete this activity:
- A PC with connectivity to the Internet
- The Cisco VPN client
- A connection to the Remote Terminal server with a serial connection to your controller
- In the remote lab, a Cisco 2504 WLC
- In the remote lab, a Cisco Aironet 3502i Access Point
- In the remote lab, a Cisco Aironet 1142 Access Point
- In the remote lab, a laptop with a Cisco WLAN adapter

Job Aids
These job aids are available to help you complete the lab activity:
- IP addresses that are assigned to your pod
- Lab table

Lab Table—IP Addressing, Naming, and Information: Pods 1 to 4

| | Pod 1 | Pod 2 | Pod 3 | Pod 4 |
|---|---|---|---|---|
| Remote laptop address | 10.10.1.240 | 10.20.1.240 | 10.30.1.240 | 10.40.1.240 |
| Remote laptop login | student1 | student2 | student3 | student4 |
| Remote laptop password | cisco | cisco | cisco | cisco |
| Controller system name | 2504-1 | 2504-2 | 2504-3 | 2504-4 |
| Administrative user | admin1 | admin2 | admin3 | admin4 |
| Administrative password | QWer1234 | QWer1234 | QWer1234 | QWer1234 |
| Management interface IP address | 10.10.1.10 | 10.20.1.10 | 10.30.1.10 | 10.40.1.10 |
| Management interface netmask | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 |
| Default router | 10.10.1.254 | 10.20.1.254 | 10.30.1.254 | 10.40.1.254 |
| Management VLAN ID | 0 | 0 | 0 | 0 |
| Management port | 1 | 1 | 1 | 1 |
| Management DHCP | 10.10.1.10 | 10.20.1.10 | 10.30.1.10 | 10.40.1.10 |
| Virtual gateway IP address | 1.1.1.1 | 1.1.1.1 | 1.1.1.1 | 1.1.1.1 |
| Mobility group name | pod1 | pod2 | pod3 | pod4 |
| Network name | IUWNE-1 | IUWNE-2 | IUWNE-3 | IUWNE-4 |
| DHCP Bridging Mode | No | No | No | No |
| Allow static IP addresses | Yes | Yes | Yes | Yes |
| RADIUS server | No | No | No | No |
| Country code | Ask the instructor | Ask the instructor | Ask the instructor | Ask the instructor |
| Enable b, a, and auto-RF | Yes | Yes | Yes | Yes |
| Configure NTP | No | No | No | No |
| Configure time | No | No | No | No |
| DHCP scope name | Scope 1-1 | Scope 2-1 | Scope 3-1 | Scope 4-1 |
| DHCP start address | 10.10.1.21 | 10.20.1.21 | 10.30.1.21 | 10.40.1.21 |
| DHCP end address | 10.10.1.25 | 10.20.1.25 | 10.30.1.25 | 10.40.1.25 |
| DHCP network | 10.10.1.0 | 10.20.1.0 | 10.30.1.0 | 10.40.1.0 |
| DHCP netmask | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 |
| DHCP lease time | 14400 | 14400 | 14400 | 14400 |
| DHCP default router | 10.10.1.254 | 10.20.1.254 | 10.30.1.254 | 10.40.1.254 |
| DHCP DNS server | 10.100.1.1 | 10.100.1.1 | 10.100.1.1 | 10.100.1.1 |
| DHCP NetBIOS server | 10.100.1.1 | 10.100.1.1 | 10.100.1.1 | 10.100.1.1 |
| DHCP status | Enabled | Enabled | Enabled | Enabled |

Lab Table—IP Addressing, Naming, and Information: Pods 5 to 8

| | Pod 5 | Pod 6 | Pod 7 | Pod 8 |
|---|---|---|---|---|
| Remote laptop address | 10.50.1.240 | 10.60.1.240 | 10.70.1.240 | 10.80.1.240 |
| Remote laptop login | student5 | student6 | student7 | student8 |
| Remote laptop password | cisco | cisco | cisco | cisco |
| Controller system name | 2504-5 | 2504-6 | 2504-7 | 2504-8 |
| Administrative user | admin5 | admin6 | admin7 | admin8 |
| Administrative password | QWer1234 | QWer1234 | QWer1234 | QWer1234 |
| Management interface IP address | 10.50.1.10 | 10.60.1.10 | 10.70.1.10 | 10.80.1.10 |
| Management interface netmask | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 |
| Default router | 10.50.1.254 | 10.60.1.254 | 10.70.1.254 | 10.80.1.254 |
| Management VLAN ID | 0 | 0 | 0 | 0 |
| Management port | 1 | 1 | 1 | 1 |
| Management DHCP | 10.50.1.10 | 10.60.1.10 | 10.70.1.10 | 10.80.1.10 |
| Virtual gateway IP address | 1.1.1.1 | 1.1.1.1 | 1.1.1.1 | 1.1.1.1 |
| Mobility group name | pod5 | pod6 | pod7 | pod8 |
| Network name | IUWNE-5 | IUWNE-6 | IUWNE-7 | IUWNE-8 |
| DHCP Bridging Mode | No | No | No | No |
| Allow static IP addresses | Yes | Yes | Yes | Yes |
| RADIUS server | No | No | No | No |
| Country code | Ask the instructor | Ask the instructor | Ask the instructor | Ask the instructor |
| Enable b, a, and auto-RF | Yes | Yes | Yes | Yes |
| Configure NTP | No | No | No | No |
| Configure time | No | No | No | No |
| DHCP scope name | Scope 5-1 | Scope 6-1 | Scope 7-1 | Scope 8-1 |
| DHCP start address | 10.50.1.21 | 10.60.1.21 | 10.70.1.21 | 10.80.1.21 |
| DHCP end address | 10.50.1.25 | 10.60.1.25 | 10.70.1.25 | 10.80.1.25 |
| DHCP network | 10.50.1.0 | 10.60.1.0 | 10.70.1.0 | 10.80.1.0 |
| DHCP netmask | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 |
| DHCP lease time | 14400 | 14400 | 14400 | 14400 |
| DHCP default router | 10.50.1.254 | 10.60.1.254 | 10.70.1.254 | 10.80.1.254 |
| DHCP DNS server | 10.100.1.1 | 10.100.1.1 | 10.100.1.1 | 10.100.1.1 |
| DHCP NetBIOS server | 10.100.1.1 | 10.100.1.1 | 10.100.1.1 | 10.100.1.1 |
| DHCP status | Enabled | Enabled | Enabled | Enabled |

Task 1: Connect to the WLAN Controller Serial Interface and Configure Your Controller for the First Time
In this task, you will connect to your remote WLAN controller serial interface by using the remote lab terminal server, and you will go through the initial CLI setup for your respective Cisco WLC.

Activity Procedure
Complete these steps:
Step 1 Connect to the remote lab through the VPN tunnel.
Step 2 From your class PC, choose Start > Run. The Run window will appear. Enter cmd in the window, and then click OK.
Step 3 In the CLI, open a Telnet session to the remote lab terminal server at 10.1.1.252.
Step 4 Log in to the terminal server. Enter student in the Username field and cisco in the Password field.
    User Access Verification
    Username: student
    Password:

Step 5 Use the terminal server menu interface to access your pod. Choose the number of your pod, and then press Enter.
Step 6 Use the menu to connect to the Cisco WLC device.

Note If the connection does not work, enter els# (where # is the menu item number) to clear the connection.

    To exit telnet session and return to this menu press
    "CTRL+SHIFT+6" then "x".
    Clear connections by typing cle# (where # = menu item #)
    Type "exit" at any time while in the menu to disconnect
    ITEM# DEVICE NAME
    1 Connect to WLC2504
    2 Connect to AP3502
    3 Connect to AP1142
    4 EXIT
    Please enter command or selection:1

Caution Verify that the first selection you see is System Name. When enabling the HyperTerminal session to your controller, you might have pressed Enter to test the connection, and the setting you had at that time might have become the default selection. If that has become the default, and if the first selection you see is not System Name, then enter a hyphen (-) and press Enter to go back one step. Repeat the procedure as many times as needed to get back to the System Name selection step.

Step 7 Choose the parameters for your pod. The username is adminx (where x is your pod number) and the password is QWer1234. Additional parameters are given here and summarized in the lab table.
    System Name [Cisco 34:26:a3]: 2504-x
    Enter Administrative User Name (24 characters max): adminx
    Enter Administrative Password (24 characters max): ********
    Re-enter Administrative Password : ********
    Management Interface IP Address: 10.x0.1.10
    Management Interface Netmask: 255.255.255.0
    Management Interface Default Router: 10.x0.1.254
    Management Interface VLAN Identifier (0 = untagged): 0
    Management Interface Port Num [1 to 4]: 1

Note The port number is important because it must match the connection leading from the WLAN Controller to the network infrastructure.

    Management Interface DHCP Server IP Address: 10.x0.1.10

Note Later, your controller will be configured as a DHCP server. When using an internal WLAN Controller DHCP server, the IP address needs to match the management interface. Therefore, the DHCP server and management address will be the same and will point to itself for this lab. The remaining DHCP configuration will be completed later, via the GUI.

    Virtual Gateway IP Address: 1.1.1.1

Note The virtual gateway provides Layer 3 features such as the DHCP relay to wireless clients. This value must match among mobility groups.

    Mobility/RF Group Name: podx

Note The Mobility/RF group allows multiple wireless controllers to be clustered into one logical controller group, to allow dynamic RF adjustments and roaming for wireless clients.

    Network Name (SSID): IUWNE-x
    Configure DHCP Bridging Mode [Yes] [no]: no
    Allow Static IP Addresses [YES] [no]: yes
    Configure a RADIUS Server now? [YES] [no]: no

Note By default, one WLAN SSID is already configured on the WLC and uses server-based authentication. If you skip RADIUS configuration during the startup wizard, the result is a preconfigured SSID that uses 802.1X EAP, requiring a RADIUS server but without one defined. This choice is to prevent open authentication security vulnerabilities.

    Enter Country Code list (enter 'help' for a list of countries) [US]: ask the trainer for the correct country code
    Enable 802.11b Network [YES] [no]: yes
    Enable 802.11a Network [YES] [no]: yes
    Enable 802.11g Network [YES] [no]: yes

Note On your controller, enable all radios: 802.11b, 802.11g, and 802.11a. The AP for this controller has only one 802.11a radio. You still allow all protocols, so that if an 802.11b/g AP joins the controller, its radios will be enabled.

    Enable Auto-RF [YES] [no]: yes
    Configure a NTP server now? [YES] [no]: no
    Configure the system time now? [YES] [no]: no
    Warning! No AP will come up unless the time is set.
    Please see documentation for more details.

Note You do not configure the time on this controller. In a real deployment, you would configure the time during the initial configuration of the controller. In this remote lab scenario, the time has already been configured and is consistent with the time of the other devices in the lab.

    Configuration correct? If yes, system will save it and reset. [yes] [NO]

Step 8 Read the warning. Then enter yes. The controller saves the configuration and reboots directly.
Step 9 Wait for the controller to reboot completely, until you are prompted for a username. Enter your administrative username, and then press Enter.
Step 10 Enter your password, and then press Enter. Verify that you receive the Cisco Controller prompt.
Step 11 Verify your configuration by entering show sysinfo. The display should be similar to the one that is shown here, but with the values that are relevant to your pod. Press More to see the complete output. To easily identify your WLC, change the prompt. Enter the command config prompt 2504-x (where x is your pod number).
Step 12 Press Enter.
Step 13 Enter save config to save your changes.

Activity Verification
You have successfully completed this task when you attain these results:
- You have a CLI session open to your controller.
- Your initial setup is complete and you see the Cisco Controller prompt.

Task 2: Connect to the Controller
In this task, you will connect to the web GUI of your controller. Because your controller now has a basic configuration, you can connect to its Management Interface IP address through the VPN tunnel, without relying on the serial connection.

Activity Procedure
Complete these steps:
Step 1 Check that you are connected through the VPN tunnel to the remote lab network.
Step 2 If your Remote Desktop Connection is still open, close it.

Note Now that the controller has a web interface, all members of the group can connect simultaneously to the controller. Use this possibility to explore the controller interface, but keep in mind that it is preferable to avoid having two people working on the same feature, to avoid any confusion about the changes that might be made.

Step 3 From your class PC, open a browser session to your controller Management Interface IP address. Use HTTPS. You may have to disable your local proxy to access the web interface through the VPN tunnel.
Step 4 Click Continue to This Website to accept the self-signed certificate that the controller sent.
Step 5 Click the Login button.
Step 6 Enter the administrative username adminx (where x is your pod number), which you defined in the previous lab, and enter QWer1234 as the password.
Step 7 Click OK.
Step 8 You should see the controller Monitor Summary page.

Activity Verification
You have successfully completed this task when you attain this result:
- You are successfully connected to your controller web interface and see the Monitor Summary page.

Task 3: Allow Limited Remote Management
Through the terminal server, you have a serial connection to your controller. In this task, you will allow Telnet connections so that all members of your pod can access the CLI, which will be used mainly for debugging purposes.

Note This is a lab environment. In a production environment, you might want to consider the security strategy of the environment before allowing Telnet connections.

Activity Procedure
Complete these steps:
Step 1 From the web interface of the controller, in the upper menu, navigate to Management > Telnet-SSH.
Step 2 Notice that SSH sessions are already allowed. From the Allow New Telnet Sessions drop-down menu, choose Yes. Notice that Telnet sessions are limited to 5 minutes.
Step 3 Click Apply in the upper-right corner. You are now set up to allow Telnet sessions and SSH sessions.
Step 4 Test the connectivity: From your class PC, choose Start > All Programs > Accessories > Command Prompt.
Step 5 Enter telnet followed by the IP address of your controller service interface. The entry should be in the format telnet 10.x0.1.10 (where x is your pod number).
Step 6 When prompted, enter the administrative username adminx (where x is your pod number) that you defined in the previous lab, and enter QWer1234 as the password.
Step 7 Press Enter. You should get the 2504-1 prompt.
Step 8 Switch back to your browser.
Step 9 Navigate to Management > Mgmt Via Wireless.
Step 9 Check the Enable Controller Management To Be Accessible from Wireless Clients check box.
Step 10 Click Apply to commit the changes.
Step 11 Click Save Configuration to save the changes.
Step 12 Click OK.
Step 13 Click OK.

Activity Verification
You have successfully completed this task when you attain these results:
- You used Telnet to connect to the controller.
- You navigated to Management > Mgmt Via Wireless.

Task 4: Allow Open Authentication
In this task, you will modify the WLAN that you created during the initial setup, so that open authentication and associations are allowed.

Note This is a lab environment. In a production environment, you might want to consider the security strategy of the company before allowing open authentication WLANs into your network.

Activity Procedure
Complete these steps:
Step 1 From your controller web interface, in the upper menu, navigate to WLAN.
Step 2 Look at the profile that you created during the initial setup. By default, it should use WPA2/802.1X for authentication.
Step 3 Click the WLAN ID for your profile, IUWNE-x (where x is your pod number), to edit it.
Step 4 Make sure that, in the General tab, your WLAN status is set to Enable. Note that the SSID is broadcast by default.
Step 5 Click the Security tab.
Step 6 In the Layer 2 Security drop-down list, choose None to allow open authentication.
Step 7 Click Apply in the upper-right corner to validate the changes, read the warning, and then click OK to continue. The Security Policies field should now display None, which means that you allow open authentication to your WLAN.
Step 8 In the upper-right of the browser, choose the back button to return to the main WLAN page.

Activity Verification
You have successfully completed this task when you attain this result:
- You successfully modified your WLAN to allow open authentication.

Task 5: Create a DHCP Scope
In this task, you will create a DHCP scope to provide IP addresses to your wireless clients.

Note This is a lab environment. In a production environment, you might have an external DHCP server for all your clients. In that case, the management interface DHCP server IP address would be the network DHCP server IP address, instead of being the IP address of the controller itself. This limited internal DHCP server is recommended for 10 or fewer APs and their respective clients. DHCP option 43 is not supported.

Activity Procedure
Complete these steps:
Step 1 From your controller web interface, in the upper menu, navigate to Controller.
Step 2 In the left menu, click Internal DHCP server.
Step 3 Choose DHCP Scope.
Step 4 A new screen appears. Click New to create a new scope.
Step 5 In the Scope Name field, enter Scope x-1 (where x is your pod number).
Step 6 Click Apply to create the scope.
Step 7 A new window appears, showing your new scope in the list. This scope is disabled by default and does not have any range. Click its name to edit its settings.
Step 8 A new window appears. In the Pool Start Address field, enter the parameters that are listed in the table, where x is your pod number.

Internal DHCP Server Parameters

| Parameter | Value |
|---|---|
| Pool Start Address | 10.x0.1.21 |
| Pool End Address | 10.x0.1.25 |
| Network | 10.x0.1.0 |
| Netmask | 255.255.255.0 |
| Lease time | 14400 |
| Default Router | 10.x0.1.254 |
| DNS Server | 10.100.1.1 |
| Netbios Name Server | 10.100.1.1 |
| Status | Enabled |

Step 9 Review your scope to verify the values that you entered, and then click Apply to create the scope.
Step 10 Your new scope now appears in the list, with a status of Enabled.
Step 11 Save your configuration. In the upper menu, click Save configuration. Click OK twice to confirm that you want to save the configuration.

Activity Verification
You have successfully completed this task when you attain this result:
- You successfully created a scope for the clients that are on your controller.

Task 6: Configure APs
In this task, you will look for and configure the AP name on the controller.

Activity Procedure
Complete these steps:
Step 1 From your controller web interface, in the upper menu, navigate to Monitor.
The AP Summary should show two APs. Contact your instructor if you do not see two APs in the list.
Step 2 Click the Detail link for the All APs entry.
Step 3 Click the entry for the AIR-CAP3502I AP.
Step 4 Click General.
Step 5 In the AP Name field, enter podx-3502 (where x is your pod number).
Step 6 Click Apply, and then click OK.
Step 7 Click the entry for the 1142 AP.
Step 8 Click General.
Step 9 In the AP name field, enter 1142-x (where x is your pod number).
Step 10 Click Apply, and then click OK.
Step 11 Click Save Configuration.
Step 12 In the warning window, click OK.
Step 13 Click OK to acknowledge that your files have been saved successfully.

Activity Verification
You have successfully completed this task when you attain these results:
- You successfully verified that your APs have connected to the controller.
- You successfully changed the name of your APs.

Lab 2-2: Downgrading a Controller-Based AP to an Autonomous AP
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will migrate this CAPWAP AP to an autonomous AP. You will give your autonomous AP a basic configuration and test it.
After completing this activity, you will be able to meet these objectives:
- Migrate a CAPWAP AP to an autonomous AP
- Configure an autonomous AP via its web interface
- Check the autonomous AP parameters

Visual Objective
The figure illustrates what you will accomplish in this activity.

[Figure: Remote Desktop, terminal server, Cisco Aironet 1142 Access Point]

Required Resources
These are the resources and equipment that are required to complete this activity:
- A PC with connectivity to the Internet
- The Cisco VPN client
- A connection to the remote terminal server, with a serial connection to your controller
- A connection to the remote terminal server, with a serial connection to your AP
- In the remote lab, a Cisco 2504 WLC
- In the remote lab, a Cisco Aironet 1142 Access Point
- In the remote lab, a laptop with a Cisco WLAN adapter

Job Aids
These job aids are available to help you complete the lab activity:
- Lab table

Lab Table—IP Addressing, Naming, and Information: Pods 1 to 4

| | Pod 1 | Pod 2 | Pod 3 | Pod 4 |
|---|---|---|---|---|
| Remote laptop address | 10.10.1.240 | 10.20.1.240 | 10.30.1.240 | 10.40.1.240 |
| Remote laptop login | student1 | student2 | student3 | student4 |
| Remote laptop password | cisco | cisco | cisco | cisco |
| Controller system name | 2504-1 | 2504-2 | 2504-3 | 2504-4 |
| Administrative user | admin1 | admin2 | admin3 | admin4 |
| Administrative password | QWer1234 | QWer1234 | QWer1234 | QWer1234 |
| AP IP address | 10.10.1.50 | 10.20.1.50 | 10.30.1.50 | 10.40.1.50 |
| AP IP mask | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 |
| AP SNMP RW community | private1 | private2 | private3 | private4 |
| Autonomous SSID | IUWNE-11 | IUWNE-21 | IUWNE-31 | IUWNE-41 |

Lab Table—IP Addressing, Naming, and Information: Pods 5 to 8

| | Pod 5 | Pod 6 | Pod 7 | Pod 8 |
|---|---|---|---|---|
| Remote laptop address | 10.50.1.240 | 10.60.1.240 | 10.70.1.240 | 10.80.1.240 |
| Remote laptop login | student5 | student6 | student7 | student8 |
| Remote laptop password | cisco | cisco | cisco | cisco |
| Controller system name | 2504-5 | 2504-6 | 2504-7 | 2504-8 |
| Administrative user | admin5 | admin6 | admin7 | admin8 |
| Administrative password | QWer1234 | QWer1234 | QWer1234 | QWer1234 |
| AP IP address | 10.50.1.50 | 10.60.1.50 | 10.70.1.50 | 10.80.1.50 |
| AP IP mask | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 |
| AP SNMP RW community | private5 | private6 | private7 | private8 |
| Autonomous SSID | IUWNE-51 | IUWNE-61 | IUWNE-71 | IUWNE-81 |

Task 1: Downgrade a Controller-Based AP to an Autonomous AP
In this task, you will downgrade your controller-based AP to an autonomous AP.

Activity Procedure
Complete these steps:
Step 1 Make sure that you have a VPN tunnel to the remote lab.
Step 2 Connect to your remote laptop by using Remote Desktop Connection: Choose Start > All Programs > Accessories > Remote Desktop Connection.

Note In each pod, only one connection at a time is possible to the remote laptop. With your partner, decide who will connect.

Step 3 Use the lab map to determine which IP address you should use to connect to your remote laptop. The address should be in the format 10.x0.1.240 (where x is your pod number).
| | © ome ‘Step4 —_ Inthe Remote Desktop Connection pop-up window, in the Computer field, enter the IP address of your remote laptop, and then click Connect. Stop5 Youre presented with a new window, in which you are asked to enter the credentials that are required to access your remote laptop. Use the lab map to know ‘hich userame and password are used to connect to your pod remote laptop. They should be in the format studentx and eisco (where x is your pod number). Step6 Enter the credentials and click OK. You should see the Windows desktop of your remote laptop. Step7 On your Desktop, locate a folder called Your-Tools. I you cannot locate this folder, check with your instructor. Also locate the tftpd32 program. ‘Step 8 Open the CAPWAP-to-I0S folder, and make sure that it contains the ¢1 142-k9w7- tat.default image file. This is the file that the AP will be looking for. The file contains a default Cisco 10S image for the Cisco Aironet 1142 Access Point platform. Ifthe file is not there, ask your instructor. Otherwise, close the folder. Stop9 Double-click the tftpd32 icon to launch the program. Step 10 Click the Browse button on the right side of the Current Directory field in the ‘fipd32 application, navigate to your desktop, and choose the CAPWAP-t0-10S folder. Stop 11 Inthe Server Interface drep-down list, choose 10.x0.1.240 (where x is your pod number). ‘B01 Cisco Syatoms, In lab Gude a7 eon Curent Decry [CADocumenis and Setngsstudet\ = Sevverinetace a eles Tip Sere |r ent HC? sever Soa ena] ad ner Step 12 Stop 13 Step 14 Step 15 slanting | pages Your TFTP server is ready to send the right image for the Cisco Aironet 1142 ‘Access Point. Keep the remote desktop session in the background. Open a CLI session to your Cisco2504 controller: Still from your remote wireless laptop, choose Start > All Programs > Accessories > Command Prompt. Enter telnet followed by the IP address of your controller Manager Interface. 
This entry should be in the format telnet 10.x0.1.10 (where x is your pod number).
Step 15 Enter your administrative user credentials. The username should be adminx (where x is your pod number) and the password is QWer1234.
Step 16 You should get the 2504-x prompt (where x is your pod number).
Step 17 Enter show ap summary to verify that your AP is here.
Step 18 You should see your AP name.
Step 19 Enter the following command: config ap tftp-downgrade 10.x0.1.240 c1142-k9w7-tar.default 1142-x (where x is your pod number). The 1142-x is the AP name that was assigned in the previous lab. This command does not generate any prompt on the controller.
Step 20 Navigate back to your remote laptop, and determine whether the TFTP server is providing the image to the rebooting AP.
Step 21 If the TFTP server is not providing the image, wait a few minutes, go back to your controller, and restart from Step 19.
Step 22 If the image is being provided to your AP, connect to the terminal server. From your class PC, choose Start > All Programs > Accessories > Command Prompt.
Step 23 At the command prompt, enter telnet followed by the IP address of the remote terminal server (10.1.1.252 or other if provided by your instructor).

    User Access Verification
    Username: student

Step 24 Enter the credentials (username student, password cisco or other if provided by your instructor) to access the terminal server.
Step 25 After successful login, you will be asked to choose the correct pod, podx (where x is your pod number). You will see a new menu, allowing you to connect to several devices in your group.
Take some time to familiarize yourself with the different options provided.

    1 Connect to Pod1
    2 Connect to Pod2
    3 Connect to Pod3
    4 Connect to Pod4
    5 Connect to Pod5
    6 Connect to Pod6
    7 Connect to Pod7
    8 Connect to Pod8
    9 Exit
    Please select menu item:1

Step 26 Use the menu to connect to your pod.
Step 27 Connect to the Cisco Aironet 1142 Access Point.

    ITEM  DEVICE NAME
    1     Connect to WLC2504
    2     Connect to AP3502
    3     Connect to AP1142
    4     EXIT
    Please enter command or selection:3

Step 28 You should be able to follow your AP download process and see the AP reboot, using the new image. While the AP boots, you should be able to see that it is using the c1140-k9w7 image, which is the default autonomous image, at different steps.

[Console output: AP boot log showing the flash file system check and the loading of the c1140-k9w7 image from flash]

Step 29 When this process is complete, you should be able to access the AP CLI. You might need to press Enter to activate the CLI.
[Console output: startup messages showing the line protocol on interface BVI1 changing state to up and interface BVI1 being assigned a DHCP address]

Step 30 Enter enable to access privileged mode. The password is Cisco (with a capital “C”).
Step 31 Enter show ip interface brief to check the IP addresses that are present on the AP.

[Console output: show ip interface brief, listing the BVI1 interface with a DHCP-assigned address]

Step 32 You should see that the IP address is assigned to the BVI interface, which is an indication that the AP is back to standalone mode. All the usual Cisco IOS commands, such as configure terminal, are available. Do not configure this AP further.

Activity Verification

You have successfully completed this task when you attain this result:

- Your CAPWAP-based Cisco Aironet 1142 Access Point is back to autonomous mode.

Task 2: Configure the Cisco Aironet 1142 Access Point

In this task, you will use basic commands to configure your AP with a static IP address from the command line.

Activity Procedure

Complete these steps:

Step 1 Start by configuring your standalone CLI interface for better ease of use. Enter configure terminal to enter configuration mode.
Step 2 Enter no ip domain-lookup. Using this command avoids a situation in which, if you mistype a command, the switch tries to resolve what you entered as a hostname.
Step 3 The system returns status messages to the console. This feature is sometimes disturbing if you are entering an instruction.
You can ask the system to redisplay what you were entering if a system message is sent to the console and interrupts what you were doing. To use this command, go to the console by entering line console 0. Then enter logging synchronous. From then on, when a message is sent to the console, what you were entering will be displayed again so that you can continue typing from where you were interrupted.
Step 4 Configure your AP with a static IP address. You want to configure the first and unique BVI interface. Enter interface BVI 1.
Step 5 Enter your AP IP address in the format 10.x0.1.50 (where x is your pod number). Enter ip address, followed by the IP address and mask of your AP.
Step 6 Enter end to return to privileged mode.
Step 7 Enter copy running-config startup-config to save the configuration.

    ap#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    ap(config)#interface BVI 1
    ap(config-if)#ip address 10.10.1.50 255.255.255.0
    ap(config-if)#end
    ap#cop
    *Mar  1 00:10:46.679: %SYS-5-CONFIG_I: Configured from console by console
    ap#copy run start
    Destination filename [startup-config]?
    Building configuration...

Step 8 Verify that your AP is in range of your controller. Try to send a ping to your controller. Enter ping followed by your controller Management Interface IP address, in the format ping 10.x0.1.10 (where x is your pod number). The ping should be successful.

    ap#ping 10.10.1.10
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.10.1.10, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Step 9 Reduce but do not close the window.

Activity Verification

You have successfully completed this task when you attain this result:

- You made sure that your AP is in standalone mode and that its IP address is statically defined.
Task 3: Configure Your Standalone AP from the GUI

In this task, you will create an SSID with which your Windows client can associate.

Activity Procedure

Complete these steps:

Step 1 Make sure that you have a VPN connection to the remote lab.
Step 2 From your class PC, open an HTTP session to your AP address, which you configured during the previous task and which should be 10.x0.1.50 (where x is your pod number). Use HTTP, not HTTPS.
Step 3 The username is blank; the password is Cisco (with a capital “C”).
Step 4 You should be at the home page of your AP.
Step 5 In the left menu, click Express Set-Up.
Step 6 In the Host Name field, enter your AP name in the form 1142-x (where x is your pod number).
Step 7 Leave the IP address assignment that was assigned during the previous task of manual configuration. Do not change the values that are already present.
Step 8 In the Default Gateway field, enter 10.x0.1.254 (where x is your pod number).
Step 9 In the SNMP Community field, enter privatex (where x is your pod number).
Step 10 Click the Read-Write radio button to make sure that the AP can be managed by using this SNMP community.
Step 11 At the bottom right of the page, click Apply to validate the changes. Read the warning and click OK to continue.
Step 12 If prompted, enter password Cisco.
Step 13 In the left menu, choose Express Security.
Step 14 In the SSID field, enter IUWNE-x1 (where x is your pod number).
Step 15 Check the Broadcast SSID in Beacon check box.
Step 16 In the VLAN section, choose No VLAN because you do not want to tag frames coming from this simple SSID.
Step 17 In the Security section, choose No Security for an open authentication-based SSID, without any encryption.
Step 18 At the bottom right corner of the Express Security Set Up window, click Apply to validate the changes. Read the warning and click OK to continue.
Step 19 You now need to enable your radio to allow this SSID to be sent out. In the left menu, choose Network Interfaces, and then click Radio1-802.11N5GHz.
Step 20 Click the Settings tab.
Step 21 In the Enable Radio options, choose Enable.
Step 22 Click Apply at the bottom right of the page to validate the change. If prompted, click OK to continue.
Step 23 Your AP is ready to provide connections. The configuration that is entered from the web interface is saved automatically. Close the AP web browser.
Step 24 Use your local class PC to initiate a remote connection to the remote laptop to verify that it can see the new SSID that is being broadcast by the standalone AP. Choose Start > All Programs > Accessories > Remote Desktop Connection.

Note: In each pod, only one connection at a time is possible to the remote laptop. With your partner, decide who will connect.

Step 25 Use the lab table in the Job Aids section to verify which IP address you should use to connect to your remote laptop. The address should be in the format 10.x0.1.240 (where x is your pod number).
Step 26 In the Remote Desktop Connection window, in the Computer field, enter the IP address of your remote laptop, and click Connect.
Step 27 A new window appears, in which you are asked to enter the credentials that are required to access your remote laptop. Use the lab table in the Job Aids section to verify which username and password to use to connect to your remote laptop. They should be in the format studentx/cisco (where x is your pod number).
Step 28 Enter the credentials and click OK. You should see the Windows desktop of your remote laptop.
Step 29 From your remote laptop, choose Start > Control Panel > Network and Internet > Network and Sharing Center > Change Adapter Settings.
Step 30 Locate your wireless connection.
Step 31 Right-click the wireless connection and choose Enable, if it is not already enabled.
Step 32 Click the Network icon in the system tray.
Step 33 You should see the WLAN that you just created. Click the WLAN, and then click Connect.
Step 34 After a few seconds, the connection status should change to Waiting for the network to be ready.
Step 36 Click Details to check the connectivity limitation.
Step 37 Your WLAN works properly for connection verification. Close the Network Connection Details window. Close the Wireless Network Connection Status window.
Step 38 You do not need to stay connected to this WLAN.
Click the WLAN icon in the system tray and click Disconnect.
Step 39 Read the warning and click OK to continue.
Step 40 In the Wireless Network Connection window, right-click your wireless connection and choose Disable.
Step 41 Close the Wireless Network Connection window. Do not close Remote Desktop Connection.

Activity Verification

You have successfully completed this task when you attain these results:

- Your AP has a configured SSID.
- You could associate to the WLAN that was created in the exercise.

Lab 3-1: Configuring Cisco AnyConnect Secure Mobility Client

Complete this lab activity to practice what you learned in the related module.

Activity Objective

In this activity, you will configure a WLAN on the controller. Using the Cisco AnyConnect Secure Mobility Client, you will then create a profile to connect to the newly created WLAN. After completing this activity, you will be able to meet these objectives:

- Create a WLAN on the controller
- Configure Cisco AnyConnect Secure Mobility Client to create a profile
- Check the client Cisco Compatible Extensions version on the controller

Visual Objective

The figure illustrates what you will accomplish in this activity.

[Figure: Lab 3-1: Configuring Cisco AnyConnect Secure Mobility Client]

Required Resources

These are the resources and equipment that are required to complete this activity:

- A PC with connectivity to the Internet
- The Cisco VPN client
- In the remote lab, a Cisco 2504 WLC
- In the remote lab, a Cisco Aironet 3502 Access Point
- In the remote lab, a laptop with a Cisco WLAN adapter
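Looking back at Lab 2-2: the autonomous AP ends that lab managed over HTTP, with a read-write SNMP community and an open, unencrypted SSID. The Python example below is an addition to this page, not part of the Cisco lab guide; it audits a running-config for exactly those three settings. Both configuration excerpts are constructed samples built from standard Cisco IOS autonomous AP commands (assumed to be what the GUI steps generate), and the names `parse_blocks` and `audit` are hypothetical.

```python
"""Audit an autonomous AP running-config for the settings configured in Lab 2-2."""
import re
from typing import List, Tuple

# Constructed sample (not captured from a device): an excerpt such as the
# pod 1 AP could show after Lab 2-2. Passwords are omitted.
LAB_CONFIG = """\
hostname 1142-1
!
dot11 ssid IUWNE-11
   authentication open
   guest-mode
!
interface Dot11Radio1
 no ip address
 ssid IUWNE-11
!
interface BVI1
 ip address 10.10.1.50 255.255.255.0
!
ip http server
no ip http secure-server
snmp-server community private1 RW
!
end
"""

# Constructed sample: the same AP with WPA2-PSK, HTTPS-only management and a
# read-only community. The passphrase and community string are placeholders.
HARDENED_CONFIG = """\
hostname 1142-1
!
dot11 ssid IUWNE-11
   authentication open
   authentication key-management wpa version 2
   wpa-psk ascii 0 EXAMPLE-PLACEHOLDER-PASSPHRASE
!
interface Dot11Radio1
 encryption mode ciphers aes-ccm
 ssid IUWNE-11
!
no ip http server
ip http secure-server
snmp-server community EXAMPLE-RO-STRING RO
!
end
"""


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Split an IOS config into (top-level command, [indented sub-commands])."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(line)  # sub-command of the previous block
        else:
            blocks.append((line, []))
    return blocks


def audit(config: str) -> List[Tuple[str, str]]:
    """Return (finding code, detail) pairs in the order they appear in the config."""
    findings: List[Tuple[str, str]] = []
    for head, subs in parse_blocks(config):
        tokens = head.split()
        ssid = re.fullmatch(r"dot11 ssid (.+)", head)
        if ssid:
            keyed = any(s.startswith("authentication key-management") for s in subs)
            if "authentication open" in subs and not keyed:
                findings.append(("SSID_NO_KEY_MGMT",
                                 f"SSID {ssid.group(1)}: open authentication, "
                                 "no WPA key management"))
        elif head == "ip http server":
            # A leading "no" would make the line differ, so this is the enabled form.
            findings.append(("HTTP_PLAINTEXT", "web management served over HTTP"))
        elif (tokens[:2] == ["snmp-server", "community"]
              and "RW" in [t.upper() for t in tokens[3:]]):
            # Never echo the community string into a report.
            findings.append(("SNMP_RW", "read-write community configured (string withheld)"))
    return findings


if __name__ == "__main__":
    for code, detail in audit(LAB_CONFIG):
        print(f"{code:18} {detail}")
```

The audit reads only a saved configuration, so it can be run against the output of show running-config without touching the AP.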
Job Aids

These job aids are available to help you complete the lab activity:

- Lab table

Lab Table—IP Addressing, Naming, and Information: Pods 1 to 4

 | Pod 1 | Pod 2 | Pod 3 | Pod 4
Remote laptop address | 10.10.1.240 | 10.20.1.240 | 10.30.1.240 | 10.40.1.240
Remote laptop login | student1 | student2 | student3 | student4
Remote laptop password | cisco | cisco | cisco | cisco
Controller system name | 2504-1 | 2504-2 | 2504-3 | 2504-4
Administrative user | admin1 | admin2 | admin3 | admin4
Administrative password | QWer1234 | QWer1234 | QWer1234 | QWer1234
Management interface IP address | 10.10.1.10 | 10.20.1.10 | 10.30.1.10 | 10.40.1.10
Interface name | data11 | data21 | data31 | data41
VLAN | 11 | 21 | 31 | 41

Lab Table—IP Addressing, Naming, and Information: Pods 5 to 8

 | Pod 5 | Pod 6 | Pod 7 | Pod 8
Remote laptop address | 10.50.1.240 | 10.60.1.240 | 10.70.1.240 | 10.80.1.240
Remote laptop login | student5 | student6 | student7 | student8
Remote laptop password | cisco | cisco | cisco | cisco
Controller system name | 2504-5 | 2504-6 | 2504-7 | 2504-8
Administrative user | admin5 | admin6 | admin7 | admin8
Administrative password | QWer1234 | QWer1234 | QWer1234 | QWer1234
Management interface IP address | 10.50.1.10 | 10.60.1.10 | 10.70.1.10 | 10.80.1.10
Interface name | data51 | data61 | data71 | data81
VLAN | 51 | 61 | 71 | 81

Task 1: Configure the Required Interfaces for Data WLAN

In this task, you will configure the Cisco 2504 WLC device with the required interfaces and WLAN.

Activity Procedure

Complete these steps:

Step 1 Check that you are connected through the VPN tunnel to the remote lab network.
Step 2 If Remote Desktop Connection is still open, close it.

Note: Now that the controller has a web interface, all members of the group can connect simultaneously to the controller. Use this possibility to explore the controller interface, but keep in mind that it is preferable to avoid having two people working on the same feature, to avoid any confusion about changes that might be made.
Step 3 From your class PC, open a browser session to your controller Management Interface IP address. Use HTTPS. You might need to disable your local proxy to access the web interface through the VPN tunnel.
Step 4 Click Continue to This Website to accept the self-signed certificate that the controller sent.
Step 5 Click the Login button.
Step 6 Enter the administrative username adminx (where x is your pod number) that you defined in the previous lab, and enter QWer1234 as the password.
Step 7 You should see the controller Monitor Summary page.
Step 8 In the top menu bar, click Controller. The controller General page appears.
Step 9 Click Interfaces in the left-hand menu.
Step 10 Click New (in the upper-right corner of the page).
Step 11 In the Interface Name field, enter datax1 (where x is your pod number).
Step 12 In the VLAN Identifier field, enter x1 (where x is your pod number) as the VLAN ID for the datax1 interface.
Step 13 Click Apply to create the interface.
Step 14 A new screen, in which you can configure your interface details, appears. Enter the parameters for your pod, as listed in the table.
Interface Parameters (VLANs x1)

Parameter | Pod 1 | Pod 2 | Pod 3 | Pod 4
Port Number | 1 | 1 | 1 | 1
VLAN Identifier | 11 | 21 | 31 | 41
IP Address | 10.11.1.10 | 10.21.1.10 | 10.31.1.10 | 10.41.1.10
Netmask | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 | 255.255.255.0
Gateway | ro1tat | yo2tat | 103144 | toatt4
Primary DHCP Server | 10.10.1.10 | 10.20.1.10 | 10.30.1.10 | 10.40.1.10

Parameter | Pod 5 | Pod 6 | Pod 7 | Pod 8
Port Number | 1 | 1 | 1 | 1
VLAN Identifier | 51 | 61 | 71 | 81
IP Address | 10.51.1.10 | 10.61.1.10 | 10.71.1.10 | 10.81.1.10
Netmask | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 | 255.255.255.0
Gateway | 705144 | yo6ta.4 | tortta | yost14
Primary DHCP Server | 10.50.1.10 | 10.60.1.10 | 10.70.1.10 | 10.80.1.10

Step 15 Click Apply.
Step 16 Click OK at the prompt.
Step 17 Click Save Configuration.
Step 18 In the warning window, click OK.
Step 19 Click OK to acknowledge that your files have been saved successfully.

Activity Verification

You have successfully completed this task when you attain this result:

- You successfully created and saved the datax1 (where x is your pod number) interface.

Task 2: Configure DHCP Pool for Data (VLAN x1) Clients on the WLAN Controller

In this task, you will create DHCP pools for data clients on the controller.

Activity Procedure

Complete these steps:

Step 1 From your controller web interface, in the top menu bar, navigate to Controller.
Step 2 In the left-hand menu, click Internal DHCP Server > DHCP Scope.
Step 3 In the DHCP Scopes window, click New to create a new scope.
Step 4 In the Scope Name field, enter datax1 (where x is your pod number).
Step 5 Click Apply to create the scope. A new window appears, showing your new scope in the list. The scope is disabled by default and does not have any range.
Step 6 Click datax1 (where x is your pod number) to edit its settings.
Step 7 A new window appears. In the Pool Start Address field, enter the parameters that are listed in the table (where x is your pod number).

Internal DHCP Server Parameters

Parameter | Value
Pool Start Address | 10.x1.1.201
Pool End Address | 10.x1.1.220
Network | 10.x1.1.0
Netmask | 255.255.255.0
Lease Time | 86400
Default Routers | tox
Status | Enabled

Step 8 Review your scope to check the values that you entered, and then click Apply to create the scope. You will return to the DHCP Scopes page.
Step 9 Click Save Configuration.
Step 10 In the warning window, click OK.
Step 11 Click OK to acknowledge that your files have been saved successfully.

Activity Verification

You have successfully completed this task when you attain this result:

- You successfully created a scope for the clients that are on your controller and have saved the datax1 (where x is your pod number) DHCP pool.

Task 3: Configure WLANs for Data

In this task, you will create WLANs to provide data that uses the default security policy.

Activity Procedure

Complete these steps:

Step 1 From your controller web interface, in the top menu bar, choose WLANs.
Step 2 Choose Create New from the drop-down menu and click Go to create a new WLAN.
Step 3 In the Profile Name field, enter mydata.
Step 4 In the WLAN SSID field, enter datax1 (where x is your pod number).
Step 5 Click Apply to validate the name. A new window, showing the WLAN details, opens.
Step 6 Check the Status Enabled check box.
Step 7 In the Radio Policy drop-down menu, choose 802.11b/g Only.
Step 8 In the Interface drop-down menu, choose datax1 (where x is your pod number).
Step 9 From the Security sheet choose Layer 2. From the Layer 2 Security drop-down arrow choose None.
Step 10 Click Apply. Choose WLANs.
Step 11 Click Save Configuration.
Step 12 Click OK to confirm that you want to save the configuration.
Step 13 Click OK to acknowledge that your files have been successfully saved.

Activity Verification

You have successfully completed this task when you attain this result:

- You successfully created and saved the mydata WLAN.

Task 4: Configure Cisco AnyConnect Secure Mobility Client to Connect to the Data WLAN

In this task, you will create a profile in Cisco AnyConnect Secure Mobility Client to connect to the data WLAN.

Activity Procedure

Complete these steps:

Step 1 Use your local class PC to initiate a remote connection to the remote wireless laptop to verify that it can see this new broadcast SSID that the AP is broadcasting. Choose Start > All Programs > Accessories > Remote Desktop Connection.

Note: In each pod, only one connection at a time is possible to the remote laptop. With your partner, decide who will connect.

Step 2 Use the lab table in the job aids to verify what IP address you should use to connect to your remote laptop.
It should be in the format 10.x0.1.240 (where x is your pod number).
Step 3 In the Remote Desktop Connection window, in the Computer field, enter the IP address of your remote laptop, and then click Connect.
Step 4 A new window appears, in which you are asked to enter the credentials that are required to access your remote laptop. Use the lab table in the Job Aids section to verify which username and password to use to connect to your pod laptop. Use the format studentx/cisco (where x is your pod number).
Step 5 Enter the credentials and click OK. You should see the Windows desktop of your remote laptop.
Step 6 Start the Cisco AnyConnect Secure Mobility Client Connection: Choose Start > Control Panel > Network and Internet > Network Sharing Center.
Step 7 Choose Change Adapter Settings.
Step 8 Right-click the Cisco AnyConnect Secure Mobility Client Connection and choose Enable.
Step 9 Right-click the wireless connection and choose Properties.
Step 10 On the Networking tab, check the Cisco AnyConnect Network Access Manager Filter Driver check box.
Step 11 Click OK.
Step 12 Right-click your wireless connection and choose Enable.
Step 13 Click the Cisco AnyConnect Secure Mobility Client icon in the system tray, to launch the Cisco AnyConnect Secure Mobility Client.
Step 14 In the Network drop-down list, choose your SSID datax1 (where x is your pod number).
Step 15 The Cisco AnyConnect Client should now connect to the selected SSID.
Step 16 From the Cisco AnyConnect client, click Advanced Networks.
Step 17 The Network Access Manager (NAM) displays the connected SSID as a saved profile.
Step 18 Highlight your SSID datax1 (where x is your pod number).
Step 19 Click Edit to change the name of the saved profile.
Step 20 Enter mydata in the Descriptive Name field.
Step 21 Click OK.
Step 22 Close the Cisco AnyConnect window.

Activity Verification

You have successfully completed this task when you attain this result:

- You successfully created and connected to the mydata network profile.

Task 5: Verify Connectivity

In this task, you will verify connectivity to the datax1 SSID.

Activity Procedure

Complete these steps:

Step 1 From your controller web interface, in the upper menu, navigate to Monitor.
Step 2 Scroll to Client Summary to view the number of clients that are connected. You should see one client that is connected.
Step 3 Click Detail to the right of the Current Clients entry.
Step 4 Click your Client MAC Address.
Step 5 The screen confirms that your client has connected to the AP.
Step 6 Confirm that the IP address matches the one that is configured on the client.
Step 7 Note the Cisco Compatible Extensions version.
Activity Verification

You have successfully completed this task when you attain this result:

- You successfully confirm you have connected to the datax1 SSID.

Lab 3-2: Experiencing Connections and Roaming

Complete this lab activity to practice what you learned in the related module.

Activity Objective

In this activity, you will experiment with connection features and roaming. For this lab, you will work in a team with another pod. Both pods will create the same WLAN, and you will see how your client can roam from one to the other. After completing this activity, you will be able to meet these objectives:

- Create a WLAN that is common to two pods
- Connect to a specific AP
- Force roaming from one AP to the other

Visual Objective

The figure illustrates what you will accomplish in this activity.

[Figure: Lab 3-2: Experiencing Connections and Roaming]

Required Resources

These are the resources and equipment that are required to complete this activity:

- A PC with connectivity to the Internet
- The Cisco VPN client
- In the remote lab, two Cisco 2504 WLCs
- In the remote lab, two Cisco Aironet 3502 Access Points
- In the remote lab, a laptop with a Cisco WLAN adapter

Job Aids

These job aids are available to help you complete the lab activity:

- Lab table

Lab Table—Naming and Information: Pods 1 to 4

 | Pod 1 | Pod 2 | Pod 3 | Pod 4
WLAN | IUWNE-ROAM12 | IUWNE-ROAM12 | IUWNE-ROAM34 | IUWNE-ROAM34
Mobility group | Pod12 | Pod12 | Pod34 | Pod34

Lab Table—Naming and Information: Pods 5 to 8

 | Pod 5 | Pod 6 | Pod 7 | Pod 8
WLAN | IUWNE-ROAM56 | IUWNE-ROAM56 | IUWNE-ROAM78 | IUWNE-ROAM78
Mobility group | Pod56 | Pod56 | Pod78 | Pod78

Task 1: Create a Common WLAN

In this task, you will create a WLAN that is common to two pods.

Activity Procedure

Complete these steps:

Step 1 Check that you are connected, through the VPN tunnel, to the remote lab network.
Step 2 From your class PC, open a browser session to your Cisco 2504 WLC Management Interface IP address (https://10.x0.1.10). You might need to disable your local proxy to access the web interface through the VPN tunnel.
Step 3 Click OK to accept the self-signed certificate that the controller sent.
Step 4 Click Login.
Step 5 Enter the administrative username that you defined in the previous lab and the password (adminx for the username and QWer1234 for the password).
Step 6 You should see the controller Monitor Summary page.
Step 7 In the upper menu, click WLAN.
Step 8 You should see the WLAN that you created earlier. Click the WLAN ID to edit its settings.
Step 9 Uncheck the Status Enabled check box. You do not want this WLAN to be currently active. Click Apply to validate the change.
Step 10 Click Back to return to the WLAN page list.
Step 11 From the WLAN page list, in the upper-right part of the window, click Go to create a new WLAN.
Step 12 In the Profile Name field, enter Roaming. In the WLAN SSID field, enter the name of the WLAN, IUWNE-ROAMx (where x is your shared pod number between two pods).

Note: The name is in all capitals and is case-sensitive.

Step 13 Click Apply to validate the name.
Step 14 A new window opens, showing the WLAN details.
Step 15 Check the Status Enabled check box.
Step 16 In the Radio Policy drop-down list, choose 802.11a Only.
Step 17 From the Interface/Interface Group(G) drop-down list, choose dat your pod number)
Step 18 Click the Security tab.
Step 19 In Layer 2 Security, choose None.
Step 20 Click Apply to create the WLAN with these settings.
Step 21 In the upper menu, click Wireless.
Step 22 You should see your AP. Note that its Ethernet MAC address is shown. You want to know the radio MAC address. In the left menu, choose Radios > 802.11a/n.
Step 23 You should see your AP, along with its radio MAC address. Document this MAC address:

Radio MAC address:

Step 24 To be able to roam, not only do you need to have a common WLAN, but the controllers also need to be in the same mobility group. In the upper menu, click Controller.
Step 25 In Default Mobility Domain Name and RF-Group Name, enter your common group name. Refer to the following table:

Pod   | 1     | 2     | 3     | 4     | 5     | 6     | 7     | 8
Name  | Pod12 | Pod12 | Pod34 | Pod34 | Pod56 | Pod56 | Pod78 | Pod78

Note: Names are case-sensitive.

Step 26 Click Apply to validate the change. Click OK on the warning screen.
Step 27 The controllers are now in the same mobility group but do not communicate with each other. In the left menu, choose Mobility Management > Mobility Groups.
Step 28 You see your controller details.
Document the controller Management IP address and built-in MAC address.

Management IP address:

Note: The built-in MAC address is a MAC address that is common to the whole system rather than to a specific port. This MAC address is reachable through any port and characterizes the system as a whole.

Step 29 In the upper-right part of the screen, click New to create a new member to your mobility group.
Step 30 Ask your partner pod for its controller IP address and built-in MAC address, and enter the values in the corresponding fields.
Step 31 Click Apply to create the new member.
Step 32 Your Local Mobility Group list now shows two members.
Step 33 To verify connectivity to the other controller, hover over the arrow at the right end of the entry that describes your partner controller, and then choose Ping.
Step 34 The ping should be successful. If it is not, verify your values.
Step 35 Your controllers are now ready to offer intercontroller connectivity and roaming. Do not close the web browser window.

Activity Verification

You have successfully completed this task when you attain these results:

- You can create a roaming WLAN.
- Your controller is in the same mobility group as your partner controller, and they can successfully send a ping to each other.

Task 2: Connect to the Right AP

In this task, you will associate to this WLAN and make sure that both partners associate to the same AP. To achieve this, you need to make sure that only one AP is available at a time.

Activity Procedure

Complete these steps:

Note: Steps 1 through 8 are for even-numbered pods (2, 4, 6, and 8), to disable their radios. Odd-numbered pods can proceed to Step 8.

Step 1 In the controller web browser window, click Wireless in the upper menu.
Step 2 In the left menu, choose Radios > 802.11a/n.
Step 3 You should now see your AP.
Step 4 Hover over the arrow at the end of the line, and then choose Configure.
Step 5 A new window appears with your AP 802.11a/n radio details.
Step 6 In the General section, set the Admin Status to Disable to turn off your radio.
Step 7 Click Apply to validate the change. Click Back to return to the radio list.
Step 8 The AP should appear in the list, with its Operational Status set to Down and its Admin Status set to Disable. Even-numbered pods can now proceed to Step 15 to configure the remote laptop.

Note: Steps 9 through 14 are for odd-numbered pods (1, 3, 5, and 7), to remove any existing client associations. Even-numbered pods should have finished Step 8 and proceeded to Step 15.

On the odd-numbered pod controllers, the AP radio should still be up. At this point, only one AP in the mobility group is up, which guarantees that the client will connect to this AP only. One last step needs to be performed: remove the client trace from the controllers. Otherwise, the client will not connect to the controller that you expect. You will see why later on.

Step 9 In the upper menu, click Monitor.
Step 10 In the left menu, click Clients.
Step 11 A new window appears. You should see at least one client. If you do not see any clients, move directly to Step 15.
Step 12 Hover over the arrow at the right end of the entry that describes each client, and then choose Remove. Be careful not to choose Disable.
Step 13 Click OK to confirm that you want to delete this client from the controller cache. Repeat the operation for any other clients that you see in the list.
Step 14 No client should be left in the list.
Step 15 Connect to your remote laptop from your class PC: Choose Start > All Programs > Accessories > Remote Desktop Connection.

Note: In each pod, only one connection at a time is possible to the remote laptop. With your partner, decide who will connect.

Step 16 Use the lab table to determine which IP address you should use to connect to your remote laptop. Use the format 10.x0.1.240 (where x is your pod number).
Step 17 In the Remote Desktop Connection pop-up window, in the computer field, enter the IP address of your remote laptop, and click Connect.
Step 18 You are presented with a new window in which you are asked to enter the credentials that are required to access your remote laptop. Use the lab table to determine which username and password to use. Use the format studentx for the username and cisco for the password (where x is your pod number).
Step 19 Enter the credentials, and then click OK. You should see the Windows desktop of your remote laptop.
Step 20 From your remote laptop, open Cisco AnyConnect Secure Mobility Client.
Step 21 The IUWNE-ROAMx SSID should appear in the list. Click Connect.
Step 22 The connection should be successful.
Step 23 After connecting, choose Advanced from Cisco AnyConnect Secure Mobility Client.
Step 24 Choose the IUWNE-ROAMx SSID.
Step 25 Choose Statistics.
Step 26 A new window appears.
Verify that you are connected to the correct WLAN (IUWNE-ROAM). Also check the speed of the connection. It should be of 802.11n type.
Step 27 Document the obtained IP address:
Step 28 Close the Network Access Manager window.
Step 29 Try to ping your partner pod laptop wireless connection. Open a command prompt: choose Start > All Programs > Accessories > Command Prompt.
Step 30 Ask for your partner pod's respective IP address, which is documented in Step 27. Notice that, in the wireless space, both machines are in the same subnet because they connected to the same WLAN, which connects to the same controller.
Step 31 At the command prompt, enter ping -t followed by your partner pod laptop IP address.
Step 32 The ping should be successful and carry on without interruption. Notice the variable time that each ping takes. The frame needs to travel from your laptop to the AP, then from the AP to your partner laptop. The laptop answers with a frame that must travel all the way back. At each step, CSMA/CA and contention windows might imply a different delay. Let the ping continue without interrupting it and proceed to the next task, leaving the command prompt window open.

You have successfully completed this task when you attain these results:

- You successfully connected to the roaming profile.
- Both partners are connected within the same subnet.

Task 3: Use Roaming

In this task, you will force your clients to roam from one AP to the other.

Activity Procedure

Complete these steps:

Step 1 Reopen the web session to your controller.
Step 2 Click Monitor. From the left menu, choose Clients.
Step 3 A new window appears. On the controllers of the odd-numbered pods (1, 3, 5, 7), you should see both laptops as clients to your controller. These clients are connecting through the controller 3502i AP.
Step 4 On the controllers of the even-numbered pods (2, 4, 6, 8), you should still see no client because your AP radio is disabled.

Note: Steps 5 through 12 are for even-numbered pods (2, 4, 6, and 8), to enable their respective AP radios.

In the controller web browser window, click Wireless in the upper menu.
Step 5 In the left menu, choose Radios > 802.11a/n.
Step 6 You should see that your AP is set to Disable.
Step 7 Hover over the arrow at the end of the entry line and choose Configure.
Step 8 A new window appears with your AP 802.11a/n radio details.
Step 9 In the General section, set the Admin Status to Enable. This action turns on your radio.
Step 10 Click Apply to validate the change. Click Back to return to the radio list.
Step 11 The AP should show in the list, with its radio Operational Status set to Up and its Admin Status set to Enable. Note that the channel is on.
Step 12 On the odd-numbered pod (1, 3, 5, 7) controllers, the AP radio should also be up. At this point, both APs are up, but on different channels.
Step 13 Repeat Steps 2 to 4 to make sure that, even though two APs are now available, the clients did not roam to the second AP.

Note: The clients have no reason to roam if the connection on the first AP offers a good enough connection.

Step 14 Now, force the roaming by disabling the first AP, to force the client to look for and roam to another AP that serves the same SSID.
Note: Steps 15 through 21 are for the odd-numbered pods (1, 3, 5, 7), to disable their radios and to force clients to search for another AP for association.

Steps 15 to 26:

In the controller web browser window, click Wireless in the upper menu.

In the left menu, choose Radios > 802.11a/n.

You should see your AP.

Hover over the arrow at the end of the entry line and choose Configure.

A new window appears with your AP 802.11a/n radio details.

In the General section, set the Admin Status to Disable. This will turn down your radio. Do not click Apply yet.

Before clicking Apply, make sure that you have a connection to your remote laptop and see the window in which the machine is sending pings to your partner IP address. Be ready to go back to that window as soon as you click Apply in the web browser session.

Then, click Apply to validate the change.

In your laptop session, look at the ping window. A few pings should be timing out, while your WLAN card realizes that the connection is not available anymore (no ACK to one of the pings), then scans all the channels to find another AP that serves the same SSID and reassociates. From a rate of about 1 ping per second, try to evaluate how many seconds were lost in the process.

Now both clients associate through the AP and controller of the second (even-numbered) pod.

Re-open the web session to your controller.

Click Monitor. From the left menu, choose Clients.

Step 27 A new window appears. On the even-numbered controllers, you should now see the two clients that have roamed.
Click your client and note that the mobility role status is Foreign. Also note that the IP address has not changed from the one that you documented earlier.
Step 28 On the odd-numbered pod controllers, you should still see both laptops as clients to your controller. The AP name has changed and now indicates that the other controller is the AP and that the protocol changed from 802.11n to Mobile. The new controller proxies the connection for your clients, but keeps in memory that they must remain on the same subnet as they were before and that they come from the first controller. Also note that the mobility role status is Anchor.
Step 29 If your AP 802.11a radio was disabled, re-enable it.
Step 30 From your controller web interface, click Save configuration from the upper menu. Click OK to confirm.

Activity Verification

You have successfully completed this task when you attain these results:

- You can roam from one AP to the other.
- You can see the roaming and client caching feature.

Lab 4-1: Configuring WLC PSK Authentication

Complete this lab activity to practice what you learned in the related module.

Activity Objective

In this activity, you will configure a WLAN on the controller. Using the Cisco AnyConnect Secure Mobility Client, you will then scan the network, and create a profile to connect to the WLAN.
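Task 3 of Lab 3-2 asks you to estimate, from the running ping -t window, how many seconds were lost while the client roamed. The Python sketch below is an added example, not part of the lab guide: it parses saved Windows ping output, finds the longest run of lost probes, and converts it to seconds at the guide's rate of about one ping per second. The sample output, its addresses, and all function names are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# A successful probe as printed by Windows ping, for example
# "Reply from 192.0.2.52: bytes=32 time=3ms TTL=128" (also "time<1ms").
REPLY = re.compile(r"^Reply from \S+ bytes=\d+ time[=<](\d+)ms TTL=\d+$")

# Lines that mean the probe was lost, compared in lower case.
FAILURES = ("request timed out", "destination host unreachable",
            "general failure", "transmit failed")

# Constructed sample: three good replies, a three-probe gap while the
# client rescans and reassociates, then replies through the second AP.
SAMPLE_PING_OUTPUT = """
Pinging 192.0.2.52 with 32 bytes of data:
Reply from 192.0.2.52: bytes=32 time=3ms TTL=128
Reply from 192.0.2.52: bytes=32 time=7ms TTL=128
Reply from 192.0.2.52: bytes=32 time=2ms TTL=128
Request timed out.
Request timed out.
Request timed out.
Reply from 192.0.2.52: bytes=32 time=12ms TTL=128
Reply from 192.0.2.52: bytes=32 time=4ms TTL=128
Request timed out.
Reply from 192.0.2.52: bytes=32 time=5ms TTL=128
"""


@dataclass
class RoamReport:
    probes: int                         # probes seen in the capture
    lost: int                           # probes without a usable reply
    longest_gap: int                    # longest run of consecutive losses
    gap_seconds: float                  # that run converted to seconds
    avg_rtt_before_ms: Optional[float]  # mean RTT before the longest gap
    avg_rtt_after_ms: Optional[float]   # mean RTT after the longest gap


def parse_probes(text: str) -> List[Optional[int]]:
    """Return one entry per probe: RTT in ms for a reply, None for a loss."""
    probes: List[Optional[int]] = []
    for raw in text.splitlines():
        line = raw.strip()
        match = REPLY.match(line)
        if match:
            probes.append(int(match.group(1)))
        elif any(marker in line.lower() for marker in FAILURES):
            probes.append(None)
        # Header, statistics and blank lines are ignored.
    return probes


def _mean(values: List[int]) -> Optional[float]:
    return sum(values) / len(values) if values else None


def roam_report(text: str, seconds_per_probe: float = 1.0) -> RoamReport:
    """Summarise a ping capture taken across a forced roam.

    seconds_per_probe defaults to the guide's "about 1 ping per second";
    pass another value if the capture was taken with different timing.
    """
    probes = parse_probes(text)
    best_start, best_len, run_start = 0, 0, None
    # The trailing 0 is a sentinel reply that closes a run at end of input.
    for index, rtt in enumerate(probes + [0]):
        if rtt is None:
            if run_start is None:
                run_start = index
        elif run_start is not None:
            if index - run_start > best_len:
                best_start, best_len = run_start, index - run_start
            run_start = None
    replies = [p for p in probes if p is not None]
    if best_len == 0:
        before, after = replies, []      # no loss at all: nothing to split
    else:
        before = [p for p in probes[:best_start] if p is not None]
        after = [p for p in probes[best_start + best_len:] if p is not None]
    return RoamReport(
        probes=len(probes),
        lost=len(probes) - len(replies),
        longest_gap=best_len,
        gap_seconds=best_len * seconds_per_probe,
        avg_rtt_before_ms=_mean(before),
        avg_rtt_after_ms=_mean(after),
    )


if __name__ == "__main__":
    print(roam_report(SAMPLE_PING_OUTPUT))
```

To use it on a real run, redirect the ping output to a file on the remote laptop and pass the file's contents to roam_report.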
After completing this activity, you will be able to meet these objectives:

- Configure PSK for an existing WLAN
- Configure Cisco AnyConnect Secure Mobility Client to create a profile

Visual Objective

The figure illustrates what you will accomplish in this activity.

Required Resources

These are the resources and equipment that are required to complete this activity:

- A PC with connectivity to the Internet
- The Cisco VPN client
- In the remote lab, a Cisco 2504 WLC
- In the remote lab, a Cisco Aironet 3502 Access Point
- In the remote lab, a laptop with a WLAN adapter

Job Aids

These job aids are available to help you complete the lab activity:

- Lab table with Pod IP addresses

Lab Table—IP Addressing, Naming, and Information: Pods: 1 to 4

                        | Pod 1       | Pod 2       | Pod 3       | Pod 4
Remote laptop address   | 10.10.1.240 | 10.20.1.240 | 10.30.1.240 | 10.40.1.240
Remote laptop login     | student1    | student2    | student3    | student4
Remote laptop password  | cisco       | cisco       | cisco       | cisco

Lab Table—IP Addressing, Naming, and Information: Pods: 5 to 8

                        | Pod 5       | Pod 6       | Pod 7       | Pod 8
Remote laptop address   | 10.50.1.240 | 10.60.1.240 | 10.70.1.240 | 10.80.1.240
Remote laptop login     | student5    | student6    | student7    | student8
Remote laptop password  | cisco       | cisco       | cisco       | cisco

Task 1: Configure the Data WLAN for PSK

In this task, you will configure the Cisco 2504 WLC device with the required PSK on the Data WLAN.

Activity Procedure

Complete these steps:

Step 1 Check that you are connected, through the VPN tunnel, to the remote lab network.
Step 2 If your Remote Desktop Connection is still open, close it.

Note: Now that the controller has a web interface, all members of the group can connect simultaneously to the controller. Use this possibility to explore the controller interface, but keep in mind that it is preferable to avoid having two people working on the same feature, to avoid any confusion about changes that might be made.
Step 3 From your class PC, open a browser session to your controller Management Interface IP address. Use HTTPS. You might need to disable your local proxy to access the web interface through the VPN tunnel.
Step 4 Click Continue to This Website to accept the self-signed certificate that the controller sent.
Step 5 Click the Login button.
Step 6 Enter the administrative username adminx (where x is your pod number) that you defined in the previous lab, and QWer1234 as the password.
Step 7 From your controller web interface, in the top menu bar, choose WLANs > WLANs.
Step 8 Click the mydata WLAN ID to open the WLAN.
Step 9 Enable the mydata WLAN.
Step 10 Click the Security tab.
Step 11 From the Layer 2 Security drop-down list, choose WPA + WPA2.
Step 12 Check the WPA2 Policy check box.
Step 13 To the right of WPA2 Encryption, check the AES check box.
Step 14 Choose PSK in the Auth Key Mgmt drop-down list.
Step 15 Enter the password Hovetrainingtoday in the PSK area.
Step 16 Click Apply.
Step 17 Click Save Configuration.
Step 18 In the warning window, click OK.
Step 19 Click OK to acknowledge that your files have been saved successfully.

Activity Verification

- You will verify this configuration upon completion of the next task.

Task 2: Configure Cisco AnyConnect Secure Mobility Client to Connect to the Data WLAN by Using PSK

In this task, you will connect to the mydata WLAN by using PSK.

Activity Procedure

Complete these steps:

Step 1 Use your local class PC to initiate a remote connection to the remote laptop to verify that it can see this new broadcast SSID being broadcasted by the standalone AP. Choose Start > All Programs > Accessories > Remote Desktop Connection.

Note: In each pod, only one connection at a time is possible to the remote laptop. With your partner, decide who will connect.

Step 2 Use the lab table to verify which IP address you should use to connect to your remote laptop. Use the format 10.x0.1.240 (where x is your pod number).
Step 3 In the Remote Desktop Connection window, in the Computer field, enter the IP address of your remote laptop, and click Connect.
Step 4 A new window appears, in which you are asked to enter the credentials that are required to access your remote laptop. Use the lab table in the job aids to verify which username and password to use to connect to your remote laptop. Use the format studentx/cisco (where x is your pod number).
Step 5 Enter the credentials and click OK. You should see the Windows desktop of your remote laptop.
Step 6 Start the Cisco AnyConnect Secure Mobility Client Connection: Choose Start > Control Panel > Network and Internet > Network and Sharing Center > Change Adapter Settings.
Step 7 Right-click the Cisco AnyConnect Secure Mobility Client connection and choose Enable.
Step 8 Click the Cisco AnyConnect Secure Mobility Client icon from the system tray to launch the Cisco AnyConnect Secure Mobility Client.
Step 10 From the Network drop-down list, choose your SSID datax1 (where x is your pod number).
Step 11 The Cisco AnyConnect Client should now connect to the selected SSID.
Step 12 The Network Access Manager displays the connected SSID.
Step 13 Enter Descriptive Name datax1-PSK (where x is your pod number).
Step 14 Enter the Key Hovetrainingtoday.
Step 15 Click OK to save the Profile.
Step 16 Choose Advanced and then the statistics tab to verify that you have connected to the datax1-PSK profile (where x is your pod number).
Step 17 Close the Cisco AnyConnect window.

Activity Verification

You have successfully completed this task when you attain this result:

- You successfully created and connected to the datax1-PSK network profile.

Lab 4-2: Configuring Cisco Autonomous Access Point PSK Authentication

Complete this lab activity to practice what you learned in the related module.

Activity Objective

In this activity, you will configure a Cisco Aironet 1142 Access Point for PSK authentication. Using the Cisco AnyConnect Secure Mobility Client, you will then scan the network, and create a profile to connect to the WLAN.
After completing this activity, you will be able to meet these objectives:

- Create PSK security on an autonomous AP
- Configure Cisco AnyConnect Secure Mobility Client to create a profile

Visual Objective

The figure illustrates what you will accomplish in this activity.

Required Resources

These are the resources and equipment that are required to complete this activity:

- A PC with connectivity to the Internet
- The Cisco VPN client
- In the remote lab, a Cisco Aironet 1142 Access Point
- In the remote lab, a laptop with a WLAN adapter

Job Aids

These job aids are available to help you complete the lab activity:

- Lab table with Pod IP addresses

Lab Table—IP Addressing, Naming, and Information: Pods: 1 to 4

                        | Pod 1       | Pod 2       | Pod 3       | Pod 4
Remote laptop address   | 10.10.1.240 | 10.20.1.240 | 10.30.1.240 | 10.40.1.240
Remote laptop login     | student1    | student2    | student3    | student4
Remote laptop password  | cisco       | cisco       | cisco       | cisco

Lab Table—IP Addressing, Naming, and Information: Pods: 5 to 8

                        | Pod 5       | Pod 6       | Pod 7       | Pod 8
Remote laptop address   | 10.50.1.240 | 10.60.1.240 | 10.70.1.240 | 10.80.1.240
Remote laptop login     | student5    | student6    | student7    | student8
Remote laptop password  | cisco       | cisco       | cisco       | cisco

Task 1: Configure the Autonomous AP for PSK

In this task, you will configure the Cisco Aironet 1142 Access Point with the required PSK on the IUWNE-x1 (where x is your pod number) SSID.

Activity Procedure

Complete these steps:

Step 1 Check that you are connected, through the VPN tunnel, to the remote lab network.
Step 2 If your Remote Desktop Connection is still open, close it.

Note: Now that the controller has a web interface, all members of the group can connect simultaneously to the controller. Use this possibility to explore the controller interface, but keep in mind that it is preferable to avoid having two people working on the same feature, to avoid any confusion about changes that might be made.
Step 3 From your class PC, open a browser session to your Autonomous Access Point Interface IP address, 10.x0.1.50.
Step 4 Enter the password
Step 5 From your Autonomous AP web interface, choose Security > Encryption Manager.
Step 6 Click the Cipher radio button.
Step 7 From the Cipher drop-down list, choose AES CCMP.
Step 8 Click Apply-All. Click OK.
Step 9 From your Autonomous AP web interface, choose Security > SSID Manager.
Step 10 Highlight your existing SSID, which should be in the form IUWNE-x1 (where x is your pod number).
Step 11 Scroll down to Client Authenticated Key Management.
Step 12 Choose Mandatory from the Key Management drop-down list.
Step 13 Check the Enable WPA check box.
Step 14 Choose WPAv2 from the Enable WPA drop-down list.
Step 15 Enter qwerty1234 as the WPA Pre-shared Key.
Step 16 Scroll down and click the first Apply button. Click OK.

Activity Verification

- You will verify this configuration upon completion of the next task.

Task 2: Configure Cisco AnyConnect Secure Mobility Client to Connect to the IUWNEx1 Using PSK

In this task, you will connect to the SSID using PSK.
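The pre-shared key entered in Task 1 above, and on the WLC in Lab 4-1, can be supplied as an ASCII passphrase or as hexadecimal. The Python sketch below is an added example, not part of the lab guide: it validates both formats and derives the 256-bit pairwise master key the way WPA/WPA2-Personal does (PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 iterations). The function names and the pod 1 and pod 2 SSIDs used in the demonstration are assumptions made for illustration.

```python
import hashlib
import string
from typing import Dict, Iterable

PMK_LEN = 32          # 256-bit pairwise master key
ITERATIONS = 4096     # fixed by the WPA/WPA2-Personal key derivation


def wpa_pmk(key: str, ssid: str, key_format: str = "ascii") -> bytes:
    """Validate a WPA pre-shared key and return the resulting PMK.

    key_format "ascii": 8 to 63 printable ASCII characters, stretched
                        with PBKDF2-HMAC-SHA1 using the SSID as salt.
    key_format "hex":   exactly 64 hexadecimal digits, used directly
                        as the 256-bit PMK (no derivation, no SSID salt).
    """
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 octets")

    if key_format == "hex":
        if len(key) != 64 or any(c not in string.hexdigits for c in key):
            raise ValueError("hex PSK must be exactly 64 hexadecimal digits")
        return bytes.fromhex(key)

    if key_format != "ascii":
        raise ValueError("key_format must be 'ascii' or 'hex'")
    if not 8 <= len(key) <= 63:
        raise ValueError("ASCII passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in key):
        raise ValueError("ASCII passphrase must be printable ASCII")

    return hashlib.pbkdf2_hmac(
        "sha1", key.encode("ascii"), ssid_bytes, ITERATIONS, PMK_LEN
    )


def pmk_per_ssid(passphrase: str, ssids: Iterable[str]) -> Dict[str, bytes]:
    """Derive the PMK for the same passphrase on several SSIDs.

    Because the SSID is the salt, the same passphrase yields a different
    PMK on every SSID, so a profile created for one SSID does not carry
    a reusable key for another.
    """
    return {ssid: wpa_pmk(passphrase, ssid) for ssid in ssids}


if __name__ == "__main__":
    # qwerty1234 is the key used in this lab; IUWNE-11 and IUWNE-21 are
    # the SSID form IUWNE-x1 filled in for pods 1 and 2 (assumed values).
    for name, pmk in pmk_per_ssid("qwerty1234", ["IUWNE-11", "IUWNE-21"]).items():
        print(f"{name}: {pmk.hex()}")
```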
Activity Procedure

Complete these steps:

Step 1 Use your local class PC to initiate a remote connection to the remote laptop, to verify that it can see this new broadcast SSID that the standalone AP is broadcasting. Choose Start > All Programs > Accessories > Remote Desktop Connection.

Note: In each pod, only one connection at a time is possible to the remote laptop. With your partner, decide who will connect.

Step 2 Use the lab table to verify which IP address you should use to connect to your remote laptop. Use the format 10.x0.1.240 (where x is your pod number).
Step 3 In the Remote Desktop Connection window, in the Computer field, enter the IP address of your remote laptop, and then click Connect.
Step 4 A new window appears, in which you are asked to enter the credentials that are required to access your remote laptop. Use the lab table to verify which username and password are used to connect to your remote laptop. Use the format studentx/cisco (where x is your pod number).
Step 5 Enter the credentials and click OK. You should see the Windows desktop of your remote laptop.
Step 6 Start the Cisco AnyConnect Secure Mobility Client Connection. Choose Start > Control Panel > Network and Internet > Network and Sharing Center > Change Adapter Settings.
Step 7 Right-click Cisco AnyConnect Secure Mobility Client Connection and choose Enable, if it is not already enabled.
Step 8 Click the Cisco AnyConnect Secure Mobility Client icon in the system tray, to launch the Cisco AnyConnect Secure Mobility Client.
Step 9 The Cisco AnyConnect Secure Mobility Client appears.
Step 10 From the Network drop-down list, choose your SSID IUWNEx1 (where x is your pod number).
Step 11 The Cisco AnyConnect Client should now connect to the selected SSID.
Step 12 The Network Access Manager displays the connected SSID.
Step 13 In the Descriptive Name field, enter IUWNEx1-PSK (where x is your pod number).
Step 14 In the Key field, enter qwerty1234.
Step 15 Select OK to save the profile.
Step 16 Click Advanced; choose the statistics tab to verify that you have connected to the IUWNEx1-PSK profile (where x is your pod number).
Step 17 Close the Cisco AnyConnect window.

Activity Verification

You have successfully completed this task when you attain this result:

- You successfully created and connected to the IUWNEx1-PSK network profile.

Lab 4-3: Configuring EAP-FAST Authentication with WPA

Complete this lab activity to practice what you learned in the related module.
Activity Objective

In this activity, you will create a secured WLAN on your Cisco 2504 WLC, using EAP-FAST for authentication that is based on a local EAP, with WPA for encryption. After completing this activity, you will be able to meet these objectives:

- Create and configure a local EAP-based EAP-FAST WLAN
- Configure the Cisco AnyConnect Secure Mobility Client to associate to this WLAN

Visual Objective

The figure illustrates what you will accomplish in this activity.

Required Resources

These are the resources and equipment that are required to complete this activity:

- A PC with connectivity to the Internet
- The Cisco VPN client
- In the remote lab, a Cisco 2504 WLC
- In the remote lab, a Cisco Aironet 3502 Access Point
- In the remote lab, a laptop with a WLAN adapter

Job Aids

These job aids are available to help you complete the lab activity:

- Lab table

Lab Table—IP Addressing, Naming, and Information: Pods: 1 to 4

                        | Pod 1       | Pod 2       | Pod 3       | Pod 4
Profile                 | EAP-FAST    | EAP-FAST    | EAP-FAST    | EAP-FAST
WLAN                    | IUWNE-FAST1 | IUWNE-FAST2 | IUWNE-FAST3 | IUWNE-FAST4
Local user name         | Fastuser1   | Fastuser2   | Fastuser3   | Fastuser4
Local user password     | cisco       | cisco       | cisco       | cisco
Remote laptop address   | 10.10.1.240 | 10.20.1.240 | 10.30.1.240 | 10.40.1.240
Remote laptop login     | student1    | student2    | student3    | student4
Remote laptop password  | cisco       | cisco       | cisco       | cisco

Lab Table—IP Addressing, Naming, and Information: Pods: 5 to 8

                        | Pod 5       | Pod 6       | Pod 7       | Pod 8
Profile                 | EAP-FAST    | EAP-FAST    | EAP-FAST    | EAP-FAST
WLAN                    | IUWNE-FAST5 | IUWNE-FAST6 | IUWNE-FAST7 | IUWNE-FAST8
Local user name         | Fastuser5   | Fastuser6   | Fastuser7   | Fastuser8
Local user password     | cisco       | cisco       | cisco       | cisco
Remote laptop address   | 10.50.1.240 | 10.60.1.240 | 10.70.1.240 | 10.80.1.240
Remote laptop login     | student5    | student6    | student7    | student8
Remote laptop password  | cisco       | cisco       | cisco       | cisco

Task 1: Create the WLAN

In this task, you will create a new WLAN to support this secure authentication.

Activity Procedure

Complete these steps:

Step 1 Check that you are connected, through the VPN tunnel, to the remote lab network.
Step 2 If your Remote Desktop Connection is still open, close it.

Note: Now that the controller has a web interface, all members of the group can connect simultaneously to the controller. Use this possibility to explore the controller interface, but keep in mind that it is preferable to avoid having two people working on the same feature, to avoid any confusion about changes that might be made.

Step 3 From your class PC, open a browser session to your controller Management Interface IP address. Use HTTPS. You might need to disable your local proxy to access the web interface through the VPN tunnel.
Step 4 Click Continue to This Website to accept the self-signed certificate that the controller sent.
Step 5 Click the Login button.
Step 6 Enter the administrative username adminx (where x is your pod number) that you defined in the previous lab, and enter QWer1234 as the password.
Step 7 Navigate to WLAN.
Step 8 Disable your SSIDs from the previous lab. Click the WLAN IDs, and a new screen appears.
Step 9 Uncheck the Enabled check box to the right of Status. Click Apply. Repeat these steps for each SSID.
Step 10  Your WLAN still appears in the list but is disabled. No connection will be allowed to this WLAN, and it will not be seen on the AP.

Note: Your controller could have several active WLANs, but in a crowded lab environment it is better to limit the WLAN to one.

Step 11  Click the Go button to create a new WLAN.
Step 12  In the screen that appears, leave the WLAN Type set to its default, WLAN. In the Profile Name field, enter EAP-FAST.
Step 13  In the SSID field, enter the correct SSID as indicated in the lab table. Use the form IUWNE-FASTx (where x is your pod number).
Step 14  Click the Apply button to create the new WLAN. A new edit screen appears.
Step 15  Check the Enabled check box next to Status, to activate the WLAN.
Step 16  In the Radio Policy field, choose 802.11a only.
Step 17  Leave the Interface/Interface Group(G) set to Management.
Step 18  Click Apply to create the WLAN.

Note: The WLAN security parameters are not yet configured; you will return to them later in this lab.

Activity Verification

You have successfully completed this task when you attain this result:

- You configured your controller for the FAST WLAN.

Task 2: Create the Local Net Users

In this task, you will then configure your controller to use local EAP with EAP-FAST.

Activity Procedure

Complete these steps:

Step 1  Create a local user. From the upper menu, navigate to Security.
Step 2  In the left menu, click Local Net Users.
Step 3  Click New to create a new local user.
Step 4  In the Username field, enter FastUserx (where x is your pod number).
Step 5  In the Password field, enter cisco.

Note: Do not click Guest User. You will not limit the user session in this task, and guest user applies only to web authentication-based WLANs.

Step 6  From the WLAN Profile drop-down list, choose IUWNE-FAST.
Step 7  In the Description field, enter Local Fast account.
Step 8  Click the Apply button to save the new user configuration.
Step 9  Specify to the controller that the user credentials should be retrieved from the controller. Choose Security > Local EAP > Authentication Priority.
Step 10  The column on the right is used to authenticate the client credentials. Verify that LDAP is in the left column, so that it will not be used. Otherwise, click LDAP, click the Less Than (<) button, and then click Apply. This action puts the user credentials in the local database first.
Step 11  Create a new EAP profile. This profile will be used to apply your policy to the EAP-FAST WLAN. Choose Security > Local EAP > Profiles.
Step 12  Click New.
Step 13  When the new window appears, enter the Profile Name. Use the format EAP-FASTx (where x is your pod number).
Step 14  Click Apply to create the profile.
Step 15  In the new window, check the EAP-FAST check box to apply your policy to EAP-FAST authentications.
Step 16  Click Apply.
Step 17  Click your profile name to check its settings.
Step 18  In the left menu, click EAP-FAST parameters.

... FAST WLAN ID to configure it.

Step 22  Click the Security tab.

Step 28  In the same tab, in the WPA+WPA2 Parameters section, check the WPA Policy check box.
Step 29  Check the TKIP check box to the right of WPA Encryption.
Step 30  Uncheck the WPA2 Policy check box because WPA is the only encryption that you want to use for this WLAN.
Step 31  Leave the Auth Key Mgmt drop-down list set to 802.1X, so that the client key rotation and values will be managed by the AAA server (in this case, your controller). Click Apply to validate the changes.
Step 32  Click Apply.
Step 33  Click Save Configuration.
Step 34  In the warning window, click OK.
Step 35  Click OK to acknowledge that your files have been saved successfully.

Activity Verification

You have successfully completed this task when you attain this result:

- You configured your controller for EAP-FAST local authentication.

Task 3: Configure the Client and Access the Network

In this task, you will configure your client for EAP-FAST and test the connection.

Activity Procedure

Complete these steps:

Step 1  Connect to your remote laptop by using Remote Desktop Connection: Choose Start > All Programs > Accessories > Remote Desktop Connection.

Note: In each pod, only one connection at a time is possible to the remote laptop. With your partner, decide who will connect.

Step 2  Use the lab table to determine which IP address you should use to connect to your remote laptop. Use the format 10.x0.1.240 (where x is your pod number).
Step 3  In the Remote Desktop Connection pop-up window, in the Computer field, enter the IP address of your remote laptop, and click Connect.
Step 4  You will be presented with a new window, in which you are asked to enter the credentials that are required to access your remote laptop. Use the lab table to verify which username and password to use to connect to your pod remote laptop. Use the format studentx for the username (where x is your pod number) and cisco for the password.
Step 5  Enter the credentials and click OK. You should see the Windows desktop of your remote laptop.
Step 6  From your remote laptop, choose Start > Control Panel > Network and Internet > Network and Sharing Center > Change Adapter Settings.
Step 7  Locate your wireless connection.
Step 8  Right-click the connection and choose Enable if it is not already enabled.
Step 9  Click the Cisco AnyConnect Secure Mobility Client icon from the system tray, to launch the Cisco AnyConnect Secure Mobility Client.
Step 10  The Cisco AnyConnect Secure Mobility Client appears.
Step 11  From the Network drop-down list, choose your SSID IUWNE-FASTx (where x is your pod number).
Step 12  The Cisco AnyConnect profile window opens. Confirm the settings.
Step 13  Click OK.
Step 14  Cisco AnyConnect Client prompts you for your username and password.
Step 15  Enter the password that you created along with the local net user in the previous task. The password should be cisco.
Step 16  Click OK to continue.
Step 17  Click Advanced and verify in the Statistics window that you did receive an IP address.

Activity Verification

You have successfully completed this task when you attain this result:

- You successfully associated to your EAP-FAST WLAN.

Lab 4-4: Configuring 802.1Q and Web Authentication

Complete this lab activity to practice what you learned in the related module.

Activity Objective

In this activity, you will set up a WLAN with web authentication as the security policy. This implementation provides an open connection to a user that requires a username and password security exchange. All network traffic is then transmitted in the clear. To provide that support, a new WLAN instance must be created to provide an SSID that the web authentication client will use. You must also define a Local Net User database and create the username and password entries. When the support for web authentication is configured correctly on the controller, you will log in by using the local net user username and password from a browser connection on your remote laptop.
After completing this activity, you will be able to meet these objectives:

- Create a VLAN interface on the controller
- Create a web authentication WLAN
- Connect to the WLAN
- Experiment with exclusion policies

Visual Objective

The figure illustrates what you will accomplish in this activity.

Required Resources

These are the resources and equipment that are required to complete this activity:

- A PC with connectivity to the Internet
- The Cisco VPN client
- In the remote lab, a Cisco 2504 WLC
- In the remote lab, a Cisco Aironet 3502 Access Point
- In the remote lab, a remote laptop with a Cisco WLAN adapter

Job Aids

These job aids are available to help you complete the lab activity:

- Lab table with pod IP addresses

Lab Table—IP Addressing, Naming, and Information: Pods: 1 to 4

| | Pod 1 | Pod 2 | Pod 3 | Pod 4 |
| Remote laptop address | 10.10.1.240 | 10.20.1.240 | 10.30.1.240 | 10.40.1.240 |
| Remote laptop login | student1 | student2 | student3 | student4 |
| Remote laptop password | cisco | cisco | cisco | cisco |
| 2504 WLC VLAN 90 ID | 90 | 90 | 90 | 90 |
| 2504 WLC VLAN 90 IP | 172.16.90.10 | 172.16.90.20 | 172.16.90.30 | 172.16.90.40 |
| 2504 WLC VLAN 90 netmask | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 |
| 2504 WLC VLAN 90 gateway | 172.16.90.253 | 172.16.90.253 | 172.16.90.253 | 172.16.90.253 |
| 2504 WLC VLAN 90 port | 1 | 1 | 1 | 1 |
| 2504 WLC VLAN 90 DHCP server | 172.16.90.253 | 172.16.90.253 | 172.16.90.253 | 172.16.90.253 |
| WLAN | IUWNE-Web1 | IUWNE-Web2 | IUWNE-Web3 | IUWNE-Web4 |
| Switch IP address | 10.10.1.253 | 10.20.1.253 | 10.30.1.253 | 10.40.1.253 |
| Switch username | student1 | student2 | student3 | student4 |
| Switch password | cisco | cisco | cisco | cisco |
| Controller interface on switch | GigabitEthernet0/… | GigabitEthernet0/… | GigabitEthernet0/… | GigabitEthernet0/… |
| Native VLAN | 10 | 20 | 30 | 40 |
| Local net username | webuser1 | webuser2 | webuser3 | webuser4 |
| Local net password | cisco | cisco | cisco | cisco |

Lab Table—IP Addressing, Naming, and Information: Pods: 5 to 8

| | Pod 5 | Pod 6 | Pod 7 | Pod 8 |
| Remote laptop address | 10.50.1.240 | 10.60.1.240 | 10.70.1.240 | 10.80.1.240 |
| Remote laptop login | student5 | student6 | student7 | student8 |
| Remote laptop password | cisco | cisco | cisco | cisco |
| 2504 WLC VLAN 90 ID | 90 | 90 | 90 | 90 |
| 2504 WLC VLAN 90 IP | 172.16.90.50 | 172.16.90.60 | 172.16.90.70 | 172.16.90.80 |
| 2504 WLC VLAN 90 netmask | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 |
| 2504 WLC VLAN 90 gateway | 172.16.90.253 | 172.16.90.253 | 172.16.90.253 | 172.16.90.253 |
| 2504 WLC VLAN 90 port | 1 | 1 | 1 | 1 |
| 2504 WLC VLAN 90 DHCP server | 172.16.90.253 | 172.16.90.253 | 172.16.90.253 | 172.16.90.253 |
| WLAN | IUWNE-Web5 | IUWNE-Web6 | IUWNE-Web7 | IUWNE-Web8 |
| Switch IP address | 10.50.1.253 | 10.60.1.253 | 10.70.1.253 | 10.80.1.253 |
| Switch username | student5 | student6 | student7 | student8 |
| Switch password | cisco | cisco | cisco | cisco |
| Controller interface on switch | GigabitEthernet0/… | GigabitEthernet0/… | GigabitEthernet0/… | GigabitEthernet0/… |
| Native VLAN | 50 | 60 | 70 | 80 |
| Local net username | webuser5 | webuser6 | webuser7 | webuser8 |
| Local net password | cisco | cisco | cisco | cisco |

Task 1: Create a VLAN Interface

In this scenario, the guest user WLAN is to send all users to VLAN 90, which links to a theoretical DMZ. You will use the Cisco 2504 WLC web interface to configure a VLAN interface to support the web authentication client traffic. In the next task, you will create a WLAN that will map to this VLAN.

Activity Procedure

Complete these steps:

Step 1  Check that you are connected, through the VPN tunnel, to the remote lab network.
Step 2  If your Remote Desktop Connection is still open, close it.

Note: Now that the controller has a web interface, all members of the group can connect simultaneously to the controller. Use this possibility to explore the controller interface, but keep in mind that it is preferable to avoid having two people working on the same feature, to avoid any confusion about changes that might be made.
Step 3  From your class PC, open a browser session to your controller Management Interface IP address. Use HTTPS. You might need to disable your local proxy to access the web interface through the VPN tunnel.
Step 4  Click Continue to This Website to accept the self-signed certificate the controller sent.
Step 5  Click the Login button.
Step 6  Enter the administrative username adminx (where x is your pod number) that you defined in the previous lab, and enter QWer1234 as the password.
Step 7  From the upper menu bar, choose the Controller > Interfaces option. Note the Controller options that are available in the left sidebar.
Step 8  In the main Interfaces window, click the New button.
Step 9  A new screen appears. In the Interface Name field, enter VLAN90.
Step 10  In the VLAN ID field, enter 90.
Step 11  Click Apply to create the interface.
Step 12  A new screen appears, in which you can configure your interface details. Enter the values for this new dynamic interface, as specified in the table.
| | Pod 1 | Pod 2 | Pod 3 | Pod 4 |
| VLAN 90 ID | 90 | 90 | 90 | 90 |
| VLAN 90 IP | 172.16.90.10 | 172.16.90.20 | 172.16.90.30 | 172.16.90.40 |
| VLAN 90 netmask | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 |
| VLAN 90 gateway | 172.16.90.253 | 172.16.90.253 | 172.16.90.253 | 172.16.90.253 |
| VLAN 90 WLC port | 1 | 1 | 1 | 1 |
| VLAN 90 DHCP server | 172.16.90.253 | 172.16.90.253 | 172.16.90.253 | 172.16.90.253 |

| | Pod 5 | Pod 6 | Pod 7 | Pod 8 |
| VLAN 90 ID | 90 | 90 | 90 | 90 |
| VLAN 90 IP | 172.16.90.50 | 172.16.90.60 | 172.16.90.70 | 172.16.90.80 |
| VLAN 90 netmask | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 |
| VLAN 90 gateway | 172.16.90.253 | 172.16.90.253 | 172.16.90.253 | 172.16.90.253 |
| VLAN 90 WLC port | 1 | 1 | 1 | 1 |
| VLAN 90 DHCP server | 172.16.90.253 | 172.16.90.253 | 172.16.90.253 | 172.16.90.253 |

Step 13  The gateway 172.16.90.253 acts as a DHCP server for clients of this subnet. The DHCP server is already configured on the gateway. Click Apply to validate the settings. Read the warning message and click OK to continue.
Step 14  Click Save Configuration.
Step 15  In the warning window, click OK.
Step 16  Click OK to acknowledge that your files have been saved successfully.

Activity Verification

You have successfully completed this task when you attain this result:

- You created a VLAN interface on your Cisco 2504 WLC.

Task 2: Create the WLAN

In this task, you will create a specific WLAN to support web authentication.

Activity Procedure

Complete these steps:

Step 1  Navigate to WLANs.
Step 2  Click the Go button to create a new WLAN.
Step 3  In the screen that appears, leave the WLAN type set to its default. In the Profile Name field, enter Web-Authentication.
Step 4  Assign the correct SSID, as indicated on your lab map. Use the format IUWNE-WEBx (where x is your pod number).
Step 5  Click the Apply button to create the new WLAN. A new edit screen appears.
Step 6  Check the Enabled check box next to Status, to activate the WLAN.
Step 7  Choose the VLAN90 interface that you created earlier.
Step 8  Click the Security tab.
Step 9  From the Layer 2 Security drop-down list, choose None. This WLAN will use web authentication (which is Layer 3) but no Layer 2 encryption or authentication.
Step 10  Click the Layer 3 Security tab.
Step 11  Check the Web Policy check box. Read the warning about DNS and click OK.
Step 12  There are two possible web policies. Leave the policy set to its default, Authentication.
Step 13  Click Apply to validate the WLAN settings.
Step 14  In the controller upper-right menu, click Ping.
Step 15  Enter your interface 90 IP address. Use the format 172.16.90.x0 (where x is your pod number).
Step 16  The ping is successful. You can ping your own interface in VLAN 90. Click OK to close.
Step 17  Click Ping again. Enter the switch IP address in VLAN 90. Use the format 172.16.90.253.
Step 18  The ping should be successful. Click OK to close the pop-up window.
Activity Verification

You have successfully completed this task when you attain these results:

- You disabled the WLAN from the previous lab.
- You successfully created a WLAN on your Cisco 2504 WLC that is associated to the VLAN 90 interface.
- You successfully sent a ping to the switch from the Cisco 2504 WLC.

Task 3: Create a Local Net User

You must create a local net user and define a password that you will provide when logging in as a web authentication client.

Activity Procedure

Complete these steps:

Step 1  From the upper menu, navigate to Security.
Step 2  In the left menu, click Local Net Users.
Step 3  Click New to create a new local user.
Step 4  In the Username field, enter webuserx (where x is your pod number).
Step 5  In the Password and Confirm Password fields, enter cisco.
Step 6  Do not click Guest User because you do not want to restrict the user lifetime.

Note: When you click Guest User, you can restrict the user credential lifetime. You could use this setting, but instead you will not restrict the credential lifetime and will leave the Guest User box unchecked.

Step 7  In the WLAN Profile drop-down list, choose Web-Authentication.
Step 8  In the Description field, enter a description for this user. Enter User for the Web authentication.
Step 9  Click the Apply button to save the new user configuration.

Activity Verification

You have successfully completed this task when you attain this result:

- You successfully created a local net user on your controller.

Task 4: Configure the Client

In this task, you will configure your remote laptop to connect to the new WLAN.
Activity Procedure

Complete these steps:

Step 1  Connect to your remote laptop: From your class PC, choose Start > All Programs > Accessories > Remote Desktop Connection.

Note: In each pod, only one connection at a time is possible to the remote laptop. With your partner, decide who will connect.

Step 2  Use the lab table to determine which IP address to use to connect to your remote laptop. Use the format 10.x0.1.240 (where x is your pod number).
Step 3  In the Remote Desktop Connection pop-up window, in the Computer field, enter the IP address of your remote laptop, and click Connect.
Step 4  You will be presented with a new window, in which you are asked to enter the credentials that are required to access your remote laptop. Use the lab table to determine which username and password to use to connect to your pod remote laptop. Use the format studentx/cisco (where x is your pod number).
Step 5  Enter the credentials and click OK. You should see the Windows desktop of your remote laptop.
Step 6  Start the Cisco AnyConnect Secure Mobility Client Connection. Choose Start > Control Panel > Network and Internet > Network and Sharing Center > Change Adapter Settings.
Step 7  Right-click the Cisco AnyConnect Secure Mobility Client Connection and choose Enable if it is not enabled.
Step 8  Click the Cisco AnyConnect Secure Mobility Client icon from the system tray to launch the Cisco AnyConnect Secure Mobility Client.
Step 9  The Cisco AnyConnect Secure Mobility Client appears.
Step 10  From the Network drop-down list, choose your SSID IUWNE-WEBx (where x is your pod number).
Step 11  After a few seconds, you should be connected. Open a command prompt to verify your IP address. Choose Start > All Programs > Accessories > Command Prompt.
Step 12  Enter ipconfig.
Step 13  Your wireless connection should have an IP address in the 172.16.90.0 range. This implies that you can reach the gateway as a DHCP client, to obtain an IP address. Enter ipconfig /all.
Step 14  Make sure that you have only one DNS server that is obtained through the wireless interface of 10.100.1.1. If you have more than one DNS server, report to your instructor.

Note: You will need DNS server contact to resolve a URL to the test page. If you have a DNS server on your LAN interface, Windows will always prefer it to the wireless one, and DNS resolution will fail for the example URL.

Step 15  Try to send a ping, through the controller, to the gateway. Enter ping 172.16.90.253. The ping should fail.
Step 16  Now ping your controller IP address in VLAN 90. Enter ping 172.16.90.x0 (where x is your pod number). The ping should fail. Although you had DHCP reachability, you do not have IP reachability as a client. This WLAN is based on web authentication, so to access the network, you need to be authenticated.
Step 17  Your controller will not present itself to a wireless client as the VLAN interface, but will always try to emulate the virtual IP address 1.1.1.1, regardless of which VLAN the wireless client should be sent to on the wired side of the network. Try to ping this virtual IP address. Enter ping 1.1.1.1. The ping should fail.
Step 18  In this specific lab environment, your remote laptop has two ways of getting to your controller: via the wired interface or via the wireless interface. For the wireless connection to be successful, you need to access the controller from the wireless interface. This implies creating a static route. Still from your command prompt, enter a host route. Enter route add 1.1.1.1 mask 255.255.255.255 172.16.90.253. This informs your remote laptop that only the wireless gateway should be used to reach your controller virtual IP address (1.1.1.1).
Step 19  Still from the command prompt, enter route add 10.100.1.1 mask 255.255.255.255 172.16.90.253. This route informs your remote laptop that reaching the DNS server should be done via the wireless interface, so that traffic flows via your controller and not your wired interface.
Step 20  From your remote laptop, open a browser. Verify that the pop-up blocker is disabled. In the address bar, enter test.example.com.

Note: A Web authentication page opens a pop-up window when connected. This page is not necessary in itself, but failure to see it makes it difficult to know whether you are successfully connected. Disabling the pop-up blocker for your browser is required in this lab environment.

Step 21  Click OK to accept the certificate. You should be redirected to your controller authentication page.
Step 22  In the User Name field, enter the local net user name that you created earlier. Use the format webuserx (where x is your pod number).
Step 23  In the Password field, enter your local net user password. Use the format cisco.
Step 24  Click Submit. The authentication should be successful. You should be redirected to a sample web page.
Step 25  From the command prompt, enter ping 172.16.90.253. The ping should be successful. Now that you are authenticated, you have full access to the network.
Step 26  In the web interface, click Logout.
Step 27  Close the web browser.

Activity Verification

You have successfully completed this task when you attain this result:

- You successfully logged in to the web authentication-based WLAN that you created.

Task 5: Exclude Clients

In the previous task, you logged in correctly and were granted access. This time, you will provide the wrong password each time you attempt to log in.

Activity Procedure

Complete these steps:

Step 1  Open a new web browser session.
Step 2  In the address bar, enter the address http://test.example.com.
Step 3  Press Enter to initiate the browser session.
Step 4  When the security alert appears, click Yes to continue.
Step 5  When the Login screen appears, log in by using the name of the local net user that you created, but this time use iforgot as the password.
Step 6  Repeat the login entries, counting each failed attempt.
Step 7  After three failed attempts, you should be excluded.
Step 8  Close the browser session.
Step 9  In the command prompt, enter route delete 10.100.1.1. Traffic to the DNS server does not need to go via the wireless interface anymore. Close the command prompt.
Step 10  From your class PC, open a web browser session to your Cisco 2504 WLC. The controller IP address should be in the format 10.x0.1.10 (where x is your pod number).
Step 11  Navigate to Management in the menu bar.
Step 12  Choose the Trap Logs option in the left sidebar menu, to bring up a list of recent trap events.
Step 13  Examine the information in the list. You should see the client exclusion event.

[Trap Logs screenshot: an entry with System Time "Thu Feb 14 04:26:58 2008" and Trap "Client Excluded: MACAddress:... Base Radio MAC:... Slot: 0 Reason:Web Authentication failed 3 times. ReasonCode: 4"]

Step 14  Document how many failed attempts were reported before you were excluded:
Step 15  From your controller web interface, click Save Configuration in the upper menu.
Step 16  Click OK.

Activity Verification

You have successfully completed this activity when you have attained these results:

- You have successfully been excluded from the controller.
- You viewed the Trap logs.

Lab 5-1: Configuring Controllers and APs from Cisco WCS

Complete this lab activity to practice what you learned in the related module.

Activity Objective

In this activity, you will connect to Cisco WCS and use it to manage your controller and AP.
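The client exclusion entry examined in Lab 4-4, Task 5 (Steps 12 to 14) can be tallied across a whole trap log rather than read one row at a time. The following Python is an added example, not part of the Cisco lab guide; it assumes one trap entry per line (system time, then the trap text with the fields in the order shown in the lab's Trap Logs screen), and the sample lines and MAC addresses are constructed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample, modelled on the "Client Excluded" entry in the lab's Trap Logs
# screen. MAC addresses are made up; the last line is deliberately malformed.
SAMPLE_TRAP_LOG = """\
Thu Feb 14 04:26:58 2008 Client Excluded: MACAddress:02:00:00:00:00:a1 Base Radio MAC :02:00:00:00:10:00 Slot: 0 Reason:Web Authentication failed 3 times. ReasonCode: 4
Thu Feb 14 04:27:30 2008 Unrelated trap text (constructed filler line)
Thu Feb 14 04:31:12 2008 Client Excluded: MACAddress:02:00:00:00:00:b2 Base Radio MAC :02:00:00:00:10:00 Slot: 1 Reason:Web Authentication failed 3 times. ReasonCode: 4
Thu Feb 14 04:40:05 2008 Client Excluded: MACAddress:02:00:00:00:00:A1 Base Radio MAC :02:00:00:00:10:00 Slot: 0 Reason:Web Authentication failed 3 times. ReasonCode: 4
Thu Feb 14 04:52:41 2008 Client Excluded: MACAddress:02:00:00:00:00:a1 Base Radio MAC :02:00:00:00:10:00 Slot: 0 Reason:Web Authentication failed 3 times. ReasonCode: 4
Thu Feb 14 05:10:00 2008 Client Excluded: MACAddress:02:00:00 Base Radio MAC :0 Slot: 0 Reason:cut short
"""

MAC = r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"
# Assumed line layout: "<system time> Client Excluded: MACAddress:<mac> Base Radio MAC :<mac>
# Slot: <n> Reason:<text> ReasonCode: <n>". Spacing around the colons is tolerated.
ENTRY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}),?\s+"
    r"Client Excluded:\s*MACAddress:\s*(?P<client>" + MAC + r")\s+"
    r"Base Radio MAC\s*:\s*(?P<radio>" + MAC + r")\s+"
    r"Slot:\s*(?P<slot>\d+)\s+"
    r"Reason:\s*(?P<reason>.+?)\s+ReasonCode:\s*(?P<code>\d+)\s*$"
)
FAILED_N_RE = re.compile(r"failed (\d+) times", re.IGNORECASE)


@dataclass(frozen=True)
class Exclusion:
    when: datetime
    client_mac: str
    radio_mac: str
    slot: int
    reason: str
    reason_code: int


def parse_exclusions(text):
    """Return (events, rejected): parsed exclusions and exclusion lines that did not parse."""
    events, rejected = [], []
    for line in text.splitlines():
        line = line.strip()
        if "Client Excluded:" not in line:
            continue  # some other trap type
        m = ENTRY_RE.match(line)
        if not m:
            rejected.append(line)  # keep malformed entries visible instead of dropping them
            continue
        events.append(Exclusion(
            when=datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
            client_mac=m["client"].lower(),
            radio_mac=m["radio"].lower(),
            slot=int(m["slot"]),
            reason=m["reason"],
            reason_code=int(m["code"]),
        ))
    return events, rejected


def repeat_offenders(events, window=timedelta(minutes=30), min_exclusions=2):
    """Map client MAC -> most exclusions seen inside any one sliding window."""
    by_client = defaultdict(list)
    for ev in events:
        by_client[ev.client_mac].append(ev.when)
    flagged = {}
    for mac, times in by_client.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_exclusions:
            flagged[mac] = best
    return flagged


def failed_attempts_by_client(events):
    """Sum the 'failed N times' counts reported in each client's exclusion reasons."""
    totals = defaultdict(int)
    for ev in events:
        m = FAILED_N_RE.search(ev.reason)
        totals[ev.client_mac] += int(m.group(1)) if m else 0
    return dict(totals)


if __name__ == "__main__":
    events, rejected = parse_exclusions(SAMPLE_TRAP_LOG)
    print("parsed:", len(events), "rejected:", len(rejected))
    print("repeatedly excluded:", repeat_offenders(events))
    print("failed web-auth attempts:", failed_attempts_by_client(events))
```

A client that is excluded once has most likely mistyped a password; one that returns to be excluded again within the window is the entry worth following up.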
After completing this activity, you will be able to meet these objectives:

- Create credentials on Cisco WCS
- Add a controller and AP to Cisco WCS
- Create a local net user on the controller from the Cisco WCS interface
- Manage the controller and AP from Cisco WCS

Visual Objective

The figure illustrates what you will accomplish in this activity.

Required Resources

These are the resources and equipment that are required to complete this activity:

- A PC with connectivity to the Internet
- The Cisco VPN client
- In the remote lab, a Cisco 2504 WLC
- In the remote lab, a Cisco Aironet 3502i Access Point
- In the remote lab, a Cisco WCS server

Job Aids

These job aids are available to help you complete the lab activity:

- Lab map for IP addressing and naming conventions

Lab Map—IP Addressing, Naming, and Information: Pods: 1 to 4

| | Pod 1 | Pod 2 | Pod 3 | Pod 4 |
| Cisco WCS user | Admin1 | Admin2 | Admin3 | Admin4 |
| Cisco WCS password | Public1! | Public1! | Public1! | Public1! |
| Controller IP address | 10.10.1.10 | 10.20.1.10 | 10.30.1.10 | 10.40.1.10 |
| AP new channel | 40 | 44 | 48 | 52 |

Lab Map—IP Addressing, Naming, and Information: Pods: 5 to 8

| | Pod 5 | Pod 6 | Pod 7 | Pod 8 |
| Cisco WCS user | Admin5 | Admin6 | Admin7 | Admin8 |
| Cisco WCS password | Public1! | Public1! | Public1! | Public1! |
| Controller IP address | 10.50.1.10 | 10.60.1.10 | 10.70.1.10 | 10.80.1.10 |
| AP new channel | 56 | 60 | 64 | 36 |

Task 1: Create Credentials on Cisco WCS and Customize the Interface

In this task, you will connect to Cisco WCS and create the credentials that you need.

Activity Procedure

Complete these steps:

Step 1  Verify that you have a VPN connection to the remote lab.
Step 2  From your local classroom PC, open a secure web browser session to the address https://10.100.1.1.

Note: On this server, the default web server is used for a previous lab. Make sure to use HTTPS, not HTTP.

Step 3  After a few seconds, a pop-up window appears, informing you that the certificate is self-signed. Click OK to continue.
Step 4  You should see a login screen like the one in the figure.
Step 5  Connect by using the credentials root as the username and Wlan2day as the password.
Step 6  If you log in successfully, you should see a monitor screen like the one in the figure. Take some time to look at what is displayed.
Step 7  You are logged in as root. You need to create your own user. Choose Administration > AAA.
Step 8  In the left menu, choose Users.
Step 9  A new screen appears. In the upper-right drop-down list, choose Add User. Click Go to continue.
Step 10  A new screen appears. In the Username field, enter Adminx (where x is your pod number).
Step 11  In the New Password and Confirm Password fields, enter Public1! This password conforms to the local policy password strength.
Step 12  In the Groups Assigned to This User section, check the Admin check box.
Step 13  Click Submit to validate.
Step 14  The message "User added successfully" should appear in the upper part of the screen.
Step 15  Choose Users in the left menu to verify.
Step 16  Your new user should appear in the list.
Step 17  In the upper-right menu, choose Logout. Log in again, using your user credentials.
Step 18  Cisco WCS allows each user to have a specific home page.
As an administrator, you ‘want to optimize this page. Asan example for this lab, you do not need the Mesh tab, and need to monitor controller CPU and memory load. Click Edit Tabs in the upper-right corner. jrelase Control System Step 19. A new window appears. Click Mesh in the Tab Order field, and choose Delete, Note that there is an option to Reset to Factory Default, a the bottom of this window Powe Up Move Son Resets Faro Default || Save) Caneel Step 20. Click Save. Stop 21. You are retumed to the Cisco WCS Home sereen, and the Mesh tab is removed. Click Edit Content in the upper-right part of the screen. 136 Implementing Cisco Unified Wireless Networking Essentas (IUWNE) v2.0 (© 2011 Cisco Systems, inc. Eat Content osname [ener faznan near ony r ‘toni Step22 A new screen appears, In the Available Components field, choose All Controllers: CPU Utilization (%), and click the Add to Left Column button. ‘step 23 In the Available Components field, click All Controlle (%), and click the Add to Right Column button. Stop 24 Click Save, Memory Utilization ‘step 25 The display returns to Cisco WCS Home, and the General tab now shows the Controller CPU and Memory values. Activity Verification ‘You have successfully completed this task when you attain these results: = You are connected to Cisco WCS with the user you created. You have a personalized home page. Task 2: Add a Controller and AP In this task, you will add your controller and your AP to Ciseo WCS. Activity Procedure ‘Complete these steps: Step1 To add your controller to Cisco WCS, choose Configure > Controllers. salve ‘cisco lwcsHome cae ener [ot [ie] tems ree ‘step2 Open the drop-down window on the right, choose the Add Controllers option, and then choose Go. B2011 Cisco Systems, ne lab Gude —187 Reboot Controllers JReboot Controllers and APs(Swap AP Images) Reboot Controllers and APs(Oo Not Swap AP Images) Download Software( TTP. 
Step 3 You will be prompted with a new screen, in which you will enter the IP address and netmask of the Management Interface on your WLC. Use the format 10.x0.1.10 (where x is your pod number).
Note: Note the SNMP Parameters section of the screen. Your controller will be discovered by using SNMP, for which the read and write community is defaulted to private on the controllers. In a production environment, you would change these defaults, which present a high security risk, both on Cisco WCS and on the controller, in Management > SNMP.
Step 4 Enter the administrator username and password. Use the format adminx (where x is your pod number) for the username and QWer1234 for the password.
Step 5 Click OK to start the search.
Step 6 After a short search, you should get a message that your controller has been added to Cisco WCS.
Step 7 Click the Home symbol in the upper-left part of the screen.
Step 8 Notice that the number of controllers has increased in the Inventory Detail Status.
Step 9 Choose Monitor > Controllers.
Step 10 Click the IP address of your controller.
Step 11 A new window appears, showing your controller main monitor page, seen from Cisco WCS. You could configure your controller directly from this page.
Step 12 Port No. 1 is green. Click the green Port icon.
Step 13 You should see a new screen that displays the port statistics.
Step 14 Choose System > WLAN from the left menu.
Step 15 A new page appears, showing the WLANs that are configured on the controller.
Step 16 In the upper menu, click Monitor > Access Points.
Step 17 You should see your AP in the Access Points list. Click 3502-x (where x is your pod number) for your 802.11b/g/n radio.

AAA > Local Net Users from the left menu.
Step 4 From the drop-down menu on the right, choose Add Local Net User. Click Go.
Step 5 Choose To Create a New Template for Local Net Users Click Here to Get Redirected to Template Creation Page. You will be redirected to the Local Net Users template page.
Step 6 Ensure that the Import from File check box is unchecked.
Step 7 Use the table to fill in the Local Net User Template dialog box (where x is your pod number).

Parameter         | Description
Template Name     | Localnetuserx
User Name         | Training
Password          | Cisco123
Confirm Password  | Cisco123
Profile           | Any Profile
Description       | Training user

Step 8 Click Save to confirm.
Step 9 Click Apply to Controllers to apply the new template to your controller.
Step 10 Check the check box to the left of the IP Address of your controller.
Step 11 Click OK.
Step 12 A dialog box appears, showing the results of applying your template. Verify that the Operation Status is Success.

Activity Verification
You have successfully completed this task when you attain this result:
- You were able to change a controller parameter from Cisco WCS.

Task 4: Manage the AP from Cisco WCS
In this task, you will configure your AP from Cisco WCS.

Activity Procedure
Complete these steps:
Step 1 From the upper menu, choose Configure > Access Points.
Note: Note that you can also choose AP Templates, to deploy a configuration parameter to several APs in one click. Do not choose that option.
Step 2 Click your AP 3502-x for your 802.11b/g/n radio (where x is your pod number).
Step 3 An Access Point Detail screen appears, showing your AP parameters. In the Location field, enter PODx (where x is your pod number).
Step 4 Click Save to validate the new location.
Step 5 In the lower part of the screen, locate the Radio Interfaces section. Click 802.11a/n to edit its settings.
Step 6 A new window appears with your AP 802.11a parameters. In the RF channel assignment, click Custom, and choose the channel for your pod. Refer to the table.

                | Pod 1 | Pod 2 | Pod 3 | Pod 4
AP new channel  | 40    | 44    | 48    | 52
                | Pod 5 | Pod 6 | Pod 7 | Pod 8
AP new channel  | 56    | 60    | 64    | 36

Step 7 In the Tx Power Level Assignment section, choose Custom, and choose 4 from the drop-down list.
Step 8 Click Save to validate the changes. Click OK.
Step 9 The values that you chose should now appear instead of the previous values.
Step 10 As in a previous lab, choose Global in both the RF Channel Assignment and Tx Power Level Assignment sections, without changing the values that you chose.
Step 11 Click Save to validate. Click OK.
Step 12 Choose Monitor > Access Points.
Step 13 Click your access point 3502-x for your 802.11a/n radio (where x is your pod number).
Step 14 Click the Interfaces tab.
Step 15 Verify that your AP has the values that Cisco WCS transmitted.
Note: The channel might have changed because of Auto RF.

Activity Verification
You have successfully completed this task when you attain this result:
- You changed your AP parameters from Cisco WCS.

Lab 5-2: Working with Cisco WCS
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will add a map to Cisco WCS and position your AP on it. After completing this activity, you will be able to meet these objectives:
- Add maps to Cisco WCS
- Enhance the map by adding walls
- Position an AP on the map and manage the AP

Visual Objective
The figure illustrates what you will accomplish in this activity.

Maps > System Campus > Building > Floorx (where x is your pod number).
Step 10 Make sure that you are on your floor map area.
Step 11 In the upper-right drop-down menu, choose Add Access Points. Click Go to continue.
Step 12 A new window appears, showing the list of the available APs. Click your AP. Click OK to continue.
Step 14 Position your AP exactly in the center of the grid in the middle of the lab (138 horizontal, 79 vertical).
Step 15 In the left menu, verify or choose your antenna. The 802.11a/n radio uses the Internal-3500i-5GHz. This antenna points toward the lab door (270 degrees). The antenna also points slightly downward (10 degrees).
Step 16 In the upper part of the window, note that your AP Height value is 9.68 feet (2.95 m) from the floor. Click Save to validate your AP position.
Step 17 The map is refreshed, taking your AP into consideration.
Step 18 To filter the AP, expand Floor Settings > Access Points > AP Filter.
Step 19 A new window appears.
Step 20 From the Protocol drop-down list, choose 802.11a/n.
Step 21 From the Display drop-down list, choose Channels.
Step 22 From the RSSI Cutoff drop-down list, choose the recommended -65 dBm.
Step 23 Click OK to validate.
Step 24 Click Save Settings to make this view your default.
Step 25 The heat map should refresh.
Step 26 Close the Layer menu.
Step 27 Hover over your AP. A new menu shows your AP characteristics. Click the 802.11a/n tab. Document your AP channel:
Step 28 Click the AP Info tab. Document your AP uptime:
Step 29 Document the CAPWAP uptime:
Note: The difference between the AP uptime and the CAPWAP uptime is the time that it took for your AP to join the controller.
Step 30 Close the AP window.
Step 31 The AP is placed incorrectly. It should be over the LAB 153 label on the map. From the upper-right drop-down list, choose Position APs.
Step 32 Click OK to continue.
Step 33 Click your AP and drag it to position it over the LAB 153 label.
Step 34 Click Save to validate the changes.
Step 35 You want to verify the coverage pattern of your AP. In the upper-right drop-down list, choose Recompute RF Prediction. Note the other available options.
Step 36 Click Go.
Step 37 The map refreshes with the most recent values.

Activity Verification
You have successfully completed this task when you attain this result:
- You successfully added your AP.

Task 2: Locate a Client on the Map
In this task, you will locate your client on the map.

Activity Procedure
Complete these steps:
Step 1 Navigate to Monitor > Maps > System Campus > Building > Floorx (where x is your pod number).
Step 2 Make sure that you are on your floor map area. To filter the AP, expand Floor Settings > Access Points > AP Filter. A new window appears. From the Protocol drop-down list, choose 802.11a/n. From the Display drop-down list, choose Assoc Client.
Step 6 Click OK to validate.
Step 7 Click Save Settings to make this view your default.
Step 8 The heat map should refresh.
Step 9 Close the Layer menu.
Step 10 The AP should display the connected client.
Step 11 Hover over the 1 Clients label and click.
Step 12 The client filter window opens.
Step 13 To view more details about the client, click the entry under Client User Name.
Step 14 Review the details.

Activity Verification
You have successfully completed this task when you attain this result:
- You successfully located your client on the map.

Lab 5-3: Monitoring the Network and Containing Devices
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will use Cisco WCS tools to manage alarms and to locate devices. After completing this activity, you will be able to meet these objectives:
- Use Cisco WCS to monitor events
- Use Cisco WCS to locate devices
- Use Cisco WCS to contain a rogue

Visual Objective
The figure illustrates what you will accomplish in this activity.
[Figure: Lab 5-3: Monitoring the Network and Containing Devices. Labels: VPN, router, class PC, Cisco 2504 WLC, remote desktop, Cisco Aironet 3502i Access Point]

Required Resources
These are the resources and equipment that are required to complete this activity:
- A PC with connectivity to the remote lab
- In the remote lab, a Cisco 2504 WLC
- In the remote lab, a Cisco Aironet 3502i Access Point
- In the remote lab, a Cisco WCS server
- A remote lab wireless laptop

Job Aids
There are no job aids required to complete the lab activity.

Task 1: Monitor Events
In this task, you will connect to Cisco WCS and check the event dashboard. You will learn to use the events and to create reports.

Activity Procedure
Complete these steps:
Step 1 Verify that you have a VPN connection to the remote lab.
Step 2 Verify that you are still connected to Cisco WCS, having a secure web browser session to the address https://10.100.1.1
Note: Be sure to use HTTPS, not HTTP.
Step 3 Navigate to the Home page.
Step 4 At the top-left of the page, locate the Alarm Summary dashboard.
Step 5 Expand the Alarm Summary by clicking the blue Down Arrow icon. You should see some Rogue AP alarms. Click the number that you see listed for Rogue AP alarms.
Step 6 The events that are labeled with a yellow circle represent the APs that are not known by each controller. For example, controller 2504-1 reports the AP on controller 2504-3 as being rogue, because these two controllers are in different mobility groups. Controllers do not report APs that are seen on other controllers in the same mobility group but report any other AP. Therefore, you might see your controller report APs from other pods as rogue, or see the controllers from outside your mobility group report the APs from your pod as rogue.
Step 7 Look at the alarms. All states should be set to Alert.
Step 8 Click the MAC address of one of the APs.
Step 9 A new screen appears, showing detailed information about the alarm.
Step 10 If the rogue is on the same channel as one of your APs, you should see the rogue channel information. If the rogue is on another channel, it might be flagged as unknown because your AP might hear only a distant signal and be unsure of the channel. Look at the time and date that the alarm was created. This was the first time that the rogue was detected on your network.
Step 11 Document when this alarm was created, which is the time that your AP first detected the rogue:
Step 12 You want to know which AP detected this rogue. From the upper-right drop-down window, choose View Detecting AP on Network. Click Go.
Step 13 A new screen appears, giving you details about the AP or APs that detected the rogue.

Activity Verification
You have successfully completed this task when you attain this result:
- You detected rogues from the dashboard.

Task 2: Contain a Rogue
In this task, you will try to contain a rogue device.

Activity Procedure
Complete these steps:
Step 1 Open Cisco AnyConnect Mobility Client from the system tray.
Step 2 Connect to the IUWNE-x1-PSK profile. You should connect to the network.
Step 3 Open a command prompt. Click Start > All Programs > Accessories > Command Prompt.
Step 4 You want to send a continuous ping to your controller, but you also want to make sure that you are using the wireless link, not the wired link.
Step 5 In the command prompt, check your IP address. Enter ipconfig.
Step 6 You will see the IP address of your Cisco WLAN adapter. Enter a static route, using this IP address to reach your controller virtual gateway IP address. Enter route add 10.x0.1.50 mask 255.255.255.255 followed by your Cisco WLAN card IP address; for example, route add 10.10.1.50 mask 255.255.255.255 10.10.1.28.
Step 7 Send a continuous ping to your controller. Enter ping -t followed by your controller virtual gateway IP address: ping -t 10.x0.1.50 (where x is your pod number).
Step 8 The ping should be successful.
Step 9 Minimize the remote desktop window, but do not close it.
Step 10 Re-open the Cisco WCS browser window.
Step 11 At the top-left of the page, locate the Alarm Summary dashboard.
Step 12 Expand the Alarm Summary by clicking the blue Down Arrow icon. You should see some Rogue AP alarms. Click the number that you see for Rogue AP alarms.
Step 13 Click the number under Total Active in the Unclassified Access Points Alert line.
Step 14 You will see all the detected rogues. In the list, your autonomous AP and its WLAN should be listed as rogue. To understand what containment does, you will try to treat this AP as a rogue and contain it.
Step 15 Click the Rogue MAC Address entry that matches your WLAN, IUWNE-x1 (where x is your pod number).
Step 16 In a real network, you would not contain your own APs. However, suppose that a valid client of yours has connected by mistake to this rogue AP. To contain it, choose 1 AP Containment in the upper drop-down window.
Note: A rogue AP is reported here and you decide to contain it. To contain the AP implies that disassociation messages will be sent to this AP client. In other words, Cisco WCS will ask the other APs around this one to spoof the AP MAC address and send disassociation messages. This implies that you actually use the other group APs to contain your rogue. You do not need more than one AP in this case, because all the APs and clients are a short range from one another.
Step 17 Click Go.
[Dialog: "Containing Rogue AP may have legal consequences. Do you want to continue?"]
Step 18 Read the warning. In a real network, you want to make absolutely sure that you are containing a real rogue in your network before containing an AP. Disconnecting valid clients from neighbor networks is usually forbidden. Click OK.
Step 19 A new status screen appears, showing that the rogue AP is contained.
Step 20 To see the effect of this containment, re-open the Remote Desktop Connection to your remote lab wireless laptop.
Step 21 The ping should fail most of the time. This connection has become unusable. In a real network, in which you use more than one AP to contain a rogue, all the pings would probably fail. In this lab environment, in which all APs are busy containing the other APs, the connection is simply heavily disturbed.
Step 22 Now suppose that after containing a rogue, you realize that the rogue is actually one of your APs. Re-open the Cisco WCS web browser interface.
Step 23 From the same rogue AP window, choose Set State to Friendly Internal from the upper right menu. Click Go to confirm. This action stops the containment, and tells Cisco WCS that this AP is registered to the controller.
Step 24 The AP status changes to Known AP.
Step 25 Re-open the connection to your remote lab wireless laptop.
Step 26 The ping should now be successful. The ping packets should be more consistent, with response times and without multiple drops.
Step 27 Close the command prompt window. Closing the window also interrupts the ping process.
Step 28 From your remote lab wireless laptop, open Network and Sharing Center.
Step 29 Choose Change Adapter Settings.
Step 30 Locate your wireless connection. The connection should be called Intel(R) Wireless WiFi Link 4965AGN. Right-click the connection and choose Disable.

Activity Verification
You have successfully completed this task when you attain this result:
- You identified and contained a rogue AP.

Task 3: Generate Reports
In this task, you will generate Inventory, CleanAir, and AP Utilization reports.

Activity Procedure
Complete these steps:
Step 1 Verify that you have a VPN connection to the remote lab.
Step 2 Verify that you are still connected to Cisco WCS, with a secure web browser session to the address https://10.100.1.1
Step 3 Navigate to the Home page.
Step 4 Choose Reports > Reports Launch Pad.
Step 5 Choose Devices > Inventory.
Step 6 Click New.
Step 7 Enter IUWNE-x (where x is your pod number) in the Report Title field.
Step 8 Click Save and Run.
Step 9 View the report results.
Step 10 Click Cancel.
Step 11 From the left menu, choose Device > Utilization.
Step 12 Click New.
Step 13 Enter IUWNE-x-AP Utilization (where x is your pod number) in the Report Title field.
Step 14 Choose Radios from the Report Type drop-down list.
Step 15 Choose AP by Controller from the Report By drop-down list.
Step 16 Choose Last 5 days from the Reporting Period drop-down list.
Step 17 Click Save and Run.
Step 18 View the report results.
Step 19 Click Cancel.
Step 20 From the left menu, choose CleanAir > Air Quality vs Time.
Step 21 Click New.
Step 22 Enter IUWNEx-AirQuality vs Time (where x is your pod number) in the Report Title field.
Step 23 Choose AP By Controller from the Report By drop-down list.
Step 24 Choose Last 5 Days from the Reporting Period drop-down list.
Step 25 Choose Save and Run.
Step 26 View the report results.
Step 27 Click Cancel.
Step 28 Log out of Cisco WCS.

Activity Verification
You have successfully completed this task when you attain this result:
- You successfully generated the Inventory, AP Utilization, and CleanAir reports.

Lab 6-1: Backing Up the Cisco WLC Configuration Files
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will perform maintenance tasks to protect your network against failures. After completing this activity, you will be able to meet these objectives:
- Use the command line to save and manipulate WLC configuration files
- Use a TFTP server to save and manipulate WLC configuration files

Visual Objective
The figure illustrates what you will accomplish in this activity.

Required Resources
These are the resources and equipment that are required to complete this activity:
- A PC with connectivity to the Internet
- The Cisco VPN client
- A connection to the remote terminal server with a serial connection to your Cisco WLC
- In the remote lab, a Cisco 2504 WLC
- In the remote lab, a Cisco Aironet 3502i Access Point
- In the remote lab, a remote lab wireless laptop with TFTP server

Command List
The table describes the commands that are used in this activity.

Display WLC Configuration and State Commands
Command                       | Description
show run-config               | Displays the Cisco WLC internal parameters
show running-config commands  | Displays the Cisco WLC configuration

Task 1: Examine Cisco WLC Configuration Files
In this task, you will examine two Cisco WLC configuration files and save one of the two files. You will then determine whether the file can be reinjected to your Cisco WLC.

Activity Procedure
Complete these steps:
Step 1 Verify that your VPN connection to the remote lab is working properly.
Step 2 Connect to your remote laptop by using Remote Desktop Connection: Choose Start > All Programs > Accessories > Remote Desktop Connection. The address should be in the format 10.X0.1.240, where X is your pod number.
Note: In each group, only one person at a time can be connected to the remote lab wireless laptop. With your partner, decide who will connect.
Step 3 In the Remote Desktop Connection pop-up window, in the Computer field, enter the IP address of your remote laptop, and click Connect.
Step 4 You will be presented with a new window, in which you are asked to enter the credentials that are required to access your remote lab wireless laptop. Use the lab map table to find out which username and password to use to connect to your group laptop. Use the format studentX (where X is your group number) for the username and cisco for the password.
Step 5 Enter the credentials, and click OK. You should see the Windows desktop of your remote laptop.
Step 6 Open a Telnet session to your Cisco WLC. From your remote lab wireless laptop, choose Start > All Programs > Accessories > Command Prompt.
Step 7 Enter telnet followed by the Management IP address of your Cisco 2106 WLC. Use the format telnet 10.X0.1.10, where X is your pod number.
Step 8 Enter your administrative user credentials. The username should be adminX (where X is your pod number) and the password should be QWer1234.
Step 9 At the command prompt, enter show run-config.
Note: This command is not the same as the show running-config command.
Step 10 The show run-config command gives extensive information about your AP configuration.
Step 11 Try to locate the burned-in MAC address of your Cisco WLC in the Inventory section, at the beginning of the first page, and document it here:
Step 12 Further on, verify whether your Cisco WLC supports management via wireless; that is, whether it allows wireless users to connect to the WLC for management purposes:
Step 13 Browse to the AP configuration section. Document your AP serial number:
Step 14 Document your AP BSSID:
Step 15 Browse through the rest of the configuration file.
Step 16 The configuration file that the show run-config command displays gives you extensive information about your Cisco WLC parameters but cannot be replicated as a configuration file to another Cisco WLC. This file is used for analysis purposes only. Another command provides information about the Cisco WLC configuration in command mode, just like a router or a switch. This command is show run-config commands. From the command prompt, enter show run-config commands.
Step 17 A list of parameters appears on the command line. This configuration file is more like the one that you see on routers and switches, and it can be captured and saved. In the configuration file, try to locate the virtual interface address. This information should be about four pages down in sequence.
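
The check below is an added example, not part of the lab guide or of Cisco's tooling. It audits a saved command-form configuration capture (the kind Lab 6-1 has you capture) for the default SNMP communities that the Lab 5-1 note calls a high security risk, and pulls out the virtual interface address and the management-via-wireless setting that Lab 6-1 asks you to locate. The sample captures are constructed, and their line shapes (the controller's config commands without the leading config keyword) are an assumption to adjust against your own capture.

```python
"""Audit a saved command-form WLC configuration capture (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Community names the lab note says must be changed in production.
DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed captures, not real controller output. Assumed line shape:
# the controller's "config ..." commands with the prefix removed.
LAB_CAPTURE = """\
interface address management 10.10.1.10 255.255.255.0 10.10.1.1
interface address virtual 1.1.1.1
network mgmt-via-wireless disable
snmp community create public
snmp community accessmode ro public
snmp community create private
snmp community accessmode rw private
"""

HARDENED_CAPTURE = """\
interface address virtual 1.1.1.1
network mgmt-via-wireless disable
snmp community create pod1-wcs-ro
snmp community accessmode ro pod1-wcs-ro
"""


@dataclass
class Report:
    virtual_ip: Optional[str] = None            # None if absent or not an IP
    mgmt_via_wireless: Optional[bool] = None    # None if the line is absent
    communities: Dict[str, str] = field(default_factory=dict)  # name -> mode
    default_communities: List[Tuple[str, str]] = field(default_factory=list)


def audit_capture(text: str) -> Report:
    """Parse the capture line by line and list default SNMP communities."""
    report = Report()
    for raw in text.splitlines():
        tokens = raw.split()
        if tokens[:1] == ["config"]:   # tolerate captures that keep the prefix
            tokens = tokens[1:]
        if len(tokens) >= 4 and tokens[:3] == ["interface", "address", "virtual"]:
            try:
                report.virtual_ip = str(ipaddress.ip_address(tokens[3]))
            except ValueError:
                report.virtual_ip = None
        elif len(tokens) >= 3 and tokens[:2] == ["network", "mgmt-via-wireless"]:
            report.mgmt_via_wireless = tokens[2] == "enable"
        elif len(tokens) >= 4 and tokens[:2] == ["snmp", "community"]:
            action = tokens[2]
            if action == "create":
                report.communities.setdefault(tokens[3], "unknown")
            elif action == "delete":
                # A replayed change script may delete a community it created.
                report.communities.pop(tokens[3], None)
            elif action == "accessmode" and len(tokens) >= 5:
                report.communities[tokens[4]] = tokens[3]
    defaults = [(name, mode) for name, mode in report.communities.items()
                if name.lower() in DEFAULT_COMMUNITIES]
    # Read-write defaults first, then by name, so the worst case leads.
    report.default_communities = sorted(
        defaults, key=lambda nm: (nm[1] != "rw", nm[0]))
    return report


if __name__ == "__main__":
    for label, capture in (("lab", LAB_CAPTURE), ("hardened", HARDENED_CAPTURE)):
        result = audit_capture(capture)
        print(label, "virtual interface:", result.virtual_ip)
        print(label, "management via wireless:", result.mgmt_via_wireless)
        for name, mode in result.default_communities:
            print(label, "default SNMP community still configured:", name, mode)
```

Whatever community replaces the default has to be set both on the controller and in the Cisco WCS entry for it, as the Lab 5-1 note says.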
