Archive | WLC2100

Wireless Guest Access

There is some good documentation about configuring Guest Access with two controllers, so I won't explain it here.

Once you know that the first WLC (Foreign) points to the second WLC (Anchor), and that the anchor controls everything, it's easy.

Here are some screenshots:

Rogue Detection

To detect rogue access points, make sure the APs are in monitor or local mode.

The Protection Type should be AP Authentication.

(See WLC Config Guide Page 453)

Max WLAN on a WLC

There is a maximum number of WLANs that you can create on a WLC, and that number is 16.

Even if a WLAN is disabled it still counts: the total of enabled and disabled WLANs can't exceed 16, otherwise you will see the message:

EAP-TLS on the WLC

Certificates are always difficult. Why? Because we don't work with them often, but once you know how everything works, it's very easy.

First I created a certificate request with the OpenSSL tool.

OpenSSL>req -new -newkey rsa:1024 -nodes -keyout mykey.pem -out myreq.pem

You will be asked some questions; fill in what you want.

Now open the myreq.pem file with WordPad and paste its content into the CA server as a certificate request.

When the certificate is issued, download it as a BASE64 file.
Copy this file to the OpenSSL/bin folder.

openssl>pkcs12 -export -in CA.pem -inkey mykey.pem -out CA.p12 -clcerts -passin pass:check123 -passout pass:check123

Where check123 is the password.

openssl>pkcs12 -in CA.p12 -out final.pem -passin pass:check123 -passout pass:check123

Now we can upload the final.pem to the WLC.

The WLC also needs the CA root certificate. It's the same procedure, but you can also export it from Mozilla (see Jerome's YouTube videos).
Upload this CAroot cert also to the WLC.
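The whole certificate chain can be rehearsed on a workstation before anything is uploaded to the controller. The script below is an added example, not code from this post or from Cisco: it stands up a throwaway test CA in place of the real CA server, repeats the req and pkcs12 steps above with made-up file and subject names and the placeholder password check123, uses a 2048-bit key where the post uses 1024, and then checks that the issued certificate chains to the root (which also gets uploaded) and matches the private key.

```shell
#!/bin/sh
# Added example, not from the original post or from Cisco: rehearse the
# EAP-TLS certificate preparation on a workstation with a throwaway test CA,
# then verify the result before uploading anything to a WLC.
# All file names, subject names and the password are placeholders.
set -eu

prepare_wlc_cert() (
  command -v openssl >/dev/null || { echo "openssl not found" >&2; return 1; }
  workdir=$(mktemp -d)
  cd "$workdir"
  pw="check123"    # placeholder password, same role as check123 in the post

  # 1. Throwaway root CA standing in for the real CA server (constructed).
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test Root CA" \
      -keyout caroot.key -out CAroot.pem >/dev/null 2>&1

  # 2. Key and CSR for the controller (the post's "req -new -newkey" step,
  #    with a 2048-bit key and the subject given on the command line).
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=wlc.example.test" \
      -keyout mykey.pem -out myreq.pem >/dev/null 2>&1

  # 3. The CA signs the request: what the CA server does when it issues CA.pem.
  openssl x509 -req -in myreq.pem -CA CAroot.pem -CAkey caroot.key \
      -CAcreateserial -days 30 -out CA.pem >/dev/null 2>&1

  # 4. The post's two pkcs12 steps: bundle cert + key, then back to one PEM.
  openssl pkcs12 -export -in CA.pem -inkey mykey.pem -out CA.p12 -clcerts \
      -passin "pass:$pw" -passout "pass:$pw"
  openssl pkcs12 -in CA.p12 -out final.pem -passin "pass:$pw" -passout "pass:$pw"

  # 5. Pre-upload checks: the device cert must chain to the root that will
  #    also be uploaded, and its public key must match the private key.
  openssl verify -CAfile CAroot.pem CA.pem | grep -q ': OK$'
  [ "$(openssl x509 -in CA.pem -noout -pubkey)" = "$(openssl pkey -in mykey.pem -pubout)" ]
  grep -q 'BEGIN CERTIFICATE' final.pem
  grep -q 'PRIVATE KEY' final.pem

  # Hand back the path of the PEM that would be uploaded to the controller.
  echo "$workdir/final.pem"
)

# Usage: prepare_wlc_cert prints the path of the verified final.pem.
```

The function runs in a subshell so the temporary directory change does not leak into the caller, and every check is a plain command under set -e, so a certificate that does not chain or a key that does not belong to it stops the script before a path is printed.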

Now we can create a local EAP profile on the WLC:

Make sure that the AAA Server of the WLAN is set to local EAP authentication.

If you have configured a RADIUS server on the WLC, make sure it's DISABLED!
Even though it's not selected on the WLAN, if it's enabled the WLC will contact the RADIUS server first!!!!

Of course you'll also have to create a certificate for the client.
First make an AD user and request a user certificate (see the links).

Create an EAP-TLS profile on the client with the correct certificate.

Here you see the client information:

I used this documentation:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a008068d45a.shtml

Coverage hole algorithm thresholds

Jerome Henry has a very nice page about it:
http://wirelessccie.blogspot.com/2010/01/coverage-hole-algorithm-thresholds.html

The formula:

Client SNR Cutoff Value (|dB|) = [AP Transmit Power (dBm) - Constant (17 dBm) - Coverage Profile (dB)]

Serviceport of the Controller

Sometimes you want to set a fixed IP address on the service port of a controller, but you receive this message:
(WiSM-slot2-1) >config interface address service-port 192.168.100.10 255.255.255.0
The DHCP protocol for the service port must be disabled before configuring the IP addr

To disable DHCP on the service port:
(WiSM-slot2-1) >config interface dhcp service-port disable

(WiSM-slot2-1) >config interface address service-port 192.168.100.10 255.255.255.0

(WiSM-slot2-1) >show interface summary

Interface Name                   Port Vlan Id  IP Address      Type    Ap Mgr Guest
-------------------------------- ---- -------- --------------- ------- ------ -----
service-port                     N/A  N/A      192.168.100.10  Static  No     No
(WiSM-slot2-1) >

Configure SNMP Trapflags WLC

You can use the GUI (Management / SNMP / Trap Controls) to view and configure the SNMP Traps.

You can also use the CLI:
(Cisco Controller) >config trapflags ?

authentication Enable or Disable sending traps on invalid SNMP access.
linkmode Enable or Disable switch level Link Up/Down trap flag.
multiusers Enable or Disable sending traps when multiple logins active.
client Enable or Disable sending Client related Dot11 Traps
ap Enable or Disable sending AP related Traps
802.11-Security Enable or Disable sending 802.11 Security related Traps
rrm-profile Enable or Disable sending RRM Profile related Traps
rrm-params Enable or Disable sending RRM Paramemeter Update related Traps
aaa Enable or Disable sending AAA related Traps
rogueap Enable or Disable sending RogueAP Detection Trap
configsave Enable or Disable sending Config Saved Trap

And to view the settings:
(Cisco Controller) >show trapflags

Authentication Flag............................ Enable
Link Up/Down Flag.............................. Enable
Multiple Users Flag............................ Enable

Client Related Traps
802.11 Disassociation......................... Disable
802.11 Association............................ Disable
802.11 Deauthenticate......................... Disable
802.11 Authenticate Failure................... Disable
802.11 Association Failure.................... Disable
Excluded...................................... Disable

802.11 Security related traps
WEP Decrypt Error............................. Disable
IDS Signature Attack.......................... Disable

Cisco AP
Register...................................... Disable
InterfaceUp................................... Disable

Auto-RF Profiles
Load.......................................... Disable
Noise......................................... Disable
Interference.................................. Disable
Coverage...................................... Disable

Auto-RF Thresholds
tx-power...................................... Disable
channel....................................... Disable

AAA
auth.......................................... Disable
servers....................................... Disable

rogueap....................................... Enable

configsave.................................... Enable
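As an added example (not code from the post or from Cisco), the POSIX shell script below parses a saved show trapflags dump like the one above and lists the traps that are still Disable among a set an operator would usually want enabled for monitoring. The wanted set is this example's own choice, not a Cisco recommendation, and the sample dump is the post's output with ASCII dot leaders and the pager prompt included so the parser has to skip it.

```shell
#!/bin/sh
# Added example, not from the original post or from Cisco: audit a saved
# "show trapflags" dump and list the traps that are still Disable among a set
# an operator would normally want for monitoring. The wanted set is this
# example's own choice; the sample dump is the post's output with ASCII dots.
set -eu

# Trap names exactly as "show trapflags" prints them (assumption: these names
# are unique among the flags we care about).
WANTED_TRAPS='802.11 Authenticate Failure
802.11 Association Failure
Excluded
WEP Decrypt Error
IDS Signature Attack
Register
auth
servers
rogueap'

# Turn "Name............ Enable" lines into "Name<TAB>Enable"; section
# headings (no dot leaders) and the --More-- pager prompt are dropped.
parse_trapflags() {
  awk -F'[.][.][.]+' '
    /--More--/ { next }
    NF >= 2 {
      name = $1; state = $NF
      gsub(/^[ \t]+|[ \t]+$/, "", name)
      gsub(/^[ \t]+|[ \t]+$/, "", state)
      print name "\t" state
    }'
}

# Print each wanted trap whose state is Disable, one per line.
disabled_wanted_traps() {
  parse_trapflags | awk -F "$(printf '\t')" -v wanted="$WANTED_TRAPS" '
    BEGIN { n = split(wanted, w, "\n"); for (i = 1; i <= n; i++) want[w[i]] = 1 }
    ($1 in want) && $2 == "Disable" { print $1 }'
}

# Constructed sample: the post's "show trapflags" output, dot leaders in ASCII.
SAMPLE_TRAPFLAGS='Authentication Flag............................ Enable
Link Up/Down Flag.............................. Enable
Multiple Users Flag............................ Enable

Client Related Traps
802.11 Disassociation......................... Disable
802.11 Association............................ Disable
802.11 Deauthenticate......................... Disable
802.11 Authenticate Failure................... Disable
802.11 Association Failure.................... Disable
Excluded...................................... Disable

802.11 Security related traps
WEP Decrypt Error............................. Disable
IDS Signature Attack.......................... Disable

Cisco AP
Register...................................... Disable
InterfaceUp................................... Disable

Auto-RF Profiles
--More-- or (q)uit
Load.......................................... Disable
Noise......................................... Disable
Interference.................................. Disable
Coverage...................................... Disable

Auto-RF Thresholds
tx-power...................................... Disable
channel....................................... Disable

AAA
auth.......................................... Disable
servers....................................... Disable

rogueap....................................... Enable

configsave.................................... Enable'

# Run the audit over the sample; in real use pipe a captured dump into
# disabled_wanted_traps instead.
audit_sample() {
  printf '%s\n' "$SAMPLE_TRAPFLAGS" | disabled_wanted_traps
}

audit_sample
```

Against the sample the audit reports eight traps (the client authenticate and association failures, Excluded, the two 802.11 security traps, AP Register, and both AAA traps) and stays silent on rogueap and configsave, which are already Enable.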