Configure a WPA2 Enterprise WLAN on the WLC

SNMP and RADIUS

In the figure, PC-A is running Simple Network Management Protocol (SNMP) and Remote Authentication Dial-In User Service (RADIUS) server software. SNMP is used to monitor the network. The network administrator wants the WLC to forward all SNMP log messages, called traps, to the SNMP server.

In addition, for WLAN user authentication, the network administrator wants to use a RADIUS server for authentication, authorization, and accounting (AAA) services. Instead of entering a publicly known pre-shared key to authenticate, as they do with WPA2-PSK, users will enter their own username and password credentials. The credentials will be verified by the RADIUS server. This way, individual user access can be tracked and audited if necessary and user accounts can be added or modified from a central location. The RADIUS server is required for WLANs that are using WPA2 Enterprise authentication.

Note: SNMP server and RADIUS server configuration is beyond the scope of this module.

Topology

Configure SNMP Server Information

Click the MANAGEMENT tab to access a variety of management features. SNMP is listed at the top of the menu on the left. Click SNMP to expand the sub-menus, and then click Trap Receivers. Click New… to configure a new SNMP trap receiver, as shown in the figure.

The figure depicts three steps to creating a new SNMP server configuration on a WLC GUI. The Management tab on the main menu is selected and outlined with a rectangle and the number 1. SNMP on the sub-menu is selected and outlined with a rectangle and the number 2. Trap Receivers is selected and outlined with a rectangle and the number 3. The New... button is outlined with a rectangle and the number 4.
  1. Click MANAGEMENT
  2. Click SNMP
  3. Click Trap Receivers
  4. Click New…

Enter the SNMP Community name and the IP address (IPv4 or IPv6) for the SNMP server. Click Apply. The WLC will now forward SNMP log messages to the SNMP server.

The figure depicts entering the SNMP Trap Receiver information and applying the configuration. The Management tab on the main menu is selected and under SNMP Trap Receiver > New, the Community Name is CCNAv7, the IP address is 172.16.1.254 and the status has been enabled. The Apply button is outlined with a rectangle indicating to click.

Configure RADIUS Server Information

In our example configuration, the network administrator wants to configure a WLAN using WPA2 Enterprise, as opposed to WPA2 Personal or WPA2 PSK. Authentication will be handled by the RADIUS server running on PC-A.

To configure the WLC with the RADIUS server information, click the SECURITY tab > RADIUS > Authentication. No RADIUS servers are currently configured. Click New… to add PC-A as the RADIUS server.

The figure depicts four steps to creating a new RADIUS Authentication server configuration on a WLC GUI. The Security tab on the main menu is selected and outlined with a rectangle and the number 1. RADIUS on the sub-menu is selected and outlined with a rectangle and the number 2. Authentication is selected and outlined with a rectangle and the number 3. The New... button is outlined with a rectangle and the number 4.
  1. Click SECURITY
  2. Click RADIUS
  3. Click Authentication
  4. Click New…

Enter the IPv4 address for PC-A and the shared secret. This is the password used between the WLC and the RADIUS server. It is not for users. Click Apply, as shown in the figure.

The figure depicts device information and options for creating a new RADIUS Authentication server configuration on the WLC GUI. The Security tab on the main menu is selected and under RADIUS Authentication Servers > New, the Server IP Address is 172.16.1.254 and a shared secret has been typed and confirmed. The Apply button is outlined with a rectangle indicating to click.

After clicking Apply, the list of configured RADIUS Authentication Servers refreshes with the new server listed, as shown in the figure.

The figure depicts the list of the RADIUS Authentication servers that were created. The Security tab on the main menu is selected and under RADIUS Authentication Servers the new server is listed.
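How the shared secret entered above protects the WLC-to-RADIUS exchange, as an added example that is not part of the original course page: the secret never travels on the wire, but it keys the Message-Authenticator on each request and the Response Authenticator on each reply (RFC 2865 and RFC 3579). The user name, secret value and helper names are constructed for illustration, and the EAP-Message attributes a real WPA2 Enterprise exchange carries are left out.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, MESSAGE_AUTHENTICATOR = 1, 80  # attribute type numbers


def attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value  # Type, Length, Value


def build_access_request(ident: int, user: str, secret: bytes) -> bytes:
    """Access-Request as the RADIUS client (here the WLC) sends it."""
    request_auth = os.urandom(16)  # Request Authenticator: fresh random value
    attrs = attr(USER_NAME, user.encode()) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
    # Message-Authenticator = HMAC-MD5(secret, packet with that field zeroed)
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()


def request_is_authentic(request: bytes, secret: bytes) -> bool:
    """Server-side check; assumes Message-Authenticator is the last attribute."""
    expected = hmac.new(secret, request[:-16] + bytes(16), hashlib.md5).digest()
    return hmac.compare_digest(expected, request[-16:])


def build_reply(code: int, request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Reply as the RADIUS server sends it."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    response_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + response_auth + attrs


def reply_is_authentic(reply: bytes, request: bytes, secret: bytes) -> bool:
    """Client-side check: the ID must match and the digest must verify."""
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


if __name__ == "__main__":
    secret = b"constructed-secret"  # constructed sample, not from the page
    req = build_access_request(7, "alice", secret)
    rep = build_reply(ACCESS_ACCEPT, req, b"", secret)
    print(request_is_authentic(req, secret), reply_is_authentic(rep, req, b"wrong"))
```

If the secret typed on the WLC differs from the one on the server, both checks fail and every authentication is silently dropped, which is why the GUI asks for the secret twice.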

Topology with VLAN 5 Addressing

Each WLAN configured on the WLC needs its own virtual interface. The WLC has five physical ports for data traffic. Each physical port can be configured to support multiple WLANs, each on its own virtual interface. Physical ports can also be aggregated to create high-bandwidth links.

The network administrator has decided that the new WLAN will use interface VLAN 5 and network 192.168.5.0/24. R1 already has a subinterface configured and active for VLAN 5, as shown in the topology and show ip interface brief output.

Topology

R1# show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            172.16.1.1      YES manual up                    up
FastEthernet0/1            unassigned      YES unset  up                    up
FastEthernet0/1.1          192.168.200.1   YES manual up                    up
FastEthernet0/1.5          192.168.5.254   YES manual up                    up
(output omitted)
R1#

Configure a New Interface

VLAN interface configuration on the WLC includes the following steps:

  1. Create a new interface.
  2. Configure the VLAN name and ID.
  3. Configure the port and interface address.
  4. Configure the DHCP server address.
  5. Apply and Confirm.
  6. Verify Interfaces.

1. Create a new interface.

To add a new interface, click CONTROLLER > Interfaces > New…, as shown in the figure.

The figure depicts the creation of a new interface on a WLC GUI. The Controller tab on the main menu is selected and outlined with a rectangle and the number 1. Interfaces on the sub-menu is selected and outlined with a rectangle and the number 2. The New... button is outlined with a rectangle and the number 3.
  1. Click CONTROLLER
  2. Click Interfaces
  3. Click New…

2. Configure the VLAN name and ID.

In the figure, the network administrator configures the interface name as vlan5 and the VLAN ID as 5. Clicking Apply will create the new interface.

The figure depicts configuring the VLAN name and ID on a WLC GUI. The Controller tab on the main menu is selected and under Interfaces > New, the Interface Name is vlan5 and the VLAN Id is 5. The Apply button is outlined with a rectangle indicating to click.

3. Configure the port and interface address.

On the Edit page for the interface, configure the physical port number. G1 in the topology is Port Number 1 on the WLC. Then configure the VLAN 5 interface addressing. In the figure, VLAN 5 is assigned IPv4 address 192.168.5.254/24. R1 is the default gateway at IPv4 address 192.168.5.1.

The figure depicts configuring the port and interface address on a WLC GUI. The Controller tab on the main menu is selected and under Interfaces > Edit the Port Number 1 is outlined in a rectangle as well as the Interface address information, IP address: 192.168.5.254, Netmask: 255.255.255.0, and Gateway: 192.168.5.1.

4. Configure the DHCP server address.

In larger enterprises, WLCs will be configured to forward DHCP messages to a dedicated DHCP server. Scroll down the page to configure the primary DHCP server as IPv4 address 192.168.5.1, as shown in the figure. This is the default gateway router address. The router is configured with a DHCP pool for the WLAN network. As hosts join the WLAN that is associated with the VLAN 5 interface, they will receive addressing information from this pool.

The figure depicts configuring the DHCP server address on a WLC GUI. The Controller tab on the main menu is selected and under Interfaces > Edit the Primary DHCP Server IP address, 192.168.5.1, is outlined with a rectangle.

5. Apply and Confirm.

Scroll to the top and click Apply, as shown in the figure. Click OK for the warning message.

The figure depicts applying and confirming interface settings on a WLC GUI. The Controller tab on the main menu is selected and the Interfaces > Edit sub-menu is selected. The Apply button is outlined with a rectangle indicating to click. A prompt indicates that changing the interface parameters causes the WLANs to be temporarily disabled and thus may result in loss of connectivity for some clients.

6. Verify Interfaces.

Click Interfaces. The new vlan5 interface is now shown in the list of interfaces with its IPv4 address, as shown in the figure.

The figure depicts verifying interfaces on a WLC GUI. The Controller tab on the main menu is selected and the Interfaces sub-menu is selected. The vlan5 interface is listed under the list of Interfaces and is outlined with a rectangle.

Configure a DHCP Scope

DHCP scope configuration includes the following steps:

  1. Create a new DHCP scope.
  2. Name the DHCP scope.
  3. Verify the new DHCP scope.
  4. Configure and enable the new DHCP scope.
  5. Verify the enabled DHCP scope.

1. Create a new DHCP scope.

A DHCP scope is very similar to a DHCP pool on a router. It can include a variety of information including a pool of addresses to assign to DHCP clients, DNS server information, lease times, and more. To configure a new DHCP scope, click Internal DHCP Server > DHCP Scope > New…, as shown in the figure.

The figure depicts the creation of a new DHCP Scope on a WLC GUI. The Controller tab on the main menu is selected. The Internal DHCP Server sub-menu is selected and outlined with a rectangle and the number 1. DHCP Scope is selected and outlined with a rectangle and the number 2. The New... button is outlined with a rectangle and the number 3.
  1. Click Internal DHCP Server.
  2. Click DHCP Scope.
  3. Click New…

2. Name the DHCP scope.

On the next screen, name the scope. Because this scope will apply to the wireless management network, the network administrator uses Wireless_Management as the Scope Name and clicks Apply.

The figure depicts naming the DHCP Scope on a WLC GUI. The Controller tab on the main menu is selected and DHCP Scope > New is selected. The Scope name is Wireless_Management.

3. Verify the new DHCP scope.

You are returned to the DHCP Scopes page and can verify the scope is ready to be configured. Click the new Scope Name to configure the DHCP scope.

The figure depicts verifying the new DHCP Scope on a WLC GUI. The Controller tab on the main menu is selected and the DHCP Scopes sub-menu is selected. The Wireless_Management scope is listed under Scope Name.

4. Configure and enable the new DHCP scope.

On the Edit screen for the Wireless_Management scope, configure a pool of addresses for the 192.168.200.0/24 network starting at .240 and ending at .249. The network address and subnet mask are configured. The default router IPv4 address is configured, which is the subinterface for R1 at 192.168.200.1. For this example, the rest of the scope is left unchanged. The network administrator selects Enabled from the Status drop down and clicks Apply.

The figure depicts configuring and enabling the new DHCP Scope on a WLC GUI. The Controller tab on the main menu is selected and DHCP Scope > Edit is selected. The Pool Start IP address: 192.168.200.240, Pool End Address: 192.168.200.249, Network: 192.168.200.0, and Netmask: 255.255.255.0 are outlined in a square. The Default router: 192.168.200.1 and Status: enabled are outlined in rectangles.

5. Verify the enabled DHCP scope.

The network administrator is returned to the DHCP Scopes page and can verify the scope is ready to be allocated to a new WLAN.

The figure depicts verifying the enabled DHCP Scope on a WLC GUI. The Controller tab on the main menu is selected and the DHCP Scopes sub-menu is selected. The Wireless_Management Address pool: 192.168.200.240 through 192.168.200.249 is outlined in a rectangle.
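A pre-flight check for the addressing entered in the two procedures above (the vlan5 interface and the Wireless_Management scope), as an added example that is not part of the original course page. The function names and the `static` parameter are hypothetical; the addresses in the demo are the ones shown in the page's figures, plus one constructed mistake.

```python
import ipaddress


def check_interface(ip, netmask, gateway):
    """Return problems in a WLC VLAN interface definition; [] means consistent."""
    iface = ipaddress.ip_interface(f"{ip}/{netmask}")
    gw = ipaddress.ip_address(gateway)
    problems = []
    if iface.ip in (iface.network.network_address, iface.network.broadcast_address):
        problems.append(f"{iface.ip} is not a usable host address in {iface.network}")
    if gw not in iface.network:
        problems.append(f"gateway {gw} is outside {iface.network}")
    elif gw == iface.ip:
        problems.append(f"gateway {gw} duplicates the interface address")
    return problems


def check_scope(network, netmask, pool_start, pool_end, default_router, static=()):
    """Return problems in a DHCP scope; `static` lists addresses set by hand."""
    try:
        net = ipaddress.ip_network(f"{network}/{netmask}")
    except ValueError as exc:  # e.g. host bits set in the network field
        return [f"bad network/netmask: {exc}"]
    start, end, router = (ipaddress.ip_address(a) for a in (pool_start, pool_end, default_router))
    problems = []
    if start > end:
        problems.append("pool start is higher than pool end")
    for label, addr in (("pool start", start), ("pool end", end), ("default router", router)):
        if addr not in net:
            problems.append(f"{label} {addr} is outside {net}")
    # A hand-configured address inside the pool will eventually be leased twice.
    for addr in (router, *map(ipaddress.ip_address, static)):
        if start <= addr <= end:
            problems.append(f"static address {addr} lies inside the pool")
    return problems


if __name__ == "__main__":
    # Values taken from the page's figures.
    print(check_interface("192.168.5.254", "255.255.255.0", "192.168.5.1"))
    print(check_scope("192.168.200.0", "255.255.255.0",
                      "192.168.200.240", "192.168.200.249", "192.168.200.1"))
    # Constructed mistake: pool widened so that it swallows the router address.
    print(check_scope("192.168.200.0", "255.255.255.0",
                      "192.168.200.1", "192.168.200.249", "192.168.200.1"))
```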

Configure a WPA2 Enterprise WLAN

By default, all newly created WLANs on the WLC will use WPA2 with Advanced Encryption Standard (AES). 802.1X is the default key management protocol used to communicate with the RADIUS server. Because the network administrator already configured the WLC with the IPv4 address of the RADIUS server running on PC-A, the only configuration left to do is to create a new WLAN to use interface vlan5.

Configuring a new WLAN on the WLC includes the following steps:

  1. Create a new WLAN.
  2. Configure the WLAN name and SSID.
  3. Enable the WLAN for VLAN 5.
  4. Verify AES and 802.1X defaults.
  5. Configure WLAN security to use the RADIUS server.
  6. Verify the new WLAN is available.

1. Create a new WLAN.

Click the WLANs tab and then Go to create a new WLAN, as shown in the figure.

The figure depicts the creation of a new WLAN on a WLC GUI. The WLANs tab on the main menu is selected and the Go button on the Create New sub-menu is outlined with a rectangle.

2. Configure the WLAN name and SSID.

Fill in the profile name and SSID. In order to be consistent with the VLAN that was previously configured, choose an ID of 5. However, any available value can be used. Click Apply to create the new WLAN, as shown in the figure.

The figure depicts the configuration of the WLAN Name and SSID on a WLC GUI. The WLANs tab on the main menu is selected and WLANs > New is selected. The Profile name: CompanyName, SSID: CompanyName, and ID: 5 are outlined in a rectangle. The Apply button is outlined with a rectangle indicating to click.

3. Enable the WLAN for VLAN 5.

The WLAN is created but it still needs to be enabled and associated with the correct VLAN interface. Change the status to Enabled and choose vlan5 from the Interface/Interface Group(G) dropdown list. Click Apply and click OK to accept the popup message, as shown in the figure.

Troubleshoot WLAN Issues