Configure a WPA2 Enterprise WLAN on the WLC
SNMP and RADIUS
In the figure, PC-A is running Simple Network Management Protocol (SNMP) and Remote Authentication Dial-In User Service (RADIUS) server software. SNMP is used to monitor the network. The network administrator wants the WLC to send all of its SNMP notifications, called traps, to the SNMP server.
In addition, for WLAN user authentication, the network administrator wants to use a RADIUS server for authentication, authorization, and accounting (AAA) services. Instead of entering a pre-shared key that is common to every user, as they do with WPA2-PSK, users will enter their own username and password credentials, which are verified by the RADIUS server. This way, individual user access can be tracked and audited if necessary, and user accounts can be added, modified, or revoked from a central location. A RADIUS server is required for WLANs that use WPA2 Enterprise authentication.
Note: SNMP server and RADIUS server configuration is beyond the scope of this module.
Configure SNMP Server Information
Click the MANAGEMENT tab to access a variety of management features. SNMP is listed at the top of the menu on the left. Click SNMP to expand the sub-menus, and then click Trap Receivers. Click New… to configure a new SNMP trap receiver, as shown in the figure.
- Click MANAGEMENT
- Click SNMP
- Click Trap Receivers
- Click New…
Enter the SNMP community name and the IP address (IPv4 or IPv6) of the SNMP server, and click Apply. The WLC will now send its traps to that receiver. For SNMPv1 and SNMPv2c the community name travels in cleartext inside every trap, so treat it as a credential: do not use a default such as public, restrict the receiver to the management network, and prefer SNMPv3 where both the WLC release and the receiver support it.
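The following is an added example, not part of the module and not Cisco code, that shows what "community name" means on the wire. It builds an SNMPv2c trap in pure Python (standard library only, with a small hand-rolled BER encoder) and then reads the version, community name and trap OID straight back out of the raw datagram, which is exactly what anyone capturing traffic between the WLC and PC-A can do. The community values, the uptime and the watch-list of default community names are constructed for the demonstration; the trap OIDs are the standard coldStart and authenticationFailure notifications.

```python
# Added example (not from the page): build an SNMPv2c trap the way a WLC
# would send it, then read the community name straight back out of the
# datagram to show that it is a cleartext credential. Stdlib only.

TAG_INTEGER, TAG_OCTET_STRING, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x06, 0x30
TAG_TIMETICKS, TAG_SNMPV2_TRAP = 0x43, 0xA7
VERSION_NAMES = {0: "SNMPv1", 1: "SNMPv2c", 3: "SNMPv3"}
SYS_UPTIME, SNMP_TRAP_OID = "1.3.6.1.2.1.1.3.0", "1.3.6.1.6.3.1.1.4.1.0"
WEAK_COMMUNITIES = {"public", "private"}   # vendor defaults; assumed watch-list


def ber_length(n: int) -> bytes:
    """X.690 length: short form below 128, otherwise 0x8N followed by N bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(body)) + body


def ber_int(value: int, tag: int = TAG_INTEGER) -> bytes:
    """Non-negative INTEGER (or TimeTicks), keeping a leading 0x00 when the
    top bit would otherwise read as a sign bit."""
    return tlv(tag, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def ber_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                      # base-128, high bit = more bytes follow
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return tlv(TAG_OID, bytes(body))


def build_v2c_trap(community: str, trap_oid: str, uptime_ticks: int, request_id: int = 1) -> bytes:
    """SNMPv2-Trap-PDU: request-id, error-status, error-index, then the two
    mandatory varbinds sysUpTime.0 and snmpTrapOID.0 (RFC 3416)."""
    varbinds = tlv(TAG_SEQUENCE, ber_oid(SYS_UPTIME) + ber_int(uptime_ticks, TAG_TIMETICKS))
    varbinds += tlv(TAG_SEQUENCE, ber_oid(SNMP_TRAP_OID) + ber_oid(trap_oid))
    pdu = tlv(TAG_SNMPV2_TRAP, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(TAG_SEQUENCE, varbinds))
    return tlv(TAG_SEQUENCE, ber_int(1) + tlv(TAG_OCTET_STRING, community.encode()) + pdu)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value bytes, position just after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    first = body[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def inspect_trap(datagram: bytes) -> dict:
    """What anyone on the path between the WLC and the trap receiver can read."""
    tag, msg, _ = read_tlv(datagram, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an SNMP message")
    _, version_bytes, pos = read_tlv(msg, 0)
    version = int.from_bytes(version_bytes, "big")
    info = {"version": VERSION_NAMES.get(version, "unknown"), "community": None,
            "pdu_type": None, "trap_oid": None, "weak_community": False}
    if version == 3:                 # v3 carries msgGlobalData here, not a community
        return info
    _, community, pos = read_tlv(msg, pos)
    info["community"] = community.decode("latin-1")
    info["weak_community"] = info["community"] in WEAK_COMMUNITIES
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    info["pdu_type"] = pdu_tag
    if pdu_tag == TAG_SNMPV2_TRAP:
        pos = 0
        for _ in range(3):           # skip request-id, error-status, error-index
            _, _, pos = read_tlv(pdu, pos)
        _, varbinds, _ = read_tlv(pdu, pos)
        pos = 0
        while pos < len(varbinds):
            _, vb, pos = read_tlv(varbinds, pos)
            _, oid, vpos = read_tlv(vb, 0)
            vtag, val, _ = read_tlv(vb, vpos)
            if decode_oid(oid) == SNMP_TRAP_OID and vtag == TAG_OID:
                info["trap_oid"] = decode_oid(val)
    return info
```

Calling inspect_trap on the output of build_v2c_trap("public", "1.3.6.1.6.3.1.1.5.1", 123456) returns the community string verbatim and flags it as a default; no key, no login and no access to either host is needed, only a packet capture on the path. That is the whole reason a community name deserves the same handling as a password, and why SNMPv3 with authentication and privacy is the better choice when the receiver supports it.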
Configure RADIUS Server Information
In our example configuration, the network administrator wants to configure a WLAN using WPA2 Enterprise rather than WPA2 Personal (WPA2-PSK). Authentication will be handled by the RADIUS server running on PC-A.
To configure the WLC with the RADIUS server information, click the SECURITY tab > RADIUS > Authentication. No RADIUS servers are currently configured. Click New… to add PC-A as the RADIUS server.
- Click SECURITY
- Click RADIUS
- Click Authentication
- Click New…
Enter the IPv4 address of PC-A and the shared secret. The shared secret is the password the WLC and the RADIUS server use to authenticate their messages to each other; it is never given to users. Use a long, random value and do not reuse it across devices, because anyone who learns it can read passwords sent in the clear to the server and forge RADIUS responses for every client that shares it. Click Apply, as shown in the figure.
After clicking Apply, the list of configured RADIUS Authentication Servers refreshes with the new server listed, as shown in the figure.
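The shared secret is easy to treat as a formality, so here is an added example, not from the module and not Cisco code, of the two things RFC 2865 uses it for: hiding a PAP User-Password inside an Access-Request, and computing the Response Authenticator that lets the WLC check that an Access-Accept really came from its server. The secret, Request Authenticator, username and password are all constructed values. WPA2 Enterprise carries user credentials in EAP rather than PAP, but the Response Authenticator check and the protection of the keying material the server returns rely on this same secret.

```python
import hashlib
import hmac
import struct

# Added example, not from the page: what the WLC-to-RADIUS shared secret does
# on the wire (RFC 2865). Secret, Request Authenticator, user and password are
# constructed; a real client draws the authenticator from os.urandom(16).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE = 1, 2, 18
EXAMPLE_SECRET = b"example-shared-secret"  # assumed value
EXAMPLE_REQUEST_AUTH = bytes(range(16))    # fixed so the demo is repeatable


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type(1) Length(1) Value; the length includes the 2-byte header."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(attrs: bytes) -> dict:
    out, pos = {}, 0
    while pos + 2 <= len(attrs) and attrs[pos + 1] >= 2:
        out[attrs[pos]] = attrs[pos + 2:pos + attrs[pos + 1]]
        pos += attrs[pos + 1]
    return out


def encode_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous block); the first block is keyed by the Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def decode_user_password(encoded: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of encode_user_password: whoever holds (or guesses) the secret
    gets the cleartext password back from a captured Access-Request."""
    out, prev = b"", request_auth
    for i in range(0, len(encoded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(encoded[i:i + 16], keystream))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")


def packet(code: int, identifier: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + authenticator + attrs


def build_access_request(username: bytes, password: bytes, secret: bytes,
                         identifier: int, request_auth: bytes) -> bytes:
    attrs = attribute(ATTR_USER_NAME, username)
    attrs += attribute(ATTR_USER_PASSWORD, encode_user_password(password, secret, request_auth))
    return packet(ACCESS_REQUEST, identifier, request_auth, attrs)


def response_authenticator(code: int, identifier: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code: int, identifier: int, request_auth: bytes,
                   secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side: an Accept/Reject bound to one request and one secret."""
    auth = response_authenticator(code, identifier, attrs, request_auth, secret)
    return packet(code, identifier, auth, attrs)


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side (the WLC): recompute and compare in constant time. A response
    built with any other secret, or altered in transit, fails this check."""
    if len(response) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False
    expected = response_authenticator(code, identifier, response[20:], request_auth, secret)
    return hmac.compare_digest(response[4:20], expected)


def demo() -> dict:
    """A genuine exchange next to an attacker who only guessed the secret."""
    req_auth = EXAMPLE_REQUEST_AUTH
    request = build_access_request(b"alice", b"correct horse battery", EXAMPLE_SECRET, 7, req_auth)
    hidden = parse_attributes(request[20:])[ATTR_USER_PASSWORD]
    genuine = build_response(ACCESS_ACCEPT, 7, req_auth, EXAMPLE_SECRET)
    forged = build_response(ACCESS_ACCEPT, 7, req_auth, b"guessed-secret")
    return {
        "server_recovers_password": decode_user_password(hidden, EXAMPLE_SECRET, req_auth) == b"correct horse battery",
        "guess_recovers_password": decode_user_password(hidden, b"guessed-secret", req_auth) == b"correct horse battery",
        "genuine_accept_verifies": verify_response(genuine, req_auth, EXAMPLE_SECRET),
        "forged_accept_verifies": verify_response(forged, req_auth, EXAMPLE_SECRET),
    }
```

Running demo() shows the server recovering the password while a wrong secret yields garbage, and the forged Access-Accept failing verification. Both constructions are MD5 keyed only by the secret, so with one captured request-response pair an attacker can test candidate secrets offline; a short or widely shared secret turns into a guessing problem, which is the practical reason to use a long random secret per device and to keep the WLC-to-server path on the management network.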
Topology with VLAN 5 Addressing
Each WLAN configured on the WLC needs its own virtual interface. The WLC has five physical ports for data traffic. Each physical port can be configured to support multiple WLANs, each on its own virtual interface. Physical ports can also be aggregated to create high-bandwidth links.
The network administrator has decided that the new WLAN will use interface VLAN 5 and network 192.168.5.0/24. R1 already has a subinterface configured and active for VLAN 5, as shown in the topology and show ip interface brief output.
R1# show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            172.16.1.1      YES manual up                    up
FastEthernet0/1            unassigned      YES unset  up                    up
FastEthernet0/1.1          192.168.200.1   YES manual up                    up
FastEthernet0/1.5          192.168.5.1     YES manual up                    up
(output omitted)
R1#
Configure a New Interface
VLAN interface configuration on the WLC includes the following steps:
- Create a new interface.
- Configure the VLAN name and ID.
- Configure the port and interface address.
- Configure the DHCP server address.
- Apply and Confirm.
- Verify Interfaces.
1. Create a new interface.
To add a new interface, click CONTROLLER > Interfaces > New…, as shown in the figure.
- Click CONTROLLER
- Click Interfaces
- Click New…
2. Configure the VLAN name and ID.
In the figure, the network administrator configures the interface name as vlan5 and the VLAN ID as 5. Clicking Apply will create the new interface.
3. Configure the port and interface address.
On the Edit page for the interface, configure the physical port number. G1 in the topology is Port Number 1 on the WLC. Then configure the addressing of the VLAN 5 interface. In the figure, the vlan5 interface is assigned IPv4 address 192.168.5.254/24, and the gateway is R1's VLAN 5 subinterface at 192.168.5.1.
4. Configure the DHCP server address.
In larger enterprises, the WLC is configured to relay DHCP messages to a dedicated DHCP server. Scroll down the page to configure the primary DHCP server as IPv4 address 192.168.5.1, as shown in the figure. This is the default gateway router address: R1 is configured with a DHCP pool for the WLAN network, so hosts that join the WLAN associated with the vlan5 interface receive their addressing from that pool.
5. Apply and Confirm.
Scroll to the top and click Apply, as shown in the figure. Click OK for the warning message.
6. Verify Interfaces.
Click Interfaces. The new vlan5 interface is now shown in the list of interfaces with its IPv4 address, as shown in the figure.
Configure a DHCP Scope
DHCP scope configuration includes the following steps:
- Create a new DHCP scope.
- Name the DHCP scope.
- Verify the new DHCP scope.
- Configure and enable the new DHCP scope.
- Verify the enabled DHCP scope.
1. Create a new DHCP scope.
A DHCP scope is very similar to a DHCP pool on a router. It can include a variety of information including a pool of addresses to assign to DHCP clients, DNS server information, lease times, and more. To configure a new DHCP scope, click Internal DHCP Server > DHCP Scope > New…, as shown in the figure.
- Click Internal DHCP Server.
- Click DHCP Scope.
- Click New…
2. Name the DHCP scope.
On the next screen, name the scope. Because this scope will apply to the wireless management network, the network administrator uses Wireless_Management as the Scope Name and clicks Apply.
3. Verify the new DHCP scope.
You are returned to the DHCP Scopes page and can verify the scope is ready to be configured. Click the new Scope Name to configure the DHCP scope.
4. Configure and enable the new DHCP scope.
On the Edit screen for the Wireless_Management scope, configure a pool of addresses for the 192.168.200.0/24 network starting at .240 and ending at .249. The network address and subnet mask are configured. The default router IPv4 address is configured, which is the subinterface for R1 at 192.168.200.1. For this example, the rest of the scope is left unchanged. The network administrator selects Enabled from the Status drop down and clicks Apply.
5. Verify the enabled DHCP scope.
The network administrator is returned to the DHCP Scopes page and can verify the scope is ready to be allocated to a new WLAN.
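Before committing the interface and scope settings from the two procedures above, it is worth checking that the gateway, controller and pool addresses actually fit together; a gateway that collides with the controller address, or a pool that hands out the gateway, is easy to type into the GUI and only shows up when clients fail. The following is an added Python example, not from the module, that performs that check with the standard ipaddress module. The sample plans reuse the page's addresses; the WLC management address and the internal DHCP server address in the Wireless_Management plan are assumptions, since the page does not state them, and the mistyped plan is constructed to show a failing case.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example (not from the page): sanity-check a WLC interface plan and
# the DHCP scope that goes with it before clicking Apply.


@dataclass
class AddressPlan:
    name: str
    network: str                             # "192.168.5.0/24"
    gateway: str                             # router (sub)interface the clients use
    controller: str                          # WLC address on this interface
    dhcp_server: str                         # where the WLC relays DHCP
    pool: Optional[Tuple[str, str]] = None   # (first, last) if a scope lives here
    reserved: Tuple[str, ...] = ()           # other static hosts to keep out of the pool


def check_plan(plan: AddressPlan) -> List[str]:
    """Return human-readable findings; an empty list means the plan is consistent."""
    findings: List[str] = []
    try:
        net = ipaddress.ip_network(plan.network, strict=True)   # rejects host bits set
        gw, wlc, dhcp = (ipaddress.ip_address(a) for a in (plan.gateway, plan.controller, plan.dhcp_server))
    except ValueError as exc:
        return [f"{plan.name}: {exc}"]
    static = {"gateway": gw, "controller": wlc}
    for role, addr in static.items():
        if addr not in net:
            findings.append(f"{plan.name}: {role} {addr} is not inside {net}")
        elif addr in (net.network_address, net.broadcast_address):
            findings.append(f"{plan.name}: {role} {addr} is the network or broadcast address")
    if gw == wlc:
        findings.append(f"{plan.name}: gateway and controller both use {gw}")
    if plan.pool:
        try:
            first, last = (ipaddress.ip_address(a) for a in plan.pool)
        except ValueError as exc:
            return findings + [f"{plan.name}: {exc}"]
        if first not in net or last not in net:
            findings.append(f"{plan.name}: pool {first}-{last} is not inside {net}")
        elif first > last:
            findings.append(f"{plan.name}: pool starts at {first} but ends at {last}")
        else:
            keep_out = {**static, "DHCP server": dhcp}
            keep_out.update({f"reserved host {a}": ipaddress.ip_address(a) for a in plan.reserved})
            for role, addr in keep_out.items():
                if addr.version == net.version and first <= addr <= last:
                    findings.append(f"{plan.name}: pool {first}-{last} would lease the {role} address {addr}")
            if first == net.network_address or last == net.broadcast_address:
                findings.append(f"{plan.name}: pool includes the network or broadcast address")
    return findings


# The page's VLAN 5 plan: clients get addresses from R1's pool, so no scope here.
VLAN5_PLAN = AddressPlan("vlan5", "192.168.5.0/24", gateway="192.168.5.1",
                         controller="192.168.5.254", dhcp_server="192.168.5.1")

# The page's Wireless_Management scope; controller and DHCP server addresses are assumed.
MGMT_SCOPE = AddressPlan("Wireless_Management", "192.168.200.0/24", gateway="192.168.200.1",
                         controller="192.168.200.254", dhcp_server="192.168.200.254",
                         pool=("192.168.200.240", "192.168.200.249"))

# Constructed mistake: the gateway typed with the controller's address.
MISTYPED_PLAN = AddressPlan("vlan5 (typo)", "192.168.5.0/24", gateway="192.168.5.254",
                            controller="192.168.5.254", dhcp_server="192.168.5.254")
```

check_plan(VLAN5_PLAN) and check_plan(MGMT_SCOPE) return no findings, while check_plan(MISTYPED_PLAN) reports the gateway/controller collision. Extending the reserved tuple with the addresses of PC-A and any other static hosts on the management network keeps the scope from leasing them out.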
Configure a WPA2 Enterprise WLAN
By default, all newly created WLANs on the WLC use WPA2 with Advanced Encryption Standard (AES) encryption, and 802.1X is the default authentication key management method. With 802.1X, the client's credentials are carried in EAP frames that the WLC relays to the RADIUS server, which makes the access decision. Because the network administrator already configured the WLC with the IPv4 address of the RADIUS server running on PC-A, the only configuration left is to create a new WLAN that uses interface vlan5.
Configuring a new WLAN on the WLC includes the following steps:
- Create a new WLAN.
- Configure the WLAN name and SSID.
- Enable the WLAN for VLAN 5.
- Verify AES and 802.1X defaults.
- Configure WLAN security to use the RADIUS server.
- Verify the new WLAN is available.
1. Create a new WLAN.
Click the WLANs tab and then Go to create a new WLAN, as shown in the figure.
2. Configure the WLAN name and SSID.
Fill in the profile name and SSID. To be consistent with the VLAN configured earlier, choose a WLAN ID of 5, although any unused ID would work. Click Apply to create the new WLAN, as shown in the figure.
3. Enable the WLAN for VLAN 5.
The WLAN is created but it still needs to be enabled and associated with the correct VLAN interface. Change the status to Enabled and choose vlan5 from the Interface/Interface Group(G) dropdown list. Click Apply and click OK to accept the popup message, as shown in the figure.