CiscoWorks Wireless LAN Solution Engine (WLSE)

Network Setup for Using WLSE 2.5 Radio Management Features

Document ID: 46528

Updated: Oct 22, 2004

Introduction

Cisco customers are greatly anticipating the introduction of radio management (RM) capabilities in the CiscoWorks Wireless LAN Solution Engine version 2.5 as part of phase two of the Cisco Structured Wireless Aware Network (SWAN). However, the new RM features introduce some new network device configuration requirements.

This application note covers the basic configurations required to use the SWAN radio management features only. There are, of course, more extensive configurations that can be implemented, but these are beyond the scope of this paper. The document is not an extensive technical tutorial on wireless LAN technology, the WLSE, or SWAN.

The intended audience of this document is Cisco employees supporting customers and Cisco customers testing and deploying the Cisco SWAN framework. Section 2.0 is a brief explanation of the SWAN components and how they interact. Section 3.0 describes the configuration of the various components. Appendix A contains a sample configuration from an access point.

Cisco Structured Wireless Aware Network

The components of the Cisco SWAN phase two are:

  • Cisco or Cisco Compatible version 2 802.11b client cards

  • Cisco Aironet Access Points (APs) running the IOS version 12.2.13(JA) or greater

  • CiscoWorks Wireless LAN Solution Engine (WLSE) version 2.5

The critical software component in the network is a set of IOS features called the Wireless Domain Services (WDS). The WDS are control path technologies that you must activate on an AP in each layer-2 domain; you can also define a backup WDS in each layer-2 domain. The WDS allows for the following:

  • Fast, secure layer-2 wireless client roaming

  • Radio Management (RM) data aggregation

Fast, secure layer-2 roaming is achieved because the WDS acts as an 802.1x proxy authenticator for wireless clients within the layer-2 network. A discussion on roaming is beyond the scope of this paper.

Within the SWAN hierarchy, APs and Cisco and Cisco Compatible version 2 wireless clients can be configured to take radio measurements and monitor the RF environment during operation. These measurements are aggregated by the WDS and the WLSE consumes the aggregated data.

All APs (including the AP hosting the WDS) in a layer-2 domain must authenticate and register with the WDS to take part in the SWAN hierarchy. In this document, APs registered and authenticated with the WDS are referred to as infrastructure APs.

During the registration process, the WDS discovers infrastructure APs automatically through layer-2 broadcast transactions. Each infrastructure AP is subsequently LEAP authenticated by the WDS. Once a discovered infrastructure AP is LEAP authenticated, it is considered registered and authenticated into the SWAN hierarchy.

The WLSE is the Wireless Network Manager (WNM) component of SWAN. It polls for RM data from the WDS and provides intelligent processing of these data. The WLSE can manage multiple subnets, so it can receive RM data from many APs running WDS.

The WLSE must register with the WDS in each managed layer-2 domain to receive RM data. The WLSE IP address must be entered as a configuration parameter on the WDS AP. A username and password are entered on the WLSE. This username and password are used by the WDS to LEAP authenticate the WLSE. Once the WLSE is authenticated, it is considered registered with the WDS and assumes the WNM role in the SWAN hierarchy.

Figure 1 illustrates the components of SWAN.

Figure 1.

SWAN components communicate through a Cisco proprietary technology known as Wireless LAN Context Communication Protocol (WLCCP).

Configure Devices to Participate in SWAN RM

There are six steps for setting up SWAN:

  • Configure read and read-write SNMP on all APs

  • Configure the WLSE

  • Configure RADIUS servers

  • Configure WDS on the appropriate APs

  • Configure infrastructure APs to register and authenticate with the WDS

  • Configure wireless client devices

Configure SNMP on all Access Points

All access points must be configured for SNMP read and read-write operations to be properly managed by the WLSE. The WLSE must be configured to use the correct SNMP communities. Section 3.2 describes how to configure SNMP communities in the WLSE.

The SNMP agent must be enabled either through the browser interface of the device or through the device’s IOS CLI along with a valid SNMP read-only and read-write community.

Configure SNMP Through the IOS Command Line Interface

Follow these steps to configure SNMP through the IOS CLI.

  1. Access the device through telnet, SSH, or console. All SNMP configuration is done with the snmp-server configuration command. The minimal command set required for the SNMP read-only community is:

    snmp-server view iso iso included
    snmp-server community <read-only community> view iso ro

  2. The minimal command set required for the SNMP read-write community is:

    snmp-server view iso iso included
    snmp-server community <read-write community> view iso rw

Configure SNMP Through the Access Point Web-based Interface

Follow these steps:

  1. Log in to the AP web-based GUI.

  2. Navigate to the SNMP configuration screen as follows:

    1. SERVICES

    2. SNMP

      Figure 2.

  3. Enable SNMP by selecting the Enabled radio button.

  4. Click Apply.

  5. Use the system fields to enter the following:

    1. Location (sysLocation)

    2. System Name (sysName)

    3. System Contact (sysContact)

  6. To configure the read-only SNMP community, enter the community string in the SNMP Community field.

  7. Enter iso in the Object Identifier (optional) field.

  8. Click Read-Only, then click Apply. See Figure 3.

    Figure 3.

  9. To configure the read-write SNMP community, enter the community string in the SNMP Community field.

  10. Enter iso in the Object Identifier (optional) field.

  11. Click Read-Write, then click Apply. See Figure 4.

    Figure 4.

Configure the WLSE

To use the WLSE as the WNM component of SWAN, enter the WLCCP username and password into the WLSE. This username and password are used to LEAP authenticate the WLSE to the WDS APs in the network.

  1. In the WLSE UI, navigate to the following:

    1. Devices

    2. Discover

    3. Device Credentials

    4. WLCCP Credentials

  2. Enter the RADIUS username and password.

  3. Click Save.

  4. You must also configure the correct SNMP read and read-write communities for the WLSE to use. In the WLSE web-based UI, navigate to the following:

    1. Devices

    2. Discover

    3. Device Credentials

    4. Credentials -- SNMP Communities

  5. Consult the WLSE documentation on the proper syntax for entering SNMP communities.

    Other important parameters that must be entered into the WLSE are the telnet/SSH credentials that the WLSE uses to log in to the AP CLI when configuring APs. Enter the telnet/SSH credentials in the WLSE interface found at Devices-->Discover-->Device Credentials-->Telnet/SSH User/Password. Consult the WLSE documentation on the proper syntax for entering telnet/SSH credentials into the WLSE.

Configure RADIUS Servers

All SWAN components must be LEAP authenticated by the WDS to participate. At a minimum, you must have a RADIUS server that supports LEAP that can authenticate SWAN members.

On the RADIUS server, the WDS APs need to be configured as Network Access Servers (NAS) supporting LEAP. You also need to configure at least one username and password that can be used by SWAN members for authentication to the WDS APs. For RADIUS servers that support wireless clients, the WDS APs must be configured as NAS supporting an appropriate authentication type. Consult your RADIUS server documentation for details on setting up devices as NAS.

LEAP is only required for SWAN member authentication. You can use a different authentication type such as EAP-TLS or PEAP for wireless clients. Section 3.4 describes the RADIUS server configuration process in the AP IOS.

A common problem occurs in environments where LEAP is not implemented for wireless clients. In these environments, you may choose to use the local RADIUS authentication server available on the IOS-based access points for authenticating SWAN members and a different authentication method for wireless clients. A detailed description on using the local RADIUS authentication server is beyond the scope of this paper. Consult the AP IOS documentation on using this service.

Configure Wireless Domain Services

Before making changes, back up and test the configurations on non-production devices.

Configuring WDS on the appropriate APs involves:

  • Defining the AAA server(s) that the WDS uses to LEAP authenticate infrastructure APs and/or wireless clients

  • Turning on the WDS and setting a WDS priority parameter

  • Configuring the WNM IP address

There are three ways to configure the WDS parameters on the access point.

  • AP web interface

  • AP command line interface

  • WLSE template interface

Appendix A contains a complete configuration from an IOS AP configured to run WDS.

Use the AP Web-based Interface to Configure Wireless Domain Services

Follow these steps to configure the WDS through the AP web-based interface:

  1. Log in to the AP.

  2. Navigate to the Wireless Services Table of Contents (TOC) section.

  3. Select the Settings tab.

  4. Enable WDS by selecting the Use this AP as Wireless Domain Services check-box.

  5. Enter a value between 1 and 255 in the Wireless Domain Services priority field.

    Note: The priority value is used to determine which AP is the active WDS AP when multiple APs are configured to run WDS. The highest priority is 255. Figure 5 illustrates these configuration parameters.

    Figure 5.

  6. Select the Configure Wireless Network Manager check-box.

  7. Enter the IP address of your WLSE in the Wireless Network Manager IP Address field.

  8. Select Apply to commit the WDS configuration. Figure 6 illustrates these configuration parameters.

    Figure 6.

    After turning on WDS on the AP, define the AAA server(s) that are used to LEAP authenticate infrastructure devices participating in SWAN.

  9. Navigate to WDS TOC section as follows:

    1. Go under Wireless Services.

    2. Select WDS TOC.

    3. Select the Server Groups tab.

  10. Enter a server group name.

  11. Select the appropriate AAA servers in the Priority drop down boxes.

    Note: If no AAA servers are entered into the AP, click the Define Servers link to add the servers. The AP online help can assist you in entering AAA servers into the AP. The newly defined group must have Infrastructure Authentication enabled as an option under Use Group For. Figure 7 illustrates these configuration options.

    Figure 7.

  12. If you are going to use WDS for wireless client authentication, configure another server group for client authentication and configure the appropriate authentication types. See the AP documentation for details on wireless client authentication using WDS.

Configure Wireless Domain Services at the AP Command Line Interface

You can also configure WDS through the IOS command line interface. The key steps are:

  • Configure AAA servers to authenticate SWAN infrastructure members and/or wireless clients

  • Configure the WDS

  • Configure the Wireless Network Manager (WNM)

  1. To configure your AAA servers and server groups, turn on AAA services with the command:

    aaa new-model

  2. Define the RADIUS servers that you will use for infrastructure and/or client authentication with the command:

    radius-server host <hostname or IP address> auth-port <port> acct-port <port> key <shared secret key>

    Note: Consult your RADIUS server documentation for the correct port numbers. CiscoSecure ACS uses port 1645 for authorization and 1646 for accounting.

  3. Define a server group for infrastructure authentication with the command:

    aaa group server radius <server group_name>
         server <radius server>

  4. Define at least one additional server group for wireless client authentication.

  5. Set up the WDS using the following command (in the priority field, 255 is highest):

    wlccp wds priority <1-255> interface BVI1

  6. Configure the Wireless Network Manager (WNM):

    wlccp wnm ip address <WLSE IP address>

  7. Configure the server group the WDS will use to LEAP authenticate SWAN infrastructure members:

    aaa authentication login <named authentication list> group <infrastructure authentication server group name>

    wlccp authentication-server infrastructure <named authentication list>

  8. Note: The WDS takes over 802.1x authenticator responsibilities for all APs in the subnet that are registered and authenticated with the WDS. This means that if you are using any EAP type for authentication, YOU MUST ALSO DEFINE A SEPARATE SERVER GROUP FOR CLIENT AUTHENTICATION.

    The server group for client authentication may contain the same servers defined in the group for infrastructure authentication. Use these commands:

    aaa authentication login <named authentication list> group <client authentication server group name>

    wlccp authentication-server client <any | eap | leap | mac> <named authentication list>

  9. The AP hosting WDS must also register and authenticate itself to the WDS to participate in the SWAN hierarchy, so the hosting AP is also an infrastructure AP. Configuring infrastructure APs is covered in the Configure Infrastructure APs section, but it is convenient to configure the parameters to authenticate and register the WDS host AP as an infrastructure AP at the same time you set up the WDS. Use this IOS command to accomplish this:

    wlccp ap username <username> password <password>

    Note:  Appendix A contains an example WDS AP configuration file.
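The CLI steps above depend on a chain of references that must all resolve: each wlccp authentication-server statement names a method list, each list names a server group, and every server in a group needs its own radius-server host entry. The following Python check is an added example, not Cisco's code or part of the original document. The function names, finding codes and sample configuration are constructed for illustration, and the default-community and cleartext-secret findings are hygiene checks added here rather than requirements stated on this page.

```python
import re

DEFAULT_COMMUNITIES = {"public", "private"}  # well-known default strings

# Constructed sample with deliberate mistakes; every name and address is a placeholder.
SAMPLE_CONFIG = """\
aaa group server radius grp_infra
 server 192.0.2.10 auth-port 1645 acct-port 1646
 server 192.0.2.11 auth-port 1645 acct-port 1646
aaa authentication login list_infra group grp_infra
aaa authentication login list_client group grp_infra
snmp-server community public view iso RO
snmp-server community rw-example-string view iso RW
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646 key 0 example-secret
wlccp authentication-server infrastructure list_infra
wlccp authentication-server client eap list_client
wlccp authentication-server client leap list_missing
wlccp wds priority 255 interface BVI1
wlccp wnm ip address 192.0.2.50
"""


def parse_config(text):
    """Collect the AAA, RADIUS, SNMP and WLCCP statements of an AP config."""
    cfg = {"groups": {}, "lists": {}, "hosts": set(), "secrets": {}, "communities": [],
           "infra": None, "client": {}, "wds": False, "wnm": None, "ap_user": None}
    group = None  # server group whose "server" sub-commands are being read
    for line in filter(None, map(str.strip, text.splitlines())):
        m = re.match(r"server (\S+)", line)
        if m and group:
            cfg["groups"][group].append(m.group(1))
            continue
        group = None
        if m := re.match(r"aaa group server radius (\S+)", line):
            group = m.group(1)
            cfg["groups"][group] = []
        elif m := re.match(r"aaa authentication login (\S+) group (\S+)", line):
            cfg["lists"][m.group(1)] = m.group(2)
        elif m := re.match(r"radius-server host (\S+)", line):
            cfg["hosts"].add(m.group(1))
            key = re.search(r" key (?:(\d) )?\S+", line)
            if key:  # type "7" is the encoded form; "0" or no type digit is cleartext
                cfg["secrets"][f"radius-server host {m.group(1)}"] = key.group(1) or "0"
        elif m := re.match(r"snmp-server community (\S+)(?: view \S+)? (ro|rw)\b", line, re.I):
            cfg["communities"].append((m.group(1), m.group(2).upper()))
        elif m := re.match(r"wlccp authentication-server infrastructure (\S+)", line):
            cfg["infra"] = m.group(1)
        elif m := re.match(r"wlccp authentication-server client (\S+) (\S+)", line):
            cfg["client"][m.group(1)] = m.group(2)
        elif re.match(r"wlccp wds priority \d+", line):
            cfg["wds"] = True
        elif m := re.match(r"wlccp wnm ip address (\S+)", line):
            cfg["wnm"] = m.group(1)
        elif m := re.match(r"wlccp ap username (\S+) password (?:(\d) )?\S+", line):
            cfg["ap_user"] = m.group(1)
            cfg["secrets"]["wlccp ap username"] = m.group(2) or "0"
    return cfg


def audit_wds_config(text):
    """Return (code, message) findings for a config that is meant to host WDS."""
    cfg, findings = parse_config(text), []
    def add(code, msg):
        if (code, msg) not in findings:
            findings.append((code, msg))
    # Statements the page requires on the AP that hosts WDS.
    required = {"wds": "wlccp wds priority", "wnm": "wlccp wnm ip address",
                "ap_user": "wlccp ap username",
                "infra": "wlccp authentication-server infrastructure"}
    for field, stmt in required.items():
        if not cfg[field]:
            add(f"NO_{field.upper()}", f"missing '{stmt}'")
    # Every WLCCP method list must resolve: list -> server group -> radius-server host.
    infra_group = cfg["lists"].get(cfg["infra"])
    roles = [("infrastructure", cfg["infra"])] if cfg["infra"] else []
    roles += [(f"client {kind}", name) for kind, name in cfg["client"].items()]
    for role, name in roles:
        grp = cfg["lists"].get(name)
        if grp not in cfg["groups"]:
            add("UNRESOLVED_LIST", f"{role}: '{name}' does not resolve to a defined server group")
            continue
        if role != "infrastructure" and grp == infra_group:
            add("SHARED_SERVER_GROUP", f"{role}: reuses infrastructure group '{grp}'")
        for srv in cfg["groups"][grp]:
            if srv not in cfg["hosts"]:
                add("SERVER_NOT_DEFINED", f"{srv} in '{grp}' has no 'radius-server host'")
    for need in sorted({"RO", "RW"} - {mode for _, mode in cfg["communities"]}):
        add(f"SNMP_MISSING_{need}", f"no {need} community defined")  # WLSE needs both
    # Hygiene checks added for this example, not requirements stated on the page.
    for name, mode in cfg["communities"]:
        if name.lower() in DEFAULT_COMMUNITIES:
            add("DEFAULT_COMMUNITY", f"{mode} community uses a well-known default string")
    for where in (w for w, kind in cfg["secrets"].items() if kind == "0"):
        add("CLEARTEXT_SECRET", f"{where}: secret is stored in cleartext")
    return findings


if __name__ == "__main__":
    print("\n".join(f"{c}: {m}" for c, m in audit_wds_config(SAMPLE_CONFIG)))
```

Run against the constructed sample, the check reports the missing wlccp ap username statement, the undefined RADIUS host, the client list that reuses the infrastructure server group, the unresolved LEAP client list, the default community string and the cleartext RADIUS key.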

Use the WLSE to Configure WDS

You can use the WLSE to configure WDS on one or more APs. However, it does require that the APs are already discovered by the WLSE and running 12.2(13)JA AP IOS code or later.

These steps require the use of the WLSE:

  • Create a configuration template to setup AAA servers and the WDS

  • Apply the configuration template to the appropriate APs with a configuration job.

To create the configuration template:

  1. Log in to the WLSE web interface.

  2. Navigate to Configure-->Templates.

  3. Enter a template name, selecting IOS as the template type.

  4. Click Create New to access the template creation wizard.

  5. Enter these:

    • AAA servers that will be used to LEAP authenticate the infrastructure APs and the WLSE to the WDS

    • AAA servers that will be used to authenticate wireless client devices

  6. To enter AAA servers, select the Security-->Server Manager section of the template wizard.

  7. Enter the AAA servers and appropriate parameters, as illustrated in Figure 8.

    Figure 8.

  8. To configure the WDS parameters, select the Wireless Services and then WDS template sections.

  9. Under Global Properties, select Enable as the option for Use this AP as Wireless Domain Services.

  10. Enter a priority value for the WDS priority (255 is the highest).

  11. Enter the WLSE IP address in the WNM IP Address field.

  12. Now configure a server group to authenticate the SWAN infrastructure components. Enter one or more server names or enter the appropriate server IP addresses.

  13. Under the Use Group For section, select Infrastructure Authentication. Click Save.

    Note: The WDS takes over 802.1x authenticator responsibilities for all APs in the subnet that are registered and authenticated with the WDS. This means that if you use any EAP type for authentication, YOU MUST ALSO DEFINE A SEPARATE SERVER GROUP FOR CLIENT AUTHENTICATION.

    The server group for client authentication may contain the same servers defined in the group for infrastructure authentication.

  14. To define a server group for client authentication, add another server group but go to the Use Group For section and select Client Authentication. Then select the appropriate client authentication settings.

  15. Click Save. Figure 9 illustrates WDS and server group configuration in a WLSE template wizard.

    Figure 9.

  16. To include these parameters in the WLSE configuration template, navigate to Wireless Services and then the Configuration section of the template wizard.

  17. Select Enabled as the Wireless Services option. Enter a username and password that can be LEAP authenticated by the AAA servers in the infrastructure server group (see Figure 11).

  18. To preview, click the Preview section of the WLSE configuration template wizard.

    A preview of the newly created template looks like the following:

    In this example, two AAA servers are defined—172.20.98.202 and 172.20.98.204. These servers are used for infrastructure authentication and client authentication. The server group for authenticating infrastructure devices is named “wlccp_rad_infra” and the server group for authenticating wireless clients is named “wlccp_rad_client”.

    Wireless Services: WDS - Wireless Domain Services - Settings

    Wireless Services: AP

    wlccp ap username wlccp_user password cisco

    Security: Server Manager

    aaa new-model
    radius-server host 172.20.98.204 key 0 arachnid
    radius-server host 172.20.98.202 key 0 arachnid

    Wireless Services: WDS - Wireless Domain Services - Settings

    wlccp wds priority 255 interface BVI 1
    wlccp wnm ip address 172.20.98.221
    aaa new-model
    aaa group server radius wlccp_rad_infra
      server 172.20.98.204
      server 172.20.98.202
    aaa authentication login method_wlccp_rad_infra group wlccp_rad_infra
    wlccp authentication-server infrastructure method_wlccp_rad_infra
    aaa group server radius wlccp_rad_client
      server 172.20.98.204
      server 172.20.98.202
    aaa authentication login method_wlccp_rad_client group wlccp_rad_client
    wlccp authentication-server client eap method_wlccp_rad_client
    wlccp authentication-server client leap method_wlccp_rad_client

  19. Verify the content in the Preview section of the WLSE configuration template wizard.

  20. Select Save.

    Note: If you see an error message indicating that the WLSE cannot process the configuration because no valid device version is supported for the template, you can ignore it. This message is a known bug.

  21. After you select Save, a popup window appears with the option of applying the template immediately or saving it for later.

    1. To apply the template immediately, select Yes. You are navigated to the job creation wizard.

    2. To save it for later, select No.

  22. To apply the configuration to the appropriate APs, you must use the job creation wizard. Go to Configure and then the Jobs WLSE interface.

    Note: Refer to the WLSE documentation for details on creating configuration jobs.

Configure Infrastructure APs

Infrastructure APs begin participation in SWAN when they register and LEAP authenticate with the WDS. The only required configuration on infrastructure APs is the username and password to use to register with the WDS. The AP hosting WDS must also register and authenticate to the WDS to participate in the SWAN hierarchy, so the hosting AP is also an infrastructure AP. You can configure infrastructure APs in three ways:

  • AP web-based interface

  • AP IOS command line interface

  • WLSE configuration job

Configure Infrastructure APs Through the Web-based Interface

Follow these steps:

  1. Log in to the AP web-based interface.

  2. Navigate to the Wireless Services Table of Contents item.

  3. Select the AP.

  4. Enable wireless services by selecting the appropriate radio button.

  5. Enter the username and password that are used to authenticate the infrastructure AP to the WDS.

  6. Click Apply to commit the configuration. Figure 10 illustrates the configuration parameters.

    Figure 10.

Configure Infrastructure APs through the IOS Command Line Interface

To configure infrastructure APs through the IOS command line interface, enter this command:

    wlccp ap username <username> password <password>

Configure Infrastructure APs Using a WLSE Configuration Job

You can use the WLSE to configure multiple infrastructure APs in a single job with a template for infrastructure APs only. Consult the WLSE online help and documentation on configuration jobs. The relevant section of the WLSE template wizard is Wireless Services (see Figures 8 and 11).

  1. To configure the username and password used to authenticate the AP to the WDS, go to Wireless Services and select AP Configuration.

  2. Select the radio button to enable wireless services.

  3. Enter the username and password that are to be LEAP authenticated. Figure 11 illustrates these options.

  4. Apply the template to the appropriate devices by creating a configuration job.

    Figure 11.

Configure Wireless Clients

You can use Cisco and non-Cisco client adapters that are Cisco Compatible Extensions version 2 compliant to feed radio measurements into the Cisco Structured Wireless Aware Network (SWAN). Cisco client adapters must be running the Carbon release of firmware. This document only contains instructions for Cisco client adapters.

When you create or edit a wireless profile, select the Enable Radio Management check-box under the Advanced Infrastructure tab. This allows Cisco wireless clients to participate in SWAN.

Confirm the Configurations

Once you complete the device configurations, you can use two methods to confirm the configurations are correct and that the SWAN components are properly communicating:

  • Web-based interface on the WDS APs

  • IOS command line interface on the WDS AP

Use the Web-based Interface on the WDS AP

Follow these steps:

  1. Log in to the web interface on the WDS AP.

  2. Navigate to the Wireless Services Table of Contents section.

  3. Select the WDS sub-section.

  4. Select the WDS Status tab.

  5. Confirm that WDS Registration and AP Information show the correct number of APs (all infrastructure APs and the WDS AP).

    Wireless clients participating in SWAN are shown in the Mobile Node Information section. The WLSE is shown in the Wireless Network Manager section. If the WLSE authentication status is shown as Security Keys Setup, the WLSE is properly registered.

    Figure 12 is a screen shot that shows these status indicators.

    Figure 12.

Use the IOS Command Line Interface to Validate the Configurations

The IOS command line on the WDS APs is used to validate the configurations.

  1. To validate the WDS configuration, issue the command:

    show wlccp wds ap

    This lists all of the registered APs. You should see the infrastructure APs listed.

    AP1100-VLAN12-Fe0-1# show wlccp wds ap
        MAC-ADDR       IP-ADDR          STATE         LIFETIME
    000d.28f2.33ea     10.1.12.19      REGISTERED      171
    000d.28f2.3426     10.1.12.23      REGISTERED      173
    000d.28f2.3436     10.1.12.22      REGISTERED      183
    000c.8576.326e     10.1.12.18      REGISTERED      497

  2. To validate that the WLSE is correctly registered, issue the command:

    show wlccp wnm status

    This lists the WLSE IP address, and you should see Security Keys Setup in the status field. For example:

    AP1100-VLAN12-Fe0-1# show wlccp wnm status
    WNM IP Address : 172.20.98.221 Status : SECURITY KEYS SETUP
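
The two validation commands above can be checked against an inventory instead of by eye. This Python sketch is an added example, not part of the original Cisco document. It parses output in the format shown above and reports APs that should be registered but are not, registered APs that are not in the inventory, and whether the WLSE has reached Security Keys Setup. The function names, the inventory and the sample output are constructed for illustration.

```python
import re

# Constructed sample output in the format shown above; MACs and addresses are placeholders.
SAMPLE_WDS_AP = """\
ap-wds# show wlccp wds ap
    MAC-ADDR       IP-ADDR          STATE         LIFETIME
0000.5e00.5301     192.0.2.19      REGISTERED      171
0000.5e00.5302     192.0.2.23      REGISTERED      173
0000.5e00.5399     192.0.2.77      REGISTERED      183
"""
SAMPLE_WNM = """\
ap-wds# show wlccp wnm status
WNM IP Address : 192.0.2.50 Status : SECURITY KEYS SETUP
"""

# One table row: MAC in dotted-hex form, IPv4 address, state keyword, lifetime.
AP_ROW = re.compile(
    r"^\s*((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+(\d+(?:\.\d+){3})\s+(\S+)\s+(\d+)\s*$",
    re.I | re.M)
WNM_ROW = re.compile(r"WNM IP Address\s*:\s*(\S+)\s+Status\s*:\s*(.+?)\s*$", re.M)


def parse_wds_ap(output):
    """Map each AP MAC address to its (IP address, state, lifetime) row."""
    return {mac.lower(): (ip, state.upper(), int(life))
            for mac, ip, state, life in AP_ROW.findall(output)}


def parse_wnm_status(output):
    """Return (WNM IP address, status), or None when no WNM line is present."""
    m = WNM_ROW.search(output)
    return (m.group(1), m.group(2).upper()) if m else None


def check_swan_registration(ap_output, wnm_output, expected_aps, wlse_ip):
    """Compare what the WDS reports with the APs and WLSE that should be registered."""
    seen = parse_wds_ap(ap_output)
    registered = {mac for mac, (_, state, _) in seen.items() if state == "REGISTERED"}
    expected = {mac.lower() for mac in expected_aps}
    return {
        "missing": sorted(expected - registered),     # in inventory, not registered
        "unexpected": sorted(registered - expected),  # registered, not in inventory
        "wnm_ok": parse_wnm_status(wnm_output) == (wlse_ip, "SECURITY KEYS SETUP"),
    }


if __name__ == "__main__":
    inventory = ["0000.5e00.5301", "0000.5e00.5302", "0000.5e00.5303"]  # constructed
    print(check_swan_registration(SAMPLE_WDS_AP, SAMPLE_WNM, inventory, "192.0.2.50"))
```

An entry under "unexpected" means a device outside the inventory completed LEAP authentication with the WDS, which is worth reconciling against the RADIUS server's authentication records.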
    

Appendix A—WDS Access Point Configuration Example

!
! This is the configuration from a Cisco Aironet 1100
! Wireless Access Point running IOS version 12.2(13)JA.
!
! The Access Point is configured to run the Wireless
! Domain Services (WDS) within the Cisco Structured
! Wireless Aware Network (SWAN) and authenticate wireless
! clients.
!
! This configuration is supplied only as an example and,
! as such, is not intended to represent “best practices”
! or as a recommended configuration from Cisco Systems.
!
! Note that a large portion of the configuration has
! been removed because these configuration commands are
! contextually irrelevant.  Only basic commands required
! for WLSE management and WDS are included.
!
! This configuration example is not supported by Cisco
! Systems.
!
! The commands required for Wireless Domain Services
! configuration are in bold and have embedded descriptive
! comments.
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname ap1100-1
!
enable password 7 032752180500
!
username Cisco password 7 05280F1C2243
ip subnet-zero
!
!
! The following command turns on AAA services in the IOS
!
aaa new-model
!
!
! The following command defines a RADIUS server group
! named “wlccp_wds_infra” that is used by the AP to
! authenticate SWAN components (infrastructure APs and
! the WLSE WNM component).
!
! Note that two RADIUS servers are defined which use port
! 1645 as the authentication port and port 1646 as the
! RADIUS accounting port.
!
! Each of the RADIUS servers listed below will also need
! to be defined in the IOS configuration using the command
! “radius-server”.
!
aaa group server radius wlccp_wds_infra
 server 172.20.98.204 auth-port 1645 acct-port 1646
 server 172.20.98.202 auth-port 1645 acct-port 1646
!
!
! The following command defines a RADIUS server group
! named “wlccp_wds_client” that is used by the AP to
! authenticate wireless client devices.
!
! The WDS acts as a proxy 802.1x authenticator for all of
! the infrastructure APs registered and authenticated with
! it, so at least one server group for wireless client
! devices that supports the appropriate authentication type
! must be defined on the WDS AP.
!
! In this example, there are two RADIUS servers defined for
! authenticating wireless clients, that use port 1645 for
! authentication and port 1646 for RADIUS accounting.
!
! Note that in this example, the RADIUS servers in the
! server group for wireless client authentication are the
! same servers that are used to authenticate SWAN
! infrastructure components.  There are two important
! points to understand:
!
!     1. It is not a requirement to have the same
!        servers or authentication type for SWAN
!        infrastructure authentication and wireless client
!        authentication.  You can define different servers
!        for your SWAN infrastructure and your wireless
!        client devices.
!
!     2. Even if you are using the same RADIUS servers for
!        SWAN infrastructure authentication and wireless
!        client authentication, you still need to configure
!        separate server groups—one for SWAN infrastructure
!        authentication and at least one group for wireless
!        client authentication.
!
aaa group server radius wlccp_wds_client
 server 172.20.98.204 auth-port 1645 acct-port 1646
 server 172.20.98.202 auth-port 1645 acct-port 1646
!
!
! The following command describes an authentication login
! sequence “alias” that is used by the WDS process when it
! authenticates SWAN infrastructure components.  The
! “alias” is “method_wlccp_wds_infra” and refers to
! the RADIUS server group used to authenticate SWAN
! infrastructure components.  The alias will be
! referenced by the wlccp command.
!
aaa authentication login method_wlccp_wds_infra group wlccp_wds_infra
!
!
! The following command describes an authentication login
! sequence “alias” that is used by the WDS process when it
! acts as a proxy authenticator for wireless client
! components.  The “alias” is “method_wlccp_wds_client”
! and refers to the RADIUS server group used to authenticate
! wireless clients.  The alias will be referenced by the
! wlccp command.
!
aaa authentication login method_wlccp_wds_client group wlccp_wds_client
!
aaa authorization exec default local
aaa authorization ipmobile default group rad_pmip
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 holdoff-time 600
!
!
! Note that a large part of the configuration file has been
! removed here because it is contextually irrelevant (to
! this document).
!
ip radius source-interface BVI1
!
! The following command defines an SNMP “view”.  The view
! defines the scope of visibility into the IETF MIB tree
! structure.  By defining the view to include “iso”, we
! include the entire IETF MIB tree structure.
!
snmp-server view iso iso included
!
! The following command defines the SNMP read-only
! community.  Note that we include the “iso” view to
! ensure the WLSE has read access to the entire IETF
! MIB tree.
!
snmp-server community public view iso RO
!
! The following command defines the SNMP read-write
! community.  Note that we include the “iso” view to
! ensure the WLSE has write access to the entire IETF MIB
! tree.
!
snmp-server community private view iso RW
!
! The following commands populate key RFC1213 MIB variables
! (in the System MIB Table).  They are not actually
! required, but are useful to SNMP managers.
!
snmp-server location Home Lab
snmp-server contact Jake Woodhams
snmp-server chassis-id ap1100-1
!
snmp-server enable traps tty
!
!
! The following commands define the RADIUS servers that
! will be used by the system.  The required information
! is:
!
!     Server hostname or IP address
!     Authentication port number
!     Accounting port number
!     Shared secret key
!
! You need to have a “radius-server” entry for each
! RADIUS server that will be used to authenticate
! SWAN infrastructure components AND wireless clients.
!
! You need to enter the RADIUS servers using the
! “radius-server” command even though you have defined
! servers within a server group.
!
radius-server host 172.20.98.204 auth-port 1645 acct-port 1646 key 7 070E334D4D01170C13
!
radius-server host 172.20.98.202 auth-port 1645 acct-port 1646 key 7 06071D204F46071001
!
radius-server attribute 32 include-in-access-req format %h
radius-server authorization permit missing Service-Type
radius-server vsa send accounting
!
bridge 1 route ip
!
!
! The following command defines the RADIUS server group
! alias the WDS will reference when it authenticates SWAN
! components.  The “alias” (in this example,
! “method_wlccp_wds_infra”) must be defined by the command
! “aaa authentication login”.
!
wlccp authentication-server infrastructure method_wlccp_wds_infra
!
!
! The following command defines the RADIUS server group
! alias the WDS will reference when it authenticates
! wireless clients.  The “alias” (in this example,
! “method_wlccp_wds_client”) must be defined by the command
! “aaa authentication login”.
!
! Note here that there are two entries—one for EAP and
! another for LEAP.  In this example, there are wireless
! clients that are authenticated using both EAP-TLS and
! LEAP, so in this case, separate entries for EAP and
! LEAP are required even though they both point to the
! same alias.
!
wlccp authentication-server client eap method_wlccp_wds_client
!
wlccp authentication-server client leap method_wlccp_wds_client
!
!
! The following command turns on the Wireless Domain
! Services.  The priority set to 255 ensures that this
! AP will be the active WDS host if there is more than
! one WDS AP configured on the subnet.
!
! The interface will default to the BVI1 bridge-group. You
! should just use the default setting.  The interface part
! of the command defines the interface the WDS will use
! to advertise itself over the wired network as the WDS
! and then authenticate any SWAN infrastructure components
! seeking to register with the WDS.
!
wlccp wds priority 255 interface BVI1
!
!
! The following command defines the “Wireless Network
! Manager” (WNM).  The WNM should be the address of the
! WLSE.
!
wlccp wnm ip address 192.168.100.200
!
!
! The following command defines the username and
! password that will be used to authenticate the AP to the
! WDS.  Remember that the AP hosting the WDS must also
! register and authenticate to the WDS to participate
! in SWAN.
!
! In this example, the username is “wlccp_user” and the
! password is type 7 encoded (reversible obfuscation, not
! a hash) to obscure it in the config file.
!
wlccp ap username wlccp_user password 7 104D000A0618
!
line con 0
line vty 5 15
!
end
