Cisco Wireless LAN Controller Configuration Guide, Release 4.0
Chapter 6 - Configuring WLANs
Downloads: This chapterpdf (PDF - 1.49MB) The complete bookPDF (PDF - 12.59MB) | Feedback

Configuring WLANs

Table Of Contents

Configuring WLANs

WLAN Overview

Configuring WLANs

Displaying, Creating, Disabling, and Deleting WLANs

Activating WLANs

Configuring DHCP

Internal DHCP Server

External DHCP Servers

Using the GUI to Configure DHCP

Using the CLI to Configure DHCP

Configuring MAC Filtering for WLANs

Enabling MAC Filtering

Creating a Local MAC Filter

Configuring a Timeout for Disabled Clients

Assigning WLANs to VLANs

Configuring Layer 2 Security

Static WEP Keys

Dynamic 802.1X Keys and Authorization

Configuring a WLAN for Both Static and Dynamic WEP

WPA1 and WPA2

CKIP

Configuring Layer 3 Security

VPN Passthrough

Web-Based Authentication

Local Netuser

Configuring 802.3 Bridging

Configuring Quality of Service

Configuring QoS Enhanced BSS (QBSS)

Configuring Quality of Service Profiles

Configuring Cisco Client Extensions

Using the GUI to Configure CCX Aironet IEs

Using the GUI to View a Client's CCX Version

Using the CLI to Configure CCX Aironet IEs

Using the CLI to View a Client's CCX Version

Enabling WLAN Override

Using the GUI to Enable WLAN Override

Using the CLI to Enable WLAN Override

Configuring Access Point Groups

Creating Access Point Groups

Assigning Access Points to Access Point Groups

Configuring Multiple WLANs with the Same SSID

Additions to the Controller GUI

Addition to the Controller CLI

Configuring Conditional Web Redirect with 802.1X Authentication

Configuring the RADIUS Server

Using the GUI to Configure Conditional Web Redirect

Using the CLI to Configure Conditional Web Redirect

Disabling Accounting Servers per WLAN


Configuring WLANs


This chapter describes how to configure up to 16 WLANs for your Cisco UWN Solution. It contains these sections:

WLAN Overview

Configuring WLANs

WLAN Overview

The Cisco UWN Solution can control up to 16 WLANs for lightweight access points. Each WLAN has a separate WLAN ID (1 through 16), a separate WLAN SSID (WLAN name), and can be assigned unique security policies.

Lightweight access points broadcast all active Cisco UWN Solution WLAN SSIDs and enforce the policies that you define for each WLAN.


Note Cisco recommends that you assign one set of VLANs for WLANs and a different set of VLANs for management interfaces to ensure that controllers properly route VLAN traffic.


Configuring WLANs

These sections describe how to configure WLANs:

Displaying, Creating, Disabling, and Deleting WLANs

Activating WLANs

Configuring DHCP

Configuring MAC Filtering for WLANs

Assigning WLANs to VLANs

Configuring Layer 2 Security

Configuring Layer 3 Security

Configuring 802.3 Bridging

Configuring Quality of Service

Configuring Cisco Client Extensions

Configuring Access Point Groups

Configuring Multiple WLANs with the Same SSID

Configuring Conditional Web Redirect with 802.1X Authentication

Disabling Accounting Servers per WLAN

Displaying, Creating, Disabling, and Deleting WLANs

On the controller CLI, enter these commands to display, create, disable, and delete WLANs:

Enter show wlan summary to display existing WLANs and whether they are enabled or disabled. Note that each WLAN is assigned a WLAN ID from 1 to 16.

Enter config wlan create wlan-id wlan-name to create a new WLAN. For wlan-id, enter an ID from 1 to 16. For wlan-name, enter an SSID of up to 31 alphanumeric characters.


Note For release 4.0.206.0 and greater , the command format is expanded to allow support for multiple WLANs with the same SSID. To distinguish between the two WLANs, a unique profile name is added. The definition of the profile name is added to the command as follows: config wlan create wlan_id profile_name ssid. If you do not specify an ssid the profile_name parameter is used for both the profile name and the SSID. Refer to the "Configuring Multiple WLANs with the Same SSID" section for more details.



Note When WLAN 1 is created in the configuration wizard, it is created in enabled mode; disable it until you have finished configuring it. When you create a new WLAN using the config wlan create command, it is created in disabled mode; leave it disabled until you have finished configuring it.


Enter config wlan disable wlan-id to disable a WLAN, before making any modifications.


Note If the management and AP-manager interfaces are mapped to the same port and are members of the same VLAN, you must disable the WLAN before making a port-mapping change to either interface. If the management and AP-manager interfaces are assigned to different VLANs, you do not need to disable the WLAN.


Enter config wlan enable wlan-id to enable a WLAN.

Enter config wlan delete wlan-id to delete a WLAN.

Activating WLANs

After you have completely configured your WLAN settings, enter config wlan enable wlan-id to activate the WLAN.

Configuring DHCP

WLANs can be configured to use the same or different DHCP servers or no DHCP server. Two types of DHCP servers are available: internal and external.


Note When using the Layer 3 LWAPP mode, you should configure the management and AP-manager interfaces to be on the same subnet so that access points can join the controller.


Internal DHCP Server

The controllers contain an internal DHCP server. This server is typically used in branch offices that do not already have a DHCP server. The wireless network generally contains 10 access points or fewer, with the access points on the same IP subnet as the controller. The internal server provides DHCP addresses to wireless clients, direct-connect access points, appliance-mode access points on the management interface, and DHCP requests that are relayed from access points. Only lightweight access points are supported.

DHCP option 43 is not supported on the internal server. Therefore, the access point must use an alternative method to locate the management interface IP address of the controller, such as local subnet broadcast, DNS, priming, or over-the-air discovery.


Note Refer to Chapter 7 or the Controller Deployment Guide at this URL for more information on how access points find controllers:
http://www.cisco.com/en/US/products/ps6366/prod_technical_reference_list.html


External DHCP Servers

The operating system is designed to appear as a DHCP Relay to the network and as a DHCP server to clients with industry-standard external DHCP servers that support DHCP Relay. This means that each controller appears as a DHCP Relay agent to the DHCP server. This also means that the controller appears as a DHCP server at the virtual IP Address to wireless clients.

Because the controller captures the client IP address obtained from a DHCP server, it maintains the same IP address for that client during intra-controller, inter-controller, and inter-subnet client roaming.

Per-WLAN Assignment

WLANs that support management over wireless must allow management (device-servicing) clients to obtain an IP address from a DHCP server. See the "Using Management over Wireless" section on page 5-6 for instructions on configuring management over wireless.

Per-Interface Assignment

You can assign DHCP servers for individual interfaces. The Layer 2 management interface, Layer 3 AP-manager interface, and dynamic interfaces can be configured for a primary and secondary DHCP server, and the service-port interface can be configured to enable or disable DHCP servers.


Note Refer to Chapter 3 for information on configuring the controller's interfaces.


Security Considerations

For enhanced security, Cisco recommends that operators require all clients to obtain their IP addresses from a DHCP server. To enforce this requirement, all WLANs can be configured with a DHCP Required setting and a valid DHCP server IP address, which disallows client static IP addresses. If DHCP Required is selected, clients must obtain an IP address via DHCP. Any client with a static IP address is not be allowed on the network. The controller monitors DHCP traffic because it acts as a DHCP proxy for the clients.

If slightly less security is tolerable, operators can create WLANs with DHCP Required disabled and a valid DHCP server IP address. Clients then have the option of using a static IP address or obtaining an IP address from the designated DHCP server.

Operators are also allowed to create separate WLANs with DHCP Required disabled and a DHCP server IP address of 0.0.0.0. These WLANs drop all DHCP requests and force clients to use a static IP address. Note that these WLANs do not support management over wireless connections.

This section provides both GUI and CLI instructions for configuring your WLAN to use a DHCP server.

Using the GUI to Configure DHCP

Follow these steps to use the GUI to configure DHCP.


Step 1 In the web user interface, navigate to the WLANs page.

Step 2 Locate the WLAN which you wish to configure for a DHCP server, and click the associated Edit link to display the WLANs > Edit page.

Step 3 Under General Policies, check the DHCP Relay/DHCP Server IP Addr check box to verify whether you have a valid DHCP server assigned to the WLAN. If you have no DHCP server assigned to the WLAN, continue with Step 4. Otherwise, continue with Step 9.

Step 4 Under General Policies, uncheck the Admin Status check box.

Step 5 Click Apply to disable the WLAN.

Step 6 In the DHCP Relay/DHCP Server IP Addr edit box, enter a valid DHCP server IP address for this WLAN.

Step 7 Under General Policies, check the Admin Status check box.

Step 8 Click Apply to assign the DHCP server to the WLAN and to enable the WLAN. You are returned to the WLANs page.

Step 9 In the upper-right corner of the WLANs page, click Ping and enter the DHCP server IP address to verify that the WLAN can communicate with the DHCP server.


Using the CLI to Configure DHCP

Follow these steps to use the CLI to configure DHCP.


Step 1 In the CLI, enter show wlan to verify whether you have a valid DHCP server assigned to the WLAN. If you have no DHCP server assigned to the WLAN, continue with Step 2. Otherwise, continue with Step 4.

Step 2 If necessary, use these commands:

config wlan disable wlan-id

config wlan dhcp_server wlan-id dhcp-server-ip-address

config wlan enable wlan-id

In these commands, wlan-id = 1 through 16, and dhcp-server-ip-address = DHCP server IP address.

Step 3 Enter show wlan to verify that you have a DHCP server assigned to the WLAN.

Step 4 Enter ping dhcp-ip-address to verify that the WLAN can communicate with the DHCP server.


Configuring MAC Filtering for WLANs

When you use MAC filtering for client or administrator authorization, you need to enable it at the WLAN level first. If you plan to use local MAC address filtering for any WLAN, use the commands in this section to configure MAC filtering for a WLAN.

Enabling MAC Filtering

Use these commands to enable MAC filtering on a WLAN:

Enter config wlan mac-filtering enable wlan-id to enable MAC filtering.

Enter show wlan to verify that you have MAC filtering enabled for the WLAN.

When you enable MAC filtering, only the MAC addresses that you add to the WLAN are allowed to join the WLAN. MAC addresses that have not been added are not allowed to join the WLAN.

Creating a Local MAC Filter

Controllers have built-in MAC filtering capability, similar to that provided by a RADIUS authorization server.

Use these commands to add MAC addresses to a WLAN MAC filter:

Enter show macfilter to view MAC addresses assigned to WLANs.

Enter config macfilter add mac-addr wlan-id to assign a MAC address to a WLAN MAC filter.

Enter show macfilter to verify that MAC addresses are assigned to the WLAN.

Configuring a Timeout for Disabled Clients

You can configure a timeout for disabled clients. Clients who fail to authenticate three times when attempting to associate are automatically disabled from further association attempts. After the timeout period expires, the client is allowed to retry authentication until it associates or fails authentication and is excluded again. Use these commands to configure a timeout for disabled clients:

Enter config wlan blacklist wlan-id timeout to configure the timeout for disabled clients. Enter a timeout from 1 to 65535 seconds, or enter 0 to permanently disable the client.

Use the show wlan command to verify the current timeout.

Assigning WLANs to VLANs

Use these commands to assign a WLAN to a VLAN:

Enter this command to assign a WLAN to a VLAN:

config wlan vlan wlan-id {default | untagged | vlan-id controller-vlan-ip-address vlan-netmask vlan-gateway}

Use the default option to assign the WLAN to the VLAN configured on the network port.

Use the untagged option to assign the WLAN to VLAN 0.

Use the vlan-id, controller-vlan-ip-address, vlan-netmask, and vlan-gateway options to assign the WLAN to a specific VLAN and to specify the controller VLAN IP address, the local IP netmask for the VLAN, and the local IP gateway for the VLAN.

Enter show wlan to verify VLAN assignment status.


Note Cisco recommends that you assign one set of VLANs for WLANs and a different set of VLANs for management interfaces to ensure that controllers properly route VLAN traffic.


To remove a VLAN assignment from a WLAN, use this command:

config wlan vlan wlan-id untagged

Configuring Layer 2 Security

This section explains how to assign Layer 2 security settings to WLANs.


Note Clients using the Microsoft Wireless Configuration Manager and 802.1X must use WLANs configured for 40- or 104-bit key length. Configuring for 128-bit key length results in clients that can associate but cannot authenticate.


Static WEP Keys

Controllers can control static WEP keys across access points. Use these commands to configure static WEP for WLANs:

Enter this command to disable 802.1X encryption:

config wlan security 802.1X disable wlan-id

Enter this command to configure 40/64, 104/128, or 128/152-bit WEP keys:

config wlan security static-wep-key encryption wlan-id {40 | 104 | 128} {hex | ascii} key key-index

Use the 40, 104, or 128 options to specify 40/64-bit, 104/128-bit, or 128/152-bit encryption. The default setting is 104/128.

Use the hex or ascii option to specify the character format for the WEP key.

Enter 10 hexadecimal digits (any combination of 0-9, a-f, or A-F) or five printable ASCII characters for 40-bit/64-bit WEP keys; enter 26 hexadecimal or 13 ASCII characters for 104-bit/128-bit keys; enter 32 hexadecimal or 16 ASCII characters for 128-bit/152-bit keys.

Enter a key index (sometimes called a key slot) of 1 through 4.

Dynamic 802.1X Keys and Authorization

Controllers can control 802.1X dynamic WEP keys using Extensible Authentication Protocol (EAP) across access points and support 802.1X dynamic key settings for WLANs.


Note To use LEAP with lightweight access points and wireless clients, make sure to choose Cisco-Aironet as the RADIUS server type when configuring the CiscoSecure Access Control Server (ACS).


Enter show wlan wlan-id to check the security settings of each WLAN. The default security setting for new WLANs is 802.1X with dynamic keys enabled. To maintain robust Layer 2 security, leave 802.1X configured on your WLANs.

To disable or enable the 802.1X authentication, use this command:

config wlan security 802.1X {enable | disable} wlan-id

After you enable 802.1X authentication, the controller sends EAP authentication packets between the wireless client and the authentication server. This command allows all EAP-type packets to be sent to and from the controller.

If you want to change the 802.1X encryption level for a WLAN, use this command:

config wlan security 802.1X encryption wlan-id [40 | 104 | 128]

Use the 40 option to specify 40/64-bit encryption.

Use the 104 option to specify 104/128-bit encryption. (This is the default encryption setting.)

Use the 128 option to specify 128/152-bit encryption.

If you want to configure Cisco Aironet 802.11a/b/g Wireless LAN Client Adapters (CB21AG and PI21AG) running PEAP-GTC to authenticate to a controller through a one-time password to a token server, use these commands:

config advanced eap identity-request-timeout—Configures the EAP identity request timeout value in seconds. The default setting is 1 second.

config advanced eap identity-request-retries—Configures the EAP identity request maximum retries value. The default setting is 20.

config advanced eap request-timeout—Configures the EAP request timeout value in seconds. The default setting is 1 second.

config advanced eap request-retries—Configures the EAP request maximum retries value. The default setting is 2.

show advanced eap—Shows the values that are currently configured for the config advanced eap commands. Information similar to the following appears:

 EAP-Identity-Request Timeout (seconds)........... 1
 EAP-Identity-Request Max Retries................. 20
 EAP-Request Timeout (seconds).................... 1
 EAP-Request Max Retries.......................... 2

Configuring a WLAN for Both Static and Dynamic WEP

You can configure up to four WLANs to support static WEP keys, and you can also configure dynamic WEP on any of these static-WEP WLANs. Follow these guidelines when configuring a WLAN for both static and dynamic WEP:

The static WEP key and the dynamic WEP key must be the same length.

When you configure both static and dynamic WEP as the Layer-2 security policy, no other security policies can be specified. That is, you cannot configure web authentication. However, when you configure either the dynamic WEP or the static WEP as the Layer 2 security policy, you can configure web authentication.

WPA1 and WPA2

Wi-Fi Protected Access (WPA or WPA1) and WPA2 are standards-based security solutions from the Wi-Fi Alliance that provide data protection and access control for wireless LAN systems. WPA1 is compatible with the IEEE 802.11i standard but was implemented prior to the standard's ratification; WPA2 is the Wi-Fi Alliance's implementation of the ratified IEEE 802.11i standard.

By default, WPA1 uses Temporal Key Integrity Protocol (TKIP) and message integrity check (MIC) for data protection while WPA2 uses the stronger Advanced Encryption Standard encryption algorithm using Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (AES-CCMP). Both WPA1 and WPA2 use 802.1X for authenticated key management by default. However, these options are also available: PSK, CCKM, and 802.1X+CCKM.

802.1X—The standard for wireless LAN security, as defined by IEEE, is called 802.1X for 802.11, or simply 802.1X. An access point that supports 802.1X acts as the interface between a wireless client and an authentication server, such as a RADIUS server, to which the access point communicates over the wired network. If 802.1X is selected, only 802.1X clients are supported.

PSK—When you choose PSK (also known as WPA pre-shared key or WPA passphrase), you need to configure a pre-shared key (or a passphrase). This key is used as the pairwise master key (PMK) between the clients and the authentication server.

CCKM—Cisco Centralized Key Management (CCKM) uses a fast rekeying technique that enables clients to roam from one access point to another without going through the controller, typically in under 150 milliseconds (ms). CCKM reduces the time required by the client to mutually authenticate with the new access point and derive a new session key during reassociation. CCKM fast secure roaming ensures that there is no perceptible delay in time-sensitive applications such as wireless Voice over IP (VoIP), enterprise resource planning (ERP), or Citrix-based solutions. CCKM is a CCXv4-compliant feature. If CCKM is selected, only CCKM clients are supported.


Note The 4.0 release of controller software supports CCX versions 1 through 4. CCX support is enabled automatically for every WLAN on the controller and cannot be disabled. The controller stores the CCX version of the client in its client database and uses it to limit client functionality. Clients must support CCX v4 in order to use CCKM. See the "Configuring Quality of Service Profiles" section for more information on CCX.


802.1X+CCKM—During normal operation, 802.1X-enabled clients mutually authenticate with a new access point by performing a complete 802.1X authentication, including communication with the main RADIUS server. However, when you configure your WLAN for 802.1X and CCKM fast secure roaming, CCKM-enabled clients securely roam from one access point to another without the need to reauthenticate to the RADIUS server. 802.1X+CCKM is considered optional CCKM because both CCKM and non-CCKM clients are supported when this option is selected.

On a single WLAN, you can allow WPA1, WPA2, and 802.1X/PSK/CCKM/802.1X+CCKM clients to join. All of the access points on such a WLAN advertise WPA1, WPA2, and 802.1X/PSK/CCKM/
802.1X+CCKM information elements in their beacons and probe responses. When you enable WPA1 and/or WPA2, you can also enable one or two ciphers, or cryptographic algorithms, designed to protect data traffic. Specifically, you can enable AES and/or TKIP data encryption for WPA1 and/or WPA2. TKIP is the default value for WPA1, and AES is the default value for WPA2.

You can configure WPA1+WPA2 through either the GUI or the CLI.

Using the GUI to Configure WPA1+WPA2

Follow these steps to configure a WLAN for WPA1+WPA2 using the controller GUI.


Step 1 Click WLANs to access the WLANs page.

Step 2 Click the Edit link for the desired WLAN to access the WLANs > Edit page (see Figure 6-1).

Figure 6-1 WLANs > Edit Page

Step 3 Under Security Policies, choose WPA1+WPA2 from the Layer 2 Security drop-down box.

Step 4 Under WPA1+WPA2 Parameters, check the WPA1 Policy check box to enable WPA1, check the WPA2 Policy check box to enable WPA2, or check both check boxes to enable both WPA1 and WPA2.


Note The default value is disabled for both WPA1 and WPA2. If you leave both WPA1 and WPA2 disabled, the access points advertise in their beacons and probe responses information elements only for the authentication key management method you choose in Step 6.


Step 5 Check the AES check box to enable AES data encryption or the TKIP check box to enable TKIP data encryption for WPA1, WPA2, or both. The default values are TKIP for WPA1 and AES for WPA2.

Step 6 Choose one of the following key management methods from the Auth Key Mgmt drop-down box: 802.1X, CCKM, PSK, or 802.1X+CCKM.

Step 7 If you chose PSK in Step 6, choose ascii or hex from the PSK Format drop-down box and then enter a pre-shared key in the blank field. WPA pre-shared keys must contain 8 to 63 ASCII text characters or 64 hexadecimal characters.

Step 8 Click Apply to commit your changes.

Step 9 Click Save Configuration to save your changes.


Using the CLI to Configure WPA1+WPA2

Follow these steps to configure a WLAN for WPA1+WPA2 using the controller CLI.


Step 1 Enter this command to disable the WLAN:

config wlan disable wlan_id

Step 2 Enter this command to enable or disable WPA for the WLAN:

config wlan security wpa {enable | disable} wlan_id

Step 3 Enter this command to enable or disable WPA1 for the WLAN:

config wlan security wpa wpa1 {enable | disable} wlan_id

Step 4 Enter this command to enable or disable WPA2 for the WLAN:

config wlan security wpa wpa2 {enable | disable} wlan_id

Step 5 Enter these commands to enable or disable AES or TKIP data encryption for WPA1 or WPA2:

config wlan security wpa wpa1 ciphers {aes | tkip} {enable | disable} wlan_id

config wlan security wpa wpa2 ciphers {aes | tkip} {enable | disable} wlan_id

The default values are TKIP for WPA1 and AES for WPA2.

Step 6 Enter this command to enable or disable 802.1X, PSK, or CCKM authenticated key management:

config wlan security wpa akm {802.1X | psk | cckm} {enable | disable} wlan_id

The default value is 802.1X.

Step 7 If you enabled PSK in Step 6, enter this command to specify a pre-shared key:

config wlan security wpa akm psk set-key {ascii | hex} psk-key wlan_id

WPA pre-shared keys must contain 8 to 63 ASCII text characters or 64 hexadecimal characters.

Step 8 Enter this command to enable the WLAN:

config wlan enable wlan_id

Step 9 Enter this command to save your settings:

save config

CKIP

Cisco Key Integrity Protocol (CKIP) is a Cisco-proprietary security protocol for encrypting 802.11 media. CKIP improves 802.11 security in infrastructure mode using key permutation, message integrity check (MIC), and message sequence number. Software release 4.0 supports CKIP with static key. For this feature to operate correctly, you must enable Aironet information elements (IEs) for the WLAN.

A lightweight access point advertises support for CKIP in beacon and probe response packets by adding an Aironet IE and setting one or both of the CKIP negotiation bits [key permutation and multi-modular hash message integrity check (MMH MIC)]. Key permutation is a data encryption technique that uses the basic encryption key and the current initialization vector (IV) to create a new key. MMH MIC prevents bit-flip attacks on encrypted packets by using a hash function to compute message integrity code.

The CKIP settings specified in a WLAN are mandatory for any client attempting to associate. If the WLAN is configured for both CKIP key permutation and MMH MIC, the client must support both. If the WLAN is configured for only one of these features, the client must support only this CKIP feature.

CKIP requires that 5-byte and 13-byte encryption keys be expanded to 16-byte keys. The algorithm to perform key expansion happens at the access point. The key is appended to itself repeatedly until the length reaches 16 bytes. All lightweight access points except the AP1000 support CKIP.

You can configure CKIP through either the GUI or the CLI.

Using the GUI to Configure CKIP

Follow these steps to configure a WLAN for CKIP using the controller GUI.


Step 1 To enable Aironet IEs for this WLAN, check the Aironet IE check box under Cisco Client Extension (CCX).

Step 2 Click WLANs to access the WLANs page.

Step 3 Click the Edit link for the desired WLAN to access the WLANs > Edit page (see Figure 6-1).

Figure 6-2 WLANs > Edit Page

Step 4 Uncheck the Admin Status check box, if checked, to disable this WLAN and click Apply.

Step 5 Under Security Policies, choose CKIP from the Layer 2 Security drop-down box.

Step 6 Under CKIP Parameters, choose the length of the CKIP encryption key from the Key Size drop-down box.

Range: Not Set, 40 bits, or 104 bits

Default: Not Set

Step 7 Choose the number to be assigned to this key from the Key Index drop-down box. You can configure up to four keys.

Step 8 Choose ASCII or HEX from the Key Format drop-down box and then enter an encryption key in the Encryption Key field. 40-bit keys must contain 5 ASCII text characters or 10 hexadecimal characters. 104-bit keys must contain 13 ASCII text characters or 26 hexadecimal characters.

Step 9 Check the MMH Mode check box to enable MMH MIC data protection for this WLAN. The default value is disabled (or unchecked).

Step 10 Check the Key Permutation check box to enable this form of CKIP data protection. The default value is disabled (or unchecked).

Step 11 Check the Admin Status check box to enable this WLAN.

Step 12 Click Apply to commit your changes.

Step 13 Click Save Configuration to save your changes.


Using the CLI to Configure CKIP

Follow these steps to configure a WLAN for CKIP using the controller CLI.


Step 1 Enter this command to disable the WLAN:

config wlan disable wlan_id

Step 2 Enter this command to enable Aironet IEs for this WLAN:

config wlan ccx aironet-ie enable wlan_id

Step 3 Enter this command to enable or disable CKIP for the WLAN:

config wlan security ckip {enable | disable} wlan_id

Step 4 Enter this command to specify a CKIP encryption key for the WLAN:

config wlan security ckip akm psk set-key wlan_id {40 | 104} {hex | ascii} key key_index

Step 5 Enter this command to enable or disable CKIP MMH MIC for the WLAN:

config wlan security ckip mmh-mic {enable | disable} wlan_id

Step 6 Enter this command to enable or disable CKIP key permutation for the WLAN:

config wlan security ckip kp {enable | disable} wlan_id

Step 7 Enter this command to enable the WLAN:

config wlan enable wlan_id

Step 8 Enter this command to save your settings:

save config


Configuring Layer 3 Security

This section explains how to configure Layer 3 security settings for a wireless LAN on the controller.


Note VPN termination (IPSec) and Layer 2 Tunnel Protocol (L2TP) are not supported on controllers with software release 4.0x or greater.


VPN Passthrough

Using the GUI to Configure VPN Passthrough

Follow these steps to configure a WLAN for VPN Passthrough using the controller GUI.


Step 1 Select WLANs from the navigation bar at top of window.

Step 2 At the WLANs window, select the Edit link next to the WLAN for which you want to configure VPN passthrough.

The WLANs > Edit page appears.

Step 3 Select VPN Passthrough from the Layer 3 Security drop-down menu (right-hand).

Step 4 Check the Web Policy box and the Passthrough option that appears (Figure 6-3).

Figure 6-3 WLANs > Edit Page

(top)

Step 5 Scroll to the bottom of the WLAN > Edit window to enter the VPN Gateway Address (Figure 6-4). This IP address is that of the gateway router that is terminating the VPN tunnels initiated by the client and passed through the controller.

Figure 6-4 WLANs > Edit Page (bottom)

Step 6 Click Save Configuration.


Using the CLI to Configure VPN Passthrough

Enter this command to enable VPN Passthrough for a WLAN using the controller CLI.

config wlan security passthru {enable | disable} wlan-id gateway

For gateway, enter the IP address of the router that is terminating the VPN tunnel.

Enter show wlan to verify that the passthrough is enabled.

Web-Based Authentication

Web authentication is simple to set up and use and can be used with SSL to improve the overall security of the WLAN. The use of Web authentication requires Microsoft Internet Explorer with Active Scripts enabled. Enter these commands to enable web authentication for a WLAN:

config wlan security web {enable | disable} wlan-id

Enter show wlan to verify that web authentication is enabled.

Local Netuser

Controllers have built-in network client authentication capability, similar to that provided by a RADIUS authentication server. Enter these commands to create a list of usernames and passwords allowed access to the WLAN:

Enter show netuser to display client names assigned to WLANs.

Enter config netuser add username password wlan-id to add a user to a WLAN.


Note Local netuser names must be unique because they are stored in the same database.


Enter config netuser wlan-id username wlan-id to add a user to a WLAN without specifying a password for the user.

Enter config netuser password username password to create or change a password for a particular user.

Enter config netuser delete username to delete a user from the WLAN.

Configuring 802.3 Bridging

Controller software release 4.0 supports 802.3 frames and the applications that use them, such as those typically used for cash registers and cash register servers. To make these applications work with the controller, the 802.3 frames must be bridged on the controller.

Support for raw 802.3 frames allows the controller to bridge non-IP frames for applications not running over IP. Only this raw 802.3 frame format is currently supported:

+-------------------+---------------------+-----------------+------------------------+

| Destination | Source | Total packet | Payload .....
| MAC address | MAC address | length |

+-------------------+----------------------+-----------------+------------------------

Use these commands to configure 802.3 bridging using the controller CLI.

1. To enable or disable 802.3 bridging globally on all WLANs, enter this command:

config network 802.3-bridging {enable | disable}

The default value is disabled.

2. To see the current status of 802.3 bridging for all WLANs, enter this command:

show network

Configuring Quality of Service

Cisco UWN Solution WLANs support four levels of QoS: Platinum/Voice, Gold/Video, Silver/Best Effort (default), and Bronze/Background. You can configure the voice traffic WLAN to use Platinum QoS, assign the low-bandwidth WLAN to use Bronze QoS, and assign all other traffic between the remaining QoS levels. Enter these commands to assign a QoS level to a WLAN:

config wlan qos wlan-id {bronze | silver | gold | platinum}

Enter show wlan to verify that you have QoS properly set for each WLAN.

The WLAN QoS level (platinum, gold, silver, or bronze) defines a specific 802.11e user priority (UP) for over-the-air traffic. This UP is used to derive the over-the-wire priorities for non-WMM traffic, and it also acts as the ceiling when managing WMM traffic with various levels of priorities. The access point uses this QoS-profile-specific UP in accordance with the values in Table 6-1 to derive the IP DSCP value that is visible on the wired LAN.

Table 6-1 Access Point QoS Translation Values 

AVVID 802.1p UP-Based Traffic Type
AVVID IP DSCP
AVVID 802.1p UP
IEEE 802.11e UP

Network control

-

7

-

Inter-network control (LWAPP control, 802.11 management)

48

6

7

Voice

46 (EF)

5

6

Video

34 (AF41)

4

5

Voice control

26 (AF31)

3

4

Background (Gold)

18 (AF21)

2

2

Background (Gold)

20 (AF22)

2

2

Background (Gold)

22 (AF23)

2

2

Background (Silver)

10 (AF11)

1

1

Background (Silver)

12 (AF12)

1

1

Background (Silver)

14 (AF13)

1

1

Best Effort

0 (BE)

0

0, 3

Background

2

0

1

Background

4

0

1

Background

6

0

1


Configuring QoS Enhanced BSS (QBSS)

You can enable QBSS in these two modes:

Wireless Multimedia (WMM) mode, which supports devices that meet the 802.11E QBSS standard

7920 support mode, which supports Cisco 7920 IP telephones on your 802.11b/g network

QBSS is disabled by default.

Enabling WMM Mode

Enter this command to enable WMM mode:

config wlan wmm {disabled | allowed | required} wlan-id

The allowed option allows client devices to use WMM on the WLAN.

The required option requires client devices to use WMM; devices that do not support WMM cannot join the WLAN.


Note Do not enable WMM mode if Cisco 7920 phones are used on your network.



Note When the controller is in Layer 2 mode and WMM is enabled, you must put the access points on a trunk port in order to allow them to join the controller.


Enabling 7920 Support Mode

The 7920 support mode contains two options:

Support for 7920 phones that require call admission control (CAC) to be configured on and advertised by the client device (these are typically older 7920 phones)

Support for 7920 phones that require CAC to be configured on and advertised by the access point (these are typically newer 7920 phones)


Note When access point-controlled CAC is enabled, the access point sends out a Cisco proprietary CAC Information Element (IE) and does not send out the standard QBSS IE.


Enter this command to enable 7920 support mode for phones that require client-controlled CAC:

config wlan 7920-support client-cac-limit {enabled | disabled} wlan-id


Note You cannot enable both WMM mode and client-controlled CAC mode on the same WLAN.


Enter this command to enable 7920 support mode for phones that require access point-controlled CAC:

config wlan 7920-support ap-cac-limit {enabled | disabled} wlan-id

QBSS Information Elements Sometimes Degrade 7920 Phone Performance

If your WLAN contains both 1000 series access points and Cisco 7920 wireless phones, do not enable the WMM or AP-CAC-LIMIT QBSS information elements. Do not enter either of these commands:

config wlan 7920-support ap-cac-limit enable wlan-id

config wlan wmm [allow | require] wlan-id

The information sent by 1000 series access points in the WMM and AP-CAC-LIMIT QBSS information elements is inaccurate and could result in degradation of voice quality 7920 wireless phones. This issue does not affect the CLIENT-CAC-LIMIT QBSS IE, which you enable using this command:

config wlan 7920-support client-cac-limit enable wlan-id

The CLIENT-CAC-LIMIT QBSS IE is the only QBSS IE that should be used in networks containing both 1000 series access points and 7920 wireless phones.

Configuring Quality of Service Profiles

You can use the GUI or CLI to configure the Platinum, Gold, Silver, and Bronze QoS profiles.

Using the GUI to Configure QoS Profiles

To configure the Platinum, Gold, Silver, and Bronze QoS profiles using the GUI, follow these steps.


Step 1 Disable the 802.11a and 802.11b/g networks so that you can configure the QoS profiles.

To disable the radio network, click Wireless > 802.11a > Network or Wireless > 802.11b/g > Network, uncheck the 802.11a (or 802.11b/g) Network Status check box, and click Apply.

Step 2 Click Controller > QoS > Profiles to access the QoS Profiles page.

Step 3 Click Edit for the specific profile you want to configure (see Figure 6-5).

Figure 6-5 Controller > Edit QoS Profiles Page

Step 4 To change the description of the profile, modify the contents of the Description field.

Step 5 To define the average data rate for TCP traffic on a per user basis, enter the rate in Kbps in the Average Data Rate field. A value of 0 disables this option.

Step 6 To define the peak data rate for TCP traffic on a per user basis, enter the rate in Kbps in the Burst Data Rate field. A value of 0 disables this option.

Step 7 To define the average real-time rate for UDP traffic on a per user basis, enter the rate in Kbps in the Average Real-Time Rate field. A value of 0 disables this option.

Step 8 To define the peak real-time rate for UDP traffic on a per user basis, enter the rate in Kbps in the Burst Real-Time Rate field. A value of 0 disables this option.

Step 9 In the Maximum RF usage per AP (%) field, enter the maximum percentage of air bandwidth given to a user class.

For example if you set 50% for Bronze QoS, all the Bronze WLAN users combined will not get more than 50% of available RF bandwidth. Actual throughput could be less than 50%, but it will never be more than 50%.

Step 10 In the Queue Depth field, enter the number packets that access points keep in their queues. Any additional packets are dropped.

Step 11 To define the maximum value for the priority tag (0-7) associated with packets that fall within the profile, choose 802.1p from the Protocol Type drop-down box and enter the maximum priority value in the 802.1p Tag field.

The tagged packets include LWAPP data packets (between access points and the controller) and packets sent towards the core network.

Step 12 Click Apply.

Step 13 Click Save Configuration.

Step 14 Reenable the 802.11a and 802.11b/g networks.

To enable the radio network, click Wireless > 802.11a > Network or Wireless > 802.11b/g > Network, check the 802.11a (or 802.11b/g) Network Status check box, and click Apply.


Using the CLI to Configure QoS Profiles

To configure the Platinum, Gold, Silver, and Bronze QoS profiles using the CLI, follow these steps.


Step 1 Disable the 802.11a and 802.11b/g networks so that you can configure the QoS profiles. Enter these commands:

config 802.11a disable network

config 802.11b disable network

Step 2 To change the profile description, enter this command:

config qos description {bronze | silver | gold | platinum} description

Step 3 To define the average data rate in Kbps for TCP traffic on a per user basis, enter this command:

config qos average-data-rate {bronze | silver | gold | platinum} rate

Step 4 To define the peak data rate in Kbps for TCP traffic on a per user basis, enter this command:

config qos burst-data-rate {bronze | silver | gold | platinum} rate

Step 5 To define the average real-time rate in Kbps for UDP traffic on a per user basis, enter this command:

config qos average-realtime-rate {bronze | silver | gold | platinum} rate

Step 6 To define the peak real-time rate in Kbps for UDP traffic on a per user basis, enter this command:

config qos burst-realtime-rate {bronze | silver | gold | platinum} rate

Step 7 To specify the maximum percentage of RF usage per access point, enter this command:

config qos max-rf-usage {bronze | silver | gold | platinum} usage_percentage

Step 8 To specify the maximum number of packets that access points keep in their queues, enter this command:

config qos queue_length {bronze | silver | gold | platinum} queue_length

Step 9 To define the maximum value for the priority tag (0-7) associated with packets that fall within the profile, enter this commands:

config qos protocol-type {bronze | silver | gold | platinum} dot1p

config qos dot1p-tag {bronze | silver | gold | platinum} tag

Step 10 Reenable the 802.11a and 802.11b/g networks so that you can configure the QoS profiles. Enter these commands:

config 802.11a enable network

config 802.11b enable network


Configuring Cisco Client Extensions

Cisco Client Extensions (CCX) software is licensed to manufacturers and vendors of third-party client devices. The CCX code resident on these clients enables them to communicate wirelessly with Cisco access points and to support Cisco features that other client devices do not, including those related to increased security, enhanced performance, fast roaming, and superior power management.

The 4.0 release of controller software supports CCX versions 1 through 4, which enables controllers and their access points to communicate wirelessly with third-party client devices that support CCX. CCX support is enabled automatically for every WLAN on the controller and cannot be disabled. However, you can configure a specific CCX feature per WLAN. This feature is Aironet information elements (IEs).

If Aironet IE support is enabled, the access point sends an Aironet IE 0x85 (which contains the access point name, load, number of associated clients, and so on) in the beacon and probe responses of this WLAN, and the controller sends Aironet IEs 0x85 and 0x95 (which contains the management IP address of the controller and the IP address of the access point) in the reassociation response if it receives Aironet IE 0x85 in the reassociation request.

Follow the instructions in this section to configure a WLAN for the CCX Aironet IE feature and to see the CCX version supported by specific client devices using either the GUI or the CLI.


Note CCX is not supported on the AP1030.


Using the GUI to Configure CCX Aironet IEs

Follow these steps to configure a WLAN for CCX Aironet IEs using the GUI.


Step 1 Click WLANs to access the WLANs page.

Step 2 Click the Edit link of the desired WLAN to access the WLANs > Edit page (see Figure 6-6).

Figure 6-6 WLANs > Edit Page

Step 3 Check the Aironet IE check box if you want to enable support for Aironet IEs for this WLAN. Otherwise, uncheck this check box. The default value is enabled (or checked).

Step 4 Click Apply to commit your changes.

Step 5 Click Save Configuration to save your changes.


Using the GUI to View a Client's CCX Version

A client device sends its CCX version in association request packets to the access point. The controller then stores the client's CCX version in its database and uses it to limit the features for this client. For example, if a client supports CCX version 2, the controller does not allow the client to use CCX version 4 features. Follow these steps to see the CCX version supported by a particular client device using the GUI.


Step 1 Click Wireless > Clients to access the Clients page.

Step 2 Click the Detail link for the desired client device to access the Clients > Detail page (see Figure 6-7).

Figure 6-7 Clients > Detail Page

The CCX Version field shows the CCX version supported by this client device. Not Supported appears if the client does not support CCX.

Step 3 Click Back to return to the previous screen.

Step 4 Repeat this procedure to view the CCX version supported by any other client devices.


Using the CLI to Configure CCX Aironet IEs

To enable or disable support for Aironet IEs for a particular WLAN, enter this command:

config wlan ccx aironet-ie {enable | disable} wlan_id

The default value is enabled.

Using the CLI to View a Client's CCX Version

To see the CCX version supported by a particular client device, enter this command:

show client detail mac-addr

Enabling WLAN Override

By default, access points transmit all defined WLANs on the controller. However, you can use the WLAN Override option to select which WLANs are transmitted and which ones are not on a per access point basis. For example, you can use WLAN override to control where in the network the guest WLAN is transmitted or you can use it to disable a specific WLAN in a certain area of the network.

Using the GUI to Enable WLAN Override

Follow these steps to enable the WLAN Override option.


Step 1 Click Wireless to access the Wireless page.

Step 2 Click 802.11a Radios or 802.11b/g Radios under Access Points to list the corresponding access points.

Step 3 Click the Configure link for the desired access point.

Step 4 Choose Enable from the WLAN Override drop-down box to enable this option and display a list of the available WLANs (see Figure 6-8).

Figure 6-8 802.11a Cisco APs > Configure Page

Step 5 Check the check boxes for the WLANs you want this access point to broadcast.

Step 6 Click Apply to commit your changes.

Step 7 Click Save Configuration to save your changes.


Using the CLI to Enable WLAN Override

To enable the WLAN Override option using the controller CLI, enter this command:

config ap wlan enable {802.11a | 802.11b} cisco_ap

To define which WLANs you wish to transmit, enter this command:

config ap wlan add {802.11a | 802.11b} wlan-id cisco_ap

Configuring Access Point Groups

In a typical deployment, all users on a WLAN are mapped to a single interface on the controller. Therefore, all users associated with that WLAN are on the same subnet or VLAN. However, you can override this default WLAN setting to distribute the load among several interfaces or to group users based on specific criteria such as individual departments (for example, marketing) by creating access point groups (formerly known as site-specific VLANs). Additionally, these access point groups can be configured in separate VLANs to simplify network administration as illustrated in the example in Figure 6-9.


Note The required access control list (ACL) must be defined on the router that serves the VLAN or subnet.



Note Multicast traffic is not supported when access point group VLANs are configured.


Figure 6-9 Access Point Groups

In Figure 6-9, there are three configured dynamic interfaces that are mapped to three different VLANs identified as VLAN 61, VLAN 62, and VLAN 63. Three access point groups are defined and each is a member of a different VLAN but all are members of the same SSID. A client within the wireless SSID is assigned an IP address from the VLAN subnet on which its access point is a member. For example, any user that associates with an access point that is a member of the access point group: VLAN 61 is assigned an IP address from that subnet.

In the example in Figure 6-9, the controller internally treats roaming between access points as a Layer 3 roaming event. In this way, WLAN clients maintain their original IP addresses.

To configure access point groups, follow these top-level steps.

1. Configure the appropriate dynamic interfaces and map them to the desired VLANs.

For example, to implement the network in Figure 6-9, create dynamic interfaces for VLANs 61, 62, and 63 on the controller. Refer to Chapter 3, "Configuring Ports and Interfaces" for more information about how to configure dynamic interfaces.

2. Create the access point groups. Refer to the "Creating Access Point Groups" section.

3. Assign access points to the appropriate access point group. Refer to the "Assigning Access Points to Access Point Groups" section.

Creating Access Point Groups

Once all access points have joined the controller, you can create access point groups and assign each group to one or more WLANs. You also need to define WLAN-to-interface mapping.

Using the GUI to Create Access Point Groups

To create an access point group using the GUI, follow these steps.


Step 1 Click WLANs.

Step 2 Click AP Groups VLAN.

Step 3 Check the AP Groups VLAN Feature Enable check box.

Step 4 Enter the group's name in the AP Group Name field.

Step 5 Enter the group's description in the AP Group Description field.

Step 6 Click Create New AP Group to create the group. The newly created access point group appears on the AP Groups VLAN page (see Figure 6-10).

Figure 6-10 AP Groups VLAN Page

Step 7 To edit this new group, click Detail. The window seen in Figure 6-11 appears.

Step 8 To map the access point group to a WLAN, choose its ID from the WLAN SSID drop-down box.

Step 9 To map the access point group to an interface, choose its name from the Interface Name drop-down box.

Step 10 Click Add Interface-Mapping to add WLAN-to-interface mappings to the group.

Figure 6-11 AP Groups VLAN Page

Step 11 When you are done adding your interface mappings, click Apply.

Step 12 Repeat Steps 4 through 11 to add more access point groups.

Step 13 Click Save Configuration to save your changes.


Using the CLI to Create Access Point Groups

To create an access point group, enter this command:

config ap group-name group_name

Assigning Access Points to Access Point Groups

After you have created your access point groups, use the GUI or CLI to assign access points to these groups.

Using the GUI to Assign Access Points to Access Point Groups

To assign an access point to an access point group, follow these steps:


Step 1 Click Wireless > Access Points > All APs.

Step 2 Click the Detail link for the access point.

Step 3 Select the access point group from the AP Group Name drop-down box (see Figure 6-12).

Figure 6-12 All APs > Details Page

Step 4 Click Apply.

Step 5 Click Save Configuration to save your changes.


Using the CLI to Assign Access Points to Access Point Groups

To assign an access point to an access point group, enter this command:

config ap group-name group_name ap_name

Configuring Multiple WLANs with the Same SSID

In release 4.0.206.0 and greater, you can configure multiple WLANs with the same SSID. This feature enables you to assign different Layer 2 security policies within the same wireless LAN. To distinguish among WLANs with the same SSID, you must create a unique profile name for each WLAN.

These restrictions apply when configuring multiple WLANs with the same SSID:

WLANs with the same SSID must have unique Layer 2 security policies so that clients can make a WLAN selection based on information advertised in beacon and probe response. These are the available Layer 2 security policies:

None (open WLAN)

Static WEP or 802.1X


Note Because static WEP and 802.1X are both advertised by the same bit in beacon and probe responses, they cannot be differentiated by clients. Therefore, they cannot both be used by multiple WLANs with the same SSID.


CKIP

WPA/WPA2


Note Although WPA and WPA2 cannot both be used by multiple WLANs with the same SSID, two WLANs with the same SSID could be configured with WPA/TKIP with PSK and WPA/TKIP with 802.1X, respectively, or with WPA/TKIP with 802.1X or WPA/AES with 802.1X, respectively.


Hybrid-REAP access points do not support multiple SSIDs.

Additions to the Controller GUI

The new Profile Name parameter appears on three controller GUI pages:

1. The WLANs page, which lists all WLANs configured on the controller. Figure 6-13 shows two SSIDs named "abc" but with different profile names (abc1 and abc2). Notice that their security policies are also different.

Figure 6-13 WLANs Page

2. The WLANs > New page, which appears when you click New on the WLANs page to create a WLAN. Figure 6-14 shows the fields in which to enter the profile name and SSID for the WLAN.

Figure 6-14 WLANs > New Page

3. The WLANs > Edit page, which appears when you click Apply on the WLANs > New page or when you edit an existing WLAN. Figure 6-15 shows the ID, profile name, and SSID of the WLAN.

Figure 6-15 WLANs > Edit Page

Addition to the Controller CLI

In release 4.0.206.0, the command for creating a WLAN has expanded to allow the addition of the profile name in the command.


Note The config wlan enable wlan_id and config wlan delete wlan_id commands do not require the profile name to be specified. Their format has not changed.


The new command for creating a WLAN is as follows.

config wlan create wlan_id profile_name ssid


Note If you do not specify an ssid, the profile_name parameter is used for both the profile name and the SSID.



Note For releases earlier than 4.0.206.0, the CLI command for creating a WLAN remains as config wlan create wlan_id ssid.


Configuring Conditional Web Redirect with 802.1X Authentication

In release 4.0.206.0 and later, a user can be conditionally redirected to a particular web page after 802.1X authentication has completed successfully. Such conditions might include the user's password reaching expiration or the user needing to pay his or her bill for continued usage. You can specify the redirect page and the conditions under which the redirect occurs on your RADIUS server.

If the RADIUS server returns the Cisco AV-pair "url-redirect," then the user is redirected to the specified URL upon opening a browser. If the server also returns the Cisco AV-pair "url-redirect-acl," the specified access control list (ACL) is installed as a preauthentication ACL for this client. The client is not considered fully authorized at this point and is only allowed to pass traffic allowed by the preauthentication ACL.

After the client completes a particular operation at the specified URL (for example, changing a password or paying a bill), it must reauthenticate. When the RADIUS server does not return a "url-redirect," the client is considered fully authorized and allowed to pass traffic.

The conditional web redirect feature is available only for WLANs that are configured for 802.1X or WPA1+WPA2 Layer 2 Security.

Once the RADIUS server is configured, you can then configure the conditional web redirect on the controller using either the controller GUI or CLI.

Configuring the RADIUS Server

Follow these steps to configure your RADIUS server.


Note These instructions are specific to the CiscoSecure ACS; however, they should be similar to those for other RADIUS servers.



Step 1 From the CiscoSecure ACS main menu, click Group Setup.

Step 2 Click Edit Settings.

Step 3 From the Jump To drop-down menu, choose RADIUS (Cisco IOS/PIX 6.0). The window seen in Figure 6-16 appears.

Figure 6-16 ACS Server Configuration

Step 4 Check the [009\001] cisco-av-pair check box.

Step 5 Enter the following Cisco AV-pairs in the [009\001] cisco-av-pair edit box to specify the URL to which the user is redirected and the conditions under which the redirect takes place, respectively:

url-redirect=http://url

url-redirect-acl=acl_name


Using the GUI to Configure Conditional Web Redirect

Follow these steps to configure conditional web redirect using the controller GUI.


Step 1 Click WLANs to access the WLANs page.

Step 2 Click the Edit link for the desired WLAN. The WLANs > Edit page appears (see Figure 6-17).

Figure 6-17 WLANs > Edit Page

Step 3 Make sure that 802.1X or WPA1+WPA2 is selected for Layer 2 Security.

Step 4 Check the Web Policy check box under Layer 3 Security.

Step 5 Choose Conditional Web Redirect to enable this feature. The default value is disabled (unchecked box).

Step 6 If the user is to be redirected to a site external to the controller, choose the ACL that was configured on your RADIUS server from the Preauthentication ACL drop-down list.

Step 7 Click Apply to commit your changes.

Step 8 Click Save Configuration to save your changes.


Using the CLI to Configure Conditional Web Redirect

Follow these steps to configure conditional web redirect using the controller CLI.


Step 1 To enable or disable conditional web redirect, enter this command:

config wlan security cond-web-redir {enable | disable} wlan_id

Step 2 To save your settings, enter this command:

save config


Disabling Accounting Servers per WLAN

In release 4.0.206.0 and later, a new check box in the RADIUS Servers section of the WLANs > Edit page allows you to disable all accounting servers on a WLAN.

Disabling accounting servers disables all accounting operations and prevents the controller from falling back to the default RADIUS server for the WLAN.

Follow these steps to disable all accounting servers for a RADIUS authentication server.


Step 1 Click WLANs.

Step 2 Select the edit link next to WLAN to be modified.

The WLANs > Edit page appears.

Step 3 Scroll down to the RADIUS servers section of the page (see Figure 6-18).

Step 4 Uncheck the Enabled box for the Accounting Servers.

Figure 6-18 WLANs > Edit Page