Cisco Wireless LAN Controller Configuration Guide, Release 7.4
Configuring OfficeExtend Access Points


Information About OfficeExtend Access Points

A Cisco 600 Series OfficeExtend access point (Cisco OEAP) provides secure communications from a controller to an access point at a remote location, extending the corporate WLAN over the Internet to an employee’s residence. The user’s experience at the home office is the same as it would be at the corporate office. Datagram Transport Layer Security (DTLS) between the access point and the controller encrypts the CAPWAP traffic that crosses the Internet, both the control channel and the client data that is tunneled back to the controller.


Note


DTLS is permanently enabled on the Cisco OEAP. You cannot disable DTLS on this access point.


The following figure shows a typical OfficeExtend access point setup.

Figure 1. Typical OfficeExtend Access Point Setup




Note


Cisco OEAPs are designed to work behind a router or other gateway device that is using network address translation (NAT). NAT allows a device, such as a router, to act as an agent between the Internet (public) and a personal network (private), enabling an entire group of computers to be represented by a single IP address. There is no limit to the number of Cisco OEAPs that you can deploy behind a NAT device. Roaming is not supported for the Cisco 600 OEAP model.


Currently, Cisco 1040, 1130, 1140, 2602I, 3502I, and 3600 series access points that are associated with a controller can be configured to operate as Cisco OEAPs. All the supported AP models with integrated antenna can be configured as OEAP.

OEAP 600 Series Access Points

This section details the requirements for configuring a Cisco wireless LAN controller for use with the Cisco 600 Series OfficeExtend Access Point. The 600 Series OfficeExtend Access Point supports split mode operation, and it requires configuration through the WLAN controller in local mode. This section describes the configurations necessary for proper connection and supported feature sets.


Note


The CAPWAP UDP 5246 and 5247 ports must be open on the firewall between the WLAN controller and the 600 Series OfficeExtend Access Point.



Note


Multicast is not supported on Cisco 600 Series OfficeExtend Access Points.


OEAP in Local Mode

The 600 Series OfficeExtend Access Point connects to the controller in local mode. You cannot alter these settings.


Note


Monitor mode, FlexConnect mode, sniffer mode, rogue detector, bridge, and SE-Connect are not supported on the 600 Series OfficeExtend Access Point and are not configurable.

Figure 2. OEAP Mode


Supported WLAN Settings for 600 Series OfficeExtend Access Point

The 600 Series OfficeExtend Access Point supports a maximum of three WLANs and one remote LAN. If your network deployment has more than three WLANs, you must place the 600 Series OfficeExtend Access Point in an AP group. If the 600 Series OfficeExtend Access Points are added to an AP group, the same limit of three WLANs and one remote LAN still applies for the configuration of the AP group.

If the 600 Series OfficeExtend Access Point is in the default group, which means that it is not in a defined AP group, the WLAN/remote LAN IDs must be set lower than ID 8.

If you create additional WLANs or remote LANs to replace the ones that the 600 Series OfficeExtend Access Point is using, disable the current WLANs or remote LAN before enabling the new ones on the 600 Series OfficeExtend Access Point. If more than one remote LAN is enabled for an AP group, disable all remote LANs and then enable only one of them.

If more than three WLANs are enabled for an AP group, disable all WLANs and then enable only three of them.

WLAN Security Settings for the 600 Series OfficeExtend Access Point

When configuring the security settings in the WLAN (see the following figure), note that there are specific elements that are not supported on the 600 Series OfficeExtend Access Point. CCX is not supported on the 600 Series OfficeExtend Access Point, and elements related to CCX are not supported.

For Layer 2 Security, the following options are supported for the 600 Series OfficeExtend Access Point:

  • None
  • WPA+WPA2
  • Static WEP
  • 802.1X (only for remote LANs)

Figure 3. WLAN Layer 2 Security Settings

In the Security tab (see the following figure), do not select CCKM in WPA+WPA2 settings. Select only 802.1X or PSK.

Figure 4. WLAN Security Settings - Auth Key Management

The encryption (cipher) settings must be identical for WPA and WPA2: if TKIP is enabled for one policy it must be enabled for the other, and the same applies to AES. The following are examples of incompatible TKIP and AES settings.

Figure 5. Incompatible WPA and WPA2 Security Encryption Settings for OEAP 600 Series

Figure 6. Incompatible WPA and WPA2 Security Encryption Settings for OEAP 600 Series

The following are examples of compatible settings:

Figure 7. Compatible Security Settings for OEAP Series

Figure 8. Compatible Security Settings for OEAP Series

QoS settings are supported (see the following figure), but CAC is not supported and should not be enabled.


Note


Do not enable Coverage Hole Detection.



Note


Aironet IE should not be enabled. This option is not supported.

Figure 9. QoS Settings for OEAP 600


MFP is also not supported and should be disabled or set to optional.

Figure 10. MFP Settings for OEAP Series Access Points

Client Load Balancing and Client Band Select are not supported.

Authentication Settings

For authentication on the 600 Series OfficeExtend Access Point, LEAP is not supported. Clients and RADIUS servers that still use LEAP must be migrated to EAP-FAST, EAP-TTLS, EAP-TLS, or PEAP.

If Local EAP is used on the controller, its settings must also be modified so that LEAP is not used.
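The constraints in the WLAN settings, security, QoS and authentication subsections above are easy to violate one at a time when a WLAN profile is reused across AP groups. The following Python script, added here as an example and not part of the Cisco guide, collects them into one static check that can be run over a description of the WLANs an AP group publishes to a 600 Series OEAP. The Wlan record, its field names and the sample configuration are assumptions made for this example; they model the settings discussed above, not a controller export format.

```python
"""Static policy check for WLANs published to a Cisco 600 Series OEAP.

Added example for this section, not code from the Cisco guide. The Wlan
record and its field names are an assumption made for the example; they
model the WLAN settings the section discusses, not a WLC export format.
"""
from dataclasses import dataclass

# Constraints taken from the section text.
ALLOWED_L2 = {"none", "wpa+wpa2", "static-wep", "802.1x"}
ALLOWED_AKM = {"802.1x", "psk"}          # CCKM is not supported
MAX_WLANS_PER_AP = 3
MAX_RLANS_PER_AP = 1
DEFAULT_GROUP_MAX_ID = 7                 # default group: IDs must be lower than 8
UNSUPPORTED_EAP = {"leap"}


@dataclass(frozen=True)
class Wlan:
    wlan_id: int
    ssid: str
    kind: str = "wlan"                   # "wlan" or "rlan" (remote LAN)
    enabled: bool = True
    l2_security: str = "wpa+wpa2"
    akm: frozenset = frozenset({"802.1x"})
    wpa_ciphers: frozenset = frozenset()           # empty set = WPA policy disabled
    wpa2_ciphers: frozenset = frozenset({"aes"})   # empty set = WPA2 policy disabled
    cac: bool = False
    coverage_hole_detection: bool = False
    aironet_ie: bool = False
    mfp: str = "optional"                # "disabled", "optional" or "required"
    client_load_balancing: bool = False
    band_select: bool = False
    eap_methods: frozenset = frozenset({"peap"})


def check_wlan(w: Wlan) -> list:
    """Return the settings on one WLAN that the OEAP 600 does not support."""
    p = []
    if w.l2_security not in ALLOWED_L2:
        p.append(f"layer-2 security {w.l2_security!r} unsupported")
    if w.l2_security == "802.1x" and w.kind != "rlan":
        p.append("802.1X layer-2 security is supported only on remote LANs")
    if w.l2_security == "wpa+wpa2":
        bad_akm = w.akm - ALLOWED_AKM
        if bad_akm:
            p.append(f"AKM {sorted(bad_akm)} unsupported (use 802.1X or PSK)")
        # With both WPA and WPA2 enabled, the TKIP/AES selection must match exactly.
        if w.wpa_ciphers and w.wpa2_ciphers and w.wpa_ciphers != w.wpa2_ciphers:
            p.append("WPA and WPA2 cipher settings differ (TKIP/AES must match)")
    if w.cac:
        p.append("CAC enabled")
    if w.coverage_hole_detection:
        p.append("coverage hole detection enabled")
    if w.aironet_ie:
        p.append("Aironet IE enabled (CCX not supported)")
    if w.mfp == "required":
        p.append("MFP required (set disabled or optional)")
    if w.client_load_balancing:
        p.append("client load balancing enabled")
    if w.band_select:
        p.append("band select enabled")
    if w.eap_methods & UNSUPPORTED_EAP:
        p.append("LEAP in use (migrate clients to EAP-FAST, EAP-TTLS, EAP-TLS or PEAP)")
    return p


def check_group(wlans, default_group=True) -> dict:
    """Check the WLANs/RLANs one AP group publishes to an OEAP 600.

    Returns {wlan_id_or_"group": [problem, ...]}; an empty dict means the
    set is acceptable. Only enabled entries count toward the per-AP limits,
    matching the disable-then-enable procedure the section describes.
    """
    report = {}
    enabled = [w for w in wlans if w.enabled]
    wlan_count = sum(1 for w in enabled if w.kind == "wlan")
    rlan_count = sum(1 for w in enabled if w.kind == "rlan")
    if wlan_count > MAX_WLANS_PER_AP:
        report.setdefault("group", []).append(
            f"{wlan_count} WLANs enabled, OEAP 600 supports {MAX_WLANS_PER_AP}")
    if rlan_count > MAX_RLANS_PER_AP:
        report.setdefault("group", []).append(
            f"{rlan_count} remote LANs enabled, OEAP 600 supports {MAX_RLANS_PER_AP}")
    for w in enabled:
        problems = check_wlan(w)
        if default_group and w.wlan_id > DEFAULT_GROUP_MAX_ID:
            problems.append(f"ID {w.wlan_id} not published in the default group (must be below 8)")
        if problems:
            report[w.wlan_id] = problems
    return report


def sample_config():
    """Constructed sample AP-group contents, not a real deployment."""
    return [
        Wlan(1, "corp"),
        Wlan(2, "corp-voice", akm=frozenset({"802.1x", "cckm"}),
             wpa_ciphers=frozenset({"tkip"}), wpa2_ciphers=frozenset({"aes"}), cac=True),
        Wlan(3, "corp-psk", akm=frozenset({"psk"}), mfp="required"),
        Wlan(4, "legacy", eap_methods=frozenset({"leap"})),
        Wlan(5, "rlan-wired", kind="rlan", l2_security="802.1x"),
        Wlan(9, "guest", l2_security="none", enabled=False),   # disabled: not counted
    ]


if __name__ == "__main__":
    for key, problems in sorted(check_group(sample_config()).items(), key=str):
        for prob in problems:
            print(f"{key}: {prob}")
```

Run as a script it lists, per WLAN ID, every setting that the 600 Series OEAP would reject or ignore, plus a "group" entry when more than three WLANs or one remote LAN are enabled; the disabled guest WLAN with ID 9 is neither counted nor flagged, because only enabled entries are pushed to the access point.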

Supported User Count on 600 Series OfficeExtend Access Point

At most 15 users can be connected to the controller WLANs on a Cisco 600 Series OEAP at any one time; a sixteenth user cannot authenticate until one of the existing clients is deauthenticated or times out on the controller. This limit is cumulative across all controller WLANs on the 600 Series OfficeExtend Access Point.

For example, if two controller WLANs are configured and 15 users are on one of them, no other user can join the other WLAN on that 600 Series OfficeExtend Access Point at that time.

This limit does not apply to the local private WLANs that the end user configures on the 600 Series OfficeExtend Access Point for personal use. Clients connected on these private WLANs or on the wired ports do not affect these limits.


Note


This limit does not apply to other AP models that operate in the OfficeExtend mode.


Remote LAN Settings

Only four clients can connect through a remote LAN port on the 600 Series OfficeExtend Access Point. This number does not affect the fifteen user limit imposed for the Controller WLANs. The remote LAN client limit supports connecting a switch or hub to the remote LAN port for multiple devices or connecting directly to a Cisco IP phone that is connected to that port. Only the first four devices can connect until one of the devices is idle for more than one minute.

Remote LAN is configured in the same way that a WLAN or Guest LAN is configured on the controller:

Figure 11. Remote LAN Settings for OEAP 600 Series AP

Security settings can be left open, set to MAC filtering, or set to web authentication; the default is MAC filtering. You can additionally apply 802.1X Layer 2 security. Keep in mind that MAC filtering only checks an address that the client asserts, which any device plugged into the port can spoof; for a wired port that reaches the corporate network, 802.1X is the stronger choice.

Figure 12. Layer 2 Security Settings for OEAP 600 Series APs in Remote LANs

Figure 13. Layer 3 Security Settings for OEAP 600 Series APs in Remote LANs

Channel Management and Settings

The radios of the 600 Series OfficeExtend Access Point are controlled through the local GUI on the access point, not through the wireless LAN controller. Attempting to set the channel or transmit power, or to disable the radios, from the controller has no effect on the 600 Series OfficeExtend Access Point. RRM is not supported on the 600 Series OfficeExtend Access Point.

The 600 series scans and chooses channels for 2.4 GHz and 5 GHz during startup as long as the channel settings on the local GUI are left at their defaults for both bands.

Figure 14. Channel Selection for OEAP 600 Series APs

The channel bandwidth for 5 GHz is also configured on the 600 Series OfficeExtend Access Point local GUI, as 20-MHz or 40-MHz wide channels. The 2.4-GHz channel width is fixed at 20 MHz; 40 MHz is not supported on that band.

Figure 15. Channel Width for OEAP 600 APs

Additional Caveats

  • The Cisco 600 Series OfficeExtend Access Points (OEAPs) are designed for single-AP deployments, so client roaming between Cisco 600 Series OEAPs is not supported. Disabling the 802.11a/n or 802.11b/g/n radio on the controller may not disable that band on the Cisco 600 Series OEAP, because the local (personal) SSID may still be operating on it.
  • Your firewall must be configured to allow traffic from access points using CAPWAP. Make sure that UDP ports 5246 and 5247 are enabled and are not blocked by an intermediate device that could prevent an access point from joining the controller.
  • APs such as 3500, 3600, 1260, 2600, and 1040 that are converted to OEAP mode and mapped to locally switched WLAN forward the DHCP request to the local subnet on the AP connected switch. To avoid this condition, you must disable local switching and local authentication.
  • For Cisco 600 Series OEAP to associate with Cisco Virtual Wireless LAN Controller, follow these steps:
    1. Configure the OEAP to associate with a physical controller that is using 7.5 or a later release and download the corresponding AP image.
    2. Configure the OEAP so that the OEAP does not associate with the physical controller again; for example, you can implement an ACL in the network to block CAPWAP between the OEAP and the physical controller.
    3. Configure the OEAP to associate with the Cisco Virtual Wireless LAN Controller.

Implementing Security


Note


Configuring LSC is not a requirement but is an option. The OfficeExtend 600 access points do not support LSC.


  1. Use locally significant certificates (LSCs) to authorize your OfficeExtend access points, by following the instructions in Authorizing Access Points Using LSCs.
  2. Implement AAA server validation using the access point’s MAC address, name, or both as the username in authorization requests, by entering this command:

     config auth-list ap-policy authorize-ap username {ap_mac | Cisco_AP | both}

     Using the access point name for validation can ensure that only the OfficeExtend access points of valid employees can associate with the controller. To implement this security policy, name each OfficeExtend access point with an employee ID or employee number. When an employee is terminated, run a script to remove that user from the AAA server database, which prevents the employee’s OfficeExtend access point from joining the network.
  3. Save your changes by entering this command:

     save config

    Note


    CCX is not supported on the 600 OEAP. Elements related to CCX are not supported. Also, only 802.1X or PSK is supported. TKIP and AES security encryption settings must be identical for WPA and WPA2.
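For step 2 of the procedure above, the AAA-side half is the part that has to be scripted. The following Python script, added here as an example and not part of the Cisco guide, maintains the OfficeExtend entries in a FreeRADIUS users file keyed by employee ID: it adds an entry when an access point is issued and removes the entry, together with its reply-item lines, when the employee is terminated. It assumes FreeRADIUS as the AAA server and the users-file syntax (entry name at column 0, indented reply-item lines, DEFAULT catch-all entries matched in file order); the sample file, the employee IDs and the placeholder secret are constructed for the example, and the credential the controller actually presents for AP-name authorization is not covered in this section.

```python
"""Maintain OfficeExtend AP authorization entries in a FreeRADIUS users file.

Added example for the AAA-based AP authorization step above; it is not code
from the Cisco guide. Assumptions: the AAA server is FreeRADIUS, OEAP entries
live in its text `users` file, and each entry's name is the AP name (the
employee ID) that the controller sends as User-Name when
`config auth-list ap-policy authorize-ap username Cisco_AP` is in effect.
The check-item secret is a placeholder; the value the controller presents
is not specified in this section.
"""
import re

# Constructed sample users file, not a real deployment.
SAMPLE_USERS = (
    '# OfficeExtend APs: one entry per employee ID (constructed sample)\n'
    'emp1001\tCleartext-Password := "APNAME-SECRET"\n'
    '\tReply-Message := "OEAP for emp1001"\n'
    '\n'
    'emp10010\tCleartext-Password := "APNAME-SECRET"\n'
    '\n'
    'emp1002\tCleartext-Password := "APNAME-SECRET"\n'
    '\tReply-Message := "OEAP for emp1002",\n'
    '\tSession-Timeout := 3600\n'
    '\n'
    'DEFAULT\tAuth-Type := Reject\n'
)


def _is_continuation(line: str) -> bool:
    """Reply-item lines are indented; they belong to the preceding entry."""
    return bool(line.strip()) and line[0] in " \t"


def remove_user_entries(users_text: str, username: str) -> tuple:
    """Offboarding: drop every entry whose first line names `username` exactly.

    Returns (new_text, entries_removed). The name must be followed by
    whitespace or end of line, so removing emp1001 leaves emp10010 alone.
    A removed entry takes its continuation lines and the blank separator
    after it; comments, blank lines and other entries are kept byte for byte.
    """
    head = re.compile(r"^" + re.escape(username) + r"(?=\s|$)")
    kept, removed, skipping = [], 0, False
    for line in users_text.splitlines(keepends=True):
        if _is_continuation(line):
            if not skipping:
                kept.append(line)
            continue
        if skipping and not line.strip():
            skipping = False          # swallow the separator of the removed entry
            continue
        skipping = bool(head.match(line))
        if skipping:
            removed += 1
        else:
            kept.append(line)
    return "".join(kept), removed


def add_user_entry(users_text: str, username: str, secret: str) -> str:
    """Onboarding: add an entry for a newly issued OEAP.

    The entry goes before the first DEFAULT entry: FreeRADIUS stops at the
    first matching entry, so anything placed after `DEFAULT Auth-Type := Reject`
    would never be reached.
    """
    if not re.fullmatch(r"[A-Za-z0-9._-]+", username):
        raise ValueError("username must be a plain token")   # keeps the file parseable
    entry = (f'{username}\tCleartext-Password := "{secret}"\n'
             f'\tReply-Message := "OEAP for {username}"\n\n')
    lines = users_text.splitlines(keepends=True)
    for i, line in enumerate(lines):
        if re.match(r"DEFAULT(?=\s|$)", line):
            lines.insert(i, entry)
            break
    else:
        lines.append(entry)
    return "".join(lines)


if __name__ == "__main__":
    text = add_user_entry(SAMPLE_USERS, "emp1003", "APNAME-SECRET")
    text, n = remove_user_entries(text, "emp1001")
    print(f"removed {n} entry(ies); file is now:\n{text}")
```

After editing the file, reload or restart FreeRADIUS so the change takes effect; until the access point's next CAPWAP join the controller does not re-query the AAA server, so removing the AAA entry revokes future joins, not the session that is already up.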


Licensing for an OfficeExtend Access Point

To use OfficeExtend access points, a base license must be installed and in use on the controller. After the license is installed, you can enable the OfficeExtend mode on the following AP models:
  • 1130
  • 1240
  • 1040
  • 1140
  • 1250
  • 1260
  • 1600
  • 2600
  • 3500 (integrated antenna) series
  • 3600 (integrated antenna) series

Configuring OfficeExtend Access Points

After the 1130 series, 1140 series, 1040 series, 3500 (integrated antenna) series, or 3600 (integrated antenna) series access point has joined the controller, you can configure it as an OfficeExtend access point.

Configuring OfficeExtend Access Points (GUI)


    Step 1   Choose Wireless to open the All APs page.
    Step 2   Click the name of the desired access point to open the All APs > Details page.
    Step 3   Enable FlexConnect on the access point as follows:
    1. In the General tab, choose FlexConnect from the AP Mode drop-down list to enable FlexConnect for this access point.
    Step 4   Configure one or more controllers for the access point as follows:
    1. Click the High Availability tab.
    2. Enter the name and IP address of the primary controller for this access point in the Primary Controller Name and Management IP Address text boxes.
      Note   

      You must enter both the name and IP address of the controller. Otherwise, the access point cannot join this controller.

    3. If desired, enter the name and IP address of a secondary or tertiary controller (or both) in the corresponding Controller Name and Management IP Address text boxes.
    4. Click Apply. The access point reboots and then rejoins the controller.
      Note   

      The names and IP addresses must be unique for the primary, secondary, and tertiary controllers.

    Step 5   Enable OfficeExtend access point settings as follows:
    1. Click the FlexConnect tab.
    2. Select the Enable OfficeExtend AP check box to enable the OfficeExtend mode for this access point. The default value is selected.

      Unselecting this check box disables OfficeExtend mode for this access point. It does not undo all of the configuration settings on the access point. If you want to clear the access point’s configuration and return it to the factory-default settings, enter clear ap config Cisco_AP on the controller CLI. If you want to clear only the access point’s personal SSID, click Reset Personal SSID.

      Note    OfficeExtend AP support is enabled for the 1040, 1130, 1140, 1240, 1600, 2600, 3500, and 3600 series access points.
      Note    Rogue detection is disabled automatically when you enable the OfficeExtend mode for an access point. However, you can enable or disable rogue detection for a specific access point by selecting the Rogue Detection check box on the All APs > Details for (Advanced) page. Rogue detection is disabled by default for OfficeExtend access points because these access points, which are deployed in a home environment, are likely to detect a large number of rogue devices.
      Note   

      DTLS data encryption is enabled automatically when you enable the OfficeExtend mode for an access point. However, you can enable or disable DTLS data encryption for a specific access point by selecting the Data Encryption check box on the All APs > Details for (Advanced) page.

      Note   

      Telnet and SSH access are disabled automatically when you enable the OfficeExtend mode for an access point. However, you can enable or disable Telnet or SSH access for a specific access point by selecting the Telnet or SSH check box on the All APs > Details for (Advanced) page. If you need shell access to an access point at a remote site, enable SSH only; Telnet carries the login and the session in cleartext.

      Note   

      Link latency is enabled automatically when you enable the OfficeExtend mode for an access point. However, you can enable or disable link latency for a specific access point by selecting the Enable Link Latency check box on the All APs > Details for (Advanced) page.

    3. Select the Enable Least Latency Controller Join check box if you want the access point to choose the controller with the least latency when joining. Otherwise, leave this check box unselected, which is the default value. When you enable this feature, the access point calculates the time between the discovery request and discovery response and joins the Cisco 5500 Series Controller that responds first.
    4. Click Apply.

      The OfficeExtend AP text box on the All APs page shows which access points are configured as OfficeExtend access points.

    Step 6   Configure a specific username and password for the OfficeExtend access point so that the user at home can log into the GUI of the OfficeExtend access point:
    1. Click the Credentials tab.
    2. Select the Over-ride Global Credentials check box to prevent this access point from inheriting the global username, password, and enable password from the controller. The default value is unselected.
    3. In the Username, Password, and Enable Password text boxes, enter the unique username, password, and enable password that you want to assign to this access point.
      Note   

      The information that you enter is retained across controller and access point reboots and if the access point joins a new controller.

    4. Click Apply.
      Note   

      If you want to force this access point to use the controller’s global credentials, unselect the Over-ride Global Credentials check box.

    Step 7   Configure access to local GUI, LAN ports, and local SSID of the OfficeExtend access points:
    1. Choose Wireless > Access Points > Global Configuration to open the Global Configuration page.
    2. Under OEAP Config Parameters, select or unselect the Disable Local Access check box to enable or disable local access of the OfficeExtend access points.
      Note    By default, the Disable Local Access check box is unselected and therefore the Ethernet ports and personal SSIDs are enabled. This configuration does not affect remote LAN. The port is enabled only when you configure a remote LAN.
    Step 8   Click Save Configuration.
    Step 9   If your controller supports only OfficeExtend access points, see the Configuring RRM section for instructions on setting the recommended values for the DCA interval, channel scan duration, and neighbor packet frequency.

    Configuring OfficeExtend Access Points (CLI)

    • Enable FlexConnect on the access point by entering this command:

      config ap mode flexconnect Cisco_AP

    • Configure one or more controllers for the access point by entering one or all of these commands:

      config ap primary-base controller_name Cisco_AP controller_ip_address

      config ap secondary-base controller_name Cisco_AP controller_ip_address

      config ap tertiary-base controller_name Cisco_AP controller_ip_address


      Note


      You must enter both the name and IP address of the controller. Otherwise, the access point cannot join this controller.



      Note


      The names and IP addresses must be unique for the primary, secondary, and tertiary controllers.


    • Enable the OfficeExtend mode for this access point by entering this command:

      config flexconnect office-extend {enable | disable} Cisco_AP

      The default value is enabled. The disable parameter disables OfficeExtend mode for this access point. It does not undo all of the configuration settings on the access point. If you want to clear the access point’s configuration and return it to the factory-default settings, enter this command:

      clear ap config Cisco_AP

      If you want to clear only the access point’s personal SSID, enter this command:

      config flexconnect office-extend clear-personalssid-config Cisco_AP


      Note


      Rogue detection is disabled automatically when you enable the OfficeExtend mode for an access point. However, you can enable or disable rogue detection for a specific access point or for all access points using the config rogue detection {enable | disable} {Cisco_AP | all} command. Rogue detection is disabled by default for OfficeExtend access points because these access points, which are deployed in a home environment, are likely to detect a large number of rogue devices.



      Note


      DTLS data encryption is enabled automatically when you enable the OfficeExtend mode for an access point. However, you can enable or disable DTLS data encryption for a specific access point or for all access points using the config ap link-encryption {enable | disable} {Cisco_AP | all} command.



      Note


      Telnet and SSH access are disabled automatically when you enable the OfficeExtend mode for an access point. However, you can enable or disable Telnet or SSH access for a specific access point using the config ap {telnet | ssh} {enable | disable} Cisco_AP command.



      Note


      Link latency is enabled automatically when you enable the OfficeExtend mode for an access point. However, you can enable or disable link latency for a specific access point or for all access points currently associated to the controller using the config ap link-latency {enable | disable} {Cisco_AP | all} command.


    • Enable the access point to choose the controller with the least latency when joining by entering this command:

      config flexconnect join min-latency {enable | disable} Cisco_AP

      The default value is disabled. When you enable this feature, the access point calculates the time between the discovery request and discovery response and joins the Cisco 5500 Series Controller that responds first.

    • Configure a specific username and password that users at home can enter to log into the GUI of the OfficeExtend access point by entering this command:

      config ap mgmtuser add username user password password enablesecret enable_password Cisco_AP

      The credentials that you enter in this command are retained across controller and access point reboots and if the access point joins a new controller.


      Note


      If you want to force this access point to use the controller’s global credentials, enter the config ap mgmtuser delete Cisco_AP command. The following message appears after you execute this command: “AP reverted to global username configuration.”


    • To configure access to the local network for the Cisco 600 Series OfficeExtend access points, enter the following command:

      config network oeap-600 local-network {enable | disable}

      When disabled, the local SSIDs and local ports are inoperative and the console is not accessible. Resetting the setting restores local access, which is the default. This configuration does not affect a remote LAN configured on the access points.

    • Configure the Dual R-LAN Ports feature, which allows the Ethernet port 3 of Cisco 600 Series OfficeExtend access points to operate as a remote LAN by entering this command:

      config network oeap-600 dual-rlan-ports {enable | disable}

      This configuration is global to the controller and is stored by the AP in an NVRAM variable. When this variable is set, the behavior of the remote LAN changes: each remote LAN port can carry a different remote LAN.

      The remote LAN mapping is different depending on whether the default group or AP Groups is used:
      • Default Group—If you are using the default group, a single remote LAN with an even numbered remote LAN ID is mapped to port 4. For example, a remote LAN with remote LAN ID 2 is mapped to port 4 (on the Cisco 600 OEAP). The remote LAN with an odd numbered remote LAN ID is mapped to port 3 (on the Cisco 600 OEAP). For example, a remote LAN with remote LAN ID 1 is mapped to port 3 (on the Cisco 600 OEAP).
      • AP Groups—If you are using an AP group, the mapping to the OEAP-600 ports is determined by the order of the AP groups. To use an AP group, you must first delete all remote LANs and WLANs from the AP group leaving it empty. Then, add the two remote LANs to the AP group adding the port 3 AP remote LAN first, and the port 4 remote group second, followed by any WLANs.

    • Save your changes by entering this command: save config


      Note


      If your controller supports only OfficeExtend access points, see the Configuring Radio Resource Management section for instructions on setting the recommended value for the DCA interval.


    Configuring a Personal SSID on an OfficeExtend Access Point


      Step 1   Find the IP address of your OfficeExtend access point by doing one of the following:
      • Log on to your home router and look for the IP address of your OfficeExtend access point.
      • Ask your company’s IT professional for the IP address of your OfficeExtend access point.
      • Use an application such as Network Magic to detect devices on your network and their IP addresses.
      Step 2   With the OfficeExtend access point connected to your home router, enter the IP address of the OfficeExtend access point in the Address text box of your Internet browser and click Go.
      Note   

      Make sure that you are not connected to your company’s network using a virtual private network (VPN) connection.

      Step 3   When prompted, enter the username and password to log into the access point.
      Step 4   On the OfficeExtend Access Point Welcome page, click Enter. The OfficeExtend Access Point Home page appears.
      Figure 16. OfficeExtend Access Point Home Page

      This page shows the access point name, IP address, MAC address, software version, status, channel, transmit power, and client traffic.

      Step 5   Choose Configuration to open the Configuration page.
      Figure 17. OfficeExtend Access Point Configuration Page

      Step 6   Select the Personal SSID check box to enable this wireless connection. The default value is disabled.
      Step 7   In the SSID text box, enter the personal SSID that you want to assign to this access point. This SSID is locally switched.
      Note   

      A controller with an OfficeExtend access point publishes only up to 15 WLANs to each connected access point because it reserves one WLAN for the personal SSID.

      Step 8   From the Security drop-down list, choose Open, WPA2/PSK (AES), or 104 bit WEP to set the security type to be used by this access point. Of these, only WPA2/PSK (AES) gives the personal SSID real protection; WEP is cryptographically broken, and Open provides neither authentication nor encryption.
      Note   

      If you choose WPA2/PSK (AES), make sure that the client is configured for WPA2/PSK and AES encryption.

      Step 9   If you chose WPA2/PSK (AES) in Step 8, enter an 8- to 38-character WPA2 passphrase in the Secret text box. If you chose 104 bit WEP, enter a 13-character ASCII key in the Key text box.
      Step 10   Click Apply.
      Note   

      If you want to use the OfficeExtend access point for another application, you can clear this configuration and return the access point to the factory-default settings by clicking Clear Config. You can also clear the access point’s configuration from the controller CLI by entering the clear ap config Cisco_AP command.


      Viewing OfficeExtend Access Point Statistics

      Use these commands to view information about the OfficeExtend access points on your network:

      • See a list of all OfficeExtend access points by entering this command: show flexconnect office-extend summary
      • See the link delay for OfficeExtend access points by entering this command: show flexconnect office-extend latency
      • See the encryption state of all access points or a specific access point by entering this command: show ap link-encryption {all | Cisco_AP} This command also shows authentication errors, which track the number of integrity check failures, and replay errors, which track the number of times that the access point receives the same packet.
      • See the data plane status for all access points or a specific access point by entering this command: show ap data-plane {all | Cisco_AP}