CT5760 Centralized Configuration Example
Network Topology
The diagram in Figure 3-1 shows the network topology with only the Unified Access CT5760 controller in a centralized deployment.
Figure 3-1 Network Topology Centralized Configuration
VLANs and IP Addresses
Table 3-1 VLANs and IP Address by Device
Device                      | VLAN      | IP Address
DHCP Server                 | Gateway   | 10.10.100.1 / 10.10.200.1
Cisco Prime Infrastructure  | 200       | 10.10.200.30
Cisco ISE                   | 200       | 10.10.200.60
Anchor WLC                  | 300       | 192.168.1.5
Core Switch                 | 200, 100  | 10.10.100.1 / 10.10.200.1
AP                          | 200       | DHCP
5760 WLC                    | 200       | 10.10.200.5
Client VLAN                 | 100       | DHCP
Management VLAN             | 200       | 10.10.200.5
NTP Server                  | Gateway   | 10.10.200.1
CT5760 Controller Configuration Example using CLI
Before you start the controller configuration, ensure that there is complete connectivity between all of the switches in the configuration above.
Console Connection
Before you can configure the switch or controller for basic operations, you must connect it to a PC that runs a VT-100 terminal emulator (such as HyperTerminal, ProComm, or PuTTY).
The controller has both an EIA/TIA-232 asynchronous (RJ-45) console port and a USB 5-pin mini Type B, USB 2.0 compliant console port. The default parameters for the console ports are 9600 baud, eight data bits, one stop bit, and no parity. The console ports do not support hardware flow control. Start with a baud rate of 9600; if you have issues, try 115200. Figure 3-2 shows an example session from SecureCRT on a Mac; use the equivalent settings in PuTTY or another emulator on Windows.
Figure 3-2 Mac Secure CRT Example
Startup Wizard
Before you launch the startup wizard, have your IP address and VLAN information available. To skip the wizard (the initial configuration dialog), answer no at the first prompt; the controller then boots to a bare prompt with no initial configuration:
% Please answer 'yes' or 'no'.
Would you like to enter the initial configuration dialog? [yes/no]: no
Would you like to terminate autoinstall? [yes]:
Controller>
Press RETURN to get started!
To run the wizard instead, answer yes. The dialog then walks through the initial configuration as shown below:
Enable secret warning
----------------------------------
In order to access the device manager, an enable secret is required
If you enter the initial configuration dialog, you will be prompted for the enable
secret
If you choose not to enter the initial configuration dialog, or if you exit setup
without setting the enable secret,
please set an enable secret using the following CLI in configuration mode-
enable secret 0 <cleartext password>
----------------------------------
Would you like to enter the initial configuration dialog? [yes/no]: yes
At any point you may enter a question mark '?' for help. Use ctrl-c to abort configuration dialog at any prompt. Default settings are in square brackets '[]'.
Basic management setup configures only enough connectivity for management of the system, extended setup will ask you to configure each interface on the system
Would you like to enter basic management setup? [yes/no]: yes
Configuring global parameters:
Enter host name [Controller]: CT5760-Controller
The enable secret is a password used to protect access to privileged EXEC and configuration modes. Once entered, it is stored in the configuration as a one-way hash rather than in cleartext.
Enter enable secret: Cisco123
The enable password is used when you do not specify an enable secret password, with some older software versions, and some boot images.
Enter enable password: Admin123
The virtual terminal password is used to protect access to the router over a network interface. Enter virtual terminal password: Cisco123
Configure a NTP server now? [yes]: yes
Enter ntp server address : 10.10.200.1
Enter a polling interval between 16 and 131072 secs which is power of 2:16
Do you want to configure wireless network? [no]: yes
Enter mobility group name: New-Mobility
Enter the country code[US]:US
Setup account for accessing HTTP server? [yes]: yes
Username [admin]: admin
Password [cisco]: Cisco123
Password is UNENCRYPTED.
Configure SNMP Network Management? [no]: no
Current interface summary
Any interface listed with OK? value "NO" does not have a valid configuration
Interface            IP-Address   OK? Method Status Protocol
Vlan1                unassigned   NO  unset  up     down
GigabitEthernet0/0   unassigned   YES unset  up     up
Te1/0/1              unassigned   YES unset  down   down
Te1/0/2              unassigned   YES unset  down   down
Te1/0/3              unassigned   YES unset  down   down
Te1/0/4              unassigned   YES unset  down   down
Te1/0/5              unassigned   YES unset  down   down
Te1/0/6              unassigned   YES unset  down   down
Enter interface name used to connect to the management network from the above interface summary: GigabitEthernet0/0 (service port)
Configuring interface GigabitEthernet0/0: Configure IP on this interface? [no]: yes
IP address for this interface: 192.168.2.50
Subnet mask for this interface [255.255.0.0] : 255.255.255.0
Wireless management interface needs to be configured at startup
It needs to be mapped to an SVI that is not Vlan 1 (default)
Enter VLAN No for wireless management interface: 200
Enter IP address: 10.10.200.5
Enter IP address mask:: 255.255.255.0
[0] Go to the IOS command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration to nvram and exit.
Enter your selection [2]:2
Press RETURN to get started!
Version
The CT5760 controller currently ships with release 3.2.01 or release 3.3.0. You can check this using the command:
WLC5760#show version
Snip…
Switch Ports Model SW Version SW Image Mode
------ ----- ----- ---------- ---------- ----
* 1 6 AIR-CT5760 03.03.01SE ct5760-ipservicesk9 INSTALL
Upgrading to release 3.3.3 or later is recommended. The latest software is available on Cisco.com. Read the release notes before upgrading to a given release, and follow the steps in the Cisco IOS-XE software upgrade document.
To display the WCM and IOSd versions, use the following command:
#show version running
To display the AP version, use the following command:
#show ap name apname config general
Accessing the CT5760 Controller Web GUI
You can access the GUI through the out-of-band management port (GigabitEthernet0/0) or through any reachable configured interface on the network (that is, create a VLAN and L3 interface that reaches the controller).
For the best GUI experience, follow these steps:
1. Use one of the supported browsers:
- Chrome 26.x and later
- Mozilla Firefox 20.x and later
- Internet Explorer 8.x, 9.x and 10.x
2. Upgrade the controller to the latest software version, which has additional features and GUI support.
3. Create a username and password to access the GUI. You can configure a local username with the CLI below, or configure the controller to use credentials from an authentication server. Make sure the user has privilege level 15. Note that the username ... password form shown below stores the password reversibly (type 0 or type 7 in the configuration); username <name> privilege 15 secret <password> stores a hash instead and is preferred where the release supports it.
4. HTTPS is enabled by default, so the web GUI is reachable over https. If you also want cleartext HTTP access, enable it with ip http server as shown below; otherwise leave it off so that GUI credentials only ever travel over HTTPS:
WLC5760(config)#username username privilege 15 password password
WLC5760(config)#ip http server
WLC5760(config)#ip http secure-server
WLC5760(config)#ip http authentication local
Note The ip http authentication local CLI command is not configured by default in older releases. However, it is configured by default in recent releases. Ensure that it is configured once you upgrade to the latest release.
Now you can access the Web GUI. Open a browser and enter your controller/switch IP address, for example https://10.10.10.5/. See the GUI access example below.
GUI Access for CT5760/3850 Example
Complete these steps:
Step 1 GUI access–Open a browser and type your controller IP address. By default https is enabled.
For example:
https://10.10.10.5
username: admin
Password: Cisco123
Note You can setup username/password using the following CLI command: Controller(config)#username admin privilege 15 password Cisco123.
This is an example and not the default username and password.
Once you login, you will be directed to the following page:
Step 2 Click Wireless WEB GUI, this will take you to the home page shown below:
Note For additional GUI configuration examples, please see Cisco Unified Access CT5760 Controllers, Catalyst 3850 Switches IOS XE Software release 3.2.2 Web GUI Deployment Guide
Basic Configuration
For the purpose of this document, CLI commands are used to perform configurations. However, most of the configurations mentioned in this document can also be performed using the GUI.
This section shows the configuration options from the console of the CT5760 for the following:
- Management and Client interfaces
- AP Join
- DHCP configuration
Add Management and Client Interface
interface Vlan200
description “Management VLAN”
ip address 10.10.200.5 255.255.255.0
no shut
interface Vlan100
description “Client VLAN”
no shut
AP Join
Before connecting your access points to the network, ensure that the AP licenses are installed and that the correct time is set on the controller.
Licenses
Licenses are based on the Right-To-Use license model (per AP license price for the CT5760 controller).
You must add the AP licenses you purchased and accept the EULA before connecting your APs. This is how you can do it:
WLC5760#license right-to-use activate apcount 510 slot 1 acceptEULA
Once you apply it, you can check the AP license information using the CLI:
WLC5760#show license right-to-use
Slot# License name Type Count Period left
----------------------------------------------------------
1 apcount adder 510 Lifetime
You can also add evaluation licenses for testing purposes:
WLC5760#license right-to-use activate apcount evaluation acceptEULA
For additional license information, please refer to the Cisco Right to Use Licensing FAQ.
Enable Network Time Protocol (NTP) and Setup Time
NTP is important for several features and is mandatory on controllers that use Location, SNMPv3, access point authentication, or MFP, because all of these depend on accurate, shared time (the certificate checks performed during AP join depend on it as well). The WLC supports NTP synchronization with authentication; use authenticated NTP where the time source is not on a trusted segment, so that a spoofed NTP server cannot shift the controller clock.
You can set up NTP during the initial wizard configuration. To add an NTP server afterwards, use the following command:
WLC5760(config)#ntp server <ip_address>
Controller Time:
It is important to setup the correct time on the controller so that the AP can join the controller.
WLC5760#clock set hh:mm:ss day month year
Country Code settings:
Ensure that the correct country code is set on your controller. To see the country code currently configured, issue the following CLI:
WLC5760#show wireless country configured
Configured Country.............................: US - United States
Configured Country Codes
US - United States : 802.11a Indoor,Outdoor/ 802.11b / 802.11g
To change the country code on your controller, shut down both radios first and then set the new code, as shown below. Re-enable the radios afterwards with no ap dot11 24ghz shutdown and no ap dot11 5ghz shutdown:
WLC5760(config)#ap dot11 24ghz shutdown
WLC5760(config)#ap dot11 5ghz shutdown
WLC5760(config)#ap country ?
WORD Enter the country code (e.g. US,MX,IN) upto a maximum of 20 countries
Wireless Management Interface
Configuring the Wireless management interface enables the APs to join the controller. Wireless management interface can be configured as part of the Startup Wizard or can be configured by issuing the following command:
WLC5760(config)#wireless management interface vlan 200
Note You need not configure AP Manager or dynamic interfaces on the 5760 controller.
Default Gateway
The 5760 controller does not support routing. You must define a default gateway on the controller pointing to the default gateway responsible for routing in the network.
Here is how to define a default gateway:
WLC-5760 (config)#ip default-gateway 10.10.200.1
Multicast Forwarding Mode
You must set the CAPWAP forwarding mode to multicast even if wireless multicast forwarding itself is not enabled. This mode is called Multicast-Multicast (MCMC). It requires a multicast group on the controller: every AP joined to the controller subscribes to this group and receives the multicast flow through it. Enable MCMC and configure the group with this command:
WLC5760(config)#ap capwap multicast 239.3.3.3
- The multicast address is used by the controller to forward traffic to its access points. It must not collide with an address already used by another protocol on your network; for example, using 224.0.0.251 breaks mDNS, which some third-party applications rely on. Choose an address in the administratively scoped range (239.0.0.0 - 239.255.255.255), excluding 239.0.0.x and 239.128.0.x. Also set a different multicast address on each WLC: a WLC that speaks to its access points must not reach the APs of another WLC.
- If the access points are on a different subnet than the one used on the management interface, your network infrastructure must provide multicast routing between the management interface subnet and the AP subnet.
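The two rules above (stay in the administratively scoped range but out of 239.0.0.x and 239.128.0.x, avoid addresses other protocols own, and never share a group between controllers) are easy to get wrong when several WLCs are configured. The following Python check is an added example written for this guide, not Cisco code: it validates a candidate group before it is typed into ap capwap multicast. The guide names only mDNS (224.0.0.251) as a colliding protocol; the other well-known groups in the table, and the inventory of groups already in use, are assumptions constructed here.

```python
"""Validate a proposed CAPWAP multicast group address (added example).

Editor's illustration, not code from the Cisco guide. Encodes the rules in the
text above: administratively scoped range, not 239.0.0.x / 239.128.0.x, not a
group another protocol uses (mDNS is the guide's example; the other entries in
WELL_KNOWN_GROUPS are standard assignments added here), and a distinct group
per WLC.
"""
import ipaddress

ADMIN_SCOPE = ipaddress.ip_network("239.0.0.0/8")
# Sub-ranges the guide says to stay out of.
AVOID_PREFIXES = (
    ipaddress.ip_network("239.0.0.0/24"),
    ipaddress.ip_network("239.128.0.0/24"),
)
# Groups already claimed by other protocols.
WELL_KNOWN_GROUPS = {
    "224.0.0.1": "all-hosts",
    "224.0.0.2": "all-routers",
    "224.0.0.251": "mDNS",
    "239.255.255.250": "SSDP/UPnP",
}


def check_capwap_group(candidate: str, groups_in_use: dict) -> list:
    """Return the problems with `candidate`; an empty list means it is safe to use.

    `groups_in_use` maps group address -> owner (other WLCs, applications) so
    that the same group is never shared between controllers.
    """
    ip = ipaddress.ip_address(candidate)
    problems = []
    if not ip.is_multicast:
        problems.append(f"{ip} is not a multicast address")
    elif ip not in ADMIN_SCOPE:
        problems.append(f"{ip} is outside the administratively scoped range 239.0.0.0/8")
    if any(ip in prefix for prefix in AVOID_PREFIXES):
        problems.append(f"{ip} falls in 239.0.0.x or 239.128.0.x, which the guide says to avoid")
    if str(ip) in WELL_KNOWN_GROUPS:
        problems.append(f"{ip} is reserved for {WELL_KNOWN_GROUPS[str(ip)]}")
    owner = groups_in_use.get(str(ip))
    if owner:
        problems.append(f"{ip} is already used by {owner}; each WLC needs its own group")
    return problems


def capwap_multicast_command(candidate: str, groups_in_use: dict) -> str:
    """Return the configuration line for a valid candidate, or raise ValueError."""
    problems = check_capwap_group(candidate, groups_in_use)
    if problems:
        raise ValueError("; ".join(problems))
    return f"ap capwap multicast {candidate}"


if __name__ == "__main__":
    # Constructed inventory: a second controller already uses 239.3.3.3.
    in_use = {"239.3.3.3": "WLC5760-A"}
    for addr in ("239.3.3.3", "239.3.3.4", "224.0.0.251", "239.0.0.7"):
        print(addr, check_capwap_group(addr, in_use) or "ok")
```

Keep the inventory of groups per controller in whatever source of truth you already use for the WLCs (the mobility group list is a natural place) and run the check from there, so the uniqueness rule is enforced across the whole deployment rather than per device.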
Note Do not enable wireless multicast unless it is needed. You might need to enable multicast forwarding in certain networks with heavy multicast application such as Video Streaming, or Bonjour without mDNS proxy, and with large IPV6 client counts.
To configure multicast forwarding on the WLC, use the following command:
WLC5760(config)#wireless multicast
For additional multicast information, refer to the Multicast Configuration chapter in this document.
DHCP Snooping and Trust Configuration on CT5760
An external DHCP server is recommended over the internal DHCP server. DHCP snooping must be configured on the controller for client join to work properly, and it must be enabled on every client VLAN, including any override VLAN applied on a WLAN. The following example shows how to configure DHCP snooping.
Global DHCP snooping configuration:
ip dhcp snooping
ip dhcp snooping vlan 100, 200
Also enable bootp-broadcast forwarding. This is needed for clients that send DHCP messages to the broadcast address with the broadcast bit set in the DHCP message:
ip dhcp snooping wireless bootp-broadcast enable
On the Interface:
Note If upstream is via a port channel, the trust configuration must be configured on the port channel interface as well.
interface TenGigabitEthernet1/0/1
description Connection to Core Switch
switchport trunk allowed vlan 100, 200
switchport mode trunk
ip dhcp relay information trusted
ip dhcp snooping trust
Note DHCP snooping must be configured on the Guest Anchor controller for guest access similar to the configuration above.
If you use an ip helper-address on the interface, you must adjust the option 82 behavior: DHCP snooping inserts option 82, and a relay agent that receives a packet carrying option 82 with a zero giaddr drops it unless it is told to trust such packets. Either stop inserting the option on the snooping device, or trust it on the relay:
On the DHCP Snooping Device
no ip dhcp snooping information option
OR
On the DHCP Relay Device (per interface)
ip dhcp relay information trusted
On the DHCP Relay Device (global configuration)
ip dhcp relay information trust-all
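Because snooping has to be enabled on every client VLAN and trust set on every uplink, a missed VLAN or a second uplink added later silently breaks client join (or, worse, leaves an untrusted path that can drop legitimate offers while a rogue server on a trusted one is accepted). The following Python audit is an added example for this guide, not Cisco code: it reads a running-config as plain text and checks the points made above. It assumes that every VLAN named in a wlan ... client vlan line is a client VLAN, and that every trunk interface is an upstream link that must be trusted; the sample config is constructed to contain one unsnooped VLAN and one untrusted trunk.

```python
"""Audit the DHCP snooping pieces of a CT5760 running-config (added example).

Editor's illustration, not code from the guide. Checks: snooping enabled
globally, every WLAN client VLAN in the snooped VLAN list, bootp-broadcast
forwarding on, and every trunk (assumed to be an upstream link) marked
'ip dhcp snooping trust'. Input is plain IOS configuration text.
"""
from __future__ import annotations
import re

# Constructed sample: client VLAN 300 is not snooped and the second trunk is untrusted.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 100, 200
!
interface TenGigabitEthernet1/0/1
 description Connection to Core Switch
 switchport trunk allowed vlan 100,200,300
 switchport mode trunk
 ip dhcp relay information trusted
 ip dhcp snooping trust
!
interface TenGigabitEthernet1/0/2
 description Second uplink (trust missing on purpose)
 switchport mode trunk
!
wlan corporate 1 corporate
 client vlan 100
 no shutdown
!
wlan guest 3 guest
 client vlan 300
 no shutdown
"""


def parse_vlan_list(spec: str) -> set[int]:
    """Expand an IOS VLAN list such as '100, 200-202' into a set of ints."""
    vlans: set[int] = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_config(text: str):
    """Split the config into global lines and the body of each interface/wlan block."""
    global_lines: list[str] = []
    blocks: dict[tuple[str, str], list[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None          # '!' or a blank line ends a block
            continue
        if raw.startswith(" "):     # indented: belongs to the open block
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        m = re.match(r"^(interface|wlan)\s+(\S+)", raw)
        if m:
            current = (m.group(1), m.group(2))
            blocks[current] = []
        else:
            current = None
            global_lines.append(raw.strip())
    return global_lines, blocks


def audit_dhcp_snooping(text: str) -> list[str]:
    """Return human-readable findings; an empty list means all checks pass."""
    global_lines, blocks = parse_config(text)
    findings: list[str] = []
    if "ip dhcp snooping" not in global_lines:
        findings.append("global: 'ip dhcp snooping' is not enabled")
    if "ip dhcp snooping wireless bootp-broadcast enable" not in global_lines:
        findings.append("global: 'ip dhcp snooping wireless bootp-broadcast enable' is missing")
    snooped: set[int] = set()
    for line in global_lines:
        m = re.match(r"^ip dhcp snooping vlan\s+(.+)$", line)
        if m:
            snooped |= parse_vlan_list(m.group(1))
    for (kind, name), lines in blocks.items():
        if kind == "wlan":
            for line in lines:
                m = re.match(r"^client vlan\s+(\d+)$", line)
                if m and int(m.group(1)) not in snooped:
                    findings.append(f"wlan {name}: client VLAN {m.group(1)} is not in the snooping VLAN list")
        elif kind == "interface":
            if "switchport mode trunk" in lines and "ip dhcp snooping trust" not in lines:
                findings.append(f"interface {name}: trunk is not marked 'ip dhcp snooping trust'")
    return findings


if __name__ == "__main__":
    for finding in audit_dhcp_snooping(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against the output of show running-config; on the sample it reports the missing bootp-broadcast line, the untrusted TenGigabitEthernet1/0/2, and VLAN 300 on the guest WLAN. If the guest WLAN is anchored, remember that the same audit has to pass on the anchor controller too, as the note above says.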
WLAN Configuration
When configuring your WLANs, it is best practice to enable band select and fast SSID change, and to keep the number of SSIDs configured on the controller low.
Enable Band Selection
Band selection enables client radios that are capable of dual-band (2.4 and 5 GHz) operation to move to a less congested 5 GHz access point. The 2.4 GHz band is often congested. Clients on this band typically experience interference from Bluetooth devices, microwave ovens, and cordless phones as well as co-channel interference from other access points because of the 802.11b/g limit of three non-overlapping channels. To prevent these sources of interference and improve overall network performance, you can configure band selection on the controller.
- Band selection is enabled globally by default and can be enabled or disabled per WLAN.
- Band selection works by regulating probe responses to clients. It makes 5 GHz channels more attractive to clients by delaying probe responses to clients on 2.4 GHz channels.
- Do not use band selection for voice, as it can slow down roaming.
- Some client types do not work well with band selection enabled.
- Most new clients prefer 5 GHz by default.
- Do not use band selection on high-density designs.
To enable band selection on a specific WLAN (use the no form to disable it):
WLC5760(config-wlan)#band-select
Enable Fast SSID Changing
When fast SSID changing is enabled, the controller allows clients to move between SSIDs faster: the client entry is not cleared and the delay is not enforced. This setting is important for supporting Apple iOS devices.
The fast SSID change is enabled globally on the controller. To enable fast SSID change:
WLC5760(config)#wireless client fast-ssid-change
WLAN Configuration Example
Configure a WLAN and assign a client VLAN. Use WPA/PSK for security; the passphrase in this example is cisco123. Treat that value as a placeholder only: a WPA-PSK can be attacked offline from a captured four-way handshake, so use a long random passphrase in production.
wlan corporate 1 corporate band-select
client vlan 100
no security wpa akm dot1x
security wpa akm psk set-key ascii 0 cisco123
no shutdown
Enter this command to allow wireless clients to manage the controller over the air. Leave it disabled unless you need it, since it exposes the management plane to the wireless segment.
wireless mgmt-via-wireless <cr>
Voice WLAN
If you are deploying a voice WLAN, apply the best practices below for Voice WLAN configurations:
Enable Voice acm and sip CAC on both the 2.4 GHz and 5 GHz bands under global Config:
2.4 GHz band:
WLC5760(config)#ap dot11 24ghz shutdown
WLC5760(config)#ap dot11 24ghz cac voice acm
WLC5760(config)#ap dot11 24ghz cac voice sip
WLC5760(config)#no ap dot11 24ghz shutdown
5 GHz band:
WLC5760(config)#ap dot11 5ghz shutdown
WLC5760(config)#ap dot11 5ghz cac voice acm
WLC5760(config)#ap dot11 5ghz cac voice sip
WLC5760(config)#no ap dot11 5ghz shutdown
To Apply Policy to WLAN:
WLC5760(config-wlan)#service-policy output platinum
WLC5760(config-wlan)#service-policy input platinum-up
Enable SIP Snooping under the WLAN if SIP calling is required:
WLC5760(config-wlan)#call-snoop
Note Refer to CAC configuration document if CAC is required in your network.
AP and Client Verification
Connect an AP to any port configured with Vlan 200 on the L2 switch. Wait until it joins and enter command:
show ap summary
Number of APs: 1
Global AP User Name: Not configured
Global AP Dot1x User Name: Not configured
AP Name / AP Model / Ethernet MAC / Radio MAC / State
---------------------------------------------------------------------------------
AP44d3.ca42.321a / 3602I / 44d3.ca42.321a / 64d9.8942.4090 / Registered
Connect a wireless client to the corporate SSID with the WPA key 'cisco123'. On the controller, confirm that the new client association was authorized with:
WLC5760#show wireless client summary
Security Configuration
This section shows the configuration options from the console of the CT5760:
- Enable Authentication, Authorization, and Accounting (AAA)
- Configure ISE as RADIUS server (10.10.200.60)
- Shared secret - secret
From the CT5760 console (serial or SSH; telnet carries credentials in cleartext), configure AAA:
aaa new-model
!
aaa group server radius Cisco
 server name Cisco
!
! no_auth is a method list that performs no authentication at all;
! never apply it to vty lines or HTTP.
aaa authentication login no_auth none
aaa authentication dot1x default group radius
aaa authentication dot1x Cisco_dot1x group Cisco
aaa authorization network default group Cisco
aaa accounting network default start-stop group Cisco
dot1x system-auth-control
!
! 'secret' is the example shared key; use a long random value per server.
radius server Cisco
 address ipv4 10.10.200.60 auth-port 1812 acct-port 1813
 key secret
Optional Radius Server Configuration
aaa server radius dynamic-author
auth-type any
!
radius-server attribute 6 on-for-login-auth
radius-server dead-criteria time 10 tries 3
radius-server deadtime 3
radius-server vsa send accounting
radius-server vsa send authentication
!
This command creates the WLAN with 802.1x security.
wlan corporate1x 2 corporate1x
accounting-list Cisco
band-select
client vlan 100
security dot1x authentication-list Cisco_dot1x
session-timeout 600
no shutdown
Connect wireless client to corporate-1x with the credentials configured on the AAA server:
Controller#show wireless client summary
Wireless WebAuth and Guest Anchor Solutions
The following sections show a WebAuthentication (WebAuth) configuration and Guest Anchor examples on the CT5760.
Note For a complete webauth configuration, download the webauth bundle from the following URL: http://software.cisco.com/download/release.html?mdfid=284397235&softwareid=282791507&release=3.2.2&relind=AVAILABLE&rellifecycle=&reltype=latest. The readme file has all the GUI and CLI configuration for webauth.
Best practices for Central (CWA) and Local (LWA) WebAuth configurations:
- Release 3.3.3SE and later are the recommended releases for any web-auth network deployments.
- Configure the virtual-ip under the global parameter-map to drop the unauthenticated HTTPS traffic for the LWA scenario.
- Configure per user max HTTP connections (15) and web-auth state time out (5 min) for LWA scenario.
This is how to apply the configuration:
parameter-map type webauth global
virtual-ip ipv4 <virtual-ip>
timeout init-state sec 300
max-http-conns 15
- Configure only HTTP redirect in the redirect ACL for central web-auth (CWA) scenarios.
WLC5760(config)#ip access-list extended cwa_redirect_acl
WLC5760(config-ext-nacl)#permit tcp any any eq www
Configure Parameter-Map Section in Global Configuration
A parameter map of type webauth holds the settings the web authentication portal uses. The global map carries values shared by every web authentication session on the controller, such as the virtual IP, timeouts and connection limits; named maps add per-WLAN settings such as the portal type and custom pages.
! First section is to define our global values and the internal Virtual Address.
! This should be common across all WCM nodes.
parameter-map type webauth global
virtual-ip ipv4 <virtual-ip>
timeout init-state sec 300
max-http-conns 15
parameter-map type webauth webparalocal
 type webauth
 banner text ^C WEBAUTHX^C
 redirect on-success http://9.12.128.50/webauth/loginsuccess.html
 redirect portal ipv4 9.12.128.50
Configure Customized WebAuth Tar Packages
Transfer each file to flash:
copy tftp://10.1.10.100/WebAuth/webauth/webauth_consent.html flash:webauth_consent.html
copy tftp://10.1.10.100/WebAuth/webauth_success.html flash:webauth_success.html
copy tftp://10.1.10.100/WebAuth/webauth_failure.html flash:webauth_failure.html
copy tftp://10.1.10.100/WebAuth/webauth_expired.html flash:webauth_expired.html
Note In case the customized page contains images, they won't be displayed unless certain requirements are met, which are:
- The filename of the images must start with “web_auth_”. For example: web_auth_logo.png.
- The image source in the HTML file must be edited to look like:
<img src="http://[wireless management ip]/flash:[name of the file]">
Configure Parameter Map with Custom Pages
parameter-map type webauth webparalocal
type webauth
custom-page login device flash:webauth_consent.html
custom-page success device flash:webauth_success.html
custom-page failure device flash:webauth_failure.html
custom-page login expired device flash:webauth_expired.html
Configure Parameter Map with Type Consent and Email Options
parameter-map type webauth webparalocal
type consent
consent email
custom-page login device flash:webauth_consent.html
custom-page success device flash:webauth_success.html
custom-page failure device flash:webauth_failure.html
custom-page login expired device flash:webauth_expired.html
Configure Local WebAuth Authentication
username guest password guest123
aaa new-model
dot1x system-auth-control
aaa authentication login EXT_AUTH local
aaa authorization network EXT_AUTH local
aaa authorization network default local
or
aaa authentication login default local
aaa authorization network default local
Configure External Radius for WebAuth
aaa new-model
dot1x system-auth-control
aaa server radius dynamic-author
 client 10.10.200.60 server-key cisco
 auth-type any
radius server cisco
 address ipv4 10.10.200.60 auth-port 1812 acct-port 1813
 key cisco
aaa group server radius cisco
 server name cisco
aaa authentication login EXT_AUTH group cisco
or
aaa authentication login default group cisco
Configure WLAN with WebAuth
wlan Guest-WbAuth 3 Guest-WbAuth
client vlan 100
mobility anchor 192.168.5.1
no security wpa
no security wpa akm dot1x
no security wpa wpa2
no security wpa wpa2 ciphers aes
security web-auth
security web-auth authentication-list EXT_AUTH
security web-auth parameter-map webparalocal
no shutdown
Note Please see Bundle of sample pages for web portal authentication for WLC 5760 for an example of external webauth configuration.
Configure HTTP Server in Global Configuration
!--- These are needed to enable Web Services in the Cisco IOS® software.
ip http server
ip http secure-server
ip http active-session-modules none
SNMP Configuration
From the CT5760 console, configure the SNMP community strings. The strings public and private below are placeholders only: they are the well-known defaults that scanners try first, and the rw string grants full write access to the controller. In production use unique strings, restrict each community with an access list (snmp-server community <string> ro <acl>), or use SNMPv3 with authentication and privacy (which requires NTP, see above).
snmp-server community public ro
snmp-server community private rw
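The GUI access steps earlier in this chapter (privilege-15 user, ip http server / secure-server / authentication) and the SNMP strings above are the two places where this document configures the management plane, and both are easy to leave in their example state. The following Python audit is an added example for this guide, not Cisco code: it reads a running-config as text and flags cleartext HTTP, reversible user passwords, missing HTTP authentication, default or read-write SNMP communities, and communities with no access list. The "hardened" sample, its hash placeholder and its access-list number are constructed assumptions.

```python
"""Audit GUI (HTTP) and SNMP settings in a CT5760 running-config (added example).

Editor's illustration, not code from the guide. The hardened sample, its
placeholder hash and the access-list number 10 are constructed here.
"""
from __future__ import annotations
import re

# Constructed: the settings shown in this guide, taken literally.
SAMPLE_CONFIG = """\
username admin privilege 15 password 0 Cisco123
ip http server
ip http secure-server
ip http authentication local
snmp-server community public RO
snmp-server community private RW
"""

# Constructed: the same device after hardening.
HARDENED_CONFIG = """\
username admin privilege 15 secret 5 $1$example$placeholderhash
no ip http server
ip http secure-server
ip http authentication local
snmp-server community Ops-ReadOnly-7f3a RO 10
"""


def _lines(text: str) -> list[str]:
    """Non-empty, non-comment config lines with surrounding whitespace removed."""
    return [l.strip() for l in text.splitlines() if l.strip() and not l.startswith("!")]


def audit_http(text: str) -> list[str]:
    """Findings for the web GUI: transport, authentication method, credential storage."""
    lines = _lines(text)
    findings: list[str] = []
    if "ip http secure-server" not in lines:
        findings.append("HTTPS GUI is not enabled ('ip http secure-server' missing)")
    if "ip http server" in lines:
        findings.append("cleartext HTTP GUI is enabled; remove 'ip http server' unless required")
    if not any(l.startswith("ip http authentication ") for l in lines):
        findings.append("no 'ip http authentication' method; the default uses the enable password")
    priv15_users = 0
    for l in lines:
        m = re.match(r"^username (\S+) privilege 15 (password|secret)\b", l)
        if not m:
            continue
        priv15_users += 1
        if m.group(2) == "password":
            findings.append(f"user {m.group(1)}: password is stored reversibly; use 'secret' instead")
    if priv15_users == 0:
        findings.append("no privilege-15 local user; GUI login with local authentication cannot succeed")
    return findings


def audit_snmp(text: str) -> list[str]:
    """Findings for SNMP communities: default strings, write access, no access list."""
    findings: list[str] = []
    for l in _lines(text):
        m = re.match(r"^snmp-server community (\S+)\s+(ro|rw)(?:\s+(\S+))?$", l, re.IGNORECASE)
        if not m:
            continue
        community, mode, acl = m.group(1), m.group(2).lower(), m.group(3)
        if community.lower() in ("public", "private"):
            findings.append(f"community '{community}' is a well-known default string")
        if mode == "rw":
            findings.append(f"community '{community}' grants write access; prefer RO or SNMPv3")
        if acl is None:
            findings.append(f"community '{community}' is not restricted by an access list")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_http(cfg) + audit_snmp(cfg) or ["clean"])
```

The literal settings from this chapter produce seven findings; the hardened configuration produces none. The HTTP check only recognises local users, so a controller that authenticates GUI logins through ISE will report "no privilege-15 local user" unless you also keep an emergency local account, which is usually what you want anyway.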
IPv6 Configuration
IPv6 is supported on the data path. Wireless clients will be able to get an IPv6 address.
Enable IPv6 Snooping - CT5760
There are slight differences in configuration on a CT5760 when configuring IPv6. To enable IPv6 on a CT5760, complete the following steps. First define an RA guard policy that treats the port as a trusted link facing a router, then attach it to the uplink:
ipv6 nd raguard policy testgaurd
 trusted-port
 device-role router
interface TenGigabitEthernet1/0/1
 description Uplink to Core Switch
 switchport trunk native vlan 200
 switchport mode trunk
 ipv6 nd raguard attach-policy testgaurd
 ip dhcp snooping trust
Enable IPv6 on Interface - CT5760
Depending on which interfaces need IPv6 and the type of address required, enable the respective configuration as follows. In this example, ND suppression and IPv6 snooping are enabled on VLANs 100 and 200, and IPv6 addresses are assigned on the client VLAN interface (Vlan100):
vlan configuration 100 200
 ipv6 nd suppress
 ipv6 snooping
interface Vlan100
 description Client VLAN
 ip address 10.10.100.5 255.255.255.0
 ip helper-address 10.10.100.1
 ipv6 address 2001:DB8:0:10::1/64
 ipv6 address FEC0:20:21::1/64
 ipv6 enable