Home > Work With My Wireless Devices > Cisco Aironet 1100 and 1200 Series Access Points > Set Up Your Wireless LAN Controller Module

Step 5: Configure the Cisco Wireless LAN Controller Module

    Step 1:   SMB Support Assistant Site Survey
    Step 2:   Set Up Your Cisco Wireless LAN Controller Module Hardware
    Step 3:   Configure Your Router for the Wireless LAN Controller Module
    Step 4:   Complete Initial Setup for the Cisco Wireless LAN Controller Module
    Step 5:  Configure the Cisco Wireless LAN Controller Module
                      Introduction
                      Requirements
                      Configure the Controller
                           Connect to the Device Manager
                           Switch Settings
                           Configure Interfaces
                           WLAN Settings
                           Enable Telnet/SSH
                           Wireless Security
                           Configure WLAN Security for a Pre-Shared Key
                           Configure Wireless Security for an External RADIUS Server
                      Next Step
                      Troubleshoot the Procedure
                           Install the Certificate
                      Related Information
    Step 6:   Set Up a RADIUS Server for the Wireless LAN Controller Module
    Step 7:   Add a Lightweight Access Point to Your Wireless Network

Download PDF

	Step 5: Configure the Cisco Wireless LAN Controller Module
	Set Up Your Wireless LAN Controller Module

Introduction

This document provides instructions on how to configure the Wireless LAN Controller Module (WLCM) installed in your Cisco 2800 and 3800 Integrated Services Router.

This document shows how to configure the WLCM solution with these subnets:

VLAN	IP Address
Wireless LAPs	192.168.14.0
WLAN Controller Management	192.168.15.0
Wireless Default	192.168.16.0
Wireless Guest	192.168.17.0

If you want to set up a WLCM at more than one site, the Wireless LAN Controller Module IP Addressing Plan provides additional subnets that you can use for up to 30 sites. To set up an additional site, replace the VLAN subnets used in this document with the appropriate subnets for your site.

Requirements

To configure the Cisco WLCM, you need these items:

A straight-through Ethernet cable. For more information about cables, refer to Cable Descriptions.
Completed worksheets from the Site Survey:
- LAN Addressing Worksheet
- ISR Router Worksheet

In addition, you must have completed the steps in the Complete Initial Setup for the Cisco Wireless LAN Controller Module document.

Configure the Controller

Follow these steps to configure the Cisco WLCM:

Connect to the Device Manager

Follow these steps to connect to the Cisco WLAN Controller web user interface:

Connect a straight-through Ethernet cable from a PC to the Management port listed in field S5 of the ISR Router Worksheet.
Configure your PC with these values:
- IP Address: 192.168.14.100
- Subnet Mask: 255.255.255.0
- Default Gateway: 192.168.14.1
For detailed instructions on how to configure an IP address on your PC, refer to Configure an IP Address on Your PC.
In a web browser, open https://192.168.15.24.
Click Yes to accept the security certificate from the WLCM.

Note: If you would like to permanently install the certificate in order to skip this step in the future, see Install the Certificate.
Click Login.
In the Enter Network Password dialog box, enter the username admin and the password that you entered in fields W24 of the ISR Router Worksheet.
The WLCM Monitor screen displays.

Switch Settings

Follow these steps to configure the switch settings on the Wireless Controller:

Click Controller.
Follow these steps to set the WLCM in master controller mode:
1. Click Master Controller Mode.
2. Check Master Controller Mode and click Apply.
Follow these steps to configure a time server:
1. Click Network Time Protocol.
2. Click New.
3. On the NTP Servers > New screen, enter these values:
  - Server Index (Priority): 1
  - Server IP Address: Enter the router IP address that you entered in field L6A of the LAN Addressing Worksheet.
  Click Apply.

Configure Interfaces

Follow these steps to configure VLAN interfaces on the WLCM:

Click Controller.
Click Interfaces.
Follow these steps to create a VLAN interface for wireless users on the default network:
1. Click New.
2. Enter these values to create the Guest VLAN interface:
  - Interface Name: Vlan26
  - VLAN ID: 26
  Click Apply.
3. On the Interfaces > Edit screen, make these changes to the default values:
  - Interface Address:
    - IP Address: 192.168.16.254
    - Netmask: 255.255.255.0
    - Gateway: 192.168.16.1
  - DHCP Information:
    - Primary DHCP Server: 192.168.16.1
  Click Apply.
Follow these steps to create a VLAN interface for wireless users on the guest network:
1. Click New.
2. Enter these values to create the Guest VLAN interface:
  - Interface Name: Vlan27
  - VLAN ID: 27
  Click Apply.
3. Click Interfaces > Edit.
4. On the Interfaces > Edit screen, make these changes to the default values:
  - Interface Address:
    - IP Address: 192.168.17.254
    - Netmask: 255.255.255.0
    - Gateway: 192.168.17.1
  - DHCP Information:
    - Primary DHCP Server: 192.168.17.1
  Click Apply.

WLAN Settings

Follow these steps to configure Wireless LAN interfaces (WLANs) on the WLCM:

Click WLANs.
Click New.
Enter these values to create a WLAN for guest users:
- WLAN ID: 3
- WLAN SSID: wlan3
Click Apply.
On the WLANs > Edit screen, make these changes to the default values:
- General Policies:
  - Admin Status: Enabled
  - DHCP Server: Check Override and enter 192.168.17.1.
  - DHCP Addr. Assignment: Required
  - Interface Name: Vlan 27
- Security Policies:
  - Layer 2 Security: None
  - Layer 3 Security: None
  Note: Instructions to apply security policies are provided later in this document.
Click Apply.

Enable Telnet/SSH

The controller can be configured to accept telnet and SSH connections through the controller web-interface. Follow these steps to enable Telnet and SSH:

Click Management.
Click Telnet-SSH.
In the Telnet-SSH screen, make these changes to the defaults:
- For the Allow New Telnet Sessions, select Yes from the drop-down menu.
- For the Allow New SSH Sessions, select Yes from the drop-down menu.
- Click Apply.

Wireless Security

Two security options are available for the WLCM:

External RADIUS Server: The wireless network uses an external RADIUS server to authenticate users. This option provides greater security and requires that you provide an external RADIUS server.

Note: Cisco provides the parameters required to set up the RADIUS server, but does not provide full instructions for any particular RADIUS implementation.
WPA2 Pre-Shared Key: A pre-shared password or passphrase is used to provide access to the wireless network. This option is less secure and requires that you create a strong password for the wireless network.

To configure wireless security to use a pre-shared key, proceed to Configure Wireless Security for a Pre-Shared Key. To configure wireless security to use an external RADIUS server, proceed to Configure Wireless Security for an External RADIUS Server.

Configure WLAN Security for a Pre-Shared Key

Follow these steps to configure wireless security to use a WPA2 Pre-Shared Key:

Click WLANs.
Follow these steps to configure security on the default WLAN:
1. Click Edit next to the WLAN SSID for the default network that you entered in field W26 of the ISR Router Worksheet.
2. On the WLANs > Edit screen, make these changes to the default values:
  1. Security Policies:
    - Layer 2 Security: Choose WPA2.
    - Layer 3 Security: None.
  2. WPA2 Parameters:
    - WPA2 Compatibility Mode: Check WPA2 Compatibility Mode.
    - Allow WPA2 TKIP Clients: Check Allow WPA2 TKIP Clients.
    - Pre-Shared Key: Check Pre-Shared Key.
    - Check Please set the WPA2 Pre-Shared Key of length between 8 and 63 characters and enter the Pre-Shared Key that you entered in field W27 of the ISR Router Worksheet.
  Click Apply.
Follow these steps to configure security on the Guest WLAN:
1. Click Edit next to wlan3.
2. On the WLANs > Edit screen, make these changes to the default values:
  1. Security Policies:
    - Layer 2 Security: Choose WPA2.
    - Layer 3 Security: None.
  2. WPA2 Parameters:
    - WPA2 Compatibility Mode: Check WPA2 Compatibility Mode.
    - Allow WPA2 TKIP Clients: Check Allow WPA2 TKIP Clients.
    - Pre-Shared Key: Check Pre-Shared Key.
    - Check Please set the WPA2 Pre-Shared Key of length between 8 and 63 characters and enter the Pre-Shared Key that you entered in field W27 of the ISR Router Worksheet.
  Click Apply.
Click Save Configuration to save your configuration. Click OK to confirm.
Proceed to the Next Step.

Configure Wireless Security for an External RADIUS Server

Follow these steps to configure wireless security with an external RADIUS server:

Follow these steps to configure the WLCM to use the RADIUS server:
1. Click Security.
2. Click Radius Authentication.
3. Click New.
4. On the RADIUS Authentication Servers > New screen, make these changes to the default values:
  - Server IP Address: Enter the IP address of the RADIUS server that you entered in the field W22 of the Wireless Worksheet.
  - Shared Secret: Enter the shared secret key that you entered in field W18 of the Wireless Worksheet.
  - Confirm Shared Secret: Re-enter the shared secret key that you entered in field W18 of the Wireless Worksheet.
  - Network User: Enable
  Click Apply.
Follow these steps to configure WLAN security for the RADIUS server:
1. Click WLANs.
2. Follow these steps to configure WLAN security for users on the default network:
  1. Click Edit next to the WLAN SSID for the default network that you entered in field W26 of the ISR Router Worksheet.
  2. On the WLANs > Edit screen, make these changes to the default values:
    1. Security Policies:
      - Layer 2 Security: Choose WPA2.
      - Layer 3 Security: None.
    2. RADIUS servers:
      - Server 1: Choose the RADIUS server IP Address that you entered in field W22 of the ISR Router Worksheet.
    Click Apply.
3. Follow these steps to configure WLAN security for Guest users:
  1. Click Edit next to wlan3.
  2. On the WLANs > Edit screen, make these changes to the default values:
    1. Security Policies:
      - Layer 2 Security: Choose WPA2.
      - Layer 3 Security: None.
    2. RADIUS servers:
      - Server 1: Choose the RADIUS server IP Address that you entered in field W22 of the ISR Router Worksheet.
    Click Apply.
4. Click Save Configuration to save your configuration. Click OK to confirm.

Next Step

You have completed this procedure.

If you set up wireless security for a pre-shared key, proceed to Add a Lightweight Access Point to Your Wireless Network.

If you set up wireless security for an external RADIUS server, proceed to Set Up a RADIUS Server for the Wireless LAN Controller Module.

To make further changes to the wireless network, refer to the Wireless Support Page.

To configure other devices in your network, refer to the Configuration Overview Page.

Troubleshoot the Procedure

This section provides information about common problems that you may encounter. If this information does not solve your problem, contact the SMB Technical Assistance Center (SMB TAC) for assistance.

Problem	Cause(s) and Suggested Solution(s)
You are not able to connect to the WLCM.	Ensure that you type https before the WLCM IP address in your browser. Ensure that your PC is connected to the management port that you configured in Configure Your Router for the Wireless LAN Controller Module. For further assistance, contact the SMB Technical Assistance Center (SMB TAC).

Install the Certificate

If you want to install a certificate from the WLCM on your PC, follow these steps:

Click View Certificate.
On the Certificate screen, click Install Certificate.
On the Certificate Import Wizard screen, click Next.
On the Certificate Store screen, choose Place all certificates in the following store and click Browse.
On the Select Certificate Store screen, click Trusted Root Certificate Authorities and click OK.
The Certificate Store screen displays Trusted Root Certificate Authorities. Click Next.
Click Finish.
The browser displays a security warning. Click OK.
The browser displays an alert that indicates that the certificate import was successful. Click OK.