Creating Wireless Networks

WLANs

Cisco Mobility Express solution supports a maximum of 16 WLANs. Each WLAN has a unique WLAN ID (1 through 16), a unique Profile Name, SSID, and can be assigned different security policies.

Access Points broadcast all active WLAN SSIDs and enforce the policies that you define for each WLAN.

A number of WLAN Security options are supported on Cisco Mobility Express solution and are outlined below:

  1. Open

  2. WPA2 Personal

  3. WPA2 Enterprise (External RADIUS, AP)

For Guest WLAN, a number of capabilities are supported:

  1. CMX Guest Connect

  2. WPA2 Personal

  3. Captive Portal (AP)

  4. Captive Portal (External Web Server)

Creating Employee WLANs

Creating Employee WLAN with WPA2 Personal

Procedure
    Step 1   Navigate to Wireless Settings > WLANs and then click on Add new WLAN button. The Add new WLAN Window will pop up.

    Step 2   In the Add new WLAN window, on the General page, configure the following:
    1. Enter the Profile Name.
    2. Enter the SSID.
    Step 3   Click on the WLAN Security and configure the following:
    1. Select Security as WPA2 Personal.
    2. Enter the Passphrase and Confirm PassPhrase.

    Step 4   Click Apply.

    Creating Employee WLAN using WPA2 Enterprise with External Radius Server

    Procedure
      Step 1   Navigate to Wireless Settings > WLANs and then click on Add new WLAN button. The Add new WLAN Window will pop up.

      Step 2   In the Add new WLAN window, on the General page configure the following:
      1. Enter the Profile Name.
      2. Enter the SSID.
      Step 3   Click on the WLAN Security and configure the following:
      1. Select Security Type as WPA2 Enterprise.
      2. Select Authentication Server as External Radius.
      Step 4   Add the Radius server and configure the following:

      • Enter the Radius IP

      • Enter the Radius Port

      • Enter the Shared Secret

      • Click on tick icon

      Step 5   Click Apply.

      Creating Employee WLAN with WPA2 Enterprise and Authentication Server as AP

      Procedure
        Step 1   Navigate to Wireless Settings > WLANs and then click on Add new WLAN button. The Add new WLAN Window will pop up.

        Step 2   In the Add new WLAN window, on the General page configure the following:
        1. Enter the Profile Name.
        2. Enter the SSID.

        Step 3   Click on the WLAN Security and configure the following:
        1. Select Security as WPA2 Enterprise.
        2. Select Authentication Server as AP.
          Note   

          AP is the Master AP running the controller function. In this use case, controller is the Authentication Server and therefore Local WLAN user account must exist to onboard the clients.

        Step 4   Click the Apply.

        Creating Employee WLAN with WPA2 Enterprise/External RADIUS and MAC Filtering

        Procedure
          Step 1   Navigate to Wireless Settings > WLANs and then click on Add new WLAN button. The Add new WLAN Window will pop up.
          Step 2   In the Add new WLAN window, on the General tab, configure the following:

          • Enter the Profile Name

          • Enter the SSID

          Step 3   Click on the WLAN Security tab and configure the following:

          • Enable MAC Filtering

          • Select Security Type as WPA2 Enterprise

          • Select Authentication Server as External RADIUS

          • Select RADIUS Compatibility from the drop-down list

          • Select MAC Delimiter from the drop-down list

          Step 4   Add the Radius server and configure the following:

          • Enter the Radius IP

          • Enter the Radius Port

          • Enter the Shared Secret

          • Click on tick icon.

          Step 5   Click Apply.

          Creating Guest WLANs

          Mobility Express controller can provide guest user access on WLANs which are specifically designated for use by guest users. To set this WLAN exclusively for guest user access, enable the Guest Network under the WLAN Security tab.

          Creating Guest WLAN with Captive Portal on CMX Connect

          Procedure
            Step 1   Navigate to Wireless Settings > WLANs and then click on Add new WLAN button. The Add new WLAN Window will pop up.
            Step 2   In the Add new WLAN window, on the General tab, configure the following:

            • Enter the Profile Name

            • Enter the SSID

            Step 3   Enable the Guest Network under the WLAN Security tab.
            Step 4   Select Captive Portal as CMX Connect.
            Step 5   Enter Captive Portal URL.
            Note   

            Captive Portal URL must have the following format: https://yya7lc.cmxcisco.com/visitor/login where yya7lc is your Account ID.

            Step 6   Click Apply.
            Note   

            Additional steps are required on CMX Cloud to create the Captive Portal, Site with Access Points and associating Captive Portal to the Site.

            Creating Guest WLAN with Internal Splash Page

            There is an internal splash page built into the Mobility Express controller which can be used to onboard the clients connecting to Guest WLANs. This internal splash page can also be customized by uploading a customized bundle. To upload a customized internal splash page, navigate to Wireless Settings > Guest WLANs. Select Page Type as Customized and click on the Upload button to upload a customized page bundle.

            For internal splash page, Cisco Mobility Express supports multiple options for Access Type. They are as follows:

            1. Local User Account
            2. Web Consent
            3. Email Address
            4. RADIUS
            5. WPA2 Personal
            Procedure
              Step 1   Navigate to Wireless Settings > WLANs and then click on Add new WLAN button. The Add new WLAN Window will pop up.
              Step 2   In the Add new WLAN window, on the General tab, configure the following:

              • Enter the Profile Name

              • Enter the SSID

              Step 3   Enable the Guest Network under the WLAN Security tab.
              Step 4   Select Captive Portal as Internal Splash Page.
              Step 5   Select one of the following Access Type as needed:

              1. Local User Account–Splash Page will present the user to enter username and password which must be authenticated by the controller before network access is granted. Local WLAN users must be created on the controller to onboard the Guest clients.

              2. Web Consent–Splash Page will present the user to acknowledge before network access is granted.

              3. Email Address–Splash Page will present the user to enter the email address before network access is granted.

              4. RADIUS–Splash Page will present the user to enter username and password which must be authenticated by the RADIUS server before network access is granted. Select Access Type as RADIUS and enter the RADIUS server configuration.

              5. WPA2 Personal–This is an example of L2 + L3 (Web Consent). Layer 2 PSK security authentication will happen first followed by Splash Page which will present the user to acknowledge before network access is granted. Select Access Type as WPA2 Personal and enter the Passphrase.

              Step 6   Click Apply.

              Creating Guest WLAN with External Splash Page

              An external splash page is one which resides on an external Web Server. Similar to the internal splash page, Cisco Mobility Express supports multiple options for Access Type with external splash page. They are as follows:

              1. Local User Account

              2. Web Consent

              3. Email Address

              4. RADIUS

              5. WPA2 Personal

              Procedure
                Step 1   Navigate to Wireless Settings > WLANs and then click on Add new WLAN button. The Add new WLAN Window will pop up.
                Step 2   In the Add new WLAN window, on the General tab, configure the following:

                • Enter the Profile Name

                • Enter the SSID

                Step 3   Enable the Guest Network under the WLAN Security tab.
                Step 4   Select Captive Portal as External Splash Page.
                Step 5   Select one of the following Access Type as needed:

                1. Local User Account–Splash Page will present the user to enter username and password which must be authenticated by the controller before network access is granted. Local WLAN users must be created on the controller to onboard the Guest clients.

                2. Web Consent–Splash Page will present the user to acknowledge before network access is granted.

                3. Email Address–Splash Page will present the user to enter the email address before network access is granted.

                4. RADIUS–Splash Page will present the user to enter username and password which must be authenticated by the RADIUS server before network access is granted. Select Access Type as RADIUS and enter the RADIUS server configuration.

                5. WPA2 Personal–This is an example of L2 + L3 (Web Consent). Layer 2 PSK security authentication will happen first followed by Splash Page which will present the user to acknowledge before network access is granted. Select Access Type as WPA2 Personal and enter the Passphrase.

                Step 6   Click Apply.

                Internal Splash Page for Web Authentication

                Cisco Mobility Express supports a default internal guest portal that comes built-in and also a customized page, which can be imported by the user.

                Using default internal guest portal

                To use the default Guest Portal Page or import a customized Guest Portal page, follow the procedure below:

                Procedure
                  Step 1   Navigate to Wireless Settings > Guest WLANs.
                  Step 2   Configure the following on the Guest WLAN page:

                  • Page Type–Select as Internal (Default).

                  • Preview–You can Preview the page by clicking on the Preview button.

                  • Display Cisco Logo–To hide the Cisco logo that appears in the top right corner of the default page, you can choose No. This field is set to Yes by default.

                  • Redirect URL After Login–To have the guest users redirected to a particular URL (such as the URL for your company) after login, enter the desired URL in this text box. You can enter up to 254 characters.

                  • Page Headline–To create your own headline on the login page, enter the desired text in this text box. You can enter up to 127 characters. The default headline is Welcome to the Cisco Wireless Network.

                  • Page Message–To create your own message on the login page, enter the desired text in this text box. You can enter up to 2047 characters. The default message is Cisco is pleased to provide the Wireless LAN infrastructure for your network. Please login and put your air space to work.

                  Step 3   Click Apply.

                  Using customized internal guest portal

                  If a customized guest portal has to be presented to guest users, a sample page can be downloaded from cisco.com which can then be edited and imported to the Cisco Mobility Express controller. After the page has been edited and ready to be uploaded to the Cisco Mobility Express controller, follow the steps below.

                  Procedure
                    Step 1   Navigate to Wireless Settings > Guest WLANs.
                    Step 2   Configure the following on the Guest WLAN page:

                    • Page Type–Select as Customized.

                    • Customized page Bundle–Click on the Upload button to upload the he customized page bundle to the Mobility Express controller.

                    • Preview–You can Preview the Guest portal by clicking on the Preview button.

                    • Redirect URL After Login–To have the guest users redirected to a particular URL (such as the URL for your company) after login, enter the desired URL in this text box. You can enter up to 254 characters.

                    Step 3   Click Apply.

                    Centralized NAT on Guest WLANs

                    Managed Service Providers provide managed WiFi services at Hotels, Retail locations with 1 - 70 APs on site with up 300 or more concurrent wireless clients. In such locations aggregate throughput is limited by WAN connectivity and is typically less than 250 Mbps. Use of external DHCP server for clients is limited to back office devices/clients due to scale limitations. For Guest devices, expectation is to use internal DHCP server on Master AP so that and all guest traffic can be routed via the Master Access Point.


                    To configure centralized NAT on Guest WLANs, follow the procedure below:

                    Procedure
                      Step 1   Add a DHCP Pool for the WLAN which has to bed NAT'ed. To create the scope, navigate to Wireless Settings > DHCP Server > Add new Pool. The Add DHCP Pool window will pop up. On the Add DHCP Pool window, configure the following:

                      • Enter the Pool Name for the WLAN

                      • Enable the Pool Status

                      • Enter the VLAN ID for the WLAN

                      • Enter the Lease Period for the DHCP clients. Default is 1 Day

                      • Enter the Network/Mask

                      • Enter the Start IP for the DHCP pool

                      • Enter the End IP for the DHCP pool

                      • Enter the Default Gateway for the DHCP pool
                        Note   

                        If the scope is for client devices connecting to the Centralized NAT, one must select Mobility Express Controller for Default Gateway.

                      • Enter the Domain Name (Optional) for the DHCP pool

                      • For Name Servers, select User Defined if one needs to enter IP addresses of Name Servers or select OpenDNS in which case OpenDNS Name Server IP addresses are automatically populated

                      • Click Apply.

                      Step 2   To create WLAN, navigate to Wireless Settings > WLANs. On the Add new WLAN or Edit WLAN window, click on the VLAN and Firewall tab and configure the following:

                      • For Client IP Management, select Mobility Express Controller

                      • Check the Peer to Peer Block to disable communication between two clients on that WLAN

                      • Enter the Native VLAN ID

                      • Select the DHCP Scope which was created for Guest clients on the Mobility Express controller

                      Note   

                      : The VLAN for this WLAN should be configured on all the switch ports to which APs are connected.

                      Step 3   Click Apply.

                      Managing WLAN Users

                      Cisco Mobility Express supports creation of local user accounts. These users can be authenticated for WLANs configured to use Security as WPA2 Enterprise with Authentication Server set to AP or Guest WLANs configured to use internal or external splash page with Access Type as Local User Account.

                      To create local user accounts, follow the procedure below:

                      Procedure
                        Step 1   Navigate to Wireless Settings > WLAN Users and then click on Add WLAN User button.
                        Step 2   Configure the following for the WLAN user:

                        • User Name–Enter the username

                        • Guest User–For Guest user, enable the Guest User checkbox

                        • Lifetime–For Guest User, define the user account validity. Default is 86400 seconds (or, 24 hours) from the time of its creation.

                        • WLAN Profile–Select the WLAN to which the user will connect

                        • Password–Enter the password for the user account

                        • Description–Additional details or comments for the user account

                        • Click on tickicon.

                        Adding MAC for Local MAC Filtering on WLANs

                        Cisco Mobility Express supports MAC Filtering on WLANs on controller as well as with external RADIUS. MAC addresses can be added to the controller and be either Whitelisted or Blacklisted. To add MAC addresses to the controller, follow the procedure below:

                        Procedure
                          Step 1   Navigate to Wireless Settings > WLAN Users and click on Local MAC Addresses.
                          Step 2   Click Add MAC Address.
                          Step 3   In the Add MAC Address window, configure the following:

                          • MAC Address–Enter the MAC Address of the device

                          • Description–Enter the description

                          • Type–Select whether this MAC has to be WhitleList of BlackList

                          • Profile Name–Select the WLAN to which the user will connect

                          Step 4   Click Apply.

                          WLAN Passpoint Support

                          Starting Release 8.5, Cisco Mobility Express will add support for Passpoint on WLANs. Access Points which supports IEEE 802.11u-based network information and phone client devices that are certified for WiFi Alliance's are able to work together to support the Passpoint functionality.

                          The 802.11u enabled phone client devices discover and select target AP based on the information gathered during the pre-association stage from an 802.11u-enabled AP/Cisco Mobility Express controller. A phone client device has pre-provisioned network information such as home OI Information, realm name and domain name, presented as configuration file inside the phone client device. In addition, the phone client device may obtain home network information using the IMSI data derived from the inserted SIM/USIM card.

                          The 802.11u AP provides various information listings that provide the HotSpot owner details, roaming partners, realm list, 3GPP cellular information, and domain name. The realm list also provides listings of the realm name and its associated EAP authentication type mappings. Knowing this information is essential for the phone client device so that correct EAP credential exchange may take place.

                          Through the WLAN configuration, single SSID and multiple SSID will be configured with necessary Passpoint information. This additional Passpoint information will be added on beacon or probe response information, so that Passpoint-enabled phone client device can detect and query AP to get further information. During the query process, standard protocol format called ANQP-Access Network Query Protocol-is followed. Here, the protocol describes the standard 2-way or 4-way handshake process to get enough information from the AP and ANQP server to determine the best AP that the phone client device can authenticate and associate with. This handshake process is called GAS-Generic Advertisement Service-protocol that is defined on IEEE 802.11u standard.

                          To configure Passpoint, follow the procedure below:

                          Procedure
                             Command or ActionPurpose
                            Step 1 Enable Expert View on Cisco Mobility Express. Expert View is available on the top banner of the Cisco Mobility Express WebUI as shown below. This will enable the 802.11u and Hotspot 2.0 tabs on the WLANs.  



                             
                            Step 2 To configure 802.11u and Hotspot 2.0 on WLAN, navigate to Wireless Settings > WLANs. On the Add new WLAN or Edit WLAN window, click on the 802.11u tab and Hotspot 2.0 tab to enter the relevant configuration.    
                            Step 3Click Apply.