Configuring the Controller for FlexConnect
This section provides the procedure for configuring the controller for FlexConnect. The controller configuration for FlexConnect consists of creating centrally switched and locally switched VLANs. This procedure uses the following three WLANs as examples.
| WLAN | Security | Switching | Interface Mapping (VLAN) |
|---|---|---|---|
| employee | WPA1+WPA2 | Central | management (centrally switched VLAN) |
| employee-local | WPA1+WPA2 (PSK) | Local | 101 (local switched VLAN) |
| guest-central | Web authentication | Central | management (centrally switched VLAN) |
To create a centrally switched WLAN, follow these steps. In our example, this is the first WLAN (employee).
Step 1
Choose Configure > Controllers.
Step 2
Click the desired controller in the IP Address column.
Step 3
Choose WLANs > WLAN Configuration to access the WLAN Configuration page.
Step 4
Choose Add a WLAN from the Select a command drop-down list, and click Go.
Note
Cisco access points can support up to 16 WLANs per controller. However, some Cisco access points do not support WLANs that have a WLAN ID greater than 8. In such cases, when you attempt to create a WLAN, you get a message that says “Not all types of AP support WLAN ID greater than 8, do you wish to continue?”. Clicking OK creates a WLAN with the next available WLAN ID. However, if you delete a WLAN that has a WLAN ID less than 8, then the WLAN ID of the deleted WLAN is applied to the next created WLAN.
Step 5
If you want to apply a template to this controller, choose a template name from the drop-down list. The fields populate according to how the template is set. If you want to create a new WLAN template, click the click here link to be redirected to the template creation page (see the “Configuring WLAN Templates” section).
Step 6
Modify the configuration parameters for this WLAN. In our employee WLAN example, you must choose WPA1+WPA2 from the Layer 2 Security drop-down list.
Step 7
Be sure to enable this WLAN by selecting the Status check box under General Policies.
Note
If NAC is enabled and you created a quarantined VLAN for use with this, make sure to select it from the Interface drop-down list under General Policies. Also, select the Allow AAA Override check box to ensure that the controller validates a quarantine VLAN assignment.
Step 8
Click Save to commit your changes.
Step 9
Follow these steps to create a locally switched WLAN. In our example, this is the second WLAN (employee-local).
a.
Follow the substeps in the procedure for creating a centrally switched WLAN (the first WLAN, employee, in our example) to create a new WLAN. In our example, this WLAN is named “employee-local.”
b.
Click a WLAN ID from the original WLAN page to move to a WLANs edit page. Modify the configuration parameters for this WLAN. In our employee WLAN example, you need to choose WPA1+WPA2 from the Layer 2 Security drop-down list. Make sure you choose PSK authentication key management and enter a preshared key.
Note
Make sure you enable this WLAN by selecting the Admin Status check box. Also, make sure you enable local switching by selecting the FlexConnect Local Switching check box. When you enable local switching, any FlexConnect access point that advertises this WLAN is able to locally switch data packets (instead of tunneling them to the controller).
Note
For FlexConnect access points, the interface mapping at the controller for WLANs configured for FlexConnect local switching is inherited at the access point as the default VLAN tagging. This can be easily changed per SSID and per FlexConnect access point. Non-FlexConnect access points tunnel all traffic back to the controller, and VLAN tagging is dictated by each interface mapping of the WLAN.
c.
Click Save to commit your changes.
Step 10
Follow these steps if you also want to create a centrally switched WLAN that is used for guest access. In our example, this is the third WLAN (guest-central). You might want to tunnel guest traffic to the controller so that you can exercise your corporate data policies for unprotected guest traffic from a central site.
a.
Follow the substeps in the procedure for creating a centrally switched WLAN (the first WLAN, employee, in our example) to create a new WLAN. In our example, this WLAN is named “guest-central.”
b.
In the WLANs Edit page, modify the configuration parameters for this WLAN. In our employee WLAN example, you must choose None from the Layer 2 Security and Layer 3 Security drop-down lists on the Security tab, select the Web Policy check box, and make sure Authentication is selected.
Note
If you are using an external web server, you must configure a preauthentication access control list (ACL) on the WLAN for the server and then choose this ACL as the WLAN preauthentication ACL.
c.
Make sure you enable this WLAN by selecting the Status check box.
d.
Click Save to commit your changes.
e.
If you want to customize the content and appearance of the login page that guest users see the first time they access this WLAN, follow the instructions in the “Configuring a Web Authentication Template” section.
f.
To add a local user to this WLAN, choose Configure > Controller Template Launch Pad.
g.
Choose Security > Local Net Users from the left sidebar menu.
h.
When the Local Net Users page appears, choose Add Template from the Select a command drop-down list, and click Go.
i.
Unselect the Import from File check box.
j.
Enter a username and password for the local user.
k.
From the Profile drop-down list, choose the appropriate SSID.
l.
Enter a description of the guest user account.
m.
Click Save.
Step 11
See the “Configuring an Access Point for FlexConnect” section to configure two or three access points for FlexConnect.
Configuring an Access Point for FlexConnect
This section provides instructions for configuring an access point for FlexConnect.
To configure an access point for FlexConnect, follow these steps:
Step 1
Make sure that the access point has been physically added to your network.
Step 2
Choose Configure > Access Points.
Step 3
Choose which access point you want to configure for FlexConnect by clicking it in the AP Name list. The Access Point Detail page appears.
The last field listed in the Inventory Information group box indicates whether this access point can be configured for FlexConnect. Only the 1130AG and 1240AG access points support FlexConnect.
Step 4
Verify that the AP Mode field displays FlexConnect. If it does not, continue to Step 5. If FlexConnect is showing as supported, skip to Step 9.
Step 5
Choose Configure > AP Configuration Templates > Lightweight AP or Autonomous AP.
Step 6
Choose which access point you want to configure for FlexConnect by clicking it in the AP Name list. The Lightweight AP Template Detail page appears.
Step 7
Select the FlexConnect Mode supported check box. Enabling this configuration allows you to view all profile mappings.
Note
If you are changing the mode to FlexConnect and if the access point is not already in FlexConnect mode, all other FlexConnect parameters are not applied on the access point.
Step 8
Select the VLAN Support check box and enter the number of the native VLAN on the remote network (such as 100) in the Native VLAN ID text box.
Note
By default, a VLAN is not enabled on the FlexConnect access point. When FlexConnect is enabled, the access point inherits the VLAN ID associated to the WLAN. This configuration is saved in the access point and received after the successful join response. By default, the native VLAN is 1. One native VLAN must be configured per FlexConnect access point in a VLAN-enabled domain. Otherwise, the access point cannot send and receive packets to and from the controller. When the client is assigned a VLAN from the RADIUS server, that VLAN is associated to the locally switched WLAN.
Step 9
Click the Apply/Schedule tab to save your changes.
Step 10
The Locally Switched VLANs section shows which WLANs are locally switched and provides their VLAN identifier. Click the Edit link to change the number of VLANs from which a client IP address is obtained. You are then redirected to a page where you can save the VLAN identifier changes.
Step 11
Click Save to save your changes.
Step 12
Repeat this procedure for any additional access points that need to be configured for FlexConnect at the remote site.
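The notes in the two procedures above (the WLAN count and WLAN ID limits, PSK entry, tunneling guest traffic to the controller, the preauthentication ACL, FlexConnect mode and the native VLAN) can be checked against a planned configuration before it is entered. The following Python is an added example, not Cisco code; the dictionary layout, field names, finding codes, and the names remote-ap-1, remote-ap-2 and lab are assumptions.

```python
import copy

# Constructed plan: the page's three example WLANs keyed by WLAN ID, plus one
# remote-site access point. Field names are hypothetical, not an export format.
WLANS = {
    1: {"name": "employee", "enabled": True},
    2: {"name": "employee-local", "akm": "PSK", "psk_set": True,
        "local_switching": True, "enabled": True},
    3: {"name": "guest-central", "web_auth": True, "enabled": True},
}
APS = [{"name": "remote-ap-1", "mode": "FlexConnect",
        "vlan_support": True, "native_vlan": 100}]


def audit(wlans, aps):
    """Return sorted (subject, finding) pairs; an empty list means clean."""
    out = []
    if len(wlans) > 16:                      # 16 WLANs per controller
        out.append(("controller", "more-than-16-wlans"))
    for wid, w in wlans.items():
        name = w["name"]
        if wid > 8:                          # some AP types stop at WLAN ID 8
            out.append((name, "wlan-id-above-8"))
        if not w.get("enabled"):             # Status check box left clear
            out.append((name, "wlan-disabled"))
        if w.get("akm") == "PSK" and not w.get("psk_set"):
            out.append((name, "psk-missing"))
        if w.get("web_auth") and w.get("local_switching"):
            out.append((name, "guest-not-tunneled"))  # skips central policy
        if w.get("external_web_server") and not w.get("preauth_acl"):
            out.append((name, "preauth-acl-missing"))
    local = any(w.get("local_switching") for w in wlans.values())
    for ap in aps:
        if local and ap["mode"] != "FlexConnect":
            out.append((ap["name"], "not-flexconnect"))  # all traffic tunneled
        if ap.get("vlan_support") and ap.get("native_vlan") is None:
            out.append((ap["name"], "native-vlan-missing"))
    return sorted(out)


def broken_plan():
    """Constructed misconfiguration that trips the per-WLAN and per-AP rules."""
    wlans = copy.deepcopy(WLANS)
    wlans[2]["psk_set"] = False               # PSK chosen, no key entered
    wlans[3].update(local_switching=True, external_web_server=True)
    wlans[9] = {"name": "lab", "enabled": False}
    aps = [{"name": "remote-ap-2", "mode": "Local",
            "vlan_support": True, "native_vlan": None}]
    return wlans, aps
```

Calling `audit(WLANS, APS)` on the example plan returns an empty list, while `audit(*broken_plan())` returns one finding per rule that the constructed misconfiguration violates.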
Connecting Client Devices to the WLANs
Follow the instructions for your client device to create profiles that connect to the WLANs you created in the “Configuring the Controller for FlexConnect” section.
In our example, you create three profiles on the client:
1.
To connect to the “employee” WLAN, you create a client profile that uses WPA/WPA2 with PEAP-MSCHAPV2 authentication. When the client becomes authenticated, it gets an IP address from the management VLAN of the controller.
2.
To connect to the “employee-local” WLAN, you create a client profile that uses WPA/WPA2 authentication. When the client becomes authenticated, it gets an IP address from VLAN 101 on the local switch.
3.
To connect to the “guest-central” WLAN, you create a profile that uses open authentication. When the client becomes authenticated, it gets an IP address from VLAN 101 on the network local to the access point. After the client connects, the local user types any HTTP address in the web browser. You are automatically directed to the controller to complete the web-authentication process. When the web login page appears, enter the username and password.
To see if data traffic of the client is being locally or centrally switched, choose Monitor > Devices > Clients.