Wireless LAN Controller (WLC)

Setting Up a Wireless LAN Controller (WLC)

Traditional roles of access points, such as association or authentication of wireless clients, are done by the WLC. Access points, called Lightweight Access Points (LAPs) in the unified environment, register themselves with a WLC and tunnel all the management and data packets to the WLCs, which then switch the packets between wireless clients and the wired portion of the network.
All configuration is done on the WLC. LAPs download the entire configuration from the WLC and act as a wireless interface to the clients. The WLC can be set up using the web browser GUI or the CLI. The CLI is commonly used to initialize a wireless LAN controller to allow for routing, monitoring and configuration from the GUI.

The GUI allows up to five users to browse simultaneously to configure parameters and monitor operational status for the controller and its associated LAPs (lightweight APs).

Welcome to the Cisco Wizard Configuration Tool
Use the '-' character to backup
System Name [Cisco_94:40:40]: WLC_VC
Enter Administrative User Name (24 characters max): cisco
Enter Administrative Password (24 characters max): *****

Management Interface IP Address: 10.6.1.50
Management Interface Netmask: 255.255.255.0
Management Interface Default Router: 10.6.1.100
Management Interface VLAN Identifier (0 = untagged): 0
Management Interface Port Num [1 to 4]: 4
Management Interface DHCP Server IP Address: 10.6.1.50

AP Manager Interface IP Address: 10.6.1.51

AP-Manager is on Management subnet, using same values
AP Manager Interface DHCP Server (10.6.1.50):

Virtual Gateway IP Address: 1.1.1.1

Mobility/RF Group Name: GroupXYZ

Network Name (SSID): WLCXYZ
Allow Static IP Addresses [YES][no]: no

Configure a RADIUS Server now? [YES][no]: no
Warning! The default WLAN security policy requires a RADIUS server.
Please see documentation for more details.

Enter Country Code (enter 'help' for a list of countries) [US]: EE

Enable 802.11b Network [YES][no]: Yes
Enable 802.11a Network [YES][no]: no
Enable 802.11g Network [YES][no]: yes
Enable Auto-RF [YES][no]: yes
Configuration saved!
Resetting system with new configuration...

Let's read the configuration now, step by step.

Welcome to the Cisco Wizard Configuration Tool
Use the '-' character to backup

System Name [Cisco_94:40:40]: WLC_VC
Enter Administrative User Name (24 characters max): cisco
Enter Administrative Password (24 characters max): *****

Management Interface IP Address: 10.6.1.50
Management Interface Netmask: 255.255.255.0
Management Interface Default Router: 10.6.1.100
Management Interface VLAN Identifier (0 = untagged): 0
Management Interface Port Num [1 to 4]: 4

This is used for in-band management. The port number is important because it must match the connection
leading from the wireless LAN controller to the network infrastructure.

Management Interface DHCP Server IP Address: 10.6.1.50

When using the wireless LAN controller's internal DHCP server, the IP address needs to match the
management interface, so the DHCP server and management address will be the same.

AP Manager Interface IP Address: 10.6.1.51

This interface is used for AP communication.

AP-Manager is on Management subnet, using same values
AP Manager Interface DHCP Server (10.6.1.50):

Virtual Gateway IP Address: 1.1.1.1

The virtual gateway provides Layer 3 features such as DHCP relay to wireless clients. This value
must match among mobility groups.

Mobility/RF Group Name: GroupXYZ

The Mobility/RF Group allows multiple wireless controllers to be clustered into one logical
controller group to allow dynamic RF adjustments and roaming for wireless clients.

Network Name (SSID): WLCXYZ
Allow Static IP Addresses [YES][no]: no

Configure a RADIUS Server now? [YES][no]: no
Warning! The default WLAN security policy requires a RADIUS server.
Please see documentation for more details.

By default, one WLAN SSID is already configured on the WLC, and it uses server-based authentication. If you skip RADIUS configuration during the startup wizard, you will see this warning. The result is a preconfigured SSID using 802.1X EAP that requires a RADIUS server although
no server is defined; this is to prevent open-authentication security vulnerabilities.

Enter Country Code (enter 'help' for a list of countries) [US]: EE

Enable 802.11b Network [YES][no]: Yes
Enable 802.11a Network [YES][no]: no
Enable 802.11g Network [YES][no]: yes
Enable Auto-RF [YES][no]: yes
Configuration saved!
Resetting system with new configuration...

After the initial configuration is done using the startup wizard, the WLC saves the configuration and
resets itself.

Another way to access the system is through the controller web interface. With it you can use your browser to access the system, view configuration details, and modify your system configuration. The first thing you must do is establish a secure connection between your browser and the WLAN controller.

After you log in, the monitor summary screen appears, including information about connected APs.
You may notice at first that you do not have an AP. The AP requires an IP address via DHCP. The AP needs it for Layer 3 LWAPP communication to the controller, and any wireless clients need one too.

Now we configure the internal DHCP server: click Controller, then Internal DHCP Server on the left side, click New in the top right, then enter a scope name.

The WLC is designed to act as a DHCP relay agent to the external DHCP server and acts like a DHCP server to the client. This is the sequence of events that occurs:

1. Generally, WLAN is tied to an interface which is configured with a DHCP server.
2. When the WLC receives a DHCP request from the client on a WLAN, it relays the request to the DHCP server with its management IP address.
3. The WLC shows its Virtual IP address, which must be a non-routable address, usually configured as 1.1.1.1, as the DHCP server to the client.
4. The WLC forwards the DHCP reply from the DHCP server to the wireless client with its Virtual IP address.

The DHCP server of the wireless controller can service only directly attached Layer 3 LWAPP APs and their associated wireless clients. Return to the monitor summary screen. If there is still no AP there, note that a LAP takes a few minutes to load its IP address, operating system, and configuration from the WLC (hence the term “lightweight AP”); the screen refreshes automatically every 30 seconds. Wait until the AP appears before proceeding. You will also notice that the 802.11a radio appears but remains down, since you did not initially enable that radio in the CLI configuration.
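The constraints stated in the walkthrough above (internal DHCP server equal to the management address, a non-routable virtual gateway, the RADIUS warning), plus a basic check that the default router sits in the management subnet, can be verified against a saved wizard transcript. The script below is an added example, not part of the original post or of any Cisco tooling; the names parse_wizard and audit and the internal_dhcp flag are hypothetical, and the sample transcript is constructed from the answers shown on this page.

```python
import ipaddress
import re

# Constructed sample: a subset of the wizard answers shown in this walkthrough.
WIZARD = """\
System Name [Cisco_94:40:40]: WLC_VC
Management Interface IP Address: 10.6.1.50
Management Interface Netmask: 255.255.255.0
Management Interface Default Router: 10.6.1.100
Management Interface DHCP Server IP Address: 10.6.1.50
Virtual Gateway IP Address: 1.1.1.1
Configure a RADIUS Server now? [YES][no]: no
Warning! The default WLAN security policy requires a RADIUS server.
"""

def parse_wizard(text):
    """Map each prompt (bracketed/parenthesised hints stripped) to its answer."""
    answers = {}
    for line in text.splitlines():
        prompt, sep, value = line.rpartition(": ")
        if sep and value.strip():
            key = re.sub(r"\s*[\[(][^\])]*[\])]", "", prompt).strip()
            answers[key] = value.strip()
    return answers

def audit(answers, internal_dhcp=True):
    """Return findings for the constraints stated in the walkthrough."""
    findings = []
    mgmt = ipaddress.ip_interface(
        answers["Management Interface IP Address"] + "/"
        + answers["Management Interface Netmask"])
    router = ipaddress.ip_address(answers["Management Interface Default Router"])
    if router not in mgmt.network:
        findings.append("default router is outside the management subnet")
    dhcp = ipaddress.ip_address(answers["Management Interface DHCP Server IP Address"])
    if internal_dhcp and dhcp != mgmt.ip:
        findings.append("internal DHCP server must equal the management address")
    # 1.1.1.1 is publicly routed address space today, so it fails this rule.
    virtual = ipaddress.ip_address(answers["Virtual Gateway IP Address"])
    if virtual.is_global:
        findings.append(f"virtual gateway {virtual} is a routable address")
    if answers["Configure a RADIUS Server now?"].lower() == "no":
        findings.append("default WLAN requires 802.1X but no RADIUS server is defined")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_wizard(WIZARD)):
        print("FINDING:", finding)
```

Run on the answers from this page, it reports the virtual gateway address and the missing RADIUS server; pass internal_dhcp=False when the scope lives on an external DHCP server.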

Configuring Security Using WiFi Protected Access-Pre-Shared Key (WPA-PSK)

In the past, security on WLANs was not a major concern. This lack of concern was, in large part, because WLANs were restrictive. We all know that WEP key encryption is not secure; therefore, the majority of new clients support WPA-PSK. Let's see how to configure the AP to operate with WPA-PSK enabled clients, using the WLC web browser GUI.

WEP key encryption is not secure enough, and WPA-PSK is the first step to improve wireless security. The next step is to enhance security by using server-based authentication. Cisco WLCs support a wide range of client-to-server authentication types. LEAP provides some unique capabilities that may be difficult to duplicate with other authentication schemes. A few of them are as follows:

* Fast, secure roaming with Cisco clients or Cisco-compatible clients
* A broad range of operating systems and devices, including Macintosh, Linux, and DOS
* Single login to a Microsoft Active Directory (AD) or Windows NT domain using Microsoft credentials


7 thoughts on “Wireless LAN Controller (WLC)”

  1. Make sure to disable or change the default WLC SNMPv2c communities and SNMPv3 user (default/default).

  2. I have configured a WLC with one LAP directly connected to POE port-8 of controller. The LAP can be seen in GUI of WLC but operational status shows DOWN. Although the radios are enabled. Any suggestion?

  3. Victor,

    This comment is not quite correct:

    The DHCP server of the wireless controller can service only directly attached layer 3 LWAPP AP and their associated wireless clients.

    ———————————————————–

    Example: My WLC that serves as a Mobility Anchor is configured as a DHCP Server – no clients are at the central site – a data center.

    However, all the clients on my Guest Network statewide use this DHCP Scope and this Anchor as a DHCP Server.

    Darby Weaver

    http://www.darbyslogs.blogspot.com
