Monday, 8 December 2014

Converged Access - post deployment notes



The technical benefits of demarcating the wireless data traffic locally are obvious and well documented, one thing that was not apparent before I did this deployment was how much extra configuration (and time) would be required!   

The configuration of the switches is split into two types, the Mobility Controller which can be a 3650, 3850, 5760, 5508 or WiSM2 and the Mobility Agent which is the default 3650 behavior.


The following tips and gotchas are well documented in Cisco release notes and configuration guides but I am highlighting them here as these were relevant to my deployment. 

Tips


  • The AP licenses (RTU) need to be added to the Mobility Controllers only.

  • Each Mobility Controller can support up to 16 Mobility Agents so more than likely need to split the site across multiple MCs.

  • Each MC points to the other MC in the Mobility Domain (same as old skool wireless).


Gotchas



  • All switches need to be running IP Base, this caught me out as pre sales had specced the 3650s with LAN Base which I needed to upgrade through the RTU licensing (reboot required).

  • The 3650 and 3850 cannot perform auto guest anchoring functionality, you need a 5760 or 5508 for that.

  • If doing web authentication without a guest anchor each 3650 or 3850 needs to be able to route to the guest client, I added a static route via the core switch so it didn’t use the regular management interface but rather the wireless management interface I added.
  • Prime Infrastructure identifies the 3650 and 3850 as both a switch and a WLAN controller, as switches consume a Lifecycle License ensure the switches are factored in along with APs for license count. 

Configuration Examples

MA and MC configuration


 aaa new-model
aaa local authentication default authorization default
!
!
aaa group server radius Customer_NPS
 server name NPS1
 server name NPS2
!
aaa authentication login default group Customer_NPS local
aaa authentication login WEB local
aaa authentication dot1x default group Customer_NPS
aaa authorization console
aaa authorization exec default group Customer_NPS local
aaa authorization network default local
aaa authorization network EAP group Customer_NPS
aaa authorization credential-download default local
aaa accounting exec default start-stop group Customer_NPS
!
aaa server radius dynamic-author
 client <NPS1 ip> server-key <removed>
 client <NPS2 ip> server-key <removed>
 auth-type any
!
ip device tracking
!
dot1x system-auth-control
!
parameter-map type webauth global
 type webauth
 virtual-ip ipv4 192.0.2.1
 banner text ^C Aircelle Guest WiFi ^C
!
parameter-map type webauth CustomWEB
 type webauth
 custom-page login device flash:webauth/webauth_login.html
 custom-page success device flash:webauth/webauth_success.html
 custom-page failure device flash:webauth/webauth_failure.html
 custom-page login expired device flash:/webauth/webauth_expired.html
!
ip ssh version 2
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan9
 description Management
 ip address x.x.x.31 255.255.255.0
!
interface Vlan222
 description "WLAN Mgmt"
 ip address x.x.y.31 255.255.255.0
!
ip default-gateway x.x.x.254
ip http server
ip http authentication aaa login-authentication default
no ip http secure-server
ip route x.x.223.0 255.255.255.0 x.x.y.254
!
snmp-server group Prime v3 priv write v1default
snmp-server enable traps all
snmp-server host <prime server> version 3 priv <removed>
!
radius server NPS1
 address ipv4 <server1 ip> auth-port 1812 acct-port 1813
 key <removed>
!
radius server NPS2
 address ipv4 <server2 ip> auth-port 1812 acct-port 1813
 key <removed>
!
wireless management interface Vlan222
wireless client fast-ssid-change
wireless client max-user-login 1
captive portal bypass
wireless rf-network WLANDOMAIN

wlan Corporate 1 WLAN_Corp
 aaa-override
 accounting-list default
 client vlan WLAN_Corp
 ip flow monitor wireless-avc-basic input
 ip flow monitor wireless-avc-basic output
 security dot1x authentication-list default
 session-timeout 1800
 no shutdown
wlan Guest 2 WLAN_Guest
 client vlan WLAN_Guest
 ip access-group web preauth_ipv4_acl
 ip flow monitor wireless-avc-basic input
 ip flow monitor wireless-avc-basic output
 no security wpa
 no security wpa akm dot1x
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 security web-auth
 security web-auth authentication-list WEB
 security web-auth parameter-map CustomWEB
 session-timeout 14400
 no shutdown
ap led
ap mgmtuser username admin password 0 <removed> secret 0 <removed>
ap country GB
ap dot11 24ghz beamforming
ap dot11 24ghz rate RATE_1M disable
ap dot11 24ghz rate RATE_2M disable
ap dot11 24ghz rate RATE_5_5M disable
ap dot11 24ghz rate RATE_6M disable
ap dot11 24ghz rate RATE_9M disable
ap dot11 24ghz rate RATE_11M mandatory
ap dot11 24ghz rate RATE_12M mandatory
ap dot11 24ghz rate RATE_18M supported
ap dot11 24ghz rate RATE_24M supported
ap dot11 24ghz rate RATE_36M supported
ap dot11 24ghz rate RATE_48M supported
ap dot11 24ghz rate RATE_54M supported
ap dot11 5ghz rrm channel dca add 100
ap dot11 5ghz rrm channel dca add 104
ap dot11 5ghz rrm channel dca add 108
ap dot11 5ghz rrm channel dca add 112
ap dot11 5ghz rrm channel dca add 116
ap dot11 5ghz rrm channel dca add 132
ap dot11 5ghz rrm channel dca add 136
ap dot11 5ghz rrm channel dca add 140
ap dot11 5ghz beamforming
ap dot11 5ghz rate RATE_6M disable
ap dot11 5ghz rate RATE_9M disable
ap dot11 5ghz rate RATE_12M mandatory
ap dot11 5ghz rate RATE_18M supported
ap dot11 5ghz rate RATE_24M supported
ap dot11 5ghz rate RATE_36M supported
ap dot11 5ghz rate RATE_48M supported
ap dot11 5ghz rate RATE_54M supported
ap dot11 5ghz channelswitch mode 1
ap group default-group
end



Additional configuration on MC
wireless mobility controller
wireless mobility controller peer-group SPG1
wireless mobility controller peer-group SPG1 member ip x.x.y.21 public-ip x.x.y.21
wireless mobility controller peer-group SPG1 member ip x.x.y.26 public-ip x.x.y.26
wireless mobility controller peer-group SPG1 member ip x.x.y.31 public-ip x.x.y.31
wireless mobility controller peer-group SPG1 member ip x.x.y.34 public-ipx.x.y.34
wireless mobility controller peer-group SPG1 member ip x.x.y.24 public-ip x.x.y.24
wireless mobility controller peer-group SPG1 member ip x.x.y.22 public-ip x.x.y.22
wireless mobility controller peer-group SPG1 member ip x.x.y.23 public-ip x.x.y.23
wireless mobility controller peer-group SPG1 member ip x.x.y.25 public-ip x.x.y.25
wireless mobility controller peer-group SPG1 member ip x.x.y.32 public-ip x.x.y.32
wireless mobility controller peer-group SPG1 member ip x.x.y.33 public-ip 1x.x.y.33
wireless mobility group member ip x.x.y.62 public-ip x.x.y.62 group WLANDOMAIN
wireless mobility group name WLANDOMAIN
 
Posted by at 1 comment:
Labels: , , , ,
Subscribe to: Posts (Atom)