The technical benefits of demarcating the
wireless data traffic locally are obvious and well documented, one thing that was not apparent before I
did this deployment was how much extra configuration (and time) would be required!
The configuration of the switches is split into two types,
the Mobility Controller which can be a 3650, 3850, 5760, 5508 or WiSM2 and the Mobility
Agent which is the default 3650 behavior.
The following tips and gotchas are well documented in Cisco release notes and configuration guides but I am highlighting them here as these were relevant to my deployment.
Tips
- The AP licenses (RTU) need to be added to the Mobility Controllers only.
- Each Mobility Controller can support up to 16 Mobility Agents so more than likely need to split the site across multiple MCs.
- Each MC points to the other MC in the Mobility Domain (same as old skool wireless).
Gotchas
- All switches need to be running IP Base, this caught me out as pre sales had specced the 3650s with LAN Base which I needed to upgrade through the RTU licensing (reboot required).
- The 3650 and 3850 cannot perform auto guest anchoring functionality, you need a 5760 or 5508 for that.
- If doing web authentication without a guest anchor each 3650 or 3850 needs to be able to route to the guest client, I added a static route via the core switch so it didn’t use the regular management interface but rather the wireless management interface I added.
- Prime Infrastructure identifies the 3650 and 3850 as both a switch and a WLAN controller, as switches consume a Lifecycle License ensure the switches are factored in along with APs for license count.
Configuration Examples
MA and MC configuration
aaa new-model
aaa local authentication default authorization default
!
!
aaa group server radius Customer_NPS
server name NPS1
server name NPS2
!
aaa authentication login default group Customer_NPS local
aaa authentication login WEB local
aaa authentication dot1x default group Customer_NPS
aaa authorization console
aaa authorization exec default group Customer_NPS local
aaa authorization network default local
aaa authorization network EAP group Customer_NPS
aaa authorization credential-download default local
aaa accounting exec default start-stop group Customer_NPS
!
aaa server radius dynamic-author
client <NPS1 ip> server-key <removed>
client <NPS2 ip> server-key <removed>
auth-type any
!
ip device tracking
!
dot1x system-auth-control
!
parameter-map type webauth global
type webauth
virtual-ip ipv4 192.0.2.1
banner text ^C Aircelle Guest WiFi ^C
!
parameter-map type webauth CustomWEB
type webauth
custom-page login device flash:webauth/webauth_login.html
custom-page success device flash:webauth/webauth_success.html
custom-page failure device flash:webauth/webauth_failure.html
custom-page login expired device flash:/webauth/webauth_expired.html
!
ip ssh version 2
!
interface Vlan1
no ip address
shutdown
!
interface Vlan9
description Management
ip address x.x.x.31 255.255.255.0
!
interface Vlan222
description "WLAN Mgmt"
ip address x.x.y.31 255.255.255.0
!
ip default-gateway x.x.x.254
ip http server
ip http authentication aaa login-authentication default
no ip http secure-server
ip route x.x.223.0 255.255.255.0 x.x.y.254
!
snmp-server group Prime v3 priv write v1default
snmp-server enable traps all
snmp-server host <prime server> version 3 priv <removed>
!
radius server NPS1
address ipv4 <server1 ip> auth-port 1812 acct-port 1813
key <removed>
!
radius server NPS2
address ipv4 <server2 ip> auth-port 1812 acct-port 1813
key <removed>
!
wireless management interface Vlan222
wireless client fast-ssid-change
wireless client max-user-login 1
captive portal bypass
wireless rf-network WLANDOMAIN
wlan Corporate 1 WLAN_Corp
aaa-override
accounting-list default
client vlan WLAN_Corp
ip flow monitor wireless-avc-basic input
ip flow monitor wireless-avc-basic output
security dot1x authentication-list default
session-timeout 1800
no shutdown
wlan Guest 2 WLAN_Guest
client vlan WLAN_Guest
ip access-group web preauth_ipv4_acl
ip flow monitor wireless-avc-basic input
ip flow monitor wireless-avc-basic output
no security wpa
no security wpa akm dot1x
no security wpa wpa2
no security wpa wpa2 ciphers aes
security web-auth
security web-auth authentication-list WEB
security web-auth parameter-map CustomWEB
session-timeout 14400
no shutdown
ap led
ap mgmtuser username admin password 0 <removed> secret 0 <removed>
ap country GB
ap dot11 24ghz beamforming
ap dot11 24ghz rate RATE_1M disable
ap dot11 24ghz rate RATE_2M disable
ap dot11 24ghz rate RATE_5_5M disable
ap dot11 24ghz rate RATE_6M disable
ap dot11 24ghz rate RATE_9M disable
ap dot11 24ghz rate RATE_11M mandatory
ap dot11 24ghz rate RATE_12M mandatory
ap dot11 24ghz rate RATE_18M supported
ap dot11 24ghz rate RATE_24M supported
ap dot11 24ghz rate RATE_36M supported
ap dot11 24ghz rate RATE_48M supported
ap dot11 24ghz rate RATE_54M supported
ap dot11 5ghz rrm channel dca add 100
ap dot11 5ghz rrm channel dca add 104
ap dot11 5ghz rrm channel dca add 108
ap dot11 5ghz rrm channel dca add 112
ap dot11 5ghz rrm channel dca add 116
ap dot11 5ghz rrm channel dca add 132
ap dot11 5ghz rrm channel dca add 136
ap dot11 5ghz rrm channel dca add 140
ap dot11 5ghz beamforming
ap dot11 5ghz rate RATE_6M disable
ap dot11 5ghz rate RATE_9M disable
ap dot11 5ghz rate RATE_12M mandatory
ap dot11 5ghz rate RATE_18M supported
ap dot11 5ghz rate RATE_24M supported
ap dot11 5ghz rate RATE_36M supported
ap dot11 5ghz rate RATE_48M supported
ap dot11 5ghz rate RATE_54M supported
ap dot11 5ghz channelswitch mode 1
ap group default-group
end
Additional configuration on MC
wireless mobility controller
wireless mobility controller peer-group SPG1
wireless mobility controller peer-group SPG1 member ip x.x.y.21 public-ip x.x.y.21
wireless mobility controller peer-group SPG1 member ip x.x.y.26 public-ip x.x.y.26
wireless mobility controller peer-group SPG1 member ip x.x.y.31 public-ip x.x.y.31
wireless mobility controller peer-group SPG1 member ip x.x.y.34 public-ipx.x.y.34
wireless mobility controller peer-group SPG1 member ip x.x.y.24 public-ip x.x.y.24
wireless mobility controller peer-group SPG1 member ip x.x.y.22 public-ip x.x.y.22
wireless mobility controller peer-group SPG1 member ip x.x.y.23 public-ip x.x.y.23
wireless mobility controller peer-group SPG1 member ip x.x.y.25 public-ip x.x.y.25
wireless mobility controller peer-group SPG1 member ip x.x.y.32 public-ip x.x.y.32
wireless mobility controller peer-group SPG1 member ip x.x.y.33 public-ip 1x.x.y.33
wireless mobility group member ip x.x.y.62 public-ip x.x.y.62 group WLANDOMAIN
wireless mobility group name WLANDOMAIN
