Tuesday, March 4, 2014

Configuring Cisco WLAN with multiple SSIDs in different VLANs - Part 2

This is part 2/2 of the series. Part 1 discussed the assumptions and the required layer 3 switch configurations. Please read part 1 prior to reading part 2. You can view part 1 here.
======================================================================
 Note: Screenshots and configuration examples use a Cisco 2500 series WLAN controller (aka WLC). The Cisco 2500 series controller is connected to a Cisco 3750 or 3650 L3 switch. This article assumes that inter-VLAN routing is already working and only the WLAN controller needs to be configured.


======================================================================
IMPORTANT REMINDER: before you do all the configuration, note that the LWAPP image version cannot be higher than that of the WLAN controller. A quick "show version" command on both the WLC and the LWAPP will save you all the time and effort.


From LWAPP: the default username is "Cisco" and password is "Cisco": 

output of show version: 

cisco AIR-CAP702I-F-K9 (MIPS74k) processor (revision 01) with 73728K/57344K bytes of memory.
Processor board ID KWC184402C5
MIPS74k CPU at 40Mhz, revision number 0x0000
Last reset from power-on
LWAPP image version 7.5.1.33
1 Gigabit Ethernet interface

AIR-CAP means this is a Lightweight Access Point (aka a Controller-based Access Point). If it says AIR-WAP, then this is not a controller-based access point and will therefore not associate to the Controller. 

From the Controller:

(Cisco Controller) >show sysinfo

Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.4.121.0
Bootloader Version............................... 1.0.20
Field Recovery Image Version..................... 1.0.0
Firmware Version................................. PIC 16.0

In this case, configuring the WLAN controller and the LWAPP will not work: the LWAPP will not associate. We will need to either downgrade the image of the LWAPP, or upgrade the image of the WLAN Controller.
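The version check described above can be scripted so it is not skipped. The snippet below is an added example written for this post, not code from the article or from Cisco: it pulls the "LWAPP image version" line out of a constructed copy of the AP's show version output and the "Product Version" line out of a constructed copy of the controller's show sysinfo output, compares them as dotted version tuples, and applies the rule stated above (the AP image must not be newer than the controller image). The AIR-CAP model check follows the article; AIR-LAP is added as another controller-based prefix from older models.

```python
import re

# Constructed sample outputs modelled on the excerpts in this article
# (trimmed; not live captures).
AP_SHOW_VERSION = """\
cisco AIR-CAP702I-F-K9 (MIPS74k) processor (revision 01) with 73728K/57344K bytes of memory.
MIPS74k CPU at 40Mhz, revision number 0x0000
LWAPP image version 7.5.1.33
1 Gigabit Ethernet interface
"""

WLC_SHOW_SYSINFO = """\
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.4.121.0
Bootloader Version............................... 1.0.20
"""

DOTTED_VERSION = re.compile(r"\d+(?:\.\d+)+")
LIGHTWEIGHT_MODEL = re.compile(r"\bAIR-(?:CAP|LAP)\S+")


def parse_version(output, label):
    """Return the dotted version on the line starting with `label` as an int tuple."""
    for line in output.splitlines():
        if line.startswith(label):
            match = DOTTED_VERSION.search(line[len(label):])
            if match:
                return tuple(int(part) for part in match.group(0).split("."))
    raise ValueError(f"no version found after {label!r}")


def lightweight_model(ap_output):
    """Model string if the AP is a controller-based (AIR-CAP/AIR-LAP) unit, else None."""
    match = LIGHTWEIGHT_MODEL.search(ap_output)
    return match.group(0) if match else None


def ap_will_join(ap_output, wlc_output):
    """Apply the article's rule: the AP image must not be newer than the WLC image."""
    ap_ver = parse_version(ap_output, "LWAPP image version")
    wlc_ver = parse_version(wlc_output, "Product Version")
    model = lightweight_model(ap_output)
    return {
        "model": model,
        "ap_version": ap_ver,
        "wlc_version": wlc_ver,
        "compatible": model is not None and ap_ver <= wlc_ver,
    }


if __name__ == "__main__":
    result = ap_will_join(AP_SHOW_VERSION, WLC_SHOW_SYSINFO)
    if result["compatible"]:
        print("AP image is not newer than the controller; it should associate")
    else:
        print("Mismatch: downgrade the AP image or upgrade the WLC image", result)
```

With the two outputs shown in the article the check reports a mismatch (7.5.1.33 on the AP against 7.4.121.0 on the controller); paste real captures into the two strings to run it against your own hardware.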

=======================================================================

Part 2: Configure the WLAN Controller

In the first part, we discussed the Layer 3 switch configuration requirements. In case you missed it, please read the first part of this article here: Configuring Cisco WLAN with multiple SSIDs in different VLANs - Part 1

As usual, the first thing to do is plug the WLAN Controller's port 1 into the trunk-configured port in the L3 switch (discussed in part 1). Port 1 is the green colored port in the figure below.




The other 3 ports will be connected to your APs (Access Points).  For brevity, we will not discuss configuring licenses and upgrading firmware in this article.



1. Configure the Controller via the Start-up Wizard.

The first thing we need to configure is the WLAN controller's IP address, hostname, domain, etc. The others can be configured once we set up the controller via its web interface. The simplest way to do this is to use the startup wizard. You will need to attach the controller's console port to a computer and open a terminal emulator on your computer with the following serial settings:
  • 9600 baud
  • 8 data bits
  • No flow control
  • 1 stop bit
  • No parity
Power on the device. The controller will show a boot-up sequence followed by a start-up wizard asking you a series of questions. If you do not see a start-up wizard, the controller was already pre-configured. To reset the controller, use a pencil to hold down the reset button at the back of the controller for 3 seconds until the controller reboots and the start-up wizard shows up again.

The startup wizard is straightforward and self-explanatory. You will need to enter the following information:
  • System Name - the same as the hostname of the controller; 
  • Administrative User Name - the admin user name to login to device;
  • Administrative Password - admin password to login to device;
  • Management Interface IP - the IP address of this Controller. As discussed in part 1, the WLAN controller IP is 10.8.219.251 (you can change this according to your network topology).  The subnet mask is /24 or 255.255.255.0;
  • Management Interface Default Router - is the Gateway IP address. Put the IP address of the gateway which, as per part 1, is interface VLAN 219 which is 10.8.219.1;
  • Management Interface VLAN Identifier -  "0" or untagged. This is because we will be plugging the management interface (assigned to port 1) on a trunk switchport. 
  • Management Interface Port Number - the controller port number you intend to use for the management interface. We intend to make port 1 the management interface port, so put "1";
  • Management Interface DHCP Server - the IP address of your DHCP Server;
  • Virtual Gateway IP address - just use whatever default value is in there (1.1.1.1);
  • Network Name (SSID): This is the default SSID the APs will associate to when they go online. You can assign GUEST as the default SSID. Alternatively, this can be configured later;
  • Configure DHCP Bridging Mode - No;
  • Allow Static IP Address from Clients - Yes/No;
  • Configure a Radius Server? - No. For simplicity, we will not use a Radius server for dot1x authentication. You can change this later.
For the rest of the questions, just use the default value or yes. For NTP servers, you can assign an NTP server's IP address or Fully Qualified Domain Name. If you have  none, you can skip this. All the configuration settings asked can be configured or re-configured/changed later. 

Once the Start-up Wizard is complete, and the WLAN controller is already plugged to the L3 switch, we can access the controller via http or https (for security reasons, we will disallow http access to it later).

 2. Configure the Access Points.

Plug all your Access Points (APs) either to the WLAN Controller, or the L3 switch. The WLAN Controller will immediately know if the APs are powered up and add them to its database.

In case they are not "found" within the first 3 minutes, you will need to configure the APs via console. The Com1 port parameters are the same as in part 1 of this article. Once you are logged in to the console, issue the following commands:

       a. Assign an IP address to the AP via this command:

           capwap ap ip address <ip address> <subnet mask>

       b. Define the WLC controller to which the AP should attach:

           capwap ap controller ip address <ip address of controller>

       c. Define the WLC gateway (in our example, the IP address of interface VLAN 219):

           capwap ap ip default-gateway <ip address of gateway>


After these series of commands are entered, we will configure the rest via the Web GUI. Just follow the instructions below:

Configuring APs using WEB GUI: 

Login to the WLAN Controller via http://10.8.219.251 or https://10.8.219.251 (the Management Interface IP Address). Inside, go to the "Wireless" tab and configure each of the AP radios in its inventory:

 Click on AP1PH, AP2PH, AP3PH and configure them appropriately:

Access Point Configuration
In the General Tab - specify the Static IP, Netmask, AP Name, Location, AP Mode, etc. as shown in the figure below. As per part 1 of this Article, the AP IP addresses will be from 10.8.219.248 to 250.




In the Credentials Tab - leave everything unchecked (default).

In the High-Availability Tab - specify the primary controller as "this controller"


Lastly, in the Advanced Tab - configure it as shown in the picture below, except put your own country code, and check telnet and/or ssh if you wish to be able to connect directly to the AP via telnet or SSH. In the diagram below, the AP has a power injector and thus is using the power injector's MAC address. In most cases, this is automatically populated.



Once each of the APs is configured, click "Apply" in the upper right hand corner of the screen. Next we will configure "interfaces".

3. Configure Interfaces.

An interface is configured to "attach" specific WLAN Profiles to it. The interface defined identifies the VLAN association of a wireless profile. We will need to configure interfaces for VLAN 13 (IT) and VLAN 5 (GUEST).

Go to the "Controller" Tab. In there, navigate to "Interfaces". There will already be at least two interfaces configured: the "management" and "virtual" interfaces. In the picture below, I have many other interfaces configured (one for each VLAN I have) in our controller. For simplicity I erased them and show only two configured: the guest and IT interfaces.

Each interface will have an IP address. This is similar to assigning VLAN interface IP addresses in that each address must be unique (not already in use) and within the VLAN's subnet. Remember, the interface IP address is not the VLAN's default router / gateway, nor is it the IP address of any of the APs.


To create a new interface click "New" in the upper right corner (not shown in the photo above, but it's there). In the interface name, type "guest", and VLAN ID is "5" (since our Guest VLAN is 5), then click "Apply" in the upper right hand corner of the screen. You should be directed to a page like the one shown below. Put the IP address, Subnet mask, and DHCP server (we specified this in part 1):



Once completed, click "Apply". Then, repeat the configuration but this time for VLAN 13, IT. By the end of this exercise, we should have at least 4 interfaces: management, virtual, guest, and IT.

Now, we can configure our WLAN profiles:

4. Configure WLAN Profiles:

Go to "WLAN" Tab. Inside, click "Go" with "create new" shown in the dropdown list:


We will create two WLAN Profiles: GUEST, and IT. Both their SSIDs will be broadcast (seen by wireless clients such as laptops and mobile phones). First, let's create the GUEST WLAN Profile. As expected, the interface configured for GUEST is "guest", configured in step 3.


  • Profile Name - Can be anything. Let's be consistent and name it GUEST;
  • SSID - can be anything. It is the broadcasted name of the WLAN. In the example, we named it _GUEST;
  • Status - if the enabled checkbox is checked, then the WLAN is usable. If unchecked, it is configured, but unusable;
  • Security Policies - this will be configured in the security tab. 
  • Radio Policy - determines if the AP will use 802.11a, ab, b/g/n, b/g. Let's stick to "all".
  • Multicast VLAN Feature - by default this is not checked (disabled). Multicast is required for wifi users using Bonjour services (Apple TV, iTunes on the air), as well as other peer-to-peer services. Configuring Multicast VLAN features will be discussed in a separate topic.
  • Broadcast SSID - when enabled, broadcasts the SSID. Thus, wireless clients can see the SSID of this WLAN Profile. If disabled (unchecked), the SSID will not be broadcasted. Association can still be done by manually configuring the Wireless Profile in the client device. Note that SSIDs are case-sensitive.
The next step is to go to the "Security" Tab. We will configure GUEST with WPA/WPA2 authentication using a pre-shared key which you will specify. Keep the Pre-shared key secret and change it every once in a while.

The other authentication method is dot1x but we will discuss that in another post. For the meantime, we will stick with WPA/WPA2. 



When finished, click "Apply". Repeat the steps, this time creating a WLAN Profile named IT-Department with SSID IT-Dept. Use interface "IT", configured in step 3, for the IT-Department Wireless Profile. This will tell the WLAN Controller that the WLAN profile IT-Department should be in VLAN 13.
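Steps 2 through 4 reduce to a small address and VLAN plan that is easy to get wrong (which IP to give a dynamic interface is a common question, see the comments on this post). The script below is an added example written for this post, not part of the article or of Cisco's tooling. It takes the part 1 values the article uses (management VLAN 219 on 10.8.219.0/24, gateway 10.8.219.1, WLC 10.8.219.251, APs .248 to .250) plus assumed placeholder subnets for VLAN 5 and VLAN 13 (10.8.5.0/24 and 10.8.13.0/24; substitute your own), then checks the rules stated in steps 3 and 4: every dynamic interface IP sits inside its VLAN's subnet, is unique, and is neither the VLAN gateway nor an AP or controller address, and each WLAN profile points at an interface whose VLAN matches the VLAN the profile is meant to land in. It also emits the three capwap console commands from step 2 for each AP.

```python
import ipaddress
from dataclasses import dataclass

# Management VLAN values from part 1 of the article; the VLAN 5 and VLAN 13
# subnets are constructed placeholders (assumption), replace with your own.
MGMT_NET = ipaddress.ip_network("10.8.219.0/24")
MGMT_GATEWAY = ipaddress.ip_address("10.8.219.1")
WLC_IP = ipaddress.ip_address("10.8.219.251")
VLAN_NETS = {  # vlan id -> (subnet, default router / "interface VLAN" address)
    219: (MGMT_NET, MGMT_GATEWAY),
    5: (ipaddress.ip_network("10.8.5.0/24"), ipaddress.ip_address("10.8.5.1")),
    13: (ipaddress.ip_network("10.8.13.0/24"), ipaddress.ip_address("10.8.13.1")),
}


@dataclass
class Interface:       # a WLC dynamic interface, as created in step 3
    name: str
    vlan: int
    ip: str


@dataclass
class Wlan:            # a WLAN profile, as created in step 4
    profile: str
    ssid: str
    interface: str
    vlan: int          # VLAN the profile is meant to land in


def validate_plan(aps, interfaces, wlans):
    """Return a list of problems; an empty list means the plan is consistent.

    aps: {ap name: ip}, all expected in the management VLAN.
    """
    problems = []
    # Addresses that are already spoken for: the controller and every VLAN gateway
    used = {WLC_IP: "WLC management interface"}
    for net, gateway in VLAN_NETS.values():
        used[gateway] = f"gateway of {net}"

    def claim(addr, owner):
        if addr in used:
            problems.append(f"{owner}: {addr} already used by {used[addr]}")
        else:
            used[addr] = owner

    for name, ip in aps.items():
        addr = ipaddress.ip_address(ip)
        if addr not in MGMT_NET:
            problems.append(f"AP {name}: {ip} is not in {MGMT_NET}")
        claim(addr, f"AP {name}")

    by_name = {}
    for itf in interfaces:
        by_name[itf.name] = itf
        if itf.vlan not in VLAN_NETS:
            problems.append(f"interface {itf.name}: unknown VLAN {itf.vlan}")
            continue
        net, _ = VLAN_NETS[itf.vlan]
        addr = ipaddress.ip_address(itf.ip)
        if addr not in net:
            problems.append(f"interface {itf.name}: {itf.ip} is not in VLAN {itf.vlan} subnet {net}")
        claim(addr, f"interface {itf.name}")

    for wlan in wlans:
        itf = by_name.get(wlan.interface)
        if itf is None:
            problems.append(f"WLAN {wlan.profile}: interface {wlan.interface!r} does not exist")
        elif itf.vlan != wlan.vlan:
            problems.append(f"WLAN {wlan.profile}: interface {wlan.interface} is VLAN {itf.vlan}, expected {wlan.vlan}")
    return problems


def ap_console_commands(aps):
    """The three CAPWAP console commands from step 2, per AP."""
    mask = str(MGMT_NET.netmask)
    return {name: [f"capwap ap ip address {ip} {mask}",
                   f"capwap ap controller ip address {WLC_IP}",
                   f"capwap ap ip default-gateway {MGMT_GATEWAY}"]
            for name, ip in aps.items()}


if __name__ == "__main__":
    aps = {"AP1PH": "10.8.219.248", "AP2PH": "10.8.219.249", "AP3PH": "10.8.219.250"}
    interfaces = [Interface("guest", 5, "10.8.5.2"), Interface("IT", 13, "10.8.13.2")]
    wlans = [Wlan("GUEST", "_GUEST", "guest", 5), Wlan("IT-Department", "IT-Dept", "IT", 13)]
    for problem in validate_plan(aps, interfaces, wlans) or ["plan is consistent"]:
        print(problem)
    for name, cmds in ap_console_commands(aps).items():
        print(name, *cmds, sep="\n  ")
```

Giving the guest interface the gateway address 10.8.5.1 is reported as a conflict with "gateway of 10.8.5.0/24", and pointing the GUEST profile at the IT interface is reported as a VLAN mismatch, which are exactly the two mistakes the text warns about.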

5. Secure the WLAN Controller access

The last step is to change the configuration parameters of the WLAN controller. Go to Management Tab. There are a lot of options here but the basic yet important ones are as follows: 
  • Under HTTP-HTTPS (left navigation pane) - disable HTTP Access and enable HTTPS Access. Set a Web Session Timeout (the idle time after which the user is forced to log out by the system);
  • Under Mgmt Via Wireless - disable management via wireless. Access to the WLAN Controller can therefore only be done via the LAN.


Congratulations! You just configured your wifi for two SSIDs on different VLANs.

6 comments:

  1. When we create the Interface VLAN5, what IP address do we assign to that interface? The same IP address that we created in part 1, in the level 3 switch? Is there not a conflict?

    Thanks in advance.

    Philip.

    1. Hi Philip, it should not be the same IP (there will be a conflict), but of course it should be an IP in the same subnet as VLAN 5.

  2. In step 3 one screen is missing, it's very important, could you show us?

    Thanks regards.

    1. Hi Philip. I apologize for the delayed response. Was on a long Christmas Holiday. Do you have any specific questions? If yes, you can throw a specific question and I will attempt to answer it. Thanks.

    2. BTW Philip, I updated the article with an important note. Do a show version in the LWAPP (via CLI). Note that if the LWAPP's IOS image is higher than the WLAN controller's, the LWAPP will not associate. You will need to downgrade the LWAPP version, or upgrade the WLC image.

  3. For the Access Point, is the L3 switch port configuration trunk or access?

