Most wireless routers can operate as an access point (AP) for clients. Some add other wireless modes that can be used to extend the range, introduce multiple router/access points to the network, or bridge network segments together. Below is a summary of the different modes and their meaning: AP mode - this is the default, most common mode for all wireless routers, also called Infrastructure mode. Your router acts as an central connection point, which wireless clients can connect to. Client mode - The radio interface is used to connect the internet-facing side of the router (i.e., the WAN) as a client to a remote access point. NAT or routing are performed between WAN and LAN, like in "normal" gateway or router mode. Use this mode, e.g., if your internet connection is provided by a remote access point, and you want to connect a subnet of your own to it via Ethernet. Client Bridged mode - The radio interface is used to connect the LAN side of the router to a remote access point over Wi-Fi. The LAN and the remote AP will be in the same subnet (This is called a "bridge" between two network segments). The WAN side of the router is unused and can be disabled. Use this mode, e.g., to make the router act as a "WLAN adapter" for a device connected to one of its LAN Ethernet ports. Repeater - In general, a repeater simply regenerates a network signal in order to extend the range of the existing network infrastructure. A WLAN repeater does not physically connect by wire to any part of the network. Instead, it receives radio signals (802.11 frames) from an access point, end user device, or another repeater and retransmits the frames to client devices wirelessly. This makes it possible for a repeater located in between an access point and distant user to act as a relay for frames traveling back and forth between the user and the access point. This retransmitting of data typically halves the speed of the connection if same radios are used for both transmissions. Repeater bridge - A wireless bridge connects two LAN segments with a wireless link. The two segments are in the same subnet and look like two Ethernet switches connected by a cable to all computers on the subnet. Since the computers are on the same subnet, broadcasts reach all machines. DHCP clients in one segment can get their addresses from a DHCP server in the other segment. Ad-Hoc mode - This is for peer to peer wireless connections. Clients running in Ad-Hoc mode can connect to each other as required without involving central access points. See Also:How to set a Wireless Router as an Access Point? How to Secure your Wireless Network Before you use an AP801 or AP802 Series Lightweight Access Point with controller software release 7.0.116.0 or later releases, you must upgrade the software in the Next Generation Cisco 880 Series Integrated Services Routers (ISRs) to Cisco IOS 151-4.M or later.
When you want to use the AP801 or AP802 with a controller, you must enable the recovery image for the unified mode on the access point by entering the service-module wlan-ap 0 bootimage unified command on the router in privileged EXEC mode. If the service-module wlan-ap 0 bootimage unified command does not work, make sure that the software license is still eligible. After enabling the recovery image, enter the service-module wlan-ap 0 reload command on the router to shut down and reboot the access point. After the access point reboots, it discovers the controller, downloads the full CAPWAP or LWAPP software release from the controller, and acts as a lightweight access point.
To support CAPWAP or LWAPP, the router must be activated with at least the Cisco Advanced IP Services IOS license-grade image. A license is required to upgrade to this Cisco IOS image on the router. For licensing information, see http://www.cisco.com/c/en/us/td/docs/routers/access/sw_activation/SA_on_ISR.html. After the AP801 or AP802 boots up with the recovery image for the unified mode, it requires an IP address to communicate with the controller and to download its unified image and configuration from the controller. The router can provide DHCP server functionality, the DHCP pool to reach the controller, and setup option 43 for the controller IP address in the DHCP pool configuration. Use the following configuration to perform this task: ip dhcp pool pool_name network ip_address subnet_mask dns-server ip_address default-router ip_address option 43 hex controller_ip_address_in_hex Example: ip dhcp pool embedded-ap-pool network 60.0.0.0 255.255.255.0 dns-server 171.70.168.183 default-router 60.0.0.1 option 43 hex f104.0a0a.0a0f /* single WLC IP address(10.10.10.15) in hex format */The AP801 and AP802 802.11n radio supports lower power levels than the 802.11n radio in the Cisco Aironet 1250 series access points. The AP801 and AP802 access points store the radio power levels and passes them to the controller when the access point joins the controller. The controller uses the supplied values to limit the user’s configuration. The AP801 and AP802 access points can be used in FlexConnect mode. Page 2The local user database is limited to a maximum of 2048 entries, which is also the default value. This database is shared by local management users (including lobby ambassadors), local network users (including guest users), MAC filter entries, exclusion list entries, and access point authorization list entries. Together they cannot exceed the configured maximum value. For net user accounts or guest user accounts, the following special characters are allowed along with alphanumeric characters: ~, @, #, $, %, ^, &, (, ), !, _, -, `, ., [, ], =, +, *, :, ;, {, }, ,, /, and \. Page 3If your network contains various Cisco-licensed devices, you might want to consider using the Cisco License Manager (CLM) to manage all of the licenses using a single application. CLM is a secure client/server application that manages Cisco software licenses network wide. The license agent is an interface module that runs on the controller and mediates between CLM and the controller’s licensing infrastructure. CLM can communicate with the controller using various channels, such as HTTP, Telnet, and so on. If you want to use HTTP as the communication method, you must enable the license agent on the controller. The license agent receives requests from CLM and translates them into license commands. It also sends notifications to CLM. It uses XML messages over HTTP or HTTPS to receive the requests and send the notifications. For example, CLM sends a license install command, and the agent notifies CLM after the license expires. This section contains the following subsections: Page 4Controllers and access points have a Certificate Authority (CA) certificate that is used to sign and validate device certificates. The controller is shipped with a Cisco-installed CA certificate. This certificate may be used by EAP-FAST (when not using PACs), EAP-TLS, PEAP-GTC, and PEAP-MSCHAPv2 to authenticate wireless clients during local EAP authentication. However, if you want to use your own vendor-specific CA certificate, it must be downloaded to the controller.
Follow the instructions in this section to download CA certificates to the controller through the GUI or CLI. However, before you begin, make sure that you have a TFTP or FTP server available for the certificate download. Follow these guidelines when setting up a TFTP or FTP server:
Page 5If VLAN groups are in use, we recommend that you enable multicast VLAN to limit multicast on the air to a single copy on a predefined multicast VLAN. With VLAN select and VLAN pooling, there is a possibility that you might increase duplicate packets. With the VLAN select feature, every client listens to the multicast stream on a different VLAN. As a result, the controller creates different MGIDs for each multicast address and VLAN. Therefore, the upstream router sends one copy for each VLAN, which results, in the worst case, in as many copies as there are VLANs in the pool. Since the WLAN is still the same for all clients, multiple copies of the multicast packet are sent over the air. To suppress the duplication of a multicast stream on the wireless medium and between the controller and access points, you can use the multicast VLAN feature. Multicast optimization enables you to create a multicast VLAN which you can use for multicast traffic. You can configure one of the VLANs of the WLAN as a multicast VLAN where multicast groups are registered. Clients are allowed to listen to a multicast stream on the multicast VLAN. The MGID is generated using mulicast VLAN and multicast IP addresses. If multiple clients on the VLAN pool of the same WLAN are listening to a single multicast IP address, a single MGID is generated. The controller makes sure that all multicast streams from the clients on this VLAN pool always go out on the multicast VLAN to ensure that the upstream router has one entry for all the VLANs of the VLAN pool. Only one multicast stream hits the VLAN pool even if the clients are on different VLANs. Therefore, the multicast packets that are sent out over the air is just one stream. If the WLAN is anchored, then the interface mapping at the anchored side is used for client connections. For anchored guest WLANs, it is a best practice to use a black hole dynamic interface at the foreign controller. For more information, see https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-6/b_Cisco_Wireless_LAN_Controller_Configuration_Best_Practices.html#concept_331FB2E819654D62BC998FF00BFA3FF3 This section contains the following subsections: Page 6
Page 7
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language. Page 8IPv6 Neighbor Discovery is a set of messages and processes that determine relationships between neighboring nodes. Neighbor Discovery replaces ARP, ICMP Router Discovery, and ICMP Redirect used in IPv4. At any given time, only eight IPv6 addresses are supported per client. When the ninth IPv6 address is encountered, the controller removes the oldest stale entry and accommodates the latest one. IPv6 Neighbor Discovery inspection analyzes neighbor discovery messages in order to build a trusted binding table database, and IPv6 neighbor discovery packets that do not comply are dropped. The neighbor binding table in the controller track each IPv6 address and its associated MAC address. Clients are expired from the table according to Neighbor Binding timers. This section contains the following subsections: Page 9
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language. Page 10The controllers contain an internal DHCP server. This server is typically used in branch offices that do not already have a DHCP server. The wireless network generally contains a maximum of 10 APs or less, with the APs on the same IP subnet as the controller. The internal server provides DHCP addresses to wireless clients, direct-connect APs, and DHCP requests that are relayed from APs. Only lightweight access points are supported. When you want to use the internal DHCP server, ensure that you configure SVI for client VLAN and set the IP address as DHCP server IP address. DHCP option 43 is not supported on the internal server. Therefore, the access point must use an alternative method to locate the management interface IP address of the controller, such as local subnet broadcast, Domain Name System (DNS), or priming. Also, an internal DHCP server can serve only wireless clients, not wired clients. When clients use the internal DHCP server of the controller, IP addresses are not preserved across reboots. As a result, multiple clients can be assigned to the same IP address. To resolve any IP address conflicts, clients must release their existing IP address and request a new one. Wired guest clients are always on a Layer 2 network connected to a local or foreign controller.
Page 11
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language. Page 12This is an enhancement to the present implementation of the user idle timeout feature, which is applicable to all WLAN profiles on the controller. With this enhancement, you can configure a user idle timeout for an individual WLAN profile. This user idle timeout is applicable to all the clients that belong to this WLAN profile. You can also configure a threshold triggered timeout where if a client has not sent a threshold quota of data within the specified user idle timeout, the client is considered to be inactive and is deauthenticated. If the data sent by the client is more than the threshold quota specified within the user idle timeout, the client is considered to be active and the controller refreshes for another timeout period. If the threshold quota is exhausted within the timeout period, the timeout period is refreshed. Suppose the user idle timeout is specified as 120 seconds and the user idle threshold is specified as 10 megabytes. After a period of 120 seconds, if the client has not sent 10 megabytes of data, the client is considered to be inactive and is deauthenticated. If the client has exhausted 10 megabytes within 120 seconds, the timeout period is refreshed. This section contains the following subsections: Page 13
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language. Page 14Mobility, or roaming, is a wireless LAN client’s ability to maintain its association seamlessly from one access point to another securely and with as little latency as possible. This section explains how mobility works when controllers are included in a wireless network. When a wireless client associates and authenticates to an access point, the access point’s controller places an entry for that client in its client database. This entry includes the client’s MAC and IP addresses, security context and associations, quality of service (QoS) contexts, the WLAN, and the associated access point. The controller uses this information to forward frames and manage traffic to and from the wireless client.
The figure below shows a wireless client that roams from one local mode access point to another local mode access point when both access points are joined to the same controller. Figure 1. Intracontroller RoamingWhen the wireless client moves its association from one access point to another, the controller simply updates the client database with the newly associated access point. If necessary, new security context and associations are established as well. The process becomes more complicated, however, when a client roams from an access point joined to one controller to an access point joined to a different controller. It also varies based on whether the controllers are operating on the same subnet. The figure below shows intercontroller Layer 2 roaming, which occurs when the wireless LAN interfaces of the controllers are on the same IP subnet. Figure 2. Intercontroller Layer 2 RoamingWhen the client associates to an access point joined to a new controller, the new controller exchanges mobility messages with the original controller, and the client database entry is moved to the new controller. New security context and associations are established if necessary, and the client database entry is updated for the new access point. This process remains transparent to the user. The figure below shows intercontroller Layer 3 roaming, which occurs when the wireless LAN interfaces of the controllers are on different IP subnets. Figure 3. Intercontroller Layer 3 RoamingLayer 3 roaming is similar to Layer 2 roaming in that the controllers exchange mobility messages on the client roam. However, instead of moving the client database entry to the new controller, the original controller marks the client with an “Anchor” entry in its own client database. The database entry is copied to the new controller client database and marked with a “Foreign” entry in the new controller. The roam remains transparent to the wireless client, and the client maintains its original IP address. Page 15The controller determines the location of client devices by gathering received signal strength indication (RSSI) measurements from access points all around the client of interest. The controller can obtain location reports from up to 16 access points for clients, RFID tags, and rogue access points. Improve location accuracy by configuring the path loss measurement (S60) request for normal clients or calibrating clients by entering this command: config location plm ? where ? is one of the following:
If a client does not send probes often or sends them only on a few channels, its location cannot be updated or cannot be updated accurately. The config location plm command forces clients to send more packets on all channels. When a CCXv4 (or higher) client associates, the controller sends it a path loss measurement request, which instructs the client to transmit on the bands and channels that the access points are on (typically, channels 1, 6, and 11 for 2.4-GHz-only access points) at a configurable interval (such as 60 seconds) indefinitely. These four additional location CLI commands are available; however, they are set to optimal default values, so we do not recommend that you use or modify them:
Page 16If you enable conditional web redirect, the user can be conditionally redirected to a particular web page after 802.1X authentication has completed successfully. You can specify the redirect page and the conditions under which the redirect occurs on your RADIUS server. Conditions might include the user’s password reaching expiration or the user needing to pay his or her bill for continued usage. If the RADIUS server returns the Cisco AV-pair “url-redirect,” then the user is redirected to the specified URL upon opening a browser. If the server also returns the Cisco AV-pair “url-redirect-acl,” the specified access control list (ACL) is installed as a preauthentication ACL for this client. The client is not considered fully authorized at this point and can only pass traffic allowed by the preauthentication ACL. After the client completes a particular operation at the specified URL (for example, changing a password or paying a bill), the client must reauthenticate. When the RADIUS server does not return a “url-redirect,” the client is considered fully authorized and allowed to pass traffic.
After you configure the RADIUS server, you can then configure the conditional web redirect on the controller using either the controller GUI or CLI. Page 17Cisco TrustSec enables organizations to secure their networks and services through identity-based access control to anyone, anywhere, anytime. The solution also offers data integrity and confidentiality services, policy-based governance, and centralized monitoring, troubleshooting, and reporting services. You can combine Cisco TrustSec with personalized, professional service offerings to simplify the solution deployment and management, and is a foundational security component to Cisco Borderless Networks. The Cisco TrustSec security architecture helps build secure networks by establishing domains of trusted network devices. Each device in the domain is authenticated by its peers. Communication on the links between the devices in the domain is secured with a combination of encryption, message integrity check, and data path replay protection mechanisms. Cisco TrustSec uses a device and user credentials that are acquired during authentication for classifying the packets by security groups (SGs), as they enter the network. This packet classification is maintained by tagging packets on an ingress to the Cisco TrustSec network. This is because they can be correctly identified to apply security and other policy criteria along the data path. The tag, called the security group tag (SGT), allows the network to enforce the access control policy by enabling the endpoint device to act upon the SGT to filter traffic. Note that the Cisco TrustSec security group tag is applied only when you enable AAA override on a WLAN. One of the components of Cisco TrustSec architecture is the security group-based access control. In the security group-based access control component, access policies in the Cisco TrustSec domain are topology-independent, based on the roles (as indicated by the security group number) of source and destination devices rather than on network addresses. Individual packets are tagged with the security group number of the source. The Cisco TrustSec solution is implemented across the following three distinct phases: Client classification at ingress by a centralized policy database (Cisco ISE) and assigning unique SGT to clients based on client identity attributes such as the role and so on. Propagation of IP-to-SGT binding to neighboring devices using the SGT Exchange Protocol (SXP) or inline tagging methods or both. Security Group Access Control List (SGACL) policy enforcement. Cisco AP is the enforcement point for central or local switching (central authentication). For more information about deploying the Cisco TrustSec solution, see the Wireless TrustSec Deployment Guide at: Cisco devices use the SGT Exchange Protocol (SXP) to propagate SGTs across network devices that do not have any hardware support for Cisco TrustSec. The SXP is the software solution to eliminate the need for upgrade of Cisco TrustSec hardware on all Cisco switches. Controller supports the SXP as part of the Cisco TrustSec architecture. The SXP sends SGT information to the Cisco TrustSec-enabled switches so that appropriate role-based access control lists (RBAC lists) can be activated. This depends on the role information present in the SGT. To implement the SXP on a network, only the egress distribution switch has to be Cisco TrustSec-enabled. All the other switches can be non-Cisco TrustSec-capable switches. The SXP runs between the access layer and the distribution switch or between two distribution switches. The SXP uses TCP as the transport layer. Cisco TrustSec authentication is performed for the host (client) joining the network on the access layer switch. This is similar to an access switch with the hardware that is enabled with Cisco TrustSec. The access layer switch is not Cisco TrustSec hardware enabled. Therefore, data traffic is not encrypted or cryptographically authenticated when it passes through the access layer switch. The SXP is used to pass the IP address of the authenticated device, which is a wireless client and the corresponding SGT up to the distribution switch. If the distribution switch is a hardware that is enabled with Cisco TrustSec, the switch inserts the SGT into the packet on behalf of the access layer switch. If the distribution switch is not a hardware that is enabled with Cisco TrustSec, the SXP on the distribution switch passes the IP-SGT mapping to all the distribution switches that have the Cisco TrustSec hardware. On the egress side, the enforcement of the RBAC lists occurs at the egress L3 interface on the distribution switch. The following are some guidelines for Cisco TrustSec SXP: The SXP is supported only on the following security policies: WPA2-dot1x WPA-dot1x MAC filtering using RADIUS servers Web authentication using RADIUS servers for user authentication The SXP is supported for both IPv4 and IPv6 clients. By default, the controller always works in the Speaker mode. From Release 8.3, the SXP on the controller is supported for both centrally and locally switched networks. It is possible to do IP-SGT mapping on the WLANs as well for clients that are not authenticated by Cisco ISE. From Release 8.4, SXPv4 is supported in FlexConnect mode APs. For more information about Cisco TrustSec, see http://www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/index.html. Cisco TrustSec environment data is a set of information or attributes that helps controller to perform Cisco TrustSec-related functions. The controller acquires the environment data from the authentication server (Cisco ISE) when the controller first joins a Cisco TrustSec domain by sending a secure RADIUS Access request. The authentication server returns a RADIUS Access-Accept message with attributes, including environment expiry timeout attributes. This is the time interval that controls how often the Cisco TrustSec device must refresh its environment data. A Security Group is a group of users, endpoint devices, and resources that share access control policies. Security groups are defined by the administrator in the Cisco ISE. As new users and devices are added to the Cisco TrustSec domain, the authentication server assigns these new entities to the appropriate security groups. Cisco TrustSec assigns each of the security group a unique 16-bit number whose scope is global in a Cisco TrustSec domain. The number of security groups in a wireless device is limited to the number of authenticated network entities. You do not have to manually configure the security group numbers. After a device is authenticated, the Cisco TrustSec tags any packet that originates from that device with an SGT that contains the security group number of the device. The packet carries this SGT everywhere in the network, in the Cisco TrustSec header. As the SGT contains the security group of the source, the tag can be referred to as the source SGT (S-SGT). The destination device is also assigned to a security group (destination SG) that can be referred to as the destination SGT (D-SGT), although the Cisco TrustSec packet does not contain the security group number of the destination device. You can control the operations that users can perform based on the security group assignments of users and destination resources, using the Security Group Access Control Lists (SGACLs). Policy enforcement in a Cisco TrustSec domain is represented by a permission matrix, with the source security group on one axis and destination security group numbers on the other axis. Each cell in the matrix body contains an ordered list of SGACLs, which specifies the permissions that must be applied to packets originating from the source security group and destined for the destination security group. When a wireless client is authenticated, it downloads all the SGACLs in the matrix cells. When a wireless client connects to the network, the client pushes all the ACLs to the controller. This figure shows an example of a Cisco TrustSec permission matrix with three defined user roles, one defined destination resource, and three SGACL policies that control access to the destination server based on the user roles. Cisco TrustSec achieves role-based topology-independent access control in a network by assigning users and devices in the network to security groups and applying access control between the security groups. The SGACLs define access control policies based on the device identities. As long as the roles and permissions remain the same, changes to the network topology do not change the security policy. When a user is added to the wireless group, you simply assign the user to an appropriate security group and the user immediately receives permissions to that group. The size of ACLs is reduced and their maintenance is simplified with the use of role-based permissions. With Cisco TrustSec, the number of Access Control Entities (ACEs) configured is determined by the number of permissions that are specified, resulting in a much smaller number of ACEs. By default, the following predefined SGACL policies are downloaded: Default policy—This is applied when source and destination SGTs are available, but SGACLs are not defined for a cell or column. Unknown policy—This is applied when the source SGT is unknown. You can use the session group named Unknown and apply the unknown policy on that traffic. The following are examples of SGACLs that are on Cisco ISE and downloaded on a controller and tested: Generic SGACL Web_SGACL permit tcp dst eq 80 permit tcp dst eq 443 PCI_Servers_SGACL deny tcp dst eq 4444 deny tcp dst eq 4446 deny tcp dst eq 443 PCI_Zone_SGACL deny tcp dst eq 4444 deny tcp dst eq 4446 deny tcp dst eq 443 Deny_SSH_RDP_Telnet_SGACL deny tcp dst eq 23 deny tcp dst eq 23 deny tcp dst eq 3389 permit ip Deny_JumpHost_Protocols deny tcp dst eq 23 deny tcp dst eq 23 deny tcp dst eq 3389 permit ipAnti-Malware SGACLs
Collaboration SGACLs
Inline tagging is a transport mechanism using which a controller or a Cisco AP understands the source SGT. Transport mechanism is of two types:
With wireless Cisco TrustSec enabled on the controller, the choice of enabling and configuring SXP to exchange tags with the switches is optional. Both wireless Cisco TrustSec and SXP modes are supported; however, there is no use case to have both wireless Cisco TrustSec on AP and SXP to be in the enabled state concurrently. Cisco TrustSec access control is implemented using ingress tagging and egress enforcement. At the ingress point to the Cisco TrustSec domain, the traffic from the source is tagged with an SGT containing the security group number of the source entity. The SGT is propagated across the domain with the traffic. At the egress point of the Cisco TrustSec domain, an egress device uses the source SGT (S-SGT) and the security group of the destination entity (D-SGT) to determine the access policy to apply from the SGACL policy matrix. You can apply policy enforcement to both central and local switched traffic on an AP. If wired clients communicate with wireless clients, the Cisco AP enforces the downstream traffic. If wireless clients communicate with wired clients, the Cisco AP enforces the upstream traffic. This way, the Cisco AP enforces traffic in both downstream and wireless-to-wireless traffic. You require S-SGT, D-SGT, and ACLs for enforcement to work. Cisco APs get the SGT information for all wireless clients from the information available on the Cisco ISE server.
Configuring Cisco TrustSec Cisco TrustSec Credentials Monitoring Environment Data Configuring a Static Security Group Tag on a WLAN Configuring Inline Tagging Verifying SGACL Policy Download Configuring Policy Enforcement Page 18The Allow Authentication, Authorization, Accouting (AAA) Override option of a WLAN enables you to configure the WLAN for authentication. It enables you to apply VLAN tagging, QoS, and ACLs to individual clients based on the returned RADIUS attributes from the AAA server. AAA overrides for FlexConnect access points introduce a dynamic VLAN assignment for locally switched clients. AAA overrides for FlexConnect also support fast roaming (Opportunistic Key Caching [OKC]/ Cisco Centralized Key management [CCKM]) of overridden clients. VLAN overrides for FlexConnect are applicable for both centrally and locally authenticated clients. VLANs can be configured on FlexConnect groups. If a VLAN on the AP is configured using the WLAN-VLAN, the AP configuration of the corresponding ACL is applied. If the VLAN is configured using the FlexConnect group, the corresponding ACL configured on the FlexConnect group is applied. If the same VLAN is configured on the FlexConnect group and also on the AP, the AP configuration, with its ACL takes precedence. If there is no slot for a new VLAN from the WLAN-VLAN mapping, the latest configured FlexConnect group VLAN is replaced. If the VLAN that was returned from the AAA is not present on the AP, the client falls back to the default VLAN configured for the WLAN. Before configuring a AAA override, the VLAN must be created on the access points. These VLANs can be created by using the existing WLAN-VLAN mappings on the access points, or by using the FlexConnect group VLAN-ACL mappings. In order to support centralized access control through a centralized AAA server such as the Cisco Identity Services Engine (ISE) or ACS, the IPv6 ACL can be provisioned on a per-client basis using AAA Override attributes. In order to use this feature, the IPv6 ACL must be configured on the controller and the WLAN must be configured with the AAA Override feature enabled. The AAA attribute for an IPv6 ACL is Airespace-IPv6-ACL-Name similar to the Airespace-ACL-Name attribute used for provisioning an IPv4-based ACL. The AAA attribute-returned contents should be a string that is equal to the name of the IPv6 ACL as configured on the controller. You can have AAA overrides for FlexConnect APs to dynamically assign QoS levels and/or bandwidth contracts for both locally switched traffic on web-authenticated WLANs and 802.1X-authenticated WLANs. There is an option to select the downstream rate limit through the QoS profile page. Users that already make use of QoS profiles functionality have additional granularity and capabilities. The trade-off with configuring the rate limits under the QoS profile is that there are only four QoS profiles available. Thus, there are only four sets of configuration options to use. Also, because the QoS profile is applied to all clients on the associated SSID, all clients connected to the same SSID will have the same rate limited parameters. Important Guidelines Rate limiting is supported for APs in Local and FlexConnect mode (both Central and Local switching). When the controller is connected and central switching is used, the controller handles the downstream enforcement of per-client rate limit only. APs handle the enforcement of the upstream traffic and per-SSID rate limit for downstream traffic. For the locally switched environment, both upstream and downstream rate limits will be enforced on the AP. The enforcement on the AP will take place in the dot11 driver. This is where the current classification exists. In both directions, per-client rate limit is applied/checked first and per-SSID rate limit is applied/checked second. On virtual controller platforms, per-client downstream rate limiting is not supported in FlexConnect central switching. The WLAN rate limiting will always supercede the global QoS setting for WLAN and user. Rate limiting works only for TCP and UDP traffic. Other types of traffic (IPSec, GRE, ICMP, CAPWAP, etc) cannot be limited. Using AVC rule, you can limit the bandwidth of a particular application for all the clients joined on the WLAN. These bandwidth contracts coexist with per-client downstream rate limiting. The per-client downstream rate limits takes precedence over the per-application rate limits. Bidirectional rate limiting (BDRL) configuration in a mobility Anchor-Foreign setup needs to be done both on Anchor and Foreign controller. As a best practice, we recommend that you do identical configuration on both the controllers to avoid breakage of any feature. Per WLAN BDRL is supported on these currently supported Cisco Wave1 APs: 1600, 2600, 3600, 1700, 2700, 3700, and 3500. For information about BDRL support on Cisco Wave 2 APs, see the FlexConnect Feature Matrix section in the Feature Matrix for Cisco Wave 2 Access Points and Wi-Fi 6 (802.11ax) Access Points. BDRL is not supported in mesh platforms. On Cisco Virtual Wireless Controller (vWLC), per-client downstream rate limiting is not supported in FlexConnect central switching. In Release 8.5, in anchor-foreign scenario with Cisco Wave 2 APs, only per-client downstream works. The per-client upstream, per-SSID downstream, and per-SSID upstream are not supported. However, all of these are supported in Cisco Wave 1 APs. In Release 8.8 and later releases, in anchor-foreign scenarios with Cisco Wave 2 and 802.11ax APs, all of per-client upstream and downstream and per-SSID upstream and downstream are supported, provided that the configuration is the same in both and anchor and foreign controllers. Related Documentation: Wireless Bi-Directional Rate Limiting Deployment Guide This section contains the following subsections:
Page 19When an access point boots up, it looks for a controller. If it finds one, it joins the controller, downloads the latest software image and configuration from the controller, and initializes the radio. It saves the downloaded configuration in nonvolatile memory for use in standalone mode.
A FlexConnect access point can learn the controller IP address in one of these ways:
When a FlexConnect access point can reach the controller (referred to as the connected mode), the controller assists in client authentication. When a FlexConnect access point cannot access the controller, the access point enters the standalone mode and authenticates clients by itself.
When a client associates to a FlexConnect access point, the access point sends all authentication messages to the controller and either switches the client data packets locally (locally switched) or sends them to the controller (centrally switched), depending on the WLAN configuration. With respect to client authentication (open, shared, EAP, web authentication, and NAC) and data packets, the WLAN can be in any one of the following states depending on the configuration and state of controller connectivity:
When a FlexConnect access point enters standalone mode, WLANs that are configured for open, shared, WPA-PSK, or WPA2-PSK authentication enter the “local authentication, local switching” state and continue new client authentications. In controller software release 4.2 or later releases, this configuration is also correct for WLANs that are configured for 802.1X, WPA-802.1X, WPA2-802.1X, or Cisco Centralized Key Management, but these authentication types require that an external RADIUS server be configured. You can also configure a local RADIUS server on a FlexConnect access point to support 802.1X in a standalone mode or with local authentication. Other WLANs enter either the “authentication down, switching down” state (if the WLAN was configured for central switching) or the “authentication down, local switching” state (if the WLAN was configured for local switching). When FlexConnect access points are connected to the controller (rather than in standalone mode), the controller uses its primary RADIUS servers and accesses them in the order specified on the RADIUS Authentication Servers page or in the config radius auth add CLI command (unless the server order is overridden for a particular WLAN). However, to support 802.1X EAP authentication, FlexConnect access points in standalone mode need to have their own backup RADIUS server to authenticate clients.
You can configure a backup RADIUS server for individual FlexConnect access points in standalone mode by using the controller CLI or for groups of FlexConnect access points in standalone mode by using either the GUI or CLI. A backup server configured for an individual access point overrides the backup RADIUS server configuration for a FlexConnect. When web-authentication is used on FlexConnect access points at a remote site, the clients get the IP address from the remote local subnet. To resolve the initial URL request, the DNS is accessible through the subnet's default gateway. In order for the controller to intercept and redirect the DNS query return packets, these packets must reach the controller at the data center through a CAPWAP connection. During the web-authentication process, the FlexConnect access points allows only DNS and DHCP messages; the access points forward the DNS reply messages to the controller before web-authentication for the client is complete. After web-authentication for the client is complete, all the traffic is switched locally.
When a FlexConnect access point enters into a standalone mode, the following occurs:
If the access point fails to establish the ARP, the following occurs:
Once the access point reestablishes a connection with the controller, it disassociates all clients, applies new configuration information from the controller, and allows client connectivity again. Page 20
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language. Page 21 The 802.11ac radio module for the Cisco Aironet 3600 Series access point and Cisco Aironet 3700 Series access point provides enterprise-class reliability and wired-network-like performance. It supports three spatial streams and up to 160 MHz-wide channels for a maximum data rate of 2.5 Gbps. The 802.11ac radio in slot 2 is a subordinate radio for which you can configure specific parameters. Because the 802.11ac is a subordinate radio, it inherits many properties from the main 802.11a/n radio on slot 1. The parameters that you can configure for the 802.11ac radio are as follows: Admin status—Interface status of the radio that you can enable or disable. By default, the Admin status is in an enabled state. If you disable 802.11n, the 802.11ac radio is also disabled. Channel width—You can choose the RF channel width as 20 MHz, 40 MHz, 80 MHz, or 160 MHz. If you choose the channel width as 160 MHz, you must enable the 802.11ac mode on the High Throughput page. The 11ac Supported field is a nonconfigurable parameter that appears for the 802.11ac subordinate radio in slot 2. When the Cisco Aironet 3600 Series access point with 802.11ac radio module is in unsupported mode such as Monitor and Sniffer, Admin Status and Channel Width will not be configured. This section provides instructions to manage 802.11ac devices such as the Cisco Aironet 3600 Series Access Points and Cisco Aironet 3700 Series Access Point on your network. With default AP group—Only WLAN IDs 1 to 8 are advertised on the 5-GHz radios; there is no limit on the 2.4-GHz radios. With user-defined AP group—Only the first 8 WLAN IDs are advertised on the 5-GHz radios regardless of the ID number; there is no limit on the 2.4-GHz radios. Changing the 802.11n radio channel also changes the 802.11ac channels. On the Cisco WLC GUI, the 802.11ac clients that are connected to the 802.11n radio are displayed 802.11an clients, and the 802.11ac clients that are connected to the 802.11ac radio are displayed as 802.11ac clients. Ensure that your WLAN has WMM enabled and open or WPA2/AES for 802.11ac to be supported. Otherwise, the speed of 802.11ac is not available, even on 802.11ac clients. For more information about the 802.11ac module on the Cisco Aironet 3600 Series access point, see http://www.cisco.com/c/en/us/products/wireless/aironet-3600-series/relevant-interfaces-and-modules.html. The 802.11ac Wave 2 introduces additional capabilities beyond what were added with Wave 1. It utilizes MU-MIMO technology and other advancements to help increase wireless performance for applications such as HD video streaming. Wave 2 provides better RF efficiency that Wave 1 provides, in addition to a number of other features that further improve wireless connectivity. MU-MIMO is short for Multi-User, Multiple-Input, Multiple-Output. MU-MIMO is an enhanced form of the MIMO technology that enables multiple independent radio terminals to access a system. With 802.11n or 802.11ac Wave 1, an access point can transmit multiple spatial streams at the same time, but only directed to a single wireless client. This means only a single device gets data at a time. This is referred to as single-user MIMO (SU-MIMO). 802.11ac Wave 2 allows for MU-MIMO, which enables multiple users to simultaneously receive data from the AP simultaneously using the same channel. With MU-MIMO a Wave 2 capable access point is able to use its antenna resources to transmit to multiple clients, all at the same time and over the same channel. MU-MIMO is used in the downstream direction and requires the wireless clients to also be Wave 2 capable. 802.11ac Wave 2 allows for up to eight spatial streams. However, initial Wave2 implementations will only increase the number of spatial streams from 3 to 4 as compared to Wave 1 implementations. The support of an additional spatial stream allows for additional increased performance as compared to 3 SS APs. For more information on these technologies, see the following documents on Cisco.com: The AP 1850 supports standards-based Explicit Compressed Beamforming Feedback (ECBF) as defined in the 802.11ac standards. With ECBF the client provides estimates of the wireless channel conditions to the access point. As these are based on explicit channel measurements from the client, both the AP and the client must support it. For 802.11ac, the access point’s ECBF is typically referred to as Transmit Beamforming or TxBF for short. While both TxBF and ClientLink 3.0 improve the performance of wireless client devices, ClientLink3.0 provides an additional advantage over TxBF. ClientLink3.0 technology does not depend on any client-side hardware or software capabilities and operates seamlessly in mixed-mode environments where 802.11ac and 802.11a/n clients coexist on the same access point. In comparison, TxBF requires client-side support to take advantage of the performance improvements of beamforming and therefore benefits only 802.11ac clients that support TxBF. The Cisco 1850 AP supports TxBF but not beamforming to legacy client devices. Therefore, Cisco 1850 AP does not support ClientLink 3.0. You can disable TxBF only on the APs that support ClientLink 1.0. It cannot be disabled on the APs that supports ClientLink 2.0 and above. The 802.11ac module is supported only on the following access points: 1700 1800 2700 2800 3600 3700 3800 The 802.11ac module is turned off if the built-in 5-GHz radio is turned off. You must ensure that the configuration of the channel, power values, and the mode of the 802.11ac module is the same as those of the built-in 5-GHz radio on the AP. Also, the 802.11ac module serves only 802.11ac clients. The 802.11ac module main channel cannot be changed individually. This 802.11ac support is applicable only to the following controller platforms:
Controllers do not support High availability for 802.11ac modules. The 802.11ac configuration (802.11ac Data Rates and 802.11ac Global mode) on the controller is not synchronized with the standby controller. This might result in client throughput fluctuations and reassociations when you explicitly disable those configurations on the active controller. In addition, the 802.11ac Global mode configuration controls whether the radio module is enabled. If 802.11ac Global mode is enabled on one controller but not on another, the 802.11ac module might be disabled if the access point associates with a controller on which 802.11ac Global mode is disabled. When changing AP from static to auto channel assignment, by default AP moves to best possible bandwidth supported by the radio and a valid channel. Channel number and width assignment may be suboptimal until next DCA cycle gets started. SSIDs with TKIP and SSIDs with TKIP+AES are not enabled on the 802.11ac radios. Therefore, all the 5-GHz clients are expected to associate with the 802.11n radios. Page 22Cisco Wireless Release 8.4 provides the Parallel Redundancy Protocol (PRP) enhancement to improve wireless network availability for wired clients behind Workgroup Bridge (WGB), and improve the roaming performance by allowing wired clients to have dual wireless connections. PRP allows a data communication network to prevent data transmission failures by providing two alternate paths for the traffic to reach its destination. Two Ethernet networks (LANs) with similar topology are completely separated. A device that requires protection for data across the network connects to the two independent networks (LAN-A and LAN-B) is called a Dual Attached Node implementing PRP (DANP). A DANP source sends two frames simultaneously on both LANs. A DANP destination receives both frames and discards the duplicating. If one LAN fails, a DANP destination can still receive a frame from the other LAN. Non-redundant endpoints in the network that attach only to either LAN-A or LAN-B are known as Singly Attached Nodes (SANs). A Redundancy Box (RedBox) is used when a single interface node must be attached to both networks. Such a node can communicate with all other nodes. The switch implements RedBox functionality is a PRP switch. To implement the PRP function for this release, you need to connect the AP and WGB to a PRP switch. The PRP switch is to offload PRP processing. AP or WGB is to keep dual wireless connections. You can have two WGBs interconnected through an external PRP switch and wirelessly connected to a single fixed AP or two fixed APs. Two WGBs can roaming between APs. Redundant packet transmissions can be supported over either single or both 2.4 GHz and 5 GHz. The infrastructure side also needs a PRP switch for AP side. For the application where both WGBs may roam at the same time, the roaming coordination feature is introduced to avoid roaming gaps and guarantee staggered roaming. In this release, only dual radio links roaming coordination across two WGBs is supported for roaming coordination. Supported platforms and AP mode:
General guidelines for this configuration:
The following figure shows a topology of concurrent wireless transmission via two WGBs paired with one PRP switch, commonly used in train transportation. On the train side, the PRP switch (in this example, Cisco IE2000U) duplicates upstream packets and sends both packets simultaneously via two different ports, Gi0/1 and Gi0/2. The dual packets will pass from different WGBs or APs, to ensure that at least one packet reaches the destination. On the track side, one more PRP switch is added to each aggregating endpoint along the track. The PRP switch on the track side will remove the duplicating for upstream packets. The same redundancy for downstream packet is also available by the pair of PRP switches.
To enable or disable PRP on a WLAN (new command): (Cisco Controller)> config wlan wgb prp {enable|disable} <wlan id> enable Enable Parallel Redundancy Protocol (PRP) feature on a WLAN disable Disable Parallel Redundancy Protocol (PRP) feature on a WLAN
This CLI will enable two WLANs to allow dual associations in flex-connect mode. It will also enable the AP to forward packets to or from WGB wired clients with double tags in flex-connect mode.
For Parallel Redundancy Protocol (PRP), wired client traffic will be duplicated to transmit in dual radio links in two WGBs. Dual radio links without any radio link coordination have the possibility to trigger roaming at the same time, so that the traffic will be broken in a short window time. The following figure is a typical PRP scenario of train transportation. AP like IW3702 has two physical Ethernet ports. Gig0 will be exclusively used to bridge PRP traffic. Gig1 will be used for internal communication. Gig 1 will connect to a non-PRP port on the PRP switch or connect to a peer Gig1 port directly. Figure 9. Peer Link Between Two WGBsFollow these steps to configure dual radio coordination on two WGBs:
Follow these steps to configure the wireless controller for FlexConnect:
Page 23
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language. Page 24You can configure the controller to allow a Cisco Wave 1 (IOS-based) FlexConnect AP in standalone mode to perform LEAP, EAP-FAST, PEAP, or EAP-TLS authentication for up to 100 statically configured users. The controller sends the static list of usernames and passwords to each FlexConnect access point when it joins the controller. Each access point in the group authenticates only its own associated clients.
This feature is ideal for customers who are migrating from an autonomous access point network to a lightweight FlexConnect access point network and are not interested in maintaining a large user database or adding another hardware device to replace the RADIUS server functionality available in the autonomous access point.
You have to provision a certificate to the AP because the AP has to send the certificate to the client. You must download the Vendor Device Certificate and the Vendor Certification Authority Certificate to the controller. The controller then pushes these certificates to the AP. If you do not configure a Vendor Device Certificate and the Vendor CA Certificate on the controller, the APs associating with the FlexConnect group download the self-signed certificate of the controller, which may not be recognized by many wireless clients. With EAP-TLS, AP does not recognize and accept client certificate if the client root CA is different from the AP root CA. When you use Enterprise public key infrastructures (PKI), you must download a Vendor Device Certificate and Vendor CA Certificate to the controller so that the controller can push the certificates to the AP in the FlexConnect group. Without a common client and AP root CA, EAP-TLS fails on the local AP. The AP cannot check an external CA and relies on its own CA chain for client certificate validation. The space on the AP for the local certificate and the CA certificate is around 7 Kb, which means that only short chains are adapted. Longer chains or multiple chains are not supported.
For information about the number of FlexConnect groups and access point support for a Cisco WLC model, see the data sheet of the respective Cisco WLC model. Page 25
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language. Page 26Band select enables client radios that are capable of dual-band (2.4 and 5-GHz) operations to move to a less congested 5-GHz access point. The 2.4-GHz band is often congested. Clients on this band typically experience interference from Bluetooth devices, microwave ovens, and cordless phones as well as co-channel interference from other access points because of the 802.11b/g limit of 3 nonoverlapping channels. To prevent these sources of interference and improve overall network performance, configure band selection on the controller. Band select works by regulating probe responses to clients and it can be enabled on a per-WLAN basis. It makes 5-GHz channels more attractive to clients by delaying probe responses to clients on 2.4-GHz channels. In an access point, the band select table can be viewed by running the show dot11 band-select command. It can also be viewed by running the show cont d0/d1 | begin Lru command. The band select algorithm affects clients that use 2.4-GHz band. Initially, when a client sends a probe request to an access point, the corresponding client probe’s Active and Count values (as seen from the band select table) become 1. The algorithm functions based on the following scenarios: Scenario1: Client RSSI (as seen from the show cont d0/d1 | begin RSSI command output) is greater than both Mid RSSI and Acceptable Client RSSI. Dual-band clients: No 2.4-GHz probe responses are seen at any time; 5-GHz probe responses are seen for all 5-GHz probe requests. Single-band (2.4-GHz) clients: 2.4-GHz probe responses are seen only after the probe suppression cycle. After the client’s probe count reaches the configured probe cycle count, the algorithm waits for the Age Out Suppression time and then marks the client probe’s Active value as 0. Then, the algorithm is restarted. Scenario2: Client RSSI (as seen from show cont d0/d1 | begin RSSI ) lies between Mid-RSSI and Acceptable Client RSSI. All 2.4-GHz and 5-GHz probe requests are responded to without any restrictions. This scenario is similar to the band select disabled. Band selection-enabled WLANs do not support time-sensitive applications such as voice and video because of roaming delays. Mid-RSSI is unsupported on Cisco Aironet 1600 Series APs. Band selection is unsupported on Cisco Aironet 1040, OEAP 600 Series APs. Band selection is unsupported on Cisco Aironet 1040, OEAP 600 Series APs. Band selection operates only on access points that are connected to a controller. A FlexConnect access point without a controller connection does not perform band selection after a reboot. The band-selection algorithm directs dual-band clients only from the 2.4-GHz radio to the 5-GHz radio of the same access point, and it only runs on an access point when both the 2.4-GHz and 5-GHz radios are up and running. You can enable both band selection and aggressive load balancing on the controller. They run independently and do not impact one another. It is not possible to enable or disable band selection and client load balancing globally through the controller GUI or CLI. You can, however, enable or disable band selection and client load balancing for a particular WLAN. We recommend that you do not use Band Select in high-density areas such as stadiums. |