Thursday, May 1, 2014

Anchoring for Guest Access on CT5760

Guest Anchor Configuration with WLAN / APs on both WLCs

This note captures only the configuration required to anchor one CT5760 to another CT5760. The other requirements for setting up webauth, webconsent and central web auth are covered in separate notes on each. Combine them for a full solution...

 


Anchor Controller

DHCP can be run on devices other than the WLC if desired, but if you choose to run it on the WLC for the Guest network, this basic template is useful for building it. See the configuration guide for additional options if necessary.

ip dhcp excluded-address 192.168.1.1 192.168.1.50

!

ip dhcp pool GUEST_VL296

network 192.168.1.0 /24

default-router 192.168.1.1

dns-server 8.8.8.8 4.4.4.4

lease 0 2


As with previous versions of the Wireless LAN Controllers, the foreign and anchor controllers are in different mobility domains. Below are the CLI configurations for the CT5760 to configure the mobility domains and member relationships.

 

hostname ANCHOR_CONTROLLER

wireless mobility group name ANCHOR_GROUP

wireless mobility group member ip 10.1.1.1 group FOREIGN_GROUP

 

Any WLAN that has DHCP required configured also requires DHCP snooping to be enabled on its client VLAN. If you miss this step, your client will not be able to obtain an IP address and will never get past the IPLEARN state.

 

ip dhcp snooping vlan 296

ip dhcp snooping

ip device tracking

 

The WLAN security settings need to match on both controllers, much as they did in earlier versions. This example disables the WPA and AKM settings on the WLAN and enables WebAuth with WebConsent, which presents the user with a basic Acceptable Use Policy before they join the network. (** WebConsent configuration covered in more detail in another entry)

 

wlan GUEST 1 GUEST

client vlan 296

no security wpa

no security wpa akm dot1x

no security wpa wpa2

no security wpa wpa2 ciphers aes

security web-auth

security web-auth parameter-map consent

session-timeout 1800

no shutdown

 


Foreign Controller

hostname FOREIGN_CONTROLLER

 

Mobility groups are created in a similar fashion to the earlier versions. Make sure to specify the mobility group name of the other controller on the member line, as below, rather than adding that controller to your own group.

 

wireless mobility group name FOREIGN_GROUP

wireless mobility group member ip 20.1.1.1 group ANCHOR_GROUP

 

Creating the 'dummy' client VLAN is somewhat counter-intuitive, but just pick one that is not in use and that does not have DHCP snooping enabled. Do not choose the 'wireless management interface' here.

 

wlan GUEST 1 GUEST

! Dummy VLAN: not in use, and DHCP snooping is not enabled on it

client VLAN 1

mobility anchor 20.1.1.1

no security wpa

no security wpa akm dot1x

no security wpa wpa2

no security wpa wpa2 ciphers aes

security web-auth

security web-auth parameter-map consent

session-timeout 1800

no shutdown
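
A consistency check for the anchor/foreign pair described above, as an added example rather than code from the original post: it confirms that each member line names the peer's mobility group, that DHCP snooping covers the anchor's client VLAN but not the foreign dummy VLAN, that the foreign WLAN has a mobility anchor, and that the WLAN security lines match. The sample configs are constructed from this page's templates, and the foreign sample deliberately carries the anchor's hostname where its group name belongs. `facts` and `audit` are hypothetical helper names, and one guest WLAN per config is assumed.

```python
import re

# Constructed sample configs modelled on this page's templates (not device output).
ANCHOR = """
wireless mobility group name ANCHOR_GROUP
wireless mobility group member ip 10.1.1.1 group FOREIGN_GROUP
ip dhcp snooping vlan 296
ip dhcp snooping
wlan GUEST 1 GUEST
client vlan 296
no security wpa
security web-auth
security web-auth parameter-map consent
"""
# Deliberate mistake: the member line names the anchor's hostname, not its group.
FOREIGN = """
wireless mobility group name FOREIGN_GROUP
wireless mobility group member ip 20.1.1.1 group ANCHOR_CONTROLLER
wlan GUEST 1 GUEST
client vlan 1
mobility anchor 20.1.1.1
no security wpa
security web-auth
security web-auth parameter-map consent
"""

def facts(cfg):  # extract the mobility, snooping and WLAN settings the checks compare
    lines = [l.strip() for l in cfg.splitlines() if l.strip() and not l.lstrip().startswith("!")]
    grab = lambda pat: [m.group(1) for m in (re.fullmatch(pat, l, re.I) for l in lines) if m]
    return {
        "group": grab(r"wireless mobility group name (\S+)"),
        "peers": grab(r"wireless mobility group member (?:ip )?\S+ group (\S+)"),
        "vlan": grab(r"client vlan (\d+)"),
        "snoop": grab(r"ip dhcp snooping vlan (\d+)") if grab(r"(ip dhcp snooping)") else [],
        "anchor": grab(r"mobility anchor (\S+)"),
        "sec": sorted(l.lower() for l in lines if re.match(r"(no )?security |session-timeout ", l, re.I)),
    }

def audit(anchor_cfg, foreign_cfg):  # returns findings; an empty list means the pair is consistent
    a, f = facts(anchor_cfg), facts(foreign_cfg)
    checks = [
        (a["group"] == f["group"], "anchor and foreign share one mobility group"),
        (not set(f["group"]) <= set(a["peers"]), "anchor member line does not name the foreign group"),
        (not set(a["group"]) <= set(f["peers"]), "foreign member line does not name the anchor group"),
        (not set(a["vlan"]) <= set(a["snoop"]), "anchor client VLAN lacks DHCP snooping"),
        (bool(set(f["vlan"]) & set(f["snoop"])), "foreign dummy VLAN has DHCP snooping"),
        (not f["anchor"], "foreign WLAN has no mobility anchor"),
        (a["sec"] != f["sec"], "WLAN security settings differ"),
    ]
    return [msg for bad, msg in checks if bad]
```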


 
