WLC configuration

WLC controller configuration

WLC functionality can be activated on the ESR-15 and ESR-3200 service routers by following the instructions.

Configuration algorithm

Step

Description

Command

Keys

1

Configure local RADIUS server and enter its configuration mode.

wlc(config)# radius-server local

wlc(config-radius)#

2 Enable local RADIUS server. wlc(config-radius)# enable

3

Add NAS and enter its configuration mode.

wlc(config-radius)# nas <NAME>

wlc(config-radius-nas)#

<NAME> – NAS name, specified by a string of up to 235 characters.

4

Specify the authentication key.

wlc(config-radius-nas)# key ascii-text { <KEY> | encrypted <ENCRYPTED-KEY> }

<KEY> – a string of [4..64] ASCII characters;

<ENCRYPTED-KEY> – encrypted key, specified by a string of [8..128] characters.

5 Specify the network. wlc(config-radius-nas)# network <ADDR/LEN> <ADDR/LEN> – IP address and subnet mask, specified as AAA.BBB.CCC.DDD/EE, where each part of AAA – DDD takes values [0..255] and EE takes values [1..32].

6 Create a domain. wlc(config-radius)# domain <NAME> <NAME> – domain ID, specified by a string of up to 235 characters.

7

Configure virtual RADIUS server and enter its configuration mode.

wlc(config-radius)# virtual-server <NAME>

wlc(config-radius-vserver)#

<NAME> – virtual RADIUS server name, specified by a string of up to 235 characters.

8 Enable virtual RADIUS server. wlc(config-radius-vserver)# enable

9

Add RADIUS server to the list of used servers and enter server configuration mode.

wlc(config)# radius-server host
{ <IP-ADDR> | <IPV6-ADDR> }
[ vrf <VRF> ]

wlc(config-radius-server)#

<IP-ADDR> – RADIUS server IP address, specified as AAA.BBB.CCC.DDD, where each part takes values [0..255];

<IPV6-ADDR> – RADIUS server IPv6 address, specified as X:X:X:X::X, where each part takes values in HEX [0..FFFF];

<VRF> – VRF name, specified by a string of up to 31 characters.

10

Specify the authentication key.

wlc(config-radius-server)# key ascii-text { <KEY> | encrypted <ENCRYPTED-KEY> }

<KEY> – string of [4..64] ASCII characters;

<ENCRYPTED-KEY> – encrypted key, specified by a string of [8..128] characters.

11

Create AAA profile and enter its configuration mode.

wlc(config)# aaa radius-profile <NAME>

wlc(config-aaa-radius-profile)#

<NAME> – server profile name, specified by a string of up to 31 characters.

12

Specify RADIUS server in AAA profile.

wlc(config-aaa-radius-profile)# radius-server host
{ <IP-ADDR> | <IPV6-ADDR> }

<IP-ADDR> – RADIUS server IP address, specified as AAA.BBB.CCC.DDD, where each part takes values [0..255];

<IPV6-ADDR> – RADIUS server IPv6 address, specified as X:X:X:X::X, where each part takes values in HEX [0..FFFF].

13

Switch to SoftGRE controller configuration settings.

wlc(config)# softgre-controller

wlc(config-softgre-controller)#

14 Specify router IP address to be used as a source IP address in sent RADIUS packets. wlc(config-softgre-controller)# nas-ip-address <ADDR> <ADDR> – source IP address, specified as AAA.BBB.CCC.DDD, where each part takes values [0..255].

15

Set SoftGRE DATA tunnels configuration mode.

wlc(config-softgre-controller)# data-tunnel configuration { local | radius | wlc}

local – режим конфигурации, при котором параметры SoftGRE DATA туннелей получаются из локальной конфигурации маршрутизатора;

radius – режим, при котором параметры SoftGRE DATA туннелей запрашиваются у RADIUS-сервера;

wlc – режим, при котором параметры SoftGRE DATA туннелей запрашиваются у WLC.

16 Specify ААА profile. wlc(config-softgre-controller)# aaa radius-profile <NAME> <NAME> – server profile name, specified by a string of up to 31 characters.

17

Disable the exchange of ICMP messages that are used to check the availability of remote Wi-Fi tunnel gateway controller.

wlc(config-softgre-controller)# keepalive-disable

18

Allow traffic in user vlan.

wlc(config-softgre-controller)# service-vlan add {<VLAN-ID> | <LIST_ID> | <RANGE_ID> }

<VLAN-ID> – vlan number, in which the user traffic passes, takes values [2..4094];

<LIST_ID> – vlan list, comma-separated (1,2,3), takes values [2..4094];

<RANGE_ID> – vlan range, dash-separated (1-3), takes values [2..4094].

19

Enable Wi-Fi controller.

wlc(config-softgre-controller)# enable

20

Switch to SoftGRE tunnel settings.

wlc(config)# tunnel softgre <TUN>

<TUN> – device tunnel name.

21

Set SoftGRE tunnel operating mode.

wlc(config-softgre)# mode <MODE>

<MODE> – tunnel operating mode, possible options:

data – data mode;
management – management mode.

22

Set the local tunnel gateway IP address.

wlc(config-softgre)# local address <ADDR>

<ADDR> – local gateway IP address, specified as AAA.BBB.CCC.DDD, where each part takes values [0..255].

23

Enable the SoftGRE tunnel configuration use for automatic tunneks creations with the same mode and local address.

wlc(config-softgre)# default-profile

24 Enable tunnel. wlc(config-softgre)# enable

25

Switch to the controller configuration.

wlc(config)# wlc

26

Create a profile for access points general settings configuration.

wlc(config-wlc)# ap-profile <NAME>

wlc(config-wlc-ap-profile)#

<NAME> – profile name, specified by a string of up to 235 characters.

27

Set a password for access points connection.

wlc(config-wlc-ap-profile)# password ascii-text { <CLEAR-TEXT> | encrypted <HASH_SHA512> }

wlc(config-wlc-ap-profile)# exit

<CLEAR-TEXT> – password, specified by [8-64] characters.

<HASH_SHA512> – sha512 password hash, specified by [16-128] characters.

28

Create a configuration profile for the radio interface operating in the 2.4 GHz frequency range.

wlc(config-wlc)# radio-2g-profile <NAME>

<NAME> – profile name, specified by a string of up to 235 characters.

29

Configure the automatic channel bandwidth reduction mode when the airwaves are busy.

wlc(config-wlc-radio-2g-profile)# obss-coexistence {on | off}

on – automatic channel bandwidth reduction mode is enabled;

off – automatic channel bandwidth reduction mode is disabled;

30

Set the radio interface operation mode.

wlc(config-wlc-radio-2g-profile)# work-mode <WORK-MODE>

<WORK-MODE> – operation mode, possible options:

bg, nax, bgnax – for 2.4 GHz frequency range.

31

Set the channel list for dynamic channel selection.

wlc(config-wlc-radio-2g-profile)# limit-channels <CHANNEL>[,<CHANNEL>]

<CHANNEL> – number of the channel used, possible options:
For 2g channels chose from the bandwidth:
[1.. 13].

32

Set the channel bandwidth.

wlc(config-wlc-radio-2g-profile)# bandwidth <BANDWIDTH>

<BANDWIDTH> – channel bandwidth, possible options:

20;
40L;
40U.

33

Set the power level for radio interface.

wlc(config-wlc-radio-2g-profile)# tx-power {minimal | low | middle | high | maximal}

The possible values of the parameter, depending on the access point model, set the following power values in dBm:

	2.4 GHz
	min	low	middle	high	max
WEP-1L	11	12	14	15	16
WEP-2L	11	12	14	15	16
WOP-2L	11	12	14	15	16
WOP-20L	8	10	12	14	16
WEP-200L	4	7	10	13	16
WEP-30L	0	4	8	12	16
WOP-30L	0	4	8	12	16
WOP-30LS	0	3	6	9	11
WEP-3ax	6	8	11	14	16

34

Create a configuration profile for the radio interface operating in the 5 GHz frequency range.

wlc(config-wlc)# radio-5g-profile <NAME>

<NAME> – profile name, specified by a string of up to 235 characters.

35

Configure the automatic channel bandwidth reduction mode when the airwaves are busy.

wlc(config-wlc-radio-5g-profile)# obss-coexistence {on | off}

on – automatic channel bandwidth reduction mode is enabled;

off – automatic channel bandwidth reduction mode is disabled.

36

Set the radio interface operation mode.

wlc(config-wlc-radio-5g-profile)# work-mode <WORK-MODE>

<WORK-MODE> – operation mode, possible options:

anacax – for 5 GHz frequency range.

37

Set the channel list for dynamic channel selection.

wlc(config-wlc-radio-5g-profile)# limit-channels <CHANNEL>[,<CHANNEL>]

<CHANNEL> – number of the channel used, possible options:
For 5g each 4 channel chose from the bandwidth:
[36.. 64]
[100.. 144]
[149.. 165]

38

Set the channel bandwidth.

wlc(config-wlc-radio-5g-profile)# bandwidth <BANDWIDTH>

<BANDWIDTH> – channel bandwidth, possible options:

20;
40L;
40U;
80.

39

Set the power level for radio interface.

wlc(config-wlc-radio-5g-profile)# tx-power {minimal | low | middle | high | maximal}

The possible values of the parameter, depending on the access point model, set the following power values in dBm:

	5 GHz
	min	low	middle	high	max
WEP-1L	11	13	15	17	19
WEP-2L	11	13	15	17	19
WOP-2L	11	13	15	17	19
WOP-20L	11	13	15	17	19
WEP-200L	8	11	14	17	19
WEP-30L	0	5	10	15	19
WOP-30L	0	5	10	15	19
WOP-30LS	0	3	6	9	11
WEP-3ax	10	12	15	17	19

40

Set the dynamic frequency selection mode.

wlc(config-wlc-radio-5g-profile)# dfs {auto | disabled | forced}

auto — enabled;

disabled — disabled. DFS channels are not available for selection;

forced — disabled. DFS channels are available for selection.

41

Create a RADIUS server configuration profile.

wlc(config-wlc)# radius-profile <RADIUS-ID>

wlc(config-wlc-radius-profile)#

<RADIUS-ID> – RADIUS server ID, specified by a string of up to 235 characters.

42 Specify the RADIUS server IP address that is responsible for authentication. wlc(config-wlc-radius-profile)# auth-address <ADDR> <ADDR> – RADIUS server IP address, specified as AAA.BBB.CCC.DDD, where each part takes values [0..255].

43

Specify the RADIUS server password that is responsible for authentication.

wlc(config-wlc-radius-profile)# auth-password ascii-text { <CLEAR-TEXT> | encrypted <HASH_SHA512> }

<CLEAR-TEXT> – password, specified by [8-64] characters.

<HASH_SHA512> – sha512 password hash, specified by [16-128] characters.

44 Specify the domain. wlc(config-wlc-radius-profile)# domain <NAME> <NAME> – domain ID, specified by a string of up to 235 characters.

45

Create SSID configuration profile.

wlc(config-wlc)# ssid-profile <NAME>

wlc(config-wlc-ssid-profile)#

<NAME> – SSID profile name, specified by a string of up to 235 characters.

46

Set profile description.

wlc(config-wlc-ssid-profile)# description <DESCRIPTION>

<DESCRIPTION> – description, specified by a string of up to 255 characters.

47

Configure the frequency range in which the SSID will broadcast.

wlc(config-wlc-ssid-profile)# band <BAND>

<BAND> – frequency range, possible options:

2g;
5g.

48 Specify user vlan. wlc(config-wlc-ssid-profile)# vlan-id <ID> <ID> – vlan ID, takes values [0-4094].

49

Set the SSID connection security mode.

wlc(config-wlc-ssid-profile)# security-mode <MODE>

<MODE> – security mode, possible options:

WPA;
WPA2;
WPA2_1X;
WPA2_WPA3;
WPA2_WPA3_1X;
WPA3;
WPA3_1X;
WPA_1X;
WPA_WPA2;
WPA_WPA2_1X;
off.

WPA3 security mode is supported only on WEP-3ax, WEP-30L, WOP-30L, WOP-30LS access points.

If mixed security mode (e.g., WPA2_WPA3) is selected, WPA3 will be applied only to APs that support it, and the other APs will use the second mode (WPA2).

50 Specify the RADIUS server profile. wlc(config-wlc-ssid-profile)# radius-profile <RADIUS-ID> <RADIUS-ID> – RADIUS server ID, specified by a string of up to 235 characters.

51 Specify the SSID name that will broadcast to users. wlc(config-wlc-ssid-profile)# ssid <NAME> <NAME> – SSID name, specified by a string of up to 32 characters. Titles containing a space must be enclosed in quotation marks.

52 Enable SSID. wlc(config-wlc-ssid-profile)# enable

53

Create the location profile.

wlc(config-wlc)# ap-location <NAME>

wlc(config-wlc-ap-location)#

<NAME> – local configuration profile name , specified by a string of up to 235 characters.

54

Set profile description.

wlc(config-wlc-ap-location)# description <DESCRIPTION>

<DESCRIPTION> – description, specified by a string of up to 255 characters.

55

Specify the radio interface configuration profiles for the access points.

wlc(config-wlc-ap-location)# radio-5g-profile <NAME>

wlc(config-wlc-ap-location)# radio-2g-profile <NAME>

<NAME> – profile name, specified by a string of up to 235 characters.

56

Specify the general settings profile for the access points.

wlc(config-wlc-ap-location)# ap-profile <PROFILE-ID>

<PROFILE-ID> – profile ID, specified by a string of up to 235 characters and must match the name of the described profile from ap-profile.

57

Specify the SSID profile to be assigned to the access points.

wlc(config-wlc-ap-location)# ssid-profile <NAME>

<NAME> – SSID profile name, specified by a string of up to 235 characters.

58

Create an address space for accessing the controller.

wlc(config-wlc)# ip-pool <NAME>

wlc(config-wlc-ip-pool)#

<NAME> – address space name, specified by a string of up to 235 characters.

59

Specify the access points network.

wlc(config-wlc-ip-pool)# network <ADDR/LEN>

<ADDR/LEN> – IP address and network mask, specified as AAA.BBB.CCC.DDD/EE, where each part of AAA – DDD takes values [0..255] and EE takes values [1..32].

60

Specify the location profile name that is applied to the specified address space.

wlc(config-wlc-ip-pool)# ap-location <NAME>

<NAME> – location name, specified by a string of up to 235 characters.

61

Switch to the service activator settings.

wlc(config-wlc)# service-activator

wlc(config-wlc-service-activator)#

62

Configure automatic registration of access points on the controller.

wlc(config-wlc-service-activator)# aps join auto

63 Specify the controller IP address that is visible for access points. wlc(config-wlc)# outside-address <ADDR> <ADDR> – controller IP address, specified as AAA.BBB.CCC.DDD, where each part takes values [0..255].

64 Enable the controller. wlc(config-wlc)# enable

Configuration example

Task

Organize the management of wireless access points using the WLC controller. In particular, it is necessary to configure the connection of access points, update and configure them to provide access to Internet resources to authorized Wi-Fi users.

The configuration example is based on the factory configuration for a scheme with SoftGRE tunneling.

Solution

The solution provides automatic connection of access points to the WLC controller. When connecting to the network, the access point requests an address via DHCP and receives the URL of the access point initialization service in the 43 (vendor specific) DHCP option.

Having received this option, the access point enters to the controller and is displayed in the database of served access points (command for monitoring the list: show wlc ap). The controller then initializes it according to its configuration:

Performs an update if the software version on the access point does not match the version that is hosted on the controller.
Sets the access password.
Performs configuration according to the settings for this location (ap-location): the selected configuration profile for this type of access point and SSID.

Access points can be connected to the WLC controller through the enterprise L2 or L3 network.

Сonfiguring VLANs when new APs are connected can be a time-consuming task, especially if the enterprise network uses a large number of switches between the APs and the controller. Therefore, the factory configuration of WLC assumes the construction of SoftGRE DATA tunnels for the transfer of user traffic. This solution even in L2 network allows to simplify access points connection, as there is no need to route VLAN for each SSID through all switches.

When organizing communication in L3 network, it is necessary to ensure DHCP relay configuration on the enterprise network equipment to redirect access points' DHCP requests to the WLC, where a pool of IP addresses for access points management is configured, as well as to issue 43 option 15 of the DHCP suboption containing the controller URL.

WLC configuration procedure:

Configuring interfaces, network settings and firewall.
Configuring the controller for SoftGRE DATA tunnels organization.
Configuring the DHCP server.
Configuring the RADIUS server.
Configuring the WLC access point management module:
- Configuring SSID.
- Setting up configuration profiles for each type of access point.
- Creating a location (ap-location) and defining configuration rules for access points included in this location.
- Defining the subnets of the APs to be served.
Configuring access point updates.

Interface, network parametes and firewall configuration

Configure TCP/UDP port profiles for the required services:

wlc# configure

wlc(config)# object-group service ssh
wlc(config-object-group-service)# port-range 22
wlc(config-object-group-service)# exit

wlc(config)# object-group service dns
wlc(config-object-group-service)# port-range 53
wlc(config-object-group-service)# exit

wlc(config)# object-group service dhcp_server
wlc(config-object-group-service)# port-range 67
wlc(config-object-group-service)# exit

wlc(config)# object-group service dhcp_client
wlc(config-object-group-service)# port-range 68
wlc(config-object-group-service)# exit

wlc(config)# object-group service ntp
wlc(config-object-group-service)# port-range 123
wlc(config-object-group-service)# exit

wlc(config)# object-group service netconf
wlc(config-object-group-service)# port-range 830
wlc(config-object-group-service)# exit

wlc(config)# object-group service radius_auth
wlc(config-object-group-service)# port-range 1812
wlc(config-object-group-service)# exit

wlc(config)# object-group service sa
wlc(config-object-group-service)# port-range 8043-8044
wlc(config-object-group-service)# exit

wlc0(config)# object-group service airtune
wlc(config-object-group-service)# port-range 8099
wlc(config-object-group-service)# exit

Create three security zones — user, trusted and untrusted (for Internet access):

wlc(config)# security zone users
wlc(config-zone)# exit

wlc(config)# security zone trusted
wlc(config-zone)# exit

wlc(config)# security zone untrusted
wlc(config-zone)# exit

Configure firewall rules:

wlc(config)# security zone-pair trusted untrusted
wlc(config-zone-pair)# rule 1
wlc(config-zone-pair-rule)# action permit
wlc(config-zone-pair-rule)# enable
wlc(config-zone-pair-rule)# exit
wlc(config-zone-pair)# exit
wlc(config)# security zone-pair trusted trusted
wlc(config-zone-pair)# rule 1
wlc(config-zone-pair-rule)# action permit
wlc(config-zone-pair-rule)# enable
wlc(config-zone-pair-rule)# exit
wlc(config-zone-pair)# exit
wlc(config)# security zone-pair trusted self
wlc(config-zone-pair)# rule 10
wlc(config-zone-pair-rule)# action permit
wlc(config-zone-pair-rule)# match protocol tcp
wlc(config-zone-pair-rule)# match destination-port ssh
wlc(config-zone-pair-rule)# enable
wlc(config-zone-pair-rule)# exit
wlc(config-zone-pair)# rule 20
wlc(config-zone-pair-rule)# action permit
wlc(config-zone-pair-rule)# match protocol icmp
wlc(config-zone-pair-rule)# enable
wlc(config-zone-pair-rule)# exit
wlc(config-zone-pair)# rule 30
wlc(config-zone-pair-rule)# action permit
wlc(config-zone-pair-rule)# match protocol udp
wlc(config-zone-pair-rule)# match source-port dhcp_client
wlc(config-zone-pair-rule)# match destination-port dhcp_server
wlc(config-zone-pair-rule)# enable
wlc(config-zone-pair-rule)# exit
wlc(config-zone-pair)# rule 40
wlc(config-zone-pair-rule)# action permit
wlc(config-zone-pair-rule)# match protocol udp
wlc(config-zone-pair-rule)# match destination-port ntp
wlc(config-zone-pair-rule)# enable
wlc(config-zone-pair-rule)# exit
wlc(config-zone-pair)# rule 50
wlc(config-zone-pair-rule)# action permit
wlc(config-zone-pair-rule)# match protocol tcp
wlc(config-zone-pair-rule)# match destination-port dns
wlc(config-zone-pair-rule)# enable
wlc(config-zone-pair-rule)# exit
wlc(config-zone-pair)# rule 60
wlc(config-zone-pair-rule)# action permit
wlc(config-zone-pair-rule)# match protocol udp
wlc(config-zone-pair-rule)# match destination-port dns
wlc(config-zone-pair-rule)# enable
wlc(config-zone-pair-rule)# exit
wlc(config-zone-pair)# rule 70
wlc(config-zone-pair-rule)# action permit
wlc(config-zone-pair-rule)# match protocol tcp
wlc(config-zone-pair-rule)# match destination-port netconf
wlc(config-zone-pair-rule)# enable
wlc(config-zone-pair-rule)# exit

wlc(config-zone-pair)# rule 80
wlc(config-zone-pair-rule)# action permit
wlc(config-zone-pair-rule)# match protocol tcp
wlc(config-zone-pair-rule)# match destination-port sa
wlc(config-zone-pair-rule)# enable
wlc(config-zone-pair-rule)# exit
wlc(config-zone-pair)# rule 90
wlc(config-zone-pair-rule)# action permit
wlc(config-zone-pair-rule)# match protocol udp
wlc(config-zone-pair-rule)# match destination-port radius_auth
wlc(config-zone-pair-rule)# enable
wlc(config-zone-pair-rule)# exit
wlc(config-zone-pair)# rule 100
wlc(config-zone-pair-rule)# action permit
wlc(config-zone-pair-rule)# match protocol gre
wlc(config-zone-pair-rule)# enable
wlc(config-zone-pair-rule)# exit
wlc(config-zone-pair)# exit
wlc(config)# security zone-pair users self
wlc(config-zone-pair)# rule 10
wlc(config-zone-pair-rule)# action permit
wlc(config-zone-pair-rule)# match protocol icmp
wlc(config-zone-pair-rule)# enable
wlc(config-zone-pair-rule)# exit
wlc(config-zone-pair)# rule 20
wlc(config-zone-pair-rule)# action permit
wlc(config-zone-pair-rule)# match protocol udp
wlc(config-zone-pair-rule)# match source-port dhcp_client
wlc(config-zone-pair-rule)# match destination-port dhcp_server
wlc(config-zone-pair-rule)# enable
wlc(config-zone-pair-rule)# exit
wlc(config-zone-pair)# rule 30
wlc(config-zone-pair-rule)# action permit
wlc(config-zone-pair-rule)# match protocol tcp
wlc(config-zone-pair-rule)# match destination-port dns
wlc(config-zone-pair-rule)# enable
wlc(config-zone-pair-rule)# exit
wlc(config-zone-pair)# rule 40
wlc(config-zone-pair-rule)# action permit
wlc(config-zone-pair-rule)# match protocol udp
wlc(config-zone-pair-rule)# match destination-port dns
wlc(config-zone-pair-rule)# enable
wlc(config-zone-pair-rule)# exit
wlc(config-zone-pair)# exit
wlc(config)# security zone-pair untrusted self
wlc(config-zone-pair)# rule 1
wlc(config-zone-pair-rule)# action permit
wlc(config-zone-pair-rule)# match protocol udp
wlc(config-zone-pair-rule)# match source-port dhcp_server
wlc(config-zone-pair-rule)# match destination-port dhcp_client
wlc(config-zone-pair-rule)# enable
wlc(config-zone-pair-rule)# exit
wlc(config-zone-pair)# exit
wlc(config)# security zone-pair users untrusted
wlc(config-zone-pair)# rule 1
wlc(config-zone-pair-rule)# action permit
wlc(config-zone-pair-rule)# enable
wlc(config-zone-pair-rule)# exit
wlc(config-zone-pair)# exit

Configure NAT:

wlc(config)# nat source
wlc(config-snat)# ruleset factory
wlc(config-snat-ruleset)# to zone untrusted
wlc(config-snat-ruleset)# rule 10
wlc(config-snat-rule)# description "replace 'source ip' by outgoing interface ip address"
wlc(config-snat-rule)# action source-nat interface
wlc(config-snat-rule)# enable
wlc(config-snat-rule)# exit
wlc(config-snat-ruleset)# exit
wlc(config-snat)# exit

Create VLAN for uplink:

wlc(config)# vlan 2
wlc(config-vlan)# exit

Create user VLAN:

wlc(config)# vlan 3
wlc(config-vlan)# force-up
wlc(config-vlan)# exit

Create interfaces to interact with access point management subnets, Wi-Fi users, and the Internet:

#Configure interface parameters for access points:
wlc(config)# bridge 1
wlc(config-bridge)# vlan 1
wlc(config-bridge)# security-zone trusted
wlc(config-bridge)# ip address 192.168.1.1/24
wlc(config-bridge)# enable
wlc(config-bridge)# exit

#Configure parameters for public interface:
wlc(config)# bridge 2
wlc(config-bridge)# vlan 2
wlc(config-bridge)# security-zone untrusted
wlc(config-bridge)# ip address dhcp
wlc(config-bridge)# enable
wlc(config-bridge)# exit

#Configure interface parameters for Wi-Fi users: 
wlc(config)# bridge 3
wlc(config-bridge)# security-zone users
wlc(config-bridge)# ip address 192.168.2.1/24
wlc(config-bridge)# vlan 3
wlc(config-bridge)# enable
wlc(config-bridge)# exit

Configure ports:

#Configure interfaces for uplink:
wlc(config)# interface gigabitethernet 1/0/1
wlc(config-if-gi)# mode switchport
wlc(config-if-gi)# switchport access vlan 2
wlc(config-if-gi)# exit
wlc(config)# interface tengigabitethernet 1/0/1
wlc(config-if-te)# mode switchport
wlc(config-if-te)# switchport access vlan 2
wlc(config-if-te)# exit


#Configure interfaces for access points connection:
wlc(config)# interface gigabitethernet 1/0/2
wlc(config-if-gi)# mode switchport
wlc(config-if-gi)# exit
wlc(config)# interface gigabitethernet 1/0/3
wlc(config-if-gi)# mode switchport
wlc(config-if-gi)# exit
wlc(config)# interface gigabitethernet 1/0/4
wlc(config-if-gi)# mode switchport
wlc(config-if-gi)# exit
wlc(config)# interface tengigabitethernet 1/0/2
wlc(config-if-te)#  mode switchport
wlc(config-if-te)# exit

Enable DNS name resolution:

wlc(config)# domain lookup enable

Configure profile to raise tunnels:

wlc(config)# tunnel softgre 1
wlc(config-softgre)# mode data
wlc(config-softgre)# local address 192.168.1.1
wlc(config-softgre)# default-profile
wlc(config-softgre)# enable
wlc(config)# exit

DHCP server configuration

It is obligatory to specify NTP server, because correct time allows to pass certificate validity check.

Configure the address space for the devices to be connected to the controller:

wlc(config)# ip dhcp-server pool ap-pool

#Define the subnetwork:
wlc(config-dhcp-server)# network 192.168.1.0/24

#Specify the range of IP addresses to be issued:
wlc(config-dhcp-server)# address-range 192.168.1.2-192.168.1.254

#Default gateway is the address of AP control bridge:
wlc(config-dhcp-server)# default-router 192.168.1.1

#Issue DNS sever address:
wlc(config-dhcp-server)# dns-server 192.168.1.1

#It is obligatory to specify NTP server, because correct time allows to pass certificate validity check.

#Issue 42 DHCP option, which includes NTP server address, for time synchronization on access points:
wlc(config-dhcp-server)# option 42 ip-address 192.168.1.1

#Issue 43 vendor specific DHCP option, which includes:

- 12 suboption, which is needed for SoftGRE data tunnels building. Option includes IP adress of controller SoftGRE interface.
wlc(config-dhcp-server)# vendor-specific
wlc(config-dhcp-server-vendor-specific)# suboption 12 ascii-text "192.168.1.1"

- 15 suboption, which is needed for access point to automatically reach the controller and got involved under controller's management. Option includes controller HTTPS URL.
wlc(config-dhcp-server-vendor-specific)# suboption 15 ascii-text "https://192.168.1.1:8043"
wlc(config-dhcp-server-vendor-specific)# exit
wlc(config-dhcp-server)# exit

Configure the address space for users:

wlc(config)# ip dhcp-server pool users-pool

#Define the network:
wlc(config-dhcp-server)# network 192.168.2.0/24

#Define the range of IP addresses to be issued to Wi-Fi users:
wlc(config-dhcp-server)# address-range 192.168.2.2-192.168.2.254

#Default gateway:
wlc(config-dhcp-server)# default-router 192.168.2.1

#Issue the adress of DNS server:
wlc(config-dhcp-server)# dns-server 192.168.2.1
wlc(config-dhcp-server)# exit

RADIUS server configuration

Configure local RADIUS server.

wlc(config)# radius-server local

#Configure NAS ap. Contains the AP subnets that will be served by the local RADIUS server when Enterprise-authorizing Wi-Fi users:
wlc(config-radius)# nas ap
wlc(config-radius-nas)# key ascii-text password
wlc(config-radius-nas)# network 192.168.1.0/24
wlc(config-radius-nas)# exit

#Configure NAS local. Used when WLC accesses local RADIUS server when building SoftGRE tunnels:
wlc(config-radius)# nas local
wlc(config-radius-nas)# key ascii-text password
wlc(config-radius-nas)# network 127.0.0.1/32
wlc(config-radius-nas)# exit

#Create user domain:
wlc(config-radius)# domain default

#Create Wi-Fi user account to connect to the Enterprise SSID:
wlc(config-radius-domain)# user name1
wlc(config-radius-user)# password ascii-text password1
wlc(config-radius-user)# exit
wlc(config-radius-domain)# exit

#The virtual server settings contain port numbers for authentication and accounting, proxying settings to the external RADIUS server. Using standard ports (1812 for authentication and 1813 for accounting) does not require configuration. In this case, enabling the virtual server is sufficient.
wlc(config-radius)# virtual-server default
wlc(config-radius-vserver)# enable
wlc(config-radius-vserver)# exit
wlc(config-radius)# enable
wlc(config)# exit

In the factory configuration, the user account is not configured for security purposes, so you must create an account to connect to the Enterprise SSID in the factory configuration.

Define parameters for communication with the RADIUS server: IP address and key. Since the RADIUS server is located locally on the controller, set 127.0.0.1 as the host address. The key must match the key specified for nas local.

wlc(config)# radius-server host 127.0.0.1
wlc(config-radius-server)# key ascii-text password
wlc(config-radius-server)# exit

Add a AAA profile, specify the server address to be used:

wlc(config)# aaa radius-profile default_radius
wlc(config-aaa-radius-profile)# radius-server host 127.0.0.1
wlc(config-aaa-radius-profile)# exit

Configure and enable the functionality to automatically bring up SoftGRE tunnels:

wlc(config)# softgre-controller

#Since the RADIUS server is located locally on the controller, we specify nas-ip-address 127.0.0.1:
wlc(config-softgre-controller)# nas-ip-address 127.0.0.1

#Choose the mode of creating data SoftGRE tunnels - WLC:
wlc(config-softgre-controller)# data-tunnel configuration wlc

#Select the previously created AAA profile:
wlc(config-softgre-controller)# aaa radius-profile default_radius
wlc(config-softgre-controller)# keepalive-disable

#Enable traffic in the user vlan:
wlc(config-softgre-controller)# service-vlan add 3
wlc(config-softgre-controller)# enable
wlc(config-softgre-controller)# exit

Configuring the WLC Access Point Management Module

Move to the access point configuration nanagement module settings:

wlc(config)# wlc
wlc(config-wlc)#

Configure the RADIUS server profile that will be used to authenticate wireless clients with the Enterprise SSID of Wi-Fi access points. If clients are supposed to be authenticated to an external RADIUS server, its address and key are specified here. With this setting, the access point will authenticate clients without WLC.

wlc(config-wlc)# radius-profile default-radius

#Since the RADIUS server is located locally on the controller, we specify the address of the controller in the access point subnet:
wlc(config-wlc-radius-profile)# auth-address 192.168.1.1

#RADIUS server key must match the key specified for the NAS ap:
wlc(config-wlc-radius-profile)# auth-password ascii-text password

#Specify the RADIUS domain. This domain must match the domain in which the Enterprise user accounts are created.
wlc(config-wlc-radius-profile)# domain default
wlc(config-wlc-radius-profile)# exit

SSID configuration

The SSID profile contains the access point's SSID settings. The Enterprise SSID setting is shown as an example:

wlc(config-wlc)# ssid-profile default-ssid

#Description can contain the short profile description:
wlc(config-wlc-ssid-profile)# description default-ssid

#SSID is the name of the wireless network that users will see when scanning the airwaves:
wlc(config-wlc-ssid-profile)# ssid default-ssid

#VLAN ID is the VLAN number for transmitting user traffic. When passing Wi-Fi traffic to clients, the tag will be removed by the AP. When passing traffic in the opposite direction, untagged traffic from clients will be tagged:
wlc(config-wlc-ssid-profile)# vlan-id 3

#Security mode is the wireless network access security mode. Select WPA2_1X mode for Enterprise authorization:
wlc(config-wlc-ssid-profile)# security-mode WPA2_1X

#Specify the RADIUS server settings profile that will be used to authorize Wi-Fi users:
wlc(config-wlc-ssid-profile)# radius-profile default-radius

#Next, you must specify at least one band in which the SSID will operate: 2.4/5 GHz:
wlc(config-wlc-ssid-profile)# band 2g
wlc(config-wlc-ssid-profile)# band 5g

#Activate SSID profile. In case it is necessary to disable SSID on all locations, the SSID profile can be disabled with the 'no enable' command:
wlc(config-wlc-ssid-profile)# enable
wlc(config-wlc-ssid-profile)# exit

Profile configuration

Create a profile of common access point settings:

wlc(config-wlc)# ap-profile default-ap

#Set the password to connect to the access point:
wlc(config-wlc-ap-profile)# password ascii-text password

#If necessary, you can enable ssh/telnet access to the access points and the web interface:
wlc(config-wlc-ap-profile)# services
wlc(config-wlc-ap-profile-services)# ip ssh server
wlc(config-wlc-ap-profile-services)# ip telnet server
wlc(config-wlc-ap-profile-services)# ip http server
wlc(config-wlc-ap-profile)# exit

Create access point configuration profiles:

You can override the parameters for each access point separately via an individual profile. For detailed information about the access points, please refer to the official documentation.

Create a configuration profile for a radio interface operating in the 2.4 GHz frequency band:

wlc(config-wlc)# radio-2g-profile default_2g

#Set the list of channels from which the access point will automatically select the least loaded radio channel:
wlc(config-wlc-radio-2g-profile)# limit-channels 1,6,11

#Select IEEE 802.11 radio interface operation mode:
wlc(config-wlc-radio-2g-profile)# work-mode bgnax

#Set the radio channel bandwidth:
wlc(config-wlc-radio-2g-profile)# bandwidth 20

#Set the transmitter signal strength in dBm:
wlc(config-wlc-radio-2g-profile)# tx-power maximal
wlc(config-wlc-radio-2g-profile)# exit

Create a configuration profile for the radio interface operating in the 5 GHz frequency range:

wlc(config-wlc)# radio-5g-profile default_5g

#Change the dynamic frequency selection mode to forced mode:
wlc(config-wlc-radio-5g-profile)# dfs forced

#Specify a list of channels from which the access point will automatically select the least loaded radio channel:
wlc(config-wlc-radio-5g-profile)# limit-channels 36,40,44,48,52,56,60,64

#Select IEEE 802.11 radio interface operation mode:
wlc(config-wlc-radio-5g-profile)# work-mode anacax

#Set the radio channel bandwidth:
wlc(config-wlc-radio-5g-profile)# bandwidth 20

#Set the transmitter signal strength in dBm:
wlc(config-wlc-radio-5g-profile)# tx-power maximal
wlc(config-wlc-radio-5g-profile)# exit

Location configuration

A location is group of access points designed to provide service within a topographic and/or logical network segment, which in general will be configured according to the same rules (profiles). The location for a point (ap-location) is determined when the point is connected to the controller, depending on the address space. The exception is overriding the radio parameters and/or ap-location in an individually created template for the access point based on its MAC address.

Create a location and define the configuration rules for the APs in that location:

wlc(config-wlc)# ap-location default-location

#Description can contain short location description:
wlc(config-wlc-ap-location)# description default-location

#Specify the configuration profiles for the radio interfaces:
wlc(config-wlc-ap-location)# radio-2g-profile default_2g
wlc(config-wlc-ap-location)# radio-5g-profile default_5g

#Specify the profile of the common access point settings:
wlc(config-wlc-ap-location)# ap-profile default-ap

#Specify the wireless network profiles that will provide services in this location:
wlc(config-wlc-ap-location)# ssid-profile default-ssid default

#Since the scheme assumes the transfer of user traffic through SoftGRE tunnels, it is necessary to specify that the location operates in tunneling mode:
wlc(config-wlc-ap-location)# mode tunnel
wlc(config-wlc-ap-location)# exit

Define the Access Point subnets to be served

Define the address space of the access points to be connected:

wlc(config-wlc)# ip-pool default-ip-pool

#Description can contain short description of addresses pool:
wlc(config-wlc-ip-pool)# description default-ip-pool

#The subnet of access point IP addresses is specified in the network parameter. If this parameter is not defined, all access points will be subject to this rule.

#Specify the ap-location that will be assigned to the access points in this address pool:
wlc(config-wlc-ip-pool)# ap-location default-location
wlc(config-wlc-ip-pool)# exit

Access points with subnets not defined in ip-pool will not be served by the controller.

Access point auto-registration

Activate access point auto-registration on the controller:

wlc(config-wlc)# service-activator
wlc(config-wlc-service-activator)# aps join auto

When connecting new access points, no additional actions are required, the access points will be registered automatically.

WLC enabling

Enable WLC operation, specify the controller IP address for the access points, and save the settings:

wlc(config-wlc)# enable
wlc(config-wlc)# outside-address 192.168.1.1
wlc(config-wlc)# end
wlc# commit
wlc# confirm

Web interface for monitoring

Web interface is available for monitoring access points and can be enabled with the command:

wlc(config)# ip http server
wlc(config)# end
wlc# commit
wlc# confirm

Web interface is available on URL: http://<IP-address_wlc>, login/password in default configuration are: admin/password.

Access Point Update

In the default configuration, when connected, the AP will immediately and automatically update to the firmware that is loaded on the WLC. If the AP is already under WLC control, it will update to the new firmware as soon as it is downloaded.

To download the firmware, use the command:

#TFTP server IP address – 192.168.1.2, WEP-1L-1.2.5_build_16.tar.gz – firmware file name.
wlc# copy tftp://192.168.1.2:/WEP-1L-1.2.5_build_16.tar.gz system:access-points-firmwares

If multiple firmware files are loaded on the WLC, the AP will update to the most recent version.

AirTune configuration

One of the priority areas for the development of access points in the field of Enterprise&High-Density Wi-Fi is the implementation of AirTune service, the main function of which is Radio Resource Management (RRM).

Radio Resource Management allows automatically optimizing access point performance based on current conditions. The AirTune service does not replace radio planning procedures, but allows for the final stage of network optimization, as well as ongoing monitoring.

Technologies and algorithms used:

Dynamic Channel Assignment (DCA) is an algorithm that automatically assigns frequency channels to each access point in the network to avoid interference between them;
Transmit Power Control (TPC) is an algorithm for controlling the power of transmitters to ensure optimal network coverage and minimize “conflict” areas, where the client is in the zone of confident reception of several neighboring access points;
Load Balancing is an algorithm for automatic distribution of client devices between points. In case of overload, the service will determine a more optimal AP for client connection and issue recommendations for access points, the client will see in the air only one AP recommended for authorization;
Roaming is support for 802.11 k/r seamless roaming standards.

The main tasks of the functionality are:

Automatic setting of working channels between access points;
Automatic adjustment of the radiated power for the stability of the coverage area (“cell”);
Optimization of wireless network throughput;
Minimizing “conflict” areas between access points;
Equal load distribution between access points;
Finding the optimal access point for a client located in an “unstable” reception zone;
Minimizing “accidental” client reconnections at cell boundaries;
Support for seamless roaming of clients between access points.

When the TPC/DCA functionality works, access points collect information about the radio environment at the current moment of time with the help of special packets (Action Frame) at the command of the service. Then they transmit the information to the service, which performs analysis of “radio air quality” and optimizes parameters for each access point, which ensures uniformity of coverage area and minimizes interference.

The service also includes roaming functionality:

Synchronization of lists of neighboring 802.11k access points, which allows the client to search for a more suitable access point from the recommended list, rather than analyzing the entire airwaves, when the signal from the current access point weakens.
Key negotiation between access points for 802.11r roaming, which allows to significantly accelerate the process of client switching between access points, because the client will not need to go through a second full authorization on the oncoming access point, only accelerated.

Roaming of 802.11k/r standards requires client-side support for the standard.

Simple example of network optimization using the service is shown in the picture (DCA+TPC functionality):

Operating algorithm

When connecting to the server (the connection between the AP and the server is made via WebSocket protocol), the AP sends a “subscribe-request” message, where it transmits its parameters, such as:

factory installation parameters (serial number, device type, MAC address);
location name (geographical domain);
radio settings (channel, power);
SSID list;
list of connected clients.

After the AP has built a session with the service, AirTune groups the points by domain. If there is no domain on the service to which the point belongs, AirTune sends a denial of service.

If a domain is configured on AirTune, the server sends a “subscribe-response” indicating which features (DCA, TPC, Load Balance) are configured for that domain.

Optimization (DCA, TPC) takes place within the domain as follows:

1) The first step is authorization of APs on AirTune service, for this purpose the management system configures AirTune service URL on APs by means of SNMP-set request;

2) APs establish a session with the service by exchanging Subscribe-Request/Subscribe-Response packets, in which the AP informs the service about the current configuration. In case the geographic domain passed in the message from the point does not exist on the service, the service will ignore the requests. If the domain is found, the connection is successful;

3) Next, the server sends a “rrm-request-mode” request to the access points to update the current information about them, since optimization can start not only after the connection of the point, but routinely or by administrator's command long after the initial connection;

4) Access points respond with “rrm-response-mode” in which they transmit their current radio parameters;

5) The server sends a request to scan the “rrm-update”. Depending on the eltex-rrm-scan option, the scan can be a “normal” scan (a point tries the available channels and detects all visible points) or a special scan, where only points from the domain transmit special action packets at one, predefined, point in time;

6) The points send the result of scanning to the server with the message “rrm-response”;

7) Having received the results from all the APs in the domain, the server determines the optimal power, optimal channel, list of neighbors for each point depending on the settings and sends the message “rrm-info”;

8) After that, the APs apply the recommended settings, and the optimization is considered complete.

Optimization takes place in the following cases:

new point has been added to the domain;
one of the APs has been disconnected;
radio parameters have been changed on one of the points;
by timer (Optimization interval);
when the administrator presses the corresponding button.

Optimization does not take place in the following cases:

AP restart;
short loss of connection between AP and the service;
AP update.

Customer balancing on AP:

1) If TPC/DCA algorithms are enabled together with the balancer or the “Use all APs for Balance” option is disabled, the first step is to search for neighboring points in the air;

If the “Use all APs for Balance” flag is set in the AirTune configuration, the “Search for neighboring points on the air” item will be skipped, and the distribution will be done to all APs in the same domain.

2) When a new client connects to the AP, the server sends the “rrm-client-assoc” message, which contains the MAC address of the client SSID to which the client has connected. In case the connected client is in the zone of confident reception and the AP is not loaded, the service does not take any actions, only the message “RRM-Client-Assoc-Ack” is sent for portal clients, after it the AP unblocks the clients for Internet access (if the user is already authorized on the portal);

3) If when a client connects, this point is busy (client limit is exceeded) or the client has a signal below the set level, the server initiates the process of balancing this client;

4) The service sends “rrm-probe-request” message to “neighboring” APs, on which the same SSID is configured, to determine with what signal level APs “see” this client;

5) The APs respond with an “rrm-probe-response” message indicating the RSSI signal streng

6) If the server has not found a suitable point for the client, server leaves user at the current point. If the optimal point is found, the client is disconnected from the current AP with the command “rrm-disassoc-request”, on all others, except the optimal one, client gets blocked with the command “rrm-blacklist”, thus the client sees only 1 target AP on the air and the client will switch (roaming).

Client balancing between APs takes place within one interface (2.4 GHz or 5 GHz).

If a client is connected in 2.4 GHz to a loaded AP, it will not be balanced on the free 5 GHz interface of the second AP, only on the same interface (2.4 GHz).

If the client device supports MAC address randomization functionality in Probe Request, the functionality will not work for such clients, because the analysis of the signal strength from the client on neighboring APs is based on management packets from the client (Probe request).

Configuration algorithm

By default, all the necessary settings for the service operation are configured, the only thing needed is to specify the IP address of the controller, which is visible to access points, enable the service, create a profile and bind it to a location.

The settings are made in the configuration mode (config) of the WLC controller configuration section (config-wlc).

Step	Description	Command	Keys
1	Switch to WLC configuration.	wlc# configure wlc(config)# wlc wlc(config-wlc)#
2	Create AirTune profile.	wlc(config-wlc)# airtune-profile <NAME> wlc(config-airtune-profile)#exit wlc(config-wlc)#	<NAME> – profile name, specified by a string of up to 235 characters.
3	Switch to location that requires automatic optimization of access point settings.	wlc(config-wlc)# ap-location <NAME> wlc(config-wlc-ap-location)#	<NAME> – location profile name, specified by a string of up to 235 characters.
4	Bind the created profile to location.	wlc(config-wlc-ap-location)# airtune-profile <NAME> wlc(config-wlc-ap-location)#exit wlc(config-wlc)#	<NAME> – location profile name, specified by a string of up to 235 characters.
5	Switch to service general configuration.	wlc(config-wlc)# airtune wlc(config-airtune)#
6	Enable the service.	wlc(config-airtune)# enable wlc(config-airtune)#end

Configuration example

#Create airtune profile, by default, it already contains the optimal service settings, so it is needed only to create the profile itself:
wlc# configure
wlc(config)# wlc
wlc(config-wlc)# airtune-profile default_airtune
wlc(config-airtune-profile)#exit

#Add a profile to a location to allow optimization in the selected location:
wlc(config-wlc)# 
wlc(config-wlc)# ap-location default-location
wlc(config-wlc-ap-location)# airtune-profile default_airtune
wlc(config-wlc-ap-location)#exit

#Globally activate airtune functionality in the controller (optimization will only take place in locations with airtune profile):
wlc(config-wlc)# airtune
wlc(config-airtune)# enable
wlc(config-wlc)# end

wlc# commit
wlc# confirm

Дерево страниц

WLC configuration

WLC controller configuration

Configuration algorithm

Configuration example

Task

Solution

Interface, network parametes and firewall configuration

DHCP server configuration

RADIUS server configuration

Configuring the WLC Access Point Management Module

SSID configuration

Profile configuration

Location configuration

Define the Access Point subnets to be served

Access point auto-registration

WLC enabling

Web interface for monitoring

Access Point Update

AirTune configuration

Operating algorithm

Configuration algorithm

Configuration example