
AT&T Global Network Services

Engineering Technology Guide

Project Title:
Wireless LAN Controller Based Architecture
Controller Installation Guide

Location:
IGA
Last Revision Date:
15 September 2011
Cisco Controller Release 6.0.202.0
Cisco Controller Release 7.0.98.218 (for 3502 and 1262 WAPs)
Revision History
Date: 15 Sep 2011
Who: Andrew Potter
Purpose: 11.1 Template release

1 Cisco 4402/4404/5508/WISM Initial configuration


US deployments
1 CISCO 4402/4404/5508/WISM INITIAL CONFIGURATION ........ 2
1.1 Console Wizard Worksheet ........ 4
    Resetting to Default Settings Using the CLI (WISM session or 440x/5508 serial console only) ........ 6
1.2 Startup Wizard: from Serial Console or 6509 Session command ........ 6
1.3 Load current Wireless LAN controller code ........ 8
1.3.1 Config TACACS and Radius Servers ........ 9
1.3.2 Create AL_CPU_ACCESS access control list ........ 10
1.3.3 Apply the ACL (note different syntax for V6 and V7 code) ........ 13
1.3.4 Test TACACS (Americas, AP) ........ 13
1.3.5 Generate Webadmin/SSH self signed certificate and disable controller handling of DHCP helper for client users ........ 13

2 WEB BASED DETAIL CONFIGURATION ........ 14
2.1 Controller Tab ........ 15
2.1.1 Controller - General ........ 15
2.1.2 Controller NTP ........ 16
2.1.3 Controller Interfaces ........ 16
2.1.4 Create IBM Wireless VLANs ........ 18
2.1.5 Guest VLANs ........ 19
2.1.6 Controller Mobility management ........ 20
2.2 Management Tab ........ 21
2.2.1 Management SNMP ........ 21
2.2.2 Management - Trap Receivers ........ 22
2.2.3 Management - Syslog Server ........ 22
2.2.4 Management - Local management Users ........ 23
2.3 Security Tab ........ 24
2.3.1 Security Radius ........ 24
2.3.2 Security - Verify TACACS ........ 26
2.3.3 Security AP Policies ........ 26
2.3.4 ........ 27
2.3.5 Security - Priority Order > Management User ........ 27
2.3.6 Security Wireless Protection Policies ........ 27
2.4 Commands Tab ........ 28
2.4.1 Commands Set Time (Set Timezone) ........ 28
2.5 WLANs tab ........ 28
2.5.1 WLANs - Wireless LAN definition ........ 28
2.5.2 IBM-WPA2 profile WLANs Edit ........ 29
2.5.3 IBM-WPA2 profile WLANs - Edit - General tab ........ 30
2.5.4 IBM-WPA2 profile WLANs Edit Security Layer 2 ........ 31
2.5.5 IBM-WPA2 profile WLANs Edit Security AAA Servers ........ 31
2.5.6 IBM-WPA2 profile WLANs Edit Advanced ........ 32
2.6 IBM-WPA1 Profile ........ 33
2.6.1 IBM-WPA1 profile WLANs Edit ........ 33
2.6.2 ........ 33
2.6.3 IBM-WPA1 profile WLAN Edit Security Layer 2 tab ........ 34
2.6.4 WLANs Edit Create IBMVISITOR Profile (SSID IBMVISITOR) ........ 35
2.7 IBMVISITOR WLAN Edit General ........ 36
2.7.1 IBMVISITOR WLAN Edit Security Layer 2 ........ 36
2.7.2 IBMVISITOR WLAN Edit Advanced ........ 37
2.7.3 Wireless Access Points Global configuration ........ 38
2.7.4 Wireless 802.11a/n Network ........ 38
2.7.5 Wireless 802.11a/n RRM DCA ........ 39
2.7.6 Wireless 802.11b/g/n Network ........ 40
2.7.7 Wireless 802.11b/g/n RRM DCA ........ 41
2.8 Save Configuration to WCS server ........ 42

3 CONTROLLER BASED ACCESS POINT CONFIGURATION ........ 43
3.1 Mapping Wireless LANs (WLANs) to Subnets (VLANS) using AP GROUP VLAN feature ........ 43
3.1.1 How AP groups work ........ 43
3.1.2 Sample AP VLAN Group design ........ 44
3.1.3 How to plan AP groups ........ 45
3.2 Defining AP Groups ........ 46
3.2.1 AP GROUP process ........ 46
3.2.2 Configure the VLANs and SSIDs into the AP group ........ 48

4 JOINING AND CONFIGURING ACCESS POINTS TO THE CONTROLLER ........ 49
4.1.1 AP join process ........ 49
4.1.2 Controller configuration of AP ........ 50
4.1.3 Post installation testing ........ 52

5 HREAP - HYBRID REMOTE EDGE ACCESS POINT INSTALLATION ........ 53
5.1 Configuring HREAP APs ........ 54
5.1.1 Verify HREAP controller configuration ........ 54
5.1.2 Create site AP VLAN group ........ 57
5.1.3 Discovering and Joining Access points ........ 60
5.1.4 Connect the HREAP APs and enable the Ethernet ports ........ 61

6 WCS DISCOVERY AND AP PLACEMENT ON FLOOR-PLAN MAPS ........ 62

Appendix A - Sample initial console configuration on WISM

1.1 Console Wizard Worksheet


This section documents the initial staging or onsite configuration of Cisco Wireless LAN
controllers to get them initially installed onto the IBM network.
Steps performed include:
1. Ensuring the controller configuration is at factory default
2. Running the console configuration dialog script, which:
   a. Assigns the hostname
   b. Defines the failsafe local management userid
   c. Assigns the management IP address and management VLAN
   d. Assigns the AP management IP address
   e. Enables Ether-channel (LAG)
   f. Enables Radio Resource Management
3. Configuring the TACACS and wireless RADIUS servers
4. Creating a self-signed SSH/HTTPS administrative management certificate
5. Updating the controller firmware code
Controller console setup is documented by Cisco at:
http://www.cisco.com/en/US/docs/wireless/controller/4400/quick/guide/ctrlv32.html#wp33791
This section can be done at staging for 4402, 4404 and 5508 series controllers.

Physical Controller Connection:

440x controllers: Use the DB-9 null modem serial cable provided with the controller to connect
the laptop. (Note: a standard Cisco ribbon cable will work with an RJ-45 to 9-pin female serial
terminal adapter, Cisco part number 74-0495-01, at each end.)
5508 controllers use the standard Cisco blue RJ45 console cable.
Terminal emulator communications settings are as follows: 9600 baud, 8 data bits, 1 stop bit, no
parity, no hardware flow control.
WISM NOTE: Access the console via the 6509 supervisor session command.
Appendix A at the end of this document has a sample WISM controller console session.
WISM controllers can be accessed via the session command once the internal service port has acquired a
private IP address.
Verify that the correct VLANs are trunked to the controllers using the correct wism commands
per the wireless distribution 6509 configuration template.

Verify the WISM service port with the command:
# show wism status

Connect using the session command:
# session slot <wism slot number> proc <controller 1 or 2>

WISM controllers can also use the standard Cisco blue console rollover serial cable. (Note: 2
consoles per WISM blade.)
HINT: If you skip a question by mistake or answer wrong, you can back up to the
previous question by typing the minus key (-) and pressing <Enter>.
Boot up the controller. Wait until it boots and prompts.

Resetting to Default Settings Using the CLI (WISM session or 440x/5508 serial console only)
If the controller has an undesired old configuration, follow these steps to reset the configuration
to factory default settings using the CLI.

Step 1 If logged in, enter reset system. At the prompt that asks whether you need to save
changes to the configuration, enter N. The unit reboots.
Step 2 Reconnect to the console. When you are prompted for a username, enter recover-config
to restore the factory default configuration. The controller reboots and displays this message:
Welcome to the Cisco WLAN Solution Wizard Configuration Tool
Step 3 Use the configuration wizard to enter configuration settings.

A factory default configuration will enter the startup wizard. Answer the questions as follows.

1.2 Startup Wizard: from Serial Console or 6509 Session command

WISM only: answer yes to exit auto-install. (See Appendix A for a sample WISM console dialog.)

System name (32 chars): WLC-4402/4404 controller: <reso>-wc-<n><a|b>
                        6509/WISM controller: <reso>-wc-w<slot#>c<1|2><a|b>
User name (24 chars): failsafe
Password (24 chars): <failsafepassword>
Enter service port interface IP configuration protocol: dhcp
Link Aggregation: yes (This question will not be asked on 6509/WISM; LAG is required)
Enter the management interface IP address: 9.<x.x.x>
Enter Management Interface Netmask: <netmask>
Enter Default router IP address: <gateway>
Management VLAN identifier: 4001
IP address of DHCP server that will supply IP addresses to clients: <dhcp #1> (others added later)
LWAPP transport mode (layer 2 or layer 3): layer 3 (not asked on WISM)
AP manager interface IP address: <ap manager IP address>
    (This question will not be asked on 5508 controllers. The address should be from the same
    subnet/VLAN as the management interface above; you should see a message saying same VLAN,
    gateway and netmask as the management interface.)
Virtual gateway IP address: 172.16.253.253 (this must be the same non-routed address on all controllers)
Cisco WLAN Solution Mobility group (RF group) name: <reso>-mobility-<n> (EMEA: <country><reso>-<n>)
Enter the WLAN 1 SSID: IBM (required to answer the question; this WLAN will be deleted)
Allow or disallow static IP addresses for clients (use no for DHCP): no
Configure RADIUS server: no (to be configured later)
Enter country code: US (enter the specific country code: US, DE, AU)
Enable support for 802.11b, 802.11a (2 questions): no (to be configured later)
Enable or disable radio resource management (RRM) (auto RF): yes

The controller should reboot.
Log in using failsafe and the password identified above.
Verify that two (4402 or 5508 small sites) or four (4404 or 5508) ports are enabled (5508
medium sites can optionally use all 8 ports):
Controller> show port summary
Controller> ping <management interface default route address>
If the ports show up and the management interface responds to ping, then the initial install is
complete.
Delete the WLAN created during the dialog script. The correct WLAN profiles are configured later.
Controller> config wlan delete 1
Controller> save config

1.3 Load current Wireless LAN controller code


Current code level as of September 2011 is 6.0.202.0
Controllers supporting AIR-CAP3502 and AIR-LAP1262 WAPs should run 7.0.98.218

Important: Refer to the Cisco Release Notes to ensure that code is upgraded properly. Very old
code versions require upgrading to an intermediate version of code prior to version 6:
https://www.cisco.com/en/US/products/ps6366/prod_release_notes_list.html
Log into the controller management IP address using failsafe via ssh to 9.<x.x.x>
Controller> show sysinfo
Verify the code level.
Code is on the Controller WCS server via TFTP at 9.41.5.184
Hint: due to TFTP speeds across the WAN, a LOCAL TFTP server is strongly recommended.
Version 5.2 and later code supports much faster transfers using FTP.
Set the TFTP download parameters:
transfer download filename <tftp-code-image>.aes
transfer download serverip <ip address of tftp server>
transfer download datatype code
transfer download path <file path> (If using WCS the path is /)
config sessions timeout 160 (to allow for slow downloads)
transfer download start

WAN based TFTP code downloads can take up to 4 hours.

Reload the controller:
Controller> reset system

1.3.1 Config TACACS and Radius Servers


(Americas) Register the controller into the TACACS and wireless RADIUS servers via Lotus email to
ACSADMIN. Edit these lines in Notepad and paste them into the controller.
1. Register the authentication and authorization TACACS servers for your region (US
shown). Enter the shared secrets with exact case and ensure you do NOT have any
trailing spaces at the end of the line. Do not quote the secrets.
2. Disallow controller admin access use of these 7 RADIUS servers and set the retransmit timer to 4
seconds.
3. Define the 7 US RADIUS servers (for EMEA or AP, select in-region servers).
Note: Shared secrets are case specific, should not be quoted and should not have any
embedded or trailing space characters.
config tacacs auth add 1 9.0.4.33 49 ascii <TACACS-shared-secret>
config tacacs auth add 2 9.0.2.33 49 ascii <TACACS-shared-secret>
config tacacs athr add 1 9.0.4.33 49 ascii <TACACS-shared-secret>
config tacacs athr add 2 9.0.2.33 49 ascii <TACACS-shared-secret>
config aaa auth mgmt local TACACS

config radius auth retransmit-timeout 1 4
config radius auth retransmit-timeout 2 4
config radius auth retransmit-timeout 3 4
config radius auth retransmit-timeout 4 4
config radius auth retransmit-timeout 5 4
config radius auth retransmit-timeout 6 4
config radius auth retransmit-timeout 7 4

config radius auth management 1 disable
config radius auth management 2 disable
config radius auth management 3 disable
config radius auth management 4 disable
config radius auth management 5 disable
config radius auth management 6 disable
config radius auth management 7 disable

config radius auth add 1 9.41.5.108 1812 ascii <wireless-shared-secret>
config radius auth add 2 9.17.182.81 1812 ascii <wireless-shared-secret>
config radius auth add 3 9.61.5.108 1812 ascii <wireless-shared-secret>
config radius auth add 4 9.56.5.173 1812 ascii <wireless-shared-secret>
config radius auth add 5 9.27.5.108 1812 ascii <wireless-shared-secret>
config radius auth add 6 9.45.5.108 1812 ascii <wireless-shared-secret>
config radius auth add 7 9.43.5.108 1812 ascii <wireless-shared-secret>

save config

If you make a mistake, you must delete any definitions before re-applying them:
config radius auth delete 1 (repeat for servers 2 to 7)
config tacacs auth delete 1 (repeat for server 2)
config tacacs athr delete 1 (repeat for server 2)
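Because a wrong secret means deleting and re-entering every server definition, it pays to check the pasted block before it reaches the controller. The following Python script is an added example, not part of this guide: it lints a block of config tacacs / config radius lines for the three mistakes the guide warns about (trailing whitespace, quoted secrets, embedded spaces in a secret) and for a missing save config. The command patterns follow the syntax shown above; the sample block and its secrets are constructed placeholders.

```python
"""Lint a pasted block of WLC 'config tacacs'/'config radius' lines.

Added example, not part of the AT&T/IBM guide. Constructed sample input;
the secrets and addresses are placeholders.
"""
import re

# Commands whose last argument is a shared secret (constructed regexes
# following the syntax used in the guide: index, server, port, ascii, secret).
SECRET_CMDS = (
    re.compile(r"^config tacacs (auth|athr|acct) add \d+ \S+ \d+ ascii (?P<secret>.*)$", re.I),
    re.compile(r"^config radius (auth|acct) add \d+ \S+ \d+ ascii (?P<secret>.*)$", re.I),
)


def lint_aaa_block(text):
    """Return a list of (line_number, message); an empty list means clean.

    Line number 0 is used for block-level problems (missing 'save config').
    """
    problems = []
    saw_save = False
    for n, raw in enumerate(text.splitlines(), start=1):
        if raw != raw.rstrip():
            # The controller would store the trailing blank as part of the secret.
            problems.append((n, "trailing whitespace on line"))
        line = raw.strip()
        if not line:
            continue
        if line.lower() == "save config":
            saw_save = True
            continue
        for pat in SECRET_CMDS:
            m = pat.match(line)
            if not m:
                continue
            secret = m.group("secret")
            if not secret:
                problems.append((n, "missing shared secret"))
            elif secret[0] in "\"'" or secret[-1] in "\"'":
                problems.append((n, "secret is quoted; the quotes would be stored literally"))
            if " " in secret.strip():
                problems.append((n, "embedded space in secret"))
            break
    if not saw_save:
        problems.append((0, "block does not end with 'save config'"))
    return problems


# Constructed sample: line 2 has a trailing space, line 3 a quoted secret,
# line 4 an embedded space. Line 1 and the save are fine.
SAMPLE = "\n".join([
    "config tacacs auth add 1 9.0.4.33 49 ascii T4cacsSecret",
    "config tacacs auth add 2 9.0.2.33 49 ascii T4cacsSecret" + " ",
    'config radius auth add 1 9.41.5.108 1812 ascii "WirelessSecret"',
    "config radius auth add 2 9.17.182.81 1812 ascii Wireless Secret",
    "save config",
])

if __name__ == "__main__":
    for line_no, msg in lint_aaa_block(SAMPLE):
        print(f"line {line_no}: {msg}")
```

Run it against the block you intend to paste (read the file into lint_aaa_block) and fix every reported line first; a clean result is an empty list.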

1.3.2 Create AL_CPU_ACCESS access control list


Paste the following ACL commands.
config acl create AL_CPU_ACCESS
config acl counter start
config acl rule add AL_CPU_ACCESS 1
config acl rule direction AL_CPU_ACCESS 1 in
config acl rule source address AL_CPU_ACCESS 1 10.0.0.0 255.0.0.0
config acl rule add AL_CPU_ACCESS 2
config acl rule destination port range AL_CPU_ACCESS 2 161 161
config acl rule protocol AL_CPU_ACCESS 2 17
config acl rule action AL_CPU_ACCESS 2 permit
config acl rule direction AL_CPU_ACCESS 2 in
config acl rule source address AL_CPU_ACCESS 2 9.0.1.0 255.255.255.0
config acl rule add AL_CPU_ACCESS 3
config acl rule destination port range AL_CPU_ACCESS 3 161 161
config acl rule protocol AL_CPU_ACCESS 3 17
config acl rule action AL_CPU_ACCESS 3 permit
config acl rule direction AL_CPU_ACCESS 3 in
config acl rule source address AL_CPU_ACCESS 3 9.0.2.0 255.255.255.0
config acl rule add AL_CPU_ACCESS 4
config acl rule destination port range AL_CPU_ACCESS 4 161 161
config acl rule protocol AL_CPU_ACCESS 4 17
config acl rule action AL_CPU_ACCESS 4 permit
config acl rule direction AL_CPU_ACCESS 4 in
config acl rule source address AL_CPU_ACCESS 4 9.0.3.0 255.255.255.0
config acl rule add AL_CPU_ACCESS 5
config acl rule destination port range AL_CPU_ACCESS 5 161 161
config acl rule protocol AL_CPU_ACCESS 5 17
config acl rule action AL_CPU_ACCESS 5 permit
config acl rule direction AL_CPU_ACCESS 5 in
config acl rule source address AL_CPU_ACCESS 5 9.0.4.0 255.255.255.0
config acl rule add AL_CPU_ACCESS 6
config acl rule destination port range AL_CPU_ACCESS 6 161 161
config acl rule protocol AL_CPU_ACCESS 6 17
config acl rule action AL_CPU_ACCESS 6 permit
config acl rule direction AL_CPU_ACCESS 6 in
config acl rule source address AL_CPU_ACCESS 6 9.0.5.0 255.255.255.0
config acl rule add AL_CPU_ACCESS 7
config acl rule destination port range AL_CPU_ACCESS 7 161 161
config acl rule protocol AL_CPU_ACCESS 7 17
config acl rule action AL_CPU_ACCESS 7 permit
config acl rule direction AL_CPU_ACCESS 7 in
config acl rule source address AL_CPU_ACCESS 7 9.0.6.0 255.255.255.0
config acl rule add AL_CPU_ACCESS 8
config acl rule destination port range AL_CPU_ACCESS 8 161 161
config acl rule protocol AL_CPU_ACCESS 8 17
config acl rule action AL_CPU_ACCESS 8 permit
config acl rule direction AL_CPU_ACCESS 8 in
config acl rule source address AL_CPU_ACCESS 8 9.0.7.0 255.255.255.0
config acl rule add AL_CPU_ACCESS 9
config acl rule destination port range AL_CPU_ACCESS 9 161 161
config acl rule protocol AL_CPU_ACCESS 9 17
config acl rule action AL_CPU_ACCESS 9 permit
config acl rule direction AL_CPU_ACCESS 9 in
config acl rule source address AL_CPU_ACCESS 9 9.0.8.0 255.255.255.0
config acl rule add AL_CPU_ACCESS 10
config acl rule destination port range AL_CPU_ACCESS 10 161 161
config acl rule protocol AL_CPU_ACCESS 10 17
config acl rule action AL_CPU_ACCESS 10 permit
config acl rule direction AL_CPU_ACCESS 10 in
config acl rule source address AL_CPU_ACCESS 10 9.0.9.0 255.255.255.0
config acl rule add AL_CPU_ACCESS 11
config acl rule destination port range AL_CPU_ACCESS 11 161 161
config acl rule protocol AL_CPU_ACCESS 11 17
config acl rule action AL_CPU_ACCESS 11 permit
config acl rule direction AL_CPU_ACCESS 11 in
config acl rule source address AL_CPU_ACCESS 11 9.17.5.0 255.255.255.0
config acl rule add AL_CPU_ACCESS 12
config acl rule destination port range AL_CPU_ACCESS 12 161 161
config acl rule protocol AL_CPU_ACCESS 12 17
config acl rule action AL_CPU_ACCESS 12 permit
config acl rule direction AL_CPU_ACCESS 12 in
config acl rule source address AL_CPU_ACCESS 12 9.27.5.0 255.255.255.0
config acl rule add AL_CPU_ACCESS 13
config acl rule destination port range AL_CPU_ACCESS 13 161 161
config acl rule protocol AL_CPU_ACCESS 13 17
config acl rule action AL_CPU_ACCESS 13 permit
config acl rule direction AL_CPU_ACCESS 13 in
config acl rule source address AL_CPU_ACCESS 13 9.0.33.0 255.255.255.0
config acl rule add AL_CPU_ACCESS 14
config acl rule destination port range AL_CPU_ACCESS 14 161 161
config acl rule protocol AL_CPU_ACCESS 14 17
config acl rule action AL_CPU_ACCESS 14 permit
config acl rule direction AL_CPU_ACCESS 14 in
config acl rule source address AL_CPU_ACCESS 14 9.41.5.0 255.255.255.0
config acl rule add AL_CPU_ACCESS 15
config acl rule destination port range AL_CPU_ACCESS 15 161 161
config acl rule protocol AL_CPU_ACCESS 15 17
config acl rule action AL_CPU_ACCESS 15 permit
config acl rule direction AL_CPU_ACCESS 15 in
config acl rule source address AL_CPU_ACCESS 15 9.43.5.0 255.255.255.0
config acl rule add AL_CPU_ACCESS 16
config acl rule destination port range AL_CPU_ACCESS 16 161 161
config acl rule protocol AL_CPU_ACCESS 16 17
config acl rule action AL_CPU_ACCESS 16 permit
config acl rule direction AL_CPU_ACCESS 16 in
config acl rule source address AL_CPU_ACCESS 16 9.45.5.0 255.255.255.0
config acl rule add AL_CPU_ACCESS 17
config acl rule destination port range AL_CPU_ACCESS 17 161 161
config acl rule protocol AL_CPU_ACCESS 17 17
config acl rule action AL_CPU_ACCESS 17 permit
config acl rule direction AL_CPU_ACCESS 17 in
config acl rule source address AL_CPU_ACCESS 17 9.56.5.0 255.255.255.0
config acl rule add AL_CPU_ACCESS 18
config acl rule destination port range AL_CPU_ACCESS 18 161 161
config acl rule protocol AL_CPU_ACCESS 18 17
config acl rule action AL_CPU_ACCESS 18 permit
config acl rule direction AL_CPU_ACCESS 18 in
config acl rule source address AL_CPU_ACCESS 18 9.61.5.0 255.255.255.0
config acl rule add AL_CPU_ACCESS 19
config acl rule destination port range AL_CPU_ACCESS 19 161 161
config acl rule protocol AL_CPU_ACCESS 19 17
config acl rule action AL_CPU_ACCESS 19 permit
config acl rule direction AL_CPU_ACCESS 19 in
config acl rule source address AL_CPU_ACCESS 19 135.89.176.0 255.255.255.0
config acl rule add AL_CPU_ACCESS 20
config acl rule destination port range AL_CPU_ACCESS 20 161 161
config acl rule protocol AL_CPU_ACCESS 20 17
config acl rule action AL_CPU_ACCESS 20 permit
config acl rule direction AL_CPU_ACCESS 20 in
config acl rule source address AL_CPU_ACCESS 20 135.89.45.0 255.255.255.0
config acl rule add AL_CPU_ACCESS 21
config acl rule destination port range AL_CPU_ACCESS 21 443 443
config acl rule protocol AL_CPU_ACCESS 21 6
config acl rule action AL_CPU_ACCESS 21 permit
config acl rule direction AL_CPU_ACCESS 21 in
config acl rule source address AL_CPU_ACCESS 21 9.0.0.0 255.0.0.0
config acl rule add AL_CPU_ACCESS 22
config acl rule destination port range AL_CPU_ACCESS 22 22 22
config acl rule protocol AL_CPU_ACCESS 22 6
config acl rule action AL_CPU_ACCESS 22 permit
config acl rule direction AL_CPU_ACCESS 22 in
config acl rule source address AL_CPU_ACCESS 22 9.0.0.0 255.0.0.0
config acl rule add AL_CPU_ACCESS 23
config acl rule destination port range AL_CPU_ACCESS 23 443 443
config acl rule protocol AL_CPU_ACCESS 23 6
config acl rule direction AL_CPU_ACCESS 23 in
config acl rule add AL_CPU_ACCESS 24
config acl rule destination port range AL_CPU_ACCESS 24 22 22
config acl rule protocol AL_CPU_ACCESS 24 6
config acl rule direction AL_CPU_ACCESS 24 in
config acl rule add AL_CPU_ACCESS 25
config acl rule destination port range AL_CPU_ACCESS 25 161 161
config acl rule protocol AL_CPU_ACCESS 25 17
config acl rule direction AL_CPU_ACCESS 25 in
config acl rule add AL_CPU_ACCESS 26
config acl rule action AL_CPU_ACCESS 26 permit

Verify the ACL was entered correctly


show acl detailed AL_CPU_ACCESS
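The show acl detailed output only confirms what was typed; it does not tell you what the list will do to a given packet. The Python script below is an added example, not part of this guide or of Cisco's software: it parses config acl rule lines in the syntax used above into rule records and evaluates a packet against them, so the intent of AL_CPU_ACCESS (block the 10/8 guest space from the CPU, allow SNMP only from the listed management subnets, allow SSH/HTTPS only from 9/8, let everything else such as CAPWAP and DHCP through) can be checked before the list is applied. The evaluation model is an assumption, not verified against the controller: rules are tried in ascending index order and the first match wins, a rule with no explicit action denies, an unset source/protocol/port matches anything, and no match at all denies. The rule set is a constructed subset of the list above (indices kept as in the guide) and the packets are constructed.

```python
"""Parse Cisco WLC 'config acl rule ...' lines and evaluate the CPU ACL.

Added example, not part of the AT&T/IBM guide. Assumed semantics (not
verified against the controller): first match in index order wins, a rule
with no explicit action denies, unset fields match anything, and no match
at all denies.
"""
import ipaddress

# Constructed subset of the guide's AL_CPU_ACCESS list; indices as in the guide.
SAMPLE_RULES = """
config acl create AL_CPU_ACCESS
config acl rule add AL_CPU_ACCESS 1
config acl rule direction AL_CPU_ACCESS 1 in
config acl rule source address AL_CPU_ACCESS 1 10.0.0.0 255.0.0.0
config acl rule add AL_CPU_ACCESS 2
config acl rule destination port range AL_CPU_ACCESS 2 161 161
config acl rule protocol AL_CPU_ACCESS 2 17
config acl rule action AL_CPU_ACCESS 2 permit
config acl rule direction AL_CPU_ACCESS 2 in
config acl rule source address AL_CPU_ACCESS 2 9.0.1.0 255.255.255.0
config acl rule add AL_CPU_ACCESS 21
config acl rule destination port range AL_CPU_ACCESS 21 443 443
config acl rule protocol AL_CPU_ACCESS 21 6
config acl rule action AL_CPU_ACCESS 21 permit
config acl rule direction AL_CPU_ACCESS 21 in
config acl rule source address AL_CPU_ACCESS 21 9.0.0.0 255.0.0.0
config acl rule add AL_CPU_ACCESS 23
config acl rule destination port range AL_CPU_ACCESS 23 443 443
config acl rule protocol AL_CPU_ACCESS 23 6
config acl rule direction AL_CPU_ACCESS 23 in
config acl rule add AL_CPU_ACCESS 25
config acl rule destination port range AL_CPU_ACCESS 25 161 161
config acl rule protocol AL_CPU_ACCESS 25 17
config acl rule direction AL_CPU_ACCESS 25 in
config acl rule add AL_CPU_ACCESS 26
config acl rule action AL_CPU_ACCESS 26 permit
""".strip().splitlines()


def parse_acl_rules(lines):
    """Return {acl_name: {index: rule_dict}} from 'config acl rule ...' lines."""
    acls = {}
    for raw in lines:
        p = raw.split()
        if p[:3] != ["config", "acl", "rule"]:
            continue  # create/counter/apply lines carry no rule fields
        kind = p[3]
        if kind == "add":
            # New rule: assumed defaults are action deny, direction any.
            acls.setdefault(p[4], {})[int(p[5])] = {"action": "deny", "direction": "any"}
        elif kind in ("direction", "action"):
            acls[p[4]][int(p[5])][kind] = p[6]
        elif kind == "protocol":
            acls[p[4]][int(p[5])]["protocol"] = int(p[6])
        elif kind == "source" and p[4] == "address":
            # 'address mask' form; ipaddress accepts a dotted netmask after '/'.
            acls[p[5]][int(p[6])]["source"] = ipaddress.ip_network(
                f"{p[7]}/{p[8]}", strict=False)
        elif kind == "destination" and p[4:6] == ["port", "range"]:
            acls[p[6]][int(p[7])]["dport"] = (int(p[8]), int(p[9]))
        else:
            raise ValueError(f"unsupported rule field: {raw}")
    return acls


def evaluate(acl, src_ip, proto, dport, direction="in"):
    """Return (matching rule index, action) for one packet sent to the CPU."""
    src = ipaddress.ip_address(src_ip)
    for idx in sorted(acl):
        r = acl[idx]
        if r["direction"] not in ("any", direction):
            continue
        if "source" in r and src not in r["source"]:
            continue
        if "protocol" in r and r["protocol"] != proto:
            continue
        if "dport" in r and not (r["dport"][0] <= dport <= r["dport"][1]):
            continue
        return idx, r["action"]
    return None, "deny"  # assumed implicit deny when nothing matches


CPU_ACL = parse_acl_rules(SAMPLE_RULES)["AL_CPU_ACCESS"]

if __name__ == "__main__":
    # Constructed packets: (label, source, IP protocol number, destination port)
    for label, src, proto, port in [
        ("SNMP from listed mgmt subnet", "9.0.1.7", 17, 161),
        ("SNMP from guest 10/8", "10.1.2.3", 17, 161),
        ("SNMP from other 9/8 host", "9.5.5.5", 17, 161),
        ("HTTPS from 9/8", "9.5.5.5", 6, 443),
        ("HTTPS from outside 9/8", "135.89.176.5", 6, 443),
        ("DHCP (udp/67) from 9/8", "9.5.5.5", 17, 67),
    ]:
        print(f"{label:30} -> {evaluate(CPU_ACL, src, proto, port)}")
```

Feed it the full pasted block instead of SAMPLE_RULES to check the complete list; because rule 1 precedes every permit, a 10.x.x.x source can never reach the management services regardless of the later rules, which is the ordering property worth confirming after any edit to the list.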


1.3.3 Apply the ACL (note different syntax for V6 and V7 code)
config acl apply AL_CPU_ACCESS
config acl cpu AL_CPU_ACCESS both

*** (for V7 controller code only) ***

config acl cpu AL_CPU_ACCESS

save config

1.3.4 Test TACACS (Americas, AP)


While keeping the current SSH session open, open a web browser session to
https://<controller-management-ip>
Log in via HTTPS using your TACACS ID (accept the self-signed certificate).
If the TACACS ID works properly, change the AAA order to the PDT standard:
config aaa auth mgmt TACACS local
save config
Test the TACACS ID again.

1.3.5 Generate Webadmin/SSH self signed certificate and disable controller handling of DHCP helper for client users

config certificate generate webadmin
config dhcp proxy disable
config prompt <hostname>
save config
reset system
(reboot the controller for the SSH certificate to take effect)


2 Web based detail configuration


The remaining configuration of the controller can be done via HTTP or the SSH console.
Note that while commands can be pasted into the SSH console, there is no simple way to copy an edited
startup config into the controller.
When configuring, do not forget to click Save Configuration at the top right of the web screen or
issue the command save config from the SSH session.
You can show your current configuration via the SSH session using:
Controller> config paging disable
Controller> show run-config commands

Log into the controller:


2.1 Controller Tab


2.1.1 Controller - General

1. Verify and enter the hostname into the Name field.
2. Verify LAG mode on next reboot is Enabled.
3. Set Fast SSID change to Enabled.
4. Default mobility domain name: <reso>-mobility-<1 | 2 | 3>. One common name for all
   controllers that may support the same APs in the same site where users may roam from building to
   building.
5. Default RF group name (<reso>-rfgroup-<1 | 2 | 3>): select a common group name for all
   controllers serving APs that are within radio range of each other.
6. Click Apply and Save Configuration.


2.1.2 Controller NTP

1. Click New
2. Enter NTP server 1
3. Click Apply
4. Enter NTP server 2
5. Click Apply and Save Configuration

2.1.3 Controller Interfaces

Verify that Management and AP-Manager exist in VLAN 4001 and that the Virtual interface is set to
1.1.1.1

Click New.

Create default-non-usable VLAN ID 4093. Do NOT put this VLAN on WD/CD/UD or any
switch port to any controller. This VLAN is a default non-functioning subnet used to park new
Access Points (APs) prior to their being configured on the controller. This reduces the risk of the
IBMVISITOR SSID mistakenly mapping to an IBM 9.x.x.x subnet.

Fill in the required private address information. Use 192.168.253.353, netmask
255.255.255.0, default gateway .1, DHCP server .1.

Click Apply, Click Save Configuration

2.1.4 Create IBM Wireless VLANs

Click New, enter VLAN-<vlan#>-IBM, VLAN id: <vlan #>, click Apply.

Fill in the VLAN IP address, netmask (/23 or /24) and default gateway from the controller
address spreadsheet. Start the IP addressing at the .5 address in the user subnet (same addressing as a
User Access switch).
Fill in the primary and secondary DHCP servers.
Click Apply.
Repeat for each IBM VLAN needed.

2.1.5 Guest VLANs


Do the same for all guest VLANs. Guest VLANs correspond one to one with the
IBM VLANs. (Example: IBM 9.1.2.0/23 will result in creation of a corresponding guest
VLAN 10.1.2.0/23.) Note: for controllers supporting HREAP WAPs, this address will be
placed on the central controller and will map to the corresponding IBM 9.x.x.x Blue subnet
on the UA switches at the HREAP site.

Enter VLAN name VLAN-<vlan #>-GUEST and VLAN id: <vlan #>

1. Fill in the Guest VLAN information.
2. IP addresses map 1 to 1 to the corresponding IBM VLAN except they are 10.x.x.x instead of
   9.x.x.x. Netmask /24 or /23 (same as the IBM net). Default gateway .1 (tail end 2821 VE
   router). The DHCP server is the tail end router gateway address.
3. Start the IP addresses in the VLAN at the .5 address in the subnet. Each controller
   serving this VLAN should have a unique IP address.
   Click Apply, Click Save Configuration
4. Repeat for each guest VLAN needed.

2.1.6 Controller Mobility management

The MAC address and Management IP address for this controller should display.
Click New.
Enter the MAC address and Management IP address of all controllers in the same Layer 2
domain. (The MAC address is visible on the Controller Inventory screen.)
Hint: do this on one controller, then click EditAll and copy the information for
pasting into the other controllers serving the same site access points.
Click Apply.
Note: Verify the mobility configuration by using SSH console level commands:
Controller> mping <ip-address-of-mobility-member-controllers>
Controller> eping <ip-address-of-mobility-member-controllers>
The mping command is a special controller-only command that validates the LWAPP/CAPWAP
connection between the controller members of the same mobility group. This is important to manage
shared radio management, AP discovery, and client roam decisions.
The eping command is a special command that validates the ability of the controller to establish an
Ethernet-over-IP layer 2 link between different controllers in the same mobility group. This feature is
critical to allow client users to maintain their original IP address as they roam between different
controllers in the same mobility group.

20

2.2 Management Tab


2.2.1 Management SNMP

1. Click General on left
2. Enter hostname
3. SNMP location
4. Contact (DNUS Manage now queue name)
5. SNMP v1 enable
6. Click Apply

Click Communities
Click New

1. Enter RO community string
2. Address and Netmask 0.0.0.0
3. Access mode Read Only, Status enable
4. Click Apply.
5. Repeat for RW community string.
6. RW address and netmask is 0.0.0.0

2.2.2 Management - Trap Receivers

1. Click New
2. Enter community name and IP address for WCS server (Currently in US 9.41.5.184)
3. Status enable
4. For US and Canada only: Add two SNMP trap destinations for iGEMS servers. Call these
   community names IGEMS1 and IGEMS2 per the following rule.
   a. If the Controller hostname begins with letters a through f or digits 0 through 9,
      enter 135.89.176.120 and 135.89.45.120 as SNMP trap destinations
   b. If the Controller hostname begins with letters g through z, enter 135.89.45.121
      and 135.89.176.121 as SNMP trap destinations
   c. For all controllers installed in Canada, enter 135.89.176.122 and 135.89.45.122 as
      SNMP trap destinations.
5. For other global regions, enter the appropriate IGEMS or NetView trap destinations.
6. Click Apply and Save Configuration

2.2.3 Management - Syslog Server


Click Management Tab, Expand Logs on left, Select config

1. Enter IP address of Syslog server (US Wireless LAN syslog server is 9.0.6.151)
2. Click Add
3. Click Apply
4. Save Configuration

2.2.4 Management - Local management Users

Verify the Failsafe user id has read-write access.

If incorrect, delete it via the blue pull-down on the right (select Remove) and then click
New to re-create the ID with ReadWrite access.
Note: the only way to change an admin password is to delete the account and re-create it with a
new password.

2.3 Security Tab


Click Security tab
Verify or define Radius servers here. Note: This step can be skipped if you did them via the
command line in the initial config chapter 1 above. Radius shared secrets can be changed here if
necessary.

2.3.1 Security Radius

Expand Radius on left
Click New

1. Fill in IP address of First Wireless Radius server.
2. Shared secret format ASCII
3. Enter Shared secret and confirm shared secret (From ACSADMIN request)
4. Service Status Enabled
5. RFC 3576 Enabled
6. Server timeout 4 seconds
7. Network User Check enable
8. Management Not Checked
9. IPSEC Not Checked
10. Click Apply
Repeat this step for each of the below US radius servers

ACS Server name                      IP
ausk-cs-lc01-en0.austin.ibm.com      9.41.5.108
bldknms10.boulder.ibm.com            9.17.182.81
btvk-cs-lc01-en0.btv.ibm.com         9.61.5.108
pokknms16.srv.ibm.com                9.56.5.173
rtpknms10.raleigh.ibm.com            9.27.5.108
sbyknms12.sby.ibm.com                9.45.5.108
snjk-cs-lc01-en0.sanjose.ibm.com     9.43.5.108

When done click Save Configuration

2.3.2 Security - Verify TACACS


Expand TACACS
Select Authentication

Verify the two TACACS servers 9.0.4.33 and 9.0.2.33 are defined and Enabled.
Click on Index 1 and 2 to edit if necessary. Server timeout is 5 seconds.

Repeat this step for TACACS Authorization: servers 9.0.4.33 and 9.0.2.33 should be
defined and enabled.

2.3.3 Security AP Policies

1. Check Accept Self Signed certificate (SSC)
2. Click Apply

2.3.5 Security - Priority Order > Management User
Verify this: (US, AP only) Expand Priority Order, Select Management User

1. Use > and < buttons to send TACACS+ and LOCAL to order used for
Authentication.
2. Use Up and Down to make TACACS+ the first service attempted.

2.3.6 Security Wireless Protection Policies


1. Expand Wireless Protection policies on left
2. Expand Rogue Policies
3. Select General
4. Verify Detect and report Ad-Hoc Networks is NOT checked
5. Click Apply and Save Configuration

2.4 Commands Tab


2.4.1 Commands Set Time

(Set Timezone)

Select Commands Tab, Click Set Time on left

Time should be set via NTP

1. Set Timezone from pull down
2. Click Set Timezone
3. Click Save Configuration

2.5 WLANs tab


2.5.1 WLANs - Wireless LAN definition
In this section we will define three (3) wireless LAN profiles. They are:

Profile      SSID         WLAN #   Encryption
IBM-WPA1     IBM          20       WPA2 with AES
IBM-WPA2     IBM          21       WPA1 with TKIP
IBMVISITOR   IBMVISITOR   22       NONE

Note: these WLANs must start at WLAN profile #20 to ensure that APs will not serve
these SSIDs to users until the APs are properly configured into their correct AP VLAN
GROUP.

IBM-WPA2 Profile

2.5.2 IBM-WPA2 profile WLANs Edit


Note: If there is a single existing IBM profile from the console dialog then remove it. (Put a
checkmark in the line, select Remove Selected and press Go.)
Create IBM-WPA2 Profile (SSID IBM)

Select Create New on right, Click Go

1. Enter Type: WLAN
2. Enter Profile Name IBM-WPA2
3. Enter SSID IBM
4. Select WLAN ID #20 for this profile
5. Click Apply

2.5.3 IBM-WPA2 profile WLANs -Edit - General tab

1. Status Enabled Not checked (do not enable until controller config is complete)
2. Radio Policy All
3. Interface default-non-usable (actual VLAN is assigned later using AP Group feature
when Access points are installed and configured on the controller)
4. Broadcast SSID check Enabled


2.5.4 IBM-WPA2 profile WLANs Edit Security Layer 2


Click layer 2 subtab

Select WPA+WPA2 in Pull down


WPA+WPA2 Parameters:
WPA policy NOT checked
WPA2 Policy Checked
WPA 2 Encryption AES Checked, TKIP Not checked
Auth Key Mgmt: 802.1x

2.5.5 IBM-WPA2 profile WLANs Edit Security AAA Servers

1. Under Authentication Servers, select three of the previously defined ACS servers for this
   WLAN, chosen according to the load balance design and proximity, as Server 1,
   Server 2 and Server 3.
2. Click Apply and Save Configuration

2.5.6 IBM-WPA2 profile WLANs Edit Advanced


Click Advanced Tab

1. Click Enable Session Timeout
2. Fill in value of 43200 for session timeout
3. Click Client Exclusion 60 seconds
4. Click DHCP address assignment required
5. If this controller is designated to support HREAP Branch office sites, check HREAP
   local switching enabled
6. Click Apply, Save Configuration

2.6 IBM-WPA1 Profile


2.6.1 IBM-WPA1 profile WLANs Edit
Create IBM-WPA1 Profile (SSID IBM)
Under WLANs tab, select Create New and click Go

1. Enter Type: WLAN
2. Enter Profile Name IBM-WPA1
3. Enter SSID IBM
4. Select WLAN ID #21 for this profile
5. Click Apply

2.6.2 IBM-WPA1 profile WLANs Edit General tab

1. Status Enabled Not checked (do not enable until controller config is complete)
2. Radio Policy All
3. Interface default-non-usable
4. Broadcast SSID check Enabled

2.6.3 IBM-WPA1 profile WLAN Edit Security Layer 2 tab


This WLAN has the same settings as the previous WPA2 profile except that we enable only WPA1
with TKIP encryption.
Click Security tab, and Layer 2 subtab.

Select WPA+WPA2 in Pull down

WPA+WPA2 Parameters:
WPA policy checked
WPA2 Policy NOT Checked
WPA Encryption AES NOT Checked, TKIP checked
Auth Key Mgmt: 802.1x

Complete configuration of the WLAN IBM-WPA1 profile following the same steps as the IBM-WPA2
WLAN profile, continuing from step WLANs Edit Security AAA Servers above.

2.6.4 WLANs Edit Create IBMVISITOR Profile (SSID IBMVISITOR)


This WLAN profile will define the guest internet access SSID. This SSID will not have any
security policy. Like the other WLAN profiles it will have a default VLAN mapping to the non-routed
default-non-usable VLAN. The actual VLAN definition will occur when wireless APs are
configured and are assigned to an AP VLAN group in the Access Point Installation and
Configuration chapter of this document.
This Wireless LAN will not have any Layer 2 or Layer 3 authentication configured. Access
control to the Internet through this SSID is managed via the Cisco 2821 Tail end VE router that
is connected to the WD/CD/UD A router.

The main WLANs tab should look like the capture below.

1. Select Create New
2. Click Go

1. Enter IBMVISITOR into both Profile Name and SSID fields.
2. Select WLAN ID #22 for this profile
3. Click Apply

2.7 IBMVISITOR WLAN Edit General

1. Status Enabled NOT checked (this will be enabled later when the APs are fully
configured)
2. Radio policy all
3. Interface default-non-usable
4. Broadcast SSID enabled

2.7.1 IBMVISITOR WLAN Edit Security Layer 2

1. Select None for Layer 2 Security
2. Click Apply
3. Click Save Configuration

2.7.2 IBMVISITOR WLAN Edit Advanced


Click Advanced tab

1. Check or uncheck fields as noted
   a. Check Coverage Hole Detection enabled
   b. Check DHCP Addr Assignment Required
   c. Client Exclusion NOT checked
   d. H-REAP Local Switching NOT checked
2. Click Apply
3. Click Save configuration
The completed WLAN setup screen should look like the capture below, showing the three WLANs.

2.7.3 Wireless Access Points Global configuration


In this section, global parameters that apply to all APs joined to this controller are specified.

2.7.4 Wireless 802.11a/n Network


Expand Network under 802.11a/n at left

1. 802.11a Network Status check Enabled
2. Data Rates
   a. 6 Mbps Supported
   b. 9 Mbps Supported
   c. 12 Mbps Mandatory
   d. 18 Mbps Supported
   e. 24 Mbps Mandatory
   f. 36-54 Mbps all Supported
3. Check ClientLink

2.7.5 Wireless 802.11a/n RRM DCA


This section enables 5 GHz 802.11a/n automatic radio resource management with automatic
channel assignments occurring every night at 2 AM.
Click RRM under 802.11a/n at left
Select DCA (Dynamic Channel Assignment)

1. Channel Assignment check Automatic
2. Interval 24 hours
3. Anchor time 2 (for 2:00 AM update time)
4. Click Apply, Save Configuration

2.7.6 Wireless 802.11b/g/n Network


Expand Network under 802.11b/g/n at left

1. 802.11b/g Network Status Enabled
2. 802.11g Support Enabled
3. ClientLink Disabled
4. Data Rates
   a. 1 Mbps Disabled
   b. 2 Mbps Disabled
   c. 5.5 Mbps Supported
   d. 6 Mbps Disabled
   e. 9 Mbps Disabled
   f. 11 Mbps Mandatory
   g. 12 Mbps Supported
   h. 18 Mbps Supported
   i. 24 Mbps Mandatory
   j. 36-54 Mbps Supported
5. Click Apply

2.7.7 Wireless 802.11b/g/n RRM DCA


This section enables 2.4 GHz 802.11b/g/n automatic radio resource management with automatic
channel assignments occurring every night at 2 AM.
Click RRM under 802.11b/g/n at left
Select DCA (Dynamic Channel Assignment)

1. Channel Assignment check Automatic
2. Interval 24 hours
3. Anchor time 2
4. Click Apply
5. Click Save Configuration

This completes the Base configuration.

Click Save Configuration
Further configuration will be needed to define AP VLAN Groups based on the AP Building and
Floor locations and to configure APs with their NAME, Primary and Backup Controllers, and
defined AP groups.

2.8 Save Configuration to WCS server


Select Commands tab
Click Upload File on left

1. File type Configuration
2. Do NOT check file encryption
3. Transfer Mode TFTP
4. IP address of WCS server: 9.41.5.184
5. File name should default to the generated name from the Controller IP and today's date.
6. Click Upload
7. Wait: should display Operation completed Successfully

This completes the base configuration of the controller. Access points are configured in Section
3 below.
You can also view the configuration commands by logging in via SSH to the controller and
issuing the following command:
Controller> show run-config commands
Screen paging can be disabled with the command:
Controller> config paging disable

3 Controller based Access Point configuration


3.1 Mapping Wireless LANs (WLANs) to Subnets (VLANS) using AP
GROUP VLAN feature
All Controllers deployed to the IBM Global Account standard will be defined to use the AP
Group VLAN feature. With this feature groups of APs are defined based on their geographic
location.
Advantages of AP Groups include:
1. Controllers can be deployed using PDT standard /23 and /24 subnet sizes and still allow
for seamless roaming between APs defined in different AP Groups and VLANs
2. VLANs can be added to the controller and the distribution switches as needed and new
AP Groups can be defined to accommodate new APs.
3. AP groups allow for smaller broadcast domains for each user connected to controllers
with potentially large number of Access points
4. AP groups allow control of the number of users per IP subnet in a fashion to reduce the
risk of IP DHCP address pool depletion.

3.1.1 How AP groups work


In the Figure below, we have defined two AP groups, each supporting APs in a contiguous area
of the fictional Austin Building 83.
This building has 2 AP groups defined. Access Points installed on the 1st and 2nd floors of this
building are assigned to AP group AUS-B83-FLOORS-1-2. Access Points installed on the
top two floors of this building are assigned to AP Group AUS-B83-FLOORS-2-4.
1. If an IBM user on a Blue laptop connects to the Wireless SSID IBM on the 4th floor
   of this building, he will associate with controller wireless profile IBM-WPA1 or IBM-WPA2
   (depending on his client adaptor), will be placed into VLAN 2001 and will get an
   IP address in the blue 9.2.4.0/23 subnet
2. When a non-IBM Visitor on a Red laptop connects to the IBMVISITOR SSID on the 3rd
   or 4th floor of this building they will be connected to VLAN 2021 and get an Internet-only
   address in the 10.2.4.0/23 subnet
3. Likewise users connecting to IBM or IBMVISITOR on the 1st or 2nd floors of this
   building will be assigned to either VLAN 2002 (9.1.2.0/23) or VLAN 2021 (10.1.2.0/23)
   respectively.
4. When a user moves between floors and connects to an AP in a different AP group, the
   controllers will activate their auto-anchor roaming feature and allow the user to retain
   their original IP address even when roaming to a group of APs assigned to different
   VLANs. This feature works even when those APs are operating on different controllers,
   assuming those controllers are all assigned into the same Mobility group (Controller
   tab, Mobility Management).

3.1.2 Sample AP VLAN Group design


3.1.3 How to plan AP groups:


o Plan each Access Point to accommodate an average of 10 concurrent users
o Plan about 350 user devices for a /23 sized subnet
o Plan about 170 user devices for a /24 sized subnet
o Wireless subnet DHCP lease times should be four (4) hours
o Based on the figures above, plan a maximum of 20 Access Points in an AP group using
  /24 sized VLANs
o Based on the figures above, plan a maximum of about 35 Access Points in an AP group
  using /23 sized VLANs
o Be prepared to adjust VLAN group sizes and the number of APs per AP group based on site
  details including:
  a. Manufacturing areas with multiple work shifts. 2nd shift employees may
     connect requesting DHCP leases before DHCP leases for 1st shift employees have
     expired.
  b. High user density areas (auditoriums, all-wireless sites, cafeteria
     locations).
  c. Sites with high usage of WiFi smartphones or tablets.
o Depending on the layout and user population of a building or site, a single AP group may
  encompass an entire floor of a building, multiple floors of a building or even an entire
  building.
o The key point is that all wireless APs in a single AP group should be physically
  contiguous to each other.
o AP Groups must be named in all capital letters with no spaces.
o AP Group names have a maximum length of 30 characters
  a. Sample AP GROUP Name: KDC-B1630-FL1-3
o AP Groups with identical names must be defined on the primary and all backup
  controllers that the access points may connect to.
o SSIDs are mapped to VLANs when the AP group is defined.
o When adding a new AP GROUP, special care must be taken to properly assign the
  IBMVISITOR and IBM Wireless LANs to the proper guest VLAN. It is for this
  reason that the VLAN interfaces are defined using the naming convention VLAN-200<x>-IBM
  and VLAN-202<X>-GUEST.
o Visitor Internet VLANs are mapped via layer 2 from the controllers through the
  distribution switches onto the 802.1Q trunk to the Visitor Internet (VE) tail end 2821
  Router. Visitor traffic is routed by the VE router over an IPSEC tunnel to the internet
  head end. In the US the head end is configured in the Poughkeepsie Internet DMZ.


3.2 Defining AP Groups


Before starting this step, ensure you have access to the building floor plan maps with their AP
locations defined. Based on this, define AP group names and assign AP membership into each
AP group.
1. Click on the WLANs tab
2. Expand Advanced on the left
3. Click AP Groups

1. Fill in AP group name (All CAPS, no spaces)
2. Fill in description
3. Click Add

3.2.1 AP GROUP process

As outlined in the following steps there are three major steps to creating an AP VLAN group:
1. Create the AP Group name and fill in a description identifying where these Access Points
   are located.
2. Map the two IBM SSID profiles (IBM-WPA2, IBM-WPA1) to the correct IBM VLAN
   for this group. (Exception for HREAP APs: IBM SSIDs are mapped in the VLAN
   group to default-non-usable.) Note both IBM-WPA1 and IBM-WPA2 profiles will
   map to the same VLAN.
3. Map the one IBMVISITOR profile to the correct IBMVISITOR VLAN.
   Note: Special care must be taken to ensure that the IBMVISITOR profile is mapped to
   the correct VLAN. This MUST correspond to a VLAN interface previously created with a
   10.x.x.x guest IP address.
Later, when APs are installed or converted to controller based wireless, they will be assigned to
one of the AP groups on this controller.
Note: AP groups with identical names must be created on the primary, backup and tertiary
controllers that each AP may join. If an AP connects to a controller without its defined AP
group, it will use the default-non-usable VLAN defined on the SSIDs and wireless LAN
connectivity will be disabled.

3.2.2 Configure the VLANs and SSIDs into the AP group.


Click on the name of the AP group just created

1. Select the first IBM SSID profile (note the IBM-WPA2 profile name will not show up)
2. Select the correct IBM VLAN for the interface name.
3. Click Add
4. Click Add New
5. Click the 2nd IBM SSID Profile (note the IBM-WPA1 profile name will not show up)
6. Select the same IBM VLAN profile as in step 2 above to select the correct IBM VLAN
7. Click Add
8. Click Add New
9. Select the IBMVISITOR SSID profile
10. Select the correct VLAN-202x-GUEST VLAN for the IBMVISITOR
11. Click Add, Click Save Configuration
The completed AP group will look like the capture below.

4 Joining and configuring access points to the controller


Adding access points to a controller based environment may involve dealing with as many as
four controllers at any given site. First, new non-configured factory default lightweight APs
will initially join the controller pointed to by the DNS aliases:
Cisco-lwapp-controller.<subdomain>.ibm.com
Cisco-capwap-controller.<subdomain>.ibm.com

Before attempting to join access points to a controller, verify the discovery controller for the
site by doing an NSLOOKUP command to verify these DNS aliases.
c:\>nslookup cisco-lwapp-controller.pok.ibm.com
Server:  POKDNS01.srv.ibm.com
Address:  9.0.2.1

Name:    pok-wc-w3c1a.pok.ibm.com
Address:  9.57.120.139
Aliases:  cisco-lwapp-controller.pok.ibm.com

c:\>

Secondly, each access point must be defined after discovery to operate with a primary and backup
controller. The backup controller will only be used by the access point if the primary controller fails.
The location of the backup controller will be within the same layer 2 distribution block for medium
and large wireless site types. For small site types with a single onsite controller, the backup
controller will be at a large site and will offer layer 3 failover.

4.1.1 AP join process

New APs or newly converted IOS APs will perform their initial discovery of a controller by:
1. Acquiring an IP address from the IBM SCO VLAN using DHCP
2. Using Domain Name Services (DNS) to discover the IP address of the controller host:
   cisco-lwapp-controller.<subdomain>.ibm.com OR cisco-capwap-controller.<subdomain>.ibm.com
3. Connecting to the management IP address of this controller
4. Downloading the controller's version of the wireless AP firmware.
5. Rebooting and re-discovering the controller. Admin Status will be REG
6. NOTE: the AP may re-join a different controller in the same mobility group. If you do
   not see it come back to this screen after registering, then log into the other controllers in
   the same mobility group (view this under Controllers, Mobility Management) to find
   it. Continue configuration.

4.1.2 Controller configuration of AP


New APs will have a hostname of AP<mac-address>. Click on each one to configure.
Configure the AP as follows (shown on the three screen captures below):
1. General tab: fill in AP hostname and detailed location information
2. High Availability tab: fill in primary and backup controller. The primary controller may
   be a different controller than the one initially discovered by this AP. Fill in just the
   controller hostnames without domain information AND the management IP address.
3. Advanced tab: from the AP VLAN group, pick the previously created AP VLAN
   group for this AP. All APs in a given building area (15-25 APs for /24 sized subnets and
   26-40 APs for /23 sized subnets) must be in the same defined VLAN group.
Note: see chapter 6 for additional details on configuring HREAP access points.
Click Apply. The AP will reboot (click OK to allow) and if this is not the primary controller,
it will join that controller. Log into the primary controller and verify the AP's configuration.

General tab:
Fill in AP name and Location

High Availability tab: Fill in primary and backup controller name and IP.
Click Apply. APs will reboot one last time with their new VLAN group.
Click Save Configuration

Advanced tab: select proper AP Group name.

Advanced tab: select Enable Link Latency
Click Apply and Save Configuration

4.1.3 Post installation testing

After configuration of all APs being installed or upgraded, a local walk-around test must be
performed to ensure that users can connect, authenticate with their wireless userid and get an IP
address. This test should be done using a laptop configured to connect and authenticate with an
IBM BlueWireless userid and password. If this location is supporting IBMVISITOR guest
access, then test to see if the IBMVISITOR guest login webpage is available.
Log into the access switch and do a show interface on each LAN port connected to the access
points to ensure that they have negotiated the correct port speed and duplex and do not show any
port errors.

5 HREAP - Hybrid Remote Edge Access Point installation


Hybrid REAP access points are deployed at the smallest controller site type, typically branch
offices where the number of WAPs installed will never exceed 20.
Advantages of HREAP include:
1. No local controllers are installed at the HREAP site
2. You still get full controller management of RF channels, transmit power levels, rogue
   detection and AP roaming.
3. No Visitor internet tail end router needs to be provisioned at the HREAP site.
   IBMVISITOR service is accessed through the shared tail end router located at the
   centralized controller site.
Key points about HREAP installations
o Unlike normal Local mode controller based APs, HREAP APs switch the IBM SSID
  (Both WPA1 and WPA2 profiles) to the local Ethernet LAN segment at the site.
o The IBMVISITOR SSID is Local switched (Agreed this is confusing) which means the
  traffic is tunneled inside the LWAPP/CAPWAP protocol to the controller and accesses
  the Visitor Internet tail end router via the central controller location.
o HREAP APs are controller based, however no controller is deployed at the site.
  HREAP APs are dependent on primary and backup controllers at a large campus site.
o A minimum of two controllers at a large campus WD block (one on the A side, one on
  the B side) will be assigned to provide HREAP access for multiple sites up to the
  capacity of the controllers.
o HREAP APs discover the same way as local APs, however once they are joined to the
  controller, they are assigned a fixed IP address, netmask, gateway, DNS server and
  subdomain name.
o The Collapsed Access or User Access switch where HREAP APs are installed must be
  configured with a single IBM Wireless VLAN and Subnet. This is the same as when
  provisioning IOS standalone WAPs. These APs will be assigned static addresses in the
  LAN switch wireless VLAN. This is different from Local mode controller WAPs
  where the APs are DHCP clients on the SCO User VLANs.
o The IBM SSID VLAN is accessed locally on site
o The IBMVISITOR VLAN is a private 10.x.x.x subnet and is configured on the central
  controllers and on the tail end router. The addressing for the IBMVISITOR VLAN follows
  the same standard: replace the 9 with 10 and retain the site addressing.
o There will be one AP VLAN group per HREAP site. The IBM VLANs will map to the
  default-non-usable VLAN (since they are not routed to the controller) and the
  IBMVISITOR VLAN will map to the appropriate guest VLAN on the controller.
For a more detailed discussion on HREAP, please look at the Wireless LAN NDD1 document on
the AT&T PDT template sharepoint website.
https://businesssolutions.web.att.com/sites/IBM-GAS/sharepoint/html/iga-docs-standards.html

Configuring HREAP APs

5.1.1 Verify HREAP controller configuration
Identify the central site that will support this specific HREAP site. This site should be within
the same region as the site. US West should be supported from the Boulder virtual WD block,
US North East should be supported from the Poughkeepsie WD Block.
Verify both the primary and backup controllers are configured for HREAP. In the IBM
standard design, HREAP controllers will only support HREAP APs at remote offices.
Controller tab, General, Mobility Management: verify that the two controllers
are joined into a single HREAP mobility group.

Mobility domain should be <large site RESO>-hreap-<1,2,3>

Verify that the primary and backup controllers are UP in their mobility group.
(Controller, Mobility Management, Mobility Groups)

Verify that both WLAN profiles IBM-WPA1 and IBM-WPA2 are enabled for
HREAP (WLANs, click on each profile and select Advanced, HREAP checked at
the bottom)

5.1.2 Create site AP VLAN group


Create the new Visitor VLAN on both the primary and backup controllers for these APs:
Controller, Interfaces, Click New. Fill in the Interface name VLAN-xxxx-GUEST and
select the guest VLAN. Guest VLANs start at the top of block 2021-2040 at 2040 and work
down. Click Apply. The interface IP address must be unique for all controllers serving
this VLAN.

Fill in the VLAN information (Interface IP, Netmask, Gateway Default route; DHCP is the
Gateway). Click Apply, Click Save Configuration.

Add the new AP group for this site: WLANs, Advanced, AP Groups, Click Add
Group.
Enter Group name (Format: <Central-Site-RESO>-<City>-HREAP), Click Add.

HREAP ADD APGROUP WLAN: Click on the new AP group. Click the WLANs tab
within the AP group.
Select WLAN IBM(20), Select Interface name default-non-usable, Click Add.

Repeat this step for WLAN IBM(21) WPA1 profile.

Add in the new guest VLAN interface created above:

Click Add New
Select WLAN IBMVISITOR(22), Select the correct IBM-<xxxx>-GUEST VLAN interface,
Click Add.

The final AP group config should look like the capture below.

Click Save Config

5.1.3 Discovering and Joining Access points


First: verify that a normal Wireless VLAN is configured on the UD and UA switches for the site.
This VLAN should be configured the same as if you were deploying IOS WAPs *without* guest
access. You should not configure an 802.1q trunk.
Second, verify that the DNS aliases CISCO-LWAPP-CONTROLLER.<sitedomain>.ibm.com
and CISCO-CAPWAP-CONTROLLER.<sitedomain>.ibm.com are defined in DNS. They
should point to one of these two HREAP controllers. These aliases are used for initial AP
discovery or replacement AP discovery.
c:> nslookup cisco-lwapp-controller.usmi.ibm.com
Server:  POKDNS01.srv.ibm.com
Address:  9.0.2.1

Non-authoritative answer:
Name:    pok-wc-w4c2b.pok.ibm.com
Address:  9.57.120.167
Aliases:  cisco-lwapp-controller.usmi.ibm.com

c:> nslookup cisco-capwap-controller.usmi.ibm.com
Server:  POKDNS01.srv.ibm.com
Address:  9.0.2.1

Non-authoritative answer:
Name:    pok-wc-w4c2b.pok.ibm.com
Address:  9.57.120.167
Aliases:  cisco-capwap-controller.usmi.ibm.com

c:>

Note that the DNS discovery controller may not be the same one intended to permanently support
these WAPs. For this situation, simply allow the discovery to occur and then re-assign the APs'
primary and backup controllers to their correct operational controllers.
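The nslookup check above (and the same check in section 4 for local mode sites) is easy to eyeball for one site; for a batch of sites it is worth automating. The following is an added example written for this guide, not a script from the original document or from Cisco: it parses the Windows nslookup output format shown above and confirms that a discovery alias resolves to one of the controllers meant to serve the site. The sample output and the primary controller name/address are copied from the guide's own capture; the backup controller entry is a constructed placeholder (a TEST-NET address), not a real host.

```python
NSLOOKUP_KEYS = ("server", "address", "addresses", "name", "aliases")


def parse_nslookup(output):
    """Parse Windows nslookup output into server, canonical name, addresses and aliases.
    'Address:' lines that appear before 'Name:' belong to the DNS server and are ignored.
    A value may sit on the line after its key (as in a wrapped or pasted capture)."""
    result = {"server": None, "name": None, "addresses": [], "aliases": []}
    field = None          # field the next value belongs to
    seen_name = False
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.lower().startswith("non-authoritative"):
            continue
        if line.lower().startswith("c:"):   # command prompt / the nslookup command itself
            field = None
            continue
        key, sep, value = line.partition(":")
        key = key.strip().lower()
        if sep and key in NSLOOKUP_KEYS:
            field = "address" if key == "addresses" else key
            value = value.strip()
            if not value:                   # value continues on the next line
                continue
        else:
            value = line                    # continuation line for the current field
        if field == "server":
            result["server"] = value
        elif field == "name":
            result["name"] = value
            seen_name = True
        elif field == "address" and seen_name:
            result["addresses"].append(value)
        elif field == "aliases":
            result["aliases"].extend(a.strip() for a in value.split(",") if a.strip())
    return result


def verify_discovery_alias(output, alias, expected_controllers):
    """Return (ok, message). ok is True only when `alias` is among the aliases in the
    output and the canonical name and its address match one of expected_controllers
    (a mapping of controller hostname -> management IP)."""
    r = parse_nslookup(output)
    if alias.lower() not in [a.lower() for a in r["aliases"]]:
        return False, f"{alias} is not among the aliases returned: {r['aliases']}"
    hosts = {h.lower(): ip for h, ip in expected_controllers.items()}
    name = (r["name"] or "").lower()
    if name not in hosts:
        return False, f"{alias} points at {r['name']}, not an expected HREAP controller"
    if hosts[name] not in r["addresses"]:
        return False, f"{r['name']} resolved to {r['addresses']}, expected {hosts[name]}"
    return True, f"{alias} -> {r['name']} ({hosts[name]})"


# Sample output, copied from the capture in this guide.
SAMPLE_OUTPUT = """\
c:> nslookup cisco-lwapp-controller.usmi.ibm.com
Server:  POKDNS01.srv.ibm.com
Address:  9.0.2.1

Non-authoritative answer:
Name:    pok-wc-w4c2b.pok.ibm.com
Address:  9.57.120.167
Aliases:  cisco-lwapp-controller.usmi.ibm.com
"""

# Primary entry from the guide's capture; the backup entry is a constructed placeholder.
HREAP_CONTROLLERS = {
    "pok-wc-w4c2b.pok.ibm.com": "9.57.120.167",
    "hreap-backup.example.com": "192.0.2.10",
}

if __name__ == "__main__":
    for alias in ("cisco-lwapp-controller.usmi.ibm.com",
                  "cisco-capwap-controller.usmi.ibm.com"):
        print(verify_discovery_alias(SAMPLE_OUTPUT, alias, HREAP_CONTROLLERS))
```

Feed each alias its own nslookup output (the guide runs one command per alias); a `False` result for either alias means the APs at that site will discover the wrong controller, or none, and the DNS record needs correcting before the APs are connected.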


5.1.4 Connect the HREAP APs and enable the Ethernet ports.
Follow the steps in Chapter 5 (AP Join) to discover and configure each of the access points
with the following exceptions.
1. In the Wireless tab, click <ap-name>, General tab, select AP Mode: HREAP
2. Check Static IP and assign the AP Static IP address, netmask, gateway, domain
   name and DNS server for the wireless VLAN on the site UA switch. (It is important to
   fill in all 5 fields.)
3. When you click Apply the AP will reboot and join in HREAP mode.

Click Save config

Test connectivity. IBM users should associate and be switched locally with the on-site wireless
subnet. IBMVISITOR guest users should get a central controller based IP address from the
central tail end router.

6 WCS discovery and AP placement on floor-plan maps.


Log into WCS. Currently the US WCS is at https://9.41.5.184. Additional WCS
servers will be added as the controller based wireless environment grows within IBM.
Verify that the controllers are discovered and registered to this WCS server (Monitor,
Controllers).

Browse to and select the floor area where these new APs are being installed OR where
old IOS APs have been migrated and converted to controller based wireless.
Note: If the floor area is not present in WCS, then it must be loaded in by the AT&T
network server support team. A JPEG (.jpg) or portable network graphics (.png) floor
plan file must be supplied. These files can be sent to the IBM Lotus Notes ID
ACSADMIN asking that they be placed into WCS. Please identify the site, building,
floor and floor area of each floor plan map supplied.

Select one or more APs from the list of un-assigned APs for placement on this floor area.

The APs you selected will show up at the upper right of the floor plan.
Drag and drop the AP to the proper location on the map.
Click Save

The WAP will show up with its RF heat map (802.11a or 802.11b/g). Select heat map, client
and configuration viewing options from the list on the left.

Appendix A Sample initial console configuration on WISM


Example configuring controller in Module Slot 4 controller number 2
ft0-wd-4a#
show wism status
Service Vlan : 4081, Service IP Subnet : 192.168.253.1/255.255.255.0
WLAN
Slot Controller Service IP
Management IP
SW Version Status
----+-----------+----------------+----------------+-----------+--------------4
1
192.168.253.128 9.32.112.11
6.0.188.0
Oper-Up
4
2
192.168.253.129 169.254.1.1
6.0.188.0
Oper-Up

If the service IP shows 0.0.0.0, then the session command will not work. Verify that the 6509 configuration
template has the correct private DHCP scope configured for the WISM service VLAN. If the controller does NOT
have a service IP address, then the WISM module must be power cycled using the config level command
power cycle. NOTE: this will power cycle BOTH controllers on this module.
Verify that the controller has obtained a DHCP address for the Service IP:
ft0-wd-4a#sh wism module 4 controller 2 status
WiSM Controller 2 in Slot 4 configured with auto-lag
Operational Status of the Controller : Oper-Up
Service VLAN                         : 4081
Service Port                         : 10
Service Port Mac Address             : 001f.cac0.a382
Service IP Address                   : 192.168.253.129
Management IP Address                : 169.254.1.1
Software Version                     : 6.0.188.0
Port Channel Number                  : 408
Allowed-vlan list                    : 2001-2003,2021-2022,4001
WCP Keep Alive Missed                : 0
Connect to the controller and run the console dialog:
ft0-wd-4a# session slot 4 processor 2
The default escape character is Ctrl-^, then x.
You can also type 'exit' at the remote prompt to end the session
Trying 192.168.253.129 ... Open
(WiSM-slot4-2)
Welcome to the Cisco Wizard Configuration Tool
Use the '-' character to backup
Would you like to terminate autoinstall? [yes]: yes
System Name [Cisco_c0:a3:8b] (31 characters max): <hostname> ft0-wc-w1c2a
Enter Administrative User Name (24 characters max): failsafe
Enter Administrative Password (24 characters max): *******
Re-enter Administrative Password : *******
Service Interface IP Address Configuration [none][DHCP]:
Management Interface IP Address: <management ip> 9.32.112.15
Management Interface Netmask: 255.255.255.192
Management Interface Default Router: <Default GW> 9.32.112.1
Management Interface VLAN Identifier (0 = untagged): 4001
Management Interface DHCP Server IP Address: 172.17.253.253
AP Manager Interface IP Address: <AP manager interface> 9.32.112.16
AP-Manager is on Management subnet, using same values
AP Manager Interface DHCP Server (172.17.253.253): (Default no DHCP allowed)
Virtual Gateway IP Address: 1.1.1.1                      (Must be same on all controllers)
Mobility/RF Group Name: ft0-mobility-1
Network Name (SSID): IBM                                 (Must be entered. Will be deleted and redefined later)
Allow Static IP Addresses [YES][no]: no
Configure a RADIUS Server now? [YES][no]: no
Warning! The default WLAN security policy requires a RADIUS server.
Please see documentation for more details.
Enter Country Code list (enter 'help' for a list of countries) [US]: US
Enable 802.11b Network [YES][no]: no
Enable 802.11a Network [YES][no]: no
Enable Auto-RF [YES][no]: yes
Configure a NTP server now? [YES][no]: yes
Enter the NTP server's IP address: 9.0.8.9               (Enter one now - others entered later)
Enter a polling interval between 3600 and 604800 secs: 7200
Configuration correct? If yes, system will save it and reset. [yes][NO]: yes
Configuration saved!
Resetting system with new configuration...
[Connection to 192.168.253.129 closed by foreign host]
ft0-wd-4a#

Verify that WISM controller #2 reboots and shows its management IP address:


ft0-wd-4a#sh wism status
Service Vlan : 4081, Service IP Subnet : 192.168.253.1/255.255.255.0
 WLAN
Slot  Controller  Service IP       Management IP    SW Version  Status
----+-----------+----------------+----------------+-----------+--------------
 4    1           192.168.253.128  9.32.112.11      6.0.188.0   Oper-Up
 4    2           192.168.253.129  9.32.112.15      6.0.188.0   Oper-Up

ft0-wd-4a#
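As an added example (not part of the original guide), a small Python check that parses show wism status output and flags the two conditions this appendix tells you to verify: a 0.0.0.0 service IP, which means the session command will not work, and a 169.254.x.x management IP, which means the startup wizard has not yet been completed. The sample output is constructed from the tables above, with a hypothetical slot 5 controller added to exercise the missing service IP case.

```python
import re
from collections import namedtuple

# Constructed sample, modelled on the "show wism status" output above; a hypothetical
# slot 5 controller with no service IP is added to exercise the 0.0.0.0 case.
SAMPLE_STATUS = """\
Service Vlan : 4081, Service IP Subnet : 192.168.253.1/255.255.255.0
Slot  Controller  Service IP       Management IP    SW Version  Status
----+-----------+----------------+----------------+-----------+--------------
 4    1           192.168.253.128  9.32.112.11      6.0.188.0   Oper-Up
 4    2           192.168.253.129  169.254.1.1      6.0.188.0   Oper-Up
 5    1           0.0.0.0          169.254.1.1      6.0.188.0   Oper-Up
"""

WismController = namedtuple("WismController",
                            "slot controller service_ip management_ip sw_version status")
# One data row: slot, controller, service IP, management IP, version, status.
ROW_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+([\d.]+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s*$")


def parse_wism_status(text):
    """Return one WismController per data row of 'show wism status' output."""
    return [WismController(int(m[1]), int(m[2]), m[3], m[4], m[5], m[6])
            for m in map(ROW_RE.match, text.splitlines()) if m]


def check_controller(c):
    """Problems that block 'session slot X processor Y' or show that the
    console wizard has not been completed; an empty list means ready."""
    tag = f"slot {c.slot} controller {c.controller}"
    problems = []
    if c.status != "Oper-Up":
        problems.append(f"{tag}: status is {c.status}, not Oper-Up")
    if c.service_ip == "0.0.0.0":
        problems.append(f"{tag}: no service IP; check the service VLAN DHCP scope on "
                        "the 6509, then power cycle the module (both controllers)")
    if c.management_ip.startswith("169.254."):
        problems.append(f"{tag}: management IP {c.management_ip} is the factory "
                        "default; the startup wizard has not been run")
    return problems


def check_wism_status(text):
    """Map 'slot/controller' -> problem list for every controller in the output."""
    return {f"{c.slot}/{c.controller}": check_controller(c)
            for c in parse_wism_status(text)}
```

Run check_wism_status against the pasted output of show wism status after the wizard has run; every controller should map to an empty list before you continue with the port and interface checks.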

Verify port and management interface status:


ft0-wd-4a#session slot 4 processor 2
. . .
(WiSM-slot4-2) >show port summary

           STP   Admin    Physical   Physical   Link     Link     Mcast
Pr  Type   Stat  Mode     Mode       Status     Status   Trap     Appliance  POE
--  ------ ----  -------  ---------  ---------  ------   -------  ---------  -------
1   Normal Forw  Enable   Auto       1000 Full  Up       Enable   Enable     N/A
2   Normal Forw  Enable   Auto       1000 Full  Up       Enable   Enable     N/A
3   Normal Forw  Enable   Auto       1000 Full  Up       Enable   Enable     N/A
4   Normal Forw  Enable   Auto       1000 Full  Up       Enable   Enable     N/A

(WiSM-slot4-2) >show interface summary

Interface Name                   Port  Vlan Id  IP Address       Type    Ap Mgr  Guest
-------------------------------- ----  -------  ---------------  ------  ------  -----
ap-manager                       LAG   4001     9.32.112.16      Static  Yes     No
management                       LAG   4001     9.32.112.15      Static  No      No
service-port                     N/A   N/A      192.168.253.129  Static  No      No
virtual                          N/A   N/A      1.1.1.1          Static  No      No

(WiSM-slot4-2) >ping 9.32.112.15
Send count=3, Receive count=3 from 9.32.112.15
(WiSM-slot4-2) >ping 9.32.112.1
Send count=3, Receive count=3 from 9.32.112.1
(WiSM-slot4-2) >config certificate generate webadmin
Creating a certificate may take some time. Do you wish to continue? (y/n) y
Web Administration certificate has been generated
(WiSM-slot4-2) >reset system
The system has unsaved changes.
Would you like to save them now? (y/N) y
