Cisco Structured Wireless-Aware Network (SWAN) Implementation Guide
January 2005

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706 USA
http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
CONTENTS

Audience
Acronyms and Terms
Cisco SWAN Framework Overview
Cisco SWAN Framework Components
Software Components
Hardware Components
Implementing the Cisco SWAN Framework
Common Tasks
Configuring the CiscoSecure ACS Server for Infrastructure Authentication
Configuring the Local RADIUS Server on the Access Point for Infrastructure Authentication
Configuring the AAA Server to Support WLAN Client Authentication
Preparing the CiscoWorks WLSE for Managing WLAN Devices
Cisco Structured Wireless-Aware Network (SWAN) Implementation Guide

The Cisco Structured Wireless-Aware Network (SWAN) provides the framework to integrate and extend wired and wireless networks to deliver the lowest possible total cost of ownership for companies deploying wireless LANs (WLANs).
Acronyms and Terms

Table 1 Acronyms, Terms, and Definitions
Term | Definition
Cisco SWAN | Cisco Structured Wireless Aware Network—Cisco’s framework for delivering integrated wired and wireless LAN networks.
WDS | Wireless Domain Service—Cisco IOS software functionality enabling advanced Cisco SWAN functionality.
WLCCP | Wireless LAN Context Control Protocol—A Cisco-defined control protocol for Cisco SWAN.
Access Point-Based WDS Architecture | The Access Point-Based WDS architecture is an architecture with Layer 2 WLAN control domains, where WDS is hosted on Cisco Aironet access points.
Switch-Based WDS Architecture | The Switch-Based WDS architecture is an architecture with Layer 3 WLAN control domains, where the WDS is hosted on the WLSM.

Cisco SWAN Framework Overview
The Cisco SWAN framework introduces WLCCP to facilitate control messaging between the framework components. Figure 1 illustrates the conceptual model of the Cisco SWAN framework, including the WLCCP messaging protocol. As shown in Figure 1, each layer is implemented in specific Cisco products.
Figure 2 represents a logical, hierarchical view of the SWAN framework that clearly illustrates the importance of the WDS layer.

Figure 2 Cisco SWAN Logical View
[Diagram labels: ACS, WLSE, RADIUS control domain, WDS, WLAN control domain, WLCCP messages]
Figure 3 shows the access point-based WDS solution.

Figure 3 Access Point-Based WDS Solution

In the access point-based WDS solution, infrastructure access points discover the WDS via special WLCCP multicast messages. You must have an access point running WDS on each Layer 2 subnet.
Figure 4 Switch-Based WDS Solution

In the switch-based WDS solution, mGRE tunnels are built from the Catalyst 6500 switch hosting the WLSM where the WDS is running. Wireless client data is tunneled to the Catalyst 6500 switch where it is forwarded appropriately. The mGRE tunnel legs are built when the infrastructure access points register with the WDS on the WLSM.
• WLSE
• Cisco and Cisco compatible clients

Software Components

There are two software components essential to the operation of the Cisco SWAN framework: WDS and WLCCP.

WLCCP

WLCCP is a Cisco-defined control protocol that allows control communication between the Cisco SWAN components. WLCCP messages are used to authenticate and register Cisco SWAN components, constructing the Cisco SWAN control topology.
Cisco Wireless LAN Solution Engine (CiscoWorks WLSE)

The CiscoWorks WLSE is a management tool that provides comprehensive WLAN device management, including access point configuration, fault management, and extensive reporting. The CiscoWorks WLSE also applies intelligence to radio management data gathered from the network.

Implementing the Cisco SWAN Framework
When the encryption key negotiations are complete, the WDS reports all its registered infrastructure access points to the CiscoWorks WLSE for management. After the infrastructure access points are managed on the CiscoWorks WLSE, the CiscoWorks WLSE interrogates the infrastructure access points with SNMP to complete its internal inventory tables.
• Define each WDS-host as a network access server (NAS)
• Define credentials to be used by infrastructure access points for authentication

To define each WDS-host as a NAS on the CiscoSecure ACS, follow these steps:

Step 1 Log into the CiscoSecure ACS server.
Step 2 Select Network Configuration from the menu on the left-hand side (see Figure 5).
Figure 6 CiscoSecure ACS NAS Setup

Step 8 Repeat Steps 2 through 7 for each WDS-host device.
Step 9 Restart the CiscoSecure ACS service by selecting Submit + Restart after completing the tasks through Step 7. Or you can select System Configuration on the left-hand side menu, then Service Control, and then Restart.
Figure 7 CiscoSecure ACS User Setup

Step 4 Fill out the information relevant to the user, including the password, and then click Submit (see Figure 8).

Figure 8 CiscoSecure ACS User Setup

Step 5 Repeat Steps 2 through 4 for each credentials pair you intend to use for infrastructure authentication.

The CiscoSecure ACS setup for infrastructure access point authentication is now complete.
To configure the local RADIUS server on an access point, follow these steps:

Step 1 Access the access point command-line interface and go into configuration mode.
Step 2 Enter the following IOS command:
AAA-ap(config)# aaa new-model
Step 3 Enter the following IOS command:
AAA-ap(config)# radius-server local
You are now in the local RADIUS server configuration mode.
To configure the necessary credentials on the CiscoWorks WLSE, follow these steps:

Step 1 Log into the CiscoWorks WLSE.
Step 2 Navigate to Devices > Discover. Select Device Credentials on the left-hand side table of contents (see Figure 9).
Step 3 Select SNMP Communities on the left-hand side table of contents (see Figure 9).
Step 4 In the form, enter the appropriate SNMP credentials.
Figure 10 CiscoWorks WLSE Telnet/SSH Credentials Entry

Step 7 Select Device Credentials > WLCCP Credentials from the table of contents on the left-hand side (see Figure 11).
Step 8 Enter the appropriate WLCCP credentials for logging in to the managed access points for configuration (see Figure 11). Consult the CiscoWorks WLSE online help for details on WLCCP credentials entry syntax.
Configuring Advanced Discovery Options

Advanced discovery options include enabling device reverse-DNS name resolution, device auto-manage, and auto-manage filtering by MAC address. The format for device name within the WLSE can also be configured.
These are the basic configuration tasks:

• Entering a host name for the access point
• Defining SNMP communities
• Defining Telnet or SSH parameters
• Defining AAA parameters for infrastructure authentication
• Defining AAA parameters for WLAN client authentication
• Defining WLCCP credentials
• Enabling WDS services
• Defining the CiscoWorks WLSE

Follow these steps to complete the task
Step 8 Enter the following to define AAA parameters for client authentication:
wds-ap(config)# radius-server host auth-port acct-port key
wds-ap(config)# aaa group server radius client_group
wds-ap(config-sg-radius)# server auth-port <1812> acct-port <1813>
wds-ap(config)# aaa authentication login client-group group client_group
wds-ap(
Step 2 Enter the following commands to define the SNMP communities:
infra-ap(config)#snmp-server view iso iso included
infra-ap(config)#snmp-server community view iso RO
infra-ap(config)#snmp-server community view iso RW
Step 3 Enter a host name for the access point:
infra-ap(config)#hostname
Step 4 Enter the following to define Telnet or SSH
Validating the Configuration

The IOS command line on the WDS host can be used to validate the configurations. To validate the WDS configuration, enter this command:
show wlccp wds ap

All of the registered access points and infrastructure access points are listed. For example:
wds-ap# show wlccp wds ap
MAC-ADDR        IP-ADDR       STATE       LIFETIME
000d.28f2.33ea  10.1.12.19    REGISTERED
000d.28f2.3426  10.1.12.
Step 2 Create the VLAN between the supervisor and WLSM:
sup-720(config)# interface Vlan
sup-720(config-int)# ip address
sup-720(config-int)# exit
Step 3 Define the VLAN created in step 2 as the VLAN between the supervisor and WLSM.
• Define AAA parameters for WLAN client authentication
• Define the CiscoWorks WLSE

Follow these steps to complete the tasks:

Step 1 Access the WLSM command-line interface.
This step is very important. After the Cisco SWAN topology is established, all 802.1x client authentications are forwarded through the WDS. If the client authentication group(s) is not properly configured, WLAN clients are denied access to the network. RADIUS servers are not redefined with the first command if you are using the same AAA server for infrastructure and client authentication.
Subsequent to these steps, customers can configure additional parameters like VLANs, SSIDs, and encryption settings. Customers may choose to use the CiscoWorks WLSE to do these configurations in bulk after the CiscoWorks WLSE has discovered the WDS-host and the infrastructure access points.
You should also navigate to the Catalyst 6500 Supervisor command-line interface and validate that the control communications between the WLSM and supervisor are working correctly.
The tunnel source, network attributes and state, registered access points with tunnel end-points for the mobility group, and the registered mobile in the mobility group are shown:
sup720# show mobility network 4
Wireless Network ID: 4
Wireless Tunnel Source IP Address: 10.100.4.
When Not Using Multiple Authentication Types, Encryption Types, or VLANs

If you are not using multiple authentication or encryption types or VLANs on the access points, follow these steps to configure the access points to use CCKM:

Step 1 Gain control of the access point command line interface and enter configuration mode.
Step 2 Enter the interface configuration mode for the appropriate radio.
The VLAN number corresponds to the VLAN number configured in Step 3.

Step 6 Set the authentication:
infra-ap(config-if-ssid)#authentication network-eap
Set the authentication key management:
infra-ap(config-if-ssid)#authentication key-management {[wpa] [cckm]} [optional]
Use the wpa keyword only if you are using WPA. If this is the case, the wpa keyword must precede the cckm keyword.
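A pre-deployment check for the SSID settings in Step 6, added here as an example (it is not code from the Cisco guide): it parses SSID blocks from a configuration template and flags a missing network-eap line or a key-management line in which wpa does not precede cckm. The SSID names, the EAP list name, the indentation-based block layout and all function names are assumptions.

```python
import re

# Constructed sample (not from the guide): SSID names and the EAP method
# list name "eap_methods" are assumptions made for this example.
SAMPLE_CONFIG = """\
interface Dot11Radio0
 ssid corp-good
  authentication network-eap eap_methods
  authentication key-management wpa cckm
 ssid corp-cckm-only
  authentication network-eap eap_methods
  authentication key-management cckm optional
 ssid corp-bad-order
  authentication network-eap eap_methods
  authentication key-management cckm wpa
 ssid corp-no-eap
  authentication open
  authentication key-management wpa cckm
"""

def parse_ssids(config):
    """Map each SSID name to the tokenized lines indented beneath it."""
    ssids, current, depth = {}, None, 0
    for line in config.splitlines():
        indent = len(line) - len(line.lstrip())
        match = re.match(r"\s*ssid\s+(\S+)", line)
        if match:
            current, depth = ssids.setdefault(match.group(1), []), indent
        elif current is not None and line.strip() and indent > depth:
            current.append(line.split())
        else:
            current = None  # left the SSID block
    return ssids

def lint_ssid(lines):
    """Return findings for one SSID block; an empty list means it passes."""
    findings = []
    if not any(t[:2] == ["authentication", "network-eap"] for t in lines):
        findings.append("network-eap authentication not set")
    key_mgmt = [t[2:] for t in lines if t[:2] == ["authentication", "key-management"]]
    if not key_mgmt:
        findings.append("no key-management line")
    for words in key_mgmt:
        if "cckm" not in words:
            findings.append("cckm keyword missing")
        elif "wpa" in words and words.index("wpa") > words.index("cckm"):
            findings.append("wpa must precede cckm")
    return findings

def lint_config(config):
    return {name: lint_ssid(block) for name, block in parse_ssids(config).items()}

if __name__ == "__main__":
    for ssid, findings in lint_config(SAMPLE_CONFIG).items():
        print(ssid, "OK" if not findings else "; ".join(findings))
```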
Step 9 Select the profile you created or edited in Steps 2 through 8.
Step 10 Enter whatever security credentials are required to authenticate to the network and complete the authentication and association process.

Consult the product documentation for details on using CCKM with non-Cisco branded client adapters or third-party supplicants.
Preparing to Use Cisco SWAN Radio Management

The procedures required before using the Cisco SWAN framework radio management features are as follows:

• Discover infrastructure access points and WDS devices
• Import building floorplans
• Place access points on the floorplans
• Configure antenna and other access point specific parameters (optional)

The process for completing the infrastructure acc
When the building tool is open, follow the wizard steps to create a new building and import floorplans for each of the building floors. Consult the CiscoWorks WLSE online help for assistance if necessary. When the buildings are created and floorplans are imported, managed access points are visible in the lower left-hand pane of the Location Manager.
enabled, the WDS periodically requests radio measurement data from supporting registered MNs. These MNs collect the requested data and send it to the WDS. The WDS aggregates data from the MNs and passes the aggregated data to the CiscoWorks WLSE. WLAN client monitoring is configured for client serving and non-serving channels.
Cisco Structured Wireless-Aware Network (SWAN) Implementation Guide OL-6217-01