07-02-2010 02:08 PM - edited 07-03-2021 06:56 PM
Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get an update on different aspects of wireless network design and installation with Fred Niehaus. Fred is a Technical Marketing Engineer for the Wireless Networking Business Unit at Cisco, where he is responsible for developing and marketing enterprise wireless solutions using Cisco Aironet and Airespace wireless LAN products. In addition to his participation in major deployments, Niehaus has served as technical editor for several Cisco Press books including the "Cisco 802.11 Wireless Networking Reference Guide" and "The Business Case for Enterprise-Class Wireless LANs." Prior to joining Cisco with the acquisition of Aironet, Niehaus was a support engineer for Telxon Corporation, supporting some of the very first wireless implementations for major corporate customers. Fred has been in the data communications and networking industry for more than 20 years and holds a Radio Amateur (Ham) License "N8CPI."
Remember to use the rating system to let Fred know if you have received an adequate response.
Fred might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through July 16, 2010. Visit this forum often to view responses to your questions and the questions of other community members.
07-14-2010 08:24 AM
GJB -
Things to check:
1. Can you set a port on the switch to the same VLAN as the wireless VLAN and have a wired client get an address?
2. Do you have an ip-helper statement on the layer 3 interface?
3. With pre-shared keys, you can still 'appear' to be associated, but if the PSK is wrong, you won't pass traffic and get an IP address.
4. What do the logs indicate?
5. Are there multiple SSIDs? Do you have VLANs set? Is the AP then connected to a trunk? Is the trunk native VLAN correct? Are your VLAN to SSID mappings correct? etc.
Regards,
Scott
07-14-2010 11:34 AM
Hi Experts,
I have a few things to ask regarding our deployment of wireless mesh. Currently, we deployed two 1522s (MAP + RAP) with omni antennas, and these are managed by a WLC 4402 running version 6.x.
Now, we are having problems regarding the signal strength that we get. Even when I was very close to the MAP, the signal on the laptop was still not full; I mean I don't get an excellent connection. Also, when we are outside the rooms we get a good signal, but once we go inside the room the connection is lost. Please advise on how we can improve our deployment, because maybe we missed something.
Thanks in advance, and I appreciate all your feedback.
Reymon
07-14-2010 01:42 PM
Reymon -
It's difficult to speculate on what your issues are when we don't know enough about the physical structure and the environment in which you've set up your mesh APs. However, I'm going to try and ask you a few more questions to get you going in the right direction:
1. First, when something used to work and now does not, something has changed. It may not be something you did, but could be something you didn't. My suggestion here is to check your AP and its antenna connections. If you did not seal them well enough against weather and water penetration, you may be having some hardware failures as the water begins to affect the radio. So you may have to check that.
2. Did you install the RAP + MAP using 5 GHz as the backhaul, client access on 2.4 GHz on the MAP, and no client access on the RAP? If not, that is the recommended setting. It doesn't mean you can't have clients on 5 GHz, but for each client you add on 5 GHz you cut down on your backhaul throughput, which is already cut in half for every hop back to the RAP since it's mesh.
3. You mention going into rooms and losing the signal. Mesh deployments with 1522 APs are typically outdoors (you can run mesh indoors with other APs such as 1240/1130/etc.). Depending on the building construction, it would make sense that the signal won't penetrate well indoors as it's not designed to. This will particularly be the case if you used the directional antennas on the RAP to MAP backhaul on 5 GHz and your clients are also on 5 GHz. If you are using the omnidirectional antennas on 2.4 GHz, this would be less of an issue as omni has a 360 degree spread pattern and 2.4 GHz propagates through building materials better.
So you can see it isn't a straightforward answer, but I hope I gave you some things to look into. My suspicion is that the hardware may be having some issues if you say that this used to work and now does not. I'd be able to comment a bit better if I also knew what you were trying to accomplish with the RAP + MAP setup. Typically we would see this sort of setup with just 2 APs for either a bridge link, or extending a wired network to an outer lying area/structure. Unfortunately, just relying on the placement of the MAP close to the outer lying area won't guarantee penetration into that area or structure. You may have to use a wired bridge connection from that MAP into a switch for the second area for wired connections, or you could change antenna types and possibly continue mesh indoors.
Regards,
Scott
07-14-2010 12:12 PM
Hi Expert,
I am on the verge of rolling out my first wireless network! I have a few points that I'd like you to shed light on for me. First let me tell you that I chose PEAP/MSCHAPv2.
1. What are the best practices for a guest SSID? Open with no password?
2. Can I use different encryption per VLAN? VLAN 100 WPA? VLAN 2 WEP? VLAN 23 WPA2?
3. As there is only a WPA option in the GUI, and even in the CLI, how does the supplicant or the AP know whether it is WPA or WPA2? I mean there is WPA with a check box, but there is no WPA2.
4. I want to use MAC auth and PEAP. But I read something like the AP will try to auth with the MAC first, and if it passes the MAC auth it won't bother to try PEAP. Is that true? In my mind, I thought the ACS checks the MAC, and if the MAC is there then the ACS proceeds to PEAP auth.
5. The wired network is already segmented in VLANs (one VLAN per dept). Do I need to use different VLANs for the wireless network or can I reuse the VLANs of the wired network? From a PCI standpoint, what is the best way to do it?
Thanks, greatly appreciated.
---Jean Paul
07-14-2010 02:02 PM
Jean Paul -
1. Yes, the best practice is broadcast, but I wouldn't agree with no password. You want to make it easy for your users to access the guest services, but not so easy that you expose yourself to risk. Some common ways to deal with guest access are to use the web auth provided in the controller. It can be as simple as a splash with a UAP (User Acceptance Policy) or you can use the lobby ambassador/administrator function of the controller to create username/password combinations. I would definitely enforce ACLs that limit guest traffic to things like DHCP/DNS/HTTP/HTTPS etc. and bandwidth limit if necessary. The other option is a guest anchor controller outside your firewall. With the anchoring options configured on the guest VLAN, you can force guest traffic through a tunnel that has its endpoint on a controller outside your firewall. With this approach, you're safe as the traffic is no longer on your network. Other options are 3rd party products that are essentially a NAT/Firewall between wired and wireless, but we're talking Cisco here so I'll leave it at that since Cisco does a great job of securing guest traffic. One final note is that the controller can also be used to authenticate guest wired traffic as well.
2. Yes, you can set up a different encryption/security paradigm per VLAN. You'll have to create different WLANs and dynamic interfaces for each and then map them accordingly. I don't recommend any more than 4 SSIDs active at a time to cut down on the amount of beacons that take up time slices on the AP. I saw you mentioned WEP - please be careful if you must use this. It can be hacked in seconds these days. Place any requirements for WEP onto a separate VLAN that is appropriately ACL'd and use the highest encryption possible and rotate the key(s).
3. You mention the WPA option in the GUI - to answer your questions here I need to know the model of the AP and the IOS version. However, I do understand your confusion about the WPA/WPA2 part. To set up WPA and WPA2, they are both considered WPA for the 'checkbox' - it's the encryption that makes the difference. The encryption must be configured first, and THEN select the WPA optional/mandatory. When setting the encryption, if you select 'tkip' you'll be using WPA, if you select 'aes-ccmp' you'll be using WPA2.
4. Not sure about this one - I don't know which one is performed first. Generally people prefer PEAP because it allows for two factor authentication. The first is typically in the form of username and password. The second is usually in the form of a certificate from a trusted authority. If the machine authenticating has the certificate installed, it is trusted as part of the system. I personally wouldn't use MAC authentication as a second form because it can so easily be spoofed, but if your devices don't support certificates then I'm not sure what options you have. Microsoft has a good guide on PEAP here:
5. You can use the same VLANs as the wired side, but we generally don't recommend that. You want to keep your broadcast domains smaller, and that makes for better performance. In addition, wouldn't you like to write ACLs and manage traffic for wireless separate from wired? That can only be done effectively from different VLANs.
Regards,
Scott
07-15-2010 08:54 PM
Hi Expert,
Before all, thank you for your great advice and help. I've decided to implement a few of them. However, during preliminary tests, I ran into some issues. Hopefully, you will be able to help one last time.
During my test, I implemented a few SSIDs which worked fine in my lab with WEP encryption. Then I decided to change the encryption, and some of the SSIDs did work with WPA2. However, two caught my attention: the guest SSID, which uses WPA with TKIP, and one of the test SSIDs. The guest SSID worked fine until I decided to reload the AP. When the AP came back it could not grab an IP, but show commands show that it is associated with the AP. See below. I am 100% certain that the config is correct as it was working fine before the reload.
a) Show commands
#sh dot11 associations
802.11 Client Stations on Dot11Radio0:
SSID [SAVY_GUESS] :
MAC Address IP address Device Name Parent State
000e.9b6e.XXXX 169.254.97.66 ccx-client - self Assoc
Address : 000e.9b6e.XXX Name : NONE
IP Address : 169.254.97.66 Interface : Dot11Radio 0
Device : ccx-client Software Version : NONE
CCX Version : 2
State : Assoc Parent : self
SSID : SAVY_GUESS
VLAN : 9
Hops to Infra : 1 Association Id : 13
Clients Associated: 0 Repeaters associated: 0
Tunnel Address : 0.0.0.0
Key Mgmt type : WPA PSK Encryption : TKIP
Current Rate : 54.0 Capability : ShortHdr ShortSlot
Supported Rates : 1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
Voice Rates : disabled
Signal Strength : -31 dBm Connected for : 11592 seconds
Signal to Noise : 61 dBm Activity Timeout : 57 seconds
Power-save : Off Last Activity : 3 seconds ago
Apsd DE AC(s) : NONE
Packets Input : 8830 Packets Output : 9
Bytes Input : 435094 Bytes Output : 1154
Duplicates Rcvd : 15 Data Retries : 0
Decrypt Failed : 0 RTS Retries : 0
MIC Failed : 0 MIC Missing : 0
Packets Redirected: 0 Redirect Filtered: 0
Session timeout : 0 seconds
Reauthenticate in : never
b) SSID config
dot11 ssid SAVY_GUESS
vlan 9
authentication open
authentication key-management wpa
mbssid guest-mode
wpa-psk ascii 7 1240321A241F5B367B29281F6200133524422D325C
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 9 mode ciphers tkip
!
encryption vlan 16 mode ciphers aes-ccm
!
ssid SAVY_GUESS
!
ssid Wireless-Test
!
interface Dot11Radio0.9
encapsulation dot1Q 164
no ip route-cache
bridge-group 9
bridge-group 9 subscriber-loop-control
bridge-group 164 block-unknown-source
no bridge-group 9 source-learning
no bridge-group 9 unicast-flooding
bridge-group 9 spanning-disabled
!
interface FastEthernet0.9
encapsulation dot1Q 9
ip helper-address 10.XXX.ZZZ.254
no ip route-cache
bridge-group 255
no bridge-group 255 source-learning
bridge-group 255 spanning-disabled
!
PS: A wired device connected on the VLAN did grab an IP.
2. Wireless_Test
This SSID was working fine until I changed the VLAN associated with it.
SSID [Wireless-Test] :
MAC Address IP address Device Name Parent State
001f.3b51.XXXX 169.254.90.253 ccx-client 00C00070 self EAP-Assoc
Address : 001f.3b51.XXXX Name : I00000070
IP Address : 169.254.90.253 Interface : Dot11Radio 0
Device : ccx-client Software Version : NONE
CCX Version : 4
State : EAP-Assoc Parent : self
SSID : Wireless-Test
VLAN : 16
Hops to Infra : 1 Association Id : 12
Clients Associated: 0 Repeaters associated: 0
Tunnel Address : 0.0.0.0
Key Mgmt type : WPAv2 Encryption : AES-CCMP
Current Rate : 54.0 Capability : WMM ShortHdr ShortSlot
Supported Rates : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
Voice Rates : disabled
Signal Strength : -43 dBm Connected for : 14298 seconds
Signal to Noise : 52 dBm Activity Timeout : 14 seconds
Power-save : On Last Activity : 6 seconds ago
Apsd DE AC(s) : NONE
Packets Input : 15322 Packets Output : 256
Bytes Input : 913707 Bytes Output : 19866
Duplicates Rcvd : 249 Data Retries : 14
Decrypt Failed : 0 RTS Retries : 0
MIC Failed : 0 MIC Missing : 0
Packets Redirected: 0 Redirect Filtered: 0
Session timeout : 0 seconds
Reauthenticate in : never
b) config
dot11 ssid Wireless-Test
vlan 16
authentication open eap eap_methods2
authentication network-eap eap_methods2
authentication key-management wpa
accounting acct_methods3
mbssid guest-mode
!
interface Dot11Radio0.16
encapsulation dot1Q 16
no ip route-cache
bridge-group 16
bridge-group 16 subscriber-loop-control
bridge-group 16 block-unknown-source
no bridge-group 16 source-learning
no bridge-group 16 unicast-flooding
bridge-group 16 spanning-disabled
!
interface FastEthernet0.16
encapsulation dot1Q 16
ip helper-address 10.zzz.xxx.254
no ip route-cache
bridge-group 16
no bridge-group 16 source-learning
bridge-group 16 spanning-disabled
!
Can the radio interface get messed up by the reload? How can I verify the radio? Debug did not show the client asking for an IP...
3. My last question: my ACLs to limit guest access. Should I implement them in my firewall or in my distribution router? The distribution router has a sub-interface for each SSID. Would it be better to block traffic right at the distribution router rather than let unnecessary traffic flow into the network?
Thanks a lot for great advice and guidance,
---Jean Paul.
07-16-2010 05:58 AM
Jean Paul -
Usually when something doesn't work after a reload it means you forgot to commit changes to nvram (i.e. write mem). If you could attach a full running config as a text file, that would be good. In the meantime, a couple of things:
1. Your subinterfaces and VLAN tags should match as a matter of practice. They don't have to, but it is always best from a configuration and troubleshooting standpoint. Your subinterface Dot11Radio0.9 has an encapsulation for VLAN 164. In addition, your bridge groups should also match. Therefore, you need to change your encapsulation to VLAN 9 as your encapsulation for VLAN 164 does not match the encapsulation you set on the SSID [encryption vlan 9 mode ciphers tkip].
2. When you say 'When the AP came back it could not grabs an ip' do you mean the AP itself? If you have interface bvi1 set to DHCP, it will get an IP on the native VLAN of the trunk. If you statically assign it, make sure it's on the native VLAN. Without a full config I can't see this, but also make sure you have 'bridge-group 1 route ip' so the AP will forward layer 3 traffic.
3. As far as the ACLs go, if you review Cisco's best practices for a hierarchy design, enforcing policy (QoS, ACLs, etc.) is indeed the function of the Distribution block. Since the Distribution blocks aggregate all of your Access layer traffic, it is the optimal place to enforce ACLs. You're right, no sense in having your traffic traverse the network farther than it should. Now, just as a comparison, where you place your ACLs also depends on whether or not you're doing standard or extended ACLs. Standard ACLs only use source ip and therefore should be placed as close to the source as possible. Extended ACLs use destination and ports and should therefore be placed as close to the destination as possible.
Regards,
Scott
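The two configuration rules from the replies above (an SSID's WPA generation is decided by the cipher configured for its VLAN, and each subinterface's dot1Q tag and bridge-group should match its VLAN number) can be checked mechanically. The following Python audit is an added example, not code from the thread or from Cisco; the sample config is constructed from the posted one with the PSK and other lines omitted, and the skip for the native VLAN (which always uses bridge-group 1) is the one assumption added beyond what the replies state.

```python
import re

# Constructed sample modelled on the posted config; it keeps the dot1Q tag and bridge-group mismatches the reply points out.
SAMPLE_CONFIG = """\
dot11 ssid SAVY_GUESS
 vlan 9
!
dot11 ssid Wireless-Test
 vlan 16
!
interface Dot11Radio0
 encryption vlan 9 mode ciphers tkip
 encryption vlan 16 mode ciphers aes-ccm
!
interface Dot11Radio0.9
 encapsulation dot1Q 164
 bridge-group 9
 bridge-group 164 block-unknown-source
!
interface FastEthernet0.9
 encapsulation dot1Q 9
 bridge-group 255
!
"""
# On autonomous IOS APs the cipher decides the generation: tkip is WPA, aes-ccm is WPA2.
WPA_BY_CIPHER = {"tkip": "WPA", "aes-ccm": "WPA2"}


def parse_sections(text):
    """Yield (header, body_lines) per top-level IOS block; '!' or a blank line ends one."""
    header, body = None, []
    for line in text.splitlines():
        if line.startswith(" "):
            body.append(line.strip())
            continue
        if header:
            yield header, body
        header, body = (None if line.strip() in ("", "!") else line.strip()), []
    if header:
        yield header, body


def audit(text):
    """Return ({ssid: (vlan, cipher, wpa_version)}, [findings]) for an AP config."""
    ssid_vlan, cipher_by_vlan, findings = {}, {}, []
    for header, body in parse_sections(text):
        sub = re.match(r"interface \S+?\.(\d+)$", header)
        if header.startswith("dot11 ssid "):
            ssid_vlan[header.split()[2]] = next(
                (int(l.split()[1]) for l in body if l.startswith("vlan ")), None)
        elif header == "interface Dot11Radio0":
            for m in (re.match(r"encryption vlan (\d+) mode ciphers (\S+)", l) for l in body):
                if m:
                    cipher_by_vlan[int(m.group(1))] = m.group(2)
        elif sub and not any("native" in l for l in body):  # native VLAN keeps bridge-group 1
            sub = int(sub.group(1))
            tags = sorted(int(l.split()[2]) for l in body if l.startswith("encapsulation dot1Q "))
            groups = sorted({int(l.split()[1]) for l in body if l.startswith("bridge-group ")})
            if tags != [sub]:
                findings.append(f"{header}: dot1Q tag {tags} does not match subinterface {sub}")
            if groups != [sub]:
                findings.append(f"{header}: bridge-group {groups} does not match subinterface {sub}")
    info = {n: (v, cipher_by_vlan.get(v), WPA_BY_CIPHER.get(cipher_by_vlan.get(v), "none"))
            for n, v in ssid_vlan.items()}
    findings += [f"ssid {n}: no encryption for vlan {v}" for n, (v, c, _) in info.items() if c is None]
    return info, findings
```

Running `audit(SAMPLE_CONFIG)` reports the guest SSID as WPA/TKIP and the test SSID as WPA2/AES-CCMP, and flags the 164 tag, the extra bridge-group 164 on Dot11Radio0.9 and the bridge-group 255 on FastEthernet0.9 that does not match the radio side.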
07-16-2010 07:23 AM
Hi Scott,
I am pretty sure it is not a saving issue, and for the VLAN tag, I did change the VLAN to the wrong one as I didn't want to just cut/paste for security and privacy reasons. Here is the rest of the complete config; bear in mind I have made some config changes in it as well for the same reason.
Sorry for the confusion: the AP has a static IP; it is the hosts that refuse to grab an IP from my DHCP server. Also, wired hosts connected to the VLANs did grab an IP.
Thanks,
-- Jean Paul.
07-16-2010 07:34 AM
Jean Paul -
I don't see anything glaring with your config. The guest SSID has me stumped since it's not using EAP. The only thing I can think of is that the passphrase wasn't entered correctly? But I'm sure you've tried that a few times? The other SSID using EAP, what do the logs show in your ACS/IAS?
Regards,
Scott
07-16-2010 08:24 AM
Hi scott,
I am pretty sure that the passphrase is correct, as I re-entered it so many times (cut/paste) and even changed it for a new one. My next step is to delete the guest SSID and recreate it.
For the EAP SSIDs the ACS displays the message below, which I don't fully understand.
Beside the date and time columns, in the message type column the ACS displays UNKNOWN NAS, and in the NAS-IP-Address column it displays the IP of one of the distribution switches.
07/16/201002:08:24Unknown NAS......(Unknown)........10.xx.xx.12..............
1. Date = 07/16/2010
2. Time = 02:08:24
3. Message-Type = Unknown NAS
4. NAS-IP-Address = one of my distribution switches
5. The dots are other columns with nothing
And nothing in the other columns.
Thanks,
--Jean Paul
07-16-2010 08:31 AM
Jean Paul -
I am not as familiar with ACS as I am with IAS. But I do know that you have to explicitly specify in IAS what NAS devices are trusted, and the passphrase has to match. Is there a similar requirement in ACS where you have to tell ACS what devices (by IP address and passphrase) are trusted? I would put all of your APs in there as NAS.
Regards,
Scott
07-16-2010 11:00 AM
Being LAZY does come with some frustration in the long run! Here is what happened... Since I didn't want to go up and down from the 5th floor to the basement, I decided to move the test AP from the lab to my office. In my office, I have a test switch, not authenticated to the RADIUS, on which I connected the AP. To answer your question, yes, ACS does have the same feature. After reading your last post, I went back and added the IP of my test switch and the new VLAN I just created.... Once I added these two items, everything worked fine without ANY change in the config....
Thanks again Mr. the EXPERT....
--- Jean Paul
07-16-2010 11:25 AM
Jean Paul -
Glad I could help!
Regards,
Scott
07-14-2010 01:37 PM
I have run into a problem between Cisco ACS 4.1.4(13) and the Controllers 6.0.188.0.
I want to run a URL redirect splash page for some users to direct them to some information. I also use the Cisco Airespace VSAs to map other users' QoS and dynamic VLAN assignment.
The configuration guides have you set up the controllers in the ACS as Cisco Aironet if you want to configure the url-redirect function in RADIUS. If you use the Airespace VSAs for QoS or VLAN assignment you need to set up the controller as Cisco Airespace. I have tested this, and if you set it up one way the other breaks and vice versa...
Has anyone else run into this point of confusion? Is there a setting that will allow me to do both, since I can only configure it one way and the documents do not agree on one way to set up your controller in the ACS server? Is this an ACS issue that may be resolved in later versions?
Hope someone else has run into this.
JC
07-15-2010 05:52 AM
Hi Leo,
Is it possible to use channel bonding on wireless N with the 5 GHz band between 2 autonomous APs?
This is to achieve a 300 Mbps wireless bridge link.
We have tried this in our lab and we can do channel bonding on the root bridge but not on the non-root bridge; the link stays on 20 MHz and doesn't go to 40 MHz.
Is this possible in some way?
Best Regards,
Jerco Veltjen