Cisco Systems 3.2 Configuring Identity Networking

5-16

Cisco Wireless LAN Controller Configuration Guide

OL-8335-02

Chapter 5 Configuring Security Solutions

Configuring Identity Networking

Configuring Identity Networking

These sections explain the Identity Networking feature, how it is configured, and the expected behavior

for various security policies:

•Identity Networking Overview, page 5-16

•RADIUS Attributes Used in Identity Networking, page 5-17

Identity Networking Overview

In most wireless LAN systems, each WLAN has a static policy that applies to all clients associated with

an SSID. Although powerful, this method has limitations since it requires clients to associate with

different SSIDs to inherit different QoS and security policies.

However, the Cisco Wireless LAN Solution supports Identity Networking, which allows the network to

advertise a single SSID but allows specific users to inherit different QoS or security policies based on

their user profiles. The specific policies that you can control using identity networking include:

•Quality of Service. When present in a RADIUS Access Accept, the QoS-Level value overrides the

QoS value specified in the WLAN profile.

•ACL. When the ACL attribute is present in the RADIUS Access Accept, the system applies the

ACL-Name to the client station after it authenticates. This overrides any ACLs that are assigned to

the interface.

•VLAN. When a VLAN Interface-Name or VLAN-Tag is present in a RADIUS Access Accept, the

system places the client on a specific interface.

Note The VLAN feature only supports MAC filtering, 802.1X, and WPA. The VLAN feature does not

support Web Auth or IPSec.

•Tunnel Attributes.

Note When any of the other RADIUS attributes in this section are returned, the Tunnel Attributes must

also be returned.

In order for this feature to be enabled, on a per WLAN basis, the Enable AAA Override configuration

flag must be enabled.

The Operating System’s local MAC Filter database has been extended to include the interface name,

allowing local MAC filters to specify to which interface the client should be assigned. A separate

RADIUS server can also be used, but the RADIUS server must be defined using the Security menus.

Contents

Main Cisco Wireless LAN Controller Configuration Guide Page CONTENTS Page Page Page Page Page Page Page Page Page Preface Audience Purpose Organization Conventions xvi Related Publications Obtaining Documentation Cisco.com Product Documentation DVD Ordering Documentation Documentation Feedback Cisco Product Security Overview Reporting Security Problems in Cisco Products Obtaining Technical Assistance Cisco Technical Support & Documentation Website Submitting a Service Request Definitions of Service Request Severity Obtaining Additional Publications and Information Page Overview Cisco Wireless LAN Solution Overview Single-Controller Deployments Multiple-Controller Deployments Operating System Software Operating System Security Cisco WLAN Solution Wired Security Layer 2 and Layer 3 LWAPP Operation Operational Requirements Configuration Requirements Cisco Wireless LAN Controllers Primary, Secondary, and Tertiary Controllers Client Roaming Same-Subnet (Layer 2) Roaming Inter-Controller (Layer 2) Roaming Inter-Subnet (Layer 3) Roaming Special Case: Voice Over IP Telephone Roaming Client Location External DHCP Servers Per-Wireless LAN Assignment Per-Interface Assignment Security Considerations Cisco WLAN Solution Wired Connections Cisco WLAN Solution Wireless LANs Access Control Lists Identity Networking Enhanced Integration with Cisco Secure ACS File Transfers Power over Ethernet Pico Cell Functionality Intrusion Detection Service (IDS) Wireless LAN Controller Platforms Cisco 2000 Series Wireless LAN Controllers Cisco 4100 Series Wireless LAN Controllers Cisco 4400 Series Wireless LAN Controllers Cisco 2000 Series Wireless LAN Controller Model Numbers Cisco 4100 Series Wireless LAN Controller Model Numbers Cisco 4400 Series Wireless LAN Controller Model Numbers Startup Wizard Cisco Wireless LAN Controller Memory Cisco Wireless LAN Controller Failover Protection Cisco Wireless LAN Controller Automatic Time Setting Cisco Wireless LAN Controller Time Zones Network Connections to Cisco Wireless LAN Controllers Cisco 2000 Series Wireless LAN Controllers Cisco 4100 Series Wireless LAN Controllers Cisco 4400 Series Wireless LAN Controllers VPN and Enhanced Security Modules for 4100 Series Controllers Rogue Access Points Rogue Access Point Location, Tagging, and Containment Web User Interface and the CLI Web User Interface Command Line Interface Using the Web-Browser and CLI Interfaces Using the Web-Browser Interface Guidelines for Using the GUI Opening the GUI Enabling Web and Secure Web Modes Configuring the GUI for HTTPS Loading an Externally Generated HTTPS Certificate Page Disabling the GUI Using Online Help Using the CLI Logging into the CLI Using a Local Serial Connection Using a Remote Ethernet Connection Logging Out of the CLI Navigating the CLI Enabling Wireless Connections to the Web-Browser and CLI Interfaces Configuring Ports and Interfaces 3-2 Overview of Ports and Interfaces Ports Distribution System Ports Service Port Interfaces Management Interface AP-Manager Interface Virtual Interface Service-Port Interface Dynamic Interface WLANs Configuring the Management, AP-Manager, Virtual, and Service-Port Interfaces Using the GUI to Configure the Management, AP-Manager, Virtual, and Service-Port Interfaces Page Page Using the CLI to Configure the Management, AP-Manager, Virtual, and Service-Port Interfaces Using the CLI to Configure the Management Interface Using the CLI to Configure the AP-Manager Interface Using the CLI to Configure the Virtual Interface Using the CLI to Configure the Service-Port Interface Configuring Dynamic Interfaces Using the GUI to Configure Dynamic Interfaces Page Using the CLI to Configure Dynamic Interfaces Configuring Ports Page Page Configuring Port Mirroring Configuring Spanning Tree Protocol Using the GUI to Configure Spanning Tree Protocol Page Page Page Using the CLI to Configure Spanning Tree Protocol Enabling Link Aggregation Link Aggregation Guidelines Using the GUI to Enable Link Aggregation Using the CLI to Enable Link Aggregation Configuring Neighbor Devices to Support LAG Configuring a 4400 Series Controller to Support More Than 48 Access Points Using Link Aggregation Using Multiple AP-Manager Interfaces Page Page Page Page Connecting Additional Ports Configuring Controller Settings Using the Configuration Wizard Before You Start Resetting the Device to Default Settings Resetting to Default Settings Using the CLI Resetting to Default Settings Using the GUI Running the Configuration Wizard on the CLI Managing the System Time and Date Configuring Time and Date Manually Configuring NTP Configuring a Country Code Enabling and Disabling 802.11 Bands Configuring Administrator Usernames and Passwords Configuring RADIUS Settings Configuring SNMP Settings Enabling 802.3x Flow Control Enabling System Logging Enabling Dynamic Transmit Power Control Configuring Multicast Mode Understanding Multicast Mode Guidelines for Using Multicast Mode Enabling Multicast Mode Configuring the Supervisor 720 to Support the WiSM General WiSM Guidelines Configuring the Supervisor Page Using the Wireless LAN Controller Network Module Page Configuring Security Solutions Cisco WLAN Solution Security Security Overview Layer 1 Solutions Layer 2 Solutions Layer 3 Solutions Rogue Access Point Solutions Rogue Access Point Challenges Tagging and Containing Rogue Access Points Integrated Security Solutions Configuring the System for SpectraLink NetLink Telephones Using the GUI to Enable Long Preambles Using the CLI to Enable Long Preambles Using Management over Wireless Using the GUI to Enable Management over Wireless Using the CLI to Enable Management over Wireless Configuring DHCP Using the GUI to Configure DHCP Using the CLI to Configure DHCP Customizing the Web Authentication Login Screen Default Web Authentication Operation Page Customizing Web Authentication Operation Hiding and Restoring the Cisco WLAN Solution Logo Changing the Web Authentication Login Window Title Changing the Web Message Changing the Logo Preparing the TFTP Server Copying the Logo or Graphic to the TFTP Server Downloading the Logo or Graphic Hiding the Logo Creating a Custom URL Redirect Verifying Web Authentication Changes 5-15 Example: Sample Customized Web Authentication Login Window Figure 5-4 Example of a Customized Web Authentication Login Window These are the CLI commands used to create the window in Figure 5-4: Configuring Identity Networking Identity Networking Overview RADIUS Attributes Used in Identity Networking QoS-Level ACL-Name Interface-Name VLAN-Tag Tunnel Attributes Page Configuring WLANs Wireless LAN Overview Configuring Wireless LANs Displaying, Creating, Disabling, and Deleting Wireless LANs Activating Wireless LANs Assigning a Wireless LAN to a DHCP Server Configuring MAC Filtering for Wireless LANs Enabling MAC Filtering Creating a Local MAC Filter Assigning Wireless LANs to VLANs Configuring Layer 2 Security Dynamic 802.1X Keys and Authorization WEP Keys Dynamic WPA Keys and Encryption Configuring a Wireless LAN for Both Static and Dynamic WEP Configuring Layer 3 Security IPSec IPSec Authentication IPSec Encryption IKE Authentication IKE Diffie-Hellman Group IKE Phase 1 Aggressive and Main Modes IKE Lifetime Timeout IPSec Passthrough Configuring Quality of Service Configuring QoS Enhanced BSS (QBSS) Enabling WMM Mode Enabling 7920 Support Mode QBSS Information Elements Sometimes Degrade 7920 Phone Performance Controlling Lightweight Access Points Lightweight Access Point Overview Cisco 1000 Series IEEE 802.11a/b/g Lightweight Access Points Cisco 1030 Remote Edge Lightweight Access Points Cisco 1000 Series Lightweight Access Point Part Numbers Cisco 1000 Series Lightweight Access Point External and Internal Antennas External Antenna Connectors Antenna Sectorization Cisco 1000 Series Lightweight Access Point LEDs Cisco 1000 Series Lightweight Access Point Connectors Cisco 1000 Series Lightweight Access Point Power Requirements Cisco 1000 Series Lightweight Access Point External Power Supply Cisco 1000 Series Lightweight Access Point Mounting Options Cisco 1000 Series Lightweight Access Point Physical Security Using the DNS for Controller Discovery Dynamic Frequency Selection Autonomous Access Points Converted to Lightweight Mode Guidelines for Using Access Points Converted to Lightweight Mode Reverting from Lightweight Mode to Autonomous Mode Using a Controller to Return to a Previous Release Using the MODE Button and a TFTP Server to Return to a Previous Release Controllers Accept SSCs from Access Points Converted to Lightweight Mode Using DHCP Option 43 Using a Controller to Send Debug Commands to Access Points Converted to Lightweight Mode Converted Access Points Send Crash Information to Controller Converted Access Points Send Radio Core Dumps to Controller Enabling Memory Core Dumps from Converted Access Points Display of MAC Addresses for Converted Access Points Page Page Managing Controller Software and Configurations Transferring Files to and from a Controller Upgrading Controller Software Page Saving Configurations Clearing the Controller Configuration Erasing the Controller Configuration Resetting the Controller Page Configuring Radio Resource Management Overview of Radio Resource Management Radio Resource Monitoring Dynamic Channel Assignment Dynamic Transmit Power Control Coverage Hole Detection and Correction Client and Network Load Balancing RRM Benefits Overview of RF Groups RF Group Leader RF Group Name Configuring an RF Group Using the GUI to Configure an RF Group Using the CLI to Configure RF Groups Viewing RF Group Status Using the GUI to View RF Group Status Page Page Using the CLI to View RF Group Status Enabling Rogue Access Point Detection Using the GUI to Enable Rogue Access Point Detection Page Page Using the CLI to Enable Rogue Access Point Detection Configuring Dynamic RRM Using the GUI to Configure Dynamic RRM Page Page Page Page Page Using the CLI to Configure Dynamic RRM Overriding Dynamic RRM Statically Assigning Channel and Transmit Power Settings to Access Point Radios Using the GUI to Statically Assign Channel and Transmit Power Settings Page Using the CLI to Statically Assign Channel and Transmit Power Settings Disabling Dynamic Channel and Power Assignment Globally for a Controller Using the GUI to Disable Dynamic Channel and Power Assignment Using the CLI to Disable Dynamic Channel and Power Assignment Viewing Additional RRM Settings Using the CLI Configuring Mobility Groups Overview of Mobility Page Page Overview of Mobility Groups Page Determining When to Include Controllers in a Mobility Group Configuring Mobility Groups Prerequisites Using the GUI to Configure Mobility Groups Page Page Using the CLI to Configure Mobility Groups Configuring Auto-Anchor Mobility Guidelines for Using Auto-Anchor Mobility Using the GUI to Configure Auto-Anchor Mobility Page Using the CLI to Configure Auto-Anchor Mobility A Safety Considerations and Translated Safety Warnings Safety Considerations Warning Definition A-3 A-4 A-5 Class 1 Laser Product Warning A-6 A-7 Ground Conductor Warning A-8 A-9 Chassis Warning for Rack-Mounting and Servicing A-10 A-11 A-12 Page Page A-15 Page Page A-18 Battery Handling Warning for 4400 Series Controllers A-19 A-20 Equipment Installation Warning A-21 Page A-23 More Than One Power Supply Warning for 4400 Series Controllers A-24 Page Page B Declarations of Conformity and Regulatory Information Regulatory Information for 1000 Series Access Points Manufacturers Federal Communication Commission Declaration of Conformity Statement Tested To Comply With FCC Standards FOR HOME OR OFFICE USE Department of CommunicationsCanada Canadian Compliance Statement European Community, Switzerland, Norway, Iceland, and Liechtenstein Declaration of Conformity with Regard to the R&TTE Directive 1999/5/EC Declaration of Conformity for RF Exposure Guidelines for Operating Cisco Aironet Access Points in Japan Japanese Translation English Translation 03-5549-6500 Administrative Rules for Cisco Aironet Access Points in Taiwan Access Points with IEEE 802.11a Radios All Access Points English Translation Declaration of Conformity Statements FCC Statements for Cisco 2000 Series Wireless LAN Controllers Page Page C End User License and Warranty End User License Agreement Page Limited Warranty Page Disclaimer of Warranty General Terms Applicable to the Limited Warranty Statement and End User License Agreement Additional Open Source Terms Page D System Messages and Access Point LED Patterns System Messages Page Using Client Reason and Status Codes in Trap Logs Client Reason Codes Client Status Codes Using Lightweight Access Point LEDs INDEX Numerics A B Page D E F G H I N P Q R S T U V W