Note: The description in the article is based on the Cisco Catalyst 9800-L Wireless Controller with Cisco IOS XE Cupertino version 17.9.3 (currently recommended version). Connected to it are Cisco Catalyst 9164I AP access points.
New Configuration Model for WLAN
We set parameters that affect the hardware directly on the Access Point. The functions/features available to each AP (such as WLANs or Radio Frequency (RF) profiles) are controlled through Tags. A tag combines certain parameters (configurations) and is set on the AP. Each AP has 3 tags assigned; default tags are prepared for this out of the box.
Types of Tags:
- Policy Tag - WLAN Policy, mandatory
- Site Tag - Site Policy, optional
- RF Tag - Radio Policy, optional

Policy Tag - WLAN (SSID) Configuration
- Configuration - Tags & Profiles - Tags - Policy
If we want to create a WLAN, we must configure a Policy Tag, which contains the mapping of WLAN and Policy (up to 16 can be included). It's a list of WLANs (SSIDs) that the Access Point broadcasts, to which we assign the Policy Tag. Different WLAN Profiles can have the same Policy Profile assigned.
We can create just one Policy Tag and assign it to all APs. If we don't need to broadcast some SSIDs in certain parts of the network, for security reasons and to minimize SSIDs, we create multiple Policy Tags and assign them as needed.
- Policy Profile - we specify network and switching policies (Central or Local Switching), network assignment (VLAN), QoS, various Session Timeouts, Mobility Anchors
- WLAN Profile (SSID) - we specify wireless network parameters, SSID, used bands, security type (authentication), advanced protocols like IEEE 802.11k
Note: In AireOS, all SSID property settings were under WLAN. In the new configuration model, they are divided into Policy Profile and WLAN Profile.
Site Tag
- Configuration - Tags & Profiles - Tags - Site
Using the Site Tag, we determine whether the AP (switch Enable Local Site) is in local (Enabled) or FlexConnect mode (Disabled). We assign the AP Join Profile, or Flex Profile. It is recommended to include APs in the same roaming domain in the same Site Tag.
- AP Join Profile - we set AP parameters such as Country Code, Time Zone, CAPWAP Timers, remote access to AP (to be able to log in via SSH, we must set credentials here), Security - Rogue Detection Minimum RSSI recommended -80
- Flex Profile - settings for FlexConnect, such as VLAN/ACL mapping, ARP caching, Local Authentication
RF Tag
- Configuration - Tags & Profiles - Tags - RF
Inside the RF Tag, we can select an RF Profile or choose to use global RF configuration. We set individual bands 2.4 GHz, 5 GHz and 6 GHz. Optionally, we can set a Radio Profile for individual radio slots.
- RF Profile - allows defining specific transmission rates to be used, setting Transmit Power Control (TPC), Dynamic Channel Assignment (DCA) and other Radio Resource Management (RRM) settings
- Radio Profile - contains a few settings, such as Antenna Beam Selection
General Procedure for Configuring Wireless Networks
Note: C9800 offers wizards for many configurations, but it's often clearer (for me also easier) to perform the configuration directly.
The configuration steps when we want to create a WLAN from scratch and broadcast it on certain APs are listed below. The first two points were described in the previous part; the others are briefly described here.
- add a VLAN that the WLAN will use and where WiFi clients will be placed
- prepare user authentication for the WLAN, for example, set up RADIUS (AAA)
- create a WLAN Profile, enter the SSID name, type of security (encryption and authentication) and other parameters
- create a Policy Profile, select the prepared VLAN and we can adjust other settings
- create a Policy Tag, where we combine the WLAN Profile and Policy Profile
- optionally we can create a Site Tag, mainly if we want to use FlexConnect somewhere or just for location identification, otherwise we use default-site-tag
- optionally we can create an RF Tag; often we can manage with default-rf-tag and configuration of the global settings, a separate RF Tag is useful if we have high client density in some spaces, like a conference hall
- on individual APs we set the Policy Tag (optionally also Site Tag and RF Tag), alternatively we can use Location or Filter
WLAN Profile
- Configuration - Tags & Profiles - WLANs
Generally, it is recommended that AP broadcasts as few SSIDs (WLANs) as possible. Cisco advises a maximum of 4. We can use a combination of security parameters (Mixed Mode) on one WLAN. But in practice, some (usually older) clients then have problems connecting (it's a relatively small percentage of devices). It's more reliable not to give clients a choice of different options and rather create two different WLANs.
Only some configuration items are mentioned below. Options change according to chosen variants.
Note: It's inconvenient that the names of created objects (in most configuration places) cannot be changed later. The only option is to create a new one and delete the original.
General
- Profile Name - name of the profile for identification
- SSID - name of the SSID
- WLAN ID - for internal identification
- Status - whether the profile is active
- Broadcast SSID - whether the SSID is broadcast, it's not recommended to hide SSID, it doesn't increase security and some clients may have problems
- Radio Policy - which bands are turned on for this WLAN, depends on the Security configuration

Security
At the top, we switch between
- Layer2 - basic security parameters
- Layer3 - here we set up Web Auth
- AAA - authentication for 802.1x

Security - Layer2
At the top under Layer2 we select the security standard, according to which configurations are offered, most often WPA2 + WPA3 or WPA3 (we shouldn't use outdated WEP or WPA, None might be necessary for Web Auth).
- MAC Filtering - if turned on, the device's MAC address is first verified when connecting (we set the list of allowed addresses in authentication under Device Authentication)
- WPA Parameters - according to the selection, WPA2 Policy and/or WPA3 Policy are set for us, which enables further settings
- WPA2/WPA3 Encryption - in most cases for both WPA2 and WPA3 we use AES(CCMP128), which offers all standard options under Auth Key Mgmt (when we choose WPA3 GCMP256, we can only use SUITEB192-1X)
- Protected Management Frame (PMF) - protection of management messages, must be set to Required for WPA3, for WPA2 we can use Optional, newer devices support PMF (today it's the majority), 8 years ago I didn't find any functional device during testing
- Fast Transition (FT) - fast switching between APs and reduction of the authentication load. Cisco recommends using Adaptive FT, which should also allow clients that don't support FT to connect, but in the past there were problems (for example, new iPhones didn't connect); moreover, Adaptive FT can't be used together with WPA3. Today most devices support FT, so we can generally turn it on, possibly creating a separate WLAN with FT turned off for the oldest devices. With the not recommended Over the DS option, client authentication takes place not over the air but over the LAN between APs
- Auth Key Mgmt - we select the authentication methods for client connection to the WLAN and set their parameters; different options are offered according to WPA Parameters. The basic options are PSK/SAE and 802.1x, the variants PSK-SHA256 and 802.1x-SHA256, and together with FT the options FT + SAE or FT + 802.1x (Cisco recommends that if we want to use FT + SAE, we also turn on SAE). For 802.1x we must set a list of authentication methods on the AAA tab
- MPSK Configuration - with certain configurations we can use MPSK (Multi-PreShared Key) and define multiple PSKs for one SSID

Advanced
- Aironet IE, Advertise AP Name - proprietary Cisco attribute useful for measurement (site survey) or debug, but in operation it's rather recommended to turn off (it can cause problems for some clients, from practice I would say that problems are not common), when turned on, additional information such as AP name, AP load, number of clients is broadcast in beacon and probe responses
- P2P Blocking Action - we can block traffic between individual clients within WLAN, which is good for security, but there must not be devices in the network with which clients would need to communicate (like Apple TV) or use applications that require direct connection (like calling), it's suitable for Guest SSID
- Advertise Support, Advertise PC Analytics Support - Device Analytics allows obtaining additional information from certain clients (Apple, Samsung, Intel AX210 ...)
- Assisted Roaming (11k) - it's recommended to use the IEEE 802.11k standard, Prediction Optimization turns on list generation for non 802.11k clients, Neighbor List turns on list generation for 802.11k clients within the same band, Dual Band Neighbor List generates a list for both bands (2.4 and 5 GHz), not recommended if we use only one band
- Band Select - tries to prefer the 5 GHz band by delaying the probe response on 2.4 GHz, newer clients should automatically prefer the 5 GHz band over 2.4 GHz, so this option is unnecessary for them

Policy Profile
- Configuration - Tags & Profiles - Policy
One of the main reasons for creating multiple Policy Profiles is when clients need to end up in different networks (VLAN). If I create multiple SSIDs with different security parameters (WLAN Profile) for the same network, we can use a common Policy Profile.
General
- Name - policy name for identification
- Status - whether the policy is active
- WLAN Switching Policy - we usually use Central Switching, Central Authentication, Central DHCP - communication goes through WLC

Access Policies
- VLAN - assign VLAN/VLAN Group

Advanced
In the WLAN Timeout section, important timeout values are set. By default (in this version of IOS XE), they are quite small.
- Session Timeout (sec) - the time after which the client should reauthenticate. This should happen without problems, but on a network with mobile phones using PSK/SAE, the client always disconnects for a few seconds after the given time (which drops ongoing communication, e.g., Teams meetings); on another network with laptops and 802.1x the problem does not occur (dot1x may take the session timeout from RADIUS). It is worth increasing the default of 30 minutes (1800 seconds); 12 or more hours is no problem
- Idle Timeout (sec) - if the client does not communicate for the given time, it is considered inactive and is disconnected (deauthenticated), default 5 min (300 seconds)
- Client Exclusion Timeout (sec) - enables client exclusion on repeated failed authentication and sets the time for how long it is blocked, default 60 seconds
Other settings
- IPv4 DHCP Required - enabling forces clients to request or renew an IP address from DHCP upon connection, until then they cannot communicate in WLAN, this method allows strict control of used IP addresses, but many clients may have problems with it

RF Profile
- Configuration - Tags & Profiles - RF/Radio - RF
A Radio Frequency (RF) profile contains the radio configuration for the AP and determines how Radio Resource Management (RRM) operates the AP. Predefined profiles exist for the individual bands. For 2.4 and 5 GHz, three variants are prepared according to client density.
The default-rf-tag is often sufficient. It uses Global Config, which are the settings under Configuration - Radio Configurations - RRM, Network, Parameters. We can change these global settings.

Some parameters can be adjusted directly on the AP.
Assigning Tags to AP
For a specific AP to broadcast the prepared WLANs (SSID), it must have an assigned Policy Tag. Optionally, we can adjust other behavior and assign a Site Tag and RF Tag. There are many ways to do this.
Note: When changing the Tag, the AP loses its association with the WLC and reconnects.
Manual settings directly on the AP
- Configuration - Wireless - Access Points
Open the configuration of a specific AP and assign it on the General tab in the Tags section.

Manual settings using Wireless Setup
- Configuration - Wireless Setup - Advanced
For bulk settings, we can use the wizard. Click Start Now, then the button next to Tag APs. Then select the desired AP and after clicking Tag APs select the tags. Save at the end.
Manual central settings - Static
- Configuration - Tags & Profiles - Tags - AP - Static
APs are identified by their MAC address. In one place, we can set or adjust the Tags assigned to each AP.
Using location - Location
- Configuration - Tags & Profiles - Tags - AP - Location
We can define a Location that has assigned Tags and specific AP.
Using filter - Filter
- Configuration - Tags & Profiles - Tags - AP - Filter
We can define rules that select APs by name defined by a regular expression.
Examples of WLAN configurations
Several examples of how WLANs can be configured. Only selected parameters are listed; the others can be set according to the previous description or left at default. Settings related to RADIUS authentication are described in the article Microsoft NPS as RADIUS for WiFi.
Modern corporate laptops with access to the internal network
Uses 802.1x EAP-TLS authentication via RADIUS, where devices authenticate with a computer certificate. On the RADIUS server, we can restrict to a selected group of computers. Only the 5 GHz band with WPA3 Enterprise is allowed.
Policy Profile - wifi
- VLAN/VLAN Group: VLAN for internal network
WLAN Profile - wifi
- SSID: wifi
- Radio Policy: 5 GHz Enabled
- Security - Layer2: WPA3
- WPA Parameters: WPA3 Policy
- WPA2/WPA3 Encryption: AES(CCMP128)
- Protected Management Frame: Required
- Fast Transition: Enabled
- Auth Key Mgmt: 802.1x-SHA256, FT + 802.1x
- Security - AAA - Authentication List: AuthDomain (prepared Authentication dot1x group list for RADIUS)
Other devices with access to the internal network
Uses MAC Filtering and 802.1x PEAP-MSCHAP v2 authentication via RADIUS, where users authenticate with a username and password. The 2.4 and 5 GHz bands with WPA2 and WPA3 (WPA3-Enterprise Transition) are allowed.
WLAN Profile - wifi2
- SSID: wifi2
- Radio Policy: 5 GHz Enabled, 2.4 GHz Enabled 802.11g only
- Security - Layer2: WPA2 + WPA3
- MAC Filtering: Enabled
- Authorization List: MACfilter-local (prepared Authorization network local list)
- WPA Parameters: WPA2 Policy, WPA3 Policy
- WPA2/WPA3 Encryption: AES(CCMP128)
- Protected Management Frame: Required
- Fast Transition: Enabled
- Auth Key Mgmt: 802.1x, 802.1x-SHA256, FT + 802.1x
- Security - AAA - Authentication List: AuthDomain (prepared Authentication dot1x group list for RADIUS)
Guest internet access with Web Auth
Open network where authentication is performed on a web page (Captive Portal) using an account created, for example, at the reception. The 2.4 and 5 GHz bands with Open (None) are allowed.
Policy Profile - host
- VLAN/VLAN Group: VLAN for guest access
WLAN Profile - host
- SSID: host
- Radio Policy: 5 GHz Enabled, 2.4 GHz Enabled 802.11g only
- Security - Layer2: None
- Protected Management Frame: Disabled
- Fast Transition: Disabled
- Security - Layer3 - Web Policy: Enabled
- Web Auth Parameter Map: global
- Authentication List: AuthLocal (prepared Authentication login local list)
- Preauthentication ACL IPv4: PreACL (prepared ACL)
- P2P Blocking Action: Block
Employee internet access
Uses PSK (Pre-Shared Key) authentication. The 2.4 and 5 GHz bands with WPA2 and WPA3 (WPA3-Personal Transition) are allowed.
WLAN Profile - host2
- SSID: host2
- Radio Policy: 5 GHz Enabled, 2.4 GHz Enabled 802.11g only
- Security - Layer2: WPA2 + WPA3
- WPA Parameters: WPA2 Policy, WPA3 Policy
- WPA2/WPA3 Encryption: AES(CCMP128)
- Protected Management Frame: Optional
- Fast Transition: Enabled
- Auth Key Mgmt: PSK, SAE, PSK-SHA256, FT + PSK, FT + SAE
- Pre-Shared Key: login key
Policy Tag - Company-default
Maps the individual SSIDs that an AP will broadcast once this tag is assigned to it.
- Name: Company-default
- WLAN-POLICY Maps:
- WLAN Profile: wifi + Policy Profile: wifi
- WLAN Profile: wifi2 + Policy Profile: wifi
- WLAN Profile: host + Policy Profile: host
- WLAN Profile: host2 + Policy Profile: host
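The Security - Layer2 section above lists several constraints that the GUI only partly enforces (PMF Required for WPA3-only, no Adaptive FT with WPA3, GCMP256 only with SUITEB192-1X, SAE alongside FT + SAE, an AAA list for 802.1x, at most 16 maps per Policy Tag). The following script is an added example, not tooling from the article or from Cisco: it turns those rules into a lint and runs it over the four WLAN Profiles and the Company-default Policy Tag from this examples section, plus one constructed misconfiguration. The dict layout and key names are this script's own assumption (they mirror the GUI labels), not a 9800 export format.

```python
"""Lint for C9800 WLAN Layer2 settings and Policy Tag maps.

Added example, not tooling from the article or from Cisco. The rules come from
the Security - Layer2 and Advanced sections; the dict layout and key names are
this script's assumption (they mirror the GUI labels). BROKEN is constructed.
"""
from __future__ import annotations

LEGACY_LAYER2 = {"WEP", "WPA"}   # outdated per the article
MAX_WLAN_POLICY_MAPS = 16        # WLAN/Policy maps allowed in one Policy Tag


def check_wlan(p: dict) -> list[str]:
    """Return findings for one WLAN Profile; an empty list means consistent."""
    findings: list[str] = []
    layer2 = p.get("layer2", "None")
    wpa = set(p.get("wpa_parameters", []))
    akm = set(p.get("auth_key_mgmt", []))
    pmf = p.get("pmf", "Disabled")
    ft = p.get("fast_transition", "Disabled")   # Enabled / Disabled / Adaptive
    wpa3 = "WPA3 Policy" in wpa
    wpa3_only = wpa3 and "WPA2 Policy" not in wpa

    if layer2 in LEGACY_LAYER2:
        findings.append(f"{layer2} is outdated; use WPA2 + WPA3 or WPA3")
    # WPA3-only needs PMF Required. In WPA2 + WPA3 transition mode the article's
    # host2 example keeps PMF Optional, so only Disabled is flagged there.
    if wpa3_only and pmf != "Required":
        findings.append("WPA3-only WLAN needs PMF = Required")
    elif wpa3 and pmf == "Disabled":
        findings.append("PMF cannot be Disabled while WPA3 Policy is on")
    if wpa3 and ft == "Adaptive":
        findings.append("Adaptive FT cannot be used together with WPA3")
    if p.get("encryption") == "GCMP256" and akm != {"SUITEB192-1X"}:
        findings.append("GCMP256 allows only SUITEB192-1X under Auth Key Mgmt")
    if "FT + SAE" in akm and "SAE" not in akm:
        findings.append("FT + SAE selected: Cisco recommends enabling SAE as well")
    if any("802.1x" in a for a in akm) and not p.get("aaa_authentication_list"):
        findings.append("802.1x AKM needs an Authentication List on the AAA tab")
    if layer2 == "None" and not p.get("web_auth"):
        findings.append("open WLAN without Web Auth: any client can associate")
    if not p.get("broadcast_ssid", True):
        findings.append("hidden SSID adds no security and troubles some clients")
    return findings


def check_policy_tag(maps: list[tuple[str, str]]) -> list[str]:
    """Validate the (WLAN Profile, Policy Profile) maps of one Policy Tag."""
    findings: list[str] = []
    if len(maps) > MAX_WLAN_POLICY_MAPS:
        findings.append(f"{len(maps)} maps exceed the limit of {MAX_WLAN_POLICY_MAPS}")
    seen: set[str] = set()
    for wlan, _policy in maps:
        if wlan in seen:   # a WLAN Profile maps to exactly one Policy Profile per tag
            findings.append(f"WLAN Profile {wlan} mapped twice")
        seen.add(wlan)
    return findings


# The four WLAN Profiles from the examples section, as the GUI shows them.
WLANS = {
    "wifi": {"layer2": "WPA3", "wpa_parameters": ["WPA3 Policy"],
             "encryption": "AES(CCMP128)", "pmf": "Required", "fast_transition": "Enabled",
             "auth_key_mgmt": ["802.1x-SHA256", "FT + 802.1x"],
             "aaa_authentication_list": "AuthDomain"},
    "wifi2": {"layer2": "WPA2 + WPA3", "wpa_parameters": ["WPA2 Policy", "WPA3 Policy"],
              "encryption": "AES(CCMP128)", "pmf": "Required", "fast_transition": "Enabled",
              "auth_key_mgmt": ["802.1x", "802.1x-SHA256", "FT + 802.1x"],
              "aaa_authentication_list": "AuthDomain", "mac_filtering": True},
    "host": {"layer2": "None", "pmf": "Disabled", "fast_transition": "Disabled",
             "web_auth": True, "p2p_blocking": "Block"},
    "host2": {"layer2": "WPA2 + WPA3", "wpa_parameters": ["WPA2 Policy", "WPA3 Policy"],
              "encryption": "AES(CCMP128)", "pmf": "Optional", "fast_transition": "Enabled",
              "auth_key_mgmt": ["PSK", "SAE", "PSK-SHA256", "FT + PSK", "FT + SAE"]},
}
COMPANY_DEFAULT = [("wifi", "wifi"), ("wifi2", "wifi"), ("host", "host"), ("host2", "host")]

# Constructed misconfiguration (not from the article): WPA3-only with GCMP256,
# PMF left Optional, Adaptive FT and no AAA Authentication List.
BROKEN = {"layer2": "WPA3", "wpa_parameters": ["WPA3 Policy"], "encryption": "GCMP256",
          "pmf": "Optional", "fast_transition": "Adaptive",
          "auth_key_mgmt": ["802.1x-SHA256"]}


def audit(wlans: dict, tag_maps: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Findings per object; objects without findings are omitted."""
    out = {name: check_wlan(p) for name, p in wlans.items()}
    out["policy-tag"] = check_policy_tag(tag_maps)
    return {k: v for k, v in out.items() if v}


if __name__ == "__main__":
    for name, found in audit({**WLANS, "broken": BROKEN}, COMPANY_DEFAULT).items():
        print(name, "->", "; ".join(found))
```

Run as-is, the four profiles from the article pass and only the constructed "broken" profile reports findings; the same checks can be pointed at any WLAN Profile transcribed from the GUI before it is put into a Policy Tag.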