Solved

Wireless APs

Posted on 2014-02-17
Last Modified: 2014-02-25
Dear Experts,

We have 2 small regional offices (approx. 5-10 users in each) and we would like to have wireless functionality to connect to corporate resources.

The thinking is to just buy an AP and connect it to the LAN switch. Our concerns are security and authentication: we would like only users logged in with their Windows credentials to be able to connect to the wireless network, but we don't want the hassle of having a central appliance like a Cisco WLC.

Can you recommend a solution / Wireless AP pref. Cisco that would accomplish this?
Question by: Bladey001

Expert Comment
by: Jordan Medlen
ID: 39864760
Check out Ubiquiti. They have a free software controller and the access points are very reasonable. You can research at http://ubnt.com. I have used the Ubiquiti for some time now.

Expert Comment
by: Craig Beck
ID: 39867401
+1 for Ubiquiti.  You could use standalone Cisco APs too though (no controller required) if that's your preference.

If you want to use AD credentials to authenticate users you need a RADIUS server.  This can be easily accomplished by installing the NPS role on a Windows Server.

Author Comment
by: Bladey001
ID: 39867759
We have a RADIUS server already in our head office.

We have a couple of Cisco 1600 APs we could potentially use. If I configure one for each regional office and point to look for our central RADIUS server, should this work?

Expert Comment
by: Craig Beck
ID: 39867870
Yes that will work.

Just remember, though, that if the link to the central RADIUS server goes down, new clients won't be able to connect, and if a user moves from one AP to another, that won't work either.

Author Comment
by: Bladey001
ID: 39867912
So if we ever needed to have 2 APs in a regional office and give clients the ability to move from one AP to the other, would I then need a WLC/Ubiquiti solution?

Expert Comment
by: Craig Beck
ID: 39868003
Apologies, I just realized that I wasn't really clear in my last comment.

Only if the link between the regional office and the central office went down would roaming between APs stop working.

While the link between the sites is up the RADIUS authentication works fine, but if it goes down the APs can't ask the RADIUS server if the client is allowed to connect, so authentication would fail.

Expert Comment
by: bill30
ID: 39868080
If you have the APs in Lightweight mode connected to a WLC back at the main office, you can set the APs to use FlexConnect and tie it in with a RADIUS server. FlexConnect will allow for RADIUS authentication without a connection back to the WLC. An example can be found here: https://supportforums.cisco.com/docs/DOC-24082

If you have the APs in Autonomous mode, this Cisco guide will help you configure each AP to authenticate a new user to a Windows 2008 Server: http://www.cisco.com/c/en/us/support/docs/wireless/aironet-1100-series/44844-leapserver.html

The CLI will be something like:

aaa new-model
aaa group server radius rad_eap
     server x.x.x.x auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
aaa session-id common
! the key must match the RADIUS client secret configured on the NPS server;
! IOS takes the rest of the line literally, so do not wrap it in quotes
radius-server host x.x.x.x auth-port 1812 acct-port 1813 key yourkeyhere
!
dot11 ssid CompanyWifi
   ! clear any earlier open/PSK settings before enabling EAP on the SSID
   no authentication open
   no wpa-psk ascii
   authentication open eap eap_methods
   authentication network-eap eap_methods
   ! WPA2-Enterprise key management (added here; not in the original snippet)
   authentication key-management wpa version 2
!
interface Dot11Radio0
   ! bind the SSID to the radio with AES-CCMP (added here; not in the original snippet)
   encryption mode ciphers aes-ccm
   ssid CompanyWifi

You can troubleshoot the EAP handshake with: debug radius authentication
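As an added illustration of the dependency discussed in this thread (an AP can only admit a client when it can reach a RADIUS server that shares its key, the "key" on the radius-server line above and the RADIUS client secret in NPS), here is a small Python model of the RFC 2865 exchange. This is example code written for this page, not code from the thread, Cisco or Microsoft. To run entirely in-process it uses the legacy User-Password (PAP) attribute rather than the EAP exchange the SSID above performs, but the packet header, Request/Response Authenticator and shared-secret handling are identical. The NAS address 10.1.2.3, the user table and the key values are constructed.

```python
"""RADIUS round trip between an access point (the NAS) and a RADIUS server,
modelled after RFC 2865. Hypothetical example written for this page; not from
the thread, Cisco or Microsoft. The shared secret is the AP's "key" and the
RADIUS client secret in NPS: every request and reply depends on it."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_NAS_PORT_TYPE = 1, 2, 4, 61
NAS_PORT_TYPE_WIRELESS_80211 = 19  # RFC 2865 value for "Wireless - IEEE 802.11"

# Constructed user table standing in for the AD lookup NPS would perform.
USERS = {"alice": "correct horse battery staple"}


def encode_attr(atype, value):
    """Type-Length-Value attribute; the length covers the 2-byte header."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def parse_attrs(data):
    """Walk the attribute list, refusing lengths that overrun the packet."""
    attrs, i = {}, 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def _password_blocks(data, secret, authenticator, decode):
    """RFC 2865 section 5.2 User-Password stream: XOR each 16-byte block with
    MD5(secret + previous block); the 'previous block' is always ciphertext."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        pad = hashlib.md5(secret + prev).digest()
        chunk = data[i:i + 16]
        result = bytes(a ^ b for a, b in zip(chunk, pad))
        out += result
        prev = chunk if decode else result
    return out


def obfuscate_password(password, secret, authenticator):
    """Pad to a multiple of 16 bytes (minimum 16) and hide it under the secret."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    return _password_blocks(padded, secret, authenticator, decode=False)


def recover_password(encoded, secret, authenticator):
    """Server side: undo the obfuscation with the server's copy of the secret."""
    return _password_blocks(encoded, secret, authenticator, decode=True).rstrip(b"\x00")


def build_access_request(ident, secret, username, password, nas_ip, authenticator=None):
    """What the AP sends to UDP/1812. Returns (packet, request_authenticator)."""
    authenticator = authenticator or os.urandom(16)
    attrs = encode_attr(ATTR_USER_NAME, username.encode())
    attrs += encode_attr(ATTR_USER_PASSWORD, obfuscate_password(password.encode(), secret, authenticator))
    attrs += encode_attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    attrs += encode_attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs, authenticator


def build_response(code, ident, request_authenticator, secret, attrs=b""):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_authenticator + attrs + secret).digest() + attrs


def verify_response(packet, request_authenticator, secret):
    """AP side: return the response code, or None if the reply does not prove
    knowledge of the shared secret (or is malformed)."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return None
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return packet[0] if hmac.compare_digest(expected, packet[4:20]) else None


def radius_server(packet, server_secret):
    """Minimal server: recover the password with its own secret and decide."""
    ident, req_auth = packet[1], packet[4:20]
    attrs = parse_attrs(packet[20:])
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = recover_password(attrs.get(ATTR_USER_PASSWORD, b""), server_secret, req_auth)
    ok = user in USERS and hmac.compare_digest(USERS.get(user, "").encode(), password)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, server_secret)


def authenticate(username, password, ap_secret, server_secret):
    """One AP -> RADIUS round trip in-process: 'accept', 'reject', or
    'invalid-response' when the two sides do not share the same key."""
    request, req_auth = build_access_request(7, ap_secret, username, password, "10.1.2.3")
    code = verify_response(radius_server(request, server_secret), req_auth, ap_secret)
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "invalid-response")


if __name__ == "__main__":
    key = b"yourkeyhere"
    print(authenticate("alice", "correct horse battery staple", key, key))      # accept
    print(authenticate("alice", "wrong", key, key))                             # reject
    print(authenticate("alice", "correct horse battery staple", key, b"typo"))  # invalid-response
```

The third case is the one to keep in mind when the AP's key and the NPS client secret drift apart: the server does answer, but the AP cannot validate the reply and treats the server as unresponsive, which looks much like the WAN-down case in `debug radius authentication`. The server's own decode of the User-Password also yields garbage under a mismatched secret, so it rejects regardless.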

Expert Comment
by: Craig Beck
ID: 39868133
Hmmm, FlexConnect will allow for the link to the RADIUS without the link to the WLC - that's true.

So answer this... If the WAN link goes down and the RADIUS server is at the CENTRAL site, how does the FlexConnect AP see the RADIUS server?

Expert Comment
by: Craig Beck
ID: 39868140
...anyhow, a WLC/FlexConnect isn't an issue here...

> we don't want the hassle of having a central appliance like Cisco WLC

Expert Comment
by: bill30
ID: 39868235
@craigbeck, they are using something to authenticate Windows domain users at the remote sites; this would have the same dependency. They would have the same issue with an autonomous AP if there was no Windows server authenticating for their domain at the remote site.

I was adding the FlexConnect information as an option, if they wanted resiliency with the WAN down, to be able to manage their APs centrally, and be secure. They would still need the APs to point to a local Windows domain server in either scenario.

Expert Comment
by: Craig Beck
ID: 39868428
@bill30 - neither local authentication nor FlexConnect is an option here. The OP clearly states that there is no desire to use a WLC, therefore FlexConnect is out of the question. Also, in post ID: 39867759, Bladey001 asked:

> If I configure one for each regional office and point to look for our central RADIUS server, should this work?

This implies that there is no local RADIUS server at either site and therefore there is a dependency on the WAN links, as I mentioned.

To reiterate, there is no mention of local RADIUS, or WLC.

> they are using something to authenticate windows domain users at the remote sites, this would have the same dependency.

This is incorrect.  A site can have a local domain controller which authenticates users on a domain without needing a link to the central site.  There is no WAN dependency here as the local DC holds a local copy of the Active Directory and can authenticate users directly.  The only issue here would be replication of changes to other DCs at the other sites, but that won't impact authentication on the workstations.

With the case of the branch AP, if it uses RADIUS at the central site the RADIUS will likely use the central AD server so a local AD server wouldn't be a requirement or a benefit.  If the AP lost its WAN link it would need a local RADIUS server, but as I said, that isn't mentioned in this thread.

Author Comment
by: Bladey001
ID: 39869637
Wow, I've only just seen all these responses, so I must apologize because I think I have caused some confusion here!

At our head office we do have a WLC, and that is one of the reasons why we have a RADIUS server. What I was trying to imply was that I didn't want the hassle of having to put another WLC into each regional office because of the low number of users there. The regional offices do have a local DC holding a copy of AD, allowing local authentication.

In this case would FlexConnect be the ideal choice here?

Sorry again for not being clear guys, my fault entirely!

Accepted Solution
by: Craig Beck (earned 500 total points)
ID: 39869721
Ok thanks for clarifying.

If you do have a central WLC, FlexConnect is the ideal choice, of course. However, you'll still depend on the WAN link for new authentications and roaming if the WAN link fails, unless you install the NPS role on a server at the branches too.

If you want to be able to continue to work while the WAN link is down, FlexConnect and local RADIUS is the only option.

Author Comment
by: Bladey001
ID: 39869782
Ok great!

We have a WLC running software version 7.0.235.3, and the APs we have available are AIR-SAP-16021-E-K9.

Can you confirm if this will work with FlexConnect and if we need anything else?

Thanks again

Assisted Solution
by: Craig Beck (earned 500 total points)
ID: 39869849
No that won't work.

The SAP version APs are Autonomous out-of-the-box.  To use them with a WLC you'll need to put CAPWAP code on them.

However, your code is not recent enough to work with the 1602 AP anyway.  To run the 1602 with a WLC you need at least v7.4 code on the WLC.

What WLC do you have?

Author Comment
by: Bladey001
ID: 39869884
We have a Cisco 4402, I believe.

Expert Comment
by: Craig Beck
ID: 39869888
It'll never work then.

The 4400 series WLCs will only go up to v7.0.240.0 - they don't support the 1600 series AP at all.

Author Comment
by: Bladey001
ID: 39869892
Damn! FlexConnect looks like such a good solution as well...

So I guess for us at the moment it looks like sticking in the standalone AP and configuring it to authenticate with the RADIUS server at head office... until we get a new WLC.

Expert Comment
by: Craig Beck
ID: 39869992
Don't forget - you'll still need a RADIUS server locally at the site if you want to remove the dependency on the WAN link.

Expert Comment
by: bill30
ID: 39874582
To add to craigbeck's comment, only the 1200, 1250, the Cisco 1000 Series, and the Cisco 1500 Series LAPs work with the 4100 Series WLCs. And I believe most of those are EOL, so it's not an option to purchase more unless you go the used/refurb route. If they upgrade the main location WLC to a 2504 or 5508, you should have backwards compatibility with your main office APs and the satellite 1602s, and be able to employ FlexConnect. But I will throw in the caveat that we should check on the existing APs' configuration number.

Expert Comment
by: Craig Beck
ID: 39874603
> If they upgrade the main location WLC to a 2504 or 5508, you should have backwards compatibility with your main office APs and the satellite 1602s

It really depends on what APs are at the main site.

To use the 1600 you need 7.4 code, so APs such as the 1230 won't work anymore - they were EoL as of 7.0.240.0 WLC code and unsupported in 7.4.