Wireless APs

Dear Experts,

We have 2 small regional offices (approx. 5-10 users in each) and we would like to have wireless functionality to connect to corporate resources.

The thinking is to just buy an AP and connect it to the LAN switch. Our concerns are security and authentication, we would like only users logged in with their Windows credentials to be able to connect to the wireless network but we don't want the hassle of having a central appliance like Cisco WLC

Can you recommend a solution / Wireless AP pref. Cisco that would accomplish this?
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Jordan MedlenCommented:
Check out Ubiquiti. They have a free software controller and the access points are very reasonable. You can research at http://ubnt.com. I have used the Ubiquiti for some time now.
Craig BeckCommented:
+1 for Ubiquiti.  You could use standalone Cisco APs too though (no controller required) if that's your preference.

If you want to use AD credentials to authenticate users you need a RADIUS server.  This can be easily accomplished by installing the NPS role on a Windows Server.
Bladey001Author Commented:
We have a RADIUS server already in our head office.

We have a couple of Cisco 1600 APs we could potentially use. If I configure one for each regional office and point to look for our central RADIUS server, should this work?
Virus Depot: Cyber Crime Becomes Big Business

The rising threat of malware-as-a-service is not one to be overlooked. Malware-as-a-service is growing and easily purchased from a full-service cyber-criminal store in a “Virus Depot” fashion. View our webinar recording to learn how to best defend against these attacks!

Craig BeckCommented:
Yes that will work.

Just remember though that if the link to the central RADIUS server goes down new clients won't be able to connect and if a user moves from one AP to another that won't work either.
Bladey001Author Commented:
So if we ever needed to have 2 APs in a regional office and give clients the ability to move from one AP to the other would I then need a WLC/ubiquiti solution?
Craig BeckCommented:
Apologies I just realized that I wasn't really clear with my last comment.

Only if the link between the regional office and the central office went down would roaming between APs stop working.

While the link between the sites is up the RADIUS authentication works fine, but if it goes down the APs can't ask the RADIUS server if the client is allowed to connect, so authentication would fail.
If you have the AP's in Lightweight mode connected to a WLC back at the main office you can set the APs to use FlexConnect and tie it in with a Radius server.  Flexconnect will allow for Radius authentication without a connection back to the WLC.  An example can be found here: https://supportforums.cisco.com/docs/DOC-24082

If you have the AP's in Autonomous mode this Cisco guide will help you configure each AP to authenticate a new user to a Windows 2008 ServerL http://www.cisco.com/c/en/us/support/docs/wireless/aironet-1100-series/44844-leapserver.html

The CLI will be something like:

aaa new-model
aaa group server radius rad_eap
     server x.x.x.x auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
aaa session-id common
radius-server host x.x.x.x auth-port 1812 acct-port 1813 key "yourkeyhere"
dot11 ssid CompanyWifi
   no authentication open
   no wpa-psk ascii
   authentication open eap eap_methods
   authentication network-eap eap_methods

Open in new window

You can troubleshoot the EAP handshake with: debug radius authentication¿
Craig BeckCommented:
Hmmm, FlexConnect will allow for the link to the RADIUS without the link to the WLC - that's true.

So answer this... If the WAN link goes down and the RADIUS server is at the CENTRAL site, how does the FlexConnect AP see the RADIUS server??
Craig BeckCommented:
...anyhow a WLC/FlexConnect isn't an issue here...
we don't want the hassle of having a central appliance like Cisco WLC
@craigbeck, they are using something to authenticate windows domain users at the remote sites, this would have the same dependency.  They would have the same issue with an autonomous AP, if there was no windows server authenticating for their domain at the remote site.  

I was adding the FlexConnect information as an option, if they wanted resiliency with the WAN down, to be able to manage their AP's centrally, and be secure.  They would still need the AP's to point to a local windows domain server in either scenario.
Craig BeckCommented:
@bill30 - local authentication, nor FlexConnect is an option here.  The OP clearly states that there is no desire to use a WLC therefore FlexConnect is out of the question.  Also, in post ID: 39867759, Bladey001 asked:
If I configure one for each regional office and point to look for our central RADIUS server, should this work?
This implies that there is no local RADIUS server at either site and therefore there is a dependency on the WAN links as I mentioned.

To reiterate, there is no mention of local RADIUS, or WLC.

they are using something to authenticate windows domain users at the remote sites, this would have the same dependency.
This is incorrect.  A site can have a local domain controller which authenticates users on a domain without needing a link to the central site.  There is no WAN dependency here as the local DC holds a local copy of the Active Directory and can authenticate users directly.  The only issue here would be replication of changes to other DCs at the other sites, but that won't impact authentication on the workstations.

With the case of the branch AP, if it uses RADIUS at the central site the RADIUS will likely use the central AD server so a local AD server wouldn't be a requirement or a benefit.  If the AP lost its WAN link it would need a local RADIUS server, but as I said, that isn't mentioned in this thread.
Bladey001Author Commented:
Wow I've only just seen all these responses so I must apologize because i think i have caused some confusion here!

At our head office we do have a WLC, and is one of the reasons why we have a RADIUS server. What i was trying to imply was that i didn't want the hassle of having to put another WLC into each regional office because of the low number of users there. The regional offices do have a local DC holding a copy of AD allowing local authentication.

In this case would FlexConnect be the ideal choice here?

Sorry again for not being clear guys, my fault entirely!
Craig BeckCommented:
Ok thanks for clarifying.

If you do have a central WLC FlexConnect is the ideal choice, of course.  However you'll still depend on the WAN link for new authentications and roaming if the WAN link fails, unless you install the NPS role on a server at the branches too.

If you want to be able to continue to work while the WAN link is down, FlexConnect and local RADIUS is the only option.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Bladey001Author Commented:
Ok great!

We have a WLC running software version and the APs we have available are AIR-SAP-16021-E-K9

Can you confirm if this will work with FlexConnect and if we need anything else?

Thanks again
Craig BeckCommented:
No that won't work.

The SAP version APs are Autonomous out-of-the-box.  To use them with a WLC you'll need to put CAPWAP code on them.

However, your code is not recent enough to work with the 1602 AP anyway.  To run the 1602 with a WLC you need at least v7.4 code on the WLC.

What WLC do you have?
Bladey001Author Commented:
We have a Cisco 4402 I believe
Craig BeckCommented:
It'll never work then.

The 4400 series WLCs will only go up to v7.0.240.0 - they don't support the 1600 series AP at all.
Bladey001Author Commented:
Damn! FlexConnect looks like such a good solution as well...

So I guess for us at the moment it looks like sticking in the standalone AP and configure to authenticate with the RADIUS server at head office... until we get a new WLC
Craig BeckCommented:
Don't forget - you'll still need a RADIUS server locally at the site if you want to remove the dependency on the WAN link.
To add to craigbecks comment, only the 1200, 1250, the Cisco 1000 Series, and the Cisco 1500 Series LAPs work with the 4100 Series WLCs.  And I believe most of those are EOL so its not an option to purchase more unless you go the used/refurb route.  If they upgrade the main location WLC to a 2504 or 5508, you should have backwards compatibility with your main office AP's and the satelite 1602's, and be able to employ flexconnect.  But I will throw in the caveat that we should check on the existing AP's configuration number.
Craig BeckCommented:
If they upgrade the main location WLC to a 2504 or 5508, you should have backwards compatibility with your main office AP's and the satelite 1602's
It really depends on what APs are at the main site.

To use the 1600 you need 7.4 code, so APs such as the 1230 won't work anymore - they were EoL as of WLC code and unsupported in 7.4.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Wireless Hardware

From novice to tech pro — start learning today.