Packet Tracer - Configure a WPA2 Enterprise WLAN on

the WLC
Addressing Table
Device Interface IP Address

R1 G0/0/0.5 192.168.5.1/24

R1
G0/0/0.200 192.168.200.1/24

R1
G0/0/1 172.31.1.1/24
SW1 VLAN 200 192.168.200.100/24
LAP-1 G0 DHCP
WLC-1 Management 192.168.200.254/24
RADIUS/SNMP Server NIC 172.31.1.254/24
Admin PC NIC 192.168.200.200/24

Objectives
In this activity, you will configure a new WLAN on a wireless LAN controller (WLC), including
the VLAN interface that it will use. You will configure the WLAN to use a RADIUS server and
WPA2-Enterprise to authenticate users. You will also configure the WLC to use an SNMP
server.
         Configure a new VLAN interface on a WLC.
         Configure a new WLAN on a WLC.
         Configure a new scope on the WLC internal DHCP server.
         Configure the WLC with SNMP settings.
         Configure the WLC to user a RADIUS server to authenticate WLAN users.
         Secure a WLAN with WPA2-Enterprise.
         Connect hosts to the new WLC.

Background / Scenario
You have already configured and tested the WLC with an existing WLAN. You configured
WPA2-PSK for that WLAN because it was to be used in a smaller business. You have been
asked to configure and test a WLC topology that will be used in a larger enterprise. You know
that WPA2-PSK does not scale well and is not appropriate to use in an enterprise network. This
new topology will use a RADIUS server and WPA2-Enterprise to authenticate WLAN users.
This allows administration of the user accounts from a central location and provides enhanced
security and transparency because each account has its own username and password. In
addition, user activity is logged on the server.
In this lab, you will create a new VLAN interface, use that interface to create a new WLAN, and
secure that WLAN with WPA2-Enterprise. You will also configure the WLC to use the enterprise
RADIUS server to authenticate users. In addition, you will configure the WLC to use a SNMP
server.
Instructions
Part 1: Create a new WLAN

Step 1: Create a new VLAN interface.

Each WLAN requires a virtual interface on the WLC. These interfaces are known as dynamic
interfaces. The virtual interface is assigned a VLAN ID and traffic that uses the interface will be
tagged as VLAN traffic. This is why connections between the APs, the WLC, and the router are
over trunk ports. For the traffic from multiple WLANs to be transported through the network,
traffic for the WLAN VLANs must be trunked.
a.     Open the browser from the desktop of Admin PC. Connect to the IP address of the WLC
over HTTPS.
b.     Login with the username admin and password Cisco123.
c.     Click the Controller menu and then click Interfaces from the menu on the left. You will see
the default virtual interface and the management interface to which you are connected.
d.     Click the New button in the upper right-hand corner of the page. You may need to scroll the
page to the right to see it.
e.     Enter the name of the new interface. We will call it WLAN-5. Configure the VLAN ID as 5.
This is the VLAN that will carry traffic for the WLAN that we create later. Click Apply. This
leads to a configuration screen for the VLAN interface.
f.      First, configure the interface to use physical port number 1. Multiple VLAN interfaces can
use the same physical port because the physical interfaces are like dedicated trunk ports.
g.     Address the interface as follows:
IP Address: 192.168.5.254
Netmask: 255.255.255.0
Gateway: 192.168.5.1
Primary DHCP server: 192.168.5.1
User traffic for the WLAN that uses this VLAN interface will be on the 192.168.5.0/24
network. The default gateway is the address of an interface on router R-1. A DHCP pool
has been configured on the router. The address that we configure here for DHCP tells the
WLC to forward all DHCP requests that it receives from hosts on the WLAN to the DHCP
server on the router.
h.     Be sure to click Apply to enact your changes and click OK to respond to the warning
message. Click Save Configuration so that your configuration will be in effect when the
WLC restarts.

Step 2: Configure the WLC to use a RADIUS server.

WPA2-Enterprise uses an external RADIUS server to authenticate WLAN users. Individual user
accounts with unique usernames and passwords can be configured on the RADIUS server.
Before the WLC can use the services of the RADIUS server, the WLC must be configured with
the server address.
a.     Click the Security menu on the WLC.
b.     Click the New button and enter the IP address of the RADIUS server in the Server IP
Address field.
 c.     The RADIUS server will authenticate the WLC before it will allow the WLC to access the
user account information that is on the server. This requires a shared secret value.
Use Cisco123. Confirm the shared secret and click Apply.
Note: It is not a good practice to reuse passwords. This activity reuses passwords only to
make the activity easier for you to complete and review.

Step 3: Create a new WLAN.

Create a New WLAN. Use the newly created VLAN interface for the new WLAN.
a.     Click the WLANs entry in the menu bar. Locate the dropdown box in the upper right-had
corner of the WLANs screen. It will say Create New. Click Go to create a new WLAN.
b.     Enter the Profile Name of the new WLAN. Use the profile name Floor 2 Employees.
Assign an SSID of SSID-5 to the WLAN. Change the ID drop down to 5. Hosts will need to
use this SSID to join the network. When you are done, click Apply to accept your settings.
Note: The ID is an arbitrary value that is used as a label for the WLAN. In this case, we
configured it as 5 to be consistent with VLAN for the WLAN. It could be any available value.
c.     Click Apply so that the settings go into effect.
d.     Now that the WLAN has been created you can configure features of the network.
Click Enabled to make the WLAN functional. It is a common mistake to accidentally skip
this step.
e.     Choose the VLAN interface that will be used for the new WLAN. The WLC will use this
interface for user traffic on the network. Click the drop-down box for Interface/Interface
Group (G). Select the interface that we created in Step 1.
f.      Go to the Advanced tab. Scroll to FlexConnect section of the interface.
g.     Click to enable FlexConnect Local Switching and FlexConnect Local Auth.
h.     Click Apply to enable the new WLAN. If you forget to do this, the WLAN will not operate.

Step 4: Configure WLAN security.

Instead of WPA2-PSK, we will configure the new WLAN to use WPA2-Enterprise.
a.     Click the WLAN ID of the newly created WLAN to continue configuring it, if necessary.
b.     Click the Security tab. Under the Layer 2 tab, select WPA+WPA2 from the drop-down box.
c.     Under WPA+WPA2 Parameters, enable WPA2 Policy. Click 802.1X under Authentication
Key Management. This tells the WLC to use the 802.1X protocol to authenticate users
externally.
d.     Click the AAA Servers tab. Open the drop-down next to Server 1 in the Authentication
Servers column and select the server that we configured in Step 2.
e.     Click Apply to enact this configuration. You have now configured the WLC to use the
RADIUS sever to authenticate users that attempt to connect to the WLAN.

Part 2: Configure a DHCP Scope and SNMP

Step 1: Configure a DHCP Scope.

The WLC offers its own internal DHCP server. Cisco recommends that the WLAN DHCP server
not be used for high-volume DHCP services, such as that required by larger user WLANs.
However, in smaller networks, the DHCP server can be used to provide IP addresses to LAPs
that are connected to the wired management network. In this step, we will configure a DHCP
scope on the WLC and use it to address LAP-1.
a.     Should be connected to the WLC GUI from Admin PC.
b.     Click the Controller menu and then click Interfaces.
Question:

What interfaces are present?

R.- WLAN-5, management, virtual

c.     Click the management Interface. Record its addressing information here.

Questions:

IP address:192.168.200.254
Netmask:255.255.255.0
Gateway:192.168.200.1
Primary DHCP server:0.0.0.0 No indicado.
d.     We want the WLC to use its own DHCP sever to provide addressing to devices on the
wireless management network, such as lightweight APs. For this reason, enter the IP
address of the WLC management interface as the primary DHCP server address.
Click Apply. Click OK to acknowledge any warning messages that appear.
e.     In the left-hand menu, expand the Internal DHCP Server section. Click DHCP Scope.
f.      To create a DHCP scope, click the New… button.
g.     Name the scope Wired Management. You will configure this DHCP scope to provide
addresses to the wired infrastructure network that connects the Admin PC, WLC-1, and
LAP-1.
h.     Click Apply to create the new DHCP scope.
i.      Click the new scope in the DHCP Scopes table to configure addressing information for the
scope. Enter the following information.
Pool Start Address: 192.168.200.240
Pool End Address: 192.168.200.249
Status: Enabled
Provide the values for Network, Netmask, and Default Routers from the information you
gathered in Step 1c.
j.      Click Apply to activate the configuration. Click Save Configuration in the upper-right-hand
corner of the WLC interface to save your work so that it is available when the WLC restarts.
The internal DHCP server will now provide an address to LAP-1 after a brief delay. When
LAP-1 has its IP address, the CAPWAP tunnel will be established and LAP-1 will be able to
provide access to the Floor 2 Employees (SSID-5) WLAN. If you move the mouse over
LAP-1 in the topology, you should see its IP address, the status of the CAPWAP tunnel,
and the WLAN that LAP-1 is providing access to.
Step 2: Configure SNMP
a.     Click the Management menu in the WLC GUI and expand the entry for SNMP in the left-
hand menu.
b.     Click Trap Receivers and then New…
c.     Enter the community string as WLAN_SNMP and the IP address of the server
at 172.31.1.254.
d.     Click Apply to finish the configuration.

Part 3: Connect Hosts to the Network

Step 1: Configure a host to connect to the enterprise network.

In the Packet Tracer PC Wireless client app, you must configure a WLAN Profile in order to
attach to a WPA2-Enterprise WLAN.
a.     Click Wireless Host and open the PC Wireless app.
b.     Click the Profiles tab and then click New to create a new profile. Name the profile WLC
NET.
c.     Highlight the Wireless Network Name for the WLAN that we created earlier and
click Advanced Setup.
d.     Verify that the SSID for the wireless LAN is present and then click Next. Wireless Host
should see SSID-5. If it does not, move the mouse over LAP-1 to verify that it is
communicating with the WLC. The popup box should indicate that LAP-1 is aware of SSID-
5. If it is not, check the WLC configuration. You can also manually enter the SSID.
e.     Verify that the DHCP network setting is selected and click Next.
f.      In the Security drop down box, select WPA2-Enterprise. Click Next.
g.     Enter login name user1 and the password User1Pass and click Next.
h.     Verify the Profile Settings and click Save.
i.      Select the WLC NET profile and click the Connect to Network button. After a brief delay,
you should see the Wireless Host connect to LAP-1. You can click the Fast Forward Time
button to speed up the process if it seems to be taking too long.
j.      Confirm that Wireless Host has connected to the WLAN. Wireless Host should receive an IP
address from the DHCP server that is configured for hosts on R1. The address will be in the
192.168.5.0/24 network. You may need to click the Fast Forward Time button speed up the
process.

Step 2: Test Connectivity.

a.     Close the PC Wireless app.
b.     Open a command prompt and confirm that Wireless Host laptop has obtained an IP address
from the WLAN network.
Question:

What network should the address be in? Explain.

The address should be in the 192.168.5.0/24 network. The interface was configured to get
its IP address from 192.168.5.1. That is the router subinterface address for VLAN 5. DHCP
is running on the router to provide addresses to wireless hosts.
c.     Ping the default gateway, SW1, and the RADIUS server. Success indicates full connectivity
within this topology.
Reflection Questions
1. The RADIUS server uses a dual authentication mechanism. What two things are
authenticated by the RADIUS server? Why do think this is necessary?
Es muy importante la autenticación debido a que el servidor radio maneja las tablas o datos de
todos los usuarios y contraseñas. La doble autenticación permite una seguridad mayor.

2. What are the advantages of WPA2-Enterprise over WPA2-PSK?

En WPA2-PSK todos los host deben tener la misma contraseña sin nombre de usuario. Esto
implica que la seguridad es menor o puede ser fácilmente vulnerable debido a que la contraseña
podría ser publica gracias a la gran cantidad de usuarios.