
Monday, July 12, 2010

Misc 39

In this article, we'll redesign the topology to support a more modular network, this time including a management VLAN. Keeping management traffic in its own VLAN also makes it easier to visualise the VLANs and how they work.


We now have the following VLANs:
VLAN 1 - Unused
VLAN 10 - MANAGEMENT
VLAN 20 - OFFICE
VLAN 30 - GUESTS

We'll begin with the router. Its F0/0 interface connects to the switch and will be our trunk, carrying all three VLANs on one 802.1Q sub-interface each, so we'll configure it like this:
interface FastEthernet0/0
speed 100
duplex full
no shutdown
interface FastEthernet0/0.10
encapsulation dot1Q 10
ip address 10.10.10.1 255.255.255.0
interface FastEthernet0/0.20
encapsulation dot1Q 20
ip address 20.20.20.1 255.255.255.0
interface FastEthernet0/0.30
encapsulation dot1Q 30
ip address 30.30.30.1 255.255.255.0


Now that connectivity is set up on the router side, let's set up the DHCP pools for the OFFICE and GUESTS VLANs, keeping the gateway address and the rest of the first nine addresses of each subnet out of the pool:
ip dhcp excluded-address 20.20.20.1 20.20.20.9
ip dhcp excluded-address 30.30.30.1 30.30.30.9
ip dhcp pool OFFICE
network 20.20.20.0 255.255.255.0
default-router 20.20.20.1
ip dhcp pool GUESTS
network 30.30.30.0 255.255.255.0
default-router 30.30.30.1


On the switch side, we'll set up the links to the router and the AP as trunks, like this:
interface range FastEthernet0/11 , FastEthernet0/12
speed 100
duplex full
! the trunk encapsulation is chosen before the port is made a trunk
switchport trunk encapsulation dot1q
switchport mode trunk


The AP's BVI1 sends its management traffic untagged, so we'll set the native VLAN of the switch's F0/11 interface (the port facing the AP) to VLAN 10 (MANAGEMENT) so that this untagged traffic lands in the management VLAN. We'll also set up the management SVI so the switch itself is reachable:
interface FastEthernet0/11
switchport trunk native vlan 10
interface Vlan10
ip address 10.10.10.2 255.255.255.0
ip default-gateway 10.10.10.1


Now the switch should be able to ping the router. Next we'll set up the WAP to support the VLANs. This first, simple setup uses open authentication: there is no strong authentication and the traffic is not encrypted. Security will be introduced in the next article.

We'll first set up connectivity for the AP itself. We need to give the BVI1 interface an IP address; its traffic leaves via G0, because both BVI1 and G0 belong to bridge-group 1:
interface GigabitEthernet0
speed 100
duplex full
interface BVI1
ip address 10.10.10.3 255.255.255.0
ip default-gateway 10.10.10.1


A BVI is similar to an SVI, except that while an SVI corresponds to a VLAN, a BVI corresponds to a bridge-group. Now we'll create two more sub-interfaces on G0, one for each of the other VLANs, each in its own bridge-group:
interface GigabitEthernet0.20
encapsulation dot1Q 20
bridge-group 20
interface GigabitEthernet0.30
encapsulation dot1Q 30
bridge-group 30


We'll now set up the wireless side, beginning with the SSIDs. Each SSID is mapped to its VLAN, uses open authentication for now, and is set to guest-mode so it is broadcast in beacons once MBSSID is enabled on the radio:
dot11 ssid Kelvin-OFFICE
vlan 20
authentication open
mbssid guest-mode
dot11 ssid Kelvin-GUESTS
vlan 30
authentication open
mbssid guest-mode


Now we'll enable MBSSID on the radio, apply the SSIDs to it, and create radio sub-interfaces in the same bridge-groups as the G0 sub-interfaces, so each VLAN is bridged from the radio to the wire:
interface Dot11Radio0
mbssid
ssid Kelvin-OFFICE
ssid Kelvin-GUESTS
channel 6
interface Dot11Radio0.20
encapsulation dot1Q 20
bridge-group 20
interface Dot11Radio0.30
encapsulation dot1Q 30
bridge-group 30
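The VLAN path through the AP only works when each SSID's VLAN is tagged on a radio sub-interface and on a wired sub-interface that share a bridge-group. The following added check (not part of the original article) parses a show-run style copy of the AP config and reports any VLAN where that chain is broken; the constructed sample below deliberately leaves out the two VLAN 30 sub-interfaces so there is something to report.

```python
from collections import defaultdict

# Constructed excerpt of the article's AP config (abbreviations expanded,
# show-run indentation); the VLAN 30 sub-interfaces are left out on purpose.
AP_CONFIG = """\
dot11 ssid Kelvin-OFFICE
 vlan 20
dot11 ssid Kelvin-GUESTS
 vlan 30
interface Dot11Radio0.20
 encapsulation dot1Q 20
 bridge-group 20
interface GigabitEthernet0.20
 encapsulation dot1Q 20
 bridge-group 20
"""

def parse_blocks(config):
    """Group IOS-style lines into (header words, [child line words]) pairs."""
    blocks = []
    for line in filter(str.strip, config.splitlines()):  # skip blank lines
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.split())
        else:
            blocks.append((line.split(), []))
    return blocks

def vlan_paths(config):
    """VLAN id -> {'ssids': set, 'radio': bridge-group, 'wired': bridge-group}."""
    paths = defaultdict(lambda: {"ssids": set(), "radio": None, "wired": None})
    for header, body in parse_blocks(config):
        kv = {words[0]: words for words in body}  # first keyword -> full child line
        if header[:2] == ["dot11", "ssid"] and "vlan" in kv:
            paths[int(kv["vlan"][1])]["ssids"].add(header[2])
        elif header[0] == "interface" and "encapsulation" in kv and "bridge-group" in kv:
            side = "radio" if header[1].startswith("Dot11Radio") else "wired"
            paths[int(kv["encapsulation"][2])][side] = int(kv["bridge-group"][1])
    return paths

def check_vlan_paths(config):
    """Each SSID's VLAN must be tagged on the radio and wired sides in one bridge-group."""
    problems = []
    for vlan, p in sorted(vlan_paths(config).items()):
        if not p["ssids"]:
            continue  # tagged VLAN with no SSID carries no wireless clients
        for side in ("radio", "wired"):
            if p[side] is None:
                problems.append(f"VLAN {vlan}: no {side} sub-interface tagged for it")
        if None not in (p["radio"], p["wired"]) and p["radio"] != p["wired"]:
            problems.append(f"VLAN {vlan}: bridge-group mismatch {p['radio']} vs {p['wired']}")
    return problems
```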


Now clients should be able to connect flawlessly. Next, we'll talk about WPA2-Enterprise.

Now we'll expand our topology to include a RADIUS server as shown:


We'll set up the switch port facing the RADIUS server as an access port in VLAN 10:
interface FastEthernet0/10
switchport mode access
switchport access vlan 10


This RADIUS server is where we'll authenticate our clients. I would expect you to know how to set up a RADIUS server for login authentication. The RADIUS server, like all other management devices, is in the MANAGEMENT VLAN (10). We'll hop back onto the AP to set up some basic authentication options before we start with PEAP.

Let's first add the RADIUS server to the radius-server list. To do this, make sure "aaa new-model" is enabled:
aaa new-model
radius-server host 10.10.10.5 auth-port 1812 acct-port 1813 key 0 cisco


Be sure to add a corresponding client entry for the AP on the RADIUS server. Now we'll turn on some options, but before that, we'll create a backup local user account:
username cisco password cisco

Now, I'll demonstrate the basic use of RADIUS for user-mode (login) authentication. To do this, we simply specify the authentication method list as follows:
aaa authentication login default group radius local

The word "default" refers to the default list, while "group radius" and "local" are the authentication methods added to the default list, tried in that order. By default, user-mode login uses the default list, so logging out and back in will present the new login prompt. If logging in with a user defined on the RADIUS server fails, check that your RADIUS server allows PAP (cleartext-password authentication). If RADIUS fails completely, you can still log in with the backup account you created, because the "local" method is specified in the default list.

If that all works, we'll begin with PEAP authentication, which requires a few components. PEAP here means PEAP with MS-CHAPv2 as the inner method, so let's create an EAP profile for it:
eap profile PEAP
method mschapv2


Next we need to create a dot1x credentials profile. It requires a PKI trustpoint (ours will be called LOCAL), so let's create a self-signed one:
crypto pki trustpoint LOCAL
enrollment selfsigned
crypto pki enroll LOCAL


Next, we'll create the credentials:
dot1x credentials CREDENTIALS
anonymous-id cisco
pki-trustpoint LOCAL


Finally, we need a named AAA login list (like the default list, but with a name) that points at the RADIUS server, together with the dot1x authentication and network authorization lists:
aaa authentication login RADIUSLIST group radius
aaa authentication dot1x default group radius
aaa authorization network default group radius


If you're using the configuration from the previous article, we'll need to enable a cipher on the wireless interface for VLAN 20 before we can add WPA2-Enterprise to the SSID. The article uses TKIP; note that TKIP is the original WPA cipher, while WPA2 is defined around AES-CCMP, which is the cipher to choose outside a lab. To enable TKIP we'll type:
interface Dot11Radio0
encryption vlan 20 mode ciphers tkip


Now we can add WPA2-Enterprise as the authentication method on the OFFICE SSID, as shown:
dot11 ssid Kelvin-OFFICE
authentication open eap RADIUSLIST
authentication key-management wpa version 2
dot1x credentials CREDENTIALS
dot1x eap profile PEAP


This is the most basic configuration for WPA2-Enterprise. The clients should now be able to connect flawlessly. Congratulations!
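The finished configuration keeps several settings the article itself calls basic: an SSID that is still open, a RADIUS secret entered in type-0 cleartext, a local account whose password equals its username, and TKIP under WPA2. The following added audit (not part of the original article) walks a constructed copy of that AP config and reports each of them, plus an SSID that asks for WPA key management on a VLAN with no cipher configured, which the article notes will not work.

```python
import re

# Constructed excerpt of the article's final AP config (abbreviations expanded);
# a sample built for this audit, not the page's literal text.
AP_CONFIG = """\
aaa new-model
radius-server host 10.10.10.5 auth-port 1812 acct-port 1813 key 0 cisco
username cisco password cisco
dot11 ssid Kelvin-OFFICE
 vlan 20
 authentication open eap RADIUSLIST
 authentication key-management wpa version 2
dot11 ssid Kelvin-GUESTS
 vlan 30
 authentication open
interface Dot11Radio0
 encryption vlan 20 mode ciphers tkip
"""

def audit_ap_config(config):
    """Return (severity, message) findings for the weak spots this article leaves in place."""
    findings, ssid, ssid_vlan, wpa_ssids, enc_vlans = [], None, {}, set(), set()
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # top-level line: track which SSID block we are in
            ssid = line.split()[2] if line.startswith("dot11 ssid ") else None
        if m := re.match(r"radius-server host (\S+) .*\bkey 0 (\S+)", line):
            findings.append(("high", f"RADIUS secret for {m[1]} entered as type-0 cleartext"))
        elif m := re.match(r"username (\S+) password (?:0 )?(\S+)$", line):
            if m[1] == m[2]:
                findings.append(("high", f"local account {m[1]} uses its username as password"))
        elif ssid and line.startswith("vlan "):
            ssid_vlan[ssid] = line.split()[1]
        elif ssid and line == "authentication open":  # open with no eap keyword
            findings.append(("high", f"SSID {ssid} is open: no authentication, no encryption"))
        elif ssid and line.startswith("authentication key-management wpa"):
            wpa_ssids.add(ssid)
        elif m := re.match(r"encryption vlan (\d+) mode ciphers (.+)", line):
            enc_vlans.add(m[1])
            if "tkip" in m[2].split() and "aes-ccm" not in m[2].split():
                findings.append(("medium", f"VLAN {m[1]} uses TKIP only; WPA2 is defined on AES-CCMP"))
    for s in sorted(wpa_ssids):  # WPA without a cipher on the SSID's VLAN does not work
        if ssid_vlan.get(s) not in enc_vlans:
            findings.append(("high", f"SSID {s}: WPA key management but VLAN {ssid_vlan.get(s)} has no cipher"))
    return findings
```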
