MSM Deployment Scenario - How To Guide

  • 1.  MSM Deployment Scenario - How To Guide

    Posted Jul 09, 2012 12:39 PM

    Hello...

     

    Recently I put together a How To Guide for an MSM wireless deployment. Thought I'd share this with others... It might help some of the newer MSM users understand how to better deploy/configure MSM wireless. Please understand there are endless methods to set up an MSM wireless solution; this is but ONE of those solutions. This scenario and configuration setup may or may not apply to your particular environment.

     

    Comments and feedback are welcome.

     

    http://www.sourceonetechnology.com/images/MSM_Setup-Rev0_4H.pdf

     

    Regards,

    JR

    Attachment(s)

    pdf
    MSM_Setup-Rev0_4H.pdf   703 B 1 version


  • 2.  RE: MSM Deployment Scenario - How To Guide

    Posted Jul 11, 2012 09:15 AM

    Great write-up.

     

    You might consider changing the Private network from a pre-shared key to RADIUS or LDAP. One password for all employees is rarely a good idea, as you never know exactly who has that password - including ex-employees and other non-employed personnel.


    #LDAP


  • 3.  RE: MSM Deployment Scenario - How To Guide

    Posted Jul 11, 2012 11:15 AM

    Thanks for the kind words, glad you liked it.

     

    We normally do 802.1X EAP/TLS security deployments but, truth is, I was too lazy to document that in the guide, as it would have required a lot more time with documentation and screenshots, explaining how to set up a CA server, explaining how to automate deployment of certificates, explaining how to configure RADIUS, etc. So I opted to document the more simple method, ;-). Figured the majority of people opt for PSKs anyways.

     

     

    Regards,

    JR

     



  • 4.  RE: MSM Deployment Scenario - How To Guide

    Posted Aug 09, 2012 07:31 AM

    Very nice guide... without RADIUS / 802.11x though - couldn't you do all that without the controller? (albeit not as expandable if you add more APs)...



  • 5.  RE: MSM Deployment Scenario - How To Guide

    Posted Oct 05, 2012 08:47 AM

    Hi, I would actually appreciate it if you explained the 802.1x deployment. I am working on it and I am having several troubles with the LDAP authentication.

    I am not using certifications, so I am not asking you to document that part.

     

    Thanks.

    Toni.





  • 7.  RE: MSM Deployment Scenario - How To Guide

    Posted Nov 06, 2012 08:39 AM

    Hi,

     

    Thank you very much for the document! But I'm stuck and need some help: when trying to authenticate, I get this error message in the NPS server. Any ideas?!

     

    Logging Results:            Accounting information was written to the local log file.
        Reason Code:            23
        Reason:                An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.

     



  • 8.  RE: MSM Deployment Scenario - How To Guide

    Posted Mar 16, 2013 03:36 PM

    Hi

    Do you know how to configure LDAP with MSM760?

    Thanks in advance



  • 9.  RE: MSM Deployment Scenario - How To Guide

    Posted Mar 20, 2013 01:04 AM

    Hi, we've got 4 MSM765 controller cards in our environment. All of them are in the same VLAN, same segment. However, we've got around 500 APs (MSM 317 & MSM 466) in our network and most of them are controlled by only 2 of the controllers.

    1 controller manages almost 200, 1 manages around 180, 1 manages 100 and the remaining one manages only 1 at the moment.

    Is there any method to set the APs' priority, to balance the controllers' effort?



  • 10.  RE: MSM Deployment Scenario - How To Guide

    Posted Aug 27, 2013 05:09 PM
    Bumping this for others....
    If you have questions about the guide, let me know. I've since been doing some different configuration options using APs over Layer 3 and using External DHCP servers for the various VSCs.


  • 11.  RE: MSM Deployment Scenario - How To Guide

    EMPLOYEE
    Posted Sep 07, 2013 03:14 PM

    Hi,

     

    Excellent guide...will help me a lot in deployments..

     

    Can we do certificate with username/password authentication (two-factor authentication) with an MSM controller?

     

     

    Regards

     

    George



  • 12.  RE: MSM Deployment Scenario - How To Guide

    Posted Sep 09, 2013 12:20 PM
    I want to make a small addendum to the information in this guide...

    With the 6.0.x firmware, ACLs/attributes will NO LONGER WORK if the tunneled guest traffic routes back out through the LAN port (this can happen in some cases - DEPENDING on your routing configuration within the MSM). I learned this recently after upgrading some of my customer controllers from 5.7.x to 6.0.x. Whereas previously, based on the ACLs/attributes, tunneled traffic on the guest VSC no longer had access to the specific locations (for example, an internally hosted website) that were allowed via the attributes.

    Again, in most cases ACLs/attributes will continue to work, except when that traffic is destined for specific locations (via ACLs/attributes) and, based on the controller's Routing tables, is pushed out the LAN port.

    This is something new in 6.0.x code. I guess it's a bit 'tighter' of a security configuration.

    Also, one quick mention....in the guide, I mention TAGGING each AP at the switch port level for the guest VSC and VLAN. This is NOT really necessary IF you always tunnel that traffic through the controller anyways. Really depends on your setup...


    George, are you referring to 802.1X EAP/TLS which uses both a certificate and computer/user authentication? If so, yes. I have done that for customers in the past.

    Regards,
    JR

    #ACLs


  • 13.  RE: MSM Deployment Scenario - How To Guide

    EMPLOYEE
    Posted Sep 16, 2013 03:52 PM

    Hi,

     

    Thanks for your kind reply..

     

    For access controlled users, when you are doing egress VLAN, does it require tagging the Internet port with that particular VLAN..? Or will it work with untagged as per the design guide..

    How do we configure it if multiple access controlled VLANs are required..?

    Can I do dynamic VLAN assignment for access controlled users.. One SSID but users should be mapped as per RADIUS attributes..? Is it required to configure multiple IP addresses on the Internet port..?

     

    I am confused..Please help..

     

    Regards

    George

     

     

     

     



  • 14.  RE: MSM Deployment Scenario - How To Guide

    Posted Oct 21, 2013 12:06 PM
    George,
    For access controlled VSCs, you do NOT have to have the AP tagged for that VLAN. I used to do it that way, but I don't anymore...

    You can configure multiple access controlled VSCs on the same controller. I have done that on occasion. However, doing that changes the way I typically deploy the MSM controllers. If I need to deploy, for example, (2) different access controlled VSCs, and have each on a different VLAN, then I will NOT assign an IP address to the Internet Port of the controller (which is the default way controllers are setup). Instead, I will do the following (for example):

    - From the Network|Network Profiles page, I will create my two profiles, GuestA (on VLAN 30) and GuestB (on VLAN 40).
    - From the Network|VLANs page, I will set GuestA as Mapped to the Internet Port (tagged).
    - From the Network|VLANs page, I will set GuestB as Mapped to the Internet Port (tagged).
    - From the Network|IP Interfaces page, I will remove ALL IP addressing from the Internet port itself.
    - From the Network|IP Interfaces page, I will add a New Interface for GuestA and assign it an IP address on that VLAN as applicable.
    - From the Network|IP Interfaces page, I will add a New Interface for GuestB and assign it an IP address on that VLAN as applicable.
    - On the Switch, I change the actual port where the Internet Port is plugged into from Untagged to Tagged on both VLAN30 and VLAN40.
    - From Network Tree|Controller|VSC, I will select the GuestA VSC, and then navigate to VSC egress mapping and select the applicable Mapping for all three traffic types.
    - From Network Tree|Controller|VSC, I will select the GuestB VSC, and then navigate to VSC egress mapping and select the applicable Mapping for all three traffic types.

    I have never yet done dynamic VLAN assignment based on specific users or RADIUS but I believe it can be done.



  • 15.  RE: MSM Deployment Scenario - How To Guide

    EMPLOYEE
    Posted Oct 21, 2013 02:14 PM

    Thank you Jesse !! You rock.. !! :)

     

    I shared your excellent config guide link in my blog :)

     

    Regards

     

    George

    www.newdaywireless.wordpress.com