Cisco WLC (For Version 8.0.120.0) CoA Setup Guide
Global Reach Technology Ltd Commercial in Confidence

Disclaimer
THIS DOCUMENTATION AND ALL INFORMATION CONTAINED HEREIN (“MATERIAL”) IS PROVIDED FOR GENERAL INFORMATION PURPOSES ONLY. GLOBAL REACH AND ITS LICENSORS MAKE NO WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, WITH REGARD TO THE MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE, OR THAT THE MATERIAL IS ERROR-FREE, ACCURATE OR RELIABLE. GLOBAL REACH RESERVES THE RIGHT TO MAKE CHANGES OR UPDATES TO THE MATERIAL AT ANY TIME.

Limitation of Liability
IN NO EVENT SHALL GLOBAL REACH BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL OR CONSEQUENTIAL DAMAGES, OR DAMAGES FOR LOSS OF PROFITS, REVENUE, DATA OR USE, INCURRED BY YOU OR ANY THIRD PARTY, WHETHER IN AN ACTION IN CONTRACT OR TORT, ARISING FROM YOUR ACCESS TO, OR USE OF, THE MATERIAL.

VERSION 1.0 PUBLISHED DECEMBER 2015
IMPORTANT - BEFORE YOU START

Before attempting to integrate your hardware controller into Odyssys, please ensure that ALL of the following requirements are in place:
• You have a controller installed in an environment where compatible Access Points are configured to work with the controller, i.e. DNS, DHCP options configured correctly

Your client environment is configured to allow network clients to:
• Associate to an Access Point
• Obtain an IP address
• Access the internet

The following components are required to be configured and working in your environment before attempting integration with Odyssys:
• DHCP Server
• DNS Server
• Firewall NAT

PLEASE NOTE - This is a technical document and as such, integration of your hardware with Odyssys should only be handled by trained individuals.

TECH NOTE
Odyssys does not use standard RADIUS ports, therefore please make sure you allow the ports in your firewall, defined in your manager.odyssys.net Captive Portal settings.
GETTING STARTED WITH ODYSSYS

Before you attempt to configure your Cisco Wireless LAN Controller (WLC) for use with CoA authentication and Odyssys, you will first need to create your own captive portal.

1. First, navigate to https://manager.odyssys.net and log in using your assigned Customer ID, username and password.
2. Select Captive Portals > Captive Portals from the left-hand menu and click Create Captive Portal.

You should complete the form as follows:
Name: An arbitrary name for your captive portal.
RADIUS Shared Secret: Either keep the automatically generated shared secret or create your own.
Hardware Vendor: Set this to Cisco WLC
PreAuth ACL – This must match the Access Control List (ACL) you create in your Cisco WLAN controller (step 10)
Click Create to confirm.
3. Select the Captive Portal you have just created to view its details under the General Info tab.
CONFIGURING ODYSSYS WITHIN THE Cisco WLC

AAA RADIUS Configuration

1. Log in to the Cisco WLC.
2. Click on the Security tab from the top menu and select AAA then RADIUS and then Authentication from the menu located on the left-hand side of the page, and then select New from the upper right corner of the RADIUS Authentication Servers page.

TECH NOTE: Ensure that your Auth Called Station ID Type is set to AP MAC Address:SSID and your MAC delimiter is set to Hyphen.

3. Click the New… button, and enter the Authentication RADIUS settings obtained from Odyssys (under the General Info tab of the Captive Portal you created earlier). The mandatory fields are as follows:
Server IP Address: IP address of Odyssys Primary RADIUS Server
Shared Secret: Shared Secret Password
Confirmed Shared Secret: Shared Secret Password
Port Number: RADIUS Authentication port
Support for RFC 3576: Select Enabled from the dropdown.
Click the Apply button once complete.
4. Repeat steps 2 and 3 again for the Secondary RADIUS Server IP addresses, remembering to click "Apply" when complete to save the settings.
5. Still within the SECURITY tab and menu, select "Accounting" in the RADIUS sub-menu and then click "New" located in the upper right corner of the RADIUS Accounting Servers window.

TECH NOTE: Ensure that your Acct Called Station ID Type is set to AP MAC Address:SSID and your MAC delimiter is set to Hyphen.

6. Enter the RADIUS Accounting settings listed below from the Captive Portal section of Odyssys:
Server IP Address: IP address of Odyssys Primary RADIUS Server
Shared Secret: Shared Secret Password
Confirmed Shared Secret: Shared Secret Password
Port Number: RADIUS Accounting port (this is different to the Authentication Port Number)
Click the Apply button once complete.
7. Repeat steps 5 and 6 for the Secondary RADIUS Server IP address, remembering to click "Apply" when complete to save.
Access Control List Configuration

8. Still within the SECURITY tab and menu, select "Access Control Lists" and then "Access Control Lists" from the sub-menu.
9. Click on "New..." in the upper right corner of the Access Control Lists window.
10. Enter the name of the Pre Authentication Access Control List and click Apply to save the settings. Remember this must exactly match the PreAuth ACL value set in Odyssys in step 2 of this guide.
11. Click the ACL you have just created and click the Add New Rule button.
12. Complete the highlighted fields with the information provided below, creating a new rule for each sequence number.

The fields that need to be modified are "Sequence", "Source", "Destination" and "Action". The "Protocol", "DSCP" and "Direction" fields should be left as default.

Sequence: 1  Source: IP 54.246.95.205 Mask 255.255.255.255  Destination: Any  Action: Permit
Sequence: 2  Source: Any  Destination: IP 54.246.95.205 Mask 255.255.255.255  Action: Permit
Sequence: 3  Source: IP 54.243.42.241 Mask 255.255.255.255  Destination: Any  Action: Permit
Sequence: 4  Source: Any  Destination: IP 54.243.42.241 Mask 255.255.255.255  Action: Permit
Sequence: 5  Source: Any  Destination: IP 54.247.108.6 Mask 255.255.255.255  Action: Permit
Sequence: 6  Source: IP 54.247.108.6 Mask 255.255.255.255  Destination: Any  Action: Permit

Below is how the Access Control List will look after all of the above settings have been entered.
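
The six rules from step 12 can also be checked mechanically before they are relied on as the pre-authentication ACL. This added example (not part of the original guide) confirms that every permitted address is a single host, that each host is allowed in both directions, and that no rule permits any to any; the tuple layout and the audit function are assumptions made for illustration.

```python
import ipaddress

# The rules from step 12 as (sequence, source, destination, action).
RULES = [
    (1, "54.246.95.205/255.255.255.255", "any", "permit"),
    (2, "any", "54.246.95.205/255.255.255.255", "permit"),
    (3, "54.243.42.241/255.255.255.255", "any", "permit"),
    (4, "any", "54.243.42.241/255.255.255.255", "permit"),
    (5, "any", "54.247.108.6/255.255.255.255", "permit"),
    (6, "54.247.108.6/255.255.255.255", "any", "permit"),
]

def audit(rules):
    """Return a list of findings; an empty list means the ACL passed."""
    findings = []
    as_source, as_dest = set(), set()
    for seq, src, dst, action in rules:
        if action != "permit":
            continue
        if src == "any" and dst == "any":
            findings.append(f"rule {seq}: permits any to any")
            continue
        for side, seen in ((src, as_source), (dst, as_dest)):
            if side == "any":
                continue
            net = ipaddress.ip_network(side, strict=False)
            if net.prefixlen != 32:
                findings.append(f"rule {seq}: {net} is wider than a single host")
            seen.add(net)
    # A host reachable in only one direction breaks the portal redirect.
    for net in sorted(as_source ^ as_dest):
        findings.append(f"{net}: permitted in one direction only")
    return findings

# Constructed faulty variant: rule 1 widened to a /24 and rule 6 left out.
BROKEN = [(1, "54.246.95.205/255.255.255.0", "any", "permit")] + RULES[1:5]

if __name__ == "__main__":
    print("guide rules:", audit(RULES) or "no findings")
    for finding in audit(BROKEN):
        print("broken variant:", finding)
```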
WLAN Configuration

13. Select the WLANs tab from the top menu, select Create New from the dropdown list in the upper right of the page, and click Go.
14. Enter a Profile Name and the SSID that will be broadcast (these can be the same). The Profile Name is used for administrative purposes and the SSID will be the Wi-Fi name users connect to. Click Apply when complete to save the settings.
15. Select the Security tab under the settings for your WLAN and apply the following settings.

Layer 2
Layer 2 Security: None
Mac Filtering: Tick the checkbox

Layer 3
Layer 3 Security: None

AAA Servers
RADIUS Servers: Tick the Enabled checkbox for both Authentication and Accounting Servers. Then from the Server 1 and Server 2 dropdown boxes select the Primary & Secondary Authentication and Accounting servers configured in steps 3–7 of this guide.
RADIUS Server Accounting: Tick the Interim Update checkbox and set an Interim Interval of 180.
Authentication Priority order for web-auth user: Move both Local and LDAP into the Not Used box, leaving only RADIUS as the used authentication type.
16. Select the Advanced tab under the settings for your WLAN and apply the following settings.

NAC
NAC State: Select Radius NAC from the dropdown.

17. Click Apply to save your settings. Then return to the General tab to enable your SSID now that configuration is complete.
ACCESS CONTROL LIST ADDRESSES

Odyssys
54.246.95.205
54.243.42.241

Twitter
api.twitter.com
*.twimg.com

Google
74.125.29.84
74.125.226.243
74.125.228.10
74.125.228.74
74.125.228.111
130.111.19.240
173.194.74.95

Facebook
*.facebook.com
*.akamaihd.net
*.fbcdn.net
connect.facebook.com

LinkedIn
8.247.88.225
23.202.203.120
64.94.107.57
138.108.7.20
216.52.242.80
216.52.242.86

PayPal Express Checkout
173.0.82.77/32
92.122.246.85/32
66.117.29.34/32
216.113.188.89/32
66.235.147.113/32

If you wish to disable Apple's Captive Assistant please add the following to your walled garden:
www.apple.com
www.airport.us
www.ibook.info
www.thinkdifferent.us
www.itools.info
www.appleiphonecell.com
captive.apple.com
FREQUENTLY ASKED QUESTIONS

Q. I want to add different authentication provider types, how do I do this?
A. Please see our Odyssys Authentication guide for further information.

Q. I need more information on how to set up Odyssys
A. Please see our Odyssys setup guide.
GLOSSARY

ACL - Access Control List
AAA - Authentication, Authorization, and Accounting
DHCP - Dynamic Host Configuration Protocol
DNS - Domain Name Service
NAT - Network Address Translation
PORT - A process-specific or an application-specific software construct serving as a communication endpoint, which is used by the Transport Layer protocols of Internet Protocol suite, such as User Datagram Protocol (UDP) and Transmission Control Protocol (TCP)
RADIUS - Remote Authentication Dial In User Service (RADIUS)
SHARED SECRET - A single password shared between two devices
SSID - Service Set Identifier - A unique identifier for your Wi-Fi service
WLAN - Wireless Local Area Network
WLC - Wireless Local Area Network Controller
Global Reach Technology Ltd
Craven House, 121 Kingsway
London WC2B 6PA
T +44 (0) [email protected]
© Global Reach Technology Limited All rights reserved. Global Reach and the Global Reach logo are registered trademarks.