You are correct. The steps you mention pretty much sum it up.
I would like to add a few things to check on your WLC.

1) Make sure you set the RADIUS server type to FreeRADIUS if you are using MAB. It is located under Security -> MAC Filtering. Also set the MAC delimiter to colon. I know you mentioned 802.1x, but MAB is common to use for your captive portal and then let your users have access to your encrypted net after they have correctly configured their device.

2) Add BOTH interfaces from your PF server to the Authentication and Authorization sections of your WLC AAA config. For some reason PF sends most RADIUS traffic from the management interface but RADIUS CoA packets come from the other interface.

If you are going to be putting all the users on that WLC in the same subnet / vlan then there is nothing special you need to do. However, if you need to place users in different vlans / subnets you will need some custom code. It's not too bad, but it needs to be done correctly or else your users will not get access.

We place users in different vlans based on the building they are in. We put the APs in AP Groups and have the called-station-id-type variable set to the AP Group name, which is the vlan that I want the users in : ) (kinda, there is a bit more to it but unless you need it I won't go into it). You set that in the GUI under Security -> RADIUS -> Authentication.

Another thing: depending on the type of Cisco APs you are using, I would try to use the FlexConnect mode as much as possible. It makes the AP make the routing decision locally instead of tunnelling all the traffic to the WLC. This takes a lot of load off of your WLC and greatly increases the efficiency of your wireless network. It also eliminates a few potential DOS scenarios against your WLC. The drawback to FlexConnect is that it cannot be used in conjunction with MAB and not all APs support it. But if you can, use it.

That should get you started. If you have any problems feel free to post back here.
If I have time I'll do what I can, but the Inverse team are the true masters and they monitor this list very closely and are very helpful.

Good luck!

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas 76513

Fone: 254-295-4658
Phax: 254-295-4221
________________________________
From: Juan Camilo Valencia [[email protected]]
Sent: Wednesday, September 03, 2014 3:45 PM
To: [email protected]
Subject: Re: [PacketFence-users] WLC 5508 Conf

Hi Jake,

Didn't start yet. What I understand is:

* Create the object in PF, i.e., configure a new switch with the type WLC.
* Define the IP in the controller field; I think it should be the same as for the object.
* Configure a strongsecretpassword for the RADIUS section in the PF switch definition.
* SNMP shouldn't be necessary (I think not, but previously in MAB for 2960 I was wrong, so I will configure it anyway).

On the controller side, I should:

* Define the SSID.
* Configure WPA + WPA2 for 802.1x Auth.
* Point RADIUS servers to the PF box.
* Allow AAA override.

I think that's all. However, like I said, I need to send the configuration before testing, so those are the roots of my doubts.

Let me know if I'm on the right path, or if there should be some trick in the custom.pm or something additional on the WLC side.

On Wed, Sep 3, 2014 at 3:12 PM, Sallee, Jake <[email protected]> wrote:

>> Actually I have a lot of experience with the 3.3.2 version

Excellent! That helps a lot.

So where are you in getting your WLC hooked up to your PF server? Are you just starting or have you added it and are having issues?

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas 76513

Fone: 254-295-4658
Phax: 254-295-4221
________________________________
From: Juan Camilo Valencia [[email protected]]
Sent: Wednesday, September 03, 2014 12:00 PM
To: [email protected]
Subject: Re: [PacketFence-users] WLC 5508 Conf

Hi Jake,

Actually I have a lot of experience with the 3.3.2 version, deployed for almost a couple of years with WDS and AP and a variety of Cisco switches. I jumped into the 4 branch 6 months ago in the lab environment, but right now it is necessary to pass into production mode. I have deployed the 4.3 version in a pilot with a 2960 stack, and next is the wireless, so I think that I will understand the majority of things in PF language (I hope so).

So I appreciate every single bit of help that you can provide me.

Best Regards,

On Sep 3, 2014 10:45 AM, "Sallee, Jake" <[email protected]> wrote:

Wow, okay.

I have been running PF in conjunction with my 5508 for about 3 years and it works well.

Before you jump in with both feet, I need to ask something. Have you successfully set up and tested PF in a lab/test environment? If you have not, I strongly urge you to do that first. PF is a very capable product and can do A LOT, but it can be daunting if you do not approach it with the correct mindset.

If you have already successfully set up PF in a lab type of environment, I am happy to help as much as I can. Honestly, setting up the WLC to work with PF is going to be about 5% of the work involved in getting PF deployed.

Where are you currently in your PF setup? Have you installed PF and configured it and are now stuck on the WLC?

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas 76513

Fone: 254-295-4658
Phax: 254-295-4221
________________________________
From: Juan Camilo Valencia [[email protected]]
Sent: Wednesday, September 03, 2014 7:02 AM
To: [email protected]
Subject: [PacketFence-users] WLC 5508 Conf

Hi Guys,

We are going to configure PacketFence with a WLC 5508 with IOS 7.6.100. This is my first time joining a WLC with PacketFence. I have been reading the Network configuration devices and I'm a little confused. I saw several threads of discussion about this particular device (apparently this Cisco device is very popular), so I guess that there are several users that already did this configuration. Can you help me to understand what steps I need to follow in order to make this configuration work?

We need an SSID secured with WPA2 enterprise security, authenticating against an AD without the LDAP module, just using RADIUS. I'm confused because in the docs for the secure SSID the example is with a WISM. Is that part of the WLC 5508? (I have zero experience with that and I need to provide the steps to another provider who manages this device.)

Can I follow these steps and be fine? Or do you have a summary of steps or CLI commands to make it happen?

Thanks a lot for your help, and let me know where I can start with this.

Best Regards from Colombia

--
“Choose a job you love, and you will never have to work a day in your life”

------------------------------------------------------------------------------
Slashdot TV. Video for Nerds. Stuff that matters.
http://tv.slashdot.org/
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
