Iuwne10 Lg v2

8/20/2019 Iuwne10 Lg v2

http://slidepdf.com/reader/full/iuwne10-lg-v2 1/294

IUWNE

Implementing CiscoUnified Wireless

Networking Essentials Version 1.0

Lab Guide

Text Part Number: 97-2700-02

8/20/2019 Iuwne10 Lg v2


DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED “AS IS.” CISCO MAKES AND YOU RECEIVE NO WARRANTIES IN

CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN ANY OTHER PROVISION OF

THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY DISCLAIMS ALL IMPLIED

WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR

PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. This learning product may contain early release

content, and while Cisco believes it to be accurate, it falls subject to the disclaimer above.

8/20/2019 Iuwne10 Lg v2


Table of ContentsLab Guide 1

Overview 1

Outline 1

Lab 1-1: Becoming Familiar with Antennae and Ranges 2

Activity Objective 2

Visual Objective 2

Required Resources 2 Task 1: Complete These Power Conversions 3

Task 2: Calculate EIRP and Choose the Correct Antenna 4

Task 3: Determine the Type of Antenna Represented, Its Use, and the Best Location for It 5

Lab 1-2: Creating an Ad Hoc (IBSS) Network and Analyzing the Communication 7


Visual Objective 7

Required Resources 7

Command List 9

Job Aids 9

Task 1: Connect to the Remote Lab 10

Task 2: Connect to Your Remote Lab Wireless Laptop 13

Task 3: Verify the Internal Card Settings 15

Task 4: Create an Ad Hoc Network and Analyze the Communication 19 Lab 2-1: Configuring a Cisco 2106 WLC 34


Visual Objective 34


Job Aids 35

Task 1: Connect to the WLAN Controller Serial Interface and Configure Your Controller for theFirst Time 37

Task 2: Connect to Your Controller 42

Task 3: Allow Limited Remote Management 44

Task 4: Allow Open Authentication 45

Task 5: Create a DHCP Scope 47

Task 6: Look for APs 48

Lab 2-2: Configuring and Migrating a Standalone AP 50


Visual Objective 50


Job Aids 51

Task 1: Check the AP Parameters 51

Task 2: Configure Your Standalone AP 54

Task 3: Convert Your Standalone AP to LWAPP 64

Lab 2-3: Installing and Configuring a Cisco Mobility Express Wireless Controller and AP 76


Visual Objective 76


Job Aids 77

Task 1: Configure Your Cisco Mobility Express Wireless Controller 80

Task 2: Create a DHCP Scope 85

Task 3: Manage the AP 88

Task 4: Use the Cisco Configuration Assistant 91

Lab 3-1: Installing and Using the Cisco ADU 104


Visual Objective 104


Job Aids 105

Task 1: Installing the Software 105

Task 2: Use the Cisco ADU and the Cisco Site Survey Utility 110

8/20/2019 Iuwne10 Lg v2


ii Implementing Cisco Unified Wireless Networking Essentials (IUWNE) v1.0 © 2008 Cisco Systems, Inc.

Lab 3-2: Experimenting with Connections and Roaming 124




Job Aids 125

Task 1: Create a Common WLAN 125

Task 2: Connect to the Right AP 134

Task 3: Use Roaming 141

Lab 4-1: 802.1Q and Web Authentication 146




Job Aids 147

Task 1: Create a VLAN Interface 148

Task 2: Create the WLAN 152

Task 3: Configure a Trunk Port 155

Task 3: Create a Local Net User 159

Task 4: Have the AP Rejoin the Controller 160

Task 5: Client Configuration 162

Task 6: Client Exclusion 169

Lab 4-2: Configuring EAP-FAST Authentication with WPA 171



Required Resources 171 Job Aids 172

Task 1: Create the WLAN 172

Task 2: Configure the Client and Access the Network 178

Lab 5-1: Configuring Controllers and APs from the Cisco WCS 188




Job Aids 189

Task 1: Create Credentials on the Cisco WCS and Customize the Interface 189

Task 2: Add a Controller and AP 194

Task 3: Manage the Controller and AP from the Cisco WCS 198

Lab 5-2: Working with Maps 202

Activity Objective 202 Visual Objective 202


Job Aids 203

Task 1: Add Maps 203

Task 2: Enhance the Map 207

Task 3: Positioning APs 211

Lab 5-3: Monitoring the Network and Containing Devices 218




Job Aids 219

Task 1: Monitoring Events 219

Task 2: Contain a Rogue 224

Lab 6-1: Back Up the Controller Configuration and the Cisco WCS Database Files 231




Task 1: Examine Controller Configuration Files 232

Task 2: Save the Configuration Using TFTP 240

8/20/2019 Iuwne10 Lg v2


© 2008 Cisco Systems, Inc. Implementing Cisco Unified Wireless Networking Essentials (IUWNE) v1.0 iii

Lab 6-2: Troubleshooting 247




Command List 248

Job Aids 248

Lab 6-3: Optional Lab Troubleshooting with Wireshark and Converting an AP to Autonomous Mode 253




Job Aids 254

Task 1: Use Wireshark to Analyze a Connection Issue 258

Task 2: Migrate Your LWAPP 1252 AP to Autonomous Mode 265

Answer Key 272

Lab 1-1 Answer Key: Power Conversions 272

Lab 1-2 Answer Key: Creating an Ad Hoc Network (IBSS) and Analyzing the Communication 273

Lab 2-1 Answer Key: Configuring a Cisco 2106 WLC 273

Lab 2-2 Answer Key: Configuring and Migrating a Standalone AP 275

Lab 2-3 Answer Key: Installing and Configuring a Cisco Mobility Express Wireless Controller and AP 276

Lab 3-1 Answer Key: Installing and Using the Cisco ADU 276

Lab 3-2 Answer Key: Experimenting with Connections and Roaming 277

Lab 4-1 Answer Key: 802.1Q and Web Authentication 278 Lab 4-2 Answer Key: Configuring EAP-FAST Authentication with WPA 279

Lab 5-1 Answer Key: Configuring Controllers and APs from the Cisco WCS Interface 280

Lab 5-2 Answer Key: Working with Maps 280

Lab 5-3 Answer Key: Monitoring the Network and Containing Devices 280

Lab 6-1 Answer Key: Backing Up Controller Configuration and the Cisco WCS Database Files 281

Lab 6-2 Answer Key: Troubleshooting 288

Lab 6-3 Answer Key: Troubleshooting with Wireshark 288

8/20/2019 Iuwne10 Lg v2


iv Implementing Cisco Unified Wireless Networking Essentials (IUWNE) v1.0 © 2008 Cisco Systems, Inc.

8/20/2019 Iuwne10 Lg v2


IUWNE

Lab Guide

Overview

This guide presents the instructions and other information concerning the lab activities for thiscourse. You can find the solutions in the lab activity Answer Key.

Outline

This guide includes these activities:

Lab 1-1: Becoming Familiar with Antennae and Ranges

Lab 1-2: Creating an Ad Hoc Network (IBSS) and Analyzing the Communication

Lab 2-1: Configuring a Cisco 2106 WLC

Lab 2-2: Configuring and Migrate a Standalone AP

Lab 2-3: Configuring a Cisco Mobility Express Wireless Controller and AP

Lab 3-1: Installing and Using the Cisco ADU

Lab 3-2: Experimenting with Connections and Roaming

Lab 4-1: Configuring Web Authentication

Lab 4-2: Configuring EAP-FAST Authentication with WPA

Lab 5-1: Configuring Controllers and APs from the Cisco WCS Interface

Lab 5-2: Working with Maps

Lab 5-3: Monitoring the Network and Containing Devices

Lab 6-1: Backing Up the Controller Configuration and the Cisco WCS Database

Lab 6-2: Troubleshooting Games

Lab 6-3: Optional Lab

Answer Key

8/20/2019 Iuwne10 Lg v2


2 Implementing Cisco Unified Wireless Network Essentials (IUWNE) v1.0 © 2008 Cisco Systems, Inc.

Lab 1-1: Becoming Familiar with Antennae andRanges

Complete this lab activity to practice what you learned in the related module.

Activity Objective

In this activity, you will work with antennae and powers. After completing this activity, you

will be able to meet these objectives:

Convert milliwatts to dBm and back

Determine the EIRP from the AP, cable, and antenna specifications provided

Determine which AP is the best choice for which situation

Visual Objective

The figure illustrates what you will accomplish in this activity.

© 2008 Cisco Systems, Inc. All rights reserved. IUWNE v1.0—5

Visual Objective for Lab 1-1: BecomingFamiliar with Antennas and Ranges

x mW = y dBm

Required Resources

These are the resources and equipment that are required to complete this activity:

A PC with Microsoft Excel or OpenOffice Calc

8/20/2019 Iuwne10 Lg v2


© 2008 Cisco Systems, Inc. Lab Guide 3

Task 1: Complete These Power Conversions

In this task, you will work with various powers to familiarize yourself with decibel

conversions.

Activity Procedure

Complete these steps:

Step 1 Convert 20 mW to its dBm equivalent.

Step 2 Convert 40 mW to its dBm equivalent.

Step 3 Convert 2 W to its dBm equivalent.

Step 4 Convert 23 dBm to its milliwatts equivalent.

Step 5 Convert -13 dBm to its milliwatts equivalent.

Step 6 A station receives 0.000001 mW RSSI from an AP. The noise level is around

0.00000025 mW. Convert these values to dBm and determine the SNR level. Is the

SNR level acceptable?

Step 7 How many dBd is a 7.24 dBi antenna?

Step 8 How many dBd is a 13.56 dBi antenna?

Step 9 How many dBi is a 13.56 dBd antenna?

Step 10 How many dBi is an 18.86 dBd antenna?

Step 11 What is the dBd gain of a 21 dBi dish antenna?

Step 12 Which antenna has more gain: 2.14 dBi or 3.28 dBd?

Step 13 Which antenna has more gain: 3.41 dBi or 4.18 dBm?

Activity Verification

You have successfully completed this task when you attain this result:

You have found the correct values as per the answer key.

8/20/2019 Iuwne10 Lg v2



Task 2: Calculate EIRP and Choose the Correct Antenna

In this task, you will work with hardware specifications to determine the EIRP or to choose

which hardware matches the link specifications.

Activity Procedure


Step 1 Which antenna would work best for a point-to-point 26-mile (42-km) link? A 21 dBi

dish, a 5.2 dBi omnidirectional, or an 8.1 dBi patch?

Step 2 Which antenna would work best for large lobby coverage from a wall? A 21 dBi

dish, a 5.2 dBi omnidirectional, or an 8.1 dBi patch?

Step 3 Which antenna would work best for coverage of a meeting room from the ceiling?

21 dBi dish, 5.2 dBi omni, 8.1 dBi patch?

Step 4 An AP transmitter emits 40 mW of power through a cable that is “adding” 3 dB loss.

The Yagi antenna that is being used has 13.5 dBi gain. What is the EIRP?

Step 5 An AP transmitter emits 20 mW of power through a cable that is “adding” 4 dB loss

per 100 feet. The cable is 20 feet long. The omnidirectional antenna that is being

used is 5.2 dBi gain. What is the EIRP?

Step 6 An AP transmitter emits 100 mW of power to an antenna directly connected to it.

The antenna that is being used is an 8.5 dBi patch antenna. What is the EIRP?

Step 7 You have been asked not to exceed 20 dBm EIRP on a 3.0 dBi omnidirectional

antenna. Which power level should you set your AP to knowing that you use 50 feet

of 6 dB/100 feet loss cable?

Step 8 You have been asked not to exceed 17 dBm EIRP on a 13.5 dBi Yagi antenna.

Which power level should you set your AP to knowing that you will use 150 feet of

6 dB/100 feet loss cable and that the cable connectors add an extra 0.5 dB loss?

Step 9 You have been asked not to exceed 17 dBm EIRP on a 5.2 patch antenna. How

much length of 2.8 dB loss per 100 feet cable should you use, knowing that the AP

power level is statically set to 40 mW?



You have found the right values as per the answer key.

8/20/2019 Iuwne10 Lg v2



Task 3: Determine the Type of Antenna Represented, Its Use,and the Best Location for It

In this task, you will work with AP coverage patterns to determine the type of antenna and its

usage.

Activity Procedure


Step 1 Look at the following radiation pattern:

Step 2 Which type of antenna does it represent?

____________________________________________________________________

Step 3 What type of use is the antenna best suited for?

____________________________________________________________________

Step 4 What is the best place for the antenna to be mounted?

□ pillar

□ rooftop

□ wall


8/20/2019 Iuwne10 Lg v2




____________________________________________________________________


____________________________________________________________________


□ pillar□ rooftop

□ wall



____________________________________________________________________


____________________________________________________________________


□ mast

□ rooftop

□ wall



You have found the right values as per the answer key.

8/20/2019 Iuwne10 Lg v2



Lab 1-2: Creating an Ad Hoc (IBSS) Network andAnalyzing the Communication


Activity Objective

In this activity, you will connect to the remote lab and create an ad hoc network between two

machines. You will then analyze the communication to understand what exactly is exchanged

between the laptops. After completing this activity, you will be able to meet these objectives:

Connect to the remote lab

Connect to your remote laptop

Verify the internal card settings

Create an ad hoc network and analyze the communication

Visual Objective



Visual Objective for Lab 1-2: Creating anAd Hoc (IBSS) Network and Analyzingthe Communication

Required Resources


A PC with connectivity to the Internet

The Cisco VPN client

The remote desktop application

8/20/2019 Iuwne10 Lg v2



IP addresses assigned to your group

Lab map diagram

In the remote lab, a laptop with preinstalled sniffer and wireless card

8/20/2019 Iuwne10 Lg v2



Command List

The table describes the command that is used in this activity.

ping Command

Command Description

ping Tests Layer 3 reachability.

Job Aids

These job aids are available to help you complete the lab activity:

Remote laptop, already loaded with appropriate applications

Lab map IP addressing and naming convention

Lab Map—Groups 1 to 4

Group 1 Group 2 Group 3 Group 4

Remote laptop address 10.10.1.240 10.20.1.240 10.30.1.240 10.40.1.240

Remote laptop login student1 student2 student3 student4

Remote laptoppassword

cisco cisco cisco cisco

Ad hoc channel 1 1 6 6

Ad hoc SSID IUWNE-AD1 IUWNE-AD1 IUWNE-AD2 IUWNE-AD2

Ad hoc IP address 192.168.10.1 192.168.10.2 192.168.10.5 192.168.10.6

Ad hoc mask 255.255.255.252 255.255.255.252 255.255.255.252 255.255.255.252

Lab Map—Groups 5 to 8

Group 5 Group 6 Group 7 Group 8





Ad hoc channel 11 11 1 1

Ad hoc SSID IUWNE-AD3 IUWNE-AD3 IUWNE-AD4 IUWNE-AD4

Ad hoc IP address 192.168.10.9 192.168.10.10 192.168.10.13 192.168.10.14

Ad hoc mask 255.255.255.252 255.255.255.252 255.255.255.252 255.255.255.252

8/20/2019 Iuwne10 Lg v2



Task 1: Connect to the Remote Lab

In this task, you will use the Cisco VPN client to connect to the remote lab. You will install it,

import the profile containing the parameters required to access the remote lab, and test the

connection.

Activity Procedure


Step 1 Check to see if the Cisco VPN client is already installed on your PC: Choose Start >

Programs, and verify that the Cisco VPN client folder is present in the list of

available programs. If the folder is present, go directly to Step 4.

Step 2 If the folder is not present, ask your instructor to provide you with the Cisco VPN

client installer and the profile file (.pcf) required to access the remote lab.

Step 3 Double-click the Cisco Systems VPN Client Installer, and use the default values to

install the program. You may be asked to reboot your PC.

Step 4 Chose Start > Programs, go to the Cisco Systems VPN Client folder, and click the

VPN Client icon.

Step 5 Click Connection Entries, and choose Import.

8/20/2019 Iuwne10 Lg v2



Step 6 Browse through the list and choose the .pcf file provided by your instructor. This

action should add a new entry in your Cisco VPN client window.

Step 7 Double-click the new entry in your Cisco VPN Client Window. Ask your instructor

to provide the credentials used in your class.

8/20/2019 Iuwne10 Lg v2



Step 8 The connection is established when a small lock appears in the bottom-right corner

of your screen.

Step 9 Verify that you were assigned an IP address in the VPN network: Choose Start >

Run, enter cmd, and click OK .

Step 10 In the MS-DOS window, enter ipconfig/all. Check to verify that an adapter called

Cisco VPN adapter appears in the list and that it has an IP address in the range

10.X0.1.0 (where X is your group number).

Step 11 In the command prompt window, enter ping 10.100.1.254 to ping the common

gateway. Verify that the ping is successful.

Activity VerificationYou have successfully completed this task when you attain these results:

You are connected to the VPN gateway.

Your VPN adapter has an IP address in the 10.X0.1.0/24 range.

You can ping one of the remote lab routers.

8/20/2019 Iuwne10 Lg v2



Task 2: Connect to Your Remote Lab Wireless Laptop

In this task, you will use your VPN connection and the windows remote desktop service to

connect to your remote lab wireless laptop.

Activity Procedure


Step 1 Verify that your VPN connection to the remote lab is working properly.

Step 2 Connect to your remote laptop using the remote desktop: Choose Start > Programs

> Accessories > Communications > Remote Desktop Connection.

Note In each group, only one person at a time can be connected to the remote lab wireless

laptop. Choose with your partner who will be connecting.

Step 3 Use the lab map table shown in the Job Aids section to determine the destination IP

address that should be used to connect to your remote laptop. The address should be

in the format 10.X0.1.240, where X is your pod number.

8/20/2019 Iuwne10 Lg v2



Step 4 In the remote desktop connection pop-up window, in the computer field, enter the IP

address of your remote laptop, and click Connect.

Step 5 You will be presented with a new window where you are asked to enter the

credentials required to access your remote lab wireless laptop. Use the lab map table

to find out which username and password are used to connect to your group’s laptop.

They should be in the format username, studentX, (where X is your group number),

and password, cisco.

Step 6 Enter the credentials, and click OK . You should see the Windows desktop of your

remote laptop. You will use this same method of access for all remaining labs, so

keep this procedure available for reference for the subsequent labs.

8/20/2019 Iuwne10 Lg v2



Step 7 Take some time to familiarize yourself with the remote desktop interface. It is a

remote desktop on top of your class PC desktop. The upper bar shows that you are in

the remote desktop interface and displays the IP address of the remote laptop. To

minimize the remote desktop window, click the Minimize button. The remote

desktop window is minimized to your class PC taskbar. You can then access other

applications in your class PC. Click the remote desktop program in the task bar to

restore it to its full size. Click the Maximize button to increase or the Restore down

button to reduce the size of the remote desktop application. To end the remote

desktop session, click the Close button in the remote desktop window. Neverdisconnect the VPN session without closing the remote desktop application first.

You would be disconnected from the remote laptop without any possibility of

connecting back.


You have successfully completed this task when you attain these results:

You are connected to the remote lab wireless laptop.

You can see your remote lab wireless laptop IP address in a tab at the top of your screen.

You see your remote lab wireless laptop desktop and can interact with it.

Task 3: Verify the Internal Card Settings

In this task, you will document how your internal card reacts when being configured to connect

to an ad hoc network.

Activity Procedure


Step 1 From your remote lab wireless laptop, click Start > Connect To > Show All

Connections.

Step 2 Locate your wireless connection. It should be called Intel(R) Wireless WiFi Link

4965AGN.

Step 3 Right-click the wireless connection and choose Enable.

8/20/2019 Iuwne10 Lg v2



Step 4 Right-click Intel(R) Wireless WiFi link 4965AGN again and choose Properties.

Step 5 A new window opens. Click the Configure button located at the right of the

physical card description.

8/20/2019 Iuwne10 Lg v2



Step 6 A new window appears. Click the Advanced tab. In the Property list, choose Ad

Hoc Channel, and then choose the right value for your group from the drop-down

menu next to 802.11b/g. Refer to the following table:

Pod Pod1 Pod2 Pod3 Pod4 Pod5 Pod6 Pod7 Pod8

Channel 1 1 6 6 11 11 1 1

8/20/2019 Iuwne10 Lg v2



Step 7 Choose Ad Hoc Power Management, and verify that the default value is set to

Disabled. Choosing Disabled ensures that your card does not turn to the power save

mode while you are in ad hoc mode.

Step 8 You can see your wireless card MAC address at the bottom of the window.

Document it here.

Intel card MAC address:________________________________________________

Step 9 Click OK to validate your changes.



You have configured the channel used by your card to connect to ad hoc networks.

You have documented your internal wireless card MAC address.

8/20/2019 Iuwne10 Lg v2



Task 4: Create an Ad Hoc Network and Analyze theCommunication

In this task, you will work with a peer group to analyze ad hoc networks. You need to

coordinate your action with the peer group to perform the steps at the same time so that both

laptops can capture the right frames. The following table shows peer groups:

Pod Peer Group

Pod 1 Pod 2

Pod 3 Pod 4

Pod 5 Pod 6

Pod 7 Pod 8

Activity Procedure


Step 1 Prepare your wireless connection. If you closed the Wireless Network Connection

Properties window, click Start > Connect to > Show all connections.

Step 2 A new window appears showing all your network adapters.

Step 3 Locate your wireless connection. It should be called Intel(R) Wireless WiFi Link

4965AGN.

Step 4 Right-click your Intel Wireless 4965AGN adapter and click Properties.

Step 5 To create an ad hoc network you must have a common subnet IP address, and create

a common SSID. You need the IP address because neither of the two laptops is

configured to act as a DHCP server. In the Wireless Network Connection Properties

window, click the General tab, choose Internet Protocol TCP/IP, and then click

Properties.

8/20/2019 Iuwne10 Lg v2



Step 6 In the General tab, click the Use the following IP address radio button.

Step 7 Enter the IP address assigned to your group for this lab. Refer to the lab map.

Step 8 In Subnet mask, enter 255.255.255.252.

Step 9 Leave the other fields empty, and click OK .

8/20/2019 Iuwne10 Lg v2



Step 10 In the Wireless Network Connection Properties window, click the Wireless

Networks tab.

Step 11 If any networks are in the Preferred networks list, click them one by one and click

the Remove button until the Preferred network list is empty.

Step 12 Click Add.

8/20/2019 Iuwne10 Lg v2



Step 13 A new window appears. In the Network name (SSID) field, enter your ad hoc SSID.

Refer to the lab map.

Step 14 Leave the default of Open in the Network Authentication field.

Step 15 For Data encryption field, choose Disabled.

Step 16 At the bottom of the page, check the This is a computer-to-computer (ad-hoc)

network; wireless access points are not used check box.

8/20/2019 Iuwne10 Lg v2



Step 17 Click OK to activate the profile.

8/20/2019 Iuwne10 Lg v2



Step 18 Click OK to close the Wireless Network Connection Properties window and initiate

the connection.

Step 19 After a few seconds, your Intel wireless card should show the status as Connected.

8/20/2019 Iuwne10 Lg v2



Step 20 Right-click your wireless connection, and choose Status.

Step 21 You should see that you are connected to the ad hoc network you created.

Step 22 Open a command prompt. Choose Start > All programs > Accessories >

Command prompt.

Step 23 Try to ping the peer group IP address. The command should be in the form of ping

192.168.10.Z, where Z is the peer group host address. The ping should be

successful.

8/20/2019 Iuwne10 Lg v2



Step 24 You have now confirmed that the peer-to-peer connection worked. The next step is

to sniff the connection process and analyze it. Right-click your Intel 4965 card and

choose Disable.

Step 25 To start Wireshark, click Start > All Programs > Wireshark > Wireshark .

Step 26 Choose the Airpcap passive interface. In Wireshark, click Capture and choose

Interfaces.

Step 27 In the Interfaces list, you should see Airpcap USB wireless capture adapter. Click

Options at the right end of the Airpcap USB wireless capture adapter line.

Step 28 A new window appears. Verify that Capture packets in promiscuous mode is

checked.

Step 29 Click Wireless Settings.

8/20/2019 Iuwne10 Lg v2



Step 30 In the Channel field, choose the ad hoc channel used by your group. Refer to the lab

map.

Step 31 Verify that the Capture Type is set to 802.11 + Radio. Click OK .

Step 32 You should filter the capture to only display frames coming from and to your Intel

adapter. In the Capture Filter field, enter ether host followed by the MAC address

of your Intel card documented in Step 8 of the previous task 1. For example: ether

host 00:0b:85:72:17:10.

1 The Capture Filter menu presents a drop-down list from which some classical filters can be selected directly. The ether

host filter is not in the list, and must be entered manually.

8/20/2019 Iuwne10 Lg v2



Step 33 Make sure that your partner group is at the same step. Then, in the bottom section of

the Wireshark capture option window, click Start to launch the capture.

Step 34 In the task bar, click your network card properties.

Step 35 Locate your wireless connection. You should see Intel(R) Wireless WiFi link

4965AGN.

Step 36 Right-click the connection and choose Enable.

Step 37 After a few seconds, your Intel wireless card should show the status as Connected.

8/20/2019 Iuwne10 Lg v2



Step 38 Right-click your wireless connection, and choose Status.

Step 39 You should see that you are connected to the ad hoc network you created.

Step 40 Open a command prompt window. Click Start > All programs > Accessories >

Command prompt.

8/20/2019 Iuwne10 Lg v2



Step 41 Try to ping the peer group IP address. The command should be in the form ping

192.168.10.Z, where Z is the peer group host address. The ping should be

successful.

Step 42 From the Wireshark window, stop the capture. Click the Stop capture icon.

Step 43 Try to analyze the capture with your partner group and answer the following

questions: What is the most common frame type seen in the capture? Pings? Probe

requests/ probe answers? Beacons?

_________________________________________________________________

Step 44 Do you see any data packets? __________________________________________

Step 45 Click one beacon. Expand the Radiotap section. What is the peak frequency of the

channel used? The channel you defined for your network? Another one?

__________________________________________________________________

Step 46 At what speed (data rate) was it sent? The lowest possible speed? The fastest? An

intermediate speed?

__________________________________________________________________

Step 47 How often, on average, is the beacon sent? (Intervals between frames in the uppersection of the program window are given in seconds. You can also expand the IEEE

802.11 wireless management frame section and the Fixed Parameters subsection.)

Every second? Every tenth of a second? One hundred times a second?

___________________________________________________________________

8/20/2019 Iuwne10 Lg v2



Step 48 Expand the Tagged parameters section of the IEEE 802.11 wireless management

frame section. What are the supported rates? All the 802.11b rates? Only some of

them? More than the 802.11b rates?

___________________________________________________________________

Step 49 From these supported rates, what type of network protocol do you think is used?

802.11b? 802.11g? 802.11b/g? 802.11a?

___________________________________________________________________

Step 50 In the same Tagged parameters section of the IEEE 802.11 wireless LAN

management frame section, which flag indicates that it is an ad hoc network? An “ad

hoc” field? IBSS? BSSID?

____________________________________________________________________

Step 51 Does your card support WMM/WME? Yes / No____________________________

Step 52 Try to find frames that were not sent at the lowest speed. Why were they sent faster?

Because only beacon frames are sent slowly? To optimize the transmission to the

recipient?

____________________________________________________________________

Step 53 Close the Wireshark software. Save the capture on your desktop for future reference.

Give it the name Ad-hoc1.

Step 54 From the Wireless Network Connection Properties window, right-click your

wireless connection and choose Properties.

Step 55 Click the General tab, choose Internet Protocol TCP/IP, and click Properties.

8/20/2019 Iuwne10 Lg v2



Step 56 Click the Obtain an IP address automatically radio button.

Step 57 Click the Obtain DNS server address automatically radio button.

Step 58 Click OK to validate.

Step 59 Close the Wireless Network Connection Properties window.

Step 60 Right-click your Intel 4965 card and choose Disable.

Step 61 Close the Network Connections window.

Step 62 Disconnect from your remote laptop.

8/20/2019 Iuwne10 Lg v2





You could create an ad hoc connection.

You could connect to your peer group.

You could capture some traffic and analyze it.

8/20/2019 Iuwne10 Lg v2



Lab 2-1: Configuring a Cisco 2106 WLCComplete this lab activity to practice what you learned in the related module.

Activity Objective

In this activity, you will connect to your Cisco 2106 WLC through the serial connection and

configure it for the first time. After completing this activity, you will be able to meet theseobjectives:

Configure a Cisco 2106 WLC using the CLI setup wizard

Connect to your configured controller using the web interface

Allow Telnet connections to your controller

Allow open authentication access through your WLAN

Create a DHCP scope to support your local clients

Verify the presence of your AP

Visual ObjectiveThe figure illustrates what you will accomplish in this activity.


Visual Objective for Lab 2-1: Configuringa Cisco 2106 WLC

Required Resources




8/20/2019 Iuwne10 Lg v2



A connection to the remote terminal server with serial connection to your controller

In the remote lab, a Cisco 2106 WLC

Job Aids



Lab table

Lab Table—IP Addressing, Naming, and Information: Pods 1 to 4

Pod 1 Pod 2 Pod 3 Pod 4





Controller system name 2106-1 2106-2 2106-3 2106-4

Administrative user admin1 admin2 admin3 admin4

Administrativepassword


Management interfaceIP address

10.10.1.10 10.20.1.10 10.30.1.10 10.40.1.10

Management interfacemask

255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0

Default router 10.10.1.254 10.20.1.254 10.30.1.254 10.40.1.254

Management vlan id 0 0 0 0

Management port 1 1 1 1

Management DHCPserver

10.10.1.10 10.20.1.10 10.30.1.10 10.40.1.10

AP manager IP address 10.10.1.11 10.20.1.11 10.30.1.11 10.40.1.11

AP Manager DHCPserver

10.10.1.10 10.20.1.10 10.30.1.10 10.40.1.10

Virtual gateway IPaddress

1.1.1.1 1.1.1.1 1.1.1.1 1.1.1.1

Mobility group name pod1 pod2 pod3 pod4

Enable symmetrictunneling

No No No No

Network name IUWNE-1 IUWNE-2 IUWNE-3 IUWNE-4

Allow static IPaddresses

Yes Yes Yes Yes

Radius server No No No No

Country code US US US US

Enable b, a, and auto-RF

yes yes yes yes

8/20/2019 Iuwne10 Lg v2




Configure NTP No No No No

Configure time No No No No

DHCP scope name Scope 1-1 Scope 2-1 Scope 3-1 Scope 4-1

DHCP start address 10.10.1.21 10.20.1.21 10.30.1.21 10.40.1.21

DHCP end address 10.10.1.25 10.20.1.25 10.30.1.25 10.40.1.25

DHCP Network 10.10.1.0 10.20.1.0 10.30.1.0 10.40.1.0

DHCP Netmask 255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0

DHCP lease time 14400 14400 14400 14400

DHCP default router 10.10.1.254 10.20.1.254 10.30.1.254 10.40.1.254

DHCP DNS server 10.100.1.1 10.100.1.1 10.100.1.1 10.100.1.1

DHCP Netbios Srvr 10.100.1.1 10.100.1.1 10.100.1.1 10.100.1.1

DHCP status Enabled Enabled Enabled Enabled







Controller system name 2106-5 2106-6 2106-7 2106-8





10.50.1.10 10.60.1.10 10.70.1.10 10.80.1.10


255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0

Default router 10.50.1.254 10.60.1.254 10.70.1.254 10.80.1.254




10.50.1.10 10.60.1.10 10.70.1.10 10.80.1.10



10.50.1.10 10.60.1.10 10.70.1.10 10.80.1.10


1.1.1.1 1.1.1.1 1.1.1.1 1.1.1.1

Mobility group name pod5 pod6 pod7 pod8

8/20/2019 Iuwne10 Lg v2





No No No No



Yes Yes Yes Yes




yes yes yes yes





DHCP end address 10.50.1.25 10.60.1.25 10.70.1.25 10.80.1.25

DHCP Network 10.50.1.0 10.60.1.0 10.70.1.0 10.80.1.0

DHCP Netmask 255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0

DHCP lease time 14400 14400 14400 14400


DHCP DNS server 10.100.1.1 10.100.1.1 10.100.1.1 10.100.1.1



Task 1: Connect to the WLAN Controller Serial Interface andConfigure Your Controller for the First Time

In this task, you will connect to your remote WLAN controller serial interface using the remote

lab terminal server, and you will go through the initial CLI setup for your respective wireless

LAN controller.

Activity Procedure


Step 1 From your class PC, start the VPN client and double-click the remote lab connection

to activate it.

Step 2 From your class PC, choose Start > Programs > Accessories > Command

Prompt.

Step 3 At the command prompt, enter telnet followed by the IP address of the remote

terminal server (10.1.1.252 or other if provided by your instructor).

8/20/2019 Iuwne10 Lg v2



Step 4 Enter the credentials (username student, password cisco or other if provided by your

instructor) to access the terminal server.

Step 5 After successful login you will be asked to select the correct pod (Podx), where x is

your pod number.

Step 6 You will see a new menu, allowing you to connect to several devices in your group.

Take some time to familiarize yourself with the different options that are available.

Step 7 You now need to connect to the Cisco 2106 WLC, which is WLC2106, or Item 2.

Notice that once you are connected to your controller, you can go back to the devicemenu at any time by using the usual escape sequence CTRL + SHIFT + 6 then X.

Selecting 2 from the device menu should bring you to the controller’s serial interface

which, since the controller is not configured yet, should be the initial CLI setup

wizard.

8/20/2019 Iuwne10 Lg v2



Note VERY IMPORTANT: Verify that the first question you see is System Name. When enabling

the HyperTerminal session to your controller, you may have pressed Enter to test the

connection, and the setting you had at that time may have become the default answer to the

first questions. If that has become the default, and if the first question you see is not System

Name, enter “-” (minus sign) and press Enter ; this action will take you back one question.

Repeat the procedure as many times as needed to get back to the System Name question.

Step 8 Choose the parameters for your pod (X is the number of your pod). Username is

adminX, where X is your pod number, and the password is cisco. Additional

parameters are given below and summarized in the table “Lab Table—IP

Addressing, Naming, and Information: Pods X to Y.”

System Name [Cisco_34:26:a3]: 2106-1

Enter Administrative User Name (24 characters max): admin1Enter Administrative Password (24 characters max): *******

Re-enter Administrative Password : *******

Management Interface IP Address: 10.X0.1.10

Management Interface Netmask: 255.255.255.0

Management Interface Default Router: 10.X0.1.254

Management Interface VLAN Identifier (0 = untagged): 0

Management Interface Port Num [1 to 8]: 1

Note The port number is important because it must match the connection leading from the WLAN

controller to the network infrastructure.

Management Interface DHCP Server IP Address: 10.X0.1.10

Note Later your controller will be configured as a DHCP server. When using an internal WLAN

controller DHCP server, the IP address needs to match the management interface.

Therefore the DHCP server and management address will be the same and point to itself for

this lab. The remaining DHCP configuration will be completed later via the GUI.

AP Manager Interface IP Address: 10.X0.1.11

8/20/2019 Iuwne10 Lg v2



Note AP Manager is on the same Management subnet using a different host value.

AP Manager Interface DHCP Server (10.X0.1.10): 10.X0.1.10Virtual Gateway IP Address: 1.1.1.1

Note The Virtual Gateway provides Layer 3 features such as the DHCP relay to wireless clients.

This value must match among mobility groups.

Mobility/RF Group Name: PodX

Note Mobility/RF Group allows multiple wireless controllers to be clustered into one logical

controller group to allow dynamic RF adjustments and roaming for wireless clients.

Enable Symmetric Mobility Tunneling [yes][NO]: noNetwork Name (SSID): IUWNE-1

Allow Static IP Addresses [YES][no]: yesConfigure a RADIUS Server now? [YES][no]: no

Note By default one WLAN SSID is configured on the WLC already and it is using server-based

authentication. If you skip RADIUS configuration during the startup wizard, the result is a

preconfigured SSID using 802.1x EAP requiring a RADIUS server; however, no server isdefined. This choice is to prevent open authentication security vulnerabilities.

Enter Country Code list (enter 'help' for a list of countries)[US]: USEnable 802.11b Network [YES][no]: yesEnable 802.11a Network [YES][no]: yesEnable 802.11g Network [YES][no]: yes

Note On your controller, you enable all radios, 802.11b, 802.11g and 802.11a. The AP provided

for this controller will only have one 802.11a radio. You still allow all protocols, which means

that if an 802.11b/g AP were to join the controller, its radios would be enabled.

Enable Auto-RF [YES][no]: yesConfigure a NTP server now? [YES][no]: noConfigure the system time now? [YES][no]: noWarning! No AP will come up unless the time is set.Please see documentation for more details.

Note You do not configure the time on this controller. In a real deployment, you would configure

the time during the initial configuration of a controller. In this remote lab scenario, the time

has already been configured and is consistent with the time of the other devices in the lab.

Configuration correct? If yes, system will save it and reset.[yes][NO]:

8/20/2019 Iuwne10 Lg v2



Step 9 Read the warning. Take some time to review your configuration to make sure it

matches the lab map. Then answer yes to the “Configuration correct?”

question. The controller will save the configuration and reboot directly.

Step 10 Wait for the controller to reboot completely, until you are prompted for a username.

Enter your administrative username, and then press Enter.

8/20/2019 Iuwne10 Lg v2



Step 11 Enter your password, and then press Enter. Verify that you get the prompt

(Cisco Controller)>.

Step 12 Verify your configuration by entering: show sysinfo. The display should be similar

to the one displayed here, with the values that are relevant to your pod.



You have a CLI session open to your controller.

Your initial setup is complete and you see the (Cisco Controller)> prompt.

Task 2: Connect to Your Controller

In this task, you will connect to your controller’s web GUI. Because your controller now has a

basic configuration, you can connect to its Management Interface IP address through the VPN

tunnel without relying on the serial connection.

Activity Procedure


Step 1 Check that you are connected through the VPN tunnel to the remote lab network.

Step 2 If your remote desktop connection is still open, close it.

Note Now that the controller has a web interface, all members of the group can connect

simultaneously to the controller. Use this possibility to explore the controller interface, but

keep in mind that it is preferable to avoid having two people working on the same feature to

avoid any confusion in the changes that could be made.

8/20/2019 Iuwne10 Lg v2



Step 3 From your class PC, open a browser session to your controller Management

Interface IP address. Use https. You may have to disable your local proxy to access

the web interface through the VPN tunnel.

Step 4 Click Yes to accept the self-signed certificate sent by the controller.

Step 5 Click the login button.

Step 6 Enter the administrative username (adminX, where X = Pod number) you defined in

the previous lab, and cisco as the password.

Step 7 You should see the controller Monitor Summary page.

8/20/2019 Iuwne10 Lg v2





You are successfully connected to your controller web interface and see the Monitor

Summary page.

Task 3: Allow Limited Remote Management

Through the terminal server, you have a serial connection to your controller. In this task, you

will allow Telnet connections so that all members of your group can access the CLI, which will

be used mainly for debugging purposes.

Note This is a lab environment. In a production environment, you might want to consider your

company’s security strategy before allowing Telnet connections.

Activity Procedure


Step 1 From the controller’s web interface, in the upper menu, navigate to Management >

Telnet-SSH.

Step 2 Notice that SSH sessions are already allowed. From the drop-down menu for Allow

New Telnet sessions, choose Yes. Notice that Telnet sessions are limited to five

minutes.

Step 3 Click Apply in the upper-right corner. You are now set up to allow Telnet sessions

and SSH sessions.

8/20/2019 Iuwne10 Lg v2



Step 4 Test the connectivity: From your class PC choose Start > Programs > Accessories

> Command Prompt.

Step 5 Enter telnet followed by the IP address of your controller service interface. The

entry should be in the format telnet 10.X0.1.10, where X is your Pod number.

Step 6 When prompted, enter the administrative username (adminX, where X = Pod

number) you defined in the previous lab, and cisco as the password. Press Enter.

Step 7 You should get the prompt (Cisco Controller)>.



You can successfully connect to your controller using Telnet.

Task 4: Allow Open Authentication

In this task, you will modify the WLAN created during the initial setup, so that openauthentication and associations are allowed.

Note This is a lab environment. In a production environment, you might want to consider your

company’s security strategy before allowing open authentication WLANs into your network.

Activity Procedure


Step 1 From your controller web interface, in the upper menu, navigate to WLAN.

Step 2 Look at the profile you created during the initial setup, by default it should use

WPA2/802.1x for authentication.

Step 3 Click your profile, IUWNE-X, where X is your Pod number, to edit it.

8/20/2019 Iuwne10 Lg v2



Step 4 Make sure that, in the General tab, your WLAN status is set to Enable. Notice that

the SSID is broadcast by default.

Step 5 Click the Security tab.

Step 6 In the Layer 2 Security drop-down list, choose None to allow open authentication.

Step 7 Click Apply in the upper-right corner to validate the changes, read the warning, and

click OK to continue. Your security policies field should now be empty, which

means that you allow open authentication to your WLAN.



You successfully modified your WLAN to allow open authentication.

8/20/2019 Iuwne10 Lg v2



Task 5: Create a DHCP Scope

In this task, you will create a DHCP scope to provide IP addresses to your wireless clients.

Note This is a lab environment. In a production environment, you might have an external DHCP

server for all your clients. In such a case, the management Interface DHCP server IP

address and the AP Manager DHCP server IP address would be the network DHCP server

IP address instead of being the IP address of the controller itself. This limited internal DHCP

server is recommended for 10 or fewer APs and their respective clients. DHCP option 43 is

not supported.

Activity Procedure


Step 1 From your controller web interface, in the upper menu, navigate to Controller.

Step 2 In the left menu click Internal DHCP server.

Step 3 A new screen appears. Click New to create a new scope.

Step 4 In the Scope Name field, enter Scope X-1, where X is your Pod number.

Step 5 Click Apply to create the scope.

Step 6 A new window appears, showing your new scope in the list. It is disabled by default

and does not have any range. Click its name to edit its settings.

Step 7 A new window appears. In the Pool Start Address field, enter the parameters listed

in the table, where X is your pod number.

8/20/2019 Iuwne10 Lg v2



Internal DHCP Server Parameters

Parameter Value

Pool Start Address 10.X0.1.21

Pool End Address 10.X0.1.25

Network 10.X0.1.0

Netmask 255.255.255.0

Lease time 14400

Default Router 10.X0.1.254

DNS Server 10.100.1.1

Netbios Name Server 10.100.1.1

Status Enabled

Step 8 Review your scope to check the values entered, and then click Apply to create the

scope.

Step 9 Your new scope now appears in the list, with a status of Enabled.

Step 10 Save your configuration. In the upper menu, click Save configuration. Click OK to

confirm that you want to save the configuration.



You have successfully created a scope for your clients that are on your controller.

Task 6: Look for APs

In this task, you will look for the APs on the controller.

8/20/2019 Iuwne10 Lg v2



Activity Procedure


Step 1 From your controller web interface, in the upper menu, navigate to Monitor. The

Access Point Summary should not show any AP. One AP is allocated to your Pod.

You were told that the AP should automatically join the controller. It clearly does

not. The source of this issue can be in the AP configuration (standalone mode) or, if

the AP is in LWAPP mode, in the dialogue process between the AP and the

controller

Step 2 First check the controller. Navigate to Management.

Step 3 In the left menu, click SNMP.

Step 4 In the submenu, choose Trap Logs.

AP events are usually mentioned in the trap logs, but you should not see anything relevant to an

AP failure here. This means that the AP did not fail to associate. Two possibilities remain: the

AP cannot reach the controller, or there is something wrong on the AP. Actually, the AP

allocated to your pod should still be in standalone mode. In the next lab, you will convert the

autonomous AP to LWAPP and manage it with the tools used in this task to find whether the

AP has joined your controller properly.

Note Because the controller does not have an AP, the WLAN you created will not be available for

any client. The AP is needed for the client to see the WLANs configured on the controller. Ifyou are unsure about this point, connect to your remote laptop and try to detect the WLAN

created on your controller, IUWNE-X. You should not be able to see it.



You have checked for the presence of your AP in the Management menu and on the CLI,

but could not find it.

8/20/2019 Iuwne10 Lg v2



Lab 2-2: Configuring and Migrating aStandalone AP


Activity Objective

In this activity, you will give your autonomous AP a basic configuration and test it. You will

then migrate this AP to LWAPP. After completing this activity, you will be able to meet these

objectives:

Check your autonomous AP parameters

Configure your autonomous AP via its web interface

Migrate your autonomous AP to LWAPP

Visual Objective



Visual Objective for Lab 2-2: Configuringand Migrating a Standalone AP

Required ResourcesThese are the resources and equipment that are required to complete this activity:




In the remote lab, a standalone Cisco Aironet 1252AG AP

8/20/2019 Iuwne10 Lg v2



Job Aids


In the remote lab, a folder with the required files

Lab map







AP IP address 10.10.1.50 10.20.1.50 10.30.1.50 10.40.1.50

AP IP mask 255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0

AP SNMP RWcommunity

private1 private2 private3 private4

Autonomous SSID IUWNE-11 IUWNE-21 IUWNE-31 IUWNE-41

LWAPP channel 36 40 44 48







AP IP address 10.50.1.50 10.60.1.50 10.70.1.50 10.80.1.50

AP IP mask 255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0

AP SNMP RWcommunity

private5 private6 private7 private8

Autonomous SSID IUWNE-51 IUWNE-61 IUWNE-71 IUWNE-81

LWAPP channel 52 56 60 64

Task 1: Check the AP Parameters

In this task, you will connect to your AP and verify that it is in standalone mode. You will then

check its IP address.

Activity Procedure


Step 1 Connect to your Cisco Aironet 1252 AP. From your class PC, choose Start >

Programs > Accessories > Command Prompt.

8/20/2019 Iuwne10 Lg v2







Step 4 After successful login you will be asked to choose the correct pod (Podx), where x

is your pod number.



Step 6 Choose the device you want to connect to, AP1252, Item 4.

Step 7 You should be able to see the AP prompt. You may have to press Enter to activate

the CLI.

Step 8 Enter enable to access privileged mode. The password is Cisco (with Capital C).

8/20/2019 Iuwne10 Lg v2



Step 9 Enter show ip interface brief to check the IP addresses that are present on the AP.

Step 10 You should see that the IP address is assigned to the BVI interface, which is anindication that the AP is back to standalone mode. All the usual Cisco IOS

commands, such as configure terminal, are available.

Note The Bridge Virtual Interface, or BVI, is an IP address common to radio interfaces and the

Ethernet interface. Because it is not assigned to a specific physical interface but is common

to several of them, it is considered virtual, and is a bridge between interfaces.

Step 11 Start by configuring your CLI interface for better ease of use. Enter configure

terminal to enter configuration mode.

Step 12 Enter no ip domain-lookup. Using this command avoids a situation in which, if youmistype a command, the switch tries to resolve what you entered as a host name.

Step 13 The system returns status messages to the console. This feature is sometimes

disturbing if you are entering an instruction. You can ask the system to redisplay

what you were entering if a system message is to be sent to the console and

interrupts what you were doing. To use this command, go to the console by typing

line console 0.

Step 14 Then enter logging synchronous. From then on, when a message is sent to the

console, what you were typing will be displayed again for you to continue typing

exactly from where you were interrupted by the message.

Step 15 Configure your AP with a static IP address. You want to configure the first andunique BVI interface. Enter interface BVI 1.

Step 16 Enter your AP IP address. It should be in the format 10.X0.1.50, where X is your

group number. Enter ip address, followed by your AP’s IP address and mask.

Step 17 Enter end to return to privileged mode.

Step 18 Enter copy running-config startup-config to save the configuration.

8/20/2019 Iuwne10 Lg v2



Step 19 Verify that your AP is in range of your controller. Try to ping your controller. Enter

ping followed by your controller Management Interface IP address. It should be in

the format ping 10.X0.1.10 where X is your pod number. The ping should be

successful.

Step 20 Reduce the window but do not close it.



You have made sure that your AP is in standalone mode, and have its IP address statically

defined.

The AP is ready to be migrated to LWAPP.

Task 2: Configure Your Standalone AP

In this task, you will provide basic configuration to your AP in standalone mode and verify that

the configuration is correct. This task is not necessary for the migration process itself. It aims at

training the running of basic configuration tasks on an autonomous AP, and checks to see, once

the migration is complete, which parameters were kept and which were removed during the

upgrade.

Note In a real environment, you would migrate the AP directly, knowing in advance which

parameters would be left.

Activity Procedure


Step 1 Make sure that you have a VPN connection to the remote lab.

Step 2 From your class PC, open a browser HTTP session to your AP address, which was

configured from during the previous task and should be 10.X0.1.50 where X = pod

number.

8/20/2019 Iuwne10 Lg v2



Step 3 Use HTTP, not HTTPS. The username is blank; the password is Cisco (with a

capital C).

Step 4 You should be at the home page of your AP.

Step 5 In the left menu, click Express set-up.

Step 6 In the Hostname field, enter your AP name in the form 1252-X where X is your

group number.

Step 7 Leave the IP address assignment that was assigned during the previous task of

manual configuration. Do not change the values that are already present.

Note In this configuration, no gateway information is entered. In a production environment, a

gateway would be needed for the AP to be able to communicate with devices outside of its

subnet. In this lab environment, all the devices that the AP needs to connect to are inside its

own VLAN and subnet, so the gateway configuration can be ignored.

Step 8 In the SNMP Community field, enter privateX, where X is your pod number.

8/20/2019 Iuwne10 Lg v2



Step 9 Click the Read-Write radio button to make sure that the AP can be managed usingthis SNMP community.

Step 10 At the bottom right of the page, click Apply to validate the changes. Read the

warning and click OK to continue.

Step 11 In the left menu, click Express Security.

Step 12 In the SSID field, enter IUWNE-X1, where X is your pod number.

Step 13 Click Broadcast SSID in Beacon.

Step 14 In the VLAN section, click No VLAN because you do not want to tag frames

coming from this simple SSID.

Step 15 In the security section, choose No Security for an open authentication-based SSID,

without any encryption.

8/20/2019 Iuwne10 Lg v2



Step 16 At the bottom-right corner of the Express Security Set Up window, click Apply to

validate the changes. Read the warning and click OK to continue.

Step 17 You now need to enable your radio to allow this SSID to be sent out. In the left

menu, click Network Interfaces, and then click the Radio1-802.11N5Ghz tab.

Step 18 The radio’s status is set to Disabled, which is the default. Click the Settings tab.

8/20/2019 Iuwne10 Lg v2



Step 19 In the Enable Radio options, click Enable.

Step 20 Click Apply at the bottom right of the page to validate the change.

Step 21 In the left menu, click Home.

Step 22 In the Network Interfaces section of the Home: Summary Status, you should see

your radio Interface status at green, with a green “up” arrow. In the event log, you

should see that the line protocol on interface Dot11Radio1 was changed to “up.”

Step 23 Your AP is ready to provide connections. The configuration entered from the web

interface is saved automatically. Close the AP web browser.

Step 24 Use your local class PC to initiate a remote connection to the remote wireless laptopto verify that it can see this new broadcast SSID being broadcasted by the standalone

AP. Choose Start > Programs > Accessories > Communications > Remote

Desktop Connection.

8/20/2019 Iuwne10 Lg v2



Note In each pod, only one connection at a time is possible to the remote laptop. Choose with

your partner who will be connecting.

Step 25 Use the lab table in the job aids to verify what IP address you should use to connect

to your remote laptop. It should be in the format 10.X0.1.240, where X is your pod

number.

Step 26 In the Remote Desktop Connection window, in the Computer field, enter the IPaddress of your remote laptop, and click cConnect.

Step 27 A new window appears where you are asked to enter the credentials required to

access your remote laptop. Use the lab table in the job aids to verify which username

and password are used to connect to your group laptop. They should be in the format

studentX/cisco, where X is your pod number.

8/20/2019 Iuwne10 Lg v2



Step 28 Enter the credentials and click OK . You should see the Windows desktop of your

remote laptop.


Connections.

Step 30 Locate your wireless connection. It should be called Intel Wireless WiFi Link

4965AGN.

Step 31 Right-click it and choose Enable.

Step 32 Right-click the Intel Wireless network icon.

Step 33 Click View Available Wireless Networks.

8/20/2019 Iuwne10 Lg v2



Step 34 You should see the WLAN you just created. Click it, and click Connect.

Step 35 Read the warning. In this lab environment, it is acceptable to connect to an

unsecured network. Click Connect Anyway to continue.

Step 36 After a few seconds, the connection status should change to Waiting for the network

to be ready.

Note Your AP does not provide any IP address. The state Waiting for the network to be ready

indicates that the Layer 2 connection (authentication and association) was successful, and

that the client is waiting for an IP address to be assigned via DHCP. Because there is no

DHCP server, this step fails. This failure is expected. Your goal at this stage is simply to

verify the Layer 2 association, not to get full connectivity to the network.

Step 37 When the connection displays “Limited or No Connectivity,” click the Limited or

No Connectivity message. A new window appears.

8/20/2019 Iuwne10 Lg v2



Step 38 Click Details to check the connectivity limitation. Verify that you obtained an

address in the Automatic Private IP addressing range (APIPA), 169.254.0.0, which

shows that no DHCP server could be found2.

Step 39 Your WLAN works properly for the purpose of the connection verification. Close

the Network Connection Details window. Close the Wireless Network

Connection Status window.

Step 40 You do not need to stay connected to this WLAN anymore. Click it and choose

Disconnect.

2 If you obtain an address in the range 192.168.1.0/24, verify that your card is set to DHCP and ask your instructor to

shut the port to your Cisco 526 controller on the main switch.

8/20/2019 Iuwne10 Lg v2



Step 41 Read the warning and click OK to continue.

Step 42 In the Wireless Network Connection window, right-click your Intel card icon and

choose Disable.

Step 43 Close the Wireless Network Connection window. Do not close your remote desktop

connection.



Your AP has a configured SSID.

You could associate to it.

8/20/2019 Iuwne10 Lg v2



Task 3: Convert Your Standalone AP to LWAPP

In this task, you will convert your standalone AP to LWAPP mode. Converting to LWAPP

implies providing a new LWAPP able image to the AP. You can use a software utility to do

this, as shown in the course, or directly use the AP CLI. You will try the second method here.

Activity Procedure


Step 1 On your remote desktop locate a folder called IOS-TO-LWAPP. If you cannot

locate it, check with your instructor.

Step 2 Inside the folder, locate a file called c1250-rcvk9w8-tar.124-10b.JA. This file is the

LWAPP-enabled image that is for your AP.

Step 3 Still on your remote laptop desktop, locate the tftpd32 icon. Double-click it to start

the program.

Step 4 In the Current Directory field, browse to choose the IOS-TO-LWAPP folder.

8/20/2019 Iuwne10 Lg v2



Step 5 Click OK to open the folder.

Step 6 In Server interface, choose your wired connection IP address. It should be in the

form 10.X0.1.240, where X is your pod number.

Step 7 You now need to connect to your AP serial port to enter the required commands to

upgrade it to LWAPP. Your serial connection should be still open at this point and

connected to your AP. If it is closed, use steps 1 to 7 of Task 1 to connect to your

AP CLI.

Step 8 Enter enable to get to privileged mode. The password is Cisco (with a capital C).

Step 9 Verify that you can ping your remote laptop. Enter ping followed by your remote

laptop IP address. It should be in the form ping 10.X0.1.240, where X is your pod

number. The ping should be successful.

Step 10 Enter the command to download the new image file containing the LWAPP code.

Enter archive download-sw /force-reload /overwrite tftp://10.X0.1.240/c1250-

rcvk9w8-tar.10bJA.tar, where X is your pod number. The /force-reload option

asks for a reboot after the new image download, the /overwrite option asks to replace

the original code with the new one.

8/20/2019 Iuwne10 Lg v2



Step 11 In the background, your TFTP server starts sending the file to the AP. Monitor the

progression, and verify that the file has been completely sent.

Step 12 Once the AP has upgraded its code, it should reboot and load the new code. You can

recognize the AP by its name, c1250-rcvk9w8.

8/20/2019 Iuwne10 Lg v2



Step 13 The AP tries to join a controller, and find yours. It moves to a join state. Upon

joining the controller, the AP needs to download the same code version as the

version on the controller. Watch the download sequence, and see the AP reboot.

Step 14 At the end of the second reboot, the AP then tries to find a controller using the DNS

server, looking for CISCO-LWAPP-CONTROLLER host. In this lab, the DNSserver does not provide the controller address, so this process fails. The AP then

broadcasts in the subnet, discovers your controller, and goes to the join phase. You

can see that it then moves to CFG (configuration) phase and receives its

configuration from the controller.

8/20/2019 Iuwne10 Lg v2



Step 15 Press Enter. The AP should prompt you for a user name and password. The

username is Cisco and the password is Cisco. If these credentials are not valid, your

AP might have a remaining configuration from a previous class. In such a case, use

root as the username and Public1! as the password.

Step 16 The AP prompt should appear. Its name is still maintained. Enter enable to go to

privileged exec mode. The password is Cisco. If this password is invalid, your AP

might have a remaining configuration from a previous class. In such a case usePublic1! as the password.

Step 17 Enter the command: show ip interface brief to check the AP’s IP address.

Step 18 The IP address is now connected to the Gigabit Ethernet interface, and not to the

BVI.

Step 19 Enter show running-config. Browse through the configuration file. You should not

be able to see any information relevant to a WLAN. Apart from the main

configuration, the AP configuration now shows a long certificate, used to encrypt

the exchanges with the controller.

Step 20 Try to enter configure terminal. The command is not available anymore.

Step 21 Try to open a web session to your AP; it should fail. The AP is not reachable

anymore; only some limited commands are supported on the CLI.

Step 22 Close the command prompt. Close the TFTP server.

Step 23 Reduce your remote desktop window, but do not close it.

Step 24 Connect to your controller. From your class PC, open an HTTPS session to

10.X0.1.10, where X is your group number.

Step 25 You controller’s initial screen should appear. Click Login. Enter your credentials

and click OK . You should be on your controller monitor page.

8/20/2019 Iuwne10 Lg v2



Step 26 From this page, you should see that your migrated AP is now present. Its b/g/n radio

is set to 0 because it only has an 802.11a/n radio.

Step 27 From the upper menu, click Wireless. Your AP appears. You can see that it has kept

its name.

Step 28 Click the AP name to check its settings. No other apparent configuration should be

seen.

Step 29 For stability, enter your controller name in the Primary Controller Name field. It

should be in the form 2106-X, where X is your pod number 3.

Step 30 The AP does not need to have a static IP anymore. In the right side of the screen,

uncheck Static IP.

Note Your controller has an integrated DHCP server. This server provides IP addresses to

wireless clients and LWAPP APs. As long as your AP was in standalone mode, it could not

receive an IP address from the controller. Now that it is in LWAPP mode, it will receive an IP

address from the controller at each reboot.

3 The value to enter here is your controller name, as it is seen from Management > SNMP > General. Do not enter an

IP address because the AP will compare the name sent from the controller in the LWAPP discovery answer to this

value, and the names have to be the same string.

8/20/2019 Iuwne10 Lg v2



Step 31 The AP also has direct credentials. Verify that Over-ride Global credentials is

checked. In the username field, enter root. Use Public1! as the password.

Step 32 Click Apply in the upper-right section of the page to validate the change. Read the

warning, and click OK to continue.

Step 33 In the upper menu, navigate to WLAN.

Step 34 You should see the WLAN you created on the controller, but not the WLAN you

created on the AP when it was in standalone mode. The AP keeps the parameters

relevant to itself (its identity in the network), but the parameters relevant to the

wireless communication are now sent from the controller.

Step 35 Navigate back to wireless, and click in the left menu Access Points > Radios >

802.11a/n radios. You will change the channel on which the AP is set.

Step 36 You should see your AP transmit power and channel. There should be an asterisk

next to the channel and power level values, indicating that the values can be changed

dynamically.

Step 37 Click the blue arrow at the right end of the line and choose Configure.

8/20/2019 Iuwne10 Lg v2



Step 38 A new window appears with your AP 802.11a parameters. In the RF channel

assignment, click Custom, and choose the channel for your group as per the

following table:

Pod 1 2 3 4 5 6 7 8

Channel 36 40 44 48 52 56 60 64

Step 39 In TX Power Level assignment, click Custom, and choose 5 for the Channel power

value4.

Step 40 Click Apply to validate the changes.

Step 41 The values you chose should now appear, instead of the previous values.

Step 42Still in the same window, and leaving the values you chose, in RF ChannelAssignment, click Global. In Tx Power Level Assignment, click Global.

4 Power level 1 is the maximum transmit power allowed in your country. Power level 2 is half this value, 3 is half again

(25%) and so on. Power level 5 is 6.125 percent of the maximum power allowed in your country on this channel.

Depending on the model, there can be up to 8 levels.

8/20/2019 Iuwne10 Lg v2



Note Choosing Global will make the AP transmit with the parameters you defined, but if any new

event in the network condition makes these parameters not optimal anymore, the controller

is allowed to change them automatically. Turning these values back to global will not force

the power to max power, as long as the AP does not report a coverage hole.

Step 43 Click Apply to validate the changes.

Step 44 Click Back to return to the list. Your AP should now show the values you chose,with the asterisk still next to them.

Step 45 Save your configuration. In the upper menu, click Save configuration. Click OK to

confirm when prompted.

Step 46 Reopen the window to your remote wireless laptop.

Step 47 Click Start > Control Panel > Network connections.

Step 48 Right-click your Intel wireless adapter and choose Enable.

Step 49 Right-click your Intel wireless adapter and choose Properties.

Step 50 Go to Internet Protocol TCP/IP and click Properties.

8/20/2019 Iuwne10 Lg v2



Step 51 Make sure that your card is set to receive an IP address automatically (DHCP).

Step 52 Click OK and close the Properties window and the Control Panel.

Step 53 In the bottom-right corner of your desktop, right-click your wireless connection icon

and choose View Available Wireless Networks.

8/20/2019 Iuwne10 Lg v2



Step 54 The WLAN created on your controller, IUWNE-X (X = pod number), should appear

in the list. The WLAN created on the AP in standalone mode should not be here5.

Step 55 Choose the WLAN and click Connect.

Step 56 After a few seconds, the status should turn to Connected.

Step 57 In the remote laptop, open a command prompt and click Start > All Programs >

Accessories > Command Prompt.

Step 58 Enter ipconfig to check if you received an IP address from your controller. You

should have received an IP address from the scope you created before.

Step 59 Try to ping the controller management IP address (10.X0.1.10). The ping should be

successful.


Connections.


4965AGN.

Step 62 Right-click it and choose disable.

5 It may be possible that the WLAN you created on the autonomous AP still appears. If this is the case, try to connect to

it. It will fail. The WLAN still appears because Windows caches some of the SSIDs heard in the past even when they

are not in range anymore. In this lab the AP MAC address is still heard by the Windows client, which may make it

assume that a WLAN heard before associated to this MAC address should still be available.

8/20/2019 Iuwne10 Lg v2



Step 63 Close the other open windows in your remote wireless laptop and close the remote

desktop connection to that remote wireless laptop.

Step 64 Close the other open windows to such items as terminal server. Remember to use

Control-Shift-6 +X to use the terminal server menu to correctly terminate sessions

and close your sessions.



Your Cisco 1252 AP is converted to LWAPP mode.

You could change some of the parameters from the controller.

You could associate to the WLAN now displayed.

8/20/2019 Iuwne10 Lg v2



Lab 2-3: Installing and Configuring a CiscoMobility Express Wireless Controller and AP


Activity Objective

In this lab, you will configure your Cisco Mobility Express Wireless Controller and your Cisco

Mobility Express AP. After completing this activity, you will be able to meet these objectives:

Configure your Cisco Mobility Express Wireless Controller

Manage your Cisco Mobility Express AP

Use the Cisco Configuration Assistant

Visual Objective



Visual Objective for Lab 2-3: Installingand Configuring a Cisco MobilityExpress Wireless Controller and AP

Required Resources





In the remote lab, a Cisco 526 Mobility Express controller

8/20/2019 Iuwne10 Lg v2



Command List

The table describes the commands that are used in this activity.

CLI Connection Command

Command Description

telnet Establishes Layer 7 command line connectivity to a remote

device

Job Aids



Lab map diagram

8/20/2019 Iuwne10 Lg v2









Controller name 526-1 526-2 526-3 526-4





10.10.1.100 10.20.1.100 10.30.1.100 10.40.1.100


255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0

Default router 10.10.1.254 10.20.1.254 10.30.1.254 10.40.1.254




10.10.1.253 10.20.1.253 10.30.1.253 10.40.1.253



10.10.1.253 10.20.1.253 10.30.1.253 10.40.1.253


1.1.1.1 1.1.1.1 1.1.1.1 1.1.1.1

Mobility group name Pod1 Pod2 Pod3 Pod4

Enable symmetrictunneling No No No No



Yes Yes Yes Yes




yes yes yes yes

521 AP name 521-1 521-2 521-3 521-4

Layer 3 switchusername

student1 student2 student3 student4

Layer 3 switchpassword


DHCP scope 10.10.1.31-10.10.1.35

10.20.1.31-10.20.1.35

10.30.1.31-10.30.1.35

10.40.1.31-10.40.1.35

DHCP Pool name Pod1 Pod2 Pod3 Pod4

DHCP network 10.10.1.0 10.20.1.0 10.30.1.0 10.40.1.0

8/20/2019 Iuwne10 Lg v2




DHCP netmask 255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0

DHCP gateway 10.10.1.254 10.20.1.254 10.30.1.254 10.40.1.254

DHCP lease 0 4 0 4 0 4 0 4

DHCP DNS server 10.100.1.1 10.100.1.1 10.100.1.1 10.100.1.1

DHCP Option 60 Cisco AP c520 Cisco AP c520 Cisco AP c520 Cisco AP c520

DHCP option 43 10.10.1.100 10.20.1.100 10.30.1.100 10.40.1.100

Cisco Configuration Assistant community

IUWNE-1 IUWNE-2 IUWNE-3 IUWNE-4

Cisco Configuration Assistant WLAN








Controller name 526-5 526-6 526-7 526-8





10.50.1.100 10.60.1.100 10.70.1.100 10.80.1.100


255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0

Default router 10.50.1.254 10.60.1.254 10.70.1.254 10.80.1.254




10.50.1.253 10.60.1.253 10.70.1.253 10.80.1.253



10.50.1.253 10.60.1.253 10.70.1.253 10.80.1.253


1.1.1.1 1.1.1.1 1.1.1.1 1.1.1.1



No No No No



Yes Yes Yes Yes

8/20/2019 Iuwne10 Lg v2







yes yes yes yes

521 AP name 521-5 521-6 521-7 521-8

Layer 3 switchusername


Layer 3 switchpassword


DHCP scope 10.50.1.31-10.50.1.35

10.60.1.31-10.60.1.35

10.70.1.31-10.70.1.35

10.80.1.31-10.80.1.35


DHCP network 10.50.1.0 10.60.1.0 10.70.1.0 10.80.1.0

DHCP netmask 255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0

DHCP gateway 10.50.1.254 10.60.1.254 10.70.1.254 10.80.1.254

DHCP lease 0 4 0 4 0 4 0 4

DHCP DNS server 10.100.1.1 10.100.1.1 10.100.1.1 10.100.1.1


DHCP option 43 10.10.1.100 10.20.1.100 10.30.1.100 10.40.1.100

Cisco Configuration Assistant community


Cisco Configuration Assistant WLAN


Task 1: Configure Your Cisco Mobility Express WirelessController

In this task, you will provide an initial configuration to your Mobility Express controller

exactly the same way you did it for the Cisco 2106 controller, using the CLI.

Note In a real environment, you would be more likely to use the Mobility Express web interface for

this initial setting, or the Cisco Configuration Assistant.

Activity Procedure



Step 2 From your class PC, choose Start > Programs > Accessories > Command

Prompt.



8/20/2019 Iuwne10 Lg v2






is your pod number.


Take some time to familiarize yourself with the different options provided.

Step 7 You now need to connect to the Cisco 526 controller, which is WLC526, Item 1.

Notice that once connected to your controller, you can go back to the device menu atany time by using the usual escape sequence CTRL + SHIFT + 6 then X. Choosing

1 from the device menu should bring you to the controller serial interface which,

since the controller is not configured yet, should be the initial CLI setup wizard.

8/20/2019 Iuwne10 Lg v2



Note VERY IMPORTANT: Verify that the first question you see is System Name. When enabling

the HyperTerminal session to your controller, you may have pressed Enter to test the

connection, and the setting you had at that time may have become the default answer to the

first questions. If that has become the default, and if the first question you see is not System

Name, enter “-” (minus sign) and press Enter ; this action will take you back one question.

Repeat the procedure as many times as needed to get back to the System Name question.

Choose the parameters for your pod (x is the number of your pod). Username is

adminX, where X is your pod number, and the password is cisco. Additional

parameters are given below and summarized in the “Lab Map—IP Addressing,

Naming Conventions, and Information” table.

System Name [Cisco_34:26:a3]: 526-1Enter Administrative User Name (24 characters max): admin1

Enter Administrative Password (24 characters max): *******Re-enter Administrative Password : *******Management Interface IP Address: 10.10.1.100Management Interface Netmask: 255.255.255.0Management Interface Default Router: 10.10.1.254Management Interface VLAN Identifier (0 = untagged): 0Management Interface Port Num [1 to 2]: 1

Note The port number is important because it must match the connection leading from the

wireless LAN controller to the network infrastructure.

Management Interface DHCP Server IP Address: 10.10.1.253

Note You will configure later on a DHCP scope on the switch to which this controller connects.

The Cisco 526 controller does not have an internal DHCP server.

AP Manager Interface IP Address: 10.10.1.101

Note AP Manager is on the same Management subnet using a different host value.

AP Manager Interface DHCP Server (10.10.1.253): 10.10.1.253Virtual Gateway IP Address: 1.1.1.1

8/20/2019 Iuwne10 Lg v2



Note Virtual Gateway provides Layer 3 features such as DHCP relay to wireless clients. This

value must match among mobility groups.

Mobility/RF Group Name: Pod1

Note Mobility/RF Group allows multiple wireless controllers to be clustered into one logical

controller group to allow dynamic RF adjustments and roaming for wireless clients.

Enable Symmetric Mobility Tunneling [yes][NO]: noNetwork Name (SSID): IUWNE-101

Allow Static IP Addresses [YES][no]: yesConfigure a RADIUS Server now? [YES][no]: no

Note By default one WLAN SSID is configured on the WLC already, and it is using server-based

authentication. If you skip RADIUS configuration during the startup wizard, the result is a

preconfigured SSID using 802.1x EAP requiring a RADIUS server; however, there is no

server defined. This is to prevent open authentication security vulnerabilities.

Enter Country Code list (enter 'help' for a list of countries)[US]: USEnable 802.11b Network [YES][no]: yes

Enable 802.11g Network [YES][no]: yes

Note On your controller, you enable all radios, 802.11b and 802.11g. Notice that the wizard does

not prompt you for 802.11a. The Cisco Mobility Express solution APs are 802.11b and g

only, so there is no need for an 802.11a network.

Enable Auto-RF [YES][no]: yesConfigure a NTP server now? [YES][no]: noConfigure the system time now? [YES][no]: noWarning! No AP will come up unless the time is set.Please see documentation for more details.

Note You do not configure the time on this controller. In a real deployment, you would configurethe time during the initial configuration of a controller. In this remote lab scenario, the time

has already been configured and is consistent with the time of the other devices in the lab.

Configuration correct? If yes, system will save it and reset.[yes][NO]:

8/20/2019 Iuwne10 Lg v2



Read the warning. Take some time to review your configuration to make sure it

matches the lab map. Then answer yes to the Configuration Correct question.

The controller will save the configuration and reboot directly

Step 8 Wait for the controller to reboot completely, until you are prompted for a username.

Enter your administrative username, and then press Enter.

Step 9 Enter your password, and then press Enter. Verify that you get the prompt

(Cisco Controller)>.

8/20/2019 Iuwne10 Lg v2



Step 10 Verify your configuration, by entering show sysinfo. The display should be similar

to the one displayed here, with the values relevant to your pod.



You have a CLI session open to your controller.

Your initial setup is complete and you see the (Cisco Controller)> prompt.

You could verify your configuration using the show sysinfo command.

Task 2: Create a DHCP Scope

The Cisco 526 controller does not have an integrated DHCP server. The Cisco 2106 provides

IP addresses only to APs and its own clients. In this task, you need to set up a DHCP scope

somewhere else for your own clients. An ideal location for this scope is the Layer 3 switch to

which your controller connects. In this task, you will create this scope on the switch and correct

your management interface DHCP server to point to it.

Activity Procedure


Step 1 Verify that you have a VPN connection to the remote lab.

Step 2 From your class PC, connect to the class switch using Telnet. Click Start > All

Programs > Accessories > Command Prompt.

8/20/2019 Iuwne10 Lg v2




switch which should be 10.X0.1.253 where X is your pod number or other if

provided by your instructor.

Step 4 Enter your credentials. The username should be in the form studentX, where X is

your pod number. The password should be cisco.

Step 5 Once at the switch prompt, enter configure terminal6.

Step 6 To configure a DHCP scope from the command line, you need to create the scope. It

is created by allocating a whole subnet to a DHCP scope. You also need to exclude

some addresses from the range, so that you will only allocate a few addresses and

not the whole range itself. Use the following table:


DHCP excludedaddresses

10.10.1.1 -10.10.1.30

10.10.1.36 –10.10.1.255

10.20.1.1 -10.20.1.30

10.20.1.36 –10.20.1.255

10.30.1.1 -10.30.1.30

10.30.1.36 –10.30.1.255

10.40.1.1 -10.40.1.30

10.40.1.36 –10.40.1.255

DHCP scope 10.10.1.31-10.10.1.35

10.20.1.31-10.20.1.35

10.30.1.31-10.30.1.35

10.40.1.31-10.40.1.35


DHCP network 10.10.1.0 10.20.1.0 10.30.1.0 10.40.1.0

DHCP netmask 255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0

DHCP gateway 10.10.1.254 10.20.1.254 10.30.1.254 10.40.1.254

DHCP lease 0 4 0 4 0 4 0 4

DHCP DNS server 10.100.1.1 10.100.1.1 10.100.1.1 10.100.1.1


DHCP option 43 10.10.1.100 10.20.1.100 10.30.1.100 10.40.1.100


DHCP excludedaddresses

10.50.1.1 -10.50.1.30

10.50.1.36 –10.50.1.255

10.60.1.1 -10.60.1.30

10.60.1.36 –10.60.1.255

10.70.1.1 -10.70.1.30

10.70.1.36 –10.70.1.255

10.80.1.1 -10.80.1.30

10.80.1.36 –10.80.1.255

DHCP scope 10.50.1.31-10.50.1.35

10.60.1.31-10.60.1.35

10.70.1.31-10.70.1.35

10.80.1.31-10.80.1.35


DHCP network 10.50.1.0 10.60.1.0 10.70.1.0 10.80.1.0

6 Your privilege level on the switch means that you do not need to type enable first.

8/20/2019 Iuwne10 Lg v2



DHCP netmask 255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0

DHCP gateway 10.50.1.254 10.60.1.254 10.70.1.254 10.80.1.254

DHCP lease 0 4 0 4 0 4 0 4

DHCP DNS server 10.100.1.1 10.100.1.1 10.100.1.1 10.100.1.1


DHCP option 43 10.10.1.100 10.20.1.100 10.30.1.100 10.40.1.100

Step 7 In this scope, you want to allocate addresses from 10.X0.1.31 to 10.X0.1.35 (where

X is your pod number). Therefore, you need to exclude 10.X0.1.1 to 10.X0.1.30,

and then 10.X0.1.36 to 10.X0.1.255. Enter ip dhcp excluded-address followed by

the first range. It should be in the form ip dhcp excluded-address 10.X0.1.1

10.X0.1.30 (notice the space between the two IP addresses of 10.X0.1.1 and

10.X0.1.30).

Step 8 Exclude the second part. Enter ip dhcp excluded-address followed by the second

range. It should be in the form ip dhcp excluded-address 10.X0.1.36 10.X0.1.255.

The addresses between these two ranges are not excluded and are therefore allocated

once you create the scope.

Step 9 To create the scope, enter ip dhcp pool PodX (your scope name), where X is your

pod number.

Step 10 Enter a subcommand prompt where you will configure the scope details. The first

element is, of course, the subnet. Enter network followed by your subnet number

and mask. It should be in the form network 10.X0.1.0 255.255.255.0, where X is

your pod number.

Step 11 The next information is the gateway you want your clients to use. Enter default-

router followed by the gateway IP address. It should be in the form default-router

10.X0.1.254, where X is your pod number.

Step 12 The next information is the lease duration. On the Cisco 2106 controller, you used 4hours. Use the same duration here. Enter lease followed by its duration in days and

hours. It should be in the form: lease 0 4 (0 days, 4 hours).

8/20/2019 Iuwne10 Lg v2



Step 13 The next information is the DNS server address. Enter dns-server followed by the

server address. It should be in the form dns-server 10.100.1.1.

Step 14 A final, interesting, option to configure in this DHCP scope is Option 43. Your AP

has a static IP address and uses broadcast in its subnet to discover the controller. A

DHCP server can be used to provide APs with an IP address and a Controller

Management Interface IP address. To achieve this, the DHCP server must first

recognize that the DHCP discover message comes from an AP. This is done via an

identification mechanism: the AP identifies itself sending a specific string. The

Cisco 521 AP sends Cisco AP c520, and the Cisco 1252 AP sends Cisco AP c1250.The first element is to recognize these strings. Enter option 60 ascii “Cisco AP

c520” (inclusive of the quotes “”).

Step 15 The second element is to send back the controller IP address, upon receipt of the

option 60 string. This is Option 43 itself. Enter option 43 ascii followed by your

controller management IP address. It should be in the form option 43 ascii

“10.X0.1.100” where X is your group number (inclusive of the quotes “”).

Step 16 This last option, specific to APs, will not actually be used by your AP because the

AP has a static IP address and will not query the DHCP server. This option mightstill be useful if another AP was connected to your LAN. Your DHCP scope is ready

to provide IP addresses. Enter end to exit the configuration mode.

Step 17 Verify your scope. Enter show running-config and you should see the configuration

file and your DHCP scope near the top along with other pods DHCP scope. Verify

each element carefully.

Step 18 Close the Telnet window.



You have successfully created a DHCP pool on the Layer 3 switch.

Task 3: Manage the AP

In this task, you will connect to your controller web interface and configure some parameters

on your AP.

8/20/2019 Iuwne10 Lg v2



Activity Procedure


Step 1 Connect to your Cisco Mobility Express 526 Controller. From your class PC, open

an HTTPS session to your controller’s management interface. It should be in the

form https://10.X0.1.100, where X is your group number.

Step 2 The controller login Window should appear. Click Login.

Step 3 Enter your administrative user and password credentials (username = adminX and

password = cisco where X = Pod number).

Step 4 You should see the controller main monitor window. Your AP, already in LWAPP

mode, should be there. If it is not, check with your instructor.

Step 5 In the upper menu, navigate to Wireless. You should see your AP listed.

8/20/2019 Iuwne10 Lg v2



Step 6 Click its name to edit its settings.

Step 7 A new window appears. Change the AP name. The new name should be in the form

521-X, where X is your group number. Refer to the lab table in the job aids.

Step 8 Your AP has a static IP address. Document the IP address it has here:

____________________________________________________________________

Step 9 Enter a proper location for your AP: IUWNE-LAB.

Step 10 Enter your controller name as the primary controller. It should be in the form 526-X,

where X is your group number.

Step 11 At the bottom of the screen, check that your AP has one single 802.11b/g radio, and

that it is set to Enable.

Step 12 Click the Advanced tab. Check that the Cisco Discovery Protocol check box is

checked. Your AP can be discovered using Cisco Discovery Protocol.

Step 13 Click Apply to validate the changes. Read the warning and click OK to continue.

Step 14 In the upper menu, navigate to WLAN.

8/20/2019 Iuwne10 Lg v2



Step 15 The WLAN you created during the initial setup should be listed. You could modify

it here, but do not change it now. You will use the Cisco Configuration Assistant in

the next task.

Step 16 Reduce the web browser but do not close it.



Your AP is seen on your controller.

You could change its name and location, and check its IP address.

Task 4: Use the Cisco Configuration Assistant

In this task, you will use the Cisco Configuration Assistant to configure a WLAN and verify it

on your Cisco Mobility Express Controller. Most configurations can be done directly on the

Cisco 526 controller web interface, just like on the Cisco 2106 controller, but the Cisco

Configuration Assistant provides a single interface from which all the Cisco Smart Business

Communication System devices can be configured. You will learn how to use it in this task.

Activity Procedure


Step 1 Connect to your remote wireless laptop: from your class PC, choose Start >

Programs > Accessories > Communications > Remote Desktop Connection.

Note In each pod, only one connection at a time is possible to the remote laptop. Choose with


8/20/2019 Iuwne10 Lg v2



Step 2 Use the lab table in the job aid to know what IP address you should use to connect to

your remote wireless laptop. It should be in the format 10.X0.1.240, where X is your

pod number.

Step 3 In the Remote Desktop Connection window, in the Computer field, enter the IP

address of your remote laptop, and click Connect.


credentials required to access your remote wireless laptop. Use the lab table in the

job aid to know which username and password are used to connect to your grouplaptop. They should be in the format studentX/cisco, where X is your pod number.


remote laptop.

Step 6 On the desktop locate the Cisco Configuration Assistant icon.

Step 7 Double-click it to start the program.

8/20/2019 Iuwne10 Lg v2



Step 8 The initial window should ask if you want to connect to a community or create a

new one. There should not be any community listed, so choose to create one and

click OK to proceed. If there is already a community, ask your instructor to remove

it.

Step 9 A new window appears. In the Name field, enter IUWNE-X, where X is your pod

number. This will become the community name. A community is a common group

name for the devices that you administrate. It can be arbitrarily defined on the Cisco

Configuration Assistant, and does not need to be preconfigured on the devices.

Step 10 In the Company Name field, enter Cisco.

Step 11 Click Advanced. This setting shows how the Cisco Configuration Assistant will

connect to the devices you manage. Cisco Configuration Assistant uses

HTTP/HTTPS, which immediately shows that it will not be able to connect to your

AP because it is managed via the controller and does not offer any direct web

interface. Click OK to continue.

8/20/2019 Iuwne10 Lg v2



Step 12 In the Discover devices section, choose A single device by IP address7. In the IP

address field, enter your Cisco 526 controller Management IP address. It should be

in the form 10.X0.1.100, where X is your pod number.

Step 13 Click Start to start the discovery process.

Step 14 After a few seconds a popup window should appear, warning you about a self-sign

certificate. It is the certificate generated at boot time by your Cisco 526 controller.Click Yes to accept it.

Step 15 A new window appears, asking the credentials to connect to the Cisco 526

controller. Enter the credentials. Username should be adminX, where X is your pod

number, and password cisco. Click OK to continue.

7 If your controller was connected to an SMB switch of CE520 series, it would support the Cisco Configuration

Assistant communities, and you could use it to discover the whole network. On an enterprise type of switch,

communities are not supported. You can still discover devices, if they are directly manageable (like a controller) and if

you provide their IP address directly, as is done here.

8/20/2019 Iuwne10 Lg v2



Step 16 Your controller should then appear in the device list. It is now discovered and can bemanaged through the Cisco Configuration Assistant as well.

Step 17 In the Discover devices section, enter the IP address of your Cisco 521 AP. You

documented the IP address in the previous task. Keep the Discover field set to a

single device by IP address.

Step 18 Click Start.

Step 19 After a few seconds, a new box showing Unable to connect should appear.

Step 20 It is expected that the box will appear. The AP cannot be contacted directly using

HTTP or HTTPS. Was the AP discovered?

Step 21 Click OK to close the community window.

8/20/2019 Iuwne10 Lg v2



Step 22 A new window appears, showing a graphical representation of the community tree.

You can see the Cisco 526 controller, and the switch to which it connects. Right-

click your controller, and choose Properties.

Step 23 You see information about your controller. Click OK to close.

Step 24 Your AP is not shown on the topology. Is that because it is not seen by the Cisco

Configuration Assistant8 but still managed when Cisco Configuration Assistant

connects to the controller, or is it because it was not added at all and is ignored? Tocheck, click Monitor in the left menu.

Step 25 In the submenu, unfold the reports menu, and click Reports > Inventory. It will

show you the devices known in your community.

8 Another reason is because the main switch is not a CE520, and therefore not community-aware.

8/20/2019 Iuwne10 Lg v2



Step 26 You see that the Cisco 521 was indeed brought along with the controller, and is

known to the Cisco Configuration Assistant. The tool cannot display Cisco 521 on

the graphical map. This is because the main switch is not community-aware, so the

tool does not know where the AP is connected. However, it still knows that it is

managed by the Cisco 526 controller. There is just a graphical presentation

disconnect, but the AP is here.

Step 27 Close the Inventory window. The topology reappears. Right-click controller and

choose Annotation. The annotation field allows the administrator to write a short

memo.

8/20/2019 Iuwne10 Lg v2



Step 28 Enter a short text such as Plus 521-X AP, where X is your pod number.

Step 29 Click OK .

Step 30 The text should now appear under your controller.

Step 31 There are many ways of working with the Cisco Configuration Assistant. Now

change the Cisco 526 controller previously configured to add an open authentication

SSID9. You could click the left menu on Configure > Wireless > WLAN, but the

simplest way is, once again, to right-click your controller, and choose WLAN

(SSID).

9 In a real network, you would probably not set all the WLANs you create to Open, no encryption. In Module 4 you will

learn how to configure the infrastructure for security. Until then, you are temporarily creating simple WLANs.

8/20/2019 Iuwne10 Lg v2



Step 32 A new window appears, showing the WLAN you created on the Cisco 526

controller during the first setup.

Step 33 You will create a new WLAN. You do not need this one anymore. Click it, and clickDelete at the bottom. The WLAN list should be empty.

Step 34 Click Create at the bottom.

8/20/2019 Iuwne10 Lg v2



Step 35 A new window appears, warning you that no Radius server was created. The default

settings of a WLAN on Cisco controllers are WPA/WPA2 with a central server-

based authentication, which is done through a RADIUS server. A WLAN cannot

work because no Radius information is provided. You will create a new WLAN with

open authentication, therefore a Radius is still not needed at this stage; Click No to

continue.

Step 36 A new window appears. In the SSID field, enter IUWNE-X02, where X is your pod

number.

Step 37 There is no VLAN configured yet, leave the field to its default value of 1. Leave

QoS to Data, and security to No Security.Step 38 Click OK to create the new WLAN.

Step 39 The new WLAN should appear in the list.

8/20/2019 Iuwne10 Lg v2



Step 40 Click OK to validate the WLAN creation. If OK or Apply at the bottom are notclicked, all the operations remain local to the Cisco Configuration Assistant

software. As soon as you click OK or Apply, they are written to the Cisco 526

controller.

Step 41 The system prompts you for your 526 controller username and password. Enter your

administrative user credentials. They should be in the form adminX for the

username and cisco for the password, where X is your pod number.

Step 42 In the upper-left part of the Window, click Application > Exit. Click Yes to

confirm.

Step 43 Reduce the remote desktop window, but do not close it.

Step 44 Reopen the web browser session to your Cisco 526 controller, and click WLAN

(even if you are already in WLAN, to refresh).

Step 45 You should see the new WLAN created, its status should be set to enabled, and

security policies should be empty, which implies open authentication and no

encryption.

8/20/2019 Iuwne10 Lg v2



Step 46Go back to your remote desktop connection. From your remote lab wireless laptop,choose Start > Connect To > Show All Connections.


4965AGN.

Step 48 Right-click it and choose enable.

Step 49 Right-click your wireless connection again and choose View Available Wireless

Networks.

Step 50 The WLAN you created should appear in the list. If it does not appear, click Refresh

network list.

Step 51 Click the WLAN name, and click Connect.

Step 52 Read the warning about an unsecured network, and click Connect Anyway.

Step 53 The connection should be successful.

8/20/2019 Iuwne10 Lg v2



Step 54 Verify the connection. Choose Start > All Programs > Accessories > Command

Prompt.

Step 55 Enter ipconfig. You should see that your wireless card has an address in the range

you created on the class switch, which acts now as a DHCP server here also.

Step 56 Try to ping your 526 controller. Enter ping followed by the Management IP address

of your controller. It should be in the form ping 10.X0.1.100 where X is your pod

number. The ping should be successful.

Step 57 From your remote lab wireless laptop, choose Start > Connect To > Show All

Connections. Locate your wireless connection. It should be called Intel Wireless

WiFi Link 4965AGN.

Step 58 Right-click it and choose Disable.



You could create a new WLAN from the Cisco Configuration Assistant.

You could verify its transfer to the Cisco 526 controller.

You could test it by connecting to it.

8/20/2019 Iuwne10 Lg v2



Lab 3-1: Installing and Using the Cisco ADUComplete this lab activity to practice what you learned in the related module.

Activity Objective

In this activity, you will install and configure the Cisco Aironet Desktop Utility. After

completing this activity, you will be able to meet these objectives: Install the Cisco ADU

Configure the Cisco ADU and implement the Cisco Site Survey Utility

Observe the association process though Wireshark sniffer

Visual Objective



Visual Objective for Lab 3-1: Installingand Using the Cisco ADU

Required Resources





In the remote lab, a remote laptop with the Cisco card inserted and the Cisco ADU software

installed on the desktop

8/20/2019 Iuwne10 Lg v2



Job Aids


Lab table



WLAN IUWNE-102 IUWNE-202 IUWNE-302 IUWNE-402

Profile name Mobility Express Mobility Express Mobility Express Mobility Express

Static IP 10.10.1.26 10.20.1.26 10.30.1.26 10.40.1.26

Static netmask 255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0

Gateway 10.10.1.254 10.20.1.254 10.30.1.254 10.1.40.254

DNS server 10.100.1.1 10.100.1.1 10.100.1.1 10.100.1.1



WLAN IUWNE-502 IUWNE-602 IUWNE-702 IUWNE-802

Profile name Mobility Express Mobility Express Mobility Express Mobility Express

Static IP 10.50.1.26 10.60.1.26 10.70.1.26 10.80.1.26

Static netmask 255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0

Gateway 10.50.1.254 10.60.1.254 10.70.1.254 10.1.80.254

DNS server 10.100.1.1 10.100.1.1 10.100.1.1 10.100.1.1

Task 1: Installing the Software

In this task, you will install the Cisco ADU software. The Cisco CB21AG is already physically

installed on your remote laptop, but no driver is installed yet.

Activity Procedure


Step 1 Check that you are connected, through the VPN tunnel, to the remote lab network.

Step 2 Connect to your remote wireless laptop; from your class PC choose Start >


8/20/2019 Iuwne10 Lg v2



Note In each pod, only one connection to the remote laptop is possible at a time. Choose with


Step 3 Use the lab table located in the job aid to know what IP address you should use to

connect to your remote laptop. It should be in the format 10.X0.1.240, where X is

your pod number.

Step 4 In the Remote Desktop Connection pop-up window, in the computer field, enter theIP address of your remote laptop, and click connect.


credentials required to access your remote laptop. Use the lab map to know which

username and password are used to connect to your group laptop. They should be in

the format studentX/cisco, where X is your pod number.

8/20/2019 Iuwne10 Lg v2




remote laptop.

Step 7 On the desktop locate the Cisco WinClient-802.11a-b-g-Ins-Wizard-v35 icon.

Double-click it to start the installation process.

Step 8 Click Next when you see the initial Welcome page.

8/20/2019 Iuwne10 Lg v2



Step 9 Choose to install both the driver and the client utility.

Step 10 Click Next.

Step 11 Check the check box Install the Cisco Aironet Site Survey Utility.

Step 12 Click Next.

8/20/2019 Iuwne10 Lg v2



Step 13 Keep the default values in the next two windows (directory location for installation

and program folder name) and click Next to proceed. Read the information page

about the card management, and click Next to proceed.

Step 14 Choose Next to acknowledge the notice of client utility choice that you are about to

be presented with in follow window. Choose to configure the Cisco card using the

Cisco Aironet Desktop Utility. During the labs for this course, you will use the

Windows client for the internal Intel 4965 card and the Cisco ADU for the Cisco

card bus.

Step 15 Click Next.

Step 16 Read the warning informing you that the laptop will be rebooted at the end of the

install, and click Yes to continue.

Step 17 Read the information about the WLAN adapter. Because it is already inserted, click

OK to continue.

Step 18 The wizard will proceed to the program installation.

8/20/2019 Iuwne10 Lg v2



Step 19 Read the final installation status and the reminder about laptop reboot and click OK

to continue. You will lose connection to your remote laptop.

Step 20 Wait about a minute and connect back to your remote wireless laptop.

Step 21 You should see now in the right part of the taskbar the ASTU green icon. You now

have two WLAN adapters available.



The Cisco ADU is successfully installed.

You could reconnect to your remote laptop after the Cisco ADU installation.

Task 2: Use the Cisco ADU and the Cisco Site Survey Utility

In this task, you will learn to use the Cisco ADU to create a profile, and the Cisco Site Survey

Utility to understand the wireless environment.

Activity Procedure


Step 1 Choose Start > All programs > Cisco Aironet > Aironet Site Survey Utility.

Step 2 A new window appears where you see the received signal on a given channel.

8/20/2019 Iuwne10 Lg v2



Step 3 Click AP scan list. The list of all APs detected appears. In a busy environment, there

may be quite a few APs. Wait a few seconds for the list to be created, and then clickPause List Update.

Step 4 Browse down to find the Network Name created on the Cisco 526 controller. It

should be in the form IUWNE-X02, where X is your pod number. Adjust your

display window as needed.

Step 5 Once you have found the controller, click View AP Details.

Step 6 Document the channel and the MAC address of the AP:

AP 521 is on channel ___________. Its MAC address is ______________________

Step 7 Close the AP Detailed Information window.

Step 8 Minimize the Cisco Aironet Site Survey Utility window, but do not close it.

8/20/2019 Iuwne10 Lg v2



Step 9 In the task bar, right-click ASTU10, and choose Open Aironet Desktop Utility.

Step 10 The current status may show that you are already connected to a profile. Click the

Profile Management tab.

Step 11 Click New to create a new profile.

Step 12 In Profile Name, enter Mobility Express.

Step 13 Leave the Client name to its default.

Step 14 In the SSID1 field, enter the name of the SSID on your Cisco 526 controller. It

should be in the form IUWNE-X02, where X is your pod number.


10 The ASTU, Aironet System Tray Utility, is the Green icon installed with the Cisco ADU in the bottom-right portion

of your desktop.

8/20/2019 Iuwne10 Lg v2



Step 16 Check that Security is set to None because this WLAN uses open authentication.

Step 17 Click the Advanced tab.

Step 18 Because the WLAN is on the b/g network, uncheck 5 GHz 54 Mbps. Leave the

other parameters as they are. You could enter the AP MAC address in Preferred AP,

but do not do it yet. Click OK to create the profile. Do not activate it yet.

Step 19 Click the Diagnostic tab.

8/20/2019 Iuwne10 Lg v2



Step 20 Click Adapter Information. A new window appears, showing information about

your Cisco WLAN adapter.

Step 21 Document your Cisco card MAC address: _________________________________

Step 22 Click OK to close the Adapter Information window.

Step 23 Choose at the top: Action > Disable the radio. You need to have the radio off so

you can turn it on when you are ready to sniff the communication. Notice that both

Adaptor information and Advanced statistics become grayed.

Step 24 Try to connect with a static IP address. This will verify the prior lab where you

configured YES for Allow static IP address during initial setup on your controller.

Step 25 Right-click your wireless connections in the taskbar, and choose Open Network

Connections.

8/20/2019 Iuwne10 Lg v2



Step 26 In your network adapters list, try to identify the Cisco WLAN card. It should be

labeled Cisco Aironet 802.11a/b/g Wireless Adapter. Right-click the name and

choose Properties.

Step 27 In this Wireless Network Connection window, choose Internet Protocol TCP/IP,

and click Properties.

Step 28 Click Use the following IP address.

Step 29 Enter new IP address values as per the following table.

8/20/2019 Iuwne10 Lg v2




Static IP 10.10.1.26 10.20.1.26 10.30.1.26 10.40.1.26

Static netmask 255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0

Gateway 10.10.1.254 10.20.1.254 10.30.1.254 10.40.1.254

DNS server 10.100.1.1 10.100.1.1 10.100.1.1 10.100.1.1


Static IP 10.50.1.26 10.60.1.26 10.70.1.26 10.80.1.26

Static netmask 255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0

Gateway 10.50.1.254 10.60.1.254 10.70.1.254 10.80.1.254

DNS server 10.100.1.1 10.100.1.1 10.100.1.1 10.100.1.1

Step 30 Click OK to validate the settings.

Step 31 Close the Network properties window.

Step 32 Close the network connection window. Your card is ready for the association. This

window may take a few seconds because windows activate this change in address

information.

Step 33 You will sniff the card connection to the network. Start Wireshark. Click Start > All

Programs > Wireshark > Wireshark.

Step 34 You will first filter only frames going to or coming from your Cisco WLAN adapter.

In the upper menu, click Capture > Interfaces.

Step 35 Click Options at the right side of the Airpcap USB wireless capture adapter line.

8/20/2019 Iuwne10 Lg v2



Step 36 In the Capture Filter field, enter ether host followed by the MAC address of your

Cisco WLAN adapter. You documented it at Step 21. It should be in the form ether

host ab:cd:ef:gh:ij:kl, where ab:cd:ef:gh:ij:kl is your Cisco card MAC address.

Step 37 In the upper-right part of the same window, click Wireless Settings.

Step 38 A new window opens. In Channel, choose the channel on which your Cisco 521 AP

operates. You documented it at Step 6 of this task. Click OK to validate.

Step 39 Click Start to begin the capture.

8/20/2019 Iuwne10 Lg v2



Step 40 The number of packets accepted as per your filter should stay to 0 or very low.

Step 41 In the taskbar, click the Cisco ADU to bring it back to front.

Step 42 Choose at the top: Action > Enable radio.

Step 43 Click the Profile management tab and double-click the Mobility Express profile

to activate it, or you may be connected to another SSID.

Step 44 Click the Current Status tab.

Step 45 As soon as you see the status set to Associated, click the Stop Capture icon in theWireshark window.

Step 46 In the upper part of the Wireshark window, find the probe request. Write the name

of the SSID you see in it. Is your card looking for a null SSID? A broadcast SSID?A named SSID?

____________________________________________________________________

8/20/2019 Iuwne10 Lg v2



Step 47 At what speed was it sent? 1 Mb/s? 6 Mb/s? 11 Mb/s? 54 Mb/s?

____________________________________________________________________

Step 48 Find the probe response. Does the AP accept 802.11b speeds?

__________________________________________________________________

Step 49 Try to find the authentication request, authentication response, association request,

and association response. Document at what speed the association request was sent,

and what speed the association response was sent? Were they all sent at the same

speed? 1 Mb/s? 6 Mb/s? 11 Mb/s? 54 Mb/s?

Association request___________________________________________________

Association response__________________________________________________

Step 50 Document if the AP accepts short preambles: Yes / No

Step 51 Can you see the Cisco proprietary information (Cisco Compatible Extensions) in the

exchange? Yes / No

Step 52 Close Wireshark. Do not save the capture.

Step 53 Reopen the Cisco Site Survey Utility.

8/20/2019 Iuwne10 Lg v2



Step 54 Click Associated AP status. It should now show your connection to the IUWNE-

X02 SSID along with your pod’s respective 2.4-GHz channel.

Step 55 Document the RSSI and the SNR read:

RSSI_________________________________SNR__________________________

Step 56 At the bottom left of the window, check the Display in percent check box. Did youhave the same perception of the link quality level?

Step 57 Close the Cisco Site Survey Utility.

Step 58 Reopen the web session window from your local classroom PC to your Cisco 526

controller (https://10.X0.1.100).

Step 59 In the upper menu, click Monitor.

Step 60 In the lower part of the screen, locate the Client Summary section. Current clients

should show at least one client11. Click Detail at the right end of the Current Clients

line.

Step 61 At least one client should be associated: your remote laptop. Some neighboring

laptops may also be seen. Check with the MAC address documented at Step 21 that

one of the clients is your Cisco card.

11 You may see more than one client because each card sending a probe request will be flagged as a client in your

network, even if it does not actively try to associate afterwards.

8/20/2019 Iuwne10 Lg v2



Step 62 Check to verify that the client is authenticated and associated. Check to verify that it

is using the WLAN-Profile12.

Step 63 Click its MAC address to verify its settings.

Step 64 Can you see which interface it is using? Can you see which AP it is connectingthrough? Which authentication parameters of the WLAN are used?

Step 65 Document the client Cisco Compatible Extensions version:

_______________________________________

Step 66 Close the web session. You now have a validation of your Layer 2 connection. You

want to check the Layer 3 connectivity via a ping. From your remote wireless

laptop, open a command prompt and choose Start > All Programs > Accessories >

Command Prompt.

Step 67 Enter ipconfig. You should see that your wireless card has the static address you

defined.

Step 68 Try to ping your Cisco 526 controller. Enter ping followed by the Management IP

address of your controller. It should be in the form: ping 10.X0.1.100 where X is

your pod number. The ping should be successful.

12 The WLAN Profile shown is the one seen from the controller perspective, IUWNE-X02, not the profile from the

client perspective, Cisco Mobility Express.

8/20/2019 Iuwne10 Lg v2



Step 69 At this point, the verification is complete. You need to return your WLAN card to its

default mode before shutting it down to be ready for the next lab. Right-click your

wireless connections in the taskbar, and choose Open Network Connections.

Step 70 In your network adapters list, try to identify the Cisco WLAN card. It should be

labeled Cisco Aironet 802.11a/b/g Wireless Adapter. Right-click it and choose

Properties.

Step 71 In this Wireless Network Connection window, choose the Internet Protocol

TCP/IP and click Properties.

Step 72 Click Obtain an IP address automatically.

Step 73 Click Obtain DNS Server address automatically.

8/20/2019 Iuwne10 Lg v2



Step 74 Click OK to close the TCP/IP properties window.

Step 75 In the Windows Network Properties window, right-click your Cisco WLAN card

and choose Disable.

Step 76 Close the Wireless Network Properties window.

Step 77 Close the remote desktop session and all the other open windows.



Complete Cisco ADU installation inclusive of the Cisco Site Survey Utility.

You could associate to your IUWNE-X02 SSID using the Cisco ADU client.

You could capture the traffic using the Wireshark software.

8/20/2019 Iuwne10 Lg v2



Lab 3-2: Experimenting with Connections andRoaming


Activity Objective

In this activity, you will experiment with connections features and roaming. For this lab, you

will work in a team with another group. Both will create the same WLAN, and you will see

how your client can roam from one to the other. After completing this activity, you will be able

to meet these objectives:

Create a WLAN common to two groups

Connect to a specific AP

Force roaming from one AP to the other

Visual Objective



Visual Objective for Lab 3-2:Experimenting with Connections andRoaming

Required Resources





8/20/2019 Iuwne10 Lg v2



In the remote lab, a Cisco 2106 controller

In the remote lab, a remote laptop with a Cisco WLAN adapter

Job Aids


Lab map

Partner group table

Lab Table—Naming and Information: Pods 1 to 4


WLAN IUWNE-ROAM12 IUWNE-ROAM12 IUWNE-ROAM34 IUWNE-ROAM34

Mobility group Pod12 Pod12 Pod34 Pod34

Lab Table—Naming, and Information: Pods 5 to 8


WLAN IUWNE-ROAM56 IUWNE-ROAM56 IUWNE-ROAM78 IUWNE-ROAM78

Mobility group Pod56 Pod56 Pod78 Pod78

Task 1: Create a Common WLAN

In this task you will create a WLAN common to two pods.

Activity Procedure


Step 1 Check that you are connected, through the VPN tunnel, to the remote lab network.

Step 2 From your class PC, open a browser session to your Cisco 2106 controller

Management Interface IP address. (https://10.X0.1.10) You may have to disable

your local proxy to access the web interface through the VPN tunnel.

Step 3 Click OK to accept the self-signed certificate sent by the controller.

8/20/2019 Iuwne10 Lg v2



Step 4 Click Login.

Step 5 Enter the administrative username you defined in the previous lab and the password

(adminX for the username and cisco for the password).

8/20/2019 Iuwne10 Lg v2



Step 6 You should see the controller Monitor Summary page.

Step 7 In the upper menu, click WLAN.

Step 8 You should see the WLAN you created before. Click its name to edit its settings.

Step 9 Uncheck the Status Enabled check box. You do not want this WLAN to currently be

active13. Click Apply to validate the change.

Step 10 Now, at the WLAN page list, in the upper-right part of the window, click New tocreate a new WLAN.

13 The Cisco 2106 and the AP are perfectly capable of supporting several WLANs at the same time, but in a crowded

environment, you do not want to see too many SSID names that you will not use. For this reason you will disable the

WLANs you do not use for each new lab.

8/20/2019 Iuwne10 Lg v2



Step 11 In Profile Name field, enter Roaming. In the WLAN SSID field, enter the name of

the WLAN. Refer to the lab table (IUWNE-ROAMX, where X = shared group

number between two pods).

Note The name is in capitals and is case-sensitive.

Step 12 Click Apply to validate the name.

Step 13 A new window opens showing the WLAN details.

Step 14 Check the Status Enabled check box.

Step 15 In the Radio Policy drop-down list, choose 802.11a only. Because your Cisco 1252

AP operates only in the 802.11a spectrum, there is no point in allowing this WLAN

in the 802.11b/g band.


8/20/2019 Iuwne10 Lg v2



Step 17 In Layer 2 Security, choose None.

Step 18 Click Apply to create the WLAN with these settings.

Step 19 You should now have two WLAN Profile Names in the list, but only the Roaming

show a status of Enabled.

Step 20 In the upper menu, click Wireless.

8/20/2019 Iuwne10 Lg v2



Step 21 You should see your AP. Note that its Ethernet MAC address is shown. You want to

know its radio MAC address. In the left menu, choose radio > 802.11a/n.

Step 22 You should see your AP, along with its radio MAC address. Document this MAC

address here:

1252 AP 802.11a MAC address:_________________________________________

Step 23 You want to allow your clients to connect at 802.11n speeds. Position your mouse

on the arrow at the end of the AP description line and choose Configure.

Step 24 A new screen appears. In the 11n Parameters section, verify that your AP supports

802.11n. You will be using 20-MHz-wide channels, compatible with non-802.11n

clients. Verify that the Channel Width is set to 20 MHz.

Step 25 Click Apply to validate.

8/20/2019 Iuwne10 Lg v2



Step 26 Navigate to Wireless > 802.11a/n > High Throughput (802.11n).

Step 27 In the General section, verify that 802.11n is activated. In the MCS Data Rate

Settings, verify that all data rates are checked. Document the highest possible rate:

___________________________________________________________________

Step 28 To be able to roam, not only do you need to have a common WLAN, but the

controllers also need to be in the same mobility group. In the upper menu, click

Controller.

8/20/2019 Iuwne10 Lg v2



Step 29 In Default Mobility Domain Name and RF-Network Name, enter your common

group name. Refer to the table:

Pod 1 2 3 4 5 6 7 8

Name Pod12 Pod12 Pod34 Pod34 Pod56 Pod56 Pod78 Pod78

Note Names are case-sensitive.

Step 30 Click Apply to validate the change.

Step 31 Controllers are now in the same mobility group, but they do not communicate with

each other yet. In the left menu, unfold Mobility Management, and choose Mobility

groups.

8/20/2019 Iuwne10 Lg v2



Step 32 You see your controller’s details. Document its Management IP address and built-in

MAC address14:

Management IP address: ______________________________________________

Built in MAC address: ________________________________________________

Step 33 In the upper-right part of the screen, click New to create a new member to yourmobility group.

Step 34 Ask your partner group for their controller IP address and built-in Mac address, and

enter the values in the right fields.

Step 35 Click Apply to create the new member.

Step 36 Your mobility group list now shows two members.

14 The built-in MAC address is a MAC address common to the whole system, and not relevant to a specific port. This

MAC address is reachable through any port, and characterizes the system as a whole.

8/20/2019 Iuwne10 Lg v2



Step 37 To verify connectivity to the other controller, put the mouse over the arrow at the

right end of the line describing your partner controller, and choose Ping.

Step 38 The ping should be successful. If it is not, check your values.

Step 39 Your controllers are now ready to offer intercontroller connectivity and roaming. Do

not close the web browser window.



You could create a roaming WLAN.

Your controller is in the same mobility group as your partner controller, and they could

ping each other successfully.

Task 2: Connect to the Right AP

In this task, you will associate to this WLAN, and make sure both partners associate to the

same AP. To achieve it, you need to make sure that only one AP is available at a time.

Activity Procedure


Step 1 Steps 1 through 8 are for even-numbered pods (2, 4, 6, and 8) to disable their radios.

Odd-numbered pods can proceed to Step 9. In the controller web browser window,

click Wireless in the upper menu.

Step 2 In the left menu, choose Radio > 802.11a/n.

8/20/2019 Iuwne10 Lg v2



Step 3 You should now see your AP.

Step 4 Put your mouse on the arrow at the end of the line and choose configure.

Step 5 A new window appears with your AP 802.11a/n radio details.

Step 6 In the General section, set the Admin Status to Disable to turn your radio off.

Step 7 Click Apply to validate the change. Click Back to return to the radio list.

Step 8 The AP should show in the list, with its radio status set to DOWN and Disable.

Even-numbered pods can now proceed to Step 16 to configure their remote lab

wireless laptop.

8/20/2019 Iuwne10 Lg v2



Step 9 Steps 9 through 15 are for odd-numbered pods (1, 3, 5, and 7) to remove any

existing client associations. Even-numbered pods should have finished Step 8 and

proceeded to step 16. On the odd-numbered pod controllers, the AP radio should still

be up. At this point, only one of the APs in the mobility group is up, which

guarantees that the client will connect to this AP only.

Step 10 One last step needs to be performed; remove the clients trace from the controllers.

Otherwise, the client will not connect to the controller you expect. You will see why

later on. In the upper menu, click Monitor.

Step 11 In the left menu, click Clients.

Step 12 A new window appears. You should see at least one client. If you do not see any

clients, move directly to Step 16.

Step 13 Put your mouse on the arrow at the right end of the line describing each client, and

choose Remove. Be careful not to choose Disable.

Step 14 Click OK to confirm that you want to delete this client from the controller cache.Repeat the operation for all the other clients you may see in the list.

Step 15 No client should be left in the list.

Step 16 Connect to your remote laptop from your class PC; choose Start > Programs >

Accessories > Communications > Remote Desktop Connection.

8/20/2019 Iuwne10 Lg v2



Note In each pod, only one connection at a time is possible to the remote laptop. With your

partner choose who will be connecting.

Step 17 Use the lab table to know what IP address you should use to connect to your remote

lab wireless laptop. It should be in the format 10.X0.1.240, where X is your pod

number.

Step 18 In the remote desktop connection pop-up window, in the computer field, enter the IPaddress of your remote laptop, and click Connect.


credentials required to access your remote laptop. Use the lab table to know which

username and password are used to connect to your group laptop. They should be in

the format studentX for username and cisco for the password, where X is your pod

number.

8/20/2019 Iuwne10 Lg v2




remote laptop.


Connections.


4965AGN.


Step 24 Right-click your internal Intel 4965 wireless card connection again (not the Cisco

wireless card) and choose View Available Wireless Networks.

Step 25 The IUWNE-ROAM XY SSID should appear in the list. Click Connect. Read the

warning about unsecured networks, and click Connect Anyway to continue.

Step 26 The connection should be successful.

Step 27 Once connected, right-click your network connection and choose Status.

8/20/2019 Iuwne10 Lg v2



Step 28 A new window appears. Verify that you are connected to the correct WLAN

(IUWNE-ROAM X ). Also check the speed of the connection. It should be of 802.11n

type.

Step 29 Click the Support tab. Then click Details.

8/20/2019 Iuwne10 Lg v2



Step 30 Document the IP address obtained: _______________________________________

Step 31 Notice the DHCP Server address: Which machine is it?

____________________________________________________________________

Step 32 Click Close to close the Network Connection Details window. Close the status

window.

Step 33 Try to ping your partner laptop wireless connection. Open a command prompt and

choose Start > All Programs > Accessories > Command Prompt.

Step 34 Ask for your partner pod respective IP address documented at Step 30. Notice that,

in the wireless space, both machines are in the same subnet because they connected

to the same WLAN connected to the same controller.

8/20/2019 Iuwne10 Lg v2



Step 35 At the command prompt, enter ping –t followed by your partner’s laptop IP address.

Step 36 The ping should be successful and carry on without interruption. Notice the variable

time taken by each ping. The frame needs to travel from your laptop to the AP, then

from the AP to your partner laptop. It answers with a frame that has to travel all the

way back. At each step, CSMA/CA and contention windows may imply a different

delay. Let the ping continue without interrupting it and proceed to the next task

while leaving the command prompt window open.



You have successfully connected to the roaming profile.

Both partners are connected within the same subnet.

Task 3: Use Roaming

In this task, you will force your clients to roam from one AP to the other.

Activity Procedure


Step 1 Reopen the web session to your controller.

Step 2 Click Monitor. On the left menu click Clients.

Step 3 A new window appears. On the odd-numbered pods’ (1, 3, 5, 7) controllers, you

should see both laptops as clients to your controller. They are connecting through

the controller 1252 AP.

Step 4 On the even-numbered pods’ (2, 4, 6, 8) controllers, you should still see no client

because your AP radio is disabled.

8/20/2019 Iuwne10 Lg v2



Step 5 Steps 5 through 12 are for even-numbered pods (2, 4, 6, and 8) to enable their

respective AP radios. In the controller web browser window, click Wireless in the

upper menu.


Step 7 You should see your AP set to Disable.

Step 8 Put your mouse on the arrow at the end of the line and choose Configure.


Step 10 In the General section, set the Admin Status to Enable. This will turn your radio

back on.

Step 11 Click Apply to validate the change. Click Back to return to the radio list.

Step 12 The AP should show in the list, with its radio status set to UP / Enable. Notice the

channel is on.

8/20/2019 Iuwne10 Lg v2



Step 13 On the odd-numbered pods’ (1, 3, 5, 7) controllers, the AP radio should also be up.

At this point, both APs are up, but on different channels.

Step 14 Repeat Steps 2 to 4 to make sure that, even though two APs are available now, the

clients did not hop to the second AP15.

Step 15 Now is the time to force the hop, disabling the first AP to force the client to look for

another AP serving the same SSID and hop to it.

Step 16 Steps 16 through 23 are for the odd-numbered pods (1, 3, 5, 7) to disable their radiosto force clients to search for another AP for association, In the controller web

browser window, click Wireless in the upper menu


Step 18 You should see your AP.

Step 19 Put your mouse on the arrow at the end of the line and choose Configure.


Step 21 In the General section, set the Admin Status to Disable. This will turn your radio

down. Do not click Apply yet.

Step 22 Before clicking Apply, make sure you have a connection to your remote laptop and

see the window where the machine is still pinging your partner’s IP address. Be

ready to go back to it as soon as you click Apply in the web browser session. Then,

click Apply to validate the change.

Step 23 In your laptop session, look at the ping window.

15 The clients have no reason to hop if the connection on the first AP offers a good enough connection.

8/20/2019 Iuwne10 Lg v2



Step 24 A few pings should be timing out, while your WLAN card realizes that the

connection is not available anymore (no ACK to one of the pings), then scans all the

channels to find another AP serving the same SSID and reassociates. With a rate of

about 1 ping per second, try to evaluate how many seconds were lost in the process.

Step 25 Now both clients associate through the second (even-numbered) pods’ controllerAP.

Step 26 Reopen the web session to your controller.

Step 27 Click Monitor. On the left menu click Clients.

Step 28 A new window appears. On the even-numbered controllers, you should still not see a

client.

8/20/2019 Iuwne10 Lg v2



Step 29 On the odd-numbered pod controllers, you should still see both laptops as clients to

your controller. The AP name has changed now. It indicates the other controller as

the AP, and the protocol changed from 802.11n to Mobile the new controller proxies

the connection for your clients, but keeps in memory that they have to remain on the

same subnet as they were before, and that they come from the first controller.

Step 30 If your AP 802.11a radio was disabled, re-enable it.

Step 31 From you controller web interface click in the upper menu Save configuration.

Click OK to confirm.

Step 32 Close the remote laptop command prompt window.


Connections.


4965AGN.


Step 36 Close the open windows in the remote desktop connection. Close the remote desktop

connection and the web interface to your controller.



You could roam from one AP to the other.

You could see the roaming and client caching feature.

8/20/2019 Iuwne10 Lg v2



Lab 4-1: 802.1Q and Web AuthenticationComplete this lab activity to practice what you learned in the related module.

Activity Objective

In this activity you will set up a WLAN with Web Authentication as the security policy. This

implementation provides an open connection to a user that requires a username and passwordsecurity exchange. All network traffic is then transmitted in the clear. In order to provide that

support, a new WLAN instance must be created that provides an SSID that the Web

Authentication client will use. You must also define a Local Net User database and create the

username and password entries. Once the support for Web Authentication is configured

correctly on your controller, you will log in using the Local Net User username and password

using a browser connection from your remote lab wireless laptop. After completing this

activity, you will be able to meet these objectives:

Create a VLAN interface on the controller

Create a Web Authentication WLAN

Create a trunk port on a switch

Connect to the WLAN

Experiment with exclusion policies

Visual Objective



Visual Objective for Lab 4-1: 802.1Q and

Web Authentication

8/20/2019 Iuwne10 Lg v2



Required Resources






In the remote lab, a remote lab wireless laptop with a Cisco WLAN adapter

Job Aids


Pod IP addresses

Lab map

Lab Table—IP Addressing, Naming, and Information: Pods: 1 to 4


Remote lab wirelesslaptop address

10.10.1.240 10.20.1.240 10.30.1.240 10.40.1.240

Remote lab wirelesslaptop login


Remote lab wirelesslaptop password


526 WLC VLAN 90 ID 90 90 90 90

526 WLC VLAN 90 IP 172.16.90.10 172.16.90.20 172.16.90.30 172.16.90.40

526 WLC VLAN90netmask

255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0

526 WLC VLAN 90gateway

172.16.90.253 172.16.90.253 172.16.90.253 172.16.90.253

526 WLC VLAN 90 port 1 1 1 1

526 WLC VLAN 90DHCP server

172.16.90.253 172.16.90.253 172.16.90.253 172.16.90.253

WLAN IUWNE-Web1 IUWNE-Web2 IUWNE-Web3 IUWNE-Web4

Switch IP address 10.10.1.253 10.20.1.253 10.30.1.253 10.40.1.253

Switch username student1 student2 student3 student4

Switch password cisco cisco cisco cisco

Controller interface onthe switch

Gigabitethernet0/3 Gigabitethernet0/8 Gigabitethernet0/13 Gigabitethernet0/18

Native VLAN 10 20 30 40

Local Net user name webuser1 webuser2 webuser3 webuser4

Local net password cisco cisco cisco cisco

8/20/2019 Iuwne10 Lg v2






10.50.1.240 10.60.1.240 10.70.1.240 10.80.1.240



Remote lab wireless

laptop password


526 WLC VLAN 90 ID 90 90 90 90

526 WLC VLAN 90 IP 172.16.90.50 172.16.90.60 172.16.90.70 172.16.90.80

526 WLC VLAN90netmask

255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0

526 WLC VLAN 90gateway

172.16.90.253 172.16.90.253 172.16.90.253 172.16.90.253

526 WLC VLAN 90port

1 1 1 1

526 WLC VLAN 90

DHCP server

172.16.90.253 172.16.90.253 172.16.90.253 172.16.90.253








Local Net user name webuser5 webuser6 webuser7 webuser8

Local net password cisco cisco cisco cisco

Task 1: Create a VLAN Interface

In this scenario, the guest user WLAN is to send all users to VLAN 90, which links to a

theoretical DMZ. You will use the Cisco 526 controller web interface to configure a VLAN

interface that is needed to support the Web Authentication client traffic. In the next task, you

will create a WLAN that will be mapped to this VLAN.

Activity Procedure


Step 1 Make sure you have a VPN connection to the remote lab.

Step 2 From your class PC, connect to your Cisco 526 controller web interface. Open a

secured browser session to 10.X0.1.100, where X is your pod number.

8/20/2019 Iuwne10 Lg v2



Step 3 Enter your administrative user credentials, adminX as the username and cisco as the

password, where X is your pod number.

Step 4 From the upper Menu bar, choose the Controller > Interfaces option. Notice the

Controller options available in the left sidebar.

Step 5 In the main Interfaces window, click the New button.

Step 6 A new screen appears. In the Interface Name field, enter VLAN90.

Step 7 In the VLAN id field, enter 90.

Step 8 Click Apply to create the interface.

Step 9 A new screen appears where you can configure your interface details. Enter the

values for this new dynamic interface as per the following table:

8/20/2019 Iuwne10 Lg v2




VLAN 90 ID 90 90 90 90

VLAN 90 IP 172.16.90.10 172.16.90.20 172.16.90.30 172.16.90.40

VLAN90 netmask 255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0

VLAN 90 gateway 172.16.90.253 172.16.90.253 172.16.90.253 172.16.90.253

VLAN 90 WLC port 1 1 1 1

VLAN 90 DHCP server 172.16.90.253 172.16.90.253 172.16.90.253 172.16.90.253


VLAN 90 ID 90 90 90 90

VLAN 90 IP 172.16.90.50 172.16.90.60 172.16.90.70 172.16.90.80

VLAN90 netmask 255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0

VLAN 90 gateway 172.16.90.253 172.16.90.253 172.16.90.253 172.16.90.253

VLAN 90 WLC port 1 1 1 1

VLAN 90 DHCP server 172.16.90.253 172.16.90.253 172.16.90.253 172.16.90.253

8/20/2019 Iuwne10 Lg v2



Step 10 The gateway, 172.16.90.253, will act as a DHCP server for clients of this subnet.

The DHCP server is already configured on the gateway. Click Apply to validate the

settings. Read the warning message and click OK to continue.

Step 11 Notice in the upper-right corner of your window the three options; Save

Configuration, Ping, and Logout. Click the Save Configuration option. This saves

the running configuration to the NVRAM.



You created a VLAN interface on your Cisco 526 controller.

8/20/2019 Iuwne10 Lg v2



Task 2: Create the WLAN

In this task, you will create a specific WLAN to support web authentication.

Activity Procedure


Step 1 Navigate to WLAN.

Step 2 Disable your IUWNE-X02 SSID from the previous lab. Click it. A new screen

appears.

Step 3 Uncheck the WLAN Status Enabled check box. Click Apply.

Step 4 Your WLAN still appears in the list, but is disabled. No connection will be allowed

to this WLAN, and it will not be seen on the AP16.

Step 5 Click the New button to create a new WLAN.

Step 6 In the screen that appears, leave the WLAN type to its default. Enter the profile

name of Web _ authentication.

16 Your controller could have several active WLANs, but in a crowded lab environment it is better to limit the WLANs

to the one you really need.

8/20/2019 Iuwne10 Lg v2



Step 7 Assign the correct SSID as indicated on your lab map. It should be in the form

IUWNE-WEBX, where X is your pod number.

Step 8 Click the Apply button to create the new WLAN. A new edit screen will appear.

Step 9 Set Admin status to Enabled to activate the WLAN.

Step 10 Choose the VLAN90 interface you created earlier.


8/20/2019 Iuwne10 Lg v2



Step 12 Set the Layer 2 Security to None, because this WLAN will just use web

authentication (which is Layer 3) but no Layer 2 encryption or authentication.

Step 13 Click the Layer 3 Security tab.

Step 14 Click Web Policy. Read the warning about DNS and click OK to acknowledge.

Step 15 There are two possible web policies. Leave the policy to its default, Authentication.

Step 16 Click Apply to validate the WLAN settings.

Step 17 Review your WLAN configuration. Creating web authentication requires a

controller reboot. In the upper menu, click Commands.

Step 18 In the left menu, choose Reboot.

8/20/2019 Iuwne10 Lg v2



Step 19 A new screen appears; choose Reboot in the upper-right portion of the window.

Step 20 Two new options appear, Save and reboot and Reboot without save. Click Save and

reboot. Read the warning and click OK to continue.

Step 21 After a few minutes, your controller should be accessible again, and your Cisco 521

AP should also be accessible. Do not close your controller web browser.



You have disabled the WLAN from the previous lab.

You have successfully created a WLAN on your Cisco 526 Controller associated to theVLAN 90 interface.

Task 3: Configure a Trunk Port

In this task you will connect to the switch to allow VLAN 90 to link to your controller.

Activity Procedure


Step 1 From the controller upper-right menu, choose Ping.

Step 2 Try to ping your management interface gateway. Enter the switch IP address. It

should be in the form 10.X0.1.253.

Step 3 The ping should be successful. You can ping the switch to which your controller

connects. Click OK to close.

8/20/2019 Iuwne10 Lg v2



Step 4 Click Ping again. Enter your interface 90 IP address. It should be in the form

172.16.90.X0, where X is your pod number.

Step 5 The ping is again successful. You can ping your own interface in VLAN 90. Click

OK to close.

Step 6 Click Ping again. Enter the switch IP address in VLAN 90. It should be

172.16.90.253.

Step 7 This time the ping fails. You can reach the switch on the management subnet, but

not on VLAN 90. The problem could come from the switch IP address, but it is

configured properly. The second possibility is a misconfiguration in your controller

link to the switch. To verify, connect to the switch and from your local classroom

PC, choose Start > All Programs > Accessories > Command Prompt.

Step 8 Enter telnet followed by your switch IP address. It should be in the form telnet


Step 9 Enter your credentials. Login should be in the form studentX, where X is your pod

number. Password is cisco.

Step 10 Refer to the table below to know on which port your Cisco 526 controller is

connected. Enter show running-config interface gigabitethernet 0/X, where

gigabitethernet 0/X is your Cisco 526 controller interface on the switch. Refer to the

following table:

8/20/2019 Iuwne10 Lg v2







526 Controllerinterface on theswitch







526 Controllerinterface on theswitch



Step 11 Your controller port is in a VLAN on the switch. This fact means that the controller

can access anything that is the same VLAN, such as the AP, the remote lab wireless

laptop, or the switch itself as long as your controller does not apply any tag to the

frame it sends. This method worked previously because the management interface

was untagged. If you want to send tagged frames from your controller, you will need

to allow the switch to receive them. This implies changing the port mode from

access, in a VLAN, to a trunk. The switch will then accept receiving tags on thistrunk 17.

Step 12 Enter configure terminal to configure the switch.

17 This configuration is not specific to the Cisco 526 controller. On your Cisco 2106 controller, you have, up to this

point, used only the management interface. As soon as you would need to use more than one interface on a port, this

port must be turned into a trunk.

8/20/2019 Iuwne10 Lg v2



Step 13 Enter interface followed by your controller interface name.

Step 14 The port is not in the VLAN specified. Enter no switchport access vlan X0, where

X0 is the VLAN number displayed by the switch for this port.

Step 15 You will need to use 802.1Q type of tagging, which is the one supported by the

controller. Enter switchport trunk encapsulation dot1q.

Step 16 The port is a trunk. Enter switchport mode trunk .

Step 17 This configuration allows your controller to send and receive tagged frames, but one

element is missing. Until now, your controller was connecting to your Cisco 521 AP

and your remote lab wireless laptop because they all were in the same VLAN.

Frames were sent from one port of the VLAN to the other as if the VLAN itself was

an independent switch. If you change the controller port to trunk mode, all frames

coming for the different VLANs will still be sent to it, but with a VLAN tag. This

means that frames coming from your AP, your remote lab wireless laptop, or even

your local classroom PC will be sent to the controller with the VLAN tag you saw

before for your controller port. The problem is that your management and APmanager interfaces are set with “VLAN TAG 0”, which means that they are

untagged, and do not understand tagged traffic. Try to access the controller web

interface. It should have become inaccessible. There are two ways of solving this

problem. The first one is to tag the management and AP manager interface, so that

they understand the tags sent from the other devices. The second one is to tell the

switch not to tag the frames that originate from the controller’s old VLAN. This

second way is the easiest way. To do it, you need to tell the switch that, on this trunk

port, the native VLAN is your controller’s old VLAN number.

Step 18 Still at the controller interface configuration level, enter switchport trunk native

vlan X0, where X is your pod number.

8/20/2019 Iuwne10 Lg v2



Step 19 You should immediately regain access to your controller’s web interface, and your

Cisco 521 AP should be back after a few seconds. If you still cannot access your

switch web interface, notify your instructor.

Step 20 From the switch interface, enter end to exit the configuration mode.

Step 21 Enter ping followed by your controller IP address in VLAN 90. It should be in the

form ping 172.16.90.X0, where X is your pod number. The ping should be

successful. You can ping your controller from the switch. Close the command

prompt window.

Step 22 Verify the connectivity from the controller side. Click Ping again. Enter the switch

IP address in VLAN 90. It should be 172.16.90.253. The ping should this time besuccessful. Close the popup window.

Activity VerificationYou have successfully completed this task when you attain these results:

You created a trunk for your controller port on the switch.

You assigned the right native VLAN to this trunk port.

Task 3: Create a Local Net User

You must create a Local Net User and define a password that you will provide when logging in

as a Web Authentication client.

Activity ProcedureComplete these steps:

Step 1 From the upper menu, navigate to Security.

Step 2 In the left menu, click the Local Net Users button.

Step 3 Click New to create a new local user.

Step 4 In username, enter webuserX, where X is your pod number.

8/20/2019 Iuwne10 Lg v2



Step 5 In Password and Confirm Password, enter cisco.

Step 6 Do not click Guest User because you do not want to restrict the user lifetime18.

Step 7 IN WLAN Profile, choose Web_Authentication.

Step 8 Fill in the description for this user. It should be in the form User for the Web based

WLAN.

Step 9 Click the Apply button to save the new user configuration.



You have successfully created a Local Net User on your controller.

Task 4: Have the AP Rejoin the Controller

In this task, you will reboot your AP for it to rejoin the controller.

Activity Procedure


Step 1 Navigate to Monitor. Your AP should not be seen anymore19. If you see your AP,

proceed directly to Task 5.

18 When clicking guest user, you can restrict the user credentials lifetime. You could use this setting here, but youchoose instead not to restrict the credential’s lifetime and leave the Guest user box unchecked.19 In this lab environment, when you rebooted your controller, your Cisco 521 AP tried to join your controller but could

not. It then probably joined another controller while you were still rebooting. Now that your controller is back,

rebooting the AP is the easiest way to have it discover your controller again and rejoin it.

8/20/2019 Iuwne10 Lg v2



Step 2 You need to connect to your Cisco 521 AP serial interface to reboot it locally. From

your class PC, choose Start > Programs > Accessories > Command Prompt.





Step 5 After successful login, you will be asked to choose the correct pod (Podx), where x

is your pod number.



Step 7 You now need to connect to the Cisco 521 AP, which is AP521, or Item 3.

Step 8 Once connected, enter enable to access the privileged mode. The password is Cisco.

8/20/2019 Iuwne10 Lg v2



Step 9 Enter reload to reboot the AP. Press Enter to confirm. After a few minutes, you

should see that the AP is fully rebooted and an indication that it joined your

controller. Close the command prompt window.



Your access point has successfully joined your controller.

Task 5: Client Configuration

In this task, you will configure your remote lab wireless laptop to connect to this new WLAN.

Activity Procedure


Step 1 Connect to your remote lab wireless laptop; from your class PC, choose Start >


8/20/2019 Iuwne10 Lg v2



Note In each pod, only one connection at a time is possible to the remote lab wireless laptop.

Choose with your partner who will be connecting.

Step 2 Use the lab table to know what IP address you should use to connect to your remote


number.

Step 3 In the Remote Desktop Connection pop-up window, in the Computer field, enter theIP address of your remote lab wireless laptop, and click Connect.


credentials required to access your remote lab wireless laptop. Use the lab map to

know which username and password are used to connect to your pod remote lab

wireless laptop. They should be in the format studentX/cisco, where X is your pod

number.

8/20/2019 Iuwne10 Lg v2




remote lab wireless laptop.


Connections.


4965AGN.


Step 9 Right-click the Intel Wireless network icon again and click View All Available

Wireless Networks.

Step 10 You should see the WLAN you just created. Click it and click Connect.

8/20/2019 Iuwne10 Lg v2



Step 11 Read the warning about unsecured networks, and click Connect anyway to proceed.

Step 12 After a few seconds, you should be connected. Open a command prompt to verify

your IP address. Choose Start > All Programs > Accessories > Command

Prompt.

Step 13 Enter ipconfig.

Step 14 Your wireless connection should have an IP address in the 172.16.90.0 range. This

implies that you could reach the gateway as a DHCP client to obtain an IP address

from it. Enter ipconfig /all.

Step 15 Make sure that you have only one DNS server obtained through the wireless

interface of 10.100.1.1. If you have more than one DNS server, report to your

instructor 20.

20 You will need DNS server contact to resolve an URL next page. If you have a DNS server on your LAN interface,

Windows will always prefer it to the wireless one, and DNS resolution will fail for our example URL.

8/20/2019 Iuwne10 Lg v2



Step 16 Try to ping through the controller to the gateway; enter ping 172.16.90.253. The

ping should fail.

Step 17 Now back up to only ping your controller IP address in VLAN 90. Enter ping

172.16.90.X0, where X is your pod number. The ping should fail. This means that

although you had DHCP reachability, you do not have IP reachability as a client.

This WLAN is based on web authentication, to actually access the network you needto be authenticated.

Step 18 Your controller will not present itself to a wireless client as the VLAN interface, but

will always try to emulate the virtual IP address, 1.1.1.1, regardless of which VLAN

the wireless client should be sent once on the wired side of the network. Try to ping

this virtual IP address. Enter ping 1.1.1.1. The ping should fail.

Step 19 In this specific lab environment, your remote lab wireless laptop has two ways ofgetting to your controller: via the wired interface, or via the wireless interface. For

the wireless connection to be successful, you need to access the controller from the

wireless interface. This implies creating a static route. Still from your command

prompt, enter a host route: route add 1.1.1.1 mask 255.255.255.255 172.16.90.253.

This informs your remote lab wireless laptop that to reach your controller’s virtual

IP address (1.1.1.1), only the wireless gateway should be used.

8/20/2019 Iuwne10 Lg v2



Step 20 Still from the command prompt, enter route add 10.100.1.1 mask 255.255.255.255

172.16.90.253. This number informs your remote lab wireless laptop that reaching

the DNS server should be done via the wireless interface, so that traffic flows via

your controller and not your wired interface.

Step 21 From your remote lab wireless laptop, open a browser. Verify that the popup blocker

is disabled21. In the address bar enter test.example.com.

Step 22 Click OK to accept the certificate. You should be redirected to your controller

authentication page.

Step 23 In username, enter the local net user name you created before. It should be in the

form webuserX, where X is your pod number.

Step 24 In password, enter your local net user password. It should be cisco.

21 Web authentication page opens a popup window when connected. This page is not necessary in itself, but failure to

see it makes it difficult to know if you are successfully connected or not. Disabling popup blocker for your browser is

required in this lab environment.

8/20/2019 Iuwne10 Lg v2



Step 25 Click Submit. The authentication should be successful. You should be redirected to

a sample web page.

Notice that to close the session, you will need use the page https://1.1.1.1/logout.html, and then

click Logout.

Step 26 From the command prompt, enter ping 172.16.90.253. The ping should be

successful. Now that you are authenticated, you have full access to the network.

Step 27 In the web interface, click Logout.

Step 28 Close the web browser.

8/20/2019 Iuwne10 Lg v2





You have successfully logged in to the web authentication-based WLAN you created.

Task 6: Client Exclusion

In the previous example you logged in correctly and were granted access. This time you will

provide the wrong password each time you attempt to log in.

Activity Procedure


Step 1 Open a new IE browser session.

Step 2 In the browser’s address bar, enter the address http://test.example.com.

Step 3 Press Enter to initiate the browser session.

Step 4 When the security alert screen comes up, click Yes to continue.

Step 5 When the Login screen appears, log in using the name of the Local Net User you

created, but this time use iforgot as the password.

Step 6 Continue to try and log in to the system counting each failed attempt.

Step 7 After three failed attempts, you should be excluded.

8/20/2019 Iuwne10 Lg v2



Step 8 Close the browser session.

Step 9 In the command prompt, enter: route delete 10.100.1.1. Traffic to the DNS server

does not need to go via the wireless interface anymore. Close the command prompt.


Connections.


4965AGN.


Step 13 Close the connection to your remote desktop.

Step 14 From your class PC, open a web browser session to your 526 controller. Its IP

address should be in the form 10.X0.1.100.

Step 15 Navigate to Management in the menu bar.

Step 16 Choose the Trap Logs option in the left sidebar menu to bring up a list of recent

trap events.

Step 17 Examine the information found there. You should see the Client exclusion event.

Step 18 Document how many failed attempts were reported before you were excluded:

_______________________________________________________________

Step 19 Close the browser session to your controller.


You have successfully completed this activity when you have attained these results:

You have successfully been excluded from the controller

You have viewed the Alarm logs

8/20/2019 Iuwne10 Lg v2



Lab 4-2: Configuring EAP-FAST Authenticationwith WPA


Activity Objective

In this activity, you will create a secured WLAN on your Cisco 2106 controller, using EAP-

FAST for authentication, based on a local EAP, and WPA for encryption. After completing this

activity, you will be able to meet these objectives:

Create and configure a local EAP-based EAP-FAST WLAN

Configure the Cisco ADU to associate to this WLAN

Visual Objective



Visual Objective for Lab 4-2: ConfiguringEAP-FAST Authentication with WPA

Required Resources






In the remote lab, a remote lab wireless laptop with a WLAN adapter

8/20/2019 Iuwne10 Lg v2



Job Aids


IP addresses assigned to your pod

Lab table



Profile EAP-FAST EAP-FAST EAP-FAST EAP-FAST

WLAN IUWNE-FAST1 IUWNE-FAST2 IUWNE-FAST3 IUWNE-FAST4

Local user name Fastuser1 Fastuser2 Fastuser3 Fastuser4

Local user password cisco cisco cisco cisco



Profile EAP-FAST EAP-FAST EAP-FAST EAP-FAST

WLAN IUWNE-FAST5 IUWNE-FAST6 IUWNE-FAST7 IUWNE-FAST8

Local user name Fastuser5 Fastuser6 Fastuser7 Fastuser8

Local user password cisco cisco cisco cisco

Task 1: Create the WLAN

In this task you will create a new WLAN to support this secure authentication. You will then

configure your controller to use local EAP with EAP FAST.

Activity Procedure


Step 1 From your class PC, open a secured web session to your Cisco 2106 controller. Its

IP address should be in the form 10.X0.1.10, where X is your pod number.

Step 2 Click Login. Enter your credentials. Your administrative username should be in the

form adminX, where X is your pod number, and password should be cisco.

Step 3 Navigate to WLAN.

Step 4 Disable your IUWNE-ROAMX SSID from the previous lab (IUWNE-X should still be disabled). Click it. A new screen appears.

8/20/2019 Iuwne10 Lg v2



Step 5 Uncheck WLAN Status Enabled. Click Apply.

Step 6 Your WLAN still appears in the list, but is disabled. No connection will be allowed

to this WLAN, and it will not be seen on the AP22.

Step 7 Click the New button to create a new WLAN.

Step 8 In the screen that appears, leave the WLAN Type to its default, WLAN. Enter the

profile name. It should be EAP_FAST.

Step 9 Assign the correct SSID as indicated on your lab map. It should be in the form

IUWNE-FASTX, where X is your pod number.

22 You controller could have several active WLANs, but in a crowded lab environment it is better to limit the WLANs

to the one you really need.

8/20/2019 Iuwne10 Lg v2



Step 10 Click the Apply button to create the new WLAN. A new edit screen will appear.

Step 11 Set Admin status to Enabled to activate the WLAN.

Step 12 In Radio Policy, choose the 802.11a only.

Step 13 Leave the Interface to management.

Step 14 Click Apply to create the WLAN. Its security parameters are not configured yet;

you will return to them later in this task.

Step 15 Create a local user. From the upper menu, navigate to Security.

Step 16 In the left menu, click the Local Net Users button.

Step 17 Click New to create a new local user.

Step 18 In username, enter FastuserX, where X is your pod number.

8/20/2019 Iuwne10 Lg v2



Step 19 In password, enter cisco.

Step 20 Do not click Guest User. You will not limit the user session in this task, and guest

user only applies to web authentication-based WLANs.

Step 21 In WLAN Profile, chose EAP_FAST.

Step 22 Fill in the description for this user; Local user for the EAP FAST WLAN.

Step 23 Click the Apply button to save the new user configuration.

Step 24 Specify to the controller that the user credentials should be retrieved from the

controller. Choose Security > Local EAP > Authentication Priority.

Step 25 The column on the right is the one that is used to authenticate the client’s

credentials. Verify that LDAP is in the left column so that it will not be used. If not,

elect LDAP, click the "<" button, and click Apply. This puts the user credentials in

the local database first.

Step 26 Create a new EAP profile. This profile will be used to apply your policy to the EAP

FAST WLAN. Choose Security > Local EAP > Profiles.

Step 27 Click New.

Step 28 When the new window appears, enter the Profile Name. It should be in the form

EAP-FASTX, where X is your pod number.

Step 29 Click Apply to create the profile.

Step 30 In the new window, click EAP-FAST to apply your policy to EAP-FAST

authentications.

8/20/2019 Iuwne10 Lg v2



Step 31 Click Apply.

Step 32 Click your profile name to check its settings.

Step 33 In the left menu, click EAP FAST parameters.

Step 34 This window defines the EAP –FAST parameters for your EAP FAST policy.

8/20/2019 Iuwne10 Lg v2



Step 35 You can leave the parameters to their default configuration. In a real network, you

may want to define these parameters according to your network security policy.

Step 36 Go back to your WLAN configuration. Navigate to WLAN. Click your EAP- FAST

WLAN to configure it.


Step 38 Click AAA servers. This is where you will indicate to the controllers to use local

EAP for the incoming clients of the WLAN.

Step 39 In local EAP Authentication, check the Local EAP Authentication check box.

Step 40 Make sure that the EAP profile name is the one you created in this task (EAP-

FASTX, where X is your pod number).

Step 41 Click Layer 2 Security. This field is where you will define how authentication and

encryption should work for this WLAN.

Step 42 Make sure that Layer 2 Security is set to WPA+WPA2 because you will use WPA

for this WLAN.

8/20/2019 Iuwne10 Lg v2



Step 43 Lower in the same tab, in WPA+WPA2 parameters, click WPA Policy.

Step 44 WPA encryption should be set to TKIP.

Step 45 Unclick WPA2 Policy because WPA is the only encryption you wish to use for this

WLAN.

Step 46 Leave Auth Key Mgmt to 802.1X, which means that the client key rotation and

values will be managed by the AAA server, in this case your controller. Click Apply

to validate the changes.

Step 47 In the upper part of your controller screen, click Save Configuration.

Step 48 For the local EAP values to be applied to your APs, you need to reboot your

controller. Navigate to Command.

Step 49 In the left menu click Reboot.

Step 50 Click Reboot again to confirm.



You configured your controller for EAP FAST local authentication.

Task 2: Configure the Client and Access the Network

In this task, you will configure your client for EAP-FAST and test the connection.

Note VERY IMPORTANT: During step 32 to step 39 of client authentication, make sure NOT TO

DISCONNECT from the remote desktop connection to your remote wireless lab laptop. If

you disconnect during these steps, your remote wireless lab laptop may be blocked and not

respond. You would be unable to proceed with the rest of the labs. This issue is known and

cannot be avoided as a result of user action needed to confirm request for 2nd

attempt to

download the final PAC file used for authentication.

8/20/2019 Iuwne10 Lg v2



Activity Procedure


Step 1 Connect to your remote lab wireless laptop using remote desktop; choose Start >




Step 2 Use the lab map to know what IP address you should use to connect to your remote


number.

Step 3 In the remote desktop connection pop-up window, in the Computer field, enter the

IP address of your remote lab wireless laptop, and click Connect.

8/20/2019 Iuwne10 Lg v2






wireless laptop. They should be in the format studentX for the username and cisco

for the password, where X is your pod number.




Connections.

Step 7 Locate your wireless connection. It should be called Cisco Aironet 802.11a/b/g

wireless adapter.


Step 9 Right-click your Cisco ASTU (the Cisco Aironet System Tray Utility, which is the

green icon on the system tray) icon and choose Open Aironet Desktop Utility.

Step 10 Click the Profile Management tab. Click the Default profile23.

23 Do not use the Cisco Mobility Express profile; it is set to work on the 2.4-Ghz band only, and will not display SSIDs

in the 80.211a band.

8/20/2019 Iuwne10 Lg v2



Step 11 Click Scan.

Step 12 The IUWNE-FAST X SSID should appear in the list.

Step 13 Click it, and click Activate.

Step 14 A new window opens.

Step 15 In the Profile Name field, enter EAP FAST.


8/20/2019 Iuwne10 Lg v2



Step 17 In Set security options, choose WPA/WPA2/CCKM.

Step 18 In the drop-down list at the right of the same line, choose EAP FAST.

Step 19 Click the Configure button on the Profile Management screen.

Step 20 In EAP Fast Authentication Method, verify or change the setting to MSCHAP v2

User Name and Password.

8/20/2019 Iuwne10 Lg v2



Step 21 Notice that the Protected Access Credential zone is empty. Make sure that the Allow

Automatic PAC provisioning box is checked. Your client will automatically receive

its PAC from the controller.

Step 22 Make sure that the other check boxes are unchecked (meaning uncheck the default

No Network Connection Unless User Is Logged In).

Step 23 Click the Configure button at the right end of the MSCHAP v2 User name and

password line.

Step 24 Make sure the Validate Server identity box is unchecked.

Step 25 Click User Saved User Name and Password.

Step 26 In the user name field, enter the local net user name you created in the previous task.

It should be in the form FastuserX, where X is your pod number.

Step 27 Enter the password you created along with the local net user in the previous task. It

should be cisco.

Step 28 Confirm the password.

Step 29 Make sure the Include Windows Logon Domain with User Name is unchecked

because you do not use Windows credentials here, but a name created for this

WLAN.

Step 30 Click the Advanced button.

8/20/2019 Iuwne10 Lg v2



Step 31 Both the Server or Domain Name and Login Name fields should be empty.

Note VERY IMPORTANT: During Steps 32 to step 39, make sure NOT TO DISCONNECT from

the remote desktop connection to your remote wireless lab laptop. If you disconnect during

these steps, your remote wireless lab laptop may be blocked and not respond. You would be

unable to proceed with the rest of the labs. This issue is known and cannot be avoided as a

result of user action needed to confirm request for 2nd

attempt to download the final PAC file

used for authentication.

Step 32 Click OK to continue.

Step 33 Click OK to close the MSCHAP v2 User Name and Password Configuration

window.

Step 34 Click OK to close the Configure EAP FAST window.

Step 35 Click OK to close the Profile Configuration window.

Step 36 As soon as you click OK , the profile is activated, and a warning about the fact that

you did not receive any valid PAC appears. Click Yes to receive the PAC

automatically24. The process will take a few seconds, and then fail the first attempt.

Step 37 You should be prompted for a second attempt. Click Yes. If you are not prompted,

choose Action > Re-authenticate.

24 If you do not see this message, choose Action > Re-authenticate.

8/20/2019 Iuwne10 Lg v2



Step 38 Now that you have a valid PAC, the process should succeed.

Step 39 Verify from the current status window that you did receive an IP address.

Step 40 Click the Profile Management tab, choose EAP-FAST profile, and click Modify

to edit its settings.


Step 42 Click the Configure button.

8/20/2019 Iuwne10 Lg v2



Step 43 In Protected Access Credential, there is now a value, which is the PAC sent from

your controller.

Step 44 Click Manage to edit it.

Step 45 Click the + sign; at the left of Not Grouped, you should see your controller EAP

FAST Authority ID information and the PAC generated for your FastuserX.

Step 46 Close the manage PAC window, cancel the Configure EAP FAST window, and

cancel the configure Profile window or click OK.


Connections.

Step 48 Locate your wireless connection. It should be called Aironet 802.11a/b/g wireless

adapter.


8/20/2019 Iuwne10 Lg v2





You successfully associated to your EAP FAST WLAN.

8/20/2019 Iuwne10 Lg v2



Lab 5-1: Configuring Controllers and APs fromthe Cisco WCS


Activity Objective

In this activity, you will connect to the Cisco WCS and use it to manage your controller and

AP. After completing this activity, you will be able to meet these objectives:

Create credentials on the Cisco WCS and personalize the interface

Add a controller and AP to the Cisco WCS

Manage the controller and AP from the Cisco WCS

Visual Objective



Visual Objective for Lab 5-1: ConfiguringControllers and APs from the Cisco WCSInterface

Required Resources






In the remote lab, a Cisco 1252 LAP

8/20/2019 Iuwne10 Lg v2



In the remote lab, a Cisco WCS server

Job Aids



Lab table



Cisco WCS user Admin1 Admin2 Admin3 Admin4

Cisco WCS password Public1! Public1! Public1! Public1!

Controller IP address 10.10.1.10 10.20.1.10 10.30.1.10 10.40.1.10

AP new channel 40 44 48 52




Cisco WCS password Public1! Public1! Public1! Public1!



Task 1: Create Credentials on the Cisco WCS and Customize

the InterfaceIn this task, you will connect to the Cisco WCS and create the credentials you need.

Activity Procedure



Step 2 From your local classroom PC, open a secure web browser session to the address:

https://10.100.1.125.

Step 3 After a few seconds, a popup window appears informing you that the certificate isself-signed. Click OK to continue.

Step 4 You should see a login screen similar to this figure.

25 On this server, the default web server is used for a previous lab. Do make sure to use https, and not http.

8/20/2019 Iuwne10 Lg v2



Step 5 Connect using the credentials root for a username and Wlan2day for a password.

Step 6 If you log in successfully you should see a monitor screen similar to that shown

below. Take some time to look at what is displayed.

Step 7 You are logged in as root. You need to create your own account. In the upper menu,

click Administration, and choose AAA.

8/20/2019 Iuwne10 Lg v2



Step 8 Before creating a new user, you need to check the password policy on this Cisco

WCS instance. In the left-hand menu, click Local Password Policy.

Step 9 A new window appears, showing the local policy. This is where password

complexity level is defined. Take some time to examine the parameters, but do not

change them because they impact the whole Cisco WCS system.

Step 10 In the left menu, click Users.

Step 11 A new screen appears. In the upper-right drop-down list, choose Add User. Click

Go to continue.

Step 12 A new screen appears. In Username, enter AdminX, where X is your pod number.

8/20/2019 Iuwne10 Lg v2



Step 13 In New Password, enter Public1!. It conforms to the local policy password strength.

Step 14 Confirm the password.

Step 15 In Groups Assigned to This User, click Admin.

Step 16 Click Submit to validate.

Step 17 The message “User added successfully” should appear in the upper part of the

screen.

Step 18 Click Users in the left menu to verify.

Step 19 Your new user should appear in the list.

Step 20 In the upper-right menu, choose Logout. Log in again using your user credentials.

Step 21 Read the message.

8/20/2019 Iuwne10 Lg v2



Step 22 Cisco WCS allows each user to have a specific home page. As an administrator, youwant to optimize this welcome page (a newer feature staring in v4.2). As an example

for this lab, you do not need the Mesh tab, and would also like to monitor controllers

CPU and memory load. Click Edit Tabs in the upper-right corner.

Step 23 A new window appears. Click the Mesh name, and choose Delete. Notice at the

bottom that you can always reset to factory defaults from this page.

Step 24 Click Save.

Step 25 You are back to the Home screen, and the Mesh tab is removed. Click EditContents in the upper-right part of the screen.

8/20/2019 Iuwne10 Lg v2



Step 26 A new screen appears. In the upper part, choose General.

Step 27 In available content, click Controller CPU Utilization, and click Add to Left

Column.

Step 28 In available content, click Controller Memory Utilization, and click Add to Right

Column.

Step 29 Click Save.

Step 30 You are back to the WCS Home, and the General tab now also shows Controller

CPU and Memory values.



You are connected to the Cisco WCS with the user you created.

You have a personalized home page.

Task 2: Add a Controller and AP

In this task, you will add your controller and your AP to the Cisco WCS.


Step 1 To add your Controller to Cisco WCS you must click Configure.

8/20/2019 Iuwne10 Lg v2



Step 2 Click the Controllers option.

Step 3 Open the drop-down window on the right, choose the Add Controllers option, andthen choose GO.

Step 4 You will be prompted with a new screen where you will enter the IP address and net

mask of the Management interface on your WLAN controller. It should be in the

form 10.X0.1.10, where X is your pod number 26.

26 Notice the SNMP parameters part of the screen. Your controller will be discovered using SNMP, for which the read

and write community is defaulted to private on the controllers. In a production environment, you would change these

defaults, which present a high security risk, both on the WAC and on the controller, in Management > SNMP.

8/20/2019 Iuwne10 Lg v2



Step 5 Click OK to start the search.

Step 6 After a short search, you should get a message that your controller has been added to

Cisco WCS.

Step 7 Click the Home symbol in the upper-left part of the screen.

Step 8 Choose Monitor > Controllers.

Step 9 Click the IP address of your controller.

8/20/2019 Iuwne10 Lg v2



Step 10 A new window appears, showing your controller’s main monitor page, seen from the

Cisco WCS. You could configure your controller directly from here.

Step 11 Port No 1 is green. Click the green circle.

Step 12 You should see a new screen displaying the port statistics.

Step 13 Click WLAN on the left menu.

Step 14 A new page appears, showing the WLANs configured on the controller. You could

manage them directly from here.

Step 15 In the upper menu, click Monitor > Access Points.

8/20/2019 Iuwne10 Lg v2



Step 16 You should see your AP in the list. Its status should be green. Click its name.

Step 17 You can see your AP details. Take some time to examine its parameters.



You added your controller to the Cisco WCS.

You could monitor its parameters.

You could verify that your AP was brought along with it.

Task 3: Manage the Controller and AP from the Cisco WCS

In this task, you will configure your controller and AP from the Cisco WCS.

Activity Procedure


Step 1 From Cisco WCS, navigate to Configure, and choose Controllers. Notice that it is

also possible to choose Controller templates, to deploy a configuration parameter to

several controllers in one click. Do not choose that option; choose Controllers.

Step 2 In the list, click your controller IP address.

8/20/2019 Iuwne10 Lg v2



Step 3 In the new page, showing your controller properties, click the left WLANs, and the

subgroup WLANs.

Step 4 You see the list of all the WLANs you created before. You do not use the Roaming

profile anymore.

Step 5 Check the check box on its left to choose the Roaming profile, then in the upper

right menu, choose Delete WLANs in the pull-down options, and click GO.

Step 6 Read the popup warning message and click OK to confirm.

Step 7 The WLAN should be removed from the list.

Step 8 From the upper menu, choose Configure > Access Points. Notice that it is also possible to choose AP templates, to deploy a configuration parameter to several APs

in one click. Do not choose that option; choose Access Points.

Step 9 Click your AP name.

8/20/2019 Iuwne10 Lg v2



Step 10 A new screen appears with your AP parameters. Change its location to IUWNE-

Module 5.

Step 11 Verify that Override Global Username Password is checked. AP UserName

should be root and Public1! should be the password.

Step 12 Click Save to validate the new location.

Step 13 In the lower part of the screen, locate your 802.11a/n radio parameters. Click it to

edit its settings.

Step 14 A new window appears with your AP 802.11a parameters. In the RF channel

assignment, click Custom, and choose the channel for your pod. Refer to the

following table.





Step 15 In TX power Level assignment, click Custom, and choose 4 for the Channel power

value.

8/20/2019 Iuwne10 Lg v2



Step 16 Click Save to validate the changes.

Step 17 The values you chose should appear now, instead of the previous values.

Step 18 As in a previous lab, Click Global for both the RF Channel Assignment and TX

Power level Assignment without changing the values you chose.

Step 19 Click Save to validate.

Step 20 Verify the status of the WLAN change the same way you did before. Click

Configure > Controllers.

Step 21 Check the check box at the left of your controller IP address. In the upper-right

drop-down list, choose Audit Now. Click GO.

Step 22 After a few seconds, an audit report should appear, informing you that there is no

difference between the controller and the Cisco WCS configurations.

Step 23 To confirm, open a web session to your controller and navigate to WLAN. The

Roaming profile should have disappeared.

Step 24 Click Wireless. In the left menu, choose Radio > 802.11a/n radio. Verify that your

AP has the values transmitted by the Cisco WCS.



You could change controller AP parameter from the Cisco WCS.

You could audit for differences between the network devices configuration and the one

seen on the Cisco WCS.

You could verify that changes were propagated to the network devices.

8/20/2019 Iuwne10 Lg v2



Lab 5-2: Working with MapsComplete this lab activity to practice what you learned in the related module.

Activity Objective

In this activity, you will add a map to the Cisco WCS and position your AP on it. After

completing this activity, you will be able to meet these objectives: Add maps to the Cisco WCS

Enhance the map by adding walls

Position an AP on the map and manage it

Visual Objective



Visual Objective for Lab 5-2: Workingwith Maps

Required Resources








8/20/2019 Iuwne10 Lg v2



Job Aids


IP address for your pod

Lab table

Maps provided by your instructor



Campus name Campus1 Campus2 Campus3 Campus4

Building name Building1 Building2 Building3 Building4

Floor name Floor1 Floor2 Floor3 Floor4



Campus name Campus5 Campus6 Campus7 Campus8

Building name Building5 Building6 Building7 Building8

Floor name Floor5 Floor6 Floor7 Floor8

Task 1: Add Maps

In this task, you will check the map properties to ensure that they conform to the values you

will use in the later tasks. You will then add maps to the Cisco WCS.


Step 1 Navigate to Monitor > Maps.

Step 2 From the drop-down menu in the upper right part of the screen, under Select a

command, choose Properties, and click Go.

Step 3 In the Unit of dimension field, make sure that Meter is selected.

Note Even if you would prefer to work in feet and inches, do not change these parameters without

the agreement of your instructor because they globally affect the Cisco WCS and the other

pods.

Step 4 In the Refresh map from Network field, make sure that Enable is chosen.

Step 5 Leave the Wall Usage calibration field to its default Auto value.

Step 6 Leave the Advanced debug mode field to its default Disable value.

8/20/2019 Iuwne10 Lg v2



Note Choosing to refresh a map from the network affects the polling parameters of the system,

and may impact the performances of your system. This is a lab environment, but you may

want to consider this impact before enabling the feature in a production environment.

Step 7 Click OK to apply.

Step 8 From the drop-down menu in the upper right part of the screen, under Select a

command, choose New Campus, and click Go.

Step 9 In the Campus Name field, enter CampusX (X = pod number).

Step 10 In the Contact field, enter StudentX (X = pod number).

Step 11 Click Browse and navigate to the folder on your local classroom PC containing the

campus maps. Choose Campus-Bldg 14.jpg campus map.

Step 12 Click Next to continue.

Step 13 You need to specify the size of your campus. Verify that the Maintain aspect ratio

box is chosen, and enter the horizontal span of the map you imported: 387 m (1270

feet).

8/20/2019 Iuwne10 Lg v2



Step 14 Notice that as you change the horizontal span, the vertical span is dynamically

adjusted. Click OK to continue.

Step 15 You should now see your campus under the map list. Click its name (CampusX) to

see its details.

Step 16 In the upper-right drop-down list, choose New building. Click GO.

Step 17 In the Name fields, enter your Building name. It should be in the format BuildingX

(X = pod number).

Step 18 In the Contact field, enter your name. This building has 4 floors and 1 basement.

Adjust your respective fields accordingly.

Step 19 Your building horizontal position should be 140.5, and vertical position 15.6. Its

span should be 92 m wide (301 feet) and 54 m height (177 feet).

Step 20 Click Place to validate your building specifications, and then click Save.

Step 21 The square around your building should become green. Click the building name

(BuildingX) to edit its settings.

8/20/2019 Iuwne10 Lg v2



Step 22 A new screen appears. It is empty because there are no floors yet in this building. In

the upper-right drop-down list, choose New Floor Area. Click GO.

Step 23 In the Floor Area Name fields, enter your floor name FloorPodX (X = pod number).

Step 24 In the Contact field, enter your student name (StudentX).

Step 25 In the Floor drop-down list, choose 1.

Step 26 The type is Cubes and Walled Office.

Step 27 The floor height is 3.0 m.

Step 28 Click Browse and navigate to the folder on your local classroom PC containing the

maps. Choose West-Wing.png map.

Step 29 Click Next.

8/20/2019 Iuwne10 Lg v2



Step 30 Click OK to create the floor.

Step 31 You should see your map in colors.



You added a campus, a building, and a floor in this building.

Task 2: Enhance the Map

In this task, you will improve your map to input some wall information.

Activity Procedure


Step 1 In the upper-right drop-down window, choose Map Editor. Click Go.

8/20/2019 Iuwne10 Lg v2



Step 2 A new window appears with your floor map.

Step 3 The first element you need to work on is the map scale. A mistake was made while

entering the floor size, and the floor needs to be rescaled. For now the scale appears

to be close to 82m wide, which is the size of the whole building. The map you have

represents only part of this building, so the scale needs to be corrected. You know

that the Lab 151 room is 8m wide.

Step 4 In the toolbar, there is an icon that looks like a caliper. When moving your mouse

over it, a label shows Scale floor. Click it.

Step 5 Click the left wall (and hold click) and pull it to the right wall of the Lab 151 room,

and then release the click.

Step 6 A popup window appears asking the length of the line. As you enter a value, the

total new width of the map appears. Enter 8 m as the value of LAB 151 width, so

that the new total width of the map is close to 36m. Click OK to validate.

Step 7 Your floor is now properly rescaled.

Step 8 In this scenario, Lab 153 is the area to which you are asked to provide wirelesscoverage.

8/20/2019 Iuwne10 Lg v2



Step 9 You want to know the size of Lab 153 for your future reference. In the toolbar in the

upper left, there is an icon that looks like a ruler. Click it. Click the left wall of the

lab, then drag the mouse to the right wall (while holding the click) and release the

click. As you move the mouse, the distance appears in the upper-left corner under

“distance.” Repeat the same operation to obtain the vertical distance from Lab 153’s

lower wall to the lab door.

Step 10 Document the size of Lab 153:

Horizontal distance _____________Vertical distance:

_________________________

Step 11 It is time to give the Cisco WCS an awareness of the walls’ thicknesses. For now, on

this map, walls are just background lines. Under the Map Editor, you can tell the

Cisco WCS what kind of wall they actually are. Click the line icon in the upper-left

part of the screen. It is labeled Draw Obstacles.

Step 12 Click the arrow at the right of the blue rectangle (upper-left part of the screen).

8/20/2019 Iuwne10 Lg v2



Step 13 A new window appears where you can choose the type of wall you want to represent

in the pull-down options. Choose Thick Wall, and click Done. Notice the respective

change in approximate dB signal related to option.

Step 14 The mouse becomes a cross. The external walls are thick walls. Place the mouse at

the upper-right corner of the building, beyond the meeting room, and click the first

time. Move the mouse down following the wall. Click a second time to define this

next corner of the building and continue on the right. Carry on drawing the external

wall until you reach the bottom-left end of the building; press Escape to interrupt

the wall. You now have a thick wall obstacle (13 dB).

8/20/2019 Iuwne10 Lg v2



Step 15 In the obstacle menu, choose a light wall obstacle (2 dB). Draw the interior walls

around Lab 151, Lab 152, Lab 153 and the storages rooms in the upper-left part of

Lab 15327. Do not go over the doors.

Step 16 In the obstacle menu, choose a light door obstacle, and draw the doors of the

different rooms around the lab. You can use the zoom option to make sure that the

walls are in contact, and that there is not a one-dot-wide opening between an

obstacle and the next one where there is continuity.

Step 17 Once the obstacles are there, click Command > Save.

Step 18 Click Command > Exit.

Step 19 Read the warning about unsaved changes. Since you just saved, you can safely click

OK to continue and exit.



You could resize the map to match the actual area size.

You could draw walls around the area you want to cover.

Task 3: Positioning APs

In this task, you will add your AP to the map and monitor its heat map coverage.

Activity Procedure


Step 1 Make sure you are on your Floor map area.

27 The main area of coverage is Lab 153, but the signal will obviously spread through the thin walls, and you need to

know the actual area of coverage.

8/20/2019 Iuwne10 Lg v2



Step 2 In the upper-right drop-down menu, click Add Access Points. Click Go to continue.

Step 3 A new window appears, showing the list of the available APs. Click yours. Click

OK to continue.

Step 4 Choose your AP from the list.

Step 5 Position your AP exactly in the center of the grid in the middle of the lab. Position is

25 horizontal, 15 vertical.

8/20/2019 Iuwne10 Lg v2



Step 6 In the left menu, verify or choose your antenna. The 802.11a/n radio is using the

AIR-ANT5135D-R antenna. It is pointing towards the Lab door (270 degrees). It isalso slightly pointing downwards (10 degrees).

Step 7 In the upper part, your AP height is 2.95m from the floor. Click Save to validateyour AP position.

8/20/2019 Iuwne10 Lg v2



Step 8 The map is refreshed, taking your AP into consideration. The heat map does not

show because the view is by default on the 802.11b/g/n radio.

Step 9 Click Layers.

Step 10 Click the arrow at the right end of Access point. A new window appears.

Step 11 In Protocol, choose 802.11a/n.

Step 12 In Display, choose channels.

8/20/2019 Iuwne10 Lg v2



Step 13 In RSSI Cutoff, choose the recommended -65 dBm.

Step 14 Click OK to validate.

Step 15 Click Save Settings to make this view your default.

Step 16 Close the Layer menu.

Step 17 Position your mouse over your AP. A new menu shows with your AP

characteristics. Document your AP channel: _________________

8/20/2019 Iuwne10 Lg v2



Step 18 Click AP Info. Document your AP uptime : _____________________________

Step 19 Document the LWAPP uptime28: :________________________________________

Step 20 Click 802.11 b/g/n/ radio. Verify that the radio is not seen at present.

Step 21 Click 802.11a/n. In the window, click View Rx Neighbors. Document the first two

neighbors you see:

Neighbor 1 Name:______________________________RSSI__________________

Neighbor 1 Name:______________________________RSSI__________________

Step 22 Close the RX neighbor window.

Step 23 The AP is placed incorrectly. It is actually exactly over the “Lab” word on the map.

From the upper-right drop-down list, choose Position APs.

Step 24 Click OK to continue.

Step 25 Click your AP and move it to position it over the LAB word.

Step 26 Click Save to validate the changes.

28 The difference between the AP uptime and the LWAPP uptime is the time it took for your AP to join the controller.

8/20/2019 Iuwne10 Lg v2



Step 27 You want to verify the coverage pattern of your AP. In the upper right drop-down

list, choose Recompute RF Prediction. Notice the other available options.

Step 28 Click Go.

Step 29 The map refreshes with the latest values.



You have successfully added your AP.

You see its heat map.

8/20/2019 Iuwne10 Lg v2



Lab 5-3: Monitoring the Network and ContainingDevices


Activity Objective

In this activity, you will use the Cisco WCS tools to manage alarms and locate devices. After

completing this activity, you will be able to meet these objectives:

Use the Cisco WCS to monitor events

Use the Cisco WCS to located devices

Use the Cisco WCS to contain a rogue

Visual Objective



Visual Objective for Lab 5-3: Monitoringthe Network and Containing Devices

Required Resources


A PC with connectivity to the remote lab

In the remote lab, connectivity to a controller using the web interface

An LWAPP AP

A remote lab wireless laptop

Connectivity to the Cisco WCS

8/20/2019 Iuwne10 Lg v2



Job Aids



Task 1: Monitoring Events

In this task, you will connect to the Cisco WCS and check the event dashboard. You will learn

to use the events, and to create reports.

Activity Procedure



Step 2 Verify that you are still connected to the Cisco WCS, having a secure web browser

session to the address: https://10.100.1.129.

Step 3 Navigate to the Home page.

Step 4 At the bottom-left of the page, locate the dashboard called Alarm Summary.

Step 5 There should be some Malicious AP messages. Click the number you see for

Malicious AP messages. If there are no reported malicious AP messages, click

Monitor Security. Version 5.0 of Cisco WLC and Cisco WCS changed prior

version default displays of too many rogue APs. Display is now dependant on rules-

based rogue classification in both Cisco WLC and Cisco WCS starting in version

5.0.

29 Use https, secure http, and not http.

8/20/2019 Iuwne10 Lg v2



Step 6 Click the number under Total Active in the Unclassified Rogue Access Points Alert

line.

Step 7 The yellow messages represent the APs not known by each controller. This means

that controller 2106-1 can report as rogue the AP on controller 2106-3, because

these two controllers are not in the same mobility group. Controllers will not report

APs seen on other controllers in the same mobility group, but will report any otherAP. This is why you may see APs from other pods, reported by your controller as

rogue, or APs from your pod, reported as rogue by the controllers outside your

mobility group.

Step 8 Look at the alarms. All states should be set to Alert.

Step 9 Click one of the APs MAC addresses.

Step 10 A new screen appears, with detailed information about the alarm.

8/20/2019 Iuwne10 Lg v2



Step 11 If the rogue is on the same channel as one of your APs, you should see the rogue

channel information. If the rogue is on another channel, it may be flagged as

unknown because your AP may only hear a distant signal without being sure of the

channel. Look at the time and date the alarm was created. This was the first time the

rogue was detected on your network.

Step 12 Annotations show that the alarm was acknowledged.

Step 13 Document when this alarm was created, which is when your AP detected it for the

first time:

____________________________________________________________________

Step 14 You want to know which AP detected this rogue. From the upper right drop-down

window, choose detecting APs. Click GO.

Step 15 A new screen appears, giving you details about the AP or APs detecting it.

Step 16 You want to know if this rogue has affected your AP performances. From the upper

menu, choose Reports > Performance Report.

Step 17 In the upper-right drop-down window choose New. Click Go.

Step 18 In Report title, enter a report name. It should be in the form PerformanceX, where

X is your pod number.

Step 19 Leave Report by to AP by controller.

8/20/2019 Iuwne10 Lg v2



Step 20 In Controller, choose your controller.

Step 21 Leave Access point to All Access Points.

Step 22 In Protocol, check the 802.11a/n check box.

Step 23 For Reporting period, choose the last four days.

Step 24 Click Run Now.

Step 25 A new screen appears, showing a graphical representation of the Performance, called

Counters.

Step 26 Browse down to the FCS Error Rate report. Try to see if the rogue AP detection date

and time seen at Step 11 match with a change in the reported FCS rate.

Step 27 You also want to know how many rogue APs your controller has reported since the

beginning of the class. In Reports, choose Security Report.

Step 28 A new screen appears. In the left menu, choose Rogue APs Events.

Step 29 From the upper right drop-down menu, choose New. Click Go.

8/20/2019 Iuwne10 Lg v2



Step 30 In report title, enter the report name. It should be in the format RogueX, where X is

your pod number.

Step 31 In Report By, keep AP By Controller.

Step 32 In Controller, choose your controller’s IP address.

Step 33 Leave Access Point to All Access Points.

Step 34 Leave Classification type to All Types.

Step 35 For reporting Period, choose the last 4 days.

Step 36 Click Run Now.

8/20/2019 Iuwne10 Lg v2



Step 37 The report shows which rogues where detected and when. Most of them were

probably reported when you first configured your controller or a few seconds later.

Count how many rogues were detected:

___________________________________________________________________

Step 38 Among them, how many do not belong to the IUWNE lab?

___________________________________________________________________

Step 39 In the upper left, click the Home icon to go back to the main page.



You detected rogues from the dashboard.

You could run some reports and analyze the rogue message.

Task 2: Contain a Rogue

In this task, you will try to contain a rogue device.

Activity Procedure


Step 1 Reopen the remote desktop connection to your remote lab wireless laptop.


Connections.

Step 3 Locate your wireless connection. It should be called Cisco Aironet 802.11a/b/g

wireless adapter.


8/20/2019 Iuwne10 Lg v2



Step 5 Right-click your Cisco ASTU (The Aironet System Tray Utility, which is the green

icon on the system tray) icon and choose Open Aironet Desktop Utility.

Step 6 Click the Profile Management tab. Click the EAP-FAST profile. You should get

connected to the network.

Step 7 Open a command prompt. Click Start > All Programs > Accessories > Command

Prompt.

Step 8 You want to ping your controller continuously, but want to make sure that you are

using the wireless link and not the wired link.

Step 9 In the command prompt, check your IP address. Enter ipconfig.

Step 10 You will se the IP address of your Cisco WLAN adapter. Enter a static route using

this IP address to reach your controller virtual gateway IP address. Enter route add

1.1.1.1 mask 255.255.255.255 followed by your Cisco WLAN card IP address.

For example: route add 1.1.1.1 mask 255.255.255.255 10.10.1.28.

Step 11 Ping your controller continuously. Enter ping –t followed by your controller virtual

gateway IP address: ping –t 1.1.1.1.

8/20/2019 Iuwne10 Lg v2



Step 12 The ping should be successful.

Step 13 Reduce the remote desktop window, but do not close it.

Step 14 Reopen the Cisco WCS browser window.

Step 15 Choose Monitor > Security.

Step 16 Click Unclassified Rogue APs in Alert state.

Step 17 You will see all the detected rogues. Because some controllers are in different

mobility groups, they report the others as rogues. In the list your AP with its WLAN

should also be seen as rogue. To understand what containment does, you will try to

treat it as a rogue and contain it.

Step 18 Click the rogue MAC address that matches your WLAN, IUWNE-FASTX, where Xis your pod number.

8/20/2019 Iuwne10 Lg v2



Step 19 In a real network, you would not contain your own APs. However. In this case,

suppose that a valid client of yours has connected by mistake to this rogue AP. To

contain it, from the upper drop-down window, choose 1 AP Containment30.

Step 20 Click GO.

Step 21 Read the warning. In a real network, you want to make absolutely sure that you are

containing a real rogue in your network before containing an AP. Disconnecting

valid clients from neighbor networks is usually forbidden.

Step 22 A new status screen appears, showing that the rogue AP is contained.

30A rogue AP is reported here and you decide to contain it. To contain it implies that disassociation messages will besent to this AP client. In other words, Cisco WCS will ask the other APs around this one to spoof this AP’s MAC

address, and send disassociation messages. This implies that you actually use the other group’s AP to contain your

rogue. You do not need more than one AP in this case, because all the APs and clients are in short range from each

other.

8/20/2019 Iuwne10 Lg v2



Step 23 To see the effect of this containment, reopen the remote desktop connection to your


Step 24 The ping should fail most of the time. This connection has become unusable. In a

real network, using more than one AP to contain the rogue, all the pings would

probably fail. In a lab environment, because all APs are busy containing the others,the connection is simply heavily disturbed.

Step 25 You suddenly realize that the “rogue” is actually one of your APs. Reopen the Cisco

WCS web browser interface.

Step 26 From the same rogue AP window, choose Set state to “Friendly internal” from the

upper-right menu. Click Go to confirm. This will stop the containment, and tell

Cisco WCS that this AP is one of the controllers’ APs.

8/20/2019 Iuwne10 Lg v2



Step 27 The AP status changes to Know AP.

Step 28 Reopen the connection to your remote lab wireless laptop.

Step 29 The ping should now be successful. The ping packets should be more consistent

with response times and without multiple drops.

Step 30 Close the command prompt window. Closing the window also interrupts the ping

process.


Connections.

Step 32 Locate your wireless connection. It should be called Aironet 802.11a/b/g wireless

adapter.


8/20/2019 Iuwne10 Lg v2



Step 34 Close all the open windows.

Step 35 Close the remote desktop connection.

Step 36 Close the Cisco WCS web interface.



You could identify a rogue AP and contain it.

8/20/2019 Iuwne10 Lg v2



Lab 6-1: Back Up the Controller Configurationand the Cisco WCS Database Files


Activity Objective

In this activity, you will perform maintenance tasks to protect your network against failures.

After completing this activity, you will be able to meet these objectives:

Use the command line to save your controller configuration files and manipulate them

Use a TFTP server to save your controller configuration files and manipulate them

Visual Objective



Visual Objective for Lab 6-1: Backing Upthe Controller Configuration and theCisco WCS Database Files

Required Resources







In the remote lab, a remote lab wireless laptop with TFTP server

8/20/2019 Iuwne10 Lg v2



Command List


Display Controller Configuration and State Commands

Command Description

show run-config Displays the controller internal parameters

show running-config Displays the controller configuration

Task 1: Examine Controller Configuration Files

In this task, you will examine two controller configuration files and save one of the two

configuration files. You will then check to see if the file can be reinjected to your controller.

Activity Procedure





Note In each pod, only one connection to the remote lab wireless laptop is possible at a time.


8/20/2019 Iuwne10 Lg v2





number.

Step 4 In the remote desktop connection pop-up window, in the computer field, enter the IP

address of your remote lab wireless laptop, and click Connect.


credentials required to access your remote lab wireless laptop. Enter your credentials

to your remote lab wireless laptop. They should be in the format studentX for theusername and cisco as the password, where X is your pod number.



Step 7 Open a Telnet session to your controller. From your remote lab wireless laptop,

choose Start > All Programs > Accessories > Command Prompt.

Step 8 Enter telnet followed by the Management IP address of your Cisco 2106 controller.

It should be in the form telnet 10.X0.1.10, where X is your pod number.

Step 9 Enter your administrative user credentials. Username should be adminX, where X is

your pod number, and password cisco.

Step 10 At the command prompt, enter show run-config (note, not the same as “ show

running-config”).

8/20/2019 Iuwne10 Lg v2



Step 11 The show run-config command gives extensive information about your AP

configuration. Try to locate in the first pages the burned-in MAC address of yourcontroller (in the Inventory section, at the beginning of the first page), and document

it here:

_________________________________________________________________

Step 12 Further on, verify if your controller supports Management via wireless, that is

allows wireless users to connect to the controller for management purposes:

_______

8/20/2019 Iuwne10 Lg v2



Step 13 Browse down to your AP configuration section.

Step 14 Document your AP serial number: ________________________________

8/20/2019 Iuwne10 Lg v2



Step 15 Document your AP BSSID:______________________________________

8/20/2019 Iuwne10 Lg v2



Step 16 Document your AP transmit power: _______________________________

Step 17 Browse through the rest of the configuration file.

Step 18 The configuration file displayed by show run-config command gives you extensive

information about your controller parameters, but is not replicable as a configuration

file to another controller. It is used for analysis purposes only. There is another

command, which gives information about the controller configuration in command

mode, just like a router or a switch. It is the show running-config command. Try it;

from the command prompt, enter show running-config31.

Step 19 A list of parameters appears on the command line. This is a configuration file closer

to the one you see on routers and switches, and that can be captured and saved.

31 Notice the difference between the two commands: show run-config and show running-config.

8/20/2019 Iuwne10 Lg v2



Capture the information. In the configuration file, try to locate the Virtual interface

address. This information should be about four pages down in sequence.

Step 20 From the command line window, right-click the blue bar on top of the window, and

choose Edit. In the submenu, choose Mark .

Step 21 Choose the line describing your virtual interface in the screen. It should be

highlighted as you choose it.

8/20/2019 Iuwne10 Lg v2



Step 22 While still having the text highlighted, right-click the blue bar, choose Edit, and

choose Copy.

Step 23 Still from the remote lab wireless laptop, open the notepad. Click Start > All

Programs > Accessories > Notepad.

Step 24 Right-click inside the Notepad page, and choose Paste.

Step 25 The copied line appears into Notepad.

Step 26 You want to verify if this configuration file can be injected to a controller. Change

the Virtual interface address in the notepad file from 1.1.1.1 to 1.1.1.2.

Step 27 Select the whole note pad file; choose Edit > Select All.

Step 28 Choose Edit > Copy

Step 29 Move back to your controller command prompt. At the prompt, enter config.

Step 30 The prompt changes to config.

8/20/2019 Iuwne10 Lg v2



Step 31 Right-click the blue bar, choose Edit > Paste. This will paste the line copied from

Notepad back into the controller. You may see a message informing you that the

system needs to be restarted. Do not restart.

Step 32 Still from your remote lab wireless laptop, open a secured web browser session to

your controller. Its IP address should be in the form 10.X0.1.10, where X is your

pod number.

Step 33 From the controller web interface, navigate to Controller.

Step 34 Click Interfaces on the left.

Step 35 Your virtual IP address is now 1.1.1.2. This shows that the configuration captured

from the show running-config command can be used to duplicate the configuration

to another controller, and can also be modified.

Step 36 Click Save Configuration to copy to the changes to the NVRAM.

Step 37 Close Notepad, leave the command prompt and web interface open.



You could capture the configuration file from the command prompt, modify it and reinject

it back to the controller

Task 2: Save the Configuration Using TFTP

The previous method is not very convenient and is error prone for complete configuration due

to cut and paste methods. However, the prior process of cut and paste does have limited value

during limited changes or when direct serial connection is the only possible communication. In

this task, you will save the configuration file using TFTP and examine it using an XML editor.


Step 1 From the remote lab wireless laptop, reduce the web interface and the command

prompt to access to your desktop.

8/20/2019 Iuwne10 Lg v2



Step 2 Locate the tftpd32 icon. Double click it to start the program.

Step 3 In the Current directory, browse to choose the Desktop.

Step 4 In Server interface, choose your wireless (not wired) connection IP address.

Document this IP address here:

_______________________________________________________________

Step 5 In the remote laptop task bar, click the web browser to go back to the Controller

interface.

Step 6 Click Save Configuration once again to be sure that the configuration is saved to

NVRAM.

Step 7 Navigate to Controller. Choose Interfaces in the left menu.

Step 8 Click your virtual gateway IP address interface.

Step 9 Its current value is 1.1.1.2, and this is the value saved in NVRAM. Change the value

to 1.1.1.3. Click Apply to validate the change.

Step 10 Read the warning about “Please reset the system for the change to take effect.”

Click OK to continue, however, do NOT reset the system.

8/20/2019 Iuwne10 Lg v2



Step 11 Do not click Save configuration. The value in NVRAM is 1.1.1.2, and the value in

RAM is 1.1.1.3.

Step 12 Navigate to Commands.

Step 13 In the left menu, choose Upload File.

Step 14 In File Type, choose Configuration (versus Code).

Step 15 Do not enable file encryption32.

Step 16 In TFTP server IP address, enter your remote lab wireless laptop wireless (not

wired) interface IP address, documented in Step 4. Again, make sure that you use

the wireless interface, not the wired interface IP address.

Step 17 In File path, enter / which is the root directory of the TFTP server, which is your

desktop.

Step 18 In Filename, enter 2106-XConfig.txt, where X is your pod number.

Step 19 Click Upload.

Step 20 Read the warning about the file encryption, and click OK to continue.

Step 21 Look at the web interface. The process is said to be started, but then fails.

Step 22 The reason for this failure is that by default, management from wireless machines is

forbidden for security reasons. You could enable Management from Wireless in the

Management main menu, which would allow you to connect to your wireless

controller from a wireless machine; however, you would still not have the right to

upload and download controller configuration files via wireless. Only direct wired

Ethernet controller management would be allowed for transfer of configuration,

controller software, and so on.

Step 23 In the TFTP server window, choose your wired interface. It should be in the form


32 File Encryption encrypts the file before downloading it. Although this feature increases the file protection, you will

need to examine the downloaded file. It has to be unencrypted to be readable.

8/20/2019 Iuwne10 Lg v2



Step 24 From your controller web interface, change the TFTP server IP address to the new

address.

Step 25 Try again to upload the configuration file from the controller to the TFTP server.

Step 26 The process should be successful.

Step 27 Reduce the web browser window. The configuration should be on your desktop. As

it is a .txt file, Notepad would be used to open it by default, but WordPad would

actually be better to read it. Right-click your file, and choose Open with, and then

choose WordPad.

Step 28 The file is an XML file. You can see tags marking areas zones. The great advantage

of XML is that it is a universal language, and the file could be used in many

applications.

Step 29 Click Edit > Find.

Step 30 In find what, enter 1.1.1.3. Click Find Next. The value cannot be found.

8/20/2019 Iuwne10 Lg v2



Step 31 Click Edit > Find Again, and enter this time 1.1.1.2. The value is found. This

means that the file sent when uploading the configuration file is the file in NVRAM,

not the file in RAM. A good practice is to always click Save Configuration before

saving a file to avoid differences between the controller actual configuration and the

saved file.

Step 32 In the Find dialog box, enter Checksum.

Step 33 Click Find Next. You will find several checksum areas. XML files are not normal

text files. If you were to edit this file with Notepad or WordPad and inject it back tothe controller, the process would work, but the controller would reboot and fail on

the checksum verification for this file. The result would be that the controller could

not use this file and would revert back to the initial setup wizard.

Step 34 Click Cancel to close the find dialog box.

Step 35 Click File > Exit. If the program asks if you want to save any change, answer No.

Step 36 You will now use an XML editor to look at the file. In your remote lab wireless

laptop, locate a yellow circle icon on your desktop called Cooktop. Double-click it

to start the program.

Step 37 Cooktop is an XML file free editor. It can change the file content just like a text

editor, but it will also recompute the checksums to make that the file is not corrupted

when reinjected. Click File > Open File.

8/20/2019 Iuwne10 Lg v2



Step 38 In Look In, choose Desktop. Verify that you are using All Files *.* versus thedefault of All Cooktop Files for the file name extensions.

Step 39 Choose the controller configuration file (2106-XConfig.txt, where X is your pod

number), and click OK .

Step 40 Look at the configuration file, but do not change any value.

Step 41 In the XML menu, choose Validate.

Step 42 The system will validate the document and recompute the XML checksums.

Step 43Click File Save.

Step 44 Exit the program

Step 45 You will try to reinject the modified configuration file to the controller. Reopen the

web browser window to your controller.

Step 46 Navigate to Commands. You should choose Download file (versus prior Upload).

8/20/2019 Iuwne10 Lg v2



Step 47 In File Type, choose Configuration (versus Code).

Step 48 Leave the Configuration File Encryption Key field empty.

Step 49 In the TFTP server section of the page, in the IP Address field, enter your remote lab

wireless laptop wired (not wireless) interface IP address. It should be in the form


Step 50 Leave the maximum retries and timeout to their default values.

Step 51 Enter / in the File path field.

Step 52 In File Name, enter the configuration file name saved on your desktop.

Step 53 Click Download.

Step 54 Read the warning about the key, and click OK to continue.

Step 55 The download should be successful; your controller should store the downloaded

file to flash and reboot to take it into consideration.

Step 56 Wait about a minute for your controller to reboot, and verify that you can

successfully log back into the controller, and that the configuration reinjection was

taken into consideration.

Step 57 Close the browser to your controller.

Step 58 Close the command prompt in your remote laptop. Close the remote desktop

session.



You have saved your configuration file to a TFTP server and could reinject it back to the

controller.

8/20/2019 Iuwne10 Lg v2



Lab 6-2: TroubleshootingComplete this lab activity to practice what you learned in the related module.

Activity Objective

In this activity, you will troubleshoot controller and client misconfigurations. Your instructor

will introduce issues on your controller, and you will have to find them. After completing thisactivity, you will be able to meet these objectives:

Troubleshoot your controller for issues related to the controller itself

Troubleshoot your controller for issues related to the APs

Troubleshoot your controller for issues related to client access

Visual Objective



Visual Objective for Lab 6-2:Troubleshooting

Required Resources







8/20/2019 Iuwne10 Lg v2




In the remote lab, a remote lab wireless laptop

Command List


Debug LWAPP Commands

Command Description

debug lwapp errors enable Reports LWAPP errors seen on the controller to theconsole

debug lwapp events enable Reports LWAPP events to the console

Job Aids


Initial lab table

8/20/2019 Iuwne10 Lg v2






10.10.1.240 10.20.1.240 10.30.1.240 10.40.1.240



Remote lab wireless

laptop password


Controller name 2106-1 2106-2 2106-3 2106-4





10.10.1.10 10.20.1.10 10.30.1.10 10.40.1.10


255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0

Default router 10.10.1.254 10.20.1.254 10.30.1.254 10.40.1.254




10.10.1.10 10.20.1.10 10.30.1.10 10.40.1.10



10.10.1.10 10.20.1.10 10.30.1.10 10.40.1.10


1.1.1.1 1.1.1.1 1.1.1.1 1.1.1.1



No No No No



Yes Yes Yes Yes




yes yes yes yes





DHCP end address 10.10.1.25 10.20.1.25 10.30.1.25 10.40.1.25

DHCP Network 10.10.1.0 10.20.1.0 10.30.1.0 10.40.1.0

8/20/2019 Iuwne10 Lg v2




DHCP Netmask 255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0

DHCP lease time 14400 14400 14400 14400


DHCP DNS server 10.100.1.1 10.100.1.1 10.100.1.1 10.100.1.1



VLAN 90 ID 90 90 90 90

VLAN 90 IP 172.16.90.10 172.16.90.20 172.16.90.30 172.16.90.40

VLAN90 netmask 255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0

VLAN 90 gateway 172.16.90.253 172.16.90.253 172.16.90.253 172.16.90.253

VLAN 90 port 1 1 1 1

VLAN 90 DHCP server 172.16.90.253 172.16.90.253 172.16.90.253 172.16.90.253




Switch password cisco Cisco Cisco Cisco




Local Net user name Webuser1 Webuser2 Webuser3 Webuser4

Local net password Cisco Cisco Cisco Cisco


Cisco WCS password Cisco Cisco Cisco Cisco






10.50.1.240 10.60.1.240 10.70.1.240 10.80.1.240

Remote lab wirelesslaptop login student5 student6 student7 student8

Remote lab wirelesslaptop password


Controller name 2106-5 2106-6 2106-7 2106-8




8/20/2019 Iuwne10 Lg v2





10.50.1.10 10.60.1.10 10.70.1.10 10.80.1.10


255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0

Default router 10.50.1.254 10.60.1.254 10.70.1.254 10.80.1.254




10.50.1.10 10.60.1.10 10.70.1.10 10.80.1.10

AP manager IPaddress

10.50.1.11 10.60.1.11 10.70.1.11 10.80.1.11


10.50.1.10 10.60.1.10 10.70.1.10 10.80.1.10


1.1.1.1 1.1.1.1 1.1.1.1 1.1.1.1



No No No No



Yes Yes Yes Yes




yes yes yes yes





DHCP end address 10.50.1.25 10.60.1.25 10.70.1.25 10.80.1.25

DHCP Network 10.50.1.0 10.60.1.0 10.70.1.0 10.80.1.0

DHCP Netmask 255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0

DHCP lease time 14400 14400 14400 14400


DHCP DNS server 10.100.1.1 10.100.1.1 10.100.1.1 10.100.1.1



VLAN 90 ID 90 90 90 90

VLAN 90 IP 172.16.90.50 172.16.90.60 172.16.90.80 172.16.90.90

VLAN90 netmask 255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0

8/20/2019 Iuwne10 Lg v2




VLAN 90 gateway 172.16.90.253 172.16.90.253 172.16.90.253 172.16.90.253

VLAN 90 port 1 1 1 1

VLAN 90 DHCP server 172.16.90.253 172.16.90.253 172.16.90.253 172.16.90.253








Local Net user name Webuser5 Webuser6 Webuser7 Webuser8

Local net password Cisco Cisco Cisco Cisco


Cisco WCS password Cisco Cisco Cisco CiscoController IP address 10.50.1.10 10.60.1.10 10.70.1.10 10.80.1.10


8/20/2019 Iuwne10 Lg v2



Lab 6-3: Optional LabTroubleshooting with Wireshark and Convertingan AP to Autonomous Mode


Activity Objective

In this activity, you will use the Wireshark software to troubleshoot connection issues. Your

instructor will introduce issues to your configuration, and you will have to find them. You will

then convert your Cisco 1252 AP back to autonomous mode. After completing this activity,

you will be able to meet these objectives:

Use Wireshark to troubleshoot a connection

Convert an LWAPP AP to standalone mode

Visual Objective



Visual Objective for Lab 6-3: OptionalLab

Required Resources






8/20/2019 Iuwne10 Lg v2


8/20/2019 Iuwne10 Lg v2


8/20/2019 Iuwne10 Lg v2


8/20/2019 Iuwne10 Lg v2


8/20/2019 Iuwne10 Lg v2


8/20/2019 Iuwne10 Lg v2



Step 16 In Profile Name, enter Webauth.

Step 17 Leave the Client name to its default.

Step 18 In the SSID1 field, enter the name of the web authentication SSID on your 526

controller. It should be in the form IUWNE-WebX, where X is your pod number.


Step 20 Check that security is set to None, because this WLAN uses open authentication.

Step 21 Click the Advanced tab.

8/20/2019 Iuwne10 Lg v2



Step 22 Because the WLAN is on the b/g network, uncheck 5 GHz 54 Mbps. Leave the

other parameters to their default values.

Step 23 Click OK to validate your profile.

Step 24 Do not associate to it yet. Click the Diagnostic tab, and click Adapter information.

Step 25 Document your Cisco card MAC address:

__________________________________________________________________

Step 26 Close the adaptor information window.

Step 27 Start Wireshark. Click Start > All Programs > Wireshark > Wireshark .

8/20/2019 Iuwne10 Lg v2



Step 28 Choose the right interface to capture from. You will use the Airpcap passive

interface. In Wireshark, click Capture and choose Interfaces.

Step 29 In the interfaces list, you see Airpcap USB wireless capture adapter. Click Options

at the right end of the Airpcap USB wireless capture adapter line.

Step 30 A new window appears. Make sure that Capture in promiscuous mode is checked.

Step 31 Click Wireless settings.

Step 32 In Channel, choose the channel used by your authentication WLAN documented at

Step 13.

Step 33 Make sure that capture type is set to 802.11 + Radio. Click OK to validate.

8/20/2019 Iuwne10 Lg v2


8/20/2019 Iuwne10 Lg v2


8/20/2019 Iuwne10 Lg v2



Step 34 You want to filter the capture to only display frames coming from and to your Cisco

WLAN adapter. In the capture filter field, enter ether host followed by the MACaddress of your Cisco WLAN card documented in step 25 of the previous task. For

example: ether host 00:0b:85:72:17:10

Step 35 Go back to the Cisco ADU, and double click the Webauth profile to associate to the

WLAN.

Step 36 The association should be successful.

Step 37 Try to open the web authentication page via the example URL test.example.com.

The page cannot be found.

Step 38 Go back to Wireshark. Stop the capture.

Step 39 Use the capture to try to understand what went wrong. Keep in mind that each frame

should be acknowledged, that your client is very close to the AP and should get agood speed. Also keep in mind that the connection process for a web authenticated

WLAN is authentication request, authentication response, association request,

association response, DHCP exchange, and then Web authentication.



You found the issue and could correct it.

8/20/2019 Iuwne10 Lg v2



Task 2: Migrate Your LWAPP 1252 AP to Autonomous Mode

In this task, you will learn how to migrate your LWAPP AP back to standalone mode. To do it,

you will need to have a TFTP server running on your remote lab wireless laptop with the

correct image. You will then configure the AP from the controller CLI to reboot and download

the image.

Activity Procedure


Step 1 Make sure that you have a VPN tunnel to the remote lab.






lab wireless laptop. It should be in the format 10.X0.1.240, where X is your podnumber.

8/20/2019 Iuwne10 Lg v2



Step 4 In the Remote Desktop Connection pop-up window, in the Computer field, enter the

IP address of your remote lab wireless laptop, and click Connect.




wireless laptop. They should be in the format studentX and cisco, where X is your

pod number.



Step 7 Locate on your Desktop a folder called IOS-TO-LWAPP. If you cannot locate it,

check with your instructor. Also locate the tftpd32 program.

Step 8 Open the IOS-to-LWAPP folder, and make sure it contains the “c1250-k9w7-

tar.default” image file. This is the file that the AP will be looking for: it contains a

default Cisco IOS image for the Cisco 1252 platform. If the file is not there, ask

your instructor. Otherwise, close the folder.

8/20/2019 Iuwne10 Lg v2



Step 9 Double-click the tftpd32 icon to launch the program.

Step 10 Click the browse button on the right side of the Current directory line in the tftpd32

application, navigate to your desktop, and choose the IOS-TO-LWAPP folder.

Step 11 In the server interface drop-down list, make sure to choose 10.X0.1.240, where X is

your pod number.

Step 12 Your TFTP server is ready to send the right image for the Cisco 1252 AP. Keep the

remote desktop session in the background.

8/20/2019 Iuwne10 Lg v2



Step 13 Open a CLI session to your Cisco 2106 controller: still from your remote wireless

laptop, choose Start > Programs > Accessories > Command Prompt.

Step 14 Enter telnet followed by the IP address of your controller Service Interface IP

address. It should be in the format telnet 10.X0.1.10, where X is your pod number.

Step 15 Enter your administrative user credentials. Username should be adminX, where X is

your pod number, and password cisco.

Step 16 You should get the (Cisco Controller)> prompt.

Step 17 Enter show ap summary to verify that your AP is here.

Step 18 You should see your AP name.

Step 19 Enter the following command: config ap tftp-downgrade 10.X0.1.240 c1250-

k9w7-tar.default 1252-X where X is your pod number. The “1252-X” is the AP

name given earlier in the lab exercises.

Step 20 This command does not generate any prompt on the controller. Navigate back to

your remote lab wireless laptop PC, and check if the TFTP server is providing the

image to the rebooting AP.

8/20/2019 Iuwne10 Lg v2



Step 21 If the TFTP server is not providing the image, wait a few minutes, go back to your

controller and restart from Step 19.

Step 22 While the image is being provided to your AP, connect to the terminal server. From

your class PC, choose Start > Programs > Accessories > Command Prompt.





8/20/2019 Iuwne10 Lg v2




is your pod number.


Take some time to familiarize yourself with the different options provided.

Step 27 You now need to connect to the 1252 AP, Item 4.

Step 28 You should be able to follow your AP download process, and see the AP reboot,

using the new image. While the AP boots, you should be able to see at different

steps that it is using the c1250-k9w7 image, which is the default autonomous image.

Step 29 Once this process completes, you should be able to access to the AP CLI. You may

have to press Enter to activate the CLI.

8/20/2019 Iuwne10 Lg v2



Step 30 Enter enable to access privileged mode. The password is Cisco (with Capital C).

Step 31 Enter show ip interface brief to check the ip addresses present on the AP.

Step 32 You should see that the IP address is assigned to the BVI interface, which is an

indication that the AP is back to standalone mode. All the usual IOS commands,

such as configure terminal, are available. Do not configure this AP further.



Your LWAPP based 1252 AP is back to standalone mode.

8/20/2019 Iuwne10 Lg v2



Answer KeyThe correct answers and expected solutions for the activities that are described in this guide

appear here.

Lab 1-1 Answer Key: Power Conversions

When you complete this activity, you will get answers similar to the results here:

Task 1

Q1) 13 dBm

Q2) 16 dBm

Q3) 33 dBm

Q4) 200 mW

Q5) 0.05 mW

Q6) The station receives -60 dBm and the noise level is -66 dBm. The SNR is (-66 – (-60)) 6 dBm. This level is

not an acceptable SNR level. It is far too weak.

Q7) dBi = dBd + 2.14, and dBd = dBi - 2.14. 7.24 dBi = 7.24 - 2.14 = 5.1 dBi.

Q8) 11.44 dBi

Q9) dBi = dBd + 2.14, and dBd = dBi - 2.14. 13.56 dBd = 13.56 + 2.14 = 15.7 dBd.

Q10) 21 dBi

Q11) 18.86 dBd

Q12) 2.14 dBi = 0 dBd. 3.28 dBd = 5.42 dBi. 3.28 dBd is far more powerful than 2.14 dBi. The difference is

3.28 dB (dBi or dBd), more than twice the power.

Q13) 3.41 dBi = 2.55 dBd. dBm cannot be converted to dBi or dBd. dBm expresses a power with the milliwatt

as a reference, whereas dBd and dBi compare powers with antenna references. If the second value had

been 4.18 dBd, the comparison would have been possible: 4.18 dBd = 6.32 dBi, which is 2.91 dB

difference (dBi or dBd), almost twice the power.

Task 2

Q1) A 21 dBi dish antenna would be best.

Q2) An 8.1 dBi patch antenna would be best.

Q3) A 5.2 dBi omnidirectional antenna would be best.

Q4) EIRP = Tx (dBm) – cable loss + antenna gain. 40 mW is 16 dBm.

EIRP = 16 – 3 + 13.5 = 26.5 dBm.

Q5) 20 mW is 13 dBm. 20 feet of cable incurs a 1 dB loss.

EIRP = 13 – 1 + 5.2 = 17.2 dBm.

Q6) 100 mW is 20 dBm.

EIRP = 20 + 8.5 = 28.5 dBm.

Q7) EIRP = Tx (dBm) – cable loss + antenna gain.

Here: 20 = Tx – 3 + 3. Tx should be 20 dBm, or 100 mW.

Q8) EIRP = Tx (dBm) – cable loss + antenna gain.

Here: 17 = Tx – 9 -0.5 + 13.5. Tx should be 13 dBm or 20 mW.

8/20/2019 Iuwne10 Lg v2



Q9) EIRP = Tx (dBm) – cable loss + antenna gain. 40 mW is 16 dBm.

Here: 17 = 16 - cable loss + 5.2. Cable loss should be 4.2 dB. 2.8 dB per 100 feet implies the need to use

150 feet of cable.

Task 3

Step 2) dual patch antenna

Step 3) a large hall or warehouse

Step 4) a pillar (with each patch on one side)

Step 6) directional antenna

Step 7) point-to-point long-range link

Step 8) a rooftop

Step 10) omnidirectional antenna

Step 11) open space or meeting room coverage

Step 12) ceiling

Lab 1-2 Answer Key: Creating an Ad Hoc Network (IBSS) and

Analyzing the CommunicationWhen you complete this activity, you will get similar results to the ones displayed here:

Task 4

Step 43 The most common frame is the beacon, which is sent 10 times per seconds.

Step 44 You should see data packets such as the pings.

Step 45 The frequency depend on the group.

Step 46 The data was sent at 1 Mb/s.

Step 47 100 ms.

Step 48 1, 2, 5.5 and 11 Mb/s.

Step 49 802.11b.

Step 50 IBSSID

Step 51 Yes, the Intel 4965AGN supports WMM.

Step 52 Data frames are sent at the optimum speed from the sender perspective and ACKs

are sent at the mandatory speed immediately below the speed used for the data

frame.

Lab 2-1 Answer Key: Configuring a Cisco 2106 WLC

When you complete this activity, you will get a similar configuration to the one displayed here:

Show running-config802.11a cac voice tspec-inactivity-timeout ignore802.11a cac video tspec-inactivity-timeout ignore802.11a cac voice stream-size 84000 max-streams 2802.11b cac voice tspec-inactivity-timeout ignore802.11b cac video tspec-inactivity-timeout ignore

8/20/2019 Iuwne10 Lg v2



802.11b cac voice stream-size 84000 max-streams 2aaa auth mgmt local radiuslocation rssi-half-life tags 0location rssi-half-life client 0location rssi-half-life rogue-aps 0location expiry tags 5location expiry client 5location expiry calibrating-client 5location expiry rogue-aps 5ap syslog host global 255.255.255.255dhcp create-scope pod1-1

dhcp address-pool pod1-1 10.10.1.21 10.10.1.26dhcp default-router pod1-1 10.10.1.254dhcp enable pod1-1dhcp dns-servers pod1-1 10.100.1.1dhcp netbios-name-server pod1-1 10.100.1.1dhcp network pod1-1 10.10.1.0 255.255.255.0interface address ap-manager 10.10.1.11 255.255.255.0 10.10.1.254interface address management 10.10.1.10 255.255.255.0 10.10.1.254interface address virtual 1.1.1.1interface dhcp ap-manager primary 10.10.1.10interface dhcp management primary 10.10.1.10interface port ap-manager 1interface port management 1load-balancing window 5logging buffered 6

logging syslog host 0.0.0.0mesh security eapmgmtuser add admin1 **** read-writemobility group domain Pod1mobility dscp value for inter-controller mobility packets 0network telnet enablenetwork otap-mode disablenetwork rf-network-name Pod1radius fallback-test mode offradius fallback-test username cisco-proberadius fallback-test interval 300sessions timeout 0snmp version v2c enablesnmp version v3 enablesysname 2106-1

wlan create 1 IUWNE-1 IUWNE-1wlan radio 2 802.11awlan session-timeout 1 disablewlan session-timeout 2 1800wlan wmm allow 1wlan wmm allow 2wlan security wpa disable 1wlan radius_server acct disable 2wlan security static-wep-key encryption 1 104 <mode unknown> <passwd hidden> 1wlan security static-wep-key encryption 2 104 <mode unknown> <passwd hidden>1wlan security wpa akm ft reassociation-time 20 1wlan security wpa akm ft over-the-air enable 1wlan security wpa akm ft over-the-ds enable 1wlan security wpa akm ft reassociation-time 20 2

wlan security wpa akm ft over-the-air enable 2wlan security wpa akm ft over-the-ds enable 2wlan security wpa wpa1 enable 2wlan security wpa wpa1 ciphers tkip enable 2wlan security wpa wpa2 disable 2wlan enable 2

8/20/2019 Iuwne10 Lg v2



Lab 2-2 Answer Key: Configuring and Migrating a StandaloneAP


(Cisco Controller) >show ap summaryNumber of APs.................................... 1Global AP User Name.............................. Not Configured AP Name Slots AP Model Ethernet MAC LocationPort Country

------------------ ----- ------------------- ----------------- ---------------- ---- -------1252-1 2 AIR-LAP1252AG-A-K9 00:1d:45:91:37:10 IUWNEModule 5 1 US(Cisco Controller) >show ap config general 1252-1

Cisco AP Identifier.............................. 2Cisco AP Name.................................... 1252-1Country code..................................... US - United StatesRegulatory Domain allowed by Country............. 802.11bg:-AB 802.11a:-AB AP Country code.................................. US - United States AP Regulatory Domain............................. 802.11a:-ASwitch Port Number .............................. 1MAC Address...................................... 00:1d:45:91:37:10IP Address Configuration......................... DHCP

IP Address....................................... 10.10.1.22IP NetMask....................................... 255.255.255.0Gateway IP Addr.................................. 10.10.1.254Telnet State..................................... DisabledSsh State........................................ DisabledCisco AP Location................................ IUWNE LabCisco AP Group Name.............................. nonePrimary Cisco Switch Name........................ 2601-1Primary Cisco Switch IP Address.................. Not ConfiguredSecondary Cisco Switch Name......................Secondary Cisco Switch IP Address................ Not ConfiguredTertiary Cisco Switch Name.......................Tertiary Cisco Switch IP Address................. Not Configured Administrative State ............................ ADMIN_ENABLEDOperation State ................................. REGISTERED

Mirroring Mode .................................. Disabled AP Mode ......................................... LocalPublic Safety ................................... Global: Disabled, Local:DisabledRemote AP Debug ................................. DisabledS/W Version .................................... 5.0.148.0Boot Version ................................... 12.4.10.0Mini IOS Version ................................ 3.0.51.0Stats Reporting Period .......................... 180LED State........................................ EnabledPoE Pre-Standard Switch.......................... EnabledPoE Power Injector MAC Addr...................... DisabledNumber Of Slots.................................. 2 AP Model......................................... AIR-LAP1252AG-A-K9IOS Version...................................... 12.4(13d)JA

Reset Button..................................... Enabled AP Serial Number................................. FTX1201906W AP Certificate Type.............................. Manufacture InstalledManagement Frame Protection Validation........... Enabled (Global MFPDisabled) AP User Mode..................................... Not Configured AP User Name..................................... Not ConfiguredCisco AP system logging host..................... 255.255.255.255 AP Up Time....................................... 0 days, 05 h 33 m 30 s AP LWAPP Up Time................................. 0 days, 05 h 32 m 29 sJoin Date and Time............................... Sat Feb 16 00:24:51 2008

8/20/2019 Iuwne10 Lg v2



Join Taken Time.................................. 0 days, 00 h 01 m 00 sEthernet Port Duplex............................. AutoEthernet Port Speed.............................. Auto

Lab 2-3 Answer Key: Installing and Configuring a CiscoMobility Express Wireless Controller and AP


Task 1:(Cisco Controller) >show running-config802.11a cac voice tspec-inactivity-timeout ignore802.11a cac voice stream-size 84000 max-streams 2802.11b cac voice tspec-inactivity-timeout ignore802.11b cac voice stream-size 84000 max-streams 2advanced location expiry tags 1200advanced location expiry client 150advanced location expiry calibrating-client 30advanced location expiry rogue-aps 1200interface address ap-manager 10.10.1.101 255.255.255.0 10.10.1.254interface address management 10.10.1.100 255.255.255.0 10.10.1.254interface address virtual 1.1.1.1interface dhcp ap-manager primary 255.255.255.255interface dhcp management primary 255.255.255.255

interface port ap-manager 1interface port management 1logging buffered 1mesh security eapmgmtuser add admin1 **** read-writemobility group domain Pod1msglog level criticalnetwork telnet enablenetwork rf-network-name Pod1sysname 526-1wlan create 1 IUWNE-102 IUWNE-102wlan security wpa disable 1wlan security wpa disable 2wlan dhcp_server 1 10.10.1.11 required802.11a disable network

wlan enable 2

Task 3

On the switch:Show running-config… output omitted …Ip dhcp excluded-address 10.10.1.1 10.10.1.30Ip dhcp excluded-address 10.10.1.36 10.10.1.255Ip dhcp pool Pod1Network 10.10.1.0 255.255.255.0Default-router 10.10.1.254Lease 0 4Dns-server 10.100.1.1… output omitted…

Lab 3-1 Answer Key: Installing and Using the Cisco ADU

There is no answer key for this lab.

8/20/2019 Iuwne10 Lg v2



Lab 3-2 Answer Key: Experimenting with Connections andRoaming


Show running-config802.11a cac voice tspec-inactivity-timeout ignore802.11a cac video tspec-inactivity-timeout ignore802.11a cac voice stream-size 84000 max-streams 2

802.11b cac voice tspec-inactivity-timeout ignore802.11b cac video tspec-inactivity-timeout ignore802.11b cac voice stream-size 84000 max-streams 2aaa auth mgmt local radiusLocation Summary Algorithm used: AverageClient

RSSI expiry timeout: 5 secHalf life: 0 secNotify Threshold: 0 db

Calibrating ClientRSSI expiry timeout: 5 secHalf life: 0 sec

Rogue APRSSI expiry timeout: 5 sec

Half life: 0 secNotify Threshold: 0 db

RFID TagRSSI expiry timeout: 5 secHalf life: 0 secNotify Threshold: 0 db

location rssi-half-life tags 0location rssi-half-life client 0location rssi-half-life rogue-aps 0location expiry tags 5location expiry client 5location expiry calibrating-client 5location expiry rogue-aps 5ap syslog host global 255.255.255.255dhcp create-scope Scope1-1

dhcp address-pool Scope1-1 10.10.1.21 10.10.1.25dhcp default-router Scope1-1 10.10.1.254dhcp enable Scope1-1dhcp dns-servers Scope1-1 10.100.1.1dhcp lease Scope1-1 14400dhcp netbios-name-server Scope1-1 10.100.1.1dhcp network Scope1-1 10.10.1.0 255.255.255.0local-auth method fast server-key 736563726574interface address ap-manager 10.10.1.11 255.255.255.0 10.10.1.254interface address management 10.10.1.10 255.255.255.0 10.10.1.254interface address virtual 1.1.1.1interface dhcp ap-manager primary 10.10.1.10interface dhcp management primary 10.10.1.10interface port ap-manager 1interface port management 1

load-balancing window 5mesh security eapmgmtuser add admin1 **** read-writemobility group domain Pod12mobility group member add 00:1e:13:50:a6:60 10.20.1.10mobility dscp value for inter-controller mobility packets 0network webmode enablenetwork telnet enablenetwork mgmt-via-dynamic-interface enablenetwork otap-mode disablenetwork rf-network-name Pod12radius fallback-test mode off

8/20/2019 Iuwne10 Lg v2



radius fallback-test username cisco-proberadius fallback-test interval 300snmp version v2c enablesnmp version v3 enablesysname 2106-1wlan create 1 IUWNE-1 IUWNE-1wlan create 2 Roaming IUWNE-ROAM1wlan session-timeout 1 1800wlan session-timeout 2 1800wlan wmm allow 1wlan wmm allow 2

wlan security wpa disable 1wlan security wpa disable 2wlan security wpa akm ft reassociation-time 20 1wlan security wpa akm ft over-the-air enable 1wlan security wpa akm ft over-the-ds enable 1wlan security wpa akm ft reassociation-time 20 2wlan security wpa akm ft over-the-air enable 2wlan security wpa akm ft over-the-ds enable 2wlan enable 2

Lab 4-1 Answer Key: 802.1Q and Web Authentication


(Cisco Controller) >show running-config

802.11a cac voice tspec-inactivity-timeout ignore802.11a cac voice stream-size 84000 max-streams 2802.11b cac voice tspec-inactivity-timeout ignore802.11b cac voice stream-size 84000 max-streams 2advanced location expiry tags 1200advanced location expiry client 150advanced location expiry calibrating-client 30advanced location expiry rogue-aps 1200interface create vlan90 90interface address ap-manager 10.10.1.101 255.255.255.0 10.10.1.254interface address management 10.10.1.100 255.255.255.0 10.10.1.254interface address virtual 1.1.1.1interface address dynamic-interface vlan90 90.90.90.10 255.255.255.090.90.90.253interface dhcp ap-manager primary 255.255.255.255

interface dhcp management primary 255.255.255.255interface dhcp dynamic-interface vlan90 primary 90.90.90.254interface vlan vlan90 90interface port ap-manager 1interface port management 1interface port vlan90 1logging buffered 1mesh security eapmgmtuser add admin1 **** read-writemobility group domain Pod12msglog level criticalnetuser add webuser1 cisco 2 userType permanent description User for the Webbased WLANnetuser wlan-id webuser1 2network telnet enable

network rf-network-name Pod12sysname 526-1wlan create 1 IUWNE-102 IUWNE-102wlan create 2 Web_Authentication IUWNE-Web1wlan interface 2 vlan90wlan security wpa disable 1wlan security wpa disable 2wlan dhcp_server 1 10.10.1.11 required802.11a disable networkwlan enable 2

On the switch:

8/20/2019 Iuwne10 Lg v2



Show running-config interface g0/3Switchport trunk encapsulation dot1qSwitchport mode trunkSwitchport trunk native vlan 10

Lab 4-2 Answer Key: Configuring EAP-FAST Authenticationwith WPA


Show running-config802.11a cac voice tspec-inactivity-timeout ignore802.11a cac video tspec-inactivity-timeout ignore802.11a cac voice stream-size 84000 max-streams 2802.11b cac voice tspec-inactivity-timeout ignore802.11b cac video tspec-inactivity-timeout ignore802.11b cac voice stream-size 84000 max-streams 2aaa auth mgmt local radiuslocation rssi-half-life tags 0location rssi-half-life client 0location rssi-half-life rogue-aps 0location expiry tags 5location expiry client 5location expiry calibrating-client 5location expiry rogue-aps 5

ap syslog host global 255.255.255.255dhcp create-scope Pod1dhcp address-pool Pod110.10.1.21 10.10.1.26dhcp default-router Pod110.10.1.254dhcp enable Pod1dhcp dns-servers Pod110.100.1.1dhcp netbios-name-server Pod110.100.1.1dhcp network Pod110.10.1.0 255.255.255.0local-auth eap-profile add EAP-FAST1local-auth eap-profile cert-issuer cisco EAP-FAST1local-auth eap-profile method add fast EAP-FAST1local-auth user-credentials ldaplocal-auth method fast server-key 736563726574local-auth eap-profile cert-verify ca-issuer disable EAP-FAST1interface address ap-manager 10.10.1.11 255.255.255.0 10.10.1.254

interface address management 10.10.1.10 255.255.255.0 10.10.1.254interface address virtual 1.1.1.1interface dhcp ap-manager primary 10.10.1.10interface dhcp management primary 10.10.1.10interface port ap-manager 1interface port management 1ldap retransmit-timeout 1 30load-balancing window 5logging buffered 6logging syslog host 0.0.0.0mesh security eapmgmtuser add admin1 **** read-writemobility group domain Group1mobility dscp value for inter-controller mobility packets 0netuser add Fastuser1 **** wlan 2 userType permanent description

netuser wlan-id fastuser1 2network telnet enablenetwork otap-mode disablenetwork rf-network-name Pod1radius fallback-test mode offradius fallback-test username cisco-proberadius fallback-test interval 300sessions timeout 0snmp version v2c enablesnmp version v3 enablesysname 2106-1wlan create 1 IUWNE-1 IUWNE-1

8/20/2019 Iuwne10 Lg v2



wlan create 2 EAP_FAST IUWNE-FAST1wlan local-auth enable EAP-FAST1 2wlan radio 2 802.11awlan session-timeout 1 disablewlan session-timeout 2 1800wlan wmm allow 1wlan wmm allow 2wlan security wpa disable 1wlan radius_server acct disable 2wlan ldap add 2 1wlan security static-wep-key encryption 1 104 <mode unknown> <passwd hidden>

1wlan security static-wep-key encryption 2 104 <mode unknown> <passwd hidden>1wlan security wpa akm ft reassociation-time 20 1wlan security wpa akm ft over-the-air enable 1wlan security wpa akm ft over-the-ds enable 1wlan security wpa akm ft reassociation-time 20 2wlan security wpa akm ft over-the-air enable 2wlan security wpa akm ft over-the-ds enable 2wlan security wpa wpa1 enable 2wlan security wpa wpa1 ciphers tkip enable 2wlan security wpa wpa2 disable 2wlan enable 2

Lab 5-1 Answer Key: Configuring Controllers and APs from theCisco WCS Interface

When you complete this activity, will get similar results to the one displayed here:

Task 2

Step 18: You should see the class main switch; the port depends on the group.

Lab 5-2 Answer Key: Working with Maps

When you complete this activity, you will get similar results to the one displayed here:

Task 2:

Step 9: The lab is about 10 m wide and 11 m high in its longer dimension.

Lab 5-3 Answer Key: Monitoring the Network and ContainingDevices

There is no answer key for this lab.

8/20/2019 Iuwne10 Lg v2



Lab 6-1 Answer Key: Backing Up Controller Configuration andthe Cisco WCS Database Files

When you complete this activity, will get similar results to those displayed here:

Show running-configShow running-config802.11a cac voice tspec-inactivity-timeout ignore802.11a cac video tspec-inactivity-timeout ignore

802.11a cac voice stream-size 84000 max-streams 2802.11b cac voice tspec-inactivity-timeout ignore802.11b cac video tspec-inactivity-timeout ignore802.11b cac voice stream-size 84000 max-streams 2aaa auth mgmt local radiuslocation rssi-half-life tags 0location rssi-half-life client 0location rssi-half-life rogue-aps 0location expiry tags 5location expiry client 5location expiry calibrating-client 5location expiry rogue-aps 5ap syslog host global 255.255.255.255dhcp create-scope Pod1dhcp address-pool Pod110.10.1.21 10.10.1.26

dhcp default-router Pod110.10.1.254dhcp enable Pod1dhcp dns-servers Pod110.100.1.1dhcp netbios-name-server Pod110.100.1.1dhcp network Pod110.10.1.0 255.255.255.0local-auth eap-profile add EAP-FAST1local-auth eap-profile cert-issuer cisco EAP-FAST1local-auth eap-profile method add fast EAP-FAST1local-auth user-credentials ldaplocal-auth method fast server-key 736563726574local-auth eap-profile cert-verify ca-issuer disable EAP-FAST1interface address ap-manager 10.10.1.11 255.255.255.0 10.10.1.254interface address management 10.10.1.10 255.255.255.0 10.10.1.254interface address virtual 1.1.1.1interface dhcp ap-manager primary 10.10.1.10interface dhcp management primary 10.10.1.10interface port ap-manager 1interface port management 1ldap retransmit-timeout 1 30load-balancing window 5logging buffered 6logging syslog host 0.0.0.0mesh security eapmgmtuser add admin1 **** read-writemobility group domain Pod1mobility dscp value for inter-controller mobility packets 0netuser add Fastuser1 **** wlan 2 userType permanent descriptionnetuser wlan-id Fastuser1 2network telnet enablenetwork otap-mode disablenetwork rf-network-name Pod1

radius fallback-test mode offradius fallback-test username cisco-proberadius fallback-test interval 300sessions timeout 0snmp version v2c enablesnmp version v3 enablesysname 2106-1wlan create 1 IUWNE-1 IUWNE-1wlan create 2 EAP_FAST IUWNE-FAST1wlan local-auth enable EAP-FAST1 2wlan radio 2 802.11awlan session-timeout 1 disable

8/20/2019 Iuwne10 Lg v2



wlan session-timeout 2 1800wlan wmm allow 1wlan wmm allow 2wlan security wpa disable 1wlan radius_server acct disable 2wlan ldap add 2 1wlan security static-wep-key encryption 1 104 <mode unknown> <passwdhidden> 1wlan security static-wep-key encryption 2 104 <mode unknown> <passwdhidden> 1wlan security wpa akm ft reassociation-time 20 1

wlan security wpa akm ft over-the-air enable 1wlan security wpa akm ft over-the-ds enable 1wlan security wpa akm ft reassociation-time 20 2wlan security wpa akm ft over-the-air enable 2wlan security wpa akm ft over-the-ds enable 2wlan security wpa wpa1 enable 2wlan security wpa wpa1 ciphers tkip enable 2wlan security wpa wpa2 disable 2wlan enable 2

Controller XML version:

<XML_config_variables><XML_config_variables-aaaLocalEapCfg.xml-7741ad65>

<LocalAuth-EAP-Configuration><DataBaseName>Local EAP Database</DataBaseName>

<method><fast>

<serverKeyEnc><iv>02a73af1a97673be3790122d2ecacec1</iv><mac>a6aa51e29b7c2485d490570211a7cb6f7c28a4ae</mac>

<passwd>01179a42d90d1bd06a1e7caa18fee13a00000000000000000000000000000000</passwd>

</serverKeyEnc></fast>

</method><EAP-Profiles index="0">

<active>ENABLE</active><profileName>prfMaP1500LlEAuth93</profileName><profileHandle>195437080</profileHandle>

<certIssuer>legacy</certIssuer><Enable-Disable-flags>-123</Enable-Disable-flags><methodParams><localCertRequired>Required</localCertRequired><clientCertRequired>Required</clientCertRequired>

</methodParams><methods index="0">

<methodType>43</methodType><methodName>fast</methodName>

</methods><data>195437180</data>

</EAP-Profiles></LocalAuth-EAP-Configuration><XML_crc_file_size>1023</XML_crc_file_size><XML__CRC__CHECKSUM>3969282295</XML__CRC__CHECKSUM>

</XML_config_variables-aaaLocalEapCfg.xml-7741ad65><XML_config_variables-aaaapiFileDbCfgData.xml-ba700b76><User-Access-Configuration>

<numItems>1</numItems><length>223424</length><maxItems>512</maxItems><numOfRWUsers>1</numOfRWUsers><userDatabase index="0" arraySize="512">

<userName>admin1</userName><serviceType>6</serviceType><passwordStore>

<ps_type>PS_STATIC_AES128CBC_SHA1</ps_type><iv>d988dbd8ca6ed6d3b885885adca8474f</iv>

8/20/2019 Iuwne10 Lg v2



<mac>c52df09a410ea11f3a0ebae6b5d188aaf258726f</mac><max_passwd_len>50</max_passwd_len><passwd_len>64</passwd_len>

<passwd>3f33b257d1d5bf8f73f7f88a4b27113b4620283bd06892b0bb45e84dabbdbb874c95fa1a6d252523aa776805b8080259756658316f5623cd4d44e57c35e972250000</passwd>

</passwordStore></userDatabase>

</User-Access-Configuration><XML_crc_file_size>782</XML_crc_file_size><XML__CRC__CHECKSUM>3297450704</XML__CRC__CHECKSUM>

</XML_config_variables-aaaapiFileDbCfgData.xml-ba700b76><XML_config_variables-apfCfgData.xml-82be6d39><APCommon-Configuration>

<ConfigIsComplete>0</ConfigIsComplete><NumOfWLANs>2</NumOfWLANs><WirelessLANData index="1">

<ProfileName>IUWNE-1</ProfileName><ProfileNameLen>7</ProfileNameLen><Identifier>1</Identifier><Status>ENABLED</Status><BroadcastSSIDEnabled>1</BroadcastSSIDEnabled><CcxAironetIeSupportEnabled>1</CcxAironetIeSupportEnabled><Security>

<SecurityType>16384</SecurityType><wepPolicy>

<configData><Dot11Encryption>WEP104</Dot11Encryption><KeyIndex>1</KeyIndex>

</configData></wepPolicy><dot1xPolicy>

<configData><AuthTimeout>1800</AuthTimeout>

</configData></dot1xPolicy><wifiPolicy>

<configData><mcastCipher>4</mcastCipher>

<rsnIeData>30160100000fac040100000fac040100000fac012800000000000000000000000000000000000000000000000000000000000000000000000000000000000000</rsnIeData>

<rsnIeLen>24</rsnIeLen>

<warpIeData>dd0a00c0b90100000008010100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000</warpIeData>

<warpIeLen>12</warpIeLen></configData>

</wifiPolicy><ipsecPolicy>

<configData><IpsecIkePhase1Mode>MAIN</IpsecIkePhase1Mode>

</configData></ipsecPolicy><VlanLocalAddress>10.10.1.10</VlanLocalAddress><VlanLocalNetmask>255.255.255.0</VlanLocalNetmask><GWAddress>10.10.1.254</GWAddress>

<BlacklistTimeout>60</BlacklistTimeout><InterfaceName>management</InterfaceName><WmePolicy>ALLOWED</WmePolicy>

</Security><Ssid>IUWNE-1</Ssid><apfVapSsidLen>7</apfVapSsidLen>

</WirelessLANData><Dot11BConfig>

<Dot11bBand><Dot11NumberOfChannels>11</Dot11NumberOfChannels>

<Dot11MaximumTransmitPowerLevel>27</Dot11MaximumTransmitPowerLevel>

8/20/2019 Iuwne10 Lg v2



<Dot11MaxAntennaGainAllowed>6</Dot11MaxAntennaGainAllowed></Dot11bBand><Dot11gSupported>Supported</Dot11gSupported>

</Dot11BConfig><Dot11AConfig>

<Dot11aBand index="0"><Dot11FirstChannelNumber>36</Dot11FirstChannelNumber><Dot11NumberOfChannels>4</Dot11NumberOfChannels>

<Dot11MaximumTransmitPowerLevel>17</Dot11MaximumTransmitPowerLevel><Dot11FirstDCAChannelNumber>36</Dot11FirstDCAChannelNumber><Dot11MaxAntennaGainAllowed>6</Dot11MaxAntennaGainAllowed>

</Dot11aBand><Dot11aBand index="1"><Dot11BandState>1</Dot11BandState><RequiresRadar>1</RequiresRadar><Dot11FirstChannelNumber>52</Dot11FirstChannelNumber><Dot11ChannelSpacing>4</Dot11ChannelSpacing><Dot11NumberOfChannels>4</Dot11NumberOfChannels>

<Dot11MaximumTransmitPowerLevel>23</Dot11MaximumTransmitPowerLevel><Dot11FirstDCAChannelNumber>52</Dot11FirstDCAChannelNumber><Dot11DCAChannelSpacing>4</Dot11DCAChannelSpacing><Dot11DCANumberOfChanels>4</Dot11DCANumberOfChanels><Dot11MaxAntennaGainAllowed>6</Dot11MaxAntennaGainAllowed>

</Dot11aBand><Dot11aBand index="2">

<Dot11BandState>1</Dot11BandState>

<RequiresRadar>1</RequiresRadar><Dot11FirstChannelNumber>100</Dot11FirstChannelNumber><Dot11ChannelSpacing>4</Dot11ChannelSpacing><Dot11NumberOfChannels>5</Dot11NumberOfChannels>



<Dot11BandState>1</Dot11BandState><RequiresRadar>1</RequiresRadar><Dot11FirstChannelNumber>132</Dot11FirstChannelNumber><Dot11ChannelSpacing>4</Dot11ChannelSpacing><Dot11NumberOfChannels>3</Dot11NumberOfChannels>



<Dot11BandState>1</Dot11BandState><Dot11FirstChannelNumber>149</Dot11FirstChannelNumber><Dot11ChannelSpacing>4</Dot11ChannelSpacing><Dot11NumberOfChannels>5</Dot11NumberOfChannels>

<Dot11MaximumTransmitPowerLevel>30</Dot11MaximumTransmitPowerLevel><Dot11FirstDCAChannelNumber>149</Dot11FirstDCAChannelNumber><Dot11DCAChannelSpacing>4</Dot11DCAChannelSpacing><Dot11DCANumberOfChanels>4</Dot11DCANumberOfChanels>

<Dot11MaxAntennaGainAllowed>6</Dot11MaxAntennaGainAllowed></Dot11aBand><Dot11aBand index="5">

<Dot11BandState>1</Dot11BandState><Dot11FirstChannelNumber>190</Dot11FirstChannelNumber><Dot11ChannelSpacing>6</Dot11ChannelSpacing><Dot11NumberOfChannels>2</Dot11NumberOfChannels>

<Dot11MaximumTransmitPowerLevel>20</Dot11MaximumTransmitPowerLevel><Dot11MaxAntennaGainAllowed>17</Dot11MaxAntennaGainAllowed>

</Dot11aBand><Dot11aDefaultCfg>

<defaultChan>36</defaultChan>

8/20/2019 Iuwne10 Lg v2



</Dot11aDefaultCfg></Dot11AConfig><Dot11CountryCode>US</Dot11CountryCode><networkName>Group1</networkName><Dot11MultiCountryCode index="0">US</Dot11MultiCountryCode>

</APCommon-Configuration><XML_crc_file_size>5811</XML_crc_file_size><XML__CRC__CHECKSUM>3881916614</XML__CRC__CHECKSUM>

</XML_config_variables-apfCfgData.xml-82be6d39><XML_config_variables-apfRogueData.xml-114ab423>

<RogueAP-Configuration>

<RogueList index="0"><level>1</level></RogueList>

</RogueAP-Configuration><XML_crc_file_size>142</XML_crc_file_size><XML__CRC__CHECKSUM>1488059387</XML__CRC__CHECKSUM>

</XML_config_variables-apfRogueData.xml-114ab423><XML_config_variables-cliWebCfgData.xml-a3523f1a>

<XML_crc_file_size>22</XML_crc_file_size><XML__CRC__CHECKSUM>1389374175</XML__CRC__CHECKSUM>

</XML_config_variables-cliWebCfgData.xml-a3523f1a><XML_config_variables-dhcpCfgData.xml-92584a2f>

<DHCP-Configuration><scopes index="0">

<scopeName>Scope 1-1</scopeName>

<DHCPEnabled>ENABLED</DHCPEnabled><leaseTime>14400</leaseTime><poolStart>21.1.10.10</poolStart><poolEnd>29.1.10.10</poolEnd><poolLastAllocated>25.1.10.10</poolLastAllocated><defaultRoute index="0">254.1.10.10</defaultRoute><network>0.1.10.10</network><netmask>0.255.255.255</netmask><dnsServer index="0">1.1.100.10</dnsServer><wins index="0">1.1.100.10</wins>

</scopes></DHCP-Configuration><XML_crc_file_size>575</XML_crc_file_size><XML__CRC__CHECKSUM>393978620</XML__CRC__CHECKSUM>

</XML_config_variables-dhcpCfgData.xml-92584a2f><XML_config_variables-dot1qCfg.xml-3cf45304>


</XML_config_variables-dot1qCfg.xml-3cf45304><XML_config_variables-ldapCfgData.xml-1778a2ce>

<LDAP-Configuration><LDAP-Database-Name>LDAP Database</LDAP-Database-Name>

</LDAP-Configuration><XML_crc_file_size>129</XML_crc_file_size><XML__CRC__CHECKSUM>3519211832</XML__CRC__CHECKSUM>

</XML_config_variables-ldapCfgData.xml-1778a2ce><XML_config_variables-logCfgData.xml-3d9622e2>


</XML_config_variables-logCfgData.xml-3d9622e2><XML_config_variables-meshFileCfg.xml-436a659c>

<MESH-Configuration><cfg>

<isChanged>1</isChanged><profileName>prfMaP1500LlEAuth93</profileName>

</cfg></MESH-Configuration><XML_crc_file_size>175</XML_crc_file_size><XML__CRC__CHECKSUM>3717743609</XML__CRC__CHECKSUM>

</XML_config_variables-meshFileCfg.xml-436a659c><XML_config_variables-mmCfgData.xml-2a91608>

<Mobility-Manager-Configuration><group>Group1</group>

8/20/2019 Iuwne10 Lg v2



</Mobility-Manager-Configuration><XML_crc_file_size>120</XML_crc_file_size><XML__CRC__CHECKSUM>2303725361</XML__CRC__CHECKSUM>

</XML_config_variables-mmCfgData.xml-2a91608><XML_config_variables-nimSlot0.xml-bcd6b57f>


</XML_config_variables-nimSlot0.xml-bcd6b57f><XML_config_variables-policyCfgData.xml-40f47081>


</XML_config_variables-policyCfgData.xml-40f47081><XML_config_variables-rrmCfgData.xml-89a365cb><RadioResourceManager-Configuration>

<rrm2 index="1"><rrmAllowedChans>

<chanCnt>20</chanCnt><chans index="8">100</chans><chans index="9">104</chans><chans index="10">108</chans><chans index="11">112</chans><chans index="12">116</chans><chans index="13">132</chans><chans index="14">136</chans><chans index="15">140</chans><chans index="16">149</chans>

<chans index="17">153</chans><chans index="18">157</chans><chans index="19">161</chans>

</rrmAllowedChans></rrm2>

</RadioResourceManager-Configuration><XML_crc_file_size>668</XML_crc_file_size><XML__CRC__CHECKSUM>1600534478</XML__CRC__CHECKSUM>

</XML_config_variables-rrmCfgData.xml-89a365cb><XML_config_variables-sigCfg.xml-2d0c8484>


</XML_config_variables-sigCfg.xml-2d0c8484><XML_config_variables-simCfgData.xml-47629dc4>

<System-Interface-Configuration><systemName>2106-1</systemName><systemIpAddress>192.168.1.1</systemIpAddress><systemGateway>0.0.0.0</systemGateway>

</System-Interface-Configuration><XML_crc_file_size>224</XML_crc_file_size><XML__CRC__CHECKSUM>3204326577</XML__CRC__CHECKSUM>

</XML_config_variables-simCfgData.xml-47629dc4><XML_config_variables-simQosCfgData.xml-11069211>


</XML_config_variables-simQosCfgData.xml-11069211><XML_config_variables-simVlanCfgData.xml-a2f725a>

<VLAN-Configuration><simInterface index="0">

<InterfaceName>management</InterfaceName><vlanStatus>CREATED</vlanStatus>

<vlanLocalAddress>10.10.1.10</vlanLocalAddress><vlanLocalNetmask>255.255.255.0</vlanLocalNetmask><vlanLocalGateway>10.10.1.254</vlanLocalGateway><vlanDhcpProtocolState>1</vlanDhcpProtocolState><vlanDhcpPrimaryServer>10.10.1.10</vlanDhcpPrimaryServer><vlanPortNumber>1</vlanPortNumber><GatewayResolvedState>RESOLVED</GatewayResolvedState><vlanGatewayMac>0:1e:7a:ad:52:a9</vlanGatewayMac>

</simInterface><simInterface index="1">

<InterfaceName>service-port</InterfaceName><vlanId>-1</vlanId>

8/20/2019 Iuwne10 Lg v2



<vlanInterfaceType>Service-Port</vlanInterfaceType><vlanDhcpProtocolState>3</vlanDhcpProtocolState><vlanInterfaceId>3</vlanInterfaceId>

</simInterface><simInterface index="2">

<InterfaceName>virtual</InterfaceName><vlanId>-1</vlanId><vlanStatus>CREATED</vlanStatus><vlanInterfaceType>Virtual</vlanInterfaceType><vlanLocalAddress>1.1.1.2</vlanLocalAddress><vlanDhcpProtocolState>1</vlanDhcpProtocolState>

</simInterface><simInterface index="3"><InterfaceName>ap-manager</InterfaceName><vlanStatus>CREATED</vlanStatus><vlanInterfaceType>VLAN</vlanInterfaceType><vlanLocalAddress>10.10.1.11</vlanLocalAddress><vlanLocalNetmask>255.255.255.0</vlanLocalNetmask><vlanLocalGateway>10.10.1.254</vlanLocalGateway><vlanDhcpProtocolState>1</vlanDhcpProtocolState><vlanDhcpPrimaryServer>10.10.1.10</vlanDhcpPrimaryServer><vlanPortNumber>1</vlanPortNumber><vlanInterfaceId>1</vlanInterfaceId><GatewayResolvedState>RESOLVED</GatewayResolvedState><vlanGatewayMac>0:1e:7a:ad:52:a9</vlanGatewayMac><vlanFlags>1</vlanFlags>

</simInterface></VLAN-Configuration><XML_crc_file_size>1949</XML_crc_file_size><XML__CRC__CHECKSUM>3145401149</XML__CRC__CHECKSUM>

</XML_config_variables-simVlanCfgData.xml-a2f725a><XML_config_variables-snmpCfgData.xml-4f1f9d7c>

<SNMP-Configuration><snmpV3User index="0">

<agentUserAuthKeyStore><iv>9af0c956b3ef198c2bbe657e02cb5746</iv><mac>b5b769a4a62137da506ed909dfd4f3e1fe2605bb</mac>

<passwd>df9e7cc2d2bbc09cbfa42c4942b3ddb00000000000000000000000000000000000000000000000000000000000000000</passwd>

</agentUserAuthKeyStore><agentUserPrivKeyStore>

<iv>e9460c2cc054846a9399f6ca905c808e</iv><mac>d043b534f8587048cf403886b6254f4600b4f35e</mac>

<passwd>ff7682febf472d078b453ca2c0574a480000000000000000000000000000000000000000000000000000000000000000</passwd>

</agentUserPrivKeyStore></snmpV3User><snmpTrapMgr index="0">

<agentTrapMgrCommunityName>127.0.0.1</agentTrapMgrCommunityName><agentTrapMgrIpAddr>127.0.0.1</agentTrapMgrIpAddr><agentTrapMgrStatus>1</agentTrapMgrStatus>

</snmpTrapMgr></SNMP-Configuration><XML_crc_file_size>925</XML_crc_file_size><XML__CRC__CHECKSUM>3737039482</XML__CRC__CHECKSUM>

</XML_config_variables-snmpCfgData.xml-4f1f9d7c><XML_config_variables-sshpmCfgData.xml-41181e3e>

<SSHPolicyManagerConfigData><sshpmIPv4VirtualAddress>1.1.1.2</sshpmIPv4VirtualAddress><sshpmIPv4VirtualIPString>1.1.1.1</sshpmIPv4VirtualIPString>

</SSHPolicyManagerConfigData><XML_crc_file_size>214</XML_crc_file_size><XML__CRC__CHECKSUM>755129620</XML__CRC__CHECKSUM>

</XML_config_variables-sshpmCfgData.xml-41181e3e><XML_config_variables-trapMgrCfgData.xml-bd5b2af3>


</XML_config_variables-trapMgrCfgData.xml-bd5b2af3><XML_config_variables-webCustomizations.xml-3adfbbe>

8/20/2019 Iuwne10 Lg v2


<Custom-WEB-Configuration><wlans index="3">

<useGlobalFlag>0</useGlobalFlag>/ l

Iuwne10 Lg v2

Documents