Cisco 2000 Series Wireless LAN Controller Technical Manual
  ♦ VLAN 257: 192.168.157.x/24. Gateway: 192.168.157.1
  ♦ VLAN 75: 192.168.75.x/24. Gateway: 192.168.75.1
• This document uses 802.1x with PEAP as the security mechanism.
  Note: Cisco recommends that you use advanced authentication methods, such as EAP-FAST and EAP-TLS authentication, in order to secure the WLAN.
Assumptions
• Switches are configured for all Layer 3 VLANs.
• The DHCP server is assigned a DHCP scope.
• Layer 3 connectivity exists between all devices in the network.
• The LAP is already joined to the WLC.
• Each VLAN has /24 mask.
• ACS 5.2 has a Self-Signed Certificate installed.
Configuration Steps
This configuration is separated into three high-level steps:
1. Configure the RADIUS Server.
2. Configure the WLC.
3. Configure the Wireless Client Utility.
Configure the RADIUS Server
Configuration of the RADIUS server is divided into four steps:
1. Configure network resources.
2. Configure users.
3. Define policy elements.
4. Apply access policies.
ACS 5.x is a policy-based access control system. That is, ACS 5.x uses a rule-based policy model instead of the group-based model used in the 4.x versions.
The ACS 5.x rule-based policy model provides more powerful and flexible access control compared to the older group-based approach.
In the older group-based model, a group defines policy because it contains and ties together three types of information:
• Identity information - This information can be based on membership in AD or LDAP groups or a static assignment for internal ACS users.
• Other restrictions or conditions - Time restrictions, device restrictions, and so on.
• Permissions - VLANs or Cisco IOS® privilege levels.
The ACS 5.x policy model is based on rules of the form:
• If condition then result
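The rule form above, as an added example that is not from the Cisco document or from ACS itself: a first-match rule table in Python that maps identity and restriction conditions to a VLAN result. Group names, business hours, the WLC address, first-match evaluation and the default deny are assumptions of the example; VLANs 257 and 75 are the ones listed in this document.

```python
from dataclasses import dataclass
from datetime import time
from typing import Callable, Optional

@dataclass(frozen=True)
class Request:
    user: str
    identity_group: str  # identity information (AD/LDAP group or internal group)
    nas_ip: str          # device that forwarded the request (here, the WLC)
    at: time             # time of the authentication attempt

@dataclass(frozen=True)
class Rule:
    name: str
    condition: Callable[[Request], bool]
    vlan: Optional[int]  # result: VLAN to assign, or None to deny

KNOWN_WLCS = {"192.0.2.10"}  # constructed address, not from the page

def from_known_wlc(r: Request) -> bool:
    return r.nas_ip in KNOWN_WLCS

def business_hours(r: Request) -> bool:
    return time(8, 0) <= r.at < time(18, 0)

# Hypothetical rule table; group names, hours and VLAN mapping are assumptions.
RULES = [
    Rule("unknown-device", lambda r: not from_known_wlc(r), None),
    Rule("staff-business-hours",
         lambda r: r.identity_group == "Staff" and business_hours(r), 257),
    Rule("staff-after-hours", lambda r: r.identity_group == "Staff", 75),
    Rule("contractors-business-hours",
         lambda r: r.identity_group == "Contractors" and business_hours(r), 75),
]

def vlan_attributes(vlan: int) -> dict:
    """RADIUS tunnel attributes that carry a VLAN assignment (RFC 3580)."""
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-ID": str(vlan)}

def authorize(req: Request, rules=RULES):
    """Return (matched rule name, reply attributes or None when denied)."""
    for rule in rules:  # first match wins (an assumption of this example)
        if rule.condition(req):
            attrs = vlan_attributes(rule.vlan) if rule.vlan is not None else None
            return rule.name, attrs
    return "default-deny", None  # no rule matched: fail closed
```

Because identity, restrictions and permissions are separate rule inputs and outputs here, the same "Staff" identity yields VLAN 257 or VLAN 75 depending on the time condition, which a single group-to-permission binding cannot express.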
For example, we use the information described for the group-based model: