Converged Wired and Wireless Access
Provisioning a Small Branch WLAN
90
Best Practice User Guide for the Catalyst 3850 and Catalyst 3650 Switch Series
Provisioning a Small Branch WLAN
• Provision in Easy-RADIUS—Easiest to configure and does not rely on outside services.
• Provision in Secure Mode—End-users are authenticated by the external RADIUS server or ISE.
• Manage Radio Frequency and Channel Settings
We highly recommend that secure mode be provisioned for security concerns. However, both WLAN
modes can co-exist if the network design requires it. For example, you can provision both WLANs on a
single switch with each WLAN having its own purpose in the network.
Note If your network does not permit open access for any wireless device, proceed to the “Provision in Secure
Mode” section and provision your wireless network in secure mode.
Note Guest Access network deployment is beyond the scope of this document. For detailed information, see
the “Configuring Wireless Guest Access” chapter in the Security Configuration Guide, Cisco IOS XE
Release 3E, (Catalyst 3850 Switches).
Provision in Easy-RADIUS
Easy-RADIUS allows access to the network without authentication and is not secure.
• Disable Authentication to Enable Easy-RADIUS
• Configure QoS to Secure the WLAN
• Verify Client Connectivity in RADIUS
Note If your network does not permit open access for any wireless device, proceed to the “Provision in Secure
Mode” section and provision your wireless network in secure mode.
Disable Authentication to Enable Easy-RADIUS
Step 1 To provision in easy-RADIUS, use the no security EXEC commands to disable authentication for a
WLAN.
By default, the WLAN is enabled for security with Wi-Fi Protected Access (WPA) and Wi-Fi Protected
Access II (WPA2). To make the WLAN open, use the no security wpa wpa2 command.
wlan OPEN_WLAN 1 open_wlan
client vlan 200
no security wpa
no security wpa akm dot1x
no security wpa wpa2
no security wpa wpa2 ciphers aes
no shutdown
To Next Page
Loading...
Need help?
General