Creating Wireless Networks

WLANs

Cisco Mobility Express solution supports a maximum of 16 WLANs. Each WLAN has a unique WLAN ID (1 through 16), a unique Profile Name, SSID, and can be assigned different security policies.

Access Points broadcast all active WLAN SSIDs and enforce the policies that you define for each WLAN.

You can configure WLANs with different service set identifiers (SSIDs) or with the same SSID. An SSID identifies the specific wireless network that you want the controller to access. Creating WLANs with the same SSID enables you to assign different Layer 2 security policies within the same wireless LAN. To distinguish among WLANs with the same SSID, you must create a unique profile name for each WLAN. WLANs with the same SSID must have unique Layer 2 security policies so that clients can make a WLAN selection based on information advertised in beacon and probe responses.
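The WLAN rules above (at most 16 WLANs, IDs 1 through 16, unique profile names, and distinct Layer 2 policies for WLANs that share an SSID) can be checked against a planned configuration before it is entered in the GUI. The following is an added example, not Cisco code; the dict keys and the sample plan are constructed for illustration.

```python
from collections import defaultdict

MAX_WLANS = 16  # limit stated on this page; valid WLAN IDs are 1 through 16

# Constructed sample plan; the dict keys are names chosen for this example.
SAMPLE_PLAN = [
    {"wlan_id": 1, "profile": "corp-dot1x", "ssid": "Corp", "l2_security": "WPA2 Enterprise"},
    {"wlan_id": 2, "profile": "corp-psk", "ssid": "Corp", "l2_security": "WPA2 Personal"},
    {"wlan_id": 3, "profile": "corp-lab", "ssid": "Corp", "l2_security": "WPA2 Enterprise"},
    {"wlan_id": 17, "profile": "guest", "ssid": "Guest", "l2_security": "Open"},
]


def validate_wlan_plan(wlans):
    """Return a list of rule violations found in a planned set of WLANs."""
    problems = []
    if len(wlans) > MAX_WLANS:
        problems.append(f"{len(wlans)} WLANs planned, maximum is {MAX_WLANS}")

    seen_ids, seen_profiles = set(), set()
    by_ssid = defaultdict(list)
    for w in wlans:
        if not 1 <= w["wlan_id"] <= MAX_WLANS:
            problems.append(f"{w['profile']}: WLAN ID {w['wlan_id']} is outside 1-{MAX_WLANS}")
        if w["wlan_id"] in seen_ids:
            problems.append(f"{w['profile']}: WLAN ID {w['wlan_id']} is already in use")
        if w["profile"] in seen_profiles:
            problems.append(f"profile name {w['profile']} is used more than once")
        seen_ids.add(w["wlan_id"])
        seen_profiles.add(w["profile"])
        by_ssid[w["ssid"]].append(w)

    # WLANs that share an SSID must each carry a different Layer 2 policy,
    # otherwise clients cannot tell them apart from beacons and probe responses.
    for ssid, group in by_ssid.items():
        by_policy = defaultdict(list)
        for w in group:
            by_policy[w["l2_security"]].append(w["profile"])
        for policy, profiles in by_policy.items():
            if len(profiles) > 1:
                problems.append(
                    f"SSID {ssid}: profiles {', '.join(profiles)} share Layer 2 policy {policy}"
                )
    return problems


if __name__ == "__main__":
    for line in validate_wlan_plan(SAMPLE_PLAN):
        print(line)
```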

A number of WLAN Security options are supported on Cisco Mobility Express solution and are outlined below:

  1. Open

  2. WPA2 Personal

  3. WPA2 Enterprise (External RADIUS, AP)

For Guest WLAN, a number of capabilities are supported:

  1. CMX Guest Connect

  2. WPA2 Personal

  3. Captive Portal (AP)

  4. Captive Portal (External Web Server)

Creating Employee WLANs

Creating Employee WLAN with WPA2 Personal

Procedure
    Step 1   Navigate to Wireless Settings > WLANs and then click the Add new WLAN button. The Add new WLAN window will pop up.

    Step 2   In the Add new WLAN window, on the General page, configure the following:
    1. Enter the Profile Name.
    2. Enter the SSID.
    Step 3   Click the WLAN Security tab and configure the following:
    1. Select Security as WPA2 Personal.
    2. Enter the Passphrase and Confirm PassPhrase.

    Step 4   Click Apply.


    Creating Employee WLAN using WPA2 Enterprise with External Radius Server

    Procedure
      Step 1   Navigate to Wireless Settings > WLANs and then click the Add new WLAN button. The Add new WLAN window will pop up.

      Step 2   In the Add new WLAN window, on the General page configure the following:
      1. Enter the Profile Name.
      2. Enter the SSID.
      Step 3   Click the WLAN Security tab and configure the following:
      1. Select Security Type as WPA2 Enterprise.
      2. Select Authentication Server as External Radius.
      Step 4   Add the Radius server and configure the following:

      • Enter the Radius IP

      • Enter the Radius Port

      • Enter the Shared Secret

      • Click the tick icon

      Step 5   Click Apply.

      Creating Employee WLAN with WPA2 Enterprise and Authentication Server as AP

      Procedure
        Step 1   Navigate to Wireless Settings > WLANs and then click the Add new WLAN button. The Add new WLAN window will pop up.

        Step 2   In the Add new WLAN window, on the General page configure the following:
        1. Enter the Profile Name.
        2. Enter the SSID.

        Step 3   Click the WLAN Security tab and configure the following:
        1. Select Security as WPA2 Enterprise.
        2. Select Authentication Server as AP.
          Note: AP is the Master AP running the controller function. In this use case, the controller is the Authentication Server, and therefore a Local WLAN user account must exist to onboard the clients.

        Step 4   Click Apply.

        Creating Employee WLAN with WPA2 Enterprise/External RADIUS and MAC Filtering

        Procedure
          Step 1   Navigate to Wireless Settings > WLANs and then click Add new WLAN. The Add new WLAN window will pop up.
          Step 2   In the Add new WLAN window, on the General tab, configure the following:
          • Enter the Profile Name

          • Enter the SSID

          Step 3   Click on the WLAN Security tab and configure the following:
          • Enable MAC Filtering

          • Select Security Type as WPA2 Enterprise

          • Select Authentication Server as External RADIUS

          • Select RADIUS Compatibility from the drop-down list

          • Select MAC Delimiter from the drop-down list

          Step 4   Add the Radius server and configure the following:
          • Enter the Radius IP

          • Enter the Radius Port

          • Enter the Shared Secret

          • Click the tick icon

          Step 5   Click Apply.

          Creating Guest WLANs

          Mobility Express controller can provide guest user access on WLANs which are specifically designated for use by guest users. To set this WLAN exclusively for guest user access, enable the Guest Network under the WLAN Security tab.

          Creating Guest WLAN with Captive Portal on CMX Connect

          Procedure
            Step 1   Navigate to Wireless Settings > WLANs and then click the Add new WLAN button. The Add new WLAN window will pop up.
            Step 2   In the Add new WLAN window, on the General tab, configure the following:
            • Enter the Profile Name

            • Enter the SSID

            Step 3   Enable the Guest Network under the WLAN Security tab.
            Step 4   Select Captive Portal as CMX Connect.
            Step 5   Enter Captive Portal URL.
            Note: Captive Portal URL must have the following format: https://yya7lc.cmxcisco.com/visitor/login where yya7lc is your Account ID.

            Step 6   Click Apply.
            Note: Additional steps are required on CMX Cloud to create the Captive Portal and the Site with Access Points, and to associate the Captive Portal with the Site.
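Before entering the Captive Portal URL in Step 5, it can be checked against the format given in the note: HTTPS, a host of the form <Account ID>.cmxcisco.com, and the path /visitor/login. This is an added example, not part of the Cisco procedure; the function name and the rejected sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

CMX_DOMAIN = "cmxcisco.com"   # domain from the URL format on this page
CMX_PATH = "/visitor/login"   # path from the URL format on this page

# Constructed samples: the first is the page's own example URL,
# the others each break the documented format in one way.
SAMPLE_URLS = [
    "https://yya7lc.cmxcisco.com/visitor/login",
    "http://yya7lc.cmxcisco.com/visitor/login",
    "https://yya7lc.cmxcisco.com.example.net/visitor/login",
    "https://yya7lc.cmxcisco.com/visitor/login/",
]


def check_cmx_portal_url(url, account_id):
    """Return the reasons url is not https://<account_id>.cmxcisco.com/visitor/login."""
    parts = urlsplit(url.strip())
    reasons = []
    if parts.scheme != "https":
        reasons.append("scheme is not https")
    # The documented format has a bare host: no user@ prefix and no :port suffix.
    if "@" in parts.netloc or ":" in parts.netloc:
        reasons.append("host part carries userinfo or a port")
    # Exact match on the full host name, so a longer name that merely
    # contains the expected host as a prefix is rejected.
    expected_host = f"{account_id}.{CMX_DOMAIN}".lower()
    if (parts.hostname or "") != expected_host:
        reasons.append(f"host is not {expected_host}")
    if parts.path != CMX_PATH:
        reasons.append(f"path is not {CMX_PATH}")
    if parts.query or parts.fragment:
        reasons.append("unexpected query string or fragment")
    return reasons


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, "->", check_cmx_portal_url(u, "yya7lc") or "OK")
```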


            Creating Guest WLAN with Internal Splash Page

            There is an internal splash page built into the Mobility Express controller which can be used to onboard the clients connecting to Guest WLANs. This internal splash page can also be customized by uploading a customized bundle. To upload a customized internal splash page, navigate to Wireless Settings > Guest WLANs. Select Page Type as Customized and click on the Upload button to upload a customized page bundle.

            For internal splash page, Cisco Mobility Express supports multiple options for Access Type. They are as follows:

            1. Local User Account
            2. Web Consent
            3. Email Address
            4. RADIUS
            5. WPA2 Personal
            Procedure
              Step 1   Navigate to Wireless Settings > WLANs and then click the Add new WLAN button. The Add new WLAN window will pop up.
              Step 2   In the Add new WLAN window, on the General tab, configure the following:
              • Enter the Profile Name

              • Enter the SSID

              Step 3   Enable the Guest Network under the WLAN Security tab.
              Step 4   Select Captive Portal as Internal Splash Page.
              Step 5   Select one of the following Access Types as needed:
              1. Local User Account–The splash page prompts the user for a username and password, which must be authenticated by the controller before network access is granted. Local WLAN users must be created on the controller to onboard the Guest clients.

              2. Web Consent–The splash page asks the user to acknowledge before network access is granted.

              3. Email Address–The splash page prompts the user to enter an email address before network access is granted.

              4. RADIUS–The splash page prompts the user for a username and password, which must be authenticated by the RADIUS server before network access is granted. Select Access Type as RADIUS and enter the RADIUS server configuration.

              5. WPA2 Personal–This is an example of L2 + L3 (Web Consent). Layer 2 PSK security authentication happens first, followed by the splash page, which asks the user to acknowledge before network access is granted. Select Access Type as WPA2 Personal and enter the Passphrase.

              Step 6   Click Apply.

              Creating Guest WLAN with External Splash Page

              An external splash page is one which resides on an external Web Server. Similar to the internal splash page, Cisco Mobility Express supports multiple options for Access Type with external splash page. They are as follows:

              1. Local User Account

              2. Web Consent

              3. Email Address

              4. RADIUS

              5. WPA2 Personal

              Procedure
                Step 1   Navigate to Wireless Settings > WLANs and then click the Add new WLAN button. The Add new WLAN window will pop up.
                Step 2   In the Add new WLAN window, on the General tab, configure the following:
                • Enter the Profile Name

                • Enter the SSID

                Step 3   Enable the Guest Network under the WLAN Security tab.
                Step 4   Select Captive Portal as External Splash Page.
                Step 5   Select one of the following Access Types as needed:
                1. Local User Account–The splash page prompts the user for a username and password, which must be authenticated by the controller before network access is granted. Local WLAN users must be created on the controller to onboard the Guest clients.

                2. Web Consent–The splash page asks the user to acknowledge before network access is granted.

                3. Email Address–The splash page prompts the user to enter an email address before network access is granted.

                4. RADIUS–The splash page prompts the user for a username and password, which must be authenticated by the RADIUS server before network access is granted. Select Access Type as RADIUS and enter the RADIUS server configuration.

                5. WPA2 Personal–This is an example of L2 + L3 (Web Consent). Layer 2 PSK security authentication happens first, followed by the splash page, which asks the user to acknowledge before network access is granted. Select Access Type as WPA2 Personal and enter the Passphrase.

                Step 6   Click Apply.

                Internal Splash Page for Web Authentication

                Cisco Mobility Express supports a default internal guest portal that comes built-in and also a customized page, which can be imported by the user.

                Using default internal guest portal

                To use the default Guest Portal Page or import a customized Guest Portal page, follow the procedure below:

                Procedure
                  Step 1   Navigate to Wireless Settings > Guest WLANs.
                  Step 2   Configure the following on the Guest WLAN page:
                  • Page Type–Select as Internal (Default).

                  • Preview–You can Preview the page by clicking on the Preview button.

                  • Display Cisco Logo–To hide the Cisco logo that appears in the top right corner of the default page, you can choose No. This field is set to Yes by default.

                  • Redirect URL After Login–To have the guest users redirected to a particular URL (such as the URL for your company) after login, enter the desired URL in this text box. You can enter up to 254 characters.

                  • Page Headline–To create your own headline on the login page, enter the desired text in this text box. You can enter up to 127 characters. The default headline is Welcome to the Cisco Wireless Network.

                  • Page Message–To create your own message on the login page, enter the desired text in this text box. You can enter up to 2047 characters. The default message is Cisco is pleased to provide the Wireless LAN infrastructure for your network. Please login and put your air space to work.

                  Step 3   Click Apply.

                  Using customized internal guest portal

                  If a customized guest portal has to be presented to guest users, a sample page can be downloaded from cisco.com, edited, and then imported to the Cisco Mobility Express controller. After the page has been edited and is ready to be uploaded to the Cisco Mobility Express controller, follow the steps below.

                  Procedure
                    Step 1   Navigate to Wireless Settings > Guest WLANs.
                    Step 2   Configure the following on the Guest WLAN page:
                    • Page Type–Select as Customized.

                    • Customized page Bundle–Click on the Upload button to upload the customized page bundle to the Mobility Express controller.

                    • Preview–You can Preview the Guest portal by clicking on the Preview button.

                    • Redirect URL After Login–To have the guest users redirected to a particular URL (such as the URL for your company) after login, enter the desired URL in this text box. You can enter up to 254 characters.

                    Step 3   Click Apply.

                    Managing WLAN Users

                    Cisco Mobility Express supports creation of local user accounts. These users can be authenticated for WLANs configured to use Security as WPA2 Enterprise with Authentication Server set to AP or Guest WLANs configured to use internal or external splash page with Access Type as Local User Account.

                    To create local user accounts, follow the procedure below:

                    Procedure
                      Step 1   Navigate to Wireless Settings > WLAN Users and then click on Add WLAN User button.
                      Step 2   Configure the following for the WLAN user:

                      • User Name–Enter the username

                      • Guest User–For Guest user, enable the Guest User checkbox

                      • Lifetime–For Guest User, define the user account validity. Default is 86400 seconds (24 hours) from the time of its creation.

                      • WLAN Profile–Select the WLAN to which the user will connect

                      • Password–Enter the password for the user account

                      • Description–Additional details or comments for the user account

                      • Click the tick icon.


                      Adding MAC for Local MAC Filtering on WLANs

                      Cisco Mobility Express supports MAC Filtering on WLANs on controller as well as with external RADIUS. MAC addresses can be added to the controller and be either Whitelisted or Blacklisted. To add MAC addresses to the controller, follow the procedure below:

                      Procedure
                        Step 1   Navigate to Wireless Settings > WLAN Users and click on Local MAC Addresses.
                        Step 2   Click Add MAC Address.
                        Step 3   In the Add MAC Address window, configure the following:
                        • MAC Address–Enter the MAC Address of the device

                        • Description–Enter the description

                        • Type–Select whether this MAC has to be WhiteList or BlackList

                        • Profile Name–Select the WLAN to which the user will connect

                        Step 4   Click Apply.