Adding Mesh Access Points to the Mesh Network
This section assumes that the controller is already active in the network and is operating in Layer 3 mode.
Note
Controller ports that the mesh access points connect to should be untagged.
Before adding a mesh access point to a network, do the following:
Procedure
Step 1
Add the MAC address of the mesh access point to the controller’s MAC filter. See the Adding MAC Addresses of Mesh Access Points to MAC Filter section.
Step 2
Define the role (RAP or MAP) for the mesh access point. See the Defining Mesh Access Point Role section.
Step 3
Verify that Layer 3 is configured on the controller. See the Verifying Layer 3 Configuration section.
Step 4
Configure a primary, secondary, and tertiary controller for each mesh access point. See the Configuring Multiple Controllers Using DHCP 43 and DHCP 60 section. Configure a backup controller. See the Configuring Backup Controllers section.
Step 5
Configure external authentication of MAC addresses using an external RADIUS server. See the Configuring External Authentication and Authorization Using a RADIUS Server section.
Step 6
Configure global mesh parameters. See the Configuring Global Mesh Parameters section.
Step 7
Configure backhaul client access. See the Configuring Advanced Features section.
Step 8
Configure local mesh parameters. See the Configuring Local Mesh Parameters section.
Step 9
Configure antenna parameters. See the Configuring Antenna Gain section.
Step 10
Configure channels for serial backhaul. This step is applicable only to serial backhaul access points. See the Backhaul Channel Deselection on Serial Backhaul Access Point section.
Step 11
Configure the DCA channels for the mesh access points. See the Configuring Dynamic Channel Assignment section.
Step 12
Configure mobility groups (if desired) and assign controllers. See the Configuring Mobility Groups chapter in the Cisco Wireless Controller Configuration Guide.
Step 13
Configure Ethernet bridging (if desired). See the Configuring Ethernet Bridging section.
Step 14
Configure advanced features such as Ethernet VLAN tagging, video, and voice. See the Configuring Advanced Features section.
Adding MAC Addresses of Mesh Access Points to MAC Filter
You must enter the radio MAC address for all mesh access points that you want to use in the mesh network into the appropriate controller. A controller only responds to discovery requests from outdoor radios that appear in its authorization list. MAC filtering is enabled by default on the controller, so only the MAC addresses need to be configured. If the access point has an SSC and has been added to the AP Authorization List, then the MAC address of the AP does not need to be added to the MAC Filtering List.
You can add the mesh access point using either the GUI or the CLI.
Note
You can also download the list of mesh access point MAC addresses and push them to the controller using Cisco Prime Infrastructure.
Adding the MAC Address of the Mesh Access Point to the Controller Filter List (GUI)
To add a MAC filter entry for the mesh access point on the controller using the controller GUI, follow these steps:
Procedure
Step 1
Choose Security > AAA > MAC Filtering. The MAC Filtering page appears.
Step 2
Click New. The MAC Filters > New page appears.
Step 3
Enter the radio MAC address of the mesh access point.
Step 4
From the Profile Name drop-down list, select Any WLAN.
Step 5
In the Description field, specify a description of the mesh access point. The text that you enter identifies the mesh access point on the controller.
Step 6
From the Interface Name drop-down list, choose the controller interface to which the mesh access point is to connect.
Step 7
Click Apply to commit your changes. The mesh access point now appears in the list of MAC filters on the MAC Filtering page.
Step 8
Click Save Configuration to save your changes.
Step 9
Repeat this procedure to add the MAC addresses of additional mesh access points to the list.
Adding the MAC Address of the Mesh Access Point to the Controller Filter List (CLI)
To add a MAC filter entry for the mesh access point on the controller using the controller CLI, follow these steps:
Procedure
Step 1
To add the MAC address of the mesh access point to the controller filter list, enter this command:
config macfilter add ap_mac wlan_id interface [description]
A value of zero (0) for the wlan_id parameter specifies any WLAN, and a value of zero (0) for the interface parameter specifies none. You can enter up to 32 characters for the optional description parameter.
Step 2
To save your changes, enter this command:
save config
Defining Mesh Access Point Role
By default, AP1500s are shipped with a radio role set to MAP. You must reconfigure a mesh access point to act as a RAP.
General Notes about MAP and RAP Association With The Controller
The general notes are as follows:
- A MAP always sets the Ethernet port as the primary backhaul if it is UP, and secondarily the 802.11a/n/ac radio. This gives the network administrator time to reconfigure the mesh access point as a RAP initially. For faster convergence on the network, we recommend that you do not connect any Ethernet device to the MAP until it has joined the mesh network.
- A MAP that fails to connect to a controller on an UP Ethernet port sets the 802.11a/n/ac radio as the primary backhaul. If the MAP then fails to find a neighbor, or fails to connect to a controller through a neighbor, the Ethernet port is set as the primary backhaul again.
- A MAP connected to a controller over an Ethernet port does not build a mesh topology (unlike a RAP).
- A RAP always sets the Ethernet port as the primary backhaul.
- If the Ethernet port is DOWN on a RAP, or a RAP fails to connect to a controller on an UP Ethernet port, the 802.11a/n/ac radio is set as the primary backhaul for 15 minutes. Failing to find a neighbor, or failing to connect to a controller via any neighbor on the 802.11a/n/ac radio, causes the primary backhaul to go into the scan state. The primary backhaul begins its scan with the Ethernet port.
Configuring the AP Role (GUI)
To configure the role of a mesh access point using the GUI, follow these steps:
Procedure
Step 1
Click Wireless to open the All APs page.
Step 2
Click the name of an access point. The All APs > Details (General) page appears.
Step 3
Click the Mesh tab.
Step 4
Choose RootAP or MeshAP from the AP Role drop-down list.
Step 5
Click Apply to commit your changes and to cause the access point to reboot.
Configuring the AP Role (CLI)
To configure the role of a mesh access point using the CLI, enter the following command:
config ap role {rootAP | meshAP} Cisco_AP
Configuring Multiple Controllers Using DHCP 43 and DHCP 60
To configure DHCP Option 43 and 60 for mesh access points in the embedded Cisco IOS DHCP server, follow these steps:
Procedure
Step 1
Enter configuration mode at the Cisco IOS CLI.
Step 2
Create the DHCP pool, including the necessary parameters such as the default router and name server. The commands used to create a DHCP pool are as follows:
where:
Step 3
Add the option 60 line using the following syntax:
For the VCI string, use one of the values below. The quotation marks must be included.
Step 4
Add the option 43 line using the following syntax:
The hex string is assembled by concatenating the TLV values shown below: Type + Length + Value.
- Type is always f1 (hex).
- Length is the number of controller management IP addresses times 4, in hex.
- Value is the IP addresses of the controllers listed sequentially, in hex.
For example, suppose that there are two controllers with management interface IP addresses 10.126.126.2 and 10.127.127.2. The type is f1 (hex). The length is 2 * 4 = 8 = 08 (hex). The IP addresses translate to 0a7e7e02 and 0a7f7f02. Assembling the string then yields f1080a7e7e020a7f7f02. The resulting Cisco IOS command added to the DHCP scope is listed below:
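The TLV assembly in Step 4, carried through in Python as an added example (this is not code from the configuration guide). It builds the option 43 hex string from a list of controller management addresses, decodes a string back for verification, and renders the two DHCP-pool option lines. The `option 60 ascii` / `option 43 hex` IOS keywords and the VCI string used in the demo are assumptions for illustration; take the VCI for your platform from the list in Step 3.

```python
"""Build and verify the DHCP option 43 value that points Cisco mesh APs at their
controllers. Added example for this guide, not Cisco code."""
import ipaddress

# Type byte the guide specifies for the controller-address TLV.
OPTION43_TYPE = 0xF1


def option43_hex(controller_ips):
    """Return the option 43 hex string: f1 + one-byte length + packed IPv4 addresses."""
    if not controller_ips:
        raise ValueError("at least one controller IP is required")
    packed = b"".join(ipaddress.IPv4Address(ip).packed for ip in controller_ips)
    length = len(packed)  # number of controllers * 4, as the guide states
    if length > 255:
        raise ValueError("too many controllers for a one-byte TLV length")
    return bytes([OPTION43_TYPE, length]).hex() + packed.hex()


def decode_option43(hex_string):
    """Parse an option 43 hex string back into controller IPs, checking the TLV length.
    Use it to sanity-check a string before pasting it into the DHCP scope."""
    raw = bytes.fromhex(hex_string)
    if len(raw) < 2 or raw[0] != OPTION43_TYPE:
        raise ValueError("not a type f1 controller TLV")
    length, value = raw[1], raw[2:]
    if length != len(value) or length % 4 != 0:
        raise ValueError("TLV length does not match the value")
    return [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, length, 4)]


def ios_dhcp_option_lines(vci, controller_ips):
    """Render the two DHCP-pool lines. The 'option 60 ascii' and 'option 43 hex'
    keywords are assumed here; the VCI string is whatever the guide lists for the platform."""
    return [
        f'option 60 ascii "{vci}"',
        f"option 43 hex {option43_hex(controller_ips)}",
    ]


if __name__ == "__main__":
    # The guide's worked example: two controllers, expected string f1080a7e7e020a7f7f02.
    ips = ["10.126.126.2", "10.127.127.2"]
    for line in ios_dhcp_option_lines("Cisco AP c1570", ips):  # VCI value is an assumption
        print(line)
    print(decode_option43(option43_hex(ips)))
```

Running the decoder over a string before it goes into the scope catches the two mistakes that are easy to make by hand: a length byte that was not updated after adding a controller, and a dotted-quad octet converted to the wrong hex value.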
Backup Controllers
A single controller at a centralized location can act as a backup for mesh access points when they lose connectivity with the primary controller in the local region. Centralized and regional controllers need not be in the same mobility group. Using the controller GUI or CLI, you can specify the IP addresses of the backup controllers, which allows the mesh access points to fail over to controllers outside of the mobility group.
You can also configure primary and secondary backup controllers (which are used if primary, secondary, or tertiary controllers are not specified or are not responsive) for all access points connected to the controller as well as various timers, including the heartbeat timer and discovery request timers.
Note
The fast heartbeat timer is not supported on access points in bridge mode. The fast heartbeat timer is configured only on access points in local and FlexConnect modes.
The mesh access point maintains a list of backup controllers and periodically sends primary discovery requests to each entry on the list. When the mesh access point receives a new discovery response from a controller, the backup controller list is updated. Any controller that fails to respond to two consecutive primary discovery requests is removed from the list. If the mesh access point’s local controller fails, it chooses an available controller from the backup controller list in this order: primary, secondary, tertiary, primary backup, and secondary backup. The mesh access point waits for a discovery response from the first available controller in the backup list and joins the controller if it receives a response within the time configured for the primary discovery request timer. If the time limit is reached, the mesh access point assumes that the controller cannot be joined and waits for a discovery response from the next available controller in the list.
Note
When a mesh access point’s primary controller comes back online, the mesh access point disassociates from the backup controller and reconnects to its primary controller. The mesh access point falls back to its primary controller and not to any secondary controller for which it is configured. For example, if a mesh access point is configured with primary, secondary, and tertiary controllers, it fails over to the tertiary controller when the primary and secondary controllers become unresponsive and waits for the primary controller to come back online so that it can fall back to the primary controller. The mesh access point does not fall back from the tertiary controller to the secondary controller if the secondary controller comes back online; it stays connected to the tertiary controller until the primary controller comes back up.
Configuring External Authentication and Authorization Using a RADIUS Server
External authorization and authentication of mesh access points using a RADIUS server such as Cisco ACS (4.1 and later) or ISE is supported in release 7.0 and later. The RADIUS server must support the EAP-FAST client authentication type with certificates.
Before you employ external authentication within the mesh network, ensure that you make these changes:
- The RADIUS server to be used as an AAA server must be configured on the controller.
- The controller must also be configured on the RADIUS server.
- Add the mesh access point configured for external authorization and authentication to the user list of the RADIUS server. For additional details, see the Adding a Username to a RADIUS Server section.
- Configure EAP-FAST on the RADIUS server and install the certificates. EAP-FAST authentication is required if mesh access points are connected to the controller using an 802.11a interface; the external RADIUS servers need to trust Cisco Root CA 2048. For information about installing and trusting the CA certificates, see the Configuring RADIUS Servers section.
Note
If mesh access points connect to a controller using a Fast Ethernet or Gigabit Ethernet interface, only MAC authorization is required.
Note
This feature also supports local EAP and PSK authentication on the controller.
Configuring RADIUS Servers
To install and trust the CA certificates on the RADIUS server, follow these steps:
Procedure
Step 1
Download the CA certificates for Cisco Root CA 2048 from the following locations:
Step 2
Install the certificates as follows:
Step 3
Configure the external RADIUS servers to trust the CA certificate as follows:
For additional configuration details on Cisco ACS servers, see the following:
Enabling External Authentication of Mesh Access Points (GUI)
To enable external authentication for a mesh access point using the GUI, follow these steps:
Procedure
Step 1
Choose Wireless > Mesh. The Mesh page appears (see Figure 1).
Step 2
In the Security section, select the EAP option from the Security Mode drop-down list.
Step 3
Select the Enabled check boxes for the External MAC Filter Authorization and Force External Authentication options.
Step 4
Click Apply.
Step 5
Click Save Configuration.
Adding a Username to a RADIUS Server
Add the MAC addresses of mesh access points that are authorized and authenticated by external RADIUS servers to the user list of that server before enabling RADIUS authentication for a mesh access point.
For remote authorization and authentication, EAP-FAST uses the manufacturer’s certificate (CERT) to authenticate the child mesh access point. Additionally, this manufacturer certificate-based identity serves as the username for the mesh access point in user validation.
For Cisco IOS-based mesh access points, in addition to adding the MAC address to the user list, you need to enter the platform_name_string–MAC_address string to the user list (for example, c1240-001122334455). The controller first sends the MAC address as the username; if this first attempt fails, then the controller sends the platform_name_string–MAC_address string as the username.
Note
The authentication MAC address is different for outdoor versus indoor APs. Outdoor APs use the AP's BVI MAC address, whereas indoor APs use the AP's Gigabit Ethernet MAC address.
RADIUS Server Username Entry
- platform_name_string-MAC_address
User: c1570-aabbccddeeff
Password: cisco
- Hyphen Delimited MAC Address
User: aa-bb-cc-dd-ee-ff
Password: aa-bb-cc-dd-ee-ff
Note
The AP1552 platform uses a platform name of c1550. The AP1572 uses a platform name of c1570.
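The controller-side `config macfilter add` command (Adding the MAC Address of the Mesh Access Point to the Controller Filter List (CLI)) and the two RADIUS username forms above both need the same MAC address written consistently, which is where hand-built entries usually go wrong. The following Python helper, an added example rather than Cisco code, normalizes a MAC from whatever form the inventory has it in and produces the macfilter line plus the RADIUS (username, password) pairs in the order the guide says the controller tries them. The colon-delimited MAC in the macfilter line, the inventory record, and the `provision` helper are assumptions for illustration; the platform names and the 32-character description limit are from the guide.

```python
"""Derive the controller MAC-filter command and the RADIUS user entries for a
mesh AP from one inventory record. Added example for this guide, not Cisco code."""
import re

# Platform name strings the guide gives for the two AP families.
PLATFORM_NAMES = {"AP1552": "c1550", "AP1572": "c1570"}
MAX_DESCRIPTION = 32  # character limit the guide gives for the macfilter description


def normalize_mac(mac):
    """Return the 12 lowercase hex digits of a MAC written with ':', '-', '.' or no separator."""
    digits = re.sub(r"[:\-.\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def format_mac(digits, delimiter):
    """Join the hex digits in pairs with delimiter ('' gives the undelimited form)."""
    return delimiter.join(digits[i:i + 2] for i in range(0, 12, 2))


def macfilter_command(mac, description="", wlan_id=0, interface="0"):
    """Controller CLI line from the guide: config macfilter add ap_mac wlan_id interface [description].
    wlan_id 0 means any WLAN and interface 0 means none. Writing ap_mac with colons is an assumption."""
    if len(description) > MAX_DESCRIPTION:
        raise ValueError("description exceeds 32 characters")
    parts = ["config macfilter add", format_mac(normalize_mac(mac), ":"), str(wlan_id), interface]
    if description:
        parts.append(description)
    return " ".join(parts)


def radius_user_entries(mac, platform, delimiter="-"):
    """(username, password) pairs to create on the RADIUS server, in the order the guide
    says the controller tries them: the delimited MAC first (password equal to the username
    in the guide's table), then platform_name_string-MAC_address (password 'cisco')."""
    digits = normalize_mac(mac)
    delimited = format_mac(digits, delimiter)
    platform_name = PLATFORM_NAMES.get(platform, platform)
    return [
        (delimited, delimited),
        (f"{platform_name}-{digits}", "cisco"),
    ]


def provision(mac, platform, description="", delimiter="-"):
    """Everything one AP needs on both sides: the macfilter line and the RADIUS users."""
    return {
        "macfilter": macfilter_command(mac, description),
        "radius_users": radius_user_entries(mac, platform, delimiter),
    }


if __name__ == "__main__":
    # Constructed inventory record. For an outdoor AP this must be the BVI MAC (see the note above).
    record = provision("AA:BB:CC:DD:EE:FF", "AP1572", description="pole7-map")
    print(record["macfilter"])
    for user, password in record["radius_users"]:
        print(f"user={user} password={password}")
```

Two practitioner checks follow from this. First, the `delimiter` argument has to match the delimiter the controller is told to use with `config macfilter mac-delimiter` (the CLI procedure below sets colon, while the table above shows hyphens); pick one and use it on both sides, or the first username attempt will always fail and every join will fall through to the platform-name form. Second, the MAC-as-password entry carries no secret, since a MAC is visible on the air; treat it as authorization only. The authentication strength comes from EAP-FAST with the manufacturer certificate, which is why the RADIUS server must trust Cisco Root CA 2048.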
Enable External Authentication of Mesh Access Points (CLI)
To enable external authentication for mesh access points using the CLI, enter the following commands:
Procedure
Step 1
config mesh security eap
Step 2
config macfilter mac-delimiter colon
Step 3
config mesh security rad-mac-filter enable
Step 4
config mesh radius-server index enable
Step 5
(Optional) config mesh security force-ext-auth enable
View Security Statistics (CLI)
To view security statistics for mesh access points using the CLI, enter the following command:
show mesh security-stats Cisco_AP
Use this command to display packet error statistics and a count of failures, timeouts, and association and authentication successes as well as reassociations and reauthentications for the specified access point and its child.