In this post we will see how to configure a WLAN on 3850 switches. In the topology below, a single 3850 switch stack acts as MC/MA (WLC functionality).
I have mainly used the CLI for the configuration; if you prefer the GUI over the CLI you can use that as well. Before starting the WLAN configuration, make sure your 3850 is configured as MC so that it can provide WLC functionality. You need the “wireless mobility controller” command on your switch to make it an MC (by default it is an MA). Also note that the AP & wireless management should be on the same VLAN (999 in my case).
Since this 3850 acts as MC (Mobility Controller), you have to define a dynamic interface that users will be mapped to. I have used vlan1410 (10.141.96.0/21) for this.
3850-1#sh vlan brief
999 SW-MGMT active
1410 WLN-STD-6 active
1420 WLN-STF-1 active
!
interface GigabitEthernet1/0/2
 switchport access vlan 999
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/48
 switchport trunk native vlan 800
 switchport trunk allowed vlan 999,1410,1420
 switchport mode trunk
!
wireless mobility controller
wireless management interface Vlan999
wireless mobility group name LTU-CA
wireless rf-network LTU-CA
!
interface Vlan999
 ip address 10.15.4.255 255.255.254.0
!
interface Vlan1410
 ip address 10.141.103.253 255.255.248.0
!
ip default-gateway 10.15.5.250
In addition to the above, a 6500 switch is configured as the gateway for all the VLANs.
interface Vlan999
 description SW-MGMT
 ip address 10.15.5.250 255.255.254.0
 ip pim sparse-mode
!
interface Vlan1410
 ip address 10.141.103.250 255.255.248.0
 ip helper-address x.x.26.100
 ip pim sparse-mode
Now we can start configuring WLAN.
3850-1(config)#wlan ?
WORD Enter Profile Name up to 32 alphanumeric characters
shutdown Enable/disable all WLANs
3850-1(config)#wlan OPEN ?
<1-64> Create WLAN Identifier
<cr>
3850-1(config)#wlan OPEN 19 ?
WORD Enter SSID (Network Name) up to 32 alphanumeric characters
<cr>
3850-1(config)#wlan OPEN 19 OPEN
Now if you look at the running configuration you will see the following
3850-1#sh run | sec wlan
wlan OPEN 19 OPEN
shutdown
Not much is shown here. What about all the default settings of this WLAN? To see them, issue the “sh running-config all” command. Here is the output with all the default settings.
3850-1#sh running-config all | sec wlan OPEN
wlan OPEN 19 OPEN
 accounting-list
 assisted-roaming dual-list
 assisted-roaming neighbor-list
 broadcast-ssid
 ccx aironet-iesupport
 channel-scan defer-priority 4
 channel-scan defer-priority 5
 channel-scan defer-priority 6
 channel-scan defer-time 100
 chd
 client association limit ap 0
 client association limit radio 0
 client association limit 0
 client vlan default
 dtim dot11 24ghz 1
 dtim dot11 5ghz 1
 exclusionlist
 exclusionlist timeout 60
 ip access-group web
 ip access-group
 ip dhcp server 0.0.0.0
 ipv6 traffic-filter web none
 ipv6 traffic-filter none
 mac-filtering
 mfp client
 mfp infrastructure-protection
 mobility anchor sticky
 radio all
 security wpa
 security wpa akm dot1x
 security wpa wpa2
 security wpa wpa2 ciphers aes
 security dot1x authentication-list
 security dot1x encryption 104
 security ft over-the-ds
 security ft reassociation-timeout 20
 security pmf association-comeback 1
 security pmf saquery-retry-time 200
 security static-wep-key authentication open
 security tkip hold-down 60
 security web-auth authentication-list
 security web-auth parameter-map
 service-policy client input unknown
 service-policy client output unknown
 service-policy input unknown
 service-policy output unknown
 session-timeout 1800
 wmm allowed
 shutdown
So by default security is set to WPA2/AES, the interface is mapped to VLAN 1 (default), the SSID is broadcast, etc. In this first example we will change it to open authentication: we map the WLAN to client VLAN 1410 (WLN-STD-6) and remove WPA security.
3850-1(config)#wlan OPEN 19 OPEN
3850-1(config-wlan)#no security wpa
3850-1(config-wlan)#client vlan vlan1410
3850-1(config-wlan)#no shut
3850-1(config-wlan)#do sh run | sec wlan OPEN
wlan OPEN 19 OPEN
 client vlan WLN-STD-6
 no security wpa
 no security wpa akm dot1x
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 no shutdown
Since I am using a WLAN ID higher than 16, I have to use an AP Group to advertise this SSID. So I have created an AP Group called “3850” & mapped this WLAN onto it with interface VLAN 1410. You can assign an AP to an AP Group by using the “ap name <AP-NAME> ap-groupname <Group-Name>” CLI command.
3850-1(config)#ap group 3850
3850-1(config-apgroup)#?
  default Set a command to its defaults
  description Specify the description for the AP group
  exit Exit sub-mode
  no Negate a command or set its defaults
  wlan Add WLAN to ap group
3850-1(config-apgroup)#wlan ?
  WORD Enter WLAN name
3850-1(config-apgroup)#wlan OPEN
3850-1(config-wlan-apgroup)#?
  default Set a command to its defaults
  exit Exit sub-mode
  no Negate a command or set its defaults
  radio-policy Configures Radio Policy on given AP-Group
  vlan Configures the WLANs vlan
3850-1(config-wlan-apgroup)#vlan ?
  WORD Specify the vlan name or vlan id
3850-1(config-wlan-apgroup)#vlan WLN-STD-6

3850-1#ap name L3502-1 ap-groupname 3850
Changing the AP's group name will cause the AP to reboot.
Are you sure you want to continue? (y/n)[y]: y
Once you do this you should be able to connect to this SSID.
3850-1#show wireless client mac-address a088.b435.c2f0 detail
Client MAC Address : a088.b435.c2f0
Client Username: N/A
AP MAC Address : 2c3f.382b.5700
AP Name: L3502-1
AP slot : 1
Client State : Associated
Wireless LAN Id : 19
Wireless LAN Name: OPEN
BSSID : 2c3f.382b.570d
Connected For : 95 secs
Protocol : 802.11n - 5 GHz
Channel : 64
Client IIF-ID : 0xc3ab4000000088
ASIC : 0
IPv4 Address : 10.141.99.247
IPv6 Address : Unknown
Association Id : 2
Authentication Algorithm : Open System
Status Code : 0
Session Timeout : 0
Client CCX version : 4
Client E2E version : 1
Input Policy Name : unknown
Input Policy State : None
Output Policy Name : unknown
Output Policy State : None
802.1P Priority Tag : Not supported
WMM Support : Enabled
U-APSD Support : Disabled
Power Save : OFF
Current Rate : m15
Supported Rates : 6.0,9.0,12.0,18.0,24.0,36.0,48.0,54.0,6.0,9.0,12.0,18.0,24.0,36.0,48.0,54.0
Mobility State : Local
Mobility Move Count : 0
Security Policy Completed : Yes
Policy Manager State : RUN
Policy Manager Rule Created : Yes
NPU Fast Fast Notified : Yes
Last Policy Manager State : DHCP_REQD
Client Entry Create Time : 1293325 seconds
Policy Type : N/A
Encryption Cipher : None
Management Frame Protection : No
Protected Management Frame - 802.11w : No
EAP Type : Not Applicable
Interface : WLN-STD-6
VLAN : 1410
Quarantine VLAN : 0
Access VLAN : 1410
WFD capable : No
Manged WFD capable : No
Cross Connection capable : No
Support Concurrent Operation : No
Client Capabilities
 CF Pollable : Not implemented
 CF Poll Request : Not implemented
 Short Preamble : Not implemented
 PBCC : Not implemented
 Channel Agility : Not implemented
 Listen Interval : 90
Fast BSS Transition : Not implemented
Fast BSS Transition Details :
Client Statistics:
 Number of Bytes Received : 196611
 Number of Bytes Sent : 8767
 Number of Packets Received : 1477
 Number of Packets Sent : 166
 Number of EAP Id Request Msg Timeouts : 0
 Number of EAP Request Msg Timeouts : 0
 Number of EAP Key Msg Timeouts : 0
 Number of Data Retries : 4
 Number of RTS Retries : 0
 Number of Duplicate Received Packets : 0
 Number of Decrypt Failed Packets : 0
 Number of Mic Failured Packets : 0
 Number of Mic Missing Packets : 0
 Number of Policy Errors : 0
 Radio Signal Strength Indicator : -49 dBm
 Signal to Noise Ratio : 44 dB
Assisted-Roaming Prediction List:
Nearby AP Statistics:
 L3502-1(slot1)
  antenna0: 58 seconds ago -61 dBm
  antenna1: 58 seconds ago -51 dBm
Now if you want to configure this as WPA2/AES with PSK, you can add the configuration below. Since we disabled WPA earlier, you first need to enable it before configuring WPA2. Also, before configuring PSK you need to disable dot1x.
3850-1(config-wlan)#security wpa
3850-1(config-wlan)#security wpa wpa2 ciphers aes
3850-1(config-wlan)#no security wpa akm dot1x
3850-1(config-wlan)#security wpa akm psk set-key ascii 0 Cisco123
This time you have to use the PSK defined above to connect to this WLAN.
3850-1#sh wireless client mac-address a088.b435.c2f0 detail
Client MAC Address : a088.b435.c2f0
Client Username: N/A
AP MAC Address : 2c3f.382b.5700
AP Name: L3502-1
AP slot : 1
Client State : Associated
Wireless LAN Id : 19
Wireless LAN Name: OPEN
BSSID : 2c3f.382b.570d
Connected For : 189 secs
Protocol : 802.11n - 5 GHz
Channel : 64
Client IIF-ID : 0xcc9bc000000097
ASIC : 0
IPv4 Address : 10.141.99.247
IPv6 Address : Unknown
Association Id : 2
Authentication Algorithm : Open System
Status Code : 0
Session Timeout : 0
Client CCX version : 4
Client E2E version : 1
Input Policy Name : unknown
Input Policy State : None
Output Policy Name : unknown
Output Policy State : None
802.1P Priority Tag : Not supported
WMM Support : Enabled
U-APSD Support : Disabled
Power Save : OFF
Current Rate : m15
Supported Rates : 6.0,9.0,12.0,18.0,24.0,36.0,48.0,54.0,6.0,9.0,12.0,18.0,24.0,36.0,48.0,54.0
Mobility State : Local
Mobility Move Count : 0
Security Policy Completed : Yes
Policy Manager State : RUN
Policy Manager Rule Created : Yes
NPU Fast Fast Notified : Yes
Last Policy Manager State : DHCP_REQD
Client Entry Create Time : 1296794 seconds
Policy Type : WPA2
Authentication Key Management : PSK
Encryption Cipher : CCMP (AES)
Management Frame Protection : No
Protected Management Frame - 802.11w : No
EAP Type : Not Applicable
Interface : WLN-STD-6
VLAN : 1410
Quarantine VLAN : 0
Access VLAN : 1410
WFD capable : No
Manged WFD capable : No
Cross Connection capable : No
Support Concurrent Operation : No
Client Capabilities
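An added example, not part of the original post: plain “sh run” hides the defaults that “sh running-config all” lists, so a WLAN with no security lines is WPA2 with dot1x rather than open. The Python below applies those defaults to saved config text and reports each WLAN's effective mode, a PSK present as type 0, and a WLAN ID above 16 that is in no AP group; the function name audit, the WLANs and key in SAMPLE, and the layout of the AP-group section are constructed assumptions.

```python
import re

# Constructed sample shaped like the WLAN / AP-group parts of "sh run".
SAMPLE = """\
wlan OPEN 19 OPEN
 no security wpa
 no shutdown
wlan STAFF 20 STAFF
 no security wpa akm dot1x
 security wpa akm psk set-key ascii 0 Constructed-Key-1
 no shutdown
wlan UNTOUCHED 5 UNTOUCHED
ap group 3850
 wlan OPEN
"""
# Defaults hidden by plain "sh run", as listed in the "sh running-config all" output.
DEFAULTS = {"security wpa": True, "security wpa akm dot1x": True, "shutdown": True}

def audit(config):
    """Return {wlan_name: (auth_mode, [notes])} with the hidden defaults applied."""
    wlans, grouped, cur, in_group = {}, set(), None, False
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):                    # top-level command
            m = re.match(r"wlan (\S+) (\d+) \S+$", line)
            cur = wlans.setdefault(m.group(1), dict(DEFAULTS, id=int(m.group(2)), psk=None)) if m else None
            in_group = line.startswith("ap group ")
        elif in_group and line.startswith("wlan "):    # WLAN listed in an AP group
            grouped.add(line.split()[1])
        elif cur is not None:
            negated = line.startswith("no ")
            cmd = line[3:] if negated else line
            m = re.match(r"security wpa akm psk set-key \w+ (\d) \S", cmd)
            if m and not negated:
                cur["psk"] = m.group(1)                # key-type digit; 0 = unencrypted
            elif cmd in DEFAULTS:
                cur[cmd] = not negated
    report = {}
    for name, w in wlans.items():
        mode = ("open" if not w["security wpa"] else "psk" if w["psk"] is not None
                else "dot1x" if w["security wpa akm dot1x"] else "wpa-no-akm")
        checks = [(mode == "open" and not w["shutdown"], "enabled without encryption"),
                  (w["psk"] == "0", "PSK shown as type 0 (unencrypted)"),
                  (w["id"] > 16 and name not in grouped, "WLAN ID above 16 but in no AP group")]
        report[name] = (mode, [msg for hit, msg in checks if hit])
    return report

if __name__ == "__main__":
    for name, (mode, notes) in audit(SAMPLE).items():
        print(f"{name}: {mode}; {', '.join(notes) or 'no findings'}")
```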
In the GUI (https://10.15.4.255/wireless), go to “Configuration -> Wireless -> WLAN”; the features are then available under the General, Security, QoS, AVC & Advanced tabs (see below).
In the next post we will see how to configure a dot1x WLAN with ACS/ISE.
