Indoor MESH with Cisco AP 1131
Posted on Wednesday July 13th, 2011

The Lightweight Access Point Cisco 1131 is a two-radio Wi-Fi infrastructure device that can be used for indoor mesh deployments. It is a CAPWAP/LWAPP based product. It provides a 2.4 GHz radio and a 5.8 GHz radio compatible with 802.11b/g and 802.11a. One radio can be used for local (client) access for the access point (AP) and the second radio can be configured for wireless backhaul. The AP 1131 supports P2P, P2MP, and mesh type of architectures. Other Cisco indoor AP models are also mesh capable.

Indoor mesh is a subset of the Enterprise mesh architecture deployed on the Unified Wireless architecture. With indoor mesh, one of the radios (typically 802.11b/g) and/or the wired Ethernet link is used to connect to clients, while the second radio (typically 802.11a) is used to backhaul client traffic. A mesh AP can be either a RAP (Root AP) or a MAP (Mesh AP). A RAP acts as a bridge between the controller and other wireless APs. A MAP connects to a RAP or a MAP over the air on an 802.11a radio and also services clients on an 802.11b/g radio.

Basic Mesh Configuration

The first step is to set the AP to bridge mode. After the AP reboots, set the AP role to RAP. This root AP has a wired connection to the WLC controller (through a switch).

In this example, we set the bridge group name to BG1, the backhaul interface is 802.11a, and we leave the data rate set to auto.

Configure the next AP as a bridge and set its AP Role to MeshAP. A MAP does not have a wired connection to the WLC. It communicates with the WLC through a RAP. In this example, we set the bridge group name to BG1 (so it matches the RAP), the backhaul interface is 802.11a, and we leave the data rate set to auto.

I checked the Mesh DCA Channels and left the rest at their default values. Next, you must configure the desired DCA channels under Wireless > 802.11a/n.

As a basic security measure, you need to provide the AP MAC Address of each RAP/MAP in the Local MAC Filters. Not doing so will prevent the MESH APs from coming up.

Note: the AP MAC Address is the wired side MAC address.

Authenticating MESH APs with RADIUS

MAC Filtering does not scale well across multiple controllers and provides minimal security. You are better off using central authentication for all your Mesh APs. Cisco uses EAP-FAST to authenticate its mesh APs. Here is how to do it.

From the Mesh Security section, choose EAP, and check both External MAC Filter Authorization and Force External Authentication. Then check a RADIUS server from the list.

To set up your RADIUS server, please complete these 2 steps:

1. Configure EAP-FAST on the RADIUS server and install the certificates.
EAP-FAST authentication is required if mesh access points are connected to the controller using an 802.11a interface; the external RADIUS servers need to trust Cisco Root CA 2048. You must download the EAP-FAST certs from Cisco.com. For information about installing and trusting the CA certificates, see Configuring RADIUS Servers, Cisco Wireless Mesh Access Points, Design and Deployment Guide, Release 7.0.
2. Configure MAC filters for MESH APs
For each RAP/MAP, you need to provide two credentials in RADIUS:
- MAC filter / Password
- Username / Password
The MAC filter / password format is as follows:
AP_MAC_Address / AP_MAC_Address
Example:
001d451f5d22 / 001d451f5d22

The user and password format is as follows:
AP_Model-AP_MAC_Address / AP_Model-AP_MAC_Address
Example:
C1130-001d451f5d22 / C1130-001d451f5d22

Note: the AP MAC Address is the wired side MAC address.

TIP: From this point, you no longer need Local MAC filtering for your MAPs. Please purge them from your WLC.

The following figure shows Cisco ACS Passed Authentications report for both the mesh AP MAC filter and the mesh AP username.
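The two RADIUS records per AP described in step 2, and the local MAC filter purge from the TIP, can be derived from an AP inventory as sketched here. This is an added example, not code from the original post; the function names, the inventory and the local filter list are constructed for illustration, and the model prefix is taken as input because the post only shows C1130.

```python
import re

def normalize_mac(raw):
    """Return a MAC as 12 lowercase hex digits, the form used in the post's example."""
    digits = re.sub(r"[:\-.\s]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits

def radius_records(inventory):
    """inventory: iterable of (model_prefix, wired_side_mac).
    Returns the (username, password) pairs to create in RADIUS, two per AP."""
    records, seen = [], set()
    for model, raw_mac in inventory:
        mac = normalize_mac(raw_mac)
        if mac in seen:
            raise ValueError(f"duplicate AP MAC in inventory: {mac}")
        seen.add(mac)
        records.append((mac, mac))      # MAC filter / password
        user = f"{model}-{mac}"
        records.append((user, user))    # username / password
    return records

def redundant_local_filters(local_filters, inventory):
    """Local MAC filter entries on the WLC that RADIUS now covers and can be purged."""
    covered = {normalize_mac(mac) for _, mac in inventory}
    return [entry for entry in local_filters if normalize_mac(entry) in covered]

# Constructed sample data: wired side MACs in two common notations.
INVENTORY = [("C1130", "00:1D:45:1F:5D:22"), ("C1130", "001d.451f.5d33")]
LOCAL_FILTERS = ["00:1d:45:1f:5d:22", "00:1d:45:aa:bb:cc"]

if __name__ == "__main__":
    for user, password in radius_records(INVENTORY):
        print(f"{user} / {password}")
    print("purge from WLC:", redundant_local_filters(LOCAL_FILTERS, INVENTORY))
```

Local filter entries that do not match an inventoried AP are left alone so they can be reviewed by hand before removal.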

Conclusion

We covered the basics on how to use the Cisco AP 1131 to create an indoor mesh network. This can be useful for several reasons, such as extending a network where cabling is not always economical or for temporary work setups. MAC address filtering represents the least secure way of authenticating RAPs and MAPs. You should instead authenticate all APs with a RADIUS server. You may also want to authenticate the wired APs (RAP) using 802.1X, see my previous blog post for details.


This entry was posted in Wireless by Steve Williams. Bookmark this post [http://www.swilliamsgroup.com/indoor-mesh-with-cisco-ap-1131/].