Cisco WLAN Management Software

Here goes - any help much appreciated.

I've got a large global estate of Cisco Aironets (1240Gs and 1252Gs).

They authenticate the user using LEAP to a pair of WLSE devices in HA in a datacentre, which all WAPs use to authenticate the users. The WLSE devices (out of support) in turn pass the authentication to a Windows 2000 Server running a piece of software called Cisco ACS Agent.

This software is now out of support and does not work on any OS higher than Windows 2000.

Cisco's latest WLAN controllers don't do what we as a business need (the architecture has changed since the WLSEs were in support), as they now pipe all WLAN traffic through the WLAN controllers, so I'd need one on each site.

Is there any third-party software for WAP management whereby I can utilise the Cisco Aironets I have but take away the need for the ACS software and the 2k server it's running on?

I've got options for a redesign, but none have any third-party software capable of managing the estate and allowing me to move away from the WLSEs and the 2k server with ACS.

Anyone aware of any such software?
 
Hi Mr Bond,

I'm currently mid-deployment of a Cisco UWN solution: 23 sites with 7 controllers in 2 data centres. We're using H-REAP to break the traffic out into the local sites, while using the WLCs to centrally manage everything with a WCS server overlaying the top.

We're passing the auth back via PEAP from the AP to the WLC, to an ACS, which then calls a Win2k3 server with ACS Agent on it to look up the user in AD.

Kev
 
Just had a check: 1240 and 1252 APs look like they support H-REAP. I'd be tempted to migrate some of them to a WLC (we purchased 5508s), then update the AP code to lightweight...

Depending on your reseller, you might be able to negotiate buy-back on the old stuff.


Happy to provide any info on our deployment if you need it :)
 
Hi - thanks.

A couple of things you've mentioned there.

The controllers you use in the datacentre: can the APs work fine without sending their WLAN traffic down them first? (Bear with me, I'm not a network expert, especially not with wireless!)

Also, you mention ACS Agent on a 2k3 server; is there a version which supports this now?
 
All data has to pass through the controller. Depending on your setup, you may choose to have them all in a centralised location (main data centre) or buy several units with only a few licences on each box at each site.

We have only recently migrated from WLSE to lightweight APs and WLC and are adding WCS and MSE soon.
 
Cheers for the information. Looks like I'll be getting rid of the Cisco Aironets as soon as I get the chance.

Their current solution design isn't what I'm after; it would cost a fortune to deploy controllers on each site (some have slow WAN links, so piping all WLAN traffic through a data centre wouldn't be appropriate).

Thanks for your answer guys.
 
Actually no, it doesn't have to; hence the beauty of H-REAP.... I've got 7 controllers and the only traffic that passes from the AP to the controller is management and authentication. The client traffic (i.e. a user's laptop) breaks out from the AP locally (like a regular AP) and isn't tunnelled all the way back.

There are 3 deployment models: controller at each site (distributed), controller at central site (centralised), or centralised H-REAP.

My requirement was to host the controllers in a DC environment (local comms rooms were not ideal) and not to use up my WAN links with client traffic. So we deployed central controllers with local breakout (H-REAP).

In the event of a WAN failure, the APs will still continue to operate with clients that are already associated/authenticated but will reject new connection requests until the WAN comes back. The only requirement I think is 150 ms delay on the WAN (or something like that).

I'll look at sorting one of my diagrams out in a minute for you to have a nose at.
 
OK, here are the links for the diagrams. They're not great, but that's because my Visio skills suck; hopefully they'll show what I mean:

Client Traffic

In the link above, we are breaking the corp client out of the AP locally into a VLAN, but all the control traffic passes over the WAN. The exception to this is that we've deployed a guest wireless network; this forms a tunnel all the way over the WAN to a dedicated WLC that has a toe into the internet. The benefit of this is that a guest client connects to a dedicated SSID, and the traffic is wrapped up over our network and pushed out to the internet (via a login splash page). The client isn't aware of the underlying corporate network, as it's transparent.


Management Traffic


The above link shows how the management side of it hangs together. The two ACS Agents reside on Win2k3 machines that are members of the domain, so they can link into AD on behalf of the ACS servers (standalone appliances).


So, in Summary:

Guest access is tunnelled back over the WAN, but then out to the net (the underlying network is transparent).
Corp access is authenticated over the WAN, but breaks out locally in each site, so there is no tying up of the WAN links.

Kev
 
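The "authentication over the WAN" leg Kev describes runs from the NAS (the H-REAP AP or the WLC) to the ACS server, and ACS is a RADIUS server, so the EAP (PEAP) frames travel inside RADIUS Access-Request / Access-Challenge packets. The block below is an added example, not code from this thread, from Cisco or from ACS; it encodes that exchange per RFC 2865 and RFC 3579 and shows the two integrity checks each side must perform: the Message-Authenticator that protects EAP-carrying requests and replies (without it an on-path attacker on the WAN can alter attributes, because the 16-byte Request Authenticator is just a random nonce), and the Response Authenticator that binds a reply to the request it answers. The shared secret, user identity and NAS address are constructed, and treating the WLC-to-ACS transport as RADIUS is an assumption.

```python
"""RADIUS (RFC 2865) carrying EAP (RFC 3579) between a NAS (AP/WLC) and the ACS server.
Added example, not code from the thread; secret, identity and addresses are constructed."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_EAP_MESSAGE, ATTR_MSG_AUTH = 1, 4, 79, 80
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1


def encode_attrs(attrs):
    """RADIUS TLVs: 1-byte type, 1-byte length (including the 2-byte header), value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def eap_response_identity(eap_id, identity):
    """EAP Response/Identity, the first frame the supplicant sends (RFC 3748 s5.1)."""
    return struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(identity), EAP_TYPE_IDENTITY) + identity


def _message_authenticator(secret, code, ident, authenticator, attrs):
    """HMAC-MD5 over the whole packet with the Message-Authenticator value zeroed (RFC 3579 s3.2)."""
    body = encode_attrs(attrs + [(ATTR_MSG_AUTH, bytes(16))])
    header = struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator
    return hmac.new(secret, header + body, hashlib.md5).digest()


def build_access_request(secret, ident, request_authenticator, attrs):
    """NAS side. An Access-Request carrying EAP-Message must also carry Message-Authenticator."""
    mac = _message_authenticator(secret, ACCESS_REQUEST, ident, request_authenticator, attrs)
    body = encode_attrs(attrs + [(ATTR_MSG_AUTH, mac)])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_authenticator + body


def build_response(secret, code, ident, request_authenticator, attrs):
    """Server side. MA is computed with the Request Authenticator in the header, then
    Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret) (RFC 2865 s3)."""
    mac = _message_authenticator(secret, code, ident, request_authenticator, attrs)
    body = encode_attrs(attrs + [(ATTR_MSG_AUTH, mac)])
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return head + hashlib.md5(head + request_authenticator + body + secret).digest() + body


def _zero_message_authenticator(pkt):
    """Walk the TLVs; return (packet copy with the MA value zeroed, original MA value),
    or None when the header is bad or the attribute is absent, duplicated or malformed."""
    if len(pkt) < 20:
        return None
    length = struct.unpack("!H", pkt[2:4])[0]
    if length < 20 or length > len(pkt):
        return None
    buf, i, mac = bytearray(pkt[:length]), 20, None
    while i < length:
        if i + 2 > length or buf[i + 1] < 2 or i + buf[i + 1] > length:
            return None
        if buf[i] == ATTR_MSG_AUTH:
            if mac is not None or buf[i + 1] != 18:
                return None
            mac = bytes(buf[i + 2:i + 18])
            buf[i + 2:i + 18] = bytes(16)
        i += buf[i + 1]
    return (bytes(buf), mac) if mac is not None else None


def verify_request(secret, pkt):
    """ACS-side check of an Access-Request: Message-Authenticator present and valid."""
    z = _zero_message_authenticator(pkt)
    if z is None or pkt[0] != ACCESS_REQUEST:
        return False
    zeroed, mac = z
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), mac)


def verify_response(secret, request_authenticator, pkt):
    """NAS-side check of Accept/Reject/Challenge: Response Authenticator ties the reply to our
    request (a replayed reply to another request fails), then MA recomputed as the server did."""
    z = _zero_message_authenticator(pkt)
    if z is None or pkt[0] not in (ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE):
        return False
    zeroed, mac = z
    expected = hashlib.md5(pkt[:4] + request_authenticator + pkt[20:len(zeroed)] + secret).digest()
    if not hmac.compare_digest(expected, pkt[4:20]):
        return False
    zeroed = zeroed[:4] + request_authenticator + zeroed[20:]
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), mac)


SECRET = b"constructed-shared-secret"      # assumption: the NAS/ACS shared secret
REQUEST_AUTHENTICATOR = bytes(range(16))   # a real NAS draws 16 random bytes per request
REQUEST_ATTRS = [(ATTR_USER_NAME, b"alice@corp.example"),                          # constructed identity
                 (ATTR_NAS_IP_ADDRESS, bytes([10, 0, 0, 5])),                      # constructed WLC address
                 (ATTR_EAP_MESSAGE, eap_response_identity(1, b"alice@corp.example"))]
PEAP_START = b"\x01\x02\x00\x06\x19\x20"   # EAP-Request, id 2, type 25 (PEAP), S flag set


def exchange():
    """Round trip: NAS builds the request, the server checks it and answers with an Access-Challenge
    (the PEAP start), the NAS checks the reply. Also shows tampering, a wrong secret and replay failing."""
    req = build_access_request(SECRET, 7, REQUEST_AUTHENTICATOR, REQUEST_ATTRS)
    tampered = bytearray(req)
    tampered[22] ^= 0x01    # flip a bit inside the User-Name value (first attribute, offset 20 + 2)
    challenge = build_response(SECRET, ACCESS_CHALLENGE, 7, REQUEST_AUTHENTICATOR,
                               [(ATTR_EAP_MESSAGE, PEAP_START)])
    return {
        "request_ok": verify_request(SECRET, req),
        "tampered_rejected": not verify_request(SECRET, bytes(tampered)),
        "wrong_secret_rejected": not verify_request(b"not-the-secret", req),
        "challenge_ok": verify_response(SECRET, REQUEST_AUTHENTICATOR, challenge),
        "replayed_challenge_rejected": not verify_response(SECRET, bytes(16), challenge),
    }
```

Running `exchange()` returns all five checks as True. The practical point for the thread's design: the H-REAP AP or WLC is the RADIUS client, so the shared secret has to be provisioned on every controller that fronts the APs, and a server that accepts EAP-carrying requests without a Message-Authenticator (as `verify_request` refuses to do) leaves the PEAP exchange over the WAN modifiable by anyone on the path.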
Apologies, I wasn't aware that was possible. I'll do some reading on H-REAP. :)
 
No worries! To be fair, the Cisco docs aren't that great :) They say that our APs aren't compatible and that you can only have a couple per controller, but that's not the case...

If you go down the WCS route and you use AP templates, you can't just apply all the settings you want and hit apply; it will fail. I've got a process back at my work desk that I've created through the pain of trial and error! Once I get the whole project deployed, I might write a deployment guide, as the whole thing is a nightmare when you start from scratch!
 
Hopefully you'll make it public :]
 
We're using agent version 1 against ACS server 4.x.

You don't have to put the AP in a separate VLAN; you could put the AP and the SSID in the same existing VLAN, but we've chosen to split ours out and have separate AP management and client traffic, as well as separate wired VLANs. But like I said, there's no reason these can't all be the same if you needed them to be.
 