Iuwne10 LG v2

IUWNE
Implementing Cisco
Unified Wireless
Networking Essentials
Version 1.0
Lab Guide
Text Part Number: 97-2700-02
DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED AS IS. CISCO MAKES AND YOU RECEIVE NO WARRANTIES IN
CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN ANY OTHER PROVISION OF
THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY DISCLAIMS ALL IMPLIED
WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR
PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. This learning product may contain early release
content, and while Cisco believes it to be accurate, it falls subject to the disclaimer above.
Table of Contents
Lab Guide
Overview
1
Outline
1
Lab 1-1: Becoming Familiar with Antennae and Ranges
2
Activity Objective
2
Visual Objective
2
Required Resources
2
Task 1: Complete These Power Conversions
3
Task 2: Calculate EIRP and Choose the Correct Antenna
4
Task 3: Determine the Type of Antenna Represented, Its Use, and the Best Location for It
5
Lab 1-2: Creating an Ad Hoc (IBSS) Network and Analyzing the Communication
7
Activity Objective
7
Visual Objective
7
Required Resources
7
Command List
9
Job Aids
9
Task 1: Connect to the Remote Lab
10
Task 2: Connect to Your Remote Lab Wireless Laptop
13
Task 3: Verify the Internal Card Settings
15
Task 4: Create an Ad Hoc Network and Analyze the Communication
19
Lab 2-1: Configuring a Cisco 2106 WLC
34
Activity Objective
34
Visual Objective
34
Required Resources
34
Job Aids
35
Task 1: Connect to the WLAN Controller Serial Interface and Configure Your Controller for the
First Time
37
Task 2: Connect to Your Controller
42
Task 3: Allow Limited Remote Management
44
Task 4: Allow Open Authentication
45
Task 5: Create a DHCP Scope
47
Task 6: Look for APs
48
Lab 2-2: Configuring and Migrating a Standalone AP
50
Activity Objective
50
Visual Objective
50
Required Resources
50
Job Aids
51
Task 1: Check the AP Parameters
51
Task 2: Configure Your Standalone AP
54
Task 3: Convert Your Standalone AP to LWAPP
64
Lab 2-3: Installing and Configuring a Cisco Mobility Express Wireless Controller and AP
76
Activity Objective
76
Visual Objective
76
Required Resources
76
Job Aids
77
Task 1: Configure Your Cisco Mobility Express Wireless Controller
80
85
Task 3: Manage the AP
88
Task 4: Use the Cisco Configuration Assistant
91
Lab 3-1: Installing and Using the Cisco ADU
104
Activity Objective
104
Visual Objective
104
Required Resources
104
Job Aids
105
Task 1: Installing the Software
105
Task 2: Use the Cisco ADU and the Cisco Site Survey Utility
110
Lab 3-2: Experimenting with Connections and Roaming

Activity Objective
Visual Objective
Required Resources
Job Aids
Task 1: Create a Common WLAN
Task 2: Connect to the Right AP
Task 3: Use Roaming
Lab 4-1: 802.1Q and Web Authentication
Activity Objective
Visual Objective
Required Resources
Job Aids
Task 1: Create a VLAN Interface
Task 2: Create the WLAN
Task 3: Configure a Trunk Port
Task 3: Create a Local Net User
Task 4: Have the AP Rejoin the Controller
Task 5: Client Configuration
Task 6: Client Exclusion
Lab 4-2: Configuring EAP-FAST Authentication with WPA
Activity Objective
Visual Objective
Required Resources
Job Aids
Task 2: Configure the Client and Access the Network
Lab 5-1: Configuring Controllers and APs from the Cisco WCS
Activity Objective
Visual Objective
Required Resources
Job Aids
Task 1: Create Credentials on the Cisco WCS and Customize the Interface
Task 2: Add a Controller and AP
Task 3: Manage the Controller and AP from the Cisco WCS
Lab 5-2: Working with Maps
Activity Objective
Visual Objective
Required Resources
Job Aids
Task 1: Add Maps
Task 2: Enhance the Map
Task 3: Positioning APs
Lab 5-3: Monitoring the Network and Containing Devices
Activity Objective
Visual Objective
Required Resources
Job Aids
Task 1: Monitoring Events
Task 2: Contain a Rogue
Lab 6-1: Back Up the Controller Configuration and the Cisco WCS Database Files
Activity Objective
Visual Objective
Required Resources
Task 1: Examine Controller Configuration Files
Task 2: Save the Configuration Using TFTP
ii
Implementing Cisco Unified Wireless Networking Essentials (IUWNE) v1.0
124
124
124
124
125
125
134
141
146
146
146
147
147
148
152
155
159
160
162
169
171
171
171
171
172
172
178
188
188
188
188
189
189
194
198
202
202
202
202
203
203
207
211
218
218
218
218
219
219
224
231
231
231
231
232
240
2008 Cisco Systems, Inc.
Lab 6-2: Troubleshooting

247
Activity Objective
247
Visual Objective
247
Required Resources
247
Command List
248
Job Aids
248
Lab 6-3: Optional Lab Troubleshooting with Wireshark and Converting an AP to Autonomous Mode
253
Activity Objective
253
Visual Objective
253
Required Resources
253
Job Aids
254
Task 1: Use Wireshark to Analyze a Connection Issue
258
Task 2: Migrate Your LWAPP 1252 AP to Autonomous Mode
265
Answer Key
272
Lab 1-1 Answer Key: Power Conversions
272
Lab 1-2 Answer Key: Creating an Ad Hoc Network (IBSS) and Analyzing the Communication 273
Lab 2-1 Answer Key: Configuring a Cisco 2106 WLC
273
Lab 2-2 Answer Key: Configuring and Migrating a Standalone AP
275
Lab 2-3 Answer Key: Installing and Configuring a Cisco Mobility Express Wireless Controller and
AP
276
Lab 3-1 Answer Key: Installing and Using the Cisco ADU
276
Lab 3-2 Answer Key: Experimenting with Connections and Roaming
277
Lab 4-1 Answer Key: 802.1Q and Web Authentication
278
Lab 4-2 Answer Key: Configuring EAP-FAST Authentication with WPA
279
Lab 5-1 Answer Key: Configuring Controllers and APs from the Cisco WCS Interface
280
Lab 5-2 Answer Key: Working with Maps
280
Lab 5-3 Answer Key: Monitoring the Network and Containing Devices
280
Lab 6-1 Answer Key: Backing Up Controller Configuration and the Cisco WCS Database Files
281
Lab 6-2 Answer Key: Troubleshooting
288
Lab 6-3 Answer Key: Troubleshooting with Wireshark
288
iii
iv
IUWNE
Lab Guide
Overview
This guide presents the instructions and other information concerning the lab activities for this
course. You can find the solutions in the lab activity Answer Key.
Outline
This guide includes these activities:
Lab 1-1: Becoming Familiar with Antennae and Ranges
Lab 1-2: Creating an Ad Hoc Network (IBSS) and Analyzing the Communication
Lab 2-2: Configuring and Migrate a Standalone AP
Lab 2-3: Configuring a Cisco Mobility Express Wireless Controller and AP
Lab 3-2: Experimenting with Connections and Roaming
Lab 4-1: Configuring Web Authentication
Lab 4-2: Configuring EAP-FAST Authentication with WPA
Lab 5-1: Configuring Controllers and APs from the Cisco WCS Interface
Lab 5-3: Monitoring the Network and Containing Devices
Lab 6-1: Backing Up the Controller Configuration and the Cisco WCS Database
Lab 6-2: Troubleshooting Games
Lab 6-3: Optional Lab
Answer Key
Lab 1-1: Becoming Familiar with Antennae and

Ranges
Complete this lab activity to practice what you learned in the related module.
Activity Objective
In this activity, you will work with antennae and powers. After completing this activity, you
will be able to meet these objectives:
Convert milliwatts to dBm and back
Determine the EIRP from the AP, cable, and antenna specifications provided
Determine which AP is the best choice for which situation
Visual Objective
The figure illustrates what you will accomplish in this activity.
Visual Objective for Lab 1-1: Becoming

Familiar with Antennas and Ranges
x mW = y dBm
2008 Cisco Systems, Inc. All rights reserved.
IUWNE v1.05
Required Resources
These are the resources and equipment that are required to complete this activity:
A PC with Microsoft Excel or OpenOffice Calc
Implementing Cisco Unified Wireless Network Essentials (IUWNE) v1.0
Task 1: Complete These Power Conversions

In this task, you will work with various powers to familiarize yourself with decibel
conversions.
Activity Procedure
Complete these steps:
Step 1
Convert 20 mW to its dBm equivalent.
Step 2
Convert 40 mW to its dBm equivalent.
Step 3
Convert 2 W to its dBm equivalent.
Step 4
Convert 23 dBm to its milliwatts equivalent.
Step 5
Convert -13 dBm to its milliwatts equivalent.
Step 6
A station receives 0.000001 mW RSSI from an AP. The noise level is around
0.00000025 mW. Convert these values to dBm and determine the SNR level. Is the
SNR level acceptable?
Step 7
How many dBd is a 7.24 dBi antenna?
Step 8
How many dBd is a 13.56 dBi antenna?
Step 9
How many dBi is a 13.56 dBd antenna?
Step 10
How many dBi is an 18.86 dBd antenna?
Step 11
What is the dBd gain of a 21 dBi dish antenna?
Step 12
Which antenna has more gain: 2.14 dBi or 3.28 dBd?
Step 13
Which antenna has more gain: 3.41 dBi or 4.18 dBm?
Activity Verification
You have successfully completed this task when you attain this result:
You have found the correct values as per the answer key.
Lab Guide
Task 2: Calculate EIRP and Choose the Correct Antenna

In this task, you will work with hardware specifications to determine the EIRP or to choose
which hardware matches the link specifications.
Activity Procedure
Step 1
Which antenna would work best for a point-to-point 26-mile (42-km) link? A 21 dBi
dish, a 5.2 dBi omnidirectional, or an 8.1 dBi patch?
Step 2
Which antenna would work best for large lobby coverage from a wall? A 21 dBi
dish, a 5.2 dBi omnidirectional, or an 8.1 dBi patch?
Step 3
Which antenna would work best for coverage of a meeting room from the ceiling?
21 dBi dish, 5.2 dBi omni, 8.1 dBi patch?
Step 4
An AP transmitter emits 40 mW of power through a cable that is adding 3 dB loss.

The Yagi antenna that is being used has 13.5 dBi gain. What is the EIRP?
Step 5
An AP transmitter emits 20 mW of power through a cable that is adding 4 dB loss

per 100 feet. The cable is 20 feet long. The omnidirectional antenna that is being
used is 5.2 dBi gain. What is the EIRP?
Step 6
An AP transmitter emits 100 mW of power to an antenna directly connected to it.

The antenna that is being used is an 8.5 dBi patch antenna. What is the EIRP?
Step 7
You have been asked not to exceed 20 dBm EIRP on a 3.0 dBi omnidirectional
antenna. Which power level should you set your AP to knowing that you use 50 feet
of 6 dB/100 feet loss cable?
Step 8
You have been asked not to exceed 17 dBm EIRP on a 13.5 dBi Yagi antenna.
Which power level should you set your AP to knowing that you will use 150 feet of
6 dB/100 feet loss cable and that the cable connectors add an extra 0.5 dB loss?
Step 9
You have been asked not to exceed 17 dBm EIRP on a 5.2 patch antenna. How
much length of 2.8 dB loss per 100 feet cable should you use, knowing that the AP
power level is statically set to 40 mW?
You have found the right values as per the answer key.
Task 3: Determine the Type of Antenna Represented, Its Use,

and the Best Location for It
In this task, you will work with AP coverage patterns to determine the type of antenna and its
usage.
Activity Procedure
Step 1
Look at the following radiation pattern:
Step 2
Which type of antenna does it represent?

____________________________________________________________________
Step 3
What type of use is the antenna best suited for?

____________________________________________________________________
Step 4
What is the best place for the antenna to be mounted?

pillar
rooftop
wall
Step 5
Lab Guide
Step 6

____________________________________________________________________
Step 7

____________________________________________________________________
Step 8

pillar
rooftop
wall
Step 9
Step 10

____________________________________________________________________
Step 11

____________________________________________________________________
Step 12

mast
rooftop
wall
You have found the right values as per the answer key.
Lab 1-2: Creating an Ad Hoc (IBSS) Network and

Analyzing the Communication
Activity Objective
In this activity, you will connect to the remote lab and create an ad hoc network between two
machines. You will then analyze the communication to understand what exactly is exchanged
between the laptops. After completing this activity, you will be able to meet these objectives:
Connect to the remote lab
Connect to your remote laptop
Verify the internal card settings
Create an ad hoc network and analyze the communication
Visual Objective
Visual Objective for Lab 1-2: Creating an

Ad Hoc (IBSS) Network and Analyzing
the Communication
IUWNE v1.06
Required Resources
A PC with connectivity to the Internet
The Cisco VPN client
The remote desktop application
Lab Guide
IP addresses assigned to your group
Lab map diagram
In the remote lab, a laptop with preinstalled sniffer and wireless card
Command List
The table describes the command that is used in this activity.
ping Command
Command
Description
ping
Tests Layer 3 reachability.
Job Aids
These job aids are available to help you complete the lab activity:
Remote laptop, already loaded with appropriate applications
Lab map IP addressing and naming convention
Lab MapGroups 1 to 4
Group 1
Group 2
Group 3
Group 4
Remote laptop address
10.10.1.240
10.20.1.240
10.30.1.240
10.40.1.240
Remote laptop login
student1
student2
student3
student4
Remote laptop
password
cisco
cisco
cisco
cisco
Ad hoc channel
Ad hoc SSID
IUWNE-AD1
IUWNE-AD1
IUWNE-AD2
IUWNE-AD2
Ad hoc IP address
192.168.10.1
192.168.10.2
192.168.10.5
192.168.10.6
Ad hoc mask
255.255.255.252
255.255.255.252
255.255.255.252
255.255.255.252
Lab MapGroups 5 to 8
Group 5
Group 6
Group 7
Group 8
10.50.1.240
10.60.1.240
10.70.1.240
10.80.1.240
Remote laptop login
student5
student6
student7
student8
Remote laptop
password
cisco
cisco
cisco
cisco
Ad hoc channel
11
11
Ad hoc SSID
IUWNE-AD3
IUWNE-AD3
IUWNE-AD4
IUWNE-AD4
Ad hoc IP address
192.168.10.9
192.168.10.10
192.168.10.13
192.168.10.14
Ad hoc mask
255.255.255.252
255.255.255.252
255.255.255.252
255.255.255.252
Lab Guide
Task 1: Connect to the Remote Lab

In this task, you will use the Cisco VPN client to connect to the remote lab. You will install it,
import the profile containing the parameters required to access the remote lab, and test the
connection.
Activity Procedure
10
Step 1
Check to see if the Cisco VPN client is already installed on your PC: Choose Start >
Programs, and verify that the Cisco VPN client folder is present in the list of
available programs. If the folder is present, go directly to Step 4.
Step 2
If the folder is not present, ask your instructor to provide you with the Cisco VPN
client installer and the profile file (.pcf) required to access the remote lab.
Step 3
Double-click the Cisco Systems VPN Client Installer, and use the default values to
install the program. You may be asked to reboot your PC.
Step 4
Chose Start > Programs, go to the Cisco Systems VPN Client folder, and click the
VPN Client icon.
Step 5
Click Connection Entries, and choose Import.
Step 6
Browse through the list and choose the .pcf file provided by your instructor. This
action should add a new entry in your Cisco VPN client window.
Step 7
Double-click the new entry in your Cisco VPN Client Window. Ask your instructor
to provide the credentials used in your class.
Lab Guide
11
Step 8
The connection is established when a small lock appears in the bottom-right corner
of your screen.
Step 9
Verify that you were assigned an IP address in the VPN network: Choose Start >
Run, enter cmd, and click OK.
Step 10
In the MS-DOS window, enter ipconfig/all. Check to verify that an adapter called
Cisco VPN adapter appears in the list and that it has an IP address in the range
10.X0.1.0 (where X is your group number).
Step 11
In the command prompt window, enter ping 10.100.1.254 to ping the common
gateway. Verify that the ping is successful.
You have successfully completed this task when you attain these results:
12
You are connected to the VPN gateway.
Your VPN adapter has an IP address in the 10.X0.1.0/24 range.
You can ping one of the remote lab routers.
Task 2: Connect to Your Remote Lab Wireless Laptop

In this task, you will use your VPN connection and the windows remote desktop service to
connect to your remote lab wireless laptop.
Activity Procedure
Step 1
Verify that your VPN connection to the remote lab is working properly.
Step 2
Connect to your remote laptop using the remote desktop: Choose Start > Programs
> Accessories > Communications > Remote Desktop Connection.
Note
Step 3
In each group, only one person at a time can be connected to the remote lab wireless
laptop. Choose with your partner who will be connecting.
Use the lab map table shown in the Job Aids section to determine the destination IP
address that should be used to connect to your remote laptop. The address should be
in the format 10.X0.1.240, where X is your pod number.
Lab Guide
13
14
Step 4
In the remote desktop connection pop-up window, in the computer field, enter the IP
address of your remote laptop, and click Connect.
Step 5
You will be presented with a new window where you are asked to enter the
credentials required to access your remote lab wireless laptop. Use the lab map table
to find out which username and password are used to connect to your groups laptop.
They should be in the format username, studentX, (where X is your group number),
and password, cisco.
Step 6
Enter the credentials, and click OK. You should see the Windows desktop of your
remote laptop. You will use this same method of access for all remaining labs, so
keep this procedure available for reference for the subsequent labs.
Step 7
Take some time to familiarize yourself with the remote desktop interface. It is a
remote desktop on top of your class PC desktop. The upper bar shows that you are in
the remote desktop interface and displays the IP address of the remote laptop. To
minimize the remote desktop window, click the Minimize button. The remote
desktop window is minimized to your class PC taskbar. You can then access other
applications in your class PC. Click the remote desktop program in the task bar to
restore it to its full size. Click the Maximize button to increase or the Restore down
button to reduce the size of the remote desktop application. To end the remote
desktop session, click the Close button in the remote desktop window. Never
disconnect the VPN session without closing the remote desktop application first.
You would be disconnected from the remote laptop without any possibility of
connecting back.
You are connected to the remote lab wireless laptop.
You can see your remote lab wireless laptop IP address in a tab at the top of your screen.
You see your remote lab wireless laptop desktop and can interact with it.
Task 3: Verify the Internal Card Settings

In this task, you will document how your internal card reacts when being configured to connect
to an ad hoc network.
Activity Procedure
Step 1
From your remote lab wireless laptop, click Start > Connect To > Show All
Connections.
Step 2
Locate your wireless connection. It should be called Intel(R) Wireless WiFi Link
4965AGN.
Step 3
Right-click the wireless connection and choose Enable.
Lab Guide
15
16
Step 4
Right-click Intel(R) Wireless WiFi link 4965AGN again and choose Properties.
Step 5
A new window opens. Click the Configure button located at the right of the
physical card description.
Step 6
A new window appears. Click the Advanced tab. In the Property list, choose Ad
Hoc Channel, and then choose the right value for your group from the drop-down
menu next to 802.11b/g. Refer to the following table:
Pod
Pod1
Pod2
Pod3
Pod4
Pod5
Pod6
Pod7
Pod8
Channel
11
11
Lab Guide
17
Step 7
Choose Ad Hoc Power Management, and verify that the default value is set to
Disabled. Choosing Disabled ensures that your card does not turn to the power save
mode while you are in ad hoc mode.
Step 8
You can see your wireless card MAC address at the bottom of the window.
Document it here.
Intel card MAC address:________________________________________________
Step 9
Click OK to validate your changes.
18
You have configured the channel used by your card to connect to ad hoc networks.
You have documented your internal wireless card MAC address.
Task 4: Create an Ad Hoc Network and Analyze the

Communication
In this task, you will work with a peer group to analyze ad hoc networks. You need to
coordinate your action with the peer group to perform the steps at the same time so that both
laptops can capture the right frames. The following table shows peer groups:
Pod
Peer Group
Pod 1
Pod 2
Pod 3
Pod 4
Pod 5
Pod 6
Pod 7
Pod 8
Activity Procedure
Step 1
Prepare your wireless connection. If you closed the Wireless Network Connection
Properties window, click Start > Connect to > Show all connections.
Step 2
A new window appears showing all your network adapters.
Step 3
Locate your wireless connection. It should be called Intel(R) Wireless WiFi Link
4965AGN.
Step 4
Right-click your Intel Wireless 4965AGN adapter and click Properties.
Step 5
To create an ad hoc network you must have a common subnet IP address, and create
a common SSID. You need the IP address because neither of the two laptops is
configured to act as a DHCP server. In the Wireless Network Connection Properties
window, click the General tab, choose Internet Protocol TCP/IP, and then click
Properties.
Lab Guide
19
20
Step 6
In the General tab, click the Use the following IP address radio button.
Step 7
Enter the IP address assigned to your group for this lab. Refer to the lab map.
Step 8
In Subnet mask, enter 255.255.255.252.
Step 9
Leave the other fields empty, and click OK.
Step 10
In the Wireless Network Connection Properties window, click the Wireless

Networks tab.
Step 11
If any networks are in the Preferred networks list, click them one by one and click
the Remove button until the Preferred network list is empty.
Step 12
Click Add.
Lab Guide
21
22
Step 13
A new window appears. In the Network name (SSID) field, enter your ad hoc SSID.
Refer to the lab map.
Step 14
Leave the default of Open in the Network Authentication field.
Step 15
For Data encryption field, choose Disabled.
Step 16
At the bottom of the page, check the This is a computer-to-computer (ad-hoc)

network; wireless access points are not used check box.
Step 17
Click OK to activate the profile.
Lab Guide
23
24
Step 18
Click OK to close the Wireless Network Connection Properties window and initiate
the connection.
Step 19
After a few seconds, your Intel wireless card should show the status as Connected.
Step 20
Right-click your wireless connection, and choose Status.
Step 21
You should see that you are connected to the ad hoc network you created.
Step 22
Open a command prompt. Choose Start > All programs > Accessories >
Command prompt.
Step 23
Try to ping the peer group IP address. The command should be in the form of ping
192.168.10.Z, where Z is the peer group host address. The ping should be
successful.
Lab Guide
25
26
Step 24
You have now confirmed that the peer-to-peer connection worked. The next step is
to sniff the connection process and analyze it. Right-click your Intel 4965 card and
choose Disable.
Step 25
To start Wireshark, click Start > All Programs > Wireshark > Wireshark.
Step 26
Choose the Airpcap passive interface. In Wireshark, click Capture and choose
Interfaces.
Step 27
In the Interfaces list, you should see Airpcap USB wireless capture adapter. Click
Options at the right end of the Airpcap USB wireless capture adapter line.
Step 28
A new window appears. Verify that Capture packets in promiscuous mode is

checked.
Step 29
Click Wireless Settings.
Step 30
In the Channel field, choose the ad hoc channel used by your group. Refer to the lab
map.
Step 31
Verify that the Capture Type is set to 802.11 + Radio. Click OK.
Step 32
You should filter the capture to only display frames coming from and to your Intel
adapter. In the Capture Filter field, enter ether host followed by the MAC address
of your Intel card documented in Step 8 of the previous task1. For example: ether
host 00:0b:85:72:17:10.
The Capture Filter menu presents a drop-down list from which some classical filters can be selected directly. The ether
host filter is not in the list, and must be entered manually.
Lab Guide
27
28
Step 33
Make sure that your partner group is at the same step. Then, in the bottom section of
the Wireshark capture option window, click Start to launch the capture.
Step 34
In the task bar, click your network card properties.
Step 35
Locate your wireless connection. You should see Intel(R) Wireless WiFi link
4965AGN.
Step 36
Right-click the connection and choose Enable.
Step 37
After a few seconds, your Intel wireless card should show the status as Connected.
Step 38
Right-click your wireless connection, and choose Status.
Step 39
You should see that you are connected to the ad hoc network you created.
Step 40
Open a command prompt window. Click Start > All programs > Accessories >
Command prompt.
Lab Guide
29
Step 41
Try to ping the peer group IP address. The command should be in the form ping
192.168.10.Z, where Z is the peer group host address. The ping should be
successful.
Step 42
From the Wireshark window, stop the capture. Click the Stop capture icon.
Step 43
Try to analyze the capture with your partner group and answer the following
questions: What is the most common frame type seen in the capture? Pings? Probe
requests/ probe answers? Beacons?
_________________________________________________________________
Step 44
Do you see any data packets? __________________________________________
Step 45
Click one beacon. Expand the Radiotap section. What is the peak frequency of the
channel used? The channel you defined for your network? Another one?
__________________________________________________________________
Step 46
At what speed (data rate) was it sent? The lowest possible speed? The fastest? An
intermediate speed?
__________________________________________________________________
Step 47
How often, on average, is the beacon sent? (Intervals between frames in the upper
section of the program window are given in seconds. You can also expand the IEEE
802.11 wireless management frame section and the Fixed Parameters subsection.)
Every second? Every tenth of a second? One hundred times a second?
___________________________________________________________________
30
Step 48
Expand the Tagged parameters section of the IEEE 802.11 wireless management
frame section. What are the supported rates? All the 802.11b rates? Only some of
them? More than the 802.11b rates?
___________________________________________________________________
Step 49
From these supported rates, what type of network protocol do you think is used?
802.11b? 802.11g? 802.11b/g? 802.11a?
___________________________________________________________________
Step 50
In the same Tagged parameters section of the IEEE 802.11 wireless LAN
management frame section, which flag indicates that it is an ad hoc network? An ad
hoc field? IBSS? BSSID?
____________________________________________________________________
Step 51
Does your card support WMM/WME? Yes / No____________________________
Step 52
Try to find frames that were not sent at the lowest speed. Why were they sent faster?
Because only beacon frames are sent slowly? To optimize the transmission to the
recipient?
____________________________________________________________________
Step 53
Close the Wireshark software. Save the capture on your desktop for future reference.
Give it the name Ad-hoc1.
Step 54
From the Wireless Network Connection Properties window, right-click your

wireless connection and choose Properties.
Step 55
Click the General tab, choose Internet Protocol TCP/IP, and click Properties.
Lab Guide
31
32
Step 56
Click the Obtain an IP address automatically radio button.
Step 57
Click the Obtain DNS server address automatically radio button.
Step 58
Click OK to validate.
Step 59
Close the Wireless Network Connection Properties window.
Step 60
Right-click your Intel 4965 card and choose Disable.
Step 61
Close the Network Connections window.
Step 62
Disconnect from your remote laptop.
You could create an ad hoc connection.
You could connect to your peer group.
You could capture some traffic and analyze it.
Lab Guide
33

Activity Objective
In this activity, you will connect to your Cisco 2106 WLC through the serial connection and
configure it for the first time. After completing this activity, you will be able to meet these
objectives:
Configure a Cisco 2106 WLC using the CLI setup wizard
Connect to your configured controller using the web interface
Allow Telnet connections to your controller
Allow open authentication access through your WLAN
Create a DHCP scope to support your local clients
Verify the presence of your AP
Visual Objective
Visual Objective for Lab 2-1: Configuring

a Cisco 2106 WLC
IUWNE v1.07
Required Resources
34
A connection to the remote terminal server with serial connection to your controller
In the remote lab, a Cisco 2106 WLC
Job Aids
Lab table
Lab TableIP Addressing, Naming, and Information: Pods 1 to 4

Pod 1
Pod 2
Pod 3
Pod 4
10.10.1.240
10.20.1.240
10.30.1.240
10.40.1.240
Remote laptop login
student1
student2
student3
student4
Remote laptop
password
cisco
cisco
cisco
cisco
Controller system name
2106-1
2106-2
2106-3
2106-4
Administrative user
admin1
admin2
admin3
admin4
Administrative
password
cisco
cisco
cisco
cisco
Management interface
IP address
10.10.1.10
10.20.1.10
10.30.1.10
10.40.1.10
mask
255.255.255.0
255.255.255.0
255.255.255.0
255.255.255.0
Default router
10.10.1.254
10.20.1.254
10.30.1.254
10.40.1.254
Management vlan id
Management port
Management DHCP
server
10.10.1.10
10.20.1.10
10.30.1.10
10.40.1.10
AP manager IP address
10.10.1.11
10.20.1.11
10.30.1.11
10.40.1.11
AP Manager DHCP
server
10.10.1.10
10.20.1.10
10.30.1.10
10.40.1.10
Virtual gateway IP
address
1.1.1.1
1.1.1.1
1.1.1.1
1.1.1.1
Mobility group name
pod1
pod2
pod3
pod4
Enable symmetric
tunneling
No
No
No
No
Network name
IUWNE-1
IUWNE-2
IUWNE-3
IUWNE-4
Allow static IP
addresses
Yes
Yes
Yes
Yes
Radius server
No
No
No
No
Country code
US
US
US
US
Enable b, a, and autoRF
yes
yes
yes
yes
Lab Guide
35
Pod 1
Pod 2
Pod 3
Pod 4
Configure NTP
No
No
No
No
Configure time
No
No
No
No
DHCP scope name
Scope 1-1
Scope 2-1
Scope 3-1
Scope 4-1
DHCP start address
10.10.1.21
10.20.1.21
10.30.1.21
10.40.1.21
DHCP end address
10.10.1.25
10.20.1.25
10.30.1.25
10.40.1.25
DHCP Network
10.10.1.0
10.20.1.0
10.30.1.0
10.40.1.0
DHCP Netmask
255.255.255.0
255.255.255.0
255.255.255.0
255.255.255.0
DHCP lease time
14400
14400
14400
14400
DHCP default router
10.10.1.254
10.20.1.254
10.30.1.254
10.40.1.254
DHCP DNS server
10.100.1.1
10.100.1.1
10.100.1.1
10.100.1.1
DHCP Netbios Srvr
10.100.1.1
10.100.1.1
10.100.1.1
10.100.1.1
DHCP status
Enabled
Enabled
Enabled
Enabled
36
Pod 5
Pod 6
Pod 7
Pod 8
10.50.1.240
10.60.1.240
10.70.1.240
10.80.1.240
Remote laptop login
student5
student6
student7
student8
Remote laptop
password
cisco
cisco
cisco
cisco
Controller system name
2106-5
2106-6
2106-7
2106-8
Administrative user
admin5
admin6
admin7
admin8
Administrative
password
cisco
cisco
cisco
cisco
IP address
10.50.1.10
10.60.1.10
10.70.1.10
10.80.1.10
mask
255.255.255.0
255.255.255.0
255.255.255.0
255.255.255.0
Default router
10.50.1.254
10.60.1.254
10.70.1.254
10.80.1.254
Management vlan id
Management port
Management DHCP
server
10.50.1.10
10.60.1.10
10.70.1.10
10.80.1.10
10.50.1.11
10.60.1.11
10.70.1.11
10.80.1.11
AP Manager DHCP
server
10.50.1.10
10.60.1.10
10.70.1.10
10.80.1.10
Virtual gateway IP
address
1.1.1.1
1.1.1.1
1.1.1.1
1.1.1.1
Mobility group name
pod5
pod6
pod7
pod8
Pod 5
Pod 6
Pod 7
Pod 8
Enable symmetric
tunneling
No
No
No
No
Network name
IUWNE-5
IUWNE-6
IUWNE-7
IUWNE-8
Allow static IP
addresses
Yes
Yes
Yes
Yes
Radius server
No
No
No
No
Country code
US
US
US
US
yes
yes
yes
yes
Configure NTP
No
No
No
No
Configure time
No
No
No
No
DHCP scope name
Scope 5-1
Scope 6-1
Scope 7-1
Scope 8-1
DHCP start address
10.50.1.21
10.60.1.21
10.70.1.21
10.80.1.21
DHCP end address
10.50.1.25
10.60.1.25
10.70.1.25
10.80.1.25
DHCP Network
10.50.1.0
10.60.1.0
10.70.1.0
10.80.1.0
DHCP Netmask
255.255.255.0
255.255.255.0
255.255.255.0
255.255.255.0
DHCP lease time
14400
14400
14400
14400
DHCP default router
10.50.1.254
10.60.1.254
10.70.1.254
10.80.1.254
DHCP DNS server
10.100.1.1
10.100.1.1
10.100.1.1
10.100.1.1
DHCP Netbios Srvr
10.100.1.1
10.100.1.1
10.100.1.1
10.100.1.1
DHCP status
Enabled
Enabled
Enabled
Enabled
Task 1: Connect to the WLAN Controller Serial Interface and

Configure Your Controller for the First Time
In this task, you will connect to your remote WLAN controller serial interface using the remote
lab terminal server, and you will go through the initial CLI setup for your respective wireless
LAN controller.
Activity Procedure
Step 1
From your class PC, start the VPN client and double-click the remote lab connection
to activate it.
Step 2
From your class PC, choose Start > Programs > Accessories > Command
Prompt.
Step 3
At the command prompt, enter telnet followed by the IP address of the remote
terminal server (10.1.1.252 or other if provided by your instructor).
Lab Guide
37
38
Step 4
Enter the credentials (username student, password cisco or other if provided by your
instructor) to access the terminal server.
Step 5
After successful login you will be asked to select the correct pod (Podx), where x is
your pod number.
Step 6
You will see a new menu, allowing you to connect to several devices in your group.
Take some time to familiarize yourself with the different options that are available.
Step 7
You now need to connect to the Cisco 2106 WLC, which is WLC2106, or Item 2.
Notice that once you are connected to your controller, you can go back to the device
menu at any time by using the usual escape sequence CTRL + SHIFT + 6 then X.
Selecting 2 from the device menu should bring you to the controllers serial interface
which, since the controller is not configured yet, should be the initial CLI setup
wizard.
Note
Step 8
VERY IMPORTANT: Verify that the first question you see is System Name. When enabling
the HyperTerminal session to your controller, you may have pressed Enter to test the
connection, and the setting you had at that time may have become the default answer to the
first questions. If that has become the default, and if the first question you see is not System
Name, enter - (minus sign) and press Enter; this action will take you back one question.
Repeat the procedure as many times as needed to get back to the System Name question.
Choose the parameters for your pod (X is the number of your pod). Username is
adminX, where X is your pod number, and the password is cisco. Additional
parameters are given below and summarized in the table Lab TableIP
Addressing, Naming, and Information: Pods X to Y.
System Name [Cisco_34:26:a3]: 2106-1
Enter Administrative User Name (24 characters max): admin1
Enter Administrative Password (24 characters max): *******
Re-enter Administrative Password
: *******
Management Interface IP Address: 10.X0.1.10
Management Interface Netmask: 255.255.255.0
Management Interface Default Router: 10.X0.1.254
Management Interface VLAN Identifier (0 = untagged): 0
Management Interface Port Num [1 to 8]: 1
Note
The port number is important because it must match the connection leading from the WLAN
controller to the network infrastructure.
Management Interface DHCP Server IP Address: 10.X0.1.10

Note
Later your controller will be configured as a DHCP server. When using an internal WLAN
controller DHCP server, the IP address needs to match the management interface.
Therefore the DHCP server and management address will be the same and point to itself for
this lab. The remaining DHCP configuration will be completed later via the GUI.
AP Manager Interface IP Address: 10.X0.1.11

Lab Guide
39
Note
AP Manager is on the same Management subnet using a different host value.
AP Manager Interface DHCP Server (10.X0.1.10): 10.X0.1.10

Virtual Gateway IP Address: 1.1.1.1
Note
The Virtual Gateway provides Layer 3 features such as the DHCP relay to wireless clients.
This value must match among mobility groups.
Mobility/RF Group Name: PodX

Note
Mobility/RF Group allows multiple wireless controllers to be clustered into one logical
controller group to allow dynamic RF adjustments and roaming for wireless clients.
Enable Symmetric Mobility Tunneling [yes][NO]: no

Network Name (SSID): IUWNE-1
Allow Static IP Addresses [YES][no]: yes
Configure a RADIUS Server now? [YES][no]: no
Note
By default one WLAN SSID is configured on the WLC already and it is using server-based
authentication. If you skip RADIUS configuration during the startup wizard, the result is a
preconfigured SSID using 802.1x EAP requiring a RADIUS server; however, no server is
defined. This choice is to prevent open authentication security vulnerabilities.
Enter Country Code list (enter 'help' for a list of countries)

[US]: US
Enable 802.11b Network [YES][no]: yes
Enable 802.11a Network [YES][no]: yes
Enable 802.11g Network [YES][no]: yes
Note
On your controller, you enable all radios, 802.11b, 802.11g and 802.11a. The AP provided
for this controller will only have one 802.11a radio. You still allow all protocols, which means
that if an 802.11b/g AP were to join the controller, its radios would be enabled.
Enable Auto-RF [YES][no]: yes

Configure a NTP server now? [YES][no]: no
Configure the system time now? [YES][no]: no
Warning! No AP will come up unless the time is set.
Please see documentation for more details.
Note
You do not configure the time on this controller. In a real deployment, you would configure
the time during the initial configuration of a controller. In this remote lab scenario, the time
has already been configured and is consistent with the time of the other devices in the lab.
Configuration correct? If yes, system will save it and reset.

[yes][NO]:
40
Step 9
Read the warning. Take some time to review your configuration to make sure it
matches the lab map. Then answer yes to the Configuration correct?
question. The controller will save the configuration and reboot directly.
Step 10
Wait for the controller to reboot completely, until you are prompted for a username.
Enter your administrative username, and then press Enter.
Lab Guide
41
Step 11
Enter your password, and then press Enter. Verify that you get the prompt
(Cisco Controller)>.
Step 12
Verify your configuration by entering: show sysinfo. The display should be similar
to the one displayed here, with the values that are relevant to your pod.
You have a CLI session open to your controller.
Your initial setup is complete and you see the (Cisco Controller)> prompt.
Task 2: Connect to Your Controller

In this task, you will connect to your controllers web GUI. Because your controller now has a
basic configuration, you can connect to its Management Interface IP address through the VPN
tunnel without relying on the serial connection.
Activity Procedure
Step 1
Check that you are connected through the VPN tunnel to the remote lab network.
Step 2
If your remote desktop connection is still open, close it.
Note
42
Now that the controller has a web interface, all members of the group can connect
simultaneously to the controller. Use this possibility to explore the controller interface, but
keep in mind that it is preferable to avoid having two people working on the same feature to
avoid any confusion in the changes that could be made.
Step 3
From your class PC, open a browser session to your controller Management
Interface IP address. Use https. You may have to disable your local proxy to access
the web interface through the VPN tunnel.
Step 4
Click Yes to accept the self-signed certificate sent by the controller.
Step 5
Click the login button.
Step 6
Enter the administrative username (adminX, where X = Pod number) you defined in
the previous lab, and cisco as the password.
Step 7
You should see the controller Monitor Summary page.
Lab Guide
43
You are successfully connected to your controller web interface and see the Monitor
Summary page.
Task 3: Allow Limited Remote Management

Through the terminal server, you have a serial connection to your controller. In this task, you
will allow Telnet connections so that all members of your group can access the CLI, which will
be used mainly for debugging purposes.
Note
This is a lab environment. In a production environment, you might want to consider your
companys security strategy before allowing Telnet connections.
Activity Procedure
44
Step 1
From the controllers web interface, in the upper menu, navigate to Management >
Telnet-SSH.
Step 2
Notice that SSH sessions are already allowed. From the drop-down menu for Allow
New Telnet sessions, choose Yes. Notice that Telnet sessions are limited to five
minutes.
Step 3
Click Apply in the upper-right corner. You are now set up to allow Telnet sessions
and SSH sessions.
Step 4
Test the connectivity: From your class PC choose Start > Programs > Accessories
> Command Prompt.
Step 5
Enter telnet followed by the IP address of your controller service interface. The
entry should be in the format telnet 10.X0.1.10, where X is your Pod number.
Step 6
When prompted, enter the administrative username (adminX, where X = Pod

number) you defined in the previous lab, and cisco as the password. Press Enter.
Step 7
You should get the prompt (Cisco Controller)>.
You can successfully connect to your controller using Telnet.
Task 4: Allow Open Authentication

In this task, you will modify the WLAN created during the initial setup, so that open
authentication and associations are allowed.
Note
This is a lab environment. In a production environment, you might want to consider your
companys security strategy before allowing open authentication WLANs into your network.
Activity Procedure
Step 1
From your controller web interface, in the upper menu, navigate to WLAN.
Step 2
Look at the profile you created during the initial setup, by default it should use
WPA2/802.1x for authentication.
Step 3
Click your profile, IUWNE-X, where X is your Pod number, to edit it.
Lab Guide
45
Step 4
Make sure that, in the General tab, your WLAN status is set to Enable. Notice that
the SSID is broadcast by default.
Step 5
Click the Security tab.
Step 6
In the Layer 2 Security drop-down list, choose None to allow open authentication.
Step 7
Click Apply in the upper-right corner to validate the changes, read the warning, and
click OK to continue. Your security policies field should now be empty, which
means that you allow open authentication to your WLAN.
46
You successfully modified your WLAN to allow open authentication.

In this task, you will create a DHCP scope to provide IP addresses to your wireless clients.
Note
This is a lab environment. In a production environment, you might have an external DHCP
server for all your clients. In such a case, the management Interface DHCP server IP
address and the AP Manager DHCP server IP address would be the network DHCP server
IP address instead of being the IP address of the controller itself. This limited internal DHCP
server is recommended for 10 or fewer APs and their respective clients. DHCP option 43 is
not supported.
Activity Procedure
Step 1
From your controller web interface, in the upper menu, navigate to Controller.
Step 2
In the left menu click Internal DHCP server.
Step 3
A new screen appears. Click New to create a new scope.
Step 4
In the Scope Name field, enter Scope X-1, where X is your Pod number.
Step 5
Click Apply to create the scope.
Step 6
A new window appears, showing your new scope in the list. It is disabled by default
and does not have any range. Click its name to edit its settings.
Step 7
A new window appears. In the Pool Start Address field, enter the parameters listed
in the table, where X is your pod number.
Lab Guide
47
Internal DHCP Server Parameters

Parameter
Value
Pool Start Address
10.X0.1.21
Pool End Address
10.X0.1.25
Network
10.X0.1.0
Netmask
255.255.255.0
Lease time
14400
Default Router
10.X0.1.254
DNS Server
10.100.1.1
Netbios Name Server
10.100.1.1
Status
Enabled
Step 8
Review your scope to check the values entered, and then click Apply to create the
scope.
Step 9
Your new scope now appears in the list, with a status of Enabled.
Step 10
Save your configuration. In the upper menu, click Save configuration. Click OK to
confirm that you want to save the configuration.
You have successfully created a scope for your clients that are on your controller.
Task 6: Look for APs

In this task, you will look for the APs on the controller.
48
Activity Procedure
Step 1
From your controller web interface, in the upper menu, navigate to Monitor. The
Access Point Summary should not show any AP. One AP is allocated to your Pod.
You were told that the AP should automatically join the controller. It clearly does
not. The source of this issue can be in the AP configuration (standalone mode) or, if
the AP is in LWAPP mode, in the dialogue process between the AP and the
controller
Step 2
First check the controller. Navigate to Management.
Step 3
In the left menu, click SNMP.
Step 4
In the submenu, choose Trap Logs.
AP events are usually mentioned in the trap logs, but you should not see anything relevant to an
AP failure here. This means that the AP did not fail to associate. Two possibilities remain: the
AP cannot reach the controller, or there is something wrong on the AP. Actually, the AP
allocated to your pod should still be in standalone mode. In the next lab, you will convert the
autonomous AP to LWAPP and manage it with the tools used in this task to find whether the
AP has joined your controller properly.
Note
Because the controller does not have an AP, the WLAN you created will not be available for
any client. The AP is needed for the client to see the WLANs configured on the controller. If
you are unsure about this point, connect to your remote laptop and try to detect the WLAN
created on your controller, IUWNE-X. You should not be able to see it.
You have checked for the presence of your AP in the Management menu and on the CLI,
but could not find it.
Lab Guide
49
Lab 2-2: Configuring and Migrating a

Standalone AP
Activity Objective
In this activity, you will give your autonomous AP a basic configuration and test it. You will
then migrate this AP to LWAPP. After completing this activity, you will be able to meet these
objectives:
Check your autonomous AP parameters
Configure your autonomous AP via its web interface
Migrate your autonomous AP to LWAPP
Visual Objective

and Migrating a Standalone AP
IUWNE v1.08
Required Resources
50
In the remote lab, a standalone Cisco Aironet 1252AG AP
Job Aids
In the remote lab, a folder with the required files
Lab map

Pod 1
Pod 2
Pod 3
Pod 4
10.10.1.240
10.20.1.240
10.30.1.240
10.40.1.240
Remote laptop login
student1
student2
student3
student4
Remote laptop
password
cisco
cisco
cisco
cisco
AP IP address
10.10.1.50
10.20.1.50
10.30.1.50
10.40.1.50
AP IP mask
255.255.255.0
255.255.255.0
255.255.255.0
255.255.255.0
AP SNMP RW
community
private1
private2
private3
private4
Autonomous SSID
IUWNE-11
IUWNE-21
IUWNE-31
IUWNE-41
LWAPP channel
36
40
44
48

Pod 5
Pod 6
Pod 7
Pod 8
10.50.1.240
10.60.1.240
10.70.1.240
10.80.1.240
Remote laptop login
student5
student6
student7
student8
Remote laptop
password
cisco
cisco
cisco
cisco
AP IP address
10.50.1.50
10.60.1.50
10.70.1.50
10.80.1.50
AP IP mask
255.255.255.0
255.255.255.0
255.255.255.0
255.255.255.0
AP SNMP RW
community
private5
private6
private7
private8
Autonomous SSID
IUWNE-51
IUWNE-61
IUWNE-71
IUWNE-81
LWAPP channel
52
56
60
64
Task 1: Check the AP Parameters

In this task, you will connect to your AP and verify that it is in standalone mode. You will then
check its IP address.
Activity Procedure
Step 1
Connect to your Cisco Aironet 1252 AP. From your class PC, choose Start >
Programs > Accessories > Command Prompt.
Lab Guide
51
52
Step 2
Step 3
Step 4
After successful login you will be asked to choose the correct pod (Podx), where x
is your pod number.
Step 5
Step 6
Choose the device you want to connect to, AP1252, Item 4.
Step 7
You should be able to see the AP prompt. You may have to press Enter to activate
the CLI.
Step 8
Enter enable to access privileged mode. The password is Cisco (with Capital C).
Step 9
Enter show ip interface brief to check the IP addresses that are present on the AP.
Step 10
You should see that the IP address is assigned to the BVI interface, which is an
indication that the AP is back to standalone mode. All the usual Cisco IOS
commands, such as configure terminal, are available.
Note
The Bridge Virtual Interface, or BVI, is an IP address common to radio interfaces and the
Ethernet interface. Because it is not assigned to a specific physical interface but is common
to several of them, it is considered virtual, and is a bridge between interfaces.
Step 11
Start by configuring your CLI interface for better ease of use. Enter configure
terminal to enter configuration mode.
Step 12
Enter no ip domain-lookup. Using this command avoids a situation in which, if you

mistype a command, the switch tries to resolve what you entered as a host name.
Step 13
The system returns status messages to the console. This feature is sometimes
disturbing if you are entering an instruction. You can ask the system to redisplay
what you were entering if a system message is to be sent to the console and
interrupts what you were doing. To use this command, go to the console by typing
line console 0.
Step 14
Then enter logging synchronous. From then on, when a message is sent to the
console, what you were typing will be displayed again for you to continue typing
exactly from where you were interrupted by the message.
Step 15
Configure your AP with a static IP address. You want to configure the first and
unique BVI interface. Enter interface BVI 1.
Step 16
Enter your AP IP address. It should be in the format 10.X0.1.50, where X is your

group number. Enter ip address, followed by your APs IP address and mask.
Step 17
Enter end to return to privileged mode.
Step 18
Enter copy running-config startup-config to save the configuration.
Lab Guide
53
Step 19
Verify that your AP is in range of your controller. Try to ping your controller. Enter
ping followed by your controller Management Interface IP address. It should be in
the format ping 10.X0.1.10 where X is your pod number. The ping should be
successful.
Step 20
Reduce the window but do not close it.
You have made sure that your AP is in standalone mode, and have its IP address statically
defined.
The AP is ready to be migrated to LWAPP.
Task 2: Configure Your Standalone AP

In this task, you will provide basic configuration to your AP in standalone mode and verify that
the configuration is correct. This task is not necessary for the migration process itself. It aims at
training the running of basic configuration tasks on an autonomous AP, and checks to see, once
the migration is complete, which parameters were kept and which were removed during the
upgrade.
Note
In a real environment, you would migrate the AP directly, knowing in advance which
parameters would be left.
Activity Procedure
54
Step 1
Make sure that you have a VPN connection to the remote lab.
Step 2
From your class PC, open a browser HTTP session to your AP address, which was
configured from during the previous task and should be 10.X0.1.50 where X = pod
number.
Step 3
Use HTTP, not HTTPS. The username is blank; the password is Cisco (with a
capital C).
Step 4
You should be at the home page of your AP.
Step 5
In the left menu, click Express set-up.
Step 6
In the Hostname field, enter your AP name in the form 1252-X where X is your
group number.
Step 7
Leave the IP address assignment that was assigned during the previous task of
manual configuration. Do not change the values that are already present.
Note
Step 8
In this configuration, no gateway information is entered. In a production environment, a

gateway would be needed for the AP to be able to communicate with devices outside of its
subnet. In this lab environment, all the devices that the AP needs to connect to are inside its
own VLAN and subnet, so the gateway configuration can be ignored.
In the SNMP Community field, enter privateX, where X is your pod number.
Lab Guide
55
56
Step 9
Click the Read-Write radio button to make sure that the AP can be managed using
this SNMP community.
Step 10
At the bottom right of the page, click Apply to validate the changes. Read the
warning and click OK to continue.
Step 11
In the left menu, click Express Security.
Step 12
In the SSID field, enter IUWNE-X1, where X is your pod number.
Step 13
Click Broadcast SSID in Beacon.
Step 14
In the VLAN section, click No VLAN because you do not want to tag frames
coming from this simple SSID.
Step 15
In the security section, choose No Security for an open authentication-based SSID,

without any encryption.
Step 16
At the bottom-right corner of the Express Security Set Up window, click Apply to
validate the changes. Read the warning and click OK to continue.
Step 17
You now need to enable your radio to allow this SSID to be sent out. In the left
menu, click Network Interfaces, and then click the Radio1-802.11N5Ghz tab.
Step 18
The radios status is set to Disabled, which is the default. Click the Settings tab.
Lab Guide
57
58
Step 19
In the Enable Radio options, click Enable.
Step 20
Click Apply at the bottom right of the page to validate the change.
Step 21
In the left menu, click Home.
Step 22
In the Network Interfaces section of the Home: Summary Status, you should see
your radio Interface status at green, with a green up arrow. In the event log, you
should see that the line protocol on interface Dot11Radio1 was changed to up.
Step 23
Your AP is ready to provide connections. The configuration entered from the web
interface is saved automatically. Close the AP web browser.
Step 24
Use your local class PC to initiate a remote connection to the remote wireless laptop
to verify that it can see this new broadcast SSID being broadcasted by the standalone
AP. Choose Start > Programs > Accessories > Communications > Remote
Desktop Connection.
Note
In each pod, only one connection at a time is possible to the remote laptop. Choose with
your partner who will be connecting.
Step 25
Use the lab table in the job aids to verify what IP address you should use to connect
to your remote laptop. It should be in the format 10.X0.1.240, where X is your pod
number.
Step 26
In the Remote Desktop Connection window, in the Computer field, enter the IP
address of your remote laptop, and click cConnect.
Step 27
A new window appears where you are asked to enter the credentials required to
access your remote laptop. Use the lab table in the job aids to verify which username
and password are used to connect to your group laptop. They should be in the format
studentX/cisco, where X is your pod number.
Lab Guide
59
60
Step 28
Enter the credentials and click OK. You should see the Windows desktop of your
remote laptop.
Step 29
Connections.
Step 30
Locate your wireless connection. It should be called Intel Wireless WiFi Link
4965AGN.
Step 31
Right-click it and choose Enable.
Step 32
Right-click the Intel Wireless network icon.
Step 33
Click View Available Wireless Networks.
Step 34
You should see the WLAN you just created. Click it, and click Connect.
Step 35
Read the warning. In this lab environment, it is acceptable to connect to an

unsecured network. Click Connect Anyway to continue.
Step 36
After a few seconds, the connection status should change to Waiting for the network
to be ready.
Note
Step 37
Your AP does not provide any IP address. The state Waiting for the network to be ready
indicates that the Layer 2 connection (authentication and association) was successful, and
that the client is waiting for an IP address to be assigned via DHCP. Because there is no
DHCP server, this step fails. This failure is expected. Your goal at this stage is simply to
verify the Layer 2 association, not to get full connectivity to the network.
When the connection displays Limited or No Connectivity, click the Limited or

No Connectivity message. A new window appears.
Lab Guide
61
Step 38
Click Details to check the connectivity limitation. Verify that you obtained an
address in the Automatic Private IP addressing range (APIPA), 169.254.0.0, which
shows that no DHCP server could be found2.
Step 39
Your WLAN works properly for the purpose of the connection verification. Close
the Network Connection Details window. Close the Wireless Network
Connection Status window.
Step 40
You do not need to stay connected to this WLAN anymore. Click it and choose
Disconnect.
If you obtain an address in the range 192.168.1.0/24, verify that your card is set to DHCP and ask your instructor to
shut the port to your Cisco 526 controller on the main switch.
62
Step 41
Read the warning and click OK to continue.
Step 42
In the Wireless Network Connection window, right-click your Intel card icon and
choose Disable.
Step 43
Close the Wireless Network Connection window. Do not close your remote desktop
connection.
Your AP has a configured SSID.
You could associate to it.
Lab Guide
63
Task 3: Convert Your Standalone AP to LWAPP

In this task, you will convert your standalone AP to LWAPP mode. Converting to LWAPP
implies providing a new LWAPP able image to the AP. You can use a software utility to do
this, as shown in the course, or directly use the AP CLI. You will try the second method here.
Activity Procedure
64
Step 1
On your remote desktop locate a folder called IOS-TO-LWAPP. If you cannot

locate it, check with your instructor.
Step 2
Inside the folder, locate a file called c1250-rcvk9w8-tar.124-10b.JA. This file is the
LWAPP-enabled image that is for your AP.
Step 3
Still on your remote laptop desktop, locate the tftpd32 icon. Double-click it to start
the program.
Step 4
In the Current Directory field, browse to choose the IOS-TO-LWAPP folder.
Step 5
Click OK to open the folder.
Step 6
In Server interface, choose your wired connection IP address. It should be in the

form 10.X0.1.240, where X is your pod number.
Step 7
You now need to connect to your AP serial port to enter the required commands to
upgrade it to LWAPP. Your serial connection should be still open at this point and
connected to your AP. If it is closed, use steps 1 to 7 of Task 1 to connect to your
AP CLI.
Step 8
Enter enable to get to privileged mode. The password is Cisco (with a capital C).
Step 9
Verify that you can ping your remote laptop. Enter ping followed by your remote
laptop IP address. It should be in the form ping 10.X0.1.240, where X is your pod
number. The ping should be successful.
Step 10
Enter the command to download the new image file containing the LWAPP code.
Enter archive download-sw /force-reload /overwrite tftp://10.X0.1.240/c1250rcvk9w8-tar.10bJA.tar, where X is your pod number. The /force-reload option
asks for a reboot after the new image download, the /overwrite option asks to replace
the original code with the new one.
Lab Guide
65
66
Step 11
In the background, your TFTP server starts sending the file to the AP. Monitor the
progression, and verify that the file has been completely sent.
Step 12
Once the AP has upgraded its code, it should reboot and load the new code. You can
recognize the AP by its name, c1250-rcvk9w8.
Step 13
The AP tries to join a controller, and find yours. It moves to a join state. Upon
joining the controller, the AP needs to download the same code version as the
version on the controller. Watch the download sequence, and see the AP reboot.
Step 14
At the end of the second reboot, the AP then tries to find a controller using the DNS
server, looking for CISCO-LWAPP-CONTROLLER host. In this lab, the DNS
server does not provide the controller address, so this process fails. The AP then
broadcasts in the subnet, discovers your controller, and goes to the join phase. You
can see that it then moves to CFG (configuration) phase and receives its
configuration from the controller.
Lab Guide
67
68
Step 15
Press Enter. The AP should prompt you for a user name and password. The
username is Cisco and the password is Cisco. If these credentials are not valid, your
AP might have a remaining configuration from a previous class. In such a case, use
root as the username and Public1! as the password.
Step 16
The AP prompt should appear. Its name is still maintained. Enter enable to go to
privileged exec mode. The password is Cisco. If this password is invalid, your AP
might have a remaining configuration from a previous class. In such a case use
Public1! as the password.
Step 17
Enter the command: show ip interface brief to check the APs IP address.
Step 18
The IP address is now connected to the Gigabit Ethernet interface, and not to the
BVI.
Step 19
Enter show running-config. Browse through the configuration file. You should not
be able to see any information relevant to a WLAN. Apart from the main
configuration, the AP configuration now shows a long certificate, used to encrypt
the exchanges with the controller.
Step 20
Try to enter configure terminal. The command is not available anymore.
Step 21
Try to open a web session to your AP; it should fail. The AP is not reachable
anymore; only some limited commands are supported on the CLI.
Step 22
Close the command prompt. Close the TFTP server.
Step 23
Reduce your remote desktop window, but do not close it.
Step 24
Connect to your controller. From your class PC, open an HTTPS session to
10.X0.1.10, where X is your group number.
Step 25
You controllers initial screen should appear. Click Login. Enter your credentials
and click OK. You should be on your controller monitor page.
Step 26
From this page, you should see that your migrated AP is now present. Its b/g/n radio
is set to 0 because it only has an 802.11a/n radio.
Step 27
From the upper menu, click Wireless. Your AP appears. You can see that it has kept
its name.
Step 28
Click the AP name to check its settings. No other apparent configuration should be
seen.
Step 29
For stability, enter your controller name in the Primary Controller Name field. It
should be in the form 2106-X, where X is your pod number3.
Step 30
The AP does not need to have a static IP anymore. In the right side of the screen,
uncheck Static IP.
Note
Your controller has an integrated DHCP server. This server provides IP addresses to
wireless clients and LWAPP APs. As long as your AP was in standalone mode, it could not
receive an IP address from the controller. Now that it is in LWAPP mode, it will receive an IP
address from the controller at each reboot.
The value to enter here is your controller name, as it is seen from Management > SNMP > General. Do not enter an
IP address because the AP will compare the name sent from the controller in the LWAPP discovery answer to this
value, and the names have to be the same string.
Lab Guide
69
70
Step 31
The AP also has direct credentials. Verify that Over-ride Global credentials is
checked. In the username field, enter root. Use Public1! as the password.
Step 32
Click Apply in the upper-right section of the page to validate the change. Read the
warning, and click OK to continue.
Step 33
In the upper menu, navigate to WLAN.
Step 34
You should see the WLAN you created on the controller, but not the WLAN you
created on the AP when it was in standalone mode. The AP keeps the parameters
relevant to itself (its identity in the network), but the parameters relevant to the
wireless communication are now sent from the controller.
Step 35
Navigate back to wireless, and click in the left menu Access Points > Radios >
802.11a/n radios. You will change the channel on which the AP is set.
Step 36
You should see your AP transmit power and channel. There should be an asterisk
next to the channel and power level values, indicating that the values can be changed
dynamically.
Step 37
Click the blue arrow at the right end of the line and choose Configure.
Step 38
A new window appears with your AP 802.11a parameters. In the RF channel

assignment, click Custom, and choose the channel for your group as per the
following table:
Pod
Channel
36
40
44
48
52
56
60
64
Step 39
In TX Power Level assignment, click Custom, and choose 5 for the Channel power
value4.
Step 40
Click Apply to validate the changes.
Step 41
The values you chose should now appear, instead of the previous values.
Step 42
Still in the same window, and leaving the values you chose, in RF Channel
Assignment, click Global. In Tx Power Level Assignment, click Global.
Power level 1 is the maximum transmit power allowed in your country. Power level 2 is half this value, 3 is half again
(25%) and so on. Power level 5 is 6.125 percent of the maximum power allowed in your country on this channel.
Depending on the model, there can be up to 8 levels.
Lab Guide
71
Note
72
Choosing Global will make the AP transmit with the parameters you defined, but if any new
event in the network condition makes these parameters not optimal anymore, the controller
is allowed to change them automatically. Turning these values back to global will not force
the power to max power, as long as the AP does not report a coverage hole.
Step 43
Click Apply to validate the changes.
Step 44
Click Back to return to the list. Your AP should now show the values you chose,
with the asterisk still next to them.
Step 45
Save your configuration. In the upper menu, click Save configuration. Click OK to
confirm when prompted.
Step 46
Reopen the window to your remote wireless laptop.
Step 47
Click Start > Control Panel > Network connections.
Step 48
Right-click your Intel wireless adapter and choose Enable.
Step 49
Right-click your Intel wireless adapter and choose Properties.
Step 50
Go to Internet Protocol TCP/IP and click Properties.
Step 51
Make sure that your card is set to receive an IP address automatically (DHCP).
Step 52
Click OK and close the Properties window and the Control Panel.
Step 53
In the bottom-right corner of your desktop, right-click your wireless connection icon
and choose View Available Wireless Networks.
Lab Guide
73
Step 54
The WLAN created on your controller, IUWNE-X (X = pod number), should appear
in the list. The WLAN created on the AP in standalone mode should not be here5.
Step 55
Choose the WLAN and click Connect.
Step 56
After a few seconds, the status should turn to Connected.
Step 57
In the remote laptop, open a command prompt and click Start > All Programs >
Accessories > Command Prompt.
Step 58
Enter ipconfig to check if you received an IP address from your controller. You
should have received an IP address from the scope you created before.
Step 59
Try to ping the controller management IP address (10.X0.1.10). The ping should be
successful.
Step 60
Connections.
Step 61
4965AGN.
Step 62
Right-click it and choose disable.
It may be possible that the WLAN you created on the autonomous AP still appears. If this is the case, try to connect to
it. It will fail. The WLAN still appears because Windows caches some of the SSIDs heard in the past even when they
are not in range anymore. In this lab the AP MAC address is still heard by the Windows client, which may make it
assume that a WLAN heard before associated to this MAC address should still be available.
74
Step 63
Close the other open windows in your remote wireless laptop and close the remote
desktop connection to that remote wireless laptop.
Step 64
Close the other open windows to such items as terminal server. Remember to use
Control-Shift-6 +X to use the terminal server menu to correctly terminate sessions
and close your sessions.
Your Cisco 1252 AP is converted to LWAPP mode.
You could change some of the parameters from the controller.
You could associate to the WLAN now displayed.
Lab Guide
75
Lab 2-3: Installing and Configuring a Cisco

Mobility Express Wireless Controller and AP
Activity Objective
In this lab, you will configure your Cisco Mobility Express Wireless Controller and your Cisco
Mobility Express AP. After completing this activity, you will be able to meet these objectives:
Configure your Cisco Mobility Express Wireless Controller
Manage your Cisco Mobility Express AP
Use the Cisco Configuration Assistant
Visual Objective
Visual Objective for Lab 2-3: Installing

and Configuring a Cisco Mobility
Express Wireless Controller and AP
IUWNE v1.09
Required Resources
76
In the remote lab, a Cisco 526 Mobility Express controller
Command List
The table describes the commands that are used in this activity.
CLI Connection Command
Command
Description
telnet
Establishes Layer 7 command line connectivity to a remote

device
Job Aids
Lab map diagram
Lab Guide
77
78
Pod 1
Pod 2
Pod 3
Pod 4
10.10.1.240
10.20.1.240
10.30.1.240
10.40.1.240
Remote laptop login
student1
student2
student3
student4
Remote laptop
password
cisco
cisco
cisco
cisco
Controller name
526-1
526-2
526-3
526-4
Administrative user
admin1
admin2
admin3
admin4
Administrative
password
cisco
cisco
cisco
cisco
IP address
10.10.1.100
10.20.1.100
10.30.1.100
10.40.1.100
mask
255.255.255.0
255.255.255.0
255.255.255.0
255.255.255.0
Default router
10.10.1.254
10.20.1.254
10.30.1.254
10.40.1.254
Management vlan id
Management port
Management DHCP
server
10.10.1.253
10.20.1.253
10.30.1.253
10.40.1.253
10.10.1.101
10.20.1.101
10.30.1.101
10.40.1.101
AP Manager DHCP
server
10.10.1.253
10.20.1.253
10.30.1.253
10.40.1.253
Virtual gateway IP
address
1.1.1.1
1.1.1.1
1.1.1.1
1.1.1.1
Mobility group name
Pod1
Pod2
Pod3
Pod4
Enable symmetric
tunneling
No
No
No
No
Network name
IUWNE-101
IUWNE-201
IUWNE-301
IUWNE-401
Allow static IP
addresses
Yes
Yes
Yes
Yes
Radius server
No
No
No
No
Country code
US
US
US
US
yes
yes
yes
yes
521 AP name
521-1
521-2
521-3
521-4
Layer 3 switch
username
student1
student2
student3
student4
Layer 3 switch
password
cisco
cisco
cisco
cisco
DHCP scope
10.10.1.3110.10.1.35
10.20.1.3110.20.1.35
10.30.1.3110.30.1.35
10.40.1.3110.40.1.35
DHCP Pool name
Pod1
Pod2
Pod3
Pod4
DHCP network
10.10.1.0
10.20.1.0
10.30.1.0
10.40.1.0
Pod 1
Pod 2
Pod 3
Pod 4
DHCP netmask
255.255.255.0
255.255.255.0
255.255.255.0
255.255.255.0
DHCP gateway
10.10.1.254
10.20.1.254
10.30.1.254
10.40.1.254
DHCP lease
04
04
04
04
DHCP DNS server
10.100.1.1
10.100.1.1
10.100.1.1
10.100.1.1
DHCP Option 60
Cisco AP c520
Cisco AP c520
Cisco AP c520
Cisco AP c520
DHCP option 43
10.10.1.100
10.20.1.100
10.30.1.100
10.40.1.100
Cisco Configuration
Assistant community
IUWNE-1
IUWNE-2
IUWNE-3
IUWNE-4
Cisco Configuration
Assistant WLAN
IUWNE-102
IUWNE-202
IUWNE-302
IUWNE-402

Pod 5
Pod 6
Pod 7
Pod 8
10.50.1.240
10.60.1.240
10.70.1.240
10.80.1.240
Remote laptop login
student5
student6
student7
student8
Remote laptop
password
cisco
cisco
cisco
cisco
Controller name
526-5
526-6
526-7
526-8
Administrative user
admin5
admin6
admin7
admin8
Administrative
password
cisco
cisco
cisco
cisco
IP address
10.50.1.100
10.60.1.100
10.70.1.100
10.80.1.100
mask
255.255.255.0
255.255.255.0
255.255.255.0
255.255.255.0
Default router
10.50.1.254
10.60.1.254
10.70.1.254
10.80.1.254
Management vlan id
Management port
Management DHCP
server
10.50.1.253
10.60.1.253
10.70.1.253
10.80.1.253
10.50.1.101
10.60.1.101
10.70.1.101
10.80.1.101
AP Manager DHCP
server
10.50.1.253
10.60.1.253
10.70.1.253
10.80.1.253
Virtual gateway IP
address
1.1.1.1
1.1.1.1
1.1.1.1
1.1.1.1
Mobility group name
Pod5
Pod6
Pod7
Pod8
Enable symmetric
tunneling
No
No
No
No
Network name
IUWNE-501
IUWNE-601
IUWNE-701
IUWNE-801
Allow static IP
addresses
Yes
Yes
Yes
Yes
Lab Guide
79
Pod 5
Pod 6
Pod 7
Pod 8
Radius server
No
No
No
No
Country code
US
US
US
US
yes
yes
yes
yes
521 AP name
521-5
521-6
521-7
521-8
Layer 3 switch
username
student5
student6
student7
student8
Layer 3 switch
password
cisco
cisco
cisco
cisco
DHCP scope
10.50.1.3110.50.1.35
10.60.1.3110.60.1.35
10.70.1.3110.70.1.35
10.80.1.3110.80.1.35
DHCP Pool name
Pod5
Pod6
Pod7
Pod8
DHCP network
10.50.1.0
10.60.1.0
10.70.1.0
10.80.1.0
DHCP netmask
255.255.255.0
255.255.255.0
255.255.255.0
255.255.255.0
DHCP gateway
10.50.1.254
10.60.1.254
10.70.1.254
10.80.1.254
DHCP lease
04
04
04
04
DHCP DNS server
10.100.1.1
10.100.1.1
10.100.1.1
10.100.1.1
DHCP Option 60
Cisco AP c520
Cisco AP c520
Cisco AP c520
Cisco AP c520
DHCP option 43
10.10.1.100
10.20.1.100
10.30.1.100
10.40.1.100
Cisco Configuration
Assistant community
IUWNE-5
IUWNE-6
IUWNE-7
IUWNE-8
Cisco Configuration
Assistant WLAN
IUWNE-502
IUWNE-602
IUWNE-702
IUWNE-802
Task 1: Configure Your Cisco Mobility Express Wireless

Controller
In this task, you will provide an initial configuration to your Mobility Express controller
exactly the same way you did it for the Cisco 2106 controller, using the CLI.
Note
In a real environment, you would be more likely to use the Mobility Express web interface for
this initial setting, or the Cisco Configuration Assistant.
Activity Procedure
80
Step 1
Step 2
From your class PC, choose Start > Programs > Accessories > Command
Prompt.
Step 3
Step 4
Step 5
is your pod number.
Step 6
Take some time to familiarize yourself with the different options provided.
Step 7
You now need to connect to the Cisco 526 controller, which is WLC526, Item 1.
Notice that once connected to your controller, you can go back to the device menu at
any time by using the usual escape sequence CTRL + SHIFT + 6 then X. Choosing
1 from the device menu should bring you to the controller serial interface which,
since the controller is not configured yet, should be the initial CLI setup wizard.
Lab Guide
81
Note
VERY IMPORTANT: Verify that the first question you see is System Name. When enabling
the HyperTerminal session to your controller, you may have pressed Enter to test the
connection, and the setting you had at that time may have become the default answer to the
first questions. If that has become the default, and if the first question you see is not System
Name, enter - (minus sign) and press Enter; this action will take you back one question.
Repeat the procedure as many times as needed to get back to the System Name question.
Choose the parameters for your pod (x is the number of your pod). Username is
adminX, where X is your pod number, and the password is cisco. Additional
parameters are given below and summarized in the Lab MapIP Addressing,
Naming Conventions, and Information table.
System Name [Cisco_34:26:a3]: 526-1
Enter Administrative User Name (24 characters max): admin1
Enter Administrative Password (24 characters max): *******
Re-enter Administrative Password
: *******
Management Interface IP Address: 10.10.1.100
Management Interface Netmask: 255.255.255.0
Management Interface Default Router: 10.10.1.254
Management Interface VLAN Identifier (0 = untagged): 0
Management Interface Port Num [1 to 2]: 1
Note
The port number is important because it must match the connection leading from the
wireless LAN controller to the network infrastructure.
Management Interface DHCP Server IP Address: 10.10.1.253

Note
You will configure later on a DHCP scope on the switch to which this controller connects.
The Cisco 526 controller does not have an internal DHCP server.
AP Manager Interface IP Address: 10.10.1.101

Note
AP Manager is on the same Management subnet using a different host value.
AP Manager Interface DHCP Server (10.10.1.253): 10.10.1.253

Virtual Gateway IP Address: 1.1.1.1
82
Note
Virtual Gateway provides Layer 3 features such as DHCP relay to wireless clients. This
value must match among mobility groups.
Mobility/RF Group Name: Pod1

Note
Mobility/RF Group allows multiple wireless controllers to be clustered into one logical
controller group to allow dynamic RF adjustments and roaming for wireless clients.
Enable Symmetric Mobility Tunneling [yes][NO]: no

Network Name (SSID): IUWNE-101
Allow Static IP Addresses [YES][no]: yes
Configure a RADIUS Server now? [YES][no]: no
Note
By default one WLAN SSID is configured on the WLC already, and it is using server-based
authentication. If you skip RADIUS configuration during the startup wizard, the result is a
preconfigured SSID using 802.1x EAP requiring a RADIUS server; however, there is no
server defined. This is to prevent open authentication security vulnerabilities.
Enter Country Code list (enter 'help' for a list of countries)

[US]: US
Enable 802.11b Network [YES][no]: yes
Enable 802.11g Network [YES][no]: yes
Note
On your controller, you enable all radios, 802.11b and 802.11g. Notice that the wizard does
not prompt you for 802.11a. The Cisco Mobility Express solution APs are 802.11b and g
only, so there is no need for an 802.11a network.
Enable Auto-RF [YES][no]: yes

Configure a NTP server now? [YES][no]: no
Configure the system time now? [YES][no]: no
Warning! No AP will come up unless the time is set.
Please see documentation for more details.
Note
You do not configure the time on this controller. In a real deployment, you would configure
the time during the initial configuration of a controller. In this remote lab scenario, the time
has already been configured and is consistent with the time of the other devices in the lab.
Configuration correct? If yes, system will save it and reset.

[yes][NO]:
Lab Guide
83
Read the warning. Take some time to review your configuration to make sure it
matches the lab map. Then answer yes to the Configuration Correct question.
The controller will save the configuration and reboot directly
84
Step 8
Wait for the controller to reboot completely, until you are prompted for a username.
Enter your administrative username, and then press Enter.
Step 9
Enter your password, and then press Enter. Verify that you get the prompt
(Cisco Controller)>.
Step 10
Verify your configuration, by entering show sysinfo. The display should be similar
to the one displayed here, with the values relevant to your pod.
You have a CLI session open to your controller.
Your initial setup is complete and you see the (Cisco Controller)> prompt.
You could verify your configuration using the show sysinfo command.

The Cisco 526 controller does not have an integrated DHCP server. The Cisco 2106 provides
IP addresses only to APs and its own clients. In this task, you need to set up a DHCP scope
somewhere else for your own clients. An ideal location for this scope is the Layer 3 switch to
which your controller connects. In this task, you will create this scope on the switch and correct
your management interface DHCP server to point to it.
Activity Procedure
Step 1
Verify that you have a VPN connection to the remote lab.
Step 2
From your class PC, connect to the class switch using Telnet. Click Start > All
Programs > Accessories > Command Prompt.
Lab Guide
85
Step 3
switch which should be 10.X0.1.253 where X is your pod number or other if
provided by your instructor.
Step 4
Enter your credentials. The username should be in the form studentX, where X is
your pod number. The password should be cisco.
Step 5
Once at the switch prompt, enter configure terminal6.
Step 6
To configure a DHCP scope from the command line, you need to create the scope. It
is created by allocating a whole subnet to a DHCP scope. You also need to exclude
some addresses from the range, so that you will only allocate a few addresses and
not the whole range itself. Use the following table:
Pod 1
Pod 2
Pod 3
Pod 4
10.10.1.1 10.10.1.30
10.20.1.1 10.20.1.30
10.30.1.1 10.30.1.30
10.40.1.1 10.40.1.30
10.10.1.36
10.10.1.255
10.20.1.36
10.20.1.255
10.30.1.36
10.30.1.255
10.40.1.36
10.40.1.255
DHCP scope
10.10.1.3110.10.1.35
10.20.1.3110.20.1.35
10.30.1.3110.30.1.35
10.40.1.3110.40.1.35
DHCP Pool name
Pod1
Pod2
Pod3
Pod4
DHCP network
10.10.1.0
10.20.1.0
10.30.1.0
10.40.1.0
DHCP netmask
255.255.255.0
255.255.255.0
255.255.255.0
255.255.255.0
DHCP gateway
10.10.1.254
10.20.1.254
10.30.1.254
10.40.1.254
DHCP lease
04
04
04
04
DHCP DNS server
10.100.1.1
10.100.1.1
10.100.1.1
10.100.1.1
DHCP Option 60
Cisco AP c520
Cisco AP c520
Cisco AP c520
Cisco AP c520
DHCP option 43
10.10.1.100
10.20.1.100
10.30.1.100
10.40.1.100
Pod 5
Pod 6
Pod 7
Pod 8
10.50.1.1 10.50.1.30
10.60.1.1 10.60.1.30
10.70.1.1 10.70.1.30
10.80.1.1 10.80.1.30
10.50.1.36
10.50.1.255
10.60.1.36
10.60.1.255
10.70.1.36
10.70.1.255
10.80.1.36
10.80.1.255
DHCP scope
10.50.1.3110.50.1.35
10.60.1.3110.60.1.35
10.70.1.3110.70.1.35
10.80.1.3110.80.1.35
DHCP Pool name
Pod5
Pod6
Pod7
Pod8
DHCP network
10.50.1.0
10.60.1.0
10.70.1.0
10.80.1.0
DHCP excluded
addresses
DHCP excluded
addresses
Your privilege level on the switch means that you do not need to type enable first.
86
DHCP netmask
255.255.255.0
255.255.255.0
255.255.255.0
255.255.255.0
DHCP gateway
10.50.1.254
10.60.1.254
10.70.1.254
10.80.1.254
DHCP lease
04
04
04
04
DHCP DNS server
10.100.1.1
10.100.1.1
10.100.1.1
10.100.1.1
DHCP Option 60
Cisco AP c520
Cisco AP c520
Cisco AP c520
Cisco AP c520
DHCP option 43
10.10.1.100
10.20.1.100
10.30.1.100
10.40.1.100
Step 7
In this scope, you want to allocate addresses from 10.X0.1.31 to 10.X0.1.35 (where
X is your pod number). Therefore, you need to exclude 10.X0.1.1 to 10.X0.1.30,
and then 10.X0.1.36 to 10.X0.1.255. Enter ip dhcp excluded-address followed by
the first range. It should be in the form ip dhcp excluded-address 10.X0.1.1
10.X0.1.30 (notice the space between the two IP addresses of 10.X0.1.1 and
10.X0.1.30).
Step 8
Exclude the second part. Enter ip dhcp excluded-address followed by the second
range. It should be in the form ip dhcp excluded-address 10.X0.1.36 10.X0.1.255.
The addresses between these two ranges are not excluded and are therefore allocated
once you create the scope.
Step 9
To create the scope, enter ip dhcp pool PodX (your scope name), where X is your
pod number.
Step 10
Enter a subcommand prompt where you will configure the scope details. The first
element is, of course, the subnet. Enter network followed by your subnet number
and mask. It should be in the form network 10.X0.1.0 255.255.255.0, where X is
your pod number.
Step 11
The next information is the gateway you want your clients to use. Enter defaultrouter followed by the gateway IP address. It should be in the form default-router
10.X0.1.254, where X is your pod number.
Step 12
The next information is the lease duration. On the Cisco 2106 controller, you used 4
hours. Use the same duration here. Enter lease followed by its duration in days and
hours. It should be in the form: lease 0 4 (0 days, 4 hours).
Lab Guide
87
Step 13
The next information is the DNS server address. Enter dns-server followed by the
server address. It should be in the form dns-server 10.100.1.1.
Step 14
A final, interesting, option to configure in this DHCP scope is Option 43. Your AP
has a static IP address and uses broadcast in its subnet to discover the controller. A
DHCP server can be used to provide APs with an IP address and a Controller
Management Interface IP address. To achieve this, the DHCP server must first
recognize that the DHCP discover message comes from an AP. This is done via an
identification mechanism: the AP identifies itself sending a specific string. The
Cisco 521 AP sends Cisco AP c520, and the Cisco 1252 AP sends Cisco AP c1250.
The first element is to recognize these strings. Enter option 60 ascii Cisco AP
c520 (inclusive of the quotes ).
Step 15
The second element is to send back the controller IP address, upon receipt of the
option 60 string. This is Option 43 itself. Enter option 43 ascii followed by your
controller management IP address. It should be in the form option 43 ascii
10.X0.1.100 where X is your group number (inclusive of the quotes ).
Step 16
This last option, specific to APs, will not actually be used by your AP because the
AP has a static IP address and will not query the DHCP server. This option might
still be useful if another AP was connected to your LAN. Your DHCP scope is ready
to provide IP addresses. Enter end to exit the configuration mode.
Step 17
Verify your scope. Enter show running-config and you should see the configuration
file and your DHCP scope near the top along with other pods DHCP scope. Verify
each element carefully.
Step 18
Close the Telnet window.
You have successfully created a DHCP pool on the Layer 3 switch.
Task 3: Manage the AP

In this task, you will connect to your controller web interface and configure some parameters
on your AP.
88
Activity Procedure
Step 1
Connect to your Cisco Mobility Express 526 Controller. From your class PC, open
an HTTPS session to your controllers management interface. It should be in the
form https://10.X0.1.100, where X is your group number.
Step 2
The controller login Window should appear. Click Login.
Step 3
Enter your administrative user and password credentials (username = adminX and
password = cisco where X = Pod number).
Step 4
You should see the controller main monitor window. Your AP, already in LWAPP
mode, should be there. If it is not, check with your instructor.
Step 5
In the upper menu, navigate to Wireless. You should see your AP listed.
Lab Guide
89
Step 6
Click its name to edit its settings.
Step 7
A new window appears. Change the AP name. The new name should be in the form
521-X, where X is your group number. Refer to the lab table in the job aids.
Step 8
Your AP has a static IP address. Document the IP address it has here:

____________________________________________________________________
90
Step 9
Enter a proper location for your AP: IUWNE-LAB.
Step 10
Enter your controller name as the primary controller. It should be in the form 526-X,
where X is your group number.
Step 11
At the bottom of the screen, check that your AP has one single 802.11b/g radio, and
that it is set to Enable.
Step 12
Click the Advanced tab. Check that the Cisco Discovery Protocol check box is
checked. Your AP can be discovered using Cisco Discovery Protocol.
Step 13
Click Apply to validate the changes. Read the warning and click OK to continue.
Step 14
In the upper menu, navigate to WLAN.
Step 15
The WLAN you created during the initial setup should be listed. You could modify
it here, but do not change it now. You will use the Cisco Configuration Assistant in
the next task.
Step 16
Reduce the web browser but do not close it.
Your AP is seen on your controller.
You could change its name and location, and check its IP address.
Task 4: Use the Cisco Configuration Assistant

In this task, you will use the Cisco Configuration Assistant to configure a WLAN and verify it
on your Cisco Mobility Express Controller. Most configurations can be done directly on the
Cisco 526 controller web interface, just like on the Cisco 2106 controller, but the Cisco
Configuration Assistant provides a single interface from which all the Cisco Smart Business
Communication System devices can be configured. You will learn how to use it in this task.
Activity Procedure
Step 1
Note
Connect to your remote wireless laptop: from your class PC, choose Start >
Programs > Accessories > Communications > Remote Desktop Connection.
In each pod, only one connection at a time is possible to the remote laptop. Choose with
Lab Guide
91
92
Step 2
Use the lab table in the job aid to know what IP address you should use to connect to
your remote wireless laptop. It should be in the format 10.X0.1.240, where X is your
pod number.
Step 3
In the Remote Desktop Connection window, in the Computer field, enter the IP
Step 4
credentials required to access your remote wireless laptop. Use the lab table in the
job aid to know which username and password are used to connect to your group
laptop. They should be in the format studentX/cisco, where X is your pod number.
Step 5
remote laptop.
Step 6
On the desktop locate the Cisco Configuration Assistant icon.
Step 7
Double-click it to start the program.
Step 8
The initial window should ask if you want to connect to a community or create a
new one. There should not be any community listed, so choose to create one and
click OK to proceed. If there is already a community, ask your instructor to remove
it.
Step 9
A new window appears. In the Name field, enter IUWNE-X, where X is your pod
number. This will become the community name. A community is a common group
name for the devices that you administrate. It can be arbitrarily defined on the Cisco
Configuration Assistant, and does not need to be preconfigured on the devices.
Step 10
In the Company Name field, enter Cisco.
Step 11
Click Advanced. This setting shows how the Cisco Configuration Assistant will
connect to the devices you manage. Cisco Configuration Assistant uses
HTTP/HTTPS, which immediately shows that it will not be able to connect to your
AP because it is managed via the controller and does not offer any direct web
interface. Click OK to continue.
Lab Guide
93
Step 12
In the Discover devices section, choose A single device by IP address7. In the IP

address field, enter your Cisco 526 controller Management IP address. It should be
in the form 10.X0.1.100, where X is your pod number.
Step 13
Click Start to start the discovery process.
Step 14
After a few seconds a popup window should appear, warning you about a self-sign
certificate. It is the certificate generated at boot time by your Cisco 526 controller.
Click Yes to accept it.
Step 15
A new window appears, asking the credentials to connect to the Cisco 526
controller. Enter the credentials. Username should be adminX, where X is your pod
number, and password cisco. Click OK to continue.
If your controller was connected to an SMB switch of CE520 series, it would support the Cisco Configuration
Assistant communities, and you could use it to discover the whole network. On an enterprise type of switch,
communities are not supported. You can still discover devices, if they are directly manageable (like a controller) and if
you provide their IP address directly, as is done here.
94
Step 16
Your controller should then appear in the device list. It is now discovered and can be
managed through the Cisco Configuration Assistant as well.
Step 17
In the Discover devices section, enter the IP address of your Cisco 521 AP. You
documented the IP address in the previous task. Keep the Discover field set to a
single device by IP address.
Step 18
Click Start.
Step 19
After a few seconds, a new box showing Unable to connect should appear.
Step 20
It is expected that the box will appear. The AP cannot be contacted directly using
HTTP or HTTPS. Was the AP discovered?
Step 21
Click OK to close the community window.
Lab Guide
95
Step 22
A new window appears, showing a graphical representation of the community tree.

You can see the Cisco 526 controller, and the switch to which it connects. Rightclick your controller, and choose Properties.
Step 23
You see information about your controller. Click OK to close.
Step 24
Your AP is not shown on the topology. Is that because it is not seen by the Cisco
Configuration Assistant8 but still managed when Cisco Configuration Assistant
connects to the controller, or is it because it was not added at all and is ignored? To
check, click Monitor in the left menu.
Step 25
In the submenu, unfold the reports menu, and click Reports > Inventory. It will
show you the devices known in your community.
Another reason is because the main switch is not a CE520, and therefore not community-aware.
96
Step 26
You see that the Cisco 521 was indeed brought along with the controller, and is
known to the Cisco Configuration Assistant. The tool cannot display Cisco 521 on
the graphical map. This is because the main switch is not community-aware, so the
tool does not know where the AP is connected. However, it still knows that it is
managed by the Cisco 526 controller. There is just a graphical presentation
disconnect, but the AP is here.
Step 27
Close the Inventory window. The topology reappears. Right-click controller and
choose Annotation. The annotation field allows the administrator to write a short
memo.
Lab Guide
97
Step 28
Enter a short text such as Plus 521-X AP, where X is your pod number.
Step 29
Click OK.
Step 30
The text should now appear under your controller.
Step 31
There are many ways of working with the Cisco Configuration Assistant. Now
change the Cisco 526 controller previously configured to add an open authentication
SSID9. You could click the left menu on Configure > Wireless > WLAN, but the
simplest way is, once again, to right-click your controller, and choose WLAN
(SSID).
In a real network, you would probably not set all the WLANs you create to Open, no encryption. In Module 4 you will
learn how to configure the infrastructure for security. Until then, you are temporarily creating simple WLANs.
98
Step 32
A new window appears, showing the WLAN you created on the Cisco 526
controller during the first setup.
Step 33
You will create a new WLAN. You do not need this one anymore. Click it, and click
Delete at the bottom. The WLAN list should be empty.
Step 34
Click Create at the bottom.
Lab Guide
99
100
Step 35
A new window appears, warning you that no Radius server was created. The default
settings of a WLAN on Cisco controllers are WPA/WPA2 with a central serverbased authentication, which is done through a RADIUS server. A WLAN cannot
work because no Radius information is provided. You will create a new WLAN with
open authentication, therefore a Radius is still not needed at this stage; Click No to
continue.
Step 36
A new window appears. In the SSID field, enter IUWNE-X02, where X is your pod
number.
Step 37
There is no VLAN configured yet, leave the field to its default value of 1. Leave
QoS to Data, and security to No Security.
Step 38
Click OK to create the new WLAN.
Step 39
The new WLAN should appear in the list.
Step 40
Click OK to validate the WLAN creation. If OK or Apply at the bottom are not
clicked, all the operations remain local to the Cisco Configuration Assistant
software. As soon as you click OK or Apply, they are written to the Cisco 526
controller.
Step 41
The system prompts you for your 526 controller username and password. Enter your
administrative user credentials. They should be in the form adminX for the
username and cisco for the password, where X is your pod number.
Step 42
In the upper-left part of the Window, click Application > Exit. Click Yes to
confirm.
Step 43
Reduce the remote desktop window, but do not close it.
Step 44
Reopen the web browser session to your Cisco 526 controller, and click WLAN
(even if you are already in WLAN, to refresh).
Step 45
You should see the new WLAN created, its status should be set to enabled, and
security policies should be empty, which implies open authentication and no
encryption.
Lab Guide
101
102
Step 46
Go back to your remote desktop connection. From your remote lab wireless laptop,
choose Start > Connect To > Show All Connections.
Step 47
4965AGN.
Step 48
Right-click it and choose enable.
Step 49
Right-click your wireless connection again and choose View Available Wireless
Networks.
Step 50
The WLAN you created should appear in the list. If it does not appear, click Refresh
network list.
Step 51
Click the WLAN name, and click Connect.
Step 52
Read the warning about an unsecured network, and click Connect Anyway.
Step 53
The connection should be successful.
Step 54
Verify the connection. Choose Start > All Programs > Accessories > Command
Prompt.
Step 55
Enter ipconfig. You should see that your wireless card has an address in the range
you created on the class switch, which acts now as a DHCP server here also.
Step 56
Try to ping your 526 controller. Enter ping followed by the Management IP address
of your controller. It should be in the form ping 10.X0.1.100 where X is your pod
number. The ping should be successful.
Step 57
From your remote lab wireless laptop, choose Start > Connect To > Show All
Connections. Locate your wireless connection. It should be called Intel Wireless
WiFi Link 4965AGN.
Step 58
Right-click it and choose Disable.
You could create a new WLAN from the Cisco Configuration Assistant.
You could verify its transfer to the Cisco 526 controller.
You could test it by connecting to it.
Lab Guide
103

Activity Objective
In this activity, you will install and configure the Cisco Aironet Desktop Utility. After
completing this activity, you will be able to meet these objectives:
Install the Cisco ADU
Configure the Cisco ADU and implement the Cisco Site Survey Utility
Observe the association process though Wireshark sniffer
Visual Objective
Visual Objective for Lab 3-1: Installing

and Using the Cisco ADU
IUWNE v1.010
Required Resources
104
In the remote lab, a remote laptop with the Cisco card inserted and the Cisco ADU software
installed on the desktop
Job Aids
Lab table

Pod 1
Pod 2
Pod 3
Pod 4
WLAN
IUWNE-102
IUWNE-202
IUWNE-302
IUWNE-402
Profile name
Mobility Express
Mobility Express
Mobility Express
Mobility Express
Static IP
10.10.1.26
10.20.1.26
10.30.1.26
10.40.1.26
Static netmask
255.255.255.0
255.255.255.0
255.255.255.0
255.255.255.0
Gateway
10.10.1.254
10.20.1.254
10.30.1.254
10.1.40.254
DNS server
10.100.1.1
10.100.1.1
10.100.1.1
10.100.1.1

Pod 5
Pod 6
Pod 7
Pod 8
WLAN
IUWNE-502
IUWNE-602
IUWNE-702
IUWNE-802
Profile name
Mobility Express
Mobility Express
Mobility Express
Mobility Express
Static IP
10.50.1.26
10.60.1.26
10.70.1.26
10.80.1.26
Static netmask
255.255.255.0
255.255.255.0
255.255.255.0
255.255.255.0
Gateway
10.50.1.254
10.60.1.254
10.70.1.254
10.1.80.254
DNS server
10.100.1.1
10.100.1.1
10.100.1.1
10.100.1.1
Task 1: Installing the Software

In this task, you will install the Cisco ADU software. The Cisco CB21AG is already physically
installed on your remote laptop, but no driver is installed yet.
Activity Procedure
Step 1
Check that you are connected, through the VPN tunnel, to the remote lab network.
Step 2
Connect to your remote wireless laptop; from your class PC choose Start >
Lab Guide
105
Note
106
In each pod, only one connection to the remote laptop is possible at a time. Choose with
Step 3
Use the lab table located in the job aid to know what IP address you should use to
connect to your remote laptop. It should be in the format 10.X0.1.240, where X is
your pod number.
Step 4
In the Remote Desktop Connection pop-up window, in the computer field, enter the
IP address of your remote laptop, and click connect.
Step 5
credentials required to access your remote laptop. Use the lab map to know which
username and password are used to connect to your group laptop. They should be in
the format studentX/cisco, where X is your pod number.
Step 6
remote laptop.
Step 7
On the desktop locate the Cisco WinClient-802.11a-b-g-Ins-Wizard-v35 icon.

Double-click it to start the installation process.
Step 8
Click Next when you see the initial Welcome page.
Lab Guide
107
108
Step 9
Choose to install both the driver and the client utility.
Step 10
Click Next.
Step 11
Check the check box Install the Cisco Aironet Site Survey Utility.
Step 12
Click Next.
Step 13
Keep the default values in the next two windows (directory location for installation
and program folder name) and click Next to proceed. Read the information page
about the card management, and click Next to proceed.
Step 14
Choose Next to acknowledge the notice of client utility choice that you are about to
be presented with in follow window. Choose to configure the Cisco card using the
Cisco Aironet Desktop Utility. During the labs for this course, you will use the
Windows client for the internal Intel 4965 card and the Cisco ADU for the Cisco
card bus.
Step 15
Click Next.
Step 16
Read the warning informing you that the laptop will be rebooted at the end of the
install, and click Yes to continue.
Step 17
Read the information about the WLAN adapter. Because it is already inserted, click
OK to continue.
Step 18
The wizard will proceed to the program installation.
Lab Guide
109
Step 19
Read the final installation status and the reminder about laptop reboot and click OK
to continue. You will lose connection to your remote laptop.
Step 20
Wait about a minute and connect back to your remote wireless laptop.
Step 21
You should see now in the right part of the taskbar the ASTU green icon. You now
have two WLAN adapters available.
The Cisco ADU is successfully installed.
You could reconnect to your remote laptop after the Cisco ADU installation.
Task 2: Use the Cisco ADU and the Cisco Site Survey Utility
In this task, you will learn to use the Cisco ADU to create a profile, and the Cisco Site Survey
Utility to understand the wireless environment.
Activity Procedure
110
Step 1
Choose Start > All programs > Cisco Aironet > Aironet Site Survey Utility.
Step 2
A new window appears where you see the received signal on a given channel.
Step 3
Click AP scan list. The list of all APs detected appears. In a busy environment, there
may be quite a few APs. Wait a few seconds for the list to be created, and then click
Pause List Update.
Step 4
Browse down to find the Network Name created on the Cisco 526 controller. It
should be in the form IUWNE-X02, where X is your pod number. Adjust your
display window as needed.
Step 5
Once you have found the controller, click View AP Details.
Step 6
Document the channel and the MAC address of the AP:

AP 521 is on channel ___________. Its MAC address is ______________________
Step 7
Close the AP Detailed Information window.
Step 8
Minimize the Cisco Aironet Site Survey Utility window, but do not close it.
Lab Guide
111
Step 9
In the task bar, right-click ASTU10, and choose Open Aironet Desktop Utility.
Step 10
The current status may show that you are already connected to a profile. Click the
Profile Management tab.
Step 11
Click New to create a new profile.
Step 12
In Profile Name, enter Mobility Express.
Step 13
Leave the Client name to its default.
Step 14
In the SSID1 field, enter the name of the SSID on your Cisco 526 controller. It
should be in the form IUWNE-X02, where X is your pod number.
Step 15
10
The ASTU, Aironet System Tray Utility, is the Green icon installed with the Cisco ADU in the bottom-right portion
of your desktop.
112
Step 16
Check that Security is set to None because this WLAN uses open authentication.
Step 17
Click the Advanced tab.
Step 18
Because the WLAN is on the b/g network, uncheck 5 GHz 54 Mbps. Leave the
other parameters as they are. You could enter the AP MAC address in Preferred AP,
but do not do it yet. Click OK to create the profile. Do not activate it yet.
Step 19
Click the Diagnostic tab.
Lab Guide
113
114
Step 20
Click Adapter Information. A new window appears, showing information about

your Cisco WLAN adapter.
Step 21
Document your Cisco card MAC address: _________________________________
Step 22
Click OK to close the Adapter Information window.
Step 23
Choose at the top: Action > Disable the radio. You need to have the radio off so
you can turn it on when you are ready to sniff the communication. Notice that both
Adaptor information and Advanced statistics become grayed.
Step 24
Try to connect with a static IP address. This will verify the prior lab where you
configured YES for Allow static IP address during initial setup on your controller.
Step 25
Right-click your wireless connections in the taskbar, and choose Open Network
Connections.
Step 26
In your network adapters list, try to identify the Cisco WLAN card. It should be
labeled Cisco Aironet 802.11a/b/g Wireless Adapter. Right-click the name and
choose Properties.
Step 27
In this Wireless Network Connection window, choose Internet Protocol TCP/IP,

and click Properties.
Step 28
Click Use the following IP address.
Step 29
Enter new IP address values as per the following table.
Lab Guide
115
116
Pod 1
Pod 2
Pod 3
Pod 4
Static IP
10.10.1.26
10.20.1.26
10.30.1.26
10.40.1.26
Static netmask
255.255.255.0
255.255.255.0
255.255.255.0
255.255.255.0
Gateway
10.10.1.254
10.20.1.254
10.30.1.254
10.40.1.254
DNS server
10.100.1.1
10.100.1.1
10.100.1.1
10.100.1.1
Pod 5
Pod 6
Pod 7
Pod 8
Static IP
10.50.1.26
10.60.1.26
10.70.1.26
10.80.1.26
Static netmask
255.255.255.0
255.255.255.0
255.255.255.0
255.255.255.0
Gateway
10.50.1.254
10.60.1.254
10.70.1.254
10.80.1.254
DNS server
10.100.1.1
10.100.1.1
10.100.1.1
10.100.1.1
Step 30
Click OK to validate the settings.
Step 31
Close the Network properties window.
Step 32
Close the network connection window. Your card is ready for the association. This
window may take a few seconds because windows activate this change in address
information.
Step 33
You will sniff the card connection to the network. Start Wireshark. Click Start > All
Programs > Wireshark > Wireshark.
Step 34
You will first filter only frames going to or coming from your Cisco WLAN adapter.
In the upper menu, click Capture > Interfaces.
Step 35
Click Options at the right side of the Airpcap USB wireless capture adapter line.
Step 36
In the Capture Filter field, enter ether host followed by the MAC address of your
Cisco WLAN adapter. You documented it at Step 21. It should be in the form ether
host ab:cd:ef:gh:ij:kl, where ab:cd:ef:gh:ij:kl is your Cisco card MAC address.
Step 37
In the upper-right part of the same window, click Wireless Settings.
Step 38
A new window opens. In Channel, choose the channel on which your Cisco 521 AP
operates. You documented it at Step 6 of this task. Click OK to validate.
Step 39
Click Start to begin the capture.
Lab Guide
117
Step 40
The number of packets accepted as per your filter should stay to 0 or very low.
Step 41
In the taskbar, click the Cisco ADU to bring it back to front.
Step 42
Choose at the top: Action > Enable radio.
Step 43
Click the Profile management tab and double-click the Mobility Express profile
to activate it, or you may be connected to another SSID.
Step 44
Click the Current Status tab.
Step 45
As soon as you see the status set to Associated, click the Stop Capture icon in the
Wireshark window.
Step 46
In the upper part of the Wireshark window, find the probe request. Write the name
of the SSID you see in it. Is your card looking for a null SSID? A broadcast SSID?
A named SSID?
____________________________________________________________________
118
Step 47
At what speed was it sent? 1 Mb/s? 6 Mb/s? 11 Mb/s? 54 Mb/s?

____________________________________________________________________
Step 48
Find the probe response. Does the AP accept 802.11b speeds?

__________________________________________________________________
Step 49
Try to find the authentication request, authentication response, association request,

and association response. Document at what speed the association request was sent,
and what speed the association response was sent? Were they all sent at the same
speed? 1 Mb/s? 6 Mb/s? 11 Mb/s? 54 Mb/s?
Association request___________________________________________________
Association response__________________________________________________
Step 50
Document if the AP accepts short preambles: Yes / No
Step 51
Can you see the Cisco proprietary information (Cisco Compatible Extensions) in the
exchange? Yes / No
Step 52
Close Wireshark. Do not save the capture.
Step 53
Reopen the Cisco Site Survey Utility.
Lab Guide
119
Step 54
Click Associated AP status. It should now show your connection to the IUWNEX02 SSID along with your pods respective 2.4-GHz channel.
Step 55
Document the RSSI and the SNR read:

RSSI_________________________________SNR__________________________
Step 56
At the bottom left of the window, check the Display in percent check box. Did you
have the same perception of the link quality level?
Step 57
Close the Cisco Site Survey Utility.
Step 58
Reopen the web session window from your local classroom PC to your Cisco 526
controller (https://10.X0.1.100).
Step 59
In the upper menu, click Monitor.
Step 60
In the lower part of the screen, locate the Client Summary section. Current clients
should show at least one client11. Click Detail at the right end of the Current Clients
line.
Step 61
At least one client should be associated: your remote laptop. Some neighboring
laptops may also be seen. Check with the MAC address documented at Step 21 that
one of the clients is your Cisco card.
11
You may see more than one client because each card sending a probe request will be flagged as a client in your
network, even if it does not actively try to associate afterwards.
120
Step 62
Check to verify that the client is authenticated and associated. Check to verify that it
is using the WLAN-Profile12.
Step 63
Click its MAC address to verify its settings.
Step 64
Can you see which interface it is using? Can you see which AP it is connecting
through? Which authentication parameters of the WLAN are used?
Step 65
Document the client Cisco Compatible Extensions version:

_______________________________________
Step 66
Close the web session. You now have a validation of your Layer 2 connection. You
want to check the Layer 3 connectivity via a ping. From your remote wireless
laptop, open a command prompt and choose Start > All Programs > Accessories >
Command Prompt.
Step 67
Enter ipconfig. You should see that your wireless card has the static address you
defined.
Step 68
Try to ping your Cisco 526 controller. Enter ping followed by the Management IP
address of your controller. It should be in the form: ping 10.X0.1.100 where X is
your pod number. The ping should be successful.
12
The WLAN Profile shown is the one seen from the controller perspective, IUWNE-X02, not the profile from the
client perspective, Cisco Mobility Express.
Lab Guide
121
122
Step 69
At this point, the verification is complete. You need to return your WLAN card to its
default mode before shutting it down to be ready for the next lab. Right-click your
wireless connections in the taskbar, and choose Open Network Connections.
Step 70
In your network adapters list, try to identify the Cisco WLAN card. It should be
labeled Cisco Aironet 802.11a/b/g Wireless Adapter. Right-click it and choose
Properties.
Step 71
In this Wireless Network Connection window, choose the Internet Protocol

TCP/IP and click Properties.
Step 72
Click Obtain an IP address automatically.
Step 73
Click Obtain DNS Server address automatically.
Step 74
Click OK to close the TCP/IP properties window.
Step 75
In the Windows Network Properties window, right-click your Cisco WLAN card
and choose Disable.
Step 76
Close the Wireless Network Properties window.
Step 77
Close the remote desktop session and all the other open windows.
Complete Cisco ADU installation inclusive of the Cisco Site Survey Utility.
You could associate to your IUWNE-X02 SSID using the Cisco ADU client.
You could capture the traffic using the Wireshark software.
Lab Guide
123
Lab 3-2: Experimenting with Connections and

Roaming
Activity Objective
In this activity, you will experiment with connections features and roaming. For this lab, you
will work in a team with another group. Both will create the same WLAN, and you will see
how your client can roam from one to the other. After completing this activity, you will be able
to meet these objectives:
Create a WLAN common to two groups
Connect to a specific AP
Force roaming from one AP to the other
Visual Objective
Visual Objective for Lab 3-2:

Experimenting with Connections and
Roaming
IUWNE v1.011
Required Resources
124
In the remote lab, a Cisco 2106 controller
In the remote lab, a remote laptop with a Cisco WLAN adapter
Job Aids
Lab map
Partner group table
Lab TableNaming and Information: Pods 1 to 4

Pod 1
Pod 2
Pod 3
Pod 4
WLAN
IUWNE-ROAM12
IUWNE-ROAM12
IUWNE-ROAM34
IUWNE-ROAM34
Mobility group
Pod12
Pod12
Pod34
Pod34
Lab TableNaming, and Information: Pods 5 to 8

Pod 5
Pod 6
Pod 7
Pod 8
WLAN
IUWNE-ROAM56
IUWNE-ROAM56
IUWNE-ROAM78
IUWNE-ROAM78
Mobility group
Pod56
Pod56
Pod78
Pod78
Task 1: Create a Common WLAN

In this task you will create a WLAN common to two pods.
Activity Procedure
Step 1
Check that you are connected, through the VPN tunnel, to the remote lab network.
Step 2
From your class PC, open a browser session to your Cisco 2106 controller
Management Interface IP address. (https://10.X0.1.10) You may have to disable
your local proxy to access the web interface through the VPN tunnel.
Step 3
Click OK to accept the self-signed certificate sent by the controller.
Lab Guide
125
126
Step 4
Click Login.
Step 5
Enter the administrative username you defined in the previous lab and the password
(adminX for the username and cisco for the password).
Step 6
You should see the controller Monitor Summary page.
Step 7
In the upper menu, click WLAN.
Step 8
You should see the WLAN you created before. Click its name to edit its settings.
Step 9
Uncheck the Status Enabled check box. You do not want this WLAN to currently be
active13. Click Apply to validate the change.
Step 10
Now, at the WLAN page list, in the upper-right part of the window, click New to
create a new WLAN.
13
The Cisco 2106 and the AP are perfectly capable of supporting several WLANs at the same time, but in a crowded
environment, you do not want to see too many SSID names that you will not use. For this reason you will disable the
WLANs you do not use for each new lab.
Lab Guide
127
Step 11
Note
128
In Profile Name field, enter Roaming. In the WLAN SSID field, enter the name of
the WLAN. Refer to the lab table (IUWNE-ROAMX, where X = shared group
number between two pods).
The name is in capitals and is case-sensitive.
Step 12
Click Apply to validate the name.
Step 13
A new window opens showing the WLAN details.
Step 14
Check the Status Enabled check box.
Step 15
In the Radio Policy drop-down list, choose 802.11a only. Because your Cisco 1252
AP operates only in the 802.11a spectrum, there is no point in allowing this WLAN
in the 802.11b/g band.
Step 16
Step 17
In Layer 2 Security, choose None.
Step 18
Click Apply to create the WLAN with these settings.
Step 19
You should now have two WLAN Profile Names in the list, but only the Roaming
show a status of Enabled.
Step 20
In the upper menu, click Wireless.
Lab Guide
129
Step 21
You should see your AP. Note that its Ethernet MAC address is shown. You want to
know its radio MAC address. In the left menu, choose radio > 802.11a/n.
Step 22
You should see your AP, along with its radio MAC address. Document this MAC
address here:
1252 AP 802.11a MAC address:_________________________________________
130
Step 23
You want to allow your clients to connect at 802.11n speeds. Position your mouse
on the arrow at the end of the AP description line and choose Configure.
Step 24
A new screen appears. In the 11n Parameters section, verify that your AP supports
802.11n. You will be using 20-MHz-wide channels, compatible with non-802.11n
clients. Verify that the Channel Width is set to 20 MHz.
Step 25
Click Apply to validate.
Step 26
Navigate to Wireless > 802.11a/n > High Throughput (802.11n).
Step 27
In the General section, verify that 802.11n is activated. In the MCS Data Rate
Settings, verify that all data rates are checked. Document the highest possible rate:
___________________________________________________________________
Step 28
To be able to roam, not only do you need to have a common WLAN, but the
controllers also need to be in the same mobility group. In the upper menu, click
Controller.
Lab Guide
131
Step 29
In Default Mobility Domain Name and RF-Network Name, enter your common
group name. Refer to the table:
Pod
Name
Pod12
Pod12
Pod34
Pod34
Pod56
Pod56
Pod78
Pod78
Note
132
Names are case-sensitive.
Step 30
Click Apply to validate the change.
Step 31
Controllers are now in the same mobility group, but they do not communicate with
each other yet. In the left menu, unfold Mobility Management, and choose Mobility
groups.
Step 32
You see your controllers details. Document its Management IP address and built-in
MAC address14:
Management IP address: ______________________________________________
Built in MAC address: ________________________________________________
Step 33
In the upper-right part of the screen, click New to create a new member to your
mobility group.
Step 34
Ask your partner group for their controller IP address and built-in Mac address, and
enter the values in the right fields.
Step 35
Click Apply to create the new member.
Step 36
Your mobility group list now shows two members.
14
The built-in MAC address is a MAC address common to the whole system, and not relevant to a specific port. This
MAC address is reachable through any port, and characterizes the system as a whole.
Lab Guide
133
Step 37
To verify connectivity to the other controller, put the mouse over the arrow at the
right end of the line describing your partner controller, and choose Ping.
Step 38
The ping should be successful. If it is not, check your values.
Step 39
Your controllers are now ready to offer intercontroller connectivity and roaming. Do
not close the web browser window.
You could create a roaming WLAN.
Your controller is in the same mobility group as your partner controller, and they could
ping each other successfully.
Task 2: Connect to the Right AP

In this task, you will associate to this WLAN, and make sure both partners associate to the
same AP. To achieve it, you need to make sure that only one AP is available at a time.
Activity Procedure
134
Step 1
Steps 1 through 8 are for even-numbered pods (2, 4, 6, and 8) to disable their radios.
Odd-numbered pods can proceed to Step 9. In the controller web browser window,
click Wireless in the upper menu.
Step 2
In the left menu, choose Radio > 802.11a/n.
Step 3
You should now see your AP.
Step 4
Put your mouse on the arrow at the end of the line and choose configure.
Step 5
A new window appears with your AP 802.11a/n radio details.
Step 6
In the General section, set the Admin Status to Disable to turn your radio off.
Step 7
Click Apply to validate the change. Click Back to return to the radio list.
Step 8
The AP should show in the list, with its radio status set to DOWN and Disable.
Even-numbered pods can now proceed to Step 16 to configure their remote lab
wireless laptop.
Lab Guide
135
136
Step 9
Steps 9 through 15 are for odd-numbered pods (1, 3, 5, and 7) to remove any
existing client associations. Even-numbered pods should have finished Step 8 and
proceeded to step 16. On the odd-numbered pod controllers, the AP radio should still
be up. At this point, only one of the APs in the mobility group is up, which
guarantees that the client will connect to this AP only.
Step 10
One last step needs to be performed; remove the clients trace from the controllers.
Otherwise, the client will not connect to the controller you expect. You will see why
later on. In the upper menu, click Monitor.
Step 11
In the left menu, click Clients.
Step 12
A new window appears. You should see at least one client. If you do not see any
clients, move directly to Step 16.
Step 13
Put your mouse on the arrow at the right end of the line describing each client, and
choose Remove. Be careful not to choose Disable.
Step 14
Click OK to confirm that you want to delete this client from the controller cache.
Repeat the operation for all the other clients you may see in the list.
Step 15
No client should be left in the list.
Step 16
Connect to your remote laptop from your class PC; choose Start > Programs >
Accessories > Communications > Remote Desktop Connection.
Note
In each pod, only one connection at a time is possible to the remote laptop. With your
partner choose who will be connecting.
Step 17
Use the lab table to know what IP address you should use to connect to your remote
lab wireless laptop. It should be in the format 10.X0.1.240, where X is your pod
number.
Step 18
Step 19
credentials required to access your remote laptop. Use the lab table to know which
username and password are used to connect to your group laptop. They should be in
the format studentX for username and cisco for the password, where X is your pod
number.
Lab Guide
137
138
Step 20
remote laptop.
Step 21
Connections.
Step 22
4965AGN.
Step 23
Step 24
Right-click your internal Intel 4965 wireless card connection again (not the Cisco
wireless card) and choose View Available Wireless Networks.
Step 25
The IUWNE-ROAMXY SSID should appear in the list. Click Connect. Read the
warning about unsecured networks, and click Connect Anyway to continue.
Step 26
The connection should be successful.
Step 27
Once connected, right-click your network connection and choose Status.
Step 28
A new window appears. Verify that you are connected to the correct WLAN
(IUWNE-ROAMX). Also check the speed of the connection. It should be of 802.11n
type.
Step 29
Click the Support tab. Then click Details.
Lab Guide
139
Step 30
Document the IP address obtained: _______________________________________
Step 31
Notice the DHCP Server address: Which machine is it?

____________________________________________________________________
140
Step 32
Click Close to close the Network Connection Details window. Close the status
window.
Step 33
Try to ping your partner laptop wireless connection. Open a command prompt and
choose Start > All Programs > Accessories > Command Prompt.
Step 34
Ask for your partner pod respective IP address documented at Step 30. Notice that,
in the wireless space, both machines are in the same subnet because they connected
to the same WLAN connected to the same controller.
Step 35
At the command prompt, enter ping t followed by your partners laptop IP address.
Step 36
The ping should be successful and carry on without interruption. Notice the variable
time taken by each ping. The frame needs to travel from your laptop to the AP, then
from the AP to your partner laptop. It answers with a frame that has to travel all the
way back. At each step, CSMA/CA and contention windows may imply a different
delay. Let the ping continue without interrupting it and proceed to the next task
while leaving the command prompt window open.
You have successfully connected to the roaming profile.
Both partners are connected within the same subnet.
Task 3: Use Roaming

In this task, you will force your clients to roam from one AP to the other.
Activity Procedure
Step 1
Reopen the web session to your controller.
Step 2
Click Monitor. On the left menu click Clients.
Step 3
A new window appears. On the odd-numbered pods (1, 3, 5, 7) controllers, you

should see both laptops as clients to your controller. They are connecting through
the controller 1252 AP.
Step 4
On the even-numbered pods (2, 4, 6, 8) controllers, you should still see no client
because your AP radio is disabled.
Lab Guide
141
142
Step 5
Steps 5 through 12 are for even-numbered pods (2, 4, 6, and 8) to enable their
respective AP radios. In the controller web browser window, click Wireless in the
upper menu.
Step 6
Step 7
You should see your AP set to Disable.
Step 8
Put your mouse on the arrow at the end of the line and choose Configure.
Step 9
Step 10
In the General section, set the Admin Status to Enable. This will turn your radio
back on.
Step 11
Click Apply to validate the change. Click Back to return to the radio list.
Step 12
The AP should show in the list, with its radio status set to UP / Enable. Notice the
channel is on.
15
Step 13
On the odd-numbered pods (1, 3, 5, 7) controllers, the AP radio should also be up.
At this point, both APs are up, but on different channels.
Step 14
Repeat Steps 2 to 4 to make sure that, even though two APs are available now, the
clients did not hop to the second AP15.
Step 15
Now is the time to force the hop, disabling the first AP to force the client to look for
another AP serving the same SSID and hop to it.
Step 16
Steps 16 through 23 are for the odd-numbered pods (1, 3, 5, 7) to disable their radios
to force clients to search for another AP for association, In the controller web
browser window, click Wireless in the upper menu
Step 17
Step 18
You should see your AP.
Step 19
Put your mouse on the arrow at the end of the line and choose Configure.
Step 20
Step 21
In the General section, set the Admin Status to Disable. This will turn your radio
down. Do not click Apply yet.
Step 22
Before clicking Apply, make sure you have a connection to your remote laptop and
see the window where the machine is still pinging your partners IP address. Be
ready to go back to it as soon as you click Apply in the web browser session. Then,
click Apply to validate the change.
Step 23
In your laptop session, look at the ping window.
The clients have no reason to hop if the connection on the first AP offers a good enough connection.
Lab Guide
143
144
Step 24
A few pings should be timing out, while your WLAN card realizes that the
connection is not available anymore (no ACK to one of the pings), then scans all the
channels to find another AP serving the same SSID and reassociates. With a rate of
about 1 ping per second, try to evaluate how many seconds were lost in the process.
Step 25
Now both clients associate through the second (even-numbered) pods controller
AP.
Step 26
Reopen the web session to your controller.
Step 27
Click Monitor. On the left menu click Clients.
Step 28
A new window appears. On the even-numbered controllers, you should still not see a
client.
Step 29
On the odd-numbered pod controllers, you should still see both laptops as clients to
your controller. The AP name has changed now. It indicates the other controller as
the AP, and the protocol changed from 802.11n to Mobile the new controller proxies
the connection for your clients, but keeps in memory that they have to remain on the
same subnet as they were before, and that they come from the first controller.
Step 30
If your AP 802.11a radio was disabled, re-enable it.
Step 31
From you controller web interface click in the upper menu Save configuration.
Click OK to confirm.
Step 32
Close the remote laptop command prompt window.
Step 33
Connections.
Step 34
4965AGN.
Step 35
Step 36
Close the open windows in the remote desktop connection. Close the remote desktop
connection and the web interface to your controller.
You could roam from one AP to the other.
You could see the roaming and client caching feature.
Lab Guide
145
Lab 4-1: 802.1Q and Web Authentication

Activity Objective
In this activity you will set up a WLAN with Web Authentication as the security policy. This
implementation provides an open connection to a user that requires a username and password
security exchange. All network traffic is then transmitted in the clear. In order to provide that
support, a new WLAN instance must be created that provides an SSID that the Web
Authentication client will use. You must also define a Local Net User database and create the
username and password entries. Once the support for Web Authentication is configured
correctly on your controller, you will log in using the Local Net User username and password
using a browser connection from your remote lab wireless laptop. After completing this
activity, you will be able to meet these objectives:
Create a VLAN interface on the controller
Create a Web Authentication WLAN
Create a trunk port on a switch
Connect to the WLAN
Experiment with exclusion policies
Visual Objective
Visual Objective for Lab 4-1: 802.1Q and

Web Authentication
146
IUWNE v1.012
Required Resources
In the remote lab, a remote lab wireless laptop with a Cisco WLAN adapter
Job Aids
Pod IP addresses
Lab map
Lab TableIP Addressing, Naming, and Information: Pods: 1 to 4

Pod 1
Pod 2
Pod 3
Pod 4
Remote lab wireless

laptop address
10.10.1.240
10.20.1.240
10.30.1.240
10.40.1.240
Remote lab wireless

laptop login
student1
student2
student3
student4
Remote lab wireless

laptop password
cisco
cisco
cisco
cisco
526 WLC VLAN 90 ID
90
90
90
90
526 WLC VLAN 90 IP
172.16.90.10
172.16.90.20
172.16.90.30
172.16.90.40
526 WLC VLAN90

netmask
255.255.255.0
255.255.255.0
255.255.255.0
255.255.255.0
526 WLC VLAN 90

gateway
172.16.90.253
172.16.90.253
172.16.90.253
172.16.90.253
526 WLC VLAN 90 port
526 WLC VLAN 90

DHCP server
172.16.90.253
172.16.90.253
172.16.90.253
172.16.90.253
WLAN
IUWNE-Web1
IUWNE-Web2
IUWNE-Web3
IUWNE-Web4
Switch IP address
10.10.1.253
10.20.1.253
10.30.1.253
10.40.1.253
Switch username
student1
student2
student3
student4
Switch password
cisco
cisco
cisco
cisco
Controller interface on
the switch
Gigabitethernet0/3
Gigabitethernet0/8
Gigabitethernet0/13
Gigabitethernet0/18
Native VLAN
10
20
30
40
Local Net user name
webuser1
webuser2
webuser3
webuser4
Local net password
cisco
cisco
cisco
cisco
Lab Guide
147

Pod 5
Pod 6
Pod 7
Pod 8
Remote lab wireless

laptop address
10.50.1.240
10.60.1.240
10.70.1.240
10.80.1.240
Remote lab wireless

laptop login
student5
student6
student7
student8
Remote lab wireless

laptop password
cisco
cisco
cisco
cisco
526 WLC VLAN 90 ID
90
90
90
90
526 WLC VLAN 90 IP
172.16.90.50
172.16.90.60
172.16.90.70
172.16.90.80
526 WLC VLAN90

netmask
255.255.255.0
255.255.255.0
255.255.255.0
255.255.255.0
526 WLC VLAN 90

gateway
172.16.90.253
172.16.90.253
172.16.90.253
172.16.90.253
526 WLC VLAN 90

port
526 WLC VLAN 90

DHCP server
172.16.90.253
172.16.90.253
172.16.90.253
172.16.90.253
WLAN
IUWNE-Web1
IUWNE-Web2
IUWNE-Web3
IUWNE-Web4
Switch IP address
10.50.1.253
10.60.1.253
10.70.1.253
10.80.1.253
Switch username
student5
student6
student7
student8
Switch password
cisco
cisco
cisco
cisco
the switch
Gigabitethernet0/23
Gigabitethernet0/28
Gigabitethernet0/33
Gigabitethernet0/38
Native VLAN
50
60
70
80
Local Net user name
webuser5
webuser6
webuser7
webuser8
Local net password
cisco
cisco
cisco
cisco
Task 1: Create a VLAN Interface

In this scenario, the guest user WLAN is to send all users to VLAN 90, which links to a
theoretical DMZ. You will use the Cisco 526 controller web interface to configure a VLAN
interface that is needed to support the Web Authentication client traffic. In the next task, you
will create a WLAN that will be mapped to this VLAN.
Activity Procedure
148
Step 1
Make sure you have a VPN connection to the remote lab.
Step 2
From your class PC, connect to your Cisco 526 controller web interface. Open a
secured browser session to 10.X0.1.100, where X is your pod number.
Step 3
Enter your administrative user credentials, adminX as the username and cisco as the
password, where X is your pod number.
Step 4
From the upper Menu bar, choose the Controller > Interfaces option. Notice the
Controller options available in the left sidebar.
Step 5
In the main Interfaces window, click the New button.
Step 6
A new screen appears. In the Interface Name field, enter VLAN90.
Step 7
In the VLAN id field, enter 90.
Step 8
Click Apply to create the interface.
Step 9
A new screen appears where you can configure your interface details. Enter the
values for this new dynamic interface as per the following table:
Lab Guide
149
150
Pod 1
Pod 2
Pod 3
Pod 4
VLAN 90 ID
90
90
90
90
VLAN 90 IP
172.16.90.10
172.16.90.20
172.16.90.30
172.16.90.40
VLAN90 netmask
255.255.255.0
255.255.255.0
255.255.255.0
255.255.255.0
VLAN 90 gateway
172.16.90.253
172.16.90.253
172.16.90.253
172.16.90.253
VLAN 90 WLC port
VLAN 90 DHCP server
172.16.90.253
172.16.90.253
172.16.90.253
172.16.90.253
Pod 5
Pod 6
Pod 7
Pod 8
VLAN 90 ID
90
90
90
90
VLAN 90 IP
172.16.90.50
172.16.90.60
172.16.90.70
172.16.90.80
VLAN90 netmask
255.255.255.0
255.255.255.0
255.255.255.0
255.255.255.0
VLAN 90 gateway
172.16.90.253
172.16.90.253
172.16.90.253
172.16.90.253
VLAN 90 WLC port
VLAN 90 DHCP server
172.16.90.253
172.16.90.253
172.16.90.253
172.16.90.253
Step 10
The gateway, 172.16.90.253, will act as a DHCP server for clients of this subnet.
The DHCP server is already configured on the gateway. Click Apply to validate the
settings. Read the warning message and click OK to continue.
Step 11
Notice in the upper-right corner of your window the three options; Save
Configuration, Ping, and Logout. Click the Save Configuration option. This saves
the running configuration to the NVRAM.
You created a VLAN interface on your Cisco 526 controller.
Lab Guide
151

In this task, you will create a specific WLAN to support web authentication.
Activity Procedure
Step 1
Navigate to WLAN.
Step 2
Disable your IUWNE-X02 SSID from the previous lab. Click it. A new screen
appears.
Step 3
Uncheck the WLAN Status Enabled check box. Click Apply.
Step 4
Your WLAN still appears in the list, but is disabled. No connection will be allowed
to this WLAN, and it will not be seen on the AP16.
Step 5
Click the New button to create a new WLAN.
Step 6
In the screen that appears, leave the WLAN type to its default. Enter the profile
name of Web_authentication.
16
Your controller could have several active WLANs, but in a crowded lab environment it is better to limit the WLANs
to the one you really need.
152
Step 7
Assign the correct SSID as indicated on your lab map. It should be in the form
IUWNE-WEBX, where X is your pod number.
Step 8
Click the Apply button to create the new WLAN. A new edit screen will appear.
Step 9
Set Admin status to Enabled to activate the WLAN.
Step 10
Choose the VLAN90 interface you created earlier.
Step 11
Lab Guide
153
154
Step 12
Set the Layer 2 Security to None, because this WLAN will just use web
authentication (which is Layer 3) but no Layer 2 encryption or authentication.
Step 13
Click the Layer 3 Security tab.
Step 14
Click Web Policy. Read the warning about DNS and click OK to acknowledge.
Step 15
There are two possible web policies. Leave the policy to its default, Authentication.
Step 16
Click Apply to validate the WLAN settings.
Step 17
Review your WLAN configuration. Creating web authentication requires a

controller reboot. In the upper menu, click Commands.
Step 18
In the left menu, choose Reboot.
Step 19
A new screen appears; choose Reboot in the upper-right portion of the window.
Step 20
Two new options appear, Save and reboot and Reboot without save. Click Save and
reboot. Read the warning and click OK to continue.
Step 21
After a few minutes, your controller should be accessible again, and your Cisco 521
AP should also be accessible. Do not close your controller web browser.
You have disabled the WLAN from the previous lab.
You have successfully created a WLAN on your Cisco 526 Controller associated to the
VLAN 90 interface.
Task 3: Configure a Trunk Port

In this task you will connect to the switch to allow VLAN 90 to link to your controller.
Activity Procedure
Step 1
From the controller upper-right menu, choose Ping.
Step 2
Try to ping your management interface gateway. Enter the switch IP address. It
should be in the form 10.X0.1.253.
Step 3
The ping should be successful. You can ping the switch to which your controller
connects. Click OK to close.
Lab Guide
155
156
Step 4
Click Ping again. Enter your interface 90 IP address. It should be in the form
172.16.90.X0, where X is your pod number.
Step 5
The ping is again successful. You can ping your own interface in VLAN 90. Click
OK to close.
Step 6
Click Ping again. Enter the switch IP address in VLAN 90. It should be
172.16.90.253.
Step 7
This time the ping fails. You can reach the switch on the management subnet, but
not on VLAN 90. The problem could come from the switch IP address, but it is
configured properly. The second possibility is a misconfiguration in your controller
link to the switch. To verify, connect to the switch and from your local classroom
PC, choose Start > All Programs > Accessories > Command Prompt.
Step 8
Enter telnet followed by your switch IP address. It should be in the form telnet
Step 9
Enter your credentials. Login should be in the form studentX, where X is your pod
number. Password is cisco.
Step 10
Refer to the table below to know on which port your Cisco 526 controller is
connected. Enter show running-config interface gigabitethernet 0/X, where
gigabitethernet 0/X is your Cisco 526 controller interface on the switch. Refer to the
following table:
Pod 1
Pod 2
Pod 3
Pod 4
Switch IP address
10.10.1.253
10.20.1.253
10.30.1.253
10.40.1.253
Switch username
student1
student2
student3
student4
Switch password
cisco
cisco
cisco
cisco
526 Controller
interface on the
switch
Gigabitethernet0/3
Gigabitethernet0/8
Gigabitethernet0/13
Gigabitethernet0/18
Native VLAN
10
20
30
40
Pod 5
Pod 6
Pod 7
Pod 8
Switch IP address
10.50.1.253
10.60.1.253
10.70.1.253
10.80.1.253
Switch username
student5
student6
student7
student8
Switch password
cisco
cisco
cisco
cisco
526 Controller
interface on the
switch
Gigabitethernet0/23
Gigabitethernet0/28
Gigabitethernet0/33
Gigabitethernet0/38
Native VLAN
50
60
70
80
Step 11
Your controller port is in a VLAN on the switch. This fact means that the controller
can access anything that is the same VLAN, such as the AP, the remote lab wireless
laptop, or the switch itself as long as your controller does not apply any tag to the
frame it sends. This method worked previously because the management interface
was untagged. If you want to send tagged frames from your controller, you will need
to allow the switch to receive them. This implies changing the port mode from
access, in a VLAN, to a trunk. The switch will then accept receiving tags on this
trunk17.
Step 12
Enter configure terminal to configure the switch.
17
This configuration is not specific to the Cisco 526 controller. On your Cisco 2106 controller, you have, up to this
point, used only the management interface. As soon as you would need to use more than one interface on a port, this
port must be turned into a trunk.
Lab Guide
157
158
Step 13
Enter interface followed by your controller interface name.
Step 14
The port is not in the VLAN specified. Enter no switchport access vlan X0, where
X0 is the VLAN number displayed by the switch for this port.
Step 15
You will need to use 802.1Q type of tagging, which is the one supported by the
controller. Enter switchport trunk encapsulation dot1q.
Step 16
The port is a trunk. Enter switchport mode trunk.
Step 17
This configuration allows your controller to send and receive tagged frames, but one
element is missing. Until now, your controller was connecting to your Cisco 521 AP
and your remote lab wireless laptop because they all were in the same VLAN.
Frames were sent from one port of the VLAN to the other as if the VLAN itself was
an independent switch. If you change the controller port to trunk mode, all frames
coming for the different VLANs will still be sent to it, but with a VLAN tag. This
means that frames coming from your AP, your remote lab wireless laptop, or even
your local classroom PC will be sent to the controller with the VLAN tag you saw
before for your controller port. The problem is that your management and AP
manager interfaces are set with VLAN TAG 0, which means that they are
untagged, and do not understand tagged traffic. Try to access the controller web
interface. It should have become inaccessible. There are two ways of solving this
problem. The first one is to tag the management and AP manager interface, so that
they understand the tags sent from the other devices. The second one is to tell the
switch not to tag the frames that originate from the controllers old VLAN. This
second way is the easiest way. To do it, you need to tell the switch that, on this trunk
port, the native VLAN is your controllers old VLAN number.
Step 18
Still at the controller interface configuration level, enter switchport trunk native
vlan X0, where X is your pod number.
Step 19
You should immediately regain access to your controllers web interface, and your
Cisco 521 AP should be back after a few seconds. If you still cannot access your
switch web interface, notify your instructor.
Step 20
From the switch interface, enter end to exit the configuration mode.
Step 21
Enter ping followed by your controller IP address in VLAN 90. It should be in the
form ping 172.16.90.X0, where X is your pod number. The ping should be
successful. You can ping your controller from the switch. Close the command
prompt window.
Step 22
Verify the connectivity from the controller side. Click Ping again. Enter the switch
IP address in VLAN 90. It should be 172.16.90.253. The ping should this time be
successful. Close the popup window.
You created a trunk for your controller port on the switch.
You assigned the right native VLAN to this trunk port.
Task 3: Create a Local Net User

You must create a Local Net User and define a password that you will provide when logging in
as a Web Authentication client.
Activity Procedure
Step 1
From the upper menu, navigate to Security.
Step 2
In the left menu, click the Local Net Users button.
Step 3
Click New to create a new local user.
Step 4
In username, enter webuserX, where X is your pod number.
Lab Guide
159
Step 5
In Password and Confirm Password, enter cisco.
Step 6
Do not click Guest User because you do not want to restrict the user lifetime18.
Step 7
IN WLAN Profile, choose Web_Authentication.
Step 8
Fill in the description for this user. It should be in the form User for the Web based
WLAN.
Step 9
Click the Apply button to save the new user configuration.
You have successfully created a Local Net User on your controller.
Task 4: Have the AP Rejoin the Controller

In this task, you will reboot your AP for it to rejoin the controller.
Activity Procedure
Step 1
Navigate to Monitor. Your AP should not be seen anymore19. If you see your AP,
proceed directly to Task 5.
18
When clicking guest user, you can restrict the user credentials lifetime. You could use this setting here, but you
choose instead not to restrict the credentials lifetime and leave the Guest user box unchecked.
19
In this lab environment, when you rebooted your controller, your Cisco 521 AP tried to join your controller but could
not. It then probably joined another controller while you were still rebooting. Now that your controller is back,
rebooting the AP is the easiest way to have it discover your controller again and rejoin it.
160
Step 2
You need to connect to your Cisco 521 AP serial interface to reboot it locally. From
your class PC, choose Start > Programs > Accessories > Command Prompt.
Step 3
Step 4
Step 5
After successful login, you will be asked to choose the correct pod (Podx), where x
is your pod number.
Step 6
Step 7
You now need to connect to the Cisco 521 AP, which is AP521, or Item 3.
Step 8
Once connected, enter enable to access the privileged mode. The password is Cisco.
Lab Guide
161
Step 9
Enter reload to reboot the AP. Press Enter to confirm. After a few minutes, you
should see that the AP is fully rebooted and an indication that it joined your
controller. Close the command prompt window.
Your access point has successfully joined your controller.
Task 5: Client Configuration

In this task, you will configure your remote lab wireless laptop to connect to this new WLAN.
Activity Procedure
Step 1
162
Connect to your remote lab wireless laptop; from your class PC, choose Start >
Note
In each pod, only one connection at a time is possible to the remote lab wireless laptop.
Choose with your partner who will be connecting.
Step 2
Use the lab table to know what IP address you should use to connect to your remote
number.
Step 3
In the Remote Desktop Connection pop-up window, in the Computer field, enter the
IP address of your remote lab wireless laptop, and click Connect.
Step 4
credentials required to access your remote lab wireless laptop. Use the lab map to
know which username and password are used to connect to your pod remote lab
wireless laptop. They should be in the format studentX/cisco, where X is your pod
number.
Lab Guide
163
164
Step 5
remote lab wireless laptop.
Step 6
Connections.
Step 7
4965AGN.
Step 8
Step 9
Right-click the Intel Wireless network icon again and click View All Available
Wireless Networks.
Step 10
You should see the WLAN you just created. Click it and click Connect.
Step 11
Read the warning about unsecured networks, and click Connect anyway to proceed.
Step 12
After a few seconds, you should be connected. Open a command prompt to verify
your IP address. Choose Start > All Programs > Accessories > Command
Prompt.
Step 13
Enter ipconfig.
Step 14
Your wireless connection should have an IP address in the 172.16.90.0 range. This
implies that you could reach the gateway as a DHCP client to obtain an IP address
from it. Enter ipconfig /all.
Step 15
Make sure that you have only one DNS server obtained through the wireless
interface of 10.100.1.1. If you have more than one DNS server, report to your
instructor20.
20
You will need DNS server contact to resolve an URL next page. If you have a DNS server on your LAN interface,
Windows will always prefer it to the wireless one, and DNS resolution will fail for our example URL.
Lab Guide
165
166
Step 16
Try to ping through the controller to the gateway; enter ping 172.16.90.253. The
ping should fail.
Step 17
Now back up to only ping your controller IP address in VLAN 90. Enter ping
172.16.90.X0, where X is your pod number. The ping should fail. This means that
although you had DHCP reachability, you do not have IP reachability as a client.
This WLAN is based on web authentication, to actually access the network you need
to be authenticated.
Step 18
Your controller will not present itself to a wireless client as the VLAN interface, but
will always try to emulate the virtual IP address, 1.1.1.1, regardless of which VLAN
the wireless client should be sent once on the wired side of the network. Try to ping
this virtual IP address. Enter ping 1.1.1.1. The ping should fail.
Step 19
In this specific lab environment, your remote lab wireless laptop has two ways of
getting to your controller: via the wired interface, or via the wireless interface. For
the wireless connection to be successful, you need to access the controller from the
wireless interface. This implies creating a static route. Still from your command
prompt, enter a host route: route add 1.1.1.1 mask 255.255.255.255 172.16.90.253.
This informs your remote lab wireless laptop that to reach your controllers virtual
IP address (1.1.1.1), only the wireless gateway should be used.
Step 20
Still from the command prompt, enter route add 10.100.1.1 mask 255.255.255.255
172.16.90.253. This number informs your remote lab wireless laptop that reaching
the DNS server should be done via the wireless interface, so that traffic flows via
your controller and not your wired interface.
Step 21
From your remote lab wireless laptop, open a browser. Verify that the popup blocker
is disabled21. In the address bar enter test.example.com.
Step 22
Click OK to accept the certificate. You should be redirected to your controller

authentication page.
Step 23
In username, enter the local net user name you created before. It should be in the
form webuserX, where X is your pod number.
Step 24
In password, enter your local net user password. It should be cisco.
21
Web authentication page opens a popup window when connected. This page is not necessary in itself, but failure to
see it makes it difficult to know if you are successfully connected or not. Disabling popup blocker for your browser is
required in this lab environment.
Lab Guide
167
Step 25
Click Submit. The authentication should be successful. You should be redirected to

a sample web page.
Notice that to close the session, you will need use the page https://1.1.1.1/logout.html, and then
click Logout.
168
Step 26
From the command prompt, enter ping 172.16.90.253. The ping should be
successful. Now that you are authenticated, you have full access to the network.
Step 27
In the web interface, click Logout.
Step 28
Close the web browser.
You have successfully logged in to the web authentication-based WLAN you created.
Task 6: Client Exclusion

In the previous example you logged in correctly and were granted access. This time you will
provide the wrong password each time you attempt to log in.
Activity Procedure
Step 1
Open a new IE browser session.
Step 2
In the browsers address bar, enter the address http://test.example.com.
Step 3
Press Enter to initiate the browser session.
Step 4
When the security alert screen comes up, click Yes to continue.
Step 5
When the Login screen appears, log in using the name of the Local Net User you
created, but this time use iforgot as the password.
Step 6
Continue to try and log in to the system counting each failed attempt.
Step 7
After three failed attempts, you should be excluded.
Lab Guide
169
Step 8
Close the browser session.
Step 9
In the command prompt, enter: route delete 10.100.1.1. Traffic to the DNS server
does not need to go via the wireless interface anymore. Close the command prompt.
Step 10
Connections.
Step 11
4965AGN.
Step 12
Step 13
Close the connection to your remote desktop.
Step 14
From your class PC, open a web browser session to your 526 controller. Its IP
address should be in the form 10.X0.1.100.
Step 15
Navigate to Management in the menu bar.
Step 16
Choose the Trap Logs option in the left sidebar menu to bring up a list of recent
trap events.
Step 17
Examine the information found there. You should see the Client exclusion event.
Step 18
Document how many failed attempts were reported before you were excluded:
_______________________________________________________________
Step 19
Close the browser session to your controller.
You have successfully completed this activity when you have attained these results:
170
You have successfully been excluded from the controller
You have viewed the Alarm logs
Lab 4-2: Configuring EAP-FAST Authentication

with WPA
Activity Objective
In this activity, you will create a secured WLAN on your Cisco 2106 controller, using EAPFAST for authentication, based on a local EAP, and WPA for encryption. After completing this
Create and configure a local EAP-based EAP-FAST WLAN
Configure the Cisco ADU to associate to this WLAN
Visual Objective

EAP-FAST Authentication with WPA
IUWNE v1.013
Required Resources
In the remote lab, a remote lab wireless laptop with a WLAN adapter
Lab Guide
171
Job Aids
IP addresses assigned to your pod
Lab table

Pod 1
Pod 2
Pod 3
Pod 4
Profile
EAP-FAST
EAP-FAST
EAP-FAST
EAP-FAST
WLAN
IUWNE-FAST1
IUWNE-FAST2
IUWNE-FAST3
IUWNE-FAST4
Local user name
Fastuser1
Fastuser2
Fastuser3
Fastuser4
Local user password
cisco
cisco
cisco
cisco

Pod 5
Pod 6
Pod 7
Pod 8
Profile
EAP-FAST
EAP-FAST
EAP-FAST
EAP-FAST
WLAN
IUWNE-FAST5
IUWNE-FAST6
IUWNE-FAST7
IUWNE-FAST8
Local user name
Fastuser5
Fastuser6
Fastuser7
Fastuser8
Local user password
cisco
cisco
cisco
cisco

In this task you will create a new WLAN to support this secure authentication. You will then
configure your controller to use local EAP with EAP FAST.
Activity Procedure
172
Step 1
From your class PC, open a secured web session to your Cisco 2106 controller. Its
IP address should be in the form 10.X0.1.10, where X is your pod number.
Step 2
Click Login. Enter your credentials. Your administrative username should be in the
form adminX, where X is your pod number, and password should be cisco.
Step 3
Navigate to WLAN.
Step 4
Disable your IUWNE-ROAMX SSID from the previous lab (IUWNE-X should still
be disabled). Click it. A new screen appears.
Step 5
Uncheck WLAN Status Enabled. Click Apply.
Step 6
Your WLAN still appears in the list, but is disabled. No connection will be allowed
to this WLAN, and it will not be seen on the AP22.
Step 7
Click the New button to create a new WLAN.
Step 8
In the screen that appears, leave the WLAN Type to its default, WLAN. Enter the
profile name. It should be EAP_FAST.
Step 9
Assign the correct SSID as indicated on your lab map. It should be in the form
IUWNE-FASTX, where X is your pod number.
22
You controller could have several active WLANs, but in a crowded lab environment it is better to limit the WLANs
to the one you really need.
Lab Guide
173
174
Step 10
Click the Apply button to create the new WLAN. A new edit screen will appear.
Step 11
Set Admin status to Enabled to activate the WLAN.
Step 12
In Radio Policy, choose the 802.11a only.
Step 13
Leave the Interface to management.
Step 14
Click Apply to create the WLAN. Its security parameters are not configured yet;
you will return to them later in this task.
Step 15
Create a local user. From the upper menu, navigate to Security.
Step 16
In the left menu, click the Local Net Users button.
Step 17
Click New to create a new local user.
Step 18
In username, enter FastuserX, where X is your pod number.
Step 19
In password, enter cisco.
Step 20
Do not click Guest User. You will not limit the user session in this task, and guest
user only applies to web authentication-based WLANs.
Step 21
In WLAN Profile, chose EAP_FAST.
Step 22
Fill in the description for this user; Local user for the EAP FAST WLAN.
Step 23
Click the Apply button to save the new user configuration.
Step 24
Specify to the controller that the user credentials should be retrieved from the
controller. Choose Security > Local EAP > Authentication Priority.
Step 25
The column on the right is the one that is used to authenticate the clients
credentials. Verify that LDAP is in the left column so that it will not be used. If not,
elect LDAP, click the "<" button, and click Apply. This puts the user credentials in
the local database first.
Step 26
Create a new EAP profile. This profile will be used to apply your policy to the EAP
FAST WLAN. Choose Security > Local EAP > Profiles.
Step 27
Click New.
Step 28
When the new window appears, enter the Profile Name. It should be in the form
EAP-FASTX, where X is your pod number.
Step 29
Click Apply to create the profile.
Step 30
In the new window, click EAP-FAST to apply your policy to EAP-FAST

authentications.
Lab Guide
175
176
Step 31
Click Apply.
Step 32
Click your profile name to check its settings.
Step 33
In the left menu, click EAP FAST parameters.
Step 34
This window defines the EAP FAST parameters for your EAP FAST policy.
Step 35
You can leave the parameters to their default configuration. In a real network, you
may want to define these parameters according to your network security policy.
Step 36
Go back to your WLAN configuration. Navigate to WLAN. Click your EAP- FAST
WLAN to configure it.
Step 37
Step 38
Click AAA servers. This is where you will indicate to the controllers to use local
EAP for the incoming clients of the WLAN.
Step 39
In local EAP Authentication, check the Local EAP Authentication check box.
Step 40
Make sure that the EAP profile name is the one you created in this task (EAPFASTX, where X is your pod number).
Step 41
Click Layer 2 Security. This field is where you will define how authentication and
encryption should work for this WLAN.
Step 42
Make sure that Layer 2 Security is set to WPA+WPA2 because you will use WPA
for this WLAN.
Lab Guide
177
Step 43
Lower in the same tab, in WPA+WPA2 parameters, click WPA Policy.
Step 44
WPA encryption should be set to TKIP.
Step 45
Unclick WPA2 Policy because WPA is the only encryption you wish to use for this
WLAN.
Step 46
Leave Auth Key Mgmt to 802.1X, which means that the client key rotation and
values will be managed by the AAA server, in this case your controller. Click Apply
to validate the changes.
Step 47
In the upper part of your controller screen, click Save Configuration.
Step 48
For the local EAP values to be applied to your APs, you need to reboot your
controller. Navigate to Command.
Step 49
In the left menu click Reboot.
Step 50
Click Reboot again to confirm.
You configured your controller for EAP FAST local authentication.
Task 2: Configure the Client and Access the Network

In this task, you will configure your client for EAP-FAST and test the connection.
Note
178
VERY IMPORTANT: During step 32 to step 39 of client authentication, make sure NOT TO
DISCONNECT from the remote desktop connection to your remote wireless lab laptop. If
you disconnect during these steps, your remote wireless lab laptop may be blocked and not
respond. You would be unable to proceed with the rest of the labs. This issue is known and
nd
cannot be avoided as a result of user action needed to confirm request for 2 attempt to
download the final PAC file used for authentication.
Activity Procedure
Step 1
Note
Connect to your remote lab wireless laptop using remote desktop; choose Start >
Step 2
Use the lab map to know what IP address you should use to connect to your remote
number.
Step 3
In the remote desktop connection pop-up window, in the Computer field, enter the
Lab Guide
179
Step 4
wireless laptop. They should be in the format studentX for the username and cisco
for the password, where X is your pod number.
Step 5
Step 6
Connections.
Step 7
Locate your wireless connection. It should be called Cisco Aironet 802.11a/b/g

wireless adapter.
Step 8
Step 9
Right-click your Cisco ASTU (the Cisco Aironet System Tray Utility, which is the
green icon on the system tray) icon and choose Open Aironet Desktop Utility.
Step 10
Click the Profile Management tab. Click the Default profile23.
23
Do not use the Cisco Mobility Express profile; it is set to work on the 2.4-Ghz band only, and will not display SSIDs
in the 80.211a band.
180
Step 11
Click Scan.
Step 12
The IUWNE-FASTX SSID should appear in the list.
Step 13
Click it, and click Activate.
Step 14
A new window opens.
Step 15
In the Profile Name field, enter EAP FAST.
Step 16
Lab Guide
181
182
Step 17
In Set security options, choose WPA/WPA2/CCKM.
Step 18
In the drop-down list at the right of the same line, choose EAP FAST.
Step 19
Click the Configure button on the Profile Management screen.
Step 20
In EAP Fast Authentication Method, verify or change the setting to MSCHAP v2

User Name and Password.
Step 21
Notice that the Protected Access Credential zone is empty. Make sure that the Allow
Automatic PAC provisioning box is checked. Your client will automatically receive
its PAC from the controller.
Step 22
Make sure that the other check boxes are unchecked (meaning uncheck the default
No Network Connection Unless User Is Logged In).
Step 23
Click the Configure button at the right end of the MSCHAP v2 User name and
password line.
Step 24
Make sure the Validate Server identity box is unchecked.
Step 25
Click User Saved User Name and Password.
Step 26
In the user name field, enter the local net user name you created in the previous task.
It should be in the form FastuserX, where X is your pod number.
Step 27
Enter the password you created along with the local net user in the previous task. It
should be cisco.
Step 28
Confirm the password.
Step 29
Make sure the Include Windows Logon Domain with User Name is unchecked
because you do not use Windows credentials here, but a name created for this
WLAN.
Step 30
Click the Advanced button.
Lab Guide
183
Step 31
Note
24
Both the Server or Domain Name and Login Name fields should be empty.
VERY IMPORTANT: During Steps 32 to step 39, make sure NOT TO DISCONNECT from
the remote desktop connection to your remote wireless lab laptop. If you disconnect during
these steps, your remote wireless lab laptop may be blocked and not respond. You would be
unable to proceed with the rest of the labs. This issue is known and cannot be avoided as a
nd
result of user action needed to confirm request for 2 attempt to download the final PAC file
used for authentication.
Step 32
Click OK to continue.
Step 33
Click OK to close the MSCHAP v2 User Name and Password Configuration

window.
Step 34
Click OK to close the Configure EAP FAST window.
Step 35
Click OK to close the Profile Configuration window.
Step 36
As soon as you click OK, the profile is activated, and a warning about the fact that
you did not receive any valid PAC appears. Click Yes to receive the PAC
automatically24. The process will take a few seconds, and then fail the first attempt.
Step 37
You should be prompted for a second attempt. Click Yes. If you are not prompted,
choose Action > Re-authenticate.
If you do not see this message, choose Action > Re-authenticate.
184
Step 38
Now that you have a valid PAC, the process should succeed.
Step 39
Verify from the current status window that you did receive an IP address.
Step 40
Click the Profile Management tab, choose EAP-FAST profile, and click Modify
to edit its settings.
Step 41
Step 42
Click the Configure button.
Lab Guide
185
186
Step 43
In Protected Access Credential, there is now a value, which is the PAC sent from
your controller.
Step 44
Click Manage to edit it.
Step 45
Click the + sign; at the left of Not Grouped, you should see your controller EAP
FAST Authority ID information and the PAC generated for your FastuserX.
Step 46
Close the manage PAC window, cancel the Configure EAP FAST window, and
cancel the configure Profile window or click OK.
Step 47
Connections.
Step 48
Locate your wireless connection. It should be called Aironet 802.11a/b/g wireless

adapter.
Step 49
You successfully associated to your EAP FAST WLAN.
Lab Guide
187
Lab 5-1: Configuring Controllers and APs from

the Cisco WCS
Activity Objective
In this activity, you will connect to the Cisco WCS and use it to manage your controller and
AP. After completing this activity, you will be able to meet these objectives:
Create credentials on the Cisco WCS and personalize the interface
Add a controller and AP to the Cisco WCS
Manage the controller and AP from the Cisco WCS
Visual Objective

Controllers and APs from the Cisco WCS
Interface
IUWNE v1.014
Required Resources
188
In the remote lab, a Cisco 1252 LAP
In the remote lab, a Cisco WCS server
Job Aids
Lab table

Pod 1
Pod 2
Pod 3
Pod 4
Cisco WCS user
Admin1
Admin2
Admin3
Admin4
Cisco WCS password
Public1!
Public1!
Public1!
Public1!
Controller IP address
10.10.1.10
10.20.1.10
10.30.1.10
10.40.1.10
AP new channel
40
44
48
52

Pod 5
Pod 6
Pod 7
Pod 8
Cisco WCS user
Admin5
Admin6
Admin7
Admin8
Cisco WCS password
Public1!
Public1!
Public1!
Public1!
10.50.1.10
10.60.1.10
10.70.1.10
10.80.1.10
AP new channel
56
60
64
36
Task 1: Create Credentials on the Cisco WCS and Customize

the Interface
In this task, you will connect to the Cisco WCS and create the credentials you need.
Activity Procedure
25
Step 1
Step 2
From your local classroom PC, open a secure web browser session to the address:
https://10.100.1.125.
Step 3
After a few seconds, a popup window appears informing you that the certificate is
self-signed. Click OK to continue.
Step 4
You should see a login screen similar to this figure.
On this server, the default web server is used for a previous lab. Do make sure to use https, and not http.
Lab Guide
189
190
Step 5
Connect using the credentials root for a username and Wlan2day for a password.
Step 6
If you log in successfully you should see a monitor screen similar to that shown
below. Take some time to look at what is displayed.
Step 7
You are logged in as root. You need to create your own account. In the upper menu,
click Administration, and choose AAA.
Step 8
Before creating a new user, you need to check the password policy on this Cisco
WCS instance. In the left-hand menu, click Local Password Policy.
Step 9
A new window appears, showing the local policy. This is where password
complexity level is defined. Take some time to examine the parameters, but do not
change them because they impact the whole Cisco WCS system.
Step 10
In the left menu, click Users.
Step 11
A new screen appears. In the upper-right drop-down list, choose Add User. Click
Go to continue.
Step 12
A new screen appears. In Username, enter AdminX, where X is your pod number.
Lab Guide
191
192
Step 13
In New Password, enter Public1!. It conforms to the local policy password strength.
Step 14
Confirm the password.
Step 15
In Groups Assigned to This User, click Admin.
Step 16
Click Submit to validate.
Step 17
The message User added successfully should appear in the upper part of the
screen.
Step 18
Click Users in the left menu to verify.
Step 19
Your new user should appear in the list.
Step 20
In the upper-right menu, choose Logout. Log in again using your user credentials.
Step 21
Read the message.
Step 22
Cisco WCS allows each user to have a specific home page. As an administrator, you
want to optimize this welcome page (a newer feature staring in v4.2). As an example
for this lab, you do not need the Mesh tab, and would also like to monitor controllers
CPU and memory load. Click Edit Tabs in the upper-right corner.
Step 23
A new window appears. Click the Mesh name, and choose Delete. Notice at the
bottom that you can always reset to factory defaults from this page.
Step 24
Click Save.
Step 25
You are back to the Home screen, and the Mesh tab is removed. Click Edit
Contents in the upper-right part of the screen.
Lab Guide
193
Step 26
A new screen appears. In the upper part, choose General.
Step 27
In available content, click Controller CPU Utilization, and click Add to Left
Column.
Step 28
In available content, click Controller Memory Utilization, and click Add to Right
Column.
Step 29
Click Save.
Step 30
You are back to the WCS Home, and the General tab now also shows Controller
CPU and Memory values.
You are connected to the Cisco WCS with the user you created.
You have a personalized home page.
Task 2: Add a Controller and AP

In this task, you will add your controller and your AP to the Cisco WCS.
Activity Procedure
Step 1
194
To add your Controller to Cisco WCS you must click Configure.
Step 2
Click the Controllers option.
Step 3
Open the drop-down window on the right, choose the Add Controllers option, and
then choose GO.
Step 4
You will be prompted with a new screen where you will enter the IP address and net
mask of the Management interface on your WLAN controller. It should be in the
form 10.X0.1.10, where X is your pod number26.
26
Notice the SNMP parameters part of the screen. Your controller will be discovered using SNMP, for which the read
and write community is defaulted to private on the controllers. In a production environment, you would change these
defaults, which present a high security risk, both on the WAC and on the controller, in Management > SNMP.
Lab Guide
195
196
Step 5
Click OK to start the search.
Step 6
After a short search, you should get a message that your controller has been added to
Cisco WCS.
Step 7
Click the Home symbol in the upper-left part of the screen.
Step 8
Choose Monitor > Controllers.
Step 9
Click the IP address of your controller.
Step 10
A new window appears, showing your controllers main monitor page, seen from the
Cisco WCS. You could configure your controller directly from here.
Step 11
Port No 1 is green. Click the green circle.
Step 12
You should see a new screen displaying the port statistics.
Step 13
Click WLAN on the left menu.
Step 14
A new page appears, showing the WLANs configured on the controller. You could
manage them directly from here.
Step 15
In the upper menu, click Monitor > Access Points.
Lab Guide
197
Step 16
You should see your AP in the list. Its status should be green. Click its name.
Step 17
You can see your AP details. Take some time to examine its parameters.
You added your controller to the Cisco WCS.
You could monitor its parameters.
You could verify that your AP was brought along with it.
Task 3: Manage the Controller and AP from the Cisco WCS

In this task, you will configure your controller and AP from the Cisco WCS.
Activity Procedure
198
Step 1
From Cisco WCS, navigate to Configure, and choose Controllers. Notice that it is
also possible to choose Controller templates, to deploy a configuration parameter to
several controllers in one click. Do not choose that option; choose Controllers.
Step 2
In the list, click your controller IP address.
Step 3
In the new page, showing your controller properties, click the left WLANs, and the
subgroup WLANs.
Step 4
You see the list of all the WLANs you created before. You do not use the Roaming
profile anymore.
Step 5
Check the check box on its left to choose the Roaming profile, then in the upper
right menu, choose Delete WLANs in the pull-down options, and click GO.
Step 6
Read the popup warning message and click OK to confirm.
Step 7
The WLAN should be removed from the list.
Step 8
From the upper menu, choose Configure > Access Points. Notice that it is also
possible to choose AP templates, to deploy a configuration parameter to several APs
in one click. Do not choose that option; choose Access Points.
Step 9
Click your AP name.
Lab Guide
199
Step 10
A new screen appears with your AP parameters. Change its location to IUWNEModule 5.
Step 11
Verify that Override Global Username Password is checked. AP UserName

should be root and Public1! should be the password.
Step 12
Click Save to validate the new location.
Step 13
In the lower part of the screen, locate your 802.11a/n radio parameters. Click it to
edit its settings.
Step 14
A new window appears with your AP 802.11a parameters. In the RF channel

assignment, click Custom, and choose the channel for your pod. Refer to the
following table.
AP new channel
AP new channel
Step 15
200
Pod 1
Pod 2
Pod 3
Pod 4
40
44
48
52
Pod 5
Pod 6
Pod 7
Pod 8
56
60
64
36
In TX power Level assignment, click Custom, and choose 4 for the Channel power
value.
Step 16
Click Save to validate the changes.
Step 17
The values you chose should appear now, instead of the previous values.
Step 18
As in a previous lab, Click Global for both the RF Channel Assignment and TX
Power level Assignment without changing the values you chose.
Step 19
Click Save to validate.
Step 20
Verify the status of the WLAN change the same way you did before. Click
Configure > Controllers.
Step 21
Check the check box at the left of your controller IP address. In the upper-right
drop-down list, choose Audit Now. Click GO.
Step 22
After a few seconds, an audit report should appear, informing you that there is no
difference between the controller and the Cisco WCS configurations.
Step 23
To confirm, open a web session to your controller and navigate to WLAN. The
Roaming profile should have disappeared.
Step 24
Click Wireless. In the left menu, choose Radio > 802.11a/n radio. Verify that your
AP has the values transmitted by the Cisco WCS.
You could change controller AP parameter from the Cisco WCS.
You could audit for differences between the network devices configuration and the one
seen on the Cisco WCS.
You could verify that changes were propagated to the network devices.
Lab Guide
201

Activity Objective
In this activity, you will add a map to the Cisco WCS and position your AP on it. After
Add maps to the Cisco WCS
Enhance the map by adding walls
Position an AP on the map and manage it
Visual Objective
Visual Objective for Lab 5-2: Working

with Maps
IUWNE v1.015
Required Resources
202
Job Aids
IP address for your pod
Lab table
Maps provided by your instructor

Pod 1
Pod 2
Pod 3
Pod 4
Campus name
Campus1
Campus2
Campus3
Campus4
Building name
Building1
Building2
Building3
Building4
Floor name
Floor1
Floor2
Floor3
Floor4

Pod 5
Pod 6
Pod 7
Pod 8
Campus name
Campus5
Campus6
Campus7
Campus8
Building name
Building5
Building6
Building7
Building8
Floor name
Floor5
Floor6
Floor7
Floor8
Task 1: Add Maps

In this task, you will check the map properties to ensure that they conform to the values you
will use in the later tasks. You will then add maps to the Cisco WCS.
Activity Procedure
Step 1
Navigate to Monitor > Maps.
Step 2
From the drop-down menu in the upper right part of the screen, under Select a
command, choose Properties, and click Go.
Step 3
In the Unit of dimension field, make sure that Meter is selected.
Note
Even if you would prefer to work in feet and inches, do not change these parameters without
the agreement of your instructor because they globally affect the Cisco WCS and the other
pods.
Step 4
In the Refresh map from Network field, make sure that Enable is chosen.
Step 5
Leave the Wall Usage calibration field to its default Auto value.
Step 6
Leave the Advanced debug mode field to its default Disable value.
Lab Guide
203
Note
204
Choosing to refresh a map from the network affects the polling parameters of the system,
and may impact the performances of your system. This is a lab environment, but you may
want to consider this impact before enabling the feature in a production environment.
Step 7
Click OK to apply.
Step 8
From the drop-down menu in the upper right part of the screen, under Select a
command, choose New Campus, and click Go.
Step 9
In the Campus Name field, enter CampusX (X = pod number).
Step 10
In the Contact field, enter StudentX (X = pod number).
Step 11
Click Browse and navigate to the folder on your local classroom PC containing the
campus maps. Choose Campus-Bldg 14.jpg campus map.
Step 12
Click Next to continue.
Step 13
You need to specify the size of your campus. Verify that the Maintain aspect ratio
box is chosen, and enter the horizontal span of the map you imported: 387 m (1270
feet).
Step 14
Notice that as you change the horizontal span, the vertical span is dynamically
adjusted. Click OK to continue.
Step 15
You should now see your campus under the map list. Click its name (CampusX) to
see its details.
Step 16
In the upper-right drop-down list, choose New building. Click GO.
Step 17
In the Name fields, enter your Building name. It should be in the format BuildingX
(X = pod number).
Step 18
In the Contact field, enter your name. This building has 4 floors and 1 basement.
Adjust your respective fields accordingly.
Step 19
Your building horizontal position should be 140.5, and vertical position 15.6. Its
span should be 92 m wide (301 feet) and 54 m height (177 feet).
Step 20
Click Place to validate your building specifications, and then click Save.
Step 21
The square around your building should become green. Click the building name
(BuildingX) to edit its settings.
Lab Guide
205
206
Step 22
A new screen appears. It is empty because there are no floors yet in this building. In
the upper-right drop-down list, choose New Floor Area. Click GO.
Step 23
In the Floor Area Name fields, enter your floor name FloorPodX (X = pod number).
Step 24
In the Contact field, enter your student name (StudentX).
Step 25
In the Floor drop-down list, choose 1.
Step 26
The type is Cubes and Walled Office.
Step 27
The floor height is 3.0 m.
Step 28
Click Browse and navigate to the folder on your local classroom PC containing the
maps. Choose West-Wing.png map.
Step 29
Click Next.
Step 30
Click OK to create the floor.
Step 31
You should see your map in colors.
You added a campus, a building, and a floor in this building.
Task 2: Enhance the Map

In this task, you will improve your map to input some wall information.
Activity Procedure
Step 1
In the upper-right drop-down window, choose Map Editor. Click Go.
Lab Guide
207
208
Step 2
A new window appears with your floor map.
Step 3
The first element you need to work on is the map scale. A mistake was made while
entering the floor size, and the floor needs to be rescaled. For now the scale appears
to be close to 82m wide, which is the size of the whole building. The map you have
represents only part of this building, so the scale needs to be corrected. You know
that the Lab 151 room is 8m wide.
Step 4
In the toolbar, there is an icon that looks like a caliper. When moving your mouse
over it, a label shows Scale floor. Click it.
Step 5
Click the left wall (and hold click) and pull it to the right wall of the Lab 151 room,
and then release the click.
Step 6
A popup window appears asking the length of the line. As you enter a value, the
total new width of the map appears. Enter 8 m as the value of LAB 151 width, so
that the new total width of the map is close to 36m. Click OK to validate.
Step 7
Your floor is now properly rescaled.
Step 8
In this scenario, Lab 153 is the area to which you are asked to provide wireless
coverage.
Step 9
You want to know the size of Lab 153 for your future reference. In the toolbar in the
upper left, there is an icon that looks like a ruler. Click it. Click the left wall of the
lab, then drag the mouse to the right wall (while holding the click) and release the
click. As you move the mouse, the distance appears in the upper-left corner under
distance. Repeat the same operation to obtain the vertical distance from Lab 153s
lower wall to the lab door.
Step 10
Document the size of Lab 153:

Horizontal distance _____________Vertical distance:
_________________________
Step 11
It is time to give the Cisco WCS an awareness of the walls thicknesses. For now, on
this map, walls are just background lines. Under the Map Editor, you can tell the
Cisco WCS what kind of wall they actually are. Click the line icon in the upper-left
part of the screen. It is labeled Draw Obstacles.
Step 12
Click the arrow at the right of the blue rectangle (upper-left part of the screen).
Lab Guide
209
210
Step 13
A new window appears where you can choose the type of wall you want to represent
in the pull-down options. Choose Thick Wall, and click Done. Notice the respective
change in approximate dB signal related to option.
Step 14
The mouse becomes a cross. The external walls are thick walls. Place the mouse at
the upper-right corner of the building, beyond the meeting room, and click the first
time. Move the mouse down following the wall. Click a second time to define this
next corner of the building and continue on the right. Carry on drawing the external
wall until you reach the bottom-left end of the building; press Escape to interrupt
the wall. You now have a thick wall obstacle (13 dB).
Step 15
In the obstacle menu, choose a light wall obstacle (2 dB). Draw the interior walls
around Lab 151, Lab 152, Lab 153 and the storages rooms in the upper-left part of
Lab 15327. Do not go over the doors.
Step 16
In the obstacle menu, choose a light door obstacle, and draw the doors of the
different rooms around the lab. You can use the zoom option to make sure that the
walls are in contact, and that there is not a one-dot-wide opening between an
obstacle and the next one where there is continuity.
Step 17
Once the obstacles are there, click Command > Save.
Step 18
Click Command > Exit.
Step 19
Read the warning about unsaved changes. Since you just saved, you can safely click
OK to continue and exit.
You could resize the map to match the actual area size.
You could draw walls around the area you want to cover.
Task 3: Positioning APs

In this task, you will add your AP to the map and monitor its heat map coverage.
Activity Procedure
Step 1
Make sure you are on your Floor map area.
27
The main area of coverage is Lab 153, but the signal will obviously spread through the thin walls, and you need to
know the actual area of coverage.
Lab Guide
211
212
Step 2
In the upper-right drop-down menu, click Add Access Points. Click Go to continue.
Step 3
A new window appears, showing the list of the available APs. Click yours. Click
OK to continue.
Step 4
Choose your AP from the list.
Step 5
Position your AP exactly in the center of the grid in the middle of the lab. Position is
25 horizontal, 15 vertical.
Step 6
In the left menu, verify or choose your antenna. The 802.11a/n radio is using the
AIR-ANT5135D-R antenna. It is pointing towards the Lab door (270 degrees). It is
also slightly pointing downwards (10 degrees).
Step 7
In the upper part, your AP height is 2.95m from the floor. Click Save to validate
your AP position.
Lab Guide
213
214
Step 8
The map is refreshed, taking your AP into consideration. The heat map does not
show because the view is by default on the 802.11b/g/n radio.
Step 9
Click Layers.
Step 10
Click the arrow at the right end of Access point. A new window appears.
Step 11
In Protocol, choose 802.11a/n.
Step 12
In Display, choose channels.
Step 13
In RSSI Cutoff, choose the recommended -65 dBm.
Step 14
Click OK to validate.
Step 15
Click Save Settings to make this view your default.
Step 16
Close the Layer menu.
Step 17
Position your mouse over your AP. A new menu shows with your AP
characteristics. Document your AP channel: _________________
Lab Guide
215
Step 18
Click AP Info. Document your AP uptime : _____________________________
Step 19
Document the LWAPP uptime28: :________________________________________
Step 20
Click 802.11 b/g/n/ radio. Verify that the radio is not seen at present.
Step 21
Click 802.11a/n. In the window, click View Rx Neighbors. Document the first two
neighbors you see:
Neighbor 1 Name:______________________________RSSI__________________
Neighbor 1 Name:______________________________RSSI__________________
28
Step 22
Close the RX neighbor window.
Step 23
The AP is placed incorrectly. It is actually exactly over the Lab word on the map.
From the upper-right drop-down list, choose Position APs.
Step 24
Click OK to continue.
Step 25
Click your AP and move it to position it over the LAB word.
Step 26
Click Save to validate the changes.
The difference between the AP uptime and the LWAPP uptime is the time it took for your AP to join the controller.
216
Step 27
You want to verify the coverage pattern of your AP. In the upper right drop-down
list, choose Recompute RF Prediction. Notice the other available options.
Step 28
Click Go.
Step 29
The map refreshes with the latest values.
You have successfully added your AP.
You see its heat map.
Lab Guide
217
Lab 5-3: Monitoring the Network and Containing

Devices
Activity Objective
In this activity, you will use the Cisco WCS tools to manage alarms and locate devices. After
Use the Cisco WCS to monitor events
Use the Cisco WCS to located devices
Use the Cisco WCS to contain a rogue
Visual Objective
Visual Objective for Lab 5-3: Monitoring

the Network and Containing Devices
IUWNE v1.016
Required Resources
218
A PC with connectivity to the remote lab
In the remote lab, connectivity to a controller using the web interface
An LWAPP AP
A remote lab wireless laptop
Connectivity to the Cisco WCS
Job Aids
Task 1: Monitoring Events

In this task, you will connect to the Cisco WCS and check the event dashboard. You will learn
to use the events, and to create reports.
Activity Procedure
29
Step 1
Step 2
Verify that you are still connected to the Cisco WCS, having a secure web browser
session to the address: https://10.100.1.129.
Step 3
Navigate to the Home page.
Step 4
At the bottom-left of the page, locate the dashboard called Alarm Summary.
Step 5
There should be some Malicious AP messages. Click the number you see for
Malicious AP messages. If there are no reported malicious AP messages, click
Monitor Security. Version 5.0 of Cisco WLC and Cisco WCS changed prior
version default displays of too many rogue APs. Display is now dependant on rulesbased rogue classification in both Cisco WLC and Cisco WCS starting in version
5.0.
Use https, secure http, and not http.
Lab Guide
219
220
Step 6
Click the number under Total Active in the Unclassified Rogue Access Points Alert
line.
Step 7
The yellow messages represent the APs not known by each controller. This means
that controller 2106-1 can report as rogue the AP on controller 2106-3, because
these two controllers are not in the same mobility group. Controllers will not report
APs seen on other controllers in the same mobility group, but will report any other
AP. This is why you may see APs from other pods, reported by your controller as
rogue, or APs from your pod, reported as rogue by the controllers outside your
mobility group.
Step 8
Look at the alarms. All states should be set to Alert.
Step 9
Click one of the APs MAC addresses.
Step 10
A new screen appears, with detailed information about the alarm.
Step 11
If the rogue is on the same channel as one of your APs, you should see the rogue
channel information. If the rogue is on another channel, it may be flagged as
unknown because your AP may only hear a distant signal without being sure of the
channel. Look at the time and date the alarm was created. This was the first time the
rogue was detected on your network.
Step 12
Annotations show that the alarm was acknowledged.
Step 13
Document when this alarm was created, which is when your AP detected it for the
first time:
____________________________________________________________________
Step 14
You want to know which AP detected this rogue. From the upper right drop-down
window, choose detecting APs. Click GO.
Step 15
A new screen appears, giving you details about the AP or APs detecting it.
Step 16
You want to know if this rogue has affected your AP performances. From the upper
menu, choose Reports > Performance Report.
Step 17
In the upper-right drop-down window choose New. Click Go.
Step 18
In Report title, enter a report name. It should be in the form PerformanceX, where
X is your pod number.
Step 19
Leave Report by to AP by controller.
Lab Guide
221
222
Step 20
In Controller, choose your controller.
Step 21
Leave Access point to All Access Points.
Step 22
In Protocol, check the 802.11a/n check box.
Step 23
For Reporting period, choose the last four days.
Step 24
Click Run Now.
Step 25
A new screen appears, showing a graphical representation of the Performance, called

Counters.
Step 26
Browse down to the FCS Error Rate report. Try to see if the rogue AP detection date
and time seen at Step 11 match with a change in the reported FCS rate.
Step 27
You also want to know how many rogue APs your controller has reported since the
beginning of the class. In Reports, choose Security Report.
Step 28
A new screen appears. In the left menu, choose Rogue APs Events.
Step 29
From the upper right drop-down menu, choose New. Click Go.
Step 30
In report title, enter the report name. It should be in the format RogueX, where X is
your pod number.
Step 31
In Report By, keep AP By Controller.
Step 32
In Controller, choose your controllers IP address.
Step 33
Leave Access Point to All Access Points.
Step 34
Leave Classification type to All Types.
Step 35
For reporting Period, choose the last 4 days.
Step 36
Click Run Now.
Lab Guide
223
Step 37
The report shows which rogues where detected and when. Most of them were
probably reported when you first configured your controller or a few seconds later.
Count how many rogues were detected:
___________________________________________________________________
Step 38
Among them, how many do not belong to the IUWNE lab?

___________________________________________________________________
Step 39
In the upper left, click the Home icon to go back to the main page.
You detected rogues from the dashboard.
You could run some reports and analyze the rogue message.
Task 2: Contain a Rogue

In this task, you will try to contain a rogue device.
Activity Procedure
224
Step 1
Reopen the remote desktop connection to your remote lab wireless laptop.
Step 2
Connections.
Step 3
Locate your wireless connection. It should be called Cisco Aironet 802.11a/b/g

wireless adapter.
Step 4
Step 5
Right-click your Cisco ASTU (The Aironet System Tray Utility, which is the green
icon on the system tray) icon and choose Open Aironet Desktop Utility.
Step 6
Click the Profile Management tab. Click the EAP-FAST profile. You should get
connected to the network.
Step 7
Open a command prompt. Click Start > All Programs > Accessories > Command
Prompt.
Step 8
You want to ping your controller continuously, but want to make sure that you are
using the wireless link and not the wired link.
Step 9
In the command prompt, check your IP address. Enter ipconfig.
Step 10
You will se the IP address of your Cisco WLAN adapter. Enter a static route using
this IP address to reach your controller virtual gateway IP address. Enter route add
1.1.1.1 mask 255.255.255.255 followed by your Cisco WLAN card IP address.
For example: route add 1.1.1.1 mask 255.255.255.255 10.10.1.28.
Step 11
Ping your controller continuously. Enter ping t followed by your controller virtual
gateway IP address: ping t 1.1.1.1.
Lab Guide
225
226
Step 12
The ping should be successful.
Step 13
Reduce the remote desktop window, but do not close it.
Step 14
Reopen the Cisco WCS browser window.
Step 15
Choose Monitor > Security.
Step 16
Click Unclassified Rogue APs in Alert state.
Step 17
You will see all the detected rogues. Because some controllers are in different
mobility groups, they report the others as rogues. In the list your AP with its WLAN
should also be seen as rogue. To understand what containment does, you will try to
treat it as a rogue and contain it.
Step 18
Click the rogue MAC address that matches your WLAN, IUWNE-FASTX, where X
is your pod number.
Step 19
In a real network, you would not contain your own APs. However. In this case,
suppose that a valid client of yours has connected by mistake to this rogue AP. To
contain it, from the upper drop-down window, choose 1 AP Containment30.
Step 20
Click GO.
Step 21
Read the warning. In a real network, you want to make absolutely sure that you are
containing a real rogue in your network before containing an AP. Disconnecting
valid clients from neighbor networks is usually forbidden.
Step 22
A new status screen appears, showing that the rogue AP is contained.
30
A rogue AP is reported here and you decide to contain it. To contain it implies that disassociation messages will be
sent to this AP client. In other words, Cisco WCS will ask the other APs around this one to spoof this APs MAC
address, and send disassociation messages. This implies that you actually use the other groups AP to contain your
rogue. You do not need more than one AP in this case, because all the APs and clients are in short range from each
other.
Lab Guide
227
228
Step 23
To see the effect of this containment, reopen the remote desktop connection to your
Step 24
The ping should fail most of the time. This connection has become unusable. In a
real network, using more than one AP to contain the rogue, all the pings would
probably fail. In a lab environment, because all APs are busy containing the others,
the connection is simply heavily disturbed.
Step 25
You suddenly realize that the rogue is actually one of your APs. Reopen the Cisco
WCS web browser interface.
Step 26
From the same rogue AP window, choose Set state to Friendly internal from the
upper-right menu. Click Go to confirm. This will stop the containment, and tell
Cisco WCS that this AP is one of the controllers APs.
Step 27
The AP status changes to Know AP.
Step 28
Reopen the connection to your remote lab wireless laptop.
Step 29
The ping should now be successful. The ping packets should be more consistent
with response times and without multiple drops.
Step 30
Close the command prompt window. Closing the window also interrupts the ping
process.
Step 31
Connections.
Step 32
Locate your wireless connection. It should be called Aironet 802.11a/b/g wireless

adapter.
Step 33
Lab Guide
229
Step 34
Close all the open windows.
Step 35
Close the remote desktop connection.
Step 36
Close the Cisco WCS web interface.
230
You could identify a rogue AP and contain it.
Lab 6-1: Back Up the Controller Configuration

and the Cisco WCS Database Files
Activity Objective
In this activity, you will perform maintenance tasks to protect your network against failures.
After completing this activity, you will be able to meet these objectives:
Use the command line to save your controller configuration files and manipulate them
Use a TFTP server to save your controller configuration files and manipulate them
Visual Objective
Visual Objective for Lab 6-1: Backing Up

the Controller Configuration and the
Cisco WCS Database Files
IUWNE v1.017
Required Resources
In the remote lab, a remote lab wireless laptop with TFTP server
Lab Guide
231
Command List
Display Controller Configuration and State Commands
Command
Description
show run-config
Displays the controller internal parameters
show running-config
Displays the controller configuration
Task 1: Examine Controller Configuration Files

In this task, you will examine two controller configuration files and save one of the two
configuration files. You will then check to see if the file can be reinjected to your controller.
Activity Procedure
Step 1
Step 2
Note
232
In each pod, only one connection to the remote lab wireless laptop is possible at a time.
Step 3
number.
Step 4
address of your remote lab wireless laptop, and click Connect.
Step 5
credentials required to access your remote lab wireless laptop. Enter your credentials
to your remote lab wireless laptop. They should be in the format studentX for the
username and cisco as the password, where X is your pod number.
Step 6
Step 7
Open a Telnet session to your controller. From your remote lab wireless laptop,
choose Start > All Programs > Accessories > Command Prompt.
Step 8
Enter telnet followed by the Management IP address of your Cisco 2106 controller.
It should be in the form telnet 10.X0.1.10, where X is your pod number.
Step 9
Enter your administrative user credentials. Username should be adminX, where X is

your pod number, and password cisco.
Step 10
At the command prompt, enter show run-config (note, not the same as show
running-config).
Lab Guide
233
Step 11
The show run-config command gives extensive information about your AP

configuration. Try to locate in the first pages the burned-in MAC address of your
controller (in the Inventory section, at the beginning of the first page), and document
it here:
_________________________________________________________________
Step 12
234
Further on, verify if your controller supports Management via wireless, that is
allows wireless users to connect to the controller for management purposes:
_______
Step 13
Browse down to your AP configuration section.
Step 14
Document your AP serial number: ________________________________
Lab Guide
235
Step 15
236
Document your AP BSSID:______________________________________
31
Step 16
Document your AP transmit power: _______________________________
Step 17
Browse through the rest of the configuration file.
Step 18
The configuration file displayed by show run-config command gives you extensive
information about your controller parameters, but is not replicable as a configuration
file to another controller. It is used for analysis purposes only. There is another
command, which gives information about the controller configuration in command
mode, just like a router or a switch. It is the show running-config command. Try it;
from the command prompt, enter show running-config31.
Step 19
A list of parameters appears on the command line. This is a configuration file closer
to the one you see on routers and switches, and that can be captured and saved.
Notice the difference between the two commands: show run-config and show running-config.
Lab Guide
237
Capture the information. In the configuration file, try to locate the Virtual interface
address. This information should be about four pages down in sequence.
238
Step 20
From the command line window, right-click the blue bar on top of the window, and
choose Edit. In the submenu, choose Mark.
Step 21
Choose the line describing your virtual interface in the screen. It should be
highlighted as you choose it.
Step 22
While still having the text highlighted, right-click the blue bar, choose Edit, and
choose Copy.
Step 23
Still from the remote lab wireless laptop, open the notepad. Click Start > All
Programs > Accessories > Notepad.
Step 24
Right-click inside the Notepad page, and choose Paste.
Step 25
The copied line appears into Notepad.
Step 26
You want to verify if this configuration file can be injected to a controller. Change
the Virtual interface address in the notepad file from 1.1.1.1 to 1.1.1.2.
Step 27
Select the whole note pad file; choose Edit > Select All.
Step 28
Choose Edit > Copy
Step 29
Move back to your controller command prompt. At the prompt, enter config.
Step 30
The prompt changes to config.
Lab Guide
239
Step 31
Right-click the blue bar, choose Edit > Paste. This will paste the line copied from
Notepad back into the controller. You may see a message informing you that the
system needs to be restarted. Do not restart.
Step 32
Still from your remote lab wireless laptop, open a secured web browser session to
your controller. Its IP address should be in the form 10.X0.1.10, where X is your
pod number.
Step 33
From the controller web interface, navigate to Controller.
Step 34
Click Interfaces on the left.
Step 35
Your virtual IP address is now 1.1.1.2. This shows that the configuration captured
from the show running-config command can be used to duplicate the configuration
to another controller, and can also be modified.
Step 36
Click Save Configuration to copy to the changes to the NVRAM.
Step 37
Close Notepad, leave the command prompt and web interface open.
You could capture the configuration file from the command prompt, modify it and reinject
it back to the controller
Task 2: Save the Configuration Using TFTP

The previous method is not very convenient and is error prone for complete configuration due
to cut and paste methods. However, the prior process of cut and paste does have limited value
during limited changes or when direct serial connection is the only possible communication. In
this task, you will save the configuration file using TFTP and examine it using an XML editor.
Activity Procedure
Step 1
240
From the remote lab wireless laptop, reduce the web interface and the command
prompt to access to your desktop.
Step 2
Locate the tftpd32 icon. Double click it to start the program.
Step 3
In the Current directory, browse to choose the Desktop.
Step 4
In Server interface, choose your wireless (not wired) connection IP address.

Document this IP address here:
_______________________________________________________________
Step 5
In the remote laptop task bar, click the web browser to go back to the Controller
interface.
Step 6
Click Save Configuration once again to be sure that the configuration is saved to
NVRAM.
Step 7
Navigate to Controller. Choose Interfaces in the left menu.
Step 8
Click your virtual gateway IP address interface.
Step 9
Its current value is 1.1.1.2, and this is the value saved in NVRAM. Change the value
to 1.1.1.3. Click Apply to validate the change.
Step 10
Read the warning about Please reset the system for the change to take effect.
Click OK to continue, however, do NOT reset the system.
Lab Guide
241
Step 11
Do not click Save configuration. The value in NVRAM is 1.1.1.2, and the value in
RAM is 1.1.1.3.
Step 12
Navigate to Commands.
Step 13
In the left menu, choose Upload File.
Step 14
In File Type, choose Configuration (versus Code).
Step 15
Do not enable file encryption32.
Step 16
In TFTP server IP address, enter your remote lab wireless laptop wireless (not
wired) interface IP address, documented in Step 4. Again, make sure that you use
the wireless interface, not the wired interface IP address.
Step 17
In File path, enter / which is the root directory of the TFTP server, which is your
desktop.
Step 18
In Filename, enter 2106-XConfig.txt, where X is your pod number.
Step 19
Click Upload.
Step 20
Read the warning about the file encryption, and click OK to continue.
Step 21
Look at the web interface. The process is said to be started, but then fails.
Step 22
The reason for this failure is that by default, management from wireless machines is
forbidden for security reasons. You could enable Management from Wireless in the
Management main menu, which would allow you to connect to your wireless
controller from a wireless machine; however, you would still not have the right to
upload and download controller configuration files via wireless. Only direct wired
Ethernet controller management would be allowed for transfer of configuration,
controller software, and so on.
Step 23
In the TFTP server window, choose your wired interface. It should be in the form
32
File Encryption encrypts the file before downloading it. Although this feature increases the file protection, you will
need to examine the downloaded file. It has to be unencrypted to be readable.
242
Step 24
From your controller web interface, change the TFTP server IP address to the new
address.
Step 25
Try again to upload the configuration file from the controller to the TFTP server.
Step 26
The process should be successful.
Step 27
Reduce the web browser window. The configuration should be on your desktop. As
it is a .txt file, Notepad would be used to open it by default, but WordPad would
actually be better to read it. Right-click your file, and choose Open with, and then
choose WordPad.
Step 28
The file is an XML file. You can see tags marking areas zones. The great advantage
of XML is that it is a universal language, and the file could be used in many
applications.
Step 29
Click Edit > Find.
Step 30
In find what, enter 1.1.1.3. Click Find Next. The value cannot be found.
Lab Guide
243
244
Step 31
Click Edit > Find Again, and enter this time 1.1.1.2. The value is found. This
means that the file sent when uploading the configuration file is the file in NVRAM,
not the file in RAM. A good practice is to always click Save Configuration before
saving a file to avoid differences between the controller actual configuration and the
saved file.
Step 32
In the Find dialog box, enter Checksum.
Step 33
Click Find Next. You will find several checksum areas. XML files are not normal
text files. If you were to edit this file with Notepad or WordPad and inject it back to
the controller, the process would work, but the controller would reboot and fail on
the checksum verification for this file. The result would be that the controller could
not use this file and would revert back to the initial setup wizard.
Step 34
Click Cancel to close the find dialog box.
Step 35
Click File > Exit. If the program asks if you want to save any change, answer No.
Step 36
You will now use an XML editor to look at the file. In your remote lab wireless
laptop, locate a yellow circle icon on your desktop called Cooktop. Double-click it
to start the program.
Step 37
Cooktop is an XML file free editor. It can change the file content just like a text
editor, but it will also recompute the checksums to make that the file is not corrupted
when reinjected. Click File > Open File.
Step 38
In Look In, choose Desktop. Verify that you are using All Files *.* versus the
default of All Cooktop Files for the file name extensions.
Step 39
Choose the controller configuration file (2106-XConfig.txt, where X is your pod

number), and click OK.
Step 40
Look at the configuration file, but do not change any value.
Step 41
In the XML menu, choose Validate.
Step 42
The system will validate the document and recompute the XML checksums.
Step 43
Click File Save.
Step 44
Exit the program
Step 45
You will try to reinject the modified configuration file to the controller. Reopen the
web browser window to your controller.
Step 46
Navigate to Commands. You should choose Download file (versus prior Upload).
Lab Guide
245
Step 47
In File Type, choose Configuration (versus Code).
Step 48
Leave the Configuration File Encryption Key field empty.
Step 49
In the TFTP server section of the page, in the IP Address field, enter your remote lab
wireless laptop wired (not wireless) interface IP address. It should be in the form
Step 50
Leave the maximum retries and timeout to their default values.
Step 51
Enter / in the File path field.
Step 52
In File Name, enter the configuration file name saved on your desktop.
Step 53
Click Download.
Step 54
Read the warning about the key, and click OK to continue.
Step 55
The download should be successful; your controller should store the downloaded
file to flash and reboot to take it into consideration.
Step 56
Wait about a minute for your controller to reboot, and verify that you can
successfully log back into the controller, and that the configuration reinjection was
taken into consideration.
Step 57
Close the browser to your controller.
Step 58
Close the command prompt in your remote laptop. Close the remote desktop
session.
246
You have saved your configuration file to a TFTP server and could reinject it back to the
controller.
Lab 6-2: Troubleshooting

Activity Objective
In this activity, you will troubleshoot controller and client misconfigurations. Your instructor
will introduce issues on your controller, and you will have to find them. After completing this
Troubleshoot your controller for issues related to the controller itself
Troubleshoot your controller for issues related to the APs
Troubleshoot your controller for issues related to client access
Visual Objective
Visual Objective for Lab 6-2:

Troubleshooting
IUWNE v1.018
Required Resources
Lab Guide
247
In the remote lab, a remote lab wireless laptop
Command List
Debug LWAPP Commands
Command
Description
debug lwapp errors enable
Reports LWAPP errors seen on the controller to the

console
debug lwapp events enable
Reports LWAPP events to the console
Job Aids
248
Initial lab table

Pod 1
Pod 2
Pod 3
Pod 4
Remote lab wireless

laptop address
10.10.1.240
10.20.1.240
10.30.1.240
10.40.1.240
Remote lab wireless

laptop login
student1
student2
student3
student4
Remote lab wireless

laptop password
cisco
cisco
cisco
cisco
Controller name
2106-1
2106-2
2106-3
2106-4
Administrative user
admin1
admin2
admin3
admin4
Administrative
password
cisco
cisco
cisco
cisco
IP address
10.10.1.10
10.20.1.10
10.30.1.10
10.40.1.10
mask
255.255.255.0
255.255.255.0
255.255.255.0
255.255.255.0
Default router
10.10.1.254
10.20.1.254
10.30.1.254
10.40.1.254
Management vlan id
Management port
Management DHCP
server
10.10.1.10
10.20.1.10
10.30.1.10
10.40.1.10
10.10.1.11
10.20.1.11
10.30.1.11
10.40.1.11
AP Manager DHCP
server
10.10.1.10
10.20.1.10
10.30.1.10
10.40.1.10
Virtual gateway IP
address
1.1.1.1
1.1.1.1
1.1.1.1
1.1.1.1
Mobility group name
Pod1
Pod2
Pod3
Pod4
Enable symmetric
tunneling
No
No
No
No
Network name
IUWNE-1
IUWNE-2
IUWNE-3
IUWNE-4
Allow static IP
addresses
Yes
Yes
Yes
Yes
Radius server
No
No
No
No
Country code
US
US
US
US
yes
yes
yes
yes
Configure NTP
No
No
No
No
Configure time
No
No
No
No
DHCP scope name
Scope 1-1
Scope 2-1
Scope 3-1
Scope 4-1
DHCP start address
10.10.1.21
10.20.1.21
10.30.1.21
10.40.1.21
DHCP end address
10.10.1.25
10.20.1.25
10.30.1.25
10.40.1.25
DHCP Network
10.10.1.0
10.20.1.0
10.30.1.0
10.40.1.0
Lab Guide
249
Pod 1
Pod 2
Pod 3
Pod 4
DHCP Netmask
255.255.255.0
255.255.255.0
255.255.255.0
255.255.255.0
DHCP lease time
14400
14400
14400
14400
DHCP default router
10.10.1.254
10.20.1.254
10.30.1.254
10.40.1.254
DHCP DNS server
10.100.1.1
10.100.1.1
10.100.1.1
10.100.1.1
DHCP Netbios Srvr
10.100.1.1
10.100.1.1
10.100.1.1
10.100.1.1
DHCP status
Enabled
Enabled
Enabled
Enabled
VLAN 90 ID
90
90
90
90
VLAN 90 IP
172.16.90.10
172.16.90.20
172.16.90.30
172.16.90.40
VLAN90 netmask
255.255.255.0
255.255.255.0
255.255.255.0
255.255.255.0
VLAN 90 gateway
172.16.90.253
172.16.90.253
172.16.90.253
172.16.90.253
VLAN 90 port
VLAN 90 DHCP server
172.16.90.253
172.16.90.253
172.16.90.253
172.16.90.253
WLAN
IUWNE-Web1
IUWNE-Web2
IUWNE-Web3
IUWNE-Web4
Switch IP address
10.10.1.253
10.20.1.253
10.30.1.253
10.40.1.253
Switch username
student1
student2
student3
student4
Switch password
cisco
Cisco
Cisco
Cisco
the switch
Gigabitethernet0/3
Gigabitethernet0/8
Gigabitethernet0/13
Gigabitethernet0/18
Native VLAN
10
20
30
40
Local Net user name
Webuser1
Webuser2
Webuser3
Webuser4
Local net password
Cisco
Cisco
Cisco
Cisco
Cisco WCS user
Admin1
Admin2
Admin3
Admin4
Cisco WCS password
Cisco
Cisco
Cisco
Cisco
10.10.1.10
10.20.1.10
10.30.1.10
10.40.1.10
AP new channel
40
44
48
52

Pod 5
Pod 6
Pod 7
Pod 8
Remote lab wireless

laptop address
10.50.1.240
10.60.1.240
10.70.1.240
10.80.1.240
Remote lab wireless

laptop login
student5
student6
student7
student8
Remote lab wireless

laptop password
cisco
cisco
cisco
cisco
Controller name
2106-5
2106-6
2106-7
2106-8
Administrative user
admin5
admin6
admin7
admin8
Administrative
password
cisco
cisco
cisco
cisco
250
Pod 5
Pod 6
Pod 7
Pod 8
IP address
10.50.1.10
10.60.1.10
10.70.1.10
10.80.1.10
mask
255.255.255.0
255.255.255.0
255.255.255.0
255.255.255.0
Default router
10.50.1.254
10.60.1.254
10.70.1.254
10.80.1.254
Management vlan id
Management port
Management DHCP
server
10.50.1.10
10.60.1.10
10.70.1.10
10.80.1.10
AP manager IP
address
10.50.1.11
10.60.1.11
10.70.1.11
10.80.1.11
AP Manager DHCP
server
10.50.1.10
10.60.1.10
10.70.1.10
10.80.1.10
Virtual gateway IP
address
1.1.1.1
1.1.1.1
1.1.1.1
1.1.1.1
Mobility group name
Pod5
Pod6
Pod7
Pod8
Enable symmetric
tunneling
No
No
No
No
Network name
IUWNE-5
IUWNE-6
IUWNE-7
IUWNE-8
Allow static IP
addresses
Yes
Yes
Yes
Yes
Radius server
No
No
No
No
Country code
US
US
US
US
yes
yes
yes
yes
Configure NTP
No
No
No
No
Configure time
No
No
No
No
DHCP scope name
Scope 5-1
Scope 6-1
Scope 7-1
Scope 8-1
DHCP start address
10.50.1.21
10.60.1.21
10.70.1.21
10.80.1.21
DHCP end address
10.50.1.25
10.60.1.25
10.70.1.25
10.80.1.25
DHCP Network
10.50.1.0
10.60.1.0
10.70.1.0
10.80.1.0
DHCP Netmask
255.255.255.0
255.255.255.0
255.255.255.0
255.255.255.0
DHCP lease time
14400
14400
14400
14400
DHCP default router
10.50.1.254
10.60.1.254
10.70.1.254
10.80.1.254
DHCP DNS server
10.100.1.1
10.100.1.1
10.100.1.1
10.100.1.1
DHCP Netbios Srvr
10.100.1.1
10.100.1.1
10.100.1.1
10.100.1.1
DHCP status
Enabled
Enabled
Enabled
Enabled
VLAN 90 ID
90
90
90
90
VLAN 90 IP
172.16.90.50
172.16.90.60
172.16.90.80
172.16.90.90
VLAN90 netmask
255.255.255.0
255.255.255.0
255.255.255.0
255.255.255.0
Lab Guide
251
Pod 5
Pod 6
Pod 7
Pod 8
VLAN 90 gateway
172.16.90.253
172.16.90.253
172.16.90.253
172.16.90.253
VLAN 90 port
VLAN 90 DHCP server
172.16.90.253
172.16.90.253
172.16.90.253
172.16.90.253
WLAN
IUWNE-Web5
IUWNE-Web6
IUWNE-Web7
IUWNE-Web8
Switch IP address
10.50.1.253
10.60.1.253
10.70.1.253
10.80.1.253
Switch username
student5
student6
student7
student8
Switch password
cisco
cisco
cisco
cisco
the switch
Gigabitethernet0/3
Gigabitethernet0/8
Gigabitethernet0/13
Gigabitethernet0/18
Native VLAN
50
60
70
80
Local Net user name
Webuser5
Webuser6
Webuser7
Webuser8
Local net password
Cisco
Cisco
Cisco
Cisco
Cisco WCS user
Admin5
Admin6
Admin7
Admin8
Cisco WCS password
Cisco
Cisco
Cisco
Cisco
10.50.1.10
10.60.1.10
10.70.1.10
10.80.1.10
AP new channel
56
60
64
36
252
Lab 6-3: Optional Lab

Troubleshooting with Wireshark and Converting
an AP to Autonomous Mode
Activity Objective
In this activity, you will use the Wireshark software to troubleshoot connection issues. Your
instructor will introduce issues to your configuration, and you will have to find them. You will
then convert your Cisco 1252 AP back to autonomous mode. After completing this activity,
you will be able to meet these objectives:
Use Wireshark to troubleshoot a connection
Convert an LWAPP AP to standalone mode
Visual Objective
Visual Objective for Lab 6-3: Optional

Lab
IUWNE v1.019
Required Resources
Lab Guide
253
Step 16
In Profile Name, enter Webauth.
Step 17
Leave the Client name to its default.
Step 18
In the SSID1 field, enter the name of the web authentication SSID on your 526
controller. It should be in the form IUWNE-WebX, where X is your pod number.
Step 19
Step 20
Check that security is set to None, because this WLAN uses open authentication.
Step 21
Click the Advanced tab.
Lab Guide
261
Step 22
Because the WLAN is on the b/g network, uncheck 5 GHz 54 Mbps. Leave the
other parameters to their default values.
Step 23
Click OK to validate your profile.
Step 24
Do not associate to it yet. Click the Diagnostic tab, and click Adapter information.
Step 25
Document your Cisco card MAC address:

__________________________________________________________________
262
Step 26
Close the adaptor information window.
Step 27
Start Wireshark. Click Start > All Programs > Wireshark > Wireshark.
Step 28
Choose the right interface to capture from. You will use the Airpcap passive
interface. In Wireshark, click Capture and choose Interfaces.
Step 29
In the interfaces list, you see Airpcap USB wireless capture adapter. Click Options
at the right end of the Airpcap USB wireless capture adapter line.
Step 30
A new window appears. Make sure that Capture in promiscuous mode is checked.
Step 31
Click Wireless settings.
Step 32
In Channel, choose the channel used by your authentication WLAN documented at

Step 13.
Step 33
Make sure that capture type is set to 802.11 + Radio. Click OK to validate.
Lab Guide
263
Step 34
You want to filter the capture to only display frames coming from and to your Cisco
WLAN adapter. In the capture filter field, enter ether host followed by the MAC
address of your Cisco WLAN card documented in step 25 of the previous task. For
example: ether host 00:0b:85:72:17:10
Step 35
Go back to the Cisco ADU, and double click the Webauth profile to associate to the
WLAN.
Step 36
The association should be successful.
Step 37
Try to open the web authentication page via the example URL test.example.com.
The page cannot be found.
Step 38
Go back to Wireshark. Stop the capture.
Step 39
Use the capture to try to understand what went wrong. Keep in mind that each frame
should be acknowledged, that your client is very close to the AP and should get a
good speed. Also keep in mind that the connection process for a web authenticated
WLAN is authentication request, authentication response, association request,
association response, DHCP exchange, and then Web authentication.
264
You found the issue and could correct it.
Task 2: Migrate Your LWAPP 1252 AP to Autonomous Mode

In this task, you will learn how to migrate your LWAPP AP back to standalone mode. To do it,
you will need to have a TFTP server running on your remote lab wireless laptop with the
correct image. You will then configure the AP from the controller CLI to reboot and download
the image.
Activity Procedure
Step 1
Make sure that you have a VPN tunnel to the remote lab.
Step 2
Note
Step 3
number.
Lab Guide
265
266
Step 4
In the Remote Desktop Connection pop-up window, in the Computer field, enter the
Step 5
wireless laptop. They should be in the format studentX and cisco, where X is your
pod number.
Step 6
Step 7
Locate on your Desktop a folder called IOS-TO-LWAPP. If you cannot locate it,
check with your instructor. Also locate the tftpd32 program.
Step 8
Open the IOS-to-LWAPP folder, and make sure it contains the c1250-k9w7tar.default image file. This is the file that the AP will be looking for: it contains a
default Cisco IOS image for the Cisco 1252 platform. If the file is not there, ask
your instructor. Otherwise, close the folder.
Step 9
Double-click the tftpd32 icon to launch the program.
Step 10
Click the browse button on the right side of the Current directory line in the tftpd32
application, navigate to your desktop, and choose the IOS-TO-LWAPP folder.
Step 11
In the server interface drop-down list, make sure to choose 10.X0.1.240, where X is
your pod number.
Step 12
Your TFTP server is ready to send the right image for the Cisco 1252 AP. Keep the
remote desktop session in the background.
Lab Guide
267
268
Step 13
Open a CLI session to your Cisco 2106 controller: still from your remote wireless
laptop, choose Start > Programs > Accessories > Command Prompt.
Step 14
Enter telnet followed by the IP address of your controller Service Interface IP

address. It should be in the format telnet 10.X0.1.10, where X is your pod number.
Step 15
Enter your administrative user credentials. Username should be adminX, where X is

your pod number, and password cisco.
Step 16
You should get the (Cisco Controller)> prompt.
Step 17
Enter show ap summary to verify that your AP is here.
Step 18
You should see your AP name.
Step 19
Enter the following command: config ap tftp-downgrade 10.X0.1.240 c1250k9w7-tar.default 1252-X where X is your pod number. The 1252-X is the AP
name given earlier in the lab exercises.
Step 20
This command does not generate any prompt on the controller. Navigate back to
your remote lab wireless laptop PC, and check if the TFTP server is providing the
image to the rebooting AP.
Step 21
If the TFTP server is not providing the image, wait a few minutes, go back to your
controller and restart from Step 19.
Step 22
While the image is being provided to your AP, connect to the terminal server. From
your class PC, choose Start > Programs > Accessories > Command Prompt.
Step 23
Step 24
Lab Guide
269
270
Step 25
is your pod number.
Step 26
Take some time to familiarize yourself with the different options provided.
Step 27
You now need to connect to the 1252 AP, Item 4.
Step 28
You should be able to follow your AP download process, and see the AP reboot,
using the new image. While the AP boots, you should be able to see at different
steps that it is using the c1250-k9w7 image, which is the default autonomous image.
Step 29
Once this process completes, you should be able to access to the AP CLI. You may
have to press Enter to activate the CLI.
Step 30
Enter enable to access privileged mode. The password is Cisco (with Capital C).
Step 31
Enter show ip interface brief to check the ip addresses present on the AP.
Step 32
You should see that the IP address is assigned to the BVI interface, which is an
indication that the AP is back to standalone mode. All the usual IOS commands,
such as configure terminal, are available. Do not configure this AP further.
Your LWAPP based 1252 AP is back to standalone mode.
Lab Guide
271
Answer Key
The correct answers and expected solutions for the activities that are described in this guide
appear here.
Lab 1-1 Answer Key: Power Conversions

When you complete this activity, you will get answers similar to the results here:
Task 1
Q1)
13 dBm
Q2)
16 dBm
Q3)
33 dBm
Q4)
200 mW
Q5)
0.05 mW
Q6)
The station receives -60 dBm and the noise level is -66 dBm. The SNR is (-66 (-60)) 6 dBm. This level is
not an acceptable SNR level. It is far too weak.
Q7)
dBi = dBd + 2.14, and dBd = dBi - 2.14. 7.24 dBi = 7.24 - 2.14 = 5.1 dBi.
Q8)
11.44 dBi
Q9)
dBi = dBd + 2.14, and dBd = dBi - 2.14. 13.56 dBd = 13.56 + 2.14 = 15.7 dBd.
Q10)
21 dBi
Q11)
18.86 dBd
Q12)
2.14 dBi = 0 dBd. 3.28 dBd = 5.42 dBi. 3.28 dBd is far more powerful than 2.14 dBi. The difference is
3.28 dB (dBi or dBd), more than twice the power.
Q13)
3.41 dBi = 2.55 dBd. dBm cannot be converted to dBi or dBd. dBm expresses a power with the milliwatt
as a reference, whereas dBd and dBi compare powers with antenna references. If the second value had
been 4.18 dBd, the comparison would have been possible: 4.18 dBd = 6.32 dBi, which is 2.91 dB
difference (dBi or dBd), almost twice the power.
Q1)
A 21 dBi dish antenna would be best.
Q2)
An 8.1 dBi patch antenna would be best.
Q3)
A 5.2 dBi omnidirectional antenna would be best.
Q4)
EIRP = Tx (dBm) cable loss + antenna gain. 40 mW is 16 dBm.

EIRP = 16 3 + 13.5 = 26.5 dBm.
Q5)
20 mW is 13 dBm. 20 feet of cable incurs a 1 dB loss.

EIRP = 13 1 + 5.2 = 17.2 dBm.
Q6)
100 mW is 20 dBm.
EIRP = 20 + 8.5 = 28.5 dBm.
Q7)
EIRP = Tx (dBm) cable loss + antenna gain.

Here: 20 = Tx 3 + 3. Tx should be 20 dBm, or 100 mW.
Q8)
EIRP = Tx (dBm) cable loss + antenna gain.

Here: 17 = Tx 9 -0.5 + 13.5. Tx should be 13 dBm or 20 mW.
Task 2
272
Q9)
EIRP = Tx (dBm) cable loss + antenna gain. 40 mW is 16 dBm.

Here: 17 = 16 - cable loss + 5.2. Cable loss should be 4.2 dB. 2.8 dB per 100 feet implies the need to use
150 feet of cable.
Task 3
Step 2)
dual patch antenna
Step 3)
a large hall or warehouse
Step 4)
a pillar (with each patch on one side)
Step 6)
directional antenna
Step 7)
point-to-point long-range link
Step 8)
a rooftop
Step 10)
omnidirectional antenna
Step 11)
open space or meeting room coverage
Step 12)
ceiling
Lab 1-2 Answer Key: Creating an Ad Hoc Network (IBSS) and

Analyzing the Communication
When you complete this activity, you will get similar results to the ones displayed here:
Task 4
Step 43
The most common frame is the beacon, which is sent 10 times per seconds.
Step 44
You should see data packets such as the pings.
Step 45
The frequency depend on the group.
Step 46
The data was sent at 1 Mb/s.
Step 47
100 ms.
Step 48
1, 2, 5.5 and 11 Mb/s.
Step 49
802.11b.
Step 50
IBSSID
Step 51
Yes, the Intel 4965AGN supports WMM.
Step 52
Data frames are sent at the optimum speed from the sender perspective and ACKs
are sent at the mandatory speed immediately below the speed used for the data
frame.
Lab 2-1 Answer Key: Configuring a Cisco 2106 WLC

When you complete this activity, you will get a similar configuration to the one displayed here:
Show running-config
802.11a cac voice tspec-inactivity-timeout ignore
802.11a cac video tspec-inactivity-timeout ignore
802.11a cac voice stream-size 84000 max-streams 2
802.11b cac voice tspec-inactivity-timeout ignore
802.11b cac video tspec-inactivity-timeout ignore
Lab Guide
273
802.11b cac voice stream-size 84000 max-streams 2

aaa auth mgmt local radius
location rssi-half-life tags 0
location rssi-half-life client 0
location rssi-half-life rogue-aps 0
location expiry tags 5
location expiry client 5
location expiry calibrating-client 5
location expiry rogue-aps 5
ap syslog host global 255.255.255.255
dhcp create-scope pod1-1
dhcp address-pool pod1-1 10.10.1.21 10.10.1.26
dhcp default-router pod1-1 10.10.1.254
dhcp enable pod1-1
dhcp dns-servers pod1-1 10.100.1.1
dhcp netbios-name-server pod1-1 10.100.1.1
dhcp network pod1-1 10.10.1.0 255.255.255.0
interface address ap-manager 10.10.1.11 255.255.255.0 10.10.1.254
interface address management 10.10.1.10 255.255.255.0 10.10.1.254
interface address virtual 1.1.1.1
interface dhcp ap-manager primary 10.10.1.10
interface dhcp management primary 10.10.1.10
interface port ap-manager 1
interface port management 1
load-balancing window 5
logging buffered 6
logging syslog host 0.0.0.0
mesh security eap
mgmtuser add admin1 **** read-write
mobility group domain Pod1
mobility dscp value for inter-controller mobility packets 0
network telnet enable
network otap-mode disable
network rf-network-name Pod1
radius fallback-test mode off
radius fallback-test username cisco-probe
radius fallback-test interval 300
sessions timeout 0
snmp version v2c enable
snmp version v3 enable
sysname 2106-1
wlan create 1 IUWNE-1 IUWNE-1
wlan radio 2 802.11a
wlan session-timeout 1 disable
wlan session-timeout 2 1800
wlan wmm allow 1
wlan wmm allow 2
wlan security wpa disable 1
wlan radius_server acct disable 2
wlan security static-wep-key encryption 1 104 <mode unknown> <passwd hidden> 1
wlan security static-wep-key encryption 2 104 <mode unknown> <passwd hidden>
1
wlan security wpa akm ft reassociation-time 20 1
wlan security wpa akm ft over-the-air enable 1
wlan security wpa akm ft over-the-ds enable 1
wlan security wpa wpa1 enable 2
wlan security wpa wpa1 ciphers tkip enable 2
wlan security wpa wpa2 disable 2
wlan enable 2
274
Lab 2-2 Answer Key: Configuring and Migrating a Standalone

AP
(Cisco Controller) >show ap summary
Number of APs.................................... 1
Global AP User Name.............................. Not Configured
AP Name
Slots AP Model
Ethernet MAC
Port Country
------------------ ----- ------------------- --------------------- ---- ------1252-1
2
AIR-LAP1252AG-A-K9
00:1d:45:91:37:10
Module 5 1
US
(Cisco Controller) >show ap config general 1252-1
Cisco AP Identifier..............................
Cisco AP Name....................................
Country code.....................................
Regulatory Domain allowed by Country.............
AP Country code..................................
AP Regulatory Domain.............................
Switch Port Number ..............................
MAC Address......................................
IP Address Configuration.........................
IP Address.......................................
IP NetMask.......................................
Gateway IP Addr..................................
Telnet State.....................................
Ssh State........................................
Cisco AP Location................................
Cisco AP Group Name..............................
Primary Cisco Switch Name........................
Primary Cisco Switch IP Address..................
Secondary Cisco Switch Name......................
Secondary Cisco Switch IP Address................
Tertiary Cisco Switch Name.......................
Tertiary Cisco Switch IP Address.................
Administrative State ............................
Operation State .................................
Mirroring Mode ..................................
AP Mode .........................................
Public Safety ...................................
Disabled
Remote AP Debug .................................
S/W Version ....................................
Boot Version ...................................
Mini IOS Version ................................
Stats Reporting Period ..........................
LED State........................................
PoE Pre-Standard Switch..........................
PoE Power Injector MAC Addr......................
Number Of Slots..................................
AP Model.........................................
IOS Version......................................
Reset Button.....................................
AP Serial Number.................................
AP Certificate Type..............................
Management Frame Protection Validation...........
Disabled)
AP User Mode.....................................
AP User Name.....................................
Cisco AP system logging host.....................
AP Up Time.......................................
AP LWAPP Up Time.................................
Join Date and Time...............................
Location
----------IUWNE
2
1252-1
US - United States
802.11bg:-AB
802.11a:-AB
US - United States
802.11a:-A
1
00:1d:45:91:37:10
DHCP
10.10.1.22
255.255.255.0
10.10.1.254
Disabled
Disabled
IUWNE Lab
none
2601-1
Not Configured
Not Configured
Not Configured
ADMIN_ENABLED
REGISTERED
Disabled
Local
Global: Disabled, Local:
Disabled
5.0.148.0
12.4.10.0
3.0.51.0
180
Enabled
Enabled
Disabled
2
AIR-LAP1252AG-A-K9
12.4(13d)JA
Enabled
FTX1201906W
Manufacture Installed
Enabled (Global MFP
Not Configured
Not Configured
255.255.255.255
0 days, 05 h 33 m 30 s
0 days, 05 h 32 m 29 s
Sat Feb 16 00:24:51 2008
Lab Guide
275
Join Taken Time.................................. 0 days, 00 h 01 m 00 s

Ethernet Port Duplex............................. Auto
Ethernet Port Speed.............................. Auto
Lab 2-3 Answer Key: Installing and Configuring a Cisco

Mobility Express Wireless Controller and AP
Task 1:
(Cisco Controller) >show running-config
advanced location expiry tags 1200
advanced location expiry client 150
advanced location expiry calibrating-client 30
advanced location expiry rogue-aps 1200
logging buffered 1
mesh security eap
msglog level critical
sysname 526-1
wlan dhcp_server 1 10.10.1.11 required
802.11a disable network
wlan enable 2
Task 3
On the switch:
Show running-config
output omitted
Ip dhcp excluded-address 10.10.1.1 10.10.1.30
Ip dhcp excluded-address 10.10.1.36 10.10.1.255
Ip dhcp pool Pod1
Network 10.10.1.0 255.255.255.0
Default-router 10.10.1.254
Lease 0 4
Dns-server 10.100.1.1
output omitted
Lab 3-1 Answer Key: Installing and Using the Cisco ADU
There is no answer key for this lab.
276
Lab 3-2 Answer Key: Experimenting with Connections and

Roaming
Show running-config
Location Summary
Algorithm used:
Average
Client
RSSI expiry timeout:
5 sec
Half life:
0 sec
Notify Threshold:
0 db
Calibrating Client
5 sec
Half life:
0 sec
Rogue AP
5 sec
Half life:
0 sec
Notify Threshold:
0 db
RFID Tag
5 sec
Half life:
0 sec
Notify Threshold:
0 db
dhcp create-scope Scope1-1
dhcp address-pool Scope1-1 10.10.1.21 10.10.1.25
dhcp default-router Scope1-1 10.10.1.254
dhcp enable Scope1-1
dhcp dns-servers Scope1-1 10.100.1.1
dhcp lease Scope1-1 14400
dhcp netbios-name-server Scope1-1 10.100.1.1
dhcp network Scope1-1 10.10.1.0 255.255.255.0
local-auth method fast server-key 736563726574
mesh security eap
mobility group member add 00:1e:13:50:a6:60 10.20.1.10
network webmode enable
network mgmt-via-dynamic-interface enable
Lab Guide
277

sysname 2106-1
wlan create 2 Roaming IUWNE-ROAM1
wlan wmm allow 1
wlan wmm allow 2
wlan enable 2
Lab 4-1 Answer Key: 802.1Q and Web Authentication

(Cisco Controller) >show running-config
advanced location expiry tags 1200
advanced location expiry client 150
advanced location expiry calibrating-client 30
advanced location expiry rogue-aps 1200
interface create vlan90 90
interface address dynamic-interface vlan90 90.90.90.10 255.255.255.0
90.90.90.253
interface dhcp dynamic-interface vlan90 primary 90.90.90.254
interface vlan vlan90 90
interface port vlan90 1
logging buffered 1
mesh security eap
msglog level critical
netuser add webuser1 cisco 2 userType permanent description User for the Web
based WLAN
netuser wlan-id webuser1 2
sysname 526-1
wlan create 2 Web_Authentication IUWNE-Web1
wlan interface 2 vlan90
wlan dhcp_server 1 10.10.1.11 required
802.11a disable network
wlan enable 2
On the switch:
278
Show running-config interface g0/3

Switchport trunk encapsulation dot1q
Switchport mode trunk
Switchport trunk native vlan 10
Lab 4-2 Answer Key: Configuring EAP-FAST Authentication

with WPA
Show running-config
dhcp create-scope Pod1
dhcp address-pool Pod110.10.1.21 10.10.1.26
dhcp default-router Pod110.10.1.254
dhcp enable Pod1
dhcp dns-servers Pod110.100.1.1
dhcp netbios-name-server Pod110.100.1.1
dhcp network Pod110.10.1.0 255.255.255.0
local-auth eap-profile add EAP-FAST1
local-auth eap-profile cert-issuer cisco EAP-FAST1
local-auth eap-profile method add fast EAP-FAST1
local-auth user-credentials ldap
local-auth eap-profile cert-verify ca-issuer disable EAP-FAST1
ldap retransmit-timeout 1 30
logging buffered 6
mesh security eap
mobility group domain Group1
netuser add Fastuser1 **** wlan 2 userType permanent description
netuser wlan-id fastuser1 2
sessions timeout 0
sysname 2106-1
Lab Guide
279
wlan create 2 EAP_FAST IUWNE-FAST1

wlan local-auth enable EAP-FAST1 2
wlan wmm allow 1
wlan wmm allow 2
wlan ldap add 2 1
1
1
wlan enable 2
Lab 5-1 Answer Key: Configuring Controllers and APs from the
Cisco WCS Interface
When you complete this activity, will get similar results to the one displayed here:
Task 2
Step 18: You should see the class main switch; the port depends on the group.
Lab 5-2 Answer Key: Working with Maps

When you complete this activity, you will get similar results to the one displayed here:
Task 2:
Step 9: The lab is about 10 m wide and 11 m high in its longer dimension.
Lab 5-3 Answer Key: Monitoring the Network and Containing

Devices
280
Lab 6-1 Answer Key: Backing Up Controller Configuration and

the Cisco WCS Database Files
When you complete this activity, will get similar results to those displayed here:
Show running-config
Show running-config
dhcp create-scope Pod1
dhcp address-pool Pod110.10.1.21 10.10.1.26
dhcp default-router Pod110.10.1.254
dhcp enable Pod1
dhcp dns-servers Pod110.100.1.1
dhcp netbios-name-server Pod110.100.1.1
dhcp network Pod110.10.1.0 255.255.255.0
local-auth eap-profile add EAP-FAST1
local-auth eap-profile cert-issuer cisco EAP-FAST1
local-auth eap-profile method add fast EAP-FAST1
local-auth user-credentials ldap
local-auth eap-profile cert-verify ca-issuer disable EAP-FAST1
ldap retransmit-timeout 1 30
logging buffered 6
mesh security eap
netuser add Fastuser1 **** wlan 2 userType permanent description
netuser wlan-id Fastuser1 2
sessions timeout 0
sysname 2106-1
wlan create 2 EAP_FAST IUWNE-FAST1
wlan local-auth enable EAP-FAST1 2
Lab Guide
281

wlan wmm allow 1
wlan wmm allow 2
wlan ldap add 2 1
wlan security static-wep-key encryption 1 104 <mode unknown> <passwd
hidden> 1
wlan security static-wep-key encryption 2 104 <mode unknown> <passwd
hidden> 1
wlan enable 2
Controller XML version:

<XML_config_variables>
<XML_config_variables-aaaLocalEapCfg.xml-7741ad65>
<LocalAuth-EAP-Configuration>
<DataBaseName>Local EAP Database</DataBaseName>
<method>
<fast>
<serverKeyEnc>
<iv>02a73af1a97673be3790122d2ecacec1</iv>
<mac>a6aa51e29b7c2485d490570211a7cb6f7c28a4ae</mac>
<passwd>01179a42d90d1bd06a1e7caa18fee13a00000000000000000000000000000000</passwd
>
</serverKeyEnc>
</fast>
</method>
<EAP-Profiles index="0">
<active>ENABLE</active>
<profileName>prfMaP1500LlEAuth93</profileName>
<profileHandle>195437080</profileHandle>
<certIssuer>legacy</certIssuer>
<Enable-Disable-flags>-123</Enable-Disable-flags>
<methodParams>
<localCertRequired>Required</localCertRequired>
<clientCertRequired>Required</clientCertRequired>
</methodParams>
<methods index="0">
<methodType>43</methodType>
<methodName>fast</methodName>
</methods>
<data>195437180</data>
</EAP-Profiles>
</LocalAuth-EAP-Configuration>
<XML_crc_file_size>1023</XML_crc_file_size>
<XML__CRC__CHECKSUM>3969282295</XML__CRC__CHECKSUM>
</XML_config_variables-aaaLocalEapCfg.xml-7741ad65>
<XML_config_variables-aaaapiFileDbCfgData.xml-ba700b76>
<User-Access-Configuration>
<numItems>1</numItems>
<length>223424</length>
<maxItems>512</maxItems>
<numOfRWUsers>1</numOfRWUsers>
<userDatabase index="0" arraySize="512">
<userName>admin1</userName>
<serviceType>6</serviceType>
<passwordStore>
<ps_type>PS_STATIC_AES128CBC_SHA1</ps_type>
<iv>d988dbd8ca6ed6d3b885885adca8474f</iv>
282
<mac>c52df09a410ea11f3a0ebae6b5d188aaf258726f</mac>
<max_passwd_len>50</max_passwd_len>
<passwd_len>64</passwd_len>
<passwd>3f33b257d1d5bf8f73f7f88a4b27113b4620283bd06892b0bb45e84dabbdbb874c95fa1a
6d252523aa776805b8080259756658316f5623cd4d44e57c35e972250000</passwd>
</passwordStore>
</userDatabase>
</User-Access-Configuration>
</XML_config_variables-aaaapiFileDbCfgData.xml-ba700b76>
<XML_config_variables-apfCfgData.xml-82be6d39>
<APCommon-Configuration>
<ConfigIsComplete>0</ConfigIsComplete>
<NumOfWLANs>2</NumOfWLANs>
<WirelessLANData index="1">
<ProfileName>IUWNE-1</ProfileName>
<ProfileNameLen>7</ProfileNameLen>
<Identifier>1</Identifier>
<Status>ENABLED</Status>
<BroadcastSSIDEnabled>1</BroadcastSSIDEnabled>
<CcxAironetIeSupportEnabled>1</CcxAironetIeSupportEnabled>
<Security>
<SecurityType>16384</SecurityType>
<wepPolicy>
<configData>
<Dot11Encryption>WEP104</Dot11Encryption>
<KeyIndex>1</KeyIndex>
</configData>
</wepPolicy>
<dot1xPolicy>
<configData>
<AuthTimeout>1800</AuthTimeout>
</configData>
</dot1xPolicy>
<wifiPolicy>
<configData>
<mcastCipher>4</mcastCipher>
<rsnIeData>30160100000fac040100000fac040100000fac0128000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000</rsnIeData>
<rsnIeLen>24</rsnIeLen>
<warpIeData>dd0a00c0b90100000008010100000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000</warpIeData>
<warpIeLen>12</warpIeLen>
</configData>
</wifiPolicy>
<ipsecPolicy>
<configData>
<IpsecIkePhase1Mode>MAIN</IpsecIkePhase1Mode>
</configData>
</ipsecPolicy>
<VlanLocalAddress>10.10.1.10</VlanLocalAddress>
<VlanLocalNetmask>255.255.255.0</VlanLocalNetmask>
<GWAddress>10.10.1.254</GWAddress>
<BlacklistTimeout>60</BlacklistTimeout>
<InterfaceName>management</InterfaceName>
<WmePolicy>ALLOWED</WmePolicy>
</Security>
<Ssid>IUWNE-1</Ssid>
<apfVapSsidLen>7</apfVapSsidLen>
</WirelessLANData>
<Dot11BConfig>
<Dot11bBand>
<Dot11NumberOfChannels>11</Dot11NumberOfChannels>
<Dot11MaximumTransmitPowerLevel>27</Dot11MaximumTransmitPowerLevel>
Lab Guide
283
<Dot11MaxAntennaGainAllowed>6</Dot11MaxAntennaGainAllowed>
</Dot11bBand>
<Dot11gSupported>Supported</Dot11gSupported>
</Dot11BConfig>
<Dot11AConfig>
<Dot11aBand index="0">
<Dot11FirstChannelNumber>36</Dot11FirstChannelNumber>
<Dot11FirstDCAChannelNumber>36</Dot11FirstDCAChannelNumber>
</Dot11aBand>
<Dot11BandState>1</Dot11BandState>
<RequiresRadar>1</RequiresRadar>
<Dot11ChannelSpacing>4</Dot11ChannelSpacing>
<Dot11DCAChannelSpacing>4</Dot11DCAChannelSpacing>
<Dot11DCANumberOfChanels>4</Dot11DCANumberOfChanels>
</Dot11aBand>
</Dot11aBand>
</Dot11aBand>
</Dot11aBand>
</Dot11aBand>
<Dot11aDefaultCfg>
<defaultChan>36</defaultChan>
284
</Dot11aDefaultCfg>
</Dot11AConfig>
<Dot11CountryCode>US</Dot11CountryCode>
<networkName>Group1</networkName>
<Dot11MultiCountryCode index="0">US</Dot11MultiCountryCode>
</APCommon-Configuration>
</XML_config_variables-apfCfgData.xml-82be6d39>
<XML_config_variables-apfRogueData.xml-114ab423>
<RogueAP-Configuration>
<RogueList index="0">
<level>1</level>
</RogueList>
</RogueAP-Configuration>
</XML_config_variables-apfRogueData.xml-114ab423>
<XML_config_variables-cliWebCfgData.xml-a3523f1a>
</XML_config_variables-cliWebCfgData.xml-a3523f1a>
<XML_config_variables-dhcpCfgData.xml-92584a2f>
<DHCP-Configuration>
<scopes index="0">
<scopeName>Scope 1-1</scopeName>
<DHCPEnabled>ENABLED</DHCPEnabled>
<leaseTime>14400</leaseTime>
<poolStart>21.1.10.10</poolStart>
<poolEnd>29.1.10.10</poolEnd>
<poolLastAllocated>25.1.10.10</poolLastAllocated>
<defaultRoute index="0">254.1.10.10</defaultRoute>
<network>0.1.10.10</network>
<netmask>0.255.255.255</netmask>
<dnsServer index="0">1.1.100.10</dnsServer>
<wins index="0">1.1.100.10</wins>
</scopes>
</DHCP-Configuration>
</XML_config_variables-dhcpCfgData.xml-92584a2f>
<XML_config_variables-dot1qCfg.xml-3cf45304>
</XML_config_variables-dot1qCfg.xml-3cf45304>
<XML_config_variables-ldapCfgData.xml-1778a2ce>
<LDAP-Configuration>
<LDAP-Database-Name>LDAP Database</LDAP-Database-Name>
</LDAP-Configuration>
</XML_config_variables-ldapCfgData.xml-1778a2ce>
<XML_config_variables-logCfgData.xml-3d9622e2>
</XML_config_variables-logCfgData.xml-3d9622e2>
<XML_config_variables-meshFileCfg.xml-436a659c>
<MESH-Configuration>
<cfg>
<isChanged>1</isChanged>
<profileName>prfMaP1500LlEAuth93</profileName>
</cfg>
</MESH-Configuration>
</XML_config_variables-meshFileCfg.xml-436a659c>
<XML_config_variables-mmCfgData.xml-2a91608>
<Mobility-Manager-Configuration>
<group>Group1</group>
Lab Guide
285
</Mobility-Manager-Configuration>
</XML_config_variables-mmCfgData.xml-2a91608>
<XML_config_variables-nimSlot0.xml-bcd6b57f>
</XML_config_variables-nimSlot0.xml-bcd6b57f>
<XML_config_variables-policyCfgData.xml-40f47081>
</XML_config_variables-policyCfgData.xml-40f47081>
<XML_config_variables-rrmCfgData.xml-89a365cb>
<RadioResourceManager-Configuration>
<rrm2 index="1">
<rrmAllowedChans>
<chanCnt>20</chanCnt>
<chans index="8">100</chans>
</rrmAllowedChans>
</rrm2>
</RadioResourceManager-Configuration>
</XML_config_variables-rrmCfgData.xml-89a365cb>
<XML_config_variables-sigCfg.xml-2d0c8484>
</XML_config_variables-sigCfg.xml-2d0c8484>
<XML_config_variables-simCfgData.xml-47629dc4>
<System-Interface-Configuration>
<systemName>2106-1</systemName>
<systemIpAddress>192.168.1.1</systemIpAddress>
<systemGateway>0.0.0.0</systemGateway>
</System-Interface-Configuration>
</XML_config_variables-simCfgData.xml-47629dc4>
<XML_config_variables-simQosCfgData.xml-11069211>
</XML_config_variables-simQosCfgData.xml-11069211>
<XML_config_variables-simVlanCfgData.xml-a2f725a>
<VLAN-Configuration>
<simInterface index="0">
<InterfaceName>management</InterfaceName>
<vlanStatus>CREATED</vlanStatus>
<vlanLocalAddress>10.10.1.10</vlanLocalAddress>
<vlanLocalNetmask>255.255.255.0</vlanLocalNetmask>
<vlanLocalGateway>10.10.1.254</vlanLocalGateway>
<vlanDhcpProtocolState>1</vlanDhcpProtocolState>
<vlanDhcpPrimaryServer>10.10.1.10</vlanDhcpPrimaryServer>
<vlanPortNumber>1</vlanPortNumber>
<GatewayResolvedState>RESOLVED</GatewayResolvedState>
<vlanGatewayMac>0:1e:7a:ad:52:a9</vlanGatewayMac>
</simInterface>
<InterfaceName>service-port</InterfaceName>
<vlanId>-1</vlanId>
286
<vlanInterfaceType>Service-Port</vlanInterfaceType>
<vlanInterfaceId>3</vlanInterfaceId>
</simInterface>
<InterfaceName>virtual</InterfaceName>
<vlanId>-1</vlanId>
<vlanInterfaceType>Virtual</vlanInterfaceType>
</simInterface>
<InterfaceName>ap-manager</InterfaceName>
<vlanInterfaceType>VLAN</vlanInterfaceType>
<vlanLocalNetmask>255.255.255.0</vlanLocalNetmask>
<vlanLocalGateway>10.10.1.254</vlanLocalGateway>
<vlanDhcpPrimaryServer>10.10.1.10</vlanDhcpPrimaryServer>
<vlanPortNumber>1</vlanPortNumber>
<vlanInterfaceId>1</vlanInterfaceId>
<GatewayResolvedState>RESOLVED</GatewayResolvedState>
<vlanGatewayMac>0:1e:7a:ad:52:a9</vlanGatewayMac>
<vlanFlags>1</vlanFlags>
</simInterface>
</VLAN-Configuration>
</XML_config_variables-simVlanCfgData.xml-a2f725a>
<XML_config_variables-snmpCfgData.xml-4f1f9d7c>
<SNMP-Configuration>
<snmpV3User index="0">
<agentUserAuthKeyStore>
<iv>9af0c956b3ef198c2bbe657e02cb5746</iv>
<mac>b5b769a4a62137da506ed909dfd4f3e1fe2605bb</mac>
<passwd>df9e7cc2d2bbc09cbfa42c4942b3ddb00000000000000000000000000000000000000000
000000000000000000000000</passwd>
</agentUserAuthKeyStore>
<agentUserPrivKeyStore>
<iv>e9460c2cc054846a9399f6ca905c808e</iv>
<mac>d043b534f8587048cf403886b6254f4600b4f35e</mac>
<passwd>ff7682febf472d078b453ca2c0574a480000000000000000000000000000000000000000
000000000000000000000000</passwd>
</agentUserPrivKeyStore>
</snmpV3User>
<snmpTrapMgr index="0">
<agentTrapMgrCommunityName>127.0.0.1</agentTrapMgrCommunityName>
<agentTrapMgrIpAddr>127.0.0.1</agentTrapMgrIpAddr>
<agentTrapMgrStatus>1</agentTrapMgrStatus>
</snmpTrapMgr>
</SNMP-Configuration>
</XML_config_variables-snmpCfgData.xml-4f1f9d7c>
<XML_config_variables-sshpmCfgData.xml-41181e3e>
<SSHPolicyManagerConfigData>
<sshpmIPv4VirtualAddress>1.1.1.2</sshpmIPv4VirtualAddress>
<sshpmIPv4VirtualIPString>1.1.1.1</sshpmIPv4VirtualIPString>
</SSHPolicyManagerConfigData>
</XML_config_variables-sshpmCfgData.xml-41181e3e>
<XML_config_variables-trapMgrCfgData.xml-bd5b2af3>
</XML_config_variables-trapMgrCfgData.xml-bd5b2af3>
<XML_config_variables-webCustomizations.xml-3adfbbe>
Lab Guide
287
<Custom-WEB-Configuration>
<wlans index="3">
<useGlobalFlag>0</useGlobalFlag>
</wlans>
</Custom-WEB-Configuration>
</XML_config_variables-webCustomizations.xml-3adfbbe>
<XML_config_variables-xmlVersion.xml-d62125ee>
<XML_config_version>1.7</XML_config_version>
<XML_config_image_version>4.2.99.0</XML_config_image_version>
</XML_config_variables-xmlVersion.xml-d62125ee>
</XML_config_variables>
Lab 6-2 Answer Key: Troubleshooting

Lab 6-3 Answer Key: Troubleshooting with Wireshark

Your AP is set on channel 1, which is overcrowded, thus causing many collisions and losses.
Changing it to another channel reduces the loss rate.
If your client cannot get an IP address, which is the case here, the web authentication is not
involved. The only element is the DHCP server. You controller interface sends the client to a
wrong DHCP server address.
288

Iuwne10 LG v2

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Iuwne10 LG v2

Uploaded by

Copyright:

Available Formats

IUWNE

Lab 3-2: Experimenting with Connections and Roaming

Implementing Cisco Unified Wireless Networking Essentials (IUWNE) v1.0

2008 Cisco Systems, Inc.

Lab 6-2: Troubleshooting

2008 Cisco Systems, Inc.

Implementing Cisco Unified Wireless Networking Essentials (IUWNE) v1.0

Implementing Cisco Unified Wireless Networking Essentials (IUWNE) v1.0

2008 Cisco Systems, Inc.

Lab 1-1: Becoming Familiar with Antennae and Ranges

Lab 2-1: Configuring a Cisco 2106 WLC

Lab 2-2: Configuring and Migrate a Standalone AP

Lab 2-3: Configuring a Cisco Mobility Express Wireless Controller and AP

Lab 3-1: Installing and Using the Cisco ADU

Lab 3-2: Experimenting with Connections and Roaming

Lab 4-1: Configuring Web Authentication

Lab 4-2: Configuring EAP-FAST Authentication with WPA

Lab 5-2: Working with Maps

Lab 5-3: Monitoring the Network and Containing Devices

Lab 6-2: Troubleshooting Games

Lab 6-3: Optional Lab

Lab 1-1: Becoming Familiar with Antennae and

Convert milliwatts to dBm and back

Determine which AP is the best choice for which situation

Visual Objective for Lab 1-1: Becoming

2008 Cisco Systems, Inc. All rights reserved.

A PC with Microsoft Excel or OpenOffice Calc

Implementing Cisco Unified Wireless Network Essentials (IUWNE) v1.0

2008 Cisco Systems, Inc.

Task 1: Complete These Power Conversions

Convert 20 mW to its dBm equivalent.

Convert 40 mW to its dBm equivalent.

Convert 2 W to its dBm equivalent.

Convert 23 dBm to its milliwatts equivalent.

Convert -13 dBm to its milliwatts equivalent.

How many dBd is a 7.24 dBi antenna?

How many dBd is a 13.56 dBi antenna?

How many dBi is a 13.56 dBd antenna?

How many dBi is an 18.86 dBd antenna?

What is the dBd gain of a 21 dBi dish antenna?

Which antenna has more gain: 2.14 dBi or 3.28 dBd?

Which antenna has more gain: 3.41 dBi or 4.18 dBm?

2008 Cisco Systems, Inc.

Task 2: Calculate EIRP and Choose the Correct Antenna

An AP transmitter emits 40 mW of power through a cable that is adding 3 dB loss.

An AP transmitter emits 20 mW of power through a cable that is adding 4 dB loss

An AP transmitter emits 100 mW of power to an antenna directly connected to it.

Implementing Cisco Unified Wireless Network Essentials (IUWNE) v1.0

2008 Cisco Systems, Inc.

Task 3: Determine the Type of Antenna Represented, Its Use,

Look at the following radiation pattern:

Which type of antenna does it represent?

What type of use is the antenna best suited for?

What is the best place for the antenna to be mounted?

Look at the following radiation pattern:

2008 Cisco Systems, Inc.

Which type of antenna does it represent?

What type of use is the antenna best suited for?

What is the best place for the antenna to be mounted?

Look at the following radiation pattern:

Which type of antenna does it represent?

What type of use is the antenna best suited for?

What is the best place for the antenna to be mounted?