Wireless AP autoconfiguration

*Content migrated from LinkedIn Group- Enterasys OneFabric Connect Central
By: Salvador Ferrer, Director, Solutions Architecture

In the last poll about which systems you would integrate with network management systems, there was a mention of integrating Enterasys wireless. As I understood the question, the problem is autoconfiguring the AP connectivity so that the VLANs required by the AP are automatically assigned to the port.

An AP can require connectivity to several VLANs, depending on the mapping of SSIDs to VLANs, its own management configuration, or the connectivity services configured.

The problem actually has a solution, which will very soon be a technical paper by our solutions engineering team. It is being deployed at a customer as we speak (wouldn't it be more appropriate to write 'as we write' in this case 🙂?).

The paper will describe the solution in detail; I will try to summarize the main configuration points here.

First, we will need a NAC engine to apply the configuration dynamically to each port. This NAC engine will have a configuration that can do something like this:

if MAC is in AP_MACs group then policy is AP_Policy

In the AP_MACs group we will put the MACs of our APs or the OUI of our AP vendor (Enterasys, of course!)

Second, we need to define AP_Policy in Policy Manager. This policy must have a contain-to-VLAN action for the APs, so the untagged traffic from the AP goes into the required management VLAN. To this policy we can add as many tagged egress VLANs as are needed by the services delivered by the AP, e.g.

- contain to VLAN 1990 (for AP management)
- egress 1990 untagged (for AP management)
- egress 1991 tagged (if we have an SSID mapped to VLAN 1991)

Third, enable MAC authentication on the ports so AP connections are detected and managed by NAC.

And fourth, and most important, ports with an AP must have the number of authenticated devices set to 1, to ensure that the port does not try to authenticate the clients connected to the AP. This second authentication is unnecessary because the AP has already authenticated the device, and doing the same process again can cause problems.

The whole process of creating the AP management VLAN, the NAC rule and group, the AP policy, etc. can be done with a single web service call, createVirtualAndPhysicalNetwork: http://www.onefabric.net/connectcentral/resources/html/ME-NAC_Configuration_WebService.htm#createVirtualAndPhysicalNetwork

Once we have it created, we can populate AP_MACs with successive calls to addMACToEndSystemGroup (http://www.onefabric.net/connectcentral/resources/html/ME-NAC_WebService.htm#addMACToEndSystemGroup) if we want to add the APs as full MACs, or addValueToNamedList (http://www.onefabric.net/connectcentral/resources/html/ME-NAC_WebService.htm#addValueToNamedList) if we want to add the APs as MAC ranges or OUIs.

After issuing the calls, adding additional VLANs to the policy and enabling the authentication parameters on the port is still manual.

The good thing about this method: say we create a new SSID that maps to VLAN 2000, but VLAN 2000 doesn't exist and we have to create it and deploy it on all ports with an AP. In this setup, just create the VLAN in Policy Manager and add it tagged to the egress list of AP_Policy. Click deploy, and the VLAN is automatically created and added to the right ports as needed.
