WEBVTT

00:00:03.120 --> 00:00:07.280
Hello and welcome to this video, which is the final video right now

00:00:07.280 --> 00:00:10.680
in our wireless series where I'm going to show you how to configure a

00:00:10.680 --> 00:00:17.280
wireless LAN using WPA2 security credentials with pre-shared key on a

00:00:17.280 --> 00:00:18.900
wireless controller.

00:00:18.900 --> 00:00:24.540
Well, let's just do a quick summary here of WPA and WPA2.

00:00:24.540 --> 00:00:30.520
So remember WPA was a certification program put out by the Wi-Fi Alliance,

00:00:30.520 --> 00:00:35.400
an independent entity that certified Wi-Fi vendors' equipment.

00:00:35.400 --> 00:00:39.140
The WPA certification certified that their equipment could do the stuff

00:00:39.140 --> 00:00:44.760
that was in a draft version of the 802.11i standard.

00:00:44.760 --> 00:00:46.820
What about WPA2?

00:00:46.820 --> 00:00:53.760
Well, when 802.11i was fully ratified, then all the things that were in

00:00:53.760 --> 00:00:59.180
that standard could be certified against and given the WPA2 stamp of approval.

00:00:59.180 --> 00:01:03.760
So if you created an access point and you gave it to the Wi-Fi Alliance,

00:01:03.760 --> 00:01:07.640
you said, hey, this access point can do all the things that are in the

00:01:07.640 --> 00:01:10.960
now fully ratified 802.11i standard.

00:01:10.960 --> 00:01:14.160
They would test your access point and if that was true, that it did all

00:01:14.160 --> 00:01:19.460
the things in that document, you would get the WPA2 seal of approval.

00:01:19.460 --> 00:01:24.020
Also one of the things that made WPA2 better than WPA was they added a

00:01:24.020 --> 00:01:27.040
much stronger form of encryption to that.

00:01:27.040 --> 00:01:33.440
So WPA still relied on the RC4 encryption cipher with some tweaks to it.
00:01:33.440 --> 00:01:40.980
WPA2 now added AES-CCMP, which was actually even authorized by the National

00:01:40.980 --> 00:01:45.960
Security Agency of the United States as being an authorized, legitimate

00:01:45.960 --> 00:01:48.820
security standard for encryption.

00:01:48.820 --> 00:01:53.020
So you really need to be using these days AES-CCMP for your encryption,

00:01:53.020 --> 00:01:54.920
if not something higher.

00:01:54.920 --> 00:02:00.920
Now both methods offered personal and enterprise editions.

00:02:00.920 --> 00:02:04.660
Personal was typically meant for a small office home office where the

00:02:04.660 --> 00:02:13.680
encryption and nothing else was involved.

00:02:13.680 --> 00:02:17.260
Enterprise editions were for larger scale environments where you would

00:02:17.260 --> 00:02:21.460
need use of 802.1X, which requires a little bit more configuration, a

00:02:21.460 --> 00:02:25.580
little bit more complexity on the client's side to get that working as

00:02:25.580 --> 00:02:30.760
well as a RADIUS server on the back end to do all the 802.1X authentication.

00:02:30.760 --> 00:02:36.260
Even to this day, many companies, even larger companies, use the personal

00:02:36.260 --> 00:02:42.880
editions of WPA2 simply because it's easier to implement, easier to configure,

00:02:42.880 --> 00:02:46.360
no need for an 802.1X server.

00:02:46.360 --> 00:02:52.100
All right, so let's walk through how you would configure a brand new wireless

00:02:52.100 --> 00:03:00.420
LAN on a controller with WPA2 and pre-shared key authentication and encryption.

00:03:00.420 --> 00:03:04.920
Now, first of all, disclaimer, there are lots of different wireless LANs

00:03:04.920 --> 00:03:08.640
out there. What I'm going to show you is one of Cisco's latest and greatest

00:03:08.640 --> 00:03:13.760
wireless LAN controllers, which is their 9800 series controller.
00:03:13.760 --> 00:03:17.740
And we're going to be working on the GUI of that controller type.

00:03:17.740 --> 00:03:21.600
So that controller has already been pre-configured with an IP address

00:03:21.600 --> 00:03:23.620
so I can at least browse to it.

00:03:23.620 --> 00:03:30.640
So if you remember, the way that a lot of these controllers worked was

00:03:30.640 --> 00:03:37.420
that you had the controller and then you had a console port, which was

00:03:37.420 --> 00:03:40.620
just used to get into the command line, but we're not going to do that.

00:03:40.620 --> 00:03:42.760
The CCDA wants you to know how to do it on the GUI.

00:03:42.760 --> 00:03:47.260
You also had a service port.

00:03:47.260 --> 00:03:54.040
And with the service port, you could stick an IP address on it.

00:03:54.040 --> 00:03:58.320
And now you could browse to that, browse to the GUI via that IP address.

00:03:58.320 --> 00:04:00.880
So that has already been done for me on this controller.

00:04:00.880 --> 00:04:03.560
So I'm going to be browsing to that IP address.

00:04:03.560 --> 00:04:06.380
But beyond that, the controller is in a basic state.

00:04:06.380 --> 00:04:10.280
It's going to present me with the initial setup wizard.

00:04:10.280 --> 00:04:14.580
And I'm going to have to go through that in order to proceed.

00:04:14.580 --> 00:04:21.660
All right, so I'm going to connect to my wireless LAN controller.

00:04:21.660 --> 00:04:25.320
Now, the wireless LAN controller is presenting me with a digital certificate

00:04:25.320 --> 00:04:30.380
for authentication purposes to give me a secure HTTP session.

00:04:30.380 --> 00:04:34.780
The problem is that digital certificate is a self-signed authentication

00:04:34.780 --> 00:04:39.100
certificate. And it's not been signed by some trusted root authority out

00:04:39.100 --> 00:04:41.020
there on the internet.
00:04:41.020 --> 00:04:44.700
So my browser right now is saying, hey, I see a digital certificate, but

00:04:44.700 --> 00:04:50.040
it's signed and authenticated by the device that created it, which

00:04:50.040 --> 00:04:51.300
isn't really secure.

00:04:51.300 --> 00:04:52.640
So it's given me a warning.

00:04:52.640 --> 00:04:55.460
Some browsers, you couldn't get past this.

00:04:55.460 --> 00:04:58.720
But fortunately for us, at least with Firefox, we can.

00:04:58.720 --> 00:05:06.280
And so if I go to Advanced and I scroll down, I now have the ability to

00:05:06.280 --> 00:05:08.520
accept the risk and continue.

00:05:08.520 --> 00:05:10.200
So that's what I'm going to do.

00:05:10.200 --> 00:05:15.260
All right, this has already been pre-configured to have a username and

00:05:15.260 --> 00:05:22.200
password of Cisco for both things.

00:05:22.200 --> 00:05:35.500
And now after a few moments, we should see the initial setup wizard.

00:05:35.500 --> 00:05:36.860
And there we are.

00:05:36.860 --> 00:05:40.140
So now we're in the configuration setup wizard.

00:05:40.140 --> 00:05:43.600
All right, so I'm going to leave this as a standalone controller.

00:05:43.600 --> 00:05:46.320
It's not doing any kind of redundancy with anybody else.

00:05:46.320 --> 00:05:47.720
I am in the United States.

00:05:47.720 --> 00:05:55.260
I can go ahead and change the date to March 19th, because that's what

00:05:55.260 --> 00:05:57.380
it is right now as I record this.

00:05:57.380 --> 00:05:59.580
I'll just leave the time exactly as it is.

00:05:59.580 --> 00:06:02.120
I'm not going to put in an NTP server.

00:06:02.120 --> 00:06:07.040
Now scrolling down, wireless management settings.

00:06:07.040 --> 00:06:16.120
So remember that as I drew, the controller had a console port.

00:06:16.120 --> 00:06:18.880
It had a service port.
00:06:18.880 --> 00:06:23.120
And then it had some data ports.

00:06:23.120 --> 00:06:28.400
You know, and the quantity of data ports varies based on the platform.

00:06:28.400 --> 00:06:33.080
And each one of these data ports could be configured with an IP address.

00:06:33.080 --> 00:06:37.460
And whatever IP address you put on here, this would be an IP address that

00:06:37.460 --> 00:06:40.700
your access points would actually join to when they're joining and creating

00:06:40.700 --> 00:06:42.140
their CAPWAP tunnels.

00:06:42.140 --> 00:06:45.660
So that's what it's asking us to do right here.

00:06:45.660 --> 00:06:49.720
It's asking us to select an interface, which is going to be one of these

00:06:49.720 --> 00:06:54.000
guys. I'll just leave it at gigabit two, select what VLAN that's going

00:06:54.000 --> 00:06:58.480
to be in, and put an IP address and mask on there.

00:06:58.480 --> 00:06:59.740
So let's just go ahead and do that.

00:06:59.740 --> 00:07:00.920
So I'm just going to select.

00:07:00.920 --> 00:07:04.280
I'm going to put it in the default VLAN, VLAN one.

00:07:04.280 --> 00:07:10.360
And I'm just going to give it some fake IP address, about 192.168.1.100

00:07:10.360 --> 00:07:18.640
or 101. Subnet mask 255.255.255.0.

00:07:18.640 --> 00:07:21.640
Default gateway.

00:07:21.640 --> 00:07:25.320
If I had a real default gateway, it would be something like this.

00:07:25.320 --> 00:07:30.900
And I don't need to put in a DHCP server.

00:07:30.900 --> 00:07:33.040
And I'm not going to be running IPv6 on this.

00:07:33.040 --> 00:07:39.700
So now I can just move on.

00:07:39.700 --> 00:07:44.480
All right. So now at this point, I could continue with next or I could

00:07:44.480 --> 00:07:47.460
add just my basic preliminary wireless LAN.
00:07:47.460 --> 00:07:49.800
So I'm going to show you how to add the wireless LAN with a pre-shared

00:07:49.800 --> 00:07:52.460
key here in the setup wizard.

00:07:52.460 --> 00:07:55.380
And then once we're past the setup wizard and we have the full dashboard

00:07:55.380 --> 00:07:59.980
to look at, we'll create another wireless LAN with a pre-shared key.

00:07:59.980 --> 00:08:03.120
So let's add one right here.

00:08:03.120 --> 00:08:07.280
And we'll call this one corporate one.

00:08:07.280 --> 00:08:11.600
We'll stick with WPA2 personal.

00:08:11.600 --> 00:08:15.540
And I'll click the little eyeball here so you can see the key.

00:08:15.540 --> 00:08:19.320
And we'll call the key Cisco 1234.

00:08:19.320 --> 00:08:22.040
Probably not the safest key out there.

00:08:22.040 --> 00:08:25.640
But for demonstration purposes, that'll work.

00:08:25.640 --> 00:08:31.780
And add. And there it is.

00:08:31.780 --> 00:08:34.360
We can see it right there.

00:08:34.360 --> 00:08:37.520
Now we click next.

00:08:37.520 --> 00:08:41.020
We don't have to mess around with the client density or any RF groups

00:08:41.020 --> 00:08:43.860
or anything. We'll leave it to data and voice.

00:08:43.860 --> 00:08:48.520
And now it's saying, okay, I'm going to generate a certificate that I

00:08:48.520 --> 00:08:52.240
can push down to the access points because when the access points create

00:08:52.240 --> 00:08:56.540
a CAPWAP tunnel, they're going to need a digital certificate.

00:08:56.540 --> 00:08:58.780
It's not going to be the same digital certificate

00:08:58.780 --> 00:09:02.580
I just got to do my HTTPS session to the GUI.

00:09:02.580 --> 00:09:06.660
This is a different digital certificate used purely for the CAPWAP purposes

00:09:06.660 --> 00:09:09.780
to have an encrypted tunnel to pass that control traffic.
00:09:09.780 --> 00:09:11.580
So do I want to generate a certificate?

00:09:11.580 --> 00:09:14.140
Yes, probably. Otherwise CAPWAP can have a big problem.

00:09:14.140 --> 00:09:17.580
We can just leave the key size at 2048.

00:09:17.580 --> 00:09:19.820
We can leave the signature at SHA-1.

00:09:19.820 --> 00:09:24.300
And let's put in a passphrase here that can be used to help generate that

00:09:24.300 --> 00:09:25.000
digital certificate.

00:09:25.000 --> 00:09:28.400
How about INE rocks?

00:09:28.400 --> 00:09:29.420
Yeah, that sounds good.

00:09:29.420 --> 00:09:31.100
We'll put that in there.

00:09:31.100 --> 00:09:34.280
That looks good.

00:09:34.280 --> 00:09:35.620
And then summary.

00:09:35.620 --> 00:09:39.000
All right. There's everything we put in.

00:09:39.000 --> 00:09:44.100
Finish. All right.

00:09:44.100 --> 00:09:45.720
So now it's thinking about it.

00:09:45.720 --> 00:09:47.220
It's thinking about, okay, does everything look good

00:09:47.220 --> 00:09:48.580
that I just put into the setup wizard?

00:09:48.580 --> 00:09:50.460
Hopefully it will.

00:09:50.460 --> 00:09:53.960
And in just a moment, I should see the actual dashboard where I have all

00:09:53.960 --> 00:09:56.040
my options available to me.

00:09:56.040 --> 00:10:03.560
Good. The configuration successfully applied.

00:10:03.560 --> 00:10:04.420
Now it logged me out.

00:10:04.420 --> 00:10:06.460
I'm going to log back in.

00:10:06.460 --> 00:10:15.760
And this time I'm going to see the full dashboard.

00:10:15.760 --> 00:10:20.260
And every wireless LAN controller has a different layout for their dashboard.

00:10:20.260 --> 00:10:23.620
But once you've configured one, you should be able to find the appropriate

00:10:23.620 --> 00:10:28.120
pull-down windows and boxes to configure the same types of things in a

00:10:28.120 --> 00:10:30.440
different one. So here we are.
00:10:30.440 --> 00:10:33.240
It says I've already got one wireless LAN configured.

00:10:33.240 --> 00:10:36.580
Currently there are no access points that are joined to this.

00:10:36.580 --> 00:10:37.920
So there would be no clients.

00:10:37.920 --> 00:10:41.360
And so now we're just going to complete this by configuring one more wireless

00:10:41.360 --> 00:10:43.960
LAN with WPA2 pre-shared key.

00:10:43.960 --> 00:10:46.840
But now we're going to do it from the actual dashboard itself.

00:10:46.840 --> 00:10:49.600
So here I would select Configuration.

00:10:49.600 --> 00:10:54.780
Under Tags and Profiles, I would select Wireless LANs.

00:10:54.780 --> 00:11:00.980
Okay, it's already got corporate one.

00:11:00.980 --> 00:11:05.780
Let's add another wireless LAN.

00:11:05.780 --> 00:11:10.000
So by default, whatever you put in the profile name, it'll go down to

00:11:10.000 --> 00:11:11.720
the SSID as well.

00:11:11.720 --> 00:11:13.340
How about corporate?

00:11:13.340 --> 00:11:17.440
Oh, how about INE keys?

00:11:17.440 --> 00:11:22.740
There we go. Now, notice by default it's disabled, which means that the

00:11:22.740 --> 00:11:26.900
beacons from many access points that join will not advertise this wireless

00:11:26.900 --> 00:11:30.680
LAN. I want to enable it.

00:11:30.680 --> 00:11:33.140
Okay, and I want to broadcast the SSID.

00:11:33.140 --> 00:11:36.540
I want my access points, when they do get around to joining this via CAPWAP,

00:11:36.540 --> 00:11:40.300
to include this SSID in their beacons.

00:11:40.300 --> 00:11:43.440
Now, right now there's no security.

00:11:43.440 --> 00:11:46.820
So I need to go to the security group right here, the Security tab.

00:11:46.820 --> 00:11:50.900
It defaults to WPA with WPA2.

00:11:50.900 --> 00:11:52.420
You can just leave it at that.

00:11:52.420 --> 00:11:53.820
And this is real easy.
00:11:53.820 --> 00:11:55.700
All we have to do.

00:11:55.700 --> 00:11:59.800
Notice it defaults to AES-CCMP for encryption.

00:11:59.800 --> 00:12:00.660
That's what we want.

00:12:00.660 --> 00:12:06.400
That's good. These other ones, these GCMPs, these are actually stronger,

00:12:06.400 --> 00:12:10.860
but not all wireless clients like laptops, PCs and smartphones necessarily

00:12:10.860 --> 00:12:17.800
support GCMP, whereas everything these days supports AES with CCMP.

00:12:17.800 --> 00:12:20.940
So it's probably best to keep it that way.

00:12:20.940 --> 00:12:27.780
So it defaults to WPA2 Enterprise, which is 802.1X, and I don't want that.

00:12:27.780 --> 00:12:32.800
So I will deselect that, and I will select pre-shared key.

00:12:32.800 --> 00:12:35.800
And then the last thing is it gives me the option to type in my pre-shared

00:12:35.800 --> 00:12:42.280
key. So let's just type in INE12345.

00:12:42.280 --> 00:12:46.580
Apply to device.

00:12:46.580 --> 00:12:51.460
And now I have both wireless LANs ready to go.

00:12:51.460 --> 00:12:55.700
So the moment that an access point reaches out via CAPWAP discovery, discovers

00:12:55.700 --> 00:13:00.640
this controller and creates an encrypted CAPWAP control tunnel, it will

00:13:00.640 --> 00:13:05.560
then learn of these two wireless LANs and start advertising them in its

00:13:05.560 --> 00:13:11.520
beacons. So that concludes this section on configuring wireless LANs with

00:13:11.520 --> 00:13:15.300
pre-shared key within a Cisco wireless LAN controller.