ISE wireless design

Hi all,
Designing an ISE wireless case, I would like to seek ideas about:
1. My design goal is to differentiate users: domain users should only be able to connect to Employee_AP, while guests connect to Guest_AP. What rule condition should I use?
2. What is the best practice for BYOD policies to permit each employee to use only 2 personal devices, say one notebook and one handheld device? Is there any way I can enforce this rule on ISE?
Million thanks
Noel

If you are already authenticating your wireless users and anchoring them to a DMZ you can do the same with wired users as long as you have a foreign controller layer 2 adjacent to the wired guests.  
http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/99470-config-wiredguest-00.html
You would just need to set the VLAN on the port for the guest users, or if you want you can use ISE wired AuthZ policy to place the guest users into the correct VLAN, or FlexAuth using guest VLANs.  
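For the two questions in Noel's post (keeping domain users on Employee_AP and guests on Guest_AP, and capping each employee at two personal devices), here is an added example that is not from the thread and not ISE's own code: a Python model of first-match authorization rules in the style ISE evaluates them. It assumes the WLC sends the RADIUS Called-Station-Id in its default `<AP-MAC>:<SSID>` form (so the SSID can be matched from that attribute), that AD group membership and guest-store membership have already been resolved by the identity lookup, and that the device cap is tracked in a per-user registered-endpoint table; the rule names, profile names and MAC addresses are constructed for the example.

```python
# Added example (not ISE code, not from the thread): a model of ISE-style
# authorization rules that separate domain users on Employee_AP from guests
# on Guest_AP and cap the number of personal devices per employee.
#
# Assumptions (mine, not the page's):
#   - The WLC sends RADIUS Called-Station-Id as "<AP-MAC>:<SSID>" (its default
#     format), so a rule can test the SSID from that attribute.
#   - AD group names and guest-store membership are resolved before the rules run.
#   - The per-user device cap is tracked in a registered-endpoint table keyed
#     by username; where the cap is enforced is a modelling choice.
import re
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# "aa-bb-cc-dd-ee-ff:SSID" (WLC default); the SSID is everything after the MAC.
CALLED_STATION_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}:(?P<ssid>.+)$")


@dataclass(frozen=True)
class Request:
    user: str
    calling_station_id: str          # client MAC (RADIUS Calling-Station-Id)
    called_station_id: str           # "<AP-MAC>:<SSID>" from the WLC
    ad_groups: Tuple[str, ...] = ()  # AD groups the identity store returned
    is_guest: bool = False           # authenticated against the guest identity store


@dataclass(frozen=True)
class Rule:
    name: str
    ssid: str                        # SSID the rule is bound to
    ad_group: Optional[str]          # required AD group, None for guest rules
    guest_only: bool                 # True = only guest-store identities match
    profile: str                     # authorization profile returned on match


# Constructed rule table; profile names are placeholders.
RULES = (
    Rule("Employee_on_Employee_AP", "Employee_AP", "Domain Users", False, "PermitAccess"),
    Rule("Guest_on_Guest_AP", "Guest_AP", None, True, "Guest_Internet_Only"),
)
DEFAULT_PROFILE = "DenyAccess"       # default rule: deny whatever no rule matched
MAX_BYOD_DEVICES = 2                 # the "one notebook, one handheld" limit


def ssid_from_called_station_id(value: str) -> Optional[str]:
    """Extract the SSID from the WLC's '<AP-MAC>:<SSID>' Called-Station-Id."""
    m = CALLED_STATION_RE.match(value)
    return m.group("ssid") if m else None


class AuthorizationPolicy:
    def __init__(self, max_devices: int = MAX_BYOD_DEVICES):
        self.max_devices = max_devices
        self.registered: Dict[str, Set[str]] = {}   # user -> registered client MACs

    def register_device(self, user: str, mac: str) -> bool:
        """True if the MAC already is, or can become, one of the user's allowed devices."""
        devices = self.registered.setdefault(user, set())
        mac = mac.lower()
        if mac in devices:
            return True
        if len(devices) >= self.max_devices:
            return False                         # over the per-employee device cap
        devices.add(mac)
        return True

    def authorize(self, req: Request) -> str:
        """First matching rule wins; unmatched requests fall to the default profile."""
        ssid = ssid_from_called_station_id(req.called_station_id)
        for rule in RULES:
            if rule.ssid != ssid:
                continue                         # wrong SSID for this rule
            if rule.guest_only != req.is_guest:
                continue                         # guest on employee rule or vice versa
            if rule.ad_group is not None and rule.ad_group not in req.ad_groups:
                continue                         # domain group condition not met
            if not rule.guest_only and not self.register_device(req.user, req.calling_station_id):
                return DEFAULT_PROFILE           # employee is over the device cap
            return rule.profile
        return DEFAULT_PROFILE


if __name__ == "__main__":
    policy = AuthorizationPolicy()
    ap = "aa-bb-cc-dd-ee-ff:"                    # constructed AP MAC prefix
    print(policy.authorize(Request("alice", "00:11:22:33:44:55", ap + "Employee_AP", ("Domain Users",))))
    print(policy.authorize(Request("alice", "00:11:22:33:44:55", ap + "Guest_AP", ("Domain Users",))))
    print(policy.authorize(Request("visitor", "00:aa:bb:cc:dd:01", ap + "Guest_AP", is_guest=True)))
```

In the ISE GUI the same logic is expressed as authorization rules whose conditions combine the identity group (AD group or guest store) with a condition on the Called-Station-ID attribute for the SSID; the device cap corresponds to a per-user limit on registered devices in the BYOD/My Devices portal settings of later ISE releases, so check the release you run before relying on it.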

Similar Messages

  • Question regarding Wireless design

    Hi,
    I am planning for a wireless design for a new site and would like to understand the following
    1. Should I go with the Access Point (AP) that support 2.4 GHz or 5 GHz or both
    2. What is the average coverage area in meters or feet for both the frequencies
    3. If the overall area is 2000 Sq. feet with few walls in between, how many access points will be required approximately
    4. What is the leading practice on the number of users per AP
    5. What are the circumstances when a Wireless controller need to be deployed. Is it purely based upon the number of AP's to manage?
    6. Should there be a separate DHCP scope for each AP? If not, how to AP's communicate with each other if there is no controller deployed?
    Your time for answering these will be highly appreciated. Thank you.

    Hi Manoj,
    Here are my responses to your query.
    1. Should I go with the Access Point (AP) that support 2.4 GHz or 5 GHz or both
    BOTH
    2. What is the average coverage area in meters or feet for both the frequencies
    These days coverage is not the primary criterion, it's capacity. Roughly you need to put an AP for every 20-25 devices for normal data usage.
    3. If the overall area is 2000 Sq. feet with few walls in between, how many access points will be required approximately
    Based on the number of devices expected in each area you can determine that. If you do a survey do it in 5GHz which is lower cell size.
    4. What is the leading practice on the number of users per AP
    If it is typical data usage (email, browsing,etc) then 20-25 users per AP. If you require Video/voice then this number comes down to around 10.
    5. What are the circumstances when a Wireless controller need to be deployed. Is it purely based upon the number of AP's to manage?
    Always go for a controller-managed solution. It is very hard to control the RF environment if you manage them individually (like autonomous APs).
    6. Should there be a separate DHCP scope for each AP? If not, how to AP's communicate with each other if there is no controller deployed?
    No, you can have a single DHCP scope for APs. As long as the AP & WLC have layer 3 reachability they will communicate with each other using the CAPWAP protocol.
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • Question about Wireless Design and Controller

    Hi Everyone,
    Although I am not new to Cisco, I have somewhat limited experience with Wireless in general.  I was hoping to get your help with the following:
    We currently have a total of 8 1130AG, 4 on each floor.  They were configured a few years ago, and now we are looking to update the design a bit.  Each AP has its own SSID, and just provide internet access.  Looking at the configuration, I noticed that they are not configured to use proper channels, just random channels (9, 10, 11, instead of 1, 6, 11, etc.).  I noticed that when I roam between one AP to another, I lose about 4-8 pings before I re-establish connectivity again.
    Here are my questions:
    1.  Do I need a controller in order to use just one SSID for the whole setup instead of the 8 seprate ones we currently have?
    2.  Will the controller helps in providing seamless transition when a client roams between AP's?
    3.  Is it normal to loose connectivity roaming around?
    4.  Can I reconfigure the current setup to use just one SSID and provide better transition between AP without the use of a controller?
    5.  Which controller would you recommend?
    We don't have a need to anything fancy ,I am aware that I can enable multiple SSID, VLAN's, etc.  Just trying to keep it as simple as possible, yet reliable.
    Your input is appreciate.
    Thanks

    1.  With 8 AP's only, a WLC would be nice-to-have but not necessary. You can configure WLSE and it will do some limited functions.
    2.  This depends on the signal strengths, wireless coverage and configuration.  If you enable WLSE, for instance, and you have no wireless black spots, then roaming should be no issue.
    3.  See #2.
    4.  You can configure multiple SSID (up to 16 are broadcasted) but if one AP doesn't have the SSID you use for roaming, the association will drop when the client tries to join that particular AP.  It's like mobile phone towers.  If your carrier is not in the area, you sure won't be able to use your mobile phone in that area.
    5.  For 8 1130 APs, I'd recommend the smallest of the lot:  2106 with either 6, 12 or 25 AP licenses.  I'd recommend you the 25 AP licenses.  If your finances allow you something bigger, then consider either the 4402 (25 AP licenses) or the 5508.
    Cisco 2100 Series Wireless LAN Controllers
    http://www.cisco.com/en/US/prod/collateral/wireless/ps6302/ps8322/ps7206/ps7221/product_data_sheet0900aecd805aaab9.html
    Cisco 4400 Series Wireless LAN Controllers
    http://www.cisco.com/en/US/prod/collateral/wireless/ps6302/ps8322/ps6307/product_data_sheet0900aecd802570b0_ps6366_Products_Data_Sheet.html
    Cisco 5500 Series Wireless Controllers Data Sheet
    http://www.cisco.com/en/US/prod/collateral/wireless/ps6302/ps8322/ps10315/data_sheet_c78-521631.html

  • Wireless design guide/help

    Hi guys........just have a few questions about designing WLC 5508.
    The scenario is that currently one of the clients has firewall tiering: T1 internet facing and T2 internal, which has multiple DMZs connected.
    The T2 firewall has a DMZ switch connected which has a router which connects to the MPLS cloud to different sites across the country (around 10 sites), all static routing.
    Now the client is thinking of deploying wireless at all 10 sites using H-REAP. The issue is that the client has only one WLC and they are not willing to buy another, as I was thinking of deploying two WLCs, one for corporate and one for guest users (one in the internal network and one in the DMZ).
    Now my questions are as follows.
    1- Keeping in mind that there is only one WLC, where should I physically put it?
    2- How will guest users work? How will the authentication be done?
    3- There are 8 SFP ports in the WLC; how will the physical topology look?
    4- How many VLANs do I have to make for wireless users? Will that be 10 (1 at each site)?
    My last question is how these ports work on the WLC: are they just like a switch, e.g. one port can be assigned to different VLANs....just confused about interfaces and VLANs on the WLC (interfaces concept).
    Thanks guys and hope to get a response ASAP.

    1- Keeping in mind that there is only one WLC where should i physically put it?
    Well since you will also be supporting Corporate and I'm guessing that is where the WLC sits, it should be in the inside network.  You would just need to allow udp 5246 & 5247.
    2- How guest users will work ? How the authentication will be done?
    Guest users can use webauth in which the credentials will be stored on the WLC.
    3-There are 8 SFP ports in WLC how physical topology will look like?
    This is the tricky part.  You can either lag or not lag.  You can't split up the lag (etherchannel).  So you can either use all 8 if you wish and create an etherchannel and then acl the guest traffic out the internet, or you can put the guest on a layer 2 vlan in which you would connect that out to the dmz.  Or you can use one port for the management and also have a backup port, one for your internal wireless and also have a backup port and the same for guest.  So it would look like this:
    Management primary port 1 backup port 2
    SSID primary port 3 backup port 4
    Guest primary port 5 guest port 6
    OR
    Management & SSID's primary port 1 backup port 2
    Guest primary port 3 guest port 4
    4-How many Vlans i have to make for wireless users will that be 10? (1 at each site) ?
    If you use local switching which I would think you would, the vlans for the SSID at the remote site will be created locally at each remote site.  If you want to centrally switch, means all traffic will come back to the WLC, then you will need at least one.  Now you can use a large subnet or have a subnet for each site, its up to you.  You would use AP Groups for that.
    my last question is that how these ports work on WLC are they just like switch e.g one port can be assigned to different vlan....just confuse about interfaces and vlans on WLC (interface concept)
    Thanks,
    Scott
    Help out other by using the rating system and marking answered questions as "Answered"

  • Wireless design help

    Hi guys........just have a few questions about designing WLC 5508.
    The scenario is that currently one of the clients has firewall tiering: T1 internet facing and T2 internal, which has multiple DMZs connected.
    The T2 firewall has a DMZ switch connected which has a router which connects to the MPLS cloud to different sites across the country (around 10 sites), all static routing.
    Now the client is thinking of deploying wireless at all 10 sites using H-REAP. The issue is that the client has only one WLC and they are not willing to buy another, as I was thinking of deploying two WLCs, one for corporate and one for guest users (one in the internal network and one in the DMZ).
    Now my questions are as follows.
    1- Keeping in mind that there is only one WLC, where should I physically put it?
    2- How will guest users work? How will the authentication be done?
    3- There are 8 SFP ports in the WLC; how will the physical topology look?
    4- How many VLANs do I have to make for wireless users? Will that be 10 (1 at each site)?
    My last question is how these ports work on the WLC: are they just like a switch, e.g. one port can be assigned to different VLANs....just confused about interfaces and VLANs on the WLC (interfaces concept).
    Thanks guys and hope to get a response ASAP.

    OSITAN N: Many thanks, please comment.

                                    Internet
                                       |
                                      FW1
                                       |
      Trusted ------------------------ FW2 ---- DMZ ---- SW ---- Router ---- IP MPLS ----+
         |                                                                               |
    +----+----+                  <--- traffic coming this way           Branch Router <--+
    |    |    |                                                                |
   DNS   AD  DHCP                                                              RT
                                                                               |
                                                                               SW
                                                                               |
                                                                               AP
                                                                               |
                                                                              USER

    1. Where should the WLC be placed so that guest traffic doesn't go to the Trusted area?
    2. It's going to be H-REAP, so DHCP would be local for the branch.
    3. Voice users: QoS? Priority, how? Example?
    4. Guest firewall rules to use only the internet?

  • Wireless Design - Best Practices for Data, Voice, and LBS

    Hi,
    I am currently in the process of designing a WLAN for a new hospital and I am getting some push back from my sales team.  The requirements of the WLAN are data, voice, and location based services (RFID for medical equipment) ... needs to be 2.4 GHz for Guest and some apps/clients but primarily 5 GHz for most of the clients ... lastly needs to be N compatible for future use.
    So, I did a predictive design with 1252's on the perimeter with 2.4 and 5 GHz patch antennas and 1142's in the middle to fill gaps ... I also scoped out 2 5508 for redundancy .... total design with -65 at my edges was 169.  However, this is getting push back because of several cost issues ....
    1. The bundle that Cisco offers for 5 100 AP license 5508 WLC is cheaper than buying 2 250 AP licenses WLC's ... which doesn't make any sense to me because I think 5 devices is over kill
    2. The sales engineer is concerned about the power issues with the 1252's ... customer would rather not use power injectors ... and although they would have 6500's at there core ... they would only have basic switches in their IDF's so I wasn't sure which POE Switches would be able to handle 1252 but cost was an issue there as well
    So, for my understanding when you are doing a WLAN design for LBS it's always best to have APs or antennas on the perimeter for better triangulation ... it makes more sense to me to do that with patch instead of Omni's ... however my sales engineer wants to use all 1142's ... so my question is what are the pro and cons behind using all Omni's or using Patch and Omni's?
    Furthermore, if anyone has any documentation supporting why I would not use all Omni's that would be great because all the articles I have read on LBS just state that placement of APs is critical but doesn't give no specifics on whether it's a good practice to place them on the perimeter using a specific type of antenna or what.
    Thanks in advance for your help and any ideas about this design!!!

    1.  The 5508 is expensive because it's a lot faster than the 4400, plus there are some features exclusive to the 5508 such as OfficeExtend.  As the old network design adage goes:  Your design can be done correctly, cheap or fast.  Choose two.
    2.  The 1250 requires 19.5w of power to enable FULL MCS rates on both radios.  Only the 3560E, 3750E or the Sup720 is capable of supporting that.  Upgrading the IOS of the 1250 to 12.4(10b)JDA3 will allow the AP to operate both radios at 15.4w BUT at lower MCS rates.  Correct placement of the AP and the correct use of the antennas will also help in the signal distribution.
    3.  Patch antennas are mostly directional.  The 1140 is omni-directional BUT the signal strength is not as powerful as the 1250 at full power.  The AIR-ANT2451NV is an omni-directional patch designed for the 1250.
    Cisco Aironet Antennas and Accessories Reference Guide
    http://www.cisco.com/en/US/prod/collateral/wireless/ps7183/ps469/product_data_sheet09186a008008883b.html
    Cisco Aironet 2.4 GHz and 5 GHz Antennas and Accessories
    http://www.cisco.com/en/US/prod/collateral/wireless/ps7183/ps469/product_data_sheet09186a008022b11b.html
    Some of the new patch antennas for the 1250
    Cisco Aironet Dual Band MIMO Low Profile Ceiling Mount Antenna (AIR-ANT2451NV-R)
    http://www.cisco.com/en/US/prod/collateral/wireless/ps7183/ps469/data_sheet_ant2451nv.pdf
    Cisco Aironet Very Short 5-GHz Omnidirectional Antenna (AIR-ANT5135SDW-R)
    http://www.cisco.com/en/US/prod/collateral/wireless/ps7183/ps469/data_sheet_ant5135sdw.pdf
    Cisco Aironet Very Short 2.4-GHz Omnidirectional Antenna (AIR-ANT2422SDW-R)
    http://www.cisco.com/en/US/prod/collateral/wireless/ps7183/ps469/data_sheet_ant2422sdw.pdf
    Cisco Aironet 5-dBi Diversity Omnidirectional Antenna (AIR-ANT2452V-R)
    http://www.cisco.com/en/US/prod/collateral/wireless/ps7183/ps469/data_sheet_ant2452v.pdf
    Cisco Aironet 5-GHz MIMO Wall-Mounted Omnidirectional Antenna (AIR-ANT5140NV-R)
    http://www.cisco.com/en/US/prod/collateral/wireless/ps7183/ps469/data_sheet_ant5140nv.pdf
    Cisco Aironet 5-GHz MIMO 6-dBi Patch Antenna (AIR-ANT5160NP-R)
    http://www.cisco.com/en/US/prod/collateral/wireless/ps7183/ps469/data_sheet_ant5160np.pdf
    Cisco Aironet 2.4-GHz MIMO Wall-Mounted Omnidirectional Antenna (AIR-ANT2450NV-R)
    http://www.cisco.com/en/US/prod/collateral/wireless/ps7183/ps469/data_sheet_ant2450nv.pdf
    Cisco Aironet 2.4-GHz MIMO 6-dBi Patch Antenna (AIR-ANT2460NP-R)
    http://www.cisco.com/en/US/prod/collateral/wireless/ps7183/ps469/data_sheet_ant2460np.pdf

  • ISE wireless CPP with redirect exclusions, possible?

    Hi all, a little bit of a tricky situation here. I've got a wireless network and ISE 1.1.1. The wireless is mixed 7.0 and 7.3 code.
    On an ISE wired installation it's easy to have an authorization rule that URL redirects users to the client provisioning portal *BUT* to have a redirect ACL on the switch with deny statements that excludes specific websites from the redirection. This is done so users can click on remediation links from the NAC Agent and get to websites to download anti-virus, sig updates, windows updates, etc... but all other web attempts get redirected to the CPP.
    All fine and it works perfectly on the wired network. HOWEVER, I can't seem to find a similar way to do this on the wireless network. While you can create a posture redirection policy to send them to the CPP with an ACL, that ACL seems to only permit or deny traffic per a standard ACL. Meaning a user gets on but any attempt to go anywhere in a browser redirects to the CPP. This makes it impossible to get to the remediation pages.
    Is there any way to accomplish what I'm trying to do here? It seems like it should be a basic function.

    Sorry I had some personal issues to deal with and just got a chance to follow up on this. First of all, good job on figuring it out and posting the findings back here! (+5) from me for that!
    To answer your questions:
    #1. You are 100% correct about the logic on the WLC ACLs vs Switch ACLs. On switches "deny" means "don't redirect" the traffic, thus permit it on the network. On the WLCs "deny" means "redirect" the traffic, hence don't allow it on the network. I am not sure why Cisco did this but different BUs, different teams, etc.
    #2. You are also correct on this one. Your vWLC and ISE are working as expected. While switches support dACLs, WLCs only support "named ACL." As a result, when referencing ACLs on ISE for wireless, that ACL has to exist on the WLC and it MUST BE NAMED THE SAME or it won't work.
    Hope this helps. If your issues are resolved please mark the thread as "answered".
    Thank you for rating!
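The two points in the reply above (a "deny" line exempts traffic from redirection on a switch but causes redirection on the WLC, and ISE can only reference a WLC ACL by an exactly matching name) are easy to get backwards, so here is an added example, written for this page and not Cisco or ISE code, that models both. It assumes ACL lines carry an action, a destination (CIDR or "any") and an optional TCP port, that the first matching line wins and an unmatched flow hits an implicit deny; the addresses and ACL names are constructed documentation-range values.

```python
# Added example (not Cisco or ISE code): a model of redirect-ACL semantics.
# On a switch, "deny" in the redirect ACL means "do not redirect" (the flow
# passes); on the WLC, "deny" means "redirect".  The last helper checks that an
# ACL name referenced from ISE exists on the WLC with exactly the same name.
#
# Assumptions (mine): lines are action + destination (CIDR or "any") + optional
# TCP port; first match wins; an unmatched flow hits an implicit deny.
# Addresses and ACL names below are constructed documentation-range values.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    dst: str                     # destination CIDR/host, or "any"
    port: Optional[int] = None   # TCP destination port, None = any port


def ace_matches(ace: Ace, dst_ip: str, dst_port: int) -> bool:
    """Does this line match a flow to dst_ip:dst_port?"""
    if ace.port is not None and ace.port != dst_port:
        return False
    return ace.dst == "any" or ip_address(dst_ip) in ip_network(ace.dst, strict=False)


def first_match(acl: Sequence[Ace], dst_ip: str, dst_port: int) -> str:
    """Action of the first matching line, or the implicit deny."""
    for ace in acl:
        if ace_matches(ace, dst_ip, dst_port):
            return ace.action
    return "deny"


def is_redirected(platform: str, acl: Sequence[Ace], dst_ip: str, dst_port: int) -> bool:
    """Would this flow be sent to the client-provisioning portal on the given platform?"""
    action = first_match(acl, dst_ip, dst_port)
    if platform == "switch":
        return action == "permit"       # switch: permit = redirect, deny = pass through
    if platform == "wlc":
        return action == "deny"         # WLC: deny = redirect, permit = pass through
    raise ValueError(f"unknown platform {platform!r}")


def wlc_equivalent(switch_acl: Sequence[Ace]) -> List[Ace]:
    """Translate a switch redirect ACL into a WLC ACL that redirects the same flows.

    Every action is inverted, and a trailing 'permit any' stands in for the
    switch's implicit deny, which on the switch meant 'do not redirect'.
    """
    flipped = [Ace("deny" if a.action == "permit" else "permit", a.dst, a.port) for a in switch_acl]
    flipped.append(Ace("permit", "any"))
    return flipped


def ise_acl_reference_ok(profile_acl_name: str, wlc_acl_names: Sequence[str]) -> bool:
    """ISE references a WLC ACL by name only, so the name must match exactly (case-sensitive)."""
    return profile_acl_name in set(wlc_acl_names)


# Constructed sample: exempt the remediation server and an update network from
# redirection, redirect all other HTTP/HTTPS.
REMEDIATION_SERVER = "198.51.100.10"
SWITCH_REDIRECT_ACL = [
    Ace("deny", REMEDIATION_SERVER + "/32", 80),
    Ace("deny", REMEDIATION_SERVER + "/32", 443),
    Ace("deny", "203.0.113.0/24", 443),    # AV / update download network
    Ace("permit", "any", 80),
    Ace("permit", "any", 443),
]
WLC_REDIRECT_ACL = wlc_equivalent(SWITCH_REDIRECT_ACL)


if __name__ == "__main__":
    for ip, port in ((REMEDIATION_SERVER, 80), ("192.0.2.7", 80), ("192.0.2.7", 22)):
        print(ip, port,
              "switch:", is_redirected("switch", SWITCH_REDIRECT_ACL, ip, port),
              "wlc:", is_redirected("wlc", WLC_REDIRECT_ACL, ip, port))
```

Copying the switch ACL onto the WLC unchanged inverts its meaning, which is the symptom described in the thread: the remediation server becomes the one destination that is redirected. Translate the lines, then confirm the name configured on the WLC is byte-for-byte the name the ISE authorization profile references.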

  • ISE wireless web authentication for guest management not redirecting

    Hi forumers,
    I face the problem that after connecting to the wireless guest network, it won't redirect me to the ISE guest portal. This happens on my iPhone. The iPhone is running iOS 5.0.1.
    Whilst on a workstation it's working well.
    Attached is a snapshot of what happens on the iPhone.
    Any clue to troubleshoot? Thanks
    Noel

    Hi
    I still fail whilst testing on my iPhone.
    I'm not using the ISE self-signed certificate; I created a CSR and had it signed by the root CA server. So once I try to connect it won't prompt me to "accept certificate".
    My WLC local auth certificate (vendor certificate) is signed by the same root CA server as well.
    So I tested on a desktop running the Safari browser, and it is able to redirect to the ISE guest portal.
    Can you please suggest more troubleshooting guidance?
    Thanks
    This is the outcome for the Safari browser.
    Noel

  • ISE - Wireless Anyconnect

    Hello! We have a doubt regarding our ISE installation. We have created a new SSID with EAP Chaining validation (user + machine validation using the AnyConnect client) through ISE, and NAC posture.
    The problem is that when a user has never logged in to a PC and tries to log in for the first time through this wireless, it is not working. The facts are like this:
    - User introduces user/pass for the first time to computer
    - Computer needs to contact AD to download the profile
    - Computer associates with the network
    - ISE puts the user "on-hold" until it's NAC compliant
    - Computer never launches NAC process, so it's never compliant
    - ISE doesn't give access to network
    - User cannot login to computer.
    This only happens the first time a user tries to access the network because it needs to download the profile, if the user has logged in before, this is not a problem. Do you think there is any solution for this problem?

    Use EAP Chaining with EAP-FAST v2. In the auth attempt, the supplicant provides the authentication server (ISE) both the machine and user credentials for each auth attempt.  Supported by the Cisco AnyConnect 3.1 client/supplicant . In ISE to enable its support (Policy->Policy Elements->Results->Authentication->Allowed Protocols->Default Network Access <for example>->Allow EAP-FAST).

  • ISE wireless : permit only conexion on specific ESSID

    Hi
    I have ISE ver 1.1.x, Cisco 2960, Cisco 1800 and controller 2100.
    There are Active Directory users (employees) and guest users.
    Active Directory has many user groups (finance, security, human resources ...).
    For wireless connection I created many ESSIDs in the controller, one for each group (finance, security, human resources, guest ...).
    I configured one VLAN for each corresponding ESSID.
    There is no security key for the wireless connection.
    Is it possible to deny connection for a user to different ESSIDs and permit connection of each user only on their corresponding ESSID?
    Is it possible to redirect a user to their corresponding ESSID (VLAN) if they choose to connect on the wrong ESSID?
    Thanks in advance

    1. I would suggest creating an ACL.  Or
    2. Configure MAC filtering on a specific SSID (enter only the MAC addresses of the wireless devices you want to give access to that SSID):
    • Configuration -> SSIDs -> [SSID Name]
    • Optional Settings -> MAC Address Filters -> Available MAC Filters -> New
    • In the MAC Filters>New window click on the "New" button next to the "MAC Address/OUI" list
    • Add the MAC Address\MAC Address Range
    • In the MAC Filters>New window select the newly created MAC Address\MAC Address Range and select "Permit" as the Action
    • Save the new MAC Filter
    • On the screen ensure the newly created MAC Filter is in the "Selected MAC Filters" area rather than the "Available MAC Filters" area
    • Ensure the default action (under the "Available MAC Filters" area) is "Deny"
    • Save the change to the SSID profile
    • Update the affected access points

  • NAC/Wireless Design

    Hi!
    Looking for some input on some design options for NAC with a wireless deployment since OOB and IB are now both options.
    In a campus environment of up to 300 wireless users, in-band seems good so that we can have one SSID, but restrict a user login to a role and apply restrictions on the appliance, but I'm concerned about the common issue of the appliance becoming a bottleneck.
    My other thought too would be have multiple SSIDs (VLANs) and have multiple appliances handle certain VLANs, but this is pricey.
    In wireless OOB, it appears you can only have one "access" VLAN to map users to (I guess b/c that is all the WLC supports?), so that does not work for us as we need to have employees and guests (among others) separated.
    Please correct me on any misunderstandings.
    All insight appreciated. Thanks for the input!

    Your understanding is correct.
    For 300 wireless users, you may want to go inband and do enforcement at the NAC server level.
    For OOB, you need to make different SSID for different roles.
    e.g. Guest, Employees and Contractor
    You can look at the configuration example too for OOB Wireless NAC 4.5 here:
    http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080a138cc.shtml

  • Wireless Design Question

    I am a CCNA supporting a few offices that have VPN connections through local ISPs to a central site. I have one site that is remote and unable to get a broadband connection. It is approx. 1.5 miles from a site that has a broadband connection. I would like to set up a wireless connection. Because of the topology I think I would need a bridge between the sites, most likely on a tower. I am thinking that I would need a bridge at the remote site, a bridge in the middle and a bridge at the wired office. Am I on the right track? Can this be done and what sort of antennae would I need? Please email me at [email protected] Thank you

    I don't see a point in putting a bridge in the middle. Hardware/Technology is available to cover 1.5 miles.
    However, if you can manage a bridge in the middle and your hardware specs support the design, go for it.
    Thanks.

  • ISE wireless with HP core switch

    Hi all,
    We are planning to implement ISE for Wireless users. Our core switch is HP and our WLC is 5500.
    I would like to know if we need to change our core switch so that we can use ISE or there is no need to change it.

    You'd need 2 separate SSIDs as the access method will be different for each, e.g:
    Employee - WPA2 and 802.1x
    Guest - Webauth
    You don't have to have a quarantine, we do but it's not essential.
    For your employee WLAN you could have just one VLAN or you could have multiple. We started off with just one for our employee WLAN but now we've got several on each WLC (laptops, medical devices, etc.). I would suggest starting off simple with one.
    Your employee WLAN clients won't get an address until after they authenticate so you don't need a VLAN before then.

  • ISE Wireless endpoint license?

    Hi all! What does the endpoint wireless license for Cisco ISE count: access points or client devices? For example: I have 1 WLC, 35 access points and 500 clients. How many licenses do I need to buy?

    ISE licensing is based on endpoints authenticating to the network. So in your case if all 500 devices will be connecting to the network at the same time then you will need to purchase 500 licenses. Keep in mind that those are concurrent, thus, when a client leaves the network a license is freed up. 
    Hope this helps!
    Thank you for rating helpful posts! 

  • Do We Require ATP to Re-sell ISE Wireless?

    Hi forum,
    I have reviewed the Cisco ISE Software 1.1 Q&A (http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/qa_c67-658591.html) and it seems to me that Table 5 (Differences Between Cisco Identity Services Engine Licenses) and the penultimate Ordering and Purchasing question infer that no ATP is required to re-sell ISE with Wireless license type.
    Can anyone on the forums confirm that this is indeed the case?
    I have put the same question to my TCAM.
    Helpful posts always rated!
    Kind regards, Ash.

    Ashley,
    Here is the Q&A that I found:
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/qa_c67-658591.html
    Ordering and Purchasing
    Q. How can I purchase the Cisco Identity Services Engine?
    A. Cisco Identity Services Engine Advanced, Base, and Wireless Upgrade licenses can be purchased only through Cisco Authorized Technology Provider (ATP) partners.
    Note: Cisco Identity Services Engine platforms (both physical and virtual) and Wireless licenses are generally available for purchase through any Cisco authorized partner.
