
    Configuring a Controller

    Controllers can be configured from Network Director only when they are selected in the View pane.

    To configure a controller in Network Director:

    1. Under Views, select one of these options: Location View, Device View or Custom Group View.

      Tip: Do not select Dashboard View, Datacenter View, or Topology View.

    2. Click in the Network Director banner.
    3. Select a controller or controller cluster in the leftmost pane.

      When a controller is selected, WLC System Settings is added to the list of Key Tasks in the Tasks pane.

      Note: You only see the option WLC System Settings after you select a controller or controller cluster.

    4. In the Tasks pane, expand Key Tasks and then click WLC System Settings.

      The System Settings page opens, displaying three tabs: System, Wireless, and AAA. Make any needed changes under the appropriate sections on each tab.

    5. Click Done.

      The controller is now configured but not deployed—you must deploy the controller to activate the configuration. For more information, see Deploying Configuration to Devices.

    Configuring System Information for a Controller

    System information is received from the selected controller’s or controller cluster’s current controller configuration. You can change some of this information as indicated in Table 1. This information is part of the System Settings for a controller.

    Table 1: Basic System Information for Controllers

    Field

    Directions

    Basic Information

    IP Address

    No change can be made to information received from the selected controller.

    Model

    No change can be made to information received from the controller.

    Serial Number

    No change can be made to information received from the controller.

    OS Version

    No change can be made to information received from the controller.

    Contact

    You can change this value. Type a contact name for the controller.

    Location

    You can change this value. Type a location for the controller.

    Prompt

    You can change this value. Type the prompt that will appear in the CLI of the controller.

    Application Detection

    Enable mDNS Detection if available

    mDNS is only available on access points that support the feature when MSS 9.1 or later is the operating system. Check to enable multicast Domain Name System (mDNS) host name resolution service to support Apple mDNS.

    Configuring Link Layer Discovery Protocol (LLDP) on a Controller

    Link Layer Discovery Protocol (LLDP) is a link layer protocol used by network devices to advertise identity, capabilities, and neighbors. Link Layer Discovery Protocol-Media Endpoint Discovery (LLDP-MED) is an extension to LLDP that operates between endpoint devices such as IP phones to provide support for voice over IP (VoIP) applications.

    Tip: LLDP and LLDP-MED cannot operate simultaneously on a network.

    For information about LLDP, see Understanding LLDP and LLDP-MED. To configure LLDP on an access point, see Configuring Link Layer Discovery Protocol (LLDP) on an Access Point.

    To configure LLDP on a controller, provide the LLDP settings described in Table 2. The settings are located under the controller’s or controller cluster’s System Settings LLDP option in Network Director.

    Table 2: LLDP Settings for Controllers

    Field

    Directions

    Enable LLDP
    (default is enabled)

    Checked by default to enable the Link Layer Discovery Protocol on the controller. If you disable it, all TLVs (system capabilities, system name, system description) on the controller are discarded.

    Transmission Interval
    (default is 30 seconds)

    Specify the LLDP advertisement interval in seconds. The range is 5 to 32786 seconds and the default value is 30 seconds. LLDP frames can be sent earlier if local changes affect any of the selected TLVs (system capabilities, system name, system description).

    Hold Time
    (default is 120 seconds)

    Specify the length of time that a controller retains LLDP information before discarding it. The range is 0 to 65535 seconds with a default value of 120 seconds. We recommend a value four times the transmission interval value.

    Reinitialization Delay
    (default is 2 seconds)

    Configure the delay time, in seconds, before LLDP is initialized on any port. The range is 2 to 5 seconds with the default value of 2 seconds.

    Transmit Delay
    (default is 2 seconds)

    Specify the length of time between LLDP frame transmissions. The range is 1 to 8192 seconds with the default value of 2 seconds. The transmit delay value limits the rate at which local changes affect LLDP frames; frames sent advertise only the most recent changes. For example, if you change the controller name every 5 minutes, this triggers the network to send new LLDP advertisements. By setting the transmit-delay parameter, you can limit the rate at which new LLDP advertisements are sent on the network. LLDP frames are sent at each tx-interval number of seconds. If local changes occur, the frames are sent earlier, but not sooner than the value indicated here.

    System Capabilities
    (default is enabled)

    System capabilities is a TLV. When checked (default), this information is broadcast on the network.

    System Name
    (default is enabled)

    System name is a TLV. When checked (default), this information is broadcast on the network.

    System Description
    (default is enabled)

    System description is a TLV. When checked (default), this information is broadcast on the network.

    Configuring IP Services on a Controller

    To configure IP Services on a controller, provide the IP routes, IP aliases, and ARP settings described in Table 3. The settings are located under the controller or controller cluster’s System Settings IP Services option in Network Director.

    Table 3: IP Routes, IP Aliases, and ARP Settings for Controllers

    Field

    Directions

    Static Routes

    A static route is an explicit route from a controller to a host. Static routes do not expire but they are removed by a software reboot.

    Task: Add a Static Route to a Controller

    To add a static route to the selected controller or controller cluster:

    1. Click Add under Static Routes.

      The Create Static Route window opens.

    2. Provide these static route settings:
      • Default Route—Check this option to make this static route the default.
      • Destination—Type the IP address of the static route destination host.
      • Gateway—Type the IP address of the host’s static route gateway.
      • Metric—Select a number between 0 and 2,147,483,647 to indicate the cost of a route to a router. Lower-cost routes are preferred over higher-cost routes. When you add multiple routes to the same destination, MSS groups the routes together and orders them from lowest cost at the top of the group to highest cost at the bottom of the group. If you add a new route that has the same destination and cost as a previous route, MSS places the new route at the top of the group of routes with the same cost.
    3. Click OK.

      The static route is added to the Static Routes list on the System Settings page.

    IP Aliases

    An alias is a string that represents an IP address. After configuring the alias, you can refer to a controller using the alias name instead of the IP address. Aliases take precedence over DNS assignments. When you enter a hostname, MSS checks for an alias with that name first, then uses DNS to resolve the name.

    Task: Add an IP Alias to a Controller

    To add an IP alias to the selected controller or controller cluster:

    1. Click Add under IP Aliases.

      The Create IP Alias window opens.

    2. Provide these IP alias settings:
      • Host Name—Alias name for the controller
      • Host IP Address—IP address of the controller
    3. Click OK.

      The IP alias is added to the IP Alias list on the System Settings page.

    ARP Settings

    The Address Resolution Protocol (ARP) table maps IP addresses to MAC addresses. An ARP entry enters the table either automatically or by being explicitly configured with the parameters in this section.

    Aging Time

    The aging timeout specifies how long a dynamic entry can remain unused before the software removes the entry from the ARP table. The default aging timeout is 1200 seconds (20 minutes). The aging timeout does not affect the local entry, static entries, or permanent entries.

    Task: Add an ARP Entry to a Controller

    To add an ARP entry to the selected controller or controller cluster:

    1. Click Add under ARP Settings.

      The Create ARP Entry window opens.

    2. Provide these ARP entry settings:
      • IP Address—Type the IP address of the ARP Entry.
      • MAC Address—Type the MAC address of the ARP Entry.
    3. Click OK.

      The ARP entry is added to the ARP Entries list on the System Settings page.

    Configuring DSCP CoS Mapping on a Controller

    Differentiated Services Code Point (DSCP) is a field in IPv4 and IPv6 packet headers. Class of Service (CoS) is a set of priority levels in quality-of-service (QoS) configurations. CoS-to-DSCP and DSCP-to-CoS mappings are used to evaluate packets for scheduling and assigning packets to one of the QoS queues. The result is Layer 2 and Layer 3 classification and marking of traffic to help provide end-to-end quality-of-service (QoS) throughout a network. The settings to configure DSCP on a controller or controller cluster are located under the controller’s System Settings IP Services option in Network Director.

    Configure either DSCP to CoS or CoS to DSCP by selecting options from the list and then clicking Done.

    Configuring RF Auto-tuning on a Controller

    RF auto-tuning automatically makes channel tuning decisions for access point radios on the basis of the RF data gathered by access points. Configuring power auto-tuning on a controller means that all associated radios that have not been otherwise configured will be auto-tuned. Use this feature to configure auto-tuning on the selected controller or controller cluster.

    Tip: You can also configure radios with auto-tuning by creating a Radio profile and assigning that profile to radios. See Creating and Managing a Radio Profile.

    RF auto-tuning is configured for a controller or controller cluster under the Wireless tab of the selected controllers’ System Settings. Provide the RF auto-tuning settings described in Table 4 to configure the selected controller or controller cluster.

    Table 4: RF Auto-Tune Settings for Controllers

    Field

    Directions

    802.11b/g

    Enable
    (default is enabled)

    When checked (default), 802.11b/g power auto-tuning is implemented for the controller.

    Interference Domain Threshold
    (default is 85 radios)

    Define an interference domain threshold, which is the maximum set of radios in a mobility domain that can interfere with each other. The default is 85 radios.

    Convergence Delay
    (default is 60 minutes)

    Indicate the length of the delay between beginning calculations of new configuration. The default value is 60 minutes with a possible range of 0 to 10080 minutes.

    Week Day

    Schedule auto-tuning for a specific day.

    Hour

    Schedule auto-tuning for a specific hour of the indicated day.

    Minute

    Schedule auto-tuning for a specific minute of the indicated hour.

    802.11a

    Enable
    (default is enabled)

    When checked (default), 802.11b/g channel auto-tuning is implemented for the controller.

    Interference Domain Threshold
    (default is 85 radios)

    Define an interference domain threshold, which is the maximum set of radios in a mobility domain that can interfere with each other. The default is 85 radios.

    Convergence Delay
    (default is 60 minutes)

    Indicate the length of the delay between beginning calculations of new channel plans. The default value is 60 minutes with a range of 0 to 10080 minutes.

    Week Day

    Schedule auto-tuning for a specific day.

    Hour

    Schedule auto-tuning for a specific hour of the indicated day.

    Minute

    Schedule auto-tuning for a specific minute of the indicated hour.

    Configuring Load Balancing on a Controller

    Load balancing distributes a workload across multiple wireless radios to achieve optimal utilization, maximize throughput, minimize response time, and avoid overload. Radios with heavy client loads are made less visible to new clients, causing those clients to associate with radios with a lighter load. For more information, see Understanding Load Balancing for Wireless Radios.

    Load balancing is configured for a controller or controller cluster under the Wireless tab of the selected controllers’ System Settings. See Table 5 for a description of the possible load-balancing settings for controllers and controller clusters.

    Table 5: Load-balancing Settings for Controllers

    Field

    Directions

    Enable
    (default is enabled)

    RF Load-balancing is enabled by default on controllers. You can disable it by removing this check mark.

    Load Balancing Strictness
    (default is low)

    You can specify how strictly MSS attempts to load-balance across radios on the controller. When low strictness is specified (default), heavily loaded access point radios are less visible and steer clients to less-busy radios, while ensuring that clients are not denied service even if all the WLA radios in the group are heavily loaded. When maximum strictness is specified, a radio with the maximum client load is invisible to new clients, and clients attempt to connect to other radios. In the event that all the radios in the group reach maximum client load, then no new clients can connect to the network.

    Preferred Band
    (default is 5-GHz)

    If a client supports both the 802.11a and 802.11b/g bands, you can configure MSS to steer the client to a less-busy radio for the purpose of load-balancing. This band-preference option makes access points with two radios attempt to hide one of the radios from a client with the purpose of steering the client to the other radio. Select 5GHz, 2.4GHz, or None for the preferred band.

    Configuring AAA 802.1X on a Controller

    IEEE 802.1X network users are authenticated when they identify themselves with a credential. Authentication can be passed through to RADIUS, performed locally on the controller, or partially completed by the controller. Assign authentication settings for the selected controller or controller cluster as described in Table 6.

    Table 6: 802.1X Authentication Settings for Controllers

    Field

    Directions

    802.1X Settings

    System Authentication Control
    (default is enabled)

    When checked (default), enables 802.1X authentication for all wired authentication ports on the controller.

    Retransmit Timeout
    (default is 5 seconds)

    Specify the number of seconds before retransmitting an Extensible Authentication Protocol over LAN (EAPoL) packet. Default is 5 seconds.

    Authentication Server Timeout
    (default is 30 seconds)

    Indicate the number of seconds before the controller times out a request to a RADIUS server. The default is 30 seconds.

    Key Transmit
    (default is enabled)

    When checked (default), encryption key information is sent to the client after authentication in EAPoL-Key PDUs. The controller sends EAPoL key messages after successfully authenticating the client and receiving authorization attributes for the client. If the client is using dynamic WEP, the EAPoL key messages are sent immediately after authorization.

    Reauthentication Attempts
    (default is 2)

    Number of reauthentication attempts the controller makes before the client becomes unauthorized. The default number of reauthentication attempts is 2. You can specify from 1 to 10 attempts.

    Bonded Period
    (default is 0)

    Specify the number of seconds (default is 0) that MSS retains session information for an authenticated computer while waiting for the 802.1X client on the computer to start (re)authentication for the user. Normally, the Bonded Auth period needs to be set only if the network has Bonded Auth clients that use dynamic WEP, or use WEP-40 or WEP-104 encryption with WPA or RSN. These clients can be affected by the 802.1X reauthentication parameter or the RADIUS Session-Timeout parameter.

    Quiet Period Timeout
    (default is 60 seconds)

    Indicate the number of seconds the controller is unresponsive to a client after a failed authentication. The default is 60 seconds. The acceptable range is from 0 to 65,535 seconds.

    Supplicant Timeout
    (default is 30 seconds)

    Indicate the interval of time before the controller retransmits an 802.1X-encapsulated EAP request to a client. If both the RADIUS and supplicant timeouts are set, MSS uses the shorter of the two. If the RADIUS session-timeout attribute is not set, MSS uses this timeout value, by default 30 seconds.

    Maximum Requests
    (default is 2)

    Indicate the maximum number of times (0 to 10) an EAP request is transmitted to the client before timing out the authentication session. The default is 2 attempts.

    Reauthentication and Reauthentication Period
    (default is 3600 seconds)

    Reauthentication of 802.1X wireless clients is enabled on the controller by default. By default, the controller waits 3600 seconds (1 hour) between authentication attempts. You can change the defaults.

    You can also disable reauthentication.

    Handshake Timeout
    (default is 2 seconds)

    Indicate the timeout for the 4-way handshake and the 802.1X group-key handshake on the controller. The default value is 2000 milliseconds (2 seconds) with a range of 20-5000 milliseconds.

    WEP Key Rolling

    For dynamic WEP, MSS dynamically generates keys for broadcast, multicast, and unicast traffic. MSS generates unique unicast keys for each client session and periodically regenerates (rotates) the broadcast and multicast keys for all clients. You can change or disable the broadcast or multicast rekeying interval.

    WEP Key Rolling and WEP Key Rolling Period
    (default is 1800 seconds)

    Change or disable the key rotation interval. The default interval for rotating the WEP key is 1800 seconds.

    TKIP/CCMP Key Rolling

    Unicast Key Rolling and Unicast Key Rolling Period
    (default is 300 seconds)

    Change or disable the broadcast TKIP and CCMP key rotation interval. The default interval for TKIP and CCMP key rotation is 300 seconds.

    Multicast Key Rolling and Multicast Key Rolling Period
    (default is 300 seconds)

    Change or disable the multicast key rotation interval. The default interval for rotating the multicast key is 300 seconds.

    Configuring AAA RADIUS on a Controller

    Remote Authentication Dial In User Service (RADIUS) is a networking protocol that provides centralized authentication, authorization, and accounting (AAA) management for computers to connect and use a network service. You can configure a single controller or controller cluster with RADIUS settings under the AAA tab of System Settings in Network Director.

    Tip: For more information, see Understanding Central Network Access Using RADIUS and TACACS+. To configure a RADIUS profile that can be assigned to devices, see Creating and Managing RADIUS Profiles.

    Assign AAA RADIUS settings for the selected controller or controller cluster as described in Table 7.

    Table 7: AAA RADIUS Settings for Controllers

    Field

    Directions

    RADIUS Default Settings

    Timeout
    (default is 5 seconds)

    Adjust the length of time (default is 5 seconds) that elapses with no connection before Network Director gives an unreachable RADIUS server error.

    Retry Count
    (default is 3 times)

    Adjust the number of times (default is 3) that a controller retries connection with a RADIUS server after the connection is dropped or refused.

    Dead Time
    (default is 5 seconds)

    Indicate the number of seconds before Network Director checks a RADIUS server that was previously unresponsive. Default is five seconds.

    Key

    Indicate a password string that is the shared secret that the controller uses to authenticate to the RADIUS server. No default.

    Use MAC as Password
    (default is disabled)

    Check to set the password to the controller’s MAC address. If you enable Use MAC As Password, then the Authorization Password field becomes unavailable.

    Authorization Password

    Provide a password if you are not using the MAC address as the password—there is no default.

    MAC Address Format
    (default is hyphens)

    Indicate the format of the MAC address (no default) that will be sent as a password, either Hyphens, Colons, One hyphen or Raw. For descriptions and examples of these formats, see Creating and Managing RADIUS Profiles.

    Authentication Protocol
    (default is PAP)

    Select PAP, CHAP, MSCHAP-V2, or None to determine an authentication protocol for the RADIUS server. These authentication protocols work as follows:

    • PAP stands for Password Authentication Protocol and is used by Point to Point Protocols to validate users before allowing them access to server resources. Almost all network operating system remote servers support PAP. However, PAP transmits unencrypted ASCII passwords over the network and is therefore not secure. Use it as a last resort when the remote server does not support the stronger authentication.
    • CHAP stands for Challenge Handshake Authentication Protocol and authenticates a user or network host to an authenticating entity. CHAP provides protection against replay attacks by the peer through the use of an incrementally changing identifier and of a variable challenge-value. CHAP requires that both the client and server know the plaintext of the secret password—it is never sent over the network. CHAP provides better security than PAP does.
    • MSCHAP stands for Microsoft’s implementation of the Challenge Handshake Authentication Protocol version 2 on the router for password-change support. This feature provides users accessing a router the option of changing the password when the password expires, is reset, or is configured to be changed at the next login. The MS-CHAP variant does not require either peer to know the plaintext of the secret password. MSCHAP-V2 is used as an authentication option with RADIUS servers used for Wi-Fi security using the WPA-Enterprise protocol.

    RADIUS DAC Settings

    Dynamic Authorization Client (DAC) is a dynamic RADIUS extension that enables administrators supporting a RADIUS server to disconnect a user and change the authorization attributes of an existing user session.

    RADIUS DAC Port
    (default is 3799)

    Port used for changing the authorization attributes of an existing user session. Default port is 3799.
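
    The CHAP exchange described under Authentication Protocol, shown as an added example that is not Juniper or MSS code. The response computation follows RFC 1994; the class name, user name, and secret are constructed for illustration.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994 response: MD5 over the identifier octet, the secret, the challenge."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """Authenticating side (hypothetical helper). It must hold each secret in plaintext."""

    def __init__(self, secrets):
        self._secrets = secrets      # user name -> plaintext secret (bytes)
        self._identifier = 0         # incrementally changing identifier
        self._pending = {}           # user name -> (identifier, challenge)

    def new_challenge(self, user):
        """Issue a fresh random challenge with the next identifier."""
        self._identifier = (self._identifier + 1) % 256
        challenge = os.urandom(16)   # variable challenge value
        self._pending[user] = (self._identifier, challenge)
        return self._identifier, challenge

    def verify(self, user, identifier, response):
        """Check a response; every challenge is consumed on first use."""
        pending = self._pending.pop(user, None)
        secret = self._secrets.get(user)
        if pending is None or secret is None or pending[0] != identifier:
            return False
        expected = chap_response(identifier, secret, pending[1])
        return hmac.compare_digest(expected, response)


def demo():
    """Run one valid exchange, then two replays and a wrong-secret attempt."""
    secret = b"constructed-shared-secret"   # constructed sample value
    auth = ChapAuthenticator({"wlc-user": secret})

    ident, challenge = auth.new_challenge("wlc-user")
    response = chap_response(ident, secret, challenge)   # peer side
    results = {"fresh_response": auth.verify("wlc-user", ident, response)}

    # The same response sent again: the challenge was already consumed.
    results["same_response_again"] = auth.verify("wlc-user", ident, response)

    # The old response replayed against a new challenge does not match.
    ident2, _ = auth.new_challenge("wlc-user")
    results["replayed_on_new_challenge"] = auth.verify("wlc-user", ident2, response)

    # A peer that does not know the secret cannot produce a valid response.
    ident3, challenge3 = auth.new_challenge("wlc-user")
    wrong = chap_response(ident3, b"wrong-secret", challenge3)
    results["wrong_secret"] = auth.verify("wlc-user", ident3, wrong)
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

    The secret never crosses the wire, only the 16-byte digest, which is why the authenticator needs the plaintext secret to recompute it.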

    Configuring AAA LDAP on a Controller

    Lightweight Directory Access Protocol (LDAP) is an Internet protocol that e-mail and other programs use to look up information from a server.

    Tip: You can also create LDAP Profiles and assign them to devices from Network Director—for directions, see Creating and Managing LDAP Profiles.

    Assign LDAP settings for the selected controller or controller cluster as described in Table 8.

    Table 8: Setting AAA LDAP Settings for Controllers

    Field

    Directions

    Authentication Port
    (default is 389)

    The default LDAP authentication port is 389. You can change the port number by using the up and down arrows.

    Timeout
    (default is 5 seconds)

    Adjust the length of time (default is 5 seconds) that elapses with no connection before Network Director gives an unreachable LDAP server error. You can change this value by using the up and down arrows to 1 through 90 seconds.

    Dead Time
    (default is 5 seconds)

    Indicate the number of seconds an LDAP server is unresponsive before it is marked as unavailable. Default is five seconds.

    Bind Mode
    (default is simple bind)

    When an LDAP session is created (LDAP client connects to a server) the authentication state of the session is set to anonymous. BIND mode establishes the authentication state for a session and sets the LDAP protocol version.

    The default is Simple bind—you can change this to SASL-MD5. With Simple bind, the users’ credentials are sent to the LDAP Directory Service in clear text. With SASL-MD5 bind, the users’ credentials are encrypted.

    MAC Address Format
    (default is hyphens)

    Indicate the format of the MAC address that will be sent as a password: Hyphens, Colons, One hyphen, Raw, or None. None means that the MAC address is stated in a single stream (for example, 12ae53ef5676), with no subgrouping of the numbers. Hyphens indicates hyphen separation (for example, 12-ae-53-ef-56-76). Colons indicates colon separation (for example, 12:ae:53:ef:56:76).

    Base DN

    The top level of the LDAP directory tree is the base, referred to as the base DN. Enter a base domain name, for example, DC=eng, DC=Juniper Networks, or DC=com. This string indicates where to load users and groups.

    Prefix DN
    (default is cn)

    AD or NT domains use the NetBIOS prefix domain name. Default is cn.
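
    A pre-deployment review of the values from Tables 2, 6, 7 and 8, as an added example that is not part of Network Director. The dictionary key names are hypothetical; the ranges, defaults, and warnings are the ones stated on this page.

```python
# Ranges as printed in Tables 2, 6 and 8 of this page: key -> (min, max).
# Key names are hypothetical; Network Director does not expose them.
RANGES = {
    "lldp.tx_interval": (5, 32786),
    "lldp.hold_time": (0, 65535),
    "lldp.reinit_delay": (2, 5),
    "lldp.tx_delay": (1, 8192),
    "dot1x.reauth_attempts": (1, 10),
    "dot1x.quiet_period": (0, 65535),
    "dot1x.max_requests": (0, 10),
    "dot1x.handshake_timeout_ms": (20, 5000),
    "ldap.timeout": (1, 90),
}

# Defaults as stated on this page.
DEFAULTS = {
    "lldp.enabled": True, "lldp.tx_interval": 30, "lldp.hold_time": 120,
    "lldp.reinit_delay": 2, "lldp.tx_delay": 2,
    "lldp.tlv_system_name": True, "lldp.tlv_system_description": True,
    "dot1x.reauth_attempts": 2, "dot1x.quiet_period": 60,
    "dot1x.max_requests": 2, "dot1x.handshake_timeout_ms": 2000,
    "radius.auth_protocol": "PAP",
    "ldap.bind_mode": "simple", "ldap.timeout": 5,
}

SEVERITY_ORDER = {"error": 0, "warn": 1, "info": 2}


def review(settings):
    """Return (severity, key, message) findings for a proposed configuration.

    Any key missing from `settings` takes the default stated on the page.
    """
    cfg = {**DEFAULTS, **settings}
    findings = []

    # Values outside the documented range would be rejected or misapplied.
    for key, (low, high) in RANGES.items():
        if not low <= cfg[key] <= high:
            findings.append(("error", key, f"{cfg[key]} is outside {low}..{high}"))

    if cfg["lldp.enabled"]:
        # Table 2 recommends a hold time of four times the transmission interval.
        recommended = 4 * cfg["lldp.tx_interval"]
        if cfg["lldp.hold_time"] != recommended:
            findings.append(("warn", "lldp.hold_time",
                             f"{cfg['lldp.hold_time']}s, recommended {recommended}s"))
        # Enabled TLVs are broadcast on the network.
        for tlv in ("lldp.tlv_system_name", "lldp.tlv_system_description"):
            if cfg[tlv]:
                findings.append(("info", tlv, "advertised to LLDP neighbors"))

    # Table 7: PAP sends the password unencrypted; use only as a last resort.
    if cfg["radius.auth_protocol"].upper() == "PAP":
        findings.append(("warn", "radius.auth_protocol",
                         "PAP selected; prefer CHAP or MSCHAP-V2 if the server supports it"))

    # Table 8: Simple bind sends user credentials in clear text.
    if cfg["ldap.bind_mode"].lower().startswith("simple"):
        findings.append(("warn", "ldap.bind_mode",
                         "Simple bind sends credentials in clear text; SASL-MD5 is available"))

    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[0]], f[1]))


if __name__ == "__main__":
    # Constructed sample: interval raised, reinit delay mistyped, auth hardened.
    proposed = {"lldp.tx_interval": 60, "lldp.reinit_delay": 9,
                "radius.auth_protocol": "MSCHAP-V2", "ldap.bind_mode": "SASL-MD5"}
    for severity, key, message in review(proposed):
        print(f"{severity:5} {key}: {message}")
```

    Running `review({})` shows that the page's defaults already produce two warnings, for PAP and for Simple bind.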

    What To Do Next

    The controller is now reconfigured, but the changes are not yet being used for operation. Deploy the controller by following the directions in Deploying Configuration to Devices.

     

     

    Modified: 2017-04-20