Technology for Business

Indoor MESH with Cisco AP 1131


The Lightweight Access Point Cisco 1131 is a two-radio Wi-Fi infrastructure device that can be used for indoor mesh deployments. It is a CAPWAP/LWAPP based product. It provides a 2.4 GHz radio and a 5.8 GHz radio compatible with 802.11b/g and 802.11a. One radio can be used for local (client) access on the access point (AP) and the second radio can be configured for wireless backhaul. The AP 1131 supports P2P, P2MP and mesh architectures. Other Cisco indoor AP models are also mesh capable.


Indoor mesh is a subset of the Enterprise mesh architecture deployed on the Unified Wireless architecture. With indoor mesh, one of the radios (typically 802.11b/g) and/or the wired Ethernet link is used to connect to clients, while the second radio (typically 802.11a) is used to backhaul client traffic. A mesh AP can be either a RAP (Root AP) or a MAP (Mesh AP). A RAP acts as a bridge between the controller and the other wireless APs. A MAP connects to a RAP or to another MAP over the air on an 802.11a radio and also serves clients on an 802.11b/g radio.


Basic Mesh Configuration

The first step consists of setting the AP to bridge mode. After the AP reboots, set the AP role to RAP. This root AP has a wired connection to the WLC controller (through a switch).


In this example, we set the bridge group name to BG1, the backhaul interface is 802.11a and we leave the data rate at auto.


Configure the next AP as a bridge and set its AP Role to MeshAP. A MAP does not have a wired connection to the WLC; it communicates with the WLC through a RAP. In this example, we set the bridge group name to BG1 (so it matches the RAP), the backhaul interface is 802.11a and we leave the data rate at auto.


I checked the Mesh DCA Channels option and left the rest at the default values. Next, you must configure the desired DCA channels under Wireless > 802.11a/n.


As a basic security measure, you need to add the AP MAC Address of each RAP/MAP to the Local MAC Filters. Not doing so will prevent the MESH APs from coming up.


Note: the AP MAC Address is the wired side MAC address.


Authenticating MESH APs with RADIUS

MAC Filtering does not scale well across multiple controllers and provides minimal security. You are better off using central authentication for all your Mesh APs. Cisco uses EAP-FAST to authenticate its mesh APs. Here is how to do it.

From the Mesh Security section, choose EAP, check both External MAC Filter Authorization and Force External Authentication, then select a RADIUS server from the list.


To set up your RADIUS server, complete these two steps:


1. Configure EAP-FAST on the RADIUS server and install the certificates.


EAP-FAST authentication is required if mesh access points are connected to the controller using an 802.11a interface; the external RADIUS servers need to trust Cisco Root CA 2048. You must download the EAP-FAST certificates from Cisco.com. For information about installing and trusting the CA certificates, see "Configuring RADIUS Servers" in the Cisco Wireless Mesh Access Points, Design and Deployment Guide, Release 7.0.


2. Configure MAC filters for MESH APs


For each RAP/MAP, you need to provide two credentials in RADIUS:

- MAC filter / Password

- Username / Password


The MAC filter / password format is as follows:

AP_MAC_Address / AP_MAC_Address


Example:

001d451f5d22 / 001d451f5d22


The username / password format is as follows:

AP_Model-AP_MAC_Address / AP_Model-AP_MAC_Address


Example:

C1130-001d451f5d22 / C1130-001d451f5d22


Note: the AP MAC Address is the wired side MAC address.


TIP: From this point on, you no longer need Local MAC filtering for your MAPs. Purge those entries from your WLC.
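As an added example (not code from the original post, nor from Cisco or ACS), the following Python helper derives both RADIUS entries for a mesh AP from its model and wired-side MAC in the format described above, and audits a RADIUS user list for entries that are missing (the AP will not join) or stale (no AP in inventory, so they should be purged). The inventory and RADIUS user list are constructed sample data.

```python
from __future__ import annotations
import re

# 12 lowercase hex digits, the form the WLC and RADIUS entries use (e.g. 001d451f5d22)
_HEX12 = re.compile(r"^[0-9a-f]{12}$")
# A mesh-style RADIUS username: either "<mac>" or "<Model>-<mac>"
_MESH_USER = re.compile(r"^(?:[A-Za-z0-9]+-)?[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff or aabbccddeeff
    and return the 12 lowercase hex digits; reject anything that is not a 48-bit MAC."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


def mesh_ap_credentials(model: str, mac: str) -> list[tuple[str, str]]:
    """The two (username, password) pairs one RAP/MAP needs on the RADIUS server:
    the MAC filter entry (MAC / MAC) and the username entry (Model-MAC / Model-MAC)."""
    m = normalize_mac(mac)
    return [(m, m), (f"{model}-{m}", f"{model}-{m}")]


def audit_radius_users(inventory: dict[str, str], radius_users: set[str]) -> tuple[set[str], set[str]]:
    """inventory maps wired MAC -> AP model. Returns (missing, stale):
    missing = expected mesh entries the RADIUS server lacks;
    stale   = mesh-style entries on the server with no matching AP in inventory."""
    expected: set[str] = set()
    for mac, model in inventory.items():
        expected.update(user for user, _pw in mesh_ap_credentials(model, mac))
    missing = expected - radius_users
    stale = {u for u in radius_users - expected if _MESH_USER.match(u)}
    return missing, stale


# Constructed sample data (hypothetical MACs, not from a real deployment)
INVENTORY = {"00:1D:45:1F:5D:22": "C1130", "001d.451f.5e10": "C1130"}
RADIUS_USERS = {"001d451f5d22", "C1130-001d451f5d22", "001d451f5e10",
                "C1130-00aabbccddee", "jdoe"}

if __name__ == "__main__":
    for mac, model in INVENTORY.items():
        for user, pw in mesh_ap_credentials(model, mac):
            print(f"{user} / {pw}")
    missing, stale = audit_radius_users(INVENTORY, RADIUS_USERS)
    print("missing:", sorted(missing))   # the second AP's username entry
    print("stale:", sorted(stale))       # a mesh-style entry for an AP not in inventory
```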


The following figure shows the Cisco ACS Passed Authentications report for both the mesh AP MAC filter entry and the mesh AP username entry.


Conclusion

We covered the basics of how to use the Cisco AP 1131 to create an indoor mesh network. This can be useful for several reasons, such as extending a network where cabling is not economical or for temporary work setups. MAC address filtering is the least secure way of authenticating RAPs and MAPs. You should instead authenticate all APs with a RADIUS server. You may also want to authenticate the wired APs (RAP) using 802.1X; see my previous blog post for details.
