Module 18
WLAN Configuration and Security
# CCNA 200-301 - Video 18: WLAN Configuration and Security

## Deep Study Notes

---

## Learning Objectives

By the end of this video, you should understand:

- WLAN configuration methods (GUI, CLI, Mobility Express)
- Wireless security implementation (PSK, 802.1X, WPA2/WPA3)
- Authentication and encryption configuration
- Guest wireless deployment
- WLAN troubleshooting and verification

---

## Core Concepts

### 1. WLAN Configuration Methods

**Cisco Wireless Configuration Options:**

| Method | Platform | Best For |
|--------|----------|----------|
| **WLC GUI** | 9800, 5500, 3500 series | Centralized management, large deployments |
| **WLC CLI** | All WLC platforms | Automation, scripting |
| **Cisco Mobility Express** | 1800, 2800, 3800 APs | Small to medium (1-25 APs) |
| **Cisco Catalyst Center** | Enterprise | Large-scale automation |

```
WLC GUI CONFIGURATION WORKFLOW

STEP 1: Access WLC Management Interface
        https://[WLC-management-ip]

STEP 2: Configure WLAN Parameters
        ├── WLAN ID: Unique identifier
        ├── SSID: Network name
        ├── Status: Enabled/Disabled
        ├── Interface/VLAN: Associated VLAN
        └── Security Policy: PSK, 802.1X, Open

STEP 3: Configure Security
        ├── WPA2 or WPA3
        ├── PSK passphrase or 802.1X RADIUS servers
        └── Encryption: AES-CCMP (WPA2) or GCMP (WPA3)

STEP 4: Configure Advanced Features
        ├── QoS: Voice, Video, Best Effort
        ├── FlexConnect: Remote AP configuration
        ├── AAA Override: Per-user VLAN assignment
        └── Client Exclusion: Block rogue clients

STEP 5: Apply and Verify
        └── Clients can associate with SSID
```

---

### 2. WLC Configuration (Cisco 9800 CLI)

**Basic WLC Setup:**

```cisco
! Enter configuration mode
WLC# configure terminal

! Configure management interface
WLC(config)# interface vlan 1
WLC(config-if)# ip address 192.168.1.100 255.255.255.0
WLC(config-if)# no shutdown
WLC(config-if)# exit

! Configure default gateway
WLC(config)# ip default-gateway 192.168.1.1

! Configure AP join credentials
WLC(config)# ap username cisco password Cisco123

! Create WLAN profile
WLC(config)# wlan Corporate-WiFi 1
WLC(config-wlan)# ssid Corporate-WiFi
WLC(config-wlan)# security
WLC(config-wlan-security)# wpa
WLC(config-wlan-security-wpa)# wpa2
WLC(config-wlan-security-wpa)# wpa2 ciphers aes
WLC(config-wlan-security-wpa)# exit
WLC(config-wlan)# security wpa psk
WLC(config-wlan-security)# psk ascii Cisco@123
WLC(config-wlan)# no shutdown
WLC(config-wlan)# exit

! Apply WLAN to interface
WLC(config)# wlan profile Corporate-WiFi 1
WLC(config)# interface vlan 10
WLC(config-if)# wlan 1
```

---

### 3. Cisco Mobility Express Configuration

**Cisco Mobility Express** is an embedded wireless controller that runs directly on an AP (1800, 2800, 3800 series), eliminating the need for a separate hardware controller.
```
CISCO MOBILITY EXPRESS ARCHITECTURE

Primary AP (with Mobility Express)
├── Mobility Express Controller (Embedded in AP)
└── AP Radio
        │
        │ CAPWAP
        ▼
Secondary APs (Lightweight)
└── AP (Lightweight Mode)
```

**Mobility Express Initial Setup:**

```cisco
! After connecting to AP console, configure Mobility Express
AP# capwap ap ip address 192.168.1.101 255.255.255.0 192.168.1.1

! Access web GUI
! https://192.168.1.101 (admin/Cisco123)

! GUI Configuration Steps:
! 1. Run setup wizard
! 2. Set admin credentials
! 3. Configure primary AP
! 4. Create SSID with security
! 5. Join secondary APs
```

---

### 4. WLAN Security Implementation

**Security Comparison:**

| Security Type | Authentication | Encryption | Use Case |
|---------------|----------------|------------|----------|
| **Open** | None | None | Public hotspots, guest |
| **WPA2-Personal** | PSK (passphrase) | AES-CCMP | Home, small office |
| **WPA2-Enterprise** | 802.1X/EAP (RADIUS) | AES-CCMP | Corporate, education |
| **WPA3-Personal** | SAE (Simultaneous Authentication of Equals) | GCMP-256 | Enhanced home/office |
| **WPA3-Enterprise** | 802.1X/EAP with stronger encryption | GCMP-256 | High-security corporate |

---

### 5. WPA2-Personal (PSK) Configuration

**WLC GUI Configuration:**

```
WLAN Configuration:
├── SSID: "Corp-WiFi"
├── Security: WPA2
├── Authentication: PSK
├── Passphrase: SecurePass123!
└── Encryption: AES-CCMP
```

**WLC CLI Configuration:**

```cisco
! Create WLAN with PSK
WLC(config)# wlan Corp-WiFi 1
WLC(config-wlan)# ssid Corp-WiFi
WLC(config-wlan)# security wpa
WLC(config-wlan-security)# wpa2
WLC(config-wlan-security)# wpa2 ciphers aes
WLC(config-wlan-security)# exit
WLC(config-wlan)# security wpa psk
WLC(config-wlan-security)# psk ascii SecurePass123!
WLC(config-wlan)# no shutdown
WLC(config-wlan)# exit
```

---

### 6. WPA2-Enterprise (802.1X) Configuration

**Components Required:**

- RADIUS Server (Cisco ISE, FreeRADIUS, Windows NPS)
- WLC configured with RADIUS server
- Clients with 802.1X supplicant

```
WPA2-ENTERPRISE AUTHENTICATION FLOW

Client (Supplicant)         WLC (Authenticator)        RADIUS Server (Auth)
         │                           │                           │
         │── Association Request ───►│                           │
         │◄─ EAP-Request/Identity ───│                           │
         │── EAP-Response/Identity ─►│                           │
         │                           │── RADIUS Access-Request ─►│
         │◄─ EAP Authentication ────►│◄─ (TLS, PEAP, etc.) ─────►│
         │                           │◄─ RADIUS Access-Accept ───│
         │◄─ EAP-Success ────────────│                           │
         │◄─ 4-Way Handshake ───────►│ (Key Exchange)            │
         │◄─ Data Traffic ──────────►│                           │
```

**RADIUS Server Configuration (WLC):**

```cisco
! Add RADIUS server
WLC(config)# radius server RADIUS1
WLC(config-radius)# address ipv4 192.168.100.10
WLC(config-radius)# key Cisco123
WLC(config-radius)# exit

! Configure WLAN for 802.1X
WLC(config)# wlan Corp-8021X 2
WLC(config-wlan)# ssid Corp-8021X
WLC(config-wlan)# security wpa
WLC(config-wlan-security)# wpa2
WLC(config-wlan-security)# wpa2 ciphers aes
WLC(config-wlan-security)# exit
WLC(config-wlan)# security 802.1X
WLC(config-wlan-security)# authentication list default
WLC(config-wlan)# security radius
WLC(config-wlan)# radius server RADIUS1
WLC(config-wlan)# no shutdown
WLC(config-wlan)# exit
```

---

### 7. WPA3 Configuration

**WPA3 Features:**

- SAE (Simultaneous Authentication of Equals) replaces PSK
- GCMP-256 encryption for stronger security
- Opportunistic Wireless Encryption (OWE) for open networks
- Protected Management Frames (PMF) mandatory

**WPA3-Personal Configuration (WLC):**

```cisco
! Configure WPA3-Personal
WLC(config)# wlan WPA3-Corp 3
WLC(config-wlan)# ssid WPA3-Corp
WLC(config-wlan)# security wpa
WLC(config-wlan-security)# wpa3
WLC(config-wlan-security)# wpa3 ciphers gcmp256
WLC(config-wlan-security)# exit
WLC(config-wlan)# security wpa psk
WLC(config-wlan-security)# psk ascii SecurePass123!
WLC(config-wlan)# no shutdown
WLC(config-wlan)# exit
```

---

### 8. Guest Wireless Configuration

**Guest Network Design:**

```
GUEST WIRELESS ARCHITECTURE

Internet
   │
   ▼
Firewall (DMZ for Guest)
   │
   ▼
Guest VLAN (Separate Subnet) 192.168.200.0/24
├── WLC (Guest WLAN)
├── Router
└── DHCP Server
   │
   ▼
Guest APs (SSID: Guest)
```

**Guest WLAN Configuration (Open + Web Auth):**

```cisco
! Create guest WLAN
WLC(config)# wlan Guest 4
WLC(config-wlan)# ssid Guest-WiFi
WLC(config-wlan)# security
WLC(config-wlan-security)# wpa
WLC(config-wlan-security-wpa)# wpa2 disable
WLC(config-wlan-security-wpa)# wpa3 disable
WLC(config-wlan-security)# exit
WLC(config-wlan)# security web-auth
WLC(config-wlan)# web-auth-server https://guestportal.example.com
WLC(config-wlan)# no shutdown
WLC(config-wlan)# exit

! Configure guest VLAN
WLC(config)# interface vlan 200
WLC(config-if)# ip address 192.168.200.1 255.255.255.0
WLC(config-if)# no shutdown
WLC(config-if)# exit

! Map guest WLAN to guest VLAN
WLC(config)# wlan Guest 4
WLC(config-wlan)# interface vlan 200
```

---

### 9. FlexConnect (Remote AP) Configuration

**FlexConnect** allows APs to operate at remote sites without a local WLC, using local switching for client traffic.

```
FLEXCONNECT ARCHITECTURE

Headquarters                               Remote Branch
WLC ◄──── WAN (CAPWAP, Control Only) ────► FlexConnect AP
 │                                         ├── Local Switching
 ▼                                         ├── Local VLAN 192.168.100.0/24
Central VLAN                               └── Clients (Local traffic)
```

**FlexConnect Configuration:**

```cisco
! Configure AP as FlexConnect
WLC(config)# ap name AP-BRANCH-01
WLC(config-ap)# ap mode flexconnect
WLC(config-ap)# flexconnect vlan 100 native
WLC(config-ap)# flexconnect vlan 100 wlan 1

! Configure FlexConnect group
WLC(config)# flexconnect group BRANCH-GROUP
WLC(config-group)# ap name AP-BRANCH-01
WLC(config-group)# exit
```

---

### 10. WLAN Verification Commands

| Command | Purpose |
|---------|---------|
| `show wlan summary` | Display all WLANs |
| `show wlan [id]` | Display detailed WLAN config |
| `show ap summary` | Display AP status |
| `show ap join statistics` | AP join history |
| `show client summary` | Display connected clients |
| `show client [mac] detail` | Detailed client info |
| `show radius summary` | RADIUS server status |
| `debug client [mac]` | Debug client association |

**Example Outputs:**

```cisco
WLC# show wlan summary
WLAN ID   SSID         Profile      Status    Security
1         Corp-WiFi    Corp-WiFi    Enabled   WPA2-PSK
2         Corp-8021X   Corp-8021X   Enabled   WPA2-802.1X
3         WPA3-Corp    WPA3-Corp    Enabled   WPA3-PSK
4         Guest-WiFi   Guest        Enabled   Open

WLC# show ap summary
AP Name   Slots   AP Model   Eth MAC             Location   Country   IP Address      State
AP-01     2       2800       aa:bb:cc:dd:ee:ff   default    US        192.168.1.102   Registered
AP-02     2       2800       aa:bb:cc:dd:ee:fe   default    US        192.168.1.103   Registered

WLC# show client summary
Client MAC          AP Name   WLAN ID   VLAN ID   IP Address      State
aa:bb:cc:dd:ee:ff   AP-01     1         10        192.168.1.50    Associated
aa:bb:cc:dd:ee:fe   AP-02     2         20        192.168.2.100   Associated
```

---

### 11. WLAN Troubleshooting

| Problem | Symptom | Solution |
|---------|---------|----------|
| **Client Can't Associate** | Client stuck at "Authenticating" | Check WLAN enabled, security settings, client compatibility |
| **Authentication Failure** | Client rejects password | Verify PSK, RADIUS server reachable, credentials |
| **No IP Address** | Client gets 169.254.x.x | Check DHCP server, VLAN configuration, DHCP relay |
| **Low Signal** | Intermittent connectivity | Site survey, AP placement, channel planning |
| **RADIUS Issues** | 802.1X authentication fails | Verify RADIUS server reachable, shared secret, certificates |

**Troubleshooting Commands:**

```cisco
! Check client association
WLC# show client [mac-address] detail

! Check client authentication logs
WLC# debug client [mac-address]

! Check AP status
WLC# show ap [name] detail

! Check RADIUS statistics
WLC# show radius statistics

! Check CAPWAP status
WLC# show capwap ap [name] status
```

---

### 12. Wireless Client Troubleshooting (Client Side)

**Windows Client Commands:**

```cmd
REM View wireless networks
netsh wlan show profiles
netsh wlan show networks

REM View current connection
netsh wlan show interfaces

REM Delete stored profile
netsh wlan delete profile name="Corp-WiFi"

REM Generate wireless report
netsh wlan show wlanreport
```

**macOS/Linux Commands:**

```bash
# View wireless interface
ifconfig
ipconfig getifaddr en0   # macOS: IPv4 address of interface en0

# Scan for networks (macOS)
airport -s

# Scan for networks (Linux)
iwlist wlan0 scan

# View connection status
iwconfig wlan0
```

---

## Complete Configuration Examples

### Lab 1: WLC Configuration with PSK

**Topology:**

```
WLC (192.168.1.100)       Switch          AP
        │                   │             │
        └───────────────────┼─────────────┘
                            │
                    Clients (Wireless)
```

**WLC Configuration:**

```cisco
! Configure management interface
interface vlan 1
 ip address 192.168.1.100 255.255.255.0
 no shutdown

! Configure default gateway
ip default-gateway 192.168.1.1

! Configure AP join credentials
ap username cisco password Cisco123

! Create WLAN
wlan Corp-WiFi 1
 ssid Corp-WiFi
 security wpa
  wpa2
  wpa2 ciphers aes
  exit
 security wpa psk
  psk ascii SecurePass123!
  exit
 no shutdown

! Apply to interface
interface vlan 10
 wlan 1
```

---

### Lab 2: WPA2-Enterprise with RADIUS

**Topology:**

```
WLC (192.168.1.100)       RADIUS Server (192.168.100.10)
        │                               │
        └───────────────┬───────────────┘
                        │
                Clients (802.1X)
```

**WLC Configuration:**

```cisco
! Configure RADIUS server
radius server ISE
 address ipv4 192.168.100.10
 key RadiusSecret123

! Configure RADIUS authentication
aaa new-model
aaa authentication dot1x default group ISE

! Create enterprise WLAN
wlan Corp-8021X 2
 ssid Corp-8021X
 security wpa
  wpa2
  wpa2 ciphers aes
  exit
 security 802.1X
  authentication list default
  exit
 security radius
  radius server ISE
  exit
 no shutdown
```

**RADIUS Server (Cisco ISE) Configuration:**

```
! Network Device (WLC)
Device Name: WLC-01
IP Address: 192.168.1.100
Shared Secret: RadiusSecret123

! Policy Set
Name: Corporate-Wireless
Conditions: WLAN = Corp-8021X

! Authentication Policy
Protocol: PEAP
Identity Store: Active Directory

! Authorization Policy
Result: Permit Access, VLAN 10
```

---

### Lab 3: Mobility Express Basic Configuration

**Initial Setup (Web GUI):**

```
1. Connect to AP console or default SSID (CiscoAirProvision)
2. Open browser to https://192.168.1.1
3. Log in (admin/Cisco123)
4. Run Setup Wizard:

   Controller Settings:
   ├── Controller IP: 192.168.1.101
   ├── Controller Netmask: 255.255.255.0
   ├── Default Gateway: 192.168.1.1
   └── Management VLAN: 1

   AP Settings:
   ├── AP Name: Primary-AP
   ├── Country Code: US
   └── Timezone: America/New_York

   WLAN Settings:
   ├── SSID: Corporate-WiFi
   ├── Security: WPA2-PSK
   ├── Passphrase: SecurePass123!
   └── VLAN: 10

5. Secondary APs automatically join (if connected)
```

---

## Exam Tips (For CCNA 200-301)

| Topic | What Cisco Tests |
|-------|------------------|
| **WLAN Security** | WPA2-PSK vs. WPA2-Enterprise, RADIUS integration |
| **WPA3** | SAE replaces PSK, GCMP-256 encryption |
| **Mobility Express** | Embedded controller on AP, 1-25 APs |
| **FlexConnect** | Remote APs with local switching |
| **CAPWAP** | Control (5246) and Data (5247) tunnels |
| **Guest Access** | Separate VLAN, web authentication, limited access |

### Common Exam Scenarios:

**Scenario 1:** "A corporate network requires central authentication with username/password for wireless access. Which security method should be used?"

- **Answer:** WPA2-Enterprise (802.1X) with RADIUS server

**Scenario 2:** "A remote branch office has 5 APs and no WLC. Which Cisco wireless solution is most appropriate?"

- **Answer:** Cisco Mobility Express (embedded controller on one AP)

**Scenario 3:** "What is the purpose of FlexConnect?"

- **Answer:** Allows APs to locally switch traffic at remote sites while maintaining central WLC control

---

## Summary (1-Minute Revision)

```
WLAN CONFIGURATION:

CONFIGURATION METHODS:
├── WLC GUI: Centralized, feature-rich
├── WLC CLI: Automation, scripting
└── Mobility Express: Small deployments (1-25 APs)

SECURITY TYPES:
├── Open: No security (guest only)
├── WPA2-Personal: PSK, AES-CCMP
├── WPA2-Enterprise: 802.1X, RADIUS, AES-CCMP
├── WPA3-Personal: SAE, GCMP-256
└── WPA3-Enterprise: 802.1X, GCMP-256

CAPWAP:
├── Control Tunnel: UDP 5246 (DTLS)
├── Data Tunnel: UDP 5247 (DTLS)
└── Discovery: DHCP Option 43, DNS, broadcast

FLEXCONNECT:
├── Remote AP operation without local WLC
├── Local switching for client traffic
└── CAPWAP for control only

VERIFICATION:
├── show wlan summary
├── show ap summary
├── show client summary
└── debug client [mac]
```

---

## Practice Questions

**1. Which security method requires a RADIUS server for authentication?**

- A) WPA2-Personal
- B) WPA2-Enterprise
- C) Open
- D) WEP

<details>
<summary>Answer</summary>
<b>B) WPA2-Enterprise</b> - Uses 802.1X/EAP with RADIUS server for per-user authentication.
</details>

**2. Which Cisco wireless solution has an embedded controller running on an AP?**

- A) WLC 9800
- B) Mobility Express
- C) Autonomous AP
- D) FlexConnect

<details>
<summary>Answer</summary>
<b>B) Mobility Express</b> - Runs controller software directly on a supported AP.
</details>

**3. What is the default CAPWAP data tunnel port?**

- A) UDP 5246
- B) UDP 5247
- C) TCP 5246
- D) TCP 5247

<details>
<summary>Answer</summary>
<b>B) UDP 5247</b> - CAPWAP data tunnel uses UDP 5247 with DTLS encryption.
</details>

**4. Which encryption protocol is used in WPA2?**

- A) TKIP
- B) AES-CCMP
- C) GCMP-256
- D) RC4

<details>
<summary>Answer</summary>
<b>B) AES-CCMP</b> - WPA2 uses AES-CCMP (Counter Mode with CBC-MAC Protocol).
</details>

**5. What does SAE (Simultaneous Authentication of Equals) replace in WPA3?**

- A) 802.1X
- B) PSK
- C) AES
- D) RADIUS

<details>
<summary>Answer</summary>
<b>B) PSK</b> - SAE replaces Pre-Shared Key with stronger password-based authentication.
</details>

**6. Which command displays connected wireless clients on a WLC?**

- A) `show clients`
- B) `show wlan clients`
- C) `show client summary`
- D) `show wireless clients`

<details>
<summary>Answer</summary>
<b>C) `show client summary`</b> - Displays all connected clients with status and IP addresses.
</details>

**7. What is the purpose of FlexConnect?**

- A) Provide guest access
- B) Enable APs to locally switch traffic at remote sites
- C) Increase wireless range
- D) Add more SSIDs

<details>
<summary>Answer</summary>
<b>B) Enable APs to locally switch traffic at remote sites</b> - FlexConnect allows remote APs to forward client traffic locally without backhauling to WLC.
</details>

**8. Which DHCP option is used for WLC discovery?**

- A) Option 43
- B) Option 53
- C) Option 66
- D) Option 150

<details>
<summary>Answer</summary>
<b>A) Option 43</b> - DHCP Option 43 provides WLC IP address to lightweight APs.
</details>

**9. Which encryption protocol is used in WPA3?**

- A) AES-CCMP
- B) TKIP
- C) GCMP-256
- D) RC4

<details>
<summary>Answer</summary>
<b>C) GCMP-256</b> - WPA3 uses Galois/Counter Mode Protocol with 256-bit encryption.
</details>

**10. What is the maximum number of APs supported in Mobility Express?**

- A) 5
- B) 25
- C) 50
- D) 100

<details>
<summary>Answer</summary>
<b>B) 25</b> - Cisco Mobility Express supports up to 25 APs and 1000 clients.
</details>

**11. Which protocol is used for 802.1X authentication?**

- A) RADIUS
- B) TACACS+
- C) LDAP
- D) Kerberos

<details>
<summary>Answer</summary>
<b>A) RADIUS</b> - RADIUS (Remote Authentication Dial-In User Service) is used for 802.1X authentication.
</details>

**12. What is the purpose of the `debug client [mac]` command?**

- A) Configure client settings
- B) Troubleshoot client association issues
- C) Block a client
- D) View client traffic

<details>
<summary>Answer</summary>
<b>B) Troubleshoot client association issues</b> - Debug client shows detailed association and authentication messages.
</details>

---

## Next Steps

After completing Video 18, you should be ready for:

- **Video 19:** Network Automation and Programmability
- **Video 20:** Network Management and Monitoring

**Lab Practice:**

1. Configure WLC with WPA2-Personal SSID
2. Configure WPA2-Enterprise with RADIUS server
3. Configure Mobility Express with web GUI
4. Verify client connectivity with `show client summary`
5. Troubleshoot client association issues with debug
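
The listings in these notes use the same string (`Cisco123`) as the AP credential and as a RADIUS shared secret, and the guest WLAN carries no WPA settings at all. The following Python check is an added example, not part of the original notes and not Cisco tooling: it reads a config written in the page's own command style and reports reused secrets, PSKs outside WPA2's 8-63 character range or below a policy minimum, and open WLANs. The sample input is constructed from sections 2, 5, 6 and 8, and the 16-character minimum and the finding names are assumptions.

```python
import re
from collections import defaultdict

# Constructed input in the page's own command style (sections 2, 5, 6 and 8).
SAMPLE_CONFIG = """\
ap username cisco password Cisco123
radius server RADIUS1
 key Cisco123
wlan Corp-WiFi 1
 ssid Corp-WiFi
 security wpa
  wpa2 ciphers aes
 security wpa psk
  psk ascii SecurePass123!
 no shutdown
wlan Guest 4
 ssid Guest-WiFi
 security web-auth
 no shutdown
"""

SECRET_LINES = {  # role -> pattern whose group 1 is the secret
    "ap-credential": re.compile(r"^ap username \S+ password (\S+)$"),
    "radius-key": re.compile(r"^key (\S+)$"),
    "wlan-psk": re.compile(r"^psk ascii (\S+)$"),
}
MIN_PSK_LEN = 16  # assumed local policy; WPA2 itself accepts 8-63 characters

def audit(config, min_psk_len=MIN_PSK_LEN):
    """Return a sorted list of (finding, subject) tuples for a config text."""
    findings = set()
    roles_by_secret = defaultdict(set)
    wlan_body = {}   # WLAN profile name -> its stripped sub-commands
    current = None   # WLAN profile whose sub-commands are being read
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):  # a top-level command starts a new section
            m = re.match(r"^wlan (\S+) \d+$", line)
            current = m.group(1) if m else None
            if current:
                wlan_body[current] = []
        elif current:
            wlan_body[current].append(line)
        for role, pattern in SECRET_LINES.items():
            if not (m := pattern.match(line)):
                continue
            secret = m.group(1)
            roles_by_secret[secret].add(role)
            if "cisco" in secret.lower():
                findings.add(("VENDOR_NAME_IN_SECRET", role))
            if role == "wlan-psk":
                wlan = current or "(no wlan)"
                if not 8 <= len(secret) <= 63:
                    findings.add(("PSK_OUTSIDE_8_63_CHARS", wlan))
                elif len(secret) < min_psk_len:
                    findings.add(("PSK_BELOW_POLICY_LENGTH", wlan))
    for roles in roles_by_secret.values():
        if len(roles) > 1:  # one secret value used in several roles
            findings.add(("SECRET_REUSED", "+".join(sorted(roles))))
    for name, body in wlan_body.items():
        if not any(cmd.startswith("security wpa") for cmd in body):
            kind = "OPEN_WITH_WEB_AUTH" if "security web-auth" in body else "OPEN_NO_AUTH"
            findings.add((kind, name))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG), sep="\n")
```

On the sample it reports five findings: the reused `Cisco123` value, the vendor name in both of its roles, the 14-character PSK, and the open guest WLAN.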