BYOD: Part 1 – MSM Configuration

Reading Time: 5 minutes

This is the first post, of a series of posts, explaining how I set up my BYOD environment at home, to get my guest onto the internet. The environment consists of IMC (Intelligent Management Center) with UAM (User Access Manager) Module and MSM (in the past) and Unified WLAN (which replaced the MSM controller some days ago) infrastructure. This first post will describe, all the steps, necessary to prepare the MSM controller to work with IMC. We will do the following:

  • configure two VLAN’s
  • configure one SSID
  • configure the IMC UAM Server as the Radius Server

Now we start to do the cool stuff…

I will not describe how to configure the switching infrastructure and you need to be able to do the initial configuration of the controller on your own. You need to have a working controller or a team of controllers with AP’s connected. I use version 6.2.0 for my environment, but all other MSM versions down to 5.5 should work. 

MSM Version
MSM Version

If you have the mobility premium license, you should enable Mobility Traffic Manager by going to Management –> Device Discovery and enable the Mobility controller discovery. If this is your only controller check the “This is the primary mobility controller” checkbox. 

MSM Mobility Controller Discovery
MSM Mobility Controller Discovery

This step is optional, but this will enable you, to bridge traffic through the controller, which is my preferred way for redirecting the client to the BYOD Portal. Now we will create two VLAN’s which will help us to get the client online. I called them “BYOD_registration” and “BYOD_Guest”. The “BYOD_registration” VLAN will be used to transfer the clients to the IMC BYOD portal and restrict traffic to every other direction then the portal. The “BYOD_Guest” VLAN is actually the VLAN which will carry the client traffic after the client is fully connected and should have access to the internet.  Just go to Network –> Network profiles and create both VLAN’s. 

MSM Add Network Profile
MSM Add Network Profile

 It should looking like this:

MSM Network Profiles
MSM Network Profiles

 If you don’t have the premium license or won’t let the controller tunnel one of the VLAN’s you can skip the next step. For all the others: Go to Network –>VLANs and select the VLAN which should be forwarded to the controller and select a port. In this case I use the “BYOD_registration” VLAN and put it on the internet port. I always put egress VLAN’s on the internet port. This option will create a tagged VLAN on the internet port. So be sure, that the Infrastructure could handle this. 

MSM VLAN Mapping
MSM VLAN Mapping

For my setup, I tagged both ports to the internet port, which means that all the data needs to go through the controller. It is also possible to have the “BYOD_Guest” VLAN handled locally by the AP, which is very useful when having branch offices with their own internet breakout. 

MSM VLANS
MSM VLANS

If you want to have one of the VLAN’s switched locally by the AP, there is one more step to do. You have to go to the AP or the AP group and select Configuration–>Local networks and put the VLAN, which should be switched locally on the Local networks side. This option is only considered for VSC’s which have MTM enabled. 

MSM Local Networks
MSM Local Networks

After setting up the scene, we need to create an SSID to provide the Service to our clients. So, create a new VSC and configured it as below: Setup a name for the VSC, this is not the name of the SSID, but it would make sense to keep them the same. The important stuff is the checkmarks for “Authentication” and “Access control”. Remove the check mark for “Access control”. Remove the checkmark for “Authentication” only, if every AP should send its own radius request to the IMC server! This could be useful if the controller fails and you still want to authenticate users, but you need to have all AP’s in the Access Device list of UAM. 

MSM VSC Global
MSM VSC Global

VSC ingress mapping is a simple one, leave it as it is.

MSM VSC Ingress Mapping
MSM VSC Ingress Mapping

In the Virtual AP box, you can specify the SSID name. In all my configurations, it is the same as the VSC name. Below are my preferred settings for “Broadcast name” and “Band steering”. You can use your preferred settings here. It will not have any impact on the BYOD solution, but it will have impact on your RF environment.

MSM VSC Virtual AP
MSM VSC Virtual AP

You have to enable Wireless mobility, if you need traffic, going through the controller. This will enable the local networks settings, we set earlier.

MSM VSC Wireless Mobility
MSM VSC Wireless Mobility

As the SSID is not protected by WPA 2, in my case, this option makes no sense and remain off. I also disabled the Wireless security filters, for my Home Network. For a production environment it could make sense to use them.

MSM VSC Fast Wireless Roaming
MSM VSC Fast Wireless Roaming

In my case, the SSID is not protected with WPA or any 802.1x authentication. If you need, you can enable the WPA 2 preshared key protection. Be aware, all your guests need to know the key.

MSM VSC Wireless Protection
MSM VSC Wireless Protection

For BYOD to work, I have to enable MAC-based authentication. This has to be a remote authentication with IMC UAM as the radius server. There is no way to use a different radius server.

MSM VSC MAC Based Authentication
MSM VSC MAC Based Authentication

The wireless IP filter will not make any sense, as this will not allow traffic to the internet. Now save the new VSC.

MSM VSC Wireless IP Filter
MSM VSC Wireless IP Filter

The last step is to bind the VSC to the desired AP group. Don’t use any Egress Network. The radius server will send a VLAN ID.

MSM VSC Bindings
MSM VSC Bindings

These were my BYOD settings for the MSM controller in my Home Lab. This should also work in bigger environments. In future posts, I will describe how to configure the IMC UAM part. If you find anything which is not working, contact me or leave me a comment. I will try to include this into my post. 

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.