So if you follow me on the /r/homelab subreddit you might have seen my post about my network diagram, and if you saw that there is a good chance you saw that I was rocking a single Cisco 1131 AP which I got many complaints about (with good reason). What I did not show is the extra Cisco 1231 which I had just finished configuring and was ready to install in my shed to get much needed WIFI to our garden, which not only lacked WIFI but also 3G/4G, making it impossible to browse reddit in the great outdoors, and we can't have that.
Both the 1131 and 1231 were autonomous APs so I had to configure the same SSID on both and just pray that the client would pick the best AP. But recently I have been doing tons of file transfers and was looking at getting an 802.11N or 802.11AC system to replace the 802.11G gear and decided that one AP would not work and I needed multiple APs (at least 3 maybe 4) to get fast speeds both indoors and outdoors.
So I spent months looking at different vendors, which I will list below for your delight:
- Netgear (don't ask)
- And Sophos, mainly because with that I wouldn't need a controller, as I run a Sophos XG box which is the controller
Now I have my reasoning behind why I picked Cisco, and it boils down to a proper enterprise controller (not some Windows software like Ubiquiti) and tons of features, most of which I will never need. And I liked my existing Cisco setup, and thanks to eBay Cisco came out on top, not in performance but in price to performance, which is more important for me.
Time to buy and setup
So I decided to go with Cisco again, but I wanted to ditch the autonomous APs as it turns out more than 2 APs will drive you insane in that config.
I originally planned to get a Cisco 2106 or 4402, but as loads of people told me, it cannot do AireOS 8.0 and higher, which is a big deal as you miss out on 802.11ac support, the awesome new dashboard and more importantly 802.11r roaming, which according to everyone on the web is amazing.
So the next choice was of course the Cisco 2504, but... it's more expensive than my new Skylake i5 desktop which I built for video editing so... kind of not an option. So at this point the whole WIFI project went dark and I was on the edge of not going Cisco and instead LigoWave after trying the controller software out in a VM.
But then someone on reddit pointed out that since AireOS 8.1 the Cisco vWLC does not require license keys and is done on the honor system, like the Cisco 2821 IOS images being the only thing between having CallManager or not.
But the ISO image was near impossible to find and I did not run ESXi.
Then a few months later something strange happened with Cisco's software site. Many things went from requiring service contracts to just requiring a login, from phone firmware like the 7971 to the Cisco vWLC ISO images.
Umm... that is not a supported config
So I downloaded the ISO for Cisco vWLC 8.2.130 as it appears to be a stable release and Cisco still recommends 8.0 so 8.2 is like rocket science in comparison. Mounted that sucker in my XenServer in a new VM and installed, which worked great actually. It just won't boot without 2 interfaces (int 1 is management, int 2 being service and any extra being for ports or, in the case of XenServer, extra VLANs on their own ports as it can't do tagged VLANs).
Install was a breeze once I created the network interfaces. Just run through the config guide: setting management IP and service IP, making a mobility group and setting up NTP, and we were basically done.
To log in all you have to do is point your browser to https://(management IP) which for me is https://10.0.5.254. Accept the SSL certificate error and then log in with the credentials created during the install and then you get this fancy dashboard.
This dashboard is really cool and you can click around for ages finding tons of information. I can even see what brand of device is connected. The only issue with that is one iPhone which comes up as unknown, and a Windows Phone shows up as WindowsWorkstation, as do Windows10 laptops instead of Windows10Workstation, which is odd.
For now we are not interested in this though, as on a clean install it will be mostly blank anyway. Click advanced at the top to get the usual Cisco WLC configuration page.
At this stage I went into the management tab and software activation and activated 20 APs. Note that if this was a business I would be buying licenses but for a homelab I don't see a reason to pay for it. If you really want to, it's £450 for 5 APs or £97 for just one AP, which for lab use is crazy, and although I am not sure on the legality of adding licenses without paying I don't see any issue with it for lab use as it's not a business.
So once the controller is up and running you need some access points to associate with it.
Adam's guide to used Cisco Access points
Now there are plenty of APs to pick from, but we need to be using a version of the Cisco vWLC that is 8.1 or newer due to the much more relaxed licensing, which allows us to have an infinite evaluation. That might have some legal issues but for home use you should be fine.
8.1 and up removed support for a bunch of APs, basically all the ones that were 802.11G only, so 1130, 1240 and even the 802.11n 1250, so avoid them however cheap they might be.
If you are going for 802.11n then you have 2 viable choices: Cisco 1142 or Cisco 3502, the latter having Cisco CleanAir which will be better suited to a more built up area. I live in the middle of nowhere and the only other AP nearby is our neighbor's ISP provided router so I opted for the much cheaper Cisco 1142.
1142s can be had for £30 on eBay all year long and they're a decent AP, still being able to do 300Mbps, which is fine if you don't have an internet connection faster than 100Mbps down (remember wifi is half-duplex so 300Mbps is more like 150Mbps).
The 3502s are much better thanks to being fully supported in 8.1 and up (1142s are on a feature freeze, whatever that means) but they cost considerably more, £50+ usually, and are much harder to come across. But the CleanAir technology is awesome if you have a ton of neighbors all with crappy TP-Link routers or just a ton of people with wireless security cameras which use the 2.4GHz band for analogue video (bit rude if you ask me): it will magically fix itself instead of slowing down to a crawl like the 1142s would if something started hammering the channel it's on.
If you want 802.11ac then you've got options. The easiest to get hold of is a Cisco 3602 which is about £80-100 with an 802.11ac module which is like £150. Not cheap like Ubiquiti but you pay more for Cisco and I prefer it over Ubiquiti personally. There are also the 1702, 2702 and 3702s which are current generation so hard to find used, but the 1702 can be had for a decent price. Some have even sold for less than £100; they don't come up often, but when they do they go for a max of £150, which is cheaper than the 3602 setup. Brand new they're about £325 but I'm not paying that.
I personally am not bothering with 802.11ac as my internet connection is slower than 3G speeds and my laptop is not 802.11ac and that is the only device which could do with more bandwidth for file copies to my server.
As for the model of AP, you need lightweight APs; these have a model number that starts with AIR-LAP or AIR-CAP. Be careful as some eBay sellers will flash these with the autonomous firmware, and finding the lightweight firmware is a real challenge I have found.
The non-lightweight APs (model AIR-AP or AIR-SAP) can be converted to lightweight if you can source the firmware and are happy to go through the process of re-flashing it. However I have found that the standalone APs are actually harder to get, so unless you find an amazing deal on a standalone one I would just search something like Cisco (cap,lap) and browse the whole range of APs that are most likely running the right firmware already.
Installing your AP of choice
So before you buy an AP you should check what it comes with. A typical 1142/3502 AP should come with just 2 things:
- The AP
- The mounting bracket
Most eBay listings do not include the mounting bracket (who removes these AP's and then throws out that vital part). The brackets can be found on eBay for about £13 (model AIR-AP-BRACKET
Once you have both you need to decide locations for your APs. I have decided on the following locations:
- ground floor bottom of stairs
- loft right in the center (my room)
- and one in the shed
Our house is a weird slice shape so putting 2 APs basically one on top of another, one at top of house and one at bottom, seems to get good coverage. The AP in the shed is for outdoors as the signal is too weak outside and drops off once you go out the door, which needs to work as we have no mobile signal at our place so can't enjoy the awesome summer we are having this year with reddit or YouTube outside.
To install the APs you will need to run ethernet to the locations you decided on. Mount the bracket on the ceiling with the cable routing through the top of the bracket (part with the metal tab protruding out). Then plug the ethernet into the AP and slide the 4 mounting posts on the AP onto the bracket.
The APs should be plugged into either a POE switch like my HP 2520G-8-POE or a POE injector which can do 802.3af.
The APs should have the default VLAN in the same range as the management interface of the vWLC, and you need to create a DNS entry on your DNS server or router for these domains, CISCO-CAPWAP-CONTROLLER.local-domain and CISCO-LWAPP-CONTROLLER.local-domain, that point to the IP of your vWLC. This is the easiest and can be done quickly in Windows Server, Sophos or pfSense. If you can't do custom DNS then you can set DHCP option 43 but this is more hassle in my opinion.
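For the DHCP option 43 route, Cisco lightweight APs expect a type-length-value payload: type 0xf1, a length of four bytes per controller, then the controller IPs in hex. The script below is an added example, not part of the original post; it builds that payload for the 10.0.5.254 management IP used here and checks a configured value against the controllers you expect, since whatever this option (or the DNS entry) points at is the controller your APs will try to join. Function names and the second IP are made up for illustration.

```python
import ipaddress

CISCO_AP_SUBOPTION = 0xF1  # sub-option type Cisco lightweight APs look for

def encode_option43(controllers):
    """Build the option 43 payload for a list of WLC management IPs."""
    if not controllers:
        raise ValueError("at least one controller IP is required")
    packed = b"".join(ipaddress.IPv4Address(ip).packed for ip in controllers)
    if len(packed) > 255:
        raise ValueError("too many controllers for a one-byte length field")
    return bytes([CISCO_AP_SUBOPTION, len(packed)]) + packed

def decode_option43(payload):
    """Return the controller IPs carried in an option 43 payload."""
    if len(payload) < 2:
        raise ValueError("payload is missing the type or length byte")
    sub_type, length, value = payload[0], payload[1], payload[2:]
    if sub_type != CISCO_AP_SUBOPTION:
        raise ValueError("unexpected sub-option type 0x%02x" % sub_type)
    if length == 0 or length % 4 or length != len(value):
        raise ValueError("length byte does not match a whole number of IPv4 addresses")
    return [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, length, 4)]

def unexpected_controllers(payload, allowed):
    """List advertised controllers that are not in the allowed set."""
    allowed = set(allowed)
    return [ip for ip in decode_option43(payload) if ip not in allowed]

if __name__ == "__main__":
    # Management IP from this post; the hex string goes in the DHCP server's option 43 field.
    print(encode_option43(["10.0.5.254"]).hex())
    # Constructed value with a second, unapproved controller appended.
    seen = bytes.fromhex("f1080a0005fe0a0005fd")
    print(unexpected_controllers(seen, ["10.0.5.254"]))
```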
Once the AP is powered, and if it can find the WLC either through DNS or DHCP, it will automatically join it, download the firmware for that controller and then download a config. At this point you can go to the vWLC and find the new AP under the wireless tab.
As you can see the new AP is now being shown, but you will need to give it a name like I have above. To do that click on the AP and you will get the following page.
On this page you can give the AP a name and location. I also recommend you switch to FlexConnect mode as vWLC cannot do local mode, and with FlexConnect the AP will stay up even if the WLC goes down. It also does all the VLAN switching at the AP, which on the downside means you have to configure the interfaces on the switch to have all the VLANs you want to use for the SSIDs, but on the plus side you don't have a bottleneck of all wireless traffic going through a tunnel to the WLC.
Once I set the AP to FlexConnect the SSID I configured was being broadcast, and with some changes to the SSID under the WLAN tab so it was using a PSK vs 802.1x I was able to connect and was browsing the internet.
Give me more APs
So all of the above was created during the testing stage of this WIFI install. I had my 1130 and 1230 ready to put back if I did not like the WLC setup but I fell in love with it. Simple things like being able to see the hostname of connected devices were enough to sell me over the old 1130, and being able to manage and monitor all my APs in one place was awesome. They even have an Android app which I can use for testing and monitoring the system.
But I only had the one 1142 AP so I ordered 2 more so I could get full coverage. The second AP I chose to install in the loft. It is directly above the first AP (bottomStairAP) but with the 1st floor sandwiched in between I was not getting full speed in the loft, which we can't have, so up goes another 1142.
This AP was also the first AP to be mounted the right way up. Cisco say that wall mounting can be done but is not recommended due to signal issues. Also mounted this AP with the AP-BRACKET-1 instead of the AP-BRACKET-2. My one word review of that bracket: rubbish. Get the AP-BRACKET-2 where possible.
I also installed a 3rd 1142 in our shed to get WIFI out in the garden so I can browse reddit in the lovely British weather (so never). I would have a picture but it's in a very awkward location so I could not get a good photo of it.
Reinstalling the 1130?
So shortly after deploying the new WIFI I discovered an issue. I do a bit of work with retail gear, mainly Symbol PDAs, and the newer Android models work fine and the Windows Mobile 6+ devices were also fine as they can do AES, but the older Windows Pocket PC 2003 devices refused to connect. They can only do TKIP and if AES is enabled they refuse to connect full stop.
The WLC is configured to not allow just TKIP for security reasons. TKIP is not as bad as WEP and most routers still have TKIP enabled alongside AES but these PDAs cannot work alongside AES on the same SSID.
Easy fix: installed the old 1130 again right next to the loftAP (not ideal but working fine).
This was then configured with one SSID with TKIP and the PDAs started working once again, which is great as I need them to run both mine and my brother's business (yes we need to upgrade soon).
TKIP's main vulnerability can be averted by setting a fast key rotation. Unfortunately this crashes the Symbol PDAs. Should be fine as we live in the middle of nowhere but this is not a recommended config at all.
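With a TKIP SSID sitting next to the AES ones, it is worth checking what each SSID actually advertises so the legacy cipher stays confined to the one network that needs it. The following is an added example, not part of the original post: it parses the cipher suite fields of an RSN element (or, with the WPA OUI, the older WPA vendor element after its 4-byte header) and classifies the SSID as CCMP-only, mixed or legacy-only. The sample payloads are constructed, and elements that omit the optional fields are rejected rather than defaulted.

```python
import struct

RSN_OUI = bytes.fromhex("000fac")  # suite selectors inside the RSN element (ID 48)
WPA_OUI = bytes.fromhex("0050f2")  # suite selectors inside the WPA vendor element
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
LEGACY = {"WEP-40", "TKIP", "WEP-104"}

def _suite(selector, oui):
    """Name a 4-byte suite selector (3-byte OUI + 1-byte type)."""
    if selector[:3] != oui:
        return "vendor:" + selector.hex()
    return CIPHERS.get(selector[3], "unknown:%d" % selector[3])

def parse_ciphers(body, oui=RSN_OUI):
    """body starts at the 2-byte version field of the element payload."""
    if len(body) < 8:
        raise ValueError("element truncated before pairwise suite count")
    (version,) = struct.unpack_from("<H", body, 0)
    if version != 1:
        raise ValueError("unsupported version %d" % version)
    (count,) = struct.unpack_from("<H", body, 6)
    end = 8 + 4 * count
    if count == 0 or end > len(body):
        raise ValueError("pairwise suite list is empty or truncated")
    return {"group": _suite(body[2:6], oui),
            "pairwise": [_suite(body[i:i + 4], oui) for i in range(8, end, 4)]}

def classify(ciphers):
    """Summarise what an SSID advertises from its parsed cipher suites."""
    pairwise = set(ciphers["pairwise"])
    suites = pairwise | {ciphers["group"]}
    if pairwise <= LEGACY:
        return "legacy-only"   # e.g. the TKIP SSID kept for the old PDAs
    if suites & LEGACY:
        return "mixed"         # TKIP enabled alongside AES
    return "ccmp-only" if suites == {"CCMP"} else "other"

# Constructed payloads: version, group suite, pairwise count + list, AKM count + list
CCMP_ONLY = bytes.fromhex("0100" "000fac04" "0100" "000fac04" "0100" "000fac02" "0000")
MIXED = bytes.fromhex("0100" "000fac02" "0200" "000fac04" "000fac02" "0100" "000fac02")
WPA_TKIP = bytes.fromhex("0100" "0050f202" "0100" "0050f202" "0100" "0050f202")

if __name__ == "__main__":
    print(classify(parse_ciphers(CCMP_ONLY)))
    print(classify(parse_ciphers(MIXED)))
    print(classify(parse_ciphers(WPA_TKIP, WPA_OUI)))
```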
The install on those 2 APs is quite ugly compared to the others but the roof is full of insulation so the APs had to be mounted to the wooden beam and I could not run wires through the roof to them, which sucks.
So since installing all these new access points I have not only had much better signal all around but I can finally take advantage of the 802.11N radio in my laptop to get faster transfers to my file server, and boy is it faster. Not as good as wire speed but as good as WIFI can get with my old ThinkPad T430.
A Ubiquiti system would have been easier/quicker in the long run but where's the fun in that? It's mostly plug and play and super boring. The Cisco gear is not only fun to learn but also has a ton of awesome features (and the Ubiquiti controller is a mess, don't like it one bit). Homelabbing should be a challenge at times as you're not learning if you just buy a bunch of stuff, plug it in and run through a step by step wizard.
What do you think of my DIY Cisco WIFI system? I know it's not amazing but it was relatively cheap and a ton of fun to learn.