Over the past few weeks I’ve received a few tweets asking if anyone has set up Cisco’s OfficeExtend solution and what some of the gotchas were that you ran into. After this last round I decided I might as well blog about it, so here goes!
What is it?
The Cisco OfficeExtend solution does what its name implies: it “extends” your wireless network to a remote location such as a home office. For a few years now we have had H-REAP mode APs that let us run LWAPP/CAPWAP APs across a higher-latency WAN link to a small remote office; now we have the ability to bring the same thing home as well.
What do I need?
Hopefully if you are reading this you have some experience with enterprise-class wireless networks, so I won’t go over every little detail. Basically OfficeExtend requires an internal Cisco 5508 Wireless LAN Controller. Per best practices and proper security a second 5508 is required as well. This second WLC is placed in your DMZ with a NAT (public) address assigned to it, and UDP 5246 (CAPWAP control) and UDP 5247 (CAPWAP data) are opened to it from the big bad Internet; nothing else, and in particular no SSH or HTTPS management, should be reachable on that public address. If you work with Cisco WLCs you’ll notice that this sounds awfully familiar, say from a guest anchor deployment? (Makes that anchor controller seem a little better now, doesn’t it!) Instead of anchoring a WLAN from the internal WLC to the DMZ we do the reverse: the internal WLC is set as the anchor for the DMZ WLC. The end user then needs a Cisco 1131 or 1142 CAPWAP AP, and the controllers must be on 6.0 code or newer.
What does it do for me?
Here comes the best part: you prep the AP with the public address of the DMZ WLC as its controller, then bring the AP home, to a hotel, or wherever. Once the AP comes online, there are your corporate networks with all of their security settings intact, and no VPN client is needed, because the AP’s CAPWAP tunnel back to the DMZ controller is DTLS encrypted (OfficeExtend APs have DTLS data encryption enabled, so client traffic is protected across the Internet, not just the control channel). Each of the WLANs that you configure on the DMZ WLC with the internal WLC as its anchor is available for you to use. For example, at my work we push down our internal Data, Voice, and Guest networks to employees’ homes. When I leave my office with my Cisco 7925 wireless phone in my bag, the minute I pull into the garage it connects back up and I can make and receive calls.
As with everything, there are some caveats when setting this up. If you look at the diagram you can see the list of ports that need to be opened between the firewalls. One thing you might notice right away is that I have to open UDP 1812/1813, the ports commonly used for RADIUS, from the DMZ into my internal network. Why is that, you ask? Unlike the guest anchor solution, where the user is authenticated on the anchor WLC, with OfficeExtend you are authenticated before you hit the anchor controller: 802.1X/EAP terminates on the DMZ (foreign) WLC that the AP is joined to. So any authentication method that uses an EAP type requires you to grant the DMZ WLC, and only the DMZ WLC, access to your ACS or RADIUS server. Since that controller is the one facing the Internet, it is also worth enabling AP authorization on it so that only the OfficeExtend APs you have listed are allowed to join. Secondly, if you have worked with Cisco WLCs you know that to do this the AP needs to be in H-REAP mode and then have the OfficeExtend box checked. Putting an AP into H-REAP mode is easy; the hard part is getting it to join on the public IP address. Make sure the DMZ WLC knows its own public address (the NAT address on the management interface, `config interface nat-address management enable <public-ip>` on AireOS), otherwise the controller hands the AP its private DMZ address in the CAPWAP discovery response and the join never completes. A process that works for me is converting it to H-REAP mode, then allowing it to come back up after downloading the new code. Once the AP returns I check the box for OfficeExtend. After this is done I change the primary controller name to my DMZ WLC and set the IP to the public IP. Here’s the tricky part: luckily I have a DSL line at work which I can hook the AP up to and test the connection back to the DMZ network via the public IP.
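Because the whole point of the firewall list above is that the Internet-facing controller gets exactly the CAPWAP ports and the RADIUS server gets exactly the DMZ WLC, it is worth checking a firewall policy against that requirement mechanically. The script below is an added example, not code from the original post or from Cisco: it reads a constructed, simplified rule format (`permit <proto> <src/len> <dst/len> [port|lo-hi]`) rather than any real firewall syntax, uses assumed documentation-range addresses for the home AP, the DMZ WLC, the internal anchor WLC and the RADIUS server, and adds to the post’s ports the mobility tunnel between the two controllers (UDP 16666 for mobility control and IP protocol 97, EoIP, for mobility data), which the anchor relationship requires. It reports required flows the policy is missing and rules that open more than the solution needs.

```python
"""
Least-privilege check for the firewall openings an OfficeExtend deployment needs.
Added example: the rule format, addresses and sample policy are constructed for
illustration (RFC 5737 documentation ranges and RFC 1918 space); nothing here is
taken from the post or from any Cisco product.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Assumed addresses for the example topology.
HOME_AP = "198.51.100.7"       # an OfficeExtend AP somewhere on the Internet
WLC_PUBLIC = "203.0.113.10"    # NAT (public) address of the DMZ WLC
WLC_DMZ = "192.168.100.10"     # real DMZ address of that WLC
WLC_INTERNAL = "10.10.10.10"   # internal WLC acting as the mobility anchor
RADIUS = "10.10.20.5"          # ACS / RADIUS server on the inside

# Flows the solution needs: CAPWAP from the Internet to the DMZ WLC, RADIUS from the
# DMZ WLC to the inside, and the mobility tunnel between the two controllers
# (Cisco mobility uses UDP 16666 for control and IP protocol 97, EoIP, for data).
REQUIRED_FLOWS = [
    ("udp", HOME_AP, WLC_PUBLIC, 5246),      # CAPWAP control (DTLS)
    ("udp", HOME_AP, WLC_PUBLIC, 5247),      # CAPWAP data
    ("udp", WLC_DMZ, RADIUS, 1812),          # RADIUS authentication (EAP ends on the DMZ WLC)
    ("udp", WLC_DMZ, RADIUS, 1813),          # RADIUS accounting
    ("udp", WLC_DMZ, WLC_INTERNAL, 16666),   # mobility control, both directions
    ("udp", WLC_INTERNAL, WLC_DMZ, 16666),
    ("97", WLC_DMZ, WLC_INTERNAL, None),     # EoIP mobility data, both directions
    ("97", WLC_INTERNAL, WLC_DMZ, None),
]

INTERNET = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    proto: str                        # "udp", "tcp", "ip" or an IP protocol number as text
    src: IPv4Network
    dst: IPv4Network
    ports: Optional[Tuple[int, int]]  # inclusive destination port range, None = any


def parse_rule(line: str) -> Rule:
    """Parse one line of the constructed format: permit <proto> <src/len> <dst/len> [port|lo-hi]."""
    parts = line.split()
    if len(parts) not in (4, 5) or parts[0] != "permit":
        raise ValueError(f"unsupported rule: {line!r}")
    ports = None
    if len(parts) == 5:
        lo, _, hi = parts[4].partition("-")
        ports = (int(lo), int(hi or lo))
    return Rule(parts[1].lower(), ip_network(parts[2], strict=False),
                ip_network(parts[3], strict=False), ports)


def parse_policy(text: str) -> List[Rule]:
    """Parse a whole policy, skipping blank lines and '#' comments."""
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def flow_allowed(rules: List[Rule], proto: str, src: str, dst: str,
                 port: Optional[int] = None) -> bool:
    """True if any rule permits this (proto, src, dst, port) tuple."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if r.proto not in (proto, "ip") or s not in r.src or d not in r.dst:
            continue
        if r.ports is None or port is None or r.ports[0] <= port <= r.ports[1]:
            return True
    return False


def missing_flows(rules: List[Rule]) -> list:
    """Required flows the policy does not permit (the deployment will not work)."""
    return [f for f in REQUIRED_FLOWS if not flow_allowed(rules, *f)]


def overexposed(rules: List[Rule]) -> List[Tuple[str, Rule]]:
    """Rules that open more than the solution needs."""
    findings = []
    for r in rules:
        # From anywhere on the Internet to the WLC's public address only UDP 5246-5247 is
        # justified; management (SSH/HTTPS) on an Internet-facing controller must stay closed.
        if r.src == INTERNET and ip_address(WLC_PUBLIC) in r.dst:
            if r.proto != "udp" or r.ports is None or r.ports[0] < 5246 or r.ports[1] > 5247:
                findings.append(("internet-to-wlc", r))
        # RADIUS should be reachable from the DMZ WLC host only, not from the whole DMZ.
        if ip_address(RADIUS) in r.dst and r.src != ip_network(WLC_DMZ + "/32"):
            findings.append(("radius-source-too-broad", r))
    return findings


# Constructed sample policy: one needless opening (HTTPS to the public WLC address)
# and one missing opening (EoIP back from the internal WLC to the DMZ WLC).
SAMPLE_POLICY = """
# Internet -> DMZ
permit udp 0.0.0.0/0 203.0.113.10/32 5246-5247
permit tcp 0.0.0.0/0 203.0.113.10/32 443
# DMZ -> inside
permit udp 192.168.100.10/32 10.10.20.5/32 1812-1813
permit udp 192.168.100.10/32 10.10.10.10/32 16666
permit 97 192.168.100.10/32 10.10.10.10/32
# inside -> DMZ
permit udp 10.10.10.10/32 192.168.100.10/32 16666
"""

if __name__ == "__main__":
    rules = parse_policy(SAMPLE_POLICY)
    for flow in missing_flows(rules):
        print("MISSING :", flow)
    for why, rule in overexposed(rules):
        print("TOO OPEN:", why, rule)
```

Run against the sample policy it reports the missing EoIP rule from the internal WLC to the DMZ WLC and flags the TCP 443 opening to the public address. To use it for real, translate your firewall’s rules into the simple format above and replace the assumed addresses with your own; the point is that every rule touching the public WLC address or the RADIUS server is justified by one of the listed flows and nothing more.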
So there you have it, Cisco OfficeExtend in a nutshell. Ever since deploying the solution I have not had a need to use VPN at home; what’s even better is the fact that whenever IT pushes out a Kaspersky update that makes VPN no longer work, I still have remote access!