Crafted by Abhishek Kumar Chaudhary
Wireless Architecture & Working
[Why and how]
• It’s like sending data through the air instead of wires.
• In networking terms, wireless refers to the technology that allows devices to
connect and communicate without physical cables, using radio waves or other
electromagnetic signals.
Why Is Wireless Important in Networking?
1. Provides mobility to users.
2. Saves cost on cabling.
3. Scales quickly.
4. Integrates with modern enterprise tech like IoT, VoIP, and remote access.
Wireless Architecture:
1. Access Points (APs)
2. Wireless LAN Controller (WLC)
3. SSID (Service Set Identifier)
4. Client Devices
5. Authentication Server (Optional)
Now let's understand each term:
Access Points
  o Physical hardware device that broadcasts Wi-Fi signals.
  o Connects wirelessly to client devices (laptops, phones, etc.).
  o Connects physically via Ethernet to the LAN.
  o Types:
    o Autonomous (standalone) – self-managed (rare in enterprise).
    o Lightweight (controller-based) – managed by a WLC (common in enterprise).
Wireless LAN Controller (WLC)
  o The brain of the wireless network.
  o Manages all APs centrally:
    o SSIDs
    o Security (WPA2/WPA3, 802.1X)
    o Roaming
    o Firmware updates
  o Uses the CAPWAP protocol to communicate with APs.
SSID (Service Set Identifier)
o The name of the wireless network (e.g., “Corp-Wi-Fi”, “Guest Wi-Fi” etc.).
o Multiple SSIDs can be broadcast from the same AP with different VLANs or security
settings.
Client Devices
o Laptops, printers, phones, and IoT devices that connect wirelessly to APs.
Authentication Server (Optional)
o Usually a RADIUS server such as Cisco ISE or Windows NPS (ClearPass in Aruba environments).
o Used for 802.1X authentication – validating user/device identity before granting access.
o TACACS+ – Cisco proprietary (but widely supported).
*** Remember: your home router is a multi-function device that acts as a router, wireless AP,
DHCP server, modem and sometimes a switch as well. ***
Authentication Methods (Apart from 802.1X)
1- MAC Authentication (MACAuth or MAB - MAC Authentication Bypass)
2- Captive Portal Authentication
3- Pre-Shared Key (PSK – WPA2/WPA3-Personal)
4- Enhanced PSK / Private PSK (PPSK)
5- Web-Based Authentication (WBA)
6- Certificate-Based Authentication (Outside 802.1X)
7- VPN Authentication (Remote Access)
In enterprise and office environments, 802.1X authentication is the standard and most
preferred method for securing both wired and wireless network access.
Why? Because:
Feature – Reason
Strong security – Authenticates users/devices using credentials or certificates before granting access.
User identity-based – Every session is tied to a user or device identity, unlike pre-shared keys (PSK).
Access control – Can assign VLANs, policies, and roles based on identity (via the RADIUS server).
Centralized management – Works with RADIUS servers (e.g., ClearPass, ISE, FreeRADIUS) for policy enforcement.
Integration with AD/LDAP – Supports integration with corporate identity directories.
Supports network segmentation – Different users/devices can be assigned to different VLANs automatically.
Where is 802.1X used?
o Wired ports for workstations, printers, and phones (with fallback MAC auth for non-802.1X devices).
o Wi-Fi networks: for employees and trusted devices (via WPA2-Enterprise or WPA3-Enterprise).
o VPNs: 802.1X-based EAP authentication can also be extended to VPN clients.
Authentication flow of 802.1X and Integration with a RADIUS Server
➢ 802.1X is an IEEE standard for port-based network access control.
➢ It ensures that only authenticated users or devices can access the LAN or WLAN.
It defines three roles:
Role – Description
Supplicant – The device (user or client) requesting access to the network (e.g., laptop, phone).
Authenticator – The network device controlling access (e.g., switch port, wireless access point).
Authentication Server – Verifies credentials and grants or denies access (usually a RADIUS server like Cisco ISE, Aruba ClearPass, or FreeRADIUS).
Authentication Flow (Step-by-step)
1. Supplicant connects
• Device plugs into a switch port or associates with a wireless AP.
• The port is in an unauthorized state, allowing only 802.1X traffic (EAPOL).
2. EAPOL (EAP over LAN) starts
• The Supplicant sends an EAPOL-Start message to initiate authentication.
3. Authenticator requests identity
• The Authenticator (switch/AP) sends EAP-Request Identity to the supplicant.
• Supplicant responds with its identity (username, device ID, etc.).
4. Authenticator passes to RADIUS
• The Authenticator encapsulates the EAP packet in a RADIUS message and forwards it to
the Authentication Server.
5. EAP conversation continues
• The RADIUS server and Supplicant negotiate via the Authenticator using EAP methods (e.g., PEAP, EAP-TLS).
EAP Method – Use Case
EAP-TLS – Certificate-based authentication (high security).
PEAP/MSCHAPv2 – Username/password (e.g., AD credentials).
EAP-TTLS – Legacy systems, some flexibility.
6. Authentication Result
If success: RADIUS sends Access-Accept, often with attributes:
• VLAN ID
• ACL rules
• Role-based policy
If failure: Access-Reject is sent, and port remains unauthorized.
7. Access Granted
The Authenticator transitions the port or wireless session to an authorized state, allowing
normal traffic.
RADIUS Integration
RADIUS (Remote Authentication Dial-In User Service) Server Role:
• Receives the supplicant's EAP messages from the Authenticator (encapsulated in RADIUS Access-Request).
• Validates credentials against a backend database (e.g., AD, LDAP, certificates).
• Sends Access-Accept or Access-Reject with optional VLAN, ACL, QoS info.
Now let's understand an employee Wi-Fi connection (WPA2-Enterprise with 802.1X):
1. User Connects to Wi-Fi (SSID)
• SSID is configured for WPA2/WPA3-Enterprise (not WPA-Personal/PSK).
• The employee selects this SSID on their device (laptop, mobile, etc.).
2. Supplicant Initiates 802.1X (EAPOL Start)
• The device (called the Supplicant) sends an EAPOL-Start message to the Access Point
(AP).
• The supplicant begins the 802.1X authentication process.
3. Access Point Becomes Authenticator
• The AP acts as a bridge (Authenticator) in the 802.1X framework.
• It sends an EAP-Request/Identity to the client device asking for credentials.
4. Client Responds with Identity
• The employee’s device sends back EAP-Response/Identity (usually the username).
5. AP Forwards to RADIUS Server
• The AP encapsulates the EAP message into a RADIUS Access-Request.
• Sends it to the RADIUS server (like ClearPass, Cisco ISE).
6. EAP Authentication (TLS, PEAP, etc.)
• The RADIUS server and device negotiate an EAP method, such as:
o EAP-PEAP: Username/password (like Active Directory).
o EAP-TLS: Certificate-based (for higher security).
o Secure authentication happens over an encrypted tunnel.
7. Server Validates Credentials
• RADIUS server checks the credentials against:
o Active Directory (AD)
o LDAP
o Certificate store
• If valid, RADIUS sends Access-Accept.
8. Policy Enforcement (VLAN/ACL)
• Along with Access-Accept, RADIUS sends:
o Assigned VLAN
o ACLs, QoS, or User Roles
o Session timeout, bandwidth limits (optional)
Example:
“Employee Abhishek gets VLAN 10 and full internet. IoT device gets VLAN 30 with restricted
access.”
9. Access Granted
• The AP marks the session as authorized.
• The employee now has full network access based on their policy.
What Happens If It Fails?
• If credentials/certificates are invalid, RADIUS returns Access-Reject.
• The user won’t be allowed on the Wi-Fi.
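The nine-step exchange above (and the generic 802.1X flow earlier), as an added worked example that is not part of these notes: a small Python model of a supplicant, an AP acting as authenticator, and a toy RADIUS server. It frames EAPOL, EAP and RADIUS the way the real protocols do (codes and attribute numbers are the standard IANA values), computes and verifies the RADIUS Response Authenticator, and extracts the assigned VLAN from the RFC 2868 tunnel attributes that carry it in an Access-Accept. The identities, the VLAN policy table and the shared secret are constructed, and the inner PEAP/EAP-TLS tunnel is skipped.

```python
"""Constructed 802.1X walk-through: supplicant -> authenticator (AP) -> RADIUS server.
Framing follows IEEE 802.1X (EAPOL), RFC 3748 (EAP), RFC 2865 (RADIUS), RFC 2868
(tunnel attributes). The inner PEAP/EAP-TLS tunnel (Access-Challenge, code 11) is skipped."""
import hashlib
import hmac
import os
import struct

EAPOL_EAP_PACKET, EAPOL_START = 0, 1                         # EAPOL frame types
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3         # RADIUS codes
ATTR_USER_NAME, ATTR_NAS_PORT_TYPE, ATTR_TUNNEL_TYPE = 1, 61, 64
ATTR_TUNNEL_MEDIUM, ATTR_EAP_MESSAGE, ATTR_TUNNEL_GROUP = 65, 79, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802, NAS_PORT_WIRELESS = 13, 6, 19
POLICY = {"abhishek": 10, "iot-sensor-01": 30}      # constructed identity -> VLAN table
SECRET = b"constructed-shared-secret"               # AP/WLC <-> RADIUS shared secret

def build_eapol(ptype, body=b""):                   # EAPOL: version 2, type, length, body
    return struct.pack("!BBH", 2, ptype, len(body)) + body

def build_eap(code, ident, eap_type=None, data=b""):
    body = bytes([eap_type]) + data if eap_type is not None else b""
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_eap(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    body = pkt[4:length]
    return code, ident, (body[0] if body else None), body[1:]

def attr(atype, value):                             # RADIUS TLV: type, length, value
    return bytes([atype, 2 + len(value)]) + value

def tagged(value, tag=0):                           # RFC 2868: tag byte + 3-byte integer
    return bytes([tag]) + value.to_bytes(3, "big")

def build_radius(code, ident, attrs, request_auth=None, secret=None):
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    if code == ACCESS_REQUEST:
        auth = os.urandom(16)                       # random Request Authenticator
    else:  # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
        auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + auth + body

def parse_radius(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    body, attrs = pkt[20:length], {}
    while body:
        atype, alen = body[0], body[1]
        attrs.setdefault(atype, []).append(body[2:alen])
        body = body[alen:]
    return code, ident, pkt[4:20], attrs

def verify_response(reply, request_auth, secret):   # NAS must check before acting on it
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(reply[4:20], expected)

def assigned_vlan(attrs):
    """VLAN from Tunnel-Type=VLAN(13), Tunnel-Medium-Type=IEEE-802(6) and
    Tunnel-Private-Group-ID; the leading tag byte is optional (present if <= 0x1F)."""
    def untag(v):
        return v[1:] if v and v[0] <= 0x1F else v
    keys = (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM, ATTR_TUNNEL_GROUP)
    if any(k not in attrs for k in keys):
        return None
    ttype, tmed, tgrp = (untag(attrs[k][0]) for k in keys)
    if (int.from_bytes(ttype, "big"), int.from_bytes(tmed, "big")) != \
            (TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802):
        return None
    return int(tgrp.decode())

def radius_server(request, secret=SECRET):
    """Toy authentication server: verdict, plus VLAN attributes on Access-Accept."""
    _, ident, req_auth, attrs = parse_radius(request)
    user = attrs[ATTR_USER_NAME][0].decode()
    _, eap_id, _, _ = parse_eap(attrs[ATTR_EAP_MESSAGE][0])
    if user not in POLICY:
        reject = [attr(ATTR_EAP_MESSAGE, build_eap(EAP_FAILURE, eap_id))]
        return build_radius(ACCESS_REJECT, ident, reject, req_auth, secret)
    accept = [attr(ATTR_EAP_MESSAGE, build_eap(EAP_SUCCESS, eap_id)),
              attr(ATTR_TUNNEL_TYPE, tagged(TUNNEL_TYPE_VLAN)),
              attr(ATTR_TUNNEL_MEDIUM, tagged(TUNNEL_MEDIUM_802)),
              attr(ATTR_TUNNEL_GROUP, b"\x00" + str(POLICY[user]).encode())]
    return build_radius(ACCESS_ACCEPT, ident, accept, req_auth, secret)

def authenticate(identity, nas_secret=SECRET, server_secret=SECRET):
    """Run the exchange for one supplicant; returns the port state and assigned VLAN."""
    port = {"state": "unauthorized", "vlan": None}    # 1-2: port closed, EAPOL-Start only
    _, eap_id, _, _ = parse_eap(build_eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY))  # 3
    response = build_eap(EAP_RESPONSE, eap_id, EAP_TYPE_IDENTITY, identity.encode())
    eap_body = build_eapol(EAPOL_EAP_PACKET, response)[4:]   # strip the EAPOL header
    request = build_radius(ACCESS_REQUEST, 7, [       # 4-5: EAP carried inside RADIUS
        attr(ATTR_USER_NAME, identity.encode()),
        attr(ATTR_NAS_PORT_TYPE, NAS_PORT_WIRELESS.to_bytes(4, "big")),
        attr(ATTR_EAP_MESSAGE, eap_body)])
    reply = radius_server(request, server_secret)     # 6-7: server verdict
    if not verify_response(reply, request[4:20], nas_secret):
        return port                                   # forged or corrupt reply: stay closed
    code, _, _, attrs = parse_radius(reply)           # 8-9: enforce policy, open the port
    if code == ACCESS_ACCEPT:
        port["state"], port["vlan"] = "authorized", assigned_vlan(attrs)
    return port
```

Calling `authenticate("abhishek")` returns an authorized port on VLAN 10 and `authenticate("iot-sensor-01")` one on VLAN 30, matching the example policy in the notes; an unknown identity gets Access-Reject and stays unauthorized. The check worth noticing is `verify_response`: an Access-Accept that was not keyed with the NAS's shared secret is ignored and the port stays closed, which is why the secret between the AP/WLC and the RADIUS server deserves the same care as user credentials.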
Now, what are a WLC and an AP?
Wireless LAN Controller ==➔ Commander
Access Points =➔ Soldier
➢ AP – It acts like a Wi-Fi transmitter.
➢ Think of it as a Wi-Fi hotspot.
➢ It connects to a switch and bridges wireless clients to the LAN.
A Wireless LAN Controller is a centralized device that manages multiple Access Points.
An AP is always a hardware device, while a WLC can be either a hardware appliance or hosted in the cloud.
** Important **
Now, hardware-based Cisco WLCs:
Model – Description
Catalyst 9800 Series – Next-gen WLCs, modular OS (IOS-XE), supports high scale.
  ➤ 9800-40 – Mid-sized enterprises (up to 2,000 APs).
  ➤ 9800-80 – Large-scale enterprises (up to 6,000 APs).
  ➤ 9800-L – Compact, for small/mid businesses (up to 250 APs).
5520 Wireless Controller – Scalable legacy controller, now EOS/EOL.
8540 Wireless Controller – High-performance legacy WLC (EOL status).
3504 Wireless Controller (obsolete) – Entry-level, small scale (up to 150 APs); also EOL.
Now, hardware-based Aruba WLCs (the 7000 Series is popularly used in offices):
Model – Description
Aruba 7000 Series – Branch office and mid-size enterprise WLCs.
  ➤ 7010 / 7024 / 7030 – Small/medium deployments.
Aruba 7200 Series – Enterprise-grade, high-capacity controllers.
  ➤ 7210 / 7220 / 7240 / 7240XM – Used in large enterprise/core environments.
Aruba Mobility Conductor (MC-VA and MC-HW) – Centralized WLC + policy brain (MC-VA = virtual, MC-HW = hardware).
The 7000/7200 series WLCs are used on-premises.
Quick doubt: Generally, where are these WLCs placed? Inside the data center or inside the office?
1. In the Data Center (Most Common in Enterprises)
• Why?
o Centralized control of APs across offices/campuses.
o Easy to scale and manage in large networks.
o Connected to the core/distribution network.
• Use case:
o Large campuses, multiple buildings, multiple floors.
o You might have hundreds or thousands of APs.
Example: Cisco Catalyst 9800 WLC in the main data center controlling APs across all
corporate buildings.
2. Inside Office (Small Branch Sites or Edge Locations)
• Why?
o For small branch offices that are not centrally managed.
o Reduces dependency on WAN.
o Mostly applies when no SD-WAN or central WLC exists.
• Use case:
o Small sites with less than 50 APs.
o May use Cisco 9800-L, Aruba 7000 series, or even go controller-less (Instant AP)
Again, a small doubt: What are Instant APs?
➢ Developed by HP Aruba.
➢ Do not require a physical wireless controller (WLC) to operate.
➢ One of the IAPs becomes the "Virtual Controller".
➢ It manages and pushes configurations to other IAPs in the same network.
➢ If the virtual controller goes down, another IAP takes over, providing built-in redundancy.
➢ But, but, but: only applicable in small to medium offices and remote branch locations.
Cisco AP Models:
Catalyst Series (Latest Generation – Wi-Fi 6 & 6E)
Model – Key Features
Catalyst 9100 Series – Wi-Fi 6 / Wi-Fi 6E, integrated security, telemetry, IoT support
C9115, C9117, C9120 – Indoor Wi-Fi 6 APs
C9130 – High-performance, modular antenna
C9162, C9164, C9166 – Wi-Fi 6E support (6 GHz band)
C9124 – Ruggedized outdoor AP
Aironet Series (Older but Still in Use in Many Networks) – Will become obsolete in the next 5 years
Model – Key Features
Aironet 2800 / 3800 – Dual 5 GHz, MU-MIMO, modular antenna
Aironet 1800 / 1850 – Mid-tier APs, Wave 2, Wi-Fi 5
Aironet 1540, 1570 – Ruggedized for outdoor deployments
Aironet 1700 / 1600 / 2600 – Older Wi-Fi 4/Wi-Fi 5 models, now mostly EoL
Cisco Embedded Wireless Controllers (EWC) on APs
APs with a built-in wireless controller in their hardware (similar to Aruba Instant APs).
Model – Controller Support
C9115, C9120, C9130 – Can run EWC, controlling up to 100 APs; no need for a separate WLC in small/branch offices
Mesh & Outdoor APs
Model – Use Case
Cisco Catalyst 9124 – Outdoor Wi-Fi 6 mesh
Aironet 1572, 1542 – Industrial and city-wide Wi-Fi
Meraki Outdoor APs (MR76, MR86) – Cloud-managed mesh (Meraki line)
Cisco Meraki APs (Cloud-Managed)
Model – Key Features
MR36, MR44, MR46, MR56 – Indoor Wi-Fi 6 cloud APs
MR76, MR86 – Outdoor/industrial versions
HP Aruba AP Models:
Indoor Enterprise Access Points
Series – Models – Key Features
Aruba 500 Series – AP-505, AP-515, AP-535 – Entry to mid-tier Wi-Fi 6; ideal for office use
Aruba 510 Series – AP-514, AP-515 – 2x2 or 4x4 MU-MIMO; Wi-Fi 6
Aruba 530 Series – AP-534, AP-535 – High performance; dual 5 GHz
Aruba 550 Series – AP-555 – Flagship Wi-Fi 6 indoor AP
Aruba 610 Series – AP-614, AP-615 – Wi-Fi 6E capable (6 GHz support)
Outdoor & Rugged Access Points
Series – Models – Use Case
Aruba 560 Series – AP-565, AP-567 – Outdoor Wi-Fi 6 AP
Aruba 570 Series – AP-574, AP-575 – Rugged high-performance outdoor
Aruba 580 Series – AP-584, AP-585 – Industrial-grade, extreme conditions
Remote & Branch Access Points
Model – Use Case
Aruba RAP Series (e.g., RAP-3, RAP-100) – Remote APs with VPN tunneling back to campus
Aruba 303H – Wall-mounted hospitality AP (also used for branches)
Instant Access Points (IAP)
The series above (500, 510, 530, etc.) are available in IAP versions (e.g., IAP-515); you just enable "Instant mode."
Legacy Wi-Fi 5 (802.11ac) APs [Older models, still used in some legacy small offices]
Series – Models
Aruba 300 Series – AP-305, AP-315
Aruba 310 Series – AP-314, AP-315
Aruba 320 Series – AP-324, AP-325
Aruba 330 Series – AP-334, AP-335
Quick doubt: How does an AP communicate with the WLC if the WLC is placed 50 or 100 km away in a data center?
CAPWAP Tunnel over WAN
The AP uses the CAPWAP protocol (Control and Provisioning of Wireless Access Points) to
establish a secure tunnel to the WLC.
This tunnel carries both:
• Control traffic (management/configuration)
• Data traffic (actual user/client data) — unless it's in FlexConnect mode.
How is connectivity maintained over long distances?
1. IP Reachability:
o The AP must be able to reach the WLC’s IP (either via public IP or
VPN/MPLS/private WAN).
2. Firewall/Port Rules:
o Ports like UDP 5246/5247 (CAPWAP) must be open across networks.
3. Reliable Network:
o WAN should have low latency and high reliability.
→ AP boots up → Gets IP → Contacts WLC via WAN → Forms CAPWAP → Authenticates
clients locally → Management via WLC.
*** Cisco AP modes are a different and separate topic; I'll put some links you guys can read from. ***
What is CAPWAP?
CAPWAP stands for Control and Provisioning of Wireless Access Points. It's a standardized
protocol defined in RFC 5415 used to manage and control Access Points (APs) from a central
Wireless LAN Controller (WLC).
CAPWAP is an open standard, Layer 3 and UDP-based:
UDP 5246: Control tunnel (management, configuration)
UDP 5247: Data tunnel (actual user traffic, if not using FlexConnect)
Working:
Step 1: AP Boots Up
• AP powers on and gets an IP address via DHCP.
• It tries to discover a WLC using:
o DHCP option 43
o DNS (CISCO-CAPWAP-CONTROLLER)
o Broadcast (L2)
o Static configuration
Step 2: Discovery Request/Response
• AP sends CAPWAP Discovery Request.
• WLC responds with a Discovery Response.
Step 3: Join Request/Response
• AP chooses a WLC (based on priority/load).
• Sends Join Request (includes certificates if secure).
• WLC sends Join Response (verifies AP, allocates resources).
Step 4: CAPWAP Tunnel Formation
• Control Tunnel (UDP 5246): For commands like config, firmware update, RF
management.
• Data Tunnel (UDP 5247): For client traffic (only in Local mode).
Step 5: AP Configuration
• WLC pushes configuration: SSIDs, VLANs, security settings, RF parameters.
Step 6: Operational
• Clients can now associate with the AP.
• AP relays authentication requests (like 802.1X) via WLC to RADIUS.
• If in Local Mode: All traffic is tunneled to WLC.
• If in FlexConnect: Control traffic goes to WLC; data traffic is handled locally.
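The discovery and join steps above, as an added example that is not from these notes or from any vendor's code: a Python decoder for the Cisco-format DHCP option 43 controller list (Step 1), plus an encoder and parser for the CAPWAP transport and control headers of the Discovery Request an AP sends to each learned controller on UDP 5246 (Step 2). Message type and element numbers are the RFC 5415 values; the option 43 blob and the controller addresses are constructed, and the DTLS wrapping used by the Join phase is not modelled.

```python
"""Constructed CAPWAP (RFC 5415) discovery example: decode a Cisco-style DHCP
option 43 controller list, then build and parse the Discovery Request an AP
would send to each controller on UDP 5246 (DTLS wrapping is not modelled)."""
import ipaddress
import struct

CAPWAP_CONTROL_PORT, CAPWAP_DATA_PORT = 5246, 5247
MSG_DISCOVERY_REQUEST, MSG_DISCOVERY_RESPONSE = 1, 2   # control message types
MSG_JOIN_REQUEST, MSG_JOIN_RESPONSE = 3, 4
ELEM_DISCOVERY_TYPE = 20                               # message element: how WLC was learned
DISC_STATIC, DISC_DHCP, DISC_DNS, DISC_REFERRAL = 1, 2, 3, 4
WBID_IEEE_80211 = 1                                    # wireless binding identifier


def decode_cisco_option43(raw):
    """Cisco APs read option 43 as sub-option 0xf1, length 4*N, then N IPv4
    addresses (e.g. 'option 43 hex f108c0a80a05c0a80a06'). Other sub-options
    are skipped; a truncated or misaligned blob raises ValueError."""
    ips = []
    while raw:
        if len(raw) < 2:
            raise ValueError("truncated option 43")
        sub, length = raw[0], raw[1]
        value, raw = raw[2:2 + length], raw[2 + length:]
        if len(value) != length:
            raise ValueError("truncated option 43")
        if sub == 0xF1:
            if length % 4:
                raise ValueError("sub-option 0xf1 length must be a multiple of 4")
            ips += [str(ipaddress.IPv4Address(value[i:i + 4]))
                    for i in range(0, length, 4)]
    return ips


def element(etype, value):
    """CAPWAP message element: 16-bit type, 16-bit length, value."""
    return struct.pack("!HH", etype, len(value)) + value


def build_control_message(msg_type, seq, elements, wbid=WBID_IEEE_80211):
    """8-byte transport header (version 0, type 0, HLEN 2 words, RID 0, no
    flags, no fragmentation) + 8-byte control header + message elements."""
    payload = b"".join(elements)
    word0 = (2 << 19) | (wbid << 9)            # HLEN at bits 23..19, WBID at bits 13..9
    transport = struct.pack("!II", word0, 0)   # fragment id 0, frag offset 0
    control = struct.pack("!IBHB", msg_type, seq, len(payload), 0)
    return transport + control + payload


def parse_control_message(pkt):
    word0 = struct.unpack("!I", pkt[:4])[0]
    if word0 >> 24 != 0:                       # preamble must be version 0 / type 0
        raise ValueError("not a plain CAPWAP header (DTLS or unknown version)")
    hlen, wbid = (word0 >> 19) & 0x1F, (word0 >> 9) & 0x1F
    off = hlen * 4                             # skips optional radio MAC / WSI fields
    msg_type, seq, elen, _ = struct.unpack("!IBHB", pkt[off:off + 8])
    body, elems = pkt[off + 8:off + 8 + elen], {}
    while body:
        etype, length = struct.unpack("!HH", body[:4])
        elems[etype], body = body[4:4 + length], body[4 + length:]
    return {"type": msg_type, "seq": seq, "wbid": wbid, "elements": elems}


def discovery_request(seq, discovered_via):
    return build_control_message(MSG_DISCOVERY_REQUEST, seq,
                                 [element(ELEM_DISCOVERY_TYPE, bytes([discovered_via]))])


# Constructed option 43 blob: two controllers, 192.168.10.5 and 192.168.10.6
SAMPLE_OPTION_43 = bytes.fromhex("f108c0a80a05c0a80a06")


def discover(option43=SAMPLE_OPTION_43):
    """Returns the WLC IPs learned from DHCP and the parsed Discovery Request
    the AP would send to each of them (destination port CAPWAP_CONTROL_PORT)."""
    wlcs = decode_cisco_option43(option43)
    return wlcs, parse_control_message(discovery_request(0, DISC_DHCP))
```

`discover()` yields the two constructed controller addresses and a parsed request whose Discovery Type element says "DHCP", which is what a WLC would see arriving on UDP 5246. The parser rejects anything whose preamble is not version 0 / type 0, so a DTLS-wrapped Join Request (type 1) is not mistaken for a plain control message, and the option 43 decoder refuses a list whose length is not a multiple of four rather than silently producing a half-address.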
Diagram/Topology
Internet → Router → Distribution Switch → WLC
Access Switch → AP
** Remember: there is no direct cable between the WLC and the AP. **
Why?
They communicate over the LAN using the CAPWAP protocol.
Quick doubt: Why is the WLC connected to the Distribution Switch?
Understand carefully and logically:
➢ The Distribution Switch (Layer 3/Core) usually handles inter-VLAN routing, gateway
functions, and connects to the router/firewall.
➢ WLC needs to be in a central location where it can manage all APs and route wireless
client traffic efficiently across VLANs.
➢ By placing WLC here, routing between wired & wireless networks is faster and more
scalable.
➢ Distribution switches are high-capacity and support multiple VLANs, trunking, and
routing protocols.
➢ They have higher bandwidth uplinks, so connecting WLC here supports multiple APs
and heavy wireless traffic.
➢ APs from multiple floors or access switches can reach the WLC through the Distribution
switch.
➢ You avoid bottlenecks by not connecting WLC to a single Access Switch.
** You can also connect two WLCs to one distribution switch as an HA pair (High Availability & Load Balancing). **
Quick doubt: How does an AP select a WLC (if multiple WLCs are available)?
It depends on several factors:
WLC AP Capacity
• WLC with available AP capacity is preferred.
• If overloaded, it won't accept new APs.
WLC Priority (Configured)
• WLCs can be assigned a priority level (1–3): 1 = Low, 2 = Medium, 3 = High.
• AP prefers the highest priority WLC available.
WLC Response Time (Latency)
• Some vendors (e.g., Cisco) factor in latency or fastest response.
Mobility Group Matching
• If part of a mobility group, AP may prefer a WLC in the same group.
• Enables seamless roaming.
AP Group Configurations
• AP may belong to a group with preferred WLCs. [Depends on Configuration]
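The selection factors above, as an added example that is not part of these notes: a small Python ranking that takes constructed discovery results for one AP and applies the factors in order. The ordering used here (explicitly preferred controllers from AP-group configuration first, then highest priority, then same mobility group, then fastest response) and the candidate figures are assumptions for illustration; a full controller is skipped outright, as the capacity rule says.

```python
"""Constructed example of the WLC-selection rules. Candidate data is invented;
a real AP learns capacity and priority from the controllers' Discovery Responses
and from its own configured primary/secondary/tertiary controllers."""
from dataclasses import dataclass


@dataclass
class WlcCandidate:
    name: str
    priority: int         # configured priority: 1 = low, 2 = medium, 3 = high
    max_aps: int          # licensed/supported AP capacity
    joined_aps: int       # APs currently joined
    mobility_group: str
    latency_ms: float     # discovery response time observed by the AP


def select_wlc(candidates, ap_mobility_group=None, preferred=()):
    """Return the name of the WLC the AP would join, or None when every
    controller is full. Ranking (assumed order): explicitly preferred
    controllers first, then highest priority, then same mobility group,
    then fastest response."""
    usable = [c for c in candidates if c.joined_aps < c.max_aps]   # capacity rule
    if not usable:
        return None

    def rank(c):
        pref = preferred.index(c.name) if c.name in preferred else len(preferred)
        return (pref, -c.priority,
                0 if c.mobility_group == ap_mobility_group else 1,
                c.latency_ms)

    return min(usable, key=rank).name


# Constructed discovery results for one AP
CANDIDATES = [
    WlcCandidate("WLC-DC-1", 3, 2000, 2000, "CORP", 12.0),     # full: cannot accept more APs
    WlcCandidate("WLC-DC-2", 3, 2000, 1500, "CORP", 18.0),
    WlcCandidate("WLC-BRANCH", 2, 250, 40, "BRANCH", 2.0),     # fastest, but lower priority
]
```

With these candidates a CORP-group AP joins WLC-DC-2: WLC-DC-1 is full and the branch controller's lower priority outweighs its faster response. Listing WLC-BRANCH as a preferred controller overrides that, and when no usable controller exists the function returns None, which is the state an AP sits in while it retries discovery.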
Quick doubt: How is internet bandwidth enforced on an AP?
Imagine a scenario: the router has a 100 Mbps WAN link.
Even if the AP and client support high wireless speeds (say, 433 Mbps), the AP will never exceed
the router's 100 Mbps WAN bandwidth because:
1. The router controls what gets in/out of the internet.
2. If 10 clients try to download simultaneously, the router divides the 100 Mbps across
them (or enforces QoS).
3. The AP simply passes traffic; it doesn't shape or limit internet speed unless configured to.
** But enterprise-grade APs and WLCs can control bandwidth as per configuration. **
What does an AP contain inside?
➢ CPU
➢ RAM
➢ Flash Storage (NAND)
➢ Wireless Radio – (generate and receive RF signals.)
➢ Antennas – (radiating and receiving the radio signals.)
➢ Ethernet Port
➢ PoE (Power over Ethernet) port
➢ Environmental Sensors
➢ Management Microcontroller (in advanced APs)
➢ USB Port
➢ SD Card Slot (Optional)
➢ Console Port
Quick doubt: How many SSIDs can be configured on a WLC?
It depends on several factors and on usage.
WLC Model – Max SSIDs per WLC – Max SSIDs per AP (practical)
Cisco 9800 Series – Up to 4096 WLANs (SSIDs) – 16 SSIDs per AP (recommended ≤ 8)
Cisco 5508 – Up to 512 SSIDs – 16 per AP
Cisco 2504 – Up to 64 SSIDs – 16 per AP
Cisco vWLC (virtual) – Up to 512 SSIDs – 16 per AP
Cisco 3504 (obsolete) – Up to 512 – 16 per AP
➢ Each SSID is mapped to a WLAN ID
➢ Each WLAN is mapped to a VLAN (interface group) via profiles
➢ You can assign SSIDs selectively to AP Groups or FlexConnect Groups.
References:
[Link]
[Link]
[Link]
controllers/catalyst-9800-series/[Link]
[Link]
[Link]
[Link]
[Link]
[Link]
uration/b-iw9165e-scg-17-14/[Link]
[Link]