Backup with redundant WLAN controllers

Backing up a LANCOM WLAN controller with a second WLAN controller is worthwhile when the aim is to maintain full control over all managed access points at all times. The backup controller is configured so that it uses SCEP to obtain the necessary certificates from the primary WLAN controller that it backs up.







  1. Switch off the CA on the backup controller.
  2. In the configuration of the SCEP client on the backup controller, create a new entry in the CA table (in LANconfig under Certificates > SCEP client > CA table). The CA of the primary WLAN controller is entered here:
  3. Enter the URL as the IP address or the DNS name of the primary WLAN controller followed by the path to the CA, /cgi-bin/pkiclient.exe. For example: 10.1.1.99/cgi-bin/pkiclient.exe
    • Distinguished name: Standard name of the CA (/CN=LANCOM CA/O=LANCOM SYSTEMS/C=DE) or the name given on the primary controller
    • Switch on RA auto approve
    • Usage type: WLAN controller
  4. Then create a new entry in the certificate table with the following information:
    • CA distinguished name: The standard name under which the CA is entered, e.g. /CN=LANCOM CA/O=LANCOM SYSTEMS/C=DE
    • Subject: Specification of the primary WLAN controller's MAC address in the form: /CN=00:a0:57:01:23:45/O=LANCOM SYSTEMS/C=DE
    • Challenge password: The general challenge password of the CA on the primary WLAN controller, or a password specified manually for the controller.
    • Extended key usage: critical,serverAuth,1.3.6.1.5.5.7.3.18
    • Key length: 2048 bits
    • Usage type: WLAN controller
  5. If a SCEP configuration was previously active on the backup controller, the following actions must be executed under WEBconfig (LCOS Menu Tree > Setup > Certificates > SCEP client):
    • Clear SCEP file system
    • Update (2x: the first time, the SCEP client retrieves the new CA/RA certificates only; the second time the device certificate is updated)
  6. Configure the first WLAN controller 1 according to your requirements with all profiles and the associated AP table. The access points then establish connections to the first WLAN controller. Each access point receives a valid certificate and a configuration for the WLAN module from the WLAN controller.
  7. Transfer the configuration from the first WLAN controller 1, for example using LANconfig, to the backup controller 2. The profiles and the AP tables with the access point MAC addresses are transferred to the backup controller at the same time. All access points remain logged on to the first WLAN controller.

Should WLAN controller 1 fail, the access points will automatically search for another WLAN controller and they will find the backup controller 2. Because this has the same root certificate, it is able to check the validity of the access points' certificates. Because the access points are also entered into the backup controller's AP table along with their MAC addresses, the backup controller can fully take over the management of the access points. Changes to the WLAN profiles in the backup controller will directly affect the managed access points.

Note: In this scenario, the access points remain under the management of the backup controller until this itself becomes unavailable or is manually disconnected.
Note: If the access points are set up for standalone operation, they will remain operational while searching for a backup controller and the WLAN clients will remain associated.
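
The following pre-flight check is an added example, not LANCOM code: it lints the values planned for the CA table and certificate table entries of steps 2 to 4 before they are typed into LANconfig, since a mismatch between the two tables or a malformed subject leaves the backup controller without a usable certificate. The dictionary keys and function names are hypothetical; the sample values are the ones shown in the steps above.

```python
import re

# OID required in step 4; registered as id-kp-capwapAC (CAPWAP, RFC 5415).
CAPWAP_AC_OID = "1.3.6.1.5.5.7.3.18"
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$", re.I)

def parse_dn(dn):
    """Split a slash-separated DN such as /CN=LANCOM CA/O=LANCOM SYSTEMS/C=DE."""
    if not dn.startswith("/"):
        raise ValueError(f"DN must start with '/': {dn!r}")
    pairs = [part.split("=", 1) for part in dn[1:].split("/")]
    if any(len(p) != 2 or not p[1] for p in pairs):
        raise ValueError(f"malformed DN component in {dn!r}")
    return {k.strip().upper(): v.strip() for k, v in pairs}

def lint_scep(ca_entry, cert_entry):
    """Return a list of findings; an empty list means the entries match the steps."""
    findings = []
    if not ca_entry["url"].endswith("/cgi-bin/pkiclient.exe"):
        findings.append("CA URL does not end in /cgi-bin/pkiclient.exe")
    if not ca_entry["ra_auto_approve"]:
        findings.append("RA auto approve is off")
    # The certificate entry refers to the CA by its DN, so both must name the same CA.
    if parse_dn(ca_entry["dn"]) != parse_dn(cert_entry["ca_dn"]):
        findings.append("CA distinguished name differs between the two tables")
    cn = parse_dn(cert_entry["subject"]).get("CN", "")
    if not MAC_RE.match(cn):
        findings.append(f"subject CN {cn!r} is not a MAC address")
    eku = [v.strip() for v in cert_entry["eku"].split(",")]
    for required in ("critical", "serverAuth", CAPWAP_AC_OID):
        if required not in eku:
            findings.append(f"extended key usage lacks {required}")
    if cert_entry["key_bits"] != 2048:
        findings.append("key length is not 2048 bits")
    for name, entry in (("CA", ca_entry), ("certificate", cert_entry)):
        if entry["usage"] != "WLAN controller":
            findings.append(f"{name} table usage type is not 'WLAN controller'")
    return findings

# Constructed sample entries holding the example values from steps 2 to 4.
CA_ENTRY = {"url": "10.1.1.99/cgi-bin/pkiclient.exe", "ra_auto_approve": True,
            "dn": "/CN=LANCOM CA/O=LANCOM SYSTEMS/C=DE", "usage": "WLAN controller"}
CERT_ENTRY = {"ca_dn": "/CN=LANCOM CA/O=LANCOM SYSTEMS/C=DE",
              "subject": "/CN=00:a0:57:01:23:45/O=LANCOM SYSTEMS/C=DE",
              "eku": "critical,serverAuth,1.3.6.1.5.5.7.3.18",
              "key_bits": 2048, "usage": "WLAN controller"}

if __name__ == "__main__":
    print(lint_scep(CA_ENTRY, CERT_ENTRY) or "entries match the procedure")
```

The challenge password is deliberately not part of the checked data, so the lint input can be stored or shared without exposing the enrolment secret.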