Extending enterprise wireless to remote locations and homes

With our sudden moved to the WFH model, we have a couple choices on how we connect to the corporate network. Most of use a VPN but VPNs can presents various challenges such as having to install software, needing to log on, VPN capacity, VPN drops off, needing to re-authenticate and access from VPN not necessarily the same as on site.

What if it was possible to extend the enterprise wireless network functionality to the homes? Not only would this make WFH easier, but because I work in the education space, I also see many applications for remote education with both higher-ed and K-12 students. This would put users on the campus network, on a laboratory network, or for younger K-12 students; they can be put in a stricter safer internet environment than the general home Internet provides, leveraging all the enterprise level protection provided by school districts. However, these same use cases apply to enterprise users as well.

After expanding the VPN infrastructure and getting the entire organization on to the AnyConnect VPN, I started thinking about how we can extend the network and resources without VPN. After an inspiring conversation with a very passionate Cisco Wireless TME, Min Se Kim, I was inspired with the OEAP (Office Extender Access Point) concept.  What is more inspiring is the fact that we can use our old Cisco 3602 access points which we are taking out of service in large numbers in favor of Wi Fi 6 access points.

That being said, it was time to see how to make this work. At home I have an older 3602i access point and on campus I have a 5520 Wireless Controller with AireOS 8.5.161 (Last AireOS to support the trusty 36xx access points).

On the wireless controller I only needed to do two quick settings; from the WLC GUI go to the Controller -> Interfaces and edit the management interface; (1) check the NAT , and (2) enter the external NAT address of the WLC.

CT3504-SJ 2020-04-06 15-00-07

On the access point at home I needed to make sure that it was configured as a lightweight access point – NOT autonomous. I connected to the access point with a console cable, I cleared all the configurations and gave it two simple commands:

  • capwap ap primary {wlc_name} {wlc_External IP}
  • capwap ap reset

After the AP changes, I logged on to the WLC and watched the AP connect, download the correct software image and then reloaded with the new software. Almost plug and play and I now have the enterprise SSIDs running in my house. Fortunately, and for security sake, all the SSID’s are DOT1X enterprise grade security.


After the AP connects to the controller, there are two additional AP setting I recommend Under the AP -> Advanced settings. You should check Data Encryption and uncheck the Rogue Detection as shown below:


Now to test. I disconnected my AnyConnect VPN and changed my wireless network on my laptop from my home SSID to the enterprise SSID. LED turned blue and I got my assigned IP address in the correct VLAN and immediately had the same access I have while on the campus wireless.


As with any solution – there are some caveats:

  1. Now since we are going to have enterprise connected access point in residential areas, we will see all the typical neighborhood access points as rogues – for this very reason I would recommend running this on a dedicated WLC for remote OfficeExtend function and turning off the rogue detection on the AP. Or you can create a rogue rule similar to the one below:SJS-0CC-112-552-WLC-02
  2. We often have multiple SSIDs and if the AP goes into the default AP group it will advertise all the SSIDs. This maybe an undesired outcome especially if you have a guest network that you do not want to expose in remote locations. In order to mitigate this issue, I created an AP Group called “HOME-APG” which only has the SSIDs I wanted to extend out and added all the home access points to that group.

Part of the excitement here is not needing to use the VPN and also finding a great use for the older access points, the ability to connect multiple devices. Now keep in mind I am using the 3600i which does not have the AUX port – so this only extends the wireless. If I were using some of the newer access points such as the 1800, 2800 or the 3800, I would have the option of using the AUX port as RLAN (Remote LAN Port). With the RLAN you can connect your laptop via cable or connect a VoIP phone. This could be great for remote call center operations.

The reason I used the 5520 controller is that code 8.5.151 supports the 3600 access points. If I was using a 3702 or newer access points, I could utilize the C9800 Wireless controller. While this also works with the newer C9100 access point, they do not have AUX/RLAN port so they can only be used to extend wireless service although providing Wi-Fi6 service.

In testing the performance, running multiple speed tests, I was unable to see a significant difference between VPN or extended Wireless, both speeds seem consistent with my ISP (Internet Service Provider).


A common issue with VPN, is that for security reasons, enterprise’s often do not allow split tunneling when connected to the VPN, while this increases the security, it makes difficult if not impossible for users to print to local resources or access any local resources on their home network. To ease this issue when using the OfficeExtend feature, we can add personal SSID which will only appear at the remote site, using the OEAP GUI which will allow full local network access.

So if you want to try and make a more seamless transition from VPN to Enterprise Extended Wireless, this maybe a good solution for some of your remote users and certainly gives a second life to some older access points which you are probably thinking about putting in the recycle bin. Glad I didn’t put my 3600 in the recycling bin!

Some reference material I found useful:

5 thoughts on “Extending enterprise wireless to remote locations and homes

      1. Correct – you are just eliminating the use of VPN (aka software encryption)

    1. This should be doable in SSO mode – you are merely adding an external NAT for the management interface – it should failover with SSO

Leave a Reply

Your email address will not be published. Required fields are marked *