
Catalyst 9800 Series Wireless Controller v2

First Published: 2020-04-30


Last Modified: 2021-09-22

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
© 2020 Cisco Systems, Inc. All rights reserved.
CONTENTS

CHAPTER 1 About 1
Requirements 1
About This Solution 2
Topology 3
Before You Present 4
Get Started 4
Hands-on Description 5

CHAPTER 2 Scenarios 7

Scenario: Basic WLAN Design Flow to create a WLAN 7


Define a Location 7
Provision an AP to the location 12
Define DHCP Server 14
Review Configuration 15
Test Connectivity 17
Scenario: Use Advance WLAN Design Flow to create a WLAN 17
Create a WLAN Profile 19
Create a Policy Profile 22

Create a Policy Tag 24

Tag the Access Point 25


Verify the connectivity 27
Scenario: Application Visibility and App Qos Policy 27
Enable Application Visibility 27
View the Applications detected 28
View and Verify the App QoS Policy 30
Scenario: Local Profiling on the WLC 32

Catalyst 9800 Series Wireless Controller v2


iii
Contents

Enable local profiling and view the device types 32


Create a local profiling policy to apply different policies based on device types 34
View Samsung Device Details 37

Scenario: Detailed WLAN Configuration 39


Define AAA Servers on C9800 40
Define AAA Server Groups and Global settings on C9800 42
Define Authentication, Authorization and Accounting Lists on C9800 44
Create Webauth Parameter Map (Required for BYOD) 47
Create VLANs 49
Create WLAN Profiles 50
Create Policy Profiles 54
Create Policy Tag 60
Assign Policy Tag to AP 61
Create Redirect ACL (Referenced via RADIUS) 62
(Optional) Create URL Filter for BYOD Flow (Referenced via RADIUS) 63
Scenario: ISE Configuration for .1x & BYOD 64
Validate C9800 is added to ISE as Network Device 65
Modify Native Supplicant Provisioning Profile 67
Review Portals: BYOD Portal 68
Review Portals: Hotspot Portal 70
Create/Review downloadable ACLs (dACLs) 71
Create/Modify Authorization Profiles: NSP_Onboard 73
Create/Modify Authorization Profiles: Cisco_WebAuth 74
Configure Internet_Only 76
Create Policy Sets 77
Create Policy for Internal SSID 79
Create Policy for Guest SSID 80
Scenario: Client Testing for Guest & BYOD 82
Test Hotspot Flow 82
Test BYOD flow 84

CHAPTER 3 What's Next? 85

What's Next 85

CHAPTER 1
About
• Requirements, on page 1
• About This Solution, on page 2
• Topology, on page 3
• Before You Present, on page 4
• Get Started, on page 4
• Hands-on Description, on page 5

Requirements
The table below outlines the requirements for this preconfigured demonstration.

Required | Details
Endpoint router with Standalone Access Point (CAPWAP in EZVPN with TCP port 443 required) or Standalone Access Point (CAPWAP with UDP ports 5246 and 5247 required) | dCloud Endpoint Router Kit, example (819HWD router), registered and configured for dCloud. Supported wireless access point for the C9800-CL v17.2. For more information refer to Release Notes for Cisco Catalyst 9800 Series Wireless Controller, Cisco IOS XE Amsterdam 17.3.x.
Note Internal AP will not work with this demo and should be disabled.

Monitoring Workstation | Laptop

User Devices | Tablet, smartphone, or additional laptop


Note For the best experience use an iOS device. Android will also work, but not as seamlessly as iOS devices
for BYOD onboarding. BYOD onboarding in this demo is only supported with macOS, Windows, Android and
Apple iOS.


Note It is required that you have at least two end user devices for this demonstration—one for monitoring
and connecting to the backend components, and at least one device to onboard.
If you plan on onboarding a laptop during the demonstration, it is required that you have a second laptop.
The first laptop would be necessary to access the dCloud Workstation1 via RDP or the component
portal(s) directly using the VPN option (to show the ISE UI and other demo features) and the second
laptop would be necessary to demonstrate joining the hotspot or guest networks.

About This Solution


With 26 billion networked device connections by 2020, 120 million new malware variants every year,
businesses losing $700 billion a year to IT downtime and 86 percent cloud adoption among enterprises by
2019, customers expect a wireless and wired network that is always on, has integrated security, and can be
deployed anywhere, including in the cloud of their choice.
Built from the ground up for intent-based networking and Cisco DNA, Cisco® Catalyst® 9800 Series Wireless
Controllers bring together Cisco IOS XE Software and Cisco RF excellence to create a best-in-class wireless
experience for your evolving and growing organization.
The Cisco Catalyst 9800 Series Wireless Controllers are based on an open, programmable architecture with
built-in security, streaming telemetry, and rich analytics.
The controllers are always on, are secure, and can be deployed anywhere—three pillars of network excellence
that strengthen the network by providing the best wireless experience without compromise, while saving time
and money.
Always on
High availability and seamless software updates, enabled by hot patching, keep your clients and services
always on in planned and unplanned events. Bug fixes, access point deployment at multiple sites, network
updates, and more can be handled without rebooting the controller or impacting the operation of the
networks.
Secure
Wireless infrastructure becomes the strongest first line of defense with Encrypted Traffic Analytics and
Cisco Software-Defined Access. The controllers come with built-in security to secure the controller and
the network: Secure Boot, runtime defenses, image signing, integrity verification, and hardware
authenticity.
Deploy anywhere
Whether your deployment choice is an on-premises solution or a cloud deployment solution, the Cisco
Catalyst 9800 Series Wireless Controllers allow for management and deployment of the controller
anywhere.
The Cisco Catalyst 9800 Series Wireless Controllers support open and programmable APIs that enable flexible
management and automation of your day-0 to day-N network operations. Model-driven streaming telemetry
provides deep insights into your network and client health. For more information regarding 9800 Platform
please refer to www.cisco.com/c/en/us/products/wireless/catalyst-9800-series-wireless-controllers/index.html.


Topology
This content includes preconfigured users and components to illustrate the scripted scenarios and features of
the solution. Most components are fully configurable with predefined administrative user accounts. You can
see the IP address and user account credentials to use to access a component by clicking the component icon
in the Topology menu of your active session and in the scenario steps that require their use.

Equipment Details

Device | IP Address | Access Method | Username | Password | Device
C9800-CL (17.3.3) | Private: 198.19.11.10; Public: See Session Details | Workstation1 Browser; Local Browser | Session Owner | Session ID | Wlc.dcloud.cisco.com
WKST1 | 198.18.133.36 | WebRDP or AnyConnect | admin | C1sco12345 | Workstation1 (RDP access)
Exchange Server | 198.18.133.2 | WebRDP or AnyConnect | administrator | C1sco12345 | OWA Mail – access through the bookmarks
AD1 | 198.18.133.1 | WebRDP or AnyConnect | DCLOUD\administrator | C1sco12345 | AD1 (RDP access)
Portals | 198.18.133.110 | Putty | linuxuser | C1sco12345 |
ISE (3.0) | 198.18.133.27 | Workstation1 Browser | admin | C1sco12345 | Ise.securitydemo.net

Before You Present


Cisco dCloud strongly recommends that you perform the tasks in this document before presenting it in front
of a live audience. This will allow you to become familiar with the structure of the document and content.
dCloud recommends using the Chrome browser for all demos.

PREPARATION IS KEY TO A SUCCESSFUL PRESENTATION.

Get Started
Follow the steps to schedule a session of the content and configure your presentation environment.

Procedure

Step 1 Initiate your dCloud session. [Show Me How]


Note It may take up to 20 minutes for your session to become active.

Step 2 For best performance, connect to the workstation with Cisco AnyConnect VPN [Show Me How] and the local
RDP client on your laptop. [Show Me How]
Workstation 1: 198.18.133.36, Username: admin, Password: C1sco12345
Note You can also connect to the workstation using the Cisco dCloud Remote Desktop client [Show Me
How]. The dCloud Remote Desktop client works best for accessing an active session with minimal
interaction. However, many users experience connection and performance issues with this method.

Step 3 On Workstation1, ensure your Country is enabled on the demo wireless controller (WLC). [Show Me How]
Note The WLC login for this demo requires session specific credentials. The username is the name you
use to log in to the dCloud UI and the password is the session ID. You can obtain this information
from the session details section of your active demo. The username is provided and must be used
with the unique session ID as password.


Step 4 Provision your compatible AP. [Show Me How]


Note If using an endpoint router, this step only needs to be completed once. This is HIGHLY recommended
when using these demos. Without an endpoint router, the AP must be re-provisioned with the new
demo WLC IP address EACH time you schedule a new demo.

Step 5 Verify your AP is operational. [Show Me How]

You now have the option of connecting to Workstation1 through the AP. [Show Me How]
You may need to complete additional demonstration preparation activities, based on the location of your
demonstration.
• Complete the additional demonstration preparation activities for demonstrating at a Cisco Office. [Show
Me How]
• Complete the additional demonstration preparation activities for demonstrating at a Customer Site. [Show
Me How]

Hands-on Description
This hands-on lab will walk students through multiple exercises to provide an introduction to the new Cisco
9800 WLAN Controller. Here is an overview of the steps you will walk through in this lab.
• Use the Basic WLAN Design Flow to create a WLAN
• Test the WLAN
• Review the Configuration that was generated from the Basic Design Flow
• Review the CLI for the WLAN Configuration

• Use the Advanced WLAN Design to create a WLAN


• Create WLAN Profile, Policy Profile and Policy Tag using the advanced wizard
• Test the WLAN

• Enable Application Visibility on the WLAN


• Enable Application Visibility and View the Applications
• Define a QoS Policy to control the applications

• Local Profiling on the WLC


• Enable the Local Profiling on the WLC

• Detailed WLAN Configuration


• Define AAA on C9800
• Create Webauth Parameter Map (Required for BYOD)
• Create VLANs


• Create WLAN Profiles


• Create Policy Profiles
• Create Policy Tag
• Assign Policy Tag to AP
• Create Redirect ACL
• Create URL Filter for BYOD Flow

• ISE Configuration
• Validate C9800 is added to ISE as Network Device
• Modify Native Supplicant Provisioning Profile
• Review Portals
• BYOD Portal
• Hotspot Portal
• Create/Review downloadable ACLs (dACLs)
• Create/Modify Authorization Profiles
• NSP_Onboard
• Cisco_WebAuth
• Internet_Only
• Create Policy Sets
• Create Policy for Internal SSID
• Create Policy for Guest SSID
• Client Testing for Guest & BYOD
• Hotspot Flow

• Test BYOD Flow

CHAPTER 2
Scenarios
• Scenario: Basic WLAN Design Flow to create a WLAN, on page 7
• Scenario: Use Advance WLAN Design Flow to create a WLAN, on page 17
• Scenario: Application Visibility and App Qos Policy, on page 27
• Scenario: Local Profiling on the WLC, on page 32
• Scenario: Detailed WLAN Configuration, on page 39
• Scenario: ISE Configuration for .1x & BYOD, on page 64
• Scenario: Client Testing for Guest & BYOD, on page 82

Scenario: Basic WLAN Design Flow to create a WLAN


Exercise Objective
The goal of this exercise is to use the Basic Wireless Setup to create an admin WLAN that you will use for
connectivity for the rest of the lab exercises. This will serve as the first introduction to the new 9800 UI.

Exercise Description
In this Exercise you will use the Basic WLAN Setup to perform the following tasks.

Define a Location
The Basic Wireless configuration starts from defining a location. This is the location in which APs will be
deployed; the APs will support the defined wireless services.

Procedure

Step 1 Connect to the Lab network. Connect to the 9800 public IP address provided by the session details. Log in
with username/session ID.
Step 2 Select the Wireless Setup icon from the top right of the 9800 browser interface and select Basic.
Example:


Step 3 Click Add.


Example:

Step 4 For General, create a Location Name of Podx_location where x is your pod number. Leave the Location
Type as Local and Client Density as Typical.
Example:

Note While we set this Location Name to Pod1_location, remember that assigning a Podx_location
name is relative. As a user, you can name your own location as desired. A pod name/number is
needed mostly in a group environment to keep multiple users' AP SSIDs from overlapping.

Step 5 Select the Wireless Networks tab and then click Add.


Example:

Add Location Setup displays.

Step 6 For WLAN, click Define new.


Example:

Step 7 Complete these settings on the General tab.


a) For Profile Name, enter podx_admin.
b) For SSID, enter podx_admin.
c) For WLAN ID, enter 1.
d) Set Status to ENABLED.
Example:


Step 8 Complete these settings on the Security tab.


a) For Auth Key Mgmt, select PSK.
b) For Pre-Shared Key, enter ciscocisco.
Example:


Use the default setting for all other settings. Explore the other tabs and notice the configuration options. Also
notice the other tabs under the Security tab.

Step 9 After exploring select Save & Apply to Device which will return you to Add Location Setup.
Step 10 Under Policy Details, for VLAN/VLAN Group, select mgmt. Click Add.
Notice the characteristics of the policy, all centralized services.


You created the WLAN and the policy applied to that WLAN.

Provision an AP to the location


Now it is time to provision the AP that will support the WLAN we just defined.

Procedure

Step 1 Select the AP Provisioning tab.


The left-side column, Add/Select APs, has a section titled Available AP list. The AP associated to the 9800
should be listed.

Step 2 Select AP and then click the arrow to add the AP to the APs on this Location column. Click Apply.
Example:


You created the WLAN and applied it to the AP.

Define DHCP Server


The Basic WLAN configuration assumes the WLAN is connecting to a network that has a DHCP server available
locally. That is not the case for our lab, so we now need to define the location of the DHCP server in the policy
used by this WLAN.

Procedure

Step 1 Go to Configuration > Tags & Profiles > Policy.


Step 2 Click Podx_location_WLANID_1.


Step 3 Click the Advanced tab.


Step 4 Under DHCP select IPv4 DHCP Required and specify the DHCP Server IP Address as 198.18.133.1.
Step 5 Click Update & Apply to Device.

Example

Review Configuration
You have now created a fully functional WLAN. Take the time to explore the configurations that have been
applied.

Procedure

Step 1 Go to Configuration > Wireless Setup > Advanced.


This page does an excellent job of summarizing the components that make up a WLAN configuration. From
this page you can start a more complex configuration.

Step 2 Navigate to Configuration > Tags & Profiles > WLANs and notice the podx_admin WLAN that was
configured. Select the WLAN and explore the details of the WLAN.
Step 3 Go to Configuration > Tags & Profiles > Policy and select Podx_location_WLANID_1. Explore the details
of the policy.
Step 4 Go to Configuration > Tags & Profiles > Tags.
Notice there are 4 Tags – Policy, Site, RF, AP. Review the details of each tab for Podx_location. For the AP
tab under Static you’ll see your AP selected with Policy, Site and RF Tag all applied to Podx_location.


Step 5 Go to Configuration > Wireless > Access Points. Select the AP.
Notice the details of the APs settings. Also notice under Tags section that Podx_location is applied to Policy,
Site & RF.
Example:

Step 6 Click the Save icon at the top right of the 9800 browser interface.
Example:

Step 7 Click Show Diff.


Example:


This opens a new window that shows a comparison between the Startup Config on the 9800 and the current
Running Config. Notice the CLI commands added to the 9800 after going through the Basic WLAN Config.
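The Show Diff view is in effect a line diff of the startup config against the running config. The following Python script is an added example, not part of this guide and not Cisco's software: it diffs two constructed config snippets (the WLAN, policy profile and policy tag lines are written in 9800 CLI syntax with this lab's names, but they are illustrative rather than captured from the controller) and sorts the added lines into the WLAN, policy profile and policy tag objects that the next section reviews. It also flags any added line that carries a key with IOS encryption type 0, that is, a pre-shared key stored in clear text, which is worth noticing before the running config is saved to startup.

```python
from __future__ import annotations

import difflib
import re

# Constructed sample of the startup config before the Basic Wireless Setup ran.
# This is not a capture from the lab controller.
STARTUP_CONFIG = """\
hostname WLC
wireless management interface Vlan10
wireless tag policy default-policy-tag
"""

# Constructed sample of the running config after the wizard. The WLAN, policy
# profile and policy tag lines follow IOS XE 9800 CLI syntax and use the names
# from the lab, but they are illustrative; compare with your own Show Diff output.
RUNNING_CONFIG = """\
hostname WLC
wireless management interface Vlan10
wlan podx_admin 1 podx_admin
 security wpa psk set-key ascii 0 ciscocisco
 no shutdown
wireless profile policy Podx_location_WLANID_1
 vlan mgmt
 ipv4 dhcp required
 ipv4 dhcp server 198.18.133.1
 no shutdown
wireless tag policy default-policy-tag
wireless tag policy Podx_location
 wlan podx_admin policy Podx_location_WLANID_1
"""

# IOS XE marks an unencrypted key with encryption type 0, so these phrases
# identify credentials that landed in the configuration in clear text.
CLEARTEXT_KEY_RE = re.compile(r"\b(set-key ascii 0|key 0|secret 0|password 0)\b")


def config_diff(startup: str, running: str) -> list[str]:
    """Unified diff of the two configs, the text form of the GUI's Show Diff."""
    return list(difflib.unified_diff(
        startup.splitlines(), running.splitlines(),
        fromfile="startup-config", tofile="running-config", lineterm=""))


def added_lines(startup: str, running: str) -> list[str]:
    """Only the lines the wizard added: '+' lines minus the '+++' file header."""
    return [line[1:] for line in config_diff(startup, running)
            if line.startswith("+") and not line.startswith("+++")]


def review_added(startup: str, running: str) -> dict[str, list[str]]:
    """Sort added lines into the objects the lab reviews next, plus a
    cleartext-credential check worth doing before the config is saved."""
    findings: dict[str, list[str]] = {
        "cleartext_keys": [], "wlans": [], "policy_profiles": [], "policy_tags": []}
    for line in added_lines(startup, running):
        text = line.strip()
        if CLEARTEXT_KEY_RE.search(text):
            findings["cleartext_keys"].append(text)
        elif line.startswith(" "):
            continue                      # sub-mode line, covered by its parent object
        elif text.startswith("wlan "):
            findings["wlans"].append(text)
        elif text.startswith("wireless profile policy "):
            findings["policy_profiles"].append(text)
        elif text.startswith("wireless tag policy "):
            findings["policy_tags"].append(text)
    return findings


if __name__ == "__main__":
    print("\n".join(config_diff(STARTUP_CONFIG, RUNNING_CONFIG)))
    for kind, lines in review_added(STARTUP_CONFIG, RUNNING_CONFIG).items():
        print(f"{kind}: {lines}")
```

Run it as-is to see the diff and the grouped findings; to review a real controller, paste the two configs into the string constants.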

Test Connectivity
The Basic Wireless configuration starts from defining a location. This is the location in which an AP will be
deployed; the AP will support the defined wireless services.

Procedure

Step 1 Connect to the 9800 public IP address and then log in with the credentials provided for you ahead of time.
Step 2 Using your personal laptop, connect to the lab network, pod1_admin using ciscocisco.
Step 3 Using a Chrome browser go to 198.19.11.10 and log in with username/session ID.
Under the dashboard you’ll see that the AP is joined to the controller.

What to do next
In the next section we will create another SSID using the advance flow and connect to the device.

Scenario: Use Advance WLAN Design Flow to create a WLAN


Exercise Objective
In the previous scenario we used the Basic Wireless Setup to create a WLAN. In this scenario we will use the
advanced Wireless Setup to create another SSID. The SSID created in this exercise will be used to enable the
further features on the 9800 in the next scenarios. We will be using C9800-CL GUI to configure C9800.


Recap on C9800 Configuration Model

In the previous exercise this was abstracted from the user by the basic configuration model.

Exercise Description
In this Exercise you will use the Advanced WLAN Setup to:


Create a WLAN Profile


Procedure

Step 1 Connect to the Lab network.


Step 2 Connect to the 9800 public IP address provided by the session details. Log in with username/session
ID.
Step 3 Click the Wireless Setup icon from the top right of the 9800 browser interface and select Advanced.
Example:

The Advanced Configuration Wizard displays.

Step 4 Click Start Now to start the wizard.


Example:


Step 5 In Tags & Profile to the right side of the WLAN Profile section click on the + to start creating a new WLAN
Profile
Example:


Step 6 Configure these settings on the General tab.


a) For Profile Name, enter pod1-psk.
b) For SSID, enter pod1-psk.
c) For WLAN ID, enter 2.
d) Set Status to ENABLED.
Example:

Step 7 Configure these settings on the Security tab.


a) For Auth Key Mgmt, select PSK
b) For Pre-Shared Key, enter cisco123.
Example:


Use the default setting for all those not listed above.

Step 8 Click Save & Apply to Device.


You return to the wizard.

Create a Policy Profile


Procedure

Step 1 In Tags & Profile to the right side of the Policy Profile section click on the + to start creating a new Policy
Profile
Step 2 Configure the Policy Profile using following settings. Use the default for any setting not specified.

Tab | Section and Parameters | Value
General | Name | localPolicy
General | Status | Enabled
Access Policies | VLAN > VLAN/VLAN Group | mgmt
Advanced | DHCP > IPv4 DHCP Required | Selected
Advanced | DHCP > DHCP Server IP Address | 198.18.133.1

Example:


Explore the other tabs and notice the configuration options.

Step 3 Click Save & Apply to Device.


You return to the wizard.

Create a Policy Tag


Procedure

Step 1 In Tags & Profile to the right side of the Policy Tag section, click + to start creating a new Policy Tag Profile
Step 2 For Name, enter localPsk.
Step 3 In the tag window, click Add to map WLAN to a Policy Profile.


WLAN Profile | Policy Profile
pod1-psk | localPolicy

Step 4 Click Save & Apply to Device.


You return to the wizard.

Tag the Access Point


Procedure

Step 1 In Tags & Profile, under the Apply section, click Tag APs.
Step 2 Select the Access Point and click Tag APs above the table.
Example:


Tag APs is displayed.


Step 3 For Policy, select localPsk. Do not change the other tags. Click Apply to Device.
Example:

The AP rejoins the WLC and applies the configuration.


The AP should be broadcasting the SSID created pod1-psk.
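The AP broadcasts an SSID only through the chain AP -> policy tag -> (WLAN profile, policy profile). The Python model below is an added example, not code from this guide or from the controller; its dataclasses and the constructed WLANS, POLICIES and TAGS objects are assumptions that mirror the profiles built in this scenario and the previous one. resolve_ap() walks that chain for an AP, and validate() reports dangling references, which is the check to run before concluding that a missing SSID is an RF problem rather than a tag problem. Under this model, re-tagging the AP from Podx_location to localPsk means it now serves pod1-psk and no longer podx_admin.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class WlanProfile:
    name: str
    ssid: str
    wlan_id: int
    auth_key_mgmt: str          # "PSK" for both WLANs in this lab
    enabled: bool = True


@dataclass
class PolicyProfile:
    name: str
    vlan: str
    dhcp_required: bool = False
    dhcp_server: str | None = None
    enabled: bool = True


@dataclass
class PolicyTag:
    name: str
    # WLAN profile name -> policy profile name, as entered in the tag's Add dialog
    mappings: dict[str, str] = field(default_factory=dict)


@dataclass
class AccessPoint:
    name: str
    policy_tag: str


# Constructed objects mirroring the profiles and tags this lab creates.
WLANS = {
    "podx_admin": WlanProfile("podx_admin", "podx_admin", 1, "PSK"),
    "pod1-psk": WlanProfile("pod1-psk", "pod1-psk", 2, "PSK"),
}
POLICIES = {
    "Podx_location_WLANID_1": PolicyProfile("Podx_location_WLANID_1", "mgmt", True, "198.18.133.1"),
    "localPolicy": PolicyProfile("localPolicy", "mgmt", True, "198.18.133.1"),
}
TAGS = {
    "Podx_location": PolicyTag("Podx_location", {"podx_admin": "Podx_location_WLANID_1"}),
    "localPsk": PolicyTag("localPsk", {"pod1-psk": "localPolicy"}),
}


def validate(tags, wlans, policies, aps) -> list[str]:
    """Return dangling references: an AP pointing at a missing tag, or a tag
    mapping a WLAN profile or policy profile that does not exist."""
    problems = []
    for ap in aps:
        if ap.policy_tag not in tags:
            problems.append(f"AP {ap.name}: policy tag {ap.policy_tag!r} not found")
    for tag in tags.values():
        for wlan_name, policy_name in tag.mappings.items():
            if wlan_name not in wlans:
                problems.append(f"tag {tag.name}: WLAN profile {wlan_name!r} not found")
            if policy_name not in policies:
                problems.append(f"tag {tag.name}: policy profile {policy_name!r} not found")
    return problems


def resolve_ap(ap, tags, wlans, policies) -> list[dict]:
    """SSIDs the AP broadcasts and the policy each client receives, following
    the AP -> policy tag -> (WLAN profile, policy profile) chain."""
    served = []
    for wlan_name, policy_name in tags[ap.policy_tag].mappings.items():
        wlan, policy = wlans[wlan_name], policies[policy_name]
        if not (wlan.enabled and policy.enabled):
            continue                     # a disabled profile is not broadcast
        served.append({"ssid": wlan.ssid, "wlan_id": wlan.wlan_id,
                       "auth": wlan.auth_key_mgmt, "vlan": policy.vlan,
                       "dhcp_server": policy.dhcp_server})
    return served


if __name__ == "__main__":
    ap = AccessPoint("pod1-ap", "localPsk")   # the AP after Tag APs in this section
    print(validate(TAGS, WLANS, POLICIES, [ap]))
    print(resolve_ap(ap, TAGS, WLANS, POLICIES))
```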

Verify the connectivity


Procedure

Step 1 Using your personal laptop or mobile, connect to the lab network pod1-psk using the credentials username
PSK and password cisco123.
Step 2 Navigate to the Dashboard and observe that the client has joined the Access Point.

Step 3 Click on the client to open the details page and browse through the details.

Scenario: Application Visibility and App Qos Policy


Exercise Objective
The goal of this exercise is to provide detailed steps to enable Application Visibility on the WLAN we just
created.
We will use the QOS Policy to configure an application policy on the WLAN and verify the same.

Exercise Description
In this exercise you will:

Enable Application Visibility


Procedure

Step 1 Navigate to Configuration > Services > Application Visibility.


Step 2 Click the arrow next to localPolicy.
Example:


Step 3 Verify that Visibility and Local Collector are selected.


Example:

Step 4 Click Apply to enable Application Visibility.

View the Applications detected


Procedure

Step 1 Verify that the client is connected to the SSID pod1-psk and browse different sites.
Example:


For example, YouTube, Google, and a few other sites.

Step 2 Navigate to Monitoring > Services > Application Visibility.


Step 3 Verify the application is detected in the client view.
Example:

Step 4 Hover over the pie chart to show the application name. Click Direction to verify the traffic in each direction.
Example:

Step 5 Click Applications to view the list of all the applications detected.


Example:

View and Verify the App QoS Policy


Procedure

Step 1 Navigate to Configuration > Services > QOS.


Step 2 Click Add to add a QOS Policy.
Step 3 Configure the policy as shown in the following table and leave the default as is.

Parameter | Value
Policy Name | YoutubeBlock
Add Class-Maps | +
AVC/User Define | AVC
Match | All
Drop | Enabled
Match Type | protocol
Selected Protocols (select using the arrow) | Youtube

Example:


Step 4 Click Save.


Step 5 Click the right arrow on the local Policy, select ingress, and then click Apply.
Example:

Step 6 Attempt to browse YouTube on the client connected to the pod1-psk WLAN and note that YouTube is now
blocked.


Step 7 Navigate to Configuration > Services > QOS and delete the QoS Policy YoutubeBlock.

Scenario: Local Profiling on the WLC


Exercise Objective
The goal of this exercise is to enable local profiling.

Exercise Description

Enable local profiling and view the device types


Procedure

Step 1 Navigate to Configuration > Wireless > Wireless Global.


Step 2 Select Device Classification and click Apply.
Example:

The local device classification on the controller is enabled.

Step 3 Navigate to the main dashboard and verify that the Client Devices Types dashboard shows the clients joined.
Example:


Step 4 Navigate to Monitoring > Services > Local Profiling to show the detected device and details.
Example:


Create a local profiling policy to apply different policies based on device types
Procedure

Step 1 Navigate to Configuration > Security > Local Policy.


Step 2 Under Service Template, click Add.
Step 3 Fill in the Service Template using the following table without changing the defaults, and then click Apply
to Device.

Parameter | Value
Service Template Name | iPhone
VLAN ID | 2

Example:

Step 4 Under Policy Map click Add.


Step 5 Create a new policy map called apple.
Step 6 Click the Add button under the Match Criteria List, fill in the dialog with the values in the following table,
click Add Criteria, and then click Apply to Device.

Parameter | Value
Policy Map Name | apple
Service Template | iPhone
Device Type | eq, Apple-Device


Example:

Step 7 Navigate to Configuration > Tags & Profiles > Policy.


Step 8 Click on the policy used on our SSID called localPolicy to edit the policy.
Step 9 Navigate to Access Policies in the edit Policy Profile dialog box.
a) For Local Subscriber Policy Name, select apple.
b) For VLAN/VLAN Group, select employee.
c) Click Update and Apply to Device.

Parameter | Value
Local Subscriber Policy Name | apple

Example:


Step 10 Reconnect an Apple device to the pod1-psk WLAN.


Step 11 Navigate to Monitoring > Wireless > Clients. Observe that the device is recognized as an Apple device and
is now in a different subnet.
Example:


Step 12 Click on the device and then navigate to General > Security Information in the client information box.
It shows the service template applied under the local policies and the device is now part of VLAN 2 (employee
VLAN) and not the mgmt VLAN.

View Samsung Device Details


This procedure is optional, for use if you have a Samsung S10-based device connected to the WLAN.


Procedure

Step 1 Navigate to Monitoring > Wireless > Clients, click on the client to open the client details dialog, and then
open the Client 360 view.
Step 2 Observe the additional information that Samsung clients share with Cisco WLCs and APs when local profiling
is enabled.
The exact model number, carrier, software version, and client RSSI displayed come from the Samsung device.
Example:

Step 3 For any non-Apple device, after you are connected to the proper network, see the Device Type assigned as
Un-Classified Device.
Example:


Step 4 Click on the device MAC Address and see its 360 view details.
Example:

Scenario: Detailed WLAN Configuration


Exercise Objective
The goal of this exercise is to provide detailed steps to define a secure employee WLAN and a Guest WLAN.
We will be using the C9800-CL GUI to configure the C9800. The following diagram shows the C9800 configuration
at a high level. Each box represents an individual configuration profile with the relevant options shown and how
each profile feeds into other profiles to make a working configuration. The bullet points within a profile
that are in bold represent sub-profiles being fed into that profile. It also includes the suggested order in which
to create the profiles, which maps to the main sections of the document.

Exercise Description
The following diagram illustrates the steps we'll configure on the 9800 controller. Some of the settings
are preconfigured. For any preconfigured settings, we will review the settings.


Define AAA Servers on C9800


These steps add the ISE PSN node as a RADIUS server on the C9800. We will also create a RADIUS server
group and add the server entry we created. The server group can then be referenced from each of the AAA method
lists.

Procedure

Step 1 Using your personal laptop, connect to the lab network pod1-psk using credentials username: PSK and
password cisco123.
Step 2 Using a Chrome browser go to 198.19.11.10 and log in with username/session ID.
The dashboard indicates the AP is joined to the controller.

Step 3 Navigate to Configuration > Security > AAA > Servers / Groups > Servers.
Step 4 Click Add and enter the information in the following table.
Example:


Use the default settings for any values not in the table.

Parameter | Value
Name* | ISE01
IPv4/IPv6 Server Address* | 198.18.133.27
PAC Key | (Not selected)
Key Type | Clear Text
Key* (and confirm) | C1sco12345
Support for CoA | Enabled

Example:


Step 5 Click Apply to Device.

Define AAA Server Groups and Global settings on C9800


Procedure

Step 1 Click Server Groups.


Example:


Step 2 Click Add and then enter following information.

Parameter | Value
Name | ISE
Dead-Time (mins) | 10
Available Servers | ISE01 (move to Assigned)

The Dead-Time setting controls how long a RADIUS server in the group will be marked as dead after it
fails to authenticate or fails to respond to RADIUS probes. This setting is only useful when more than one
RADIUS server is configured.
Example:


Step 3 Click Apply to Device.


Step 4 Navigate to Configuration > Security > AAA > AAA Advanced > RADIUS Fallback and confirm the
default settings, which dictate how the RADIUS servers will be marked dead.
• Retransmit Count: How many times the RADIUS server will be tried for an authentication request.
• Timeout Interval (seconds): How long the controller will wait between authentication requests.
• Dead Time (Minutes): Identical to the dead-time configured under Server Groups, but this setting is
global.

Step 5 Navigate to Configuration > Security > AAA > AAA Advanced > Global Config and confirm the default
settings, which dictate how the controller will communicate with the RADIUS server:
RADIUS Server Load Balance: When enabled, and if there is more than one RADIUS server, the controller
will send RADIUS requests to each RADIUS server in sequence based on the batch settings.

Step 6 Click Show Advanced Settings >>>.


Note the Call Station ID under the Authentication column. This is the attribute that the C9800 populates during
authentication. The default CID field is formatted as ap-macaddress-ssid. ISE uses the SSID from the
CID field for policy matching purposes.

Define Authentication, Authorization and Accounting Lists on C9800


Procedure

Step 1 Navigate to Configuration > Security > AAA > AAA Method List > Authentication, and then click Add.


Step 2 Create the Authentication list using the following information. This list will be used for both the OPEN SSID
(dCloud_Guest) and the SECURE SSID (dCloud_Internal):

Name default
Type Dot1x
Group-Type Group
Available Server Groups ISE (move to assigned)

Notes The existing default method list entry of Type login is for SSH access to the WLC CLI.
For the authentication list, another name could be used. We are using default so that it is named the same as
the authorization list, for which the name default has a special meaning. If clients fail to associate
and authentication requests do not show up in the ISE Live Log, try setting the authentication
list name to default as shown above.

Example:

Step 3 Click Apply to Device.


Step 4 Navigate to Configuration > Security > AAA > AAA Method List > Authorization, click Add, and then
enter the following information for the AAA Authorization list that will be shared by both SSIDs.

Parameter Value
Name default
Type Network
Group-Type Group
Available Server Groups ISE (move to assigned)


Notes The existing default method list entry of Type exec is for SSH access to the WLC CLI.
The Authorization name default is significant here, since no Authorization list can be
defined within the 802.1X WLAN. By using default as the name, the C9800 can use ISE to get additional
authorization details such as dACL operation. If the default authorization list cannot be used or is not
desired, then a named authorization list can be created and referenced via the RADIUS server
as a Cisco VSA. The Cisco VSA to use is Method-List={authorization-method-list}, which can be
configured in the ISE advanced attribute settings.

Example:

Step 5 Click Apply to Device.


Step 6 Navigate to Configuration > Security > AAA > AAA Method List > Accounting, and then click Add.
Step 7 Enter the following information for the AAA Accounting list that will be shared by both SSIDs.

Parameter Value
Name default
Type identity
Available Server Groups ISE (move to assigned)

Example:


Step 8 Click Apply to Device.

Create Webauth Parameter Map (Required for BYOD)


This will only be used in the SECURE SSID (dCloud_Internal) to suppress the Apple Captive Network Assistant
(CNA; AKA mini browser) from popping up upon association to the WLAN. This is required because the
Apple CNA is unable to complete the BYOD onboarding flow.

Procedure

Step 1 Navigate to Configuration > Security > Web Auth, and then click Add.
Example:


Step 2 For Parameter-map name*, enter Captive_Bypass_Portal, and then click Apply to Device.
Example:

Step 3 Select Captive_Bypass_Portal from the Parameter-map name list.


Step 4 Select Captive Bypass Portal.
Step 5 Click Update & Apply.
Example:


Create VLANs

Important Do not change anything in this section. This is already done for you because it is a basic item on the
controller.

Procedure

Step 1 Navigate to Configuration > Layer 2 > VLAN > VLAN and then click Add.
Step 2 Add two VLANs using the following table for the User VLAN and the Guest VLAN.
These VLANs will be mapped to the SECURE SSID (dCloud_Internal) and the OPEN SSID (dCloud_Guest)
respectively, using policy profiles and tags.

VLAN ID 2 3
Name employee guest
State Activated Activated

Example:


Step 3 Click Save & Apply to Device.

Create WLAN Profiles


Procedure

Step 1 Navigate to Configuration > Tags & Profiles > WLANs.


Step 2 Click Add to create the OPEN WLAN (dCloud_Guest) using the following table.
This WLAN will be mapped to the AP using tags. Any configuration not defined in the table assumes the default
settings.

Tab | Parameter | Open WLAN value
General | Profile Name | dCloud_Guestx
General | SSID (x is your pod#) | dCloud_Guestx
General | Status | Enabled
Security > Layer 2 | Layer 2 Security Mode | None
Security > Layer 2 | MAC Filtering | Enabled
Security > Layer 2 | Authorization List | default
Security > Layer 3 | Webauth Parameter Map |
Security > Layer 3 | Web Policy | Enabled
Security > AAA | Authentication List | default

Note There is no reference to an authorization list for the dCloud_Internalx SSID. This is not an issue for
AAA override operation, which applies authorization directly from the RADIUS ACCESS-ACCEPT
response. However, it is an issue for applying a dACL, as that requires additional RADIUS
communication, which in turn requires an authorization list. To address this, either use the special
name default for the authorization list, as configured above, or configure ISE to send the Cisco VSA
Method-List={authorization-method-list} with the ACCESS-ACCEPT when a dACL is used.


Example:


Step 3 Click Update & Apply to Device.


Step 4 Click Add to create the SECURE WLAN (dCloud_Internal) using following table.

Tab | Parameter | Secure WLAN Value
General | Profile Name | dCloud_Internalx
General | SSID (x is your pod#) | dCloud_Internalx
General | Status | Enabled
Security > Layer 2 | Layer 2 Security Mode | WPA + WPA2
Security > Layer 2 | MAC Filtering |
Security > Layer 2 | Authorization List |
Security > Layer 3 | Webauth Parameter Map | Captive_Bypass_Portal
Security > Layer 3 | Web Policy |
Security > AAA | Authentication List | default

Example:


Step 5 Click Update & Apply to Device

Create Policy Profiles


The policy profile covers the device sensor, default VLAN, CoA, and RADIUS accounting. Since the VLANs differ,
two profiles are created, one for each WLAN. These profiles will be mapped to the WLANs using tags.

Procedure

Step 1 Navigate to Configuration > Tags & Profiles > Policy and then click Add.


Step 2 Add a Policy Profile for both WLANs using the following table.
Any configuration not defined in the table assumes the default setting.

Tab | Parameter | Guest WLAN Value | Employee WLAN Value
General | Name | Guest | Employee
General | Status | Enabled | Enabled
Access Policies | RADIUS Profiling | |
Access Policies | HTTP TLV Caching | |
Access Policies | DHCP TLV Caching | |
Access Policies > VLAN | VLAN/VLAN Group | guest | employee
Advanced > DHCP | IPv4 DHCP Required | |
Advanced > DHCP | DHCP Server IP Address | 198.18.133.1 | 198.18.133.1
Advanced > AAA Policy | Allow AAA Override | |
Advanced > AAA Policy | NAC State | |
Advanced > AAA Policy | Accounting List | default | default

Example:


Step 3 Click Apply to Device.

Create Policy Tag


Procedure

Step 1 Navigate to Configuration > Tags & Profiles > Tags and, under Policy, click Add.
Step 2 For Name, enter iseEnabled.
Step 3 Click Add to map following WLANs to matching policy profiles.

WLAN Profile Policy Profile


dCloud_Guestx Guest
dCloud_Internalx Employee
pod1_admin Pod1_location_WLANID_1

Example:

The WLAN is now associated to the respective Policy Profile.

Step 4 Click Apply to Device.


Assign Policy Tag to AP


This section shows how to apply a tag to a single AP. Using the Advanced Wireless Setup Wizard on C9800,
the same tag can be applied to multiple APs at the same time, or you can manually create an AP filter tag rule
to apply the tags based on an AP name regex (e.g. .*).

Procedure

Step 1 Navigate to Configuration > Wireless > Access Points.


Step 2 Click the AP Name or MAC address.
Step 3 For Policy, in the Tags section, select iseEnabled. Leave Site and RF as Pod1_location.
Example:


Step 4 Click Apply to Device.

Create Redirect ACL (Referenced via RADIUS)


Procedure

Step 1 Navigate to Configuration > Security > ACL, and then click Add.
Step 2 Complete the following configuration.
a) For ACL Name, enter ACL_WEBAUTH_REDIRECT.
b) For ACL Type, select IPv4 Extended.
c) For Sequence, enter 10.
d) For Action, select permit.
e) For Source Type, select any.
f) For Destination Type, select any.
g) For Protocol, select tcp.
h) For Source Port, select None.
i) For Destination Port, select eq. For the associated Select Port, select www((http)80).
j) Click Add.
Example:

Step 3 Click Save & Apply to Device.


(Optional) Create URL Filter for BYOD Flow (Referenced via RADIUS)

Note Use this only as a reference; we are not using it in the lab delivery.
Unlike AireOS, which allows DNS entries to be part of the redirect ACL, a separate URL filter has to be
created and called via a RADIUS attribute from ISE to permit access to Internet hosts by
FQDN. We will not be using Android in this lab but leave this configuration as an example of usage
with the 9800s.

Procedure

Step 1 Navigate to Configuration > Security > URL Filters, and then click Add.
Step 2 Using the following table, set the values in the Edit URL Filter window.
The example allows access to the Google Play store for BYOD. The PRE-AUTH URL filter always works
if the Action is Permit regardless of whether the filter is set to Permit or Deny.

Name BYOD-URL-Filter
Type PRE-AUTH
Action Permit
URLs *.google.com
accounts.youtube.com
gstatic.com
*.googleapis.com
*.appspot.com
ggpht.com
gvt1.com
market.android.com
android.pool.ntp.org
*.googleusercontent.com
*.google-analytics.com

Example:


Step 3 Click Update & Apply to Device.


Important Save the configuration.

Scenario: ISE Configuration for .1x & BYOD


Exercise Objective
The goal of this exercise is to detail the configuration of ISE to provide .1x authentication and BYOD for
employees.

Exercise Description
The following diagram shows the related ISE configuration at a high level. Many of the settings are already
preconfigured on ISE. For preconfigured settings, we will review the settings.


Validate C9800 is added to ISE as Network Device


These steps will validate that the C9800 is configured.

Before you begin


The C9800 should already be added to ISE as a network device.

Procedure

Step 1 On workstation1, open Firefox or Chrome, connect to ISE 2.4 at 198.18.133.27, and then log in with
admin/C1sco12345.
Step 2 Navigate to Administration > Network Resources > Network Devices.
Step 3 Verify that WLC1 is listed. Click WLC1 and review the following settings.

Setting Value
Name WLC1
IP Address 198.19.11.10/32
Device Profile Cisco
RADIUS authentication Settings X
Shared Secret C1sco12345
CoA Port 1700

Example:


Step 4 Click Network Devices at the top to return to the list of network devices.


Modify Native Supplicant Provisioning Profile


Let's modify the profile to use our SSID. Some steps are skipped as they are already preconfigured.

Procedure

Step 1 Navigate to Policy > Policy Elements > Results > Client Provisioning > Resources.
Step 2 Select Cisco-ISE-NSP and then click Edit.
Example:

This is the Native Supplicant Profile referenced and used in the ISE Client Provisioning Policy (Policy >
Client Provisioning Policy > Apple iOS Devices).

Step 3 Select ISE, and then click Edit to modify the Wireless Profile.
Step 4 Change the SSID Name from ISE to dCloud_Internalx and confirm the rest of the settings.
Note The SSID Name must exactly match, including character case, the secure SSID name (e.g.
dCloud_Internalx) configured in Create WLAN Profiles, on page 50, or the client will not reconnect
with the certificate after completing BYOD.

Parameter Value
SSID Name * dCloud_Internalx
Security * WPA2 Enterprise
Allowed Protocol * TLS (MS-CHAPv2 if available)
Certificate Template EAP_Authentication_Certificate_Template

Note MS-CHAPv2 can also be set in the allowed protocols if available; you will see this in the Policy
Set authorization section for this specific SSID.

Example:


Step 5 Click Submit, and then click Submit again at the bottom of the page.

Review Portals: BYOD Portal


The BYOD portal is used for the Single-SSID flow that we will be testing.

Procedure

Step 1 Navigate to Work Centers > BYOD > Portals & Components > BYOD Portals.
Step 2 Click BYOD Portal (default). Ensure all the settings match the image below.


Step 3 Expand BYOD Settings and ensure the settings match the image below.
Example:


Step 4 Clear Include an AUP.


Step 5 Select Originating URL.
Step 6 Click Save and then click Close.

Review Portals: Hotspot Portal


In our tests we are going to focus on setting up a guest flow using the hotspot. This review will also give you
an understanding of how CoA, redirection and clearing out sessions work. For more detailed
configuration information about guest access, refer to ISE Guest & Web Authentication.

Procedure

Step 1 Navigate to Work Centers > Guest Access > Portals & Components > Guest Portals.
Step 2 Click Hotspot Guest Portal (default).
Step 3 Review the portal flow and the setting details.
Step 4 Expand Acceptable Use Policy (AUP) Page Settings.


We are using the access code dcloud to prevent anyone who may be near our wireless signal from using our
hotspot.
Example:

Step 5 At the top right of the settings page click Close.

Create/Review downloadable ACLs (dACLs)


Unlike the AireOS controller, the C9800 supports dACLs. Here we are going to create dACLs.

Procedure

Step 1 Navigate to Policy > Policy Elements > Results > Authorization > Downloadable ACLs.
Step 2 Click Add.
Step 3 Enter CWA.
Step 4 Expand Check DACL Syntax to verify the ACL is correct and then enter the lines for CWA from the following
table.
Note For the other ACLs, please use the table as reference. These are already built on ISE for you.

dACL Name: CWA
Create this to learn how they are built.
dACL Content:
permit udp any host 198.18.133.1 eq domain
permit tcp any host 198.18.133.27 eq 8443
deny ip any
Description (not part of the config): Allow access to the default guest portal port TCP/8443 and DNS. This is
used for devices upon redirection to the guest portal. This can be used for any guest flow.

dACL Name: ISE_PROVISION_ACCESS
This ACL already exists on ISE; use this as an example for what to include and why.
dACL Content:
permit udp any host 198.18.133.1 eq domain
permit tcp any host 198.18.133.27 eq 8443
permit tcp any host 198.18.133.27 eq 8905
permit tcp any host 198.18.133.27 eq 8084
deny ip any
Description (not part of the config): Allow access to the default BYOD portal port TCP/8443, NSP Wizard port
TCP/8905, EST Server TCP/8084, and DNS. This is used for devices upon redirection to be able to go through
BYOD redirection and onboarding.

dACL Name: INTERNET_ACCESS
This ACL already exists on ISE; use this as an example for what to include and why.
dACL Content:
permit udp any host 198.18.133.1 eq domain
permit tcp any host 198.18.133.27 eq 8443
permit tcp any host 198.18.133.27 eq 8084
deny ip any 198.18.0.0 0.1.255.255
permit ip any any
Description (not part of the config): Deny internal IP for dCloud and internal client networks and allow the rest
of the IP for Internet access and to ISE (portal success pages) and DNS.

Example:

Step 5 Click Submit.
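To see what the three dACLs above (and the ACL_WEBAUTH_REDIRECT entry from Create Redirect ACL) actually permit, the following added Python simulation parses the ACE syntax from the table and evaluates constructed client flows against INTERNET_ACCESS. This is example code, not part of the lab guide, ISE or the C9800; it assumes top-down first-match evaluation with an implicit deny, treats an entry with no destination ("deny ip any") as destination any, handles only the `eq` port operator, and uses a made-up client address.

```python
"""Parse and evaluate the INTERNET_ACCESS dACL from the lab's dACL table.

Added example, not code from the lab guide, ISE or the C9800. The ACL text is
copied from the guide's table. Assumptions: ACEs are evaluated top-down, first
match wins, with an implicit deny at the end; an entry with no destination (the
table's "deny ip any") is read as destination any; `eq` is the only port
operator handled. The client flows are constructed sample data.
"""
import ipaddress
from collections import namedtuple

PORT_NAMES = {"domain": 53, "www": 80}  # IOS port keywords used in the guide's ACLs
ANY = (0, 0xFFFFFFFF)                    # network 0.0.0.0, wildcard 255.255.255.255

INTERNET_ACCESS = """
permit udp any host 198.18.133.1 eq domain
permit tcp any host 198.18.133.27 eq 8443
permit tcp any host 198.18.133.27 eq 8084
deny ip any 198.18.0.0 0.1.255.255
permit ip any any
"""

# src/dst are (network, wildcard) as 32-bit ints; ports are None when unspecified.
Ace = namedtuple("Ace", "action proto src src_port dst dst_port")

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _addr(t, i):
    """Parse `any`, `host A.B.C.D` or `A.B.C.D WILDCARD` starting at t[i]."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0), i + 2
    return (_ip(t[i]), _ip(t[i + 1])), i + 2

def _port(t, i):
    """Parse an optional `eq PORT` clause (keyword or number)."""
    if i < len(t) and t[i] == "eq":
        name = t[i + 1]
        port = int(name) if name.isdigit() else PORT_NAMES.get(name)
        if port is None:
            raise ValueError(f"unknown port keyword {name!r}")
        return port, i + 2
    return None, i

def parse_ace(line):
    """Syntax-check one ACE, roughly what ISE's Check DACL Syntax does."""
    t = line.split()
    if len(t) < 3 or t[0] not in ("permit", "deny") or t[1] not in ("ip", "tcp", "udp"):
        raise ValueError(f"malformed ACE: {line!r}")
    src, i = _addr(t, 2)
    src_port, i = _port(t, i)
    if i < len(t):
        dst, i = _addr(t, i)
        dst_port, i = _port(t, i)
    else:
        dst, dst_port = ANY, None  # assumption: a missing destination means any
    if i != len(t):
        raise ValueError(f"trailing tokens in ACE: {line!r}")
    return Ace(t[0], t[1], src, src_port, dst, dst_port)

def parse_acl(text):
    return [parse_ace(line) for line in text.splitlines() if line.strip()]

def _in_range(addr, spec):
    net, wild = spec
    return (addr & ~wild) == (net & ~wild)  # set wildcard bits are "don't care"

def evaluate(acl, proto, src_ip, dst_ip, dst_port=None, src_port=None):
    """Return "permit" or "deny" for one flow: first matching ACE wins, else deny."""
    s, d = _ip(src_ip), _ip(dst_ip)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not _in_range(s, ace.src) or not _in_range(d, ace.dst):
            continue
        if ace.src_port is not None and ace.src_port != src_port:
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action
    return "deny"

def internet_access_results(client="198.18.133.50"):
    """Constructed client flows; 0.1.255.255 covers 198.18.0.0/15, so the WLC
    at 198.19.11.10 is denied along with the rest of the dCloud ranges."""
    acl = parse_acl(INTERNET_ACCESS)
    return {
        "dns": evaluate(acl, "udp", client, "198.18.133.1", 53),
        "ise_portal": evaluate(acl, "tcp", client, "198.18.133.27", 8443),
        "ise_https": evaluate(acl, "tcp", client, "198.18.133.27", 443),
        "wlc_gui": evaluate(acl, "tcp", client, "198.19.11.10", 443),
        "internet": evaluate(acl, "tcp", client, "93.184.216.34", 443),
    }
```

Running `internet_access_results()` shows that only the portal and EST ports on ISE survive the `deny ip any 198.18.0.0 0.1.255.255` line, which is the point of placing that line after the explicit ISE permits.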


Create/Modify Authorization Profiles: NSP_Onboard


We will update the authorization profile used for Single-SSID BYOD.

Procedure

Step 1 Navigate to Policy > Policy Elements > Results > Authorization > Authorization Profiles.
Step 2 Select NSP_Onboard, and then click Edit.
Step 3 Verify that DACL Name is selected and ISE_PROVISION_ACCESS is indicated.
Example:

Note This is the downloadable ACL that defines what is permitted/denied during onboarding. If not using the default
authorization method, add the Cisco VSA Method-List={authorization-method-list} under Advanced
Attribute Settings.

Step 4 Under Common Tasks, confirm the following settings.


a) Web Redirection (CWA, MDM, NSP, CPP) is selected.
b) Native Supplicant Provisioning is selected.
c) ACL is set to ACL_WEBAUTH_REDIRECT.
d) value is set to BYOD Portal (default).
Example:


Note The authorization result shows a BYOD flow, with an ACL sent to the controller to indicate the
redirection state and use the default BYOD Portal. ACL_WEBAUTH_REDIRECT is created in
Step 2, on page 62, in Create Redirect ACL (Referenced via RADIUS), on page 62.

Tip [For Reference only] This lab is not using the BYOD-URL-Filter, which permits access to certain
internet sites during BYOD for Android devices. If you need that in your own lab, add the following
Cisco VSA under Advanced Attribute Settings: Cisco:cisco-av-pair =
url-filter-preauth=BYOD-URL-Filter, where BYOD-URL-Filter exactly matches the name configured
on the C9800 WLC in Step 2, on page 63, in (Optional) Create URL Filter for BYOD Flow
(Referenced via RADIUS), on page 63.

Step 5 Click Save.

Create/Modify Authorization Profiles: Cisco_WebAuth


We will configure the hotspot authorization profile.

Procedure

Step 1 Click Authorization Profiles.


Step 2 Select Cisco_WebAuth, and then click Edit.
Step 3 Select DACL Name, and then select CWA.
Note This is the downloadable ACL to permit/deny during onboarding. If not using the default authorization
method, add Cisco VSA Method-List={authorization-method-list} under Advanced Attribute
Settings.

Example:


Step 4 Under Common Tasks, confirm the following settings.


a) Web Redirection (CWA, MDM, NSP, CPP) is selected.
b) Hot Spot is selected.
c) For ACL, select ACL_WEBAUTH_REDIRECT.
d) For value, select Hotspot Guest Portal (default).
Example:

Note The authorization result shows a hotspot flow, with a named ACL sent to the controller to
indicate the redirection state and use the default Hotspot Portal. ACL_WEBAUTH_REDIRECT is
created in Step 2, on page 62, in Create Redirect ACL (Referenced via RADIUS), on page 62.


Step 5 Click Save.

Configure Internet_Only
We will create the Internet Only Authorization Profile. Here you are creating the permissions that allow internet
access for the associated rules.

Procedure

Step 1 Click Authorization Profiles, and then click Add.


Step 2 For Name, enter Internet_Only.
Step 3 Under Common Tasks, select DACL Name and then select INTERNET_ACCESS.
Example:

Step 4 Click Submit.


Create Policy Sets


Procedure

Step 1 Navigate to Policy > Policy Sets.


Step 2 Click the gear icon on the first line and select Insert new row above.
Example:

Step 3 For Policy Set Name, enter dCloud_Internal.


Step 4 In the Conditions column, click +.
Conditions Studio is displayed.

Step 5 On the right-hand-side click Click to add an attribute.


Step 6 Under dictionary, select RADIUS.
The list is filtered to standard RADIUS attributes.

Step 7 In the text box under Attribute, enter Called to narrow the selection list, and then pick Called-Station-ID.
Example:


Step 8 Change Equals to Contains.


Tip Using Contains will match on dCloud_Guest (as well as dCloud_Internal) without worrying about
what you added at the end to make it unique.

Step 9 In the attribute value, enter dCloud_Internal. This value is case sensitive.
Note Match the attribute value with the WLAN name pattern for dCloud_Internal configured in Create
WLAN Profiles, on page 50.

Example:

Step 10 Click Use on the bottom of the page.


Step 11 After returning to the main Policy Sets page, select Default Network Access under Allowed Protocols /
Server Sequence.
Step 12 Repeat Step 1, on page 77, through Step 11, on page 78, above for dCloud_Guestx (case sensitive).
Note Match the attribute value with the WLAN name pattern for dCloud_Guest configured in Create
WLAN Profiles, on page 50.
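The Called-Station-Id that the C9800 populates as ap-macaddress-ssid (noted under Define AAA Server Groups and Global settings) is what the Contains condition built in Steps 7 to 12 is evaluated against. The added Python simulation below is not part of the lab guide, ISE or the C9800; it assumes the attribute is rendered as "<ap-mac>:<ssid>" with a colon separator, that policy sets are checked top-down with first match winning, and it uses a made-up AP MAC and constructed requests.

```python
"""Simulate ISE policy-set selection on the Called-Station-Id sent by the C9800.

Added example, not code from the lab guide, ISE or the C9800. Assumptions: the
controller's default call-station-id format ap-macaddress-ssid is rendered as
"<ap-mac>:<ssid>" (colon separator, dashes in the MAC); policy sets are checked
top-down, first match wins, and the Default set catches everything else. The
AP MAC and RADIUS requests below are constructed sample data.
"""
from collections import namedtuple

# operator is "Equals" or "Contains" as offered in Conditions Studio; value is
# compared against the whole Called-Station-Id attribute, case sensitive.
PolicySet = namedtuple("PolicySet", "name operator value")

# The two policy sets the guide builds (Called-Station-Id Contains <WLAN prefix>).
LAB_POLICY_SETS = [
    PolicySet("dCloud_Internal", "Contains", "dCloud_Internal"),
    PolicySet("dCloud_Guest", "Contains", "dCloud_Guest"),
]

# Constructed requests: pod number 1, so the SSIDs are dCloud_Internal1 / dCloud_Guest1.
SAMPLE_REQUESTS = {
    "internal": "00-11-22-33-44-55:dCloud_Internal1",
    "guest": "00-11-22-33-44-55:dCloud_Guest1",
    "wrong_case": "00-11-22-33-44-55:dcloud_internal1",  # case differs from the WLAN
    "admin": "00-11-22-33-44-55:pod1_admin",             # the lab's admin WLAN
}


def split_called_station_id(value):
    """Split "<ap-mac>:<ssid>" at the first colon; the MAC uses dashes, so any
    colon after it belongs to the SSID."""
    ap_mac, sep, ssid = value.partition(":")
    if not sep or not ssid:
        raise ValueError(f"unexpected Called-Station-Id format: {value!r}")
    return ap_mac, ssid


def condition_matches(ps, called_station_id):
    """Evaluate one Called-Station-Id condition exactly as typed (case sensitive)."""
    if ps.operator == "Equals":
        return called_station_id == ps.value
    if ps.operator == "Contains":
        return ps.value in called_station_id
    raise ValueError(f"unsupported operator {ps.operator!r}")


def select_policy_set(policy_sets, called_station_id):
    """Return the first matching policy set's name, or "Default"."""
    for ps in policy_sets:
        if condition_matches(ps, called_station_id):
            return ps.name
    return "Default"


def classify_samples(policy_sets=LAB_POLICY_SETS):
    """Map each sample request to (ssid, policy set). Contains also matches any
    other WLAN whose name embeds the prefix, so keep WLAN names distinct."""
    return {
        k: (split_called_station_id(v)[1], select_policy_set(policy_sets, v))
        for k, v in SAMPLE_REQUESTS.items()
    }


def equals_misses_suffixed_ssid():
    """Why the guide changes Equals to Contains: Equals compares the whole
    attribute, which carries the AP MAC and the pod suffix, so it never matches."""
    strict = [PolicySet("dCloud_Internal", "Equals", "dCloud_Internal")]
    return select_policy_set(strict, SAMPLE_REQUESTS["internal"]) == "Default"
```

The wrong_case request falling through to Default is the failure mode the case-sensitivity note above warns about; in ISE Live Logs it would show up as a hit on the Default policy set rather than on dCloud_Internal.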


Step 13 Click Save.

The result should resemble the following image.

Create Policy for Internal SSID


Procedure

Step 1 In the View column for the dCloud_Internal policy set, click >.
Step 2 Expand Authorization Policy.
Step 3 Click x next to DenyAccess for default rule profiles.
Step 4 Select NSP_Onboard from the list.
Note This rule is used for devices that are not using EAP-TLS and require BYOD onboarding.

Example:

Step 5 Click + above the default rule.


Step 6 For Rule Name, enter EAP-TLS.
Step 7 Click + to open the Conditions Studio.
Step 8 On the right-hand-side, click Click to add an attribute.
Step 9 Under dictionary, select Network Access.
The list is filtered to Network Access attributes.

Step 10 Select EapAuthentication from the list.


Step 11 In the attribute value, select EAP-MSCHAPv2.
Step 12 Click Use on the bottom of the page.
Example:


Step 13 After returning to the dCloud_Internal Policy Sets page, for Profiles, select PermitAccess.
Example:

Step 14 Click Save.


Step 15 Click the Policy Sets hyperlink in the top left corner of the page to return to the main policy set page.

Create Policy for Guest SSID

Note The default setup for guest would include most of these authentication policies. We are showing it in
case you are not using the defaults.

Procedure

Step 1 In the View column for the dCloud_Guest policy set, click >.
Step 2 Expand Authentication Policy.
Step 3 In the Use column, select Internal Endpoints.
Step 4 Click > Options.
Advanced options are displayed.

Step 5 For If User not found, select CONTINUE.


Example:


Step 6 Expand Authorization Policy.


Step 7 Next to DenyAccess, click x for default rule profiles.
Step 8 Select Cisco_WebAuth from the list.
Step 9 Above the Default rule, click + to create an authorization rule.
Step 10 For Rule Name, enter Guest Endpoint.
Step 11 Click + to display the Conditions Studio.
Step 12 On the right-hand-side, click Click to add an attribute.
Step 13 Under dictionary, select IdentityGroup.
The list is filtered to Identity Group attributes.

Step 14 Select Name from the list.


Step 15 In the attribute value, select Endpoint Identity Groups:GuestEndpoints.
Note This rule permits any endpoints registered in GuestEndpoints after accepting the AUP.

Step 16 Click Use on the bottom of the page.


Example:

Step 17 After returning to the dCloud_Guest Policy Sets page, for Profiles, select Internet_Only
Example:


Step 18 Click Save.


The result should resemble the following (note that we are not configuring the Guest Login example). For
more information, refer to ISE Guest & Web Authentication.

Step 19 In the top left corner of the page, click the Policy Sets hyperlink to return to main policy set page.

Scenario: Client Testing for Guest & BYOD


Exercise Objective
Now that we have working configurations that showcase what is needed for Guest, BYOD and secure
wireless, we can connect with a real client. If you don’t have an Apple device, ask the proctor to use their
device. You can use your own device for the guest flow, but for BYOD we ask you to use an Apple iOS
device for simplicity of configuration and to save time.

Test Hotspot Flow


Procedure

Step 1 On your client device, go to your wireless configuration, and then connect to dCloud_Guestx.
On Apple iOS devices the Captive Network Assistant should pop up.

Step 2 Enter the access code dcloud (all lowercase), and then click Accept.
Your device connects and you should be able to browse the internet.

Step 3 On the 9800, navigate to Monitoring > Wireless > Clients.


Notice your client has a value of Run for State.


Step 4 In ISE, navigate to Operations > RADIUS > Live Logs and notice the following.
You may need to change some of the column sizes and scroll to the right to see all the information.
• The device first connects as an Apple-Device.
• The user enters the code and accepts the AUP.
• The device is registered and placed into the Guest Endpoint group with internet access.
• Notice how the device was identified as an iPhone after it hit the portal. This is part of our device profiling
service.

Example:

Step 5 In the upper left, switch to live sessions view.


Here you can perform CoA actions on the endpoint, such as terminate or re-authenticate, if needed.

Step 6 Navigate to Context Visibility > Endpoints and look through the endpoint information available there.
Step 7 Disable the wireless connection on your device.
Step 8 Under Context Visibility, delete the selected endpoint.
Example:

This allows us to go through the BYOD flow as a new client.


Test BYOD flow


Procedure

Step 1 On your Apple iOS device, connect to the dCloud_Internalx SSID.


Step 2 Connect with credentials employee/C1sco12345.
Step 3 Trust the certificate presented.
Step 4 Check the client connection.
Example:

Step 5 Open Safari and navigate to cisco.com.


Step 6 Click Start and follow the prompts to go through BYOD process.
After the process completes you should be able to browse the internet.

Step 7 In ISE, navigate to Operations > RADIUS > Live Logs.


Notice that the device went through a flow similar to the guest network.
• Device first connects as an Apple-Device.
• User is redirected to BYOD portal for onboarding (NSP_Onboard).
• Device is registered and configured with a certificate for certificate based authentication.

Notice how the device was identified as an iPhone after it hit the portal. This is part of our device profiling
service.
Example:

CHAPTER 3
What's Next?
• What's Next, on page 85

What's Next
Check out the other ISE demos at http://cs.co/selling-ise-demos
Talk about it on the dCloud Community.
