Wireless3Notes


1. Physical to Logical Setup
2. Static Routing
3. NTP Server
4. DHCP Server
5. WLC Initialization
6. ISE & WLC Integration
7. Configuring the WLC for ISE-Based Authentication
8. Configuring the ISE for WLC-Based Authentication
9. Downloadable ACLs (DACLs)
10. Integrating AD with ISE
11. Incorporating the AD Groups into your Policy
12. Certificate Based Authentication
13. Basic Guest Access - WEP
14. Basic Guest Access - Local Web Authentication
15. Anchor Configuration
====================================================================
====================================================================
1. Physical to Logical Setup
====================================================================

====================================================================
2. Static Routing
====================================================================

----------
CAT1
----------

ip route 10.0.12.0 255.255.255.0 10.0.13.22
ip route 10.0.14.0 255.255.255.0 10.0.13.22
ip route 10.0.30.0 255.255.255.0 10.0.13.22
ip route 10.0.40.0 255.255.255.0 10.0.13.22

----------
CAT2
----------

ip route 10.0.10.0 255.255.255.0 10.0.13.11
ip route 10.0.11.0 255.255.255.0 10.0.13.11
ip route 10.0.20.0 255.255.255.0 10.0.13.11
ip route 10.0.1.0 255.255.255.0 10.0.13.11

====================================================================
3. NTP
====================================================================

-----------
CAT1
-----------

clock timezone GST 4
do clock set 18:45:00 11 mar 2020
!
ntp master
ntp source vlan 101

-----------
CAT2
-----------

clock timezone EST -4
!
ntp server 10.0.1.101
ntp source vlan 13

====================================================================
4. DHCP Server
====================================================================

-----------
CAT1
-----------

ip dhcp excluded-address 10.0.11.1 10.0.11.100
ip dhcp excluded-address 10.0.12.1 10.0.12.100
ip dhcp excluded-address 10.0.20.1 10.0.20.100
ip dhcp excluded-address 10.0.30.1 10.0.30.100
ip dhcp excluded-address 10.0.40.1 10.0.40.100
!
ip dhcp pool AP1
network 10.0.11.0 /24
default-router 10.0.11.11
dns-server 10.0.1.12
option 43 hex f104.0A00.0A15
!
ip dhcp pool AP2
network 10.0.12.0 /24
default-router 10.0.12.22
dns-server 10.0.1.12
option 43 hex f104.0A00.0A15
!
ip dhcp pool EXECS
network 10.0.20.0 /24
default-router 10.0.20.11
dns-server 10.0.1.12
!
ip dhcp pool EMPLOYEES
network 10.0.30.0 /24
default-router 10.0.30.22
dns-server 10.0.1.12
!
ip dhcp pool GUESTS
network 10.0.40.0 /24
default-router 10.0.40.22
dns-server 10.0.1.12
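
The option 43 value in the AP1 and AP2 pools is the Cisco 0xf1 sub-option: a type byte, a length byte (4 per controller) and the controller IPs, which is how the value f104.0A00.0A15 encodes WLC1's management address 10.0.10.21. The encoder and decoder below are an added example, not part of the lab notes; the function names are my own.

```python
import ipaddress

# Cisco vendor-specific sub-option carrying controller IPs (type 0xf1)
WLC_SUBOPTION = 0xF1

def build_option43(wlc_ips):
    """Return the 'option 43 hex' string for the given controller IPs.

    Layout: type (0xf1), length (4 bytes per IP), then each IPv4 address.
    IOS writes the hex in 16-bit groups separated by dots.
    """
    if not wlc_ips:
        raise ValueError("at least one controller IP is required")
    raw = bytes([WLC_SUBOPTION, 4 * len(wlc_ips)])
    for ip in wlc_ips:
        raw += ipaddress.IPv4Address(ip).packed
    hexstr = raw.hex()
    return ".".join(hexstr[i:i + 4] for i in range(0, len(hexstr), 4))

def parse_option43(dotted):
    """Decode an IOS option 43 hex string back into controller IPs.

    Rejects a wrong sub-option type or a length byte that disagrees with
    the payload, the usual typo that leaves APs unable to find the WLC.
    """
    raw = bytes.fromhex(dotted.replace(".", ""))
    if len(raw) < 2 or raw[0] != WLC_SUBOPTION:
        raise ValueError("not a Cisco 0xf1 controller sub-option")
    length = raw[1]
    if length == 0 or length % 4 or len(raw) != 2 + length:
        raise ValueError("length byte does not match the address payload")
    return [str(ipaddress.IPv4Address(raw[i:i + 4]))
            for i in range(2, 2 + length, 4)]

if __name__ == "__main__":
    # Both AP pools in the notes point the APs at WLC1 (10.0.10.21)
    print(build_option43(["10.0.10.21"]))    # f104.0a00.0a15
    print(parse_option43("f104.0A00.0A15"))  # ['10.0.10.21']
```

Listing both controllers (for example WLC1 and WLC2) simply extends the length byte to 0x08 and appends the second address.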

====================================================================
5. WLC Initialization
====================================================================

-----------
WLC1
-----------

System Name: WLC1
Admin Name: admin
Password: NDojo123
Service Port: Default
LAG: Yes
IP Address: 10.0.10.21
S.Mask: 255.255.255.0
Default GW: 10.0.10.11
VLAN: 10
***************************************************************************
System Name [Cisco_5c:f8:e4] (31 characters max): WLC1
Enter Administrative User Name (24 characters max): admin
Enter Administrative Password (3 to 24 characters): ********
Re-enter Administrative Password : ********

Service Interface IP Address Configuration [static][DHCP]:

Enable Link Aggregation (LAG) [yes][NO]: yes

Management Interface IP Address: 10.0.10.21


Management Interface Netmask: 255.255.255.0
Management Interface Default Router: 10.0.10.11
Management Interface VLAN Identifier (0 = untagged): 10
Management Interface DHCP Server IP Address: 10.0.10.11

Enable HA [yes][NO]: no

Virtual Gateway IP Address: 192.0.2.1

Mobility/RF Group Name: ABC

Network Name (SSID): MGMT

Configure DHCP Bridging Mode [yes][NO]: no

Allow Static IP Addresses [YES][no]: no

Configure a RADIUS Server now? [YES][no]: no


Warning! The default WLAN security policy requires a RADIUS server.
Please see documentation for more details.

Enter Country Code list (enter 'help' for a list of countries) [US]:

Enable 802.11b Network [YES][no]:


Enable 802.11a Network [YES][no]:
Enable 802.11g Network [YES][no]:
Enable Auto-RF [YES][no]:

Configure a NTP server now? [YES][no]: yes


Enter the NTP server's IP address: 10.0.1.101
Enter a polling interval between 3600 and 604800 secs: 3600

Would you like to configure IPv6 parameters[YES][no]: no

Configuration correct? If yes, system will save it and reset. [yes][NO]: yes
***************************************************************************

-----------
WLC2
-----------

System Name: WLC2
Admin Name: admin
Password: NDojo123
Service Port: Default
LAG: Yes
IP Address: 10.0.14.21
S.Mask: 255.255.255.0
Default GW: 10.0.14.22
VLAN: 14

***************************************************************************
System Name [Cisco_ac:2d:a5] (31 characters max): WLC2
Enter Administrative User Name (24 characters max): admin
Enter Administrative Password (3 to 24 characters): ********
Re-enter Administrative Password : ********

Enable Link Aggregation (LAG) [yes][NO]: yes

Management Interface IP Address: 10.0.14.21


Management Interface Netmask: 255.255.255.0
Management Interface Default Router: 10.0.14.22
Cleaning up Provisioning SSID
Error: failed to disable Day0 ssid. return Code : 7
Management Interface VLAN Identifier (0 = untagged): 14
Management Interface DHCP Server IP Address: 10.0.13.11

Virtual Gateway IP Address: 192.0.2.1

Multicast IP Address: 225.11.11.11

Mobility/RF Group Name: ABC

Network Name (SSID): MGMT

Configure DHCP Bridging Mode [yes][NO]: no

Allow Static IP Addresses [YES][no]: no

Configure a RADIUS Server now? [YES][no]: no


Warning! The default WLAN security policy requires a RADIUS server.

Please see documentation for more details.

Enter Country Code list (enter 'help' for a list of countries) [US]:

Enable 802.11b Network [YES][no]:


Enable 802.11a Network [YES][no]:
Enable 802.11g Network [YES][no]:
Enable Auto-RF [YES][no]:

Configure a NTP server now? [YES][no]: yes


Enter the NTP server's IP address: 10.0.1.101
Enter a polling interval between 3600 and 604800 secs: 3600

Would you like to configure IPv6 parameters[YES][no]: no

Configuration correct? If yes, system will save it and reset. [yes][NO]: yes

====================================================================
6. ISE & WLC Integration
====================================================================

------
WLC1
------

Security -> AAA -> RADIUS -> Authentication -> New

IP: 10.0.1.5
Key: cisco123
authentication port: 1812
Timeout: 5

Security -> AAA -> RADIUS -> Accounting -> New

IP: 10.0.1.5
Key: cisco123
authentication port: 1812
Timeout: 5

====================================================================
7. Configuring the WLC for ISE-Based Authentication
====================================================================

------------------------------
1. Create the VLAN Interfaces
------------------------------

Controllers -> Interfaces -> New

Name: execs
VLAN: 20
IP Address: 10.0.20.99
Subnet Mask: 255.255.255.0
Default Gateway: 10.0.20.11
DHCP Server: 10.0.13.11

Name: employees
VLAN: 30
IP Address: 10.0.30.99
Subnet Mask: 255.255.255.0
Default Gateway: 10.0.30.22
DHCP Server: 10.0.13.11

Name: guests
VLAN: 40
IP Address: 10.0.40.99
Subnet Mask: 255.255.255.0
Default Gateway: 10.0.40.22
DHCP Server: 10.0.13.11

------------------------------
2. Create the SSID
------------------------------

WLANs -> Create New

General

Profile Name: ABC


SSID: ABC
Enabled: Checked
Interface: management

Security:

Layer2: WPA+WPA2
AAA Server:
Check RADIUS Server Overwrite Interface
Select the ISE as Authentication and Accounting

Advanced:

Check "Allow AAA Override"

====================================================================
8. Configuring the ISE for WLC based Authentication
====================================================================

------------------------------
1. Create the Groups and Users
------------------------------

Administration -> Identity Management -> Groups -> User Identity Groups -> Add

Name: EXECS

Name: EMPLOYEES

Administration -> Identity Management -> Identities -> Add

Name: Exec1
Password: Ciso123*
Group: EXECS

Name: Employee1
Password: Ciso123*
Group: EMPLOYEES

--------------------------------------
2. Configure an Authorization Profile
--------------------------------------

Policy -> Policy Elements -> Results -> Authorization -> Authorization Profiles -> Add

Name: EXECS-PROFILE
VLAN: 20

Name: EMPLOYEES-PROFILE
VLAN: 30

--------------------------------------
3. Configure an Authorization Policy
--------------------------------------

Policy -> Authorization -> Add

-----------------------------------
Name: EXECS-POLICY
Identity Group: EXECS

Conditions:
Wireless_802.1x
Device:Device-Type = HQ-WLCs
Radius:Called-Station endswith ABC

Permission:
Name: EXECS-PROFILE
-----------------------------------

-----------------------------------
Name: EMPLOYEE-POLICY
Identity Group: EMPLOYEES

Conditions:
Wireless_802.1x
Device:Device-Type = HQ-WLCs
Radius:Called-Station endswith ABC

Permission:
Name: EMPLOYEE-PROFILE
-----------------------------------

====================================================================
9. Downloadable ACLs
====================================================================

--------------------------------
1. Create the ACL on the WLC
--------------------------------

Security -> Access Control Lists -> ACL

Name: EMP-ACL
Put the entries in

Permit ICMP from and to 10.0.13.0/24
Block ICMP from the rest
Permit the rest

--------------------------------
2. Configure the ISE Profile
--------------------------------

Policy -> Policy Elements -> Results -> Authorization -> Authorization Profile -> EMPLOYEE-PROFILE -> Edit

Airespace ACL Name = EMP-ACL

Verification/Logs:

WLC - Monitor -> Clients -> Click on the Client

ISE - Operations -> RADIUS -> Live Logs

===========================================================
10. Integrating AD with ISE
===========================================================
----------------------------------------------------------------------------
1. Importing the Root Certificate for the Company - Required if you are doing
Certificate-based authentication
----------------------------------------------------------------------------

Administration -> System -> Certificates -> Trusted Certificates -> Import

Check all the boxes

Save

------------------------------------------------------
2. Add Active Directory to ISE
------------------------------------------------------

Administration -> Identity Management -> External Identity Sources -> Active Directory -> Add

Name: AD-ABC
Domain: networkdojo.local
Admin User: admin
Password: NDojo123

Administration -> Identity Management -> External Identity Sources -> Active Directory -> AD-ABC -> Groups -> Import

ADgroup1
ADgroup2
DomainUsers
DomainAdmins
DomainGuest

----------------------------------------------------------------------------
3. Enable Certificates from AD - if using Certificate based Authentication
----------------------------------------------------------------------------

Administration -> Identity Management -> External Identity Sources -> Certificate Authentication Profile -> Pre-Load certificate Profile -> Add AD-ABC to the Identity Store

Save

----------------------------------------------------------------------------
4. Enable/Use AD based authentication
----------------------------------------------------------------------------

Administration -> Identity Management -> Identity Source Sequences -> All_Users_ID_Stores ->

-> Add AD and Internal Endpoint to the Select list.
-> Recommended to move AD to the top

Save

====================================================================
11. Incorporating the AD Groups into your Policy
====================================================================

Policy -> Authorization -> Insert at the Top

-----------------------------------
Name: AD-EXECS-POLICY

Conditions:
Wireless_802.1x
Device:Device-Type = HQ-WLCs
Radius:Called-Station endswith ABC
AD-ABC:ExternalGroups equal Networkdojo.local/Adgroup1

Permission:
Name: EXECS-PROFILE
-----------------------------------

-----------------------------------
Name: AD-EMP-POLICY

Conditions:
Wireless_802.1x
Device:Device-Type = HQ-WLCs
Radius:Called-Station endswith ABC
AD-ABC:ExternalGroups equal Networkdojo.local/Adgroup1
Permission:
Name: EMPLOYEE-PROFILE
-----------------------------------

=============================================
12. Certificate Based Authentication
=============================================

----------------------------------------------------------------------------
1. Change the Condition such that Certificate-based authentication becomes a
requirement for Adgroup1.
----------------------------------------------------------------------------

-----------------------------------
Name: AD-EXECS-POLICY

Conditions:
Wireless_802.1x
Device:Device-Type = HQ-WLCs
Radius:Called-Station endswith ABC
AD-ABC:ExternalGroups equal Networkdojo.local/Adgroup1
Network Access:EAPAuthentication equals EAP-TLS

Permission:
Name: EXECS-PROFILE
-----------------------------------
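
ISE evaluates authorization rules top-down and stops at the first match, which is why the AD rule is inserted at the top and why adding the EAP-TLS condition means a password-only (PEAP) login from an Adgroup1 member no longer reaches EXECS-PROFILE. The evaluator below is an added example, not ISE code or part of the notes; the attribute names, the single-valued Wireless_802.1X flag and the lower-cased group names are simplifying assumptions.

```python
# Operators used by the conditions in the notes; ExternalGroups is multi-valued
OPS = {
    "equals": lambda attr, value: attr == value,
    "endswith": lambda attr, value: attr.endswith(value),
    "contains": lambda attr, value: value in attr,
}

# Rules in ISE order: the AD rule was inserted at the top, so it is tried first.
# Group names are lower-cased to mimic ISE's case-insensitive group comparison.
RULES = [
    ("AD-EXECS-POLICY", [
        ("Access", "equals", "Wireless_802.1X"),
        ("Device-Type", "equals", "HQ-WLCs"),
        ("Called-Station-Id", "endswith", "ABC"),
        ("ExternalGroups", "contains", "networkdojo.local/adgroup1"),
        ("EAPAuthentication", "equals", "EAP-TLS"),   # certificate required
    ], "EXECS-PROFILE"),
    ("EMPLOYEE-POLICY", [
        ("Access", "equals", "Wireless_802.1X"),
        ("Device-Type", "equals", "HQ-WLCs"),
        ("Called-Station-Id", "endswith", "ABC"),
        ("IdentityGroup", "equals", "EMPLOYEES"),
    ], "EMPLOYEE-PROFILE"),
]
DEFAULT_RULE = ("Default", "DenyAccess")   # ISE's catch-all when nothing matches

def authorize(request):
    """First-match evaluation: return (rule name, authorization profile)."""
    for name, conditions, profile in RULES:
        if all(OPS[op](request.get(attr, ""), value)
               for attr, op, value in conditions):
            return name, profile
    return DEFAULT_RULE

# Constructed RADIUS request as ISE would see it from WLC1 on SSID ABC
EXEC_REQUEST = {
    "Access": "Wireless_802.1X",
    "Device-Type": "HQ-WLCs",
    "Called-Station-Id": "00-11-22-33-44-55:ABC",
    "ExternalGroups": ["networkdojo.local/adgroup1", "networkdojo.local/domain users"],
    "EAPAuthentication": "EAP-TLS",
}

if __name__ == "__main__":
    print(authorize(EXEC_REQUEST))                                   # AD-EXECS-POLICY
    print(authorize({**EXEC_REQUEST, "EAPAuthentication": "PEAP"}))  # Default / DenyAccess
```

A request from a different SSID fails the Called-Station-Id condition in every rule and also lands on the default deny, which is the check to run in Operations -> RADIUS -> Live Logs when a client is unexpectedly rejected.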

===========================================================
13. Basic Guest Access - WEP
===========================================================

----------
CAT1
----------

ip route 199.1.1.0 255.255.255.0 10.0.13.22

----------
CAT2
----------

interface Loopback0
 ip address 199.1.1.1 255.255.255.0
!
access-list 101 permit ip any 199.1.1.0 0.0.0.255
access-list 101 permit udp any any eq bootps
access-list 101 permit udp any any eq bootpc
access-list 101 permit udp any any eq domain
!
interface Vlan40
 ip access-group 101 in
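
Access-list 101 lets guests on VLAN 40 reach only the 199.1.1.0/24 loopback (standing in for the Internet) plus DHCP and DNS; everything else, including the 10.0.x.x infrastructure, falls to the implicit deny at the end. The evaluator below is an added example, not part of the notes, and handles only the "any", "host" and address/wildcard forms these four entries use.

```python
import ipaddress

# The four ACEs from CAT2's access-list 101 (copied from the notes)
ACL_101 = [
    "permit ip any 199.1.1.0 0.0.0.255",
    "permit udp any any eq bootps",
    "permit udp any any eq bootpc",
    "permit udp any any eq domain",
]
NAMED_PORTS = {"bootps": 67, "bootpc": 68, "domain": 53}

def _addr_matcher(tokens):
    """Consume one address spec (any | host A | A WILDCARD); return (fn, rest)."""
    if tokens[0] == "any":
        return (lambda ip: True), tokens[1:]
    if tokens[0] == "host":
        host = int(ipaddress.IPv4Address(tokens[1]))
        return (lambda ip: ip == host), tokens[2:]
    base = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    # bits set in the wildcard mask are "don't care" bits
    return (lambda ip: (ip | wild) == (base | wild)), tokens[2:]

def parse_ace(line):
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, rest = _addr_matcher(tokens[2:])
    dst, rest = _addr_matcher(rest)
    port = None
    if rest[:1] == ["eq"]:
        port = int(NAMED_PORTS.get(rest[1], rest[1]))
    return action, proto, src, dst, port

def evaluate(acl, proto, src_ip, dst_ip, dst_port=None):
    """Return 'permit' or 'deny'; unmatched traffic hits the implicit deny."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    for action, aproto, src, dst, port in map(parse_ace, acl):
        if aproto != "ip" and aproto != proto:
            continue
        if src(s) and dst(d) and (port is None or port == dst_port):
            return action
    return "deny"

if __name__ == "__main__":
    print(evaluate(ACL_101, "tcp", "10.0.40.150", "199.1.1.1", 80))   # permit
    print(evaluate(ACL_101, "tcp", "10.0.40.150", "10.0.1.5", 1812))  # deny
```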

------------
WLC
------------

----------------------------
A. Create the VLAN Interface
----------------------------

Controller -> Interfaces

Name: guests
VLAN: 40
IP Address: 10.0.40.99/24
Default Gateway: 10.0.40.22
DHCP: 10.0.13.11

----------------------------
B. Create the SSID
----------------------------

WLAN -> Create New

Profile Name: GUESTS-WEP
SSID: GUESTS-WEP
Enabled: checked
Interface: guests
Layer2 Security: Basic WEP : 40-bit : Cisco

===========================================================
14. Basic Guest Access - Local Web Authentication
===========================================================

------
WLC1
------

----------------------------
1. Create the SSID
----------------------------
WLAN -> Create New

Profile Name: GUESTS-LWEB
SSID: GUESTS-LWEB
Enabled: checked
Interface: guests
Layer2 Security: None
Layer3 Security: Web-Policy

--------------------------
2. Create a Local NetUser
--------------------------

Security -> AAA -> Local Net Users -> Add

Username: khawar
Password: Cisco123
Guest user: Checked
WLAN: GUESTS-LWEB

===========================================================
15. Anchor Configuration
===========================================================

--------------------------------------------------
1. Configure a relationship between the WLCs
--------------------------------------------------

Controllers -> Mobility Management -> Mobility Groups -> EditAll

Copy and Paste the config from the partner WLCs adding the Group Name at the end

----------------------------------------------------------------------------
2. Configure the Interface and WLAN for Guest on the Anchor identical to the
Main WLC
----------------------------------------------------------------------------

----------------------------
A. Create the VLAN Interface
----------------------------

Controller -> Interfaces

Name: guests
VLAN: 40
IP Address: 10.0.40.98/24
Default Gateway: 10.0.40.22
DHCP: 10.0.13.11

----------------------------
B. Create the SSID
----------------------------

WLAN -> Create New

Profile Name: GUESTS
SSID: GUESTS
Enabled: checked
Interface: guests
Layer2 Security: Basic WEP : 40-bit : Cisco

----------------------------------------------------------------------------
3. Configure the Relationship of Anchor and Foreign WLC between WLC1 & WLC2
----------------------------------------------------------------------------

--------
WLC2
--------

WLANs -> Hover over the blue drop-down arrow next to the WLAN and select "Mobility Anchor"

Select Local as the Mobility Anchor

WLANs -> Hover over the blue drop-down arrow next to the WLAN and select "Foreign Map"

Specify the MAC Address of the peer and the associated exit interface.

--------
WLC1
--------

WLANs -> Hover over the blue drop-down arrow next to the WLAN and select "Mobility Anchor"

Select WLC2 as the Anchor
