Wireless 4 Notes

1. Basic Setup with Review - (Configuring 802.1X Authentication with ISE & AD)
2. Guest - HotSpot
3. Guest - Sponsor Portal
4. MAB for APs
5. Mobility Express
6. Device Administration with ISE
7. ATF (Air Time Fairness)
8. CleanAir Configurations
-----------------------------------------------
===============================================
Base Configuration
===============================================

-----
CAT1
-----

vlan 10-15,20,30,40
exit
! 40 = guests VLAN, used by the CAT2 SVI and the WLC guests interface and carried
! over the trunk; VLAN 101 (10.0.1.0/24 server segment, used below) must also exist
!
Interface vlan 101
ip address 10.0.1.11 255.255.255.0
no shut
!
default interface range gig 1/0/10-11
!
Interface range gig 1/0/10-11
channel-group 21 mode on
no shut
!
Interface port-channel 21
switchport mode trunk
!
Interface vlan 10
ip address 10.0.10.11 255.255.255.0
no shut
!
Interface gig 1/0/1
switchport mode access
switchport access vlan 11
!
Interface vlan 11
ip address 10.0.11.11 255.255.255.0
no shut
!
Interface vlan 15
ip address 10.0.15.11 255.255.255.0
no shut
!
Interface vlan 20
ip address 10.0.20.11 255.255.255.0
no shut
!
Interface vlan 13
ip address 10.0.13.11 255.255.255.0
no shut
!
ip dhcp excluded-address 10.0.11.1 10.0.11.100
ip dhcp excluded-address 10.0.12.1 10.0.12.100
ip dhcp excluded-address 10.0.15.1 10.0.15.100
ip dhcp excluded-address 10.0.20.1 10.0.20.100
ip dhcp excluded-address 10.0.30.1 10.0.30.100
ip dhcp excluded-address 10.0.40.1 10.0.40.100
!
ip dhcp pool AP1
network 10.0.11.0 /24
default-router 10.0.11.11
dns-server 10.0.1.12
! Cisco AP controller discovery: type 0xF1, length 4, value 0A.00.0A.15 = WLC 10.0.10.21
option 43 hex f104.0A00.0A15
!
! AP2 (VLAN 15) deliberately carries no option 43; this is the Mobility Express AP segment
ip dhcp pool AP2
network 10.0.15.0 /24
default-router 10.0.15.11
dns-server 10.0.1.12
!
! AP3 sits on CAT2 (VLAN 12, relayed here via ip helper-address) and also joins WLC 10.0.10.21
ip dhcp pool AP3
network 10.0.12.0 /24
default-router 10.0.12.22
dns-server 10.0.1.12
option 43 hex f104.0A00.0A15
!
ip dhcp pool EXECS
network 10.0.20.0 /24
default-router 10.0.20.11
dns-server 10.0.1.12
!
ip dhcp pool EMPLOYEES
network 10.0.30.0 /24
default-router 10.0.30.22
dns-server 10.0.1.12
!
ip dhcp pool GUESTS
network 10.0.40.0 /24
default-router 10.0.40.22
dns-server 10.0.1.12
!
no router eigrp 1
router eigrp 111
network 10.0.0.0
passive-interface default
no passive-interface vlan 13
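
The option 43 strings in the AP pools above are easy to get wrong by hand (a wrong length byte or a mistyped octet silently sends APs nowhere). The following encoder/decoder is an added example, not part of the original notes: it builds the Cisco lightweight-AP TLV (type 0xF1, length 4 per controller, raw IPv4 bytes) for a list of WLC management addresses, renders it in the dotted-hex form IOS expects, and parses a value from a running config back into addresses, rejecting malformed TLVs. The only addresses assumed are the page's own (WLC 10.0.10.21).

```python
"""Encode/decode the DHCP option 43 value used in the CAT1 AP pools.

Added example, not part of the original notes. Cisco lightweight APs
read option 43 as a vendor-specific TLV: type 0xF1 (241), length
4 * number of controllers, value = controller management IPv4
addresses as raw bytes. IOS takes it as dotted hex quads, so the
page's "f104.0A00.0A15" is one controller, 10.0.10.21 (case is not
significant in IOS hex strings).
"""
import ipaddress
from typing import List

CISCO_AP_TLV_TYPE = 0xF1  # sub-option Cisco APs look for inside option 43


def build_option43(controllers: List[str]) -> bytes:
    """Encode WLC management addresses as the Cisco AP option 43 TLV."""
    if not controllers:
        raise ValueError("at least one controller address is required")
    value = b"".join(ipaddress.IPv4Address(ip).packed for ip in controllers)
    if len(value) > 255:
        raise ValueError("too many controllers for one TLV")
    return bytes([CISCO_AP_TLV_TYPE, len(value)]) + value


def to_ios_hex(tlv: bytes) -> str:
    """Render a TLV the way IOS wants it: 'option 43 hex f104.0a00.0a15'."""
    hexstr = tlv.hex()
    return ".".join(hexstr[i:i + 4] for i in range(0, len(hexstr), 4))


def from_ios_hex(text: str) -> bytes:
    """Parse the dotted-hex string from a running config back to bytes."""
    return bytes.fromhex(text.replace(".", ""))


def parse_option43(tlv: bytes) -> List[str]:
    """Decode a TLV to controller addresses; reject malformed input."""
    if len(tlv) < 2 or tlv[0] != CISCO_AP_TLV_TYPE:
        raise ValueError("not a Cisco AP option 43 TLV")
    length, value = tlv[1], tlv[2:]
    if length != len(value) or length == 0 or length % 4 != 0:
        raise ValueError("TLV length does not match the address payload")
    return [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, length, 4)]


def is_valid_option43(text: str) -> bool:
    """True when a dotted-hex config value decodes to one or more controllers."""
    try:
        parse_option43(from_ios_hex(text))
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("option 43 hex", to_ios_hex(build_option43(["10.0.10.21"])))
    print(parse_option43(from_ios_hex("f104.0A00.0A15")))
```

Feeding it a second controller produces "f108." followed by both addresses; the length byte must grow with the list, which is the usual mistake when a second WLC is appended to an existing string.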

-----
CAT2
-----

vlan 10-15,20,30,40
exit
! 40 = guests VLAN; the SVI below needs it in the VLAN database
!
default interface range gig 1/0/10-11
!
Interface range gig 1/0/10-11
channel-group 21 mode on
no shut
!
Interface port-channel 21
switchport mode trunk
!
Interface vlan 14
ip address 10.0.14.22 255.255.255.0
no shut
!
Interface gig 1/0/3
switchport mode access
switchport access vlan 12
!
Interface vlan 12
ip address 10.0.12.22 255.255.255.0
ip helper-address 10.0.13.11
no shut
!
Interface vlan 13
ip address 10.0.13.22 255.255.255.0
no shut
!
Interface vlan 30
ip address 10.0.30.22 255.255.255.0
ip helper-address 10.0.13.11
no shut
!
Interface vlan 40
ip address 10.0.40.22 255.255.255.0
ip helper-address 10.0.13.11
no shut
!
Interface loopback0
ip address 199.1.1.1 255.255.255.0
!
no router eigrp 1
router eigrp 111
network 10.0.0.0
network 199.1.1.0
passive-interface default
no passive-interface vlan 13

==================================================
Basic Wireless Network with ISE and AD Integration
==================================================

***************************************
WLC
***************************************

----------------------------------
1. Configure the VLAN Interfaces
----------------------------------

Controller -> Interfaces

Name: execs - VLAN 20
Name: employees - VLAN 30
Name: guests - VLAN 40 (address 10.0.40.99; this interface is later added to the WLC1 network device in ISE)

-------------------------------------------
2. Configure the relationship towards ISE
-------------------------------------------
Security -> AAA -> RADIUS -> Authentication: server 10.0.1.5, shared secret cisco123 (must match the Network Device entry in ISE)

Security -> AAA -> RADIUS -> Accounting: server 10.0.1.5, same secret

-------------------------------------------
3. Configure the WLAN using ISE
-------------------------------------------

WLAN -> Create New

General:
Name: ABC Profile
SSID: ABC
Enabled: Checked
Interface: management (the per-user VLAN comes from ISE via AAA override)

Security:
Layer2: WPA+WPA2 (default: WPA2 policy, AES, 802.1X key management)

AAA Server Tab:
RADIUS Server Overwrite Interface: checked (RADIUS for this WLAN is sourced from the WLAN's interface, so that interface's address must be a known NAD address in ISE)
Authentication Server: 10.0.1.5
Accounting Server: 10.0.1.5

Advanced Tab:
Allow AAA Override: Checked (required; otherwise the VLAN returned by ISE is ignored)

***************************************
ISE
***************************************

---------------------------------------
1. Configure the relationship with WLC
---------------------------------------

Administration -> Network Resources -> Network Device Groups -> Add

Name: HQ-WLCs

Administration -> Network Resources -> Network Devices -> Add

Name: WLC1
IP Address: 10.0.10.21 (WLC management interface, the source of RADIUS unless a WLAN overrides the interface)
Network Device Group: HQ-WLCs
Protocol: RADIUS
Key: cisco123 (must match the shared secret configured on the WLC)

---------------------------------------
2. Configure integration with AD
---------------------------------------

A. Administration -> Identity Management -> External Identity Sources -> Active Directory -> Add (join point AD-ABC; join the domain)

B. Administration -> Identity Management -> External Identity Sources -> Active Directory -> Groups (retrieve the groups referenced in policy, e.g. adgroup1)

C. Administration -> Identity Management -> External Identity Sources -> Certificate Authentication Profile -> Preloaded_Certificate_Profile

D. Administration -> Identity Management -> Identity Source Sequence -> All_User_ID_Stores (must include AD-ABC so that 802.1X users are looked up in AD)

---------------------------------------
3. Configure the Authorization Profiles
---------------------------------------

Policy -> Policy Elements -> Results -> Authorization -> Authorization Profiles -> Add

Name: EXECS-PROFILE
Common Tasks -> VLAN: 20

Name: EMPLOYEES-PROFILE
Common Tasks -> VLAN: 30

-----------------------------------------------------------------------------
4. Configure the Authorization Policy to link the conditions to the Profile
-----------------------------------------------------------------------------

Policy -> Authorization -> Insert

Name: EXECS-POLICY

Conditions (all must match):
AD-ABC:ExternalGroup equals adgroup1 [AD group]
RADIUS:Called-Station-ID endswith ABC [SSID; the WLC appends ":SSID" to the AP MAC when its Call Station ID Type is AP MAC Address:SSID]
Wireless_802.1X [built-in condition for wireless 802.1X users]
DEVICE:Device Type equals HQ-WLCs [the WLC or WLC group]

Permission: EXECS-PROFILE [assigns a user that meets the above requirements to VLAN 20]

A matching EMPLOYEES-POLICY rule maps the employees' AD group to EMPLOYEES-PROFILE (VLAN 30).

=========================================
2. Guest - HotSpot
=========================================

------
WLC
------

---------------------------------
1. Create the ACL for Pre-Auth
---------------------------------

Security -> Access Control Lists -> Access Control List

Name: ISE

Permit only DHCP (UDP 67/68), DNS (10.0.1.12, UDP 53) and the ISE node 10.0.1.5 (the guest portal listens on TCP 8443 by default); the implicit deny at the end catches everything else. This is the Pre-Auth ACL; ISE references it by name in the authorization profile, so the name must match exactly.

Caveat: on AireOS the redirect ACL works the opposite way from an IOS switch. Traffic the ACL permits goes straight to the network without redirection; traffic it denies is what the WLC intercepts and redirects to the portal (HTTP by default, HTTPS only if https-redirect is enabled). If the ISE portal port is not permitted, the client is redirected to a page it cannot reach.

------------------------------------
2. Create a special SSID for GUESTS
------------------------------------
Name: GUESTS
SSID: GUEST
Interface: guests
Enabled: Checked

Security Tab:
Layer 2: None, with MAC Filtering enabled (the MAC address becomes the MAB request to ISE)

AAA Server Tab:
Authentication and Accounting Server: 10.0.1.5 (ISE)

Advanced Tab:
Check "Allow AAA Override"
NAC State: ISE NAC ("Radius NAC" on older releases; required for the redirect and CoA)
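
The pre-auth ACL is where most guest deployments fail, and the failure is silent: the client is redirected to a portal it cannot reach. The block below is an added example, not part of the original notes. It reconstructs the "DHCP, DNS and ISE only" rule set with the lab's addresses (DNS 10.0.1.12, ISE 10.0.1.5, the ISE default portal port 8443 and direction Any are assumptions), evaluates client-to-network flows against it with AireOS semantics (permit = bypass the portal, deny = redirect if HTTP, otherwise drop), and runs a pre-flight check that lists the flows a candidate ACL would block.

```python
"""Evaluate the AireOS pre-auth/redirect ACL "ISE" from the guest section.

Added example, not part of the original notes. The rule list is my
reconstruction of "DHCP, DNS and ISE only" using the lab addresses
(DNS 10.0.1.12, ISE 10.0.1.5, ISE portal on its default TCP 8443); all
rules use direction Any and only client-to-network flows are modelled.
The redirect semantics are AireOS's: a flow the ACL permits bypasses the
portal, a flow it denies is redirected if it is HTTP and dropped otherwise.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY_V4 = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                               # "permit" or "deny"
    protocol: str                             # "ip", "udp" or "tcp"
    destination: ipaddress.IPv4Network
    dport: Optional[Tuple[int, int]] = None   # inclusive range, None = any port


@dataclass(frozen=True)
class Flow:
    protocol: str
    dst: str
    dport: int


# Constructed rule set for ACL "ISE"; AireOS appends an implicit deny any.
ISE_PREAUTH_ACL: List[Rule] = [
    Rule("permit", "udp", ANY_V4, (67, 68)),                                   # DHCP
    Rule("permit", "udp", ipaddress.ip_network("10.0.1.12/32"), (53, 53)),     # DNS
    Rule("permit", "tcp", ipaddress.ip_network("10.0.1.5/32"), (8443, 8443)),  # ISE portal
]

# Flows an unauthenticated guest must complete before the portal can work.
REQUIRED_FLOWS: List[Flow] = [
    Flow("udp", "255.255.255.255", 67),   # DHCP discover
    Flow("udp", "10.0.1.12", 53),         # resolve the ISE FQDN in the redirect URL
    Flow("tcp", "10.0.1.5", 8443),        # fetch the portal itself
]


def matches(rule: Rule, flow: Flow) -> bool:
    if rule.protocol != "ip" and rule.protocol != flow.protocol:
        return False
    if ipaddress.ip_address(flow.dst) not in rule.destination:
        return False
    if rule.dport is not None and not (rule.dport[0] <= flow.dport <= rule.dport[1]):
        return False
    return True


def evaluate(acl: List[Rule], flow: Flow) -> str:
    """Return 'pass', 'redirect' or 'drop' for a flow from a client awaiting web auth."""
    action = "deny"  # implicit deny when nothing matches
    for rule in acl:
        if matches(rule, flow):
            action = rule.action
            break
    if action == "permit":
        return "pass"  # permitted by the redirect ACL = forwarded, no redirect
    # Denied HTTP is intercepted and redirected to the portal; other denied
    # traffic is dropped. HTTPS is redirected only when the WLC's
    # https-redirect feature is enabled (assumed off here).
    if flow.protocol == "tcp" and flow.dport == 80:
        return "redirect"
    return "drop"


def missing_permits(acl: List[Rule], required: List[Flow] = REQUIRED_FLOWS) -> List[Flow]:
    """Pre-flight check: the required flows this ACL would not let through."""
    return [f for f in required if evaluate(acl, f) != "pass"]


if __name__ == "__main__":
    for f in [Flow("tcp", "203.0.113.10", 80), Flow("tcp", "203.0.113.10", 443)]:
        print(f, "->", evaluate(ISE_PREAUTH_ACL, f))
    print("missing:", missing_permits(ISE_PREAUTH_ACL))
```

Dropping the DNS line from the list makes missing_permits report the DNS flow: the client still gets redirected, but the redirect URL carries the ISE FQDN and never resolves, which is exactly the symptom seen in the lab when the ACL is incomplete.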

------
ISE
------

--------------------------------------------------------------------
1. Add the WLC guests interface address to the WLC1 network device
--------------------------------------------------------------------

Administration -> Network Resources -> Network Devices -> WLC1 -> Edit

Add IP address: 10.0.40.99 (the WLC's guests dynamic interface)

ISE only accepts RADIUS from known NAD addresses. With "RADIUS Server Overwrite Interface" set on a WLAN, the WLC sources RADIUS for that WLAN from the WLAN's dynamic interface instead of management, so that address has to be listed on the network device as well.

--------------------------------------------------------------------
2. Create the HOTSPOT Guest Portal
--------------------------------------------------------------------

Work Centers -> Guest Access -> Portals and Components -> Guest Portals -> Create -> Hotspot Guest Portal

Name: ABC-HotSpot
AUP Page Settings:
Require an access code: Cisco123

Save

--------------------------------------------------------------------
3. Create an Authorization Profile
--------------------------------------------------------------------

Policy -> Policy Elements -> Results -> Authorization -> Authorization Profile ->
Add

Name: ABC-GUEST-HOTSPOT

Web Redirection:
Type: Hot Spot
ACL: ISE (the WLC ACL name, exact match)
Value: ABC-HotSpot

Save
--------------------------------------------------------------------
4. Create Authorization Policies
--------------------------------------------------------------------

Policy -> Authorization -> Insert (rules are evaluated top-down, first match wins, so keep this order)

Name: GUEST-ACCESS
Condition: IdentityGroup:Name equals Endpoint Identity Groups:GuestEndpoints
Permission: PermitAccess

Name: GUEST-AUTHENTICATION
Conditions:
Wireless_MAB
RADIUS:Called-Station-ID endswith GUEST [SSID]
Permission: ABC-GUEST-HOTSPOT

Flow: the first MAB request from an unknown client matches GUEST-AUTHENTICATION and receives the redirect. When the guest accepts the AUP, ISE registers the endpoint in GuestEndpoints (the hotspot portal default) and sends a CoA; the WLC re-authenticates the client and the second request matches GUEST-ACCESS. If GUEST-ACCESS sat below GUEST-AUTHENTICATION the client would be redirected forever.

=========================================
3. Guest - Sponsor Portal
=========================================

------------------------------------------------------------------------
1. Create the Group and User Accounts for Creating the Guest Accounts
------------------------------------------------------------------------

Administration -> Identity Management -> Groups -> User Identity Groups -> Add

Name: ABC-SponsorGroup

Administration -> Identity Management -> Identities -> Users -> Add

Name: khawar
Password: Cisco123*
Group: ABC-SponsorGroup

------------------------------------------------------------------------
2. Create a Location; its time zone controls the valid-from/valid-to times of the guest accounts
------------------------------------------------------------------------

Work Centers -> Guest Access -> Settings -> Guest Location and SSIDs

Name: Chicago
Timezone: CST6

------------------------------------------------------------------------
3. Create the Guest Type
------------------------------------------------------------------------

Work Centers -> Guest Access -> Portals & Components -> Guest Types -> Create

Name: ChicagoGuests

Configure the guest type limits here: maximum account duration, number of simultaneous logins, devices a guest may register, and so on.

------------------------------------------------------------------------
4. Create the Sponsor Groups
------------------------------------------------------------------------
Work Centers -> Guest Access -> Portals & Components -> Sponsor Groups -> Create

Name:ChicagoSponsors
Members: ABC-SponsorGroup
Guest Type that can be created: ChicagoGuests
Locations: Chicago

------------------------------------------------------------------------
5. Log in as a sponsor to create the accounts
------------------------------------------------------------------------

Work Centers -> Guest Access -> Portals & Components -> Sponsor Portal -> default (open it via the Portal test URL; the default sponsor portal listens on TCP 8445), log in as khawar

First Name: Ccie
Last Name: Wireless1
Username / password: CWireless1 / 7902 (generated by ISE)

First Name: Ccie
Last Name: Wireless2
Username / password: CWireless2 / 8804 (generated by ISE)

------
WLC
------

The WLC side is the same as in the HotSpot section: the pre-auth ACL "ISE" (DHCP, DNS and ISE only) and the GUEST SSID on the guests interface with Layer 2 None plus MAC Filtering, ISE (10.0.1.5) as authentication and accounting server, Allow AAA Override and NAC State ISE_NAC. Both portals are driven by the same MAB request; only the ISE authorization profile differs.
--------
ISE
--------

--------------------------------------------------------------------
1. Create the Sponsored Guest Portal
--------------------------------------------------------------------

Work Centers -> Guest Access -> Portals and Components -> Guest Portals -> Create -> Sponsored Guest Portal

Name: ABC-SponsorPortal
Portal Settings:
Employees using this portal as guests: ChicagoGuests

Login Page:
Include AUP

Save

--------------------------------------------------------------------
2. Create an Authorization Profile
--------------------------------------------------------------------

Policy -> Policy Elements -> Results -> Authorization -> Authorization Profile ->
Add

Name: ABC-GUEST-SponsorPortal

Web Redirection:
Type: Centralized Web Auth
ACL: ISE
Value: ABC-SponsorPortal

Save

--------------------------------------------------------------------
3. Create Authorization Policies
--------------------------------------------------------------------

Policy -> Authorization -> Insert (top-down, first match wins; GUEST-ACCESS stays above the redirect rule)

Name: GUEST-ACCESS
Condition: IdentityGroup:Name equals Endpoint Identity Groups:GuestEndpoints
Permission: PermitAccess

Name: GUEST-AUTHENTICATION
Conditions:
Wireless_MAB
RADIUS:Called-Station-ID endswith GUEST
Permission: ABC-GUEST-SponsorPortal

This works because the sponsored guest portal registers the device into GuestEndpoints on a successful login (Guest Device Registration settings, enabled by default) before sending the CoA; the alternative ISE documents is to match the post-login request on Network Access:UseCase equals Guest Flow.

===============================================
4. MAB for AP to authenticate based on ISE
===============================================

MAB authorizes the port on the AP's MAC address alone, which any host plugged into that port can spoof; treat it as an inventory check rather than strong authentication. Lightweight APs can act as 802.1X supplicants on the wired side where a stronger control is needed.

1. Copy the AP MAC address.

- You can copy it from the WLC or from the switch with "show mac address-table" (dotted xxxx.xxxx.xxxx format; ISE stores endpoints as XX:XX:XX:XX:XX:XX, so convert it).

2. Create an identity group for the endpoints

Administration -> Identity Management -> Groups -> Endpoint Identity Groups -> Add

Name: LEGIT-APs

3. Create the endpoint and assign it to the group

Context Visibility -> Endpoints -> Add

MAC: xx:xx:xx:xx:xx:xx
Static Group Assignment: LEGIT-APs

4. Create the policy

Policy -> Authorization -> Insert

Name: LEGIT-AP-POLICY
Identity Group: LEGIT-APs
Condition: Wired_MAB
Permission: PermitAccess

An AP whose MAC is not in LEGIT-APs matches nothing and falls through to the default rule, which denies access.

5. Create a Network Device for the switch

Administration -> Network Resources -> Network Devices -> Add

Name: CAT1
IP Address: 10.0.1.11 (must be the address CAT1 sources its RADIUS requests from)
Protocol: RADIUS
Key: cisco123

Submit

6. Configure the Switch for MAB

aaa new-model
!
radius server ISE
address ipv4 10.0.1.5 auth-port 1812 acct-port 1813
key cisco123
!
aaa group server radius RAD-AUTH
server name ISE
!
! MAB uses the dot1x authentication list on IOS; network authorization is what
! lets ISE push VLAN or dACL results
aaa authentication dot1x default group RAD-AUTH
aaa authorization network default group RAD-AUTH
!
! Source RADIUS from the address registered for CAT1 in ISE (10.0.1.11),
! otherwise ISE drops the request as coming from an unknown network device
ip radius source-interface vlan 101
!
dot1x system-auth-control
!
! AP port: try MAB first, fall back to 802.1X; the port stays closed until ISE permits
int gig 1/0/1
authentication order mab dot1x
authentication priority mab dot1x
mab
authentication port-control auto
no shut
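
The authorization rules built up across sections 1 to 4 are evaluated by ISE top-down, first match wins, with a default DenyAccess at the bottom. The following model is an added example and not ISE code: the built-in conditions (Wireless_802.1X, Wireless_MAB, Wired_MAB) are reduced to media plus method, the Called-Station-ID "AP-MAC:SSID" format and the HQ-WLCs device type are taken from the notes, and the MAC formats come from the switch and ISE conventions. It replays the hotspot sequence (MAB, redirect, AUP accepted, CoA re-authentication) and the wired MAB check for a legitimate and an unknown AP, and shows what happens when GUEST-ACCESS is placed below the redirect rule.

```python
"""Model of the ISE authorization policy assembled in sections 1 to 4.

Added example; this is not ISE code, and the conditions are simplified
from the ISE GUI (Wireless_802.1X, Wireless_MAB and Wired_MAB are
reduced to media + method). It shows the two things that bite in the
lab: ISE evaluates authorization rules top-down and uses the first
match, so GUEST-ACCESS must sit above the MAB redirect rule; and
anything unmatched hits the default DenyAccess rule, which is what keeps
an unknown AP off a MAB port.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


def normalize_mac(mac: str) -> str:
    """Accept switch (0011.2233.4455), IETF (00:11:...) or dashed forms; return ISE's XX:XX:... form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


@dataclass
class Request:
    mac: str                 # Calling-Station-Id
    called_station: str      # Called-Station-Id; the WLC appends ":SSID" to the AP MAC
    method: str              # "dot1x" or "mab"
    media: str               # "wireless" or "wired"
    device_type: str = ""    # ISE network device group, e.g. HQ-WLCs
    ad_groups: Set[str] = field(default_factory=set)


@dataclass
class Context:
    endpoint_groups: Dict[str, Set[str]]   # endpoint identity group -> normalized MACs

    def in_group(self, mac: str, group: str) -> bool:
        return normalize_mac(mac) in self.endpoint_groups.get(group, set())


@dataclass
class Rule:
    name: str
    condition: Callable[[Request, Context], bool]
    permission: str


def ssid_of(req: Request) -> str:
    return req.called_station.rsplit(":", 1)[-1]


def wireless_dot1x(r: Request) -> bool:
    return r.media == "wireless" and r.method == "dot1x"


def wireless_mab(r: Request) -> bool:
    return r.media == "wireless" and r.method == "mab"


def wired_mab(r: Request) -> bool:
    return r.media == "wired" and r.method == "mab"


# Rules in the order the notes insert them.
POLICY: List[Rule] = [
    Rule("EXECS-POLICY",
         lambda r, c: "adgroup1" in r.ad_groups and ssid_of(r) == "ABC"
         and wireless_dot1x(r) and r.device_type == "HQ-WLCs",
         "EXECS-PROFILE"),
    Rule("GUEST-ACCESS", lambda r, c: c.in_group(r.mac, "GuestEndpoints"), "PermitAccess"),
    Rule("GUEST-AUTHENTICATION", lambda r, c: wireless_mab(r) and ssid_of(r) == "GUEST",
         "ABC-GUEST-HOTSPOT"),
    Rule("LEGIT-AP-POLICY", lambda r, c: c.in_group(r.mac, "LEGIT-APs") and wired_mab(r),
         "PermitAccess"),
]


def authorize(policy: List[Rule], req: Request, ctx: Context) -> Tuple[str, str]:
    """First matching rule wins; the built-in default rule denies."""
    for rule in policy:
        if rule.condition(req, ctx):
            return rule.name, rule.permission
    return "Default", "DenyAccess"


def hotspot_flow(policy: List[Rule], ctx: Context, req: Request):
    """MAB -> redirect -> AUP accepted -> CoA re-authentication; returns both results."""
    first = authorize(policy, req, ctx)
    # Accepting the AUP registers the endpoint in GuestEndpoints (hotspot portal
    # default) and ISE sends a CoA; the WLC then re-authenticates the client.
    ctx.endpoint_groups.setdefault("GuestEndpoints", set()).add(normalize_mac(req.mac))
    second = authorize(policy, req, ctx)
    return first, second
```

Swapping GUEST-ACCESS and GUEST-AUTHENTICATION makes the second authorization return the redirect profile again, which is the "guest keeps landing on the portal" symptom; the wired AP cases show that a MAC copied in dotted switch format still matches after normalization, and that an unlisted MAC ends at DenyAccess.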
==================================
5. Mobility Express
==================================

-----------------------------------------------------------------------
1. Configure the Switchport as a Trunk with a native VLAN (as for a FlexConnect AP)
-----------------------------------------------------------------------

------
CAT1
------

Interface gig 1/0/2
switchport mode trunk
switchport trunk native vlan 15

The AP itself, and the ME controller it will run, sits untagged in native VLAN 15 (the AP2 pool, 10.0.15.0/24, which carries no option 43); client VLANs are tagged on the trunk.

-----------------------------------------------------------------------
2. Configure the AP to load the ME Capable Image
-----------------------------------------------------------------------

------
AP
------

ap-type mobility-express

Note: this is entered on the AP console, not on CAT1. The AP reloads as a CAPWAP AP; if it finds no controller on the segment it also starts the embedded Mobility Express controller.
