
Universal NGWC/3850 Wireless Configuration with Cisco Identity Service Engine

Secure Access How-To Guides Series

Author: Aaron Woland

Date: December 2012


Cisco Systems © 2015 Page 2

Table of Contents

3850 Switch Wireless Configuration
Overall Design
3850 Switch Wireless Configuration Steps
Validate licensing
Configure the HTTP Server on the Switch
Configure the Global AAA Commands
Configure the Global RADIUS Commands
Configure VLANs and SVIs
Configure DHCP Snooping (Optional)
Configure Local Access Control Lists
Configure the Global 802.1X Commands
Configure the Global Wireless feature
Configure WLANs
Configure Interfaces for Wireless APs
Create Identity Sequence
Enable policy Set
Configure Policy
ISE Configuration - Suppressing RADIUS test messages


3850 Switch Wireless Configuration

The Cisco Catalyst 3850 is the first stackable access-switching platform that enables wired plus wireless services on a single Cisco IOS XE Software-based platform. It provides a host of rich capabilities such as high availability based on stateful switchover (SSO) on stacking, granular QoS, security, and Flexible NetFlow (FNF) across wired and wireless in a seamless fashion. Also, the wired plus wireless features are bundled into a single Cisco IOS Software image, which reduces the number of software images that users have to qualify/certify before enabling them in their network. The single console port for command-line interface (CLI) management reduces the number of touch points to manage for wired plus wireless services, thereby reducing network complexity, simplifying network operations, and lowering the TCO to manage the infrastructure.

Converged wired plus wireless not only improves wireless bandwidth across the network but also the scale of wireless deployment. Each 48-port Cisco Catalyst 3850 provides 40 Gbps of wireless throughput (20 Gbps on the 24-port model). This wireless capacity increases with the number of members in the stack. This makes sure that the network can scale with current wireless bandwidth requirements, as dictated by IEEE 802.11n-based access points and with future wireless standards such as IEEE 802.11ac. Additionally, the Cisco Catalyst 3850 distributes the wireless controller functions to achieve better scalability. Each Cisco Catalyst 3850 switch/stack can operate as the wireless controller in two modes:

- Mobility agent (MA): This is the default mode in which the Cisco Catalyst 3850 switch ships. In this mode the switch is capable of terminating the CAPWAP tunnels from the access points and providing wireless connectivity to wireless clients. Maintaining wireless client databases and configuring and enforcing security and QoS policies for wireless clients and access points can be done in this mode. No additional license on top of IP Base is required to operate in the mobility agent mode.

- Mobility controller (MC): In this mode, the Cisco Catalyst 3850 switch can perform all the mobility agent tasks in addition to mobility coordination, radio resource management (RRM), and Cisco CleanAir® coordination within a mobility subdomain. The mobility controller mode can be enabled on the switch CLI. IP Base license level is required when the Cisco Catalyst 3850 switch is acting as the mobility controller. A centrally located Cisco 5508 Wireless LAN Controller (WLC 5508), Cisco Wireless Services Module 2 (WiSM2) (when running AireOS Version 7.3), and Wireless LAN Controller 5760 can also perform this role for larger deployments.

Overall Design

The following diagram shows the overall layout of the components. There are two Service Set Identifiers (SSIDs), one secured with WPA2 (Wi-Fi Protected Access v2) + 802.1X and another Open + Central Web Authentication (CWA). Although we won't go into the details of different Bring Your Own Device (BYOD) policies or posture policies within Cisco Identity Services Engine (ISE), this setup will provide a baseline for such operations. This document will only cover the baseline configuration of 3850 switches for wireless; for deploying the 3850 on a wired network or for other ISE configuration, please refer to the respective ISE How-To documents.

Figure 1.

Components used:

- Cisco ISE 1.2.0.899
- Cisco 3850 running IOS-XE version 03.02.02.SE
- Cisco LWAP 3602
- Microsoft Windows 2008 as AD/DNS/DHCP server

A few notes about NGWC wireless functions:

- The wireless management interface has to be on the same VLAN as the AP access VLAN; APs in FlexConnect mode are not supported in this layout.
- Client idle timeout is a global setting (as opposed to the latest AireOS).
- APs need to be directly connected to the 3850 switch.
- There is no need for the legacy AP discovery methods using DHCP option 43 or a DNS entry: with CAPWAP snooping, all directly connected APs can join the 3850 if they are configured with the correct VLAN. Because of CAPWAP snooping, once a wireless management interface is configured on the 3850, all directly connected APs can only talk to the 3850.
- HTTPS redirect is supported; however, the user will be required to trust the certificate of the 3850 HTTPS server before continuing to the login page.
- With IOS-XE version 03.02.02.SE, the 3850 switch provides some GUI-based wireless configuration functions.

Note: Cisco 3850 can act as Mobility Agent (MA) mode or Mobility Controller (MC) mode. Every mobility deployment requires at least one MC and since our design consists of one 3850 switch, we will be configuring the switch as MC mode.

3850 Switch Wireless Configuration Steps

The Cisco 3850 is a Unified Access platform that provides convergence of the wired and wireless networks into one physical infrastructure. This configuration example shows how to integrate Cisco 3850 switches for wireless authentication with ISE to provide a basis for advanced identity functionality such as BYOD and posture assessment. The example provided in this document will primarily focus on the command line interface on the 3850 for wireless configuration.

Note: With Version 03.02.02.SE, Cisco introduces GUI access to wireless configuration on the 3850. However, many parts of the configuration still rely on the CLI. For this document, only CLI configuration will be covered.

Validate licensing

The 3850 uses the Right-To-Use (RTU) license scheme. RTU licensing allows one to order and activate a specific license type and level, and to manage license usage on the switch. To activate a license, one is required to accept the End-User License Agreement (EULA). For the evaluation license, one is notified to purchase a permanent license or deactivate the license before the 90-day period expires. Before one can enable the wireless function on the 3850 switch, the switch needs to be running either the ipbase or ipservices feature pack, with the RTU license present and the EULA accepted. The RTU also governs the AP count in case the switch is acting as Mobility Controller (MC).

Note: Prerequisite configuration: This guide assumes that the switches have the required licenses; the following steps focus on validation of the RTU license on the platform.

Step 1 Validate that RTU licenses are in place.

Step 2 Run the following show command to view which licenses are available and in use:

3850#show license right-to-use summary

Sample output

3850#show license right-to-use summary
          License Name   Type        Count   Period left
          ---------------------------------------------------
          ipservices     permanent   N/A     Lifetime
          apcount        base        0       Lifetime
          apcount        adder       10      Lifetime
          ---------------------------------------------------
License Level In Use: ipservices
License Level on Reboot: ipservices
Evaluation AP-Count: Disabled
Total AP Count Licenses: 10
AP Count Licenses In-use: 4
AP Count Licenses Remaining: 6
3850#

Step 3 Activate the feature set that supports wireless controller functionality and also activate the AP count RTU:

3850#license right-to-use activate ipservices slot 1 acceptEULA
3850#license right-to-use activate apcount 10 slot 1 acceptEULA

Note: Activating the AP count RTU may require the mobility controller feature to be enabled first.

Configure the HTTP Server on the Switch

Step 1 Set the DNS domain name on the switch. Cisco IOS® Software does not allow for certificates, or even self-generated keys, to be created and installed without first defining a DNS domain name on the device.

Step 2 Enter the following:

3850(config)#ip domain-name example.com

Step 3 Generate keys to be used for HTTPS by entering the following:

3850(config)#crypto key generate rsa general-keys modulus 2048

Note: To avoid possible certificate mismatch errors during web redirection, we recommend that you use a certificate that is issued by your trusted certificate authority instead of a local certificate. This topic is beyond the scope of this document.

Step 4 Enable the HTTP servers on the switch.

The HTTP server must be enabled on the switch to perform the HTTP / HTTPS capture and redirection. Enter the following:

3850(config)#ip http server
3850(config)#ip http secure-server

Note: Do not run the ip http secure-server command prior to generating the keys (step 3). If you perform the commands out of order, the switch will automatically generate a certificate with a smaller key size. This certificate can cause undesirable behaviour when redirecting HTTPS traffic. Unlike the WLC with AireOS, 3850 Series wireless supports redirection of HTTPS requests; however, endpoints will be prompted to trust the switch's self-signed certificate during the redirection.

Step 5 Disable HTTP & HTTPS for other switch management functions (Optional):

3850(config)#ip http active-session-modules none
3850(config)#ip http secure-active-session-modules none

Note: This will disable management access to the 3850 wireless configuration as well as configuration from NCS Prime Infrastructure.

Configure the Global AAA Commands

Step 1 Enable authentication, authorization, and accounting (AAA) on the access switches.

By default, the AAA "subsystem" of the Cisco switch is disabled. Prior to enabling the AAA subsystem, none of the required commands will be available in the configuration. Enter the following:

3850(config)#aaa new-model

3850(config)#aaa session-id common

Note: This command enables any of the services that AAA network security services provide—for example, local login authentication and authorization, defining and applying method lists, and so on. For further details, please refer to the Cisco IOS Security Configuration Guide.

Step 2 Create an authentication method for 802.1X.

An authentication method is required to instruct the switch on which group of RADIUS servers to use for 802.1X authentication requests:

3850(config)#aaa authentication dot1x default group radius

Step 3 Create an authorization method for 802.1X.

The method created in step 2 will enable the user/device identity (username/password or certificate) to be validated by the RADIUS server. However, simply having valid credentials is not enough. There must be an authorization as well. The authorization is what defines that the user or device is actually allowed to access the network, and what level of access is actually permitted.

3850(config)#aaa authorization network default group radius

Step 4 Create an accounting method for 802.1X.

RADIUS accounting packets are extremely useful and are required for many ISE functions. These types of packets will help ensure that the RADIUS server (Cisco ISE) knows the exact state of the interface and endpoint. Without the accounting packets, Cisco ISE would have knowledge only of the authentication and authorization communication. Accounting packets provide information on length of the authorized session, as well as bandwidth usage of the client.

3850(config)#aaa accounting dot1x default start-stop group radius

Step 5 Configure periodic RADIUS accounting update.

Periodic RADIUS accounting packets allow Cisco ISE to track which sessions are still active on the network. This command sends periodic updates every 15 minutes.

3850(config)#aaa accounting update periodic 15

Configure the Global RADIUS Commands

We configure a proactive method to check the availability of the RADIUS server. With this practice, the switch will send periodic test authentication messages to the RADIUS server (Cisco ISE). It is looking for a RADIUS response from the server. A success message is not necessary; a failed authentication will suffice, because it shows that the server is alive.

Best Practice: With ISE 1.2 there is a feature to suppress authentications that match certain conditions. We will use that feature to suppress the RADIUS keepalive messages. See the end of this document for instructions.

Step 1 Add the Cisco ISE servers to the RADIUS group.

In this step we will add each Cisco ISE Policy Services Node (PSN) to the switch configuration, using the radius-test account. Repeat for each PSN.

3850(config)#radius-server host 192.168.201.88 auth-port 1812 acct-port 1813 test username radius-test idle-time 5 key cisco123

Note: The server will be proactively checked for responses once every 5 minutes, in addition to any authentications or authorizations occurring through normal processes. This value may be too aggressive for non-ISE 1.2 deployments, because older versions of ISE lack the log suppression feature; in that case increase this value to 60 minutes or higher.

Step 2 Set the dead criteria.

The switch has been configured to proactively check the Cisco ISE server for RADIUS responses. Now configure the counters on the switch to determine if the server is alive or dead. Our settings will be to wait 10 seconds for a response from the RADIUS server and attempt the test 3 times before marking the server dead. If a Cisco ISE server doesn't have a valid response within 30 seconds, it will be marked as dead. The deadtime defines how long the switch will keep the server marked dead, which we are setting to 15 minutes.

3850(config)#radius-server dead-criteria time 10 tries 3
3850(config)#radius-server deadtime 15

Note: We will discuss high availability in more detail in the deployment mode sections.
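The following Python model, an added example that is not the switch's code, replays the dead-criteria and deadtime behaviour described above (a request unanswered for 10 seconds counts as a miss, three consecutive misses mark the server dead, and the server is then skipped for 15 minutes) so the 30-second figure and the recovery point can be checked; the event timeline is constructed.

```python
# Model of the RADIUS server liveness logic configured with
# "radius-server dead-criteria time 10 tries 3" and "radius-server deadtime 15".
# Added example; it follows the documented behaviour only and is not IOS code.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class RadiusServerState:
    time_s: int = 10          # seconds to wait for a reply (dead-criteria time)
    tries: int = 3            # consecutive misses before marking the server dead
    deadtime_min: int = 15    # minutes the server stays marked dead
    misses: int = 0
    dead_since: Optional[float] = None
    outstanding: List[float] = field(default_factory=list)  # send times awaiting a reply

    def is_dead(self, now):
        """True while the server is inside its deadtime window."""
        if self.dead_since is None:
            return False
        if now - self.dead_since >= self.deadtime_min * 60:
            self.dead_since = None      # deadtime expired: the server is probed again
            self.misses = 0
            return False
        return True

    def send(self, now):
        """Record a request (a real authentication or the 'test username' probe).
        Returns False when the request is skipped because the server is marked dead."""
        if self.is_dead(now):
            return False
        self.outstanding.append(now)
        return True

    def receive(self, now):
        """Any RADIUS reply, Access-Accept or Access-Reject, proves the server is alive."""
        self.outstanding.clear()
        self.misses = 0

    def tick(self, now):
        """Expire requests unanswered for time_s seconds and apply the tries threshold.
        Returns 'alive' or 'dead' after the check."""
        still_waiting = []
        for sent_at in self.outstanding:
            if now - sent_at >= self.time_s:
                self.misses += 1
            else:
                still_waiting.append(sent_at)
        self.outstanding = still_waiting
        if self.misses >= self.tries and self.dead_since is None:
            self.dead_since = now
        return "dead" if self.is_dead(now) else "alive"


def simulate(events, state=None):
    """Replay (t, kind) events with kind in {'send', 'recv', 'tick'} against one server.
    Returns the list of (t, state) observations after each event."""
    state = state or RadiusServerState()
    history = []
    for t, kind in events:
        if kind == "send":
            state.send(t)
        elif kind == "recv":
            state.receive(t)
        history.append((t, state.tick(t)))
    return history


if __name__ == "__main__":
    # Constructed timeline: three probes, none answered, then silence.
    for t, status in simulate([(0, "send"), (10, "send"), (20, "send"), (30, "tick")]):
        print(f"t={t:>3}s server {status}")
```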

Step 3 Enable change of authorization (CoA).

Previously we defined the IP address of a RADIUS server that the switch will send RADIUS messages to. However, we define the servers that are allowed to perform change of authorization (RFC 3576) operations in a different listing, also within global configuration mode, as follows:

3850(config)#aaa server radius dynamic-author

3850(config-locsvr-da-radius)#client 192.168.201.88 server-key cisco123

3850(config-locsvr-da-radius)#auth-type any

Step 4 Configure the switch to use the Cisco vendor-specific attributes.

Here we configure the switch to send any defined vendor-specific attributes (VSA) to Cisco ISE PSNs during authentication requests and accounting updates.

3850(config)#radius-server vsa send authentication
3850(config)#radius-server vsa send accounting
3850(config)#radius-server attribute 6 on-for-login-auth
3850(config)#radius-server attribute 8 include-in-access-req
3850(config)#radius-server attribute 25 access-request include
3850(config)#radius-server attribute 31 mac format ietf upper-case
3850(config)#radius-server attribute 31 send nas-port-detail mac-only

Step 6 Ensure the switch always sends traffic from the correct interface for RADIUS request.

Switches may often have multiple IP addresses associated to them. Therefore, it is a best practice to always force any management communications to occur through a specific interface. This interface IP address must match the IP address defined in the Cisco ISE Network Device object.

Cisco Best Practice: As a network management best practice, use a loopback adapter for all management communications, and advertise that loopback interface into the internal routing protocol.

3850(config)#ip radius source-interface vlan 201

Configure VLANs and SVIs

A wireless management interface is required to create the CAPWAP tunnel with the Lightweight APs. Also, a VLAN will need to be created for each of the WLANs that will be set up for wireless access, along with any user VLANs that will map to those WLANs.

Step 1 Add the following VLANs for wireless management and WLAN interface:

3850(config)#vlan 80
3850(config-vlan)#name AP_VLAN
3850(config-vlan)#vlan 30
3850(config-vlan)#name WLAN_USER
3850(config-vlan)#vlan 40
3850(config-vlan)#name WLAN_GUEST

Step 2 Create SVI for wireless management interface.

This interface will be used to communicate with the LWAPs. The LWAPs need to be connected directly to the 3850 switch, and their switch interfaces need to be configured with the same VLAN as the wireless management VLAN. Also, configure an IP helper address to forward DHCP requests from the LWAPs to the DHCP server.

3850(config)#

3850(config-if)#ip address 192.168.80.1 255.255.255.0
3850(config-if)#ip helper-address 192.168.201.72
3850(config-if)#no shutdown

Configure DHCP Snooping (Optional)

DHCP snooping is not required for the 3850 wireless feature to function, but it is considered a best practice to require all endpoints to get addresses assigned by the DHCP server. This is done by enabling DHCP snooping globally and running the dhcp required option on the WLAN configuration.

Before configuring DHCP snooping, be sure to note the location of your trusted DHCP servers. When you configure DHCP snooping, the switch will deny DHCP server replies from any port not configured as "trusted." Enter interface configuration mode for the uplink interface and configure it as a trusted port.

Step 1 Configure Dynamic Host Configuration Protocol (DHCP) snooping for trusted ports.

3850(config)#interface

3850(config-if)#description Server
3850(config-if)#ip dhcp snooping trust

Step 2 Enable DHCP snooping.

DHCP snooping is enabled at global configuration mode. After enabling DHCP snooping, you must configure the VLANs it should work with, which in our example is VLAN 30 & 40.

3850(config)#

3850(config)#no ip dhcp snooping information option
3850(config)#ip dhcp snooping

Configure Local Access Control Lists

Certain functions on the switch require the use of locally configured access control lists (ACLs), such as URL redirection. Some of these ACLs you create will be used immediately, and some may not be used until a much later phase of your deployment. The goal of this section is to prepare the switches for all possible deployment models at one time, and limit the operational expense of repeated switch configuration.

Step 1 Add the following ACL to be used for URL redirection with web authentication:

3850(config)#ip access-list extended REDIRECT-ACL

3850(config-ext-nacl)#deny udp any host 192.168.201.72 eq 53

3850(config-ext-nacl)#deny udp any eq bootpc host 192.168.201.72 eq bootps
3850(config-ext-nacl)#deny ip any host 192.168.201.88

3850(config-ext-nacl)#permit ip any any

Configure the Global 802.1X Commands

Step 1 Enable 802.1X globally on the switch.

Enabling 802.1X globally on the switch does not actually enable authentication on any of the WLANs or interfaces.

3850(config)#

Step 2 Enable Downloadable ACLs to function.

Downloadable access control lists (dACLs) are a very common enforcement mechanism in a Cisco ISE deployment. In order for dACLs to function properly on a switch, IP device tracking must be enabled globally, as follows:

3850(config)#

Note: There are some uncommon cases with Windows 7 and devices that do not respond to ARPs where it may be required to use the command ip device tracking use SVI.

Configure the Global Wireless feature

Step 1 Enable mobility controller (MC) feature on the switch.

The 3850 switch can act as Mobility Agent (MA) only or as MC+MA. For any 3850 wireless deployment there needs to be at least one MC available for the deployment. We are configuring the 3850 as MC+MA as we only have one 3850 switch.

3850(config)#

Note: The 3850 switch is always configured as MA.

Step 2 Enable the management interface.

With the 3850, all APs need to be on the same VLAN as the management interface. This allows the CAPWAP tunnel between the APs and the 3850 switch.

3850(config)#

Note: If there are LWAPs registered with a CUWN WLC connected to the 3850 switch, then after the above command is entered all the LWAPs connected to the 3850 will lose connection to the CUWN WLC and start registering with the 3850 switch. The LWAPs will then go through a code upgrade and finally join the 3850 switch.

Step 3 Enable fast-ssid-change feature.

The Fast-SSID-Change feature allows clients to move from one SSID to another without delay. This feature allows a client to move from the open SSID to the secure SSID in the dual-SSID scenario for BYOD without delay.

3850(config)#

Note: This is primarily to address Apple iOS devices shifting from one SSID to another within a short period of time.

Step 4 Configure client idle timeout.

Idle timeout allows the switch to remove the client session when no traffic has been seen from the client within the configured timeframe. If this value is too short, client devices will be forced to reauthenticate when coming out of stand-by mode. Here we are setting it to 2 hours.

Step 5 Enable captive portal bypass feature.

Apple introduced an iOS feature to facilitate network access when captive portals are present. This feature attempts to detect the presence of a captive portal by sending a web request upon connecting to a wireless network, and directs the request to http://www.apple.com/library/test/success.html. If a response is received, then Internet access is assumed and no further interaction is required. If no response is received, Internet access is assumed to be blocked by a captive portal and CNA auto-launches the pseudo browser to request portal login in a controlled window. CNA may break when redirecting to an ISE captive portal. The following CLI command will prevent the pseudo browser from popping up.

3850(config)#

Configure WLANs

Step 1 Add 802.1x-enabled WLAN.

This command creates a WLAN with example_employee as profile name and SSID, with a WLAN ID of 1. If this 3850 switch is part of a bigger deployment, make sure the WLAN settings match on all the switches.

3850(config)#

Note: Although we are not entering L2 security settings for the WLAN, the default setting for any WLAN is WPA2/AES with 802.1X.

Step 2 Configure WLAN to accept RADIUS Authorization and instructions from the RADIUS server.

The AAA Override option of a WLAN enables you to configure the WLAN for identity networking. It enables you to apply VLAN tagging, Quality of Service (QoS), and Access Control Lists (ACLs) to individual clients based on the RADIUS attributes returned from ISE. Also, the nac directive enables different client states based on instructions in the URL-Redirect, such as CWA, DRW, MDM, NSP, and CPP.

3850(config-wlan)#
3850(config-wlan)#nac

Step 3 Map VLAN to the WLAN.

Assign user VLAN created earlier to the WLAN.

Step 4 Prevent network access from clients with static IP (Optional).

If DHCP snooping was configured for the above VLAN in previous steps, this setting prevents client devices with a static IP address from gaining network access.

3850(config-wlan)#

Step 5 Configure session timeout (Reauthentication timer).

This value dictates how often the client will re-authenticate via the RADIUS server.

3850(config-wlan)#

Step 6 Enable the WLAN.

3850(config-wlan)#

Note: Whenever the WLAN configuration needs to be modified, the WLAN has to be shut down. Once modified it can be re-enabled by running the above command. Note that this will disconnect all users on the respective WLAN.

Step 7 Add open SSID to use with ISE CWA.

3850(config)#

Step 8 Enable MAC filtering on the WLAN.

Since this is an open SSID, enabling MAC filtering with the default RADIUS list will provide CWA using ISE as the external web server.

3850(config-wlan)#

Step 9 Configure WLAN to accept RADIUS Authorization messages from the RADIUS server

3850(config-wlan)#
3850(config-wlan)#nac

Step 10 Map VLAN to the WLAN.

3850(config-wlan)#

3850(config-wlan)#

Step 12 Disable WPA and 802.1x on the WLAN.

Disable all L2 security features and set the WLAN as open SSID.

3850(config-wlan)#
3850(config-wlan)#
3850(config-wlan)#
3850(config-wlan)#

Step 13 Configure session timeout (Reauthentication timer).

3850(config-wlan)#

Note: The session-timeout for the open SSID is set to a lower value than for the secure SSID, as reauthentication of a MAB request does not impact ISE as much as an 802.1X request.

Step 14 Enable the WLAN

3850(config)#

Configure Interfaces for Wireless APs

Step 1 Identify and configure interfaces where LWAP plugs in.

3850(config)#

3850(config-if)#description AP

Note: With the 3850 switch, the LWAP needs to be directly connected to the switch.

Step 2 Assign wireless management VLAN.

Enabling 802.1X globally on the switch does not actually enable authentication on any of the switchports. Authentication will be configured, but not enabled until we configure Monitor Mode.

3850(config-if)#

3850(config-if)#switchport access vlan 80

Note: The 3850 introduces a new way of discovering LWAPs by using the CAPWAP snooping feature. There is no need to configure DHCP option 43 or a DNS entry for the 3850 wireless management IP address.

3850(config-if)#

Step 4 Enable the interface.

3850(config-if)#

Step 5 Validate AP status.

After the APs have been upgraded and rebooted, validate that all APs are running in Local mode and the Country setting is correct. Also, make sure all APs show a Status of Joined.

3850#show ap status

3850#show ap join stats summary

Note: Currently the 3850 only supports LWAPs in Local, Monitor, se-connect, and sniffer mode. If the LWAP was previously configured in FlexConnect mode, then run the ‘ap name {AP_NAME} mode local’ command.


Sample output

3850#show ap status
AP Name               Status    Mode    Country
-------------------------------------------------
AP4c4e.350d.35f8      Enabled   Local   US
APd48c.b5e4.3b88      Enabled   Local   US
AP4c4e.35c7.1572      Enabled   Local   US
AP44d3.ca42.58cd      Enabled   Local   US

3850#show ap join stats summary
Number of APs : 4
Base MAC          Ethernet MAC      AP Name              IP Address        Status
----------------------------------------------------------------------------------
20bb.c067.fda0    4c4e.350d.35f8    AP4c4e.350d.35f8     192.168.80.103    Joined
34bd.c890.52f0    d48c.b5e4.3b88    APd48c.b5e4.3b88     192.168.80.101    Joined
5006.046e.f300    4c4e.35c7.1572    AP4c4e.35c7.1572     192.168.80.100    Joined
64d9.8946.b160    44d3.ca42.58cd    AP44d3.ca42.58cd     192.168.80.102    Joined
3850#

Step 6 Save configuration.


3850 Example Configuration

hostname 3850
!
aaa new-model
aaa session-id common
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting update periodic 15
!
aaa server radius dynamic-author
 client 192.168.201.88 server-key cisco123
 auth-type any
!
vlan 80
 name AP_VLAN
vlan 30
 name WLAN_USER
vlan 40
 name WLAN_GUEST
!
interface vlan 80
 ip address 192.168.80.1
 ip helper 192.168.201.72
 no shut
interface vlan 30
 ip address 192.168.30.1
 ip helper 192.168.201.72
 ip helper 192.168.201.88
 no shut
interface vlan 40
 ip address 192.168.40.1
 ip helper 192.168.201.72
 ip helper 192.168.201.88
 no shut
!
ip device tracking
!
ip dhcp snooping vlan 30,40
no ip dhcp snooping information option
ip dhcp snooping
!
ip domain-name example.com
!
crypto key generate rsa general-keys modulus 2048
!
dot1x system-auth-control
!
ip http server
ip http secure-server
ip http secure-active-session-modules none
ip http active-session-modules none
!
ip access-list extended REDIRECT-ACL
 deny udp any host 192.168.201.72 eq 53
 deny udp any eq bootpc host 192.168.201.72 eq bootps
 deny ip any host 192.168.201.88
 permit ip any any
!
ip radius source-interface Vlan201
snmp-server community cisco123 RO
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail mac-only
radius-server dead-criteria time 10 tries 3
radius-server host 192.168.201.88 auth-port 1812 acct-port 1813 test username radius-test idle-time 5 key cisco123
radius-server deadtime 15
radius-server vsa send accounting
radius-server vsa send authentication
!
wireless mobility controller
wireless management interface Vlan80
wireless client fast-ssid-change
wireless mgmt-via-wireless
wireless client user-timeout 7200
captive-portal-bypass
!
wlan example_secure 1 example_secure
 aaa-override
 client vlan 30
 nac
 ip dhcp required
 session-timeout 86400
 no shutdown
!
wlan example_open 2 example_open
 aaa-override
 client vlan 40
 mac-filtering default
 nac
 ip dhcp required
 no security wpa
 no security wpa akm dot1x
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 session-timeout 7200
 no shutdown
!
interface GigabitEthernet 1/0/17
 description Server
 switchport mode access
 switchport access vlan 201
 ip dhcp snooping trust
 spanning-tree portfast
 no shut
!
interface GigabitEthernet 1/0/9
 description AP
 switchport mode access
 switchport access vlan 80
 spanning-tree portfast
 no shut

ISE Configuration

There are no specific configurations for ISE to integrate with 3850 switches for wireless access. The 3850 can be integrated in the same way as Catalyst switches to support advanced ISE features such as CWA, BYOD, and Posture Assessment. While this document covers policies related to BYOD, please refer to the BYOD how-to guide for configuring the underlying services to enable BYOD. This includes configuration of the CA server, external identity sources, and supplicant provisioning policy.

Create Identity Sequence

We will create an identity sequence to process authentication requests for the secure SSID. This sequence will authenticate endpoints via certificate, AD, or the internal user database.

Step 1 Log in to the ISE primary admin node.

Step 2 Navigate to Administration > Identity Management > Identity Source Sequences.

Step 3 Click ‘Add’.

Step 4 Create a sequence with the following name: ‘CAP_AD_Internal’.

Figure 2.

Step 5 Click Save.

Enable policy Set

The policy set feature within ISE 1.2 allows administrators to create complex identity policies. In this document we will create two policy sets that map to each of the WLANs, and create the underlying policies within each policy set. This provides clarity on how policies apply to each use case within the ISE policy structure.

Step 1 To enable the policy set feature, navigate to Administration > System > Settings > Policy Sets.

Step 2 Select ‘Enabled’ and click ‘Save’.

Note: Once the policy set feature is enabled, the policy will need to be recreated if one wants to go back to classic mode. However, the initial policy is copied to the default policy set when the feature is enabled.

Procedure 1 Create Downloadable ACL

Here, we will be creating a DACL (Downloadable ACL) to apply during Authorization.

Step 1 Navigate to Policy > Policy Elements > Results > Authorization > Downloadable ACLs.

Step 2 Click on Add to create the DACL with the following parameters:

Name: INTERNET-ONLY
DACL Content:
permit udp any host 192.168.201.72 eq domain
permit udp any any eq bootpc
deny ip any any

Step 3 Click ‘Save’.
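The switch-local REDIRECT-ACL configured earlier and the INTERNET-ONLY dACL just created decide which client traffic escapes web redirection and which traffic a client may send while it holds the INTERNET-ONLY authorization. The following Python evaluator is an added example, not part of the guide: it parses both ACLs exactly as written and applies first-match semantics to constructed client flows (the client address 192.168.40.25, the public web address 203.0.113.10, and the source ports are assumptions). In a redirect ACL a permit match means the flow is captured and redirected to ISE, while a deny match lets it pass untouched; in the dACL, permit means forwarded.

```python
# Evaluator for the two ACLs this guide configures. Added example; it models only
# the extended-ACL syntax the guide uses (ip/udp, any/host, optional "eq <port>").
# ACL text and server addresses come from the guide; the flows are constructed.
from dataclasses import dataclass

NAMED_PORTS = {"domain": 53, "bootpc": 68, "bootps": 67, "www": 80}


@dataclass(frozen=True)
class Flow:
    proto: str      # "udp", "tcp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


def _parse_host(tokens, i):
    """Parse 'any' or 'host A.B.C.D' at tokens[i]; return (address or None, next index)."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    raise ValueError("unsupported address form: " + tokens[i])


def _parse_port(tokens, i):
    """Parse an optional 'eq <port>' at tokens[i]; return (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (NAMED_PORTS[p] if p in NAMED_PORTS else int(p)), i + 2
    return None, i


def parse_acl(text):
    """Turn extended-ACL lines into (action, proto, src, sport, dst, dport) tuples."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] not in ("permit", "deny"):
            continue
        action, proto = t[0], t[1]
        src, i = _parse_host(t, 2)
        sport, i = _parse_port(t, i)
        dst, i = _parse_host(t, i)
        dport, i = _parse_port(t, i)
        entries.append((action, proto, src, sport, dst, dport))
    return entries


def acl_action(entries, flow):
    """First-match evaluation; a flow that matches nothing hits the implicit deny."""
    for action, proto, src, sport, dst, dport in entries:
        if proto != "ip" and proto != flow.proto:
            continue
        if src is not None and src != flow.src:
            continue
        if sport is not None and sport != flow.sport:
            continue
        if dst is not None and dst != flow.dst:
            continue
        if dport is not None and dport != flow.dport:
            continue
        return action
    return "deny"


# ACL text as configured on the switch and in ISE (from the guide).
REDIRECT_ACL = """
deny udp any host 192.168.201.72 eq 53
deny udp any eq bootpc host 192.168.201.72 eq bootps
deny ip any host 192.168.201.88
permit ip any any
"""

INTERNET_ONLY_DACL = """
permit udp any host 192.168.201.72 eq domain
permit udp any any eq bootpc
deny ip any any
"""


def is_redirected(flow):
    """True when the switch intercepts the flow and redirects it to the ISE portal."""
    return acl_action(parse_acl(REDIRECT_ACL), flow) == "permit"


def internet_only_allows(flow):
    """True when the INTERNET-ONLY dACL forwards the flow."""
    return acl_action(parse_acl(INTERNET_ONLY_DACL), flow) == "permit"


if __name__ == "__main__":
    client = "192.168.40.25"  # constructed guest-VLAN client address
    flows = [
        Flow("udp", client, 51000, "192.168.201.72", 53),   # DNS to the internal server
        Flow("tcp", client, 51001, "203.0.113.10", 80),     # HTTP to a public site
        Flow("tcp", client, 51002, "192.168.201.88", 8443), # portal traffic to ISE
    ]
    for f in flows:
        print(f.dst, f.dport, "redirected" if is_redirected(f) else "passes",
              "/ dACL", "permit" if internet_only_allows(f) else "deny")
```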

Procedure 2 Configure Authorization Profile

Here, we will be creating three authorization profiles.

Step 1 Navigate to Policy > Policy Elements > Results > Authorization > Authorization Profiles.

Step 2 Click on Add to create the NSP Authorization Profile with the following parameters:

Name: NSP
Common Tasks: Web Redirection
Web Redirection Type: Native Supplicant Provisioning
ACL: REDIRECT-ACL

Step 3 Click ‘Save’.

Step 4 Click on Add to create the WebAuth Authorization Profile with the following parameters:

Name: WebAuth
Common Tasks: Web Redirection
Web Redirection Type:
ACL: REDIRECT-ACL

Step 5 Click ‘Save’.

Step 6 Click on Add to create the Internet Authorization Profile with the following parameters:

Name: Internet
Common Tasks: DACL Name
ACL: INTERNET-ONLY

Step 7 Click ‘Save’.

Configure Policy

Step 1 Navigate to Policy > Policy Set.

Step 2 Click on the ‘+’ sign on the left pane and click ‘Create Above’.

Figure 3.

Figure 4.

Step 4 Click Submit.

Step 5 Define a policy set with ‘example_open’ as the name and the following parameters:

Figure 5.


ISE Configuration - Suppressing RADIUS test messages

You can configure collection filters to suppress syslog messages being sent to the monitoring and external servers. The suppression can be performed at the Policy Services Node level based on different attribute types. You can disable the suppression as well. You can define multiple filters with a specific attribute type and corresponding value.

Note: It is recommended to limit the number of collection filters to 20.

Configure ISE to suppress RADIUS test messages

Step 1 Log in to the ISE primary admin node.

Step 2 Navigate to Administration > System > Logging.

Step 3 Click on Collection Filters on the left pane.

Step 4 Click on Add at the top of the right pane.

Figure 6.

Step 5 Select ‘User Name’ from the Attribute pull-down menu.

Step 6 Enter ‘radius-test’ for Value.

Step 7 Select ‘Filter All’ from the Filter Type pull-down menu.

Step 8 Click Save.
