Universal Wireless Controller Configuration for Cisco Identity Services Engine
Secure Access How-To Guide Series
Author: Hosuk Won
Date: November 2015
SECURE ACCESS HOW-TO GUIDES
Table of Contents
Introduction ... 3
  What Is Cisco Identity Services Engine? ... 3
  Cisco Wireless Controllers ... 3
  About This Document ... 4
Configuration ... 5
  Initial Configuration ... 5
  Controller Configuration ... 6
  Security Configuration ... 8
  WLAN Configuration ... 12
  Management Configuration ... 16
Appendix A: Sample Configuration ... 17
  Configuration for WLC Running 8.x Code ... 17
  Configuration for Cisco IOS Switch Interface Connected to the WLC ... 20
  Configuration for Cisco IOS Switch SVI ... 20
Appendix B: Design Considerations ... 21
  FlexConnect AP & WLAN ... 21
  Auto-Anchored WLAN ... 23
Cisco Systems © 2016
Page 2
Introduction
What Is Cisco Identity Services Engine?
Cisco Identity Services Engine (ISE) is an all-in-one enterprise policy control product that enables comprehensive
secure wired, wireless, and Virtual Private Networking (VPN) access.
Cisco ISE offers a centralized control point for comprehensive policy management and enforcement in a single
RADIUS-based product. The unique architecture of Cisco ISE allows enterprises to gather real-time contextual
information from networks, users, and devices. The administrator can then use that information to make proactive
governance decisions. Cisco ISE is an integral component of Cisco Secure Access.
Cisco Secure Access is an advanced Network Access Control and Identity Solution that is integrated into the Network
Infrastructure. It is a fully tested, validated solution where all the components within the solution are thoroughly vetted
and rigorously tested as an integrated system.
Cisco Wireless Controllers
Unlike overlay Network Access Control solutions, Cisco Secure Access uses the access layer devices (switches,
wireless controllers, etc.) for enforcement. The access device itself now handles functions that were commonly
handled by appliances and other overlay devices, such as URL redirection for web authentication.
Cisco Secure Access not only combines standards-based identity and enforcement models, such as IEEE 802.1X
and VLAN control; it also provides many more advanced identity and enforcement capabilities such as URL redirect,
named access control lists (AireSpace ACLs), Security Group Tagging (SGT), device profiling, guest and web
authentication services, posture assessment, and integration with leading Mobile Device Management (MDM)
vendors for compliance validation of mobile devices before and during network access.
About This Document
The following section describes the “universal configuration” for Cisco® Wireless LAN Controllers (WLC). These
recommended configurations are compiled as a best practice to be used for all deployments, and they remain consistent
through the different stages of deployment as well as across the different deployment types chosen.
The following diagram shows the overall layout of the components. There are two access VLANs: ACCESS VLAN
for employee users and GUEST VLAN for guest users. Although this document does not include ISE policy configuration
such as BYOD, posture assessment, and profiling, the configuration provided here is the baseline for those
operations.
Figure 1. Components
In the appendix, there are sample configurations that can be copied and pasted with minimal modification. Also in the
appendix are the additional configurations that pertain to FlexConnect mode WLAN/AP and WLANs configured in
Auto-Anchor mode.
Configuration
Initial Configuration
This section covers initial bootstrapping of WLC using the CLI-based configuration tool.
Table 1. Initial Configuration
Option                             Value
Management Interface IP            10.1.60.61
Management Interface Mask          255.255.255.0
Management Interface Gateway       10.1.60.1
Management Interface VLAN ID       0 (Untagged)
Management Interface Port Number   1
Virtual Gateway IP                 192.0.2.1
Mobility/RF Group Name             Main
NTP Server IP                      10.1.60.1
Note: Initial Configuration applies to new WLC with no prior configuration. If the ISE-related configurations are
being added to a WLC with existing configuration, then proceed to the Controller Configuration section.
Step 1
Connect to the console port of the WLC or use virtual console for vWLC. Refer to the following settings to
bootstrap the WLC.
(Cisco Controller)
Welcome to the Cisco Wizard Configuration Tool
Use the '-' character to backup
Would you like to terminate autoinstall? [yes]:yes
AUTO-INSTALL: process terminated -- no configuration loaded
System Name [Cisco_91:e2:64] (31 characters max):
Enter Administrative User Name (24 characters max): admin
Enter Administrative Password (3 to 24 characters): ********
Re-enter Administrative Password: ********
Service Interface IP Address Configuration [static][DHCP]:dhcp
Enable Link Aggregation (LAG) [yes][NO]: no
Management Interface IP Address: 10.1.60.61
Management Interface Netmask: 255.255.255.0
Management Interface Default Router: 10.1.60.1
Management Interface VLAN Identifier (0 = untagged): 0
Management Interface Port Num [1 to 8]: 1
Management Interface DHCP Server IP Address: 10.1.100.100
Virtual Gateway IP Address: 192.0.2.1
Mobility/RF Group Name: Main
Network Name (SSID): EXAMPLE
Configure DHCP Bridging Mode [yes][NO]: no
Allow Static IP Addresses [YES][no]: no
Configure a RADIUS Server now? [YES][no]: no
Warning! The default WLAN security policy requires a RADIUS server.
Please see documentation for more details.
Enter Country Code list (enter 'help' for a list of countries) [US]:us
Enable 802.11b Network [YES][no]: yes
Enable 802.11a Network [YES][no]: yes
Enable 802.11g Network [YES][no]: yes
Enable Auto-RF [YES][no]: yes
Configure a NTP server now? [YES][no]: yes
Enter the NTP server's IP address: 10.1.60.1
Enter a polling interval between 3600 and 604800 secs: 3600
Configuration correct? If yes, system will save it and reset. [yes][NO]: yes
We recommend that you set the Cisco WLC virtual gateway address to 192.0.2.1. The address you use
must be a non-routed IP with a fully qualified domain name (FQDN) mapped in the Domain Name System
(DNS). This FQDN/IP address should be included in the certificates generated by your CA. This configuration
stops users from seeing “untrusted certificate” errors when they are redirected to the WLC’s virtual
gateway.
Step 2
After the WLC resets, configure the rest of the WLC settings. This guide includes both GUI and CLI-based
configuration for the following sections.
Note: The SSID named ‘EXAMPLE’ configured during initialization is not used in this guide and can be
removed by running the following command after the WLC resets.
(WLC) >config wlan delete 1
Controller Configuration
This section covers configuration related to the controller. This includes interface and VLAN
configurations for endpoint devices and global controller settings.
Table 2. Interface Configuration
Options          Employee         Guest
Interface Name   ACCESS           GUEST
VLAN ID          10               50
Dynamic IP       10.1.10.61       10.1.50.61
Subnet Mask      255.255.255.0    255.255.255.0
Gateway          10.1.10.1        10.1.50.1
DHCP Server      10.1.200.10      10.1.200.10
Port             1                1
Step 3
Configure dynamic interfaces. For GUI, go to Controller > Interfaces.
(WLC) >config interface create ACCESS 10
(WLC) >config interface create GUEST 50
Step 4
Assign a physical port to the dynamic interfaces created above. In this example, all interfaces are assigned
to the same physical port and use trunking.
(WLC) >config interface port ACCESS 1
(WLC) >config interface port GUEST 1
Step 5
Configure IP addresses on the interfaces.
(WLC) >config interface address dynamic-interface ACCESS 10.1.10.61 255.255.255.0 10.1.10.1
(WLC) >config interface address dynamic-interface GUEST 10.1.50.61 255.255.255.0 10.1.50.1
Step 6
Configure DHCP server for user interfaces.
(WLC) >config interface dhcp dynamic-interface ACCESS primary 10.1.200.10
(WLC) >config interface dhcp dynamic-interface GUEST primary 10.1.200.10
Step 7
Disable DHCP proxy globally and use the router’s SVI to forward DHCP requests to the DHCP server. For
GUI, go to Controller > Advanced > DHCP.
(WLC) >config dhcp proxy disable
Note: When DHCP proxy is disabled, the WLC bridges DHCP requests to the upstream router. The upstream
router should be configured with ‘ip helper-address’ entries for the DHCP server and for an ISE PSN node (for
profiling). While the WLC device sensor can capture DHCP attributes for ISE, it lacks several
DHCP attributes, such as the DHCP options attribute. By configuring the upstream router to also forward DHCP
requests to the ISE node, ISE can collect additional DHCP information for profiling.
Step 8
(Optional) Enable the fast-ssid-change feature to accommodate Apple devices transitioning between
SSIDs in a dual-SSID deployment. For GUI, go to Controller > General.
(WLC) >config network fast-ssid-change enable
Note: When fast SSID changing is enabled, the controller allows clients to move between SSIDs. When the
client sends a new association for a different SSID, the client entry in the controller connection table is
cleared before the client is added to the new SSID. When fast SSID changing is disabled, the controller
enforces a delay before clients are allowed to move to a new SSID, which impacts user experience in dual
SSID BYOD deployment.
Security Configuration
This section covers security-related configuration, which includes RADIUS servers and ACLs. The RADIUS
servers use ID values 11 and 12 so as not to overwrite any existing RADIUS settings.
Step 9
Create a RADIUS Authentication server. In this example, there are two ISE nodes, 10.1.200.11 and
10.1.200.12. CoA is enabled, and the timeout is set to 5 seconds (the default is 2 seconds). Device Management via
RADIUS is disabled, and these RADIUS servers are dedicated to network user authentication. For GUI
configuration, go to Security > AAA > RADIUS > Authentication > New…
(WLC) >config radius auth add 11 10.1.200.11 1812 ascii ISEc0ld
(WLC) >config radius auth disable 11
(WLC) >config radius auth management 11 disable
(WLC) >config radius auth retransmit-timeout 11 5
(WLC) >config radius auth rfc3576 enable 11
(WLC) >config radius auth enable 11
(WLC) >config radius auth add 12 10.1.200.12 1812 ascii ISEc0ld
(WLC) >config radius auth disable 12
(WLC) >config radius auth management 12 disable
(WLC) >config radius auth retransmit-timeout 12 5
(WLC) >config radius auth rfc3576 enable 12
(WLC) >config radius auth enable 12
Step 10
(Optional) Ensure that the MAC address format sent in the Calling-Station-ID field matches what ISE expects. This
should be the default setting.
(WLC) >config radius auth mac-delimiter hyphen
Step 11
(Optional) Configure the format of the RADIUS Called-Station-ID attribute to carry additional information.
The default format is APMAC:SSID. The options for this attribute vary depending on the WLC code
version. This field can be used for location-based authentication, using the location of the AP the
endpoint associated to for its initial authentication.
(WLC) >config radius callStationIdType ap-macaddr-ssid
Note: This is different from MSE location integration, which determines endpoint location by Wi-Fi triangulation.
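To show what these two attributes carry once the formats above are in place, here is a small Python helper added as an example (it is not from the guide or from ISE/WLC code): it splits a Called-Station-ID in APMAC:SSID form, normalises MAC delimiters so a Calling-Station-ID is matched the same way whether it arrives with hyphens or colons, and looks the AP up in a constructed AP-to-location table to make a location-based authorization decision. The AP inventory, the MAC values and the policy function are assumptions made for this example.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed AP inventory for this example: AP radio MAC (12 hex digits) -> location label.
AP_LOCATIONS: Dict[str, str] = {
    "001122334455": "HQ-Lobby",
    "00aabbccddee": "HQ-Floor3",
}


def normalize_mac(value: str) -> str:
    """Return a MAC as 12 lowercase hex digits, accepting hyphen, colon or
    dotted (xxxx.xxxx.xxxx) delimiters; raise ValueError for anything else."""
    digits = re.sub(r"[-:.]", "", value.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {value!r}")
    return digits


def parse_called_station_id(value: str) -> Tuple[str, Optional[str]]:
    """Split the ap-macaddr-ssid format (APMAC:SSID) into (AP MAC, SSID).
    The AP MAC is hyphen-delimited as configured in Step 10, so the first
    colon separates it from the SSID; an SSID may itself contain colons."""
    mac_part, sep, ssid = value.partition(":")
    return normalize_mac(mac_part), (ssid if sep else None)


def describe_request(called_station_id: str, calling_station_id: str) -> Dict[str, str]:
    """Return what an authorization policy can key on from the two station IDs."""
    ap_mac, ssid = parse_called_station_id(called_station_id)
    return {
        "endpoint": normalize_mac(calling_station_id),
        "ap": ap_mac,
        "ssid": ssid or "",
        "location": AP_LOCATIONS.get(ap_mac, "unknown"),  # unknown AP -> no location claim
    }


def allowed_at_location(called_station_id: str, calling_station_id: str,
                        ssid: str, permitted_locations: Tuple[str, ...]) -> bool:
    """Location-based authorization decision (assumed policy for this example):
    the request must arrive on the expected SSID from an AP in a permitted location."""
    req = describe_request(called_station_id, calling_station_id)
    return req["ssid"] == ssid and req["location"] in permitted_locations


if __name__ == "__main__":
    # Constructed values: AP 00-11-22-33-44-55 on SSID ISE, endpoint a4-5e-60-01-02-03
    print(describe_request("00-11-22-33-44-55:ISE", "a4-5e-60-01-02-03"))
```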
Step 12
Configure RADIUS fallback mode so the primary ISE node is used when it is back online. Without this
option, a second or tertiary server is used, even if the primary server is back online. For GUI, go to Security
> AAA > RADIUS > Fallback.
(WLC) >config radius fallback-test username RADIUS-TEST
(WLC) >config radius fallback-test mode active
Note: Selecting active causes the Cisco WLC to revert to a server with a lower priority from the available
backup servers. To select a server, it uses RADIUS probe messages to proactively determine whether a
server that has been marked inactive is back online. The controller ignores all inactive servers for all active
RADIUS requests. Selecting passive mode causes the Cisco WLC to revert to a server with a lower priority
from the available backup servers without using extraneous probe messages. The controller ignores all
inactive servers for a time period, and retries later when a RADIUS message needs to be sent.
Step 13
(Optional) The interval specifies the probe interval in the case of active mode fallback or inactive time in
the case of passive mode fallback. The default value is 300 seconds.
(WLC) >config radius fallback-test mode interval 300
Step 14
Disable the RADIUS aggressive failover mechanism so the RADIUS server is not marked dead erroneously.
(WLC) >config radius aggressive-failover disable
Note: With aggressive failover enabled, the WLC marks the AAA server as "not responding" too readily.
The AAA server may be unresponsive only to a particular client (for example, when silent discard is configured)
while still responding to other valid clients with valid certificates; the WLC can nevertheless mark the AAA
server as "not responding" and "not functional". To avoid this, disable the aggressive failover feature. When it is
disabled, the controller only fails over to the next AAA server if three consecutive clients fail to receive a
response from the RADIUS server.
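The failover behaviour described in this note, modelled in Python as an added example (it is neither the guide's nor the WLC's code): a server record counts consecutive distinct clients that receive no RADIUS response, marks the server dead at three when aggressive failover is disabled (the figure given in the note), and at one when it is enabled (an assumption made here, since the note only says the WLC is too aggressive). Counting a retrying client once is also a modelling choice; the client MACs and scenarios are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Threshold stated in the guide for aggressive failover disabled: three consecutive
# clients without a response. For aggressive failover enabled this model assumes a
# single client timeout is enough (the guide only says the WLC is "too aggressive").
THRESHOLD_NORMAL = 3
THRESHOLD_AGGRESSIVE = 1


@dataclass
class RadiusServerHealth:
    """Model (not the WLC's implementation) of when a RADIUS server gets marked
    'not responding'. 'Consecutive clients' is counted as distinct client MACs
    with no intervening successful response, so one client retrying counts once."""
    server_id: int
    aggressive_failover: bool
    failed_clients: List[str] = field(default_factory=list)
    marked_dead: bool = False

    def observe(self, client_mac: str, got_response: bool) -> bool:
        """Record one authentication attempt; return whether the server is now marked dead."""
        if self.marked_dead:
            return True
        if got_response:
            self.failed_clients.clear()  # any reply from the server proves it is alive
            return False
        if client_mac not in self.failed_clients:
            self.failed_clients.append(client_mac)
        threshold = THRESHOLD_AGGRESSIVE if self.aggressive_failover else THRESHOLD_NORMAL
        self.marked_dead = len(self.failed_clients) >= threshold
        return self.marked_dead


def server_marked_dead(aggressive: bool, events: List[Tuple[str, bool]]) -> bool:
    """Replay (client MAC, got_response) events against a fresh server record."""
    health = RadiusServerHealth(server_id=11, aggressive_failover=aggressive)
    for mac, ok in events:
        health.observe(mac, ok)
    return health.marked_dead


# Constructed scenario: one endpoint never gets an answer (e.g. ISE silently discards
# its requests) while other endpoints keep authenticating normally.
SILENT_DISCARD_ONE_CLIENT = [
    ("aa-bb-cc-00-00-01", False),
    ("aa-bb-cc-00-00-02", True),
    ("aa-bb-cc-00-00-01", False),
    ("aa-bb-cc-00-00-03", True),
    ("aa-bb-cc-00-00-01", False),
]
# Constructed scenario: the server is genuinely unreachable for everyone.
REAL_OUTAGE = [
    ("aa-bb-cc-00-00-01", False),
    ("aa-bb-cc-00-00-02", False),
    ("aa-bb-cc-00-00-03", False),
]

if __name__ == "__main__":
    for aggressive in (True, False):
        print(f"aggressive={aggressive}: "
              f"silent discard -> dead={server_marked_dead(aggressive, SILENT_DISCARD_ONE_CLIENT)}, "
              f"real outage -> dead={server_marked_dead(aggressive, REAL_OUTAGE)}")
```

With aggressive failover enabled the single silently-discarded client is enough to mark the server dead; with it disabled the server survives that scenario and is only marked dead in the real outage.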
Step 15
Create RADIUS Accounting servers. For GUI, go to Security > AAA > RADIUS > Accounting > New…
(WLC) >config radius acct add 11 10.1.200.11 1813 ascii ISEc0ld
(WLC) >config radius acct disable 11
(WLC) >config radius acct retransmit-timeout 11 5
(WLC) >config radius acct enable 11
(WLC) >config radius acct add 12 10.1.200.12 1813 ascii ISEc0ld
(WLC) >config radius acct disable 12
(WLC) >config radius acct retransmit-timeout 12 5
(WLC) >config radius acct enable 12
Step 16
Create the ACL_WEBAUTH_REDIRECT ACL. For GUI, go to Security > Access Control Lists > Access
Control Lists > New…
(WLC) >config acl delete ACL_WEBAUTH_REDIRECT
(WLC) >config acl create ACL_WEBAUTH_REDIRECT
(WLC) >config acl rule add ACL_WEBAUTH_REDIRECT 1
(WLC) >config acl rule action ACL_WEBAUTH_REDIRECT 1 permit
(WLC) >config acl rule protocol ACL_WEBAUTH_REDIRECT 1 6
(WLC) >config acl rule source port range ACL_WEBAUTH_REDIRECT 1 0 65535
(WLC) >config acl rule destination address ACL_WEBAUTH_REDIRECT 1 10.1.200.12 255.255.255.255
(WLC) >config acl rule destination port range ACL_WEBAUTH_REDIRECT 1 8443 8444
(WLC) >config acl rule add ACL_WEBAUTH_REDIRECT 1
(WLC) >config acl rule action ACL_WEBAUTH_REDIRECT 1 permit
(WLC) >config acl rule protocol ACL_WEBAUTH_REDIRECT 1 6
(WLC) >config acl rule source address ACL_WEBAUTH_REDIRECT 1 10.1.200.12 255.255.255.255
(WLC) >config acl rule source port range ACL_WEBAUTH_REDIRECT 1 8443 8444
(WLC) >config acl rule destination port range ACL_WEBAUTH_REDIRECT 1 0 65535
(WLC) >config acl rule add ACL_WEBAUTH_REDIRECT 1
(WLC) >config acl rule action ACL_WEBAUTH_REDIRECT 1 permit
(WLC) >config acl rule protocol ACL_WEBAUTH_REDIRECT 1 6
(WLC) >config acl rule source port range ACL_WEBAUTH_REDIRECT 1 0 65535
(WLC) >config acl rule destination address ACL_WEBAUTH_REDIRECT 1 10.1.200.12 255.255.255.255
(WLC) >config acl rule destination port range ACL_WEBAUTH_REDIRECT 1 8905 8905
(WLC) >config acl rule add ACL_WEBAUTH_REDIRECT 1
(WLC) >config acl rule action ACL_WEBAUTH_REDIRECT 1 permit
(WLC) >config acl rule protocol ACL_WEBAUTH_REDIRECT 1 6
(WLC) >config acl rule source address ACL_WEBAUTH_REDIRECT 1 10.1.200.12 255.255.255.255
(WLC) >config acl rule source port range ACL_WEBAUTH_REDIRECT 1 8905 8905
(WLC) >config acl rule destination port range ACL_WEBAUTH_REDIRECT 1 0 65535
(WLC) >config acl rule add ACL_WEBAUTH_REDIRECT 1
(WLC) >config acl rule action ACL_WEBAUTH_REDIRECT 1 permit
(WLC) >config acl rule protocol ACL_WEBAUTH_REDIRECT 1 6
(WLC) >config acl rule source port range ACL_WEBAUTH_REDIRECT 1 0 65535
(WLC) >config acl rule destination address ACL_WEBAUTH_REDIRECT 1 10.1.200.11 255.255.255.255
(WLC) >config acl rule destination port range ACL_WEBAUTH_REDIRECT 1 8443 8444
(WLC) >config acl rule add ACL_WEBAUTH_REDIRECT 1
(WLC) >config acl rule action ACL_WEBAUTH_REDIRECT 1 permit
(WLC) >config acl rule protocol ACL_WEBAUTH_REDIRECT 1 6
(WLC) >config acl rule source address ACL_WEBAUTH_REDIRECT 1 10.1.200.11 255.255.255.255
(WLC) >config acl rule source port range ACL_WEBAUTH_REDIRECT 1 8443 8444
(WLC) >config acl rule destination port range ACL_WEBAUTH_REDIRECT 1 0 65535
(WLC) >config acl rule add ACL_WEBAUTH_REDIRECT 1
(WLC) >config acl rule action ACL_WEBAUTH_REDIRECT 1 permit
(WLC) >config acl rule protocol ACL_WEBAUTH_REDIRECT 1 6
(WLC) >config acl rule source port range ACL_WEBAUTH_REDIRECT 1 0 65535
(WLC) >config acl rule destination address ACL_WEBAUTH_REDIRECT 1 10.1.200.11 255.255.255.255
(WLC) >config acl rule destination port range ACL_WEBAUTH_REDIRECT 1 8905 8905
(WLC) >config acl rule add ACL_WEBAUTH_REDIRECT 1
(WLC) >config acl rule action ACL_WEBAUTH_REDIRECT 1 permit
(WLC) >config acl rule protocol ACL_WEBAUTH_REDIRECT 1 6
(WLC) >config acl rule source address ACL_WEBAUTH_REDIRECT 1 10.1.200.11 255.255.255.255
(WLC) >config acl rule source port range ACL_WEBAUTH_REDIRECT 1 8905 8905
(WLC) >config acl rule destination port range ACL_WEBAUTH_REDIRECT 1 0 65535
(WLC) >config acl rule add ACL_WEBAUTH_REDIRECT 1
(WLC) >config acl rule action ACL_WEBAUTH_REDIRECT 1 permit
(WLC) >config acl rule protocol ACL_WEBAUTH_REDIRECT 1 17
(WLC) >config acl rule source port range ACL_WEBAUTH_REDIRECT 1 0 65535
(WLC) >config acl rule destination port range ACL_WEBAUTH_REDIRECT 1 53 53
(WLC) >config acl rule add ACL_WEBAUTH_REDIRECT 1
(WLC) >config acl rule action ACL_WEBAUTH_REDIRECT 1 permit
(WLC) >config acl rule protocol ACL_WEBAUTH_REDIRECT 1 17
(WLC) >config acl rule source port range ACL_WEBAUTH_REDIRECT 1 53 53
(WLC) >config acl rule destination port range ACL_WEBAUTH_REDIRECT 1 0 65535
Step 17
(Optional) If desired, DNS ACL entries can be added to the redirect ACL. This allows endpoint access to
the Google Play store during the NSP process.
(WLC) >config acl url-domain add play.google.com ACL_WEBAUTH_REDIRECT
(WLC) >config acl url-domain add android.clients.google.com ACL_WEBAUTH_REDIRECT
(WLC) >config acl url-domain add www.googleapis.com ACL_WEBAUTH_REDIRECT
(WLC) >config acl url-domain add ggpht.com ACL_WEBAUTH_REDIRECT
(WLC) >config acl url-domain add android.pool.ntp.org ACL_WEBAUTH_REDIRECT
(WLC) >config acl url-domain add market.android.com ACL_WEBAUTH_REDIRECT
(WLC) >config acl url-domain add mtalk.google.com ACL_WEBAUTH_REDIRECT
(WLC) >config acl url-domain add gvt1.com ACL_WEBAUTH_REDIRECT
Note: Client devices with a language setting other than English may require additional domains to be added.
Up to 20 domain entries can be added per ACL.
Step 18
Apply the ACL to the data path.
(WLC) >config acl apply ACL_WEBAUTH_REDIRECT
Note: When a client is in a redirect state such as POSTURE_REQ, CWA, or Client Provisioning, the
default behavior of the WLC is to block all traffic except DHCP/DNS. The
ACL_WEBAUTH_REDIRECT ACL (which is named in the url-redirect-acl AV pair received from Cisco
ISE) is applied to the client, and the client can reach only resources specifically allowed in the ACL.
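As an added illustration (not part of the original guide and not Cisco code), the following Python model replays the guide's own ‘config acl’ lines for ACL_WEBAUTH_REDIRECT (reduced to one PSN, 10.1.200.11, plus the DNS rules and one url-domain entry) into a rule table and then evaluates sample client packets against it, so the effect described in the note above can be checked offline. The packet addresses, the assumption that ‘rule add <acl> 1’ inserts at position 1 and shifts earlier rules down, and the subdomain matching of url-domain entries are modelling choices made for this example; the 20-entry url-domain limit is the one stated in Step 17.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the guide's CLI lines for ACL_WEBAUTH_REDIRECT, reduced
# to one PSN (10.1.200.11), the DNS rules and one url-domain entry.
SAMPLE_CLI = """
config acl delete ACL_WEBAUTH_REDIRECT
config acl create ACL_WEBAUTH_REDIRECT
config acl rule add ACL_WEBAUTH_REDIRECT 1
config acl rule action ACL_WEBAUTH_REDIRECT 1 permit
config acl rule protocol ACL_WEBAUTH_REDIRECT 1 6
config acl rule source port range ACL_WEBAUTH_REDIRECT 1 0 65535
config acl rule destination address ACL_WEBAUTH_REDIRECT 1 10.1.200.11 255.255.255.255
config acl rule destination port range ACL_WEBAUTH_REDIRECT 1 8443 8444
config acl rule add ACL_WEBAUTH_REDIRECT 1
config acl rule action ACL_WEBAUTH_REDIRECT 1 permit
config acl rule protocol ACL_WEBAUTH_REDIRECT 1 6
config acl rule source address ACL_WEBAUTH_REDIRECT 1 10.1.200.11 255.255.255.255
config acl rule source port range ACL_WEBAUTH_REDIRECT 1 8443 8444
config acl rule destination port range ACL_WEBAUTH_REDIRECT 1 0 65535
config acl rule add ACL_WEBAUTH_REDIRECT 1
config acl rule action ACL_WEBAUTH_REDIRECT 1 permit
config acl rule protocol ACL_WEBAUTH_REDIRECT 1 17
config acl rule source port range ACL_WEBAUTH_REDIRECT 1 0 65535
config acl rule destination port range ACL_WEBAUTH_REDIRECT 1 53 53
config acl url-domain add play.google.com ACL_WEBAUTH_REDIRECT
"""

MAX_URL_DOMAINS = 20  # per-ACL limit stated in the guide (Step 17)


@dataclass
class Rule:
    action: str = "permit"
    protocol: Optional[int] = None             # None = any IP protocol
    src: Optional[Tuple[int, int]] = None      # (network, mask) as integers
    dst: Optional[Tuple[int, int]] = None
    sport: Tuple[int, int] = (0, 65535)
    dport: Tuple[int, int] = (0, 65535)


@dataclass
class Acl:
    name: str
    rules: List[Rule] = field(default_factory=list)   # rules[0] is CLI index 1
    domains: List[str] = field(default_factory=list)


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_wlc_acl_config(text: str) -> Dict[str, Acl]:
    """Replay 'config acl ...' lines into ACL objects. Modelling assumption:
    'rule add <acl> <n>' inserts a fresh rule at position n and shifts the
    existing rules down, so the rule entered last ends up evaluated first."""
    acls: Dict[str, Acl] = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[:2] != ["config", "acl"]:
            continue
        verb = t[2]
        if verb == "create":
            acls[t[3]] = Acl(t[3])
        elif verb == "delete":
            acls.pop(t[3], None)
        elif verb == "url-domain" and t[3] == "add":
            acl = acls[t[5]]
            if len(acl.domains) >= MAX_URL_DOMAINS:
                raise ValueError(f"{acl.name}: more than {MAX_URL_DOMAINS} url-domain entries")
            acl.domains.append(t[4].lower())
        elif verb == "rule":
            if t[3] == "add":
                acls[t[4]].rules.insert(int(t[5]) - 1, Rule())
            elif t[3] == "action":
                acls[t[4]].rules[int(t[5]) - 1].action = t[6]
            elif t[3] == "protocol":
                acls[t[4]].rules[int(t[5]) - 1].protocol = int(t[6])
            elif t[3] in ("source", "destination") and t[4] == "address":
                rule = acls[t[5]].rules[int(t[6]) - 1]
                net = (_ip(t[7]) & _ip(t[8]), _ip(t[8]))
                setattr(rule, "src" if t[3] == "source" else "dst", net)
            elif t[3] in ("source", "destination") and t[4:6] == ["port", "range"]:
                rule = acls[t[6]].rules[int(t[7]) - 1]
                setattr(rule, "sport" if t[3] == "source" else "dport", (int(t[8]), int(t[9])))
    return acls


def acl_decision(acl: Acl, proto: int, src: str, sport: int, dst: str, dport: int) -> str:
    """First matching rule wins; no match is an implicit deny. For a client in a
    redirect state, 'permit' means the packet is forwarded (it bypasses redirection)
    and 'deny' means HTTP is redirected to ISE and other traffic is dropped."""
    for r in acl.rules:
        if r.protocol is not None and r.protocol != proto:
            continue
        if r.src and (_ip(src) & r.src[1]) != r.src[0]:
            continue
        if r.dst and (_ip(dst) & r.dst[1]) != r.dst[0]:
            continue
        if not (r.sport[0] <= sport <= r.sport[1] and r.dport[0] <= dport <= r.dport[1]):
            continue
        return r.action
    return "deny"


def domain_allowed(acl: Acl, fqdn: str) -> bool:
    """Modelling assumption: a url-domain entry matches the name itself and its subdomains."""
    fqdn = fqdn.lower().rstrip(".")
    return any(fqdn == d or fqdn.endswith("." + d) for d in acl.domains)


if __name__ == "__main__":
    acl = parse_wlc_acl_config(SAMPLE_CLI)["ACL_WEBAUTH_REDIRECT"]
    # Constructed packets from a client on the ACCESS VLAN (10.1.10.50).
    print(acl_decision(acl, 6, "10.1.10.50", 51000, "10.1.200.11", 8443))   # ISE portal: permit
    print(acl_decision(acl, 6, "10.1.10.50", 51000, "93.184.216.34", 80))   # other web: deny
```

Running it shows the only TCP traffic a redirected client gets through is to the PSN portal ports, while DNS passes in both directions and everything else falls to the implicit deny.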
Step 19
Create a BLACKHOLE ACL.
(WLC) >config acl delete BLACKHOLE
(WLC) >config acl create BLACKHOLE
(WLC) >config acl rule add BLACKHOLE 1
(WLC) >config acl rule action BLACKHOLE 1 permit
(WLC) >config acl rule protocol BLACKHOLE 1 6
(WLC) >config acl rule source port range BLACKHOLE 1 0 65535
(WLC) >config acl rule destination address BLACKHOLE 1 10.1.200.12 255.255.255.255
(WLC) >config acl rule destination port range BLACKHOLE 1 8444 8444
(WLC) >config acl rule add BLACKHOLE 1
(WLC) >config acl rule action BLACKHOLE 1 permit
(WLC) >config acl rule protocol BLACKHOLE 1 6
(WLC) >config acl rule source address BLACKHOLE 1 10.1.200.12 255.255.255.255
(WLC) >config acl rule source port range BLACKHOLE 1 8444 8444
(WLC) >config acl rule destination port range BLACKHOLE 1 0 65535
(WLC) >config acl rule add BLACKHOLE 1
(WLC) >config acl rule action BLACKHOLE 1 permit
(WLC) >config acl rule protocol BLACKHOLE 1 6
(WLC) >config acl rule source port range BLACKHOLE 1 0 65535
(WLC) >config acl rule destination address BLACKHOLE 1 10.1.200.11 255.255.255.255
(WLC) >config acl rule destination port range BLACKHOLE 1 8444 8444
(WLC) >config acl rule add BLACKHOLE 1
(WLC) >config acl rule action BLACKHOLE 1 permit
(WLC) >config acl rule protocol BLACKHOLE 1 6
(WLC) >config acl rule source address BLACKHOLE 1 10.1.200.11 255.255.255.255
(WLC) >config acl rule source port range BLACKHOLE 1 8444 8444
(WLC) >config acl rule destination port range BLACKHOLE 1 0 65535
(WLC) >config acl rule add BLACKHOLE 1
(WLC) >config acl rule action BLACKHOLE 1 permit
(WLC) >config acl rule protocol BLACKHOLE 1 17
(WLC) >config acl rule source port range BLACKHOLE 1 0 65535
(WLC) >config acl rule destination port range BLACKHOLE 1 53 53
(WLC) >config acl rule add BLACKHOLE 1
(WLC) >config acl rule action BLACKHOLE 1 permit
(WLC) >config acl rule protocol BLACKHOLE 1 17
(WLC) >config acl rule source port range BLACKHOLE 1 53 53
(WLC) >config acl rule destination port range BLACKHOLE 1 0 65535
Step 20
Apply the ACL to the data path.
(WLC) >config acl apply BLACKHOLE
WLAN Configuration
This section covers the WLAN configuration for the secured WLAN for employee devices and the open WLAN
for guests. The WLANs use ID values 11 and 12 so as not to overwrite any existing WLAN settings. This example
configures two WLANs:
• ‘ISE’ is a secured WLAN with WLAN ID 11, used for employee access and the single-SSID BYOD flow.
• ‘OPEN’ is an open WLAN with WLAN ID 12, used for guest access.
Table 3. WLAN Configuration
Option                    Secured WLAN         Open WLAN
WLAN ID                   11                   12
WLAN Name                 ISE                  OPEN
SSID                      ISE                  OPEN
Interface                 ACCESS               GUEST
L2 Security               WPA/WPA2 & 802.1X    MAC Filtering
L3 Security               None                 None
RADIUS Auth Server        11 & 12              11 & 12
RADIUS Acct Server        11 & 12              11 & 12
RADIUS Interim ACCT       Enabled              Enabled
Interim Update Interval   0 Seconds            0 Seconds
AAA Override              Enabled              Enabled
Idle Timeout              180 Seconds          180 Seconds
NAC                       NAC_RADIUS           NAC_RADIUS
Device Sensor             DHCP & HTTP          DHCP & HTTP
Step 21
Create the ISE WLAN using WLAN ID 11. For GUI, go to WLANs > Create New > Go.
(WLC) >config wlan create 11 ISE ISE
Step 22
Assign the previously created interface ‘ACCESS’ to the WLAN.
(WLC) >config wlan interface 11 ACCESS
Note: When a WLAN is created on the WLC, it is enabled with WPA and 802.1X by default.
Step 23
Assign previously created RADIUS Auth and Acct servers to the WLAN.
(WLC) >config wlan radius_server auth add 11 11
(WLC) >config wlan radius_server auth add 11 12
(WLC) >config wlan radius_server acct add 11 11
(WLC) >config wlan radius_server acct add 11 12
Step 24
Configure interim accounting updates for the endpoints. The following setting applies to 8.x code.
(WLC) >config wlan radius_server acct interim-update 0 11
(WLC) >config wlan radius_server acct interim-update enable 11
Note: For 7.6 code, disable interim accounting. Even when disabled, the WLC still sends accounting
updates for endpoint mobility events.
(WLC) >config wlan radius_server acct interim-update disable 11
Note: For any other earlier version, use the following.
(WLC) >config wlan radius_server acct interim-update 3600 11
(WLC) >config wlan radius_server acct interim-update enable 11
Step 25
Configure WLAN to accept AuthZ attributes from ISE.
(WLC) >config wlan aaa-override enable 11
Step 26
(Optional) Configure idle timeout.
(WLC) >config wlan usertimeout 180 11
Step 27
Enable nac-radius for the WLAN.
(WLC) >config wlan nac radius enable 11
Step 28
Enable the device sensor for HTTP and DHCP.
(WLC) >config wlan profiling radius all enable 11
Step 29
Enable Secured WLAN.
(WLC) >config wlan enable 11
Step 30
Create OPEN WLAN using WLAN ID 12.
(WLC) >config wlan create 12 OPEN OPEN
Step 31
Assign previously created interface ‘GUEST’ to the WLAN.
(WLC) >config wlan interface 12 GUEST
Step 32
Disable L2 security for open WLAN.
(WLC) >config wlan security wpa disable 12
Step 33
Enable MAC filtering for CWA.
(WLC) >config wlan mac-filtering enable 12
Step 34
Assign previously created RADIUS Auth and Acct servers to the WLAN.
(WLC) >config wlan radius_server auth add 12 11
(WLC) >config wlan radius_server auth add 12 12
(WLC) >config wlan radius_server acct add 12 11
(WLC) >config wlan radius_server acct add 12 12
Step 35
Configure interim accounting updates for the endpoints. The following setting applies to 8.x code.
(WLC) >config wlan radius_server acct interim-update 0 12
(WLC) >config wlan radius_server acct interim-update enable 12
Note: For 7.6 code, disable interim accounting. Even when disabled, the WLC still sends accounting
updates for endpoint mobility events.
(WLC) >config wlan radius_server acct interim-update disable 12
Note: For any other earlier version, use the following.
(WLC) >config wlan radius_server acct interim-update 3600 12
(WLC) >config wlan radius_server acct interim-update enable 12
Step 36
Configure the WLAN to accept AuthZ attributes from ISE.
(WLC) >config wlan aaa-override enable 12
Step 37
Configure session timeout.
(WLC) >config wlan session-timeout 12 1800
Step 38
Configure idle timeout.
(WLC) >config wlan usertimeout 180 12
Step 39
(Optional) Configure other parameters necessary for open WLAN.
(WLC) >config wlan chd 12 disable
(WLC) >config wlan ccx AironetIeSupport disable 12
(WLC) >config wlan dhcp_server 12 0.0.0.0 required
Step 40
Enable nac-radius for the WLAN.
(WLC) >config wlan nac radius enable 12
Step 41
Enable the device sensor for HTTP and DHCP.
(WLC) >config wlan profiling radius all enable 12
Step 42
Enable Open WLAN.
(WLC) >config wlan enable 12
Management Configuration
This section covers configuration related to the General Controller Management. This includes
Captive Portal Bypass, and HTTPS redirect settings.
Step 43
Enable captive portal bypass to prevent the captive-portal mini browser from popping up when an Apple device
associates to the WLAN. This takes effect after the WLC has been restarted. There is no GUI for this configuration.
(WLC) >config network web-auth captive-bypass enable
Step 44
(Optional) Enable HTTPS redirect on 8.x code. For GUI, go to Management > HTTP-HTTPS > HTTPS
Redirection > Enabled.
(WLC) >config network web-auth https-redirect enable
Note: This is not recommended in a production environment: it adds load on the controller and reduces the
number of web-auth sessions the WLC can handle.
Step 45
Save configuration.
(WLC) >save config
Step 46
Reload the controller to have captive portal bypass setting take effect.
(WLC) >reset system
Appendix A: Sample Configuration
Configuration for WLC Running 8.x Code
The configuration for previous versions of WLC is identical except for the interim accounting settings under each
WLAN. Refer to the main section of the document for the proper configuration for previous
versions.
config interface create ACCESS 10
config interface create GUEST 50
config interface port ACCESS 1
config interface port GUEST 1
config interface address dynamic-interface ACCESS 10.1.10.61 255.255.255.0 10.1.10.1
config interface address dynamic-interface GUEST 10.1.50.61 255.255.255.0 10.1.50.1
config interface dhcp dynamic-interface ACCESS primary 10.1.200.10
config interface dhcp dynamic-interface GUEST primary 10.1.200.10
config dhcp proxy disable
config radius auth add 11 10.1.200.11 1812 ascii ISEc0ld
config radius auth disable 11
config radius auth management 11 disable
config radius auth retransmit-timeout 11 5
config radius auth rfc3576 enable 11
config radius auth enable 11
config radius auth add 12 10.1.200.12 1812 ascii ISEc0ld
config radius auth disable 12
config radius auth management 12 disable
config radius auth retransmit-timeout 12 5
config radius auth rfc3576 enable 12
config radius auth enable 12
config radius fallback-test username RADIUS-TEST
config radius fallback-test mode active
config radius aggressive-failover disable
config radius acct add 11 10.1.200.11 1813 ascii ISEc0ld
config radius acct disable 11
config radius acct retransmit-timeout 11 5
config radius acct enable 11
config radius acct add 12 10.1.200.12 1813 ascii ISEc0ld
config radius acct disable 12
config radius acct retransmit-timeout 12 5
config radius acct enable 12
config acl delete ACL_WEBAUTH_REDIRECT
config acl create ACL_WEBAUTH_REDIRECT
config acl rule add ACL_WEBAUTH_REDIRECT 1
config acl rule action ACL_WEBAUTH_REDIRECT 1 permit
config acl rule protocol ACL_WEBAUTH_REDIRECT 1 6
config acl rule source port range ACL_WEBAUTH_REDIRECT 1 0 65535
config acl rule destination address ACL_WEBAUTH_REDIRECT 1 10.1.200.12 255.255.255.255
config acl rule destination port range ACL_WEBAUTH_REDIRECT 1 8443 8444
config acl rule add ACL_WEBAUTH_REDIRECT 1
config acl rule action ACL_WEBAUTH_REDIRECT 1 permit
config acl rule protocol ACL_WEBAUTH_REDIRECT 1 6
config acl rule source address ACL_WEBAUTH_REDIRECT 1 10.1.200.12 255.255.255.255
config acl rule source port range ACL_WEBAUTH_REDIRECT 1 8443 8444
config acl rule destination port range ACL_WEBAUTH_REDIRECT 1 0 65535
config acl rule add ACL_WEBAUTH_REDIRECT 1
config acl rule action ACL_WEBAUTH_REDIRECT 1 permit
config acl rule protocol ACL_WEBAUTH_REDIRECT 1 6
config acl rule source port range ACL_WEBAUTH_REDIRECT 1 0 65535
config acl rule destination address ACL_WEBAUTH_REDIRECT 1 10.1.200.12 255.255.255.255
config acl rule destination port range ACL_WEBAUTH_REDIRECT 1 8905 8905
config acl rule add ACL_WEBAUTH_REDIRECT 1
config acl rule action ACL_WEBAUTH_REDIRECT 1 permit
config acl rule protocol ACL_WEBAUTH_REDIRECT 1 6
config acl rule source address ACL_WEBAUTH_REDIRECT 1 10.1.200.12 255.255.255.255
config acl rule source port range ACL_WEBAUTH_REDIRECT 1 8905 8905
config acl rule destination port range ACL_WEBAUTH_REDIRECT 1 0 65535
config acl rule add ACL_WEBAUTH_REDIRECT 1
config acl rule action ACL_WEBAUTH_REDIRECT 1 permit
config acl rule protocol ACL_WEBAUTH_REDIRECT 1 6
config acl rule source port range ACL_WEBAUTH_REDIRECT 1 0 65535
config acl rule destination address ACL_WEBAUTH_REDIRECT 1 10.1.200.11 255.255.255.255
config acl rule destination port range ACL_WEBAUTH_REDIRECT 1 8443 8444
config acl rule add ACL_WEBAUTH_REDIRECT 1
config acl rule action ACL_WEBAUTH_REDIRECT 1 permit
config acl rule protocol ACL_WEBAUTH_REDIRECT 1 6
config acl rule source address ACL_WEBAUTH_REDIRECT 1 10.1.200.11 255.255.255.255
config acl rule source port range ACL_WEBAUTH_REDIRECT 1 8443 8444
config acl rule destination port range ACL_WEBAUTH_REDIRECT 1 0 65535
config acl rule add ACL_WEBAUTH_REDIRECT 1
config acl rule action ACL_WEBAUTH_REDIRECT 1 permit
config acl rule protocol ACL_WEBAUTH_REDIRECT 1 6
config acl rule source port range ACL_WEBAUTH_REDIRECT 1 0 65535
config acl rule destination address ACL_WEBAUTH_REDIRECT 1 10.1.200.11 255.255.255.255
config acl rule destination port range ACL_WEBAUTH_REDIRECT 1 8905 8905
config acl rule add ACL_WEBAUTH_REDIRECT 1
config acl rule action ACL_WEBAUTH_REDIRECT 1 permit
config acl rule protocol ACL_WEBAUTH_REDIRECT 1 6
config acl rule source address ACL_WEBAUTH_REDIRECT 1 10.1.200.11 255.255.255.255
config acl rule source port range ACL_WEBAUTH_REDIRECT 1 8905 8905
config acl rule destination port range ACL_WEBAUTH_REDIRECT 1 0 65535
config acl rule add ACL_WEBAUTH_REDIRECT 1
config acl rule action ACL_WEBAUTH_REDIRECT 1 permit
config acl rule protocol ACL_WEBAUTH_REDIRECT 1 17
config acl rule source port range ACL_WEBAUTH_REDIRECT 1 0 65535
config acl rule destination port range ACL_WEBAUTH_REDIRECT 1 53 53
config acl rule add ACL_WEBAUTH_REDIRECT 1
config acl rule action ACL_WEBAUTH_REDIRECT 1 permit
config acl rule protocol ACL_WEBAUTH_REDIRECT 1 17
config acl rule source port range ACL_WEBAUTH_REDIRECT 1 53 53
config acl apply ACL_WEBAUTH_REDIRECT
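What the redirect ACL actually does to a client is easiest to see by evaluating packets against it. The Python script below is an added example and not part of the Cisco guide: it parses the `config acl rule ...` command grammar used above (and the `config flexconnect acl rule ...` form used for the FlexConnect ACLs in Appendix B) into rule objects, models the controller's insert-at-index behaviour for `rule add`, and applies first-match semantics with the implicit deny at the end. On an AireOS WLC a URL-redirect ACL forwards traffic that matches a permit and intercepts traffic that hits a deny (including the implicit one) to the ISE portal, so the script shows that only the ISE portal ports and DNS pass before authentication while everything else is redirected. The sample CLI text is a constructed subset of ACL_WEBAUTH_REDIRECT (one PSN, 10.1.200.11, without the `0 65535` lines that only restate the defaults), and the client address 10.1.50.20 is a constructed guest on the GUEST VLAN.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass
class Rule:
    """One AireOS ACL rule; the field defaults are what a bare `rule add` creates."""
    action: str = "permit"
    protocol: Optional[int] = None   # None = any protocol
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    sport: tuple = (0, 65535)
    dport: tuple = (0, 65535)

    def matches(self, proto, src, dst, sport, dport):
        return (self.protocol in (None, proto)
                and ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and self.sport[0] <= sport <= self.sport[1]
                and self.dport[0] <= dport <= self.dport[1])

# CLI keyword -> number of words it occupies before the ACL name and rule index
KEYWORDS = {"add": 1, "action": 1, "protocol": 1,
            "source address": 2, "destination address": 2,
            "source port range": 3, "destination port range": 3}

def parse_wlc_acls(cli_text):
    """Build {acl_name: [Rule, ...]} from `config [flexconnect] acl ...` lines."""
    acls = {}
    for raw in cli_text.splitlines():
        tok = raw.replace("config flexconnect acl", "config acl").split()
        if tok[:2] != ["config", "acl"] or len(tok) < 4:
            continue
        if tok[2] == "create":
            acls[tok[3]] = []
        if tok[2] != "rule":                  # create/delete/apply carry no rule body
            continue
        rest = tok[3:]
        key = next((k for k, n in KEYWORDS.items() if rest[:n] == k.split()), None)
        if key is None:
            raise ValueError(f"unsupported ACL rule command: {raw}")
        n = KEYWORDS[key]
        name, index, args = rest[n], int(rest[n + 1]), rest[n + 2:]
        rules = acls.setdefault(name, [])
        if key == "add":
            # AireOS inserts at the given index and shifts the rest down, so a
            # script that always adds at 1 leaves its rules in reverse order.
            rules.insert(index - 1, Rule())
        elif key == "action":
            rules[index - 1].action = args[0]
        elif key == "protocol":
            rules[index - 1].protocol = int(args[0])
        elif key.endswith("address"):
            net = ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)
            setattr(rules[index - 1], "src" if key[0] == "s" else "dst", net)
        else:                                 # source/destination port range
            rng = (int(args[0]), int(args[1]))
            setattr(rules[index - 1], "sport" if key[0] == "s" else "dport", rng)
    return acls

def evaluate(rules, proto, src, dst, sport, dport):
    """First matching rule wins; unmatched traffic hits the implicit deny."""
    for rule in rules:
        if rule.matches(proto, src, dst, sport, dport):
            return rule.action
    return "deny"

def redirect_decision(rules, proto, src, dst, sport, dport):
    """AireOS URL-redirect ACL semantics: permit = forwarded, deny = sent to the portal."""
    return "pass" if evaluate(rules, proto, src, dst, sport, dport) == "permit" else "redirect"

# Constructed subset of the ACL_WEBAUTH_REDIRECT commands above: one PSN (10.1.200.11,
# portal ports 8443-8444, both directions) plus client DNS. The `0 65535` range
# commands are omitted here because they only restate the rule defaults.
SAMPLE_CLI = """\
config acl create ACL_WEBAUTH_REDIRECT
config acl rule add ACL_WEBAUTH_REDIRECT 1
config acl rule action ACL_WEBAUTH_REDIRECT 1 permit
config acl rule protocol ACL_WEBAUTH_REDIRECT 1 6
config acl rule destination address ACL_WEBAUTH_REDIRECT 1 10.1.200.11 255.255.255.255
config acl rule destination port range ACL_WEBAUTH_REDIRECT 1 8443 8444
config acl rule add ACL_WEBAUTH_REDIRECT 1
config acl rule action ACL_WEBAUTH_REDIRECT 1 permit
config acl rule protocol ACL_WEBAUTH_REDIRECT 1 6
config acl rule source address ACL_WEBAUTH_REDIRECT 1 10.1.200.11 255.255.255.255
config acl rule source port range ACL_WEBAUTH_REDIRECT 1 8443 8444
config acl rule add ACL_WEBAUTH_REDIRECT 1
config acl rule action ACL_WEBAUTH_REDIRECT 1 permit
config acl rule protocol ACL_WEBAUTH_REDIRECT 1 17
config acl rule destination port range ACL_WEBAUTH_REDIRECT 1 53 53
config acl apply ACL_WEBAUTH_REDIRECT
"""

if __name__ == "__main__":
    acl = parse_wlc_acls(SAMPLE_CLI)["ACL_WEBAUTH_REDIRECT"]
    for pkt in [(6, "10.1.50.20", "10.1.200.11", 51000, 8443), (6, "10.1.50.20", "93.184.216.34", 51001, 80)]:
        print(pkt, "->", redirect_decision(acl, *pkt))   # 10.1.50.20: constructed guest client
```

Feeding the script the full ACL text from this appendix, or the FlexConnect version from Appendix B, confirms that only portal (8443-8444), posture (8905) and DNS traffic passes before authentication. The same parser checks the BLACKHOLE ACL, and because an AireOS rule that is never given an address or port keeps its any/any defaults, a rule left half-configured shows up immediately as an unexpected pass.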
config acl delete BLACKHOLE
config acl create BLACKHOLE
config acl rule add BLACKHOLE 1
config acl rule action BLACKHOLE 1 permit
config acl rule protocol BLACKHOLE 1 6
config acl rule source port range BLACKHOLE 1 0 65535
config acl rule destination address BLACKHOLE 1 10.1.200.12 255.255.255.255
config acl rule destination port range BLACKHOLE 1 8444 8444
config acl rule add BLACKHOLE 1
config acl rule action BLACKHOLE 1 permit
config acl rule protocol BLACKHOLE 1 6
config acl rule source address BLACKHOLE 1 10.1.200.12 255.255.255.255
config acl rule source port range BLACKHOLE 1 8444 8444
config acl rule destination port range BLACKHOLE 1 0 65535
config acl rule add BLACKHOLE 1
config acl rule action BLACKHOLE 1 permit
config acl rule protocol BLACKHOLE 1 6
config acl rule source port range BLACKHOLE 1 0 65535
config acl rule destination address BLACKHOLE 1 10.1.200.11 255.255.255.255
config acl rule destination port range BLACKHOLE 1 8444 8444
config acl rule add BLACKHOLE 1
config acl rule action BLACKHOLE 1 permit
config acl rule protocol BLACKHOLE 1 6
config acl rule source address BLACKHOLE 1 10.1.200.11 255.255.255.255
config acl rule source port range BLACKHOLE 1 8444 8444
config acl rule destination port range BLACKHOLE 1 0 65535
config acl rule add BLACKHOLE 1
config acl rule action BLACKHOLE 1 permit
config acl rule protocol BLACKHOLE 1 17
config acl rule source port range BLACKHOLE 1 0 65535
config acl rule destination port range BLACKHOLE 1 53 53
config acl rule add BLACKHOLE 1
config acl rule action BLACKHOLE 1 permit
config acl rule protocol BLACKHOLE 1 17
config acl rule source port range BLACKHOLE 1 53 53
config acl rule destination port range BLACKHOLE 1 0 65535
config acl apply BLACKHOLE
config wlan create 11 ISE ISE
config wlan interface 11 ACCESS
config wlan radius_server auth add 11 11
config wlan radius_server auth add 11 12
config wlan radius_server acct add 11 11
config wlan radius_server acct add 11 12
config wlan radius_server acct interim-update 0 11
config wlan radius_server acct interim-update enable 11
config wlan aaa-override enable 11
config wlan usertimeout 180 11
config wlan nac radius enable 11
config wlan profiling radius all enable 11
config wlan enable 11
config wlan create 12 OPEN OPEN
config wlan interface 12 GUEST
config wlan security wpa disable 12
config wlan mac-filtering enable 12
config wlan radius_server auth add 12 11
config wlan radius_server auth add 12 12
config wlan radius_server acct add 12 11
config wlan radius_server acct add 12 12
config wlan radius_server acct interim-update 0 12
config wlan radius_server acct interim-update enable 12
config wlan aaa-override enable 12
config wlan session-timeout 12 1800
config wlan usertimeout 180 12
config wlan chd 12 disable
config wlan ccx AironetIeSupport disable 12
config wlan dhcp_server 12 0.0.0.0 required
config wlan nac radius enable 12
config wlan profiling radius all enable 12
config wlan enable 12
config network web-auth captive-bypass enable
save config
Configuration for Cisco IOS Switch Interface Connected to the WLC
description WLC Port 1
switchport trunk encapsulation dot1q
switchport trunk native vlan 60
switchport mode trunk
Configuration for Cisco IOS Switch SVI
interface vlan 10
description ACCESS
ip address 10.1.10.1 255.255.255.0
ip helper-address 10.1.200.10
ip helper-address 10.1.200.11
interface vlan 50
description GUEST
ip address 10.1.50.1 255.255.255.0
ip helper-address 10.1.200.10
ip helper-address 10.1.200.11
Appendix B: Design Considerations
FlexConnect AP & WLAN
FlexConnect mode, formerly known as H-REAP mode, allows APs to locally switch user traffic for
certain WLANs, typically in branch offices, so that wireless traffic stays within the branch. In
this design, when an endpoint associates to a FlexConnect-enabled WLAN, it authenticates inside the
CAPWAP tunnel from the LAP to the controller. Once authenticated, however, its traffic is switched
locally from the LAP onto the branch LAN instead of through the central wireless controller. ISE
integration with FlexConnect mode APs has been supported since WLC v7.5, but it requires specific
configuration: besides configuring the WLANs and APs for FlexConnect mode, the redirect ACLs must
also be re-created as FlexConnect ACLs and downloaded to the FlexConnect group or to the individual
APs.
First, create the ACL_WEBAUTH_REDIRECT and BLACKHOLE FlexConnect ACLs:
config flexconnect acl create ACL_WEBAUTH_REDIRECT
config flexconnect acl rule add ACL_WEBAUTH_REDIRECT 1
config flexconnect acl rule action ACL_WEBAUTH_REDIRECT 1 permit
config flexconnect acl rule protocol ACL_WEBAUTH_REDIRECT 1 6
config flexconnect acl rule source port range ACL_WEBAUTH_REDIRECT 1 0 65535
config flexconnect acl rule destination address ACL_WEBAUTH_REDIRECT 1 10.1.200.12 255.255.255.255
config flexconnect acl rule destination port range ACL_WEBAUTH_REDIRECT 1 8443 8444
config flexconnect acl rule add ACL_WEBAUTH_REDIRECT 1
config flexconnect acl rule action ACL_WEBAUTH_REDIRECT 1 permit
config flexconnect acl rule protocol ACL_WEBAUTH_REDIRECT 1 6
config flexconnect acl rule source address ACL_WEBAUTH_REDIRECT 1 10.1.200.12 255.255.255.255
config flexconnect acl rule source port range ACL_WEBAUTH_REDIRECT 1 8443 8444
config flexconnect acl rule destination port range ACL_WEBAUTH_REDIRECT 1 0 65535
config flexconnect acl rule add ACL_WEBAUTH_REDIRECT 1
config flexconnect acl rule action ACL_WEBAUTH_REDIRECT 1 permit
config flexconnect acl rule protocol ACL_WEBAUTH_REDIRECT 1 6
config flexconnect acl rule source port range ACL_WEBAUTH_REDIRECT 1 0 65535
config flexconnect acl rule destination address ACL_WEBAUTH_REDIRECT 1 10.1.200.12 255.255.255.255
config flexconnect acl rule destination port range ACL_WEBAUTH_REDIRECT 1 8905 8905
config flexconnect acl rule add ACL_WEBAUTH_REDIRECT 1
config flexconnect acl rule action ACL_WEBAUTH_REDIRECT 1 permit
config flexconnect acl rule protocol ACL_WEBAUTH_REDIRECT 1 6
config flexconnect acl rule source address ACL_WEBAUTH_REDIRECT 1 10.1.200.12 255.255.255.255
config flexconnect acl rule source port range ACL_WEBAUTH_REDIRECT 1 8905 8905
config flexconnect acl rule destination port range ACL_WEBAUTH_REDIRECT 1 0 65535
config flexconnect acl rule add ACL_WEBAUTH_REDIRECT 1
config flexconnect acl rule action ACL_WEBAUTH_REDIRECT 1 permit
config flexconnect acl rule protocol ACL_WEBAUTH_REDIRECT 1 6
config flexconnect acl rule source port range ACL_WEBAUTH_REDIRECT 1 0 65535
config flexconnect acl rule destination address ACL_WEBAUTH_REDIRECT 1 10.1.200.11 255.255.255.255
config flexconnect acl rule destination port range ACL_WEBAUTH_REDIRECT 1 8443 8444
config flexconnect acl rule add ACL_WEBAUTH_REDIRECT 1
config flexconnect acl rule action ACL_WEBAUTH_REDIRECT 1 permit
config flexconnect acl rule protocol ACL_WEBAUTH_REDIRECT 1 6
config flexconnect acl rule source address ACL_WEBAUTH_REDIRECT 1 10.1.200.11 255.255.255.255
config flexconnect acl rule source port range ACL_WEBAUTH_REDIRECT 1 8443 8444
config flexconnect acl rule destination port range ACL_WEBAUTH_REDIRECT 1 0 65535
config flexconnect acl rule add ACL_WEBAUTH_REDIRECT 1
config flexconnect acl rule action ACL_WEBAUTH_REDIRECT 1 permit
config flexconnect acl rule protocol ACL_WEBAUTH_REDIRECT 1 6
config flexconnect acl rule source port range ACL_WEBAUTH_REDIRECT 1 0 65535
config flexconnect acl rule destination address ACL_WEBAUTH_REDIRECT 1 10.1.200.11 255.255.255.255
config flexconnect acl rule destination port range ACL_WEBAUTH_REDIRECT 1 8905 8905
config flexconnect acl rule add ACL_WEBAUTH_REDIRECT 1
config flexconnect acl rule action ACL_WEBAUTH_REDIRECT 1 permit
config flexconnect acl rule protocol ACL_WEBAUTH_REDIRECT 1 6
config flexconnect acl rule source address ACL_WEBAUTH_REDIRECT 1 10.1.200.11 255.255.255.255
config flexconnect acl rule source port range ACL_WEBAUTH_REDIRECT 1 8905 8905
config flexconnect acl rule destination port range ACL_WEBAUTH_REDIRECT 1 0 65535
config flexconnect acl rule add ACL_WEBAUTH_REDIRECT 1
config flexconnect acl rule action ACL_WEBAUTH_REDIRECT 1 permit
config flexconnect acl rule protocol ACL_WEBAUTH_REDIRECT 1 17
config flexconnect acl rule source port range ACL_WEBAUTH_REDIRECT 1 0 65535
config flexconnect acl rule destination port range ACL_WEBAUTH_REDIRECT 1 53 53
config flexconnect acl rule add ACL_WEBAUTH_REDIRECT 1
config flexconnect acl rule action ACL_WEBAUTH_REDIRECT 1 permit
config flexconnect acl rule protocol ACL_WEBAUTH_REDIRECT 1 17
config flexconnect acl rule source port range ACL_WEBAUTH_REDIRECT 1 53 53
config flexconnect acl apply ACL_WEBAUTH_REDIRECT
config flexconnect acl create BLACKHOLE
config flexconnect acl rule add BLACKHOLE 1
config flexconnect acl rule action BLACKHOLE 1 permit
config flexconnect acl rule protocol BLACKHOLE 1 6
config flexconnect acl rule source port range BLACKHOLE 1 0 65535
config flexconnect acl rule destination address BLACKHOLE 1 10.1.200.12 255.255.255.255
config flexconnect acl rule destination port range BLACKHOLE 1 8444 8444
config flexconnect acl rule add BLACKHOLE 1
config flexconnect acl rule action BLACKHOLE 1 permit
config flexconnect acl rule protocol BLACKHOLE 1 6
config flexconnect acl rule source address BLACKHOLE 1 10.1.200.12 255.255.255.255
config flexconnect acl rule source port range BLACKHOLE 1 8444 8444
config flexconnect acl rule destination port range BLACKHOLE 1 0 65535
config flexconnect acl rule add BLACKHOLE 1
config flexconnect acl rule action BLACKHOLE 1 permit
config flexconnect acl rule protocol BLACKHOLE 1 6
config flexconnect acl rule source port range BLACKHOLE 1 0 65535
config flexconnect acl rule destination address BLACKHOLE 1 10.1.200.11 255.255.255.255
config flexconnect acl rule destination port range BLACKHOLE 1 8444 8444
config flexconnect acl rule add BLACKHOLE 1
config flexconnect acl rule action BLACKHOLE 1 permit
config flexconnect acl rule protocol BLACKHOLE 1 6
config flexconnect acl rule source address BLACKHOLE 1 10.1.200.11 255.255.255.255
config flexconnect acl rule source port range BLACKHOLE 1 8444 8444
config flexconnect acl rule destination port range BLACKHOLE 1 0 65535
config flexconnect acl rule add BLACKHOLE 1
config flexconnect acl rule action BLACKHOLE 1 permit
config flexconnect acl rule protocol BLACKHOLE 1 17
config flexconnect acl rule source port range BLACKHOLE 1 0 65535
config flexconnect acl rule destination port range BLACKHOLE 1 53 53
config flexconnect acl rule add BLACKHOLE 1
config flexconnect acl rule action BLACKHOLE 1 permit
config flexconnect acl rule protocol BLACKHOLE 1 17
config flexconnect acl rule source port range BLACKHOLE 1 53 53
config flexconnect acl rule destination port range BLACKHOLE 1 0 65535
config flexconnect acl apply BLACKHOLE
Once created, add them to the FlexConnect APs (AP_NAME is the AP name as registered on the controller):
config ap flexconnect policy acl add ACL_WEBAUTH_REDIRECT AP_NAME
config ap flexconnect policy acl add BLACKHOLE AP_NAME
Note: While FlexConnect mode supports additional options such as local authentication, those have not
been tested as part of the ISE integration. Also, while this document shows the required configuration
on individual APs, it is generally easier to manage the settings through FlexConnect groups. Note the
following caveats for FlexConnect local-switching deployments with ISE:
• Endpoints on a FlexConnect WLAN must be able to reach the ISE node; their traffic is switched locally, so the branch network must route to it.
• FlexConnect ACLs do not support DNS-based ACLs.
• TrustSec is not supported for locally switched traffic.
Although it is the FlexConnect ACL that is applied to FlexConnect endpoint sessions, older WLC versions
may fail to apply it unless a regular ACL with the same name is already in place. At minimum, a regular
ACL with that name must be registered on the WLC; in that case, simply create empty ACLs as follows:
config acl create ACL_WEBAUTH_REDIRECT
config acl apply ACL_WEBAUTH_REDIRECT
config acl create BLACKHOLE
config acl apply BLACKHOLE
Auto-Anchored WLAN
Customers often configure Auto-Anchor (also known as guest tunneling) to tunnel guest WLAN traffic to an
anchor controller in a DMZ for added security. This is a supported configuration with ISE Central WebAuth,
but it needs one specific change: set it up as a normal Auto-Anchor deployment, with the exception that
the RADIUS accounting server must be disabled on the anchor controller's WLAN. Assuming the OPEN WLAN is
being anchored, here is an example of the WLAN settings on the anchor controller:
config wlan create 12 OPEN OPEN
config wlan interface 12 GUEST
config wlan security wpa disable 12
config wlan mac-filtering enable 12
config wlan radius_server auth disable 12
config wlan radius_server acct disable 12
config wlan radius_server acct interim-update disable 12
config wlan aaa-override enable 12
config wlan session-timeout 12 1800
config wlan usertimeout 180 12
config wlan chd 12 disable
config wlan ccx AironetIeSupport disable 12
config wlan dhcp_server 12 0.0.0.0 required
config wlan nac radius enable 12
config wlan profiling radius all enable 12
config wlan enable 12
Note: The RADIUS servers are disabled in the preceding example; instead, the anchor controller receives
the name of the ACL to apply to the session from the foreign controller, which relays it from ISE in the
mobility message. It is therefore essential that the anchor controller's configuration includes the
redirect ACL under the same name, so that it can be applied to the user session when called for by the
foreign controller.