Anda di halaman 1dari 23

Universal NGWC/3850 Wireless

Configuration with Cisco Identity


Service Engine
Secure Access How -To Guides Series

Author: Aaron Woland


Date: December 2012

SECURE ACCESS HOW-TO GUIDES

Table of Contents
3850 Switch Wireless Configuration ............................................................................................................................. 3
Overall Design............................................................................................................................................ 3
3850 Switch Wireless Configuration Steps................................................................................................. 4
Validate licensing ................................................................................................................................. 5
Configure the HTTP Server on the Switch ................................................................................................. 6
Configure the Global AAA Commands ....................................................................................................... 6
Configure the Global RADIUS Commands................................................................................................. 7
Configure VLANs and SVIs. ....................................................................................................................... 9
Configure DHCP Snooping (Optional) ........................................................................................................ 9
Configure Local Access Control Lists ....................................................................................................... 10
Configure the Global 802.1X Commands ................................................................................................. 10
Configure the Global Wireless feature ..................................................................................................... 11
Configure WLANs .................................................................................................................................... 12
Configure Interfaces for Wireless APs ..................................................................................................... 14
Create Identity Sequence ......................................................................................................................... 19
Enable policy Set ..................................................................................................................................... 19
Configure Policy ....................................................................................................................................... 21
ISE Configuration - Suppressing RADIUS test messages ......................................................................................... 23
Configure ISE to suppress RADIUS test messages ................................................................................. 23

Cisco Systems 2015

Page 2

SECURE ACCESS HOW-TO GUIDES

3850 Switch Wireless Configuration


The Cisco Catalyst 3850 is the first stackable access-switching platform that enables wired plus wireless services on a
single Cisco IOS XE Software-based platform. It provides a host of rich capabilities such as high availability based on
state-ful switchover (SSO) on stacking, granular QoS, security, and Flexible Netflow (FNF) across wired and wireless
in a seamless fashion. Also, the wired plus wireless features are bundled into a single Cisco IOS Software image,
which reduces the number of software images that users have to qualify/certify before enabling them in their network.
The single console port for command-line interface (CLI) management reduces the number of touch points to manage
for wired plus wireless services, thereby reducing network complexity, simplifying network operations, and lowering
the TCO to manage the infrastructure.
Converged wired plus wireless not only improves wireless bandwidth across the network but also the scale of wireless
deployment. Each 48-port Cisco Catalyst 3850 provides 40 Gbps of wireless throughput (20 Gbps on the 24-port
model). This wireless capacity increases with the number of members in the stack. This makes sure that the network
can scale with current wireless bandwidth requirements, as dictated by IEEE 802.11n-based access points and with
future wireless standards such as IEEE 802.11ac. Additionally, the Cisco Catalyst 3850 distributes the wireless
controller functions to achieve better scalability. Each Cisco Catalyst 3850 switch/stack can operate as the wireless
controller in two modes:

Mobility agent (MA): This is the default mode in which the Cisco Catalyst 3850 switch ships. In this mode the
switch is capable of terminating the CAPWAP tunnels from the access points and providing wireless
connectivity to wireless clients. Maintaining wireless client databases and configuring and enforcing security
and QoS policies for wireless clients and access points can be enforced in this mode. No additional license on
top of IP Base is required to operate in the mobility agent mode.
Mobility controller (MC): In this mode, the Cisco Catalyst 3850 switch can perform all the mobility agent
tasks in addition to mobility coordination, radio resource management (RRM), and Cisco CleanAir
coordination within a mobility subdomain. The mobility controller mode can be enabled on the switch CLI. IP
Base license level is required when the Cisco Catalyst 3850 switch is acting as the mobility controller. A
centrally located Cisco 5508 Wireless LAN Controller (WLC 5508), Cisco Wireless Services Module 2
(WiSM2) (when running AireOS Version 7.3), and Wireless LAN Controller 5760 can also perform this role
for larger deployments.

Overall Design
Following diagram shows the overall layout of the components. There are two Service Set IDentifiers (SSIDs), one
secured with WPA2 (Wi-Fi Protected Access V2) + 802.1x and another Open + Central Web Authentication (CWA).
Although we won't go into the details of different Bring Your Own Device (BYOD) policies or posture policies within
Cisco Identity Services Engine (ISE), this setup will provide a baseline for such operations. This document will only
cover the baseline configurations on 3850 switches for wireless configuration, for deploying 3850 on wired network or
other ISE configurations please refer to respective ISE How-to documents.

Cisco Systems 2015

Page 3

SECURE ACCESS HOW-TO GUIDES

Figure 1.

Components used:

Cisco ISE 1.2.0.899


Cisco 3850 running IOS-XE version 03.02.02.SE
Cisco LWAP 3602
Microsoft Windows 2008 as AD/DNS/DHCP server

Few notes about NGWC wireless functions:

Wireless management interface has to be same as AP access VLAN, APs in FlexConnect mode is not
supported in this layout
Client idle timeout is global setting (As opposed to latest AireOS)
AP needs to be directly connected to 3850 switch
No need for legacy discovery method for AP using DHCP option 43 or DNS entry, with CAPWAP snooping
all directly connected AP can join the 3850 if they are configured with correct VLAN. Due to CAPWAP
snooping, if wireless management interface is configured on 3850 all directly connected APs can only talk to
3850
Support for https redirect, however, user will be required to trust the certificate of 3850 https before continuing
to login page
With IOS-XE version 03.02.02.SE, the 3850 switch provides some functions of GUI based wireless
configuration

Note: Cisco 3850 can act as Mobility Agent (MA) mode or Mobility Controller (MC) mode. Every mobility
deployment requires at least one MC and since our design consists of one 3850 switch, we will be configuring the
switch as MC mode.

3850 Switch Wireless Configuration Steps


The Cisco 3850 is a Unified Access platform that provides convergence of the wired and wireless networks into one
physical infrastructure. This configuration example shows how to integrate Cisco 3850 switches for wireless
authentication with ISE to provide basis for advanced identity functionality such as BYOD and Posture assessment.
The example provided in this document will primarily focus on command line interface on the 3850 for wireless
configuration.

Cisco Systems 2015

Page 4

SECURE ACCESS HOW-TO GUIDES


Note: With Version 03.02.02.SE, Cisco introduces GUI access to wireless configuration on the 3850. However, many
part of the configuration still relies on CLI. For this document, only CLI configuration will be covered.

Validate licensing
3850 comes with Right-To-Use (RTU) license scheme. RTU licensing allows one to order and activate a specific
license type and level, and to manage license usage on the switch. To activate a license, one is required to accept the
End-User License Agreement (EULA). For the evaluation license, one is notified to purchase a permanent license or
deactivate the license before the 90-day period expires. Before one can enable wireless function on the 3850 switch,
one needs to be running either ipbase or ipservices feature pack and RTU license present and have accepted EULA.
The RTU also governs number of AP count in case the switch is acting as Mobility Controller (MC).
Note: Prerequisite configuration: This guide assumes that the switches have the required licenses and following step
will focus on validation of RTU license on the platform.
Step 1
Step 2

Validate RTU licenses are in place.


Run following show command to view what licenses are available and in use:
3850#show license right-to-use summary

Sample output
3850#show license right-to-use summary
License Name
Type
Count
Period left
----------------------------------------------ipservices
permanent
N/A
Lifetime
apcount
base
0
Lifetime
apcount
adder
10
Lifetime
-------------------------------------------License Level In Use: ipservices
License Level on Reboot: ipservices
Evaluation AP-Count: Disabled
Total AP Count Licenses: 10
AP Count Licenses In-use: 4
AP Count Licenses Remaining: 6
3850#

Step 1 Activate feature set that supports wireless controller functionality and also activate AP count RTU
as well:

3850#license right-to-use activate ipservices slot 1 acceptEULA


3850#license right-to-use activate apcount 10 slot 1 acceptEULA

Cisco Systems 2015

Page 5

SECURE ACCESS HOW-TO GUIDES


Note: Activating AP count RTU may require to have mobility controller feature enabled first

Configure the HTTP Server on the Switch


Step 1
Step 2

Set the DNS domain name on the switch. Cisco IOS Software does not allow for certificates, or even selfgenerated keys, to be created and installed without first defining a DNS domain name on the device.
Enter the following:
3850(config)#ip domain-name example.com

Step 3

Generate keys to be used for HTTPS by entering the following:


3850(config)#crypto key generate rsa general-keys modulus 2048

Note: To avoid possible certificate mismatch errors during web redirection, we recommend that you use a certificate
that is issued by your trusted certificate authority instead of a local certificate. This topic is beyond the scope of this
document.
Step 4

Enable the HTTP servers on the switch.


The HTTP server must be enabled on the switch to perform the HTTP / HTTPS capture and redirection. Enter
the following:
3850(config)#ip http server
3850(config)#ip http secure-server

Note: Do not run the ip http secure-server command prior to generating the keys in step 2. If you perform the
commands out of order, the switch will automatically generate a certificate with a smaller key size. This certificate
can cause undesirable behaviour when redirecting HTTPS traffic. Unlike WLC with AireOS, 3850 Series wireless
supports redirection of HTTPS request, however, endpoints will be prompted to trust the switchs self-signed
certificate during the redirection.
Step 5

Disable HTTP & HTTPS for other switch management functions (Optional):
3850(config)#ip http active-session-modules none
3850(config)#ip http secure-active-session-modules none

Note: This will disable management access to the 3850 wireless configuration as well as configuration from NCS
Prime Infrastructure

Configure the Global AAA Commands


Step 1

Enable authentication, authorization, and accounting (AAA) on the access switches.


By default, the AAA subsystem of the Cisco switch is disabled. Prior to enabling the AAA subsystem,
none of the required commands will be available in the configuration. Enter the following:

Cisco Systems 2015

Page 6

SECURE ACCESS HOW-TO GUIDES

3850(config)#aaa new-model
3850(config)#aaa session-id common

Note: This command enables any of the services that AAA network security services providefor example, local
login authentication and authorization, defining and applying method lists, and so on. For further details, please refer
to the Cisco IOS Security Configuration Guide.
Step 2

Create an authentication method for 802.1X.


An authentication method is required to instruct the switch on which group of RADIUS servers to use for
802.1X authentication requests:
3850(config)#aaa authentication dot1x default group radius

Step 3

Create an authorization method for 802.1X.


The method created in step 2 will enable the user/device identity (username/password or certificate) to be
validated by the RADIUS server. However, simply having valid credentials is not enough. There must be
an authorization as well. The authorization is what defines that the user or device is actually allowed to
access the network, and what level of access is actually permitted.
3850(config)#aaa authorization network default group radius

Step 4

Create an accounting method for 802.1X.


RADIUS accounting packets are extremely useful and are required for many ISE functions. These types of
packets will help ensure that the RADIUS server (Cisco ISE) knows the exact state of the interface and
endpoint. Without the accounting packets, Cisco ISE would have knowledge only of the authentication and
authorization communication. Accounting packets provide information on length of the authorized session,
as well as bandwidth usage of the client.
3850(config)#aaa accounting dot1x default start-stop group radius

Step 5

Configure periodic RADIUS accounting update.


Periodic RADIUS accounting packets allows Cisco ISE to track which sessions are still active on the
network. This command sends periodic updates every 15 minutes.
3850(config)#aaa accounting update periodic 15

Configure the Global RADIUS Commands


We configure a proactive method to check the availability of the RADIUS server. With this practice, the switch will
send periodic test authentication messages to the RADIUS server (Cisco ISE). It is looking for a RADIUS response
from the server. A success message is not necessary; a failed authentication will suffice, because it shows that the
server is alive.

Cisco Systems 2015

Page 7

SECURE ACCESS HOW-TO GUIDES


Best Practice: With ISE 1.2 there is a feature to suppress authentications with certain conditions. We will use that
feature to suppress any RADIUS keep alive messages. See end of this document for instructions.
Step 1

Add the Cisco ISE servers to the RADIUS group.


In this step we will add each Cisco ISE Policy Services Node (PSN) to the switch configuration, using the
radius-test account. Repeat for each PSN.
3850(config)#radius-server host 192.168.201.88 auth-port 1812 acct-port 1813 test username radiustest idle-time 5 key cisco123

Note: The server will be proactively checked for responses once every 5 minutes, in addition to any authentications or
authorizations occurring through normal processes. This value may be too aggressive for non ISE 1.2 deployments due
to lack of log suppression feature on older versions of ISE, in that case increase this value to 60 minutes or higher.
Step 2

Set the dead criteria.


The switch has been configured to proactively check the Cisco ISE server for RADIUS responses. Now
configure the counters on the switch to determine if the server is alive or dead. Our settings will be to wait
10 seconds for a response from the RADIUS server and attempt the test 3 times before marking the server
dead. If a Cisco ISE server doesnt have a valid response within 30 seconds, it will be marked as dead.
Also deadtime defines how long the switch will mark the server dead, which we are setting it to 15
minutes.
3850(config)#radius-server dead-criteria time 10 tries 3
3850(config)#radius-server deadtime 15

Note: We will discuss high availability in more detail in the deployment mode sections.
Step 3

Enable change of authorization (CoA).


Previously we defined the IP address of a RADIUS server that the switch will send RADIUS messages to.
However, we define the servers that are allowed to perform change of authorization (RFC 3576) operations
in a different listing, also within global configuration mode, as follows:
3850(config)#aaa server radius dynamic-author
3850(config-locsvr-da-radius)#client 192.168.201.88 server-key cisco123
3850(config-locsvr-da-radius)#auth-type any

Step 4

Configure the switch to use the Cisco vendor-specific attributes.


Here we configure the switch to send any defined vendor-specific attributes (VSA) to Cisco ISE PSNs
during authentication requests and accounting updates.
3850(config)#radius-server vsa send authentication
3850(config)#radius-server vsa send accounting

Step 5

Next, we will enable the vendor-specific attributes (VSAs).

Cisco Systems 2015

Page 8

SECURE ACCESS HOW-TO GUIDES

3850(config)#radius-server
3850(config)#radius-server
3850(config)#radius-server
3850(config)#radius-server
3850(config)#radius-server

Step 6

attribute
attribute
attribute
attribute
attribute

6 on-for-login-auth
8 include-in-access-req
25 access-request include
31 mac format ietf upper-case
31 send nas-port-detail mac-only

Ensure the switch always sends traffic from the correct interface for RADIUS request.
Switches may often have multiple IP addresses associated to them. Therefore, it is a best practice to always
force any management communications to occur through a specific interface. This interface IP address
must match the IP address defined in the Cisco ISE Network Device object.

Cisco Best Practice: As a network management best practice, use a loopback adapter for all management
communications, and advertise that loopback interface into the internal routing protocol.
3850(config)#ip radius source-interface vlan 201

Configure VLANs and SVIs.


Wireless management interface is required to create CAPWAP tunnel with the Light Weigh APs. Also, VLANs will
need to be created for each of the WLAN that will be setup for wireless access. Also, we will need to create any user
VLANs that will map to WLANs.
Step 1

Add the following VLANs for wireless management and WLAN interface:
3850(config)#vlan 80
3850(config-vlan)#name
3850(config-vlan)#vlan
3850(config-vlan)#name
3850(config-vlan)#vlan
3850(config-vlan)#name

Step 2

AP_VLAN
30
WLAN_USER
40
WLAN_GUEST

Create SVI for wireless management interface.

This interface will be used to communicate with the LWAP. The LWAPs needs to be connected directly
to the 3850 switch and the interface needs to be configured with same VLAN as wireless management
VLAN. Also, configure ip helper to forward DHCP request from the LWAP to DHCP server.
3850(config)#
3850(config-if)#ip address 192.168.80.1 255.255.255.0
3850(config-if)#ip helper-address 192.168.201.72
3850(config-if)#no shutdown

Configure DHCP Snooping (Optional)


DHCP snooping is not required for 3850 wireless feature to function, but it is considered a best practice to
require all endpoints to get addresses assigned by the DHCP server. This is done by enabling DHCP
snooping globally and running the dhcp required option on the WLAN configuration.
Cisco Systems 2015

Page 9

SECURE ACCESS HOW-TO GUIDES


Before configuring DHCP snooping, be sure to note the location of your trusted DHCP servers. When you
configure DHCP snooping, the switch will deny DHCP server replies from any port not configured as
trusted. Enter interface configuration mode for the uplink interface and configure it as a trusted port.
Step 1

Configure Dynamic Host Configuration Protocol (DHCP) snooping for trusted ports.
3850(config)#interface
3850(config-if)#description Server
3850(config-if)#ip dhcp snooping trust

Step 2

Enable DHCP snooping.

DHCP snooping is enabled at global configuration mode. After enabling DHCP snooping, you must
configure the VLANs it should work with, which in our example is VLAN 30 & 40.
3850(config)#
3850(config)#no ip dhcp snooping information option
3850(config)#ip dhcp snooping

Configure Local Access Control Lists


Certain functions on the switch require the use of locally configured access control lists (ACLs), such as
URL redirection. Some of these ACLs you create will be used immediately, and some may not be used until
a much later phase of your deployment. The goal of this section is to prepare the switches for all possible
deployment models at one time, and limit the operational expense of repeated switch configuration.
Step 1

Add the following ACL to be used for URL redirection with web authentication:
3850(config)#ip access-list extended REDIRECT-ACL
3850(config-ext-nacl)#deny udp any host 192.168.201.72 eq 53
3850(config-ext-nacl)#deny udp any eq bootpc host 192.168.201.72 eq bootps
3850(config-ext-nacl)#deny ip any host 192.168.201.88
3850(config-ext-nacl)#permit ip any any

Configure the Global 802.1X Commands


Step 1

Enable 802.1X globally on the switch.


Enabling 802.1X globally on the switch does not actually enable authentication on any of the WLANs or
interfaces.
3850(config)#

Step 2

Enable Downloadable ACLs to function.

Downloadable access control lists (dACLs) are a very common enforcement mechanism in a Cisco ISE deployment.
In order for dACLs to function properly on a switch, IP device tracking must be enabled globally, as follows:
Cisco Systems 2015

Page 10

SECURE ACCESS HOW-TO GUIDES

3850(config)#

Note: There are some uncommon cases with Windows 7 and devices that do not respond to ARPs where it may be
required to use the command ip device tracking use SVI.

Configure the Global Wireless feature


Step 1

Enable mobility controller (MC) feature on the switch.

3850 switch can act as Mobility Agent (MA) only or MC+MA. For any 3850 wireless deployment there
needs to be at least one MC available for the deployment. We are configuring the 3850 as MC+MA as
we only have one 3850 switch.
3850(config)#

Note: 3850 switch is always configured as MA


Step 2

Enable management interface.

With 3850, all AP needs to be on the same VLAN as the management interface. This allows CAPWAP
tunnel between the APs and the 3850 switch.
3850(config)#

Note: If there are LWAPs configured with CUWN WLC connected to the 3850 switch, after above command is
entered all the LWAPs connected to the 3850 will lose connection to the CUWN WLC and start registering with the
3850 switch. The LWAPs will then go through code upgrade and finally join the 3850 switch.
Step 3

Enable fast-ssid-change feature.

Fast-SSID-Change feature allows clients to move from one SSID to another without delay. This feature
allows client to move from open SSID to secure SSID in dual-SSID scenario for BYOD without delay.
3850(config)#

Note: This is primarily to address Apple iOS devices shifting from one SSID to another within short period of time
Step 4

Configure client idle timeout.

Idle-time out allows the switch to remove the client session when no traffic has been seen from the client
within configured timeframe. If this value is too short, client devices will be forced to reauthenticate
when coming out of stand-by mode. Here we are setting it to 2 hours.
3850(config)#

Cisco Systems 2015

Page 11

SECURE ACCESS HOW-TO GUIDES

Step 5

Enable captive portal bypass feature.

Apple introduced an iOS feature to facilitate network access when captive portals are present. This
feature attempts to detect the presence of captive portal by sending a web request upon connecting to a
wireless network, and directs the request to http://www.apple.com/library/test/success.html. If a
response is received, then Internet access is assumed and no further interaction is required. If no
response is received, Internet access is assumed to be blocked by captive portal and CNA auto launches the pseudo browser to request portal login in a controlled window. CNA may break when
redirecting to an ISE captive portal. Following CLI command will prevent the pseudo browser from
popping up.
3850(config)#

Configure WLANs
Step 1

Add 802.1x-enabled WLAN.

This command creates a WLAN with example_employee as profile and SSID with WLAN ID of 1. If
this 3850 switch is part of bigger deployments, make sure all the settings match on all the switches for
the WLAN settings.
3850(config)#

Note: Although we are not entering L2 security settings for the wlan, the default setting for any wlan is WPA2/AES
with 802.1x
Step 2

Configure WLAN to accept RADIUS Authorization and instructions from the RADIUS server.

The AAA Override option of a WLAN enables you to configure the WLAN for identity networking. It
enables you to apply VLAN tagging, Quality of Service (QoS), and Access Control Lists (ACLs) to
individual clients based on the returned RADIUS attributes from the ISE. Also, the nac directive enables
different client state based on instructions in the URL-Redirect such as CWA, DRW, MDM, NSP, and
CPP.
3850(config-wlan)#
3850(config-wlan)#nac

Step 3

Map VLAN to the WLAN.

Assign user VLAN created earlier to the WLAN.


3850(config-wlan)#

Cisco Systems 2015

Page 12

SECURE ACCESS HOW-TO GUIDES

Step 4

Prevent network access from clients with static IP (Optional).

If DHCP snooping was configured for the above VLAN in previous steps, this setting prevents client
devices with static IP address.
3850(config-wlan)#

Step 5

Configure session timeout (Reauthentication timer).

This value dictates how often the client will re-authenticate via the RADIUS server.
3850(config-wlan)#

Step 6

Enable the WLAN.

3850(config-wlan)#

Note: Whenever wlan configuration needs to be modified, the wlan has o be shutdown. Once modified it can be reenabled by running above command. Note that this will disconnect all users on the respective wlan.
Step 7

Add open SSID to use with ISE CWA.


3850(config)#

Step 8

Enable MAC filtering on the WLAN.

Since this is open SSID, enabling MAC-Filtering with default RADIUS list will provide CWA using
ISE as external web server.
3850(config-wlan)#

Step 9

Configure WLAN to accept RADIUS Authorization messages from the RADIUS server
3850(config-wlan)#
3850(config-wlan)#nac

Step 10

Map VLAN to the WLAN.


3850(config-wlan)#

Step 11

Prevent network access from clients with static IP (Optional).

Cisco Systems 2015

Page 13

SECURE ACCESS HOW-TO GUIDES

3850(config-wlan)#

Step 12

Disable WPA and 802.1x on the WLAN.

Disable all L2 security features and set the WLAN as open SSID.
3850(config-wlan)#
3850(config-wlan)#
3850(config-wlan)#
3850(config-wlan)#

Step 13

Configure session timeout (Reauthentication timer).


3850(config-wlan)#

Note: The session-timeout for open SSID is set to lower value than secure SSID, as reauthentication of MAB request
does not impact ISE as much as 802.1x request
Step 14

Enable the WLAN


3850(config)#

Configure Interfaces for Wireless APs


Step 1

Identify and configure interfaces where LWAP plugs in.


3850(config)#
3850(config-if)#description AP

Note: With 3850 switch, the LWAP needs to be directly connected to the switch
Step 2

Assign wireless management VLAN.

Enabling 802.1X globally on the switch does not actually enable authentication on any of the
switchports. Authentication will be configured, but not enabled until we configure Monitor Mode.
3850(config-if)#
3850(config-if)#switchport access vlan 80

Note: 3850 introduces a new way of discovering new LWAPs by using CAPWAP snooping feature. There is no need
to configure DHCP option 43 or DNS entry for 3850 wireless management IP address
Step 3

Enable spanning-tree portfast.

Cisco Systems 2015

Page 14

SECURE ACCESS HOW-TO GUIDES

3850(config-if)#

Step 4

Enable the interface.


3850(config-if)#

Step 5

Validate AP status.

After APs have been upgraded and rebooted, validate that all APs are running in Local mode and the
Country setting is correct. Also, make sure all AP Status shows up as Joined.
3850#show ap status
3850#show ap join stats summary

Note: Currently 3850 only supports LWAPs in Local, Monitor, se-connect, and sniffer mode. If the LWAP was
previously configured as FlexConnect mode then run ap name {AP_NAME} mode local command

Cisco Systems 2015

Page 15

SECURE ACCESS HOW-TO GUIDES


Sample output
3850#show ap status
AP Name
Status
Mode
Country
------------------------------------------------------------------------AP4c4e.350d.35f8
Enabled
Local
US
APd48c.b5e4.3b88
Enabled
Local
US
AP4c4e.35c7.1572
Enabled
Local
US
AP44d3.ca42.58cd
Enabled
Local
US
3850#show ap join stats summary
Number of APs : 4
Base MAC
Ethernet MAC
AP Name
IP Address
Status
----------------------------------------------------------------------------20bb.c067.fda0 4c4e.350d.35f8 AP4c4e.350d.35f8
192.168.80.103
Joined
34bd.c890.52f0 d48c.b5e4.3b88 APd48c.b5e4.3b88
192.168.80.101
Joined
5006.046e.f300 4c4e.35c7.1572 AP4c4e.35c7.1572
192.168.80.100
Joined
64d9.8946.b160 44d3.ca42.58cd AP44d3.ca42.58cd
192.168.80.102
Joined
3850#

Step 6

Save configuration.
3850#write memory

Cisco Systems 2015

Page 16

SECURE ACCESS HOW-TO GUIDES

3850 Example Configuration


hostname 3850
!
aaa new-model
aaa session-id common
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting update periodic 15
!
aaa server radius dynamic-author
client 192.168.201.88 server-key cisco123
auth-type any
!
vlan 80
name AP_VLAN
vlan 30
name WLAN_USER
vlan 40
name WLAN_GUEST
!
interface vlan 80
ip address 192.168.80.1
ip helper 192.168.201.72
no shut
interface vlan 30
ip address 192.168.30.1
ip helper 192.168.201.72
ip helper 192.168.201.88
no shut
interface vlan 40
ip address 192.168.40.1
ip helper 192.168.201.72
ip helper 192.168.201.88
no shut
!
ip device tracking
!
ip dhcp snooping vlan 30, 40
no ip dhcp snooping information option
ip dhcp snooping
!
ip domain-name example.com
!
crypto key generate rsa general-keys modulus 2048
!
dot1x system-auth-control
!
ip http server
ip http secure-server
ip http secure-active-session-modules none
ip http active-session-modules none
!
ip access-list extended REDIRECT-ACL
deny udp any host 192.168.201.72 eq 53
deny udp any eq bootpc host 192.168.201.72 eq bootps
deny ip any host 192.168.201.88
permit ip any any
!
ip radius source-interface Vlan201
snmp-server community cisco123 RO
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail mac-only
radius-server dead-criteria time 10 tries 3

Cisco Systems 2015

Page 17

SECURE ACCESS HOW-TO GUIDES

radius-server host 192.168.201.88 auth-port 1812 acct-port 1813 test username radius-test idletime 5 key cisco123
radius-server deadtime 15
radius-server vsa send accounting
radius-server vsa send authentication
!
wireless mobility controller
wireless management interface Vlan80
wireless client fast-ssid-change
wireless mgmt-via-wireless
wireless client user-timeout 7200
captive-portal-bypass
!
wlan example_secure 1 example_secure
aaa-override
client vlan 30
nac
ip dhcp required
session-timeout 86400
no shutdown
!
wlan example_open 2 example_open
aaa-override
client vlan 40
mac-filtering default
nac
ip dhcp required
no security wpa
no security wpa akm dot1x
no security wpa wpa2
no security wpa wpa2 ciphers aes
session-timeout 7200
no shutdown
!
interface GigabitEthernet 1/0/17
description Server
switch port mode access
switch port access vlan 201
ip dhcp snooping trust
spanning-tree portfast
no shut
!
interface GigabitEthernet 1/0/9
description AP
switch port mode access
switch port access vlan 80
spanning-tree portfast
no shut

ISE Configuration
There are no specific configurations for ISE to integrate with 3850 switches for wireless access. The 3850
can be integrated in the same way as Catalyst switches to support advanced ISE features such as CWA,
BYOD, and Posture Assessment. While this document covers policies related to BYOD, please refer to
BYOD how-to guide for configuring the underlying services to enable BYOD. This includes configuration of
CA server, external identity sources, and supplicant provisioning policy.

Cisco Systems 2015

Page 18

SECURE ACCESS HOW-TO GUIDES

Create Identity Sequence


We will create an identity sequence to process authentication request for secure SSID. This sequence will authenticate
endpoints via certificate, AD, or internal user database.
Step
Step
Step
Step

1
2
3
4

Login to ISE primary admin node.


Navigate to Administration Identity Management Identity Source Sequences
Click Add
Create a sequence with following name CAP_AD_Internal

Figure 2.

Step 5

Click Save.

Enable policy Set


Policy set feature within ISE 1.2 allows administrator to create complex identity policy. In this document we will
create two policy sets that maps to each of the WLANs and create underlying policies within each policy set. This
provides clarity on how policies apply to each use cases with ISE policy structure.
Step 1
Step 2

To Enable policy set feature navigate to Administration System Settings Policy Sets
Select Enabled and click Save

Cisco Systems 2015

Page 19

SECURE ACCESS HOW-TO GUIDES


Note: Once policy set feature is enabled, policy will need to be recreated if one wants to go back to classic mode.
However, the initial policy will be copied to the default policy set when the feature is enabled.

Procedure 1

Create Downloadable ACL

Here, we will be creating a DACL (Downloadable ACL) to apply during Authorization


Step 1 Navigate to Policy Policy Elements Results Authorization Downloadable ACLs
Step 2 Click on Add to create NSP Authorization Profile with following parameters
Name

INTERNET-ONLY

DACL Content

permit udp any host 192.168.201.72


eq domain
permit udp any any eq bootpc
deny ip any any

Step 3 Click Save


Procedure 2

Configure Authorization Profile

Here, we will be creating three authorization profiles


Step 1 Navigate to Policy Policy Elements Results Authorization Authorization Profiles
Step 2 Click on Add to create NSP Authorization Profile with following parameters
Name

NSP

Common Tasks

Web Redirection

Web Redirection
Type

Native Supplicant Provisioning

ACL

REDIRECT-ACL

Step 3 Click Save


Step 4 Click on Add to create WebAuth Authorization Profile with following parameters
Name

WebAuth

Common Tasks

Web Redirection

Web Redirection

Centralized Web Auth

Cisco Systems 2015

Page 20

SECURE ACCESS HOW-TO GUIDES

Name

WebAuth

Type
ACL

REDIRECT-ACL

Step 5 Click Save


Step 6 Click on Add to create Internet Authorization Profile with following parameters
Name

Internet

Common Tasks

DACL Name

ACL

INTERNET-ONLY

Step 7 Click Save

Configure Policy
Step 1
Step 2

Navigate to Policy Policy Set


Click on the + sign on the left pane and click Create Above

Figure 3.

Step 3

Define Policy set as example_secure as name and following parameters

Cisco Systems 2015

Page 21

SECURE ACCESS HOW-TO GUIDES

Figure 4.

Step 4
Step 5

Click Submit.
Define Policy set as example_open as name and following parameters

Figure 5.

Step 6

Click Submit.

Cisco Systems 2015

Page 22

SECURE ACCESS HOW-TO GUIDES

ISE Configuration - Suppressing RADIUS test messages


You can configure collection filters to suppress syslog messages being sent to the monitoring and external servers. The
suppression can be performed at the Policy Services Node level based on different attribute types. You can disable the suppression
as well. You can define multiple filters with a specific attribute type and corresponding value.

Note: It is recommended to limit the number of collection filter to 20

Configure ISE to suppress RADIUS test messages


Step
Step
Step
Step

1
2
3
4

Login to ISE primary admin node.


Navigate to Administration > System > Logging.
Click on Collection Filters on left pane.
Click on Add on the top of the right pane.

Figure 6.

Step
Step
Step
Step

5
6
7
8

Select User Name from the Attribute pull down menu.


Enter radius-test for Value.
Select Filter All from the Filter Type pull down menu.
Click Save.

Cisco Systems 2015

Page 23