
Deploying Identity Services within a Converged Plantwide Ethernet Architecture

Design and Implementation Guide

June 2015

Document Reference Number: ENET-TD008A-EN-P


Preface

This Deploying Identity Services within a Converged Plantwide Ethernet Architecture Design and Implementation Guide (DIG) outlines the following key requirements and design considerations to help in the successful deployment of the Cisco® Identity Services Engine (Cisco ISE) within Industrial Automation and Control System (IACS) plant-wide architectures:

• Cisco ISE Use Case Overview

• Review of Cisco ISE Technology

• Important Steps and Considerations for Cisco ISE Implementation and Configuration Recommendations within IACS applications

• Maintaining and Troubleshooting Cisco ISE

Note This release of the CPwE architecture focuses on EtherNet/IP™, which is driven by the ODVA Common Industrial Protocol (CIP™). Refer to the IACS Communication Protocols section of the CPwE Design and Implementation Guide.

Document Organization

The Deploying Identity Services within a Converged Plantwide Ethernet Architecture Design and Implementation Guide contains the following chapters:

• CPwE Identity Services Overview: Presents an introduction to the CPwE Identity Services architecture, Secure Access Control, Unified Network Access Policy Management for CPwE and CPwE Identity Services in general.

• System Design Considerations: Presents an overview of CPwE Identity Services Technology, how to deploy Distributed CPwE Identity Services, and an overview of Microsoft® Server 2012 Active Directory.

• Configuring the Infrastructure: Describes how to configure Cisco ISE infrastructure in the CPwE system based on the design considerations of the previous chapters, covering the configuration of the network infrastructure, network services, data traversal, Web application access and network and application security, all from an IDMZ perspective.


• Troubleshooting Tips: Describes Cisco ISE and WLC troubleshooting.

• References: Standard list of references for CPwE, Cisco Unified Access, RF Design and QoS and Wireless Security.

• Configuration Examples: Examples of the configurations that have been used in the testing of the wired and wireless architecture.

• Test Hardware and Software: Hardware and software components used in CPwE Identity Services testing.

For More Information

Rockwell Automation site:

• http://literature.rockwellautomation.com/idc/groups/literature/documents/td/enet-td001_-en-p.pdf

Cisco site:

• http://www.cisco.com/en/US/docs/solutions/Verticals/CPwE/CPwE_DIG.html


Chapter 1

CPwE Identity Services Overview

This chapter includes the following major topics:

• Identity Services Architecture Introduction

• Secure Access Control

• Unified Network Access Policy Management for CPwE

• Converged Plantwide Ethernet Identity Services

Identity Services Architecture Introduction

Industrial Automation and Control System (IACS) networks are generally open by default, which facilitates both technology coexistence and IACS interoperability. IACS networks must be secured by configuration and architecture. Connectivity of unknown contractor computers (such as from OEMs and System Integrators) presents challenges to the security of plant-wide operations. A different approach to device authentication and authorization is required to securely manage the connectivity of these computers to the IACS network. Converged Plantwide Ethernet (CPwE) uses the Cisco Identity Services Engine (Cisco ISE) to support secure wired and wireless connectivity of plant personnel and contractor computers to the IACS network. Cisco ISE is a centralized security policy management platform, which automates and enforces secure access to network resources across a distributed Industrial Zone. Cisco ISE enforces network security based on the type of device hardware connecting to the network, the computer’s operating system and the user.

CPwE is the underlying architecture that provides standard network services for control and information disciplines, devices and equipment found in modern IACS applications. Cisco ISE is used in conjunction with the CPwE architecture to provide an additional and dynamic layer of network access control security by supporting the Microsoft-based computer operating system and logged-on user to push security policies to the network infrastructure that the computer is accessing. The CPwE architecture provides design and implementation guidance to achieve the real-time communication, reliability, scalability, security and resiliency requirements of the IACS. Cisco ISE builds on top of the defined best practices and network architecture with a centrally managed architectural model where the IT department maintains the management of the Cisco ISE platform that operates in the Industrial Zone.



Cisco ISE incorporation for CPwE is brought to market through a strategic alliance between Cisco Systems and Rockwell Automation. This CPwE Identity Services Cisco Validated Design details design and implementation considerations to help with the successful design and implementation of Identity Services within the Industrial Zone.

Secure Access Control

Protecting IACS assets requires a centrally manageable defense-in-depth security approach that addresses internal and external security threats. Cisco ISE supports authentication and authorization for both wired and wireless access methods to the IACS networks by company employees and trusted partners (OEM, SI). Adhering to a distributed architecture, Cisco ISE uses the Administration, Policy Service and Monitoring nodes described in detail later in this document.

The CPwE Industrial Network Security Framework (Figure 1-1) is aligned to industrial security standards such as ISA/IEC-62443 (formerly ISA-99) Industrial Automation and Control Systems (IACS) Security, and NIST 800-82 Industrial Control System (ICS) Security.

Designing and implementing a comprehensive IACS network access security framework should serve as a natural extension to the IACS. Network access security should not be implemented as an afterthought. The industrial network access security framework should be pervasive and core to the IACS. However, atop existing IACS deployments, the same defense-in-depth layers can be applied incrementally to help improve the access security stance of the IACS.

CPwE defense-in-depth layers (Figure 1-1) include:

• Control System Engineers (highlighted in tan)—IACS device hardening (for example, physical and electronic), infrastructure device hardening (for example, port security), network segmentation, IACS application authentication, authorization and accounting (AAA)

• Control System Engineers in collaboration with IT Network Engineers (highlighted in blue)—Zone-based policy firewall at the IACS application, operating system hardening, network device hardening (such as access control, resiliency), wired and wireless LAN access policies

• IT Security Architects in collaboration with Control Systems Engineers (highlighted in purple)—Identity Services (wired and wireless), Active Directory (AD), Remote Access Servers (RAS), plant firewalls, Industrial Demilitarized Zone (IDMZ) design best practices



Figure 1-1 CPwE Industrial Network Security Framework

Unified Network Access Policy Management for CPwE

Cisco ISE empowers Enterprise IT to help sustain highly secure wired and wireless access within the plant by providing:

• Comprehensive centralized policy management

• Streamlined computer onboarding

• Dynamic security enforcement

A rules-based, catalog-driven policy model is provided to create access control based upon IEEE 802.1X authentication and authorization policies. The 802.1X standard describes how port-based security rules can be applied to each switch port. Cisco ISE includes the ability to create fine-grained authorization policies that include the association of a user or Microsoft-based computer to an associated VLAN or an associated downloadable access control list (dACL). Attributes can be created dynamically that include one or more identity groups, then saved for later use, as new device management computers are introduced to the IACS network. As shown in Figure 1-2, Cisco ISE supports multiple external identity repositories, including AD authorities for both authentication and authorization.




Figure 1-2 Unified Identity Services for Wired and Wireless

Through the application of Cisco ISE, provision policies are applied across the IACS network in real-time, creating a consistent user access experience to services from wired and wireless connections. Cisco ISE allows IT to define roles such as employees and trusted partners. These roles can be configured to permit and limit access to assets within the Industrial Zone, the Industrial Demilitarized Zone (IDMZ) and the Enterprise Zone. The Stratix™ and Cisco industrial Ethernet switches (IES) work in conjunction with Cisco ISE to apply and enforce the security policies that are configured. For example, if an employee attaches to the IACS network in the Industrial Zone with a computer, Cisco ISE will be sent the hardware and user information. Cisco ISE will send the pre-configured network security policies to the Stratix or Cisco IES, where the user will be limited by the security policy. It is also possible to limit or direct traffic of unknown devices with a Cisco ISE security policy.

Cisco ISE services for wireless access use the Cisco wireless LAN controllers (WLC) to facilitate authentication and authorization of Microsoft-based computers accessing the IACS network. Cisco ISE allows IT to define a set of contractors and, for each contractor, a set of RADIUS attributes that apply across both the wired and wireless environments (see Wired Access Overview and Wireless Access Overview in Chapter 2). Attributes are used for authorization profiles and in policy conditions. Through Cisco ISE, IT can create, edit and delete RADIUS contractor dictionaries and contractor-specific attributes as needed.

Converged Plantwide Ethernet Identity Services

Cisco ISE grants permission to Microsoft-based computers to access the plant-wide network based on the result of the policy evaluation. The profiling service facilitates management of authentication by using IEEE 802.1X port-based access control, supported by the Stratix and Cisco IES within the CPwE architecture.



Cisco ISE provides a self-service registration portal for plant personnel and contractors to register and provision their portable Microsoft-based OS computers according to the business policies defined by IT. Cisco ISE permits the plant personnel to get the automated device provisioning and profiling they need to comply with industrial security policies while keeping it extremely simple to get their Microsoft-based OS computers onto the IACS network with limited IT help.

Within the Industrial Zone, Cisco ISE provides centrally managed context-aware identity management critical for IT to manage access control. Cisco ISE determines if users are accessing the network on an authorized, policy-compliant computer, and assigns access based on the assigned user role, group and associated policy. Variables such as employee (plant or corporate), contractor (OEM, SI or other trusted partner), location and device type are taken into consideration. Cisco ISE grants access to specific segments of the Industrial Zone to authenticated users.
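The policy model described above (identity groups and device type mapped to a VLAN or dACL, with unknown devices limited rather than silently admitted) is easier to reason about as code. The following is an added example, not code from the guide or from Cisco ISE: a first-match rule evaluator over the session context a PSN would hold. Group names, VLAN numbers, addresses and ACL lines are constructed sample values.

```python
"""Added example (not from the CPwE guide or Cisco ISE): a minimal first-match
authorization policy evaluator mirroring the guide's model of identity group +
device type + access method -> VLAN / dACL. All groups, VLANs and ACEs are
constructed sample values."""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Session:
    """Context ISE assembles from RADIUS, profiling and the AD lookup."""
    username: Optional[str]       # None when no user authenticated at all
    ad_groups: FrozenSet[str]     # AD group membership (external identity source)
    os_family: str                # profiled OS, e.g. "Windows"
    access: str                   # "wired" or "wireless"
    auth_method: str              # "EAP-TLS", "EAP-FAST" or "none"


@dataclass(frozen=True)
class AuthzProfile:
    """What the PSN returns to the IES or WLC for an accepted session."""
    name: str
    vlan: Optional[int]           # None means no VLAN override
    dacl: Tuple[str, ...]         # downloadable ACL as IOS-style ACE strings


@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[Session], bool]
    profile: AuthzProfile


DENY = AuthzProfile("DenyAccess", None, ("deny ip any any",))

# Constructed profiles for the roles the guide names: employee, trusted partner, unknown.
EMPLOYEE = AuthzProfile("Plant-Employee", 20, (
    "permit ip any 10.20.0.0 0.0.255.255",     # Cell/Area Zone (constructed)
    "permit ip any 10.17.0.0 0.0.255.255",     # Level 3 Site Operations (constructed)
    "deny ip any any",
))
PARTNER = AuthzProfile("Trusted-Partner", 30, (
    "permit tcp any host 10.17.1.10 eq 3389",  # jump host only (constructed)
    "deny ip any any",
))
UNKNOWN = AuthzProfile("Unknown-Device", 99, (
    "permit udp any any eq 67",                # DHCP so the host can reach the portal
    "permit tcp any host 10.17.1.20 eq 443",   # self-registration portal (constructed)
    "deny ip any any",
))


def _windows_cert_auth(s: Session) -> bool:
    # The guide scopes the solution to Windows computers using 802.1X EAP methods.
    return s.os_family == "Windows" and s.auth_method in ("EAP-TLS", "EAP-FAST")


RULES: List[Rule] = [
    Rule("Employees",
         lambda s: s.username is not None
         and "Plant-Engineers" in s.ad_groups and _windows_cert_auth(s),
         EMPLOYEE),
    Rule("Trusted-Partners",
         lambda s: s.username is not None
         and "Trusted-Partners" in s.ad_groups and _windows_cert_auth(s),
         PARTNER),
    # No authenticated user: limit and direct its traffic rather than permit it.
    Rule("Unknown-Devices", lambda s: s.username is None, UNKNOWN),
]


def evaluate(session: Session, rules: List[Rule] = RULES) -> Tuple[str, AuthzProfile]:
    """First matching rule wins. Anything unmatched (a non-Windows laptop, or a
    user outside both groups) falls through to DenyAccess."""
    for rule in rules:
        if rule.matches(session):
            return rule.name, rule.profile
    return "Default", DENY


def radius_vlan_attributes(profile: AuthzProfile) -> dict:
    """RFC 2868 tunnel attributes a RADIUS server uses to assign a VLAN.
    (ISE returns the dACL by reference and the switch fetches its contents in a
    separate exchange; that step is not modelled here.)"""
    if profile.vlan is None:
        return {}
    return {"Tunnel-Type": "VLAN",
            "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-ID": str(profile.vlan)}
```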


Chapter 2

System Design Considerations

This chapter includes the following major topics:

• CPwE Identity Services Technology Overview

• Roles and Access

• Industrial Zone Wired Access Design

• Industrial Zone Wireless Access Design

Note This solution provides support for user validation and authorization when using Microsoft Windows computers within the context of the Industrial Zone. This solution does not provide support or include other devices with Bring Your Own Device (BYOD) capabilities such as laptops not running Windows OS, smart phones or tablets.

Note For more details about the design and implementation of the Industrial Demilitarized Zone (IDMZ) as part of the CPwE security architecture, refer to the Securely Traversing IACS Data Across the Industrial Demilitarized Zone Design and Implementation Guide.

CPwE Identity Services Technology Overview

With the introduction of secure employee and contractor access, the use of Cisco ISE as an identity and access control policy platform enables organizations to enforce compliance, enhance infrastructure security and streamline their service operations. Its architecture allows an organization to gather real-time contextual information from the network, users and devices to make proactive policy decisions by tying identity into various network elements including IES access switches and Wireless LAN Controllers (WLC).

This deployment uses Cisco ISE as the authentication and authorization server for the wired and wireless networks using RADIUS. Cisco ISE uses Microsoft Active Directory (AD) as an external identity source to access resources such as users, computers, groups and attributes. Cisco ISE supports Microsoft AD sites and services when integrated with AD. Cisco ISE needs an identity certificate that is signed by a Certificate Authority (CA) server so that it can be trusted by endpoints, gateways and servers.


This section describes Distributed ISE, Active Directory and Certificate Services and provides design recommendations for CPwE Identity Services.

ISE Distributed Deployment

Within the CPwE architecture, the recommendation is to deploy the Cisco ISE platform as a distributed solution. In this solution, the corporate IT department maintains the management of the Cisco ISE platform for central management. In the distributed installation, Cisco ISE is divided into three discrete nodes—Administration, Policy Service, and Monitoring—which are described as follows:

• Policy Administration Node (PAN)—A CPwE Identity Services Node with the Administration persona allows the Enterprise IT team to perform all administrative operations on CPwE Identity Services. PAN (located within the Enterprise Zone) handles all system-related configurations that are related to functionality such as authentication and authorization. In a CPwE-distributed deployment, the CPwE architecture can have one or a maximum of two nodes running the Administration persona. The Administration persona can take on the standalone, primary or secondary role.

• Policy Service Node (PSN)—A CPwE Identity Services Node with the Policy Service persona provides network access, plant personnel and contractor access, and client provisioning and profiling services. PSN (located within the Industrial Zone) evaluates the policies and provides network access to computers based on the result of the policy evaluation. More than one PSN (located within the Enterprise Zone) can assume this persona. Typically, more than one Policy Service Node exists in a large distributed deployment. At least one node in a distributed setup should assume the Policy Service persona. The PAN Node also can (and usually does) serve as a PSN.

Note CPwE Identity Services recommends having a PSN in the Industrial Zone (Levels 0-3), as shown in Figure 2-1. If the Enterprise and Industrial Zones become isolated, any existing clients in the Industrial Zone will still be able to securely access the network.

• Monitoring Node (MnT)—A CPwE Identity Services Node with the Monitoring persona functions as the log collector and stores log messages from all the Administration and Policy Service Nodes in a network. MnT (located in the Enterprise Zone) provides advanced monitoring and troubleshooting tools that the Enterprise IT team can use to effectively manage a network and resources. An MnT with this persona aggregates and correlates the data that it collects, and provides the Enterprise IT team with meaningful reports. CPwE Identity Services allows the Enterprise IT team to have a maximum of two nodes with this persona, which can take on primary or secondary roles for high availability. Both the primary and secondary Monitoring Nodes collect log messages. If the primary Monitoring Node goes down, the secondary Monitoring Node automatically becomes the primary Monitoring Node. At least one node in a distributed setup should assume the Monitoring persona.

Note The Monitoring and Policy Service personas should not be enabled on the same CPwE Identity Services Node. The Monitoring node should be dedicated solely to monitoring for optimum performance.

Figure 2-1 is an example deployment of the distributed Cisco ISE configuration using the CPwE logical framework.
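The persona rules above (one or two PAN nodes, one or two MnT nodes, at least one PSN, MnT never co-located with a PSN, and a PSN inside the Industrial Zone so authentication survives isolation from the Enterprise Zone) can be checked mechanically before a deployment is built. The following is an added example, not from the guide or Cisco ISE: a checker for a proposed node plan, with the Figure 2-1 layout as constructed sample input. Node names and zone labels are assumptions.

```python
"""Added example (not from the CPwE guide or Cisco ISE): validates a proposed
distributed ISE node plan against the persona rules the guide states.
Node names and zone labels are constructed sample values."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

PERSONAS = {"PAN", "PSN", "MnT"}


@dataclass(frozen=True)
class Node:
    name: str
    zone: str                     # "Enterprise" or "Industrial"
    personas: FrozenSet[str]      # subset of PERSONAS


def check_deployment(nodes: List[Node]) -> Dict[str, List[str]]:
    """Returns {'errors': [...], 'warnings': [...]}.
    errors   = hard limits from the guide (persona counts)
    warnings = guide recommendations (placement, co-location, resilience)"""
    errors: List[str] = []
    warnings: List[str] = []

    for n in nodes:
        unknown = n.personas - PERSONAS
        if unknown:
            errors.append(f"{n.name}: unknown persona(s) {sorted(unknown)}")
        if not n.personas:
            errors.append(f"{n.name}: node has no persona")

    def having(persona: str) -> List[Node]:
        return [n for n in nodes if persona in n.personas]

    pans, psns, mnts = having("PAN"), having("PSN"), having("MnT")

    # Administration persona: one node, or at most two (primary/secondary).
    if not pans:
        errors.append("no node runs the Administration (PAN) persona")
    elif len(pans) > 2:
        errors.append(f"{len(pans)} PAN nodes; the maximum is two (primary/secondary)")

    # Monitoring persona: at least one, at most two (primary/secondary).
    if not mnts:
        errors.append("no node runs the Monitoring (MnT) persona")
    elif len(mnts) > 2:
        errors.append(f"{len(mnts)} MnT nodes; the maximum is two (primary/secondary)")

    # Policy Service persona: at least one node.
    if not psns:
        errors.append("no node runs the Policy Service (PSN) persona")

    for n in nodes:
        # Recommendation: MnT dedicated to monitoring, never alongside a PSN.
        if {"MnT", "PSN"} <= n.personas:
            warnings.append(f"{n.name}: MnT and PSN personas on the same node")
        # Recommendation: PAN and MnT are managed by Enterprise IT from the Enterprise Zone.
        if n.personas & {"PAN", "MnT"} and n.zone != "Enterprise":
            warnings.append(f"{n.name}: PAN/MnT persona outside the Enterprise Zone")

    # Recommendation: a PSN in the Industrial Zone keeps authentication working
    # if the Industrial and Enterprise Zones become isolated across the IDMZ.
    if not any(n.zone == "Industrial" for n in psns):
        warnings.append("no PSN in the Industrial Zone: clients lose authentication "
                        "if the Industrial and Enterprise Zones become isolated")
    return {"errors": errors, "warnings": warnings}


# The Figure 2-1 layout: PAN/PSN and MnT in the Enterprise Zone, a PSN in the Industrial Zone.
FIGURE_2_1 = [
    Node("ise-ent-pan", "Enterprise", frozenset({"PAN", "PSN"})),
    Node("ise-ent-mnt", "Enterprise", frozenset({"MnT"})),
    Node("ise-ind-psn", "Industrial", frozenset({"PSN"})),
]

if __name__ == "__main__":
    for kind, msgs in check_deployment(FIGURE_2_1).items():
        print(kind, msgs or "none")
```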


Figure 2-1 Distributed CPwE Identity Services Architecture

As indicated in Figure 2-1:

1. The Enterprise Zone Cisco ISE PAN/PSN synchronizes its policy configurations with the Industrial Zone Cisco ISE PSN.

2. The Enterprise and Industrial Cisco ISE PSNs send detailed logs to the Enterprise Cisco ISE MnT.

Note For the recommended installation and deployment of Distributed ISE in the Industrial Zone, please follow the best practices and deployment guidelines as prescribed in Cisco Identity Services Engine Administrator Guide, Release 1.3, which is located at the following URL:

• http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_011.html

Active Directory Services

While Cisco ISE can maintain an internal list of users for authentication purposes, most organizations rely on an external directory as the main identity source. By integrating with Microsoft AD, objects such as users and groups, which can be accessed from a single source, become critical in the authorization process.

Companies need a central repository of information about people and their access rights that applies to both the Industrial and Enterprise Zones. AD services in the Industrial Zone should be designed to allow secure replication of information across the IDMZ while being able to operate independently if necessary.

The following sections describe AD and provide design recommendations for CPwE Identity Services.



Active Directory Overview

Active Directory Domain Services (AD DS) provides a distributed database that stores and manages information about network resources and application-specific data from directory- enabled applications. A server that is running AD DS is called an Active Directory Domain Controller (AD DC). Administrators can use AD DS to organize elements of a network, such as users, computers and other devices, into a hierarchical containment structure. The hierarchical containment structure includes the AD forest, domains in the forest and Organizational Units (OUs) in each domain.

Organizing network elements into a hierarchical containment structure provides the following benefits:

• The forest acts as a security boundary for an organization and defines the scope of authority for administrators. By default, a forest contains a single domain, which is known as the forest root domain.

• Additional domains can be created in the forest to provide partitioning of AD DS data, which enables organizations to replicate data only where it is needed. This makes it possible for AD DS to scale globally over a network that has limited available bandwidth. An AD domain also supports a number of other core functions that are related to administration, including network-wide user identity, authentication and trust relationships.

• OUs simplify the delegation of authority to facilitate the management of large numbers of objects. Through delegation, owners can transfer full or limited authority over objects to other users or groups. Delegation is important because it helps to distribute the management of large numbers of objects to a number of people who are trusted to perform management tasks.

Security is integrated with AD DS through logon authentication and access control to resources in the directory. With a single network logon, administrators can manage directory data and organization throughout their network. Authorized network users can also use a single network logon to access resources anywhere in the network. Policy-based administration eases the management of even the most complex network.

Additional AD DS features include the following:

• A set of rules, the schema, that defines the classes of objects and attributes that are contained in the directory, the constraints and limits on instances of these objects and the format of their names.

• A global catalog that contains information about every object in the directory. Users and administrators can use the global catalog to find directory information, regardless of which domain in the directory actually contains the data.

• A query and index mechanism, so that objects and their properties can be published and found by network users or applications.

• A replication service that distributes directory data across a network. All writable domain controllers in a domain participate in replication and contain a complete copy of all directory information for their domain. Any change to directory data is replicated to all domain controllers in the domain.

• Operations master roles (also known as flexible single master operations or FSMO). Domain controllers that hold operations master roles are designated to perform specific tasks to verify consistency and eliminate conflicting entries in the directory.

• Resource organizations, which are organizations that own and manage resources that are accessible from the Internet, can deploy Active Directory Federation Services (AD FS) servers and AD FS-enabled Web servers that manage access to protected resources for trusted partners. These trusted partners can include external third parties or other departments or subsidiaries in the same organization.


• Account organizations, which are organizations that own and manage user accounts, can deploy AD FS federation servers that authenticate local users and create security tokens that federation servers in the resource organization later use to make authorization decisions.

Note For information about Active Directory Domain Services, please refer to the following URL:

• https://technet.microsoft.com/en-us/windowsserver/dd448614

Active Directory Deployment Recommendation

The recommended deployment of the AD DS in the CPwE architecture is based on the corporate data center AD implementation in a single domain. Since the CPwE design consists of a set of LANs connected by a high-speed backbone, the entire network can be a single site. The first domain controller installed automatically creates the first site, known as the Default-First-Site-Name. After installing the first domain controller, all additional domain controllers are automatically added to the same site as the original domain controller.

To deploy the recommended topology, the addition of an AD DC in the Industrial Zone is required. AD DS should be installed in accordance with the Microsoft best practices and deployment guidelines (Deploy Active Directory Domain Services (AD DS) in Your Enterprise), which is provided at the following URL:

• https://technet.microsoft.com/en-us/library/hh472160.aspx

For security implementation, the synchronization between the Enterprise Zone DC and the Industrial Zone DC should be bi-directional. An AD administrator must be able to create, delete and update accounts in the Industrial Zone and have the changes replicated to the Enterprise Zone, and vice versa.

Directory information within a site is replicated frequently and automatically. Intra-site replication is tuned to minimize replication latency; that is, to keep the data as up-to-date as possible. Intra-site directory updates are not compressed. Uncompressed exchanges use more network resources but require less domain controller processing power.

Note For information about Active Directory replication, please refer to the following resources:

• How Active Directory Replication Works https://technet.microsoft.com/en-us/library/cc772726(v=ws.10).aspx

• Active Directory Replication Technologies https://technet.microsoft.com/en-us/library/cc776877%28v=ws.10%29.aspx

Figure 2-2 illustrates the AD replication between the DCs in the Industrial and Enterprise Zones.


Figure 2-2 Domain Controller Bi-Directional Replication

As indicated in Figure 2-2:

1. The Enterprise Domain Controller replicates any changes to the Industrial Zone Domain Controller.

2. The Industrial Domain Controller replicates any changes to the Enterprise Zone Domain Controller.

Certificate Services

Cisco ISE needs an identity certificate that is signed by a certificate authority (CA) server so that it can be trusted by endpoints, gateways and servers. The following sections describe certificate services and provide design recommendations for CPwE Identity Services.

Certificate Services Overview

The certificate services or CA is a trusted entity that manages and issues security certificates and public keys that are used for secure communication in a public network. The CA is part of the public key infrastructure (PKI) along with the registration authority (RA) who verifies the information provided by a requester of a digital certificate. If the information is verified as correct, the certificate authority can then issue a certificate.

PKI is a scalable architecture that includes software, hardware and procedures to facilitate the management of digital certificates. Certificate-based authentication methods are required for plant personnel network access. To provide a local CA for each zone, the root CA should be configured in the Enterprise Zone, with a subordinate CA in the secured Industrial Zone.

Certificate Services can also be used to:

• Enroll users for certificates from the CA using the Web or the Certificates Microsoft Management Console (MMC) snap-in, or transparently through auto enrollment.

[Figure 2-2 diagram (labels recovered from figure residue): Enterprise Zone: Levels 4-5; Enterprise WAN; Internet; External DMZ / Firewall; WLC (Enterprise); ISE (Enterprise); Enterprise Zone Domain Controller; Industrial Demilitarized Zone (IDMZ); Firewalls (Active/Standby); Industrial Zone: Levels 0-3; Level 3 Site Operations; Core switches; WLC (Active); WLC (Standby); ISE PSN; Industrial Zone Domain Controller; Levels 0-2 Cell/Area Zone; Distribution switch; PAC; IO; Drive; MCC; LWAP; WGB; FactoryTalk Client; callouts 1 and 2 mark the replication steps.]


• Use certificate templates to help simplify the choices a certificate requester has to make when requesting a certificate, depending upon the policy used by the CA.

• Take advantage of the AD service for publishing trusted root certificates, publishing issued certificates, and publishing CRLs.

• Implement the ability to log on to a Microsoft Windows operating system domain using a smart card.

Note For more information about CAs, please refer to Certificate Services at the following URL:

• https://technet.microsoft.com/en-us/library/cc758473%28v=ws.10%29.aspx

Certificate Services Deployment Recommendation

Within a CPwE architecture, it is recommended to choose a distributed certificate service model, with the root CA located inside the Enterprise Zone and a subordinate CA residing in the Industrial Zone. A root CA is the most trusted CA in a CA hierarchy. When a root CA issues certificates to other CAs, these CAs become subordinate CAs of the root CA. When a root CA remains online, it is used to issue certificates to subordinate CAs. The root CA does not usually issue certificates directly to users, computers, applications or services.

AD CS can be deployed as an Enterprise CA or as a stand-alone CA, depending on the customer-specific requirements. Both an Enterprise CA and a stand-alone CA can issue the following:

• Digital certificates

• Email (S/MIME) certificates

• Web server (SSL) certificates

However, Enterprise CAs and stand-alone CAs differ in their dependence on AD and in where they can be deployed:

• Enterprise Root CA—This is the topmost CA in the CA hierarchy, and is the first CA installed in the enterprise. Enterprise root CAs are reliant on AD. Enterprise root CAs issue certificates to subordinate CAs.

• Enterprise Subordinate CA—This CA also needs AD, and is used to issue certificates to users and computers.

• Stand-alone Root CA—A stand-alone root CA is also the topmost CA in the certificate chain. A stand-alone root CA is not, however, dependent on AD, and can be removed from the network. This makes stand-alone root CAs the solution for implementing a secure offline root CA.

• Stand-alone Subordinate CA—This type of CA is also not dependent on AD, and is used to issue certificates to users, computers, and other CAs.

The root CA deployed inside the Enterprise Zone provides the following AD CS role services:

• Certification Authorities (CAs)—Root and subordinate CAs are used to issue certificates to users, computers, and services, and to manage certificate validity.

• CA Web Enrollment—Web enrollment allows users to connect to a CA by means of a Web browser in order to request certificates and retrieve certificate revocation lists (CRLs).


• Online Responder—The Online Responder service accepts revocation status requests for specific certificates, evaluates the status of these certificates, and sends back a signed response containing the requested certificate status information.

• Network Device Enrollment Service—The Network Device Enrollment Service allows routers and other network devices that do not have domain accounts to obtain certificates.

• Certificate Enrollment Web Service—The Certificate Enrollment Web Service enables users and computers to perform certificate enrollment that uses the HTTPS protocol. Together with the Certificate Enrollment Policy Web Service, this enables policy-based certificate enrollment when the client computer is not a member of a domain or when a domain member is not connected to the domain.

• Certificate Enrollment Policy Web Service—The Certificate Enrollment Policy Web Service enables users and computers to obtain certificate enrollment policy information. Together with the Certificate Enrollment Web Service, this enables policy-based certificate enrollment when the client computer is not a member of a domain or when a domain member is not connected to the domain.

The subordinate CA is responsible for issuing certificates in response to client Certificate Signing Requests (CSRs) and for validating certificates presented in authentication requests inside the Industrial Zone. In addition, to prevent the root CA and its private key from being compromised, certificates need to be issued to users or devices in the Industrial Zone by the subordinate CA instead of forwarding all requests to the Enterprise Zone root CA. Multiple subordinate CAs need to be deployed inside the Industrial Zone for redundancy.

Note Please refer to the following URLs for detailed information about AD CS services:

• https://technet.microsoft.com/en-us/windowsserver/dd448615.aspx

• https://technet.microsoft.com/en-us/library/cc772192.aspx

Roles and Access

An organization's business policies dictate the network access requirements that the solution must enforce. The network access requirements are primarily based on the roles and responsibilities of the personnel in the organization. CPwE Identity Services classifies personnel roles into the following three broad categories:

• Plant Personnel or Industrial Employee

• Non-Plant Personnel or Corporate Employee

• Contractor or Trusted Partner (OEM, SI)

Industrial Zone Wired Access Design

Industrial customers need to provide on-site access for contractors and employees. Wired Employee/Trusted Partner Access is being proposed for the Industrial Zone of the CPwE Identity Services architecture using the following two methods:

• Plant Personnel access with direct access to Industrial Zone equipment (see Figure 2-4 on page 2-12)


• Employee (non-Plant Personnel)/Trusted Partner access via the Remote Access Server using Terminal Emulation for all IACS applications such as Studio 5000 Logix Designer® (see Figure 2-3 on page 2-11)

Both of these access methods use IEEE 802.1X authentication for permitting access to the network based on user login credentials. Access for both methods will be limited to Levels 0-3 with no access allowed through the IDMZ firewall.

Wired Access Overview

For a user/computer to obtain access, the user must authenticate and present credentials, which are verified by Cisco ISE; the result is an authorization profile that is applied to the IES access layer switch. To avoid confusion, the ports on the switch will be labeled on the plant floor to indicate which ports are open and active for use as convenience ports.

Under normal network operations, the user device would pass through the following steps before being allowed to access the network:

1. Authentication

2. Authorization

Authentication

802.1X authentication involves three parties:

• The supplicant, which is a client computer that wishes to attach to the network

• The authenticator, which is the Stratix or Cisco IES

• The authentication server (Cisco ISE), which supports the authentication protocols

Authentication policies are used to define the protocols used by CPwE Identity Services to communicate with the computers and the identity sources to be used for authentication. CPwE Identity Services evaluates the conditions and, based on whether the result is true or false, applies the configured result.

Authorization Policies

Authorization policies are critical to determine what each user is allowed to access within the network. Authorization policies are composed of authorization rules and can contain conditional requirements that combine one or more identity groups. The permissions granted to the user are defined in authorization profiles, which act as containers for specific permissions.

Authorization profiles group the specific permissions granted to a user or computer and can include tasks such as an associated VLAN and an associated downloadable ACL (dACL).

For CPwE Identity Services, an additional identity group must be defined for the purpose of uniquely identifying corporate computers. This identity group, named Whitelist, maintains a list of computers owned by the corporation. The Whitelist is manually updated by the IT administrator and contains the MAC addresses of the computers that are granted access.

The following is a wired CPwE Identity Services example (as displayed in Figure 2-2 on page 2-6 and Figure 2-3 on page 2-11).

1. User attaches computer to designated Employee/Trusted Partner convenience port on the IES.


2. Wired computers authenticate using 802.1X against the Cisco ISE PSN located within the Industrial Zone. Initially, all computers are confined to a single default VLAN. Differentiated access control for wired computers is provided by different RADIUS dACLs applied to the IES, which override the pre-configured static ACL on the IES access port, and by separate VLANs. The different access types are:

a. User is allowed complete access to the entire Industrial Zone.

b. User is allowed limited access to the specific Cell/Area Zone or to specific devices within the Cell/Area Zone.

c. User is allowed access to the RAS.

Caution CONFIGURATION NOTE: IP Device tracking (IPDT), which operates in accordance with RFC 5227, must be enabled on the IES in order to implement RADIUS downloadable ACL and should ONLY be enabled on convenience and/or designated non-IACS equipment ports.

Caution IPDT should NOT be enabled on ports connected to IACS devices. IPDT uses ARP probes to determine the IP addresses of hosts on different ports; IPDT may disrupt IACS applications. Please see the links below for more details.

• https://rockwellautomation.custhelp.com/app/answers/detail/a_id/568750

• http://www.cisco.com/c/en/us/support/docs/ip/address-resolution-protocol-arp/118630-technote-ipdt-00.html
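The two cautions above give a rule that is easy to get wrong port by port: IPDT has to be active on the 802.1X convenience ports (the RADIUS dACL depends on it) and must not be active on the ports that connect IACS devices. The following Python script, added here as an illustration and not a validated CPwE configuration, audits a constructed IES running-config excerpt against that rule. It assumes the IOS 15 CLI form in which `ip device tracking` enables the feature globally and `ip device tracking maximum 0` opts a single interface out (the form described in the Cisco technote linked above), and it assumes the site tags IACS ports with "IACS" in the port description; other releases use a different device-tracking policy syntax, and the interface names and VLANs are sample values.

```python
"""Audit an IES running-config for the IPDT rule from the cautions:
IPDT active on 802.1X convenience ports, not active on IACS device ports.
Added example; not a validated CPwE configuration."""
from typing import Dict, List, Tuple

# Constructed running-config excerpt: two IACS ports and two convenience ports.
SAMPLE_CONFIG = """\
ip device tracking
!
interface GigabitEthernet1/1
 description IACS PAC
 switchport access vlan 20
!
interface GigabitEthernet1/2
 description IACS Drive
 switchport access vlan 20
 ip device tracking maximum 0
!
interface GigabitEthernet1/3
 description Convenience port - Employee/Trusted Partner
 switchport access vlan 99
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/4
 description Convenience port - Employee/Trusted Partner
 switchport access vlan 99
 authentication port-control auto
 dot1x pae authenticator
 ip device tracking maximum 0
!
"""

Finding = Tuple[str, str]   # (interface name, description of the problem)


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [sub-commands]} for every interface block.
    Sub-commands are the indented lines up to the next unindented line."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None          # "!" or any other global line ends the block
    return interfaces


def ipdt_globally_enabled(config: str) -> bool:
    """Assumed IOS 15 form: a bare 'ip device tracking' line enables IPDT."""
    return any(line.strip() == "ip device tracking" for line in config.splitlines())


def is_dot1x_port(cmds: List[str]) -> bool:
    return "dot1x pae authenticator" in cmds or "authentication port-control auto" in cmds


def is_iacs_port(cmds: List[str]) -> bool:
    """Classify by the port description; assumes the site tags IACS ports this way."""
    return any(c.lower().startswith("description") and "iacs" in c.lower() for c in cmds)


def ipdt_opted_out(cmds: List[str]) -> bool:
    """Assumed IOS 15 form: 'ip device tracking maximum 0' disables IPDT on the port."""
    return "ip device tracking maximum 0" in cmds


def audit_ipdt(config: str) -> List[Finding]:
    """Flag every interface whose IPDT state contradicts the cautions."""
    findings: List[Finding] = []
    enabled = ipdt_globally_enabled(config)
    for name, cmds in parse_interfaces(config).items():
        if is_dot1x_port(cmds):
            if not enabled:
                findings.append((name, "IPDT not enabled globally; RADIUS dACL cannot be applied on this 802.1X port"))
            elif ipdt_opted_out(cmds):
                findings.append((name, "IPDT opted out on 802.1X convenience port; RADIUS dACL cannot be applied"))
        elif is_iacs_port(cmds) and enabled and not ipdt_opted_out(cmds):
            findings.append((name, "IPDT active on IACS port; ARP probes may disrupt the device (add 'ip device tracking maximum 0')"))
    return findings


if __name__ == "__main__":
    for iface, problem in audit_ipdt(SAMPLE_CONFIG):
        print(f"{iface}: {problem}")
```

On the sample, GigabitEthernet1/1 is flagged because the IACS port was never opted out, and GigabitEthernet1/4 is flagged because the convenience port opted out of IPDT, which would silently prevent the dACL from being applied; the other two ports pass. The same audit can be pointed at a real `show running-config` capture once the description convention matches the site's own.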

Wired Access Use Cases

The following sections describe the wired use case implementation for roles such as Industrial Employee, Corporate Personnel and Trusted Partner for CPwE Identity Services.


Wired Industrial Employee Access

Figure 2-3 CPwE Identity Services Validation - Direct Access to Devices

As indicated in Figure 2-3:

1. Wired computer (connected to IES convenience port) logs in and sends 802.1X authentication request.

2. IES forwards RADIUS authentication request on behalf of computer to the Cisco ISE PSN.

3. The Cisco ISE PSN checks AD for the user. If found, it approves the request with a RADIUS response that carries information on the VLAN assignment and dACL to be applied at the IES, which ensures that the computer can directly access devices within the Industrial Zone.

4. Computer connects to desired devices.

[Network diagram (labels recovered from figure residue): Enterprise Zone: Levels 4-5; Enterprise WAN; Internet; External DMZ / Firewall; WLC (Enterprise); ISE MnT; ISE PAN/PSN; Industrial Demilitarized Zone (IDMZ); Firewalls (Active/Standby); Industrial Zone: Levels 0-3; Level 3 Site Operations; Core switches; WLC (Active); WLC (Standby); ISE PSN; Remote Access Server (RAS); Levels 0-2 Cell/Area Zone; Distribution switch; PAC; IO; Drive; MCC; LWAP; WGB; FactoryTalk Client; Laptop Client; callouts 1 to 4 mark the numbered steps.]


Wired Corporate Employee/Trusted Partner Access

Figure 2-4 CPwE Identity Services Validation - Access to Devices via Remote Access Server

As indicated in Figure 2-4:

1. Wired computer (connected to the IES convenience port) logs in and sends 802.1X authentication request.

2. IES forwards RADIUS authentication request on behalf of client to the Cisco ISE PSN.

3. The Cisco ISE PSN checks AD for the user. If found, it approves the request with a RADIUS response that carries information on the VLAN assignment and dACL to be applied at the IES, which ensures that the computer can only access the RAS.

4. Computer connects via Remote Desktop to RAS and uses the same login as before. FactoryTalk® Security enforces permissions for computer.

Industrial Zone Wireless Access Design

Industrial customers need to provide on-site wireless access for contractors and employees. Wireless Employee/Trusted Partner Access is being proposed for the Industrial Zone of the CPwE Identity Services architecture using the following two methods:

• Plant Personnel access with direct access to Industrial Zone equipment (see Figure 2-3 on page 2-11)

• Employee (non-Plant Personnel)/Trusted Partner access via the Remote Access Server using Terminal Emulation for all IACS applications such as Studio 5000 Logix Designer (see Figure 2-4 on page 2-12 and Figure 2-5 on page 2-15).

Both of these access methods use IEEE 802.1X authentication for permitting access to the network based on user login credentials. Access for both methods will be limited to Levels 0-3 with no access allowed through the IDMZ firewall.

[Network diagram (labels recovered from figure residue): Enterprise Zone: Levels 4-5; Enterprise WAN; Internet; External DMZ / Firewall; WLC (Enterprise); ISE MnT; ISE PAN/PSN; Industrial Demilitarized Zone (IDMZ); Firewalls (Active/Standby); Industrial Zone: Levels 0-3; Level 3 Site Operations; Core switches; WLC (Active); WLC (Standby); ISE PSN; Remote Access Server (RAS); Levels 0-2 Cell/Area Zone; Distribution switch; PAC; IO; Drive; MCC; LWAP; WGB; FactoryTalk Client; Laptop Client; callouts 1 to 4 mark the numbered steps.]


Note Use 2.4 GHz band for personnel access. Use only 5 GHz frequency band for critical IACS applications such as I/O, peer to peer and safety control. For more information, please refer to the Deploying 802.11 Wireless LAN Technology within a Converged Plantwide Ethernet Architecture Design and Implementation Guide at the following URLs:

• http://www.cisco.com/c/en/us/td/docs/solutions/Verticals/CPwE/NovCVD/CPwE_WLAN_CVD.html

• http://literature.rockwellautomation.com/idc/groups/literature/documents/td/enet-td006_-en-p.pdf

Wireless Access Overview

For a user/computer to obtain access, the user must authenticate and present credentials, which are verified by Cisco ISE; the result is an authorization profile that is applied to the WLC.

Under normal network operations, the user device would pass through the following steps before being allowed to access the network:

1. Authentication

2. Authorization

Authentication

802.1X authentication involves three parties:

• The supplicant, which is a client computer that wishes to attach to the network

• The authenticator, which is the WLC

• The authentication server (Cisco ISE), which supports the authentication protocols

Authentication policies are used to define the protocols used by CPwE Identity Services to communicate with the computers and the identity sources to be used for authentication. CPwE Identity Services evaluates the conditions and, based on whether the result is true or false, applies the configured result.

Authorization Policies

Authorization policies are critical to determine what each user is allowed to access within the network. Authorization policies are composed of authorization rules and can contain conditional requirements that combine one or more identity groups. The permissions granted to the user are defined in authorization profiles, which act as containers for specific permissions.

Authorization profiles group the specific permissions granted to a user or computer and can include tasks such as an associated VLAN and ACL. Cisco Wireless LAN Controllers support named ACLs (known as Airespace ACLs), meaning that the ACL must be previously configured on the controller rather than being downloaded from ISE. Using the RADIUS Airespace-ACL Name attribute-value pair, ISE instructs the WLC to apply the ACL.


For CPwE Identity Services, an additional identity group must be defined for the purpose of uniquely identifying corporate computers. This identity group, named Whitelist, maintains a list of computers owned by the corporation. The Whitelist is manually updated by the IT administrator and contains the MAC addresses that are granted full access.

The following is a CPwE Identity Services wireless access example (as displayed in Figure 2-5 on page 2-15 and Figure 2-6 on page 2-16).

1. User connects computer to designated Employee/Trusted Partner SSID.

2. Wireless computers authenticate using 802.1X against the Cisco ISE PSN located within the Industrial Zone. Differentiated access control for wireless clients is provided by Airespace ACLs applied to the WLC. The different access scenarios are:

a. User is allowed complete access to the entire Industrial Zone.

b. User is allowed limited access to the specific Cell/Area Zone or to specific devices within the Cell/Area Zone.

c. User is allowed access to the RAS only.
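The wired example above (authorization profiles carrying a VLAN and a RADIUS dACL for the IES, with the Whitelist identity group keyed on MAC address) and this wireless example (a named Airespace ACL that must already exist on the WLC) are the same authorization step applied to two kinds of authenticator. The following Python model, added here as an illustration and not Cisco ISE code, evaluates an ordered rule table against a request and returns the profile for the requesting NAD type, then renders it as the attributes the RADIUS response would carry. The AD group names, profile names, VLAN IDs, ACL names and Whitelist MAC addresses are constructed for the example; `Tunnel-Private-Group-ID` is the standard RADIUS VLAN attribute (RFC 3580) and `Airespace-ACL-Name` is the WLC attribute named on this page, while the dACL is shown by name only because its on-the-wire encoding is vendor-specific.

```python
"""Authorization step for wired (IES + RADIUS dACL) and wireless (WLC +
named Airespace ACL) access. Added illustration; not Cisco ISE code.
Group names, profile names, VLAN IDs, ACL names and MACs are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple


def normalize_mac(mac: str) -> str:
    """Accept 0011.2233.4455, 00-11-22-33-44-55 or 00:11:22:33:44:55 and
    return the lower-case colon-separated form used as the Whitelist key."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


# Whitelist identity group: MAC addresses of corporate-owned computers,
# maintained by hand by the IT administrator (constructed sample values).
WHITELIST: FrozenSet[str] = frozenset(
    normalize_mac(m) for m in ("0011.2233.4455", "00-11-22-33-44-66"))


@dataclass(frozen=True)
class Request:
    """What the policy engine knows once the 802.1X exchange has finished."""
    user: str
    ad_groups: FrozenSet[str]   # AD group memberships returned by the lookup
    mac: str                    # endpoint MAC as reported by the NAD
    nad_type: str               # "IES" (wired switch) or "WLC" (wireless)
    authenticated: bool         # did the credential check succeed?


@dataclass(frozen=True)
class Profile:
    """Authorization profile: the container of permissions pushed to the NAD."""
    name: str
    vlan: Optional[int] = None            # VLAN assignment (IES only here)
    dacl: Optional[str] = None            # downloadable ACL name (IES)
    airespace_acl: Optional[str] = None   # pre-configured named ACL (WLC)


DENY = Profile("ACCESS-REJECT")

# One profile per access scenario and NAD type: the IES gets a VLAN plus a
# dACL that overrides the port's static ACL; the WLC only gets the name of an
# Airespace ACL that must already exist on the controller.
PROFILES: Dict[str, Dict[str, Profile]] = {
    "INDUSTRIAL-FULL": {
        "IES": Profile("INDUSTRIAL-FULL", vlan=10, dacl="PERMIT-INDUSTRIAL-ZONE"),
        "WLC": Profile("INDUSTRIAL-FULL", airespace_acl="ACL-INDUSTRIAL-FULL"),
    },
    "CELL-AREA-LIMITED": {
        "IES": Profile("CELL-AREA-LIMITED", vlan=20, dacl="PERMIT-CELL-AREA-ONLY"),
        "WLC": Profile("CELL-AREA-LIMITED", airespace_acl="ACL-CELL-AREA-LIMITED"),
    },
    "RAS-ONLY": {
        "IES": Profile("RAS-ONLY", vlan=30, dacl="PERMIT-RAS-ONLY"),
        "WLC": Profile("RAS-ONLY", airespace_acl="ACL-RAS-ONLY"),
    },
}


def in_whitelist(req: Request) -> bool:
    return normalize_mac(req.mac) in WHITELIST


# Authorization rules, evaluated top-down; the first matching rule wins.
RULES: List[Tuple[Callable[[Request], bool], str]] = [
    # Plant personnel on a corporate-owned computer: full Industrial Zone access
    (lambda r: "Plant-Personnel" in r.ad_groups and in_whitelist(r), "INDUSTRIAL-FULL"),
    # Plant personnel on any other computer: limited to their Cell/Area Zone
    (lambda r: "Plant-Personnel" in r.ad_groups, "CELL-AREA-LIMITED"),
    # Corporate employees and trusted partners: Remote Access Server only
    (lambda r: bool(r.ad_groups & {"Corporate-Employee", "Trusted-Partner"}), "RAS-ONLY"),
]


def authorize(req: Request) -> Profile:
    """Return the authorization profile for a request, or DENY."""
    if not req.authenticated:
        return DENY                     # authentication failed: no rule is consulted
    if req.nad_type not in ("IES", "WLC"):
        raise ValueError(f"unknown NAD type: {req.nad_type!r}")
    for condition, scenario in RULES:
        if condition(req):
            return PROFILES[scenario][req.nad_type]
    return DENY                         # no rule matched: implicit deny


def radius_attributes(profile: Profile) -> Dict[str, str]:
    """Render a profile as the attributes carried in the RADIUS response."""
    if profile is DENY:
        return {"Access": "Reject"}
    attrs = {"Access": "Accept"}
    if profile.vlan is not None:
        attrs["Tunnel-Private-Group-ID"] = str(profile.vlan)   # RFC 3580 VLAN attribute
    if profile.dacl:
        attrs["dACL"] = profile.dacl                            # name only; encoding is vendor-specific
    if profile.airespace_acl:
        attrs["Airespace-ACL-Name"] = profile.airespace_acl    # WLC applies a pre-configured ACL
    return attrs
```

Two details of the rule order are worth noticing: a Whitelisted MAC on its own does not elevate a Trusted Partner, because the full-access rule also requires Plant-Personnel membership, and a user whose groups match no rule falls through to the implicit deny rather than to the default VLAN.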

Wireless Access Use Cases

The following sections describe the wireless use case implementation for roles such as Industrial Employee, Corporate Personnel and Trusted Partner for CPwE Identity Services.

Wireless Industrial Employee Access

Wireless plant personnel access from the Industrial Zone is a requirement that is implemented based on the Unified Wireless Architecture already designed in Deploying 802.11 Wireless LAN Technology within a Converged Plantwide Ethernet Architecture. Since wireless access points support the use of multiple Service Set Identifiers (SSIDs), a Plant Personnel (Industrial Employee) Access SSID can be defined on the APs that allows Plant Personnel (Industrial Employee) user access to the wireless network. Any user connecting to the wireless network using the Plant Personnel (Industrial Employee) Access SSID will be directed by the AP to the Wireless LAN Controller located in Level 3. From that location, the user will validate their credentials and be given access to the Industrial Zone, either directly or via the RAS.

Figure 2-5 is a diagram of the network architecture used in this solution.


Figure 2-5 Wireless Plant Personnel (Industrial Employee) User Access

As indicated in Figure 2-5:

1. Wireless client connects to Plant Personnel (Industrial Employee) User SSID, logs in and sends 802.1X authentication request, which gets tunneled to the local WLC.

2. WLC forwards RADIUS authentication request on behalf of client to the Cisco ISE PSN.

3. The Cisco ISE PSN checks AD for the user. If found, it approves the request with a RADIUS response that carries information on the ACL to be applied at the Industrial WLC, which ensures that the client can access the Industrial Zone directly or via the RAS.

Wireless Trusted Partner Access Use Cases

Wireless Trusted Partner access from the Industrial Zone is a requirement that is easily implemented based on the Unified Wireless Architecture already designed in Deploying 802.11 Wireless LAN Technology within a Converged Plantwide Ethernet Architecture. Since wireless access points support the use of multiple Service Set Identifiers (SSID), a Trusted Partner SSID will be defined on the APs that will allow for Trusted Partner access to the wireless network. Any user connecting to the wireless network using the Trusted Partner SSID will be directed by the AP to the Trusted Partner Wireless Anchor Controller located in the corporate DMZ. From that location, the Trusted Partner will validate their credentials, and if allowed access, will be attached to the Industrial RAS via the Remote Desktop Gateway (RDG) in the IDMZ. They will log in and be granted access rights based upon their login credentials in the RAS.

Figure 2-6 is a diagram of the network architecture used in this solution.

[Network diagram (labels recovered from figure residue): Enterprise Zone: Levels 4-5; Enterprise WAN; Internet; External DMZ / Firewall; WLC (Enterprise); ISE MnT; ISE PAN/PSN; Industrial Demilitarized Zone (IDMZ); Firewalls (Active/Standby); Remote Desktop Gateway (RDG); Industrial Zone: Levels 0-3; Level 3 Site Operations; Core switches; WLC (Active); WLC (Standby); ISE PSN; Remote Access Server (RAS); Levels 0-2 Cell/Area Zone; Distribution switch; PAC; IO; Drive; MCC; LWAP; WGB; FactoryTalk Client; callouts 1 to 4 mark the numbered steps.]


Figure 2-6 Wireless Trusted Partner Access

As indicated in Figure 2-6:

1. Wireless client connects to Trusted Partner User SSID, logs in and sends 802.1X authentication request, which gets tunneled to the local WLC.

2. WLC forwards RADIUS authentication request on behalf of client to the Cisco ISE PSN.

3. The Cisco ISE PSN checks AD for the user. If found, it approves the request with a RADIUS response that carries information on the ACL to be applied at the Trusted Partner Anchor WLC, which ensures that the client can only access the RAS.

4. Client traffic is now tunneled to the Trusted Partner Anchor WLC, and the client connects via the RDG to RAS using the same login as before. FactoryTalk Security enforces permissions for client.

Wireless Corporate Employee Access

Wireless Corporate Employee access from the Industrial Zone is a requirement that is implemented based on the Unified Wireless Architecture already designed in Deploying 802.11 Wireless LAN Technology within a Converged Plantwide Ethernet Architecture. Since wireless access points support the use of multiple Service Set Identifiers (SSIDs), a Corporate Employee Personnel Access SSID will be defined on the APs that allows Corporate Employee user access to the wireless network. Any user connecting to the wireless network using the Corporate Access SSID will be directed by the AP to the Corporate Wireless LAN Controller located in the corporate network. From that location, the Corporate User will validate their credentials and, if allowed access, will be attached to the Industrial RAS via the RDG in the IDMZ. They will log in and be granted access rights based upon their login credentials in the RAS.

Figure 2-7 is a diagram of the network architecture used in this solution.

[Network diagram (labels recovered from figure residue): Enterprise Zone: Levels 4-5; Enterprise WAN; Internet; External DMZ / Firewall; WLC (Trusted Partner); ISE MnT; ISE PAN/PSN; Industrial Demilitarized Zone (IDMZ); Firewalls (Active/Standby); Remote Desktop Gateway (RDG); Industrial Zone: Levels 0-3; Level 3 Site Operations; Core switches; WLC (Active); WLC (Standby); ISE PSN; Remote Access Server (RAS); Levels 0-2 Cell/Area Zone; Distribution switch; PAC; IO; Drive; MCC; LWAP; WGB; FactoryTalk Client; Laptop Client; callouts 1 to 4 mark the numbered steps.]


Figure 2-7 Wireless Corporate Employee Personnel User Access

As indicated in Figure 2-7:

1. Wireless client connects to Corporate User SSID, logs in and sends 802.1X authentication request, which gets tunneled to the local WLC.

2. WLC forwards RADIUS authentication request on behalf of client to the Cisco ISE PSN.

3. The Cisco ISE PSN checks AD for the user. If found, it approves the request with a RADIUS response that carries information on the ACL to be applied at the Enterprise WLC, which ensures that the client can only access the RAS.

4. Client traffic is now tunneled to the Enterprise WLC, and the client connects via the RDG to RAS using the same login as before. FactoryTalk Security enforces permissions for client.

[Network diagram (labels recovered from figure residue): Enterprise Zone: Levels 4-5; Enterprise WAN; Internet; External DMZ / Firewall; WLC (Enterprise); ISE MnT; ISE PAN/PSN; Industrial Demilitarized Zone (IDMZ); Firewalls (Active/Standby); Remote Desktop Gateway (RDG); Industrial Zone: Levels 0-3; Level 3 Site Operations; Core switches; WLC (Active); WLC (Standby); ISE PSN; Remote Access Server (RAS); Levels 0-2 Cell/Area Zone; Distribution switch; PAC; IO; Drive; MCC; LWAP; WGB; FactoryTalk Client; callouts 1 to 4 mark the numbered steps.]


Chapter 3

Configuring the Infrastructure

This chapter describes how to configure the Cisco ISE infrastructure in the CPwE Identity Services architecture based on the design considerations of the previous chapters. It covers the configuration of the network infrastructure, network services, data traversal, Web application access and network and application security, all from an IDMZ perspective. The included configurations have been validated during the testing effort. It includes the following major topics:

• Network Infrastructure Configuration, page 3-1

• Initial Cisco ISE Configuration, page 3-6

• Wired Access Configuration, page 3-12

• Wireless Access Configuration, page 3-20

Network Infrastructure Configuration

This section describes validated configurations for the network infrastructure that is needed to support Cisco ISE use cases for an IACS network.

The following configuration steps are covered in this section:

• Active Directory Configuration

• DNS Configuration

• DHCP Configuration

• Certificate Services Configuration

• NTP Configuration

Active Directory Configuration

The following steps describe the configuration required to install and configure AD DS replication between the Enterprise and Industrial Zones:

Step 1 Install AD DS services on the Enterprise server:

a. Open the Server Manager console and click Add roles and features.


b. Select Role-based or feature-based installation and then click Next.

c. Select the Active Directory Services role.

d. Accept the default features required by clicking Add Features.

e. On the Features screen, click Next.

f. On the Confirm installation selections screen, click Install. Installation will complete.

g. Click Close. Once completed, notification is made available on the dashboard highlighted by an exclamation mark.

h. Select the notification and from the drop-down menu, select Promote this server to a domain controller (see Figure 3-1).

Step 2 Install AD DS services on the Industrial server:

a. Select Add a Domain Controller into existing domain. Confirm the target domain is specified. If not, select the proper domain or enter the proper domain in the field provided.

b. Click Change, provide the required Enterprise Administrator credentials and then click Next.

c. Define whether the server should be a Domain Name System (DNS) server and Global Catalog (GC).

d. Select the Site to which this DC belongs and define the Directory Services Restoration Mode (DSRM) password for this DC.

e. Click Next on the DNS options screen.

f. In the Additional Options screen, you are provided with the option to install the Domain Controller from Install From Media (IFM). Additionally, you are provided the option to select the point from which DC replication should be completed. The server will choose the best location for AD database replication if not specified. Click Next once completed.

g. Specify location for AD database and SYSVOL and then click Next.

h. The next step is the Schema and Domain preparation. Alternatively, you could run Adprep prior to commencing these steps. Regardless, if Adprep is not detected, it will automatically be completed on your behalf.

i. Finally, the Review Options screen provides a summary of all of the selected options for server promotion. As a bonus, after clicking View Script, you are provided with the PowerShell script to automate future installations. Click Next to continue.

j. Should all the prerequisites pass, click Install to start the installation. After it completes the required tasks and the server restarts, the new Windows Server 2012 Domain Controller setup is completed (see Figure 3-1).

Note For testing purposes, the following services were installed on a single server: AD DS, DHCP, DNS and Certificate Services.


Figure 3-1 Windows Server 2012 Server Manager View

k. Set up the firewall to allow traffic between the servers for replication.

Step 3 Configure AD replication:

a. From the Active Directory Sites and Services tool in the Administrative Tools program group, expand the Sites folder.

b. Right-click the Default-First-Site-Name item and then choose Rename.

c. Rename the site to Enterprise-AD.

d. Create a new site by right-clicking the Sites object and then selecting New Site.

e. On the New Object-Site dialog box, type a site name.

f. Click the DEFAULTIPSITELINK item. An information screen displays.

g. Click OK to create the site.

h. Create another new site. Again, choose the DEFAULTIPSITELINK item. Notice the new site is listed in the Sites object.

i. When you are finished, close the Active Directory Sites And Services tool.

Step 4 Create subnets to define IP address ranges for AD DCs:

a. From the Active Directory Sites and Services tool in the Administrative Tools program group, expand the Sites folder.

b. Right-click the Subnets folder and then click New Subnet. In the New Object-Subnet dialog box, you are prompted for information about the IPv4 or IPv6 details for the new subnet.

c. Click the site, and then click OK to create the subnet.

d. In the Active Directory Sites and Services tool, right-click the newly created 10.1.1.0/24 subnet object and then click Properties.

e. On the subnet's Properties dialog box, type 100Mbit LAN for the description. Click OK to continue.

f. Create a new subnet for the Industrial AD DC by filling in the Address and Site fields.

g. Finally, create another subnet for the Enterprise AD DC by filling in the Address and Site fields.


Figure 3-2 Windows Server 2012 Active Directory Sites and Services Window

Refer to the following URL for more details on Active Directory setup:

• https://technet.microsoft.com/en-us/library/hh831477.aspx

DNS Configuration

Refer to the following URL for guidance and procedures on configuring DNS:

• https://technet.microsoft.com/en-us/library/cc730921.aspx

DHCP Configuration

Refer to the following URL for guidance and procedures on configuring DHCP:

• https://technet.microsoft.com/en-us/library/cc755282.aspx

Certificate Services Configuration

This section describes the configuration of certificate services using the Microsoft server implementation. Public Key Infrastructure (PKI) is a scalable architecture that includes software, hardware and procedures to facilitate the management of digital certificates. PEAP-based authentication was used for personnel authentication. To provide a local CA for each zone, the root CA was configured in the Enterprise Zone, with a subordinate CA in the secured Industrial Zone.

Step 1 Set up the root CA in the Enterprise Zone:

a. From Server Manager, click Add Roles and then click Next.

b. Click Active Directory Certificate Services and then click Next twice.

c. On the Select Role Services page, click Certification Authority and then click Next.

d. On the Specify Setup Type page, click Standalone or Enterprise and then click Next.

Note You must have a network connection to an AD DC in order to install an Enterprise CA.

e. On the Specify CA Type page, click Root CA and then click Next.


f. On the Set Up Private Key page, click Create a new private key and then click Next.

g. On the Configure Cryptography page, select a cryptographic service provider, key length, and hash algorithm and then click Next.

h. On the Configure CA Name page, create a unique name to identify the CA and then click Next.

i. On the Set Validity Period page, specify the number of years or months that the root CA certificate will be valid and then click Next.

j. On the Configure Certificate Database page, accept the default locations unless you want to specify a custom location for the certificate database and certificate database log and then click Next.

k. On the Confirm Installation Options page, review all of the configuration settings that you have selected (see Figure 3-3). If you want to accept all of these options, click Install and wait until the setup process has finished.

Figure 3-3 Windows Server 2012 Root Certification Authority Window

Step 2 Set up subordinate CA in the Industrial Zone:

a. From Server Manager, click Add Roles and then click Next.

b. Click Active Directory Certificate Services and then click Next twice.

c. On the Select Role Services page, click Certification Authority and then click Next.

d. On the Specify Setup Type page, click Enterprise CA and then click Next.

e. On the Specify CA Type page, click Subordinate CA and then click Next.

f. On the Set Up Private Key page, click Create a new private key and then click Next.

g. On the Configure Cryptography page, select a cryptographic service provider, key length and hash algorithm. Click Next.

h. On the Request Certificate page, browse to locate the root CA, or if the root CA is not connected to the network, save the certificate request to a file so that it can be processed later. Click Next.

i. On the Configure CA Name page, create a unique name to identify the CA. Click Next.

j. On the Set Validity Period page, specify the number of years or months that the CA certificate will be valid. Click Next.

k. On the Configure Certificate Database page, accept the default locations unless you want to specify a custom location for the certificate database and certificate database log.

l. On the Confirm Installation Options page, review all of the configuration settings that you have selected (see Figure 3-4). If you want to accept all of these options, click Install and wait until the setup process has finished.


Figure 3-4 Windows Server 2012 Subordinate Certification Authority Window

Step 3 Create a certificate template with intended purposes of Server and Client Authentication. This template is needed for Cisco ISE system certificates to function properly. To create the template, refer to the following guide:

• http://social.technet.microsoft.com/wiki/contents/articles/13303.windows-server-2012-certificate-template-versions-and-options.aspx

NTP Configuration

Cisco ISE requires NTP servers for each zone so that it can synchronize the time across the distributed setup and avoid problems with certificate validity, unsynchronized logs, etc. To configure NTP, refer to Network Time Protocol: Best Practices White Paper for best practices:

• http://www.cisco.com/c/en/us/support/docs/availability/high-availability/19643-ntpm.html

Initial Cisco ISE Configuration

This section describes validated configurations to perform the initial Cisco ISE setup that is required before configuring authentication and authorization policies for clients.

The following configuration steps are covered in this section:

• Prerequisite Configuration

• Distributed Setup Configuration

• External Identity Source (AD) Configuration

• Whitelist Configuration

• Network Device Configuration

Prerequisite Configuration

The following steps describe the prerequisite configuration needed before proceeding with the initial Cisco ISE setup:

Step 1 Import a Plus (or higher) license on the PAN:

a. Obtain the license file from Cisco.

b. From Administration > System > Licensing, scroll to the License Files section.

c. Click Import License, browse for the license file and then click Import.

d. Confirm that the new license is displayed in the License Files section (see Figure 3-5).


Figure 3-5 Cisco ISE License Import Window

Step 2 Install a server certificate signed by the root CA on each Cisco ISE node:

a. From Administration > System > Certificates, choose Certificate Signing Requests in the left pane.

b. Click Generate Certificate Signing Requests (CSR), fill in the required fields and then click Generate (see Figure 3-6).

c. Click Export in the window that appears to download the request.

d. From https://<CA_IP_ADDRESS>/certsrv/ > Request a certificate > Advanced Certificate Request, click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

e. Paste the CSR, select the certificate template, click Submit, download the certificate chain and then convert the extension to .csr format.

Note The certificate template selected should be the same one configured as part of the Certificate Services infrastructure configuration.

f. Select the CSR check box and then click Bind Certificate to bind the CA-signed certificate to the request. The result becomes a system certificate.

g. Browse to the certificate file returned by the CA, fill in the Friendly Name field if desired and then click Submit.

h. Once complete, click System Certificates in the left pane and verify that the new server certificate appears there. Select its check box and then click Edit.

i. Under Usage, check all boxes to allow this certificate to be used by all services. Finally, click Save.

Note For disaster recovery, Cisco recommends exporting all system certificates and their private key pairs to a reliable backup location.

Note When the system certificate is uploaded, the root and subordinate CA certificates will also be added to the Trusted Certificate store automatically (see Figure 3-6).


Figure 3-6 Cisco ISE Certificate Signing Requests Window

Figure 3-7 Cisco ISE Trusted Certificates Window

Step 3 Configure each Cisco ISE node with the domain name and DNS server in their respective zone:

From the CLI (not configurable via GUI), enter the following commands:

ip domain-name <DOMAIN NAME>
ip name-server <DNS SERVER IP ADDRESS>

Step 4 Confirm each Cisco ISE node is in the correct mode to create the distributed setup (PAN primary, all other nodes standalone):

a. On the PAN, from Administration > System > Deployment, click the node name in the table.

b. Under Personas and next to Administration, change the Role from STANDALONE to PRIMARY and then click Save.

c. Wait for Cisco ISE services to restart, then return to the Deployment page and confirm the PAN Administration Role is now PRIMARY.


d. On the other Cisco ISE nodes, from Administration > System > Deployment, click the node name and confirm that the Role is STANDALONE. If not, follow the same procedure as above to change it.

Figure 3-8 Cisco ISE Deployment Roles Window

Distributed Setup Configuration

As discussed in “System Design Considerations”, the Cisco ISE distributed setup supports centralized configuration and management. The distributed setup consists of three types of nodes, as described in Table 3-1.

To establish the distributed setup, follow the Cisco ISE 1.3 Distributed Setup Guide located at:

• http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_011.html

Note Once the distributed setup has been created, all configurations should be performed on the PAN, since that node will then synchronize with the others automatically. The GUI for the other Cisco ISE nodes will have only limited configuration options available.

Table 3-1 Cisco ISE Distributed Setup Node Types

Type of Node | Location in CPwE | Feature
Admin node (PAN) | Enterprise Zone | All system-related configuration (that is, AuthC and AuthZ profiles)
Policy node (PSN) | Industrial Zone | Evaluates the policies and makes all the decisions
Monitoring node (MnT) | Enterprise Zone | Log collector and store for log messages


External Identity Source (AD) Configuration

The following steps describe the configuration of AD as an external identity source for Cisco ISE:

Step 1 Create the AD join point:

a. From Administration > Identity Management > External Identity Sources, click Active Directory in the left pane.

b. Click Add and then type any desired value for the Join Point Name and the domain to join for the Active Directory Domain.

c. Once finished, click Submit.

Step 2 Join the AD domain using the join point:

a. Once the join point has been created, all distributed Cisco ISE nodes should be listed and show a status of “Not Joined.” Select each node's check box and then click Join.

b. Specify a User Name and Password with permissions to join the domain and then click OK. If the operation succeeds, the node will show a status of "Operational" and the host name of the local AD server (see Figure 3-9).

Figure 3-9 Cisco ISE AD Join Point Window

Step 3 Retrieve all necessary groups from the AD server (as configured in Active Directory section above):

a. From the Active Directory Join Point window, click the Groups tab.

b. From Add > Select Groups from Directory, click Retrieve Groups.

c. Select the check boxes for any groups that will be referenced in client policies and then click OK.

d. Verify that the groups are now listed in the table (see Figure 3-10) and then click Save.


Figure 3-10 Cisco ISE AD Groups Window

Whitelist Configuration

The following steps describe the configuration of the Whitelist:

Step 1 Add a corporate device manually to the Whitelist:

a. From Administration > Identity Management > Identities > Endpoints, click Add.

b. On the Endpoint page, enter the MAC address in the MAC Address field.

c. Select the Static Group Assignment check box and then select Whitelist from the Identity Group Assignment drop-down menu.

d. At the bottom of the window, click Save (see Figure 3-11).

Figure 3-11 Cisco ISE Endpoints Page

Network Device Configuration

This section describes how to define network devices (such as a switch or a router) through which RADIUS service requests are sent to Cisco ISE. You must define network devices for Cisco ISE to be able to interact with them.

The following steps describe the configuration of network devices:


Step 1 Create network device groups to organize network devices by type and location, if desired. For this procedure, refer to:

• http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_01001.html#reference_2424A156765D42E98207B93A0E0F0CB3

Step 2 Add any network devices that will send RADIUS requests to Cisco ISE on behalf of clients:

a. From Administration > Network Resources > Network Devices, click Add.

b. Fill in the Name field with the hostname of the device.

c. Fill in the IP Address field with the address of the device.

d. Under Network Device Group, select either the default location and type or any specific groups created earlier.

e. Select the check box next to Authentication Settings, expand it and then enter the RADIUS shared secret.

Note The RADIUS shared secret password must match in the configuration of the network device itself or RADIUS exchanges will fail.

f. Click Save (see Figure 3-12).

Figure 3-12 Cisco ISE Add Network Device Window

Wired Access Configuration

This section describes configuration details for Cisco ISE and the IES based on the design recommendations in System Design Considerations.

The following configuration steps are covered in this section:


• Cisco ISE Configuration

• IES Configuration

Cisco ISE Configuration

This section describes how to configure Cisco ISE to properly authenticate and authorize wired computers and limit their access to the network.

The following configuration steps are covered in this section:

• Identity Store Sequence Configuration

• Policy Element Configuration

• Authentication Policy Configuration

• Authorization Policy Configuration

• Client Configuration

Identity Store Sequence Configuration

The following steps describe the configuration of identity store sequences:

Step 1 Create a certificate authentication profile:

a. From Administration > Identity Management > External Identity Sources, click Certificate Authentication Profile in the left pane and then click Add.

b. Fill in the Name field with any desired name.

c. Select the AD join point from the Identity Store drop-down.

d. Next to Use Identity From, select Any Subject or Alternative Name Attributes in the Certificate (for Active Directory Only).

e. Finally, click Submit (see Figure 3-13).

Figure 3-13 Cisco ISE Certificate Authentication Profile Window

Step 2 Create the identity store sequence:

a. From Administration > Identity Management > Identity Source Sequences, click Add.

b. Fill in the Name field as All_Stores_Sequence.


c. Select the check box next to Certificate Based Authentication and then select the certificate profile created in the previous step from the drop-down.

d. Under Authentication Search List, in the Available list, select the AD join point and then click the right arrow button to move it to the selected list.

e. Under Advanced Search List Settings, select Do not access other stores in the sequence and set the AuthenticationStatus attribute to ProcessError.

f. Finally, click Save (see Figure 3-14).

Figure 3-14 Cisco ISE Identity Source Sequence Window

Policy Element Configuration

The following steps describe the configuration of policy elements:

Step 1 Create the allowed protocol service to define which protocols are allowed for authentication:

a. From Policy > Policy Elements > Results, expand Authentication in the left pane and select Allowed Protocols.

b. Click Add.

c. Fill in the Name field and select the check boxes for only the authentication protocols that will be used by wired clients.

d. Once complete, click Save (see Figure 3-15).


Figure 3-15 Cisco ISE Allowed Protocol Service Window

Step 2 Create the downloadable ACLs:

a. From Policy > Policy Elements > Results, expand Authorization in the left pane and select Downloadable ACLs.

b. Click Add.

c. Fill in the Name field and then add the desired ACL entries in the DACL Content area. These ACL entries use the same syntax as Cisco IOS access lists.

d. To validate the ACL, expand Check DACL Syntax and click Recheck.

e. Confirm that the returned text is "DACL is valid" and then click Submit (see Figure 3-16).

Figure 3-16 Cisco ISE Downloadable ACL Window

Step 3 Create an authorization profile to limit wired clients based on the rules defined here:

a. From Policy > Policy Elements > Results, expand Authorization > Authorization profiles.

b. Click Add to add a profile.


c. Fill in the Name field.

d. Choose the Access Type from the Access Type drop-down menu.

e. Check the DACL Name check box to choose a DACL from the drop-down menu.

f. Check the VLAN check box to assign authorized clients to a VLAN.

g. Enter the VLAN number in the ID/Name field.

h. Click Save (see Figure 3-17).

Figure 3-17 Cisco ISE Authorization Profile Window

Authentication Policy Configuration

The following steps describe the configuration of authentication policies for wired clients:

Step 1 Create an authentication policy for wired clients:

a. From Policy > Authentication, select Policy Type as Rule-Based.

b. Click Edit to insert an authentication rule above or below the existing rule (or to duplicate the existing rule above or below itself).

c. Enter the rule name in the Standard Rule box and then, under Select condition, choose Select Existing Condition from Library.

d. From the Select condition drop-down menu, choose Compound Conditions and then the Wired_802.1X condition.

e. From the Network Access drop-down menu, click Allowed Protocols.

f. Choose the Protocol you wish to allow.

g. Click Done to save the configuration (see Figure 3-18).


Figure 3-18 Cisco ISE Authentication Policy Window

Authorization Policy Configuration

The following steps describe the configuration of authorization policies for wired clients:

Step 1 Create an authorization policy for wired clients:

a. From Policy > Authorization, choose how the rule applies from the drop-down menu (First Matched Rule Applies or Multiple Matched Rule Applies).

b. Click Edit to insert the authorization rule above or below the existing rule (or to duplicate the existing rule above or below itself).

c. Enter the rule name in the Standard Rule box.

d. Click the Any drop-down menu from the If box.

e. From Any > Endpoint Identity Group, choose Whitelist; then, under Select condition, choose Select Existing Condition from Library.

f. From the Select condition drop-down menu, choose Compound Conditions and then the Wired_802.1X condition.

g. Click Edit to expand the Profiles.

h. Click the Select an item drop-down menu to choose a profile.

i. Click Standard and choose the permission rule from the menu.

j. Click Done to save the configuration (see Figure 3-19).

Figure 3-19 Cisco ISE Authorization Policy Window

IES Configuration

This section describes how to configure the IES hosting the convenience port(s) to communicate with the computer via 802.1X, relay these requests to Cisco ISE via RADIUS and limit the computer’s access based on the authorization result.


The following configuration steps are covered in this section:

• VLAN Configuration

• AAA and RADIUS Configuration

• ACL Configuration

• 802.1X Configuration

VLAN Configuration

Log in to the IES and, in global configuration mode, create the VLANs (as defined in the authorization profiles configured on Cisco ISE):

(config)# vlan 181,182,183,351

AAA and RADIUS Configuration

The following steps describe the RADIUS configuration on the IES access switch:

Step 1 The following steps are required to configure the IES switch for AAA:

a. Enable Authentication, Authorization, and Accounting (AAA):

(config)# aaa new-model

b. Create an authentication method for 802.1X (the default method list uses all RADIUS servers for authentication):

(config)# aaa authentication dot1x default group radius

c. Create an authorization method for 802.1X (enables RADIUS for policy enforcement):

(config)# aaa authorization network default group radius

d. Create an accounting method for 802.1X (provides additional information about sessions to Cisco ISE):

(config)# aaa accounting dot1x default start-stop group radius

e. Add Cisco ISE server to the RADIUS group:

(config)# radius-server host 10.225.41.115 auth-port 1812 acct-port 1813 key shared-secret

Step 2 The following steps are required to configure the IES access switch for RADIUS:

a. Configure the Cisco ISE server dead criteria (15 seconds total: 3 tries with a 5-second timeout):

(config)# radius-server dead-criteria time 5 tries 3

b. Configure the switch to send Cisco Vendor-Specific attributes:

(config)# radius-server vsa send accounting
(config)# radius-server vsa send authentication

c. Configure the Cisco Vendor-Specific attributes:

(config)# radius-server attribute 6 on-for-login-auth
(config)# radius-server attribute 8 include-in-access-req
(config)# radius-server attribute 25 access-request include

d. Configure the interface whose IP address is used to source RADIUS messages (Vlan4093 in this example):


(config)# ip radius source-interface Vlan4093

ACL Configuration

The following describes the configuration of ACLs on the IES access switch:

Log in to the IES and, in global configuration mode, enter the extended access list that is applied to the interface during client login to restrict access:

ip access-list extended ACL-DEFAULT
 permit udp any eq bootpc any eq bootps log
 permit udp any host <DNS_Server_IP_Address> eq domain
 deny ip any any log

Note ACL-DEFAULT: This ACL is configured on the IES and used as the default ACL on the port. Its purpose is to prevent unauthorized access. In an 802.1X authentication/authorization scenario, if no DACL is applied to the port after the computer is authenticated and authorized, or if the downloadable ACL contains a syntax error so that the IES rejects the DACL sent by Cisco ISE, the port remains governed by ACL-DEFAULT.
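To see what ACL-DEFAULT lets through before any DACL arrives, here is an added example (not code from the guide) that parses the access list above and evaluates constructed sample flows against it; the DNS server address and client addresses are made up for the example.

```python
"""Added example, not from the CPwE guide: evaluate the pre-authentication
ACL-DEFAULT shown above against sample flows, to confirm that a computer that
has not yet been authorized on a convenience port can only obtain a DHCP lease
and query the approved DNS server. Only the ACE forms ACL-DEFAULT uses are
parsed (ip/udp/tcp, any, host, address + wildcard, eq port, log); the DNS
server address and the sample flows are constructed values."""

import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

DNS_SERVER = "10.13.48.10"  # constructed stand-in for <DNS_Server_IP_Address>

ACL_DEFAULT = f"""
ip access-list extended ACL-DEFAULT
 permit udp any eq bootpc any eq bootps log
 permit udp any host {DNS_SERVER} eq domain
 deny ip any any log
"""

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53}


@dataclass
class Ace:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches every protocol
    src: ipaddress.IPv4Network
    src_port: Optional[int]        # None means any port
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]
    log: bool
    text: str                      # original ACE line, kept for reporting


def _parse_address(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one IOS address spec: any | host A.B.C.D | A.B.C.D W.W.W.W."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts a wildcard (host) mask in the tuple form
    return ipaddress.IPv4Network((tokens[i], tokens[i + 1]), strict=False), i + 2


def _parse_port(tokens: List[str], i: int) -> Tuple[Optional[int], int]:
    """Consume an optional 'eq <name|number>' qualifier."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_extended_acl(text: str) -> List[Ace]:
    """Parse the permit/deny lines of an 'ip access-list extended' block, in order."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[0] not in ("permit", "deny"):
            continue  # skip the 'ip access-list extended NAME' header
        src, i = _parse_address(tokens, 2)
        src_port, i = _parse_port(tokens, i)
        dst, i = _parse_address(tokens, i)
        dst_port, i = _parse_port(tokens, i)
        aces.append(Ace(tokens[0], tokens[1], src, src_port, dst, dst_port,
                        "log" in tokens[i:], line.strip()))
    return aces


def evaluate(aces: List[Ace], proto: str, src: str, sport: int,
             dst: str, dport: int) -> Tuple[str, str]:
    """First matching ACE wins, as on the IES; no match falls to the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in aces:
        if ace.proto not in ("ip", proto) or s not in ace.src or d not in ace.dst:
            continue
        if ace.src_port not in (None, sport) or ace.dst_port not in (None, dport):
            continue
        return ace.action, ace.text
    return "deny", "implicit deny"


# Constructed flows from a client on a convenience port before any DACL is pushed.
SAMPLE_FLOWS = {
    "dhcp-discover": ("udp", "0.0.0.0", 68, "255.255.255.255", 67),
    "dns-to-approved-server": ("udp", "10.17.181.5", 51000, DNS_SERVER, 53),
    "dns-to-other-host": ("udp", "10.17.181.5", 51000, "10.17.181.99", 53),
    "ethernet-ip-to-controller": ("tcp", "10.17.181.5", 51001, "10.17.182.20", 44818),
}


def check_preauth_flows(acl_text: str = ACL_DEFAULT, flows=SAMPLE_FLOWS) -> dict:
    """Map each sample flow name to the action ACL-DEFAULT takes on it."""
    aces = parse_extended_acl(acl_text)
    return {name: evaluate(aces, *flow)[0] for name, flow in flows.items()}


if __name__ == "__main__":
    for name, flow in SAMPLE_FLOWS.items():
        action, ace = evaluate(parse_extended_acl(ACL_DEFAULT), *flow)
        print(f"{name:26s} {action:6s} by: {ace}")
```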

802.1X Configuration

The following describes the 802.1x configuration on the IES:

Enable 802.1X globally (command by itself does not enable authentication on the switchports):

(config)# dot1x system-auth-control

Step 1 The following steps describe the configuration on the desired convenience port:

a. Enable IP device tracking:

(config)# ip device tracking

b. Configure the authentication method priority on the interface:

(config-if)# authentication priority dot1x

c. Configure the authentication method order (dot1x first):

(config-if)# authentication order dot1x

d. Enable Flex-Auth:

(config-if)# authentication event fail action next-method

e. Enable support for more than one MAC address on the physical port:

(config-if)# authentication host-mode multi-auth

f. Configure the violation action (restrict access for additional devices that may fail authentication):

(config-if)# authentication violation restrict

g. Enable port for 802.1X:

(config-if)# dot1x pae authenticator

h. Configure timers:


(config-if)# dot1x timeout tx-period 10

i. Turn authentication on:

(config-if)# authentication port-control auto

j. Apply ACL to the port:

(config-if)# ip access-group ACL-DEFAULT in

k. Make the port an access port:

(config-if)# switchport mode access

l. Assign the port to a specific access VLAN initially, from which the client authenticates with Cisco ISE:

(config-if)# switchport access vlan <number>

Caution CONFIGURATION NOTE: IP Device tracking (IPDT), which operates in accordance with RFC 5227, must be enabled on the IES to implement RADIUS downloadable ACL and should ONLY be enabled on convenience and/or designated non-IACS equipment ports.

Caution IPDT should NOT be enabled on ports connected to IACS devices. IPDT uses ARP probes to determine the IP addresses of hosts on different ports, and these probes may disrupt IACS applications. Refer to the following URLs for more details:

• https://rockwellautomation.custhelp.com/app/answers/detail/a_id/568750

• http://www.cisco.com/c/en/us/support/docs/ip/address-resolution-protocol-arp/118630-technote-ipdt-00.html
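As an added example (not code from the guide), the following script audits an IES running-config against the global and per-port settings listed in this IES Configuration section and flags IACS ports that still have 802.1X enforcement or IPDT active; the config text is constructed, and both the description CONVENIENCE-PORT tag and the per-port ip device tracking maximum 0 opt-out are assumptions made for the example.

```python
"""Added example, not from the CPwE guide: audit an IES running-config against
the global AAA/802.1X settings and the per-port settings listed for convenience
ports above, and flag 802.1X or IPDT left active on IACS ports (see the Caution).
The config is constructed; the 'description CONVENIENCE-PORT' tag and the per-port
'ip device tracking maximum 0' opt-out are assumptions made for this example."""

REQUIRED_GLOBAL = [
    "aaa new-model",
    "aaa authentication dot1x default group radius",
    "aaa authorization network default group radius",
    "aaa accounting dot1x default start-stop group radius",
    "dot1x system-auth-control",
    "ip device tracking",
]
REQUIRED_ON_CONVENIENCE_PORT = [
    "switchport mode access",
    "authentication priority dot1x",
    "authentication order dot1x",
    "authentication event fail action next-method",
    "authentication host-mode multi-auth",
    "authentication violation restrict",
    "dot1x pae authenticator",
    "authentication port-control auto",
    "ip access-group ACL-DEFAULT in",
]
CONVENIENCE_TAG = "description CONVENIENCE-PORT"  # assumed naming convention
IPDT_OPT_OUT = "ip device tracking maximum 0"     # assumed per-port IPDT opt-out

# Constructed config: Gi1/1 complete, Gi1/2 half done, Gi1/3 an IACS port; global dot1x missing.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius-server host 10.225.41.115 auth-port 1812 acct-port 1813 key shared-secret
ip device tracking
!
interface GigabitEthernet1/1
 description CONVENIENCE-PORT
 switchport mode access
 authentication priority dot1x
 authentication order dot1x
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication violation restrict
 authentication port-control auto
 dot1x pae authenticator
 ip access-group ACL-DEFAULT in
!
interface GigabitEthernet1/2
 description CONVENIENCE-PORT
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/3
 description IACS controller
 switchport mode access
"""


def split_config(text):
    """Split running-config text into global lines and per-interface command lists."""
    global_lines, interfaces, current = [], {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            if line.strip() and line.strip() != "!":
                global_lines.append(line.strip())
    return global_lines, interfaces


def audit(config_text=SAMPLE_CONFIG):
    """Return findings keyed by 'global' or interface name; an empty dict is a clean config."""
    global_lines, interfaces = split_config(config_text)
    findings = {}
    missing = [c for c in REQUIRED_GLOBAL if c not in global_lines]
    if not any(l.startswith("radius-server host ") for l in global_lines):
        missing.append("radius-server host <ISE address> ...")
    if missing:
        findings["global"] = ["missing: " + c for c in missing]
    for name, lines in interfaces.items():
        if CONVENIENCE_TAG in lines:
            problems = ["missing: " + c for c in REQUIRED_ON_CONVENIENCE_PORT if c not in lines]
        else:  # IACS-facing port: no 802.1X enforcement and no IPDT, per the Caution above
            problems = []
            if "authentication port-control auto" in lines:
                problems.append("802.1X enforcement on an IACS port")
            if IPDT_OPT_OUT not in lines:
                problems.append("IPDT not disabled on an IACS port")
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    print(audit())
```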

Client Configuration

Wired clients must be preconfigured to use the proper authentication method before they can be authenticated and authorized via a convenience port. Refer to the following URL for guidance on configuring Windows clients:

• http://windows.microsoft.com/en-us/windows/enable-802-1x-authentication#1TC=windows-7

Wireless Access Configuration

This section describes configuration details for Cisco ISE and the WLC based on the design recommendations in System Design Considerations.

The following configuration steps are covered in this section:

• Cisco ISE Configuration

• Industrial WLC Configuration

• Trusted Partner Anchor WLC Configuration

• Corporate Employee Anchor WLC Configuration


Cisco ISE Configuration

This section describes how to configure Cisco ISE to properly authenticate and authorize wireless clients and limit their access to the network.

The following configuration steps are covered in this section:

• Identity Store Sequence Configuration

• Policy Element Configuration

• Authentication Policy Configuration

• Authorization Policy Configuration

Identity Store Sequence Configuration

Refer to Identity Store Sequence Configuration, page 3-13 for this configuration.

Policy Element Configuration

The following steps describe the configuration of policy elements:

Step 1 Create simple conditions:

a. From ISE PAN node > Policy > Policy Elements > Conditions > Authorization > Simple Conditions, click Add.

b. For every SSID, create a simple rule as shown in Figure 3-20.

Figure 3-20 Industrial_Employee_WLAN Condition

Note The Attribute Value (7 in the case shown above) must match the wireless LAN controller WLAN ID for that SSID (Industrial_Employee_WLAN in the case shown above).

c. Similarly, create a simple condition for each of the remaining SSIDs:

– Trusted_Partner_WLAN: Airespace:Airespace-Wlan-Id Equals 4

– Corporate_Employee_WLAN: Airespace:Airespace-Wlan-Id Equals 6

Step 2 For an Industrial Employee to have full access on the plant floor, create a compound condition in Cisco ISE that includes the expressions shown in Figure 3-21.


Figure 3-21 Wireless_PEAP Compound Condition

Step 3 Follow the same format for the Industrial partial-access and RAS-only access use cases.

Step 4 An authorization profile acts as a container for a set of specific permissions that allow access to a set of network services. The Airespace ACL controls access on the network. Since this user has access to every device on the plant floor, the Airespace ACL applied here is ACL_Full_Access.

Note The ACL is configured in WLC. Refer to ACL Configuration using GUI, page 3-40 for more detail.

Figure 3-22 Airespace ACL Name Selection

Authentication Policy Configuration

Authentication policies define the protocols Cisco ISE uses to communicate with endpoints and the identity sources used to validate their credentials. Cisco ISE evaluates each rule's conditions and, depending on whether the result is true or false, applies the configured result. An authentication policy includes:


• An allowed protocol service, such as PEAP, EAP-TLS, etc.

• An identity source used for authentication

Like access lists, authentication rules are processed from the top down. When the first condition is met, processing stops and that rule's allowed protocols and identity source are used.

The rules are evaluated using "if, then, else" logic:

IF Wireless_802.1X THEN
    allow EAP-TLS and PEAP
ELSE IF <next condition> THEN
    take that rule's action
ELSE
    use the Default rule

The following steps describe the configuration of authentication policies for wireless clients:

Step 1 Configure AuthC policy:

a. From Policy > Authentication, either customize the default Wireless dot1x policy or insert a new policy above/below any existing policy by clicking the down arrow beside Edit.

b. Enter a rule name (such as Wireless dot1x AuthC).

c. Click + beside the "If" condition > Select Existing Condition from Library > Select Condition > Compound Conditions > Wireless_802.1X.

d. Select Allowed protocols as EAP-TLS and PEAP.

Note For more information on how to customize allowed protocol, check Figure 3-15 on page 3-15.

Step 2 Define the identity source for each EAP method:

a. Click the default identity rule, change the Identity Source from Internal Users to All_Stores_Sequence and keep the other options at their defaults.

b. Beside the default rule, from Actions > Insert new row above, enter a name for the EAP-TLS identity rule.

c. Click the small square to open the expression builder > Create New Condition > Network Access:EapAuthentication EQUALS EAP-TLS.

d. In the Use section, change the Identity Source from Internal Users to All_Stores_Sequence and keep the other options at their defaults.

e. Repeat steps b through d to create a rule for PEAP, using the condition Network Access:EapTunnel EQUALS PEAP and the same All_Stores_Sequence identity source.

Step 3 Click OK.


Figure 3-23 Authentication Rules

In a normal deployment scenario, endpoints use 802.1X to authenticate through the WLC to Cisco ISE. Cisco ISE authenticates these endpoints against Active Directory (PEAP) or by validating their digital certificates (EAP-TLS).

The default Authentication policy is Deny Access.

Authorization Policy Configuration

Authorization policies define the overall security policy for access to the network: which users and devices are admitted, and what each of them is allowed to do with the network's resources once admitted. An authorization policy is composed of multiple rules, each defined by three main elements:

• Names

• Conditions

• Permissions

Permissions are enforced through authorization profiles. As with authentication rules, authorization rules are processed from the top down; when the first condition is met, processing stops and that rule's permissions are applied. For the Industrial Employee full-access rule, the four conditions are:

1. Match the SSID: Airespace:Airespace-Wlan-Id Equals 7

2. Match a wireless client: Radius:Service-Type Equals Framed and Radius:NAS-Port-Type Equals Wireless - IEEE 802.11 (this pair is the built-in compound condition Wireless_802.1X)

3. Match the Active Directory group: AD2:ExternalGroups Equals cpwe-ra-cisco.local/Users/Industrial_Employee_Full

4. Network Access: EapTunnel Equals PEAP

Note Depending on your requirements, these can all be individual simple conditions, combined into one compound condition, or a mix of both. A mix is shown here: the SSID match is the simple condition Industrial_Employee_WLAN and the remaining three expressions form the compound condition Wireless_Industrial_User_Full_Access.

The following steps describe the configuration of the full-access authorization rule for wireless users:

Step 1 From ISE PAN node > Policy > Authorization, select how the rule applies from the drop-down menu First Matched Rule Applies or Multiple Matched Rule Applies. The default is First Matched Rule Applies.

Step 2 Click Edit to insert authorization rule below or above the existing rule.


Step 3 Enter the rule name in the Standard Rule box and, in the If box, choose the endpoint identity group from the Select Endpoint Identity Group drop-down menu (Any or Whitelist).

Step 4 In the And conditions box, click Select Existing Condition from Library.

Step 5 Choose Select Condition > Compound Conditions > Wireless_Industrial_User_Full_Access.

Step 6 Click the gear icon and choose Add Condition from Library > Select Condition > Simple Conditions > Industrial_Employee_WLAN.

Step 7 Click Done to save the configuration (see Figure 3-24).

Figure 3-24 Wireless Authorization Policy Window
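The following is an added example, not part of this guide or of Cisco ISE: a small Python model of the authentication and authorization policies configured above, implementing the top-down, first-match evaluation described under Authentication Policy Configuration and Authorization Policy Configuration and returning the Airespace ACL name that ISE would hand to the WLC for a given RADIUS request. The Wireless dot1x AuthC rule, All_Stores_Sequence, Industrial_Employee_WLAN, Wireless_Industrial_User_Full_Access, the AD group and ACL_Full_Access are the names used in this section; the partial-access rule, its Industrial_Employee_Partial group and the request dictionaries are assumptions constructed for the example.

```python
"""Model of the wireless authentication and authorization policies built in
this section: each policy is walked top down, the first true condition wins,
and the Default rule catches everything else. Added illustration, not ISE
code. Names are those used in the chapter except the partial-access rule,
the Industrial_Employee_Partial group and the request dictionaries, which
are constructed for the example."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional

Request = Dict[str, object]
Condition = Callable[[Request], bool]


def wireless_802_1x(req: Request) -> bool:
    """ISE built-in compound condition Wireless_802.1X."""
    return (req.get("Radius:Service-Type") == "Framed"
            and req.get("Radius:NAS-Port-Type") == "Wireless - IEEE 802.11")


def wlan_id_is(wlan_id: int) -> Condition:
    """Simple condition on Airespace-Wlan-Id; the value is the WLC's WLAN ID."""
    return lambda req: req.get("Airespace:Airespace-Wlan-Id") == wlan_id


def ad_group_is(group: str) -> Condition:
    return lambda req: group in req.get("AD2:ExternalGroups", ())


def eap_tunnel_is(tunnel: str) -> Condition:
    return lambda req: req.get("Network Access:EapTunnel") == tunnel


def all_of(*conds: Condition) -> Condition:
    """Compound condition: every expression must be true."""
    return lambda req: all(c(req) for c in conds)


@dataclass
class AuthCRule:
    name: str
    condition: Condition
    allowed_protocols: FrozenSet[str]
    identity_store: str          # "DenyAccess" rejects outright


@dataclass
class AuthZRule:
    name: str
    condition: Condition
    permission: str              # Airespace ACL name sent to the WLC, or DenyAccess


AUTHC_RULES: List[AuthCRule] = [
    AuthCRule("Wireless dot1x AuthC", wireless_802_1x,
              frozenset({"EAP-TLS", "PEAP"}), "All_Stores_Sequence"),
]
AUTHC_DEFAULT = AuthCRule("Default", lambda req: True, frozenset(), "DenyAccess")

FULL_GROUP = "cpwe-ra-cisco.local/Users/Industrial_Employee_Full"
PARTIAL_GROUP = "cpwe-ra-cisco.local/Users/Industrial_Employee_Partial"   # assumed

INDUSTRIAL_EMPLOYEE_WLAN = wlan_id_is(7)
WIRELESS_INDUSTRIAL_USER_FULL_ACCESS = all_of(
    wireless_802_1x, ad_group_is(FULL_GROUP), eap_tunnel_is("PEAP"))
WIRELESS_INDUSTRIAL_USER_PARTIAL_ACCESS = all_of(                          # assumed
    wireless_802_1x, ad_group_is(PARTIAL_GROUP), eap_tunnel_is("PEAP"))

AUTHZ_RULES: List[AuthZRule] = [
    AuthZRule("Industrial Employee Full Access",
              all_of(INDUSTRIAL_EMPLOYEE_WLAN, WIRELESS_INDUSTRIAL_USER_FULL_ACCESS),
              "ACL_Full_Access"),
    AuthZRule("Industrial Employee Partial Access",
              all_of(INDUSTRIAL_EMPLOYEE_WLAN, WIRELESS_INDUSTRIAL_USER_PARTIAL_ACCESS),
              "ACL_Partial_Access"),
]
AUTHZ_DEFAULT = AuthZRule("Default", lambda req: True, "DenyAccess")


def first_match(rules, default, req: Request):
    """First Matched Rule Applies: processing stops at the first true condition."""
    for rule in rules:
        if rule.condition(req):
            return rule
    return default


def evaluate(req: Request) -> str:
    """Permission Cisco ISE would return for one RADIUS request.

    Authentication is decided first: a request that falls to the
    authentication Default rule, or that uses an EAP method the matched rule
    does not allow, is rejected and the authorization policy is never run."""
    authc = first_match(AUTHC_RULES, AUTHC_DEFAULT, req)
    if authc.identity_store == "DenyAccess":
        return "DenyAccess"
    # PEAP is a tunnel carrying an inner method; EAP-TLS is a method on its own.
    method = req.get("Network Access:EapTunnel") or req.get("Network Access:EapAuthentication")
    if method not in authc.allowed_protocols:
        return "DenyAccess"
    return first_match(AUTHZ_RULES, AUTHZ_DEFAULT, req).permission


def wireless_request(wlan_id: int, groups, tunnel: Optional[str] = "PEAP",
                     inner: str = "EAP-MSCHAPv2") -> Request:
    """Constructed RADIUS request as the WLC presents it to ISE (not a capture)."""
    return {
        "Radius:Service-Type": "Framed",
        "Radius:NAS-Port-Type": "Wireless - IEEE 802.11",
        "Airespace:Airespace-Wlan-Id": wlan_id,
        "AD2:ExternalGroups": tuple(groups),
        "Network Access:EapTunnel": tunnel,
        "Network Access:EapAuthentication": inner,
    }
```

Running the model makes two things visible that the GUI does not: a user who is a member of both AD groups receives ACL_Full_Access purely because that rule is listed first, and an EAP-TLS user in the full-access group is rejected even though EAP-TLS is an allowed protocol, because the compound condition requires EapTunnel EQUALS PEAP. Order the rules deliberately and add an EAP-TLS variant of the rule if certificate-based users are expected on this SSID.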

Industrial WLC Configuration

This section describes how to configure the industrial WLC.

Note To create the unified wireless infrastructure and associate APs in the Industrial Zone, refer to the Deploying 802.11 Wireless LAN Technology within a Converged Plantwide Ethernet Architecture Design and Implementation Guide at the following URL:

• http://www.cisco.com/c/en/us/td/docs/solutions/Verticals/CPwE/NovCVD/CPwE_WLAN_CVD.html

The following configuration steps are covered in this section:

• RADIUS Configuration

• Interface Configuration

• WLAN Configuration

• ACL Configuration

• Mobility Configuration

Note CLI configuration for the WLC section is provided in References.


RADIUS Configuration

RADIUS is a client/server protocol that centralizes authentication, authorization and accounting for users attempting to gain access to the network. In this architecture the ISE PSN node is the RADIUS server for user traffic.

The following steps describe the RADIUS configuration on the industrial WLC (see Figure 3-25):

Step 1 From Security > RADIUS > Authentication, click New.

Step 2 Enter the Server IP Address and Shared Secret and leave the other settings at their defaults. The shared secret must match the one configured for this WLC in the Cisco ISE network device definition; otherwise Cisco ISE rejects the controller's RADIUS requests.

Step 3 Click Apply.

Step 4 Click Save Configuration.

Figure 3-25 WLC RADIUS Configuration

RADIUS Configuration using CLI

Add a RADIUS authentication server using the following command:

config radius auth add index server_ip_address port# {ascii | hex} shared_secret

Interface Configuration using GUI

Dynamic interfaces map each SSID to the VLAN and subnet in which its clients are placed; one is created per WLAN below. (The controller's virtual interface address, by contrast, is used only in communications between the controller and wireless clients and is not changed here.)

The following steps describe the interface configuration on the industrial WLC (see Figure 3-26 through Figure 3-28):

Step 1 Choose Controller > Interfaces to open the Interfaces page.

Step 2 Click New.

Step 3 Enter the following parameters:

• Physical Information > Port number

• Interface Address > VLAN Identifier, IP address, Netmask, Gateway

• DHCP Information > DHCP Proxy Mode: Disable


Step 4 Click Apply to commit your changes.

Figure 3-26 Industrial Employee Provisioning Interface Configuration

Figure 3-27 Corporate Employee Provisioning Interface Configuration


Figure 3-28 Trusted Partners Provisioning Interface Configuration

Interface Configuration using CLI

Add Interface Configuration using the following command:

config interface create operator_defined_interface_name {vlan_id | x}
config interface address operator_defined_interface_name ip_addr ip_netmask [gateway]
config interface vlan operator_defined_interface_name {vlan_id | 0}
config interface port operator_defined_interface_name physical_ds_port_number
config interface dhcp dynamic-interface operator_defined_interface_name proxy-mode disable

WLAN Configuration using GUI

The following steps describe the WLAN configuration on the industrial WLC (see Figure 3-29 through Figure 3-32):

Step 1 Choose WLANs to open the WLANs page.

Step 2 Create a new WLAN by choosing Create New from the drop-down list and then clicking Go. The WLANs > New page appears.

Step 3 From the Type drop-down list, choose WLAN to create a WLAN.

Step 4 Assign Profile Name, SSID name and ID #. Use the parameters on the General, Security and Advanced tabs to configure this WLAN.

Step 5 Click Apply to commit your changes.

Step 6 Click Save Configuration to save your changes.


Figure 3-29 Industrial Employee WLAN Configuration General

Figure 3-30 Industrial Employee WLAN Configuration L2 Security

Figure 3-31 Industrial Employee WLAN Configuration AAA Servers


Figure 3-32 Industrial Employee WLAN Configuration Advanced

Note Corporate_Employee_WLAN and Trusted_Partners_WLAN use the same configuration, with their respective provisioning interfaces selected on the General tab.

WLAN Configuration using CLI

Add WLAN Configuration using the following command:

config wlan create wlan_id {profile_name | foreign_ap} ssid
config wlan disable {wlan_id | foreign_ap | all}
config wlan security wpa wpa2 {enable | disable} wlan_id
config wlan security wpa wpa2 ciphers {aes | tkip} {enable | disable} wlan_id
config wlan radius_server auth {enable | disable} wlan_id
config wlan radius_server auth add wlan_id {radius_server_index | all}
config wlan aaa-override {enable | disable} wlan_id
config wlan nac radius {enable | disable} wlan_id
config wlan enable {wlan_id | foreign_ap | all}

The WLAN must be disabled before its security settings are changed and re-enabled afterwards.

ACL Configuration using GUI

Applying an ACL to a client is part of the authorization policy. These named ACLs are defined on the WLC and referenced by name from Cisco ISE, which returns the name in the Airespace-ACL-Name RADIUS attribute; the controller then applies the ACL to the client session. These ACLs are referred to as Airespace ACLs. The name must match exactly, including case, on both the WLC and Cisco ISE.

The following steps describe the ACL configuration on the industrial WLC:

Step 1 From Security > Access Control Lists > Access Control Lists, click New.

Step 2 Write Access Control List Name > Keep default IPv4.

Step 3 Click the ACL name you created and then click Add new rule.

Step 4 Configure the following access lists. Direction is relative to the wireless client: Inbound matches traffic sent by the client toward the wired network, Outbound matches traffic from the wired network toward the client.

a. Industrial Full Access: Allow access to all devices to plant floor:

– Sequence: 1 > Source: Any > Destination: Any > Protocol: Any > DSCP: Any > Direction: Any > Action: Permit > Apply

b. Industrial Partial Access: Limit to particular cell area:

– Sequence: 1 > Source: Any > Destination: <Destination IP Address> Protocol: Any > DSCP: Any > Direction: Inbound > Action: Permit. Then click Apply.


– Sequence: 2 > Source: <Source IP Address> > Destination: Any > Protocol: Any > DSCP: Any > Direction: Outbound > Action: Permit. Then click Apply.

– Sequence: 3 > Source: Any > Destination: Any > Protocol: Any > DSCP: Any> Direction: Any > Action: Deny. Then click Apply.

c. Industrial RAS-only Access: Only to remote access server (RAS):

– Sequence: 1 > Source: Any > Destination: <RAS_Server_IP_Address> Protocol: Any > DSCP: Any > Direction: Inbound > Action: Permit. Then click Apply.

– Sequence: 2 > Source: <RAS_Server_IP_Address> > Destination: Any > Protocol: Any > DSCP: Any > Direction: Outbound > Action: Permit. Then click Apply.

– Sequence: 3 > Source: Any > Destination: Any > Protocol: Any > DSCP: Any > Direction: Any > Action: Deny. Then click Apply.

d. Corporate RAS only (via RDG) Access: Only to remote desktop gateway (RDG):

– Sequence: 1 > Source: Any > Destination: <RDG_Server_IP_Address> Protocol: tcp/https > DSCP: Any > Direction: Any > Action: Permit. Then click Apply.

– Sequence: 2 > Source: <RDG_Server_IP_Address> > Destination: Any > Protocol: tcp/https > DSCP: Any > Direction: Any > Action: Permit. Then click Apply.

– Sequence: 3> Source: Any > Destination: Any > Protocol: Any > DSCP: Any> Direction: Any > Action: Deny. Then click Apply.

Step 5 Click Apply.

Step 6 Click Save Configuration.

Note Refer to Authorization Policy Configuration, page 3-17 for ACL details.

Figure 3-33 ACL_Partial_Access
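The following is an added example, not controller code and not part of the original guide: a Python evaluator for the four ACLs defined in Step 4, used to confirm what each ACL actually lets a client reach before the ACL name is referenced from Cisco ISE. The cell subnet (10.17.10.0/24) and RAS address (10.17.20.5) are constructed; the RDG address 10.1.2.3 is the one that appears in the firewall fragment later in this chapter. The GUI's tcp/https shorthand is assumed to mean TCP port 443 (destination port toward the RDG, source port on the return path).

```python
"""First-match evaluation of the four WLC client ACLs defined in the steps
above. Added illustration, not controller code. Direction follows the
convention used in the chapter: "in" is traffic from the wireless client
toward the wired network, "out" is traffic toward the client. CELL_NET and
RAS are constructed; RDG reuses the address from the chapter's firewall
fragment; tcp/https is modelled as TCP port 443."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    seq: int
    source: str            # CIDR/host or "any"
    dest: str
    protocol: str          # "any", "tcp", "udp", "icmp"
    sport: Optional[int]   # None = any port
    dport: Optional[int]
    direction: str         # "any", "in", "out"
    action: str            # "permit" or "deny"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str
    sport: Optional[int]
    dport: Optional[int]
    direction: str


def _addr_match(pattern: str, addr: str) -> bool:
    return pattern == "any" or ip_address(addr) in ip_network(pattern, strict=False)


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """Walk the rules in sequence order; the first match decides. A packet
    that matches nothing is denied here, which is also why the chapter ends
    every restrictive ACL with an explicit deny-all rule."""
    for r in sorted(acl, key=lambda r: r.seq):
        if r.direction != "any" and r.direction != pkt.direction:
            continue
        if r.protocol != "any" and r.protocol != pkt.protocol:
            continue
        if r.sport is not None and r.sport != pkt.sport:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        if not (_addr_match(r.source, pkt.src) and _addr_match(r.dest, pkt.dst)):
            continue
        return r.action
    return "deny"


CELL_NET = "10.17.10.0/24"   # constructed Cell/Area Zone subnet
RAS = "10.17.20.5"           # constructed remote access server
RDG = "10.1.2.3"             # remote desktop gateway, as in the firewall fragment
ANY = None

ACL_FULL_ACCESS = [Rule(1, "any", "any", "any", ANY, ANY, "any", "permit")]

ACL_PARTIAL_ACCESS = [
    Rule(1, "any", CELL_NET, "any", ANY, ANY, "in", "permit"),
    Rule(2, CELL_NET, "any", "any", ANY, ANY, "out", "permit"),
    Rule(3, "any", "any", "any", ANY, ANY, "any", "deny"),
]

ACL_RAS_ONLY = [
    Rule(1, "any", RAS, "any", ANY, ANY, "in", "permit"),
    Rule(2, RAS, "any", "any", ANY, ANY, "out", "permit"),
    Rule(3, "any", "any", "any", ANY, ANY, "any", "deny"),
]

ACL_RDG_ONLY = [
    Rule(1, "any", RDG, "tcp", ANY, 443, "any", "permit"),
    Rule(2, RDG, "any", "tcp", 443, ANY, "any", "permit"),
    Rule(3, "any", "any", "any", ANY, ANY, "any", "deny"),
]


def client_to(acl, client: str, dst: str, protocol="tcp", dport=None) -> str:
    """Verdict for a flow the wireless client initiates toward dst."""
    return evaluate(acl, Packet(client, dst, protocol, None, dport, "in"))


def reply_to(acl, src: str, client: str, protocol="tcp", sport=None) -> str:
    """Verdict for return traffic from src toward the client."""
    return evaluate(acl, Packet(src, client, protocol, sport, None, "out"))
```

The partial-access checks show why that ACL needs both rule 1 and rule 2: rule 1 alone lets the client send into the cell but drops the replies, and anything addressed to a second cell falls through to the final deny. The RDG-only checks show that RDP itself (TCP 3389) is blocked at the controller and only the HTTPS session to the gateway is permitted.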

ACL Configuration using CLI

Add ACL Configuration using the following command:

config acl create <name>
config acl rule add <name> <index>
config acl rule action <name> <index> {permit | deny}
config acl rule destination address <name> <index> <IP_address> <netmask>
config acl rule direction <name> <index> {in | out | any}

Repeat the rule commands for each sequence number and finish with a rule whose action is deny for any source and destination, as in the GUI procedure.


Mobility Configuration using GUI

With the auto-anchor mobility feature of Cisco wireless controllers, packets from the wireless client are encapsulated in a mobility tunnel from the internal wireless controller (the industrial WLC, known as the foreign controller) to the trusted partner wireless controller (the anchor controller), where they are de-encapsulated and delivered to the wired network.

Note Use the old mobility mode (EoIP tunnel), not New Mobility, to anchor the trusted partner traffic.

The following steps describe the mobility configuration on the industrial WLC (see Figure 3-34 through Figure 3-36):

Step 1 From Controller > Mobility Management, click Default Mobility Domain Name. Give it the same name as on the anchor controllers; every controller in the mobility group must use the same domain name.

Step 2 From Controller > Mobility Management > Mobility Groups, click New.

Step 3 Assign the IP address, MAC address and group name of the Anchor Controller's management interface.

Step 4 From WLAN > trusted_Partner_WLAN, hover your mouse on the down arrow and click Mobility Anchors.

Step 5 From Switch IP address (Anchor), select Trusted_Partner WLC management IP from the drop-down menu.

Step 6 Click Mobility Anchor Create.

Step 7 Click OK when the warning "If the WLAN is in Enabled state, adding Mobility Anchors will cause the WLAN to be momentarily disabled and thus may result in loss of connectivity for some clients." is displayed.

Step 8 Repeat the same steps for Corporate_Employee_WLAN, anchoring it to the corporate anchor WLC.

Figure 3-34 Industrial WLC Mobility Configuration

Figure 3-35 Industrial WLC Mobility Anchors


Figure 3-36 Industrial WLC Mobility Anchors Configuration

Mobility Configuration using CLI

Add Mobility Configuration using the following command:

config mobility group domain domain_name
config mobility group member add mac_address ip_address
config {wlan | guest-lan} disable {wlan_id | guest_lan_id}
config mobility group anchor add {wlan | guest-lan} {wlan_id | guest_lan_id} anchor_controller_ip_address
config {wlan | guest-lan} enable {wlan_id | guest_lan_id}

Disable the WLAN or wired guest LAN for which you are configuring mobility anchors before adding the anchor, and enable it again afterwards.

Trusted Partner Anchor WLC Configuration

The CPwE architecture recommends the use of a controller dedicated to trusted partner wireless traffic. This controller is known as the trusted partner anchor controller. The anchor controller is usually located in a less trusted network area (that is, the Enterprise Zone or Enterprise External DMZ), while the internal WLAN controllers where the traffic originates are located in the Industrial Zone.

An EoIP tunnel is established between the internal WLAN controllers and the anchor controller to isolate the path of trusted partner traffic from industrial data traffic and IACS device traffic. Path isolation is a critical security management feature for trusted partner access: it ensures that security policies for trusted partner traffic can be kept separate from, and differentiated from, those for internal traffic.

An important feature of the Cisco Unified Wireless Network architecture is the ability to use an EoIP tunnel to statically map one or more provisioned WLANs (that is, SSIDs) to a specific anchor controller within the network. All traffic, both to and from a mapped WLAN, traverses a static EoIP tunnel established between the remote (foreign) controller and the anchor controller.

A single EoIP tunnel is configured between the industrial WLC and the trusted partner anchor controller; it carries the trusted partner client traffic from every access point joined to the industrial WLC.

The following configuration steps are covered in this section:

• Interface Configuration

• WLAN Configuration

• ACL Configuration

• Mobility Configuration


Interface Configuration using GUI

Note All controllers within a mobility group must be configured with the similar interface configuration and same WLAN configuration. Otherwise, inter-controller roaming may appear to work, but the handoff does not complete and the client loses connectivity for a period of time.

The following steps describe the interface configuration on the trusted partner anchor WLC (see Figure 3-37):

Step 1 From Controller > Interfaces, open the Interfaces page and then click New.

Step 2 Enter the following parameters:

a. Physical Information > Port number

b. Interface Address > VLAN Identifier, IP address, Netmask, Gateway

c. DHCP Information > DHCP Proxy Mode: Disable

Step 3 Click Apply to commit your changes.

Figure 3-37 Trusted Partners Provisioning interface Configuration

Interface Configuration using CLI

To have Interface configuration for trusted partners anchor WLC, refer to Interface Configuration using CLI, page 3-28. The procedure remains the same.

WLAN Configuration using GUI

The following steps describe the WLAN configuration on the trusted partner anchor WLC (see Figure 3-38):


Step 1 Click WLANs to open the WLANs page.

Step 2 Create a new WLAN by clicking Create New from the drop-down list and then clicking Go. The WLANs > New page displays.

Step 3 From the Type drop-down list, choose WLAN to create a WLAN.

Step 4 Assign Profile Name, SSID name and WLAN ID #.

Note Make sure the WLAN ID # matches the number with Industrial WLC Trusted_Partners_WLAN.

Step 5 Use the parameters on the General, Security and Advanced tabs to configure this WLAN.

a. General > Interface/Interface groups > Select Trusted_Partners_Provisioning > Radio Policy (Optional): All / 802.11 b/g only

b. Security > Layer 2 > Layer 2 security: WPA+WPA2

c. Security > AAA Servers > Select the PSN node as an authentication server

d. Advanced > Allow AAA Override: Checked > NAC state: Radius NAC

Step 6 Click Apply to commit your changes.

Step 7 Click Save Configuration to save your changes.

Figure 3-38 Trusted Partners SSID Configuration

Note The rest of the WLAN security and advanced configuration is the same as for the industrial WLC, so refer to WLAN Configuration using GUI, page 3-28 for these configurations.

WLAN Configuration using CLI

To have WLAN configuration for trusted partners anchor WLC, refer to the WLAN configuration under the Industrial WLC configuration section. The procedure remains the same.


Enterprise Edge Firewall ACL Configuration using GUI

Trusted partners can reach IACS devices only through the RAS, via the RDG. Because the trusted partner anchor WLC resides in the Enterprise External DMZ, the ACL is enforced by the enterprise edge firewall rather than by the WLC. The firewall must also permit the ports that form the mobility tunnel (see Figure 3-39).

Figure 3-39 Enterprise Edge ACL (GUI)

Enterprise Edge Firewall ACL Configuration using CLI

Add Enterprise Edge Firewall ACL Configuration using the following commands:

object network WLC-Trusted_Partner-Anchor
 host 10.1.4.77
 description WLC-Trusted_Partner-Anchor
object network WLC_Industrial
 host <Industrial_WLC_Management_IP_Address>
object network RDG
 host 10.1.2.3
object service EOIP_IP_Protocol
 service 97
object service Mobility_Anchor
 service udp destination range 16666 16667
object-group service DM_INLINE_SERVICE_2
 service-object icmp
 service-object object EOIP_IP_Protocol
 service-object object Mobility_Anchor
object-group service DM_INLINE_SERVICE_4
 service-object icmp
 service-object tcp destination eq https
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_2 object WLC-Trusted_Partner-Anchor object WLC_Industrial
access-list DMZ1_access_in extended permit object-group DM_INLINE_SERVICE_4 any object RDG

In this fragment 10.1.4.77 is the trusted partner anchor WLC management address and 10.1.2.3 is the RDG address used in the reference architecture; substitute your own. The object names referenced in the access-list entries must match the object definitions exactly.
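The following is an added example, not Cisco tooling and not part of the original guide: a Python parser for the object, object-group and access-list lines above that expands the named objects into flat entries and then checks that the interface ACL permits the flows a mobility tunnel needs (IP protocol 97 and UDP 16666 and 16667) between the two WLC management addresses. CONFIG is the fragment above with the placeholders filled in; 10.1.4.77 and 10.1.2.3 are the addresses the fragment shows, and 10.13.48.20 is a constructed industrial WLC management address.

```python
"""Expand the ASA object / object-group / access-list fragment into flat
entries and check the mobility-tunnel flows. Added illustration, not Cisco
tooling. CONFIG is the chapter's fragment; 10.13.48.20 is a constructed
industrial WLC management address."""
from typing import Dict, List, Tuple

CONFIG = """
object network WLC-Trusted_Partner-Anchor
 host 10.1.4.77
 description WLC-Trusted_Partner-Anchor
object network WLC_Industrial
 host 10.13.48.20
object network RDG
 host 10.1.2.3
object service EOIP_IP_Protocol
 service 97
object service Mobility_Anchor
 service udp destination range 16666 16667
object-group service DM_INLINE_SERVICE_2
 service-object icmp
 service-object object EOIP_IP_Protocol
 service-object object Mobility_Anchor
object-group service DM_INLINE_SERVICE_4
 service-object icmp
 service-object tcp destination eq https
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_2 object WLC-Trusted_Partner-Anchor object WLC_Industrial
access-list DMZ1_access_in extended permit object-group DM_INLINE_SERVICE_4 any object RDG
"""

PORT_NAMES = {"https": 443, "http": 80}
ANY_PORTS = (0, 65535)
Service = Tuple[str, Tuple[int, int]]                      # (protocol, (low, high))
Entry = Tuple[str, str, str, Tuple[int, int], str, str]    # (acl, action, proto, ports, src, dst)


def _service(tokens: List[str]) -> Service:
    """Parse the words after 'service' or 'service-object'."""
    proto = tokens[0]
    if len(tokens) == 1:                                   # '97', 'icmp', 'ip'
        return proto, ANY_PORTS
    if tokens[1:3] == ["destination", "range"]:
        return proto, (int(tokens[3]), int(tokens[4]))
    if tokens[1:3] == ["destination", "eq"]:
        port = PORT_NAMES.get(tokens[3]) or int(tokens[3])
        return proto, (port, port)
    raise ValueError("unsupported service spec: " + " ".join(tokens))


def _endpoint(t: List[str], i: int, networks: Dict[str, str]) -> Tuple[str, int]:
    """Resolve 'any' / 'object NAME' / 'host ADDR' at position i."""
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "object":
        return networks[t[i + 1]], i + 2
    if t[i] == "host":
        return t[i + 1], i + 2
    raise ValueError("unsupported address spec: " + t[i])


def parse(config: str) -> List[Entry]:
    networks: Dict[str, str] = {}
    services: Dict[str, Service] = {}
    groups: Dict[str, List[Service]] = {}
    entries: List[Entry] = []
    current = ("", "")                                     # (kind, name) being defined
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] in ("object", "object-group"):
            current = (t[0] + " " + t[1], t[2])
            if t[0] == "object-group":
                groups[t[2]] = []
        elif t[0] == "host" and current[0] == "object network":
            networks[current[1]] = t[1]
        elif t[0] == "service" and current[0] == "object service":
            services[current[1]] = _service(t[1:])
        elif t[0] == "service-object" and current[0] == "object-group service":
            groups[current[1]].append(services[t[2]] if t[1] == "object" else _service(t[1:]))
        elif t[0] == "access-list":
            name, action, i = t[1], t[3], 4
            if t[i] == "object-group":
                svcs, i = groups[t[i + 1]], i + 2
            elif t[i] == "object":
                svcs, i = [services[t[i + 1]]], i + 2
            else:
                svcs, i = [(t[i], ANY_PORTS)], i + 1
            src, i = _endpoint(t, i, networks)
            dst, i = _endpoint(t, i, networks)
            entries.extend((name, action, p, ports, src, dst) for p, ports in svcs)
        # description lines and anything unrecognised are ignored
    return entries


def permits(entries: List[Entry], acl: str, proto: str, port, src: str, dst: str) -> bool:
    """Verdict of the first matching entry of `acl` for one flow (False if none)."""
    for name, action, eproto, (lo, hi), esrc, edst in entries:
        if name != acl or eproto != proto:
            continue
        if port is not None and not lo <= port <= hi:
            continue
        if esrc not in ("any", src) or edst not in ("any", dst):
            continue
        return action == "permit"
    return False


def mobility_tunnel_allowed(entries: List[Entry], acl: str, a: str, b: str) -> bool:
    """EoIP plus both mobility UDP ports from a to b on the given interface ACL."""
    return (permits(entries, acl, "97", None, a, b)
            and all(permits(entries, acl, "udp", p, a, b) for p in (16666, 16667)))


ENTRIES = parse(CONFIG)
```

Because the entries are flattened per interface ACL, the check is directional: DMZ_access_in as written permits the tunnel from the anchor toward the industrial WLC only, so run the same check against the ACL on the interface facing the industrial WLC, and against the IDMZ firewall, before expecting the control and data paths to come up.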

Mobility Configuration using GUI

Note Use the old mobility mode (EoIP tunnel), not New Mobility, to anchor the trusted partner traffic.

The following steps describe the mobility configuration on the trusted partner anchor WLC (see Figure 3-40 through Figure 3-42):

Step 1 From Controller > Mobility Management, give Default Mobility Domain Name the same name as that of Industrial WLC.

Step 2 From Controller > Mobility Management > Mobility Groups, click New.


Step 3 Assign IP address, MAC address and group name of the Industrial WLC management Interface.

Note Make sure the mobility ports (UDP 16666 and 16667, and IP protocol 97 for EoIP) are open on the IDMZ and enterprise edge firewalls so that the industrial WLC can anchor traffic to the anchor WLC.

Step 4 From WLAN > Trusted_Partners_WLAN, hover your mouse on the down arrow and click Mobility Anchors.

Step 5 Switch IP address (Anchor) > Local.

Step 6 Click Mobility Anchor Create.

Figure 3-40 Trusted Partner Anchor WLC Mobility Configuration

Figure 3-41 Trusted Partners Anchor WLC Mobility Anchors

Figure 3-42 Trusted Partners Anchor WLC Mobility Anchors Configuration

Mobility Configuration using CLI

To have mobility configuration for trusted partners anchor WLC, refer to Mobility Configuration using CLI, page 3-33. The procedure remains the same.


Corporate Anchor WLC Configuration

This section describes how to configure the corporate anchor WLC. The following configuration steps are covered in this section:

• Interface Configuration

• WLAN Configuration

• ACL Configuration

• Mobility Configuration

Interface Configuration using GUI

Note All controllers within a mobility group must be configured with the similar interface configuration and same WLAN configuration. Otherwise, inter-controller roaming may appear to work, but the hand off does not complete, and the client loses connectivity for a period of time.

The following steps describe the interface configuration on the corporate anchor WLC (see Figure 3-43):

Step 1 From Controller > Interfaces, open the Interfaces page, and then click New.

Step 2 Enter the following parameters:

a. Physical Information > Port number

b. Interface Address > VLAN Identifier, IP address, Netmask, Gateway

c. DHCP information > DHCP proxy mode > Disable

Step 3 Click Apply to commit your changes.


Figure 3-43 Corporate Employee Provisioning Interface Configuration

Interface Configuration using CLI

To have Interface configuration for corporate anchor WLC, refer to Interface Configuration using CLI, page 3-28. The procedure remains the same.

WLAN Configuration using GUI

Refer to WLAN Configuration using GUI, page 3-34 for this configuration steps (see Figure 3-44):

Step 1 Click WLANs to open the WLANs page.

Step 2 Create a new WLAN by clicking Create New and then clicking Go. The WLANs > New page displays.

Step 3 From the Type drop-down list, click WLAN to create a WLAN.

Step 4 Assign Profile Name, SSID name and WLAN ID #.

Note Make sure the WLAN ID # matches the number with Industrial WLC Corporate_Employee_WLAN.

Step 5 Use the parameters on the General, Security and Advanced tabs to configure this WLAN:

a. General > Interface/Interface Group(s) > Select Corporate_Employee_Provisioning > Radio Policy (Optional): All / 802.11 b/g only

b. Security > Layer 2 > Layer 2 Security: WPA+WPA2

c. Security > AAA Servers > Select the PSN node as an authentication server

d. Advanced > Allow AAA Override: Checked > NAC State: Radius NAC


Step 6 Click Apply to commit your changes.

Step 7 Click Save Configuration to save your changes.

Figure 3-44 Corporate Employee SSID Configuration

WLAN Configuration using CLI

To have WLAN configuration for corporate anchor WLC, refer to WLAN Configuration using CLI, page 3-30 section. The procedure remains the same.

ACL Configuration using GUI

The following steps describe the ACL configuration on the corporate anchor WLC (see Figure 3-45):

Step 1 From Security > Access Control Lists > Access Control Lists, click New.

Step 2 Configure the following access lists:

a. Corporate RDG-only Access: To RAS via remote desktop gateway:

– Sequence: 1 > Source: Any > Destination: <RDG_Server_IP_Address> > Protocol: tcp/https > DSCP: Any > Direction: Any > Action: Permit. Then click Apply.

– Sequence: 2 > Source: <RDG_Server_IP_Address> > Destination: Any > Protocol: tcp/https > DSCP: Any > Direction: Any > Action: Permit. Then click Apply.

– Sequence: 3 > Source: Any > Destination: Any > Protocol: Any > DSCP: Any > Direction: Any > Action: Deny. Then click Apply.


Figure 3-45 Corporate Employee ACL Configuration

ACL Configuration using CLI

To have ACL configuration for corporate anchor WLC, refer to ACL Configuration using CLI, page 3-31. The procedure remains the same.

Mobility Configuration using GUI

Note Use the old mobility mode (EoIP tunnel), not New Mobility, to anchor the corporate employee traffic.

The following steps describe the mobility configuration on the corporate anchor WLC (see Figure 3-46 through Figure 3-48):

Step 1 From Controller > Mobility Management, give Default Mobility Domain Name the same name as that of Industrial WLC.

Step 2 From Controller > Mobility Management > Mobility Groups, click New.

Step 3 Assign IP address, MAC address and group name of the Industrial WLC management Interface.

Step 4 From WLAN > Corporate_Employee_WLAN, hover your mouse on the down arrow and then click Mobility Anchors.

Step 5 Switch IP address (Anchor) > Local.

Step 6 Click Mobility Anchor Create.

Note Both Control and Data Path should be up once the mobility tunnel is created.

Figure 3-46 Corporate Employee Anchor WLC Mobility Anchors


Figure 3-47 Corporate Employee Anchor WLC Mobility Anchors Configuration

Figure 3-48 Corporate Employee Anchor WLC Mobility Anchors Control and Data Path

Mobility Configuration using CLI

To have mobility configuration for corporate anchor WLC, refer to Mobility Configuration using CLI, page 3-33. The procedure remains the same.


Chapter 4

Troubleshooting Tips

This chapter includes the following major topics:

• Cisco ISE Troubleshooting Tips, page 4-1

• WLC Troubleshooting Tips, page 4-6

Cisco ISE Troubleshooting Tips

The following section provides high-level troubleshooting information to assist in identifying and resolving problems you may encounter when you use the Cisco Identity Services Engine (ISE).

For more troubleshooting tips, review Monitoring and Troubleshooting at the following URL:

• http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_011001.html

Cisco ISE Processes Check

If the Cisco ISE web pages do not load, log in to the CLI and run the following command to check the state of every Cisco ISE process, both running and disabled:

ISE# show application status ise

ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
Database Listener                      running          13373
Database Server                        running          44 PROCESSES
Application Server                     running          16208
Profiler Database                      running          14334
AD Connector                           running          16616
M&T Session Database                   running          14248
M&T Log Collector                      running          16314
M&T Log Processor                      running          3521
Certificate Authority Service          disabled
pxGrid Infrastructure Service          running          31179
pxGrid Publisher Subscriber Service    running          31420
pxGrid Connection Manager              running          31388
pxGrid Controller                      running          31280
Identity Mapping Service               running          30937
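The following is an added example, not Cisco code and not part of the original guide: a Python parser for the output of show application status ise that returns any required process that is missing or not in the running state, so that this check can be scripted from a monitoring host rather than read by eye. SAMPLE_OUTPUT reproduces the output above as constructed text, and REQUIRED is an assumed set of processes for a single all-in-one node, not a Cisco-published list of mandatory services.

```python
"""Parse 'show application status ise' output and flag processes that are
not running. Added illustration, not Cisco code. SAMPLE_OUTPUT is the
chapter's output as constructed text; REQUIRED is an assumed list for an
all-in-one node."""
import re
from typing import Dict, List, Tuple

SAMPLE_OUTPUT = """\
ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
Database Listener                      running          13373
Database Server                        running          44 PROCESSES
Application Server                     running          16208
Profiler Database                      running          14334
AD Connector                           running          16616
M&T Session Database                   running          14248
M&T Log Collector                      running          16314
M&T Log Processor                      running          3521
Certificate Authority Service          disabled
pxGrid Infrastructure Service          running          31179
pxGrid Publisher Subscriber Service    running          31420
pxGrid Connection Manager              running          31388
pxGrid Controller                      running          31280
Identity Mapping Service               running          30937
"""

# Assumed set of processes that must be running for the use cases in this
# guide on an all-in-one node; which ones matter depends on the node persona.
REQUIRED = {"Database Listener", "Database Server", "Application Server",
            "AD Connector", "M&T Session Database", "M&T Log Collector",
            "M&T Log Processor"}


def parse_status(output: str) -> Dict[str, Tuple[str, str]]:
    """Map process name -> (state, process id) from the command output.
    Columns are separated by runs of two or more spaces, which keeps
    multi-word names and the 'not running' state intact."""
    status: Dict[str, Tuple[str, str]] = {}
    for line in output.splitlines():
        if not line.strip() or line.startswith(("ISE PROCESS NAME", "---")):
            continue
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) < 2:
            continue        # unexpected layout: skip rather than guess
        status[cols[0]] = (cols[1], cols[2] if len(cols) > 2 else "")
    return status


def unhealthy(output: str) -> List[str]:
    """Required processes that are absent from the output or not running."""
    status = parse_status(output)
    return sorted(name for name in REQUIRED
                  if status.get(name, ("missing", ""))[0] != "running")
```

A process that is absent from the output is reported as well as one that is disabled or not running, since a missing line is the usual symptom when a service failed to start at all.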


Test Users for Active Directory Authentication

Test authentication is useful for troubleshooting authentication and authorization issues for end users. You can use the Test User feature to test Active Directory authentications. The test returns the results along with group and attribute details (authorization information) that can be viewed on the Admin Portal. Follow these steps to test users:

Step 1 From Administrator > Identity Management > External Identity Stores > Active Directory > AD2 > Connection, select the Cisco ISE node you want to test.

Step 2 Click the user and then click Test user.

Step 3 Click Write credentials > Test (see Figure 4-49).

Figure 4-49 AD Test User Tool

AD Diagnostic Tool

The Diagnostic Tool allows you to automatically test and diagnose the Active Directory deployment for general connectivity issues. This tool provides information on:

• The Cisco ISE node on which the test is run

• Connectivity to the Active Directory

• Detailed status about the domain

• Detailed status about Cisco ISE-DNS server connectivity

Follow these steps to run a diagnostic report using the Diagnostic Tool:

Step 1 From Administrator > Identity Management > External Identity Stores > Active Directory > AD2 > Connection, select the Cisco ISE node for which you want to test the user.


Step 2 Click Diagnostic Tool > Run All tests (see Figure 4-50).

Figure 4-50 AD Diagnostic Tool

Authentication Errors

One of the most useful ways to troubleshoot any error is to check events on Cisco ISE. Follow these steps to check the GUI report for any user authentication or authorization:

Step 1 From Operations > Authentications, click the magnifying glass.

Step 2 Check for any errors (see Figure 4-51).

Figure 4-51 Cisco ISE Certificate Error


• Reason—If the end client does not have the root CA in its trusted root CA store, it will not trust Cisco ISE during the authentication process, so the client will not be able to join the SSID.

• Solution—Add the root CA certificate to the client's trusted root CA certificate store as part of the user account and retry authenticating the device.

Successful Authentication/Authorization Steps Output

From Operations > Authentications, click the magnifying glass. The following is the output of a successful authentication:

Received RADIUS Access-Request
RADIUS created a new session
Evaluating Policy Group
Evaluating Service Selection Policy
Queried PIP - Network Access.NetworkDeviceName
Queried PIP - Radius.Service-Type
Queried PIP - Radius.NAS-Port-Type
Matched rule - Wireless dot1x AuthC
Extracted EAP-Response/Identity
Prepared EAP-Request proposing EAP-TLS with challenge
Returned RADIUS Access-Challenge
Received RADIUS Access-Request
RADIUS is re-using an existing session
Extracted EAP-Response/NAK requesting to use PEAP instead
Prepared EAP-Request proposing PEAP with challenge
Returned RADIUS Access-Challenge
Received RADIUS Access-Request
RADIUS is re-using an existing session
Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
Successfully negotiated PEAP version 0
Extracted first TLS record; TLS handshake started
Extracted TLS ClientHello message
Prepared TLS ServerHello message
Prepared TLS Certificate message
Prepared TLS ServerDone message
Prepared EAP-Request with another PEAP challenge
Returned RADIUS Access-Challenge
Received RADIUS Access-Request
RADIUS is re-using an existing session
Extracted EAP-Response containing PEAP challenge-response
Prepared EAP-Request with another PEAP challenge
Returned RADIUS Access-Challenge
Received RADIUS Access-Request
RADIUS is re-using an existing session
Extracted EAP-Response containing PEAP challenge-response
Prepared EAP-Request with another PEAP challenge
Returned RADIUS Access-Challenge
Received RADIUS Access-Request
RADIUS is re-using an existing session
Extracted EAP-Response containing PEAP challenge-response
Prepared EAP-Request with another PEAP challenge
Returned RADIUS Access-Challenge
Received RADIUS Access-Request
RADIUS is re-using an existing session
Extracted EAP-Response containing PEAP challenge-response
Prepared EAP-Request with another PEAP challenge
Returned RADIUS Access-Challenge
Received RADIUS Access-Request
RADIUS is re-using an existing session
Extracted EAP-Response containing PEAP challenge-response
Successfully negotiated PEAP version 0
Extracted TLS ClientKeyExchange message


Extracted TLS Finished message
Prepared TLS ChangeCipherSpec message
Prepared TLS Finished message
TLS handshake succeeded
PEAP full handshake finished successfully
Prepared EAP-Request with another PEAP challenge
Returned RADIUS Access-Challenge
Received RADIUS Access-Request
RADIUS is re-using an existing session
Extracted EAP-Response containing PEAP challenge-response
PEAP inner method started
Prepared EAP-Request/Identity for inner EAP method
Prepared EAP-Request with another PEAP challenge
Returned RADIUS Access-Challenge
Received RADIUS Access-Request
RADIUS is re-using an existing session
Extracted EAP-Response containing PEAP challenge-response
Extracted EAP-Response/Identity for inner EAP method
Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
Prepared EAP-Request with another PEAP challenge
Returned RADIUS Access-Challenge
Received RADIUS Access-Request
RADIUS is re-using an existing session
Extracted EAP-Response containing PEAP challenge-response
Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
Evaluating Identity Policy
Queried PIP - Network Access.EapAuthentication
Queried PIP - Network Access.EapTunnel
Matched rule - User_Authentication
Selected identity source sequence - All_Stores_Sequence
Selected Identity Source - AD2
Authenticating user against Active Directory - AD2
Resolving identity - richa_guest_ras
Search for matching accounts at join point - cpwe-ra-cisco.local
Single matching account found in forest - cpwe-ra-cisco.local
Identity resolution detected single matching account
RPC Logon request succeeded - richa_guest_ras@cpwe-ra-cisco.local
User authentication against Active Directory succeeded - AD2
Authentication Passed
EAP-MSCHAP authentication attempt passed
Prepared EAP-Request with another PEAP challenge
Returned RADIUS Access-Challenge
Received RADIUS Access-Request
RADIUS is re-using an existing session
Extracted EAP-Response containing PEAP challenge-response
Extracted EAP-Response for inner method containing MSCHAP challenge-response
Inner EAP-MSCHAP authentication succeeded
Prepared EAP-Success for inner EAP method
PEAP inner method finished successfully
Prepared EAP-Request with another PEAP challenge
Returned RADIUS Access-Challenge
Received RADIUS Access-Request
RADIUS is re-using an existing session
Extracted EAP-Response containing PEAP challenge-response
ISE has not been able to confirm previous successful machine authentication
Evaluating Authorization Policy
Queried PIP - Session.EPSStatus
Queried PIP - Radius.Service-Type
Queried PIP - Radius.NAS-Port-Type
Looking up user in Active Directory - AD2
LDAP fetch succeeded - cpwe-ra-cisco.local
User's Groups retrieval from Active Directory succeeded - AD2
Queried PIP - AD2.ExternalGroups


Queried PIP - Airespace.Airespace-Wlan-Id
Matched rule - Dot1x_wireless - Trusted Partner RAS Only_copy
Selected Authorization Profile - Wireless_Trusted_Partner_RAS_Only_Authz_Profile
PEAP authentication succeeded
Prepared EAP-Success
Returned RADIUS Access-Accept
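The step list above is long and repetitive, and what an operator actually checks in it is a handful of decisions: which EAP method was negotiated, which identity store answered, and which authorization profile was handed out. The following Python example is added here and is not part of the original guide or of Cisco ISE's own tooling. It reduces a pasted step list to those decisions, collects lines worth a second look (such as the machine-authentication line above), and compares the result with what the policy design intends. It goes slightly beyond the single successful trace on the page in that it also reports an Access-Reject or a trace that was cut off before the final result. The step text is a constructed excerpt of the output shown above; the line patterns and warning markers are assumptions derived from that wording, not a documented format.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpt of the step output shown above (a subset of its lines, wording unchanged).
SAMPLE_STEPS = """\
Received RADIUS Access-Request
RADIUS created a new session
Matched rule - Wireless dot1x AuthC
Prepared EAP-Request proposing EAP-TLS with challenge
Extracted EAP-Response/NAK requesting to use PEAP instead
Prepared EAP-Request proposing PEAP with challenge
Successfully negotiated PEAP version 0
TLS handshake succeeded
Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
Matched rule - User_Authentication
Selected identity source sequence - All_Stores_Sequence
Selected Identity Source - AD2
Resolving identity - richa_guest_ras
User authentication against Active Directory succeeded - AD2
ISE has not been able to confirm previous successful machine authentication
Matched rule - Dot1x_wireless - Trusted Partner RAS Only_copy
Selected Authorization Profile - Wireless_Trusted_Partner_RAS_Only_Authz_Profile
PEAP authentication succeeded
Returned RADIUS Access-Accept
"""


@dataclass
class AuthSummary:
    proposed_methods: List[str] = field(default_factory=list)   # outer methods ISE offered
    negotiated_method: Optional[str] = None                     # outer method the client took
    inner_method: Optional[str] = None                          # method inside the PEAP tunnel
    matched_rules: List[str] = field(default_factory=list)      # every "Matched rule" in order
    identity: Optional[str] = None
    identity_source: Optional[str] = None
    authz_profile: Optional[str] = None
    result: str = "incomplete"      # Access-Accept, Access-Reject, or incomplete if cut off
    warnings: List[str] = field(default_factory=list)


# (attribute, pattern): list attributes collect every match, scalar attributes keep the last.
# The patterns are assumptions derived from the wording above, not a documented format.
PATTERNS = [
    ("proposed_methods", re.compile(r"^Prepared EAP-Request proposing (\S+) with challenge$")),
    ("negotiated_method", re.compile(r"^Successfully negotiated (\S+) version \d+$")),
    ("inner_method", re.compile(r"^Prepared EAP-Request for inner method proposing (\S+) with")),
    ("matched_rules", re.compile(r"^Matched rule - (.+)$")),
    ("identity", re.compile(r"^Resolving identity - (\S+)$")),
    ("identity_source", re.compile(r"^Selected Identity Source - (\S+)$")),
    ("authz_profile", re.compile(r"^Selected Authorization Profile - (\S+)$")),
    ("result", re.compile(r"^Returned RADIUS (Access-Accept|Access-Reject)$")),
]
# Phrases worth a second look even when the final result is Access-Accept (assumed list).
WARNING_MARKERS = ("has not been able to", "failed", "rejected", "timed out")


def summarize_steps(text: str) -> AuthSummary:
    """Reduce a pasted ISE step list to the decisions an analyst needs to verify."""
    summary = AuthSummary()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if any(marker in line.lower() for marker in WARNING_MARKERS):
            summary.warnings.append(line)
        for attr, pattern in PATTERNS:
            m = pattern.match(line)
            if m:
                current = getattr(summary, attr)
                if isinstance(current, list):
                    current.append(m.group(1))
                else:
                    setattr(summary, attr, m.group(1))
                break
    return summary


def check_expectations(summary: AuthSummary, expected_source: str,
                       expected_profile: str) -> List[str]:
    """Mismatches between what ISE actually did and what the policy design intends."""
    problems = []
    if summary.identity_source != expected_source:
        problems.append(f"identity source {summary.identity_source}, expected {expected_source}")
    if summary.authz_profile != expected_profile:
        problems.append(f"authorization profile {summary.authz_profile}, expected {expected_profile}")
    if summary.result != "Access-Accept":
        problems.append(f"final result {summary.result}")
    return problems
```

Paste the Steps text from Operations > Authentications into SAMPLE_STEPS (or read it from a file) and call summarize_steps on it; check_expectations is the part to wire into a runbook, since a successful authentication that lands in the wrong authorization profile is a policy error even though ISE reports Access-Accept.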

Diagnostic Tools/TCP Dump

Step 1 Use the tcpdump command in the NAD CLI or from the Administration portal at Operations > Troubleshoot > Diagnostic Tools > General Tools > TCP Dump to verify whether the machine is receiving and forwarding traffic as required for your network.

Step 2 If the TCP dump operation indicates that the Cisco ISE or NAD is working as configured, verify other adjacent network components.

WLC Troubleshooting Tips

The following section provides high-level troubleshooting information to assist in identifying and resolving problems you may encounter when you use the Wireless LAN Controller (WLC).

For more troubleshooting tips, check Cisco Wireless LAN Controller System Message Guide at the following URL:

• http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/message/guide/sysmsg80.html

Mobility (EoIP) Tunnel Status

Check whether the mobility tunnel is up via the GUI.

From WLC > Controller > Mobility Management > Mobility Groups, check the status of the group members, as shown in Figure 4-52.

Figure 4-52 Status of the Group Members

If the status is not up, follow these troubleshooting steps:

Step 1 Check whether the group member information is correct and if the firewall is blocking any control/data ports.

Step 2 To test the mobility UDP control packet communication between two controllers, enter this command:


mping <mobility_peer_IP_address>

Step 3 To test the mobility EoIP data packet communication between two controllers, enter this command:

eping <mobility_peer_IP_address>

DHCP-Related Issue

When the client is either unable to get an IP address or encounters a delay in getting one through DHCP, the DHCP debug on the controller indicates the following:

(Cisco Controller) >debug dhcp packet enable
*DHCP Socket Task: May 27 12:28:34.566: [PA] 20:7c:8f:46:83:84 DHCP processing DHCP NAK (6)

Solution—Activate the DHCP scope for that subnet on the DHCP server.

Caution Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems. Moreover, use debug commands only during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Successful DHCP Process

Following is a debug output of a successful DHCP process:

(Cisco Controller) >debug dhcp packet enable
(Cisco Controller) >
*DHCP Socket Task: May 27 12:27:46.533: [PA] 20:7c:8f:46:83:84 DHCP received op BOOTREQUEST (1) (len 332,vlan 150, port 1, encap 0xec03, xid 0x3a26069b)
*DHCP Socket Task: May 27 12:27:46.533: [PA] 20:7c:8f:46:83:84 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
*DHCP Socket Task: May 27 12:27:46.533: [PA] 20:7c:8f:46:83:84 DHCP processing DHCP REQUEST (3)
*DHCP Socket Task: May 27 12:27:46.533: [PA] 20:7c:8f:46:83:84 DHCP op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: May 27 12:27:46.533: [PA] 20:7c:8f:46:83:84 DHCP xid: 0x3a26069b (975570587), secs: 0, flags: 0
*DHCP Socket Task: May 27 12:27:46.533: [PA] 20:7c:8f:46:83:84 DHCP chaddr: 20:7c:8f:46:83:84
*DHCP Socket Task: May 27 12:27:46.533: [PA] 20:7c:8f:46:83:84 DHCP ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
*DHCP Socket Task: May 27 12:27:46.533: [PA] 20:7c:8f:46:83:84 DHCP siaddr: 0.0.0.0, giaddr: 0.0.0.0
*DHCP Socket Task: May 27 12:27:46.533: [PA] 20:7c:8f:46:83:84 DHCP requested ip: 10.13.181.55
*DHCP Socket Task: May 27 12:27:46.533: [PA] 20:7c:8f:46:83:84 DHCP Opt82 bridge mode insertion enabled, inserts opt82 if opt82 is enabled vlan=181, datalen =18, optlen=88
*DHCP Socket Task: May 27 12:27:46.533: [PA] 20:7c:8f:46:83:84 DHCP successfully bridged packet to DS
*DHCP Socket Task: May 27 12:27:46.538: [PA] 20:7c:8f:46:83:84 DHCP received op BOOTREPLY (2) (len 316,vlan 181, port 1, encap 0xec00, xid 0x3a26069b)
*DHCP Socket Task: May 27 12:27:46.538: [PA] 20:7c:8f:46:83:84 DHCP processing DHCP ACK (5)


*DHCP Socket Task: May 27 12:27:46.538: [PA] 20:7c:8f:46:83:84 DHCP op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: May 27 12:27:46.538: [PA] 20:7c:8f:46:83:84 DHCP xid: 0x3a26069b (975570587), secs: 0, flags: 0
*DHCP Socket Task: May 27 12:27:46.538: [PA] 20:7c:8f:46:83:84 DHCP chaddr: 20:7c:8f:46:83:84
*DHCP Socket Task: May 27 12:27:46.538: [PA] 20:7c:8f:46:83:84 DHCP ciaddr: 0.0.0.0, yiaddr: 10.13.181.55
*DHCP Socket Task: May 27 12:27:46.538: [PA] 20:7c:8f:46:83:84 DHCP siaddr: 0.0.0.0, giaddr: 10.13.181.1
*DHCP Socket Task: May 27 12:27:46.538: [PA] 20:7c:8f:46:83:84 DHCP server id: 10.13.48.26 rcvd server id: 10.13.48.26
*DHCP Socket Task: May 27 12:27:46.539: [PA] 20:7c:8f:46:83:84 DHCP successfully bridged packet to STA
*DHCP Socket Task: May 27 12:27:50.075: [PA] 20:7c:8f:46:83:84 DHCP received op BOOTREQUEST (1) (len 308,vlan 150, port 1, encap 0xec03, xid 0x71ed59a1)
*DHCP Socket Task: May 27 12:27:50.075: [PA] 20:7c:8f:46:83:84 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
*DHCP Socket Task: May 27 12:27:50.075: [PA] 20:7c:8f:46:83:84 DHCP processing DHCP INFORM (8)
*DHCP Socket Task: May 27 12:27:50.075: [PA] 20:7c:8f:46:83:84 DHCP op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: May 27 12:27:50.075: [PA] 20:7c:8f:46:83:84 DHCP xid: 0x71ed59a1 (1911380385), secs: 0, flags: 0
*DHCP Socket Task: May 27 12:27:50.075: [PA] 20:7c:8f:46:83:84 DHCP chaddr: 20:7c:8f:46:83:84
*DHCP Socket Task: May 27 12:27:50.075: [PA] 20:7c:8f:46:83:84 DHCP ciaddr: 10.13.181.55, yiaddr: 0.0.0.0
*DHCP Socket Task: May 27 12:27:50.075: [PA] 20:7c:8f:46:83:84 DHCP siaddr: 0.0.0.0, giaddr: 0.0.0.0
*DHCP Socket Task: May 27 12:27:50.075: [PA] 20:7c:8f:46:83:84 DHCP Opt82 bridge mode insertion enabled, inserts opt82 if opt82 is enabled vlan=181, datalen =18, optlen=64
*DHCP Socket Task: May 27 12:27:50.075: [PA] 20:7c:8f:46:83:84 DHCP successfully bridged packet to DS
*DHCP Socket Task: May 27 12:27:50.096: [PA] 20:7c:8f:46:83:84 DHCP received op BOOTREPLY (2) (len 308,vlan 181, port 1, encap 0xec00, xid 0x71ed59a1)
*DHCP Socket Task: May 27 12:27:50.096: [PA] 20:7c:8f:46:83:84 DHCP processing DHCP ACK (5)
*DHCP Socket Task: May 27 12:27:50.096: [PA] 20:7c:8f:46:83:84 DHCP op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: May 27 12:27:50.096: [PA] 20:7c:8f:46:83:84 DHCP xid: 0x71ed59a1 (1911380385), secs: 0, flags: 0
*DHCP Socket Task: May 27 12:27:50.096: [PA] 20:7c:8f:46:83:84 DHCP chaddr: 20:7c:8f:46:83:84
*DHCP Socket Task: May 27 12:27:50.096: [PA] 20:7c:8f:46:83:84 DHCP ciaddr: 10.13.181.55, yiaddr: 0.0.0.0
*DHCP Socket Task: May 27 12:27:50.096: [PA] 20:7c:8f:46:83:84 DHCP siaddr: 0.0.0.0, giaddr: 10.13.181.1
*DHCP Socket Task: May 27 12:27:50.097: [PA] 20:7c:8f:46:83:84 DHCP server id: 10.13.48.26 rcvd server id: 10.13.48.26
*DHCP Socket Task: May 27 12:27:50.097: [PA] 20:7c:8f:46:83:84 DHCP successfully bridged packet to STA
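Reading a debug dhcp packet trace by eye means matching each BOOTREPLY to the BOOTREQUEST with the same xid and then finding the message type a few lines further down. The following Python example is added here and is not part of the original guide or of Cisco's WLC software. It groups such lines by client MAC and xid, records the request and reply types, the assigned address, the server id and the request-to-reply delay, and classifies each exchange so that a NAK (the symptom described under DHCP-Related Issue) or a missing reply stands out. Its input is a constructed excerpt of the successful trace above plus one constructed REQUEST/NAK exchange; the line format it parses is an assumption based on those lines only.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed input: the REQUEST/ACK and INFORM/ACK exchanges from the successful debug above
# (values unchanged), plus one constructed REQUEST/NAK exchange of the kind shown under
# "DHCP-Related Issue" (its xid 0x0badc0de and its request line are made up).
SAMPLE_DEBUG = """\
*DHCP Socket Task: May 27 12:27:46.533: [PA] 20:7c:8f:46:83:84 DHCP received op BOOTREQUEST (1) (len 332,vlan 150, port 1, encap 0xec03, xid 0x3a26069b)
*DHCP Socket Task: May 27 12:27:46.533: [PA] 20:7c:8f:46:83:84 DHCP processing DHCP REQUEST (3)
*DHCP Socket Task: May 27 12:27:46.538: [PA] 20:7c:8f:46:83:84 DHCP received op BOOTREPLY (2) (len 316,vlan 181, port 1, encap 0xec00, xid 0x3a26069b)
*DHCP Socket Task: May 27 12:27:46.538: [PA] 20:7c:8f:46:83:84 DHCP processing DHCP ACK (5)
*DHCP Socket Task: May 27 12:27:46.538: [PA] 20:7c:8f:46:83:84 DHCP ciaddr: 0.0.0.0, yiaddr: 10.13.181.55
*DHCP Socket Task: May 27 12:27:46.538: [PA] 20:7c:8f:46:83:84 DHCP server id: 10.13.48.26 rcvd server id: 10.13.48.26
*DHCP Socket Task: May 27 12:27:50.075: [PA] 20:7c:8f:46:83:84 DHCP received op BOOTREQUEST (1) (len 308,vlan 150, port 1, encap 0xec03, xid 0x71ed59a1)
*DHCP Socket Task: May 27 12:27:50.075: [PA] 20:7c:8f:46:83:84 DHCP processing DHCP INFORM (8)
*DHCP Socket Task: May 27 12:27:50.096: [PA] 20:7c:8f:46:83:84 DHCP received op BOOTREPLY (2) (len 308,vlan 181, port 1, encap 0xec00, xid 0x71ed59a1)
*DHCP Socket Task: May 27 12:27:50.096: [PA] 20:7c:8f:46:83:84 DHCP processing DHCP ACK (5)
*DHCP Socket Task: May 27 12:28:34.561: [PA] 20:7c:8f:46:83:84 DHCP received op BOOTREQUEST (1) (len 332,vlan 150, port 1, encap 0xec03, xid 0x0badc0de)
*DHCP Socket Task: May 27 12:28:34.561: [PA] 20:7c:8f:46:83:84 DHCP processing DHCP REQUEST (3)
*DHCP Socket Task: May 27 12:28:34.566: [PA] 20:7c:8f:46:83:84 DHCP received op BOOTREPLY (2) (len 300,vlan 181, port 1, encap 0xec00, xid 0x0badc0de)
*DHCP Socket Task: May 27 12:28:34.566: [PA] 20:7c:8f:46:83:84 DHCP processing DHCP NAK (6)
"""

LINE_RE = re.compile(r"^\*DHCP Socket Task: (?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d\.\d+): \[PA\] "
                     r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) DHCP (?P<msg>.*)$")
OP_RE = re.compile(r"^received op (?P<op>BOOTREQUEST|BOOTREPLY) \(\d\) .*xid (?P<xid>0x[0-9a-f]+)\)$")
TYPE_RE = re.compile(r"^processing DHCP (?P<type>[A-Z]+) \(\d\)$")
YIADDR_RE = re.compile(r"yiaddr: (?P<ip>\d+(?:\.\d+){3})")
SERVER_RE = re.compile(r"^server id: (?P<ip>\d+(?:\.\d+){3})")


@dataclass
class Transaction:
    """One DHCP exchange, keyed by client MAC and transaction id (xid)."""
    mac: str
    xid: str
    request_type: Optional[str] = None   # REQUEST, INFORM, DISCOVER, ...
    reply_type: Optional[str] = None     # ACK, NAK, OFFER, ...
    request_time: Optional[datetime] = None
    reply_time: Optional[datetime] = None
    assigned_ip: Optional[str] = None
    server_id: Optional[str] = None

    @property
    def outcome(self) -> str:
        # "nak" is the symptom shown under "DHCP-Related Issue" above
        return {"ACK": "ok", "NAK": "nak", None: "no-reply"}.get(self.reply_type, "other")

    @property
    def delay_ms(self) -> Optional[int]:
        if self.request_time is None or self.reply_time is None:
            return None
        d = self.reply_time - self.request_time
        return d.seconds * 1000 + d.microseconds // 1000


def parse_dhcp_debug(text: str) -> List[Transaction]:
    """Group 'debug dhcp packet enable' lines into per-xid transactions, in first-seen order."""
    txs: Dict[Tuple[str, str], Transaction] = {}
    current: Dict[str, Tuple[Transaction, str]] = {}   # mac -> (transaction, op being parsed)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        mac, msg = m.group("mac"), m.group("msg")
        op = OP_RE.match(msg)
        if op:   # a new packet starts; the following lines for this MAC describe it
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S.%f")
            tx = txs.setdefault((mac, op.group("xid")), Transaction(mac, op.group("xid")))
            if op.group("op") == "BOOTREQUEST":
                tx.request_time = tx.request_time or ts   # keep the time of the first retry
            else:
                tx.reply_time = ts
            current[mac] = (tx, op.group("op"))
            continue
        if mac not in current:
            continue
        tx, op_name = current[mac]
        t = TYPE_RE.match(msg)
        if t:
            setattr(tx, "request_type" if op_name == "BOOTREQU" "EST" else "reply_type", t.group("type"))
        y = YIADDR_RE.search(msg)
        if y and op_name == "BOOTREPLY" and y.group("ip") != "0.0.0.0":
            tx.assigned_ip = y.group("ip")
        srv = SERVER_RE.match(msg)
        if srv:
            tx.server_id = srv.group("ip")
    return list(txs.values())


def report(txs: List[Transaction]) -> List[str]:
    """One summary line per transaction, ready to paste into a ticket."""
    return [f"{t.mac} xid={t.xid} {t.request_type}->{t.reply_type} outcome={t.outcome} "
            f"delay_ms={t.delay_ms} ip={t.assigned_ip} server={t.server_id}" for t in txs]
```

Feed the captured debug text to parse_dhcp_debug and print report on the result; a transaction whose outcome is nak points at the scope problem described above, and one that stays no-reply with no server id points at the path between the controller and the DHCP server rather than at the scope.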

Debug Client

Use debug client to troubleshoot client association and authentication-related issues:

(Cisco Controller) >debug client <Client_MAC_address>


APPENDIX A

References

This appendix includes the following major topics:

• Converged Plantwide Ethernet (CPwE), page A-1

• Cisco Unified Access, page A-2

• RF Design and QoS, page A-2

• Wireless Security, page A-3

Converged Plantwide Ethernet (CPwE)

• Converged Plantwide Ethernet (CPwE) Design and Implementation Guide (CPwE)

– Rockwell Automation site: http://literature.rockwellautomation.com/idc/groups/literature/documents/td/enet-td001_-en-p.pdf

– Cisco site: http://www.cisco.com/c/en/us/td/docs/solutions/Verticals/CPwE/CPwE_DIG.html

• Deploying the Resilient Ethernet Protocol (REP) in a Converged Plantwide Ethernet System (CPwE) Design Guide

– Rockwell Automation site: http://literature.rockwellautomation.com/idc/groups/literature/documents/td/enet-td005_-en-p.pdf

– Cisco site: http://www.cisco.com/c/en/us/td/docs/solutions/Verticals/CPwE/REP/CPwE_REP_DG.html

• Deploying 802.11 Wireless LAN Technology within a Converged Plantwide Ethernet Architecture Design and Implementation Guide

– Rockwell Automation site: http://literature.rockwellautomation.com/idc/groups/literature/documents/td/enet-td006_-en-p.pdf

– Cisco site: http://www.cisco.com/c/en/us/td/docs/solutions/Verticals/CPwE/NovCVD/CPwE_WLAN_CVD.html


• Deploying Network Address Translation within a Converged Plantwide Ethernet Architecture Design and Implementation Guide

– Rockwell Automation site: http://literature.rockwellautomation.com/idc/groups/literature/documents/td/enet-td007_-en-p.pdf

– Cisco site: http://www.cisco.com/c/en/us/td/docs/solutions/Verticals/CPwE/3-5-1/NAT/DIG/CPwE_NAT_CVD.html

Cisco Unified Access

• Cisco Unified Access webpage

http://www.cisco.com/en/US/netsol/ns1187/index.html

• Enterprise Mobility Design Guide

http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob73dg/eMob73.pdf

• The Benefits of Centralization in Wireless LANs

http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6500-series-switches/prod_white_paper0900aecd8040f7b2.pdf

• Outdoor Wireless Network Solution

http://www.cisco.com/en/US/netsol/ns621/index.html

• Cisco Wireless Mesh Access Points Design and Deployment Guide

http://www.cisco.com/c/en/us/td/docs/wireless/technology/mesh/7-6/design/guide/mesh76.html

RF Design and QoS

• Wireless LAN Compliance Status

http://www.cisco.com/go/aironet/compliance

• RF Spectrum Policy: Future-Proof Wireless Investment through Better Compliance

http://www.cisco.com/c/en/us/products/collateral/wireless/spectrum-expert/prod_white_paper0900aecd8073bef9.html

• Design Zone for Mobility - High Density Wireless

http://www.cisco.com/c/en/us/solutions/enterprise/design-zone-mobility/density_wireless.html

• Enterprise Mobility 7.3 Design Guide

http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Mobility/emob73dg/emob73.html

• Cisco Aironet 1600/2600/3600 Series Access Point Deployment Guide

http://www.cisco.com/c/en/us/td/docs/wireless/technology/apdeploy/Cisco_Aironet.html

• Antenna Product Portfolio for Cisco Aironet 802.11n Access Points

http://www.cisco.com/en/US/prod/collateral/wireless/ps7183/ps469/at_a_glance_c45-513837.pdf

• Cisco Aironet Antennas and Accessories Reference Guide

http://www.cisco.com/en/US/prod/collateral/wireless/ps7183/ps469/product_data_sheet09186a008008883b.pdf


• Antenna Patterns and Their Meaning

http://www.cisco.com/en/US/prod/collateral/wireless/ps7183/ps469/prod_white_paper0900aecd806a1a3e.pdf

• Antenna Cabling

http://www.cisco.com/image/gif/paws/27222/antcable.pdf

• Site Survey Guidelines for WLAN Deployment

http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/116057-site-survey-guidelines-wlan-00.html

• Site Survey and RF Design Validation

http://www.cisco.com/en/US/docs/wireless/technology/vowlan/troubleshooting/8_Site_Survey_RF_Design_Valid.pdf

• Cisco Unified Wireless QoS

http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Mobility/emob73dg/emob73/ch5_QoS.html

Wireless Security

• Cisco Unified Wireless Network Architecture - Base Security Features

http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Mobility/emob73dg/emob73/ch4_Secu.html

• Design Zone for Mobility - Wireless Security

http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns820/landing_sec_wireless.html


APPENDIX B

Configuration Examples

This appendix includes the following major topics:

• Example: Industrial WLC Configuration, page B-1

• Example: Corporate Anchor WLC Configuration, page B-14

• Example: Trusted Partner Anchor WLC Configuration, page B-19

• Example: IES Access Switch Configuration, page B-24

This section contains examples of the configurations that have been used in the testing of the wired and wireless architecture. Note the following:

• The configurations are provided for reference only and must not be used "as is" without adapting for a particular design and topology.

• Future software releases may change some of the commands shown in the configurations.

• Many commands are factory default and do not have to be configured during the initial setup.

Example: Industrial WLC Configuration

This example shows an Industrial WLC configuration.

(Cisco Controller) >show run-config commands
redundancy mode SSO
802.11a 11nSupport a-mpdu tx priority 6 enable
802.11a 11nSupport a-mpdu tx priority 7 enable
802.11a 11nSupport a-mpdu tx scheduler enable
802.11a 11nSupport a-mpdu tx scheduler timeout rt 10
802.11a 11nSupport disable
802.11a beacon range 0
802.11a rx-sop threshold auto default
802.11a cca threshold 0 default
802.11a multicast buffer 0
802.11a multicast data-rate 0 default
802.11a cac voice max-bandwidth 40
802.11a cac video max-bandwidth 40
802.11a cac voice roam-bandwidth 15
802.11a cac video roam-bandwidth 15
802.11a channel global off
802.11a rssi-check enable
802.11a max-clients 200


802.11a rate disabled 9
802.11a rate disabled 18
802.11a rate disabled 36
802.11a rate disabled 48
802.11a txPower global 1
802.11a cleanair device enable radar
802.11a dfs-peakdetect enable
802.11b 11nSupport a-mpdu tx scheduler enable
802.11b 11nSupport a-mpdu tx scheduler timeout rt 10
802.11b 11gSupport disable
802.11b beacon range 0
802.11b rx-sop threshold auto default
802.11b cca threshold 0 default
802.11b multicast buffer 0
802.11b multicast data-rate 0 default
802.11b cac video cac-method static
802.11b channel global off
802.11b max-clients 200
802.11b txPower global 1
aaa auth mgmt local radius
flexconnect fallback-radio-shut disable
acl create ACL_Full_Access
acl create ACL_RDG_Only
acl create ACL_Partial_Access
acl create ACL_RAS_Only
acl create bla
acl apply ACL_Full_Access
acl apply ACL_RDG_Only
acl apply ACL_Partial_Access
acl apply ACL_RAS_Only
acl apply bla
acl counter start
acl rule add ACL_Full_Access 1
acl rule add ACL_RDG_Only 1
acl rule add ACL_RDG_Only 2
acl rule add ACL_RDG_Only 3
acl rule add ACL_Partial_Access 1
acl rule add ACL_Partial_Access 2
acl rule add ACL_Partial_Access 3
acl rule add ACL_RAS_Only 1
acl rule add ACL_RAS_Only 2
acl rule add ACL_RAS_Only 3
acl rule add bla 1
acl rule action ACL_Full_Access 1 permit
acl rule action ACL_RDG_Only 1 permit
acl rule action ACL_RDG_Only 2 permit
acl rule action ACL_RDG_Only 3 deny
acl rule action ACL_Partial_Access 1 permit
acl rule action ACL_Partial_Access 2 permit
acl rule action ACL_Partial_Access 3 deny
acl rule action ACL_RAS_Only 1 permit
acl rule action ACL_RAS_Only 2 permit
acl rule action ACL_RAS_Only 3 deny
acl rule action bla 1 permit
acl rule destination address ACL_Full_Access 1 0.0.0.0 0.0.0.0
acl rule destination address ACL_RDG_Only 1 10.1.2.3 255.255.255.255
acl rule destination address ACL_RDG_Only 2 0.0.0.0 0.0.0.0
acl rule destination address ACL_RDG_Only 3 0.0.0.0 0.0.0.0
acl rule destination address ACL_Partial_Access 1 10.17.10.0 255.255.255.0
acl rule destination address ACL_Partial_Access 2 0.0.0.0 0.0.0.0
acl rule destination address ACL_Partial_Access 3 0.0.0.0 0.0.0.0
acl rule destination address ACL_RAS_Only 1 10.13.48.28 255.255.255.255
acl rule destination address ACL_RAS_Only 2 0.0.0.0 0.0.0.0


acl rule destination address ACL_RAS_Only 3 0.0.0.0 0.0.0.0
acl rule destination port range ACL_Full_Access 1 0 65535
acl rule destination port range ACL_RDG_Only 1 443 443
acl rule destination port range ACL_RDG_Only 2 0 65535
acl rule destination port range ACL_RDG_Only 3 0 65535
acl rule destination port range ACL_Partial_Access 1 0 65535
acl rule destination port range ACL_Partial_Access 2 0 65535
acl rule destination port range ACL_Partial_Access 3 0 65535
acl rule destination port range ACL_RAS_Only 1 0 65535
acl rule destination port range ACL_RAS_Only 2 0 65535
acl rule destination port range ACL_RAS_Only 3 0 65535
acl rule destination port range bla 1 0 65535
acl rule source address ACL_Full_Access 1 0.0.0.0 0.0.0.0
acl rule source address ACL_RDG_Only 1 0.0.0.0 0.0.0.0
acl rule source address ACL_RDG_Only 2 10.1.2.3 255.255.255.255
acl rule source address ACL_RDG_Only 3 0.0.0.0 0.0.0.0
acl rule source address ACL_Partial_Access 1 0.0.0.0 0.0.0.0
acl rule source address ACL_Partial_Access 2 10.17.10.0 255.255.255.0
acl rule source address ACL_Partial_Access 3 0.0.0.0 0.0.0.0
acl rule source address ACL_RAS_Only 1 0.0.0.0 0.0.0.0
acl rule source address ACL_RAS_Only 2 10.13.48.28 255.255.255.255
acl rule source address ACL_RAS_Only 3 0.0.0.0 0.0.0.0
acl rule source port range ACL_Full_Access 1 0 65535
acl rule source port range ACL_RDG_Only 1 0 65535
acl rule source port range ACL_RDG_Only 2 443 443
acl rule source port range ACL_RDG_Only 3 0 65535
acl rule source port range ACL_Partial_Access 1 0 65535
acl rule source port range ACL_Partial_Access 2 0 65535
acl rule source port range ACL_Partial_Access 3 0 65535
acl rule source port range ACL_RAS_Only 1 0 65535
acl rule source port range ACL_RAS_Only 2 0 65535
acl rule source port range ACL_RAS_Only 3 0 65535
acl rule direction ACL_Full_Access 1 Any
acl rule direction ACL_RDG_Only 1 In
acl rule direction ACL_RDG_Only 2 Out
acl rule direction ACL_RDG_Only 3 Any
acl rule direction ACL_Partial_Access 1 In
acl rule direction ACL_Partial_Access 2 Out
acl rule direction ACL_Partial_Access 3 Any
acl rule direction ACL_RAS_Only 1 Any
acl rule direction ACL_RAS_Only 2 Any
acl rule direction ACL_RAS_Only 3 Any
acl rule dscp ACL_Full_Access 1 Any
acl rule dscp ACL_RDG_Only 1 Any
acl rule dscp ACL_RDG_Only 2 Any
acl rule dscp ACL_RDG_Only 3 Any
acl rule dscp ACL_Partial_Access 1 Any
acl rule dscp ACL_Partial_Access 2 Any
acl rule dscp ACL_Partial_Access 3 Any
acl rule dscp ACL_RAS_Only 1 Any
acl rule dscp ACL_RAS_Only 2 Any
acl rule dscp ACL_RAS_Only 3 Any
acl rule protocol ACL_Full_Access 1 Any
acl rule protocol ACL_RDG_Only 1 6
acl rule protocol ACL_RDG_Only 2 6
acl rule protocol ACL_RDG_Only 3 Any
acl rule protocol ACL_Partial_Access 1 Any
acl rule protocol ACL_Partial_Access 2 Any
acl rule protocol ACL_Partial_Access 3 Any
acl rule protocol ACL_RAS_Only 1 Any
acl rule protocol ACL_RAS_Only 2 Any
acl rule protocol ACL_RAS_Only 3 Any
acl apply ACL_Full_Access
acl apply ACL_RDG_Only


acl apply ACL_Partial_Access
acl apply ACL_RAS_Only
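The show run-config commands output above spreads every ACL rule over seven or more separate acl rule commands, so reviewing what an ACL really permits is error-prone. The following Python example is added here and is not part of the original guide or of Cisco's WLC software. It folds such a dump back into per-ACL rule tables, renders one line per rule in index order, and lists the rules that permit every host, port and protocol, which on an ACL meant to restrict access should each have a documented reason. The sample input is a constructed excerpt of the ACL_Full_Access and ACL_RDG_Only commands shown above; the command grammar it parses is an assumption based only on those lines.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed excerpt of the "acl rule" commands in the configuration above (values unchanged).
SAMPLE_CONFIG = """\
acl rule action ACL_Full_Access 1 permit
acl rule action ACL_RDG_Only 1 permit
acl rule action ACL_RDG_Only 2 permit
acl rule action ACL_RDG_Only 3 deny
acl rule destination address ACL_Full_Access 1 0.0.0.0 0.0.0.0
acl rule destination address ACL_RDG_Only 1 10.1.2.3 255.255.255.255
acl rule destination address ACL_RDG_Only 2 0.0.0.0 0.0.0.0
acl rule destination address ACL_RDG_Only 3 0.0.0.0 0.0.0.0
acl rule destination port range ACL_Full_Access 1 0 65535
acl rule destination port range ACL_RDG_Only 1 443 443
acl rule destination port range ACL_RDG_Only 2 0 65535
acl rule destination port range ACL_RDG_Only 3 0 65535
acl rule source address ACL_Full_Access 1 0.0.0.0 0.0.0.0
acl rule source address ACL_RDG_Only 1 0.0.0.0 0.0.0.0
acl rule source address ACL_RDG_Only 2 10.1.2.3 255.255.255.255
acl rule source address ACL_RDG_Only 3 0.0.0.0 0.0.0.0
acl rule source port range ACL_Full_Access 1 0 65535
acl rule source port range ACL_RDG_Only 1 0 65535
acl rule source port range ACL_RDG_Only 2 443 443
acl rule source port range ACL_RDG_Only 3 0 65535
acl rule direction ACL_Full_Access 1 Any
acl rule direction ACL_RDG_Only 1 In
acl rule direction ACL_RDG_Only 2 Out
acl rule direction ACL_RDG_Only 3 Any
acl rule protocol ACL_Full_Access 1 Any
acl rule protocol ACL_RDG_Only 1 6
acl rule protocol ACL_RDG_Only 2 6
acl rule protocol ACL_RDG_Only 3 Any
"""

ANY_ADDR = ("0.0.0.0", "0.0.0.0")   # WLC "address mask" pair meaning any host
ALL_PORTS = (0, 65535)


@dataclass
class AclRule:
    index: int
    action: str = "unset"
    source: Tuple[str, str] = ANY_ADDR
    destination: Tuple[str, str] = ANY_ADDR
    source_ports: Tuple[int, int] = ALL_PORTS
    destination_ports: Tuple[int, int] = ALL_PORTS
    direction: str = "Any"
    protocol: str = "Any"          # IP protocol number, or Any

    def is_permit_all(self) -> bool:
        """True when the rule permits every host, port and protocol in both directions."""
        return (self.action == "permit" and self.source == ANY_ADDR and self.destination == ANY_ADDR
                and self.source_ports == ALL_PORTS and self.destination_ports == ALL_PORTS
                and self.protocol == "Any" and self.direction == "Any")


RULE_RE = re.compile(r"^acl rule (?P<field>action|destination address|source address|"
                     r"destination port range|source port range|direction|protocol) "
                     r"(?P<acl>\S+) (?P<idx>\d+) (?P<args>.+)$")
# How each command fills in the rule; the grammar is an assumption based only on the lines above.
SETTERS = {
    "action": lambda r, a: setattr(r, "action", a[0]),
    "source address": lambda r, a: setattr(r, "source", (a[0], a[1])),
    "destination address": lambda r, a: setattr(r, "destination", (a[0], a[1])),
    "source port range": lambda r, a: setattr(r, "source_ports", (int(a[0]), int(a[1]))),
    "destination port range": lambda r, a: setattr(r, "destination_ports", (int(a[0]), int(a[1]))),
    "direction": lambda r, a: setattr(r, "direction", a[0]),
    "protocol": lambda r, a: setattr(r, "protocol", a[0]),
}


def parse_wlc_acls(text: str) -> Dict[str, Dict[int, AclRule]]:
    """Fold the one-attribute-per-command dump back into per-ACL rule tables."""
    acls: Dict[str, Dict[int, AclRule]] = {}
    for raw in text.splitlines():
        m = RULE_RE.match(raw.strip())
        if not m:
            continue            # "acl create", "acl apply", dscp and anything else are ignored here
        idx = int(m.group("idx"))
        rule = acls.setdefault(m.group("acl"), {}).setdefault(idx, AclRule(idx))
        SETTERS[m.group("field")](rule, m.group("args").split())
    return acls


def audit_permit_all(acls: Dict[str, Dict[int, AclRule]]) -> List[Tuple[str, int]]:
    """Rules that permit everything; on an ACL meant to restrict access each one needs a justification."""
    return [(name, idx) for name, rules in acls.items()
            for idx, rule in sorted(rules.items()) if rule.is_permit_all()]


def render(acls: Dict[str, Dict[int, AclRule]]) -> List[str]:
    """One readable line per rule, in index order."""
    return [f"{name} #{idx} {r.action} dir={r.direction} proto={r.protocol} "
            f"src={r.source[0]}/{r.source[1]} ports {r.source_ports[0]}-{r.source_ports[1]} "
            f"dst={r.destination[0]}/{r.destination[1]} ports {r.destination_ports[0]}-{r.destination_ports[1]}"
            for name, rules in acls.items() for idx, r in sorted(rules.items())]
```

Run parse_wlc_acls over the acl section of a saved show run-config commands capture, print render for the review record, and treat every entry returned by audit_permit_all as a finding to confirm against the design: on the sample above it reports ACL_Full_Access rule 1, which is what that ACL is named for, while the ACL_RDG_Only rules reduce to one TCP/443 host in each direction followed by a deny of everything else.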

advanced 802.11a channel dca interval 0
advanced 802.11a channel dca startup-interval 0
advanced 802.11a channel dca anchor-time 0
advanced 802.11a channel dca chan-width 20
advanced 802.11a channel dca sensitivity 15
advanced 802.11a channel dca min-metric -95
advanced 802.11a channel delete 20
advanced 802.11a channel delete 26
advanced 802.11a group-mode off
advanced 802.11a reporting neighbor 180
advanced 802.11a reporting interference 120

advanced 802.11b channel dca interval 0
advanced 802.11b channel dca startup-interval 0
advanced 802.11b channel dca anchor-time 0
advanced 802.11b channel dca sensitivity 10
advanced 802.11b channel dca min-metric -95
advanced 802.11b reporting neighbor 180
advanced 802.11b reporting interference 120

location info rogue extended
location rssi-half-life tags 0
location rssi-half-life client 0
location rssi-half-life rogue-aps 0
location expiry tags 5
location expiry client 5
location expiry calibrating-client 5
location expiry rogue-aps 5

advanced timers ap-heartbeat-timeout 10
advanced timers ap-fast-heartbeat flexconnect enable 1

advanced backup-controller primary
advanced backup-controller secondary
advanced backup-controller
advanced backup-controller
advanced sip-snooping-ports 0 0

avc profile PAC_IO_SAFETY create
advanced eap bcast-key-interval 3600
advanced 802.11-abgn pak-rssi-location threshold -100
advanced 802.11-abgn pak-rssi-location trigger-threshold 10
advanced 802.11-abgn pak-rssi-location reset-threshold 8
advanced 802.11-abgn pak-rssi-location ntp 10.13.15.254
advanced 802.11-abgn pak-rssi-location timeout 3
advanced hotspot cmbk-delay 50

ap syslog host global ::
ap dtls-cipher-suite RSA-AES128-SHA
auth-list ap-policy ssc enable
auth-list add mic 3c:08:f6:20:d2:17
auth-list add mic 3c:08:f6:a2:d3:b0
auth-list add mic 3c:08:f6:b2:8d:d6
auth-list add mic 3c:08:f6:b2:98:e4
auth-list add mic 78:da:6e:42:9c:2e
auth-list add mic a8:0c:0d:be:a6:7e

cdp advertise-v2 enable
cts sxp disable
cts sxp connection default password ****
cts sxp retry period 120


cts sxp sxpversion 2
database size 2048

dhcp opt-82 remote-id ap-mac

flexconnect acl create ACL_Provisioning_Redirect
flexconnect acl apply ACL_Provisioning_Redirect
flexconnect acl rule add ACL_Provisioning_Redirect 1
flexconnect acl rule add ACL_Provisioning_Redirect 2
flexconnect acl rule add ACL_Provisioning_Redirect 3
flexconnect acl rule add ACL_Provisioning_Redirect 4
flexconnect acl rule add ACL_Provisioning_Redirect 5
flexconnect acl rule action ACL_Provisioning_Redirect 1 permit
flexconnect acl rule action ACL_Provisioning_Redirect 2 permit
flexconnect acl rule action ACL_Provisioning_Redirect 3 permit
flexconnect acl rule action ACL_Provisioning_Redirect 4 permit
flexconnect acl rule action ACL_Provisioning_Redirect 5 deny
flexconnect acl rule destination address ACL_Provisioning_Redirect 1 10.13.48.26 255.255.255.255
flexconnect acl rule destination address ACL_Provisioning_Redirect 2 0.0.0.0 0.0.0.0
flexconnect acl rule destination address ACL_Provisioning_Redirect 3 10.13.48.32 255.255.255.255
flexconnect acl rule destination address ACL_Provisioning_Redirect 4 0.0.0.0 0.0.0.0
flexconnect acl rule destination address ACL_Provisioning_Redirect 5 0.0.0.0 0.0.0.0
flexconnect acl rule destination port range ACL_Provisioning_Redirect 1 0 65535
flexconnect acl rule destination port range ACL_Provisioning_Redirect 2 0 65535
flexconnect acl rule destination port range ACL_Provisioning_Redirect 3 0 65535
flexconnect acl rule destination port range ACL_Provisioning_Redirect 4 0 65535
flexconnect acl rule destination port range ACL_Provisioning_Redirect 5 0 65535
flexconnect acl rule source address ACL_Provisioning_Redirect 1 0.0.0.0 0.0.0.0
flexconnect acl rule source address ACL_Provisioning_Redirect 2 10.13.48.26 255.255.255.255
flexconnect acl rule source address ACL_Provisioning_Redirect 3 0.0.0.0 0.0.0.0
flexconnect acl rule source address ACL_Provisioning_Redirect 4 10.13.48.32 255.255.255.255
flexconnect acl rule source address ACL_Provisioning_Redirect 5 0.0.0.0 0.0.0.0
flexconnect acl rule source port range ACL_Provisioning_Redirect 1 0 65535
flexconnect acl rule source port range ACL_Provisioning_Redirect 2 0 65535
flexconnect acl rule source port range ACL_Provisioning_Redirect 3 0 65535
flexconnect acl rule source port range ACL_Provisioning_Redirect 4 0 65535
flexconnect acl rule source port range ACL_Provisioning_Redirect 5 0 65535
flexconnect acl rule dscp ACL_Provisioning_Redirect 1 Any
flexconnect acl rule dscp ACL_Provisioning_Redirect 2 Any
flexconnect acl rule dscp ACL_Provisioning_Redirect 3 Any
flexconnect acl rule dscp ACL_Provisioning_Redirect 4 Any
flexconnect acl rule dscp ACL_Provisioning_Redirect 5 Any
flexconnect acl rule protocol ACL_Provisioning_Redirect 1 Any
flexconnect acl rule protocol ACL_Provisioning_Redirect 2 Any
flexconnect acl rule protocol ACL_Provisioning_Redirect 3 Any
flexconnect acl rule protocol ACL_Provisioning_Redirect 4 Any
flexconnect acl rule protocol ACL_Provisioning_Redirect 5 Any
flexconnect group FastRoam_CCKM_Flex_Ring add
flexconnect group FastRoam_CCKM_Flex_Ring ap add 3c:08:f6:20:d2:17
flexconnect group FastRoam_CCKM_Flex_Ring radius ap server-key <hidden>
flexconnect group FastRoam_CCKM_Flex_Ring radius ap authority id 436973636f0000000000000000000000
flexconnect group FastRoam_CCKM_Flex_Ring radius ap authority info Cisco A_ID
flexconnect group FastRoam_CCKM_Flex_Star add
flexconnect group FastRoam_CCKM_Flex_Star radius ap server-key <hidden>
flexconnect group FastRoam_CCKM_Flex_Star radius ap authority id 436973636f0000000000000000000000
flexconnect group FastRoam_CCKM_Flex_Star radius ap authority info Cisco A_ID
flexconnect group Industrial_FlexConnect_Group add
flexconnect group Industrial_FlexConnect_Group radius ap server-key <hidden>

B-5Deploying Identity Services within a Converged Plantwide Ethernet Architecture

ENET-TD008A-EN-P

Page 84: Deploying Identity Services within a Converged Plantwide Ethernet ...

Appendix B Configuration Examples

Example: Industrial WLC Configuration

flexconnect group Industrial_FlexConnect_Group radius ap authority id 436973636f0000000000000000000000
flexconnect group Industrial_FlexConnect_Group radius ap authority info Cisco A_ID
flexconnect group Industrial_FlexConnect_Group policy acl add ACL_Provisioning_Redirect
local-auth eap-profile add CPwE350-EAP-FAST
local-auth eap-profile add CPwE350-EAP-TLS
local-auth eap-profile cert-issuer cisco CPwE350-EAP-FAST
local-auth eap-profile cert-issuer vendor CPwE350-EAP-TLS
local-auth eap-profile method add fast CPwE350-EAP-FAST
local-auth eap-profile method add tls CPwE350-EAP-TLS
local-auth eap-profile method fast client-cert enable CPwE350-EAP-TLS
local-auth eap-profile method fast local-cert enable CPwE350-EAP-TLS
local-auth method fast server-key ****
local-auth eap-profile cert-verify ca-issuer disable CPwE350-EAP-FAST
local-auth eap-profile cert-verify date-valid disable CPwE350-EAP-FAST

interface create corporate_employee_provisioning 182
interface create industrial_employee_provisionin 181
interface create trusted_partners_provisioning 183
interface create wgb-roam-client 250
interface address dynamic-interface corporate_employee_provisioning 10.1.182.251 255.255.255.0 10.1.182.1
interface address dynamic-interface industrial_employee_provisionin 10.13.181.251 255.255.255.0 10.13.181.1
interface address management 10.13.50.251 255.255.255.0 10.13.50.1
interface address service-port 192.168.254.83 255.255.255.0
interface address dynamic-interface trusted_partners_provisioning 10.1.183.251 255.255.255.0 10.1.183.1
interface address virtual 1.1.1.1
interface address dynamic-interface wgb-roam-client 10.17.250.251 255.255.255.0 10.17.250.1
interface address redundancy-management 10.13.50.253 peer-redundancy-management 10.13.50.252
interface dhcp management primary 10.13.48.26
interface dhcp dynamic-interface wgb-roam-client primary 10.13.48.26
interface vlan corporate_employee_provisioning 182
interface vlan industrial_employee_provisionin 181
interface vlan management 150
interface vlan trusted_partners_provisioning 183
interface vlan wgb-roam-client 250
interface nasid corporate_employee_provisioning
interface nasid industrial_employee_provisionin
interface nasid trusted_partners_provisioning
interface nasid wgb-roam-client
interface port corporate_employee_provisioning 1
interface port industrial_employee_provisionin 1
interface port management 1
interface port trusted_partners_provisioning 1
interface port wgb-roam-client 1
mdns snooping disable
mdns policy service-group create default-mdns-policy default-mdns-policy
mdns policy service-group user-role add default-mdns-policy admin
mdns profile create default-mdns-profile
mdns service create AirPrint _ipp._tcp.local. origin All LSS disable query enable
mdns service create AirTunes _raop._tcp.local. origin All LSS disable query enable
mdns service create AppleTV _airplay._tcp.local. origin All LSS disable query enable
mdns service create HP_Photosmart_Printer_1 _universal._sub._ipp._tcp.local. origin All LSS disable query enable


mdns service create HP_Photosmart_Printer_2 _cups._sub._ipp._tcp.local. origin All LSS disable query enable
mdns service create Printer _printer._tcp.local. origin All LSS disable query enable
mdns profile service add default-mdns-profile AirPrint
mdns profile service add default-mdns-profile AirTunes
mdns profile service add default-mdns-profile AppleTV
mdns profile service add default-mdns-profile HP_Photosmart_Printer_1
mdns profile service add default-mdns-profile HP_Photosmart_Printer_2
mdns profile service add default-mdns-profile Printer
mdns query interval 15
wlan mdns disable 1
wlan mdns disable 2
wlan mdns enable 3
wlan mdns enable 4
wlan mdns enable 6
wlan mdns disable 7
wlan mdns enable 11
wlan mdns profile 3 default-mdns-profile
wlan mdns profile 4 default-mdns-profile
wlan mdns profile 6 default-mdns-profile
wlan mdns profile 11 default-mdns-profile
ipv6 ra-guard ap enable
ipv6 capwap udplite enable all
ipv6 multicast mode unicast
load-balancing aggressive enable
load-balancing window 5
wlan apgroup add CPwE350-Flex-Ring01 FlexRing01
wlan apgroup add CPwE350-Flex-Star01 FlexStar01
wlan apgroup add CPwE350-Roam-central "For roaming clients"
wlan apgroup add default-group
wlan apgroup qinq tagging eap-sim-aka default-group enable
wlan apgroup interface-mapping add CPwE350-Flex-Ring01 1 management
wlan apgroup interface-mapping add CPwE350-Flex-Ring01 7 industrial_employee_provisionin
wlan apgroup interface-mapping add CPwE350-Flex-Ring01 6 corporate_employee_provisioning
wlan apgroup interface-mapping add CPwE350-Flex-Ring01 4 trusted_partners_provisioning
wlan apgroup interface-mapping add CPwE350-Flex-Star01 2 management
wlan apgroup interface-mapping add CPwE350-Roam-central 3 wgb-roam-client
wlan apgroup interface-mapping add default-group 1 management
wlan apgroup interface-mapping add default-group 2 management
wlan apgroup interface-mapping add default-group 3 wgb-roam-client
wlan apgroup interface-mapping add default-group 4 trusted_partners_provisioning
wlan apgroup interface-mapping add default-group 6 corporate_employee_provisioning
wlan apgroup interface-mapping add default-group 7 industrial_employee_provisionin
wlan apgroup nac-snmp disable CPwE350-Flex-Ring01 1
wlan apgroup nac-snmp disable CPwE350-Flex-Ring01 7
wlan apgroup nac-snmp disable CPwE350-Flex-Ring01 6
wlan apgroup nac-snmp disable CPwE350-Flex-Ring01 4
wlan apgroup nac-snmp disable CPwE350-Flex-Star01 2
wlan apgroup nac-snmp disable CPwE350-Roam-central 3
wlan apgroup nac-snmp disable default-group 1
wlan apgroup nac-snmp disable default-group 2
wlan apgroup nac-snmp disable default-group 3
wlan apgroup nac-snmp disable default-group 4
wlan apgroup nac-snmp disable default-group 6
wlan apgroup nac-snmp disable default-group 7


wlan apgroup nac-snmp disable default-group 11
memory monitor errors enable
memory monitor leak thresholds 10000 30000
Outdoor Mesh Ext.UNII B Domain channels: Disable
mesh security rad-mac-filter disable
mesh security rad-mac-filter disable
mesh security eap
mesh lsc advanced ap-provision open-window enable
mgmtuser add admin **** read-write
mobility group domain CPwE351
mobility group member add 30:f7:0d:31:36:40 10.1.3.78 CPwE351
mobility group member add 6c:41:6a:5f:0e:a0 10.1.4.77 CPwE351
mobility group anchor add wlan 4
mobility group anchor add wlan 4 10.1.4.77
mobility group anchor add wlan 6
mobility group anchor add wlan 6 10.1.3.78
mobility dscp 0
netuser add AP2602-R-WGB05 **** wlan 0 userType permanent description
netuser wlan-id AP2602-R-WGB05 0
netuser guest-role create PAC_IO_SAFETY
network multicast igmp snooping enable
network multicast mld snooping enable
network ap-priority disabled
network web-auth captive-bypass enable
network fast-ssid-change enable
network rf-network-name CPwE351
network secureweb cipher-option rc4-preference disable
network client-ip-conflict-detection disable
qos protocol-type bronze dot1p
qos protocol-type silver dot1p
qos protocol-type gold dot1p
qos protocol-type platinum dot1p
qos priority bronze background background background
qos priority gold video video video
qos priority platinum voice voice voice
qos priority silver besteffort besteffort besteffort
qos dot1p-tag silver 0
qos dot1p-tag gold 4
qos dot1p-tag platinum 5
radius auth add 1 10.13.48.40 1812 ascii ****
radius auth add 2 10.13.48.32 1812 ascii ****
radius callStationIdType macaddr
radius auth callStationIdType ap-macaddr-ssid
radius auth network 1 disable
radius auth management 1 disable
radius fallback-test mode off
radius fallback-test username cisco-probe
radius fallback-test interval 300
radius dns disable
radius dns auth network disable
radius dns auth management disable
radius dns acct network disable
radius dns auth rfc3576 disable
tacacs dns disable


rogue detection report-interval 10
rogue detection min-rssi -128
rogue detection transient-rogue-interval 0
rogue detection client-threshold 0
rogue detection security-level custom
rogue ap aaa-auth disable
rogue ap aaa-auth polling-interval 0
rogue ap ssid alarm
rogue ap valid-client alarm
rogue adhoc enable
rogue adhoc alert
rogue ap rldp disable
rogue auto-contain level 1
rogue containment flex-connect disable
rogue containment auto-rate disable
serial timeout 0
sessions timeout 0
snmp version v2c enable
snmp version v3 enable
snmp snmpEngineId 0000376300004000fb320d0a
snmp community ipsec ike auth-mode pre-shared-key ****
switchconfig strong-pwd case-check enabled
switchconfig strong-pwd consecutive-check enabled
switchconfig strong-pwd default-check enabled
switchconfig strong-pwd username-check enabled
switchconfig strong-pwd position-check disabled
switchconfig strong-pwd case-digit-check disabled
switchconfig strong-pwd minimum upper-case 0
switchconfig strong-pwd minimum lower-case 0
switchconfig strong-pwd minimum digits-chars 0
switchconfig strong-pwd minimum special-chars 0
switchconfig strong-pwd min-length 3
sysname WLC_Primary
stats-timer realtime 5
stats-timer normal 180
time ntp interval 3600
time ntp server 1 10.13.15.254
rf-profile create 802.11a CPwE350-Flex-RFPolicy
rf-profile create 802.11a CPwE350-Roam-RFPolicy
rf-profile create 802.11a High-Client-Density-(802.11a)
rf-profile create 802.11b High-Client-Density-(802.11bg)
rf-profile create 802.11a Low-Client-Density-(802.11a)
rf-profile create 802.11b Low-Client-Density-(802.11bg)
rf-profile create 802.11b Typical-Client-Density(802.11bg)
rf-profile create 802.11a Typical-Client-Density-(802.11a)
rf-profile description Single Cell/Area LWAP RF Policy CPwE350-Flex-RFPolicy
rf-profile description Plant-wide Roaming LWAP RF Policy CPwE350-Roam-RFPolicy
rf-profile tx-power-min 7 High-Client-Density-(802.11a)
rf-profile tx-power-min 7 High-Client-Density-(802.11bg)
rf-profile tx-power-control-thresh-v1 -65 High-Client-Density-(802.11a)
rf-profile tx-power-control-thresh-v1 -60 Low-Client-Density-(802.11a)
rf-profile tx-power-control-thresh-v1 -65 Low-Client-Density-(802.11bg)
rf-profile data-rates 802.11a mandatory 6 CPwE350-Flex-RFPolicy
rf-profile data-rates 802.11a supported 9 CPwE350-Flex-RFPolicy
rf-profile data-rates 802.11a mandatory 12 CPwE350-Flex-RFPolicy
rf-profile data-rates 802.11a supported 18 CPwE350-Flex-RFPolicy
rf-profile data-rates 802.11a mandatory 24 CPwE350-Flex-RFPolicy
rf-profile data-rates 802.11a supported 36 CPwE350-Flex-RFPolicy
rf-profile data-rates 802.11a supported 48 CPwE350-Flex-RFPolicy
rf-profile data-rates 802.11a supported 54 CPwE350-Flex-RFPolicy


rf-profile data-rates 802.11a mandatory 6 CPwE350-Roam-RFPolicy
rf-profile data-rates 802.11a supported 9 CPwE350-Roam-RFPolicy
rf-profile data-rates 802.11a mandatory 12 CPwE350-Roam-RFPolicy
rf-profile data-rates 802.11a supported 18 CPwE350-Roam-RFPolicy
rf-profile data-rates 802.11a mandatory 24 CPwE350-Roam-RFPolicy
rf-profile data-rates 802.11a supported 36 CPwE350-Roam-RFPolicy
rf-profile data-rates 802.11a supported 48 CPwE350-Roam-RFPolicy
rf-profile data-rates 802.11a supported 54 CPwE350-Roam-RFPolicy
rf-profile data-rates 802.11a mandatory 6 High-Client-Density-(802.11a)
rf-profile data-rates 802.11a disabled 9 High-Client-Density-(802.11a)
rf-profile data-rates 802.11a mandatory 12 High-Client-Density-(802.11a)
rf-profile data-rates 802.11a disabled 18 High-Client-Density-(802.11a)
rf-profile data-rates 802.11a mandatory 24 High-Client-Density-(802.11a)
rf-profile data-rates 802.11a disabled 36 High-Client-Density-(802.11a)
rf-profile data-rates 802.11a disabled 48 High-Client-Density-(802.11a)
rf-profile data-rates 802.11a supported 54 High-Client-Density-(802.11a)
rf-profile data-rates 802.11b disabled 1 High-Client-Density-(802.11bg)
rf-profile data-rates 802.11b disabled 2 High-Client-Density-(802.11bg)
rf-profile data-rates 802.11b disabled 5.5 High-Client-Density-(802.11bg)
rf-profile data-rates 802.11a mandatory 6 Low-Client-Density-(802.11a)
rf-profile data-rates 802.11a disabled 9 Low-Client-Density-(802.11a)
rf-profile data-rates 802.11a mandatory 12 Low-Client-Density-(802.11a)
rf-profile data-rates 802.11a disabled 18 Low-Client-Density-(802.11a)
rf-profile data-rates 802.11a mandatory 24 Low-Client-Density-(802.11a)
rf-profile data-rates 802.11a disabled 36 Low-Client-Density-(802.11a)
rf-profile data-rates 802.11a disabled 48 Low-Client-Density-(802.11a)
rf-profile data-rates 802.11a supported 54 Low-Client-Density-(802.11a)
rf-profile data-rates 802.11b mandatory 1 Low-Client-Density-(802.11bg)
rf-profile data-rates 802.11b mandatory 2 Low-Client-Density-(802.11bg)
rf-profile data-rates 802.11b mandatory 5.5 Low-Client-Density-(802.11bg)
rf-profile data-rates 802.11b disabled 1 Typical-Client-Density(802.11bg)
rf-profile data-rates 802.11b disabled 2 Typical-Client-Density(802.11bg)
rf-profile data-rates 802.11b disabled 5.5 Typical-Client-Density(802.11bg)
rf-profile data-rates 802.11a mandatory 6 Typical-Client-Density-(802.11a)
rf-profile data-rates 802.11a disabled 9 Typical-Client-Density-(802.11a)
rf-profile data-rates 802.11a mandatory 12 Typical-Client-Density-(802.11a)
rf-profile data-rates 802.11a disabled 18 Typical-Client-Density-(802.11a)
rf-profile data-rates 802.11a mandatory 24 Typical-Client-Density-(802.11a)
rf-profile data-rates 802.11a disabled 36 Typical-Client-Density-(802.11a)
rf-profile data-rates 802.11a disabled 48 Typical-Client-Density-(802.11a)
rf-profile data-rates 802.11a supported 54 Typical-Client-Density-(802.11a)
rf-profile rx-sop threshold medium High-Client-Density-(802.11a)
rf-profile rx-sop threshold medium High-Client-Density-(802.11bg)
rf-profile rx-sop threshold low Low-Client-Density-(802.11a)
rf-profile rx-sop threshold low Low-Client-Density-(802.11bg)
rf-profile coverage data -90 Low-Client-Density-(802.11a)
rf-profile coverage data -90 Low-Client-Density-(802.11bg)
rf-profile coverage voice -90 Low-Client-Density-(802.11a)
rf-profile coverage voice -90 Low-Client-Density-(802.11bg)
rf-profile channel delete 20 CPwE350-Flex-RFPolicy
rf-profile channel delete 26 CPwE350-Flex-RFPolicy
rf-profile channel delete 20 CPwE350-Roam-RFPolicy
rf-profile channel delete 26 CPwE350-Roam-RFPolicy
rf-profile channel delete 20 High-Client-Density-(802.11a)
rf-profile channel delete 26 High-Client-Density-(802.11a)
rf-profile channel delete 20 Low-Client-Density-(802.11a)
rf-profile channel delete 26 Low-Client-Density-(802.11a)
rf-profile channel delete 20 Typical-Client-Density-(802.11a)
rf-profile channel delete 26 Typical-Client-Density-(802.11a)
trapflags client nac-alert enable
trapflags ap ssidKeyConflict disable
trapflags ap timeSyncFailure disable
trapflags mfp disable


trapflags adjchannel-rogueap disable
trapflags mesh excessive hop count disable
trapflags mesh sec backhaul change disable
wlan create 1 "CPwE350 Ring#1 Flex" CPwE350-R1-Flex
wlan create 2 "CPwE350 Star#1 Flex" CPwE350-S1-Flex
wlan create 3 CPwE350-Roam CPwE350-Roam
wlan create 4 Trusted_Partners_WLAN Trusted_Partners
wlan create 6 Corporate_Employee_WLAN Corporate_Employee
wlan create 7 Industrial_Employee_WLAN Industrial_Employee
wlan create 11 xyz xyz
wlan nac snmp disable 1
wlan nac snmp disable 2
wlan nac snmp disable 3
wlan nac snmp disable 4
wlan nac snmp disable 6
wlan nac snmp disable 7
wlan nac snmp disable 11
wlan nac radius disable 1
wlan nac radius disable 2
wlan nac radius disable 3
wlan nac radius enable 4
wlan nac radius enable 6
wlan nac radius enable 7
wlan nac radius enable 11
wlan interface 3 wgb-roam-client
wlan interface 4 trusted_partners_provisioning
wlan interface 6 corporate_employee_provisioning
wlan interface 7 industrial_employee_provisionin
wlan multicast interface 1 disable
wlan multicast interface 2 disable
wlan multicast interface 3 disable
wlan multicast interface 4 disable
wlan multicast interface 6 disable
wlan multicast interface 7 disable
wlan multicast interface 11 disable
wlan aaa-override enable 4
wlan aaa-override enable 6
wlan aaa-override enable 7
wlan aaa-override enable 11
wlan broadcast-ssid disable 1
wlan broadcast-ssid disable 2
wlan broadcast-ssid disable 3
wlan band-select allow disable 1
wlan band-select allow disable 2
wlan band-select allow disable 3
wlan band-select allow disable 4
wlan band-select allow disable 6
wlan band-select allow disable 7
wlan band-select allow disable 11
wlan load-balance allow disable 1
wlan load-balance allow disable 2
wlan load-balance allow disable 3
wlan load-balance allow disable 4
wlan load-balance allow disable 6
wlan load-balance allow disable 7
wlan load-balance allow disable 11
wlan multicast buffer disable 0 1
wlan multicast buffer disable 0 2
wlan multicast buffer disable 0 3
wlan multicast buffer disable 0 4
wlan multicast buffer disable 0 6
wlan multicast buffer disable 0 7
wlan multicast buffer disable 0 11
wlan qos 1 platinum


wlan qos 2 platinum
wlan qos 3 platinum
wlan radio 1 802.11a-only
wlan radio 2 802.11a-only
wlan radio 3 802.11a-only
wlan radio 4 802.11bg
wlan radio 6 802.11bg
wlan radio 7 802.11bg
wlan session-timeout 1 1800
wlan session-timeout 2 1800
wlan session-timeout 3 1800
wlan session-timeout 4 1800
wlan session-timeout 6 1800
wlan session-timeout 7 1800
wlan session-timeout 11 1800
wlan flexconnect local-switching 1 enable
wlan flexconnect local-switching 2 enable
wlan flexconnect local-switching 3 disable
wlan flexconnect local-switching 4 disable
wlan flexconnect local-switching 6 disable
wlan flexconnect local-switching 7 disable
wlan flexconnect local-switching 11 disable
wlan flexconnect learn-ipaddr 1 enable
wlan flexconnect learn-ipaddr 2 enable
wlan flexconnect learn-ipaddr 3 enable
wlan flexconnect learn-ipaddr 4 enable
wlan flexconnect learn-ipaddr 6 enable
wlan flexconnect learn-ipaddr 7 enable
wlan flexconnect learn-ipaddr 11 enable
wlan security wpa disable 2
wlan radius_server auth add 1 2
wlan radius_server acct disable 1
wlan radius_server auth add 2 1
wlan radius_server acct disable 2
wlan radius_server auth add 3 1
wlan radius_server acct disable 3
wlan radius_server auth add 4 2
wlan radius_server auth add 6 2
wlan radius_server auth add 7 2
wlan radius_server acct disable 7
wlan radius_server auth add 11 2
wlan radius_server overwrite-interface apgroup 3
wlan security splash-page-web-redir disable 1
wlan security splash-page-web-redir disable 2
wlan security splash-page-web-redir disable 3
wlan security splash-page-web-redir disable 4
wlan security splash-page-web-redir disable 6
wlan security splash-page-web-redir disable 7
wlan security splash-page-web-redir disable 11
wlan user-idle-threshold 70 1
wlan user-idle-threshold 70 2
wlan user-idle-threshold 70 3
wlan user-idle-threshold 70 4
wlan user-idle-threshold 70 6
wlan user-idle-threshold 70 7
wlan user-idle-threshold 70 11
wlan security web-auth server-precedence 6 radius
wlan security web-auth server-precedence 7 radius
wlan security wpa akm 802.1x enable 1
wlan security wpa akm 802.1x enable 3
wlan security wpa akm cckm enable 3
wlan security wpa akm 802.1x enable 4
wlan security wpa akm 802.1x enable 6
wlan security wpa akm 802.1x enable 7


wlan security wpa akm 802.1x enable 11
wlan security wpa akm cckm timestamp-tolerance 1000 1
wlan security wpa akm cckm timestamp-tolerance 1000 2
wlan security wpa akm cckm timestamp-tolerance 1000 3
wlan security wpa akm cckm timestamp-tolerance 1000 4
wlan security wpa akm cckm timestamp-tolerance 1000 6
wlan security wpa akm cckm timestamp-tolerance 1000 7
wlan security wpa akm cckm timestamp-tolerance 1000 11
wlan security ft over-the-ds disable 1
wlan security ft over-the-ds disable 2
wlan security ft over-the-ds disable 3
wlan security ft over-the-ds disable 4
wlan security ft over-the-ds disable 6
wlan security ft over-the-ds disable 7
wlan security wpa gtk-random disable 1
wlan security wpa gtk-random disable 2
wlan security wpa gtk-random disable 3
wlan security wpa gtk-random disable 4
wlan security wpa gtk-random disable 6
wlan security wpa gtk-random disable 7
wlan security wpa gtk-random disable 11
wlan security pmf association-comeback 1 1
wlan security pmf association-comeback 1 2
wlan security pmf association-comeback 1 3
wlan security pmf association-comeback 1 4
wlan security pmf association-comeback 1 6
wlan security pmf association-comeback 1 7
wlan security pmf association-comeback 1 11
wlan security pmf saquery-retrytimeout 200 1
wlan security pmf saquery-retrytimeout 200 2
wlan security pmf saquery-retrytimeout 200 3
wlan security pmf saquery-retrytimeout 200 4
wlan security pmf saquery-retrytimeout 200 6
wlan security pmf saquery-retrytimeout 200 7
wlan security pmf saquery-retrytimeout 200 11
wlan profiling radius dhcp disable 1
wlan profiling radius http disable 1
wlan profiling radius dhcp disable 2
wlan profiling radius http disable 2
wlan profiling radius dhcp disable 3
wlan profiling radius http disable 3
wlan profiling radius dhcp disable 4
wlan profiling radius http disable 4
wlan profiling radius dhcp disable 6
wlan profiling radius http disable 6
wlan profiling radius dhcp disable 7
wlan profiling radius http disable 7
wlan profiling radius dhcp disable 11
wlan profiling radius http disable 11
wlan apgroup hotspot venue type CPwE350-Flex-Ring01 0 0
wlan apgroup hotspot venue type CPwE350-Flex-Star01 0 0
wlan apgroup hotspot venue type CPwE350-Roam-central 0 0
wlan enable 1
wlan enable 2
wlan enable 3
wlan enable 4
wlan enable 6
wlan enable 7
license boot base
coredump disable
media-stream multicast-direct disable
media-stream message url
media-stream message email


media-stream message phone
media-stream message note denial
media-stream message state disable
802.11a media-stream multicast-direct enable
802.11b media-stream multicast-direct enable
802.11a media-stream multicast-direct radio-maximum 0
802.11b media-stream multicast-direct radio-maximum 0
802.11a media-stream multicast-direct client-maximum 0
802.11b media-stream multicast-direct client-maximum 0
802.11a media-stream multicast-direct admission-besteffort disable
802.11b media-stream multicast-direct admission-besteffort disable
802.11a media-stream video-redirect enable
802.11b media-stream video-redirect enable
ipv6 neighbor-binding timers reachable-lifetime 300
ipv6 neighbor-binding timers stale-lifetime 86400
ipv6 neighbor-binding timers down-lifetime 30
ipv6 neighbor-binding ra-throttle disable
ipv6 neighbor-binding ra-throttle allow at-least 1 at-most 1
ipv6 neighbor-binding ra-throttle max-through 10
ipv6 neighbor-binding ra-throttle throttle-period 600
ipv6 neighbor-binding ra-throttle interval-option passthrough
ipv6 ns-mcast-fwd disable
ipv6 na-mcast-fwd enable
ipv6 enable
nmheartbeat disable
ipv6 slaac service-port disable
sys-nas
tunnel eogre heart-beat interval 30
tunnel eogre heart-beat primary-fallback-timeout 30
tunnel eogre heart-beat max-skip-count 5
tunnel gtpv2 heart-beat echo-request 60
tunnel gtpv2 heart-beat echo-response 1
tunnel gtpv2 heart-beat max-skip-count 5
WLAN Express Setup - False
(Cisco Controller) >

Example: Corporate Anchor WLC Configuration

This example shows the Corporate Anchor WLC configuration.

(Cisco Controller) >show run-config commands
802.11a 11nSupport a-mpdu tx scheduler enable
802.11a 11nSupport a-mpdu tx scheduler timeout rt 10
802.11a beacon range 0
802.11a rx-sop threshold auto default
802.11a cca threshold 0 default
802.11a multicast buffer 0
802.11a multicast data-rate 0 default
802.11a cac video cac-method static
802.11a channel global off
802.11a max-clients 200
802.11a txPower global 1
802.11a dfs-peakdetect enable
802.11b 11nSupport a-mpdu tx scheduler enable
802.11b 11nSupport a-mpdu tx scheduler timeout rt 10


802.11b beacon range 0
802.11b rx-sop threshold auto default
802.11b cca threshold 0 default
802.11b multicast buffer 0
802.11b multicast data-rate 0 default
802.11b cac video cac-method static
802.11b channel global off
802.11b max-clients 200
802.11b txPower global 1
aaa auth mgmt local radius
flexconnect fallback-radio-shut disable
acl create ACL_RDG_Only
acl apply ACL_RDG_Only
acl rule add ACL_RDG_Only 1
acl rule add ACL_RDG_Only 2
acl rule add ACL_RDG_Only 3
acl rule action ACL_RDG_Only 1 permit
acl rule action ACL_RDG_Only 2 permit
acl rule action ACL_RDG_Only 3 deny
acl rule destination address ACL_RDG_Only 1 10.1.2.3 255.255.255.255
acl rule destination address ACL_RDG_Only 2 0.0.0.0 0.0.0.0
acl rule destination address ACL_RDG_Only 3 0.0.0.0 0.0.0.0
acl rule destination port range ACL_RDG_Only 1 443 443
acl rule destination port range ACL_RDG_Only 2 0 65535
acl rule destination port range ACL_RDG_Only 3 0 65535
acl rule source address ACL_RDG_Only 1 0.0.0.0 0.0.0.0
acl rule source address ACL_RDG_Only 2 10.1.2.3 255.255.255.255
acl rule source address ACL_RDG_Only 3 0.0.0.0 0.0.0.0
acl rule source port range ACL_RDG_Only 1 0 65535
acl rule source port range ACL_RDG_Only 2 443 443
acl rule source port range ACL_RDG_Only 3 0 65535
acl rule direction ACL_RDG_Only 1 Any
acl rule direction ACL_RDG_Only 2 Any
acl rule direction ACL_RDG_Only 3 Any
acl rule dscp ACL_RDG_Only 1 Any
acl rule dscp ACL_RDG_Only 2 Any
acl rule dscp ACL_RDG_Only 3 Any
acl rule protocol ACL_RDG_Only 1 6
acl rule protocol ACL_RDG_Only 2 6
acl rule protocol ACL_RDG_Only 3 Any
acl apply ACL_RDG_Only
advanced 802.11a channel dca interval 0
advanced 802.11a channel dca anchor-time 0
advanced 802.11a channel dca chan-width-11n 20
advanced 802.11a channel dca sensitivity 15
advanced 802.11a channel dca min-metric -95
advanced 802.11a channel delete 20
advanced 802.11a channel delete 26
advanced 802.11a reporting neighbor 180
advanced 802.11a reporting interference 120
advanced 802.11b channel dca interval 0
advanced 802.11b channel dca anchor-time 0
advanced 802.11b channel dca sensitivity 10
advanced 802.11b channel dca min-metric -95
advanced 802.11b reporting neighbor 180
advanced 802.11b reporting interference 120
location info rogue extended
location rssi-half-life tags 0
location rssi-half-life client 0
location rssi-half-life rogue-aps 0
location expiry tags 5
location expiry client 5
location expiry calibrating-client 5
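The ACL_RDG_Only rules above, like the ACL_Provisioning_Redirect FlexConnect ACL in the Industrial WLC configuration, are easier to review as a rule table than as a run of CLI lines: which hosts each permit rule opens, and whether a given flow lands on a permit or on the closing deny. The Python script below is an added example, not Cisco code and not part of this guide; it parses the `acl rule` and `flexconnect acl rule` commands as `show run-config commands` prints them, reports which rule handles a flow, and lists the host addresses each ACL permits. The sample input is constructed from this appendix's commands (ACL_RDG_Only in full, two rules of ACL_Provisioning_Redirect), and the client address and flow queried at the end are constructed.

```python
"""Rule-table view of Cisco WLC ACLs as printed by 'show run-config commands'.
Added example for this appendix; not Cisco's code and not part of the guide."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample, copied from this appendix: ACL_RDG_Only in full, plus rules 1 and 5
# of FlexConnect ACL_Provisioning_Redirect (its port/dscp/protocol rules are 'any' defaults).
SAMPLE_CONFIG = """
acl rule add ACL_RDG_Only 1
acl rule add ACL_RDG_Only 2
acl rule add ACL_RDG_Only 3
acl rule action ACL_RDG_Only 1 permit
acl rule action ACL_RDG_Only 2 permit
acl rule action ACL_RDG_Only 3 deny
acl rule destination address ACL_RDG_Only 1 10.1.2.3 255.255.255.255
acl rule destination port range ACL_RDG_Only 1 443 443
acl rule source address ACL_RDG_Only 2 10.1.2.3 255.255.255.255
acl rule source port range ACL_RDG_Only 2 443 443
acl rule protocol ACL_RDG_Only 1 6
acl rule protocol ACL_RDG_Only 2 6
flexconnect acl rule add ACL_Provisioning_Redirect 1
flexconnect acl rule action ACL_Provisioning_Redirect 1 permit
flexconnect acl rule destination address ACL_Provisioning_Redirect 1 10.13.48.26 255.255.255.255
flexconnect acl rule add ACL_Provisioning_Redirect 5
flexconnect acl rule action ACL_Provisioning_Redirect 5 deny
"""
ANY_NET = ("0.0.0.0", "0.0.0.0")   # address/netmask pair meaning 'any host'

@dataclass
class Rule:
    index: int
    action: str = None             # 'permit' or 'deny'
    src: tuple = ANY_NET           # (address, netmask) as the WLC prints them
    dst: tuple = ANY_NET
    sport: tuple = (0, 65535)
    dport: tuple = (0, 65535)
    protocol: str = "Any"          # 'Any' or an IP protocol number ('6' = TCP)

def parse_acls(text):
    """Return {acl_name: [Rule, ...]} with each ACL's rules in index order."""
    acls = defaultdict(dict)
    for line in text.splitlines():
        tok = line.split()
        if tok[:1] == ["flexconnect"]:      # FlexConnect ACLs share the grammar
            tok = tok[1:]
        if tok[:2] != ["acl", "rule"]:
            continue                        # 'acl create', 'acl apply', ...
        kind = tok[2]
        if kind in ("source", "destination"):
            side = "src" if kind == "source" else "dst"
            if tok[3] == "address":         # ... address <acl> <idx> <ip> <mask>
                name, idx, ip, mask = tok[4:8]
                attr, value = side, (ip, mask)
            else:                           # ... port range <acl> <idx> <lo> <hi>
                name, idx, lo, hi = tok[5:9]
                attr, value = side[0] + "port", (int(lo), int(hi))
        else:                               # add | action | protocol | dscp | direction
            name, idx = tok[3], tok[4]
            attr, value = kind, (tok[5] if len(tok) > 5 else None)
        rule = acls[name].setdefault(int(idx), Rule(int(idx)))
        if attr in ("action", "protocol", "src", "dst", "sport", "dport"):
            setattr(rule, attr, value)      # dscp/direction are 'Any' on this page
    return {n: [rules[i] for i in sorted(rules)] for n, rules in acls.items()}

def _in_net(addr, net):
    """True if addr falls inside the (address, netmask) pair net."""
    a, n, m = (int(ipaddress.IPv4Address(x)) for x in (addr, net[0], net[1]))
    return a & m == n & m

def lookup(rules, src, dst, protocol, sport=0, dport=0):
    """(index, action) of the first rule matching the flow; a flow matching no
    rule hits the implicit deny the WLC places at the end of every ACL."""
    for r in rules:
        if r.protocol not in ("Any", str(protocol)):
            continue
        if not (_in_net(src, r.src) and _in_net(dst, r.dst)):
            continue
        if not (r.sport[0] <= sport <= r.sport[1] and r.dport[0] <= dport <= r.dport[1]):
            continue
        return r.index, r.action
    return None, "deny"

def permitted_hosts(rules):
    """Host (/32) addresses named by permit rules: what is reachable before the deny."""
    return {ip for r in rules if r.action == "permit"
            for ip, mask in (r.src, r.dst) if mask == "255.255.255.255"}

def ends_with_explicit_deny(rules):
    """True when the last rule is an any-to-any deny, as in both ACLs on this page."""
    last = rules[-1] if rules else None
    return last is not None and last.action == "deny" and (last.src, last.dst) == (ANY_NET, ANY_NET)

if __name__ == "__main__":
    acls = parse_acls(SAMPLE_CONFIG)
    rdg = acls["ACL_RDG_Only"]
    print(sorted(permitted_hosts(rdg)), ends_with_explicit_deny(rdg))   # ['10.1.2.3'] True
    # Constructed flow: a client reaching the RDG on TCP/443 lands on rule 1.
    print(lookup(rdg, "10.1.182.50", "10.1.2.3", 6, sport=51000, dport=443))  # (1, 'permit')
```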


location expiry rogue-aps 5
advanced backup-controller primary
advanced backup-controller secondary
advanced backup-controller
advanced backup-controller
advanced sip-snooping-ports 0 0
advanced eap bcast-key-interval 3600
advanced 802.11-abgn pak-rssi-location threshold -100
advanced 802.11-abgn pak-rssi-location trigger-threshold 10
advanced 802.11-abgn pak-rssi-location reset-threshold 8
advanced 802.11-abgn pak-rssi-location ntp 10.13.15.241
advanced 802.11-abgn pak-rssi-location timeout 3
advanced hotspot cmbk-delay 50
ap syslog host global ::
ap dtls-cipher-suite RSA-AES128-SHA
cdp advertise-v2 enable
cts sxp disable
cts sxp connection default password ****
cts sxp retry period 120
cts sxp sxpversion 2
database size 2048
dhcp opt-82 remote-id ap-mac
local-auth method fast server-key ****
interface create corporate_employee_provisioning 182
interface create test 175
interface address dynamic-interface corporate_employee_provisioning 10.1.182.252 255.255.255.0 10.1.182.1
interface address management 10.1.3.78 255.255.255.0 10.1.3.1
interface address service-port 192.168.254.78 255.255.255.0
interface address dynamic-interface test 10.1.175.251 255.255.255.0 10.1.175.1
interface address virtual 1.1.1.1
interface dhcp dynamic-interface test primary 10.1.3.39
interface vlan corporate_employee_provisioning 182
interface vlan management 300
interface vlan test 175
interface nasid corporate_employee_provisioning
interface nasid test
interface port corporate_employee_provisioning 1
interface port management 1
interface port test 1
mdns snooping disable
mdns policy service-group create default-mdns-policy default-mdns-policy
mdns policy service-group user-role add default-mdns-policy admin
mdns profile create default-mdns-profile
mdns service create AirPrint _ipp._tcp.local. origin All LSS disable query enable
mdns service create AirTunes _raop._tcp.local. origin All LSS disable query enable
mdns service create AppleTV _airplay._tcp.local. origin All LSS disable query enable
mdns service create HP_Photosmart_Printer_1 _universal._sub._ipp._tcp.local. origin All LSS disable query enable
mdns service create HP_Photosmart_Printer_2 _cups._sub._ipp._tcp.local. origin All LSS disable query enable
mdns service create Printer _printer._tcp.local. origin All LSS disable query enable
mdns profile service add default-mdns-profile AirPrint
mdns profile service add default-mdns-profile AirTunes
mdns profile service add default-mdns-profile AppleTV
mdns profile service add default-mdns-profile HP_Photosmart_Printer_1
mdns profile service add default-mdns-profile HP_Photosmart_Printer_2
mdns profile service add default-mdns-profile Printer
mdns query interval 15
wlan mdns enable 6
wlan mdns profile 6 default-mdns-profile
ipv6 ra-guard ap enable
ipv6 capwap udplite enable all
ipv6 multicast mode unicast

load-balancing aggressive enable
load-balancing window 5
wlan apgroup add default-group
wlan apgroup add test test
wlan apgroup qinq tagging eap-sim-aka default-group enable
wlan apgroup qinq tagging eap-sim-aka test enable
wlan apgroup interface-mapping add default-group 6 corporate_employee_provisioning
wlan apgroup nac-snmp disable default-group 6
memory monitor errors enable
memory monitor leak thresholds 10000 30000
mesh security rad-mac-filter disable
mesh security rad-mac-filter disable
mesh security eap
mesh lsc advanced ap-provision open-window enable
mgmtuser add admin **** read-write
mobility group domain CPwE351
mobility group member add 3c:08:f6:cc:40:00 10.13.50.251 CPwE351
mobility group anchor add wlan 6 10.1.3.78
mobility group anchor add wlan 6
mobility dscp 0
network multicast igmp snooping enable
network multicast mld snooping enable
network ap-priority disabled
network web-auth captive-bypass enable
network rf-network-name CPwE351
network secureweb cipher-option rc4-preference disable
qos priority bronze background background background
qos priority gold video video video
qos priority platinum voice voice voice
qos priority silver besteffort besteffort besteffort
radius acct add 1 10.1.3.48 1813 ascii ****
radius acct add 2 10.13.48.32 1813 ascii ****
radius auth add 1 10.1.3.48 1812 ascii ****
radius auth add 2 10.13.48.32 1812 ascii ****
radius callStationIdType macaddr
radius auth callStationIdType ap-macaddr-ssid
radius auth rfc3576 enable 2
radius fallback-test mode off
radius fallback-test username cisco-probe
radius fallback-test interval 300
radius dns disable
tacacs dns disable
rogue detection report-interval 10
rogue detection min-rssi -128
rogue detection transient-rogue-interval 0
rogue detection client-threshold 0
rogue detection security-level custom
rogue ap ssid alarm
rogue ap valid-client alarm
rogue adhoc enable
rogue adhoc alert
rogue ap rldp disable
rogue auto-contain level 1
rogue containment flex-connect disable
rogue containment auto-rate disable
snmp version v2c enable
snmp version v3 enable
snmp snmpEngineId 00003763000036404e300d0a
snmp community ipsec ike auth-mode pre-shared-key ****
switchconfig strong-pwd case-check enabled
switchconfig strong-pwd consecutive-check enabled
switchconfig strong-pwd default-check enabled
switchconfig strong-pwd username-check enabled
switchconfig strong-pwd position-check disabled

switchconfig strong-pwd case-digit-check disabled
switchconfig strong-pwd minimum upper-case 0
switchconfig strong-pwd minimum lower-case 0
switchconfig strong-pwd minimum digits-chars 0
switchconfig strong-pwd minimum special-chars 0
switchconfig strong-pwd min-length 3
sysname WLC-Corporate-Anchor
stats-timer realtime 5
stats-timer normal 180
time ntp interval 3600
time ntp server 1 10.13.15.241
trapflags client nac-alert enable
trapflags ap ssidKeyConflict disable
trapflags ap timeSyncFailure disable
trapflags mfp disable
trapflags adjchannel-rogueap disable
trapflags mesh excessive hop count disable
trapflags mesh sec backhaul change disable
wlan create 6 Corporate_Employee_WLAN Corporate_Employee
wlan nac snmp disable 6
wlan nac radius enable 6
wlan interface 6 corporate_employee_provisioning
wlan multicast interface 6 disable
wlan aaa-override enable 6
wlan band-select allow disable 6
wlan load-balance allow disable 6
wlan multicast buffer disable 0 6
wlan session-timeout 6 1800
wlan flexconnect local-switching 6 disable
wlan flexconnect learn-ipaddr 6 enable
wlan radius_server auth add 6 2
wlan security splash-page-web-redir disable 6
wlan user-idle-threshold 70 6
wlan security web-auth server-precedence 6 radius
wlan security wpa akm 802.1x enable 6
wlan security wpa akm cckm timestamp-tolerance 1000 6
wlan security ft over-the-ds disable 6
wlan security wpa gtk-random disable 6
wlan security pmf association-comeback 1 6
wlan security pmf saquery-retrytimeout 200 6
wlan profiling radius dhcp disable 6
wlan profiling radius http disable 6
wlan apgroup hotspot venue type test 0 0
wlan enable 6
license boot base
WMM-AC disabled
coredump disable
media-stream multicast-direct disable
media-stream message url
media-stream message email
media-stream message phone
media-stream message note denial
media-stream message state disable
802.11a media-stream multicast-direct enable
802.11b media-stream multicast-direct enable
802.11a media-stream multicast-direct radio-maximum 0
802.11b media-stream multicast-direct radio-maximum 0
802.11a media-stream multicast-direct client-maximum 0
802.11b media-stream multicast-direct client-maximum 0
802.11a media-stream multicast-direct admission-besteffort disable
802.11b media-stream multicast-direct admission-besteffort disable
802.11a media-stream video-redirect enable

802.11b media-stream video-redirect enable
ipv6 neighbor-binding timers reachable-lifetime 300
ipv6 neighbor-binding timers stale-lifetime 86400
ipv6 neighbor-binding timers down-lifetime 30
ipv6 neighbor-binding ra-throttle disable
ipv6 neighbor-binding ra-throttle allow at-least 1 at-most 1
ipv6 neighbor-binding ra-throttle max-through 10
ipv6 neighbor-binding ra-throttle throttle-period 600
ipv6 neighbor-binding ra-throttle interval-option passthrough
ipv6 ns-mcast-fwd disable
ipv6 na-mcast-fwd enable
ipv6 enable
nmheartbeat disable
ipv6 slaac service-port disable
sys-nas Cisco_31:36:44
(Cisco Controller) >

Example: Trusted Partner Anchor WLC Configuration

This example shows the Trusted Partner Anchor WLC configuration.

(Cisco Controller) >show run-config commands
802.11a 11nSupport a-mpdu tx scheduler enable
802.11a 11nSupport a-mpdu tx scheduler timeout rt 10
802.11a beacon range 0
802.11a rx-sop threshold auto default
802.11a cca threshold 0 default
802.11a multicast buffer 0
802.11a multicast data-rate 0 default
802.11a cac video cac-method static
802.11a channel global off
802.11a max-clients 200
802.11a txPower global 1
802.11a cleanair device enable radar
802.11a dfs-peakdetect enable
802.11b 11nSupport a-mpdu tx scheduler enable
802.11b 11nSupport a-mpdu tx scheduler timeout rt 10
802.11b beacon range 0
802.11b rx-sop threshold auto default
802.11b cca threshold 0 default
802.11b multicast buffer 0
802.11b multicast data-rate 0 default
802.11b cac video cac-method static
802.11b channel global off
802.11b max-clients 200
802.11b txPower global 1
aaa auth mgmt local radius
flexconnect fallback-radio-shut disable
acl create ACL_RDG_Only
acl apply ACL_RDG_Only
acl rule add ACL_RDG_Only 1
acl rule add ACL_RDG_Only 2
acl rule add ACL_RDG_Only 3
acl rule add ACL_RDG_Only 4
acl rule action ACL_RDG_Only 1 permit
acl rule action ACL_RDG_Only 2 permit
acl rule action ACL_RDG_Only 3 permit
acl rule action ACL_RDG_Only 4 deny

acl rule destination address ACL_RDG_Only 1 0.0.0.0 0.0.0.0
acl rule destination address ACL_RDG_Only 2 10.1.2.3 255.255.255.255
acl rule destination address ACL_RDG_Only 3 0.0.0.0 0.0.0.0
acl rule destination address ACL_RDG_Only 4 0.0.0.0 0.0.0.0
acl rule destination port range ACL_RDG_Only 1 0 65535
acl rule destination port range ACL_RDG_Only 2 0 65535
acl rule destination port range ACL_RDG_Only 3 0 65535
acl rule destination port range ACL_RDG_Only 4 0 65535
acl rule source address ACL_RDG_Only 1 0.0.0.0 0.0.0.0
acl rule source address ACL_RDG_Only 2 0.0.0.0 0.0.0.0
acl rule source address ACL_RDG_Only 3 10.1.2.3 255.255.255.255
acl rule source address ACL_RDG_Only 4 0.0.0.0 0.0.0.0
acl rule source port range ACL_RDG_Only 1 0 65535
acl rule source port range ACL_RDG_Only 2 0 65535
acl rule source port range ACL_RDG_Only 3 0 65535
acl rule source port range ACL_RDG_Only 4 0 65535
acl rule direction ACL_RDG_Only 1 Any
acl rule direction ACL_RDG_Only 2 Any
acl rule direction ACL_RDG_Only 3 Any
acl rule direction ACL_RDG_Only 4 Any
acl rule dscp ACL_RDG_Only 1 Any
acl rule dscp ACL_RDG_Only 2 Any
acl rule dscp ACL_RDG_Only 3 Any
acl rule dscp ACL_RDG_Only 4 Any
acl rule protocol ACL_RDG_Only 1 Any
acl rule protocol ACL_RDG_Only 2 Any
acl rule protocol ACL_RDG_Only 3 Any
acl rule protocol ACL_RDG_Only 4 Any
acl apply ACL_RDG_Only
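ACL_RDG_Only is easier to reason about when it is evaluated the way the controller evaluates it: rules are tried in index order, the first rule that matches decides, and a packet that matches no rule is dropped by the implicit deny at the end. The Python below is an added example, not code from this guide or from Cisco. It parses the `acl rule` lines exactly as the controller prints them, decides a packet, and reports any rule that an earlier rule fully covers. On the listing as printed, rule 1 carries any source, any destination, any protocol and the full port range, so it matches every packet and rules 2 to 4 (permit traffic to and from 10.1.2.3, deny the rest) are never consulted. Whether that is the intended lab setting or an omission in the listing is not stated in the guide; the point of the check is that a permit-any rule placed first silently turns a restrictive ACL into a permissive one. The constructed input omits the port-range, direction, dscp and protocol lines because they are all `0 65535` or `Any`, which are the defaults the parser applies.

```python
"""First-match evaluation and shadowing check for Cisco WLC (AireOS) ACLs.
Added example, not code from the CPwE guide or from Cisco."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed input: the ACL_RDG_Only action and address lines copied from the
# listing above. Its port-range, direction, dscp and protocol lines are all
# `0 65535` / `Any`, the defaults the parser applies, so they are left out.
ACL_RDG_ONLY = """\
acl rule action ACL_RDG_Only 1 permit
acl rule action ACL_RDG_Only 2 permit
acl rule action ACL_RDG_Only 3 permit
acl rule action ACL_RDG_Only 4 deny
acl rule destination address ACL_RDG_Only 1 0.0.0.0 0.0.0.0
acl rule destination address ACL_RDG_Only 2 10.1.2.3 255.255.255.255
acl rule destination address ACL_RDG_Only 3 0.0.0.0 0.0.0.0
acl rule destination address ACL_RDG_Only 4 0.0.0.0 0.0.0.0
acl rule source address ACL_RDG_Only 1 0.0.0.0 0.0.0.0
acl rule source address ACL_RDG_Only 2 0.0.0.0 0.0.0.0
acl rule source address ACL_RDG_Only 3 10.1.2.3 255.255.255.255
acl rule source address ACL_RDG_Only 4 0.0.0.0 0.0.0.0
""".splitlines()

ANY_NET = ipaddress.ip_network("0.0.0.0/0")
_RULE_RE = re.compile(r"^acl rule (action|source address|destination address|"
                      r"source port range|destination port range|protocol|direction) "
                      r"(\S+) (\d+) (.*)$")

@dataclass
class Rule:
    index: int
    action: str = "deny"
    src: ipaddress.IPv4Network = ANY_NET
    dst: ipaddress.IPv4Network = ANY_NET
    sport: tuple = (0, 65535)
    dport: tuple = (0, 65535)
    proto: str = "any"
    direction: str = "any"

    def matches(self, src, dst, proto, sport, dport, direction):
        return (ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and self.proto in ("any", proto)
                and self.sport[0] <= sport <= self.sport[1]
                and self.dport[0] <= dport <= self.dport[1]
                and self.direction in ("any", direction))

    def covers(self, other):
        """True when every packet that matches `other` also matches this rule."""
        return (other.src.subnet_of(self.src) and other.dst.subnet_of(self.dst)
                and self.proto in ("any", other.proto)
                and self.direction in ("any", other.direction)
                and self.sport[0] <= other.sport[0] <= other.sport[1] <= self.sport[1]
                and self.dport[0] <= other.dport[0] <= other.dport[1] <= self.dport[1])

def parse_wlc_acl(lines, name):
    """Collect the `acl rule` lines for ACL `name` into Rule objects, in index order."""
    rules = {}
    for line in lines:
        m = _RULE_RE.match(line.strip())
        if not m or m.group(2) != name:
            continue
        attr, index, value = m.group(1), int(m.group(3)), m.group(4).split()
        rule = rules.setdefault(index, Rule(index))
        if attr == "action":
            rule.action = value[0].lower()
        elif attr.endswith("address"):  # AireOS prints address + netmask; 0.0.0.0 0.0.0.0 is any
            net = ipaddress.ip_network(f"{value[0]}/{value[1]}", strict=False)
            setattr(rule, "src" if attr.startswith("source") else "dst", net)
        elif attr.endswith("port range"):
            setattr(rule, "sport" if attr.startswith("source") else "dport",
                    (int(value[0]), int(value[1])))
        elif attr == "protocol":
            rule.proto = value[0].lower()
        elif attr == "direction":
            rule.direction = value[0].lower()
    return [rules[i] for i in sorted(rules)]

def evaluate(rules, src, dst, proto, sport, dport, direction="inbound"):
    """Return (decision, deciding rule index); no match falls to the implicit deny."""
    for rule in rules:
        if rule.matches(src, dst, proto, sport, dport, direction):
            return rule.action, rule.index
    return "deny", None

def shadowed_rules(rules):
    """Map each unreachable rule index to the earlier rule that fully covers it."""
    shadowed = {}
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(later):
                shadowed[later.index] = earlier.index
                break
    return shadowed

if __name__ == "__main__":
    acl = parse_wlc_acl(ACL_RDG_ONLY, "ACL_RDG_Only")
    print(evaluate(acl, "10.1.183.20", "192.0.2.10", "tcp", 51000, 443))  # rule 1 decides
    print(shadowed_rules(acl))  # rules 2, 3 and 4 are covered by rule 1
```

Dropping rule 1 from the parsed list (`acl[1:]`) shows what the remaining rules do on their own: a partner client reaching 10.1.2.3 is permitted by rule 2, the return traffic by rule 3, and anything else hits the explicit deny in rule 4. The evaluator ignores the dscp attribute, since every rule in the listing has it set to Any.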

advanced 802.11a channel dca interval 0
advanced 802.11a channel dca anchor-time 0
advanced 802.11a channel dca chan-width-11n 20
advanced 802.11a channel dca sensitivity 15
advanced 802.11a channel dca min-metric -95
advanced 802.11a channel delete 20
advanced 802.11a channel delete 26
advanced 802.11a reporting neighbor 180
advanced 802.11a reporting interference 120
advanced 802.11b channel dca interval 0
advanced 802.11b channel dca anchor-time 0
advanced 802.11b channel dca sensitivity 10
advanced 802.11b channel dca min-metric -95
advanced 802.11b reporting neighbor 180
advanced 802.11b reporting interference 120
location info rogue extended
location rssi-half-life tags 0
location rssi-half-life client 0
location rssi-half-life rogue-aps 0
location expiry tags 5
location expiry client 5
location expiry calibrating-client 5
location expiry rogue-aps 5
advanced backup-controller primary
advanced backup-controller secondary
advanced backup-controller
advanced backup-controller
advanced sip-snooping-ports 0 0
advanced eap bcast-key-interval 3600
advanced 802.11-abgn pak-rssi-location threshold -100
advanced 802.11-abgn pak-rssi-location trigger-threshold 10

advanced 802.11-abgn pak-rssi-location reset-threshold 8
advanced 802.11-abgn pak-rssi-location ntp 10.13.15.241
advanced 802.11-abgn pak-rssi-location timeout 3
advanced hotspot cmbk-delay 50
ap syslog host global ::
ap dtls-cipher-suite RSA-AES128-SHA
cdp advertise-v2 enable
cts sxp disable
cts sxp connection default password ****
cts sxp retry period 120
cts sxp sxpversion 2
database size 2048
dhcp opt-82 remote-id ap-mac
local-auth method fast server-key ****
interface create dhcp_test 175
interface create trusted_partners_provisioning 183
interface address dynamic-interface dhcp_test 10.1.175.252 255.255.255.0 10.1.175.1
interface address management 10.1.4.77 255.255.255.0 10.1.4.1
interface address service-port 192.168.254.77 255.255.255.0
interface address dynamic-interface trusted_partners_provisioning 10.1.183.252 255.255.255.0 10.1.183.1
interface address virtual 1.1.1.1
interface dhcp management primary 10.1.3.1
interface dhcp management option-82 enable
interface vlan dhcp_test 175
interface vlan management 400
interface vlan trusted_partners_provisioning 183
interface nasid dhcp_test
interface nasid trusted_partners_provisioning
interface port dhcp_test 1
interface port management 1
interface port trusted_partners_provisioning 1
mdns snooping disable
mdns policy service-group create default-mdns-policy default-mdns-policy
mdns policy service-group user-role add default-mdns-policy admin
mdns profile create default-mdns-profile
mdns service create AirPrint _ipp._tcp.local. origin All LSS disable query enable
mdns service create AirTunes _raop._tcp.local. origin All LSS disable query enable
mdns service create AppleTV _airplay._tcp.local. origin All LSS disable query enable
mdns service create HP_Photosmart_Printer_1 _universal._sub._ipp._tcp.local. origin All LSS disable query enable
mdns service create HP_Photosmart_Printer_2 _cups._sub._ipp._tcp.local. origin All LSS disable query enable
mdns service create Printer _printer._tcp.local. origin All LSS disable query enable
mdns profile service add default-mdns-profile AirPrint
mdns profile service add default-mdns-profile AirTunes
mdns profile service add default-mdns-profile AppleTV
mdns profile service add default-mdns-profile HP_Photosmart_Printer_1
mdns profile service add default-mdns-profile HP_Photosmart_Printer_2
mdns profile service add default-mdns-profile Printer
mdns query interval 15
wlan mdns enable 4
wlan mdns profile 4 default-mdns-profile
ipv6 ra-guard ap enable
ipv6 capwap udplite enable all
ipv6 multicast mode unicast
load-balancing aggressive enable
load-balancing window 5

wlan apgroup add Dhcp_guest "for testing"
wlan apgroup add default-group
wlan apgroup qinq tagging eap-sim-aka Dhcp_guest enable
wlan apgroup qinq tagging eap-sim-aka default-group enable
wlan apgroup interface-mapping add default-group 4 trusted_partners_provisioning
wlan apgroup nac-snmp disable default-group 4
memory monitor errors enable
memory monitor leak thresholds 10000 30000
mesh security rad-mac-filter disable
mesh security rad-mac-filter disable
mesh security eap
mesh lsc advanced ap-provision open-window enable
mgmtuser add admin **** read-write
mobility group domain CPwE351
mobility group member add 3c:08:f6:cc:40:00 10.13.50.251 CPwE351
mobility dscp 0
network multicast igmp snooping enable
network multicast mld snooping enable
network ap-priority disabled
network web-auth captive-bypass enable
network fast-ssid-change enable
network rf-network-name CPwE351
network secureweb cipher-option rc4-preference disable
qos priority bronze background background background
qos priority gold video video video
qos priority platinum voice voice voice
qos priority silver besteffort besteffort besteffort
radius acct add 1 10.1.3.48 1813 ascii ****
radius acct add 2 10.13.48.32 1813 ascii ****
radius auth add 1 10.1.3.48 1812 ascii ****
radius auth add 2 10.13.48.32 1812 ascii ****
radius callStationIdType macaddr
radius auth callStationIdType ap-macaddr-ssid
radius auth rfc3576 enable 1
radius fallback-test mode off
radius fallback-test username cisco-probe
radius fallback-test interval 300
radius dns disable
tacacs dns disable
rogue detection report-interval 10
rogue detection min-rssi -128
rogue detection transient-rogue-interval 0
rogue detection client-threshold 0
rogue detection security-level custom
rogue ap ssid alarm
rogue ap valid-client alarm
rogue adhoc enable
rogue adhoc alert
rogue ap rldp disable
rogue auto-contain level 1
rogue containment flex-connect disable
rogue containment auto-rate disable
snmp version v2c enable
snmp version v3 enable
snmp snmpEngineId 0000376300000ea04d04010a
snmp community ipsec ike auth-mode pre-shared-key ****
switchconfig strong-pwd case-check enabled

switchconfig strong-pwd consecutive-check enabled
switchconfig strong-pwd default-check enabled
switchconfig strong-pwd username-check enabled
switchconfig strong-pwd position-check disabled
switchconfig strong-pwd case-digit-check disabled
switchconfig strong-pwd minimum upper-case 0
switchconfig strong-pwd minimum lower-case 0
switchconfig strong-pwd minimum digits-chars 0
switchconfig strong-pwd minimum special-chars 0
switchconfig strong-pwd min-length 3
sysname WLC-Guest-Anchor
stats-timer realtime 5
stats-timer normal 180
time ntp interval 3600
time ntp server 1 10.13.15.241
trapflags client nac-alert enable
trapflags ap ssidKeyConflict disable
trapflags ap timeSyncFailure disable
trapflags mfp disable
trapflags adjchannel-rogueap disable
trapflags mesh excessive hop count disable
trapflags mesh sec backhaul change disable
wlan create 4 Trusted_Partners_WLAN Trusted_Partners
wlan nac snmp disable 4
wlan nac radius enable 4
wlan interface 4 trusted_partners_provisioning
wlan multicast interface 4 disable
wlan aaa-override enable 4
wlan band-select allow disable 4
wlan load-balance allow disable 4
wlan multicast buffer disable 0 4
wlan session-timeout 4 1800
wlan flexconnect local-switching 4 disable
wlan flexconnect learn-ipaddr 4 enable
wlan radius_server auth add 4 2
wlan security splash-page-web-redir disable 4
wlan user-idle-threshold 70 4
wlan security wpa akm 802.1x enable 4
wlan security wpa akm cckm timestamp-tolerance 1000 4
wlan security ft over-the-ds disable 4
wlan security wpa gtk-random disable 4
wlan security pmf association-comeback 1 4
wlan security pmf saquery-retrytimeout 200 4
wlan profiling radius dhcp disable 4
wlan profiling radius http disable 4
wlan apgroup hotspot venue type Dhcp_guest 0 0
wlan enable 4
license boot base
WMM-AC disabled
coredump disable
media-stream multicast-direct disable
media-stream message url
media-stream message email
media-stream message phone

media-stream message note denial
media-stream message state disable
802.11a media-stream multicast-direct enable
802.11b media-stream multicast-direct enable
802.11a media-stream multicast-direct radio-maximum 0
802.11b media-stream multicast-direct radio-maximum 0
802.11a media-stream multicast-direct client-maximum 0
802.11b media-stream multicast-direct client-maximum 0
802.11a media-stream multicast-direct admission-besteffort disable
802.11b media-stream multicast-direct admission-besteffort disable
802.11a media-stream video-redirect enable
802.11b media-stream video-redirect enable
ipv6 neighbor-binding timers reachable-lifetime 300
ipv6 neighbor-binding timers stale-lifetime 86400
ipv6 neighbor-binding timers down-lifetime 30
ipv6 neighbor-binding ra-throttle disable
ipv6 neighbor-binding ra-throttle allow at-least 1 at-most 1
ipv6 neighbor-binding ra-throttle max-through 10
ipv6 neighbor-binding ra-throttle throttle-period 600
ipv6 neighbor-binding ra-throttle interval-option passthrough
ipv6 ns-mcast-fwd disable
ipv6 na-mcast-fwd enable
ipv6 enable
nmheartbeat disable
ipv6 slaac service-port disable
sys-nas Cisco_5f:0e:a4

(Cisco Controller) >

Example: IES Access Switch Configuration This example shows the IES access switch configuration.

Current configuration : 13499 bytes
!
! Last configuration change at 12:14:08 EDT Tue May 12 2015
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname <host name>
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$SN29$HqWnhKsfLDJFuOkEvtBLZ1
!
username <name> password <password>
aaa new-model
!

aaa group server tacacs+ TACACS-SERVERS
 server name TACACS-SERVER-1
!
aaa authentication login default group TACACS-SERVERS local
aaa authentication dot1x default group radius
aaa authorization console
aaa authorization exec default group TACACS-SERVERS local
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
aaa session-id common
clock timezone EST -5 0
clock summer-time EDT recurring
system mtu routing 1500
!
ip domain-name cpwe-ra-cisco.local
ip name-server 10.13.48.26
ptp mode forward
rep admin vlan 800
vtp domain CPwE350
vtp mode transparent
!
mls qos map policed-dscp 24 27 31 43 46 47 55 59 to 0
mls qos map dscp-cos 9 11 12 13 14 15 to 0
mls qos map dscp-cos 25 26 28 29 30 to 2
mls qos map dscp-cos 40 41 42 44 45 49 50 51 to 4
mls qos map dscp-cos 52 53 54 56 57 58 60 61 to 4
mls qos map dscp-cos 62 63 to 4
mls qos map cos-dscp 0 8 16 27 32 47 55 59
mls qos srr-queue input bandwidth 40 60
mls qos srr-queue input threshold 1 16 66
mls qos srr-queue input threshold 2 34 66
mls qos srr-queue input buffers 40 60
mls qos srr-queue input cos-map queue 1 threshold 2 1
mls qos srr-queue input cos-map queue 1 threshold 3 0 2
mls qos srr-queue input cos-map queue 2 threshold 2 4
mls qos srr-queue input cos-map queue 2 threshold 3 3 5 6 7
mls qos srr-queue input dscp-map queue 1 threshold 2 8 10
mls qos srr-queue input dscp-map queue 1 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue input dscp-map queue 1 threshold 3 9 11 12 13 14 15 16 17
mls qos srr-queue input dscp-map queue 1 threshold 3 18 19 20 21 22 23 25 26
mls qos srr-queue input dscp-map queue 1 threshold 3 28 29 30
mls qos srr-queue input dscp-map queue 2 threshold 2 32 33 34 35 36 37 38 39
mls qos srr-queue input dscp-map queue 2 threshold 2 40 41 42 44 45 49 50 51
mls qos srr-queue input dscp-map queue 2 threshold 2 52 53 54 56 57 58 60 61
mls qos srr-queue input dscp-map queue 2 threshold 2 62 63
mls qos srr-queue input dscp-map queue 2 threshold 3 24 27 31 43 46 47 48 55
mls qos srr-queue input dscp-map queue 2 threshold 3 59
mls qos srr-queue output cos-map queue 1 threshold 3 7
mls qos srr-queue output cos-map queue 2 threshold 2 1
mls qos srr-queue output cos-map queue 2 threshold 3 0 2 4
mls qos srr-queue output cos-map queue 3 threshold 3 5 6
mls qos srr-queue output cos-map queue 4 threshold 3 3

mls qos srr-queue output dscp-map queue 1 threshold 3 59
mls qos srr-queue output dscp-map queue 2 threshold 2 8 10
mls qos srr-queue output dscp-map queue 2 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue output dscp-map queue 2 threshold 3 9 11 12 13 14 15 16 17
mls qos srr-queue output dscp-map queue 2 threshold 3 18 19 20 21 22 23 25 26
mls qos srr-queue output dscp-map queue 2 threshold 3 28 29 30 32 33 34 35 36
mls qos srr-queue output dscp-map queue 2 threshold 3 37 38 39 40 41 42 44 45
mls qos srr-queue output dscp-map queue 2 threshold 3 49 50 51 52 53 54 56 57
mls qos srr-queue output dscp-map queue 2 threshold 3 58 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 43 46 47 48 55
mls qos srr-queue output dscp-map queue 4 threshold 3 24 27 31
mls qos queue-set output 1 buffers 10 25 40 25
mls qos queue-set output 2 buffers 10 25 40 25
no mls qos rewrite ip dscp
mls qos
!
crypto pki trustpoint TP-self-signed-4135611392
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4135611392
 revocation-check none
 rsakeypair TP-self-signed-4135611392
!
crypto pki trustpoint cpwe3.5.1
 enrollment terminal pem
 serial-number
 ip-address 10.40.93.140
 revocation-check none
 rsakeypair cpwe3.5.1 2048
!
crypto pki certificate chain TP-self-signed-4135611392
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 34313335 36313133 3932301E 170D3933 30333037 31383432
  35305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 31333536
  31313339 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100F311 7892A43E A35B223A AC4F7A0C B9288D57 D42123DC E196E556 62B00B33
  CCCF69EB E5FC529A 0310BDFA D4364872 C0C0BA77 31AC8913 FFAB5D72 BAC598FE
  B69B3AAC 4EDF62E1 8DCCFBB3 809E50DC 41682755 2B33DCBD F39982F3 511B0E07
  154A4C14 E93D9515 0050D57E 5A20DB14 61C8EC7C DF6C0AF4 2DBDA1E4 7B4AEB99
  B2A70203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 14B34BD0 03099694 FA195936 D9D9F656 F866F155 A3301D06
  03551D0E 04160414 B34BD003 099694FA 195936D9 D9F656F8 66F155A3 300D0609
  2A864886 F70D0101 05050003 81810006 62D8E503 7D54DAEA 94F4E3B4 91A5DF3F
  7DB0C50F 507CE257 5DA794A5 DA7E3ECE 2CAA15CF 690989C3 EB80741F 432FE0DB
  992981F1 69C45FC7 4CC62651 AEB193B5 C5618FBA 8FC8A7CF ED34EB2F 7F32E055
  5EE69EAF 098F7304 6228B6CB C1DCE037 EAF63D01 5967B9D2 33DF56AD 15E26404
  2F53CE37 AD06F88D 8899BEE2 E7E6DA
  quit
crypto pki certificate chain cpwe3.5.1
 certificate ca 69A16061433F31A64F68B1C00B20E117
  30820377 3082025F A0030201 02021069 A1606143 3F31A64F 68B1C00B 20E11730
  0D06092A 864886F7 0D010105 0500304E 31153013 060A0992 268993F2 2C640119
  16056C6F 63616C31 1D301B06 0A099226 8993F22C 64011916 0D637077 652D7261
  2D636973 636F3116 30140603 55040313 0D456E74 65727072 6973652D 4341301E
  170D3135 30313235 30343236 34375A17 0D323530 31323530 34333634 365A304E
  31153013 060A0992 268993F2 2C640119 16056C6F 63616C31 1D301B06 0A099226
  8993F22C 64011916 0D637077 652D7261 2D636973 636F3116 30140603 55040313
  0D456E74 65727072 6973652D 43413082 0122300D 06092A86 4886F70D 01010105
  00038201 0F003082 010A0282 010100F9 3A9722D0 E315CFBA 66DC81D4 98475082
  B9A74635 EB55E224 7E91F275 094B5D5E B21BD188 5AA65F02 86C7F7A9 9AFB4E2E
  1F41929D DA61C310 AC3BA341 CFAA6FE1 C84E5EEC BFA94A3C F6DE4EFB 46E50AF9
  FA8B7E74 16E3A4C8 B4E6F739 DCA30039 D9350B39 842AFFA2 91F51795 9C151D7F
  1CF0F2D9 52C8ABFB 0D2ED403 92599E18 E19329F6 7F89910E F0F43185 A5DCD350
  5225362D 1A26581A D1C5E789 162436B3 38282A22 1DDF6AB5 90BF181E 782DAD70
  B183A46A 7FDBE1AC CBB243E9 CD5E5FCA DCD9F3AC 4FBC503F 78D9678D B5E1FD55
  3C2AE97B CF663556 5F2D68D2 204DCF4C 44754097 AC34379A 9B7518BC FE91FB9A
  D5A92386 181EDAB5 D357E0EE 46057B02 03010001 A351304F 300B0603 551D0F04
  04030201 86300F06 03551D13 0101FF04 05300301 01FF301D 0603551D 0E041604
  145F61A9 C1FB4AAA 340A1428 2C810F91 3B776282 A3301006 092B0601 04018237
  15010403 02010030 0D06092A 864886F7 0D010105 05000382 010100EE 999B576C
  6D6C230A E02AB9FC 289D0A1B 0586E27D F403C16E AA225024 3171C570 CB36DFE9
  E64AF66A CDA503A7 AF8A6ABF 6721C589 FA87B0A1 D47C6B48 1F43E881 68151780
  DA3E727E 3E61E5DF 181BA638 91DB349C 8C1801C3 93206B75 73B8E22A 754D4A13
  C5547B0C 6EA73D56 090FDF73 5B421975 B68A3236 B7866610 DA8F3DFF 5C067572
  D2A218C7 57AF236E BF7E1899 1DCB82EB F5D39513 BE617CCA 4B2D36F3 8793CBB3
  FC5FA518 4926A8CC 2A3EA1DA 50FFC26E EF5DFC95 258D81D6 EB0D19B8 9982B378
  CF710E18 2E92E216 4ECEC790 057EAD68 E73645DF B3349646 1220FB46 A9CBBD61
  E0DDA035 671BF89E FB352AF2 0AC8EF82 095BBBF2 77E51645 2CA0FB
  quit
dot1x system-auth-control
spanning-tree mode pvst
spanning-tree extend system-id
!
alarm profile defaultPort
 alarm not-operating
 syslog not-operating
 notifies not-operating
!
vlan internal allocation policy ascending
!
vlan 148,181-186
!
vlan 200
 name REP#1
!
vlan 351
 name default VLAN for convenience port
!
vlan 800
 name Native-Vlan
!
vlan 4093
 name RADIUS
!
lldp run
!
class-map match-all 1588-PTP-General
 match access-group 107
class-map match-all 1588-PTP-Event
 match access-group 106
class-map match-all CIP-Implicit_dscp_any
 match access-group 104
class-map match-all CIP-Other
 match access-group 105
class-map match-all voip-data
 match ip dscp ef
class-map match-all voip-control
 match ip dscp cs3 af31
class-map match-all default-data
 match access-group name default-data-acl
class-map match-all CIP-Implicit_dscp_43
 match access-group 103
class-map match-all CIP-Implicit_dscp_55
 match access-group 101

class-map match-all CIP-Implicit_dscp_47
 match access-group 102
!
policy-map Voice-Map
 class voip-data
  set dscp ef
  police 128000 8000 exceed-action policed-dscp-transmit
 class voip-control
  set dscp cs3
  police 32000 8000 exceed-action policed-dscp-transmit
 class default-data
  set dscp default
  police 10000000 8000 exceed-action policed-dscp-transmit
policy-map CIP-PTP-Traffic
 class CIP-Implicit_dscp_55
  set ip dscp 55
 class CIP-Implicit_dscp_47
  set ip dscp 47
 class CIP-Implicit_dscp_43
  set ip dscp 43
 class CIP-Implicit_dscp_any
  set ip dscp 31
 class CIP-Other
  set ip dscp 27
 class 1588-PTP-Event
  set ip dscp 59
 class 1588-PTP-General
  set ip dscp 47
!
interface FastEthernet1/1
!
interface FastEthernet1/2
!
interface FastEthernet1/3
!
interface FastEthernet1/4
 description convenience port
 switchport access vlan 351
 switchport mode access
 ip access-group ACL-DEFAULT in
 authentication host-mode multi-host
 authentication order dot1x
 authentication priority dot1x
 authentication port-control auto
 authentication violation restrict
 dot1x pae authenticator
 dot1x timeout tx-period 3
!
interface FastEthernet1/5
!
interface FastEthernet1/6
!
interface FastEthernet1/7
!
interface FastEthernet1/8
!
interface FastEthernet1/9
 description to IACS CLX_B09 temp
 switchport access vlan 200
 switchport mode access
 load-interval 30
 srr-queue bandwidth share 1 19 40 40
 priority-queue out
 service-policy input CIP-PTP-Traffic
!
interface FastEthernet1/10
 description to IACS PIO_09 temp
 switchport access vlan 200
 switchport mode access
 load-interval 30
 srr-queue bandwidth share 1 19 40 40
 priority-queue out
 service-policy input CIP-PTP-Traffic
!
interface FastEthernet1/11
 description to IACS CLX_B10 temp
 switchport access vlan 200
 switchport mode access
 load-interval 30
 srr-queue bandwidth share 1 19 40 40
 priority-queue out
 service-policy input CIP-PTP-Traffic
!
interface FastEthernet1/12
 description to IACS PIO_10 temp
 switchport access vlan 200
 switchport mode access
 load-interval 30
 srr-queue bandwidth share 1 19 40 40
 priority-queue out
 service-policy input CIP-PTP-Traffic
!
interface FastEthernet1/13
!
interface FastEthernet1/14
!
interface FastEthernet1/15
!
interface FastEthernet1/16
!
interface GigabitEthernet1/1
 description to WS3750-Ring int gi 2/1/1
 switchport trunk native vlan 800
 switchport trunk allowed vlan 148,181-186,200,351,800,4093
 switchport mode trunk
 load-interval 30
 srr-queue bandwidth share 1 19 40 40
 priority-queue out
 rep segment 200
 mls qos trust cos
!
interface GigabitEthernet1/2
 description trunk uplink interface
 switchport trunk native vlan 800
 switchport trunk allowed vlan 148,181-186,200,351,800,4093
 switchport mode trunk
 load-interval 30
 srr-queue bandwidth share 1 19 40 40
 priority-queue out
 rep segment 200
 mls qos trust cos
!
interface Vlan1
 no ip address
!
interface Vlan148
 ip address 10.13.51.6 255.255.255.0
 ip helper-address 10.13.48.26
!
interface Vlan181
 ip address 10.20.181.6 255.255.255.0
 ip helper-address 10.13.48.26
!
interface Vlan182
 ip address 10.20.182.6 255.255.255.0
 ip helper-address 10.13.48.26
!
interface Vlan183
 ip address 10.20.183.6 255.255.255.0
 ip helper-address 10.13.48.26
!
interface Vlan184
 ip address 10.20.184.6 255.255.255.0
 ip helper-address 10.13.48.26
!
interface Vlan185
 ip address 10.20.185.6 255.255.255.0
 ip helper-address 10.13.48.26
!
interface Vlan186
 ip address 10.20.186.6 255.255.255.0
 ip helper-address 10.13.48.26
!
interface Vlan200
 ip address 10.20.10.6 255.255.255.0
!
interface Vlan4093
 ip address 10.40.93.140 255.255.255.0
!
ip default-gateway 10.40.93.1
ip http server
ip http secure-server
!
ip access-list extended ACL-DEFAULT
 permit udp any eq bootpc any eq bootps log
 permit udp any host 10.13.48.26 eq domain
 permit icmp any any
 permit udp any any eq tftp
 permit ip any any log
ip radius source-interface Vlan4093
access-list 101 permit udp any eq 2222 any dscp 55
access-list 102 permit udp any eq 2222 any dscp 47
access-list 103 permit udp any eq 2222 any dscp 43
access-list 104 permit udp any eq 2222 any
access-list 105 permit udp any eq 44818 any
access-list 105 permit tcp any eq 44818 any
access-list 106 permit udp any eq 319 any
access-list 107 permit udp any eq 320 any
snmp-server enable traps rep
tacacs server TACACS-SERVER-1
 address ipv4 192.168.254.24
 key 7 01200307490E12242455
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
!

B-30Deploying Identity Services within a Converged Plantwide Ethernet Architecture

ENET-TD008A-EN-P

Page 109: Deploying Identity Services within a Converged Plantwide Ethernet ...

Appendix B Configuration Examples

Example: IES Access Switch Configuration

radius server ISE address ipv4 10.13.48.32 auth-port 1812 acct-port 1813 timeout 5 retransmit 3 key 7 106D580A061843595F!line con 0line vty 0 4exec-timeout 0 0transport preferred nonetransport input sshline vty 5 15exec-timeout 0 0transport preferred nonetransport input ssh!ntp server 10.13.15.254end
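The configuration above authenticates only the "convenience port" (FastEthernet1/4) against ISE; the IACS device ports (FastEthernet1/9 through 1/12) carry no authentication commands. In a staged rollout it is easy to end up with ports that have part of the template and nothing else, so a defender wants a quick way to check which ports are enforced, partial or open. The script below is an added example written for this page, not code from the CPwE guide, Cisco or Rockwell Automation. It parses the interface blocks of an IOS running-config and classifies each port against the command set the convenience port uses. SAMPLE_CONFIG is a constructed excerpt modelled on the example above; its FastEthernet1/5 block is deliberately half-configured (on the page that port is empty) to exercise the partial case.

```python
"""Audit the 802.1X port template in an IOS access-switch configuration.

Added example (not from the CPwE guide or Cisco). It parses the interface
blocks of a running-config and reports, per port, whether the port
authenticates endpoints as the guide's convenience-port template does, has
only part of that template, or has no authentication (the IACS device ports).
SAMPLE_CONFIG is a constructed excerpt; FastEthernet1/5 is deliberately
half-configured to exercise the "partial" case.
"""
import re

# Authentication commands the guide's convenience-port template carries.
REQUIRED_DOT1X = (
    "authentication port-control auto",
    "authentication order dot1x",
    "authentication priority dot1x",
    "authentication violation restrict",
    "dot1x pae authenticator",
)

SAMPLE_CONFIG = """\
interface FastEthernet1/4
 description convenience port
 switchport access vlan 351
 switchport mode access
 ip access-group ACL-DEFAULT in
 authentication host-mode multi-host
 authentication order dot1x
 authentication priority dot1x
 authentication port-control auto
 authentication violation restrict
 dot1x pae authenticator
 dot1x timeout tx-period 3
!
interface FastEthernet1/5
 description half-configured port (constructed)
 switchport access vlan 351
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
interface FastEthernet1/9
 description to IACS CLX_B09 temp
 switchport access vlan 200
 switchport mode access
 service-policy input CIP-PTP-Traffic
!
"""


def parse_interfaces(config):
    """Return {interface name: [sub-commands]} for every interface block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            blocks[current] = []
        elif current is not None and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None  # "!" or a global command ends the block
    return blocks


def classify_port(lines):
    """Describe one interface: switchport mode, 802.1X state, pre-auth ACL."""
    if "switchport mode trunk" in lines:
        mode = "trunk"
    elif "switchport mode access" in lines:
        mode = "access"
    else:
        mode = "unknown"
    auth_present = any(line.startswith(("authentication ", "dot1x ")) for line in lines)
    missing = [cmd for cmd in REQUIRED_DOT1X if cmd not in lines]
    dot1x = "none" if not auth_present else ("enforced" if not missing else "partial")
    acl = None  # name of the ACL applied inbound before authentication, if any
    for line in lines:
        match = re.fullmatch(r"ip access-group (\S+) in", line)
        if match:
            acl = match.group(1)
    findings = []
    if dot1x == "partial":
        findings.append("incomplete 802.1X template, missing: " + "; ".join(missing))
    if dot1x == "enforced" and acl is None:
        findings.append("authenticating port has no inbound pre-authentication ACL")
    return {"mode": mode, "dot1x": dot1x, "missing": missing,
            "preauth_acl": acl, "findings": findings}


def audit(config):
    """Run classify_port over every interface block in the configuration."""
    return {name: classify_port(lines) for name, lines in parse_interfaces(config).items()}


if __name__ == "__main__":
    for name, entry in audit(SAMPLE_CONFIG).items():
        print(name, entry["dot1x"], entry["preauth_acl"], entry["findings"])
```

Run against a saved `show running-config`, the report separates the three states the guide's design produces: enforced ports (the convenience port, with ACL-DEFAULT applied inbound), IACS device ports with no authentication, and any port where the template was only partly applied. The required command set is the one the page's convenience port shows; a site that adds MAB or a different host mode would extend REQUIRED_DOT1X accordingly.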


Appendix C

Test Hardware and Software

The hardware and software components listed in Table C-1 were used in CPwE Identity Services testing.

Table C-1 Test Hardware and Software

| Role | Product | SW Version | Notes |
|---|---|---|---|
| IES Access Switch | Cisco IE 2000, Stratix 5700™ | 15.2(3)EA (Cisco), 15.2(3)EA (RA) | Cisco to test with IE2000, Rockwell Automation to test Stratix 5700 |
| IES Access Switch | Cisco IE 3000, Stratix 8000™ | 15.2(3)EA (Cisco), 15.2(3)EA (RA) | Cisco to test with IE3000, Rockwell Automation to test Stratix 8000 |
| Access Point | Aironet 3602E | 12.4(23)JY | Light Weight Access Point |
| Wireless LAN Controller (WLC) | Cisco 5508 | 8.0.100.0 | |
| Distribution Switch | Catalyst 3750-X | 15.2(3)E | Switch stack |
| Core Switch | Catalyst 6500 | 15.1(2)SY4 | Virtual Switching System (VSS) |
| Core Switch | Catalyst 4500E | 3.6.1E | Virtual Switching System (VSS) |
| Firewall | ASA 5515-X | 9.3(1) | Active and standby |
| Policy Server | ISE 3415, ISE 3495 | 1.3 | Distributed ISE |
| Client | Microsoft Windows Laptop | Windows 7 | |


Cisco is the worldwide leader in networking that transforms how people connect, communicate and collaborate. Information about Cisco can be found at www.cisco.com. For ongoing news, please go to http://newsroom.cisco.com. Cisco equipment in Europe is supplied by Cisco Systems International BV, a wholly owned subsidiary of Cisco Systems, Inc.

www.cisco.com

Americas Headquarters

Cisco Systems, Inc.

San Jose, CA

Asia Pacific Headquarters

Cisco Systems (USA) Pte. Ltd.

Singapore

Europe Headquarters

Cisco Systems International BV

Amsterdam, The Netherlands

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.

CCDE, CCENT, Cisco Eos, Cisco HealthPresence, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0812R)

Rockwell Automation is a leading provider of power, control and information solutions that enable customers to get products to market faster, reduce their total cost of ownership, better utilize plant assets, and minimize risks in their manufacturing environments.

www.rockwellautomation.com

Americas:

Rockwell Automation

1201 South Second Street

Milwaukee, WI 53204-2496 USA

Tel: (1) 414.382.2000, Fax: (1) 414.382.4444

Asia Pacific:

Rockwell Automation

Level 14, Core F, Cyberport 3

100 Cyberport Road, Hong Kong

Tel: (852) 2887 4788, Fax: (852) 2508 1846

Europe/Middle East/Africa:

Rockwell Automation

Vorstlaan/Boulevard du Souverain 36

1170 Brussels, Belgium

Tel: (32) 2 663 0600, Fax: (32) 2 663 0640

FactoryTalk, Stratix™, Stratix 8000, Stratix 5700 and Studio 5000 Logix Designer are trademarks of Rockwell Automation, Inc. Trademarks not belonging to Rockwell Automation are property of their respective companies.

© 2015 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights reserved.

Publication ENET-TD008A-EN-P June 2015

