Page 1: Universal  Wireless Config

Universal NGWC/3850 Wireless Configuration

For Cisco Identity Services Engine
Author: Hosuk Won
Current Document Version: 2.0
September 1, 2013


HowTo-$$-Universal_NGWC/3850_Config 2

Table of Contents

3850 Switch Wireless Configuration
    Overall Design
    Components used
    Few notes about NGWC wireless functions
    3850 Switch Wireless Configuration Steps
    3850 Example Configuration
ISE Configuration to suppress RADIUS test messages from the switch


3850 Switch Wireless Configuration

The Cisco Catalyst 3850 is the first stackable access switching platform that enables wired plus wireless services on a single

Cisco IOS XE Software-based platform. It provides a host of rich capabilities such as high availability based on stateful

switchover (SSO) on stacking, granular QoS, security, and Flexible Netflow (FNF) across wired and wireless in a seamless

fashion. Also, the wired plus wireless features are bundled into a single Cisco IOS Software image, which reduces the

number of software images that users have to qualify/certify before enabling them in their network. The single console port

for command-line interface (CLI) management reduces the number of touch points to manage for wired plus wireless

services, thereby reducing network complexity, simplifying network operations, and lowering the TCO to manage the

infrastructure.

Converged wired plus wireless not only improves wireless bandwidth across the network but also the scale of wireless

deployment. Each 48-port Cisco Catalyst 3850 provides 40 Gbps of wireless throughput (20 Gbps on the 24-port model).

This wireless capacity increases with the number of members in the stack. This makes sure that the network can scale with

current wireless bandwidth requirements, as dictated by IEEE 802.11n-based access points and with future wireless standards

such as IEEE 802.11ac. Additionally, the Cisco Catalyst 3850 distributes the wireless controller functions to achieve better

scalability. Each Cisco Catalyst 3850 switch/stack can operate as the wireless controller in two modes:

- Mobility agent (MA): This is the default mode in which the Cisco Catalyst 3850 switch ships. In this mode the

switch is capable of terminating the CAPWAP tunnels from the access points and providing wireless connectivity to

wireless clients. It maintains the wireless client database and configures and enforces security and QoS policies for

wireless clients and access points. No additional license on top of IP Base is required to operate in the mobility

agent mode.

- Mobility controller (MC): In this mode, the Cisco Catalyst 3850 switch can perform all the mobility agent tasks in

addition to mobility coordination, radio resource management (RRM), and Cisco CleanAir® coordination within a

mobility subdomain. The mobility controller mode can be enabled on the switch CLI. IP Base license level is

required when the Cisco Catalyst 3850 switch is acting as the mobility controller. A centrally located Cisco 5508

Wireless LAN Controller (WLC 5508), Cisco Wireless Services Module 2 (WiSM2) (when running AireOS Version

7.3), and Wireless LAN Controller 5760 can also perform this role for larger deployments.

Overall Design:

The following diagram shows the overall layout of the components. There are two Service Set Identifiers (SSIDs): one

secured with WPA2 (Wi-Fi Protected Access v2) + 802.1X, and one Open SSID with Central Web Authentication (CWA). Although

we won't go into the details of the Bring Your Own Device (BYOD) or posture policies within Cisco Identity Services

Engine (ISE), this setup provides the baseline for such operations. This document covers only the baseline wireless

configuration of the 3850 switch; for deploying the 3850 on the wired network and for other ISE configuration, please

refer to the respective ISE How-To documents.

Components used:

Cisco ISE 1.2.0.899

Cisco 3850 running IOS-XE version 03.02.02.SE

Cisco LWAP 3602

Microsoft Windows 2008 as AD/DNS/DHCP server

Few notes about NGWC wireless functions:

- The wireless management interface has to be in the same VLAN as the AP access VLAN; APs in FlexConnect mode are not

supported in this layout

- Client idle timeout is a global setting (as opposed to the latest AireOS releases)

- APs need to be directly connected to the 3850 switch


- No legacy AP discovery via DHCP option 43 or a DNS entry is needed: with CAPWAP snooping, all directly connected

APs can join the 3850 as long as they are placed in the correct VLAN. Because of CAPWAP snooping, once a wireless

management interface is configured on the 3850, all directly connected APs can only talk to the 3850

- HTTPS redirect is supported; however, the user will be required to trust the 3850's HTTPS certificate before continuing

- With IOS-XE version 03.02.02.SE, the 3850 switch provides some GUI-based wireless configuration functions

Note: Cisco 3850 can act as Mobility Agent (MA) mode or Mobility Controller (MC) mode. Every mobility deployment requires at least one MC and since our design consists of one 3850 switch, we will be configuring the switch as MC mode.

3850 Switch Wireless Configuration Steps

The Cisco 3850 is a Unified Access platform that provides convergence of the wired and wireless networks into one physical

infrastructure. This configuration example shows how to integrate Cisco 3850 switches for wireless authentication with ISE

to provide basis for advanced identity functionality such as BYOD and Posture assessment. The example provided in this

document will primarily focus on command line interface on the 3850 for wireless configuration.

Note: With Version 03.02.02.SE, Cisco introduces GUI access to the wireless configuration on the 3850. However, many parts of the configuration still rely on the CLI. This document covers only the CLI configuration.

Procedure 1 Validate licensing

The 3850 uses the Right-To-Use (RTU) license scheme. RTU licensing allows one to order and activate a specific license type

and level, and to manage license usage on the switch. To activate a license, one is required to accept the End-User License

Agreement (EULA). For an evaluation license, one is notified to purchase a permanent license or deactivate the license

before the 90-day period expires. Before the wireless function can be enabled on the 3850 switch, the switch needs to be

running the ipbase or ipservices feature set with the RTU license present and the EULA accepted. The RTU also governs the

number of APs (the AP count) when the switch is acting as Mobility Controller (MC).

Note: Prerequisite configuration: This guide assumes that the switches have the required licenses; the following step focuses on

validating the RTU license on the platform.

Step 1 Validate RTU licenses are in place.

Run following show command to view what licenses are available and in use:

3850#show license right-to-use summary

Sample output

3850#show license right-to-use summary

License Name   Type       Count   Period left
-----------------------------------------------
ipservices     permanent  N/A     Lifetime
apcount        base       0       Lifetime
apcount        adder      10      Lifetime
--------------------------------------------

License Level In Use: ipservices

License Level on Reboot: ipservices

Evaluation AP-Count: Disabled

Total AP Count Licenses: 10

AP Count Licenses In-use: 4

AP Count Licenses Remaining: 6

3850#


Step 2 Activate feature set that supports wireless controller functionality and also activate AP count RTU as well:

3850#license right-to-use activate ipservices slot 1 acceptEULA

3850#license right-to-use activate apcount 10 slot 1 acceptEULA

Note: Activating the AP count RTU may require the mobility controller feature to be enabled first (see Procedure 9).

Procedure 2 Configure the HTTP Server on the Switch

Step 1 Set the DNS domain name on the switch.

Cisco IOS® Software does not allow for certificates, or even self-generated keys, to be created and installed without

first defining a DNS domain name on the device. Enter the following:

3850(config)#ip domain-name example.com

Step 2 Generate keys to be used for HTTPS by entering the following:

3850(config)#crypto key generate rsa general-keys modulus 2048

Note: To avoid certificate mismatch errors during web redirection, we recommend that you use a certificate issued by

your trusted certificate authority instead of the locally generated self-signed certificate. This topic is beyond the scope of this document.

Step 3 Enable the HTTP servers on the switch.

The HTTP server must be enabled on the switch to perform the HTTP / HTTPS capture and redirection. Enter the

following:

3850(config)#ip http server

3850(config)#ip http secure-server

Note: Do not run the ip http secure-server command prior to generating the keys in step 2. If you perform the commands out of order, the switch will automatically generate a certificate with a smaller key size. This certificate can cause undesirable behaviour when redirecting HTTPS traffic. Unlike a WLC running AireOS, 3850 Series wireless supports redirection of HTTPS requests; however, endpoints will be prompted to trust the switch's self-signed certificate during the redirection, which also trains users to click through certificate warnings. A certificate from a CA the endpoints already trust avoids the prompt.

Step 4 Disable HTTP & HTTPS for other switch management functions (Optional):

3850(config)#ip http active-session-modules none

3850(config)#ip http secure-active-session-modules none

Note: This leaves the HTTP server running for redirection only. It disables web-based management of the 3850, including the wireless configuration GUI and management from Cisco Prime Infrastructure (formerly NCS).

Procedure 3 Configure the Global AAA Commands

Step 1 Enable authentication, authorization, and accounting (AAA) on the access switches.

By default, the AAA “subsystem” of the Cisco switch is disabled. Prior to enabling the AAA subsystem, none of the

required commands will be available in the configuration. Enter the following:

3850(config)#aaa new-model

3850(config)#aaa session-id common

Note: This command enables any of the services that AAA network security services provide—for example, local login authentication and authorization, defining and applying method lists, and so on. For further details, please refer to the Cisco IOS Security Configuration Guide.

Step 2 Create an authentication method for 802.1X.

An authentication method is required to instruct the switch on which group of RADIUS servers to use for 802.1X

authentication requests:


3850(config)#aaa authentication dot1x default group radius

Step 3 Create an authorization method for 802.1X.

The method created in step 2 will enable the user/device identity (username/password or certificate) to be validated by

the RADIUS server. However, simply having valid credentials is not enough. There must be an authorization as well.

The authorization is what defines that the user or device is actually allowed to access the network, and what level of

access is actually permitted.

3850(config)#aaa authorization network default group radius

Step 4 Create an accounting method for 802.1X.

RADIUS accounting packets are extremely useful and are required for many ISE functions. These types of packets will

help ensure that the RADIUS server (Cisco ISE) knows the exact state of the interface and endpoint. Without the

accounting packets, Cisco ISE would have knowledge only of the authentication and authorization communication.

Accounting packets provide information on length of the authorized session, as well as bandwidth usage of the client.

3850(config)#aaa accounting dot1x default start-stop group radius

Step 5 Configure periodic RADIUS accounting update.

Periodic RADIUS accounting packets allows Cisco ISE to track which sessions are still active on the network. This

command sends periodic updates every 15 minutes.

3850(config)#aaa accounting update periodic 15

Procedure 4 Configure the Global RADIUS Commands

We configure a proactive method to check the availability of the RADIUS server. With this practice, the switch will send

periodic test authentication messages to the RADIUS server (Cisco ISE). It is looking for a RADIUS response from the

server. A success message is not necessary; a failed authentication will suffice, because it shows that the server is alive.

Best Practice: With ISE 1.2 there is a feature to suppress authentications with certain conditions. We will use that feature to suppress any RADIUS keepalive messages. See end of this document for instructions.

Step 1 Add the Cisco ISE servers to the RADIUS group.

In this step we will add each Cisco ISE Policy Services Node (PSN) to the switch configuration, using the radius-test

account for the keepalive. Repeat for each PSN.

3850(config)#radius-server host 192.168.201.88 auth-port 1812 acct-port 1813 test username radius-test idle-time 5 key cisco123

Note: The server will be proactively checked for responses once every 5 minutes, in addition to any authentications or authorizations occurring through normal processes. This value may be too aggressive for deployments on ISE versions prior to 1.2, which lack the log suppression feature; in that case increase it to 60 minutes or higher. The shared secret shown (cisco123) is a placeholder: use a long, unique secret per switch and make sure it matches the Network Device definition in ISE, since with a mismatched secret the switch never receives a valid response and will eventually mark the server dead.

Step 2 Set the dead criteria.

The switch has been configured to proactively check the Cisco ISE server for RADIUS responses. Now configure the

counters on the switch to determine if the server is alive or dead. Our settings will be to wait 10 seconds for a response

from the RADIUS server and attempt the test 3 times before marking the server dead. If a Cisco ISE server doesn’t

have a valid response within 30 seconds, it will be marked as dead. Also deadtime defines how long the switch will

mark the server dead, which we are setting it to 15 minutes.

3850(config)#radius-server dead-criteria time 10 tries 3

3850(config)#radius-server deadtime 15

Note: High availability with multiple PSNs is outside the scope of this document; refer to the respective ISE How-To documents.


Step 3 Enable change of authorization (CoA).

Previously we defined the IP address of the RADIUS server that the switch sends RADIUS messages to. However, the

servers that are allowed to perform change of authorization (CoA, RFC 3576, updated by RFC 5176) operations are defined

in a separate list, also within global configuration mode. Only the clients listed here can push CoA to the switch, so limit the list to your PSNs and use the same shared secret that ISE holds for this device:

3850(config)#aaa server radius dynamic-author

3850(config-locsvr-da-radius)#client 192.168.201.88 server-key cisco123

3850(config-locsvr-da-radius)#auth-type any

Step 4 Configure the switch to use the Cisco vendor-specific attributes.

Here we configure the switch to send any defined vendor-specific attributes (VSA) to Cisco ISE PSNs during

authentication requests and accounting updates.

3850(config)#radius-server vsa send authentication

3850(config)#radius-server vsa send accounting

Step 5 Next, configure the standard RADIUS attributes that ISE relies on. These are IETF attributes rather than VSAs: attribute 6 (Service-Type) is sent for login authentications, attribute 8 (Framed-IP-Address) and attribute 25 (Class) are included in Access-Requests, and attribute 31 (Calling-Station-Id) carries the client MAC address in upper-case IETF format.

3850(config)#radius-server attribute 6 on-for-login-auth

3850(config)#radius-server attribute 8 include-in-access-req

3850(config)#radius-server attribute 25 access-request include

3850(config)#radius-server attribute 31 mac format ietf upper-case

3850(config)#radius-server attribute 31 send nas-port-detail mac-only

Step 6 Ensure the switch always sends traffic from the correct interface for RADIUS request.

Switches may often have multiple IP addresses associated to them. Therefore, it is a best practice to always force any

management communications to occur through a specific interface. This interface IP address must match the IP address

defined in the Cisco ISE Network Device object.

Cisco Best Practice: As a network management best practice, use a loopback adapter for all management communications, and advertise

that loopback interface into the internal routing protocol.

3850(config)#ip radius source-interface vlan 201
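The keepalive exchange configured in Step 1 and judged by the dead criteria in Step 2, worked through in Python. This is an added example, not Cisco code and not part of the original How-To: the packet identifier, the NAS address 192.168.201.1 and the request authenticator are constructed for it, only the shared secret cisco123 and the radius-test user come from the page, and the encoding follows RFC 2865. It shows why a failed authentication is enough for the switch: the Access-Reject carries a Response Authenticator computed with the shared secret, so any reply that verifies proves the PSN is up and holds the right key.

```python
"""RADIUS keepalive exchange from Procedure 4, Step 1, worked in Python.

Added illustration, not Cisco code and not from the original How-To. The
packets (identifier 7, NAS address 192.168.201.1, the request authenticator)
are constructed for the example; only the shared secret 'cisco123' and the
'radius-test' user come from the page.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length (incl. the 2 header bytes), Value (RFC 2865 s.5)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_user_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 s.5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous ciphertext block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def build_access_request(secret: bytes, username: bytes, password: bytes, nas_ip: str,
                         identifier: int, req_auth: Optional[bytes] = None) -> bytes:
    """The Access-Request the switch sends every idle-time for 'test username radius-test'."""
    req_auth = req_auth or os.urandom(16)   # random per request; also keys the password hiding
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_user_password(password, secret, req_auth))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + req_auth + attrs


def build_response(code: int, secret: bytes, request: bytes, attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(secret: bytes, request: bytes, response: bytes) -> bool:
    """NAS side: a reply only counts if its ID and length are sane and its authenticator recomputes under our secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


def server_is_alive(secret: bytes, request: bytes, response: Optional[bytes]) -> bool:
    """Dead-criteria view of one probe: no reply or an unverifiable reply is a miss (three misses under
    'time 10 tries 3' mark the server dead); a verified Accept *or Reject* means the server is alive."""
    if response is None or not verify_response(secret, request, response):
        return False
    return response[0] in (ACCESS_ACCEPT, ACCESS_REJECT)


if __name__ == "__main__":
    secret = b"cisco123"                      # 'key' from the radius-server host line
    req = build_access_request(secret, b"radius-test", b"radius-test", "192.168.201.1", identifier=7)
    real = build_response(ACCESS_REJECT, secret, req)
    forged = build_response(ACCESS_REJECT, b"wrong-secret", req)
    print("Access-Reject from the real PSN counts as alive:", server_is_alive(secret, req, real))
    print("Reply signed with the wrong secret counts as alive:", server_is_alive(secret, req, forged))
```

Run it directly to see both cases. The point for ISE operators is the one the text makes: the Access-Reject for radius-test is a perfectly good liveness signal, which is why the collection filter at the end of this document suppresses the log entry rather than disabling the probe.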

Procedure 5 Configure VLANs and SVIs.

The wireless management interface is required to build the CAPWAP tunnel with the Lightweight APs. VLANs also need to

be created for each WLAN that will be set up for wireless access, as well as any user VLANs that will map to those

WLANs.

Step 1 Add the following VLANs for wireless management and WLAN interface:

3850(config)#vlan 80

3850(config-vlan)#name AP_VLAN

3850(config-vlan)#vlan 30

3850(config-vlan)#name WLAN_USER

3850(config-vlan)#vlan 40

3850(config-vlan)#name WLAN_GUEST

Step 2 Create SVI for wireless management interface.

This interface will be used to communicate with the LWAPs. The LWAPs need to be connected directly to the 3850

switch, and their switchports need to be in the same VLAN as the wireless management VLAN. Also configure an IP

helper address so that DHCP requests from the LWAPs are forwarded to the DHCP server.

3850(config)#interface Vlan 80


3850(config-if)#ip address 192.168.80.1 255.255.255.0

3850(config-if)#ip helper-address 192.168.201.72

3850(config-if)#no shutdown

Procedure 6 Configure DHCP Snooping (Optional).

DHCP snooping is not required for 3850 wireless feature to function, but it is considered a best practice to require all

endpoints to get addresses assigned by the DHCP server. This is done by enabling DHCP snooping globally and running the

dhcp required option on the WLAN configuration.

Before configuring DHCP snooping, be sure to note the location of your trusted DHCP servers. When you configure DHCP

snooping, the switch will deny DHCP server replies from any port not configured as “trusted.” Enter interface configuration

mode for the uplink interface and configure it as a trusted port.

Step 1 Configure Dynamic Host Configuration Protocol (DHCP) snooping for trusted ports.

3850(config)#interface GigabitEthernet x/y/z

3850(config-if)#description Server

3850(config-if)#ip dhcp snooping trust

Step 2 Enable DHCP snooping.

DHCP snooping is enabled at global configuration mode. After enabling DHCP snooping, you must configure the

VLANs it should work with, which in our example is VLAN 30 & 40.

3850(config)#ip dhcp snooping vlan 30,40

3850(config)#no ip dhcp snooping information option

3850(config)#ip dhcp snooping

Procedure 7 Configure Local Access Control Lists.

Certain functions on the switch require locally configured access control lists (ACLs), such as URL redirection.

Some of the ACLs you create will be used immediately, and some may not be used until a much later phase of your

deployment. The goal of this section is to prepare the switches for all possible deployment models at one time, and limit the

operational expense of repeated switch configuration.

Step 1 Add the following ACL to be used for URL redirection with web authentication. Note that a redirect ACL selects traffic rather than filtering it: traffic matching a permit entry is redirected to the ISE portal, and traffic matching a deny entry is passed through without redirection. The deny entries below therefore exempt DNS and DHCP to the server (192.168.201.72) and all traffic to the ISE PSN (192.168.201.88), so that a client can resolve names, obtain an address and reach the portal itself:

3850(config)#ip access-list extended REDIRECT-ACL

3850(config-ext-nacl)#deny udp any host 192.168.201.72 eq 53

3850(config-ext-nacl)#deny udp any eq bootpc host 192.168.201.72 eq bootps

3850(config-ext-nacl)#deny ip any host 192.168.201.88

3850(config-ext-nacl)#permit ip any any
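How the switch reads REDIRECT-ACL, worked as a small first-match evaluator. This is an added example, not Cisco code and not part of the original How-To: the rules mirror the ACL above entry for entry, the client address 192.168.40.25 and the external addresses are constructed, and the model assumes that only HTTP/HTTPS selected by a permit line is actually intercepted by the switch's web server, with other selected traffic left to the downloadable ACL (which it does not model).

```python
"""How the 3850 reads REDIRECT-ACL from Procedure 7, worked as a small evaluator.

Added example, not part of the original How-To and not Cisco code. A URL-redirect
ACL selects traffic rather than filtering it: a packet hitting a 'permit' entry
is intercepted by the switch's HTTP server and sent to the ISE portal, a packet
hitting a 'deny' entry passes through unredirected, and a packet matching nothing
is not redirected either. Assumption: only web traffic can be intercepted; other
traffic selected by 'permit' is left to the downloadable ACL, not modelled here.
The rules mirror the page's ACL; the packets are constructed.
"""
import ipaddress
from typing import List, NamedTuple, Optional

WEB_PORTS = {80, 443}   # ip http server / ip http secure-server listen here


class Rule(NamedTuple):
    action: str                 # "permit" = redirect, "deny" = do not redirect
    proto: str                  # "ip" matches any protocol
    src: str                    # "any" or a host / CIDR
    src_port: Optional[int]
    dst: str
    dst_port: Optional[int]


class Packet(NamedTuple):
    proto: str
    src: str
    src_port: Optional[int]
    dst: str
    dst_port: Optional[int]


# ip access-list extended REDIRECT-ACL, entry for entry
REDIRECT_ACL: List[Rule] = [
    Rule("deny", "udp", "any", None, "192.168.201.72", 53),    # DNS to the corporate resolver is never redirected
    Rule("deny", "udp", "any", 68, "192.168.201.72", 67),      # DHCP (bootpc -> bootps) must reach the server
    Rule("deny", "ip", "any", None, "192.168.201.88", None),   # the ISE PSN itself hosts the portal
    Rule("permit", "ip", "any", None, "any", None),            # everything else goes to the portal
]


def _addr_match(spec: str, ip: str) -> bool:
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_match(spec: Optional[int], port: Optional[int]) -> bool:
    return spec is None or spec == port


def first_match(acl: List[Rule], pkt: Packet) -> Optional[Rule]:
    """First-match semantics, like the switch; None means the implicit deny (no redirect)."""
    for rule in acl:
        if ((rule.proto == "ip" or rule.proto == pkt.proto)
                and _addr_match(rule.src, pkt.src) and _port_match(rule.src_port, pkt.src_port)
                and _addr_match(rule.dst, pkt.dst) and _port_match(rule.dst_port, pkt.dst_port)):
            return rule
    return None


def is_selected(acl: List[Rule], pkt: Packet) -> bool:
    """True when the ACL's first matching entry is a permit."""
    rule = first_match(acl, pkt)
    return rule is not None and rule.action == "permit"


def is_redirected(acl: List[Rule], pkt: Packet) -> bool:
    """True when the packet is selected AND is HTTP/HTTPS that the switch's web server can intercept."""
    return is_selected(acl, pkt) and pkt.proto == "tcp" and pkt.dst_port in WEB_PORTS


if __name__ == "__main__":
    guest = "192.168.40.25"                        # a client on WLAN_GUEST (constructed)
    for pkt in (Packet("udp", guest, 51515, "192.168.201.72", 53),
                Packet("tcp", guest, 40001, "192.168.201.88", 8443),
                Packet("tcp", guest, 40002, "198.51.100.10", 80),
                Packet("udp", guest, 51516, "198.51.100.10", 53)):
        verdict = "redirected" if is_redirected(REDIRECT_ACL, pkt) else "passes"
        print(pkt.proto, pkt.dst, pkt.dst_port, "->", verdict)
```

Swap in the addresses of your own DNS/DHCP server and PSNs. If a client lands in a redirect loop or never reaches the portal, the first thing to check is that DNS and the PSN address are still covered by deny entries.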

Procedure 8 Configure the Global 802.1X Commands

Step 1 Enable 802.1X globally on the switch.

Enabling 802.1X globally on the switch does not actually enable authentication on any of the WLANs or interfaces.

3850(config)#dot1x system-auth-control

Step 2 Enable Downloadable ACLs to function.

Downloadable access control lists (dACLs) are a very common enforcement mechanism in a Cisco ISE deployment. In

order for dACLs to function properly on a switch, IP device tracking must be enabled globally, as follows:

3850(config)#ip device tracking

Note: There are some uncommon cases with Windows 7 and devices that do not respond to ARP probes where it may be required to use the command ip device tracking probe use-svi, so that the probes are sourced from the SVI address rather than from 0.0.0.0.

Procedure 9 Configure the Global Wireless feature

Step 1 Enable mobility controller (MC) feature on the switch.

3850 switch can act as Mobility Agent (MA) only or MC+MA. For any 3850 wireless deployment there needs to be at

least one MC available for the deployment. We are configuring the 3850 as MC+MA as we only have one 3850 switch.

3850(config)#wireless mobility controller

Note: 3850 switch is always configured as MA

Step 2 Enable management interface.

With the 3850, all APs need to be on the same VLAN as the management interface. This allows the CAPWAP tunnel to form

between the APs and the 3850 switch.

3850(config)#wireless management interface Vlan80

Note: If there are LWAPs configured with CUWN WLC connected to the 3850 switch, after above command is entered all the LWAPs connected to the 3850 will lose connection to the CUWN WLC and start registering with the 3850 switch. The LWAPs will then go through code upgrade and finally join the 3850 switch.

Step 3 Enable fast-ssid-change feature.

Fast-SSID-Change feature allows clients to move from one SSID to another without delay. This feature allows client to

move from open SSID to secure SSID in dual-SSID scenario for BYOD without delay.

3850(config)#wireless client fast-ssid-change

Note: This is primarily to address Apple iOS devices shifting from one SSID to another within short period of time

Step 4 Configure client idle timeout.

The idle timeout allows the switch to remove the client session when no traffic has been seen from the client within the

configured timeframe. If this value is too short, client devices will be forced to reauthenticate when coming out of

stand-by mode. Here we are setting it to 2 hours (7200 seconds).

3850(config)#wireless client user-timeout 7200

Step 5 Enable captive portal bypass feature.

Apple introduced an iOS feature, the Captive Network Assistant (CNA), to facilitate network access when captive portals

are present. Upon connecting to a wireless network, the device attempts to detect a captive portal by sending a web

request to http://www.apple.com/library/test/success.html. If the expected response is received, Internet access is assumed and

no further interaction is required. If not, Internet access is assumed to be blocked by a captive portal and CNA

auto-launches a pseudo-browser in a controlled window to request the portal login. CNA may break when redirected

to an ISE captive portal. The following CLI command prevents the pseudo-browser from popping up:

3850(config)#captive-portal-bypass

Procedure 10 Configure WLANs

Step 1 Add 802.1x enabled WLAN.

This command creates a WLAN with example_employee as profile and SSID with WLAN ID of 1. If this 3850 switch

is part of bigger deployments, make sure all the settings match on all the switches for the WLAN settings.

3850(config)#wlan example_employee 1 example_employee

Note: Although we are not entering L2 security settings for the wlan, the default setting for any wlan is WPA2/AES with 802.1x


Step 2 Configure WLAN to accept RADIUS Authorization and instructions from the RADIUS server.

The AAA Override option of a WLAN enables you to configure the WLAN for identity networking. It enables you to

apply VLAN tagging, Quality of Service (QoS), and Access Control Lists (ACLs) to individual clients based on the

returned RADIUS attributes from the ISE. Also, the nac directive enables different client state based on instructions in

the URL-Redirect such as CWA, DRW, MDM, NSP, and CPP.

3850(config-wlan)#aaa-override

3850(config-wlan)#nac

Step 3 Map VLAN to the WLAN.

Assign user VLAN created earlier to the WLAN.

3850(config-wlan)#client vlan 30

Step 4 Prevent network access from clients with static IP (Optional).

If DHCP snooping was configured for the above VLAN in the previous steps, this setting prevents client devices with a

static IP address from passing traffic.

3850(config-wlan)#ip dhcp required

Step 5 Configure session timeout (Reauthentication timer).

This value dictates how often the client will re-authenticate via the RADIUS server.

3850(config-wlan)#session-timeout 86400

Step 6 Enable the WLAN.

3850(config-wlan)#no shutdown

Note: Whenever the WLAN configuration needs to be modified, the WLAN has to be shut down first. Once modified it can be re-enabled by running the above command. Note that shutting down the WLAN disconnects all users on it.

Step 7 Add open SSID to use with ISE CWA.

3850(config)#wlan example_open 2 example_open

Step 8 Enable MAC filtering on the WLAN.

Since this is open SSID, enabling MAC-Filtering with default RADIUS list will provide CWA using ISE as external

web server.

3850(config-wlan)#mac-filtering default

Step 9 Configure WLAN to accept RADIUS Authorization messages from the RADIUS server

3850(config-wlan)#aaa-override

3850(config-wlan)#nac

Step 10 Map VLAN to the WLAN.

3850(config-wlan)#client vlan 40

Step 11 Prevent network access from clients with static IP (Optional).

3850(config-wlan)#ip dhcp required


Step 12 Disable WPA and 802.1x on the WLAN.

Disable all L2 security features and set the WLAN as open SSID.

3850(config-wlan)#no security wpa

3850(config-wlan)#no security wpa akm dot1x

3850(config-wlan)#no security wpa wpa2

3850(config-wlan)#no security wpa wpa2 ciphers aes

Step 13 Configure session timeout (Reauthentication timer).

3850(config-wlan)#session-timeout 7200

Note: The session-timeout for open SSID is set to lower value than secure SSID, as reauthentication of MAB request does not impact

ISE as much as 802.1x request

Step 14 Enable the WLAN

3850(config-wlan)#no shutdown

Procedure 11 Configure Interfaces for Wireless APs

Step 1 Identify and configure interfaces where LWAP plugs in.

3850(config)#interface GigabitEthernet x/y/z

3850(config-if)#description AP

Note: With 3850 switch, the LWAP needs to be directly connected to the switch

Step 2 Assign wireless management VLAN.

Place the AP-facing port in the wireless management VLAN as an access port. No port authentication is configured here;

the AP joins the switch over CAPWAP once it is in the correct VLAN.

3850(config-if)#switchport mode access

3850(config-if)#switchport access vlan 80

Note: 3850 introduces a new way of discovering new LWAPs by using CAPWAP snooping feature. There is no need to configure DHCP option 43 or DNS entry for 3850 wireless management IP address

Step 3 Enable spanning-tree portfast.

3850(config-if)#spanning-tree portfast

Step 4 Enable the interface.

3850(config-if)#no shutdown

Step 5 Validate AP status.

After APs have been upgraded and rebooted, validate that all APs are running in Local mode and the Country setting is

correct. Also, make sure all AP Status shows up as Joined.

3850#show ap status

3850#show ap join stats summary

Note: Currently 3850 only supports LWAPs in Local, Monitor, se-connect, and sniffer mode. If the LWAP was previously configured as

FlexConnect mode then run ‘ap name {AP_NAME} mode local’ command

Sample output

3850#show ap status

AP Name              Status    Mode    Country
-------------------------------------------------------------------------
AP4c4e.350d.35f8     Enabled   Local   US
APd48c.b5e4.3b88     Enabled   Local   US
AP4c4e.35c7.1572     Enabled   Local   US
AP44d3.ca42.58cd     Enabled   Local   US

3850#show ap join stats summary

Number of APs : 4

Base MAC         Ethernet MAC     AP Name            IP Address       Status
-----------------------------------------------------------------------------
20bb.c067.fda0   4c4e.350d.35f8   AP4c4e.350d.35f8   192.168.80.103   Joined
34bd.c890.52f0   d48c.b5e4.3b88   APd48c.b5e4.3b88   192.168.80.101   Joined
5006.046e.f300   4c4e.35c7.1572   AP4c4e.35c7.1572   192.168.80.100   Joined
64d9.8946.b160   44d3.ca42.58cd   AP44d3.ca42.58cd   192.168.80.102   Joined

3850#

Step 6 Save configuration.

3850#write memory
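The validation in Step 5 as a script, so the check is repeatable after every AP code upgrade or stack change. This is an added example, not Cisco code and not part of the original How-To: it parses the two show commands' output as captured from the switch and reports any AP that is not Enabled, not in Local mode, in the wrong country, not Joined, missing from one of the two tables, or addressed outside the wireless management VLAN. The embedded sample output is the page's own in the switch's column layout; the expected country and the management subnet 192.168.80.0/24 are arguments and assumptions for this example.

```python
"""Validates the AP state from Procedure 11, Step 5, from the two 'show ap' outputs.

Added example, not part of the original How-To and not Cisco code. The sample
outputs below are the page's own; the expected country and subnet are assumptions.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

SHOW_AP_STATUS = """\
AP Name              Status    Mode    Country
-------------------------------------------------------------------------
AP4c4e.350d.35f8     Enabled   Local   US
APd48c.b5e4.3b88     Enabled   Local   US
AP4c4e.35c7.1572     Enabled   Local   US
AP44d3.ca42.58cd     Enabled   Local   US
"""

SHOW_AP_JOIN = """\
Number of APs : 4
Base MAC         Ethernet MAC     AP Name            IP Address       Status
-----------------------------------------------------------------------------
20bb.c067.fda0   4c4e.350d.35f8   AP4c4e.350d.35f8   192.168.80.103   Joined
34bd.c890.52f0   d48c.b5e4.3b88   APd48c.b5e4.3b88   192.168.80.101   Joined
5006.046e.f300   4c4e.35c7.1572   AP4c4e.35c7.1572   192.168.80.100   Joined
64d9.8946.b160   44d3.ca42.58cd   AP44d3.ca42.58cd   192.168.80.102   Joined
"""

# Data rows have exactly four / five whitespace-separated fields; header and rule lines do not match.
_STATUS_ROW = re.compile(r"^(?P<name>AP\S+)\s+(?P<status>\S+)\s+(?P<mode>\S+)\s+(?P<country>\S+)$")
_MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
_JOIN_ROW = re.compile(rf"^(?P<base>{_MAC})\s+(?P<eth>{_MAC})\s+(?P<name>\S+)\s+"
                       rf"(?P<ip>\d+(?:\.\d+){{3}})\s+(?P<status>\S+)$")


def parse_ap_status(text: str) -> Dict[str, Dict[str, str]]:
    rows: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        m = _STATUS_ROW.match(line.strip())
        if m:
            rows[m["name"]] = m.groupdict()
    return rows


def parse_ap_join(text: str) -> Tuple[Optional[int], Dict[str, Dict[str, str]]]:
    count, rows = None, {}
    for line in text.splitlines():
        line = line.strip()
        m_count = re.match(r"Number of APs\s*:\s*(\d+)$", line)
        if m_count:
            count = int(m_count[1])
            continue
        m = _JOIN_ROW.match(line)
        if m:
            rows[m["name"]] = m.groupdict()
    return count, rows


def validate_aps(status_text: str, join_text: str,
                 expected_country: str = "US", mgmt_subnet: str = "192.168.80.0/24") -> List[str]:
    """Return findings; an empty list means every AP is Enabled, Local, Joined, in-country and in-subnet."""
    findings: List[str] = []
    status = parse_ap_status(status_text)
    count, joins = parse_ap_join(join_text)
    subnet = ipaddress.ip_network(mgmt_subnet)
    if count is not None and count != len(joins):
        findings.append(f"join summary reports {count} APs but lists {len(joins)}")
    for name, ap in status.items():
        if ap["status"] != "Enabled":
            findings.append(f"{name}: status is {ap['status']}")
        if ap["mode"] != "Local":
            findings.append(f"{name}: mode is {ap['mode']}; run 'ap name {name} mode local'")
        if ap["country"] != expected_country:
            findings.append(f"{name}: country is {ap['country']}, expected {expected_country}")
        joined = joins.get(name)
        if joined is None:
            findings.append(f"{name}: not present in 'show ap join stats summary'")
        else:
            if joined["status"] != "Joined":
                findings.append(f"{name}: join status is {joined['status']}")
            if ipaddress.ip_address(joined["ip"]) not in subnet:
                findings.append(f"{name}: address {joined['ip']} is outside the management VLAN {mgmt_subnet}")
    for name in sorted(joins.keys() - status.keys()):
        findings.append(f"{name}: joined but absent from 'show ap status'")
    return findings


if __name__ == "__main__":
    problems = validate_aps(SHOW_AP_STATUS, SHOW_AP_JOIN)
    print("\n".join(problems) if problems else "all APs Enabled/Local/Joined on the management VLAN")
```

Feed it the two outputs captured from your own switch (for example via an SSH session) and treat any finding as a reason not to proceed to the WLAN tests. An AP still in FlexConnect mode is the common case after migrating from an AireOS controller.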


3850 Example Configuration

hostname 3850
!
aaa new-model
aaa session-id common
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting update periodic 15
!
! Only the PSNs listed here may send CoA to this switch
aaa server radius dynamic-author
 client 192.168.201.88 server-key cisco123
 auth-type any
!
vlan 80
 name AP_VLAN
vlan 30
 name WLAN_USER
vlan 40
 name WLAN_GUEST
!
! Wireless management SVI; APs must be in this VLAN
interface Vlan80
 ip address 192.168.80.1 255.255.255.0
 ip helper-address 192.168.201.72
 no shutdown
!
! User and guest SVIs; the second helper-address copies client DHCP to ISE for profiling
interface Vlan30
 ip address 192.168.30.1 255.255.255.0
 ip helper-address 192.168.201.72
 ip helper-address 192.168.201.88
 no shutdown
interface Vlan40
 ip address 192.168.40.1 255.255.255.0
 ip helper-address 192.168.201.72
 ip helper-address 192.168.201.88
 no shutdown
!
ip device tracking
!
ip dhcp snooping vlan 30,40
no ip dhcp snooping information option
ip dhcp snooping
!
ip domain-name example.com
!
! Generates the key pair used by ip http secure-server; run once, the key
! itself is not stored as a configuration line
crypto key generate rsa general-keys modulus 2048
!
dot1x system-auth-control
!
! HTTP server kept only for URL redirection; web management is disabled
ip http server
ip http secure-server
ip http secure-active-session-modules none
ip http active-session-modules none
!
! Redirect ACL: deny = pass through unredirected, permit = redirect to ISE
ip access-list extended REDIRECT-ACL
 deny udp any host 192.168.201.72 eq 53
 deny udp any eq bootpc host 192.168.201.72 eq bootps
 deny ip any host 192.168.201.88
 permit ip any any
!
! Vlan201 is the management SVI whose address is defined in ISE (not shown)
ip radius source-interface Vlan201
! Read-only community; replace the placeholder string before deployment
snmp-server community cisco123 RO
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail mac-only
radius-server dead-criteria time 10 tries 3
radius-server host 192.168.201.88 auth-port 1812 acct-port 1813 test username radius-test idle-time 5 key cisco123
radius-server deadtime 15
radius-server vsa send accounting
radius-server vsa send authentication
!
wireless mobility controller
wireless management interface Vlan80
wireless client fast-ssid-change
! Permits management of the switch from wireless clients; not part of the
! procedures above, remove unless it is actually needed
wireless mgmt-via-wireless
wireless client user-timeout 7200
captive-portal-bypass
!
wlan example_employee 1 example_employee
 aaa-override
 client vlan 30
 nac
 ip dhcp required
 session-timeout 86400
 no shutdown
!
wlan example_open 2 example_open
 aaa-override
 client vlan 40
 mac-filtering default
 nac
 ip dhcp required
 no security wpa
 no security wpa akm dot1x
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 session-timeout 7200
 no shutdown
!
! Uplink to the server VLAN; trusted for DHCP snooping
interface GigabitEthernet1/0/17
 description Server
 switchport mode access
 switchport access vlan 201
 ip dhcp snooping trust
 spanning-tree portfast
 no shutdown
!
! Directly connected AP in the wireless management VLAN
interface GigabitEthernet1/0/9
 description AP
 switchport mode access
 switchport access vlan 80
 spanning-tree portfast
 no shutdown
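A check over a configuration like the one above, so that a 3850 can be compared against this baseline before it goes into an ISE deployment. This is an added example, not Cisco code and not part of the original How-To: it reads the text of show running-config, confirms the global commands from Procedures 3 to 9 are present, checks each WLAN for aaa-override, nac and ip dhcp required, and flags the items a reviewer would question in the example (management over wireless, the HTTP management modules left open, a guessable SNMP community, and RADIUS secrets that look like placeholders). SAMPLE_CONFIG is a condensed copy of the example configuration constructed for this script, and PLACEHOLDER_SECRETS is an assumption.

```python
"""Audit of a 3850 running-config against the baseline this document builds.

Added example, not part of the original How-To and not Cisco code.
SAMPLE_CONFIG is a condensed copy of the page's example configuration,
constructed for this script; PLACEHOLDER_SECRETS is an assumption.
"""
import re
from typing import Dict, List

SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting update periodic 15
aaa server radius dynamic-author
 client 192.168.201.88 server-key cisco123
 auth-type any
dot1x system-auth-control
ip device tracking
ip dhcp snooping vlan 30,40
ip dhcp snooping
ip http server
ip http secure-server
snmp-server community cisco123 RO
radius-server host 192.168.201.88 auth-port 1812 acct-port 1813 test username radius-test idle-time 5 key cisco123
radius-server vsa send accounting
radius-server vsa send authentication
wireless mobility controller
wireless management interface Vlan80
wireless mgmt-via-wireless
captive-portal-bypass
wlan example_employee 1 example_employee
 aaa-override
 client vlan 30
 nac
 ip dhcp required
 no shutdown
wlan example_open 2 example_open
 aaa-override
 client vlan 40
 mac-filtering default
 nac
 ip dhcp required
 no security wpa
 no shutdown
"""

# Global commands the procedures require (matched as prefixes so parameters may vary).
REQUIRED_GLOBALS = [
    "aaa new-model",
    "aaa authentication dot1x default group radius",
    "aaa authorization network default group radius",
    "aaa accounting dot1x default start-stop group radius",
    "aaa server radius dynamic-author",
    "dot1x system-auth-control",
    "ip device tracking",
    "ip http server",
    "ip http secure-server",
    "radius-server host",
    "radius-server vsa send authentication",
    "radius-server vsa send accounting",
    "wireless mobility controller",
    "wireless management interface",
]
PLACEHOLDER_SECRETS = {"cisco", "cisco123", "password", "secret", "radius"}   # assumed never acceptable


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Group indented child lines under their parent command; top-level commands live under ''."""
    sections: Dict[str, List[str]] = {"": []}
    current = ""
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" "):
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
            sections[""].append(current)
    return sections


def audit(config: str) -> List[str]:
    sections = parse_sections(config)
    top = sections[""]
    every_line = top + [line for name, lines in sections.items() if name for line in lines]
    findings: List[str] = []

    for cmd in REQUIRED_GLOBALS:
        if not any(line.startswith(cmd) for line in top):
            findings.append(f"MISSING: {cmd}")
    if "wireless mgmt-via-wireless" in top:
        findings.append("RISK: wireless mgmt-via-wireless lets wireless clients reach the switch management plane")
    for flag in ("ip http active-session-modules none", "ip http secure-active-session-modules none"):
        if flag not in top:
            findings.append(f"RISK: web management stays reachable; add '{flag}' if HTTP is only for redirection")
    for line in every_line:
        m = re.match(r"snmp-server community (\S+)", line)
        if m and m[1].lower() in PLACEHOLDER_SECRETS:
            findings.append(f"RISK: SNMP community '{m[1]}' is a placeholder value")
        m = re.search(r"\b(?:server-key|key) (\S+)$", line)
        if m and m[1].lower() in PLACEHOLDER_SECRETS:
            findings.append(f"RISK: placeholder shared secret '{m[1]}' in '{line.split()[0]} ...'")

    for name, children in sections.items():
        if not name.startswith("wlan "):
            continue
        if "aaa-override" not in children or "nac" not in children:
            findings.append(f"MISSING: {name} lacks aaa-override/nac; RADIUS-returned VLAN, ACL and redirect are ignored")
        if "no security wpa" in children and "mac-filtering default" not in children:
            findings.append(f"RISK: {name} is open with no mac-filtering; no RADIUS exchange, so ISE CWA never starts")
        if "ip dhcp required" not in children:
            findings.append(f"WARN: {name} admits static-IP clients; consider 'ip dhcp required'")
        elif "ip dhcp snooping" not in top:
            findings.append(f"MISSING: {name} uses ip dhcp required but DHCP snooping is not enabled globally")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports the management-over-wireless line, the two open HTTP management modules, the SNMP community and both cisco123 secrets, and nothing missing; after those are fixed it is silent. Point it at a real show running-config export to get the same report for a production switch.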


ISE Configuration to suppress RADIUS test messages from the switch

You can configure collection filters to suppress syslog messages being sent to the monitoring and external servers. The

suppression can be performed at the Policy Services Node level based on different attribute types. You can disable the

suppression as well. You can define multiple filters with a specific attribute type and corresponding value.

Note: It is recommended to limit the number of collection filters to 20.

Procedure 1 Configure ISE to suppress RADIUS test messages

Step 1 Login to ISE primary admin node.

Step 2 Navigate to Administration > System > Logging

Step 3 Click on Collection Filters on left pane

Step 4 Click on Add on the top of the right pane

Step 5 Select ‘User Name’ from the Attribute pull down menu

Step 6 Enter ‘radius-test’ for Value

Step 7 Select ‘Filter All’ from the Filter Type pull down menu

Step 8 Click Save

