Wireless3Notes


1. Physical to Logical Setup
2. Static Routing
3. NTP Server
4. DHCP Server
5. WLC Initialization
6. ISE & WLC Integration
7. Configuring WLAN using WPA+WPA2 (802.1x with ISE)
8. Downloadable ACLs (DACLs)
9. Integrating AD with ISE
10. Certificate Based Authentication
11. Basic Guest Access - WEP
12. Basic Guest Access - Local Web Authentication
13. Anchor Configuration
====================================================================
1. Physical to Logical Setup
====================================================================

====================================================================
2. Static Routing
====================================================================

----------
CAT1
----------

ip route 10.0.12.0 255.255.255.0 10.0.13.22
ip route 10.0.14.0 255.255.255.0 10.0.13.22
ip route 10.0.30.0 255.255.255.0 10.0.13.22
ip route 10.0.40.0 255.255.255.0 10.0.13.22

----------
CAT2
----------

ip route 10.0.10.0 255.255.255.0 10.0.13.11
ip route 10.0.11.0 255.255.255.0 10.0.13.11
ip route 10.0.20.0 255.255.255.0 10.0.13.11
ip route 10.0.1.0 255.255.255.0 10.0.13.11

====================================================================
3. NTP
====================================================================

-----------
CAT1
-----------

clock timezone GST 4
do clock set 18:45:00 11 mar 2020
!
ntp master
ntp source vlan 101

-----------
CAT2
-----------

clock timezone EST -4
!
ntp server 10.0.1.101
ntp source vlan 13

====================================================================
4. DHCP Server
====================================================================

-----------
CAT1
-----------

ip dhcp excluded-address 10.0.11.1 10.0.11.100
ip dhcp excluded-address 10.0.12.1 10.0.12.100
ip dhcp excluded-address 10.0.20.1 10.0.20.100
ip dhcp excluded-address 10.0.30.1 10.0.30.100
ip dhcp excluded-address 10.0.40.1 10.0.40.100
!
ip dhcp pool AP1
network 10.0.11.0 /24
default-router 10.0.11.11
dns-server 10.0.1.12
option 43 hex f104.0A00.0A15
!
ip dhcp pool AP2
network 10.0.12.0 /24
default-router 10.0.12.22
dns-server 10.0.1.12
option 43 hex f104.0A00.0A15
!
ip dhcp pool EXECS
network 10.0.20.0 /24
default-router 10.0.20.11
dns-server 10.0.1.12
!
ip dhcp pool EMPLOYEES
network 10.0.30.0 /24
default-router 10.0.30.22
dns-server 10.0.1.12
!
ip dhcp pool GUESTS
network 10.0.40.0 /24
default-router 10.0.40.22
dns-server 10.0.1.12
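The `option 43 hex f104.0A00.0A15` line in the AP pools above encodes WLC1's management address for lightweight AP controller discovery. The following is an added example (not part of the original notes) that builds and checks that value for one or more controllers, so a pool can be verified before it is pushed; the function names are my own.

```python
# Added example, not from the original notes: build and check the DHCP option 43
# value that points Cisco lightweight APs at their WLC(s). The vendor sub-option
# is type 0xf1, a length byte of 4 * (number of controllers), then each
# controller management IP as four raw bytes. IOS takes the bytes as dotted
# groups of four hex digits, so 10.0.10.21 (WLC1) becomes f104.0a00.0a15.
import ipaddress

CISCO_AP_SUBOPTION = 0xF1


def build_option43(controllers):
    """Return the argument for 'option 43 hex ...' for the given WLC addresses."""
    ips = [ipaddress.IPv4Address(c) for c in controllers]
    if not ips:
        raise ValueError("at least one controller address is required")
    payload = bytes([CISCO_AP_SUBOPTION, 4 * len(ips)])
    for ip in ips:
        payload += ip.packed
    hexstr = payload.hex()
    return ".".join(hexstr[i:i + 4] for i in range(0, len(hexstr), 4))


def parse_option43(dotted_hex):
    """Decode an IOS dotted-hex option 43 string back into controller IPs.

    Raises ValueError on a wrong sub-option type or a length byte that does not
    match the payload, the usual typo that leaves APs unable to find a WLC.
    """
    raw = bytes.fromhex(dotted_hex.replace(".", ""))
    if len(raw) < 2 or raw[0] != CISCO_AP_SUBOPTION:
        raise ValueError("not a Cisco AP controller sub-option (type 0xf1 expected)")
    length = raw[1]
    if length == 0 or length % 4 or len(raw) != 2 + length:
        raise ValueError("length byte %d does not fit %d payload bytes" % (length, len(raw) - 2))
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(2, 2 + length, 4)]


def option43_is_valid(dotted_hex):
    """True when the string decodes cleanly, for checking a pool before pushing it."""
    try:
        parse_option43(dotted_hex)
        return True
    except ValueError:
        return False
```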

====================================================================
5. WLC Initialization
====================================================================

-----------
WLC1
-----------

System Name: WLC1
Admin Name: admin
Password: NDojo123
Service Port: Default
LAG: Yes
IP Address: 10.0.10.21
S.Mask: 255.255.255.0
Default GW: 10.0.10.11
VLAN: 10
***************************************************************************
System Name [Cisco_5c:f8:e4] (31 characters max): WLC1
Enter Administrative User Name (24 characters max): admin
Enter Administrative Password (3 to 24 characters): ********
Re-enter Administrative Password : ********

Service Interface IP Address Configuration [static][DHCP]:

Enable Link Aggregation (LAG) [yes][NO]: yes

Management Interface IP Address: 10.0.10.21
Management Interface Netmask: 255.255.255.0
Management Interface Default Router: 10.0.10.11
Management Interface VLAN Identifier (0 = untagged): 10
Management Interface DHCP Server IP Address: 10.0.10.11

Enable HA [yes][NO]: no

Virtual Gateway IP Address: 192.0.2.1

Mobility/RF Group Name: ABC

Network Name (SSID): MGMT

Configure DHCP Bridging Mode [yes][NO]: no

Allow Static IP Addresses [YES][no]: no

Configure a RADIUS Server now? [YES][no]: no


Warning! The default WLAN security policy requires a RADIUS server.
Please see documentation for more details.

Enter Country Code list (enter 'help' for a list of countries) [US]:

Enable 802.11b Network [YES][no]:
Enable 802.11a Network [YES][no]:
Enable 802.11g Network [YES][no]:
Enable Auto-RF [YES][no]:

Configure a NTP server now? [YES][no]: yes
Enter the NTP server's IP address: 10.0.1.101
Enter a polling interval between 3600 and 604800 secs: 3600

Would you like to configure IPv6 parameters[YES][no]: no

Configuration correct? If yes, system will save it and reset. [yes][NO]: yes
***************************************************************************

-----------
WLC2
-----------

System Name: WLC2
Admin Name: admin
Password: NDojo123
Service Port: Default
LAG: Yes
IP Address: 10.0.14.21
S.Mask: 255.255.255.0
Default GW: 10.0.14.22
VLAN: 14

***************************************************************************
System Name [Cisco_ac:2d:a5] (31 characters max): WLC2
Enter Administrative User Name (24 characters max): admin
Enter Administrative Password (3 to 24 characters): ********
Re-enter Administrative Password : ********

Enable Link Aggregation (LAG) [yes][NO]: yes

Management Interface IP Address: 10.0.14.21
Management Interface Netmask: 255.255.255.0
Management Interface Default Router: 10.0.14.22
Cleaning up Provisioning SSID
Error: failed to disable Day0 ssid. return Code : 7
Management Interface VLAN Identifier (0 = untagged): 14
Management Interface DHCP Server IP Address: 10.0.13.11

Virtual Gateway IP Address: 192.0.2.1

Multicast IP Address: 225.11.11.11

Mobility/RF Group Name: ABC

Network Name (SSID): MGMT

Configure DHCP Bridging Mode [yes][NO]: no

Allow Static IP Addresses [YES][no]: no

Configure a RADIUS Server now? [YES][no]: no


Warning! The default WLAN security policy requires a RADIUS server.
Please see documentation for more details.

Enter Country Code list (enter 'help' for a list of countries) [US]:

Enable 802.11b Network [YES][no]:
Enable 802.11a Network [YES][no]:
Enable 802.11g Network [YES][no]:
Enable Auto-RF [YES][no]:

Configure a NTP server now? [YES][no]: yes
Enter the NTP server's IP address: 10.0.1.101
Enter a polling interval between 3600 and 604800 secs: 3600

Would you like to configure IPv6 parameters[YES][no]: no

Configuration correct? If yes, system will save it and reset. [yes][NO]: yes

====================================================================
6. ISE & WLC Integration
====================================================================

------
WLC1
------

Security -> AAA -> RADIUS -> Authentication -> New

IP: 10.0.1.5
Key: cisco123
authentication port: 1812
Timeout: 5

Security -> AAA -> RADIUS -> Accounting -> New

IP: 10.0.1.5
Key: cisco123
accounting port: 1813
Timeout: 5

====================================================================
7. Configuring the WLC for ISE-Based Authentication
====================================================================

------------------------------
1. Create the VLAN Interfaces
------------------------------

Controllers -> Interfaces -> New

Name: execs
VLAN: 20
IP Address: 10.0.20.99
Subnet Mask: 255.255.255.0
Default Gateway: 10.0.20.11
DHCP Server: 10.0.13.11

Name: employees
VLAN: 30
IP Address: 10.0.30.99
Subnet Mask: 255.255.255.0
Default Gateway: 10.0.30.22
DHCP Server: 10.0.13.11

Name: guests
VLAN: 40
IP Address: 10.0.40.99
Subnet Mask: 255.255.255.0
Default Gateway: 10.0.40.22
DHCP Server: 10.0.13.11

------------------------------
2. Create the SSID
------------------------------

WLANs -> Create New

General

Profile Name: ABC
SSID: ABC
Enabled: Checked
Interface: management

Security:

Layer2: WPA+WPA2
AAA Server:
Check RADIUS Server Overwrite Interface
Select the ISE as Authentication and Accounting

Advanced:

Check "Allow AAA Override"

====================================================================
8. Configuring the ISE for WLC based Authentication
====================================================================

------------------------------
1. Create the Groups and Users
------------------------------

Administration -> Identity Management -> Groups -> User Identity Groups -> Add

Name: EXECS

Name: EMPLOYEES

Administration -> Identity Management -> Identities -> Add

Name: Exec1
Password: Ciso123*
Group: EXECS

Name: Employee1
Password: Ciso123*
Group: EMPLOYEES

--------------------------------------
2. Configure an Authorization Profile
--------------------------------------

Policy -> Policy Elements -> Results -> Authorization -> Authorization Profiles -> Add

Name: EXECS-PROFILE
VLAN: 20

Name: EMPLOYEE-PROFILE
VLAN: 30

--------------------------------------
3. Configure an Authorization Policy
--------------------------------------

Policy -> Authorization -> Add

-----------------------------------
Name: EXECS-POLICY
Identity Group: EXECS

Conditions:
Wireless_802.1x
Device:Device-Type = HQ-WLCs
Radius:Called-Station endswith ABC

Permission:
Name: EXECS-PROFILE
-----------------------------------

-----------------------------------
Name: EMPLOYEE-POLICY
Identity Group: EMPLOYEES

Conditions:
Wireless_802.1x
Device:Device-Type = HQ-WLCs
Radius:Called-Station endswith ABC

Permission:
Name: EMPLOYEE-PROFILE
-----------------------------------

====================================================================
9. Downloadable ACLs
====================================================================

--------------------------------
1. Create the ACL on the WLC
--------------------------------

Security -> Access Control Lists -> ACL

Name: EMP-ACL
Add the following entries:

Permit ICMP from and to 10.0.13.0/24
Block ICMP from the rest
Permit the rest

--------------------------------
2. Configure the ISE Profile
--------------------------------

Policy -> Policy Elements -> Results -> Authorization -> Authorization Profile -> EMPLOYEE-PROFILE -> Edit

Airespace ACL Name = EMP-ACL

Verification/Logs:

WLC - Monitor -> Clients -> Click on the Client

ISE - Operations -> RADIUS -> Live Logs

===========================================================
9. Integrating AD with ISE
===========================================================
-----------------------------------------------------------------------------------
1. Importing the Root Certificate for the Company - Required if you are doing Certificate based authentication
-----------------------------------------------------------------------------------

Administration -> System -> Certificates -> Trusted Certificates -> Import

Check all the boxes

Save

------------------------------------------------------
2. Add Active Directory to ISE
------------------------------------------------------

Administration -> Identity Management -> External Identity Sources -> Active Directory -> Add

Name: AD-ABC
Domain: networkdojo.local
Admin User: admin
Password: NDojo123

Administration -> Identity Management -> External Identity Sources -> Active Directory -> AD-ABC -> Groups -> Import

ADgroup1
ADgroup2
DomainUsers
DomainAdmins
DomainGuest

----------------------------------------------------------------------------
3. Enable Certificates from AD - if using Certificate based Authentication
----------------------------------------------------------------------------

Administration -> Identity Management -> External Identity Sources -> Certificate Authentication Profile -> Pre-Load certificate Profile -> Add AD-ABC to the Identity Store

Save

----------------------------------------------------------------------------
4. Enable/Use AD based authentication
----------------------------------------------------------------------------

Administration -> Identity Management -> Identity Source Sequences -> All_Users_ID_Stores ->

-> Add AD and Internal Endpoint to the Select list.
-> Recommended to move AD to the top

Save

====================================================================
10. Incorporating the AD Groups into your Policy
====================================================================

Policy -> Authorization -> Insert at the Top

-----------------------------------
Name: AD-EXECS-POLICY

Conditions:
Wireless_802.1x
Device:Device-Type = HQ-WLCs
Radius:Called-Station endswith ABC
AD-ABC:ExternalGroups equal Networkdojo.local/Adgroup1

Permission:
Name: EXECS-PROFILE
-----------------------------------

-----------------------------------
Name: AD-EMP-POLICY

Conditions:
Wireless_802.1x
Device:Device-Type = HQ-WLCs
Radius:Called-Station endswith ABC
AD-ABC:ExternalGroups equal Networkdojo.local/Adgroup2

Permission:
Name: EMPLOYEE-PROFILE
-----------------------------------

=============================================
11. Certificate Based Authentication
=============================================

-----------------------------------------------------------------------------------
1. Change the Condition such that Certificate based authentication becomes a requirement for Adgroup1.
-----------------------------------------------------------------------------------

-----------------------------------
Name: AD-EXECS-POLICY

Conditions:
Wireless_802.1x
Device:Device-Type = HQ-WLCs
Radius:Called-Station endswith ABC
AD-ABC:ExternalGroups equal Networkdojo.local/Adgroup1
Network Access:EAPAuthentication equals EAP-TLS

Permission:
Name: EXECS-PROFILE
-----------------------------------
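The rules in sections 10 and 11 are evaluated top-down and the first match wins, so adding "EAPAuthentication equals EAP-TLS" to the exec rule means an Adgroup1 user who authenticates with PEAP no longer matches it and falls through to whatever rule comes next, or to the default DenyAccess. The following added example (my own code, not from these notes or from ISE) models that evaluation; it spells the called-station attribute the way ISE does (Radius:Called-Station-ID), expands ISE's built-in Wireless_802.1X compound condition, and assumes the employee rule keys on Adgroup2.

```python
# Added example, not from the original notes: a first-match evaluator for the
# ISE authorization rules in sections 10 and 11. Attribute names follow the
# notes (ISE spells the called-station attribute Radius:Called-Station-ID);
# the employee rule is assumed to key on Adgroup2 rather than Adgroup1.

OPERATORS = {
    # ExternalGroups is multi-valued, so "equals" means "contains" on a list
    "equals": lambda got, want: want in got if isinstance(got, list) else got == want,
    "endswith": lambda got, want: isinstance(got, str) and got.endswith(want),
}

# Wireless_802.1X is ISE's built-in compound condition, expanded here.
COMMON = [
    ("Radius:NAS-Port-Type", "equals", "Wireless - IEEE 802.11"),
    ("Radius:Service-Type", "equals", "Framed"),
    ("Device:Device-Type", "equals", "HQ-WLCs"),
    ("Radius:Called-Station-ID", "endswith", "ABC"),
]

# Rule order as in the notes: AD rules at the top, exec rule gated on EAP-TLS.
RULES = [
    ("AD-EXECS-POLICY", COMMON + [
        ("AD-ABC:ExternalGroups", "equals", "Networkdojo.local/Adgroup1"),
        ("Network Access:EAPAuthentication", "equals", "EAP-TLS")], "EXECS-PROFILE"),
    ("AD-EMP-POLICY", COMMON + [
        ("AD-ABC:ExternalGroups", "equals", "Networkdojo.local/Adgroup2")], "EMPLOYEE-PROFILE"),
]

def matches(request, conditions):
    """Every condition must hold; an attribute absent from the request never matches."""
    return all(attr in request and OPERATORS[op](request[attr], want)
               for attr, op, want in conditions)

def authorize(request, rules=RULES):
    """Return (rule, profile) of the first matching rule, else ISE's default DenyAccess."""
    for name, conditions, profile in rules:
        if matches(request, conditions):
            return name, profile
    return "Default", "DenyAccess"

def sample_request(groups, eap, called_station="00-11-22-33-44-55:ABC"):
    # Constructed request, shaped like what the WLC plus the AD lookup give ISE.
    return {"Radius:NAS-Port-Type": "Wireless - IEEE 802.11",
            "Radius:Service-Type": "Framed",
            "Device:Device-Type": "HQ-WLCs",
            "Radius:Called-Station-ID": called_station,
            "AD-ABC:ExternalGroups": groups,
            "Network Access:EAPAuthentication": eap}
```

Run `authorize(sample_request(["Networkdojo.local/Adgroup1"], "PEAP"))` to see the exec-with-PEAP case land on DenyAccess; checking the ISE Live Logs for the matched rule name is the equivalent on the real system.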

===========================================================
12. Basic Guest Access - WEP
===========================================================

----------
CAT1
----------

ip route 199.1.1.0 255.255.255.0 10.0.13.22

----------
CAT2
----------

interface Loopback0
ip address 199.1.1.1 255.255.255.0
!
! Guests may reach the 199.1.1.0/24 test network and use DHCP and DNS;
! everything else is dropped by the implicit deny at the end of the list.
access-list 101 permit ip any 199.1.1.0 0.0.0.255
access-list 101 permit udp any any eq bootps
access-list 101 permit udp any any eq bootpc
access-list 101 permit udp any any eq domain
!
interface Vlan40
ip access-group 101 in

------------
WLC
------------

----------------------------
A. Create the VLAN Interface
----------------------------

Controller -> Interfaces

Name: guests
VLAN: 40
IP Address: 10.0.40.99/24
Default Gateway: 10.0.40.22
DHCP: 10.0.13.11

----------------------------
B. Create the SSID
----------------------------

WLAN -> Create New

Profile Name: GUESTS-WEP
SSID: GUESTS-WEP
Enabled: checked
Interface: guests
Layer2 Security: Basic WEP : 40-bit : Cisco

===========================================================
13. Basic Guest Access - Local Web Authentication
===========================================================

------
WLC1
------

----------------------------
1. Create the SSID
----------------------------
WLAN -> Create New

Profile Name: GUESTS-LWEB
SSID: GUESTS-LWEB
Enabled: checked
Interface: guests
Layer2 Security: None
Layer3 Security: Web-Policy

--------------------------
2. Create a Local NetUser
--------------------------

Security -> AAA -> Local Net Users -> Add

Username: khawar
Password: Cisco123
Guest user: Checked
WLAN: GUESTS-LWEB

===========================================================
14. Anchor Configuration
===========================================================

--------------------------------------------------
1. Configure a relationship between the WLCs
--------------------------------------------------

Controllers -> Mobility Management -> Mobility Groups -> Edit All

Copy and Paste the config from the partner WLCs adding the Group Name at the end

-----------------------------------------------------------------------------------
2. Configure the Interface and WLAN for Guest on the Anchor identical to the Main WLC
-----------------------------------------------------------------------------------

----------------------------
A. Create the VLAN Interface
----------------------------

Controller -> Interfaces

Name: guests
VLAN: 40
IP Address: 10.0.40.98/24
Default Gateway: 10.0.40.22
DHCP: 10.0.13.11

----------------------------
B. Create the SSID
----------------------------

WLAN -> Create New

Profile Name: GUESTS
SSID: GUESTS
Enabled: checked
Interface: guests
Layer2 Security: Basic WEP : 40-bit : Cisco

-----------------------------------------------------------------------------------
3. Configure the Relationship of Anchor and Foreign WLC between WLC1 & WLC2
-----------------------------------------------------------------------------------

--------
WLC2
--------

WLANs -> hover over the blue drop-down arrow next to the WLAN and select "Mobility Anchor"

Select Local as the Mobility Anchor

WLANs -> hover over the blue drop-down arrow next to the WLAN and select "Foreign Map"

Specify the MAC Address of the peer and the associated exit interface.

--------
WLC1
--------

WLANs -> hover over the blue drop-down arrow next to the WLAN and select "Mobility Anchor"

Select WLC2 as the Anchor
