Table of Contents
3850 Switch Wireless Configuration
  Overall Design
  3850 Switch Wireless Configuration Steps
    Validate licensing
    Configure the HTTP Server on the Switch
    Configure the Global AAA Commands
    Configure the Global RADIUS Commands
    Configure VLANs and SVIs
    Configure DHCP Snooping (Optional)
    Configure Local Access Control Lists
    Configure the Global 802.1X Commands
    Configure the Global Wireless feature
    Configure WLANs
    Configure Interfaces for Wireless APs
    Create Identity Sequence
    Enable policy Set
    Configure Policy
ISE Configuration - Suppressing RADIUS test messages
  Configure ISE to suppress RADIUS test messages
Mobility agent (MA): This is the default mode in which the Cisco Catalyst 3850 switch ships. In this mode the
switch terminates the CAPWAP tunnels from the access points and provides wireless connectivity to wireless
clients. It maintains the wireless client database and configures and enforces security and QoS policies for
wireless clients and access points. No license beyond IP Base is required to operate in mobility agent mode.
Mobility controller (MC): In this mode, the Cisco Catalyst 3850 switch performs all the mobility agent tasks
and in addition handles mobility coordination, radio resource management (RRM), and Cisco CleanAir
coordination within a mobility subdomain. Mobility controller mode is enabled from the switch CLI. The IP
Base license level is required when the Cisco Catalyst 3850 switch acts as the mobility controller. For larger
deployments, a centrally located Cisco 5508 Wireless LAN Controller (WLC 5508), a Cisco Wireless Services
Module 2 (WiSM2) running AireOS Version 7.3, or a Wireless LAN Controller 5760 can also perform this role.
Overall Design
The following diagram shows the overall layout of the components. There are two Service Set Identifiers (SSIDs):
one secured with WPA2 (Wi-Fi Protected Access 2) + 802.1X, and another that is Open + Central Web Authentication (CWA).
Although we won't go into the details of the different Bring Your Own Device (BYOD) or posture policies within
Cisco Identity Services Engine (ISE), this setup provides a baseline for such operations. This document only
covers the baseline wireless configuration on 3850 switches; for deploying the 3850 on a wired network or for
other ISE configurations, please refer to the respective ISE How-to documents.
Figure 1.
Components used:
- The wireless management interface has to be in the same VLAN as the AP access VLAN; APs in FlexConnect mode
  are not supported in this layout.
- The client idle timeout is a global setting (as opposed to the latest AireOS).
- APs need to be directly connected to the 3850 switch.
- There is no need for the legacy AP discovery methods (DHCP option 43 or a DNS entry): with CAPWAP snooping,
  all directly connected APs can join the 3850 if they are configured with the correct VLAN. Because of CAPWAP
  snooping, once a wireless management interface is configured on the 3850, all directly connected APs can only
  talk to the 3850.
- HTTPS redirect is supported; however, the user will be required to trust the 3850's HTTPS certificate before
  continuing to the login page.
- With IOS-XE version 03.02.02.SE, the 3850 switch provides some GUI-based wireless configuration functions.
Note: Cisco 3850 can act as Mobility Agent (MA) mode or Mobility Controller (MC) mode. Every mobility
deployment requires at least one MC and since our design consists of one 3850 switch, we will be configuring the
switch as MC mode.
Validate licensing
The 3850 uses the Right-To-Use (RTU) license scheme. RTU licensing allows you to order and activate a specific
license type and level, and to manage license usage on the switch. To activate a license you must accept the
End-User License Agreement (EULA). With an evaluation license you are notified to purchase a permanent license or
deactivate the license before the 90-day period expires. Before the wireless function can be enabled on the 3850
switch, it must be running either the ipbase or ipservices feature set, with the RTU license present and the EULA
accepted. The RTU license also governs the AP count when the switch is acting as Mobility Controller (MC).
Note: Prerequisite configuration: This guide assumes that the switches have the required licenses and following step
will focus on validation of RTU license on the platform.
Step 1
Activate the feature set that supports wireless controller functionality, and also activate the AP count RTU
license:
Step 2
Sample output:
3850#show license right-to-use summary
License Name   Type        Count   Period left
-----------------------------------------------
ipservices     permanent   N/A     Lifetime
apcount        base        0       Lifetime
apcount        adder       10      Lifetime
-----------------------------------------------
License Level In Use: ipservices
License Level on Reboot: ipservices
Evaluation AP-Count: Disabled
Total AP Count Licenses: 10
AP Count Licenses In-use: 4
AP Count Licenses Remaining: 6
3850#
Set the DNS domain name on the switch. Cisco IOS Software does not allow certificates, or even self-generated keys, to be created and installed without first defining a DNS domain name on the device.
Enter the following:
3850(config)#ip domain-name example.com
Step 3
Note: To avoid possible certificate mismatch errors during web redirection, we recommend that you use a certificate
that is issued by your trusted certificate authority instead of a local certificate. This topic is beyond the scope of this
document.
Step 4
Note: Do not run the ip http secure-server command before generating the keys in step 2. If you perform the
commands out of order, the switch automatically generates a certificate with a smaller key size, and that
certificate can cause undesirable behaviour when redirecting HTTPS traffic. Unlike a WLC running AireOS, the 3850
Series wireless feature supports redirection of HTTPS requests; however, endpoints will be prompted to trust the
switch's self-signed certificate during the redirection.
Step 5
Disable HTTP and HTTPS for other switch management functions (optional):
3850(config)#ip http active-session-modules none
3850(config)#ip http secure-active-session-modules none
Note: This also disables management access to the 3850 wireless configuration GUI and configuration from Cisco
Prime Infrastructure (NCS).
3850(config)#aaa new-model
3850(config)#aaa session-id common
Note: This command enables the services that the AAA network security facility provides, for example local
login authentication and authorization, and the definition and application of method lists. For further details,
please refer to the Cisco IOS Security Configuration Guide.
Step 2
Step 3
Step 4
Step 5
Note: The server is proactively checked for responses once every 5 minutes, in addition to any authentications or
authorizations occurring through normal processing. This value may be too aggressive for ISE versions earlier than
1.2, which lack the log suppression feature; in that case increase this value to 60 minutes or higher.
Step 2
Note: We will discuss high availability in more detail in the deployment mode sections.
Step 3
Step 4
Step 5
3850(config)#radius-server attribute 6 on-for-login-auth
3850(config)#radius-server attribute 8 include-in-access-req
3850(config)#radius-server attribute 25 access-request include
3850(config)#radius-server attribute 31 mac format ietf upper-case
3850(config)#radius-server attribute 31 send nas-port-detail mac-only
Step 6
Ensure the switch always sends RADIUS requests from the correct interface.
Switches often have multiple IP addresses associated with them, so it is a best practice to force all
management communications through a specific interface. This interface's IP address must match the
IP address defined in the Cisco ISE Network Device object.
Cisco Best Practice: As a network management best practice, use a loopback adapter for all management
communications, and advertise that loopback interface into the internal routing protocol.
3850(config)#ip radius source-interface vlan 201
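To make the attribute settings above concrete, here is an added example in Python (not code from this guide or from Cisco) that builds the same kind of Access-Request the switch sends, both for its proactive probe with user radius-test and for a real client: the User-Password attribute hidden with the shared secret as RFC 2865 requires, Service-Type (attribute 6) set to Login, and Calling-Station-Id (attribute 31) formatted as ietf upper-case. The shared secret, NAS address and client MAC are constructed values; the parser checks every length field so a malformed packet is rejected rather than misread.

```python
"""Build and parse a RADIUS Access-Request (RFC 2865) with the attribute
formatting this guide configures on the 3850.  Added example; the secret,
NAS-IP-Address and client MAC used below are constructed values."""
import hashlib
import ipaddress
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
CALLING_STATION_ID, NAS_PORT_TYPE = 31, 61
SERVICE_TYPE_LOGIN = 1          # what "attribute 6 on-for-login-auth" sends
NAS_PORT_TYPE_WIRELESS = 19     # Wireless-IEEE-802.11


def ietf_upper(mac: str) -> str:
    """'radius-server attribute 31 mac format ietf upper-case':
    accept 001a.2b3c.4d5e / 00:1a:... / 00-1a-..., emit 00-1A-2B-3C-4D-5E."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "").upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16, XOR each block with
    MD5(secret + previous block), the first 'previous block' being the
    Request Authenticator.  This is obfuscation keyed by the shared secret,
    not encryption; a weak or leaked secret exposes every password."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password (what the RADIUS server does)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def avp(attr_type: int, value: bytes) -> bytes:
    """One attribute-value pair: type, total length (2 + value), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, username, password, secret, nas_ip,
                         client_mac, authenticator=None):
    """4-byte header (code, identifier, length), 16-byte random Request
    Authenticator, then the attribute list."""
    authenticator = authenticator or os.urandom(16)
    attrs = b"".join([
        avp(USER_NAME, username.encode()),
        avp(USER_PASSWORD, hide_password(password.encode(), secret, authenticator)),
        avp(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed),
        avp(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN)),
        avp(CALLING_STATION_ID, ietf_upper(client_mac).encode()),
        avp(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS)),
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_radius(packet: bytes):
    """Return (code, identifier, authenticator, [(type, value), ...]);
    reject packets whose length fields do not add up."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, identifier, packet[4:20], attrs
```

The probe the switch sends every idle-time interval is exactly such an Access-Request for the test user, which is why ISE logs a failed authentication for it unless suppression is configured (see the ISE section at the end of this document). Because User-Password is only XOR-masked with an MD5 stream derived from the shared secret, the secret deserves the same handling as a credential: long, unique per device, and never the sample value used in this guide.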
Add the following VLANs for wireless management and the WLAN interfaces:
3850(config)#vlan 80
3850(config-vlan)#name AP_VLAN
3850(config-vlan)#vlan 30
3850(config-vlan)#name WLAN_USER
3850(config-vlan)#vlan 40
3850(config-vlan)#name WLAN_GUEST
Step 2
This interface is used to communicate with the LWAPs. The LWAPs need to be connected directly to the
3850 switch, and the interface needs to be configured with the same VLAN as the wireless management
VLAN. Also, configure an IP helper address to forward DHCP requests from the LWAPs to the DHCP server.
3850(config)#interface vlan 80
3850(config-if)#ip address 192.168.80.1 255.255.255.0
3850(config-if)#ip helper-address 192.168.201.72
3850(config-if)#no shutdown
Configure Dynamic Host Configuration Protocol (DHCP) snooping trust on the port facing the DHCP server
(GigabitEthernet1/0/17 in this design). Every other port stays untrusted, so DHCP server messages arriving
on them are dropped.
3850(config)#interface GigabitEthernet1/0/17
3850(config-if)#description Server
3850(config-if)#ip dhcp snooping trust
Step 2
DHCP snooping is enabled in global configuration mode. After enabling DHCP snooping, you must
configure the VLANs it should operate on, which in our example are VLANs 30 and 40. The second command
stops the switch from inserting DHCP option 82 into relayed requests, which some DHCP servers reject.
3850(config)#ip dhcp snooping vlan 30,40
3850(config)#no ip dhcp snooping information option
3850(config)#ip dhcp snooping
Add the following ACL to be used for URL redirection with web authentication:
3850(config)#ip access-list extended REDIRECT-ACL
3850(config-ext-nacl)#deny udp any host 192.168.201.72 eq 53
3850(config-ext-nacl)#deny udp any eq bootpc host 192.168.201.72 eq bootps
3850(config-ext-nacl)#deny ip any host 192.168.201.88
3850(config-ext-nacl)#permit ip any any
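A web-redirect ACL reads backwards from a filtering ACL: a packet that matches a permit entry is intercepted and sent to the ISE portal, while a packet that matches a deny entry passes through untouched. That is why DNS, DHCP and all traffic to ISE itself are denied above: without those exemptions the client cannot resolve the portal name, cannot get an address, or is redirected away from the portal it is being sent to. The following added example (Python, not Cisco code) parses the REDIRECT-ACL above and evaluates constructed packets against it with those semantics; the guest client address and the probe ports it uses are assumptions for illustration.

```python
"""Evaluate the REDIRECT-ACL above the way the 3850 uses a web-redirect ACL:
a packet matching a 'permit' entry is intercepted and redirected to the ISE
portal, a packet matching a 'deny' entry passes untouched, and the implicit
deny at the end means 'do not redirect'.  Added example, not Cisco code;
the hosts and packets below are constructed from the addresses in this guide."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Ace:
    action: str                                  # "permit" or "deny"
    proto: str                                   # "ip", "tcp", "udp", ...
    src: Optional[ipaddress.IPv4Network]         # None means "any"
    sport: Optional[int]
    dst: Optional[ipaddress.IPv4Network]
    dport: Optional[int]


def parse_ace(line: str) -> Ace:
    """Parse one extended-ACL entry such as
    'deny udp any eq bootpc host 192.168.201.72 eq bootps'."""
    tok = line.split()
    action, proto, i = tok[0], tok[1], 2
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in {line!r}")

    def address() -> Optional[ipaddress.IPv4Network]:
        nonlocal i
        if tok[i] == "any":
            i += 1
            return None
        if tok[i] == "host":
            i += 2
            return ipaddress.IPv4Network(tok[i - 1])
        i += 2                                    # address + wildcard mask
        return ipaddress.IPv4Network((tok[i - 2], tok[i - 1]), strict=False)

    def port() -> Optional[int]:
        nonlocal i
        if i < len(tok) and tok[i] == "eq":
            name = tok[i + 1]
            i += 2
            return PORT_NAMES[name] if name in PORT_NAMES else int(name)
        return None

    src, sport = address(), port()
    dst, dport = address(), port()
    return Ace(action, proto, src, sport, dst, dport)


def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.src is not None and ipaddress.ip_address(pkt.src) not in ace.src:
        return False
    if ace.dst is not None and ipaddress.ip_address(pkt.dst) not in ace.dst:
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return True


def is_redirected(acl: List[Ace], pkt: Packet) -> bool:
    """First matching entry wins; permit == redirect, deny == pass through."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.action == "permit"
    return False


def missing_exemptions(acl: List[Ace], ise: str, dns: str, dhcp: str) -> List[str]:
    """Return the services the ACL would wrongly send to the portal.  DNS and
    DHCP must pass so the client can resolve and address itself, and traffic
    to ISE must pass or the redirect loops on the portal itself."""
    client = "192.168.40.10"                      # a guest-VLAN client (constructed)
    probes = [
        ("dns", Packet("udp", client, dns, 53000, 53)),
        ("dhcp", Packet("udp", "0.0.0.0", dhcp, 68, 67)),
        ("ise", Packet("tcp", client, ise, 51000, 8443)),
    ]
    return [name for name, pkt in probes if is_redirected(acl, pkt)]


# The ACL from this guide, parsed line by line (constructed input).
REDIRECT_ACL = [parse_ace(line) for line in """
deny udp any host 192.168.201.72 eq 53
deny udp any eq bootpc host 192.168.201.72 eq bootps
deny ip any host 192.168.201.88
permit ip any any
""".split("\n") if line.strip()]
```

Run missing_exemptions against any redirect ACL you deploy: a bare permit ip any any is the classic mistake, and the function reports all three services as captured for it while the ACL above yields an empty list.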
Step 2
Downloadable access control lists (dACLs) are a very common enforcement mechanism in a Cisco ISE deployment.
In order for dACLs to function properly on a switch, IP device tracking must be enabled globally, as follows:
Cisco Systems 2015
3850(config)#ip device tracking
Note: There are some uncommon cases, with Windows 7 and with devices that do not respond to ARP probes, where it
may be necessary to source the probes from the SVI address with the ip device tracking probe use-svi command.
The 3850 switch can act as Mobility Agent (MA) only or as MC+MA. Any 3850 wireless deployment needs
at least one MC available. We are configuring the 3850 as MC+MA because we only have one 3850 switch.
3850(config)#wireless mobility controller
With the 3850, all APs need to be in the same VLAN as the wireless management interface. This allows the
CAPWAP tunnel between the APs and the 3850 switch.
3850(config)#wireless management interface Vlan80
Note: If there are LWAPs connected to the 3850 switch that are registered with a CUWN WLC, after the above
command is entered all of those LWAPs will lose their connection to the CUWN WLC and start registering with the
3850 switch. The LWAPs then go through a code upgrade and finally join the 3850 switch.
Step 3
The Fast-SSID-Change feature allows clients to move from one SSID to another without delay. In the
dual-SSID BYOD scenario this lets a client move from the open SSID to the secure SSID without delay.
3850(config)#wireless client fast-ssid-change
Note: This is primarily to address Apple iOS devices shifting from one SSID to another within short period of time
Step 4
The idle timeout allows the switch to remove the client session when no traffic has been seen from the
client within the configured timeframe. If this value is too short, client devices will be forced to
reauthenticate when coming out of standby mode. Here we are setting it to 2 hours (7200 seconds).
3850(config)#wireless client user-timeout 7200
Step 5
Apple introduced an iOS feature to facilitate network access when captive portals are present. This
feature attempts to detect the presence of a captive portal by sending a web request upon connecting to a
wireless network, directed at http://www.apple.com/library/test/success.html. If the expected
response is received, Internet access is assumed and no further interaction is required. If it is not,
Internet access is assumed to be blocked by a captive portal and the Captive Network Assistant (CNA)
auto-launches its pseudo-browser to request the portal login in a controlled window. CNA may break when
redirecting to an ISE captive portal. The following CLI command prevents the pseudo-browser from
popping up.
3850(config)#captive-portal-bypass
Configure WLANs
Step 1
This command creates a WLAN with example_secure as both profile name and SSID, with WLAN ID 1 (the
profile name used in the final configuration at the end of this section). If this 3850 switch is part of a
bigger deployment, make sure the WLAN settings match on all the switches.
3850(config)#wlan example_secure 1 example_secure
Note: Although we are not entering L2 security settings for the wlan, the default setting for any wlan is WPA2/AES
with 802.1x
Step 2
Configure the WLAN to accept RADIUS authorization and instructions from the RADIUS server.
The AAA Override option of a WLAN enables you to configure the WLAN for identity networking. It
lets you apply VLAN tagging, Quality of Service (QoS), and Access Control Lists (ACLs) to
individual clients based on the RADIUS attributes returned from ISE. The nac directive enables the
different client states driven by the URL-Redirect instructions, such as CWA, DRW, MDM, NSP, and
CPP.
3850(config-wlan)#aaa-override
3850(config-wlan)#nac
Step 3
Step 4
If DHCP snooping was configured for the above VLAN in the previous steps, this setting keeps client
devices with a static IP address off the network: a client must complete DHCP before its traffic is forwarded.
3850(config-wlan)#ip dhcp required
Step 5
This value dictates how often the client re-authenticates via the RADIUS server; here it is 24 hours (86400 seconds).
3850(config-wlan)#session-timeout 86400
Step 6
3850(config-wlan)#no shutdown
Note: Whenever the WLAN configuration needs to be modified, the WLAN has to be shut down. Once modified it can be re-enabled by running the above command. Note that this disconnects all users on the respective WLAN.
Step 7
Step 8
Since this is an open SSID, enabling MAC filtering with the default RADIUS list sends a MAB request to ISE for
every client, and the redirect ISE returns provides CWA with ISE as the external web server.
3850(config-wlan)#mac-filtering default
Step 9
Configure the WLAN to accept RADIUS authorization messages from the RADIUS server.
3850(config-wlan)#aaa-override
3850(config-wlan)#nac
Step 10
Step 11
3850(config-wlan)#
Step 12
Disable all L2 security features and set the WLAN as an open SSID.
3850(config-wlan)#no security wpa
3850(config-wlan)#no security wpa akm dot1x
3850(config-wlan)#no security wpa wpa2
3850(config-wlan)#no security wpa wpa2 ciphers aes
Step 13
Note: The session-timeout for the open SSID is set to a lower value than for the secure SSID, because
reauthentication of MAB requests does not load ISE as much as 802.1X requests do.
Step 14
Note: With 3850 switch, the LWAP needs to be directly connected to the switch
Step 2
Enabling 802.1X globally on the switch does not actually enable authentication on any of the
switchports; authentication is configured but not enabled until we configure Monitor Mode. Configure the
AP-facing port as an access port in the wireless management VLAN:
3850(config-if)#switchport mode access
3850(config-if)#switchport access vlan 80
Note: 3850 introduces a new way of discovering new LWAPs by using CAPWAP snooping feature. There is no need
to configure DHCP option 43 or DNS entry for 3850 wireless management IP address
Step 3
3850(config-if)#
Step 4
Step 5
Validate AP status.
After APs have been upgraded and rebooted, validate that all APs are running in Local mode and the
Country setting is correct. Also, make sure all AP Status shows up as Joined.
3850#show ap status
3850#show ap join stats summary
Note: Currently the 3850 only supports LWAPs in Local, Monitor, se-connect, and Sniffer mode. If the LWAP was
previously configured in FlexConnect mode, run the ap name {AP_NAME} mode local command.
Step 6
Save configuration.
3850#write memory
radius-server host 192.168.201.88 auth-port 1812 acct-port 1813 test username radius-test idletime 5 key cisco123
radius-server deadtime 15
radius-server vsa send accounting
radius-server vsa send authentication
!
wireless mobility controller
wireless management interface Vlan80
wireless client fast-ssid-change
wireless mgmt-via-wireless
wireless client user-timeout 7200
captive-portal-bypass
!
wlan example_secure 1 example_secure
aaa-override
client vlan 30
nac
ip dhcp required
session-timeout 86400
no shutdown
!
wlan example_open 2 example_open
aaa-override
client vlan 40
mac-filtering default
nac
ip dhcp required
no security wpa
no security wpa akm dot1x
no security wpa wpa2
no security wpa wpa2 ciphers aes
session-timeout 7200
no shutdown
!
interface GigabitEthernet1/0/17
description Server
switchport mode access
switchport access vlan 201
ip dhcp snooping trust
spanning-tree portfast
no shutdown
!
interface GigabitEthernet1/0/9
description AP
switchport mode access
switchport access vlan 80
spanning-tree portfast
no shutdown
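The configuration above encodes several constraints this guide states in prose: the AP port must sit in the wireless management VLAN, the open WLAN only gives CWA because mac-filtering is on it, every WLAN carries aaa-override, nac and ip dhcp required, and only the server port is DHCP-snooping trusted. The following added example (Python, not Cisco code) parses an IOS-style running-config into blocks and checks those constraints, plus one the sample config itself fails: the RADIUS shared secret is stored in clear text. The config it audits is constructed from the fragment above, and identifying AP ports by the description "AP" is an assumption of this checker, not a platform feature.

```python
"""Audit a 3850 wireless running-config for the constraints stated in this
guide.  Added example, not Cisco code; SAMPLE_CONFIG is constructed from the
configuration fragment above, and AP ports are recognised by the description
'AP' (an assumption of this checker)."""
import re
from typing import Dict, List


def parse_ios(text: str) -> Dict[str, List[str]]:
    """Group an IOS-style config into {top-level line: [indented children]}.
    A '!' or blank line ends the current block."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            current = None
            continue
        if line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = line.strip()
            blocks.setdefault(current, [])
    return blocks


def audit(text: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    blocks = parse_ios(text)
    findings: List[str] = []
    mgmt_vlan = None
    for line in blocks:
        m = re.fullmatch(r"wireless management interface [Vv]lan(\d+)", line)
        if m:
            mgmt_vlan = m.group(1)
    for line, children in blocks.items():
        kids = set(children)
        if line.startswith("radius-server host "):
            # 'key 6 ...' / 'key 7 ...' are stored encrypted; anything else is clear text
            if " key " in line and not re.search(r"\skey\s+[67]\s", line):
                findings.append(f"{line.split()[2]}: RADIUS shared secret stored in clear text")
        elif line.startswith("wlan "):
            name = line.split()[1]
            if "no security wpa" in kids and "mac-filtering default" not in kids:
                findings.append(f"wlan {name}: open SSID without mac-filtering, so no MAB/CWA is triggered")
            for required in ("aaa-override", "nac", "ip dhcp required"):
                if required not in kids:
                    findings.append(f"wlan {name}: missing '{required}'")
        elif line.startswith("interface ") and "description AP" in kids:
            port_vlan = next((c.split()[-1] for c in kids
                              if c.startswith("switchport access vlan ")), None)
            if mgmt_vlan is None or port_vlan != mgmt_vlan:
                findings.append(f"{line}: AP port in VLAN {port_vlan}, but the wireless "
                                f"management interface is Vlan{mgmt_vlan}")
            if "ip dhcp snooping trust" in kids:
                findings.append(f"{line}: AP port is DHCP-snooping trusted")
    return findings


# Constructed from the fragment in this guide, with the indentation IOS emits.
SAMPLE_CONFIG = """\
radius-server host 192.168.201.88 auth-port 1812 acct-port 1813 test username radius-test idle-time 5 key cisco123
!
wireless mobility controller
wireless management interface Vlan80
!
wlan example_secure 1 example_secure
 aaa-override
 client vlan 30
 nac
 ip dhcp required
 session-timeout 86400
 no shutdown
!
wlan example_open 2 example_open
 aaa-override
 client vlan 40
 mac-filtering default
 nac
 ip dhcp required
 no security wpa
 no security wpa akm dot1x
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 session-timeout 7200
 no shutdown
!
interface GigabitEthernet1/0/17
 description Server
 switchport mode access
 switchport access vlan 201
 ip dhcp snooping trust
 spanning-tree portfast
!
interface GigabitEthernet1/0/9
 description AP
 switchport mode access
 switchport access vlan 80
 spanning-tree portfast
"""
```

On the guide's own configuration the only finding is the clear-text key; dropping mac-filtering from the open WLAN or moving the AP port to another VLAN each produce one more.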
ISE Configuration
There are no specific configurations required for ISE to integrate with 3850 switches for wireless access. The 3850
can be integrated in the same way as other Catalyst switches to support advanced ISE features such as CWA,
BYOD, and Posture Assessment. While this document covers policies related to BYOD, please refer to the
BYOD how-to guide for configuring the underlying services that enable BYOD. This includes configuration of the
CA server, external identity sources, and the supplicant provisioning policy.
Figure 2.
Step 5
Click Save.
To enable the policy set feature, navigate to Administration > System > Settings > Policy Sets,
select Enabled, and click Save.
Procedure 1
Create the downloadable ACL and the authorization profiles below.

dACL:
  Name: INTERNET-ONLY
  DACL Content: (not captured in this copy)

Authorization profiles:
  Name: NSP
    Common Tasks: Web Redirection; Type: (not captured in this copy); ACL: REDIRECT-ACL
  Name: WebAuth
    Common Tasks: Web Redirection; Type: (not captured in this copy); ACL: REDIRECT-ACL
  Name: Internet
    Common Tasks: DACL Name: INTERNET-ONLY
Configure Policy
Step 1
Step 2
Figure 3.
Step 3
Figure 4.
Step 4
Step 5
Click Submit.
Define a policy set named example_open with the following parameters
Figure 5.
Step 6
Click Submit.
Figure 6.
Step 5
Step 6
Step 7
Step 8