Universal Wireless Controller Configuration for Cisco Identity Services Engine. Secure Access How-To Guide Series


Author: Hosuk Won
Date: November 2015

Table of Contents

Introduction
  What Is Cisco Identity Services Engine?
  Cisco Wireless Controllers
  About This Document
Configuration
  Initial Configuration
  Controller Configuration
  Security Configuration
  WLAN Configuration
  Management Configuration
Appendix A: Sample Configuration
  Configuration for WLC Running 8.x Code
  Configuration for Cisco IOS Switch Interface Connected to the WLC
  Configuration for Cisco IOS Switch SVI
Appendix B: Design Considerations
  FlexConnect AP & WLAN
  Auto-Anchored WLAN

Cisco Systems 2016

Introduction

What Is Cisco Identity Services Engine?

Cisco Identity Services Engine (ISE) is an all-in-one enterprise policy control product that enables comprehensive secure wired, wireless, and Virtual Private Networking (VPN) access. Cisco ISE offers a centralized control point for comprehensive policy management and enforcement in a single RADIUS-based product. The unique architecture of Cisco ISE allows enterprises to gather real-time contextual information from networks, users, and devices. The administrator can then use that information to make proactive governance decisions. Cisco ISE is an integral component of Cisco Secure Access.

Cisco Secure Access is an advanced Network Access Control and Identity Solution that is integrated into the Network Infrastructure. It is a fully tested, validated solution where all the components within the solution are thoroughly vetted and rigorously tested as an integrated system.

Cisco Wireless Controllers

Unlike overlay Network Access Control solutions, Cisco Secure Access uses the access layer devices (switches, wireless controllers, etc.) for enforcement. The access device itself now handles functions that were commonly handled by appliances and other overlay devices, such as URL redirection for web authentications. Cisco Secure Access not only combines standards-based identity and enforcement models, such as IEEE 802.1X and VLAN control, it also has many more advanced identity and enforcement capabilities such as URL Redirect, Named Access Control Lists (AireSpace ACLs), Security Group Tagging (SGT), device profiling, guest and web authentication services, posture assessments, and integration with leading Mobile Device Management (MDM) vendors for compliance validation of mobile devices before and during network access.

About This Document

The following section describes the universal configuration for Cisco Wireless LAN Controllers (WLC). These recommended configurations are compiled as a best practice to be used for all deployments, and they remain consistent through the different stages of deployment, as well as the different deployment types chosen.

The following diagram shows the overall layout of the components. There are two access VLANs: ACCESS VLAN for Employee users and GUEST VLAN for Guest users. Although this document doesn't include policy configurations on ISE such as BYOD, Posture Assessment, and profiling, the configuration provided here gives a baseline for such operations.

Figure 1 Component

In the appendix, there are sample configurations that can be copied and pasted with minimal modification. Also in the appendix are the additional configurations that pertain to FlexConnect mode WLAN/AP and WLANs configured in Auto-Anchor mode.

Configuration

Initial Configuration

This section covers initial bootstrapping of WLC using the CLI-based configuration tool.

Table 1. Initial Configuration

Option | Value
Management Interface IP |
Management Interface Mask |
Management Interface Gateway |
Management Interface VLAN ID | 0 (Untagged)
Management Interface Port Number | 1
Virtual Gateway IP |
Mobility/RF Group Name | Main
NTP Server IP |

Note: Initial Configuration applies to new WLC with no prior configuration. If the ISE-related configurations are being added to a WLC with existing configuration, then proceed to the Controller Configuration section.

Step 1 Connect to the console port of the WLC or use virtual console for vwlc. Refer to the following settings to bootstrap the WLC.

(Cisco Controller)
Welcome to the Cisco Wizard Configuration Tool
Use the '-' character to backup
Would you like to terminate autoinstall? [yes]:yes
AUTO-INSTALL: process terminated -- no configuration loaded
System Name [Cisco_91:e2:64] (31 characters max):
Enter Administrative User Name (24 characters max): admin
Enter Administrative Password (3 to 24 characters): ********
Re-enter Administrative Password : ********
Service Interface IP Address Configuration [static][dhcp]:dhcp
Enable Link Aggregation (LAG) [yes][no]: no
Management Interface IP Address:
Management Interface Netmask:
Management Interface Default Router:
Management Interface VLAN Identifier (0 = untagged): 0
Management Interface Port Num [1 to 8]: 1
Management Interface DHCP Server IP Address:
Virtual Gateway IP Address:

Mobility/RF Group Name: Main
Network Name (SSID): EXAMPLE
Configure DHCP Bridging Mode [yes][no]: no
Allow Static IP Addresses [YES][no]: no
Configure a RADIUS Server now? [YES][no]: no
Warning! The default WLAN security policy requires a RADIUS server.
Please see documentation for more details.
Enter Country Code list (enter 'help' for a list of countries) [US]:us
Enable b Network [YES][no]: yes
Enable a Network [YES][no]: yes
Enable g Network [YES][no]: yes
Enable Auto-RF [YES][no]: yes
Configure a NTP server now? [YES][no]: yes
Enter the NTP server's IP address:
Enter a polling interval between 3600 and secs: 3600
Configuration correct? If yes, system will save it and reset. [yes][no]: yes

We recommend that you set the Cisco WLC virtual gateway address to The address you use must be a non-routed IP with a fully qualified domain name (FQDN) mapped in the Domain Name System (DNS). This FQDN/IP address should be added to certificates generated by your CA. This configuration stops users from seeing untrusted certificate errors when they are redirected to the WLC's virtual gateway.

Step 2 After the WLC resets, configure the rest of the WLC settings. This guide includes both GUI and CLI-based configuration for the following sections.

Note: The SSID named EXAMPLE configured during the initialization will not be used in this guide and can be removed by running the following command after the WLC resets.

(WLC) >config wlan delete 1

Controller Configuration

This section covers configuration related to the controller. This includes interface and VLAN configurations for endpoint devices and global controller settings.

Table 2. Interface Configuration

Options | Employee | Guest
Interface Name | ACCESS | GUEST
VLAN ID | |
Dynamic IP | |
Subnet Mask | |
Gateway | |
DHCP Server | |
Port | 1 | 1

Step 3 Configure dynamic interfaces. For GUI, go to Controller > Interfaces.

(WLC) >config interface create ACCESS 10
(WLC) >config interface create GUEST 50

Step 4 Assign a physical port for the dynamic interfaces created above. In this example, all interfaces are assigned to the same physical interface and utilize trunking.

(WLC) >config interface port ACCESS 1
(WLC) >config interface port GUEST 1

Step 5 Configure IP addresses on the interfaces.

(WLC) >config interface address dynamic-interface ACCESS
(WLC) >config interface address dynamic-interface GUEST

Step 6 Configure DHCP server for user interfaces.

(WLC) >config interface dhcp dynamic-interface ACCESS primary
(WLC) >config interface dhcp dynamic-interface GUEST primary

Step 7 Disable DHCP proxy globally and use the router's SVI to forward DHCP requests to the DHCP server. For GUI, go to Controller > Advanced > DHCP.

(WLC) >config dhcp proxy disable

Note: When DHCP proxy is disabled, the WLC bridges DHCP requests to the upstream router. The upstream router should be configured with ip helper-address entries for the DHCP server and for an ISE PSN node, the latter for profiling purposes. While the WLC device sensor can capture DHCP attributes for ISE, it lacks several DHCP attributes, such as the DHCP options attribute. By configuring the upstream router to forward DHCP requests to the ISE node, ISE can collect additional DHCP information for profiling purposes.

Step 8 (Optional) Enable the fast-ssid-change feature to accommodate Apple devices transitioning between SSIDs in a dual SSID deployment. For GUI, go to Controller > General.

(WLC) >config network fast-ssid-change enable

Note: When fast SSID changing is enabled, the controller allows clients to move between SSIDs. When the client sends a new association for a different SSID, the client entry in the controller connection table is cleared before the client is added to the new SSID. When fast SSID changing is disabled, the controller enforces a delay before clients are allowed to move to a new SSID, which impacts user experience in a dual SSID BYOD deployment.

Security Configuration

This section covers configuration related to security, which includes the RADIUS servers and ACLs. The RADIUS servers use ID values of 11 and 12 so as not to overwrite any existing RADIUS settings.

Step 9 Create a RADIUS Authentication server. In this example, there are two ISE nodes, CoA is enabled, and the timeout is set to 5 seconds (default is 2 seconds). Device Management via RADIUS is disabled, and these RADIUS servers are dedicated to network user authentication. For GUI configuration, go to Security > AAA > RADIUS > Authentication > New.

(WLC) >config radius auth add ascii ISEc0ld
(WLC) >config radius auth disable 11
(WLC) >config radius auth management 11 disable
(WLC) >config radius auth retransmit-timeout 11 5
(WLC) >config radius auth rfc3576 enable 11
(WLC) >config radius auth enable 11
(WLC) >config radius auth add ascii ISEc0ld
(WLC) >config radius auth disable 12
(WLC) >config radius auth management 12 disable
(WLC) >config radius auth retransmit-timeout 12 5
(WLC) >config radius auth rfc3576 enable 12
(WLC) >config radius auth enable 12

Step 10 (Optional) Ensure that the MAC address format sent in the Calling-Station-ID field matches the ISE. This should be the default setting.

(WLC) >config radius auth mac-delimiter hyphen

Step 11 (Optional) Configure the format of the RADIUS Called-Station-ID attribute with additional information. The default format is APMAC:SSID. The options for this attribute vary depending on the WLC code version. This field can be used to provide location-based authentication, using the location information of the AP that the endpoint associated with for initial authentication.

(WLC) >config radius callstationidtype ap-macaddr-ssid

Note: This is different from MSE location integration, which uses the endpoint location obtained through WiFi triangulation.

Step 12 Configure RADIUS fallback mode so the primary ISE node is used when it is back online. Without this option, a secondary or tertiary server is used, even if the primary server is back online. For GUI, go to Security > AAA > RADIUS > Fallback.

(WLC) >config radius fallback-test username RADIUS-TEST
(WLC) >config radius fallback-test mode active

Note: Selecting active causes the Cisco WLC to revert to a server with a lower priority from the available backup servers. To select a server, it uses RADIUS probe messages to proactively determine whether a server that has been marked inactive is back online. The controller ignores all inactive servers for all active RADIUS requests. Selecting passive mode causes the Cisco WLC to revert to a server with a lower priority from the available backup servers without using extraneous probe messages. The controller ignores all inactive servers for a time period, and retries later when a RADIUS message needs to be sent.

Step 13 (Optional) The interval specifies the probe interval in the case of active mode fallback or inactive time in the case of passive mode fallback. The default value is 300 seconds.

(WLC) >config radius fallback-test mode interval 300

Step 14 Disable the RADIUS aggressive failover mechanism so the RADIUS server is not marked dead in error.

(WLC) >config radius aggressive-failover disable

Note: If the aggressive failover feature is enabled in the WLC, the WLC is too quick to mark the AAA server as "not responding". One reason not to enable this feature is that the AAA server may be unresponsive only to a particular client, if you configured silent discard. It may still be responding to other valid clients with valid certificates. The WLC can still mark the AAA server as "not responding" and "not functional". To overcome this, disable the aggressive failover feature. If this is disabled, then the controller only fails over to the next AAA server if there are three consecutive clients that fail to receive a response from the RADIUS server.

Step 15 Create RADIUS Accounting servers. For GUI, go to Security > AAA > RADIUS > Accounting > New.

(WLC) >config radius acct add ascii ISEc0ld
(WLC) >config radius acct disable 11
(WLC) >config radius acct retransmit-timeout 11 5
(WLC) >config radius acct enable 11
(WLC) >config radius acct add ascii ISEc0ld
(WLC) >config radius acct disable 12
(WLC) >config radius acct retransmit-timeout 12 5
(WLC) >config radius acct enable 12

Step 16 Create ACL_WEBAUTH_REDIRECT ACL. For GUI, go to Security > Access Control Lists > Access Control Lists > New.

(WLC) >config acl delete ACL_WEBAUTH_REDIRECT
(WLC) >config acl create ACL_WEBAUTH_REDIRECT
(WLC) >config acl rule add ACL_WEBAUTH_REDIRECT 1
(WLC) >config acl rule action ACL_WEBAUTH_REDIRECT 1 permit
(WLC) >config acl rule protocol ACL_WEBAUTH_REDIRECT 1 6
(WLC) >config acl rule source port range ACL_WEBAUTH_REDIRECT
(WLC) >config acl rule destination address ACL_WEBAUTH_REDIRECT
(WLC) >config acl rule destination port range ACL_WEBAUTH_REDIRECT
(WLC) >config acl rule add ACL_WEBAUTH_REDIRECT 1
(WLC) >config acl rule action ACL_WEBAUTH_REDIRECT 1 permit
(WLC) >config acl rule protocol ACL_WEBAUTH_REDIRECT 1 6
(WLC) >config acl rule source address ACL_WEBAUTH_REDIRECT
(WLC) >config acl rule source port range ACL_WEBAUTH_REDIRECT
(WLC) >config acl rule destination port range ACL_WEBAUTH_REDIRECT
(WLC) >config acl rule add ACL_WEBAUTH_REDIRECT 1
(WLC) >config acl rule action ACL_WEBAUTH_REDIRECT 1 permit
(WLC) >config acl rule protocol ACL_WEBAUTH_REDIRECT 1 6
(WLC) >config acl rule source port range ACL_WEBAUTH_REDIRECT
(WLC) >config acl rule destination address ACL_WEBAUTH_REDIRECT
(WLC) >config acl rule destination port range ACL_WEBAUTH_REDIRECT
(WLC) >config acl rule add ACL_WEBAUTH_REDIRECT 1
(WLC) >config acl rule action ACL_WEBAUTH_REDIRECT 1 permit
(WLC) >config acl rule protocol ACL_WEBAUTH_REDIRECT 1 6
(WLC) >config acl rule source address ACL_WEBAUTH_REDIRECT
(WLC) >config acl rule source port range ACL_WEBAUTH_REDIRECT
(WLC) >config acl rule destination port range ACL_WEBAUTH_REDIRECT
(WLC) >config acl rule add ACL_WEBAUTH_REDIRECT 1
(WLC) >config acl rule action ACL_WEBAUTH_REDIRECT 1 permit
(WLC) >config acl rule protocol ACL_WEBAUTH_REDIRECT 1 6
(WLC) >config acl rule source port range ACL_WEBAUTH_REDIRECT
(WLC) >config acl rule destination address ACL_WEBAUTH_REDIRECT
(WLC) >config acl rule destination port range ACL_WEBAUTH_REDIRECT
(WLC) >config acl rule add ACL_WEBAUTH_REDIRECT 1
(WLC) >config acl rule action ACL_WEBAUTH_REDIRECT 1 permit
(WLC) >config acl rule protocol ACL_WEBAUTH_REDIRECT 1 6
(WLC) >config acl rule source address ACL_WEBAUTH_REDIRECT
(WLC) >config acl rule source port range ACL_WEBAUTH_REDIRECT
(WLC) >config acl rule destination port range ACL_WEBAUTH_REDIRECT
(WLC) >config acl rule add ACL_WEBAUTH_REDIRECT 1
(WLC) >config acl rule action ACL_WEBAUTH_REDIRECT 1 permit
(WLC) >config acl rule protocol ACL_WEBAUTH_REDIRECT 1 6
(WLC) >config acl rule source port range ACL_WEBAUTH_REDIRECT
(WLC) >config acl rule destination address ACL_WEBAUTH_REDIRECT
(WLC) >config acl rule destination port range ACL_WEBAUTH_REDIRECT
(WLC) >config acl rule add ACL_WEBAUTH_REDIRECT 1
(WLC) >config acl rule action ACL_WEBAUTH_REDIRECT 1 permit
(WLC) >config acl rule protocol ACL_WEBAUTH_REDIRECT 1 6
(WLC) >config acl rule source address ACL_WEBAUTH_REDIRECT
(WLC) >config acl rule source port range ACL_WEBAUTH_REDIRECT
(WLC) >config acl rule destination port range ACL_WEBAUTH_REDIRECT
(WLC) >config acl rule add ACL_WEBAUTH_REDIRECT 1
(WLC) >config acl rule action ACL_WEBAUTH_REDIRECT 1 permit
(WLC) >config acl rule protocol ACL_WEBAUTH_REDIRECT 1 17
(WLC) >config acl rule source port range ACL_WEBAUTH_REDIRECT
(WLC) >config acl rule destination port range ACL_WEBAUTH_REDIRECT
(WLC) >config acl rule add ACL_WEBAUTH_REDIRECT 1
(WLC) >config acl rule action ACL_WEBAUTH_REDIRECT 1 permit
(WLC) >config acl rule protocol ACL_WEBAUTH_REDIRECT 1 17
(WLC) >config acl rule source port range ACL_WEBAUTH_REDIRECT
(WLC) >config acl rule destination port range ACL_WEBAUTH_REDIRECT

Step 17 (Optional) If desired, DNS ACL entries can be added to the redirect ACL. This allows endpoint access to the Google Play store during the NSP process.

(WLC) >config acl url-domain add play.google.com ACL_WEBAUTH_REDIRECT
(WLC) >config acl url-domain add android.clients.google.com ACL_WEBAUTH_REDIRECT
(WLC) >config acl url-domain add ACL_WEBAUTH_REDIRECT
(WLC) >config acl url-domain add ggpht.com ACL_WEBAUTH_REDIRECT
(WLC) >config acl url-domain add android.pool.ntp.org ACL_WEBAUTH_REDIRECT
(WLC) >config acl url-domain add market.android.com ACL_WEBAUTH_REDIRECT
(WLC) >config acl url-domain add mtalk.google.com ACL_WEBAUTH_REDIRECT
(WLC) >config acl url-domain add gvt1.com ACL_WEBAUTH_REDIRECT

Note: Accommodating client devices with a language setting other than English may require additional domains to be added. Up to 20 domain entries can be added per ACL.

Step 18 Apply ACL to the data path.

(WLC) >config acl apply ACL_WEBAUTH_REDIRECT

Note: When a client is in a redirect state such as POSTURE_REQ, CWA, or Client Provisioning, the default behavior of the WLC is to block all traffic except DHCP/DNS. The ACL_WEBAUTH_REDIRECT ACL (which is called in the url-redirect-acl AV Pair received from Cisco ISE) is applied to the client, and it can reach only resources specifically allowed in the ACL.

Step 19 Create a BLACKHOLE ACL.

(WLC) >config acl delete BLACKHOLE
(WLC) >config acl create BLACKHOLE
(WLC) >config acl rule add BLACKHOLE 1
(WLC) >config acl rule action BLACKHOLE 1 permit
(WLC) >config acl rule protocol BLACKHOLE 1 6
(WLC) >config acl rule source port range BLACKHOLE
(WLC) >config acl rule destination address BLACKHOLE
(WLC) >config acl rule destination port range BLACKHOLE
(WLC) >config acl rule add BLACKHOLE 1
(WLC) >config acl rule action BLACKHOLE 1 permit
(WLC) >config acl rule protocol BLACKHOLE 1 6
(WLC) >config acl rule source address BLACKHOLE
(WLC) >config acl rule source port range BLACKHOLE
(WLC) >config acl rule destination port range BLACKHOLE
(WLC) >config acl rule add BLACKHOLE 1
(WLC) >config acl rule action BLACKHOLE 1 permit
(WLC) >config acl rule protocol BLACKHOLE 1 6
(WLC) >config acl rule source port range BLACKHOLE
(WLC) >config acl rule destination address BLACKHOLE
(WLC) >config acl rule destination port range BLACKHOLE
(WLC) >config acl rule add BLACKHOLE 1
(WLC) >config acl rule action BLACKHOLE 1 permit
(WLC) >config acl rule protocol BLACKHOLE 1 6
(WLC) >config acl rule source address BLACKHOLE
(WLC) >config acl rule source port range BLACKHOLE
(WLC) >config acl rule destination port range BLACKHOLE
(WLC) >config acl rule add BLACKHOLE 1
(WLC) >config acl rule action BLACKHOLE 1 permit
(WLC) >config acl rule protocol BLACKHOLE 1 17
(WLC) >config acl rule source port range BLACKHOLE
(WLC) >config acl rule destination port range BLACKHOLE
(WLC) >config acl rule add BLACKHOLE 1
(WLC) >config acl rule action BLACKHOLE 1 permit
(WLC) >config acl rule protocol BLACKHOLE 1 17
(WLC) >config acl rule source port range BLACKHOLE
(WLC) >config acl rule destination port range BLACKHOLE

Step 20 Apply ACL to the data path.

(WLC) >config acl apply BLACKHOLE

WLAN Configuration

This section covers configuration related to the Secured WLAN for Employee devices. This includes WLAN settings. The WLANs use ID values of 11 and 12 so as not to overwrite any existing WLAN settings. This example configures two WLANs:

ISE is a secured WLAN with WLAN ID 11, used for employee access and Single SSID BYOD flow.
OPEN is an open WLAN with WLAN ID 12, used for guest access.

Table 3.

Option | Secured WLAN | Open WLAN
WLAN ID | |
WLAN Name | ISE | OPEN
SSID | ISE | OPEN
Interface | ACCESS | GUEST
L2 Security | WPA/WPA2 & 802.1X | MAC Filtering
L3 Security | None | None
RADIUS Auth Server | 11 & 12 | 11 & 12
RADIUS Acct Server | 11 & 12 | 11 & 12
RADIUS Interim ACCT | Enabled | Enabled
Interim Update Interval | 0 Seconds | 0 Seconds
AAA Override | Enabled | Enabled
Idle Timeout | 180 Seconds | 180 Seconds
NAC | NAC_RADIUS | NAC_RADIUS
Device Sensor | DHCP & HTTP | DHCP & HTTP

Step 21 Create ISE WLAN using WLAN ID 11. For GUI, go to WLANs > Create New > Go.

(WLC) >config wlan create 11 ISE ISE

Step 22 Assign previously created interface ISE to the WLAN.

(WLC) >config wlan interface 11 ACCESS

Note: When WLANs are added to the WLC, they are already enabled with WPA and 802.1X.

Step 23 Assign previously created RADIUS Auth and Acct servers to the WLAN.

(WLC) >config wlan radius_server auth add
(WLC) >config wlan radius_server auth add
(WLC) >config wlan radius_server acct add
(WLC) >config wlan radius_server acct add

Step 24 Configure interim accounting updates for the endpoints. The following setting applies to 8.x code.

(WLC) >config wlan radius_server acct interim-update 0 11
(WLC) >config wlan radius_server acct interim-update enable 11

Note: For 7.6 code, disable interim accounting. Although it is disabled, the WLC will still send accounting updates for mobility events for the endpoint.

(WLC) >config wlan radius_server acct interim-update disable 11

Note: For any other previous versions.

(WLC) >config wlan radius_server acct interim-update
(WLC) >config wlan radius_server acct interim-update enable 11

Step 25 Configure WLAN to accept AuthZ attributes from ISE.

(WLC) >config wlan aaa-override enable 11

Step 26 (Optional) Configure idle timeout.

(WLC) >config wlan usertimeout

Step 27 Enable nac-radius for the WLAN.

(WLC) >config wlan nac radius enable 11

Step 28 Enable device sensor for HTTP and DHCP.

(WLC) >config wlan profiling radius all enable 11

Step 29 Enable Secured WLAN.

(WLC) >config wlan enable 11

Step 30 Create OPEN WLAN using WLAN ID 12.

(WLC) >config wlan create 12 OPEN OPEN

Step 31 Assign previously created interface GUEST to the WLAN.

(WLC) >config wlan interface 12 GUEST

Step 32 Disable L2 security for open WLAN.

(WLC) >config wlan security wpa disable 12

Step 33 Enable MAC filtering for CWA.

(WLC) >config wlan mac-filtering enable 12

Step 34 Assign previously created RADIUS Auth and Acct servers to the WLAN.

(WLC) >config wlan radius_server auth add
(WLC) >config wlan radius_server auth add
(WLC) >config wlan radius_server acct add
(WLC) >config wlan radius_server acct add

Step 35 Configure interim accounting updates for the endpoints. The following setting applies to 8.x code.

(WLC) >config wlan radius_server acct interim-update 0 12
(WLC) >config wlan radius_server acct interim-update enable 12

Note: For 7.6 code, disable interim accounting. Although it is disabled, the WLC will still send accounting updates for mobility events for the endpoint.

(WLC) >config wlan radius_server acct interim-update disable 12

Note: For any other previous versions.

(WLC) >config wlan radius_server acct interim-update
(WLC) >config wlan radius_server acct interim-update enable 12

Step 36 Configure WLAN to accept AuthZ attributes from ISE.

(WLC) >config wlan aaa-override enable 12

Step 37 Configure session timeout.

(WLC) >config wlan session-timeout

Step 38 Configure idle timeout.

(WLC) >config wlan usertimeout

Step 39 (Optional) Configure other parameters necessary for open WLAN.

(WLC) >config wlan chd 12 disable
(WLC) >config wlan ccx AironetIeSupport disable 12
(WLC) >config wlan dhcp_server required

Step 40 Enable nac-radius for the WLAN.

(WLC) >config wlan nac radius enable 12

Step 41 Enable device sensor for HTTP and DHCP.

(WLC) >config wlan profiling radius all enable 12

Step 42 Enable Open WLAN.

(WLC) >config wlan enable 12

Management Configuration

This section covers configuration related to General Controller Management. This includes Captive Portal Bypass and HTTPS redirect settings.

Step 43 Enable captive portal bypass to prevent the mini browser from popping up when an Apple device associates to the WLAN. This takes effect after the WLC has been restarted. There is no GUI for this configuration.

(WLC) >config network web-auth captive-bypass enable

Step 44 (Optional) Enable HTTPS redirect on 8.x code. For GUI, go to Management > HTTP-HTTPS > HTTPS Redirection > Enabled.

(WLC) >config network web-auth https-redirect enable

Note: This is not recommended in a production environment due to the added load on the controller and the reduced number of web auth sessions that the WLC can handle when it is enabled.

Step 45 Save configuration.

(WLC) >save config

Step 46 Reload the controller to have the captive portal bypass setting take effect.

(WLC) >reset system

Appendix A: Sample Configuration

Configuration for WLC Running 8.x Code

Configuration for previous versions of WLC is identical with the exception of the interim accounting settings under each WLAN configuration. Please refer to the main section of the document for the proper configuration for previous versions.

config interface create ACCESS 10
config interface create GUEST 50
config interface port ACCESS 1
config interface port GUEST 1
config interface address dynamic-interface ACCESS
config interface address dynamic-interface GUEST
config interface dhcp dynamic-interface ACCESS primary
config interface dhcp dynamic-interface GUEST primary
config dhcp proxy disable
config radius auth add ascii ISEc0ld
config radius auth disable 11
config radius auth management 11 disable
config radius auth retransmit-timeout 11 5
config radius auth rfc3576 enable 11
config radius auth enable 11
config radius auth add ascii ISEc0ld
config radius auth disable 12
config radius auth management 12 disable
config radius auth retransmit-timeout 12 5
config radius auth rfc3576 enable 12
config radius auth enable 12
config radius fallback-test username RADIUS-TEST
config radius fallback-test mode active
config radius aggressive-failover disable
config radius acct add ascii ISEc0ld
config radius acct disable 11
config radius acct retransmit-timeout 11 5
config radius acct enable 11
config radius acct add ascii ISEc0ld
config radius acct disable 12
config radius acct retransmit-timeout 12 5
config radius acct enable 12
config acl delete ACL_WEBAUTH_REDIRECT
config acl create ACL_WEBAUTH_REDIRECT
config acl rule add ACL_WEBAUTH_REDIRECT 1
config acl rule action ACL_WEBAUTH_REDIRECT 1 permit
config acl rule protocol ACL_WEBAUTH_REDIRECT 1 6
config acl rule source port range ACL_WEBAUTH_REDIRECT
config acl rule destination address ACL_WEBAUTH_REDIRECT
config acl rule destination port range ACL_WEBAUTH_REDIRECT
config acl rule add ACL_WEBAUTH_REDIRECT 1
config acl rule action ACL_WEBAUTH_REDIRECT 1 permit
config acl rule protocol ACL_WEBAUTH_REDIRECT 1 6
config acl rule source address ACL_WEBAUTH_REDIRECT
config acl rule source port range ACL_WEBAUTH_REDIRECT
config acl rule destination port range ACL_WEBAUTH_REDIRECT
config acl rule add ACL_WEBAUTH_REDIRECT 1
config acl rule action ACL_WEBAUTH_REDIRECT 1 permit
config acl rule protocol ACL_WEBAUTH_REDIRECT 1 6
config acl rule source port range ACL_WEBAUTH_REDIRECT
config acl rule destination address ACL_WEBAUTH_REDIRECT
config acl rule destination port range ACL_WEBAUTH_REDIRECT
config acl rule add ACL_WEBAUTH_REDIRECT 1
config acl rule action ACL_WEBAUTH_REDIRECT 1 permit
config acl rule protocol ACL_WEBAUTH_REDIRECT 1 6
config acl rule source address ACL_WEBAUTH_REDIRECT
config acl rule source port range ACL_WEBAUTH_REDIRECT
config acl rule destination port range ACL_WEBAUTH_REDIRECT
config acl rule add ACL_WEBAUTH_REDIRECT 1
config acl rule action ACL_WEBAUTH_REDIRECT 1 permit
config acl rule protocol ACL_WEBAUTH_REDIRECT 1 6
config acl rule source port range ACL_WEBAUTH_REDIRECT
config acl rule destination address ACL_WEBAUTH_REDIRECT
config acl rule destination port range ACL_WEBAUTH_REDIRECT
config acl rule add ACL_WEBAUTH_REDIRECT 1
config acl rule action ACL_WEBAUTH_REDIRECT 1 permit
config acl rule protocol ACL_WEBAUTH_REDIRECT 1 6
config acl rule source address ACL_WEBAUTH_REDIRECT
config acl rule source port range ACL_WEBAUTH_REDIRECT
config acl rule destination port range ACL_WEBAUTH_REDIRECT
config acl rule add ACL_WEBAUTH_REDIRECT 1
config acl rule action ACL_WEBAUTH_REDIRECT 1 permit
config acl rule protocol ACL_WEBAUTH_REDIRECT 1 6
config acl rule source port range ACL_WEBAUTH_REDIRECT
config acl rule destination address ACL_WEBAUTH_REDIRECT
config acl rule destination port range ACL_WEBAUTH_REDIRECT
config acl rule add ACL_WEBAUTH_REDIRECT 1
config acl rule action ACL_WEBAUTH_REDIRECT 1 permit
config acl rule protocol ACL_WEBAUTH_REDIRECT 1 6
config acl rule source address ACL_WEBAUTH_REDIRECT
config acl rule source port range ACL_WEBAUTH_REDIRECT
config acl rule destination port range ACL_WEBAUTH_REDIRECT
config acl rule add ACL_WEBAUTH_REDIRECT 1
config acl rule action ACL_WEBAUTH_REDIRECT 1 permit
config acl rule protocol ACL_WEBAUTH_REDIRECT 1 17
config acl rule source port range ACL_WEBAUTH_REDIRECT
config acl rule destination port range ACL_WEBAUTH_REDIRECT
config acl rule add ACL_WEBAUTH_REDIRECT 1
config acl rule action ACL_WEBAUTH_REDIRECT 1 permit
config acl rule protocol ACL_WEBAUTH_REDIRECT 1 17
config acl rule source port range ACL_WEBAUTH_REDIRECT
config acl apply ACL_WEBAUTH_REDIRECT
config acl delete BLACKHOLE
config acl create BLACKHOLE
config acl rule add BLACKHOLE 1
config acl rule action BLACKHOLE 1 permit
config acl rule protocol BLACKHOLE 1 6
config acl rule source port range BLACKHOLE
config acl rule destination address BLACKHOLE
config acl rule destination port range BLACKHOLE
config acl rule add BLACKHOLE 1
config acl rule action BLACKHOLE 1 permit
config acl rule protocol BLACKHOLE 1 6
config acl rule source address BLACKHOLE
config acl rule source port range BLACKHOLE
config acl rule destination port range BLACKHOLE
config acl rule add BLACKHOLE 1
config acl rule action BLACKHOLE 1 permit
config acl rule protocol BLACKHOLE 1 6
config acl rule source port range BLACKHOLE
config acl rule destination address BLACKHOLE
config acl rule destination port range BLACKHOLE
config acl rule add BLACKHOLE 1
config acl rule action BLACKHOLE 1 permit
config acl rule protocol BLACKHOLE 1 6
config acl rule source address BLACKHOLE
config acl rule source port range BLACKHOLE
config acl rule destination port range BLACKHOLE
config acl rule add BLACKHOLE 1
config acl rule action BLACKHOLE 1 permit
config acl rule protocol BLACKHOLE 1 17
config acl rule source port range BLACKHOLE
config acl rule destination port range BLACKHOLE
config acl rule add BLACKHOLE 1
config acl rule action BLACKHOLE 1 permit
config acl rule protocol BLACKHOLE 1 17
config acl rule source port range BLACKHOLE
config acl rule destination port range BLACKHOLE
config acl apply BLACKHOLE
config wlan create 11 ISE ISE
config wlan interface 11 ACCESS
config wlan radius_server auth add
config wlan radius_server auth add
config wlan radius_server acct add
config wlan radius_server acct add
config wlan radius_server acct interim-update 0 11
config wlan radius_server acct interim-update enable 11
config wlan aaa-override enable 11
config wlan usertimeout
config wlan nac radius enable 11
config wlan profiling radius all enable 11
config wlan enable 11
config wlan create 12 OPEN OPEN
config wlan interface 12 GUEST
config wlan security wpa disable 12
config wlan mac-filtering enable 12
config wlan radius_server auth add
config wlan radius_server auth add
config wlan radius_server acct add
config wlan radius_server acct add
config wlan radius_server acct interim-update 0 12
config wlan radius_server acct interim-update enable 12
config wlan aaa-override enable 12
config wlan session-timeout
config wlan usertimeout
config wlan chd 12 disable
config wlan ccx AironetIeSupport disable 12
config wlan dhcp_server required
config wlan nac radius enable 12
config wlan profiling radius all enable 12
config wlan enable 12
config network web-auth captive-bypass enable
save config
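An added example, not part of the Cisco guide: a Python check that reads a WLC command script in the form Appendix A uses and reports where it departs from the settings this guide recommends for the global options, each RADIUS authentication server and each WLAN. The `audit` function, the rule table and the sample script are constructed for illustration; a setting that does not appear in the script is reported as found `None`, because the script alone cannot show the controller's running value.

```python
import re

# Settings recommended in this guide, as patterns over the CLI form it uses.
# Scope "global" has no id; the other scopes are checked once per id seen.
RULES = [
    ("global", "dhcp proxy", r"config dhcp proxy (?P<val>\w+)", "disable"),
    ("global", "radius aggressive-failover",
     r"config radius aggressive-failover (?P<val>\w+)", "disable"),
    ("global", "radius fallback-test mode",
     r"config radius fallback-test mode (?P<val>\w+)", "active"),
    ("global", "web-auth captive-bypass",
     r"config network web-auth captive-bypass (?P<val>\w+)", "enable"),
    ("radius-auth", "management",
     r"config radius auth management (?P<id>\d+) (?P<val>\w+)", "disable"),
    ("radius-auth", "rfc3576",
     r"config radius auth rfc3576 (?P<val>\w+) (?P<id>\d+)", "enable"),
    ("radius-auth", "retransmit-timeout",
     r"config radius auth retransmit-timeout (?P<id>\d+) (?P<val>\d+)", "5"),
    ("wlan", "aaa-override",
     r"config wlan aaa-override (?P<val>\w+) (?P<id>\d+)", "enable"),
    ("wlan", "nac radius",
     r"config wlan nac radius (?P<val>\w+) (?P<id>\d+)", "enable"),
    ("wlan", "profiling radius all",
     r"config wlan profiling radius all (?P<val>\w+) (?P<id>\d+)", "enable"),
]
# Lines that only reveal that a WLAN or RADIUS server index exists.
DISCOVER = [
    ("wlan", r"config wlan create (?P<id>\d+) .+"),
    ("radius-auth", r"config radius auth (?:enable|disable) (?P<id>\d+)"),
]
PROMPT = re.compile(r"^\(WLC\)\s*>\s*")   # optional "(WLC) >" prompt prefix

# Constructed sample script: server 12, WLAN 12 and one global setting
# deliberately deviate from the guide.
SAMPLE_CONFIG = """\
config dhcp proxy disable
config radius auth management 11 disable
config radius auth retransmit-timeout 11 5
config radius auth rfc3576 enable 11
config radius auth enable 11
config radius auth management 12 enable
config radius auth retransmit-timeout 12 2
config radius auth enable 12
config radius fallback-test mode active
config radius aggressive-failover enable
config wlan create 11 ISE ISE
config wlan aaa-override enable 11
config wlan nac radius enable 11
config wlan profiling radius all enable 11
config wlan create 12 OPEN OPEN
config wlan security wpa disable 12
config wlan mac-filtering enable 12
config wlan aaa-override enable 12
config network web-auth captive-bypass enable
"""


def audit(config_text):
    """Return (scope, id, setting, expected, found) for each deviation."""
    seen = {}                                   # (scope, id, setting) -> last value
    ids = {"radius-auth": set(), "wlan": set()}
    for raw in config_text.splitlines():
        # Drop the prompt and normalise whitespace before matching.
        line = " ".join(PROMPT.sub("", raw.strip()).split())
        for scope, rx in DISCOVER:
            m = re.fullmatch(rx, line)
            if m:
                ids[scope].add(m.group("id"))
        for scope, setting, rx, _expected in RULES:
            m = re.fullmatch(rx, line)
            if m:
                obj = m.groupdict().get("id")
                seen[(scope, obj, setting)] = m.group("val")   # last line wins
                if obj is not None:
                    ids[scope].add(obj)
    findings = []
    for scope, setting, _rx, expected in RULES:
        targets = [None] if scope == "global" else sorted(ids[scope], key=int)
        for obj in targets:
            found = seen.get((scope, obj, setting))   # None: not set in the script
            if found != expected:
                findings.append((scope, obj, setting, expected, found))
    return findings


if __name__ == "__main__":
    for scope, obj, setting, expected, found in audit(SAMPLE_CONFIG):
        target = scope if obj is None else f"{scope} {obj}"
        print(f"{target}: {setting} expected {expected!r}, found {found!r}")
```
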

Configuration for Cisco IOS Switch Interface Connected to the WLC

description WLC Port 1
switchport trunk encapsulation dot1q
switchport trunk native vlan 60
switchport mode trunk

Configuration for Cisco IOS Switch SVI

interface vlan 10
 description ACCESS
 ip address
 ip helper-address
 ip helper-address
interface vlan 50
 description GUEST
 ip address
 ip helper-address
 ip helper-address

Appendix B: Design Considerations

FlexConnect AP & WLAN

FlexConnect mode, formerly known as H-REAP mode, allows APs to locally switch user traffic for certain WLANs typically deployed in branch offices. That allows wireless traffic to stay within the branch office. In this design, when an endpoint associates to a FlexConnect enabled WLAN, the endpoint authenticates inside the CAPWAP tunnel from the LAP to the controller. However, once authenticated, the traffic is switched locally from the LAP to the local LAN instead of through the central Wireless Controller.

The integration with ISE and FlexConnect mode AP has been supported since WLC v7.5. However, the integration requires a specific configuration. Aside from configuring WLANs and APs into FlexConnect mode, the Redirect ACLs also must be re-created as FlexConnect ACLs, and downloaded to the FlexConnect group or individual APs.

First create ACL_WEBAUTH_REDIRECT & BLACKHOLE FlexConnect ACLs

config flexconnect acl create ACL_WEBAUTH_REDIRECT
config flexconnect acl rule add ACL_WEBAUTH_REDIRECT 1
config flexconnect acl rule action ACL_WEBAUTH_REDIRECT 1 permit
config flexconnect acl rule protocol ACL_WEBAUTH_REDIRECT 1 6
config flexconnect acl rule source port range ACL_WEBAUTH_REDIRECT
config flexconnect acl rule destination address ACL_WEBAUTH_REDIRECT
config flexconnect acl rule destination port range ACL_WEBAUTH_REDIRECT
config flexconnect acl rule add ACL_WEBAUTH_REDIRECT 1
config flexconnect acl rule action ACL_WEBAUTH_REDIRECT 1 permit
config flexconnect acl rule protocol ACL_WEBAUTH_REDIRECT 1 6
config flexconnect acl rule source address ACL_WEBAUTH_REDIRECT
config flexconnect acl rule source port range ACL_WEBAUTH_REDIRECT
config flexconnect acl rule destination port range ACL_WEBAUTH_REDIRECT
config flexconnect acl rule add ACL_WEBAUTH_REDIRECT 1
config flexconnect acl rule action ACL_WEBAUTH_REDIRECT 1 permit
config flexconnect acl rule protocol ACL_WEBAUTH_REDIRECT 1 6
config flexconnect acl rule source port range ACL_WEBAUTH_REDIRECT
config flexconnect acl rule destination address ACL_WEBAUTH_REDIRECT
config flexconnect acl rule destination port range ACL_WEBAUTH_REDIRECT
config flexconnect acl rule add ACL_WEBAUTH_REDIRECT 1
config flexconnect acl rule action ACL_WEBAUTH_REDIRECT 1 permit
config flexconnect acl rule protocol ACL_WEBAUTH_REDIRECT 1 6
config flexconnect acl rule source address ACL_WEBAUTH_REDIRECT
config flexconnect acl rule source port range ACL_WEBAUTH_REDIRECT
config flexconnect acl rule destination port range ACL_WEBAUTH_REDIRECT
config flexconnect acl rule add ACL_WEBAUTH_REDIRECT 1
config flexconnect acl rule action ACL_WEBAUTH_REDIRECT 1 permit
config flexconnect acl rule protocol ACL_WEBAUTH_REDIRECT 1 6
config flexconnect acl rule source port range ACL_WEBAUTH_REDIRECT
config flexconnect acl rule destination address ACL_WEBAUTH_REDIRECT
config flexconnect acl rule destination port range ACL_WEBAUTH_REDIRECT
config flexconnect acl rule add ACL_WEBAUTH_REDIRECT 1
config flexconnect acl rule action ACL_WEBAUTH_REDIRECT 1 permit
config flexconnect acl rule protocol ACL_WEBAUTH_REDIRECT 1 6
config flexconnect acl rule source address ACL_WEBAUTH_REDIRECT
config flexconnect acl rule source port range ACL_WEBAUTH_REDIRECT
config flexconnect acl rule destination port range ACL_WEBAUTH_REDIRECT
config flexconnect acl rule add ACL_WEBAUTH_REDIRECT 1
config flexconnect acl rule action ACL_WEBAUTH_REDIRECT 1 permit
config flexconnect acl rule protocol ACL_WEBAUTH_REDIRECT 1 6
config flexconnect acl rule source port range ACL_WEBAUTH_REDIRECT

config flexconnect acl rule destination address ACL_WEBAUTH_REDIRECT
config flexconnect acl rule destination port range ACL_WEBAUTH_REDIRECT
config flexconnect acl rule add ACL_WEBAUTH_REDIRECT 1
config flexconnect acl rule action ACL_WEBAUTH_REDIRECT 1 permit
config flexconnect acl rule protocol ACL_WEBAUTH_REDIRECT 1 6
config flexconnect acl rule source address ACL_WEBAUTH_REDIRECT
config flexconnect acl rule source port range ACL_WEBAUTH_REDIRECT
config flexconnect acl rule destination port range ACL_WEBAUTH_REDIRECT
config flexconnect acl rule add ACL_WEBAUTH_REDIRECT 1
config flexconnect acl rule action ACL_WEBAUTH_REDIRECT 1 permit
config flexconnect acl rule protocol ACL_WEBAUTH_REDIRECT 1 17
config flexconnect acl rule source port range ACL_WEBAUTH_REDIRECT
config flexconnect acl rule destination port range ACL_WEBAUTH_REDIRECT
config flexconnect acl rule add ACL_WEBAUTH_REDIRECT 1
config flexconnect acl rule action ACL_WEBAUTH_REDIRECT 1 permit
config flexconnect acl rule protocol ACL_WEBAUTH_REDIRECT 1 17
config flexconnect acl rule source port range ACL_WEBAUTH_REDIRECT
config flexconnect acl apply ACL_WEBAUTH_REDIRECT
config flexconnect acl create BLACKHOLE
config flexconnect acl rule add BLACKHOLE 1
config flexconnect acl rule action BLACKHOLE 1 permit
config flexconnect acl rule protocol BLACKHOLE 1 6
config flexconnect acl rule source port range BLACKHOLE
config flexconnect acl rule destination address BLACKHOLE
config flexconnect acl rule destination port range BLACKHOLE
config flexconnect acl rule add BLACKHOLE 1
config flexconnect acl rule action BLACKHOLE 1 permit
config flexconnect acl rule protocol BLACKHOLE 1 6
config flexconnect acl rule source address BLACKHOLE
config flexconnect acl rule source port range BLACKHOLE
config flexconnect acl rule destination port range BLACKHOLE
config flexconnect acl rule add BLACKHOLE 1
config flexconnect acl rule action BLACKHOLE 1 permit
config flexconnect acl rule protocol BLACKHOLE 1 6
config flexconnect acl rule source port range BLACKHOLE
config flexconnect acl rule destination address BLACKHOLE
config flexconnect acl rule destination port range BLACKHOLE
config flexconnect acl rule add BLACKHOLE 1
config flexconnect acl rule action BLACKHOLE 1 permit
config flexconnect acl rule protocol BLACKHOLE 1 6
config flexconnect acl rule source address BLACKHOLE
config flexconnect acl rule source port range BLACKHOLE
config flexconnect acl rule destination port range BLACKHOLE
config flexconnect acl rule add BLACKHOLE 1
config flexconnect acl rule action BLACKHOLE 1 permit
config flexconnect acl rule protocol BLACKHOLE 1 17
config flexconnect acl rule source port range BLACKHOLE
config flexconnect acl rule destination port range BLACKHOLE
config flexconnect acl rule add BLACKHOLE 1
config flexconnect acl rule action BLACKHOLE 1 permit
config flexconnect acl rule protocol BLACKHOLE 1 17
config flexconnect acl rule source port range BLACKHOLE
config flexconnect acl rule destination port range BLACKHOLE
config flexconnect acl apply BLACKHOLE

Once created, add them to the FlexConnect APs.

config ap flexconnect policy acl add ACL_WEBAUTH_REDIRECT AP_NAME
config ap flexconnect policy acl add BLACKHOLE AP_NAME

Note: While FlexConnect mode supports additional configurations such as Local authentication, those options have not been tested as part of ISE integration. Also, while this document goes over the required configuration using individual APs, it is generally easier to configure FlexConnect groups to manage settings for the APs.

Also note the following caveats for FlexConnect mode AP Local Switching deployment with ISE:

- Endpoints utilizing FlexConnect must be able to access the ISE node
- FlexConnect ACL does not support DNS ACL
- TrustSec for locally switched traffic is not supported

While it is the FlexConnect ACL that gets applied to the FlexConnect endpoint sessions, older versions of WLC may fail to apply the FlexConnect ACL without a regular ACL with the same ACL name already in place. At minimum, it will require a regular ACL name registered to the WLC. In that case, simply create an empty ACL as follows:

config acl create ACL_WEBAUTH_REDIRECT
config acl apply ACL_WEBAUTH_REDIRECT
config acl create BLACKHOLE
config acl apply BLACKHOLE

Auto-Anchored WLAN

Customers often configure Auto-Anchor (AKA Guest Tunneling) to tunnel guest WLAN traffic to an anchor controller residing in a DMZ for added security. This is a supported configuration with ISE Central WebAuth. However, a specific configuration is needed to make this work. The WLAN can be set up as for a normal Auto-Anchor deployment with one exception: the RADIUS Accounting server needs to be disabled on the Anchor Controller WLAN. Assuming the OPEN WLAN is being anchored, here is an example of the WLAN settings on the anchor controller:
config wlan create 12 OPEN OPEN
config wlan interface 12 GUEST
config wlan security wpa disable 12
config wlan mac-filtering enable 12
config wlan radius_server auth disable 12
config wlan radius_server acct disable 12
config wlan radius_server acct interim-update disable 12
config wlan aaa-override enable 12
config wlan session-timeout
config wlan usertimeout
config wlan chd 12 disable
config wlan ccx AironetIeSupport disable 12
config wlan dhcp_server required
config wlan nac radius enable 12
config wlan profiling radius all enable 12
config wlan enable 12

Note: The RADIUS settings are disabled in the preceding example; however, the anchor controller will receive the ACL name to apply to the session from ISE, relayed by the foreign controller in the mobility message. It is essential that the anchor controller configuration includes the redirect ACL, so it can be applied to the user session when called upon by the foreign controller.
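A configuration check for the two Appendix B notes above (the same-named regular ACL that older WLC code needs beside each FlexConnect ACL, and the accounting and redirect ACL requirements on the anchor controller), written as an added example that is not part of the Cisco guide. The sample command lists, the AP name BRANCH-AP-1 and the server index in `acct add 12 1` are constructed, and the parser assumes the WLAN ID is the first argument after `add` or `disable`.

```python
"""Audit WLC 'config ...' command lists against the Appendix B notes (added example)."""

REDIRECT_ACL = "ACL_WEBAUTH_REDIRECT"
SESSION_ACLS = (REDIRECT_ACL, "BLACKHOLE")  # the two ACLs this guide creates


def parse(config_text):
    """Collect only the facts the checks need; a later command overrides an earlier one."""
    facts = {"acl": set(), "flex_acl": set(), "ap_acl": {}, "wlans": {}, "acct": {}}
    for line in config_text.splitlines():
        tok = line.split()
        if tok[:2] == ["config", "acl"] and len(tok) == 4:
            if tok[2] == "create":
                facts["acl"].add(tok[3])
            elif tok[2] == "delete":
                facts["acl"].discard(tok[3])
        elif tok[:4] == ["config", "flexconnect", "acl", "create"] and len(tok) == 5:
            facts["flex_acl"].add(tok[4])
        elif tok[:6] == ["config", "ap", "flexconnect", "policy", "acl", "add"] and len(tok) == 8:
            facts["ap_acl"].setdefault(tok[7], set()).add(tok[6])
        elif tok[:3] == ["config", "wlan", "create"] and len(tok) >= 5:
            facts["wlans"][tok[3]] = tok[4]
        elif tok[:4] == ["config", "wlan", "radius_server", "acct"] and len(tok) >= 6:
            # 'acct interim-update ...' is a separate setting and is skipped.
            # Assumption: the WLAN ID is the first argument after add/disable.
            if tok[4] in ("add", "disable"):
                facts["acct"][tok[5]] = tok[4]
    return facts


def audit_flexconnect(facts):
    """FlexConnect ACLs need a same-named regular ACL and must be added to each AP."""
    findings = []
    for name in SESSION_ACLS:
        if name not in facts["flex_acl"]:
            findings.append(f"FlexConnect ACL {name} is not created")
        elif name not in facts["acl"]:
            findings.append(f"FlexConnect ACL {name} has no regular ACL of the same name")
    for ap in sorted(facts["ap_acl"]):
        for name in SESSION_ACLS:
            if name not in facts["ap_acl"][ap]:
                findings.append(f"AP {ap}: FlexConnect ACL {name} not added")
    return findings


def audit_anchor(facts, wlan_id):
    """Anchor WLAN: accounting explicitly disabled, redirect ACL present locally."""
    findings = []
    if wlan_id not in facts["wlans"]:
        findings.append(f"WLAN {wlan_id} is not created")
    if facts["acct"].get(wlan_id) != "disable":
        findings.append(f"WLAN {wlan_id}: RADIUS accounting is not disabled")
    if REDIRECT_ACL not in facts["acl"]:
        findings.append(f"redirect ACL {REDIRECT_ACL} is missing")
    return findings


# Constructed sample: BLACKHOLE exists only as a FlexConnect ACL and was not
# added to the AP.
FLEX_SAMPLE = """\
config acl create ACL_WEBAUTH_REDIRECT
config acl apply ACL_WEBAUTH_REDIRECT
config flexconnect acl create ACL_WEBAUTH_REDIRECT
config flexconnect acl apply ACL_WEBAUTH_REDIRECT
config flexconnect acl create BLACKHOLE
config flexconnect acl apply BLACKHOLE
config ap flexconnect policy acl add ACL_WEBAUTH_REDIRECT BRANCH-AP-1
"""

# Constructed sample: anchor WLAN copied from the foreign controller, so
# accounting is still attached and the redirect ACL was never created.
ANCHOR_SAMPLE = """\
config wlan create 12 OPEN OPEN
config wlan radius_server auth disable 12
config wlan radius_server acct add 12 1
config wlan radius_server acct interim-update disable 12
config wlan enable 12
"""

# The two commands that bring the anchor sample in line with the guide.
ANCHOR_FIX = """\
config wlan radius_server acct disable 12
config acl create ACL_WEBAUTH_REDIRECT
"""

if __name__ == "__main__":
    for title, findings in (
        ("FlexConnect", audit_flexconnect(parse(FLEX_SAMPLE))),
        ("Anchor, as found", audit_anchor(parse(ANCHOR_SAMPLE), "12")),
        ("Anchor, corrected", audit_anchor(parse(ANCHOR_SAMPLE + ANCHOR_FIX), "12")),
    ):
        print(title)
        for finding in findings or ["no findings"]:
            print("  " + finding)
```

Only the `create`, `delete`, `policy acl add` and `radius_server acct` commands are read; rule contents are not evaluated.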


More information

Configuring Web-Based Authentication

Configuring Web-Based Authentication CHAPTER 42 This chapter describes how to configure web-based authentication. It consists of these sections: About Web-Based Authentication, page 42-1, page 42-5 Displaying Web-Based Authentication Status,

More information

Configuring Network Admission Control

Configuring Network Admission Control 45 CHAPTER This chapter describes how to configure Network Admission Control (NAC) on Catalyst 6500 series switches. With a PFC3, Release 12.2(18)SXF2 and later releases support NAC. Note For complete

More information

Software-Defined Access Wireless

Software-Defined Access Wireless Introduction to, page 1 Configuring SD-Access Wireless (CLI), page 7 Enabling SD-Access Wireless (GUI), page 8 Configuring SD-Access Wireless VNID (GUI), page 9 Configuring SD-Access Wireless WLAN (GUI),

More information

DHCP Server RADIUS Proxy

DHCP Server RADIUS Proxy The Dynamic Host Configuration Protocol (DHCP) Server RADIUS Proxy is a RADIUS-based address assignment mechanism in which a DHCP server authorizes remote clients and allocates addresses based on replies

More information

DumpsFree. DumpsFree provide high-quality Dumps VCE & dumps demo free download

DumpsFree.   DumpsFree provide high-quality Dumps VCE & dumps demo free download DumpsFree http://www.dumpsfree.com DumpsFree provide high-quality Dumps VCE & dumps demo free download Exam : 300-208 Title : Implementing Cisco Secure Access Solutions Vendor : Cisco Version : DEMO Get

More information

Cisco TrustSec How-To Guide: Phased Deployment Overview

Cisco TrustSec How-To Guide: Phased Deployment Overview Cisco TrustSec How-To Guide: Phased Deployment Overview For Comments, please email: howtoguides@external.cisco.com Current Document Version: 3.0 August 27, 2012 Table of Contents Table of Contents... 2

More information

Configuring Network Admission Control

Configuring Network Admission Control CHAPTER 59 This chapter describes how to configure Network Admission Control (NAC) in Cisco IOS Release 12.2SX. Note For complete syntax and usage information for the commands used in this chapter, see

More information

Configuring FlexConnect Groups

Configuring FlexConnect Groups Information About FlexConnect Groups, page 1, page 3 Configuring VLAN-ACL Mapping on FlexConnect Groups, page 8 Information About FlexConnect Groups To organize and manage your FlexConnect access points,

More information

Cisco TrustSec How-To Guide: Monitor Mode

Cisco TrustSec How-To Guide: Monitor Mode Cisco TrustSec How-To Guide: Monitor Mode For Comments, please email: howtoguides@external.cisco.com Current Document Version: 3.0 August 27, 2012 Table of Contents Table of Contents... 2 Introduction...

More information

Network Deployments in Cisco ISE

Network Deployments in Cisco ISE Cisco ISE Network Architecture, page 1 Cisco ISE Deployment Terminology, page Node Types and Personas in Distributed Deployments, page Standalone and Distributed ISE Deployments, page 4 Distributed Deployment

More information

Configuring IEEE 802.1x Port-Based Authentication

Configuring IEEE 802.1x Port-Based Authentication CHAPTER 8 Configuring IEEE 802.1x Port-Based Authentication This chapter describes how to configure IEEE 802.1x port-based authentication on the switch. IEEE 802.1x authentication prevents unauthorized

More information

Configuring IEEE 802.1x Port-Based Authentication

Configuring IEEE 802.1x Port-Based Authentication CHAPTER 10 Configuring IEEE 802.1x Port-Based Authentication IEEE 802.1x port-based authentication prevents unauthorized devices (clients) from gaining access to the network. Unless otherwise noted, the

More information

CCIE Wireless v3 Lab Video Series 1 Table of Contents

CCIE Wireless v3 Lab Video Series 1 Table of Contents CCIE Wireless v3 Lab Video Series 1 Table of Contents Section 1: Network Infrastructure Layer 2 Technologies VLANs VTP Layer 2 Interfaces DTP Spanning Tree- Root Election Spanning Tree- Path Control Spanning

More information

Cisco Exam Questions & Answers

Cisco Exam Questions & Answers Cisco 300-208 Exam Questions & Answers Number: 300-208 Passing Score: 800 Time Limit: 120 min File Version: 38.4 http://www.gratisexam.com/ Exam Code: 300-208 Exam Name: Implementing Cisco Secure Access

More information

FortiNAC Motorola Wireless Controllers Integration

FortiNAC Motorola Wireless Controllers Integration FortiNAC Motorola Wireless Controllers Integration Version: 8.x Date: 8/29/2018 Rev: B FORTINET DOCUMENT LIBRARY http://docs.fortinet.com FORTINET VIDEO GUIDE http://video.fortinet.com FORTINET KNOWLEDGE

More information

Network Deployments in Cisco ISE

Network Deployments in Cisco ISE Cisco ISE Network Architecture, page 1 Cisco ISE Deployment Terminology, page 2 Node Types and Personas in Distributed Deployments, page 2 Standalone and Distributed ISE Deployments, page 4 Distributed

More information

Pulse Policy Secure. Guest Access Solution Guide. Product Release 5.4R1

Pulse Policy Secure. Guest Access Solution Guide. Product Release 5.4R1 Pulse Policy Secure Guest Access Solution Guide Product Release 5.4R1 Document 1.0 Published May 2017 Pulse Secure, LLC 2700 Zanker Road, Suite 200 San Jose, CA 95134 www.pulsesecure.net Pulse Secure and

More information

Configuring Link Aggregation

Configuring Link Aggregation Information About Link Aggregation, page 1 Restrictions for Link Aggregation, page 2 (GUI), page 4 (CLI), page 4 Verifying Link Aggregation Settings (CLI), page 5 Configuring Neighbor Devices to Support

More information

HPE IMC BYOD WLAN MAC Authentication Configuration Examples

HPE IMC BYOD WLAN MAC Authentication Configuration Examples HPE IMC BYOD WLAN MAC Authentication Configuration Examples Part Number: 5200-1389 Software version: IMC UAM 7.2 (E0403) Document version: 2 The information in this document is subject to change without

More information

Lab 6-1 Configuring a WLAN Controller

Lab 6-1 Configuring a WLAN Controller Lab 6-1 Configuring a WLAN Controller Topology Diagram Scenario Step 1 In the next two labs, you will configure a wireless solution involving a WLAN controller, two lightweight wireless access points,

More information

Cisco ISE Ports Reference

Cisco ISE Ports Reference Cisco ISE Infrastructure Cisco ISE Infrastructure, on page 1 Cisco ISE Administration Node Ports, on page 2 Cisco ISE Monitoring Node Ports, on page 4 Cisco ISE Policy Service Node Ports, on page 6 Cisco

More information

Support Device Access

Support Device Access Personal Devices on a Corporate Network (BYOD), on page 1 Personal Device Portals, on page 2 Support Device Registration Using Native Supplicants, on page 8 Device Portals Configuration Tasks, on page

More information

Lab 6-1 Configuring a WLAN Controller

Lab 6-1 Configuring a WLAN Controller Lab 6-1 Configuring a WLAN Controller Topology Diagram Scenario In the next two labs, you will configure a wireless solution involving a router with a built-in WLAN controller, two lightweight wireless

More information

Lab 6-1 Configuring a WLAN Controller

Lab 6-1 Configuring a WLAN Controller Lab 6-1 Configuring a WLAN Controller Topology Diagram Scenario In the next two labs, you will configure a wireless solution involving a WLAN controller, two lightweight wireless access points, and a switched

More information

Configuring Web-Based Authentication

Configuring Web-Based Authentication The Web-Based Authentication feature, also known as web authentication proxy, authenticates end users on host systems that do not run the IEEE 802.1x supplicant. Finding Feature Information, on page 1

More information

Configuring IEEE 802.1x Port-Based Authentication

Configuring IEEE 802.1x Port-Based Authentication CHAPTER 9 Configuring IEEE 802.1x Port-Based Authentication This chapter describes how to configure IEEE 802.1x port-based authentication on the Catalyst 2960 switch. IEEE 802.1x authentication prevents

More information

Troubleshooting Web Authentication on a Wireless LAN Controller (WLC)

Troubleshooting Web Authentication on a Wireless LAN Controller (WLC) Troubleshooting Web Authentication on a Wireless LAN Controller (WLC) Document ID: 108501 Contents Introduction Prerequisites Requirements Components Used Related Products Conventions Web Authentication

More information

Exam Questions Demo Cisco. Exam Questions

Exam Questions Demo   Cisco. Exam Questions Cisco Exam Questions 300-208 SISAS Implementing Cisco Secure Access Solutions (SISAS) Version:Demo 1. Which functionality does the Cisco ISE self-provisioning flow provide? A. It provides support for native

More information

ForeScout CounterACT. Configuration Guide. Version 4.3

ForeScout CounterACT. Configuration Guide. Version 4.3 ForeScout CounterACT Authentication Module: RADIUS Plugin Version 4.3 Table of Contents Overview... 4 Understanding the 802.1X Protocol... 4 About the CounterACT RADIUS Plugin... 6 IPv6 Support... 7 About

More information

Software-Defined Access Wireless

Software-Defined Access Wireless Introduction to, page 1 Configuring SD-Access Wireless (CLI), page 7 Enabling SD-Access Wireless (GUI), page 8 Configuring SD-Access Wireless VNID (GUI), page 9 Configuring SD-Access Wireless WLAN (GUI),

More information

Access Guardian and BYOD in AOS Release 8.1.1

Access Guardian and BYOD in AOS Release 8.1.1 Access Guardian and BYOD in AOS Release 8.1.1 Configuration Guide through Use Cases Copyright 2014 by Alcatel-Lucent All rights reserved Alcatel-Lucent, 26801 West Agoura Road, Calabasas, CA 91301, USA

More information