CT5760 Controller Deployment Guide
Secure WLAN Configuration
Downloads: This chapterpdf (PDF - 162.0KB) The complete bookPDF (PDF - 4.18MB) | Feedback

Table of Contents

Secure WLAN Configuration

Secure WLAN Configuration on Catalyst 3850/WLC5760

Wireless Dot1x Configuration

Dynamic Authorization Configuration (Optional)

Radius Server Configuration (Optional)

URL-Redirect Access-list Configuration

HTTP Configuration

WLAN Configuration

Verify Wireless Dot1x Session

Deauthenticate Client

Secure WLAN Configuration

Secure WLAN Configuration on Catalyst 3850/WLC5760

Wireless Dot1x Configuration

aaa new-model

aaa group server radius Cisco

server name Cisco

aaa authentication login no_auth none

aaa authentication dot1x default group radius

aaa authentication dot1x Cisco_dot1x group Cisco

aaa authorization network default group Cisco

aaa accounting network default start-stop group Cisco

dot1x system-auth-control

radius server Cisco

address ipv4 10.10.200.60 auth-port 1812 acct-port 1813

key secret

Dynamic Authorization Configuration (Optional)

aaa server radius dynamic-author

client 10.10.200.60 server-key Cisco123

auth-type any

Radius Server Configuration (Optional)

radius-server attribute 6 on-for-login-auth

radius-server dead-criteria time 10 tries 3

radius-server deadtime 3

radius-server vsa send accounting

radius-server vsa send authentication

URL-Redirect Access-list Configuration

ip access-list extended NSP-ACL <- Supplicant Provisioning ACL

deny ip any host 10.10.200.60

permit ip any any

HTTP Configuration

!

ip http server

ip http authentication local

ip http secure-server

ip http secure-client-auth

WLAN Configuration

wireless mobility controller

wireless management interface 200

wireless client user-timeout 600

wlan BYOD-Dot1x 1 BYOD-Dot1x <- Secure Corporate SSID

aaa-override

accounting-list Cisco

client vlan 100

ip access-group NSP-ACL

nac

security dot1x authentication-list Cisco

session-timeout 600

no shutdown

wlan BYOD-Open 2 BYOD-Open <- Guest SSID

aaa-override

client vlan 100

ip access-group NSP-ACL

nac

no security wpa

no security wpa akm dot1x

no security wpa wpa2

no security wpa wpa2 ciphers aes

security dot1x authentication-list Cisco

no shutdown

Verify Wireless Dot1x Session

Controller-MC#show access-session method dot1x details

Controller-MC#show access-session interface capwap 1 details

Controller-MC#show access-session mac 6420.0c37.5108 interface capwap 1

Controller-MC#show wireless client summary

Deauthenticate Client

Controller-MC#wireless client mac-address 6420.0c37.5108 deauthenticate

Controller-MC#show wireless client summary