无线/移动 : "无线, LAN (WLAN)"

无线局域网模板的聚合的访问统一的快速参考

2016 年 10 月 27 日 - 机器翻译
其他版本: PDFpdf | 英语 (2015 年 8 月 22 日) | 反馈

简介

本文为基本和已知Layer2和第3层无线局域网(WLAN)配置提供快速参考CLI配置模板。基本模板为快速提供复制和插入到思科下一代配线间(NGWC) 5760和3850无线局域网控制器(WLC)实验室重新创建和客户初始安装。

贡献用尚卡尔Ramanathan, Cisco TAC工程师。

先决条件

要求

思科建议您有知识NGWC版本3.3或以上。预计交换机虚拟接口(SVIs),并且监听的DHCP池/每最佳实践预先配置。

使用的组件

本文档不限于特定的软件和硬件版本。

本文档中的信息都是基于特定实验室环境中的设备编写的。本文档中使用的所有设备最初均采用原始(默认)配置。如果您使用的是真实网络,请确保您已经了解所有命令的潜在影响。

第2层安全

打开WLAN没有安全

wlan 1 name testwlan ssid testwlan
    client vlan 20
    no security wpa
    no shut

静态有线等效保密(WEP)

wlan staticWEP 6 staticWEP
 client vlan 79
 no security wpa
 no security wpa akm dot1x
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 security static-wep-key encryption 40 ascii 0 Cisco 1
 session-timeout 1800
 no shutdown

MAC过滤器-本地数据库

username 24770319eB75 mac

aaa new-model
aaa authorization network test_mac local

wlan macfiltering 6 macfiltering
client vlan Vlan7
mac-filtering test_mac
no security wpa
no security wpa akm dot1x
no security wpa wpa2
no security wpa wpa2 ciphers aes
no shutdown

MAC过滤器-外部Radius

aaa new-model
aaa group server radius wcm_rad

server name RAD_EXT
subscriber mac-filtering security-mode mac
mac-delimiter colon

radius server RAD_EXT
address ipv4 x.x.x.x auth-port 1812 acct-port 1813
key cisco

aaa authorization network wcm_macfilter group wcm_rad

wlan macfiltering 1 macfiltering
client vlan Vlan7
mac-filtering wcm_macfilter
no security wpa
no security wpa akm dot1x
no security wpa wpa2
no security wpa wpa2 ciphers aes
no shutdown

无线受保护的访问2 (WPA2)预先共享密钥(PSK)

wlan wpa2psk 1 wpa2psk
 client vlan 20
 no security wpa akm dot1x
 security wpa akm psk set-key ascii 0 Cisco123
 no shutdown

802.1x本地可扩展的认证协议(EAP)验证(作为本地RADIUS使用的NGWC)

user-name test
 privilege 15
 password 0 cisco
 type network-user description pass=cisco
aaa new-model
aaa authentication dot1x default local
aaa authorization credential-download author_list  local
aaa authentication dot1x authen_list local
aaa local authentication authen_list authorization author_list
dot1x system-auth-control
eap profile PEAPProfile
method ?
  fast      EAP-FAST method allowed
  gtc       EAP-GTC method allowed
  leap      EAP-LEAP method allowed
  md5       EAP-MD5 method allowed
  mschapv2  EAP-MSCHAPV2 method allowed
  peap      EAP-PEAP method allowed
  tls       EAP-TLS method allowed

 method peap
 method mschapv2
wlan TestNGWC 1 TestNGWC
 client vlan VLAN0080
 ip dhcp server 192.168.80.14
 local-auth PEAPProfile

在外部Radius的802.1x

aaa new-model
   !
   !
   aaa group server radius ACS
    server name ACS
   !
   aaa authentication dot1x ACS group ACS

   radius server ACS
    address ipv4 10.106.102.50 auth-port 1645 acct-port 1646
    key Cisco123


 dot1x system-auth-control

wlan EAPFAST 4 EAPFAST
    client vlan VLAN0020
    security dot1x authentication-list ACS
    session-timeout 1800
    no shutdown

第3层安全

Web Passthrough

parameter-map type webauth global
 type consent
 virtual-ip ipv4 192.168.200.1
!
!
parameter-map type webauth web
 type consent
 

wlan Webauth 9 Webauth
 client vlan VLAN0020
 no security wpa
 no security wpa akm dot1x
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 security web-auth
 security web-auth parameter-map web
 session-timeout 1800

Web验证本地认证

aaa new-model
aaa authentication login wcm_local local
aaa authorization network default local  
aaa authorization credential-download default local 
username test password 0 test12345
parameter-map type webauth global
virtual-ip ipv4 1.1.1.1 
parameter-map type webauth test_web
            type webauth 
            banner    c test webauth c   
ip http server      
ip http authentication local
ip http secure-server

wlan local_webauth 11 local_webauth
 client vlan 263
 no security wpa
 no security wpa akm dot1x
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 security web-auth
 security web-auth authentication-list wcm_local
 security web-auth parameter-map test_web

与外部RADIUS验证(ISE)的Web验证

radius server ise
        address ipv4 192.168.154.119 auth-port 1812 acct-port 1813
        key Cisco123
aaa group server radius rad_ise
 server name ise

aaa authentication login ext_ise group rad_ise
parameter-map type webauth global
virtual-ip ipv4 1.1.1.1
parameter-map type webauth test_web
            type webauth 
            banner    c test webauth c
wlan local_webauth 11 local_webauth
 client vlan 263
 no security wpa
 no security wpa akm dot1x
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 security web-auth
 security web-auth authentication-list ext_ise
 security web-auth parameter-map test_web
 no shutdown

外部 Web 身份验证

//Parameter Map   //  
        parameter-map type webauth test_web
        type webauth
        redirect for-login https://192.168.154.119:8443/guestportal/portals/
external_webauth/portal.jsp

        redirect portal ipv4 192.168.154.119

            redirect on-success <url> //Optional//
        redirect on-failure <url> //Optional//

        banner

//Pre auth ACL//
  ip access-lists extended preauth_ise
        10 permit udp any eq bootps any
        20 permit udp any any eq bootpc
        30 permit udp any eq bootpc any
        40 permit udp any any eq domain
        50 permit udp any eq domain any
        60 permit ip any host 192.168.154.119
        70 permit ip host 192.168.154.119 any
wlan external_webauth 11 external_webauth
 client vlan 263
 ip access-group web preauth_ise
no security wpa
 no security wpa akm dot1x
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 security web-auth
 security web-auth authentication-list ext_ise
 security web-auth parameter-map test_web
 no shutdown

与本地认证的定制的Web验证

ip http server
ip device tracking


aaa new-model
aaa authentication login local_webauth local
aaa authorization network default local
aaa authorization credential-download default local


username <username> password 0 <password>


FTP Configuration for file transfer:
ip ftp username <username>
ip ftp password <password>

 
Upload custom html files to flash: with command:
5760# copy ftp://x.x.x.x/webauth_login.html flash:


Example of flash content:
w-5760-2#dir flash:
Directory of flash:/
64649  -rw-        1164   Oct 7 2013 04:36:23 +00:00  webauth_failure.html
64654  -rw-        2047   Oct 7 2013 13:32:38 +00:00  webauth_login.html
64655  -rw-        1208   Oct 7 2013 04:34:12 +00:00  webauth_success.html
64656  -rw-         900   Oct 7 2013 04:35:00 +00:00  webauth_expired.html
64657  -rw-       96894   Oct 7 2013 05:05:09 +00:00  web_auth_logo.png
64658  -rw-       23037   Oct 7 2013 13:17:58 +00:00  web_auth_cisco.png
64660  -rw-        2586   Oct 7 2013 13:31:27 +00:00  web_auth_aup.html

parameter-map type webauth global
virtual-ip ipv4 1.1.1.1

parameter-map type webauth custom
type webauth
redirect on-success http://www.cisco.com
banner text ^C CC global ip for redirect ^C
 custom-page login device flash:webauth_login.html
 custom-page success device flash:webauth_success.html
 custom-page failure device flash:webauth_failure.html
 custom-page login expired device flash:webauth_expired.html



wlan cisco 1 cisco
client vlan Vlanx
no security wpa
no security wpa akm dot1x
no security wpa wpa2
no security wpa wpa2 ciphers aes
security web-auth
security web-auth authentication-list local_webauth
security web-auth parameter-map custom
session-timeout 1800
no shutdown

自动锚点Web验证

//Verify//
show wireless mobility summary
<snip>
 
IP               Public IP        Group Name       Multicast IP     Link Status
-------------------------------------------------------------------------------
192.168.100.8    -                ngwc             0.0.0.0          UP   : UP
192.168.100.15   192.168.100.15   5760                              UP   : UP

radius server ise
               address ipv4 192.168.154.119 auth-port 1812 acct-port 1813
               key Cisco123
aaa group server radius rad_ise
 server name ise

aaa authentication login ext_ise group rad_ise 
parameter-map webauth global
virtual-ip ipv4 1.1.1.1
parameter-map type webauth test_web
            type webauth
            banner



WLAN configs on the Foreign 5760

wlan ngwc_guest 3 ngwc_guest
 client vlan 254
 mobility anchor 192.168.100.8   //Anchor
 no security wpa
 no security wpa akm dot1x
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 security web-auth
 security web-auth authentication-list wcm_local   
 security web-auth parameter-map test_web
 no shutdown

WLAN configs on the Anchor 5760

wlan ngwc_guest 3 ngwc_guest
 client vlan 254
 mobility anchor 192.168.100.8 //Local
 no security wpa
 no security wpa akm dot1x
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 security web-auth
 security web-auth authentication-list rad_ise
 security web-auth parameter-map test_web
 no shutdown


Document ID: 116877