Wireless Dot1x Configuration
aaa new-model
aaa group server radius Cisco
 server name Cisco
! login method list with no authentication; it only affects lines that reference no_auth
aaa authentication login no_auth none
aaa authentication dot1x default group radius
aaa authentication dot1x Cisco_dot1x group Cisco
aaa authorization network default group Cisco
aaa accounting network default start-stop group Cisco
dot1x system-auth-control
! key must match the shared secret configured for this controller on the RADIUS server
radius server Cisco
 address ipv4 10.10.200.60 auth-port 1812 acct-port 1813
 key secret
Dynamic Authorization Configuration (Optional)
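! server-key must match the shared secret the RADIUS server uses for Change of Authorization requests
aaa server radius dynamic-author
 client 10.10.200.60 server-key Cisco123
 auth-type any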
Radius Server Configuration (Optional)
radius-server attribute 6 on-for-login-auth
radius-server dead-criteria time 10 tries 3
radius-server deadtime 3
radius-server vsa send accounting
radius-server vsa send authentication
URL-Redirect Access-list Configuration
! Supplicant Provisioning ACL
ip access-list extended NSP-ACL
 deny ip any host 10.10.200.60
 permit ip any any
HTTP Configuration
!
ip http server
ip http authentication local
ip http secure-server
ip http secure-client-auth
WLAN Configuration
wireless mobility controller
wireless management interface 200
wireless client user-timeout 600
! Secure Corporate SSID
! authentication-list names the dot1x method list defined above (aaa authentication dot1x Cisco_dot1x)
wlan BYOD-Dot1x 1 BYOD-Dot1x
 aaa-override
 accounting-list Cisco
 client vlan 100
 ip access-group NSP-ACL
 nac
 security dot1x authentication-list Cisco_dot1x
 session-timeout 600
 no shutdown
! Guest SSID
wlan BYOD-Open 2 BYOD-Open
 aaa-override
 client vlan 100
 ip access-group NSP-ACL
 nac
 no security wpa
 no security wpa akm dot1x
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 security dot1x authentication-list Cisco_dot1x
 no shutdown
Verify Wireless Dot1x Session
Controller-MC#show access-session method dot1x details
Controller-MC#show access-session interface capwap 1 details
Controller-MC#show access-session mac 6420.0c37.5108 interface capwap 1
Controller-MC#show wireless client summary
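Offline Reference Check (added example, not part of the original page)
The Python script below complements the show commands above: it reads a saved configuration, walks each WLAN's dot1x authentication list to its server group and RADIUS server address, and reports list names that are referenced but never defined. It assumes sub-commands are indented as in show running-config output; SAMPLE is constructed, and parse and audit are names chosen for this example.

```python
import re

# Constructed sample (indented as in "show running-config"); BYOD-Open names an undefined list.
SAMPLE = """\
aaa group server radius Cisco
 server name Cisco
aaa authentication dot1x Cisco_dot1x group Cisco
radius server Cisco
 address ipv4 10.10.200.60 auth-port 1812 acct-port 1813
wlan BYOD-Dot1x 1 BYOD-Dot1x
 security dot1x authentication-list Cisco_dot1x
wlan BYOD-Open 2 BYOD-Open
 security dot1x authentication-list Cisco
"""
TOP = [("list", r"aaa authentication dot1x (\S+) group (\S+)"),
       ("group", r"aaa group server radius (\S+)"),
       ("server", r"radius server (\S+)"),
       ("wlan", r"wlan (\S+) \d+")]
SUB = {"group": r"server name (\S+)", "server": r"address ipv4 (\S+)",
       "wlan": r"security dot1x authentication-list (\S+)"}

def parse(config):
    """Index AAA definitions and WLAN references; sub-commands must be indented."""
    cfg, cur = {kind: {} for kind, _ in TOP}, None
    for raw in config.splitlines():
        if raw[:1].isspace():  # sub-command of the block opened last
            if cur and cur[0] in SUB and (m := re.match(SUB[cur[0]], raw.strip())):
                cur[1].append(m[1])
            continue
        cur = None
        for kind, pat in TOP:
            if m := re.match(pat, raw):
                cur = (kind, cfg[kind].setdefault(m[1], [m[2]] if kind == "list" else []))
    return cfg

def audit(config):
    """Walk WLAN -> method list -> server group -> RADIUS address ("radius" = all servers)."""
    cfg, radius, problems = parse(config), {}, []
    for wlan, lists in cfg["wlan"].items():
        radius[wlan] = []
        for name in lists:
            group = cfg["list"].get(name, [None])[0]
            members = cfg["server"] if group == "radius" else cfg["group"].get(group, [])
            found = [ip for s in members for ip in cfg["server"].get(s, [])]
            if name not in cfg["list"]:
                problems.append(f"{wlan}: dot1x method list {name} is not defined")
            elif not found:
                problems.append(f"{wlan}: list {name} resolves to no RADIUS server")
            radius[wlan] += found
    return radius, problems
```

audit(SAMPLE) returns the RADIUS addresses per WLAN and a list of problem strings; an empty problem list means every WLAN's dot1x list resolves to at least one server address.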