Secure WLAN Configuration

Secure WLAN Configuration on Catalyst 3850/WLC5760

Wireless Dot1x Configuration

aaa new-model
aaa group server radius Cisco
 server name Cisco
aaa authentication login no_auth none
aaa authentication dot1x default group radius
aaa authentication dot1x Cisco_dot1x group Cisco
aaa authorization network default group Cisco
aaa accounting network default start-stop group Cisco
dot1x system-auth-control
radius server Cisco
 address ipv4 10.10.200.60 auth-port 1812 acct-port 1813
 key secret

Dynamic Authorization Configuration (Optional)

aaa server radius dynamic-author
 client 10.10.200.60 server-key Cisco123
 auth-type any

Radius Server Configuration (Optional)

radius-server attribute 6 on-for-login-auth
radius-server dead-criteria time 10 tries 3
radius-server deadtime 3
radius-server vsa send accounting
radius-server vsa send authentication

URL-Redirect Access-list Configuration

ip access-list extended NSP-ACL <- Supplicant Provisioning ACL
 deny ip any host 10.10.200.60
 permit ip any any
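The NSP-ACL above is a URL-redirect ACL, and redirect ACLs read the opposite way from filtering ACLs: a permit entry marks traffic for redirection to the ISE portal, while a deny entry exempts it, so the single deny toward 10.10.200.60 is what keeps the ISE server itself reachable during provisioning. As an added example (not part of the original page), the following Python parses the ACL text copied from the page and evaluates it with IOS first-match semantics and an implicit deny at the end; the redirect/bypass interpretation of permit/deny is the assumption just described, and the client and destination addresses in the sample flows are constructed.

```python
"""Added example: first-match evaluation of an IOS extended ACL used as a
URL-redirect ACL.  Assumption: in a redirect ACL 'permit' == redirect to the
portal and 'deny' == forward normally (bypass)."""
import ipaddress
from dataclasses import dataclass

# ACL text copied from the page (annotation removed).
NSP_ACL = """\
ip access-list extended NSP-ACL
 deny ip any host 10.10.200.60
 permit ip any any
"""


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens, i):
    """Parse one address spec starting at tokens[i]: 'any', 'host A.B.C.D'
    or 'A.B.C.D WILDCARD'.  Returns (network, index_after_spec)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    wildcard = tokens[i + 1]
    if wildcard == "0.0.0.0":            # wildcard of all zeros == single host
        return ipaddress.IPv4Network(tok + "/32"), i + 2
    if wildcard == "255.255.255.255":    # wildcard of all ones == any
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 2
    # ipaddress accepts a hostmask (wildcard) after the slash.
    return ipaddress.IPv4Network(f"{tok}/{wildcard}", strict=False), i + 2


def parse_acl(text):
    """Parse 'permit ip ...' / 'deny ip ...' entries into an ordered ACE list.
    Header lines and remarks are skipped; other protocols are rejected."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
            continue
        if tokens[1] != "ip":
            raise ValueError(f"unsupported protocol in ACE: {line.strip()}")
        src, i = _parse_addr(tokens, 2)
        dst, _ = _parse_addr(tokens, i)
        aces.append(Ace(tokens[0], src, dst))
    return aces


def match(aces, src_ip, dst_ip):
    """First matching entry wins; no match means the implicit deny."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in aces:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


def redirect_decision(aces, src_ip, dst_ip):
    """Redirect-ACL reading of the match result (assumption, see above)."""
    return "redirect" if match(aces, src_ip, dst_ip) == "permit" else "bypass"


if __name__ == "__main__":
    acl = parse_acl(NSP_ACL)
    client = "10.10.100.5"                       # constructed client address
    for dst in ("10.10.200.60", "8.8.8.8"):      # ISE server, arbitrary Internet host
        print(f"{client} -> {dst}: {redirect_decision(acl, client, dst)}")
```

Running it shows traffic to 10.10.200.60 as bypass and everything else as redirect, which is the intended provisioning behaviour; the same evaluator flags the common mistake of writing the entries as a filtering ACL (permit toward ISE, deny the rest), which would redirect nothing and expose the portal flow to a loop.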

HTTP Configuration

!
ip http server
ip http authentication local
ip http secure-server
ip http secure-client-auth

WLAN Configuration

wireless mobility controller
wireless management interface 200
wireless client user-timeout 600
wlan BYOD-Dot1x 1 BYOD-Dot1x <- Secure Corporate SSID
 aaa-override
 accounting-list Cisco
 client vlan 100
 ip access-group NSP-ACL
 nac
 security dot1x authentication-list Cisco
 session-timeout 600
 no shutdown
wlan BYOD-Open 2 BYOD-Open <- Guest SSID
 aaa-override
 client vlan 100
 ip access-group NSP-ACL
 nac
 no security wpa
 no security wpa akm dot1x
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 security dot1x authentication-list Cisco
 no shutdown
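The two WLAN blocks above differ only in the four "no security wpa ..." lines, which strip the WPA2/AES 802.1X defaults off the guest SSID and leave it open, with the pre-auth ACL, NAC and AAA override doing the access control instead. As an added example (not from the original page), the following Python parses the global AAA lines and the WLAN blocks copied from the page, classifies each SSID's security mode, and cross-checks that every method list a WLAN references is defined by an "aaa authentication dot1x" or "aaa accounting network" line in the snippet. The WLAN defaults it assumes (WPA2, AES cipher, 802.1X AKM) are an assumption inferred from the lines the guest WLAN removes, and a list name it reports as undefined may of course be defined elsewhere on a real controller.

```python
"""Added example: a small audit of the WLAN / AAA configuration above.
CONFIG is copied from the page (annotations removed); DEFAULT_SECURITY is
the assumed factory default for a new WLAN."""
import re

CONFIG = """\
aaa authentication dot1x default group radius
aaa authentication dot1x Cisco_dot1x group Cisco
aaa accounting network default start-stop group Cisco
wlan BYOD-Dot1x 1 BYOD-Dot1x
 aaa-override
 accounting-list Cisco
 client vlan 100
 ip access-group NSP-ACL
 nac
 security dot1x authentication-list Cisco
 session-timeout 600
 no shutdown
wlan BYOD-Open 2 BYOD-Open
 aaa-override
 client vlan 100
 ip access-group NSP-ACL
 nac
 no security wpa
 no security wpa akm dot1x
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 security dot1x authentication-list Cisco
 no shutdown
"""

# Assumed defaults a new WLAN starts with (assumption, not stated on the page).
DEFAULT_SECURITY = {"wpa", "wpa akm dot1x", "wpa wpa2", "wpa wpa2 ciphers aes"}


def parse_config(text):
    """Return (dot1x_lists, acct_lists, wlans); wlans maps profile -> attributes."""
    dot1x_lists, acct_lists, wlans = set(), set(), {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):           # global command: leaves any wlan block
            current = None
            m = re.match(r"aaa authentication dot1x (\S+)", line)
            if m:
                dot1x_lists.add(m.group(1))
                continue
            m = re.match(r"aaa accounting network (\S+)", line)
            if m:
                acct_lists.add(m.group(1))
                continue
            m = re.match(r"wlan (\S+) (\d+) (\S+)", line)
            if m:
                current = {"profile": m.group(1), "id": int(m.group(2)),
                           "ssid": m.group(3), "security": set(DEFAULT_SECURITY),
                           "auth_list": None, "acct_list": None, "aaa_override": False,
                           "nac": False, "acl": None, "enabled": False}
                wlans[current["profile"]] = current
            continue
        if current is None:                    # sub-command of something we ignore
            continue
        if line.startswith("no security "):    # e.g. "no security wpa wpa2 ciphers aes"
            current["security"].discard(line[len("no security "):])
        elif line.startswith("security wpa"):
            current["security"].add(line[len("security "):])
        elif line.startswith("security dot1x authentication-list "):
            current["auth_list"] = line.split()[-1]
        elif line.startswith("accounting-list "):
            current["acct_list"] = line.split()[-1]
        elif line.startswith("ip access-group "):
            current["acl"] = line.split()[-1]
        elif line == "aaa-override":
            current["aaa_override"] = True
        elif line == "nac":
            current["nac"] = True
        elif line == "no shutdown":
            current["enabled"] = True
        elif line == "shutdown":
            current["enabled"] = False
    return dot1x_lists, acct_lists, wlans


def security_mode(wlan):
    """Classify the effective link-layer security of one WLAN."""
    s = wlan["security"]
    if "wpa" not in s:
        return "open"
    if {"wpa akm dot1x", "wpa wpa2", "wpa wpa2 ciphers aes"} <= s:
        return "wpa2-enterprise"
    return "wpa-other"


def wlan_modes(text):
    """SSID -> security mode for every WLAN in the snippet."""
    _, _, wlans = parse_config(text)
    return {w["ssid"]: security_mode(w) for w in wlans.values()}


def audit(text):
    """Return (ssid, finding) pairs a reviewer would want to see."""
    dot1x_lists, acct_lists, wlans = parse_config(text)
    findings = []
    for w in wlans.values():
        mode = security_mode(w)
        if mode == "open" and w["enabled"]:
            findings.append((w["ssid"], "open SSID: no link-layer encryption; "
                             "access control relies on the pre-auth ACL, NAC and ISE"))
        if mode == "wpa2-enterprise" and not w["auth_list"]:
            findings.append((w["ssid"], "802.1X WLAN without an explicit "
                             "authentication-list (falls back to the default list)"))
        if w["auth_list"] and w["auth_list"] not in dot1x_lists:
            findings.append((w["ssid"], f"dot1x authentication-list '{w['auth_list']}' "
                             "is not defined by any 'aaa authentication dot1x' line here"))
        if w["acct_list"] and w["acct_list"] not in acct_lists:
            findings.append((w["ssid"], f"accounting-list '{w['acct_list']}' is not "
                             "defined by any 'aaa accounting network' line here"))
    return findings


if __name__ == "__main__":
    for ssid, mode in wlan_modes(CONFIG).items():
        print(f"{ssid}: {mode}")
    for ssid, msg in audit(CONFIG):
        print(f"[{ssid}] {msg}")
```

Run against the snippet, it reports BYOD-Dot1x as wpa2-enterprise and BYOD-Open as open, and it notes that both WLANs reference the list name "Cisco" while the snippet only defines the dot1x list "Cisco_dot1x" (and "default" for accounting); "Cisco" is defined on the page as a RADIUS server group, which is a different object from a method list, so that mismatch is worth confirming on the controller before relying on the SSID.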

Verify Wireless Dot1x Session

Controller-MC#show access-session method dot1x details
Controller-MC#show access-session interface capwap 1 details
Controller-MC#show access-session mac 6420.0c37.5108 interface capwap 1
Controller-MC#show wireless client summary

Deauthenticate Client

Controller-MC#wireless client mac-address 6420.0c37.5108 deauthenticate
Controller-MC#show wireless client summary


Note: For information on ISE, refer to http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-implementation-design-guides-list.html.