Universal NGWC/3850 Wireless Configuration

For Cisco Identity Services Engine

Author: Hosuk Won


Current Document Version: 2.0
September 1, 2013

Table of Contents
Table of Contents .......... 2
3850 Switch Wireless Configuration .......... 3
    Overall Design .......... 3
    Components used .......... 3
    Few notes about NGWC wireless functions .......... 3
    3850 Switch Wireless Configuration Steps .......... 4
    3850 Example Configuration .......... 13
ISE Configuration to suppress RADIUS test messages from the switch .......... 15

HowTo-$$-Universal_NGWC/3850_Config

3850 Switch Wireless Configuration


The Cisco Catalyst 3850 is the first stackable access switching platform that enables wired plus wireless services on a single
Cisco IOS XE Software-based platform. It provides a host of rich capabilities such as high availability based on stateful
switchover (SSO) on stacking, granular QoS, security, and Flexible Netflow (FNF) across wired and wireless in a seamless
fashion. Also, the wired plus wireless features are bundled into a single Cisco IOS Software image, which reduces the
number of software images that users have to qualify/certify before enabling them in their network. The single console port
for command-line interface (CLI) management reduces the number of touch points to manage for wired plus wireless
services, thereby reducing network complexity, simplifying network operations, and lowering the TCO to manage the
infrastructure.
Converged wired plus wireless not only improves wireless bandwidth across the network but also the scale of wireless
deployment. Each 48-port Cisco Catalyst 3850 provides 40 Gbps of wireless throughput (20 Gbps on the 24-port model).
This wireless capacity increases with the number of members in the stack. This makes sure that the network can scale with
current wireless bandwidth requirements, as dictated by IEEE 802.11n-based access points and with future wireless standards
such as IEEE 802.11ac. Additionally, the Cisco Catalyst 3850 distributes the wireless controller functions to achieve better
scalability. Each Cisco Catalyst 3850 switch/stack can operate as the wireless controller in two modes:

- Mobility agent (MA): This is the default mode in which the Cisco Catalyst 3850 switch ships. In this mode the
switch is capable of terminating the CAPWAP tunnels from the access points and providing wireless connectivity to
wireless clients. Maintaining wireless client databases and configuring and enforcing security and QoS policies for
wireless clients and access points are also handled in this mode. No additional license on top of IP Base is required
to operate in the mobility agent mode.

- Mobility controller (MC): In this mode, the Cisco Catalyst 3850 switch can perform all the mobility agent tasks in
addition to mobility coordination, radio resource management (RRM), and Cisco CleanAir coordination within a
mobility subdomain. The mobility controller mode can be enabled on the switch CLI. IP Base license level is
required when the Cisco Catalyst 3850 switch is acting as the mobility controller. A centrally located Cisco 5508
Wireless LAN Controller (WLC 5508), Cisco Wireless Services Module 2 (WiSM2) (when running AireOS Version
7.3), and Wireless LAN Controller 5760 can also perform this role for larger deployments.

Overall Design:
The following diagram shows the overall layout of the components. There are two Service Set IDentifiers (SSIDs), one secured
with WPA2 (Wi-Fi Protected Access V2) + 802.1X and another Open + Central Web Authentication (CWA). Although we
won't go into the details of different Bring Your Own Device (BYOD) policies or posture policies within Cisco Identity
Services Engine (ISE), this setup will provide a baseline for such operations. This document only covers the baseline
wireless configuration on 3850 switches; for deploying the 3850 on the wired network or for other ISE configuration,
please refer to the respective ISE How-to documents.

Components used:
Cisco ISE 1.2.0.899
Cisco 3850 running IOS-XE version 03.02.02.SE
Cisco LWAP 3602
Microsoft Windows 2008 as AD/DNS/DHCP server

Few notes about NGWC wireless functions:

- The wireless management interface has to be on the same VLAN as the AP access VLAN; APs in FlexConnect mode are
not supported in this layout.

- Client idle timeout is a global setting (as opposed to the latest AireOS).

- APs need to be directly connected to the 3850 switch.

- There is no need for the legacy AP discovery methods (DHCP option 43 or a DNS entry): with CAPWAP snooping, all
directly connected APs can join the 3850 if they are configured with the correct VLAN. Because of CAPWAP snooping, once
a wireless management interface is configured on the 3850, all directly connected APs can only talk to the 3850.

- HTTPS redirect is supported; however, the user will be required to trust the 3850's HTTPS certificate before continuing.

- With IOS-XE version 03.02.02.SE, the 3850 switch provides some GUI-based wireless configuration functions.

Note: Cisco 3850 can act as Mobility Agent (MA) mode or Mobility Controller (MC) mode. Every mobility deployment requires at least one MC
and since our design consists of one 3850 switch, we will be configuring the switch as MC mode.

3850 Switch Wireless Configuration Steps


The Cisco 3850 is a Unified Access platform that provides convergence of the wired and wireless networks into one physical
infrastructure. This configuration example shows how to integrate Cisco 3850 switches for wireless authentication with ISE
to provide a basis for advanced identity functionality such as BYOD and posture assessment. The example provided in this
document primarily focuses on the command-line interface of the 3850 for wireless configuration.
Note: With Version 03.02.02.SE, Cisco introduces GUI access to the wireless configuration on the 3850. However, many parts of the
configuration still rely on the CLI. For this document, only CLI configuration will be covered.

Procedure 1

Validate licensing

The 3850 comes with the Right-To-Use (RTU) license scheme. RTU licensing allows one to order and activate a specific license type
and level, and to manage license usage on the switch. To activate a license, one is required to accept the End-User License
Agreement (EULA). For the evaluation license, one is notified to purchase a permanent license or deactivate the license
before the 90-day period expires. Before the wireless function can be enabled on the 3850 switch, it needs to be running either
the ipbase or ipservices feature pack, with the RTU license present and the EULA accepted. The RTU also governs the AP
count when the switch is acting as Mobility Controller (MC).
Note: Prerequisite configuration: This guide assumes that the switches have the required licenses; the following step focuses on validation
of the RTU license on the platform.

Step 1 Validate RTU licenses are in place.


Run the following show command to view which licenses are available and in use:
3850#show license right-to-use summary

Sample output
3850#show license right-to-use summary
License Name    Type        Count   Period left
----------------------------------------------
ipservices      permanent   N/A     Lifetime
apcount         base        0       Lifetime
apcount         adder       10      Lifetime
--------------------------------------------
License Level In Use: ipservices
License Level on Reboot: ipservices
Evaluation AP-Count: Disabled
Total AP Count Licenses: 10
AP Count Licenses In-use: 4
AP Count Licenses Remaining: 6
3850#

Step 2 Activate the feature set that supports wireless controller functionality, and activate the AP count RTU as well:
3850#license right-to-use activate ipservices slot 1 acceptEULA
3850#license right-to-use activate apcount 10 slot 1 acceptEULA
Note: Activating the AP count RTU may require the mobility controller feature to be enabled first.

Procedure 2

Configure the HTTP Server on the Switch

Step 1 Set the DNS domain name on the switch.


Cisco IOS Software does not allow for certificates, or even self-generated keys, to be created and installed without
first defining a DNS domain name on the device. Enter the following:
3850(config)#ip domain-name example.com

Step 3 Generate keys to be used for HTTPS by entering the following:


3850(config)#crypto key generate rsa general-keys modulus 2048
Note: To avoid possible certificate mismatch errors during web redirection, we recommend that you use a certificate that is issued by
your trusted certificate authority instead of a local certificate. This topic is beyond the scope of this document.

Step 4 Enable the HTTP servers on the switch.


The HTTP server must be enabled on the switch to perform the HTTP / HTTPS capture and redirection. Enter the
following:
3850(config)#ip http server
3850(config)#ip http secure-server
Note: Do not run the ip http secure-server command prior to generating the keys in step 2. If you perform the commands out of order,
the switch will automatically generate a certificate with a smaller key size. This certificate can cause undesirable behaviour when
redirecting HTTPS traffic. Unlike the WLC with AireOS, 3850 Series wireless supports redirection of HTTPS requests; however,
endpoints will be prompted to trust the switch's self-signed certificate during the redirection.

Step 5 Disable HTTP & HTTPS for other switch management functions (Optional):
3850(config)#ip http active-session-modules none
3850(config)#ip http secure-active-session-modules none
Note: This will disable management access to the 3850 wireless configuration as well as configuration from NCS Prime Infrastructure

Procedure 3

Configure the Global AAA Commands

Step 1 Enable authentication, authorization, and accounting (AAA) on the access switches.
By default, the AAA subsystem of the Cisco switch is disabled. Prior to enabling the AAA subsystem, none of the
required commands will be available in the configuration. Enter the following:
3850(config)#aaa new-model
3850(config)#aaa session-id common
Note: This command enables any of the services that AAA network security services provide, for example local login authentication and
authorization, defining and applying method lists, and so on. For further details, please refer to the Cisco IOS Security
Configuration Guide.

Step 2 Create an authentication method for 802.1X.


An authentication method is required to instruct the switch on which group of RADIUS servers to use for 802.1X
authentication requests:
3850(config)#aaa authentication dot1x default group radius

Step 3 Create an authorization method for 802.1X.


The method created in step 2 will enable the user/device identity (username/password or certificate) to be validated by
the RADIUS server. However, simply having valid credentials is not enough. There must be an authorization as well.
The authorization is what defines that the user or device is actually allowed to access the network, and what level of
access is actually permitted.
3850(config)#aaa authorization network default group radius

Step 4 Create an accounting method for 802.1X.


RADIUS accounting packets are extremely useful and are required for many ISE functions. These types of packets will
help ensure that the RADIUS server (Cisco ISE) knows the exact state of the interface and endpoint. Without the
accounting packets, Cisco ISE would have knowledge only of the authentication and authorization communication.
Accounting packets provide information on length of the authorized session, as well as bandwidth usage of the client.
3850(config)#aaa accounting dot1x default start-stop group radius

Step 5 Configure periodic RADIUS accounting update.


Periodic RADIUS accounting packets allow Cisco ISE to track which sessions are still active on the network. This
command sends periodic updates every 15 minutes.
3850(config)#aaa accounting update periodic 15

Procedure 4

Configure the Global RADIUS Commands

We configure a proactive method to check the availability of the RADIUS server. With this practice, the switch will send
periodic test authentication messages to the RADIUS server (Cisco ISE). It is looking for a RADIUS response from the
server. A success message is not necessary; a failed authentication will suffice, because it shows that the server is alive.
Best Practice: With ISE 1.2 there is a feature to suppress authentications with certain conditions. We will use that feature to suppress any
RADIUS keepalive messages. See end of this document for instructions.

Step 1 Add the Cisco ISE servers to the RADIUS group.


In this step we will add each Cisco ISE Policy Services Node (PSN) to the switch configuration, using the radius-test
account. Repeat for each PSN.
3850(config)#radius-server host 192.168.201.88 auth-port 1812 acct-port 1813 test username radius-test idle-time 5 key cisco123
Note: The server will be proactively checked for responses once every 5 minutes, in addition to any authentications or authorizations
occurring through normal processes. This value may be too aggressive for non-ISE 1.2 deployments due to the lack of the log suppression
feature on older versions of ISE; in that case increase this value to 60 minutes or higher.

Step 2 Set the dead criteria.


The switch has been configured to proactively check the Cisco ISE server for RADIUS responses. Now configure the
counters on the switch to determine if the server is alive or dead. Our settings will be to wait 10 seconds for a response
from the RADIUS server and attempt the test 3 times before marking the server dead. If a Cisco ISE server doesn't
have a valid response within 30 seconds, it will be marked as dead. Also, deadtime defines how long the switch will
keep the server marked dead, which we are setting to 15 minutes.
3850(config)#radius-server dead-criteria time 10 tries 3
3850(config)#radius-server deadtime 15
Note: We will discuss high availability in more detail in the deployment mode sections.
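The interaction of the test probes (Step 1 of this procedure) with dead-criteria and deadtime is easier to see in a small model than in prose. The following Python is an added example, not part of the Cisco How-To: it replays a constructed timeline of probe replies and timeouts against the values configured above (time 10, tries 3, deadtime 15). The rule that both criteria must be met before the server is marked dead, and that the server is tried again once deadtime expires, are assumptions about IOS behaviour.

```python
"""Model of the RADIUS liveness behaviour configured in Procedure 4: proactive test
probes (any reply counts, even Access-Reject), 'radius-server dead-criteria time 10
tries 3' and 'radius-server deadtime 15'. Added example, not from the Cisco How-To;
the rule that BOTH criteria must hold before the server is marked dead, and that the
server is retried once deadtime expires, are assumptions about IOS behaviour."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class RadiusServerState:
    dead_time_sec: int = 10          # dead-criteria time (seconds without a valid reply)
    dead_tries: int = 3              # dead-criteria tries (consecutive unanswered requests)
    deadtime_sec: int = 15 * 60      # radius-server deadtime 15 (minutes, stored as seconds)
    last_reply: float = 0.0          # time of the last reply from the server
    unanswered: int = 0              # consecutive requests that timed out
    dead_until: Optional[float] = None
    log: List[tuple] = field(default_factory=list)

    def is_dead(self, now: float) -> bool:
        """True while the server is inside its deadtime window."""
        if self.dead_until is None:
            return False
        if now >= self.dead_until:
            # deadtime expired: the switch tries the server again (assumed)
            self.dead_until = None
            self.unanswered = 0
            return False
        return True

    def on_reply(self, now: float, access_accept: bool) -> None:
        """Any RADIUS reply proves the server is alive; an Access-Reject for the
        radius-test user is enough, which is why no real account is needed."""
        self.last_reply = now
        self.unanswered = 0
        self.dead_until = None
        self.log.append((now, "reply", "accept" if access_accept else "reject"))

    def on_timeout(self, now: float) -> None:
        """A request went unanswered; mark dead once both criteria are met."""
        self.unanswered += 1
        self.log.append((now, "timeout", self.unanswered))
        if (self.unanswered >= self.dead_tries
                and now - self.last_reply >= self.dead_time_sec):
            self.dead_until = now + self.deadtime_sec
            self.log.append((now, "marked-dead-until", self.dead_until))


def simulate(events: List[Tuple[float, str]],
             state: Optional[RadiusServerState] = None):
    """Replay (time, kind) events, kind in {'accept', 'reject', 'timeout'}.
    Returns the final state and the dead/alive verdict after each event."""
    state = state or RadiusServerState()
    trace = []
    for t, kind in events:
        if kind == "timeout":
            state.on_timeout(t)
        else:
            state.on_reply(t, kind == "accept")
        trace.append((t, state.is_dead(t)))
    return state, trace


if __name__ == "__main__":
    # Constructed timeline: a test probe rejected at t=0 (server alive), then three
    # unanswered probes. The third one satisfies tries=3 and time=10, so the server
    # is marked dead for 15 minutes (900 s) and is retried at t=1220.
    final, verdicts = simulate([(0, "reject"), (300, "timeout"),
                                (310, "timeout"), (320, "timeout")])
    for t, dead in verdicts:
        print(f"t={t:>5}s dead={dead}")
    print("retried again at t =", final.dead_until)
```

Three timeouts that all fall within 10 seconds of the last reply do not mark the server dead in this model, which is the point of combining the two thresholds: a single short burst of loss is tolerated, while a sustained outage takes the server out of rotation for the configured deadtime.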

Step 3 Enable change of authorization (CoA).


Previously we defined the IP address of a RADIUS server that the switch will send RADIUS messages to. However,
we define the servers that are allowed to perform change of authorization (RFC 3576) operations in a different listing,
also within global configuration mode, as follows:
3850(config)#aaa server radius dynamic-author
3850(config-locsvr-da-radius)#client 192.168.201.88 server-key cisco123
3850(config-locsvr-da-radius)#auth-type any

Step 4 Configure the switch to use the Cisco vendor-specific attributes.


Here we configure the switch to send any defined vendor-specific attributes (VSA) to Cisco ISE PSNs during
authentication requests and accounting updates.
3850(config)#radius-server vsa send authentication
3850(config)#radius-server vsa send accounting

Step 5 Next, we will enable the vendor-specific attributes (VSAs).


3850(config)#radius-server attribute 6 on-for-login-auth
3850(config)#radius-server attribute 8 include-in-access-req
3850(config)#radius-server attribute 25 access-request include
3850(config)#radius-server attribute 31 mac format ietf upper-case
3850(config)#radius-server attribute 31 send nas-port-detail mac-only

Step 6 Ensure the switch always sends traffic from the correct interface for RADIUS request.
Switches may often have multiple IP addresses associated to them. Therefore, it is a best practice to always force any
management communications to occur through a specific interface. This interface IP address must match the IP address
defined in the Cisco ISE Network Device object.
Cisco Best Practice: As a network management best practice, use a loopback adapter for all management communications, and advertise
that loopback interface into the internal routing protocol.

3850(config)#ip radius source-interface vlan 201

Procedure 5

Configure VLANs and SVIs.

A wireless management interface is required to create the CAPWAP tunnel with the Lightweight APs. VLANs will also need to
be created for each of the WLANs that will be set up for wireless access, including any user VLANs that
will map to WLANs.
Step 1 Add the following VLANs for wireless management and WLAN interface:
3850(config)#vlan 80
3850(config-vlan)#name AP_VLAN
3850(config-vlan)#vlan 30
3850(config-vlan)#name WLAN_USER
3850(config-vlan)#vlan 40
3850(config-vlan)#name WLAN_GUEST

Step 2 Create SVI for wireless management interface.


This interface will be used to communicate with the LWAPs. The LWAPs need to be connected directly to the 3850
switch, and the interface needs to be configured with the same VLAN as the wireless management VLAN. Also, configure an ip
helper-address to forward DHCP requests from the LWAPs to the DHCP server.
3850(config)#interface Vlan 80
3850(config-if)#ip address 192.168.80.1 255.255.255.0
3850(config-if)#ip helper-address 192.168.201.72
3850(config-if)#no shutdown

Procedure 6

Configure DHCP Snooping (Optional).

DHCP snooping is not required for 3850 wireless feature to function, but it is considered a best practice to require all
endpoints to get addresses assigned by the DHCP server. This is done by enabling DHCP snooping globally and running the
dhcp required option on the WLAN configuration.
Before configuring DHCP snooping, be sure to note the location of your trusted DHCP servers. When you configure DHCP
snooping, the switch will deny DHCP server replies from any port not configured as trusted. Enter interface configuration
mode for the uplink interface and configure it as a trusted port.
Step 1 Configure Dynamic Host Configuration Protocol (DHCP) snooping for trusted ports.
3850(config)#interface GigabitEthernet x/y/z
3850(config-if)#description Server
3850(config-if)#ip dhcp snooping trust

Step 2 Enable DHCP snooping.


DHCP snooping is enabled at global configuration mode. After enabling DHCP snooping, you must configure the
VLANs it should work with, which in our example is VLAN 30 & 40.
3850(config)#ip dhcp snooping vlan 30, 40
3850(config)#no ip dhcp snooping information option
3850(config)#ip dhcp snooping

Procedure 7

Configure Local Access Control Lists.

Certain functions on the switch require the use of locally configured access control lists (ACLs), such as URL redirection.
Some of these ACLs you create will be used immediately, and some may not be used until a much later phase of your
deployment. The goal of this section is to prepare the switches for all possible deployment models at one time, and limit the
operational expense of repeated switch configuration.
Step 1 Add the following ACL to be used for URL redirection with web authentication:
3850(config)#ip access-list extended REDIRECT-ACL
3850(config-ext-nacl)#deny udp any host 192.168.201.72 eq 53
3850(config-ext-nacl)#deny udp any eq bootpc host 192.168.201.72 eq bootps
3850(config-ext-nacl)#deny ip any host 192.168.201.88
3850(config-ext-nacl)#permit ip any any
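The semantics of a redirect ACL are the reverse of a filtering ACL: a permit match means the flow is intercepted and redirected to the portal, a deny match means the flow is left alone, which is why DNS, DHCP and the ISE PSN itself are denied above. The following Python is an added example, not from the How-To: it parses the REDIRECT-ACL exactly as listed in Step 1 and evaluates a few constructed flows from a guest client (192.168.40.50, an assumed address) so the bypass-versus-redirect decision can be checked before the ACL is referenced by an ISE authorization profile. The parser only understands the ACE forms used on the page.

```python
"""Evaluate the REDIRECT-ACL from Procedure 7 the way the switch applies it to a client
in the URL-redirect state: a 'permit' match means the flow is intercepted and redirected
to the ISE portal, a 'deny' match means it bypasses redirection (DNS, DHCP and traffic
to the ISE PSN must reach their destination or the portal can never load). Added example,
not from the How-To; the parser understands only the ACE syntax used on the page."""
import ipaddress
from typing import NamedTuple, Optional

# Copied from the page (Procedure 7, Step 1)
REDIRECT_ACL = """
deny udp any host 192.168.201.72 eq 53
deny udp any eq bootpc host 192.168.201.72 eq bootps
deny ip any host 192.168.201.88
permit ip any any
"""

# IOS port keywords that may appear in the ACL
PORT_NAMES = {"bootpc": 68, "bootps": 67, "domain": 53, "www": 80}


class Flow(NamedTuple):
    proto: str                  # 'tcp' or 'udp'
    src: str
    dst: str
    sport: Optional[int]
    dport: Optional[int]


class Ace(NamedTuple):
    action: str                 # 'permit' or 'deny'
    proto: str                  # 'ip', 'tcp' or 'udp'
    src: Optional[ipaddress.IPv4Address]   # None means 'any'
    sport: Optional[int]
    dst: Optional[ipaddress.IPv4Address]
    dport: Optional[int]


def _port(token: str) -> int:
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def _address(tokens):
    """Consume 'any' or 'host <ip>' and return (address, remaining tokens)."""
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Address(tokens[1]), tokens[2:]
    raise ValueError(f"unsupported address form: {tokens[0]}")


def _optional_port(tokens):
    if tokens and tokens[0] == "eq":
        return _port(tokens[1]), tokens[2:]
    return None, tokens


def parse_acl(text: str):
    aces = []
    for line in text.strip().splitlines():
        action, proto, *rest = line.split()
        src, rest = _address(rest)
        sport, rest = _optional_port(rest)
        dst, rest = _address(rest)
        dport, rest = _optional_port(rest)
        aces.append(Ace(action, proto, src, sport, dst, dport))
    return aces


def _matches(ace: Ace, flow: Flow) -> bool:
    if ace.proto != "ip" and ace.proto != flow.proto:
        return False
    if ace.src is not None and ace.src != ipaddress.IPv4Address(flow.src):
        return False
    if ace.dst is not None and ace.dst != ipaddress.IPv4Address(flow.dst):
        return False
    if ace.sport is not None and ace.sport != flow.sport:
        return False
    if ace.dport is not None and ace.dport != flow.dport:
        return False
    return True


def redirect_decision(aces, flow: Flow) -> str:
    """First matching ACE wins: 'redirect' on permit, 'bypass' on deny.
    An ACL ends with an implicit deny, so an unmatched flow is not redirected."""
    for ace in aces:
        if _matches(ace, flow):
            return "redirect" if ace.action == "permit" else "bypass"
    return "bypass"


def demo():
    """Constructed flows from a guest client on VLAN 40 (192.168.40.50, assumed)."""
    acl = parse_acl(REDIRECT_ACL)
    flows = {
        "dns to AD/DNS server":  Flow("udp", "192.168.40.50", "192.168.201.72", 50000, 53),
        "dhcp renew to server":  Flow("udp", "192.168.40.50", "192.168.201.72", 68, 67),
        "https to ISE portal":   Flow("tcp", "192.168.40.50", "192.168.201.88", 51000, 8443),
        "http to the internet":  Flow("tcp", "192.168.40.50", "198.51.100.10", 51001, 80),
    }
    return {name: redirect_decision(acl, f) for name, f in flows.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} -> {verdict}")
```

Only the HTTP/HTTPS flow to the Internet comes back as "redirect"; the three infrastructure flows are bypassed. If a new PSN or DNS server is added later, the same check shows immediately whether the ACL needs another deny line.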

Procedure 8

Configure the Global 802.1X Commands

Step 2 Enable 802.1X globally on the switch.


Enabling 802.1X globally on the switch does not actually enable authentication on any of the WLANs or interfaces.
3850(config)#dot1x system-auth-control

Step 3 Enable Downloadable ACLs to function.


Downloadable access control lists (dACLs) are a very common enforcement mechanism in a Cisco ISE deployment. In
order for dACLs to function properly on a switch, IP device tracking must be enabled globally, as follows:
3850(config)#ip device tracking

Note: There are some uncommon cases with Windows 7 and devices that do not respond to ARPs where it may be required to use the
command ip device tracking use SVI.

Procedure 9

Configure the Global Wireless feature

Step 1 Enable mobility controller (MC) feature on the switch.


3850 switch can act as Mobility Agent (MA) only or MC+MA. For any 3850 wireless deployment there needs to be at
least one MC available for the deployment. We are configuring the 3850 as MC+MA as we only have one 3850 switch.
3850(config)#wireless mobility controller
Note: 3850 switch is always configured as MA

Step 2 Enable management interface.


With the 3850, all APs need to be on the same VLAN as the management interface. This allows the CAPWAP tunnel between
the APs and the 3850 switch.
3850(config)#wireless management interface Vlan80
Note: If there are LWAPs configured with CUWN WLC connected to the 3850 switch, after above command is entered all the LWAPs
connected to the 3850 will lose connection to the CUWN WLC and start registering with the 3850 switch. The LWAPs will then go
through code upgrade and finally join the 3850 switch.

Step 3 Enable fast-ssid-change feature.


The Fast-SSID-Change feature allows clients to move from one SSID to another without delay. This allows a client to
move from the open SSID to the secure SSID in the dual-SSID scenario for BYOD without delay.
3850(config)#wireless client fast-ssid-change
Note: This is primarily to address Apple iOS devices shifting from one SSID to another within short period of time

Step 4 Configure client idle timeout.


The idle timeout allows the switch to remove the client session when no traffic has been seen from the client within the
configured timeframe. If this value is too short, client devices will be forced to reauthenticate when coming out of
stand-by mode. Here we are setting it to 2 hours.
3850(config)#wireless client user-timeout 7200

Step 5 Enable captive portal bypass feature.


Apple introduced an iOS feature to facilitate network access when captive portals are present. This feature attempts to
detect the presence of a captive portal by sending a web request upon connecting to a wireless network, and directs the
request to http://www.apple.com/library/test/success.html. If a response is received, then Internet access is assumed and
no further interaction is required. If no response is received, Internet access is assumed to be blocked by a captive portal
and CNA auto-launches the pseudo browser to request portal login in a controlled window. CNA may break when
redirecting to an ISE captive portal. The following CLI command will prevent the pseudo browser from popping up.
3850(config)#captive-portal-bypass

Procedure 10

Configure WLANs

Step 1 Add 802.1x enabled WLAN.


This command creates a WLAN with example_employee as profile and SSID with WLAN ID of 1. If this 3850 switch
is part of bigger deployments, make sure all the settings match on all the switches for the WLAN settings.
3850(config)#wlan example_employee 1 example_employee
Note: Although we are not entering L2 security settings for the wlan, the default setting for any wlan is WPA2/AES with 802.1x

Step 2 Configure WLAN to accept RADIUS Authorization and instructions from the RADIUS server.
The AAA Override option of a WLAN enables you to configure the WLAN for identity networking. It enables you to
apply VLAN tagging, Quality of Service (QoS), and Access Control Lists (ACLs) to individual clients based on the
returned RADIUS attributes from the ISE. Also, the nac directive enables different client state based on instructions in
the URL-Redirect such as CWA, DRW, MDM, NSP, and CPP.
3850(config-wlan)#aaa-override
3850(config-wlan)#nac

Step 3 Map VLAN to the WLAN.


Assign user VLAN created earlier to the WLAN.
3850(config-wlan)#client vlan 30

Step 4 Prevent network access from clients with static IP (Optional).


If DHCP snooping was configured for the above VLAN in previous steps, this setting prevents client devices with a static
IP address from accessing the network.
3850(config-wlan)#ip dhcp required

Step 5 Configure session timeout (Reauthentication timer).


This value dictates how often the client will re-authenticate via the RADIUS server.
3850(config-wlan)#session-timeout 86400

Step 6 Enable the WLAN.


3850(config-wlan)#no shutdown
Note: Whenever the wlan configuration needs to be modified, the wlan has to be shut down. Once modified it can be re-enabled by running the
above command. Note that this will disconnect all users on the respective wlan.

Step 7 Add open SSID to use with ISE CWA.


3850(config)#wlan example_open 2 example_open

Step 8 Enable MAC filtering on the WLAN.


Since this is open SSID, enabling MAC-Filtering with default RADIUS list will provide CWA using ISE as external
web server.
3850(config-wlan)#mac-filtering default

Step 9 Configure WLAN to accept RADIUS Authorization messages from the RADIUS server
3850(config-wlan)#aaa-override
3850(config-wlan)#nac

Step 10 Map VLAN to the WLAN.


3850(config-wlan)#client vlan 40

Step 11 Prevent network access from clients with static IP (Optional).


3850(config-wlan)#ip dhcp required

Step 12 Disable WPA and 802.1x on the WLAN.


Disable all L2 security features and set the WLAN as open SSID.
3850(config-wlan)#no security wpa
3850(config-wlan)#no security wpa akm dot1x
3850(config-wlan)#no security wpa wpa2
3850(config-wlan)#no security wpa wpa2 ciphers aes

Step 13 Configure session timeout (Reauthentication timer).


3850(config-wlan)#session-timeout 7200
Note: The session-timeout for the open SSID is set to a lower value than for the secure SSID, as reauthentication of MAB requests does not impact
ISE as much as 802.1X requests.

Step 14 Enable the WLAN


3850(config-wlan)#no shutdown

Procedure 11

Configure Interfaces for Wireless APs

Step 1 Identify and configure interfaces where LWAP plugs in.


3850(config)#interface GigabitEthernet x/y/z
3850(config-if)#description AP
Note: With 3850 switch, the LWAP needs to be directly connected to the switch

Step 2 Assign wireless management VLAN.


Enabling 802.1X globally on the switch does not actually enable authentication on any of the switchports.
Authentication will be configured, but not enabled until we configure Monitor Mode.
3850(config-if)#switchport mode access
3850(config-if)#switchport access vlan 80
Note: 3850 introduces a new way of discovering new LWAPs by using CAPWAP snooping feature. There is no need to configure
DHCP option 43 or DNS entry for 3850 wireless management IP address

Step 3 Enable spanning-tree portfast.


3850(config-if)#spanning-tree portfast

Step 4 Enable the interface.


3850(config-if)#no shutdown

Step 5 Validate AP status.


After APs have been upgraded and rebooted, validate that all APs are running in Local mode and the Country setting is
correct. Also, make sure all AP Status shows up as Joined.
3850#show ap status
3850#show ap join stats summary
Note: Currently the 3850 only supports LWAPs in Local, Monitor, se-connect, and sniffer mode. If the LWAP was previously configured in
FlexConnect mode, run the ap name {AP_NAME} mode local command.

Sample output

3850#show ap status
AP Name               Status    Mode    Country
------------------------------------------------------------------------
AP4c4e.350d.35f8      Enabled   Local   US
APd48c.b5e4.3b88      Enabled   Local   US
AP4c4e.35c7.1572      Enabled   Local   US
AP44d3.ca42.58cd      Enabled   Local   US
3850#show ap join stats summary
Number of APs : 4
Base MAC         Ethernet MAC     AP Name             IP Address       Status
----------------------------------------------------------------------------
20bb.c067.fda0   4c4e.350d.35f8   AP4c4e.350d.35f8    192.168.80.103   Joined
34bd.c890.52f0   d48c.b5e4.3b88   APd48c.b5e4.3b88    192.168.80.101   Joined
5006.046e.f300   4c4e.35c7.1572   AP4c4e.35c7.1572    192.168.80.100   Joined
64d9.8946.b160   44d3.ca42.58cd   AP44d3.ca42.58cd    192.168.80.102   Joined
3850#
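Checking the two show commands by eye works for four APs; for a stack serving dozens it is easier to parse the output and assert the conditions Step 5 names (Enabled, Local mode, correct country, Joined). The following Python is an added example, not from the How-To: it parses the sample output shown above, which is copied from the page, and reports any AP that fails a check. Row parsing by whitespace-separated columns is an assumption about the output layout. The to_ietf_upper() helper also shows the form a MAC address takes in Calling-Station-Id with the attribute 31 "mac format ietf upper-case" setting from Procedure 4, which is what ISE matches endpoint identities against.

```python
"""Check the output of 'show ap status' and 'show ap join stats summary' for the
conditions named in Step 5: every AP Enabled, in Local mode, with the expected country,
and Joined. Added example, not from the How-To. The sample output is the page's own;
parsing rows by whitespace-separated columns is an assumption about the output layout.
to_ietf_upper() shows the form a client MAC takes in Calling-Station-Id with the
'radius-server attribute 31 mac format ietf upper-case' setting from Procedure 4."""
import re
from typing import Dict, List, Optional

SHOW_AP_STATUS = """\
3850#show ap status
AP Name               Status    Mode    Country
------------------------------------------------------------------------
AP4c4e.350d.35f8      Enabled   Local   US
APd48c.b5e4.3b88      Enabled   Local   US
AP4c4e.35c7.1572      Enabled   Local   US
AP44d3.ca42.58cd      Enabled   Local   US
"""

SHOW_AP_JOIN = """\
3850#show ap join stats summary
Number of APs : 4
Base MAC         Ethernet MAC     AP Name             IP Address       Status
----------------------------------------------------------------------------
20bb.c067.fda0   4c4e.350d.35f8   AP4c4e.350d.35f8    192.168.80.103   Joined
34bd.c890.52f0   d48c.b5e4.3b88   APd48c.b5e4.3b88    192.168.80.101   Joined
5006.046e.f300   4c4e.35c7.1572   AP4c4e.35c7.1572    192.168.80.100   Joined
64d9.8946.b160   44d3.ca42.58cd   AP44d3.ca42.58cd    192.168.80.102   Joined
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
# A status row is exactly four columns; the header has five words and the rule
# line has one, so neither of them matches.
STATUS_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
# A join row starts with two dotted MACs and carries an IPv4 address.
JOIN_ROW = re.compile(rf"^({MAC})\s+({MAC})\s+(\S+)\s+(\d+(?:\.\d+){{3}})\s+(\S+)$")


def parse_ap_status(text: str) -> Dict[str, dict]:
    aps = {}
    for line in text.splitlines():
        m = STATUS_ROW.match(line.rstrip())
        if m:
            aps[m.group(1)] = {"status": m.group(2), "mode": m.group(3),
                               "country": m.group(4)}
    return aps


def parse_ap_join(text: str) -> Dict[str, dict]:
    aps = {}
    for line in text.splitlines():
        m = JOIN_ROW.match(line.rstrip())
        if m:
            aps[m.group(3)] = {"base_mac": m.group(1), "eth_mac": m.group(2),
                               "ip": m.group(4), "status": m.group(5)}
    return aps


def expected_ap_count(text: str) -> Optional[int]:
    m = re.search(r"Number of APs\s*:\s*(\d+)", text)
    return int(m.group(1)) if m else None


def validate(status: Dict[str, dict], join: Dict[str, dict],
             country: str = "US", expected: Optional[int] = None) -> List[str]:
    """Return a list of findings; an empty list means the Step 5 checks pass."""
    findings = []
    for name, s in status.items():
        if s["status"] != "Enabled":
            findings.append(f"{name}: status is {s['status']}")
        if s["mode"] != "Local":
            findings.append(f"{name}: mode is {s['mode']}; run 'ap name {name} mode local'")
        if s["country"] != country:
            findings.append(f"{name}: country is {s['country']}, expected {country}")
    for name, j in join.items():
        if j["status"] != "Joined":
            findings.append(f"{name}: join status is {j['status']}")
    for name in sorted(set(status) - set(join)):
        findings.append(f"{name}: in 'show ap status' but missing from the join summary")
    if expected is not None and len(join) != expected:
        findings.append(f"join summary lists {len(join)} APs, header says {expected}")
    return findings


def to_ietf_upper(cisco_mac: str) -> str:
    """'4c4e.350d.35f8' -> '4C-4E-35-0D-35-F8' (IETF upper-case, as ISE receives it)."""
    digits = cisco_mac.replace(".", "").upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {cisco_mac}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


if __name__ == "__main__":
    status = parse_ap_status(SHOW_AP_STATUS)
    join = parse_ap_join(SHOW_AP_JOIN)
    findings = validate(status, join, expected=expected_ap_count(SHOW_AP_JOIN))
    for line in findings or ["all APs Enabled, Local and Joined"]:
        print(line)
```

On the page's own output the check passes; an AP that still reports FlexConnect mode would be listed with the exact ap name ... mode local command the note above says to run.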

Step 6 Save configuration.


3850#write memory

3850 Example Configuration


hostname 3850
!
aaa new-model
aaa session-id common
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting update periodic 15
!
aaa server radius dynamic-author
 client 192.168.201.88 server-key cisco123
 auth-type any
!
vlan 80
 name AP_VLAN
vlan 30
 name WLAN_USER
vlan 40
 name WLAN_GUEST
!
interface Vlan80
 ip address 192.168.80.1 255.255.255.0
 ip helper-address 192.168.201.72
 no shutdown
! Subnet masks for VLAN 30 and 40 are not given in the procedure steps; /24 is assumed here
interface Vlan30
 ip address 192.168.30.1 255.255.255.0
 ip helper-address 192.168.201.72
 ip helper-address 192.168.201.88
 no shutdown
interface Vlan40
 ip address 192.168.40.1 255.255.255.0
 ip helper-address 192.168.201.72
 ip helper-address 192.168.201.88
 no shutdown
!
ip device tracking
!
ip dhcp snooping vlan 30, 40
no ip dhcp snooping information option
ip dhcp snooping
!
ip domain-name example.com
!
crypto key generate rsa general-keys modulus 2048
!
dot1x system-auth-control
!
ip http server
ip http secure-server
ip http secure-active-session-modules none
ip http active-session-modules none
!
ip access-list extended REDIRECT-ACL
 deny udp any host 192.168.201.72 eq 53
 deny udp any eq bootpc host 192.168.201.72 eq bootps
 deny ip any host 192.168.201.88
 permit ip any any
!
ip radius source-interface Vlan201
snmp-server community cisco123 RO
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail mac-only
radius-server dead-criteria time 10 tries 3
radius-server host 192.168.201.88 auth-port 1812 acct-port 1813 test username radius-test idle-time 5 key cisco123
radius-server deadtime 15
radius-server vsa send accounting
radius-server vsa send authentication
!
wireless mobility controller
wireless management interface Vlan80
wireless client fast-ssid-change
wireless mgmt-via-wireless
wireless client user-timeout 7200
captive-portal-bypass
!
wlan example_employee 1 example_employee
 aaa-override
 client vlan 30
 nac
 ip dhcp required
 session-timeout 86400
 no shutdown
!
wlan example_open 2 example_open
 aaa-override
 client vlan 40
 mac-filtering default
 nac
 ip dhcp required
 no security wpa
 no security wpa akm dot1x
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 session-timeout 7200
 no shutdown
!
interface GigabitEthernet 1/0/17
 description Server
 switchport mode access
 switchport access vlan 201
 ip dhcp snooping trust
 spanning-tree portfast
 no shutdown
!
interface GigabitEthernet 1/0/9
 description AP
 switchport mode access
 switchport access vlan 80
 spanning-tree portfast
 no shutdown

ISE Configuration to suppress RADIUS test messages from the switch


You can configure collection filters to suppress syslog messages being sent to the monitoring and external servers. The
suppression can be performed at the Policy Services Node level based on different attribute types. You can disable the
suppression as well. You can define multiple filters with a specific attribute type and corresponding value.
Note: It is recommended to limit the number of collection filters to 20.

Procedure 1

Configure ISE to suppress RADIUS test messages

Step 1 Login to ISE primary admin node.


Step 2 Navigate to Administration > System > Logging
Step 3 Click on Collection Filters on left pane
Step 4 Click on Add on the top of the right pane

Step 5 Select User Name from the Attribute pull down menu
Step 6 Enter radius-test for Value
Step 7 Select Filter All from the Filter Type pull down menu
Step 8 Click Save
