Table of Contents
3850 Switch Wireless Configuration
  Overall Design
  Components used
  Few notes about NGWC wireless functions
  3850 Switch Wireless Configuration Steps
  3850 Example Configuration
ISE Configuration to suppress RADIUS test messages from the switch
HowTo-$$-Universal_NGWC/3850_Config
Mobility agent (MA): This is the default mode in which the Cisco Catalyst 3850 switch ships. In this mode the
switch can terminate the CAPWAP tunnels from the access points and provide wireless connectivity to wireless
clients. It maintains the wireless client database and configures and enforces security and QoS policies for
wireless clients and access points. No additional license on top of IP Base is required to operate in the mobility
agent mode.
Mobility controller (MC): In this mode, the Cisco Catalyst 3850 switch can perform all the mobility agent tasks in
addition to mobility coordination, radio resource management (RRM), and Cisco CleanAir coordination within a
mobility subdomain. The mobility controller mode can be enabled on the switch CLI. IP Base license level is
required when the Cisco Catalyst 3850 switch is acting as the mobility controller. A centrally located Cisco 5508
Wireless LAN Controller (WLC 5508), Cisco Wireless Services Module 2 (WiSM2) (when running AireOS Version
7.3), and Wireless LAN Controller 5760 can also perform this role for larger deployments.
Overall Design:
The following diagram shows the overall layout of the components. There are two Service Set IDentifiers (SSIDs), one
secured with WPA2 (Wi-Fi Protected Access V2) + 802.1X and another Open + Central Web Authentication (CWA). Although we
won't go into the details of the different Bring Your Own Device (BYOD) policies or posture policies within Cisco Identity
Services Engine (ISE), this setup provides a baseline for such operations. This document only covers the baseline wireless
configuration on 3850 switches; for deploying the 3850 on a wired network, or for other ISE configuration, please refer to
the respective ISE How-to documents.
Components used:
Cisco ISE 1.2.0.899
Cisco 3850 running IOS-XE version 03.02.02.SE
Cisco LWAP 3602
Microsoft Windows 2008 as AD/DNS/DHCP server
Few notes about NGWC wireless functions:
- The wireless management interface has to be in the same VLAN as the AP access VLAN; APs in FlexConnect mode are not
supported in this layout.
- No legacy AP discovery method (DHCP option 43 or a DNS entry) is needed: with CAPWAP snooping, every directly connected
AP can join the 3850 as long as it is placed in the correct VLAN. Because of CAPWAP snooping, once a wireless management
interface is configured on the 3850, directly connected APs can only talk to the 3850.
- HTTPS redirect is supported; however, the 3850 intercepts the HTTPS session with its own certificate, so the user will be
asked to trust the certificate of the 3850 HTTPS server before continuing (unless the switch has been given a certificate
the clients already trust).
- With IOS-XE version 03.02.02.SE, the 3850 switch provides some GUI-based wireless configuration functions.
Note: Cisco 3850 can act as Mobility Agent (MA) mode or Mobility Controller (MC) mode. Every mobility deployment requires at least one MC
and since our design consists of one 3850 switch, we will be configuring the switch as MC mode.
3850 Switch Wireless Configuration Steps
Procedure 1
Validate licensing
The 3850 uses the Right-To-Use (RTU) license scheme. RTU licensing allows you to order and activate a specific license type
and level, and to manage license usage on the switch. To activate a license, you must accept the End-User License
Agreement (EULA). For the evaluation license, you are notified to purchase a permanent license or deactivate the license
before the 90-day period expires. Before wireless functions can be enabled on the 3850 switch, the switch must be running
either the ipbase or the ipservices feature set, with the RTU license present and the EULA accepted. The RTU license also
governs the number of APs allowed when the switch is acting as Mobility Controller (MC).
Note: Prerequisite configuration: This guide assumes that the switches have the required licenses; the following step focuses on
validating the RTU license on the platform.
Step 1 Display the RTU license summary:
Sample output
3850#show license right-to-use summary
          License Name    Type        Count   Period left
          ----------------------------------------------
          ipservices      permanent   N/A     Lifetime
          apcount         base        0       Lifetime
          apcount         adder       10      Lifetime
          -------------------------------------------
License Level In Use: ipservices
License Level on Reboot: ipservices
Evaluation AP-Count: Disabled
Total AP Count Licenses: 10
AP Count Licenses In-use: 4
AP Count Licenses Remaining: 6
3850#
Step 2 Activate the feature set that supports wireless controller functionality, and activate the AP count RTU license as well:
3850#license right-to-use activate ipservices slot 1 acceptEULA
3850#license right-to-use activate apcount 10 slot 1 acceptEULA
Note: Activating the AP count RTU license may require the mobility controller feature to be enabled first.
Procedure 2
Step 5 Disable HTTP & HTTPS for other switch management functions (Optional):
3850(config)#ip http active-session-modules none
3850(config)#ip http secure-active-session-modules none
Note: This disables web management access to the 3850 (including the wireless GUI) as well as configuration from Cisco Prime
Infrastructure (NCS). Leave ip http server and ip http secure-server themselves enabled: the URL redirection used for web
authentication depends on them, and these two commands only remove the management session modules.
Procedure 3
Step 1 Enable authentication, authorization, and accounting (AAA) on the access switches.
By default, the AAA subsystem of the Cisco switch is disabled. Prior to enabling the AAA subsystem, none of the
required commands will be available in the configuration. Enter the following:
3850(config)#aaa new-model
3850(config)#aaa session-id common
Note: This command enables the services that AAA network security services provide, for example local login authentication and
authorization, defining and applying method lists, and so on. For further details, please refer to the Cisco IOS Security
Configuration Guide.
Procedure 4
We configure a proactive method to check the availability of the RADIUS server. With this practice, the switch will send
periodic test authentication messages to the RADIUS server (Cisco ISE). It is looking for a RADIUS response from the
server. A success message is not necessary; a failed authentication will suffice, because it shows that the server is alive.
Best Practice: With ISE 1.2 there is a feature to suppress authentications with certain conditions. We will use that feature to suppress any
RADIUS keepalive messages. See end of this document for instructions.
3850(config)#radius-server attribute 6 on-for-login-auth
3850(config)#radius-server attribute 8 include-in-access-req
3850(config)#radius-server attribute 25 access-request include
3850(config)#radius-server attribute 31 mac format ietf upper-case
3850(config)#radius-server attribute 31 send nas-port-detail mac-only
Step 6 Ensure the switch always sends RADIUS requests from the correct interface.
Switches often have multiple IP addresses associated with them. Therefore, it is a best practice to always force
management communications to occur through a specific interface. The IP address of this interface must match the IP address
defined in the Cisco ISE Network Device object, otherwise ISE drops the requests as coming from an unknown device.
Cisco Best Practice: As a network management best practice, use a loopback adapter for all management communications, and advertise
that loopback interface into the internal routing protocol.
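The AAA and RADIUS server definition that Procedures 3 and 4 describe, collected into one configuration. This is an added example and not configuration taken from the original document. It assumes ISE is reachable at 192.168.201.88 (the address the redirect ACL later in this document bypasses), a shared secret written here as <shared-secret>, a Loopback0 management address already advertised into the IGP, and the method-list names ISE-DOT1X, ISE-NET and ISE-ACCT; change these to match your deployment. It uses the named radius server syntax; on images that lack it, the legacy radius-server host ... test username radius-test key ... form expresses the same thing.

```cisco
! --- Added example: AAA and RADIUS definition for ISE on a 3850 (assumed addresses and names) ---
aaa new-model
aaa session-id common
!
! Named RADIUS server. The test username drives the proactive server probe
! described in Procedure 4: a rejected Access-Request still proves the server is alive.
radius server ISE-1
 address ipv4 192.168.201.88 auth-port 1812 acct-port 1813
 automate-tester username radius-test
 key <shared-secret>
!
! Mark the server dead after 3 unanswered tries within 5 seconds and keep it out of
! rotation for 15 minutes, so sessions fail over instead of timing out per request.
radius-server dead-criteria time 5 tries 3
radius-server deadtime 15
!
! Send Cisco VSAs and the NAS attributes ISE expects (same attribute commands as above).
radius-server vsa send authentication
radius-server vsa send accounting
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail mac-only
!
! Source all RADIUS traffic from the loopback: this is the address registered
! as the Network Device in ISE (Step 6).
ip radius source-interface Loopback0
!
aaa group server radius ISE
 server name ISE-1
!
! Named method lists; the WLANs reference these by name (assumed names).
aaa authentication dot1x ISE-DOT1X group ISE
aaa authorization network ISE-NET group ISE
aaa accounting identity ISE-ACCT start-stop group ISE
!
! Accept Change of Authorization only from ISE with the shared key. CoA is what
! moves a client out of the redirect state after CWA, posture or BYOD flows.
aaa server radius dynamic-author
 client 192.168.201.88 server-key <shared-secret>
 auth-type any
!
dot1x system-auth-control
```

After applying this, `show aaa servers` should show the server state as UP and the test probes (username radius-test) appearing in ISE's Live Authentications as failed attempts until the suppression rule at the end of this document is in place.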
Procedure 5
A wireless management interface is required to build the CAPWAP tunnels with the lightweight APs. VLANs also need to be
created for each WLAN that will be set up for wireless access, together with any user VLANs that will be mapped to those
WLANs.
Step 1 Add the following VLANs for wireless management and WLAN interfaces:
3850(config)#vlan 80
3850(config-vlan)#name AP_VLAN
3850(config-vlan)#vlan 30
3850(config-vlan)#name WLAN_USER
3850(config-vlan)#vlan 40
3850(config-vlan)#name WLAN_GUEST
Procedure 6
DHCP snooping is not required for the 3850 wireless feature to function, but it is considered a best practice to require all
endpoints to obtain addresses from the DHCP server. This is done by enabling DHCP snooping globally and enabling the DHCP
required option in the WLAN configuration.
Before configuring DHCP snooping, be sure to note the location of your trusted DHCP servers. Once DHCP snooping is enabled,
the switch drops DHCP server replies arriving on any port not configured as trusted, so an untrusted uplink cuts off every
client. Enter interface configuration mode for the uplink interface and configure it as a trusted port first.
Step 1 Configure Dynamic Host Configuration Protocol (DHCP) snooping for trusted ports.
3850(config)#interface GigabitEthernet x/y/z
3850(config-if)#description Server
3850(config-if)#ip dhcp snooping trust
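Procedures 5 and 6 together, as an added example rather than configuration from the original document: the three VLANs, the SVI that becomes the wireless management interface, the mobility controller role, an AP-facing access port, and DHCP snooping with the server-facing uplink trusted. The SVI addresses (192.168.80.1, 192.168.30.1, 192.168.40.1), the DHCP/DNS server 192.168.201.72, and the interface numbers are assumptions.

```cisco
! --- Added example: VLANs, wireless management interface and DHCP snooping (assumed addresses and ports) ---
vlan 80
 name AP_VLAN
vlan 30
 name WLAN_USER
vlan 40
 name WLAN_GUEST
!
! The wireless management interface must be in the same VLAN the APs use for
! access; CAPWAP snooping then steers every directly connected AP to this switch.
interface Vlan80
 description Wireless management / AP VLAN (assumed addressing)
 ip address 192.168.80.1 255.255.255.0
 ip helper-address 192.168.201.72
!
interface Vlan30
 description WLAN_USER client gateway (assumed addressing)
 ip address 192.168.30.1 255.255.255.0
 ip helper-address 192.168.201.72
!
interface Vlan40
 description WLAN_GUEST client gateway (assumed addressing)
 ip address 192.168.40.1 255.255.255.0
 ip helper-address 192.168.201.72
!
wireless management interface Vlan80
! Single-switch design: this 3850 is the mobility controller.
! A change of mobility role only takes effect after a reload.
wireless mobility controller
!
! AP-facing port: plain access port in the AP VLAN (no FlexConnect in this layout).
interface GigabitEthernet1/0/1
 description Lightweight AP
 switchport mode access
 switchport access vlan 80
 spanning-tree portfast
!
! Trust the port towards the DHCP server BEFORE enabling snooping on the
! client VLANs, otherwise server replies are dropped and clients lose addresses.
interface GigabitEthernet1/1/1
 description Uplink towards AD/DNS/DHCP server
 switchport mode trunk
 ip dhcp snooping trust
!
ip dhcp snooping vlan 30,40,80
! The switch inserts option 82 by default; disable it unless the DHCP server
! is configured to accept relayed requests carrying it.
no ip dhcp snooping information option
ip dhcp snooping
```

Check the result with `show ip dhcp snooping` (the trusted port and the snooped VLANs must be listed) and `show ip dhcp snooping binding` once clients start joining; a client missing from the binding table is one that did not obtain its address via DHCP through the switch.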
Procedure 7
Certain functions on the switch, such as URL redirection, require locally configured access control lists (ACLs). Some of
the ACLs you create will be used immediately, and some may not be used until a much later phase of your deployment. The goal
of this section is to prepare the switches for all possible deployment models at one time and limit the operational expense
of repeated switch configuration. Note that a redirect ACL is matched the opposite way from a filtering ACL: traffic that the
ACL permits is redirected to the web portal, traffic that it denies is passed through without redirection. That is why DNS,
DHCP and traffic to ISE itself are denied below, and everything else is permitted. The redirect ACL does not restrict what the
client can reach; that is the job of the authorization (dACL) ISE returns.
Step 1 Add the following ACL to be used for URL redirection with web authentication:
3850(config)#ip access-list extended REDIRECT-ACL
3850(config-ext-nacl)#deny udp any host 192.168.201.72 eq 53
3850(config-ext-nacl)#deny udp any eq bootpc host 192.168.201.72 eq bootps
3850(config-ext-nacl)#deny ip any host 192.168.201.88
3850(config-ext-nacl)#permit ip any any
Procedure 8
Note: In some uncommon cases, with Windows 7 and with devices that do not respond to ARP probes, it may be necessary to use the
command ip device tracking use-SVI so that the probes are sourced from the SVI address instead of 0.0.0.0.
Procedure 9
Procedure 10
Configure WLANs
Step 2 Configure the WLAN to accept RADIUS authorization and instructions from the RADIUS server.
The AAA Override option of a WLAN enables you to configure the WLAN for identity networking. It allows VLAN assignment,
Quality of Service (QoS) and Access Control Lists (ACLs) to be applied to individual clients based on the RADIUS attributes
returned by ISE. The nac option lets the switch act on the url-redirect and url-redirect-acl attributes returned by ISE,
placing the client in the corresponding state for Central Web Authentication (CWA), Device Registration WebAuth (DRW),
Mobile Device Management (MDM), Native Supplicant Provisioning (NSP) and Client Provisioning/Posture (CPP).
3850(config-wlan)#aaa-override
3850(config-wlan)#nac
Step 9 Configure WLAN to accept RADIUS Authorization messages from the RADIUS server
3850(config-wlan)#aaa-override
3850(config-wlan)#nac
3850(config-wlan)#security wpa
3850(config-wlan)#security wpa akm dot1x
3850(config-wlan)#security wpa wpa2
3850(config-wlan)#security wpa wpa2 ciphers aes
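The two WLANs the design calls for, the WPA2/802.1X SSID and the Open + Central Web Authentication SSID, written out as an added example; this is not configuration copied from the original document. It assumes method lists named ISE-DOT1X (authentication), ISE-NET (network authorization) and ISE-ACCT (identity accounting) pointing at a RADIUS group for ISE, the VLANs 30 and 40 from Procedure 5, ISE at 192.168.201.88 and the DNS/DHCP server at 192.168.201.72 as in the REDIRECT-ACL; the profile names, SSIDs and WLAN IDs are placeholders.

```cisco
! --- Added example: WPA2/802.1X WLAN and Open+CWA WLAN on a 3850 (assumed names and lists) ---
!
! WLAN 1: corporate SSID, WPA2 with AES and 802.1X key management.
wlan CORP 1 CORP
 client vlan 30
 ! Let ISE override VLAN/ACL/QoS per client and honour url-redirect
 ! for posture (CPP), BYOD (NSP) and MDM flows.
 aaa-override
 nac
 ip dhcp required
 security wpa
 security wpa wpa2
 security wpa wpa2 ciphers aes
 security wpa akm dot1x
 security dot1x authentication-list ISE-DOT1X
 accounting-list ISE-ACCT
 no shutdown
!
! WLAN 2: guest SSID, open, with Central Web Authentication. The client MAC is
! sent to ISE through the mac-filtering authorization list (MAB-style); ISE
! answers with url-redirect-acl=REDIRECT-ACL plus the portal url-redirect, and
! sends a CoA once the guest has authenticated on the portal.
wlan GUEST 2 GUEST
 client vlan 40
 aaa-override
 nac
 ip dhcp required
 mac-filtering ISE-NET
 accounting-list ISE-ACCT
 no security wpa
 no security wpa akm dot1x
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 no shutdown
!
! The redirect ACL ISE names in its authorization (Procedure 7). deny = do not
! redirect (DNS, DHCP and ISE itself must pass), permit = redirect to the portal.
! It does not filter traffic; restriction comes from the dACL ISE returns.
ip access-list extended REDIRECT-ACL
 deny udp any host 192.168.201.72 eq 53
 deny udp any eq bootpc host 192.168.201.72 eq bootps
 deny ip any host 192.168.201.88
 permit ip any any
!
! URL redirection is served by the switch's HTTP/HTTPS servers, which must stay
! enabled even when the management session modules are disabled (Procedure 2).
ip http server
ip http secure-server
```

A useful check after a client associates is `show wireless client mac-address <mac> detail` (or `show access-session mac <mac> details`): a CWA client should show the REDIRECT-ACL and the portal URL applied until the CoA arrives, and the CORP client should show the VLAN and any dACL pushed by ISE rather than the WLAN defaults.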
Procedure 11
Sample output
3850#show ap status
AP Name              Status    Mode    Country
------------------------------------------------------------------------
AP4c4e.350d.35f8     Enabled   Local   US
APd48c.b5e4.3b88     Enabled   Local   US
AP4c4e.35c7.1572     Enabled   Local   US
AP44d3.ca42.58cd     Enabled   Local   US

3850#show ap join stats summary
Number of APs : 4
Base MAC        Ethernet MAC    AP Name             IP Address       Status
----------------------------------------------------------------------------
20bb.c067.fda0  4c4e.350d.35f8  AP4c4e.350d.35f8    192.168.80.103   Joined
34bd.c890.52f0  d48c.b5e4.3b88  APd48c.b5e4.3b88    192.168.80.101   Joined
5006.046e.f300  4c4e.35c7.1572  AP4c4e.35c7.1572    192.168.80.100   Joined
64d9.8946.b160  44d3.ca42.58cd  AP44d3.ca42.58cd    192.168.80.102   Joined
3850#
ISE Configuration to suppress RADIUS test messages from the switch
Procedure 1
Step 5 Select User Name from the Attribute pull down menu
Step 6 Enter radius-test for Value
Step 7 Select Filter All from the Filter Type pull down menu
Step 8 Click Save