Académique Documents
Professionnel Documents
Culture Documents
Config Guide
Connected
Architectures
Partner
Organization
(CAPO)
Secure
Access
and
Mobility
Product
Group
(SAMPG)
April
6th
2015
ise_nfr_partner_bundle@cisco.com
Table
of
Contents
1
Introduction
.......................................................................................................................................
3
2
Topology
.............................................................................................................................................
4
3
Equipment
Specifications
................................................................................................................
6
4
VM
Networking
Configuration
.......................................................................................................
7
5
Next
Steps
........................................................................................................................................
24
CLEANUP:
BEFORE
YOU
PROCEED
..................................................................................................
26
SCENARIO
1:
DEMONSTRATE
THE
GUEST
ACCESS
FOR
A
WIRELESS
HOTSPOT
...........................
27
SCENARIO
2:
DEMONSTRATE
THE
GUEST
ACCESS
FOR
A
SELF-REGISTER
PORTAL
.....................
29
SCENARIO
3:
DEMONSTRATE
THE
GUEST
ACCESS
FROM
A
SPONSORED
ACCOUNT
..................
32
SCENARIO
4:
DEMONSTRATE
ONBOARDING
OF
A
NON-CORPORATE
APPLE
IPAD
....................
35
6
Appendix
1:
Bill
of
Materials
.........................................................................................................
40
7
Appendix
2:
Catalyst
3560
Configuration
...................................................................................
41
8
Appendix
3:
Virtual
Wireless
LAN
Controller
.............................................................................
44
9
Appendix
4:
ASAv
Configuration
..................................................................................................
51
10
Appendix
5:
Configure
a
Network
Serial
Console
Port
..........................................................
52
11
Appendix
6:
Telnet
to
Network
Serial
Console
Port
...............................................................
53
Introduction
This
document
provides
details
to
build
out
hardware
and
software
components
for
the
Identity
Services
Engine
(ISE)
Not
For
Resale
(NFR)
partner
bundle.
The
bundle
provides
partners
with
ISE,
NetSvc
VM
and
other
Cisco
infrastructure
VMs
such
as
virtual
ASA
and
virtual
WLC
that
partners
can
leverage
to
configure
a
purpose
built
lab.
The
ISE
OVA
image
included
with
the
NFR
kit
comes
already
configured
for
simple
insertion
into
a
lab
environment.
The
Services
image
included
with
the
NFR
kit
is
a
Linux
(CentOS)
VM
that
provides
key
ISE
services
such
as
NTP,
DNS,
DHCP,
LDAP
and
MAIL.
The
Linux
VM
is
preconfigured,
but
can
be
customized
to
meet
specific
customer
use
cases
or
scenarios.
This
document
was
written
with
specific
hardware
in
mind,
but
can
be
customized
to
match
your
environment.
The
table
below
lists
the
hardware
components
used
in
this
guide.
A
detailed
Bill
of
Materials
is
also
available
in
Appendix
1.
This
guide
provides
step-by-step
procedure
on
how
to
setup
ISE
1.3
environment
to
demonstrate
key
customer
use
cases
such
as
Secure
Access,
Guest
Services
and
BYOD.
Topology
Below presents the recommended physical topology for the ISE NFR program.
SWITCH
(Catalyst
3560CG)
Interface
G0/1
G0/2
G0/10
Switch Mode
Access
Access
TRUNK
VLAN
10
100
All
Destination
VMNIC 1
AP
VMNIC 0
VLAN
70
Destination
Internet
3k-Access G0/10
VLAN
100
Destination
3k-Access G0/10
NAME
IP SUBNET
DESCRIPTION
10
ACCESS
10.1.10.0/24
50
WIRELESS GUESTS
10.1.50.0/24
GUEST
70
CORP
10.1.70.0/24
100
MGMT
10.1.100.0/24
MANAGEMENT
DNS Names
IP Address
Login Credentials
10.1.100.1 (MGMT)
admin / ISEc0ld
Domain:
securitydemo.net
SWITCH
3560CG
10.1.70.2
(CORP)
ASAv
(EGFW)
egfw
10.1.70.1 (CORP)
admin / ISEc0ld
10.1.100.254
(MGMT)
vWLC
vwlc
10.1.100.41 (MGMT)
10.1.20.41
(SERVICE-PORT)
ISE
ise
10.1.100.21
admin / ISEc0ld
NETSVC*
[AD/CS/DNS/DHCP/NTP/MAIL]
netsvc
10.1.100.40
root / ISEc0ld
updates
10.1.100.221
portal
10.1.100.222
biz
10.1.100.223
it
admin
/
ISc0ld
employee
/
ISEc0ld
sponsor /ISEc0ld
10.1.100.224
records
10.1.100.225
dev
10.1.20.40
prod
10.1.20.39
CIMC
10.1.100.3
ESXI
10.1.100.2
root / ISEc0ld
Equipment Specifications
3.1
Hardware1
HARDWARE
3.2
3.3
DESCRIPTION
2 x 2.4GHz CPU, 8 x 300GB HD, 64GB RAM, 1 x Quad NIC (+2 x NICs Incl. onboard, Total 6 NICs require)
WS-C3560CG-8PC-S
AIR-CAP2602I-A-K9
WINDOWS PC
VERSION
Catalyst 3560CG
15.2(2)E2
c3560c405ex-universalk9-mz.152-2.E2.bin
vWLC (VM)
7.6.130
AIR-CTVM-K9-7-6-130-0.aes
ASAv (VM)
9.3(2)
asa932-smp-k8.bin
VMware
APPLICATIONS
DESCRIPTION
DOWNLOAD
VMware Hypervisor.
Go To VMware
Go To VMware
vSphere Client
Show Me
3.4
Virtual
Machines4
NAME
DESCRIPTION
FILE
NETSVC
OVA
OVA
OVA
Virtual ASA
OVA
vWLC
ASAv
DOWNLOAD
Click
Here
(Box.net)
NOTE:
To
download
the
appropriate
VMs
(OVA)
and
NAD
configurations
please
use
the
links
provided
in
the
above
table.
For
the
VMs
that
are
to
be
downloaded
from
Cisco.com
(links
provided
above)
please
match
the
code
version
in
(3.2).
VM Networking Configuration
This
section
covers
the
process
to
install
all
the
VMs
needed
in
this
guide
including
ISE,
NetSvc
VM,
WLC
virtual
controller
(vWLC)
and
Virtual
ASA
(vASA).
For
simplicity,
this
guide
will
cover
direct
connection
from
the
vSphere
client
to
an
ESXi
host
instead
of
vSphere.
The
steps
that
follow
assume
that
there
is
a
working
ESXi
environment
with
the
vSphere
client
installed
and
the
admin
machine.
It
is
very
important
to
plan
physical
connections
and
VLANs
early
in
the
development
process.
This
will
ensure
that
you
are
able
to
complete
all
desired
use
cases
with
available
NICs.
As
per
the
above
diagram
there
will
be
only
three
network
Card
interfaces
need
on
the
UCS
which
means
we
need
to
configure
3
vSwitches
(Virtual
Switches)
as
follow:
To
configure
networking
in
the
vSphere
client
select
the
UCS
host
and
click
the
Configuration
tab.
Select
Networking
in
the
Hardware
pane
and
ensure
vSphere
Standard
Switch
is
selected.
Click
on
Properties
under
vSwitch1
(It
may
start
from
vSwitch0)
then
go
through
the
next
steps
below
as
per
the
diagram
to
rename.
Change
Network
Label
Management
Network
to
VMK-NET
and
Note:
VMKernel
Networking
layer
provides
connectivity
to
hosts.
Repeat
the
above
steps
to
change
the
Network
Label
and
VLAN
ID
to
MGMT
and
100
respectively.
7
Next
configure
vSwitch2
by
mapping
it
to
vmnic1.
Start
by
clicking
Add
Networking
Pick
connection
type
as
Virtual
Machine
then
click
on
Next.
Change
the
Network
Label
to
ACCESS.
Click
Next
and
then
Finish
when
done
which
should
take
you
back
to
the
Network
Configuration
main
screen.
Follow
the
previous
steps
to
configure
vSwitch3
and
check
vmnic2
as
the
assigned
network
adapter
then
click
Next.
Change
the
Network
Label
to
EGFW-OUTSIDE.
Click
Next
and
then
Finish
when
done
which
should
take
you
back
to
the
Network
Configuration
main
screen.
Next
we
will
add
vSwitch4
and
skip
Network
Access
step
and
NOT
SELECT
any
vmnic
and
then
change
the
Network
Label
to
ESXI-HOST-ONLY
and
click
Next.
As
per
the
network
diagram
we
will
be
adding
two
VM
Port
Groups
to
vSwitch1.
Click
on
vSwitch1
Properties.
Click
on
Add
Then
select
Virtual
Machine
Change
the
Network
Label
and
VLAN
ID
to
CORP
and
70
respectively.
Click
Next
and
Finish
when
done
and
then
repeat
the
above
steps
to
add
another
port
group
called
Trunk
with
a
VLAN
ID
All
(4095).
10
If
you
follow
the
above
steps
correctly
the
VM
Networking
will
look
like
the
following
screenshot:
The
Virtual
Wireless
LAN
Controller
requires
virtual
switch
to
operate
in
Promiscuous
Mode.
This
is
not
the
default
setting
and
you
will
need
to
update
the
TRUNK
port
group.
Select
the
Properties
link
above
the
vSwitch
with
the
TRUNK
port
group.
Within
the
vSwitch
Properties
window,
select
the
TRUNK
port
group
and
click
Edit,
now
click
the
Security
tab,
select
the
Promiscuous
Mode
check
box,
and
change
the
option
to
Accept.
Click
OK
when
complete.
11
4.1
NetSVC
The
NetSVC
VM
provides
key
ISE
services
such
as
DNS,
DHCP,
NTP,
HTTP,
and
MAIL.
The
CentOS
5.11
VM
is
preconfigured,
but
can
be
customized
to
meet
specific
customer
use
cases
or
scenarios.
To
begin
importing
the
VM
into
your
environment,
open
the
vSphere
client
and
connect
to
the
desired
ESXi
host.
From
the
menu
bar,
select
File
>
Deploy
OVF
Template
Browse
to
and
select
the
Source,
NetSvc.ova,
from
the
USB
drive.
Select
Next
to
continue.
Click
Next
to
accept
the
default
values
on
the
OVF
Template
Details,
Name
and
Location,
Resource
Pool
and
Disk
Format.
If
you
havent
already
downloaded
the
OVA
Please
refer
to
Table
3.4.
Except
in
Network
Mapping
section
select
MGMT
as
the
Destination
Network.
Confirm the settings on the Ready to complete screen and click Finish to begin the VM Deployment.
12
From
vSphere,
you
have
the
ability
to
control
multiple
facets
of
Virtual
Machine
operations.
At
the
most
basic
level,
you
can
power
on,
power
off,
or
open
the
console
of
VMs.
To
power
on
the
NetSvc
VM,
right-click
the
NetSvc
VM
and
select
Power
>
Power
On.
Also,
you
can
use
a
shortcut
(Ctrl+B)
or
Power-On
button
from
the
top
menu
after
selecting
the
VM
Click
the
Once
the
VM
boots
up,
verify
the
DNS,
DHCP,
NTP,
HTTP,
and
MAIL
services
are
running
properly.
You
can
use
the
VM
Console
or
SSH
to
verify.
To
SSH
into
the
NetSvc
VM
(IP:
10.1.100.40).
Login
with
user:
root
and
password:
ISEc0ld.
DNS
[root@netsvc
~]#
service
named
status
number
of
zones:
7
debug
level:
0
xfers
running:
0
xfers
deferred:
0
soa
queries
in
progress:
0
query
logging
is
OFF
recursive
clients:
0/1000
tcp
clients:
0/100
server
is
up
and
running
named
(pid
2407)
is
running...
[root@netsvc
~]#
host
netsvc.securitydemo.net
netsvc.securitydemo.net
has
address
10.1.100.40
[root@netsvc
~]#
host
ise.securitydemo.net
ise.securitydemo.net
is
an
alias
for
ise-1.securitydemo.net.
ise-1.securitydemo.net
has
address
10.1.100.21
Here
is
just
an
example,
Please
configure
as
per
your
environment.
Configuration
file
named.conf
located
at
/var/named/chroot/etc/
Adjust
forwarders
as
needed;
e.g.
at
Cisco
Lab
networks.
forwarders
{
//
Google
public
DNS
servers
8.8.8.8;
8.8.4.4;
//
OpenDNS
servers
208.67.222.222;
208.67.220.220;
};
13
DHCP
[root@netsvc
~]#
service
dhcpd
status
dhcpd
(pid
2602)
is
running...
NTP
[root@netsvc
~]#
service
ntpd
status
ntpd
(pid
2587)
is
running...
[root@netsvc
~]#
ntpq
-np
remote
refid
st
t
when
poll
reach
delay
offset
jitter
==============================================================================
127.127.1.0
.LOCL.
10
l
5
64
3
0.000
0.000
0.001
Here
is
just
an
example,
Please
configure
as
per
your
environment.
Configuration
file
located
at
/etc/ntp.conf.
Adjust
the
list
of
external
NTP
servers
as
needed.
HTTP
[root@netsvc
~]#
service
httpd
status
httpd
(pid
2705)
is
running...
Mail
(Postfix)
[root@netsvc
~]#
service
postfix
status
master
(pid
2673)
is
running...
IMAP
(Dovecot)
[root@netsvc
~]#
service
dovecot
status
dovecot
(pid
2615)
is
running...
14
4.2
ISE NFR
The
ISE
NFR
VM
ships
with
configurations
for
most
of
the
features
in
ISE
including
Dot1x,
Guest,
BYOD
and
Posture.
Follow
the
same
procedure
as
the
NetSvc
VM
to
import
the
ISE
NFR
OVA.
From
the
vSphere
client,
select
File
>
Deploy
OVF
Template
(If
you
havent
already
downloaded
the
OVA
Please
refer
to
Table
3.4)
Browse
to
and
select
the
Source,
ISE-1.3-NFR.ova,
from
the
USB
drive.
Select
Next
to
continue.
Change
the
Name
to
ISE
NFR
and
select
Next
and
accept
default
Disk
Format
and
then
select
Next
again
Next
under
Network
Mapping
section
select
MGMT
as
the
Destination
Network.
Confirm
the
settings
on
the
Ready
to
Complete
screen
and
click
Finish
to
begin
the
VM
Deployment.
To
power
on
the
ISE
NFR
VM,
right-click
the
VM
and
select
Power
>
Power
On.
Also,
you
can
use
a
shortcut
(Ctrl+B)
after
selecting
the
VM.
To
verify
that
services
are
running
properly,
SSH
to
the
ISE
NFR
VM
at
10.1.100.21.
Login
with
user:
admin
and
password:
ISEc0ld.
login
as:
admin
admin@10.1.100.21's
password:
ISEc0ld
Verify
that
ISE
services
are
running
by
issuing
the
show
applications
status
ise
command
and
confirming
that
all
services
are
running.
ise/admin#
show
application
status
ise
15
Verify
that
NTP
is
properly
synced
to
the
ISE
NFR
VM
by
issuing
the
show
ntp
command
and
confirming
that
10.1.100.40
is
the
current
time
source.
The
asterisk
shows
what
timeserver
ISE
is
synchronized
with.
Allow
a
few
minutes
for
synchronization
to
complete.
ise/admin#
show
ntp
Configured
NTP
Servers:
10.1.100.40
synchronized
to
NTP
server
(10.1.100.40)
at
stratum
11
time
correct
to
within
961
ms
polling
server
every
64
s
remote
refid
st
t
when
poll
reach
delay
offset
jitter
==============================================================================
*127.127.1.0
.LOCL.
10
l
9
64
377
0.000
0.000
0.001
10.1.100.40
------
16
u
-
256
0
0.000
0.000
0.000
Current
time
source,
+
Candidate
Warning:
Output
results
may
conflict
during
periods
of
changing
synchronization.
Now
lets
try
to
access
ISE
from
GUI
and
test.
Open
http://10.1.100.21
in
a
browser
(ex:
Firefox)
and
login
to
ISE.
User:
admin
and
pass:
ISEc0ld
16
4.3
Installation
Download
the
Virtual
Wireless
LAN
Controller
(vWLC)
ver
7.6.130.0
(Supports
OEAP)
from
Cisco.
The
.OVA
file
is
required
for
the
first
time
installation
only
and
the
.aes
file
is
used
for
upgrades.
After
downloading
the
appropriate
ova,
deploy
the
vWLC
ova
by
selecting
your
ESXi
host
and
clicking
File
>
Deploy
OVF
Template
Browse
to
download
location
of
your
ova
and
click
Open.
Click
Next
to
confirm
the
source
and
Next
again
to
confirm
the
OVF
Template
Details.
Change
the
Name
to
vWLC
and
select
Next
and
accept
default
Disk
Format
and
then
select
Next
again
Next
under
Network
Mapping
section
Change
the
Destination
Network
to
TRUNK
and
click
Next.
17
Finally,
confirm
appliance
details
and
click
Finish
to
deploy
the
VM.
Installation
will
complete
in
a
few
minutes
and
the
vWLC
will
be
ready
for
configuration.
When
the
vWLC
Virtual
Machine
is
ready
to
power
on
and
bootstrap,
select
the
vWLC
VM
in
the
Home
>
Inventory
>
Inventory
window,
and
use
shortcut
(Ctrl+B)
to
power
it
on.
Click
the
The
installation
process
will
continue.
When
prompted
to
Press
any
key
to
use
this
terminal
as
the
default
terminal,
be
sure
to
click
in
the
window
and
press
any
key.
Wait
until
the
vWLC
prompts
Would
you
like
to
terminate
autoinstall?
Type
yes
and
click
Enter.
When
prompted,
enter
the
following
information
to
bootstrap
the
vWLC
and
press
Enter
Prompt
System
Name
Enter
Administrative
User
Name
Enter
Administrative
Password
Re-enter
Administrative
Password
Service
Interface
IP
Address
Configuration
Service
Interface
IP
Address
Service
Interface
Netmask
Management
Interface
IP
Address
Management
Interface
Netmask
Management
Interface
Default
Router
Management
Interface
VLAN
Identifier
(0
=
untagged)
Management
Interface
Port
Num
Management
Interface
DHCP
Server
IP
Address
Virtual
Gateway
IP
Address
Mobility/RF
Group
Name
Network
Name
(SSID)
Configure
DHCP
Bridging
Mode
Value
vWLC
admin
ISEc0ld
ISEc0ld
static
10.1.20.41
255.255.255.0
10.1.100.41
255.255.255.0
10.1.100.1
100
1
10.1.100.40
1.1.1.1
ISECOLD
ISECOLD
NO
18
Allow
Static
IP
Address
Configure
a
RADIUS
Server
now
Enter
the
RADIUS
Servers
Address
Enter
the
RADIUS
Servers
Port
Enter
the
RADIUS
Servers
Secret
Enter
Country
Code
list
Enable
802.11b
Network
Enable
802.11a
Network
Enable
802.11g
Network
Enable
Auto-RF
Configure
a
NTP
server
now
Enter
the
NTP
servers
IP
address
Enter
a
polling
interval
between
3600
and
604800
Configuration
correct?
If
yes
system
will
save
it
and
reset
YES
YES
10.1.100.21
1812
ISEc0ld
US
YES
YES
YES
YES
YES
10.1.100.40
3600
YES
After
the
vWLC
reboots,
login
with
the
credentials
admin
/
ISEc0ld.
Issue
a
show
interface
summary
to
ensure
the
management
interface
is
up.
The
service-port
is
not
being
used
and
should
not
have
connectivity.
4.4
NOTE:
To
deploy
ASAv
you
will
require
a
vCenter
and
cant
be
done
directly
from
ESXi
host.
We
will
use
vSphere
Desktop
Client.
If
you
prefer
Web
Client
please
refer
to
cisco
docs
here.
But
you
would
need
to
match
the
Networking
Mapping
as
per
the
below.
After
downloading
the
appropriate
OVA,
first
login
to
the
vCenter
and
make
sure
you
select
the
correct
ESXi
Host
(under
the
appropriate
Datacenter/Cluster
if
any)
and
then
deploy
the
ASAv
OVA
by
selecting
your
ESXi
host
and
clicking
File
>
Deploy
OVF
Template
Browse
to
download
location
of
your
ova
and
click
Open.
19
Click
Next
to
confirm
the
source
and
Accept
License
and
click
Next.
Now
accept
ALL
default
settings
and
start
the
deployment,
as
we
will
apply
the
appropriate
configuration
later.
Once
the
ASAv
VM
installation
is
complete
(Dont
Power-On
the
VM
yet).
First
right-click
the
ASAv
and
select
Edit
Settings
and
assign
Network
adapters
to
the
appropriate
Port
Groups:
Network
adapter
1
>
MGMT
Network
adapter
2
>
EGFW-OUTSID
Network
adapter
3
>
CORP
Then
follow
the
steps
below
to
Configure
Network
Serial
Port
and
ASAv
to
be
able
to
Telnet
to
it.
1. Fix
Repeated
characters
Issue.
2. Configure
a
Network
Serial
Console
Port.
(Port
URL:
telnet://:10062)
[Refer:
Appendix
5
]
3. Select
the
ASAv
VM
and
Power-On
(Ctrl+B).
Then
click
the
icon
to
launch
the
VM
console.
4. Once
at
ASAv
cmd
prompt,
create
a
blank
file
called
use_ttyS0
in
the
root
directory
of
disk0.
Easiest
way
is
to
copy
another
file
and
rename.
Here
are
the
commands
to
do
just
that.
ciscoasa(config)#
cd
coredumpinfo
ciscoasa(config)#
copy
coredump.cfg
disk0:/use_ttyS0
5. Reload
the
ASAv.
Enter
reload
cmd.
6. Test
the
telnet
connection
to
the
ASAv
via
Service
Port
we
configured.
[
Refer:
Appendix
6
]
In
the
next
section
you
will
deploy
the
NAD
Configuration.
4.5
Please
refer
to
Appendix
1
-
Bill
of
Materials
for
more
information.
Note:
Download
NAD
Configs
from
here
or
copy-&-paste
from
Appendix
2,
3
and
4.
Partners
can
leverage
the
NFR
program
for
the
most
cost
effective
vWLC
licensing.
It
does
ship
with
an
evaluation
license
by
default,
but
the
best
practice
is
to
purchase
a
full
license.
The
Cisco
SKU
for
the
vWLC
is
L-AIR-CTVM-5-K9
and
it
is
part
of
the
sample
BoM
provided
in
Appendix
1.
Point
the
browser
of
your
admin
machine
to
https://vwlc
or
https://10.1.100.41
and
login
with
the
credentials
admin
/
ISEc0ld.
Use
a
supported
browser
such
as
FireFox
for
the
best
results.
Initially,
there
are
0
Access
Points
Supported.
If
you
have
a
full
license,
navigate
to
Management
>
Software
Activation
>
Commands.
From
the
Action
drop-down,
select
Install
License.
Enter
the
appropriate
path
to
your
license
and
click
Install
License.
Accept
the
EULA
and
restart
the
vWLC.
Go
to
Commands
>
Reboot
and
click
the
Reboot
button.
Adjust
popup
blocker
settings
in
your
browser
as
required
to
show
the
EULA.
21
After
the
vWLC
reloads,
navigate
to
Management
>
Software
Activation
>
Licenses.
Select
the
base-ap-count
link
next
to
the
appropriate
license.
Regardless
of
the
license
type,
select
High
from
the
Priority
drop-down
box
and
click
Set
Priority.
Click
I
Accept
to
accept
the
EULA
and
OK
to
acknowledge
the
requirement
to
reboot
the
controller.
Go
to
Commands
>
Reboot
and
click
the
Reboot
button.
The
controller
will
restart
and
you
should
see
the
correct
number
of
access
points
supported
in
the
Monitor
>
Summary
screen.
vWLC
Configuration
New
APs
with
the
proper
code
level
should
readily
join
the
vWLC.
If
your
AP
does
not,
console
into
it
and
view
the
join
information.
Troubleshoot
DHCP
and
communications
with
the
vWLC
as
required.
Also,
verify
that
the
clock
and
the
AP
and
vWLC
are
in
sync.
If
it
can
communicate
with
the
vWLC
but
cannot
join,
ensure
that
the
code
level
is
7.6.130.0
or
above.
This
is
a
requirement
to
join
the
vWLC
and
the
AP
will
need
to
be
updated
by
a
physical
WLC
if
it
is
not
at
this
level.
To
perform
the
software
update,
you
can
point
the
AP
to
a
local
WLC.
(Note:
This
issue
has
been
resolved
in
ver
8.0
and
we
will
include
8.x
ver
in
our
next
release.)
22
Another
reason
an
AP
may
not
join
the
vWLC
is
if
there
is
an
older
SSC
hash
from
previously
joining
a
controller.
If
this
is
the
case,
issue
the
following
commands
on
the
AP
and
monitor
the
console
to
determine
if
the
AP
is
able
to
join.
AP1111.1111.1111#
test
capwap
erase
AP1111.1111.1111#
test
capwap
restart
From
your
admin
machine,
browse
back
to
the
controller
at
https://vwlc
or
https://10.1.100.41
and
login
with
the
credentials
admin
/
ISEc0ld.
Click
the
WIRELESS
tab
and
ensure
your
AP
is
listed.
Now
that
the
AP
is
registered,
select
the
AP
name
to
change
the
Mode
to
FlexConnect.
The
vWLC
does
not
yet
support
local
mode
APs
so
this
is
a
required
step
for
vWLC
deployments
only.
In
the
AP
Details
screen,
select
FlexConnect
from
the
AP
Mode
drop-down
box
and
click
Apply.
Click
OK
to
confirm
the
warning
that
the
AP
will
reboot.
In
order
to
activate
ASAv
License
it
should
be
configured
to
be
able
to
reach
to
the
Internet.
ASAv
will
also
need
to
periodically
connect
with
Cisco's
SMART
licensing
servers
to
obtain
entitlement.
ASAv
Configuration
Telnet
[see
Appendix
6]
to
ASAv
and
Copy-and-Past
the
config
provided
in
Appendix
4.
Note:
Please
make
any
necessary
changes
to
the
base
config
as
per
your
environment.
ASAv
License
Starting
version
9.3(2),
ASAv
licensing
has
moved
to
Cisco
Smart
Software
Licensing.
You
will
need
an
active
account
to
request
a
token.
If
you
prefer
to
use
a
licensed
ASAv
you
will
need
to
register
for
SMART
Licensing
account.
For
detailed
instruction
download
the
guide
here.
Incase
you
already
have
SMART
Account
and
you
have
already
requested
for
token,
then
follow
the
instructions
below:
Once
enter
the
following
commands:
ASAv(config)#
license
smart
ASAv(config-smart-lic)#
feature
tier
standard
ASAv(config-smart-lic)#
throughput
level
100M
ASAv(config-smart-lic)#
exit
ASAv(config)#
exit
ASAv#
license
smart
register
idtoken
<token-for-internal-asav>
Fore
more
details
go
to
link.
5
Next Steps
At
this
point,
your
ISE
NFR
environment
has
demo
configuration
loaded
on
each
of
the
VMs
and
NADs.
We
recommend
taking
snapshots
of
each
of
your
VMs.
This
will
be
beneficial
if
you
need
to
revert
to
this
state
at
any
time
in
the
future.
Prior
to
taking
snapshots,
it
is
a
best
practice
to
power
down
virtual
machines.
Use
the
native
OS
when
possible
to
ensure
minimum
disruption.
For
ISE,
access
the
CLI
and
issue
app
stop
ise
followed
by
halt
to
cleanly
shut
down
the
appliance.
24
Once
a
VM
is
powered
down,
use
the
vSphere
client
to
take
a
snapshot.
Navigate
to
Home
>
Inventory
>
Inventory
and
select
the
appropriate
VM.
From
the
toolbar,
select
the
Take
Snapshot
button.
In
the
pop-up
window
enter
a
Name
and
Description
and
click
OK.
More
information
about
snapshot
best
practices
is
available
in
VMware
documentation.
We
recommend
updating
software
versions
to
current
releases
as
desired.
Refer
to
individual
product
release
notes
and
upgrade
guides
for
detailed
release
and
configuration
information.
This
completes
the
ISE
NFR
guide.
Please
submit
feedback
to
ise_nfr_partner_bundle@cisco.com
25
a.
APPLE
IPAD
1.
2.
Go
to
Settings
>
Wi-Fi
and
forget
the
WIFI
network
its
connected
to
and
slide
the
virtual
switch
to
disable
Wi-Fi.
3.
Next
on
the
iPad,
go
to
Settings
>
Safari
and
hit
Clear
History
as
well
as
Clear
Cookies
and
Data.
4.
On
the
iPad,
navigate
to
Settings
>
General
>
Profiles.
Remove
any
existing
profiles,
if
present.
Note: You might not see the Profiles menu option, if there are no profiles installed on the iPad.
b.
ISE
SESSION
1.
Navigate
to
Operations
>
Authentications
>
Show
Live
Sessions.
In
the
column
marked
CoA
Action,
click
on
the
pull
down
for
any
active
session
and
choose
Session
termination.
2.
3.
Navigate
to
Administration
>
Identity
Management
>
Identities
>
Endpoints
and
delete
the
Apple
iPad,
26
SCENARIO
1:
DEMONSTRATE
THE
GUEST
ACCESS
FOR
A
WIRELESS
HOTSPOT
DEMO DESCRIPTION
The guest can connect to a Wireless Hotspot and quickly get access to the network. Also, notice that
the customized guest portals are shown to the guest.
NOTICE: iPAD is required for this demonstration and make sure to follow the above steps to clean it before each demo.
Step 1
2.
3.
Check
WLAN
ID
2
##-ISECOLD-hotspot,
select
Enable
Selected
from
the
drop-down
and
hit
Go.
Step 2
The
following
sequence
provides
the
progression
of
onboarding
the
Apple
iPad:
1. Navigate
to
Settings
>
Wi-Fi
and
slide
the
virtual
switch
to
enable
Wi-Fi.
Select
and
connect
to
the
network
##-ISECOLD-hotpot
(##
refers
to
the
POD
No.)
2. Now
launch
the
mobile
Safari
app,
close
any
tabs,
and
access
Google
via
the
bookmarks.
If
receiving
a
warning
Cannot
Verify
Server
Identity,
click
Continue
and
it
will
redirect
to
the
Guest
page.
3. Enter
isecold
as
the
Access
Code
and
Accept
the
AUP
(Acceptable
Use
Policy).
Show
that
the
customized
portal
is
now
shown
to
the
guest
as
below
27
4.
After
accepting
the
AUP,
the
message
is
shown
that
you
have
successfully
connected.
Retry
going
back
to
the
Google
website
or
click
on
the
link
to
go
to
cisco.com
and
if
the
site
loads
successfully,
then
this
Use-case
is
complete.
STOP! Before you proceed to the next demo please clean the iPad and ISE Session [Click Here]
Hotspot complete! You have now completed hotspot use-case. Next lets look into self-registration.
End
of
Exercise:
You
have
successfully
completed
this
exercise.
28
SCENARIO
2:
DEMONSTRATE
THE
GUEST
ACCESS
FOR
A
SELF-REGISTER
PORTAL
DEMO DESCRIPTION
The guest comes to a company and would like to create their own guest account. After registration,
the credentials are shown instantly on the next screen or can be sent via email for the guest to log on
and get Internet access. Though not shown in this demo, after self-registration you can also add
sponsor approval to the flow.
DEMO
ACTIONS
Step 1
2.
3.
Check
WLAN
ID
2
##-ISECOLD-host,
Select
Disable
Selected
from
the
drop-down
and
hit
Go.
4.
Check
WLAN
ID
3
##-ISECOLD-guest,
Select
Enable
Selected
from
the
drop-down
and
hit
Go.
Step 2
The
following
sequence
provides
the
progression
of
onboarding
the
Apple
iPad:
1.
Navigate
to
Settings
>
Wi-Fi
and
slide
the
virtual
switch
to
enable
Wi-Fi.
Select
and
connect
to
the
network
##-ISECOLD-guest
2.
Now
launch
the
mobile
Safari
app,
close
any
tabs,
and
go
to
Google.com.
If
you
receive
any
warning,
click
Continue
and
it
will
redirect
to
the
Guest
page.
3.
Since
this
is
a
self-registered
use
case,
Click
on
Dont
have
an
account
to
create
your
own
account.
4.
Attribute
Value
Username
First
Name
Last
Name
Email
address
Guest
John
Doe
guest@securitydemo.net
NOTE:
Incase
you
want
to
demo
sponsor
approval
you
will
have
to
fill
in
Person
being
Visited
(email)
field.
29
5.
6.
Note
the
Login
Credentials,
and
then
click
the
Sign
On
button.
7.
Enter
Login
Credentials
and
Access
Code
isecold
and
Accept
AUP
and
Click
Sign
On
Note:
Access
Code
adds
an
extra
layer
of
security
and
its
usually
given
offline.
Example:
In
a
classroom,
the
instructor
will
put
it
on
the
whiteboard.
8.
After
Signing
On,
the
message
is
shown
that
you
have
successfully
connected.
Retry
going
back
to
the
Google
website
or
click
on
the
link
to
go
to
cisco.com
9.
30
Warning:
If
you
see
a
message,
Maximum
Devices
Reached,
then
please
follow
the
steps
below
to
clean
up
the
iPad
connection,
this
was
caused
because
the
endpoint
is
already
in
the
store
and
you
didnt
delete
it
after
you
ran
through
the
previous
exercise.
STOP! Before you proceed to the next demo please clean the iPad and ISE Session [Click Here]
You have now completed setup of Self-registration with sponsor approval flow
31
SCENARIO
3:
DEMONSTRATE
THE
GUEST
ACCESS
FROM
A
SPONSORED
ACCOUNT
DEMO DESCRIPTION
The employee would like to provision guest access to a visitor guest who is visiting the hospital. The
employee would like to do that only for a couple of hours. To do so the employee will login to the
network and will go to the guest provisioning service page (ISE Sponsor Portal). Then enter the name
and email address for the guest along with the time of access and the guest server will generate a
password that the guest can use to gain access.
DEMO
ACTIONS
1.
Access
Sponsor
Portal
via
desktop
browser,
go
to
Sponsor.SecurityDemo.net
and
login
as
sponsor
/
ISEc0ld
2.
3.
Before creating a new account please delete the guest account created in previous demo.
4.
Now
go
to
Create
Accounts
tab,
by
default
the
Guest
Type
is
Contractor
for
this
portal.
Change
it
if
you
need
to.
Enter
the
following
information
and
Click
on
Submit.
Attribute
First
Name
Last
Name
Email
address
Duration
(Days)
From
Date
To
Date
Value
John
Doe
guest@securitydemo.net
10
Set
the
Start
Date/Time
Set
the
End
Date/Time
Note
Enter
email
as
it
is.
You
can
set
as
desired
5.
The
Sponsor
Portal
creates
an
account
and
generates
an
account
password
for
the
guest
user.
Click
on
Notify
at
the
bottom
on
the
screen
to
send
the
info
to
the
guest
via
email
(sms
or
print).
6. Check
the
Email
box
and
enter
32
sponsor@securitydemo.net
in
the
Sponsors
email
field
and
click
OK.
7.
Now
the
email
is
sent
to
the
Guest
and
Sponsor.
To
verify
go
to
the
mail.securitydemo.net
and
log
in
using
the
credentials
guest
/
ISEc0ld.
From
the
email
get
the
username/password
to
login
to
WIFI
as
guest.
8.
The
following
sequence
provide
the
progression
of
onboarding
the
Apple
iPad:
1)
Navigate
to
Settings
>
Wi-Fi
and
slide
the
virtual
switch
to
enable
Wi-Fi.
Select
and
connect
to
the
network
##-ISECOLD-guest
(##
refers
to
the
POD
No.)
2)
Now
launch
the
mobile
Safari
app,
close
any
tabs,
and
access
Google.com
and
it
will
redirect
to
the
Guest
page.
3)
Enter user/pass and access code isecold. Then accept AUP and click Sign On
Note: Access Code adds an extra layer of security (given offline). Ex: In a classroom, the instructor will put it on a whiteboard.
33
4)
After
Signing
On,
the
message
is
shown
that
you
have
successfully
connected.
Retry
going
back
to
the
Google
website
or
click
on
the
link
to
go
to
cisco.com
5)
PREVIEW
T HE
M ANAGED
A CCOUNTS
O PTION
1.
2.
The managed account option is a quick easy way to see all the accounts and perform sponsor actions. The admin
account is auto-authenticated and not part of any sponsor group. It has permissions to do everything and see
everything, accept if the guest changes their password they wont be able to see it (just like any other sponsor). If
the sponsor portal session terminates for any reason, the admin will have to go back to the admin UI to get back in
or login with a valid sponsor account. Their admin credentials will not get them back in unless it is part of a sponsor
group. This was just a preview and we will be using the sponsor portal to do our work.
STOP! Before you proceed to the next demo please clean the iPad and ISE Session [Click Here]
End
of
Exercise:
You
have
successfully
completed
this
exercise.
34
SCENARIO
4:
DEMONSTRATE
ONBOARDING
OF
A
NON-CORPORATE
APPLE
IPAD
DEMO DESCRIPTION
In this demo you will get the experience of onboarding an Apple iPad onto the network in a BYOD use
case. From the iPad you will connect over the wireless network to the single SSID (corp). You will use
your AD (NetSvc) credentials to let Cisco ISE know that the iPad is a personal device that belongs to
you the employee. When you connect to the network you will verify profile installation for the native
supplicant on the iPad. Using Cisco ISE live logs you will monitor the onboarding process and verify
successful completion via the My Devices Portal.
DEMO
ACTIONS
Step 1
2.
3.
Check WLAN ID 3 ##-ISECOLD-guest, Select Disable Selected from the drop-down and hit Go.
4.
Check
WLAN
ID
1
##-ISECOLD-corp,
Select
Enable
Selected
from
the
drop-down
and
hit
Go.
Step 2
Policy -> Policy Elements -> Results -> Client Provisioning -> Resources.
35
Step 3
The
following
sequence
provides
the
progression
of
onboarding
the
Apple
iPad:
1.
Navigate
to
Settings
>
Wi-Fi
and
slide
the
virtual
switch
to
enable
Wi-Fi.
Select
and
connect
to
the
network
##-ISECOLD-corp
(##
refers
to
the
POD
number
if
any.)
2.
Enter the login (Internal AD) credentials, user: employee pass: ISEc0ld and click Join
3.
4.
Next click on the blue arrow of the connected network and verify the IP address assigned
5.
Now
launch
the
mobile
Safari
app,
close
any
tabs,
and
access
Google.com
and
it
will
redirect
to
the
ISE
1.3
BYOD
Welcome
Screen,
which
guides
the
end-user
over
a
series
of
steps
to
on-
board
the
device
and
also
keeps
tracks
of
these
steps
with
proper
numbering.
6.
36
7.
Peronal_iPAD
This
is
my
Personal
iPAD
8.
Click
Continue
to
proceed
and
when
it
prompts
the
user
to
launch
Apple
Profile
and
Certificate
Installers
Now,
click
the
button
to
proceed
9.
When
prompted
to
install
the
Root
CA
certificate
that
signed
the
SSL
server
certificate
of
ISE,
click
Install.
Again
click
Install
to
accept
any
Warnings
to
complete
this
installation.
The
process
switches
back
to
the
self-provisioning
page
in
Safari,
and
the
ISE
Profile
Service
pops
up
and
prompts
Install
Now.
10. Click
Install
Now
to
start
the
Apple
Over-The-Air
(OTA)
enrollment
process.
This
will
automatically
generate
the
key,
enroll
the
identity
certificate,
and
save
the
resulting
signed
Wi-Fi
profile
to
the
iPad.
Youll see the following message on the browser showing that you are now connected.
37
11. Now
entering
portal.securitydemo.net
in
the
mobile
Safari
app
should
take
you
to
the
internal
website
to
show
you
have
the
correct
access.
Note:
If
you
still
cant
redirect
to
portal.securitydemo.net
then
check
if
SSID
was
updated
in
Native
Supplicant
Profile
in
Policy
12. Verifying
Settings
>
General
>
Profiles
shows
two
profiles
are
installed
13. Check
the
live
logs
on
ISE
admin
web
console
to
verify
that
the
correct
authorization
profiles
were
applied.
The
sequence
will
look
similar
to
the
following.
14. Go
to
the
https://mydevices.securitydemo.net
and
inspect
the
endpoint
registration
states.
Login
as
employee/ISEc0ld.
15. Once
the
newly
installed
Wi-Fi
profile
authenticates
the
device
to
the
network,
this
state
will
move
to
Registered.
38
16. On
ISE,
navigate
to
Administration
>
System
>
Certificates:
17. Navigate
to
Certificate
Management
>
Endpoint
Certificates,
look
at
the
certs
issued.
You
can
view
and
revoke
any
certs
from
here.
39
Catalyst
Switch
WS-C3560CG-8PC-S
CAB-AC-RA
RCKMNT-19-CMPCT=
Description
Catalyst
3560C
Switch
8
GE
PoE(+),
2
x
Dual
Uplink,
IP
Base
Power
Cord,110V,
Right
Angle
19in
RackMount
for
Catalyst
3560
Compact
Switch
CON-SNT-WSC3560C
ASAv
1
102
Quantity
List
Price
LASAV5SK9=
Virtual
WLC
L-AIR-CTVM-5-K9
CON-SAU-CTVM5K9
1
3-4K
Quantity
List
Price
1
750
1
150
Access
Point
AIR-CAP2602I-A-K9
Description
802.11n
CAP
w/CleanAir;
3x4:3SS;
Mod;
Int
Ant;
A
Reg
Domain
CON-SNT-AIRCAPN2
UCS
Server
UCSC-C22-M3S
UCS-CPU-E5-2440
UCS-MR-1X162RY-A
A03-D300GA2
UCSC-RAID-9240-8I
R2XX-RAID5
UCSC-PCIE-IRJ45
UCSC-PSU-450W
CAB-9K12A-NA
UCSC-RAIL1
CON-SNT-C22M3S
Third
Party
Products
Power
Strip
Rack
Screws
Cable
Ties
VMware
License
Microsoft
Subscription
Description
UCS
C22
M3
SFF
w/
rail
kit,
w/o
PSU,
CPU,
mem,
HDD,
PCIe
2.40
GHz
E5-2440/95W
6C/15MB
Cache/DDR3
1333MHz
16GB
DDR3-1600-MHz
RDIMM/PC3-12800/dual
rank/1.35v
300GB
6Gb
SAS
10K
RPM
SFF
HDD/drive
sled
mounted
MegaRAID
9240-8i,
RAID
0/1/10/5/50
for
C22/C24
Enable
RAID
5
Setting
Intel
i350
Quad
Port
1Gb
Adapter
450W
power
supply
for
C-series
rack
servers
Power
Cord,
125VAC
13A
NEMA
5-15
Plug,
North
America
Rail
Kit
for
C220,
C22,
C24
rack
servers
SMARTNET
8X5XNBD
UCS
C22
M3
Server
-
SFF
Description
Tripp
Lite
Waber
Power
Strip
15ft
Premium
Screws
with
washers
4",
8",
and
14"
ties
to
secure
equipment
vSphere
Essentials
Kit
MSDN
or
TechNet
options
available
40
44
800
!GLOBAL
SETTINGS
hostname
3560CG
!
boot-start-marker
boot-end-marker
!
enable
secret
5
$1$5EQI$44ry3iROTTWKRp3IXeYeR1
!
username
admin
privilege
15
password
0
ISEc0ld
username
radius-test
password
0
ISEc0ld
aaa
new-model
!
!
aaa
authentication
login
default
local
aaa
authentication
enable
default
enable
aaa
authentication
dot1x
default
group
radius
aaa
authorization
exec
default
local
aaa
authorization
network
default
group
radius
aaa
accounting
update
newinfo
aaa
accounting
dot1x
default
start-stop
group
radius
!
!
!
!
!
aaa
server
radius
dynamic-author
client
10.1.100.21
server-key
ISEc0ld
!
aaa
session-id
common
system
mtu
routing
1500
ip
routing
!
!
ip
dhcp
snooping
vlan
10,20,50,100
ip
dhcp
snooping
no
ip
cef
optimize
neighbor
resolution
no
ip
domain-lookup
ip
domain-name
securitydemo.net
ip
device
tracking
vtp
domain
securitydemo
vtp
mode
transparent
!
epm
logging
!
crypto
pki
trustpoint
TP-self-signed-504244352
enrollment
selfsigned
subject-name
cn=IOS-Self-Signed-Certificate-504244352
revocation-check
none
rsakeypair
TP-self-signed-504244352
!
!
crypto
pki
certificate
chain
TP-self-signed-504244352
certificate
self-signed
01
30820229
30820192
A0030201
02020101
300D0609
2A864886
F70D0101
05050030
30312E30
2C060355
04031325
494F532D
53656C66
2D536967
6E65642D
43657274
69666963
6174652D
35303432
34343335
32301E17
0D313130
33333030
31323935
375A170D
32303031
30313030
30303030
5A303031
2E302C06
03550403
1325494F
532D5365
6C662D53
69676E65
642D4365
72746966
69636174
652D3530
34323434
33353230
819F300D
06092A86
4886F70D
01010105
0003818D
00308189
02818100
9A17456B
9AD3E7E6
BC02A23F
85FE0656
3D2ACB24
8CF41470
A0088D9D
0EB01EC2
41
5F8F4D48
B3CBE769
238D193F
D0EC4135
7A51FBF8
7514BB46
6C6F579D
557408F2
BFB83849
BE376D00
9C913754
A0A610CD
4FE4667B
26A3698E
58E6CAFB
4A8DF840
8E226F59
50F3A8A9
E27B379A
0B082222
45BCE7D3
2F1B5C8E
7009A859
E8E425F1
02030100
01A35330
51300F06
03551D13
0101FF04
05300301
01FF301F
0603551D
23041830
168014E5
A509B44F
68B8025A
4BB2BE02
338A4A18
810D6A30
1D060355
1D0E0416
0414E5A5
09B44F68
B8025A4B
B2BE0233
8A4A1881
0D6A300D
06092A86
4886F70D
01010505
00038181
002901F3
F4E12038
D9E86F9E
662269CE
DF0A335D
EB586188
AC84257B
CB9B09CE
16D2CA73
543FDAF5
BC6BE244
87EB67AE
C204200E
8C988856
347B907D
1778371D
2524FA7B
192EC573
5EBCB585
149459B9
721A8450
231D3B33
B1C65ADF
3CCC66BA
C8E8F5D4
A08382D9
A13BD755
EC9C35F2
20281305
501861F0
B31E4A60
A9D811FE
8A
quit
dot1x
system-auth-control
spanning-tree
mode
pvst
spanning-tree
extend
system-id
!
!
!
!
!
!
!
!
!
vlan
internal
allocation
policy
ascending
!
vlan
10
name
ACCESS
!
vlan
20
name
SGFW
!
vlan
50
name
GUEST
!
vlan
70
name
CORP
!
vlan
100
name
MGMT
!
!
ip
ssh
version
2
lldp
run
!
!
!
!
!
!
!
!
!
!
interface
GigabitEthernet0/1
description
UCS-vmnic1
switchport
access
vlan
10
switchport
mode
access
shutdown
authentication
event
fail
action
next-method
authentication
event
server
dead
action
reinitialize
vlan
50
authentication
host-mode
multi-auth
authentication
open
authentication
order
dot1x
mab
authentication
priority
dot1x
mab
authentication
port-control
auto
42
authentication
periodic
authentication
timer
reauthenticate
server
authentication
timer
inactivity
server
authentication
violation
restrict
mab
dot1x
pae
authenticator
dot1x
timeout
tx-period
10
spanning-tree
portfast
!
interface
GigabitEthernet0/2
description
AP
switchport
access
vlan
100
switchport
mode
access
!
interface
GigabitEthernet0/3
description
UCS-M
switchport
access
vlan
100
switchport
mode
access
!
interface
GigabitEthernet0/4
!
interface
GigabitEthernet0/5
!
interface
GigabitEthernet0/6
!
interface
GigabitEthernet0/7
!
interface
GigabitEthernet0/8
!
interface
GigabitEthernet0/9
!
interface
GigabitEthernet0/10
description
UCS-vmnic0
switchport
trunk
encapsulation
dot1q
switchport
mode
trunk
ip
dhcp
snooping
trust
!
interface
Vlan1
no
ip
address
shutdown
!
interface
Vlan10
ip
address
10.1.10.1
255.255.255.0
ip
helper-address
10.1.100.40
!
interface
Vlan50
ip
address
10.1.50.1
255.255.255.0
ip
helper-address
10.1.100.40
!
interface
Vlan70
ip
address
10.1.70.2
255.255.255.0
!
interface
Vlan100
ip
address
10.1.100.1
255.255.255.0
!
ip
http
server
ip
http
secure-server
ip
http
active-session-modules
none
!
ip
route
0.0.0.0
0.0.0.0
10.1.70.1
ip
route
172.17.0.0
255.255.0.0
192.168.100.2
!
ip
access-list
standard
SNMP-RO
permit
10.1.100.21
deny
any
!
43
ip
access-list
extended
ISE-URL-REDIRECT
deny
tcp
any
host
10.1.100.221
eq
www
permit
tcp
any
any
eq
www
ip
access-list
extended
vtyAccess
permit
tcp
10.1.100.0
0.0.0.255
any
eq
22
!
ip
radius
source-interface
Vlan100
ip
sla
enable
reaction-alerts
logging
trap
debugging
logging
origin-id
ip
logging
source-interface
Vlan100
logging
host
10.1.100.21
transport
udp
port
20514
!
!
radius-server
attribute
6
on-for-login-auth
radius-server
attribute
8
include-in-access-req
radius-server
attribute
25
access-request
include
radius-server
attribute
31
mac
format
ietf
upper-case
radius-server
attribute
31
send
nas-port-detail
radius-server
dead-criteria
time
5
tries
3
radius-server
vsa
send
accounting
radius-server
vsa
send
authentication
!
radius
server
ise
address
ipv4
10.1.100.21
auth-port
1812
acct-port
1813
automate-tester
username
radius-test
ignore-acct-port
idle-time
5
key
ISEc0ld
!
!
!
line
con
0
exec-timeout
0
0
logging
synchronous
line
vty
0
4
access-class
vtyAccess
in
exec-timeout
0
0
privilege
level
15
logging
synchronous
transport
preferred
none
transport
input
ssh
line
vty
5
15
access-class
vtyAccess
in
exec-timeout
0
0
privilege
level
15
logging
synchronous
transport
preferred
none
transport
input
ssh
!
ntp
server
10.1.100.40
end
44
config
acl
rule
source
port
range
ISE-URL-REDIRECT
2
0
65535
config
acl
rule
source
address
ISE-URL-REDIRECT
2
10.1.100.40
255.255.255.255
config
acl
rule
direction
ISE-URL-REDIRECT
2
out
config
acl
rule
action
ISE-URL-REDIRECT
2
permit
config
acl
rule
destination
port
range
ISE-URL-REDIRECT
2
53
53
config
acl
rule
protocol
ISE-URL-REDIRECT
2
17
config
acl
rule
add
ISE-URL-REDIRECT
3
config
acl
rule
source
port
range
ISE-URL-REDIRECT
3
0
65535
config
acl
rule
direction
ISE-URL-REDIRECT
3
in
config
acl
rule
action
ISE-URL-REDIRECT
3
permit
config
acl
rule
destination
port
range
ISE-URL-REDIRECT
3
8443
8443
config
acl
rule
destination
address
ISE-URL-REDIRECT
3
10.1.100.21
255.255.255.255
config
acl
rule
protocol
ISE-URL-REDIRECT
3
6
config
acl
rule
add
ISE-URL-REDIRECT
4
config
acl
rule
source
port
range
ISE-URL-REDIRECT
4
8443
8443
config
acl
rule
source
address
ISE-URL-REDIRECT
4
10.1.100.21
255.255.255.255
config
acl
rule
direction
ISE-URL-REDIRECT
4
out
config
acl
rule
action
ISE-URL-REDIRECT
4
permit
config
acl
rule
destination
port
range
ISE-URL-REDIRECT
4
0
65535
config
acl
rule
protocol
ISE-URL-REDIRECT
4
6
config
acl
rule
add
ISE-URL-REDIRECT
5
config
acl
rule
source
port
range
ISE-URL-REDIRECT
5
0
65535
config
acl
rule
direction
ISE-URL-REDIRECT
5
in
config
acl
rule
action
ISE-URL-REDIRECT
5
permit
config
acl
rule
destination
port
range
ISE-URL-REDIRECT
5
8905
8905
config
acl
rule
destination
address
ISE-URL-REDIRECT
5
10.1.100.21
255.255.255.255
config
acl
rule
protocol
ISE-URL-REDIRECT
5
6
config
acl
rule
add
ISE-URL-REDIRECT
6
config
acl
rule
source
port
range
ISE-URL-REDIRECT
6
8905
8905
config
acl
rule
source
address
ISE-URL-REDIRECT
6
10.1.100.21
255.255.255.255
config
acl
rule
direction
ISE-URL-REDIRECT
6
out
config
acl
rule
action
ISE-URL-REDIRECT
6
permit
config
acl
rule
destination
port
range
ISE-URL-REDIRECT
6
0
65535
config
acl
rule
protocol
ISE-URL-REDIRECT
6
6
config
acl
rule
add
ISE-URL-REDIRECT
7
config
acl
rule
source
port
range
ISE-URL-REDIRECT
7
0
65535
config
acl
rule
direction
ISE-URL-REDIRECT
7
in
config
acl
rule
action
ISE-URL-REDIRECT
7
permit
config
acl
rule
destination
port
range
ISE-URL-REDIRECT
7
8905
8905
config
acl
rule
destination
address
ISE-URL-REDIRECT
7
10.1.100.21
255.255.255.255
config
acl
rule
protocol
ISE-URL-REDIRECT
7
17
config
acl
rule
add
ISE-URL-REDIRECT
8
config
acl
rule
source
port
range
ISE-URL-REDIRECT
8
8905
8905
config
acl
rule
source
address
ISE-URL-REDIRECT
8
10.1.100.21
255.255.255.255
config
acl
rule
direction
ISE-URL-REDIRECT
8
out
config
acl
rule
action
ISE-URL-REDIRECT
8
permit
config
acl
rule
destination
port
range
ISE-URL-REDIRECT
8
0
65535
config
acl
rule
protocol
ISE-URL-REDIRECT
8
17
config
acl
rule
add
ISE-URL-REDIRECT
9
config
acl
rule
source
port
range
ISE-URL-REDIRECT
9
0
65535
config
acl
rule
direction
ISE-URL-REDIRECT
9
in
config
acl
rule
action
ISE-URL-REDIRECT
9
permit
config
acl
rule
destination
port
range
ISE-URL-REDIRECT
9
80
80
config
acl
rule
destination
address
ISE-URL-REDIRECT
9
10.1.100.221
255.255.255.255
config
acl
rule
protocol
ISE-URL-REDIRECT
9
6
config
acl
rule
add
ISE-URL-REDIRECT
10
config
acl
rule
source
port
range
ISE-URL-REDIRECT
10
80
80
config
acl
rule
source
address
ISE-URL-REDIRECT
10
10.1.100.221
255.255.255.255
45
config
acl
rule
direction
ISE-URL-REDIRECT
10
out
config
acl
rule
action
ISE-URL-REDIRECT
10
permit
config
acl
rule
destination
port
range
ISE-URL-REDIRECT
10
0
65535
config
acl
rule
protocol
ISE-URL-REDIRECT
10
6
config
acl
rule
add
ISE-URL-REDIRECT
11
config
acl
rule
source
port
range
ISE-URL-REDIRECT
11
0
65535
config
acl
rule
action
ISE-URL-REDIRECT
11
permit
config
acl
rule
destination
port
range
ISE-URL-REDIRECT
11
0
65535
config
acl
rule
protocol
ISE-URL-REDIRECT
11
1
config
acl
rule
add
ISE-URL-REDIRECT
65
config
acl
rule
source
port
range
ISE-URL-REDIRECT
65
0
65535
config
acl
rule
destination
port
range
ISE-URL-REDIRECT
65
0
65535
config
acl
rule
add
MACHINE_ACL
1
config
acl
rule
source
port
range
MACHINE_ACL
1
0
65535
config
acl
rule
destination
port
range
MACHINE_ACL
1
0
65535
config
acl
rule
destination
address
MACHINE_ACL
1
10.1.100.2
255.255.255.255
config
acl
rule
add
MACHINE_ACL
2
config
acl
rule
source
port
range
MACHINE_ACL
2
0
65535
config
acl
rule
destination
port
range
MACHINE_ACL
2
0
65535
config
acl
rule
destination
address
MACHINE_ACL
2
10.1.100.224
255.255.255.254
config
acl
rule
add
MACHINE_ACL
3
config
acl
rule
source
port
range
MACHINE_ACL
3
0
65535
config
acl
rule
action
MACHINE_ACL
3
permit
config
acl
rule
destination
port
range
MACHINE_ACL
3
0
65535
config
acl
rule
add
MACHINE_ACL
65
config
acl
rule
source
port
range
MACHINE_ACL
65
0
65535
config
acl
rule
destination
port
range
MACHINE_ACL
65
0
65535
config
acl
rule
add
EMPLOYEE_ACL
1
config
acl
rule
source
port
range
EMPLOYEE_ACL
1
0
65535
config
acl
rule
destination
port
range
EMPLOYEE_ACL
1
0
65535
config
acl
rule
destination
address
EMPLOYEE_ACL
1
10.1.100.2
255.255.255.255
config
acl
rule
add
EMPLOYEE_ACL
2
config
acl
rule
source
port
range
EMPLOYEE_ACL
2
0
65535
config
acl
rule
destination
port
range
EMPLOYEE_ACL
2
0
65535
config
acl
rule
destination
address
EMPLOYEE_ACL
2
10.1.100.224
255.255.255.254
config
acl
rule
add
EMPLOYEE_ACL
3
config
acl
rule
source
port
range
EMPLOYEE_ACL
3
0
65535
config
acl
rule
action
EMPLOYEE_ACL
3
permit
config
acl
rule
destination
port
range
EMPLOYEE_ACL
3
0
65535
config
acl
rule
add
EMPLOYEE_ACL
65
config
acl
rule
source
port
range
EMPLOYEE_ACL
65
0
65535
config
acl
rule
destination
port
range
EMPLOYEE_ACL
65
0
65535
config
acl
rule
add
ITADMIN_ACL
1
config
acl
rule
source
port
range
ITADMIN_ACL
1
0
65535
config
acl
rule
action
ITADMIN_ACL
1
permit
config
acl
rule
destination
port
range
ITADMIN_ACL
1
0
65535
config
acl
rule
add
ITADMIN_ACL
65
config
acl
rule
source
port
range
ITADMIN_ACL
65
0
65535
config
acl
rule
destination
port
range
ITADMIN_ACL
65
0
65535
config
acl
rule
add
CONTRACTOR_ACL
1
config
acl
rule
source
port
range
CONTRACTOR_ACL
1
0
65535
config
acl
rule
destination
port
range
CONTRACTOR_ACL
1
0
65535
config
acl
rule
destination
address
CONTRACTOR_ACL
1
10.1.100.2
255.255.255.255
config
acl
rule
add
CONTRACTOR_ACL
2
config
acl
rule
source
port
range
CONTRACTOR_ACL
2
0
65535
config
acl
rule
destination
port
range
CONTRACTOR_ACL
2
0
65535
config
acl
rule
destination
address
CONTRACTOR_ACL
2
10.1.100.224
255.255.255.254
config
acl
rule
protocol
CONTRACTOR_ACL
2
6
46
config
acl
rule
add
CONTRACTOR_ACL
3
config
acl
rule
source
port
range
CONTRACTOR_ACL
3
0
65535
config
acl
rule
action
CONTRACTOR_ACL
3
permit
config
acl
rule
destination
port
range
CONTRACTOR_ACL
3
0
65535
config
acl
rule
add
CONTRACTOR_ACL
65
config
acl
rule
source
port
range
CONTRACTOR_ACL
65
0
65535
config
acl
rule
destination
port
range
CONTRACTOR_ACL
65
0
65535
config
acl
rule
add
GUEST_ACL
1
config
acl
rule
source
port
range
GUEST_ACL
1
0
65535
config
acl
rule
direction
GUEST_ACL
1
in
config
acl
rule
action
GUEST_ACL
1
permit
config
acl
rule
destination
port
range
GUEST_ACL
1
53
53
config
acl
rule
protocol
GUEST_ACL
1
17
config
acl
rule
add
GUEST_ACL
2
config
acl
rule
source
port
range
GUEST_ACL
2
0
65535
config
acl
rule
direction
GUEST_ACL
2
in
config
acl
rule
action
GUEST_ACL
2
permit
config
acl
rule
destination
port
range
GUEST_ACL
2
8443
8443
config
acl
rule
destination
address
GUEST_ACL
2
10.1.100.16
255.255.255.240
config
acl
rule
protocol
GUEST_ACL
2
6
config
acl
rule
add
GUEST_ACL
3
config
acl
rule
source
port
range
GUEST_ACL
3
0
65535
config
acl
rule
direction
GUEST_ACL
3
in
config
acl
rule
action
GUEST_ACL
3
permit
config
acl
rule
destination
port
range
GUEST_ACL
3
80
80
config
acl
rule
destination
address
GUEST_ACL
3
10.1.100.222
255.255.255.255
config
acl
rule
protocol
GUEST_ACL
3
6
config
acl
rule
add
GUEST_ACL
4
config
acl
rule
source
port
range
GUEST_ACL
4
0
65535
config
acl
rule
direction
GUEST_ACL
4
in
config
acl
rule
destination
port
range
GUEST_ACL
4
0
65535
config
acl
rule
destination
address
GUEST_ACL
4
10.0.0.0
255.0.0.0
config
acl
rule
add
GUEST_ACL
5
config
acl
rule
source
port
range
GUEST_ACL
5
0
65535
config
acl
rule
direction
GUEST_ACL
5
in
config
acl
rule
destination
port
range
GUEST_ACL
5
0
65535
config
acl
rule
destination
address
GUEST_ACL
5
172.16.0.0
255.240.0.0
config
acl
rule
add
GUEST_ACL
6
config
acl
rule
source
port
range
GUEST_ACL
6
0
65535
config
acl
rule
direction
GUEST_ACL
6
in
config
acl
rule
destination
port
range
GUEST_ACL
6
0
65535
config
acl
rule
destination
address
GUEST_ACL
6
192.168.0.0
255.255.0.0
config
acl
rule
add
GUEST_ACL
7
config
acl
rule
source
port
range
GUEST_ACL
7
0
65535
config
acl
rule
action
GUEST_ACL
7
permit
config
acl
rule
destination
port
range
GUEST_ACL
7
0
65535
config
acl
rule
add
GUEST_ACL
65
config
acl
rule
source
port
range
GUEST_ACL
65
0
65535
config
acl
rule
destination
port
range
GUEST_ACL
65
0
65535
config
acl
rule
add
USER_ACL
1
config
acl
rule
source
port
range
USER_ACL
1
0
65535
config
acl
rule
destination
port
range
USER_ACL
1
0
65535
config
acl
rule
destination
address
USER_ACL
1
10.1.100.2
255.255.255.255
config
acl
rule
add
USER_ACL
2
config
acl
rule
source
port
range
USER_ACL
2
0
65535
config
acl
rule
destination
port
range
USER_ACL
2
0
65535
config
acl
rule
destination
address
USER_ACL
2
10.1.100.224
255.255.255.254
config
acl
rule
add
USER_ACL
3
47
config
acl
rule
source
port
range
USER_ACL
3
0
65535
config
acl
rule
action
USER_ACL
3
permit
config
acl
rule
destination
port
range
USER_ACL
3
0
65535
config
acl
rule
add
USER_ACL
65
config
acl
rule
source
port
range
USER_ACL
65
0
65535
config
acl
rule
destination
port
range
USER_ACL
65
0
65535
config
acl
rule
add
BLACKHOLE
1
config
acl
rule
source
port
range
BLACKHOLE
1
0
65535
config
acl
rule
direction
BLACKHOLE
1
out
config
acl
rule
action
BLACKHOLE
1
permit
config
acl
rule
destination
port
range
BLACKHOLE
1
0
65535
config
acl
rule
add
BLACKHOLE
2
config
acl
rule
source
port
range
BLACKHOLE
2
0
65535
config
acl
rule
direction
BLACKHOLE
2
in
config
acl
rule
action
BLACKHOLE
2
permit
config
acl
rule
destination
port
range
BLACKHOLE
2
53
53
config
acl
rule
protocol
BLACKHOLE
2
17
config
acl
rule
add
BLACKHOLE
3
config
acl
rule
source
port
range
BLACKHOLE
3
0
65535
config
acl
rule
direction
BLACKHOLE
3
in
config
acl
rule
action
BLACKHOLE
3
permit
config
acl
rule
destination
port
range
BLACKHOLE
3
8444
8444
config
acl
rule
destination
address
BLACKHOLE
3
10.1.100.21
255.255.255.255
config
acl
rule
protocol
BLACKHOLE
3
6
config
acl
rule
add
BLACKHOLE
4
config
acl
rule
source
port
range
BLACKHOLE
4
0
65535
config
acl
rule
destination
port
range
BLACKHOLE
4
0
65535
config
acl
rule
add
BLACKHOLE
65
config
acl
rule
source
port
range
BLACKHOLE
65
0
65535
config
acl
rule
destination
port
range
BLACKHOLE
65
0
65535
config
acl
create
ISE-URL-REDIRECT
config
acl
apply
ISE-URL-REDIRECT
config
acl
create
MACHINE_ACL
config
acl
apply
MACHINE_ACL
config
acl
create
EMPLOYEE_ACL
config
acl
apply
EMPLOYEE_ACL
config
acl
create
ITADMIN_ACL
config
acl
apply
ITADMIN_ACL
config
acl
create
CONTRACTOR_ACL
config
acl
apply
CONTRACTOR_ACL
config
acl
create
GUEST_ACL
config
acl
apply
GUEST_ACL
config
acl
create
USER_ACL
config
acl
apply
USER_ACL
config
acl
create
BLACKHOLE
config
acl
apply
BLACKHOLE
config
location
expiry
tags
5
config
dhcp
proxy
disable
bootp-broadcast
disable
config
serial
timeout
0
config
remote-lan
session-timeout
5
0
config
remote-lan
mac-filtering
disable
5
config
remote-lan
create
5
EtherTunnel
EtherTunnel
config
remote-lan
exclusionlist
5
60
config
remote-lan
interface
5
access
config
remote-lan
security
web-auth
server-precedence
5
local
radius
ldap
config
sysname
vWLC
config
802.11a
cac
voice
sip
bandwidth
64
sample-interval
20
config
802.11a
cac
voice
sip
codec
g711
sample-interval
20
48
config
802.11a
cleanair
alarm
device
enable
802.11-nonstd
config
802.11a
cleanair
alarm
device
enable
802.11-inv
config
802.11a
cleanair
alarm
device
enable
jammer
config
snmp
version
v3
disable
config
snmp
community
delete
public
config
snmp
community
delete
private
config
snmp
community
ipaddr
10.1.100.0
255.255.255.0
ISEc0ld
config
snmp
community
mode
enable
ISEc0ld
config
snmp
community
create
ISEc0ld
config
advanced
probe
limit
2
500
config
advanced
802.11a
channel
add
36
config
advanced
802.11a
channel
add
40
config
advanced
802.11a
channel
add
44
config
advanced
802.11a
channel
add
48
config
advanced
802.11a
channel
add
52
config
advanced
802.11a
channel
add
56
config
advanced
802.11a
channel
add
60
config
advanced
802.11a
channel
add
64
config
advanced
802.11a
channel
add
149
config
advanced
802.11a
channel
add
153
config
advanced
802.11a
channel
add
157
config
advanced
802.11a
channel
add
161
config
advanced
probe-limit
2
500
config
advanced
802.11b
channel
add
1
config
advanced
802.11b
channel
add
6
config
advanced
802.11b
channel
add
11
config
country
US
config
interface
port
management
1
config
interface
nat-address
management
set
172.23.112.165
config
interface
nat-address
management
enable
config
interface
address
management
10.1.100.41
255.255.255.0
10.1.100.1
config
interface
dhcp
management
primary
10.1.100.40
config
interface
vlan
management
100
config
interface
address
service-port
10.1.20.41
255.255.255.0
config
interface
dhcp
service-port
disable
config
interface
address
virtual
1.1.1.1
config
interface
port
access
1
config
interface
address
dynamic-interface
access
10.1.10.41
255.255.255.0
10.1.10.1
config
interface
create
access
10
config
interface
dhcp
dynamic-interface
access
primary
10.1.100.40
config
interface
vlan
access
10
config
interface
port
guest
1
config
interface
address
dynamic-interface
guest
10.1.50.41
255.255.255.0
10.1.50.1
config
interface
create
guest
50
config
interface
dhcp
dynamic-interface
guest
primary
10.1.100.40
config
interface
vlan
guest
50
config
sessions
timeout
120
config
time
ntp
interval
3600
config
time
ntp
server
1
10.1.100.40
config
wlan
session-timeout
1
7200
config
wlan
exclusionlist
1
60
config
wlan
broadcast-ssid
enable
1
config
wlan
session-timeout
2
1800
config
wlan
mac-filtering
enable
2
config
wlan
exclusionlist
2
60
config
wlan
broadcast-ssid
enable
2
config
wlan
session-timeout
3
7200
config
wlan
mac-filtering
enable
3
49
config
wlan
exclusionlist
3
60
config
wlan
broadcast-ssid
enable
3
config
wlan
nac
radius
enable
1
config
wlan
interface
1
access
config
wlan
nac
radius
enable
2
config
wlan
interface
2
guest
config
wlan
nac
radius
enable
3
config
wlan
interface
3
guest
config
wlan
mfp
client
enable
1
config
wlan
create
1
01-ISECOLD-corp
01-ISECOLD-corp
config
wlan
nasid
vWLC
1
config
wlan
usertimeout
7200
1
config
wlan
wmm
allow
1
config
wlan
mfp
client
enable
2
config
wlan
create
2
01-ISECOLD-hotspot
01-ISECOLD-hotspot
config
wlan
nasid
vWLC
2
config
wlan
usertimeout
7200
2
config
wlan
wmm
allow
2
config
wlan
mfp
client
enable
3
config
wlan
create
3
01-ISECOLD-guest
01-ISECOLD-guest
config
wlan
nasid
vWLC
3
config
wlan
usertimeout
7200
3
config
wlan
wmm
allow
3
config
wlan
security
wpa
enable
1
config
wlan
security
web-auth
server-precedence
1
radius
config
wlan
dhcp_server
1
0.0.0.0
required
config
wlan
aaa-override
enable
1
config
wlan
security
wpa
akm
802.1x
disable
2
config
wlan
security
wpa
wpa2
ciphers
aes
disable
2
config
wlan
security
wpa
wpa2
disable
2
config
wlan
security
wpa
disable
2
config
wlan
security
web-auth
server-precedence
2
radius
config
wlan
dhcp_server
2
0.0.0.0
required
config
wlan
aaa-override
enable
2
config
wlan
sip-cac
send-486busy
disable
3
config
wlan
security
wpa
akm
802.1x
disable
3
config
wlan
security
wpa
wpa2
ciphers
aes
disable
3
config
wlan
security
wpa
wpa2
disable
3
config
wlan
security
wpa
disable
3
config
wlan
security
web-auth
server-precedence
3
radius
config
wlan
dhcp_server
3
0.0.0.0
required
config
wlan
aaa-override
enable
3
config
wlan
security
pmf
optional
5
config
wlan
profiling
radius
http
enable
1
config
wlan
profiling
radius
dhcp
enable
1
config
wlan
profiling
radius
http
enable
2
config
wlan
profiling
radius
dhcp
enable
2
config
wlan
profiling
radius
http
enable
3
config
wlan
profiling
radius
dhcp
enable
3
config
wlan
radius_server
auth
add
1
1
config
wlan
radius_server
auth
add
2
1
config
wlan
radius_server
auth
add
3
1
config
wlan
radius_server
acct
add
1
1
config
wlan
radius_server
acct
add
2
1
config
wlan
radius_server
acct
add
3
1
config
mobility
group
domain
01-vWLC
config
certificate
ssc
hash
validation
disable
config
certificate
generate
webauth
50
config
certificate
generate
webadmin
config
radius
auth
add
encrypt
1
10.1.100.21
1812
password
1
c26450af0b2197075df16a0043324a93
3b28ea9a08c13a56eb6ccb93220588f688c90940
16
74aa38326317080f1aea84257bb2ed4d00000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000
config
radius
auth
retransmit-timeout
1
30
config
radius
auth
rfc3576
enable
1
config
radius
auth
enable
1
config
radius
acct
add
encrypt
1
10.1.100.21
1813
password
1
cd643253085f2578b191048d4ec8178a
90cf261df5cfd6375df95e030a845266f41d31bc
16
88bb79e85a0dc02add3701aa3f51e178000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000
config
radius
acct
retransmit-timeout
1
30
config
radius
acct
enable
1
config
nmsp
notification
interval
rssi
rfid
2
config
network
ap-discovery
nat-ip-only
disable
config
network
mgmt-via-wireless
enable
config
network
rf-network-name
01-vWLC
config
network
fast-ssid-change
enable
config
network
web-auth
captive-bypass
enable
config
network
multicast
l2mcast
disable
service-port
config
network
multicast
l2mcast
disable
virtual
config
mdns
profile
service
add
default-mdns-profile
AirPrint
config
mdns
profile
service
add
default-mdns-profile
AppleTV
config
mdns
profile
service
add
default-mdns-profile
HP_Photosmart_Printer_1
config
mdns
profile
service
add
default-mdns-profile
HP_Photosmart_Printer_2
config
mdns
profile
service
add
default-mdns-profile
Printer
config
mdns
profile
create
default-mdns-profile
config
mdns
service
query
enable
AirPrint
config
mdns
service
query
enable
AppleTV
config
mdns
service
query
enable
HP_Photosmart_Printer_1
config
mdns
service
query
enable
HP_Photosmart_Printer_2
config
mdns
service
query
enable
Printer
config
database
size
2048
config
802.11b
11gsupport
enable
config
802.11b
cac
voice
sip
bandwidth
64
sample-interval
20
config
802.11b
cac
voice
sip
codec
g711
sample-interval
20
config
802.11b
cleanair
alarm
device
enable
802.11-inv
config
802.11b
cleanair
alarm
device
enable
802.11-nonstd
config
802.11b
cleanair
alarm
device
enable
jammer
config
ap
autoconvert
flexconnect
config
ap
packet-dump
capture-time
10
config
ap
packet-dump
truncate
0
config
ap
packet-dump
buffer-size
2048
config
rfid
timeout
1200
config
rfid
status
enable
config
rfid
mobility
pango
disable
config
mgmtuser
add
encrypt
admin
1
9408040aa9832b25d3f7039f9f87efc9
f958c37c9f319b5f7062054ca885047cbf7012c1
16
7f309b05ff4d0906c890fc5f3bf4860700000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000
read-write
conf
term
hostname
egfw
domain-name
securitydemo.net
51
enable
password
ISEc0ld
passwd
ISEc0ld
username
admin
password
ISEc0ld
privilege
15
!
interface
GigabitEthernet0/0
nameif
outside
security-level
0
!!-----------------------------------------
!!
outside
ip
address
is
per-pod
or
use
dhcp
ip
address
N1.N2.N3.N4
M1.M2.M3.M4
no
shut
!
interface
GigabitEthernet0/1
nameif
corp
security-level
100
ip
address
10.1.70.1
255.255.255.0
no
shut
!
interface
Management0/0
management-only
nameif
management
security-level
0
ip
address
10.1.100.254
255.255.255.0
!
dns
domain-lookup
management
dns
server-group
DefaultDNS
name-server
10.1.100.40
domain-name
securitydemo.net
!
nat
(any,outside)
after-auto
source
dynamic
any
interface
access-group
outsideIN
in
interface
outside
!!-----------------------------------------
!!
outside
route
is
per-pod
or
use
dhcp
route
outside
0.0.0.0
0.0.0.0
G1.G2.G3.G4
1
route
corp
10.1.0.0
255.255.128.0
10.1.70.2
1
!
!!-----------------------------------------
!!
generate
new
2K
key
for
SSH
crypto
key
zeroize
rsa
noconfirm
crypto
key
generate
rsa
modulus
2048
noconfirm
!
ssh
10.1.100.0
255.255.255.0
management
ssh
version
2
http
server
enable
http
10.1.100.0
255.255.255.0
management
!
ntp
server
10.1.100.40
source
management
prefer
!
!
policy-map
global_policy
class
inspection_default
inspect
icmp
!
no
call-home
reporting
anonymous
52
[1]
Right-Click
ASAv,
Select
Edit
Settings
[2]
Click
Add,
Select
Serial
Port
[4]
Select
Server
and
specify
a
Port
URL:
telnet://:<Port#>
[5]
Click
OK
to
complete
the
configuration.
WINDOWS
(Putty)
MAC
(Terminal)
user$
telnet
<ESXi-Host-IP>
<Port#>
ex:
telnet
10.1.100.2
10062
54