CCIE Wireless (v3)
Volume 1 Detailed Solution Guide
Part 2 of 2
Version 3.1A

iPexpert’s Detailed Solution Guide
for Cisco’s CCIE Wireless v3 Lab Exam, Volume 1

iPexpert, Inc.
3100 King Rd.
East China, Michigan 48054 USA
Phone: +1.810.326.1444
Fax: +1.810.454.0130
Email: sales@ipexpert.com
URL: www.iPexpert.com

Table of Contents
Section 4: Converged IOS-XE Controllers ....................................................................................................... 7
Lab 118: Management Access :: Detailed Solutions ...................................................................................... 8
Lab 119: Mobility (MA/MC) :: Detailed Solutions ........................................................................................ 26
Lab 120: AP Joins :: Detailed Solutions ........................................................................................................ 48
Lab 121: Logging :: Detailed Solutions ......................................................................................................... 55
Lab 122: Client RADIUS :: Detailed Solutions ............................................................................................... 60
Lab 123: ACLs :: Detailed Solutions .............................................................................................................. 71
Lab 124: Rogue Policies :: Detailed Solutions .............................................................................................. 80
Lab 125: Client Exclusion :: Detailed Solutions ............................................................................................ 90
Lab 126: MFP and 802.11w :: Detailed Solutions ......................................................................................... 95
Lab 127: AP Configurations :: Detailed Solutions ....................................................................................... 103
Lab 128: Client Load Balancing :: Detailed Solutions ................................................................................. 108
Lab 129: Band Select :: Detailed Solutions ................................................................................................. 112
Lab 130: General Radio Settings :: Detailed Solutions ............................................................................... 117
Lab 131: RF Groups :: Detailed Solutions ................................................................................................... 123
Lab 132: TPC :: Detailed Solutions ............................................................................................................. 130
Lab 133: DCA :: Detailed Solutions ............................................................................................................. 137
Lab 134: Coverage Hole Detection :: Detailed Solutions ............................................................................ 144
Lab 135: CCX Assisted Roaming :: Detailed Solutions ................................................................................ 150
Lab 136: DFS :: Detailed Solutions ............................................................................................................. 155
Lab 137: 802.11n/ac High Throughput :: Detailed Solutions ..................................................................... 160
Lab 138: CleanAir :: Detailed Solutions ...................................................................................................... 169
Lab 139: Country Codes :: Detailed Solutions ............................................................................................ 180
Lab 140: General Controller Settings :: Detailed Solutions ........................................................................ 187
Lab 141: Multicast :: Detailed Solutions .................................................................................................... 191
Lab 142: WLANs- Non-Guest :: Detailed Solutions..................................................................................... 197
Lab 143: Guest WLANs- Local Web :: Detailed Solutions ........................................................................... 208
Lab 144: Guest WLANs- External Web :: Detailed Solutions ...................................................................... 226
Lab 145: AP Groups :: Detailed Solutions ................................................................................................... 237
Section 5: Prime Infrastructure and MSE ....................................................................................................242
Lab 146: PI CLI Configurations :: Detailed Solutions................................................................................... 244
Lab 147: Adding Devices to PI :: Detailed Solutions ................................................................................... 254
Lab 148: Device Configuration Templates :: Detailed Solutions ................................................................ 277
Lab 149: Configuration Groups :: Detailed Solutions ................................................................................. 300
Lab 150: Configuration Auditing :: Detailed Solutions ............................................................................... 314
Lab 151: Basic Map Setup :: Detailed Solutions ......................................................................................... 324
Lab 152: Advanced Map Configurations :: Detailed Solutions ................................................................... 339
Lab 153: Virtual Domains :: Detailed Solutions .......................................................................................... 355
Lab 154: Management AAA :: Detailed Solutions ...................................................................................... 366
Lab 155: Administrative Settings :: Detailed Solutions .............................................................................. 380
Lab 156: Reports :: Detailed Solutions ....................................................................................................... 396
Lab 157: Alarms and Events :: Detailed Solutions ...................................................................................... 408
Lab 158: Rogue Management :: Detailed Solutions ................................................................................... 417
Lab 159: MSE Management :: Detailed Solutions ...................................................................................... 425
Lab 160: MSE Basic Location :: Detailed Solutions ..................................................................................... 439
Lab 161: MSE Advanced Location :: Detailed Solutions ............................................................................. 458
Lab 162: MSE WIPS :: Detailed Solutions ................................................................................................... 481
Section 6: Security and Identity Management with ISE ...............................................................................494
Lab 163: CLI Configurations :: Detailed Solutions ...................................................................................... 494
Lab 164: Administrative Settings :: Detailed Solutions .............................................................................. 505
Lab 165: Certificates :: Detailed Solutions ................................................................................................. 523
Lab 166: Identity Management :: Detailed Solutions ................................................................................. 536
Lab 167: Network Devices :: Detailed Solutions ........................................................................................ 565
Lab 168: Authentication Policies :: Detailed Solutions ............................................................................... 580
Lab 169: Authorization :: Detailed Solutions.............................................................................................. 594
Lab 170: AAA Overrides :: Detailed Solutions ............................................................................................ 619
Lab 171: Management Authentications :: Detailed Solutions .................................................................... 633
Lab 172: Client Profiling :: Detailed Solutions ............................................................................................ 651
Lab 173: Guest- AUP :: Detailed Solutions ................................................................................................. 670
Lab 174: Guest- Self Registration :: Detailed Solutions .............................................................................. 683
Lab 175: Guest- Sponsor Portal :: Detailed Solutions................................................................................. 697
Section 7: WLAN Media and Application Services .......................................................................................719
Lab 176: Wireless QoS on AireOS :: Detailed Solutions.............................................................................. 719
Lab 177: Wireless QoS on IOS-XE :: Detailed Solutions .............................................................................. 732
Lab 178: VideoStream on AireOS :: Detailed Solutions .............................................................................. 747
Lab 179: VideoStream on IOS-XE :: Detailed Solutions .............................................................................. 755
Lab 180: mDNS :: Detailed Solutions.......................................................................................................... 763
Lab 181: AVC :: Detailed Solutions ............................................................................................................. 775


Welcome, and Thank You!

On behalf of the entire iPexpert team, I'd personally like to thank you for putting your greatest
certification journey in our hands, and trusting us to deliver cutting-edge training to help you
accomplish this goal. Although there is no way to guarantee a 100% pass rate on the CCIE Lab, my team
and I feel extremely confident that your chances of passing will improve dramatically with the use of
our training materials.

-Respectfully, Wayne A. Lawson II, CCIE #5244 (Emeritus) / Founder & CEO - iPexpert, Inc.

Feedback

At iPexpert, we value the feedback (both positive and constructive) offered by our clientele. Our
dedication to offering the best tools and content to help students succeed could not be possible
without your comments and suggestions. Your feedback is what continually keeps us enhancing our
product portfolio, and it is greatly appreciated. If there is anything you'd like us to know, please do so
via the feedback@ipexpert.com alias.

In addition, when you pass your CCIE Lab exam, we want to hear about it! Please email your Full Name
(used in the CCIE Verification Tool), CCIE number and the track to success@ipexpert.com and let us
know how iPexpert played a role in your success. We would like to be sure you're welcomed into the
"CCIE Club" appropriately and send you a gift for your accomplishment.

Technical Support and Freebies


To conclude, we are also proud to lead the industry with multiple support options at your disposal, free
of charge. Our online support community has attracted a membership of your peers from around the
world, and is monitored on a daily basis by our instructors and our students. We also consistently
publish technical articles / papers on our blog. You can also follow up on Facebook, Twitter, LinkedIn,
Google+ and YouTube for more in-depth discussion on current industry trends and CCIE preparation
tips.

Lastly, referrals are very important to us. They tell us that 1) you like, value, and approve of our training
and 2) they help us to continue to grow as a company. If you have any peers who you feel would
benefit from any of our training materials, please send us their name, email address, telephone
number and the certification and track you feel they're interested in. If your referral makes a
purchase, we will provide you with in-house credit that can be used at any time. If your referrals exceed
a certain threshold, we will also include a gift card of your choice (either an American Express or
Amazon gift card).


Section 4: Converged IOS-XE Controllers


Lab 118: Management Access :: Detailed Solutions

Technologies Covered

• Management GUI Access

Detailed Solution Guide

This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.


iPexpert’s Recommended Reading Material

All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

 3650 Config Guide 3.6- Chapter 2

iPexpert’s Recommended Video Training

iPexpert’s Video on Demand training library contains a wealth of videos pertaining to the CCIE Wireless
Lab exam. We recommend watching the following learning videos prior to completing this lab scenario.

• Video Title: Unified Wireless (Converged)- Management Access- Web Management

Topology Detail

This lab requires access to CAT3-4 and WLC3 in your rack.


Diagram 118.1: Management Access Topology

Lab 118 Setup

• Can this lab be practiced without completing a previous lab: YES
• If so, which lab load should be used: Converged Controllers- Basic Layer 3
• Can this lab be practiced without a fresh lab load by using the final config of the previous lab: NO


Configuration Tasks :: Detailed Solutions

General Web GUI Configs

1. Disable HTTP and HTTPS access to WLC3.

2. Ensure that HTTP and HTTPS access is enabled and working on CAT3.

HTTP and HTTPS access on our converged access devices is enabled by default, so on WLC3 we only
need to disable it. On CAT3, just verify that it’s enabled and that you can reach the login page (even
though you can’t log in yet).

WLC3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
WLC3(config)#no ip http server
WLC3(config)#no ip http secure-server
WLC3(config)#end

WLC3#sho ip http server status


HTTP server status: Disabled
HTTP server port: 80
HTTP server authentication method: local
HTTP server access class: 0
HTTP server base path: webui:/express
HTTP server help root:
Maximum number of concurrent server connections allowed: 50
Maximum number of secondary server connections allowed: 50
Server idle time-out: 180 seconds
Server life time-out: 180 seconds
Server session idle time-out: 180 seconds
Maximum number of requests allowed on a connection: 25
HTTP server active session modules: ALL
HTTP secure server capability: Present
HTTP secure server status: Disabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5
rc4-128-sha aes-128-cbc-sha aes-256-cbc-sha dhe-aes-128-cbc-sha
dhe-aes-256-cbc-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:


HTTP secure server active session modules: ALL

CAT3#sho ip http server status


HTTP server status: Enabled
HTTP server port: 80
HTTP server authentication method: local
HTTP server access class: 0
HTTP server base path: webui:/express
HTTP server help root:
Maximum number of concurrent server connections allowed: 50
Maximum number of secondary server connections allowed: 50
Server idle time-out: 180 seconds
Server life time-out: 180 seconds
Server session idle time-out: 180 seconds
Maximum number of requests allowed on a connection: 25
HTTP server active session modules: ALL
HTTP secure server capability: Present
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5
rc4-128-sha aes-128-cbc-sha aes-256-cbc-sha dhe-aes-128-cbc-sha
dhe-aes-256-cbc-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
HTTP secure server active session modules: ALL


The screenshots for CAT3 (HTTP above, HTTPS below in the original) are not reproduced here.

Occasionally the default self-signed certificate does not allow HTTPS access: the keys behind it are
not correct, or the certificate is missing altogether. If you run into that, here is what to do.

First, look for the existing self-signed trustpoint. It should be named similar to the output below.


CAT4#sho run | in trust


crypto pki trustpoint TP-self-signed-2783389905

If it’s there, disable HTTPS, delete the trustpoint, and re-enable HTTPS. If it’s not there, just disable and
then re-enable HTTPS. A new self-signed certificate that works should be generated for you.

3. Restrict access to the GUI on CAT3 so that only clients on VLAN 5 are able to access the GUI.

We will use a standard numbered ACL to control which IPs are allowed to access the web GUI.
Fortunately, our WIN7 client is in that VLAN.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#access-list 1 permit 10.10.210.0 0.0.0.255
CAT3(config)#ip http access-class 1
CAT3(config)#end

If I access the GUI from the WIN7 PC, it works.


If I try and access it from a different VLAN, it won’t. Since I don’t have a client with a browser on a
different VLAN, I can just use telnet to port 80 as a good test.

CAT2#telnet 10.10.113.13 80
Trying 10.10.113.13, 80 ...
% Connection refused by remote host

CAT2#telnet 10.10.113.13 80 /source-interface vlan5


Trying 10.10.113.13, 80 ... Open

exit
HTTP/1.1 400 Bad Request
Date: Thu, 27 Aug 2015 16:04:09 GMT
Server: cisco-IOS
Accept-Ranges: none

400 Bad Request


[Connection to 10.10.113.13 closed by foreign host]

The first attempt used the connected interface (which would have had a source of 10.10.113.3). The
second attempt used a source interface of vlan5 (which would have had a source of 10.10.210.3). The
first attempt was refused and the second worked.
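To show exactly why the two telnet tests above come out differently, here is an added Python example (not part of the original guide) that evaluates a standard numbered ACL with IOS wildcard-mask semantics. The ACL entry and the two source addresses are copied from the lab; the `access_class_decision` helper name and the discontiguous-wildcard entry at the end are assumptions added to show the general algorithm, which also covers "don't care" bits in any octet.

```python
import ipaddress

# Constructed copy of the lab's standard numbered ACL:
#   access-list 1 permit 10.10.210.0 0.0.0.255
# Entries are (action, network, wildcard); IOS evaluates them top-down and
# ends every ACL with an implicit "deny any".
ACL_1 = [
    ("permit", "10.10.210.0", "0.0.0.255"),
]


def wildcard_match(address: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means "don't care".
    Only the bits where the wildcard is 0 are compared."""
    a = int(ipaddress.IPv4Address(address))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def evaluate_acl(acl, address: str) -> str:
    """Return the action of the first matching entry, or the implicit deny."""
    for action, network, wildcard in acl:
        if wildcard_match(address, network, wildcard):
            return action
    return "deny"


def access_class_decision(acl, source: str) -> str:
    """Mirror what 'ip http access-class 1' does with a management connection
    (hypothetical helper; the strings echo the telnet output in the lab)."""
    return "Open" if evaluate_acl(acl, source) == "permit" else "Connection refused"


if __name__ == "__main__":
    # The two sources from the telnet test: CAT2's connected interface
    # (10.10.113.3) and its vlan5 SVI (10.10.210.3).
    for src in ("10.10.113.3", "10.10.210.3"):
        print(f"{src:>14}: {access_class_decision(ACL_1, src)}")
    # Wildcards need not be contiguous: this constructed entry permits any
    # host whose second octet is 10 and third octet is 210, regardless of
    # the first octet.
    odd = [("permit", "0.10.210.0", "255.0.0.255")]
    print(evaluate_acl(odd, "192.10.210.7"))
```

The `care` mask is simply the inverted wildcard, which is why a wildcard of 0.0.0.255 compares the first three octets and ignores the last, and why a wildcard of 255.0.0.255 compares only the middle two.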

4. Idle web sessions should be timed out after 10 minutes on CAT3.

5. Limit the maximum number of connections to the GUI on CAT3 to 10.

Here we have a couple of basic settings for the GUI behavior.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#ip http session-idle-timeout 600
CAT3(config)#ip http max-connections 10
CAT3(config)#end

CAT3#sho ip http ser status


HTTP server status: Enabled
HTTP server port: 80
HTTP server authentication method: local


HTTP server access class: 1


HTTP server base path: webui:/express
HTTP server help root:
Maximum number of concurrent server connections allowed: 10
Maximum number of secondary server connections allowed: 50
Server idle time-out: 180 seconds
Server life time-out: 180 seconds
Server session idle time-out: 600 seconds
Maximum number of requests allowed on a connection: 25
HTTP server active session modules: ALL
HTTP secure server capability: Present
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5
rc4-128-sha aes-128-cbc-sha aes-256-cbc-sha dhe-aes-128-cbc-sha
dhe-aes-256-cbc-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
HTTP secure server active session modules: ALL

6. Install a web certificate on CAT3 to be used for the management GUI. The needed files can be
found on the WIN7 PC at C:\Rack Files\Certificates\.

• CA file= CA.pem
• Private key file= cat3key.pem
• Switch certificate file= cat3.pem
• Certificate password= IPexpert123
• Use a trustpoint named HTTPS.

To complete this task, you’ll need to install the certificate into a trustpoint, call that trustpoint out in
the HTTPS config, and reboot. The new cert doesn’t seem to take effect without the reboot.

When pasting in the certificate info, be sure to paste in the correct order. It goes CA cert > Private Key
> Device cert.
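Because the import only works when the three PEM pieces are pasted in the right order, here is an added Python example (not from the guide) that parses a pasted bundle and checks it before it ever reaches the terminal prompt. The PEM bodies are constructed placeholders, not real certificates or key material; the check mirrors the order the text gives (CA cert, encrypted private key, device cert) and also flags an unencrypted key, since the `password` on the import command only applies to an encrypted key.

```python
import re

# Constructed sample of the three PEM pieces that get pasted, in order, into
# "crypto pki import <trustpoint> pem terminal password <pw>". The base64
# bodies are placeholders, not real certificates or key material.
CA_CERT = """-----BEGIN CERTIFICATE-----
MIIBCONSTRUCTEDCAcert
-----END CERTIFICATE-----
"""
ENC_KEY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

Q+v7CONSTRUCTEDkeybody
-----END RSA PRIVATE KEY-----
"""
DEVICE_CERT = """-----BEGIN CERTIFICATE-----
MIIBCONSTRUCTEDdevicecert
-----END CERTIFICATE-----
"""
SAMPLE_BUNDLE = CA_CERT + ENC_KEY + DEVICE_CERT

# One PEM block: label on the BEGIN/END lines, optional RFC 1421 headers
# (Proc-Type, DEK-Info), a blank line, then the base64 body.
BLOCK_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----", re.S)


def parse_pem_blocks(text):
    """Return [(label, headers, body)] for every PEM block, in paste order."""
    blocks = []
    for m in BLOCK_RE.finditer(text):
        label, raw = m.group(1), m.group(2)
        headers, body = {}, []
        for line in raw.splitlines():
            if not line.strip():
                continue
            # Header lines carry a colon and always precede the body.
            if ":" in line and not body:
                k, v = line.split(":", 1)
                headers[k.strip()] = v.strip()
            else:
                body.append(line.strip())
        blocks.append((label, headers, "".join(body)))
    return blocks


def check_import_order(text):
    """Check the order the lab requires: CA cert, then the encrypted private
    key, then the device cert. Returns (ok, list_of_problems)."""
    blocks = parse_pem_blocks(text)
    labels = [b[0] for b in blocks]
    problems = []
    if len(blocks) != 3:
        problems.append(f"expected 3 PEM blocks, found {len(blocks)}")
    else:
        if labels[0] != "CERTIFICATE":
            problems.append("first block must be the CA certificate")
        if not labels[1].endswith("PRIVATE KEY"):
            problems.append("second block must be the private key")
        if labels[2] != "CERTIFICATE":
            problems.append("third block must be the device certificate")
    for label, headers, body in blocks:
        # A traditional "RSA PRIVATE KEY" block is only encrypted when it
        # carries Proc-Type: 4,ENCRYPTED; otherwise the password is unused.
        if label == "RSA PRIVATE KEY" and headers.get("Proc-Type") != "4,ENCRYPTED":
            problems.append("private key is not encrypted; the import password would not apply")
        if not body:
            problems.append(f"empty {label} block")
    return (not problems, problems)


if __name__ == "__main__":
    ok, problems = check_import_order(SAMPLE_BUNDLE)
    print("bundle ok" if ok else "\n".join(problems))
```

The parser cannot tell a CA certificate from a device certificate by label alone (both are `CERTIFICATE`), so it enforces position; verifying the actual issuer/subject chain would need a certificate library, which this stdlib-only check deliberately avoids.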

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.


CAT3(config)#crypto pki import HTTPS pem terminal password IPexpert123


% Enter PEM-formatted CA certificate.
% End with a blank line or "quit" on a line by itself.
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

% Enter PEM-formatted encrypted private General Purpose key.


% End with "quit" on a line by itself.
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,C4B2FA1157D28B1A

Q+v7Xu44Z3M0MXPQp3Ya8Ql/5iHDjg4kmZXYTkuIEGtG+3tuef7vQvMa8HRnYXU/
1d9bepPNIH5dnHQZok7b793Ohy/Z8Yc0IFqFESpcNNeDuFz/ArEfHGeQjoY1SuP/
3Z/UG/HDbPOVsoLfaQ6gsnD6MSvzhrwN+to4f6pTovi4SgO11QcRDEDSTHK31tXS
wdHWt/rmX46DKEIhsRsb1devGhYdiPZPX6+3LXfgNPK8/+Qz+pPeqkrdmJEztD3i
4hASiGv99eBxQxN+Xn6LkuwkzjLHpVxmhHNJ4HsLej7HA2XNgJ2euCRbL+adpOpk
U0q1q3OfuuF0/NDbbphTWEWiA10mdA7E/ropeA/KI7V3GVmnAEXgUXSRa1aTkXIn
HH5XxY1WBJLeqFmNbAHCOrF1zA1FqitVM8t7nXjQPofuC4arCCpjVmZE3MFn76mH

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-----END RSA PRIVATE KEY-----

quit
% Enter PEM-formatted General Purpose certificate.
% End with a blank line or "quit" on a line by itself.
-----BEGIN CERTIFICATE-----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
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-----END CERTIFICATE-----

% PEM files import succeeded.

CAT3(config)#ip http secure-trustpoint HTTPS


CAT3(config)#end

CAT3#wr mem
Building configuration...
Compressed configuration from 4145 bytes to 2213 bytes[OK]
CAT3#reload
Reload command is being issued on Active unit, this will reload the whole stack
Proceed with reload? [confirm]

Here is where you can confirm which trustpoint is in use for HTTPS.

CAT3#sho ip http server status


HTTP server status: Enabled
HTTP server port: 80
HTTP server authentication method: local
HTTP server access class: 0


HTTP server base path: webui:/express


HTTP server help root:
Maximum number of concurrent server connections allowed: 50
Maximum number of secondary server connections allowed: 50
Server idle time-out: 180 seconds
Server life time-out: 180 seconds
Server session idle time-out: 180 seconds
Maximum number of requests allowed on a connection: 25
HTTP server active session modules: ALL
HTTP secure server capability: Present
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5
rc4-128-sha aes-128-cbc-sha aes-256-cbc-sha dhe-aes-128-cbc-sha
dhe-aes-256-cbc-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint: HTTPS
HTTP secure server active session modules: ALL


After the reboot, when you go to the website, you can look at the certificate and see that it’s the CA-
signed cert.
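Tasks 1 through 6 are all verified from `show ip http server status`, so here is an added Python example (not part of the guide) that parses that output and compares it against the intended posture: HTTPS on, an access class applied, the expected trustpoint, connection and idle-timeout limits, and no RC4/DES/MD5 ciphersuites offered. The sample output is constructed in the format shown in the lab; the field names are taken from that output, while the `audit_http_status` function and its argument names are assumptions of this example.

```python
import re

# Constructed sample in the format of "show ip http server status" from the
# lab; values are chosen to exercise the checks (HTTP left on, ACL 1 applied,
# 10 connections, 600 s idle timeout, trustpoint HTTPS).
SAMPLE_STATUS = """\
HTTP server status: Enabled
HTTP server port: 80
HTTP server authentication method: local
HTTP server access class: 1
HTTP server base path: webui:/express
HTTP server help root:
Maximum number of concurrent server connections allowed: 10
Maximum number of secondary server connections allowed: 50
Server idle time-out: 180 seconds
Server life time-out: 180 seconds
Server session idle time-out: 600 seconds
Maximum number of requests allowed on a connection: 25
HTTP server active session modules: ALL
HTTP secure server capability: Present
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5
rc4-128-sha aes-128-cbc-sha aes-256-cbc-sha dhe-aes-128-cbc-sha
dhe-aes-256-cbc-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint: HTTPS
HTTP secure server active session modules: ALL
"""

# Cipher name tokens a practitioner would not want offered on a management plane.
WEAK_TOKENS = {"rc4", "des", "3des", "md5"}


def parse_http_status(text):
    """Map each 'field: value' line to a dict. Lines without a colon are
    continuations of the previous field (the wrapped ciphersuite list)."""
    fields, last = {}, None
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            last = key.strip()
            fields[last] = value.strip()
        elif line.strip() and last:
            fields[last] += " " + line.strip()
    return fields


def _int_field(fields, key):
    """Leading integer of a field such as '600 seconds', or None."""
    m = re.match(r"\d+", fields.get(key, ""))
    return int(m.group()) if m else None


def audit_http_status(fields, access_class=None, trustpoint=None,
                      max_connections=None, session_idle_timeout=None):
    """Compare the parsed output against the intended management posture.
    Returns a list of findings; an empty list means everything checks out."""
    findings = []
    if fields.get("HTTP server status") == "Enabled":
        findings.append("plaintext HTTP is enabled (no ip http server)")
    if fields.get("HTTP secure server status") != "Enabled":
        findings.append("HTTPS is not enabled (ip http secure-server)")
    ac = fields.get("HTTP server access class", "0")
    if ac == "0":
        findings.append("no access-class applied; GUI reachable from any source")
    elif access_class is not None and ac != str(access_class):
        findings.append(f"access class is {ac}, expected {access_class}")
    tp = fields.get("HTTP secure server trustpoint", "")
    if not tp:
        findings.append("no secure-trustpoint set; self-signed certificate in use")
    elif trustpoint and tp != trustpoint:
        findings.append(f"trustpoint is {tp}, expected {trustpoint}")
    weak = [c for c in fields.get("HTTP secure server ciphersuite", "").split()
            if WEAK_TOKENS & set(c.split("-"))]
    if weak:
        findings.append("weak ciphersuites offered: " + " ".join(weak))
    conns = _int_field(fields, "Maximum number of concurrent server connections allowed")
    if max_connections is not None and conns != max_connections:
        findings.append(f"max connections is {conns}, expected {max_connections}")
    idle = _int_field(fields, "Server session idle time-out")
    if session_idle_timeout is not None and idle != session_idle_timeout:
        findings.append(f"session idle timeout is {idle}s, expected {session_idle_timeout}s")
    return findings


if __name__ == "__main__":
    for f in audit_http_status(parse_http_status(SAMPLE_STATUS), access_class=1,
                               trustpoint="HTTPS", max_connections=10,
                               session_idle_timeout=600):
        print("FINDING:", f)
```

Run against the constructed sample it reports two findings, plaintext HTTP still enabled and the legacy ciphersuites, which is exactly the gap between "the lab tasks are done" and a hardened management plane. Note that the lab's own post-reload output shows access class 0 and the default timeouts, so re-checking after a reload is worthwhile.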

Web Authentication Configs

7. Configure a local user on CAT4 with the credentials below that will allow it to log in to the web GUI.

• User= admin
• Password= IPexpert123


GUI access requires a privilege level 15 account.

CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#user admin priv 15 secret IPexpert123
CAT4(config)#end

8. Configure CAT3 to use ISE to authenticate GUI users. If ISE is not responding, CAT3 should use its
local user repository.

• ISE info
  o IP= 10.10.210.5
  o shared secret= ipexpert
• Mark the RADIUS server dead for 10 minutes when it stops responding.
• Create a local account on CAT3 to be used when ISE isn’t responding.
  o User= admin
  o Password= Ipexpert123


Special note: due to an apparent bug (link below), the switch doesn’t seem to use the method lists
specified in the ip http authentication commands like it should, so you’ll need to enable the
method lists on the console line as well.

https://tools.cisco.com/bugsearch/bug/CSCeb82510

The first steps are related to getting the RADIUS server configured on the switch. Define the
RADIUS server and then build a server group. Lastly, build a method list for both login authentication
and exec authorization, then reference those method lists for HTTPS authentication.

This is actually the same drill that we had for autonomous AP HTTP authentication.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#aaa new-model
CAT3(config)#radius-server deadtime 10
CAT3(config)#radius server ISE
CAT3(config-radius-server)#address ipv4 10.10.210.5 auth-port 1812 acct-port 1813
CAT3(config-radius-server)#key ipexpert
CAT3(config-radius-server)#exit

CAT3(config)#aaa group server radius ISE


CAT3(config-sg-radius)#server name ISE
CAT3(config-sg-radius)#exit

CAT3(config)#aaa authentication login HTTPS group ISE local


CAT3(config)#aaa authorization exec HTTPS group ISE local

CAT3(config)#ip http authentication aaa login-authentication HTTPS


CAT3(config)#ip http authentication aaa exec-authorization HTTPS

CAT3(config)#user admin priv 15 sec IPexpert123


CAT3(config)#end

This is what the config would need to be if the bug weren’t present. It works just fine on our autonomous
APs, which have the same configuration options available, but on the switch you’ll find that you can log in
yet things just won’t work correctly. The web pages don’t always reflect reality and you cannot configure
anything (even though it sometimes says that the configs applied). It doesn’t matter whether you
authenticate through ISE or locally; the end result is the same.


Feel free to attempt a simple configuration change, like changing the host name at Configuration >
System > General. The page won’t show the correct name when it loads, and attempts to configure the
name won’t alter the host name in the CLI like they should.

Let’s configure the console port to get around the bug. Just know that if you log out of the console
connection, you will need to log in again. If you lock yourself out of the switch, just reload the lab.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#line con 0
CAT3(config-line)#login authentication HTTPS
CAT3(config-line)#authorization exec HTTPS
%Authorization without the global command 'aaa authorization console' is useless

CAT3(config-line)#end

9. Test the CAT3 configuration by logging in with the credentials iosadmin/Ipexpert123.

• You can test the failover by blocking traffic to/from the ISE server.

Here is the RADIUS login result and the logs on ISE of the authentications.


Once RADIUS auths work, shut down the server port and test the failover.

CAT1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT1(config)#int fa0/6
CAT1(config-if)#shut
CAT1(config-if)#end

Once you are done testing, bring the server port back up.

Helpful Verification Commands

• show ip http server status

Technical Verification and Support


For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.

This concludes Lab 118 of iPexpert’s CCIE Wireless DSG, Section 4, Volume 1
Copyright© iPexpert. All Rights Reserved.


Lab 119: Mobility (MA/MC) :: Detailed Solutions

Technologies Covered

• Converged Access Mobility
• MA/MC configurations
• New Mobility

Detailed Solution Guide

This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.


iPexpert’s Recommended Reading Material

All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

 3650 Config Guide 3.6- Chapter 39

 3650 Config Guide 3.6- Chapter 40

 3650 Config Guide 3.6- Chapter 41

 3650 Config Guide 3.6- Chapter 42

iPexpert’s Recommended Video Training

iPexpert’s video on demand training library contains a wealth of videos pertaining to the CCIE Wireless
Lab exam. We recommend watching the following learning videos prior to completing this lab scenario.

• Video Title: Unified Wireless (Converged)- Converged Access Overview
• Video Title: Unified Wireless (Converged)- MA/MC configurations- Part 1
• Video Title: Unified Wireless (Converged)- MA/MC configurations- Part 2

Topology Detail

This lab requires access to CAT3-4, WLC1, and WLC3 in your rack.


Diagram 119.1: Mobility (MA/MC) Topology

Lab 119 Setup

• Can this lab be practiced without completing a previous lab: YES
• If so, which lab load should be used: Converged Controllers- Basic Layer 3
• Can this lab be practiced without a fresh lab load by using the final config of the previous lab: YES


Configuration Tasks :: Detailed Solutions

Scenario 1

In this scenario the 3650s act as MAs, all in the same SPG, with the 5760 as their MC. The 5760 also
adds WLC1 as a mobility group member for future DMZ anchoring needs. This is a fairly real-world
design given our hardware and topology.

1. Configure WLC3 to be a Mobility Controller (MC) for the mobility group named HQ.

5760 WLCs are MCs by default, so you should just need to configure the mobility group name.

WLC3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
WLC3(config)#wireless mobility group name HQ
WLC3(config)#end

WLC3#sho wireless mobility summary

Mobility Controller Summary:

Mobility Role : Mobility Controller
Mobility Protocol Port : 16666
Mobility Group Name : HQ
[lines omitted]

2. Configure CAT3 and CAT4 to be Mobility Agents (MAs) with WLC3 as their MC.

• CAT3 and CAT4 should both be in a Switch Peer Group (SPG) named CCIEW.

3650s are MAs by default. Placing them into the same SPG will allow for optimal roaming between their
APs. The SPG is defined on the MC. We’ll also enable the wireless management interfaces on each
device. They only have 1 layer 3 interface each, so it should be pretty obvious which to pick.

WLC3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
WLC3(config)#wireless management interface vlan112
WLC3(config)#wireless mobility controller peer-group CCIEW member ip 10.10.113.13
WLC3(config)#wireless mobility controller peer-group CCIEW member ip 10.10.113.14
WLC3(config)#end

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wireless management interface vlan113
CAT3(config)#wireless mobility controller ip 10.10.112.10
CAT3(config)#end

CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#wireless management interface vlan113
CAT4(config)#wireless mobility controller ip 10.10.112.10
CAT4(config)#end

After a few minutes, there should be tunnels between the MC and the MAs, as well as between the
MAs (since they are in the same SPG).

WLC3#sho wire mob sum

Mobility Controller Summary:

Mobility Role : Mobility Controller
Mobility Protocol Port : 16666
Mobility Group Name : HQ
Mobility Oracle Configured Mode : Disabled
Mobility Oracle Runtime Mode : Disabled
Mobility Oracle IP Address : 0.0.0.0
DTLS Mode : Enabled
Mobility Domain ID for 802.11r : 0x6b2f
Mobility Keepalive Interval : 10
Mobility Keepalive Count : 3
Mobility Control Message DSCP Value : 48
Mobility Domain Member Count : 1

Link Status is Control Link Status : Data Link Status

Controllers configured in the Mobility Domain:

IP Public IP Group Name Multicast IP Link Status
-------------------------------------------------------------------------------
10.10.112.10 N/A HQ 0.0.0.0 N/A

Switch Peer Group Name : CCIEW
Switch Peer Group Member Count : 2
Bridge Domain ID : 0
Multicast IP Address : 0.0.0.0

IP Public IP Link Status
--------------------------------------------------
10.10.113.13 10.10.113.13 UP : UP
10.10.113.14 10.10.113.14 UP : UP

CAT3#sho wire mob sum

Mobility Agent Summary:

Mobility Role : Mobility Agent
Mobility Protocol Port : 16666
Mobility Switch Peer Group Name : CCIEW
Multicast IP Address : 0.0.0.0
DTLS Mode : Enabled
Mobility Domain ID for 802.11r : 0x6b2f
Mobility Keepalive Interval : 10
Mobility Keepalive Count : 3
Mobility Control Message DSCP Value : 48
Switch Peer Group Members Configured : 2

Link Status is Control Link Status : Data Link Status

The status of Mobility Controller:

IP Public IP Link Status
------------------------------------------------
10.10.112.10 10.10.112.10 UP : UP

Switch Peer Group members:

IP Public IP Data Link Status
-----------------------------------------------------
10.10.113.13 10.10.113.13 N/A
10.10.113.14 10.10.113.14 UP

CAT4#sho wire mob sum

Mobility Agent Summary:

Mobility Role : Mobility Agent
Mobility Protocol Port : 16666
Mobility Switch Peer Group Name : CCIEW
Multicast IP Address : 0.0.0.0
DTLS Mode : Enabled
Mobility Domain ID for 802.11r : 0x6b2f
Mobility Keepalive Interval : 10
Mobility Keepalive Count : 3
Mobility Control Message DSCP Value : 48
Switch Peer Group Members Configured : 2

Link Status is Control Link Status : Data Link Status

The status of Mobility Controller:

IP Public IP Link Status


------------------------------------------------
10.10.112.10 10.10.112.10 UP : UP

Switch Peer Group members:

IP Public IP Data Link Status
-----------------------------------------------------
10.10.113.13 10.10.113.13 UP
10.10.113.14 10.10.113.14 N/A

3. Enable new mobility on WLC1 and configure WLC1 to be in the mobility group named DMZ.

4. Add WLC1 and WLC3 to each other’s mobility domain list.

5. Verify this configuration on the devices.

6. After you are done verifying, remove WLC1 and WLC3 from each other’s mobility domain list.

New mobility allows certain AireOS controllers to support mobility between AireOS and IOS-XE
controllers. Enabling new mobility on the controller will require a reboot.

(WLC1) >config mobility new-architecture enable

Enabling new-mobility would change mobility architecture from old to new(Converged Access) !!!
Configuration changes will be saved and System will be rebooted. !!!
Are you sure you want to continue? (y/n) y

The system has unsaved changes.
Configuration saved!
System will now restart!

After the reboot, configure the rest of the mobility group/domain task.

(WLC1) >config mobility group domain DMZ
(WLC1) >config mobility group member add 10.10.112.10 group-name HQ

WLC3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
WLC3(config)#wireless mobility group member ip 10.10.111.10 group DMZ
WLC3(config)#end

After a minute or two, the peering should come up.

(WLC1) >show mobility summary

New Mobility (Converged Access).................. Enabled
Mobility Protocol Port........................... 16666
Default Mobility Domain.......................... DMZ
Multicast Mode .................................. Disabled
DTLS Mode ....................................... Enabled
Mobility Domain ID for 802.11r................... 0x43cd
Mobility Keepalive Interval...................... 10
Mobility Keepalive Count......................... 3
Mobility Group Members Configured................ 2
Mobility Control Message DSCP Value.............. 0
Mobility Oracle.................................. Disabled
Mobility MC public IP ........................... 10.10.111.10
Mobility Oracle IP address ...................... 0.0.0.0

Controllers configured in the Mobility Group

IP Address Public IP Address Group Name Multicast IP MAC Address Status
10.10.111.10 10.10.111.10 DMZ 0.0.0.0 6c:20:56:6c:92:40 Up
10.10.112.10 10.10.112.10 HQ 0.0.0.0 00:00:00:00:00:00 Up

WLC3#sho wi mo sum

Mobility Controller Summary:

Mobility Role : Mobility Controller
Mobility Protocol Port : 16666
Mobility Group Name : HQ
Mobility Oracle Configured Mode : Disabled
Mobility Oracle Runtime Mode : Disabled
Mobility Oracle IP Address : 0.0.0.0
DTLS Mode : Enabled
Mobility Domain ID for 802.11r : 0x6b2f
Mobility Keepalive Interval : 10
Mobility Keepalive Count : 3
Mobility Control Message DSCP Value : 48
Mobility Domain Member Count : 2

Link Status is Control Link Status : Data Link Status

Controllers configured in the Mobility Domain:

IP Public IP Group Name Multicast IP Link Status
-------------------------------------------------------------------------------
10.10.112.10 N/A HQ 0.0.0.0 N/A
10.10.111.10 10.10.111.10 DMZ UP : UP

Switch Peer Group Name : CCIEW
Switch Peer Group Member Count : 2
Bridge Domain ID : 0
Multicast IP Address : 0.0.0.0

IP Public IP Link Status
--------------------------------------------------
10.10.113.13 10.10.113.13 UP : UP
10.10.113.14 10.10.113.14 UP : UP

Scenario 2

This is a scenario where the 3650s are acting as MAs, only in different SPGs with WLC1 as their MC.
While different SPGs in the same physical location is not uncommon, having the 5508 be the MC for
the 3650s is probably lower on the likelihood scale.

7. Remove the SPG config from WLC3.

8. Remove the mobility member config from WLC1 and WLC3.

This is just some cleanup from the previous scenario.

WLC3#conf terminal
Enter configuration commands, one per line. End with CNTL/Z.
WLC3(config)#no wireless mobility controller peer-group CCIEW
WLC3(config)#no wireless mobility group member ip 10.10.111.10
WLC3(config)#end

(WLC1) >config mobility group member delete 10.10.112.10

9. Configure WLC1 to be a Mobility Controller (MC) for the mobility group named HQ.

10. Configure CAT3 and CAT4 to be Mobility Agents (MAs) with WLC1 as their MC.

• CAT3 should be in a Switch Peer Group (SPG) named CCIEW3.
• CAT4 should be in a Switch Peer Group (SPG) named CCIEW4.

11. Verify this configuration on the devices.

Cisco gave us the option to make an AireOS controller the MC for our MAs, so at least you could migrate
without having to buy all of your AP licenses again. Now that CAT3 and CAT4 are in different SPGs, they
will not form a tunnel between them.

(WLC1) >config mobility group domain HQ
(WLC1) >config mobility switchPeerGroup create CCIEW3
(WLC1) >config mobility switchPeerGroup create CCIEW4
(WLC1) >config mobility switchPeerGroup member add 10.10.113.13 CCIEW3
(WLC1) >config mobility switchPeerGroup member add 10.10.113.14 CCIEW4

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wire mob contr ip 10.10.111.10
CAT3(config)#end

CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#wire mob contr ip 10.10.111.10
CAT4(config)#end

(WLC1) >show mobility summary

New Mobility (Converged Access).................. Enabled
Mobility Protocol Port........................... 16666
Default Mobility Domain.......................... HQ
Multicast Mode .................................. Disabled
DTLS Mode ....................................... Enabled
Mobility Domain ID for 802.11r................... 0x6b2f
Mobility Keepalive Interval...................... 10
Mobility Keepalive Count......................... 3
Mobility Group Members Configured................ 1
Mobility Control Message DSCP Value.............. 0
Mobility Oracle.................................. Disabled
Mobility MC public IP ........................... 10.10.111.10
Mobility Oracle IP address ...................... 0.0.0.0

Controllers configured in the Mobility Group

IP Address Public IP Address Group Name Multicast IP MAC Address Status
10.10.111.10 10.10.111.10 HQ 0.0.0.0 6c:20:56:6c:92:40 Up

Switch Peer Group Configuration:

Switches configured in Switch Peer Group: CCIEW3

IP Address Public IP Address Status
10.10.113.13 10.10.113.13 Up

Switches configured in Switch Peer Group: CCIEW4

IP Address Public IP Address Status
10.10.113.14 10.10.113.14 Up

CAT3#sho wire mo sum

Mobility Agent Summary:

Mobility Role : Mobility Agent
Mobility Protocol Port : 16666
Mobility Switch Peer Group Name : CCIEW3
Multicast IP Address : 0.0.0.0
DTLS Mode : Enabled
Mobility Domain ID for 802.11r : 0x6b2f
Mobility Keepalive Interval : 10
Mobility Keepalive Count : 3
Mobility Control Message DSCP Value : 0
Switch Peer Group Members Configured : 1

Link Status is Control Link Status : Data Link Status

The status of Mobility Controller:

IP Public IP Link Status
------------------------------------------------
10.10.111.10 10.10.111.10 UP : UP

Switch Peer Group members:

IP Public IP Data Link Status
-----------------------------------------------------
10.10.113.13 10.10.113.13 N/A

CAT4#sho wi mo su

Mobility Agent Summary:

Mobility Role : Mobility Agent
Mobility Protocol Port : 16666
Mobility Switch Peer Group Name : CCIEW4
Multicast IP Address : 0.0.0.0
DTLS Mode : Enabled
Mobility Domain ID for 802.11r : 0x6b2f
Mobility Keepalive Interval : 10
Mobility Keepalive Count : 3
Mobility Control Message DSCP Value : 0
Switch Peer Group Members Configured : 1

Link Status is Control Link Status : Data Link Status

The status of Mobility Controller:

IP Public IP Link Status
------------------------------------------------
10.10.111.10 10.10.111.10 UP : UP

Switch Peer Group members:

IP Public IP Data Link Status
-----------------------------------------------------
10.10.113.14 10.10.113.14 N/A

12. When you are done, remove the SPG configuration from WLC1.

(WLC1) >config mobility switchPeerGroup delete CCIEW3
(WLC1) >config mobility switchPeerGroup delete CCIEW4

Scenario 3

This is a scenario where the 3650s are back in the same SPG, but this time one of the 3650s is the MC
of the SPG. We are also adding another MC to the mobility domain list to support things like theoretical
roaming or anchoring possibilities. This scenario is fairly realistic for the real world.

13. Configure CAT3 to be a Mobility Controller (MC) for the mobility group named HQ.

Switching from MA to MC mode does require a reboot.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wire mob controller
% Mobility role changed to Mobility Controller.
Please save config and reboot the whole stack.

CAT3(config)#end
CAT3#wr memory
CAT3#reload
Reload command is being issued on Active unit, this will reload the whole stack
Proceed with reload? [confirm]

Go grab a cup of coffee while you wait for the reboot to complete.

14. Configure CAT4 to be in an SPG named CCIEW, where CAT3 is the MC.

CAT3#conf terminal
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wire mobility group name HQ
CAT3(config)#wire mobility controller peer-group CCIEW
CAT3(config)#wire mobility controller peer-group CCIEW member ip 10.10.113.14
CAT3(config)#end

CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#wire mo contr ip 10.10.113.13
CAT4(config)#end

CAT3#sho wire mob sum

Mobility Controller Summary:

Mobility Role : Mobility Controller
Mobility Protocol Port : 16666
Mobility Group Name : HQ
Mobility Oracle Configured Mode : Disabled
Mobility Oracle IP Address : 0.0.0.0
DTLS Mode : Enabled
Mobility Domain ID for 802.11r : 0x6b2f
Mobility Keepalive Interval : 10
Mobility Keepalive Count : 3
Mobility Control Message DSCP Value : 48
Mobility Domain Member Count : 1

Link Status is Control Link Status : Data Link Status

Controllers configured in the Mobility Domain:

IP Public IP Group Name Multicast IP Link Status
-------------------------------------------------------------------------------
10.10.113.13 N/A HQ 0.0.0.0 N/A

Switch Peer Group Name : CCIEW
Switch Peer Group Member Count : 1
Bridge Domain ID : 0
Multicast IP Address : 0.0.0.0

IP Public IP Link Status
--------------------------------------------------
10.10.113.14 10.10.113.14 UP : UP

CAT4#sho wi mo su

Mobility Agent Summary:

Mobility Role : Mobility Agent
Mobility Protocol Port : 16666
Mobility Switch Peer Group Name : CCIEW
Multicast IP Address : 0.0.0.0
DTLS Mode : Enabled
Mobility Domain ID for 802.11r : 0x6b2f
Mobility Keepalive Interval : 10
Mobility Keepalive Count : 3
Mobility Control Message DSCP Value : 48
Switch Peer Group Members Configured : 1

Link Status is Control Link Status : Data Link Status

The status of Mobility Controller:

IP Public IP Link Status
------------------------------------------------
10.10.113.13 10.10.113.13 UP : UP

Switch Peer Group members:

IP Public IP Data Link Status
-----------------------------------------------------
10.10.113.14 10.10.113.14 N/A

15. Configure CAT3 and CAT4 to send mobility messages to each other using multicast group
239.34.34.34.

If we actually had a bunch of MAs, this would be helpful. This config only needs to be done on the MC
and it will be propagated to the MAs in the SPG.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wire mob controller peer-group CCIEW multicast ip 239.34.34.34
CAT3(config)#end

CAT3#sho wi mo su
[lines omitted]
Switch Peer Group Name : CCIEW
Switch Peer Group Member Count : 1
Bridge Domain ID : 0
Multicast IP Address : 239.34.34.34

IP Public IP Link Status
--------------------------------------------------
10.10.113.14 10.10.113.14 UP : UP

CAT4#sho wi mo su

Mobility Agent Summary:

Mobility Role : Mobility Agent
Mobility Protocol Port : 16666
Mobility Switch Peer Group Name : CCIEW
Multicast IP Address : 239.34.34.34
DTLS Mode : Enabled
Mobility Domain ID for 802.11r : 0x6b2f
[lines omitted]

16. CAT4 should start trying to send excess clients to other MAs after it reaches 500 local clients.

This is a common config on switches that handle the APs at the entrances of buildings, where many
clients will get their point of presence (PoP) anchored.

CAT4#config t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#wire mob load-balance threshold 500
CAT4(config)#end

CAT4#sho wire mob load-balance summary

Mobility Load-Balancing Summary

Load-balancing status : Enabled
Load-balancing threshold : 500

17. Configure WLC3 as an MC in the mobility group DMZ.

18. Add WLC3 and CAT3 to each other’s mobility domain list.

19. Verify this configuration on the devices.

WLC3#conf terminal
Enter configuration commands, one per line. End with CNTL/Z.
WLC3(config)#wire mo group name DMZ
WLC3(config)#wire mob group member ip 10.10.113.13 group HQ
WLC3(config)#end

CAT3#conf terminal
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wire mob group mem ip 10.10.112.10 group DMZ
CAT3(config)#end

WLC3#sho wi mo su

Mobility Controller Summary:

Mobility Role : Mobility Controller
Mobility Protocol Port : 16666
Mobility Group Name : DMZ
Mobility Oracle Configured Mode : Disabled
Mobility Oracle Runtime Mode : Disabled
Mobility Oracle IP Address : 0.0.0.0
DTLS Mode : Enabled
Mobility Domain ID for 802.11r : 0x43cd
Mobility Keepalive Interval : 10
Mobility Keepalive Count : 3
Mobility Control Message DSCP Value : 48
Mobility Domain Member Count : 2

Link Status is Control Link Status : Data Link Status

Controllers configured in the Mobility Domain:

IP Public IP Group Name Multicast IP Link Status
-------------------------------------------------------------------------------
10.10.112.10 N/A DMZ 0.0.0.0 N/A
10.10.113.13 10.10.113.13 HQ UP : UP

Scenario 4

This is a scenario where the 3650s are both their own MCs. They will peer with each other, as well as
with the 5760. This is another good real-world scenario.

20. Configure CAT3 to be its own Mobility Controller (MC) for the mobility group named HQ1.

We already have it as a MC, we just need to change the domain name. We should also remove the SPG
config from the last scenario.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wire mob group name HQ1
CAT3(config)#no wire mob cont peer CCIEW
CAT3(config)#end

21. Configure CAT4 to be its own Mobility Controller (MC) for the mobility group named HQ2.

Get ready for another long reboot.

CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#wire mob contr
% Mobility role changed to Mobility Controller.
Please save config and reboot the whole stack.
CAT4(config)#end
CAT4#wr mem
CAT4#reload
Reload command is being issued on Active unit, this will reload the whole stack
Proceed with reload? [confirm]

[wait a long time for the reload to complete]

CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#wire mob group name HQ2
CAT4(config)#end

22. Configure WLC3 as an MC in the mobility group DMZ.

23. Add CAT3, CAT4, and WLC3 to each other’s mobility domain list.

24. These three devices should send mobility keepalives every 5 seconds and consider a peer down
after 5 retries.

25. Verify this configuration on the devices.

WLC3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
WLC3(config)#no wireless mobility group member ip 10.10.113.13
WLC3(config)#wire mo group name DMZ
WLC3(config)#wire mob group member ip 10.10.113.13 group HQ1
WLC3(config)#wire mob group member ip 10.10.113.14 group HQ2
WLC3(config)#wire mob group keepalive interval 5
WLC3(config)#wire mob group keepalive count 5
WLC3(config)#end

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wire mob group member ip 10.10.112.10 group DMZ
CAT3(config)#wire mob group member ip 10.10.113.14 group HQ2
CAT3(config)#wire mob group keepalive interval 5
CAT3(config)#wire mob group keepalive count 5
CAT3(config)#end

CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#wire mob group member ip 10.10.112.10 group DMZ
CAT4(config)#wire mob group member ip 10.10.113.13 group HQ1
CAT4(config)#wire mob group keepalive interval 5
CAT4(config)#wire mob group keepalive count 5
CAT4(config)#end

CAT3#sho wire mob sum

Mobility Controller Summary:

Mobility Role : Mobility Controller
Mobility Protocol Port : 16666
Mobility Group Name : HQ1
Mobility Oracle Configured Mode : Disabled
Mobility Oracle IP Address : 0.0.0.0
DTLS Mode : Enabled
Mobility Domain ID for 802.11r : 0x7f53
Mobility Keepalive Interval : 5
Mobility Keepalive Count : 5
Mobility Control Message DSCP Value : 48
Mobility Domain Member Count : 3

Link Status is Control Link Status : Data Link Status

Controllers configured in the Mobility Domain:

IP Public IP Group Name Multicast IP Link Status
-------------------------------------------------------------------------------
10.10.113.13 N/A HQ1 0.0.0.0 N/A
10.10.112.10 10.10.112.10 DMZ UP : UP
10.10.113.14 10.10.113.14 HQ2 UP : UP
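
To verify the multi-MC peering that scenarios 1 through 4 build up, here is an added Python check (not part of the iPexpert guide) that parses show wireless mobility summary from each MC and cross-checks the domain lists: every peer row must be UP : UP, the group an MC lists for a peer must match the Mobility Group Name that peer actually runs, and the peer must list the MC back. The three outputs it runs on are constructed in the lab's format, with a wrong group name, a missing reverse entry and a down tunnel planted so the findings show; the IP addresses are the lab's.

```python
"""Cross-check 'show wireless mobility summary' output from several IOS-XE MCs.
Added example, not the guide's own code; the sample outputs are constructed in
the format the lab shows, not captured from the rack."""
import re
from dataclasses import dataclass, field

# 'Key : Value' lines (a heading like 'Mobility Controller Summary:' has no value)
KV = re.compile(r"^([A-Za-z0-9 .]+?)\s*:\s*(.+)$")
# Rows under 'Controllers configured in the Mobility Domain': IP, Public IP, Group, rest
ROW = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\S+)(.*)$")
# Link Status column is 'control : data'; the device's own row shows N/A
LINK = re.compile(r"(UP|DOWN|N/A)\s*:\s*(UP|DOWN|N/A)")


@dataclass
class MobilitySummary:
    group: str = ""                                   # Mobility Group Name
    domain_peers: dict = field(default_factory=dict)  # ip -> (group, link)


def parse_summary(text):
    """Parse one MC's 'show wireless mobility summary' output."""
    s = MobilitySummary()
    in_domain = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Controllers configured in the Mobility Domain"):
            in_domain = True
            continue
        if line.startswith("Switch Peer Group"):
            in_domain = False           # SPG tables follow; not part of this check
        if in_domain:
            m = ROW.match(line)
            if m:
                ip, _public, group, rest = m.groups()
                lm = LINK.search(rest)
                s.domain_peers[ip] = (group, f"{lm[1]} : {lm[2]}" if lm else "N/A")
            continue
        m = KV.match(line)
        if m and m[1] == "Mobility Group Name":
            s.group = m[2]
    return s


def check_domain(summaries):
    """summaries: {management_ip: MobilitySummary}.  Returns findings; an empty
    list means every MC-to-MC peering is up, mutual, and names the right group."""
    findings = []
    for ip, s in summaries.items():
        for peer_ip, (listed_group, link) in s.domain_peers.items():
            if peer_ip == ip:
                continue                                # the device's own row
            if link != "UP : UP":
                findings.append(f"{ip}: tunnel to {peer_ip} is {link}")
            peer = summaries.get(peer_ip)
            if peer is None:
                findings.append(f"{ip}: no output collected for peer {peer_ip}")
                continue
            if peer.group != listed_group:
                findings.append(f"{ip}: lists {peer_ip} in group {listed_group}, "
                                f"but it runs {peer.group}")
            if ip not in peer.domain_peers:
                findings.append(f"{peer_ip}: does not list {ip} back")
    return findings


# Constructed samples, abridged to the lines the parser uses.  WLC3's entry for
# CAT3 names the wrong group and omits CAT4; CAT4's tunnel to WLC3 is down.
CAT3 = """\
Mobility Group Name : HQ1
Controllers configured in the Mobility Domain:
IP Public IP Group Name Multicast IP Link Status
10.10.113.13 N/A HQ1 0.0.0.0 N/A
10.10.112.10 10.10.112.10 DMZ UP : UP
10.10.113.14 10.10.113.14 HQ2 UP : UP
"""
WLC3 = """\
Mobility Group Name : DMZ
Controllers configured in the Mobility Domain:
IP Public IP Group Name Multicast IP Link Status
10.10.112.10 N/A DMZ 0.0.0.0 N/A
10.10.113.13 10.10.113.13 HQ2 UP : UP
"""
CAT4 = """\
Mobility Group Name : HQ2
Controllers configured in the Mobility Domain:
IP Public IP Group Name Multicast IP Link Status
10.10.113.14 N/A HQ2 0.0.0.0 N/A
10.10.112.10 10.10.112.10 DMZ DOWN : DOWN
10.10.113.13 10.10.113.13 HQ1 UP : UP
"""
SAMPLES = {"10.10.113.13": CAT3, "10.10.112.10": WLC3, "10.10.113.14": CAT4}


def audit(samples=SAMPLES):
    """Parse every device's output and cross-check the mobility domain."""
    return check_domain({ip: parse_summary(t) for ip, t in samples.items()})
```

Feed it the real outputs keyed by each device's wireless management IP and an empty list is the pass condition.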

Helpful Verification Commands

• show wireless mobility summary (IOS-XE)
• show mobility summary (AireOS)

Technical Verification and Support

For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.

This concludes Lab 119 of iPexpert’s CCIE Wireless DSG, Section 4, Volume 1
Copyright© iPexpert. All Rights Reserved.

Lab 120: AP Joins :: Detailed Solutions

Technologies Covered

• AP Joins
• AP Authorization

Detailed Solution Guide

This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.

iPexpert’s Recommended Reading Material

All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

 3650 Config Guide 3.6- Chapter 27

iPexpert’s Recommended Video Training

iPexpert’s video on demand training library contains a wealth of videos pertaining to the CCIE Wireless
Lab exam. We recommend watching the following learning videos prior to completing this lab scenario.

• Video Title: Unified Wireless (Converged)- AP Controller Discovery and Join Authorization

Topology Detail

This lab requires access to CAT1-4, WLC3, and HQ LAPs in your rack.

Diagram 120.1: AP Joins Topology

Lab 120 Setup

• Can this lab be practiced without completing a previous lab: YES
• If so, which lab load should be used: Converged Controllers- Base
• Can this lab be practiced without a fresh lab load by using the final config of the previous lab: NO

Configuration Tasks :: Detailed Solutions

In this scenario, CAT3-4 are in an SPG named CCIEW with WLC3 configured as their MC.

1. Configure LAP1 and LAP3 to join their local switch as their controller.

APs joining to their MA just need to be placed in the same VLAN as the MA’s wireless management
interface. The CATs are using VLAN 113 as their management interface. Right now, LAP1-2 are already
in VLAN113 and LAP3 is in VLAN 114, so let’s move LAP3 into VLAN 113.

CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#int gi1/0/3
CAT4(config-if)#sw acc vl 113
CAT4(config-if)#end

CAT4#sho ap sum
Number of APs: 2

Global AP User Name: Not configured
Global AP Dot1x User Name: Not configured

AP Name AP Model Ethernet MAC Radio MAC State
----------------------------------------------------------------------------------------
APfc99.4794.6393 1262N fc99.4794.6393 34a8.4ec5.4500 Downloading
AP74a2.e661.2ea7 1602I 74a2.e661.2ea7 a055.4f40.cb40 Registered

2. Configure CAT3 so that it only accepts APs with MICs.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#ap auth-list ap-policy mic
CAT3(config)#end

CAT3#sho ap auth-list
Authorize MIC APs against AAA : Disabled

APs Allowed to Join:
AP with Manufacturing Installed Certificate : Enabled
AP with Self-Signed Certificate : Disabled

3. Configure CAT4 to only allow LAP3 to be able to join it by using AP authorization.

When dealing with filtering, I always like to ensure that my desired AP(s) join without it first. Once they
are joined, I use that information to build the policy. Rather than rebooting the APs, a faster method
to kick them off is to clear their DHCP address.

CAT4#sho ap summary
Number of APs: 2

Global AP User Name: Not configured
Global AP Dot1x User Name: Not configured

AP Name AP Model Ethernet MAC Radio MAC State
----------------------------------------------------------------------------------------
APfc99.4794.6393 1262N fc99.4794.6393 34a8.4ec5.4500 Registered
AP74a2.e661.2ea7 1602I 74a2.e661.2ea7 a055.4f40.cb40 Registered

CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#ap auth-list ap-policy authorize-ap
CAT4(config)#user 34a84ec54500 mac
CAT4(config)#end

AP74a2.e661.2ea7#release dhcp bvi1
APfc99.4794.6393#release dhcp bvi1

[after the APs drop from the WLC, they pull a new IP and try to rejoin. Only LAP3 is able to]

CAT4#sho ap sum
Number of APs: 1

Global AP User Name: Not configured
Global AP Dot1x User Name: Not configured

AP Name AP Model Ethernet MAC Radio MAC State
----------------------------------------------------------------------------------------
APfc99.4794.6393 1262N fc99.4794.6393 34a8.4ec5.4500 Registered
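
Added Python helper (not the guide's code) for the observe-first approach above: it reads show ap summary, emits the ap auth-list ap-policy authorize-ap policy plus one username <radio-mac> mac line per AP you want to keep (username is assumed to be the full form of the user ... mac command the lab types), and reports which currently joined APs the policy will reject and which wanted APs were never observed. The sample output is constructed from the two APs shown on CAT4.

```python
"""Build the AP authorization allow-list for an IOS-XE MA from what has
already joined, and report which joined APs the policy will reject.

Added example, not the guide's own code.  The sample output is constructed
in the 'show ap summary' format the lab shows.
"""
import re

# One AP row: name, model, Ethernet MAC, radio MAC, state (dotted Cisco MACs)
AP_ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<model>\S+)\s+"
    r"(?P<eth>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+"
    r"(?P<radio>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+(?P<state>\S+)$", re.I)


def parse_ap_summary(text):
    """Return [(ap_name, radio_mac, state), ...] from 'show ap summary'."""
    aps = []
    for line in text.splitlines():
        m = AP_ROW.match(line.strip())
        if m:
            aps.append((m["name"], m["radio"].lower(), m["state"]))
    return aps


def username_mac(mac):
    """Radio MAC as the lab writes it after 'username': 34a8.4ec5.4500 -> 34a84ec54500."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def authorization_plan(summary_text, allowed_names):
    """allowed_names: AP names that should keep joining this MA.

    Returns (config_lines, rejected, missing):
      config_lines - the authorize-ap policy plus one 'username <mac> mac' per allowed AP
                     ('username' assumed to be the full form of the lab's 'user')
      rejected     - joined APs whose radio MAC is not in the list; they will be
                     refused once the policy is active
      missing      - allowed names not seen in the output, so build the list from
                     observed MACs rather than from memory
    """
    aps = parse_ap_summary(summary_text)
    seen = {name for name, _, _ in aps}
    config = ["ap auth-list ap-policy authorize-ap"]
    rejected = []
    for name, radio, _state in aps:
        if name in allowed_names:
            config.append(f"username {username_mac(radio)} mac")
        else:
            rejected.append((name, radio))
    missing = sorted(set(allowed_names) - seen)
    return config, rejected, missing


# Constructed sample: the two APs the lab shows joined to CAT4 before filtering.
CAT4_AP_SUMMARY = """\
Number of APs: 2
AP Name AP Model Ethernet MAC Radio MAC State
----------------------------------------------------------------------------------------
APfc99.4794.6393 1262N fc99.4794.6393 34a8.4ec5.4500 Registered
AP74a2.e661.2ea7 1602I 74a2.e661.2ea7 a055.4f40.cb40 Registered
"""

if __name__ == "__main__":
    cfg, rej, miss = authorization_plan(CAT4_AP_SUMMARY, {"APfc99.4794.6393"})
    print("\n".join(cfg))
    for name, mac in rej:
        print(f"! {name} ({mac}) will be rejected once the policy is on")
    for name in miss:
        print(f"! {name} was not seen joined; verify its radio MAC first")
```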

4. Configure LAP2 and LAP4 to join WLC3 by making WLC3 their primary controller.

We will do as asked and make WLC3 the primary controller, but we also must take LAP2 out of VLAN
113, otherwise the request never makes it to WLC3. CAT4 will absorb the CAPWAP traffic and not
forward it on when it arrives on the wireless management VLAN.

LAP2
AP74a2.e661.2ea7#capwap ap primary-base WLC3 10.10.112.10

LAP4
AP6c20.56d7.63dd#capwap ap primary-base WLC3 10.10.112.10

WLC3#sho ap sum
Number of APs: 2

Global AP User Name: Not configured
Global AP Dot1x User Name: Not configured

AP Name AP Model Ethernet MAC Radio MAC State
----------------------------------------------------------------------------------------
AP6c20.56d7.63dd 1042N 6c20.56d7.63dd 1ce6.c784.3c10 Registered
AP74a2.e661.2ea7 1602I 74a2.e661.2ea7 a055.4f40.cb40 Downloading

5. Rename all APs to their friendly names (i.e. LAP1, LAP2, etc.).

Repeat the process below for each AP.

CAT3#sho ap sum
Number of APs: 1

Global AP User Name: Not configured
Global AP Dot1x User Name: Not configured

AP Name AP Model Ethernet MAC Radio MAC State
----------------------------------------------------------------------------------------
AP84b8.0264.d890 3702I 84b8.0264.d890 84b8.0265.4d60 Registered

CAT3#ap name AP84b8.0264.d890 name LAP1

CAT3#sho ap sum
Number of APs: 1

Global AP User Name: Not configured
Global AP Dot1x User Name: Not configured

AP Name AP Model Ethernet MAC Radio MAC State
----------------------------------------------------------------------------------------
LAP1 3702I 84b8.0264.d890 84b8.0265.4d60 Registered

Helpful Verification Commands

• show ap summary
• show ap auth-list

Technical Verification and Support

For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.

This concludes Lab 120 of iPexpert’s CCIE Wireless DSG, Section 4, Volume 1
Copyright© iPexpert. All Rights Reserved.

Lab 121: Logging :: Detailed Solutions

Technologies Covered

• Wireless Logging

Detailed Solution Guide

This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.

iPexpert’s Recommended Reading Material

All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

 3650 Config Guide 3.6- Chapter 94

iPexpert’s Recommended Video Training

iPexpert’s video on demand training library contains a wealth of videos pertaining to the CCIE Wireless
Lab exam. We recommend watching the following learning videos prior to completing this lab scenario.

• Video Title: Unified Wireless (Converged)- AP Logging

Topology Detail

This lab requires access to CAT3-4, WLC3, and HQ LAPs in your rack.


Diagram 121.1: Logging Topology

Lab 121 Setup

• Can this lab be practiced without completing a previous lab: YES
• If so, which lab load should be used: Converged Controllers- Base
• Can this lab be practiced without a fresh lab load by using the final config of the previous lab: YES


Configuration Tasks :: Detailed Solutions

1. Configure CAT4 for the following global wireless AP logging settings.

• Send logs to 10.10.210.8.

• Send informational or higher severity.

• Mark the logs with a facility of Local3.

You should wait to configure logging until all of the APs have joined the switch. While the server IP
should apply to future APs, I don’t know that the level and facility will.

CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#ap syslog host 10.10.210.8
CAT4(config)#ap syslog facility local3
CAT4(config)#ap syslog level inform
CAT4(config)#end

CAT4#sho ap conf global


AP global system logging host : 10.10.210.8

CAT4#sho ap conf gen | in AP N|Logg


Cisco AP Name : LAP3
Logging Trap Severity Level : informational
Cisco AP System Logging Host : 10.10.210.8
Cisco AP Name : LAP2
Logging Trap Severity Level : informational
Cisco AP System Logging Host : 10.10.210.8

2. Configure LAP1 specifically to log at warnings or higher with a facility of local5.

We can do per-AP logging configs as well.

CAT3#ap name LAP1 syslog level warning


CAT3#ap name LAP1 syslog facility local5

CAT3#sho ap conf gen | in AP N|Logg


Cisco AP Name : LAP1


Logging Trap Severity Level : warnings
Cisco AP System Logging Host : 255.255.255.255

For whatever reason, the facility never shows, although this goes along with the switch syslog facility
information as well. I’ve never found a show command that reveals it outside of a show run.
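To make the two logging settings above concrete, here is an added Python example (not from the iPexpert guide and not Cisco code) that computes the syslog PRI value the collector at 10.10.210.8 will see for the global setting (local3, informational) and for LAP1's override (local5, warnings), applies each AP's trap level to a set of constructed events, and decodes the received lines back into facility and severity. The AP names are the lab's; the events and message text are constructed, and the facility and severity codes follow RFC 5424. Since no show command reveals the facility, decoding the PRI on the receiving server is the practical way to confirm it took effect.

```python
"""Syslog PRI arithmetic behind the AP logging settings above (added example)."""
import re

# Facility and severity codes from RFC 5424 section 6.2.1. The severity
# names are the keywords IOS accepts for "ap syslog level"; a lower number
# is more severe.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}
FACILITY_BY_CODE = {v: k for k, v in FACILITIES.items()}
SEVERITY_BY_CODE = {v: k for k, v in SEVERITIES.items()}


def pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity; this is the <N> prefix on the wire."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(value: int) -> tuple:
    """Split a PRI back into (facility, severity) names."""
    return FACILITY_BY_CODE[value // 8], SEVERITY_BY_CODE[value % 8]


def would_send(trap_level: str, msg_severity: str) -> bool:
    """'ap syslog level X' forwards messages at severity X or anything more
    severe, i.e. a numerically lower-or-equal severity code."""
    return SEVERITIES[msg_severity] <= SEVERITIES[trap_level]


# Effective per-AP settings after task 1 (global: local3/informational) and
# task 2 (LAP1 override: local5/warnings).
AP_SETTINGS = {
    "LAP1": {"facility": "local5", "level": "warnings"},
    "LAP2": {"facility": "local3", "level": "informational"},
    "LAP3": {"facility": "local3", "level": "informational"},
}

# Constructed events (AP, severity, text); not real AP output.
EVENTS = [
    ("LAP1", "informational", "client associated"),
    ("LAP1", "warnings", "radio reset"),
    ("LAP2", "informational", "client associated"),
    ("LAP3", "errors", "CAPWAP keepalive lost"),
    ("LAP3", "debugging", "verbose trace"),
]


def emit(events, settings) -> list:
    """Produce the syslog lines each AP would actually send under its trap level."""
    lines = []
    for ap, severity, text in events:
        cfg = settings[ap]
        if would_send(cfg["level"], severity):
            lines.append(f"<{pri(cfg['facility'], severity)}>{ap}: {text}")
    return lines


PRI_RE = re.compile(r"^<(\d{1,3})>(?P<ap>\S+): (?P<body>.*)$")


def receiver_view(lines) -> dict:
    """What the collector at 10.10.210.8 sees, keyed by facility, so an AP
    still sending with the wrong facility stands out immediately."""
    view = {}
    for line in lines:
        m = PRI_RE.match(line)
        if not m:
            continue
        facility, severity = decode_pri(int(m.group(1)))
        view.setdefault(facility, []).append((m.group("ap"), severity, m.group("body")))
    return view


if __name__ == "__main__":
    sent = emit(EVENTS, AP_SETTINGS)
    for line in sent:
        print(line)
    print(receiver_view(sent))
```

Running it shows LAP1 dropping its informational event and tagging the warning with PRI 172 (local5), while LAP2 and LAP3 tag theirs with 158 and 155 (local3); on the collector the facility split is visible even though the switch never displays it.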

3. Verify the settings on the associated APs.

Verified in previous tasks.

Helpful Verification Commands

• show ap conf global
• show ap conf general

Technical Verification and Support

For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.

This concludes Lab 121 of iPexpert’s CCIE Wireless DSG, Section 4, Volume 1
Copyright© iPexpert. All Rights Reserved.


Lab 122: Client RADIUS :: Detailed Solutions

Technologies Covered

• External RADIUS
• Local EAP
• EAP Settings

Detailed Solution Guide

This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.


iPexpert’s Recommended Reading Material

All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

• 3650 Config Guide 3.6- Chapter 58

iPexpert’s Recommended Video Training

iPexpert’s video on demand training library contains a wealth of videos pertaining to the CCIE Wireless
Lab exam. We recommend watching the following learning videos prior to completing this lab scenario.

• Video Title: Unified Wireless (Converged)- RADIUS Servers- External Client RADIUS
• Video Title: Unified Wireless (Converged)- RADIUS Servers- Local Client RADIUS

Topology Detail

This lab requires access to CAT3 and the WIN7 PC in your rack.


Diagram 122.1: Local EAP Topology

Lab 122 Setup

• Can this lab be practiced without completing a previous lab: YES
• If so, which lab load should be used: Converged Controllers- Base
• Can this lab be practiced without a fresh lab load by using the final config of the previous lab: YES


Configuration Tasks :: Detailed Solutions

External RADIUS

1. Configure ISE as a RADIUS server on CAT3.

• IP= 10.10.210.5

• Shared secret= ipexpert

• Auth/acct ports= 1812/1813

2. Configure a server group named ISE that references the ISE server.

3. Configure a dot1x authentication method list named ISE that references the ISE server group only.

4. Enable dot1x system auth control.

You’ve actually done all of this already in the network infrastructure section of the workbook.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#aaa new
CAT3(config)#radius server ISE
CAT3(config-radius-server)#address ipv4 10.10.210.5 auth 1812 acc 1813
CAT3(config-radius-server)#key ipexpert
CAT3(config-radius-server)#exit

CAT3(config)#aaa group server radius ISE


CAT3(config-sg-radius)#server name ISE
CAT3(config-sg-radius)#exit
CAT3(config)#aaa authentication dot1x ISE group ISE
CAT3(config)#dot1x system-auth-control
CAT3(config)#end
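As an added example of what the shared secret and ports above are protecting (not code from the guide, from Cisco or from ISE), the Python below builds a RADIUS Access-Request for the lab user, hides the User-Password the way RFC 2865 prescribes, and verifies the Response Authenticator on an Access-Accept the way the NAS (CAT3) must before it trusts the answer. An 802.1X/PEAP flow carries EAP-Message and Message-Authenticator attributes instead of User-Password, but the shared secret, the per-request authenticator and the response check work the same way. The packet identifier and layout are constructed for the example; the username, password and secret are the lab values.

```python
"""RADIUS Access-Request/Accept exchange and the role of the shared secret (added example)."""
import hashlib
import hmac
import os
import struct

SECRET = b"ipexpert"  # the lab's shared secret; outside a lab use a long random one

# Codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2


def attribute(kind: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", kind, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-byte multiple and XOR each block
    with MD5(secret + previous block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the server performs it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident: int, username: bytes, password: bytes,
                         secret: bytes, authenticator: bytes = None) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    if authenticator is None:
        authenticator = os.urandom(16)  # must be fresh and unpredictable per request
    attrs = attribute(USER_NAME, username)
    attrs += attribute(USER_PASSWORD, hide_password(password, secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_packet(pkt: bytes):
    """Return (code, identifier, authenticator, {type: value})."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = {}, 20
    while pos < length:
        kind, alen = pkt[pos], pkt[pos + 1]
        attrs[kind] = pkt[pos + 2:pos + alen]
        pos += alen
    return code, ident, pkt[4:20], attrs


def response_authenticator(code, ident, request_auth, attrs, secret) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, ident, request_auth, secret, attrs=b"") -> bytes:
    """What the RADIUS server sends back (Accept or Reject)."""
    auth = response_authenticator(code, ident, request_auth, attrs, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def verify_response(resp: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The NAS-side check: an Access-Accept is only trusted if its Response
    Authenticator validates under the NAS's own copy of the secret."""
    code, ident, auth, _ = parse_packet(resp)
    length = struct.unpack("!H", resp[2:4])[0]
    expected = response_authenticator(code, ident, request_auth, resp[20:length], secret)
    return hmac.compare_digest(auth, expected)


if __name__ == "__main__":
    req = build_access_request(7, b"iseuser1", b"IPexpert123", SECRET)
    _, _, req_auth, attrs = parse_packet(req)
    print("server recovers:", reveal_password(attrs[USER_PASSWORD], SECRET, req_auth))
    accept = build_response(ACCESS_ACCEPT, 7, req_auth, SECRET)
    print("accept valid with right secret:", verify_response(accept, req_auth, SECRET))
    print("accept valid with wrong secret:", verify_response(accept, req_auth, b"nope"))
```

The last two prints are the point of the exercise: a mismatched secret on either side does not produce an error message, it produces an Access-Accept that the switch silently refuses to honour (or a password the server cannot recover), which is why a wrong `key` shows up as clients failing authentication rather than as a configuration fault.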

5. Configure a WLAN on CAT3 to use ISE as the RADIUS server.

• SSID= HQ-WPAEAP1-Pod# (where # is your rack #).

• VLAN= 13

• Security= WPA2/AES with 802.1x


6. Have your client connect using PEAP and supply the credentials below.

• User= iseuser1

• Password= IPexpert123

WLANs are WPA2/AES with 802.1x by default, so there’s not too much to the config.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wlan HQ-WPAEAP1-Pod1 1 HQ-WPAEAP1-Pod1
CAT3(config-wlan)#sec dot1x authentication-list ISE
CAT3(config-wlan)#client vlan 13
CAT3(config-wlan)#no shut
CAT3(config-wlan)#end

Local RADIUS

7. Install a server certificate for CAT3 to present to clients during PEAP or EAP-TLS authentications.
The needed files can be found on the WIN7 PC at C:\Rack Files\Certificates\.

• CA file= CA.pem

• Private key file= cat3key.pem

• Switch certificate file= cat3.pem

• Certificate password= IPexpert123


• Use a trustpoint named LOCALEAP.

This is the same process (and same certificate) used for the HTTPS cert install earlier in this section.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#crypto pki import LOCALEAP pem term password IPexpert123
% Enter PEM-formatted CA certificate.
% End with a blank line or "quit" on a line by itself.
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

% Enter PEM-formatted encrypted private General Purpose key.


% End with "quit" on a line by itself.
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,C4B2FA1157D28B1A

Q+v7Xu44Z3M0MXPQp3Ya8Ql/5iHDjg4kmZXYTkuIEGtG+3tuef7vQvMa8HRnYXU/
1d9bepPNIH5dnHQZok7b793Ohy/Z8Yc0IFqFESpcNNeDuFz/ArEfHGeQjoY1SuP/

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-----END RSA PRIVATE KEY-----

quit
% Enter PEM-formatted General Purpose certificate.
% End with a blank line or "quit" on a line by itself.
-----BEGIN CERTIFICATE-----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
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-----END CERTIFICATE-----

% PEM files import succeeded.


CAT3(config)#crypto pki trustpoint LOCALEAP
CAT3(ca-trustpoint)#revocation-check none
CAT3(ca-trustpoint)#end

I tend to disable the revocation check in the trustpoint as a matter of habit, as I’ve had it break things
before if there are issues with the lookup.

8. Create a local EAP profile named “CCIEW”

• Allow all EAP types except for LEAP.

• Choose to use the newly installed server cert during EAP-TLS or PEAP authentications.


This controls what EAP methods are allowed for the clients. Be sure to call out the trustpoint to support
PEAP/EAP-TLS clients.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#eap profile CCIEW
CAT3(config-eap-profile)# method peap
CAT3(config-eap-profile)# method tls
CAT3(config-eap-profile)# method fast
CAT3(config-eap-profile)# pki-trustpoint LOCALEAP
CAT3(config-eap-profile)#end

9. Create an EAP-FAST profile named FAST with the following settings.

• Server Key= 1234567890

• Authority ID= CAT3

This determines how EAP-FAST will be handled. Normally the default settings are fine.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#eap method fast profile FAST
CAT3(config-eap-method-profile)# authority-id identity CAT3
CAT3(config-eap-method-profile)# local-key 0 1234567890
CAT3(config-eap-method-profile)#end

10. Create a local user account for client authentications.

• User= catuser1

• Password= IPexpert123

These are different than the management users you have created before.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#user-name catuser1
CAT3(config-user-name)# privilege 15
CAT3(config-user-name)# password 0 IPexpert123


CAT3(config-user-name)# type network-user description catuser1


CAT3(config-user-name)#end

11. Alter the HQ-WPAEAP1-PodX WLAN to strictly use local EAP.

Before we do the WLAN config, we need to define some other settings for the local authentications.
These lines basically just say to look local for everything.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#aaa authentication dot1x default local
CAT3(config)#aaa authentication dot1x LOCALEAP local
CAT3(config)#aaa authorization credential-download LOCALEAP local
CAT3(config)#aaa local authentication LOCALEAP authorization LOCALEAP

CAT3(config)#wlan HQ-WPAEAP1-Pod1
CAT3(config-wlan)#shut
CAT3(config-wlan)#no security dot1x authentication-list ISE
CAT3(config-wlan)#local-auth CCIEW
CAT3(config-wlan)#no shut
CAT3(config-wlan)#end

12. Test connecting to the WLAN using the WIN7 client using PEAP and EAP-TLS.

You should be able to connect with both PEAP using the new local credentials or with EAP-TLS.


Helpful Verification Commands

• show run

Technical Verification and Support

For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.

This concludes Lab 122 of iPexpert’s CCIE Wireless DSG, Section 4, Volume 1
Copyright© iPexpert. All Rights Reserved.


Lab 123: ACLs :: Detailed Solutions

Technologies Covered

• Wireless ACLs

Detailed Solution Guide

This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.


iPexpert’s Recommended Reading Material

All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

• 3650 Config Guide 3.6- Chapter 63

iPexpert’s Recommended Video Training

iPexpert’s video on demand training library contains a wealth of videos pertaining to the CCIE Wireless
Lab exam. We recommend watching the following learning videos prior to completing this lab scenario.

• Video Title: Unified Wireless (Converged)- Wireless ACLs

Topology Detail

This lab requires access to CAT3 and the WIN7 PC in your rack.


Diagram 123.1: ACLs Topology

Lab 123 Setup

• Can this lab be practiced without completing a previous lab: YES
• If so, which lab load should be used: Converged Controllers- WLANs
• Can this lab be practiced without a fresh lab load by using the final config of the previous lab: NO


Configuration Tasks :: Detailed Solutions

All configurations are on CAT3.

1. Configure an extended IPv4 ACL named CCIEW1 that would apply to traffic coming from a wireless
client that does the following.

• Disallows all ping attempts from the clients.

• Other VLANs should be able to ping the wireless clients.

• Allows all other traffic.

2. Configure an extended IPv4 ACL named CCIEW2 that would apply to traffic coming from a wireless
client that does the following.

• Allows all ICMP traffic.

• Allows the clients to pull IPs via DHCP.

• Allows the client to use the DNS server at 10.10.210.8.

• Disallows all other traffic.

ACLs on converged access are applied in the inbound direction (as traffic comes from the client to the
AP/controller). We don’t need to worry about allowing/blocking traffic heading out to the wireless
client.

To prevent clients from pinging, but allow the clients to be pinged, we just need to make sure that we
only block incoming echo requests, while allowing the echo replies. We can do that with IOS-based
ACLs.

On the 2nd ACL, be sure to allow DNS using both UDP and TCP. It’s normally just UDP between the client
and server, but depending on the size of the reply, TCP can be invoked.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#ip access-list extended CCIEW1
CAT3(config-ext-nacl)#deny icmp any any echo
CAT3(config-ext-nacl)#permit ip any any
CAT3(config-ext-nacl)#exit

CAT3(config)#ip access-list extended CCIEW2


CAT3(config-ext-nacl)#permit icmp any any


CAT3(config-ext-nacl)#permit udp any any eq 67


CAT3(config-ext-nacl)#permit udp any host 10.10.210.8 eq 53
CAT3(config-ext-nacl)#permit tcp any host 10.10.210.8 eq 53
CAT3(config-ext-nacl)#end
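The behaviour described above can be checked offline before touching a client. The Python below is an added example (not from the guide or from Cisco) that parses the two ACLs exactly as typed on CAT3, applies IOS first-match and implicit-deny semantics, and evaluates constructed client packets: the echo/echo-reply split that lets the client be pinged but not ping, DHCP, DNS over both transports, and the web request that the text later shows failing on the second WLAN. The client addresses are the ones the lab reports; the 192.0.2.x hosts are placeholders for the pinging router and a web server, and all packet fields are constructed.

```python
"""Evaluate IOS extended ACLs as the WLAN ip access-group applies them inbound (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

PORT_NAMES = {"domain": 53, "bootps": 67, "bootpc": 68, "www": 80}  # IOS keywords used here


@dataclass(frozen=True)
class Packet:
    proto: str                       # "icmp", "udp" or "tcp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[str] = None  # "echo" or "echo-reply"


@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "icmp", "udp" or "tcp"
    src: str                         # "any" or CIDR
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[str] = None

    def matches(self, p: "Packet") -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not _covers(self.src, p.src) or not _covers(self.dst, p.dst):
            return False
        for want, have in ((self.sport, p.sport), (self.dport, p.dport), (self.icmp_type, p.icmp_type)):
            if want is not None and want != have:
                return False
        return True


def _covers(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def _address(t, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' (contiguous wildcards only)."""
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return t[i + 1] + "/32", i + 2
    wildcard = int(ip_address(t[i + 1]))
    if (wildcard + 1) & wildcard:
        raise ValueError("non-contiguous wildcard mask not supported")
    return f"{t[i]}/{32 - wildcard.bit_length()}", i + 2


def _port(t, i):
    """Consume an optional 'eq <port>'; an unknown keyword raises rather than matching anything."""
    if i < len(t) and t[i] == "eq":
        name = t[i + 1]
        return (int(name) if name.isdigit() else PORT_NAMES[name]), i + 2
    return None, i


def parse_ace(text: str) -> Ace:
    """Parse one line as typed under 'ip access-list extended'."""
    t = text.split()
    src, i = _address(t, 2)
    sport, i = _port(t, i)
    dst, i = _address(t, i)
    dport, i = _port(t, i)
    icmp_type = t[i] if t[1] == "icmp" and i < len(t) else None
    return Ace(t[0], t[1], src, dst, sport, dport, icmp_type)


def evaluate(acl, p: Packet) -> str:
    """IOS semantics: the first matching entry wins; no match is an implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


# The two ACLs from the task, exactly as entered on CAT3.
CCIEW1 = [parse_ace(l) for l in ["deny icmp any any echo", "permit ip any any"]]
CCIEW2 = [parse_ace(l) for l in [
    "permit icmp any any",
    "permit udp any any eq 67",
    "permit udp any host 10.10.210.8 eq 53",
    "permit tcp any host 10.10.210.8 eq 53",
]]

# Constructed traffic: client addresses are the ones the lab text reports;
# the 192.0.2.x hosts stand in for the pinging router and a web server.
CLIENT1, CLIENT2, PINGER, WEBHOST = "10.10.14.151", "10.10.15.153", "192.0.2.10", "192.0.2.20"


def run_checks() -> dict:
    """Verdict for each constructed packet as it enters from the wireless client."""
    return {
        "psk1 client pings out": evaluate(CCIEW1, Packet("icmp", CLIENT1, "10.10.210.8", icmp_type="echo")),
        "psk1 client answers a ping": evaluate(CCIEW1, Packet("icmp", CLIENT1, PINGER, icmp_type="echo-reply")),
        "psk1 client browses": evaluate(CCIEW1, Packet("tcp", CLIENT1, WEBHOST, 51000, 80)),
        "psk2 client pings out": evaluate(CCIEW2, Packet("icmp", CLIENT2, WEBHOST, icmp_type="echo")),
        "psk2 dhcp discover": evaluate(CCIEW2, Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67)),
        "psk2 dns udp": evaluate(CCIEW2, Packet("udp", CLIENT2, "10.10.210.8", 53001, 53)),
        "psk2 dns tcp": evaluate(CCIEW2, Packet("tcp", CLIENT2, "10.10.210.8", 53002, 53)),
        "psk2 dns elsewhere": evaluate(CCIEW2, Packet("udp", CLIENT2, "192.0.2.53", 53003, 53)),
        "psk2 client browses": evaluate(CCIEW2, Packet("tcp", CLIENT2, WEBHOST, 51001, 80)),
    }


if __name__ == "__main__":
    for name, verdict in run_checks().items():
        print(f"{verdict:6}  {name}")
```

The parser deliberately raises on an unknown port keyword instead of treating it as "any port"; a silent fallback there is exactly the kind of defect that turns a restrictive ACL into a permissive one without anyone noticing.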

3. Rename the HQ-WPAPSK1-PodX and HQ-WPAPSK2-PodX WLANs to reflect your rack number (i.e.
rename –PodX to –Pod5 if you are on rack 5).

4. Enable these WLANs.

Unfortunately, we can’t simply rename the WLANs without removing them like we can do on the
AireOS controllers, but at least the config of the converged access controllers makes this not too big of
a deal. Simply copy the running config of the WLANs and paste it into notepad. Then, alter the
profile/SSID names, then delete the WLANs and paste in the updated config. Here is the config to paste
(assuming you were on rack 1).

conf t
no wlan HQ-WPAPSK1-PodX 3 HQ-WPAPSK1-PodX
no wlan HQ-WPAPSK2-PodX 4 HQ-WPAPSK2-PodX

wlan HQ-WPAPSK1-Pod1 3 HQ-WPAPSK1-Pod1


client vlan HQData2
no security wpa akm dot1x
security wpa akm psk set-key ascii 0 ipexpert
session-timeout 1800
no shutdown
wlan HQ-WPAPSK2-Pod1 4 HQ-WPAPSK2-Pod1
client vlan HQData3
no security wpa akm dot1x
security wpa akm psk set-key ascii 0 ipexpert
security wpa wpa1
security wpa wpa1 ciphers tkip
session-timeout 1800
no shutdown

5. Apply the CCIEW1 ACL to HQ-WPAPSK1-PodX.

6. Apply the CCIEW2 ACL to HQ-WPAPSK2 PodX.

CAT3#conf t


Enter configuration commands, one per line. End with CNTL/Z.


CAT3(config)#wlan HQ-WPAPSK1-Pod1
CAT3(config-wlan)#shut
CAT3(config-wlan)#ip access-group CCIEW1
CAT3(config-wlan)#no shut

CAT3(config-wlan)#wlan HQ-WPAPSK2-Pod1
CAT3(config-wlan)#shut
CAT3(config-wlan)#ip access-group CCIEW2
CAT3(config-wlan)#no shut
CAT3(config-wlan)#end

7. Connect to these WLANs and test your ACLs.

NOTE
The WIN7 PC has a wired interface on VLAN5, so do not test to targets on VLAN 5 as that traffic will exit
the wired interface rather than the wireless interface.

First, I’ll connect to the HQ-WPAPSK1-PodX WLAN. I pull the IP address 10.10.14.151. When I do ping
tests, I can ping via IPv6, but not via IPv4.


But, I can go over to CAT2 and ping the wireless client.

CAT2#ping 10.10.14.151
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.14.151, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/7/9 ms

Now, let’s test the other WLAN. I connect and pull an address of 10.10.15.153.

I can ping WLC4 by name (testing both ICMP and DNS). But I cannot pull up the web page for WLC4.


8. Configure the HQ-WPAEAP1-PodX WLAN so that it supports dACLs.

DACLs require AAA override to be enabled to accept the ACL.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wlan HQ-WPAEAP1-PodX
CAT3(config-wlan)#aaa-override
CAT3(config-wlan)#end


CAT3#sho wlan name HQ-WPAEAP1-PodX


WLAN Profile Name : HQ-WPAEAP1-PodX
================================================
Identifier : 1
Network Name (SSID) : HQ-WPAEAP1-PodX
Status : Disabled
Broadcast SSID : Enabled
Max Associated Clients per WLAN : 0
Max Associated Clients per AP per WLAN : 0
Max Associated Clients per AP Radio per WLAN : 0
AAA Policy Override : Enabled
[lines omitted]

Helpful Verification Commands

• show access-list
• show wlan name

Technical Verification and Support

For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.

This concludes Lab 123 of iPexpert’s CCIE Wireless DSG, Section 4, Volume 1
Copyright© iPexpert. All Rights Reserved.


Lab 124: Rogue Policies :: Detailed Solutions

Technologies Covered

• Rogue Policies

Detailed Solution Guide

This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.


iPexpert’s Recommended Reading Material

All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

• 3650 Config Guide 3.6- Chapter 74
• 3650 Config Guide 3.6- Chapter 75

iPexpert’s Recommended Video Training

iPexpert’s video on demand training library contains a wealth of videos pertaining to the CCIE Wireless
Lab exam. We recommend watching the following learning videos prior to completing this lab scenario.

• Video Title: Unified Wireless (Converged)- Rogue Policies

Topology Detail

This lab requires access to CAT3 in your rack.


Diagram 124.1: Rogue Policies Topology

Lab 124 Setup

• Can this lab be practiced without completing a previous lab: YES
• If so, which lab load should be used: Converged Controllers- WLANs
• Can this lab be practiced without a fresh lab load by using the final config of the previous lab: YES


Configuration Tasks :: Detailed Solutions

All configurations are on CAT3.

General Rogue Configs

1. Configure monitor mode APs to attempt to associate to rogue APs advertising open SSIDs to
determine if they are on your wired network.

• If the rogue AP is determined to be on your wired network, automatically contain it using a single
monitor mode AP.

2. Disable the detection of peer-to-peer 802.11 wireless networks.

3. Remove rogue APs from the rogue list if they haven’t been seen in the last 10 minutes.

4. Ignore rogue APs at RSSIs below -78.

5. Check with AAA servers to see if any detected rogue clients are yours.

6. APs should report their detected rogues to their WLC every 42 seconds.

7. Have your APs only scan for rogues on channels configured in the DCA list.

• Your APs should scan through the list of channels every 2 minutes.

In real life, be extremely cautious about enabling auto-contain. You could end up with a big fine if you
aren’t careful.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wireless wps rogue ap rldp auto-contain monitor-ap-only
Warning! Enabling rogue containment may have legal consequences.
Do you want to continue? (y/n)[y]: y
CAT3(config)#wireless wps rogue auto-contain level 1

CAT3(config)#no wireless wps rogue adhoc

CAT3(config)#wireless wps rogue ap timeout 600

CAT3(config)#wireless wps rogue detection min-rssi -78

CAT3(config)#wireless wps rogue client aaa


CAT3(config)#wireless wps rogue detection report-interval 42

CAT3(config)#ap dot11 24ghz rrm monitor channel-list dca


CAT3(config)#ap dot11 5ghz rrm monitor channel-list dca
CAT3(config)#ap dot11 24ghz rrm monitor noise 120
CAT3(config)#ap dot11 5ghz rrm monitor noise 120
CAT3(config)#end

CAT3#show wireless wps rogue adhoc summary

Detect and report Ad-Hoc Networks : Disabled


Auto-Contain Ad-Hoc Networks : Disabled

CAT3#show wireless wps rogue ap summary

Rogue Location Discovery Protocol : Enabled and Monitor-Only


Rogue on wire Auto-Contain : Enabled
Rogue using our SSID Auto-Contain : Disabled
Valid client on rogue AP Auto-Contain : Disabled
Rogue AP timeout : 600
Rogue Detection Report Interval : 42
Rogue AP minimum RSSI : -78
Rogue AP minimum transient time : 0

Number of rogue APs detected : 28

Rogue Rules

Create the following rogue rules.

8. Rule 1

• Name= rule1

• Type= Friendly

• Match any of the following conditions.


o SSID= Lab1

o SSID= Lab2

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wire wps rogue rule rule1 priority 1
CAT3(config-rule)#classify friendly
CAT3(config-rule)#condition ssid Lab1
CAT3(config-rule)#condition ssid Lab2
CAT3(config-rule)#no shut
CAT3(config-rule)#end

CAT3#sho wire wps rog rule detailed rule1

Priority : 1
Rule Name : rule1
State : Enabled
Type : Friendly
Match Operation : Any
Hit Count : 0
Total Conditions : 1
Condition :
type : Ssid
SSID Count : 2
SSID 1 : Lab1
SSID 2 : Lab2

The match operation doesn’t really matter here since we only have 1 condition.

9. Rule 2

• Name= rule2

• Type= Friendly

• Match all of the following conditions.

o RSSI is less than -70 dBm.

o It has been around for at least 30 minutes.


o Uses an open SSID.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wire wps rogue rule rule2 priority 2
CAT3(config-rule)#classify friendly
CAT3(config-rule)#match all
CAT3(config-rule)#condition rssi -70
CAT3(config-rule)#con duration 1800
CAT3(config-rule)#cond encryption off
CAT3(config-rule)#no shut
CAT3(config-rule)#end

CAT3#sho wire wps rog rule detailed rule2

Priority : 2
Rule Name : rule2
State : Enabled
Type : Friendly
Match Operation : All
Hit Count : 3
Total Conditions : 3
Condition :
type : Duration
value (seconds) : 1800
Condition :
type : No-encryption
value : Enabled
Condition :
type : Rssi
value (dBm) : -70

10. Rule 3

• Name= rule3

• Type= malicious

• Match all of the following criteria.


o Uses one of your SSIDs.

o Has at least 2 clients associated.

11. Ensure that rule 3 is processed before the other rules.

12. Ensure all of these rules are enabled.

CAT3# conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wire wps rogue rule rule3 priority 1
CAT3(config-rule)#classify malicious
CAT3(config-rule)#match all
CAT3(config-rule)#condition infrastructure ssid
CAT3(config-rule)#condition client-count 2
CAT3(config-rule)#no shut
CAT3(config-rule)#end

CAT3#sho wire wps rog rule detailed rule3

Priority : 1
Rule Name : rule3
State : Enabled
Type : Malicious
Match Operation : All
Hit Count : 0
Total Conditions : 2
Condition :
type : Client-count
value : 2
Condition :
type : Managed-ssid
value : Enabled

CAT3#sho wire wps rog rule summary

Priority Rule Name State Type Match Hit Count


------------------------------------------------------------------------
2 rule1 Enabled Friendly Any 0


3 rule2 Enabled Friendly All 3


1 rule3 Enabled Malicious All 0

Ensure that rule3 has priority 1 so that it is processed first.

13. Ensure that a rogue AP with the MAC address of 00:11:22:33:44:55 is automatically marked as
friendly-internal, regardless of whether it would have matched the malicious rule.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wire wps rogue ap friendly 00:11:22:33:44:55 state internal
CAT3(config)#end

CAT3#sho wireless wps rogue ap friendly summary

Number of APs : 4

MAC Address State # APs # Clients Last Heard


--------------------------------------------------------------------------------------
0011.2233.4455 Internal 0 0 Not Heard
001c.0f82.b131 Alert 1 0 Fri Aug 28 19:40:54 2015
203a.07b6.85e0 Alert 1 0 Fri Aug 28 19:37:25 2015
3436.3bc2.2503 Alert 1 0 Fri Aug 28 19:40:55 2015
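To see how priority, match operation and the static friendly entry interact, here is an added Python example (not from the guide or from Cisco) that evaluates constructed rogue records against the three rules with the priorities shown in the rule summary, the -78 dBm detection floor from task 4, and the 00:11:22:33:44:55 friendly entry from task 13. The managed SSID list assumes rack 1 names; the sample MACs beyond the ones in the output above are constructed; and the RSSI condition is modelled as the task words it (RSSI below the configured value), which is an assumption to verify against the configuration guide's definition of that condition.

```python
"""Rogue rule evaluation in the order the controller applies it (added example)."""
from dataclasses import dataclass, field
from typing import List, Tuple


def canon_mac(mac: str) -> str:
    """The rule was typed as 00:11:22:33:44:55 but show output prints 0011.2233.4455;
    compare MACs in one canonical form so the static entry actually matches."""
    return mac.replace(":", "").replace(".", "").replace("-", "").lower()


@dataclass
class Rogue:
    mac: str
    ssid: str
    rssi: int            # dBm as reported by the detecting AP
    seen_seconds: int    # how long the rogue has been tracked
    encrypted: bool
    clients: int


@dataclass
class Rule:
    name: str
    priority: int
    classify: str                 # "friendly" or "malicious"
    match_all: bool = False       # the default is "match any"
    enabled: bool = True          # "no shut" under the rule
    conditions: List[Tuple] = field(default_factory=list)


# SSIDs this controller serves (rack 1 names assumed); "condition infrastructure ssid" compares against these.
MANAGED_SSIDS = {"HQ-WPAEAP1-Pod1", "HQ-WPAPSK1-Pod1", "HQ-WPAPSK2-Pod1"}


def condition_hit(cond: Tuple, r: Rogue) -> bool:
    kind, value = cond
    if kind == "ssid":                 # one condition holding a list of SSIDs, as the show output reflects
        return r.ssid in value
    if kind == "rssi":                 # ASSUMPTION: modelled as the task text words it ("RSSI is less than");
        return r.rssi < value          # confirm the platform's definition before relying on it
    if kind == "duration":
        return r.seen_seconds >= value
    if kind == "encryption-off":
        return not r.encrypted
    if kind == "infrastructure-ssid":
        return r.ssid in MANAGED_SSIDS
    if kind == "client-count":
        return r.clients >= value
    raise ValueError(f"unknown condition {kind}")


def rule_hit(rule: Rule, r: Rogue) -> bool:
    results = [condition_hit(c, r) for c in rule.conditions]
    return all(results) if rule.match_all else any(results)


def classify(r: Rogue, rules, friendly_list, min_rssi: int = -78) -> str:
    """Static friendly entries win outright (task 13); rogues under the detection
    floor are never evaluated (task 4); then enabled rules run in priority order."""
    state = friendly_list.get(canon_mac(r.mac))
    if state:
        return f"friendly-{state}"
    if r.rssi < min_rssi:
        return "ignored"
    for rule in sorted(rules, key=lambda x: x.priority):
        if rule.enabled and rule_hit(rule, r):
            return rule.classify
    return "unclassified"


# The three rules with the priorities shown in the rule summary above.
RULES = [
    Rule("rule1", 2, "friendly", conditions=[("ssid", {"Lab1", "Lab2"})]),
    Rule("rule2", 3, "friendly", match_all=True,
         conditions=[("rssi", -70), ("duration", 1800), ("encryption-off", None)]),
    Rule("rule3", 1, "malicious", match_all=True,
         conditions=[("infrastructure-ssid", None), ("client-count", 2)]),
]
FRIENDLY_LIST = {canon_mac("00:11:22:33:44:55"): "internal"}

# Constructed rogue records; the 0200.* MACs and all SSIDs other than the lab's are made up.
SAMPLES = [
    Rogue("001c.0f82.b131", "Lab1", -60, 120, True, 0),
    Rogue("203a.07b6.85e0", "HQ-WPAEAP1-Pod1", -55, 60, True, 2),
    Rogue("0011.2233.4455", "HQ-WPAEAP1-Pod1", -50, 60, True, 5),
    Rogue("3436.3bc2.2503", "OpenGuest", -85, 3600, False, 0),
    Rogue("0200.0000.0001", "OpenGuest", -74, 3600, False, 0),
    Rogue("0200.0000.0002", "OpenGuest", -74, 600, False, 0),
]


def classify_all(samples=SAMPLES) -> dict:
    return {r.mac: classify(r, RULES, FRIENDLY_LIST) for r in samples}


if __name__ == "__main__":
    for mac, state in classify_all().items():
        print(f"{mac}  {state}")
```

The third sample is the one task 13 is about: it broadcasts a managed SSID with five clients, which would satisfy rule3, yet it ends up friendly-internal because the static entry is consulted before any rule runs.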

Helpful Verification Commands

• show wireless wps rogue adhoc summary
• show wireless wps rogue ap summary
• show wire wps rog rule detailed
• show wireless wps rogue ap friendly summary


Technical Verification and Support

For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.

This concludes Lab 124 of iPexpert’s CCIE Wireless DSG, Section 4, Volume 1
Copyright© iPexpert. All Rights Reserved.


Lab 125: Client Exclusion :: Detailed Solutions

Technologies Covered

• Client Exclusion

Detailed Solution Guide

This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.


iPexpert’s Recommended Reading Material

All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

• N/A

iPexpert’s Recommended Video Training

iPexpert’s video on demand training library contains a wealth of videos pertaining to the CCIE Wireless
Lab exam. We recommend watching the following learning videos prior to completing this lab scenario.

• Video Title: Unified Wireless (Converged)- Client Exclusion

Topology Detail

This lab requires access to CAT3.


Diagram 125.1: Client Exclusion Topology

Lab 125 Setup

• Can this lab be practiced without completing a previous lab: YES
• If so, which lab load should be used: Converged Controllers- WLANs
• Can this lab be practiced without a fresh lab load by using the final config of the previous lab: YES


Configuration Tasks :: Detailed Solutions

1. Configure the HQ-WPAEAP1-PodX WLAN on CAT3 such that clients who experience excessive
authentication or association failures are excluded from associating for 5 minutes.

• Clients should not be excluded if they are statically configured for an IP that is already
currently in use.

We have a few extra exclusion reasons on the switches than we do on the AireOS controllers.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wlan HQ-WPAEAP1-PodX
CAT3(config-wlan)#exclusionlist
CAT3(config-wlan)#exclusionlist timeout 300
CAT3(config-wlan)#exit

CAT3(config)#wireless wps client-exclusion all


CAT3(config)#no wireless wps client-exclusion ip-theft
CAT3(config)#end

CAT3#sho wire wps summary


Auto-Immune
Auto-Immune : Disabled

Client Exclusion Policy


Excessive 802.11-association failures : Enabled
Excessive 802.11-authentication failures: Enabled
Excessive 802.1x-authentication : Enabled
IP-theft : Disabled
Excessive Web authentication failure : Enabled
Cids Shun failure : Enabled
Misconfiguration failure : Enabled
Failed Qos Policy : Enabled
Failed Epm : Enabled

CAT3#sho wlan name HQ-WPAEAP1-PodX | in Excl


Exclusionlist Timeout : 300


Helpful Verification Commands

• show wire wps summary
• show wlan name

Technical Verification and Support

For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.

This concludes Lab 125 of iPexpert’s CCIE Wireless DSG, Section 4, Volume 1
Copyright© iPexpert. All Rights Reserved.


Lab 126: MFP and 802.11w :: Detailed Solutions

Technologies Covered

• Infrastructure MFP
• Client MFP
• 802.11w

Detailed Solution Guide

This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.


iPexpert’s Recommended Reading Material

All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

• N/A

iPexpert’s Recommended Video Training

iPexpert’s Video on Demand training library contains a wealth of videos pertaining to the CCIE
Wireless Lab exam. We recommend watching the following learning videos prior to completing
this lab scenario.

• Video Title: Unified Wireless (Converged)- MFP and 802.11w

Topology Detail

This lab requires access to CAT3-4 in your rack.


Diagram 126.1: MFP and 802.11w Topology

Lab 126 Setup

• Can this lab be practiced without completing a previous lab: YES
• If so, which lab load should be used: Converged Controllers- WLANs
• Can this lab be practiced without a fresh lab load by using the final config of the previous lab: YES


Configuration Tasks :: Detailed Solutions

In this scenario, CAT3-4 are in the same SPG with WLC3 as their MC.

1. Configure CAT3 and CAT4 to use 10.10.205.20 as their NTP server (no authentication).

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#ntp server 10.10.205.20
CAT3(config)#end

CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#ntp server 10.10.205.20
CAT4(config)#end

MFP

2. Enable Infrastructure MFP on both CAT3 and CAT4.

3. Configure the HQ-WPAEAP1-PodX WLAN so that clients who are CCX v5 capable are able to use
client MFP.

• Non-CCX v5 clients should still be allowed to use the WLAN as well.

4. Ensure that HQ-WPAEAP1-PodX is using only WPA2 for key management.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wire wps mfp infrastructure

CAT3(config)#wlan HQ-WPAEAP1-PodX
CAT3(config-wlan)#mfp infrastructure-protection
CAT3(config-wlan)#mfp client
CAT3(config-wlan)#end

CAT3#sho wire wps mfp summary

Global Infrastructure MFP state : Enabled
Controller Time Source Valid : True

WLAN ID  WLAN Name        WLAN Status  Infra. Protection  Client Protection
-------  ---------------  -----------  -----------------  -----------------
1        HQ-WPAEAP1-PodX  Disabled     Enabled            Optional

[lines omitted]

CAT3#sho wlan name HQ-WPAEAP1-PodX | in WPA

WLAN Profile Name : HQ-WPAEAP1-PodX
Network Name (SSID) : HQ-WPAEAP1-PodX
Wi-Fi Protected Access (WPA/WPA2) : Enabled
WPA (SSN IE) : Disabled
WPA2 (RSN IE) : Enabled

CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#wire wps mfp infrastructure

CAT4(config)#wlan HQ-WPAEAP1-PodX
CAT4(config-wlan)#mfp infrastructure-protection
CAT4(config-wlan)#mfp client
CAT4(config-wlan)#end

CAT4#sho wire wps mfp summary

Global Infrastructure MFP state : Enabled
Controller Time Source Valid : True

WLAN ID  WLAN Name        WLAN Status  Infra. Protection  Client Protection
-------  ---------------  -----------  -----------------  -----------------
1        HQ-WPAEAP1-PodX  Disabled     Enabled            Optional

[lines omitted]

CAT4#sho wlan name HQ-WPAEAP1-PodX | in WPA

WLAN Profile Name : HQ-WPAEAP1-PodX
Network Name (SSID) : HQ-WPAEAP1-PodX
Wi-Fi Protected Access (WPA/WPA2) : Enabled
WPA (SSN IE) : Disabled
WPA2 (RSN IE) : Enabled

802.11w

5. Ensure that HQ-WPAPSK1-PodX is only using WPA2/AES for the layer 2 key management and
encryption.

6. Enable 802.11w on the HQ-WPAPSK1-PodX WLAN.

• Clients that do not support 802.11w should still be able to use the WLAN.
• SA Queries should time out after 300 ms.
• Set the comeback timer to 5 seconds.

7. Enable PMF PSK in addition to regular PSK to support the optional nature that we specified.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wlan HQ-WPAPSK1-Pod1
CAT3(config-wlan)#shut
CAT3(config-wlan)#no security wpa wpa1
CAT3(config-wlan)#security wpa wpa2 ciphers aes
CAT3(config-wlan)#security pmf optional
CAT3(config-wlan)#security pmf saquery-retry-time 300
CAT3(config-wlan)#security pmf association-comeback 5
CAT3(config-wlan)#security wpa akm pmf psk
CAT3(config-wlan)#no shut
CAT3(config-wlan)#end

CAT3#sho wlan name HQ-WPAPSK1-Pod1 | b Security

Security
802.11 Authentication : Open System
Static WEP Keys : Disabled
802.1X : Disabled
Wi-Fi Protected Access (WPA/WPA2) : Enabled
WPA (SSN IE) : Disabled
WPA2 (RSN IE) : Enabled
TKIP Cipher : Disabled
AES Cipher : Enabled
Auth Key Management
802.1x : Disabled
PSK : Enabled
CCKM : Disabled
FT dot1x : Disabled
FT PSK : Disabled
PMF dot1x : Disabled
PMF PSK : Enabled
FT Support : Disabled
FT Reassociation Timeout : 20
FT Over-The-DS mode : Enabled
PMF Support : Optional
PMF Association Comeback Timeout : 5
PMF SA Query Time : 300
[lines omitted]

CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#wlan HQ-WPAPSK1-PodX
CAT4(config-wlan)#no security wpa wpa1
CAT4(config-wlan)#security wpa wpa2 ciphers aes
CAT4(config-wlan)#security pmf optional
CAT4(config-wlan)#security pmf saquery-retry-time 300
CAT4(config-wlan)#security pmf association-comeback 5
CAT4(config-wlan)#security wpa akm pmf psk
CAT4(config-wlan)#end

CAT4#sho wlan name HQ-WPAPSK1-PodX | b Security

Security
802.11 Authentication : Open System
Static WEP Keys : Disabled
802.1X : Disabled
Wi-Fi Protected Access (WPA/WPA2) : Enabled
WPA (SSN IE) : Disabled
WPA2 (RSN IE) : Enabled
TKIP Cipher : Disabled
AES Cipher : Enabled
Auth Key Management
802.1x : Disabled
PSK : Enabled
CCKM : Disabled
FT dot1x : Disabled
FT PSK : Disabled
PMF dot1x : Disabled
PMF PSK : Enabled
FT Support : Disabled
FT Reassociation Timeout : 20
FT Over-The-DS mode : Enabled
PMF Support : Optional
PMF Association Comeback Timeout : 5
PMF SA Query Time : 300
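As an added audit helper (not part of this guide and not Cisco tooling), the following Python parses the "show wlan name ... | b Security" output above and checks it against tasks 5 through 7; the two sample outputs are constructed, modelled on the verification output shown, with the second one representing a WLAN where WPA1/TKIP are still on and PMF was enabled without its PSK AKM.

```python
"""Audit 'show wlan name <WLAN> | b Security' output from an IOS-XE converged
controller against the WPA2/AES + 802.11w requirements of tasks 5-7."""

# Constructed sample modelled on the CAT4 verification output in this lab;
# it is not a capture from a live switch.
COMPLIANT_OUTPUT = """\
Security
802.11 Authentication : Open System
Static WEP Keys : Disabled
802.1X : Disabled
Wi-Fi Protected Access (WPA/WPA2) : Enabled
WPA (SSN IE) : Disabled
WPA2 (RSN IE) : Enabled
TKIP Cipher : Disabled
AES Cipher : Enabled
Auth Key Management
802.1x : Disabled
PSK : Enabled
CCKM : Disabled
FT dot1x : Disabled
FT PSK : Disabled
PMF dot1x : Disabled
PMF PSK : Enabled
FT Support : Disabled
FT Reassociation Timeout : 20
FT Over-The-DS mode : Enabled
PMF Support : Optional
PMF Association Comeback Timeout : 5
PMF SA Query Time : 300
"""

# Constructed "before" state: WPA1/TKIP still on, PMF turned on but without
# the PMF-PSK AKM, and the PMF timers left at their defaults.
WEAK_OUTPUT = """\
Security
Wi-Fi Protected Access (WPA/WPA2) : Enabled
WPA (SSN IE) : Enabled
WPA2 (RSN IE) : Enabled
TKIP Cipher : Enabled
AES Cipher : Enabled
Auth Key Management
802.1x : Disabled
PSK : Enabled
PMF dot1x : Disabled
PMF PSK : Disabled
PMF Support : Optional
PMF Association Comeback Timeout : 1
PMF SA Query Time : 200
"""


def parse_show_wlan(text):
    """Map each 'Key : Value' line to a dict entry.  Section headings without
    a colon (e.g. 'Auth Key Management') are skipped.  '802.1X' (the top-level
    field) and '802.1x' (the AKM entry) differ in case and stay distinct."""
    fields = {}
    for line in text.splitlines():
        if " : " not in line:
            continue
        key, value = line.split(" : ", 1)
        fields[key.strip()] = value.strip()
    return fields


def audit_pmf(text, pmf_mode="Optional", sa_query_ms=300, comeback_s=5):
    """Return a list of findings; an empty list means the WLAN matches the
    lab requirements (WPA2-only, AES-only, 802.11w with the given timers)."""
    fields = parse_show_wlan(text)
    expected = {
        "WPA (SSN IE)": "Disabled",            # task 5: no WPA1
        "WPA2 (RSN IE)": "Enabled",
        "TKIP Cipher": "Disabled",             # PMF needs AES/CCMP; TKIP cannot protect management frames
        "AES Cipher": "Enabled",
        "PMF Support": pmf_mode,               # task 6: optional, not required
        "PMF SA Query Time": str(sa_query_ms),
        "PMF Association Comeback Timeout": str(comeback_s),
    }
    findings = []
    for key, want in expected.items():
        got = fields.get(key, "<missing>")
        if got != want:
            findings.append(f"{key}: expected {want}, got {got}")

    # Task 7: turning PMF on is not enough by itself.  A PMF-capable client
    # negotiates the PMF variant of the AKM (PMF PSK / PMF dot1x), so the
    # matching PMF AKM must be enabled alongside the regular one.
    pmf_on = fields.get("PMF Support") in ("Optional", "Required")
    for akm, pmf_akm in (("PSK", "PMF PSK"), ("802.1x", "PMF dot1x")):
        if pmf_on and fields.get(akm) == "Enabled" and fields.get(pmf_akm) != "Enabled":
            findings.append(f"{pmf_akm} AKM not enabled although {akm} and PMF are on")
    return findings


if __name__ == "__main__":
    for name, output in (("compliant", COMPLIANT_OUTPUT), ("weak", WEAK_OUTPUT)):
        print(f"{name}: {audit_pmf(output) or ['OK']}")
```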

Helpful Verification Commands

• show wire wps mfp summary
• show wlan name

Technical Verification and Support

For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.

This concludes Lab 126 of iPexpert’s CCIE Wireless DSG, Section 4, Volume 1
Copyright© iPexpert. All Rights Reserved.


Lab 127: AP Configurations :: Detailed Solutions

Technologies Covered

• AP Configurations

Detailed Solution Guide

This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.


iPexpert’s Recommended Reading Material


All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

 N/A

iPexpert’s Recommended Video Training

iPexpert’s Video on Demand training library contains a wealth of videos pertaining to the CCIE
Wireless Lab exam. We recommend watching the following learning videos prior to completing
this lab scenario.

• Video Title: Unified Wireless (Converged)- AP Configurations

Topology Detail

This lab requires access to CAT1-4, WLC3, and HQ LAPs in your rack.


Diagram 127.1: AP Configurations Topology

Lab 127 Setup

• Can this lab be practiced without completing a previous lab: YES
• If so, which lab load should be used: Converged Controllers- WLANs
• Can this lab be practiced without a fresh lab load by using the final config of the previous lab: YES


Configuration Tasks :: Detailed Solutions

1. Configure all APs joined to IOS-XE controllers to try to negotiate 802.1x on their wired ports with
the following credentials.

• User name= lap
• Password= IPexpert123

2. Have LAP2 use different credentials for 802.1x.

• User name= lap2
• Password= IPexpert123

3. Have LAP2 use different management credentials than the default.

• User name= admin
• Password= IPexpert123

4. Enable telnet and SSH access on LAP2.

Be sure to know how to configure AP settings both at a global level and at a per-AP level.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#ap dot1x username lap password 0 IPexpert123
CAT3(config)#end

WLC3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
WLC3(config)#ap dot1x username lap password 0 IPexpert123
WLC3(config)#end

CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#ap dot1x username lap password 0 IPexpert123
CAT4(config)#end
CAT4#ap name LAP2 dot1x-user username lap2 password IPexpert123
CAT4#ap name LAP2 mgmtuser username admin password IPexpert123 secret IPexpert123
CAT4#ap name LAP2 ssh
CAT4#ap name LAP2 telnet

CAT4#sho ap summary
Number of APs: 2

Global AP User Name: Not configured
Global AP Dot1x User Name: lap
[lines omitted]

CAT4#sho ap conf gen | in AP N|1X

Cisco AP Name : LAP3
AP 802.1X User Mode : Global
AP 802.1X User Name : lap
Cisco AP Name : LAP2
AP 802.1X User Mode : Customized
AP 802.1X User Name : lap2

Helpful Verification Commands

• show ap summary

Technical Verification and Support

For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.

This concludes Lab 127 of iPexpert’s CCIE Wireless DSG, Section 4, Volume 1
Copyright© iPexpert. All Rights Reserved.


Lab 128: Client Load Balancing :: Detailed Solutions

Technologies Covered

• Client Load Balancing

Detailed Solution Guide

This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.


iPexpert’s Recommended Reading Material


All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

 3650 Config Guide 3.6- Chapter 86

iPexpert’s Recommended Video Training

iPexpert’s Video on Demand training library contains a wealth of videos pertaining to the CCIE
Wireless Lab exam. We recommend watching the following learning videos prior to completing
this lab scenario.

• Video Title: Unified Wireless (Converged)- Client Load Balancing and BandSelect

Topology Detail

This lab requires access to CAT3 in your rack.


Diagram 128.1: Client Load Balancing Topology

Lab 128 Setup

• Can this lab be practiced without completing a previous lab: YES
• If so, which lab load should be used: Converged Controllers- WLANs
• Can this lab be practiced without a fresh lab load by using the final config of the previous lab: YES


Configuration Tasks :: Detailed Solutions

1. Enable client load balancing on the HQ-WPAEAP1-PodX WLAN on CAT3.

2. Consider an AP busy if it has 7 more clients than the least loaded AP in the area.

3. If a client attempts to join a busy AP, it should be denied twice before being allowed to join.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wlan HQ-WPAEAP1-PodX
CAT3(config-wlan)#load-balance
CAT3(config-wlan)#exit

CAT3(config)#wireless load-balancing denial 2
CAT3(config)#wireless load-balancing window 7
CAT3(config)#end

CAT3#sho wlan name HQ-WPAEAP1-PodX | in Load

Load Balancing : Enabled

CAT3#sho wire load-balancing

Aggressive Load Balancing...................................: per WLAN enabling
Aggressive Load Balancing Window (clients)..................: 7
Aggressive Load Balancing Denial Count......................: 2

Helpful Verification Commands

• show wire load-balancing
• show wlan name

Technical Verification and Support

For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.

This concludes Lab 128 of iPexpert’s CCIE Wireless DSG, Section 4, Volume 1
Copyright© iPexpert. All Rights Reserved.


Lab 129: Band Select :: Detailed Solutions

Technologies Covered

• Band Select

Detailed Solution Guide

This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.


iPexpert’s Recommended Reading Material


All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

 3650 Config Guide 3.6- Chapter 85

iPexpert’s Recommended Video Training

iPexpert’s Video on Demand training library contains a wealth of videos pertaining to the CCIE
Wireless Lab exam. We recommend watching the following learning videos prior to completing
this lab scenario.

• Video Title: Unified Wireless (Converged)- Client Load Balancing and BandSelect

Topology Detail

This lab requires access to CAT3 in your rack.


Diagram 129.1: Band Select Topology

Lab 129 Setup

• Can this lab be practiced without completing a previous lab: YES
• If so, which lab load should be used: Converged Controllers- WLANs
• Can this lab be practiced without a fresh lab load by using the final config of the previous lab: YES


Configuration Tasks :: Detailed Solutions

1. Enable band select on the HQ-WPAEAP1-PodX WLAN.

2. Configure the following global settings for band select.

• Delay responding to 3 probe requests per client on the 2.4 GHz radios.
• Ensure the probe responses are spaced at least 150 ms apart to count as unique.
• Purge 2.4 GHz-only clients from the band select suppression table after 15 seconds.
• Purge dual band clients after 50 seconds.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wlan HQ-WPAEAP1-PodX
CAT3(config-wlan)#band-select
CAT3(config-wlan)#exit

CAT3(config)#wireless client band-select cycle-count 3
CAT3(config)#wireless client band-select cycle-threshold 150
CAT3(config)#wireless client band-select expire suppression 15
CAT3(config)#wireless client band-select expire dual-band 50
CAT3(config)#end

CAT3#sho wlan name HQ-WPAEAP1-PodX | in Band

Band Select : Enabled
Dual Band Support : Disabled

CAT3#sho wireless band-select

Band Select Probe Response : per WLAN enabling
Cycle Count : 3
Cycle Threshold (millisec) : 150
Age Out Suppression (sec) : 15
Age Out Dual Band (sec) : 50
Client RSSI (dBm) : -80
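As an added illustration (not part of this guide and not Cisco's implementation), the Python below models what the four global knobs and the -80 dBm RSSI floor shown above do to a client's 2.4 GHz probe requests; it is written from the task descriptions, and the assumptions that the age-out timers run from the last counted probe and that a client heard probing on 5 GHz is treated as dual-band are mine.

```python
"""Model of the band-select parameters from this lab: cycle count, cycle
threshold, suppression and dual-band age-out, and the client RSSI floor.

Added illustration derived from the task wording, not Cisco's code.  Assumed:
age-out timers are measured from the last probe that counted, and a client
heard on 5 GHz is a dual-band client whose 2.4 GHz probes are ignored."""
from dataclasses import dataclass


@dataclass
class BandSelectConfig:
    cycle_count: int = 3            # probe cycles left unanswered on 2.4 GHz
    cycle_threshold_ms: int = 150   # probes closer together than this are one cycle
    expire_suppression_s: int = 15  # age-out for 2.4 GHz-only clients
    expire_dual_band_s: int = 50    # age-out for clients heard on 5 GHz
    client_rssi_dbm: int = -80      # weaker clients are answered immediately


@dataclass
class _Suppressed:
    last_cycle_ms: int
    cycles: int = 1


class BandSelect:
    """Per-radio state: which clients are being held off 2.4 GHz and why."""

    def __init__(self, cfg: BandSelectConfig):
        self.cfg = cfg
        self.suppressed: dict = {}  # mac -> _Suppressed (2.4 GHz candidates)
        self.dual_band: dict = {}   # mac -> time of last 5 GHz probe (ms)

    def probe(self, mac: str, band: str, t_ms: int, rssi_dbm: int) -> bool:
        """Return True if the AP answers this probe request."""
        if band == "5ghz":
            # Heard on 5 GHz: remember the client as dual-band so that its
            # 2.4 GHz probes are ignored until that entry ages out.
            self.dual_band[mac] = t_ms
            return True
        if rssi_dbm < self.cfg.client_rssi_dbm:
            # Too weak to be steered to 5 GHz: answer on 2.4 GHz at once.
            return True
        last_5ghz = self.dual_band.get(mac)
        if last_5ghz is not None:
            if t_ms - last_5ghz < self.cfg.expire_dual_band_s * 1000:
                return False
            del self.dual_band[mac]  # purged after "expire dual-band"
        entry = self.suppressed.get(mac)
        if entry is None or t_ms - entry.last_cycle_ms >= self.cfg.expire_suppression_s * 1000:
            # New client, or its entry was purged after "expire suppression":
            # counting starts again from the first cycle.
            entry = _Suppressed(last_cycle_ms=t_ms)
            self.suppressed[mac] = entry
        elif t_ms - entry.last_cycle_ms >= self.cfg.cycle_threshold_ms:
            # Far enough from the last counted probe to be a new cycle.
            entry.cycles += 1
            entry.last_cycle_ms = t_ms
        # Hold the first cycle_count cycles; a client that keeps probing
        # 2.4 GHz beyond that is treated as 2.4 GHz-only and answered.
        return entry.cycles > self.cfg.cycle_count


def simulate(probes, cfg=None):
    """Run a list of (mac, band, t_ms, rssi_dbm) probes; return one bool per probe."""
    bs = BandSelect(cfg or BandSelectConfig())
    return [bs.probe(*p) for p in probes]


if __name__ == "__main__":
    # Constructed probe sequence: client aa probes 2.4 GHz in bursts, bb is
    # heard on 5 GHz first, cc is too weak to be steered.
    probes = [("aa", "24ghz", 0, -60), ("aa", "24ghz", 100, -60),
              ("aa", "24ghz", 300, -60), ("aa", "24ghz", 600, -60),
              ("aa", "24ghz", 1000, -60), ("bb", "5ghz", 0, -55),
              ("bb", "24ghz", 500, -55), ("cc", "24ghz", 0, -85)]
    for p, answered in zip(probes, simulate(probes)):
        print(p, "answered" if answered else "suppressed")
```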


Helpful Verification Commands

• show wireless band-select
• show wlan name

Technical Verification and Support

For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.

This concludes Lab 129 of iPexpert’s CCIE Wireless DSG, Section 4, Volume 1
Copyright© iPexpert. All Rights Reserved.


Lab 130: General Radio Settings :: Detailed Solutions

Technologies Covered

• Radio Settings

Detailed Solution Guide

This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.


iPexpert’s Recommended Reading Material


All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

 N/A

iPexpert’s Recommended Video Training

iPexpert’s Video on Demand training library contains a wealth of videos pertaining to the CCIE
Wireless Lab exam. We recommend watching the following learning videos prior to completing
this lab scenario.

• Video Title: Unified Wireless (Converged)- General Radio Settings

Topology Detail

This lab requires access to CAT3-4 and WLC3.


Diagram 130.1: General Radio Settings Topology

Lab 130 Setup

• Can this lab be practiced without completing a previous lab: YES
• If so, which lab load should be used: Converged Controllers- WLANs
• Can this lab be practiced without a fresh lab load by using the final config of the previous lab: YES


Configuration Tasks :: Detailed Solutions

In this scenario, CAT3 and CAT4 are in the same SPG with WLC3 as their MC.

Configure the following on CAT3 and CAT4.

1. Have beacons sent out 5 times per second on the 2.4 GHz radios.

2. Configure 12 Mbps to be the lowest enabled data rate on the 5 GHz radios and ensure that
multicasts are sent out at that data rate.

3. Configure 11 Mbps as the lowest enabled data rate on the 2.4 GHz radios and maintain support for
802.11b clients.

4. Ensure that the APs can inform clients about their power levels so that compatible clients can adjust
their power levels appropriately.

• Ensure that the HQ-WPAEAP1-PodX WLAN supports this feature.

5. Have APs request that CCX v2 compatible clients send out probes every 60 seconds in order for the
unified network to have more location data points for them.

Multicast and broadcast frames are sent at the highest mandatory rate, so for task 2 the 24 Mbps rate is changed from mandatory to supported on 5 GHz, leaving 12 Mbps as the only mandatory rate. On 2.4 GHz, 11 Mbps is left mandatory, which keeps 802.11b clients supported.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#ap dot11 24ghz shut
CAT3(config)#ap dot11 5ghz shut

CAT3(config)#ap dot11 24ghz beaconperiod 200

CAT3(config)#ap dot11 5ghz rate RATE_6M disable
CAT3(config)#ap dot11 5ghz rate RATE_9M disable
CAT3(config)#ap dot11 5ghz rate RATE_24M supported

CAT3(config)#ap dot11 24ghz rate RATE_1M disable
CAT3(config)#ap dot11 24ghz rate RATE_2M disable
CAT3(config)#ap dot11 24ghz rate RATE_5_5M disable
CAT3(config)#ap dot11 24ghz rate RATE_6M disable
CAT3(config)#ap dot11 24ghz rate RATE_9M disable

CAT3(config)#ap dot11 24ghz dtpc
CAT3(config)#ap dot11 5ghz dtpc
CAT3(config)#wlan HQ-WPAEAP1-PodX
CAT3(config-wlan)#ccx aironet-iesupport
CAT3(config-wlan)#exit

CAT3(config)#ap dot11 24ghz rrm ccx location-measurement 60
CAT3(config)#ap dot11 5ghz rrm ccx location-measurement 60

CAT3(config)#no ap dot11 24ghz shut
CAT3(config)#no ap dot11 5ghz shut
CAT3(config)#end

CAT3#sho ap dot11 24ghz network

802.11b Network : Enabled
11gSupport : Enabled
11nSupport : Enabled

802.11b/g Operational Rates
802.11b 1M : Unsupported
802.11b 2M : Unsupported
802.11b 5.5M : Unsupported
802.11g 6M : Unsupported
802.11g 9M : Unsupported
802.11b 11M : Mandatory
802.11g 12M : Supported
802.11g 18M : Supported
802.11g 24M : Supported
802.11g 36M : Supported
802.11g 48M : Supported
802.11g 54M : Supported
[lines omitted]

Beacon Interval : 200
CF Pollable Mandatory : Disabled
CF Poll Request Mandatory : Disabled
CFP Period : 4
CFP Maximum Duration : 60
Default Channel : 11
Default Tx Power Level : 1
DTPC Status : true
[lines omitted]

CAT3#sho ap dot11 5ghz network

802.11a Network : Enabled
11nSupport : Enabled
802.11a Low Band : Enabled
802.11a Mid Band : Enabled
802.11a High Band : Enabled

802.11a Operational Rates
802.11a 6M : Unsupported
802.11a 9M : Unsupported
802.11a 12M : Mandatory
802.11a 18M : Supported
802.11a 24M : Supported
802.11a 36M : Supported
802.11a 48M : Supported
802.11a 54M : Supported
[lines omitted]

DTPC Status : Enabled
[lines omitted]

Helpful Verification Commands

• show ap dot11 24ghz network
• show ap dot11 5ghz network

Technical Verification and Support

For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.

This concludes Lab 130 of iPexpert’s CCIE Wireless DSG, Section 4, Volume 1
Copyright© iPexpert. All Rights Reserved.


Lab 131: RF Groups :: Detailed Solutions

Technologies Covered

• RF Groups

Detailed Solution Guide

This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.


iPexpert’s Recommended Reading Material


All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

 3650 Config Guide 3.6- Chapter 52

iPexpert’s Recommended Video Training

iPexpert’s Video on Demand training library contains a wealth of videos pertaining to the CCIE
Wireless Lab exam. We recommend watching the following learning videos prior to completing
this lab scenario.

• Video Title: Unified Wireless (Converged)- RF Groups

Topology Detail

This lab requires access to CAT3-4 and WLC3.


Diagram 131.1: RF Groups Topology

Lab 131 Setup

• Can this lab be practiced without completing a previous lab: YES
• If so, which lab load should be used: Converged Controllers- WLANs
• Can this lab be practiced without a fresh lab load by using the final config of the previous lab: YES


Configuration Tasks :: Detailed Solutions

In this scenario, CAT3 and CAT4 are in the same SPG with WLC3 as their MC.

1. Configure CAT3-4 and WLC3 to be in an RF group named HQ.

Configure both the MAs and MC in the RF group.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wireless rf-network HQ
CAT3(config)#end

CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#wireless rf-network HQ
CAT4(config)#end

WLC3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
WLC3(config)#wireless rf-network HQ
WLC3(config)#end

WLC3#sho wireless detail

User Timeout : 300
RF network : HQ
Fast SSID : Disabled

2. WLC3 should coordinate RRM with WLC1.

• When available, WLC3 should make all channel and power decisions for the RF group on both radios.

The MC makes the RRM decisions. When there are multiple MCs, or when the converged access
network has to interoperate with an AireOS network, it is the MC that forms the RF group with the
other controllers.


(WLC1) >config network rf-network-name HQ

WLC3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
WLC3(config)#ap dot11 24ghz rrm group-mode leader
WLC3(config)#ap dot11 24ghz rrm group-member WLC1 10.10.111.10
WLC3(config)#ap dot11 5ghz rrm group-mode leader
WLC3(config)#ap dot11 5ghz rrm group-member WLC1 10.10.111.10
WLC3(config)#end

WLC3#show ap dot11 24ghz group

Radio RF Grouping
802.11b Group Mode : STATIC
802.11b Group Update Interval : 600 seconds
802.11b Group Leader : WLC3 (10.10.112.10)
802.11b Group Member : WLC3(10.10.112.10)
                       WLC1(10.10.111.10)
802.11b Last Run : 81 seconds ago

Mobility Agents RF membership information
--------------------------------------------------------------------
No of 802.11b MA RF-members : 2

MA Member name    IP address
--------------------------------------------------
CAT4              10.10.113.14
CAT3              10.10.113.13

WLC3#show ap dot11 5ghz group

Radio RF Grouping
802.11a Group Mode : STATIC
802.11a Group Update Interval : 600 seconds
802.11a Group Leader : WLC3 (10.10.112.10)
802.11a Group Member : WLC3(10.10.112.10)
                       WLC1(10.10.111.10)
802.11a Last Run : 79 seconds ago

Mobility Agents RF membership information
------------------------------------------------------------
No of 802.11a MA RF-members : 2

MA Member name    IP address
--------------------------------------------------
CAT4              10.10.113.14
CAT3              10.10.113.13

3. Have APs on CAT3-4 send neighbor messages every 90 seconds on all radios.

4. APs on CAT3-4 should only scan the DCA channel list when looking for rogues and noise off-channel.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#ap dot11 24ghz rrm monitor signal 90
CAT3(config)#ap dot11 5ghz rrm monitor signal 90
CAT3(config)#ap dot11 24ghz rrm monitor channel-list dca
CAT3(config)#ap dot11 5ghz rrm monitor channel-list dca
CAT3(config)#end

CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#ap dot11 24ghz rrm monitor signal 90
CAT4(config)#ap dot11 5ghz rrm monitor signal 90
CAT4(config)#ap dot11 24ghz rrm monitor channel-list dca
CAT4(config)#ap dot11 5ghz rrm monitor channel-list dca
CAT4(config)#end

CAT3#sho ap dot11 24ghz monitor

Default 802.11b AP monitoring
802.11b Monitor Mode : Enabled
802.11b Monitor Channels : DCA channels
802.11b RRM Neighbor Discover Type : Transparent
802.11b AP Coverage Interval : 180 seconds
802.11b AP Load Interval : 60 seconds
802.11b AP Noise Interval : 120 seconds
802.11b AP Signal Strength Interval : 90 seconds
802.11b NDP RSSI Normalization : Enabled

Helpful Verification Commands

• show wireless detail
• show ap dot11 24ghz group
• show ap dot11 5ghz group
• show ap dot11 24ghz monitor

Technical Verification and Support

For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.

This concludes Lab 131 of iPexpert’s CCIE Wireless DSG, Section 4, Volume 1
Copyright© iPexpert. All Rights Reserved.


Lab 132: TPC :: Detailed Solutions

Technologies Covered

• TPC

Detailed Solution Guide

This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.


iPexpert’s Recommended Reading Material


All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

 3650 Config Guide 3.6- Chapter 52

iPexpert’s Recommended Video Training

iPexpert’s Video on Demand training library contains a wealth of videos pertaining to the CCIE
Wireless Lab exam. We recommend watching the following learning videos prior to completing
this lab scenario.

• Video Title: Unified Wireless (Converged)- TPC

Topology Detail

This lab requires access to CAT3-4 and WLC3.


Diagram 132.1: TPC Topology

Lab 132 Setup

• Can this lab be practiced without completing a previous lab: YES
• If so, which lab load should be used: Converged Controllers- WLANs
• Can this lab be practiced without a fresh lab load by using the final config of the previous lab: YES


Configuration Tasks :: Detailed Solutions

In this scenario, CAT3 and CAT4 are in the same SPG with WLC3 as their MC. TPC settings are configured
on the MC for all associated MAs.

With TPC in Auto mode, the MC will control the transmit power of the APs on itself and the MAs. With
TPC turned off, the MAs are then responsible for manually setting the transmit power. When in doubt,
configure RRM settings identically on both MAs and the MC.

1. Configure WLC3 to automatically calculate power levels on the MA APs every 10 minutes on the 5
GHz radios.

• Power levels should never go above 25 mW or below 9 dBm.

2. Configure CAT3-4 and WLC3 to statically set power levels to 3 on the 2.4 GHz radios.

Since RRM is enabled on the 5 GHz radios, the min/max settings only need to be configured on WLC3,
although it does no harm to configure them on CAT3-4 as well. The txpower max and min values are
given in dBm, and 25 mW is 10 × log10(25) ≈ 14 dBm, which is why the maximum is set to 14. To
statically set the power levels to 3 on the 2.4 GHz radios, however, TPC must be turned off. With TPC
off, these power settings are static and must be configured on each MA (including WLC3, which is an
MA to LAP4) in order for the settings to apply to the associated APs.

WLC3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
WLC3(config)#ap dot11 5ghz shut
WLC3(config)#ap dot11 5ghz rrm txpower auto
WLC3(config)#ap dot11 5ghz rrm txpower max 14
WLC3(config)#ap dot11 5ghz rrm txpower min 9
WLC3(config)#ap dot11 24ghz shut
WLC3(config)#no ap dot11 24ghz rrm txpower auto
WLC3(config)#ap dot11 24ghz rrm txpower 3
WLC3(config)#end

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#ap dot11 24ghz shut
CAT3(config)#no ap dot11 24ghz rrm txpower auto
CAT3(config)#ap dot11 24ghz rrm txpower 3
CAT3(config)#end

CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#ap dot11 24ghz shut
CAT4(config)#no ap dot11 24ghz rrm txpower auto
CAT4(config)#ap dot11 24ghz rrm txpower 3
CAT4(config)#end

3. Configure LAP1 to use power level 1 on both of its radios.

Per-AP power configs are done on the MA, since you are directly configuring an AP.

CAT3#ap name LAP1 dot11 24ghz shutdown
CAT3#ap name LAP1 dot11 24ghz txpower 1
CAT3#ap name LAP1 no dot11 24ghz shutdown

CAT3#ap name LAP1 dot11 5ghz shut
CAT3#ap name LAP1 dot11 5ghz txpower 1
CAT3#ap name LAP1 no dot11 5ghz shut

CAT3#sho ap dot11 24ghz summary

AP Name   MAC Address     Slot  Admin State  Oper State  Channel  Width  TxPwr
-------------------------------------------------------------------------------
LAP1      84b8.0265.4d60  0     Enabled      Up          1*       20     1( )

CAT3#sho ap dot11 5ghz summary

AP Name   MAC Address     Slot  Admin State  Oper State  Channel  Width  TxPwr
-------------------------------------------------------------------------------
LAP1      84b8.0265.4d60  1     Enabled      Up          149*     20     1( )

4. Change the TPC threshold on WLC3 so that the average power levels on the 5 GHz radios drop by 1 compared to the default threshold value (assuming they are in between the max/min settings at the moment).

One AP power level is a 3 dB step, so drop the threshold 3 dB from the default of -70 dBm to -73 dBm. Also, re-enable the radios, since we are done with the tasks.


WLC3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
WLC3(config)#ap dot11 5ghz rrm tpc-threshold -73
WLC3(config)#no ap dot11 24ghz shutdown
WLC3(config)#no ap dot11 5ghz shutdown
WLC3(config)#end

WLC3#sho ap dot11 24ghz txpower

Automatic Transmit Power Assignment
Transmit Power Assignment Mode : OFF
Transmit Power Update Interval : 600 seconds
Transmit Power Threshold : -70 dBm
Transmit Power Neighbor Count : 3 APs
Min Transmit Power : -10 dBm
Max Transmit Power : 30 dBm
Transmit Power Update Contribution : SNI..
Transmit Power Assignment Leader : WLC3 (10.10.112.10)
Last Run : 48 seconds ago

WLC3#sho ap dot11 5ghz txpower

Automatic Transmit Power Assignment
Transmit Power Assignment Mode : AUTO
Transmit Power Update Interval : 600 seconds
Transmit Power Threshold : -73 dBm
Transmit Power Neighbor Count : 3 APs
Min Transmit Power : 9 dBm
Max Transmit Power : 14 dBm
Transmit Power Update Contribution : SNI..
Transmit Power Assignment Leader : WLC3 (10.10.112.10)
Last Run : 30 seconds ago

It can take some time for the global TPC settings to be enforced on the APs; you may have to wait a couple of 10-minute cycles.
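As an added example (not part of iPexpert's guide), the following Python translates the wording of tasks 1 and 4 into the values `show ap dot11 5ghz txpower` must display and checks a captured output against them; the same dB conversion is what turns "4 times better" into the 6 dB hysteresis of Lab 135. The sample output is re-typed from this lab, and the 3 dB-per-power-level step and the -70 dBm default come from the task 4 solution.

```python
import math
import re

# Constructed sample: the 'show ap dot11 5ghz txpower' output from this lab after
# task 4, re-typed here as test input (not captured from a live controller).
SAMPLE_TXPOWER = """\
Automatic Transmit Power Assignment
  Transmit Power Assignment Mode              : AUTO
  Transmit Power Update Interval              : 600 seconds
  Transmit Power Threshold                    : -73 dBm
  Transmit Power Neighbor Count               : 3 APs
  Min Transmit Power                          : 9 dBm
  Max Transmit Power                          : 14 dBm
  Transmit Power Update Contribution          : SNI..
  Transmit Power Assignment Leader            : WLC3 (10.10.112.10)
  Last Run                                    : 30 seconds ago
"""

DEFAULT_TPC_THRESHOLD_DBM = -70   # controller default, as stated in the task 4 solution
DB_PER_POWER_LEVEL = 3            # one AP power level step is 3 dB


def mw_to_dbm(milliwatts: float) -> int:
    """Nearest whole dBm for a power in mW: 10*log10(25) = 13.98, so 25 mW -> 14 dBm."""
    return round(10 * math.log10(milliwatts))


def ratio_to_db(ratio: float) -> int:
    """Nearest whole dB for a power ratio: 4 times stronger -> 6 dB."""
    return round(10 * math.log10(ratio))


def parse_txpower(output: str) -> dict:
    """Map each 'key : value' line of 'show ap dot11 <band> txpower' to its value.
    Values that start with a number are reduced to that integer (unit dropped)."""
    fields = {}
    for line in output.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        number = re.match(r"-?\d+", value)
        fields[key.strip()] = int(number.group()) if number else value
    return fields


def expected_tpc(max_mw: float, min_dbm: int, interval_min: int, levels_dropped: int) -> dict:
    """Translate the task wording into the values the show output must display."""
    return {
        "Transmit Power Assignment Mode": "AUTO",
        "Transmit Power Update Interval": interval_min * 60,
        "Max Transmit Power": mw_to_dbm(max_mw),
        "Min Transmit Power": min_dbm,
        "Transmit Power Threshold": DEFAULT_TPC_THRESHOLD_DBM - levels_dropped * DB_PER_POWER_LEVEL,
    }


def check_tpc(output: str, max_mw: float, min_dbm: int, interval_min: int,
              levels_dropped: int) -> list:
    """Return a list of mismatches; an empty list means the radio meets every task."""
    fields = parse_txpower(output)
    return [f"{key}: expected {want}, found {fields.get(key)}"
            for key, want in expected_tpc(max_mw, min_dbm, interval_min, levels_dropped).items()
            if fields.get(key) != want]
```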


Helpful Verification Commands

• show ap dot11 24ghz summary
• show ap dot11 5ghz summary
• show ap dot11 24ghz txpower
• show ap dot11 5ghz txpower

Technical Verification and Support

For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.

This concludes Lab 132 of iPexpert’s CCIE Wireless DSG, Section 4, Volume 1
Copyright© iPexpert. All Rights Reserved.


Lab 133: DCA :: Detailed Solutions

Technologies Covered

• DCA

Detailed Solution Guide

This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.


iPexpert’s Recommended Reading Material

All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

• 3650 Config Guide 3.6- Chapter 52

iPexpert’s Recommended Video Training

iPexpert’s Video on Demand training library contains a wealth of videos pertaining to the CCIE
Wireless Lab exam. We recommend watching the following learning videos prior to completing
this lab scenario.

• Video Title: Unified Wireless (Converged)- DCA

Topology Detail

This lab requires access to CAT3-4 and WLC3.


Diagram 133.1: DCA Topology

Lab 133 Setup

• Can this lab be practiced without completing a previous lab: YES
• If so, which lab load should be used: Converged Controllers- WLANs
• Can this lab be practiced without a fresh lab load by using the final config of the previous lab: YES


Configuration Tasks :: Detailed Solutions

In this scenario, CAT3 and CAT4 are in the same SPG with WLC3 as their MC.

Most DCA settings are configured on the MC for all associated MAs, as long as DCA is set to Auto and not turned off. If you are ever in doubt about where a setting belongs, configure it on both the MC and the MAs.

1. Have WLC3 dynamically evaluate the channel plan every 2 hours starting at midnight.

2. When running the DCA algorithm:

• Ignore rogue APs.
• Take into account non-wifi signals (including CleanAir detected interferers).
• Take AP 802.11 traffic utilization levels into account.
• Set the DCA channel sensitivity to the setting that would cause the fewest channel change events.

These are some basic DCA settings. As with TPC, DCA is run on the MC.

WLC3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
WLC3(config)#ap dot11 24ghz rrm channel dca anchor-time 0
WLC3(config)#ap dot11 24ghz rrm channel dca interval 2
WLC3(config)#no ap dot11 24ghz rrm channel foreign
WLC3(config)#ap dot11 24ghz rrm channel noise
WLC3(config)#ap dot11 24ghz rrm channel device
WLC3(config)#ap dot11 24ghz rrm channel load
WLC3(config)#ap dot11 24ghz rrm channel dca sensitivity low

WLC3(config)#ap dot11 5ghz rrm channel dca anchor-time 0
WLC3(config)#ap dot11 5ghz rrm channel dca interval 2
WLC3(config)#no ap dot11 5ghz rrm channel foreign
WLC3(config)#ap dot11 5ghz rrm channel noise
WLC3(config)#ap dot11 5ghz rrm channel device
WLC3(config)#ap dot11 5ghz rrm channel load
WLC3(config)#ap dot11 5ghz rrm channel dca sensitivity low
WLC3(config)#end


3. Use 40 MHz wide channels where possible.

This is only possible on the 5 GHz radios.

WLC3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
WLC3(config)#ap dot11 5ghz shut
WLC3(config)#ap dot11 5ghz rrm channel dca chan-width 40
WLC3(config)#no ap dot11 5ghz shut
WLC3(config)#end

4. Disable the use of UNII-3 band channels on the 5 GHz radios for use in DCA.

WLC3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
WLC3(config)#ap dot11 5ghz shut
WLC3(config)#ap dot11 5ghz rrm channel dca remove 149
WLC3(config)#ap dot11 5ghz rrm channel dca remove 153
WLC3(config)#ap dot11 5ghz rrm channel dca remove 157
WLC3(config)#ap dot11 5ghz rrm channel dca remove 161
WLC3(config)#no ap dot11 5ghz shut
WLC3(config)#end

WLC3#sho ap dot11 24ghz channel

Automatic Channel Assignment
Channel Assignment Mode : AUTO
Channel Update Interval : 2 Hours
Anchor time (Hour of the day) : 0
Channel Update Contribution : SN.UD
Channel Assignment Leader : WLC3 (10.10.112.10)
Last Run : 973 seconds ago
DCA Sensitivity Level : LOW (20 dB)
Channel Energy Levels
Minimum : -30
Average : -30
Maximum : -30
Channel Dwell Times
Minimum : 4 hours 2 minutes 22 seconds
Average : 4 hours 2 minutes 22 seconds
Maximum : 4 hours 2 minutes 22 seconds
802.11b Auto-RF Channel List
802.11b Auto-RF Allowed Channel List : 1,6,11
Auto-RF Unused Channel List : 2,3,4,5,7,8,9,10

WLC3#sho ap dot11 5ghz channel

Automatic Channel Assignment
Channel Assignment Mode : AUTO
Channel Update Interval : 2 Hours
Anchor time (Hour of the day) : 0
Channel Update Contribution : SN.UD
Channel Assignment Leader : WLC3 (10.10.112.10)
Last Run : 363 seconds ago
DCA Sensitivity Level : LOW (20 dB)
DCA 802.11n/ac Channel Width : 40 MHz
Channel Energy Levels
Minimum : unknown
Average : unknown
Maximum : unknown
Channel Dwell Times
Minimum : 9 hours 38 minutes 5 seconds
Average : 9 hours 38 minutes 5 seconds
Maximum : 9 hours 38 minutes 5 seconds
802.11a 5 GHz Auto-RF Channel List
Allowed Channel List : 36,40,44,48,52,56,60,64
Unused Channel List : 100,104,108,112,116,132,136,140,149,153,157,161,165
802.11a 4.9 GHz Auto-RF Channel List
Allowed Channel List :
Unused Channel List : 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26
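Added example (not from the guide): a Python check of `show ap dot11 5ghz channel` output against tasks 1 through 4, including the contribution flags and the UNII-3 channel removal. The sample output is re-typed from this lab; the letter-to-metric mapping of the contribution string is inferred from this page (disabling foreign turned the third character into a dot) and is an assumption.

```python
import re

# Constructed sample: the 'show ap dot11 5ghz channel' output from this lab after
# tasks 1-4, re-typed here as test input (not captured from a live controller).
SAMPLE_CHANNEL = """\
Automatic Channel Assignment
  Channel Assignment Mode                    : AUTO
  Channel Update Interval                    : 2 Hours
  Anchor time (Hour of the day)              : 0
  Channel Update Contribution                : SN.UD
  Channel Assignment Leader                  : WLC3 (10.10.112.10)
  Last Run                                   : 363 seconds ago
  DCA Sensitivity Level                      : LOW (20 dB)
  DCA 802.11n/ac Channel Width               : 40 MHz
  802.11a 5 GHz Auto-RF Channel List
  Allowed Channel List                       : 36,40,44,48,52,56,60,64
  Unused Channel List                        : 100,104,108,112,116,132,136,140,149,153,157,161,165
  802.11a 4.9 GHz Auto-RF Channel List
  Allowed Channel List                       :
  Unused Channel List                        : 1,2,3,4,5,6,7,8,9,10
"""

# UNII-3 channels; task 4 takes them out of the DCA channel list.
UNII3_CHANNELS = {149, 153, 157, 161, 165}

# Positions in the 'Channel Update Contribution' string. A letter means that
# metric feeds DCA, a '.' means it is disabled. Mapping assumed from this lab:
# 'no ... rrm channel foreign' turned the third character into '.'.
CONTRIBUTION_FLAGS = ("signal", "noise", "foreign", "load", "device")


def parse_channel(output: str) -> dict:
    """Collect the 'key : value' lines of the 5 GHz part of the show output.
    Parsing stops at the 4.9 GHz section, which repeats the channel-list keys."""
    fields = {}
    for line in output.splitlines():
        if "4.9 GHz" in line:
            break
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def channel_list(value: str) -> set:
    """Turn '36,40,44' into {36, 40, 44}; an empty list yields an empty set."""
    return {int(c) for c in value.split(",") if c.strip()}


def contributions(flags: str) -> dict:
    """Decode 'SN.UD' into {'signal': True, 'noise': True, 'foreign': False, ...}."""
    return {name: flags[i] != "." for i, name in enumerate(CONTRIBUTION_FLAGS)}


def check_dca(output: str, interval_hours: int, anchor_hour: int, width_mhz: int,
              sensitivity: str, want_flags: dict) -> list:
    """Return a list of findings; an empty list means the output meets every task."""
    f = parse_channel(output)
    findings = []
    if f.get("Channel Assignment Mode") != "AUTO":
        findings.append("DCA is not in AUTO mode")
    if f.get("Channel Update Interval") != f"{interval_hours} Hours":
        findings.append(f"interval is {f.get('Channel Update Interval')!r}")
    if f.get("Anchor time (Hour of the day)") != str(anchor_hour):
        findings.append(f"anchor time is {f.get('Anchor time (Hour of the day)')!r}")
    if not f.get("DCA Sensitivity Level", "").startswith(sensitivity):
        findings.append(f"sensitivity is {f.get('DCA Sensitivity Level')!r}")
    width = re.match(r"(\d+)", f.get("DCA 802.11n/ac Channel Width", ""))
    if width is None or int(width.group(1)) != width_mhz:
        findings.append(f"channel width is {f.get('DCA 802.11n/ac Channel Width')!r}")
    got_flags = contributions(f.get("Channel Update Contribution", "....."))
    for name, want in want_flags.items():
        if got_flags[name] != want:
            findings.append(f"contribution '{name}' should be {'on' if want else 'off'}")
    leaked = sorted(channel_list(f.get("Allowed Channel List", "")) & UNII3_CHANNELS)
    if leaked:
        findings.append(f"UNII-3 channels still allowed to DCA: {leaked}")
    return findings
```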

5. Configure LAP1 to use channel 149 and only be 20 MHz wide.

Again, per-AP configs are done on the MA.

CAT3#ap name LAP1 dot11 5ghz shutdown
CAT3#ap name LAP1 dot11 5ghz channel 149
CAT3#ap name LAP1 dot11 5ghz channel width 20
CAT3#ap name LAP1 no dot11 5ghz shutdown

CAT3#sho ap dot11 5ghz summary

AP Name   MAC Address     Slot  Admin State  Oper State  Channel  Width  TxPwr
-------------------------------------------------------------------------------
LAP1      84b8.0265.4d60  1     Enabled      Up          149      20     1( )

Helpful Verification Commands

• show ap dot11 24ghz channel
• show ap dot11 5ghz channel
• show ap dot11 5ghz summary

Technical Verification and Support

For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.

This concludes Lab 133 of iPexpert’s CCIE Wireless DSG, Section 4, Volume 1
Copyright© iPexpert. All Rights Reserved.


Lab 134: Coverage Hole Detection :: Detailed Solutions

Technologies Covered

• Coverage Hole Detection

Detailed Solution Guide

This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.


iPexpert’s Recommended Reading Material

All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

• 3650 Config Guide 3.6- Chapter 52

iPexpert’s Recommended Video Training

iPexpert’s Video on Demand training library contains a wealth of videos pertaining to the CCIE
Wireless Lab exam. We recommend watching the following learning videos prior to completing
this lab scenario.

• Video Title: Unified Wireless (Converged)- Coverage Hole Detection

Topology Detail

This lab requires access to CAT3-4 and WLC3.


Diagram 134.1: Coverage Hole Detection Topology

Lab 134 Setup

• Can this lab be practiced without completing a previous lab: YES
• If so, which lab load should be used: Converged Controllers- WLANs
• Can this lab be practiced without a fresh lab load by using the final config of the previous lab: YES


Configuration Tasks :: Detailed Solutions

In this scenario, CAT3 and CAT4 are in the same SPG with WLC3 as their MC. CHD settings are
configured on the MAs.

All configurations are on CAT3-4.

1. Only use coverage hole detection on the 5 GHz radios.

2. Consider clients to be at a low signal level based on a threshold value of -78 dBm for data queue
traffic and -76 dBm for voice queue traffic.

3. Clients should be considered in a pre-alarm condition when they experience at least 50 failed
packets, which represents at least 40% of its total packets.

4. Coverage hole detection should kick in for pre-alarm clients below the RSSI threshold when there
are at least 2 of them on an AP and they represent at least 20% of the total clients.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#ap dot11 24ghz shutdown
CAT3(config)#no ap dot11 24ghz rrm coverage
CAT3(config)#no ap dot11 24ghz shutdown
CAT3(config)#ap dot11 5ghz rrm coverage data rssi-threshold -78
CAT3(config)#ap dot11 5ghz rrm coverage voice rssi-threshold -76
CAT3(config)#ap dot11 5ghz rrm coverage data fail-percentage 40
CAT3(config)#ap dot11 5ghz rrm coverage data packet-count 50
CAT3(config)#ap dot11 5ghz rrm coverage voice fail-percentage 40
CAT3(config)#ap dot11 5ghz rrm coverage voice packet-count 50
CAT3(config)#ap dot11 5ghz rrm coverage level global 2
CAT3(config)#ap dot11 5ghz rrm coverage exception global 20
CAT3(config)#end

CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#ap dot11 24ghz shutdown
CAT4(config)#no ap dot11 24ghz rrm coverage
CAT4(config)#no ap dot11 24ghz shutdown
CAT4(config)#ap dot11 5ghz rrm coverage data rssi-threshold -78
CAT4(config)#ap dot11 5ghz rrm coverage voice rssi-threshold -76
CAT4(config)#ap dot11 5ghz rrm coverage data fail-percentage 40
CAT4(config)#ap dot11 5ghz rrm coverage data packet-count 50
CAT4(config)#ap dot11 5ghz rrm coverage voice fail-percentage 40
CAT4(config)#ap dot11 5ghz rrm coverage voice packet-count 50
CAT4(config)#ap dot11 5ghz rrm coverage level global 2
CAT4(config)#ap dot11 5ghz rrm coverage exception global 20
CAT4(config)#end

CAT3#sho ap dot11 24ghz coverage

Coverage Hole Detection
802.11b Coverage Hole Detection Mode : Disabled
802.11b Coverage Voice Packet Count : 100 packet(s)
802.11b Coverage Voice Packet Percentage : 50%
802.11b Coverage Voice RSSI Threshold : -80 dBm
802.11b Coverage Data Packet Count : 50 packet(s)
802.11b Coverage Data Packet Percentage : 50%
802.11b Coverage Data RSSI Threshold : -80 dBm
802.11b Global coverage exception level : 25 %
802.11b Global client minimum exception level : 3 clients

CAT3#sho ap dot11 5ghz coverage

Coverage Hole Detection
802.11a Coverage Hole Detection Mode : Enabled
802.11a Coverage Voice Packet Count : 50 packet(s)
802.11a Coverage Voice Packet Percentage : 40 %
802.11a Coverage Voice RSSI Threshold : -76dBm
802.11a Coverage Data Packet Count : 50 packet(s)
802.11a Coverage Data Packet Percentage : 40 %
802.11a Coverage Data RSSI Threshold : -78dBm
802.11a Global coverage exception level : 20
802.11a Global client minimum exception level : 2 clients
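Added example (not from the guide): a Python model of the two-stage decision that the thresholds of tasks 2 through 4 define, run over constructed per-client counters. Whether a client exactly at the threshold counts as "below" it is modelled here as strictly below, which is an assumption.

```python
from dataclasses import dataclass

# Thresholds from tasks 2-4 of this lab (5 GHz radios on CAT3 and CAT4).
RSSI_THRESHOLD_DBM = {"data": -78, "voice": -76}   # rrm coverage <queue> rssi-threshold
PACKET_COUNT = 50        # rrm coverage <queue> packet-count 50
FAIL_PERCENTAGE = 40     # rrm coverage <queue> fail-percentage 40
MIN_CLIENTS = 2          # rrm coverage level global 2
EXCEPTION_PERCENT = 20   # rrm coverage exception global 20


@dataclass
class ClientStats:
    """Constructed per-client counters; queue is 'data' or 'voice'."""
    name: str
    queue: str
    rssi_dbm: int
    total_packets: int
    failed_packets: int


def in_pre_alarm(c: ClientStats) -> bool:
    """Task 3: at least PACKET_COUNT failures AND the failures are at least
    FAIL_PERCENTAGE of the client's total packets (both conditions must hold)."""
    if c.total_packets <= 0:
        return False
    return (c.failed_packets >= PACKET_COUNT
            and c.failed_packets * 100 >= FAIL_PERCENTAGE * c.total_packets)


def below_rssi_threshold(c: ClientStats) -> bool:
    """Task 2: each queue has its own threshold (assumed strictly below here)."""
    return c.rssi_dbm < RSSI_THRESHOLD_DBM[c.queue]


def affected_clients(clients: list) -> list:
    """Clients that count toward a coverage hole: pre-alarm AND below threshold."""
    return [c for c in clients if in_pre_alarm(c) and below_rssi_threshold(c)]


def coverage_hole(clients: list) -> bool:
    """Task 4: at least MIN_CLIENTS affected clients AND they are at least
    EXCEPTION_PERCENT of every client on the radio."""
    affected = affected_clients(clients)
    return (len(affected) >= MIN_CLIENTS
            and len(affected) * 100 >= EXCEPTION_PERCENT * len(clients))


# Constructed scenario: five clients on one 5 GHz radio.
SAMPLE_CLIENTS = [
    ClientStats("c1", "data", -80, 120, 60),    # 60 failures = 50% and -80 < -78: counts
    ClientStats("c2", "voice", -77, 200, 100),  # 100 failures = 50% and -77 < -76: counts
    ClientStats("c3", "data", -80, 500, 60),    # 60 failures but only 12%: not pre-alarm
    ClientStats("c4", "data", -70, 100, 90),    # pre-alarm, but the RSSI is fine
    ClientStats("c5", "voice", -60, 100, 0),    # healthy
]
```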


5. Ensure coverage hole detection is enabled on the HQ-WPAEAP1-PodX WLAN.

CAT3#config t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wlan HQ-WPAEAP1-PodX
CAT3(config-wlan)#chd
CAT3(config-wlan)#end

CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#wlan HQ-WPAEAP1-PodX
CAT4(config-wlan)#chd
CAT4(config-wlan)#end

CAT4#sho wlan name HQ-WPAEAP1-PodX | in CHD

CHD per WLAN : Enabled

Helpful Verification Commands

• show ap dot11 24ghz coverage
• show ap dot11 5ghz coverage

Technical Verification and Support

For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.

This concludes Lab 134 of iPexpert’s CCIE Wireless DSG, Section 4, Volume 1
Copyright© iPexpert. All Rights Reserved.


Lab 135: CCX Assisted Roaming :: Detailed Solutions

Technologies Covered

• CCX Assisted Roaming

Detailed Solution Guide

This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.


iPexpert’s Recommended Reading Material

All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

• 3650 Config Guide 3.6- Chapter 87

iPexpert’s Recommended Video Training

iPexpert’s Video on Demand training library contains a wealth of videos pertaining to the CCIE
Wireless Lab exam. We recommend watching the following learning videos prior to completing
this lab scenario.

• Video Title: Unified Wireless (Converged)- CCX Assisted Roaming

Topology Detail

This lab requires access to CAT3-4 and WLC3.


Diagram 135.1: CCX Assisted Roaming Topology

Lab 135 Setup

• Can this lab be practiced without completing a previous lab: YES
• If so, which lab load should be used: Converged Controllers- WLANs
• Can this lab be practiced without a fresh lab load by using the final config of the previous lab: YES


Configuration Tasks :: Detailed Solutions

In this scenario, CAT3 and CAT4 are in the same SPG with WLC3 as their MC. CCX Roaming settings are
configured on the MAs.

1. Configure the following CCX roaming settings on CAT3 and CAT4’s 5 GHz radios.

• CCX clients should not associate to (or stay associated to) APs at a signal level below -82 dBm.
• Clients should roam to another AP only when that AP’s signal is at least 4 times better than the current AP’s signal.
• Clients should start trying to roam when their signal drops to -75 dBm or worse.
• The roam should complete within 4 seconds of hitting the scan threshold.

The four arguments of the command map, in order, to the minimum RSSI, the roam hysteresis, the scan threshold and the transition time. A signal 4 times stronger is 10·log10(4), about 6 dB, which is why the hysteresis is entered as 6.

CAT3#config t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#ap dot11 5ghz l2roam rf-params custom -82 6 -75 4
CAT3(config)#end

CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#ap dot11 5ghz l2roam rf-params custom -82 6 -75 4
CAT4(config)#end

CAT4#sho ap dot11 5ghz l2roam rf-param

L2Roam 802.11a RF Parameters
Config Mode : Custom
Minimum RSSI : -82
Roam Hysteresis : 6
Scan Threshold : -75
Transition time : 4

Helpful Verification Commands

• show ap dot11 5ghz l2roam rf-param


Technical Verification and Support

For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.

This concludes Lab 135 of iPexpert’s CCIE Wireless DSG, Section 4, Volume 1
Copyright© iPexpert. All Rights Reserved.


Lab 136: DFS :: Detailed Solutions

Technologies Covered

• DFS

Detailed Solution Guide

This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.


iPexpert’s Recommended Reading Material

All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

• 3650 Config Guide 3.6- Chapter 52

iPexpert’s Recommended Video Training

iPexpert’s Video on Demand training library contains a wealth of videos pertaining to the CCIE
Wireless Lab exam. We recommend watching the following learning videos prior to completing
this lab scenario.

• Video Title: Unified Wireless (Converged)- DFS

Topology Detail

This lab requires access to CAT3-4 and WLC3.


Diagram 136.1: DFS Topology

Lab 136 Setup

• Can this lab be practiced without completing a previous lab: YES
• If so, which lab load should be used: Converged Controllers- WLANs
• Can this lab be practiced without a fresh lab load by using the final config of the previous lab: YES


Configuration Tasks :: Detailed Solutions

In this scenario, CAT3 and CAT4 are in the same SPG with WLC3 as their MC. DFS settings are configured
on the MAs.

Configure the following on CAT3 and CAT4.

1. When an AP encounters a radar signal while using a DFS channel, it should move to a new channel
and tell its associated clients which channel it is moving to.

2. Enable 802.11h based TPC and set the power constraint to 9 dBm.

In order to enable the power constraint, you must disable DTPC. Only one of the two settings can be
enabled at a time.

CAT3#config t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#ap dot11 5ghz shutdown
CAT3(config)#ap dot11 5ghz channelswitch mode 1
CAT3(config)#no ap dot11 5ghz dtpc
CAT3(config)#ap dot11 5ghz power-constraint 9
CAT3(config)#no ap dot11 5ghz shutdown
CAT3(config)#end

CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#ap dot11 5ghz l2roam rf-params custom -82 6 -75 4
CAT4(config)#ap dot11 5ghz shutdown
CAT4(config)#ap dot11 5ghz channelswitch mode 1
CAT4(config)#no ap dot11 5ghz dtpc
CAT4(config)#ap dot11 5ghz power-constraint 9
CAT4(config)#no ap dot11 5ghz shutdown
CAT4(config)#end

CAT4#sho run | s 5ghz

ap dot11 5ghz rrm monitor channel-list dca
ap dot11 5ghz rrm monitor signal 90
no ap dot11 5ghz dtpc
ap dot11 5ghz channelswitch mode 1
ap dot11 5ghz power-constraint 9
ap dot11 5ghz l2roam rf-params custom -82 6 -75 4


Helpful Verification Commands

• show run

Technical Verification and Support

For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.

This concludes Lab 136 of iPexpert’s CCIE Wireless DSG, Section 4, Volume 1
Copyright© iPexpert. All Rights Reserved.


Lab 137: 802.11n/ac High Throughput :: Detailed Solutions

Technologies Covered

• 802.11n/ac High Throughput

Detailed Solution Guide

This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.


iPexpert’s Recommended Reading Material

All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

• 3650 Config Guide 3.6- Chapter 85

iPexpert’s Recommended Video Training

iPexpert’s Video on Demand training library contains a wealth of videos pertaining to the CCIE
Wireless Lab exam. We recommend watching the following learning videos prior to completing
this lab scenario.

• Video Title: Unified Wireless (Converged)- 802.11n/ac High Throughput

Topology Detail

This lab requires access to CAT3-4 and WLC3.


Diagram 137.1: 802.11n/ac High Throughput Topology

Lab 137 Setup

• Can this lab be practiced without completing a previous lab: YES
• If so, which lab load should be used: Converged Controllers- WLANs
• Can this lab be practiced without a fresh lab load by using the final config of the previous lab: YES


Configuration Tasks :: Detailed Solutions

In this scenario, CAT3 and CAT4 are in the same SPG with WLC3 as their MC. 802.11n/ac settings are
configured on the MAs (except for the DCA channel width settings).

All configurations are on CAT3 and CAT4 unless otherwise noted.

1. Disable all 3-spatial-stream data rates on the 2.4 GHz radios.

MCS 16 through 23 are the three-spatial-stream rates, so those are the indexes to disable.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#ap dot11 24ghz shut
CAT3(config)#no ap dot11 24ghz dot11n mcs tx 16
CAT3(config)#no ap dot11 24ghz dot11n mcs tx 17
CAT3(config)#no ap dot11 24ghz dot11n mcs tx 18
CAT3(config)#no ap dot11 24ghz dot11n mcs tx 19
CAT3(config)#no ap dot11 24ghz dot11n mcs tx 20
CAT3(config)#no ap dot11 24ghz dot11n mcs tx 21
CAT3(config)#no ap dot11 24ghz dot11n mcs tx 22
CAT3(config)#no ap dot11 24ghz dot11n mcs tx 23
CAT3(config)#end

CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#ap dot11 24ghz shut
CAT4(config)#no ap dot11 24ghz dot11n mcs tx 16
CAT4(config)#no ap dot11 24ghz dot11n mcs tx 17
CAT4(config)#no ap dot11 24ghz dot11n mcs tx 18
CAT4(config)#no ap dot11 24ghz dot11n mcs tx 19
CAT4(config)#no ap dot11 24ghz dot11n mcs tx 20
CAT4(config)#no ap dot11 24ghz dot11n mcs tx 21
CAT4(config)#no ap dot11 24ghz dot11n mcs tx 22
CAT4(config)#no ap dot11 24ghz dot11n mcs tx 23
CAT4(config)#end

CAT3#sho ap dot11 24ghz network

802.11b Network : Disabled
11gSupport : Enabled
11nSupport : Enabled

802.11b/g Operational Rates
802.11b 1M : Unsupported
802.11b 2M : Unsupported
802.11b 5.5M : Unsupported
802.11g 6M : Unsupported
802.11g 9M : Unsupported
802.11b 11M : Mandatory
802.11g 12M : Supported
802.11g 18M : Supported
802.11g 24M : Supported
802.11g 36M : Supported
802.11g 48M : Supported
802.11g 54M : Supported
802.11n MCS Settings:
MCS 0 : Supported
MCS 1 : Supported
MCS 2 : Supported
MCS 3 : Supported
MCS 4 : Supported
MCS 5 : Supported
MCS 6 : Supported
MCS 7 : Supported
MCS 8 : Supported
MCS 9 : Supported
MCS 10 : Supported
MCS 11 : Supported
MCS 12 : Supported
MCS 13 : Supported
MCS 14 : Supported
MCS 15 : Supported
MCS 16 : Disabled
MCS 17 : Disabled
MCS 18 : Disabled
MCS 19 : Disabled
MCS 20 : Disabled
MCS 21 : Disabled
MCS 22 : Disabled
MCS 23 : Disabled
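Added example (not from the guide): Python that maps 802.11n MCS indexes to spatial-stream counts, generates the `no ap dot11 <band> dot11n mcs tx` lines for any stream count (the general form of which task 1 is the three-stream case), and checks a re-typed `show ap dot11 24ghz network` MCS listing for rates still enabled.

```python
import re

# 802.11n single-user HT MCS indexes 0-31 are grouped eight per spatial-stream
# count: MCS 0-7 use one stream, 8-15 two, 16-23 three, 24-31 four.
MCS_PER_STREAM_COUNT = 8
MAX_EQUAL_MOD_MCS = 31


def spatial_streams(mcs: int) -> int:
    """Number of spatial streams an equal-modulation HT MCS index needs."""
    if not 0 <= mcs <= MAX_EQUAL_MOD_MCS:
        raise ValueError(f"MCS index out of range: {mcs}")
    return mcs // MCS_PER_STREAM_COUNT + 1


def mcs_for_streams(streams: int) -> list:
    """All MCS indexes that need exactly `streams` spatial streams."""
    return [m for m in range(MAX_EQUAL_MOD_MCS + 1) if spatial_streams(m) == streams]


def disable_stream_commands(band: str, streams: int) -> list:
    """Converged-controller config lines that disable every MCS rate of one
    stream count on a band ('24ghz' or '5ghz'); streams=3 reproduces task 1."""
    return [f"no ap dot11 {band} dot11n mcs tx {m}" for m in mcs_for_streams(streams)]


def parse_mcs_status(output: str) -> dict:
    """Read the 'MCS n : Supported|Disabled' lines of 'show ap dot11 <band> network'."""
    status = {}
    for line in output.splitlines():
        m = re.match(r"\s*MCS (\d+)\s*:\s*(\w+)", line)
        if m:
            status[int(m.group(1))] = m.group(2)
    return status


def still_enabled(output: str, streams: int) -> list:
    """MCS indexes of the given stream count that the radio does not report as
    Disabled (an index missing from the output is reported too, since the task
    is only verified when the radio confirms it). Empty list = task met."""
    status = parse_mcs_status(output)
    return [m for m in mcs_for_streams(streams) if status.get(m) != "Disabled"]


# Constructed sample: the MCS part of 'show ap dot11 24ghz network' from this
# lab after task 1 (MCS 0-15 Supported, 16-23 Disabled), re-typed as test input.
SAMPLE_NETWORK = "802.11n MCS Settings:\n" + "\n".join(
    f"  MCS {m} : {'Supported' if m < 16 else 'Disabled'}" for m in range(24)
)
```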

2. Ensure that A-MSDU is enabled for all packet priorities on the 2.4 GHz radios.

3. Ensure short guard intervals are enabled on both radios.

4. Ensure that RIFS is enabled on both radios.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#ap dot11 24ghz dot11n a-msdu tx priority all
CAT3(config)#ap dot11 24ghz dot11n guard-interval any
CAT3(config)#ap dot11 24ghz dot11n rifs rx

CAT3(config)#ap dot11 5ghz shut
CAT3(config)#ap dot11 5ghz dot11n guard-interval any
CAT3(config)#ap dot11 5ghz dot11n rifs rx
CAT3(config)#end

CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#ap dot11 24ghz dot11n a-msdu tx priority all
CAT4(config)#ap dot11 24ghz dot11n guard-interval any
CAT4(config)#ap dot11 24ghz dot11n rifs rx

CAT4(config)#ap dot11 5ghz shut
CAT4(config)#ap dot11 5ghz dot11n guard-interval any
CAT4(config)#ap dot11 5ghz dot11n rifs rx
CAT4(config)#end

CAT3#sho ap dot11 24ghz network | b 802.11n Status

802.11n Status:
A-MPDU Tx:
Priority 0 : Enabled
Priority 1 : Disabled
Priority 2 : Disabled
Priority 3 : Enabled
Priority 4 : Enabled
Priority 5 : Enabled
Priority 6 : Disabled
Priority 7 : Disabled
Aggregation scheduler : Enabled
Realtime timeout : 10
A-MSDU Tx:
Priority 0 : Enabled
Priority 1 : Enabled
Priority 2 : Enabled
Priority 3 : Enabled
Priority 4 : Enabled
Priority 5 : Enabled
Priority 6 : Enabled
Priority 7 : Enabled
Guard Interval : Any
Rifs Rx : Enabled

5. Ensure that clients can achieve the fastest 802.11ac data rates.

6. Ensure that 802.11n/ac data rates are possible on the HQ-WPAEAP1-PodX WLAN.

Enabling RIFS and short guard intervals in the previous tasks already helps toward the fastest 802.11ac speeds. The remaining settings concern the allowed rates and the use of 80 MHz wide channels. All rates are enabled by default, so we only need to configure 80 MHz wide channels, and since the MC controls the RRM settings, this is done on WLC3.

For the WLAN to support 802.11ac, it needs Open or WPA2/AES security and WMM enabled.

WLC3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
WLC3(config)#ap dot11 5g shut
WLC3(config)#ap dot11 5g rrm chan dca chan 80
WLC3(config)#no ap dot11 5g shut
WLC3(config)#end

WLC3#sho ap dot11 5g channel

Automatic Channel Assignment
Channel Assignment Mode : AUTO
Channel Update Interval : 2 Hours
Anchor time (Hour of the day) : 0
Channel Update Contribution : SN.UD
Channel Assignment Leader : WLC3 (10.10.112.10)
Last Run : 165 seconds ago
DCA Sensitivity Level : STARTUP (5 dB)
DCA 802.11n/ac Channel Width : 80 MHz

LAP1 is the only 802.11ac lightweight AP in our rack. It might still be set to statically use a channel width of 20 MHz, so I’ll remove the static setting and let RRM configure it. Let’s also get our radios enabled globally on all switches.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#no ap dot11 24 shut
CAT3(config)#no ap dot11 5g shut
CAT3(config)#end

CAT3#ap name LAP1 dot11 5g shut
CAT3#ap name LAP1 dot11 5g channel auto
CAT3#ap name LAP1 no dot11 5g shut

CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#no ap dot11 24 shut
CAT4(config)#no ap dot11 5g shut
CAT4(config)#end

CAT3#show ap dot11 5gh sum

AP Name   MAC Address     Slot  Admin State  Oper State  Channel         Width  TxPwr
--------------------------------------------------------------------------------------
LAP1      84b8.0265.4d60  1     Enabled      Up          (36,40,44,48)*  80     1( )

CAT3#sho wlan name HQ-WPAEAP1-PodX | in WMM

WMM : Allowed

CAT3#sho wlan name HQ-WPAEAP1-PodX | b Secu
Security
802.11 Authentication : Open System
Static WEP Keys : Disabled
802.1X : Disabled
Wi-Fi Protected Access (WPA/WPA2) : Enabled
WPA (SSN IE) : Disabled
WPA2 (RSN IE) : Enabled
TKIP Cipher : Disabled
AES Cipher : Enabled
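The WLAN prerequisite can be checked mechanically instead of by eye. The following Python is an added example written for this guide (it is not code from the lab material or from Cisco): it parses the text of `show wlan name <wlan>` and lists every reason a WLAN would be held to legacy rates. The sample text is a constructed copy of the output above, and the only rule encoded is the one stated above (WMM on; security Open or WPA2 with AES only).

```python
"""Check the 802.11n/ac prerequisites of a WLAN from 'show wlan name <wlan>' text.
Added example for this guide, not code from the original lab material."""

import re

# Constructed sample: the WMM and Security lines of the HQ-WPAEAP1-PodX output above.
SAMPLE_SHOW_WLAN = """\
WMM : Allowed
Security
802.11 Authentication : Open System
Static WEP Keys : Disabled
802.1X : Disabled
Wi-Fi Protected Access (WPA/WPA2) : Enabled
WPA (SSN IE) : Disabled
WPA2 (RSN IE) : Enabled
TKIP Cipher : Disabled
AES Cipher : Enabled
"""

FIELD = re.compile(r"^\s*(.+?)\s*:\s*(.+?)\s*$")


def parse_show_wlan(text):
    """Map every 'name : value' line to a dict; indentation and dot leaders are ignored.
    If a field name repeats (ciphers listed under both WPA and WPA2), the last one wins."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1).rstrip(".")] = m.group(2)
    return fields


def legacy_rate_reasons(fields):
    """Return why this WLAN cannot offer HT/VHT (802.11n/ac) rates; [] means it can.
    Rule applied: WMM on, and Layer 2 security either open or WPA2 with AES only."""
    reasons = []
    if fields.get("WMM", "Disabled") == "Disabled":
        reasons.append("WMM disabled")
    if fields.get("Static WEP Keys") == "Enabled":
        reasons.append("static WEP enabled")
    # 'Security / 802.1X' is the legacy dynamic-WEP Layer 2 mode, not WPA2-802.1X.
    if fields.get("802.1X") == "Enabled":
        reasons.append("802.1X dynamic WEP enabled")
    if fields.get("Wi-Fi Protected Access (WPA/WPA2)") == "Enabled":
        if fields.get("WPA (SSN IE)") == "Enabled":
            reasons.append("WPA (version 1) enabled")
        if fields.get("TKIP Cipher") == "Enabled":
            reasons.append("TKIP cipher enabled")
        if fields.get("AES Cipher") != "Enabled":
            reasons.append("AES cipher not enabled")
    return reasons


def supports_ht_vht(text):
    """True when the WLAN can serve 802.11n/ac data rates."""
    return not legacy_rate_reasons(parse_show_wlan(text))
```

Paste the full `show wlan name HQ-WPAEAP1-PodX` output into `supports_ht_vht()`; an empty reason list is the pass condition, and any listed reason names the setting to change.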

Helpful Verification Commands

 show ap dot11 24ghz network
 show ap dot11 5g channel
 show ap dot11 5gh sum
 show wlan name

Technical Verification and Support

For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.

This concludes Lab 137 of iPexpert’s CCIE Wireless DSG, Section 4, Volume 1
Copyright© iPexpert. All Rights Reserved.


Lab 138: CleanAir :: Detailed Solutions

Technologies Covered

 CleanAir

Detailed Solution Guide

This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.


iPexpert’s Recommended Reading Material


All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

 3650 Config Guide 3.6- Chapter 3

iPexpert’s Recommended Video Training

iPexpert’s Video on Demand training library contains a wealth of videos pertaining to the CCIE
Wireless Lab exam. We recommend watching the following learning videos prior to completing
this lab scenario.

 Video Title: Unified Wireless (Converged)- CleanAir

Topology Detail

This lab requires access to CAT3-4 and WLC3.


Diagram 138.1: CleanAir Topology

Lab 138 Setup

 Can this lab be practiced without completing a previous lab: YES
 If so, which lab load should be used: Converged Controllers- WLANs
 Can this lab be practiced without a fresh lab load by using the final config of the previous lab: YES


Configuration Tasks :: Detailed Solutions

In this scenario, CAT3 and CAT4 are in the same SPG with WLC3 as their MC. CleanAir settings are
configured on the MC for all associated MAs.

All configurations are on WLC3.

1. Enable CleanAir on both radios globally.

Enable it on WLC3 and watch the config propagate to the MAs.

WLC3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
WLC3(config)#ap dot11 24gh cleanair
WLC3(config)#ap dot11 5gh cleanair
WLC3(config)#end

WLC3#sho ap dot11 24 cleanair config

CleanAir Solution................................ : Enabled
Air Quality Settings:
Air Quality Reporting........................ : Enabled
Air Quality Reporting Period (min)........... : 15
Air Quality Alarms........................... : Enabled
Air Quality Alarm Threshold.................. : 10

CAT3#sho ap dot11 24gh clean con

Mobility Controller Link Status.................. : UP
CleanAir Solution................................ : Enabled
Air Quality Settings:
Air Quality Reporting........................ : Enabled
Air Quality Reporting Period (min)........... : 15
Air Quality Alarms........................... : Enabled
Air Quality Alarm Threshold.................. : 10

CAT3#sho ap dot11 24gh clean sum

AP Name  MAC Address     Slot ID  Spectrum Capable  Spectrum Intelligence  Spectrum Oper State
---------------------------------------------------------------------------------------------
LAP1     84b8.0265.4d60  0        Enabled           Enabled                Up

2. When an AP detects a persistent interferer device, its neighboring APs should be informed about
it.

WLC3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
WLC3(config)#ap dot11 24 rrm channel pda-prop
WLC3(config)#ap dot11 5g rrm channel pda-prop
WLC3(config)#end

3. Have the WLC ignore Bluetooth related interferers.

4. Traps should be sent out if an AP’s AQI score drops to 40, or when Microwave Ovens are detected.

 No other known interferer types should generate traps when seen.

5. If APs on WLC1 have their AQI scores drop to 35 or worse for a period of time, they should change
channels.

Bluetooth and microwave ovens operate only in the 2.4 GHz band, so the Bluetooth and microwave-oven commands apply to the 2.4 GHz radio alone. The AQI alarm threshold, the device types that alarm by default (WiFi Inverted and WiFi Invalid Channel, which must be switched off to satisfy the "no other known interferer types" requirement) and event-driven RRM are configured on both bands.

WLC3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
WLC3(config)#no ap dot11 24 clean device bt-discovery
WLC3(config)#no ap dot11 24 clean device bt-link
WLC3(config)#ap dot11 24 clean alarm air-quality
WLC3(config)#ap dot11 24 clean alarm air-quality threshold 40
WLC3(config)#ap dot11 5g clean alarm air-quality
WLC3(config)#ap dot11 5g clean alarm air-quality threshold 40
WLC3(config)#ap dot11 24 clean alarm device
WLC3(config)#ap dot11 24 clean alarm device mw-oven
WLC3(config)#no ap dot11 24 clean alarm device inv
WLC3(config)#no ap dot11 24 clean alarm device nonstd
WLC3(config)#no ap dot11 5g clean alarm device inv
WLC3(config)#no ap dot11 5g clean alarm device nonstd
WLC3(config)#ap dot11 24 rrm channel cleanair-event
WLC3(config)#ap dot11 24 rrm channel cleanair-event sensitivity low
WLC3(config)#ap dot11 5g rrm channel cleanair-event
WLC3(config)#ap dot11 5g rrm channel cleanair-event sensitivity low
WLC3(config)#end

Now let’s look at the config on the MC as well as one of the MAs.

WLC3#show ap dot11 24 cleanair config

CleanAir Solution................................ : Enabled
Air Quality Settings:
Air Quality Reporting........................ : Enabled
Air Quality Reporting Period (min)........... : 15
Air Quality Alarms........................... : Enabled
Air Quality Alarm Threshold.................. : 40
Interference Device Settings:
Interference Device Reporting................ : Enabled
Bluetooth Link........................... : Disabled
Microwave Oven........................... : Enabled
802.11 FH................................ : Enabled
Bluetooth Discovery...................... : Disabled
TDD Transmitter.......................... : Enabled
Jammer................................... : Enabled
Continuous Transmitter................... : Enabled
DECT-like Phone.......................... : Enabled
Video Camera............................. : Enabled
802.15.4................................. : Enabled
WiFi Inverted............................ : Enabled
WiFi Invalid Channel..................... : Enabled
SuperAG.................................. : Enabled
Canopy................................... : Enabled
Microsoft Device......................... : Enabled
WiMax Mobile............................. : Enabled
WiMax Fixed.............................. : Enabled
Interference Device Types Triggering Alarms:
Bluetooth Link........................... : Disabled
Microwave Oven........................... : Enabled
802.11 FH................................ : Disabled
Bluetooth Discovery...................... : Disabled

TDD Transmitter.......................... : Disabled
Jammer................................... : Disabled
Continuous Transmitter................... : Disabled
DECT-like Phone.......................... : Disabled
Video Camera............................. : Disabled
802.15.4................................. : Disabled
WiFi Inverted............................ : Disabled
WiFi Invalid Channel..................... : Disabled
SuperAG.................................. : Disabled
Canopy................................... : Disabled
Microsoft Device......................... : Disabled
WiMax Mobile............................. : Disabled
WiMax Fixed.............................. : Disabled
Interference Device Alarms................... : Enabled
AdditionalClean Air Settings:
CleanAir Event-driven RRM State.............. : Enabled
CleanAir Driven RRM Sensitivity.............. : LOW
CleanAir Persistent Devices state............ : Enabled
CleanAir Persistent Device Propagation....... : Enabled

WLC3#show ap dot11 5g cleanair config

CleanAir Solution................................ : Enabled
Air Quality Settings:
Air Quality Reporting........................ : Enabled
Air Quality Reporting Period (min)........... : 15
Air Quality Alarms........................... : Enabled
Air Quality Alarm Threshold.................. : 40
Interference Device Settings:
Interference Device Reporting................ : Enabled
TDD Transmitter.......................... : Enabled
Jammer................................... : Enabled
Continuous Transmitter................... : Enabled
DECT-like Phone.......................... : Enabled
Video Camera............................. : Enabled
WiFi Inverted............................ : Enabled
WiFi Invalid Channel..................... : Enabled


SuperAG.................................. : Enabled
Canopy................................... : Enabled
WiMax Mobile............................. : Enabled
WiMax Fixed.............................. : Enabled
Interference Device Types Triggering Alarms:
TDD Transmitter.......................... : Disabled
Jammer................................... : Disabled
Continuous Transmitter................... : Disabled
DECT-like Phone.......................... : Disabled
Video Camera............................. : Disabled
WiFi Inverted............................ : Disabled
WiFi Invalid Channel..................... : Disabled
SuperAG.................................. : Disabled
Canopy................................... : Disabled
WiMax Mobile............................. : Disabled
WiMax Fixed.............................. : Disabled
Interference Device Alarms................... : Enabled
Additional CleanAir Settings:
CleanAir Event-driven RRM State.............. : Enabled
CleanAir Driven RRM Sensitivity.............. : LOW
CleanAir Persistent Devices state............ : Enabled
CleanAir Persistent Device Propagation....... : Enabled

CAT3#sho ap dot11 24gh clean con

Mobility Controller Link Status.................. : UP
CleanAir Solution................................ : Enabled
Air Quality Settings:
Air Quality Reporting........................ : Enabled
Air Quality Reporting Period (min)........... : 15
Air Quality Alarms........................... : Enabled
Air Quality Alarm Threshold.................. : 40
Interference Device Settings:
Interference Device Reporting................ : Enabled
Bluetooth Link........................... : Disabled
Microwave Oven........................... : Enabled
802.11 FH................................ : Enabled
Bluetooth Discovery...................... : Disabled
TDD Transmitter.......................... : Enabled


Jammer................................... : Enabled
Continuous Transmitter................... : Enabled
DECT-like Phone.......................... : Enabled
Video Camera............................. : Enabled
802.15.4................................. : Enabled
WiFi Inverted............................ : Enabled
WiFi Invalid Channel..................... : Enabled
SuperAG.................................. : Enabled
Canopy................................... : Enabled
Microsoft Device......................... : Enabled
WiMax Mobile............................. : Enabled
WiMax Fixed.............................. : Enabled
Interference Device Types Triggering Alarms:
Bluetooth Link........................... : Disabled
Microwave Oven........................... : Enabled
802.11 FH................................ : Disabled
Bluetooth Discovery...................... : Disabled
TDD Transmitter.......................... : Disabled
Jammer................................... : Disabled
Continuous Transmitter................... : Disabled
DECT-like Phone.......................... : Disabled
Video Camera............................. : Disabled
802.15.4................................. : Disabled
WiFi Inverted............................ : Disabled
WiFi Invalid Channel..................... : Disabled
SuperAG.................................. : Disabled
Canopy................................... : Disabled
Microsoft Device......................... : Disabled
WiMax Mobile............................. : Disabled
WiMax Fixed.............................. : Disabled
Interference Device Alarms................... : Enabled
AdditionalClean Air Settings:
CleanAir Event-driven RRM State.............. : Enabled
CleanAir Driven RRM Sensitivity.............. : LOW
CleanAir Persistent Devices state............ : Disabled
CleanAir Persistent Device Propagation....... : Disabled

Interestingly, the persistent device state and propagation show as Disabled on the MA (the last two lines of the output above), yet neither can be configured on the MA:


CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#ap dot11 24 rrm channel device
% switch-1:wcm:This command is not available on Mobility Agent
CAT3(config)#ap dot11 24 rrm channel pda-prop
% switch-1:wcm:This is command is not available on Mobility Agent

So the MC's configuration is what counts; on the MAs, the main thing to verify is that the Mobility Controller Link Status shows UP.
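Since the trap policy lives on the MC and only the link status is meaningful on the MAs, it is worth checking the MC's output mechanically. The following Python is an added example for this guide (not code from the lab material or from Cisco): it parses `show ap dot11 <band> cleanair config` text and reports every deviation from the intended policy, which for this task is an AQI threshold of 40, Microwave Oven as the only device type that traps, and event-driven RRM at AQI 35. The sensitivity-to-AQI mapping (Low 35, Medium 50, High 60) is Cisco's documented one; the sample text is a trimmed, constructed copy of the 2.4 GHz output above.

```python
"""Verify a CleanAir alarm/trap policy from 'show ap dot11 <band> cleanair config' text.
Added example for this guide, not code from the original lab material."""

import re

# Constructed sample: a trimmed copy of the WLC3 2.4 GHz output above.
SAMPLE_2_4GHZ = """\
CleanAir Solution................................ : Enabled
Air Quality Settings:
  Air Quality Reporting........................ : Enabled
  Air Quality Alarms........................... : Enabled
  Air Quality Alarm Threshold.................. : 40
Interference Device Settings:
  Interference Device Reporting................ : Enabled
    Bluetooth Link........................... : Disabled
    Microwave Oven........................... : Enabled
    802.11 FH................................ : Enabled
    Bluetooth Discovery...................... : Disabled
    Jammer................................... : Enabled
  Interference Device Types Triggering Alarms:
    Bluetooth Link........................... : Disabled
    Microwave Oven........................... : Enabled
    802.11 FH................................ : Disabled
    Bluetooth Discovery...................... : Disabled
    Jammer................................... : Disabled
  Interference Device Alarms................... : Enabled
AdditionalClean Air Settings:
  CleanAir Event-driven RRM State.............. : Enabled
  CleanAir Driven RRM Sensitivity.............. : LOW
"""

# Cisco's documented event-driven RRM trigger points: the AQI at which each sensitivity fires.
EDRRM_TRIGGER_AQI = {"LOW": 35, "MEDIUM": 50, "HIGH": 60}

# Names that are settings even when they sit inside a device-type section.
SETTING_PREFIXES = ("CleanAir", "Air Quality", "Interference Device")

FIELD = re.compile(r"^(.+?)\.*\s*:\s*(.+)$")


def parse_cleanair_config(text):
    """Return (settings, reported, alarming). Device names appear twice, once under
    'Interference Device Settings' (reported to the controller) and once under
    '... Types Triggering Alarms', so the parser tracks the current section."""
    settings, reported, alarming = {}, set(), set()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(":") and " : " not in line:   # section header
            section = line[:-1]
            continue
        m = FIELD.match(line)
        if not m:
            continue
        name, value = m.group(1).strip(), m.group(2).strip()
        if name.startswith(SETTING_PREFIXES):
            settings[name] = value
        elif section == "Interference Device Settings" and value == "Enabled":
            reported.add(name)
        elif section == "Interference Device Types Triggering Alarms" and value == "Enabled":
            alarming.add(name)
    return settings, reported, alarming


def policy_deviations(text, aqi_threshold, alarm_types, edrrm_aqi):
    """List how the running config differs from the intended trap policy; [] = compliant.
    alarm_types: device names that should raise a trap; edrrm_aqi: AQI at which
    event-driven RRM should move the AP off its channel."""
    settings, reported, alarming = parse_cleanair_config(text)
    want = set(alarm_types)
    problems = []
    if settings.get("CleanAir Solution") != "Enabled":
        problems.append("CleanAir disabled")
    if settings.get("Air Quality Alarms") != "Enabled":
        problems.append("air quality alarms disabled")
    got = settings.get("Air Quality Alarm Threshold")
    if got != str(aqi_threshold):
        problems.append(f"AQI alarm threshold is {got}, want {aqi_threshold}")
    if settings.get("Interference Device Alarms") != "Enabled":
        problems.append("interference device alarms disabled")
    if alarming - want:
        problems.append("unexpected alarm types: " + ", ".join(sorted(alarming - want)))
    if want - alarming:
        problems.append("missing alarm types: " + ", ".join(sorted(want - alarming)))
    if want - reported:   # a type that is not reported can never raise its trap
        problems.append("alarm types not reported: " + ", ".join(sorted(want - reported)))
    if settings.get("CleanAir Event-driven RRM State") != "Enabled":
        problems.append("event-driven RRM disabled")
    sens = settings.get("CleanAir Driven RRM Sensitivity", "")
    if EDRRM_TRIGGER_AQI.get(sens) != edrrm_aqi:
        problems.append(f"ED-RRM sensitivity {sens} fires at AQI {EDRRM_TRIGGER_AQI.get(sens)}, want {edrrm_aqi}")
    return problems
```

Run it over both bands' output; for 5 GHz pass an empty set of alarm types, since the Microwave Oven requirement does not apply there. The "not reported" check catches the case this lab's own commands create for Bluetooth: a type removed from reporting can never trap, however the alarm list is set.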

6. Ensure CleanAir is enabled on both radios of LAP1.

This should be enabled by default once CleanAir itself is enabled.

CAT3#sho ap dot11 24 cleanair summary

AP Name  MAC Address     Slot ID  Spectrum Capable  Spectrum Intelligence  Spectrum Oper State
---------------------------------------------------------------------------------------------
LAP1     84b8.0265.4d60  0        Enabled           Enabled                Up

CAT3#sho ap dot11 5g cleanair summary

AP Name  MAC Address     Slot ID  Spectrum Capable  Spectrum Intelligence  Spectrum Oper State
---------------------------------------------------------------------------------------------
LAP1     84b8.0265.4d60  1        Enabled           Enabled                Up

Helpful Verification Commands

 show ap dot11 24 cleanair config
 show ap dot11 5g cleanair config
 show ap dot11 24gh clean sum
 show ap dot11 5g cleanair summary


Technical Verification and Support

For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.

This concludes Lab 138 of iPexpert’s CCIE Wireless DSG, Section 4, Volume 1
Copyright© iPexpert. All Rights Reserved.

Lab 139: Country Codes :: Detailed Solutions

Technologies Covered

 Country Codes

Detailed Solution Guide

This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.


iPexpert’s Recommended Reading Material


All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

 3650 Config Guide 3.6- Chapter 36

iPexpert’s Recommended Video Training

iPexpert’s Video on Demand training library contains a wealth of videos pertaining to the CCIE
Wireless Lab exam. We recommend watching the following learning videos prior to completing
this lab scenario.

 Video Title: Unified Wireless (Converged)- Country Codes

Topology Detail

This lab requires access to CAT3-4 and WLC3.


Diagram 139.1: Country Codes Topology

Lab 139 Setup

 Can this lab be practiced without completing a previous lab: YES
 If so, which lab load should be used: Converged Controllers- WLANs
 Can this lab be practiced without a fresh lab load by using the final config of the previous lab: YES


Configuration Tasks :: Detailed Solutions

In this scenario, CAT3 and CAT4 are in the same SPG with WLC3 as their MC. Configure country codes
on all of these devices.

Country codes control several things. They feed RRM's channel and power calculations, so they need to be configured on the MC. They also define which regulatory domains the controller accepts, which controls which APs can join an MA, so they need to be configured on the MAs as well. Changing the country code requires both radio networks to be shut down first, and the CLI warns that static channel and RRM group settings may be reset, so any customized APs should be rechecked afterwards.

1. You bought an AP from someone in Germany and it’s having issues joining your controller (which
is in the United States), configure your country codes so that it will be supported.

 Be sure to maintain support for your US-based APs.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#ap dot11 24 shut
CAT3(config)#ap dot11 5g shut
CAT3(config)#ap country US,DE
Changing country code could reset channel and RRM grouping configuration. If running
in RRM One-Time mode, reassign channels after this command. Check customized APs for
valid channel values after this command.
Are you sure you want to continue? (y/n)[y]: y
CAT3(config)#no ap dot11 24 shut
CAT3(config)#no ap dot11 5g shut
CAT3(config)#end

CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#ap dot11 24 shut
CAT4(config)#ap dot11 5g shut
CAT4(config)#ap country US,DE
Changing country code could reset channel and RRM grouping configuration. If running
in RRM One-Time mode, reassign channels after this command. Check customized APs for
valid channel values after this command.
Are you sure you want to continue? (y/n)[y]: y
CAT4(config)#no ap dot11 24 shut
CAT4(config)#no ap dot11 5g shut
CAT4(config)#end


WLC3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
WLC3(config)#ap dot11 24 shut
WLC3(config)#ap dot11 5g shut
WLC3(config)#ap country US,DE
Changing country code could reset channel and RRM grouping configuration. If running
in RRM One-Time mode, reassign channels after this command. Check customized APs for
valid channel values after this command.
Are you sure you want to continue? (y/n)[y]: y
WLC3(config)#no ap dot11 24 shut
WLC3(config)#no ap dot11 5g shut
WLC3(config)#end

CAT3#sho wireless country configured

Configured Country.............................: Multiple Countries:DE,US
Configured Country Codes
DE - Germany : 802.11a Indoor,Outdoor/ 802.11b / 802.11g
US - United States : 802.11a Indoor,Outdoor/ 802.11b / 802.11g

CAT3#sho wireless country channels

Configured Country.............................: Multiple Countries:DE,US
KEY: * = Channel is legal in this country and may be configured manually.
A = Channel is the Auto-RF default in this country.
. = Channel is not legal in this country.
C = Channel has been configured for use by Auto-RF.
x = Channel is available to be configured for use by Auto-RF.
(-,-) = (indoor, outdoor) regulatory domain allowed by this country.
-----------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-
802.11bg :
Channels : 1 1 1 1 1
: 1 2 3 4 5 6 7 8 9 0 1 2 3 4
-----------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-
DE (-E ,-E ): A * * * * A * * * * A * * .
US (-A ,-AB ): A * * * * A * * * * A . . .


Auto-RF : C x x x x C x x x x C x x .
-----------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
802.11a : 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
Channels : 3 3 3 4 4 4 4 4 5 5 6 6 0 0 0 1 1 2 2 2 3 3 4 4 5 5 6 6
: 4 6 8 0 2 4 6 8 2 6 0 4 0 4 8 2 6 0 4 8 2 6 0 9 3 7 1 5
-----------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
DE (-E ,-E ): . A . A . A . A A A A A * * * * * * * * * * * . . . . .
US (-A ,-AB ): . A . A . A . A A A A A * * * * * . . . * * * A A A A *
Auto-RF : . C . C . C . C C C C C x x x x x x x x x x x C C C C x
-----------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
4.9GHz 802.11a :
Channels : 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2
: 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6
-----------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
DE (-E ,-E ): . . . . . . . . . . . . . . . . . . . . . . . . . .
US (-A ,-AB ): * * * * * * * * * * * * * * * * * * * A * * * * * A
Auto-RF : . . . . . . . . . . . . . . . . . . . . . . . . . .
-----------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
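The CLI warning printed above ("Check customized APs for valid channel values after this command") can be acted on with the table the controller prints. The following Python is an added example for this guide (not code from the lab material or from Cisco): it parses the per-country rows of `show wireless country channels`, computes the channels that are legal in every configured country, and flags static channel assignments that one of the countries forbids. The rows are a constructed copy of the DE and US lines above, the channel column lists are read off the table's stacked headers, and the `assignments` dict passed to the checker is a hypothetical input.

```python
"""Read the country rows of 'show wireless country channels' and check static
channel assignments against every configured country.
Added example for this guide, not code from the original lab material."""

import re

# Channel columns of the two bands, read off the stacked headers of the output above.
DOT11BG_CHANNELS = list(range(1, 15))
DOT11A_CHANNELS = [34, 36, 38, 40, 42, 44, 46, 48, 52, 56, 60, 64,
                   100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140,
                   149, 153, 157, 161, 165]

# Constructed sample: the DE and US rows of the output above, one list per band.
SAMPLE_ROWS = {
    "802.11bg": [
        "DE (-E ,-E ): A * * * * A * * * * A * * .",
        "US (-A ,-AB ): A * * * * A * * * * A . . .",
    ],
    "802.11a": [
        "DE (-E ,-E ): . A . A . A . A A A A A * * * * * * * * * * * . . . . .",
        "US (-A ,-AB ): . A . A . A . A A A A A * * * * * . . . * * * A A A A *",
    ],
}

ROW = re.compile(r"^\s*([A-Z]{2})\s*\(\s*(\S+?)\s*,\s*(\S+?)\s*\)\s*:\s*(.*)$")


def parse_country_row(row, channels):
    """Parse one 'CC (indoor,outdoor): marks...' row. Per the output's KEY,
    'A' is the Auto-RF default and '*' is legal for manual use; '.' is illegal."""
    m = ROW.match(row)
    if not m:
        raise ValueError(f"not a country row: {row!r}")
    code, indoor, outdoor, marks = m.groups()
    marks = marks.split()
    if len(marks) != len(channels):
        raise ValueError(f"{code}: {len(marks)} marks for {len(channels)} channels")
    return {
        "code": code,
        "domains": (indoor, outdoor),
        "legal": {ch for ch, mk in zip(channels, marks) if mk in ("A", "*")},
        "auto_rf": {ch for ch, mk in zip(channels, marks) if mk == "A"},
    }


def legal_everywhere(rows, channels):
    """Channels legal in every configured country (safe for manual assignment)."""
    sets = [parse_country_row(r, channels)["legal"] for r in rows]
    return sorted(set.intersection(*sets))


def check_static_channels(assignments, rows, channels):
    """assignments: {ap_name: channel} (hypothetical input). Returns
    {ap_name: [country codes that forbid the channel]} for every AP whose static
    channel is illegal in at least one configured country: the CLI's
    'check customized APs' warning, done mechanically."""
    parsed = [parse_country_row(r, channels) for r in rows]
    bad = {}
    for ap, ch in assignments.items():
        forbidders = [p["code"] for p in parsed if ch not in p["legal"]]
        if forbidders:
            bad[ap] = forbidders
    return bad
```

With US and DE both configured, the 5 GHz channels legal for every country stop at 140: the U-NII-3 channels (149 to 165) are US-only, and 120 to 128 are DE-only. An AP statically assigned to 149 would therefore be flagged against DE, which is exactly what the warning asks you to look for after the country change.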

2. Now that you made your changes, none of your mesh APs are able to join your WLC, go back to
just the US country code.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#ap dot11 24 shut
CAT3(config)#ap dot11 5g shut
CAT3(config)#ap country US
Changing country code could reset channel and RRM grouping configuration. If running
in RRM One-Time mode, reassign channels after this command. Check customized APs for
valid channel values after this command.
Are you sure you want to continue? (y/n)[y]: y
CAT3(config)#no ap dot11 24 shut
CAT3(config)#no ap dot11 5g shut
CAT3(config)#end

CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#ap dot11 24 shut

CAT4(config)#ap dot11 5g shut
CAT4(config)#ap country US
Changing country code could reset channel and RRM grouping configuration. If running
in RRM One-Time mode, reassign channels after this command. Check customized APs for
valid channel values after this command.
Are you sure you want to continue? (y/n)[y]: y
CAT4(config)#no ap dot11 24 shut
CAT4(config)#no ap dot11 5g shut
CAT4(config)#end

WLC3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
WLC3(config)#ap dot11 24 shut
WLC3(config)#ap dot11 5g shut
WLC3(config)#ap country US
Changing country code could reset channel and RRM grouping configuration. If running
in RRM One-Time mode, reassign channels after this command. Check customized APs for
valid channel values after this command.
Are you sure you want to continue? (y/n)[y]: y
WLC3(config)#no ap dot11 24 shut
WLC3(config)#no ap dot11 5g shut
WLC3(config)#end

3. Hang on, mesh APs are not supported on IOS-XE controllers. Oh well, just leave it at US only.

Helpful Verification Commands

 show wireless country configured
 show wireless country channels

Technical Verification and Support

For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.

This concludes Lab 139 of iPexpert’s CCIE Wireless DSG, Section 4, Volume 1
Copyright© iPexpert. All Rights Reserved.

Lab 140: General Controller Settings :: Detailed Solutions

Technologies Covered

 General Controller Settings

Detailed Solution Guide

This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.


iPexpert’s Recommended Reading Material


All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

 N/A

iPexpert’s Recommended Video Training

iPexpert’s Video on Demand training library contains a wealth of videos pertaining to the CCIE
Wireless Lab exam. We recommend watching the following learning videos prior to completing
this lab scenario.

 Video Title: Unified Wireless (Converged)- General Controller Settings

Topology Detail

This lab requires access to CAT3.


Diagram 140.1: General Controller Settings Topology

Lab 140 Setup

 Can this lab be practiced without completing a previous lab: YES
 If so, which lab load should be used: Converged Controllers- WLANs
 Can this lab be practiced without a fresh lab load by using the final config of the previous lab: YES


Configuration Tasks :: Detailed Solutions

All configurations are on CAT3.

There are more general settings, but most of them were already handled in the Network Infrastructure
labs. These are a few “controller” related settings.

1. Ensure that clients can change between different WLANs on the same controller quickly.

2. Client sessions should be removed if they haven’t been heard from in 10 minutes.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wireless client fast-ssid-change
CAT3(config)#wireless client user-timeout 600
CAT3(config)#end

Helpful Verification Commands

 show running-config | include wireless client

Technical Verification and Support

For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.

This concludes Lab 140 of iPexpert’s CCIE Wireless DSG, Section 4, Volume 1
Copyright© iPexpert. All Rights Reserved.


Lab 141: Multicast :: Detailed Solutions

Technologies Covered

 Wireless Multicast

Detailed Solution Guide

This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.


iPexpert’s Recommended Reading Material


All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

 N/A

iPexpert’s Recommended Video Training

iPexpert’s Video on Demand training library contains a wealth of videos pertaining to the CCIE
Wireless Lab exam. We recommend watching the following learning videos prior to completing
this lab scenario.

 Video Title: Unified Wireless (Converged)- Client Multicast

Topology Detail

This lab requires access to CAT3-4.


Diagram 141.1: Multicast Topology

Lab 141 Setup

 Can this lab be practiced without completing a previous lab: YES
 If so, which lab load should be used: Converged Controllers- WLANs
 Can this lab be practiced without a fresh lab load by using the final config of the previous lab: YES


Configuration Tasks :: Detailed Solutions

All configurations are on CAT3 and CAT4.

1. Allow wireless clients to receive multicast traffic.

2. Have the CATs snoop in on the IGMP messages of the wireless clients.

Multicast is disabled by default, but IGMP snooping is enabled by default. So once multicast is turned
on, IGMP snooping should already be there.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wireless multicast
CAT3(config)#end

CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#wireless multicast
CAT4(config)#end

CAT3#sho wireless multicast

Multicast : Enabled
mDNS : Enabled
AP Capwap Multicast : Unicast
Wireless Broadcast : Disabled
Wireless Multicast non-ip-mcast : Disabled

3. When the CATs need to send multicast packets to wireless clients, it should send a single packet
rather than individual packets addressed to each AP.

 CAT3 should send the packet to 239.33.33.33
 CAT4 should send the packet to 239.44.44.44

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#ap capwap multicast 239.33.33.33
CAT3(config)#end


CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#ap capwap multicast 239.44.44.44
CAT4(config)#end

CAT3#sho wireless multicast

Multicast : Enabled
mDNS : Enabled
AP Capwap Multicast : Multicast
AP Capwap Multicast group Address : 239.33.33.33
Wireless Broadcast : Disabled
Wireless Multicast non-ip-mcast : Disabled

To see that the APs joined the groups, you can check the IGMP snooping tables on the MAs.

CAT3#sho ip igmp sno groups

Vlan  Group         Type  Version  Port List
-----------------------------------------------------------------------
113   239.33.33.33  igmp  v2       Gi1/0/1

CAT4#sho ip igmp sno group

Vlan  Group         Type  Version  Port List
-----------------------------------------------------------------------
113   239.44.44.44  igmp  v2       Gi1/0/2, Gi1/0/3

On 3650s (and 3850s) the joined APs and the wireless management interface are always on the same VLAN/subnet, so there is little reason not to use multicast mode: no wired multicast routing is needed for the CAPWAP group, only IGMP snooping on that VLAN, which is what the group tables above show.
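Because the AP group is delivered by IGMP snooping at layer 2, the group address itself deserves a check before it is configured. The following Python is an added example for this guide (not code from the lab material or from Cisco): it validates a candidate `ap capwap multicast` address against ranges it should not collide with, and shows the 32-to-1 IP-to-MAC aliasing that can make two distinct groups indistinguishable to a switch forwarding on MAC alone. The list of ranges to avoid is a constructed, non-exhaustive one; the two addresses used in this lab pass it.

```python
"""Sanity checks for the CAPWAP multicast group addresses chosen on the MAs.
Added example for this guide, not code from the original lab material."""

import ipaddress

ADMIN_SCOPED = ipaddress.ip_network("239.0.0.0/8")

# Ranges a CAPWAP AP group should stay clear of (constructed list, not exhaustive):
# link-local control groups, the internetwork control block, source-specific
# multicast (APs join with ASM IGMPv2) and the SSDP group every client device uses.
AVOID = {
    ipaddress.ip_network("224.0.0.0/24"): "link-local control (OSPF, VRRP, IGMP, mDNS ...)",
    ipaddress.ip_network("224.0.1.0/24"): "internetwork control block",
    ipaddress.ip_network("232.0.0.0/8"): "source-specific multicast",
    ipaddress.ip_network("239.255.255.250/32"): "SSDP",
}


def group_mac(addr):
    """Ethernet MAC a switch forwards the group on: 01:00:5e + low 23 bits (RFC 1112)."""
    low23 = int(ipaddress.ip_address(addr)) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


def check_capwap_group(addr):
    """Return a list of problems with a candidate 'ap capwap multicast' group; [] = fine."""
    ip = ipaddress.ip_address(addr)
    if not ip.is_multicast:
        return ["not a multicast address"]
    problems = [f"collides with {why} ({net})" for net, why in AVOID.items() if ip in net]
    if ip not in ADMIN_SCOPED:
        problems.append(f"outside the administratively scoped range {ADMIN_SCOPED}")
    return problems


def mac_aliases(groups):
    """Groups that share one MAC (32 IPv4 groups map to each). A switch forwarding on
    MAC alone delivers all of them to every port that joined any one of them, so keep
    each controller's CAPWAP group unique at layer 2 as well as layer 3."""
    by_mac = {}
    for g in groups:
        by_mac.setdefault(group_mac(g), []).append(g)
    return {mac: gs for mac, gs in by_mac.items() if len(gs) > 1}
```

Feed `mac_aliases()` every multicast group in use on the AP VLAN, not just the two CAPWAP groups; an application group such as 239.161.33.33 would alias CAT3's 239.33.33.33 and reach the APs' ports.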

4. Disable non-IP multicast on VLAN 13.

Non-IP multicast is disabled globally by default, but enabled on every interface. So once you enable it
globally, all interfaces would allow it. We weren’t asked to enable it globally, but we will disable it on
the VLAN.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#no wireless multicast non-ip vlan 13
CAT3(config)#end


CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#no wireless multicast non-ip vlan 13
CAT4(config)#end

CAT3#sho wire multi

Multicast : Enabled
mDNS : Enabled
AP Capwap Multicast : Multicast
AP Capwap Multicast group Address : 239.33.33.33
Wireless Broadcast : Disabled
Wireless Multicast non-ip-mcast : Disabled

Vlan  Non-ip-mcast  Broadcast  MGID
------------------------------------------------------
1     Enabled       Enabled    Disabled
5     Enabled       Enabled    Disabled
10    Enabled       Enabled    Disabled
11    Enabled       Enabled    Enabled
12    Enabled       Enabled    Enabled
13    Disabled      Enabled    Enabled
14    Enabled       Enabled    Enabled

Helpful Verification Commands

• show wireless multicast
• show ip igmp snoop groups

Technical Verification and Support

For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.

This concludes Lab 141 of iPexpert’s CCIE Wireless DSG, Section 4, Volume 1
Copyright© iPexpert. All Rights Reserved.

Lab 142: WLANs- Non-Guest :: Detailed Solutions

Technologies Covered

• WLANs

Detailed Solution Guide

This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.

iPexpert’s Recommended Reading Material


All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

• 3650 Config Guide 3.6- Chapter 109

iPexpert’s Recommended Video Training

iPexpert’s Video on Demand training library contains a wealth of videos pertaining to the CCIE
Wireless Lab exam. We recommend watching the following learning videos prior to completing
this lab scenario.

• Video Title: Unified Wireless (Converged)- WLAN Configs- Layer 2 Security
• Video Title: Unified Wireless (Converged)- WLAN Configs- Misc. Features
• Video Title: Unified Wireless (Converged)- WLAN Configs- Anchoring and L2 roaming

Topology Detail

This lab requires access to CAT3-4 and the WIN7 client.

Diagram 142.1: WLANs- Non-Guest Topology

Lab 142 Setup

• Can this lab be practiced without completing a previous lab: YES
• If so, which lab load should be used: Converged Controllers- Base
• Can this lab be practiced without a fresh lab load by using the final config of the previous lab: NO

Configuration Tasks :: Detailed Solutions

All configurations are on CAT3.

Static WEP WLAN with local MAC filtering

1. Create a WLAN with the following settings.

• SSID= HQ-WEP1-Pod# (where # is your rack number).
• Enabled only on the 2.4 GHz radios.
• Place clients on VLAN 13 by default.
• Use open static WEP using WEP key 1 with a static key of “cciew”.
• Enable MAC filtering.
  o MAC filtering should only be handled by CAT3 and ISE should not be queried.
• Clients should not need to re-authenticate after a period of time as long as they stay connected to the WLAN.
• Do not enable Aironet Information Elements on the WLAN.

2. Configure a local MAC filtering entry for your WIN7 client.

3. Configure another MAC filtering entry for a client using the MAC address 00:11:22:33:44:55.

I often like to make things work without MAC filtering first before I turn it on. It lets me know that I got
everything configured correctly and it also allows me to easily grab the MAC address of my client.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wlan HQ-WEP1-Pod1 1 HQ-WEP1-Pod1
CAT3(config-wlan)#radio dot11b
CAT3(config-wlan)#client vlan 13
CAT3(config-wlan)#no sec wpa
CAT3(config-wlan)#security static-wep-key encryption 40 ascii 0 cciew 1
CAT3(config-wlan)#no session-timeout
CAT3(config-wlan)#no ccx aironet-iesupport
CAT3(config-wlan)#no shut
CAT3(config-wlan)#end

CAT3#sho wireless client summary

Number of Local Clients : 1

MAC Address     AP Name            WLAN  State  Protocol
--------------------------------------------------------------------------------
c8d7.19c0.0590  AP80e0.1d58.6780   1     UP     11g

I was able to connect without the filtering and now I know the MAC address of my client. Let’s add on
the local MAC filtering.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#username c8d719c00590 mac aaa attribute list wep1
CAT3(config)#username 001122334455 mac aaa attribute list wep1
CAT3(config)#wlan HQ-WEP1-Pod1
CAT3(config-wlan)#shut
CAT3(config-wlan)#mac-filtering wep1
CAT3(config-wlan)#no shut
CAT3(config-wlan)#end

After applying and reconnecting, I was still able to connect and pull an IP.

WPA-PSK WLAN with external MAC filtering

4. Create a WLAN with the following settings.

• SSID= HQ-WPAPSK1-Pod# (where # is your rack number).
• Allow only OFDM clients.
• Place clients on either VLAN 14 or VLAN 15 based on a hashing algorithm.
• Ensure that the upstream switches only receive IGMP join requests from clients on this WLAN on VLAN 14 to prevent duplicate multicast streams.
• Use security settings that support only RSN and a pre-shared key of ipexpert.
• Enable MAC filtering.
  o MAC filtering should be handled by ISE only.
• Limit the WLAN to 100 clients.
• If a statically IPed client associates to the WLAN, and CAT3 doesn’t have an interface that supports it, have CAT3 see if it can tunnel the client to another controller.

5. Connect the WIN7 client to the WLAN.

• Check to see the auth log on ISE for the MAC address lookup when you test connecting to the WLAN.

This WLAN requires a bit of pre-work. We’ll need to get the VLAN group defined as well as the RADIUS
server config.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#vlan group VLAN1415 vlan-list 14,15

CAT3(config)#aaa new
CAT3(config)#radius server ISE
CAT3(config-radius-server)#address ipv4 10.10.210.5 auth 1812 acc 1813
CAT3(config-radius-server)#key ipexpert
CAT3(config-radius-server)#exit

CAT3(config)#aaa group server radius ISE
CAT3(config-sg-radius)#server name ISE
CAT3(config-sg-radius)#subscriber mac-filtering security-mode mac
CAT3(config-sg-radius)#mac-delimiter colon
CAT3(config-sg-radius)#exit

CAT3(config)#aaa authorization network ISEMAC group ISE
CAT3(config)#end

Now we should be able to configure the WLAN. The configurations below go in the order in which the features
were asked for in the task. If you see references to RSN, translate that to WPA2/AES.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wlan HQ-WPAPSK1-Pod1 2
CAT3(config-wlan)#radio dot11ag
CAT3(config-wlan)#client vlan VLAN1415
CAT3(config-wlan)#ip multicast vlan 14
CAT3(config-wlan)#security wpa wpa2 ciphers aes
CAT3(config-wlan)#no security wpa akm dot1x
CAT3(config-wlan)#security wpa akm psk set-key ascii 0 ipexpert
CAT3(config-wlan)#mac-filtering ISEMAC
CAT3(config-wlan)#client association limit 100
CAT3(config-wlan)#static-ip tunneling
CAT3(config-wlan)#no shut
CAT3(config-wlan)#end

I was able to connect and pull an IP. Looking at ISE, I do see the MAC auth log. The auth matches the
MAB authentication rule in ISE, by default, and shows up as a host lookup. Unlike the AireOS controllers,
the IOS-XE devices only look where you tell them to, so the local entries that we created for the WEP
WLAN were ignored.

WPA-PSK WLAN #2

6. Create a WLAN with the following settings.

• SSID= HQ-WPAPSK2-Pod# (where # is your rack number).
• Allow only clients in the UNII band channels.
• Place clients in VLAN15 by default.
• Support the use of TSN with a pre-shared key of ipexpert.
• Only allow up to 10 clients per AP radio.
• This WLAN should try to support the following.
  o Statically IPed clients that tend to only receive traffic, and not send any traffic, without the need to manually populate the MAC-to-IP binding table for each of them.
  o Non-Cisco workgroup bridges that may use different source IPs with the same MAC address.

The only pre-work outside of the WLAN for this is enabling wireless multicast traffic globally for the
passive-client feature. Also, if you see references to TSN, translate that to WPA1/TKIP. We can’t support
WPA/TKIP alone. It must be accompanied by WPA2/AES.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wireless multicast
CAT3(config)#wlan HQ-WPAPSK2-Pod1 3
CAT3(config-wlan)#radio dot11a
CAT3(config-wlan)#client vlan 15
CAT3(config-wlan)#no security wpa akm dot1x
CAT3(config-wlan)#security wpa akm psk set-key ascii 0 ipexpert
CAT3(config-wlan)#security wpa wpa1
CAT3(config-wlan)#security wpa wpa1 ciphers tkip
CAT3(config-wlan)#client association limit radio 10
CAT3(config-wlan)#passive-client
CAT3(config-wlan)#no shut
CAT3(config-wlan)#end

WPA-EAP WLAN

7. Create a WLAN with the following settings.

• SSID= HQ-WPAEAP1-Pod# (where # is your rack number).
• Place clients on VLAN 13.
• Configure the WLAN so that clients can use 802.11n data rates after a successful EAP authentication.
  o ISE should authenticate the clients.
• Only allow clients that use DHCP to work on this WLAN.
• Have CAT3 add option 82 information to the client DHCP requests in an ASCII format that includes the client’s SSID information.
• Configure the WLAN such that it supports client supplicant provisioning from ISE.
• Have the WLAN attempt to spread clients out across multiple APs in an area rather than having all clients use a single AP.
• Clients should be encouraged to use the 5 GHz band.

For the DHCP portion, we need to get DHCP snooping enabled on the switch. I’ll also set it up as a relay
agent. Snooping is required to verify the client actually pulls a DHCP address.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#ip dhcp snooping
CAT3(config)#ip dhcp snooping vlan 13
CAT3(config)#int range gi1/0/21-22
CAT3(config-if-range)#ip dhcp snooping trust

CAT3(config-if-range)#interface Vlan13
CAT3(config-if)# ip dhcp relay information trusted
CAT3(config-if)# ip address 10.10.13.13 255.255.255.0
CAT3(config-if)# ip helper-address 10.10.13.3
CAT3(config-if)#end

Then you can configure the WLAN.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wlan HQ-WPAEAP1-Pod1 4 HQ-WPAEAP1-Pod1
CAT3(config-wlan)#client vlan 13
CAT3(config-wlan)#security dot1x authentication-list ISE
CAT3(config-wlan)#ip dhcp required
CAT3(config-wlan)#ip dhcp opt82
CAT3(config-wlan)#ip dhcp opt82 ascii
CAT3(config-wlan)#ip dhcp opt82 format add-ssid
CAT3(config-wlan)#aaa-override
CAT3(config-wlan)#nac
CAT3(config-wlan)#load-balance
CAT3(config-wlan)#band-select
CAT3(config-wlan)#no shut
CAT3(config-wlan)#end

Helpful Verification Commands

• show wireless client summary
• show wlan name

Technical Verification and Support

For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.

This concludes Lab 142 of iPexpert’s CCIE Wireless DSG, Section 4, Volume 1
Copyright© iPexpert. All Rights Reserved.

Lab 143: Guest WLANs- Local Web :: Detailed Solutions

Technologies Covered

• Guest WLANs

Detailed Solution Guide

This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.

iPexpert’s Recommended Reading Material


All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

• 3650 Config Guide 3.6- Chapter 73

iPexpert’s Recommended Video Training

iPexpert’s Video on Demand training library contains a wealth of videos pertaining to the CCIE
Wireless Lab exam. We recommend watching the following learning videos prior to completing
this lab scenario.

• Video Title: Unified Wireless (Converged)- WLAN Configs- Anchoring and L2 roaming
• Video Title: Unified Wireless (Converged)- Guest WLANs with Local Web Auth

Topology Detail

This lab requires access to CAT3-4, WLC3, and the WIN7 client.

Diagram 143.1: Guest WLANs- Local Web Topology

Lab 143 Setup

• Can this lab be practiced without completing a previous lab: YES
• If so, which lab load should be used: Converged Controllers- Base
• Can this lab be practiced without a fresh lab load by using the final config of the previous lab: YES

Configuration Tasks :: Detailed Solutions

Guest- Local Consent

1. Create a WLAN on CAT3 with the following settings.

• SSID= Guest1-Pod# (where # is your rack number).
• Clients should be assigned to VLAN 11.
• No layer 2 authentication.
• Clients should be redirected to a local web page on CAT3 that requires no username/password.
  o Request that users input their email address.
• Use the built-in webpage for this.
• Configure a virtual IP of 192.0.2.1, but clients should see guest.IPEXPERT.local in their URL.
• Once clients complete the layer 3 authentication, they should be redirected to https://10.10.210.6 (the PI server).
• Clients should not be allowed to talk to each other on this WLAN (assume this WLAN only exists on CAT3).

The first step in this task is to define the global webauth settings on the switch. We’ll create a parameter
map specifically for this webpage, and we’ll also set the virtual IP settings in the global parameter map.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#parameter-map type webauth PASS
This operation will permanently convert all relevant authentication commands to their
CPL control-policy equivalents. As this conversion is irreversible and will disable
the conversion CLI 'authentication display [legacy|new-style]', you are strongly
advised to back up your current configuration before proceeding.
Do you wish to continue? [yes]: yes
CAT3(config-params-parameter-map)#type consent
CAT3(config-params-parameter-map)#consent email
CAT3(config-params-parameter-map)#redirect on-success https://10.10.210.6
CAT3(config-params-parameter-map)#exit

CAT3(config)#parameter-map type webauth global
CAT3(config-params-parameter-map)#virtual-ip ipv4 192.0.2.1 virtual-host guest.IPEXPERT.local
CAT3(config-params-parameter-map)#end

Now we’ll configure the WLAN.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wlan Guest1-Pod1 1
CAT3(config-wlan)#client vlan 11
CAT3(config-wlan)#no security wpa
CAT3(config-wlan)#security web-auth
CAT3(config-wlan)#security web-auth parameter-map PASS
CAT3(config-wlan)#peer-blocking drop
CAT3(config-wlan)#no shut
CAT3(config-wlan)#end

My client was able to connect and pull an IP. Let’s initiate the web redirect.

Not the most impressive webpage, but we do see the guest.ipexpert.local entry in the URL and the
prompt for the email address. After entering my info and accepting, I was successfully logged in and
then redirected to PI.

Guest- Local WebAuth

2. Install the custom webauth bundle from the Windows 2012 server.

• TFTP server= 10.10.210.8
• Located in the root directory
• File name= iosxewebauth.tar

Extract the tar file to the local flash drive. I put mine in a directory called webauth.

CAT3#archive tar /xtract tftp://10.10.210.8/iosxewebauth.tar webauth
Loading iosxewebauth.tar from 10.10.210.8 (via Vlan113): !
extracting ./._Thumbs.db (222 bytes)
extracting Thumbs.db (18432 bytes)
extracting ./._failed.html (272 bytes)
extracting failed.html (332 bytes)
extracting ./._login.html (272 bytes)
extracting login.html (4031 bytes)
extracting ./._loginscript.js (222 bytes)
extracting loginscript.js (318 bytes)
extracting ./._logout.html (222 bytes)
extracting logout.html (1116 bytes)
extracting ./._yourlogo.jpg (177 bytes)
extracting yourlogo.jpg (171266 bytes)
[OK - 206848 bytes]

CAT3#dir flash:webauth
Directory of flash:/webauth/

69698 -rw-     222 Sep 24 2015 16:18:30 +00:00 ._Thumbs.db
69699 -rw-   18432 Sep 24 2015 16:18:30 +00:00 Thumbs.db
69700 -rw-     272 Sep 24 2015 16:18:30 +00:00 ._failed.html
69701 -rw-     332 Sep 24 2015 16:18:30 +00:00 failed.html
69702 -rw-     272 Sep 24 2015 16:18:30 +00:00 ._login.html
69703 -rw-    4031 Sep 24 2015 16:18:30 +00:00 login.html
69704 -rw-     222 Sep 24 2015 16:18:30 +00:00 ._loginscript.js
69705 -rw-     318 Sep 24 2015 16:18:30 +00:00 loginscript.js
69706 -rw-     222 Sep 24 2015 16:18:30 +00:00 ._logout.html
69707 -rw-    1116 Sep 24 2015 16:18:30 +00:00 logout.html
69708 -rw-     177 Sep 24 2015 16:18:30 +00:00 ._yourlogo.jpg
69709 -rw-  171266 Sep 24 2015 16:18:32 +00:00 yourlogo.jpg

3. Create a WLAN with the following settings.

• SSID= Guest2-Pod# (where # is your rack number).
• Clients should be assigned to VLAN 12.
• No layer 2 authentication.
• Clients should be redirected to a local web page on CAT3 that requires a username/password.
• Use the customized webpages for this.
  o You will need to override the default so as not to break the previous WLAN.
  o Files
    - Login page= login.html
    - Login failure page= failed.html
• All clients should have to re-login after 12 hours of being connected to the WLAN.
• Clients should not be allowed to talk to each other on this WLAN.
  o Assume that this WLAN will also be configured on WLC2.
  o Make sure that your solution also prevents clients between WLCs from talking to each other.
  o This solution should not impact any other WLANs with clients on VLAN 12.

We’ll start again with the global webauth settings. We’ll also be sure to configure the AAA part to allow
for the local login.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#parameter-map type webauth WEBAUTH
CAT3(config-params-parameter-map)#typ webauth
CAT3(config-params-parameter-map)#custom-page login device flash:/webauth/login.html
CAT3(config-params-parameter-map)#custom-page failure device flash:/webauth/failed.html
CAT3(config-params-parameter-map)#exit
CAT3(config)#aaa authentication login WEBAUTH local
CAT3(config)#aaa authorization network WEBAUTH local
CAT3(config)#aaa authorization credential-download WEBAUTH local
CAT3(config)#end

Next, we’ll need an ACL to do the P2P blocking across switches.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#ip access-list extended GUEST2
CAT3(config-ext-nacl)#deny ip 10.10.12.0 0.0.0.255 10.10.12.0 0.0.0.255
CAT3(config-ext-nacl)#permit ip any any
CAT3(config-ext-nacl)#end

Now let’s configure the WLAN.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wlan Guest2-Pod1 2
CAT3(config-wlan)#client vlan 12
CAT3(config-wlan)#no security wpa
CAT3(config-wlan)#security web-auth
CAT3(config-wlan)#security web-auth authentication-list WEBAUTH
CAT3(config-wlan)#security web-auth parameter-map WEBAUTH
CAT3(config-wlan)#session-timeout 43200
CAT3(config-wlan)#ip access-group GUEST2
CAT3(config-wlan)#no shut
CAT3(config-wlan)#end

4. Create a Guest user to use with this WLAN.

• Username= guest
• Password= guest
• Lifetime of 7 days

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#user-name guest
CAT3(config-user-name)#password 0 guest
CAT3(config-user-name)#type network-user description guest guest-user lifetime year 0 month 0 day 7
CAT3(config-user-name)#end

I was able to connect and pull an IP in VLAN 12. The web redirect sent me to our custom page as
expected.

Looks like the auth worked as well.

Tunneled Guest- Local WebAuth

5. Expand the Guest2-PodX configuration so that it is available on CAT3, CAT4, and WLC3.

• CAT3 and CAT4 should tunnel the clients on that WLAN up to WLC3 (which is their MC).
• Web authentications should be handled by ISE.
  o Use credentials iseguest1/IPexpert123 for testing.
  o Use a shared key of ipexpert with ISE.
• Remove the ACL portion of the config from the WLAN.

6. Just use the built-in webauth pages on WLC3.

7. Install a certificate to be used during webauth to try and avoid certificate warnings.

• The cert files can be found on the WIN7 client at C:\Rack Files\Certificates\.
• CA file= CA.pem
• Private key= iosxegestkey.pem
• Device certificate file= iosxeguest.pem
• Certificate password= IPexpert123
• Be sure clients are redirected to guest.IPEXPERT.local, so the URL matches the certificate CN.

Rather than tweak the WLAN on CAT3, I’m just going to blow it away and configure it from scratch since
there are some notable differences in the config when we tunnel.

First put identical WLAN configs on CAT3 and CAT4.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#no wlan Guest2-Pod1 2 Guest2-Pod1
CAT3(config)#wlan Guest2-Pod1 2 Guest2-Pod1
CAT3(config-wlan)# client vlan 12
CAT3(config-wlan)# no security wpa
CAT3(config-wlan)# security web-auth
CAT3(config-wlan)# mobility anchor 10.10.112.10
CAT3(config-wlan)# no shutdown
CAT3(config-wlan)#end

CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#wlan Guest2-Pod1 2 Guest2-Pod1
CAT4(config-wlan)# client vlan 12
CAT4(config-wlan)# no security wpa
CAT4(config-wlan)# mobility anchor 10.10.112.10
CAT4(config-wlan)# aaa-override
CAT4(config-wlan)# no shutdown
CAT4(config-wlan)#end

Now configure WLC3. Let’s start with the AAA configs.

WLC3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
WLC3(config)#aaa new
WLC3(config)#radius server ISE
WLC3(config-radius-server)#add ipv4 10.10.210.5 auth 1812 acc 1813
WLC3(config-radius-server)#key ipexpert
WLC3(config-radius-server)#exit

WLC3(config)#aaa group server radius ISE
WLC3(config-sg-radius)#server name ISE
WLC3(config-sg-radius)#exit
WLC3(config)#aaa authentication login ISE group ISE

Next we’ll import the certificate.

WLC3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
WLC3(config)#crypto pki import GUEST pem terminal password IPexpert123
% Enter PEM-formatted CA certificate.
% End with a blank line or "quit" on a line by itself.
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

% Enter PEM-formatted encrypted private General Purpose key.
% End with "quit" on a line by itself.
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

quit
% Enter PEM-formatted General Purpose certificate.
% End with a blank line or "quit" on a line by itself.
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

% PEM files import succeeded.
WLC3(config)#end

Next we’ll configure the webauth settings.

WLC3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
WLC3(config)#parameter-map type webauth WEBAUTH
This operation will permanently convert all relevant authentication commands to their
CPL control-policy equivalents. As this conversion is irreversible and will disable
the conversion CLI 'authentication display [legacy|new-style]', you are strongly
advised to back up your current configuration before proceeding.
Do you wish to continue? [yes]: yes
WLC3(config-params-parameter-map)#type webauth
WLC3(config-params-parameter-map)#exit

WLC3(config)#parameter-map type webauth global
WLC3(config-params-parameter-map)#virtual-ip ipv4 192.0.2.1 virtual-host guest.ipexpert.local
WLC3(config-params-parameter-map)#end

Lastly, I had to configure an interface on WLC3 for VLAN12 with DHCP relay info for the client to pull
an IP.

WLC3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
WLC3(config)#interface Vlan12
WLC3(config-if)# ip dhcp relay information trusted
WLC3(config-if)# ip address 10.10.12.23 255.255.255.0
WLC3(config-if)# ip helper-address 10.10.12.3
WLC3(config-if)#end

The webpage used the newly installed certificate.

Authentication was successful against ISE.

Helpful Verification Commands

• show wlan name
• show run

Technical Verification and Support

For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.

This concludes Lab 143 of iPexpert’s CCIE Wireless DSG, Section 4, Volume 1
Copyright© iPexpert. All Rights Reserved.

Lab 144: Guest WLANs- External Web :: Detailed Solutions

Technologies Covered

• Guest WLANs with ISE

Detailed Solution Guide

This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.

iPexpert’s Recommended Reading Material


All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

• 3650 Config Guide 3.6- Chapter 73

iPexpert’s Recommended Video Training

iPexpert’s Video on Demand training library contains a wealth of videos pertaining to the CCIE
Wireless Lab exam. We recommend watching the following learning videos prior to completing
this lab scenario.

• Video Title: Unified Wireless (Converged)- WLAN Configs- Anchoring and L2 roaming
• Video Title: Unified Wireless (Converged)- Guest WLANs with Central Web Auth

Topology Detail

This lab requires access to CAT3-4, WLC3, and the WIN7 client.

Diagram 144.1: Guest WLANs- External Web Topology

Lab 144 Setup

• Can this lab be practiced without completing a previous lab: YES
• If so, which lab load should be used: Converged Controllers- Base
• Can this lab be practiced without a fresh lab load by using the final config of the previous lab: NO

Configuration Tasks :: Detailed Solutions

Guest- Central WebAuth

1. Create a WLAN on CAT3 with the following settings.

• SSID= Guest1-Pod# (where # is your rack number).
• Clients should be assigned to VLAN 11.
• Configure the WLAN with the appropriate settings to support central web authentication using the ISE server.
  o Open layer 2 with MAC filtering
  o No layer 3 auth
  o ISE as the RADIUS server
  o AAA override enabled
  o RADIUS NAC

To get ready for CWA, we need to do a bunch of AAA config. We need a RADIUS server with support
for CoA, and we need a number of method lists defined for the different functions.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#aaa new
CAT3(config)#radius server ISE
CAT3(config-radius-server)#add ipv4 10.10.210.5 auth 1812 acc 1813
CAT3(config-radius-server)#key ipexpert
CAT3(config-radius-server)#exit

CAT3(config)#aaa group ser radius ISE
CAT3(config-sg-radius)#ser name ISE
CAT3(config-sg-radius)#exit

CAT3(config)#aaa authent dot1x ISE group ISE
CAT3(config)#aaa author netw ISE group ISE
CAT3(config)#aaa author netw MACFILTER group ISE
CAT3(config)#aaa account ident ISE start-stop group ISE
This operation will permanently convert all relevant authentication commands to their
CPL control-policy equivalents. As this conversion is irreversible and will disable
the conversion CLI 'authentication display [legacy|new-style]', you are strongly
advised to back up your current configuration before proceeding.
Do you wish to continue? [yes]: yes

CAT3(config)#dot1x system-auth-control

CAT3(config)#aaa server radius dynamic-author
CAT3(config-locsvr-da-radius)#client 10.10.210.5 server-key ipexpert
CAT3(config-locsvr-da-radius)#auth-type any
CAT3(config-locsvr-da-radius)#end

Now we can configure the WLAN. Don’t forget to enable NAC, AAA override, and accounting on top of
MAC filtering.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wlan Guest1-Pod1 1
CAT3(config-wlan)#client vlan 11
CAT3(config-wlan)#no security wpa
CAT3(config-wlan)#mac-filtering ISE
CAT3(config-wlan)#security dot1x authentication-list ISE
CAT3(config-wlan)#accounting-list ISE
CAT3(config-wlan)#aaa-override
CAT3(config-wlan)#nac
CAT3(config-wlan)#no exclusionlist
CAT3(config-wlan)#no shut
CAT3(config-wlan)#end

2. Create an ACL to be used for the CWA redirect named REDIRECT that allows the needed services
and triggers on HTTP or HTTPS traffic.

When writing the redirect ACL, keep in mind what permits and denies do. Traffic that matches a permit
rule will trigger the redirect, so you want to deny all needed services (DHCP, DNS, ISE traffic), then
permit HTTP and HTTPS traffic.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#ip access-list extended REDIRECT
CAT3(config-ext-nacl)#deny icmp any any
CAT3(config-ext-nacl)#deny udp any any eq bootps
CAT3(config-ext-nacl)#deny udp any any eq bootpc
CAT3(config-ext-nacl)#deny udp any any eq domain
CAT3(config-ext-nacl)#deny ip any host 10.10.210.5
CAT3(config-ext-nacl)#permit tcp any any eq www
CAT3(config-ext-nacl)#permit tcp any any eq 443
CAT3(config-ext-nacl)#end
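As an added example (not code from the original guide), here is a small Python model of the redirect ACL semantics just described: it parses the REDIRECT entries built on CAT3 and reports, for a few constructed client flows, which ones are intercepted and which pass through untouched. The destination addresses in the samples are constructed, and treating the implicit deny at the end of the ACL as "forward, no redirect" is an assumption of the model.

```python
"""Model of how a CWA redirect ACL decides which client traffic gets intercepted.

Added example, not code from the original guide. The ACL text is a copy of the
REDIRECT ACL built on CAT3 in the lab. Decision rule, as the guide describes it:
traffic matching a permit entry is redirected to the ISE portal, traffic matching
a deny entry is forwarded normally. Unmatched traffic falls to the implicit deny,
which this model treats as "forward normally" (assumption).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port keywords used in the lab ACL, resolved to port numbers.
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}

# Copy of the REDIRECT ACL entries from the CAT3 configuration above.
REDIRECT_ACL_TEXT = """
deny icmp any any
deny udp any any eq bootps
deny udp any any eq bootpc
deny udp any any eq domain
deny ip any host 10.10.210.5
permit tcp any any eq www
permit tcp any any eq 443
"""


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    dst: str                   # destination IPv4 address
    dport: Optional[int] = None


@dataclass(frozen=True)
class Entry:
    action: str                # "permit" or "deny"
    proto: str                 # "tcp", "udp", "icmp" or "ip" (any protocol)
    dst_host: Optional[str]    # None means "any"
    dport: Optional[int]       # None means any destination port
    text: str                  # original line, kept so decisions can be explained


def parse_entry(line: str) -> Entry:
    """Parse one ACE of the shape used in the lab: '<action> <proto> any (any|host X) [eq <port>]'."""
    tok = line.split()
    action, proto = tok[0], tok[1]
    if tok[2] != "any":
        raise ValueError(f"only 'any' sources are modelled: {line}")
    i = 3
    if tok[i] == "host":
        dst_host, i = tok[i + 1], i + 2
    else:
        dst_host, i = None, i + 1
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return Entry(action, proto, dst_host, dport, line)


def parse_acl(text: str) -> List[Entry]:
    return [parse_entry(ln) for ln in text.strip().splitlines() if ln.strip()]


def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if e.dst_host is not None and e.dst_host != p.dst:
        return False
    if e.dport is not None and e.dport != p.dport:
        return False
    return True


def redirect_decision(acl: List[Entry], p: Packet) -> Tuple[str, str]:
    """Return ("redirect"|"forward", matching ACE). First match wins, as on the controller."""
    for e in acl:
        if entry_matches(e, p):
            return ("redirect" if e.action == "permit" else "forward", e.text)
    return ("forward", "implicit deny")   # assumption: unmatched traffic is not redirected


if __name__ == "__main__":
    acl = parse_acl(REDIRECT_ACL_TEXT)
    samples = [   # constructed flows from a guest client before it has logged in
        ("DHCP request", Packet("udp", "255.255.255.255", 67)),
        ("DNS query", Packet("udp", "10.10.210.8", 53)),
        ("ISE portal :8443", Packet("tcp", "10.10.210.5", 8443)),
        ("HTTP browse", Packet("tcp", "203.0.113.10", 80)),
        ("HTTPS browse", Packet("tcp", "203.0.113.10", 443)),
        ("HTTP on :8080", Packet("tcp", "203.0.113.10", 8080)),
    ]
    for label, pkt in samples:
        decision, why = redirect_decision(acl, pkt)
        print(f"{label:18s} -> {decision:8s} ({why})")
```

Note that HTTP to the ISE address itself is forwarded, not redirected, because the `deny ip any host 10.10.210.5` line sits above the `permit tcp any any eq www` line: ACE order matters as much as the action.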

3. ISE already has the following credentials that you can use.

• User name= iseguest
• Password= IPexpert123

My client connects and pulls an IP in VLAN 11.

Looking at the access-session gives us some nice details.

CAT3#show access-session mac c8d7.19c0.0590 details
Interface: Capwap2
IIF-ID: 0xE139800000000B
MAC Address: c8d7.19c0.0590
IPv6 Address: Unknown
IPv4 Address: 10.10.11.4
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Common Session ID: 0a0a710d560572aa0000000c
Acct Session ID: 0x00000002
Handle: 0x49000002

Current Policy: (No Policy)

Server Policies:
URL Redirect:
https://ISE.IPEXPERT.local:8443/portal/gateway?sessionId=0a0a710d560572aa0000000c&portal=e2e6fed0-5fca-11e5-8e95-0050569bca4b&action=cwa&token=cd1d8e911d91921cad08ba18f29791bc
URL Redirect ACL: REDIRECT

Method status list: empty

The redirect sends me to the portal where I log in.


Now my client is fully up and able to communicate on the network.

Tunneled Guest- Central WebAuth

4. WLC3 is currently configured as CAT3’s MC. Expand the Guest1-PodX configuration so that CAT3
tunnels the traffic up to WLC3.

• Have WLC3 drop the client off onto VLAN 12.

We should just need to add WLC3 as a mobility anchor on CAT3.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wlan Guest1-Pod1
CAT3(config-wlan)#shut
CAT3(config-wlan)#mob anchor 10.10.112.10
CAT3(config-wlan)#no shut
CAT3(config-wlan)#end

As with AireOS controllers, the layer 2 auths (which CWA uses) are done on the foreign controller.
WLC3 doesn’t even need any AAA config for this to work. Just configure the WLAN, referencing dummy
method lists. You do, however, need to configure the redirect ACL.

WLC3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
WLC3(config)#wlan Guest1-Pod1 1 Guest1-Pod1
WLC3(config-wlan)# aaa-override
WLC3(config-wlan)# client vlan 12
WLC3(config-wlan)# mac-filtering MACFILTER
WLC3(config-wlan)# mobility anchor
WLC3(config-wlan)# nac
WLC3(config-wlan)# no security wpa
WLC3(config-wlan)# no shutdown
WLC3(config-wlan)#
WLC3(config-wlan)#ip access-list extended REDIRECT
WLC3(config-ext-nacl)# deny icmp any any
WLC3(config-ext-nacl)# deny udp any any eq bootps
WLC3(config-ext-nacl)# deny udp any any eq bootpc
WLC3(config-ext-nacl)# deny udp any any eq domain
WLC3(config-ext-nacl)# deny ip any host 10.10.210.5
WLC3(config-ext-nacl)# permit tcp any any eq www
WLC3(config-ext-nacl)# permit tcp any any eq 443
WLC3(config-ext-nacl)#end

My client drops off on the anchor-defined VLAN.

Let’s look at the access-session details on each switch.

CAT3#sho access-session mac c8d7.19c0.0590 det
Interface: Capwap2
IIF-ID: 0xDAD2400000002F
MAC Address: c8d7.19c0.0590
IPv6 Address: Unknown
IPv4 Address: 10.10.12.4
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Common Session ID: 0a0a710d5605768f0000002d
Acct Session ID: 0x00000005
Handle: 0xE1000023
Current Policy: (No Policy)

Method status list: empty

WLC3#show authentication sessions mac c8d7.19c0.0590 details
Interface: Capwap0
MAC Address: c8d7.19c0.0590
IPv6 Address: Unknown
IPv4 Address: 10.10.12.4
Status: Unauthorized
Domain: UNKNOWN
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Common Session ID: 0A0A700A00000FAD001AD556
Acct Session ID: Unknown
Handle: 0xE8000002
Current Policy: (No Policy)

Server Policies:
URL Redirect:
https://ISE.IPEXPERT.local:8443/portal/gateway?sessionId=0a0a710d5605768f0000002d&portal=e2e6fed0-5fca-11e5-8e95-0050569bca4b&action=cwa&token=70634da05fdd2260eef17365672faa29
URL Redirect ACL: REDIRECT

Method status list: empty

We see that the server policies only show up on the anchor. The redirect and login remain the same.


Helpful Verification Commands

• show access-session mac
• show authentication sessions mac
• show run
• show wlan name

Technical Verification and Support

For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.

This concludes Lab 144 of iPexpert’s CCIE Wireless DSG, Section 4, Volume 1
Copyright© iPexpert. All Rights Reserved.


Lab 145: AP Groups :: Detailed Solutions

Technologies Covered

• AP Groups

Detailed Solution Guide

This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.


iPexpert’s Recommended Reading Material


All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

• 3650 Config Guide 3.6- Chapter 110

iPexpert’s Recommended Video Training

iPexpert’s Video on Demand training library contains a wealth of videos pertaining to the CCIE
Wireless Lab exam. We recommend watching the following learning videos prior to completing
this lab scenario.

• Video Title: Unified Wireless (Converged)- AP Groups

Topology Detail

This lab requires access to CAT4.


Diagram 145.1: AP Groups Topology

Lab 145 Setup

• Can this lab be practiced without completing a previous lab: YES
• If so, which lab load should be used: Converged Controllers- Base
• Can this lab be practiced without a fresh lab load by using the final config of the previous lab: YES


Configuration Tasks :: Detailed Solutions

All configurations are on CAT4.

1. Configure a new WLAN with the following attributes.

• SSID= HQ-WPAPSK3-PodX (where X is your rack number).
• Security= WPA2/AES with a PSK of ipexpert.
• Place clients on VLAN 15.
• The WLAN should not be configured on APs in the default AP group.

This is a basic PSK WLAN. The only thing we do differently is to specify a WLAN ID number higher than
16 to keep it out of the default AP group. I chose 20.

CAT4#config t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#wlan HQ-WPAPSK3-Pod1 20
CAT4(config-wlan)#no security wpa akm dot1x
CAT4(config-wlan)#security wpa akm psk set-key ascii 0 ipexpert
CAT4(config-wlan)#client vlan 15
CAT4(config-wlan)#no shut
CAT4(config-wlan)#end

CAT4#sho wlan sum

Number of WLANs: 1

WLAN Profile Name SSID VLAN Status
--------------------------------------------------------------------------------
20 HQ-WPAPSK3-Pod1 HQ-WPAPSK3-Pod1 15 UP

CAT4#sho ap groups

Site Name: default-group
Site Description:

WLAN ID WLAN Name Interface
----------------------------------------------------

AP Name Ethernet MAC Location
-----------------------------------------------------------
LAP2 24e9.b3ec.83ea default location
LAP3 fc99.472c.fdcd default location

Note the absence of our new WLAN under the default-group.

2. Configure an AP group named CCIEW.

• Only include the PSK WLANs in the group.
• All WLANs should place clients on VLAN 13.
• Add LAP2 and LAP3 to the group.

I did this lab after a fresh load, so I only have the 1 PSK WLAN. If you have others, go ahead and add
them as well. All WLANs should use VLAN 13.

CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#ap group CCIEW
CAT4(config-apgroup)#wlan HQ-WPAPSK3-Pod1
CAT4(config-wlan-apgroup)#vlan 13
CAT4(config-wlan-apgroup)#end

CAT4#ap name LAP2 ap-groupname CCIEW
Changing the AP's group name will cause the AP to reboot.
Are you sure you want to continue? (y/n)[y]: y
CAT4#ap name LAP3 ap-groupname CCIEW
Changing the AP's group name will cause the AP to reboot.
Are you sure you want to continue? (y/n)[y]: y

Once the APs reboot and re-join the controller, we can verify.

CAT4#sho ap groups

Site Name: CCIEW
Site Description:

WLAN ID WLAN Name Interface
-----------------------------------------------------
20 HQ-WPAPSK3-Pod1 HQData1

AP Name Ethernet MAC Location
-----------------------------------------------------------
LAP2 24e9.b3ec.83ea default location
LAP3 fc99.472c.fdcd default location

Site Name: default-group
Site Description:

WLAN ID WLAN Name Interface
----------------------------------------------------

AP Name Ethernet MAC Location
-----------------------------------------------------------

Helpful Verification Commands

• show ap groups

Technical Verification and Support

For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.

This concludes Lab 145 of iPexpert’s CCIE Wireless DSG, Section 4, Volume 1
Copyright© iPexpert. All Rights Reserved.


Section 5: Prime Infrastructure and MSE


Lab 146: PI CLI Configurations :: Detailed Solutions

Technologies Covered

• PI CLI Configurations

Detailed Solution Guide

This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.


iPexpert’s Recommended Reading Material


All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

• N/A

iPexpert’s Recommended Video Training

iPexpert’s Video on Demand training library contains a wealth of videos pertaining to the CCIE
Wireless Lab exam. We recommend watching the following learning videos prior to completing
this lab scenario.

• Video Title: Prime and MSE- Prime CLI Configurations

Topology Detail

This lab requires access to the PI server and the WIN7 client.


Diagram 146.1: PI CLI Configurations Topology

Lab 146 Setup

• Can this lab be practiced without completing a previous lab: YES
• If so, which lab load should be used: PI/MSE- Base
• Can this lab be practiced without a fresh lab load by using the final config of the previous lab: NO


Configuration Tasks :: Detailed Solutions

1. SSH to the PI server at 10.10.210.6 to access the CLI.

• User= admin
• Password= IPexpert123

2. Manually set the date/time to reflect your current date/time.

Ideally you are using NTP, but if you must set the clock manually, do so. Notice that it starts in UTC.

PI/admin# clock set Aug 7 09:26:30 2015
PI/admin# show clock
Fri Aug 7 09:26:35 UTC 2015

3. Configure the time zone to be EST5EDT.

4. Configure 10.10.210.20 as an NTP server.

Normally I will only change the time zone when asked; otherwise it’s fairly irrelevant. UTC is always a
good one to use as a default.

PI/admin# conf t
Enter configuration commands, one per line. End with CNTL/Z.
PI/admin(config)# clock timezone EST5EDT
% Warning: System timezone was modified, NCS will need to be restarted.
PI/admin(config)# ntp server 10.10.210.20
PI/admin(config)# end

PI/admin# show ntp
NTP Server 1 : 10.10.210.20

unsynchronized
time server re-starting
polling server every 64 s

remote refid st t when poll reach delay offset jitter
==============================================================================
10.10.210.20 LOCAL(1) 8 u 18 64 3 0.877 0.039 0.274

Warning: Output results may conflict during periods of changing synchronization.

Notice how it is not synchronized yet? PI takes a few minutes to get to a synchronized state, but based
on the information in the delay, offset, and jitter columns, we can see that communications are
happening. That’s a good sign. Usually once I see that, I’m pretty confident that the synchronization
will take place and I don’t hang around waiting to see. I’ll just come back during my final verifications
and ensure that it made its way to a fully synchronized state. This is what it should eventually look like.

PI/admin# show ntp
NTP Server 1 : 10.10.210.20

synchronised to NTP server (10.10.210.20) at stratum 9
time correct to within 942 ms
polling server every 64 s

remote refid st t when poll reach delay offset jitter
==============================================================================
*10.10.210.20 LOCAL(1) 8 u 8 64 77 0.829 -0.240 0.141

Warning: Output results may conflict during periods of changing synchronization.
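As an added example (not code from the original guide), this Python parser reads the two show ntp outputs above, copied in as constants, and turns the header and peer line into a verdict: whether the server is answering polls yet (the "communications are happening" check) and whether PI has actually been synchronised to it. The reach-register and tally-character interpretation is standard ntpq behaviour and is assumed to apply to PI's output unchanged.

```python
"""Judge NTP state from the PI CLI 'show ntp' output.

Added example, not code from the original guide. The two samples are copies of
the outputs shown in the lab. Field interpretation is standard ntpq 'peers'
semantics, assumed to apply to PI's output: a leading '*' tally marks the peer
the system is synchronised to, and 'reach' is an octal shift register of the
last eight polls (newest poll in the low bit, 1 = answered).
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

SHOW_NTP_BEFORE = """\
NTP Server 1 : 10.10.210.20

unsynchronized
time server re-starting
polling server every 64 s

remote refid st t when poll reach delay offset jitter
==============================================================================
10.10.210.20 LOCAL(1) 8 u 18 64 3 0.877 0.039 0.274
"""

SHOW_NTP_AFTER = """\
NTP Server 1 : 10.10.210.20

synchronised to NTP server (10.10.210.20) at stratum 9
time correct to within 942 ms
polling server every 64 s

remote refid st t when poll reach delay offset jitter
==============================================================================
*10.10.210.20 LOCAL(1) 8 u 8 64 77 0.829 -0.240 0.141
"""

PEER_RE = re.compile(
    r"^(?P<tally>[*+#x~.o-]?)(?P<remote>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<refid>\S+)\s+"
    r"(?P<st>\d+)\s+(?P<t>\S)\s+(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]+)\s+"
    r"(?P<delay>-?[\d.]+)\s+(?P<offset>-?[\d.]+)\s+(?P<jitter>-?[\d.]+)$"
)
SYNC_RE = re.compile(r"^synchronised to NTP server \((\S+)\) at stratum (\d+)")


@dataclass
class NtpStatus:
    synchronised: bool            # header line says 'synchronised to NTP server'
    stratum: Optional[int]        # system stratum from that header (peer stratum + 1)
    peer: Optional[str]           # address from the peers table
    selected: bool                # peer carries the '*' tally
    polls_answered: int           # 1-bits in the 8-bit reach register
    consecutive_answered: int     # most recent polls answered in a row
    delay_ms: Optional[float]
    offset_ms: Optional[float]


def reach_stats(reach_octal: str) -> Tuple[int, int]:
    """Decode the octal reach register into (answered out of 8, most recent consecutive)."""
    reg = int(reach_octal, 8) & 0xFF
    answered = bin(reg).count("1")
    consecutive = 0
    while reg & 1:
        consecutive += 1
        reg >>= 1
    return answered, consecutive


def parse_show_ntp(output: str) -> NtpStatus:
    status = NtpStatus(False, None, None, False, 0, 0, None, None)
    for raw in output.splitlines():
        line = raw.strip()          # a blank tally (unselected peer) is dropped here; regex allows it
        m = SYNC_RE.match(line)
        if m:
            status.synchronised, status.stratum = True, int(m.group(2))
            continue
        m = PEER_RE.match(line)
        if m:
            status.peer = m.group("remote")
            status.selected = m.group("tally") == "*"
            status.polls_answered, status.consecutive_answered = reach_stats(m.group("reach"))
            status.delay_ms = float(m.group("delay"))
            status.offset_ms = float(m.group("offset"))
    return status


def peer_responding(s: NtpStatus) -> bool:
    """The 'communications are happening' check: at least one recent poll was answered."""
    return s.polls_answered > 0


def fully_synchronised(s: NtpStatus) -> bool:
    """What the final verification should show: header synchronised and the peer selected."""
    return s.synchronised and s.selected


if __name__ == "__main__":
    for label, text in (("before", SHOW_NTP_BEFORE), ("after", SHOW_NTP_AFTER)):
        s = parse_show_ntp(text)
        print(f"{label}: responding={peer_responding(s)} synchronised={fully_synchronised(s)} "
              f"reach={s.polls_answered}/8 offset={s.offset_ms} ms")
```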

5. Configure an IPv6 management IP of 2001:cc1e:0:210::6/64.

6. Verify the IPv4 address and default gateway configurations.

7. Configure PI to use 10.10.210.8 as a DNS server.

8. Set ipexpert.com as the DNS suffix.

These are all connectivity-related CLI configurations. In all likelihood, this is all preconfigured for you,
but it’s good to know about just in case you have connectivity-related issues.

PI/admin# show run
Generating configuration...
!
hostname PI
!
ip domain-name ipexpert.com
!
interface GigabitEthernet 0
ip address 10.10.210.6 255.255.255.0
ipv6 address static 2001:CC1E:0:210:0:0:0:6/64
!
ip name-server 10.10.210.8
!
ip default-gateway 10.10.210.1

[lines omitted]

PI/admin#ping 10.10.205.20
PING 10.10.205.20 (10.10.205.20) 56(84) bytes of data.
64 bytes from 10.10.205.20: icmp_seq=1 ttl=255 time=5.69 ms
From 10.10.210.1: icmp_seq=1 Redirect Network(New nexthop: 10.10.210.20)
64 bytes from 10.10.205.20: icmp_seq=2 ttl=255 time=0.765 ms
64 bytes from 10.10.205.20: icmp_seq=3 ttl=255 time=0.670 ms
64 bytes from 10.10.205.20: icmp_seq=4 ttl=255 time=0.634 ms

--- 10.10.205.20 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3001ms
rtt min/avg/max/mdev = 0.634/1.939/5.690/2.166 ms

PI/admin#Ping6 2001:cc1e:0:205::20
PING 2001:cc1e:0:205::20(2001:cc1e:0:205::20) from 2001:cc1e:0:210::6 eth0: 56 data
bytes
64 bytes from 2001:cc1e:0:205::20: icmp_seq=0 ttl=64 time=3.14 ms
64 bytes from 2001:cc1e:0:205::20: icmp_seq=1 ttl=64 time=0.626 ms
64 bytes from 2001:cc1e:0:205::20: icmp_seq=2 ttl=64 time=0.601 ms
64 bytes from 2001:cc1e:0:205::20: icmp_seq=3 ttl=64 time=0.655 ms

--- 2001:cc1e:0:205::20 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3001ms
rtt min/avg/max/mdev = 0.601/1.256/3.144/1.090 ms, pipe 2

9. Create another CLI user account

• User= bytor
• Password= IPexpert123
• Role= admin

Users created in the CLI are only valid for CLI access.

PI/admin# conf t
Enter configuration commands, one per line. End with CNTL/Z.
PI/admin(config)# username bytor password plain IPexpert123 role admin
PI/admin(config)# end

10. Pretend that you’ve lost the password for the GUI account named admin and reset it to
IPexpert123.

11. Configure FTP user credentials for the PI FTP service.

• User= ftpuser
• Password= IPexpert123

In case you ever get locked out of the GUI due to “losing” the password, you have a method in the CLI
to reset it. You can also set the user/pass for the FTP account in case you ever need to FTP files to/from
the server and you don’t know the credentials.

PI/admin# ncs password root password IPexpert123
Loading USER - root
Validating new password..
Resetting password ..
Resetting password COMPLETED.
EXECUTION STATUS : Success

PI/admin# ncs password ftpuser ftpuser password IPexpert123
Initializing...
Updating FTP password.
This may take a few minutes...
Successfully updated location ftp user

12. Save the running config.

Be sure to save any CLI config changes in case of a server reboot.


PI/admin# wr mem
Generating configuration...
PI/admin#

NOTE
This next task will take a LONG time to complete (like 20+ minutes). So you can skip it if you want (just
know what the commands are) and jump forward to verifying the application is running.

13. Stop the PI service and then start it up again.

Even though PI has been around for a while now, they still call the service NCS in the CLI. If you suspect
that PI is having issues internally, try giving the service a restart.

PI/admin# app stop NCS

Stopping Prime Infrastructure...

This may take a few minutes...

Prime Infrastructure successfully shutdown.

Plug and Play Gateway is being shut down..... Please wait!!!

Stop of Plug and Play Gateway Completed!!

Stopping SAM daemon...
Checking for SAM daemon again ...
Found SAM daemon ...
Stopping SAM daemon ...
Stopping DA daemon ...
Checking for DA daemon again ...
DA Daemon not found...
Stopping strongSwan IPsec...

PI/admin# app start NCS


Starting Prime Infrastructure...

This may take a while (10 minutes or more) ...

Eventually it will complete and you can verify.

14. Verify that the application restarts with the show application status NCS command.

• The following services should get into a running state

o Health Monitor Server is running.

o Matlab Server Instance 1 is running

o Ftp Server is running

o Database server is running

o Matlab Server is running

o Tftp Server is running

o NMS Server is running.

o Plug and Play Gateway is running.

o SAM Daemon is running ...

o DA Daemon is running ...

PI/admin# show ap st NCS
Health Monitor Server is running.
Matlab Server Instance 1 is running
Ftp Server is running
Database server is running
Matlab Server is running
Tftp Server is running
NMS Server is running.
Plug and Play Gateway is running.
SAM Daemon is running ...
DA Daemon is running ...


Helpful Verification Commands

• show clock
• show ntp
• show run
• ncs password root
• ncs password ftpuser
• show app status NCS

Technical Verification and Support

For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.

This concludes Lab 146 of iPexpert’s CCIE Wireless DSG, Section 5, Volume 1
Copyright© iPexpert. All Rights Reserved.


Lab 147: Adding Devices to PI :: Detailed Solutions

Technologies Covered

• Adding WLCs
• Adding Switches
• Adding AAPs

Detailed Solution Guide

This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.


iPexpert’s Recommended Reading Material


All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

• Prime Infrastructure Config Guide- Chapter 8

iPexpert’s Recommended Video Training

iPexpert’s Video on Demand training library contains a wealth of videos pertaining to the CCIE
Wireless Lab exam. We recommend watching the following learning videos prior to completing
this lab scenario.

• Video Title: Prime and MSE- Adding Devices to PI

Topology Detail

This lab requires access to pretty much everything in the rack.


Diagram 147.1: Adding Devices to PI Topology

Lab 147 Setup

• Can this lab be practiced without completing a previous lab: YES
• If so, which lab load should be used: PI/MSE- Base
• Can this lab be practiced without a fresh lab load by using the final config of the previous lab: YES


Configuration Tasks :: Detailed Solutions

1. Add WLC1, WLC2, and WLC3 to PI using the most secure methods of communication.

• Create an SNMPv3 user named “prime” for this task.
• Ensure that PI is able to make changes on the WLCs.
• Ensure that PI can login to WLC3 with the following credentials using SSH.

o User= admin

o Password= IPexpert123

o Enable Secret= IPexpert123

First, create the snmpv3 user. It was left up to us what security methods to choose and the associated
passwords. Just make sure the name is prime and the mode is RW. On WLC3, you’ll need to specify
128-bit AES rather than the more secure 256-bit. The reason is that PI doesn’t support 256.

(WLC1) >config snmp v3user create prime rw hmacsha aescfb128 IPexpert12345 IPexpert12345

(WLC2) >config snmp v3user create prime rw hmacsha aescfb128 IPexpert12345 IPexpert12345

WLC3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
WLC3(config)#snmp-server group prime v3 priv read v1default write v1default
WLC3(config)#snmp-server user prime prime v3 auth sha IPexpert12345 priv aes 128 IPexpert12345
WLC3(config)#user admin priv 15 password IPexpert123
WLC3(config)#enable secret IPexpert123
WLC3(config)#no aaa new
WLC3(config)#line vty 0 15
WLC3(config-line)#login local
WLC3(config-line)#end

Now go to PI and add the WLCs.


Repeat this process for WLC1 and WLC2.


I recommend verifying the credentials prior to adding the device. It just helps to ensure that you
entered the information correctly on this screen, and that the device itself is also configured to allow
the communications.

The config for WLC3 is nearly identical to that for WLC1-2. We just want to also specify the Enable
password.


Once they have been added, you should see them listed in the managed devices as shown below.

2. Add WLC4 to PI using SNMPv2.

• PI should not be able to make changes to WLC4.
• Create a community named “primero” and only allow PI to use it.
• Add a RO management user to WLC4 named “prime” and use that to prevent any CLI RW
possibilities.

(WLC4) >config snmp community create primero
(WLC4) >config snmp community ipaddr 10.10.210.6 255.255.255.255 primero
(WLC4) >config snmp community accessmode ro primero
(WLC4) >config snmp community mode enable primero
(WLC4) >config mgmtuser add prime IPexpert123 read-only

Now add it to PI.


3. Create the following device credential profile.

• Name= IOS_Devices
• SNMP version= v2c
• RO community= public
• RW community= private
• CLI method= telnet
• CLI user name= admin
• CLI password= IPexpert123
• CLI enable password= IPexpert123

Credential sets make life easier for the repetitive task of adding many devices that use the same
credentials.


4. Manually add the AAPs to PI using this IOS_Devices credential profile. Be sure to add the needed
config to the AAPs to support this.

AAPs use different user/enable credentials by default and they do not have the communities
configured.

AAP1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
AAP1(config)#user admin pass IPexpert123
AAP1(config)#snmp-server comm public ro
AAP1(config)#snmp-server comm private rw
AAP1(config)#enable secret IPexpert123
AAP1(config)#end

AAP2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
AAP2(config)#user admin pass IPexpert123
AAP2(config)#snmp-server comm public ro
AAP2(config)#snmp-server comm private rw
AAP2(config)#enable secret IPexpert123
AAP2(config)#end

Now add them to PI using the credential set.


Choose the credential set, and the credentials are automatically populated for you. So it’s a little bit
easier than what we were doing before, but we are still adding one device at a time.

5. Attempt to add all 5 switches using a discovery.

• Do a ping sweep of VLANs 10 and 113 and the IP 10.10.20.1.
• Use the “IOS_Devices” credential profile for all IPs.

• Ensure all switches are configured to work with the credential set.

First, configure the switches, just like you did the AAPs.

CAT1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT1(config)#user admin pass IPexpert123
CAT1(config)#snmp-server comm public ro
CAT1(config)#snmp-server comm private rw
CAT1(config)#enable secret IPexpert123
CAT1(config)#line vty 0 15
CAT1(config-line)#login local
CAT1(config-line)#end

[repeat on all switches]

This method in PI makes life simpler when adding many devices that use the same credentials.


The job will take a number of minutes to complete. Once it does, it should hopefully have discovered
all 5 of your switches. Overall, it takes longer to add devices using this method, but it takes less work.
So if you can fire it off and go do something else for a while, you could ultimately save yourself a minute
of time in the lab. If the choice were mine, I’d probably just go for the manual adds with the credential
set rather than a discovery, but you never know if they might ask you to use this method, so you should
know it.

Notice how the IPs chosen for CAT1 and CAT2 aren’t in VLAN 10? The discovery process seems to reach
out to each device that it finds, analyze it, and then pick an IP. Based on the default settings in the
discovery, loopbacks are preferred. That’s why CAT5 is managed using its 10.10.20.1 address rather
than its 10.10.99.2 address.

6. Create the following location groups under All Locations.

• HQ
• MO

7. Create an additional location named DMZ under HQ.


Repeat this for MO and the DMZ groups as asked. At the end, your hierarchy should look like this.


8. Add devices to locations as described below.

• WLC3 should be in the DMZ.
• All other devices in the HQ should be in the HQ.
• All devices in the medium office should be in the MO.

Once you complete all of the assignments, it should look like this.

Helpful Verification Commands

• N/A

Technical Verification and Support

For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.

This concludes Lab 147 of iPexpert’s CCIE Wireless DSG, Section 5, Volume 1
Copyright© iPexpert. All Rights Reserved.

Lab 148: Device Configuration Templates :: Detailed Solutions

Technologies Covered

• AireOS WLC Templates
• IOS-XE Templates
• Lightweight AP Templates
• Autonomous AP Templates
Detailed Solution Guide

This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.

iPexpert’s Recommended Reading Material

All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

• Prime Infrastructure Config Guide- Chapter 10

iPexpert’s Recommended Video Training

iPexpert’s Video on Demand training library contains a wealth of videos pertaining to the CCIE
Wireless Lab exam. We recommend watching the following learning videos prior to completing
this lab scenario.

• Video Title: Prime and MSE- Device Configurations in PI

Topology Detail

This lab requires access to pretty much every device in your rack.

Diagram 148.1: Device Configuration Templates Topology

Lab 148 Setup

• Can this lab be practiced without completing a previous lab: NO
• If not, which lab(s) need to be completed first: Lab 147

Configuration Tasks :: Detailed Solutions

AireOS WLC Templates

1. Create a template to configure a RADIUS authentication server on an AireOS controller

• IP= 10.10.210.5
• Shared secret= ipexpert
• Support CoA
• Use for client authentications only.

2. Push out the RADIUS template to WLC1 and WLC2

It takes a little digging to find the template. You can get to it by going to Features and Technologies >
Controller > Security > AAA > RADIUS Auth Servers.

Go ahead and fill in the details as requested. In general, I try to apply the default settings that you’d
find when configuring it in the CLI or GUI unless told otherwise. Once saved, you can click on the
template and get the Deploy option at the bottom.

Once it completes, you should see the server configured on WLC1-2.

3. Create a template to configure a WLAN on an AireOS controller

• Profile/SSID name= HQData1-Pod# (where # is your rack number)
• Use WLAN ID# 17
• Assign the clients to the vlan13 interface
• Use WPA2/AES with 802.1x for security
  o Use ISE as your RADIUS server
• Leave all other settings at their default

4. Push out the WLAN template to WLC1 and WLC2.

Once saved, go ahead and deploy it, just as you did with the RADIUS template. Here is the WLAN on
one of the WLCs after the job completes.

IOS-XE Templates

5. Use the “Radius Configuration-IOS” CLI template to configure RADIUS and AAA configs on your IOS-XE
devices.

• Use the default template config.
• Allow the template to be pushed out to 5760 WLCs.
• Do not use this template to configure management authentication.

6. Push out the template to WLC3, CAT3, and CAT4.

Save the template, and then deploy it.

Click OK after applying the Value Assignment settings. The template should deploy.

WLC3#sho run aaa
!
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa authorization configuration default group ISE
aaa accounting dot1x default start-stop group ISE
username admin password 0 IPexpert123
!
radius-server host 10.10.210.5 auth-port 1812 acct-port 1813
radius-server key ipexpert
!
aaa group server radius ISE
 server 10.10.210.5 auth-port 1812 acct-port 1813
!
aaa new-model
aaa session-id common

7. Create a template to configure a WLAN on WLC3, CAT4, and CAT5

• Profile/SSID name= HQData1-Pod# (where # is your rack number)
• Use WLAN ID# 17
• Assign the clients to the vlan13
• Use WPA2/AES with 802.1x for security
• Use ISE as your RADIUS server
• Leave all other settings at their default.

8. Push out the WLAN template to WLC3, CAT3, and CAT4.

Here we can use the same Controller WLAN template as we did with WLC1-2, but we need to flip it to
the IOS/UA device type.

For whatever reason, PI isn’t seeing the method list that was just created. I couldn’t figure out how to
get it to show up, so we will need to manually remediate later.

PI will require us to enable a session timeout. Configure and then save the template. Then deploy it to
the IOS-XE devices.

CAT3#sho wlan sum
Number of WLANs: 1

WLAN  Profile Name   SSID           VLAN  Status
--------------------------------------------------------------------------------
17    HQData1-Pod1   HQData1-Pod1   13    UP

To make this work, we need 2 manual configs. One is to enable dot1x system auth control globally. The
other is to configure the WLAN to use the AAA method list that we created earlier. As you can see, the
IOS-XE templates aren’t totally bullet-proof, so be sure to pay attention to what they do and do not
configure.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#dot1x system-auth-control
CAT3(config)#wlan HQData1-Pod1
CAT3(config-wlan)#shut
CAT3(config-wlan)#security dot1x authentication-list ISE
CAT3(config-wlan)#no shut
CAT3(config-wlan)#end

Repeat this on CAT4 and WLC3 and you should have a valid WLAN with 802.1x.
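As an added example (not code from the iPexpert guide or from Prime Infrastructure), here is a small Python audit that reads an IOS-XE running-config and flags exactly the two gaps the template left behind: the missing global dot1x system-auth-control and a WLAN with no dot1x authentication-list pointing at a defined AAA method list. The sample configs are constructed from the outputs above; the named method list ISE in the after state is an assumption, since the template only created the default list.

```python
"""Audit an IOS-XE converged-access running-config for the two settings the
PI WLAN template does not push: global 'dot1x system-auth-control' and a
WLAN-level 'security dot1x authentication-list' that names a defined AAA
method list. Added example for this lab; not code from the guide or from PI."""
import re
from typing import Dict, List

# Constructed sample: the state right after the PI templates were deployed,
# modelled on the 'sho run aaa' and 'sho wlan sum' outputs in this lab.
BEFORE_MANUAL_FIX = """\
aaa new-model
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
!
aaa group server radius ISE
 server 10.10.210.5 auth-port 1812 acct-port 1813
!
wlan HQData1-Pod1 17 HQData1-Pod1
 client vlan 13
 no shutdown
!
"""

# Constructed sample after the manual remediation. The named list
# 'aaa authentication dot1x ISE' is an assumption: the template only created
# the default list, so a list of that name has to exist for the WLAN binding.
AFTER_MANUAL_FIX = BEFORE_MANUAL_FIX.replace(
    "aaa new-model\n",
    "aaa new-model\ndot1x system-auth-control\naaa authentication dot1x ISE group ISE\n",
).replace(" client vlan 13\n", " client vlan 13\n security dot1x authentication-list ISE\n")


def parse_wlans(config: str) -> Dict[str, List[str]]:
    """Return {profile_name: [sub-commands]} for every 'wlan <profile> <id> <ssid>'
    block. Sub-commands are the lines indented by one space under the header;
    any non-indented line (including the '!' separator) ends the block."""
    wlans: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        header = re.match(r"^wlan (\S+) (\d+) (\S+)\s*$", raw)
        if header:
            current = header.group(1)
            wlans[current] = []
        elif current is not None and raw.startswith(" "):
            wlans[current].append(raw.strip())
        else:
            current = None
    return wlans


def dot1x_method_lists(config: str) -> Dict[str, str]:
    """Map each 'aaa authentication dot1x <list> group <grp>' to its server group."""
    return dict(re.findall(r"^aaa authentication dot1x (\S+) group (\S+)", config, re.M))


def wlan_uses_dot1x(subcommands: List[str]) -> bool:
    """Converged-access WLANs default to WPA2/AES with the 802.1X AKM, so the
    running-config only shows deviations from that. Treat the WLAN as 802.1X
    unless WPA or the dot1x AKM was explicitly turned off."""
    disabled = {"no security wpa", "no security wpa akm dot1x"}
    return not any(line in disabled for line in subcommands)


def audit_dot1x(config: str) -> List[str]:
    """Return a list of findings; an empty list means the config is complete."""
    findings: List[str] = []
    if not re.search(r"^dot1x system-auth-control\s*$", config, re.M):
        findings.append("global: dot1x system-auth-control is missing")
    lists = dot1x_method_lists(config)
    for profile, subcommands in parse_wlans(config).items():
        if not wlan_uses_dot1x(subcommands):
            continue
        bound = [line.split()[-1] for line in subcommands
                 if line.startswith("security dot1x authentication-list ")]
        if not bound:
            findings.append(f"wlan {profile}: no dot1x authentication-list bound")
        elif bound[0] not in lists:
            findings.append(f"wlan {profile}: authentication-list {bound[0]} "
                            "is not a defined aaa authentication dot1x list")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE_MANUAL_FIX), ("after", AFTER_MANUAL_FIX)):
        print(label, audit_dot1x(cfg) or "no findings")
```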

Lightweight AP Templates

9. Create a template to configure WLC1 as a primary WLC and WLC2 as a secondary WLC for
lightweight APs

• Try to push this template out to all LAPs in the HQ location.

Choose to add a new template and configure as shown.

Notice that it worked for the APs joined to WLCs in centralized mode, but not for those on CAT3-4 as
converged access MA switches. These switches are managed in a RW fashion, so it’s not a permissions
issue. I think it’s probably because that configuration just isn’t available on those devices. When the
APs are joined that way, the pri/sec/ter configuration is meaningless anyway.

10. Create a template to enable telnet and SSH access to lightweight APs.

• Try to push this template out to all LAPs

Create a new template, give it a name, and configure as shown.

Try to deploy to all LAPs. This is what I got.

It worked OK on the IOS-XE devices, but the other APs had issues. First, LAP5 is on WLC4, which is
managed in a RO fashion, so we shouldn’t be able to make any changes there. But what about LAP3-4,
which are currently on WLC1 thanks to the previous template? WLC1 is managed in a RW fashion. If we
try to manually apply the config on a per-AP basis (not using a template), we get a clue.

We actually have to change the credentials in order for an AireOS joined AP to enable telnet/SSH. Let’s
tweak our template and do just that. Set it to admin/IPexpert123/IPexpert123 as the credentials.

Now let’s try once more.

I don’t know why it said LAP2 was a partial success. I was able to login with the admin/IPexpert123
credentials and verify telnet/ssh are indeed enabled.

Username: admin
Password: IPexpert123

LAP2>en
Password: IPexpert123
LAP2#sho capw cli con | in Tel|ssh
ssh status Enabled
Telnet status Enabled

Autonomous AP Templates

11. Create a template to configure 10.10.205.20 as an SNTP server for autonomous APs.

• Push this out to both AAPs.

All that we have for autonomous APs are CLI templates that we configure ourselves from scratch. Now
all we need are the commands. Assume that you will start in “conf t” mode and that it will exit out of
config mode for you. So we just need a single command.

Create a new template as shown below.

Once you save it, choose to apply it to the APs.

And it doesn’t go so well.

Interesting… I verified my credentials earlier and specified Telnet when adding the AAPs. Evidently
that’s not being honored when pushing out the templates. Let’s go ahead and change our config CLI
method at the global level for AAPs and try again.

Now try the template push again.

Lesson learned… The global CLI method settings are the ones that matter and not what you specified
when adding the devices.

Helpful Verification Commands

• N/A

Technical Verification and Support

For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.

This concludes Lab 148 of iPexpert’s CCIE Wireless DSG, Section 5, Volume 1
Copyright© iPexpert. All Rights Reserved.

Lab 149: Configuration Groups :: Detailed Solutions

Technologies Covered

• Configuration Groups

Detailed Solution Guide

This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.

iPexpert’s Recommended Reading Material

All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

• Prime Infrastructure User Guide- Chapter 16

iPexpert’s Recommended Video Training

iPexpert’s Video on Demand training library contains a wealth of videos pertaining to the CCIE
Wireless Lab exam. We recommend watching the following learning videos prior to completing
this lab scenario.

• Video Title: Prime and MSE- Configuration Groups

Topology Detail

This lab requires access to PI, WIN7, and WLC1-2.

Diagram 149.1: Configuration Groups Topology

Lab 149 Setup

• Can this lab be practiced without completing a previous lab: NO
• If not, which lab(s) need to be completed first: Lab 147 - 148

Configuration Tasks :: Detailed Solutions

Controller Configuration Groups

1. Create a controller config group named HQ_WLCs.

• Add WLC1 and WLC2 to the group.
• Have the WLCs use a mobility group name of HQ.
• Have DCA only assign the following channels.
  o 2.4 GHz= 1, 6, or 11
  o 5 GHz= UNII-1 or UNII-2 channels (no UNII-2 extended or UNII-3).
• Use 40 MHz channels.
• Apply the RADIUS Auth Server and WLAN templates that you created in the previous section.

2. Apply the config group settings to the WLCs.

Config groups allow you to push out consistent settings across multiple controllers.

Choose to add a config group.

Basically hit Save on every screen that you can.

So we have a partial success. Let’s look closer. Click on the details of one of them.

So it won’t disable the radios for you to automatically push this stuff out. Manually disable the radios
on both WLCs and try again.

(WLC2) >config 802.11b disable network

(WLC2) >config 802.11a disable network
Disabling the 802.11a network may strand mesh APs. Are you sure you want to continue? (y/n)y

Better, but this time it fails with some generic message.

Let’s see what applied and what (if anything) didn’t.

Looks like the channel width setting applied, but the UNII-3 channels were not removed from the list.
Evidently it was too much for PI to handle.

Configuration Groups (non-controller)

3. Create a CLI template from scratch named NTP that configures 10.10.205.20 as an NTP server for
your IOS-XE devices.

4. Create a configuration group named IOS_WLCs.

• Add the NTP template that you just created.
• Add the IOS-XE devices to the config group.

5. Deploy the template to the config group.

First create the CLI config template. The config groups do not support any sort of forms, so we just
need static configs in the templates.

Then create the config group as shown. Save and deploy.

Now the NTP config should be on the devices.

WLC3#sho run | in ntp
ntp server 10.10.205.20

Helpful Verification Commands

• N/A

Technical Verification and Support

For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.

This concludes Lab 149 of iPexpert’s CCIE Wireless DSG, Section 5, Volume 1
Copyright© iPexpert. All Rights Reserved.

Lab 150: Configuration Auditing :: Detailed Solutions

Technologies Covered

• Configuration Auditing

Detailed Solution Guide

This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.

iPexpert’s Recommended Reading Material

All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

• N/A

iPexpert’s Recommended Video Training

iPexpert’s Video on Demand training library contains a wealth of videos pertaining to the CCIE
Wireless Lab exam. We recommend watching the following learning videos prior to completing
this lab scenario.

• Video Title: Prime and MSE- Configuration Auditing

Topology Detail

This lab requires access to PI, WIN7, and WLC1-2.

Diagram 150.1: Configuration Auditing Topology

Lab 150 Setup

• Can this lab be practiced without completing a previous lab: NO
• If not, which lab(s) need to be completed first: Lab 147 - 149

Configuration Tasks :: Detailed Solutions

1. Enable background auditing on the HQ_WLCs controller config group.

2. If configurations on the WLCs in the group do not match the templates during an audit, PI should
automatically remediate the issue.

In order to enable this, we need to first enable Template-based auditing in the administrative settings.

Now go into the controller configuration group and make the configurations.

Test this configuration with the following steps.

3. Run an audit from within the config group.

• It should pass. If not, apply the templates in the config group again and then audit again.

After running the audit, it complains that they are out-of-sync. Looking at the details, it seems to expect
these WLCs to be in each other’s mobility group list, and they are not.

I’m guessing that’s stemming from setting them to use the same mobility group name. Well, let’s just
manually do it to get around this error and move on. Be sure to sync the configs to PI after making the
change so that PI knows about it.

Yay! Now I’m in sync.

4. Go directly to WLC1 and uncheck the “network user” setting from the RADIUS server and apply.

(WLC1) >config radius auth network 1 disable

(WLC1) >show radius sum

Vendor Id Backward Compatibility................. Disabled
Call Station Id Case............................. lower
Acct Call Station Id Type........................ Mac Address
Auth Call Station Id Type........................ AP's Radio MAC Address:SSID
Aggressive Failover.............................. Enabled
Keywrap.......................................... Disabled
Fallback Test:
    Test Mode.................................... Off
    Probe User Name.............................. cisco-probe
    Interval (in seconds)........................ 300
MAC Delimiter for Authentication Messages........ hyphen
MAC Delimiter for Accounting Messages............ hyphen

Authentication Servers

Idx  Type  Server Address    Port    State     Tout  MgmtTout  RFC3576  IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr/Region
---  ----  ----------------  ------  --------  ----  --------  -------  ---------------------------------------------------------
1          10.10.210.5       1812    Enabled   2     2         Enabled  Disabled - none/unknown/group-0/0 none/none/none

5. Manually sync the config of WLC1 to PI, and run the audit again from the config group. It should
show that it is not passing audit, but it won’t be remedied yet.

Once the sync completes, run the audit.

Looking at the details, we see the setting mismatch.

At this point, the difference has not been reconciled.

6. Now go into the PI background tasks and manually execute the wireless configuration audit task.

• Once this completes, the auto-enforcement should have happened and the Network User setting
  should be enabled again.

You will find this under the Other Background Tasks section. Check the box, scroll to the top, and choose
to execute now. Otherwise you’d need to wait until 4 AM for the task to run on its own.

Now the setting has been reconciled with the template on WLC1.

(WLC1) >show radius sum

Vendor Id Backward Compatibility................. Disabled
Call Station Id Case............................. lower
Acct Call Station Id Type........................ Mac Address
Auth Call Station Id Type........................ AP's Radio MAC Address:SSID
Aggressive Failover.............................. Enabled
Keywrap.......................................... Disabled
Fallback Test:
    Test Mode.................................... Off
    Probe User Name.............................. cisco-probe
    Interval (in seconds)........................ 300
MAC Delimiter for Authentication Messages........ hyphen
MAC Delimiter for Accounting Messages............ hyphen

Authentication Servers

Idx  Type  Server Address    Port    State     Tout  MgmtTout  RFC3576  IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr/Region
---  ----  ----------------  ------  --------  ----  --------  -------  ---------------------------------------------------------
1    N     10.10.210.5       1812    Enabled   2     2         Enabled  Disabled - none/unknown/group-0/0 none/none/none
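The drift that the PI audit catches is visible in the Type column of the two outputs above (N = network user, M = management; blank when neither is enabled). As an added example (not code from the iPexpert guide or from Prime Infrastructure), this Python script parses that table and reports the mismatch against the Lab 148 RADIUS template; the row regex, the trimmed sample tables and the intended template values are assumptions based on the outputs shown.

```python
"""Check an AireOS 'show radius summary' for drift from the RADIUS Auth Server
template of Lab 148 (10.10.210.5, client/network-user authentication only,
CoA supported). Added example for this lab; not code from the guide or from
Prime Infrastructure."""
import re
from typing import Dict, List, NamedTuple


class RadiusServer(NamedTuple):
    index: int
    network_user: bool   # 'N' present in the Type column
    management: bool     # 'M' present in the Type column
    address: str
    port: int
    state: str
    rfc3576: str         # CoA (RFC 3576) support


# One row of the Authentication Servers table. The Type column is blank when
# neither network-user nor management use is enabled, so the flags are optional.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(?:([NM]{1,2})\s+)?(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+"
    r"(Enabled|Disabled)\s+(\d+)\s+(\d+)\s+(Enabled|Disabled)"
)

# Sample input built from the two outputs in this lab (table section only).
OUT_OF_SYNC = """\
(WLC1) >show radius sum

Authentication Servers

Idx  Type  Server Address    Port    State     Tout  MgmtTout  RFC3576  IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr/Region
---  ----  ----------------  ------  --------  ----  --------  -------  ---------------------------------------------------------
1          10.10.210.5       1812    Enabled   2     2         Enabled  Disabled - none/unknown/group-0/0 none/none/none
"""
# Same table after the PI audit task re-enabled the network-user flag.
IN_SYNC = re.sub(r"^1\s+10\.10\.210\.5", "1    N     10.10.210.5", OUT_OF_SYNC, flags=re.M)

# What the template intends (assumed from the Lab 148 task text).
TEMPLATE: Dict[str, object] = {"address": "10.10.210.5", "port": 1812,
                               "network_user": True, "management": False,
                               "rfc3576": "Enabled"}


def parse_radius_summary(output: str) -> List[RadiusServer]:
    """Return the rows listed under 'Authentication Servers'; the accounting
    table that follows it on a real controller is ignored."""
    servers: List[RadiusServer] = []
    in_auth = False
    for line in output.splitlines():
        stripped = line.strip()
        if stripped.startswith("Authentication Servers"):
            in_auth = True
            continue
        if stripped.startswith("Accounting Servers"):
            in_auth = False
        if not in_auth:
            continue
        m = ROW_RE.match(line)
        if m:
            flags = m.group(2) or ""
            servers.append(RadiusServer(int(m.group(1)), "N" in flags, "M" in flags,
                                        m.group(3), int(m.group(4)), m.group(5), m.group(8)))
    return servers


def audit_radius(output: str, template: Dict[str, object] = TEMPLATE) -> List[str]:
    """Return findings the way the PI audit would; an empty list means in sync."""
    matches = [s for s in parse_radius_summary(output)
               if s.address == template["address"] and s.port == template["port"]]
    if not matches:
        return [f"server {template['address']}:{template['port']} is not configured"]
    server = matches[0]
    findings: List[str] = []
    for field in ("network_user", "management", "rfc3576"):
        if getattr(server, field) != template[field]:
            findings.append(f"server {server.index}: {field} is {getattr(server, field)}, "
                            f"template wants {template[field]}")
    if server.state != "Enabled":
        findings.append(f"server {server.index}: admin state is {server.state}")
    return findings


if __name__ == "__main__":
    print("out of sync:", audit_radius(OUT_OF_SYNC))
    print("in sync:", audit_radius(IN_SYNC) or "no findings")
```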

Helpful Verification Commands

• N/A

Technical Verification and Support

For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.

This concludes Lab 150 of iPexpert’s CCIE Wireless DSG, Section 5, Volume 1
Copyright© iPexpert. All Rights Reserved.

Lab 151: Basic Map Setup :: Detailed Solutions

Technologies Covered

• Adding maps
• Adding/positioning APs

Detailed Solution Guide

This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.

iPexpert’s Recommended Reading Material

All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

• Prime Infrastructure Config Guide- Chapter 5

iPexpert’s Recommended Video Training

iPexpert’s Video on Demand training library contains a wealth of videos pertaining to the CCIE
Wireless Lab exam. We recommend watching the following learning videos prior to completing
this lab scenario.

• Video Title: Prime and MSE- Maps

Topology Detail

This lab requires access to PI and WIN7.

Diagram 151.1: Basic Map Setup Topology

Lab 151 Setup

• Can this lab be practiced without completing a previous lab: NO
• If not, which lab(s) need to be completed first: Lab 147

Configuration Tasks :: Detailed Solutions

Adding Campuses, Buildings, and Floors

1. Create a new campus named “CCIE Land”.

• Use the image on the WIN7 PC located at C:\Rack Files\Campus.jpg.
• Set the dimensions to 700 x 475.

Go to Maps > Site Maps and choose to add a campus.

In order to set the dimensions, you’ll need to uncheck the Maintain Aspect Ratio option.

2. Add a new building to CCIE Land.

• Name the building “Wireless”.
• Put the box over the bottom-right building.
• Set the dimensions to 125x75.
• There should be 1 floor and no basements.

From within the campus, choose to add a new building.

Drag the blue box over the building as shown. Set the size by just typing in the dimensions for the
horizontal and vertical spans. It should roughly look like this.

Once you’ve got it dialed in, click on Save.

3. Add a floor to the Wireless building.

• Name the floor “Floor1”.
• Use the image on the WIN7 PC located at C:\Rack Files\Floor1.png.
• Set the dimensions to 125 x 75.
• Use an RF model of cubes and walled offices.
• Set the floor height to 12 feet.

From within the Wireless building view, choose to add a new floor area.

When the floor is first added, you might not see the image. It might look something like this.

NOTE
The message at the top says that the floor image enhancement is in progress. Give it a few minutes and
then zoom in or out. Eventually the image will appear. Just keep trying a zoom change every so often.

Add APs to Floors

4. Add LAPs 1-4 and AAP2 to Floor 1 as shown in the image below.

• Set LAP1 to a height of 8 feet.
  o Leave the others at the default height.
• Change the 5 GHz antenna type for AAP2 to be AIR-ANT5145V-R.
  o Set the Azimuth to 0 degrees.
  o Set the Elevation to a 15 degree down tilt.

From the Floor 1 page, click on the icon below.

Choose the specified APs and click OK.

Arrange the APs on the map as requested. It doesn’t really matter at the moment if radios are down or
in alarm. Choose LAP1 and set the height.

Next choose AAP2 and make the requested antenna changes.

When you are done, click the Save button near the top.

PI will process your configs and eventually spit you back out at the map with a heat map displayed.

Helpful Verification Commands

• N/A

Technical Verification and Support

For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.

This concludes Lab 151 of iPexpert’s CCIE Wireless DSG, Section 5, Volume 1
Copyright© iPexpert. All Rights Reserved.

Lab 152: Advanced Map Configurations :: Detailed Solutions

Technologies Covered

• Location Presence
• Map Editor
• Controlling Map Display

Detailed Solution Guide

This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.

iPexpert’s Recommended Reading Material

All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

• Prime Infrastructure Config Guide- Chapter 5

iPexpert’s Recommended Video Training

iPexpert’s Video on Demand training library contains a wealth of videos pertaining to the CCIE
Wireless Lab exam. We recommend watching the following learning videos prior to completing
this lab scenario.

• Video Title: Prime and MSE- Maps

Topology Detail

This lab requires access to PI and WIN7.

Diagram 152.1: Advanced Map Configurations Topology

Lab 152 Setup

• Can this lab be practiced without completing a previous lab? NO
• If not, which lab(s) need to be completed first? Labs 147 and 151

Configuration Tasks :: Detailed Solutions

1. Configure location presence information for Floor 1 with the following details.

• Name= CCIE Land
• Street= 123 Phy Way
• City= Lindstrom
• State= MN
• Postal Code= 55045
• Country= USA
• Building= Wireless
• Floor= 1

Once you are done, click Save.

2. Edit the map as described below.

• Create a location inclusion range that lines up with the perimeter of the floor (do not include the
  few feet of outside space on the left side of the image).
• Create a location exclusion range that encompasses the bottom-center room on the map. It’s been
  boarded up and nothing should be in there.
• The top-left room used to be an x-ray room for a clinic and has lead-lined walls. Draw walls on all
  4 sides of the room with a type of Thick Wall.
• There’s a mini conveyor belt in the top-right room. Draw a horizontal rail along the length of the
  room with a width of 5 feet.
• Place a marker named Jeff in the middle of the bottom-right room.
• Be sure to save changes when you are done.

Choose the map editor from the top-right drop-down box and click Go.

Click on the Location Region button and draw an Inclusion region as shown below.


Click on the button again and create an Exclusion range as shown below.


Click on the obstacle button and choose Thick Wall.


Trace the outline of the top-left room (the former x-ray room) and then double-click when done.


Click on the Rail button and enter a 5-foot width.

A rail needs at least three index points, so you cannot draw it with just one click at each end: click once on one end, once in the middle, and finally once at the other end.

Click on the Marker icon and name it Jeff. Then click on the middle of the room to place it.


3. Configure what displays on the Floor 1 map as specified below.

 Show the Location inclusion/exclusion regions.

 Have the heat map display the 5 GHz spectrum with an RSSI cutoff of -70 dBm.

 Do not let LAP2 or AAP2 contribute to the heat map.

 Rather than see the AP names in their tags, show their current power and channel.

 Remove the measurement grid lines.

 Be sure to save the settings.

The map should look something like this to begin with.

Turn on Location Regions.


Switch to the 5 GHz spectrum and change the RSSI cutoff.

Next remove LAP2 and AAP2 from the heat map, as the task specifies.


Change the AP display flags.


Turn off the grid lines. Then click Save Settings.


The map should now look something like this. Channel and power info will vary.

Helpful Verification Commands

 N/A

Technical Verification and Support

For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.

This concludes Lab 152 of iPexpert’s CCIE Wireless DSG, Section 5, Volume 1
Copyright© iPexpert. All Rights Reserved.


Lab 153: Virtual Domains :: Detailed Solutions

Technologies Covered

 Virtual Domains

Detailed Solution Guide

This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.


iPexpert’s Recommended Reading Material


All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

 N/A

iPexpert’s Recommended Video Training

iPexpert’s Video on Demand training library contains a wealth of videos pertaining to the CCIE Wireless
Lab exam. We recommend watching the following learning videos prior to completing this lab scenario.

 Video Title: Prime and MSE- Virtual Domains

Topology Detail

This lab requires access to PI and WIN7.


Diagram 153.1: Virtual Domains Topology

Lab 153 Setup

 Can this lab be practiced without completing a previous lab: NO


 If not, which lab(s) need to be completed first: Labs 147 and 151


Configuration Tasks :: Detailed Solutions

Create the following virtual domains that contain the specified items.

1. Virtual Domain= HQ

 Include all CCIE Land maps (campus, building, and floor).

 Include all switches, WLCs, and AAPs in the HQ.

o CAT1-4

o WLC1-2

o AAP1-2

Go to the Virtual Domains configuration screen.

Choose to create a new Virtual Domain.


Add the maps.


Next add the devices.

There is no need to list the access points separately, although the AAPs could have been called out on the Access Points tab instead of under Network Devices. Once everything is specified, click Submit.


2. Virtual Domain= Remote

 Include WLC4 and CAT5.

Click on the Root domain and then choose to add a new domain.

No maps this time. Just network devices.

3. Virtual Domain= DMZ

 Include WLC3.

Same process, one last time.


4. Assign these new virtual domains to the Root user.

Get to the PI user list and edit the Root user.


Add all of the domains to the right-side and apply.


5. Switch between virtual domains as the root user and verify your settings

 You should see that even though the LAPs were not placed in any virtual domain, they fall into the virtual domain of their associated WLC.

Switch between virtual domains by clicking the current domain at the top of the page and choosing a different one.

The Inventory screen is a good place to look at this. Here is the inventory for the DMZ domain.

Here are the Lightweight APs in the HQ domain. As noted earlier, they show up by virtue of their
associated WLCs being in the domain.


Looking at maps from within the Remote domain shows none, since no maps were assigned to it.

Helpful Verification Commands

 N/A

Technical Verification and Support

For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.

This concludes Lab 153 of iPexpert’s CCIE Wireless DSG, Section 5, Volume 1
Copyright© iPexpert. All Rights Reserved.


Lab 154: Management AAA :: Detailed Solutions

Technologies Covered

 Management AAA

Detailed Solution Guide

This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.


iPexpert’s Recommended Reading Material

All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

 N/A

iPexpert’s Recommended Video Training

iPexpert’s Video on Demand training library contains a wealth of videos pertaining to the CCIE Wireless
Lab exam. We recommend watching the following learning videos prior to completing this lab scenario.

 Video Title: Prime and MSE- Management AAA

Topology Detail

This lab requires access to PI and WIN7.


Diagram 154.1: Management AAA Topology

Lab 154 Setup

 Can this lab be practiced without completing a previous lab: YES


 If so, which lab load should be used: PI/MSE- Base
 Can this lab be practiced without a fresh lab load by using the final config of the previous lab: YES


Configuration Tasks :: Detailed Solutions

1. Create a new management user for PI.

 User name= cciew

 Password= ciscooo

 Groups= Lobby Ambassador

 Virtual Domain= DMZ

2. Change the local password policy to allow for this new user.

The default password policy won’t accept these credentials, so it has to be relaxed. Reduce or turn off the minimum length, then disable the following three rules. This is done only to satisfy the lab; the defaults exist to keep weak passwords like this one off a management platform, so leave them in place on a production PI.

 Password cannot contain username.

 Password cannot contain cisco.

 Password must contain character from three classes.
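The following Python sketch is an added example, not code from this guide or from Cisco Prime Infrastructure. It models the four default rules listed above as a checker so you can see exactly which ones the lab credentials (cciew / ciscooo) trip, and confirms that the relaxed policy accepts them. The default minimum length of 8 and the plain substring test for the username rule are assumptions; PI's real implementation is not shown on this page.

```python
"""Local password-policy check modelled on the four PI defaults the lab relaxes.

Added example, not Prime Infrastructure code. The rule names follow the lab
text; the default minimum length of 8 and the plain substring test for the
username rule are assumptions made for illustration.
"""
import string


DEFAULT_POLICY = {
    "min_length": 8,          # assumed default; the lab reduces or disables it
    "forbid_username": True,  # "Password cannot contain username"
    "forbid_cisco": True,     # "Password cannot contain cisco"
    "three_classes": True,    # "Password must contain character from three classes"
}

# The lab's relaxed policy: every rule switched off.
RELAXED_POLICY = {
    "min_length": 0,
    "forbid_username": False,
    "forbid_cisco": False,
    "three_classes": False,
}


def char_classes(password):
    """Count the character classes present: lower, upper, digit, punctuation."""
    tests = (str.islower, str.isupper, str.isdigit,
             lambda c: c in string.punctuation)
    return sum(1 for test in tests if any(test(c) for c in password))


def check_password(username, password, policy=DEFAULT_POLICY):
    """Return the list of violated rule names; an empty list means accepted."""
    violations = []
    if len(password) < policy["min_length"]:
        violations.append("min_length")
    if policy["forbid_username"] and username.lower() in password.lower():
        violations.append("contains_username")
    if policy["forbid_cisco"] and "cisco" in password.lower():
        violations.append("contains_cisco")
    if policy["three_classes"] and char_classes(password) < 3:
        violations.append("fewer_than_three_classes")
    return violations


if __name__ == "__main__":
    for user, pw in (("cciew", "ciscooo"), ("lobby", "ASD123fgh")):
        print(user, pw,
              "| default:", check_password(user, pw) or "accepted",
              "| relaxed:", check_password(user, pw, RELAXED_POLICY) or "accepted")
```

Running it shows ciscooo failing on length, the cisco substring and character classes under the defaults, and passing under the relaxed policy, while the stronger ASD123fgh password used later in this lab passes both.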


Now create the user as asked.


Feel free to log out and log in as this user to test it.

3. Configure PI to use ISE as a management server.

 Shared secret= ipexpert

 If ISE authentication fails, the local users should still be able to login.

First add a new RADIUS server.


Next enable RADIUS authentication. Be sure to choose the fallback mode that matches the requirement (local users must still be able to log in when ISE authentication fails, not only when ISE does not respond). The local root account can always log in regardless of these settings.


4. Test this by logging in with the credentials below. ISE has already been preconfigured for this
authentication.

 User name= lobby

 Password= IPexpert123

 Note the default settings.

Log out and log back in as the lobby user. Choose to add a new guest user and look at the advanced
tab.

By default, no profile is specified and the account will have a limited lifetime of 1 day into the future.
There is also a generic disclaimer.


5. Log back in as root and create a local user named lobby in the Lobby Ambassador group in the DMZ
virtual domain.

 Use a password of ASD123fgh

 Configure the following Lobby Ambassador default settings.

o Unlimited lifetime

o Disclaimer of “Isn’t this cool?”

Create a new lobby user as asked.


6. Login again with the lobby user.

 First try using the local user’s password and see that it succeeds, only thanks to the
fallback settings that were configured earlier.

 Then use the IPexpert123 password and see that it also succeeds.

 Now check the settings and see that they are inherited from the local user, even though you authenticated with the ISE user credentials.


 This shows what happens when the same user account exists on RADIUS/TACACS+ and locally: authentication is done externally and the permissions/settings are pulled from the local user.

You can only log in with the local credentials because the fallback mode is “on failure”. If fallback were only “on no response”, the local password would be rejected as soon as ISE answered with a reject. Now log in with the IPexpert123 password and try to create a new user.


See that we inherited the settings of the local user of the same name, even though we authenticated with the external user’s credentials.

7. Now remove the local lobby user from the Lobby Ambassador group and place it into the Super
Users group and the root virtual domain.


8. Login again and see what permissions you were given.

We are back at the lobby ambassador view in the DMZ virtual domain, so this cannot be taken much further. The effect of local settings on an externally authenticated user appears to be limited to the guest-account default settings, since those cannot be defined with RADIUS/TACACS+ attributes.
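To make the fallback and inheritance behaviour described in steps 3 to 8 concrete, here is an added Python simulation (not code from the guide, Cisco PI or ISE). It models a RADIUS server that can accept, reject or not answer, the two fallback modes, the root exception, and the lookup of guest-account defaults from a same-named local user. Taking an external user's group and virtual domain from the RADIUS reply, the root password, and the PI default lifetime/disclaimer values are constructed assumptions.

```python
"""Simulation of PI management login with RADIUS fallback and a same-named local user.

Added example, not Prime Infrastructure or Cisco code. It models what the lab
observes: the fallback mode decides when local credentials are consulted, root
always works locally, and an externally authenticated user picks up guest-account
defaults from a local account of the same name. Taking the group and virtual
domain of an external user from the RADIUS reply, and all user data, are
constructed assumptions for illustration.
"""

PI_GUEST_DEFAULTS = {"lifetime": "1 day", "disclaimer": "generic"}

# Constructed external (ISE) user store, with the authorization the server returns.
RADIUS_USERS = {
    "lobby": {
        "password": "IPexpert123",
        "attributes": {"groups": ["Lobby Ambassador"], "virtual_domain": "DMZ"},
    },
}

# Constructed local PI user store as it stands after step 3 (root only) ...
LOCAL_USERS_BASE = {
    "root": {
        "password": "Cisco123!",
        "groups": ["Root"],
        "virtual_domain": "ROOT-DOMAIN",
        "guest_defaults": dict(PI_GUEST_DEFAULTS),
    },
}

# ... and after step 5, when a local 'lobby' user with custom guest defaults exists.
LOCAL_USERS_STEP5 = dict(
    LOCAL_USERS_BASE,
    lobby={
        "password": "ASD123fgh",
        "groups": ["Lobby Ambassador"],
        "virtual_domain": "DMZ",
        "guest_defaults": {"lifetime": "unlimited", "disclaimer": "Isn't this cool?"},
    },
)


def radius_authenticate(username, password, reachable=True):
    """Return ('ACCEPT', attributes), ('REJECT', None) or ('NO_RESPONSE', None)."""
    if not reachable:
        return "NO_RESPONSE", None
    user = RADIUS_USERS.get(username)
    if user is not None and user["password"] == password:
        return "ACCEPT", user["attributes"]
    return "REJECT", None


def local_authenticate(username, password, local_users):
    user = local_users.get(username)
    return user is not None and user["password"] == password


def login(username, password, fallback="on_no_response", radius_reachable=True,
          local_users=LOCAL_USERS_BASE):
    """Return the effective session settings and their source, or None if denied.

    fallback is 'on_no_response' (local users consulted only when RADIUS does not
    answer) or 'on_failure' (also consulted when RADIUS rejects the password).
    """
    result, attrs = radius_authenticate(username, password, radius_reachable)
    local = local_users.get(username)

    if result == "ACCEPT":
        # Authorization comes from RADIUS; guest defaults come from a same-named
        # local user when one exists, otherwise from the PI defaults.
        guest = local["guest_defaults"] if local else PI_GUEST_DEFAULTS
        return {"source": "radius", "groups": attrs["groups"],
                "virtual_domain": attrs["virtual_domain"], "guest_defaults": guest}

    allow_local = (username == "root"            # root is always allowed in locally
                   or result == "NO_RESPONSE"    # server unreachable
                   or fallback == "on_failure")  # server answered with a reject
    if allow_local and local_authenticate(username, password, local_users):
        return {"source": "local", "groups": local["groups"],
                "virtual_domain": local["virtual_domain"],
                "guest_defaults": local["guest_defaults"]}
    return None


if __name__ == "__main__":
    print("step 4, ISE user only:", login("lobby", "IPexpert123"))
    print("step 6, local pw, fallback on failure:",
          login("lobby", "ASD123fgh", fallback="on_failure", local_users=LOCAL_USERS_STEP5))
    print("step 6, local pw, fallback on no response:",
          login("lobby", "ASD123fgh", local_users=LOCAL_USERS_STEP5))
    print("step 6, ISE pw, local guest defaults inherited:",
          login("lobby", "IPexpert123", local_users=LOCAL_USERS_STEP5))
```

The security point the simulation makes explicit: with fallback on failure, every local account is a second, independently valid credential for the same username, so a password ISE has already rejected still gets in. Fallback on no response keeps ISE as the single decision point while the server is reachable, which is the safer default outside a lab.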


Helpful Verification Commands

 N/A

Technical Verification and Support

For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.

This concludes Lab 154 of iPexpert’s CCIE Wireless DSG, Section 5, Volume 1
Copyright© iPexpert. All Rights Reserved.


Lab 155: Administrative Settings :: Detailed Solutions

Technologies Covered

 System Settings
 Background Tasks
 Logging
 User Settings
 ISE Integration

Detailed Solution Guide

This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.


iPexpert’s Recommended Reading Material


All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

 N/A

iPexpert’s Recommended Video Training

iPexpert’s Video on Demand training library contains a wealth of videos pertaining to the CCIE Wireless
Lab exam. We recommend watching the following learning videos prior to completing this lab scenario.

 Video Title: Prime and MSE- Administrative Settings- Part 1

 Video Title: Prime and MSE- Administrative Settings- Part 2

Topology Detail

This lab requires access to PI and WIN7.


Diagram 155.1: Administrative Settings Topology

Lab 155 Setup

 Can this lab be practiced without completing a previous lab: YES


 If so, which lab load should be used: PI/MSE- Base
 Can this lab be practiced without a fresh lab load by using the final config of the previous lab: YES


Configuration Tasks :: Detailed Solutions

System Settings

1. Ensure that PI uses SSH to communicate to WLCs and Telnet to communicate with Autonomous
APs when a CLI method is used.

This section includes a sampling of configs under the System Settings page. This particular setting is in the CLI Session section. Note that Telnet carries the AP credentials in cleartext; it is what the task asks for here, but SSH is the right choice wherever the autonomous APs support it.

2. Have PI look up the DNS names of clients that it learns about.

This is found under Client.


3. Have PI back up device configurations prior to pushing out new configurations.

4. Have PI remove expired guest accounts stored locally on WLCs.

This one is under Guest Account Settings.


5. Create a login banner for PI that says “Someday, this will be as solid as WCS used to be.”

Under Login Disclaimer.

6. Define an SMTP server at IP 10.10.210.8 for PI to use.

 Default From and To addresses should be cciew@ipexpert.com.


 Don’t bother testing as there is no actual SMTP server at that IP.

Under Mail Server Configuration.

7. Configure a northbound notification receiver.

 IP= 10.10.210.8

 Name= CCIEW

 Include all categories with a severity of Critical or Major.

Go to Notification Receivers and choose to add a new one. A notification receiver is a northbound destination to which PI forwards the alarms it raises as SNMP traps, filtered by the categories and severities you select.


8. Ensure TFTP and FTP services are enabled on their default ports.

You’ll find this under Server Settings. Everything is turned on using the default ports already, but it’s
good to know where this is.


9. Add a new MAC vendor OUI.

 OUI= 00:99:99

 Name= CCIEW

Go to User Defined OUI and choose to add a new one.


10. Overwrite an existing OUI.

 OUI= 00:11:22

 Name= CCIEW

Same location as before. Choose to add a new OUI, but since it already exists, you need to check the
“Change Vendor Name” option.

Background Tasks

11. Have “CleanAir Air Quality” data collected every 30 minutes and keep the data non-aggregated for
10 days.

Background tasks are the things that PI does on a repetitive basis, like poll devices for info or backup
configurations.


Click into the CleanAir Air Quality task to edit it.

12. Disable Mesh data collection.

There are 2 Mesh data gathering tasks. Check both of them.

Then choose to disable them from the dropdown menu on top.

13. Ensure that controller configuration backups are being done every day at 21:12 to the default TFTP
server.

 Use telnet to communicate to the IOS-XE controllers.


Config backups are in the bottom section. Click into Controller Configuration Backup.

PI Logging

14. Have PI send syslogs to 10.10.210.8.

 Send Error logs or higher for all log modules.

 Mark syslogs with a facility of Local7.


This is the configuration of logs generated by PI. All categories are enabled by default.
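As an added example (not code from the guide or from PI), the Python below shows how to verify on the receiving end that PI is actually sending what task 14 asks for. The check relies on the syslog PRI encoding from RFC 3164/5424 (facility times 8 plus severity), so Local7 at Error or higher means a PRI of 184 to 187. The sample lines are constructed; the hostnames and message text are assumptions.

```python
"""Syslog PRI check for the PI logging task (added example, not Prime Infrastructure code).

PI is told to send Error-or-higher messages with facility Local7. In RFC 3164 and
RFC 5424 the <PRI> header is facility * 8 + severity, so such messages arrive
with PRI 184 to 187 (local7 = 23, emergency..error = 0..3). The code parses the
PRI of a received line and checks it against that policy, which is what you
would verify on the collector at 10.10.210.8. The sample lines are constructed.
"""
import re

FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
              "local0": 16, "local1": 17, "local2": 18, "local3": 19,
              "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}

PRI_RE = re.compile(r"^<(\d{1,3})>")


def expected_pri(facility, severity):
    """PRI value a sender puts on a message with this facility and severity."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def parse_pri(line):
    """Return (facility_code, severity_code) from the <PRI> prefix of a syslog line."""
    match = PRI_RE.match(line)
    if match is None:
        raise ValueError("missing <PRI> header: %r" % line[:40])
    pri = int(match.group(1))
    if pri > 191:                      # 23 * 8 + 7 is the largest legal value
        raise ValueError("PRI out of range: %d" % pri)
    return divmod(pri, 8)


def matches_policy(line, facility="local7", max_severity="err"):
    """True when the line carries the expected facility and is at least as severe as max_severity."""
    fac, sev = parse_pri(line)
    return fac == FACILITIES[facility] and sev <= SEVERITIES[max_severity]


# Constructed sample of what a collector might receive from several senders.
SAMPLE_LINES = [
    "<187>Sep 13 12:00:01 pi-server ncs: ERROR [ncs-module] poll of WLC1 failed",
    "<186>Sep 13 12:00:02 pi-server ncs: CRITICAL [ncs-module] database unreachable",
    "<190>Sep 13 12:00:03 pi-server ncs: INFO [ncs-module] background task started",
    "<27>Sep 13 12:00:04 cat1 sshd: error: connection closed by 10.10.210.9",
]


def filter_policy_lines(lines):
    """Keep only the lines that satisfy the lab's facility/severity policy."""
    return [line for line in lines if matches_policy(line)]


if __name__ == "__main__":
    print("expected PRI for local7/err:", expected_pri("local7", "err"))
    for line in filter_policy_lines(SAMPLE_LINES):
        print("MATCH", line)
```

Of the four constructed lines only the first two match: the INFO line has the right facility but is below the severity threshold, and the last line is an Error but from facility daemon, so it would not have come from this PI configuration.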

User Settings

15. Configure the following user settings for the root user.

 Restrict lists to 30 items per page.

 Refresh alarm counts every 5 minutes in the alarm summary.

 Don’t show the warning message when acknowledging alarms.


These settings are per-user, so be sure to be logged in as the user in question when configuring this.


Integrating ISE

16. Configure PI to collect additional information about clients from ISE.

 User= admin

 Password= IPexpert123

This allows PI to grab client authentication and other information from ISE.

Choose to add an ISE server.


Helpful Verification Commands

 N/A

Technical Verification and Support

For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.

This concludes Lab 155 of iPexpert’s CCIE Wireless DSG, Section 5, Volume 1
Copyright© iPexpert. All Rights Reserved.


Lab 156: Reports :: Detailed Solutions

Technologies Covered

 Reports

Detailed Solution Guide

This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.


iPexpert’s Recommended Reading Material

All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

 Prime Infrastructure User Guide- Chapter 40

iPexpert’s Recommended Video Training

iPexpert’s Video on Demand training library contains a wealth of videos pertaining to the CCIE Wireless
Lab exam. We recommend watching the following learning videos prior to completing this lab scenario.

 Video Title: Prime and MSE- Reports

Topology Detail

This lab requires access to PI and WIN7.


Diagram 156.1: Reports Topology

Lab 156 Setup

 Can this lab be practiced without completing a previous lab: NO


 If not, which lab(s) need to be completed first: Lab 147 and 153


Configuration Tasks :: Detailed Solutions

1. Create a device inventory report.

 The report should be usable in all virtual domains.

 Give it a title of Inventory.

 The type should be a combined inventory.

 In the Controller Inventory portion, include the serial number and sort by model first,
then name in an ascending fashion.

 Do not include Router Inventory in the report.

 This report should only be run on demand and not scheduled.

Go to the Report Launch Pad.

Find the Inventory report under the Device category.


Choose to create a new one and configure as shown. Ensure that you are currently in the ROOT-
DOMAIN as you create this.

In Customize, you can set the particulars of how data is displayed in the report.

Go to the Controller Inventory part and make the changes.


Scroll down to configure the sorting.

Then go to the Router Inventory part and exclude it.

Apply your customizations and then save the report. You can see that it creates a copy for each virtual
domain.

Feel free to run the report and view your handiwork.


2. Create a device CPU utilization report.

 It should only be available in the root virtual domain.

 Give it a title of CPU_Utilization.

 Limit it to devices in the HQ.

 Set the reporting period to the last 7 days.

 Schedule the report to run weekly on Sundays at noon starting on September 13, 2015.

 Email it as a PDF to cciew@ipexpert.com.

 Manually run and save the output as a PDF named CPU.pdf and place it on the WIN7 PC
desktop.

Back to the report Launchpad to create a new one.


Configure the report as shown.

Save the report and then run it. Once run, choose to Save and Export.

Choose a type of PDF and do not choose to email it when complete. Once complete, you’ll be able to
download it.

3. Create a device AP summary report.

 It should only be available in the HQ virtual domain.

 Give it a title of AP_Summary.

 Report by AP Mode for all SSIDs.

 Schedule the report to run daily at noon starting on September 13, 2015.


o Save the report to a CSV on the PI server.

o The CSV files should be located directly in a folder named /localdisk/ftp/reports/cciew/APSummary.

o The saved reports should be retained for 90 days.

One last report to create… Yet another Device report.

Before creating the report, be sure to switch into the HQ virtual domain so that the report is created
there.


We can configure almost everything here, but look at the file path.

It is not saving to the requested directory, and the path cannot be changed on this screen. Save the report anyway and fix it afterwards under Administration > System Settings > Report, which sets the location of all saved reports as well as their retention period.

Note that the full path is not entered, only the root folder. Each report type automatically gets its own subfolder under that root. So, for the file to be saved in /localdisk/ftp/reports/cciew/APSummary, specify a root folder of /localdisk/ftp/reports/cciew and the APSummary folder is appended to the path automatically. Also, do not put a / at the end of the path, or the download URL will break. Save this config and go back to the report.


This is what we want to see. Also, if you look at the list of saved reports, you should see that the report
is in the HQ virtual domain. The reason I see other reports in other virtual domains right now is because
I had to jump back to the ROOT-DOMAIN to edit the server setting.

Helpful Verification Commands

 N/A

Technical Verification and Support

For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.

This concludes Lab 156 of iPexpert’s CCIE Wireless DSG, Section 5, Volume 1
Copyright© iPexpert. All Rights Reserved.


Lab 157: Alarms and Events :: Detailed Solutions

Technologies Covered

 Alarms
 Events

Detailed Solution Guide

This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.


iPexpert’s Recommended Reading Material


All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

 Prime Infrastructure User Guide- Chapter 10

iPexpert’s Recommended Video Training

iPexpert’s Video on Demand training library contains a wealth of videos pertaining to the CCIE
Wireless Lab exam. We recommend watching the following learning videos prior to completing
this lab scenario.

 Video Title: Prime and MSE- Alarms and Events

Topology Detail

This lab requires access to PI and WIN7.


Diagram 157.1: Alarms and Events Topology

Lab 157 Setup

 Can this lab be practiced without completing a previous lab: YES


 If so, which lab load should be used: PI/MSE- Base
 Can this lab be practiced without a fresh lab load by using the final config of the previous lab: YES


Configuration Tasks :: Detailed Solutions

1. Go into the Alarms list.

 Clear out the first alarm on the list so that it isn’t shown, but will come back if the
underlying issue reoccurs.

 Acknowledge the next alarm so that you don’t get further emails about it if it reoccurs
over the next 7 days.

o It should still show up on the list of alarms though.

 Delete active and cleared alarms automatically after 15 days.

The first request is to clear the alarm. This will cause it not to be seen, unless the issue reoccurs or is
still happening. Check the alarm’s box and choose to clear it.

Next, we are acknowledging an alarm. Normally this will hide the alarm and prevent any notifications
about it for the next 7 days, but we are asked to still see it. Go ahead and acknowledge it while we are
here.


Then go to Administration > System Settings > Alarms and Events and uncheck the option to hide
acknowledged alarms.

Head back to the alarms list and it should still show up.


2. Configure PI to email out alarms.

 Only email out critical AP alarms, as well as critical and major Controller alarms.

 Alarms should be emailed to cciew@ipexpert.com.

 The emails should have a subject that only says “Find Your Love Matches for Free”.

 Ensure that the alarm “AP radio interface down due to configuration changes” is emailed
out by altering its severity to Critical.

From the Alarms page, click on the Email notifications option.

Click into the Controller alarms and edit the severity levels.


Then check each alarm category that you want enabled and Save.

Now we’ll edit the subject line. Head to Administration > System Settings > Alarms and Events. I took
this subject line from one of the emails in my spam folder.

For the last requirement, we need to alter the severity level of a particular alarm so that it falls into one
of the severity levels that we have enabled globally. From within the System Settings, go to Severity
Configuration. Find the alarm, and change it to be critical.


Hint- the alarms are listed in alphabetical order by default. You can also sort by category if that makes
it easier.

Now the alarm is critical, and will be emailed out.
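The policy in task 2, written out as an added Python example (not code from the guide or from PI): a per-category severity filter plus a severity override, evaluated over a constructed set of alarm types. The default severities, the category names and the extra alarm types are assumptions; only the alarm named in the task, the recipient and the subject line come from the lab.

```python
"""Alarm e-mail selection for the PI alarm task (added example, not Prime Infrastructure code).

Reproduces the lab's notification policy: e-mail Critical AP alarms and Critical
or Major Controller alarms, and show how reclassifying one alarm type to Critical
in Severity Configuration pulls it into the policy. Category names, alarm types,
default severities and the sample alarm list are constructed.
"""

# Lab policy: which severities are e-mailed for each alarm category.
EMAIL_POLICY = {"AP": {"Critical"}, "Controller": {"Critical", "Major"}}
RECIPIENT = "cciew@ipexpert.com"
SUBJECT = "Find Your Love Matches for Free"

# Constructed default (category, severity) per alarm type. Only the first entry
# is named on the page; its default of Major is an assumption.
DEFAULT_SEVERITY = {
    "AP radio interface down due to configuration changes": ("AP", "Major"),
    "AP disassociated from controller": ("AP", "Critical"),
    "AP admin state disabled": ("AP", "Minor"),
    "Controller unreachable": ("Controller", "Critical"),
    "Controller rebooted": ("Controller", "Major"),
}


def effective_severity(alarm_type, overrides):
    """(category, severity) after applying Severity Configuration overrides."""
    category, default = DEFAULT_SEVERITY[alarm_type]
    return category, overrides.get(alarm_type, default)


def should_email(alarm_type, overrides):
    """True when the alarm's effective severity is enabled for its category."""
    category, severity = effective_severity(alarm_type, overrides)
    return severity in EMAIL_POLICY.get(category, set())


def build_email(alarm_type, overrides):
    category, severity = effective_severity(alarm_type, overrides)
    return {"to": RECIPIENT, "subject": SUBJECT,
            "body": "%s alarm (%s): %s" % (severity, category, alarm_type)}


def emails_for(alarm_types, overrides=None):
    """Messages PI would send for a list of raised alarm types."""
    overrides = overrides or {}
    return [build_email(a, overrides) for a in alarm_types if should_email(a, overrides)]


if __name__ == "__main__":
    raised = list(DEFAULT_SEVERITY)
    print("before override:", [m["body"] for m in emails_for(raised)])
    override = {"AP radio interface down due to configuration changes": "Critical"}
    print("after override: ", [m["body"] for m in emails_for(raised, override)])
```

With the constructed defaults, three of the five alarm types are e-mailed before the override and four after it; the Minor AP alarm stays silent either way. A single fixed subject for every alarm means the receiving mailbox cannot tell a controller outage from a radio flap without opening the message, so in practice put the category and severity in the subject, and expect a subject like the one the lab uses to land in a spam folder.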

Helpful Verification Commands

 N/A

Technical Verification and Support

For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.

This concludes Lab 157 of iPexpert’s CCIE Wireless DSG, Section 5, Volume 1
Copyright© iPexpert. All Rights Reserved.


Lab 158: Rogue Management :: Detailed Solutions

Technologies Covered

• Rogue Management

Detailed Solution Guide

This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.


iPexpert’s Recommended Reading Material


All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

• N/A

iPexpert’s Recommended Video Training

iPexpert’s Video on Demand training library contains a wealth of videos pertaining to the CCIE
Wireless Lab exam. We recommend watching the following learning videos prior to completing
this lab scenario.

• Video Title: Prime and MSE- Rogue Management

Topology Detail

This lab requires access to PI and WIN7.


Diagram 158.1: Rogue Management Topology

Lab 158 Setup

• Can this lab be practiced without completing a previous lab: NO

• If not, which lab(s) need to be completed first: Lab 147


Configuration Tasks :: Detailed Solutions

1. Find an alarm for the rogue AP with an SSID of GoodRogue.

• Classify it as a Friendly-Internal rogue AP.

Search for GoodRogue in the top-right box, and you should get some hits. Click on View List.

Expand one of the alarms and set it to friendly-internal.


2. Find an alarm for the rogue AP with an SSID of Rogue-PodX (where X is your rack #).

• Classify it as Malicious-Alert.

• Initiate containment with 1 AP.

Search for Rogue-PodX in the top-right box, and you should get some hits. Click on View List.


Expand one of the alarms and set its status.


Then initiate containment.


Helpful Verification Commands

• N/A

Technical Verification and Support

For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.

This concludes Lab 158 of iPexpert’s CCIE Wireless DSG, Section 5, Volume 1
Copyright© iPexpert. All Rights Reserved.


Lab 159: MSE Management :: Detailed Solutions

Technologies Covered

• MSE CLI Tools

• MSE GUI Management

Detailed Solution Guide

This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.


iPexpert’s Recommended Reading Material


All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

• CMX Config Guide 8.0- Chapter 2

• CMX Config Guide 8.0- Chapter 3

iPexpert’s Recommended Video Training

iPexpert’s Video on Demand training library contains a wealth of videos pertaining to the CCIE
Wireless Lab exam. We recommend watching the following learning videos prior to completing
this lab scenario.

• Video Title: Prime and MSE- MSE Management

Topology Detail

This lab requires access to the MSE, PI, and WIN7.


Diagram 159.1: MSE Management Topology

Lab 159 Setup

• Can this lab be practiced without completing a previous lab: YES

• If so, which lab load should be used: PI/MSE- Maps

• Can this lab be practiced without a fresh lab load by using the final config of the previous lab: NO


Configuration Tasks :: Detailed Solutions

1. Stop and then start the MSE service from the CLI.

• Verify the service is running when you are done.

SSH to the MSE from the WIN7 PC and login with the credentials root/IPexpert123, then run the
commands below.

[root@MSE ~]# cd /etc/init.d


[root@MSE init.d]# ./msed stop
Stopping MSE Platform
Apache Service is running...will not stop it

Shutting down framework and services ......


Framework and services successfully shutdown. Shutting down database ......
MSE platform shutdown complete

[root@MSE init.d]# ./msed status

STATUS:
Health Monitor is not running

[root@MSE init.d]# ./msed start

Starting MSE Platform

Flushing any pending data from Admin Process read and write pipe.
Starting Apache HTTPD Server
Apache Server is already running. Skipping restart.
Starting Health Monitor, Waiting to check the status.
Health Monitor successfully started
Starting Admin process...
Started Admin process.
Starting database ......
Database started successfully. Starting framework and services
...............................
Framework and services successfully started


[root@MSE init.d]# ./msed status

STATUS:
Health Monitor is running
Retrieving MSE Services status.
MSE services are up, getting the status

-------------
Server Config
-------------

Product name: Cisco Mobility Service Engine


Version: 8.0.110.0
Health Monitor Ip Address: 1.1.1.1
High Availability Role: 1
Hw Version: V01
Hw Product Identifier: AIR-MSE-VA-K9
Hw Serial Number: MSE_e13fe944-59cf-11e5-acef-0050569b45fa
HTTPS: null
Legacy Port: 8001
Log Modules: -1
Log Level: INFO
Days to keep events: 2
Session timeout in mins: 30
DB backup in days: 2

[lines omitted]

2. Run the CLI setup wizard and ensure the following are set.

• Default gateway of 10.10.210.1.

• Use an NTP server of 10.10.205.20.

• Use a PI communication password of IPexpert123.

You can use either the wizard or the menu interface if you’d like. I chose the wizard. Just know how to
configure things.


[root@MSE init.d]# cd /opt/mse/setup


[root@MSE setup]# ./setup.sh
--------------------------------------------------------------

Welcome to the Cisco Mobility Services Engine Appliance Setup.

You may exit the setup at any time by typing <Ctrl+C>.

--------------------------------------------------------------

Would you like to configure MSE using :


1. Menu mode
2. Wizard mode
Choose 1 or 2 : 2

--------------------------------------------------------------
Mobility Services Engine Setup.

Please enter the requested information. At any prompt,


enter ^ to go back to the previous prompt. You may exit at
any time by typing <Ctrl+C>.

You will be prompted to choose whether you wish to configure a parameter, skip it, or
reset it to its initial default value.

Skipping a parameter will leave it unchanged from its current value.

Please note that the following parameters are mandatory

and must be configured at least once.


-> Hostname
-> Network interface eth0
-> Timezone settings
-> Root password
-> NTP settings
-> Prime Infrastructure password

Changes made will only be applied to the system once all the information is entered
and verified.
--------------------------------------------------------------


Current Hostname=[MSE]
Configure Hostname? (Y)es/(S)kip/(U)se default [Skip]:

Current eth0 interface IP address=[10.10.210.10]


Current eth0 interface netmask=[255.255.255.0]
Current IPv4 gateway address=[10.10.210.1]
Configure eth0 interface parameters? (Y)es/(S)kip/(U)se default [Skip]:

Current Timezone=[UTC]
Configure Timezone? (Y)es/(S)kip/(U)se default [Skip]:

Root password is currently configured.


Configure root password? (Y)es/(S)kip/(U)se default [Skip]:

Network Time Protocol (NTP) Setup.

NTP is currently disabled.


Configure NTP related parameters? (Y)es/(S)kip/(U)se default [Skip]: yes
Enable NTP? (yes/no): yes
Default NTP server 1=[time.nist.gov]
Enter NTP server name or address [time.nist.gov]: 10.10.205.20
Enter another NTP server name or address (or none) [none]:
Configure NTP Authentication ? (Y)es/(S)kip/(U)se default [Skip]:

Cisco Prime Infrastructure communication password is currently configured.


Prime Infrastructure password for admin? (Y)es/(S)kip/(U)se default [Skip]: yes

Enter a password for the admin user.

The admin user is used by the Cisco Prime Infrastructure and other northbound systems
to authenticate their SOAP/XML session with the MSE.

Once this password is updated, it must also be updated on the Cisco Prime
Infrastructure page for MSE General Parameters so that the Cisco Prime Infrastructure
can communicate with the MSE.

Enter Cisco Prime Infrastructure communication password: IPexpert123


Confirm Cisco Prime Infrastructure communication password: IPexpert123


Configuration of mandatory parameters is complete. Do you want to continue with


remaining parameters ? (Y)es/(N)o/(U)se default [no]: no

Please verify the following setup information.

-----------------------------BEGIN----------------------------

Enable NTP=yes, NTP servers=10.10.205.20


Cisco Prime Infrastructure password is changed.

------------------------------END-----------------------------

You may enter "yes" to proceed with configuration, "no" to make


more changes, or "^" to go back to the previous step.

Configuration Changed

Is the above information correct (yes, no, or ^): yes

--------------------------------------------------------------
Checking mandatory configuration information...

Mandatory parameters (Hostname, Network interface eth0,


Timezone Settings, Root password, Cisco Prime Infrastructure communication username
and Cisco Prime Infrastructure communication password)

have all been configured.


--------------------------------------------------------------

Setup will now attempt to apply the configuration.

[lines omitted]

3. Add the MSE to the PI server using the credentials admin/IPexpert123.

• Enable all services when adding the MSE.

• Leave the rest of the settings at their default.


Choose to add an MSE.


Once complete, you should see it in the list of MSEs as shown below.

4. Click on the MSE in PI to open its management webpage.

5. Add another SNMP trap destination.

• Send them to 10.10.210.8.

• Use a v2 community of cciew.


Set the MSE logging level to ERROR.


Helpful Verification Commands

• service msed status

Technical Verification and Support

For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.

This concludes Lab 159 of iPexpert’s CCIE Wireless DSG, Section 5, Volume 1
Copyright© iPexpert. All Rights Reserved.


Lab 160: MSE Basic Location :: Detailed Solutions

Technologies Covered

• MSE Location Basics

Detailed Solution Guide

This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.


iPexpert’s Recommended Reading Material


All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

• CMX Config Guide 8.0- Chapter 10

• CMX Config Guide 8.0- Chapter 11

iPexpert’s Recommended Video Training

iPexpert’s Video on Demand training library contains a wealth of videos pertaining to the CCIE
Wireless Lab exam. We recommend watching the following learning videos prior to completing
this lab scenario.

• Video Title: Prime and MSE- MSE Location- Basic Setup

Topology Detail

This lab requires access to the MSE, PI, and WIN7.


Diagram 160.1: MSE Basic Location Topology

Lab 160 Setup

• Can this lab be practiced without completing a previous lab: NO

• If not, which lab(s) need to be completed first: Lab 159


Configuration Tasks :: Detailed Solutions

1. Add the following devices to PI in any manner you’d like, paying attention to the RO/RW
requirement. This requirement only applies to the SNMP portion. Use the admin credentials to give
RW CLI access.

• WLC1- RW

• WLC3- RW

• WLC4- RO

• CAT3- RW

• CAT4- RO

It’s probably simplest to use the built-in v2 communities on the AireOS WLCs and then create some v2
communities and user credentials on the switches and WLC3. So, no extra config is needed on the
WLCs. You could do something like this on the switches (the prompt below was mis-typed as CAT4 in
the original; the whole session is on CAT3).

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#snmp-server community public RO
CAT3(config)#snmp-server community private RW
CAT3(config)#user admin priv 15 sec IPexpert123
CAT3(config)#enable sec IPexpert123
CAT3(config)#line vty 0 15
CAT3(config-line)#login local
CAT3(config-line)#end

Once done, you should have all 4 devices managed in PI.


2. Place LAPs 1-5 onto the Floor1 map anywhere that you’d like, but be sure to have APs near the 4
corners of the building.

Here’s how I placed mine. As long as you spread them out a bit, that’s fine for our purposes.


3. Ensure that the Context Aware Notification (CAS) service has been enabled on the MSE and that
the MSE has been joined to PI.

Go to Services > Mobility Services Engine and you’ll see the status of each service on the MSE.

4. Synchronize all devices and all maps to the MSE for CAS.

Synchronizing tells the MSE what to keep track of, as well as all of the details of how the floors and APs
are laid out.


Next, go to synchronize the controllers.


Note that almost all of the devices are already assigned to the MSE thanks to us synchronizing our
maps. When there are dependencies, they are also synchronized. Since the maps had APs, and the APs
were joined to WLCs, those WLCs were automatically added.

You should always check to ensure that all needed WLCs were added. If a WLC didn’t have any APs on
it, it wouldn’t automatically get added with the maps. That could be bad if you miss it and one of the
APs moves over to that WLC. Let’s get WLC3 synched.


5. Ensure that all devices have an active NMSP connection with the MSE.

After synchronizing your devices, this is the first thing to check. Be sure to check every time as any
NMSP issues will cause issues elsewhere, and probably point loss in the lab.

Click onto the MSE from the Mobility Services Engines list to open its management GUI and go to the
Configuration screen.

Go to the NMSP status page.

We have 1 device that is not active.


We need to fix this. Fortunately, you can get some good help by clicking on the stethoscope icon.


Here we see two potential issues: the WLC time and the Key Hash match. At the moment, it’s actually just
the key hash. Since PI is managing WLC4 without the benefit of a RW SNMP community/user, PI
couldn’t add the key hash for the MSE. If we look at WLC1 or either of the 3650s, we’ll see the config
needed for the MSE to be able to talk to the devices via NMSP.

(WLC1) >show auth-list

Authorize MIC APs against Auth-list or AAA ...... disabled
Authorize LSC APs against Auth-List ............. disabled
APs Allowed to Join
AP with Manufacturing Installed Certificate.... yes
AP with Self-Signed Certificate................ no
AP with Locally Significant Certificate........ no

Mac Addr                Cert Type        Key Hash
----------------------- ---------------- ------------------------------------------
00:50:56:9b:45:fa       LBS-SSC-SHA256   6e35bda262e3dfd56781ccc2d99afda3c0c3bf5c5fa3c17fce70aebc188a3f82

CAT3#sho run | s mse
service timestamps debug datetime msec
service timestamps log datetime msec
username 0050569b45fa mac aaa attribute list mse_0050569b45fa
aaa attribute list mse_0050569b45fa
 attribute type password 6E35BDA262E3DFD56781CCC2D99AFDA3C0C3BF5C5FA3C17FCE70AEBC188A3F82
CAT3#sho run | in nmsp
nmsp enable
CAT3#sho run | s wcm
aaa authorization credential-download wcm_loc_serv_cert local

CAT4 was OK since we provided RW CLI credentials. PI uses SNMP to configure the AireOS devices and
CLI to configure the IOS-XE devices.

Let’s add in the auth-list entry on WLC4, and we should be good after that. A simple way to create this
is to simply find it in the running config of WLC1 and copy/paste it into WLC4.

(WLC4) >config auth-list add sha256-lbs-ssc 00:50:56:9b:45:fa 6e35bda262e3dfd56781ccc2d99afda3c0c3bf5c5fa3c17fce70aebc188a3f82

Go back to the MSE and reload the page. All should be good.
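As an added example (not from the guide and not Cisco code), the script below cross-checks the NMSP authorization entry in both formats shown above, so a device that is missing the MSE key hash, like WLC4 was, is caught before you go looking at the map. The sample outputs are constructed from the values on this page and the fix command is the AireOS command used in this task.

```python
"""Audit the MSE NMSP authorization entry on AireOS WLCs and IOS-XE switches.

Added example, not part of the iPexpert guide and not Cisco code. It parses
the two output formats from this task (AireOS 'show auth-list' and the IOS-XE
'username <mac> mac aaa attribute list' block), normalizes MAC and hash
spelling, and reports which devices lack the MSE key hash. Samples are
constructed from the values shown on this page.
"""
import re

# MSE identity as seen on WLC1 in the lab output.
MSE_MAC = "00:50:56:9b:45:fa"
MSE_KEY_HASH = "6e35bda262e3dfd56781ccc2d99afda3c0c3bf5c5fa3c17fce70aebc188a3f82"

AUTH_LIST_HEADER = """\
Authorize MIC APs against Auth-list or AAA ...... disabled
APs Allowed to Join
AP with Manufacturing Installed Certificate.... yes

Mac Addr                Cert Type        Key Hash
----------------------- ---------------- ------------------------------------------
"""
WLC1_ENTRY = ("00:50:56:9b:45:fa       LBS-SSC-SHA256   "
              "6e35bda262e3dfd56781ccc2d99afda3c0c3bf5c5fa3c17fce70aebc188a3f82\n")
WLC1_AUTH_LIST = AUTH_LIST_HEADER + WLC1_ENTRY  # constructed: entry present
WLC4_AUTH_LIST = AUTH_LIST_HEADER               # constructed: table empty (RO SNMP)

# Constructed: what PI pushed to CAT3 over the CLI. '| section mse' also matches
# the 'msec' timestamp lines, so the parser must ignore unrelated lines.
CAT3_RUN_MSE = """\
service timestamps debug datetime msec
service timestamps log datetime msec
username 0050569b45fa mac aaa attribute list mse_0050569b45fa
aaa attribute list mse_0050569b45fa
 attribute type password 6E35BDA262E3DFD56781CCC2D99AFDA3C0C3BF5C5FA3C17FCE70AEBC188A3F82
"""


def normalize_mac(mac: str) -> str:
    """'00:50:56:9b:45:fa', '0050.569b.45FA' and '0050569b45fa' -> '0050569b45fa'."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


# MAC, cert type, then a 40- or 64-hex-digit hash; \s+ also spans a wrapped line.
AIREOS_ROW = re.compile(
    r"([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(\S+)\s+([0-9a-f]{40,64})", re.IGNORECASE)


def parse_aireos_auth_list(text: str) -> dict:
    """Return {mac: key_hash} for every row of 'show auth-list' output."""
    return {normalize_mac(m.group(1)): m.group(3).lower()
            for m in AIREOS_ROW.finditer(text)}


def parse_iosxe_mse_entries(text: str) -> dict:
    """Return {mac: key_hash} by pairing each 'username <mac> mac aaa attribute
    list <name>' line with the password attribute of 'aaa attribute list <name>'."""
    flags = re.IGNORECASE | re.MULTILINE
    result = {}
    for mac, list_name in re.findall(
            r"^username\s+([0-9a-f]{12})\s+mac\s+aaa\s+attribute\s+list\s+(\S+)",
            text, flags):
        block = re.search(
            r"^aaa attribute list\s+" + re.escape(list_name)
            + r"\s+attribute type password\s+([0-9a-f]{40,64})", text, flags)
        if block:
            result[normalize_mac(mac)] = block.group(1).lower()
    return result


def audit_nmsp_auth(devices: dict) -> dict:
    """devices: {name: (platform, cli_output)} -> {name: verdict}, where verdict
    is 'ok', 'missing' (no entry for the MSE MAC) or 'hash-mismatch'."""
    want_mac, want_hash = normalize_mac(MSE_MAC), MSE_KEY_HASH.lower()
    verdicts = {}
    for name, (platform, output) in devices.items():
        parse = parse_aireos_auth_list if platform == "aireos" else parse_iosxe_mse_entries
        entries = parse(output)
        if want_mac not in entries:
            verdicts[name] = "missing"
        elif entries[want_mac] != want_hash:
            verdicts[name] = "hash-mismatch"
        else:
            verdicts[name] = "ok"
    return verdicts


def aireos_fix_command(mac: str = MSE_MAC, key_hash: str = MSE_KEY_HASH) -> str:
    """The AireOS command the lab uses to add the missing entry by hand."""
    return f"config auth-list add sha256-lbs-ssc {mac} {key_hash}"


if __name__ == "__main__":
    sample = {"WLC1": ("aireos", WLC1_AUTH_LIST), "WLC4": ("aireos", WLC4_AUTH_LIST),
              "CAT3": ("iosxe", CAT3_RUN_MSE)}
    for name, verdict in audit_nmsp_auth(sample).items():
        print(f"{name}: {verdict}" + ("" if verdict == "ok" else f"  ->  {aireos_fix_command()}"))
```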


6. Configure the MSE to track only the following types of devices with the requested limits.

• Wired Clients- no limit

• Wireless Clients- no limit

• Rogue APs- limit of 100

• Interferers- limit of 200

Go to Tracking under the CAS section and configure things as shown below.

If the MSE isn’t configured to track things, they won’t show up on the map. As you saw, not everything
is tracked by default.

7. Keep track of location history for the following devices for 45 days.

• Wireless Clients

• Interferers

This allows you to see where devices have been, and not just where they currently are.

8. Go to the Floor1 map in PI and configure the following devices to show up on the map.

• Wireless clients (including those that are just probing and not associated).

• Rogue APs with small icons.

• All active CleanAir interferers with a severity greater than 10 along with their zone of
impact.

  ◦ You might not actually get any interferers to show on the map with these settings.

• Ensure that you at least see Wireless Clients and Rogue APs on the map when you are
done.

Go to the Floor1 map and enable Clients on the map. Be sure to edit the clients that show and check
the “Show All Clients” box to show non-connected, probing clients. Otherwise, you will only see
currently associated clients.


Next, enable rogues and choose to show small icons.


Next, configure the Clean Air interferers.


I didn’t get any interferers that matched that, but here is what it would look like if I just showed all
active interferers.

Helpful Verification Commands

• N/A

Technical Verification and Support

For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.

This concludes Lab 160 of iPexpert’s CCIE Wireless DSG, Section 5, Volume 1
Copyright© iPexpert. All Rights Reserved.


Lab 161: MSE Advanced Location :: Detailed Solutions

Technologies Covered

• Location Filtering
• Advanced Settings
• Context Aware Notifications

Detailed Solution Guide

This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.


iPexpert’s Recommended Reading Material


All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

• CMX Config Guide 8.0- Chapter 11

iPexpert’s Recommended Video Training

iPexpert’s Video on Demand training library contains a wealth of videos pertaining to the CCIE
Wireless Lab exam. We recommend watching the following learning videos prior to completing
this lab scenario.

• Video Title: Prime and MSE- MSE Location- Advanced Settings

• Video Title: Prime and MSE- MSE Location- Context Aware Notifications

Topology Detail

This lab requires access to the MSE, PI, and WIN7.


Diagram 161.1: MSE Advanced Location Topology

Lab 161 Setup

• Can this lab be practiced without completing a previous lab: NO

• If not, which lab(s) need to be completed first: Labs 159 - 160


Configuration Tasks :: Detailed Solutions

Location Filtering

1. Configure the following filtering parameters on the MSE.

• Only track Clean Air detected interferers with a duty cycle of at least 5%.

• Continue to track probing clients, but only when their probes are heard at a signal level of
-75 dB or louder.

• Enable location MAC filtering (but do not add any entries yet).

• View your map. It probably hasn’t changed much.

• View the tracking numbers on the MSE to see if anything is being filtered out.

In the MSE configuration GUI, go to the CAS section and configure Filtering.

After saving, nothing should show up under the filtering boxes.


Jump up to the Tracking parameters and you can see if anything is being filtered. In my case, nothing
is.


Here is my map.

2. Find the MAC addresses of the rogue AP that is broadcasting the Rogue-Pod# SSID (where # is your
rack number).

Search for the SSID in PI to get to the alarm. In the alarm is the MAC address. Since our rogue has 2
radios, you’ll see 2 instances, but the MAC addresses will probably be sequential.

Here are my 2 entries for the rogue.


I expanded one of the alarms and then highlighted/copied one of the MAC addresses to my clipboard.

3. Add a Disallow location filtering entry for the MAC address of your rogue AP, where the last octet
is a wildcard.

• You should see 2 MAC entries show up in the blocked list when you save these settings.

• The Rogue AP should not show up on your map (though it can be hard to see something
missing with lots of other stuff around).

Back to the MSE GUI > CAS > Filtering. I pasted in my MAC address and replaced the last 2 characters
with a *.


After saving, this is what I see.

If I look at the tracking parameters, I see 2 rogue APs not being tracked.

The rogue will not show up on my map now.


4. Switch the filter entry to be in the Allowed list and save.

• Note that once you use the allowed list, anything not on the list is blocked.

• Go to your map, you should only see that rogue AP.

As long as the Allowed list is empty, everything that is not being disallowed is allowed by default. Once
you start putting entries in the Allowed list, it becomes a whitelist and everything not on the list is
blocked by default.

Once I make the switch and save, this is what I see.

Here are my tracking parameters.


And here is my map ONLY showing the Rogue-Pod1 rogue AP. It shows them in different locations, but
looking at the MAC addresses, I see it’s just the 2 different radios of the same rogue.


5. Disable location MAC filtering so everything starts showing up again.

Turn off filtering and everything should come back.


The lone non-tracked client is probably due to it being only a probing client below my RSSI threshold.
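To make the filtering rules from tasks 1, 3, 4 and 5 concrete, here is an added example (mine, not the guide's and not MSE code) that applies the duty-cycle floor, the probing-client RSSI floor and the wildcard MAC lists to a constructed set of detections and reproduces the tracked/not-tracked counts you see on the Tracking page. The rogue MAC prefix is a placeholder, and the tie-break for a MAC that sits on both lists is an assumption noted in the code.

```python
"""Model of the MSE CAS location-filtering decisions from tasks 1, 3, 4 and 5.

Added example, not part of the iPexpert guide and not MSE code. It encodes the
rules the lab configures: an interferer duty-cycle floor, an RSSI floor that
applies only to probing (non-associated) clients, and MAC filtering with '*'
wildcard entries where an empty Allowed list means 'track everything that is
not disallowed' and a non-empty Allowed list means 'track only what is listed'.
The detections and the rogue MAC prefix are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Detection:
    kind: str                          # wireless_client | wired_client | rogue_ap | interferer
    mac: str
    rssi: Optional[int] = None         # dBm of the strongest measurement
    associated: bool = True            # False = probing-only wireless client
    duty_cycle: Optional[int] = None   # percent, interferers only


@dataclass
class LocationFilter:
    min_interferer_duty_cycle: int = 0    # lab task 1: 5 (%)
    probing_rssi_floor: int = -128        # lab task 1: -75
    mac_filtering: bool = False           # lab task 1: enabled, lists empty
    allowed: tuple = ()                   # task 4: non-empty -> whitelist
    disallowed: tuple = ()                # task 3: e.g. "aa:bb:cc:dd:ee:*"


def mac_matches(entry: str, mac: str) -> bool:
    """Match a filter entry against a MAC; '*' stands for any run of hex digits,
    which is how the lab wildcards the last octet of the rogue's address."""
    pattern = re.escape(entry.lower()).replace(r"\*", "[0-9a-f]*")
    return re.fullmatch(pattern, mac.lower()) is not None


def evaluate(flt: LocationFilter, det: Detection) -> tuple:
    """Return (tracked, reason) for one detection under the given filter."""
    if (det.kind == "interferer" and det.duty_cycle is not None
            and det.duty_cycle < flt.min_interferer_duty_cycle):
        return False, "interferer duty cycle below floor"
    if (det.kind == "wireless_client" and not det.associated
            and (det.rssi is None or det.rssi < flt.probing_rssi_floor)):
        return False, "probing client heard below RSSI floor"
    if flt.mac_filtering:
        # Assumption: a Disallowed entry wins over an Allowed one.
        if any(mac_matches(e, det.mac) for e in flt.disallowed):
            return False, "MAC on Disallowed list"
        if flt.allowed and not any(mac_matches(e, det.mac) for e in flt.allowed):
            return False, "Allowed list in use and MAC not on it"
    return True, "tracked"


def tracking_summary(flt: LocationFilter, dets) -> dict:
    """Per-kind (tracked, not_tracked) counts, like the MSE Tracking page."""
    summary = {}
    for det in dets:
        tracked, _ = evaluate(flt, det)
        t, n = summary.get(det.kind, (0, 0))
        summary[det.kind] = (t + 1, n) if tracked else (t, n + 1)
    return summary


# Constructed sample: a two-radio rogue, three clients, two interferers.
ROGUE_PREFIX = "aa:bb:cc:dd:ee:*"          # placeholder, not the lab's real MAC
SAMPLE = [
    Detection("rogue_ap", "aa:bb:cc:dd:ee:00"),
    Detection("rogue_ap", "aa:bb:cc:dd:ee:01"),
    Detection("wireless_client", "11:22:33:44:55:66", rssi=-60),
    Detection("wireless_client", "11:22:33:44:55:77", rssi=-70, associated=False),
    Detection("wireless_client", "11:22:33:44:55:88", rssi=-80, associated=False),
    Detection("interferer", "00:00:00:00:00:01", duty_cycle=3),
    Detection("interferer", "00:00:00:00:00:02", duty_cycle=40),
]
# Task 1 + task 3: filtering on, rogue on the Disallowed list.
FILTER_DISALLOW = LocationFilter(5, -75, True, disallowed=(ROGUE_PREFIX,))
# Task 4: same entry moved to the Allowed list -> only the rogue is tracked.
FILTER_ALLOW = LocationFilter(5, -75, True, allowed=(ROGUE_PREFIX,))
# Task 5: MAC filtering off; the RSSI and duty-cycle floors still apply.
FILTER_OFF = LocationFilter(5, -75, False)


if __name__ == "__main__":
    for name, flt in (("disallow", FILTER_DISALLOW), ("allow", FILTER_ALLOW),
                      ("off", FILTER_OFF)):
        print(name, tracking_summary(flt, SAMPLE))
```

With filtering off, the one client still not tracked is the probing client heard at -80, which is the "lone non-tracked client" case above.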


Other MSE Advanced Configs

6. Configure presence parameters so that clients can be informed about their location.

• Limit the resolution to the current building.

• Choose both Cisco and Civic for the Format.

Unfortunately, we don’t have a CCX5 client to be able to see this in action.

7. Have the MSE take into account all measurements of at least -78 dBm for location calculations for
a given device.

8. Do not use chokepoints for location calculations.

9. Look at the other settings under Advanced Configuration to get a feel for what is there. Most of
these are not to be changed except under guidance of TAC.


I don’t know how prone the lab will be to delve into these settings, but know where they are just in
case.

Context Aware Notifications

10. Create the following Context Aware Notification.

• Use an event group name of CCIEW.

• Create an event definition named EVENT1.

  ◦ It should trigger if a client with the MAC address of 00:11:22:33:44:55 goes missing
for at least 30 minutes.

  ◦ In addition to the notice to PI, send a syslog to 10.10.210.8.

• Create an event definition named EVENT2.

  ◦ It should trigger if a tag in an asset group named TAG has a low battery level.

  ◦ In addition to the notice to PI, send an email using the SMTP server at 10.10.210.8.

    ▪ To address= cciew@ipexpert.com

    ▪ From address= cciew@ipexpert.com

    ▪ Subject prefix= Battery Low

  ◦ This definition should always be serviced first.

Go to Notification Definitions and choose to add an Event Group.


Click into the group and choose to add a new Event Definition.

Go to the Condition tab and add a new one as shown below.


Go to the Destination and Transport tab and add a new one as shown below.


Finally, go to the General tab, enable the definition and save it.


Create a second event in the group named EVENT2 as shown below.

Set the condition.

Set the email.


Then, enable and max out the priority.

Now you should have 2 events in the group.


11. Ensure that the notification group is synced to the MSE.

Go to the Synchronize Services page and assign the group to the MSE.


Helpful Verification Commands

• N/A

Technical Verification and Support

For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.

This concludes Lab 161 of iPexpert’s CCIE Wireless DSG, Section 5, Volume 1
Copyright© iPexpert. All Rights Reserved.


Lab 162: MSE WIPS :: Detailed Solutions

Technologies Covered

• Wireless Intrusion Prevention System (WIPS)

Detailed Solution Guide

This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.


iPexpert’s Recommended Reading Material


All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

• WIPS Deployment Guide 8.0

iPexpert’s Recommended Video Training

iPexpert’s Video on Demand training library contains a wealth of videos pertaining to the CCIE
Wireless Lab exam. We recommend watching the following learning videos prior to completing
this lab scenario.

• Video Title: Prime and MSE- MSE WIPS

Topology Detail

This lab requires access to the MSE, PI, and WIN7.


Diagram 162.1: MSE WIPS Topology

Lab 162 Setup

• Can this lab be practiced without completing a previous lab: NO
• If not, which lab(s) need to be completed first: Lab 159


Configuration Tasks :: Detailed Solutions

1. If you haven’t done it already, add the network devices to PI as described in Lab 160, task 1.

This has already been done on this rack. If you skipped past Lab 160, task 1, go back and complete it before starting this lab.

2. Ensure that the WIPS service is enabled on the MSE.

This should have already been done before, but you can verify it on the screen that lists your MSE.

3. Synchronize all devices to the MSE for the WIPS service.


4. LAPs 1-5 should be in local mode. Enable the WIPS sub-mode on all APs to put them into enhanced local mode.

wIPS is supported on local, FlexConnect, and monitor mode APs. If you are using local or FlexConnect APs, you will typically enable the wIPS sub-mode on all of them. Keep in mind that an enhanced local mode AP still serves clients and only looks for attacks off-channel on a best-effort basis; a dedicated monitor mode AP gives full-time detection. Changing the sub-mode reboots the AP, so expect a short outage on each one.

(WLC1) >config ap mode local submode wips LAP4

(WLC4) >config ap mode local submode wips LAP5

CAT3#ap name LAP1 mode local submode wips
Changing the AP's mode will cause the AP to reboot.
Are you sure you want to continue? (y/n)[y]: y

CAT4#ap name LAP2 mode local submode wips
Changing the AP's mode will cause the AP to reboot.
Are you sure you want to continue? (y/n)[y]: y

CAT4#ap name LAP3 mode local submode wips
Changing the AP's mode will cause the AP to reboot.
Are you sure you want to continue? (y/n)[y]: y

5. Create a new WIPS profile as described below.

• Give the profile the name CCIEW.
• Base the profile off of the Retail template.
• In addition to the WLANs on your WLCs, you have some autonomous APs with the following SSIDs that should be considered your SSIDs for WIPS detections.
  o SSID 1= Auto1
  o SSID 2= Auto2
• Enable the “DoS: Probe request flood” signature detection with a threshold of 400 requests per sampling period.
• Edit the “DoS: Association Flood” signature as described below.
  o Severity= Critical
  o Should detect attacks on Guest networks as well as the autonomous SSIDs that you added earlier.
  o Perform a forensic packet capture when this signature is triggered.

We can see that the default profile has been automatically pushed out to the WLCs, so it’s already
functional, but we’ll be creating our own custom profile to use.

Name it CCIEW and copy it from the Retail profile template.


In order to add SSIDs to a category that wouldn’t be there automatically, check the box of the category
(MyWLAN in our case) and edit the group.


Type in the SSIDs, one per line as instructed.


Now that you have the SSIDs defined, save and move to the next screen.

Enable the probe request flood signature and then edit it.


Choose to edit the Assoc flood signature as shown below.

Once you’re done, save and go to the next screen.
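The two flood signatures in task 5 are threshold rules: count one kind of management frame per source inside a sampling period and fire when the count reaches the threshold. The Python below is an added example written for this guide to show that logic end to end; it is not wIPS code (the MSE does not expose its detector), and the 5-second sampling period, the 100-frame association threshold and the constructed frame list are assumptions made for the demonstration.

```python
from collections import defaultdict, deque

# Signature table in the shape of the wIPS settings from task 5:
# name -> (management frame subtype, threshold, sampling period in seconds).
# The 5-second period and the association threshold are assumptions for this
# example; the real wIPS sampling period is fixed by the profile, not here.
SIGNATURES = {
    "DoS: Probe request flood": ("probe_req", 400, 5.0),
    "DoS: Association flood": ("assoc_req", 100, 5.0),
}


def detect_floods(frames, signatures=SIGNATURES):
    """Sliding-window threshold detector.

    frames: iterable of (timestamp_seconds, frame_subtype, source_mac).
    Returns one alert per (signature, source) per sampling period, raised the
    moment that source's frame count inside the window reaches the threshold.
    Frames of another subtype never count toward a signature.
    """
    windows = {name: defaultdict(deque) for name in signatures}
    quiet_until = {name: {} for name in signatures}  # alert suppression per source
    alerts = []
    for ts, subtype, src in sorted(frames):
        for name, (sig_subtype, threshold, period) in signatures.items():
            if subtype != sig_subtype:
                continue
            window = windows[name][src]
            window.append(ts)
            while window and ts - window[0] > period:  # drop frames older than the period
                window.popleft()
            if len(window) >= threshold and quiet_until[name].get(src, -1.0) <= ts:
                alerts.append({"signature": name, "source": src,
                               "time": round(ts, 3), "count": len(window)})
                quiet_until[name][src] = ts + period  # one alert per source per period
    return alerts


def sample_frames():
    """Constructed traffic, not a capture: one ordinary station probing once a
    second, one source bursting 450 probe requests in two seconds, and a few
    association requests that must not count toward the probe signature."""
    frames = [(float(t), "probe_req", "aa:bb:cc:00:00:01") for t in range(10)]
    frames += [(5.0 + i * (2.0 / 450), "probe_req", "de:ad:be:ef:00:01") for i in range(450)]
    frames += [(6.0 + i * 0.01, "assoc_req", "de:ad:be:ef:00:02") for i in range(20)]
    return frames


if __name__ == "__main__":
    for alert in detect_floods(sample_frames()):
        print(alert)
```

Run it and the only alert is the probe flood from de:ad:be:ef:00:01 with a count of exactly 400; the ordinary station and the association requests never trip anything, which is the behaviour you want from a threshold signature: it reacts to rate from one source, not to volume in aggregate.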


6. Try to push this new profile out to each device managed by PI.

Check all of the boxes and choose to Apply.

All of the profiles should apply. PI hands the profile to the MSE, and the MSE delivers it to each controller over NMSP, so the push does not depend on PI having SNMP write access to the WLC. Even WLC4, which only has a read-only SNMP community defined in PI, gets the update:

(WLC4) >show wps wips summary
Policy Name...................................... WCS-Retail-10_01_2015_03_23_05_778
Policy Version................................... 1


7. Configure the MSE so that it reserves 10 GB for forensic captures and ages out alarms after 60 days.

Go to the MSE configuration GUI and scroll down to the wIPS section.

Helpful Verification Commands

• N/A


This concludes Lab 162 of iPexpert’s CCIE Wireless DSG, Section 5, Volume 1


Section 6: Security and Identity Management with ISE


Lab 163: CLI Configurations :: Detailed Solutions

Technologies Covered

• CLI Configurations



iPexpert’s Recommended Reading Material


All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

• N/A

iPexpert’s Recommended Video Training


• Video Title: ISE- CLI Configurations

Topology Detail

This lab requires access to ISE and WIN7.


Diagram 163.1: CLI Configurations Topology

Lab 163 Setup

• Can this lab be practiced without completing a previous lab: YES
• If so, which lab load should be used: ISE- Base
• Can this lab be practiced without a fresh lab load by using the final config of the previous lab: NO


Configuration Tasks :: Detailed Solutions

1. SSH to the ISE server from the WIN7 PC.

• IP= 10.10.210.5
• User= admin
• Password= IPexpert123

2. Manually set the date/time to reflect your current date/time.

• Skip any service restarts until the very end.

If at all possible, use NTP with ISE, but if that is not allowed, at least make sure the clock is correct by hand. In the lab, use the AD server as your reference clock. An accurate clock matters for more than log timestamps: certificate validity checks and the AD join (Kerberos tolerates only a few minutes of skew by default) both fail when the ISE clock drifts.

ISE/admin# clock set Oct 1 12:44:00 2015
% On ISE distributed deployments, it is recommended all nodes use
% NTP as a clock source.
Continue with clock change? Y/N [N]: y
System clock was modified. You must restart ISE for change to take effect.
Do you want to restart ISE now? (yes/no) no

ISE/admin# show clock
Thu Oct 1 12:44:31 UTC 2015

3. Configure the time zone to be EST5EDT.

Unless the task tells you to set a time zone, leave ISE in UTC. In a distributed deployment every node should carry the same time zone, and changing it requires an application restart, which is why the restart is deferred to the end of this lab.

ISE/admin# conf t
Enter configuration commands, one per line. End with CNTL/Z.
ISE/admin(config)# clock timezone EST5EDT
% On ISE distributed deployments, it is recommended all nodes be
% configured with the same time zone.
Continue with time zone change? Y/N [N]: y
System timezone was modified. You must restart ISE for change to take effect.
Do you want to restart ISE now? (yes/no) no
ISE/admin(config)# end

ISE/admin# show clock
Thu Oct 1 08:46:31 EDT 2015
ISE/admin# show timezone
EST5EDT

4. Configure 10.10.210.8 as an NTP server.

ISE/admin# conf t
Enter configuration commands, one per line. End with CNTL/Z.
ISE/admin(config)# ntp server 10.10.210.8
ISE/admin(config)# end

ISE/admin# show ntp
Configured NTP Servers:
10.10.210.8

unsynchronised
time server re-starting
polling server every 64 s

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 127.127.1.0     .LOCL.          10 l   28   64    1    0.000    0.000   0.000
 10.10.210.8     .LOCL.           1 u   27   64    1    0.611    9.696   0.000

* Current time source, + Candidate , x False ticker

Warning: Output results may conflict during periods of changing synchronization.

ISE takes a little while to sync up to an NTP server; you may need to wait 5-10 minutes. The output above already shows that the two are talking: the server's stratum is filled in and there are real delay and offset values. The reach column is an octal shift register of the last eight polls, so a value of 1 means exactly one poll has been answered so far; it climbs toward 377 as polls succeed, and ntpd only selects a source (marked with *) once enough of them have. Note also the refid of .LOCL., which tells you the lab server is serving its own undisciplined local clock rather than tracing to a real time reference; that keeps the lab consistent but is not what you would accept in production.


This is what it looks like after synchronization.

ISE/admin# show ntp
Configured NTP Servers:
10.10.210.8

synchronised to NTP server (10.10.210.8) at stratum 11
time correct to within 449 ms
polling server every 64 s

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 127.127.1.0     .LOCL.          10 l   26   64   77    0.000    0.000   0.000
*10.10.210.8     .LOCL.           1 u   23   64   77    0.611    9.696   3.059

* Current time source, + Candidate , x False ticker

Warning: Output results may conflict during periods of changing synchronization.

ISE/admin# show clock
Thu Oct 1 13:02:24 EDT 2015
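To turn the two show ntp outputs above into a pass/fail check, here is an added Python example (not an ISE tool) that parses that output and flags the things worth acting on: not yet synchronised, the selected source free-running on its local clock (refid .LOCL.), a reach register that is not yet full, or an offset beyond ntpd's default 128 ms step threshold. The two outputs are embedded as constants copied from this task so it runs without an ISE box; the finding codes are this example's own.

```python
import re

# The two "show ntp" outputs from task 4, copied from this lab, so the parser
# can be exercised without an ISE box.
SHOW_NTP_BEFORE = """\
Configured NTP Servers:
10.10.210.8

unsynchronised
time server re-starting
polling server every 64 s

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 127.127.1.0     .LOCL.          10 l   28   64    1    0.000    0.000   0.000
 10.10.210.8     .LOCL.           1 u   27   64    1    0.611    9.696   0.000
"""

SHOW_NTP_AFTER = """\
Configured NTP Servers:
10.10.210.8

synchronised to NTP server (10.10.210.8) at stratum 11
time correct to within 449 ms
polling server every 64 s

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 127.127.1.0     .LOCL.          10 l   26   64   77    0.000    0.000   0.000
*10.10.210.8     .LOCL.           1 u   23   64   77    0.611    9.696   3.059
"""

SYNC_RE = re.compile(r"synchronised to NTP server \(([^)]+)\) at stratum (\d+)")
TALLY_CODES = "*+x#o-"          # ntpq tally column: * selected, + candidate, x false ticker
PEER_TYPES = ("l", "u", "b", "m")  # local, unicast, broadcast, multicast
STEP_THRESHOLD_MS = 128.0       # ntpd steps instead of slewing above this offset


def parse_show_ntp(text):
    """Parse ISE 'show ntp' output into configured servers, sync state and peer rows."""
    parsed = {"servers": [], "synchronised": False, "sync_server": None,
              "stratum": None, "peers": []}
    in_servers = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Configured NTP Servers:"):
            in_servers = True
            continue
        m = SYNC_RE.search(line)
        if m:
            in_servers = False
            parsed["synchronised"] = True
            parsed["sync_server"] = m.group(1)
            parsed["stratum"] = int(m.group(2))
            continue
        if line.startswith("unsynchronised"):
            in_servers = False
            continue
        tokens = line.split()
        if len(tokens) == 10 and tokens[2].isdigit() and tokens[3] in PEER_TYPES:
            in_servers = False
            tally = tokens[0][0] if tokens[0][0] in TALLY_CODES else ""
            parsed["peers"].append({
                "remote": tokens[0].lstrip(TALLY_CODES),
                "refid": tokens[1],
                "stratum": int(tokens[2]),
                "tally": tally,
                "reach": int(tokens[6], 8),  # octal shift register of the last 8 polls
                "delay": float(tokens[7]),
                "offset": float(tokens[8]),
                "jitter": float(tokens[9]),
            })
        elif in_servers and len(tokens) == 1:
            parsed["servers"].append(tokens[0])
    return parsed


def assess(parsed):
    """Return (code, message) findings to act on before trusting the ISE clock."""
    findings = []
    if not parsed["synchronised"]:
        findings.append(("NOT_SYNCED",
                         "clock not synchronised yet; certificate and AD time checks may fail"))
    for peer in (p for p in parsed["peers"] if p["tally"] == "*"):
        if peer["refid"] == ".LOCL.":
            findings.append(("LOCAL_CLOCK_SOURCE",
                             f"{peer['remote']} serves its own undisciplined clock; consistent, not traceable"))
        if peer["reach"] != 0o377:
            answered = bin(peer["reach"]).count("1")
            findings.append(("POOR_REACH",
                             f"{peer['remote']} answered only {answered} of the last 8 polls"))
        if abs(peer["offset"]) > STEP_THRESHOLD_MS:
            findings.append(("LARGE_OFFSET",
                             f"{peer['remote']} offset {peer['offset']} ms exceeds the step threshold"))
    return findings


if __name__ == "__main__":
    for label, text in (("before", SHOW_NTP_BEFORE), ("after", SHOW_NTP_AFTER)):
        print(label, assess(parse_show_ntp(text)))
```

On the "before" output the only finding is NOT_SYNCED; on the "after" output the clock is synchronised, but the selected peer still reports .LOCL. and a reach of 77 (six of the last eight polls), which is exactly the state you would want a monitoring check to keep reporting until the reach register fills and, outside a lab, until the server points at a real reference.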

5. Ensure that the server pulled an IPv6 address via stateless autoconfig.

ISE does not appear to offer a way to configure a static IPv6 address at this version, so dynamic assignment is all you have. Confirm that a global-scope address has appeared on the interface alongside the link-local one:

ISE/admin# show interface gi 0
GigabitEthernet 0
Link encap:Ethernet HWaddr 00:50:56:9B:CA:4B
inet addr:10.10.210.5 Bcast:10.10.210.255 Mask:255.255.255.0
inet6 addr: 2001:cc1e:0:210:250:56ff:fe9b:ca4b/64 Scope:Global
inet6 addr: fe80::250:56ff:fe9b:ca4b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1727 errors:0 dropped:0 overruns:0 frame:0
TX packets:2542 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:145159 (141.7 KiB) TX bytes:2925570 (2.7 MiB)


6. Verify the IPv4 default gateway configuration.

There is an outside chance that you may need to configure or fix this if devices off subnet cannot talk to ISE.

ISE/admin# show run | in def
ip default-gateway 10.10.210.1

7. Have ISE use 10.10.210.8 as a DNS server.

You are unlikely to ever configure a new DNS suffix, since that changes the node's FQDN and therefore has implications for its certificate, but you may well need to configure a DNS server.

ISE/admin# conf t
Enter configuration commands, one per line. End with CNTL/Z.
ISE/admin(config)# ip name-server 10.10.210.8
ISE/admin(config)# end

8. Add another CLI user account.

• User= cciew
• Password= IPexpert123
• Role= admin

ISE/admin# conf t
Enter configuration commands, one per line. End with CNTL/Z.
ISE/admin(config)# user cciew pass plain IPexpert123 role admin
ISE/admin(config)# end

9. Pretend that you’ve lost the password for the GUI account named admin and try to reset it to IPexpert123.

• This will fail since that is the password already, but the idea is to make sure you know the command in case it actually happens.

This is a good command to know on the off chance you are locked out of the GUI. It runs from the CLI admin account, so anyone holding CLI admin access can take over the GUI admin account; treat the CLI credentials accordingly. The rejection below is the admin password history at work: the last three passwords cannot be reused.

ISE/admin# app reset-passwd ise admin
Enter new password: IPexpert123
Confirm new password: IPexpert123
Password can't be set to one of the earlier 3 password(s)

10. Save the running config.

ISE/admin# wr mem
Generating configuration...

11. Stop and restart the ISE service.

• Verify that the service restarts with the show application status ise command.
• It should look similar to the output below.

ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
Database Listener                      running          2657
Database Server                        running          44 PROCESSES
Application Server                     running          5200
Profiler Database                      running          3659
AD Connector                           running          5586
M&T Session Database                   running          2234
M&T Log Collector                      running          5475
M&T Log Processor                      running          5430
Certificate Authority Service          running          5393

If ISE seems to be not working correctly, this is something to try. I’d do this over rebooting the entire
server, as I wouldn’t want to risk something going wrong during the reboot and losing all access.

ISE/admin# app stop ise
Stopping ISE Monitoring & Troubleshooting Log Collector...
Stopping ISE Monitoring & Troubleshooting Log Processor...
ISE Identity Mapping Service is disabled
ISE pxGrid processes are disabled
Stopping ISE Application Server...
Stopping ISE Certificate Authority Service...
Stopping ISE Profiler Database...
Stopping ISE Monitoring & Troubleshooting Session Database...
Stopping ISE AD Connector...
Stopping ISE Database processes...

ISE/admin# app start ise
Starting ISE Monitoring & Troubleshooting Session Database...
Starting ISE Profiler Database...
Starting ISE Application Server...
Starting ISE Certificate Authority Service...
Starting ISE Monitoring & Troubleshooting Log Processor...
Starting ISE Monitoring & Troubleshooting Log Collector...
Starting ISE AD Connector...
Note: ISE Processes are initializing. Use 'show application status ise'
CLI to verify all processes are in running state.

It will take some time for this to complete. Once it is done, you should see output like this.

ISE/admin# show app st ise

ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
Database Listener                      running          21544
Database Server                        running          37 PROCESSES
Application Server                     running          24228
Profiler Database                      running          22687
AD Connector                           running          24602
M&T Session Database                   running          22597
M&T Log Collector                      running          24503
M&T Log Processor                      running          24458
Certificate Authority Service          running          24407
pxGrid Infrastructure Service          disabled
pxGrid Publisher Subscriber Service    disabled
pxGrid Connection Manager              disabled
pxGrid Controller                      disabled
Identity Mapping Service               disabled


Helpful Verification Commands

• show clock
• show timezone
• show ntp
• show run
• show app status ise


This concludes Lab 163 of iPexpert’s CCIE Wireless DSG, Section 6, Volume 1


Lab 164: Administrative Settings :: Detailed Solutions

Technologies Covered

• Logging
• Backups/Restores
• Admin Access
• Settings



iPexpert’s Recommended Reading Material


All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

• ISE Config Guide 1.3- Chapter 6

iPexpert’s Recommended Video Training


• Video Title: ISE- Administrative Settings

Topology Detail

This lab requires access to ISE and WIN7.


Diagram 164.1: Administrative Settings Topology

Lab 164 Setup

• Can this lab be practiced without completing a previous lab: YES
• If so, which lab load should be used: ISE- Base
• Can this lab be practiced without a fresh lab load by using the final config of the previous lab: YES


Configuration Tasks :: Detailed Solutions

1. Login to the GUI at https://10.10.210.5 from the WIN7 PC with the credentials below.

• User= admin
• Password= IPexpert123

Logging

2. Keep local logs stored for 5 days.

3. Configure 10.10.210.8 as a syslog server named WIN2012.

• Use the standard syslog transport and port.
• Mark the logs with a facility of LOCAL7.
• Be sure alarms are sent as syslogs to this server.

4. Send all AAA Audit logs (including failed attempts and passed authentications) to the WIN2012 syslog server.

Just because you defined a syslog server does not mean syslogs are being sent to it. You still need to specify which logging categories go to that target. Note that the standard transport is UDP port 514, which carries the messages in cleartext with no sender authentication, so the collector should at least restrict which source addresses it accepts; where the collector supports it, ISE can also send to a TCP or TLS-protected (Secure Syslog) target.


Move the WIN2012 server to the right and save.

Unfortunately, this doesn’t propagate to the child categories. Repeat this for failed attempts and
passed auths.
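The facility and transport settings above decide how the collector will see ISE's messages. The Python below is an added example (not ISE code) showing what a LOCAL7 message looks like on the wire and how a collector can at least sanity-check the unauthenticated UDP feed: it encodes and decodes the <PRI> header, tallies messages by ISE logging category, and sets aside anything that does not carry the expected facility or host name. The sample lines are constructed for the example, and their payload is a simplification; real ISE messages carry more fields after the category name.

```python
import re

# RFC 3164 facility and severity codes; PRI = facility * 8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
LOCAL7 = FACILITIES.index("local7")  # 23, the facility chosen in task 3

# <PRI>MMM dd hh:mm:ss host message   (BSD syslog, the UDP/514 format in this task)
SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")

# Constructed sample feed, not real ISE output. PRI 189 = local7.notice,
# 188 = local7.warning, 190 = local7.info, 14 = user.info.
SAMPLE_LINES = [
    "<189>Oct  1 13:05:10 ise CISE_Passed_Authentications 0000000101 1 0 Passed-Authentication: iseuser1",
    "<188>Oct  1 13:05:12 ise CISE_Failed_Attempts 0000000102 1 0 Failed-Attempt: guest bad password",
    "<188>Oct  1 13:05:13 ise CISE_Failed_Attempts 0000000103 1 0 Failed-Attempt: guest bad password",
    "<190>Oct  1 13:05:15 ise CISE_AAA_Audit 0000000104 1 0 AAA-Audit: policy evaluated",
    "<14>Oct  1 13:05:16 ise CISE_Passed_Authentications 0000000105 1 0 wrong facility, not our target",
    "<189>Oct  1 13:05:17 rogue-host CISE_Passed_Authentications 0000000106 1 0 forged host name",
]


def encode_pri(facility, severity):
    """Build the <PRI> value a sender puts on the wire."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def parse_syslog(line):
    """Split a BSD syslog line into its PRI, names, timestamp, host and payload; None if malformed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    facility, severity = divmod(pri, 8)
    return {"pri": pri, "facility": FACILITIES[facility], "severity": SEVERITIES[severity],
            "timestamp": m.group(2), "host": m.group(3), "message": m.group(4)}


def audit_feed(lines, expected_host, expected_facility="local7"):
    """Tally messages per ISE category and set aside lines that do not match the
    configured sender. UDP syslog carries no authentication, so the host field and
    the facility are the only cheap checks a collector has; neither is proof of origin."""
    counts = {}
    suspicious = []
    for line in lines:
        rec = parse_syslog(line)
        if rec is None or rec["host"] != expected_host or rec["facility"] != expected_facility:
            suspicious.append(line)
            continue
        category = rec["message"].split(" ", 1)[0]  # e.g. CISE_Failed_Attempts
        counts[category] = counts.get(category, 0) + 1
    return counts, suspicious


if __name__ == "__main__":
    print("local7.notice PRI is", encode_pri(LOCAL7, SEVERITIES.index("notice")))
    tally, odd = audit_feed(SAMPLE_LINES, expected_host="ise")
    print(tally)
    print("set aside:", len(odd))
```

The two lines it sets aside are the ones a careless collector would happily merge into the ISE audit trail: one with the wrong facility and one with a forged host name. Neither check stops a spoofed datagram from the right address, which is why the source filter at the collector (and TCP or Secure Syslog where available) still matters.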


Backups

5. Create an FTP repository.

• Name= WIN2012-FTP
• Server= 10.10.210.8
• Path= /
• User= administrator
• Password= IPexpert123

The repository is created under the Maintenance section. A repository is needed any time you copy files to or from an external source. FTP carries the credentials and the backup file in cleartext, so outside the lab prefer an SFTP repository, and do not hand the repository a domain administrator account when a dedicated low-privilege upload account will do.


6. Create a scheduled configuration backup.

• Name= CCIEW
• Repository= WIN2012-FTP
• Encryption key= IPexpert123
• Run monthly on the first day of the month at midnight, starting tomorrow.

The encryption key protects the backup file at rest in the repository, and a backup cannot be restored without it, so record the key somewhere other than the repository that holds the backups.


Admin Access

7. Set a maximum of 5 concurrent sessions for both GUI and CLI.

8. Users should see a pre-login banner that says “Only future CCIE’s allowed!” when logging into the
GUI.


9. Only users in the 10.10.0.0/16 IP range should be allowed to access the web GUI of ISE.


10. Set the maximum user idle timeout value.

The description of the feature tells you that the max is 100 minutes.


11. Create a new admin user.

• User= CCIEW
• Password= CCIEW
• Email address= cciew@ipexpert.com
• Give it the same access as the admin user.

12. Ensure that admin users never have their passwords expire or have their accounts get locked out.

The password CCIEW is too simple for the default password policy, so edit the policy first. You will notice that the admin accounts are already set not to expire or be locked out; that is deliberate in this lab. On a production ISE, lockout after repeated failures is what blunts password guessing against the GUI and CLI, so leave it enabled there.


Now create the user account.


Settings

13. Disable the alarm named “AD Connector had to be restarted”.

This is the first alarm on the list.


14. Email alarms to cciew@ipexpert.com from ise@ipexpert.com.

• Use 10.10.210.8 as the email server.


15. Set the EAP-FAST master key generation period to be every 2 weeks.

16. Configure ISE to not have to check the user credentials on PEAP re-authentications within 1 hour of the original authentication.

This is the Fast Reconnect feature, which depends on Session Resume. With Session Resume on, ISE caches the outer TLS session for the configured timeout; Fast Reconnect then lets a client that resumes that session within the hour skip the inner-method credential exchange, so for that hour the cached TLS session is what authenticates the user, not the password.


17. Use 10.10.210.8 as an NTP server without authentication.

We already set the NTP server in the last lab, but I wanted you to know that you can do it in the GUI as
well.

Helpful Verification Commands

• N/A


This concludes Lab 164 of iPexpert’s CCIE Wireless DSG, Section 6, Volume 1


Lab 165: Certificates :: Detailed Solutions

Technologies Covered

• Local server certificates
• Internal CA server
• SCEP servers



iPexpert’s Recommended Reading Material


All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

• ISE Config Guide 1.3- Chapter 8

iPexpert’s Recommended Video Training


• Video Title: ISE- Certificates

Topology Detail

This lab requires access to ISE and WIN7.


Diagram 165.1: Certificates Topology

Lab 165 Setup

• Can this lab be practiced without completing a previous lab: YES
• If so, which lab load should be used: ISE- Base
• Can this lab be practiced without a fresh lab load by using the final config of the previous lab: YES


Configuration Tasks :: Detailed Solutions

1. Renew the ISE server self-signed certificate for 10 years.


We can see that the existing cert hasn’t expired by any means, but you can still renew it if asked. Scroll
down to the bottom to find the renewal option.

2. On second thought, generate a new self-signed certificate that’s good for 1 year.

• Leave settings at their default unless otherwise asked.
• Use this new certificate for all possible purposes.
• Assign it a portal cert group tag of CCIEW.
• Replace the existing certificate when asked.

We can go with a new self-signed certificate altogether, rather than renewing an existing cert.


Scroll down to find the things that you need to configure.

Wait for the service to restart and log back in.

3. On third thought, install a CA signed server certificate.

• Files can be found on the WIN7 PC at C:\Rack Files\Certificates\.
• Cert File name= ISE.pem
• Private Key File name= isekey.pem
• Password= IPexpert123
• Friendly name= ISE
• Use this new certificate for all possible purposes.
• Assign it a portal cert group tag of CCIEW.


You will get kicked out again and have to wait for the service to restart. Once it has, log back in.

If you want, browse to https://ise.ipexpert.local and confirm that the browser no longer complains about an untrusted certificate. That only works when the issuing CA is in the client's trust store and the name you browse to matches the certificate's subject or subject alternative name.

4. Install a new CA cert that can be used to verify EAP-TLS client authentications.

• Files can be found on the WIN7 PC at C:\Rack Files\Certificates\.
• CA Cert File name= ca.pem
• Friendly Name= iPexpert-CA


If you need to support EAP-TLS authentications, you need to add the CA certificate that issued the client certificates so that ISE can validate them. When you import it, make sure it is trusted for client authentication; a CA that is only trusted for ISE's own internal use will not be used to validate supplicant certificates.


5. Ensure that the internal CA server is enabled on ISE.

It is enabled by default, but look for the green box to verify.

6. Create a new internal CA certificate template.

• Name= TLS_Clients
• OU= Wireless
• O= iPexpert
• City= Lindstrom
• State= MN
• Country= USA
• SAN= MAC address
• Key size= 2048
• Use the internal ISE CA to issue the certificates.
• Make them valid for as long as possible.

A long validity period means revocation is the only way to cut off a lost or retired device, so keep the CA's revocation process working if you use a template like this outside the lab.


7. Add the WIN2012 server as an external SCEP server.

• Name= iPexpert_CA
• URL= http://10.10.210.8/certsrv/mscep/

This is an alternative to the built-in CA server for automatic certificate provisioning.

Fill in the information and test the connection. You should get a successful response; then submit.


Helpful Verification Commands

• N/A


This concludes Lab 165 of iPexpert’s CCIE Wireless DSG, Section 6, Volume 1


Lab 166: Identity Management :: Detailed Solutions

Technologies Covered

• Internal users/groups
• External identity stores



iPexpert’s Recommended Reading Material


All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

• ISE Config Guide 1.3- Chapter 14


• Video Title: ISE- Identity Management- Local Users and Endpoints
• Video Title: ISE- Identity Management- Active Directory and LDAP
• Video Title: ISE- Identity Management- CA Profiles and ID Store Sequences

Topology Detail

This lab requires access to ISE and WIN7.


Diagram 166.1: Identity Management Topology

Lab 166 Setup

• Can this lab be practiced without completing a previous lab: NO
• If not, which lab(s) need to be completed first: Lab 165


Configuration Tasks :: Detailed Solutions

Internal Groups

1. Create the following internal user groups.

• Admins1
• Admins2
• Users1
• Users2
• Lobby
• Guest

Internal users are probably the most common credentials used in the lab. Adding users to groups makes
your rule writing much simpler.

As you see, we have a number of pre-configured groups that could be used for different things, but
you’ll probably want to create your own.


Repeat the process until all groups have been added.


2. Create the following Endpoint groups at the top level of the hierarchy.

• Employees
• BYOD

Endpoint groups are where MAC address entries are placed. Remember that a MAC address is trivially spoofed, so membership in an endpoint group identifies a device; it does not authenticate it.


Repeat for the other group.

Internal Users

3. Create the following users as shown in the table below.

Table 166.2

User Name   Password      Group
admin1      IPexpert123   Admins1
admin2      IPexpert123   Admins2
iseuser1    IPexpert123   Users1
iseuser2    IPexpert123   Users2
lobby       IPexpert123   Lobby
guest       guest         Guest


4. If users change their passwords, they should not be able to reuse any of their previous 5 passwords.

5. New passwords must differ from the previous password in at least 3 characters.

In order to create the guest user with the supplied credentials, we’ll need to tweak the password policy.
So let’s do all of those at the same time.

Now create the users.


Repeat until all of the users have been created.


6. Purge endpoints in the GuestEndpoints group after 60 days.

7. Do not automatically purge any other endpoints.


You could either delete this rule, or disable it. Either one gets the job done. Disabling is nice for the
ability to turn it back on later if you want, without having to recreate it.

Don’t forget to save your changes when done.

8. Create a new user attribute named CCIE_Num that is a type of Integer.

I don’t know if they’ll ever go this deep in the lab, but it’s kind of fun to play with.


9. Configure the iseuser1 user with a CCIE_Num of 24834.

Head back to the users list and edit iseuser1.


Evidently this makes iseuser1 me (that’s my CCIE number).

10. Configure the iseuser2 user with a CCIE_Num of 50000.

Do the same for the next user.


External ID Stores- AD

11. Add an active directory connection to ISE.

• Join point name= iPexpert-AD

• Domain= IPEXPERT.local

• User= administrator

• Password= IPexpert123

Joining ISE to AD requires a few different things to succeed. Two of the less obvious ones are that the
ISE and AD server clocks are in sync (think NTP) and that ISE can resolve the domain name (think DNS
server).


Hopefully this is what you get when it’s done.


At this point, you can validate credentials against AD.

12. Once added, call out the following AD groups in ISE.

• Domain Users

• Domain Computers

• adgroup1

• adgroup2

In a lab environment, with smaller numbers of groups in AD, this is probably the simplest method to
call out your groups. Be sure to call out any groups that you’d ever want to write rules against.


This will list every group in AD. Just find the ones that you want.


It should look like this when done.

13. Ensure that you are able to write AuthZ rules against which department the users are in (based on
their AD information).

• Use the user aduser1 to help you grab these attributes.

By default, you can write rules based on group membership. If you want to write rules based on other
AD data, call it out in the Attributes tab.


External ID Stores- LDAP

14. Add an LDAP server to the external identity sources using the information below.

• Name= WIN2012LDAP

• Schema= Custom

o Subject Objectclass= person

o Group Objectclass= group

o Subject Name Attribute= sAMAccountName

o Group Map Attribute= memberOf

o Subjects contain references to groups.

• Host= 10.10.210.8

• Use authenticated access

o Admin DN= “CN=Administrator,CN=Users,DC=IPEXPERT,DC=local” (without the quotes)

o Password= IPexpert123

• Subject Search Base= “CN=Users,DC=IPEXPERT,DC=local” (without the quotes)

• Group search Base= “CN=Users,DC=IPEXPERT,DC=local” (without the quotes)

While LDAP is technically possible, I’d hope that they’d prefer AD connections. But just in case, know
how to configure this.


If you want to test the config, go back to the Connections tab and do a test bind.

You should get some results. The numbers might be different, but they shouldn’t be zeros.


Be sure to save when you are done.

15. Once added, call out the following LDAP groups in ISE.

• Domain Users

• Domain Computers

• adgroup1

• adgroup2


This is the same drill as what we did with AD.


External ID Stores- Certificate Authentication Profiles

16. Create a new CA profile with the following settings.

• Name- CCIEW

• Use the common name of the client certificate to find the user name.

• Have ISE reach out to the WIN2012 AD server and perform a binary certificate
comparison between the client cert and the AD-stored cert for the client.


Normally you can use the pre-configured profile for everything. The only time you need a different
profile is if you want to look at a different part of the cert for the username or if you want to involve
AD or LDAP.


ID Store Sequences

17. Create a new ID store sequence with the following settings.

• Name= EVERYTHING

• Have it work for both certificate and user/password authentications.

• Reference the CCIEW CA profile for cert-based authentications.

• Have it search through user/password ID stores in the following order.

o Internal Users

o Internal Endpoints

o iPexpert-AD

o Guest Users

• If AD is unavailable for whatever reason, ISE should still proceed to check the Guest
Users ID store.

These can greatly simplify your authentication policies. They allow ISE to look in multiple locations for
user credential verification.


Helpful Verification Commands

• N/A

Technical Verification and Support

For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.

This concludes Lab 166 of iPexpert’s CCIE Wireless DSG, Section 6, Volume 1
Copyright© iPexpert. All Rights Reserved.


Lab 167: Network Devices :: Detailed Solutions

Technologies Covered

• Network Devices

Detailed Solution Guide

This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.


iPexpert’s Recommended Reading Material


All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

• ISE Config Guide 1.3- Chapter 9

iPexpert’s Recommended Video Training

iPexpert’s Video on Demand training library contains a wealth of videos pertaining to the CCIE
Wireless Lab exam. We recommend watching the following learning videos prior to completing
this lab scenario.

• Video Title: ISE- Network Devices

Topology Detail

This lab requires access to ISE and WIN7.


Diagram 167.1: Network Devices Topology

Lab 167 Setup

• Can this lab be practiced without completing a previous lab: NO

• If not, which lab(s) need to be completed first: Labs 165 - 166


Configuration Tasks :: Detailed Solutions

1. Configure the following locations for network devices under All Locations.

• HQ

• DMZ

• MO

2. Create the following sub-locations under HQ.

• Building 1

• Building 2

Network device groups make your rule writing easier. While they are often not required by the lab, I
use them as a standard matter of course.


Repeat this for the other 2 top level locations. It should look like this when you are done.

Next create the two buildings underneath the HQ location. Just click on the HQ location first, and then
choose to add.

When you finish adding them, it should look like this.


3. Create the following device types under All Device Types.

• WLC

• AP

4. Create the following device sub-types under WLC.

• AireOS

• IOS-XE

5. Create the following device sub-types under AP.

• AAP

• LAP

This is the same process as the locations. We’re just calling out device types.


Add the groups as specified. It should look like this when you are done.

6. Create the following network devices.

• WLC1

o IP= 10.10.111.10/32

o Location= Building1

o Device Type= AireOS

o Shared secret= ipexpert


o Enable Keywrap

▪ KEK= 1234567890123456

▪ MACK= 12345678901234567890

o Enable SNMP and use a v2c RO community of public.

Choose to add a new network device and fill in the info as requested.


• WLC4

o IP= 10.10.120.10/32

o Location= MO

o Device Type= AireOS

o Shared secret= ipexpert


• CAT3_4

o IP= 10.10.113.13/32 and 10.10.113.14/32

o Location= HQ

o Device Type= IOS-XE

o Shared secret= ipexpert


Here we are adding multiple devices under a single logical entry in ISE. This is totally fine with a couple
of caveats. First, you cannot easily apply different policies to the individual devices under the one logical
device. Second, you lose granularity in logging/reports if you ever wanted to view by network device.
Often for devices of the same type in the same location in the lab, this is perfectly acceptable.

• AAP1

o IP= 10.10.110.100/32

o Location= HQ

o Device Type= AAP

o Shared secret= ipexpert


• LAP5

o IP= 10.10.121.0/24

o Location= MO

o Device Type= LAP

o Shared secret= ipexpert


Since LAP5 uses DHCP to pull an IP (without a reservation), we can’t just specify its current IP, so we
specify its subnet.

7. If an auth comes into ISE that doesn’t match one of these network devices, ISE should still process
it as long as the device uses a shared secret of ipexpert.

This is an easy way to get auths from any device allowed in ISE. The major downside of using the default
network device is that it matches auths coming from anywhere and anything. So we don’t have the
ability to specify network device groups, which can complicate rule writing depending on our
requirements.

This is disabled by default, so you will need to enable it if you want to use it.


Helpful Verification Commands

• N/A

Technical Verification and Support

For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.

This concludes Lab 167 of iPexpert’s CCIE Wireless DSG, Section 6, Volume 1
Copyright© iPexpert. All Rights Reserved.


Lab 168: Authentication Policies :: Detailed Solutions

Technologies Covered

• AuthC rules
• Allowed Protocols

Detailed Solution Guide

This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.


iPexpert’s Recommended Reading Material


All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

• ISE Config Guide 1.3- Chapter 19

iPexpert’s Recommended Video Training

iPexpert’s Video on Demand training library contains a wealth of videos pertaining to the CCIE
Wireless Lab exam. We recommend watching the following learning videos prior to completing
this lab scenario.

• Video Title: ISE- Policy Sets

• Video Title: ISE- Authentication Policies

• Video Title: ISE- Authentication Verifications

Topology Detail

This lab requires access to ISE and WIN7.


Diagram 168.1: Authentication Policies Topology

Lab 168 Setup

• Can this lab be practiced without completing a previous lab: YES

• If so, which lab load should be used: ISE- Staged
• Can this lab be practiced without a fresh lab load by using the final config of the previous lab: YES


Configuration Tasks :: Detailed Solutions

Allowed Protocols

1. Edit the Default Network Access allowed protocols list as requested below.

• Unless specified, leave all default settings as is.

• Allow LEAP authentications.

• Allow ISE to authenticate expired client certificates for EAP-TLS.

• Allow CHAP.

In almost all instances, a single allowed protocols list is fine for the lab. Just make sure all needed
protocols are allowed.


2. Create a new allowed protocols list as requested below.

• Name= BYOD

• Only allow the protocols listed below.

o Host Lookups

o PAP/ASCII

o EAP-TLS

▪ Allow expired certificates

o PEAP with MS-CHAPv2


Authentication Conditions

3. Create a compound condition to match 802.1x authentications from autonomous APs as directed
below.

• Duplicate the Wireless_802.1X AuthC compound condition as a starting point.

• Name= AAP_802.1X


• Change the service type to match a value of Login instead of Framed.

This is under the Conditions category. Go to the Authentications > compound conditions and duplicate
the wireless 802.1x condition.

This will match the default service type used by autonomous APs.


4. Create a compound condition to match authentications on a BYOD WLAN from WLCs as directed
below.

• Name= BYOD

• Match on a RADIUS Called-Station-ID that ends with HQ-WPAEAP2-Pod# where # is your
rack #.

o For instance, if you are on rack 5, the called-station-ID should end with
HQ-WPAEAP2-Pod5.

Authentication Rules

5. Switch to a policy type of Simple in the Authentication Policy (Policy > Authentication).

• Select the Default Network Access allowed protocols list.


• Choose the EVERYTHING ID store sequence for the identity source.

• Change the behavior for when a user is not found to continue on to the authorization
phase.

• Save this config

Jump over to Authentications, choose Simple, and click OK on the warning.

This brings you to something like the default in ACS, where all authentications are subject to the same
policy. This was generally OK in ACS, but in ISE it might not be the best choice if you are doing any
Guest portals.


6. Switch back to a Rule-Based policy type.

My guess is that you’ll be using rule-based policies in the lab, since it’s the default. I’d be very
comfortable working with them.

7. Create a rule to be processed first as described below.

• Name= BYOD

• Match on authentications coming from WLCs on the BYOD WLAN (use the condition that
you created earlier).

• Use the BYOD allowed protocols list.

• Use the EVERYTHING ID store sequence.

Rules are processed like an ACL: top-down, and the first rule matched determines the result, so pay
attention to your order as you configure things.


Click the triangle at the end of the default rule and add a new rule above.

When creating the rule, in the If section, choose an existing compound condition to find the BYOD
condition that was created earlier.

8. Create a rule to be processed second as described below.

• Name= MAB

• Match on the pre-configured compound conditions of Wired_MAB or Wireless_MAB.

• Use the Default Network Access allowed protocols list.

• Use the Internal Endpoints ID store.

• If the user is not found, allow the authentication to move to the authorization phase.

As you define the If conditions, specify Wired MAB and then click the cog to the right and add a second
condition.


Be sure to specify an OR condition.

Specify the ID source and failure condition actions.

The reason we want to Continue if the MAC address is not found is primarily for Guest flows. Since
CWA uses MAB to interact with ISE, if it was Reject, new guests would always be rejected on their first
connection attempt.


9. Create a rule to be processed third as described below.

• Name= Dot1x

• Match on the pre-configured compound conditions of Wired_802.1X, Wireless_802.1X,
or AAP_802.1X.

• Use the Default Network Access allowed protocols list.

• Use the EVERYTHING ID store sequence.

10. Configure the default rules as described below.

• Use the Default Network Access allowed protocols list.

• Use the EVERYTHING ID store sequence.


Things should look like this when you are all done. Don’t forget to save!
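To see why rule order, the allowed-protocols list and the "user not found: Continue" setting each matter, here is a small model of the finished authentication policy. This is an added example, not part of the iPexpert guide: the built-in compound conditions are modeled on the ISE 1.3 defaults, the rack number (5), the identity store contents and the RADIUS attribute spellings are assumptions, and an unreachable iPexpert-AD is simulated to show the task 17 behaviour.

```python
"""Model of ISE rule-based authentication: top-down first match, an allowed
protocols check, then a walk through the rule's identity store sequence.
Added example, not from the guide; stores, rack number and attribute names are
constructed/assumed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

POD = 5                      # assumed rack number
WIRELESS = "Wireless - IEEE 802.11"
Request = Dict[str, str]     # one Access-Request: attribute name -> value


# Compound conditions, modeled on the ISE built-ins plus this lab's two additions
def wired_8021x(r: Request) -> bool:
    return r.get("Service-Type") == "Framed" and r.get("NAS-Port-Type") == "Ethernet"


def wireless_8021x(r: Request) -> bool:
    return r.get("Service-Type") == "Framed" and r.get("NAS-Port-Type") == WIRELESS


def wired_mab(r: Request) -> bool:
    return r.get("Service-Type") == "Call Check" and r.get("NAS-Port-Type") == "Ethernet"


def wireless_mab(r: Request) -> bool:
    return r.get("Service-Type") == "Call Check" and r.get("NAS-Port-Type") == WIRELESS


def aap_8021x(r: Request) -> bool:
    # Task 3: Wireless_802.1X duplicated, Service-Type Login instead of Framed
    return r.get("Service-Type") == "Login" and r.get("NAS-Port-Type") == WIRELESS


def byod(r: Request) -> bool:
    # Task 4: only the tail of Called-Station-ID (the SSID) is checked
    return r.get("Called-Station-ID", "").endswith(f"HQ-WPAEAP2-Pod{POD}")


# Allowed protocols lists from tasks 1 and 2 (protocol labels are this example's)
ALLOWED = {
    "Default Network Access": {"PAP_ASCII", "CHAP", "Host Lookup", "LEAP", "EAP-TLS",
                               "EAP-FAST", "PEAP(EAP-MSCHAPv2)"},
    "BYOD": {"Host Lookup", "PAP_ASCII", "EAP-TLS", "PEAP(EAP-MSCHAPv2)"},
}

# Constructed identity stores: name -> {identity: password}; None = unreachable
ID_STORES: Dict[str, Optional[Dict[str, str]]] = {
    "Internal Users": {"admin1": "IPexpert123", "iseuser1": "IPexpert123"},
    "Internal Endpoints": {"00:11:22:33:44:55": ""},
    "iPexpert-AD": None,             # AD down in this scenario (task 17)
    "Guest Users": {"guest": "guest"},
}
EVERYTHING = ["Internal Users", "Internal Endpoints", "iPexpert-AD", "Guest Users"]


@dataclass
class AuthRule:
    name: str
    condition: Callable[[Request], bool]
    allowed_protocols: str
    id_sources: List[str]
    user_not_found: str = "Reject"   # ISE options: Reject, Continue, Drop


# The policy built in tasks 7-10, in processing order
POLICY = [
    AuthRule("BYOD", byod, "BYOD", EVERYTHING),
    AuthRule("MAB", lambda r: wired_mab(r) or wireless_mab(r),
             "Default Network Access", ["Internal Endpoints"], "Continue"),
    AuthRule("Dot1x", lambda r: wired_8021x(r) or wireless_8021x(r) or aap_8021x(r),
             "Default Network Access", EVERYTHING),
    AuthRule("Default", lambda r: True, "Default Network Access", EVERYTHING),
]


def authenticate(r: Request, policy: List[AuthRule] = POLICY) -> Dict[str, str]:
    rule = next(x for x in policy if x.condition(r))   # first match wins, like an ACL
    out = {"rule": rule.name, "store": ""}
    if r["protocol"] not in ALLOWED[rule.allowed_protocols]:
        return {**out, "result": "Rejected", "reason": "protocol not allowed"}
    for store in rule.id_sources:
        users = ID_STORES[store]
        if users is None:            # unreachable store: sequence moves to the next one
            continue
        if r["username"] in users:   # found: password decides, no further stores tried
            ok = users[r["username"]] == r.get("password", "")
            return {**out, "store": store, "result": "Passed" if ok else "Rejected",
                    "reason": "" if ok else "wrong password"}
    if rule.user_not_found == "Continue":  # CWA: unknown MAC still reaches authZ
        return {**out, "result": "Continue", "reason": "user not found"}
    return {**out, "result": "Rejected", "reason": "user not found"}


if __name__ == "__main__":
    leap_on_byod = {"Service-Type": "Framed", "NAS-Port-Type": WIRELESS,
                    "Called-Station-ID": "00-1a-2b-3c-4d-5e:HQ-WPAEAP2-Pod5",
                    "protocol": "LEAP", "username": "iseuser1", "password": "IPexpert123"}
    print(authenticate(leap_on_byod))   # BYOD rule hit, but LEAP is not in its list
```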

Helpful Verification Commands

• N/A

Technical Verification and Support

For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.

This concludes Lab 168 of iPexpert’s CCIE Wireless DSG, Section 6, Volume 1
Copyright© iPexpert. All Rights Reserved.


Lab 169: Authorization :: Detailed Solutions

Technologies Covered

• AuthZ Policies

Detailed Solution Guide

This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.


iPexpert’s Recommended Reading Material


All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

• ISE Config Guide 1.3- Chapter 20

iPexpert’s Recommended Video Training

iPexpert’s Video on Demand training library contains a wealth of videos pertaining to the CCIE
Wireless Lab exam. We recommend watching the following learning videos prior to completing
this lab scenario.

• Video Title: ISE- Authorization Rules- Basics and the Exception Policy

• Video Title: ISE- Authorization Rules- Matching on Network Devices

• Video Title: ISE- Authorization Rules- Matching on Protocols

• Video Title: ISE- Authorization Rules- Matching on User/Device Information

• Video Title: ISE- Authorization Rules- Misc. and Rule Guidelines

Topology Detail

This lab requires access to ISE and WIN7.


Diagram 169.1: Authorization Topology

Lab 169 Setup

• Can this lab be practiced without completing a previous lab: YES

• If so, which lab load should be used: ISE- Staged
• Can this lab be practiced without a fresh lab load by using the final config of the previous lab: YES


Configuration Tasks :: Detailed Solutions

This lab focuses on being able to configure authorization (authZ) rules to match on specific conditions.
The results will pretty much always be a simple permit. As you test each of these rules, it is important
that you look at the auth logs and verify that you indeed matched on the expected rule, so you will be
building both your rule writing skills and your auth log reading skills at the same time.

As you look at the auth logs, be sure to pull out these key pieces of information.

• Which authC rule was matched

• Which AuthZ rule was matched

• Look for each piece of information that the associated authZ rule referenced in the log.

o For instance, if the rule matched on PEAP auths that came from a WLC in the
HQ, look for those 3 pieces of matching criteria (PEAP, WLC, HQ).

o When rules don’t match as expected, you want to be able to troubleshoot the
scenario, and reading auth logs is a critical part of that.

1. Rename and enable the SSIDs on WLC1 and AAP1 to reflect your rack number (i.e. –Pod5 for rack
5).

You can simply rename them on WLC1. On AAP1, take the running config, tweak it in notepad, then
remove/re-add the SSID.

(WLC1) >config wlan ssid 1 HQ-WPAEAP1-Pod1
SSID Updated successfully.
(WLC1) >config wlan ssid 2 HQ-WPAEAP2-Pod1
SSID Updated successfully.
(WLC1) >config wlan ssid 3 HQ-WPAPSK1-Pod1
SSID Updated successfully.
(WLC1) >config wlan ssid 6 Guest1-Pod1
SSID Updated successfully.
(WLC1) >config wlan enable 1
(WLC1) >config wlan enable 2
(WLC1) >config wlan enable 3
(WLC1) >config wlan enable 6


(WLC1) >show wlan sum

Number of WLANs.................................. 4

WLAN ID  WLAN Profile Name / SSID             Status    Interface Name  PMIPv6 Mobility
-------  -----------------------------------  --------  --------------  ---------------
1        HQ-WPAEAP1-PodX / HQ-WPAEAP1-Pod1    Enabled   vlan13          none
2        HQ-WPAEAP2-PodX / HQ-WPAEAP2-Pod1    Enabled   vlan14          none
3        HQ-WPAPSK1-PodX / HQ-WPAPSK1-Pod1    Enabled   vlan14          none
6        Guest1-PodX / Guest1-Pod1            Enabled   vlan11          none

AAP1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
AAP1(config)#no dot11 ssid AutoEAP-PodX
AAP1(config)#dot11 ssid AutoEAP-Pod1
AAP1(config-ssid)#vlan 12
AAP1(config-ssid)#authentication open mac-address eap_methods eap eap_methods
AAP1(config-ssid)#authentication key-management wpa version 2
AAP1(config-ssid)#mbssid guest-mode
AAP1(config-ssid)#no dot11 ssid AutoOpen-PodX
AAP1(config)#dot11 ssid AutoOpen-Pod1
AAP1(config-ssid)#vlan 11
AAP1(config-ssid)#authentication open mac-address eap_methods
AAP1(config-ssid)#mbssid guest-mode
AAP1(config-ssid)#int d0
AAP1(config-if)#ssid AutoEAP-Pod1
AAP1(config-if)#ssid AutoOpen-Pod1
AAP1(config-if)#int d1
AAP1(config-if)#ssid AutoEAP-Pod1
AAP1(config-if)#ssid AutoOpen-Pod1
AAP1(config-if)#end

AAP1#sho dot11 bss

Interface    BSSID           Guest  SSID
Dot11Radio0  80e0.1d61.8850  Yes    AutoEAP-Pod1
Dot11Radio0  80e0.1d61.8851  Yes    AutoOpen-Pod1
Dot11Radio1  80e0.1d61.57e0  Yes    AutoEAP-Pod1
Dot11Radio1  80e0.1d61.57e1  Yes    AutoOpen-Pod1


2. Install the AnyConnect profiles for your rack by running the appropriate batch file for your rack,
found under the AnyConnect Profiles folder.

Open the AnyConnect Profiles shortcut on the desktop and run the WB1-ISE batch file. The profiles
should install.

3. Ensure that the authZ policy uses a “first matched rule applies” policy model.

4. Delete the existing authZ rules.


First Rule Matched should be the default. It should look like this when you are done.

Match on the Network Device

The result of all rules should be a Permit. Rules should be ordered numerically (rule1 is above rule2,
which is above rule3, etc.).

5. Rule1- match on all authentications coming from the Medium Office.

Add a new rule above the default rule. Click the triangle on the right and add a new rule above.


Type in the rule name and choose your condition.

Match on the device type information for the next few rules.

Once you have the rule the way that you want it, click on Done.

6. Rule2- match on all authentications coming from an AireOS WLC.

7. Rule3- match on all authentications coming from a WLC in the HQ.

Here are rules 2-3. Pay attention to the rule 3 matching conditions.


8. Rule4- match on all authentications coming from 10.10.110.101.

You will find this under RADIUS > NAS IP Address.

9. Rule5- match on all authentications coming from a Network Device configured in ISE named AAP1.

This criterion is found under Network Access > NetworkDeviceName.


10. Rule6- match on all authentications coming from a device named WLC2 as called out in the RADIUS
communications.

This criterion is RADIUS > NAS Identifier.

Here are the completed 6 rules. Be sure to save before testing.

Test these rules as described below. The tests should match the referenced rule. It’s OK if you aren’t
able to actually login to the devices. We just need to generate an auth that will match a rule.

• Rule1- login to the WLC4 GUI using credentials admin1/IPexpert123

• Rule2- login to the WLC1 GUI using credentials admin1/IPexpert123

• Rule3- login to the CAT3 GUI using credentials admin1/IPexpert123

• Rule4- login to the AAP2 GUI using credentials admin1/IPexpert123


• Rule5- login to the AAP1 GUI using credentials admin1/IPexpert123

• Rule6- login to the WLC2 GUI using credentials admin1/IPexpert123

• Default- login to the WLC3 GUI using credentials admin1/IPexpert123

You’ll notice that the order of rules is important. For instance, WLC4 can match both rule1 and rule2,
but based on the ordering of the rules, it matches rule1.

Go ahead and test connections to each device. You should use HTTP access for the non-AireOS devices,
since the AAPs don’t have HTTPS enabled, and the IOS-XE devices don’t always work without some
tweaking.

After you’re done attempting to login to each device, go ahead and look at the logs to verify that each
auth hit the appropriate rule. I won’t show every log, but here is what to look for. First, get to the auth
logs.


Here we see the most recent auths on ISE, with the most recent on top. There is a good amount of
high-level info here. We can even see which rule was matched in the AuthZ policy on the right-hand
column in the image below.

But to look at the full log (which you MUST be familiar with interpreting), click on an individual log’s
Details link.

The Overview section has high-level info about the auth. This info is all available on the high-level list
where we were just looking, but we can see which AuthC and AuthZ rules were matched. This was my
WLC4 auth, which was supposed to match Rule1, so that’s a good sign.

Under the Authentication Details section, we get more good info. Here is some info on the user and
the AuthC process.


Here we see that the user in question was named admin1. It was found in the identity store named
“Internal Users” and it was in an internal group named Admins1. The protocol used for the
authentication was PAP_ASCII, which is typically indicative of a web authentication.

As we scroll down, we see more good info.


The Service Type can come into play with distinguishing between different methods of authentications.
Some of the pre-canned matching conditions will reference that field, so be aware of it.

Next we see information about the network device. In this part of the log, the network device name is
based on the Network Device configured on ISE. We have one configured called WLC4, which is what’s
referenced here. It’s important to know that this field is a reference to the network device in ISE and
not necessarily the actual name locally configured on the device. We also see the network device type
and location info as well as the IP address that the auth came from. Lastly, we see which AuthZ profile
was assigned. In this case, a simple Permit.

The next section (Other Attributes) will have a mixed bag of info depending on what happened with
the authentication.

In the above image, we can see what UDP port was used for the RADIUS communication. We can also
see all of the possible identity stores that could have been used to find the user credentials.

At the bottom, we have what seems to be redundant information from up above. That’s somewhat
true, except for the NAS Identifier. This is the name of the network device as reported to ISE by the
network device itself, so it should be the real name of the device as configured on the device.


So if you had some authentications that did not match your intended rules, this is where you need to
look. Look at the rule that you didn’t want to match (if it was above your intended rule), or the rule
that you intended to match (if you instead matched a rule below that one) and figure out what
happened. Compare the matching criteria of the rule in question to the data in the auth log and figure
out what went wrong.

Match on the Client Protocol

The result of all rules should be a Permit. Rules should be ordered numerically (rule1 is above rule2,
which is above rule3, etc.).

11. Delete the 6 rules that you created in the previous section and start from scratch.

12. Rule1- match on all authentications that use LEAP.

13. Rule2- match on all authentications that use EAP-FAST.

14. Rule3- match on all authentications that use PEAP.

15. Rule4- match on all authentications that use EAP-TLS.

Here are the first 4 rules to match on different EAP methods.

Basically, if the method has an inner/outer method, you’ll find it under EapTunnel. Otherwise, it’s under
EapAuthentication.

16. Rule5- match on all MAC filter lookups from a WLC.

17. Rule6- match on all MAC authentications from an AAP.

18. Rule7- match on all guest web authentications from a WLC.


The last three rules get a little more interesting.

AireOS WLCs send MAC filter authentications as Host Lookups. Hence, they will want to match an entry
in the Internal Endpoints database; it’s just a MAC check. The AAP MAC authentications unfortunately
come in as an actual username/password lookup using PAP_ASCII, but management authentications also
come in using PAP_ASCII, as you may have noticed in the previous section. So to be able to distinguish
between MAC auths and management auths, we also need to match on the NAS port type, which
defines whether it’s a wireless auth or a management auth.

Lastly, we also run into an issue distinguishing an AAP MAC auth from an AireOS WLC guest web auth.
They are both PAP_ASCII by default and use the same NAS Port type. They are virtually indistinguishable
when you look at the auth logs, so we need to additionally call out if the auths are coming from an
autonomous AP or an AireOS controller.

The easiest way to build your rules when you are unsure of what to match on is to just do some test
authentications. They’ll probably fail, but now you have an auth log to comb through to see what
interesting pieces of information are available to write rules against.
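To make the top-to-bottom, first-match behaviour of these seven rules concrete, here is an added example of my own (not code from the workbook or from ISE). It evaluates the rules against constructed auth records whose fields are modelled on what the ISE auth log shows (EapTunnel, EapAuthentication, UseCase, NAS-Port-Type, AuthenticationProtocol and a DeviceType standing in for the network device group); the field names and values are assumptions, not real captures. It also shows what happens to a PAP_ASCII management login when the NAS-Port-Type condition is left out, and gives an `explain()` helper that does the rule-versus-log comparison described above.

```python
"""First-match evaluation of ordered ISE-style authorization rules (added example).

Records and field names are constructed to resemble the attributes in the ISE auth log.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

AuthRecord = Dict[str, str]


@dataclass
class Rule:
    name: str
    conditions: Dict[str, str]   # every attribute listed must equal the given value
    result: str = "PermitAccess"

    def matches(self, rec: AuthRecord) -> bool:
        return all(rec.get(attr) == value for attr, value in self.conditions.items())


WIRELESS = "Wireless - IEEE 802.11"

# Rules 1-7 from the task list, in the order ISE evaluates them (top to bottom).
RULES: List[Rule] = [
    Rule("Rule1", {"EapAuthentication": "LEAP"}),
    Rule("Rule2", {"EapTunnel": "EAP-FAST"}),
    Rule("Rule3", {"EapTunnel": "PEAP"}),
    Rule("Rule4", {"EapAuthentication": "EAP-TLS"}),
    # WLC MAC filter: a host lookup against the internal endpoints store
    Rule("Rule5", {"UseCase": "Host Lookup", "DeviceType": "AireOS-WLC"}),
    # AAP MAC auth and WLC guest webauth are both PAP_ASCII on a wireless port;
    # the NAS-Port-Type keeps management logins out, the device type tells the two apart
    Rule("Rule6", {"AuthenticationProtocol": "PAP_ASCII", "NAS-Port-Type": WIRELESS,
                   "DeviceType": "AAP"}),
    Rule("Rule7", {"AuthenticationProtocol": "PAP_ASCII", "NAS-Port-Type": WIRELESS,
                   "DeviceType": "AireOS-WLC"}),
]


def evaluate(rules: List[Rule], rec: AuthRecord) -> str:
    """Return the name of the first rule whose conditions all hold, else 'Default'."""
    for rule in rules:
        if rule.matches(rec):
            return rule.name
    return "Default"


def explain(rule: Rule, rec: AuthRecord) -> Dict[str, Tuple[str, object]]:
    """Map each failing condition of `rule` to (expected, seen), for rule-vs-log comparison."""
    return {attr: (value, rec.get(attr))
            for attr, value in rule.conditions.items() if rec.get(attr) != value}


def without(rules: List[Rule], attr: str) -> List[Rule]:
    """Copy of `rules` with one condition attribute dropped everywhere (to show why it matters)."""
    return [Rule(r.name, {k: v for k, v in r.conditions.items() if k != attr}, r.result)
            for r in rules]


# Constructed records resembling the auth log fields for each test in the task.
RECORDS: Dict[str, AuthRecord] = {
    "leap": {"EapAuthentication": "LEAP", "NAS-Port-Type": WIRELESS, "DeviceType": "AireOS-WLC"},
    "eap-fast": {"EapTunnel": "EAP-FAST", "EapAuthentication": "EAP-MSCHAPv2",
                 "NAS-Port-Type": WIRELESS, "DeviceType": "AireOS-WLC"},
    "peap": {"EapTunnel": "PEAP", "EapAuthentication": "EAP-MSCHAPv2",
             "NAS-Port-Type": WIRELESS, "DeviceType": "AireOS-WLC"},
    "eap-tls": {"EapAuthentication": "EAP-TLS", "NAS-Port-Type": WIRELESS,
                "DeviceType": "AireOS-WLC"},
    "wlc-mac": {"UseCase": "Host Lookup", "AuthenticationProtocol": "Lookup",
                "NAS-Port-Type": WIRELESS, "DeviceType": "AireOS-WLC"},
    "aap-mac": {"AuthenticationProtocol": "PAP_ASCII", "NAS-Port-Type": WIRELESS,
                "DeviceType": "AAP"},
    "wlc-webauth": {"AuthenticationProtocol": "PAP_ASCII", "NAS-Port-Type": WIRELESS,
                    "DeviceType": "AireOS-WLC"},
    # a GUI login to the WLC: same protocol as webauth, but not on a wireless port
    "wlc-mgmt": {"AuthenticationProtocol": "PAP_ASCII", "NAS-Port-Type": "Virtual",
                 "DeviceType": "AireOS-WLC"},
}


if __name__ == "__main__":
    for label, rec in RECORDS.items():
        print(f"{label:12} -> {evaluate(RULES, rec)}")
    print("mgmt login with NAS-Port-Type condition removed ->",
          evaluate(without(RULES, "NAS-Port-Type"), RECORDS["wlc-mgmt"]))
```

Run it and the management login falls through to Default with the full rule set, but lands on Rule7 once the NAS-Port-Type condition is removed, which is exactly the mismatch you would chase down in the auth log.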

Test these rules as described below. The tests should match the referenced rule. It’s OK if you aren’t
able to actually log in to the devices. We just need to generate an auth that will match a rule.

• Rule1- Connect to the HQ-WPAEAP1-PodX WLAN using LEAP.

• Rule2- Connect to the HQ-WPAEAP1-PodX WLAN using EAP-FAST.

• Rule3- Connect to the HQ-WPAEAP1-PodX WLAN using PEAP.

• Rule4- Connect to the HQ-WPAEAP1-PodX WLAN using EAP-TLS.

• Rule5- Connect to the HQ-WPAPSK1-PodX WLAN.

• Rule6- Connect to the AutoOpen-PodX WLAN.

  o This will fail due to the missing user account. Use the info in the auth log and create
    a user account for this to pass.

• Rule7- Connect to the Guest1-PodX WLAN and attempt a webauth.

Here are the results of my initial run through the tests. Note the failure. That was my AutoOpen-Pod1
attempt.

Now I need to fix the AAP MAC filter issue. Go to the internal users ID store and add a new user. The
account is the MAC address, all lower case, with no delineators. The password is identical to the user
name.

Unfortunately, we have another issue (probably). My client tried to authenticate with an unknown user
name too many times and it tripped a filtering threshold that ISE has by default to prevent a
misconfigured client from eating up too many resources as it continually tries to reauthenticate. Here
is what to look for and how to get around it.


Look at the auth list for the most recent entry of the client auth. Click into the full auth log.

Notice the message about the endpoint conducting several failed authentications of the same type of
scenario. Right-click on the ball icon next to the endpoint MAC address and choose to bypass
suppression filtering for 1 hour.

Now retry the authentication and you should get some fresh attempts in the logs (hopefully successful
ones). Now my Rule6 is matching.


Match on User/Device Groups

The result of all rules should be a Permit. Rules should be ordered numerically (rule1 is above rule2,
which is above rule3, etc.).

19. Delete the 7 rules that you created in the previous section and start from scratch.

20. Rule1- match on all authentications where the user is in the internal group named Users1.

21. Rule2- match on all authentications where the user is in the AD group named Domain Users.

22. Rule3- match on all authentications where the device is in the internal endpoint group named
Profiled.

Here are the rules for these requirements.

As you build the rules, the left-hand condition box (below) is used to reference internal group
membership for either users or devices (endpoints).

So for rules 1 and 3, you can get away with only specifying those. AD groups need to be called out with
a normal condition.

Test these rules as described below. The tests should match the referenced rule. It’s OK if you aren’t
able to actually log in to the devices. We just need to generate an auth that will match a rule.

• Rule1- Connect to the HQ-WPAEAP1-PodX WLAN using PEAP with the iseuser1 user.

• Rule2- Connect to the HQ-WPAEAP1-PodX WLAN using PEAP with the aduser1 user.

• Rule3- Connect to the HQ-WPAEAP1-PodX WLAN using PEAP with the iseuser2 user.

• Rule3- Connect to the HQ-WPAPSK1-PodX WLAN.
Here are my results. I ended up doing the WPAPSK test before the iseuser2 test for rule 3.

This is a good illustration about matching on an internal endpoint group. Even when I was only doing a
user/password authentication and not doing a MAC lookup, the matching criteria still applied because
the wireless device was in an endpoint group.

Match on other User/Device Information

The result of all rules should be a Permit. Rules should be ordered numerically (rule1 is above rule2,
which is above rule3, etc.).

23. Delete the 3 rules that you created in the previous section and start from scratch.

24. Rule1- match on all EAP-TLS authentications where the client certificate has a SAN that ends in
@IPEXPERT.local as shown in the image below.


25. Rule2- match on all EAP-TLS authentications where the client certificate was signed by a CA named
IPEXPERT-SERVER2012-CA.

26. Rule3- match on all authentications where the credentials used a username of iseuser1.

27. Rule4- match on all authentications where the internal user has a CCIE number of at least 25000
(based on a custom internal user attribute).

You should be comfortable matching on information fields in client certificates. Fortunately, all of the
certificate info that you need is in the auth logs. So when in doubt, do a test auth and comb the logs.


Test these rules as described below. The tests should match the referenced rule. It’s OK if you aren’t
able to actually log in to the devices. We just need to generate an auth that will match a rule.

• Rule1- Connect to the HQ-WPAEAP1-PodX WLAN using EAP-TLS.

• Rule2- Disable rule1 and connect to the HQ-WPAEAP1-PodX WLAN using EAP-TLS.

• Rule3- Connect to the HQ-WPAEAP1-PodX WLAN using PEAP with the user named iseuser1.

• Rule4- Connect to the HQ-WPAEAP1-PodX WLAN using PEAP with the user named iseuser2.

Here are my results. There was one errant failure in there, but eventually everything authed against
the correct rules. I saved my testing of rule 2 until the end.

Other Matching Options

The result of all rules should be a Permit. Rules should be ordered numerically (rule1 is above rule2,
which is above rule3, etc.).

28. Delete the 4 rules that you created in the previous section and start from scratch.

29. Rule1- match on all authentications on the SSID HQ-WPAEAP1-Pod# (where # is your rack #).


30. Rule2- match on all authentications on SSIDs that begin with “HQ-“ (without the quotes).

31. Rule3- match on all authentications that happen during business hours (M-F 9 AM to 5 PM).

• You will need to create a date/time condition for this.

32. Rule4- match on all authentications that happen outside of business hours.

You can configure the date/time condition by going to Policy Elements > Conditions > Common > Time
and Date.


Then, create the rules as shown below.

Unfortunately, there doesn’t seem to be a way of just saying NOT in Business_Hours. So we’re left
with 2 choices: create multiple date/time conditions to call out the times outside of business hours
(which would be a pain), or just create a rule right below the one matching on Business_Hours with the
same conditions minus the date/time. That’s what I ended up doing.

Test these rules as described below. The tests should match the referenced rule. It’s OK if you aren’t
able to actually log in to the devices. We just need to generate an auth that will match a rule.

• Rule1- Connect to the HQ-WPAEAP1-PodX WLAN using PEAP.

• Rule2- Connect to the HQ-WPAPSK-PodX WLAN.

• Rule3 and rule4- Log in to the WLC1 GUI using admin1/IPexpert123 credentials. Depending
  on the day/time, it should match one of these rules. Remember that the date/time is based
  on the ISE server’s clock.


Here are my results. I’m testing this on a Saturday (because I’m dedicated to getting this workbook out
to you all ASAP), so I matched rule 4 instead of rule 3.

Helpful Verification Commands

• N/A

Technical Verification and Support

For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.

This concludes Lab 169 of iPexpert’s CCIE Wireless DSG, Section 6, Volume 1
Copyright© iPexpert. All Rights Reserved.

Lab 170: AAA Overrides :: Detailed Solutions

Technologies Covered

• AAA Overrides

Detailed Solution Guide

This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.


iPexpert’s Recommended Reading Material


All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

• ISE Config Guide 1.3- Chapter 20

iPexpert’s Recommended Video Training

iPexpert’s Video on Demand training library contains a wealth of videos pertaining to the CCIE
Wireless Lab exam. We recommend watching the following learning videos prior to completing
this lab scenario.

• Video Title: ISE- Authorization Profiles- Client AAA Overrides

Topology Detail

This lab requires access to ISE and WIN7.


Diagram 170.1: AAA Overrides Topology

Lab 170 Setup

• Can this lab be practiced without completing a previous lab: YES

• If so, which lab load should be used: ISE- Staged

• Can this lab be practiced without a fresh lab load by using the final config of the previous lab: YES


Configuration Tasks :: Detailed Solutions

1. Rename and enable the WLAN on CAT3 to reflect your rack number (e.g. -Pod5 for rack 5).

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#no wlan HQ-CATEAP1-PodX 1 HQ-CATEAP1-PodX
CAT3(config)#wlan HQ-CATEAP1-Pod1 1 HQ-CATEAP1-Pod1
CAT3(config-wlan)#aaa-override
CAT3(config-wlan)#client vlan 13
CAT3(config-wlan)#security dot1x authentication-list ISE
CAT3(config-wlan)#no shutdown
CAT3(config-wlan)#end

Create the following Authorization Profiles in ISE. The format below is NAME – ACTION.

2. VLAN15- assign users to VLAN 15 using the VLAN common task.

Head over to Policy Elements > Results.


Then AuthZ > AuthZ Profiles.

Use the Common Task to make life much simpler.


You can see at the bottom what it does.

3. INTERFACE14- assign users to the vlan14 interface on AireOS WLCs using an Airespace attribute.

For this one, we need to manually create our entry. It’s under the Airespace category.

4. CLIENTACL- assign an ACL named CLIENTACL to the client session on AireOS WLCs.

We find this under the Airespace category as well. We also have a common task for it.


5. TIMEOUT- assign a session timeout of 5 minutes.


6. PLATINUM- assign the client to the platinum QoS profile.

7. NOPING- assign a DACL with 2 rules to clients on IOS-XE WLCs.

• Rule 1- deny all ICMP

• Rule 2- allow everything

First we create the DACL.


This one can be accomplished in just 2 lines. When you are done, use the “check DACL syntax” option
to make sure that you didn’t make any syntax mistakes.

Now create the AuthZ profile.


Create the following authorization rules in ISE. We assign multiple AuthZ profiles at a time to reduce
the number of rules to build and test.

8. Rule1- if coming from an AireOS WLC and a user in Users1, then assign the VLAN15, TIMEOUT, and
PLATINUM authZ profiles.

9. Rule2- if coming from an AireOS WLC and a user in Users2, then assign the INTERFACE14 and
CLIENTACL authZ profiles.

10. Rule3- if coming from an IOS-XE WLC, then assign the VLAN15 and NOPING authZ profiles.

11. Rule4- if coming from an AAP, then assign the VLAN15 authZ profile.

Here are the rules. It’s more typical to assign only a single AuthZ profile to a rule. I mainly stacked them
up for simplicity.
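On the wire, each of these AuthZ profiles is nothing more than a set of attributes in the RADIUS Access-Accept, and the client detail and access-session output in the tests below is what the WLC or switch does with them. The following is an added example of my own (not code from the workbook, ISE or Cisco) that builds the attribute sets for Rules 1 to 3 the way a RADIUS server would encode them and decodes them back into the override fields. The attribute numbers are the ones I know from RFC 2865/2868 and the Cisco and Airespace vendor dictionaries, not values taken from this page; the 300-second Session-Timeout is the 5-minute TIMEOUT profile, and the downloadable ACL reference is assumed to be sent as #ACSACL#-IP-NOPING-56104bd0, the name IOS displays with x in place of # in the access-session output.

```python
"""Encode/decode the RADIUS Access-Accept attributes behind the AuthZ profiles (added example).
Attribute and vendor numbers follow RFC 2865/2868 and the Cisco/Airespace dictionaries;
the attribute sets built below are constructed to mirror Rules 1-3 of this lab."""
import struct
from typing import Dict, List, Tuple

# Standard attributes (RFC 2865 / RFC 2868)
VENDOR_SPECIFIC, SESSION_TIMEOUT = 26, 27
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6
# Vendor-specific attributes: (vendor id, vendor type)
VENDOR_CISCO, CISCO_AV_PAIR = 9, 1
VENDOR_AIRESPACE = 14179
AIRESPACE_QOS_LEVEL, AIRESPACE_INTERFACE_NAME, AIRESPACE_ACL_NAME = 2, 5, 6
QOS_NAMES = {0: "Silver", 1: "Gold", 2: "Platinum", 3: "Bronze"}


def avp(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one attribute; the length covers the 2-byte header."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific (26) wrapper: 4-byte vendor id, then the vendor's own TLV."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return avp(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def tagged_int(tag: int, value: int) -> bytes:
    """RFC 2868 tagged integer: one tag byte followed by a 3-byte value."""
    return bytes([tag]) + struct.pack("!I", value)[1:]


def vlan_override(vlan: int) -> bytes:
    """The three standard attributes the VLAN common task produces (tag 1 on each)."""
    return (avp(TUNNEL_TYPE, tagged_int(1, TUNNEL_TYPE_VLAN))
            + avp(TUNNEL_MEDIUM_TYPE, tagged_int(1, TUNNEL_MEDIUM_802))
            + avp(TUNNEL_PRIVATE_GROUP_ID, bytes([1]) + str(vlan).encode()))


# Constructed attribute sets for Rules 1-3 of this lab
RULE1_ACCEPT = (vlan_override(15)                                                    # VLAN15
                + avp(SESSION_TIMEOUT, struct.pack("!I", 300))                      # TIMEOUT (5 min)
                + vsa(VENDOR_AIRESPACE, AIRESPACE_QOS_LEVEL, struct.pack("!I", 2)))  # PLATINUM
RULE2_ACCEPT = (vsa(VENDOR_AIRESPACE, AIRESPACE_INTERFACE_NAME, b"vlan14")          # INTERFACE14
                + vsa(VENDOR_AIRESPACE, AIRESPACE_ACL_NAME, b"CLIENTACL"))          # CLIENTACL
# NOPING: the switch is only told which DACL to download; IOS shows the name with x for #
RULE3_ACCEPT = (vlan_override(15)
                + vsa(VENDOR_CISCO, CISCO_AV_PAIR,
                      b"ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-NOPING-56104bd0"))


def parse_attrs(buf: bytes) -> List[Tuple[object, bytes]]:
    """Walk the TLVs, expanding VSAs into ((vendor, type), value); reject bad lengths."""
    out: List[Tuple[object, bytes]] = []
    i = 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated attribute header")
        attr_type, length = buf[i], buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError("bad attribute length")
        value = buf[i + 2:i + length]
        if attr_type == VENDOR_SPECIFIC:
            if len(value) < 6 or value[5] != len(value) - 4:
                raise ValueError("bad VSA length")
            out.append(((struct.unpack("!I", value[:4])[0], value[4]), value[6:]))
        else:
            out.append((attr_type, value))
        i += length
    return out


def is_well_formed(buf: bytes) -> bool:
    """True when every attribute and VSA length is consistent with the buffer."""
    try:
        parse_attrs(buf)
        return True
    except ValueError:
        return False


def overrides(buf: bytes) -> Dict[str, object]:
    """Translate decoded attributes into the override fields the WLC or switch applies."""
    result: Dict[str, object] = {}
    for key, value in parse_attrs(buf):
        if key == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a first byte of 0x00..0x1F is a tag, not part of the string
            result["vlan"] = (value[1:] if value and value[0] <= 0x1F else value).decode()
        elif key == SESSION_TIMEOUT:
            result["session_timeout"] = struct.unpack("!I", value)[0]
        elif key == (VENDOR_AIRESPACE, AIRESPACE_QOS_LEVEL):
            result["qos"] = QOS_NAMES[struct.unpack("!I", value)[0]]
        elif key == (VENDOR_AIRESPACE, AIRESPACE_INTERFACE_NAME):
            result["interface"] = value.decode()
        elif key == (VENDOR_AIRESPACE, AIRESPACE_ACL_NAME):
            result["acl"] = value.decode()
        elif key == (VENDOR_CISCO, CISCO_AV_PAIR):
            name, _, val = value.decode().partition("=")
            if name == "ACS:CiscoSecure-Defined-ACL":
                result["dacl"] = val
    return result
```

Decoding RULE1_ACCEPT gives VLAN 15, a 300-second session timeout and Platinum QoS, which is what the show client detail output for iseuser1 reflects; RULE2_ACCEPT carries only the Airespace interface and ACL names, so the client keeps the WLAN's default QoS level (Silver in the output) and its VLAN comes from the vlan14 interface rather than a Tunnel attribute. The length checks in parse_attrs are the part worth copying into anything that handles RADIUS for real: a bad length byte must be rejected, not used as a slice bound.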

Test these authZ profiles using the methods below. Verify the results of the overrides by looking at the
client sessions and doing appropriate tests.

• Rule1- connect to HQ-WPAEAP1-Pod# using PEAP with the user named iseuser1.

I connected and pulled a VLAN 15 IP address. Let’s look at the other items.


The output of this command has been trimmed to the lines that matter here.

(WLC1) >show client detail c8:d7:19:c0:05:90


Client MAC Address............................... c8:d7:19:c0:05:90
Client Username ................................. iseuser1
Wireless LAN Network Name (SSID)................. HQ-WPAEAP1-Pod1
Wireless LAN Profile Name........................ HQ-WPAEAP1-PodX
IP Address....................................... 10.10.15.9
IPv6 Address..................................... 2001:cc1e:0:15:9d93:1658:b0af:cd53
IPv6 Address..................................... 2001:cc1e:0:15:e0b3:cb74:bff3:d8ad
Re-Authentication Timeout........................ 256
QoS Level........................................ Platinum
Interface........................................ vlan15
VLAN............................................. 15

• Rule2- connect to HQ-WPAEAP1-Pod# using PEAP with the user named iseuser2.

Here I get placed on VLAN 14.


(WLC1) >show client detail c8:d7:19:c0:05:90


Client MAC Address............................... c8:d7:19:c0:05:90
Client Username ................................. iseuser2
Wireless LAN Network Name (SSID)................. HQ-WPAEAP1-Pod1
Wireless LAN Profile Name........................ HQ-WPAEAP1-PodX
IP Address....................................... 10.10.14.6
IPv6 Address..................................... fe80::9d93:1658:b0af:cd53
IPv6 Address..................................... 2001:cc1e:0:14:9d93:1658:b0af:cd53
IPv6 Address..................................... 2001:cc1e:0:14:c8bd:4a1b:f37:56ca
Re-Authentication Timeout........................ 1760
QoS Level........................................ Silver
IPv4 ACL Name.................................... CLIENTACL
Interface........................................ vlan14
VLAN............................................. 14

• Rule3- connect to HQ-CATEAP1-Pod#.


Here is the access-session info showing the ACL being applied.

CAT3#sho access-session mac c8d7.19c0.0590 details


Interface: Capwap2
IIF-ID: 0xF687400000002E
MAC Address: c8d7.19c0.0590
IPv6 Address: Unknown
IPv4 Address: 10.10.15.9
User-Name: iseuser1
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Common Session ID: 0a0a710d561046a500000020
Acct Session ID: Unknown
Handle: 0x70000017
Current Policy: (No Policy)

Server Policies:
ACS ACL: xACSACLx-IP-NOPING-56104bd0

Method status list:


Method State
dot1x Authc Success

CAT3#sho access-lists
[lines omitted]

Extended IP access list xACSACLx-IP-NOPING-56104bd0 (per-user)


1 deny icmp any any
2 permit ip any any

• Rule4- connect to AutoEAP-Pod#.

Helpful Verification Commands

• N/A

Technical Verification and Support

For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.

This concludes Lab 170 of iPexpert’s CCIE Wireless DSG, Section 6, Volume 1
Copyright© iPexpert. All Rights Reserved.

Lab 171: Management Authentications :: Detailed Solutions

Technologies Covered

• AireOS Management Authentications

• IOS Management Authentications

• PI Management Authentications

• ISE Management Authentications

Detailed Solution Guide

This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.


iPexpert’s Recommended Reading Material


All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

• N/A

iPexpert’s Recommended Video Training

iPexpert’s Video on Demand training library contains a wealth of videos pertaining to the CCIE
Wireless Lab exam. We recommend watching the following learning videos prior to completing
this lab scenario.

• Video Title: ISE- Authorization Profiles- Management

Topology Detail

This lab requires access to most of the devices in your rack.


Diagram 171.1: Management Authentications Topology

Lab 171 Setup

• Can this lab be practiced without completing a previous lab: YES

• If so, which lab load should be used: ISE- Staged

• Can this lab be practiced without a fresh lab load by using the final config of the previous lab: YES


Configuration Tasks :: Detailed Solutions

AireOS WLC Management

1. Configure an authorization profile named WLC-Admin that grants RW access to AireOS controllers.

We need to configure more AuthZ Profiles. Here are the needed settings for RW WLC access.

2. Configure an authorization profile named WLC-RO that grants RO access to AireOS controllers.

3. Configure an authorization profile named WLC-Lobby that grants Lobby access to AireOS controllers.


4. Configure an AuthZ rule so that users in the Admins1 group are given RW access to AireOS WLCs

5. Configure an AuthZ rule so that users in the Admins2 group are given RO access to AireOS WLCs.

6. Configure an AuthZ rule so that users in the Lobby group are given Lobby access to AireOS WLCs.

Here are the rules that I created for this. The matching criteria have some wiggle room.


Log in to WLC1 as each of the 3 users (admin1, admin2, and lobby). When I logged in as admin1, I could
make changes. When I logged in as admin2, I could not. Logging in as lobby, I get the lobby ambassador
interface as shown below.

IOS Device Management

7. Configure an authorization profile named IOS-Admin that grants RW access to IOS devices (AAPs or
CATs).


8. Configure an authorization profile named IOS-RO that grants RO access to IOS devices (AAPs or CATs).

9. Configure AuthZ rules so that users in the Admins1 group are given RW access to IOS devices.

10. Configure AuthZ rules so that users in the Admins2 group are given RO access to IOS devices.


Since we want to test both RO and RW, telnet is probably the simplest method to demonstrate. RW
access drops the user right into Priv Exec mode whereas RO access drops the user into User Exec mode.

CAT2#telnet 10.10.113.13
Trying 10.10.113.13 ... Open

User Access Verification

Username: admin1
Password: IPexpert123

CAT3#exit

[Connection to 10.10.113.13 closed by foreign host]


CAT2#telnet 10.10.113.13
Trying 10.10.113.13 ... Open

User Access Verification

Username: admin2
Password: IPexpert123

CAT3>exit

CAT2#telnet 10.10.110.100
Trying 10.10.110.100 ... Open

User Access Verification

Username: admin1


Password: IPexpert123

AAP1#exit

[Connection to 10.10.110.100 closed by foreign host]


CAT2#telnet 10.10.110.100
Trying 10.10.110.100 ... Open

User Access Verification

Username: admin2
Password: IPexpert123

AAP1>exit

PI Management

11. Add PI as a network device to ISE as a device type of PI.


12. Configure an authorization profile named PI-Lobby that grants Lobby Ambassador access to the
ROOT-DOMAIN on the PI server.

Log in to the PI server and go to the user groups. Grab the task list info for the Lobby Ambassador group
and then for the virtual domain. You normally need these entries.

But if you look at the note on the user group page, you see this.


So let’s try skipping the tasks and just specify the Virtual Domain and the Role.

13. Configure an AuthZ rule so that users in the Lobby group are given Lobby Ambassador access to
the PI server.

14. Configure PI to use ISE for management authentications and test access.

Add ISE as a RADIUS server in PI.


Then enable RADIUS management auths.


Log out and log in as the lobby user.

Hooray for not needing to add every single task individually in the AuthZ profile!!!

ISE Management

15. Configure ISE to allow management authentications using both internal and AD users.


16. Configure the Super Admin group to allow both local users as well as AD users in the Domain
Admins group to gain the associated rights.

In order to reference the Administrators group, we need to call it out in the Identity Store.


Now go back to the Admin access and edit the Super Admins group.


Save the settings, then log in as administrator.

And the login worked!


Testing

Log in to the GUIs or telnet/SSH to the IOS devices and test your configurations with the users below as
appropriate.

• admin1/IPexpert123 is in the admins1 group

• admin2/IPexpert123 is in the admins2 group

• lobby/IPexpert123 is in the Lobby group

• administrator/IPexpert123 is in the Administrators AD group

Helpful Verification Commands

• N/A

Technical Verification and Support

For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.

This concludes Lab 171 of iPexpert’s CCIE Wireless DSG, Section 6, Volume 1
Copyright© iPexpert. All Rights Reserved.

Lab 172: Client Profiling :: Detailed Solutions

Technologies Covered

• Client Profiling

Detailed Solution Guide

This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.


iPexpert’s Recommended Reading Material


All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

• ISE Config Guide 1.3- Chapter 21

iPexpert’s Recommended Video Training

iPexpert’s Video on Demand training library contains a wealth of videos pertaining to the CCIE
Wireless Lab exam. We recommend watching the following learning videos prior to completing
this lab scenario.

• Video Title: ISE- Client Profiling

Topology Detail

This lab requires access to ISE and WIN7.


Diagram 172.1: Client Profiling Topology

Lab 172 Setup

• Can this lab be practiced without completing a previous lab: YES

• If so, which lab load should be used: ISE- Staged

• Can this lab be practiced without a fresh lab load by using the final config of the previous lab: YES


Configuration Tasks :: Detailed Solutions

1. In addition to the default profile data collecting methods, enable HTTP profiling on ISE.


Now the ISE server can use browser user-agent information to help identify what devices are. This is a
handy one for differentiating between similar types of devices.

2. Allow ISE to send a Reauth CoA action in response to profiling.

When ISE profiles something and assigns it to a new profile group, there is the option of forcing the
client to reauth. For instance, maybe you have a vendetta against iPads and none should be allowed
on your network, but other Apple devices are OK. So once ISE realizes that something is an iPad, it can
force a reauth, which would then hit a rule that blocks the iPad from the network. Otherwise, you’d
have to wait until the next natural auth for this to happen.


3. Ensure that ISE uses an SNMP string of public when doing SNMP checks with NMAP scans.

4. Clients should never be identified as BlackBerry devices.


5. If clients are identified as Apple iPhones or Apple iPads, they should be placed into an endpoint
group named Apple-iPhone or Apple-iPad respectively. These groups should be directly under the
Profiled endpoint group.

Repeat this for the Apple-iPad profile.


Now look at the endpoint groups that were created.

When dealing with endpoint groups in combination with profiling, pay close attention to the hierarchy.
The iPad and iPhone profiles sit under the Apple-Device parent policy. If the Apple-Device profile had
the option to create an identity group enabled, the iPad and iPhone groups would have been created
underneath the Apple-Device group in the endpoint group list. Since that wasn’t the case, ISE walked up
the parent policy list until it either ran out of parent policies or found one that did have a group
created. Here there were none, so the groups were placed directly under Profiled in the hierarchy.

6. Configure the Microsoft-Workstation profile as follows.

• Have it run an NMAP Common Ports and OS scan if the device matches the WinPlatform condition.
• Also, do not have ISE perform a CoA event when a device is classified as a Microsoft-Workstation.


The list of profiles is long and it can be a pain scrolling to find what you want. If you know the name (or
part of it), use the filtering option as shown below to make life easier.

In order to take an NMAP action, you need a rule that says to perform an NMAP action, so add the rule
as shown above (don’t remove/modify the existing rules).

7. Alter the Apple-iPod profile so that BOTH of the default configured conditions must be a match for
a device to be profiled as an iPod.

• Do not change the Minimum Certainty Factor.

A device can be profiled once it meets the minimum certainty score for a particular profile. By default,
the profile has a minimum score of 20, and both rules increase the score by 20. So if either rule is
matched, the device can be profiled as an iPod. Since we were not allowed to alter the minimum score,
we need to alter the rules.


You can have the rules add almost any score you want, as long as each one is less than 20 and the two
together add up to at least 20. I’ll set them to 10 and 10.

8. Connect your WIN7 client to the HQ-WPAEAP1-PodX WLAN and see how it is profiled.

• Tweak any AuthZ rules or other settings to allow your client to connect successfully.
• Look at the details of the endpoint to see what info ISE knows about it.


Looks like it’s just profiled as a Cisco-Device right now. Let’s look at the endpoint details.

Find the endpoint with the matching MAC address of your client and click into it.


That’s a lot of information, but practically all of it was gathered through the RADIUS probe. Let’s
gather some more profiling data and see if the client can be identified more accurately.

9. Configure the HQ-WPAEAP1-PodX WLAN on WLC1 to send DHCP profiling information to ISE. Then,
connect to the WLAN again and see if there is any profiling change to your client.

Based on the current config of the WLAN, we need to do a couple of things for DHCP profiling. Add ISE
as an accounting server, require DHCP on the WLAN, and enable the DHCP RADIUS profiling.

(WLC1) >config radius acct add 1 10.10.210.5 1813 ascii ipexpert
(WLC1) >config wlan disable 1
(WLC1) >config wlan radius_server acct add 1 1
(WLC1) >config wlan dhcp_server 1 0.0.0.0 required
(WLC1) >config wlan profiling radius dhcp enable 1
DHCP Profiling successfully enabled.
(WLC1) >config wlan enable 1


If you look at the auth logs, there is a good sign: evidence of the client being assigned to a new
profile.

Here is our device in the endpoint list showing the new profile of Microsoft-Workstation.


Look at the client info and scroll down to find some new DHCP profiler info.

10. Next, enable HTTP profiling on the same WLAN. Have the client connect and go to
https://10.10.120.10, then look for more profiling info in the endpoint details.

• Next try going to http://10.10.113.13, then look at the profiling info in the endpoint.

If you are relying on the WLC for HTTP profiling, the session needs to be HTTP, not HTTPS. HTTPS is
encrypted end-to-end between the client and the web server, so the WLC cannot inspect the User-Agent
header; plain HTTP works just fine.

Here is the captured browser user agent info after the HTTP session.


In this case, I used Firefox. The web User-Agent is typically a great way to distinguish between different
types of similar devices, or even different versions of the same type of device (e.g. Windows 7 vs
Windows 10).

11. Create a new policy named CCIEW.

• Your WIN7 client should match this policy based on matching its MAC address.
• Ensure that your WIN7 client doesn’t get profiled as any of the other default ISE profiles.
• Have the policy create a matching ID group for it.

Head over to the profiles again and choose to add a new one.

This is an unlikely profile to create in practice (matching on a single MAC address). You can match on
almost anything, but the key requirement here is that the device must not be profiled as one of the
other DEFAULT profiles. I believe all of the default profiles have fairly low minimum certainty scores;
I don’t know of any that get above 200, so if you make your minimum certainty score 1000 or more, the
client will always land in this one. If a single endpoint meets the minimum certainty score of multiple
profiles, it is placed in the one where it has the highest score.
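To make the scoring logic behind tasks 7 and 11 concrete, here is an added example (not from the iPexpert guide or Cisco ISE code) that models certainty-factor scoring in Python: each matching rule adds its certainty, a profile is a candidate once its total reaches its minimum, and the highest total wins. The profile and attribute names, the rule definitions and the MAC address are constructed, and the parent/child policy hierarchy is not modelled.

```python
"""Added example, not from the iPexpert guide or Cisco ISE: a small model of how
ISE profiler policies score an endpoint with certainty factors, used to check the
two tuning decisions in this lab (iPod rules at 10+10 instead of 20+20, and a
CCIEW policy with a minimum certainty of 1000).  All profile and attribute names
are constructed; the parent/child policy hierarchy is not modelled.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Endpoint = Dict[str, str]  # attribute -> value, as gathered by the profiler probes
Condition = Callable[[Endpoint], bool]


@dataclass
class Rule:
    name: str
    condition: Condition
    certainty: int  # added to the profile's total when the condition matches


@dataclass
class Profile:
    name: str
    min_certainty: int
    rules: List[Rule] = field(default_factory=list)

    def score(self, ep: Endpoint) -> int:
        return sum(r.certainty for r in self.rules if r.condition(ep))


def attr_equals(attr: str, value: str) -> Condition:
    return lambda ep: ep.get(attr, "").lower() == value.lower()


def attr_contains(attr: str, needle: str) -> Condition:
    return lambda ep: needle.lower() in ep.get(attr, "").lower()


def apple_device_profile() -> Profile:
    # Constructed stand-in for the Apple-Device parent policy (OUI based).
    return Profile("Apple-Device", 10, [Rule("oui", attr_contains("OUI", "Apple"), 10)])


def ipod_profile(rule_certainty: int) -> Profile:
    # Two constructed rules standing in for the iPod profile's default conditions.
    # The minimum certainty stays at 20, as task 7 forbids changing it.
    return Profile("Apple-iPod", 20, [
        Rule("dhcp-host-name", attr_contains("host-name", "iPod"), rule_certainty),
        Rule("user-agent", attr_contains("User-Agent", "iPod"), rule_certainty),
    ])


def ccie_profile(mac: str) -> Profile:
    # Task 11: match one MAC with a minimum certainty far above any default profile.
    return Profile("CCIEW", 1000, [Rule("mac", attr_equals("MACAddress", mac), 1000)])


def scores(ep: Endpoint, profiles: List[Profile]) -> Dict[str, int]:
    """Total certainty per profile, whether or not the minimum is reached."""
    return {p.name: p.score(ep) for p in profiles}


def best_profile(ep: Endpoint, profiles: List[Profile]) -> Optional[str]:
    """Profiles whose total reaches their minimum are candidates; the highest total wins."""
    candidates = [(p.score(ep), p.name) for p in profiles if p.score(ep) >= p.min_certainty]
    return max(candidates)[1] if candidates else None


def classify(ep: Endpoint, ipod_rule_certainty: int = 20,
             ccie_mac: str = "00:11:22:33:44:55") -> Optional[str]:
    """Classify one endpoint against the three constructed profiles."""
    profiles = [apple_device_profile(), ipod_profile(ipod_rule_certainty), ccie_profile(ccie_mac)]
    return best_profile(ep, profiles)


if __name__ == "__main__":
    # Constructed endpoints: an iPod seen only via DHCP, the same iPod also seen via HTTP,
    # and the WIN7 client using the (constructed) MAC that the CCIEW policy matches.
    ipod_dhcp = {"MACAddress": "aa:bb:cc:dd:ee:01", "OUI": "Apple, Inc.", "host-name": "Jans-iPod"}
    ipod_both = dict(ipod_dhcp, **{"User-Agent": "Mozilla/5.0 (iPod; CPU iPhone OS 9_0 like Mac OS X)"})
    win7 = {"MACAddress": "00:11:22:33:44:55", "OUI": "Intel Corporate",
            "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0"}
    for cf in (20, 10):
        print(f"iPod rules at {cf} each: DHCP only -> {classify(ipod_dhcp, cf)}, "
              f"DHCP+HTTP -> {classify(ipod_both, cf)}")
    print("WIN7 client ->", classify(win7))
```

With the rules at 20 each, a single matching probe is enough for Apple-iPod; at 10 each, a DHCP-only sighting drops back to the parent Apple-Device score and both probes are needed.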


12. Force your WIN7 client to reauthenticate to HQ-WPAEAP1-PodX. It should be re-profiled as your
new CCIEW device.


Here we see the endpoint group with our client in it.

13. Write an authZ rule that places CCIEW devices onto VLAN 15 and test it on the HQ-WPAEAP1-PodX
WLAN.

Here is a rule I placed at the top of the AuthZ policy list.

And the subsequent auth result.


Helpful Verification Commands

• N/A

Technical Verification and Support

For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.

This concludes Lab 172 of iPexpert’s CCIE Wireless DSG, Section 6, Volume 1
Copyright© iPexpert. All Rights Reserved.


Lab 173: Guest - AUP :: Detailed Solutions

Technologies Covered

• Guest access with an AUP

Detailed Solution Guide

This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.


iPexpert’s Recommended Reading Material


All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

• ISE Config Guide 1.3 - Chapter 15

iPexpert’s Recommended Video Training

iPexpert’s Video on Demand training library contains a wealth of videos pertaining to the CCIE
Wireless Lab exam. We recommend watching the following learning videos prior to completing
this lab scenario.

• Video Title: ISE - Guest Portals - HotSpot

Topology Detail

This lab requires access to ISE and WIN7.


Diagram 173.1: Guest - AUP Topology

Lab 173 Setup

• Can this lab be practiced without completing a previous lab: YES
• If so, which lab load should be used: ISE - Staged
• Can this lab be practiced without a fresh lab load by using the final config of the previous lab: YES


Configuration Tasks :: Detailed Solutions

1. Configure a Guest - Hotspot portal as described below.

• Portal Name= CCIEW Hotspot
• Use the CA-signed certificate for this portal.
• Endpoints using this portal should be placed in the GuestEndpoints identity group.
• Require an access code of CCIEW.
• Change the AUP to read “Be nice, or we’ll rate limit you down to dial-up speeds!”
• After entering the code and accepting the AUP, clients should be sent to HTTPS://pi.ipexpert.local/.

You could create things more from scratch, but we have pre-configured portals for each of the major
CWA types. Let’s just use these as a starting point. I’ll duplicate the hotspot portal.

Click into the newly created portal and edit it as shown below.


The Certificate Group Tag controls which server certificate will be used. We want the CA-signed cert,
which is in the group named CCIEW.


Head back to the top and switch to the Portal Page Customization.

Be sure you are editing the AUP page.

Scroll down and replace the AUP text.


Refresh the preview on the right to see what it will look like. This is what you want to see.

Once done, scroll to the top and Save.


2. Create an AuthZ rule that will engage this hotspot portal when users connect to the Guest2-PodX
WLAN on a WLC.

• Use an ACL named CWA in your AuthZ Profile.

To create the rule, we need to first create an AuthZ Profile. Let’s do that.

Give it a name and configure a Web Redirection common task as shown below.

Then create your AuthZ rule to match the initial auth coming from the Guest2-PodX WLAN (which will
be a plain MAB request).


So I matched on the auth coming from the Guest2-Pod1 WLAN and being a MAC lookup.

3. Create a 2nd AuthZ rule to permit the clients who complete the AUP acceptance.

Here I’m matching on the SSID again, and also on the auth being a part of the Guest flow.

4. Ensure that WLC1 and CAT3 are configured for this to work.

• Create a new SSID on each of them named Guest2-PodX (where X is your rack number).
  o This should support a CWA setup (no tunneling).
  o Place clients on VLAN 11.
• Configure a Pre-Auth ACL named CWA to support this.

The WLAN should be an open SSID with MAC filtering enabled. Specify ISE as the RADIUS server and be
sure to enable AAA override and RADIUS NAC.

(WLC1) >config wlan create 7 Guest2-Pod1
(WLC1) >config wlan security wpa disable 7
(WLC1) >config wlan mac-filtering enable 7
(WLC1) >config wlan interface 7 vlan11
(WLC1) >config wlan radius_server auth add 7 1
(WLC1) >config wlan radius_server acct add 7 1
(WLC1) >config wlan aaa-override enable 7
(WLC1) >config wlan nac radius enable 7
(WLC1) >config wlan enable 7

CAT3#config t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wlan Guest2-Pod1 7
CAT3(config-wlan)#no security wpa
CAT3(config-wlan)#mac-filtering ISE
CAT3(config-wlan)#accounting-list ISE
CAT3(config-wlan)#aaa-override
CAT3(config-wlan)#nac
CAT3(config-wlan)#client vlan 11
CAT3(config-wlan)#no shut

Next we need the Pre-Auth ACL named CWA to go along with the AuthZ profile that was created. Here
is what the ACL should look like on WLC1.

DHCP always works because it uses broadcasts, so we only need to allow DNS and access to the ISE
portal. I was fairly specific with DNS, allowing only 10.10.210.8, and also fairly specific with the ISE
communication, limiting it to just port 8443. You could be looser with your rules; just pay attention to
any requirements.

Here is the ACL on CAT3. On IOS-XE this ACL specifies what triggers a redirect, so the logic is inverted:
we deny DHCP/DNS/ISE traffic (those should not trigger the redirect) and permit everything else, which
is what gets redirected.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#ip access-list extended CWA
CAT3(config-ext-nacl)#deny udp any any eq 67
CAT3(config-ext-nacl)#deny udp any any eq 68
CAT3(config-ext-nacl)#deny udp any host 10.10.210.8 eq domain
CAT3(config-ext-nacl)#deny tcp any host 10.10.210.5 eq 8443
CAT3(config-ext-nacl)#permit ip any any
CAT3(config-ext-nacl)#end
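As an added example (not code from the guide or from Cisco), the following Python evaluator applies the CAT3 redirect ACL above and a reconstruction of the WLC1 pre-auth ACL described earlier to a few constructed flows, to show the inverted permit/deny semantics and which traffic ends up redirected on each platform. The WLC1 entries, the client address and the "other resolver" address are assumptions.

```python
"""Added example, not from the iPexpert guide or Cisco code: a first-match ACL
evaluator for comparing the two CWA ACLs in this lab.  On the AireOS WLC the
pre-auth ACL lists what is allowed through without redirection (permit = pass),
while on the IOS-XE switch the redirect ACL lists what gets redirected
(permit = redirect, deny = pass).  The CAT3 entries are the ones configured
above; the WLC1 entries are reconstructed from the description (an assumption).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "any"
ISE = "10.10.210.5"   # ISE node, portal on TCP 8443 (from the lab)
DNS = "10.10.210.8"   # DNS server used in the lab


@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol
    src: str
    dst: str
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, f: Flow) -> bool:
        return (self.proto in ("ip", f.proto)
                and self.src in (ANY, f.src)
                and self.dst in (ANY, f.dst)
                and self.dport in (None, f.dport))


def evaluate(acl: List[Ace], f: Flow) -> str:
    """First matching entry decides; every ACL ends in an implicit deny."""
    for ace in acl:
        if ace.matches(f):
            return ace.action
    return "deny"


# CAT3 (IOS-XE) redirect ACL, exactly as configured above.
CAT3_CWA = [
    Ace("deny", "udp", ANY, ANY, 67),
    Ace("deny", "udp", ANY, ANY, 68),
    Ace("deny", "udp", ANY, DNS, 53),
    Ace("deny", "tcp", ANY, ISE, 8443),
    Ace("permit", "ip", ANY, ANY),
]

# WLC1 (AireOS) pre-auth ACL as described in the text (assumption: the exact entries
# were not shown).  Only the client-to-server direction is modelled here.
WLC1_CWA = [
    Ace("permit", "udp", ANY, DNS, 53),
    Ace("permit", "tcp", ANY, ISE, 8443),
]


def redirected_on_cat3(f: Flow) -> bool:
    # In a redirect ACL a permit means "this traffic goes to the portal".
    return evaluate(CAT3_CWA, f) == "permit"


def redirected_on_wlc1(f: Flow) -> bool:
    # In a pre-auth ACL a permit means "let it through".  DHCP is allowed by the WLC
    # regardless of the ACL; anything else not permitted is held for redirect/drop.
    if f.proto == "udp" and f.dport in (67, 68):
        return False
    return evaluate(WLC1_CWA, f) != "permit"


def compare(flows: List[Tuple[str, Flow]]) -> List[Tuple[str, bool, bool]]:
    """(label, redirected on WLC1, redirected on CAT3) for each flow."""
    return [(label, redirected_on_wlc1(f), redirected_on_cat3(f)) for label, f in flows]


# Constructed flows from a pre-auth client (10.10.11.50 is an assumed VLAN 11 address;
# 192.0.2.53 stands in for some other resolver a client might have hard-coded).
SAMPLE_FLOWS = [
    ("dhcp discover", Flow("udp", "0.0.0.0", "255.255.255.255", 67)),
    ("dns to lab server", Flow("udp", "10.10.11.50", DNS, 53)),
    ("dns to other resolver", Flow("udp", "10.10.11.50", "192.0.2.53", 53)),
    ("http to 1.2.3.4", Flow("tcp", "10.10.11.50", "1.2.3.4", 80)),
    ("ise portal", Flow("tcp", "10.10.11.50", ISE, 8443)),
    ("https to 10.10.113.13", Flow("tcp", "10.10.11.50", "10.10.113.13", 443)),
]

if __name__ == "__main__":
    for label, wlc, cat in compare(SAMPLE_FLOWS):
        print(f"{label:24s} WLC1 redirect={str(wlc):5s} CAT3 redirect={cat}")
```

Note that both ACLs exempt DNS only towards 10.10.210.8: a client pointed at any other resolver has its DNS caught by the redirect on both platforms, which is the kind of gap to check against the task requirements.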

5. Test your connections with the WIN7 client.

In the first connection, I went to WLC1. After opening a browser and going to http://1.2.3.4, I was
redirected to the portal.

After accepting I was sent over to PI.


Next I shut down the WLAN on WLC1 and re-ran the scenario going through CAT3. I found that my
session seemed to still be alive in ISE and I was just redirected to PI without being asked to login. So I
removed the endpoint from the GuestEndpoints group, and then reconnected.

After connecting again, this time I was sent to the portal.


Helpful Verification Commands

• N/A

Technical Verification and Support

For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.

This concludes Lab 173 of iPexpert’s CCIE Wireless DSG, Section 6, Volume 1
Copyright© iPexpert. All Rights Reserved.


Lab 174: Guest - Self Registration :: Detailed Solutions

Technologies Covered

• Guest access using self registration

Detailed Solution Guide

This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.


iPexpert’s Recommended Reading Material


All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

• ISE Config Guide 1.3 - Chapter 15

iPexpert’s Recommended Video Training

iPexpert’s Video on Demand training library contains a wealth of videos pertaining to the CCIE
Wireless Lab exam. We recommend watching the following learning videos prior to completing
this lab scenario.

• Video Title: ISE - Guest Portals - Self Registration

Topology Detail

This lab requires access to ISE and WIN7.


Diagram 174.1: Guest - Self Registration Topology

Lab 174 Setup

• Can this lab be practiced without completing a previous lab: YES
• If so, which lab load should be used: ISE - Staged
• Can this lab be practiced without a fresh lab load by using the final config of the previous lab: YES


Configuration Tasks :: Detailed Solutions

1. Configure a Guest - Self Registration portal as described below.

• Portal Name= CCIEW Self
• Use the CA-signed certificate for this portal.
• On the login page
  o Guests should be able to change passwords after login.
  o Allow guests to create their own accounts.
  o Include the AUP on the page and require acceptance.
  o Only show users the AUP on their first login.
  o After a successful authentication, show them the auth success page.
• On the self-registration page
  o Self registered guests should be assigned a guest type of Daily (default) with the account valid for 2 days.
  o Ask guests to supply their first and last names, their email address, and their company.
    - Require the first/last names and email address.

Self registration portals are just username/password portals with the ability for guests to create their
own accounts. Let’s duplicate the pre-configured self registration portal.


Then edit it.


Rename it.

Set the certificate.


Configure some of the login page settings.

Ensure the AUP only appears on the first login.

Upon a successful authentication, just show the auth success page rather than sending them
elsewhere.


Finally, set the self registration page settings.


Scroll down and turn off some more fields.

Save the config when you are done.

2. Create an AuthZ rule that will send users to the CWA portal that you just created when users
connect to the Guest2-PodX WLAN on a WLC.

• This should replace the CWA AuthZ rule from the last lab if that is still there.


Let’s create a new AuthZ profile and then update the AuthZ rule from before.

Then update the redirect rule to use this AuthZ profile.

3. Create a 2nd AuthZ rule to permit the clients who complete the web login.

This rule can be left alone from the last lab.

4. Ensure that the WLANs on WLC1 and CAT3 are configured for this to work.

There is no need to alter these to support a different portal.


5. Test your connections with the WIN7 client.

Connect and trigger the redirect. Scroll down to the bottom and click on the “Don’t have an account?”
link.


Fill in your info and Register.


Here are my automatically created credentials. Copy them and choose to login. Fill in your info (and
change your password if you want) and Sign On.

And we’re on!


Helpful Verification Commands

• N/A

Technical Verification and Support

For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.

This concludes Lab 174 of iPexpert’s CCIE Wireless DSG, Section 6, Volume 1
Copyright© iPexpert. All Rights Reserved.


Lab 175: Guest - Sponsor Portal :: Detailed Solutions

Technologies Covered

• Guest access with sponsor portals

Detailed Solution Guide

This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.


iPexpert’s Recommended Reading Material


All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

• ISE Config Guide 1.3 - Chapter 15

iPexpert’s Recommended Video Training

iPexpert’s Video on Demand training library contains a wealth of videos pertaining to the CCIE
Wireless Lab exam. We recommend watching the following learning videos prior to completing
this lab scenario.

• Video Title: ISE - Guest Portals - Sponsor Portal

Topology Detail

This lab requires access to ISE and WIN7.


Diagram 175.1: Guest - Sponsor Portal Topology

Lab 175 Setup

• Can this lab be practiced without completing a previous lab: YES
• If so, which lab load should be used: ISE - Staged
• Can this lab be practiced without a fresh lab load by using the final config of the previous lab: YES


Configuration Tasks :: Detailed Solutions

1. Configure a Guest - Sponsored Guest Portal as described below.

• Portal Name= CCIEW Sponsor
• Use the CA-signed certificate for this portal.
• On the login page
  o Guests should not be able to create their own accounts or edit their own passwords.
  o Rate limit login attempts after 4 failures with 4 minutes in between login attempts when rate limited.
  o Include the AUP, but only as a link and do not require acceptance.
  o After a successful login, users should be sent to their original URL.
  o The browser title of the web login page should read “Lasciate ogne speranza, voi ch'intrate”.
    - Or, if you prefer the English translation, “Abandon all hope, ye who enter here”.
• Configure the following sponsor groups.
  o ALL_ACCOUNTS (default) - Add the ISE Admins1 group to this sponsor group.
  o GROUP_ACCOUNTS (default) - Disable this group.
  o OWN_ACCOUNTS (default) - Add the AD Domain Users group to this sponsor group.
    - Should only be able to create the Daily and Weekly guest types.
    - Allow them to send SMS notifications with guest credentials.
• Create a new sponsor portal as described below.
  o Name= Sponsor CCIEW
  o When printing off the account information, the first line should say “Hello [first name] [last name],”.


Again, we’ll duplicate the existing sponsored guest portal to start off with.

Rename and set the certificate group.


Configure some of the login page settings.

Turn off the separate AUP, or you will see it after the login page.


Define what happens on a successful login.

Jump over to the page customizations to set the browser title.

Then save your portal changes.


Now jump over to the Sponsor Groups and edit the ALL_ACCOUNTS group.

Click on the Members button.


Then add Admins1 to the right-hand box.

Save your changes.


Next edit the GROUP_ACCOUNTS group and disable it.

Lastly, edit the OWN_ACCOUNTS group. Add the AD group to the members list.

Remove the Contractors group from the list.


Enable SMS sending of credentials and Save.

Lastly, we need to create a sponsor portal.


Rename it.

Jump over to the Page Customization and scroll down to Notify Guests > Print Notification.


Edit the page text by adding the last name variable to the first line as shown.

Save the config.

2. Create an AuthZ rule that will send users to the CWA portal that you just created when users
connect to the Guest2-PodX WLAN on a WLC.

Here we need a new AuthZ profile and to tweak the existing redirection rule.


3. Create a 2nd AuthZ rule to permit the clients who complete the web login.

No need to alter this rule. It still applies.

4. Ensure that the WLANs on WLC1 and CAT3 are configured for this to work.

No need to alter the WLANs. There is no difference in config for any of the CWA portals.

5. Try out the sponsor portal at the URL below with different categories of sponsors and create a few
guest users.

• You can find the URL in the sponsor portal config screen.

Go into the Sponsor CCIEW portal config screen and click on the Portal Test URL.


I’ll login with an AD user.

Accept the AUP.


I’ll create a guest account for one of my favorite drummers of all time. Note how I can only choose
between Daily and Weekly guest types.


Here’s the created account info.

Let’s Notify. I’ll choose to print and save it to a file on my desktop.


And looking at the print job, the first line reads as asked.

6. Use the WIN7 client to connect to the guest WLANs and login with the sponsor-created users.

Now, let’s login with those credentials.

Here is the login page as requested. AUP is there, but only as a link and no option to create your own
login.


And I get this as a response.

What’s the deal? Let’s look at the auth logs.


There are the attempts. Let’s click on one.

So the account is not active yet, but the timestamp is 16:38:03 and looking back at the user, it had a
start time of 16:29:00.


So what gives? Well, look a little closer at the time. It’s 16:29:00 PDT (-7:00), and ISE’s clock is in EDT
(-4:00). This won’t be valid for another 3 hours. If you jump back to the sponsor groups page, you can
see that we are defining guest accounts at the San Jose site.

If you need to ever create guests in a different timezone, you can define them in the Guest Access
settings as shown below.

So if you did the same thing as me, you could either recreate the user in a different timezone, or with
an earlier start time (maybe), or you could just be lazy and wait.
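To see the effect of the timezone mismatch in code, here is an added example (not from the iPexpert guide or Cisco ISE) that compares a guest account's start time, expressed in the sponsor location's zone, with an ISE log timestamp in the server's zone. The fixed offsets are the PDT and EDT offsets mentioned above; the date is constructed.

```python
"""Added example, not from the iPexpert guide or Cisco ISE: checks whether a
sponsor-created guest account is active yet when the sponsor group's location
(San Jose, PDT = UTC-7) and the ISE server clock (EDT = UTC-4) disagree.
The offsets are the ones noted above; the date is constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import Tuple

PDT = timezone(timedelta(hours=-7), "PDT")   # location configured on the sponsor group
EDT = timezone(timedelta(hours=-4), "EDT")   # timezone of the ISE server clock


def account_window(start_local: datetime, days: int) -> Tuple[datetime, datetime]:
    """A guest account is valid from its location-local start time for `days` days."""
    return start_local, start_local + timedelta(days=days)


def is_active(start_local: datetime, days: int, now_server: datetime) -> bool:
    """Aware datetimes compare in absolute time, so mixed zones are handled correctly."""
    start, end = account_window(start_local, days)
    return start <= now_server < end


def wait_until_active(start_local: datetime, now_server: datetime) -> timedelta:
    """How long the guest still has to wait (zero if the account is already active)."""
    return max(start_local - now_server, timedelta(0))


def lab_case() -> Tuple[datetime, datetime]:
    """The 16:29 start time and the 16:38:03 failed attempt from the walkthrough (date constructed)."""
    start = datetime(2015, 9, 1, 16, 29, tzinfo=PDT)         # sponsor-site local time
    attempt = datetime(2015, 9, 1, 16, 38, 3, tzinfo=EDT)    # ISE log timestamp
    return start, attempt


if __name__ == "__main__":
    start, attempt = lab_case()
    print("active:", is_active(start, 1, attempt), "wait:", wait_until_active(start, attempt))
    # Same wall-clock start, but with the sponsor location set to the server's zone:
    print("active if location were EDT:", is_active(start.replace(tzinfo=attempt.tzinfo), 1, attempt))
```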


Once you actually login, you should see this.

Continue and you should be sent to your original URL.

Helpful Verification Commands

• N/A

Technical Verification and Support

For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.

This concludes Lab 175 of iPexpert’s CCIE Wireless DSG, Section 6, Volume 1
Copyright© iPexpert. All Rights Reserved.


Section 7: WLAN Media and Application Services


Lab 176: Wireless QoS on AireOS :: Detailed Solutions

Technologies Covered

• WLANs for Voice
• Call Admission Control
• Rate Limiting
• QoS

Detailed Solution Guide

This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.


iPexpert’s Recommended Reading Material


All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

• WLC Config Guide 8.0 - Chapter 15
• WLC Config Guide 8.0 - Chapter 17

iPexpert’s Recommended Video Training

iPexpert’s Video on Demand training library contains a wealth of videos pertaining to the CCIE
Wireless Lab exam. We recommend watching the following learning videos prior to completing
this lab scenario.

• Video Title: Media and Application Services - Jabber Client
• Video Title: Media and Application Services - AireOS QoS Basics
• Video Title: Media and Application Services - AireOS Voice - WLAN Configs
• Video Title: Media and Application Services - AireOS Voice - Call Admission Control
• Video Title: Media and Application Services - AireOS Voice - Rate Limiting
• Video Title: Media and Application Services - AireOS Voice - QoS Profiles
• Video Title: Media and Application Services - AireOS Voice - Other Radio Settings

Topology Detail

This lab requires access to WLC1 and WIN7.


Diagram 176.1: Wireless QoS on AireOS Topology

Lab 176 Setup

• Can this lab be practiced without completing a previous lab: YES
• If so, which lab load should be used: Media Services - Base
• Can this lab be practiced without a fresh lab load by using the final config of the previous lab: NO


Configuration Tasks :: Detailed Solutions

WLAN Configurations for Voice

1. Configure a WLAN on WLC1 for 792x phones as described below.

• SSID = Voice1-PodX (where X is your rack number)
• Place clients on VLAN 16.
• Choose WPA+WPA2 as the layer 2 security and enable the most secure options that allow
CCKM fast roaming for both 7920 and 7925 phones (assuming they are the most recent
revisions and are running recent firmware).
    o Do not allow non-CCKM devices to use this WLAN.
• Use ISE as the RADIUS server.
• Ensure that the 7925 phones can have their voice traffic marked with a WMM UP of 6.
• Configure off-channel scan defer so that only the UP markings used for 792x phone audio
or call control prevent the APs from going off channel to scan.
• Allow the phones to wake up only for every other beacon to see if there is buffered
broadcast traffic for sleeping clients.

While the 7921 and newer Cisco phones support CCKM with WPA2/AES (on current firmware), the
7920 is limited to WPA1/TKIP, so enable support for both.

Markings are controlled by the QoS profile. Without the platinum profile, the APs will mark down the
UP values, and the phones will also have problems if they try to use UP 6. For the scan defer
requirement, UPs 4-6 are selected by default. Cisco phones should only use 4 and 6 for calling (4 for
call control and 6 for audio), so deselect 5. The last requirement is to set the DTIM period to 2.

(WLC1) >config wlan create 1 Voice1-Pod1
(WLC1) >config wlan interface 1 vlan16
(WLC1) >config wlan security wpa akm cckm enable 1
(WLC1) >config wlan security wpa wpa1 enable 1
(WLC1) >config wlan security wpa wpa1 ciphers tkip enable 1
(WLC1) >config wlan radius_server auth add 1 1
(WLC1) >config wlan qos 1 platinum
(WLC1) >config wlan channel-scan defer-priority 5 disable 1
(WLC1) >config wlan dtim 802.11a 2 1
(WLC1) >config wlan dtim 802.11b 2 1
(WLC1) >config wlan enable 1


2. Configure a WLAN on WLC1 for corporate devices that will be using Jabber clients as described
below.

• SSID = HQ-WPAEAP1-PodX (where X is your rack number).
• Place clients on VLAN 13.
• Configure the WLAN to support 802.11n/ac speeds.
• Configure the WLAN to support 802.11r clients as well as non-802.11r clients.
• Use ISE as the RADIUS server for client authentications.
• Ensure that WMM capable clients with Jabber can use appropriate WMM UP markings.
    o Non-WMM devices should be allowed, but their traffic should be marked as Best
Effort.

Since this version of the lab uses a Jabber client rather than a Cisco 7925 phone, you are more likely
to be configuring WLANs that are not voice-specific but instead have to support regular clients that
also run voice applications. This WLAN digs into a few of the common configurations for that type of
WLAN. You'll want to apply the platinum QoS profile, but if you have to support non-WMM devices, you
probably don't want all of their traffic getting Voice treatment. So you'll need to edit the QoS profile
itself and mark down the default unicast priority. I also marked down the default multicast priority.

(WLC1) >config wlan create 2 HQ-WPAEAP1-Pod1
(WLC1) >config wlan interface 2 vlan13
(WLC1) >config wlan security ft enable 2
(WLC1) >config wlan security wpa akm ft 802.1x enable 2
(WLC1) >config wlan radius_server auth add 2 1
(WLC1) >config wlan qos 2 platinum
(WLC1) >config wlan enable 2

(WLC1) >config wlan disable all
(WLC1) >config qos priority platinum voice besteffort besteffort
(WLC1) >config wlan enable all

Test connecting to these WLANs using the WIN7 PC with PEAP and credentials of iseuser1/IPexpert123.
You’ll need to connect to Voice1-PodX with regular 802.1x and not CCKM.


Call Admission

3. Enable call admission control on both radios as described below.

• Use a CAC method that takes into account the entire channel utilization.
• Reserve 50% of the bandwidth for voice with 6% for roaming clients.
• Ensure non-TSPEC SIP phones are also included in CAC.
    o Assume the use of the G.711 codec with a 20 ms sample interval.
• CCXv5 clients should be able to complete high-priority calls, even if it pushes the
utilization past 50%.

For these requirements, we'll use load-based CAC to account for the entire channel utilization. SIP
CAC handles the non-TSPEC WMM devices that use SIP. Be sure to also enable SIP snooping on the WLAN
so the controller actually detects when these calls originate (that is requested in the next task). The
last feature is the Expedited Bandwidth option.

First, disable the radios.

(WLC1) >config 802.11b disable network
(WLC1) >config 802.11a disable network
Disabling the 802.11a network may strand mesh APs. Are you sure you want to continue?
(y/n)y

Then configure CAC. Be sure to configure it on both radios unless told otherwise.


(WLC1) >config 802.11a cac voice acm enable
(WLC1) >config 802.11a cac voice cac-method load-based
Warning! Enable/Disable Load-Based CAC applies only to non-mesh APs.
It is not applicable to mesh APs. Only static CAC is applicable. Are you sure you
want to continue? (y/N)y
(WLC1) >config 802.11a cac voice max-bandwidth 50
(WLC1) >config 802.11a cac voice roam-bandwidth 6
(WLC1) >config 802.11a cac voice sip enable
(WLC1) >config 802.11a cac voice sip codec g711 sample-interval 20
(WLC1) >config 802.11a exp-bwreq enable

(WLC1) >config 802.11b cac voice acm enable
(WLC1) >config 802.11b cac voice cac-method load-based
Warning! Enable/Disable Load-Based CAC applies only to non-mesh APs.
It is not applicable to mesh APs. Only static CAC is applicable. Are you sure you
want to continue? (y/N)y
(WLC1) >config 802.11b cac voice max-bandwidth 50
(WLC1) >config 802.11b cac voice roam-bandwidth 6
(WLC1) >config 802.11b cac voice sip enable
(WLC1) >config 802.11b cac voice sip codec g711 sample-interval 20
(WLC1) >config 802.11b exp-bwreq enable

The last part of the config enables SIP snooping on the WLANs.

4. Configure other CAC-related settings as directed below.

• Ensure that the Voice1-PodX WLAN is configured to support CAC on the 7920 phones.
• Ensure that the HQ-WPAEAP1-PodX WLAN is configured to detect the origination of SIP
calls for use in CAC.
• Configure the WLC to consider SIP ports used for SIP snooping to be from 5060 through
5070.
• Configure the WLC to allow SIP calls to 911 to exceed the maximum call/bandwidth limit.

The 7920 support is theoretical, but since they don’t support WMM or SIP, they have their own special
CAC setting on the WLAN itself. Unless you turn WMM off (very doubtful), you’ll always pick 7920 AP
CAC.


SIP snooping ensures the WLC knows when SIP calls are originating. By default, the WLC should snoop
on port 5060 for SIP calls, but we can alter the port list if called upon. We can also add the expedited
bandwidth feature to SIP calls by specifying phone numbers.

(WLC1) >config wlan disable 1
(WLC1) >config wlan 7920-support ap-cac-limit enable 1
(WLC1) >config wlan enable 1

(WLC1) >config wlan disable 2
(WLC1) >config wlan call-snoop enable 2
(WLC1) >config wlan enable 2

(WLC1) >config advanced sip-snooping-ports 5060 5070
(WLC1) >config advanced sip-preferred-call-no 1 911

Rate Limiting

5. Configure individual user rate limiting for clients assigned to the Platinum QoS profile as described
below.

• Rate limit using the same values for upstream and downstream traffic.
• Set an average rate of 5000 Kbps and a burst rate of 7500 Kbps for non-UDP traffic.
• Set an average rate of 2000 Kbps and a burst rate of 3000 Kbps for UDP traffic.

(WLC1) >config wlan disable all
(WLC1) >config qos average-data-rate platinum per-client upstream 5000
(WLC1) >config qos average-data-rate platinum per-client downstream 5000
(WLC1) >config qos burst-data-rate platinum per-client upstream 7500
(WLC1) >config qos burst-data-rate platinum per-client downstream 7500
(WLC1) >config qos average-realtime-rate platinum per-client upstream 2000
(WLC1) >config qos average-realtime-rate platinum per-client downstream 2000
(WLC1) >config qos burst-realtime-rate platinum per-client upstream 3000
(WLC1) >config qos burst-realtime-rate platinum per-client downstream 3000

(WLC1) >show qos platinum

Description...................................... For Voice Applications
Maximum Priority................................. voice
Unicast Default Priority......................... besteffort
Multicast Default Priority....................... besteffort
Per-SSID Rate Limits............................. Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Per-Client Rate Limits........................... Upstream Downstream
Average Data Rate................................ 5000 5000
Average Realtime Data Rate....................... 2000 2000
Burst Data Rate.................................. 7500 7500
Burst Realtime Data Rate......................... 3000 3000
protocol......................................... none

6. Configure the Voice1-PodX WLAN to override these global settings as described below.

• Rate limit using the same values for upstream and downstream traffic.
• Set an average rate of 500 Kbps and a burst rate of 750 Kbps for non-UDP traffic.
• Set an average rate of 800 Kbps and a burst rate of 1000 Kbps for UDP traffic.

Here we’ll override the global settings on the WLAN.

(WLC1) >config wlan override-rate-limit 1 average-data-rate per-client upstream 500
(WLC1) >config wlan override-rate-limit 1 average-data-rate per-client downstream 500
(WLC1) >config wlan override-rate-limit 1 burst-data-rate per-client upstream 750
(WLC1) >config wlan override-rate-limit 1 burst-data-rate per-client downstream 750
(WLC1) >config wlan override-rate-limit 1 average-realtime-rate per-client upstream 800
(WLC1) >config wlan override-rate-limit 1 average-realtime-rate per-client downstream 800
(WLC1) >config wlan override-rate-limit 1 burst-realtime-rate per-client upstream 1000
(WLC1) >config wlan override-rate-limit 1 burst-realtime-rate per-client downstream 1000

(WLC1) >show wlan 1

[lines omitted]
Quality of Service............................... Platinum
Per-SSID Rate Limits............................. Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Per-Client Rate Limits........................... Upstream Downstream
Average Data Rate................................ 500 500
Average Realtime Data Rate....................... 800 800
Burst Data Rate.................................. 750 750
Burst Realtime Data Rate......................... 1000 1000
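The rate-limit tables printed by show qos and show wlan are the place to confirm tasks 5 and 6, and the two mistakes that are easy to make here are leaving one direction at 0 (which AireOS treats as "no limit") or typing different upstream and downstream values. The following Python script is an added example, not part of this guide: it parses the Per-SSID and Per-Client tables out of the show output and checks the per-client values against the task 6 requirements. The first sample is the show wlan 1 output above; the second is a constructed variant in which the downstream burst realtime rate was never set.

```python
import re
from typing import Dict, List, Tuple

# Sample input: the rate-limit part of the 'show wlan 1' output above (Lab 176, task 6).
SHOW_WLAN_1 = """\
Quality of Service............................... Platinum
Per-SSID Rate Limits............................. Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Per-Client Rate Limits........................... Upstream Downstream
Average Data Rate................................ 500 500
Average Realtime Data Rate....................... 800 800
Burst Data Rate.................................. 750 750
Burst Realtime Data Rate......................... 1000 1000
"""

# Constructed variant: the downstream burst realtime rate was never configured
# (0 = no limit on AireOS), which the check below must flag.
SHOW_WLAN_1_INCOMPLETE = SHOW_WLAN_1.replace(" 1000 1000", " 1000 0")

# What task 6 asks for, in Kbps, with the same value up and down.
TASK6_PER_CLIENT = {
    "Average Data Rate": 500,
    "Burst Data Rate": 750,
    "Average Realtime Data Rate": 800,
    "Burst Realtime Data Rate": 1000,
}

_RATE_LINE = re.compile(
    r"^(Average Data Rate|Average Realtime Data Rate|Burst Data Rate|Burst Realtime Data Rate)"
    r"\.+\s+(\d+)\s+(\d+)\s*$")


def parse_rate_limits(text: str) -> Dict[str, Dict[str, Tuple[int, int]]]:
    """Return {'Per-SSID': {...}, 'Per-Client': {...}}, each mapping a rate name to
    (upstream, downstream) in Kbps. Lines before either table header are ignored."""
    tables: Dict[str, Dict[str, Tuple[int, int]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Per-SSID Rate Limits"):
            current = "Per-SSID"
            tables[current] = {}
        elif line.startswith("Per-Client Rate Limits"):
            current = "Per-Client"
            tables[current] = {}
        elif current is not None:
            m = _RATE_LINE.match(line)
            if m:
                tables[current][m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return tables


def check_per_client(tables: Dict[str, Dict[str, Tuple[int, int]]],
                     expected: Dict[str, int]) -> List[str]:
    """Compare the Per-Client table with the expected Kbps values and return a list of
    findings (an empty list means compliant). Asymmetric values and unlimited (0) entries
    are reported separately because they are the two easiest CLI mistakes to make."""
    findings: List[str] = []
    per_client = tables.get("Per-Client", {})
    for name, want in expected.items():
        if name not in per_client:
            findings.append(f"{name}: not present in output")
            continue
        up, down = per_client[name]
        if up != down:
            findings.append(f"{name}: upstream {up} != downstream {down}")
        for direction, value in (("upstream", up), ("downstream", down)):
            if value == 0:
                findings.append(f"{name}: {direction} is 0 (no limit)")
            elif value != want:
                findings.append(f"{name}: {direction} {value} != required {want}")
    return findings


if __name__ == "__main__":
    print(check_per_client(parse_rate_limits(SHOW_WLAN_1), TASK6_PER_CLIENT))
    print(check_per_client(parse_rate_limits(SHOW_WLAN_1_INCOMPLETE), TASK6_PER_CLIENT))
```

The same parser works on the show qos platinum output from task 5 by passing a different expected dictionary (5000/7500/2000/3000); only the Per-Client table is checked because the per-SSID limits are expected to stay at 0 in both tasks.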

Other Voice-specific Configs

7. Configure the DHCP scope for VLANs 16-17 on CAT2 to advertise a TFTP server of 10.10.205.20 so
that the wired desk phone on CAT3 (or any other Cisco phones on those VLANs) can discover its
call manager.

The scopes are on CAT2. Use option 150 to accomplish this. This is not needed for the Jabber client.

CAT2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT2(config)#ip dhcp pool vlan16
CAT2(dhcp-config)#option 150 ip 10.10.205.20
CAT2(dhcp-config)#ip dhcp pool vlan17
CAT2(dhcp-config)#option 150 ip 10.10.205.20
CAT2(dhcp-config)#end

8. Configure the WLC to manipulate CWmin and CWmax values to more heavily favor the sending of
frames in the Platinum queue over the other 3 queues.

This is accomplished with the EDCA profiles.

(WLC1) >config advanced 802.11a edca-parameter optimized-voice
(WLC1) >config advanced 802.11b edca-parameter optimized-voice

9. If voice AC packets are not ACKed after 3 attempts to send them, they should be discarded.

• Ignore the data rate limitations for this feature.


This is the low-latency MAC feature. Most voice guides that I see recommend this actually stays
disabled for Cisco phones.

(WLC1) >config advanced 802.11a voice-mac-optimization enable
(WLC1) >config advanced 802.11b voice-mac-optimization enable

10. The WLC should collect basic metrics on the voice calls happening on the associated APs.

This is the traffic stream metric feature.

(WLC1) >config 802.11a tsm enable
(WLC1) >config 802.11b tsm enable

11. If voice clients undergo a layer-3 roam on the Voice1-PodX WLAN, the client should be kicked off
and forced to reconnect without the layer 3 tunnel when not on a call.

This is the re-anchor roamed voice clients feature. It’s another feature that Cisco recommends to leave
off for Cisco voice deployments.

(WLC1) >config wlan roamed-voice-client re-anchor enable 1

12. Configure the WLC to properly mark CoS values for traffic on WLANs using the Platinum QoS profile.

This is done under the QoS profile. It used to be very important in the previous version of the lab. With
current deployment guides and features, we tend to rely solely on DSCP rather than CoS. So this feature
isn’t as important as before, but one change from old code is that we now specify the CoS value rather
than the UP value.

(WLC1) >config qos protocol-type platinum dot1p
(WLC1) >config qos dot1p-tag platinum 5

You can use Jabber on the WIN7 PC to make phone calls. Assuming the desk phone has registered after
your option 150 config, open the Jabber client and call 1000. That’s the phone number of the desk
phone (1001 is the Jabber client’s phone number). The desk phone should automatically answer.

Once the call completes, you should be able to see traffic stream metrics for the WIN7 client and other
CAC related information.


Helpful Verification Commands

• show qos platinum
• show wlan

Technical Verification and Support

For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.

This concludes Lab 176 of iPexpert’s CCIE Wireless DSG, Section 7, Volume 1
Copyright© iPexpert. All Rights Reserved.


Lab 177: Wireless QoS on IOS-XE :: Detailed Solutions

Technologies Covered

• WLANs for Voice
• Call Admission Control
• Rate Limiting
• QoS

Detailed Solution Guide

This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.


iPexpert’s Recommended Reading Material


All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

• 3650 Config Guide 3.6 - Chapter 50
• 3650 Config Guide 3.6 - Chapter 89

iPexpert’s Recommended Video Training

iPexpert’s Video on Demand training library contains a wealth of videos pertaining to the CCIE
Wireless Lab exam. We recommend watching the following learning videos prior to completing
this lab scenario.

• Video Title: Media and Application Services - IOS-XE Wireless QoS Basics
• Video Title: Media and Application Services - IOS-XE Voice - WLAN Configs
• Video Title: Media and Application Services - IOS-XE Voice - Call Admission Control
• Video Title: Media and Application Services - IOS-XE Voice - QoS Policies
• Video Title: Media and Application Services - IOS-XE Voice - Other Radio Settings

Topology Detail

This lab requires access to CAT3 and WIN7.


Diagram 177.1: Wireless QoS on IOS-XE Topology

Lab 177 Setup

• Can this lab be practiced without completing a previous lab: YES
• If so, which lab load should be used: Media Services - Base
• Can this lab be practiced without a fresh lab load by using the final config of the previous lab: YES


Configuration Tasks :: Detailed Solutions

WLAN Configurations for Voice

1. Configure a WLAN on CAT3 for 792x phones as described below.

• SSID = Voice1-PodX (where X is your rack number)
• Place clients on VLAN 16.
• Choose WPA+WPA2 as the layer 2 security and enable the most secure options that allow
CCKM fast roaming for both 7920 and 7925 phones (assuming they are the most recent
revisions and are running recent firmware).
    o Also allow non-CCKM devices to use this WLAN.
• Use ISE as the RADIUS server.
• Configure off-channel scan defer so that only the UP markings used for 792x phone audio
or call control prevent the APs from going off channel to scan.
• Allow the phones to wake up only for every other beacon to see if there is buffered
broadcast traffic for sleeping clients.

This is pretty much the same setup as the last lab.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wlan Voice1-Pod1 1
CAT3(config-wlan)#client vlan 16
CAT3(config-wlan)#security wpa wpa1 ciphers tkip
CAT3(config-wlan)#security wpa akm cckm
CAT3(config-wlan)#security dot1x authentication-list ISE
CAT3(config-wlan)#no channel-scan defer-priority 5
CAT3(config-wlan)#dtim dot11 24ghz 2
CAT3(config-wlan)#dtim dot11 5ghz 2
CAT3(config-wlan)#no shut
CAT3(config-wlan)#end


2. Configure a WLAN on CAT3 for corporate devices that will be using Jabber clients as described
below.

• SSID = HQ-WPAEAP1-PodX (where X is your rack number)
• Place clients on VLAN 13.
• Configure the WLAN to support 802.11n/ac speeds.
• Configure the WLAN to support 802.11r clients as well as non-802.11r clients.
• Use ISE as the RADIUS server for client authentications.

Again, pretty much the same as the last lab.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wlan HQ-WPAEAP1-Pod1 2
CAT3(config-wlan)#client vlan 13
CAT3(config-wlan)#security ft
CAT3(config-wlan)#security wpa akm ft dot1x
CAT3(config-wlan)#security dot1x authentication-list ISE
CAT3(config-wlan)#no shut
CAT3(config-wlan)#end

Test connecting to these WLANs using the WIN7 PC with PEAP and credentials of iseuser1/IPexpert123.


Basic Wireless QoS Config

3. Ensure that CAT3 is configured to trust markings from the wireless clients by default.

In our lab code, this should be enabled by default; in earlier IOS-XE code it wasn't. You can always put
the command in just to be safe. Without it, all wireless client traffic is remarked to DSCP 0 by default.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#no qos wireless-default-untrust
CAT3(config)#end

4. Configure the default wireless port policy to enable all 4 wireless queues.

• Create a VOICE class-map that matches traffic with a DSCP of EF.
    o Traffic in the class should be given the highest priority, and multicast traffic should
be rate limited to 10% of the total bandwidth.
• Create a VIDEO class-map that matches traffic with a DSCP of CS3, AF31, or AF41.
    o Traffic in the class should be given the next highest priority, and multicast traffic
should be rate limited to 20% of the total bandwidth.
• The class-default class should get 90% of the remaining bandwidth.
• The non-client NRT class should get 10% of the remaining bandwidth.

The wireless port policy primarily controls queuing. All ports that have a joined AP inherit this policy.
By default, only 2 of the 4 queues are in use. Here we are getting all 4 into play. Q0 is the voice queue
and Q1 is the video queue. These are strict priority queues. You’ll normally want to limit bandwidth to
prevent starvation of the lower priority queues, although the policing here is for multicast traffic only.
Unicast traffic is policed at the client and SSID level.

The policy-map is there by default. You’ll just need to add a few class-maps for Q0 and Q1 and then
edit the policy-map.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#class-map VOICE
CAT3(config-cmap)#match dscp ef
CAT3(config-cmap)#class-map VIDEO
CAT3(config-cmap)#match dscp cs3 af31 af41
CAT3(config-cmap)#exit

CAT3(config)#policy-map port_child_policy
CAT3(config-pmap)#class VOICE
CAT3(config-pmap-c)#priority level 1 percent 10
CAT3(config-pmap-c)#class VIDEO
CAT3(config-pmap-c)#priority level 2 percent 20
CAT3(config-pmap-c)#class class-default
CAT3(config-pmap-c)#bandwidth remaining ratio 90
CAT3(config-pmap-c)#end

CAT3#sho policy-map
  Policy Map port_child_policy
    Class non-client-nrt-class
      bandwidth remaining ratio 10
    Class VOICE
      priority level 1 10 (%)
    Class VIDEO
      priority level 2 20 (%)
    Class class-default
      bandwidth remaining ratio 90

CAT3#sho policy-map interface wireless ap

 AP LAP1 iifid: 0x0107D74000000009

  Service-policy output: defportac

    Class-map: class-default (match-any)
      Match: any
      Queueing

      (total drops) 0
      (bytes output) 3232085
      shape (average) cir 1000000000, bc 4000000, be 4000000
      target shape rate 1000000000

      Service-policy : port_child_policy

        queue stats for all priority classes:
          Queueing
          priority level 1

          (total drops) 0
          (bytes output) 0

        queue stats for all priority classes:
          Queueing
          priority level 2

          (total drops) 0
          (bytes output) 0

        Class-map: non-client-nrt-class (match-any)
          Match: non-client-nrt
          0 packets, 0 bytes
          30 second rate 0 bps
          Queueing

          (total drops) 0
          (bytes output) 0
          bandwidth remaining ratio 10

        Class-map: VOICE (match-any)
          Match: dscp ef (46)
          0 packets, 0 bytes
          30 second rate 0 bps
          Priority: 10% (100000 kbps), burst bytes 2500000,

          Priority Level: 1

        Class-map: VIDEO (match-any)
          Match: dscp cs3 (24) af31 (26) af41 (34)
          0 packets, 0 bytes
          30 second rate 0 bps
          Priority: 20% (200000 kbps), burst bytes 5000000,

          Priority Level: 2

        Class-map: class-default (match-any)
          Match: any
          Queueing

          (total drops) 0
          (bytes output) 35822
          bandwidth remaining ratio 90

Call Admission

5. Enable call admission control on both radios as described below.

• Use a CAC method that takes into account the entire channel utilization.
• Reserve 50% of the bandwidth for voice with 6% for roaming clients.
• Ensure non-TSPEC SIP phones are also included in CAC.
    o Assume the use of the G.711 codec with a 20 ms sample interval.
• CCXv5 clients should be able to complete high-priority calls, even if it pushes the
utilization past 50%.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#ap dot11 24ghz shut
CAT3(config)#ap dot11 24ghz cac voice acm
CAT3(config)#ap dot11 24ghz cac voice load-based
CAT3(config)#ap dot11 24ghz cac voice max-bandwidth 50
CAT3(config)#ap dot11 24ghz cac voice roam-bandwidth 6
CAT3(config)#ap dot11 24ghz cac voice sip
CAT3(config)#ap dot11 24ghz cac voice sip bandwidth 64 sample-interval 20
CAT3(config)#ap dot11 24ghz exp-bwreq
CAT3(config)#ap dot11 5ghz shut
CAT3(config)#ap dot11 5ghz cac voice acm
CAT3(config)#ap dot11 5ghz cac voice load-based
CAT3(config)#ap dot11 5ghz cac voice max-bandwidth 50
CAT3(config)#ap dot11 5ghz cac voice roam-bandwidth 6
CAT3(config)#ap dot11 5ghz cac voice sip
CAT3(config)#ap dot11 5ghz cac voice sip bandwidth 64 sample-interval 20
CAT3(config)#ap dot11 5ghz exp-bwreq
CAT3(config)#end

CAT3#sho ap dot11 24ghz network

[lines omitted]
Voice AC
Voice AC - Admission control (ACM) : Enabled
Voice Stream-Size : 84000
Voice Max-Streams : 2
Voice Max RF Bandwidth : 50
Voice Reserved Roaming Bandwidth : 6
Voice Load-Based CAC mode : Enabled
Voice tspec inactivity timeout : Enabled
CAC SIP-Voice configuration
SIP based CAC : Enabled
SIP call bandwidth : 64
SIP call bandwith sample-size : 20
Video AC
Video AC - Admission control (ACM) : Disabled
Video max RF bandwidth : Infinite
Video reserved roaming bandwidth : 0
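To make the CAC settings in task 5 here and task 3 of Lab 176 concrete, the following Python is an added worked example (not from this guide and not Cisco's code). It computes what one direction of a G.711 call with a 20 ms sample interval costs at the IP layer (the "bandwidth 64" in the command is the codec rate alone), and then models the admission decision that max-bandwidth, roam-bandwidth and exp-bwreq configure: new calls may only use the max-bandwidth share minus the roaming reserve, roaming calls may use the full share, and expedited (CCXv5 high-priority) calls are admitted even past it. The admission function is a simplified model that follows the task wording and Cisco's documented meaning of the reserved roaming bandwidth; utilization is taken as a percentage input rather than measured.

```python
from dataclasses import dataclass

# Codec bit rates in bps. G.711 is what the task assumes; G.729 is included for comparison.
CODEC_BPS = {"g711": 64_000, "g729": 8_000}
# Per-packet headers that the codec rate does not include: IPv4 (20) + UDP (8) + RTP (12).
L3_HEADER_BYTES = 20 + 8 + 12


@dataclass
class CallProfile:
    codec: str
    sample_interval_ms: int
    payload_bytes: int        # voice payload carried per RTP packet
    packets_per_second: int
    ip_bps: int               # IP-layer bandwidth of one direction of the call


def call_profile(codec: str, sample_interval_ms: int) -> CallProfile:
    """Standard VoIP sizing: the codec rate times the sample interval gives the payload
    per packet, the interval gives the packet rate, and headers are added per packet."""
    bps = CODEC_BPS[codec]
    payload = bps * sample_interval_ms // 8 // 1000
    pps = 1000 // sample_interval_ms
    ip_bps = (payload + L3_HEADER_BYTES) * 8 * pps
    return CallProfile(codec, sample_interval_ms, payload, pps, ip_bps)


@dataclass
class VoiceCac:
    """Voice CAC knobs from the task: 'cac voice max-bandwidth 50', 'cac voice
    roam-bandwidth 6' (reserved out of the 50) and 'exp-bwreq'."""
    max_bandwidth_pct: int = 50
    roam_bandwidth_pct: int = 6
    exp_bwreq: bool = True

    def admit(self, voice_util_pct: float, call_pct: float, kind: str) -> bool:
        """kind is 'new' (fresh call on this AP), 'roam' (call arriving from another AP)
        or 'expedited' (CCXv5 high-priority TSPEC request). Returns True if admitted."""
        after = voice_util_pct + call_pct
        new_call_limit = self.max_bandwidth_pct - self.roam_bandwidth_pct
        if kind == "expedited":
            # With the feature on, the high-priority call is admitted even past the limit;
            # with it off, the request is treated like any new call.
            return True if self.exp_bwreq else after <= new_call_limit
        if kind == "roam":
            return after <= self.max_bandwidth_pct
        if kind == "new":
            return after <= new_call_limit
        raise ValueError(f"unknown call kind: {kind}")


if __name__ == "__main__":
    print(call_profile("g711", 20))
    cac = VoiceCac()
    # Constructed scenario: the channel already carries 42% voice, each call adds 4%.
    for kind in ("new", "roam", "expedited"):
        print(kind, cac.admit(42, 4, kind))
```

The 6% roaming reserve is why a new call is refused at 42% utilization while a roaming call is still accepted: the reserve keeps an active call from being dropped mid-roam just because the target AP is busy with new calls.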

6. Configure other CAC-related settings as directed below.

• Ensure that the HQ-WPAEAP1-PodX WLAN is configured to detect the origination of SIP
calls for use in CAC.
• Configure the WLC to consider SIP ports used for SIP snooping to be from 5060 through
5070.
• Configure the WLC to allow SIP calls to 911 to exceed the maximum call/bandwidth limit.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wlan HQ-WPAEAP1-Pod1
CAT3(config-wlan)#shut
CAT3(config-wlan)#call-snoop
CAT3(config-wlan)#no shut
CAT3(config-wlan)#exit
CAT3(config)#wireless sip preferred-call-no 1 911
CAT3(config)#end

Rate Limiting

7. Configure the Voice1-PodX WLAN to do per-client rate limiting as described below.

• Police traffic at 500 Kbps for traffic in the VIDEO class.
• Police traffic at 1000 Kbps for traffic in the VOICE class.
• Apply this policy in both directions.

This will require a policy-map that will be assigned to the client. We’ll re-use the class-maps from
before.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#policy-map VOICE1_CLIENT
CAT3(config-pmap)#class VOICE
CAT3(config-pmap-c)#police 500k conform-action transmit exceed-action drop
CAT3(config-pmap-c-police)#exit
CAT3(config-pmap-c)#class VIDEO
CAT3(config-pmap-c)#police 1000k conform-action transmit exceed-action drop
CAT3(config-pmap-c-police)#exit
CAT3(config-pmap-c)#exit
CAT3(config-pmap)#exit

CAT3(config)#wlan Voice1-Pod1
CAT3(config-wlan)#shut
CAT3(config-wlan)#service-policy client input VOICE1_CLIENT
CAT3(config-wlan)#service-policy client output VOICE1_CLIENT
CAT3(config-wlan)#no shut
CAT3(config-wlan)#end

If you connect your WIN7 client to the Voice1-PodX WLAN, you can see the policy being applied.

CAT3#sho policy-map interface wireless client

 Client C8D7.19C0.0590 iifid: 0x0107D74000000009.0x00C76B4000000005.0x00DAE5000

  Service-policy input: VOICE1_CLIENT

    Counters last updated 00:00:28 ago

    Class-map: VOICE (match-any)
      0 packets
      Match: dscp ef (46)
        0 packets, 0 bytes
        30 second rate 0 bps
      police:
          cir 500000 bps, bc 15625 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0000 bps, exceeded 0000 bps

    Class-map: VIDEO (match-any)
      1 packets
      Match: dscp cs3 (24) af31 (26) af41 (34)
        1 packets, 90 bytes
        30 second rate 0 bps
      police:
          cir 1000000 bps, bc 31250 bytes
        conformed 1 packets, 90 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0000 bps, exceeded 0000 bps

    Class-map: class-default (match-any)
      83 packets
      Match: any

  Service-policy output: VOICE1_CLIENT

    Class-map: VOICE (match-any)
      Match: dscp ef (46)
        0 packets, 0 bytes
        30 second rate 0 bps
      police:
          cir 500000 bps, bc 15625 bytes
        conformed 0 bytes; actions:
          transmit
        exceeded 0 bytes; actions:
          drop
        conformed 0000 bps, exceeded 0000 bps

    Class-map: VIDEO (match-any)
      Match: dscp cs3 (24) af31 (26) af41 (34)
        0 packets, 0 bytes
        30 second rate 0 bps
      police:
          cir 1000000 bps, bc 31250 bytes
        conformed 0 bytes; actions:
          transmit
        exceeded 0 bytes; actions:
          drop
        conformed 0000 bps, exceeded 0000 bps

    Class-map: class-default (match-any)
      Match: any
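The figures in the two show outputs (the port policy in task 4 and the client policy here) all come from a handful of formulas, and seeing them reproduced makes the outputs easier to read. The following Python is an added example, not code from this guide: it derives the kbps and burst-bytes values of the priority classes, the split of leftover bandwidth by bandwidth remaining ratio, the default bc that a police statement gets without an explicit burst, and then runs a small single-rate token-bucket policer over a constructed packet burst to show what exceed-action drop does to a client that exceeds its 500 Kbps class. The 1 Gbps link rate is the shape cir shown in the AP output; the 200 ms priority burst window and the 250 ms (cir/32 bytes) policer bc are the platform defaults that reproduce the displayed numbers.

```python
from typing import Dict, List, Tuple

LINK_BPS = 1_000_000_000       # 'shape (average) cir 1000000000' on the AP port above
PRIORITY_BURST_SECONDS = 0.2   # burst bytes = 200 ms worth of the priority rate
POLICE_BC_SECONDS = 0.25       # default bc = cir/32 bytes, i.e. 250 ms worth of cir


def priority_class(link_bps: int, percent: int) -> Dict[str, int]:
    """Rate (kbps) and burst bytes that 'priority level N percent P' yields on a port
    shaped to link_bps; these are the '(kbps)' and 'burst bytes' figures in the output."""
    rate_bps = link_bps * percent // 100
    return {"rate_kbps": rate_bps // 1000,
            "burst_bytes": int(rate_bps * PRIORITY_BURST_SECONDS / 8)}


def remaining_shares(link_bps: int, priority_percents: List[int],
                     remaining_ratios: Dict[str, int]) -> Dict[str, int]:
    """Split what the priority classes leave over between the classes carrying
    'bandwidth remaining ratio'. Returns the guaranteed bps per class under full load."""
    leftover = link_bps * (100 - sum(priority_percents)) // 100
    total_ratio = sum(remaining_ratios.values())
    return {name: leftover * ratio // total_ratio for name, ratio in remaining_ratios.items()}


def police_bc_bytes(cir_bps: int) -> int:
    """Committed burst a 'police <cir>' statement gets when no bc is typed."""
    return int(cir_bps * POLICE_BC_SECONDS / 8)


def police_trace(cir_bps: int, bc_bytes: int, packets: List[Tuple[float, int]]) -> List[str]:
    """Single-rate token-bucket policer. packets is a list of (time_seconds, size_bytes).
    Returns 'transmit' or 'drop' per packet, matching the conform/exceed actions above."""
    tokens = float(bc_bytes)           # bucket starts full
    last_t = packets[0][0] if packets else 0.0
    verdicts: List[str] = []
    for t, size in packets:
        tokens = min(float(bc_bytes), tokens + (t - last_t) * cir_bps / 8)   # refill at cir
        last_t = t
        if size <= tokens:
            tokens -= size
            verdicts.append("transmit")
        else:
            verdicts.append("drop")    # no debit: the exceeded packet is simply dropped
    return verdicts


# Constructed trace: a client in the 500 Kbps class sends 12 x 1500-byte packets at once,
# then one more packet a second later after the bucket has refilled.
BURST_TRACE = [(0.0, 1500)] * 12 + [(1.0, 1500)]

if __name__ == "__main__":
    print(priority_class(LINK_BPS, 10), priority_class(LINK_BPS, 20))
    print(remaining_shares(LINK_BPS, [10, 20],
                           {"class-default": 90, "non-client-nrt-class": 10}))
    print(police_bc_bytes(500000), police_bc_bytes(1000000))
    print(police_trace(500000, police_bc_bytes(500000), BURST_TRACE))
```

With bc = 15625 bytes only the first ten 1500-byte packets of the burst conform; the eleventh and twelfth are dropped even though the client's average rate over the second is well under 500 Kbps, which is why a policer with a small bc is harsher on bursty traffic than the average figure suggests.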

Other Voice-specific Configs

8. Configure the DHCP scope for VLANs 16-17 on CAT2 to advertise a TFTP server of 10.10.205.20 so
that the wired desk phone on CAT3 (or any other Cisco phones on those VLANs) can discover its
call manager.

CAT2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT2(config)#ip dhcp pool vlan16
CAT2(dhcp-config)#option 150 ip 10.10.205.20
CAT2(dhcp-config)#ip dhcp pool vlan17
CAT2(dhcp-config)#option 150 ip 10.10.205.20
CAT2(dhcp-config)#end


9. Configure the WLC to manipulate CWmin and CWmax values to more heavily favor the sending of
frames in the Platinum queue over the other 3 queues.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#ap dot11 24 edca-parameters optimized-voice
CAT3(config)#ap dot11 5g edca-parameters optimized-voice
CAT3(config)#end

10. The WLC should collect basic metrics on the voice calls happening on the associated APs.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#ap dot11 24 tsm
CAT3(config)#ap dot11 5g tsm
CAT3(config)#no ap dot11 24 shut
CAT3(config)#no ap dot11 5g shut
CAT3(config)#end

You can use Jabber on the WIN7 PC to make phone calls. Assuming the desk phone has registered after
your option 150 config, open the Jabber client and call 1000. That’s the phone number of the desk
phone (1001 is the Jabber client’s phone number). The desk phone should automatically answer.

Once the call completes, you should be able to see traffic stream metrics for the WIN7 client and other
CAC related information.


Helpful Verification Commands

• sho policy-map
• sho policy-map interface wireless ap
• sho ap dot11 24ghz network
• sho policy-map interface wireless client

Technical Verification and Support

For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.

This concludes Lab 177 of iPexpert’s CCIE Wireless DSG, Section 7, Volume 1
Copyright© iPexpert. All Rights Reserved.


Lab 178: VideoStream on AireOS :: Detailed Solutions

Technologies Covered

• VideoStream on AireOS

Detailed Solution Guide

This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.


iPexpert’s Recommended Reading Material


All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.

 WLC Config Guide 8.0- Chapter 40

iPexpert’s Recommended Video Training

iPexpert’s Video on Demand training library contains a wealth of videos pertaining to the CCIE
Wireless Lab exam. We recommend watching the following learning videos prior to completing
this lab scenario.

 Video Title: Media and Application Services- VideoStream on AireOS

Topology Detail

This lab requires access to WLC1, WIN7, and WIN2012.


Diagram 178.1: VideoStream on AireOS Topology

Lab 178 Setup

 Can this lab be practiced without completing a previous lab: YES
 If so, which lab load should be used: Media Services- Base
 Can this lab be practiced without a fresh lab load by using the final config of the previous lab: YES


Configuration Tasks :: Detailed Solutions

All configurations are on WLC1.

Stage the WLC for VideoStream

1. If you didn’t do the Voice lab, create the HQ-WPAEAP1-PodX WLAN as described below. Otherwise,
just reuse that WLAN.

 SSID= HQ-WPAEAP1-PodX (where X is your rack number)

 Place clients on VLAN 13.

 Configure the WLAN to support 802.11n/ac speeds.

 Use ISE as the RADIUS server for client authentications.

 Specify the platinum QoS profile.

2. Enable multicast for wireless clients with IGMP snooping.

3. Have the WLC send multicast traffic to its APs using the multicast group 239.10.111.10.

4. Use the Voice and Video EDCA profile to give video AC traffic better priority access to the RF
medium.

VideoStream requires multicast with IGMP snooping enabled globally. An AP multicast mode of multicast-
multicast is optional but recommended, and the same goes for the EDCA profile. Both radios have to be
disabled before the EDCA profile can be changed, which is why they are shut here and re-enabled once
the VideoStream configuration is complete.

(WLC1) >config network multicast global enable


(WLC1) >config network multicast igmp snooping enable
(WLC1) >config network multicast mode multicast 239.10.111.10
(WLC1) >config 802.11a disable network
(WLC1) >config 802.11b disable network
(WLC1) >config advanced 802.11a edca-parameter optimized-video-voice
(WLC1) >config advanced 802.11b edca-parameter optimized-video-voice

Configure VideoStream

5. Enable multicast direct globally.

6. Configure Video Stream behavior as described below.


 Traffic for multicast groups 239.99.99.99-100 should be subject to VideoStream.

 Assume each stream will take 1000 Kbps of bandwidth with the default packet size.

 Only 5 GHz clients on the HQ-WPAEAP1-PodX WLAN should be able to take advantage of
VideoStream.

 Reserve 30% of the channel bandwidth for video traffic.

 If the RRC check fails on the initial join, allow the stream with Best Effort access.

 Clients should only be able to join one stream at a time.

 Periodically recheck if there is still enough bandwidth to support the existing streams.

 If a periodic recheck determines there is not enough bandwidth for all of the existing
streams, have it start dropping client streams.

 Ensure that users of this stream are the lasts ones to be kicked off by giving the stream
the highest priority.

VideoStream requires configuration in a number of different areas. First enable it globally, then define
the stream, then configure the radio policies, and finally enable it on the WLAN. Two of the requirements
map onto two different knobs that are easy to confuse: Best Effort QoS Admission on the radio covers a
client that fails the RRC check on its initial join (the task wants that client admitted as best effort, so
enable it), while the stream's violation policy covers a failed periodic re-evaluation (the task wants those
streams dropped, so use drop rather than fallback). Priority 8 is the highest, so this stream's clients are
the last ones to be dropped.

(WLC1) >config media-stream multicast-direct enable
(WLC1) >config media-stream add multicast-direct CCIEW 239.99.99.99 239.99.99.100 detail 1000 1200 periodic video 8 drop
(WLC1) >config 802.11b media-stream multicast-direct disable
(WLC1) >config 802.11a cac video acm enable
(WLC1) >config 802.11a cac video max-bandwidth 30
(WLC1) >config 802.11a media-stream multicast-direct client-maximum 1
(WLC1) >config 802.11a media-stream multicast-direct admission-besteffort enable
(WLC1) >config 802.11a enable network
(WLC1) >config 802.11b enable network
(WLC1) >config wlan media-stream multicast-direct 2 enable
(WLC1) >config wlan enable all

Testing

Connect the WIN7 PC to the WLAN using PEAP with the credentials iseuser1/IPexpert123.


There is an application called Multicast Hammer on the WIN7 client and on the Windows 2012 server
that can be used to send and receive multicast traffic. Use the application to have the Windows 2012
server send traffic to 239.99.99.99 and have the WIN7 client receive it on its wireless interface.

Windows 2012 settings.

WIN7 settings.

Once the stream is going, you should be able to view its details on the WLC and see if it was included
in VideoStream.

Most likely in the lab you won’t have any means to test the functionality.


Here is my client receiving the multicast feed.

And here is the stream as seen on the WLC.

(WLC1) >show media-stream client summary

Number of Clients................................ 1

Client Mac         Stream Name  Stream Type  Radio  WLAN  QoS    Status
-----------------  -----------  -----------  -----  ----  -----  --------
c8:d7:19:c0:05:90  CCIEW        MC-direct    5      2     Video  Admitted

Here we can see that the stream is getting the VideoStream treatment.


Helpful Verification Commands

 show media-stream client summary


 show media-stream group detail


This concludes Lab 178 of iPexpert’s CCIE Wireless DSG, Section 7, Volume 1
Copyright© iPexpert. All Rights Reserved.


Lab 179: VideoStream on IOS-XE :: Detailed Solutions

Technologies Covered

 VideoStream on IOS-XE



iPexpert’s Recommended Reading Material



 3650 Config Guide 3.6- Chapter 101

iPexpert’s Recommended Video Training


 Video Title: Media and Application Services- VideoStream on IOS-XE

Topology Detail

This lab requires access to CAT3, WIN7, and WIN2012.


Diagram 179.1: VideoStream on IOS-XE Topology

Lab 179 Setup

 Can this lab be practiced without completing a previous lab: YES
 If so, which lab load should be used: Media Services- Base
 Can this lab be practiced without a fresh lab load by using the final config of the previous lab: YES


Configuration Tasks :: Detailed Solutions

All configurations are on CAT3.

Stage the switch for VideoStream

1. If you didn’t do the Voice lab, create the HQ-WPAEAP1-PodX WLAN as described below. Otherwise,
just reuse that WLAN.

 SSID= HQ-WPAEAP1-PodX (where X is your rack number)

 Place clients on VLAN 13.

 Configure the WLAN to support 802.11n/ac speeds.

 Use ISE as the RADIUS server for client authentications.

 Specify the platinum QoS profile for the SSID egress QoS policy.

 Specify the platinum-up QoS profile for the SSID ingress QoS policy.

2. Enable multicast for wireless clients.

3. Ensure IGMP snooping is enabled globally and on all VLANs.

4. Have the switch send multicast traffic to its APs using the multicast group 239.10.113.13.

5. Use the Voice and Video EDCA profile to give video AC traffic better priority access to the RF
medium.

6. Enable Q0 and Q1 on wireless ports on the switch.

This is mostly the same as the last lab. Enabling IGMP snooping globally enables it on every VLAN, which
covers task 3 without any per-VLAN commands. I already have Q0 and Q1 enabled from an earlier lab.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wireless multicast
CAT3(config)#ip multicast-routing
CAT3(config)#ip igmp snooping
CAT3(config)#ap capwap multicast 239.10.113.13
CAT3(config)#ap dot11 24 shut
CAT3(config)#ap dot11 5g shut
CAT3(config)#ap dot11 24 edca-parameters optimized-video-voice
CAT3(config)#ap dot11 5g edca-parameters optimized-video-voice
CAT3(config)#end

CAT3#sho policy-map
Policy Map VOICE1_CLIENT
Class VOICE
police cir 500000 bc 15625
conform-action transmit
exceed-action drop
Class VIDEO
police cir 1000000 bc 31250
conform-action transmit
exceed-action drop

Policy Map port_child_policy
Class non-client-nrt-class
bandwidth remaining ratio 10
Class VOICE
priority level 1 10 (%)
Class VIDEO
priority level 2 20 (%)
Class class-default
bandwidth remaining ratio 90

Configure VideoStream

7. Enable multicast direct globally.

8. Configure Video Stream behavior as described below.

 Traffic for multicast group 239.13.13.13 should be subject to VideoStream.

 Assume each stream will take 500 Kbps of bandwidth with the default packet size.

 Only 5 GHz clients on the HQ-WPAEAP1-PodX WLAN should be able to take advantage of
VideoStream.

 Reserve 30% of the channel bandwidth for video traffic.

 If the RRC check fails on the initial join, they should be denied access to the stream.

 Send those users a SAP message saying “Try again later!”

 Only allow 10 streams per radio.

Best Effort QoS Admission (ap dot11 5ghz media-stream multicast-direct admission-besteffort) is left at
its default of disabled, so a client that fails the RRC check on its initial join is denied the stream rather
than demoted, and the SAP message is what that client is sent. The task text is "Try again later!", so use
it verbatim.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wireless media-stream multicast-direct
CAT3(config)#wireless media-stream group CCIEW 239.13.13.13 239.13.13.13
CAT3(config-media-stream)#max-bandwidth 500
CAT3(config-media-stream)#qos video
CAT3(config-media-stream)#exit
CAT3(config)#wireless media-stream message
CAT3(config)#wireless media-stream message notes "Try again later!"
CAT3(config)#no ap dot11 24ghz media-stream multicast-direct
CAT3(config)#ap dot11 5g media-stream multicast-direct
CAT3(config)#ap dot11 5g media-stream video-redirect
CAT3(config)#ap dot11 5g media-stream multicast-direct radio-maximum 10
CAT3(config)#ap dot11 5g cac video acm
CAT3(config)#ap dot11 5g cac video max-bandwidth 30
CAT3(config)#wlan HQ-WPAEAP1-Pod1
CAT3(config-wlan)#media-stream multicast-direct
CAT3(config-wlan)#service-policy input platinum-up
CAT3(config-wlan)#service-policy output platinum
CAT3(config-wlan)#no shut
CAT3(config-wlan)#exit
CAT3(config)#no ap dot11 24 shut
CAT3(config)#no ap dot11 5g shut
CAT3(config)#end

Testing

Connect the WIN7 PC to the WLAN using PEAP with the credentials iseuser1/IPexpert123.

There is an application called Multicast Hammer on the WIN7 client and on the Windows 2012 server
that can be used to send and receive multicast traffic. Use the application to have the Windows 2012
server send traffic to 239.13.13.13 and have the WIN7 client receive it on its wireless interface.


Once the stream is going, you should be able to view its details on the WLC and see if it was included
in VideoStream.

Most likely in the lab you won’t have any means to test the functionality.

Once my client connected I was able to start receiving traffic.

Here’s the media stream info for the client.

CAT3#show wireless media-stream client summary

Number of Clients : 1

Client Mac      Stream Name  Dest IP Address  AP Name  Radio  WLAN  QoS    Status
--------------  -----------  ---------------  -------  -----  ----  -----  --------
c8d7.19c0.0590  CCIEW        239.13.13.13     LAP1     5G     2     video  Admitted


Helpful Verification Commands

 show policy-map
 show wireless media-stream client summary
 show wireless media-stream group detail


This concludes Lab 179 of iPexpert’s CCIE Wireless DSG, Section 7, Volume 1
Copyright© iPexpert. All Rights Reserved.


Lab 180: mDNS :: Detailed Solutions

Technologies Covered

 mDNS/Bonjour Gateway



iPexpert’s Recommended Reading Material



 WLC Config Guide 8.0- Chapter 12

iPexpert’s Recommended Video Training


 Video Title: Media and Application Services- mDNS on AireOS

Topology Detail

This lab requires access to WLC1, CAT3, and WIN7.


Diagram 180.1: mDNS Topology

Lab 180 Setup

 Can this lab be practiced without completing a previous lab: YES
 If so, which lab load should be used: Media Services- Base
 Can this lab be practiced without a fresh lab load by using the final config of the previous lab: YES


Configuration Tasks :: Detailed Solutions

All configurations are on WLC1.

Enabling mDNS and Basic Wireless Snooping

1. If you didn’t do the Voice lab, create the HQ-WPAEAP1-PodX WLAN as described below. Otherwise,
just reuse that WLAN.

 SSID= HQ-WPAEAP1-PodX (where X is your rack number)

 Place clients on VLAN 13.

 Configure the WLAN to support 802.11n/ac speeds.

 Use ISE as the RADIUS server for client authentications.

I already have this working from before.

2. Enable mDNS snooping globally.

This is disabled by default.

(WLC1) >config mdns snooping enable

(WLC1) >show mdns service summary

Number of Services.............................. 9
Mobility learning status ........................ Enabled
Service-Name              LSS  Origin  No SP  Service-string
------------------------  ---  ------  -----  --------------------------------
AirTunes                  No   All     0      _raop._tcp.local.
Airplay                   No   All     0      _airplay._tcp.local.
HP_Photosmart_Printer_1   No   All     0      _universal._sub._ipp._tcp.local.
HP_Photosmart_Printer_2   No   All     0      _cups._sub._ipp._tcp.local.
HomeSharing               No   All     0      _home-sharing._tcp.local.
Printer-IPP               No   All     0      _ipp._tcp.local.
Printer-IPPS              No   All     0      _ipps._tcp.local.
Printer-LPD               No   All     0      _printer._tcp.local.
Printer-SOCKET            No   All     0      _pdl-datastream._tcp.local.
* -> If access policy is enabled LSS will be ignored.


3. Verify that the default mDNS profile is enabled on the WLAN and connect your client using PEAP
with the credentials iseuser1/IPexpert123.

This is enabled by default on WLANs.

(WLC1) >show wlan 2

[lines omitted]
mDNS Status...................................... Enabled
mDNS Profile Name................................ default-mdns-profile

4. Open iTunes on the WIN7 client and look at the mDNS browser information. You should see an
entry from your client for _daap._tcp.local. This is the iTunes Music Sharing service. Services not
on the master service list will show up on this list when detected.

iTunes gives you an error about not being able to play stuff correctly, but that’s OK. Click past it. Now
look at the mDNS browser info.

(WLC1) >show mdns service browser

**** PRINTING BONJOUR BROWSER AVL TREE ENTRIES ***********
-------------------------------------------------
Total service types NOT-LEARNT BY WLC.... = 2

Key................................... = 1134.13.10.10.in-addr.arpa.
Service string type................... = 4.13.10.10.in-addr.arpa.
Service Provider Client MAC........... = C8:D7:19:C0:05:90
Service Provider AP-MAC............... = 54:78:1A:89:37:E0
Is this a Priority SP................. = No
Service Provider VLAN................. = 13
Service Provider Origin Type.......... = Wireless
Service Provider TTL.................. = 120
TTL Time remaining (sec) ............. = 20
-------------------------------------------------

Key................................... = 113_daap._tcp.local.
Service string type................... = _daap._tcp.local.
Service Provider Client MAC........... = C8:D7:19:C0:05:90
Service Provider AP-MAC............... = 54:78:1A:89:37:E0
Is this a Priority SP................. = No
Service Provider VLAN................. = 13
Service Provider Origin Type.......... = Wireless
Service Provider TTL.................. = 120
TTL Time remaining (sec) ............. = 23
-------------------------------------------------

Here we see that the WLC received two different service advertisements. The 2nd one is the one that
we care about. It only has a TTL of 2 minutes. So if you missed it, just close/reopen iTunes for a fresh
advertisement. We see that it was learned over the wireless network on VLAN 13.

5. Add this service to the master services list with a service name of “iTunes Music Sharing”. You
should see the entry that was under the mDNS browser now shows under this service.

There is actually a pre-canned service in the GUI for this, but we’ll do it in the CLI as usual.

(WLC1) >config mdns service create "iTunes Music Sharing" _daap._tcp.local. origin all lss disable query enable

(WLC1) >show mdns service summary

Number of Services.............................. 10
Mobility learning status ........................ Enabled
Service-Name              LSS  Origin  No SP  Service-string
------------------------  ---  ------  -----  --------------------------------
AirTunes                  No   All     0      _raop._tcp.local.
Airplay                   No   All     0      _airplay._tcp.local.
HP_Photosmart_Printer_1   No   All     0      _universal._sub._ipp._tcp.local.
HP_Photosmart_Printer_2   No   All     0      _cups._sub._ipp._tcp.local.
HomeSharing               No   All     0      _home-sharing._tcp.local.
Printer-IPP               No   All     0      _ipp._tcp.local.
Printer-IPPS              No   All     0      _ipps._tcp.local.
Printer-LPD               No   All     0      _printer._tcp.local.
Printer-SOCKET            No   All     0      _pdl-datastream._tcp.local.
iTunes Music Sharing      No   All     1      _daap._tcp.local.
* -> If access policy is enabled LSS will be ignored.


Now the WLC knows about the service. It won’t show up in the mDNS browser list any more. Instead,
you see the advertisements under the service.

(WLC1) >show mdns service detailed "iTunes Music Sharing"

Service Name..................................... iTunes Music Sharing
Service String................................... _daap._tcp.local.
Service Id....................................... 10
Service query status............................. Enabled
Service LSS status............................... Disabled
Service learn origin............................. Wireless and Wired
Number of Profiles............................... 0
Number of Service Providers ..................... 1
Number of priority MAC addresses ................ 0

ServiceProvider                    MAC Address        AP Radio MAC       Vlan Id  Type      TTL (sec)  Time left (sec)
---------------------------------  -----------------  -----------------  -------  --------  ---------  ---------------
admin’s Library._daap._tcp.local.  C8:D7:19:C0:05:90  54:78:1A:89:37:E0  13       Wireless  4500       4397

Also note that the WLC re-advertises the service with a much larger TTL (4500 seconds) than the 120
seconds the client originally advertised.

6. Add this new service to the default mDNS profile so that others can learn about it.

Until we do this, the service is not discoverable by other wireless clients on different subnets.

(WLC1) >config mdns profile service add default-mdns-profile "iTunes Music Sharing"

(WLC1) >show mdns profile detailed default-mdns-profile

Profile Name..................................... default-mdns-profile
Profile Id....................................... 1
No of Services................................... 10
Services......................................... AirTunes
                                                  Airplay
                                                  HP_Photosmart_Printer_1
                                                  HP_Photosmart_Printer_2
                                                  HomeSharing
                                                  Printer-IPP
                                                  Printer-IPPS
                                                  Printer-LPD
                                                  Printer-SOCKET
                                                  iTunes Music Sharing

Wired mDNS snooping

7. Enable the default mDNS profile on the WLC vlan13 and vlan15 interfaces.

This is disabled by default. Enabling this allows the WLC to snoop the wired network on these VLANs
for mDNS service advertisements. This way, wireless clients will be able to learn about wired devices
on different subnets.

(WLC1) >config wlan disable 2


(WLC1) >config interface mdns-profile vlan13 default-mdns-profile
(WLC1) >config interface mdns-profile vlan15 default-mdns-profile
(WLC1) >config wlan enable 2

8. Shut/no shut the switch port connecting to the Apple Airport device on CAT3, which will cause
some fresh mDNS advertisements to flow. You should see them listed on WLC1 in the mDNS
browser.

There are a number of advertisements that go out. Here is the list of the strings.

CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#int gi1/0/6
CAT3(config-if)#shut
CAT3(config-if)#no shut
CAT3(config-if)#end

(WLC1) >grep include string "show mdns service browser"

Press any key to continue..
Service string type................... = 2.9.D.B.B.B.E.F.F.F.B.3.6.3.6.3.0.0.0.0.0.0.0.0.0.0.0.0.0.8.E.F.ip6.arpa.
Service string type................... = 4.15.10.10.in-addr.arpa.
Service string type................... = 58.196.254.169.in-addr.arpa.
Service string type................... = _airport._tcp.local.
Service string type................... = _device-info._tcp.local.
Service string type................... = _sleep-proxy._udp.local.
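The grep above only shows the service strings. The following Python script is an added example (not part of the iPexpert guide or of Cisco's software) that parses the full show mdns service browser output into records, discards the reverse-lookup (in-addr.arpa / ip6.arpa) entries that are address records rather than DNS-SD service types, and groups the remaining service strings by VLAN, origin and source MAC. The sample output embedded in the script is constructed to match the format shown above; the wired Airport entry and its AP-MAC value are assumptions. Reviewing this inventory before adding a service to default-mdns-profile is worth the minute it takes, because anything added to that profile becomes discoverable on every WLAN and interface that uses the profile.

```python
import re
from collections import defaultdict

# Constructed sample in the format of 'show mdns service browser' on AireOS 8.0.
# The first two blocks mirror the guide's output; the wired Airport block is an assumption.
SAMPLE = """\
**** PRINTING BONJOUR BROWSER AVL TREE ENTRIES ***********
-------------------------------------------------
Total service types NOT-LEARNT BY WLC.... = 3

Key................................... = 1134.13.10.10.in-addr.arpa.
Service string type................... = 4.13.10.10.in-addr.arpa.
Service Provider Client MAC........... = C8:D7:19:C0:05:90
Service Provider AP-MAC............... = 54:78:1A:89:37:E0
Is this a Priority SP................. = No
Service Provider VLAN................. = 13
Service Provider Origin Type.......... = Wireless
Service Provider TTL.................. = 120
TTL Time remaining (sec) ............. = 20
-------------------------------------------------

Key................................... = 113_daap._tcp.local.
Service string type................... = _daap._tcp.local.
Service Provider Client MAC........... = C8:D7:19:C0:05:90
Service Provider AP-MAC............... = 54:78:1A:89:37:E0
Is this a Priority SP................. = No
Service Provider VLAN................. = 13
Service Provider Origin Type.......... = Wireless
Service Provider TTL.................. = 120
TTL Time remaining (sec) ............. = 23
-------------------------------------------------

Key................................... = 115_airport._tcp.local.
Service string type................... = _airport._tcp.local.
Service Provider Client MAC........... = 34:36:3B:BB:BD:92
Service Provider AP-MAC............... = 00:00:00:00:00:00
Is this a Priority SP................. = No
Service Provider VLAN................. = 15
Service Provider Origin Type.......... = Wired
Service Provider TTL.................. = 4500
TTL Time remaining (sec) ............. = 4431
-------------------------------------------------
"""

# "Field name.......... = value" lines; the name is everything before the dot leader
FIELD_RE = re.compile(r"^(?P<name>.+?)\s*\.{2,}\s*=\s*(?P<value>.*)$")
REVERSE_SUFFIXES = (".in-addr.arpa.", ".ip6.arpa.")


def parse_browser(text):
    """Split the browser dump into one dict per entry, keyed by the field names."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("---"):            # separator closes the current entry
            if cur:
                records.append(cur)
            cur = None
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        name, value = m.group("name").strip(), m.group("value").strip()
        if name == "Key":                      # every entry starts with Key
            if cur:
                records.append(cur)
            cur = {}
        if cur is not None:                    # header counters before the first Key are skipped
            cur[name] = value
    if cur:
        records.append(cur)
    return records


def is_reverse_lookup(service_string):
    """PTR owners under in-addr.arpa / ip6.arpa are address records, not DNS-SD service types."""
    return service_string.endswith(REVERSE_SUFFIXES)


def unknown_services(records):
    """service string -> sorted [(vlan, origin, mac)] for the entries worth reviewing."""
    seen = defaultdict(set)
    for r in records:
        svc = r.get("Service string type", "")
        if not svc or is_reverse_lookup(svc):
            continue
        seen[svc].add((int(r["Service Provider VLAN"]),
                       r["Service Provider Origin Type"],
                       r["Service Provider Client MAC"]))
    return {svc: sorted(v) for svc, v in seen.items()}


def expiring(records, within_sec=30):
    """Entries about to age out; the guide notes the 120 s client TTL is easy to miss."""
    return [r["Service string type"] for r in records
            if int(r["TTL Time remaining (sec)"]) <= within_sec]


if __name__ == "__main__":
    recs = parse_browser(SAMPLE)
    for svc, providers in sorted(unknown_services(recs).items()):
        print(svc, providers)
    print("expiring soon:", expiring(recs))
```

Paste the real output of show mdns service browser into SAMPLE (or read it from a file) to run this against your own controller; the field names are the ones the WLC prints, so no other change is needed.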

9. Find the airport service and add it to the global services list with a name of Airport

 Have the WLC query for this service every 10 minutes.

(WLC1) >config mdns service create Airport _airport._tcp.local. origin all lss disable query enable
(WLC1) >config mdns query interval 10

(WLC1) >show mdns service detailed Airport

Service Name..................................... Airport
Service String................................... _airport._tcp.local.
Service Id....................................... 11
Service query status............................. Enabled
Service LSS status............................... Disabled
Service learn origin............................. Wireless and Wired
Number of Profiles............................... 0
Number of Service Providers ..................... 1
Number of priority MAC addresses ................ 0

ServiceProvider             MAC Address        AP Radio MAC  Vlan Id  Type   TTL (sec)  Time left (sec)
--------------------------  -----------------  ------------  -------  -----  ---------  ---------------
Rack3._airport._tcp.local.  34:36:3B:BB:BD:92  ------        15       Wired  4500       4431

10. Add this service to the default mDNS profile.

(WLC1) >config mdns profile service add default-mdns-profile Airport


11. Ensure that the WIN7 client is connected to the HQ-WPAEAP1-PodX WLAN, open a command
prompt, run the command dns-sd -B _airport._tcp and look for an entry to populate.

 This command does a service request, asking if anyone is offering that service. With the
Bonjour Gateway, services do need to be requested and not just passively heard by the
wireless clients.

Here we see a single response for the airport express named Rack3. It’ll sit there for a while looking.
Just press Ctrl+C to break out of it after you get your entry to show up.
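What dns-sd -B does on the wire is send an mDNS PTR query for _airport._tcp.local. to 224.0.0.251:5353 and print the PTR answers it hears. The script below is an added example (not from the guide or from Apple's or Cisco's code) that builds that query and parses a PTR response, including DNS name compression, which Bonjour responders use heavily. It runs offline against a constructed response in the shape a responder (or the WLC's Bonjour Gateway answering on the client's behalf) would send; the instance name Rack3 and TTL 4500 are taken from the output above, and the exact record layout of the gateway's answer is an assumption. Note the pointer-loop guard in decode_name: a malformed or hostile mDNS packet can otherwise send a naive parser into an infinite loop.

```python
import struct

MDNS_GROUP = ("224.0.0.251", 5353)   # where dns-sd sends the query; unused offline
TYPE_PTR = 12
CLASS_IN = 1


def encode_name(name):
    """Encode 'Rack3._airport._tcp.local.' as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("utf-8")
        if not 0 < len(raw) < 64:
            raise ValueError("label must be 1-63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_ptr_query(service, txid=0):
    """The query dns-sd -B sends: one PTR question, QR=0, class IN (multicast reply wanted)."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(service) + struct.pack("!HH", TYPE_PTR, CLASS_IN)


def decode_name(msg, off):
    """Decode a (possibly compressed) name at off; return (name, offset after the field)."""
    labels = []
    end = None                      # set once the first compression pointer is followed
    hops = 0
    while True:
        ln = msg[off]
        if (ln & 0xC0) == 0xC0:     # two-byte pointer into an earlier part of the message
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            hops += 1
            if hops > 32:           # hostile packets can point in a circle
                raise ValueError("compression pointer loop")
            off = ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("utf-8"))
        off += ln
    return ".".join(labels) + ".", (off if end is None else end)


def parse_ptr_answers(msg):
    """Return [(owner, instance, ttl)] for every PTR record in a response."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if not (flags & 0x8000):
        raise ValueError("not a response")
    off = 12
    for _ in range(qd):             # skip echoed questions
        _, off = decode_name(msg, off)
        off += 4
    results = []
    for _ in range(an + ns + ar):
        owner, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_PTR:       # rdata is a name and may itself use pointers
            instance, _ = decode_name(msg, off)
            results.append((owner, instance, ttl))
        off += rdlen
    return results


def build_ptr_response(service, instance, ttl):
    """Constructed answer (assumption) in the shape a Bonjour responder sends:
    QR=1, AA=1, one PTR record whose rdata is the instance label plus a pointer
    back to the owner name, which sits right after the 12-byte header."""
    header = struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 0)
    owner = encode_name(service)                       # starts at offset 12
    rdata = bytes([len(instance)]) + instance.encode("utf-8") + struct.pack("!H", 0xC000 | 12)
    rr = struct.pack("!HHIH", TYPE_PTR, 0x8001, ttl, len(rdata)) + rdata   # 0x8001: IN + cache-flush
    return header + owner + rr


if __name__ == "__main__":
    print(build_ptr_query("_airport._tcp.local.").hex())
    reply = build_ptr_response("_airport._tcp.local.", "Rack3", 4500)
    print(parse_ptr_answers(reply))
```

To turn this into a live browser, send build_ptr_query() to MDNS_GROUP from a UDP socket bound to port 5353 with IP_ADD_MEMBERSHIP set, and feed each datagram you receive to parse_ptr_answers(); on the lab WLAN the answer for Rack3 comes from the WLC rather than from the Airport itself, which is exactly the gateway behaviour step 11 is verifying.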

12. Enable AP-based mDNS snooping on the LAP4 AP. Have it snoop on VLAN 5, then configure the
switch port to be a trunk with VLANs 5 and 115 allowed and 115 as the native VLAN.

Often times our WLC cannot snoop all of the wired VLANs itself. So we can enlist the help of our APs to
do it.

(WLC1) >config mdns ap enable LAP4 vlan 5

CAT2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT2(config)#int fa0/4
CAT2(config-if)#sw tr en do
CAT2(config-if)#sw tr nat vl 115
CAT2(config-if)#sw tr all vl 5,115
CAT2(config-if)#sw mo tr
CAT2(config-if)#end

CAT2#sho int fa0/4 trunk

Port        Mode             Encapsulation  Status        Native vlan
Fa0/4       on               802.1q         trunking      115

Port        Vlans allowed on trunk
Fa0/4       5,115

Port        Vlans allowed and active in management domain
Fa0/4       5,115

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/4       5,115

13. Disconnect the WIN7 client from the wireless network and open up iTunes (close and open if it’s
current still open). This will send an mDNS service advertisement on the wired interface on VLAN
5.

Open iTunes. In my testing, if you do it while the client is connected wirelessly, the service
advertisement only goes out the wireless interface.

14. Verify that the entry shows up under the iTunes Music Sharing service list as being seen through
wired snooping on VLAN 5.

(WLC1) >show mdns service detailed "iTunes Music Sharing"

Service Name..................................... iTunes Music Sharing
Service String................................... _daap._tcp.local.
Service Id....................................... 10
Service query status............................. Enabled
Service LSS status............................... Disabled
Service learn origin............................. Wireless and Wired
Number of Profiles............................... 1
Profile.......................................... default-mdns-profile
Number of Service Providers ..................... 1
Number of priority MAC addresses ................ 0

ServiceProvider                    MAC Address        AP Radio MAC       Vlan Id  Type     TTL (sec)  Time left (sec)
---------------------------------  -----------------  -----------------  -------  -------  ---------  ---------------
admin’s Library._daap._tcp.local.  00:50:56:9B:D4:FC  54:78:1A:89:37:E0  5        mDNS AP  4500       4473

Note how the Type is an mDNS AP; so you can tell that it was the AP that detected the advertisement.

Helpful Verification Commands

 show mdns service summary


 show wlan
 show mdns service browser
 show mdns service detailed
 show mdns profile detailed


This concludes Lab 180 of iPexpert’s CCIE Wireless DSG, Section 7, Volume 1
Copyright© iPexpert. All Rights Reserved.


Lab 181: AVC :: Detailed Solutions

Technologies Covered

 Application Visibility and Control (AVC)



iPexpert’s Recommended Reading Material


 WLC Config Guide 8.0- Chapter 16

iPexpert’s Recommended Video Training


 Video Title: Media and Application Services- AVC on AireOS

Topology Detail

This lab requires access to WLC1 and WIN7.


Diagram 181.1: AVC Topology

Lab 181 Setup

 Can this lab be practiced without completing a previous lab: YES
 If so, which lab load should be used: Media Services- Base
 Can this lab be practiced without a fresh lab load by using the final config of the previous lab: YES


Configuration Tasks :: Detailed Solutions

All configurations are on WLC1.

Enable AVC and Track Information

1. If you didn’t do the Voice lab, create the HQ-WPAEAP1-PodX WLAN as described below. Otherwise,
just reuse that WLAN.

 SSID= HQ-WPAEAP1-PodX (where X is your rack number)

 Place clients on VLAN 13.

 Configure the WLAN to support 802.11n/ac speeds.

 Use ISE as the RADIUS server for client authentications.

I already have this from a previous lab.

2. Enable AVC on the WLAN.

This will allow the tracking of applications on the WLAN. No actions will be taken yet.

(WLC1) >config wlan disable 2


(WLC1) >config wlan avc 2 visibility enable
(WLC1) >config wlan enable 2

3. Connect your WIN7 client to the WLAN using PEAP and credentials iseuser1/IPexpert123, then
browse to https://10.10.113.13 and https://10.10.120.10 to generate some web traffic. Ping
10.10.13.1. Feel free to do other things as well to generate traffic. Just don't target anything on VLAN
5, because the WIN7 client will send that traffic out its wired interface and the WLC will never see it.

4. Look at the AVC information for the controller as well as on your client.

It can take a little while for the AVC records to catch up, but only 1-2 minutes. The GUI is the nicest place
to see most of this. To look at the WLAN stats, go to Monitor > Applications > WLAN #.


And you can also look at the individual client stats as well.

Configure an AVC profile

5. Create a new AVC profile named CCIEW with the following best practice settings for Jabber.

• Apply the following marking in both directions.
• Jabber Audio = DSCP 46
• Jabber Video = DSCP 34


• Jabber Call Control = DSCP 24

6. Additionally, add the following application rules in the profile.

• Drop all ping traffic.
• Rate limit HTTP and HTTPS traffic to 1000 Kbps with a burst of 1000 Kbps in both directions.

Creating a profile in the CLI is pretty painful unless you already have the exact application names from
the AVC application list. There is no context-sensitive help for them, so let's just do it in the GUI.

Name it and then edit it as shown below.

HTTPS traffic is categorized as SSL in AVC.
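To make the rule semantics of the CCIEW profile concrete, here is an added Python model of it (an illustration written for this guide, not WLC or iPexpert code). It assumes the NBAR names cisco-jabber-audio, cisco-jabber-video and cisco-jabber-control for the Jabber rules, and a token-bucket policer for the rate-limit action, since AireOS does not document its policer; ping, http and ssl are the names this lab uses.

```python
"""Model of the lab's CCIEW AVC profile: one action per recognised application.

Constructed example. The Jabber NBAR names and the token-bucket policer are
assumptions made for illustration, not documented AireOS behaviour.
"""
from dataclasses import dataclass


@dataclass
class Rule:
    action: str          # "mark", "drop" or "ratelimit"
    dscp: int = 0        # DSCP value for "mark"
    avg_kbps: int = 0    # sustained rate for "ratelimit"
    burst_kbps: int = 0  # bucket depth for "ratelimit"


# The lab's profile. HTTPS shows up as "ssl" in AVC, so it needs its own rule.
CCIEW = {
    "cisco-jabber-audio":   Rule("mark", dscp=46),   # assumed NBAR name
    "cisco-jabber-video":   Rule("mark", dscp=34),   # assumed NBAR name
    "cisco-jabber-control": Rule("mark", dscp=24),   # assumed NBAR name
    "ping":                 Rule("drop"),
    "http":                 Rule("ratelimit", avg_kbps=1000, burst_kbps=1000),
    "ssl":                  Rule("ratelimit", avg_kbps=1000, burst_kbps=1000),
}


class TokenBucket:
    """Policer that refills at avg_kbps and holds at most burst_kbps of credit."""
    def __init__(self, avg_kbps, burst_kbps):
        self.rate = avg_kbps * 1000     # bits per second
        self.depth = burst_kbps * 1000  # bits
        self.tokens = self.depth
        self.last = 0.0

    def conform(self, bits, now):
        self.tokens = min(self.depth, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if bits <= self.tokens:
            self.tokens -= bits
            return True
        return False


def apply_profile(profile, packets):
    """packets: (app, direction, size_bytes, time_s). Returns one action per packet."""
    buckets = {}   # one policer per application and direction ("both directions")
    results = []
    for app, direction, size, now in packets:
        rule = profile.get(app)
        if rule is None:
            results.append("forward")   # unmatched traffic keeps default handling
        elif rule.action == "drop":
            results.append("drop")
        elif rule.action == "mark":
            results.append(f"mark dscp {rule.dscp}")
        else:
            key = (app, direction)
            b = buckets.setdefault(key, TokenBucket(rule.avg_kbps, rule.burst_kbps))
            results.append("forward" if b.conform(size * 8, now) else "police")
    return results
```

Feeding a constructed packet list through apply_profile(CCIEW, ...) shows why the ping test in step 7 is the easy one: it is dropped outright, while the rate limiter only bites once a direction has exhausted its 1000 Kbps burst.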


7. Assign the profile to the WLAN and connect your client again.

(WLC1) >config wlan disable 2
(WLC1) >config wlan avc 2 profile CCIEW enable
(WLC1) >config wlan enable 2

The markings are hard to test, and you probably won't be able to see the rate limiting in action either,
but pings are an easy one to test.

The pings that worked before now are getting dropped by the AVC policy.


Helpful Verification Commands

• Use the GUI

Technical Verification and Support

For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.

This concludes Lab 181 of iPexpert’s CCIE Wireless DSG, Section 7, Volume 1
Copyright© iPexpert. All Rights Reserved.
