
Catalyst 9800 Series Wireless Controller v1

First Published: 2020-04-30

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
© 2020 Cisco Systems, Inc. All rights reserved.
CONTENTS

CHAPTER 1 About 1
    About This Demonstration 1
        Hands-on Description 1
    About This Solution 3

CHAPTER 2 Requirements 5
    Requirements 5

CHAPTER 3 Topology 7
    Topology 7

CHAPTER 4 Getting Started 9
    Before Presenting 9
    Get Started 9

CHAPTER 5 Scenarios 11
    Scenario 1: Basic WLAN Design Flow to create a WLAN 11
        Define a Location 11
        Provision an AP to the location 14
        Define DHCP Server 15
        Review Configuration 16
        Test Connectivity 18
    Scenario 2: Use Advanced WLAN Design Flow to create a WLAN 18
        Create a WLAN Profile 20
        Create a Policy Profile 24
        Create a Policy Tag 26
        Tag the Access Point 27
        Verify the connectivity 28
    Scenario 3: Application Visibility and App QoS Policy 29
        Enable Application Visibility 30
        View the Applications detected 31
        View and Verify the App QoS Policy 33
    Scenario 4: Local Profiling on the WLC 35
        Enable local profiling and view the device types 35
        Create a local profiling policy to apply different policies based on device types 37
        View Samsung Device Details 40
    Scenario 5: Detailed WLAN Configuration 42
        Define AAA Servers on C9800 43
        Define AAA Server Groups and Global settings on C9800 44
        Define Authentication, Authorization and Accounting Lists on C9800 46
        Create Webauth Parameter Map (Required for BYOD) 49
        Create VLANs 50
        Create WLAN Profiles 51
        Create Policy Profiles 55
        Create Policy Tag 59
        Assign Policy Tag to AP 59
        Create Redirect ACL (Referenced via RADIUS) 60
        (Optional) Create URL Filter for BYOD Flow (Referenced via RADIUS) 61
    Scenario 6: ISE Configuration for .1x & BYOD 62
        Validate C9800 is added to ISE as Network Device 63
        Modify Native Supplicant Provisioning Profile 64
        Review Portals: BYOD Portal 65
        Review Portals: Hotspot Portal 66
        Create/Review downloadable ACLs (dACLs) 67
        Create/Modify Authorization Profiles: NSP_Onboard 68
        Create/Modify Authorization Profiles: Cisco_WebAuth 70
        Internet_Only Authorization 71
        Create Policy for Internal SSID 74
        Create Policy for Guest SSID 75
    Scenario 7: Client Testing for Guest & BYOD 77
        Test Hotspot Flow 77
        Test BYOD flow 79
    Scenario 8: Create a Flex Connect WLAN 79
        Create your Flex Profile 80
        Create a new Policy for the Flex WLAN 81
        Modify the Employee WLAN to use the new Policy 83
        Create a new Site Tag for Flex 84
        Apply the new Site Tag to your AP 85

CHAPTER 6 What's Next? 87
    What's Next 87

CHAPTER 1
About
• About This Demonstration, on page 1
• About This Solution, on page 3

About This Demonstration


With 26 billion networked devices connections by 2020, 120 million new malware variants every year,
businesses losing $700 billion a year to IT downtime and 86 percent cloud adoption among enterprises by
2019, customers expect a wireless and wired network that is always on, has integrated security, and can be
deployed anywhere, including in the cloud of their choice.

Hands-on Description
This hands-on lab walks students through multiple exercises that introduce the new Cisco 9800 WLAN
Controller. Here is an overview of the steps you will walk through in this lab.
• Use the Basic WLAN Design Flow to create a WLAN
    • Test the WLAN
    • Review the configuration that was generated from the Basic Design Flow
    • Review the CLI for the WLAN configuration
• Use the Advanced WLAN Design Flow to create a WLAN
    • Create a WLAN Profile, Policy Profile, and Policy Tag using the advanced wizard
    • Test the WLAN
• Enable Application Visibility on the WLAN
    • Enable Application Visibility and view the applications
    • Define a QoS policy to control the applications
• Local Profiling on the WLC
    • Enable Local Profiling on the WLC
• Detailed WLAN Configuration
    • Define AAA on C9800
    • Create Webauth Parameter Map (Required for BYOD)
    • Create VLANs
    • Create WLAN Profiles
    • Create Policy Profiles
    • Create Policy Tag
    • Assign Policy Tag to AP
    • Create Redirect ACL
    • Create URL Filter for BYOD Flow
• ISE Configuration
    • Validate C9800 is added to ISE as Network Device
    • Modify Native Supplicant Provisioning Profile
    • Review Portals
        • BYOD Portal
        • Hotspot Portal
    • Create/Review downloadable ACLs (dACLs)
    • Create/Modify Authorization Profiles
        • NSP_Onboard
        • Cisco_WebAuth
        • Internet_Only
    • Create Policy Sets
        • Create Policy for Internal SSID
        • Create Policy for Guest SSID
• Client Testing for Guest & BYOD
    • Hotspot Flow
    • Test BYOD Flow
• Create a FlexConnect WLAN and apply it to an AP
    • Convert your AP to FlexConnect Mode


About This Solution


Built from the ground up for intent-based networking and Cisco DNA, Cisco Catalyst 9800 Series Wireless
Controllers bring together Cisco IOS XE Software and Cisco RF excellence to create a best-in-class wireless
experience for your evolving and growing organization.
The Cisco Catalyst 9800 Series Wireless Controllers are based on an open, programmable architecture with
built-in security, streaming telemetry, and rich analytics.
The controllers are always on, are secure, and can be deployed anywhere—three pillars of network excellence
that strengthen the network by providing the best wireless experience without compromise, while saving time
and money.
• Always on: High availability and seamless software updates, enabled by hot patching, keep your clients
and services always on during planned and unplanned events. Bug fixes, access point deployment at multiple
sites, network updates, and more can be handled without rebooting the controller or impacting the
operation of the network.
• Secure: The wireless infrastructure becomes the strongest first line of defense with Encrypted Traffic Analytics
and Cisco Software-Defined Access. The controllers come with built-in security to secure the controller
and the network: Secure Boot, runtime defenses, image signing, integrity verification, and hardware
authenticity.
• Deploy anywhere: Whether your deployment choice is an on-premises solution or a cloud deployment,
the Cisco Catalyst 9800 Series Wireless Controllers allow the controller to be managed and deployed
anywhere.

The Cisco Catalyst 9800 Series Wireless Controllers support open and programmable APIs that enable flexible
management and automation of your day-0 to day-N network operations. Model-driven streaming telemetry
provides deep insights into your network and client health.
For more information regarding the 9800 platform, refer to
https://www.cisco.com/c/en/us/products/wireless/catalyst-9800-series-wireless-controllers/index.html

CHAPTER 2
Requirements
• Requirements, on page 5

Requirements
The table below outlines the requirements for this preconfigured demonstration.

Required: Endpoint router with Standalone Access Point (CAPWAP in EZVPN) [1], or Standalone Access Point
(CAPWAP) [2]
Details: dCloud Endpoint Router Kit, for example an 819HWD router, registered and configured for dCloud.
    Note: The internal AP will not work with this demo and should be disabled.
    A standalone access point can be used along with an Endpoint Router (preferred) but can also be used
    without one. See this page for more information.
    Use a supported wireless access point for the C9800-CL v17.2. For more information refer to
    https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-2/release-notes/rn-17-2-9800.html#id_88396
    [1] TCP port 443 required.
    [2] UDP ports 5246 and 5247 required.

Required: Monitoring Workstation
Details: Laptop

Required: User Devices
Details: Tablet or smartphone, or an additional laptop.
    Notes: For the best experience use an iOS device. Android will also work, but not as seamlessly as
    iOS devices for BYOD onboarding.
    BYOD onboarding in this demo is only supported with Mac OS X, Windows, Android, and Apple iOS.

Note It is required that you have at least two end user devices for this demonstration—one for monitoring and
connecting to the backend components, and at least one device to onboard.


Important If you plan on onboarding a laptop during the demonstration, it is required that you have a second laptop. The
first laptop would be necessary to access the dCloud Workstation1 via RDP or the component portal(s) directly
using the VPN option (to show the ISE UI and other demo features) and the second laptop would be necessary
to demonstrate joining the hotspot or guest networks.

CHAPTER 3
Topology
• Topology, on page 7

Topology
This content includes preconfigured users and components to illustrate the scripted scenarios and features of
the solution. Most components are fully configurable with predefined administrative user accounts. You can
see the IP address and user account credentials to use to access a component by clicking the component icon
in the Topology menu of your active session and in the scenario steps that require their use.


Figure 1: dCloud Topology

Table 1: Equipment Details

C9800-CL (17.2)
    IP Address: Private 198.19.11.10; Public: see Session Details
    Access Method: Workstation1 browser, or local browser
    Username: Session Owner
    Password: Session ID
    Device: Wlc.dcloud.cisco.com

WKST1
    IP Address: 198.18.133.36
    Access Method: WebRDP or AnyConnect
    Username: administrator
    Password: C1sco12345
    Device: Workstation1 (RDP access)

Exchange Server
    IP Address: 198.18.133.2
    Access Method: WebRDP or AnyConnect
    Username: administrator
    Password: C1sco12345
    Device: OWA Mail (access through the bookmarks)

AD1
    IP Address: 198.18.133.1
    Access Method: WebRDP or AnyConnect
    Username: administrator
    Password: C1sco12345
    Device: AD1 (RDP access)

Portals
    IP Address: 198.18.133.110
    Access Method: PuTTY
    Username: linuxuser
    Password: C1sco12345
    Device: Portals (see Table 3)

ISE (2.4)
    IP Address: 198.18.133.27
    Access Method: Workstation1 browser
    Username: admin
    Password: C1sco12345
    Device: Ise.securitydemo.net

CHAPTER 4
Getting Started
• Before Presenting, on page 9
• Get Started, on page 9

Before Presenting
Cisco dCloud strongly recommends that you perform the tasks in this document before presenting in front of
a live audience. This will allow you to become familiar with the structure of the document and content.

PREPARATION IS KEY TO A SUCCESSFUL PRESENTATION.

Get Started
Follow the steps to schedule a session of the content and configure your presentation environment

Procedure

Step 1 Initiate your dCloud session. [Show Me How]


Note It may take up to 10 minutes for your session to become active.

Step 2 For best performance, connect to the workstation with Cisco AnyConnect VPN [Show Me How] and the local
RDP client on your laptop [Show Me How]
Workstation 1: 198.18.133.36, Username: administrator, Password: C1sco12345
Note You can also connect to the workstation using the Cisco dCloud Remote Desktop client [Show Me
How]. The dCloud Remote Desktop client works best for accessing an active session with minimal
interaction. However, many users experience connection and performance issues with this method.

Step 3 Open Firefox on Workstation1.


Your homepage is set to http://topo.dcloud.cisco.com, which allows you to view the topology and links to
backend demo components. Click the Home button in Firefox if you ever need to get back to the topology
screen.
Step 4 On Workstation1, ensure your Country is enabled on the demo wireless controller (WLC). [Show Me How]


Note The WLC login for this demo requires session specific credentials. The username is the name you
use to log in to the dCloud UI and the password is the session ID. You can obtain this information
from the session details section of your active demo. The generic username of dcloud is also provided,
and can be used with the unique session ID as password, if necessary.

Step 5 Provision your compatible AP [Show Me How].


Note If using an endpoint router, this step only needs to be completed once. Using an endpoint router is
HIGHLY recommended for these demos. Without an endpoint router, the AP must be re-provisioned with the
new demo WLC IP address EACH time you schedule a new demo.

Step 6 Verify your AP is operational. [Show Me How]

You now have the option of connecting to Workstation1 through the AP. [Show Me How]
You may need to complete additional demonstration preparation activities, based on the location of your
demonstration.
• Complete the additional demonstration preparation activities for demonstrating at a Cisco Office. [Show
Me How]
• Complete the additional demonstration preparation activities for demonstrating at a Customer Site. [Show
Me How]

CHAPTER 5
Scenarios
• Scenario 1: Basic WLAN Design Flow to create a WLAN, on page 11
• Scenario 2: Use Advanced WLAN Design Flow to create a WLAN, on page 18
• Scenario 3: Application Visibility and App QoS Policy, on page 29
• Scenario 4: Local Profiling on the WLC, on page 35
• Scenario 5: Detailed WLAN Configuration, on page 42
• Scenario 6: ISE Configuration for .1x & BYOD, on page 62
• Scenario 7: Client Testing for Guest & BYOD, on page 77
• Scenario 8: Create a Flex Connect WLAN, on page 79

Scenario 1: Basic WLAN Design Flow to create a WLAN


Exercise Objective
The goal of this exercise is to use the Basic Wireless Setup to create an admin WLAN that you will use for
connectivity for the rest of the lab exercises. This will serve as the first introduction to the new 9800 UI.

Exercise Description
In this Exercise you will use the Basic WLAN Setup to perform the following tasks.
• Define a Location
• Create and Apply the WLAN to the location
• Provision an AP to the location
• Define DHCP Server
• Review Configuration
• Test Connectivity

Define a Location
The Basic Wireless configuration starts by defining a location. This is the location where the APs will be
deployed, and those APs will serve the wireless services defined for it.


Procedure

Step 1 Connect to the Lab network.


a) Connect to the 9800 public IP address provided by the session details. Log in with username/session
ID.
Note Once you log into the C9800-CL GUI, it may take up to 2 minutes to fully load the main dashboard.
After the initial load, navigation to other screens should be quick. Preload the dashboard
prior to customer presentations to avoid wait times during your demo. This performance behavior
is being investigated further for the next release.

Step 2 Select the Wireless Setup icon at the top right of the 9800 browser interface and, from the drop-down,
select Basic.
Example:

Step 3 Click Add.


Example:

Step 4 Under the General tab, create a Location Name of Podx_location (where x is your pod number). Leave
the Location Type as Local and Client Density as Typical.
Example:

Note While we set this Location Name to Pod1_location, remember that the Podx_location naming is
relative. As a user, you can name your own location as desired. A pod name/number is needed mostly in
a group environment to keep multiple users' AP SSIDs from overlapping.

Step 5 Create and apply the WLAN to the location.


Step 6 Select the Wireless Networks tab and click Add.


Example:

A new window titled Add Location Setup displays.


Step 7 For the WLAN select Define new.
Example:

Step 8 Enter the following items in the two different tabs.

Tab               Parameter         Value
General           Profile Name      podx_admin
General           SSID              podx_admin (will auto fill)
General           WLAN ID           1
General           Status            Enable
Security/Layer2   Auth Key Mgmt     PSK
Security/Layer2   Pre-Shared Key    ciscocisco

Example:


Use the default setting for all those not listed above. Explore the other tabs and notice the configuration options.
Also notice the other tabs under the Security tab.

Step 9 After exploring, select Save & Apply to Device, which returns you to Add Location Setup.
Step 10 Under Policy Details, select mgmt for VLAN/VLAN Group.
Notice the characteristics of the policy: all services are centralized.
Step 11 Select Add.

You have now created the WLAN and the policy applied to that WLAN.

Provision an AP to the location


Now it is time to provision the AP that will support the WLAN we just defined.

Procedure

Step 1 Select the AP Provisioning tab.


The left-side column, Add/Select APs, has a section titled Available AP list. The AP associated with the 9800
should be listed there.
Step 2 Select the check box in front of the AP and then select the Right Arrow to add the AP to the APs on this
Location column.
Step 3 Select Apply.
Example:


You have now created the WLAN and applied it to the AP.

Define DHCP Server


The Basic WLAN configuration assumes the WLAN is connecting to a network that has a DHCP server available
locally. That is not the case in our lab, so we need to define the location of the DHCP server in the policy
used by this WLAN.


Procedure

Step 1 Go to Configuration > Tags & Profiles > Policy.


Step 2 Select Podx_location_WLANID_1.
Step 3 Select the Advanced tab.
Step 4 Under DHCP select IPv4 DHCP Required and specify the DHCP Server IP Address as 198.18.133.1.
Step 5 Select Update & Apply to Device.

Example:

Review Configuration
You have now created a fully functional WLAN. Take the time to explore the configurations that have been
applied.

Procedure

Step 1 Navigate to Configuration > Wireless Setup > Advanced.


This page does an excellent job of summarizing the components that make up a WLAN configuration. From
this page you can also start a more complex configuration; we'll come back to this later.
Step 2 Navigate to Configuration > Tags & Profiles > WLANs and notice the podx_admin WLAN that was
configured.
Step 3 Select the WLAN and explore the details of the WLAN.


Step 4 Go to Configuration > Tags & Profiles > Policy and select Podx_location_WLANID_1.
Step 5 Explore the details of the policy.
Step 6 Navigate to Configuration > Tags & Profiles > Tags.
Notice there are 4 tags – Policy, Site, RF, AP. Review the details of each tab for Pod1_location. On the AP
tab under Static you'll see your AP selected, with the Policy, Site, and RF Tag all set to Podx_location.
Step 7 Navigate to Configuration > Wireless > Access Points.
Step 8 Select the AP.
Notice the details of the AP's settings. Also notice, under the Tags section, that Podx_location is applied to
Policy, Site, and RF.

Step 9 Select the Save icon at the top right of the 9800 browser interface.
Example:

Step 10 Select Show Diff.


Example:


This opens a new window that shows a comparison between the Startup Config on the 9800 and the current
Running Config. Notice the CLI commands added to the 9800 after going through the Basic WLAN Config.

Test Connectivity
With the WLAN created, the DHCP server defined, and the AP provisioned, verify that a client can join the
new WLAN and that the AP shows as joined on the controller dashboard.

Procedure

Step 1 First, connect to the Lab network.


Step 2 Connect to the 9800 public IP address and log in with the credentials provided for you ahead of time.
Step 3 Using your personal laptop, connect to the lab WLAN pod1_admin with the pre-shared key ciscocisco.
Step 4 Using a Chrome browser, go to 198.19.11.10 and log in with username/session ID.
On the dashboard you'll see that the AP is joined to the controller.

What to do next
In the next section we will create another SSID using the advanced flow and connect a device to it.

Scenario 2: Use Advanced WLAN Design Flow to create a WLAN


Exercise Objective
In the previous exercise we used the Basic Wireless Setup to create a WLAN.
In this exercise we switch gears and use the Advanced Wireless Setup to create another SSID. The SSID
created in this exercise will be used to enable further features on the 9800 in the next exercises.
We will be using the C9800-CL GUI to configure the C9800.

Exercise Description
In this Exercise you will use the Advanced WLAN Setup to:
• Create a WLAN Profile
• Create a Policy Profile
• Create a Policy TAG
• Tag the AP
• Test Connectivity


Recap on C9800 Configuration Model

Note The C9800 configuration model maps a Policy Tag, a Site Tag, and an RF Tag to each access point. The
Policy Tag in turn maps WLAN profiles to policy profiles.

In the previous exercise this was abstracted from the user by the basic configuration flow.


Create a WLAN Profile


Procedure

Step 1 Connect to the Lab network.


Step 2 Connect to the 9800 public IP address provided by the session details and log in with username/session
ID.
Step 3 Select the Wireless Setup icon at the top right of the 9800 browser interface and, from the drop-down,
select Advanced.
Example:

This opens the Advanced Configuration Wizard.


Step 4 Click Start Now to start the wizard.
Example:


Step 5 In Tags & Profile, to the right side of the WLAN Profile section, click + to start creating a new WLAN
Profile.
Example:

Step 6 Enter the following items in the 3 different tabs of the WLAN Dialog.


Tab               Parameter         Value
General           Profile Name      Pod1-psk
General           SSID              Pod1-psk (will auto fill)
General           WLAN ID           2
General           Status            Enable
Security/Layer2   Auth Key Mgmt     PSK
Security/Layer2   Pre-Shared Key    cisco123

Example:

Use the default setting for all those not listed above. Explore the other tabs and notice the configuration options.
Also notice the other tabs under the Security tab.

Step 7 After exploring select Save & Apply to Device.


This action returns you to the Advanced Wizard.


Create a Policy Profile


Procedure

Step 1 In Tags & Profile, to the right side of the Policy Profile section, click + to start creating a new Policy
Profile.
Step 2 Configure the Policy Profile using the following table (any configuration not defined in the table keeps
its default settings).

Tab               Section and Parameter            Value
General           Name                             localPolicy
General           Status                           Enabled
Access Policies   VLAN > VLAN/VLAN Group           mgmt
Advanced          DHCP > IPv4 DHCP Required        Selected
Advanced          DHCP > DHCP Server IP Address    198.18.133.1

Example:
Figure 2: General Tab


Figure 3: Access Policies Tab


Figure 4: Advanced Tab

Explore the other tabs and notice the configuration options.

Step 3 After exploring select Save & Apply to Device.


This returns you to the Advanced Wizard.

Create a Policy Tag


Procedure

Step 1 In Tags & Profile, to the right side of the Policy Tag section, click + to start creating a new Policy
Tag.
Step 2 Enter Name: localPsk.
Step 3 In the Policy Tag window, click Add to map the following WLAN profile to a Policy Profile.


Example:
WLAN Profile Policy Profile
pod1-psk localPolicy

Step 4 Click Save & Apply to Device.


This returns you to the Advanced Wizard.

Tag the Access Point


Procedure

Step 1 In Tags & Profile navigate to the Apply section and click Tag APs.
Step 2 Select the Access Point and click the Tag APs button above the table.
Example:


This opens the Tag APs dialog.


Step 3 Select localPsk for the policy tag, do not change the other tags, and then click Apply to Device.
Example:

Note This step causes the AP to rejoin the WLC and applies the configuration.
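The block below is an added example, not part of the lab guide, showing the IOS XE CLI objects that correspond to what the Basic flow of Scenario 1 (WLAN podx_admin, policy profile Podx_location_WLANID_1, tags Podx_location) and the Advanced flow of this scenario (WLAN Pod1-psk, policy profile localPolicy, policy tag localPsk) create, followed by the CLI counterpart of the Show Diff used in Review Configuration. Names and values are taken from the lab tables; the AP Ethernet MAC is a placeholder, and the GUI also writes additional default lines that are omitted here.

```cisco
! Added example: CLI rendering of the Scenario 1 and Scenario 2 objects (not generated by the lab).
!
! --- Scenario 1, Basic flow: WLAN 1 with WPA2-PSK, mapped by the location's policy tag ---
wlan podx_admin 1 podx_admin
 security wpa psk set-key ascii 0 ciscocisco
 no security wpa akm dot1x
 security wpa akm psk
 no shutdown
!
! Policy profile: central switching on VLAN mgmt; clients must use DHCP from 198.18.133.1
wireless profile policy Podx_location_WLANID_1
 vlan mgmt
 ipv4 dhcp required
 ipv4 dhcp server 198.18.133.1
 no shutdown
!
wireless tag policy Podx_location
 wlan podx_admin policy Podx_location_WLANID_1
!
! --- Scenario 2, Advanced flow: WLAN 2 with its own policy profile and policy tag ---
wlan Pod1-psk 2 Pod1-psk
 security wpa psk set-key ascii 0 cisco123
 no security wpa akm dot1x
 security wpa akm psk
 no shutdown
!
wireless profile policy localPolicy
 vlan mgmt
 ipv4 dhcp required
 ipv4 dhcp server 198.18.133.1
 no shutdown
!
wireless tag policy localPsk
 wlan Pod1-psk policy localPolicy
!
! Static tag assignment for the AP, keyed by its Ethernet MAC (placeholder value).
! Only the policy tag changes in Scenario 2; site and RF tags stay on Podx_location.
ap aaaa.bbbb.cccc
 policy-tag localPsk
 site-tag Podx_location
 rf-tag Podx_location
!
! --- Verification (exec mode) ---
show wlan summary
show wireless profile policy detailed localPolicy
show wireless tag policy detailed localPsk
show ap tag summary
! CLI equivalent of the GUI "Show Diff": startup config versus running config
show archive config differences nvram:startup-config system:running-config
```

Reviewing that diff before saving is a useful habit: it confirms that only the WLAN, policy profile, tag and AP binding you intended were added, and `ipv4 dhcp required` is worth checking in it, since it stops clients with a hand-configured static address from passing traffic on the WLAN.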

Verify the connectivity


The AP should now be broadcasting the SSID pod1-psk that you created.


Procedure

Step 1 Using your personal laptop or mobile, connect to the lab network, pod1-psk using the credentials userid: PSK
and password: cisco123.
Step 2 Navigate to the Dashboard and observe that the client has joined the Access Point.

Step 3 Click on the client to open the details page and browse through the details.

Scenario 3: Application Visibility and App QoS Policy


Exercise Objective
The goal of this exercise is to provide detailed steps to enable Application Visibility on the WLAN we just
created.
We will then use a QoS policy to configure an application policy on the WLAN and verify that it works.

Exercise Description
In this Exercise you will:
1. Enable the application visibility on the WLAN we have created in the previous exercise.
2. View the applications detected by WLC.


3. Enable an App QoS policy and verify the policy works.

Enable Application Visibility


Procedure

Step 1 Navigate to Configuration > Services > Application Visibility.


Step 2 Click the arrow next to localPolicy.
Example:

Step 3 Verify that Visibility and Local Collector are selected.


(These are enabled by default, so nothing has to be done here.)
Example:


Step 4 Click Apply to enable Application Visibility.

View the Applications detected


Procedure

Step 1 Verify that the client is connected to the SSID pod1-psk, then browse different applications, for example
YouTube, Google, and a few others.
Step 2 Navigate to Monitoring > Services > Application Visibility.
Step 3 Verify the application is detected in the client view.
Example:


Step 4 Hover over the pie chart to show the application name, and click Direction to view the traffic in each
direction.
Example:

Step 5 Click Applications to view the list of all the applications detected.
Example:


View and Verify the App QoS Policy


Procedure

Step 1 Navigate to Configuration > Services > QoS.


Step 2 Click Add to add a QoS policy.
Step 3 Configure the policy as shown in the following table and leave the other settings at their defaults.

Parameter                                     Value
Policy Name                                   YoutubeBlock
Add Class-Maps                                +
AVC/User Define                               AVC
Match                                         All
Drop                                          Enabled
Match Type                                    protocol
Selected Protocols (select using the arrow)   youtube

Example:


Step 4 Click Save.


Step 5 Click the right arrow on localPolicy, select ingress, and then click Apply.
Example:

Step 6 Attempt to browse YouTube on the client connected to the pod1-psk WLAN and note that YouTube is now
blocked.


Step 7 Navigate to Configuration > Services > QoS, select the QoS policy YoutubeBlock, and then delete it.

Scenario 4: Local Profiling on the WLC


Exercise Objective
The goal of this exercise is to enable local profiling

Exercise Description
• Enable local profiling and note the device type.
• View, set, and verify policies using local profiling.
• (Optional) If you have a Samsung (S10) device available, verify the information that Samsung devices
share with Cisco APs/WLCs as part of the ecosystem partnership.

Enable local profiling and view the device types


Procedure

Step 1 Navigate to Configuration > Wireless > Wireless Global.


Step 2 Enable the Device Classification check box.
Example:


This enables the local device classification on the controller.


Step 3 Navigate to the main Dashboard and verify that the Client Devices Types dashboard shows the clients joined.
Example:

Step 4 Navigate to Monitoring > Services > Local Profiling to show the detected device and details.
Example:


Create a local profiling policy to apply different policies based on device types
Procedure

Step 1 Navigate to Configuration > Security > Local Policy.


Step 2 Under Service Template click Add.
Step 3 Fill in the Service Template using the following table without changing the other defaults, and then
click Apply to Device.

Parameter                  Value
Service Template Name      iPhone
VLAN ID                    2

Example:

Step 4 Under Policy Map click Add.


Step 5 Create a new policy map called apple.
Step 6 Click the Add button under the Match Criteria List, fill in the dialog with the values in the following
table, click Add Criteria, and then click Apply to Device.

Parameter            Value
Policy Map Name      apple
Service Template     iPhone
Device Type          eq, Apple-Device


Example:

Step 7 Navigate to Configuration > Tags & Profiles > Policy.


Step 8 Click the policy used by our SSID, localPolicy, to edit it.
Step 9 Navigate to Access Policies in the Edit Policy Profile dialog box, update Local Subscriber Policy Name
to apple, and then click Update & Apply to Device.
While in this dialog box, note the device classification state and that the VLAN is assigned as mgmt. There
is nothing else to change in this dialog.

Parameter                       Value
Local Subscriber Policy Name    apple

Example:


Step 10 Reconnect an Apple device to the pod1-psk WLAN.


Step 11 Return to Monitoring > Wireless > Clients.
Example:


Observe that the device is recognized as an Apple device and is now in a different subnet.
Step 12 Click the device and then navigate to General > Security Information in the client information box.
It shows the service template applied under Local Policies, and that the device is now part of VLAN 2 (the
employee VLAN) rather than the mgmt VLAN.
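As an added example (not from the lab guide), here is the IOS XE CLI that corresponds to the local profiling policy built in this procedure: global device classification, the iPhone service template, a subscriber policy map that activates the template when the device is classified as Apple-Device, and the policy profile reference. The class-map name APPLE_CLASS and the client MAC in the show command are constructed; the GUI generates its own class-map name when you add the match criteria.

```cisco
! Added example: CLI rendering of the Scenario 4 local profiling policy (not generated by the lab).
!
! Global device classification (the Device Classification check box under Wireless Global)
device classifier
!
! Service template: clients matched by the policy are moved to VLAN 2 (employee VLAN)
service-template iPhone
 vlan 2
!
! Match criterion "Device Type eq Apple-Device"; class-map name is a constructed placeholder
class-map type control subscriber match-all APPLE_CLASS
 match device-type Apple-Device
!
! Policy map "apple": when the controller learns/updates the client identity
! and the class matches, activate the iPhone service template
policy-map type control subscriber apple
 event identity-update match-all
  10 class APPLE_CLASS do-until-failure
   10 activate service-template iPhone
!
! Reference the policy map from the policy profile used by pod1-psk
! ("Local Subscriber Policy Name" in the Access Policies tab)
wireless profile policy localPolicy
 subscriber-policy-name apple
!
! --- Verification (exec mode) ---
show wireless client summary
! Replace the MAC with the Apple client's address; the detail output shows the
! device type, the applied service template and the resulting VLAN
show wireless client mac-address aaaa.bbbb.0001 detail
```

Because the template only changes the VLAN, the client still authenticates with the WLAN's pre-shared key; the classification decides which segment it lands in, which is why the verification looks at the client detail rather than at the WLAN.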

View Samsung Device Details


This procedure is optional and applies only if you have a Samsung S10 based device to connect to the WLAN.


Procedure

Step 1 Return to Monitoring > Wireless > Clients, click on the client to open the client details dialog and then open
the Client 360 view.
Step 2 Observe the additional information that Samsung clients share with Cisco WLCs and APs when local
profiling is enabled.
The exact model number, carrier, software version, and client RSSI displayed come from the Samsung device.
Example:

Step 3 (Optional) For any non-Apple device, after you are connected to the proper network, see the Device Type
assigned as Un-Classified Device.
Example:


Step 4 (Optional) Click on the device MAC Address and see its 360 view details.
Example:

Scenario 5: Detailed WLAN Configuration


Exercise Objective
The goal of this exercise is to provide detailed steps to define a secure employee WLAN and a Guest WLAN.
We will be using the C9800-CL GUI to configure the C9800. The following diagram shows the C9800 configuration
at a high level. Each box represents an individual configuration profile with the relevant options shown, and how
each profile feeds into other profiles to make a working configuration. The bullet points within a profile
that are in bold represent sub-profiles being fed into that profile. It also includes the suggested order in which to
create the profiles, which maps to the main sections of the document.

Exercise Description
The following diagram illustrates the steps we will configure on the 9800 controller. Some of the settings
are preconfigured. For any preconfigured settings, we will review the settings.


Define AAA Servers on C9800


These steps are used to add the ISE PSN node as a RADIUS server on the C9800. We will also create a RADIUS server
group and add the server entry we created. The server group can then be referenced from each of the AAA method
lists.

Procedure

Step 1 Using your personal laptop, connect to the lab network, pod1-psk using credentials userid: PSK and password
cisco123.
Step 2 Using a Chrome browser go to 198.19.11.10 and log in with username/session ID.
In the dashboard you’ll see that the AP is joined to the controller.
Step 3 Navigate to Configuration > Security > AAA > Servers / Groups > Servers.
Step 4 Click Add and enter the information in the following table.
Use the default settings for any values not in the table.

Parameter Value
Name* ISE01
IPv4 /IPv6 Server Address* 198.18.133.27
PAC Key (Not selected)
Key Type Clear
Key* (and confirm) C1sco12345
Support for CoA Enabled


Example:

Step 5 Click Save & Apply to Device.


Example:

Define AAA Server Groups and Global settings on C9800


Procedure

Step 1 Click Server Groups in the sub tab.


Example:


Step 2 Click Add and then enter following information.

Parameter Value
Name ISE
Dead-Time (mins) 10
Available Servers ISE01 (move to assigned)

The Dead-Time setting controls how long a RADIUS server in the group will be marked as dead when it
fails to authenticate or fails to respond to RADIUS probes. This setting is only useful when more than one
RADIUS server is configured.
Example:


Step 3 Click Save & Apply to Device.


Step 4 Navigate to Configuration > Security > AAA > AAA Advanced > RADIUS Fallback and confirm the
default settings, which dictate how the RADIUS servers will be marked dead.
• Retransmit Count: How many times the RADIUS server will be tried for an authentication request.
• Timeout Interval (seconds): How long the controller will wait between authentication requests.
• Dead Time (Minutes): Identical to the dead-time configured under Server Groups, but this setting is
global.

Step 5 Navigate to Configuration > Security > AAA > AAA Advanced > Global Config and confirm the default
settings, which dictate how the controller will communicate with the RADIUS server:
• RADIUS Server Load Balance: When enabled, and if there is more than one RADIUS server, the controller
will send RADIUS requests to each RADIUS server in sequence based on the batch settings.

Step 6 Click Show Advanced Settings >>> and note the Call Station ID under Authentication Column.
This is the attribute that C9800 populates during authentication. The default CID field is formatted as
ap-macaddress-ssid. ISE uses the SSID from the CID field for policy matching purposes.

Define Authentication, Authorization and Accounting Lists on C9800


Procedure

Step 1 Navigate to Configuration > Security > AAA > AAA Method List > Authentication, and then click Add.
Step 2 Create the Authentication list using the following information. It will be used for both the OPEN SSID
(dCloud_Guest) and the SECURE SSID (dCloud_Internal):


Parameter Value
Name default
Type Dot1x
Group-Type Group
Available Server Groups ISE (move to assigned)

Notes The existing default method list entry of Type login is for SSH to the WLC for CLI access.
For the authentication list, another name can be used. We are using default so it is named the same as the
authorization list, for which the name default has a special meaning. If clients fail to associate,
and authentication requests are not showing up in the ISE Live Log, try setting the authentication
list name to default as shown above.

Step 3 Click Save & Apply to Device.


Example:

Step 4 Go to Configuration > Security > AAA > AAA Method List > Authorization, click Add, and then enter the
following information for the AAA Authorization list that will be shared by both SSIDs.

Parameter Value
Name default
Type Network
Group-Type Group
Available Server Groups ISE (move to assigned)


Notes The existing default method list entry of Type exec is for SSH to the WLC for CLI access.
The Authorization name default is significant here since no Authorization list can be
defined within the 802.1X WLAN. By using default as the name, the C9800 can use ISE to get
additional authorization details such as dACL operation. If the default authorization list cannot be
used or is not desired, a named authorization list can be created and referenced via the RADIUS
server as a Cisco VSA. The Cisco VSA to use is Method-List={authorization-method-list}, which
can be configured in the ISE advanced attribute settings. Please see the examples at the end of the
document.

Step 5 Click Save & Apply to Device.


Example:

Step 6 Navigate to Configuration > Security > AAA > AAA Method List > Accounting, and then click Add.
Step 7 Enter the following information for the AAA Accounting list that will be shared by both SSIDs.

Parameter Value
Name default
Type identity
Available Server Groups ISE (move to assigned)

Step 8 Click Save & Apply to Device.


Example:


Create Webauth Parameter Map (Required for BYOD)


This will only be used on the SECURE SSID (dCloud_Internal) to suppress the Apple Captive Network Assistant
(CNA; AKA mini browser) from popping up upon association to the WLAN. This is required because the
Apple CNA is unable to complete the BYOD onboarding flow.

Procedure

Step 1 Navigate to Configuration > Security > Webauth > Webauth Parameter Map and then click Add.
Example:

Step 2 Enter Name Captive_Bypass_Portal and then click Apply to Device.


Example:
Step 3 Select Captive_Bypass_Portal from the Parameter-map name list.
Step 4 Check Captive Bypass Portal.
Step 5 Click Update & Apply.
Example:


Create VLANs

Note Do not change anything in this section. This is already done for you because it is a basic item on the controller.

Procedure

Step 1 Navigate to Configuration > Layer 2 > VLAN > VLAN and then click Add.
Step 2 Add two VLANs using the following table for the User VLAN and the Guest VLAN.
These VLANs will be mapped to the SECURE SSID (dCloud_Internal) and the OPEN SSID (dCloud_Guest)
respectively using policy profiles and tags.

VLAN ID   Name       State
2         employee   Activated
3         guest      Activated

Example:


Step 3 Click Save & Apply to Device.

Create WLAN Profiles


Procedure

Step 1 Navigate to Configuration > Tags & Profiles > WLANs and then click Add.
Step 2 Add WLANs using following table for OPEN WLAN (dCloud_Guest) and SECURE WLAN (dCloud_Internal).
These WLANs will be mapped to the AP using tags (Any configuration not defined in the table assumes
default settings).

Tab                  Parameter                Open WLAN value            Secure WLAN Value
General              Profile Name             dCloud_Guestx (Figure 5)   dCloud_Internalx (Figure 6)
                     SSID (x is your pod#)    dCloud_Guestx              dCloud_Internalx
                     Status                   Enabled                    Enabled
Security > Layer 2   Layer 2 Security mode    None                       WPA + WPA2
                     MAC Filtering            Enabled
                     Authorization List       default
Security > Layer 3   Webauth Parameter Map                               Captive_Bypass_Portal
                     WebPolicy                                           Enabled
AAA                  Authentication List      default                    default


Note There is no reference to an authorization list for the dCloud_Internalx SSID. This is not an issue for
AAA override operation, which applies authorization directly from the RADIUS ACCESS-ACCEPT
response. However, it is an issue for applying a dACL, as that requires additional RADIUS
communication, which requires an authorization list. To address this, either use the special
name default as the authorization list, as configured in the preceding section, or configure ISE to send the Cisco
VSA Method-List={authorization-method-list} with the ACCESS-ACCEPT when a dACL is used.

Step 3 Click Save & Apply to Device.


Example:
Figure 5: dCloud_Guestx Configuration


Step 4 Click Save & Apply to Device


Example:
Figure 6: dCloud_Internalx Configuration


Step 5 Click Save & Apply to Device.


Create Policy Profiles


The policy profile covers device sensor, default VLAN, CoA, and RADIUS Accounting. Since the VLANs differ,
two profiles are created, one for each WLAN. These profiles will be mapped to the WLANs using tags.

Procedure

Step 1 Navigate to Configuration > Tags & Profiles > Policy and then click Add.
Step 2 Add Policy Profiles for both WLANs using the following table.
(Any configuration not defined in the table assumes the default setting).

Tab               Parameter                Guest WLAN Value    Employee WLAN Value
General           Name                     Guest (Figure 7)    Employee (Figure 8)
                  Status                   Enabled             Enabled
Access Policies   RADIUS Profiling
                  HTTP TLV Caching
                  DHCP TLV Caching
                  VLAN/VLAN Group          guest               employee
Advanced          IPv4 DHCP Required
                  DHCP Server IP Address   198.18.133.1        198.18.133.1
                  Allow AAA Override
                  NAC State
                  Accounting List          default             default

Step 3 Click Save & Apply to Device.


Example:


Figure 7: Guest Configuration


Figure 8: Employee Configuration



Create Policy Tag


Procedure

Step 1 Navigate to Configuration > Tags & Profiles > Tags and, under Policy, click Add.
Step 2 Enter Name: iseEnabled.
Step 3 In the iseEnabled Tag window, click Add to map following WLANs to matching policy profiles.

WLAN Profile       Policy Profile
dCloud_Guestx      Guest
dCloud_Internalx   Employee
pod1_admin         Pod1_location_WLANID_1

This ties the WLAN to the respective Policy Profile.


Step 4 Click Save & Apply to Device
Example:

Assign Policy Tag to AP


This section shows how to apply a tag to a single AP. Using the Advanced Wireless Setup Wizard on C9800,
the same tag can be applied to multiple APs at the same time or you can manually create an AP filter tag rule
to apply the tags based on an AP name regex (e.g. .*).


Procedure

Step 1 Navigate to Configuration > Wireless > Access Points.


Step 2 Click on the AP Name or MAC address.
Step 3 In General > Tags > Policy, in the Tags section, select iseEnabled for the Policy and leave Site & RF as
Pod1_location.
Example:

Step 4 Click Update & Apply to Device.

Create Redirect ACL (Referenced via RADIUS)


Procedure

Step 1 Navigate to Configuration > Security > ACL and then click Add.
Step 2 In ACL Name, enter ACL_WEBAUTH_REDIRECT.


Step 3 Select IPv4 Extended for ACL Type.


Step 4 Enter the following rules in the Add ACL Setup window.

Sequence   Action   Source Type   Destination Type   Protocol   Source Port   Destination Port
10         permit   any           any                tcp        None          www(http(80))

Example:

Step 5 Click Add.


Step 6 Click Save & Apply to Device.

(Optional) Create URL Filter for BYOD Flow (Referenced via RADIUS)

Note Use this only as a reference; we are not using it in the lab delivery.

Unlike AireOS, which allows DNS entries to be part of the redirect ACL, a separate URL filter has to be created
on the C9800 and called via a RADIUS attribute from ISE to permit access to Internet hosts by FQDN. We will
not be using Android in this lab, but we leave this configuration as an example of its usage with the 9800s.


Procedure

Step 1 Navigate to Configuration > Security > URL Filters and then click Add.
Step 2 Using the following table, set the values in the Edit URL Filter window.
The example allows access to the Google Play store for BYOD. The PRE-AUTH URL filter always works if the
Action is Permit, regardless of whether the filter is set to Permit or Deny.
Example:

Parameter Value
Name BYOD-URL-Filter
Type PRE-AUTH
Action Permit
URLs *.google.com
accounts.youtube.com
gstatic.com
*.googleapis.com
*.appspot.com
ggpht.com
gvt1.com
market.android.com
android.pool.ntp.org
*.googleusercontent.com
*.google-analytics.com

Step 3 Click Update & Apply to Device.
Important Save the configuration.

Scenario 6: ISE Configuration for .1x & BYOD


Exercise Objective
The goal of this exercise is to detail the configuration of ISE to provide .1x authentication and BYOD for
employees.

Exercise Description
The following diagram shows the related ISE configuration at a high level. Many of the settings are already
preconfigured on ISE. For preconfigured settings, we will review the settings.


Validate C9800 is added to ISE as Network Device


These steps will validate that the C9800 is configured.

Before you begin


The C9800 should already be added to ISE as a network device.

Procedure

Step 1 On workstation1, open Firefox or Chrome, connect to ISE 2.4 at 198.18.133.27, and then log in with
admin/C1sco12345.
Step 2 Navigate to Administration > Network Resources > Network Devices.
Step 3 Verify that WLC1 is listed.
a) Click WLC1.
b) Review the following settings.

Setting Value
Network Devices Settings
Name WLC1
IP Address 198.19.11.10/32
Device Profile Cisco
RADIUS authentication Settings
Shared Secret C1sco12345
CoA Port 1700

Example:


Step 4 Click Network Devices at the top to return to the list of network devices.

Modify Native Supplicant Provisioning Profile


Let’s modify the profile to use our SSID. Some steps are skipped as they are already pre-configured.

Procedure

Step 1 Navigate to Policy > Policy Elements > Results > Client Provisioning > Resources.
Step 2 Check Cisco-ISE-NSP and then click Edit.
There are a lot of entries to choose from, so you may want to search with your browser. Cisco-ISE-NSP is
about ¾ of the way down the list.
This is the Native Supplicant Profile referenced and used in the ISE Client Provisioning Policy (Policy >
Client Provisioning Policy > Apple iOS Devices).

Step 3 After selecting, scroll down, check the ISE box, and then click Edit to modify the Wireless Profile.
Step 4 Change the SSID Name from ISE to dCloud_Internalx and confirm the rest of the settings.
Note The SSID Name must match exactly with the same character case to the secure SSID name (e.g.
dCloud_Internalx) configured in Create WLAN Profiles, on page 51 or the client will not reconnect
with the certificate after completing BYOD.

Parameter Value
SSID Name * dCloud_Internalx
Security * WPA2 Enterprise
Allowed Protocol * TLS
Certificate Template EAP_Authentication_Certificate_Template


Step 5 Click Submit on the pop-up window.


Step 6 Click Submit at the bottom of the page.

Review Portals: BYOD Portal


The BYOD portal is used for Single-SSID flow that we will be testing.

Procedure

Step 1 Navigate to Work Centers > BYOD > Portals & Components > BYOD Portals.
Step 2 In Portal Name: select BYOD Portal (default).


Step 3 Note the BYOD Flow and notice the detail settings.
Step 4 Click Close.

Review Portals: Hotspot Portal


In our tests we are going to focus on setting up a guest flow using the hotspot. This review will also give you
an understanding on how COA, redirection and clearing out the sessions will work. For more detailed
configuration information around the guest, reference ISE Guest & Web Authentication.

Procedure

Step 1 Navigate to Work Centers > Guest Access > Portals & Components > Guest Portals.
Step 2 Click Hotspot Guest Portal (default).
Step 3 Review the portal flow and the setting details.
Step 4 Expand the AUP Page settings.


Example:

We are using the access code dcloud to prevent anyone who may be near our wireless signal from using our
hotspot.

Step 5 At the top right of the settings page click Close.

Create/Review downloadable ACLs (dACLs)


Unlike the AireOS controller, C9800 supports dACLs. Here we are going to create dACLs.

Procedure

Step 1 Navigate to Policy > Policy Elements > Results > Authorization > Downloadable ACLs.
Step 2 Click Add.
Step 3 Enter CWA.
Step 4 Expand Check DACL Syntax to verify the ACL is correct and then enter the lines for CWA from the following
table.
Note For the other ACLs, please use the table as reference. These are already built on ISE for you.

dACL Name: CWA
dACL Content:
permit udp any host 198.18.133.1 eq domain
permit tcp any host 198.18.133.27 eq 8443
deny ip any any
Description (not part of the config): Allow access to the default guest portal port TCP/8443 and DNS. This is
used for devices upon redirection to the guest portal. This can be used for any guest flow. Create this to learn
how they are built.

dACL Name: ISE_PROVISION_ACCESS
dACL Content:
permit udp any host 198.18.133.1 eq domain
permit tcp any host 198.18.133.27 eq 8443
permit tcp any host 198.18.133.27 eq 8905
permit tcp any host 198.18.133.27 eq 8084
deny ip any any
Description (not part of the config): Allow access to the default BYOD portal port TCP/8443, NSP Wizard port
TCP/8905, EST Server TCP/8084, and DNS. This is used for devices upon redirection to be able to go through
BYOD redirection and onboarding. This ACL already exists on ISE; use this as an example of what to include
and why.

dACL Name: INTERNET_ACCESS
dACL Content:
permit udp any host 198.18.133.1 eq domain
permit tcp any host 198.18.133.27 eq 8443
permit tcp any host 198.18.133.27 eq 8084
deny ip any 198.18.0.0 0.1.255.255
permit ip any any
Description (not part of the config): Deny the internal IP ranges for dCloud and the internal client networks and
allow the rest of the IP space for Internet access, plus ISE (portal success pages) and DNS. This ACL already
exists on ISE; use this as an example of what to include and why.

Example:

Step 5 Click Submit.
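The following Python is an added example, not part of the lab guide, that evaluates a flow against the three dACLs in the table above the way a Cisco ACL is applied (top-down, first match wins, implicit deny at the end, wildcard masks rather than prefix lengths). It lets you confirm that INTERNET_ACCESS denies the whole 198.18.0.0 0.1.255.255 range, including the WLC management address 198.19.11.10, while still permitting DNS and the ISE portal ports. The client address 10.10.10.50 and the source port are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed copies of the three lab dACLs, one ACE per line as ISE stores them.
DACLS = {
    "CWA": [
        "permit udp any host 198.18.133.1 eq domain",
        "permit tcp any host 198.18.133.27 eq 8443",
        "deny ip any any",
    ],
    "ISE_PROVISION_ACCESS": [
        "permit udp any host 198.18.133.1 eq domain",
        "permit tcp any host 198.18.133.27 eq 8443",
        "permit tcp any host 198.18.133.27 eq 8905",
        "permit tcp any host 198.18.133.27 eq 8084",
        "deny ip any any",
    ],
    "INTERNET_ACCESS": [
        "permit udp any host 198.18.133.1 eq domain",
        "permit tcp any host 198.18.133.27 eq 8443",
        "permit tcp any host 198.18.133.27 eq 8084",
        "deny ip any 198.18.0.0 0.1.255.255",
        "permit ip any any",
    ],
}

PORT_NAMES = {"domain": 53, "www": 80}  # named ports that appear in the lab ACLs
Match = Tuple[int, int]  # (base address, wildcard mask) as 32-bit integers

@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp" or "udp"
    src: Match
    sport: Optional[int]   # None when no "eq" qualifier is present
    dst: Match
    dport: Optional[int]

def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))

def _parse_match(tokens: List[str]) -> Tuple[Match, List[str]]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (address + wildcard mask)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]

def _parse_port(tokens: List[str]) -> Tuple[Optional[int], List[str]]:
    """Consume an optional 'eq PORT' qualifier; PORT may be a name or a number."""
    if tokens and tokens[0] == "eq":
        name = tokens[1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), tokens[2:]
    return None, tokens

def parse_ace(line: str) -> Ace:
    """Parse one extended ACE in the form ISE shows in the dACL table."""
    action, proto, *rest = line.split()
    src, rest = _parse_match(rest)
    sport, rest = _parse_port(rest)
    dst, rest = _parse_match(rest)
    dport, rest = _parse_port(rest)
    return Ace(action, proto, src, sport, dst, dport)

def _addr_matches(match: Match, addr: int) -> bool:
    base, wildcard = match
    # Wildcard bits set to 1 are "don't care", so only the 0 bits must be equal.
    return ((addr ^ base) & ~wildcard & 0xFFFFFFFF) == 0

def evaluate(acl: List[str], proto: str, src: str, dst: str,
             dport: int, sport: int = 40000) -> str:
    """Top-down, first match wins; an unmatched flow hits the implicit deny."""
    for ace in map(parse_ace, acl):
        if ace.proto not in ("ip", proto):
            continue
        if not (_addr_matches(ace.src, _ip(src)) and _addr_matches(ace.dst, _ip(dst))):
            continue
        if ace.sport is not None and ace.sport != sport:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"

def check_dacl(name: str, proto: str, dst: str, dport: int,
               src: str = "10.10.10.50") -> str:
    """Evaluate one flow from a constructed client address against a named lab dACL."""
    return evaluate(DACLS[name], proto, src, dst, dport)

if __name__ == "__main__":
    # The WLC management address 198.19.11.10 falls inside 198.18.0.0 0.1.255.255.
    print(check_dacl("INTERNET_ACCESS", "tcp", "198.19.11.10", 443))   # deny
    print(check_dacl("INTERNET_ACCESS", "tcp", "93.184.216.34", 443))  # permit
```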

Create/Modify Authorization Profiles: NSP_Onboard


We will update the authorization profile used for Single-SSID BYOD.


Procedure

Step 1 Navigate to Policy > Policy Elements > Results > Authorization > Authorization Profiles.
Step 2 Check NSP_Onboard checkbox and then click Edit.
Step 3 Verify that the DACL Name checkbox and ISE_PROVISION_ACCESS are selected.
Note This is the downloadable ACL to permit/deny defined during onboarding. If not using the default
authorization method, add Cisco VSA Method-List={authorization-method-list} under Advanced
Attribute Settings.
Example:

Step 4 Scroll to Common Tasks and confirm that Web Redirection (CWA, MDM, NSP, CPP) is checked and has
the following settings.

Native Supplicant Provisioning   ACL: ACL_WEBAUTH_REDIRECT   Value: BYOD Portal (default)

Example:


Notes The authorization result shows a BYOD flow, with an ACL sent to the controller to indicate the
redirection state and utilize the default BYOD Portal. ACL_WEBAUTH_REDIRECT is created in
Step 4, on page 61 in Create Redirect ACL (Referenced via RADIUS), on page 60.
[For Reference only] This lab is not using the BYOD-URL-Filter, which permits access to certain
internet sites during BYOD for Android devices. If you need that in your own lab, add the following
Cisco VSA under Advanced Attribute Settings: Cisco:cisco-av-pair =
url-filter-preauth=BYOD-URL-Filter, where BYOD-URL-Filter exactly matches the name configured
on the C9800 WLC in Step 2, on page 62 in (Optional) Create URL Filter for BYOD Flow
(Referenced via RADIUS), on page 61.

Step 5 Click Save.

Create/Modify Authorization Profiles: Cisco_WebAuth


We will configure the hotspot authorization profile.

Procedure

Step 1 Click Authorization Profiles.


Step 2 Check Cisco_WebAuth and then click Edit.
Step 3 Check DACL Name and then select CWA.
Note This is the downloadable ACL to permit/deny during onboarding. If not using the default authorization
method, add Cisco VSA Method-List={authorization-method-list} under Advanced Attribute
Settings.
Example:


Step 4 Scroll to Common Tasks and confirm that Web Redirection (CWA, MDM, NSP, CPP) is checked and
contains the following settings.

Hot Spot   ACL: ACL_WEBAUTH_REDIRECT   Value: Hotspot Guest Portal (default)

Note The authorization result shows a hotspot flow, with a named ACL sent to the controller to
indicate the redirection state and utilize the default Hotspot Portal. ACL_WEBAUTH_REDIRECT is
created in Step 4, on page 61 in Create Redirect ACL (Referenced via RADIUS), on page 60.
Example:

Step 5 Click Save.

Internet_Only Authorization
We will create Internet Only Authorization Profile.
Here you’re creating permissions to allow internet access for associated rules.

Procedure

Step 1 Click Authorization Profiles and then click Add.


Step 2 Set Name to Internet_Only.
Step 3 In Common Tasks check DACL Name and then select INTERNET_ACCESS.
Example:


Step 4 Click Submit.


Step 5 Create Policy Sets.
a) Navigate to Policy > Policy Sets.
b) Click the Gear icon on the first line in the Actions Column and then select Insert new row above.
Example:

c) Enter dCloud_Internal as the Policy Set Name.


d) Click + in the Conditions column
This opens the Conditions Studio.
e) On the right-hand-side click Click to add an attribute.
f) Under dictionary, select RADIUS.
This filters the list to standard RADIUS attributes.
g) In the text box under Attribute, type Called to narrow the selection list and pick Called-Station-ID.
Example:


h) Change Equals to Contains.


Note Using Contains will match on dCloud_Guest (as well as dCloud_Internal) without worrying
about what you added at the end to make it unique.
i) In the attribute value, enter dCloud_Internal (case sensitive).
Note Match the attribute value with the WLAN name pattern for dCloud_Internal configured in Create
WLAN Profiles, on page 51.
Example:

j) Click Use on the bottom of the page.


k) After returning to the main Policy Sets page, select Default Network Access under Allowed Protocols
/ Server Sequence.
Step 6 Repeat Step 5.a, on page 72 through Step 5.k, on page 73 above for dCloud_Guest (case sensitive).
Note Match the attribute value with the WLAN name pattern for dCloud_Guest configured in Create
WLAN Profiles, on page 51.

Step 7 Click Save.

The result should resemble the following image.


Create Policy for Internal SSID


Procedure

Step 1 In the View column for the dCloud_Internal policy set, click >.
Step 2 Click > next to Authorization Policy to expand the Authorization policy.
Step 3 Click x next to DenyAccess for default rule profiles.
This forces you to select another profile.
Step 4 Select NSP_Onboard from the list.
Note This rule is used for those devices that are not using EAP-TLS and require BYOD onboarding.
Example:

Step 5 Click + above the default rule.


This lets you create an authorization rule.
Step 6 In Rule Name, enter EAP-TLS.
Step 7 Click + to open the Conditions Studio.
Step 8 On the right-hand-side, click Click to add an attribute.
Step 9 Under dictionary, select Network Access.
This filters the list to Network Access attributes.
Step 10 Select EapAuthentication from the list.
Step 11 In the attribute value, select EAP-TLS.
Step 12 Click Use on the bottom of the page.
Example:


Step 13 After returning to the dCloud_Internal Policy Sets page, navigate to Results > Profiles, and then select
PermitAccess.
Step 14 Click Save.
Example:

Step 15 Click the Policy Sets hyperlink in the top left corner of the page to return to the main policy set page.

Create Policy for Guest SSID

Note The default setup for guest would include most of these authentication policies. We are showing it in case
you are not using the defaults.

Procedure

Step 1 In the View column for the dCloud_Guest policy set, click >.
Step 2 Next to Authentication Policy, click > to expand the Authentication policy.
Step 3 In the Use column, select Internal Endpoints.
Step 4 Click > Options to display the advanced options.


Step 5 If you receive the message, If User not found select CONTINUE.
Example:

Step 6 Next to Authorization Policy, click > to expand the Authorization policy.
Step 7 Next to DenyAccess click x for default rule profiles.
This forces you to select another profile.
Step 8 Select Cisco_WebAuth from the list.
Step 9 Above the Default rule, click + to create an authorization rule.
Step 10 In Rule Name, enter Guest Endpoint.
Step 11 Click + to display the Conditions Studio.
Step 12 On the right-hand-side, click Click to add an attribute.
Step 13 Under dictionary, select IdentityGroup.
This filters the list to IdentityGroup attributes.
Step 14 Select Name from the list.
Step 15 In the attribute value, select Endpoint Identity Groups:GuestEndpoints.
Note This rule permits any endpoints registered in GuestEndpoints after accepting the AUP.

Step 16 Click Use on the bottom of the page.


Example:


Step 17 After returning to the dCloud_Guest Policy Sets page, under Results > Profiles, select Internet_Only
Example:

Step 18 Click Save.


The result should resemble the following (note that we are not configuring the Guest Login example). For
more information, refer to ISE Guest & Web Authentication.

Step 19 In the top left corner of the page, click the Policy Sets hyperlink to return to main policy set page.
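As an added example, not taken from the lab guide or from ISE, the following Python models the two policy sets built in this scenario (the Called-Station-ID Contains condition from Step 5 of Internet_Only Authorization, and the authorization rules from Create Policy for Internal SSID and Create Policy for Guest SSID) as ISE evaluates them: top-down, first match, with the Default rule as the fallback. The sample Called-Station-ID values are constructed in the ap-macaddress-ssid format and assume a ':' between the AP MAC and the SSID, which the guide does not state.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# A RADIUS request reduced to the attributes the lab's conditions look at.
Request = Dict[str, str]
Condition = Callable[[Request], bool]


def contains(attr: str, text: str) -> Condition:
    # ISE "Contains" is a case-sensitive substring test, which is why the guide
    # says dCloud_Guest also matches dCloud_Guestx for any pod suffix x.
    return lambda req: text in req.get(attr, "")


def equals(attr: str, text: str) -> Condition:
    return lambda req: req.get(attr) == text


@dataclass
class Rule:
    name: str
    condition: Condition
    profile: str  # authorization profile returned when the rule matches


@dataclass
class PolicySet:
    name: str
    condition: Condition
    rules: List[Rule]
    default_profile: str  # the Default authorization rule at the bottom of the set


# The two policy sets built in Scenario 6, in the top-down order ISE evaluates them.
POLICY_SETS = [
    PolicySet(
        "dCloud_Internal",
        contains("Called-Station-ID", "dCloud_Internal"),
        [Rule("EAP-TLS", equals("EapAuthentication", "EAP-TLS"), "PermitAccess")],
        "NSP_Onboard",
    ),
    PolicySet(
        "dCloud_Guest",
        contains("Called-Station-ID", "dCloud_Guest"),
        [Rule("Guest Endpoint",
              equals("IdentityGroup", "Endpoint Identity Groups:GuestEndpoints"),
              "Internet_Only")],
        "Cisco_WebAuth",
    ),
]


def authorize(req: Request) -> Optional[Tuple[str, str, str]]:
    """Return (policy set, rule, authorization profile), or None when no policy
    set matches (ISE would then fall through to its own Default policy set)."""
    for pset in POLICY_SETS:
        if not pset.condition(req):
            continue
        for rule in pset.rules:  # authorization rules are also first-match, top-down
            if rule.condition(req):
                return pset.name, rule.name, rule.profile
        return pset.name, "Default", pset.default_profile
    return None


if __name__ == "__main__":
    # Constructed sample requests from pod 1 (AP MAC is a placeholder).
    onboarded = {"Called-Station-ID": "00-11-22-33-44-55:dCloud_Internal1",
                 "EapAuthentication": "EAP-TLS"}
    new_guest = {"Called-Station-ID": "00-11-22-33-44-55:dCloud_Guest1"}
    print(authorize(onboarded))  # ('dCloud_Internal', 'EAP-TLS', 'PermitAccess')
    print(authorize(new_guest))  # ('dCloud_Guest', 'Default', 'Cisco_WebAuth')
```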

Scenario 7: Client Testing for Guest & BYOD


Exercise Objective
Now that we have working configurations that show what is needed for Guest, BYOD and secure
wireless, we can connect with a real client. If you don't have an Apple device, ask the proctor to use their
device. You can use your own device for the guest flow, but for BYOD we ask you to use an Apple iOS
device for simplicity of configuration and for time purposes.

Test Hotspot Flow


Procedure

Step 1 On your client device, go to your wireless configuration, and then connect to dCloud_Guestx.
On Apple iOS devices the Captive Network Assistant should start.
Step 2 Enter the access code dcloud (all lowercase).
Step 3 Click Accept.
Your device connects and you should be able to browse the internet.


Step 4 On the 9800, navigate to Monitoring > Wireless > Clients.


Notice your client in Run State.

Step 5 In ISE, navigate to Operations > RADIUS > Live Logs and notice the following. You may need to change
some of the column sizes and scroll to the right to see this.
• Device first connects as an Apple-Device.
• User enters the code and accepts the AUP.
• Device is registered and placed into the Guest Endpoint group with internet access.

Notice how the device was identified as an iPhone after it hit the portal. This is part of our device profiling
service.

Step 6 In the upper left, switch to live sessions view.


Here you can do COA actions on the endpoint such as terminate or re-auth if needed.
Step 7 Navigate to Context Visibility > Endpoints and look through the endpoint information available there.
Step 8 Disable your device's wireless connection.
Step 9 Under Context Visibility, delete the selected endpoint.
Example:

This allows us to go through the BYOD flow as a new client.


Test BYOD flow


Procedure

Step 1 On your Apple iOS device, connect to the dCloud_Internalx SSID.


Step 2 Connect with credentials employee/C1sco12345.
Step 3 Trust the certificate presented.
Step 4 Open Safari and navigate to enroll.cisco.com.
Note This site is an HTTP site that redirects.

Step 5 Click Start and follow the prompts to go through BYOD process.
After the process completes you will receive a success page and should be able to browse the internet.
Step 6 Navigate to ISE > Operations > RADIUS > Livelogs.
Notice the flow the device went through, similar to Guest.
• Device first connects as an Apple-Device.
• User is redirected to the BYOD portal for onboarding (NSP_Onboard).
• Device is registered and configured with a certificate for certificate-based authentication.

Notice how the device was identified as an iPhone after it hit the portal. This is part of our device profiling
service.

Scenario 8: Create a Flex Connect WLAN


Exercise Objective
In this exercise we’re going to configure the employee network to bridge in Flex connect mode so that wireless
clients are bridged to the network directly at the AP. This is particularly advantageous when the local site
doesn’t have a WLAN controller and you do not want the wireless client’s data plane traversing the WAN.


Exercise Description
The work of building out the enterprise WLANs has been done. Now we’re going to go through a few simple
steps to make that WLAN available to run in Flex mode. This includes:
• Create your Flex Profile
• Create a new Policy for the Flex WLAN
• Modify the Employee WLAN to use the new Policy
• Create a new Site Tag for Flex
• Apply the new Site Tag to your AP
• Test Connectivity

Create your Flex Profile


We need to define a Flex Profile on the 9800. This tells the AP how to interact with the switch it is connected to.

Procedure

Step 1 Navigate to Configuration > Tags & Profiles > Flex and then click Add.
Example:

Step 2 Name the new profile Podx_Flex and set Native VLAN ID to 33.
Example:
Step 3 Select the VLAN tab, select Add, enter VLAN Name VLAN34, and then set VLAN Id to 34.
Example:


Note This tells the AP that these VLANs are available at the AP. For our lab we’re only configuring one VLAN, but in the real world you would likely configure multiple VLANs.

Step 4 Select Save and then select Save & Apply to Device.

Create a new Policy for the Flex WLAN


Now we are going to define a new Policy Profile that defines how the WLAN will be managed and how the wireless clients will connect to the wired network at the AP.

Procedure

Step 1 Navigate to Configuration > Tags & Profiles > Policy and then select Add.
Example:

Step 2 In the General tab configure the following settings.

Parameter               Value      Notes
Name                    Podx_Flex_Profile
Status                  ENABLED
WLAN Switching Policy
Central Switching       DISABLED   Will not tunnel clients to the controller. Click Yes.
Central Authentication  ENABLED    Authentication from the WLC.
Central DHCP            DISABLED   DHCP at the local VLAN.
Central Association     DISABLED   Association state maintained at the AP.

Example:

Step 3 Select the Access Policies tab.
Step 4 For VLAN/VLAN Group under VLAN, enter 34.
You must manually enter 34; you won’t have VLAN34 to select.
Step 5 Select Save and Apply to Device.
Example:


Modify the Employee WLAN to use the new Policy


Now we will modify the Policy Tag for the WLAN we’re currently connected to. We need to change the employee SSID to use the new Policy we just created.

Procedure

Step 1 Navigate to Configuration > Tags & Profiles > Tags and then select iseEnabled.


Step 2 Select the dCloud_Internal WLAN Profile, change the Policy Profile to Podx_Flex_Profile, and then click the checkmark.
Example:
Step 3 Select Update & Apply to Device.
Note Notice the warning on the page before the update and apply. If you had a client connected to the WLAN, that client will lose connectivity. Also, if you look for your SSID, it is no longer being broadcast. Can you say why that SSID is no longer broadcast?

Create a new Site Tag for Flex


Now we create a Site Tag so that APs at this site will know they need to run in Flex mode.

Procedure

Step 1 Navigate to Configuration > Tags & Profiles > Tags, select the Site tab, and then select Add.
Example:


Step 2 Name the tag Podx_Flex_Site.


Step 3 Uncheck Enable Local Site.
Notice that Flex Profile now displays.
Step 4 For Flex Profile select Podx_Flex.
Step 5 Select Save & Apply to Device.

Apply the new Site Tag to your AP


The last step is to apply the new settings to the AP. There is only one setting that actually needs to be applied differently at the AP.

Procedure

Step 1 Navigate to Configuration > Wireless > Access Points and select your AP.
Step 2 In Tags, change Site to Podx_Flex_Site.
Notice the warning about changing tags and that the AP is currently in Local mode.
Example:

Step 3 Click Update & Apply to Device.
Note Because you are changing your AP from Local mode to Flex mode, the AP will reboot.
Step 4 Test Connectivity. After your AP has rebooted, associate your device to the internal SSID for your pod again. Notice that you are now getting an IP address in the 192.168.34.x subnet. That is the local subnet available at the switch.
Step 5 Log into the 9800 and look at the details of the client connectivity; notice the FlexConnect details.
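For reference, the IOS-XE CLI equivalent of the GUI steps in this scenario (Flex profile, policy profile, site tag, policy-tag change, AP tagging and verification), added here as an example and not part of the original lab guide. Podx stands for your pod number as elsewhere in the guide, and the AP Ethernet MAC address is a placeholder.

```ios
! Added example: IOS-XE CLI equivalent of the Scenario 8 GUI steps.
! Podx is your pod number; the AP MAC address below is a placeholder.
configure terminal
!
! Flex profile: native VLAN on the AP's switch port and the locally switched VLAN
wireless profile flex Podx_Flex
 native-vlan-id 33
 vlan-name VLAN34
  vlan-id 34
!
! Policy profile: client data stays at the AP, authentication stays on the WLC
! (central authentication is enabled by default and is left as is)
wireless profile policy Podx_Flex_Profile
 no central switching
 no central dhcp
 no central association
 vlan 34
 no shutdown
!
! Site tag: clearing local-site makes APs with this tag run in Flex mode
wireless tag site Podx_Flex_Site
 no local-site
 flex-profile Podx_Flex
!
! Point the employee WLAN in the existing policy tag at the new policy profile
wireless tag policy iseEnabled
 wlan dCloud_Internal policy Podx_Flex_Profile
!
! Tag the AP (placeholder MAC); the AP reboots when it changes from Local to Flex mode
ap 0000.0000.0001
 site-tag Podx_Flex_Site
end
!
! Verification: confirm the profiles, the tag, the AP's tag and the client's state
show wireless profile flex detailed Podx_Flex
show wireless profile policy detailed Podx_Flex_Profile
show wireless tag site detailed Podx_Flex_Site
show ap tag summary
show wireless client summary
```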

CHAPTER 6
What's Next?
• What's Next, on page 87

What's Next
Check out the other ISE demos at http://cs.co/selling-ise-demos
Talk about it on the dCloud Community.
