Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
© 2020 Cisco Systems, Inc. All rights reserved.
CONTENTS
CHAPTER 1 About
About This Demonstration
Hands-on Description
About This Solution
CHAPTER 2 Requirements
Requirements
CHAPTER 3 Topology
Topology
Before Presenting
Get Started
CHAPTER 5 Scenarios
What's Next
Hands-on Description
This hands-on lab will walk students through multiple exercises to provide an introduction to the new Cisco
9800 WLAN Controller. Here is an overview of the steps you will walk through in this lab.
• Use the Basic WLAN Design Flow to create a WLAN
• Test the WLAN
• Review the Configuration that was generated from the Basic Design Flow
• Review the CLI for the WLAN Configuration
• ISE Configuration
• Validate C9800 is added to ISE as Network Device
• Modify Native Supplicant Provisioning Profile
• Review Portals
• BYOD Portal
• Hotspot Portal
• Create/Review downloadable ACLs (dACLs)
• Create/Modify Authorization Profiles
• NSP_Onboard
• Cisco_WebAuth
• Internet_Only
• Create Policy Sets
• Create Policy for Internal SSID
• Create Policy for Guest SSID
• Client Testing for Guest & BYOD
• Hotspot Flow
The Cisco Catalyst 9800 Series Wireless Controllers support open and programmable APIs that enable flexible
management and automation of your day-0 to day-N network operations. Model-driven streaming telemetry
provides deep insights into your network and client health.
For more information regarding the 9800 platform, please refer to
https://www.cisco.com/c/en/us/products/wireless/catalyst-9800-series-wireless-controllers/index.html
Requirements
The table below outlines the requirements for this preconfigured demonstration.
Required Details
Endpoint router with dCloud Endpoint Router Kit, example (819HWD router), registered and configured for dCloud
Standalone Access Point (CAPWAP in EZVPN1) or Standalone Access Point (CAPWAP2)
1- TCP Port 443 required.
2- UDP Port 5246 and 5247 required.
Can be used along with an Endpoint Router (preferred) but can also be used without. See this page for more information
Note Internal AP will not work with this demo and should be disabled.
Supported wireless access point for the C9800-CL v17.2. For more information refer to
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-2/release-notes/rn-17-2-9800.html#id_88396
Note It is required that you have at least two end user devices for this demonstration—one for monitoring and
connecting to the backend components, and at least one device to onboard.
Important If you plan on onboarding a laptop during the demonstration, it is required that you have a second laptop. The
first laptop would be necessary to access the dCloud Workstation1 via RDP or the component portal(s) directly
using the VPN option (to show the ISE UI and other demo features) and the second laptop would be necessary
to demonstrate joining the hotspot or guest networks.
Topology
This content includes preconfigured users and components to illustrate the scripted scenarios and features of
the solution. Most components are fully configurable with predefined administrative user accounts. You can
see the IP address and user account credentials to use to access a component by clicking the component icon
in the Topology menu of your active session and in the scenario steps that require their use.
Before Presenting
Cisco dCloud strongly recommends that you perform the tasks in this document before presenting in front of
a live audience. This will allow you to become familiar with the structure of the document and content.
Get Started
Follow the steps to schedule a session of the content and configure your presentation environment.
Procedure
Step 2 For best performance, connect to the workstation with Cisco AnyConnect VPN [Show Me How] and the local
RDP client on your laptop [Show Me How]
Workstation 1: 198.18.133.36, Username: administrator, Password: C1sco12345
Note You can also connect to the workstation using the Cisco dCloud Remote Desktop client [Show Me
How]. The dCloud Remote Desktop client works best for accessing an active session with minimal
interaction. However, many users experience connection and performance issues with this method.
Note The WLC login for this demo requires session specific credentials. The username is the name you
use to log in to the dCloud UI and the password is the session ID. You can obtain this information
from the session details section of your active demo. The generic username of dcloud is also provided,
and can be used with the unique session ID as password, if necessary.
You now have the option of connecting to Workstation1 through the AP. [Show Me How]
You may need to complete additional demonstration preparation activities, based on the location of your
demonstration.
• Complete the additional demonstration preparation activities for demonstrating at a Cisco Office. [Show
Me How]
• Complete the additional demonstration preparation activities for demonstrating at a Customer Site. [Show
Me How]
Exercise Description
In this Exercise you will use the Basic WLAN Setup to perform the following tasks.
• Define a Location
• Create and Apply the WLAN to the location
• Provision an AP to the location
• Define DHCP Server
• Review Configuration
• Test Connectivity
Define a Location
The Basic Wireless configuration starts from defining a location. This is the location that will deploy APs
and the APs will support the defined wireless services.
Procedure
Step 2 Select the Wireless Setup icon from the top right of the 9800 browser interface and from the drop down select
Basic.
Example:
Step 4 Under the General tab, create a Location Name of Podx_location (where x is your pod number). Leave
the Location Type as Local and Client Density as Typical.
Example:
Note While we set this Location Name to Pod1_location, remember that assigning a Podx_location
name is relative. As a user, you can name your own location name as desired. Pod name\number is
needed mostly in a group environment to keep multiple user AP SSIDs from overlapping.
Example:
Use the default setting for all those not listed above. Explore the other tabs and notice the configuration options.
Also notice the other tabs under the Security tab.
Step 9 After exploring, select Save & Apply to Device, which will return you to Add Location Setup.
Step 10 Under Policy Details select mgmt for VLAN/VLAN Group.
Notice the characteristics of the policy, all centralized services.
Step 11 Select Add.
You have now created the WLAN and the policy applied to that WLAN.
Procedure
You have now created the WLAN and applied it to the AP.
Procedure
Example
Review Configuration
You have now created a fully functional WLAN. Take the time to explore the configurations that have been
applied.
Procedure
Step 4 Go to Configuration > Tags & Profiles > Policy and select Podx_location_WLANID_1.
Step 5 Explore the details of the policy.
Step 6 Navigate to Configuration > Tags & Profiles > Tags.
Notice there are 4 Tags – Policy, Site, RF, AP. Review the details of each tab for Pod1_location. For the AP
tab under Static you’ll see your AP selected with Policy, Site and RF Tag all applied to Podx_location.
Step 7 Navigate to Configuration > Wireless > Access Points.
Step 8 Select the AP.
Notice the details of the APs settings. Also notice under Tags section that Podx_location is applied to Policy,
Site & RF.
Step 9 Select the Save icon at the top right of the 9800 browser interface.
Example:
This opens a new window that shows a comparison between the Startup Config on the 9800 and the current
Running Config. Notice the CLI commands added to the 9800 after going through the Basic WLAN Config.
Test Connectivity
The Basic Wireless configuration starts from defining a location. This is the location that will deploy an AP
and the AP will support the defined wireless services.
Procedure
What to do next
In the next section we will create another SSID using the advanced flow and connect to the device.
Exercise Description
In this Exercise you will use the Advanced WLAN Setup to:
• Create a WLAN Profile
• Create a Policy Profile
• Create a Policy TAG
• Tag the AP
• Test Connectivity
Note The C9800 configuration model maps a Policy Tag, Site Tag and RF Tag to access points.
In the previous exercise this was abstracted from the user by the basic configuration model.
Step 5 In Tags & Profile to the right side of the WLAN Profile section click on the + to start creating a new WLAN
Profile.
Example:
Step 6 Enter the following items in the 3 different tabs of the WLAN Dialog.
Example:
Use the default setting for all those not listed above. Explore the other tabs and notice the configuration options.
Also notice the other tabs under the Security tab.
Step 1 In Tags & Profile to the right side of the Policy Profile section click on the + to start creating a new Policy
Profile.
Step 2 Configure the Policy Profiles using the following table (any configuration not defined in the table assumes default
settings).
Example:
Figure 2: General Tab
Step 1 In Tags & Profile to the right side of the Policy Tag section click on + to start creating a new Policy Tag
Profile
Step 2 Enter Name: localPsk.
Step 3 In the Policy Tag window, click Add to map the following WLAN profile to a Policy Profile.
Example:
WLAN Profile Policy Profile
pod1-psk localPolicy
Step 1 In Tags & Profile navigate to the Apply section and click Tag APs.
Step 2 Select the Access Point and click the Tag APs button above the table.
Example:
Note This step causes the AP to rejoin the WLC and applies the configuration.
Procedure
Step 1 Using your personal laptop or mobile, connect to the lab network, pod1-psk using the credentials userid: PSK
and password: cisco123.
Step 2 Navigate to the Dashboard and observe that the client has joined the Access Point.
Step 3 Click on the client to open the details page and browse through the details.
Exercise Description
In this Exercise you will:
1. Enable the application visibility on the WLAN we have created in the previous exercise.
2. View the applications detected by WLC.
Step 1 Verify that the client is connected to the SSID pod1-psk and browse different applications, for example,
YouTube, Google, and a few other applications.
Step 2 Navigate to Monitoring > Services > Application Visibility.
Step 3 Verify the application is detected in the client view.
Example:
Step 4 Hover on the pie chart to show the application name, then click on Direction to verify the traffic in different
directions.
Example:
Step 5 Click on Applications to view the list of all the applications detected.
Example:
Parameter Value
Policy Name YoutubeBlock
Add Class-Maps +
AVC/User Define AVC
Match All
Drop Enabled
Match Type protocol
Selected Protocols (Select using the Arrow) youtube
Example:
Step 6 Attempt to browse YouTube on the client connected to the pod1-psk WLAN and note that YouTube is now
blocked.
Step 7 Navigate to Configuration > Services > QOS, check and then delete the Qos Policy, YoutubeBlock.
Exercise Description
• Enable local profiling and note the device type.
• View, set, and verify policies using local profiling.
• (Optional) If you have a Samsung (S10) device available, verify the information that Samsung devices
share with Cisco APs/WLCs as part of the ecosystem partnership.
Step 4 Navigate to Monitoring > Services > Local Profiling to show the detected device and details.
Example:
Create a local profiling policy to apply different policies based on device types
Procedure
Parameter Value
Service Template Name iPhone
VLAN ID 2
Example:
Parameters Values
Policy Map Name apple
Service Template iPhone
Device Type eq, Apple-Device
Example:
Parameter Value
Local Subscriber Policy Name apple
Example:
Observe that the device is recognized as an Apple device and is now in a different subnet.
Step 12 Click on the device and then navigate to General > Security Information in the client information box.
It shows the service template applied under the local policies and the device is now part of VLAN 2 (employee
VLAN) and not the mgmt VLAN.
Procedure
Step 1 Return to Monitoring > Wireless > Clients, click on the client to open the client details dialog and then open
the Client 360 view.
Step 2 Observe the additional information that Samsung Clients share with Cisco WLC’s and APs when local profiling
is enabled.
The exact model number, Carrier, Software version, and Client RSSI displayed comes from Samsung devices.
Example:
Step 3 (Optional) For any non-Apple device, after you are connected to the proper network, see the Device Type
assigned as Un-Classified Device.
Example:
Step 4 (Optional) Click on the device MAC Address and see its 360 view details.
Example:
Exercise Description
The following diagram illustrates the steps we’ll configure on the 9800 controller. Some of the settings
are preconfigured. For any preconfigured settings, we will review the settings.
Procedure
Step 1 Using your personal laptop, connect to the lab network, pod1-psk using credentials userid: PSK and password
cisco123.
Step 2 Using a Chrome browser go to 198.19.11.10 and log in with username/session ID.
In the dashboard you’ll see that the AP is joined to the controller.
Step 3 Navigate to Configuration > Security > AAA > Servers / Groups > Servers.
Step 4 Click Add and enter the information in the following table.
Use the default settings for any values not in the table.
Parameter Value
Name* ISE01
IPv4 /IPv6 Server Address* 198.18.133.27
PAC Key (Not selected)
Key Type Clear
Key* (and confirm) C1sco12345
Support for CoA Enabled
Example:
Parameter Value
Name ISE
Dead-Time (mins) 10
Available Servers ISE01(move to assigned)
The Dead-Time setting controls how long the RADIUS server in the group will be marked as dead when it
fails to authenticate or fails to respond to RADIUS probes. This setting is only useful when more than one
RADIUS server is configured.
Example:
Step 5 Navigate to Configuration > Security > AAA > AAA Advanced > Global Config and confirm the default
settings, which dictate how the controller will communicate with the RADIUS server:
RADIUS Server Load Balance: When enabled, and if there is more than one RADIUS server, the controller
will send RADIUS requests to each RADIUS server in sequence based on batch settings.
Step 6 Click Show Advanced Settings >>> and note the Call Station ID under Authentication Column.
This is the attribute that C9800 populates during authentication. The default CID field is formatted as
ap-macaddress-ssid. ISE uses the SSID from the CID field for policy matching purposes.
Step 1 Navigate to Configuration > Security > AAA > AAA Method List > Authentication, and then click Add.
Step 2 Create the Authentication list using the following information, which will be used for both OPEN SSID
(dCloud_Guest) and SECURE SSID (dCloud_Internal):
Name default
Type Dot1x
Group-Type Group
Available Server Groups ISE (move to assigned)
Notes The existing default method list entry of Type login is SSH to the WLC for CLI access.
For the authentication list, another name can be used. We are using default so that it has the same name as the
authorization list, for which the name default has a special meaning. If clients fail to associate,
and authentication requests are not showing up in the ISE Live Log, try setting the authentication
list name to default as shown above.
Step 4 Go to Configuration > Security > AAA > AAA Method List > Authorization, click Add, and then enter
the following information for the AAA Authorization list that will be shared for both SSIDs.
Parameter Value
Name default
Type Network
Group-Type Group
Available Server Groups ISE (move to assigned)
Notes The existing default method list entry of Type exec is SSH to the WLC for CLI access.
The Authorization name default is significant here since there is no Authorization list that can
be defined within the 802.1X WLAN. By using default as name, C9800 can use ISE to get
additional authorization details such as dACL operation. If the default authorization list cannot be
used or is not desired, then a named authorization list can be created and can be referenced via RADIUS
server as a Cisco VSA. The Cisco VSA to use is Method-List={authorization-method-list}, which
can be configured in ISE advanced attribute settings. Please see the examples at the end of the
document.
Step 6 Navigate to Configuration > Security > AAA > AAA Method List > Accounting, and then click Add.
Step 7 Enter the following information for the AAA Authorization list that will be shared for both SSIDs.
Parameter Value
Name default
Type identity
Available Server Groups ISE (move to assigned)
Procedure
Step 1 Navigate to Configuration > Security > Webauth > Webauth Parameter Map and then click Add.
Example:
Create VLANs
Note Do not change anything in this section. This is already done for you because it’s a basic item on the controller.
Procedure
Step 1 Navigate to Configuration > Layer 2 > VLAN > VLAN and then click Add.
Step 2 Add two VLANs using the following table for User VLAN and Guest VLAN.
These VLANs will be mapped to SECURE SSID (dCloud_Internal) and OPEN SSID (dCloud_Guest)
respectively using policy profiles and tags.
Example:
Step 1 Navigate to Configuration > Tags & Profiles > WLANs and then click Add.
Step 2 Add WLANs using the following table for OPEN WLAN (dCloud_Guest) and SECURE WLAN (dCloud_Internal).
These WLANs will be mapped to the AP using tags (any configuration not defined in the table assumes
default settings).
Note There is no reference to an authorization list for dCloud_Internalx SSID. This is not an issue for
AAA override operation that applies authorization directly from RADIUS ACCESS-ACCEPT
response. However, this is an issue for applying dACL as it requires additional RADIUS
communication which requires an authorization list. To address this issue, either use the special
name default as the authorization list as configured in the preceding steps or configure ISE to send Cisco
VSA Method-List={authorization-method-list} with ACCESS-ACCEPT when dACL is used.
Procedure
Step 1 Navigate to Configuration > Tags & Profiles > Policy and then click Add.
Step 2 Add Policy Profiles for both WLANs using the following table.
(Any configuration not defined in the table assumes the default setting.)
Step 1 Navigate to Configuration > Tags & Profiles > Tags and, under Policy, click Add.
Step 2 Enter Name: iseEnabled.
Step 3 In the iseEnabled Tag window, click Add to map the following WLANs to matching policy profiles.
Procedure
Step 1 Navigate to Configuration > Security > ACL and then click Add.
Step 2 In ACL Name: enter ACL_WEBAUTH_REDIRECT.
Example:
(Optional) Create URL Filter for BYOD Flow (Referenced via RADIUS)
Note Use this only as a reference; we are not using it in the lab delivery.
Unlike AireOS, which allows DNS entries to be part of the redirect ACL, a separate URL filter has to be created
and called via a RADIUS attribute from ISE to permit access to Internet hosts using FQDNs. We will
not be using Android in this lab but leave this configuration as an example of usage with the 9800s.
Procedure
Name BYOD-URL-Filter
Type PRE-AUTH
Action Permit
URLs *.google.com
accounts.youtube.com
gstatic.com
*.googleapis.com
*.appspot.com
ggpht.com
gvt1.com
market.android.com
android.pool.ntp.org
*.googleusercontent.com
*.google-analytics.com
Step 3 Click Update & Apply to Device.
Important Save the configuration.
Exercise Description
The following diagram shows the related ISE configuration at a high level. Many of the settings are already
preconfigured on ISE. For preconfigured settings, we will review the settings.
Procedure
Step 1 On workstation1, open Firefox or Chrome, connect to ISE 2.4 at 198.18.133.27, and then log in with
admin/C1sco12345.
Step 2 Navigate to Administration > Network Resources > Network Devices.
Step 3 Verify that WLC1 is listed.
a) Click WLC1.
b) Review the following settings.
Setting Value
Network Devices Settings
Name WLC1
IP Address 198.19.11.10/32
Device Profile Cisco
RADIUS authentication Settings
Shared Secret C1sco12345
CoA Port 1700
Example:
Step 4 Click Network Devices at the top to return to the list of network devices.
Procedure
Step 1 Navigate to Policy > Policy Elements > Results > Client Provisioning > Resources > .
Step 2 Check Cisco-ISE-NSP and then click Edit.
There are a lot of entries to choose from, so you may want to search with your browser. Cisco-ISE-NSP is
about ¾ of the way down the list.
This is the Native Supplicant Profile referenced and used in the ISE Client Provisioning Policy (Policy >
Client Provisioning Policy > Apple iOS Devices).
Step 3 After selecting, scroll down, check the ISE box, and then click Edit to modify the Wireless Profile.
Step 4 Change the SSID Name from ISE to dCloud_Internalx and confirm the rest of the settings.
Note The SSID Name must match exactly with the same character case to the secure SSID name (e.g.
dCloud_Internalx) configured in Create WLAN Profiles, on page 51 or the client will not reconnect
with the certificate after completing BYOD.
Parameter Value
SSID Name * dCloud_Internalx
Security * WPA2 Enterprise
Allowed Protocol * TLS
Certificate Template EAP_Authentication_Certificate_Template
Procedure
Step 1 Navigate to Work Centers > BYOD > Portals & Components > BYOD Portals.
Step 2 In Portal Name: select BYOD Portal (default).
Step 3 Note the BYOD Flow and notice the detail settings.
Step 4 Click Close.
Procedure
Step 1 Navigate to Work Centers > Guest Access > Portals & Components > Guest Portals.
Step 2 Click Hotspot Guest Portal (default).
Step 3 Review the portal flow and the setting details.
Step 4 Expand the AUP Page settings.
Example:
We are using an access code, dcloud, to prevent anyone who may be near our wireless signal from using our
hotspot.
Procedure
Step 1 Navigate to Policy > Policy Elements > Results > Authorization > Downloadable ACLs.
Step 2 Click Add.
Step 3 Enter CWA.
Step 4 Expand Check DACL Syntax to verify the ACL is correct and then enter the lines for CWA from the following
table.
Note For the other ACLs, please use the table as reference. These are already built on ISE for you.
Name: INTERNET_ACCESS
This ACL already exists on ISE, use this as an example for what to include and why.
ACL content:
permit udp any host 198.18.133.1 eq domain
permit tcp any host 198.18.133.27 eq 8443
permit tcp any host 198.18.133.27 eq 8084
deny ip any 198.18.0.0 0.1.255.255
permit ip any any
Description: Deny internal IP for dCloud and internal client networks and allow rest of the IP for Internet Access
and to ISE (portal success pages) and DNS.
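To see what the INTERNET_ACCESS dACL above actually permits, the following added example (not part of the Cisco guide) parses its five lines, applies first-match evaluation to a few constructed flows, and reports the address range covered by the wildcard mask 0.1.255.255. The sample flows and all function names are assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

# ACL lines copied from the INTERNET_ACCESS table on this page.
INTERNET_ACCESS = """\
permit udp any host 198.18.133.1 eq domain
permit tcp any host 198.18.133.27 eq 8443
permit tcp any host 198.18.133.27 eq 8084
deny ip any 198.18.0.0 0.1.255.255
permit ip any any
"""

NAMED_PORTS = {"domain": 53}  # the only named port this ACL uses


class Ace(NamedTuple):
    action: str          # "permit" or "deny"
    proto: str           # "ip", "tcp" or "udp"
    net: int             # destination address as a 32-bit integer
    wild: int            # wildcard mask: 1 bits are "don't care"
    port: Optional[int]  # destination port for "eq", else None
    text: str            # original line, for reporting


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def parse_ace(line: str) -> Ace:
    """Parse the subset of extended-ACL syntax this dACL uses (source is always 'any')."""
    tok = line.split()
    if len(tok) < 4 or tok[0] not in ("permit", "deny") or tok[2] != "any":
        raise ValueError(f"unsupported ACE: {line!r}")
    action, proto, rest = tok[0], tok[1], tok[3:]
    if rest[0] == "any":
        net, wild, rest = 0, 0xFFFFFFFF, rest[1:]
    elif rest[0] == "host":
        net, wild, rest = ip_to_int(rest[1]), 0, rest[2:]
    else:
        net, wild, rest = ip_to_int(rest[0]), ip_to_int(rest[1]), rest[2:]
    port = None
    if rest:
        if len(rest) != 2 or rest[0] != "eq":
            raise ValueError(f"unsupported port match: {line!r}")
        port = NAMED_PORTS[rest[1]] if rest[1] in NAMED_PORTS else int(rest[1])
    return Ace(action, proto, net, wild, port, line.strip())


def parse_acl(text: str) -> list:
    return [parse_ace(line) for line in text.splitlines() if line.strip()]


def wildcard_range(ace: Ace) -> tuple:
    """First and last address an ACE covers (valid for contiguous wildcards)."""
    lo = ace.net & ~ace.wild & 0xFFFFFFFF
    hi = ace.net | ace.wild
    return str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(hi))


def evaluate(acl, proto, dst, dport=None):
    """First-match evaluation; returns (action, matching line)."""
    d = ip_to_int(dst)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue  # protocol does not match
        if (d ^ ace.net) & ~ace.wild & 0xFFFFFFFF:
            continue  # a bit the wildcard cares about differs
        if ace.port is not None and ace.port != dport:
            continue  # "eq" port does not match
        return ace.action, ace.text
    return "deny", "(implicit deny at end of ACL)"


ACL = parse_acl(INTERNET_ACCESS)

# Constructed sample flows (protocol, destination, port); not taken from the lab.
FLOWS = [
    ("udp", "198.18.133.1", 53),     # DNS server named in the ACL
    ("tcp", "198.18.133.27", 8443),  # ISE portal port named in the ACL
    ("tcp", "198.18.133.27", 443),   # ISE on a port the ACL does not list
    ("tcp", "198.19.11.10", 443),    # WLC address used in this lab
    ("tcp", "203.0.113.10", 443),    # Internet host (documentation address)
]

if __name__ == "__main__":
    print("deny line covers", " - ".join(wildcard_range(ACL[3])))
    for proto, dst, port in FLOWS:
        action, line = evaluate(ACL, proto, dst, port)
        print(f"{proto} {dst}:{port:<5} -> {action:6} [{line}]")
```

Because evaluation stops at the first match, moving the deny line above the three specific permits would block DNS and the ISE portal ports as well.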
Example:
Procedure
Step 1 Navigate to Policy > Policy Elements > Results > Authorization > Authorization Profiles > .
Step 2 Check NSP_Onboard checkbox and then click Edit.
Step 3 Verify that the DACL Name checkbox and ISE_PROVISION_ACCESS are selected.
Note This is the downloadable ACL to permit/deny defined during onboarding. If not using the default
authorization method, add Cisco VSA Method-List={authorization-method-list} under Advanced
Attribute Settings.
Example:
Step 4 Scroll to Common Tasks and confirm that Web Redirection (CWA, MDM, NSP, CPP) is checked and has
the following settings.
Example:
Notes The authorization result shows a BYOD flow, with an ACL sent to the controller to indicate
redirection state and utilize the default BYOD Portal. ACL_WEBAUTH_REDIRECT is created in
Step 4, on page 61 in Create Redirect ACL (Referenced via RADIUS), on page 60.
[For Reference only] This lab is not using the BYOD-URL-Filter, which permits access to certain
internet sites during BYOD for Android devices. If you need that in your own lab, add the following
Cisco VSA under Advanced Attribute Settings: Cisco:cisco-av-pair =
url-filter-preauth=BYOD-URL-Filter, where BYOD-URL-Filter exactly matches the name configured
in C9800 WLC in Step 2, on page 62 in (Optional) Create URL Filter for BYOD Flow
(Referenced via RADIUS), on page 61.
Procedure
Step 4 Scroll to Common Tasks and confirm that Web Redirection (CWA, MDM, NSP, CPP) is checked and
contains the following settings.
Hot Spot ACL select ACL_WEBAUTH_REDIRECT value select Hotspot Guest Portal (default)
Note The authorization result shows a hotspot flow, with a named ACL sent to the controller to
indicate redirection state and utilize the default Hotspot Portal. ACL_WEBAUTH_REDIRECT is
created in Step 4, on page 61 in Create Redirect ACL (Referenced via RADIUS), on page 60.
Example:
Internet_Only Authorization
We will create the Internet Only Authorization Profile.
Here you’re creating permissions to allow internet access for associated rules.
Procedure
Step 1 In the View column for the dCloud-Internal policy set, click >.
Step 2 Click > next to Authorization Policy to expand the Authorization policy.
Step 3 Click x next to DenyAccess for default rule profiles.
This forces you to select another profile.
Step 4 Select NSP_Onboard from the list.
Note This rule is used for those devices not using EAP-TLS and requires BYOD onboarding.
Example:
Step 13 After returning to the dCloud_Internal Policy Sets page, navigate to Results > Profiles, and then select
PermitAccess.
Step 14 Click Save.
Example:
Step 15 Click the Policy Sets hyperlink in the top left corner of the page to return to the main policy set page.
Note The default setup for guest would include most of these authentication policies. We are showing it in case
you are not using the defaults.
Procedure
Step 1 In the View column for the dCloud_Guest policy set, click >.
Step 2 Next to Authentication Policy, click > to expand the Authentication policy.
Step 3 In the Use column, select Internal Endpoints.
Step 4 Click > Options to display the advanced options.
Step 5 If you receive the message, If User not found select CONTINUE.
Example:
Step 6 Next to Authorization Policy, click > to expand the Authorization policy.
Step 7 Next to DenyAccess click x for default rule profiles.
This forces you to select another profile.
Step 8 Select Cisco_WebAuth from the list.
Step 9 Above the Default rule, click + to create an authorization rule.
Step 10 In Rule Name, enter Guest Endpoint.
Step 11 Click + to display the Conditions Studio.
Step 12 On the right-hand-side, click Click to add an attribute.
Step 13 Under dictionary, select IdentityGroup.
This filters the list to Network Access attributes.
Step 14 Select Name from the list.
Step 15 In the attribute value, select Endpoint Identity Groups:GuestEndpoints.
Note This rule permits any endpoints registered in GuestEndpoints after accepting the AUP.
Step 17 After returning to the dCloud_Guest Policy Sets page, under Results > Profiles, select Internet_Only.
Example:
Step 19 In the top left corner of the page, click the Policy Sets hyperlink to return to main policy set page.
Step 1 On your client device, go to your wireless configuration, and then connect to dCloud_Guestx.
On Apple iOS devices the Captive Network Assistant should start.
Step 2 Enter the access code dcloud (all lowercase).
Step 3 Click Accept.
Your device connects and you should be able to browse the internet.
Step 5 In ISE, navigate to Operations > RADIUS > Live Logs and notice the following. You may need to change
some of the column sizes to see this and scroll to the right.
• Device first connects as an Apple-Device.
• User enters code and accepts AUP.
• Device is registered and placed into Guest Endpoint group with internet access.
Notice how the device was identified as an iPhone after it hit the portal. This is part of our device profiling
service.
Step 5 Click Start and follow the prompts to go through BYOD process.
After the process completes you will receive a success page and should be able to browse the internet.
Step 6 Navigate to ISE > Operations > RADIUS > Live Logs.
Notice the flow the device went through, similar to Guest.
• Device first connects as an Apple-Device.
• User is redirected to BYOD portal for onboarding (NSP_Onboard).
• Device is registered and configured with a certificate for certificate based authentication.
Notice how the device was identified as an iPhone after it hit the portal. This is part of our device profiling
service.
Exercise Description
The work of building out the enterprise WLANs has been done. Now we’re going to go through a few simple
steps to make that WLAN available to run in Flex mode. This includes:
• Create your Flex Profile
• Create a new Policy for the Flex WLAN
• Modify the Employee WLAN to use the new Policy
• Create a new Site Tag for Flex
• Apply the new Site Tag to your AP
• Test Connectivity
Procedure
Step 1 Navigate to Configuration > Tags & Profiles > Flex and then click Add.
Example:
Step 2 Name the new profile Podx_Flex and set Native VLAN ID to 33.
Example:
Step 3 Select the VLAN tab, select Add, enter VLAN Name VLAN34, and then set VLAN Id to 34.
Example:
Note This tells the AP we have these VLANs available at the AP. For our lab we’re only configuring 1
VLAN but in the real world you would likely configure multiple VLANs.
Step 4 Select Save and then select Save & Apply to Device.
Procedure
Step 1 Navigate to Configuration > Tags & Profiles > Policy and then select Add.
Example:
Example:
Procedure
Step 1 Navigate to Configuration > Tags & Policies > Tags and then select iseEnabled.
Step 2 Select the dCloud_Internal WLAN Profile, change the Policy Profile to Podx_Flex_Profile, and then click
the check mark.
Example:
Step 3 Select Update & Apply to Device.
Note Notice the warning on the page before the update and apply. If you had a client connected to the
WLAN, that client will lose connectivity. Also, if you look for your SSID, it is no longer being
broadcasted. Can you say why that SSID is no longer broadcasted?
Procedure
Step 1 Navigate to Configuration > Tags & Profiles > Tags, select the Site tab, and then select Add.
Example:
Procedure
Step 3 Click Update & Apply to Device.
Note Because you are changing your AP from local mode to Flex mode, the AP will reboot.
What's Next
Check out the other ISE demos at http://cs.co/selling-ise-demos
Talk about it on the dCloud Community.