Dual SSID's

I am looking into purchasing 2 1131AGs. What I want to do is have 1 access point on each floor of my building, 2 floors total. Now I want to make sure that when an employee gets on with a wireless laptop, he can access the wireless network with full permissions. When a guest comes, I want him to access only the internet and no internal network.
This brings me to create 2 separate SSIDs. One for Internal Network and one for Guests.
Is it possible to set up 2 different SSIDs on both Access points in this way so that a guest or employee walks between floors and has uninterrupted connectivity?
These access points will be connected to Cisco 3750 Layer 3 switches in a Windows server 2003 environment.
Users will have mixed vendor Wireless A G and B wireless network cards.
Is this possible?

Assuming you have the coverage you need with one AP per floor, yes, it's certainly possible.
Set up two VLANs, assign an SSID to each. Set up your L3 switch for trunking the two VLANs. Forward the traffic from your guest VLAN to your Internet gateway device, and send the traffic for the internal network to your network gateway device (putting that VLAN in a DMZ would be a good thing).
Put in some ACLs for good measure, establish whatever encryption you feel appropriate, and you're good-to-go.
The MS IAS can only handle PEAP, EAP-TLS, EAP-TTLS, and (probably) MD5. Using MS-CHAPv2 for internal auth is recommended. Microsoft has some pretty good white papers on setting all of this up on their site.
Good Luck
Scott
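The design Scott describes, as an added example that is not part of the original thread: one autonomous Aironet IOS configuration applied identically to both 1131AGs, plus the matching 3750 side that keeps guests off the internal network. Every name and address is an assumption: VLAN 10 / SSID INTERNAL authenticated by 802.1X (PEAP) against an IAS RADIUS server at 10.10.0.5 with a placeholder shared secret, VLAN 20 / SSID GUEST, AP management on native VLAN 1, guest gateway 192.168.20.1 on the 3750, public resolvers for guests, and AP uplinks on Gi1/0/1-2. The syntax is the 12.3/12.4 JA autonomous Aironet IOS the 1131AG runs; `!` comment lines are explanatory and are ignored by IOS.

```cisco
! ===== Aironet 1131AG, autonomous IOS; apply identically to both floors =====
! Added example, not the thread's own config. 10.10.0.5 and IAS-SHARED-SECRET are placeholders.
aaa new-model
aaa authentication login eap_methods group radius
radius-server host 10.10.0.5 auth-port 1812 acct-port 1813 key 0 IAS-SHARED-SECRET
!
! Employee SSID: 802.1X (PEAP against IAS) + WPA2/AES, bridged to VLAN 10.
! "open eap" serves mixed-vendor A/B/G supplicants; "network-eap" keeps Cisco/CCX cards working.
dot11 ssid INTERNAL
 vlan 10
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa version 2
 mbssid guest-mode
!
! Guest SSID: open, bridged to VLAN 20; Internet-only enforcement is the switch ACL below.
dot11 ssid GUEST
 vlan 20
 authentication open
 mbssid guest-mode
!
! 802.11b/g radio. Repeat this block and its three subinterfaces for Dot11Radio1 (802.11a).
! Add "tkip" to the VLAN 10 cipher list only if 802.11b-only cards must reach INTERNAL.
interface Dot11Radio0
 encryption vlan 10 mode ciphers aes-ccm
 ssid INTERNAL
 ssid GUEST
 mbssid
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
interface Dot11Radio0.10
 encapsulation dot1Q 10
 bridge-group 10
interface Dot11Radio0.20
 encapsulation dot1Q 20
 bridge-group 20
!
! Wired side: the same VLANs tagged toward the 3750; VLAN 1 (AP management) stays native.
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 bridge-group 1
interface FastEthernet0.10
 encapsulation dot1Q 10
 bridge-group 10
interface FastEthernet0.20
 encapsulation dot1Q 20
 bridge-group 20
!
interface BVI1
 ip address 10.1.1.11 255.255.255.0
!
! ===== Catalyst 3750 =====
vlan 10
 name INTERNAL
vlan 20
 name GUEST
!
! Assumed AP uplinks, one per floor. Both VLANs reach both APs, so a roaming client keeps its IP.
interface range GigabitEthernet1/0/1 - 2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,10,20
 switchport mode trunk
 spanning-tree portfast trunk
!
ip dhcp pool GUEST
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.1
 dns-server 8.8.8.8
!
! Guests may obtain an address and then go anywhere except RFC 1918 space (assumed internal use).
ip access-list extended GUEST-IN
 permit udp any eq bootpc any eq bootps
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip any any
!
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 ip access-group GUEST-IN in
```

Two points worth checking after pasting this in. First, roaming between floors works at the IP layer because the same VLANs are trunked to both APs and the SSID/security settings are identical; on autonomous APs without WDS, an INTERNAL client still performs a full 802.1X re-authentication when it re-associates, so the gap is the RADIUS round trip, not a new address. Second, the guest ACL sits on the 3750 SVI, not on the AP, so a guest who changes VLAN tags in the air gains nothing: the AP only bridges each SSID into its own VLAN, and anything arriving on VLAN 20 is filtered before it is routed.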

Similar Messages

  • Channel configuration on dual SSID

I am installing a few Aironets around an environment which requires dual SSID, one for Guest and the other for business.
    When configuring the channel for each SSID should I make both SSIDs on the same aironet the same channel and then ensure the closest aironet with the same dual SSIDs is both on the same but different (non-overlapping) channels ?
    Or should both SSIDs on each aironet be on different channels?
    Thank you.

    Channel selection ... Hmmmm ... autonomous IOS ... Not a good combo.
    I mean the issue here is your 802.11b radio.  If you have neighborhood wifi around, smart money 802.11b is being used and  Channels 1, 6 and 11 are used too.  No issues with 802.11a since there are more channels to play with.
    It's OK if you have a WLC because of the Dynamic Channel Assignment feature.  But with autonomous WAP, you need to constantly monitor your neighbor.

  • Creating Dual SSID's

We are running phat architecture (WLSE, ACS, 1230 APs) and PEAP. I want to create additional SSIDs on every AP (WPA-PSK) for vendors.
    My questions is this: "Are there any good documents that discuss the creation of dual SSID's, VLAN/AP configuration, and/or best practice approaches?"

    Hi Darin,
Yep, there are some documents.
    Using VLANs with Cisco Aironet Wireless Equipment
    http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801d0815.shtml
    For usage of a WLSE, PEAP and ACS have a look here
    Protected EAP (PEAP) Application Note
    http://www.cisco.com/en/US/products/hw/wireless/ps430/products_technical_reference_chapter09186a008025d6ee.html
    Additional Information about WDS can be found here
    Wireless Domain Services Configuration
    http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c951f.shtml
    These documents will give you the right hints for your task.
Best regards,
    Frank

  • AP1200 dual SSID's with 128 bit encryption

I'm trying to set up an AP1200 radio with two different SSIDs with encryption.
    Each SSID must use a different 128 bit WEP encryption.
    Both SSID's must have simultaneous access to the wireless radio.
I get the client & radio associated but cannot pass data, and the client's link speed is listed at 1Mbps.
Any help on this would be greatly appreciated.

    I too have tried this (multiple SSIDs with multiple wep keys). After re-reading the document pointed to in the previous reply I still do not know how to set multiple WEP keys and assign them to the SSIDs. The document doesn't mention WEP keys at all.
Anyone have a sample config using more than 1 WEP key and multiple SSIDs?
    michael

  • Cisco 877W Dual SSID/VLAN Security Issue

    Hi All
I have an issue with my 877W that is as fascinating as it is frustrating. I have two SSIDs/VLANs, one for trusted LAN users (PRIVATE), and one for guests (GUEST). The PRIVATE network is secured from the GUEST network by zone based firewall. Everything works fine, guest devices cannot access private devices, except for one thing - the BVI interface on the PRIVATE network is always accessible to guest devices, and all services open to attack e.g. telnet/ssh/http/dns etc. I've tried everything to secure this interface from the guest network, including putting deny any any on physical, BVI and VLAN interfaces.
Am I missing something obvious, or some fundamental architecture of the 877 that would stop this interface being secured? Any help appreciated!
    P.S config has been pared down to basics below
    version 15.1
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname ROUTER
    boot-start-marker
    boot-end-marker
    logging buffered 4096
    enable secret 5 $1$BdpF$r/mAhQGYs8LBlqEpANmke0
    no aaa new-model
    dot11 syslog
    dot11 ssid PRIVATE@123
     vlan 100
     authentication open
     authentication key-management wpa
     wpa-psk ascii 7 046B0A535A15441D2D0C11141A5A5F
    dot11 ssid VISITOR@123
     vlan 200
     authentication open
     authentication key-management wpa
     mbssid guest-mode
     wpa-psk ascii 7 03374C0A08392040420C00
    ip source-route
    no ip dhcp conflict logging
    ip dhcp excluded-address 172.16.1.1 172.16.1.10
    ip dhcp excluded-address 192.168.0.1 192.168.0.10
    ip dhcp pool GUEST
     utilization mark low 70 log
     network 172.16.1.0 255.255.255.0
     dns-server 192.168.0.1 61.9.242.33 61.9.226.33
     default-router 172.16.1.1
    ip dhcp pool PRIVATE
     utilization mark low 70 log
     network 192.168.0.0 255.255.255.0
     dns-server 192.168.0.1 61.9.242.33 61.9.226.33
     default-router 192.168.0.1
    ip cef
    no ipv6 cef
    multilink bundle-name authenticated
    username cisco privilege 15 password 7 073F205F5D1E491713
    policy-map type inspect PM-DENYGUEST
     class class-default
      drop
    zone security GUEST
    zone security PRIVATE
    zone-pair security GUEST-TO-PRIVATE source GUEST destination PRIVATE
     service-policy type inspect PM-DENYGUEST
    bridge irb
    interface ATM0
     no ip address
     shutdown
     no atm ilmi-keepalive
    interface FastEthernet0
     no ip address
    interface FastEthernet1
     switchport access vlan 100
     no ip address
    interface FastEthernet2
     switchport access vlan 100
     no ip address
    interface FastEthernet3
     no ip address
    interface Dot11Radio0
     no ip address
     encryption vlan 100 mode ciphers aes-ccm
     encryption vlan 200 mode ciphers aes-ccm
     broadcast-key vlan 100 change 30
     broadcast-key vlan 200 change 30
     ssid PRIVATE@123
     ssid VISITOR@123
     mbssid
     speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
     station-role root
    interface Dot11Radio0.100
     encapsulation dot1Q 100 native
     zone-member security PRIVATE
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    interface Dot11Radio0.200
     encapsulation dot1Q 200
     zone-member security GUEST
     bridge-group 2
     bridge-group 2 subscriber-loop-control
     bridge-group 2 spanning-disabled
     bridge-group 2 block-unknown-source
     no bridge-group 2 source-learning
     no bridge-group 2 unicast-flooding
    interface Vlan1
     no ip address
    interface Vlan100
     no ip address
     bridge-group 1
    interface Vlan200
     no ip address
     bridge-group 2
    interface Dialer0
     ip address negotiated
     ip access-group 101 out
     ip nat outside
     ip virtual-reassembly in
     encapsulation ppp
     dialer pool 1
     dialer-group 1
     ppp authentication chap callin
     ppp chap hostname [email protected]
     ppp chap password 7 10580A4F1C4005005B
    interface BVI1
     ip address 192.168.0.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     zone-member security PRIVATE
    interface BVI2
     ip address 172.16.1.1 255.255.0.0
     ip nat inside
     ip virtual-reassembly in
     zone-member security GUEST
    ip forward-protocol nd
    ip http server
    ip http access-class 2
    ip http authentication local
    ip http secure-server
    ip nat inside source list 1 interface Dialer0 overload
    ip route 0.0.0.0 0.0.0.0 Dialer0
    logging trap debugging
    logging 192.168.0.11
    control-plane
    bridge 1 protocol ieee
    bridge 1 route ip
    bridge 2 protocol ieee
    bridge 2 route ip
    line con 0
     exec-timeout 5 0
     no modem enable
     transport output all
    line aux 0
     exec-timeout 0 1
     no exec
     transport output none
    line vty 0 4
     exec-timeout 5 0
     login local
     transport input telnet ssh
     transport output none
    end

    Ignore that. self zone got me. Argh! phew!
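The "self zone" the poster refers to, as an added example that is not part of the original post. Zone-based firewall policy applies only between two zones joined by a zone-pair, and packets addressed to the router's own interfaces (BVI1's 192.168.0.1 included) belong to the built-in self zone, which is permitted by default unless a zone-pair names it. GUEST-TO-PRIVATE therefore never sees telnet/ssh/http aimed at BVI1, and interface ACLs do not help because the posted config has no `ip access-group` on the BVIs. The fragment below adds the missing GUEST-to-self pair. It takes the zone names, BVI addresses and the 172.16.1.0/24 guest pool from the posted config and assumes everything else; it also assumes the GUEST DHCP pool is changed to hand out 172.16.1.1 (or the ISP resolvers) as DNS instead of 192.168.0.1, which this policy would now block.

```cisco
! Added example, not the poster's configuration. Zone names, BVI addresses and the 172.16.1.0/24
! guest pool come from the posted config; everything else is an assumption.
!
! What guests may ask of the router itself: DHCP, and DNS on the GUEST BVI only.
ip access-list extended GUEST-TO-ROUTER
 permit udp any any eq bootps
 permit udp 172.16.1.0 0.0.0.255 host 172.16.1.1 eq domain
 permit tcp 172.16.1.0 0.0.0.255 host 172.16.1.1 eq domain
!
class-map type inspect match-all CM-GUEST-ROUTER-SERVICES
 match access-group name GUEST-TO-ROUTER
!
policy-map type inspect PM-GUEST-TO-SELF
 class type inspect CM-GUEST-ROUTER-SERVICES
  pass
 class class-default
  drop log
!
! The zone-pair that was missing: without it, GUEST -> self is permitted regardless of
! GUEST-TO-PRIVATE, because BVI1's own address belongs to "self", not to PRIVATE.
zone-pair security GUEST-TO-SELF source GUEST destination self
 service-policy type inspect PM-GUEST-TO-SELF
!
! self -> GUEST (DHCP offers, DNS answers) has no zone-pair and so stays default-permit.
!
! Management plane, independent of the firewall: ACL 2 is referenced by
! "ip http access-class 2" in the posted config but never defined there.
access-list 2 permit 192.168.0.0 0.0.0.255
line vty 0 4
 access-class 2 in
 transport input ssh
```

To confirm the fix from a guest client, `telnet 192.168.0.1` and `ssh 192.168.0.1` should now time out, `show policy-map type inspect zone-pair GUEST-TO-SELF` should show the class-default drop counter rising, and a DHCP renew on the guest SSID should still succeed. The `pass` action is stateless, so the reply direction is covered only because self-to-GUEST has no zone-pair; if one is added later for logging, it needs its own `pass` for bootps/domain or guests lose DHCP and DNS.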

  • Dual SSID (with dual VLAN) on Cisco AiroNet 1130

    Cisco Community,
I need some major help in figuring out how to change our wireless setup. Currently, we have 2 Cisco AiroNet 1130 WAPs in the office that go directly into the 2 POE ports on our Cisco ASA 5500. These WAPs have 1 SSID and are using WEP for security. After demonstrating the flaws of WEP to my boss, he has agreed that we should use something more secure and I've suggested WPA. We want visitors to our office to be able to hop on our wireless but on a separate guest SSID with WEP.
    I'd like the internal SSID to route to the ASA and take the default route to the internet (it will be our new fiber connection once it's installed in a couple weeks). The default route is whichever connection is working since our ASA 5500 will fail over when it detects an outage.
    I'd like the guest SSID to route to the ASA and then go over our existing cable connection. This connection will be our backup once the fiber connection is installed. Since we won't be using it very often, but will be paying for it, I advised that we send all guest wireless traffic over this connection since 50/5 is plenty for guests.
I have no idea how to create a VLAN and implement it but I can generally figure things out with a little help. The current SSID (which will be the internal SSID) has no VLAN. We do currently have a few VLANs on our network, one for voice (.42) and one for data (.100) and the default (.0). What device do I create the VLAN on (Cisco 5500?) and how do I set up the WAP? I need very basic instructions to start and I'm also trying to do this without causing downtime if possible.
    I've attached a diagram of what it should look like. Red indicates our internal network and Blue indicates the guest network. I can send screenshots as well.
    Hope everyone is enjoying their holidays.
    Thanks,
    Cody

    Cody,
    Here is a good doc to follow... it explains multiple ssid's and vlans
    https://supportforums.cisco.com/docs/DOC-14496

  • Cisco ISE 1.1.1 - Single SSID

    I'm working on our ISE implementation and these are my two goals.
    1.  Single SSID for BYOD users and corporate managed systems.
    Login to the NAC agent if not part of the domain (EX: windows laptop not part of the domain joins the SSID, goes through the self service portal, downloads NAC agent, must login to NAC agent whenever joining network with AD credentials)
    AD login required to join this SSID, no guests allowed
    2.  Guest SSID
    Guest login only - requires sponsor
    web agent required for windows machine
    AV required
    Current AV definitions required
    Are these goals attainable or am I better to go in a different direction is my first question.
    Second, using the Cisco BYOD Smart Solution Guide (link at bottom of post) it mentions the single SSID as not being a complicated component but it only runs through the dual SSID solution, what settings are needed for a single SSID? I'm using Open + MAC Filtering but when the supplicant attempts to connect it doesn't work because it's looking for a WPA2 network with the same SSID name.
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/byoddg.html
    Single SSID is specifically mentioned here:
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/byoddg.html#wp504735

    David,
    What the documentation did was that it created a condition which does the check for the ssid in the access-request:
Guest_Authz is a user-defined simple authorization condition for guests accessing the Internet via Web authentication through the WLAN corresponding to the open guest SSID. It matches the following RADIUS AV pair from the Airespace dictionary:
         Airespace-Wlan-Id - [1] EQUALS 1
    So that when the user connects to the network they are connecting through the guest ssid in which this has the wlan id of 1. Either you can do that in your authorization rule right in the screenshot or you can create this condition under the policy elements tab.
    Thanks,
    Tarik Admani

  • Speed up BlackBerry Wi-Fi connections a knottyrope tip

These knottyrope tips might help you out. This is not an end-all solution but I have come across these issues in the past years. Go slow and document what you do. Worst case is resetting your router to default and starting over.
Router running latest firmware? Update it as many are shipped with an old version as they sometimes sit on a shelf for months. Also a Wi-Fi router more than 5 years old might not work well with multiple devices.
Using a Hidden SSID? You should never hide the SSID - hiding the SSID is a violation of the 802.11 spec and this can be a pain with setup. Most new devices can see them anyway.
    Using the same SSID as your neighbor? This is not good, you need a unique name or it can try to connect to both. I have seen NetGear 5 times in one neighborhood and after a simple name change you can have fast Wi-Fi
    Using 2.4 and 5 ghz on one single SSID? This can be a burden, drop it to 2.4 and it could make a difference. Newer routers support a separate SSID for both frequencies.
Using WiFi B? If not using B then disable it or a rogue device might try to connect and knock your speed down to B speed.
WEP vs WPA? Not all N devices support WEP or WPA, Best to use WPA2 if all devices support it. Don't try both WPA and WPA2 as some devices get confused. Some Wi-Fi routers do not support WPA2 AES-CCMP just AES, see if yours supports it. Most newer routers do have accelerated AES encryption but not for WEP. Older encryption methods will be slower.
WEP can be hacked in minutes no matter what password you use. If you have no choice but to use WEP, use only one WEP key as some devices will not know what to do with the other ones. Remember that this encryption method will be slower.
    Channel speed settings 20, 40 or both? Try 20 as most will work on it. Some devices will not like 40 only or even set to both. Check this on both 2.4 ghz and 5ghz on dual SSID routers. Using the default channel your router was setup with? Try a different channel other than the common 6 or 11 channel. Use the Auto Channel hopping feature if your router has it, mine didn’t work but it may for you.
    Using Multiple Wi-Fi routers? place them on separate Wi-Fi channels so they don’t interfere.
Newer routers do QoS better so don't be making this change right away on a newer model. Older models with QoS for WMM Wi-Fi multimedia and VoIP priority may not work well. If you don't need or use it, don't enable it. I turn off all QoS settings with great results since we don't use the features.
    Does your router only support 1 VPN connection? If this is the case then you might not be able to access BIS over Wi-Fi when other devices are using it or VPN. Many newer routers support 4 or more VPN connections.
    DNS servers slow? Try OpenDNS.org and see if speed improves.
MTU matched up? Not a common issue but this can be a fun one as not all routers will set it to your ISP setting. 1500 is a standard but you can try 1492 for DSL lines or ones that use PPPoE.
    Using Extended range? If you don’t have matching card for your brand router it might not work well. Try turning it off.
    UPNP turned off? Turn it on as your device may setup some port forwarding rules.
    Using ISP modem and your own router/Wi-Fi router? Don’t enable NAT on your own routers as Double NAT can cause connection problems.
    All port speeds matched? Check your Router WAN port speed, mine was set to 10Mbit by the ISP before. Also make sure its set to correct duplex mode and match it with other equipment.
    Using cordless phones? Replace your 2.4GHz cordless phones with either a 900Mhz or 5.8GHz style so they won’t interfere.
    Use Wi-Fi sharing on a PlayBook? It’s important to switch off AP Isolation if your router has it. Mine has it on by default
    Custom firewall rules can be fun, try to allow default and slowly make changes and take notes on what you enable or disable.

    Janetsa, whatever truth may be in your posts, your lack of diplomacy renders it valueless.

  • ISE 1.2 - CWA supplicant provisioning with anchor WLC

    Hi all,
    Having an issue with supplicant provisioning via CWA on an anchor controller. I am able to connect via CWA and authenticate etc no problems but when the device registration page appears it says "unable to connect to the network at this time" - the mac address is populated but the button says try again. Once I click try again it cycles back to the original guest portal login page. In the reports section the failed supplicant provisioning message is "Error while trying to determine access privileges: Fail to get hostName from session cache.".
    I have tried the same policy without the anchor (ie local controller) and it works perfectly. Interestingly enough if I manually register the device first then connect to the guest portal it allows me to click register and proceed to supplicant provisioning. I have also tried the anchor setup using peap and the NSP redirect - this also works perfectly.
    I can confirm ahead of time that firewalls etc are not an issue with permit IP any any between all working parts - no blocks no drops etc. The policy is the standard trustsec CWA setup with Enable self-provisioning ticked. For what it is worth I am absolutely confident with the config having deployed this before - albeit without an anchor controller.

    Stephen,
I was able to work with TAC and the customer account team to find a resolution. The issue is with the Anchor WLC and the session not being replicated. I was able to get around it by disabling radius accounting for the ssid on the anchor controller, but when looking at the bug it looks like an alternative fix is to disable fast ssid switching, which would cause issues with BYOD in the dual ssid world. I'm still doing testing, but the accounting change seems to have solved it. The bug ID is: CSCui38627

  • Cisco ISE 1.2 - BYOD Guest Access Error with Certificate

    Hi all !
    I'm running on Cisco ISE 1.2. I'm trying to setup BYOD (dual SSID).
    Here's a walkthrough of what's happening:
    1. I connect to open SSID, enter username/password and register MAC 
    2. I download WinSPwizard, get trust root CA but WinSPwizard error
    This is spwprofilelog 
    [Wed Oct 01 11:27:17 2014] Installed [pvgas-DC-CA, hash: d0 ad c2 1e 19 b0 8b 61  8a 2d 81 88 da 8a a2 ca
    da d3 ab e8
    ] as rootCA
    [Wed Oct 01 11:27:17 2014] Warning - [HTTPConnection] InternetOpen() failed with code: [12038]
    [Wed Oct 01 11:27:17 2014] Warning - [HTTPConnection] Abort the HTTP connection due to invalid certificate CN
    [Wed Oct 01 11:27:17 2014] HttpWrapper::SendScepRequest - Retrying: [1] time, after: [4] secs , Error: [2]
    [Wed Oct 01 11:27:21 2014] Warning - [HTTPConnection] InternetOpen() failed with code: [12038]
    [Wed Oct 01 11:27:21 2014] Warning - [HTTPConnection] Abort the HTTP connection due to invalid certificate CN
    [Wed Oct 01 11:27:21 2014] HttpWrapper::SendScepRequest - Retrying: [2] time, after: [4] secs , Error: [2]
    [Wed Oct 01 11:27:25 2014] Warning - [HTTPConnection] InternetOpen() failed with code: [12038]
    [Wed Oct 01 11:27:25 2014] Warning - [HTTPConnection] Abort the HTTP connection due to invalid certificate CN
    [Wed Oct 01 11:27:25 2014] HttpWrapper::SendScepRequest - Retrying: [3] time, after: [4] secs , Error: [2]
    [Wed Oct 01 11:27:29 2014] Warning - [HTTPConnection] InternetOpen() failed with code: [12038]
    [Wed Oct 01 11:27:29 2014] Warning - [HTTPConnection] Abort the HTTP connection due to invalid certificate CN
    [Wed Oct 01 11:27:29 2014] Failed to get certificate from server - Error: [2]
    [Wed Oct 01 11:27:29 2014]  Failed to generate scep request. Error code:
    [Wed Oct 01 11:27:29 2014] ApplyCert - End...
    [Wed Oct 01 11:27:29 2014] Failed to configure the device.
    [Wed Oct 01 11:27:29 2014] ApplyProfile - End...
    [Wed Oct 01 11:27:32 2014] Cleaning up profile xml:  success 
    This is SCEP RA profiles
    Other Cert
    ACL On WLC
    and policy
    Please help me fix error.
    Thanks.

You could create an ISE local user with a GUEST membership and, provided you have your ISE password policy set so that it doesn't expire accounts, etc., it would be a "permanent" guest account. We do something similar. Sponsors make temporary accounts while long-term or test guest accounts are created in the ISE local identity store as guests and are processed the same way. You just have to ensure that the internal user store is part of your guest identity source sequence.

  • 881W NAT and Firewall

    Hello all,
    I recently configured my 881W for dual SSID, and NATing to separate the VLAN traffic.  Afterwards, I used Cisco Configuration Professional to configure the firewall for medium security, and then I tested it by connecting it to my U-Verse residential gateway in DMZplus mode.  I was able to get a DHCP address from my IP to the 881W, but I can't resolve DNS, or get to any outside internet sites.  Based on my configuration below, does anyone have any insight into what could be wrong?
    R1-881W#show run
    Building configuration...
    Current configuration : 14484 bytes
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    hostname R1-881W
    boot-start-marker
    boot-end-marker
    security authentication failure rate 3 log
    security passwords min-length 6
    logging message-counter syslog
    logging buffered 51200
    logging console critical
    enable secret 5 xxxxxxxxxxxxxx
    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local
    aaa session-id common
    service-module wlan-ap 0 bootimage autonomous
    crypto pki trustpoint TP-self-signed-1234567890
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-1234567890
    revocation-check none
    rsakeypair TP-self-signed-1392450818
    crypto pki certificate chain TP-self-signed-1234567890
    certificate self-signed 01
      <some cert>
            quit
    no ip source-route
    ip dhcp excluded-address 172.16.1.1 172.16.1.200
    ip dhcp excluded-address 192.168.12.200 192.168.12.254
    ip dhcp pool Private
       import all
       network 172.16.1.0 255.255.255.0
       default-router 172.16.1.1
       dns-server 172.16.1.1 255.255.255.0
    ip dhcp pool Guest
       network 192.168.12.0 255.255.255.0
       default-router 192.168.12.1
       dns-server 192.168.12.1 255.255.255.0
    ip cef
    no ip bootp server
    ip domain name somedomain.local
    ip name-server 68.94.156.1
    ip name-server 68.94.157.1
    ip name-server 8.8.8.8
    login block-for 120 attempts 5 within 60
    login delay 3
    no ipv6 cef
    multilink bundle-name authenticated
    parameter-map type regex ccp-regex-nonascii
    pattern [^\x00-\x80]
    parameter-map type protocol-info yahoo-servers
    server name scs.msg.yahoo.com
    server name scsa.msg.yahoo.com
    server name scsb.msg.yahoo.com
    server name scsc.msg.yahoo.com
    server name scsd.msg.yahoo.com
    server name cs16.msg.dcn.yahoo.com
    server name cs19.msg.dcn.yahoo.com
    server name cs42.msg.dcn.yahoo.com
    server name cs53.msg.dcn.yahoo.com
    server name cs54.msg.dcn.yahoo.com
    server name ads1.vip.scd.yahoo.com
    server name radio1.launch.vip.dal.yahoo.com
    server name in1.msg.vip.re2.yahoo.com
    server name data1.my.vip.sc5.yahoo.com
    server name address1.pim.vip.mud.yahoo.com
    server name edit.messenger.yahoo.com
    server name messenger.yahoo.com
    server name http.pager.yahoo.com
    server name privacy.yahoo.com
    server name csa.yahoo.com
    server name csb.yahoo.com
    server name csc.yahoo.com
    parameter-map type protocol-info aol-servers
    server name login.oscar.aol.com
    server name toc.oscar.aol.com
    server name oam-d09a.blue.aol.com
    parameter-map type protocol-info msn-servers
    server name messenger.hotmail.com
    server name gateway.messenger.hotmail.com
    server name webmessenger.msn.com
    username someuser privilege 15 secret 5 xxxxxxxxxxxxxx
    archive
    log config
      hidekeys
    ip tcp synwait-time 10
    ip ssh version 2
    class-map type inspect match-any SDM_BOOTPC
    match access-group name SDM_BOOTPC
    class-map type inspect imap match-any ccp-app-imap
    match  invalid-command
    class-map type inspect match-any ccp-cls-protocol-p2p
    match protocol edonkey signature
    match protocol gnutella signature
    match protocol kazaa2 signature
    match protocol fasttrack signature
    match protocol bittorrent signature
    class-map type inspect match-any SDM_DHCP_CLIENT_PT
    match class-map SDM_BOOTPC
    class-map type inspect match-any ccp-skinny-inspect
    match protocol skinny
    class-map type inspect match-any sdm-cls-bootps
    match protocol bootps
    class-map type inspect match-any ccp-cls-insp-traffic
    match protocol cuseeme
    match protocol dns
    match protocol ftp
    match protocol https
    match protocol icmp
    match protocol imap
    match protocol pop3
    match protocol netshow
    match protocol shell
    match protocol realmedia
    match protocol rtsp
    match protocol smtp extended
    match protocol sql-net
    match protocol streamworks
    match protocol tftp
    match protocol vdolive
    match protocol tcp
    match protocol udp
    class-map type inspect match-all ccp-insp-traffic
    match class-map ccp-cls-insp-traffic
    class-map type inspect gnutella match-any ccp-app-gnutella
    match  file-transfer
    class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
    match  service any
    class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
    match  service any
    class-map type inspect match-any ccp-h323nxg-inspect
    match protocol h323-nxg
    class-map type inspect match-any ccp-cls-icmp-access
    match protocol icmp
    match protocol tcp
    match protocol udp
    class-map type inspect match-any ccp-cls-protocol-im
    match protocol ymsgr yahoo-servers
    match protocol msnmsgr msn-servers
    match protocol aol aol-servers
    class-map type inspect aol match-any ccp-app-aol-otherservices
    match  service any
    class-map type inspect match-all ccp-protocol-pop3
    match protocol pop3
    class-map type inspect match-any ccp-h225ras-inspect
    match protocol h225ras
    class-map type inspect match-any ccp-h323annexe-inspect
    match protocol h323-annexe
    class-map type inspect pop3 match-any ccp-app-pop3
    match  invalid-command
    class-map type inspect kazaa2 match-any ccp-app-kazaa2
    match  file-transfer
    class-map type inspect match-all ccp-protocol-p2p
    match class-map ccp-cls-protocol-p2p
    class-map type inspect match-any ccp-h323-inspect
    match protocol h323
    class-map type inspect msnmsgr match-any ccp-app-msn
    match  service text-chat
    class-map type inspect ymsgr match-any ccp-app-yahoo
    match  service text-chat
    class-map type inspect match-all ccp-protocol-im
    match class-map ccp-cls-protocol-im
    class-map type inspect match-all ccp-icmp-access
    match class-map ccp-cls-icmp-access
    class-map type inspect match-all ccp-invalid-src
    match access-group 101
    class-map type inspect http match-any ccp-app-httpmethods
    match  request method bcopy
    match  request method bdelete
    match  request method bmove
    match  request method bpropfind
    match  request method bproppatch
    match  request method connect
    match  request method copy
    match  request method delete
    match  request method edit
    match  request method getattribute
    match  request method getattributenames
    match  request method getproperties
    match  request method index
    match  request method lock
    match  request method mkcol
    match  request method mkdir
    match  request method move
    match  request method notify
    match  request method options
    match  request method poll
    match  request method propfind
    match  request method proppatch
    match  request method put
    match  request method revadd
    match  request method revlabel
    match  request method revlog
    match  request method revnum
    match  request method save
    match  request method search
    match  request method setattribute
    match  request method startrev
    match  request method stoprev
    match  request method subscribe
    match  request method trace
    match  request method unedit
    match  request method unlock
    match  request method unsubscribe
    class-map type inspect edonkey match-any ccp-app-edonkey
    match  file-transfer
    match  text-chat
    match  search-file-name
    class-map type inspect match-any ccp-sip-inspect
    match protocol sip
    class-map type inspect http match-any ccp-http-blockparam
    match  request port-misuse im
    match  request port-misuse p2p
    match  req-resp protocol-violation
    class-map type inspect edonkey match-any ccp-app-edonkeydownload
    match  file-transfer
    class-map type inspect match-all ccp-protocol-imap
    match protocol imap
    class-map type inspect aol match-any ccp-app-aol
    match  service text-chat
    class-map type inspect edonkey match-any ccp-app-edonkeychat
    match  search-file-name
    match  text-chat
    class-map type inspect fasttrack match-any ccp-app-fasttrack
    match  file-transfer
    class-map type inspect http match-any ccp-http-allowparam
    match  request port-misuse tunneling
    class-map type inspect match-all ccp-protocol-http
    match protocol http
    policy-map type inspect ccp-permit-icmpreply
    class type inspect ccp-icmp-access
      inspect
    class class-default
      pass
    policy-map type inspect p2p ccp-action-app-p2p
    class type inspect edonkey ccp-app-edonkeychat
      log
      allow
    class type inspect edonkey ccp-app-edonkeydownload
      log
      allow
    class type inspect fasttrack ccp-app-fasttrack
      log
      allow
    class type inspect gnutella ccp-app-gnutella
      log
      allow
    class type inspect kazaa2 ccp-app-kazaa2
      log
      allow
    policy-map type inspect im ccp-action-app-im
    class type inspect aol ccp-app-aol
      log
      allow
    class type inspect msnmsgr ccp-app-msn
      log
      allow
    class type inspect ymsgr ccp-app-yahoo
      log
      allow
    class type inspect aol ccp-app-aol-otherservices
      log
      reset
    class type inspect msnmsgr ccp-app-msn-otherservices
      log
      reset
    class type inspect ymsgr ccp-app-yahoo-otherservices
      log
      reset
    policy-map type inspect http ccp-action-app-http
    class type inspect http ccp-http-blockparam
      log
      reset
    class type inspect http ccp-app-httpmethods
      log
      reset
    class type inspect http ccp-http-allowparam
      log
      allow
    policy-map type inspect imap ccp-action-imap
    class type inspect imap ccp-app-imap
      log
    policy-map type inspect pop3 ccp-action-pop3
    class type inspect pop3 ccp-app-pop3
      log
    policy-map type inspect ccp-inspect
    class type inspect ccp-invalid-src
      drop log
    class type inspect ccp-protocol-http
      inspect
      service-policy http ccp-action-app-http
    class type inspect ccp-protocol-imap
      inspect
      service-policy imap ccp-action-imap
    class type inspect ccp-protocol-pop3
      inspect
      service-policy pop3 ccp-action-pop3
    class type inspect ccp-protocol-p2p
      inspect
      service-policy p2p ccp-action-app-p2p
    class type inspect ccp-protocol-im
      inspect
      service-policy im ccp-action-app-im
    class type inspect ccp-insp-traffic
      inspect
    class type inspect ccp-sip-inspect
      inspect
    class type inspect ccp-h323-inspect
      inspect
    class type inspect ccp-h323annexe-inspect
      inspect
    class type inspect ccp-h225ras-inspect
      inspect
    class type inspect ccp-h323nxg-inspect
      inspect
    class type inspect ccp-skinny-inspect
      inspect
    class class-default
      drop
    policy-map type inspect ccp-permit
    class class-default
      drop
    zone security out-zone
    zone security in-zone
    zone-pair security ccp-zp-out-self source out-zone destination self
    service-policy type inspect ccp-permit
    zone-pair security ccp-zp-in-out source in-zone destination out-zone
    service-policy type inspect ccp-inspect
    zone-pair security ccp-zp-self-out source self destination out-zone
    interface Null0
    no ip unreachables
    interface FastEthernet0
    switchport access vlan 11
    interface FastEthernet1
    interface FastEthernet2
    switchport access vlan 11
    interface FastEthernet3
    interface FastEthernet4
    description ISP Connection$FW_OUTSIDE$
    ip address dhcp
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat outside
    ip virtual-reassembly
    zone-member security out-zone
    shutdown
    duplex auto
    speed auto
    no cdp enable
    interface wlan-ap0
    description Service module to manage the enbedded AP
    ip unnumbered Vlan1
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    arp timeout 0
    interface Wlan-GigabitEthernet0
    description Internal switch interface connecting to the embedded AP
    switchport mode trunk
    interface Vlan1
    description $FW_INSIDE$
    ip address 172.16.1.1 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat inside
    ip virtual-reassembly
    zone-member security in-zone
    ip tcp adjust-mss 1452
    interface Vlan11
    description $FW_INSIDE$
    ip address 10.10.10.1 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat inside
    ip virtual-reassembly
    zone-member security in-zone
    interface Vlan12
    description Guest Vlan$FW_INSIDE$
    ip address 192.168.12.1 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat inside
    ip virtual-reassembly
    zone-member security in-zone
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 dhcp
    no ip http server
    ip http authentication local
    ip http secure-server
    ip dns server
    ip nat inside source list 100 interface FastEthernet4 overload
    ip access-list extended SDM_BOOTPC
    remark CCP_ACL Category=0
    permit udp any any eq bootpc
    logging trap debugging
    access-list 100 remark CCP_ACL Category=128
    access-list 100 permit ip host 255.255.255.255 any
    access-list 100 permit ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip 172.16.1.0 0.0.0.255 any
    access-list 101 remark CCP_ACL Category=128
    access-list 101 permit ip host 255.255.255.255 any
    access-list 101 permit ip 127.0.0.0 0.255.255.255 any
    no cdp run
    control-plane
    banner login ^CWarning!  Authorized Access Only!^C
    line con 0
    password 7 xxxxxxxxxxxxxx
    logging synchronous
    no modem enable
    transport output telnet
    line aux 0
    transport output telnet
    line 2
    no activation-character
    no exec
    transport preferred none
    transport input all
    line vty 0 4
    password 7 xxxxxxxxxxxxxx
    transport input telnet ssh
    transport output telnet
    scheduler max-task-time 5000
    scheduler allocate 4000 1000
    scheduler interval 500
    end

    Henrik,
    I redid the changes you suggested (excluding the config to make the guest-zone only allowed to ping and get an IP address from the router). I cannot connect to the internet from VLAN12. Here is my config below:
    R1-881W#show run
    Building configuration...
    Current configuration : 8875 bytes
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    hostname R1-881W
    boot-start-marker
    boot-end-marker
    security authentication failure rate 3 log
    security passwords min-length 6
    logging message-counter syslog
    logging buffered 51200
    logging console critical
    enable secret 5 xxxxxxxxxxxxxxx
    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local
    aaa session-id common
    service-module wlan-ap 0 bootimage autonomous
    crypto pki trustpoint TP-self-signed-1234567890
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-1234567890
    revocation-check none
    rsakeypair TP-self-signed-1234567890
    crypto pki certificate chain TP-self-signed-1234567890
    certificate self-signed 01
            quit
    no ip source-route
    ip dhcp excluded-address 172.16.1.1 172.16.1.200
    ip dhcp excluded-address 192.168.12.200 192.168.12.254
    ip dhcp pool Private
       import all
       network 172.16.1.0 255.255.255.0
       default-router 172.16.1.1
       dns-server 172.16.1.1 255.255.255.0
    ip dhcp pool Guest
       network 192.168.12.0 255.255.255.0
       default-router 192.168.12.1
       dns-server 192.168.12.1 255.255.255.0
    ip cef
    no ip bootp server
    ip domain name lab.local
    ip name-server 68.94.156.1
    ip name-server 68.94.157.1
    ip name-server 8.8.8.8
    login block-for 120 attempts 5 within 60
    login delay 3
    no ipv6 cef
    multilink bundle-name authenticated
    parameter-map type regex ccp-regex-nonascii
    pattern [^\x00-\x80]
    username somerookieuser privilege 15 secret 5 xxxxxxxxxxxxxxx
    archive
    log config
      hidekeys
    ip tcp synwait-time 10
    ip ssh version 2
    class-map type inspect match-any SDM_BOOTPC
    match access-group name SDM_BOOTPC
    class-map type inspect match-any SDM_DHCP_CLIENT_PT
    match class-map SDM_BOOTPC
    class-map type inspect match-any ccp-skinny-inspect
    match protocol skinny
    class-map type inspect match-any sdm-cls-bootps
    match protocol bootps
    class-map type inspect match-any ccp-cls-insp-traffic
    match protocol cuseeme
    match protocol dns
    match protocol ftp
    match protocol https
    match protocol icmp
    match protocol imap
    match protocol pop3
    match protocol netshow
    match protocol shell
    match protocol realmedia
    match protocol rtsp
    match protocol smtp extended
    match protocol sql-net
    match protocol streamworks
    match protocol tftp
    match protocol vdolive
    match protocol tcp
    match protocol udp
    class-map type inspect match-all ccp-insp-traffic
    match class-map ccp-cls-insp-traffic
    class-map type inspect match-any ccp-h323nxg-inspect
    match protocol h323-nxg
    class-map type inspect match-any ccp-cls-icmp-access
    match protocol icmp
    match protocol tcp
    match protocol udp
    class-map type inspect match-any ccp-h225ras-inspect
    match protocol h225ras
    class-map type inspect match-any ccp-h323annexe-inspect
    match protocol h323-annexe
    class-map type inspect match-any ccp-h323-inspect
    match protocol h323
    class-map type inspect match-all GUEST-TO-OUTSIDE_CMAP
    match access-group name GUEST-TO-OUTSIDE_ACL
    class-map type inspect match-all ccp-icmp-access
    match class-map ccp-cls-icmp-access
    class-map type inspect match-all ccp-invalid-src
    match access-group 101
    class-map type inspect match-any ccp-sip-inspect
    match protocol sip
    class-map type inspect match-all ccp-protocol-http
    match protocol http
    policy-map type inspect ccp-permit-icmpreply
    class type inspect sdm-cls-bootps
      pass
    class type inspect ccp-icmp-access
      inspect
    class class-default
      pass
    policy-map type inspect ccp-inspect
    class type inspect ccp-invalid-src
      drop log
    class type inspect ccp-protocol-http
      inspect
    class type inspect ccp-insp-traffic
      inspect
    class type inspect ccp-sip-inspect
      inspect
    class type inspect ccp-h323-inspect
      inspect
    class type inspect ccp-h323annexe-inspect
      inspect
    class type inspect ccp-h225ras-inspect
      inspect
    class type inspect ccp-h323nxg-inspect
      inspect
    class type inspect ccp-skinny-inspect
      inspect
    class class-default
      drop
    policy-map type inspect ccp-permit
    class type inspect SDM_DHCP_CLIENT_PT
      pass
    class class-default
      drop
    policy-map type inspect GUEST-TO-OUTSIDE_PMAP
    class type inspect GUEST-TO-OUTSIDE_CMAP
    class class-default
      drop
    zone security out-zone
    zone security in-zone
    zone security guest-zone
    zone-pair security ccp-zp-out-self source out-zone destination self
    service-policy type inspect ccp-permit
    zone-pair security ccp-zp-in-out source in-zone destination out-zone
    service-policy type inspect ccp-inspect
    zone-pair security ccp-zp-self-out source self destination out-zone
    zone-pair security ccp-zp-guest-out source guest-zone destination out-zone
    service-policy type inspect GUEST-TO-OUTSIDE_PMAP
    interface Null0
    no ip unreachables
    interface FastEthernet0
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface FastEthernet4
    description ISP Connection$FW_OUTSIDE$
    ip address dhcp
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat outside
    ip virtual-reassembly
    zone-member security out-zone
    duplex auto
    speed auto
    no cdp enable
    interface wlan-ap0
    description Service module to manage the enbedded AP
    ip unnumbered Vlan1
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    arp timeout 0
    interface Wlan-GigabitEthernet0
    description Internal switch interface connecting to the embedded AP
    switchport mode trunk
    interface Vlan1
    description $FW_INSIDE$
    ip address 172.16.1.1 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat inside
    ip virtual-reassembly
    zone-member security in-zone
    ip tcp adjust-mss 1452
    interface Vlan11
    description $FW_INSIDE$
    ip address 10.10.10.1 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat inside
    ip virtual-reassembly
    zone-member security in-zone
    interface Vlan12
    description Guest Vlan$FW_INSIDE$
    ip address 192.168.12.1 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat inside
    ip virtual-reassembly
    zone-member security guest-zone
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 dhcp
    no ip http server
    ip http authentication local
    ip http secure-server
    ip dns server
    ip nat inside source list NAT_ALLOWED interface FastEthernet4 overload
    ip access-list extended GUEST-TO-OUTSIDE_ACL
    permit ip 192.168.12.0 0.0.0.255 any
    ip access-list extended NAT_ALLOWED
    permit ip 172.16.1.0 0.0.0.255 any
    permit ip 192.168.12.0 0.0.0.255 any
    ip access-list extended SDM_BOOTPC
    remark CCP_ACL Category=0
    permit udp any any eq bootpc
    logging trap debugging
    access-list 101 remark CCP_ACL Category=128
    access-list 101 permit ip host 255.255.255.255 any
    access-list 101 permit ip 127.0.0.0 0.255.255.255 any
    no cdp run
    control-plane
    banner login ^CWarning!  Authorized Access Only!^C
    line con 0
    password 7 somestrongpassword
    logging synchronous
    no modem enable
    transport output telnet
    line aux 0
    transport output telnet
    line 2
    no activation-character
    no exec
    transport preferred none
    transport input all
    line vty 0 4
    password 7 somestrongpassword
    transport input telnet ssh
    transport output telnet
    scheduler max-task-time 5000
    scheduler allocate 4000 1000
    scheduler interval 500
    end
    R1-881W#
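    As an added example (not code from the thread or from Cisco), here is a small Python linter for the zone-based-firewall part of an IOS running-config; `parse_zbfw` and `lint_zbfw` are names chosen here, and the embedded sample is a constructed excerpt modelled on the R1-881W config above. It flags a policy-map class that carries no action, a zone-pair whose service-policy is missing or undefined, and a zone with member interfaces that no zone-pair references; on the sample only the guest policy is flagged, since every class of ccp-inspect carries an explicit inspect or drop.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the R1-881W "show run" in the post, indented as
# IOS prints it: one space for class lines, two for the action under a class.
SAMPLE_CONFIG = """\
policy-map type inspect ccp-inspect
 class type inspect ccp-protocol-http
  inspect
policy-map type inspect GUEST-TO-OUTSIDE_PMAP
 class type inspect GUEST-TO-OUTSIDE_CMAP
 class class-default
  drop
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-guest-out source guest-zone destination out-zone
 service-policy type inspect GUEST-TO-OUTSIDE_PMAP
interface Vlan1
 zone-member security in-zone
interface Vlan12
 zone-member security guest-zone
"""

def parse_zbfw(text):
    """Return ({policy: {class: first action or None}}, {pair: [src, dst, policy]}, {zone: [intfs]})."""
    policies, pairs, members = {}, {}, defaultdict(list)
    ctx = None  # ("policy", name, class) | ("pair", name) | ("intf", name)
    for raw in filter(str.strip, text.splitlines()):  # skip blank lines
        line = raw.strip()
        if not raw[0].isspace():  # a top-level command closes the open block
            ctx = None
            if m := re.match(r"policy-map type inspect (?:\S+\s+)?(\S+)$", line):
                policies[m[1]], ctx = {}, ("policy", m[1], None)
            elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)$", line):
                pairs[m[1]], ctx = [m[2], m[3], None], ("pair", m[1])
            elif m := re.match(r"interface (\S+)$", line):
                ctx = ("intf", m[1])
        elif ctx and ctx[0] == "policy":
            if m := re.match(r"class (?:type inspect (?:\S+\s+)?)?(\S+)$", line):
                ctx = ("policy", ctx[1], m[1])
                policies[ctx[1]][m[1]] = None
            elif ctx[2] and policies[ctx[1]][ctx[2]] is None:
                policies[ctx[1]][ctx[2]] = line  # inspect / pass / drop [log] ...
        elif ctx and ctx[0] == "pair":
            if m := re.match(r"service-policy type inspect (\S+)$", line):
                pairs[ctx[1]][2] = m[1]
        elif ctx and ctx[0] == "intf":
            if m := re.match(r"zone-member security (\S+)$", line):
                members[m[1]].append(ctx[1])
    return policies, pairs, members

def lint_zbfw(text):
    """Flag gaps that leave a zone's traffic undelivered: a class with no action,
    a zone-pair with no or an undefined policy, and a zone that appears in no pair."""
    policies, pairs, members = parse_zbfw(text)
    findings = []
    for pol, classes in policies.items():
        findings += [f"policy-map {pol}: class {cls} has no action (inspect/pass/drop)"
                     for cls, action in classes.items() if action is None]
    for name, (src, dst, pol) in pairs.items():
        if pol is None:
            findings.append(f"zone-pair {name}: no service-policy attached")
        elif pol not in policies:
            findings.append(f"zone-pair {name}: service-policy {pol} is not defined")
    paired = {z for src, dst, _ in pairs.values() for z in (src, dst)}
    findings += [f"zone {z} ({', '.join(intfs)}) appears in no zone-pair"
                 for z, intfs in members.items() if z not in paired]
    return findings
```

Running `lint_zbfw` over a full `show run` works the same way, because the parser keys on IOS's own indentation rather than on line order.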

  • Cisco ISE Guest Login without provisioning

    Hi,
    I have set up the ISE based on https://supportforums.cisco.com/docs/DOC-26442, whereby I have an authorization rule for CWA and an authorization rule for guestflow with provisioning. All is working great; however, I was wondering if it may be possible to set up the ISE with the following scenarios with dual SSID:
    1. User logs in to the guest SSID, is redirected to the guest web portal and enters guest credentials created by a sponsor (this is working well)
    2. User logs in to the guest SSID, is redirected to the guest web portal, enters credentials from AD and goes to provisioning (this is working well)
    3. User logs in to the guest SSID, is redirected to the guest web portal, enters credentials from a specified AD group and gets internet/network access without provisioning.
    For point 3, I was wondering if it may be possible and, if so, how it may be accomplished? I have attached the present Authz rule for reference as well as the rule I have tried, which does not seem to be working.
    Any help is appreciated!
    Thanks.

    No it doesn't. You can test the same while editing the wireless SSID profile, opting for smart card as the authentication method instead of PEAP/EAP.

  • NAC Agent and NSP provisioning with ISE 1.1.1

    I am trying to get all workstations (OSX and Windows) to install both the Native Supplicant Wizard and NAC Agent during the On-boarding process.
    I am currently using the default guest portal in ISE.
    The environment has been setup using a Dual SSID design.
    At the moment, devices can connect to the provisioning SSID and get CWA. Device registration works, the portal runs the NSP setup which correctly sets up the network adapter.
    The problem is the portal never attempts to install the NAC Agent.
    The client provisioning policy has separate policies for wireless/wired as well as OS. Each policy applies both an NSP and a NAC Agent configuration. It appears the guest portal only checks the NSP configuration and not the NAC Agent config.
    Any ideas?

    Just so I understand this correctly, you are using both a client provisioning portal and a native supplicant provisioning portal tied into separate authz policies.
    With that out of the way, are you checking to see if the client is compliant in the client provisioning portal policy?
    Let me know if you have the following configured (example: Windows OS); this is assuming that the endpoint is statically assigned to RegisteredDevices after native supplicant provisioning.
    Rule 0 (endpoint group = RegisteredDevice) AND (AD:Domain user and authentication method:x509 and posturestatus:COMPLIANT) = Permit Access
    Rule 1 (endpoint group = RegisteredDevice) AND (AD:domain user AND authentication method:x509[if you deployed certs in the native supp condition] AND workstation NOT EQUAL:COMPLIANT) RESULT client provisioning portal.
    Rule 2 (endpoint group = Workstation) AND (AD:Domain User AND authentication method using mschapv2) RESULT windows provisioning portal
    Hope that helps,
    Tarik Admani
    *Please rate helpful posts*

  • ISE 1.3 - internal CA for EAP client

    Hi Experts,
    Could you please give me the right way and steps to configure the ISE 1.3 built-in CA for EAP client auth? I'm trying to complete my dual SSIDs procedure. My configuration may have some missing config in the Certificate section. That makes the client unable to get through device enrollment & provisioning, but auth and authorise are fine.
    It's hard to configure 100% correctly without a detailed guide. I know that by fundamental setup the config must comprise a subordinate CA, OCSP and endpoint RA, but I cannot figure out those steps myself.
    The steps or a complete document are welcome. The official document does not help me get through.
    Thank you in advance,
    Nipat CCIE#29422

    I would like to see something similar if anyone has anything with a little more detail than what the Admin Guide has.

  • Possible to get 'Automatic' device register without NSP ?

    Hi
    Could anybody please hint me on the config for ISE 1.2?
    I need to do a separate SSID called on-board. Once a non-registered device comes in, ISE redirects it to the registration portal.
    I can finish the self-fill-in device registration, where the user needs to fill in his MAC manually. And I have also finished the dual SSID practice as in the dCloud ISE demo. However, I need to configure something in between those.
    Could anyone please give me configs or suggestions?
    Thank you
    Nipat

    Hello Nipat. This is not possible in version 1.2. In version 1.2 you have two options to get the device registration process:
    1. DRW (Device Registration Web Auth): But this method cannot be combined with any other authentication methods
    2. NSP (Native Supplicant Provisioning): You already knew about this one but it sounds like it is not an option
    You can look into upgrading to 1.3 as I believe you will be able to "chain" the CWA and DRW methods with other authentication methods.
    Thank you for rating helpful posts!
