Deploying Identity Services within a Converged Plantwide Ethernet Architecture Design and Implementation Guide
June 2015
Document Reference Number: ENET-TD008A-EN-P
Preface

This Deploying Identity Services within a Converged Plantwide Ethernet Architecture Design and Implementation Guide (DIG) outlines the following key requirements and design considerations to help in the successful deployment of the Cisco® Identity Services Engine (Cisco ISE) within Industrial Automation and Control System (IACS) plant-wide architectures:
• Cisco ISE Use Case Overview
• Review of Cisco ISE Technology
• Important Steps and Considerations for Cisco ISE Implementation and Configuration Recommendations within IACS applications
• Maintaining and Troubleshooting Cisco ISE

Note: This release of the CPwE architecture focuses on EtherNet/IP™, which is driven by the ODVA Common Industrial Protocol (CIP™). Refer to the IACS Communication Protocols section of the CPwE Design and Implementation Guide.
Document Organization

The Deploying Identity Services within a Converged Plantwide Ethernet Architecture Design and Implementation Guide contains the following chapters (chapter: description):

CPwE Identity Services Overview: Presents an introduction to the CPwE Identity Services architecture, Secure Access Control, Unified Network Access Policy Management for CPwE and CPwE Identity Services in general.
System Design Considerations: Presents an overview of CPwE Identity Services Technology, how to deploy Distributed CPwE Identity Services, and an overview of Microsoft® Server 2012 Active Directory.
Configuring the Infrastructure: Describes how to configure the Cisco ISE infrastructure in the CPwE system based on the design considerations of the previous chapters, covering the configuration of the network infrastructure, network services, data traversal, Web application access and network and application security, all from an IDMZ perspective.
Deploying Identity Services within a Converged Plantwide Ethernet Architecture ENET-TD008A-EN-P
Troubleshooting Tips: Describes Cisco ISE and WLC troubleshooting.
References: Standard list of references for CPwE, Cisco Unified Access, RF Design and QoS and Wireless Security.
Configuration Examples: Examples of the configurations that have been used in the testing of the wired and wireless architecture.
Test Hardware and Software: Hardware and software components used in CPwE Identity Services testing.
For More Information

Rockwell Automation site:
• http://literature.rockwellautomation.com/idc/groups/literature/documents/td/enet-td001_-en-p.pdf
Cisco site:
• http://www.cisco.com/en/US/docs/solutions/Verticals/CPwE/CPwE_DIG.html
CHAPTER 1
CPwE Identity Services Overview

This chapter includes the following major topics:
• Identity Services Architecture Introduction, page 1-1
• Secure Access Control, page 1-2
• Unified Network Access Policy Management for CPwE, page 1-3
• Converged Plantwide Ethernet Identity Services, page 1-4
Identity Services Architecture Introduction

Industrial Automation and Control System (IACS) networks are generally open by default, which facilitates both technology coexistence and IACS interoperability. IACS networks must therefore be secured by configuration and architecture. Connectivity of unknown contractor computers (such as those from OEMs and System Integrators) presents challenges to the security of plant-wide operations. A different approach to device authentication and authorization is required to securely manage the connectivity of these computers to the IACS network. Converged Plantwide Ethernet (CPwE) uses the Cisco Identity Services Engine (Cisco ISE) to support secure wired and wireless connectivity of plant personnel and contractor computers to the IACS network. Cisco ISE is a centralized security policy management platform that automates and enforces secure access to network resources across a distributed Industrial Zone. Cisco ISE enforces network security based on the type of device hardware connecting to the network, the computer's operating system and the user. CPwE is the underlying architecture that provides standard network services for the control and information disciplines, devices and equipment found in modern IACS applications. Cisco ISE is used in conjunction with the CPwE architecture to provide an additional, dynamic layer of network access control: the Microsoft-based computer's operating system and logged-on user determine the security policies that are pushed to the network infrastructure the computer is accessing. The CPwE architecture provides design and implementation guidance to achieve the real-time communication, reliability, scalability, security and resiliency requirements of the IACS. Cisco ISE builds on top of these defined best practices and network architecture with a centrally managed architectural model in which the IT department maintains the management of the Cisco ISE platform that operates in the Industrial Zone.
Cisco ISE incorporation for CPwE is brought to market through a strategic alliance between Cisco Systems and Rockwell Automation. This CPwE Identity Services Cisco Validated Design details design and implementation considerations to help with the successful design and implementation of Identity Services within the Industrial Zone.
Secure Access Control

Protecting IACS assets requires a centrally manageable defense-in-depth security approach that addresses internal and external security threats. Cisco ISE supports authentication and authorization for both wired and wireless access methods to the IACS networks by company employees and trusted partners (OEM, SI). Adhering to a distributed architecture, Cisco ISE uses the Administration, Policy Service and Monitoring nodes described in detail later in this document. The CPwE Industrial Network Security Framework (Figure 1-1) is aligned to industrial security standards such as ISA/IEC-62443 (formerly ISA-99) Industrial Automation and Control Systems (IACS) Security, and NIST 800-82 Industrial Control System (ICS) Security. Designing and implementing a comprehensive IACS network access security framework should serve as a natural extension to the IACS. Network access security should not be implemented as an afterthought. The industrial network access security framework should be pervasive and core to the IACS. However, atop existing IACS deployments, the same defense-in-depth layers can be applied incrementally to help improve the access security stance of the IACS. CPwE defense-in-depth layers (Figure 1-1) include:
• Control System Engineers (highlighted in tan)—IACS device hardening (for example, physical and electronic), infrastructure device hardening (for example, port security), network segmentation, IACS application authentication, authorization and accounting (AAA)
• Control System Engineers in collaboration with IT Network Engineers (highlighted in blue)—Zone-based policy firewall at the IACS application, operating system hardening, network device hardening (such as access control, resiliency), wired and wireless LAN access policies
• IT Security Architects in collaboration with Control Systems Engineers (highlighted in purple)—Identity Services (wired and wireless), Active Directory (AD), Remote Access Servers (RAS), plant firewalls, Industrial Demilitarized Zone (IDMZ) design best practices
Figure 1-1 CPwE Industrial Network Security Framework
[Figure: Enterprise Zone (Levels 4-5) with Enterprise WAN, Internet and External DMZ/Firewall; Industrial Demilitarized Zone (IDMZ) with active/standby plant firewalls (inter-zone traffic segmentation, ACLs, IPS and IDS, VPN services, portal and Remote Desktop Services proxy) and physical or virtualized servers (patch management, AV server, application mirror, Remote Desktop Gateway); Industrial Zone (Levels 0-3) with the Identity Services Engine as RADIUS AAA server, Active Directory, Remote Access Server, active/standby WLCs, FactoryTalk Security, WLAN access policy (Equipment, Plant Personnel and Trusted Partners SSIDs; WPA2 with AES; pre-shared key on the autonomous WLAN; 802.1X with EAP-FAST or EAP-TLS; CAPWAP DTLS), network infrastructure hardening, OS hardening, port security, VLANs segmenting domains of trust, device hardening, zone-based policy firewall, and Level 0-2 controllers, I/O, drives, soft starters and MCC]
Unified Network Access Policy Management for CPwE

Cisco ISE empowers Enterprise IT to help sustain highly secure wired and wireless access within the plant by providing:
• Comprehensive centralized policy management
• Streamlined computer onboarding
• Dynamic security enforcement

A rules-based, catalog-driven policy model is provided to create access control based upon IEEE 802.1X authentication and authorization policies. The 802.1X standard describes how port-based security rules can be applied to each switch port. Cisco ISE includes the ability to create fine-grained authorization policies that associate a user or Microsoft-based computer with a VLAN or a downloadable access control list (dACL). Attributes can be created dynamically that include one or more identity groups, then saved for later use as new device management computers are introduced to the IACS network. As shown in Figure 1-2, Cisco ISE supports multiple external identity repositories, including AD, for both authentication and authorization.
Figure 1-2 Unified Identity Services for Wired and Wireless
[Figure: Enterprise Zone (Levels 4-5) with ISE PAN/PSN, ISE MnT, enterprise WLC and core switches; IDMZ with active/standby firewalls; Industrial Zone (Levels 0-3) with ISE PSN, core switches, active/standby WLCs, Remote Access Server (RAS), Level 3 Site Operations distribution switch, LWAP and laptop client, and the Levels 0-2 Cell/Area Zone with PACs, I/O, drive, MCC, WGB and FactoryTalk client; ISE synchronization and ISE logging flows cross the IDMZ]
Through the application of Cisco ISE, provisioned policies are applied across the IACS network in real time, creating a consistent user access experience for services from wired and wireless connections. Cisco ISE allows IT to define roles such as employees and trusted partners. These roles can be configured to permit and limit access to assets within the Industrial Zone, the Industrial Demilitarized Zone (IDMZ) and the Enterprise Zone. The Stratix™ and Cisco industrial Ethernet switches (IES) work in conjunction with Cisco ISE to apply and enforce the configured security policies. For example, if an employee attaches a computer to the IACS network in the Industrial Zone, the hardware and user information is sent to Cisco ISE, which sends the preconfigured network security policy to the Stratix or Cisco IES, where the user is limited by that policy. It is also possible to limit or direct the traffic of unknown devices with a Cisco ISE security policy. Cisco ISE services for wireless access use the Cisco wireless LAN controllers (WLC) to facilitate authentication and authorization of Microsoft-based computers accessing the IACS network. Cisco ISE allows IT to define a set of contractors and, for each contractor, a set of RADIUS attributes used across both the wired and wireless environments (see Wired Access Overview, page 2-9 and Wireless Access Overview, page 2-13). Attributes are used in authorization profiles and in policy conditions. Through Cisco ISE, IT can create, edit and delete RADIUS contractor dictionaries and contractor-specific attributes as needed.
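As an added illustration (example code, not the guide's or Cisco's own), the following Go program models the role-based authorization just described: an ordered policy that maps what the switch or WLC reports and what AD returns (employee, trusted partner, unknown, non-Windows) to a VLAN and dACL, and renders that result as the RADIUS attributes an Access-Accept would carry. Group names, VLAN IDs, dACL names and the first-match ordering are assumptions of the example.

```go
package main

import "fmt"

// Session is the context ISE evaluates: what the IES switch or WLC reports
// about the connection plus what the Active Directory lookup returns.
// Illustrative field set, not ISE's real attribute dictionary.
type Session struct {
	User     string
	ADGroups []string // e.g. "PlantEmployees", "TrustedPartners" (constructed names)
	OS       string   // profiler result, e.g. "Windows"
	Medium   string   // "wired" or "wireless"; the policy deliberately does not branch on it
	CertAuth bool     // authenticated with a certificate (EAP-TLS) rather than a password
}

// Profile is the authorization result pushed to the IES or WLC: a VLAN and a
// downloadable ACL (dACL) name. Values are constructed placeholders.
type Profile struct {
	Name string
	VLAN string // empty means Access-Reject
	DACL string
}

type rule struct {
	name  string
	match func(Session) bool
	then  Profile
}

func inGroup(s Session, group string) bool {
	for _, g := range s.ADGroups {
		if g == group {
			return true
		}
	}
	return false
}

// rules model the roles the guide describes (employees, trusted partners such
// as OEMs and SIs, unknown devices). Evaluation is top to bottom, first match
// wins; this ordering is an assumption of the example.
var rules = []rule{
	// Only Windows computers are in scope for this solution; reject the rest.
	{"non-windows-reject", func(s Session) bool { return s.OS != "Windows" },
		Profile{Name: "Reject"}},
	// Plant personnel must use certificate-based authentication.
	{"employee", func(s Session) bool { return inGroup(s, "PlantEmployees") && s.CertAuth },
		Profile{"Employee-Industrial", "110", "PERMIT_INDUSTRIAL_ZONE"}},
	{"trusted-partner", func(s Session) bool { return inGroup(s, "TrustedPartners") },
		Profile{"Partner-Restricted", "120", "PERMIT_PARTNER_CELL_AREA_ONLY"}},
}

// unknownProfile limits, rather than blocks, Windows computers that match no
// role (including an employee who authenticated with a password only).
var unknownProfile = Profile{"Unknown-Limited", "199", "PERMIT_DHCP_DNS_ONLY"}

// Authorize returns the name of the matching rule and its profile.
func Authorize(s Session) (string, Profile) {
	for _, r := range rules {
		if r.match(s) {
			return r.name, r.then
		}
	}
	return "default-unknown", unknownProfile
}

// RadiusAttributes renders a profile as the attribute/value pairs the
// Access-Accept carries: the RFC 3580 VLAN triple plus a Cisco av-pair naming
// the dACL the switch should download (in practice the name also carries a
// version hash, which is not modelled here).
func RadiusAttributes(p Profile) map[string]string {
	if p.VLAN == "" {
		return nil // Access-Reject carries no authorization attributes
	}
	return map[string]string{
		"Tunnel-Type":             "13", // VLAN
		"Tunnel-Medium-Type":      "6",  // IEEE-802
		"Tunnel-Private-Group-ID": p.VLAN,
		"Cisco-AVPair":            "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-" + p.DACL,
	}
}

func main() {
	sessions := []Session{ // constructed sample sessions
		{"alice", []string{"PlantEmployees"}, "Windows", "wired", true},
		{"oem-tech", []string{"TrustedPartners"}, "Windows", "wireless", false},
		{"alice", []string{"PlantEmployees"}, "Windows", "wireless", false},
		{"bob", nil, "Android", "wireless", true},
	}
	for _, s := range sessions {
		name, p := Authorize(s)
		fmt.Printf("%-9s %-8s -> %-19s %v\n", s.User, s.Medium, name, RadiusAttributes(p))
	}
}
```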
Converged Plantwide Ethernet Identity Services

Cisco ISE grants Microsoft-based computers permission to access the plant-wide network based on the result of the policy evaluation. The profiling service facilitates management of authentication by using IEEE 802.1X port-based access control, which is supported by the Stratix and Cisco IES within the CPwE architecture.
Cisco ISE provides a self-service registration portal for plant personnel and contractors to register and provision their portable Microsoft-based OS computers according to the business policies defined by IT. Cisco ISE permits the plant personnel to get the automated device provisioning and profiling they need to comply with industrial security policies while keeping it extremely simple to get their Microsoft-based OS computers onto the IACS network with limited IT help. Within the Industrial Zone, Cisco ISE provides centrally managed context-aware identity management critical for IT to manage access control. Cisco ISE determines if users are accessing the network on an authorized, policy-compliant computer, and assigns access based on the assigned user role, group and associated policy. Variables such as employee (plant or corporate), contractor (OEM, SI or other trusted partner), location and device type are taken into consideration. Cisco ISE grants access to specific segments of the Industrial Zone to authenticated users.
CHAPTER 2
System Design Considerations

This chapter includes the following major topics:
• CPwE Identity Services Technology Overview, page 2-1
• Roles and Access, page 2-8
• Industrial Zone Wired Access Design, page 2-8
• Industrial Zone Wireless Access Design, page 2-12

Note: This solution provides support for user validation and authorization when using Microsoft Windows computers within the context of the Industrial Zone. This solution does not provide support for or include other devices with Bring Your Own Device (BYOD) capabilities, such as laptops not running Windows OS, smart phones or tablets.

Note: For more details about the design and implementation of the Industrial Demilitarized Zone (IDMZ) as part of the CPwE security architecture, refer to the Securely Traversing IACS Data Across the Industrial Demilitarized Zone Design and Implementation Guide.
CPwE Identity Services Technology Overview

With the introduction of secure employee and contractor access, the use of Cisco ISE as an identity and access control policy platform enables organizations to enforce compliance, enhance infrastructure security and streamline their service operations. Its architecture allows an organization to gather real-time contextual information from the network, users and devices to make proactive policy decisions by tying identity into various network elements, including IES access switches and Wireless LAN Controllers (WLC). This deployment uses Cisco ISE as the authentication and authorization server for the wired and wireless networks using RADIUS. Cisco ISE uses Microsoft Active Directory (AD) as an external identity source to access resources such as users, computers, groups and attributes. Cisco ISE supports Microsoft AD sites and services when integrated with AD. Cisco ISE needs an identity certificate that is signed by a Certificate Authority (CA) server so that it can be trusted by endpoints, gateways and servers.
This section describes Distributed ISE, Active Directory and Certificate Services and provides design recommendations for CPwE Identity Services.
ISE Distributed Deployment

Within the CPwE architecture, the recommendation is to deploy the Cisco ISE platform as a distributed solution. In this solution, the corporate IT department maintains the management of the Cisco ISE platform for central management. In the distributed installation, Cisco ISE is divided into three discrete nodes—Administration, Policy Service, and Monitoring—which are described as follows:
• Policy Administration Node (PAN)—A CPwE Identity Services Node with the Administration persona allows the Enterprise IT team to perform all administrative operations on CPwE Identity Services. The PAN (located within the Enterprise Zone) handles all system-related configurations that are related to functionality such as authentication and authorization. In a CPwE-distributed deployment, the CPwE architecture can have one or a maximum of two nodes running the Administration persona. The Administration persona can take on the standalone, primary or secondary role.
• Policy Service Node (PSN)—A CPwE Identity Services Node with the Policy Service persona provides network access, plant personnel and contractor access, and client provisioning and profiling services. The PSN (located within the Industrial Zone) evaluates the policies and provides network access to computers based on the result of the policy evaluation. More than one PSN (located within the Enterprise Zone) can assume this persona. Typically, more than one Policy Service Node exists in a large distributed deployment. At least one node in a distributed setup should assume the Policy Service persona. The PAN also can (and usually does) serve as a PSN.

Note: CPwE Identity Services recommends having a PSN in the Industrial Zone (Levels 0-3), as shown in Figure 2-1. If the Enterprise and Industrial Zones become isolated, any existing clients in the Industrial Zone will still be able to securely access the network.

• Monitoring Node (MnT)—A CPwE Identity Services Node with the Monitoring persona functions as the log collector and stores log messages from all the Administration and Policy Service Nodes in a network. The MnT (located in the Enterprise Zone) provides advanced monitoring and troubleshooting tools that the Enterprise IT team can use to effectively manage a network and resources. An MnT with this persona aggregates and correlates the data that it collects, and provides the Enterprise IT team with meaningful reports. CPwE Identity Services allows the Enterprise IT team to have a maximum of two nodes with this persona, which can take on primary or secondary roles for high availability. Both the primary and secondary Monitoring Nodes collect log messages. If the primary Monitoring Node goes down, the secondary Monitoring Node automatically becomes the primary Monitoring Node. At least one node in a distributed setup should assume the Monitoring persona. The Monitoring and Policy Service personas should not be enabled on the same CPwE Identity Services Node. The Monitoring node should be dedicated solely to monitoring for optimum performance.

Figure 2-1 is an example deployment of the distributed Cisco ISE configuration using the CPwE logical framework.
Figure 2-1 Distributed CPwE Identity Services Architecture
[Figure: Enterprise Zone (Levels 4-5) with enterprise WLC, ISE PAN/PSN, ISE MnT and core switches; IDMZ with active/standby firewalls; Industrial Zone (Levels 0-3) with ISE PSN, core switches, active/standby WLCs, Level 3 Site Operations distribution switch and LWAP, and the Levels 0-2 Cell/Area Zone with PACs, I/O, drive, MCC, WGB and FactoryTalk client; callouts 1 and 2 mark the policy synchronization and logging flows described below]
As indicated in Figure 2-1:
1. The Enterprise Zone Cisco ISE PAN/PSN synchronizes its policy configurations with the Industrial Zone Cisco ISE PSN.
2. The Enterprise and Industrial Cisco ISE PSNs send detailed logs to the Enterprise Cisco ISE MnT.
Note: For the recommended installation and deployment of Distributed ISE in the Industrial Zone, please follow the best practices and deployment guidelines as prescribed in the Cisco Identity Services Engine Administrator Guide, Release 1.3, which is located at the following URL:
• http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_011.html
Active Directory Services

While Cisco ISE can maintain an internal list of users for authentication purposes, most organizations rely on an external directory as the main identity source. By integrating with Microsoft AD, objects such as users and groups, which can be accessed from a single source, become critical in the authorization process. Companies need a central repository of information about people and their access rights that applies to both the Industrial and Enterprise Zones. AD services in the Industrial Zone should be designed to allow secure replication of information across the IDMZ while being able to operate independently if necessary. The following sections describe AD and provide design recommendations for CPwE Identity Services.
Active Directory Overview

Active Directory Domain Services (AD DS) provides a distributed database that stores and manages information about network resources and application-specific data from directory-enabled applications. A server that is running AD DS is called an Active Directory Domain Controller (AD DC). Administrators can use AD DS to organize elements of a network, such as users, computers and other devices, into a hierarchical containment structure. The hierarchical containment structure includes the AD forest, domains in the forest and Organizational Units (OUs) in each domain. Organizing network elements into a hierarchical containment structure provides the following benefits:
• The forest acts as a security boundary for an organization and defines the scope of authority for administrators. By default, a forest contains a single domain, which is known as the forest root domain.
• Additional domains can be created in the forest to provide partitioning of AD DS data, which enables organizations to replicate data only where it is needed. This makes it possible for AD DS to scale globally over a network that has limited available bandwidth. An AD domain also supports a number of other core functions that are related to administration, including network-wide user identity, authentication and trust relationships.
• OUs simplify the delegation of authority to facilitate the management of large numbers of objects. Through delegation, owners can transfer full or limited authority over objects to other users or groups. Delegation is important because it helps to distribute the management of large numbers of objects to a number of people who are trusted to perform management tasks.

Security is integrated with AD DS through logon authentication and access control to resources in the directory. With a single network logon, administrators can manage directory data and organization throughout their network. Authorized network users can also use a single network logon to access resources anywhere in the network. Policy-based administration eases the management of even the most complex network. Additional AD DS features include the following:
• A set of rules, the schema, that defines the classes of objects and attributes that are contained in the directory, the constraints and limits on instances of these objects and the format of their names.
• A global catalog that contains information about every object in the directory. Users and administrators can use the global catalog to find directory information, regardless of which domain in the directory actually contains the data.
• A query and index mechanism, so that objects and their properties can be published and found by network users or applications.
• A replication service that distributes directory data across a network. All writable domain controllers in a domain participate in replication and contain a complete copy of all directory information for their domain. Any change to directory data is replicated to all domain controllers in the domain.
• Operations master roles (also known as flexible single master operations or FSMO). Domain controllers that hold operations master roles are designated to perform specific tasks to verify consistency and eliminate conflicting entries in the directory.
• Resource organizations, which are organizations that own and manage resources that are accessible from the Internet, can deploy Active Directory Federation Services (AD FS) servers and AD FS-enabled Web servers that manage access to protected resources for trusted partners. These trusted partners can include external third parties or other departments or subsidiaries in the same organization.
• Account organizations, which are organizations that own and manage user accounts, can deploy AD FS federation servers that authenticate local users and create security tokens that the federation servers in the resource organization use later to make authorization decisions.

Note: For information about Active Directory Domain Services, please refer to the following URL:
• https://technet.microsoft.com/en-us/windowsserver/dd448614
Active Directory Deployment Recommendation

The recommended deployment of AD DS in the CPwE architecture is based on the corporate data center AD implementation in a single domain. Since the CPwE design consists of a set of LANs connected by a high-speed backbone, the entire network can be a single site. The first domain controller installed automatically creates the first site, known as the Default-First-Site-Name. After installing the first domain controller, all additional domain controllers are automatically added to the same site as the original domain controller. To deploy the recommended topology, the addition of an AD DC in the Industrial Zone is required. AD DS should be installed in accordance with the Microsoft best practices and deployment guidelines (Deploy Active Directory Domain Services (AD DS) in Your Enterprise), which are provided at the following URL:
• https://technet.microsoft.com/en-us/library/hh472160.aspx
For the security implementation, the synchronization between the Enterprise Zone DC and the Industrial Zone DC should be bi-directional. An AD administrator must be able to create, delete and update accounts in the Industrial Zone and have the changes replicated to the Enterprise Zone, and vice versa. Directory information within a site is replicated frequently and automatically. Intra-site replication is tuned to minimize replication latency; that is, to keep the data as up-to-date as possible. Intra-site directory updates are not compressed. Uncompressed exchanges use more network resources but require less domain controller processing power.
Note: For information about Active Directory replication, please refer to the following resources:
• How Active Directory Replication Works: https://technet.microsoft.com/en-us/library/cc772726(v=ws.10).aspx
• Active Directory Replication Technologies: https://technet.microsoft.com/en-us/library/cc776877%28v=ws.10%29.aspx
Figure 2-2 illustrates the AD replication between the DCs in the Industrial and Enterprise Zones.
Figure 2-2 Domain Controller Bi-Directional Replication
[Figure: Enterprise Zone (Levels 4-5) with the Enterprise Zone Domain Controller, enterprise WLC, ISE (Enterprise) and core switches; IDMZ with active/standby firewalls; Industrial Zone (Levels 0-3) with the Industrial Zone Domain Controller, ISE PSN, core switches, active/standby WLCs, Level 3 Site Operations distribution switch and LWAP, and the Levels 0-2 Cell/Area Zone with PACs, I/O, drive, MCC, WGB and FactoryTalk client; callouts 1 and 2 mark the two directions of replication described below]
As indicated in Figure 2-2:
1. The Enterprise Domain Controller replicates any changes to the Industrial Zone Domain Controller.
2. The Industrial Domain Controller replicates any changes to the Enterprise Zone Domain Controller.
Certificate Services

Cisco ISE needs an identity certificate that is signed by a certificate authority (CA) server so that it can be trusted by endpoints, gateways and servers. The following sections describe certificate services and provide design recommendations for CPwE Identity Services.
Certificate Services Overview

The certificate services or CA is a trusted entity that manages and issues security certificates and public keys that are used for secure communication in a public network. The CA is part of the public key infrastructure (PKI), along with the registration authority (RA), which verifies the information provided by a requester of a digital certificate. If the information is verified as correct, the certificate authority can then issue a certificate. PKI is a scalable architecture that includes software, hardware and procedures to facilitate the management of digital certificates. Certificate-based authentication methods are required for plant personnel network access. To provide a local CA for each zone, the root CA should be configured in the Enterprise Zone, with a subordinate CA in the secured Industrial Zone. Certificate Services can also be used to:
• Enroll users for certificates from the CA using the Web or the Certificates Microsoft Management Console (MMC) snap-in, or transparently through auto-enrollment.
• Use certificate templates to help simplify the choices a certificate requester has to make when requesting a certificate, depending upon the policy used by the CA.
• Take advantage of the AD service for publishing trusted root certificates, publishing issued certificates, and publishing CRLs.
• Implement the ability to log on to a Microsoft Windows operating system domain using a smart card.

Note: For more information about CAs, please refer to Certificate Services at the following URL:
• https://technet.microsoft.com/en-us/library/cc758473%28v=ws.10%29.aspx
Certificate Services Deployment Recommendation

Within a CPwE architecture, it is recommended to choose a distributed certificate service model with the root CA located inside the Enterprise Zone and a subordinate CA residing in the Industrial Zone. A root CA is the most trusted CA in a CA hierarchy. When a root CA issues certificates to other CAs, these CAs become subordinate CAs of the root CA. When a root CA remains online, it is used to issue certificates to subordinate CAs. The root CA does not usually issue certificates directly to users, computers, applications or services. AD CS can be deployed as an Enterprise CA or a stand-alone CA, depending on customer-specific requirements. Both Enterprise CAs and stand-alone CAs support the following:
• Digital certificates
• Email, S/MIME
• Web servers, SSL

However, based on their location and deployment type, Enterprise CAs and stand-alone CAs differ as follows:
• Enterprise Root CA—This is the topmost CA in the CA hierarchy, and is the first CA installed in the enterprise. Enterprise root CAs are reliant on AD. Enterprise root CAs issue certificates to subordinate CAs.
• Enterprise Subordinate CA—This CA also needs AD, and is used to issue certificates to users and computers.
• Stand-alone Root CA—A stand-alone root CA is also the topmost CA in the certificate chain. A stand-alone root CA is not, however, dependent on AD, and can be removed from the network. This makes a stand-alone root CA the solution for implementing a secure offline root CA.
• Stand-alone Subordinate CA—This type of CA is also not dependent on AD, and is used to issue certificates to users, computers, and other CAs.
Root-CA deployed inside the Enterprise Zone will have well developed functionalities to provide the following services: •
Certification Authorities (CAs)—Root and subordinate CAs are used to issue certificates to users, computers, and services, and to manage certificate validity.
•
CA Web Enrollment—Web enrollment allows users to connect to a CA by means of a Web browser in order to request certificates and retrieve certificate revocation lists (CRLs).
• Online Responder—The Online Responder service accepts revocation status requests for specific certificates, evaluates the status of these certificates, and sends back a signed response containing the requested certificate status information.
• Network Device Enrollment Service—The Network Device Enrollment Service allows routers and other network devices that do not have domain accounts to obtain certificates.
• Certificate Enrollment Web Service—The Certificate Enrollment Web Service enables users and computers to perform certificate enrollment that uses the HTTPS protocol. Together with the Certificate Enrollment Policy Web Service, this enables policy-based certificate enrollment when the client computer is not a member of a domain or when a domain member is not connected to the domain.
• Certificate Enrollment Policy Web Service—The Certificate Enrollment Policy Web Service enables users and computers to obtain certificate enrollment policy information. Together with the Certificate Enrollment Web Service, this enables policy-based certificate enrollment when the client computer is not a member of a domain or when a domain member is not connected to the domain.
The subordinate CA is responsible for issuing certificates in response to clients' Certificate Signing Requests (CSRs) and for validating authentication requests inside the Industrial Zone. In addition, to prevent the Root-CA and its associated private key from being compromised, certificates need to be issued to users or devices in the Industrial Zone by the subordinate CA instead of forwarding all requests to the Enterprise Zone Root-CA. Multiple subordinate CAs need to be deployed inside the Industrial Zone for redundancy.
Note
Please refer to the following URLs for detailed information about AD CS services:
• https://technet.microsoft.com/en-us/windowsserver/dd448615.aspx
• https://technet.microsoft.com/en-us/library/cc772192.aspx
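The two-tier hierarchy recommended above (a root CA in the Enterprise Zone that issues only to subordinate CAs, and a subordinate CA in the Industrial Zone that issues to users, computers and services), as an added Go example that is not part of this guide and not AD CS code: it builds the chain with path-length constraints, verifies a Server and Client Authentication certificate of the kind Cisco ISE needs against the root as the only trust anchor, and shows that a CA created by the subordinate is rejected. The CA names, hostnames and validity periods are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hierarchy is the guide's two-tier PKI: Enterprise Zone root, Industrial Zone subordinate, end entity.
type Hierarchy struct {
	Root, Sub, Leaf *x509.Certificate
	RootKey, SubKey *ecdsa.PrivateKey
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// mustIssue signs tmpl with the parent's key (parent == tmpl: self-signed).
func mustIssue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// template builds a CA template with a pathLenConstraint (0 = end entities only), or an end-entity template with the given EKUs.
func template(serial int64, name string, isCA bool, pathLen int, eku ...x509.ExtKeyUsage) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name}, // constructed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(1, 0, 0),
		IsCA:                  isCA,
		BasicConstraintsValid: isCA,
		MaxPathLen:            pathLen,
		MaxPathLenZero:        isCA && pathLen == 0,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           eku,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}

// BuildHierarchy creates root -> subordinate -> ISE node certificate (Server and Client Authentication).
func BuildHierarchy() *Hierarchy {
	h := &Hierarchy{RootKey: newKey(), SubKey: newKey()}
	leafKey := newKey()
	// pathLenConstraint=1: exactly one tier of subordinate CAs below the root.
	rootTmpl := template(1, "Enterprise-Root-CA", true, 1)
	h.Root = mustIssue(rootTmpl, rootTmpl, &h.RootKey.PublicKey, h.RootKey)
	// pathLenConstraint=0: the subordinate may not create further CAs.
	h.Sub = mustIssue(template(2, "Industrial-Sub-CA", true, 0), h.Root, &h.SubKey.PublicKey, h.RootKey)
	h.Leaf = mustIssue(template(3, "ise-psn.industrial.example", false, 0,
		x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth), h.Sub, &leafKey.PublicKey, h.SubKey)
	return h
}

// Verify checks leaf for usage with the root as the only trust anchor; the subordinate and any extra CAs a peer presented are intermediates.
func Verify(h *Hierarchy, leaf *x509.Certificate, usage x509.ExtKeyUsage, extra ...*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(h.Root)
	inters.AddCert(h.Sub)
	for _, c := range extra {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{usage}})
	return err
}

// RogueSubCAFails: a device certificate under a CA signed by the subordinate is rejected (its pathLenConstraint of 0 is exceeded).
func RogueSubCAFails(h *Hierarchy) error {
	rogueKey, devKey := newKey(), newKey()
	rogue := mustIssue(template(4, "Unauthorized-CA", true, 0), h.Sub, &rogueKey.PublicKey, h.SubKey)
	dev := mustIssue(template(5, "device.industrial.example", false, 0, x509.ExtKeyUsageClientAuth), rogue, &devKey.PublicKey, rogueKey)
	return Verify(h, dev, x509.ExtKeyUsageClientAuth, rogue) // non-nil: chain rejected
}

func main() {
	h := BuildHierarchy()
	fmt.Println("ISE certificate via subordinate CA:", Verify(h, h.Leaf, x509.ExtKeyUsageServerAuth))
	fmt.Println("certificate under rogue sub-sub CA:", RogueSubCAFails(h))
}
```

Clients in the Industrial Zone only need the root as trust anchor, so the root key can stay offline in the Enterprise Zone while the subordinate issues day to day.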
Roles and Access
An organization's business policies will dictate the network access requirements that their solution must enforce. The network access requirements are primarily based on the roles and responsibilities of the personnel in their organization. CPwE Identity Services classifies personnel roles into the following three broad categories:
• Plant Personnel or Industrial Employee
• Non-Plant Personnel or Corporate Employee
• Contractor or Trusted Partner (OEM, SI)
Industrial Zone Wired Access Design
Industrial customers need to provide on-site access for contractors and employees. Wired Employee/Trusted Partner Access is being proposed for the Industrial Zone of the CPwE Identity Services architecture using the following two methods:
• Plant Personnel access with direct access to Industrial Zone equipment (see Figure 2-4 on page 2-12)
• Employee (non-Plant Personnel)/Trusted Partner access via the Remote Access Server using Terminal Emulation for all IACS applications such as Studio 5000 Logix Designer® (see Figure 2-3 on page 2-11)
Both of these access methods use IEEE 802.1X authentication for permitting access to the network based on user login credentials. Access for both methods will be limited to Levels 0-3 with no access allowed through the IDMZ firewall.
Wired Access Overview
For a user/computer to obtain access, the user must authenticate and present its credentials, which are verified by Cisco ISE; the result is an authorization profile that is applied to the IES access layer switch. To avoid confusion, the ports on the switch will be labeled accordingly on the plant floor regarding which ports are open and active for use as a convenience port. Under normal network operations, the user device would pass through the following steps before being allowed to access the network:
1. Authentication
2. Authorization
Authentication
802.1X authentication involves three parties:
• The supplicant, which is a client computer that wishes to attach to the network
• The authenticator, which is the Stratix or Cisco IES
• The authentication server (Cisco ISE), which supports the authentication protocols
Authentication policies are used to define the protocols used by CPwE Identity Services to communicate with the computers and the identity sources to be used for authentication. CPwE Identity Services evaluates the conditions and, based on whether the result is true or false, applies the configured result.
Authorization Policies
Authorization policies are critical to determine what each user is allowed to access within the network. Authorization policies are composed of authorization rules and can contain conditional requirements that combine one or more identity groups. The permissions granted to the user are defined in authorization profiles, which act as containers for specific permissions. Authorization profiles group the specific permissions granted to a user or computer and can include attributes such as an associated VLAN and an associated downloadable ACL (dACL). For CPwE Identity Services, an additional identity group must be defined for the purpose of uniquely identifying corporate computers. This identity group, named Whitelist, maintains a list of computers owned by the corporation. The Whitelist is manually updated by the IT administrator and contains the MAC addresses of the computers that are granted access. The following is a wired CPwE Identity Services example (as displayed in Figure 2-2 on page 2-6 and Figure 2-3 on page 2-11).
1. User attaches computer to the designated Employee/Trusted Partner convenience port on the IES.
2. Wired computers authenticate using 802.1X against the Cisco ISE PSN located within the Industrial Zone. Initially, all computers are confined to a single default VLAN. Differentiated access control for wired computers is provided by different RADIUS dACLs applied to the IES, which override the pre-configured static ACL on the IES access port, and by separate VLANs. The different access types are:
   a. User is allowed complete access to the entire Industrial Zone.
   b. User is allowed limited access to the specific Cell/Area Zone or to specific devices within the Cell/Area Zone.
   c. User is allowed access to the RAS.
Caution
CONFIGURATION NOTE: IP Device Tracking (IPDT), which operates in accordance with RFC 5227, must be enabled on the IES in order to implement RADIUS downloadable ACLs, and should ONLY be enabled on convenience and/or designated non-IACS equipment ports.
Caution
IPDT should NOT be enabled on ports connected to IACS devices. IPDT uses ARP probes to determine the IP addresses of hosts on different ports; IPDT may disrupt IACS applications. Please see the links below for more details.
https://rockwellautomation.custhelp.com/app/answers/detail/a_id/568750
http://www.cisco.com/c/en/us/support/docs/ip/address-resolution-protocol-arp/118630-technote-ipdt-00.html
Wired Access Use Cases
The following sections describe the wired use case implementation for the Industrial Employee, Corporate Personnel and Trusted Partner roles for CPwE Identity Services.
Wired Industrial Employee Access
Figure 2-3
CPwE Identity Services Validation - Direct Access to Devices
[Network diagram: Enterprise Zone (Levels 4-5) with Enterprise WAN, Internet, External DMZ/Firewall, Enterprise WLC, ISE PAN/PSN, ISE MnT and core switches; Industrial Demilitarized Zone (IDMZ) with active/standby firewalls; Industrial Zone (Levels 0-3) with ISE PSN, core switches, Remote Access Server (RAS), active/standby WLCs, Level 3 Site Operations, distribution switch, LWAP and laptop client; Cell/Area Zone (Levels 0-2) with PAC, FactoryTalk Client, I/O, drive, MCC and WGB. Callouts 1-4 correspond to the steps below.]
As indicated in Figure 2-3:
1. Wired computer (connected to the IES convenience port) logs in and sends an 802.1X authentication request.
2. IES forwards the RADIUS authentication request on behalf of the computer to the Cisco ISE PSN.
3. The Cisco ISE PSN checks AD for the user. If found, it approves the request with a RADIUS response that carries information on the VLAN assignment and dACL to be applied at the IES, which ensures that the computer can directly access devices within the Industrial Zone.
4. Computer connects to the desired devices.
Wired Corporate Employee/Trusted Partner Access
Figure 2-4
CPwE Identity Services Validation - Access to Devices via Remote Access Server
[Network diagram: Enterprise Zone (Levels 4-5) with Enterprise WAN, Internet, External DMZ/Firewall, Enterprise WLC, ISE PAN/PSN, ISE MnT and core switches; Industrial Demilitarized Zone (IDMZ) with active/standby firewalls; Industrial Zone (Levels 0-3) with ISE PSN, core switches, Remote Access Server (RAS), active/standby WLCs, Level 3 Site Operations, distribution switch, LWAP and laptop client; Cell/Area Zone (Levels 0-2) with PAC, FactoryTalk Client, I/O, drive, MCC and WGB. Callouts 1-4 correspond to the steps below.]
As indicated in Figure 2-4:
1. Wired computer (connected to the IES convenience port) logs in and sends an 802.1X authentication request.
2. IES forwards the RADIUS authentication request on behalf of the client to the Cisco ISE PSN.
3. The Cisco ISE PSN checks AD for the user. If found, it approves the request with a RADIUS response that carries information on the VLAN assignment and dACL to be applied at the IES, which ensures that the computer can only access the RAS.
4. Computer connects via Remote Desktop to the RAS and uses the same login as before. FactoryTalk® Security enforces permissions for the computer.
Industrial Zone Wireless Access Design
Industrial customers need to provide onsite wireless access for contractors and employees. Wireless Employee/Trusted Partner Access is being proposed for the Industrial Zone of the CPwE Identity Services architecture using the following two methods:
• Plant Personnel access with direct access to Industrial Zone equipment (see Figure 2-3 on page 2-11)
• Employee (non-Plant Personnel)/Trusted Partner access via the Remote Access Server using Terminal Emulation for all IACS applications such as Studio 5000 Logix Designer (see Figure 2-4 on page 2-12 and Figure 2-5 on page 2-15).
Both of these access methods use IEEE 802.1X authentication for permitting access to the network based on user login credentials. Access for both methods will be limited to Levels 0-3 with no access allowed through the IDMZ firewall.
Note
Use the 2.4 GHz band for personnel access. Use only the 5 GHz frequency band for critical IACS applications such as I/O, peer-to-peer and safety control. For more information, please refer to the Deploying 802.11 Wireless LAN Technology within a Converged Plantwide Ethernet Architecture Design and Implementation Guide at the following URLs:
• http://www.cisco.com/c/en/us/td/docs/solutions/Verticals/CPwE/NovCVD/CPwE_WLAN_CVD.html
• http://literature.rockwellautomation.com/idc/groups/literature/documents/td/enet-td006_-en-p.pdf
Wireless Access Overview
For a user/computer to obtain access, the user must authenticate and present its credentials, which are verified by the ISE; the result is an authorization profile that is applied to the WLC. Under normal network operations, the user device would pass through the following steps before being allowed to access the network:
1. Authentication
2. Authorization
Authentication
802.1X authentication involves three parties:
• The supplicant, which is a client computer that wishes to attach to the network
• The authenticator, which is the WLC
• The authentication server (Cisco ISE), which supports the authentication protocols
Authentication policies are used to define the protocols used by CPwE Identity Services to communicate with the computers and the identity sources to be used for authentication. CPwE Identity Services evaluates the conditions and, based on whether the result is true or false, applies the configured result.
Authorization Policies
Authorization policies are critical to determine what each user is allowed to access within the network. Authorization policies are composed of authorization rules and can contain conditional requirements that combine one or more identity groups. The permissions granted to the user are defined in authorization profiles, which act as containers for specific permissions. Authorization profiles group the specific permissions granted to a user or computer and can include attributes such as an associated VLAN and ACL. Cisco Wireless LAN Controllers support named ACLs (known as Airespace ACLs), meaning that the ACL must be previously configured on the controller rather than being downloaded from ISE. Using the RADIUS Airespace-ACL-Name attribute-value pair, ISE instructs the WLC to apply the ACL.
For CPwE Identity Services, an additional identity group must be defined for the purpose of uniquely identifying corporate computers. This identity group, named Whitelist, maintains a list of computers owned by the corporation. The Whitelist is manually updated by the IT administrator and contains the MAC addresses that are granted full access. The following is a CPwE Identity Services wireless access example (as displayed in Figure 2-5 on page 2-15 and Figure 2-6 on page 2-16).
1. User connects computer to the designated Employee/Trusted Partner SSID.
2. Wireless computers authenticate using 802.1X against the Cisco ISE PSN located within the Industrial Zone. Differentiated access control for wireless clients is provided by Airespace ACLs applied to the WLC. The different access scenarios are:
   a. User is allowed complete access to the entire Industrial Zone.
   b. User is allowed limited access to the specific Cell/Area Zone or to specific devices within the Cell/Area Zone.
   c. User is allowed access to the RAS only.
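The wired and wireless authorization flows described in the two Authorization Policies sections above, as an added Go model that is not Cisco ISE code and not part of this guide: the Whitelist identity group of corporate-owned MAC addresses, the three roles derived from AD group membership, default deny, and the result attributes each authenticator can enforce (VLAN plus dACL for the IES, a named Airespace ACL for the WLC). The AD group names, VLAN IDs, ACL names and the mapping of roles to the three access outcomes a/b/c are assumptions constructed for the example; ISE's real RADIUS attribute encoding is not reproduced.

```go
package main

import (
	"fmt"
	"strings"
)

// Role is one of the guide's three personnel categories; higher means more direct access.
type Role int

const (
	RoleNone Role = iota
	RoleTrustedPartner
	RoleCorporateEmployee
	RolePlantPersonnel
)

// roleByGroup maps AD group membership to a role (group names are constructed).
var roleByGroup = map[string]Role{
	"CPwE-Plant-Personnel":     RolePlantPersonnel,
	"CPwE-Corporate-Employees": RoleCorporateEmployee,
	"CPwE-Trusted-Partners":    RoleTrustedPartner,
}

// Request is what the PSN knows when the authorization policy runs.
type Request struct {
	Authenticated  bool     // 802.1X credential check against AD succeeded
	ADGroups       []string // groups of the authenticated user
	CallingStation string   // endpoint MAC as the authenticator reported it
	Wireless       bool     // true: authenticator is a WLC; false: an IES
}

// Profile is the authorization result carried in the RADIUS Access-Accept.
type Profile struct {
	Access       string // reject | full | cell-area | ras-only
	VLAN         string // wired: VLAN assigned to the IES port
	DACL         string // wired: downloadable ACL overriding the port's static ACL
	AirespaceACL string // wireless: ACL pre-configured on the WLC, applied by name
}

// Whitelist is the identity group of corporate-owned endpoints IT maintains by hand, keyed by normalized MAC.
type Whitelist map[string]bool

// NormalizeMAC reduces any common notation (00-11-22-AA-BB-CC, 00:11:22:aa:bb:cc, 0011.22aa.bbcc)
// to twelve lower-case hex digits, so entries match whatever form Calling-Station-Id arrives in.
func NormalizeMAC(s string) string {
	var b strings.Builder
	for _, r := range strings.ToLower(s) {
		if (r >= '0' && r <= '9') || (r >= 'a' && r <= 'f') {
			b.WriteRune(r)
		}
	}
	return b.String()
}

// roleOf mirrors ISE's top-down rule order: the plant rule wins over corporate and partner.
func roleOf(groups []string) Role {
	best := RoleNone
	for _, g := range groups {
		if r := roleByGroup[g]; r > best {
			best = r
		}
	}
	return best
}

// Authorize applies an assumed rule set mapping roles to the guide's outcomes a/b/c with default
// deny, then keeps only what the authenticator can enforce: VLAN + dACL for an IES, a named ACL for a WLC.
func Authorize(req Request, wl Whitelist) Profile {
	deny := Profile{Access: "reject"}
	if !req.Authenticated {
		return deny
	}
	mac := NormalizeMAC(req.CallingStation)
	role, corpOwned := roleOf(req.ADGroups), len(mac) == 12 && wl[mac] // malformed IDs never match
	var p Profile
	switch {
	case role == RolePlantPersonnel && corpOwned: // a: whole Industrial Zone
		p = Profile{Access: "full", VLAN: "110", DACL: "PERMIT-INDUSTRIAL-ZONE", AirespaceACL: "ACL-INDUSTRIAL-FULL"}
	case role == RolePlantPersonnel: // b: non-corporate device, Cell/Area Zone only
		p = Profile{Access: "cell-area", VLAN: "120", DACL: "PERMIT-CELL-AREA", AirespaceACL: "ACL-CELL-AREA"}
	case role >= RoleTrustedPartner: // c: corporate employee or trusted partner, RAS only
		p = Profile{Access: "ras-only", VLAN: "130", DACL: "PERMIT-RAS-ONLY", AirespaceACL: "ACL-RAS-ONLY"}
	default:
		return deny
	}
	if req.Wireless {
		p.VLAN, p.DACL = "", ""
	} else {
		p.AirespaceACL = ""
	}
	return p
}

func main() {
	wl := Whitelist{NormalizeMAC("00-11-22-AA-BB-CC"): true} // constructed corporate laptop
	fmt.Printf("%+v\n", Authorize(Request{Authenticated: true, ADGroups: []string{"CPwE-Plant-Personnel"}, CallingStation: "0011.22aa.bbcc"}, wl))
	fmt.Printf("%+v\n", Authorize(Request{Authenticated: true, Wireless: true, ADGroups: []string{"CPwE-Trusted-Partners"}, CallingStation: "00:11:22:dd:ee:ff"}, wl))
}
```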
Wireless Access Use Cases
The following sections describe the wireless use case implementation for the Industrial Employee, Corporate Personnel and Trusted Partner roles for CPwE Identity Services.
Wireless Industrial Employee Access
Wireless plant personnel access from the Industrial Zone is a requirement that is implemented based on the Unified Wireless Architecture already designed in Deploying 802.11 Wireless LAN Technology within a Converged Plantwide Ethernet Architecture. Since wireless access points support the use of multiple Service Set Identifiers (SSIDs), a Plant Personnel (Industrial Employee) Access SSID can be defined on the APs that will allow for Plant Personnel (Industrial Employee) User access to the wireless network. Any user connecting to the wireless network using the Plant Personnel (Industrial Employee) Access SSID will be directed by the AP to the Wireless LAN Controller located at Level 3. From that location, the user will validate their credentials and be given access to the Industrial Zone, either directly or via the RAS. Figure 2-5 is a diagram of the network architecture used in this solution.
Figure 2-5
Wireless Plant Personnel (Industrial Employee) User Access
[Network diagram: Enterprise Zone (Levels 4-5) with Enterprise WAN, Internet, External DMZ/Firewall, Enterprise WLC, ISE PAN/PSN, ISE MnT and core switches; Industrial Demilitarized Zone (IDMZ) with Remote Desktop Gateway (RDG) and active/standby firewalls; Industrial Zone (Levels 0-3) with ISE PSN, core switches, Remote Access Server (RAS), Level 3 Site Operations, active/standby WLCs, distribution switch and LWAP; Cell/Area Zone (Levels 0-2) with PAC, FactoryTalk Client, I/O, drive, MCC and WGB. Callouts 1-4 correspond to the steps below.]
As indicated in Figure 2-5:
1. Wireless client connects to the Plant Personnel (Industrial Employee) User SSID, logs in and sends an 802.1X authentication request, which gets tunneled to the local WLC.
2. WLC forwards the RADIUS authentication request on behalf of the client to the Cisco ISE PSN.
3. ISE PSN checks AD for the user. If found, it approves the request with a RADIUS response that carries information on the ACL to be applied at the Industrial WLC, which ensures that the client can access the Industrial Zone directly or via the RAS.
Wireless Trusted Partner Access Use Cases
Wireless Trusted Partner access from the Industrial Zone is a requirement that is easily implemented based on the Unified Wireless Architecture already designed in Deploying 802.11 Wireless LAN Technology within a Converged Plantwide Ethernet Architecture. Since wireless access points support the use of multiple Service Set Identifiers (SSIDs), a Trusted Partner SSID will be defined on the APs that will allow for Trusted Partner access to the wireless network. Any user connecting to the wireless network using the Trusted Partner SSID will be directed by the AP to the Trusted Partner Wireless Anchor Controller located in the corporate DMZ. From that location, the Trusted Partner will validate their credentials, and if allowed access, will be attached to the Industrial RAS via the Remote Desktop Gateway (RDG) in the IDMZ. They will log in and be granted access rights based upon their login credentials in the RAS. Figure 2-6 is a diagram of the network architecture used in this solution.
Figure 2-6
Wireless Trusted Partner Access
[Network diagram: Enterprise Zone (Levels 4-5) with Enterprise WAN, Internet, External DMZ/Firewall, Trusted Partner WLC, ISE PAN/PSN, ISE MnT and core switches; Industrial Demilitarized Zone (IDMZ) with Remote Desktop Gateway (RDG) and active/standby firewalls; Industrial Zone (Levels 0-3) with ISE PSN, core switches, Remote Access Server (RAS), Level 3 Site Operations, active/standby WLCs, distribution switch, LWAP and laptop client; Cell/Area Zone (Levels 0-2) with PAC, FactoryTalk Client, I/O, drive, MCC and WGB. Callouts 1-4 correspond to the steps below.]
As indicated in Figure 2-6:
1. Wireless client connects to the Trusted Partner User SSID, logs in and sends an 802.1X authentication request, which gets tunneled to the local WLC.
2. WLC forwards the RADIUS authentication request on behalf of the client to the Cisco ISE PSN.
3. The Cisco ISE PSN checks AD for the user. If found, it approves the request with a RADIUS response that carries information on the ACL to be applied at the Trusted Partner Anchor WLC, which ensures that the client can only access the RAS.
4. Client traffic is now tunneled to the Trusted Partner Anchor WLC, and the client connects via the RDG to the RAS using the same login as before. FactoryTalk Security enforces permissions for the client.
Wireless Corporate Employee Access
Wireless Corporate employee access from the Industrial Zone is a requirement that is implemented based on the Unified Wireless Architecture already designed in Deploying 802.11 Wireless LAN Technology within a Converged Plantwide Ethernet Architecture. Since wireless access points support the use of multiple Service Set Identifiers (SSIDs), a Corporate Employee Personnel Access SSID will be defined on the APs that will allow for Corporate Employee User access to the wireless network. Any user connecting to the wireless network using the Corporate Access SSID will be directed by the AP to the Corporate Wireless LAN Controller located in the corporate network. From that location, the Corporate User will validate their credentials, and if allowed access, will be attached to the Industrial RAS via the RDG in the IDMZ. They will log in and be granted access rights based upon their login credentials in the RAS. Figure 2-7 is a diagram of the network architecture used in this solution.
Figure 2-7
Wireless Corporate Employee Personnel User Access
[Network diagram: Enterprise Zone (Levels 4-5) with Enterprise WAN, Internet, External DMZ/Firewall, Enterprise WLC, ISE PAN/PSN, ISE MnT and core switches; Industrial Demilitarized Zone (IDMZ) with Remote Desktop Gateway (RDG) and active/standby firewalls; Industrial Zone (Levels 0-3) with ISE PSN, core switches, Remote Access Server (RAS), Level 3 Site Operations, active/standby WLCs, distribution switch and LWAP; Cell/Area Zone (Levels 0-2) with PAC, FactoryTalk Client, I/O, drive, MCC and WGB. Callouts 1-4 correspond to the steps below.]
As indicated in Figure 2-7:
1. Wireless client connects to the Corporate User SSID, logs in and sends an 802.1X authentication request, which gets tunneled to the local WLC.
2. WLC forwards the RADIUS authentication request on behalf of the client to the Cisco ISE PSN.
3. The Cisco ISE PSN checks AD for the user. If found, it approves the request with a RADIUS response that carries information on the ACL to be applied at the Enterprise WLC, which ensures that the client can only access the RAS.
4. Client traffic is now tunneled to the Enterprise WLC, and the client connects via the RDG to the RAS using the same login as before. FactoryTalk Security enforces permissions for the client.
Chapter 3
Configuring the Infrastructure
This chapter describes how to configure the Cisco ISE infrastructure in the CPwE Identity Services architecture based on the design considerations of the previous chapters. It covers the configuration of the network infrastructure, network services, data traversal, Web application access and network and application security, all from an IDMZ perspective. The included configurations have been validated during the testing effort. It includes the following major topics:
• Network Infrastructure Configuration, page 3-1
• Initial Cisco ISE Configuration, page 3-6
• Wired Access Configuration, page 3-12
• Wireless Access Configuration, page 3-20
Network Infrastructure Configuration
This section describes validated configurations for the network infrastructure that is needed to support Cisco ISE use cases for an IACS network. The following configuration steps are covered in this section:
• Active Directory Configuration
• DNS Configuration
• DHCP Configuration
• Certificate Services Configuration
• NTP Configuration
Active Directory Configuration
The following steps describe the configuration required to install and configure AD DS replication between the Enterprise and Industrial Zones:
Step 1 Install AD DS services on the Enterprise server:
a. Open the Server Manager console and click Add roles and features.
b. Select Role-based or feature-based installation and then click Next.
c. Select the Active Directory Services role.
d. Accept the default features required by clicking Add Features.
e. On the Features screen, click Next.
f. On the Confirm installation selections screen, click Install. Installation will complete.
g. Click Close. Once completed, a notification is made available on the dashboard, highlighted by an exclamation mark.
h. Select the notification and, from the drop-down menu, select Promote this server to a domain controller (see Figure 3-1).
Step 2 Install AD DS services on the Industrial server:
a. Select Add a Domain Controller into existing domain. Confirm the target domain is specified. If not, select the proper domain or enter the proper domain in the field provided.
b. Click Change, provide the required Enterprise Administrator credentials and then click Next.
c. Define whether the server should be a Domain Name System (DNS) server and Global Catalog (GC).
d. Select the Site to which this DC belongs and define the Directory Services Restore Mode (DSRM) password for this DC.
e. Click Next on the DNS options screen.
f. In the Additional Options screen, you are provided with the option to install the Domain Controller from Install From Media (IFM). Additionally, you are provided the option to select the point from which DC replication should be completed. The server will choose the best location for AD database replication if not specified. Click Next once completed.
g. Specify the location for the AD database and SYSVOL and then click Next.
h. The next step is the Schema and Domain preparation. Alternately, you could run Adprep prior to commencing these steps. Regardless, if Adprep is not detected, it will automatically be completed on your behalf.
i. Finally, the Review Options screen provides a summary of all of the selected options for server promotion. As a bonus, after clicking View Script, you are provided with the PowerShell script to automate future installations. Click Next to continue.
j. Should all the prerequisites pass, click Install to start the installation. After it completes the required tasks and the server restarts, the new Windows Server 2012 Domain Controller setup is completed (see Figure 3-1).
Note
For testing purposes, the following services were installed on a single server: AD DS, DHCP, DNS and Certificate Services.
Figure 3-1
Windows Server 2012 Server Manager View
k. Set up the firewall to allow traffic between the servers for replication.
Step 3 Configure AD replication:
a. From the Active Directory Sites and Services tool in the Administrative Tools program group, expand the Sites folder.
b. Right-click the Default-First-Site-Name item and then choose Rename.
c. Rename the site to Enterprise-AD.
d. Create a new site by right-clicking the Sites object and then selecting New Site.
e. On the New Object-Site dialog box, type a site name.
f. Click the DEFAULTIPSITELINK item. An information screen displays.
g. Click OK to create the site.
h. Create another new site. Again, choose the DEFAULTIPSITELINK item. Notice the new site is listed in the Sites object.
i. When you are finished, close the Active Directory Sites and Services tool.
Step 4 Create subnets to define IP address ranges for AD DCs:
a. From the Active Directory Sites and Services tool in the Administrative Tools program group, expand the Sites folder.
b. Right-click the Subnets folder and then click New Subnet. In the New Object-Subnet dialog box, you are prompted for information about the IPv4 or IPv6 details for the new subnet.
c. Click the site, and then click OK to create the subnet.
d. In the Active Directory Sites and Services tool, right-click the newly created 10.1.1.0/24 subnet object and then click Properties.
e. On the subnet's Properties dialog box, type 100Mbit LAN for the description. Click OK to continue.
f. Create a new subnet for the Industrial AD DC by filling in the Address and Site fields.
g. Finally, create another subnet for the Enterprise AD DC by filling in the Address and Site fields.
Figure 3-2
Windows Server 2012 Active Directory Sites and Services Window
Refer to the following URL for more details on Active Directory setup:
• https://technet.microsoft.com/en-us/library/hh831477.aspx
DNS Configuration
Refer to the following URL for guidance and procedures on configuring DNS:
• https://technet.microsoft.com/en-us/library/cc730921.aspx
DHCP Configuration
Refer to the following URL for guidance and procedures on configuring DHCP:
• https://technet.microsoft.com/en-us/library/cc755282.aspx
Certificate Services Configuration
This section describes the configuration of certificate services using the Microsoft Windows Server implementation. Public Key Infrastructure (PKI) is a scalable architecture that includes software, hardware and procedures to facilitate the management of digital certificates. PEAP-based authentication was used for personnel authentication. To provide a local CA for each zone, the root CA was configured in the Enterprise Zone, with a subordinate CA in the secured Industrial Zone.
Step 1 Set up the root CA in the Enterprise Zone:
a. From Server Manager, click Add Roles and then click Next.
b. Click Active Directory Certificate Services and then click Next twice.
c. On the Select Role Services page, click Certification Authority and then click Next.
d. On the Specify Setup Type page, click Standalone or Enterprise and then click Next.
Note
You must have a network connection to an AD DC in order to install an Enterprise CA.
e. On the Specify CA Type page, click Root CA and then click Next.
f. On the Set Up Private Key page, click Create a new private key and then click Next.
g. On the Configure Cryptography page, select a cryptographic service provider, key length, and hash algorithm and then click Next.
h. On the Configure CA Name page, create a unique name to identify the CA and then click Next.
i. On the Set Validity Period page, specify the number of years or months that the root CA certificate will be valid and then click Next.
j. On the Configure Certificate Database page, accept the default locations unless you want to specify a custom location for the certificate database and certificate database log and then click Next.
k. On the Confirm Installation Options page, review all of the configuration settings that you have selected (see Figure 3-3). If you want to accept all of these options, click Install and wait until the setup process has finished.
Figure 3-3
Windows Server 2012 Root Certification Authority Window
Step 2 Set up the subordinate CA in the Industrial Zone:
a. From Server Manager, click Add Roles and then click Next.
b. Click Active Directory Certificate Services and then click Next twice.
c. On the Select Role Services page, click Certification Authority and then click Next.
d. On the Specify Setup Type page, click Enterprise CA and then click Next.
e. On the Specify CA Type page, click Subordinate CA and then click Next.
f. On the Set Up Private Key page, click Create a new private key and then click Next.
g. On the Configure Cryptography page, select a cryptographic service provider, key length and hash algorithm. Click Next.
h. On the Request Certificate page, browse to locate the root CA, or if the root CA is not connected to the network, save the certificate request to a file so that it can be processed later. Click Next.
i. On the Configure CA Name page, create a unique name to identify the CA. Click Next.
j. On the Set Validity Period page, specify the number of years or months that the CA certificate will be valid. Click Next.
k. On the Configure Certificate Database page, accept the default locations unless you want to specify a custom location for the certificate database and certificate database log.
l. On the Confirm Installation Options page, review all of the configuration settings that you have selected (see Figure 3-4). If you want to accept all of these options, click Install and wait until the setup process has finished.
Figure 3-4 Windows Server 2012 Subordinate Certification Authority Window
Step 3 Create a certificate template with intended purposes of Server and Client Authentication. This template is needed for Cisco ISE system certificates to function properly. To create the template, refer to the following guide:
• http://social.technet.microsoft.com/wiki/contents/articles/13303.windows-server-2012-certificate-template-versions-and-options.aspx
NTP Configuration

Cisco ISE requires NTP servers for each zone so that it can synchronize the time across the distributed setup and avoid problems with certificate validity, unsynchronized logs, etc. To configure NTP, refer to the Network Time Protocol: Best Practices White Paper:
• http://www.cisco.com/c/en/us/support/docs/availability/high-availability/19643-ntpm.html
Initial Cisco ISE Configuration

This section describes validated configurations to perform the initial Cisco ISE setup that is required before configuring authentication and authorization policies for clients. The following configuration steps are covered in this section:
• Prerequisite Configuration
• Distributed Setup Configuration
• External Identity Source (AD) Configuration
• Whitelist Configuration
• Network Device Configuration
Prerequisite Configuration

The following steps describe the prerequisite configuration needed before proceeding with the initial Cisco ISE setup:
Step 1 Import a Plus (or higher) license on the PAN:
a. Obtain the license file from Cisco.
b. From Administration > System > Licensing, scroll to the License Files section.
c. Click Import License, browse for the license file and then click Import.
d. Confirm that the new license is displayed in the License Files section (see Figure 3-5).
Figure 3-5 Cisco ISE License Import Window
Step 2 Install a server certificate signed by the root CA on each Cisco ISE node:
a. From Administration > System > Certificates, choose Certificate Signing Requests in the left pane.
b. Click Generate Certificate Signing Requests (CSR), fill in the required fields and then click Generate (see Figure 3-6).
c. Click Export in the window that appears to download the request.
d. From https://<CA-server>/certsrv/ > Request a certificate > Advanced Certificate Request, click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
e. Copy and paste the CSR request > Select the certificate template > Submit > Download the certificate chain > convert the extension to .csr format.
Note
The certificate template selected should be the same one configured as part of the Certificate Services infrastructure configuration.
f. Click the CSR check box and then click Bind Certificate to append the CA-signed certificate. This certificate will now be part of the system certificates.
g. Browse to the certificate file returned by the CA, fill in the Friendly Name field, if desired, and then click Submit.
h. Once complete, click System Certificates in the left pane and verify that the new server certificate appears there. Select its check box and then click Edit.
i. Under Usage, check all boxes to allow this certificate to be used by all services. Finally, click Save.
Note
For disaster recovery, Cisco recommends exporting all system certificates and their private key pairs to a reliable backup location.
Note
When the system certificate is uploaded, the root and subordinate CA certificates will also be added to the Trusted Certificate store automatically (see Figure 3-6).
Figure 3-6 Cisco ISE Certificate Signing Requests Window

Figure 3-7 Cisco ISE Trusted Certificates Window
Step 3 Configure each Cisco ISE node with the domain name and DNS server in their respective zone. From the CLI (not configurable via the GUI), enter the following commands, substituting the zone's values for the placeholders:
ip domain-name <domain-name>
ip name-server <DNS-server-IP>
Step 4 Confirm each Cisco ISE node is in the correct mode to create the distributed setup (PAN primary, all other nodes standalone):
a. On the PAN, from Administration > System > Deployment, click the node name in the table.
b. Under Personas and next to Administration, change the Role from STANDALONE to PRIMARY and then click Save.
c. Wait for Cisco ISE services to restart, then return to the Deployment page and confirm the PAN Administration Role is now PRIMARY.
d. On the other Cisco ISE nodes, from Administration > System > Deployment, click the node name and confirm that the Role is STANDALONE. If not, follow the same procedure as above to change it.

Figure 3-8 Cisco ISE Deployment Roles Window
Distributed Setup Configuration

As discussed in "System Design Considerations", the Cisco ISE distributed setup supports centralized configuration and management. The distributed setup consists of three types of nodes, as described in Table 3-1.

Table 3-1 Cisco ISE Distributed Setup Node Types

Type of Node            Location in CPwE    Feature
Admin node (PAN)        Enterprise Zone     All system-related configuration (that is, AuthC, AuthZ profiles)
Policy node (PSN)       Industrial Zone     Evaluates the policies and makes all the decisions
Monitoring node (MnT)   Enterprise Zone     Log collector and store for log messages
To establish the distributed setup, follow the Cisco ISE 1.3 Distributed Setup Guide located at:
• http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_011.html
Note
Once the distributed setup has been created, all configurations should be performed on the PAN, since that node will then synchronize with the others automatically. The GUI for the other Cisco ISE nodes will have only limited configuration options available.
External Identity Source (AD) Configuration

The following steps describe the configuration of AD as an external identity source for Cisco ISE:
Step 1 Create the AD join point:
a. From Administration > Identity Management > External Identity Sources, click Active Directory in the left pane.
b. Click Add and then type any desired value for the Join Point Name and the domain to join for the Active Directory Domain.
c. Once finished, click Submit.
Step 2 Join the AD domain using the join point:
a. Once the join point has been created, all distributed Cisco ISE nodes should be listed and show a status of "Not Joined." Select each node's check box and then click Join.
b. Specify a User Name and Password with permissions to join the domain and then click OK. If the operation succeeds, the node will show a status of "Operational" and the host name of the local AD server (see Figure 3-9).

Figure 3-9 Cisco ISE AD Join Point Window
Step 3 Retrieve all necessary groups from the AD server (as configured in the Active Directory section above):
a. From the Active Directory Join Point window, click the Groups tab.
b. From Add > Select Groups from Directory, click Retrieve Groups.
c. Select the check boxes for any groups that will be referenced in client policies and then click OK.
d. Verify that the groups are now listed in the table (see Figure 3-10) and then click Save.
Figure 3-10 Cisco ISE AD Groups Window
Whitelist Configuration

The following steps describe the configuration of the Whitelist:
Step 1 Add a corporate device manually to the Whitelist:
a. From Administration > Identity Management > Identities > Endpoints, click Add.
b. On the Endpoint page, enter the MAC address in the MAC Address field.
c. Select the Static Group Assignment check box and then select Whitelist from the Identity Group Assignment drop-down menu.
d. At the bottom of the window, click Save (see Figure 3-11).

Figure 3-11 Cisco ISE Endpoints Page
Network Device Configuration

This section describes how to define network devices (such as a switch or a router) through which RADIUS service requests are sent to Cisco ISE. You must define network devices for Cisco ISE to be able to interact with them. The following steps describe the configuration of network devices:
Step 1 Create network device groups to organize network devices by type and location, if desired. For this procedure, refer to:
• http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_01001.html#reference_2424A156765D42E98207B93A0E0F0CB3
Step 2 Add any network devices that will send RADIUS requests to Cisco ISE on behalf of clients:
a. From Administration > Network Resources > Network Devices, click Add.
b. Fill in the Name field with the hostname of the device.
c. Fill in the IP Address field with the address of the device.
d. Under Network Device Group, select either the default location and type or any specific groups created earlier.
e. Select the check box next to Authentication Settings, expand it and then enter the desired RADIUS shared secret.
Note
The RADIUS shared secret password must match in the configuration of the network device itself or RADIUS exchanges will fail.
f. Click Save (see Figure 3-12).

Figure 3-12 Cisco ISE Add Network Device Window
Wired Access Configuration

This section describes configuration details for Cisco ISE and the IES based on the design recommendations in System Design Considerations. The following configuration steps are covered in this section:
• Cisco ISE Configuration
• IES Configuration
Cisco ISE Configuration

This section describes how to configure Cisco ISE to properly authenticate and authorize wired computers and limit their access to the network. The following configuration steps are covered in this section:
• Identity Store Sequence Configuration
• Policy Element Configuration
• Authentication Policy Configuration
• Authorization Policy Configuration
• Client Configuration
Identity Store Sequence Configuration

The following steps describe the configuration of identity store sequences:
Step 1 Create a certificate authentication profile:
a. From Administration > Identity Management > External Identity Sources, click Certificate Authentication Profile in the left pane and then click Add.
b. Fill in the Name field with any desired name.
c. Select the AD join point from the Identity Store drop-down.
d. Next to Use Identity From, select Any Subject or Alternative Name Attributes in the Certificate (for Active Directory Only).
e. Finally, click Submit (see Figure 3-13).

Figure 3-13 Cisco ISE Certificate Authentication Profile Window
Step 2 Create the identity store sequence:
a. From Administration > Identity Management > Identity Source Sequences, click Add.
b. Fill in the Name field as All_Stores_Sequence.
c. Select the check box next to Certificate Based Authentication and then select the certificate profile created in the previous step from the drop-down.
d. Under Authentication Search List, in the Available list, select the AD join point and then click the right arrow button to move it to the Selected list.
e. Under Advanced Search List Settings, select Do not access other stores in the sequence and set the AuthenticationStatus attribute to ProcessError.
f. Finally, click Save (see Figure 3-14).

Figure 3-14 Cisco ISE Identity Source Sequence Window
Policy Element Configuration

The following steps describe the configuration of policy elements:
Step 1 Create the allowed protocol service to define which protocols are allowed for authentication:
a. From Policy > Policy Elements > Results, expand Authentication in the left pane and select Allowed Protocols.
b. Click Add.
c. Fill in the Name field and select the check boxes for only the authentication protocols that will be used by wired clients.
d. Once complete, click Save (see Figure 3-15).
Figure 3-15 Cisco ISE Allowed Protocol Service Window
Step 2 Create the downloadable ACLs:
a. From Policy > Policy Elements > Results, expand Authorization in the left pane and select Downloadable ACLs.
b. Click Add.
c. Fill in the Name field and then add the desired ACL entries in the DACL Content area. These ACL entries are defined in the same fashion as in Cisco IOS.
d. To validate the ACL, expand Check DACL Syntax and click Recheck.
e. Confirm that the returned text is "DACL is valid" and then click Submit (see Figure 3-16).

Figure 3-16 Cisco ISE Downloadable ACL Window
Step 3 Create an authorization profile to limit wired clients based on the rules defined here:
a. From Policy > Policy Elements > Results, expand Authorization > Authorization Profiles.
b. Click Add to add a profile.
c. Fill in the Name field.
d. Choose the Access Type from the Access Type drop-down menu.
e. Check the DACL Name check box to choose a DACL from the drop-down menu.
f. Check the VLAN check box to allow the traffic to traverse through a VLAN.
g. Enter the VLAN number in the ID/Name field.
h. Click Save (see Figure 3-17).

Figure 3-17 Cisco ISE Authorization Profile Window
Authentication Policy Configuration

The following steps describe the configuration of authentication policies for wired clients:
Step 1 Create an authentication policy for wired clients:
a. From Policy > Authorization, select Policy Type as Rule-Based.
b. Click Edit to insert the authentication rule below or above the existing rule (or duplicate the policy above or below the existing rule).
c. Enter the rule name in the Standard Rule box and choose the condition for the Select condition > Select Existing condition from the Library.
d. From the Select condition drop-down menu, choose the compound condition and the wired 802.1X.
e. From the Network Access drop-down menu, click Allowed Protocols.
f. Choose the Protocol you wish to allow.
g. Click Done to save the configuration (see Figure 3-18).
Figure 3-18 Cisco ISE Authentication Policy Window
Authorization Policy Configuration

The following steps describe the configuration of authorization policies for wired clients:
Step 1 Create an authorization policy for wired clients:
a. From Policy > Authorization, choose how the rule applies from the drop-down menu (First Matched Rule Applies or Multiple Matched Rule Applies).
b. Click Edit to insert the authorization rule below or above the existing rule or duplicate the policy above or below the existing rule.
c. Enter the rule name in the Standard Rule box.
d. Click the Any drop-down menu from the If box.
e. From Any > Endpoint Identity Group > Whitelist, choose the condition for the Select condition > Select Existing condition from Library.
f. From the Select condition drop-down menu, choose the compound condition and the wired 802.1X.
g. Click Edit to expand the Profiles.
h. Click the Select an item drop-down menu to choose a profile.
i. Click Standard and choose the permission rule from the menu.
j. Click Done to save the configuration (see Figure 3-19).

Figure 3-19 Cisco ISE Authorization Policy Window
IES Configuration

This section describes how to configure the IES hosting the convenience port(s) to communicate with the computer via 802.1X, relay these requests to Cisco ISE via RADIUS and limit the computer's access based on the authorization result.
The following configuration steps are covered in this section:
• VLAN Configuration
• AAA and RADIUS Configuration
• ACL Configuration
• 802.1X Configuration
VLAN Configuration

Log in to the IES and in global configuration mode enter the VLAN values to create the VLANs (as defined in the authorization profiles configured on Cisco ISE):
(config)# vlan 181,182,183,351
AAA and RADIUS Configuration

The following steps describe the RADIUS configuration on the IES access switch:
Step 1 The following steps are required to configure the IES switch for AAA:
a. Enable Authentication, Authorization, and Accounting (AAA):
(config)# aaa new-model
b. Create an authentication method for 802.1X (by default, use all RADIUS servers for authentication):
(config)# aaa authentication dot1x default group radius
c. Create an authorization method for 802.1X (enables RADIUS for policy enforcement):
(config)# aaa authorization network default group radius
d. Create an accounting method for 802.1X (provides additional information about sessions to Cisco ISE):
(config)# aaa accounting dot1x default start-stop group radius
e. Add the Cisco ISE server to the RADIUS group:
(config)# radius-server host 10.225.41.115 auth-port 1812 acct-port 1813 key shared-secret
Step 2 The following steps are required to configure the IES access switch for RADIUS:
a. Configure the Cisco ISE server dead time (15 seconds total: 3 retries of a 5 second timeout):
(config)# radius-server dead-criteria time 5 tries 3
b. Configure the switch to send Cisco Vendor-Specific attributes:
(config)# radius-server vsa send accounting
(config)# radius-server vsa send authentication
c. Configure the Cisco Vendor-Specific attributes:
(config)# radius-server attribute 6 on-for-login-auth
(config)# radius-server attribute 8 include-in-access-req
(config)# radius-server attribute 25 access-request include
d. Configure the IP address to be used to source RADIUS messages:
(config)# ip radius source-interface Vlan4093
ACL Configuration

The following describes the configuration of ACLs on the IES access switch. Log in to the IES and in global configuration mode enter the extended access list to be applied on the interface during client login to restrict access (replace the DNS server placeholder with the address of the plant DNS server):
(config)# ip access-list extended ACL-DEFAULT
(config-ext-nacl)# permit udp any eq bootpc any eq bootps log
(config-ext-nacl)# permit udp any host <DNS-server-IP> eq domain
(config-ext-nacl)# deny ip any any log
Note
ACL-DEFAULT—This ACL is configured on the IES and used as a default ACL on the port. Its purpose is to prevent unauthorized access. In an 802.1X authentication/authorization scenario, after the computer is authenticated and authorized, if no DACL is applied to the port or if a mistake exists in the syntax of the downloadable ACL, the IES rejects the DACL sent by Cisco ISE.
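To see what ACL-DEFAULT lets through before 802.1X completes, here is an added Python example (not code from this guide or from Cisco) that parses the ACL entries above in the same IOS syntax, runs a syntax check like the one the ISE DACL editor performs, and evaluates constructed sample flows; the DNS server address 10.0.0.53 and the client and controller addresses are constructed values.

```python
"""Pre-authentication ACL-DEFAULT model for an IES convenience port.

Added example, not code from the CPwE guide: parses the subset of IOS extended
ACL syntax used on this page, runs a check like the ISE "Check DACL Syntax"
button, and evaluates constructed sample flows to show that only DHCP and DNS
pass before 802.1X succeeds. 10.0.0.53 is a constructed DNS server address.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PORT_NAMES = {"bootpc": 68, "bootps": 67, "domain": 53}   # keywords used on the page

ACL_DEFAULT = """
permit udp any eq bootpc any eq bootps log
permit udp any host 10.0.0.53 eq domain
deny ip any any log
"""

@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "udp" or "tcp"
    src: ipaddress.IPv4Network
    sport: Optional[int]         # None when no 'eq' qualifier was given
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    log: bool

def _address(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, Optional[int]]:
    """Consume 'any' or 'host A.B.C.D', then an optional 'eq <port>' (the forms on this page)."""
    tok = tokens.pop(0)
    if tok == "any":
        net = ipaddress.ip_network("0.0.0.0/0")
    elif tok == "host":
        net = ipaddress.ip_network(tokens.pop(0) + "/32")
    else:
        raise ValueError(f"unsupported address form {tok!r}")
    port = None
    if tokens and tokens[0] == "eq":
        name = tokens[1]
        del tokens[:2]
        port = PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return net, port

def parse_acl(text: str) -> List[Ace]:
    """Parse one ACE per line; an 'ip access-list extended' header line is ignored."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("ip", "remark"):
            continue
        if tokens[0] not in ("permit", "deny") or len(tokens) < 4:
            raise ValueError(f"malformed ACE: {line!r}")
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, sport = _address(rest)      # raises ValueError/IndexError on bad input
        dst, dport = _address(rest)
        if rest not in ([], ["log"]):
            raise ValueError(f"unexpected trailing tokens in {line!r}")
        aces.append(Ace(action, proto, src, sport, dst, dport, rest == ["log"]))
    return aces

def check_dacl_syntax(text: str) -> str:
    """Return 'DACL is valid' (the text ISE shows) or a description of the first error."""
    try:
        parse_acl(text)
    except (ValueError, IndexError) as exc:
        return f"DACL is invalid: {exc}"
    return "DACL is valid"

def evaluate(aces: List[Ace], proto: str, src: str, sport: int,
             dst: str, dport: int) -> Tuple[str, Optional[Ace]]:
    """The first matching ACE, top down, decides; an IOS ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.sport not in (None, sport) or ace.dport not in (None, dport):
            continue
        return ace.action, ace
    return "deny", None

# Constructed flows from a client on a convenience port before it is authorized
SAMPLE_FLOWS = {
    "dhcp_discover": ("udp", "0.0.0.0", 68, "255.255.255.255", 67),
    "dns_lookup": ("udp", "10.17.10.50", 51234, "10.0.0.53", 53),
    "cip_to_controller": ("tcp", "10.17.10.50", 44321, "10.17.10.20", 44818),
}

def decisions() -> Dict[str, str]:
    """Map each sample flow to the action ACL-DEFAULT takes on it."""
    acl = parse_acl(ACL_DEFAULT)
    return {name: evaluate(acl, *flow)[0] for name, flow in SAMPLE_FLOWS.items()}
```

The third flow (EtherNet/IP on TCP 44818 toward a controller) is denied and logged by the last ACE, which is exactly the pre-authorization posture ACL-DEFAULT is meant to enforce.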
802.1X Configuration

The following describes the 802.1X configuration on the IES. Enable 802.1X globally (this command by itself does not enable authentication on the switchports):
(config)# dot1x system-auth-control
Step 1 The following steps describe the configuration on the desired convenience port:
a. Enable IP device tracking:
(config)# ip device tracking
b. Configure the authentication method priority on the interface:
(config-if)# authentication priority dot1x
c. Configure the authentication method order (dot1x first):
(config-if)# authentication order dot1x
d. Enable Flex-Auth:
(config-if)# authentication event fail action next-method
e. Enable support for more than one MAC address on the physical port:
(config-if)# authentication host-mode multi-auth
f. Configure the violation action (restrict access for additional devices that may fail authentication):
(config-if)# authentication violation restrict
g. Enable the port for 802.1X:
(config-if)# dot1x pae authenticator
h. Configure timers:
(config-if)# dot1x timeout tx-period 10
i. Turn authentication on:
(config-if)# authentication port-control auto
j. Apply the ACL to the port:
(config-if)# ip access-group ACL-DEFAULT in
k. Make the port an access port:
(config-if)# switchport mode access
l. Assign the port to a specific VLAN initially so that it can authenticate with Cisco ISE:
(config-if)# switchport access vlan <vlan-id>
Caution
CONFIGURATION NOTE: IP Device tracking (IPDT), which operates in accordance with RFC 5227, must be enabled on the IES to implement RADIUS downloadable ACL and should ONLY be enabled on convenience and/or designated non-IACS equipment ports.
Caution
IPDT should NOT be enabled on ports connected to IACS devices. IPDT uses ARP probes to determine the IP addresses of hosts on different ports; IPDT may disrupt IACS applications. Please refer to the URLs below for more details:
https://rockwellautomation.custhelp.com/app/answers/detail/a_id/568750
http://www.cisco.com/c/en/us/support/docs/ip/address-resolution-protocol-arp/118630-technote-ipdt-00.html
Client Configuration

Wired clients must be preconfigured to use the proper authentication method before they can be authenticated and authorized via a convenience port. Refer to the following URL for guidance on configuring Windows clients:
• http://windows.microsoft.com/en-us/windows/enable-802-1x-authentication#1TC=windows-7
Wireless Access Configuration

This section describes configuration details for Cisco ISE and the WLC based on the design recommendations in System Design Considerations. The following configuration steps are covered in this section:
• Cisco ISE Configuration
• Industrial WLC Configuration
• Trusted Partner Anchor WLC Configuration
• Corporate Employee Anchor WLC Configuration
Cisco ISE Configuration

This section describes how to configure Cisco ISE to properly authenticate and authorize wireless clients and limit their access to the network. The following configuration steps are covered in this section:
• Identity Store Sequence Configuration
• Policy Element Configuration
• Authentication Policy Configuration
• Authorization Policy Configuration
Identity Store Sequence Configuration Refer to Identity Store Sequence Configuration, page 3-13 for this configuration.
Policy Element Configuration

The following steps describe the configuration of policy elements:
Step 1 Create simple conditions:
a. From ISE PAN node > Policy > Policy Elements > Conditions > Authorization > Simple Conditions, click Add.
b. For every SSID, create a simple rule as shown in Figure 3-20.

Figure 3-20 Industrial_Employee_WLAN Condition
Note
The Attribute Value (7 in the case above) must match the wireless LAN controller WLAN ID # for that SSID (Industrial_Employee_WLAN in the case above).
c. Similarly, create a simple condition for each of the remaining SSIDs. That is:
– Trusted_Partner_WLAN: Airespace:Airespace-Wlan-Id Equals 4
– Corporate_Employee_WLAN: Airespace:Airespace-Wlan-Id Equals 6
Step 2 To give an Industrial Employee full access on the plant floor, create a compound condition in Cisco ISE that includes the expressions shown in Figure 3-21.
Figure 3-21 Wireless_PEAP Compound Condition
Step 3 Follow the same format for the Industrial partial and RAS-only access use cases.
Step 4 An authorization profile acts as a container where a number of specific permissions allow access to a set of network services. The Airespace ACL controls access on the network. Since this user has access to every device on the plant floor, the Airespace ACL applied here is ACL_Full_Access.
Note
The ACL is configured in WLC. Refer to ACL Configuration using GUI, page 3-40 for more detail.
Figure 3-22 Airespace ACL Name Selection
Authentication Policy Configuration

Authentication policies are used to define the protocols used by Cisco ISE to communicate with the endpoints and the identity sources to be used for authentication. Cisco ISE evaluates the conditions and based on whether the result is true or false, it applies the configured result. An authentication policy includes:
• An allowed protocol service, such as PEAP, EAP-TLS, etc.
• An identity source used for authentication
Similar to the way access lists are processed, authentication rules are processed from the top down. When the first condition is met, processing stops and the assigned identity rule is used. The rules are evaluated using "If, then, else" logic:
IF Wireless_802.1X
  THEN Allow EAP-TLS and PEAP
ELSE IF next condition
  Take action
ELSE
  Use Default Rule

The following steps describe the configuration of authentication policies for wireless clients:
Step 1 Configure the AuthC policy:
a. From Policy > Authentication, either customize the default Wireless dot1x policy or insert a new policy above/below any existing policy by clicking the down arrow beside Edit.
b. Write a Rule name (such as Wireless dot1x AuthC).
c. Click + beside the "If" condition > Select Existing Condition from Library > Select Condition > Compound Conditions > Wireless_802.1X.
d. Select Allowed protocols as EAP-TLS and PEAP.
Note
For more information on how to customize allowed protocol, check Figure 3-15 on page 3-15.
Step 2 Define Network Access Conditions:
a. Click the default condition, change the Identity store from Internal Users to All_Stores_Sequence and keep the other options as default.
b. Beside the default rule, from Action > Insert new row above, enter the store rule name.
c. Click the small square to open the expression builder > Create New condition > Network Access:EapAuthentication EQUALS EAP-TLS.
d. In the Use section, change the Identity store from Internal Users to All_Stores_Sequence and keep the other options as default. Repeat the previous two steps to create a rule for PEAP: Network Access:EapTunnel EQUALS PEAP.
e. In the Use section, change the Identity store from Internal Users to All_Stores_Sequence and keep the other options as default.
Step 3 Click OK.
Figure 3-23 Authentication Rules
In a normal deployment scenario, the endpoints would primarily use the 802.1X protocol to communicate with Cisco ISE. Cisco ISE authenticates these endpoints against an AD or authenticates them via digital certificates. The default Authentication policy is Deny Access.
Authorization Policy Configuration

Authorization policies define the overall security policy to access the network. Network authorization controls user access to the network and its resources and what each device can do on the system with those resources. An Authorization Policy is composed of multiple rules. Authorization rules are defined by three main elements:
• Names
• Conditions
• Permissions
Permissions are enforced by authorization profiles. Similar to the authentication rules, authorization rules are processed from the top down. When the first condition is met, processing stops and the assigned permission dictates what authorization policy to use. The four conditions are:
1. Match the SSID: Airespace:Airespace-Wlan-Id Equals 7
2. Match Wireless client: Radius:Service-Type Equals Framed and Radius:NAS-Port-Type Equals Wireless - IEEE 802.11
3. Match external groups: AD2:ExternalGroups Equals cpwe-ra-cisco.local/Users/Industrial_Employee_Full
4. Network Access:EapTunnel Equals PEAP
Note
Based on your requirements, these can all be individual simple conditions, combined together in one compound condition, or a combination of both. The combination is shown here.

The following steps describe the configuration of authorization policies for wireless clients. The full AuthZ profile for wireless users is as follows:
Step 1 From ISE PAN node > Policy > Authorization, select how the rule applies from the drop-down menu: First Matched Rule Applies or Multiple Matched Rule Applies. The default is First Matched Rule Applies.
Step 2 Click Edit to insert the authorization rule below or above the existing rule.
Step 3 Enter the rule name in the Standard Rule box and click the If Any box in the Select Endpoint Identity Group > Whitelist drop-down menu.
Step 4 Click the And conditions box in the Select Existing condition from Library drop-down menu.
Step 5 Click the Select condition > compound condition > Wireless_Industrial_User_Full_Access drop-down menu.
Step 6 Similarly, click the gear icon and select Add Condition from Library > Select Condition > Simple Condition > Industrial_Employee_WLAN.
Step 7 Click Done to save the configuration (see Figure 3-24).

Figure 3-24 Wireless Authorization Policy Window
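The top-down, first-match processing described for the wireless authentication and authorization policies, as an added Python example (not Cisco ISE code): it models the Wireless_802.1X and Wireless_Industrial_User_Full_Access conditions, the per-SSID simple conditions, the Whitelist endpoint identity group and the allowed-protocol and identity-store rules of the previous section. The ACL_Trusted_Partner profile name, the MAC addresses and the session attribute values are assumptions made for the example.

```python
"""First-match model of the wireless authentication and authorization policies
on this page. Added example, not Cisco ISE code: session attributes are RADIUS
attribute/value pairs, simple and compound conditions compare them with Equals,
and rules are walked top down (First Matched Rule Applies). Names of conditions,
groups and the ACL_Full_Access profile come from the page; ACL_Trusted_Partner,
the MAC addresses and the session values are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Session = Dict[str, str]

@dataclass(frozen=True)
class Simple:
    """Simple condition: one attribute Equals one value."""
    attribute: str
    value: str

    def matches(self, s: Session) -> bool:
        return s.get(self.attribute) == self.value

@dataclass(frozen=True)
class Compound:
    """Compound condition: every member must match (AND)."""
    members: Tuple[Simple, ...]

    def matches(self, s: Session) -> bool:
        return all(m.matches(s) for m in self.members)

# ISE's Wireless_802.1X compound condition (condition 2 on the page)
WIRELESS_802_1X = Compound((Simple("Radius:Service-Type", "Framed"),
                            Simple("Radius:NAS-Port-Type", "Wireless - IEEE 802.11")))
# Per-SSID simple conditions; the WLAN IDs must match the WLC configuration
INDUSTRIAL_EMPLOYEE_WLAN = Simple("Airespace:Airespace-Wlan-Id", "7")
TRUSTED_PARTNER_WLAN = Simple("Airespace:Airespace-Wlan-Id", "4")
# Compound condition of Figure 3-21: wireless 802.1X, the AD group and the PEAP tunnel
WIRELESS_INDUSTRIAL_USER_FULL_ACCESS = Compound(WIRELESS_802_1X.members + (
    Simple("AD2:ExternalGroups", "cpwe-ra-cisco.local/Users/Industrial_Employee_Full"),
    Simple("Network Access:EapTunnel", "PEAP")))
ALLOWED_PROTOCOLS = ("EAP-TLS", "PEAP")
WHITELIST = {"00:50:56:aa:bb:01"}   # constructed Whitelist endpoint identity group

def authenticate(s: Session) -> Tuple[bool, str]:
    """IF Wireless_802.1X THEN allow EAP-TLS and PEAP and use All_Stores_Sequence,
    ELSE the default rule, Deny Access."""
    if not WIRELESS_802_1X.matches(s):
        return False, "DenyAccess"
    method = s.get("Network Access:EapTunnel") or s.get("Network Access:EapAuthentication")
    if method not in ALLOWED_PROTOCOLS:
        return False, f"{method} is not an allowed protocol"
    return True, "All_Stores_Sequence"

@dataclass(frozen=True)
class AuthzRule:
    name: str
    identity_group: Optional[str]     # "Whitelist", or None for Any
    conditions: Tuple[object, ...]    # ANDed with the identity group check
    profile: str                      # authorization profile (Airespace ACL name)

def in_identity_group(group: Optional[str], s: Session) -> bool:
    if group is None:
        return True
    mac = s.get("Radius:Calling-Station-ID", "").lower().replace("-", ":")
    return group == "Whitelist" and mac in WHITELIST

AUTHZ_RULES = (
    AuthzRule("Industrial_Employee_Full", "Whitelist",
              (WIRELESS_INDUSTRIAL_USER_FULL_ACCESS, INDUSTRIAL_EMPLOYEE_WLAN),
              "ACL_Full_Access"),
    AuthzRule("Trusted_Partner", "Whitelist",
              (WIRELESS_802_1X, TRUSTED_PARTNER_WLAN), "ACL_Trusted_Partner"),
)

def authorize(s: Session) -> str:
    """Authorization only follows a successful authentication; the first rule whose
    identity group and conditions all match wins, and the default rule denies."""
    if not authenticate(s)[0]:
        return "DenyAccess"
    for rule in AUTHZ_RULES:
        if in_identity_group(rule.identity_group, s) and all(
                c.matches(s) for c in rule.conditions):
            return rule.profile
    return "DenyAccess"

# Constructed session: a whitelisted laptop using PEAP on Industrial_Employee_WLAN
EMPLOYEE_SESSION: Session = {
    "Radius:Service-Type": "Framed",
    "Radius:NAS-Port-Type": "Wireless - IEEE 802.11",
    "Radius:Calling-Station-ID": "00-50-56-AA-BB-01",
    "Airespace:Airespace-Wlan-Id": "7",
    "AD2:ExternalGroups": "cpwe-ra-cisco.local/Users/Industrial_Employee_Full",
    "Network Access:EapTunnel": "PEAP",
}
```

Changing a single attribute (an unknown MAC, a different WLAN ID, a tunnel method outside the allowed protocols) moves the session to a later rule or to the default Deny Access, which is the behaviour to verify in the ISE live log after each policy change.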
Industrial WLC Configuration

This section describes how to configure the industrial WLC.
Note
To create the unified wireless infrastructure and associate APs in the Industrial Zone, refer to the Deploying 802.11 Wireless LAN Technology within a Converged Plantwide Ethernet Architecture Design and Implementation Guide at the following URL:
• http://www.cisco.com/c/en/us/td/docs/solutions/Verticals/CPwE/NovCVD/CPwE_WLAN_CVD.html
The following configuration steps are covered in this section:
• RADIUS Configuration
• Interface Configuration
• WLAN Configuration
• ACL Configuration
• Mobility Configuration
Note
CLI configuration for the WLC section is provided in References.
RADIUS Configuration

RADIUS is a client/server protocol that provides centralized security for users attempting to gain management access to a network. The Cisco ISE PSN node is used as the RADIUS server for user traffic. The following steps describe the RADIUS configuration on the industrial WLC (see Figure 3-25):
Step 1 From Security > RADIUS > Authentication, click New.
Step 2 Fill in the Server IP address and Shared Secret and then leave all others as default.
Step 3 Click Apply.
Step 4 Click Save Configuration.

Figure 3-25 WLC RADIUS Configuration
RADIUS Configuration using CLI

Add a RADIUS authentication server using the following command:
config radius auth add index server_ip_address port# {ascii | hex} shared_secret
Interface Configuration using GUI
The virtual interface IP address is used only in communications between the controller and wireless clients. The following steps describe the interface configuration on the industrial WLC (see Figure 3-26 through Figure 3-28):
Step 1 Choose Controller > Interfaces to open the Interfaces page.
Step 2 Click New.
Step 3 Enter the following parameters:
• Physical Information > Port number
• Interface Address > VLAN Identifier, IP address, Netmask, Gateway
• DHCP information > DHCP proxy mode > Disable
Step 4 Click Apply to commit your changes.
Figure 3-26 Industrial Employee Provisioning Interface Configuration
Figure 3-27 Corporate Employee Provisioning Interface Configuration
Figure 3-28 Trusted Partners Provisioning Interface Configuration
Interface Configuration using CLI
Add the interface configuration using the following commands:
config interface create operator_defined_interface_name {vlan_id | x}
config interface address operator_defined_interface_name ip_addr ip_netmask [gateway]
config interface vlan operator_defined_interface_name {vlan_id | 0}
config interface port operator_defined_interface_name physical_ds_port_number
config interface dhcp dynamic-interface operator_defined_interface_name proxy-mode disable
WLAN Configuration using GUI
The following steps describe the WLAN configuration on the industrial WLC (see Figure 3-29 through Figure 3-32):
Step 1 Choose WLANs to open the WLANs page.
Step 2 Create a new WLAN by choosing Create New from the drop-down list and then clicking Go. The WLANs > New page appears.
Step 3 From the Type drop-down list, choose WLAN to create a WLAN.
Step 4 Assign the Profile Name, SSID name and ID #. Use the parameters on the General, Security and Advanced tabs to configure this WLAN.
Step 5 Click Apply to commit your changes.
Step 6 Click Save Configuration to save your changes.
Figure 3-29 Industrial Employee WLAN Configuration General
Figure 3-30 Industrial Employee WLAN Configuration L2 Security
Figure 3-31 Industrial Employee WLAN Configuration AAA Servers
Figure 3-32 Industrial Employee WLAN Configuration Advanced
Note
The Corporate_Employee_WLAN and Trusted_Partners_WLAN SSIDs use the same configuration, with their respective interfaces selected.
WLAN Configuration using CLI
Add the WLAN configuration using the following commands:
config wlan create wlan_id {profile_name | foreign_ap} ssid
config wlan disable {wlan_id | foreign_ap | all}
config wlan security wpa wpa2 {enable | disable} wlan_id
config wlan security wpa wpa2 ciphers {aes | tkip} {enable | disable} wlan_id
config wlan radius_server auth {enable | disable} wlan_id
config wlan radius_server auth add wlan_id [/all]
config wlan aaa-override {enable | disable} wlan_id
config wlan nac radius {enable | disable} wlan_id
config wlan disable {wlan_id | foreign_ap | all}
ACL Configuration using GUI
Applying an ACL to the client is part of the AuthZ policy. These name-based ACLs are defined on the WLC and referenced by name in Cisco ISE; they are called Airespace ACLs. The following steps describe the ACL configuration on the industrial WLC:
Step 1 From Security > Access Control Lists > Access Control Lists, click New.
Step 2 Enter the Access Control List Name and keep the default IPv4.
Step 3 Click the ACL name you created and then click Add New Rule.
Step 4 Configure the following access lists:
a. Industrial Full Access: allow access to all devices on the plant floor:
– Sequence: 1 > Source: Any > Destination: Any > Protocol: Any > DSCP: Any > Direction: Any > Action: Permit. Then click Apply.
b. Industrial Partial Access: limit access to a particular cell area:
– Sequence: 1 > Source: Any > Destination: <Destination IP_Address> > Protocol: Any > DSCP: Any > Direction: Inbound > Action: Permit. Then click Apply.
– Sequence: 2 > Source: <Source IP_Address> > Destination: Any > Protocol: Any > DSCP: Any > Direction: Outbound > Action: Permit. Then click Apply.
– Sequence: 3 > Source: Any > Destination: Any > Protocol: Any > DSCP: Any > Direction: Any > Action: Deny. Then click Apply.
c. Industrial RAS-only Access: access only to the remote access server (RAS):
– Sequence: 1 > Source: Any > Destination: <Destination IP_Address> > Protocol: Any > DSCP: Any > Direction: Inbound > Action: Permit. Then click Apply.
– Sequence: 2 > Source: <Source IP_Address> > Destination: Any > Protocol: Any > DSCP: Any > Direction: Outbound > Action: Permit. Then click Apply.
– Sequence: 3 > Source: Any > Destination: Any > Protocol: Any > DSCP: Any > Direction: Any > Action: Deny. Then click Apply.
d. Corporate RAS only (via RDG) Access: access only to the remote desktop gateway (RDG):
– Sequence: 1 > Source: Any > Destination: <Destination IP_Address> > Protocol: tcp/https > DSCP: Any > Direction: Any > Action: Permit. Then click Apply.
– Sequence: 2 > Source: <Source IP_Address> > Destination: Any > Protocol: https > DSCP: Any > Direction: Any > Action: Permit. Then click Apply.
– Sequence: 3 > Source: Any > Destination: Any > Protocol: Any > DSCP: Any > Direction: Any > Action: Deny. Then click Apply.
Step 5 Click Apply.
Step 6 Click Save Configuration.
Note
Refer to Authorization Policy Configuration, page 3-17 for ACL details.
Figure 3-33 ACL_Partial_Access
ACL Configuration using CLI
Add the ACL configuration using the following commands:
config acl create
config acl rule add
config acl rule action permit
config acl rule destination address
config acl rule direction
Configure an IP deny rule at the end.
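As an added example that is not part of the Cisco guide, the following Python evaluator applies the first-match semantics of the name-based Airespace ACLs defined above (Full, Partial, RAS-only and Corporate RDG-only) to sample packets. The cell-area subnet, RAS host and client address are constructed sample values standing in for the guide's placeholders; the RDG address 10.1.2.3 is the one the guide uses in its firewall objects. It assumes the WLC convention that Inbound means traffic from the wireless client and Outbound means traffic toward the client.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed sample values standing in for the guide's <Source/Destination IP_Address> placeholders.
CELL_AREA = "10.17.10.0/24"   # the cell area a "Partial Access" user may reach
RAS_HOST = "10.13.48.20/32"   # remote access server (RAS)
RDG_HOST = "10.1.2.3/32"      # remote desktop gateway (RDG), as in the guide's firewall objects
CLIENT_IP = "10.13.181.55"    # a wireless client address (the one seen in the DHCP debug later on)


@dataclass(frozen=True)
class AclRule:
    seq: int
    src: str                 # "any" or a network/host in CIDR notation
    dst: str
    proto: str               # "any", "tcp", "udp", "icmp"
    sport: Optional[int]     # None means any source port
    dport: Optional[int]     # None means any destination port
    direction: str           # "any", "inbound" (from client) or "outbound" (to client)
    action: str              # "permit" or "deny"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    direction: str           # "inbound" or "outbound", as seen by the WLC


def _addr_match(rule_addr: str, addr: str) -> bool:
    return rule_addr == "any" or ip_address(addr) in ip_network(rule_addr, strict=False)


def rule_matches(rule: AclRule, pkt: Packet) -> bool:
    if rule.direction != "any" and rule.direction != pkt.direction:
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.sport is not None and rule.sport != pkt.sport:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return _addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)


def evaluate(acl: List[AclRule], pkt: Packet) -> str:
    """Return the action of the lowest-sequence rule that matches.

    Anything that falls off the end is denied; the guide still ends each
    restrictive ACL with an explicit deny so the intent is visible in the GUI.
    """
    for rule in sorted(acl, key=lambda r: r.seq):
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


def _deny_all(seq: int) -> AclRule:
    return AclRule(seq, "any", "any", "any", None, None, "any", "deny")


# The four ACLs from the procedure above, in the order they are described.
ACL_FULL_ACCESS = [AclRule(1, "any", "any", "any", None, None, "any", "permit")]

ACL_PARTIAL_ACCESS = [
    AclRule(1, "any", CELL_AREA, "any", None, None, "inbound", "permit"),
    AclRule(2, CELL_AREA, "any", "any", None, None, "outbound", "permit"),
    _deny_all(3),
]

ACL_RAS_ONLY = [
    AclRule(1, "any", RAS_HOST, "any", None, None, "inbound", "permit"),
    AclRule(2, RAS_HOST, "any", "any", None, None, "outbound", "permit"),
    _deny_all(3),
]

# "Protocol: https" on rule 2 is read as the RDG's source port 443 (return traffic to the client).
ACL_CORPORATE_RDG_ONLY = [
    AclRule(1, "any", RDG_HOST, "tcp", None, 443, "any", "permit"),
    AclRule(2, RDG_HOST, "any", "tcp", 443, None, "any", "permit"),
    _deny_all(3),
]


def client_to(dst: str, proto: str = "tcp", dport: int = 443) -> Packet:
    """A packet from the sample wireless client toward dst (inbound from the WLC's view)."""
    return Packet(CLIENT_IP, dst, proto, 51000, dport, "inbound")


if __name__ == "__main__":
    for name, acl in [("Full", ACL_FULL_ACCESS), ("Partial", ACL_PARTIAL_ACCESS),
                      ("RAS-only", ACL_RAS_ONLY), ("RDG-only", ACL_CORPORATE_RDG_ONLY)]:
        print(f"{name:9} cell-area={evaluate(acl, client_to('10.17.10.7'))} "
              f"rdg:443={evaluate(acl, client_to('10.1.2.3'))} rdg:3389={evaluate(acl, client_to('10.1.2.3', 'tcp', 3389))}")
```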
Mobility Configuration using GUI
With the auto-anchor mobility feature of Cisco wireless controllers, packets from the wireless client are encapsulated in a mobility tunnel between the internal wireless controller (known as the industrial WLC or foreign controller) and the trusted partner wireless controller (known as the anchor controller), where they are de-capsulated and delivered to the wired network.
Note
Use OLD mobility (EoIP tunnel) to anchor the trusted partner traffic.
The following steps describe the mobility configuration on the industrial WLC (see Figure 3-34 through Figure 3-36):
Step 1 From Controller > Mobility Management, click Default Mobility Domain Name. Give it the same name as that of the foreign controller.
Step 2 From Controller > Mobility Management > Mobility Groups, click New.
Step 3 Assign the IP address, MAC address and group name of the Anchor Controller's management interface.
Step 4 From WLAN > trusted_Partner_WLAN, hover your mouse on the down arrow and click Mobility Anchors.
Step 5 From Switch IP address (Anchor), select the Trusted_Partner WLC management IP from the drop-down menu.
Step 6 Click Mobility Anchor Create.
Step 7 Click OK when the warning "If the WLAN is in Enabled state, adding Mobility Anchors will cause the WLAN to be momentarily disabled and thus may result in loss of connectivity for some clients." displays.
Step 8 Press OK to continue.
Step 9 Repeat the same steps for the Corporate_employee WLAN.
Figure 3-34 Industrial WLC Mobility Configuration
Figure 3-35 Industrial WLC Mobility Anchors
Figure 3-36 Industrial WLC Mobility Anchors Configuration
Mobility Configuration using CLI
Add the mobility configuration using the following commands:
config mobility group domain domain_name
config mobility group member add mac_address ip_address
config {wlan | guest-lan} disable {wlan_id | guest_lan_id}
(Disable the WLAN or wired guest LAN for which you are configuring mobility anchors by entering this command.)
config mobility group anchor add {wlan | guest-lan} {wlan_id | guest_lan_id} anchor_controller_ip_address
config {wlan | guest-lan} enable {wlan_id | guest_lan_id}
Trusted Partner Anchor WLC Configuration
The CPwE architecture recommends the use of a controller dedicated to trusted partner wireless traffic. This controller is known as the trusted partner anchor controller. The anchor controller is usually located in an unsecured network area (that is, the Enterprise Zone/Enterprise External DMZ). The other internal WLAN controllers, from which the traffic originates, are located in the Industrial Zone. An EoIP tunnel is established between the internal WLAN controllers and the anchor controller in order to achieve path isolation of trusted partner traffic from Industrial data traffic/IACS device traffic. Path isolation is a critical security management feature for trusted partner access. It ensures that security policies can be kept separate, and differentiated, between trusted partner traffic and internal traffic. An important feature of the Cisco Unified Wireless Network architecture is the ability to use an EoIP tunnel to statically map one or more provisioned WLANs (that is, SSIDs) to a specific anchor controller within the network. All traffic, both to and from a mapped WLAN, traverses a static EoIP tunnel that is established between a remote controller and the anchor controller. One EoIP tunnel is configured between the trusted partner anchor controller and the industrial WLC; it supports access points with guest client associations. The following configuration steps are covered in this section:
• Interface Configuration
• WLAN Configuration
• ACL Configuration
• Mobility Configuration
Interface Configuration using GUI
Note
All controllers within a mobility group must be configured with a similar interface configuration and the same WLAN configuration. Otherwise, inter-controller roaming may appear to work, but the handoff does not complete and the client loses connectivity for a period of time.
The following steps describe the interface configuration on the trusted partner anchor WLC (see Figure 3-37):
Step 1 From Controller > Interfaces, open the Interfaces page and then click New.
Step 2 Enter the following parameters:
a. Physical Information > Port number
b. Interface Address > VLAN Identifier, IP address, Netmask, Gateway
c. DHCP information > DHCP proxy mode > Disable
Step 3 Click Apply to commit your changes.
Figure 3-37 Trusted Partners Provisioning Interface Configuration
Interface Configuration using CLI
For the interface configuration of the trusted partner anchor WLC, refer to Interface Configuration using CLI, page 3-28. The procedure remains the same.
WLAN Configuration using GUI
The following steps describe the WLAN configuration on the trusted partner anchor WLC (see Figure 3-38):
Step 1 Click WLANs to open the WLANs page.
Step 2 Create a new WLAN by choosing Create New from the drop-down list and then clicking Go. The WLANs > New page displays.
Step 3 From the Type drop-down list, choose WLAN to create a WLAN.
Step 4 Assign the Profile Name, SSID name and WLAN ID #.
Note
Make sure the WLAN ID # matches the one used for Trusted_Partners_WLAN on the Industrial WLC.
Step 5 Use the parameters on the General, Security and Advanced tabs to configure this WLAN:
a. General > Interface/Interface groups > Select Trusted_Partners_Provisioning > Radio Policy (Optional): All / 802.11 b/g only
b. Security > Layer 2 > Layer 2 security: WPA+WPA2
c. Security > AAA servers > Select the PSN node as the authentication server
d. Advanced > Allow AAA Override: Checked > NAC state: Radius NAC
Step 6 Click Apply to commit your changes.
Step 7 Click Save Configuration to save your changes.
Figure 3-38 Trusted Partners SSID Configuration
Note
The rest of the WLAN security and advanced configuration is the same as for the industrial WLC, so refer to WLAN Configuration using GUI, page 3-28 for these configurations.
WLAN Configuration using CLI
For the WLAN configuration of the trusted partner anchor WLC, refer to the WLAN configuration under the Industrial WLC Configuration section. The procedure remains the same.
Enterprise Edge Firewall ACL Configuration using GUI
Trusted partners can access devices only through the RAS via the RDG. Since the trusted partner WLC resides in the Enterprise External DMZ, the ACL is enforced on the enterprise edge firewall and not on the WLC. The ports needed to form the mobility tunnel must also be open (see Figure 3-39).
Figure 3-39 Enterprise Edge ACL (GUI)
Enterprise Edge Firewall ACL Configuration using CLI
Add the enterprise edge firewall ACL configuration using the following commands:
object network WLC-Trusted_PartnerGuest-Anchor
 host 10.1.4.77
 description WLC-Trusted_Partner-Anchor
object network WLC_Industrial
 host <Industrial WLC management IP_Address>
object service EOIP_IP_Protocol
 service 97
object service Mobility_Anchor
 service udp destination range 16666 16667
object network RDG
 host 10.1.2.3
object-group service DM_INLINE_SERVICE_2
 service-object icmp
 service-object object EOIP_IP_Protocol
 service-object object Mobility_Anchor
object-group service DM_INLINE_SERVICE_4
 service-object icmp
 service-object tcp destination eq https
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_2 object WLC-Guest-Anchor object WLC_Industrial
access-list DMZ1_access_in extended permit object-group DM_INLINE_SERVICE_4 any object RDG
Mobility Configuration using GUI
Note
Use the OLD mobility (EoIP tunnel) to anchor the trusted partner traffic.
The following steps describe the mobility configuration on the trusted partner anchor WLC (see Figure 3-40 through Figure 3-42):
Step 1 From Controller > Mobility Management, give Default Mobility Domain Name the same name as that of the Industrial WLC.
Step 2 From Controller > Mobility Management > Mobility Groups, click New.
Step 3 Assign the IP address, MAC address and group name of the Industrial WLC management interface.
Note
Make sure to open the mobility ports (UDP ports 16666 and 16667, and IP protocol 97) on the IDMZ and enterprise edge firewalls so that traffic can be anchored to the Anchor WLC.
Step 4 From WLAN > Trusted_Partners_WLAN, hover your mouse on the down arrow and click Mobility Anchors.
Step 5 Switch IP address (Anchor) > Local.
Step 6 Click Mobility Anchor Create.
Figure 3-40 Trusted Partner Anchor WLC Mobility Configuration
Figure 3-41 Trusted Partners Anchor WLC Mobility Anchors
Figure 3-42 Trusted Partners Anchor WLC Mobility Anchors Configuration
Mobility Configuration using CLI
For the mobility configuration of the trusted partner anchor WLC, refer to Mobility Configuration using CLI, page 3-33. The procedure remains the same.
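The following Python check, added here and not part of the guide, encodes the consistency requirements that the mobility procedures for the industrial WLC and the trusted partner anchor WLC rely on: the same Default Mobility Domain Name on both controllers, each controller listed in the other's mobility group, a matching WLAN ID and SSID for the anchored WLAN, the foreign side anchored to the anchor's management IP and the anchor side anchored to Local, and firewall rules that permit UDP 16666/16667 and IP protocol 97 in both directions between the two management interfaces. The anchor address 10.1.4.77 is the guide's; the industrial WLC address, MAC addresses, mobility domain name, WLAN ID and firewall rule list are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Control (16666) and data (16667) mobility messaging plus EoIP (IP protocol 97),
# as listed in the note above.
MOBILITY_SERVICES = [("udp", 16666), ("udp", 16667), ("ip", 97)]


@dataclass
class Wlc:
    name: str
    mgmt_ip: str
    mgmt_mac: str
    mobility_domain: str                    # Default Mobility Domain Name
    members: List[Tuple[str, str, str]]     # mobility group members: (MAC, IP, group name)
    wlans: Dict[int, str]                   # WLAN ID -> SSID
    anchors: Dict[int, str] = field(default_factory=dict)  # WLAN ID -> anchor IP or "local"


@dataclass(frozen=True)
class FwRule:
    src: str          # host address or "any"
    dst: str
    proto: str        # "udp", "tcp", "icmp" or "ip" (raw IP protocol)
    port: int = 0     # L4 port for udp/tcp
    proto_num: int = 0  # IP protocol number when proto == "ip"


def _fw_permits(rules: List[FwRule], src: str, dst: str, proto: str, value: int) -> bool:
    for r in rules:
        if r.src not in ("any", src) or r.dst not in ("any", dst):
            continue
        if proto == "ip" and r.proto == "ip" and r.proto_num == value:
            return True
        if proto != "ip" and r.proto == proto and r.port == value:
            return True
    return False


def check_anchoring(foreign: Wlc, anchor: Wlc, wlan_id: int, fw: List[FwRule]) -> List[str]:
    """Return findings for one anchored WLAN; an empty list means the pair is consistent."""
    findings: List[str] = []
    if foreign.mobility_domain != anchor.mobility_domain:
        findings.append(f"mobility domain mismatch: {foreign.mobility_domain!r} vs {anchor.mobility_domain!r}")
    for a, b in ((foreign, anchor), (anchor, foreign)):
        if (b.mgmt_mac, b.mgmt_ip, b.mobility_domain) not in a.members:
            findings.append(f"{a.name} does not list {b.name} ({b.mgmt_ip}) as a mobility group member")
    if wlan_id not in foreign.wlans or wlan_id not in anchor.wlans:
        findings.append(f"WLAN ID {wlan_id} is not defined on both controllers")
    elif foreign.wlans[wlan_id] != anchor.wlans[wlan_id]:
        findings.append(f"WLAN ID {wlan_id} carries different SSIDs on the two controllers")
    if foreign.anchors.get(wlan_id) != anchor.mgmt_ip:
        findings.append(f"{foreign.name} does not anchor WLAN {wlan_id} to {anchor.mgmt_ip}")
    if anchor.anchors.get(wlan_id) != "local":
        findings.append(f"{anchor.name} must anchor WLAN {wlan_id} to itself (Local)")
    for proto, value in MOBILITY_SERVICES:
        for src, dst in ((foreign.mgmt_ip, anchor.mgmt_ip), (anchor.mgmt_ip, foreign.mgmt_ip)):
            if not _fw_permits(fw, src, dst, proto, value):
                findings.append(f"firewall blocks {proto}/{value} from {src} to {dst}")
    return findings


# Sample data: the anchor IP is from the guide; everything else is constructed.
INDUSTRIAL_IP, ANCHOR_IP = "10.13.48.11", "10.1.4.77"
INDUSTRIAL_MAC, ANCHOR_MAC = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
DOMAIN, WLAN_ID, SSID = "CPwE", 3, "Trusted_Partners_WLAN"


def sample_pair() -> Tuple[Wlc, Wlc]:
    industrial = Wlc("Industrial WLC", INDUSTRIAL_IP, INDUSTRIAL_MAC, DOMAIN,
                     [(ANCHOR_MAC, ANCHOR_IP, DOMAIN)], {WLAN_ID: SSID}, {WLAN_ID: ANCHOR_IP})
    anchor = Wlc("Trusted Partner Anchor WLC", ANCHOR_IP, ANCHOR_MAC, DOMAIN,
                 [(INDUSTRIAL_MAC, INDUSTRIAL_IP, DOMAIN)], {WLAN_ID: SSID}, {WLAN_ID: "local"})
    return industrial, anchor


def sample_firewall(include_data_port: bool = True) -> List[FwRule]:
    """Edge/IDMZ rules between the two management IPs; optionally forget the data port."""
    rules: List[FwRule] = []
    for a, b in ((INDUSTRIAL_IP, ANCHOR_IP), (ANCHOR_IP, INDUSTRIAL_IP)):
        rules += [FwRule(a, b, "udp", 16666), FwRule(a, b, "ip", proto_num=97)]
        if include_data_port:
            rules.append(FwRule(a, b, "udp", 16667))
    return rules


if __name__ == "__main__":
    ind, anc = sample_pair()
    print("complete :", check_anchoring(ind, anc, WLAN_ID, sample_firewall()) or "OK")
    print("no 16667 :", check_anchoring(ind, anc, WLAN_ID, sample_firewall(False)))
```

With the data port missing the check reports two findings, one per direction, which is the "control path up, data path down" state the mobility tunnel status page would show.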
Corporate Anchor WLC Configuration
This section describes how to configure the corporate anchor WLC. The following configuration steps are covered in this section:
• Interface Configuration
• WLAN Configuration
• ACL Configuration
• Mobility Configuration
Interface Configuration using GUI
Note
All controllers within a mobility group must be configured with a similar interface configuration and the same WLAN configuration. Otherwise, inter-controller roaming may appear to work, but the handoff does not complete and the client loses connectivity for a period of time.
The following steps describe the interface configuration on the corporate anchor WLC (see Figure 3-43):
Step 1 From Controller > Interfaces, open the Interfaces page, and then click New.
Step 2 Enter the following parameters:
a. Physical Information > Port number
b. Interface Address > VLAN Identifier, IP address, Netmask, Gateway
c. DHCP information > DHCP proxy mode > Disable
Step 3 Click Apply to commit your changes.
Figure 3-43 Corporate Employee Provisioning Interface Configuration
Interface Configuration using CLI
For the interface configuration of the corporate anchor WLC, refer to Interface Configuration using CLI, page 3-28. The procedure remains the same.
WLAN Configuration using GUI
Refer to WLAN Configuration using GUI, page 3-34 for these configuration steps (see Figure 3-44):
Step 1 Click WLANs to open the WLANs page.
Step 2 Create a new WLAN by clicking Create New and then clicking Go. The WLANs > New page displays.
Step 3 From the Type drop-down list, click WLAN to create a WLAN.
Step 4 Assign the Profile Name, SSID name and WLAN ID #.
Note
Make sure the WLAN ID # matches the one used for Corporate_Employee_WLAN on the Industrial WLC.
Step 5 Use the parameters on the General, Security and Advanced tabs to configure this WLAN:
a. General > Interface/Interface groups > Select Corporate_Employee_Provisioning > Radio Policy (Optional): All / 802.11 b/g only
b. Security > Layer 2 > Layer 2 security: WPA+WPA2
c. Security > AAA servers > Select the PSN node as the authentication server
d. Advanced > Allow AAA Override: Checked > NAC state: Radius NAC
Step 6 Click Apply to commit your changes.
Step 7 Click Save Configuration to save your changes.
Figure 3-44 Corporate Employee SSID Configuration
WLAN Configuration using CLI
For the WLAN configuration of the corporate anchor WLC, refer to WLAN Configuration using CLI, page 3-30. The procedure remains the same.
ACL Configuration using GUI
The following steps describe the ACL configuration on the corporate anchor WLC (see Figure 3-45):
Step 1 From Security > Access Control Lists > Access Control Lists, click New.
Step 2 Configure the following access list:
a. Corporate RDG-only Access: to the RAS via the remote desktop gateway:
– Sequence: 1 > Source: Any > Destination: <Destination IP_Address> > Protocol: tcp/https > DSCP: Any > Direction: Any > Action: Permit. Then click Apply.
– Sequence: 2 > Source: <Source IP_Address> > Destination: Any > Protocol: https > DSCP: Any > Direction: Any > Action: Permit. Then click Apply.
– Sequence: 3 > Source: Any > Destination: Any > Protocol: Any > DSCP: Any > Direction: Any > Action: Deny. Then click Apply.
Figure 3-45 Corporate Employee ACL Configuration
ACL Configuration using CLI
For the ACL configuration of the corporate anchor WLC, refer to ACL Configuration using CLI, page 3-31. The procedure remains the same.
Mobility Configuration using GUI
Note
Use the OLD mobility (EoIP tunnel) to anchor the trusted partner traffic.
The following steps describe the mobility configuration on the corporate anchor WLC (see Figure 3-46 through Figure 3-48):
Step 1 From Controller > Mobility Management, give Default Mobility Domain Name the same name as that of the Industrial WLC.
Step 2 From Controller > Mobility Management > Mobility Groups, click New.
Step 3 Assign the IP address, MAC address and group name of the Industrial WLC management interface.
Step 4 From WLAN > Corporate_Employee_WLAN, hover your mouse on the down arrow and then click Mobility Anchors.
Step 5 Switch IP address (Anchor) > Local.
Step 6 Click Mobility Anchor Create.
Note
Both the Control and Data Path should be up once the mobility tunnel is created.
Figure 3-46 Corporate Employee Anchor WLC Mobility Anchors
Figure 3-47 Corporate Employee Anchor WLC Mobility Anchors Configuration
Figure 3-48 Corporate Employee Anchor WLC Mobility Anchors Control and Data Path
Mobility Configuration using CLI
For the mobility configuration of the corporate anchor WLC, refer to Mobility Configuration using CLI, page 3-33. The procedure remains the same.
Chapter 4 Troubleshooting Tips
This chapter includes the following major topics:
• Cisco ISE Troubleshooting Tips, page 4-1
• WLC Troubleshooting Tips, page 4-6
Cisco ISE Troubleshooting Tips
The following section provides high-level troubleshooting information to assist in identifying and resolving problems you may encounter when you use the Cisco Identity Services Engine (ISE). For more troubleshooting tips, review Monitoring and Troubleshooting at the following URL:
• http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_011001.html
Cisco ISE Processes Check
To check whether Cisco ISE is working when the web pages do not load, log into the CLI and run the following command to check the status of all Cisco ISE processes, running and disabled:
ISE# show application status ise

ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
Database Listener                      running          13373
Database Server                        running          44 PROCESSES
Application Server                     running          16208
Profiler Database                      running          14334
AD Connector                           running          16616
M&T Session Database                   running          14248
M&T Log Collector                      running          16314
M&T Log Processor                      running          3521
Certificate Authority Service          disabled
pxGrid Infrastructure Service          running          31179
pxGrid Publisher Subscriber Service    running          31420
pxGrid Connection Manager              running          31388
pxGrid Controller                      running          31280
Identity Mapping Service               running          30937
Test Users for Active Directory Authentication
Test authentication is useful to troubleshoot authentication and authorization issues for end users. You can use the Test User feature to test Active Directory authentications. The test returns the results along with group and attribute details (authorization information) that can be viewed on the Admin Portal. Follow these steps to test users:
Step 1 From Administration > Identity Management > External Identity Stores > Active Directory > AD2 > Connection, select the Cisco ISE node you want to test.
Step 2 Click the user and then click Test User.
Step 3 Enter the credentials and click Test (see Figure 4-49).
Figure 4-49 AD Test User Tool
AD Diagnostic Tool
The Diagnostic Tool allows you to automatically test and diagnose the Active Directory deployment for general connectivity issues. This tool provides information on:
• The Cisco ISE node on which the test is run
• Connectivity to the Active Directory
• Detailed status about the domain
• Detailed status about Cisco ISE-DNS server connectivity
Follow these steps to run a diagnostic report using the Diagnostic Tool:
Step 1 From Administration > Identity Management > External Identity Stores > Active Directory > AD2 > Connection, select the Cisco ISE node on which you want to run the test.
Step 2 Click Diagnostic Tool > Run All Tests (see Figure 4-50).
Figure 4-50 AD Diagnostic Tool
Authentication Errors
One of the most useful ways to troubleshoot any error is to check events on Cisco ISE. Follow these steps to check the GUI report of any user authentication/authorization:
Step 1 From Operations > Authentications, click the magnifying glass.
Step 2 Check for any errors (see Figure 4-51).
Figure 4-51 Cisco ISE Certificate Error
• Reason—If the end client does not have the root CA in its Trusted Root CA store, it will not trust Cisco ISE during the authentication process and thus will not be able to join the SSID.
• Solution—Add the root CA certificate to the client's Trusted Root CA certificate store as part of the user account and retry authenticating the device.
Successful Authentication/Authorization Steps Output
From Operations > Authentications, click the magnifying glass. The following is the output of a successful authentication:
Received RADIUS Access-Request
RADIUS created a new session
Evaluating Policy Group
Evaluating Service Selection Policy
Queried PIP - Network Access.NetworkDeviceName
Queried PIP - Radius.Service-Type
Queried PIP - Radius.NAS-Port-Type
Matched rule - Wireless dot1x AuthC
Extracted EAP-Response/Identity
Prepared EAP-Request proposing EAP-TLS with challenge
Returned RADIUS Access-Challenge
Received RADIUS Access-Request
RADIUS is re-using an existing session
Extracted EAP-Response/NAK requesting to use PEAP instead
Prepared EAP-Request proposing PEAP with challenge
Returned RADIUS Access-Challenge
Received RADIUS Access-Request
RADIUS is re-using an existing session
Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
Successfully negotiated PEAP version 0
Extracted first TLS record; TLS handshake started
Extracted TLS ClientHello message
Prepared TLS ServerHello message
Prepared TLS Certificate message
Prepared TLS ServerDone message
Prepared EAP-Request with another PEAP challenge
Returned RADIUS Access-Challenge
Received RADIUS Access-Request
RADIUS is re-using an existing session
Extracted EAP-Response containing PEAP challenge-response
Prepared EAP-Request with another PEAP challenge
Returned RADIUS Access-Challenge
Received RADIUS Access-Request
RADIUS is re-using an existing session
Extracted EAP-Response containing PEAP challenge-response
Prepared EAP-Request with another PEAP challenge
Returned RADIUS Access-Challenge
Received RADIUS Access-Request
RADIUS is re-using an existing session
Extracted EAP-Response containing PEAP challenge-response
Prepared EAP-Request with another PEAP challenge
Returned RADIUS Access-Challenge
Received RADIUS Access-Request
RADIUS is re-using an existing session
Extracted EAP-Response containing PEAP challenge-response
Successfully negotiated PEAP version 0
Extracted TLS ClientKeyExchange message
Extracted TLS Finished message
Prepared TLS ChangeCipherSpec message
Prepared TLS Finished message
TLS handshake succeeded
PEAP full handshake finished successfully
Prepared EAP-Request with another PEAP challenge
Returned RADIUS Access-Challenge
Received RADIUS Access-Request
RADIUS is re-using an existing session
Extracted EAP-Response containing PEAP challenge-response
PEAP inner method started
Prepared EAP-Request/Identity for inner EAP method
Prepared EAP-Request with another PEAP challenge
Returned RADIUS Access-Challenge
Received RADIUS Access-Request
RADIUS is re-using an existing session
Extracted EAP-Response containing PEAP challenge-response
Extracted EAP-Response/Identity for inner EAP method
Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
Prepared EAP-Request with another PEAP challenge
Returned RADIUS Access-Challenge
Received RADIUS Access-Request
RADIUS is re-using an existing session
Extracted EAP-Response containing PEAP challenge-response
Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
Evaluating Identity Policy
Queried PIP - Network Access.EapAuthentication
Queried PIP - Network Access.EapTunnel
Matched rule - User_Authentication
Selected identity source sequence - All_Stores_Sequence
Selected Identity Source - AD2
Authenticating user against Active Directory - AD2
Resolving identity - richa_guest_ras
Search for matching accounts at join point - cpwe-ra-cisco.local
Single matching account found in forest - cpwe-ra-cisco.local
Identity resolution detected single matching account
RPC Logon request succeeded - [email protected]
User authentication against Active Directory succeeded - AD2
Authentication Passed
EAP-MSCHAP authentication attempt passed
Prepared EAP-Request with another PEAP challenge
Returned RADIUS Access-Challenge
Received RADIUS Access-Request
RADIUS is re-using an existing session
Extracted EAP-Response containing PEAP challenge-response
Extracted EAP-Response for inner method containing MSCHAP challenge-response
Inner EAP-MSCHAP authentication succeeded
Prepared EAP-Success for inner EAP method
PEAP inner method finished successfully
Prepared EAP-Request with another PEAP challenge
Returned RADIUS Access-Challenge
Received RADIUS Access-Request
RADIUS is re-using an existing session
Extracted EAP-Response containing PEAP challenge-response
ISE has not been able to confirm previous successful machine authentication
Evaluating Authorization Policy
Queried PIP - Session.EPSStatus
Queried PIP - Radius.Service-Type
Queried PIP - Radius.NAS-Port-Type
Looking up user in Active Directory - AD2
LDAP fetch succeeded - cpwe-ra-cisco.local
User's Groups retrieval from Active Directory succeeded - AD2
Queried PIP - AD2.ExternalGroups
Queried PIP - Airespace.Airespace-Wlan-Id
Matched rule - Dot1x_wireless - Trusted Partner RAS Only_copy
Selected Authorization Profile - Wireless_Trusted_Partner_RAS_Only_Authz_Profile
PEAP authentication succeeded
Prepared EAP-Success
Returned RADIUS Access-Accept
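When reading step lists like the one above, an operator usually wants a handful of facts first: which rule matched in each policy phase, which identity store answered, which outer and inner EAP methods were negotiated, which authorization profile was selected, and whether any step changed the result silently (here, ISE could not confirm a prior machine authentication, so a rule conditioned on it could not match). The following Python summarizer, added here and not part of the guide, extracts those facts from a constructed excerpt of the steps shown above; the rejected-authentication sample is constructed with wording modelled on those lines, not captured from ISE.

```python
import re
from typing import Dict, List

# Constructed excerpt of the successful-authentication steps shown above
# (a subset of the guide's lines, in their original order).
SAMPLE_STEPS = [
    "Received RADIUS Access-Request",
    "RADIUS created a new session",
    "Evaluating Service Selection Policy",
    "Matched rule - Wireless dot1x AuthC",
    "Extracted EAP-Response/NAK requesting to use PEAP instead",
    "Successfully negotiated PEAP version 0",
    "TLS handshake succeeded",
    "Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner "
    "method and accepting EAP-MSCHAP as negotiated",
    "Evaluating Identity Policy",
    "Matched rule - User_Authentication",
    "Selected Identity Source - AD2",
    "User authentication against Active Directory succeeded - AD2",
    "Authentication Passed",
    "ISE has not been able to confirm previous successful machine authentication",
    "Evaluating Authorization Policy",
    "Matched rule - Dot1x_wireless - Trusted Partner RAS Only_copy",
    "Selected Authorization Profile - Wireless_Trusted_Partner_RAS_Only_Authz_Profile",
    "Returned RADIUS Access-Accept",
]

# Constructed rejected-authentication excerpt (wording modelled on the lines above).
SAMPLE_REJECT = [
    "Received RADIUS Access-Request",
    "Matched rule - Wireless dot1x AuthC",
    "Evaluating Identity Policy",
    "Selected Identity Source - AD2",
    "User authentication against Active Directory failed - AD2",
    "Authentication Failed",
    "Returned RADIUS Access-Reject",
]

# Step lines that open each policy phase; "Matched rule" lines are attributed to the current phase.
_PHASES = {
    "Evaluating Service Selection Policy": "authc",
    "Evaluating Identity Policy": "identity",
    "Evaluating Authorization Policy": "authz",
}
_OUTER = re.compile(r"^Successfully negotiated (\S+)")
_INNER = re.compile(r"for inner method and accepting (\S+) as negotiated")
# Conditions that do not fail the session but change which AuthZ rules can match.
_WARN = ("has not been able to confirm",)


def summarize(steps: List[str]) -> Dict[str, object]:
    """Reduce an ISE authentication step list to the facts an operator checks first."""
    out: Dict[str, object] = {
        "outcome": "incomplete", "outer_method": None, "inner_method": None,
        "identity_source": None, "authz_profile": None, "rules": {},
        "warnings": [], "failure": None,
    }
    phase = "authc"
    for line in steps:
        phase = _PHASES.get(line, phase)
        if line.startswith("Matched rule - "):
            out["rules"][phase] = line.split(" - ", 1)[1]
        elif line.startswith("Selected Identity Source - "):
            out["identity_source"] = line.split(" - ", 1)[1]
        elif line.startswith("Selected Authorization Profile - "):
            out["authz_profile"] = line.split(" - ", 1)[1]
        elif line == "Returned RADIUS Access-Accept":
            out["outcome"] = "accept"
        elif line == "Returned RADIUS Access-Reject":
            out["outcome"] = "reject"
        m = _OUTER.match(line)
        if m:
            out["outer_method"] = m.group(1)
        m = _INNER.search(line)
        if m:
            out["inner_method"] = m.group(1)
        if any(w in line for w in _WARN):
            out["warnings"].append(line)
        if out["failure"] is None and (" failed" in line or line.endswith("Failed")):
            out["failure"] = line   # first failing step is the one to chase
    return out


if __name__ == "__main__":
    for label, steps in (("accept", SAMPLE_STEPS), ("reject", SAMPLE_REJECT)):
        print(label, summarize(steps))
```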
Diagnostic Tools/TCP Dump
Step 1 Use the tcpdump command in the NAD CLI, or from the Administration portal at Operations > Troubleshoot > Diagnostic Tools > General Tools > TCP Dump, to verify whether the machine is receiving and forwarding traffic as required for your network.
Step 2 If the TCP dump operation indicates that Cisco ISE or the NAD is working as configured, verify the other adjacent network components.
WLC Troubleshooting Tips
The following section provides high-level troubleshooting information to assist in identifying and resolving problems you may encounter when you use the Wireless LAN Controller (WLC). For more troubleshooting tips, check the Cisco Wireless LAN Controller System Message Guide at the following URL:
• http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/message/guide/sysmsg80.html
Mobility (EoIP) Tunnel Status
Check whether the mobility tunnel is up via the GUI. From WLC > Controller > Mobility Management > Mobility Groups, check the status of the group members, as shown in Figure 4-52.
Figure 4-52 Status of the Group Members
If the status is not up, follow these troubleshooting steps:
Step 1 Check whether the group member information is correct and whether a firewall is blocking any of the control/data ports.
Step 2 To test the mobility UDP control packet communication between two controllers, enter this command:
mping <mobility_peer_IP_address>
Step 3 To test the mobility EoIP data packet communication between two controllers, enter this command:
eping <mobility_peer_IP_address>
DHCP-Related Issue
The client is either unable to get an IP address or is delayed in getting one through DHCP. The debug dhcp output on the controller shows the DHCP server rejecting the client's request with a NAK:
(Cisco Controller) >debug dhcp packet enable
*DHCP Socket Task: May 27 12:28:34.566: [PA] 20:7c:8f:46:83:84 DHCP processing DHCP NAK (6)
Solution: Activate the DHCP scope for that subnet on the DHCP server. A NAK is also returned when the client asks for an address from a different subnet than the one it is now on (for example, a lease it held before roaming to a WLAN mapped to another VLAN); compare the requested ip in the debug output with the scope of the VLAN the client's interface is mapped to before changing the server.
Caution
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems. Moreover, use debug commands only during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Successful DHCP Process
Following is the debug output of a successful DHCP process:
(Cisco Controller) >debug dhcp packet enable
(Cisco Controller) >
*DHCP Socket Task: May 27 12:27:46.533: [PA] 20:7c:8f:46:83:84 DHCP received op BOOTREQUEST (1) (len 332,vlan 150, port 1, encap 0xec03, xid 0x3a26069b)
*DHCP Socket Task: May 27 12:27:46.533: [PA] 20:7c:8f:46:83:84 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
*DHCP Socket Task: May 27 12:27:46.533: [PA] 20:7c:8f:46:83:84 DHCP processing DHCP REQUEST (3)
*DHCP Socket Task: May 27 12:27:46.533: [PA] 20:7c:8f:46:83:84 DHCP op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: May 27 12:27:46.533: [PA] 20:7c:8f:46:83:84 DHCP xid: 0x3a26069b (975570587), secs: 0, flags: 0
*DHCP Socket Task: May 27 12:27:46.533: [PA] 20:7c:8f:46:83:84 DHCP chaddr: 20:7c:8f:46:83:84
*DHCP Socket Task: May 27 12:27:46.533: [PA] 20:7c:8f:46:83:84 DHCP ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
*DHCP Socket Task: May 27 12:27:46.533: [PA] 20:7c:8f:46:83:84 DHCP siaddr: 0.0.0.0, giaddr: 0.0.0.0
*DHCP Socket Task: May 27 12:27:46.533: [PA] 20:7c:8f:46:83:84 DHCP requested ip: 10.13.181.55
*DHCP Socket Task: May 27 12:27:46.533: [PA] 20:7c:8f:46:83:84 DHCP Opt82 bridge mode insertion enabled, inserts opt82 if opt82 is enabled vlan=181, datalen =18, optlen=88
*DHCP Socket Task: May 27 12:27:46.533: [PA] 20:7c:8f:46:83:84 DHCP successfully bridged packet to DS
*DHCP Socket Task: May 27 12:27:46.538: [PA] 20:7c:8f:46:83:84 DHCP received op BOOTREPLY (2) (len 316,vlan 181, port 1, encap 0xec00, xid 0x3a26069b)
*DHCP Socket Task: May 27 12:27:46.538: [PA] 20:7c:8f:46:83:84 DHCP processing DHCP ACK (5)
*DHCP Socket Task: May 27 12:27:46.538: [PA] 20:7c:8f:46:83:84 DHCP op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: May 27 12:27:46.538: [PA] 20:7c:8f:46:83:84 DHCP xid: 0x3a26069b (975570587), secs: 0, flags: 0
*DHCP Socket Task: May 27 12:27:46.538: [PA] 20:7c:8f:46:83:84 DHCP chaddr: 20:7c:8f:46:83:84
*DHCP Socket Task: May 27 12:27:46.538: [PA] 20:7c:8f:46:83:84 DHCP ciaddr: 0.0.0.0, yiaddr: 10.13.181.55
*DHCP Socket Task: May 27 12:27:46.538: [PA] 20:7c:8f:46:83:84 DHCP siaddr: 0.0.0.0, giaddr: 10.13.181.1
*DHCP Socket Task: May 27 12:27:46.538: [PA] 20:7c:8f:46:83:84 DHCP server id: 10.13.48.26 rcvd server id: 10.13.48.26
*DHCP Socket Task: May 27 12:27:46.539: [PA] 20:7c:8f:46:83:84 DHCP successfully bridged packet to STA
*DHCP Socket Task: May 27 12:27:50.075: [PA] 20:7c:8f:46:83:84 DHCP received op BOOTREQUEST (1) (len 308,vlan 150, port 1, encap 0xec03, xid 0x71ed59a1)
*DHCP Socket Task: May 27 12:27:50.075: [PA] 20:7c:8f:46:83:84 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
*DHCP Socket Task: May 27 12:27:50.075: [PA] 20:7c:8f:46:83:84 DHCP processing DHCP INFORM (8)
*DHCP Socket Task: May 27 12:27:50.075: [PA] 20:7c:8f:46:83:84 DHCP op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: May 27 12:27:50.075: [PA] 20:7c:8f:46:83:84 DHCP xid: 0x71ed59a1 (1911380385), secs: 0, flags: 0
*DHCP Socket Task: May 27 12:27:50.075: [PA] 20:7c:8f:46:83:84 DHCP chaddr: 20:7c:8f:46:83:84
*DHCP Socket Task: May 27 12:27:50.075: [PA] 20:7c:8f:46:83:84 DHCP ciaddr: 10.13.181.55, yiaddr: 0.0.0.0
*DHCP Socket Task: May 27 12:27:50.075: [PA] 20:7c:8f:46:83:84 DHCP siaddr: 0.0.0.0, giaddr: 0.0.0.0
*DHCP Socket Task: May 27 12:27:50.075: [PA] 20:7c:8f:46:83:84 DHCP Opt82 bridge mode insertion enabled, inserts opt82 if opt82 is enabled vlan=181, datalen =18, optlen=64
*DHCP Socket Task: May 27 12:27:50.075: [PA] 20:7c:8f:46:83:84 DHCP successfully bridged packet to DS
*DHCP Socket Task: May 27 12:27:50.096: [PA] 20:7c:8f:46:83:84 DHCP received op BOOTREPLY (2) (len 308,vlan 181, port 1, encap 0xec00, xid 0x71ed59a1)
*DHCP Socket Task: May 27 12:27:50.096: [PA] 20:7c:8f:46:83:84 DHCP processing DHCP ACK (5)
*DHCP Socket Task: May 27 12:27:50.096: [PA] 20:7c:8f:46:83:84 DHCP op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: May 27 12:27:50.096: [PA] 20:7c:8f:46:83:84 DHCP xid: 0x71ed59a1 (1911380385), secs: 0, flags: 0
*DHCP Socket Task: May 27 12:27:50.096: [PA] 20:7c:8f:46:83:84 DHCP chaddr: 20:7c:8f:46:83:84
*DHCP Socket Task: May 27 12:27:50.096: [PA] 20:7c:8f:46:83:84 DHCP ciaddr: 10.13.181.55, yiaddr: 0.0.0.0
*DHCP Socket Task: May 27 12:27:50.096: [PA] 20:7c:8f:46:83:84 DHCP siaddr: 0.0.0.0, giaddr: 10.13.181.1
*DHCP Socket Task: May 27 12:27:50.097: [PA] 20:7c:8f:46:83:84 DHCP server id: 10.13.48.26 rcvd server id: 10.13.48.26
*DHCP Socket Task: May 27 12:27:50.097: [PA] 20:7c:8f:46:83:84 DHCP successfully bridged packet to STA
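In a long debug capture the NAK case and the successful REQUEST/ACK and INFORM/ACK exchanges above are easy to miss. As an added example (not part of this guide and not a Cisco tool), the following Python script parses debug dhcp packet enable output, groups the lines per client MAC and transaction id (xid), and gives each exchange a verdict: a lease, an answered INFORM, a NAK, or a request that the controller bridged to the distribution system (DS) but that never got a reply. The sample lines are constructed in the controller's line format using the addresses from the output above; the second client MAC and the last two xids are made up.

```python
"""Summarise Cisco WLC `debug dhcp packet enable` output per DHCP transaction.
Added example for this guide, not Cisco code.  SAMPLE is constructed data."""
import re
from collections import OrderedDict

LINE_RE = re.compile(r"\*DHCP Socket Task: \S+ \d+ [\d:.]+: \[PA\] "
                     r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) DHCP (?P<msg>.*)$")
OP_RE = re.compile(r"received op BOOT\w+ \(\d\) \(.*?xid (?P<xid>0x[0-9a-f]+)\)")
TYPE_RE = re.compile(r"processing DHCP (?P<type>[A-Z]+) \(\d\)")
FIELD_RES = {"yiaddr": re.compile(r"yiaddr: (?P<ip>[\d.]+)"),
             "ciaddr": re.compile(r"ciaddr: (?P<ip>[\d.]+)"),
             "requested": re.compile(r"requested ip: (?P<ip>[\d.]+)"),
             "server": re.compile(r"^server id: (?P<ip>[\d.]+)")}


def parse_dhcp_debug(text):
    """Return a list of transaction dicts keyed by (client MAC, xid), in first-seen order."""
    txns = OrderedDict()
    current = {}                       # mac -> xid of the packet currently being processed
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        mac, msg = m.group("mac"), m.group("msg")
        op = OP_RE.search(msg)
        if op:                         # "received op ..." opens a packet and carries its xid
            current[mac] = op.group("xid")
        xid = current.get(mac, "unknown")
        t = txns.setdefault((mac, xid), {"mac": mac, "xid": xid, "types": [], "yiaddr": None,
                                         "ciaddr": None, "requested": None, "server": None,
                                         "to_ds": False, "to_sta": False})
        ty = TYPE_RE.search(msg)
        if ty:
            t["types"].append(ty.group("type"))
        for key, rx in FIELD_RES.items():
            hit = rx.search(msg)
            if hit and hit.group("ip") != "0.0.0.0":   # 0.0.0.0 means "not set" in the packet
                t[key] = hit.group("ip")
        t["to_ds"] |= "bridged packet to DS" in msg      # request went toward the wired side
        t["to_sta"] |= "bridged packet to STA" in msg    # reply went back to the client
    return list(txns.values())


def diagnose(t):
    """One-line verdict for a transaction, mirroring the cases shown in this chapter."""
    if "NAK" in t["types"]:
        return (f"NAK: server refused {t['requested'] or 'the requested address'}; "
                "check that the scope for the client's subnet exists and is active")
    if "ACK" in t["types"] and t["yiaddr"]:
        return f"OK: leased {t['yiaddr']} from {t['server']}"
    if "ACK" in t["types"] and "INFORM" in t["types"]:
        return f"OK: INFORM for {t['ciaddr']} answered by {t['server']}"
    if t["to_ds"] and not t["to_sta"]:
        return "NO REPLY: request bridged to the DS but no server reply reached the client"
    return "INCOMPLETE: " + "/".join(t["types"])


def summarize(text):
    return [f"{t['mac']} {t['xid']}: {diagnose(t)}" for t in parse_dhcp_debug(text)]


def _l(ts, mac, msg):   # one debug line in the controller's format (constructed sample data)
    return f"*DHCP Socket Task: May 27 {ts}: [PA] {mac} DHCP {msg}"


C1, C2 = "20:7c:8f:46:83:84", "00:11:22:33:44:55"
SAMPLE = "\n".join([
    _l("12:27:46.533", C1, "received op BOOTREQUEST (1) (len 332,vlan 150, port 1, encap 0xec03, xid 0x3a26069b)"),
    _l("12:27:46.533", C1, "processing DHCP REQUEST (3)"),
    _l("12:27:46.533", C1, "requested ip: 10.13.181.55"),
    _l("12:27:46.533", C1, "successfully bridged packet to DS"),
    _l("12:27:46.538", C1, "received op BOOTREPLY (2) (len 316,vlan 181, port 1, encap 0xec00, xid 0x3a26069b)"),
    _l("12:27:46.538", C1, "processing DHCP ACK (5)"),
    _l("12:27:46.538", C1, "ciaddr: 0.0.0.0, yiaddr: 10.13.181.55"),
    _l("12:27:46.538", C1, "server id: 10.13.48.26 rcvd server id: 10.13.48.26"),
    _l("12:27:46.539", C1, "successfully bridged packet to STA"),
    _l("12:27:50.075", C1, "received op BOOTREQUEST (1) (len 308,vlan 150, port 1, encap 0xec03, xid 0x71ed59a1)"),
    _l("12:27:50.075", C1, "processing DHCP INFORM (8)"),
    _l("12:27:50.075", C1, "ciaddr: 10.13.181.55, yiaddr: 0.0.0.0"),
    _l("12:27:50.075", C1, "successfully bridged packet to DS"),
    _l("12:27:50.096", C1, "received op BOOTREPLY (2) (len 308,vlan 181, port 1, encap 0xec00, xid 0x71ed59a1)"),
    _l("12:27:50.096", C1, "processing DHCP ACK (5)"),
    _l("12:27:50.097", C1, "server id: 10.13.48.26 rcvd server id: 10.13.48.26"),
    _l("12:27:50.097", C1, "successfully bridged packet to STA"),
    _l("12:28:34.560", C1, "received op BOOTREQUEST (1) (len 332,vlan 150, port 1, encap 0xec03, xid 0x5c11aa07)"),
    _l("12:28:34.560", C1, "processing DHCP REQUEST (3)"),
    _l("12:28:34.560", C1, "requested ip: 10.13.181.55"),
    _l("12:28:34.566", C1, "received op BOOTREPLY (2) (len 300,vlan 181, port 1, encap 0xec00, xid 0x5c11aa07)"),
    _l("12:28:34.566", C1, "processing DHCP NAK (6)"),
    _l("12:29:01.100", C2, "received op BOOTREQUEST (1) (len 300,vlan 150, port 1, encap 0xec03, xid 0x0badcafe)"),
    _l("12:29:01.100", C2, "processing DHCP DISCOVER (1)"),
    _l("12:29:01.100", C2, "successfully bridged packet to DS"),
])

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE)))
```

Feed summarize() the text saved from the controller session. A NO REPLY verdict with the request already bridged to the DS points at the wired side (DHCP relay on the VLAN interface, the scope, or a firewall between the controller and the server) rather than at the WLAN; a NAK points at the scope or at a stale address the client is asking for.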
Debug Client
Use debug client to troubleshoot client association and authentication-related issues. The command takes the client's MAC address so that only that client's events are logged, which keeps the debug overhead described in the Caution above to a minimum:
(Cisco Controller) >debug client <client_mac_address>
Appendix A
References
This appendix includes the following major topics:
• Converged Plantwide Ethernet (CPwE), page A-1
• Cisco Unified Access, page A-2
• RF Design and QoS, page A-2
• Wireless Security, page A-3

Converged Plantwide Ethernet (CPwE)
• Converged Plantwide Ethernet (CPwE) Design and Implementation Guide (CPwE)
  – Rockwell Automation site: http://literature.rockwellautomation.com/idc/groups/literature/documents/td/enet-td001_-en-p.pdf
  – Cisco site: http://www.cisco.com/c/en/us/td/docs/solutions/Verticals/CPwE/CPwE_DIG.html
• Deploying the Resilient Ethernet Protocol (REP) in a Converged Plantwide Ethernet System (CPwE) Design Guide
  – Rockwell Automation site: http://literature.rockwellautomation.com/idc/groups/literature/documents/td/enet-td005_-en-p.pdf
  – Cisco site: http://www.cisco.com/c/en/us/td/docs/solutions/Verticals/CPwE/REP/CPwE_REP_DG.html
• Deploying 802.11 Wireless LAN Technology within a Converged Plantwide Ethernet Architecture Design and Implementation Guide
  – Rockwell Automation site: http://literature.rockwellautomation.com/idc/groups/literature/documents/td/enet-td006_-en-p.pdf
  – Cisco site: http://www.cisco.com/c/en/us/td/docs/solutions/Verticals/CPwE/NovCVD/CPwE_WLAN_CVD.html
• Deploying Network Address Translation within a Converged Plantwide Ethernet Architecture Design and Implementation Guide
  – Rockwell Automation site: http://literature.rockwellautomation.com/idc/groups/literature/documents/td/enet-td007_-en-p.pdf
  – Cisco site: http://www.cisco.com/c/en/us/td/docs/solutions/Verticals/CPwE/3-5-1/NAT/DIG/CPwE_NAT_CVD.html
Cisco Unified Access
• Cisco Unified Access webpage
  http://www.cisco.com/en/US/netsol/ns1187/index.html
• Enterprise Mobility Design Guide
  http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob73dg/eMob73.pdf
• The Benefits of Centralization in Wireless LANs
  http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6500-series-switches/prod_white_paper0900aecd8040f7b2.pdf
• Outdoor Wireless Network Solution
  http://www.cisco.com/en/US/netsol/ns621/index.html
• Cisco Wireless Mesh Access Points Design and Deployment Guide
  http://www.cisco.com/c/en/us/td/docs/wireless/technology/mesh/7-6/design/guide/mesh76.html

RF Design and QoS
• Wireless LAN Compliance Status
  http://www.cisco.com/go/aironet/compliance
• RF Spectrum Policy: Future-Proof Wireless Investment through Better Compliance
  http://www.cisco.com/c/en/us/products/collateral/wireless/spectrum-expert/prod_white_paper0900aecd8073bef9.html
• Design Zone for Mobility - High Density Wireless
  http://www.cisco.com/c/en/us/solutions/enterprise/design-zone-mobility/density_wireless.html
• Enterprise Mobility 7.3 Design Guide
  http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Mobility/emob73dg/emob73.html
• Cisco Aironet 1600/2600/3600 Series Access Point Deployment Guide
  http://www.cisco.com/c/en/us/td/docs/wireless/technology/apdeploy/Cisco_Aironet.html
• Antenna Product Portfolio for Cisco Aironet 802.11n Access Points
  http://www.cisco.com/en/US/prod/collateral/wireless/ps7183/ps469/at_a_glance_c45-513837.pdf
• Cisco Aironet Antennas and Accessories Reference Guide
  http://www.cisco.com/en/US/prod/collateral/wireless/ps7183/ps469/product_data_sheet09186a008008883b.pdf
• Antenna Patterns and Their Meaning
  http://www.cisco.com/en/US/prod/collateral/wireless/ps7183/ps469/prod_white_paper0900aecd806a1a3e.pdf
• Antenna Cabling
  http://www.cisco.com/image/gif/paws/27222/antcable.pdf
• Site Survey Guidelines for WLAN Deployment
  http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/116057-site-survey-guidelines-wlan-00.html
• Site Survey and RF Design Validation
  http://www.cisco.com/en/US/docs/wireless/technology/vowlan/troubleshooting/8_Site_Survey_RF_Design_Valid.pdf
• Cisco Unified Wireless QoS
  http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Mobility/emob73dg/emob73/ch5_QoS.html

Wireless Security
• Cisco Unified Wireless Network Architecture - Base Security Features
  http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Mobility/emob73dg/emob73/ch4_Secu.html
• Design Zone for Mobility - Wireless Security
  http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns820/landing_sec_wireless.html
Appendix B
Configuration Examples
This appendix includes the following major topics:
• Example: Industrial WLC Configuration, page B-1
• Example: Corporate Anchor WLC Configuration, page B-14
• Example: Trusted Partner Anchor WLC Configuration, page B-19
• Example: IES Access Switch Configuration, page B-24
This section contains examples of the configurations that were used in testing the wired and wireless architecture. Note the following:
• The configurations are provided for reference only and must not be used "as is" without adapting them to a particular design and topology.
• Future software releases may change some of the commands shown in the configurations.
• Many commands are factory defaults and do not have to be configured during the initial setup.
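The Industrial WLC configuration that follows defines the per-client ACLs (ACL_Full_Access, ACL_RDG_Only, ACL_Partial_Access, ACL_RAS_Only and bla) that limit what each class of wireless client can reach. In a show run-config commands dump every rule is spread over eight or nine acl rule lines, which makes it hard to see by eye that, for instance, bla is a single permit-any rule. As an added example (not part of this guide and not Cisco or Rockwell code), the following Python script rebuilds each ACL's rule table from those lines, evaluates a flow against it the way the controller does (lowest sequence number first, first match wins, no match means deny), and flags permit-all rules, rules shadowed by an earlier catch-all, and ACLs created but never applied. It assumes the WLC direction semantics (In is traffic from the wireless client toward the wired network, Out is traffic toward the client), that a field never set on a rule matches anything, and that a rule with no explicit action is a deny. SAMPLE_CONFIG excerpts the ACL_RDG_Only and bla lines from the dump below plus one constructed, unused ACL.

```python
"""Audit per-client ACLs in a Cisco WLC `show run-config commands` dump.
Added example for this guide, not Cisco or Rockwell code.  Assumed WLC
semantics: first matching rule wins, implicit deny at the end, direction
In = from the client, Out = to the client, unset fields match anything,
unset action = deny.  SAMPLE_CONFIG is excerpted/constructed sample data."""
import ipaddress
from dataclasses import dataclass

ANY_NET = ("0.0.0.0", "0.0.0.0")   # WLC notation: address then netmask; all zeros = any
ALL_PORTS = (0, 65535)


@dataclass
class Rule:
    seq: int
    action: str = "deny"
    src: tuple = ANY_NET
    dst: tuple = ANY_NET
    sport: tuple = ALL_PORTS
    dport: tuple = ALL_PORTS
    direction: str = "Any"         # Any | In | Out
    protocol: str = "Any"          # Any or an IP protocol number

    def is_catch_all(self):
        """True when the rule matches every packet regardless of its fields."""
        return (self.src == ANY_NET and self.dst == ANY_NET and self.sport == ALL_PORTS
                and self.dport == ALL_PORTS and self.direction == "Any" and self.protocol == "Any")


def _in_net(ip, net):
    addr, mask = (int(ipaddress.IPv4Address(x)) for x in net)
    return int(ipaddress.IPv4Address(ip)) & mask == addr & mask


def parse_wlc_acls(text):
    """Return ({acl_name: {seq: Rule}}, {names of ACLs committed with `acl apply`})."""
    acls, applied = {}, set()

    def rule(name, seq):
        return acls.setdefault(name, {}).setdefault(int(seq), Rule(int(seq)))

    for line in text.splitlines():
        t = line.split()
        if len(t) < 3 or t[0] != "acl":
            continue                                     # not a per-client ACL line
        if t[1] == "create":
            acls.setdefault(t[2], {})
        elif t[1] == "apply":
            applied.add(t[2])
        elif t[1] == "rule":
            if t[2] == "add":
                rule(t[3], t[4])
            elif t[2] in ("action", "direction", "protocol"):   # acl rule <kw> NAME SEQ VALUE
                setattr(rule(t[3], t[4]), t[2], t[5])
            elif t[2] in ("source", "destination") and t[3] == "address":   # ... NAME SEQ IP MASK
                setattr(rule(t[4], t[5]), "src" if t[2] == "source" else "dst", (t[6], t[7]))
            elif t[2] in ("source", "destination") and t[3] == "port":      # ... range NAME SEQ LO HI
                setattr(rule(t[5], t[6]), "sport" if t[2] == "source" else "dport", (int(t[7]), int(t[8])))
    return acls, applied


def evaluate(rules, src, dst, proto, sport, dport, direction):
    """Return (action, seq) of the first matching rule; ("deny", None) is the implicit deny."""
    for seq in sorted(rules):
        r = rules[seq]
        if r.direction != "Any" and r.direction != direction:
            continue
        if r.protocol != "Any" and int(r.protocol) != proto:
            continue
        if not (_in_net(src, r.src) and _in_net(dst, r.dst)):
            continue
        if not (r.sport[0] <= sport <= r.sport[1] and r.dport[0] <= dport <= r.dport[1]):
            continue
        return r.action, seq
    return "deny", None


def audit(acls, applied):
    """Findings a reviewer would want before this dump goes into production."""
    findings = []
    for name, rules in acls.items():
        ordered = [rules[s] for s in sorted(rules)]
        if name not in applied:
            findings.append(f"{name}: created but never applied (rules not committed with acl apply)")
        if not ordered:
            findings.append(f"{name}: no rules; every packet hits the implicit deny")
        for i, r in enumerate(ordered):
            if r.is_catch_all() and r.action == "permit":
                findings.append(f"{name}: rule {r.seq} permits all traffic (any/any, all ports, both directions)")
            if r.is_catch_all() and i < len(ordered) - 1:
                findings.append(f"{name}: rules after {r.seq} are unreachable (rule {r.seq} matches everything)")
    return findings


SAMPLE_CONFIG = """\
acl create ACL_RDG_Only
acl create bla
acl create ACL_Unused
acl apply ACL_RDG_Only
acl apply bla
acl rule add ACL_RDG_Only 1
acl rule add ACL_RDG_Only 2
acl rule add ACL_RDG_Only 3
acl rule add bla 1
acl rule action ACL_RDG_Only 1 permit
acl rule action ACL_RDG_Only 2 permit
acl rule action ACL_RDG_Only 3 deny
acl rule action bla 1 permit
acl rule destination address ACL_RDG_Only 1 10.1.2.3 255.255.255.255
acl rule destination port range ACL_RDG_Only 1 443 443
acl rule source address ACL_RDG_Only 2 10.1.2.3 255.255.255.255
acl rule source port range ACL_RDG_Only 2 443 443
acl rule direction ACL_RDG_Only 1 In
acl rule direction ACL_RDG_Only 2 Out
acl rule protocol ACL_RDG_Only 1 6
acl rule protocol ACL_RDG_Only 2 6
"""

if __name__ == "__main__":
    acls, applied = parse_wlc_acls(SAMPLE_CONFIG)
    print(evaluate(acls["ACL_RDG_Only"], "10.13.181.55", "10.1.2.3", 6, 51000, 443, "In"))
    print("\n".join(audit(acls, applied)))
```

Run it against the full dump saved from the controller; evaluate() answers the question "can a client on the provisioning VLAN reach this server on this port" without logging in to the controller, and audit() lists the permit-all and unreachable rules that a listing like the one below hides. The same grammar applies to the flexconnect acl lines further down if you strip the leading flexconnect token before parsing.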
Example: Industrial WLC Configuration
This example shows an Industrial WLC configuration.
(Cisco Controller) >show run-config commands
redundancy mode SSO
802.11a 11nSupport a-mpdu tx priority 6 enable
802.11a 11nSupport a-mpdu tx priority 7 enable
802.11a 11nSupport a-mpdu tx scheduler enable
802.11a 11nSupport a-mpdu tx scheduler timeout rt 10
802.11a 11nSupport disable
802.11a beacon range 0
802.11a rx-sop threshold auto default
802.11a cca threshold 0 default
802.11a multicast buffer 0
802.11a multicast data-rate 0 default
802.11a cac voice max-bandwidth 40
802.11a cac video max-bandwidth 40
802.11a cac voice roam-bandwidth 15
802.11a cac video roam-bandwidth 15
802.11a channel global off
802.11a rssi-check enable
802.11a max-clients 200
802.11a rate disabled 9
802.11a rate disabled 18
802.11a rate disabled 36
802.11a rate disabled 48
802.11a txPower global 1
802.11a cleanair device enable radar
802.11a dfs-peakdetect enable
802.11b 11nSupport a-mpdu tx scheduler enable
802.11b 11nSupport a-mpdu tx scheduler timeout rt 10
802.11b 11gSupport disable
802.11b beacon range 0
802.11b rx-sop threshold auto default
802.11b cca threshold 0 default
802.11b multicast buffer 0
802.11b multicast data-rate 0 default
802.11b cac video cac-method static
802.11b channel global off
802.11b max-clients 200
802.11b txPower global 1
aaa auth mgmt local radius
flexconnect fallback-radio-shut disable
acl create ACL_Full_Access
acl create ACL_RDG_Only
acl create ACL_Partial_Access
acl create ACL_RAS_Only
acl create bla
acl apply ACL_Full_Access
acl apply ACL_RDG_Only
acl apply ACL_Partial_Access
acl apply ACL_RAS_Only
acl apply bla
acl counter start
acl rule add ACL_Full_Access 1
acl rule add ACL_RDG_Only 1
acl rule add ACL_RDG_Only 2
acl rule add ACL_RDG_Only 3
acl rule add ACL_Partial_Access 1
acl rule add ACL_Partial_Access 2
acl rule add ACL_Partial_Access 3
acl rule add ACL_RAS_Only 1
acl rule add ACL_RAS_Only 2
acl rule add ACL_RAS_Only 3
acl rule add bla 1
acl rule action ACL_Full_Access 1 permit
acl rule action ACL_RDG_Only 1 permit
acl rule action ACL_RDG_Only 2 permit
acl rule action ACL_RDG_Only 3 deny
acl rule action ACL_Partial_Access 1 permit
acl rule action ACL_Partial_Access 2 permit
acl rule action ACL_Partial_Access 3 deny
acl rule action ACL_RAS_Only 1 permit
acl rule action ACL_RAS_Only 2 permit
acl rule action ACL_RAS_Only 3 deny
acl rule action bla 1 permit
acl rule destination address ACL_Full_Access 1 0.0.0.0 0.0.0.0
acl rule destination address ACL_RDG_Only 1 10.1.2.3 255.255.255.255
acl rule destination address ACL_RDG_Only 2 0.0.0.0 0.0.0.0
acl rule destination address ACL_RDG_Only 3 0.0.0.0 0.0.0.0
acl rule destination address ACL_Partial_Access 1 10.17.10.0 255.255.255.0
acl rule destination address ACL_Partial_Access 2 0.0.0.0 0.0.0.0
acl rule destination address ACL_Partial_Access 3 0.0.0.0 0.0.0.0
acl rule destination address ACL_RAS_Only 1 10.13.48.28 255.255.255.255
acl rule destination address ACL_RAS_Only 2 0.0.0.0 0.0.0.0
acl rule destination address ACL_RAS_Only 3 0.0.0.0 0.0.0.0
acl rule destination port range ACL_Full_Access 1 0 65535
acl rule destination port range ACL_RDG_Only 1 443 443
acl rule destination port range ACL_RDG_Only 2 0 65535
acl rule destination port range ACL_RDG_Only 3 0 65535
acl rule destination port range ACL_Partial_Access 1 0 65535
acl rule destination port range ACL_Partial_Access 2 0 65535
acl rule destination port range ACL_Partial_Access 3 0 65535
acl rule destination port range ACL_RAS_Only 1 0 65535
acl rule destination port range ACL_RAS_Only 2 0 65535
acl rule destination port range ACL_RAS_Only 3 0 65535
acl rule destination port range bla 1 0 65535
acl rule source address ACL_Full_Access 1 0.0.0.0 0.0.0.0
acl rule source address ACL_RDG_Only 1 0.0.0.0 0.0.0.0
acl rule source address ACL_RDG_Only 2 10.1.2.3 255.255.255.255
acl rule source address ACL_RDG_Only 3 0.0.0.0 0.0.0.0
acl rule source address ACL_Partial_Access 1 0.0.0.0 0.0.0.0
acl rule source address ACL_Partial_Access 2 10.17.10.0 255.255.255.0
acl rule source address ACL_Partial_Access 3 0.0.0.0 0.0.0.0
acl rule source address ACL_RAS_Only 1 0.0.0.0 0.0.0.0
acl rule source address ACL_RAS_Only 2 10.13.48.28 255.255.255.255
acl rule source address ACL_RAS_Only 3 0.0.0.0 0.0.0.0
acl rule source port range ACL_Full_Access 1 0 65535
acl rule source port range ACL_RDG_Only 1 0 65535
acl rule source port range ACL_RDG_Only 2 443 443
acl rule source port range ACL_RDG_Only 3 0 65535
acl rule source port range ACL_Partial_Access 1 0 65535
acl rule source port range ACL_Partial_Access 2 0 65535
acl rule source port range ACL_Partial_Access 3 0 65535
acl rule source port range ACL_RAS_Only 1 0 65535
acl rule source port range ACL_RAS_Only 2 0 65535
acl rule source port range ACL_RAS_Only 3 0 65535
acl rule direction ACL_Full_Access 1 Any
acl rule direction ACL_RDG_Only 1 In
acl rule direction ACL_RDG_Only 2 Out
acl rule direction ACL_RDG_Only 3 Any
acl rule direction ACL_Partial_Access 1 In
acl rule direction ACL_Partial_Access 2 Out
acl rule direction ACL_Partial_Access 3 Any
acl rule direction ACL_RAS_Only 1 Any
acl rule direction ACL_RAS_Only 2 Any
acl rule direction ACL_RAS_Only 3 Any
acl rule dscp ACL_Full_Access 1 Any
acl rule dscp ACL_RDG_Only 1 Any
acl rule dscp ACL_RDG_Only 2 Any
acl rule dscp ACL_RDG_Only 3 Any
acl rule dscp ACL_Partial_Access 1 Any
acl rule dscp ACL_Partial_Access 2 Any
acl rule dscp ACL_Partial_Access 3 Any
acl rule dscp ACL_RAS_Only 1 Any
acl rule dscp ACL_RAS_Only 2 Any
acl rule dscp ACL_RAS_Only 3 Any
acl rule protocol ACL_Full_Access 1 Any
acl rule protocol ACL_RDG_Only 1 6
acl rule protocol ACL_RDG_Only 2 6
acl rule protocol ACL_RDG_Only 3 Any
acl rule protocol ACL_Partial_Access 1 Any
acl rule protocol ACL_Partial_Access 2 Any
acl rule protocol ACL_Partial_Access 3 Any
acl rule protocol ACL_RAS_Only 1 Any
acl rule protocol ACL_RAS_Only 2 Any
acl rule protocol ACL_RAS_Only 3 Any
acl apply ACL_Full_Access
acl apply ACL_RDG_Only
acl apply ACL_Partial_Access
acl apply ACL_RAS_Only
advanced 802.11a channel dca interval 0
advanced 802.11a channel dca startup-interval 0
advanced 802.11a channel dca anchor-time 0
advanced 802.11a channel dca chan-width 20
advanced 802.11a channel dca sensitivity 15
advanced 802.11a channel dca min-metric -95
advanced 802.11a channel delete 20
advanced 802.11a channel delete 26
advanced 802.11a group-mode off
advanced 802.11a reporting neighbor 180
advanced 802.11a reporting interference 120
advanced 802.11b channel dca interval 0
advanced 802.11b channel dca startup-interval 0
advanced 802.11b channel dca anchor-time 0
advanced 802.11b channel dca sensitivity 10
advanced 802.11b channel dca min-metric -95
advanced 802.11b reporting neighbor 180
advanced 802.11b reporting interference 120
location info rogue extended
location rssi-half-life tags 0
location rssi-half-life client 0
location rssi-half-life rogue-aps 0
location expiry tags 5
location expiry client 5
location expiry calibrating-client 5
location expiry rogue-aps 5
advanced timers ap-heartbeat-timeout 10
advanced timers ap-fast-heartbeat flexconnect enable 1
advanced backup-controller primary
advanced backup-controller secondary
advanced backup-controller
advanced backup-controller
advanced sip-snooping-ports 0 0
avc profile PAC_IO_SAFETY create
advanced eap bcast-key-interval 3600
advanced 802.11-abgn pak-rssi-location threshold -100
advanced 802.11-abgn pak-rssi-location trigger-threshold 10
advanced 802.11-abgn pak-rssi-location reset-threshold 8
advanced 802.11-abgn pak-rssi-location ntp 10.13.15.254
advanced 802.11-abgn pak-rssi-location timeout 3
advanced hotspot cmbk-delay 50
ap syslog host global ::
ap dtls-cipher-suite RSA-AES128-SHA
auth-list ap-policy ssc enable
auth-list add mic 3c:08:f6:20:d2:17
auth-list add mic 3c:08:f6:a2:d3:b0
auth-list add mic 3c:08:f6:b2:8d:d6
auth-list add mic 3c:08:f6:b2:98:e4
auth-list add mic 78:da:6e:42:9c:2e
auth-list add mic a8:0c:0d:be:a6:7e
cdp advertise-v2 enable
cts sxp disable
cts sxp connection default password ****
cts sxp retry period 120
cts sxp sxpversion 2
database size 2048
dhcp opt-82 remote-id ap-mac
flexconnect acl create ACL_Provisioning_Redirect
flexconnect acl apply ACL_Provisioning_Redirect
flexconnect acl rule add ACL_Provisioning_Redirect 1
flexconnect acl rule add ACL_Provisioning_Redirect 2
flexconnect acl rule add ACL_Provisioning_Redirect 3
flexconnect acl rule add ACL_Provisioning_Redirect 4
flexconnect acl rule add ACL_Provisioning_Redirect 5
flexconnect acl rule action ACL_Provisioning_Redirect 1 permit
flexconnect acl rule action ACL_Provisioning_Redirect 2 permit
flexconnect acl rule action ACL_Provisioning_Redirect 3 permit
flexconnect acl rule action ACL_Provisioning_Redirect 4 permit
flexconnect acl rule action ACL_Provisioning_Redirect 5 deny
flexconnect acl rule destination address ACL_Provisioning_Redirect 1 10.13.48.26 255.255.255.255
flexconnect acl rule destination address ACL_Provisioning_Redirect 2 0.0.0.0 0.0.0.0
flexconnect acl rule destination address ACL_Provisioning_Redirect 3 10.13.48.32 255.255.255.255
flexconnect acl rule destination address ACL_Provisioning_Redirect 4 0.0.0.0 0.0.0.0
flexconnect acl rule destination address ACL_Provisioning_Redirect 5 0.0.0.0 0.0.0.0
flexconnect acl rule destination port range ACL_Provisioning_Redirect 1 0 65535
flexconnect acl rule destination port range ACL_Provisioning_Redirect 2 0 65535
flexconnect acl rule destination port range ACL_Provisioning_Redirect 3 0 65535
flexconnect acl rule destination port range ACL_Provisioning_Redirect 4 0 65535
flexconnect acl rule destination port range ACL_Provisioning_Redirect 5 0 65535
flexconnect acl rule source address ACL_Provisioning_Redirect 1 0.0.0.0 0.0.0.0
flexconnect acl rule source address ACL_Provisioning_Redirect 2 10.13.48.26 255.255.255.255
flexconnect acl rule source address ACL_Provisioning_Redirect 3 0.0.0.0 0.0.0.0
flexconnect acl rule source address ACL_Provisioning_Redirect 4 10.13.48.32 255.255.255.255
flexconnect acl rule source address ACL_Provisioning_Redirect 5 0.0.0.0 0.0.0.0
flexconnect acl rule source port range ACL_Provisioning_Redirect 1 0 65535
flexconnect acl rule source port range ACL_Provisioning_Redirect 2 0 65535
flexconnect acl rule source port range ACL_Provisioning_Redirect 3 0 65535
flexconnect acl rule source port range ACL_Provisioning_Redirect 4 0 65535
flexconnect acl rule source port range ACL_Provisioning_Redirect 5 0 65535
flexconnect acl rule dscp ACL_Provisioning_Redirect 1 Any
flexconnect acl rule dscp ACL_Provisioning_Redirect 2 Any
flexconnect acl rule dscp ACL_Provisioning_Redirect 3 Any
flexconnect acl rule dscp ACL_Provisioning_Redirect 4 Any
flexconnect acl rule dscp ACL_Provisioning_Redirect 5 Any
flexconnect acl rule protocol ACL_Provisioning_Redirect 1 Any
flexconnect acl rule protocol ACL_Provisioning_Redirect 2 Any
flexconnect acl rule protocol ACL_Provisioning_Redirect 3 Any
flexconnect acl rule protocol ACL_Provisioning_Redirect 4 Any
flexconnect acl rule protocol ACL_Provisioning_Redirect 5 Any
flexconnect group FastRoam_CCKM_Flex_Ring add
flexconnect group FastRoam_CCKM_Flex_Ring ap add 3c:08:f6:20:d2:17
flexconnect group FastRoam_CCKM_Flex_Ring radius ap server-key
flexconnect group FastRoam_CCKM_Flex_Ring radius ap authority id 436973636f0000000000000000000000
flexconnect group FastRoam_CCKM_Flex_Ring radius ap authority info Cisco A_ID
flexconnect group FastRoam_CCKM_Flex_Star add
flexconnect group FastRoam_CCKM_Flex_Star radius ap server-key
flexconnect group FastRoam_CCKM_Flex_Star radius ap authority id 436973636f0000000000000000000000
flexconnect group FastRoam_CCKM_Flex_Star radius ap authority info Cisco A_ID
flexconnect group Industrial_FlexConnect_Group add
flexconnect group Industrial_FlexConnect_Group radius ap server-key
flexconnect group Industrial_FlexConnect_Group radius ap authority id 436973636f0000000000000000000000
flexconnect group Industrial_FlexConnect_Group radius ap authority info Cisco A_ID
flexconnect group Industrial_FlexConnect_Group policy acl add ACL_Provisioning_Redirect
local-auth eap-profile add CPwE350-EAP-FAST
local-auth eap-profile add CPwE350-EAP-TLS
local-auth eap-profile cert-issuer cisco CPwE350-EAP-FAST
local-auth eap-profile cert-issuer vendor CPwE350-EAP-TLS
local-auth eap-profile method add fast CPwE350-EAP-FAST
local-auth eap-profile method add tls CPwE350-EAP-TLS
local-auth eap-profile method fast client-cert enable CPwE350-EAP-TLS
local-auth eap-profile method fast local-cert enable CPwE350-EAP-TLS
local-auth method fast server-key ****
local-auth eap-profile cert-verify ca-issuer disable CPwE350-EAP-FAST
local-auth eap-profile cert-verify date-valid disable CPwE350-EAP-FAST
interface create corporate_employee_provisioning 182
interface create industrial_employee_provisionin 181
interface create trusted_partners_provisioning 183
interface create wgb-roam-client 250
interface address dynamic-interface corporate_employee_provisioning 10.1.182.251 255.255.255.0 10.1.182.1
interface address dynamic-interface industrial_employee_provisionin 10.13.181.251 255.255.255.0 10.13.181.1
interface address management 10.13.50.251 255.255.255.0 10.13.50.1
interface address service-port 192.168.254.83 255.255.255.0
interface address dynamic-interface trusted_partners_provisioning 10.1.183.251 255.255.255.0 10.1.183.1
interface address virtual 1.1.1.1
interface address dynamic-interface wgb-roam-client 10.17.250.251 255.255.255.0 10.17.250.1
interface address redundancy-management 10.13.50.253 redundancy interface address peer-redundancy-management 10.13.50.252
interface dhcp management primary 10.13.48.26
interface dhcp dynamic-interface wgb-roam-client primary 10.13.48.26
interface vlan corporate_employee_provisioning 182
interface vlan industrial_employee_provisionin 181
interface vlan management 150
interface vlan trusted_partners_provisioning 183
interface vlan wgb-roam-client 250
interface nasid corporate_employee_provisioning
interface nasid industrial_employee_provisionin
interface nasid trusted_partners_provisioning
interface nasid wgb-roam-client
interface port corporate_employee_provisioning 1
interface port industrial_employee_provisionin 1
interface port management 1
interface port trusted_partners_provisioning 1
interface port wgb-roam-client 1
mdns snooping disable
mdns policy service-group create default-mdns-policy default-mdns-policy
mdns policy service-group user-role add default-mdns-policy admin
mdns profile create default-mdns-profile
mdns service create AirPrint _ipp._tcp.local. origin All LSS disable query enable
mdns service create AirTunes _raop._tcp.local. origin All LSS disable query enable
mdns service create AppleTV _airplay._tcp.local. origin All LSS disable query enable
mdns service create HP_Photosmart_Printer_1 _universal._sub._ipp._tcp.local. origin All LSS disable query enable
mdns service create HP_Photosmart_Printer_2 _cups._sub._ipp._tcp.local. origin All LSS disable query enable
mdns service create Printer _printer._tcp.local. origin All LSS disable query enable
mdns profile service add default-mdns-profile AirPrint
mdns profile service add default-mdns-profile AirTunes
mdns profile service add default-mdns-profile AppleTV
mdns profile service add default-mdns-profile HP_Photosmart_Printer_1
mdns profile service add default-mdns-profile HP_Photosmart_Printer_2
mdns profile service add default-mdns-profile Printer
mdns query interval 15
wlan mdns disable 1
wlan mdns disable 2
wlan mdns enable 3
wlan mdns enable 4
wlan mdns enable 6
wlan mdns disable 7
wlan mdns enable 11
wlan mdns profile 3 default-mdns-profile
wlan mdns profile 4 default-mdns-profile
wlan mdns profile 6 default-mdns-profile
wlan mdns profile 11 default-mdns-profile
ipv6 ra-guard ap enable
ipv6 capwap udplite enable all
ipv6 multicast mode unicast
load-balancing aggressive enable
load-balancing window 5
wlan apgroup add CPwE350-Flex-Ring01 FlexRing01
wlan apgroup add CPwE350-Flex-Star01 FlexStar01
wlan apgroup add CPwE350-Roam-central "For roaming clients"
wlan apgroup add default-group
wlan apgroup qinq tagging eap-sim-aka default-group enable
wlan apgroup interface-mapping add CPwE350-Flex-Ring01 1 management
wlan apgroup interface-mapping add CPwE350-Flex-Ring01 7 industrial_employee_provisionin
wlan apgroup interface-mapping add CPwE350-Flex-Ring01 6 corporate_employee_provisioning
wlan apgroup interface-mapping add CPwE350-Flex-Ring01 4 trusted_partners_provisioning
wlan apgroup interface-mapping add CPwE350-Flex-Star01 2 management
wlan apgroup interface-mapping add CPwE350-Roam-central 3 wgb-roam-client
wlan apgroup interface-mapping add default-group 1 management
wlan apgroup interface-mapping add default-group 2 management
wlan apgroup interface-mapping add default-group 3 wgb-roam-client
wlan apgroup interface-mapping add default-group 4 trusted_partners_provisioning
wlan apgroup interface-mapping add default-group 6 corporate_employee_provisioning
wlan apgroup interface-mapping add default-group 7 industrial_employee_provisionin
wlan apgroup nac-snmp disable CPwE350-Flex-Ring01 1
wlan apgroup nac-snmp disable CPwE350-Flex-Ring01 7
wlan apgroup nac-snmp disable CPwE350-Flex-Ring01 6
wlan apgroup nac-snmp disable CPwE350-Flex-Ring01 4
wlan apgroup nac-snmp disable CPwE350-Flex-Star01 2
wlan apgroup nac-snmp disable CPwE350-Roam-central 3
wlan apgroup nac-snmp disable default-group 1
wlan apgroup nac-snmp disable default-group 2
wlan apgroup nac-snmp disable default-group 3
wlan apgroup nac-snmp disable default-group 4
wlan apgroup nac-snmp disable default-group 6
wlan apgroup nac-snmp disable default-group 7
wlan apgroup nac-snmp disable default-group 11
memory monitor errors enable
memory monitor leak thresholds 10000 30000
Outdoor Mesh Ext.UNII B Domain channels: Disable
mesh security rad-mac-filter disable
mesh security rad-mac-filter disable
mesh security eap
mesh lsc advanced ap-provision open-window enable
mgmtuser add admin **** read-write
mobility group domain CPwE351
mobility group member add 30:f7:0d:31:36:40 10.1.3.78 CPwE351
mobility group member add 6c:41:6a:5f:0e:a0 10.1.4.77 CPwE351
mobility group anchor add wlan 4
mobility group anchor add wlan 4 10.1.4.77
mobility group anchor add wlan 6
mobility group anchor add wlan 6 10.1.3.78
mobility dscp 0
netuser add AP2602-R-WGB05 **** wlan 0 userType permanent description
netuser wlan-id AP2602-R-WGB05 0
netuser guest-role create PAC_IO_SAFETY
network multicast igmp snooping enable
network multicast mld snooping enable
network ap-priority disabled
network web-auth captive-bypass enable
network fast-ssid-change enable
network rf-network-name CPwE351
network secureweb cipher-option rc4-preference disable
network client-ip-conflict-detection disable
qos protocol-type bronze dot1p
qos protocol-type silver dot1p
qos protocol-type gold dot1p
qos protocol-type platinum dot1p
qos priority bronze background background background
qos priority gold video video video
qos priority platinum voice voice voice
qos priority silver besteffort besteffort besteffort
qos dot1p-tag silver 0
qos dot1p-tag gold 4
qos dot1p-tag platinum 5
radius auth add 1 10.13.48.40 1812 ascii ****
radius auth add 2 10.13.48.32 1812 ascii ****
radius callStationIdType macaddr
radius auth callStationIdType ap-macaddr-ssid
radius auth network 1 disable
radius auth management 1 disable
radius fallback-test mode off
radius fallback-test username cisco-probe
radius fallback-test interval 300
radius dns disable
radius dns auth network disable
radius dns auth management disable
radius dns acct network disable
radius dns auth rfc3576 disable
tacacs dns disable
rogue detection report-interval 10
rogue detection min-rssi -128
rogue detection transient-rogue-interval 0
rogue detection client-threshold 0
rogue detection security-level custom
rogue ap aaa-auth disable
rogue ap aaa-auth polling-interval 0
rogue ap ssid alarm
rogue ap valid-client alarm
rogue adhoc enable
rogue adhoc alert
rogue ap rldp disable
rogue auto-contain level 1
rogue containment flex-connect disable
rogue containment auto-rate disable
serial timeout 0
sessions timeout 0
snmp version v2c enable
snmp version v3 enable
snmp snmpEngineId 0000376300004000fb320d0a
snmp community ipsec ike auth-mode pre-shared-key ****
switchconfig strong-pwd case-check enabled
switchconfig strong-pwd consecutive-check enabled
switchconfig strong-pwd default-check enabled
switchconfig strong-pwd username-check enabled
switchconfig strong-pwd position-check disabled
switchconfig strong-pwd case-digit-check disabled
switchconfig strong-pwd minimum upper-case 0
switchconfig strong-pwd minimum lower-case 0
switchconfig strong-pwd minimum digits-chars 0
switchconfig strong-pwd minimum special-chars 0
switchconfig strong-pwd min-length 3
sysname WLC_Primary
stats-timer realtime 5
stats-timer normal 180
time ntp interval 3600
time ntp server 1 10.13.15.254
rf-profile create 802.11a CPwE350-Flex-RFPolicy
rf-profile create 802.11a CPwE350-Roam-RFPolicy
rf-profile create 802.11a High-Client-Density-(802.11a)
rf-profile create 802.11b High-Client-Density-(802.11bg)
rf-profile create 802.11a Low-Client-Density-(802.11a)
rf-profile create 802.11b Low-Client-Density-(802.11bg)
rf-profile create 802.11b Typical-Client-Density(802.11bg)
rf-profile create 802.11a Typical-Client-Density-(802.11a)
rf-profile description Single Cell/Area LWAP RF Policy CPwE350-Flex-RFPolicy
rf-profile description Plant-wide Roaming LWAP RF Policy CPwE350-Roam-RFPolicy
rf-profile tx-power-min 7 High-Client-Density-(802.11a)
rf-profile tx-power-min 7 High-Client-Density-(802.11bg)
rf-profile tx-power-control-thresh-v1 -65 High-Client-Density-(802.11a)
rf-profile tx-power-control-thresh-v1 -60 Low-Client-Density-(802.11a)
rf-profile tx-power-control-thresh-v1 -65 Low-Client-Density-(802.11bg)
rf-profile data-rates 802.11a mandatory 6 CPwE350-Flex-RFPolicy
rf-profile data-rates 802.11a supported 9 CPwE350-Flex-RFPolicy
rf-profile data-rates 802.11a mandatory 12 CPwE350-Flex-RFPolicy
rf-profile data-rates 802.11a supported 18 CPwE350-Flex-RFPolicy
rf-profile data-rates 802.11a mandatory 24 CPwE350-Flex-RFPolicy
rf-profile data-rates 802.11a supported 36 CPwE350-Flex-RFPolicy
rf-profile data-rates 802.11a supported 48 CPwE350-Flex-RFPolicy
rf-profile data-rates 802.11a supported 54 CPwE350-Flex-RFPolicy
rf-profile data-rates 802.11a mandatory 6 CPwE350-Roam-RFPolicy
rf-profile data-rates 802.11a supported 9 CPwE350-Roam-RFPolicy
rf-profile data-rates 802.11a mandatory 12 CPwE350-Roam-RFPolicy
rf-profile data-rates 802.11a supported 18 CPwE350-Roam-RFPolicy
rf-profile data-rates 802.11a mandatory 24 CPwE350-Roam-RFPolicy
rf-profile data-rates 802.11a supported 36 CPwE350-Roam-RFPolicy
rf-profile data-rates 802.11a supported 48 CPwE350-Roam-RFPolicy
rf-profile data-rates 802.11a supported 54 CPwE350-Roam-RFPolicy
rf-profile data-rates 802.11a mandatory 6 High-Client-Density-(802.11a)
rf-profile data-rates 802.11a disabled 9 High-Client-Density-(802.11a)
rf-profile data-rates 802.11a mandatory 12 High-Client-Density-(802.11a)
rf-profile data-rates 802.11a disabled 18 High-Client-Density-(802.11a)
rf-profile data-rates 802.11a mandatory 24 High-Client-Density-(802.11a)
rf-profile data-rates 802.11a disabled 36 High-Client-Density-(802.11a)
rf-profile data-rates 802.11a disabled 48 High-Client-Density-(802.11a)
rf-profile data-rates 802.11a supported 54 High-Client-Density-(802.11a)
rf-profile data-rates 802.11b disabled 1 High-Client-Density-(802.11bg)
rf-profile data-rates 802.11b disabled 2 High-Client-Density-(802.11bg)
rf-profile data-rates 802.11b disabled 5.5 High-Client-Density-(802.11bg)
rf-profile data-rates 802.11a mandatory 6 Low-Client-Density-(802.11a)
rf-profile data-rates 802.11a disabled 9 Low-Client-Density-(802.11a)
rf-profile data-rates 802.11a mandatory 12 Low-Client-Density-(802.11a)
rf-profile data-rates 802.11a disabled 18 Low-Client-Density-(802.11a)
rf-profile data-rates 802.11a mandatory 24 Low-Client-Density-(802.11a)
rf-profile data-rates 802.11a disabled 36 Low-Client-Density-(802.11a)
rf-profile data-rates 802.11a disabled 48 Low-Client-Density-(802.11a)
rf-profile data-rates 802.11a supported 54 Low-Client-Density-(802.11a)
rf-profile data-rates 802.11b mandatory 1 Low-Client-Density-(802.11bg)
rf-profile data-rates 802.11b mandatory 2 Low-Client-Density-(802.11bg)
rf-profile data-rates 802.11b mandatory 5.5 Low-Client-Density-(802.11bg)
rf-profile data-rates 802.11b disabled 1 Typical-Client-Density(802.11bg)
rf-profile data-rates 802.11b disabled 2 Typical-Client-Density(802.11bg)
rf-profile data-rates 802.11b disabled 5.5 Typical-Client-Density(802.11bg)
rf-profile data-rates 802.11a mandatory 6 Typical-Client-Density-(802.11a)
rf-profile data-rates 802.11a disabled 9 Typical-Client-Density-(802.11a)
rf-profile data-rates 802.11a mandatory 12 Typical-Client-Density-(802.11a)
rf-profile data-rates 802.11a disabled 18 Typical-Client-Density-(802.11a)
rf-profile data-rates 802.11a mandatory 24 Typical-Client-Density-(802.11a)
rf-profile data-rates 802.11a disabled 36 Typical-Client-Density-(802.11a)
rf-profile data-rates 802.11a disabled 48 Typical-Client-Density-(802.11a)
rf-profile data-rates 802.11a supported 54 Typical-Client-Density-(802.11a)
rf-profile rx-sop threshold medium High-Client-Density-(802.11a)
rf-profile rx-sop threshold medium High-Client-Density-(802.11bg)
rf-profile rx-sop threshold low Low-Client-Density-(802.11a)
rf-profile rx-sop threshold low Low-Client-Density-(802.11bg)
rf-profile coverage data -90 Low-Client-Density-(802.11a)
rf-profile coverage data -90 Low-Client-Density-(802.11bg)
rf-profile coverage voice -90 Low-Client-Density-(802.11a)
rf-profile coverage voice -90 Low-Client-Density-(802.11bg)
rf-profile channel delete 20 CPwE350-Flex-RFPolicy
rf-profile channel delete 26 CPwE350-Flex-RFPolicy
rf-profile channel delete 20 CPwE350-Roam-RFPolicy
rf-profile channel delete 26 CPwE350-Roam-RFPolicy
rf-profile channel delete 20 High-Client-Density-(802.11a)
rf-profile channel delete 26 High-Client-Density-(802.11a)
rf-profile channel delete 20 Low-Client-Density-(802.11a)
rf-profile channel delete 26 Low-Client-Density-(802.11a)
rf-profile channel delete 20 Typical-Client-Density-(802.11a)
rf-profile channel delete 26 Typical-Client-Density-(802.11a)
trapflags client nac-alert enable
trapflags ap ssidKeyConflict disable
trapflags ap timeSyncFailure disable
trapflags mfp disable
trapflags adjchannel-rogueap disable
trapflags mesh excessive hop count disable
trapflags mesh sec backhaul change disable
wlan create 1 "CPwE350 Ring#1 Flex" CPwE350-R1-Flex
wlan create 2 "CPwE350 Star#1 Flex" CPwE350-S1-Flex
wlan create 3 CPwE350-Roam CPwE350-Roam
wlan create 4 Trusted_Partners_WLAN Trusted_Partners
wlan create 6 Corporate_Employee_WLAN Corporate_Employee
wlan create 7 Industrial_Employee_WLAN Industrial_Employee
wlan create 11 xyz xyz
wlan nac snmp disable 1
wlan nac snmp disable 2
wlan nac snmp disable 3
wlan nac snmp disable 4
wlan nac snmp disable 6
wlan nac snmp disable 7
wlan nac snmp disable 11
wlan nac radius disable 1
wlan nac radius disable 2
wlan nac radius disable 3
wlan nac radius enable 4
wlan nac radius enable 6
wlan nac radius enable 7
wlan nac radius enable 11
wlan interface 3 wgb-roam-client
wlan interface 4 trusted_partners_provisioning
wlan interface 6 corporate_employee_provisioning
wlan interface 7 industrial_employee_provisionin
wlan multicast interface 1 disable
wlan multicast interface 2 disable
wlan multicast interface 3 disable
wlan multicast interface 4 disable
wlan multicast interface 6 disable
wlan multicast interface 7 disable
wlan multicast interface 11 disable
wlan aaa-override enable 4
wlan aaa-override enable 6
wlan aaa-override enable 7
wlan aaa-override enable 11
wlan broadcast-ssid disable 1
wlan broadcast-ssid disable 2
wlan broadcast-ssid disable 3
wlan band-select allow disable 1
wlan band-select allow disable 2
wlan band-select allow disable 3
wlan band-select allow disable 4
wlan band-select allow disable 6
wlan band-select allow disable 7
wlan band-select allow disable 11
wlan load-balance allow disable 1
wlan load-balance allow disable 2
wlan load-balance allow disable 3
wlan load-balance allow disable 4
wlan load-balance allow disable 6
wlan load-balance allow disable 7
wlan load-balance allow disable 11
wlan multicast buffer disable 0 1
wlan multicast buffer disable 0 2
wlan multicast buffer disable 0 3
wlan multicast buffer disable 0 4
wlan multicast buffer disable 0 6
wlan multicast buffer disable 0 7
wlan multicast buffer disable 0 11
wlan qos 1 platinum
wlan qos 2 platinum
wlan qos 3 platinum
wlan radio 1 802.11a-only
wlan radio 2 802.11a-only
wlan radio 3 802.11a-only
wlan radio 4 802.11bg
wlan radio 6 802.11bg
wlan radio 7 802.11bg
wlan session-timeout 1 1800
wlan session-timeout 2 1800
wlan session-timeout 3 1800
wlan session-timeout 4 1800
wlan session-timeout 6 1800
wlan session-timeout 7 1800
wlan session-timeout 11 1800
wlan flexconnect local-switching 1 enable
wlan flexconnect local-switching 2 enable
wlan flexconnect local-switching 3 disable
wlan flexconnect local-switching 4 disable
wlan flexconnect local-switching 6 disable
wlan flexconnect local-switching 7 disable
wlan flexconnect local-switching 11 disable
wlan flexconnect learn-ipaddr 1 enable
wlan flexconnect learn-ipaddr 2 enable
wlan flexconnect learn-ipaddr 3 enable
wlan flexconnect learn-ipaddr 4 enable
wlan flexconnect learn-ipaddr 6 enable
wlan flexconnect learn-ipaddr 7 enable
wlan flexconnect learn-ipaddr 11 enable
wlan security wpa disable 2
wlan radius_server auth add 1 2
wlan radius_server acct disable 1
wlan radius_server auth add 2 1
wlan radius_server acct disable 2
wlan radius_server auth add 3 1
wlan radius_server acct disable 3
wlan radius_server auth add 4 2
wlan radius_server auth add 6 2
wlan radius_server auth add 7 2
wlan radius_server acct disable 7
wlan radius_server auth add 11 2
wlan radius_server overwrite-interface apgroup 3
wlan security splash-page-web-redir disable 1
wlan security splash-page-web-redir disable 2
wlan security splash-page-web-redir disable 3
wlan security splash-page-web-redir disable 4
wlan security splash-page-web-redir disable 6
wlan security splash-page-web-redir disable 7
wlan security splash-page-web-redir disable 11
wlan user-idle-threshold 70 1
wlan user-idle-threshold 70 2
wlan user-idle-threshold 70 3
wlan user-idle-threshold 70 4
wlan user-idle-threshold 70 6
wlan user-idle-threshold 70 7
wlan user-idle-threshold 70 11
wlan security web-auth server-precedence 6 radius
wlan security web-auth server-precedence 7 radius
wlan security wpa akm 802.1x enable 1
wlan security wpa akm 802.1x enable 3
wlan security wpa akm cckm enable 3
wlan security wpa akm 802.1x enable 4
wlan security wpa akm 802.1x enable 6
wlan security wpa akm 802.1x enable 7
wlan security wpa akm 802.1x enable 11
wlan security wpa akm cckm timestamp-tolerance 1000 1
wlan security wpa akm cckm timestamp-tolerance 1000 2
wlan security wpa akm cckm timestamp-tolerance 1000 3
wlan security wpa akm cckm timestamp-tolerance 1000 4
wlan security wpa akm cckm timestamp-tolerance 1000 6
wlan security wpa akm cckm timestamp-tolerance 1000 7
wlan security wpa akm cckm timestamp-tolerance 1000 11
wlan security ft over-the-ds disable 1
wlan security ft over-the-ds disable 2
wlan security ft over-the-ds disable 3
wlan security ft over-the-ds disable 4
wlan security ft over-the-ds disable 6
wlan security ft over-the-ds disable 7
wlan security wpa gtk-random disable 1
wlan security wpa gtk-random disable 2
wlan security wpa gtk-random disable 3
wlan security wpa gtk-random disable 4
wlan security wpa gtk-random disable 6
wlan security wpa gtk-random disable 7
wlan security wpa gtk-random disable 11
wlan security pmf association-comeback 1 1
wlan security pmf association-comeback 1 2
wlan security pmf association-comeback 1 3
wlan security pmf association-comeback 1 4
wlan security pmf association-comeback 1 6
wlan security pmf association-comeback 1 7
wlan security pmf association-comeback 1 11
wlan security pmf saquery-retrytimeout 200 1
wlan security pmf saquery-retrytimeout 200 2
wlan security pmf saquery-retrytimeout 200 3
wlan security pmf saquery-retrytimeout 200 4
wlan security pmf saquery-retrytimeout 200 6
wlan security pmf saquery-retrytimeout 200 7
wlan security pmf saquery-retrytimeout 200 11
wlan profiling radius dhcp disable 1
wlan profiling radius http disable 1
wlan profiling radius dhcp disable 2
wlan profiling radius http disable 2
wlan profiling radius dhcp disable 3
wlan profiling radius http disable 3
wlan profiling radius dhcp disable 4
wlan profiling radius http disable 4
wlan profiling radius dhcp disable 6
wlan profiling radius http disable 6
wlan profiling radius dhcp disable 7
wlan profiling radius http disable 7
wlan profiling radius dhcp disable 11
wlan profiling radius http disable 11
wlan apgroup hotspot venue type CPwE350-Flex-Ring01 0 0
wlan apgroup hotspot venue type CPwE350-Flex-Star01 0 0
wlan apgroup hotspot venue type CPwE350-Roam-central 0 0
wlan enable 1
wlan enable 2
wlan enable 3
wlan enable 4
wlan enable 6
wlan enable 7
license boot base
coredump disable
media-stream multicast-direct disable
media-stream message url
media-stream message email
media-stream message phone
media-stream message note denial
media-stream message state disable
802.11a media-stream multicast-direct enable
802.11b media-stream multicast-direct enable
802.11a media-stream multicast-direct radio-maximum 0
802.11b media-stream multicast-direct radio-maximum 0
802.11a media-stream multicast-direct client-maximum 0
802.11b media-stream multicast-direct client-maximum 0
802.11a media-stream multicast-direct admission-besteffort disable
802.11b media-stream multicast-direct admission-besteffort disable
802.11a media-stream video-redirect enable
802.11b media-stream video-redirect enable
ipv6 neighbor-binding timers reachable-lifetime 300
ipv6 neighbor-binding timers stale-lifetime 86400
ipv6 neighbor-binding timers down-lifetime 30
ipv6 neighbor-binding ra-throttle disable
ipv6 neighbor-binding ra-throttle allow at-least 1 at-most 1
ipv6 neighbor-binding ra-throttle max-through 10
ipv6 neighbor-binding ra-throttle throttle-period 600
ipv6 neighbor-binding ra-throttle interval-option passthrough
ipv6 ns-mcast-fwd disable
ipv6 na-mcast-fwd enable
ipv6 enable nmheartbeat disable
ipv6 slaac service-port disable
sys-nas
tunnel eogre heart-beat interval 30
tunnel eogre heart-beat primary-fallback-timeout 30
tunnel eogre heart-beat max-skip-count 5
tunnel gtpv2 heart-beat echo-request 60
tunnel gtpv2 heart-beat echo-response 1
tunnel gtpv2 heart-beat max-skip-count 5
WLAN Express Setup - False
(Cisco Controller) >

Example: Corporate Anchor WLC Configuration
This example shows the Corporate Anchor WLC configuration.
(Cisco Controller) >show run-config commands
802.11a 11nSupport a-mpdu tx scheduler enable
802.11a 11nSupport a-mpdu tx scheduler timeout rt 10
802.11a beacon range 0
802.11a rx-sop threshold auto default
802.11a cca threshold 0 default
802.11a multicast buffer 0
802.11a multicast data-rate 0 default
802.11a cac video cac-method static
802.11a channel global off
802.11a max-clients 200
802.11a txPower global 1
802.11a dfs-peakdetect enable
802.11b 11nSupport a-mpdu tx scheduler enable
802.11b 11nSupport a-mpdu tx scheduler timeout rt 10
802.11b beacon range 0
802.11b rx-sop threshold auto default
802.11b cca threshold 0 default
802.11b multicast buffer 0
802.11b multicast data-rate 0 default
802.11b cac video cac-method static
802.11b channel global off
802.11b max-clients 200
802.11b txPower global 1
aaa auth mgmt local radius
flexconnect fallback-radio-shut disable
acl create ACL_RDG_Only
acl apply ACL_RDG_Only
acl rule add ACL_RDG_Only 1
acl rule add ACL_RDG_Only 2
acl rule add ACL_RDG_Only 3
acl rule action ACL_RDG_Only 1 permit
acl rule action ACL_RDG_Only 2 permit
acl rule action ACL_RDG_Only 3 deny
acl rule destination address ACL_RDG_Only 1 10.1.2.3 255.255.255.255
acl rule destination address ACL_RDG_Only 2 0.0.0.0 0.0.0.0
acl rule destination address ACL_RDG_Only 3 0.0.0.0 0.0.0.0
acl rule destination port range ACL_RDG_Only 1 443 443
acl rule destination port range ACL_RDG_Only 2 0 65535
acl rule destination port range ACL_RDG_Only 3 0 65535
acl rule source address ACL_RDG_Only 1 0.0.0.0 0.0.0.0
acl rule source address ACL_RDG_Only 2 10.1.2.3 255.255.255.255
acl rule source address ACL_RDG_Only 3 0.0.0.0 0.0.0.0
acl rule source port range ACL_RDG_Only 1 0 65535
acl rule source port range ACL_RDG_Only 2 443 443
acl rule source port range ACL_RDG_Only 3 0 65535
acl rule direction ACL_RDG_Only 1 Any
acl rule direction ACL_RDG_Only 2 Any
acl rule direction ACL_RDG_Only 3 Any
acl rule dscp ACL_RDG_Only 1 Any
acl rule dscp ACL_RDG_Only 2 Any
acl rule dscp ACL_RDG_Only 3 Any
acl rule protocol ACL_RDG_Only 1 6
acl rule protocol ACL_RDG_Only 2 6
acl rule protocol ACL_RDG_Only 3 Any
acl apply ACL_RDG_Only
advanced 802.11a channel dca interval 0
advanced 802.11a channel dca anchor-time 0
advanced 802.11a channel dca chan-width-11n 20
advanced 802.11a channel dca sensitivity 15
advanced 802.11a channel dca min-metric -95
advanced 802.11a channel delete 20
advanced 802.11a channel delete 26
advanced 802.11a reporting neighbor 180
advanced 802.11a reporting interference 120
advanced 802.11b channel dca interval 0
advanced 802.11b channel dca anchor-time 0
advanced 802.11b channel dca sensitivity 10
advanced 802.11b channel dca min-metric -95
advanced 802.11b reporting neighbor 180
advanced 802.11b reporting interference 120
location info rogue extended
location rssi-half-life tags 0
location rssi-half-life client 0
location rssi-half-life rogue-aps 0
location expiry tags 5
location expiry client 5
location expiry calibrating-client 5
location expiry rogue-aps 5
advanced backup-controller primary
advanced backup-controller secondary
advanced backup-controller
advanced backup-controller
advanced sip-snooping-ports 0 0
advanced eap bcast-key-interval 3600
advanced 802.11-abgn pak-rssi-location threshold -100
advanced 802.11-abgn pak-rssi-location trigger-threshold 10
advanced 802.11-abgn pak-rssi-location reset-threshold 8
advanced 802.11-abgn pak-rssi-location ntp 10.13.15.241
advanced 802.11-abgn pak-rssi-location timeout 3
advanced hotspot cmbk-delay 50
ap syslog host global ::
ap dtls-cipher-suite RSA-AES128-SHA
cdp advertise-v2 enable
cts sxp disable
cts sxp connection default password ****
cts sxp retry period 120
cts sxp sxpversion 2
database size 2048
dhcp opt-82 remote-id ap-mac
local-auth method fast server-key ****
interface create corporate_employee_provisioning 182
interface create test 175
interface address dynamic-interface corporate_employee_provisioning 10.1.182.252 255.255.255.0 10.1.182.1
interface address management 10.1.3.78 255.255.255.0 10.1.3.1
interface address service-port 192.168.254.78 255.255.255.0
interface address dynamic-interface test 10.1.175.251 255.255.255.0 10.1.175.1
interface address virtual 1.1.1.1
interface dhcp dynamic-interface test primary 10.1.3.39
interface vlan corporate_employee_provisioning 182
interface vlan management 300
interface vlan test 175
interface nasid corporate_employee_provisioning
interface nasid test
interface port corporate_employee_provisioning 1
interface port management 1
interface port test 1
mdns snooping disable
mdns policy service-group create default-mdns-policy default-mdns-policy
mdns policy service-group user-role add default-mdns-policy admin
mdns profile create default-mdns-profile
mdns service create AirPrint _ipp._tcp.local. origin All LSS disable query enable
mdns service create AirTunes _raop._tcp.local. origin All LSS disable query enable
mdns service create AppleTV _airplay._tcp.local. origin All LSS disable query enable
mdns service create HP_Photosmart_Printer_1 _universal._sub._ipp._tcp.local. origin All LSS disable query enable
mdns service create HP_Photosmart_Printer_2 _cups._sub._ipp._tcp.local. origin All LSS disable query enable
mdns service create Printer _printer._tcp.local. origin All LSS disable query enable
mdns profile service add default-mdns-profile AirPrint
mdns profile service add default-mdns-profile AirTunes
mdns profile service add default-mdns-profile AppleTV
mdns profile service add default-mdns-profile HP_Photosmart_Printer_1
mdns profile service add default-mdns-profile HP_Photosmart_Printer_2
mdns profile service add default-mdns-profile Printer
mdns query interval 15
wlan mdns enable 6
wlan mdns profile 6 default-mdns-profile
ipv6 ra-guard ap enable
ipv6 capwap udplite enable all
ipv6 multicast mode unicast
load-balancing aggressive enable
load-balancing window 5
wlan apgroup add default-group
wlan apgroup add test test
wlan apgroup qinq tagging eap-sim-aka default-group enable
wlan apgroup qinq tagging eap-sim-aka test enable
wlan apgroup interface-mapping add default-group 6 corporate_employee_provisioning
wlan apgroup nac-snmp disable default-group 6
memory monitor errors enable
memory monitor leak thresholds 10000 30000
mesh security rad-mac-filter disable
mesh security rad-mac-filter disable
mesh security eap
mesh lsc advanced ap-provision open-window enable
mgmtuser add admin **** read-write
mobility group domain CPwE351
mobility group member add 3c:08:f6:cc:40:00 10.13.50.251 CPwE351
mobility group anchor add wlan 6 10.1.3.78
mobility group anchor add wlan 6
mobility dscp 0
network multicast igmp snooping enable
network multicast mld snooping enable
network ap-priority disabled
network web-auth captive-bypass enable
network rf-network-name CPwE351
network secureweb cipher-option rc4-preference disable
qos priority bronze background background background
qos priority gold video video video
qos priority platinum voice voice voice
qos priority silver besteffort besteffort besteffort
radius acct add 1 10.1.3.48 1813 ascii ****
radius acct add 2 10.13.48.32 1813 ascii ****
radius auth add 1 10.1.3.48 1812 ascii ****
radius auth add 2 10.13.48.32 1812 ascii ****
radius callStationIdType macaddr
radius auth callStationIdType ap-macaddr-ssid
radius auth rfc3576 enable 2
radius fallback-test mode off
radius fallback-test username cisco-probe
radius fallback-test interval 300
radius dns disable
tacacs dns disable
rogue detection report-interval 10
rogue detection min-rssi -128
rogue detection transient-rogue-interval 0
rogue detection client-threshold 0
rogue detection security-level custom
rogue ap ssid alarm
rogue ap valid-client alarm
rogue adhoc enable
rogue adhoc alert
rogue ap rldp disable
rogue auto-contain level 1
rogue containment flex-connect disable
rogue containment auto-rate disable
snmp version v2c enable
snmp version v3 enable
snmp snmpEngineId 00003763000036404e300d0a
snmp community ipsec ike auth-mode pre-shared-key ****
switchconfig strong-pwd case-check enabled
switchconfig strong-pwd consecutive-check enabled
switchconfig strong-pwd default-check enabled
switchconfig strong-pwd username-check enabled
switchconfig strong-pwd position-check disabled
switchconfig strong-pwd case-digit-check disabled
switchconfig strong-pwd minimum upper-case 0
switchconfig strong-pwd minimum lower-case 0
switchconfig strong-pwd minimum digits-chars 0
switchconfig strong-pwd minimum special-chars 0
switchconfig strong-pwd min-length 3
sysname WLC-Corporate-Anchor
stats-timer realtime 5
stats-timer normal 180
time ntp interval 3600
time ntp server 1 10.13.15.241
trapflags client nac-alert enable
trapflags ap ssidKeyConflict disable
trapflags ap timeSyncFailure disable
trapflags mfp disable
trapflags adjchannel-rogueap disable
trapflags mesh excessive hop count disable
trapflags mesh sec backhaul change disable
wlan create 6 Corporate_Employee_WLAN Corporate_Employee
wlan nac snmp disable 6
wlan nac radius enable 6
wlan interface 6 corporate_employee_provisioning
wlan multicast interface 6 disable
wlan aaa-override enable 6
wlan band-select allow disable 6
wlan load-balance allow disable 6
wlan multicast buffer disable 0 6
wlan session-timeout 6 1800
wlan flexconnect local-switching 6 disable
wlan flexconnect learn-ipaddr 6 enable
wlan radius_server auth add 6 2
wlan security splash-page-web-redir disable 6
wlan user-idle-threshold 70 6
wlan security web-auth server-precedence 6 radius
wlan security wpa akm 802.1x enable 6
wlan security wpa akm cckm timestamp-tolerance 1000 6
wlan security ft over-the-ds disable 6
wlan security wpa gtk-random disable 6
wlan security pmf association-comeback 1 6
wlan security pmf saquery-retrytimeout 200 6
wlan profiling radius dhcp disable 6
wlan profiling radius http disable 6
wlan apgroup hotspot venue type test 0 0
wlan enable 6
license boot base
WMM-AC disabled
coredump disable
media-stream multicast-direct disable
media-stream message url
media-stream message email
media-stream message phone
media-stream message note denial
media-stream message state disable
802.11a media-stream multicast-direct enable
802.11b media-stream multicast-direct enable
802.11a media-stream multicast-direct radio-maximum 0
802.11b media-stream multicast-direct radio-maximum 0
802.11a media-stream multicast-direct client-maximum 0
802.11b media-stream multicast-direct client-maximum 0
802.11a media-stream multicast-direct admission-besteffort disable
802.11b media-stream multicast-direct admission-besteffort disable
802.11a media-stream video-redirect enable
802.11b media-stream video-redirect enable
ipv6 neighbor-binding timers reachable-lifetime 300
ipv6 neighbor-binding timers stale-lifetime 86400
ipv6 neighbor-binding timers down-lifetime 30
ipv6 neighbor-binding ra-throttle disable
ipv6 neighbor-binding ra-throttle allow at-least 1 at-most 1
ipv6 neighbor-binding ra-throttle max-through 10
ipv6 neighbor-binding ra-throttle throttle-period 600
ipv6 neighbor-binding ra-throttle interval-option passthrough
ipv6 ns-mcast-fwd disable
ipv6 na-mcast-fwd enable
ipv6 enable nmheartbeat disable
ipv6 slaac service-port disable
sys-nas Cisco_31:36:44
(Cisco Controller) >

Example: Trusted Partner Anchor WLC Configuration
This example shows the Trusted Partner Anchor WLC configuration.
(Cisco Controller) >show run-config commands
802.11a 11nSupport a-mpdu tx scheduler enable
802.11a 11nSupport a-mpdu tx scheduler timeout rt 10
802.11a beacon range 0
802.11a rx-sop threshold auto default
802.11a cca threshold 0 default
802.11a multicast buffer 0
802.11a multicast data-rate 0 default
802.11a cac video cac-method static
802.11a channel global off
802.11a max-clients 200
802.11a txPower global 1
802.11a cleanair device enable radar
802.11a dfs-peakdetect enable
802.11b 11nSupport a-mpdu tx scheduler enable
802.11b 11nSupport a-mpdu tx scheduler timeout rt 10
802.11b beacon range 0
802.11b rx-sop threshold auto default
802.11b cca threshold 0 default
802.11b multicast buffer 0
802.11b multicast data-rate 0 default
802.11b cac video cac-method static
802.11b channel global off
802.11b max-clients 200
802.11b txPower global 1
aaa auth mgmt local radius
flexconnect fallback-radio-shut disable
acl create ACL_RDG_Only
acl apply ACL_RDG_Only
acl rule add ACL_RDG_Only 1
acl rule add ACL_RDG_Only 2
acl rule add ACL_RDG_Only 3
acl rule add ACL_RDG_Only 4
acl rule action ACL_RDG_Only 1 permit
acl rule action ACL_RDG_Only 2 permit
acl rule action ACL_RDG_Only 3 permit
acl rule action ACL_RDG_Only 4 deny
acl rule destination address ACL_RDG_Only 1 0.0.0.0 0.0.0.0
acl rule destination address ACL_RDG_Only 2 10.1.2.3 255.255.255.255
acl rule destination address ACL_RDG_Only 3 0.0.0.0 0.0.0.0
acl rule destination address ACL_RDG_Only 4 0.0.0.0 0.0.0.0
acl rule destination port range ACL_RDG_Only 1 0 65535
acl rule destination port range ACL_RDG_Only 2 0 65535
acl rule destination port range ACL_RDG_Only 3 0 65535
acl rule destination port range ACL_RDG_Only 4 0 65535
acl rule source address ACL_RDG_Only 1 0.0.0.0 0.0.0.0
acl rule source address ACL_RDG_Only 2 0.0.0.0 0.0.0.0
acl rule source address ACL_RDG_Only 3 10.1.2.3 255.255.255.255
acl rule source address ACL_RDG_Only 4 0.0.0.0 0.0.0.0
acl rule source port range ACL_RDG_Only 1 0 65535
acl rule source port range ACL_RDG_Only 2 0 65535
acl rule source port range ACL_RDG_Only 3 0 65535
acl rule source port range ACL_RDG_Only 4 0 65535
acl rule direction ACL_RDG_Only 1 Any
acl rule direction ACL_RDG_Only 2 Any
acl rule direction ACL_RDG_Only 3 Any
acl rule direction ACL_RDG_Only 4 Any
acl rule dscp ACL_RDG_Only 1 Any
acl rule dscp ACL_RDG_Only 2 Any
acl rule dscp ACL_RDG_Only 3 Any
acl rule dscp ACL_RDG_Only 4 Any
acl rule protocol ACL_RDG_Only 1 Any
acl rule protocol ACL_RDG_Only 2 Any
acl rule protocol ACL_RDG_Only 3 Any
acl rule protocol ACL_RDG_Only 4 Any
acl apply ACL_RDG_Only
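The two ACL_RDG_Only listings in this appendix (the three-rule Corporate Anchor version and the four-rule Trusted Partner Anchor version) are first-match rule sets, so their effect depends entirely on rule order. The following evaluator is an added example, not part of the DIG or of any Cisco tool; it transcribes both rule sets from the listings, evaluates constructed sample flows against them, and flags rules that can never be reached. Note that in the Trusted Partner listing rule 1 has any source, any destination, ports 0 to 65535 and protocol Any, so rules 2 to 4 are never consulted; the Corporate Anchor listing admits only TCP/443 to and from 10.1.2.3 before its deny. The implicit deny at the end of a WLC ACL is modelled as an assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

ANY_ADDR = "0.0.0.0 0.0.0.0"   # WLC "address netmask" form; an all-zero mask matches every host
ANY_PORT = (0, 65535)           # WLC port range 0..65535 matches every port


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str                  # "permit" or "deny"
    src: str                     # "address netmask"
    dst: str                     # "address netmask"
    src_ports: Tuple[int, int]   # inclusive range
    dst_ports: Tuple[int, int]   # inclusive range
    protocol: str                # IP protocol number as a string ("6" = TCP) or "Any"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: int                # 6 = TCP, 17 = UDP


def addr_matches(spec: str, ip: str) -> bool:
    """True when ip falls inside the WLC 'address netmask' specification."""
    address, netmask = spec.split()
    network = ipaddress.ip_network(f"{address}/{netmask}", strict=False)
    return ipaddress.ip_address(ip) in network


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    # Every rule on this page has direction Any and DSCP Any, so those fields are not modelled.
    if rule.protocol != "Any" and int(rule.protocol) != pkt.protocol:
        return False
    return (addr_matches(rule.src, pkt.src_ip)
            and addr_matches(rule.dst, pkt.dst_ip)
            and rule.src_ports[0] <= pkt.src_port <= rule.src_ports[1]
            and rule.dst_ports[0] <= pkt.dst_port <= rule.dst_ports[1])


def evaluate(rules: Sequence[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule in sequence order wins; no match falls to the
    implicit deny (assumed WLC behaviour), reported with sequence None."""
    for rule in sorted(rules, key=lambda r: r.seq):
        if rule_matches(rule, pkt):
            return rule.action, rule.seq
    return "deny", None


def is_catch_all(rule: Rule) -> bool:
    return (rule.src == ANY_ADDR and rule.dst == ANY_ADDR
            and rule.src_ports == ANY_PORT and rule.dst_ports == ANY_PORT
            and rule.protocol == "Any")


def unreachable_rules(rules: Sequence[Rule]) -> List[int]:
    """Sequence numbers of rules that can never match because an earlier rule matches every packet."""
    ordered = sorted(rules, key=lambda r: r.seq)
    for i, rule in enumerate(ordered):
        if is_catch_all(rule):
            return [r.seq for r in ordered[i + 1:]]
    return []


# ACL_RDG_Only as listed for the Corporate Anchor WLC: TCP/443 to and from 10.1.2.3, then deny.
CORPORATE_ANCHOR_ACL = [
    Rule(1, "permit", ANY_ADDR, "10.1.2.3 255.255.255.255", ANY_PORT, (443, 443), "6"),
    Rule(2, "permit", "10.1.2.3 255.255.255.255", ANY_ADDR, (443, 443), ANY_PORT, "6"),
    Rule(3, "deny", ANY_ADDR, ANY_ADDR, ANY_PORT, ANY_PORT, "Any"),
]

# ACL_RDG_Only as listed for the Trusted Partner Anchor WLC: every rule is protocol Any, ports 0-65535.
TRUSTED_PARTNER_ANCHOR_ACL = [
    Rule(1, "permit", ANY_ADDR, ANY_ADDR, ANY_PORT, ANY_PORT, "Any"),
    Rule(2, "permit", ANY_ADDR, "10.1.2.3 255.255.255.255", ANY_PORT, ANY_PORT, "Any"),
    Rule(3, "permit", "10.1.2.3 255.255.255.255", ANY_ADDR, ANY_PORT, ANY_PORT, "Any"),
    Rule(4, "deny", ANY_ADDR, ANY_ADDR, ANY_PORT, ANY_PORT, "Any"),
]

if __name__ == "__main__":
    # Constructed sample flows from a provisioning-VLAN client; client addresses are illustrative.
    to_443 = Packet("10.1.182.50", "10.1.2.3", 51000, 443, 6)
    to_80 = Packet("10.1.182.50", "10.1.2.3", 51001, 80, 6)
    print("corporate, TCP/443 to 10.1.2.3:", evaluate(CORPORATE_ANCHOR_ACL, to_443))
    print("corporate, TCP/80 to 10.1.2.3: ", evaluate(CORPORATE_ANCHOR_ACL, to_80))
    print("trusted partner, same TCP/80:  ", evaluate(TRUSTED_PARTNER_ANCHOR_ACL, to_80))
    print("trusted partner, unreachable:  ", unreachable_rules(TRUSTED_PARTNER_ANCHOR_ACL))
```

Running the script shows the corporate rule set permitting only the TCP/443 flow while the trusted partner rule set permits the TCP/80 flow at rule 1 and reports rules 2, 3 and 4 as unreachable.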
advanced 802.11a channel dca interval 0
advanced 802.11a channel dca anchor-time 0
advanced 802.11a channel dca chan-width-11n 20
advanced 802.11a channel dca sensitivity 15
advanced 802.11a channel dca min-metric -95
advanced 802.11a channel delete 20
advanced 802.11a channel delete 26
advanced 802.11a reporting neighbor 180
advanced 802.11a reporting interference 120
advanced 802.11b channel dca interval 0
advanced 802.11b channel dca anchor-time 0
advanced 802.11b channel dca sensitivity 10
advanced 802.11b channel dca min-metric -95
advanced 802.11b reporting neighbor 180
advanced 802.11b reporting interference 120
location info rogue extended
location rssi-half-life tags 0
location rssi-half-life client 0
location rssi-half-life rogue-aps 0
location expiry tags 5
location expiry client 5
location expiry calibrating-client 5
location expiry rogue-aps 5
advanced backup-controller primary
advanced backup-controller secondary
advanced backup-controller
advanced backup-controller
advanced sip-snooping-ports 0 0
advanced eap bcast-key-interval 3600
advanced 802.11-abgn pak-rssi-location threshold -100
advanced 802.11-abgn pak-rssi-location trigger-threshold 10
Deploying Identity Services within a Converged Plantwide Ethernet Architecture
B-20
ENET-TD008A-EN-P
Appendix B
Configuration Examples Example: Trusted Partner Anchor WLC Configuration
advanced advanced advanced advanced
802.11-abgn pak-rssi-location reset-threshold 8 802.11-abgn pak-rssi-location ntp 10.13.15.241 802.11-abgn pak-rssi-location timeout 3 hotspot cmbk-delay 50
ap syslog host global :: ap dtls-cipher-suite RSA-AES128-SHA cdp advertise-v2 enable cts sxp disable cts sxp connection default password ****cts sxp retry period 120cts sxp sxpversion 2database size 2048 dhcp opt-82 remote-id ap-mac local-auth method fast server-key **** interface create dhcp_test 175 interface create trusted_partners_provisioning 183 interface address dynamic-interface dhcp_test 10.1.175.252 255.255.255.0 10.1.175.1 interface address management 10.1.4.77 255.255.255.0 10.1.4.1 interface address service-port 192.168.254.77 255.255.255.0 interface address dynamic-interface trusted_partners_provisioning 10.1.183.252 255.255.255.0 10.1.183.1 interface address virtual 1.1.1.1 interface dhcp management primary 10.1.3.1 interface dhcp management option-82 enable interface vlan dhcp_test 175 interface vlan management 400 interface vlan trusted_partners_provisioning 183 interface nasid dhcp_test interface nasid trusted_partners_provisioning interface port dhcp_test 1 interface port management 1 interface port trusted_partners_provisioning 1 mdns snooping disable mdns policy service-group create default-mdns-policy default-mdns-policy mdns policy service-group user-role add default-mdns-policy admin mdns profile create default-mdns-profile mdns service create AirPrint _ipp._tcp.local. origin All LSS disable query enable mdns service create AirTunes _raop._tcp.local. origin All LSS disable query enable mdns service create AppleTV _airplay._tcp.local. origin All LSS disable query enable mdns service create HP_Photosmart_Printer_1 _universal._sub._ipp._tcp.local. origin All LSS disable query enable mdns service create HP_Photosmart_Printer_2 _cups._sub._ipp._tcp.local. origin All LSS disable query enable mdns service create Printer _printer._tcp.local. 
origin All LSS disable query enable mdns profile service add default-mdns-profile AirPrint mdns profile service add default-mdns-profile AirTunes mdns profile service add default-mdns-profile AppleTV mdns profile service add default-mdns-profile HP_Photosmart_Printer_1 mdns profile service add default-mdns-profile HP_Photosmart_Printer_2 mdns profile service add default-mdns-profile Printer mdns query interval 15 wlan mdns enable 4 wlan mdns profile 4 default-mdns-profile ipv6 ra-guard ap enable ipv6 capwap udplite enable all ipv6 multicast mode unicast load-balancing aggressive enable load-balancing window 5
Deploying Identity Services within a Converged Plantwide Ethernet Architecture ENET-TD008A-EN-P
B-21
Appendix B
Configuration Examples
Example: Trusted Partner Anchor WLC Configuration
wlan wlan wlan wlan wlan wlan
apgroup apgroup apgroup apgroup apgroup apgroup
add Dhcp_guest "for testing" add default-group qinq tagging eap-sim-aka Dhcp_guest enable qinq tagging eap-sim-aka default-group enable interface-mapping add default-group 4 trusted_partners_provisioning nac-snmp disable default-group 4
memory monitor errors enable memory monitor leak thresholds 10000 30000 mesh security rad-mac-filter disable mesh security rad-mac-filter disable mesh security eap mesh lsc advanced ap-provision open-window enable mgmtuser add admin **** read-write mobility group domain CPwE351 mobility group member add 3c:08:f6:cc:40:00 10.13.50.251 CPwE351 mobility dscp 0 network network network network network network network qos qos qos qos
multicast igmp snooping enable multicast mld snooping enable ap-priority disabled web-auth captive-bypass enable fast-ssid-change enable rf-network-name CPwE351 secureweb cipher-option rc4-preference disable
priority priority priority priority
radius radius radius radius radius radius radius radius radius radius radius rogue rogue rogue rogue rogue rogue rogue rogue rogue rogue rogue rogue
bronze background background background gold video video video platinum voice voice voice silver besteffort besteffort besteffort
acct add 1 10.1.3.48 1813 ascii **** acct add 2 10.13.48.32 1813 ascii **** auth add 1 10.1.3.48 1812 ascii **** auth add 2 10.13.48.32 1812 ascii **** callStationIdType macaddr auth callStationIdType ap-macaddr-ssid auth rfc3576 enable 1 fallback-test mode off fallback-test username cisco-probe fallback-test interval 300 dns disabletacacs dns disable detection report-interval 10 detection min-rssi -128 detection transient-rogue-interval 0 detection client-threshold 0 detection security-level customrogue ap ssid alarm ap valid-client alarm adhoc enable adhoc alert ap rldp disable auto-contain level 1 containment flex-connect disable containment auto-rate disablesnmp version v2c enable
snmp version v3 enable snmp snmpEngineId 0000376300000ea04d04010a snmp community ipsec ike auth-mode pre-shared-key **** switchconfig strong-pwd case-check enabled
Deploying Identity Services within a Converged Plantwide Ethernet Architecture
B-22
ENET-TD008A-EN-P
Appendix B
Configuration Examples Example: Trusted Partner Anchor WLC Configuration
switchconfig strong-pwd consecutive-check enabled switchconfig strong-pwd default-check enabled switchconfig strong-pwd username-check enabled
switchconfig strong-pwd position-check disabled switchconfig strong-pwd case-digit-check disabled switchconfig strong-pwd minimum upper-case 0 switchconfig strong-pwd minimum lower-case 0 switchconfig strong-pwd minimum digits-chars 0 switchconfig strong-pwd minimum special-chars 0 switchconfig strong-pwd min-length 3 sysname WLC-Guest-Anchor stats-timer realtime 5 stats-timer normal 180 time ntp interval 3600 time ntp server 1 10.13.15.241 trapflags client nac-alert enable trapflags ap ssidKeyConflict disable trapflags ap timeSyncFailure disable trapflags mfp disable
trapflags adjchannel-rogueap disable trapflags mesh excessive hop count disable trapflags mesh sec backhaul change disable wlan create 4 Trusted_Partners_WLAN Trusted_Partners wlan nac snmp disable 4 wlan wlan wlan wlan wlan wlan
nac radius enable 4 interface 4 trusted_partners_provisioning multicast interface 4 disable aaa-override enable 4 band-select allow disable 4 load-balance allow disable 4
wlan multicast buffer disable 0 4 wlan session-timeout 4 1800 wlan flexconnect local-switching 4 disable wlan flexconnect learn-ipaddr 4 enable wlan radius_server auth add 4 2 wlan security splash-page-web-redir disable 4 wlan user-idle-threshold 70 4 wlan security wpa akm 802.1x enable 4 wlan security wpa akm cckm timestamp-tolerance wlan security ft over-the-ds disable 4 wlan security wpa gtk-random disable 4 wlan security pmf association-comeback 1 4 wlan security pmf saquery-retrytimeout 200 4 wlan profiling radius dhcp disable 4 wlan profiling radius http disable 4 wlan apgroup hotspot venue type Dhcp_guest 0 0 wlan enable 4 license boot base WMM-AC disabled
1000 4
coredump disable media-stream media-stream media-stream media-stream
multicast-direct disable message url message email message phone
Deploying Identity Services within a Converged Plantwide Ethernet Architecture ENET-TD008A-EN-P
B-23
Appendix B
Configuration Examples
Example: IES Access Switch Configuration
media-stream message note denial media-stream message state disable 802.11a media-stream multicast-direct enable 802.11b media-stream multicast-direct enable 802.11a media-stream multicast-direct radio-maximum 0 802.11b media-stream multicast-direct radio-maximum 0 802.11a media-stream multicast-direct client-maximum 0 802.11b media-stream multicast-direct client-maximum 0 802.11a media-stream multicast-direct admission-besteffort disable 802.11b media-stream multicast-direct admission-besteffort disable 802.11a media-stream video-redirect enable 802.11b media-stream video-redirect enable ipv6 ipv6 ipv6 ipv6 ipv6 ipv6 ipv6 ipv6 ipv6 ipv6 ipv6
neighbor-binding timers reachable-lifetime 300 neighbor-binding timers stale-lifetime 86400 neighbor-binding timers down-lifetime 30 neighbor-binding ra-throttle disable neighbor-binding ra-throttle allow at-least 1 at-most 1 neighbor-binding ra-throttle max-through 10 neighbor-binding ra-throttle throttle-period 600 neighbor-binding ra-throttle interval-option passthrough ns-mcast-fwd disable na-mcast-fwd enable enable
nmheartbeat disable ipv6 slaac service-port disable sys-nas Cisco_5f:0e:a4 (Cisco Controller) >
Example: IES Access Switch Configuration

This example shows the IES access switch configuration.

Current configuration : 13499 bytes
!
! Last configuration change at 12:14:08 EDT Tue May 12 2015
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$SN29$HqWnhKsfLDJFuOkEvtBLZ1
!
username password <password>
aaa new-model
!
!
aaa group server tacacs+ TACACS-SERVERS
 server name TACACS-SERVER-1
!
aaa authentication login default group TACACS-SERVERS local
aaa authentication dot1x default group radius
aaa authorization console
aaa authorization exec default group TACACS-SERVERS local
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
aaa session-id common
clock timezone EST -5 0
clock summer-time EDT recurring
system mtu routing 1500
!
ip domain-name cpwe-ra-cisco.local
ip name-server 10.13.48.26
ptp mode forward
rep admin vlan 800
vtp domain CPwE350
vtp mode transparent
!
mls qos map policed-dscp 24 27 31 43 46 47 55 59 to 0
mls qos map dscp-cos 9 11 12 13 14 15 to 0
mls qos map dscp-cos 25 26 28 29 30 to 2
mls qos map dscp-cos 40 41 42 44 45 49 50 51 to 4
mls qos map dscp-cos 52 53 54 56 57 58 60 61 to 4
mls qos map dscp-cos 62 63 to 4
mls qos map cos-dscp 0 8 16 27 32 47 55 59
mls qos srr-queue input bandwidth 40 60
mls qos srr-queue input threshold 1 16 66
mls qos srr-queue input threshold 2 34 66
mls qos srr-queue input buffers 40 60
mls qos srr-queue input cos-map queue 1 threshold 2 1
mls qos srr-queue input cos-map queue 1 threshold 3 0 2
mls qos srr-queue input cos-map queue 2 threshold 2 4
mls qos srr-queue input cos-map queue 2 threshold 3 3 5 6 7
mls qos srr-queue input dscp-map queue 1 threshold 2 8 10
mls qos srr-queue input dscp-map queue 1 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue input dscp-map queue 1 threshold 3 9 11 12 13 14 15 16 17
mls qos srr-queue input dscp-map queue 1 threshold 3 18 19 20 21 22 23 25 26
mls qos srr-queue input dscp-map queue 1 threshold 3 28 29 30
mls qos srr-queue input dscp-map queue 2 threshold 2 32 33 34 35 36 37 38 39
mls qos srr-queue input dscp-map queue 2 threshold 2 40 41 42 44 45 49 50 51
mls qos srr-queue input dscp-map queue 2 threshold 2 52 53 54 56 57 58 60 61
mls qos srr-queue input dscp-map queue 2 threshold 2 62 63
mls qos srr-queue input dscp-map queue 2 threshold 3 24 27 31 43 46 47 48 55
mls qos srr-queue input dscp-map queue 2 threshold 3 59
mls qos srr-queue output cos-map queue 1 threshold 3 7
mls qos srr-queue output cos-map queue 2 threshold 2 1
mls qos srr-queue output cos-map queue 2 threshold 3 0 2 4
mls qos srr-queue output cos-map queue 3 threshold 3 5 6
mls qos srr-queue output cos-map queue 4 threshold 3 3
mls qos srr-queue output dscp-map queue 1 threshold 3 59
mls qos srr-queue output dscp-map queue 2 threshold 2 8 10
mls qos srr-queue output dscp-map queue 2 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue output dscp-map queue 2 threshold 3 9 11 12 13 14 15 16 17
mls qos srr-queue output dscp-map queue 2 threshold 3 18 19 20 21 22 23 25 26
mls qos srr-queue output dscp-map queue 2 threshold 3 28 29 30 32 33 34 35 36
mls qos srr-queue output dscp-map queue 2 threshold 3 37 38 39 40 41 42 44 45
mls qos srr-queue output dscp-map queue 2 threshold 3 49 50 51 52 53 54 56 57
mls qos srr-queue output dscp-map queue 2 threshold 3 58 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 43 46 47 48 55
mls qos srr-queue output dscp-map queue 4 threshold 3 24 27 31
mls qos queue-set output 1 buffers 10 25 40 25
mls qos queue-set output 2 buffers 10 25 40 25
no mls qos rewrite ip dscp
mls qos
!
crypto pki trustpoint TP-self-signed-4135611392
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4135611392
 revocation-check none
 rsakeypair TP-self-signed-4135611392
!
crypto pki trustpoint cpwe3.5.1
 enrollment terminal pem
 serial-number
 ip-address 10.40.93.140
 revocation-check none
 rsakeypair cpwe3.5.1 2048
!
!
crypto pki certificate chain TP-self-signed-4135611392
 certificate self-signed 01
  <certificate hex data omitted>
  quit
crypto pki certificate chain cpwe3.5.1
 certificate ca 69A16061433F31A64F68B1C00B20E117
  <certificate hex data omitted>
  quit
dot1x system-auth-control
spanning-tree mode pvst
spanning-tree extend system-id
!
alarm profile defaultPort
 alarm not-operating
 syslog not-operating
 notifies not-operating
!
!
vlan internal allocation policy ascending
!
vlan 148,181-186
!
vlan 200
 name REP#1
!
vlan 351
 name default VLAN for convenience port
!
vlan 800
 name Native-Vlan
!
vlan 4093
 name RADIUS
!
lldp run
!
class-map match-all 1588-PTP-General
 match access-group 107
class-map match-all 1588-PTP-Event
 match access-group 106
class-map match-all CIP-Implicit_dscp_any
 match access-group 104
class-map match-all CIP-Other
 match access-group 105
class-map match-all voip-data
 match ip dscp ef
class-map match-all voip-control
 match ip dscp cs3 af31
class-map match-all default-data
 match access-group name default-data-acl
class-map match-all CIP-Implicit_dscp_43
 match access-group 103
class-map match-all CIP-Implicit_dscp_55
 match access-group 101
class-map match-all CIP-Implicit_dscp_47
 match access-group 102
!
policy-map Voice-Map
 class voip-data
  set dscp ef
  police 128000 8000 exceed-action policed-dscp-transmit
 class voip-control
  set dscp cs3
  police 32000 8000 exceed-action policed-dscp-transmit
 class default-data
  set dscp default
  police 10000000 8000 exceed-action policed-dscp-transmit
policy-map CIP-PTP-Traffic
 class CIP-Implicit_dscp_55
  set ip dscp 55
 class CIP-Implicit_dscp_47
  set ip dscp 47
 class CIP-Implicit_dscp_43
  set ip dscp 43
 class CIP-Implicit_dscp_any
  set ip dscp 31
 class CIP-Other
  set ip dscp 27
 class 1588-PTP-Event
  set ip dscp 59
 class 1588-PTP-General
  set ip dscp 47
!
interface FastEthernet1/1
!
interface FastEthernet1/2
!
interface FastEthernet1/3
!
interface FastEthernet1/4
 description convenience port
 switchport access vlan 351
 switchport mode access
 ip access-group ACL-DEFAULT in
 authentication host-mode multi-host
 authentication order dot1x
 authentication priority dot1x
 authentication port-control auto
 authentication violation restrict
 dot1x pae authenticator
 dot1x timeout tx-period 3
!
interface FastEthernet1/5
!
interface FastEthernet1/6
!
interface FastEthernet1/7
!
interface FastEthernet1/8
!
interface FastEthernet1/9
 description to IACS CLX_B09 temp
 switchport access vlan 200
 switchport mode access
 load-interval 30
 srr-queue bandwidth share 1 19 40 40
 priority-queue out
 service-policy input CIP-PTP-Traffic
!
interface FastEthernet1/10
 description to IACS PIO_09 temp
 switchport access vlan 200
 switchport mode access
 load-interval 30
 srr-queue bandwidth share 1 19 40 40
 priority-queue out
 service-policy input CIP-PTP-Traffic
!
interface FastEthernet1/11
 description to IACS CLX_B10 temp
 switchport access vlan 200
 switchport mode access
 load-interval 30
 srr-queue bandwidth share 1 19 40 40
 priority-queue out
 service-policy input CIP-PTP-Traffic
!
interface FastEthernet1/12
 description to IACS PIO_10 temp
 switchport access vlan 200
 switchport mode access
 load-interval 30
 srr-queue bandwidth share 1 19 40 40
 priority-queue out
 service-policy input CIP-PTP-Traffic
!
interface FastEthernet1/13
!
interface FastEthernet1/14
!
interface FastEthernet1/15
!
interface FastEthernet1/16
!
interface GigabitEthernet1/1
 description to WS3750-Ring int gi 2/1/1
 switchport trunk native vlan 800
 switchport trunk allowed vlan 148,181-186,200,351,800,4093
 switchport mode trunk
 load-interval 30
 srr-queue bandwidth share 1 19 40 40
 priority-queue out
 rep segment 200
 mls qos trust cos
!
interface GigabitEthernet1/2
 description trunk uplink interface
 switchport trunk native vlan 800
 switchport trunk allowed vlan 148,181-186,200,351,800,4093
 switchport mode trunk
 load-interval 30
 srr-queue bandwidth share 1 19 40 40
 priority-queue out
 rep segment 200
 mls qos trust cos
!
interface Vlan1
 no ip address
!
interface Vlan148
 ip address 10.13.51.6 255.255.255.0
 ip helper-address 10.13.48.26
!
interface Vlan181
 ip address 10.20.181.6 255.255.255.0
 ip helper-address 10.13.48.26
!
interface Vlan182
 ip address 10.20.182.6 255.255.255.0
 ip helper-address 10.13.48.26
!
interface Vlan183
 ip address 10.20.183.6 255.255.255.0
 ip helper-address 10.13.48.26
!
interface Vlan184
 ip address 10.20.184.6 255.255.255.0
 ip helper-address 10.13.48.26
!
interface Vlan185
 ip address 10.20.185.6 255.255.255.0
 ip helper-address 10.13.48.26
!
interface Vlan186
 ip address 10.20.186.6 255.255.255.0
 ip helper-address 10.13.48.26
!
interface Vlan200
 ip address 10.20.10.6 255.255.255.0
!
interface Vlan4093
 ip address 10.40.93.140 255.255.255.0
!
ip default-gateway 10.40.93.1
ip http server
ip http secure-server
!
ip access-list extended ACL-DEFAULT
 permit udp any eq bootpc any eq bootps log
 permit udp any host 10.13.48.26 eq domain
 permit icmp any any
 permit udp any any eq tftp
 permit ip any any log
ip radius source-interface Vlan4093
access-list 101 permit udp any eq 2222 any dscp 55
access-list 102 permit udp any eq 2222 any dscp 47
access-list 103 permit udp any eq 2222 any dscp 43
access-list 104 permit udp any eq 2222 any
access-list 105 permit udp any eq 44818 any
access-list 105 permit tcp any eq 44818 any
access-list 106 permit udp any eq 319 any
access-list 107 permit udp any eq 320 any
snmp-server enable traps rep
tacacs server TACACS-SERVER-1
 address ipv4 192.168.254.24
 key 7 01200307490E12242455
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
!
radius server ISE
 address ipv4 10.13.48.32 auth-port 1812 acct-port 1813
 timeout 5
 retransmit 3
 key 7 106D580A061843595F
!
line con 0
line vty 0 4
 exec-timeout 0 0
 transport preferred none
 transport input ssh
line vty 5 15
 exec-timeout 0 0
 transport preferred none
 transport input ssh
!
ntp server 10.13.15.254
end
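As an added example (not code from the CPwE guide), the Python script below parses an IOS running-config of the shape shown above into sections and flags the 802.1X and management settings a reviewer would check: access ports without port-control auto, a pre-auth ACL that ends in permit ip any any, type 7 keys, exec-timeout 0 0 on vty lines, and cleartext HTTP management. The embedded sample config is a constructed, abridged excerpt of this IES access switch example with the key material replaced by placeholders.

```python
# Added example: review an IOS access-switch running-config for the 802.1X
# and management settings that matter in the IES example. Not part of the
# CPwE guide.

# Constructed sample: abridged from the IES access switch configuration above,
# with the type 7 key replaced by an obvious placeholder.
SAMPLE_CONFIG = """\
version 15.2
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
!
interface FastEthernet1/4
 switchport access vlan 351
 switchport mode access
 ip access-group ACL-DEFAULT in
 authentication host-mode multi-host
 authentication port-control auto
!
interface FastEthernet1/9
 switchport access vlan 200
 switchport mode access
!
ip http server
ip http secure-server
!
ip access-list extended ACL-DEFAULT
 permit udp any eq bootpc any eq bootps log
 permit udp any host 10.13.48.26 eq domain
 permit udp any any eq tftp
 permit ip any any log
!
tacacs server TACACS-SERVER-1
 address ipv4 192.168.254.24
 key 7 PLACEHOLDER-TYPE7-KEY
!
line vty 0 4
 exec-timeout 0 0
end
"""


def parse_sections(config):
    """Split an IOS config into (header, [indented child lines]) pairs.

    Unindented lines start a section; indented lines belong to the section
    that precedes them; blank and '!' lines are skipped."""
    sections, current = [], None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            sections.append(current)
    return sections


def audit(config):
    """Return a list of review findings for an access-switch running-config."""
    findings = []
    sections = parse_sections(config)
    headers = {h for h, _ in sections}
    if "dot1x system-auth-control" not in headers:
        findings.append("802.1X not enabled globally (dot1x system-auth-control)")
    for header, body in sections:
        if header.startswith("interface ") and "switchport mode access" in body:
            if "authentication port-control auto" not in body:
                findings.append(f"{header}: access port without 802.1X (port-control auto)")
            elif "ip access-group ACL-DEFAULT in" not in body:
                findings.append(f"{header}: 802.1X port without the pre-auth ACL")
        elif header.startswith("line vty") and "exec-timeout 0 0" in body:
            findings.append(f"{header}: idle timeout disabled (exec-timeout 0 0)")
        elif (header.startswith("ip access-list extended") and body
              and body[-1].startswith("permit ip any any")):
            findings.append(f"{header}: ends with permit ip any any, restricts nothing")
        # Type 7 is reversible obfuscation, not encryption; type 6 (AES) needs a config-key.
        for line in body:
            if line.startswith("key 7 "):
                findings.append(f"{header}: type 7 key is reversible, prefer type 6")
    if "ip http server" in headers:
        findings.append("ip http server: cleartext HTTP management enabled")
    return findings
```

Run `audit(SAMPLE_CONFIG)` to get five findings for the sample; FastEthernet1/4 passes because it has both port-control auto and the pre-auth ACL.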
Appendix C
Test Hardware and Software

The hardware and software components listed in Table C-1 were used in CPwE Identity Services testing.

Table C-1 Test Hardware and Software

| Role | Product | SW Version | Notes |
|---|---|---|---|
| IES Access Switch | Cisco IE 2000, Stratix 5700™ | 15.2(3)EA (Cisco), 15.2(3)EA (RA) | Cisco to test with IE2000, Rockwell Automation to test Stratix 5700 |
| IES Access Switch | Cisco IE 3000, Stratix 8000™ | 15.2(3)EA (Cisco), 15.2(3)EA (RA) | Cisco to test with IE3000, Rockwell Automation to test Stratix 8000 |
| Access Point | Aironet 3602E | 12.4(23)JY | Light Weight Access Point |
| Wireless LAN Controller (WLC) | Cisco 5508 | 8.0.100.0 | |
| Distribution Switch | Catalyst 3750-X | 15.2(3)E | Switch stack |
| Core Switch | Catalyst 6500 | 15.1(2)SY4 | Virtual Switching System (VSS) |
| Core Switch | Catalyst 4500E | 3.6.1E | Virtual Switching System (VSS) |
| Firewall | ASA 5515-X | 9.3(1) | Active and standby |
| Policy Server | ISE 3415, ISE 3495 | 1.3 | Distributed ISE |
| Client | Microsoft Windows Laptop | Windows 7 | |
Cisco is the worldwide leader in networking that transforms how people connect, communicate and collaborate. Information about Cisco can be found at www.cisco.com. For ongoing news, please go to http://newsroom.cisco.com. Cisco equipment in Europe is supplied by Cisco Systems International BV, a wholly owned subsidiary of Cisco Systems, Inc.
www.cisco.com Americas Headquarters Cisco Systems, Inc. San Jose, CA
Asia Pacific Headquarters Cisco Systems (USA) Pte. Ltd. Singapore
Europe Headquarters Cisco Systems International BV Amsterdam, The Netherlands
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices. CCDE, CCENT, Cisco Eos, Cisco HealthPresence, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0812R)
Rockwell Automation is a leading provider of power, control and information solutions that enable customers to get products to market faster, reduce their total cost of ownership, better utilize plant assets, and minimize risks in their manufacturing environments.
www.rockwellautomation.com Americas: Rockwell Automation 1201 South Second Street Milwaukee, WI 53204-2496 USA Tel: (1) 414.382.2000, Fax: (1) 414.382.4444
Asia Pacific: Rockwell Automation Level 14, Core F, Cyberport 3 100 Cyberport Road, Hong Kong Tel: (852) 2887 4788, Fax: (852) 2508 1846
FactoryTalk, Stratix™, Stratix 8000, Stratix 5700 and Studio 5000 Logix Designer are trademarks of Rockwell Automation, Inc. Trademarks not belonging to Rockwell Automation are property of their respective companies. © 2015 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights reserved.
Europe/Middle East/Africa: Rockwell Automation Vorstlaan/Boulevard du Souverain 36 1170 Brussels, Belgium Tel: (32) 2 663 0600, Fax: (32) 2 663 0640 Publication ENET-TD008A-EN-P June 2015