Introduction

Configuring a wireless controller for 802.1X and MAC Authentication Bypass (MAB) is the foundation of identity-based access control on a wireless network: every client is either authenticated with 802.1X or identified by MAC address and then authorized by Cisco ISE, which can place it in a VLAN, apply a redirect ACL, or change its session later through CoA. In this post, we walk through configuring a Catalyst 9800 wireless controller for 802.1X and MAB so that it communicates correctly with ISE for dynamic, policy-driven network access.

Configure AAA

Log in to the Catalyst 9800 Wireless Controller.

Navigate to Configuration>Security>AAA

Click the Add button under the Servers/Groups tab to add a RADIUS server.

Name the AAA server.

Put your ISE PSN IP address as the Server Address.

For the Key, use the shared secret you configured for this WLC as a network access device (NAD) in ISE. The secret is what ties RADIUS traffic to this specific device, so use a long, random value that is unique to this WLC rather than one shared across the estate.

Ensure that Support for CoA is enabled. Change of Authorization is required for this design: after a guest logs in to the portal, or a device finishes BYOD onboarding, ISE uses CoA to re-authorize the session and replace the redirect ACL. Without it the client stays in the redirect state.

Put the same shared secret in the CoA Server Key fields.

Click the Apply to Device button when finished.

Click on the Server Groups tab.

Click the Add button.

Name the AAA Radius Server Group.

Add your ISE servers to the group as the Assigned Servers.

Click the Apply to Device button.

Click on the AAA Method List tab.

Navigate to Authentication on the left-hand pane.

Click the Add button.

Keep the name as default.

From the Type dropdown, choose dot1x.

Move your server group into the Assigned Server Groups.

Click the Apply to Device button.

Move to the Authorization tab on the left-hand pane.

Click the Add button.

Keep the name as default.

From the Type dropdown, choose network.

Move your server group into the Assigned Server Groups.

Click the Apply to Device button.

Navigate to Accounting on the left-hand pane.

Click the Add button.

Name the AAA accounting method list default.

From the Type dropdown, choose identity.

Move your server group into the Assigned Server Groups.

Click the Apply to Device button.
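The same AAA configuration expressed as IOS-XE CLI, as an added example that is not part of the original post. The PSN address 192.0.2.10, the server and group names, and the `<shared-secret>` placeholder are assumptions for this example and must be replaced with your own values.

```cisco
! Added example: CLI equivalent of the AAA steps on a Catalyst 9800 (IOS-XE).
! 192.0.2.10, ISE-PSN-1, ISE-GROUP and <shared-secret> are placeholders.
aaa new-model

! RADIUS server definition, one per ISE PSN. The key must match the shared
! secret configured for this WLC as a network device in ISE.
radius server ISE-PSN-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret>

! Server group referenced by the method lists below.
aaa group server radius ISE-GROUP
 server name ISE-PSN-1

! Method lists named "default", matching the GUI steps:
! dot1x authentication, network authorization, identity accounting.
aaa authentication dot1x default group ISE-GROUP
aaa authorization network default group ISE-GROUP
aaa accounting identity default start-stop group ISE-GROUP

! Change of Authorization: each PSN is a dynamic-author client with the same
! secret, so ISE can re-authorize a session after portal login or onboarding.
aaa server radius dynamic-author
 client 192.0.2.10 server-key <shared-secret>

! Check from the WLC that the PSN answers RADIUS at all (assumes a test
! account exists in ISE; "new-code" sends the request through the server group).
! test aaa group ISE-GROUP testuser testpassword new-code
```

After applying this, `show aaa servers` should list the PSN with a non-zero count of successful requests once a client has tried to connect; a server stuck at zero usually means a shared-secret mismatch or the WLC being absent from the ISE network device list.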

Configure Web Auth

Navigate to Configuration>Security>Web Auth

Click the Add button.

Name the Web Auth Parameter Map as Captive-Bypass-Portal.

Keep the rest of the defaults.

Click the Apply to Device button.

Configure the VLANs

Navigate to Configuration>Layer 2>VLAN.

Click on the VLAN tab.

We are going to create VLANs for employees and guests.

Click the Add button.

Put the VLAN number in the VLAN ID field.

In the Name field, name it Employee.

Ensure that the VLAN is Activated.

Under Port Members, assign the VLAN a port.

Click the Apply to Device button.

Click the Add button again.

Put the VLAN number in the VLAN ID field.

In the Name field, name it Guest.

Ensure that the VLAN is Activated.

Under Port Members, assign the VLAN a port.

Click the Apply to Device button.

Configure the WLANs

Navigate to Configuration>Tags & Profiles>WLANs.

Click the Add button.

We will configure the profile and SSID name.

Change the Status to Enabled if you wish this SSID enabled immediately.

Navigate to the Security tab.

Navigate to the Layer2 sub-tab.

From the Layer 2 Security Mode dropdown, choose None.

Check the box for MAC Filtering.

From the Authorization List dropdown, choose default.

Navigate to the AAA subtab.

From the Authentication List dropdown, choose default.

Click the Apply to Device button.

Click the Add button to create another WLAN.

We will configure the profile and SSID name.

Change the Status to Enabled if you wish this SSID enabled immediately.

Navigate to the Security tab.

Navigate to the Layer2 sub-tab.

Ensure that WPA + WPA2 is selected from the Layer 2 Security Mode dropdown, and that 802.1x (not PSK) is the selected Auth Key Mgmt, so clients on this SSID are authenticated by ISE through the dot1x method list.

Navigate to the Layer3 subtab.

From the Web Auth Parameter Map dropdown, choose Captive-Bypass-Portal.

Navigate to the AAA subtab.

From the Authentication List dropdown, choose default.

Click the Apply to Device button.

Configure the Policy

Navigate to Configuration>Tags & Profiles>Policy.

We are going to start with creating a policy for our guest users.

Click the Add button.

Give this policy profile the name of Guest.

Set the Status of the policy as Enabled.

Choose the Disabled option for the Central Switching policy.

Navigate to the Access Policies tab.

Check the boxes for RADIUS Profiling, HTTP TLV Caching, and DHCP TLV Caching.

Under the VLAN/VLAN Group option, choose your VLAN for guests from the dropdown.

Navigate to the Advanced tab.

Check the box for Allow AAA Override and NAC State.

From the Accounting List dropdown, choose default.

Click on the Apply to Device button.

Next, we are going to create a policy for our employee users.

Click the Add button.

Give this policy profile the name of Employee.

Set the Status of the policy as Enabled.

Choose the Disabled option for the Central Switching policy.

Navigate to the Access Policies tab.

Check the boxes for RADIUS Profiling, HTTP TLV Caching, and DHCP TLV Caching.

Under the VLAN/VLAN Group option, choose your VLAN for employees from the dropdown.

Navigate to the Advanced tab.

Check the box for Allow AAA Override and NAC State.

From the Accounting List dropdown, choose default.

Click on the Apply to Device button.
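The Web Auth parameter map, VLANs, both WLANs and both policy profiles as IOS-XE CLI, added here as an example and not taken from the original post. The VLAN IDs (100 and 200), WLAN IDs, profile names (Guest-CWA, Employee-Dot1x) and SSID names are assumptions for this example.

```cisco
! Added example: CLI equivalent of the Web Auth, VLAN, WLAN and policy-profile
! steps. VLAN IDs, WLAN IDs, profile and SSID names are placeholders.

! Web auth parameter map with defaults, as in the GUI step.
parameter-map type webauth Captive-Bypass-Portal
 type webauth

vlan 100
 name Employee
vlan 200
 name Guest

! Guest SSID: open Layer 2 with MAC filtering (MAB) against the "default"
! authorization list. ISE admits the client with a redirect ACL, then
! re-authorizes it over CoA after the portal login. The authentication list
! on the AAA tab only applies to 802.1X, so it is not needed here.
wlan Guest-CWA 2 Guest-SSID
 no security wpa
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 no security wpa akm dot1x
 mac-filtering default
 no shutdown

! Employee SSID: WPA2/AES with 802.1X key management through the "default"
! dot1x list, with the web-auth parameter map attached so ISE can redirect
! a device to the BYOD portal after a successful 802.1X login.
wlan Employee-Dot1x 1 Employee-SSID
 security wpa wpa2 ciphers aes
 security wpa akm dot1x
 security dot1x authentication-list default
 security web-auth parameter-map Captive-Bypass-Portal
 no shutdown

! Policy profiles: locally switched (FlexConnect), VLAN from the profile
! unless ISE overrides it, NAC/CoA state on, accounting to ISE, and the
! device-sensor options that feed ISE profiling.
wireless profile policy Guest
 no central switching
 vlan Guest
 aaa-override
 nac
 accounting-list default
 radius-profiling
 http-tlv-caching
 dhcp-tlv-caching
 no shutdown

wireless profile policy Employee
 no central switching
 vlan Employee
 aaa-override
 nac
 accounting-list default
 radius-profiling
 http-tlv-caching
 dhcp-tlv-caching
 no shutdown
```

`aaa-override` is what lets ISE move a client out of the profile's VLAN or attach an ACL; without it the authorization result from ISE is ignored. `nac` is what makes the controller honour the url-redirect attributes and CoA for the session.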

Configuring the Security ACLs

Next, we will configure the access control lists.

Navigate to Configuration>Security>ACL.

Click the Add button.

We are going to name this first ACL as ACL_WEBAUTH_REDIRECT. 

Add the following rules. On the 9800 a redirect ACL is read inverted: deny lines are exempted from redirection (the traffic is forwarded normally), and permit lines are the traffic that gets redirected to the portal. The name must match exactly what ISE returns in the url-redirect-acl attribute of its authorization profile.

Sequence  Action  Source IP              Destination IP         Protocol  Source Port  Destination Port
10        deny    any                    ISE-PSN-IP-Address     tcp       -            8443
11        deny    ISE-PSN-IP-Address     any                    tcp       8443         -
20        deny    any                    DNS-Server-IP-Address  udp       -            domain (53)
21        deny    DNS-Server-IP-Address  any                    udp       domain (53)  -
30        permit  any                    any                    tcp       -            www (80)

Click the Apply to Device button.

Click the Add button.

This time, we will make an ACL for the BYOD flow.

We are going to name this  ACL as BYOD_Flow. 

Add the following rules. Port 8905 is added here because ISE uses it for posture and the BYOD onboarding agent, so that traffic must not be redirected.

Sequence  Action  Source IP  Destination IP      Protocol  Source Port  Destination Port
10        deny    any        ISE-PSN-IP-Address  tcp       -            8443
20        deny    any        ISE-PSN-IP-Address  tcp       -            8905
30        deny    any        DNS-IP-Address      udp       -            domain (53)
40        permit  any        any                 tcp       -            www (80)

Click the Apply to Device button.
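Both redirect ACLs in IOS-XE extended ACL syntax, added here as an example and not taken from the original post. 192.0.2.10 stands for the ISE PSN and 192.0.2.53 for the DNS server; both are placeholders.

```cisco
! Added example: the two redirect ACLs as IOS-XE extended ACLs.
! 192.0.2.10 = ISE PSN, 192.0.2.53 = DNS server (placeholders).
! deny = forward without redirect, permit = redirect to the portal.
ip access-list extended ACL_WEBAUTH_REDIRECT
 10 deny tcp any host 192.0.2.10 eq 8443
 11 deny tcp host 192.0.2.10 eq 8443 any
 20 deny udp any host 192.0.2.53 eq domain
 21 deny udp host 192.0.2.53 eq domain any
 30 permit tcp any any eq www

ip access-list extended BYOD_Flow
 10 deny tcp any host 192.0.2.10 eq 8443
 20 deny tcp any host 192.0.2.10 eq 8905
 30 deny udp any host 192.0.2.53 eq domain
 40 permit tcp any any eq www
```

Only TCP port 80 is matched, so an HTTPS request is never intercepted; the portal appears because every major OS sends an HTTP captive-portal probe when it joins a network, and that probe is what gets redirected. `show wireless client mac <client-mac> detail` shows the redirect ACL and URL currently applied to a session, which is the quickest way to confirm ISE returned the name you expect.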

Configuring the URL Filters

Next, we will create URL filters.

Navigate to Configuration>Security>URL Filters.

We will start by creating a URL filter for the BYOD flow. Android devices need to reach the Google Play Store during onboarding to download the onboarding app, so we create a pre-auth URL filter that permits those hosts while the client is still in the redirect state.

Click the Add button.

We are going to name this rule BYOD-URL-Filter.

From the Type dropdown, choose PRE-AUTH.

Move the Action slider to Permit.

Add the following URLs in the URL field:

*.google.com
accounts.youtube.com
gstatic.com
*.googleapis.com
*.appspot.com
ggpht.com
gvt1.com
market.android.com
android.pool.ntp.org
*.googleusercontent.com
*.google-analytics.com

Click the Apply to Device button.

Add one more URL filter if you plan to use the Social Network guest flow.

Click the Add button.

We are going to name this rule SM-Guest-URL-Filter.

From the Type dropdown, choose PRE-AUTH.

Move the Action slider to Permit.

Add the following URLs in the URL field:

*.facebook.com
*.akamai.com
*.fbcdn.net
*.akamaihd.net

Click the Apply to Device button.

Configure the Flex Profile

Navigate to Configuration>Tags & Profiles>Flex.

Click on the Add button.

Give the Flex Profile a name.

Navigate to the Policy ACL tab.

Click the Add button.

Choose ACL_WEBAUTH_REDIRECT from the ACL Name dropdown.

Check the box next to Central Web Auth.

If you plan on using this for BYOD, choose BYOD-URL-Filter from the URL Filter dropdown.

Click the Save button.

Navigate to the VLAN tab.

Click the Add button.

From the VLAN Name dropdown, choose your Employee VLAN.

Fill in the correct VLAN ID field.

Click Save.

Click Add again.

This time, from the VLAN Name dropdown, choose your Guest VLAN.

Fill in the correct VLAN ID field.

Click Save.

Click the Apply to Device button to save the Flex Profile.

Configure the Tags

Navigate to Configuration>Tags & Profiles>Tags.

Click the Site tab.

Click the Add button.

Give the site tag the name Branch.

Uncheck the Enable Local Site box.

Choose your Flex Profile from the Flex Profile dropdown.

Click the Apply to Device Button

Configuring the Access Points

Navigate to Configuration>Wireless>Access Points

Click on an AP name or MAC address.

Under General>Tags, from the Policy dropdown choose the policy tag that binds your WLANs to the Employee and Guest policy profiles (ISE Enabled in this example).

From the Site dropdown, select Branch.

Click the Update & Apply to Device button.
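The URL filters, Flex profile, site tag and AP assignment as IOS-XE CLI, added here as an example and not taken from the original post. The policy tag ISE-Enabled is assumed, because the AP step selects a tag by that name but its creation is not shown; the WLAN names (Guest-CWA, Employee-Dot1x), VLAN IDs, Flex profile name and AP MAC address are also placeholders for this example.

```cisco
! Added example: CLI equivalent of the URL filter, Flex profile, site tag
! and AP assignment steps. ISE-Enabled, Branch-Flex, the WLAN names, VLAN
! IDs and the AP MAC address are placeholders.

! Pre-auth URL filter: hosts a client may reach while still in the redirect
! state, so an Android device can fetch its onboarding app from Google Play.
urlfilter list BYOD-URL-Filter
 action permit
 filter-type pre-auth
 url *.google.com
 url accounts.youtube.com
 url gstatic.com
 url *.googleapis.com
 url *.appspot.com
 url ggpht.com
 url gvt1.com
 url market.android.com
 url android.pool.ntp.org
 url *.googleusercontent.com
 url *.google-analytics.com

urlfilter list SM-Guest-URL-Filter
 action permit
 filter-type pre-auth
 url *.facebook.com
 url *.akamai.com
 url *.fbcdn.net
 url *.akamaihd.net

! Flex profile: the redirect ACL is pushed to the AP for central web auth
! together with the URL filter, and the locally switched VLANs are mapped.
wireless profile flex Branch-Flex
 acl-policy ACL_WEBAUTH_REDIRECT
  central-webauth
  urlfilter list BYOD-URL-Filter
 vlan-name Employee
  vlan-id 100
 vlan-name Guest
  vlan-id 200

! Site tag for a remote (non-local) site, pointing at the Flex profile.
wireless tag site Branch
 flex-profile Branch-Flex
 no local-site

! Policy tag (assumed) binding each WLAN to its policy profile.
wireless tag policy ISE-Enabled
 wlan Guest-CWA policy Guest
 wlan Employee-Dot1x policy Employee

! Assign both tags to an AP by its Ethernet MAC address.
ap 0011.2233.4455
 policy-tag ISE-Enabled
 site-tag Branch
```

Changing an AP's site tag makes it rejoin the controller, so expect a short outage on that AP when you apply it. `show ap tag summary` lists the policy, site and RF tag resolved for every AP and is the place to look if an SSID is not being broadcast where you expect.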

And that’s it! You’ve now configured your Catalyst 9800 WLC for an 802.1X SSID and a second SSID for Guest. The remainder of the configuration is on ISE, which we will cover in an upcoming post.