Introduction
Configuring a wireless controller for 802.1X and MAC Authentication Bypass (MAB) is the foundation of identity-based access control on a wireless network: the controller acts as the network access device (NAD), and Cisco ISE decides per client which VLAN, ACL or redirect applies. In this post, we'll walk through configuring a Catalyst 9800 Wireless Controller for an 802.1X SSID and a MAB-based guest SSID so that it exchanges RADIUS authentication, authorization, accounting and Change of Authorization (CoA) with ISE to enforce dynamic access policies.
Configure AAA
Log in to the Catalyst 9800 Wireless Controller.
Navigate to Configuration>Security>AAA.
Click the Add button under the Servers/Groups tab to add a RADIUS server.
Name the AAA server.
Put your ISE PSN IP address as the Server Address.
For the Key, use the shared secret you configured for this WLC's Network Device (NAD) entry in ISE. Use a long, unique secret: it is the only thing authenticating the RADIUS exchange between the controller and ISE.
Ensure that Support for CoA is enabled. ISE uses CoA to reauthorize or disconnect a session after profiling, posture, BYOD onboarding or guest portal login, so without it the dynamic flows never complete.
Put the same shared secret in the CoA Server Key fields.
Click the Apply to Device button when finished.
Click on the Server Groups tab.
Click the Add button.
Name the AAA RADIUS Server Group.
Add your ISE PSNs to the group as the Assigned Servers, in the order you want them tried.
Click the Apply to Device button.
Click on the AAA Method List tab.
Navigate to Authentication on the left-hand pane.
Click the Add button.
Keep the name as default.
From the Type dropdown, choose dot1x.
Move your server group into the Assigned Server Groups.
Click the Apply to Device button.
Move to the Authorization tab on the left-hand pane.
Click the Add button.
Keep the name as default.
From the Type dropdown, choose network.
Move your server group into the Assigned Server Groups.
Click the Apply to Device button.
Navigate to Accounting on the left-hand pane.
Click the Add button.
Keep the name as default.
From the Type dropdown, choose identity (on the 9800, identity accounting is what reports wireless client sessions to ISE).
Move your server group into the Assigned Server Groups.
Click the Apply to Device button.
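The CLI equivalent of the AAA steps above, added here as an example rather than configuration from the original post. The server name ISE-PSN-1, group name ISE-GROUP, PSN address 10.10.10.21, the shared secret and the test credentials are placeholders, not values from the post; substitute your own.

```cisco
! Added example: CLI equivalent of the AAA GUI steps (placeholder values).
! ISE-PSN-1, ISE-GROUP, 10.10.10.21 and Secr3tKey are assumptions, not values from the post.
aaa new-model
dot1x system-auth-control
!
! RADIUS server = the ISE PSN; the key must match the NAD entry for this WLC in ISE
radius server ISE-PSN-1
 address ipv4 10.10.10.21 auth-port 1812 acct-port 1813
 key Secr3tKey
!
! CoA: allow this PSN to reauthorize or disconnect sessions (profiling, posture, BYOD, guest)
aaa server radius dynamic-author
 client 10.10.10.21 server-key Secr3tKey
 auth-type any
!
aaa group server radius ISE-GROUP
 server name ISE-PSN-1
!
! The three "default" method lists that the WLANs and policy profiles reference later
aaa authentication dot1x default group ISE-GROUP
aaa authorization network default group ISE-GROUP
aaa accounting identity default start-stop group ISE-GROUP
!
! Verification (exec mode): server state, the method lists, and a synthetic RADIUS
! request to ISE. The test user is a placeholder; an Access-Reject still proves that
! the PSN is reachable and that the shared secret matches.
! show aaa servers
! show aaa method-lists all
! test aaa group ISE-GROUP testuser Passw0rd new-code
```

If `show aaa servers` reports the PSN as DEAD, or the test returns no response at all, check reachability from the WLC's management interface and that the secret matches the NAD entry in ISE before touching any WLAN configuration.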
Configure the VLANs
Navigate to Configuration>Layer 2>VLAN.
Click on the VLAN tab.
We are going to create VLANs for employees and guests.
Click the Add button.
Put the VLAN number in the VLAN ID field.
In the Name field, name it Employee.
Ensure that the VLAN is Activated.
Under Port Members, assign the VLAN a port.
Click the Apply to Device button.
Click the Add button again.
Put the VLAN number in the VLAN ID field.
In the Name field, name it Guest.
Ensure that the VLAN is Activated.
Under Port Members, assign the VLAN a port.
Click the Apply to Device button.
Configure the WLANs
Navigate to Configuration>Tags & Profiles>WLANs.
Click the Add button.
Give the WLAN a Profile Name, the SSID name and a WLAN ID; this first one is the guest SSID.
Change the Status to Enabled if you wish this SSID enabled immediately.
Navigate to the Security tab.
Navigate to the Layer2 sub-tab.
From the Layer 2 Security Mode dropdown, choose None. This is an open SSID: access is controlled by MAB and the guest portal on ISE, not by a key.
Check the box for MAC Filtering. This makes the controller send a MAB request (the client MAC address as the username) to ISE when a client associates.
From the Authorization List dropdown, choose default (the network authorization list created above).
Navigate to the AAA subtab.
From the Authentication List dropdown, choose default.
Click the Apply to Device button.
Click the Add button to create another WLAN.
Give the WLAN a Profile Name, the SSID name and a WLAN ID; this one is the employee 802.1X SSID.
Change the Status to Enabled if you wish this SSID enabled immediately.
Navigate to the Security tab.
Navigate to the Layer2 sub-tab.
Ensure that WPA + WPA2 is selected from the Layer 2 Security Mode dropdown, with WPA2 Policy, AES(CCMP128) encryption and 802.1x as the Auth Key Mgmt (these are the defaults for a new WLAN). Do not leave PSK selected alongside 802.1x.
Navigate to the Layer3 subtab.
From the Web Auth Parameter Map dropdown, choose Captive-Bypass-Portal. The dropdown only lists parameter maps that already exist under Configuration>Security>Web Auth, so create Captive-Bypass-Portal there first if it is missing.
Navigate to the AAA subtab.
From the Authentication List dropdown, choose default.
Click the Apply to Device button.
Configure the Policy
Navigate to Configuration>Tags & Profiles>Policy.
We are going to start with creating a policy for our guest users.
Click the Add button.
Name this policy profile Guest and set its Status to Enabled.
Navigate to the Access Policies tab.
Check the box for RADIUS Profiling, HTTP TLV Caching, and DHCP TLV Caching.
Under the VLAN/VLAN Group option, choose your VLAN for guests from the dropdown.
Navigate to the Advanced tab.
Check the box for Allow AAA Override and NAC State. Allow AAA Override lets the VLAN, ACL and redirect that ISE returns take precedence over the profile's own settings; NAC State is required for the controller to honor CoA-driven URL redirection (central web auth, posture and BYOD).
From the Accounting List dropdown, choose default.
Click on the Apply to Device button.
Next, we are going to create a policy for our employee users.
Click the Add button.
Name this policy profile Employee and set its Status to Enabled.
Navigate to the Access Policies tab.
Check the box for RADIUS Profiling, HTTP TLV Caching, and DHCP TLV Caching.
Under the VLAN/VLAN Group option, choose your VLAN for employees from the dropdown.
Navigate to the Advanced tab.
Check the box for Allow AAA Override and NAC State.
From the Accounting List dropdown, choose default.
Click on the Apply to Device button.
Configure the Tags
Navigate to Configuration>Tags & Profiles>Tags.
We will first create a policy tag for guests.
Click the Add button.
Give the Policy Tag a name.
Click the Add button.
From the WLAN Profile dropdown, choose the guest SSID.
From the Policy Profile dropdown, choose the guest policy profile you created.
Click the check box to add the mapping.
Click the Apply to Device button.
Next, we will create a policy tag for employees.
Click the Add button again.
Give the Policy Tag a name.
Click the Add button.
From the WLAN Profile dropdown, choose the employee SSID.
From the Policy Profile dropdown, choose the employee policy profile you created.
Click the check box to add the mapping.
Click the Apply to Device button. Note that an access point can carry only one policy tag, so if the same APs should broadcast both SSIDs, put both WLAN-to-policy mappings in a single policy tag rather than two separate ones. A policy tag only takes effect once it is assigned to access points (select the AP under Configuration>Wireless>Access Points and set its Policy Tag on the General tab).
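The CLI equivalent of the VLAN, WLAN, policy profile and tag steps above, added here as an example and not the original post's configuration. VLAN IDs 10 and 20, the SSIDs Employee and Guest, the profile and tag names and the AP name are assumptions. It departs from the GUI walk-through in two places: both WLAN-to-policy mappings go into one policy tag, because an AP can hold only one, and the Layer 3 parameter map is left off the employee WLAN, because with AAA override and NAC enabled the redirect URL and redirect ACL for CWA and BYOD arrive from ISE in the RADIUS Access-Accept rather than from a local web-auth policy.

```cisco
! Added example with placeholder names and IDs. Assumes the AAA "default" lists exist.
vlan 10
 name Employee
vlan 20
 name Guest
!
! Employee SSID: WPA2/AES with 802.1X key management, authenticated via the default dot1x list
wlan Employee-Profile 1 Employee
 security wpa wpa2
 security wpa wpa2 ciphers aes
 security wpa akm dot1x
 security dot1x authentication-list default
 no shutdown
!
! Guest SSID: open (no WPA) with MAC filtering; MAB uses the default network authorization list
wlan Guest-Profile 2 Guest
 no security wpa
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 no security wpa akm dot1x
 mac-filtering default
 no shutdown
!
! Policy profiles: aaa-override lets ISE return VLAN/ACL/redirect, nac is required for
! CoA-driven URL redirect, and the profiling options forward DHCP/HTTP attributes to ISE
wireless profile policy Employee-Policy
 aaa-override
 nac
 accounting-list default
 radius-profiling
 dhcp-tlv-caching
 http-tlv-caching
 vlan 10
 no shutdown
wireless profile policy Guest-Policy
 aaa-override
 nac
 accounting-list default
 radius-profiling
 dhcp-tlv-caching
 http-tlv-caching
 vlan 20
 no shutdown
!
! One policy tag carrying both mappings, so a single AP can broadcast both SSIDs
wireless tag policy Corp-Policy-Tag
 wlan Employee-Profile policy Employee-Policy
 wlan Guest-Profile policy Guest-Policy
!
! Assign the tag to an AP (exec mode; AP name is a placeholder). The AP rejoins briefly.
! ap name AP-Floor1-01 policy-tag Corp-Policy-Tag
!
! Verification (exec mode)
! show wlan summary
! show wireless profile policy detailed Guest-Policy
! show wireless tag policy detailed Corp-Policy-Tag
! show ap tag summary
```

`show wlan summary` should list both WLANs as UP; if the guest SSID shows the default WPA2 security after applying, the `no security wpa ...` lines were not all accepted and the SSID will prompt for a key instead of running MAB.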
Configure the Security ACLs
Next, we will configure the access control lists.
Navigate to Configuration>Security>ACL.
Click the Add button.
We are going to name this first ACL ACL_WEBAUTH_REDIRECT. ISE references this name in its authorization profile (the url-redirect-acl attribute), so the spelling must match exactly. A redirect ACL on the 9800 reads inversely to a normal ACL: deny entries are traffic that is not redirected (the client must reach the ISE portal on TCP 8443 and DNS directly), while permit entries are the traffic that is intercepted and redirected to the portal. The ports are destination ports on the server side.
Add the following rules:
Sequence | Action | Source IP | Destination IP | Protocol | Source Port | Destination Port
---|---|---|---|---|---|---
10 | deny | any | ISE-PSN-IP-Address | tcp | any | eq 8443
20 | deny | any | DNS-IP-Address | udp | any | eq domain (53)
30 | permit | any | any | tcp | any | eq www (80)
Click the Apply to Device button.
Click the Add button.
This time, we will make an ACL for the BYOD flow. It is the same as the redirect ACL with one extra exemption for TCP 8905, which ISE uses for client provisioning during onboarding.
We are going to name this ACL BYOD_Flow.
Add the following rules:
Sequence | Action | Source IP | Destination IP | Protocol | Source Port | Destination Port
---|---|---|---|---|---|---
10 | deny | any | ISE-PSN-IP-Address | tcp | any | eq 8443
20 | deny | any | ISE-PSN-IP-Address | tcp | any | eq 8905
30 | deny | any | DNS-IP-Address | udp | any | eq domain (53)
40 | permit | any | any | tcp | any | eq www (80)
Click the Apply to Device button.
Configure the URL Filters
Next, we will create URL filters.
Navigate to Configuration>Security>URL Filters.
We will start by creating a URL filter for the BYOD flow. Android devices need to reach the Google Play Store to download the onboarding app while they are still in the redirect state, so we will create a pre-authentication filter that permits those destinations before authorization completes.
Click the Add button.
We are going to name this rule BYOD-URL-Filter.
From the Type dropdown, choose PRE-AUTH.
Move the Action slider to Permit.
Add the following URLs in the URL field:
*.google.com
accounts.youtube.com
gstatic.com
*.googleapis.com
*.appspot.com
ggpht.com
gvt1.com
market.android.com
android.pool.ntp.org
*.googleusercontent.com
*.google-analytics.com
Click the Apply to Device button.
Add one more URL filter if you plan to use the Social Network guest flow.
Click the Add button.
We are going to name this rule SM-Guest-URL-Filter.
From the Type dropdown, choose PRE-AUTH.
Move the Action slider to Permit.
Add the following URLs in the URL field:
*.facebook.com
*.akamai.com
*.fbcdn.net
*.akamaihd.net
Click the Apply to Device button.
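CLI equivalents of the two redirect ACLs and the BYOD URL filter above, added as an example with placeholder addresses (10.10.10.21 for the ISE PSN, 10.10.10.53 for DNS, a made-up client MAC); none of this is configuration from the original post. The `remark` lines spell out the inverted redirect-ACL semantics so they survive in the running config.

```cisco
! Added example with placeholder addresses. ISE must reference these ACL names exactly
! (cisco-av-pair url-redirect-acl=ACL_WEBAUTH_REDIRECT) in its authorization profile.
ip access-list extended ACL_WEBAUTH_REDIRECT
 remark deny = NOT redirected: ISE portal and DNS must be reached directly
 10 deny tcp any host 10.10.10.21 eq 8443
 20 deny udp any host 10.10.10.53 eq domain
 remark permit = intercepted and redirected to the portal
 30 permit tcp any any eq www
!
ip access-list extended BYOD_Flow
 remark 8905 is ISE client provisioning, used during BYOD onboarding
 10 deny tcp any host 10.10.10.21 eq 8443
 20 deny tcp any host 10.10.10.21 eq 8905
 30 deny udp any host 10.10.10.53 eq domain
 40 permit tcp any any eq www
!
! Pre-authentication URL filter: destinations a redirected client may reach before
! authorization completes (Google Play for the Android onboarding app)
urlfilter list BYOD-URL-Filter
 action permit
 filter-type pre-authentication
 url *.google.com
 url accounts.youtube.com
 url gstatic.com
 url *.googleapis.com
 url *.appspot.com
 url ggpht.com
 url gvt1.com
 url market.android.com
 url android.pool.ntp.org
 url *.googleusercontent.com
 url *.google-analytics.com
!
! Verification (exec mode) with a test client associated to the guest SSID.
! The client detail shows the redirect URL and ACL that ISE pushed; hit counts on the
! ACL confirm the permit line is actually catching the client's HTTP traffic.
! show ip access-lists ACL_WEBAUTH_REDIRECT
! show wireless client mac-address 1234.5678.9abc detail
```

A URL filter does nothing on its own; it has to be referenced from the policy profile's Access Policies tab (Pre Auth URL Filter) for the clients it should apply to. If a redirected client never gets the portal, the usual causes are a mismatched ACL name between ISE and the WLC, a missing NAC State on the policy profile, or DNS not being exempted from redirection.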
And that's it! You've now configured your Catalyst 9800 WLC with an 802.1X SSID for employees and a MAB-based SSID for guests, along with the redirect ACLs and URL filters that ISE's web-auth and BYOD flows depend on. The remainder of the configuration is on ISE, which we will cover in an upcoming post.