
Deploying Identity

Services within a
Converged Plantwide
Ethernet Architecture

Design and Implementation Guide

June 2015

Document Reference Number: ENET-TD008A-EN-P


Preface

This Deploying Identity Services within a Converged Plantwide Ethernet Architecture Design and
Implementation Guide (DIG) outlines the following key requirements and design considerations to
help in the successful deployment of the Cisco® Identity Services Engine (Cisco ISE) within
Industrial Automation and Control System (IACS) plant-wide architectures:
• Cisco ISE Use Case Overview
• Review of Cisco ISE Technology
• Important Steps and Considerations for Cisco ISE Implementation and Configuration
Recommendations within IACS applications
• Maintaining and Troubleshooting Cisco ISE

Note This release of the CPwE architecture focuses on EtherNet/IP™, which is driven by the ODVA
Common Industrial Protocol (CIP™). Refer to the IACS Communication Protocols section of the
CPwE Design and Implementation Guide.

Document Organization
The Deploying Identity Services within a Converged Plantwide Ethernet Architecture Design and
Implementation Guide contains the following chapters:

• CPwE Identity Services Overview: Presents an introduction to the CPwE Identity Services architecture,
Secure Access Control, Unified Network Access Policy Management for CPwE and CPwE Identity
Services in general.
• System Design Considerations: Presents an overview of CPwE Identity Services technology, how to
deploy Distributed CPwE Identity Services, and an overview of Microsoft® Server 2012 Active
Directory.
• Configuring the Infrastructure: Describes how to configure the Cisco ISE infrastructure in the CPwE
system based on the design considerations of the previous chapters, covering the configuration of
the network infrastructure, network services, data traversal, Web application access and network
and application security, all from an IDMZ perspective.
• Troubleshooting Tips: Describes Cisco ISE and WLC troubleshooting.
• References: Standard list of references for CPwE, Cisco Unified Access, RF Design and QoS and
Wireless Security.
• Configuration Examples: Examples of the configurations that have been used in the testing of the
wired and wireless architecture.
• Test Hardware and Software: Hardware and software components used in CPwE Identity Services
testing.

Deploying Identity Services within a Converged Plantwide Ethernet Architecture


ENET-TD008A-EN-P i

For More Information


Rockwell Automation site:
• http://literature.rockwellautomation.com/idc/groups/literature/documents/td/enet-td001_-en-p.pdf
Cisco site:
• http://www.cisco.com/en/US/docs/solutions/Verticals/CPwE/CPwE_DIG.html

CHAPTER 1
CPwE Identity Services Overview

This chapter includes the following major topics:


• Identity Services Architecture Introduction, page 1-1
• Secure Access Control, page 1-2
• Unified Network Access Policy Management for CPwE, page 1-3
• Converged Plantwide Ethernet Identity Services, page 1-4

Identity Services Architecture Introduction


Industrial Automation and Control System (IACS) networks are generally open by default, which
facilitates both technology coexistence and IACS interoperability. IACS networks must be secured
by configuration and architecture. Connectivity of unknown contractor computers (such as from
OEMs and System Integrators), presents challenges to the security of plant-wide operations. A
different approach to device authentication and authorization is required to securely manage the
connectivity of these computers to the IACS network. Converged Plantwide Ethernet (CPwE) uses
the Cisco Identity Services Engine (Cisco ISE) to support secure wired and wireless connectivity
of plant personnel and contractor computers to the IACS network. Cisco ISE is a centralized
security policy management platform, which automates and enforces secure access to network
resources across a distributed Industrial Zone. Cisco ISE enforces network security based on the
type of device hardware connecting to the network, the computer’s operating system and the user.
CPwE is the underlying architecture that provides standard network services for control and
information disciplines, devices and equipment found in modern IACS applications. Cisco ISE is
used in conjunction with the CPwE architecture to provide an additional and dynamic layer of
network access control security by supporting the Microsoft-based computer operating system
and logged-on user to push security policies to the network infrastructure that the computer is
accessing. The CPwE architecture provides design and implementation guidance to achieve the
real-time communication, reliability, scalability, security and resiliency requirements of the IACS.
Cisco ISE builds on top of the defined best practices and network architecture with a centrally
managed architectural model where the IT department maintains the management of the Cisco ISE
platform that operates in the Industrial Zone.


Cisco ISE incorporation for CPwE is brought to market through a strategic alliance between Cisco
Systems and Rockwell Automation. This CPwE Identity Services Cisco Validated Design details
design and implementation considerations to help with the successful design and implementation
of Identity Services within the Industrial Zone.

Secure Access Control


Protecting IACS assets requires a centrally manageable defense-in-depth security approach that
addresses internal and external security threats. Cisco ISE supports authentication and
authorization for both wired and wireless access methods to the IACS networks by company
employees and trusted partners (OEM, SI). Adhering to a distributed architecture, Cisco ISE uses
the Administration, Policy Service and Monitoring nodes described in detail later in this document.
The CPwE Industrial Network Security Framework (Figure 1-1) is aligned to industrial security
standards such as ISA/IEC-62443 (formerly ISA-99) Industrial Automation and Control Systems
(IACS) Security, and NIST 800-82 Industrial Control System (ICS) Security.
Designing and implementing a comprehensive IACS network access security framework should
serve as a natural extension to the IACS. Network access security should not be implemented as
an afterthought. The industrial network access security framework should be pervasive and core to
the IACS. However, atop existing IACS deployments, the same defense-in-depth layers can be
applied incrementally to help improve the access security stance of the IACS.
CPwE defense-in-depth layers (Figure 1-1) include:
• Control System Engineers (highlighted in tan)—IACS device hardening (for example, physical
and electronic), infrastructure device hardening (for example, port security), network
segmentation, IACS application authentication, authorization and accounting (AAA)
• Control System Engineers in collaboration with IT Network Engineers (highlighted in
blue)—Zone-based policy firewall at the IACS application, operating system hardening,
network device hardening (such as access control, resiliency), wired and wireless LAN access
policies
• IT Security Architects in collaboration with Control Systems Engineers (highlighted in
purple)—Identity Services (wired and wireless), Active Directory (AD), Remote Access Servers
(RAS), plant firewalls, Industrial Demilitarized Zone (IDMZ) design best practices


Figure 1-1 CPwE Industrial Network Security Framework

[Figure: layered diagram of the Enterprise Zone (Levels 4-5) behind the external DMZ/firewall; the
Industrial Demilitarized Zone (IDMZ) with active/standby plant firewalls (inter-zone traffic
segmentation, ACLs, IPS and IDS, VPN services, portal and Remote Desktop Services proxy) and
physical or virtualized servers (patch management, AV server, application mirror, Remote Desktop
Gateway server); and the Industrial Zone (Levels 0-3) with AAA/RADIUS (Identity Services Engine,
Active Directory, FactoryTalk Security, Remote Access Server), a wireless LAN controller and WLAN
SSIDs for equipment, plant personnel and trusted partners (WPA2 with AES encryption; pre-shared
key or 802.1X EAP-FAST on the autonomous WLAN; 802.1X EAP-TLS and CAPWAP DTLS on the unified
WLAN), network infrastructure hardening, access control and resiliency, OS hardening, port
security, VLANs segmenting domains of trust, a zone-based policy firewall (ZFW) and IACS device
hardening (physical, procedures, electronic, encrypted communications) from Level 3 Site
Operations down to Level 0 Process.]

Unified Network Access Policy Management for CPwE


Cisco ISE empowers Enterprise IT to help sustain a highly secure wired and wireless access within
the plant by providing:
• Comprehensive centralized policy management
• Streamlined computer onboarding
• Dynamic security enforcement
A rules-based, catalog-driven policy model is provided to create access control based upon
IEEE-802.1X authentication and authorization policies. The 802.1X standard describes how port-
based security rules can be applied to each switch port. Cisco ISE includes the ability to create
fine-grained authorization policies that include the association of a user or Microsoft-based
computer to an associated VLAN or an associated downloadable access control list (dACL).
Attributes can be created dynamically that include one or more identity groups, then saved for later
use, as new device management computers are introduced to the IACS network. As shown in
Figure 1-2, Cisco ISE supports multiple external identity repositories, including AD authorities for
both authentication and authorization.


Figure 1-2 Unified Identity Services for Wired and Wireless

[Figure: the Enterprise Zone (Levels 4-5) hosts the ISE PAN/PSN, ISE MnT, core switches and an
enterprise WLC behind the external DMZ/firewall; active/standby firewalls form the IDMZ; the
Industrial Zone (Levels 0-3) hosts an ISE PSN, core switches, active and standby WLCs and a Remote
Access Server (RAS) at Level 3 Site Operations, with a distribution switch, LWAPs, a WGB, a laptop
client and Cell/Area Zone devices (FactoryTalk client, I/O, drive, PACs, MCC) at Levels 0-2. ISE
synchronization and ISE logging traverse the IDMZ between the two zones.]

Through the application of Cisco ISE, provision policies are applied across the IACS network in
real-time, creating a consistent user access experience to services from wired and wireless
connections. Cisco ISE allows IT to define roles such as employees and trusted partners. These
roles can be configured to permit and limit access to assets within the Industrial Zone, the Industrial
Demilitarized Zone (IDMZ) and the Enterprise Zone. The Stratix™ and Cisco industrial Ethernet
switches (IES) work in conjunction with Cisco ISE to apply and enforce the security policies that are
configured. For example, if an employee attaches to the IACS network in the Industrial Zone with a
computer, Cisco ISE will be sent the hardware and user information. Cisco ISE will send the pre-
configured network security policies to the Stratix or Cisco IES where the user will be limited by the
security policy. It is also possible to limit or direct traffic of unknown devices with a Cisco ISE
security policy.
Cisco ISE services for wireless access use the Cisco wireless LAN controllers (WLC) to facilitate
authentication and authorization of Microsoft-based computers accessing the IACS network. Cisco
ISE allows IT to define a set of contractors and, for each contractor, define a set of RADIUS attributes
that apply across both the wired and wireless environments (see Wired Access Overview, page 2-9
and Wireless Access Overview, page 2-13). Attributes are used in authorization profiles and in policy
conditions. Through Cisco ISE, IT can create, edit and delete RADIUS contractor dictionaries and
contractor-specific attributes as needed.

Converged Plantwide Ethernet Identity Services


Cisco ISE grants permission to Microsoft-based computers to access the plant-wide network
based on the result of the policy evaluation. The profiling service facilitates management of
authentication by using IEEE 802.1X port-based authentication and access control, which is
supported on the Stratix and Cisco IES within the CPwE architecture.


Cisco ISE provides a self-service registration portal for plant personnel and contractors to register
and provision their portable Microsoft-based OS computers according to the business policies
defined by IT. Cisco ISE permits the plant personnel to get the automated device provisioning and
profiling they need to comply with industrial security policies while keeping it extremely simple to
get their Microsoft-based OS computers onto the IACS network with limited IT help.
Within the Industrial Zone, Cisco ISE provides centrally managed context-aware identity
management critical for IT to manage access control. Cisco ISE determines if users are accessing
the network on an authorized, policy-compliant computer, and assigns access based on the
assigned user role, group and associated policy. Variables such as employee (plant or corporate),
contractor (OEM, SI or other trusted partner), location and device type are taken into consideration.
Cisco ISE grants access to specific segments of the Industrial Zone to authenticated users.
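The rules-based authorization model described above (a first-match rule set that maps user role, group, device type and location to a VLAN and a downloadable ACL returned over RADIUS) is modelled below as an added example; it is not Cisco ISE code. The group names, VLAN IDs, dACL names, session fields and the Cisco AV-pair string for the dACL are assumptions; the VLAN attribute values follow RFC 2868.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# RFC 2868 values a switch or WLC expects for RADIUS VLAN assignment.
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE802 = 6      # Tunnel-Medium-Type = IEEE-802


@dataclass(frozen=True)
class Session:
    """What the policy engine knows after 802.1X authentication (assumed fields)."""
    user: str
    ad_groups: frozenset            # AD group membership from the external identity source
    device_os: str                  # OS reported by profiling ("" if unknown)
    access_type: str                # "wired" or "wireless"
    zone: str                       # location of the access device: "industrial" or "enterprise"
    machine_authenticated: bool     # the domain-joined computer account also authenticated


@dataclass(frozen=True)
class AuthzProfile:
    """Authorization profile: the enforcement result pushed to the IES or WLC."""
    name: str
    access_accept: bool = True
    vlan: Optional[int] = None
    dacl: Optional[str] = None      # name of a downloadable ACL defined on the policy server


@dataclass(frozen=True)
class Rule:
    name: str
    condition: Callable[[Session], bool]
    profile: AuthzProfile


DENY = AuthzProfile("DenyAccess", access_accept=False)


def is_windows(s: Session) -> bool:
    return s.device_os.lower().startswith("windows")


# Constructed policy (placeholder group, VLAN and dACL names).
# Rules are evaluated top-down; the first matching rule wins.
POLICY: List[Rule] = [
    # The solution covers Windows computers only: anything else is rejected up front.
    Rule("Deny_Non_Windows", lambda s: not is_windows(s), DENY),
    # Plant employee on a domain-joined computer inside the Industrial Zone.
    Rule("Industrial_Employee",
         lambda s: "PlantEmployees" in s.ad_groups and s.machine_authenticated
         and s.zone == "industrial",
         AuthzProfile("SiteOps_Full", vlan=30, dacl="PERMIT_SITEOPS")),
    # Trusted partner (OEM, SI): separate VLAN and a dACL limiting reach.
    Rule("Trusted_Partner",
         lambda s: "TrustedPartners" in s.ad_groups and s.zone == "industrial",
         AuthzProfile("Partner_Restricted", vlan=40, dacl="PARTNER_TO_CELL_ONLY")),
]


def evaluate(session: Session, rules: List[Rule] = POLICY) -> Tuple[str, AuthzProfile]:
    """Return (matched rule name, profile); unmatched sessions fall to the default deny."""
    for rule in rules:
        if rule.condition(session):
            return rule.name, rule.profile
    return "Default", DENY


def radius_attributes(profile: AuthzProfile) -> dict:
    """Attributes that would ride in the RADIUS Access-Accept for this profile.
    The dACL reference uses a Cisco AV-pair; its exact text is an assumption here."""
    if not profile.access_accept:
        return {}                   # an Access-Reject carries no authorization attributes
    attrs = {}
    if profile.vlan is not None:
        attrs["Tunnel-Type"] = TUNNEL_TYPE_VLAN
        attrs["Tunnel-Medium-Type"] = TUNNEL_MEDIUM_IEEE802
        attrs["Tunnel-Private-Group-ID"] = str(profile.vlan)
    if profile.dacl is not None:
        attrs["Cisco-AVPair"] = f"ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-{profile.dacl}"
    return attrs


def authorize(session: Session) -> Tuple[str, str, dict]:
    """One-shot helper: (rule name, 'Access-Accept' or 'Access-Reject', attributes)."""
    rule, profile = evaluate(session)
    verdict = "Access-Accept" if profile.access_accept else "Access-Reject"
    return rule, verdict, radius_attributes(profile)


if __name__ == "__main__":
    # Constructed sample sessions: employee, OEM technician, non-Windows tablet,
    # and an employee on a personal (not domain-joined) Windows laptop.
    samples = [
        Session("jsmith", frozenset({"PlantEmployees"}), "Windows 7", "wired", "industrial", True),
        Session("oem-tech", frozenset({"TrustedPartners"}), "Windows 8.1", "wireless", "industrial", False),
        Session("guest", frozenset(), "iOS", "wireless", "industrial", False),
        Session("jsmith", frozenset({"PlantEmployees"}), "Windows 10", "wired", "industrial", False),
    ]
    for s in samples:
        print(s.user, s.device_os, "->", authorize(s))
```

The last sample shows the value of machine authentication: a known employee on a non-domain-joined Windows laptop matches no rule and receives the default deny rather than the employee VLAN.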

CHAPTER 2
System Design Considerations

This chapter includes the following major topics:


• CPwE Identity Services Technology Overview, page 2-1
• Roles and Access, page 2-8
• Industrial Zone Wired Access Design, page 2-8
• Industrial Zone Wireless Access Design, page 2-12

Note This solution provides support for user validation and authorization when using Microsoft Windows
computers within the context of the Industrial Zone. This solution does not provide support or
include other devices with Bring Your Own Device (BYOD) capabilities such as laptops not running
Windows OS, smart phones or tablets.

Note For more details about the design and implementation of the Industrial Demilitarized Zone (IDMZ)
as part of the CPwE security architecture, refer to the Securely Traversing IACS Data Across the
Industrial Demilitarized Zone Design and Implementation Guide.

CPwE Identity Services Technology Overview


With the introduction of secure employee and contractor access, the use of Cisco ISE as an identity
and access control policy platform enables organizations to enforce compliance, enhance
infrastructure security and streamline their service operations. Its architecture allows an
organization to gather real-time contextual information from the network, users and devices to make
proactive policy decisions by tying identity into various network elements including IES access
switches and Wireless LAN Controllers (WLC).
This deployment uses Cisco ISE as the authentication and authorization server for the wired and
wireless networks using RADIUS. Cisco ISE uses Microsoft Active Directory (AD) as an external
identity source to access resources such as users, computers, groups and attributes. Cisco ISE
supports Microsoft AD sites and services when integrated with AD. Cisco ISE needs an identity
certificate that is signed by a Certificate Authority (CA) server so that it can be trusted by endpoints,
gateways and servers.


This section describes Distributed ISE, Active Directory and Certificate Services and provides
design recommendations for CPwE Identity Services.

ISE Distributed Deployment


Within the CPwE architecture, the recommendation is to deploy the Cisco ISE platform as a
distributed solution. In this solution, the corporate IT department maintains the management of the
Cisco ISE platform for central management. In the distributed installation, Cisco ISE is divided into
three discrete nodes—Administration, Policy Service, and Monitoring—which are described as
follows:
• Policy Administration Node (PAN)—A CPwE Identity Services Node with the Administration
persona allows the Enterprise IT team to perform all administrative operations on CPwE Identity
Services. PAN (located within the Enterprise Zone) handles all system-related configurations
that are related to functionality such as authentication and authorization. In a CPwE-distributed
deployment, the CPwE architecture can have one or a maximum of two nodes running the
Administration persona. The Administration persona can take on the standalone, primary or
secondary role.
• Policy Service Node (PSN)—A CPwE Identity Services Node with the Policy Service persona
provides network access, plant personnel and contractors access and client provisioning and
profiling services. PSN (located within the Industrial Zone) evaluates the policies and provides
network access to computers based on the result of the policy evaluation. More than one PSN
(located within the Enterprise Zone) can assume this persona. Typically, more than one Policy
Service Node exists in a large distributed deployment. At least one node in a distributed setup
should assume the Policy Service persona. The PAN Node also can (and usually does) serve
as a PSN.

Note CPwE Identity Services recommends having a PSN in the Industrial Zone (Levels 0-3), as
shown in Figure 2-1. If the Enterprise and Industrial Zones become isolated, any existing
clients in the Industrial Zone will still be able to securely access the network.

• Monitoring Node (MnT)—A CPwE Identity Services Node with the Monitoring persona, which
functions as the log collector and stores log messages from all the Administration and Policy
Service Nodes in a network. MnT (located in the Enterprise Zone) provides advanced
monitoring and troubleshooting tools that the Enterprise IT team can use to effectively manage
a network and resources. A MnT with this persona aggregates and correlates the data that it
collects, and provides the Enterprise IT team with meaningful reports. CPwE Identity Services
allows the Enterprise IT team to have a maximum of two nodes with this persona, which can take
on primary or secondary roles for high availability. Both the primary and secondary Monitoring
Nodes collect log messages. If the primary Monitoring Node goes down, the secondary
Monitoring Node automatically becomes the primary Monitoring Node. At least one node in a
distributed setup should assume the Monitoring persona.

Note The Monitoring and Policy Service personas should not be enabled on the same CPwE
Identity Services Node. The Monitoring node should be dedicated solely to monitoring for
optimum performance.

Figure 2-1 is an example deployment of the distributed Cisco ISE configuration using the CPwE
logical framework.

Deploying Identity Services within a Converged Plantwide Ethernet Architecture


2-2 ENET-TD008A-EN-P
Chapter 2 System Design Considerations
CPwE Identity Services Technology Overview

Figure 2-1 Distributed CPwE Identity Services Architecture

[Figure: the same wired and wireless topology as Figure 1-2 (Enterprise Zone with ISE PAN/PSN, ISE
MnT, core switches and enterprise WLC; IDMZ with active/standby firewalls; Industrial Zone with ISE
PSN, core switches, active/standby WLCs, Level 3 Site Operations distribution switch, LWAP, WGB and
Cell/Area Zone devices). Callout 1 marks the PAN/PSN-to-PSN synchronization across the IDMZ and
callout 2 marks the PSN-to-MnT logging flows.]

As indicated in Figure 2-1:


1. The Enterprise Zone Cisco ISE PAN/PSN synchronizes its policy configurations with the
Industrial Zone Cisco ISE PSN.
2. The Enterprise and Industrial Cisco ISE PSNs send detailed logs to the Enterprise Cisco ISE
MnT.

Note For the recommended installation and deployment of Distributed ISE in the Industrial Zone, please
follow the best practices and deployment guidelines as prescribed in Cisco Identity Services
Engine Administrator Guide, Release 1.3, which is located at the following URL:
• http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_011.html

Active Directory Services


While Cisco ISE can maintain an internal list of users for authentication purposes, most
organizations rely on an external directory as the main identity source. By integrating with Microsoft
AD, objects such as users and groups, which can be accessed from a single source, become
critical in the authorization process.
Companies need a central repository of information about people and their access rights that
applies to both the Industrial and Enterprise Zones. AD services in the Industrial Zone should be
designed to allow secure replication of information across the IDMZ while being able to operate
independently if necessary.
The following sections describe AD and provide design recommendations for CPwE Identity
Services.


Active Directory Overview


Active Directory Domain Services (AD DS) provides a distributed database that stores and
manages information about network resources and application-specific data from directory-
enabled applications. A server that is running AD DS is called an Active Directory Domain Controller
(AD DC). Administrators can use AD DS to organize elements of a network, such as users, computers
and other devices, into a hierarchical containment structure. The hierarchical containment structure
includes the AD forest, domains in the forest and Organizational Units (OUs) in each domain.
Organizing network elements into a hierarchical containment structure provides the following
benefits:
• The forest acts as a security boundary for an organization and defines the scope of authority
for administrators. By default, a forest contains a single domain, which is known as the forest root
domain.
• Additional domains can be created in the forest to provide partitioning of AD DS data, which
enables organizations to replicate data only where it is needed. This makes it possible for AD
DS to scale globally over a network that has limited available bandwidth. An AD domain also
supports a number of other core functions that are related to administration, including
network-wide user identity, authentication and trust relationships.
• OUs simplify the delegation of authority to facilitate the management of large numbers of
objects. Through delegation, owners can transfer full or limited authority over objects to other
users or groups. Delegation is important because it helps to distribute the management of large
numbers of objects to a number of people who are trusted to perform management tasks.
Security is integrated with AD DS through logon authentication and access control to resources in
the directory. With a single network logon, administrators can manage directory data and
organization throughout their network. Authorized network users can also use a single network
logon to access resources anywhere in the network. Policy-based administration eases the
management of even the most complex network.
Additional AD DS features include the following:
• A set of rules, the schema, that defines the classes of objects and attributes that are contained
in the directory, the constraints and limits on instances of these objects and the format of their
names.
• A global catalog that contains information about every object in the directory. Users and
administrators can use the global catalog to find directory information, regardless of which
domain in the directory actually contains the data.
• A query and index mechanism, so that objects and their properties can be published and found
by network users or applications.
• A replication service that distributes directory data across a network. All writable domain
controllers in a domain participate in replication and contain a complete copy of all directory
information for their domain. Any change to directory data is replicated to all domain controllers
in the domain.
• Operations master roles (also known as flexible single master operations or FSMO). Domain
controllers that hold operations master roles are designated to perform specific tasks to verify
consistency and eliminate conflicting entries in the directory.
• Resource organizations, which are organizations that own and manage resources that are
accessible from the Internet, can deploy Active Directory Federation Services (AD FS) servers
and AD FS-enabled Web servers that manage access to protected resources for trusted
partners. These trusted partners can include external third parties or other departments or
subsidiaries in the same organization.


• Account organizations, which are organizations that own and manage user accounts, can
deploy AD FS federation servers that authenticate local users and create security tokens that
the federation servers in the resource organization use later to make authorization decisions.

Note For information about Active Directory Domain Services, please refer to the following URL:
• https://technet.microsoft.com/en-us/windowsserver/dd448614

Active Directory Deployment Recommendation


The recommended deployment of the AD DS in the CPwE architecture is based on the corporate
data center AD implementation in a single domain. Since the CPwE design consists of a set of LANs
connected by a high-speed backbone, the entire network can be a single site. The first domain
controller installed automatically creates the first site, known as the Default-First-Site-Name. After
installing the first domain controller, all additional domain controllers are automatically added to the
same site as the original domain controller.
To deploy the recommended topology, the addition of an AD DC in the Industrial Zone is required.
AD DS should be installed in accordance with the Microsoft best practices and deployment
guidelines (Deploy Active Directory Domain Services (AD DS) in Your Enterprise), which is provided
at the following URL:
• https://technet.microsoft.com/en-us/library/hh472160.aspx
For security implementation, the synchronization between the Enterprise Zone DC and the
Industrial Zone DC should be bi-directional. An AD administrator must be able to create, delete and
update accounts in the Industrial Zone and have the changes replicated to the Enterprise Zone, and
vice versa.
Directory information within a site is replicated frequently and automatically. Intra-site replication is
tuned to minimize replication latency; that is, to keep the data as up-to-date as possible. Intra-site
directory updates are not compressed. Uncompressed exchanges use more network resources
but require less domain controller processing power.

Note For information about Active Directory replication, please refer to the following resources:
• How Active Directory Replication Works
https://technet.microsoft.com/en-us/library/cc772726(v=ws.10).aspx
• Active Directory Replication Technologies
https://technet.microsoft.com/en-us/library/cc776877%28v=ws.10%29.aspx

Figure 2-2 illustrates the AD replication between the DCs in the Industrial and Enterprise Zones.


Figure 2-2 Domain Controller Bi-Directional Replication

[Figure: the Enterprise Zone (Levels 4-5) hosts the Enterprise Zone Domain Controller and ISE
(Enterprise) beside the core switches and enterprise WLC, behind the external DMZ/firewall;
active/standby firewalls form the IDMZ; the Industrial Zone (Levels 0-3) hosts the Industrial Zone
Domain Controller, ISE PSN, core switches and active/standby WLCs above the Level 3 Site Operations
distribution switch, LWAP, WGB and Cell/Area Zone devices. Callouts 1 and 2 mark the replication
flows in each direction across the IDMZ.]

As indicated in Figure 2-2:


1. The Enterprise Domain Controller replicates any changes to the Industrial Zone Domain
Controller.
2. The Industrial Domain Controller replicates any changes to the Enterprise Zone Domain
Controller.

Certificate Services
Cisco ISE needs an identity certificate that is signed by a certificate authority (CA) server so that it
can be trusted by endpoints, gateways and servers. The following sections describe certificate
services and provide design recommendations for CPwE Identity Services.

Certificate Services Overview


The certificate services or CA is a trusted entity that manages and issues security certificates and
public keys that are used for secure communication in a public network. The CA is part of the public
key infrastructure (PKI) along with the registration authority (RA) who verifies the information
provided by a requester of a digital certificate. If the information is verified as correct, the certificate
authority can then issue a certificate.
PKI is a scalable architecture that includes software, hardware and procedures to facilitate the
management of digital certificates. Certificate-based authentication methods are required for plant
personnel network access. To provide a local CA for each zone, the root CA should be configured
in the Enterprise Zone, with a subordinate CA in the secured Industrial Zone.
Certificate Services can also be used to:
• Enroll users for certificates from the CA using the Web or the Certificates Microsoft
Management Console (MMC) snap-in, or transparently through auto enrollment.


• Use certificate templates to help simplify the choices a certificate requester has to make when
requesting a certificate, depending upon the policy used by the CA.
• Take advantage of the AD service for publishing trusted root certificates, publishing issued
certificates, and publishing CRLs.
• Implement the ability to log on to a Microsoft Windows operating system domain using a smart
card.

Note For more information about CAs, please refer to Certificate Services at the following URL:
• https://technet.microsoft.com/en-us/library/cc758473%28v=ws.10%29.aspx

Certificate Services Deployment Recommendation


Within a CPwE architecture, it is recommended to choose a distributed certificate service model,
with the root CA located inside the Enterprise Zone and a subordinate CA residing in the Industrial
Zone. A root CA is the most trusted CA in a CA hierarchy. When a root CA issues certificates to other
CAs, these CAs become subordinate CAs of the root CA. While a root CA remains online, it is used to
issue certificates to subordinate CAs. The root CA does not usually issue certificates directly to
users, computers, applications or services.
AD CS can be deployed as an Enterprise CA or as a stand-alone CA, depending on the
customer-specific requirements. Both Enterprise CAs and stand-alone CAs can issue certificates for the following uses:
• Digital certificates
• Email, S/MIME
• Web servers, SSL
However, because of differences in where they are deployed and how they are integrated, Enterprise CAs and stand-alone
CAs differ as follows:
• Enterprise Root CA—This is the topmost CA in the CA hierarchy, and is the first CA installed in
the enterprise. Enterprise root CAs are reliant on AD. Enterprise root CAs issue certificates to
subordinate CAs.
• Enterprise Subordinate CA—This CA also needs AD, and is used to issue certificates to users
and computers.
• Stand-alone Root CA—A stand-alone root CA is also the topmost CA in the certificate chain. A
stand-alone root CA is not, however, dependent on AD, and can be removed from the network.
This makes a stand-alone root CA the solution for implementing a secure offline root CA.
• Stand-alone Subordinate CA—This type of CA is also not dependent on AD, and is used to
issue certificates to users, computers, and other CAs.
A root CA deployed inside the Enterprise Zone can provide the following AD CS role
services:
• Certification Authorities (CAs)—Root and subordinate CAs are used to issue certificates to
users, computers, and services, and to manage certificate validity.
• CA Web Enrollment—Web enrollment allows users to connect to a CA by means of a Web
browser in order to request certificates and retrieve certificate revocation lists (CRLs).

• Online Responder—The Online Responder service accepts revocation status requests for
specific certificates, evaluates the status of these certificates, and sends back a signed
response containing the requested certificate status information.
• Network Device Enrollment Service—The Network Device Enrollment Service allows routers
and other network devices that do not have domain accounts to obtain certificates.
• Certificate Enrollment Web Service—The Certificate Enrollment Web Service enables users
and computers to perform certificate enrollment that uses the HTTPS protocol. Together with
the Certificate Enrollment Policy Web Service, this enables policy-based certificate enrollment
when the client computer is not a member of a domain or when a domain member is not
connected to the domain.
• Certificate Enrollment Policy Web Service—The Certificate Enrollment Policy Web Service
enables users and computers to obtain certificate enrollment policy information. Together with
the Certificate Enrollment Web Service, this enables policy-based certificate enrollment when
the client computer is not a member of a domain or when a domain member is not connected
to the domain.
The subordinate CA is responsible for issuing certificates in response to clients' Certificate Signing Requests (CSRs)
and for validating authentication requests inside the Industrial Zone. In addition, to protect the root CA and its
private key from compromise, certificates should be issued to users and
devices in the Industrial Zone by the subordinate CA instead of forwarding all requests to the Enterprise Zone root CA.
Multiple subordinate CAs should be deployed inside the Industrial Zone for redundancy.

Note Please refer to the following URLs for detailed information about AD CS services:
• https://technet.microsoft.com/en-us/windowsserver/dd448615.aspx
• https://technet.microsoft.com/en-us/library/cc772192.aspx

Roles and Access


An organization's business policies will dictate the network access requirements that their solution
must enforce. The network access requirements are primarily based on the roles and
responsibilities of the personnel in their organization. CPwE Identity Services classifies personnel
roles into the following three broad categories:
• Plant Personnel or Industrial Employee
• Non-Plant Personnel or Corporate Employee
• Contractor or Trusted Partner (OEM, SI)

Industrial Zone Wired Access Design


Industrial customers need to provide on-site access for contractors and employees. Wired
Employee/Trusted Partner Access is being proposed for the Industrial Zone of the CPwE Identity
Services architecture using the following two methods:
• Plant Personnel access with direct access to Industrial Zone equipment (see Figure 2-4 on
page 2-12)

• Employee (non-Plant Personnel)/Trusted Partner access via the Remote Access Server using
Terminal Emulation for all IACS applications such as Studio 5000 Logix Designer® (see
Figure 2-3 on page 2-11)
Both of these access methods use IEEE 802.1X authentication for permitting access to the network
based on user login credentials. Access for both methods will be limited to Levels 0-3 with no
access allowed through the IDMZ firewall.

Wired Access Overview


For a user/computer to obtain access, the user must authenticate and present its credentials, which
are verified by Cisco ISE; the result is an authorization profile that is applied to the IES access layer
switch. To avoid confusion, the ports on the switch will be labeled accordingly on the plant floor
regarding which ports are open and active for use as a convenience port.
Under normal network operations, the user device would pass through the following steps before
being allowed to access the network:
1. Authentication
2. Authorization

Authentication
802.1X authentication involves three parties:
• The supplicant, which is a client computer that wishes to attach to the network
• The authenticator, which is the Stratix or Cisco IES
• The authentication server (Cisco ISE), which supports the authentication protocols
Authentication policies are used to define the protocols used by CPwE Identity Services to
communicate with the computers and the identity sources to be used for authentication. CPwE
Identity Services evaluates the conditions and, based on whether the result is true or false, applies
the configured result.

Authorization Policies
Authorization policies are critical to determine what each user is allowed to access within the
network. Authorization policies are composed of authorization rules and can contain conditional
requirements that combine one or more identity groups. The permissions granted to the user are
defined in authorization profiles, which act as containers for specific permissions.
Authorization profiles group the specific permissions granted to a user or computer and can
include tasks such as an associated VLAN and an associated downloadable ACL (dACL).
For CPwE Identity Services, an additional identity group must be defined for the purpose of
uniquely identifying corporate computers. This identity group, named Whitelist, maintains a list of
computers owned by the corporation. The Whitelist is manually updated by the IT administrator and
contains the MAC addresses of the computers that are granted access.
The following is a wired CPwE Identity Services example (as displayed in Figure 2-2 on page 2-6
and Figure 2-3 on page 2-11).
1. User attaches computer to designated Employee/Trusted Partner convenience port on the
IES.

2. Wired computers authenticate using 802.1X against the Cisco ISE PSN located within the
Industrial Zone. Initially, all computers are confined to a single default VLAN. Differentiated
access control for wired computers is provided by different RADIUS dACLs applied to the IES,
which override a pre-configured static ACL on the IES access port, and by separate VLANs. The
different access types are:
a. User is allowed complete access to the entire Industrial Zone.
b. User is allowed limited access to the specific Cell/Area Zone or to specific devices within
the Cell/Area Zone.
c. User is allowed access to the RAS.

Caution CONFIGURATION NOTE: IP Device tracking (IPDT), which operates in accordance with RFC 5227,
must be enabled on the IES in order to implement RADIUS downloadable ACL and should ONLY be
enabled on convenience and/or designated non-IACS equipment ports.

Caution IPDT should NOT be enabled on ports connected to IACS devices. IPDT uses ARP probes to
determine the IP addresses of hosts on different ports; IPDT may disrupt IACS applications. Please
see the links below for more details.
https://rockwellautomation.custhelp.com/app/answers/detail/a_id/568750
http://www.cisco.com/c/en/us/support/docs/ip/address-resolution-protocol-arp/118630-technote-ipdt-00.html

Wired Access Use Cases


The following sections describe the wired use case implementation for the Industrial
Employee, Corporate Personnel and Trusted Partner roles in CPwE Identity Services.

Wired Industrial Employee Access

Figure 2-3 CPwE Identity Services Validation - Direct Access to Devices

[Figure: Enterprise Zone, Levels 4-5 (Enterprise, Internet, WAN, External DMZ/Firewall, WLC (Enterprise), ISE PAN/PSN, ISE MnT, core switches); Industrial Demilitarized Zone (IDMZ) with active/standby firewalls; Industrial Zone, Levels 0-3 (core switches, ISE PSN, WLC active/standby, Remote Access Server (RAS), Level 3 Site Operations, distribution switch, LWAP, laptop client, WGB, Levels 0-2 PAC; Cell/Area Zone with FactoryTalk Client, I/O, drive, PACs and MCC). Callouts 1-4 mark the steps listed below.]
As indicated in Figure 2-3:


1. Wired computer (connected to IES convenience port) logs in and sends 802.1X authentication
request.
2. IES forwards RADIUS authentication request on behalf of computer to the Cisco ISE PSN.
3. The Cisco ISE PSN checks AD for the user. If found, it approves the request with a RADIUS
response that carries information on the VLAN assignment and dACL to be applied at the IES,
which verifies that the computer can directly access devices within the Industrial Zone.
4. Computer connects to desired devices.

Wired Corporate Employee/Trusted Partner Access

Figure 2-4 CPwE Identity Services Validation - Access to Devices via Remote Access Server

[Figure: Enterprise Zone, Levels 4-5 (Enterprise, Internet, WAN, External DMZ/Firewall, WLC (Enterprise), ISE PAN/PSN, ISE MnT, core switches); Industrial Demilitarized Zone (IDMZ) with active/standby firewalls; Industrial Zone, Levels 0-3 (core switches, ISE PSN, WLC active/standby, Remote Access Server (RAS), Level 3 Site Operations, distribution switch, LWAP, laptop client, WGB, Levels 0-2 PAC; Cell/Area Zone with FactoryTalk Client, I/O, drive, PACs and MCC). Callouts 1-4 mark the steps listed below.]
As indicated in Figure 2-4:


1. Wired computer (connected to the IES convenience port) logs in and sends 802.1X
authentication request.
2. IES forwards RADIUS authentication request on behalf of client to the Cisco ISE PSN.
3. The Cisco ISE PSN checks AD for the user. If found, it approves the request with a RADIUS
response that carries information on the VLAN assignment and dACL to be applied at the IES,
which verifies that the computer can only access the RAS.
4. Computer connects via Remote Desktop to RAS and uses the same login as before.
FactoryTalk® Security enforces permissions for computer.

Industrial Zone Wireless Access Design


Industrial customers need to provide onsite wireless access for contractors and employees.
Wireless Employee/Trusted Partner Access is being proposed for the Industrial Zone of the CPwE
Identity Services architecture using the following two methods:
• Plant Personnel access with direct access to Industrial Zone equipment (see Figure 2-3 on
page 2-11)
• Employee (non-Plant Personnel)/Trusted Partner access via the Remote Access Server using
Terminal Emulation for all IACS applications such as Studio 5000 Logix Designer (see Figure 2-4
on page 2-12 and Figure 2-5 on page 2-15).
Both of these access methods use IEEE 802.1X authentication for permitting access to the network
based on user login credentials. Access for both methods will be limited to Levels 0-3 with no
access allowed through the IDMZ firewall.

Note Use 2.4 GHz band for personnel access. Use only 5 GHz frequency band for critical IACS
applications such as I/O, peer to peer and safety control. For more information, please refer to the
Deploying 802.11 Wireless LAN Technology within a Converged Plantwide Ethernet Architecture
Design and Implementation Guide at the following URLs:
• http://www.cisco.com/c/en/us/td/docs/solutions/Verticals/CPwE/NovCVD/CPwE_WLAN_CVD.html
• http://literature.rockwellautomation.com/idc/groups/literature/documents/td/enet-td006_-en-p.pdf

Wireless Access Overview


For a user/computer to obtain access, the user must authenticate and present its credentials, which
are verified by Cisco ISE; the result is an authorization profile that is applied to the WLC.
Under normal network operations, the user device would pass through the following steps before
being allowed to access the network:
1. Authentication
2. Authorization

Authentication
802.1X authentication involves three parties:
• The supplicant, which is a client computer that wishes to attach to the network
• The authenticator, which is the WLC
• The authentication server (Cisco ISE), which supports the authentication protocols
Authentication policies are used to define the protocols used by CPwE Identity Services to
communicate with the computers and the identity sources to be used for authentication. CPwE
Identity Services evaluates the conditions and, based on whether the result is true or false, applies
the configured result.

Authorization Policies
Authorization policies are critical to determine what each user is allowed to access within the
network. Authorization policies are composed of authorization rules and can contain conditional
requirements that combine one or more identity groups. The permissions granted to the user are
defined in authorization profiles, which act as containers for specific permissions.
Authorization profiles group the specific permissions granted to a user or computer and can
include tasks such as an associated VLAN and ACL. Cisco Wireless LAN Controllers support
named ACLs (known as Airespace ACLs), meaning that the ACL must be previously configured on
the controller rather than being downloaded from ISE. Using the RADIUS Airespace-ACL Name
attribute-value pair, ISE instructs the WLC to apply the ACL.

For CPwE Identity Services, an additional identity group must be defined for the purpose of
uniquely identifying corporate computers. This identity group, named Whitelist, maintains a list of
computers owned by the corporation. The Whitelist is manually updated by the IT administrator and
contains the MAC addresses that are granted full access.
The following is a CPwE Identity Services wireless access example (as displayed in Figure 2-5 on
page 2-15 and Figure 2-6 on page 2-16).
1. User connects computer to designated Employee/Trusted Partner SSID.
2. Wireless computers authenticate using 802.1X against the Cisco ISE PSN located within the
Industrial Zone. Differentiated access control for wireless clients is provided by Airespace
ACLs applied to the WLC. The different access scenarios are:
a. User is allowed complete access to the entire Industrial Zone.
b. User is allowed limited access to the specific Cell/Area Zone or to specific devices within
the Cell/Area Zone.
c. User is allowed access to the RAS only.

Wireless Access Use Cases


The following sections describe the wireless use case implementation for the Industrial
Employee, Corporate Personnel and Trusted Partner roles in CPwE Identity Services.

Wireless Industrial Employee Access


Wireless plant personnel access from the Industrial Zone is a requirement that is implemented
based on the Unified Wireless Architecture already designed in Deploying 802.11 Wireless LAN
Technology within a Converged Plantwide Ethernet Architecture. Since wireless access points
support the use of multiple Service Set Identifiers (SSIDs), a Plant Personnel (Industrial Employee)
Access SSID can be defined on the APs that will allow for Plant Personnel (Industrial Employee)
user access to the wireless network. Any user connecting to the wireless network using the Plant
Personnel (Industrial Employee) Access SSID will be directed by the AP to the Wireless LAN
Controller located at Level 3. From that location, the user will validate their credentials and be
given access to the Industrial Zone, either directly or via the RAS.
Figure 2-5 is a diagram of the network architecture used in this solution.

Figure 2-5 Wireless Plant Personnel (Industrial Employee) User Access

[Figure: Enterprise Zone, Levels 4-5 (Enterprise, Internet, WAN, External DMZ/Firewall, WLC (Enterprise), ISE PAN/PSN, ISE MnT, core switches); Industrial Demilitarized Zone (IDMZ) with Remote Desktop Gateway (RDG) and active/standby firewalls; Industrial Zone, Levels 0-3 (core switches, ISE PSN, WLC active/standby, Remote Access Server (RAS), Level 3 Site Operations, distribution switch, LWAP, WGB, Levels 0-2 PAC; Cell/Area Zone with FactoryTalk Client, I/O, drive, PACs and MCC). Callouts 1-4 mark the steps listed below.]
As indicated in Figure 2-5:


1. Wireless client connects to Plant Personnel (Industrial Employee) User SSID, logs in and sends
802.1X authentication request, which gets tunneled to the local WLC.
2. WLC forwards RADIUS authentication request on behalf of client to the Cisco ISE PSN.
3. The Cisco ISE PSN checks AD for the user. If found, it approves the request with a RADIUS response that
carries information on the ACL to be applied at the Industrial WLC, which verifies that the client can
access the Industrial Zone directly or via the RAS.

Wireless Trusted Partner Access Use Cases


Wireless Trusted Partner access from the Industrial Zone is a requirement that is easily
implemented based on the Unified Wireless Architecture already designed in Deploying 802.11
Wireless LAN Technology within a Converged Plantwide Ethernet Architecture. Since wireless
access points support the use of multiple Service Set Identifiers (SSID), a Trusted Partner SSID will
be defined on the APs that will allow for Trusted Partner access to the wireless network. Any user
connecting to the wireless network using the Trusted Partner SSID will be directed by the AP to the
Trusted Partner Wireless Anchor Controller located in the corporate DMZ. From that location, the
Trusted Partner will validate their credentials, and if allowed access, will be attached to the Industrial
RAS via the Remote Desktop Gateway (RDG) in the IDMZ. They will log in and be granted access
rights based upon their login credentials in the RAS.
Figure 2-6 is a diagram of the network architecture used in this solution.

Figure 2-6 Wireless Trusted Partner Access

[Figure: Enterprise Zone, Levels 4-5 (Enterprise, Internet, WAN, External DMZ/Firewall, WLC (Trusted Partner), ISE PAN/PSN, ISE MnT, core switches); Industrial Demilitarized Zone (IDMZ) with Remote Desktop Gateway (RDG) and active/standby firewalls; Industrial Zone, Levels 0-3 (core switches, ISE PSN, WLC active/standby, Remote Access Server (RAS), Level 3 Site Operations, distribution switch, LWAP, laptop client, WGB, Levels 0-2 PAC; Cell/Area Zone with FactoryTalk Client, I/O, drive, PACs and MCC). Callouts 1-4 mark the steps listed below.]
As indicated in Figure 2-6:


1. Wireless client connects to Trusted Partner User SSID, logs in and sends 802.1X authentication
request, which gets tunneled to the local WLC.
2. WLC forwards RADIUS authentication request on behalf of client to the Cisco ISE PSN.
3. The Cisco ISE PSN checks AD for the user. If found, it approves the request with a RADIUS
response that carries information on ACL to be applied at the Trusted Partner Anchor WLC,
which verifies that the client can only access the RAS.
4. Client traffic is now tunneled to the Trusted Partner Anchor WLC, and the client connects via the
RDG to RAS using the same login as before. FactoryTalk Security enforces permissions for
client.

Wireless Corporate Employee Access


Wireless Corporate Employee access from the Industrial Zone is a requirement that is implemented
based on the Unified Wireless Architecture already designed in Deploying 802.11 Wireless LAN
Technology within a Converged Plantwide Ethernet Architecture. Since wireless access points
support the use of multiple Service Set Identifiers (SSIDs), a Corporate Employee Personnel Access
SSID will be defined on the APs that will allow for Corporate Employee user access to the wireless
network. Any user connecting to the wireless network using the Corporate Access SSID will be
directed by the AP to the Corporate Wireless LAN Controller located in the corporate network. From
that location, the Corporate User will validate their credentials, and if allowed access, will be
attached to the Industrial RAS via the RDG in the IDMZ. They will log in and be granted access rights
based upon their login credentials in the RAS.
Figure 2-7 is a diagram of the network architecture used in this solution.

Figure 2-7 Wireless Corporate Employee Personnel User Access

[Figure: Enterprise Zone, Levels 4-5 (Enterprise, Internet, WAN, External DMZ/Firewall, WLC (Enterprise), ISE PAN/PSN, ISE MnT, core switches); Industrial Demilitarized Zone (IDMZ) with Remote Desktop Gateway (RDG) and active/standby firewalls; Industrial Zone, Levels 0-3 (core switches, ISE PSN, WLC active/standby, Remote Access Server (RAS), Level 3 Site Operations, distribution switch, LWAP, WGB, Levels 0-2 PAC; Cell/Area Zone with FactoryTalk Client, I/O, drive, PACs and MCC). Callouts 1-4 mark the steps listed below.]
As indicated in Figure 2-7:


1. Wireless client connects to Corporate User SSID, logs in and sends 802.1X authentication
request, which gets tunneled to the local WLC.
2. WLC forwards RADIUS authentication request on behalf of client to the Cisco ISE PSN.
3. The Cisco ISE PSN checks AD for the user. If found, it approves the request with a RADIUS
response that carries information on ACL to be applied at the Enterprise WLC, which verifies
that the client can only access the RAS.
4. Client traffic is now tunneled to the Enterprise WLC, and the client connects via the RDG to RAS
using the same login as before. FactoryTalk Security enforces permissions for client.

CHAPTER 3
Configuring the Infrastructure

This chapter describes how to configure the Cisco ISE infrastructure in the CPwE Identity Services
architecture based on the design considerations of the previous chapters. It covers the
configuration of the network infrastructure, network services, data traversal, Web application access
and network and application security, all from an IDMZ perspective. The included configurations
have been validated during the testing effort. It includes the following major topics:
• Network Infrastructure Configuration, page 3-1
• Initial Cisco ISE Configuration, page 3-6
• Wired Access Configuration, page 3-12
• Wireless Access Configuration, page 3-20

Network Infrastructure Configuration


This section describes validated configurations for the network infrastructure that is needed to
support Cisco ISE use cases for an IACS network.
The following configuration steps are covered in this section:
• Active Directory Configuration
• DNS Configuration
• DHCP Configuration
• Certificate Services Configuration
• NTP Configuration

Active Directory Configuration


The following steps describe the configuration required to install and configure AD DS replication
between the Enterprise and Industrial Zones:

Step 1 Install AD DS services on the Enterprise server:


a. Open the Server Manager console and click Add roles and features.

b. Select Role-based or feature-based installation and then click Next.


c. Select the Active Directory Domain Services role.
d. Accept the default features required by clicking Add Features.
e. On the Features screen, click Next.
f. On the Confirm installation selections screen, click Install. Installation will complete.
g. Click Close. Once completed, notification is made available on the dashboard highlighted by an
exclamation mark.
h. Select the notification and from the drop-down menu, select Promote this server to a domain
controller (see Figure 3-1).
Step 2 Install AD DS services on the Industrial server:
a. Select Add a Domain Controller into existing domain. Confirm the target domain is specified. If
not, select the proper domain or enter the proper domain in the field provided.
b. Click Change, provide the required Enterprise Administrator credentials and then click Next.
c. Define whether the server should be a Domain Name System (DNS) server and a Global Catalog (GC).
d. Select the Site to which this DC belongs and define the Directory Services Restoration Mode
(DSRM) password for this DC.
e. Click Next on the DNS options screen.
f. In the Additional Options screen, you are provided with the option to install the Domain
Controller from Install From Media (IFM). Additionally, you are provided the option to select the
point from which DC replication should be completed. The server will choose the best location
for AD database replication if not specified. Click Next once completed.
g. Specify location for AD database and SYSVOL and then click Next.
h. The next step is Schema and Domain preparation. Alternatively, you could run Adprep prior to
commencing these steps. Regardless, if it is detected that Adprep has not been run, it will automatically be
completed on your behalf.
i. Finally the Review Options screen provides a summary of all of the selected options for server
promotion. As a bonus, after clicking View Script, you are provided with the PowerShell script to
automate future installations. Click Next to continue.
j. Should all the prerequisites pass, click Install to start the installation. After it completes the
required tasks and the server restarts, the new Windows Server 2012 Domain Controller setup
is completed (see Figure 3-1).

Note For testing purposes, the following services were installed on a single server: AD DS, DHCP,
DNS and Certificate Services.

Figure 3-1 Windows Server 2012 Server Manager View

k. Set up the firewall to allow traffic between the servers for replication.
Step 3 Configure AD replication:
a. From the Active Directory Sites and Services tool in the Administrative Tools program group,
expand the Sites folder.
b. Right-click the Default-First-Site-Name item and then choose Rename.
c. Rename the site to Enterprise-AD.
d. Create a new site by right-clicking the Sites object and then selecting New Site.
e. On the New Object-Site dialog box, type a site name.
f. Click the DEFAULTIPSITELINK item. An information screen displays.
g. Click OK to create the site.
h. Create another new site. Again, choose the DEFAULTIPSITELINK item. Notice the new site is
listed in the Sites object.
i. When you are finished, close the Active Directory Sites And Services tool.
Step 4 Create subnets to define IP address ranges for AD DCs:
a. From the Active Directory Sites and Services tool in the Administrative Tools program group,
expand the Sites folder.
b. Right-click the Subnets folder and then click New Subnet. In the New Object-Subnet dialog box,
you are prompted for information about the IPv4 or IPv6 details for the new subnet.
c. Click the site, and then click OK to create the subnet.
d. In the Active Directory Sites and Services tool, right-click the newly created 10.1.1.0/24 subnet
object and then click Properties.
e. On the subnet's Properties dialog box, type 100Mbit LAN for the description. Click OK to
continue.
f. Create a new subnet for the Industrial AD DC by filling in the Address and Site fields.
g. Finally, create another subnet for the Enterprise AD DC by filling in the Address and Site fields.

Figure 3-2 Windows Server 2012 Active Directory Sites and Services Window

Refer to the following URL for more details on Active Directory setup:
• https://technet.microsoft.com/en-us/library/hh831477.aspx
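The following PowerShell script is an added example and is not part of this guide's validated configuration; it performs the equivalent of Steps 2 through 4 above from the command line, using the AD DS deployment and ActiveDirectory modules that ship with Windows Server 2012. The site name Enterprise-AD, the subnet 10.1.1.0/24 and the description 100Mbit LAN are taken from the steps above; the domain name cpwe.example, the site name Industrial-AD, the subnet 10.20.1.0/24 and the Enterprise DC name and address (ENT-DC1, 10.1.1.10) are placeholders rather than values from the testbed. The sites and subnets are created first so that the Industrial DC can be promoted directly into its own site.

```powershell
# Added example (not from the guide): PowerShell equivalent of Steps 2-4 above.
# Placeholders (not given in the guide): domain "cpwe.example", site "Industrial-AD",
# subnet "10.20.1.0/24", Enterprise DC "ENT-DC1" at 10.1.1.10.

# --- Steps 3 and 4 equivalent, run on the Enterprise DC: sites and subnets ---
Import-Module ActiveDirectory
$sitesDN = "CN=Sites," + (Get-ADRootDSE).configurationNamingContext

# Step 3b/c: rename Default-First-Site-Name to Enterprise-AD
Rename-ADObject -Identity "CN=Default-First-Site-Name,$sitesDN" -NewName "Enterprise-AD"

# Step 3d-h: create the Industrial site and attach it to DEFAULTIPSITELINK
New-ADReplicationSite -Name "Industrial-AD"
Set-ADReplicationSiteLink -Identity "DEFAULTIPSITELINK" -SitesIncluded @{Add = "Industrial-AD"}

# Step 4: one subnet per zone, so clients in each zone locate the DC in their own site
New-ADReplicationSubnet -Name "10.1.1.0/24"  -Site "Enterprise-AD" -Description "100Mbit LAN"
New-ADReplicationSubnet -Name "10.20.1.0/24" -Site "Industrial-AD" -Description "Industrial Zone LAN"

# --- Step 2 equivalent, run on the Industrial server ---
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools          # step 1a-g equivalent

$promote = @{
    DomainName                    = "cpwe.example"                                    # existing domain (placeholder)
    Credential                    = (Get-Credential -Message "Enterprise Administrator")  # step b
    InstallDns                    = $true                                             # step c: DNS role (GC is the default)
    SiteName                      = "Industrial-AD"                                   # step d: site created above
    SafeModeAdministratorPassword = (Read-Host -AsSecureString "DSRM password")       # step d
    ReplicationSourceDC           = "ENT-DC1.cpwe.example"                            # step f: replicate from the Enterprise DC
    DatabasePath                  = "C:\Windows\NTDS"                                 # step g: defaults
    SysvolPath                    = "C:\Windows\SYSVOL"
    LogPath                       = "C:\Windows\NTDS"
    Force                         = $true                                             # step j: no confirmation prompt
}
# Step h: Adprep runs automatically during promotion if the schema has not been prepared.
# The server restarts when promotion completes.
Install-ADDSDomainController @promote

# Step k: permit AD DS replication from the Enterprise DC only (standard AD DS ports; the
# dynamic RPC range is 49152-65535 on Server 2008 and later). The IDMZ firewall must
# permit the same ports between the two DC addresses.
New-NetFirewallRule -DisplayName "AD DS replication from Enterprise DC" -Direction Inbound `
    -Protocol TCP -LocalPort 53,88,135,389,445,464,636,3268,3269,49152-65535 `
    -RemoteAddress 10.1.1.10 -Action Allow
```

Restricting the firewall rule to the Enterprise DC address rather than the whole Enterprise Zone keeps the replication path consistent with the IDMZ principle that only explicitly required traffic crosses between zones.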

DNS Configuration
Refer to the following URL for guidance and procedures on configuring DNS:
• https://technet.microsoft.com/en-us/library/cc730921.aspx

DHCP Configuration
Refer to the following URL for guidance and procedures on configuring DHCP:
• https://technet.microsoft.com/en-us/library/cc755282.aspx

Certificate Services Configuration


This section describes the configuration of certificate services using the Microsoft Server implementation.
Public Key Infrastructure (PKI) is a scalable architecture that includes software, hardware and
procedures to facilitate the management of digital certificates. PEAP-based authentication was
used for personnel authentication. To provide a local CA for each zone, the root CA was configured
in the Enterprise Zone, with a subordinate CA in the secured Industrial Zone.

Step 1 Set up the root CA in the Enterprise Zone:


a. From Server Manager, click Add Roles and then click Next.
b. Click Active Directory Certificate Services and then click Next twice.
c. On the Select Role Services page, click Certification Authority and then click Next.
d. On the Specify Setup Type page, click Standalone or Enterprise and then click Next.

Note You must have a network connection to an AD DC in order to install an Enterprise CA.

e. On the Specify CA Type page, click Root CA and then click Next.

f. On the Set Up Private Key page, click Create a new private key and then click Next.
g. On the Configure Cryptography page, select a cryptographic service provider, key length, and
hash algorithm and then click Next.
h. On the Configure CA Name page, create a unique name to identify the CA and then click Next.
i. On the Set Validity Period page, specify the number of years or months that the root CA
certificate will be valid and then click Next.
j. On the Configure Certificate Database page, accept the default locations unless you want to
specify a custom location for the certificate database and certificate database log and then
click Next.
k. On the Confirm Installation Options page, review all of the configuration settings that you have
selected (see Figure 3-3). If you want to accept all of these options, click Install and wait until the
setup process has finished.

Figure 3-3 Windows Server 2012 Root Certification Authority Window

Step 2 Set up subordinate CA in the Industrial Zone:


a. From Server Manager, click Add Roles and then click Next.
b. Click Active Directory Certificate Services and then click Next twice.
c. On the Select Role Services page, click Certification Authority and then click Next.
d. On the Specify Setup Type page, click Enterprise CA and then click Next.
e. On the Specify CA Type page, click Subordinate CA and then click Next.
f. On the Set Up Private Key page, click Create a new private key and then click Next.
g. On the Configure Cryptography page, select a cryptographic service provider, key length and
hash algorithm. Click Next.
h. On the Request Certificate page, browse to locate the root CA, or if the root CA is not connected
to the network, save the certificate request to a file so that it can be processed later. Click Next.
i. On the Configure CA Name page, create a unique name to identify the CA. Click Next.
j. On the Set Validity Period page, specify the number of years or months that the CA certificate
will be valid. Click Next.
k. On the Configure Certificate Database page, accept the default locations unless you want to
specify a custom location for the certificate database and certificate database log.
l. On the Confirm Installation Options page, review all of the configuration settings that you have
selected (see Figure 3-4). If you want to accept all of these options, click Install and wait until the
setup process has finished.


Figure 3-4 Windows Server 2012 Subordinate Certification Authority Window

Step 3 Create a certificate template with intended purposes of Server and Client Authentication. This
template is needed for Cisco ISE system certificates to function properly. To create the template,
refer to the following guide:
• http://social.technet.microsoft.com/wiki/contents/articles/13303.windows-server-2012-certificate-template-versions-and-options.aspx

NTP Configuration
Cisco ISE requires NTP servers for each zone so that it can synchronize the time across the
distributed setup and avoid problems with certificate validity, unsynchronized logs, etc. To
configure NTP, refer to Network Time Protocol: Best Practices White Paper for best practices:
• http://www.cisco.com/c/en/us/support/docs/availability/high-availability/19643-ntpm.html

Initial Cisco ISE Configuration


This section describes validated configurations to perform the initial Cisco ISE setup that is
required before configuring authentication and authorization policies for clients.
The following configuration steps are covered in this section:
• Prerequisite Configuration
• Distributed Setup Configuration
• External Identity Source (AD) Configuration
• Whitelist Configuration
• Network Device Configuration

Prerequisite Configuration
The following steps describe the prerequisite configuration needed before proceeding with the
initial Cisco ISE setup:

Step 1 Import a Plus (or higher) license on the PAN:


a. Obtain the license file from Cisco.
b. From Administration > System > Licensing, scroll to the License Files section.
c. Click Import License, browse for the license file and then click Import.
d. Confirm that the new license is displayed in the License Files section (see Figure 3-5).


Figure 3-5 Cisco ISE License Import Window

Step 2 Install a server certificate signed by the root CA on each Cisco ISE node:
a. From Administration > System > Certificates, choose Certificate Signing Requests in the left
pane.
b. Click Generate Certificate Signing Requests (CSR), fill in the required fields and then click
Generate (see Figure 3-6).
c. Click Export in the window that appears to download the request.
d. From https://<CA_IP_ADDRESS>/certsrv/ > Request a certificate > Advanced Certificate
Request, click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or
submit a renewal request by using a base-64-encoded PKCS #7 file.
e. Paste the contents of the CSR > Select the certificate template > Submit > Download the
certificate chain > convert the extension to .csr format.

Note The certificate template selected should be the same one configured as part of the
Certificate Services infrastructure configuration.

f. Select the check box of the CSR and then click Bind Certificate to attach the CA-signed
certificate. The certificate then becomes one of the system certificates.
g. Browse to the certificate file returned by the CA, fill in the Friendly Name field, if desired, and
then click Submit.
h. Once complete, click System Certificates in the left pane and verify that the new server
certificate appears there. Select its check box and then click Edit.
i. Under Usage, check all boxes to allow this certificate to be used by all services. Finally, click
Save.

Note For disaster recovery, Cisco recommends exporting all system certificates and their private
key pairs to a reliable backup location.

Note When the system certificate is uploaded, the root and subordinate CA certificates are also
added to the Trusted Certificates store automatically (see Figure 3-7).


Figure 3-6 Cisco ISE Certificate Signing Requests Window

Figure 3-7 Cisco ISE Trusted Certificates Window

Step 3 Configure each Cisco ISE node with the domain name and DNS server in their respective zone:
From the CLI (not configurable via GUI), enter the following commands:
ip domain-name <DOMAIN NAME>
ip name-server <DNS SERVER IP ADDRESS>

Step 4 Confirm each Cisco ISE node is in the correct mode to create the distributed setup (PAN primary,
all other nodes standalone):
a. On the PAN, from Administration > System > Deployment, click the node name in the table.
b. Under Personas and next to Administration, change the Role from STANDALONE to PRIMARY
and then click Save.
c. Wait for Cisco ISE services to restart, then return to the Deployment page and confirm the PAN
Administration Role is now PRIMARY.


d. On the other Cisco ISE nodes, from Administration > System > Deployment, click the node
name and confirm that the Role is STANDALONE. If not, follow the same procedure as above to
change it.

Figure 3-8 Cisco ISE Deployment Roles Window

Distributed Setup Configuration


As discussed in “System Design Considerations”, the Cisco ISE distributed setup supports
centralized configuration and management. The distributed setup consists of three types of nodes,
as described in Table 3-1:
Table 3-1 Cisco ISE Distributed Setup Node Types

Type of Node       Admin node (PAN)                   Policy node (PSN)                  Monitoring node (MnT)
Location in CPwE   Enterprise Zone                    Industrial Zone                    Enterprise Zone
Feature            All system-related configuration   Evaluates the policies and makes   Log collector; stores all the log
                   (that is, AuthC, AuthZ profiles)   all the decisions                  messages

To establish the distributed setup, follow the Cisco ISE 1.3 Distributed Setup Guide located at:
• http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_011.html

Note Once the distributed setup has been created, all configurations should be performed on the PAN,
since that node will then synchronize with the others automatically. The GUI for the other Cisco ISE
nodes will have only limited configuration options available.


External Identity Source (AD) Configuration


The following steps describe the configuration of AD as an external identity source for Cisco ISE:

Step 1 Create the AD join point:


a. From Administration > Identity Management > External Identity Sources, click Active Directory
in the left pane.
b. Click Add and then type any desired value for the Join Point Name and the domain to join for
the Active Directory Domain.
c. Once finished, click Submit.
Step 2 Join the AD domain using the join point:
a. Once the join point has been created, all distributed Cisco ISE nodes should be listed and show
a status of “Not Joined.” Select each node's check box and then click Join.
b. Specify a User Name and Password with permissions to join the domain and then click OK. If
the operation succeeds, the node will show a status of "Operational" and the host name of the
local AD server (see Figure 3-9).

Figure 3-9 Cisco ISE AD Join Point Window

Step 3 Retrieve all necessary groups from the AD server (as configured in Active Directory section above):
a. From the Active Directory Join Point window, click the Groups tab.
b. From Add > Select Groups from Directory, click Retrieve Groups.
c. Select the check boxes for any groups that will be referenced in client policies and then click
OK.
d. Verify that the groups are now listed in the table (see Figure 3-10) and then click Save.


Figure 3-10 Cisco ISE AD Groups Window

Whitelist Configuration
The following steps describe the configuration of the Whitelist:

Step 1 Add a corporate device manually to the Whitelist:


a. From Administration > Identity Management > Identities > Endpoints, click Add.
b. On the Endpoint page, enter the MAC address in the MAC Address field.
c. Select the Static Group Assignment check box and then select Whitelist from the Identity
Group Assignment drop-down menu.
d. At the bottom of the window, click Save (see Figure 3-11).

Figure 3-11 Cisco ISE Endpoints Page

Network Device Configuration


This section describes how to define network devices (such as a switch or a router) through which
RADIUS service requests are sent to Cisco ISE. You must define network devices for Cisco ISE to
be able to interact with them.
The following steps describe the configuration of network devices:


Step 1 Create network device groups to organize network devices by type and location, if desired. For this
procedure, refer to:
• http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_01001.html#reference_2424A156765D42E98207B93A0E0F0CB3
Step 2 Add any network devices that will send RADIUS requests to Cisco ISE on behalf of clients:
a. From Administration > Network Resources > Network Devices, click Add.
b. Fill in the Name field with the hostname of the device.
c. Fill in the IP Address field with the address of the device.
d. Under Network Device Group, select either the default location and type or any specific groups
created earlier.
e. Select the check box next to Authentication Settings, expand it and then enter the desired
RADIUS shared secret.

Note The RADIUS shared secret must match the one configured on the network device itself, or
RADIUS exchanges will fail.

f. Click Save (see Figure 3-12).

Figure 3-12 Cisco ISE Add Network Device Window

Wired Access Configuration


This section describes configuration details for Cisco ISE and the IES based on the design
recommendations in System Design Considerations.
The following configuration steps are covered in this section:


• Cisco ISE Configuration
• IES Configuration

Cisco ISE Configuration


This section describes how to configure Cisco ISE to properly authenticate and authorize wired
computers and limit their access to the network.
The following configuration steps are covered in this section:
• Identity Store Sequence Configuration
• Policy Element Configuration
• Authentication Policy Configuration
• Authorization Policy Configuration
• Client Configuration

Identity Store Sequence Configuration


The following steps describe the configuration of identity store sequences:

Step 1 Create a certificate authentication profile:


a. From Administration > Identity Management > External Identity Sources, click Certificate
Authentication Profile in the left pane and then click Add.
b. Fill in the Name field with any desired name.
c. Select the AD join point from the Identity Store drop-down.
d. Next to Use Identity From, select Any Subject or Alternative Name Attributes in the Certificate
(for Active Directory Only).
e. Finally, click Submit (see Figure 3-13).

Figure 3-13 Cisco ISE Certificate Authentication Profile Window

Step 2 Create the identity store sequence:


a. From Administration > Identity Management > Identity Source Sequences, click Add.
b. Fill in the Name field as All_Stores_Sequence.


c. Select the check box next to Certificate Based Authentication and then select the certificate
profile created in the previous step from the drop-down.
d. Under Authentication Search List, in the Available list, select the AD join point and then click the
right arrow button to move it to the selected list.
e. Under Advanced Search List Settings, select Do not access other stores in the sequence and
set the AuthenticationStatus attribute to ProcessError.
f. Finally, click Save (see Figure 3-14).

Figure 3-14 Cisco ISE Identity Source Sequence Window

Policy Element Configuration


The following steps describe the configuration of policy elements:

Step 1 Create the allowed protocol service to define which protocols are allowed for authentication:
a. From Policy > Policy Elements > Results, expand Authentication in the left pane and select
Allowed Protocols.
b. Click Add.
c. Fill in the Name field and select the check boxes for only the authentication protocols that will
be used by wired clients.
d. Once complete, click Save (see Figure 3-15).


Figure 3-15 Cisco ISE Allowed Protocol Service Window

Step 2 Create the downloadable ACLs:


a. From Policy > Policy Elements > Results, expand Authorization in the left pane and select
Downloadable ACLs.
b. Click Add.
c. Fill in the Name field and then add the desired ACL entries in the DACL Content area. These
ACL entries are defined in the same fashion as Cisco IOS.
d. To validate the ACL, expand Check DACL Syntax and click Recheck.
e. Confirm that the returned text is "DACL is valid" and then click Submit (see Figure 3-16).

Figure 3-16 Cisco ISE Downloadable ACL Window

Step 3 Create an authorization profile to limit wired clients based on the rules defined here:
a. From Policy > Policy Elements > Results, expand Authorization > Authorization profiles.
b. Click Add to add a profile.


c. Fill in the Name field.
d. Choose the Access Type from the Access Type drop-down menu.
e. Check the DACL Name check box to choose a DACL from the drop-down menu.
f. Check the VLAN check box to assign the client's traffic to a VLAN.
g. Enter the VLAN number in the ID/Name field.
h. Click Save (see Figure 3-17).

Figure 3-17 Cisco ISE Authorization Profile Window

Authentication Policy Configuration


The following steps describe the configuration of authentication policies for wired clients:

Step 1 Create an authentication policy for wired clients:


a. From Policy > Authorization, select Policy Type as Rule-Based.
b. Click Edit to insert an authentication rule below or above the existing rule (or duplicate the
policy above or below the existing rule).
c. Enter the rule name in the Standard Rule box and choose the condition from Select condition
> Select Existing Condition from the Library.
d. From the Select condition drop-down menu, choose Compound Conditions and then the wired
802.1X condition.
e. From the Network Access drop-down menu, click Allowed Protocols.
f. Choose the Protocol you wish to allow.
g. Click Done to save the configuration (see Figure 3-18).


Figure 3-18 Cisco ISE Authentication Policy Window

Authorization Policy Configuration


The following steps describe the configuration of authorization policies for wired clients:

Step 1 Create an authorization policy for wired clients:


a. From Policy > Authorization, choose how the rule applies from the drop-down menu (First
Matched Rule Applies or Multiple Matched Rule Applies).
b. Click Edit to insert the authorization rule below or above the existing rule (or duplicate the
policy above or below the existing rule).
c. Enter the rule name in the Standard Rule box.
d. Click the Any drop-down menu in the If box.
e. From Any > Endpoint Identity Group > Whitelist, choose the condition from Select condition
> Select Existing Condition from Library.
f. From the Select condition drop-down menu, choose Compound Conditions and then the wired
802.1X condition.
g. Click Edit to expand the Profiles.
h. Click the Select an item drop-down menu to choose a profile.
i. Click Standard and choose the permission rule from the menu.
j. Click Done to save the configuration (see Figure 3-19).

Figure 3-19 Cisco ISE Authorization Policy Window

IES Configuration
This section describes how to configure the IES hosting the convenience port(s) to communicate
with the computer via 802.1X, relay these requests to Cisco ISE via RADIUS and limit the computer’s
access based on the authorization result.


The following configuration steps are covered in this section:


• VLAN Configuration
• AAA and RADIUS Configuration
• ACL Configuration
• 802.1X Configuration

VLAN Configuration
Log in to the IES and, in global configuration mode, enter the VLAN IDs to create the VLANs
(as defined in the authorization profiles configured on Cisco ISE):
(config)# vlan 181,182,183,351

AAA and RADIUS Configuration


The following steps describe the RADIUS configuration on the IES access switch:

Step 1 The following steps are required to configure the IES switch for AAA:
a. Enable Authentication, Authorization, and Accounting (AAA):
(config)# aaa new-model

b. Create an authentication method for 802.1X (the default method uses all RADIUS servers for authentication):
(config)# aaa authentication dot1x default group radius

c. Create an authorization method for 802.1X (enables RADIUS for policy enforcement):
(config)# aaa authorization network default group radius

d. Create an accounting method for 802.1X (provides additional information about sessions to
Cisco ISE):
(config)# aaa accounting dot1x default start-stop group radius

e. Add the Cisco ISE server to the RADIUS group:
(config)# radius-server host 10.225.41.115 auth-port 1812 acct-port 1813 key shared-secret

Step 2 The following steps are required to configure the IES access switch for RADIUS:
a. Configure the Cisco ISE server dead criteria (15 seconds total: 3 retries of a 5-second timeout):
(config)# radius-server dead-criteria time 5 tries 3

b. Configure the switch to send Cisco Vendor-Specific attributes:


(config)# radius-server vsa send accounting
(config)# radius-server vsa send authentication

c. Configure the Cisco Vendor-Specific attributes:


(config)# radius-server attribute 6 on-for-login-auth
(config)# radius-server attribute 8 include-in-access-req
(config)# radius-server attribute 25 access-request include

d. Configure the interface whose IP address is used to source RADIUS messages:
(config)# ip radius source-interface Vlan4093

ACL Configuration
The following describes the configuration of ACLs on the IES access switch:
Log in to the IES and, in global configuration mode, enter the extended access list to be applied
on the interface during client login to restrict access:
ip access-list extended ACL-DEFAULT
 permit udp any eq bootpc any eq bootps log
 permit udp any host <DNS_Server_IP_Address> eq domain
 deny ip any any log

Note ACL-DEFAULT: This ACL is configured on the IES and used as the default ACL on the port. Its
purpose is to prevent unauthorized access; before authentication it permits only DHCP and DNS to the
named server. In an 802.1X authentication/authorization scenario, ACL-DEFAULT remains in effect after
the computer is authenticated and authorized if no DACL is applied to the port, or if the downloadable
ACL contains a syntax error, because the IES rejects a DACL sent by Cisco ISE that it cannot parse.

802.1X Configuration
The following describes the 802.1X configuration on the IES:
Enable 802.1X globally (this command by itself does not enable authentication on the switch ports):
(config)# dot1x system-auth-control

Step 1 The following steps describe the configuration on the desired convenience port:
a. Enable IP device tracking:
(config)# ip device tracking

b. Configure the authentication method priority on the interface:


(config-if)# authentication priority dot1x

c. Configure the authentication method order (dot1x first):


(config-if)# authentication order dot1x

d. Enable Flex-Auth:
(config-if)# authentication event fail action next-method

e. Enable support for more than one MAC address on the physical port:
(config-if)# authentication host-mode multi-auth

f. Configure the violation action (restrict access for additional devices that may fail
authentication):
(config-if)# authentication violation restrict

g. Enable port for 802.1X:


(config-if)# dot1x pae authenticator

h. Configure timers:
(config-if)# dot1x timeout tx-period 10

i. Turn authentication on:


(config-if)# authentication port-control auto

j. Apply ACL to the port:


(config-if)# ip access-group ACL-DEFAULT in

k. Make the port an access port:
(config-if)# switchport mode access

l. Assign the port to a specific access VLAN initially, so that it can authenticate with Cisco ISE:
(config-if)# switchport access vlan <number>

Caution CONFIGURATION NOTE: IP Device tracking (IPDT), which operates in accordance with RFC 5227,
must be enabled on the IES to implement RADIUS downloadable ACL and should ONLY be enabled
on convenience and/or designated non-IACS equipment ports.

Caution IPDT should NOT be enabled on ports connected to IACS devices. IPDT uses ARP probes to
determine the IP addresses of hosts on different ports, and these probes may disrupt IACS applications.
Refer to the following URLs for more details:
https://rockwellautomation.custhelp.com/app/answers/detail/a_id/568750
http://www.cisco.com/c/en/us/support/docs/ip/address-resolution-protocol-arp/118630-technote-ipdt-00.html
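As an added example (not Cisco or Rockwell Automation code), the following Python script audits an IES running-config against the global and convenience-port commands listed in the VLAN, AAA/RADIUS, ACL and 802.1X steps above, skipping ports that carry no 802.1X commands (the IACS device ports the cautions refer to). The sample configuration, the interface names, the DNS server address and the RADIUS key are constructed placeholders.

```python
from typing import Dict, List, Tuple

REQUIRED_GLOBAL = [                      # global commands the guide requires on the IES
    "aaa new-model",
    "aaa authentication dot1x default group radius",
    "aaa authorization network default group radius",
    "aaa accounting dot1x default start-stop group radius",
    "dot1x system-auth-control",
    "ip device tracking",
]
REQUIRED_PORT = [                        # per-convenience-port commands (core subset)
    "switchport mode access",
    "authentication host-mode multi-auth",
    "authentication violation restrict",
    "dot1x pae authenticator",
    "authentication port-control auto",
    "ip access-group ACL-DEFAULT in",
]


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split an IOS-style config into un-indented lines and, per block header
    (interface ..., ip access-list ...), the list of its indented child lines."""
    top: List[str] = []
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None                   # '!' or a blank line ends the block
        elif line.startswith(" "):
            if current is not None:
                blocks[current].append(line.strip())
        else:
            current = line
            top.append(line)
            blocks[line] = []
    return top, blocks


def audit(text: str) -> List[str]:
    """Return findings; an empty list means the config matches the guide's settings."""
    top, blocks = parse_config(text)
    findings = [f"global: missing '{cmd}'" for cmd in REQUIRED_GLOBAL if cmd not in top]
    if not any(l.startswith("radius-server host ") for l in top):
        findings.append("global: no RADIUS server (Cisco ISE PSN) defined")
    acl = blocks.get("ip access-list extended ACL-DEFAULT")
    if acl is None:
        findings.append("acl: ACL-DEFAULT is not defined")
    elif not acl or not acl[-1].startswith("deny ip any any"):
        findings.append("acl: ACL-DEFAULT must end with an explicit 'deny ip any any'")
    for header, lines in blocks.items():
        if not header.startswith("interface "):
            continue
        name = header.split(" ", 1)[1]
        # any 802.1X command marks a convenience port; IACS device ports are skipped
        if not any(l.startswith(("authentication ", "dot1x ")) for l in lines):
            continue
        findings += [f"{name}: missing '{cmd}'" for cmd in REQUIRED_PORT if cmd not in lines]
        if not any(l.startswith("switchport access vlan ") for l in lines):
            findings.append(f"{name}: no initial access VLAN assigned")
    return findings


# Constructed sample: Gi1/1 follows the guide, Gi1/2 lacks two commands, Gi1/3 is an
# IACS device port with no 802.1X. The RADIUS key and DNS address are placeholders.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
ip device tracking
radius-server host 10.225.41.115 auth-port 1812 acct-port 1813 key PLACEHOLDER-SECRET
!
ip access-list extended ACL-DEFAULT
 permit udp any eq bootpc any eq bootps log
 permit udp any host 10.0.0.53 eq domain
 deny ip any any log
!
interface GigabitEthernet1/1
 switchport mode access
 switchport access vlan 181
 authentication host-mode multi-auth
 authentication violation restrict
 dot1x pae authenticator
 authentication port-control auto
 ip access-group ACL-DEFAULT in
!
interface GigabitEthernet1/2
 switchport mode access
 switchport access vlan 181
 authentication host-mode multi-auth
 dot1x pae authenticator
 authentication port-control auto
!
interface GigabitEthernet1/3
 switchport mode access
 switchport access vlan 351
"""
```

Running audit(SAMPLE_CONFIG) reports only the two commands missing on GigabitEthernet1/2; remove a global line from the sample and the corresponding global finding appears.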

Client Configuration
Wired clients must be preconfigured to use the proper authentication method before they can be
authenticated and authorized via a convenience port. Refer to the following URL for guidance on
configuring Windows clients:
• http://windows.microsoft.com/en-us/windows/enable-802-1x-authentication#1TC=windows-7

Wireless Access Configuration


This section describes configuration details for Cisco ISE and the WLC based on the design
recommendations in System Design Considerations.
The following configuration steps are covered in this section:
• Cisco ISE Configuration
• Industrial WLC Configuration
• Trusted Partner Anchor WLC Configuration
• Corporate Employee Anchor WLC Configuration


Cisco ISE Configuration


This section describes how to configure Cisco ISE to properly authenticate and authorize wireless
clients and limit their access to the network.
The following configuration steps are covered in this section:
• Identity Store Sequence Configuration
• Policy Element Configuration
• Authentication Policy Configuration
• Authorization Policy Configuration

Identity Store Sequence Configuration


Refer to Identity Store Sequence Configuration, page 3-13 for this configuration.

Policy Element Configuration


The following steps describe the configuration of policy elements:

Step 1 Create simple conditions:


a. From ISE PAN node > Policy > Policy Elements > Conditions > Authorization > Simple
Conditions, click Add.
b. For every SSID, create a simple rule as shown in Figure 3-20.

Figure 3-20 Industrial_Employee_WLAN Condition

Note The attribute value (7 in the case above) must match the WLAN ID configured on the wireless
LAN controller for that SSID (Industrial_Employee_WLAN in the case above).

c. Similarly, create a simple condition for each of the remaining SSIDs, that is:
– Trusted_Partner_WLAN: Airespace:Airespace-Wlan-Id Equals 4
– Corporate_Employee_WLAN: Airespace:Airespace-Wlan-Id Equals 6
Step 2 To give Industrial Employees full access on the plant floor, create a compound condition in
Cisco ISE that includes the expressions shown in Figure 3-21.


Figure 3-21 Wireless_PEAP Compound Condition

Step 3 Follow the same format for the Industrial partial-access and RAS-only access use cases.
Step 4 An authorization profile acts as a container in which a number of specific permissions allow
access to a set of network services. An Airespace ACL controls access on the network. Since this user
has access to every device on the plant floor, the Airespace ACL applied here is ACL_Full_Access.

Note The ACL is configured in WLC. Refer to ACL Configuration using GUI, page 3-40 for more
detail.

Figure 3-22 Airespace ACL Name Selection

Authentication Policy Configuration


Authentication policies define the protocols Cisco ISE uses to communicate with the endpoints and
the identity sources used for authentication. Cisco ISE evaluates the conditions and, depending on
whether the result is true or false, applies the configured result. An authentication policy
includes:


• An allowed protocol service, such as PEAP, EAP-TLS, etc.
• An identity source used for authentication
Similar to the way access lists are processed, authentication rules are processed from the top
down. When the first condition is met, processing stops and the assigned identity rule is used.
The rules are evaluated using "If, then, else" logic:
IF Wireless_802.1X Then
    Allow EAP-TLS and PEAP
Else if next condition
    Take action
Else
    Use Default Rule
The following steps describe the configuration of authentication policies for wireless clients:

Step 1 Configure AuthC policy:


a. From Policy > Authentication, either customize the default Wireless dot1x policy or insert a new
policy above/below any existing policy by clicking the down arrow beside Edit.
b. Enter a rule name (such as Wireless dot1x AuthC).
c. Click + beside the "If" condition > Select Existing Condition from Library > Select Condition >
Compound Conditions > Wireless_802.1X.
d. Select Allowed protocols as EAP-TLS and PEAP.

Note For more information on how to customize allowed protocols, see Figure 3-15 on page 3-15.

Step 2 Define Network Access Conditions:


a. Click the default condition, change the Identity store from Internal Users to
All_Stores_Sequence and keep the other options at their defaults.
b. Beside the default rule, from Action > Insert new row above, enter the store rule name.
c. Click the small square to open expression builder > Create New condition > Network
Access:EapAuthentication EQUALS EAP-TLS.
d. In the Use section, change the Identity store from Internal Users to All_Stores_Sequence and
keep other options as default.
Repeat the previous two steps to create a rule for PEAP: Network Access: EapTunnel EQUALS
PEAP.
e. In the Use section, change the Identity store from Internal Users to All_Stores_Sequence and
keep other options as default.
Step 3 Click OK.


Figure 3-23 Authentication Rules

In a normal deployment scenario, the endpoints would primarily use the 802.1X protocol to
communicate with Cisco ISE. Cisco ISE authenticates these endpoints against an AD or
authenticates them via digital certificates.
The default Authentication policy is Deny Access.

Authorization Policy Configuration


Authorization policies define the overall security policy to access the network. Network
authorization controls user access to the network and its resources and what each device can do
on the system with those resources. An Authorization Policy is composed of multiple rules.
Authorization rules are defined by three main elements:
• Names
• Conditions
• Permissions
Permissions are enforced by authorization profiles. Similar to the authentication rules, authorization
rules are processed from the top down. When the first condition is met, processing stops and the
assigned permission dictates what authorization policy to use. The four conditions are:
1. Match the SSID: Airespace:Airespace-Wlan-Id Equals 7
2. Match Wireless client: Radius:Service-Type equals Framed and Radius:NAS-Port-Type Equals
Wireless - IEEE 802.11
3. Match external groups AD2: ExternalGroups Equals
cpwe-ra-cisco.local/Users/Industrial_Employee_Full
4. Network Access: EapTunnel Equals PEAP

Note Depending on your requirements, these can all be individual simple conditions, combined together
in one compound condition, or a combination of both. The combination is shown here.
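To make the top-down, first-match processing concrete for both the authentication rules above and the four authorization conditions just listed, the following Python model is added here (it is not Cisco ISE code): it evaluates constructed RADIUS requests against rules built from the guide's conditions and shows how a broad rule placed above a specific one changes the profile handed out. The rule names, the ACL_Partner_RAS_Only and ACL_RAS_Only profile names and the sample requests are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple, Union

# One request's attributes as Cisco ISE sees them (constructed values). ExternalGroups is
# multi-valued in ISE, so a list is allowed for that attribute.
Attrs = Dict[str, Union[str, List[str]]]
Condition = Callable[[Attrs], bool]


def equals(attr: str, value: str) -> Condition:
    """Simple condition '<attribute> Equals <value>'; a list attribute matches if any member equals."""
    def check(a: Attrs) -> bool:
        v = a.get(attr)
        return value == v or (isinstance(v, list) and value in v)
    return check


def all_of(*conds: Condition) -> Condition:
    """Compound condition: every member condition must hold (AND)."""
    return lambda a: all(c(a) for c in conds)


@dataclass
class Rule:
    name: str
    condition: Condition
    result: str            # allowed-protocol service (AuthC) or authorization profile (AuthZ)


def first_match(rules: List[Rule], default: str, attrs: Attrs) -> str:
    """Top-down processing: the first rule whose condition is true wins, else the default rule."""
    for rule in rules:
        if rule.condition(attrs):
            return rule.result
    return default


# Conditions named in the guide, with the attribute values as written there
WIRELESS_802_1X = all_of(equals("Radius:Service-Type", "Framed"),
                         equals("Radius:NAS-Port-Type", "Wireless - IEEE 802.11"))
INDUSTRIAL_EMPLOYEE_WLAN = equals("Airespace:Airespace-Wlan-Id", "7")
TRUSTED_PARTNER_WLAN = equals("Airespace:Airespace-Wlan-Id", "4")
PEAP = equals("Network Access:EapTunnel", "PEAP")
FULL_ACCESS_GROUP = equals("AD2:ExternalGroups",
                           "cpwe-ra-cisco.local/Users/Industrial_Employee_Full")
WIRELESS_INDUSTRIAL_USER_FULL_ACCESS = all_of(WIRELESS_802_1X, FULL_ACCESS_GROUP, PEAP)

# Authentication policy: selects the allowed-protocol service; the default rule denies access
AUTHC_RULES = [Rule("Wireless dot1x AuthC", WIRELESS_802_1X, "EAP-TLS and PEAP")]

# Authorization policy (First Matched Rule Applies): selects the profile, named here by its
# Airespace ACL. ACL_Full_Access is from the guide; the partner profile name is assumed.
AUTHZ_RULES = [
    Rule("Industrial_Employee_Full",
         all_of(WIRELESS_INDUSTRIAL_USER_FULL_ACCESS, INDUSTRIAL_EMPLOYEE_WLAN), "ACL_Full_Access"),
    Rule("Trusted_Partner", all_of(WIRELESS_802_1X, TRUSTED_PARTNER_WLAN), "ACL_Partner_RAS_Only"),
]


def evaluate(attrs: Attrs, authz_rules: List[Rule] = AUTHZ_RULES) -> Tuple[str, str]:
    """Run a request through authentication and then authorization; return both results."""
    authc = first_match(AUTHC_RULES, "DenyAccess", attrs)
    if authc == "DenyAccess":
        return authc, "DenyAccess"       # a failed AuthC never reaches the AuthZ policy
    return authc, first_match(authz_rules, "DenyAccess", attrs)


# Constructed sample requests
FULL_EMPLOYEE: Attrs = {
    "Radius:Service-Type": "Framed", "Radius:NAS-Port-Type": "Wireless - IEEE 802.11",
    "Airespace:Airespace-Wlan-Id": "7", "Network Access:EapTunnel": "PEAP",
    "AD2:ExternalGroups": ["cpwe-ra-cisco.local/Users/Domain Users",
                           "cpwe-ra-cisco.local/Users/Industrial_Employee_Full"],
}
# Same user on the partner SSID (WLAN ID 4): the full-access rule must not match
EMPLOYEE_ON_PARTNER_SSID: Attrs = {**FULL_EMPLOYEE, "Airespace:Airespace-Wlan-Id": "4"}
# A wired request (NAS-Port-Type Ethernet) matches no wireless AuthC rule: default deny
WIRED_REQUEST: Attrs = {**FULL_EMPLOYEE, "Radius:NAS-Port-Type": "Ethernet"}


def ordering_pitfall() -> Tuple[str, str]:
    """With a broad RAS-only rule placed above the specific one, first match hands the
    full-access employee the RAS-only profile: rule order is part of the policy."""
    broad_first = [Rule("Any_Wireless_RAS_Only", WIRELESS_802_1X, "ACL_RAS_Only")] + AUTHZ_RULES
    return evaluate(FULL_EMPLOYEE)[1], evaluate(FULL_EMPLOYEE, broad_first)[1]


if __name__ == "__main__":
    for label, req in [("employee on WLAN 7", FULL_EMPLOYEE),
                       ("employee on WLAN 4", EMPLOYEE_ON_PARTNER_SSID),
                       ("wired request", WIRED_REQUEST)]:
        print(f"{label:20s} -> {evaluate(req)}")
    print("rule ordering:", ordering_pitfall())
```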

The following steps describe the configuration of authorization policies for wireless clients.
The full-access AuthZ profile for wireless users is configured as follows:

Step 1 From ISE PAN node > Policy > Authorization, select how the rule applies from the drop-down menu
First Matched Rule Applies or Multiple Matched Rule Applies. The default is First Matched Rule
Applies.
Step 2 Click Edit to insert authorization rule below or above the existing rule.

Deploying Identity Services within a Converged Plantwide Ethernet Architecture


ENET-TD008A-EN-P 3-24

Step 3 Enter the rule name in the Standard Rule box and click the If Any box in the Select Endpoint Identity
Group > Whitelist drop-down menu.
Step 4 Click the And conditions box in the Select Existing condition from Library drop-down menu.
Step 5 Click the Select condition > compound condition > Wireless_Industrial_User_Full_Access
drop-down menu.
Step 6 Similarly, click the gear icon and select Add Condition from Library > Select Condition > Simple
Condition > Industrial_Employee_WLAN.
Step 7 Click Done to save the configuration (see Figure 3-24).

Figure 3-24 Wireless Authorization Policy Window

Industrial WLC Configuration


This section describes how to configure the industrial WLC.

Note To create the unified wireless infrastructure and associate APs in the Industrial Zone, refer to the
Deploying 802.11 Wireless LAN Technology within a Converged Plantwide Ethernet Architecture
Design and Implementation Guide at the following URL:
• http://www.cisco.com/c/en/us/td/docs/solutions/Verticals/CPwE/NovCVD/CPwE_WLAN_CVD.html

The following configuration steps are covered in this section:


• RADIUS Configuration
• Interface Configuration
• WLAN Configuration
• ACL Configuration
• Mobility Configuration

Note CLI configuration for the WLC section is provided in References.


RADIUS Configuration
RADIUS is a client/server protocol that provides centralized authentication, authorization and accounting
for users attempting to access a network. In this design the Cisco ISE PSN node is the RADIUS server for user traffic.
The following steps describe the RADIUS configuration on the industrial WLC (see Figure 3-25):

Step 1 From Security > RADIUS > Authentication, click New.


Step 2 Fill in Server IP address and Shared Secret and then leave all others as default.
Step 3 Click Apply.
Step 4 Click Save Configuration.

Figure 3-25 WLC RADIUS Configuration

RADIUS Configuration using CLI


Add a RADIUS authentication server using the following command:
config radius auth add index server_ip_address port# {ascii | hex} shared_secret

Interface Configuration using GUI


The virtual interface IP address is used only in communications between the controller and wireless
clients.
The following steps describe the interface configuration on the industrial WLC (see Figure 3-26
through Figure 3-28):

Step 1 Choose Controller > Interfaces to open the Interfaces page.


Step 2 Click New.
Step 3 Enter the following parameters:
• Physical Information > Port number
• Interface Address > VLAN Identifier, IP address, Netmask, Gateway
• DHCP information > DHCP proxy mode > Disable


Step 4 Click Apply to commit your changes.

Figure 3-26 Industrial Employee Provisioning Interface Configuration

Figure 3-27 Corporate Employee Provisioning Interface Configuration


Figure 3-28 Trusted Partners Provisioning Interface Configuration

Interface Configuration using CLI


Add the interface configuration using the following commands:
config interface create operator_defined_interface_name {vlan_id | x}
config interface address operator_defined_interface_name ip_addr ip_netmask [gateway]
config interface vlan operator_defined_interface_name {vlan_id | 0}
config interface port operator_defined_interface_name physical_ds_port_number
config interface dhcp dynamic-interface operator_defined_interface_name proxy-mode disable

WLAN Configuration using GUI


The following steps describe the WLAN configuration on the industrial WLC (see Figure 3-29
through Figure 3-32):

Step 1 Choose WLANs to open the WLANs page.


Step 2 Create a new WLAN by choosing Create New from the drop-down list and then clicking Go. The
WLANs > New page appears.
Step 3 From the Type drop-down list, choose WLAN to create a WLAN.
Step 4 Assign Profile Name, SSID name and ID #. Use the parameters on the General, Security and
Advanced tabs to configure this WLAN.
Step 5 Click Apply to commit your changes.
Step 6 Click Save Configuration to save your changes.


Figure 3-29 Industrial Employee WLAN Configuration General

Figure 3-30 Industrial Employee WLAN Configuration L2 Security

Figure 3-31 Industrial Employee WLAN Configuration AAA Servers


Figure 3-32 Industrial Employee WLAN Configuration Advanced

Note The Corporate_Employee_WLAN and Trusted_partners_WLAN SSIDs use the same configuration, with
their respective interfaces selected.

WLAN Configuration using CLI


Add the WLAN configuration using the following commands (the WLAN is disabled while the security,
RADIUS and NAC settings are applied, then enabled again at the end):
config wlan create wlan_id {profile_name | foreign_ap} ssid
config wlan disable {wlan_id | foreign_ap | all}
config wlan security wpa wpa2 {enable | disable} wlan_id
config wlan security wpa wpa2 ciphers {aes | tkip} {enable | disable} wlan_id
config wlan radius_server auth {enable | disable} wlan_id
config wlan radius_server auth add wlan_id radius_server_index
config wlan aaa-override {enable | disable} wlan_id
config wlan nac radius {enable | disable} wlan_id
config wlan enable {wlan_id | foreign_ap | all}

ACL Configuration using GUI


Applying an ACL to the client is part of the AuthZ policy. These named ACLs are defined on the WLC
and referenced by name from the Cisco ISE authorization profile; they are known as Airespace ACLs.
The following steps describe the ACL configuration on the industrial WLC:

Step 1 From Security > Access Control Lists > Access Control Lists, click New.
Step 2 Enter the Access Control List Name and keep the default ACL type, IPv4.
Step 3 Click the ACL name you created and then click Add new rule.
Step 4 Configure the following access lists:
a. Industrial Full Access: Allow access to all devices on the plant floor:
– Sequence: 1 > Source: Any > Destination: Any > Protocol: Any > DSCP: Any > Direction: Any
> Action: Permit > Apply
b. Industrial Partial Access: Limit access to a particular cell area:
– Sequence: 1 > Source: Any > Destination: <Destination IP Address> > Protocol: Any > DSCP:
Any > Direction: Inbound > Action: Permit. Then click Apply.
– Sequence: 2 > Source: <Source IP Address> > Destination: Any > Protocol: Any > DSCP: Any
> Direction: Outbound > Action: Permit. Then click Apply.
– Sequence: 3 > Source: Any > Destination: Any > Protocol: Any > DSCP: Any > Direction: Any
> Action: Deny. Then click Apply.
c. Industrial RAS-only Access: Only to the remote access server (RAS):
– Sequence: 1 > Source: Any > Destination: <RAS_Server_IP_Address> > Protocol: Any >
DSCP: Any > Direction: Inbound > Action: Permit. Then click Apply.
– Sequence: 2 > Source: <RAS_Server_IP_Address> > Destination: Any > Protocol: Any >
DSCP: Any > Direction: Outbound > Action: Permit. Then click Apply.
– Sequence: 3 > Source: Any > Destination: Any > Protocol: Any > DSCP: Any > Direction: Any
> Action: Deny. Then click Apply.
d. Corporate RAS only (via RDG) Access: Only to the remote desktop gateway (RDG):
– Sequence: 1 > Source: Any > Destination: <RDG_Server_IP_Address> > Protocol: tcp/https
> DSCP: Any > Direction: Any > Action: Permit. Then click Apply.
– Sequence: 2 > Source: <RDG_Server_IP_Address> > Destination: Any > Protocol: https >
DSCP: Any > Direction: Any > Action: Permit. Then click Apply.
– Sequence: 3 > Source: Any > Destination: Any > Protocol: Any > DSCP: Any > Direction: Any
> Action: Deny. Then click Apply.
Step 5 Click Apply.
Step 6 Click Save Configuration.

Note Refer to Authorization Policy Configuration, page 3-17 for ACL details.

Figure 3-33 ACL_Partial_Access

ACL Configuration using CLI


Add the ACL configuration using the following commands, one rule per index, and finish with an
explicit deny-all rule as the highest index:
config acl create <name>
config acl rule add <name> <index>
config acl rule action <name> <index> permit
config acl rule destination address <name> <index> <IP address> <Netmask>
config acl rule direction <name> <index> <in/out/any>
config acl rule add <name> <last_index>
config acl rule action <name> <last_index> deny
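Before an Airespace ACL is attached to an authorization profile it is worth checking what it actually permits for the traffic a user will generate. The following added example (not WLC or Cisco code) evaluates rules with the same fields as the GUI steps above, in sequence order, for the RAS-only and RDG-only lists. It reads Direction the way the WLC does: Inbound is traffic from the wireless client toward the wired network, Outbound is traffic back to the client, and a packet that matches no rule is denied, which is what the explicit final deny rule above makes unambiguous. The client, RAS and PLC addresses are constructed; the RDG address is the one used in the firewall configuration later in this chapter.

```python
"""Evaluate WLC (Airespace) style ACL rules against sample packets (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    seq: int
    source: str                 # "any" or an address/CIDR
    destination: str
    protocol: str               # "any", "tcp", "udp", "icmp"
    direction: str              # "in" (client -> wired), "out" (wired -> client), "any"
    action: str                 # "permit" or "deny"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str
    direction: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def _addr_ok(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _port_ok(spec, port):
    return spec is None or spec == port


def rule_matches(rule, pkt):
    return (_addr_ok(rule.source, pkt.src) and _addr_ok(rule.destination, pkt.dst)
            and rule.protocol in ("any", pkt.protocol)
            and rule.direction in ("any", pkt.direction)
            and _port_ok(rule.src_port, pkt.src_port)
            and _port_ok(rule.dst_port, pkt.dst_port))


def evaluate(acl, pkt):
    """The lowest matching sequence number decides; a packet matching nothing is denied."""
    for rule in sorted(acl, key=lambda r: r.seq):
        if rule_matches(rule, pkt):
            return rule.action, rule.seq
    return "deny", None


# Constructed addresses standing in for the <..._IP_Address> placeholders on the page.
RAS_SERVER = "10.20.25.10"      # constructed remote access server address
RDG_SERVER = "10.1.2.3"         # RDG address as given in the edge firewall configuration
CLIENT = "10.20.30.50"          # constructed wireless client address
PLC = "10.17.10.20"             # constructed IACS device address

# "Industrial RAS-only Access" exactly as sequenced on the page.
ACL_RAS_ONLY = [
    Rule(1, "any", RAS_SERVER, "any", "in", "permit"),
    Rule(2, RAS_SERVER, "any", "any", "out", "permit"),
    Rule(3, "any", "any", "any", "any", "deny"),
]

# "Corporate RAS only (via RDG) Access": HTTPS to the gateway and the replies from it.
ACL_RDG_ONLY = [
    Rule(1, "any", RDG_SERVER, "tcp", "any", "permit", dst_port=443),
    Rule(2, RDG_SERVER, "any", "tcp", "any", "permit", src_port=443),
    Rule(3, "any", "any", "any", "any", "deny"),
]


def decide(acl, src, dst, protocol, direction, src_port=None, dst_port=None):
    """Convenience wrapper returning (action, matching sequence or None)."""
    return evaluate(acl, Packet(src, dst, protocol, direction, src_port, dst_port))


if __name__ == "__main__":
    print(decide(ACL_RAS_ONLY, CLIENT, RAS_SERVER, "tcp", "in", dst_port=3389))   # permitted by rule 1
    print(decide(ACL_RAS_ONLY, CLIENT, PLC, "tcp", "in", dst_port=44818))         # denied by rule 3
```

The last assertion-worthy case is a client talking EtherNet/IP (TCP 44818) straight to a controller while holding the RAS-only profile: it must land on the deny rule, and if the deny rule is left off the list the evaluator still denies, but on the WLC that behaviour should not be left implicit.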


Mobility Configuration using GUI


With the auto-anchor mobility feature of Cisco wireless controllers, packets from the wireless client
are encapsulated in a mobility tunnel between the internal wireless controller (known as the
industrial WLC or foreign controller) and the trusted partner wireless controller (known as the anchor
controller), where they are de-encapsulated and delivered to the wired network.

Note Use OLD mobility (EOIP tunnel) to anchor the trusted partner traffic.

The following steps describe the mobility configuration on the industrial WLC (see Figure 3-34
through Figure 3-36):

Step 1 From Controller > Mobility Management, click Default Mobility Domain Name. Give it the same
name as that of the foreign controller.
Step 2 From Controller > Mobility Management > Mobility Groups, click New.
Step 3 Assign the IP address, MAC address and group name of the Anchor Controller's management
interface.
Step 4 From WLAN > trusted_Partner_WLAN, hover your mouse on the down arrow and click Mobility
Anchors.
Step 5 From Switch IP address (Anchor), select Trusted_Partner WLC management IP from the drop-down
menu.
Step 6 Click Mobility Anchor Create.
Step 7 Click OK when the warning "If the WLAN is in Enabled state, adding Mobility Anchors will cause the
WLAN to be momentarily disabled and thus may result in loss of connectivity for some clients." is
displayed.
Step 8 Press OK to continue.
Step 9 Repeat the same steps for Corporate_employee WLAN.

Figure 3-34 Industrial WLC Mobility Configuration

Figure 3-35 Industrial WLC Mobility Anchors


Figure 3-36 Industrial WLC Mobility Anchors Configuration

Mobility Configuration using CLI


Add the mobility configuration using the following commands. Disable the WLAN or wired guest LAN
for which you are configuring mobility anchors before adding the anchor, then enable it again:
config mobility group domain domain_name
config mobility group member add mac_address ip_address
config {wlan | guest-lan} disable {wlan_id | guest_lan_id}
config mobility group anchor add {wlan | guest-lan} {wlan_id | guest_lan_id} anchor_controller_ip_address
config {wlan | guest-lan} enable {wlan_id | guest_lan_id}

Trusted Partner Anchor WLC Configuration


The CPwE architecture recommends the use of a controller dedicated to trusted partner wireless
traffic. This controller is known as the trusted partner anchor controller. The anchor controller is
usually located in an unsecured network area (that is, the Enterprise Zone/Enterprise External DMZ).
The internal WLAN controllers from which the traffic originates are located in the Industrial Zone.
An EoIP tunnel is established between the internal WLAN controllers and the anchor controller in
order to achieve path isolation of trusted partner traffic from industrial data traffic and IACS device
traffic. Path isolation is a critical security management feature for trusted partner access. It ensures
that security policies for trusted partner traffic and internal traffic can be kept separate and
differentiated.
An important feature of the Cisco Unified Wireless Network architecture is the ability to use an EoIP
tunnel to statically map one or more provisioned WLANs (that is, SSIDs) to a specific anchor
controller within the network. All traffic, both to and from a mapped WLAN, traverses a static EoIP
tunnel that is established between a remote controller and the anchor controller.
A single EoIP tunnel is configured between the trusted partner anchor controller and the industrial WLC;
it carries the traffic of all access points with trusted partner (guest) client associations.
The following configuration steps are covered in this section:
• Interface Configuration
• WLAN Configuration
• ACL Configuration
• Mobility Configuration


Interface Configuration using GUI

Note All controllers within a mobility group must be configured with a similar interface configuration
and the same WLAN configuration. Otherwise, inter-controller roaming may appear to work, but the
handoff does not complete and the client loses connectivity for a period of time.

The following steps describe the interface configuration on the trusted partner anchor WLC (see
Figure 3-37):

Step 1 From Controller > Interfaces, open the Interfaces page and then click New.
Step 2 Enter the following parameters:
a. Physical Information > Port number
b. Interface Address > VLAN Identifier, IP address, Netmask, Gateway
c. DHCP information > DHCP proxy mode > Disable
Step 3 Click Apply to commit your changes.

Figure 3-37 Trusted Partners Provisioning interface Configuration

Interface Configuration using CLI


For the CLI interface configuration of the trusted partner anchor WLC, refer to Interface Configuration
using CLI, page 3-28. The procedure is the same.

WLAN Configuration using GUI


The following steps describe the WLAN configuration on the trusted partner anchor WLC (see
Figure 3-38):


Step 1 Click WLANs to open the WLANs page.


Step 2 Create a new WLAN by clicking Create New from the drop-down list and then clicking Go. The
WLANs > New page displays.
Step 3 From the Type drop-down list, choose WLAN to create a WLAN.
Step 4 Assign Profile Name, SSID name and WLAN ID #.

Note Make sure the WLAN ID # matches the WLAN ID of Trusted_Partners_WLAN on the Industrial
WLC.

Step 5 Use the parameters on the General, Security and Advanced tabs to configure this WLAN.
a. General > Interface/Interface groups > Select Trusted_Partners_Provisioning > Radio Policy
(Optional): All / 802.11 b/g only
b. Security > Layer 2 > Layer 2 security: WPA+WPA2
c. Security > AAA servers > Select the PSN node as the authentication server
d. Advanced > Allow AAA Override: Checked > NAC state: Radius NAC
Step 6 Click Apply to commit your changes.
Step 7 Click Save Configuration to save your changes.

Figure 3-38 Trusted Partners SSID Configuration

Note The rest of the WLAN security and advanced configuration is the same as for the industrial
WLC, so refer to WLAN Configuration using GUI, page 3-28 for these configurations.

WLAN Configuration using CLI


For the CLI WLAN configuration of the trusted partner anchor WLC, refer to the WLAN configuration
under the Industrial WLC Configuration section. The procedure is the same.


Enterprise Edge Firewall ACL Configuration using GUI


Trusted partners can reach IACS devices only through the RAS, via the RDG. Because the trusted partner
WLC resides in the Enterprise External DMZ, the ACL is enforced on the enterprise edge firewall rather
than on the WLC. The ports that form the mobility tunnel must also be open (see Figure 3-39).

Figure 3-39 Enterprise Edge ACL (GUI)

Enterprise Edge Firewall ACL Configuration using CLI


Add the enterprise edge firewall ACL configuration using the following commands. In this design
10.1.4.77 is the trusted partner (anchor) WLC management address and 10.1.2.3 is the RDG address;
substitute the industrial WLC management address for the placeholder. The mobility tunnel needs
UDP 16666 and 16667 (control and data path) and IP protocol 97 (EoIP); the anchor network object
is referenced by the same name in the access list:
object network WLC-Trusted_Partner-Anchor
 host 10.1.4.77
 description WLC-Trusted_Partner-Anchor
object network WLC_Industrial
 host <Industrial_WLC_Management_IP_Address>
object network RDG
 host 10.1.2.3
object service EOIP_IP_Protocol
 service 97
object service Mobility_Anchor
 service udp destination range 16666 16667
object-group service DM_INLINE_SERVICE_2
 service-object icmp
 service-object object EOIP_IP_Protocol
 service-object object Mobility_Anchor
object-group service DM_INLINE_SERVICE_4
 service-object icmp
 service-object tcp destination eq https
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_2 object WLC-Trusted_Partner-Anchor object WLC_Industrial
access-list DMZ1_access_in extended permit object-group DM_INLINE_SERVICE_4 any object RDG

Mobility Configuration using GUI

Note Use the OLD mobility (EOIP tunnel) to anchor the trusted partner traffic.

The following steps describe the mobility configuration on the trusted partner anchor WLC (see
Figure 3-40 through Figure 3-42):

Step 1 From Controller > Mobility Management, give Default Mobility Domain Name the same name as that
of Industrial WLC.
Step 2 From Controller > Mobility Management > Mobility Groups, click New.


Step 3 Assign IP address, MAC address and group name of the Industrial WLC management Interface.

Note Make sure the mobility ports (UDP ports 16666 and 16667, and IP protocol 97) are open on the IDMZ
and enterprise edge firewalls so that traffic can be anchored to the anchor WLC.

Step 4 From WLAN > Trusted_Partners_WLAN, hover your mouse on the down arrow and click Mobility
Anchors.
Step 5 Switch IP address (Anchor) > Local.
Step 6 Click Mobility Anchor Create.

Figure 3-40 Trusted Partner Anchor WLC Mobility Configuration

Figure 3-41 Trusted Partners Anchor WLC Mobility Anchors

Figure 3-42 Trusted Partners Anchor WLC Mobility Anchors Configuration

Mobility Configuration using CLI


For the CLI mobility configuration of the trusted partner anchor WLC, refer to Mobility Configuration
using CLI, page 3-33. The procedure is the same.


Corporate Anchor WLC Configuration


This section describes how to configure the corporate anchor WLC. The following configuration
steps are covered in this section:
• Interface Configuration
• WLAN Configuration
• ACL Configuration
• Mobility Configuration

Interface Configuration using GUI

Note All controllers within a mobility group must be configured with a similar interface configuration
and the same WLAN configuration. Otherwise, inter-controller roaming may appear to work, but the
handoff does not complete and the client loses connectivity for a period of time.

The following steps describe the interface configuration on the corporate anchor WLC (see
Figure 3-43):

Step 1 From Controller > Interfaces, open the Interfaces page, and then click New.
Step 2 Enter the following parameters:
a. Physical Information > Port number
b. Interface Address > VLAN Identifier, IP address, Netmask, Gateway
c. DHCP information > DHCP proxy mode > Disable
Step 3 Click Apply to commit your changes.


Figure 3-43 Corporate Employee Provisioning Interface Configuration

Interface Configuration using CLI


For the CLI interface configuration of the corporate anchor WLC, refer to Interface Configuration using CLI,
page 3-28. The procedure is the same.

WLAN Configuration using GUI


Refer to WLAN Configuration using GUI, page 3-34 for these configuration steps (see Figure 3-44):

Step 1 Click WLANs to open the WLANs page.


Step 2 Create a new WLAN by clicking Create New and then clicking Go. The WLANs > New page displays.
Step 3 From the Type drop-down list, click WLAN to create a WLAN.
Step 4 Assign Profile Name, SSID name and WLAN ID #.

Note Make sure the WLAN ID # matches the WLAN ID of Corporate_Employee_WLAN on the Industrial
WLC.

Step 5 Use the parameters on the General, Security and Advanced tabs to configure this WLAN:
a. General > Interface/Interface groups > Select Corporate_Employee_Provisioning > Radio Policy
(Optional): All / 802.11 b/g only
b. Security > Layer 2 > Layer 2 security: WPA+WPA2
c. Security > AAA servers > Select the PSN node as the authentication server
d. Advanced > Allow AAA Override: Checked > NAC state: Radius NAC


Step 6 Click Apply to commit your changes.


Step 7 Click Save Configuration to save your changes.

Figure 3-44 Corporate Employee SSID Configuration

WLAN Configuration using CLI


For the CLI WLAN configuration of the corporate anchor WLC, refer to WLAN Configuration using CLI,
page 3-30. The procedure is the same.

ACL Configuration using GUI


The following steps describe the ACL configuration on the corporate anchor WLC (see
Figure 3-45):

Step 1 From Security > Access Control Lists > Access Control Lists, click New.
Step 2 Configure the following access list:
a. Corporate RDG-only Access: To the RAS via the remote desktop gateway:
– Sequence: 1 > Source: Any > Destination: <RDG server IP address> > Protocol: tcp/https >
DSCP: Any > Direction: Any > Action: Permit. Then click Apply.
– Sequence: 2 > Source: <RDG server IP address> > Destination: Any > Protocol: https > DSCP:
Any > Direction: Any > Action: Permit. Then click Apply.
– Sequence: 3 > Source: Any > Destination: Any > Protocol: Any > DSCP: Any > Direction: Any
> Action: Deny. Then click Apply.


Figure 3-45 Corporate Employee ACL Configuration

ACL Configuration using CLI


For the CLI ACL configuration of the corporate anchor WLC, refer to ACL Configuration using CLI,
page 3-31. The procedure is the same.

Mobility Configuration using GUI

Note Use the OLD mobility (EOIP tunnel) to anchor the corporate employee traffic.

The following steps describe the mobility configuration on the corporate anchor WLC (see
Figure 3-46 through Figure 3-48):

Step 1 From Controller > Mobility Management, give Default Mobility Domain Name the same name as that
of Industrial WLC.
Step 2 From Controller > Mobility Management > Mobility Groups, click New.
Step 3 Assign IP address, MAC address and group name of the Industrial WLC management Interface.
Step 4 From WLAN > Corporate_Employee_WLAN, hover your mouse on the down arrow and then click
Mobility Anchors.
Step 5 Switch IP address (Anchor) > Local.
Step 6 Click Mobility Anchor Create.

Note Both Control and Data Path should be up once the mobility tunnel is created.

Figure 3-46 Corporate Employee Anchor WLC Mobility Anchors


Figure 3-47 Corporate Employee Anchor WLC Mobility Anchors Configuration

Figure 3-48 Corporate Employee Anchor WLC Mobility Anchors Control and Data Path

Mobility Configuration using CLI


For the CLI mobility configuration of the corporate anchor WLC, refer to Mobility Configuration using CLI,
page 3-33. The procedure is the same.

CHAPTER 4
Troubleshooting Tips

This chapter includes the following major topics:


• Cisco ISE Troubleshooting Tips, page 4-1
• WLC Troubleshooting Tips, page 4-6

Cisco ISE Troubleshooting Tips


The following section provides high-level troubleshooting information to assist in identifying and
resolving problems you may encounter when using the Cisco Identity Services Engine (ISE).
For more troubleshooting tips, review Monitoring and Troubleshooting at the following URL:
• http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_011001.html

Cisco ISE Processes Check


If the web pages do not load, check whether Cisco ISE is working by logging into the CLI and running
the following command, which lists every Cisco ISE process with its state (running or disabled):
ISE# show application status ise
ISE PROCESS NAME STATE PROCESS ID
--------------------------------------------------------------------
Database Listener running 13373
Database Server running 44 PROCESSES
Application Server running 16208
Profiler Database running 14334
AD Connector running 16616
M&T Session Database running 14248
M&T Log Collector running 16314
M&T Log Processor running 3521
Certificate Authority Service disabled
pxGrid Infrastructure Service running 31179
pxGrid Publisher Subscriber Service running 31420
pxGrid Connection Manager running 31388
pxGrid Controller running 31280
Identity Mapping Service running 30937
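When this check is run regularly, or against several nodes, it helps to parse the output rather than read it by eye. The following added example (not Cisco code) parses the listing above and reports any required process that is missing or not in the running state. The set of required processes is an assumption for this design: the Certificate Authority Service is disabled in the output above, so it is deliberately left out of the required list.

```python
"""Parse `show application status ise` output and flag unhealthy processes (added example)."""
import re

# The output shown on the page, pasted here as a sample string.
SAMPLE_STATUS = """\
ISE PROCESS NAME STATE PROCESS ID
--------------------------------------------------------------------
Database Listener running 13373
Database Server running 44 PROCESSES
Application Server running 16208
Profiler Database running 14334
AD Connector running 16616
M&T Session Database running 14248
M&T Log Collector running 16314
M&T Log Processor running 3521
Certificate Authority Service disabled
pxGrid Infrastructure Service running 31179
pxGrid Publisher Subscriber Service running 31420
pxGrid Connection Manager running 31388
pxGrid Controller running 31280
Identity Mapping Service running 30937
"""

# States the command reports; "not running" is listed before "running" so it wins the match.
_LINE = re.compile(
    r"^(?P<name>.+?)\s+(?P<state>not running|running|disabled|initializing)(?:\s+(?P<pid>\S.*))?$"
)

# Assumed set of processes that must be running for authentication to work in this design.
REQUIRED = (
    "Database Listener", "Database Server", "Application Server", "AD Connector",
    "M&T Session Database", "M&T Log Collector", "M&T Log Processor",
)


def parse_status(text):
    """Return {process_name: (state, pid_text_or_None)}; header and separator lines are skipped."""
    result = {}
    for line in text.splitlines():
        match = _LINE.match(line.strip())
        if match:
            result[match.group("name")] = (match.group("state"), match.group("pid"))
    return result


def unhealthy(status, required=REQUIRED):
    """Required processes that are absent from the output or not in the running state."""
    return [name for name in required if status.get(name, ("missing", None))[0] != "running"]


if __name__ == "__main__":
    status = parse_status(SAMPLE_STATUS)
    print(f"{len(status)} processes parsed, unhealthy: {unhealthy(status)}")
```

An empty list from unhealthy means the node is serving RADIUS; a non-empty one names the process to restart before looking any further at authentication failures.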


Test Users for Active Directory Authentication


Test authentication is useful to troubleshoot authentication and authorization issues for end users.
You can use the Test User feature to test Active Directory authentications. The test returns the
results along with group and attribute details (authorization information) that can be viewed on the
Admin Portal. Follow these steps to test users:

Step 1 From Administration > Identity Management > External Identity Stores > Active Directory > AD2 >
Connection, select the Cisco ISE node you want to test.
Step 2 Click the node and then click Test User.
Step 3 Enter the user credentials and click Test (see Figure 4-49).

Figure 4-49 AD Test User Tool

AD Diagnostic Tool
The Diagnostic Tool allows you to automatically test and diagnose the Active Directory deployment
for general connectivity issues. This tool provides information on:
• The Cisco ISE node on which the test is run
• Connectivity to the Active Directory
• Detailed status about the domain
• Detailed status about Cisco ISE-DNS server connectivity
Follow these steps to run a diagnostic report using the Diagnostic Tool:

Step 1 From Administration > Identity Management > External Identity Stores > Active Directory > AD2 >
Connection, select the Cisco ISE node you want to test.


Step 2 Click Diagnostic Tool > Run All tests (see Figure 4-50).

Figure 4-50 AD Diagnostic Tool

Authentication Errors
One of the most useful ways to troubleshoot any error is to check the events on Cisco ISE. Follow these
steps to check the GUI report for any user authentication or authorization:

Step 1 From Operations > Authentications, click the magnifying glass.


Step 2 Check for any errors (see Figure 4-51).

Figure 4-51 Cisco ISE Certificate Error


• Reason: If the end client does not have the root CA in its Trusted Root CA store, it will not trust Cisco
ISE during the authentication process, and the client will not be able to join the SSID.
• Solution: Add the root CA certificate to the client's trusted root CA certificate store as part of the
user account, and retry authenticating the device.

Successful Authentication/Authorization Steps Output


From Operations > Authentications, click the magnifying glass. The following is the output of a
successful authentication:
Received RADIUS Access-Request
RADIUS created a new session
Evaluating Policy Group
Evaluating Service Selection Policy
Queried PIP - Network Access.NetworkDeviceName
Queried PIP - Radius.Service-Type
Queried PIP - Radius.NAS-Port-Type
Matched rule - Wireless dot1x AuthC
Extracted EAP-Response/Identity
Prepared EAP-Request proposing EAP-TLS with challenge
Returned RADIUS Access-Challenge
Received RADIUS Access-Request
RADIUS is re-using an existing session
Extracted EAP-Response/NAK requesting to use PEAP instead
Prepared EAP-Request proposing PEAP with challenge
Returned RADIUS Access-Challenge
Received RADIUS Access-Request
RADIUS is re-using an existing session
Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as
negotiated
Successfully negotiated PEAP version 0
Extracted first TLS record; TLS handshake started
Extracted TLS ClientHello message
Prepared TLS ServerHello message
Prepared TLS Certificate message
Prepared TLS ServerDone message
Prepared EAP-Request with another PEAP challenge
Returned RADIUS Access-Challenge
Received RADIUS Access-Request
RADIUS is re-using an existing session
Extracted EAP-Response containing PEAP challenge-response
Prepared EAP-Request with another PEAP challenge
Returned RADIUS Access-Challenge
Received RADIUS Access-Request
RADIUS is re-using an existing session
Extracted EAP-Response containing PEAP challenge-response
Prepared EAP-Request with another PEAP challenge
Returned RADIUS Access-Challenge
Received RADIUS Access-Request
RADIUS is re-using an existing session
Extracted EAP-Response containing PEAP challenge-response
Prepared EAP-Request with another PEAP challenge
Returned RADIUS Access-Challenge
Received RADIUS Access-Request
RADIUS is re-using an existing session
Extracted EAP-Response containing PEAP challenge-response
Successfully negotiated PEAP version 0
Extracted TLS ClientKeyExchange message


Extracted TLS Finished message
Prepared TLS ChangeCipherSpec message
Prepared TLS Finished message
TLS handshake succeeded
PEAP full handshake finished successfully
Prepared EAP-Request with another PEAP challenge
Returned RADIUS Access-Challenge
Received RADIUS Access-Request
RADIUS is re-using an existing session
Extracted EAP-Response containing PEAP challenge-response
PEAP inner method started
Prepared EAP-Request/Identity for inner EAP method
Prepared EAP-Request with another PEAP challenge
Returned RADIUS Access-Challenge
Received RADIUS Access-Request
RADIUS is re-using an existing session
Extracted EAP-Response containing PEAP challenge-response
Extracted EAP-Response/Identity for inner EAP method
Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
Prepared EAP-Request with another PEAP challenge
Returned RADIUS Access-Challenge
Received RADIUS Access-Request
RADIUS is re-using an existing session
Extracted EAP-Response containing PEAP challenge-response
Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and
accepting EAP-MSCHAP as negotiated
Evaluating Identity Policy
Queried PIP - Network Access.EapAuthentication
Queried PIP - Network Access.EapTunnel
Matched rule - User_Authentication
Selected identity source sequence - All_Stores_Sequence
Selected Identity Source - AD2
Authenticating user against Active Directory - AD2
Resolving identity - richa_guest_ras
Search for matching accounts at join point - cpwe-ra-cisco.local
Single matching account found in forest - cpwe-ra-cisco.local
Identity resolution detected single matching account
RPC Logon request succeeded - Richa_guest_RAS@cpwe-ra-cisco.local
User authentication against Active Directory succeeded - AD2
Authentication Passed
EAP-MSCHAP authentication attempt passed
Prepared EAP-Request with another PEAP challenge
Returned RADIUS Access-Challenge
Received RADIUS Access-Request
RADIUS is re-using an existing session
Extracted EAP-Response containing PEAP challenge-response
Extracted EAP-Response for inner method containing MSCHAP challenge-response
Inner EAP-MSCHAP authentication succeeded
Prepared EAP-Success for inner EAP method
PEAP inner method finished successfully
Prepared EAP-Request with another PEAP challenge
Returned RADIUS Access-Challenge
Received RADIUS Access-Request
RADIUS is re-using an existing session
Extracted EAP-Response containing PEAP challenge-response
ISE has not been able to confirm previous successful machine authentication
Evaluating Authorization Policy
Queried PIP - Session.EPSStatus
Queried PIP - Radius.Service-Type
Queried PIP - Radius.NAS-Port-Type
Looking up user in Active Directory - AD2
LDAP fetch succeeded - cpwe-ra-cisco.local
User's Groups retrieval from Active Directory succeeded - AD2
Queried PIP - AD2.ExternalGroups

Queried PIP - Airespace.Airespace-Wlan-Id
Matched rule - Dot1x_wireless - Trusted Partner RAS Only_copy
Selected Authorization Profile - Wireless_Trusted_Partner_RAS_Only_Authz_Profile
PEAP authentication succeeded
Prepared EAP-Success
Returned RADIUS Access-Accept

Diagnostic Tools/TCP Dump


Step 1 Use the tcpdump command in the NAD CLI or from the Administration portal at Operations >
Troubleshoot > Diagnostic Tools > General Tools > TCP Dump to verify whether the machine is
receiving and forwarding traffic as required for your network.
Step 2 If the TCP dump operation indicates that the Cisco ISE or NAD is working as configured, verify other
adjacent network components.

WLC Troubleshooting Tips


The following section provides high-level troubleshooting information to assist in identifying and
resolving problems you may encounter when you use the Wireless LAN Controller (WLC).
For more troubleshooting tips, see the Cisco Wireless LAN Controller System Message Guide at the
following URL:
• http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/message/guide/sysmsg80.html

Mobility (EoIP) Tunnel Status


Check whether the mobility tunnel is up via the GUI.
From WLC > Controller > Mobility Management > Mobility Groups, check the status of the group
members, as shown in Figure 4-52.

Figure 4-52 Status of the Group Members

If the status is not up, follow these troubleshooting steps:

Step 1 Check whether the group member information is correct and if the firewall is blocking any
control/data ports.
Step 2 To test the mobility UDP control packet communication between two controllers, enter this
command:

mping <mobility_peer_IP_address>

Step 3 To test the mobility EoIP data packet communication between two controllers, enter this command:
eping <mobility_peer_IP_address>

DHCP-Related Issue
When the client is either unable to get an IP address or encounters a delay in getting an IP address
through DHCP, the debug dhcp output on the controller indicates the following:
(Cisco Controller) >debug dhcp packet enable
*DHCP Socket Task: May 27 12:28:34.566: [PA] 20:7c:8f:46:83:84 DHCP processing DHCP NAK (6)

Solution—Activate the DHCP scope for that subnet in the DHCP server.

Caution Because debugging output is assigned high priority in the CPU process, it can render the system
unusable. For this reason, use debug commands only to troubleshoot specific problems. Moreover,
use debug commands only during periods of lower network traffic and fewer users. Debugging
during these periods decreases the likelihood that increased debug command processing
overhead will affect system use.

Successful DHCP Process


Following is a debug output of a successful DHCP process:
(Cisco Controller) >debug dhcp packet enable
(Cisco Controller) >*DHCP Socket Task: May 27 12:27:46.533: [PA] 20:7c:8f:46:83:84 DHCP received op BOOTREQUEST (1) (len 332,vlan 150, port 1, encap 0xec03, xid 0x3a26069b)
*DHCP Socket Task: May 27 12:27:46.533: [PA] 20:7c:8f:46:83:84 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
*DHCP Socket Task: May 27 12:27:46.533: [PA] 20:7c:8f:46:83:84 DHCP processing DHCP REQUEST (3)
*DHCP Socket Task: May 27 12:27:46.533: [PA] 20:7c:8f:46:83:84 DHCP op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: May 27 12:27:46.533: [PA] 20:7c:8f:46:83:84 DHCP xid: 0x3a26069b (975570587), secs: 0, flags: 0
*DHCP Socket Task: May 27 12:27:46.533: [PA] 20:7c:8f:46:83:84 DHCP chaddr: 20:7c:8f:46:83:84
*DHCP Socket Task: May 27 12:27:46.533: [PA] 20:7c:8f:46:83:84 DHCP ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
*DHCP Socket Task: May 27 12:27:46.533: [PA] 20:7c:8f:46:83:84 DHCP siaddr: 0.0.0.0, giaddr: 0.0.0.0
*DHCP Socket Task: May 27 12:27:46.533: [PA] 20:7c:8f:46:83:84 DHCP requested ip: 10.13.181.55
*DHCP Socket Task: May 27 12:27:46.533: [PA] 20:7c:8f:46:83:84 DHCP Opt82 bridge mode insertion enabled, inserts opt82 if opt82 is enabled vlan=181, datalen =18, optlen=88
*DHCP Socket Task: May 27 12:27:46.533: [PA] 20:7c:8f:46:83:84 DHCP successfully bridged packet to DS
*DHCP Socket Task: May 27 12:27:46.538: [PA] 20:7c:8f:46:83:84 DHCP received op BOOTREPLY (2) (len 316,vlan 181, port 1, encap 0xec00, xid 0x3a26069b)
*DHCP Socket Task: May 27 12:27:46.538: [PA] 20:7c:8f:46:83:84 DHCP processing DHCP ACK (5)
*DHCP Socket Task: May 27 12:27:46.538: [PA] 20:7c:8f:46:83:84 DHCP op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: May 27 12:27:46.538: [PA] 20:7c:8f:46:83:84 DHCP xid: 0x3a26069b (975570587), secs: 0, flags: 0
*DHCP Socket Task: May 27 12:27:46.538: [PA] 20:7c:8f:46:83:84 DHCP chaddr: 20:7c:8f:46:83:84
*DHCP Socket Task: May 27 12:27:46.538: [PA] 20:7c:8f:46:83:84 DHCP ciaddr: 0.0.0.0, yiaddr: 10.13.181.55
*DHCP Socket Task: May 27 12:27:46.538: [PA] 20:7c:8f:46:83:84 DHCP siaddr: 0.0.0.0, giaddr: 10.13.181.1
*DHCP Socket Task: May 27 12:27:46.538: [PA] 20:7c:8f:46:83:84 DHCP server id: 10.13.48.26 rcvd server id: 10.13.48.26
*DHCP Socket Task: May 27 12:27:46.539: [PA] 20:7c:8f:46:83:84 DHCP successfully bridged packet to STA
*DHCP Socket Task: May 27 12:27:50.075: [PA] 20:7c:8f:46:83:84 DHCP received op BOOTREQUEST (1) (len 308,vlan 150, port 1, encap 0xec03, xid 0x71ed59a1)
*DHCP Socket Task: May 27 12:27:50.075: [PA] 20:7c:8f:46:83:84 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
*DHCP Socket Task: May 27 12:27:50.075: [PA] 20:7c:8f:46:83:84 DHCP processing DHCP INFORM (8)
*DHCP Socket Task: May 27 12:27:50.075: [PA] 20:7c:8f:46:83:84 DHCP op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: May 27 12:27:50.075: [PA] 20:7c:8f:46:83:84 DHCP xid: 0x71ed59a1 (1911380385), secs: 0, flags: 0
*DHCP Socket Task: May 27 12:27:50.075: [PA] 20:7c:8f:46:83:84 DHCP chaddr: 20:7c:8f:46:83:84
*DHCP Socket Task: May 27 12:27:50.075: [PA] 20:7c:8f:46:83:84 DHCP ciaddr: 10.13.181.55, yiaddr: 0.0.0.0
*DHCP Socket Task: May 27 12:27:50.075: [PA] 20:7c:8f:46:83:84 DHCP siaddr: 0.0.0.0, giaddr: 0.0.0.0
*DHCP Socket Task: May 27 12:27:50.075: [PA] 20:7c:8f:46:83:84 DHCP Opt82 bridge mode insertion enabled, inserts opt82 if opt82 is enabled vlan=181, datalen =18, optlen=64
*DHCP Socket Task: May 27 12:27:50.075: [PA] 20:7c:8f:46:83:84 DHCP successfully bridged packet to DS
*DHCP Socket Task: May 27 12:27:50.096: [PA] 20:7c:8f:46:83:84 DHCP received op BOOTREPLY (2) (len 308,vlan 181, port 1, encap 0xec00, xid 0x71ed59a1)
*DHCP Socket Task: May 27 12:27:50.096: [PA] 20:7c:8f:46:83:84 DHCP processing DHCP ACK (5)
*DHCP Socket Task: May 27 12:27:50.096: [PA] 20:7c:8f:46:83:84 DHCP op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: May 27 12:27:50.096: [PA] 20:7c:8f:46:83:84 DHCP xid: 0x71ed59a1 (1911380385), secs: 0, flags: 0
*DHCP Socket Task: May 27 12:27:50.096: [PA] 20:7c:8f:46:83:84 DHCP chaddr: 20:7c:8f:46:83:84
*DHCP Socket Task: May 27 12:27:50.096: [PA] 20:7c:8f:46:83:84 DHCP ciaddr: 10.13.181.55, yiaddr: 0.0.0.0
*DHCP Socket Task: May 27 12:27:50.096: [PA] 20:7c:8f:46:83:84 DHCP siaddr: 0.0.0.0, giaddr: 10.13.181.1
*DHCP Socket Task: May 27 12:27:50.097: [PA] 20:7c:8f:46:83:84 DHCP server id: 10.13.48.26 rcvd server id: 10.13.48.26
*DHCP Socket Task: May 27 12:27:50.097: [PA] 20:7c:8f:46:83:84 DHCP successfully bridged packet to STA

Debug Client
Use the debug client command to troubleshoot client association and authentication-related issues:
(Cisco Controller) > debug client <Client_MAC_address>

Appendix A
References

This appendix includes the following major topics:


• Converged Plantwide Ethernet (CPwE), page A-1
• Cisco Unified Access, page A-2
• RF Design and QoS, page A-2
• Wireless Security, page A-3

Converged Plantwide Ethernet (CPwE)


• Converged Plantwide Ethernet (CPwE) Design and Implementation Guide (CPwE)
– Rockwell Automation site:
http://literature.rockwellautomation.com/idc/groups/literature/documents/td/enet-td001_-en-p.pdf
– Cisco site:
http://www.cisco.com/c/en/us/td/docs/solutions/Verticals/CPwE/CPwE_DIG.html
• Deploying the Resilient Ethernet Protocol (REP) in a Converged Plantwide Ethernet System (CPwE) Design Guide
– Rockwell Automation site:
http://literature.rockwellautomation.com/idc/groups/literature/documents/td/enet-td005_-en-p.pdf
– Cisco site:
http://www.cisco.com/c/en/us/td/docs/solutions/Verticals/CPwE/REP/CPwE_REP_DG.html
• Deploying 802.11 Wireless LAN Technology within a Converged Plantwide Ethernet Architecture Design and Implementation Guide
– Rockwell Automation site:
http://literature.rockwellautomation.com/idc/groups/literature/documents/td/enet-td006_-en-p.pdf
– Cisco site:
http://www.cisco.com/c/en/us/td/docs/solutions/Verticals/CPwE/NovCVD/CPwE_WLAN_CVD.html
• Deploying Network Address Translation within a Converged Plantwide Ethernet Architecture Design and Implementation Guide
– Rockwell Automation site:
http://literature.rockwellautomation.com/idc/groups/literature/documents/td/enet-td007_-en-p.pdf
– Cisco site:
http://www.cisco.com/c/en/us/td/docs/solutions/Verticals/CPwE/3-5-1/NAT/DIG/CPwE_NAT_CVD.html

Cisco Unified Access


• Cisco Unified Access webpage
http://www.cisco.com/en/US/netsol/ns1187/index.html
• Enterprise Mobility Design Guide
http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob73dg/eMob73.pdf
• The Benefits of Centralization in Wireless LANs
http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6500-series-switches/prod_white_paper0900aecd8040f7b2.pdf
• Outdoor Wireless Network Solution
http://www.cisco.com/en/US/netsol/ns621/index.html
• Cisco Wireless Mesh Access Points Design and Deployment Guide
http://www.cisco.com/c/en/us/td/docs/wireless/technology/mesh/7-6/design/guide/mesh76.html

RF Design and QoS


• Wireless LAN Compliance Status
http://www.cisco.com/go/aironet/compliance
• RF Spectrum Policy: Future-Proof Wireless Investment through Better Compliance
http://www.cisco.com/c/en/us/products/collateral/wireless/spectrum-expert/prod_white_paper0900aecd8073bef9.html
• Design Zone for Mobility - High Density Wireless
http://www.cisco.com/c/en/us/solutions/enterprise/design-zone-mobility/density_wireless.html
• Enterprise Mobility 7.3 Design Guide
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Mobility/emob73dg/emob73.html
• Cisco Aironet 1600/2600/3600 Series Access Point Deployment Guide
http://www.cisco.com/c/en/us/td/docs/wireless/technology/apdeploy/Cisco_Aironet.html
• Antenna Product Portfolio for Cisco Aironet 802.11n Access Points
http://www.cisco.com/en/US/prod/collateral/wireless/ps7183/ps469/at_a_glance_c45-513837.pdf
• Cisco Aironet Antennas and Accessories Reference Guide
http://www.cisco.com/en/US/prod/collateral/wireless/ps7183/ps469/product_data_sheet09186a008008883b.pdf
• Antenna Patterns and Their Meaning
http://www.cisco.com/en/US/prod/collateral/wireless/ps7183/ps469/prod_white_paper0900aecd806a1a3e.pdf
• Antenna Cabling
http://www.cisco.com/image/gif/paws/27222/antcable.pdf
• Site Survey Guidelines for WLAN Deployment
http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/116057-site-survey-guidelines-wlan-00.html
• Site Survey and RF Design Validation
http://www.cisco.com/en/US/docs/wireless/technology/vowlan/troubleshooting/8_Site_Survey_RF_Design_Valid.pdf
• Cisco Unified Wireless QoS
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Mobility/emob73dg/emob73/ch5_QoS.html

Wireless Security
• Cisco Unified Wireless Network Architecture - Base Security Features
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Mobility/emob73dg/emob73/ch4_Secu.html
• Design Zone for Mobility - Wireless Security
http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns820/landing_sec_wireless.html

Appendix B
Configuration Examples

This appendix includes the following major topics:


• Example: Industrial WLC Configuration, page B-1
• Example: Corporate Anchor WLC Configuration, page B-14
• Example: Trusted Partner Anchor WLC Configuration, page B-19
• Example: IES Access Switch Configuration, page B-24
This section contains examples of the configurations that have been used in the testing of the wired
and wireless architecture. Note the following:
• The configurations are provided for reference only and must not be used "as is" without
adapting for a particular design and topology.
• Future software releases may change some of the commands shown in the configurations.
• Many commands are factory default and do not have to be configured during the initial setup.
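As an added example that is not part of this guide and not Cisco WLC software, the following Python parses the per-field `acl rule` commands of a `show run-config commands` dump, such as the Industrial WLC configuration that follows, into one rule table per ACL and reports any permit rule that matches every source, destination, port and protocol in both directions (in the configuration below that is ACL_Full_Access rule 1 and bla rule 1). It assumes that a field the dump never sets is unrestricted, and the sample input is a constructed subset of that configuration's own lines.

```python
"""Review the 'acl rule ...' commands in a Cisco WLC 'show run-config commands' dump.

Added example for this guide, not Cisco or Rockwell Automation code. Each rule field is
its own command (action, source/destination address and port range, direction, dscp,
protocol), so rules are assembled per ACL name and index, then checked for permits that
match any source, destination, port and protocol in both directions. Assumption: a field
the dump never sets is treated as unrestricted, which is how an unset WLC ACL field behaves.
"""

ANY_ADDR = ("0.0.0.0", "0.0.0.0")
ANY_PORT = (0, 65535)


def new_rule():
    return {"action": None, "src": ANY_ADDR, "dst": ANY_ADDR, "src_port": ANY_PORT,
            "dst_port": ANY_PORT, "direction": "Any", "dscp": "Any", "protocol": "Any"}


def rule(acls, name, idx):
    """Fetch (creating if needed) rule <idx> of ACL <name>."""
    return acls.setdefault(name, {}).setdefault(int(idx), new_rule())


def parse_acls(config_text):
    """Return {acl_name: {index: rule}} from the 'acl ...' commands in the dump."""
    acls = {}
    for raw in config_text.splitlines():
        p = raw.split()
        if len(p) < 3 or p[0] != "acl":
            continue
        if p[1] == "create":
            acls.setdefault(p[2], {})
        elif p[1] != "rule":
            continue                                  # acl apply / acl counter ...
        elif p[2] == "add":                           # acl rule add <acl> <idx>
            rule(acls, p[3], p[4])
        elif p[2] in ("destination", "source"):
            side = "dst" if p[2] == "destination" else "src"
            if p[3] == "address":                     # ... <acl> <idx> <ip> <mask>
                rule(acls, p[4], p[5])[side] = (p[6], p[7])
            elif p[3:5] == ["port", "range"]:         # ... <acl> <idx> <lo> <hi>
                rule(acls, p[5], p[6])[side + "_port"] = (int(p[7]), int(p[8]))
        elif p[2] in ("action", "direction", "dscp", "protocol"):
            rule(acls, p[3], p[4])[p[2]] = p[5]       # ... <acl> <idx> <value>
    return acls


def is_unrestricted(r):
    """A permit that every packet matches, whichever way it flows."""
    return (r["action"] == "permit" and r["src"] == ANY_ADDR and r["dst"] == ANY_ADDR
            and r["src_port"] == ANY_PORT and r["dst_port"] == ANY_PORT
            and r["protocol"] == "Any" and r["direction"] == "Any")


def review(acls):
    """{acl_name: [rule indexes]} for every ACL that contains an unrestricted permit."""
    findings = {}
    for name, rules in acls.items():
        wide = [i for i, r in sorted(rules.items()) if is_unrestricted(r)]
        if wide:
            findings[name] = wide
    return findings


# Constructed sample: a subset of the ACL_Full_Access, ACL_RAS_Only and bla commands as
# they appear in the Industrial WLC configuration (dscp and some port lines omitted).
SAMPLE_CONFIG = """\
acl create ACL_Full_Access
acl create ACL_RAS_Only
acl create bla
acl rule add ACL_Full_Access 1
acl rule add ACL_RAS_Only 1
acl rule add ACL_RAS_Only 2
acl rule add ACL_RAS_Only 3
acl rule add bla 1
acl rule action ACL_Full_Access 1 permit
acl rule action ACL_RAS_Only 1 permit
acl rule action ACL_RAS_Only 2 permit
acl rule action ACL_RAS_Only 3 deny
acl rule action bla 1 permit
acl rule destination address ACL_Full_Access 1 0.0.0.0 0.0.0.0
acl rule destination address ACL_RAS_Only 1 10.13.48.28 255.255.255.255
acl rule destination address ACL_RAS_Only 2 0.0.0.0 0.0.0.0
acl rule destination address ACL_RAS_Only 3 0.0.0.0 0.0.0.0
acl rule destination port range ACL_Full_Access 1 0 65535
acl rule destination port range ACL_RAS_Only 1 0 65535
acl rule destination port range bla 1 0 65535
acl rule source address ACL_Full_Access 1 0.0.0.0 0.0.0.0
acl rule source address ACL_RAS_Only 1 0.0.0.0 0.0.0.0
acl rule source address ACL_RAS_Only 2 10.13.48.28 255.255.255.255
acl rule source address ACL_RAS_Only 3 0.0.0.0 0.0.0.0
acl rule direction ACL_Full_Access 1 Any
acl rule direction ACL_RAS_Only 1 Any
acl rule protocol ACL_Full_Access 1 Any
acl rule protocol ACL_RAS_Only 1 Any
acl apply ACL_Full_Access
"""
```

`review(parse_acls(SAMPLE_CONFIG))` returns the ACLs to look at first; feed it the full dump to cover the other ACLs and the flexconnect ACL as well.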

Example: Industrial WLC Configuration


This example shows an Industrial WLC configuration.
(Cisco Controller) >show run-config commands
redundancy mode SSO
802.11a 11nSupport a-mpdu tx priority 6 enable
802.11a 11nSupport a-mpdu tx priority 7 enable
802.11a 11nSupport a-mpdu tx scheduler enable
802.11a 11nSupport a-mpdu tx scheduler timeout rt 10
802.11a 11nSupport disable
802.11a beacon range 0
802.11a rx-sop threshold auto default
802.11a cca threshold 0 default
802.11a multicast buffer 0
802.11a multicast data-rate 0 default
802.11a cac voice max-bandwidth 40
802.11a cac video max-bandwidth 40
802.11a cac voice roam-bandwidth 15
802.11a cac video roam-bandwidth 15
802.11a channel global off
802.11a rssi-check enable
802.11a max-clients 200

802.11a rate disabled 9
802.11a rate disabled 18
802.11a rate disabled 36
802.11a rate disabled 48
802.11a txPower global 1
802.11a cleanair device enable radar
802.11a dfs-peakdetect enable
802.11b 11nSupport a-mpdu tx scheduler enable
802.11b 11nSupport a-mpdu tx scheduler timeout rt 10
802.11b 11gSupport disable
802.11b beacon range 0
802.11b rx-sop threshold auto default
802.11b cca threshold 0 default
802.11b multicast buffer 0
802.11b multicast data-rate 0 default
802.11b cac video cac-method static
802.11b channel global off
802.11b max-clients 200
802.11b txPower global 1
aaa auth mgmt local radius
flexconnect fallback-radio-shut disable
connect fallback-radio-shut disable
acl create ACL_Full_Access
acl create ACL_RDG_Only
acl create ACL_Partial_Access
acl create ACL_RAS_Only
acl create bla
acl apply ACL_Full_Access
acl apply ACL_RDG_Only
acl apply ACL_Partial_Access
acl apply ACL_RAS_Only
acl apply bla
acl counter start
acl rule add ACL_Full_Access 1
acl rule add ACL_RDG_Only 1
acl rule add ACL_RDG_Only 2
acl rule add ACL_RDG_Only 3
acl rule add ACL_Partial_Access 1
acl rule add ACL_Partial_Access 2
acl rule add ACL_Partial_Access 3
acl rule add ACL_RAS_Only 1
acl rule add ACL_RAS_Only 2
acl rule add ACL_RAS_Only 3
acl rule add bla 1
acl rule action ACL_Full_Access 1 permit
acl rule action ACL_RDG_Only 1 permit
acl rule action ACL_RDG_Only 2 permit
acl rule action ACL_RDG_Only 3 deny
acl rule action ACL_Partial_Access 1 permit
acl rule action ACL_Partial_Access 2 permit
acl rule action ACL_Partial_Access 3 deny
acl rule action ACL_RAS_Only 1 permit
acl rule action ACL_RAS_Only 2 permit
acl rule action ACL_RAS_Only 3 deny
acl rule action bla 1 permit
acl rule destination address ACL_Full_Access 1 0.0.0.0 0.0.0.0
acl rule destination address ACL_RDG_Only 1 10.1.2.3 255.255.255.255
acl rule destination address ACL_RDG_Only 2 0.0.0.0 0.0.0.0
acl rule destination address ACL_RDG_Only 3 0.0.0.0 0.0.0.0
acl rule destination address ACL_Partial_Access 1 10.17.10.0 255.255.255.0
acl rule destination address ACL_Partial_Access 2 0.0.0.0 0.0.0.0
acl rule destination address ACL_Partial_Access 3 0.0.0.0 0.0.0.0
acl rule destination address ACL_RAS_Only 1 10.13.48.28 255.255.255.255
acl rule destination address ACL_RAS_Only 2 0.0.0.0 0.0.0.0

Deploying Identity Services within a Converged Plantwide Ethernet Architecture


B-2 ENET-TD008A-EN-P
Appendix B Configuration Examples
Example: Industrial WLC Configuration

acl rule destination address ACL_RAS_Only 3 0.0.0.0 0.0.0.0
acl rule destination port range ACL_Full_Access 1 0 65535
acl rule destination port range ACL_RDG_Only 1 443 443
acl rule destination port range ACL_RDG_Only 2 0 65535
acl rule destination port range ACL_RDG_Only 3 0 65535
acl rule destination port range ACL_Partial_Access 1 0 65535
acl rule destination port range ACL_Partial_Access 2 0 65535
acl rule destination port range ACL_Partial_Access 3 0 65535
acl rule destination port range ACL_RAS_Only 1 0 65535
acl rule destination port range ACL_RAS_Only 2 0 65535
acl rule destination port range ACL_RAS_Only 3 0 65535
acl rule destination port range bla 1 0 65535
acl rule source address ACL_Full_Access 1 0.0.0.0 0.0.0.0
acl rule source address ACL_RDG_Only 1 0.0.0.0 0.0.0.0
acl rule source address ACL_RDG_Only 2 10.1.2.3 255.255.255.255
acl rule source address ACL_RDG_Only 3 0.0.0.0 0.0.0.0
acl rule source address ACL_Partial_Access 1 0.0.0.0 0.0.0.0
acl rule source address ACL_Partial_Access 2 10.17.10.0 255.255.255.0
acl rule source address ACL_Partial_Access 3 0.0.0.0 0.0.0.0
acl rule source address ACL_RAS_Only 1 0.0.0.0 0.0.0.0
acl rule source address ACL_RAS_Only 2 10.13.48.28 255.255.255.255
acl rule source address ACL_RAS_Only 3 0.0.0.0 0.0.0.0
acl rule source port range ACL_Full_Access 1 0 65535
acl rule source port range ACL_RDG_Only 1 0 65535
acl rule source port range ACL_RDG_Only 2 443 443
acl rule source port range ACL_RDG_Only 3 0 65535
acl rule source port range ACL_Partial_Access 1 0 65535
acl rule source port range ACL_Partial_Access 2 0 65535
acl rule source port range ACL_Partial_Access 3 0 65535
acl rule source port range ACL_RAS_Only 1 0 65535
acl rule source port range ACL_RAS_Only 2 0 65535
acl rule source port range ACL_RAS_Only 3 0 65535
acl rule direction ACL_Full_Access 1 Any
acl rule direction ACL_RDG_Only 1 In
acl rule direction ACL_RDG_Only 2 Out
acl rule direction ACL_RDG_Only 3 Any
acl rule direction ACL_Partial_Access 1 In
acl rule direction ACL_Partial_Access 2 Out
acl rule direction ACL_Partial_Access 3 Any
acl rule direction ACL_RAS_Only 1 Any
acl rule direction ACL_RAS_Only 2 Any
acl rule direction ACL_RAS_Only 3 Any
acl rule dscp ACL_Full_Access 1 Any
acl rule dscp ACL_RDG_Only 1 Any
acl rule dscp ACL_RDG_Only 2 Any
acl rule dscp ACL_RDG_Only 3 Any
acl rule dscp ACL_Partial_Access 1 Any
acl rule dscp ACL_Partial_Access 2 Any
acl rule dscp ACL_Partial_Access 3 Any
acl rule dscp ACL_RAS_Only 1 Any
acl rule dscp ACL_RAS_Only 2 Any
acl rule dscp ACL_RAS_Only 3 Any
acl rule protocol ACL_Full_Access 1 Any
acl rule protocol ACL_RDG_Only 1 6
acl rule protocol ACL_RDG_Only 2 6
acl rule protocol ACL_RDG_Only 3 Any
acl rule protocol ACL_Partial_Access 1 Any
acl rule protocol ACL_Partial_Access 2 Any
acl rule protocol ACL_Partial_Access 3 Any
acl rule protocol ACL_RAS_Only 1 Any
acl rule protocol ACL_RAS_Only 2 Any
acl rule protocol ACL_RAS_Only 3 Any
acl apply ACL_Full_Access
acl apply ACL_RDG_Only

acl apply ACL_Partial_Access
acl apply ACL_RAS_Only

advanced 802.11a channel dca interval 0
advanced 802.11a channel dca startup-interval 0
advanced 802.11a channel dca anchor-time 0
advanced 802.11a channel dca chan-width 20
advanced 802.11a channel dca sensitivity 15
advanced 802.11a channel dca min-metric -95
advanced 802.11a channel delete 20
advanced 802.11a channel delete 26
advanced 802.11a group-mode off
advanced 802.11a reporting neighbor 180
advanced 802.11a reporting interference 120

advanced 802.11b channel dca interval 0
advanced 802.11b channel dca startup-interval 0
advanced 802.11b channel dca anchor-time 0
advanced 802.11b channel dca sensitivity 10
advanced 802.11b channel dca min-metric -95
advanced 802.11b reporting neighbor 180
advanced 802.11b reporting interference 120

location info rogue extended
location rssi-half-life tags 0
location rssi-half-life client 0
location rssi-half-life rogue-aps 0
location expiry tags 5
location expiry client 5
location expiry calibrating-client 5
location expiry rogue-aps 5

advanced timers ap-heartbeat-timeout 10
advanced timers ap-fast-heartbeat flexconnect enable 1

advanced backup-controller primary
advanced backup-controller secondary
advanced backup-controller
advanced backup-controller
advanced sip-snooping-ports 0 0

avc profile PAC_IO_SAFETY create

advanced eap bcast-key-interval 3600
advanced 802.11-abgn pak-rssi-location threshold -100
advanced 802.11-abgn pak-rssi-location trigger-threshold 10
advanced 802.11-abgn pak-rssi-location reset-threshold 8
advanced 802.11-abgn pak-rssi-location ntp 10.13.15.254
advanced 802.11-abgn pak-rssi-location timeout 3
advanced hotspot cmbk-delay 50

ap syslog host global ::
ap dtls-cipher-suite RSA-AES128-SHA
auth-list ap-policy ssc enable
auth-list add mic 3c:08:f6:20:d2:17
auth-list add mic 3c:08:f6:a2:d3:b0
auth-list add mic 3c:08:f6:b2:8d:d6
auth-list add mic 3c:08:f6:b2:98:e4
auth-list add mic 78:da:6e:42:9c:2e
auth-list add mic a8:0c:0d:be:a6:7e

cdp advertise-v2 enable

cts sxp disable
cts sxp connection default password ****
cts sxp retry period 120

cts sxp sxpversion 2

database size 2048

dhcp opt-82 remote-id ap-mac

flexconnect acl create ACL_Provisioning_Redirect
flexconnect acl apply ACL_Provisioning_Redirect
flexconnect acl rule add ACL_Provisioning_Redirect 1
flexconnect acl rule add ACL_Provisioning_Redirect 2
flexconnect acl rule add ACL_Provisioning_Redirect 3
flexconnect acl rule add ACL_Provisioning_Redirect 4
flexconnect acl rule add ACL_Provisioning_Redirect 5
flexconnect acl rule action ACL_Provisioning_Redirect 1 permit
flexconnect acl rule action ACL_Provisioning_Redirect 2 permit
flexconnect acl rule action ACL_Provisioning_Redirect 3 permit
flexconnect acl rule action ACL_Provisioning_Redirect 4 permit
flexconnect acl rule action ACL_Provisioning_Redirect 5 deny
flexconnect acl rule destination address ACL_Provisioning_Redirect 1 10.13.48.26 255.255.255.255
flexconnect acl rule destination address ACL_Provisioning_Redirect 2 0.0.0.0 0.0.0.0
flexconnect acl rule destination address ACL_Provisioning_Redirect 3 10.13.48.32 255.255.255.255
flexconnect acl rule destination address ACL_Provisioning_Redirect 4 0.0.0.0 0.0.0.0
flexconnect acl rule destination address ACL_Provisioning_Redirect 5 0.0.0.0 0.0.0.0
flexconnect acl rule destination port range ACL_Provisioning_Redirect 1 0 65535
flexconnect acl rule destination port range ACL_Provisioning_Redirect 2 0 65535
flexconnect acl rule destination port range ACL_Provisioning_Redirect 3 0 65535
flexconnect acl rule destination port range ACL_Provisioning_Redirect 4 0 65535
flexconnect acl rule destination port range ACL_Provisioning_Redirect 5 0 65535
flexconnect acl rule source address ACL_Provisioning_Redirect 1 0.0.0.0 0.0.0.0
flexconnect acl rule source address ACL_Provisioning_Redirect 2 10.13.48.26 255.255.255.255
flexconnect acl rule source address ACL_Provisioning_Redirect 3 0.0.0.0 0.0.0.0
flexconnect acl rule source address ACL_Provisioning_Redirect 4 10.13.48.32 255.255.255.255
flexconnect acl rule source address ACL_Provisioning_Redirect 5 0.0.0.0 0.0.0.0
flexconnect acl rule source port range ACL_Provisioning_Redirect 1 0 65535
flexconnect acl rule source port range ACL_Provisioning_Redirect 2 0 65535
flexconnect acl rule source port range ACL_Provisioning_Redirect 3 0 65535
flexconnect acl rule source port range ACL_Provisioning_Redirect 4 0 65535
flexconnect acl rule source port range ACL_Provisioning_Redirect 5 0 65535
flexconnect acl rule dscp ACL_Provisioning_Redirect 1 Any
flexconnect acl rule dscp ACL_Provisioning_Redirect 2 Any
flexconnect acl rule dscp ACL_Provisioning_Redirect 3 Any
flexconnect acl rule dscp ACL_Provisioning_Redirect 4 Any
flexconnect acl rule dscp ACL_Provisioning_Redirect 5 Any
flexconnect acl rule protocol ACL_Provisioning_Redirect 1 Any
flexconnect acl rule protocol ACL_Provisioning_Redirect 2 Any
flexconnect acl rule protocol ACL_Provisioning_Redirect 3 Any
flexconnect acl rule protocol ACL_Provisioning_Redirect 4 Any
flexconnect acl rule protocol ACL_Provisioning_Redirect 5 Any
flexconnect group FastRoam_CCKM_Flex_Ring add
flexconnect group FastRoam_CCKM_Flex_Ring ap add 3c:08:f6:20:d2:17
flexconnect group FastRoam_CCKM_Flex_Ring radius ap server-key <hidden>
flexconnect group FastRoam_CCKM_Flex_Ring radius ap authority id 436973636f0000000000000000000000
flexconnect group FastRoam_CCKM_Flex_Ring radius ap authority info Cisco A_ID
flexconnect group FastRoam_CCKM_Flex_Star add
flexconnect group FastRoam_CCKM_Flex_Star radius ap server-key <hidden>
flexconnect group FastRoam_CCKM_Flex_Star radius ap authority id 436973636f0000000000000000000000
flexconnect group FastRoam_CCKM_Flex_Star radius ap authority info Cisco A_ID
flexconnect group Industrial_FlexConnect_Group add
flexconnect group Industrial_FlexConnect_Group radius ap server-key <hidden>

flexconnect group Industrial_FlexConnect_Group radius ap authority id 436973636f0000000000000000000000
flexconnect group Industrial_FlexConnect_Group radius ap authority info Cisco A_ID
flexconnect group Industrial_FlexConnect_Group policy acl add ACL_Provisioning_Redirect
local-auth eap-profile add CPwE350-EAP-FAST
local-auth eap-profile add CPwE350-EAP-TLS
local-auth eap-profile cert-issuer cisco CPwE350-EAP-FAST
local-auth eap-profile cert-issuer vendor CPwE350-EAP-TLS
local-auth eap-profile method add fast CPwE350-EAP-FAST
local-auth eap-profile method add tls CPwE350-EAP-TLS
local-auth eap-profile method fast client-cert enable CPwE350-EAP-TLS
local-auth eap-profile method fast local-cert enable CPwE350-EAP-TLS
local-auth method fast server-key ****
local-auth eap-profile cert-verify ca-issuer disable CPwE350-EAP-FAST
local-auth eap-profile cert-verify date-valid disable CPwE350-EAP-FAST

interface create corporate_employee_provisioning 182
interface create industrial_employee_provisionin 181
interface create trusted_partners_provisioning 183
interface create wgb-roam-client 250
interface address dynamic-interface corporate_employee_provisioning 10.1.182.251 255.255.255.0 10.1.182.1
interface address dynamic-interface industrial_employee_provisionin 10.13.181.251 255.255.255.0 10.13.181.1
interface address management 10.13.50.251 255.255.255.0 10.13.50.1
interface address service-port 192.168.254.83 255.255.255.0
interface address dynamic-interface trusted_partners_provisioning 10.1.183.251 255.255.255.0 10.1.183.1
interface address virtual 1.1.1.1
interface address dynamic-interface wgb-roam-client 10.17.250.251 255.255.255.0 10.17.250.1
interface address redundancy-management 10.13.50.253
redundancy interface address peer-redundancy-management 10.13.50.252
interface dhcp management primary 10.13.48.26
interface dhcp dynamic-interface wgb-roam-client primary 10.13.48.26
interface vlan corporate_employee_provisioning 182
interface vlan industrial_employee_provisionin 181
interface vlan management 150
interface vlan trusted_partners_provisioning 183
interface vlan wgb-roam-client 250
interface nasid corporate_employee_provisioning
interface nasid industrial_employee_provisionin
interface nasid trusted_partners_provisioning
interface nasid wgb-roam-client
interface port corporate_employee_provisioning 1
interface port industrial_employee_provisionin 1
interface port management 1
interface port trusted_partners_provisioning 1
interface port wgb-roam-client 1

mdns snooping disable
mdns policy service-group create default-mdns-policy default-mdns-policy
mdns policy service-group user-role add default-mdns-policy admin
mdns profile create default-mdns-profile
mdns service create AirPrint _ipp._tcp.local. origin All LSS disable query enable
mdns service create AirTunes _raop._tcp.local. origin All LSS disable query enable
mdns service create AppleTV _airplay._tcp.local. origin All LSS disable query enable
mdns service create HP_Photosmart_Printer_1 _universal._sub._ipp._tcp.local. origin All LSS disable query enable

mdns service create HP_Photosmart_Printer_2 _cups._sub._ipp._tcp.local. origin All LSS disable query enable
mdns service create Printer _printer._tcp.local. origin All LSS disable query enable
mdns profile service add default-mdns-profile AirPrint
mdns profile service add default-mdns-profile AirTunes
mdns profile service add default-mdns-profile AppleTV
mdns profile service add default-mdns-profile HP_Photosmart_Printer_1
mdns profile service add default-mdns-profile HP_Photosmart_Printer_2
mdns profile service add default-mdns-profile Printer
mdns query interval 15

wlan mdns disable 1
wlan mdns disable 2
wlan mdns enable 3
wlan mdns enable 4
wlan mdns enable 6
wlan mdns disable 7
wlan mdns enable 11

wlan mdns profile 3 default-mdns-profile
wlan mdns profile 4 default-mdns-profile
wlan mdns profile 6 default-mdns-profile
wlan mdns profile 11 default-mdns-profile

ipv6 ra-guard ap enable
ipv6 capwap udplite enable all
ipv6 multicast mode unicast

load-balancing aggressive enable
load-balancing window 5

wlan apgroup add CPwE350-Flex-Ring01 FlexRing01
wlan apgroup add CPwE350-Flex-Star01 FlexStar01
wlan apgroup add CPwE350-Roam-central "For roaming clients"
wlan apgroup add default-group
wlan apgroup qinq tagging eap-sim-aka default-group enable
wlan apgroup interface-mapping add CPwE350-Flex-Ring01 1 management
wlan apgroup interface-mapping add CPwE350-Flex-Ring01 7
industrial_employee_provisionin
wlan apgroup interface-mapping add CPwE350-Flex-Ring01 6
corporate_employee_provisioning
wlan apgroup interface-mapping add CPwE350-Flex-Ring01 4
trusted_partners_provisioning
wlan apgroup interface-mapping add CPwE350-Flex-Star01 2 management
wlan apgroup interface-mapping add CPwE350-Roam-central 3 wgb-roam-client
wlan apgroup interface-mapping add default-group 1 management
wlan apgroup interface-mapping add default-group 2 management
wlan apgroup interface-mapping add default-group 3 wgb-roam-client
wlan apgroup interface-mapping add default-group 4 trusted_partners_provisioning
wlan apgroup interface-mapping add default-group 6 corporate_employee_provisioning
wlan apgroup interface-mapping add default-group 7 industrial_employee_provisionin
wlan apgroup nac-snmp disable CPwE350-Flex-Ring01 1
wlan apgroup nac-snmp disable CPwE350-Flex-Ring01 7
wlan apgroup nac-snmp disable CPwE350-Flex-Ring01 6
wlan apgroup nac-snmp disable CPwE350-Flex-Ring01 4
wlan apgroup nac-snmp disable CPwE350-Flex-Star01 2
wlan apgroup nac-snmp disable CPwE350-Roam-central 3
wlan apgroup nac-snmp disable default-group 1
wlan apgroup nac-snmp disable default-group 2
wlan apgroup nac-snmp disable default-group 3
wlan apgroup nac-snmp disable default-group 4
wlan apgroup nac-snmp disable default-group 6
wlan apgroup nac-snmp disable default-group 7

wlan apgroup nac-snmp disable default-group 11

memory monitor errors enable
memory monitor leak thresholds 10000 30000

Outdoor Mesh Ext.UNII B Domain channels: Disable
mesh security rad-mac-filter disable
mesh security rad-mac-filter disable
mesh security eap
mesh lsc advanced ap-provision open-window enable

mgmtuser add admin **** read-write

mobility group domain CPwE351
mobility group member add 30:f7:0d:31:36:40 10.1.3.78 CPwE351
mobility group member add 6c:41:6a:5f:0e:a0 10.1.4.77 CPwE351
mobility group anchor add wlan 4
mobility group anchor add wlan 4 10.1.4.77
mobility group anchor add wlan 6
mobility group anchor add wlan 6 10.1.3.78
mobility dscp 0

netuser add AP2602-R-WGB05 **** wlan 0 userType permanent description
netuser wlan-id AP2602-R-WGB05 0
netuser guest-role create PAC_IO_SAFETY

network multicast igmp snooping enable
network multicast mld snooping enable
network ap-priority disabled
network web-auth captive-bypass enable
network fast-ssid-change enable
network rf-network-name CPwE351
network secureweb cipher-option rc4-preference disable
network client-ip-conflict-detection disable

qos protocol-type bronze dot1p
qos protocol-type silver dot1p
qos protocol-type gold dot1p
qos protocol-type platinum dot1p
qos priority bronze background background background
qos priority gold video video video
qos priority platinum voice voice voice
qos priority silver besteffort besteffort besteffort
qos dot1p-tag silver 0
qos dot1p-tag gold 4
qos dot1p-tag platinum 5

radius auth add 1 10.13.48.40 1812 ascii ****
radius auth add 2 10.13.48.32 1812 ascii ****
radius callStationIdType macaddr
radius auth callStationIdType ap-macaddr-ssid
radius auth network 1 disable
radius auth management 1 disable
radius fallback-test mode off
radius fallback-test username cisco-probe
radius fallback-test interval 300
radius dns disable
radius dns auth network disable
radius dns auth management disable
radius dns acct network disable
radius dns auth rfc3576 disable

tacacs dns disable

rogue detection report-interval 10
rogue detection min-rssi -128
rogue detection transient-rogue-interval 0
rogue detection client-threshold 0
rogue detection security-level custom
rogue ap aaa-auth disable
rogue ap aaa-auth polling-interval 0
rogue ap ssid alarm
rogue ap valid-client alarm
rogue adhoc enable
rogue adhoc alert
rogue ap rldp disable
rogue auto-contain level 1
rogue containment flex-connect disable
rogue containment auto-rate disable
serial timeout 0
sessions timeout 0
snmp version v2c enable
snmp version v3 enable
snmp snmpEngineId 0000376300004000fb320d0a
snmp community ipsec ike auth-mode pre-shared-key ****

switchconfig strong-pwd case-check enabled
switchconfig strong-pwd consecutive-check enabled
switchconfig strong-pwd default-check enabled
switchconfig strong-pwd username-check enabled
switchconfig strong-pwd position-check disabled
switchconfig strong-pwd case-digit-check disabled
switchconfig strong-pwd minimum upper-case 0
switchconfig strong-pwd minimum lower-case 0
switchconfig strong-pwd minimum digits-chars 0
switchconfig strong-pwd minimum special-chars 0
switchconfig strong-pwd min-length 3

sysname WLC_Primary

stats-timer realtime 5
stats-timer normal 180
time ntp interval 3600
time ntp server 1 10.13.15.254

rf-profile create 802.11a CPwE350-Flex-RFPolicy
rf-profile create 802.11a CPwE350-Roam-RFPolicy
rf-profile create 802.11a High-Client-Density-(802.11a)
rf-profile create 802.11b High-Client-Density-(802.11bg)
rf-profile create 802.11a Low-Client-Density-(802.11a)
rf-profile create 802.11b Low-Client-Density-(802.11bg)
rf-profile create 802.11b Typical-Client-Density(802.11bg)
rf-profile create 802.11a Typical-Client-Density-(802.11a)
rf-profile description Single Cell/Area LWAP RF Policy CPwE350-Flex-RFPolicy
rf-profile description Plant-wide Roaming LWAP RF Policy CPwE350-Roam-RFPolicy
rf-profile tx-power-min 7 High-Client-Density-(802.11a)
rf-profile tx-power-min 7 High-Client-Density-(802.11bg)
rf-profile tx-power-control-thresh-v1 -65 High-Client-Density-(802.11a)
rf-profile tx-power-control-thresh-v1 -60 Low-Client-Density-(802.11a)
rf-profile tx-power-control-thresh-v1 -65 Low-Client-Density-(802.11bg)
rf-profile data-rates 802.11a mandatory 6 CPwE350-Flex-RFPolicy
rf-profile data-rates 802.11a supported 9 CPwE350-Flex-RFPolicy
rf-profile data-rates 802.11a mandatory 12 CPwE350-Flex-RFPolicy
rf-profile data-rates 802.11a supported 18 CPwE350-Flex-RFPolicy
rf-profile data-rates 802.11a mandatory 24 CPwE350-Flex-RFPolicy
rf-profile data-rates 802.11a supported 36 CPwE350-Flex-RFPolicy
rf-profile data-rates 802.11a supported 48 CPwE350-Flex-RFPolicy
rf-profile data-rates 802.11a supported 54 CPwE350-Flex-RFPolicy

rf-profile data-rates 802.11a mandatory 6 CPwE350-Roam-RFPolicy
rf-profile data-rates 802.11a supported 9 CPwE350-Roam-RFPolicy
rf-profile data-rates 802.11a mandatory 12 CPwE350-Roam-RFPolicy
rf-profile data-rates 802.11a supported 18 CPwE350-Roam-RFPolicy
rf-profile data-rates 802.11a mandatory 24 CPwE350-Roam-RFPolicy
rf-profile data-rates 802.11a supported 36 CPwE350-Roam-RFPolicy
rf-profile data-rates 802.11a supported 48 CPwE350-Roam-RFPolicy
rf-profile data-rates 802.11a supported 54 CPwE350-Roam-RFPolicy
rf-profile data-rates 802.11a mandatory 6 High-Client-Density-(802.11a)
rf-profile data-rates 802.11a disabled 9 High-Client-Density-(802.11a)
rf-profile data-rates 802.11a mandatory 12 High-Client-Density-(802.11a)
rf-profile data-rates 802.11a disabled 18 High-Client-Density-(802.11a)
rf-profile data-rates 802.11a mandatory 24 High-Client-Density-(802.11a)
rf-profile data-rates 802.11a disabled 36 High-Client-Density-(802.11a)
rf-profile data-rates 802.11a disabled 48 High-Client-Density-(802.11a)
rf-profile data-rates 802.11a supported 54 High-Client-Density-(802.11a)
rf-profile data-rates 802.11b disabled 1 High-Client-Density-(802.11bg)
rf-profile data-rates 802.11b disabled 2 High-Client-Density-(802.11bg)
rf-profile data-rates 802.11b disabled 5.5 High-Client-Density-(802.11bg)
rf-profile data-rates 802.11a mandatory 6 Low-Client-Density-(802.11a)
rf-profile data-rates 802.11a disabled 9 Low-Client-Density-(802.11a)
rf-profile data-rates 802.11a mandatory 12 Low-Client-Density-(802.11a)
rf-profile data-rates 802.11a disabled 18 Low-Client-Density-(802.11a)
rf-profile data-rates 802.11a mandatory 24 Low-Client-Density-(802.11a)
rf-profile data-rates 802.11a disabled 36 Low-Client-Density-(802.11a)
rf-profile data-rates 802.11a disabled 48 Low-Client-Density-(802.11a)
rf-profile data-rates 802.11a supported 54 Low-Client-Density-(802.11a)
rf-profile data-rates 802.11b mandatory 1 Low-Client-Density-(802.11bg)
rf-profile data-rates 802.11b mandatory 2 Low-Client-Density-(802.11bg)
rf-profile data-rates 802.11b mandatory 5.5 Low-Client-Density-(802.11bg)
rf-profile data-rates 802.11b disabled 1 Typical-Client-Density(802.11bg)
rf-profile data-rates 802.11b disabled 2 Typical-Client-Density(802.11bg)
rf-profile data-rates 802.11b disabled 5.5 Typical-Client-Density(802.11bg)
rf-profile data-rates 802.11a mandatory 6 Typical-Client-Density-(802.11a)
rf-profile data-rates 802.11a disabled 9 Typical-Client-Density-(802.11a)
rf-profile data-rates 802.11a mandatory 12 Typical-Client-Density-(802.11a)
rf-profile data-rates 802.11a disabled 18 Typical-Client-Density-(802.11a)
rf-profile data-rates 802.11a mandatory 24 Typical-Client-Density-(802.11a)
rf-profile data-rates 802.11a disabled 36 Typical-Client-Density-(802.11a)
rf-profile data-rates 802.11a disabled 48 Typical-Client-Density-(802.11a)
rf-profile data-rates 802.11a supported 54 Typical-Client-Density-(802.11a)
rf-profile rx-sop threshold medium High-Client-Density-(802.11a)
rf-profile rx-sop threshold medium High-Client-Density-(802.11bg)
rf-profile rx-sop threshold low Low-Client-Density-(802.11a)
rf-profile rx-sop threshold low Low-Client-Density-(802.11bg)
rf-profile coverage data -90 Low-Client-Density-(802.11a)
rf-profile coverage data -90 Low-Client-Density-(802.11bg)
rf-profile coverage voice -90 Low-Client-Density-(802.11a)
rf-profile coverage voice -90 Low-Client-Density-(802.11bg)
rf-profile channel delete 20 CPwE350-Flex-RFPolicy
rf-profile channel delete 26 CPwE350-Flex-RFPolicy
rf-profile channel delete 20 CPwE350-Roam-RFPolicy
rf-profile channel delete 26 CPwE350-Roam-RFPolicy
rf-profile channel delete 20 High-Client-Density-(802.11a)
rf-profile channel delete 26 High-Client-Density-(802.11a)
rf-profile channel delete 20 Low-Client-Density-(802.11a)
rf-profile channel delete 26 Low-Client-Density-(802.11a)
rf-profile channel delete 20 Typical-Client-Density-(802.11a)
rf-profile channel delete 26 Typical-Client-Density-(802.11a)

trapflags client nac-alert enable
trapflags ap ssidKeyConflict disable
trapflags ap timeSyncFailure disable
trapflags mfp disable

trapflags adjchannel-rogueap disable
trapflags mesh excessive hop count disable
trapflags mesh sec backhaul change disable
wlan create 1 "CPwE350 Ring#1 Flex" CPwE350-R1-Flex
wlan create 2 "CPwE350 Star#1 Flex" CPwE350-S1-Flex
wlan create 3 CPwE350-Roam CPwE350-Roam
wlan create 4 Trusted_Partners_WLAN Trusted_Partners
wlan create 6 Corporate_Employee_WLAN Corporate_Employee
wlan create 7 Industrial_Employee_WLAN Industrial_Employee
wlan create 11 xyz xyz
wlan nac snmp disable 1
wlan nac snmp disable 2
wlan nac snmp disable 3
wlan nac snmp disable 4
wlan nac snmp disable 6
wlan nac snmp disable 7
wlan nac snmp disable 11
wlan nac radius disable 1
wlan nac radius disable 2
wlan nac radius disable 3
wlan nac radius enable 4
wlan nac radius enable 6
wlan nac radius enable 7
wlan nac radius enable 11
wlan interface 3 wgb-roam-client
wlan interface 4 trusted_partners_provisioning
wlan interface 6 corporate_employee_provisioning
wlan interface 7 industrial_employee_provisionin
wlan multicast interface 1 disable
wlan multicast interface 2 disable
wlan multicast interface 3 disable
wlan multicast interface 4 disable
wlan multicast interface 6 disable
wlan multicast interface 7 disable
wlan multicast interface 11 disable
wlan aaa-override enable 4
wlan aaa-override enable 6
wlan aaa-override enable 7
wlan aaa-override enable 11
wlan broadcast-ssid disable 1
wlan broadcast-ssid disable 2
wlan broadcast-ssid disable 3
wlan band-select allow disable 1
wlan band-select allow disable 2
wlan band-select allow disable 3
wlan band-select allow disable 4
wlan band-select allow disable 6
wlan band-select allow disable 7
wlan band-select allow disable 11
wlan load-balance allow disable 1
wlan load-balance allow disable 2
wlan load-balance allow disable 3
wlan load-balance allow disable 4
wlan load-balance allow disable 6
wlan load-balance allow disable 7
wlan load-balance allow disable 11
wlan multicast buffer disable 0 1
wlan multicast buffer disable 0 2
wlan multicast buffer disable 0 3
wlan multicast buffer disable 0 4
wlan multicast buffer disable 0 6
wlan multicast buffer disable 0 7
wlan multicast buffer disable 0 11
wlan qos 1 platinum

wlan qos 2 platinum
wlan qos 3 platinum
wlan radio 1 802.11a-only
wlan radio 2 802.11a-only
wlan radio 3 802.11a-only
wlan radio 4 802.11bg
wlan radio 6 802.11bg
wlan radio 7 802.11bg
wlan session-timeout 1 1800
wlan session-timeout 2 1800
wlan session-timeout 3 1800
wlan session-timeout 4 1800
wlan session-timeout 6 1800
wlan session-timeout 7 1800
wlan session-timeout 11 1800
wlan flexconnect local-switching 1 enable
wlan flexconnect local-switching 2 enable
wlan flexconnect local-switching 3 disable
wlan flexconnect local-switching 4 disable
wlan flexconnect local-switching 6 disable
wlan flexconnect local-switching 7 disable
wlan flexconnect local-switching 11 disable
wlan flexconnect learn-ipaddr 1 enable
wlan flexconnect learn-ipaddr 2 enable
wlan flexconnect learn-ipaddr 3 enable
wlan flexconnect learn-ipaddr 4 enable
wlan flexconnect learn-ipaddr 6 enable
wlan flexconnect learn-ipaddr 7 enable
wlan flexconnect learn-ipaddr 11 enable
wlan security wpa disable 2
wlan radius_server auth add 1 2
wlan radius_server acct disable 1
wlan radius_server auth add 2 1
wlan radius_server acct disable 2
wlan radius_server auth add 3 1
wlan radius_server acct disable 3
wlan radius_server auth add 4 2
wlan radius_server auth add 6 2
wlan radius_server auth add 7 2
wlan radius_server acct disable 7
wlan radius_server auth add 11 2
wlan radius_server overwrite-interface apgroup 3
wlan security splash-page-web-redir disable 1
wlan security splash-page-web-redir disable 2
wlan security splash-page-web-redir disable 3
wlan security splash-page-web-redir disable 4
wlan security splash-page-web-redir disable 6
wlan security splash-page-web-redir disable 7
wlan security splash-page-web-redir disable 11
wlan user-idle-threshold 70 1
wlan user-idle-threshold 70 2
wlan user-idle-threshold 70 3
wlan user-idle-threshold 70 4
wlan user-idle-threshold 70 6
wlan user-idle-threshold 70 7
wlan user-idle-threshold 70 11
wlan security web-auth server-precedence 6 radius
wlan security web-auth server-precedence 7 radius
wlan security wpa akm 802.1x enable 1
wlan security wpa akm 802.1x enable 3
wlan security wpa akm cckm enable 3
wlan security wpa akm 802.1x enable 4
wlan security wpa akm 802.1x enable 6
wlan security wpa akm 802.1x enable 7

wlan security wpa akm 802.1x enable 11
wlan security wpa akm cckm timestamp-tolerance 1000 1
wlan security wpa akm cckm timestamp-tolerance 1000 2
wlan security wpa akm cckm timestamp-tolerance 1000 3
wlan security wpa akm cckm timestamp-tolerance 1000 4
wlan security wpa akm cckm timestamp-tolerance 1000 6
wlan security wpa akm cckm timestamp-tolerance 1000 7
wlan security wpa akm cckm timestamp-tolerance 1000 11
wlan security ft over-the-ds disable 1
wlan security ft over-the-ds disable 2
wlan security ft over-the-ds disable 3
wlan security ft over-the-ds disable 4
wlan security ft over-the-ds disable 6
wlan security ft over-the-ds disable 7
wlan security wpa gtk-random disable 1
wlan security wpa gtk-random disable 2
wlan security wpa gtk-random disable 3
wlan security wpa gtk-random disable 4
wlan security wpa gtk-random disable 6
wlan security wpa gtk-random disable 7
wlan security wpa gtk-random disable 11
wlan security pmf association-comeback 1 1
wlan security pmf association-comeback 1 2
wlan security pmf association-comeback 1 3
wlan security pmf association-comeback 1 4
wlan security pmf association-comeback 1 6
wlan security pmf association-comeback 1 7
wlan security pmf association-comeback 1 11
wlan security pmf saquery-retrytimeout 200 1
wlan security pmf saquery-retrytimeout 200 2
wlan security pmf saquery-retrytimeout 200 3
wlan security pmf saquery-retrytimeout 200 4
wlan security pmf saquery-retrytimeout 200 6
wlan security pmf saquery-retrytimeout 200 7
wlan security pmf saquery-retrytimeout 200 11
wlan profiling radius dhcp disable 1
wlan profiling radius http disable 1
wlan profiling radius dhcp disable 2
wlan profiling radius http disable 2
wlan profiling radius dhcp disable 3
wlan profiling radius http disable 3
wlan profiling radius dhcp disable 4
wlan profiling radius http disable 4
wlan profiling radius dhcp disable 6
wlan profiling radius http disable 6
wlan profiling radius dhcp disable 7
wlan profiling radius http disable 7
wlan profiling radius dhcp disable 11
wlan profiling radius http disable 11
wlan apgroup hotspot venue type CPwE350-Flex-Ring01 0 0
wlan apgroup hotspot venue type CPwE350-Flex-Star01 0 0
wlan apgroup hotspot venue type CPwE350-Roam-central 0 0
wlan enable 1
wlan enable 2
wlan enable 3
wlan enable 4
wlan enable 6
wlan enable 7

license boot base
coredump disable
media-stream multicast-direct disable
media-stream message url
media-stream message email

media-stream message phone
media-stream message note denial
media-stream message state disable

802.11a media-stream multicast-direct enable
802.11b media-stream multicast-direct enable
802.11a media-stream multicast-direct radio-maximum 0
802.11b media-stream multicast-direct radio-maximum 0
802.11a media-stream multicast-direct client-maximum 0
802.11b media-stream multicast-direct client-maximum 0
802.11a media-stream multicast-direct admission-besteffort disable
802.11b media-stream multicast-direct admission-besteffort disable
802.11a media-stream video-redirect enable
802.11b media-stream video-redirect enable

ipv6 neighbor-binding timers reachable-lifetime 300
ipv6 neighbor-binding timers stale-lifetime 86400
ipv6 neighbor-binding timers down-lifetime 30
ipv6 neighbor-binding ra-throttle disable
ipv6 neighbor-binding ra-throttle allow at-least 1 at-most 1
ipv6 neighbor-binding ra-throttle max-through 10
ipv6 neighbor-binding ra-throttle throttle-period 600
ipv6 neighbor-binding ra-throttle interval-option passthrough
ipv6 ns-mcast-fwd disable
ipv6 na-mcast-fwd enable
ipv6 enable
nmheartbeat disable
ipv6 slaac service-port disable
sys-nas
tunnel eogre heart-beat interval 30
tunnel eogre heart-beat primary-fallback-timeout 30
tunnel eogre heart-beat max-skip-count 5
tunnel gtpv2 heart-beat echo-request 60
tunnel gtpv2 heart-beat echo-response 1
tunnel gtpv2 heart-beat max-skip-count 5
WLAN Express Setup - False
(Cisco Controller) >
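The wlan lines in the Industrial WLC listing above set, per WLAN ID, whether 802.1X is the AKM, whether NAC RADIUS and AAA override are on (the settings that hand the session to ISE), whether FlexConnect local switching is used, and whether the WLAN is enabled, but those settings are spread over a few hundred lines of output. The Python script below is an added example, not Cisco tooling and not part of this guide: it collects those lines into one record per WLAN, reports which WLANs show the full ISE hand-off, and lists the points a reviewer would look at. SAMPLE_DUMP is a constructed subset of the listing (WLANs 1, 2, 4 and 11 only); the lines themselves are copied from it. Only what the dump states is recorded; a setting the dump does not mention is left as None rather than assumed to be at its default.

```python
# Added example (not Cisco tooling): summarise the per-WLAN security settings in a
# Cisco WLC (AireOS) 'show run-config commands' dump. Only what the dump states is
# recorded; a setting the dump does not mention stays None ("not stated").
from __future__ import annotations

import shlex
from dataclasses import dataclass

# Constructed subset of the Industrial WLC 'wlan' lines above (WLANs 1, 2, 4 and 11
# only, to keep the sample short); the lines themselves are copied from the listing.
SAMPLE_DUMP = """\
wlan create 1 "CPwE350 Ring#1 Flex" CPwE350-R1-Flex
wlan create 2 "CPwE350 Star#1 Flex" CPwE350-S1-Flex
wlan create 4 Trusted_Partners_WLAN Trusted_Partners
wlan create 11 xyz xyz
wlan nac radius disable 1
wlan nac radius disable 2
wlan nac radius enable 4
wlan nac radius enable 11
wlan aaa-override enable 4
wlan aaa-override enable 11
wlan flexconnect local-switching 1 enable
wlan flexconnect local-switching 2 enable
wlan flexconnect local-switching 4 disable
wlan flexconnect local-switching 11 disable
wlan security wpa disable 2
wlan security wpa akm 802.1x enable 1
wlan security wpa akm 802.1x enable 4
wlan security wpa akm 802.1x enable 11
wlan enable 1
wlan enable 2
wlan enable 4
"""


@dataclass
class Wlan:
    wlan_id: int
    profile: str = ""
    ssid: str = ""
    enabled: bool | None = None          # 'wlan enable <id>' seen?
    wpa: bool | None = None              # 'wlan security wpa enable|disable <id>'
    dot1x_akm: bool | None = None        # 'wlan security wpa akm 802.1x enable|disable <id>'
    nac_radius: bool | None = None       # 'wlan nac radius enable|disable <id>'
    aaa_override: bool | None = None     # 'wlan aaa-override enable|disable <id>'
    local_switching: bool | None = None  # 'wlan flexconnect local-switching <id> enable|disable'


def _flag(word: str) -> bool:
    return word == "enable"


def parse_wlans(dump: str) -> dict[int, Wlan]:
    """Build {wlan_id: Wlan} from the 'wlan ...' lines of the dump."""
    wlans: dict[int, Wlan] = {}

    def get(wlan_id: str) -> Wlan:
        return wlans.setdefault(int(wlan_id), Wlan(int(wlan_id)))

    for line in dump.splitlines():
        p = shlex.split(line)            # keeps a quoted profile name in one token
        if len(p) < 3 or p[0] != "wlan":
            continue
        if p[1] == "create" and len(p) >= 5:   # wlan create <id> <profile> <ssid>
            w = get(p[2])
            w.profile, w.ssid = p[3], p[4]
        elif p[1] == "enable":
            get(p[2]).enabled = True
        elif p[1:3] == ["nac", "radius"]:
            get(p[4]).nac_radius = _flag(p[3])
        elif p[1] == "aaa-override":
            get(p[3]).aaa_override = _flag(p[2])
        elif p[1:3] == ["flexconnect", "local-switching"]:
            get(p[3]).local_switching = _flag(p[4])
        elif p[1:3] == ["security", "wpa"] and p[3] in ("enable", "disable"):
            get(p[4]).wpa = _flag(p[3])
        elif p[1:5] == ["security", "wpa", "akm", "802.1x"]:
            get(p[6]).dot1x_akm = _flag(p[5])
    return wlans


def ise_controlled(wlans: dict[int, Wlan]) -> list[int]:
    """WLANs whose lines show the full ISE hand-off: 802.1X AKM, NAC RADIUS and
    AAA override all explicitly enabled (the WLAN may still be administratively off)."""
    return sorted(i for i, w in wlans.items()
                  if w.dot1x_akm and w.nac_radius and w.aaa_override)


def review_items(wlans: dict[int, Wlan]) -> dict[int, list[str]]:
    """Per-WLAN points a reviewer would check; an empty list means nothing flagged."""
    items: dict[int, list[str]] = {}
    for i, w in sorted(wlans.items()):
        notes = []
        if w.wpa is False:
            notes.append("WPA explicitly disabled; the dump does not show what replaces it")
        if w.enabled and not w.dot1x_akm:
            notes.append("enabled without an explicit 802.1X AKM line")
        if w.enabled and not w.nac_radius:
            notes.append("enabled without NAC RADIUS (needed for the ISE CoA hand-off)")
        items[i] = notes
    return items
```

On the sample, ise_controlled returns [4, 11] (WLAN 11 has the ISE settings but no wlan enable line), WLAN 4 gets no review items, WLAN 1 is flagged only for the missing NAC RADIUS, and WLAN 2 is flagged for its explicit WPA disable and for lacking both 802.1X and NAC RADIUS lines. Feeding the full text of a saved dump to parse_wlans gives the same summary for every WLAN on the controller.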

Example: Corporate Anchor WLC Configuration

This example shows the Corporate Anchor WLC Configuration.
(Cisco Controller) >show run-config commands
802.11a 11nSupport a-mpdu tx scheduler enable
802.11a 11nSupport a-mpdu tx scheduler timeout rt 10
802.11a beacon range 0
802.11a rx-sop threshold auto default
802.11a cca threshold 0 default
802.11a multicast buffer 0
802.11a multicast data-rate 0 default
802.11a cac video cac-method static
802.11a channel global off
802.11a max-clients 200
802.11a txPower global 1
802.11a dfs-peakdetect enable
802.11b 11nSupport a-mpdu tx scheduler enable
802.11b 11nSupport a-mpdu tx scheduler timeout rt 10

802.11b beacon range 0
802.11b rx-sop threshold auto default
802.11b cca threshold 0 default
802.11b multicast buffer 0
802.11b multicast data-rate 0 default
802.11b cac video cac-method static
802.11b channel global off
802.11b max-clients 200
802.11b txPower global 1
aaa auth mgmt local radius
flexconnect fallback-radio-shut disable
acl create ACL_RDG_Only
acl apply ACL_RDG_Only
acl rule add ACL_RDG_Only 1
acl rule add ACL_RDG_Only 2
acl rule add ACL_RDG_Only 3
acl rule action ACL_RDG_Only 1 permit
acl rule action ACL_RDG_Only 2 permit
acl rule action ACL_RDG_Only 3 deny
acl rule destination address ACL_RDG_Only 1 10.1.2.3 255.255.255.255
acl rule destination address ACL_RDG_Only 2 0.0.0.0 0.0.0.0
acl rule destination address ACL_RDG_Only 3 0.0.0.0 0.0.0.0
acl rule destination port range ACL_RDG_Only 1 443 443
acl rule destination port range ACL_RDG_Only 2 0 65535
acl rule destination port range ACL_RDG_Only 3 0 65535
acl rule source address ACL_RDG_Only 1 0.0.0.0 0.0.0.0
acl rule source address ACL_RDG_Only 2 10.1.2.3 255.255.255.255
acl rule source address ACL_RDG_Only 3 0.0.0.0 0.0.0.0
acl rule source port range ACL_RDG_Only 1 0 65535
acl rule source port range ACL_RDG_Only 2 443 443
acl rule source port range ACL_RDG_Only 3 0 65535
acl rule direction ACL_RDG_Only 1 Any
acl rule direction ACL_RDG_Only 2 Any
acl rule direction ACL_RDG_Only 3 Any
acl rule dscp ACL_RDG_Only 1 Any
acl rule dscp ACL_RDG_Only 2 Any
acl rule dscp ACL_RDG_Only 3 Any
acl rule protocol ACL_RDG_Only 1 6
acl rule protocol ACL_RDG_Only 2 6
acl rule protocol ACL_RDG_Only 3 Any
acl apply ACL_RDG_Only
advanced 802.11a channel dca interval 0
advanced 802.11a channel dca anchor-time 0
advanced 802.11a channel dca chan-width-11n 20
advanced 802.11a channel dca sensitivity 15
advanced 802.11a channel dca min-metric -95

advanced 802.11a channel delete 20
advanced 802.11a channel delete 26
advanced 802.11a reporting neighbor 180
advanced 802.11a reporting interference 120
advanced 802.11b channel dca interval 0
advanced 802.11b channel dca anchor-time 0
advanced 802.11b channel dca sensitivity 10
advanced 802.11b channel dca min-metric -95
advanced 802.11b reporting neighbor 180
advanced 802.11b reporting interference 120
location info rogue extended
location rssi-half-life tags 0
location rssi-half-life client 0
location rssi-half-life rogue-aps 0
location expiry tags 5
location expiry client 5
location expiry calibrating-client 5

location expiry rogue-aps 5
advanced backup-controller primary
advanced backup-controller secondary
advanced backup-controller
advanced backup-controller
advanced sip-snooping-ports 0 0
advanced eap bcast-key-interval 3600
advanced 802.11-abgn pak-rssi-location threshold -100
advanced 802.11-abgn pak-rssi-location trigger-threshold 10
advanced 802.11-abgn pak-rssi-location reset-threshold 8
advanced 802.11-abgn pak-rssi-location ntp 10.13.15.241
advanced 802.11-abgn pak-rssi-location timeout 3
advanced hotspot cmbk-delay 50
ap syslog host global ::
ap dtls-cipher-suite RSA-AES128-SHA
cdp advertise-v2 enable
cts sxp disable
cts sxp connection default password ****
cts sxp retry period 120
cts sxp sxpversion 2
database size 2048
dhcp opt-82 remote-id ap-mac
local-auth method fast server-key ****
interface create corporate_employee_provisioning 182
interface create test 175
interface address dynamic-interface corporate_employee_provisioning 10.1.182.252 255.255.255.0 10.1.182.1
interface address management 10.1.3.78 255.255.255.0 10.1.3.1
interface address service-port 192.168.254.78 255.255.255.0
interface address dynamic-interface test 10.1.175.251 255.255.255.0 10.1.175.1
interface address virtual 1.1.1.1
interface dhcp dynamic-interface test primary 10.1.3.39
interface vlan corporate_employee_provisioning 182
interface vlan management 300
interface vlan test 175
interface nasid corporate_employee_provisioning
interface nasid test
interface port corporate_employee_provisioning 1
interface port management 1
interface port test 1
mdns snooping disable
mdns policy service-group create default-mdns-policy default-mdns-policy
mdns policy service-group user-role add default-mdns-policy admin
mdns profile create default-mdns-profile
mdns service create AirPrint _ipp._tcp.local. origin All LSS disable query enable
mdns service create AirTunes _raop._tcp.local. origin All LSS disable query enable
mdns service create AppleTV _airplay._tcp.local. origin All LSS disable query enable
mdns service create HP_Photosmart_Printer_1 _universal._sub._ipp._tcp.local. origin All LSS disable query enable
mdns service create HP_Photosmart_Printer_2 _cups._sub._ipp._tcp.local. origin All LSS disable query enable
mdns service create Printer _printer._tcp.local. origin All LSS disable query enable
mdns profile service add default-mdns-profile AirPrint
mdns profile service add default-mdns-profile AirTunes
mdns profile service add default-mdns-profile AppleTV
mdns profile service add default-mdns-profile HP_Photosmart_Printer_1
mdns profile service add default-mdns-profile HP_Photosmart_Printer_2
mdns profile service add default-mdns-profile Printer
mdns query interval 15
wlan mdns enable 6
wlan mdns profile 6 default-mdns-profile
ipv6 ra-guard ap enable
ipv6 capwap udplite enable all
ipv6 multicast mode unicast

load-balancing aggressive enable
load-balancing window 5
wlan apgroup add default-group
wlan apgroup add test test
wlan apgroup qinq tagging eap-sim-aka default-group enable
wlan apgroup qinq tagging eap-sim-aka test enable
wlan apgroup interface-mapping add default-group 6 corporate_employee_provisioning
wlan apgroup nac-snmp disable default-group 6
memory monitor errors enable
memory monitor leak thresholds 10000 30000
mesh security rad-mac-filter disable
mesh security rad-mac-filter disable
mesh security eap
mesh lsc advanced ap-provision open-window enable
mgmtuser add admin **** read-write
mobility group domain CPwE351
mobility group member add 3c:08:f6:cc:40:00 10.13.50.251 CPwE351
mobility group anchor add wlan 6 10.1.3.78
mobility group anchor add wlan 6
mobility dscp 0
network multicast igmp snooping enable
network multicast mld snooping enable
network ap-priority disabled
network web-auth captive-bypass enable
network rf-network-name CPwE351
network secureweb cipher-option rc4-preference disable
qos priority bronze background background background
qos priority gold video video video
qos priority platinum voice voice voice
qos priority silver besteffort besteffort besteffort
radius acct add 1 10.1.3.48 1813 ascii ****
radius acct add 2 10.13.48.32 1813 ascii ****
radius auth add 1 10.1.3.48 1812 ascii ****
radius auth add 2 10.13.48.32 1812 ascii ****
radius callStationIdType macaddr
radius auth callStationIdType ap-macaddr-ssid
radius auth rfc3576 enable 2
radius fallback-test mode off
radius fallback-test username cisco-probe
radius fallback-test interval 300
radius dns disable
tacacs dns disable
rogue detection report-interval 10
rogue detection min-rssi -128
rogue detection transient-rogue-interval 0
rogue detection client-threshold 0
rogue detection security-level custom
rogue ap ssid alarm
rogue ap valid-client alarm
rogue adhoc enable
rogue adhoc alert
rogue ap rldp disable
rogue auto-contain level 1
rogue containment flex-connect disable
rogue containment auto-rate disable
snmp version v2c enable
snmp version v3 enable
snmp snmpEngineId 00003763000036404e300d0a
snmp community ipsec ike auth-mode pre-shared-key ****
switchconfig strong-pwd case-check enabled
switchconfig strong-pwd consecutive-check enabled
switchconfig strong-pwd default-check enabled
switchconfig strong-pwd username-check enabled
switchconfig strong-pwd position-check disabled

switchconfig strong-pwd case-digit-check disabled
switchconfig strong-pwd minimum upper-case 0
switchconfig strong-pwd minimum lower-case 0
switchconfig strong-pwd minimum digits-chars 0
switchconfig strong-pwd minimum special-chars 0
switchconfig strong-pwd min-length 3
sysname WLC-Corporate-Anchor
stats-timer realtime 5
stats-timer normal 180
time ntp interval 3600
time ntp server 1 10.13.15.241
trapflags client nac-alert enable
trapflags ap ssidKeyConflict disable
trapflags ap timeSyncFailure disable
trapflags mfp disable
trapflags adjchannel-rogueap disable
trapflags mesh excessive hop count disable
trapflags mesh sec backhaul change disable
wlan create 6 Corporate_Employee_WLAN Corporate_Employee
wlan nac snmp disable 6
wlan nac radius enable 6
wlan interface 6 corporate_employee_provisioning
wlan multicast interface 6 disable
wlan aaa-override enable 6
wlan band-select allow disable 6
wlan load-balance allow disable 6
wlan multicast buffer disable 0 6
wlan session-timeout 6 1800
wlan flexconnect local-switching 6 disable
wlan flexconnect learn-ipaddr 6 enable
wlan radius_server auth add 6 2
wlan security splash-page-web-redir disable 6
wlan user-idle-threshold 70 6
wlan security web-auth server-precedence 6 radius
wlan security wpa akm 802.1x enable 6
wlan security wpa akm cckm timestamp-tolerance 1000 6
wlan security ft over-the-ds disable 6
wlan security wpa gtk-random disable 6
wlan security pmf association-comeback 1 6
wlan security pmf saquery-retrytimeout 200 6
wlan profiling radius dhcp disable 6
wlan profiling radius http disable 6
wlan apgroup hotspot venue type test 0 0
wlan enable 6
license boot base
WMM-AC disabled
coredump disable
media-stream multicast-direct disable
media-stream message url
media-stream message email
media-stream message phone
media-stream message note denial
media-stream message state disable
802.11a media-stream multicast-direct enable
802.11b media-stream multicast-direct enable
802.11a media-stream multicast-direct radio-maximum 0
802.11b media-stream multicast-direct radio-maximum 0
802.11a media-stream multicast-direct client-maximum 0
802.11b media-stream multicast-direct client-maximum 0
802.11a media-stream multicast-direct admission-besteffort disable
802.11b media-stream multicast-direct admission-besteffort disable
802.11a media-stream video-redirect enable

802.11b media-stream video-redirect enable
ipv6 neighbor-binding timers reachable-lifetime 300
ipv6 neighbor-binding timers stale-lifetime 86400
ipv6 neighbor-binding timers down-lifetime 30
ipv6 neighbor-binding ra-throttle disable
ipv6 neighbor-binding ra-throttle allow at-least 1 at-most 1
ipv6 neighbor-binding ra-throttle max-through 10
ipv6 neighbor-binding ra-throttle throttle-period 600
ipv6 neighbor-binding ra-throttle interval-option passthrough
ipv6 ns-mcast-fwd disable
ipv6 na-mcast-fwd enable
ipv6 enable
nmheartbeat disable
ipv6 slaac service-port disable
sys-nas Cisco_31:36:44
(Cisco Controller) >

Example: Trusted Partner Anchor WLC Configuration
This example shows the Trusted Partner Anchor WLC configuration.
(Cisco Controller) >show run-config commands
802.11a 11nSupport a-mpdu tx scheduler enable
802.11a 11nSupport a-mpdu tx scheduler timeout rt 10
802.11a beacon range 0
802.11a rx-sop threshold auto default
802.11a cca threshold 0 default
802.11a multicast buffer 0
802.11a multicast data-rate 0 default
802.11a cac video cac-method static
802.11a channel global off
802.11a max-clients 200
802.11a txPower global 1
802.11a cleanair device enable radar
802.11a dfs-peakdetect enable
802.11b 11nSupport a-mpdu tx scheduler enable
802.11b 11nSupport a-mpdu tx scheduler timeout rt 10
802.11b beacon range 0
802.11b rx-sop threshold auto default
802.11b cca threshold 0 default
802.11b multicast buffer 0
802.11b multicast data-rate 0 default
802.11b cac video cac-method static
802.11b channel global off
802.11b max-clients 200
802.11b txPower global 1

aaa auth mgmt local radius


flexconnect fallback-radio-shut disable

acl create ACL_RDG_Only


acl apply ACL_RDG_Only
acl rule add ACL_RDG_Only 1
acl rule add ACL_RDG_Only 2
acl rule add ACL_RDG_Only 3
acl rule add ACL_RDG_Only 4
acl rule action ACL_RDG_Only 1 permit
acl rule action ACL_RDG_Only 2 permit
acl rule action ACL_RDG_Only 3 permit
acl rule action ACL_RDG_Only 4 deny

acl rule destination address ACL_RDG_Only 1 0.0.0.0 0.0.0.0


acl rule destination address ACL_RDG_Only 2 10.1.2.3 255.255.255.255
acl rule destination address ACL_RDG_Only 3 0.0.0.0 0.0.0.0
acl rule destination address ACL_RDG_Only 4 0.0.0.0 0.0.0.0
acl rule destination port range ACL_RDG_Only 1 0 65535
acl rule destination port range ACL_RDG_Only 2 0 65535
acl rule destination port range ACL_RDG_Only 3 0 65535
acl rule destination port range ACL_RDG_Only 4 0 65535
acl rule source address ACL_RDG_Only 1 0.0.0.0 0.0.0.0
acl rule source address ACL_RDG_Only 2 0.0.0.0 0.0.0.0
acl rule source address ACL_RDG_Only 3 10.1.2.3 255.255.255.255
acl rule source address ACL_RDG_Only 4 0.0.0.0 0.0.0.0
acl rule source port range ACL_RDG_Only 1 0 65535
acl rule source port range ACL_RDG_Only 2 0 65535
acl rule source port range ACL_RDG_Only 3 0 65535
acl rule source port range ACL_RDG_Only 4 0 65535
acl rule direction ACL_RDG_Only 1 Any
acl rule direction ACL_RDG_Only 2 Any
acl rule direction ACL_RDG_Only 3 Any
acl rule direction ACL_RDG_Only 4 Any
acl rule dscp ACL_RDG_Only 1 Any
acl rule dscp ACL_RDG_Only 2 Any
acl rule dscp ACL_RDG_Only 3 Any
acl rule dscp ACL_RDG_Only 4 Any
acl rule protocol ACL_RDG_Only 1 Any
acl rule protocol ACL_RDG_Only 2 Any
acl rule protocol ACL_RDG_Only 3 Any
acl rule protocol ACL_RDG_Only 4 Any
acl apply ACL_RDG_Only

advanced 802.11a channel dca interval 0


advanced 802.11a channel dca anchor-time 0
advanced 802.11a channel dca chan-width-11n 20
advanced 802.11a channel dca sensitivity 15
advanced 802.11a channel dca min-metric -95
advanced 802.11a channel delete 20
advanced 802.11a channel delete 26
advanced 802.11a reporting neighbor 180
advanced 802.11a reporting interference 120
advanced 802.11b channel dca interval 0
advanced 802.11b channel dca anchor-time 0
advanced 802.11b channel dca sensitivity 10
advanced 802.11b channel dca min-metric -95
advanced 802.11b reporting neighbor 180
advanced 802.11b reporting interference 120
location info rogue extended

location rssi-half-life tags 0


location rssi-half-life client 0
location rssi-half-life rogue-aps 0
location expiry tags 5
location expiry client 5
location expiry calibrating-client 5
location expiry rogue-aps 5

advanced backup-controller primary


advanced backup-controller secondary
advanced backup-controller
advanced backup-controller

advanced sip-snooping-ports 0 0
advanced eap bcast-key-interval 3600
advanced 802.11-abgn pak-rssi-location threshold -100
advanced 802.11-abgn pak-rssi-location trigger-threshold 10

advanced 802.11-abgn pak-rssi-location reset-threshold 8


advanced 802.11-abgn pak-rssi-location ntp 10.13.15.241
advanced 802.11-abgn pak-rssi-location timeout 3
advanced hotspot cmbk-delay 50

ap syslog host global ::


ap dtls-cipher-suite RSA-AES128-SHA

cdp advertise-v2 enable


cts sxp disable
cts sxp connection default password ****
cts sxp retry period 120
cts sxp sxpversion 2
database size 2048

dhcp opt-82 remote-id ap-mac


local-auth method fast server-key ****

interface create dhcp_test 175


interface create trusted_partners_provisioning 183
interface address dynamic-interface dhcp_test 10.1.175.252 255.255.255.0 10.1.175.1
interface address management 10.1.4.77 255.255.255.0 10.1.4.1
interface address service-port 192.168.254.77 255.255.255.0
interface address dynamic-interface trusted_partners_provisioning 10.1.183.252 255.255.255.0 10.1.183.1
interface address virtual 1.1.1.1
interface dhcp management primary 10.1.3.1
interface dhcp management option-82 enable
interface vlan dhcp_test 175
interface vlan management 400
interface vlan trusted_partners_provisioning 183
interface nasid dhcp_test
interface nasid trusted_partners_provisioning
interface port dhcp_test 1
interface port management 1
interface port trusted_partners_provisioning 1

mdns snooping disable


mdns policy service-group create default-mdns-policy default-mdns-policy
mdns policy service-group user-role add default-mdns-policy admin
mdns profile create default-mdns-profile
mdns service create AirPrint _ipp._tcp.local. origin All LSS disable query enable
mdns service create AirTunes _raop._tcp.local. origin All LSS disable query enable
mdns service create AppleTV _airplay._tcp.local. origin All LSS disable query enable
mdns service create HP_Photosmart_Printer_1 _universal._sub._ipp._tcp.local. origin All LSS disable query enable
mdns service create HP_Photosmart_Printer_2 _cups._sub._ipp._tcp.local. origin All LSS disable query enable
mdns service create Printer _printer._tcp.local. origin All LSS disable query enable
mdns profile service add default-mdns-profile AirPrint
mdns profile service add default-mdns-profile AirTunes
mdns profile service add default-mdns-profile AppleTV
mdns profile service add default-mdns-profile HP_Photosmart_Printer_1
mdns profile service add default-mdns-profile HP_Photosmart_Printer_2
mdns profile service add default-mdns-profile Printer
mdns query interval 15

wlan mdns enable 4


wlan mdns profile 4 default-mdns-profile

ipv6 ra-guard ap enable


ipv6 capwap udplite enable all
ipv6 multicast mode unicast

load-balancing aggressive enable


load-balancing window 5

wlan apgroup add Dhcp_guest "for testing"


wlan apgroup add default-group
wlan apgroup qinq tagging eap-sim-aka Dhcp_guest enable
wlan apgroup qinq tagging eap-sim-aka default-group enable
wlan apgroup interface-mapping add default-group 4 trusted_partners_provisioning
wlan apgroup nac-snmp disable default-group 4

memory monitor errors enable


memory monitor leak thresholds 10000 30000

mesh security rad-mac-filter disable


mesh security rad-mac-filter disable
mesh security eap
mesh lsc advanced ap-provision open-window enable
mgmtuser add admin **** read-write

mobility group domain CPwE351


mobility group member add 3c:08:f6:cc:40:00 10.13.50.251 CPwE351
mobility dscp 0

network multicast igmp snooping enable


network multicast mld snooping enable
network ap-priority disabled
network web-auth captive-bypass enable
network fast-ssid-change enable
network rf-network-name CPwE351
network secureweb cipher-option rc4-preference disable

qos priority bronze background background background


qos priority gold video video video
qos priority platinum voice voice voice
qos priority silver besteffort besteffort besteffort

radius acct add 1 10.1.3.48 1813 ascii ****


radius acct add 2 10.13.48.32 1813 ascii ****
radius auth add 1 10.1.3.48 1812 ascii ****
radius auth add 2 10.13.48.32 1812 ascii ****
radius callStationIdType macaddr
radius auth callStationIdType ap-macaddr-ssid
radius auth rfc3576 enable 1
radius fallback-test mode off
radius fallback-test username cisco-probe
radius fallback-test interval 300
radius dns disable
tacacs dns disable

rogue detection report-interval 10


rogue detection min-rssi -128
rogue detection transient-rogue-interval 0
rogue detection client-threshold 0
rogue detection security-level custom
rogue ap ssid alarm
rogue ap valid-client alarm
rogue adhoc enable
rogue adhoc alert
rogue ap rldp disable
rogue auto-contain level 1
rogue containment flex-connect disable
rogue containment auto-rate disable
snmp version v2c enable

snmp version v3 enable


snmp snmpEngineId 0000376300000ea04d04010a
snmp community ipsec ike auth-mode pre-shared-key ****

switchconfig strong-pwd case-check enabled

switchconfig strong-pwd consecutive-check enabled


switchconfig strong-pwd default-check enabled
switchconfig strong-pwd username-check enabled

switchconfig strong-pwd position-check disabled


switchconfig strong-pwd case-digit-check disabled
switchconfig strong-pwd minimum upper-case 0
switchconfig strong-pwd minimum lower-case 0
switchconfig strong-pwd minimum digits-chars 0
switchconfig strong-pwd minimum special-chars 0
switchconfig strong-pwd min-length 3
sysname WLC-Guest-Anchor
stats-timer realtime 5
stats-timer normal 180
time ntp interval 3600

time ntp server 1 10.13.15.241


trapflags client nac-alert enable
trapflags ap ssidKeyConflict disable
trapflags ap timeSyncFailure disable
trapflags mfp disable

trapflags adjchannel-rogueap disable


trapflags mesh excessive hop count disable
trapflags mesh sec backhaul change disable
wlan create 4 Trusted_Partners_WLAN Trusted_Partners
wlan nac snmp disable 4

wlan nac radius enable 4


wlan interface 4 trusted_partners_provisioning
wlan multicast interface 4 disable
wlan aaa-override enable 4
wlan band-select allow disable 4
wlan load-balance allow disable 4

wlan multicast buffer disable 0 4


wlan session-timeout 4 1800
wlan flexconnect local-switching 4 disable
wlan flexconnect learn-ipaddr 4 enable
wlan radius_server auth add 4 2
wlan security splash-page-web-redir disable 4
wlan user-idle-threshold 70 4
wlan security wpa akm 802.1x enable 4
wlan security wpa akm cckm timestamp-tolerance 1000 4
wlan security ft over-the-ds disable 4
wlan security wpa gtk-random disable 4
wlan security pmf association-comeback 1 4
wlan security pmf saquery-retrytimeout 200 4
wlan profiling radius dhcp disable 4
wlan profiling radius http disable 4
wlan apgroup hotspot venue type Dhcp_guest 0 0
wlan enable 4
license boot base
WMM-AC disabled

coredump disable

media-stream multicast-direct disable


media-stream message url
media-stream message email
media-stream message phone

media-stream message note denial


media-stream message state disable

802.11a media-stream multicast-direct enable


802.11b media-stream multicast-direct enable

802.11a media-stream multicast-direct radio-maximum 0


802.11b media-stream multicast-direct radio-maximum 0

802.11a media-stream multicast-direct client-maximum 0


802.11b media-stream multicast-direct client-maximum 0

802.11a media-stream multicast-direct admission-besteffort disable


802.11b media-stream multicast-direct admission-besteffort disable

802.11a media-stream video-redirect enable


802.11b media-stream video-redirect enable

ipv6 neighbor-binding timers reachable-lifetime 300


ipv6 neighbor-binding timers stale-lifetime 86400
ipv6 neighbor-binding timers down-lifetime 30
ipv6 neighbor-binding ra-throttle disable
ipv6 neighbor-binding ra-throttle allow at-least 1 at-most 1
ipv6 neighbor-binding ra-throttle max-through 10
ipv6 neighbor-binding ra-throttle throttle-period 600
ipv6 neighbor-binding ra-throttle interval-option passthrough
ipv6 ns-mcast-fwd disable
ipv6 na-mcast-fwd enable
ipv6 enable

nmheartbeat disable
ipv6 slaac service-port disable
sys-nas Cisco_5f:0e:a4

(Cisco Controller) >
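The ACL_RDG_Only rules in the listing above are evaluated by the controller in sequence order, first match wins. The Python below is an added example written for this page, not Cisco's or Rockwell Automation's code: it encodes the four rules exactly as listed (direction and DSCP, both "Any" on the page, are omitted), evaluates constructed sample flows against them, and reports rules that an earlier rule shadows. The sample client address 10.1.183.50 is a constructed host on the trusted_partners_provisioning subnet; 10.1.2.3 is the host from the listing. The function names and the rule-free variant WITHOUT_RULE_1 are this example's own.

```python
"""Added example (not from the CPwE guide): first-match evaluation and
shadowing check for the WLC ACL_RDG_Only rules listed above."""
from dataclasses import dataclass
from ipaddress import IPv4Address


def _ip(text):
    return int(IPv4Address(text))


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str                      # "permit" or "deny"
    src: str                         # "<address> <mask>" as typed on the WLC CLI
    dst: str
    src_ports: tuple = (0, 65535)    # "port range <lo> <hi>" on the WLC CLI
    dst_ports: tuple = (0, 65535)
    protocol: str = "Any"


def _addr_matches(spec, addr):
    """WLC mask semantics: 0.0.0.0 matches any host, 255.255.255.255 one host."""
    base, mask = spec.split()
    return (_ip(addr) & _ip(mask)) == (_ip(base) & _ip(mask))


def _spec_covers(outer, inner):
    """True when every address matched by 'inner' is also matched by 'outer'."""
    ob, om = (_ip(x) for x in outer.split())
    ib, im = (_ip(x) for x in inner.split())
    return (om & im) == om and (ob & om) == (ib & om)


def _range_covers(outer, inner):
    return outer[0] <= inner[0] and outer[1] >= inner[1]


def evaluate(rules, src, dst, sport, dport, proto):
    """Return (sequence number, action) of the first rule matching the flow,
    or (None, 'deny') for the controller's implicit deny at the end."""
    for r in sorted(rules, key=lambda r: r.seq):
        if (_addr_matches(r.src, src) and _addr_matches(r.dst, dst)
                and r.src_ports[0] <= sport <= r.src_ports[1]
                and r.dst_ports[0] <= dport <= r.dst_ports[1]
                and r.protocol in ("Any", proto)):
            return r.seq, r.action
    return None, "deny"


def shadowed_rules(rules):
    """Sequence numbers of rules that can never match because an earlier rule
    already covers every flow they would match (whatever its action)."""
    ordered = sorted(rules, key=lambda r: r.seq)
    shadowed = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if (_spec_covers(earlier.src, later.src)
                    and _spec_covers(earlier.dst, later.dst)
                    and _range_covers(earlier.src_ports, later.src_ports)
                    and _range_covers(earlier.dst_ports, later.dst_ports)
                    and earlier.protocol in ("Any", later.protocol)):
                shadowed.append(later.seq)
                break
    return shadowed


# The four rules exactly as listed in the Trusted Partner Anchor WLC
# configuration ("0.0.0.0 0.0.0.0" is the controller's "any").
ANY = "0.0.0.0 0.0.0.0"
HOST = "10.1.2.3 255.255.255.255"
ACL_RDG_ONLY = [
    Rule(1, "permit", ANY, ANY),
    Rule(2, "permit", ANY, HOST),
    Rule(3, "permit", HOST, ANY),
    Rule(4, "deny", ANY, ANY),
]

# Hypothetical ordering with rule 1 removed (not the guide's configuration),
# used only to show how the evaluator behaves once the wildcard permit no
# longer comes first.
WITHOUT_RULE_1 = [r for r in ACL_RDG_ONLY if r.seq != 1]

if __name__ == "__main__":
    client = "10.1.183.50"  # constructed host on the trusted_partners_provisioning subnet
    for label, acl in (("as listed", ACL_RDG_ONLY), ("without rule 1", WITHOUT_RULE_1)):
        print(label, "->", evaluate(acl, client, "10.1.2.3", 40000, 3389, "tcp"),
              evaluate(acl, client, "10.9.9.9", 40000, 80, "tcp"),
              "shadowed:", shadowed_rules(acl))
```

Because rule 1 as listed carries wildcard source and destination, it matches every flow and rules 2 to 4 are never consulted; shadowed_rules() makes that visible. With rule 1 left out, rules 2 and 3 permit traffic to and from 10.1.2.3 and rule 4 denies everything else, so confirming the intended rule order on the controller is the check to run when reviewing this ACL.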

Example: IES Access Switch Configuration


This example shows the IES access switch configuration.
Current configuration : 13499 bytes
!
! Last configuration change at 12:14:08 EDT Tue May 12 2015
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname <host name>
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$SN29$HqWnhKsfLDJFuOkEvtBLZ1
!
username <name> password <password>
aaa new-model
!
!

aaa group server tacacs+ TACACS-SERVERS


server name TACACS-SERVER-1
!
aaa authentication login default group TACACS-SERVERS local
aaa authentication dot1x default group radius
aaa authorization console
aaa authorization exec default group TACACS-SERVERS local
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
!
!
!
!
!
aaa session-id common
clock timezone EST -5 0
clock summer-time EDT recurring
system mtu routing 1500
!
!
ip domain-name cpwe-ra-cisco.local
ip name-server 10.13.48.26
ptp mode forward
rep admin vlan 800
vtp domain CPwE350
vtp mode transparent
!
!
!
!
!
!
mls qos map policed-dscp 24 27 31 43 46 47 55 59 to 0
mls qos map dscp-cos 9 11 12 13 14 15 to 0
mls qos map dscp-cos 25 26 28 29 30 to 2
mls qos map dscp-cos 40 41 42 44 45 49 50 51 to 4
mls qos map dscp-cos 52 53 54 56 57 58 60 61 to 4
mls qos map dscp-cos 62 63 to 4
mls qos map cos-dscp 0 8 16 27 32 47 55 59
mls qos srr-queue input bandwidth 40 60
mls qos srr-queue input threshold 1 16 66
mls qos srr-queue input threshold 2 34 66
mls qos srr-queue input buffers 40 60
mls qos srr-queue input cos-map queue 1 threshold 2 1
mls qos srr-queue input cos-map queue 1 threshold 3 0 2
mls qos srr-queue input cos-map queue 2 threshold 2 4
mls qos srr-queue input cos-map queue 2 threshold 3 3 5 6 7
mls qos srr-queue input dscp-map queue 1 threshold 2 8 10
mls qos srr-queue input dscp-map queue 1 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue input dscp-map queue 1 threshold 3 9 11 12 13 14 15 16 17
mls qos srr-queue input dscp-map queue 1 threshold 3 18 19 20 21 22 23 25 26
mls qos srr-queue input dscp-map queue 1 threshold 3 28 29 30
mls qos srr-queue input dscp-map queue 2 threshold 2 32 33 34 35 36 37 38 39
mls qos srr-queue input dscp-map queue 2 threshold 2 40 41 42 44 45 49 50 51
mls qos srr-queue input dscp-map queue 2 threshold 2 52 53 54 56 57 58 60 61
mls qos srr-queue input dscp-map queue 2 threshold 2 62 63
mls qos srr-queue input dscp-map queue 2 threshold 3 24 27 31 43 46 47 48 55
mls qos srr-queue input dscp-map queue 2 threshold 3 59
mls qos srr-queue output cos-map queue 1 threshold 3 7
mls qos srr-queue output cos-map queue 2 threshold 2 1
mls qos srr-queue output cos-map queue 2 threshold 3 0 2 4
mls qos srr-queue output cos-map queue 3 threshold 3 5 6
mls qos srr-queue output cos-map queue 4 threshold 3 3

mls qos srr-queue output dscp-map queue 1 threshold 3 59


mls qos srr-queue output dscp-map queue 2 threshold 2 8 10
mls qos srr-queue output dscp-map queue 2 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue output dscp-map queue 2 threshold 3 9 11 12 13 14 15 16 17
mls qos srr-queue output dscp-map queue 2 threshold 3 18 19 20 21 22 23 25 26
mls qos srr-queue output dscp-map queue 2 threshold 3 28 29 30 32 33 34 35 36
mls qos srr-queue output dscp-map queue 2 threshold 3 37 38 39 40 41 42 44 45
mls qos srr-queue output dscp-map queue 2 threshold 3 49 50 51 52 53 54 56 57
mls qos srr-queue output dscp-map queue 2 threshold 3 58 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 43 46 47 48 55
mls qos srr-queue output dscp-map queue 4 threshold 3 24 27 31
mls qos queue-set output 1 buffers 10 25 40 25
mls qos queue-set output 2 buffers 10 25 40 25
no mls qos rewrite ip dscp
mls qos
!
crypto pki trustpoint TP-self-signed-4135611392
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4135611392
revocation-check none
rsakeypair TP-self-signed-4135611392
!
crypto pki trustpoint cpwe3.5.1
enrollment terminal pem
serial-number
ip-address 10.40.93.140
revocation-check none
rsakeypair cpwe3.5.1 2048
!
!
crypto pki certificate chain TP-self-signed-4135611392
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34313335 36313133 3932301E 170D3933 30333037 31383432
35305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 31333536
31313339 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100F311 7892A43E A35B223A AC4F7A0C B9288D57 D42123DC E196E556 62B00B33
CCCF69EB E5FC529A 0310BDFA D4364872 C0C0BA77 31AC8913 FFAB5D72 BAC598FE
B69B3AAC 4EDF62E1 8DCCFBB3 809E50DC 41682755 2B33DCBD F39982F3 511B0E07
154A4C14 E93D9515 0050D57E 5A20DB14 61C8EC7C DF6C0AF4 2DBDA1E4 7B4AEB99
B2A70203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 14B34BD0 03099694 FA195936 D9D9F656 F866F155 A3301D06
03551D0E 04160414 B34BD003 099694FA 195936D9 D9F656F8 66F155A3 300D0609
2A864886 F70D0101 05050003 81810006 62D8E503 7D54DAEA 94F4E3B4 91A5DF3F
7DB0C50F 507CE257 5DA794A5 DA7E3ECE 2CAA15CF 690989C3 EB80741F 432FE0DB
992981F1 69C45FC7 4CC62651 AEB193B5 C5618FBA 8FC8A7CF ED34EB2F 7F32E055
5EE69EAF 098F7304 6228B6CB C1DCE037 EAF63D01 5967B9D2 33DF56AD 15E26404
2F53CE37 AD06F88D 8899BEE2 E7E6DA
quit
crypto pki certificate chain cpwe3.5.1
certificate ca 69A16061433F31A64F68B1C00B20E117
30820377 3082025F A0030201 02021069 A1606143 3F31A64F 68B1C00B 20E11730
0D06092A 864886F7 0D010105 0500304E 31153013 060A0992 268993F2 2C640119
16056C6F 63616C31 1D301B06 0A099226 8993F22C 64011916 0D637077 652D7261
2D636973 636F3116 30140603 55040313 0D456E74 65727072 6973652D 4341301E
170D3135 30313235 30343236 34375A17 0D323530 31323530 34333634 365A304E
31153013 060A0992 268993F2 2C640119 16056C6F 63616C31 1D301B06 0A099226
8993F22C 64011916 0D637077 652D7261 2D636973 636F3116 30140603 55040313
0D456E74 65727072 6973652D 43413082 0122300D 06092A86 4886F70D 01010105
00038201 0F003082 010A0282 010100F9 3A9722D0 E315CFBA 66DC81D4 98475082
B9A74635 EB55E224 7E91F275 094B5D5E B21BD188 5AA65F02 86C7F7A9 9AFB4E2E
1F41929D DA61C310 AC3BA341 CFAA6FE1 C84E5EEC BFA94A3C F6DE4EFB 46E50AF9

FA8B7E74 16E3A4C8 B4E6F739 DCA30039 D9350B39 842AFFA2 91F51795 9C151D7F


1CF0F2D9 52C8ABFB 0D2ED403 92599E18 E19329F6 7F89910E F0F43185 A5DCD350
5225362D 1A26581A D1C5E789 162436B3 38282A22 1DDF6AB5 90BF181E 782DAD70
B183A46A 7FDBE1AC CBB243E9 CD5E5FCA DCD9F3AC 4FBC503F 78D9678D B5E1FD55
3C2AE97B CF663556 5F2D68D2 204DCF4C 44754097 AC34379A 9B7518BC FE91FB9A
D5A92386 181EDAB5 D357E0EE 46057B02 03010001 A351304F 300B0603 551D0F04
04030201 86300F06 03551D13 0101FF04 05300301 01FF301D 0603551D 0E041604
145F61A9 C1FB4AAA 340A1428 2C810F91 3B776282 A3301006 092B0601 04018237
15010403 02010030 0D06092A 864886F7 0D010105 05000382 010100EE 999B576C
6D6C230A E02AB9FC 289D0A1B 0586E27D F403C16E AA225024 3171C570 CB36DFE9
E64AF66A CDA503A7 AF8A6ABF 6721C589 FA87B0A1 D47C6B48 1F43E881 68151780
DA3E727E 3E61E5DF 181BA638 91DB349C 8C1801C3 93206B75 73B8E22A 754D4A13
C5547B0C 6EA73D56 090FDF73 5B421975 B68A3236 B7866610 DA8F3DFF 5C067572
D2A218C7 57AF236E BF7E1899 1DCB82EB F5D39513 BE617CCA 4B2D36F3 8793CBB3
FC5FA518 4926A8CC 2A3EA1DA 50FFC26E EF5DFC95 258D81D6 EB0D19B8 9982B378
CF710E18 2E92E216 4ECEC790 057EAD68 E73645DF B3349646 1220FB46 A9CBBD61
E0DDA035 671BF89E FB352AF2 0AC8EF82 095BBBF2 77E51645 2CA0FB
quit
dot1x system-auth-control
spanning-tree mode pvst
spanning-tree extend system-id
!
alarm profile defaultPort
alarm not-operating
syslog not-operating
notifies not-operating
!
!
vlan internal allocation policy ascending
!
vlan 148,181-186
!
vlan 200
name REP#1
!
vlan 351
name default VLAN for convenience port
!
vlan 800
name Native-Vlan
!
vlan 4093
name RADIUS
!
lldp run
!
class-map match-all 1588-PTP-General
match access-group 107
class-map match-all 1588-PTP-Event
match access-group 106
class-map match-all CIP-Implicit_dscp_any
match access-group 104
class-map match-all CIP-Other
match access-group 105
class-map match-all voip-data
match ip dscp ef
class-map match-all voip-control
match ip dscp cs3 af31
class-map match-all default-data
match access-group name default-data-acl
class-map match-all CIP-Implicit_dscp_43
match access-group 103
class-map match-all CIP-Implicit_dscp_55
match access-group 101

class-map match-all CIP-Implicit_dscp_47


match access-group 102
!
policy-map Voice-Map
class voip-data
set dscp ef
police 128000 8000 exceed-action policed-dscp-transmit
class voip-control
set dscp cs3
police 32000 8000 exceed-action policed-dscp-transmit
class default-data
set dscp default
police 10000000 8000 exceed-action policed-dscp-transmit
policy-map CIP-PTP-Traffic
class CIP-Implicit_dscp_55
set ip dscp 55
class CIP-Implicit_dscp_47
set ip dscp 47
class CIP-Implicit_dscp_43
set ip dscp 43
class CIP-Implicit_dscp_any
set ip dscp 31
class CIP-Other
set ip dscp 27
class 1588-PTP-Event
set ip dscp 59
class 1588-PTP-General
set ip dscp 47
!
!
!
!
!
!
interface FastEthernet1/1
!
interface FastEthernet1/2
!
interface FastEthernet1/3
!
interface FastEthernet1/4
description convenience port
switchport access vlan 351
switchport mode access
ip access-group ACL-DEFAULT in
authentication host-mode multi-host
authentication order dot1x
authentication priority dot1x
authentication port-control auto
authentication violation restrict
dot1x pae authenticator
dot1x timeout tx-period 3
!
interface FastEthernet1/5
!
interface FastEthernet1/6
!
interface FastEthernet1/7
!
interface FastEthernet1/8
!
interface FastEthernet1/9
description to IACS CLX_B09 temp
switchport access vlan 200

switchport mode access


load-interval 30
srr-queue bandwidth share 1 19 40 40
priority-queue out
service-policy input CIP-PTP-Traffic
!
interface FastEthernet1/10
description to IACS PIO_09 temp
switchport access vlan 200
switchport mode access
load-interval 30
srr-queue bandwidth share 1 19 40 40
priority-queue out
service-policy input CIP-PTP-Traffic
!
interface FastEthernet1/11
description to IACS CLX_B10 temp
switchport access vlan 200
switchport mode access
load-interval 30
srr-queue bandwidth share 1 19 40 40
priority-queue out
service-policy input CIP-PTP-Traffic
!
interface FastEthernet1/12
description to IACS PIO_10 temp
switchport access vlan 200
switchport mode access
load-interval 30
srr-queue bandwidth share 1 19 40 40
priority-queue out
service-policy input CIP-PTP-Traffic
!
interface FastEthernet1/13
!
interface FastEthernet1/14
!
interface FastEthernet1/15
!
interface FastEthernet1/16
!
interface GigabitEthernet1/1
description to WS3750-Ring int gi 2/1/1
switchport trunk native vlan 800
switchport trunk allowed vlan 148,181-186,200,351,800,4093
switchport mode trunk
load-interval 30
srr-queue bandwidth share 1 19 40 40
priority-queue out
rep segment 200
mls qos trust cos
!
interface GigabitEthernet1/2
description trunk uplink interface
switchport trunk native vlan 800
switchport trunk allowed vlan 148,181-186,200,351,800,4093
switchport mode trunk
load-interval 30
srr-queue bandwidth share 1 19 40 40
priority-queue out
rep segment 200
mls qos trust cos
!
interface Vlan1

no ip address
!
interface Vlan148
ip address 10.13.51.6 255.255.255.0
ip helper-address 10.13.48.26
!
interface Vlan181
ip address 10.20.181.6 255.255.255.0
ip helper-address 10.13.48.26
!
interface Vlan182
ip address 10.20.182.6 255.255.255.0
ip helper-address 10.13.48.26
!
interface Vlan183
ip address 10.20.183.6 255.255.255.0
ip helper-address 10.13.48.26
!
interface Vlan184
ip address 10.20.184.6 255.255.255.0
ip helper-address 10.13.48.26
!
interface Vlan185
ip address 10.20.185.6 255.255.255.0
ip helper-address 10.13.48.26
!
interface Vlan186
ip address 10.20.186.6 255.255.255.0
ip helper-address 10.13.48.26
!
interface Vlan200
ip address 10.20.10.6 255.255.255.0
!
interface Vlan4093
ip address 10.40.93.140 255.255.255.0
!
ip default-gateway 10.40.93.1
ip http server
ip http secure-server
!
ip access-list extended ACL-DEFAULT
permit udp any eq bootpc any eq bootps log
permit udp any host 10.13.48.26 eq domain
permit icmp any any
permit udp any any eq tftp
permit ip any any log
ip radius source-interface Vlan4093
access-list 101 permit udp any eq 2222 any dscp 55
access-list 102 permit udp any eq 2222 any dscp 47
access-list 103 permit udp any eq 2222 any dscp 43
access-list 104 permit udp any eq 2222 any
access-list 105 permit udp any eq 44818 any
access-list 105 permit tcp any eq 44818 any
access-list 106 permit udp any eq 319 any
access-list 107 permit udp any eq 320 any
snmp-server enable traps rep
tacacs server TACACS-SERVER-1
address ipv4 192.168.254.24
key 7 01200307490E12242455
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
!

radius server ISE


address ipv4 10.13.48.32 auth-port 1812 acct-port 1813
timeout 5
retransmit 3
key 7 106D580A061843595F
!
line con 0
line vty 0 4
exec-timeout 0 0
transport preferred none
transport input ssh
line vty 5 15
exec-timeout 0 0
transport preferred none
transport input ssh
!
ntp server 10.13.15.254
end
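In the switch configuration above, the 802.1X dependencies are spread across the global AAA lines, the radius server block and the per-port authentication commands on the convenience port. The Python below is an added example, not part of the guide or of Cisco IOS tooling: it parses "show running-config" text into top-level lines and indented blocks and audits the settings the example relies on, run over a constructed excerpt of the listing (re-indented as IOS prints it, RADIUS key replaced with a placeholder). The function names parse_config and audit and the lists of required lines are this example's own choices.

```python
"""Added example (not from the CPwE guide): audit an IOS-style IES access
switch configuration for the 802.1X/AAA settings the example relies on."""

# Constructed excerpt of the guide's IES access switch example, re-indented
# the way 'show running-config' prints it (one space for block sub-lines);
# the RADIUS key is a placeholder.
SAMPLE_CONFIG = """\
aaa new-model
!
aaa group server tacacs+ TACACS-SERVERS
 server name TACACS-SERVER-1
!
aaa authentication login default group TACACS-SERVERS local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
dot1x system-auth-control
!
interface FastEthernet1/4
 description convenience port
 switchport access vlan 351
 switchport mode access
 ip access-group ACL-DEFAULT in
 authentication host-mode multi-host
 authentication order dot1x
 authentication priority dot1x
 authentication port-control auto
 authentication violation restrict
 dot1x pae authenticator
 dot1x timeout tx-period 3
!
interface FastEthernet1/9
 description to IACS CLX_B09 temp
 switchport access vlan 200
 switchport mode access
!
interface GigabitEthernet1/1
 switchport trunk native vlan 800
 switchport mode trunk
!
ip radius source-interface Vlan4093
radius server ISE
 address ipv4 10.13.48.32 auth-port 1812 acct-port 1813
 timeout 5
 retransmit 3
 key 7 <key-placeholder>
!
"""

# Global lines without which port-level 802.1X does nothing useful.
REQUIRED_GLOBALS = [
    "aaa new-model",
    "aaa authentication dot1x default group radius",
    "aaa authorization network default group radius",
    "aaa accounting dot1x default start-stop group radius",
    "dot1x system-auth-control",
]
# Sub-lines an 802.1X-enabled access port is expected to carry.
REQUIRED_PORT_LINES = [
    "dot1x pae authenticator",
    "authentication port-control auto",
]


def parse_config(text):
    """Split IOS config text into top-level lines and {block header: [sub-lines]}.
    In 'show running-config' output an indented line belongs to the nearest
    preceding non-indented line and a '!' line ends the block."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        current = raw.strip()
        top.append(current)
        blocks[current] = []
    return top, blocks


def audit(text):
    """Report missing global lines, RADIUS servers, 802.1X ports with gaps,
    and access ports that carry no port authentication at all."""
    top, blocks = parse_config(text)
    report = {
        "global_missing": [g for g in REQUIRED_GLOBALS if g not in top],
        "radius_servers": [],
        "dot1x_ports": [],
        "unauthenticated_access_ports": [],
        "port_findings": {},
    }
    for header, lines in blocks.items():
        if header.startswith("radius server "):
            addrs = [l for l in lines if l.startswith("address ipv4 ")]
            report["radius_servers"].append((header.split(" ", 2)[2], addrs))
        elif header.startswith("interface "):
            name = header.split(" ", 1)[1]
            is_access = "switchport mode access" in lines
            has_dot1x = any(l.startswith(("authentication port-control", "dot1x pae"))
                            for l in lines)
            if has_dot1x:
                report["dot1x_ports"].append(name)
                missing = [r for r in REQUIRED_PORT_LINES if r not in lines]
                if not any(l.startswith("ip access-group ") for l in lines):
                    missing.append("ip access-group <pre-auth ACL> in")
                if missing:
                    report["port_findings"][name] = missing
            elif is_access:
                report["unauthenticated_access_ports"].append(name)
    return report


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Ports listed under unauthenticated_access_ports are reported, not judged: in the guide's listing the IACS device ports in VLAN 200 carry no 802.1X by design, and the report simply makes that inventory explicit alongside the convenience port that does authenticate.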

Appendix C
Test Hardware and Software

The hardware and software components listed in Table C-1 were used in CPwE Identity Services
testing.
Table C-1 Test Hardware and Software

| Role | Product | SW Version | Notes |
|---|---|---|---|
| IES Access Switch | Cisco IE 2000, Stratix 5700™ | 15.2(3)EA (Cisco), 15.2(3)EA (RA) | Cisco to test with IE2000, Rockwell Automation to test Stratix 5700 |
| IES Access Switch | Cisco IE 3000, Stratix 8000™ | 15.2(3)EA (Cisco), 15.2(3)EA (RA) | Cisco to test with IE3000, Rockwell Automation to test Stratix 8000 |
| Access Point | Aironet 3602E | 12.4(23)JY | Light Weight Access Point |
| Wireless LAN Controller (WLC) | Cisco 5508 | 8.0.100.0 | |
| Distribution Switch | Catalyst 3750-X | 15.2(3)E | Switch stack |
| Core Switch | Catalyst 6500 | 15.1(2)SY4 | Virtual Switching System (VSS) |
| Core Switch | Catalyst 4500E | 3.6.1E | Virtual Switching System (VSS) |
| Firewall | ASA 5515-X | 9.3(1) | Active and standby |
| Policy Server | ISE 3415, ISE 3495 | 1.3 | Distributed ISE |
| Client | Microsoft Windows Laptop | Windows7 | |

Publication ENET-TD008A-EN-P, June 2015
© 2015 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights reserved.