Page 1 of 13

Lab 7: 802.1X: Wireless Networks

Lab Overview
In this lab, you will expand your knowledge with 802.1X from the previous lab. You will configure SSIDs and ACLs locally on the WLC. ISE behaves slightly
different with wireless controllers than with a switch, in that the ACLs need to be created locally on the WLC first, and then ISE will tell the WLC which ACL to
use depending on the user. In other words, ISE passes down to the WLC the name of the ACL, but not the content. You′ll enable a wireless profile for the
User-PC and test the connection.

Estimated Completion Time

Lab Procedures
• Configure and Verify the WLC

• Configure the AnyConnect NAM Profile for Wireless

• Review ISE Authentication Policies

• Configure ISE Authorization Policies

• Test Wireless 802.1X

Perform Only If You Have Done a Reset

If you have performed a reset to this lab or are using the Global Knowledge e-Labs (meaning that you are accessing the system after you have attended the 5
day course), you will need to prepare or verify the environment. Perform the following:

Access the module in the lab guide titled Post Reset and follow the directions there.

Task 1: Configure and Verify the WLC

This task will primarily focus on the configuration of the WLC. You will create two WLANs and two SSIDs for your pod, one for employees and another for
guest access. You will then log in and verify the WLC configuration.

Note: For your convenience, a PDF has been placed on the Admin-PC at Desktop\ISE\ How-To_11_Universal_WLC_Config. If you have questions about the
GK WLC configuration, feel free to consult that document as it was referenced heavily during development.

1. Identify your pod number.

You are about to create WLANs and SSIDs. It is imperative that you identify your pod number correctly before proceeding.

1.1. Access the Topology Diagram in your lab environment.

http://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L07.htm 19/09/2017
 Page 2 of 13

1.2. Take note of the number (XX here), it will range from 01-60, this is your pod number write it down and use it for the rest of the class.

Pod number = ______________

1.3. Close the window when done viewing.

2. Create WLANs and SSIDs.

2.1. From the desktop of the Admin-PC, navigate to Desktop\ISE\WLC.

2.2. Open the WLC Commands for Adding WLANs.txt file.

2.3. Replace XX in GK-XX and “GK Guest-XX” with your assigned pod number. (For example, if you are pod 53, then you would use GK-53 and “GK Guest-
53”. Make sure to use YOUR POD NUMBER.)

2.4. Press Ctrl+A and then Ctrl+C.

2.5. Launch SecureCRT on the desktop of the Admin-PC if it is not already open. Double-click the entry for the Virtual WLC and log in using the
admin/admin$Pwd credentials.

2.6. Once you′ve logged in, right-click and paste the contents of the clipboard. Note that the WLAN interface must be disabled to accept the following
pasted commands. Make sure that the last line pasted, which turns back on your WLAN interface, is executed by pressing Enter.

Note: You do not need to enter global configuration mode in order to paste in the configuration. The wireless networks will now be made available for use.

3. Log on to the WLC and verify software version and AP association.

3.1.
In the Firefox browser from the Admin-PC, open a new tab and click or browse to https://10.10.2.80.

3.2. The WLC currently does not have a valid certificate installed for SSL communication which explains why you are receiving a warning from the browser.
Accept all security warnings and log in as admin/admin$Pwd.

Note: The minimum WLC software version that is required to work with the Cisco ISE is version 7.0.114.x. This is because of the CoA requirement (RFC-
3576). There are significant enhancements for ISE in newer versions of the software which can be leveraged. In this class, you′ll be using version 7.4.150 of
software, the currently recommended Cisco version for a virtual WLC.

http://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L07.htm 19/09/2017
 Page 3 of 13

3.3. You should see the Access Point Summary on the bottom left of the screen indicating that a single AP has attached.

Note: The Wireless Controller used in the course is actually a virtual machine. This version of WLC mandates FlexConnect mode, which enables you to
configure and control APs in a branch office without deploying a controller in each location. FlexConnect APs can switch client data traffic locally or, when
they are connected to the controller, they can also send traffic back to the controller which is how this lab will operate (central switching).

4. Verify the authentication and accounting servers in the WLC.

4.1. Navigate to Security > AAA > RADIUS > Authentication and verify that two servers appear: 10.10.2.50 (ISE) and 10.10.2.60 (ISE-Secondary).

4.2. Now, click the Accounting section and verify two new entries for the 10.10.2.50 and 10.10.2.60 addresses.

5. Verify the ACLs used to apply to sessions. These ACLs are not applied yet. ISE will tell the WLC which ACL to apply to a session when a user authenticates.

5.1. Navigate to Security > Access Control Lists > Access Control Lists.

5.2. In this lab, you will be using the ADMINISTRATORS (Permits All Access), CORPORATE (Denies Access to Mgmt subnet (10.10.2.0) and permits
everything else) and DEFAULT (Denies All Access) ACLs. In subsequent labs, you will take advantage of the other ACLs listed. Take time to review these
three ACLs. They should look as follows.

http://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L07.htm 19/09/2017
 Page 4 of 13

6. Verify the interfaces on the WLC which the endpoints will be connected to once they are authorized. These interfaces are based on VLANs used in
production; VLAN 7 for corporate access, VLAN 10 for guest access, and VLAN 6 for administrative access.

6.1. Navigate to Controller > Interfaces.

6.2. Click the corporate interface and familiarize yourself with the configuration.

6.3. Click Back and then click the guest interface to familiarize yourself with that configuration.

Note: The guest interface will not be used in this lab, you will use it in a subsequent lab.

7. Verify the WLAN for EMPLOYEES.

7.1. Navigate to WLANs and verify the two WLANs that you just created.

http://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L07.htm 19/09/2017
 Page 5 of 13

Note: You should NOT see XX in your pod, you should see YOUR POD NUMBER 01 thru 60 instead.

7.2. Click WLAN ID 1, the EMPLOYEES WLAN.

7.3. On the General tab verify that the WLAN is enabled and is set to use Interface corporate by default.

7.4. Select the Security tab, and on the Layer 2 sub tab, Layer 2 security should be set to Wifi Protected Access WPA+WPA2.

7.5. On the AAA Servers sub tab, Radius Server Overwrite interface should be enabled and the two ISE servers should be listed for Authentication and
Accounting.

Note: Enabling Radius Server Overwrite uses the interface associated with the WLAN (corporate) to submit RADIUS requests to ISE. This requires a second
entry on the WLC Network Device in ISE. You can check the WLC in ISE to verify the second address of 10.10.10.2. You configured this in an earlier lab.

7.6. On the Advanced tab, verify that Allow AAA Override is enabled to allow attributes from ISE to be applied. Also, verify that NAC State is set to Radius
NAC, which is required for CoA enforcement.

http://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L07.htm 19/09/2017
 Page 6 of 13

7.7. To configure Profiling through ISE, verify that both Client Profiling options are selected.

7.8. Click Back when done viewing the WLAN.

8. Finally, you need to adjust the radio settings so that the APs are not stepping all over one another in your overpopulated lab environment.

8.1. Navigate to Wireless > Access Points > Radios > 802.11 b/g/n.

8.2. You′ll see your AP listed. Scroll to the right and mouse-over (do not click) the blue arrow and select Configure.

8.3. In the RF Channel Assignment section, change your channel, under Assignment Method > Custom, based upon an odd or even pod number
assignment. If your pod number is even, change your channel to 6. If your pod number is odd, assign your AP to channel 11. If there are any
connectivity issues later on, such as the SSID drops out-of-sight on the User-PC, come back to this setting and change the channel to 1. Click Apply and
OK, if you get a warning.

Note: Also, ensure that the TX power level is set to 1. This setting is just under the Channel Assignment setting.

9. Configure Flexconnect mode on the wireless controller. Navigate to Wireless > Access Points > All APs.

Note: Some of the following settings for FlexConnect may already be set up. That is due to the AP being configured from previous courses. Nevertheless, run
through the following.

9.1. Click the AP that appears.

9.2. On the General tab, ensure that the AP Mode is set to be FlexConnect.

9.3. On the FlexConnect tab ensure that the VLAN Support check box is checked.

9.4. In the Native VLAN ID field, ensure that 8 is listed and click VLAN Mappings.

9.5. Verify that WLANs 1 and 2 are centrally switched.

9.6. Click Apply and accept any warnings. The AP will reset the interface configuration to support trunking.

http://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L07.htm 19/09/2017
 Page 7 of 13

Task 2: Configure the AnyConnect NAM Profile for Wireless

So far, you have used a NAM profile that allows us to connect to the GK Wired network using 802.1X. Now, it is time to configure a custom profile for the GK
Wireless network to allow clients to attach to the secure Employees SSID.

10. Disable the Wired NIC on the User-PC.

10.1. If necessary, log off the User-PC and log on as admin/admin$Pwd.

10.2. Open Network and Sharing Center. Select Change Adapter Settings. Right-click Local Area Network card and select Disable.

Note: At this point, verify that there is a Wireless NIC on the User-PC. If no wireless NIC appears, notify your instructor now.

11. Configure the NAM on the User-PC.

11.1. Launch the NAM Profile Editor from the desktop of the User-PC. It will take time to load.

11.2. Click File > Open and select configuration to load the current NAM configuration profile.

11.3. You have already configured Client Policy and Authentication when working with Wired networks. Those settings won′t change here.

11.4. Click Networks from the menu tree.

11.5. Select GK Wireless and click Edit.

11.6. In the SSID field, replace GK-XX with GK-##, where ## is YOUR POD NUMBER.

Note: The SSID is case-sensitive and needs to match the SSID you entered on the WLC. Double-check your work.

11.7. Verify that Corporate Network is selected. This prohibits users from connecting to other SSIDs, such as Guest, while they are in range of this SSID.

11.8. Click Next, and on the Security Level page verify that Association Mode is set to WPA2 Enterprise (AES).

11.9. Click Next all the way through the rest of the options as they are no different than those configured for the Wired profile.

11.10. Click Done, then click File > Save to commit the profile.

11.11. Close the NAM Profile Editor.

11.12. Enable the profile by performing a network repair.

http://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L07.htm 19/09/2017
 Page 8 of 13

11.13. Open the AnyConnect Secure Mobility client and click the down arrow in the NAM in order to see a very long list of SSIDs. All but one entry should be
grayed out (for wireless). The profile labeled GK Wireless should be listed.

Note: Don′t expect the connection to work just yet; the ISE Wireless Policy set hasn′t been configured yet.

Note: The remaining SSIDs are grayed out since you enabled the Corporate Network option in the NAM. This is a great way of keeping employees on the
correct network.

Task 3: Review ISE Authentication Policies

12. Configure the ISE Authentication policies for Wireless 802.1X networks.

12.1. Use Firefox to log in to ISE as admin/admin$Pwd.

12.2. In ISE, navigate to Policy > Policy Sets > Wireless.

Note: All Network Devices belonging to the Wireless Device Group (for example, the WLC) will send authentication requests to this Policy Set.

Wireless MAB requests will be checked against the Internal Endpoints Identity Store.

Dot1X requests will be checked against the All_User_ID_Stores sequence.

12.3. Make no changes as the Authentication Policy for Wireless is already sufficient.

Task 4: Configure ISE Authorization Policies

Although the previous authentication policies used conditions that were based on the physical connection method, the authorization policies are where you
can really use users′ environment variables and assign very restrictive policies. In this task, you will review the current authorization policies configured and
modify the DACLs to support the wireless controller.

13. Investigate the current authorization policies.

13.1. Scroll down to Authorization. The output should look as follows.

http://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L07.htm 19/09/2017
 Page 9 of 13

Note: There isn′t much going on here right now. Four of the rules are disabled and the Wireless Black List rule doesn′t match anything until an endpoint is
added to the Black List. All wireless connections will receive the Default of DenyAccess. You will build off of the existing polices and throw in some specific
wireless setting such as a condition that matches the WLAN ID of a session in order to assign specific policies.

Since you will perform authorization with a Wireless LAN Controller (WLC), the current method of pushing DACLs needs to be adjusted. WLCs do not support
the use of DACLs the way switches do. With a WLC, the ACL must pre-exist on the controller. When authorization occurs, only the name of that ACL is
supplied by ISE and associated with the session.

14. Modify Authorization Profiles to support wireless.

14.1. Navigate to Policy > Policy Elements > Results.

14.2. In the menu list, navigate to Authorization > Authorization Profiles (make sure you select the Authorization Profiles folder).

14.3. You′ll notice the policies created in the previous labs. Edit Employee Access and add the following.

◾ Airespace ACL Name: CORPORATE

Note: The ACL name is case-sensitive, so be careful or you′ll have a very long lab of troubleshooting.

14.4. Click Save.

15. Create another profile to be used by our Admins. This time, you are going to assign a DACL, a VLAN, and an Airespace ACL.

15.1. Create an Authorization Profile with the following information:

◾ Name: Administrator Access

◾ DACL Name: PERMIT_ALL_TRAFFIC

◾ VLAN ID/Name: 6

◾ Airespace ACL Name: ADMINISTRATORS

Note: The ACL name is case-sensitive, so be careful or you′ll have a very long lab of troubleshooting.
The DACL is not used for Wireless, rather it is included to allow the same level of access should this profile be used on a wired network.
The VLAN ID of 6 will instruct the WLC to use the management interface rather than the corporate interface for the session.

15.2. Click Submit.

16. Configure Authorization Policy for Wireless.

16.1. Navigate to Policy > Policy Sets and select Wireless.

16.2.
Click the Copy Policy Rules icon.

16.3. In the left pane, click the Wired Policy/Rule name.

16.4. One at a time, select and add > the Employee Access and Machine Access Authorization rules to the Wireless Policy Set. The result should look as
follows.

http://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L07.htm 19/09/2017
 Page 10 of 13

16.5. Click OK and arrange the Policy to look as follows, then save the changes.

16.6. Edit the Employee Access rule.

16.7. Click the + (plus sign) in the Other Condition field.

16.8. Three conditions are listed. Add another line to the bottom of the list by clicking the configuration button (gear) on the right side of the condition
window and select Add Attribute/Value.

16.9. Now, you will match the WLAN used by the client with this ISE Authorization Policy. Under the Expression field, select Airespace > Airespace-Wlan-Id.
In the Operator field, enter EQUALS, and in the Value field, enter 1 to match against WLAN #1. This number represents the first WLAN you configured
on the WLC. In a later lab, you will also match on the SSID.

16.10. Click Done.

16.11. Locate the Employee Access rule and duplicate above the current entry.

16.12. In the Name field, enter Administrator Access.

http://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L07.htm 19/09/2017
 Page 11 of 13

16.13. Modify the Conditions field of GKLABS_AD:ExternalGroups to use GKLABS_AD:ExternalGroups = gklabs.com/Users/Domain Admins.

16.14. Change the authorization permissions to Administrator Access.

16.15. Click Done, then Save. Your Authorization Policy should look as follows.

Task 5: Test Wireless 802.1X

17. Test wireless access.

17.1. Access the User-PC; you should still be logged on as admin/admin$Pwd.

17.2. Perform another network repair on the NAM.

17.3. You should now be able to successfully connect to the GK Wireless network and obtain an address on VLAN 6, the Management Subnet
(10.10.2.0/24), because you are logged in as an administrator.

17.4. Open a browser and browse to 10.10.2.10 (admin-pc.gklabs.com), 10.10.1.25 (data-srv.gklabs.com) and then to www.cisco.com. All three should
succeed based on the ADMINISTRATORS ACL used to control the session.

17.5. On the Admin-PC in ISE monitor Live Logs, you should see output similar to the following.

17.6. Click details and verify the results.

http://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L07.htm 19/09/2017
 Page 12 of 13

17.7. Access the GUI of the WLC and navigate to Monitor > Clients. You should see the MAC address of the User-PC wireless NIC along with the parameters
associated with the session.

17.8. Click the MAC address to view the details.

Note: This is the WLC equivalent of the show authentication sessions command.

17.9. Access the User-PC and log off, then log on as employee1/gklabs.

17.10. You should get connected again to GK Wireless, this time on VLAN 7, for employees (10.10.10.0/24) with the CORPORATE ACL applied to the session.

17.11. Open a browser and browse to 10.10.1.25 (data-srv.gklabs.com) and then to www.cisco.com; both should succeed. Now try 10.10.2.10 (admin-
pc.gklabs.com) this should fail based on the CORPORATE ACL used to control the session.

http://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L07.htm 19/09/2017
 Page 13 of 13

17.12. Look at the details of the session on ISE and on the WLC to verify the VLAN and ACL that have been applied. You will see that no VLAN value has been
specified by ISE (tag=0).This means that the WLC will use the default VLAN associated with the WAN interface (VLAN 7 assigned to the corporate
interface).

Lab Complete

http://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L07.htm 19/09/2017