Cisco Catalyst 9800 Wireless Controller
Overview
The following guide covers the Cisco Catalyst 9800 WLAN Controller configuration required to integrate the controller with MetaAccess NAC so that it can be leveraged as an enforcement device. Cisco Catalyst 9800 WLAN controllers running 17.3 or later are supported for centrally switched traffic. Radius Based Enforcement (RBE) is supported for Open networks and for Secure networks using WPA2E/802.1x. Once the MetaAccess NAC Enforcer is configured as an Authentication and Accounting server, the Access-Lists are created and the WLAN controller features described below are enabled, MetaAccess NAC can block, redirect or limit access based on MetaAccess NAC Policy Group definitions.
Network Preparation and Testing
Prior to integration with MetaAccess NAC, please confirm that the WLANs you will be integrating are fully functional. A simple test of successfully associating with the SSID and browsing to a non-cached website should suffice. Ensure the static route below is added to the Layer 3 routing device upstream of your wireless controller(s). Please contact your Network Specialist if you require assistance with this task.
Static Route (apply if MetaAccess NAC is not integrated with wired network)
conf t
!
ip route 198.31.193.211 255.255.255.255 <NAC-IP>
!
end
Add MetaAccess NAC Enforcer as a RADIUS Authentication server globally
config t
!
aaa new-model
!
radius server <NAC-IP>
 address ipv4 <NAC-IP> auth-port 1812 acct-port 1813
 timeout 5
 retransmit 2
 key 7 <XXXXX>
!
aaa group server radius MetaAccesss_NAC_RBE
 server name <NAC-IP>
 deadtime 5
!
aaa group server radius MetaAccess_NAC_Acct
 server name <NAC-IP>
 deadtime 5
!
aaa server radius dynamic-author
 client <NAC-IP> server-key <Shared-Secret>
!
aaa authentication dot1x MetaAccesss_NAC_RBE_List group MetaAccesss_NAC_RBE group radius
aaa accounting update periodic 5
aaa accounting identity MetaAccess_NAC_Acct_List start-stop group MetaAccess_NAC_Acct
aaa authorization exec MetaAccesss_NAC_Authz_List group MetaAccesss_NAC_RBE
aaa authorization network MetaAccesss_NAC_MAC_Auth group MetaAccesss_NAC_RBE
ACL Configuration
ip access-list extended sc_compliant_acl
 permit ip any any
ip access-list extended sc_initial_acl
 permit ip any any
ip access-list extended sc_quarantine_acl
 deny   ip any host 198.31.193.211
 deny   ip host 198.31.193.211 any
 deny   ip any host <NAC-IP>
 deny   ip host <NAC-IP> any
 deny   udp any any eq domain
 deny   udp any eq domain any
 deny   udp any any eq bootps
 deny   udp any eq bootps any
 permit tcp any any eq www
Enable Redirection for HTTP or HTTPS
The web admin portal configuration is tied to the web authentication portal configuration, and the portal needs to listen on port 80 in order to redirect. Ensure that the command "ip http server" is present so that HTTP requests can be redirected.
If clients should also be redirected when they access an HTTPS URL, add the command "intercept-https-enable" under the global webauth parameter map:
ip http server
ip http secure-server
parameter-map type webauth global
 type webauth
 intercept-https-enable
 trustpoint xxxxx
Secure WPA2E/802.1X Wireless RBE Configuration
config t
wlan <Secure-SSID-Name> 1 <Secure-SSID-Name>
 security dot1x authentication-list MetaAccesss_NAC_RBE_List
 security web-auth parameter-map global
 no shutdown
# Policy Profile Configuration
wireless profile policy MetaAccess_NAC_policy
 aaa-override
 accounting-list MetaAccess_NAC_Acct_List
 nac
 vlan <VLAN-ID>
 no shutdown
# Link your WLAN profile to the desired Policy Profile.
wireless tag policy "MetaAccess NAC Policy"
 wlan <Secure-SSID-Name> policy MetaAccess_NAC_policy
# To assign the same Policy Tag to APs
ap <ethernet-mac-addr>
 policy-tag "MetaAccess NAC Policy"
Open Wireless RBE Configuration
wlan <Open-SSID-Name> 2 <Open-SSID-Name>
 mac-filtering MetaAccesss_NAC_MAC_Auth
 ip access-group web sc_quarantine_acl
 security dot1x authentication-list MetaAccesss_NAC_RBE_List
 security web-auth parameter-map global
 no shutdown
# Policy Profile Configuration
wireless profile policy MetaAccess_NAC_Guest_policy
 aaa-override
 accounting-list MetaAccess_NAC_Acct_List
 nac
 vlan <VLAN-ID>
 no shutdown
# Link your WLAN profile to the desired Policy Profile.
wireless tag policy "MetaAccess NAC Policy"
 wlan <Open-SSID-Name> policy MetaAccess_NAC_Guest_policy
# To assign the same Policy Tag to APs
ap <ethernet-mac-addr>
 policy-tag "MetaAccess NAC Policy"
This completes the WLAN controller configuration. Please run the commands below and send the results to your MetaAccess NAC Network Engineer for the next steps to complete integration validation testing.
# show run wlan                                                // WLAN configuration
# show run aaa                                                 // AAA configuration (server, server group, methods)
# show aaa servers                                             // Configured AAA servers
# show ap config general                                       // AP configurations
# show ap name <ap-name> config general                        // Detailed configuration of a specific AP
# show ap tag summary                                          // Tag information for APs
# show wlan { summary | id | name | all }                      // WLAN details
# show wireless tag policy detailed <policy-tag-name>          // Detailed information on the given policy tag
# show wireless profile policy detailed <policy-profile-name>  // Detailed information on the given policy profile
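The AAA section above configures two separate secrets: "key 7 <XXXXX>" on the RADIUS server entry, which authenticates the Access-Request/Accept and accounting exchanges from the controller to the NAC, and "server-key <Shared-Secret>" under "aaa server radius dynamic-author", which authenticates the change-of-authorization (CoA) messages the NAC sends back to the controller. The following Python example is added here to show how each secret is used on the wire; it is not code from this page, from Cisco or from MetaAccess NAC, and every key, username, MAC address and session id in it is a constructed placeholder.

```python
# Added example, not Cisco or MetaAccess NAC code: how the two secrets in the
# AAA section ('key 7 <XXXXX>' on the RADIUS server, 'server-key <Shared-Secret>'
# under dynamic-author) bind the controller/NAC exchanges.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
COA_REQUEST = 43                             # RFC 5176 change of authorization
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
ATTR_CALLING_STATION_ID, ATTR_ACCT_SESSION_ID = 31, 44
HEADER = struct.Struct("!BBH")               # Code, Identifier, Length

def _md5(*parts):
    return hashlib.md5(b"".join(parts)).digest()

def encode_attrs(attrs):
    """(type, value) pairs -> RADIUS TLVs: Type(1) Length(1) Value."""
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return HEADER.pack(code, ident, 20 + len(body)) + authenticator + body

def hide_password(password, request_auth, secret):
    """RFC 2865 s5.2: pad to 16-byte blocks; block i is XORed with
    MD5(secret + previous ciphertext block), block 0 with MD5(secret + RA)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], _md5(secret, prev)))
        out, prev = out + block, block
    return out

def recover_password(hidden, request_auth, secret):
    """Inverse of hide_password; the keystream chains on the hidden blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, _md5(secret, prev)))
        prev = block
    return out.rstrip(b"\x00")

def build_access_request(ident, secret, username, password):
    """Controller side: a fresh random Request Authenticator per request."""
    request_auth = os.urandom(16)
    attrs = [(ATTR_USER_NAME, username.encode()),
             (ATTR_USER_PASSWORD, hide_password(password.encode(), request_auth, secret))]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth

def build_response(code, ident, request_auth, attrs, secret):
    """Server side (RFC 2865 s3): Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    auth = _md5(HEADER.pack(code, ident, 20 + len(body)), request_auth, body, secret)
    return build_packet(code, ident, auth, attrs)

def verify_response(packet, request_auth, secret):
    """Controller side: recompute with the local key; a mismatch means the
    server used a different secret or the packet was altered in transit."""
    _code, _ident, length = HEADER.unpack(packet[:4])
    if length != len(packet):
        return False
    expected = _md5(packet[:4], request_auth, packet[20:], secret)
    return hmac.compare_digest(packet[4:20], expected)

def build_coa_request(ident, attrs, secret):
    """NAC side (RFC 5176 s3): CoA Request Authenticator =
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret), keyed by
    the dynamic-author server-key, which is independent of the auth key."""
    body = encode_attrs(attrs)
    auth = _md5(HEADER.pack(COA_REQUEST, ident, 20 + len(body)), bytes(16), body, secret)
    return build_packet(COA_REQUEST, ident, auth, attrs)

def verify_coa_request(packet, secret):
    """Controller side check that must pass before a CoA changes a session."""
    code, _ident, length = HEADER.unpack(packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return False
    expected = _md5(packet[:4], bytes(16), packet[20:], secret)
    return hmac.compare_digest(packet[4:20], expected)

def demo():
    """Run both exchanges with constructed keys and report each check."""
    auth_key = b"constructed-auth-key"        # stands in for key 7 <XXXXX>
    coa_key = b"constructed-coa-key"          # stands in for server-key <Shared-Secret>
    _request, request_auth = build_access_request(7, auth_key, "client-01", "s3cret")
    accept = build_response(ACCESS_ACCEPT, 7, request_auth, [], auth_key)
    coa = build_coa_request(9, [(ATTR_CALLING_STATION_ID, b"aa-bb-cc-dd-ee-ff"),
                                (ATTR_ACCT_SESSION_ID, b"0000001A")], coa_key)
    return {"accept_ok": verify_response(accept, request_auth, auth_key),
            "accept_wrong_key": verify_response(accept, request_auth, b"other-key"),
            "coa_ok": verify_coa_request(coa, coa_key),
            "coa_with_auth_key": verify_coa_request(coa, auth_key)}
```

Calling demo() returns accept_ok and coa_ok as True and the two cross-key checks as False, which is the behaviour to expect on the controller when the key on the RADIUS server entry or the dynamic-author server-key does not match what the NAC was given: Access-Accepts are silently dropped and CoA requests are not acted on. The "7" in "key 7" only describes how the controller stores the string in its configuration (Cisco type 7 is reversible obfuscation, not encryption); the shared cleartext value is what both sides feed into the MD5 computations above.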
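The three access-lists in the ACL Configuration section are ordinary IOS extended ACLs, evaluated top to bottom with the first matching entry deciding and an implicit deny at the end. The following Python evaluator is added here to let you check on paper which entry of sc_quarantine_acl each kind of client flow hits before the list is applied to the open WLAN; it is not code from this page, from Cisco or from MetaAccess NAC. It handles the syntax subset used on this page (ip/tcp/udp, any, host, "eq" ports) plus wildcard masks and sequence numbers as printed by "show run", which the page's lists do not use. The address 192.0.2.10 stands in for <NAC-IP>, and the sample flows are constructed.

```python
# Added example, not Cisco or MetaAccess NAC code: a first-match evaluator for
# the IOS extended ACL syntax used in the ACL Configuration section, run over
# constructed client flows so the quarantine list can be checked on paper.
import ipaddress
from typing import NamedTuple, Optional

PORT_NAMES = {"domain": 53, "bootps": 67, "bootpc": 68, "www": 80}  # keywords used above

class Entry(NamedTuple):
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    text: str

def _parse_addr(tokens, i):
    """'any' | 'host A.B.C.D' | 'A.B.C.D wildcard' -> (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # IOS wildcard mask: set bits are "don't care", so the netmask is its inverse
    addr, wildcard = tokens[i], tokens[i + 1]
    netmask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF)
    return ipaddress.ip_network((addr, str(netmask)), strict=False), i + 2

def _parse_port(tokens, i):
    """Optional 'eq <name|number>' -> (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i

def parse_acls(config):
    """Parse 'ip access-list extended' blocks into ordered entry lists."""
    acls, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tokens = line.split()
        if tokens[:3] == ["ip", "access-list", "extended"]:
            current = acls.setdefault(tokens[3], [])
            continue
        if tokens[0].isdigit():              # sequence numbers from 'show run'
            tokens = tokens[1:]
        action, proto = tokens[0], tokens[1]
        src, i = _parse_addr(tokens, 2)
        sport, i = _parse_port(tokens, i)
        dst, i = _parse_addr(tokens, i)
        dport, i = _parse_port(tokens, i)
        current.append(Entry(action, proto, src, sport, dst, dport, line))
    return acls

def evaluate(entries, proto, src, sport, dst, dport):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if e.proto not in ("ip", proto) or s not in e.src or d not in e.dst:
            continue
        if e.sport is not None and e.sport != sport:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, e.text
    return "deny", "implicit deny"

# The quarantine ACL from this page, with 192.0.2.10 (a documentation
# address) standing in for <NAC-IP>.
SAMPLE_ACL = """
ip access-list extended sc_quarantine_acl
 deny   ip any host 198.31.193.211
 deny   ip host 198.31.193.211 any
 deny   ip any host 192.0.2.10
 deny   ip host 192.0.2.10 any
 deny   udp any any eq domain
 deny   udp any eq domain any
 deny   udp any any eq bootps
 deny   udp any eq bootps any
 permit tcp any any eq www
"""

# Constructed client flows: (label, proto, src, sport, dst, dport).
SAMPLE_FLOWS = [
    ("dns lookup",       "udp", "10.1.1.50", 50000, "203.0.113.53", 53),
    ("dhcp discover",    "udp", "0.0.0.0", 68, "255.255.255.255", 67),
    ("nac portal https", "tcp", "10.1.1.50", 50001, "198.31.193.211", 443),
    ("nac enforcer",     "tcp", "10.1.1.50", 50002, "192.0.2.10", 8443),
    ("web http",         "tcp", "10.1.1.50", 50003, "203.0.113.80", 80),
    ("web https",        "tcp", "10.1.1.50", 50004, "203.0.113.80", 443),
]

def quarantine_decisions():
    """Map each sample flow to the action of the first matching entry."""
    entries = parse_acls(SAMPLE_ACL)["sc_quarantine_acl"]
    return {label: evaluate(entries, *flow)[0] for label, *flow in SAMPLE_FLOWS}
```

quarantine_decisions() shows that DNS, DHCP and all traffic to or from the NAC addresses fall into the explicit deny entries, plain HTTP is the only flow that reaches the permit entry, and HTTPS to an arbitrary site drops through to the implicit deny. To check a candidate change, edit SAMPLE_ACL (for example, paste the output of "show run | section access-list" from the controller) and add the flows you care about to SAMPLE_FLOWS; the second element of the evaluate() result names the entry that matched.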