Configuring Identity Networking | Cisco Systems OL-8335-02 specification

Chapter 5 Configuring Security Solutions

Configuring Identity Networking

Configuring Identity Networking

These sections explain the Identity Networking feature, how it is configured, and the expected behavior for various security policies:

•Identity Networking Overview, page 5-16

•RADIUS Attributes Used in Identity Networking, page 5-17

Identity Networking Overview

In most wireless LAN systems, each WLAN has a static policy that applies to all clients associated with an SSID. Although powerful, this method has limitations since it requires clients to associate with different SSIDs to inherit different QoS and security policies.

However, the Cisco Wireless LAN Solution supports Identity Networking, which allows the network to advertise a single SSID but allows specific users to inherit different QoS or security policies based on their user profiles. The specific policies that you can control using identity networking include:

•Quality of Service. When present in a RADIUS Access Accept, the QoS-Levelvalue overrides the QoS value specified in the WLAN profile.

•ACL. When the ACL attribute is present in the RADIUS Access Accept, the system applies the ACL-Nameto the client station after it authenticates. This overrides any ACLs that are assigned to the interface.

•VLAN. When a VLAN Interface-Nameor VLAN-Tagis present in a RADIUS Access Accept, the system places the client on a specific interface.

Note The VLAN feature only supports MAC filtering, 802.1X, and WPA. The VLAN feature does not support Web Auth or IPSec.

•Tunnel Attributes.

Note When any of the other RADIUS attributes in this section are returned, the Tunnel Attributes must also be returned.

In order for this feature to be enabled, on a per WLAN basis, the Enable AAA Override configuration flag must be enabled.

The Operating System’s local MAC Filter database has been extended to include the interface name, allowing local MAC filters to specify to which interface the client should be assigned. A separate RADIUS server can also be used, but the RADIUS server must be defined using the Security menus.

Cisco Wireless LAN Controller Configuration Guide

5-16	OL-8335-02

Image 122

Cisco Systems OL-8335-02 manual Configuring Identity Networking, Identity Networking Overview

Contents

Cisco Wireless LAN Controller Configuration Guide Corporate Headquarters Cisco Wireless LAN Controller Configuration Guide N T E N T S Iii Client Location Enabling Web and Secure Web Modes Configuring Ports Configuring the System for SpectraLink NetLink Telephones Vii QoS-Level5-17 ACL-Name5-17 Interface-Name5-18 VLAN-Tag5-18 Viii Using Dhcp Option 43 Radio Resource Monitoring Prerequisites Series Wireless LAN Controllers B-8 Xii Preface Xiii Organization AudiencePurpose Xiv Conventions Xvi Cisco.com Related PublicationsObtaining Documentation Xvii Ordering Documentation Documentation FeedbackProduct Documentation DVD Xviii Xix Reporting Security Problems in Cisco ProductsCisco Product Security Overview Cisco Technical Support & Documentation Website Submitting a Service RequestObtaining Technical Assistance Xxi Definitions of Service Request SeverityObtaining Additional Publications and Information Xxii Overview Cisco Wireless LAN Solution Overview Cisco Wlan Solution Components Single-Controller Deployments Multiple-Controller Deployments Single-Controller Deployment Operating System Software Operating System Security Cisco Wlan Solution Wired Security Layer 2 and Layer 3 Lwapp Operation Cisco Wireless LAN ControllersConfiguration Requirements Operational Requirements Same-Subnet Layer 2 Roaming Client RoamingPrimary, Secondary, and Tertiary Controllers Inter-Controller Layer 2 Roaming Special Case Voice Over IP Telephone Roaming Inter-Subnet Layer 3 RoamingClient Location Per-Interface Assignment Per-Wireless LAN AssignmentExternal Dhcp Servers Security Considerations Cisco Wlan Solution Wired Connections Cisco Wlan Solution Wireless LANs Access Control Lists Identity Networking File Transfers Enhanced Integration with Cisco Secure ACS Power over Ethernet Pico Cell Functionality Intrusion Detection Service IDS Wireless LAN Controller Platforms Cisco 2000 Series Wireless LAN Controllers Cisco 4100 Series Wireless LAN Controllers Cisco 4400 Series Wireless LAN Controllers Cisco 2000 Series Wireless LAN Controller Model Numbers Cisco 4100 Series Wireless LAN Controller Model Numbers Cisco 4400 Series Wireless LAN Controller Model Numbers Startup Wizard Cisco Wireless LAN Controller Memory Cisco Wireless LAN Controller Failover Protection Cisco Wireless LAN Controller Time Zones Cisco Wireless LAN Controller Automatic Time SettingNetwork Connections to Cisco Wireless LAN Controllers Cisco 2000 Series Wireless LAN Controllers Cisco 4100 Series Wireless LAN Controllers Cisco 4400 Series Wireless LAN Controllers 6shows connections to the 4100 series controller Rogue Access Points Web User Interface Rogue Access Point Location, Tagging, and ContainmentWeb User Interface and the CLI Command Line Interface Using the Web-Browser and CLI Interfaces Configuring the GUI for Https Using the Web-Browser InterfaceGuidelines for Using the GUI Enabling Web and Secure Web Modes Loading an Externally Generated Https Certificate Show certificate summary Web Administration Certificate file webadmincertname.pem Disabling the GUI Using the CLIUsing Online Help Logging into the CLI Using a Local Serial Connection Using a Remote Ethernet Connection Navigating the CLI Command ActionLogging Out of the CLI Enter config network mgmt-via-wireless enable Configuring Ports and Interfaces Overview of Ports and Interfaces Ports Distribution System Ports Service Port Interfaces Management Interface AP-Manager Interface Virtual Interface Service-Port Interface Dynamic Interface WLANs Ports, Interfaces, and WLANs Configuring Ports and Interfaces Management Interface Interfaces Virtual Interface Service-Port InterfaceAP-Manager Interface Config interface acl management access-control-list-name Using the CLI to Configure the Management InterfaceUsing the CLI to Configure the AP-Manager Interface Using the CLI to Configure the Virtual Interface Config interface acl ap-manager access-control-list-name Using the CLI to Configure the Service-Port Interface Configuring Dynamic InterfacesUsing the GUI to Configure Dynamic Interfaces Interfaces New Using the CLI to Configure Dynamic Interfaces Configuring Ports Ports Parameter Description Controller Available Data Rates Controller Supported Data Rates Default EnableDefault Auto Configuring Port Mirroring Configuring Spanning Tree Protocol Using the GUI to Configure Spanning Tree Protocol STP State Description Default Default OffSTP Mode Description 10 Controller Spanning Tree Configuration Range Default DisableRange Default Using the CLI to Configure Spanning Tree Protocol Default 2 seconds Enabling Link Aggregation 11illustrates LAG 12 Link Aggregation with Catalyst 6500 Neighbor Switch Link Aggregation Guidelines Using the GUI to Enable Link Aggregation 13 General Using the CLI to Enable Link Aggregation Configuring Neighbor Devices to Support LAG Using Link Aggregation Using Multiple AP-Manager Interfaces Examples 14 Two AP-Manager Interfaces 15 Three AP-Manager Interfaces 16 Four AP-Manager Interfaces 17 Interfaces New Connecting Additional Ports Configuring Controller Settings Using the Configuration Wizard Before You Start Resetting to Default Settings Using the GUI Resetting the Device to Default SettingsResetting to Default Settings Using the CLI Browse to the Commands/Reset to Factory Defaults Running the Configuration Wizard on the CLI Configuring NTP Configuring a Country CodeConfiguring Time and Date Manually Managing the System Time and Date Enabling and Disabling 802.11 Bands Country Code Bands Allowed Configuring Snmp Settings Configuring Administrator Usernames and PasswordsConfiguring Radius Settings Enabling 802.3x Flow Control Enabling Dynamic Transmit Power ControlConfig 802.11a 802.11bg dtpc enable disable Enabling System Logging Guidelines for Using Multicast Mode Configuring Multicast ModeUnderstanding Multicast Mode Command Multicast Mode Configuring the Supervisor 720 to Support the WiSMEnabling Multicast Mode General WiSM Guidelines Configuring the SupervisorCommand Purpose Interface GigabitEthernet9/1-4 Switchport mode trunk Channel-group 1 mode onWism service-vlan vlan Interface GigabitEthernet9/5-8 Using the Wireless LAN Controller Network Module Service-module wlan-controller 1/0 reset OL-8335-02 Configuring Security Solutions Layer 2 Solutions Cisco Wlan Solution SecurityLayer 1 Solutions Security Overview Rogue Access Point Challenges Layer 3 SolutionsRogue Access Point Solutions Tagging and Containing Rogue Access Points Configuring the System for SpectraLink NetLink Telephones Integrated Security Solutions Using the GUI to Enable Long Preambles Using the CLI to Enable Long Preambles Using Management over Wireless Using the GUI to Enable Management over Wireless Using the GUI to Configure Dhcp Configuring DhcpUsing the CLI to Enable Management over Wireless Config wlan disable wlan-id Customizing the Web Authentication Login ScreenUsing the CLI to Configure Dhcp Config wlan enable wlan-id Default Web Authentication Operation Typical Web-Browser Security Alert Typical Web Authentication Login Window Changing the Web Authentication Login Window Title Customizing Web Authentication OperationHiding and Restoring the Cisco Wlan Solution Logo Changing the Logo Config custom-web webmessage messageChanging the Web Message Clear webmessage Downloading the Logo or Graphic Creating a Custom URL Redirect Verifying Web Authentication ChangesConfig custom-web redirecturl url Example Sample Customized Web Authentication Login Window Example of a Customized Web Authentication Login Window Configuring Identity Networking Identity Networking Overview ACL-Name Radius Attributes Used in Identity NetworkingQoS-Level Interface-Name VLAN-Tag Tunnel Attributes OL-8335-02 Configuring WLANs Displaying, Creating, Disabling, and Deleting Wireless LANs Wireless LAN OverviewConfiguring Wireless LANs Configuring MAC Filtering for Wireless LANs Activating Wireless LANsAssigning a Wireless LAN to a Dhcp Server Enabling MAC Filtering Configuring a Timeout for Disabled Clients Assigning Wireless LANs to VLANsConfiguring Layer 2 Security Dynamic 802.1X Keys and Authorization WEP Keys Dynamic WPA Keys and Encryption IPSec Authentication Configuring Layer 3 SecurityConfiguring a Wireless LAN for Both Static and Dynamic WEP IPSec IKE Lifetime Timeout IKE AuthenticationIKE Phase 1 Aggressive and Main Modes IKE Diffie-Hellman Group IPSec Passthrough Configuring Quality of ServiceWeb-Based Authentication Local Netuser Traffic Type Configuring QoS Enhanced BSS QbssConfig wlan wmm disabled allowed required wlan-id Ieee 802.11e UP Enabling 7920 Support Mode Config wlan 7920-support client-cac-limit enable wlan-id Controlling Lightweight Access Points Lightweight Access Point Overview Cisco 1000 Series Ieee 802.11a/b/g Lightweight Access Points Cisco 1030 Remote Edge Lightweight Access Points Typical 1030 Lightweight Access Point Configuration Cisco 1000 Series Lightweight Access Point Part Numbers Antenna Sectorization Cisco 1000 Series Lightweight Access Point LEDsExternal Antenna Connectors Cisco 1000 Series Lightweight Access Point Connectors Cisco 1000 Series Lightweight Access Point Monitor Mode Using the DNS for Controller DiscoveryCisco 1000 Series Lightweight Access Point Mounting Options Dynamic Frequency Selection Autonomous Access Points Converted to Lightweight Mode Reverting from Lightweight Mode to Autonomous Mode Using a Controller to Return to a Previous Release Using Dhcp Option Access Point VCI String Display of MAC Addresses for Converted Access Points Converted Access Points Send Radio Core Dumps to ControllerEnabling Memory Core Dumps from Converted Access Points Config ap get-radio-core-dump slot ap-name Config ap reset-button enable disable ap-nameall Config ap static-ip enable ap-name ip-address mask gateway OL-8335-02 Managing Controller Software Configurations Transferring Files to and from a Controller Upgrading Controller Software Transfer download path absolute-tftp-server-path-to-file Erasing the Controller Configuration Saving ConfigurationsClearing the Controller Configuration Resetting the Controller OL-8335-02 Configuring Radio Resource Management Overview of Radio Resource Management Radio Resource Monitoring Dynamic Channel Assignment Client and Network Load Balancing Dynamic Transmit Power ControlCoverage Hole Detection and Correction RF Group Leader Overview of RF GroupsRRM Benefits Configuring an RF Group RF Group Name Using the GUI to Configure an RF Group General Viewing RF Group Status Using the CLI to Configure RF GroupsUsing the GUI to View RF Group Status Global Parameters Global Parameters Auto RF Using the CLI to View RF Group Status Auto Enabling Rogue Access Point Detection Using the GUI to Enable Rogue Access Point Detection All APs Details AP Authentication Policy Configuring Dynamic RRM Using the CLI to Enable Rogue Access Point Detection RF Group Using the GUI to Configure Dynamic RRMDefault Enabled RF Channel Assignment Default AutomaticYou click Invoke Channel Update Now Channel Assignment Method Description Default Disabled Assignment Method Description Tx Power Level AssignmentClick Invoke Power Update Now Default 80% Default 10%Default -70 dBm Default 25% Default Noise/Interference/Rogue Monitoring Channels Monitor Intervals Using the CLI to Configure Dynamic RRM Config 802.11a disable Config 802.11b disable Overriding Dynamic RRM Radios Cisco APs Configure Config 802.11a txPower AP1 Config 802.11a disable Config 802.11b disable Viewing Additional RRM Settings Using the CLI Configuring Mobility Groups 10-1 Overview of Mobility 10-2 10-3 Inter-Controller Roaming 10-4 Inter-Subnet Roaming Overview of Mobility Groups 10-5 10-6 Two Mobility Groups Prerequisites Configuring Mobility GroupsDetermining When to Include Controllers in a Mobility Group 10-7 Using the GUI to Configure Mobility Groups 10-8 10-9 Mobility Group Member New 10-10 Mobility Group Members Edit All 10-11 Configuring Auto-Anchor MobilityUsing the CLI to Configure Mobility Groups 10-12 Guidelines for Using Auto-Anchor MobilityUsing the GUI to Configure Auto-Anchor Mobility 10-13 WLANs Using the CLI to Configure Auto-Anchor Mobility 10-14 Safety Considerations Translated Safety Warnings Safety Considerations Bewaar Deze Instructies Warnung Wichtige Sicherheitshinweise Avvertenza Importanti Istruzioni Sulla Sicurezza Aviso Instruções Importantes DE Segurança Guarde Estas Instruções Class 1 Laser Product Warning Aviso Produto a laser de classe Ground Conductor Warning Cisco Wireless LAN Controller Configuration Guide Chassis Warning for Rack-Mounting and Servicing Cisco Wireless LAN Controller Configuration Guide Cisco Wireless LAN Controller Configuration Guide OL-8335-02 Cisco Wireless LAN Controller Configuration Guide Page OL-8335-02 Page OL-8335-02 Page Battery Handling Warning for 4400 Series Controllers Cisco Wireless LAN Controller Configuration Guide OL-8335-02 Equipment Installation Warning Cisco Wireless LAN Controller Configuration Guide OL-8335-02 OL-8335-02 Cisco Wireless LAN Controller Configuration Guide OL-8335-02 Cisco Wireless LAN Controller Configuration Guide Cisco Wireless LAN Controller Configuration Guide OL-8335-02 OL-8335-02 Declarations of Conformity and Regulatory Information FCC Certification number Regulatory Information for 1000 Series Access PointsModel Manufacturer Certification number Department of Communications-CanadaCanadian Compliance Statement EMC Declaration of Conformity for RF Exposure 03-5549-6500 Access Points with Ieee 802.11a Radios All Access Points Declaration of Conformity Statements Cisco Wireless LAN Controller Configuration Guide OL-8335-02 OL-8335-02 End User License and Warranty End User License Agreement Cisco Wireless LAN Controller Configuration Guide OL-8335-02 Limited Warranty Appendix C End User License and Warranty Limited Warranty Disclaimer of Warranty Additional Open Source Terms OL-8335-02 System Messages and Access Point LED Patterns Error Message Description System Messages Lradifcurrentchannelchanged Client Reason Code Description Meaning Using Client Reason and Status Codes in Trap LogsClient Reason Codes Client Status Codes Client Status Code Description Meaning Using Lightweight Access Point LEDs LED Conditions Status Numerics IN-1 IN-2 DFS Dhcp IN-3 Help Hold Time parameter IN-4 Physical Mode parameter Physical Status parameter IN-5 IN-6 IN-7 IN-8