Friday, January 1, 2010

CCIE-LAB-WLC

1) a TACACS+ user can be an admin on the WLC, but the 'shell profile' needs to have one attribute: role1=ALL (double-check that there is no space in it!)

Authorization Result 
{Type=Authorization; Author-Reply-Status=PassAdd; AVPair=role1=ALL; } 

2) a RADIUS user can also be an admin on the WLC, but the user needs the IETF Service-Type attribute set according to the access level:

  NAS Prompt for readonly
  Administrative for readwrite
  Callback Administrative for lobbyadmin
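As an added example (my code, not from the original post), a small Python check that parses an ACS-style authorization result like the one in item 1 and only accepts an exact `role1=ALL` AVPair, flagging the stray-space mistake the post warns about; it also carries the RFC 2865 numeric codes behind the three Service-Type names from item 2. Function names and the numeric codes are mine (the post names the Service-Type values only):

```python
import re

# RFC 2865 Service-Type codes for the three values the post names, mapped to
# the WLC management access level each one grants (mapping as in the post).
SERVICE_TYPE_TO_WLC_ROLE = {
    7: "readonly",     # NAS-Prompt
    6: "readwrite",    # Administrative
    11: "lobbyadmin",  # Callback-Administrative
}

# The one TACACS+ shell-profile attribute the post says a full WLC admin needs.
WLC_TACACS_ADMIN_AVPAIR = "role1=ALL"


def parse_authorization_result(line):
    """Parse an ACS-style '{Key=Value; Key=Value; }' authorization result.

    Values are deliberately left unstripped so that a stray space inside the
    AVPair (the mistake the post warns about) stays visible to the caller.
    """
    match = re.search(r"\{(.*)\}", line)
    if not match:
        raise ValueError("no {...} authorization result in line")
    fields = {}
    for item in match.group(1).split(";"):
        if "=" not in item:
            continue
        key, _, value = item.partition("=")  # first '=' only: AVPair=role1=ALL
        fields[key.strip()] = value
    return fields


def check_wlc_admin_avpair(line):
    """Return (ok, reason) for a TACACS+ authorization result line.

    ok is True only when the reply status is PassAdd and the AVPair is exactly
    'role1=ALL' with no whitespace anywhere in it.
    """
    fields = parse_authorization_result(line)
    status = fields.get("Author-Reply-Status", "").strip()
    if status != "PassAdd":
        return False, f"reply status {status!r} is not PassAdd"
    avpair = fields.get("AVPair")
    if avpair is None:
        return False, "no AVPair in authorization result"
    if re.search(r"\s", avpair):
        return False, f"AVPair {avpair!r} contains whitespace; the WLC will not match it"
    if avpair != WLC_TACACS_ADMIN_AVPAIR:
        return False, f"AVPair {avpair!r} is not {WLC_TACACS_ADMIN_AVPAIR!r}"
    return True, "full admin role granted"


def wlc_role_for_service_type(code):
    """Map a RADIUS Service-Type code to the WLC access level, or None when the
    value is not one of the three the post lists for management access."""
    return SERVICE_TYPE_TO_WLC_ROLE.get(code)


if __name__ == "__main__":
    # Constructed sample lines: the post's good result and a broken variant.
    for sample in (
        "{Type=Authorization; Author-Reply-Status=PassAdd; AVPair=role1=ALL; }",
        "{Type=Authorization; Author-Reply-Status=PassAdd; AVPair=role1 = ALL; }",
    ):
        print(sample, "->", check_wlc_admin_avpair(sample))
    print("Service-Type 6 ->", wlc_role_for_service_type(6))
```

The parser keeps values unstripped on purpose: a trailing space before the `;` in `AVPair=role1=ALL ; ` is exactly what a quick visual check misses, and the WLC compares the attribute literally.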

3) adding a new admin user on the WLC from the CLI:

config mgmtuser add testuser testpAss1 read-write

4) you can have different rogue rules for malicious and friendly (trusted) networks:

(Cisco Controller) >show rogue rule summary

Priority Rule Name               State    Type          Match Hit Count
-------- ----------------------- -------- ------------- ----- ---------
1        KNOWN                   Enabled  Friendly      All   0       
2        UNKNOWN                 Enabled  Malicious     Any   0       

(Cisco Controller) >

5) you can manually add trusted APs by MAC address to the auth-list:

(Cisco Controller) >show auth-list

Authorize MIC APs against AAA ................... enabled
Authorize LSC APs against Auth-List ............. disabled
APs Allowed to Join
  AP with Manufacturing Installed Certificate.... yes
  AP with Self-Signed Certificate................ no
  AP with Locally Significant Certificate........ no

Mac Addr                  Cert Type    Key Hash
-----------------------   ----------   ------------------------------------------
00:06:f6:16:f0:c5         MIC          


(Cisco Controller) >

6) MAC filtering per WLAN

7) client exclusion
  • timeout under the WLAN
  • policy under the Security tab

8) FlexConnect
  • under the WLAN you enable this feature (Advanced tab)
  • under each AP you need to set 'AP mode' = FlexConnect
  • DHCP enabled on the local switch:
SW5#show ip dhcp binding 
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
136.1.47.100        0100.06f6.16f0.c5       Mar 02 1993 12:28 AM    Automatic
136.1.147.2         01fc.7516.88bd.19       Mar 02 1993 12:56 AM    Automatic
SW5#
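As an added example (my code, not from the original post), a Python audit that ties items 5 and 8 together: it parses the `show auth-list` output above into the controller's join settings and authorized MACs, parses the `show ip dhcp binding` output from the FlexConnect switch, converts each IOS Client-ID (hardware type `01` for Ethernet followed by the MAC, so `0100.06f6.16f0.c5` is AP `00:06:f6:16:f0:c5`) and reports which leases belong to APs on the auth-list. The sample text is copied from the post's captures and embedded inline; the Client-ID layout is a fact about IOS output, the function names and regexes are mine:

```python
import re

# Sample outputs copied from the post's 'show auth-list' and 'show ip dhcp
# binding' captures; embedded here as inline test data.
AUTH_LIST_OUTPUT = """\
Authorize MIC APs against AAA ................... enabled
Authorize LSC APs against Auth-List ............. disabled
APs Allowed to Join
  AP with Manufacturing Installed Certificate.... yes
  AP with Self-Signed Certificate................ no
  AP with Locally Significant Certificate........ no

Mac Addr                  Cert Type    Key Hash
-----------------------   ----------   ------------------------------------------
00:06:f6:16:f0:c5         MIC
"""

DHCP_BINDING_OUTPUT = """\
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
136.1.47.100        0100.06f6.16f0.c5       Mar 02 1993 12:28 AM    Automatic
136.1.147.2         01fc.7516.88bd.19       Mar 02 1993 12:56 AM    Automatic
"""

# 'Name .... value' lines, MAC/cert-type rows, and DHCP binding rows.
SETTING_RE = re.compile(r"^\s*(.+?)\s*\.{3,}\s*(enabled|disabled|yes|no)\s*$")
AUTH_ENTRY_RE = re.compile(r"^\s*([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})\s+(MIC|SSC|LSC)\b")
BINDING_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F.]+)\s")


def parse_auth_list(text):
    """Return (settings, entries) from 'show auth-list' output.

    settings maps each yes/no or enabled/disabled line to a bool;
    entries maps lower-case MAC -> certificate type (MIC/SSC/LSC).
    """
    settings, entries = {}, {}
    for line in text.splitlines():
        m = SETTING_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2) in ("enabled", "yes")
            continue
        m = AUTH_ENTRY_RE.match(line)
        if m:
            entries[m.group(1).lower()] = m.group(2)
    return settings, entries


def dhcp_client_id_to_mac(client_id):
    """Turn an IOS DHCP Client-ID such as 0100.06f6.16f0.c5 into 00:06:f6:16:f0:c5.

    IOS prints the client identifier as hardware type (01 = Ethernet) followed
    by the MAC; anything that is not a 7-byte Ethernet identifier returns None.
    """
    digits = client_id.replace(".", "").lower()
    if len(digits) != 14 or not digits.startswith("01"):
        return None
    mac = digits[2:]
    return ":".join(mac[i:i + 2] for i in range(0, 12, 2))


def parse_dhcp_bindings(text):
    """Return [(ip, mac_or_None), ...] from 'show ip dhcp binding' output."""
    bindings = []
    for line in text.splitlines():
        m = BINDING_RE.match(line)
        if m:
            bindings.append((m.group(1), dhcp_client_id_to_mac(m.group(2))))
    return bindings


def audit_ap_leases(auth_text, dhcp_text):
    """Cross-check DHCP leases against the controller's AP authorization list."""
    settings, entries = parse_auth_list(auth_text)
    findings = []
    if settings.get("AP with Self-Signed Certificate"):
        findings.append("controller accepts self-signed-certificate APs")
    authorized, others = [], []
    for ip, mac in parse_dhcp_bindings(dhcp_text):
        (authorized if mac in entries else others).append((ip, mac))
    return {"findings": findings, "authorized_aps": authorized, "other_clients": others}


if __name__ == "__main__":
    report = audit_ap_leases(AUTH_LIST_OUTPUT, DHCP_BINDING_OUTPUT)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the post's captures the lease for 136.1.47.100 resolves to the MIC AP in the auth-list and 136.1.147.2 is an ordinary client; the same script run against a larger binding table is a quick way to spot a device that obtained a lease on the AP VLAN without being on the auth-list.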

9) ACL downloaded from ACS

You need to add one RADIUS attribute, Airespace-ACL-Name, naming an ACL that already exists on the WLC; the user's authorization record then looks like:
User-Name=peapuser
Class=CACS:ACS2/210041497/3
Airespace-ACL-Name=PEAP-ACL
