
Cisco Enable Secure Access - Wireless v2.1
Published: October 28, 2022

    About This Demonstration

    This demo focuses on how to deploy a WLAN within a campus network using Cisco DNA Center. Within this design, a Cisco Catalyst 9800 wireless LAN controller (WLC) is configured and it functions as the enterprise WLC for access points (APs) located on multiple floors, within a specific building of a campus.

    Requirements

    The list below outlines the requirements for this preconfigured demonstration.

    • Endpoint router with Standalone Access Point (CAPWAP in EZVPN1) or Standalone Access Point (CAPWAP2)
      1. TCP port 443 required.
      2. UDP ports 5246 and 5247 required.

    • dCloud Endpoint Router Kit, for example an 819HWD router, registered and configured for dCloud
      Note: The internal AP will not work with this demo and should be disabled.
      The demo can be used along with an endpoint router (preferred) but can also be used without one. See this page for more information.

    • Supported wireless access point for the C9800-CL v17.8.1. For more information, refer to Release Notes for Cisco Catalyst 9800 Series Wireless Controller, Cisco IOS XE Cupertino 17.8.x.

    • Monitoring workstation laptop

    • User devices: tablet, smartphone, or additional laptop
      Note: For the best experience use an iOS device; Android may also work, but not as seamlessly as iOS devices for BYOD onboarding.
      Note: BYOD onboarding in this demo is only supported with Mac OS X, Windows, Android, and Apple iOS.

    About This Solution

    This guide focuses on how to deploy a wireless local area network (WLAN) within a campus network, using Catalyst 9800 Series WLAN controllers (WLCs) with access points (APs) in centralized (local mode) operation, using Cisco DNA Center.

    This guide is intended to provide technical guidance to design, deploy, and operate a Cisco WLAN using Cisco DNA Center.

    Implementation Flow

    This guide contains four major scenarios:

    • Define the Wireless Network presents an overview of the campus WLAN which will be designed and deployed through Cisco DNA Center. It consists of an enterprise high availability (HA) stateful switch-over (SSO) WLC pair, with APs operating in centralized (local) mode, along with a traditional guest anchor controller.

    • Design the Wireless Network discusses the integration of Cisco DNA Center with Cisco Identity Services Engine (ISE); creation of the site hierarchy including the importing of floor maps within Cisco DNA Center; configuration of various network services necessary for network operations such as AAA, DNS, DHCP, NTP, SNMP, and Syslog servers; and configuration of wireless settings including WLANs/SSIDs, VLANs, and RF profiles for the WLAN deployment. Most of this scenario is already prebuilt and we will simply review it.

    • Deploy the Wireless Network discusses discovery of the WLC; managing the software image running on the WLC; configuring HA SSO redundancy on the WLC; provisioning the enterprise and guest WLCs within Cisco DNA Center; joining AP to the enterprise WLC HA SSO pair; provisioning the AP within Cisco DNA Center; and positioning the APs on the floor maps within Cisco DNA Center.

    • Operate the Wireless Network briefly discusses how Cisco DNA Assurance can be used to monitor and troubleshoot the WLAN deployment.

    Topology

    This content includes preconfigured users and components to illustrate the scripted scenarios and features of the solution. Most components are fully configurable with predefined administrative user accounts.

    You can see the IP address and user account credentials to use to access a component by clicking the component icon in the Topology menu of your active session and in the scenario steps that require their use.

    dCloud Topology

    Table: Server Details

    Device | IP Address | Access Method | Username | Password | Bookmark
    C9800-CL (17.8.1) | Private: 100.64.0.7; Public: see Session Details | Workstation1 browser; local browser | Session Owner | Session ID | C9800-CL
    Workstation 1 | 198.18.133.36; NAT address: 198.18.128.250 | Cisco AnyConnect, RDP | WIN10\Administrator | C1sco12345 | Workstation1
    Active Directory (AD) | 198.18.133.1 | RDP, VM Console | DCLOUD\administrator | C1sco12345 | Automation (AD)
    ISE (3.1 patch 3) | 100.64.0.100; NAT address: 198.18.128.100 | Workstation1: Cisco AnyConnect, local browser, VM Console | admin | C1sco12345 | ISE
    Prime Infrastructure (3.10) | 198.18.136.100 | Workstation1 browser | root | @Dm!n12345 | Cisco PI
    DNA Center (2.3.2.1 Frey) | 100.64.0.101; NAT address: 198.18.128.101 | Workstation1: Cisco AnyConnect, local browser, VM Console | admin | C1sco12345 | DNA Center

    Before You Present

    Cisco dCloud strongly recommends that you perform the tasks in this document before presenting it in front of a live audience. This will allow you to become familiar with the structure of the document and content.

    dCloud recommends using the Chrome browser for all demos.

    PREPARATION IS KEY TO A SUCCESSFUL PRESENTATION.

    Get Started

    Follow these steps to schedule a session of the content and configure your presentation environment.

    Procedure

    1. Initiate your dCloud session.

    Note: It may take up to 55 minutes to 1 hour for your session to become active.

    2. For best performance, connect to the workstation with Cisco AnyConnect VPN and the local RDP client on your laptop.

    Workstation 1: 198.18.133.36
    Username: win10\administrator
    Password: C1sco12345

    Note: You can also connect to the workstation using the Cisco dCloud Remote Desktop client. The dCloud Remote Desktop client works best for accessing an active session with minimal interaction. However, many users experience connection and performance issues with this method.

    On Workstation1, ensure that your country is enabled on the demo wireless controller (Cisco WLC).

    Note: The Cisco WLC login for this demo requires session-specific credentials. The username is the name that you use to log in to the dCloud UI and the password is the session ID. You can obtain this information in the session details section of your active demo. The generic username dcloud is also provided and can be used with the unique session ID as the password, if necessary.

    3. Provision your compatible AP.

    Note: If you are using an endpoint router, this step only needs to be completed once. An endpoint router is HIGHLY recommended when using these demos. Without one, the AP must be re-provisioned with the new demo Cisco WLC IP address EACH time you schedule a new demo.

    4. Verify that your AP is operational.

    You now have the option of connecting to Workstation1 through the AP.

    5. You may need to complete other demonstration preparation activities, based on the location of your demonstration.

    Complete the additional demonstration preparation activities for demonstrating at a Cisco Office.

    Complete the additional demonstration preparation activities for demonstrating at a Customer Site.


    Scenarios


    Check AP status on the CL-9800 GUI

    Procedure

    1. Open the 9800-CL Wireless Controller dashboard at https://100.64.0.7. Log in using username/Session ID.

    You can also use the public IP that is provided under dCloud session details.

    2. Verify that no AP is joined and no configuration has been made.

    Once your compatible AP is joined, you should see it with a status of Connected but not operational.

    Note: If this is the first time that your AP is joining this specific version of code, it upgrades for about 30 minutes before it is fully operational. You can continue with the next steps.

    3. Confirm that the AP appears fully joined in the CL-9800 main dashboard. Click the number 1 to verify that it shows an Operational Status of Registered.

    Note: If the device is still upgrading/downloading, please be patient; you can move forward to the next step and confirm that it is operational later on.

    Important: Joining the compatible AP to the controller can also be skipped and done later in this demonstration, right after the Provisioning the C9800 Device section, when it is time to provision your Access Point. Note that we have set up our Controller to support APs with several country codes. You can confirm that information by logging into the C9800-CL Dashboard, navigating to Configuration > Wireless > Access Point, scrolling to Country, and checking the codes set by default.

    To be able to join any other AP that runs in a different country code frequency region, log in to DNA Center by opening the DNAC bookmark with the admin\C1sco12345 credentials, click the menu, and select Design > Network Hierarchy. Scroll down to the SJC Building 13 hierarchy, click the gear icon, and then click Edit Building.

    You can either update the Address or simply enter a Latitude and Longitude that fits your region and AP country code. The frequency will be detected after the changes are applied and the AP should join with no issue.

    Define and Discover Wireless LAN Controller

    Value Proposition: DNA Center is a system for centralized deployment and policy management of devices within a campus network. Many aspects of DNA-C can be preconfigured before adding devices to it.

    Procedure

    1. Open https://100.64.0.101 in a new tab, click Advanced and proceed in order to be prompted with the login page.

    Note: You can also establish a Cisco AnyConnect VPN connection and navigate locally to the NAT address provided.

    2. Log in using the admin\C1sco12345 credentials.

    3. On the DNAC main dashboard, go to the top left corner, accept the navigation notification, click the menu icon, and then select Tools > Discovery.

    4. Click Add Discovery. We will work with the Cisco WLC this time.

    Note: The discovery tool helps DNA Center quickly find network devices in your environment. It can do this by using a seed device for CDP and then allowing DNA Center to walk, neighbor by neighbor, through your network. In our case we are going to use the IP Range feature to tighten the search so that only our device is found.

    5. Apply the following configuration options:

       1. For Discovery Name, enter WLC.
       2. Select IP Address/Range.
       3. For From, enter 100.64.0.7.
       4. For To, enter 100.64.0.7.

    Important: DO NOT use a loopback address as it might break the configuration.

    6. Review the credentials section.

    CLI and SNMP credentials are already prebuilt to avoid mismatches at the time of provisioning the devices.

    7. On the right, click the + icon to add credentials. NETCONF must be enabled.

    8. Click the NETCONF tab, add port 830, and check the Save as global settings check box. Click Save.

    Note: This is beneficial when it comes time to provision the devices. Feel free to click the X to close the tab.

    9. Scroll down to the lower right corner and click Discover.

    10. Under the Discover Devices tab, click Start.

    11. At this point we should pick up the WLC, so click View Inventory and wait for it to be displayed.

    Important: From now on, scroll to the right and verify that the device appears as Managed under Manageability.
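    The discovery that steps 4 through 11 create in the GUI can also be driven through the DNA Center Intent API, which is handy when the same WLC has to be rediscovered for every new demo session. The following Python is an added example, not code from the dCloud guide or from Cisco: it builds the request body for the platform's discovery endpoint (discovery type Range, from/to 100.64.0.7, NETCONF on port 830, SSH first), refuses the loopback address the Important note warns about, and submits the job after exchanging the admin credentials for an API token. The endpoint paths and field names follow the public Intent API as the author knows it and should be checked against the API documentation for the DNA Center release in use; the helper names and the optional credential-ID parameter are the author's.

```python
"""Added example (not part of the dCloud guide): submit the same IP-range
discovery that the GUI steps create, via the DNA Center Intent API.
Endpoint paths and body field names follow the public Intent API as the
author knows it; verify them against the docs for your DNA Center release."""
import base64
import ipaddress
import json
import ssl
import urllib.request
from typing import List, Optional

DNAC_URL = "https://100.64.0.101"   # DNA Center address from the topology table
NETCONF_PORT = 830                  # port the guide adds under the NETCONF tab


def build_discovery_request(name: str, ip_from: str, ip_to: str,
                            netconf_port: int = NETCONF_PORT,
                            credential_ids: Optional[List[str]] = None) -> dict:
    """Return the JSON body for POST /dna/intent/api/v1/discovery.

    Mirrors the GUI choices: discovery type Range (not a CDP walk), a
    from/to range, SSH first, NETCONF on 830.  Refuses loopback addresses,
    which the guide warns break the configuration, and a reversed range.
    credential_ids (hypothetical parameter) carries the IDs of the global
    CLI/SNMP credentials DNA Center should try; omit it to let the
    platform apply its defaults.
    """
    start = ipaddress.ip_address(ip_from)
    end = ipaddress.ip_address(ip_to)
    if start.is_loopback or end.is_loopback:
        raise ValueError("do not use a loopback address for discovery")
    if start.version != end.version or int(end) < int(start):
        raise ValueError("'to' must be in the same address family and >= 'from'")
    if not 1 <= netconf_port <= 65535:
        raise ValueError("NETCONF port out of range")
    body = {
        "name": name,
        "discoveryType": "Range",
        "ipAddressList": f"{start}-{end}",
        "protocolOrder": "ssh",
        "netconfPort": str(netconf_port),
    }
    if credential_ids:
        body["globalCredentialIdList"] = list(credential_ids)
    return body


def _post_json(url: str, body: Optional[dict], headers: dict, verify_tls: bool) -> dict:
    """POST JSON and decode the JSON reply (stdlib only, no third-party client)."""
    ctx = ssl.create_default_context()
    if not verify_tls:                      # only for the lab's self-signed cert
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method="POST",
                                 headers={"Content-Type": "application/json", **headers})
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


def get_token(base_url: str, username: str, password: str, verify_tls: bool = True) -> str:
    """Exchange basic-auth credentials for an X-Auth-Token at the auth endpoint."""
    cred = base64.b64encode(f"{username}:{password}".encode()).decode()
    reply = _post_json(f"{base_url}/dna/system/api/v1/auth/token", None,
                       {"Authorization": f"Basic {cred}"}, verify_tls)
    return reply["Token"]


def start_discovery(base_url: str, username: str, password: str,
                    body: dict, verify_tls: bool = True) -> Optional[str]:
    """Submit the discovery job; DNA Center answers with a task id to poll.

    Keep verify_tls=True outside the demo so the admin credentials are never
    sent to an endpoint whose certificate was not validated.
    """
    token = get_token(base_url, username, password, verify_tls)
    reply = _post_json(f"{base_url}/dna/intent/api/v1/discovery", body,
                       {"X-Auth-Token": token}, verify_tls)
    return reply.get("response", {}).get("taskId")


if __name__ == "__main__":
    # The guide's values: discovery name WLC, range 100.64.0.7 to 100.64.0.7.
    request = build_discovery_request("WLC", "100.64.0.7", "100.64.0.7")
    print(json.dumps(request, indent=2))
    # Uncomment inside the demo session (self-signed certificate):
    # print(start_discovery(DNAC_URL, "admin", "C1sco12345", request, verify_tls=False))
```

    The body builder is kept separate from the HTTP calls so that the range and port validation can be exercised without a live DNA Center; the returned task id is what you would poll before clicking the equivalent of View Inventory.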




    Design and Deploy: Create Wireless Network

    SSIDs are attached to profiles, and profiles are attached to locations. Once the wireless network is created, you will notice there is a wireless profile in the Network Profiles section. If you go there and click the sites, you will see the area that we selected when we created the SSID.

    The combination of the SSID and the profile determines where the SSID is broadcast. We could have added more than one location when we added the network profile, to allow us to broadcast this SSID in multiple places.

    Enterprise Wireless Network

    Procedure

    1. In the top left of the dashboard, click the menu icon and then click Design > Network Settings.

    2. Under Network Settings, click Wireless.

    3. Go to the right side under SSID, hover your mouse over the + icon, and click Add to add the new wireless SSID.

    4. For Wireless Network Name (SSID), enter Employee-c9800-username, where username is your username. Click Next.

    5. Check the Fast Lane check box, then click Configure AAA and select the ISE server.

    6. Click Configure.

    7. Click the light blue Next icon in the lower right corner.

    8. Click Next again on the Advanced Settings section.

    9. Associate the SSID with the prebuilt Wireless Profile named “Bay-Area.” Click it. As you can see, DNA Center has the management interface set up by default; nevertheless, we are adding a trunk interface for this SSID's traffic to come out of. Click the Plus (+) icon under Interface.

    10. For sanity, and in order to have an aligned configuration, use the following VLAN name and number:

       1. Interface Name: vlan128
       2. VLAN ID: 128

    11. Click Save.

    12. The proper VLAN interface displays after saving. Click Associate Profile.

    13. Click the light blue Next icon in the lower right corner. Validate the Summary of the wireless SSID you built and click Save.

    14. Click to return to Wireless Home.


    Guest Wireless Network

    Procedure

    1. Go to the right side under SSID, hover your mouse over the + icon, and click Add to add the new wireless SSID.

    2. For Wireless Network Name (SSID), enter Guest-c9800-username, where username is your username. Click Next.

    3. Check the Fast Lane check box, then click Configure AAA and select the ISE server.

    4. Click Configure.

    5. Under the Authentication Server section, you can select either “Self-Registered” or “HotSpot” as the type of portal you are creating. The only difference is what you see when testing wireless: with a hotspot portal you get a portal link where you must follow the prompts, click OK for registration, and connect to the Internet as a guest user. This time we leave it as Self-Registered. Either choice achieves the main goal. Click Next in the lower right corner.

    6. Click Next again on the Advanced Settings section.

    7. Associate the SSID with the prebuilt Wireless Profile named “Bay-Area.” Click it. As you can see, DNAC has the management interface set up by default; nevertheless, we add a trunk interface for this SSID's traffic to come out of. Click the Plus (+) icon under Interface.

    8. For sanity, and in order to have an aligned configuration, use the following VLAN name and number:

       1. Interface Name: vlan129
       2. VLAN ID: 129

    9. Click Save.

    10. The proper VLAN interface displays after saving. Click Associate Profile.

    11. Click Next.

    12. Here in the Portal Builder, you can customize the portal window that users see when connecting to the network: you can replace the logo, change the order, the wording, and so on.

    Note: When creating the Guest profile, you could, for example, customize it per vertical, with portals for doctor, visitor, nurse, and so on. If you are planning to do this ahead of time, be aware that DNAC does not read portals already created in ISE, no matter how many times you go through this same flow. You have to create the portal within this flow.

    13. On the left, under Portal Name (max 64 characters), type portal-one this time, then click Save.

    14. Review the Portal Settings and click Next.

    15. Review the Guest SSID and click Save.

    Now both the Employee and Guest SSIDs are successfully saved.


    Configure ISE Portal

    You need to configure the portal created in DNAC to be reached by IP address instead of by name; otherwise, when clients are redirected to the portal they will not be able to reach it.

    Procedure

    1. Open https://100.64.0.100 in a new browser tab. Log in using the admin and C1sco12345 credentials.

    Note: You can also establish a Cisco AnyConnect VPN connection and navigate locally based on the provided NAT address details.

    2. Click Policy > Results > Authorization > Authorization Profiles, then scroll down and click portal-one_Profile.

    3. Once you are in that profile, you are ready to set the static IP. Scroll down to the Common Tasks section, scroll through that list, and check the Static IP/Host name/FQDN box. Once the text box is displayed, type in 100.64.0.100.

    4. Click Save.


    Provisioning the C9800 Device

    Procedure

    1. From DNAC, select Provision > Network Devices > Inventory.

    2. After the device is fully synced, select the C9800-CL-One device and then select Actions > Provision > Provision Device.

    3. Click Choose a site.

    4. Select San Jose BLDG 13 – Floor 2.

    5. Click Save and then click Next.

    The Configuration section displays.

    6. Click Managing 1 Primary location(s).

    7. Check the Bay-Area check box and click Save.

    Managing 6 Primary Locations should be displayed this time.

    Note: The hierarchy of Area > Building > Floor is useful and necessary for managing network settings, devices, IP pools, fabric, and SSIDs in a controllable fashion. It allows for consistency at scale, while providing granular control when needed.

    8. Under Assign Interface, assign the following values to the interfaces.

       1. For vlan128, enter the following values.
          IP Address: 100.128.100.1
          Gateway IP Address: 100.128.100.254
          Subnet Mask: 24
       2. For vlan129, enter the following values.
          IP Address: 100.129.100.1
          Gateway IP Address: 100.129.100.254
          Subnet Mask: 24

    Important: DO NOT enable the Rolling Upgrade AP check box since it breaks the demo.

    9. Click Next three times until you see section 5, Summary.

    10. Accept the Fastlane configuration warning message.

    Notice all the interface configurations made in our network settings, and also the 2 SSIDs we created earlier under Design, with all their proper specifications.

    11. Click Deploy, and then click Apply.

    The provision operation starts.

    After 30 seconds, the device may be shown in the Inventory again.

    12. Verify that Last Sync Status is listed as Managed.

    It may take a minute or more to display.


    Provisioning the Access Point

    Procedure

    1. On the CL-9800-One tab, log back in using the username\sessionID credentials and confirm that the access point is fully operational.

    2. Verify that the access point under Inventory is listed as Managed in the Manageability column.

    Note: If the device does not display within five minutes, go to Actions > Inventory > Resync Device to push the C9800 to detect the access point.

    3. Check the AP check box under Device Name, and then select Actions > Provision > Provision Device.

    4. Click Choose a floor.

    5. Select San Jose BLDG 13 – Floor 1.

    6. Click Save.

    The floor is selected.

    7. Click Next.

    8. Verify that RF Profile is set to TYPICAL and then click Next.

    9. Verify the AP Summary, click Deploy, and click Apply.

    10. If a warning is displayed, click OK to reboot the AP.

    11. After the AP is fully provisioned, confirm that it is listed as Managed in the Manageability column. After checking that, we are ready to proceed with 802.1X authentication of clients on the wireless networks.


    Operate the Wireless Network

    At this point of the demo, we have discovered, designed, deployed, and provisioned our CL-9800 Wireless Controller and our access point.

    We have already prebuilt within DNAC the proper network settings, such as:

    • AAA

    • ISE Protocol

    • DNS

    • DHCP

    • NTP

    • SNMP

    • syslog servers

    • CLI credentials

    You can therefore confirm that Cisco DNA Center has been integrated with Identity Services Engine (ISE). You can review all these settings at Design > Network Settings > Network.

    Note: Once you log into the CL-9800 GUI, it might take up to two (2) minutes to fully load the main dashboard. After the initial load, navigation to other screens should load quickly. Preload the dashboard before customer presentations to avoid wait times during your demo. This performance behavior is being investigated further for the next release.

    Procedure

    1. On the CL-9800-One tab, log in using the username\session ID credentials. You can also use the public IP that is provided under your session details.

    2. On the main dashboard under Wireless LANs, click the number that was created within DNAC.

    3. Verify that the Guest and the Enterprise (Employee) SSIDs are created.

    4. Go back to the ISE link and log in using the admin\C1sco12345 credentials.

    5. Navigate to Administration > Identity Management, and click Identities.

    Under Identities, you see the Network Access Users already created within ISE; any of them can authenticate. For consistency, use the employee-one user identity for connections.

    6. On your mobile device, clear the web cache.

    7. Clear Personal Device Settings.

    8. Disconnect from any current network and connect to the Employee-c9800-username SSID, using the employee-one\C1sco12345 credentials.

    9. Accept any trust certificate on your device.

    Your device client should be displayed and authenticated as indicated.

    You can also click it and confirm that the device is on VLAN 128 and the proper subnet.

    See the client details in the 360 View on the CL-9800 side.

    10. You can enable application visibility by going to Monitoring > Services > Application Visibility, selecting the Applications tab, and then clicking click here.

    11. For the Employee SSID, select the Enable column and click Apply.

    After 3–5 minutes, you should be able to see Client\Applications Visibility.

    12. Jump into ISE, go to Context Visibility > Endpoints, and confirm that the client is successfully connected.

    13. Go to Operations > RADIUS > Live Logs to confirm that the authentication is successful.

    You can click the gadget to view the main authentication overview.

    Tip: You can also navigate to Assurance within DNAC and select the wireless client being authenticated to see further details about Client Health. This may take a bit longer to display telemetry data.

    14. Disconnect from any network on your phone and connect to the Guest-c9800-username SSID, using the acct1\C1sco12345 credentials. Accept any Use Policy on the Portal.

    Clients that are connected should appear in the CL-9800 main dashboard.

    15. Click each client and verify that they belong to the 100.129.100.x subnet on vlan129.

    16. Under Monitoring > Services > Local Profiling you can also confirm the specific device type classification.

    Note: Instead of the step above, you can simply look for the Client Device Types widget on the main dashboard.

    Note: You can check application visibility by enabling AVC on the Guest SSID. Under Monitoring > Services > Application Visibility you can switch to the specific SSID you want to see traffic from, or leave it at the default of All-SSID.

    17. Go to Operations > RADIUS > Live Logs to verify the authentication.
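    Steps 9 and 15 have you click each client and confirm it landed on VLAN 128 (Employee) or VLAN 129 (Guest) with an address in the matching subnet; a guest device sitting on the employee VLAN would mean the SSID-to-interface mapping from the Design section did not provision as intended. The Python below is an added example, not code from the dCloud guide or from Cisco: it encodes the guide's SSID-to-VLAN-to-subnet policy and reports every client whose VLAN or address disagrees with it. The client records are constructed to mimic what the 9800 client list and 360 View show; the field and helper names are the author's.

```python
"""Added example (not part of the dCloud guide): check that each wireless
client landed on the VLAN and subnet the guide expects for its SSID.  The
client records are constructed to mimic what the 9800 client list shows;
field and helper names are the author's."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Expected placement from the guide: SSID prefix -> (VLAN, subnet).  The
# SSID suffix is the demo user's name, so match on the prefix.
POLICY: Dict[str, Tuple[int, ipaddress.IPv4Network]] = {
    "Employee-c9800-": (128, ipaddress.ip_network("100.128.100.0/24")),
    "Guest-c9800-": (129, ipaddress.ip_network("100.129.100.0/24")),
}


@dataclass
class Client:
    mac: str
    username: str
    ssid: str
    vlan: int
    ip: str


def expected_placement(ssid: str) -> Optional[Tuple[int, ipaddress.IPv4Network]]:
    """Return (vlan, subnet) for an SSID, or None if the SSID is not in POLICY."""
    for prefix, placement in POLICY.items():
        if ssid.startswith(prefix):
            return placement
    return None


def check_client_placement(clients: List[Client]) -> List[Tuple[str, str]]:
    """Return (mac, problem) pairs for clients whose VLAN or address does not
    match the policy for their SSID.  An empty list means every client is
    where the guide expects it."""
    findings: List[Tuple[str, str]] = []
    for c in clients:
        placement = expected_placement(c.ssid)
        if placement is None:
            findings.append((c.mac, f"SSID {c.ssid!r} is not in the placement policy"))
            continue
        vlan, subnet = placement
        if c.vlan != vlan:
            findings.append((c.mac, f"on VLAN {c.vlan}, expected VLAN {vlan} for {c.ssid}"))
        if ipaddress.ip_address(c.ip) not in subnet:
            findings.append((c.mac, f"address {c.ip} is outside {subnet} for {c.ssid}"))
    return findings


# Constructed sample: two correctly placed clients and two that need a look.
SAMPLE_CLIENTS = [
    Client("00:11:22:33:44:01", "employee-one", "Employee-c9800-demo", 128, "100.128.100.17"),
    Client("00:11:22:33:44:02", "acct1", "Guest-c9800-demo", 129, "100.129.100.42"),
    # guest client that ended up on the employee VLAN and subnet
    Client("00:11:22:33:44:03", "acct1", "Guest-c9800-demo", 128, "100.128.100.31"),
    # client on an SSID the policy does not know about
    Client("00:11:22:33:44:04", "visitor", "Legacy-Open", 10, "10.10.10.5"),
]

if __name__ == "__main__":
    for mac, problem in check_client_placement(SAMPLE_CLIENTS):
        print(f"{mac}: {problem}")
```

    Feeding the same check with the controller's real client export turns the manual click-through into a repeatable verification; an SSID not present in POLICY is reported rather than silently ignored, so an unexpected network showing up in the dashboard is surfaced too.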

