Cisco Catalyst 9800 Series - IOS-XE

CONFIGURATION GUIDE

The purpose of this manual is to describe the configuration required on Cisco Catalyst 9800 controllers running IOS-XE software to integrate them with the Octopus Platform.

1- Pre-requisites

  • If there is a firewall in the network that might block the traffic, allow the following destinations so that user authentication can work:

    • Radius Servers:

      • Primary: <IP_Radius_1> 1812 and 1813 UDP ports

      • Secondary: <IP_Radius_2> 1812 and 1813 UDP ports

    • Splash Portal server: 

      • Domain <captive_portal_domain> 80 and 443 TCP ports

  • To use the Guest and Enterprise module configurations, the corresponding Octopus platform licences and modules must be contracted beforehand.

2- Guest module configuration

2.1 RADIUS Server

To configure the RADIUS servers go to Configuration > Security > AAA > Servers / Groups > RADIUS > Servers.

Once inside, click the Add button to add the new authentication servers and configure the following parameters. <Secret> is the shared secret agreed with the Octopus platform; it is the only thing that authenticates the controller to the RADIUS server and that protects the User-Password attribute on the wire, so use a long random value rather than a word.

  • Name:  octopus_radius1

  • IPv4 / IPv6 Server Address: <IP_Radius_1>

  • Key: <Secret>

  • Confirm key: <Secret>

  • Auth Port: 1812

  • Acct Port: 1813

  • Server Timeout: 

  • Retry Count: 2

  • Name: octopus_radius2

  • IPv4 / IPv6 Server Address: <IP_Radius_2>

  • Key: <Secret>

  • Confirm key: <Secret>

  • Auth Port: 1812

  • Acct Port: 1813

  • Server Timeout: 

  • Retry Count:

Servers Group

Create a server group containing the two RADIUS servers defined above. To do this go to AAA > Servers / Groups > Server Groups > RADIUS and create a new one:

  • Group Name: octopus_radiusgroup

  • Group type: RADIUS

  • MAC-delimiter: hyphen

  • MAC-filtering: none

  • Dead time: 2

  • Assigned Servers: select octopus_radius1 and octopus_radius2 and add them to the right quadrant

Method Lists

Next, go to AAA > AAA Method Lists > Authentication and add a new list with the following parameters:

  • Method List Name: octopus_methodauth

  • Type: login

  • Group Type: group

  • Fallback to local: disabled

  • Assigned Server Groups: select octopus_radiusgroup and add it to the right quadrant

In AAA > AAA Method Lists > Accounting, click Add and configure the following parameters:

  • Method List Name: octopus_methodacct

  • Type: network

  • Group type: Group

  • Groups In This Method: Select octopus_radiusgroup and add it to the right quadrant

AAA Advanced

In AAA > AAA Advanced > Global Config, click Show Advanced Settings and set the following for both Authentication and Accounting (these settings fix the format of the Called-Station-Id the Octopus platform receives, <AP base radio MAC>:<SSID> in lower case with hyphens):

  • Call Station ID: ap-macaddress-ssid

  • Call Station ID Case: lower

  • MAC-Delimiter: hyphen

Finally, to activate accounting for client sessions, add an identity accounting method list with the same name and enable interim updates from the CLI:

WLC# configure terminal

WLC(config)# aaa accounting identity octopus_methodacct start-stop group octopus_radiusgroup

WLC(config)# aaa accounting update periodic 10

2.2 WebAuth

Create a new WebAuth parameter map. Go to Configuration > Security > Web Auth > Webauth Parameter Map, click Add and configure the following parameters:

  • Parameter-map name: octopus_webauth

  • Maximum HTTP connection: 100

  • Init-State Timeout(secs): 300

  • Type: webauth

Edit the created entry and configure it in the General tab:

  • Banner Type: none

  • Turn-on Consent with Email: Disabled

  • Captive Bypass Portal: Disabled

  • Disable Success Window: Enabled

  • Disable Logout Window: Enabled

Advanced Tab: leave the defaults.

Then edit the global parameter map (Configuration > Security > Web Auth > Webauth Parameter Map > global):

  • Type: webauth

  • Virtual IPv4 Hostname: <domain associated with the certificate>

  • Webauth intercept HTTPs: Enabled (note: when a client's first request is an HTTPS page, the controller answers the TLS handshake for a hostname it holds no certificate for, so the browser shows a certificate warning before the redirect; only requests to port 80 redirect without a warning)

 

The domain associated with the certificate must resolve to the Virtual IP of the controller (Configuration > Security > Web Auth > Webauth Parameter Map > global > Virtual IPv4 Address). Use a certificate for that exact hostname issued by a CA that guest devices already trust: a self-signed or mismatched certificate makes every guest see a browser warning on the portal redirect, which trains users to click through such warnings.

Finally in Configuration > Security > Web Auth > Certificate, add a new certificate with the following data:

  • Server IP Address: <TFTP server IP>

  • Certificate File Path: <path>

  • Certificate destination File: <name of the certificate>.pfx

  • Certificate Password: <password>

In the CLI, execute:

WLC# configure terminal

WLC(config)# parameter-map type webauth global

WLC(config-params-parameter-map)# trustpoint <name of the certificate>

Restart the web server so the change takes effect:

WLC# configure terminal

WLC(config)# no ip http server

WLC(config)# ip http server

If the controller still does not present the correct certificate after this, a reload of the controller may be required.
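As an added check that is not part of the original guide, the following Python script verifies the conditions above from a client's point of view: that the certificate hostname resolves to the Virtual IPv4 Address, and that the certificate the controller presents for that hostname (sent as SNI, as a redirected browser would send it) chains to a trusted CA, matches the hostname in its SAN and has not expired. The hostname and virtual IP used are assumed values; the trust decision uses the trust store of the machine running the script, so run it from a device representative of your guests.

```python
import socket
import ssl
import time


def resolves_to_virtual_ip(hostname: str, virtual_ip: str) -> bool:
    """The certificate hostname must resolve, from the guest's resolver, to the
    controller's Virtual IPv4 Address; otherwise the redirect never reaches it."""
    answers = {info[4][0] for info in socket.getaddrinfo(hostname, 443, socket.AF_INET)}
    return virtual_ip in answers


def san_dns_names(cert: dict) -> list:
    """DNS entries of subjectAltName, in the dict form ssl.getpeercert() returns."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """Exact SAN match, or a wildcard covering exactly one leftmost label
    (RFC 6125 style). The CN is ignored, as modern browsers ignore it."""
    host = hostname.lower().rstrip(".")
    for name in san_dns_names(cert):
        name = name.lower()
        if name == host:
            return True
        if (name.startswith("*.") and host.count(".") == name.count(".")
                and host.endswith(name[1:])):
            return True
    return False


def days_until_expiry(cert: dict, now: float = None) -> float:
    """Days left on the certificate (negative once expired)."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return (not_after - (time.time() if now is None else now)) / 86400


def check_portal_cert(virtual_ip: str, hostname: str, timeout: float = 5) -> dict:
    """Connect to the Virtual IP with SNI = hostname, as a redirected guest browser
    does, and report the three things that produce a browser warning: untrusted
    chain, hostname mismatch, expiry. Chain trust is checked by the TLS library
    against the local trust store; the hostname is checked by hostname_matches()
    so that a name mismatch is reported separately instead of aborting the handshake."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False            # reported by hostname_matches() below
    ctx.verify_mode = ssl.CERT_REQUIRED   # a trusted chain is still required
    result = {"resolves": resolves_to_virtual_ip(hostname, virtual_ip)}
    try:
        with socket.create_connection((virtual_ip, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        result.update(trusted=False, error=str(exc))
        return result
    result.update(trusted=True, hostname_ok=hostname_matches(cert, hostname),
                  days_left=round(days_until_expiry(cert), 1), san=san_dns_names(cert))
    return result


if __name__ == "__main__":  # assumed values; replace with the controller's own
    print(check_portal_cert("192.0.2.1", "portal.example.com"))
```

If `trusted` is False the guests would see the warning described above; if `hostname_ok` is False the certificate was issued for a different name than the Virtual IPv4 Hostname; and `days_left` is worth alerting on, because an expired portal certificate breaks guest login outright.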

2.3 WLAN

This is where the Guest WLAN is created or edited. Go to Configuration > Tags & Profiles > WLANs. Press Add to add a new WLAN profile with the following parameters:

  • Profile Name: octopus_wlan

  • SSID: Name of the WiFi Network to be radiated.

  • Status: Enabled

  • Broadcast SSID: Enabled

 

Security > Layer2:

  • Layer 2 Security Mode: None (open SSID: the captive portal controls who gets network access, but traffic on this WLAN is not encrypted over the air)

Security > Layer3:

  • Web Policy: Enabled

  • Web Auth Parameter Map: octopus_webauth (Previously created)

  • Authentication List: octopus_methodauth (Previously created)

2.4 URL Filter

For the user validation process to work, clients must be able to reach certain domains before they have authenticated, so a pre-authentication URL filter must be created. Go to Security > URL Filters and add a new one with the following parameters:

  • Name: octopus_urlfilter

  • Type: PREAUTH

  • Action: permit

  • URLs: the domains the splash portal needs before login, at minimum the Splash Portal domain <captive_portal_domain> listed in the pre-requisites. Keep this list as short as possible: anything permitted here is reachable by unauthenticated clients.

If the APs are managed in FlexConnect mode, this configuration is not necessary.

2.5 Policy

At this point the Guest WiFi policy profile is created or edited. Go to Configuration > Tags & Profiles > Policy. Press Add to add a new policy profile with the following parameters:

General Tab:

  • Name: octopus_policy

  • Status: Enabled

  • Central Switching: depending on the network design (central or local switching)

  • Central Authentication: Enabled

  • Central DHCP: depending on the network design

  • Central Association: depending on the network design

Access Policies Tab

  • VLAN > VLAN/VLAN Group: depending on whether Central Switching has been selected, select the VLAN or type its ID.

  • URL Filters: octopus_urlfilter (Previously created)

 

Advanced Tab

  • Idle Timeout: 600

  • Allow AAA Override: Enabled (required so that attributes returned by the RADIUS server, such as the Access Profile attributes of section 3.4, are applied to the session)

  • Accounting List: octopus_methodacct (Previously created)

 

2.6 Tags

Once the profiles have been created, they must be bound to the Tags that will later be applied to the Access Points. Go to Configuration > Tags & Profiles > Tags > Policy and click Add.

  • Name: octopus_tagpolicy

  • WLAN-Policy: Add

    • WLAN Profile: octopus_wlan (Previously created)

    • Policy Profile: octopus_policy (Previously created)

2.7 FlexConnect configuration (optional)

If the APs are configured in FlexConnect mode, go to Configuration > Tags & Profiles > Flex and click Add. Within the configuration:

General Tab

  • Name: octopus_flex

  • Native VLAN ID: Add the ID of the native VLAN applied to the AP

VLAN

  • Click Add and create the VLAN or VLANs of the networks that the Access Point will radiate, with their associated IDs.

Later inside Configuration > Tags & Profiles > Tags > Site, click Add:

  • Name: octopus_sitetag

  • Enable Local Site: Disabled

  • Flex Profile: octopus_flex (Previously created)

2.8 Deploy configuration in Access Point

In Configuration > Wireless > Access Points, open each Access Point that should receive the configuration and, in the Tags section, configure:

  • Policy: octopus_tagpolicy (Previously created)

  • Site: octopus_sitetag (Previously created)

 

2.9 Other configurations

Finally, some settings are needed for the service to work correctly.

In the configuration interface at Administration > HTTP/HTTPS/Netconf check the following parameters:

  • HTTP Access: Enabled (needed so that a client's first plain-HTTP request can be intercepted and redirected to the portal)

  • HTTPS Access: Enabled

Both services also serve the controller's management GUI, so restrict who can reach them according to your management-plane access policy.

 

2.10 Authorized MAC Addresses

For user validation to work properly, the Octopus platform must know which NAS devices are allowed to send authentication requests to the RADIUS server. In this case, the Base Radio MAC of the Access Points at each Location must be added to the Octopus platform.

  • Check it in Monitoring > AP Statistics > Join Statistics, column Base Radio MAC
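As an added example (not part of the Octopus guide or of Cisco's software), the following Python script exercises the RADIUS dependencies of sections 1, 2.1 and 2.10 from the outside: it builds an Access-Request the way the controller does with the AAA Advanced settings (Called-Station-Id as <AP base radio MAC>:<SSID>, lower case, hyphen delimiter), hides the User-Password with the shared secret as RFC 2865 requires, adds a Message-Authenticator, and checks the Response Authenticator of the reply with the same secret. A verified reply proves that udp/1812 is open and that <Secret> matches on both sides; a timeout points at the firewall rule of section 1; an authenticator mismatch means the secrets differ. The server address, secret, MAC addresses and SSID in the script are assumptions.

```python
import hashlib
import hmac
import os
import socket
import struct

# RADIUS codes and attribute types used below (RFC 2865, RFC 3579)
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
CALLED_STATION_ID, CALLING_STATION_ID, MESSAGE_AUTHENTICATOR = 30, 31, 80
CODE_NAMES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}


def format_mac(mac: str) -> str:
    """Lower-case, hyphen-delimited MAC ('aa-bb-cc-dd-ee-ff'): the Call Station
    ID Case = lower / MAC-Delimiter = hyphen settings of section 2.1."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def called_station_id(base_radio_mac: str, ssid: str) -> str:
    """Called-Station-Id for Call Station ID = ap-macaddress-ssid: the AP Base
    Radio MAC of section 2.10, a colon, and the SSID."""
    return f"{format_mac(base_radio_mac)}:{ssid}"


def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous
    ciphertext block), seeded by the Request Authenticator. Only the shared
    secret protects the password, which is why <Secret> must be long and random."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def attr(kind: int, value: bytes) -> bytes:
    """One attribute: Type, Length (including this 2-byte header), Value."""
    return struct.pack("!BB", kind, len(value) + 2) + value


def build_access_request(secret: bytes, username: str, password: str, nas_ip: str,
                         client_mac: str, base_radio_mac: str, ssid: str,
                         ident: int = 1, authenticator: bytes = b"") -> bytes:
    """Access-Request for a PAP web-auth login, with Message-Authenticator
    (HMAC-MD5 keyed by the secret over the packet with its own value zeroed,
    RFC 3579 3.2)."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, pap_encrypt(password.encode(), secret, authenticator))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(CALLING_STATION_ID, format_mac(client_mac).encode())
             + attr(CALLED_STATION_ID, called_station_id(base_radio_mac, ssid).encode())
             + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator
    digest = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + digest  # Message-Authenticator is the last attribute


def make_response(secret: bytes, request: bytes, code: int, attrs: bytes = b"") -> bytes:
    """Reply as a server that knows the secret builds it (RFC 2865 3): Response
    Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret). Only used
    here to simulate the Octopus RADIUS server offline."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def verify_response(secret: bytes, request: bytes, response: bytes) -> str:
    """Return the reply's code name, or raise if it was not produced with our
    secret (<Secret> differs between controller and server, or a forged reply)."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        raise ValueError("reply does not match request (length/identifier)")
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    return CODE_NAMES.get(code, f"code {code}")


def probe(host: str, port: int, secret: bytes, **request_fields) -> str:
    """One Access-Request: a verified reply proves the UDP path and the shared
    secret; a timeout points at the firewall rule of section 1 or a down server."""
    request = build_access_request(secret, **request_fields)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(5)
        sock.sendto(request, (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout (udp/1812 blocked or server down)"
    return verify_response(secret, request, reply)


if __name__ == "__main__":  # all values here are assumptions; replace with yours
    print(probe("192.0.2.10", 1812, b"<Secret>", username="probe@example.org",
                password="probe", nas_ip="192.0.2.1", client_mac="00:11:22:33:44:55",
                base_radio_mac="AA:BB:CC:DD:EE:FF", ssid="Guest"))
```

Run it from a host on the controller's management subnet so that the path tested is the one the WLC actually uses; an Access-Reject is still a good outcome here, since it proves reachability and the shared secret. make_response() exists only so the verification logic can be exercised without a server.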

3 - Enterprise module configuration

To integrate the configurations of this module with the platform, the Octopus Platform Enterprise Module must be contracted.

3.1 Captive portal + MAC Authentication configuration

To activate MAC Authentication before validation in the captive portal, follow these steps:

In Configuration > Security > AAA > AAA Method Lists > Authorization, click the Add button and configure:

  • Method List Name: octopus_methodauthr

  • Type: network

  • Group type: Group

  • Groups In This Method: Select octopus_radiusgroup and add it to the right quadrant

In Configuration > Tags & Profiles > WLANs, edit the profile created for the guest WiFi (octopus_wlan):

Security > Layer2:

  • MAC Filtering: Enabled

  • Authorization List: octopus_methodauthr (Previously created)

Security > Layer 3 > Show Advanced Settings:

  • On MAC Filter Failure: Enabled (clients whose MAC address is unknown to the RADIUS server fall through to the captive portal instead of being rejected)

3.2 Mac Authentication

To create an SSID dedicated to validation by MAC Authentication, the RADIUS servers must first be configured: go to Configuration > Security > AAA > Servers / Groups > RADIUS > Servers and perform the configuration described in section 2.1 RADIUS Server.

Then go to the Configuration > Tags & Profiles > WLANs section and click add to add a new WLAN profile with the following parameters:

  • Profile Name: MAC_Auth

  • SSID: configure the SSID for example Mac_Auth_Guest

  • Status: Enabled

  • Broadcast SSID: Enabled

Security > Layer2:

  • Layer 2 Security Mode: None

Security > Layer3:

  • Web Policy: Enabled

  • Web Auth Parameter Map: octopus_webauth (previously created)

  • Authentication List: octopus_methodauth (previously created)

3.3 iPSK configuration

Some devices that connect to our networks, especially IoT devices, cannot authenticate with 802.1X and therefore connect with WPA-PSK. A single PSK shared by every device has an obvious weakness: anyone who obtains the key can connect, and rotating it means touching every device. Cisco's Identity PSK (iPSK, also called Multi-PSK) combines MAC filtering with a PSK returned by the RADIUS server, so each device or device group gets its own key that can be revoked individually. The MAC address itself is not a secret (it can be spoofed), so the per-device PSK remains the only real credential. To configure iPSK identification:

 

Cisco Catalyst 9800 Configuration

Go to Configuration > Tags & Profiles > WLANs and in the WLAN configuration go to Security > Layer2.

  • Layer 2 Security Mode: WPA+WPA2

  • MAC Filtering: Enabled

  • Authorization List: octopus_methodauthr (the Authorization List created in section 3.1)

  • WPA2 Policy: Enabled

  • MPSK: Enabled

  • Auth Key Mgmt: PSK Enabled

 

In Security > AAA:

  • Authentication List: octopus_methodauth (Previously created)

 

Octopus platform configuration > Access Profile

RADIUS attributes to configure:

  • cisco-av-pair = "psk-mode=ascii"

  • cisco-av-pair += "psk=<device PSK>"

The PSK travels as a plain string inside the Access-Accept (RADIUS only hides the User-Password attribute), so the path between the Octopus RADIUS servers and the controller must be protected, for example with IPsec or RADIUS over TLS, or at least must not cross untrusted networks.

It can be combined with a local policy on the controller with the attribute:

  • cisco-av-pair += "role=policyCisco9800"

 

3.4 Configuration of Access Profiles

Through the Octopus platform it is possible to configure a set of reply attributes for the Access-Accept packets, grouped in what is called an Access Profile. These Access Profiles activate functionalities on the Cisco Catalyst 9800. The standard RADIUS dictionary and the Cisco and Airespace vendor dictionaries are available; the following are some of the most useful attributes:

  • Airespace-Data-Bandwidth-Average-Contract, Airespace-Real-Time-Bandwidth-Average-Contract, Airespace-Data-Bandwidth-Burst-Contract, Airespace-Real-Time-Bandwidth-Burst-Contract

    Description: Downstream rate limits for the session (average and burst, for data and real-time traffic). It is necessary to configure all four. Upstream limits use the corresponding -Upstream variants of these attributes.

    Format: integer, in Kbps (kilobits per second)

  • Airespace-Guest-Role-Name

    Description: Assigns a QoS Role Name previously created on the Cisco Catalyst 9800.

    Format: string

  • Airespace-ACL-Name

    Description: Assigns an Access Control List previously created on the Cisco Catalyst 9800.

    Format: string

  • cisco-av-pair

    Description: Cisco attribute-value pair; a free-form string with many possibilities (for example the iPSK pairs of section 3.3). Several instances can be sent in one Access-Accept.

    Format: string

  • Reply-Message

    Description: Useful for troubleshooting, since it can carry identifiers of Octopus platform elements (access profile, access method, location, ...).

    Format: string

Example of an Access Profile configuration with the attributes explained above (screenshot not reproduced in this text).

QoS Role Name Assignment: although the rate-limit parameters can be sent directly from the RADIUS server, it is also possible to assign a QoS Role created on the controller, which the platform references with the Airespace-Guest-Role-Name attribute.

ACL Name Assignment: it is also possible to assign from the Octopus platform the ACL that applies to a specific user connected to the WLAN, with the Airespace-ACL-Name attribute. The ACL must exist on the controller under that name (Configuration > Security > ACL); note that this is a different object from the URL filter of section 2.4.
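To make the attribute formats of this section and of the iPSK pairs in section 3.3 concrete, here is an added Python example (not Octopus's or Cisco's code) that encodes a constructed Access Profile into RADIUS attributes as they appear on the wire (Airespace attributes are Vendor-Specific with vendor ID 14179; cisco-av-pair is Vendor-Specific vendor ID 9, type 1; Reply-Message is standard attribute 18) and decodes them back. The profile values (rates, role, ACL and PSK) are made up for illustration.

```python
import struct

VENDOR_CISCO, VENDOR_AIRESPACE = 9, 14179
REPLY_MESSAGE, VENDOR_SPECIFIC = 18, 26
CISCO_AVPAIR = 1  # Cisco VSA type carrying "name=value" strings

# Airespace VSA numbers and formats (as in the FreeRADIUS dictionary.airespace)
AIRESPACE = {
    "Airespace-ACL-Name": (6, "string"),
    "Airespace-Data-Bandwidth-Average-Contract": (7, "integer"),
    "Airespace-Real-Time-Bandwidth-Average-Contract": (8, "integer"),
    "Airespace-Data-Bandwidth-Burst-Contract": (9, "integer"),
    "Airespace-Real-Time-Bandwidth-Burst-Contract": (10, "integer"),
    "Airespace-Guest-Role-Name": (11, "string"),
}
AIRESPACE_BY_NUMBER = {num: (name, fmt) for name, (num, fmt) in AIRESPACE.items()}


def vsa(vendor: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific (26): Vendor-Id(4) + Vendor-Type(1) + Vendor-Length(1) + value."""
    body = struct.pack("!IBB", vendor, vendor_type, len(value) + 2) + value
    return struct.pack("!BB", VENDOR_SPECIFIC, len(body) + 2) + body


def encode_access_profile(profile: dict) -> bytes:
    """Encode a profile dict into the attribute section of an Access-Accept.
    'cisco-av-pair' is a list: each '+=' value in the Octopus UI is its own VSA."""
    out = b""
    for name, value in profile.items():
        if name == "Reply-Message":
            out += struct.pack("!BB", REPLY_MESSAGE, len(value) + 2) + value.encode()
        elif name == "cisco-av-pair":
            for pair in value:
                out += vsa(VENDOR_CISCO, CISCO_AVPAIR, pair.encode())
        elif name in AIRESPACE:
            num, fmt = AIRESPACE[name]
            raw = struct.pack("!I", int(value)) if fmt == "integer" else value.encode()
            out += vsa(VENDOR_AIRESPACE, num, raw)
        else:
            raise KeyError(f"unknown attribute {name}")
    return out


def decode_attributes(data: bytes) -> list:
    """Walk an attribute list and return (name, value) tuples, as the 9800 would
    interpret them; unknown attributes are kept with their raw bytes."""
    decoded, pos = [], 0
    while pos < len(data):
        kind, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute")
        value = data[pos + 2:pos + length]
        if kind == REPLY_MESSAGE:
            decoded.append(("Reply-Message", value.decode()))
        elif kind == VENDOR_SPECIFIC:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            vvalue = value[6:6 + vlen - 2]
            if vendor == VENDOR_CISCO and vtype == CISCO_AVPAIR:
                decoded.append(("cisco-av-pair", vvalue.decode()))
            elif vendor == VENDOR_AIRESPACE and vtype in AIRESPACE_BY_NUMBER:
                name, fmt = AIRESPACE_BY_NUMBER[vtype]
                decoded.append((name, struct.unpack("!I", vvalue)[0]
                                if fmt == "integer" else vvalue.decode()))
            else:
                decoded.append((f"VSA vendor={vendor} type={vtype}", vvalue))
        else:
            decoded.append((f"attr {kind}", value))
        pos += length
    return decoded


# Constructed Access Profile: downstream rate limit, QoS role, ACL, the iPSK
# pairs of section 3.3 and a Reply-Message for troubleshooting.
GUEST_PROFILE = {
    "Airespace-Data-Bandwidth-Average-Contract": 5000,
    "Airespace-Real-Time-Bandwidth-Average-Contract": 5000,
    "Airespace-Data-Bandwidth-Burst-Contract": 10000,
    "Airespace-Real-Time-Bandwidth-Burst-Contract": 10000,
    "Airespace-Guest-Role-Name": "guest_role",
    "Airespace-ACL-Name": "guest_acl",
    "cisco-av-pair": ["psk-mode=ascii", "psk=example-device-psk", "role=policyCisco9800"],
    "Reply-Message": "profile=guest;location=HQ",
}

if __name__ == "__main__":
    for name, value in decode_attributes(encode_access_profile(GUEST_PROFILE)):
        print(f"{name} = {value!r}")
```

Two things the decoded output makes visible: "+=" in the Octopus UI corresponds to one Vendor-Specific attribute per cisco-av-pair value, and the psk=... string is readable in the packet bytes, which is the reason the RADIUS path must be protected when iPSK is used.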