Wednesday, August 9, 2023

AAA configuration on the 9800 WLC

I’m on the fence as to whether the new 9800’s AAA configuration is easier or not, when compared to the AireOS controllers.

 

In this blog, I am creating the config for the new 9800 controllers.  Six WLANs – just to use for example’s sake.  We would never create this many in production!

 

We need to create RADIUS server instances.  I want to use ranges of ISE instances since groups of WLANs often use the same instances.

 

Instances 1-9 can be for CorpWiFi, MedGear and Voice WLANs

Instances 10-19 can be for BYOD and Contractor

Instances 20-29 can be for Guest.

 

This way when we want to add another auth&acct instance for CorpWiFi, we can just pick index 3 everywhere.  We can even use a template to deploy it as index 3 with DNAC in the future.  We can continue to recycle instances 1-9 for the same group of WLANs.  Same goes for the other groups of WLANs.

 

*note*  The 9800 does things differently than the 5508, where it had an accounting instance and an authentication instance.  The 9800’s config has the accounting and authorization as a combined configuration.  At least that’s my understanding.  I tried to make them separate, to no avail.

 

I am using a naming convention RADSER_AUTH_ACCT_X, (X=index number).  This convention initially came from the config translator, and I liked it so I kept it around.

 

radius server RADSER_AUTH_ACCT_1   <-- CorpWiFi, MedGear and Voice
 address ipv4 10.44.17.210 auth-port 1812 acct-port 1813
 key Secret_Key123
!
radius server RADSER_AUTH_ACCT_2   <-- CorpWiFi, MedGear and Voice
 address ipv4 10.155.214.39 auth-port 1812 acct-port 1813
 key Secret_Key123
!
radius server RADSER_AUTH_ACCT_11   <-- BYOD and Contractor
 address ipv4 10.151.6.102 auth-port 1812 acct-port 1813
 key Secret_Key123
!
radius server RADSER_AUTH_ACCT_12   <-- BYOD and Contractor
 address ipv4 10.224.5.4 auth-port 1812 acct-port 1813
 key Secret_Key123
!
radius server RADSER_AUTH_ACCT_21   <-- Guest
 address ipv4 10.224.5.6 auth-port 1812 acct-port 1813
 key Secret_Key123
!
radius server RADSER_AUTH_ACCT_22   <-- Guest
 address ipv4 10.224.5.6 auth-port 1812 acct-port 1813
 key Secret_Key123
!

>>>>> Now we group the RADIUS authorization and accounting into AAA Groups for simplicity<<<<<

 

aaa group server radius RAD_GRP_AUTH_ACCT_CorpWiFi   <-- This creates a group that does authentication and accounting
 server name RADSER_AUTH_ACCT_1
 server name RADSER_AUTH_ACCT_2
!
aaa group server radius RAD_GRP_AUTH_ACCT_MedGear
 server name RADSER_AUTH_ACCT_1
 server name RADSER_AUTH_ACCT_2
!
aaa group server radius RAD_GRP_AUTH_ACCT_Voice
 server name RADSER_AUTH_ACCT_1
 server name RADSER_AUTH_ACCT_2
!
aaa group server radius RAD_GRP_AUTH_ACCT_BYOD
 server name RADSER_AUTH_ACCT_11
 server name RADSER_AUTH_ACCT_12
!
aaa group server radius RAD_GRP_AUTH_ACCT_Contractor
 server name RADSER_AUTH_ACCT_11
 server name RADSER_AUTH_ACCT_12
!
aaa group server radius RAD_GRP_AUTH_ACCT_SHGuestNet
 server name RADSER_AUTH_ACCT_21
 server name RADSER_AUTH_ACCT_22
!

 

Now we create the 802.1X authentication method lists, using the DOT1X_AUTH_CorpWiFi nomenclature for simplicity, and point each one at the similarly named RADIUS auth & accounting group. The guest WLAN does not use 802.1X, so its list is an authorization network list (MAB_AUTH_SHGuestNet) pointing at the same kind of group.

 

aaa authentication dot1x DOT1X_AUTH_CorpWiFi group RAD_GRP_AUTH_ACCT_CorpWiFi
aaa authentication dot1x DOT1X_AUTH_MedGear group RAD_GRP_AUTH_ACCT_MedGear
aaa authentication dot1x DOT1X_AUTH_Voice group RAD_GRP_AUTH_ACCT_Voice
aaa authentication dot1x DOT1X_AUTH_BYOD group RAD_GRP_AUTH_ACCT_BYOD
aaa authentication dot1x DOT1X_AUTH_Contractor group RAD_GRP_AUTH_ACCT_Contractor
aaa authorization network MAB_AUTH_SHGuestNet group RAD_GRP_AUTH_ACCT_SHGuestNet
!

Now we create the accounting method lists, using the ACCT_LIST_POL_PROF_CorpWiFi nomenclature for simplicity, and point each one at the same RADIUS auth & accounting group. Why POL_PROF in the nomenclature? Because the accounting list is referenced in the WLAN's policy profile, not in the WLAN config itself.

 

aaa accounting identity ACCT_LIST_POL_PROF_CorpWiFi start-stop group RAD_GRP_AUTH_ACCT_CorpWiFi   <-- see how we are re-using this group, instead of creating all new config lines
aaa accounting identity ACCT_LIST_POL_PROF_MedGear start-stop group RAD_GRP_AUTH_ACCT_MedGear
aaa accounting identity ACCT_LIST_POL_PROF_Voice start-stop group RAD_GRP_AUTH_ACCT_Voice
aaa accounting identity ACCT_LIST_POL_PROF_BYOD start-stop group RAD_GRP_AUTH_ACCT_BYOD
aaa accounting identity ACCT_LIST_POL_PROF_Contractor start-stop group RAD_GRP_AUTH_ACCT_Contractor
aaa accounting identity ACCT_LIST_POL_PROF_SHGuestNet start-stop group RAD_GRP_AUTH_ACCT_SHGuestNet
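As an added illustration (not code from the post), a short Python script that generates the radius server, aaa group and method-list lines from the index-range scheme described above, and then checks that every authentication/authorization/accounting list points at the RADIUS group belonging to its own WLAN, which is the kind of copy-paste slip that would quietly send one WLAN's RADIUS traffic to another WLAN's ISE instances. It emits dot1x lists for every WLAN (the post's guest WLAN uses a MAB authorization list instead), and the shared secret is a placeholder.

```python
# Constructed inputs mirroring the post: index ranges per WLAN family and the
# ISE instance at each index (addresses are the ones used in the post).
FAMILIES = {
    (1, 9): ["CorpWiFi", "MedGear", "Voice"],
    (10, 19): ["BYOD", "Contractor"],
    (20, 29): ["SHGuestNet"],
}
SERVERS = {1: "10.44.17.210", 2: "10.155.214.39", 11: "10.151.6.102",
           12: "10.224.5.4", 21: "10.224.5.6", 22: "10.224.5.6"}

def wlans_for_index(index):
    """WLAN names that share RADIUS server index `index` under the range scheme."""
    for (lo, hi), wlans in FAMILIES.items():
        if lo <= index <= hi:
            return wlans
    raise ValueError(f"index {index} is outside every defined range")

def build_config(key="PLACEHOLDER_KEY"):  # placeholder secret, not a real key
    """Emit radius server, aaa group and method-list lines in the post's naming style."""
    out = []
    for idx, ip in sorted(SERVERS.items()):
        out += [f"radius server RADSER_AUTH_ACCT_{idx}",
                f" address ipv4 {ip} auth-port 1812 acct-port 1813", f" key {key}", "!"]
    for wlans in FAMILIES.values():
        for wlan in wlans:
            grp = f"RAD_GRP_AUTH_ACCT_{wlan}"
            out.append(f"aaa group server radius {grp}")
            out += [f" server name RADSER_AUTH_ACCT_{i}"
                    for i in sorted(SERVERS) if wlan in wlans_for_index(i)]
            out += ["!", f"aaa authentication dot1x DOT1X_AUTH_{wlan} group {grp}",
                    f"aaa accounting identity ACCT_LIST_POL_PROF_{wlan} start-stop group {grp}"]
    return "\n".join(out)

def find_mismatches(config_text):
    """Return (list_name, group_name) pairs whose WLAN suffixes differ: a method
    list that would send one WLAN's RADIUS traffic to another WLAN's servers."""
    bad = []
    for line in config_text.splitlines():
        t = line.split()
        if (len(t) >= 5 and t[0] == "aaa" and t[-2] == "group"
                and t[1] in ("authentication", "authorization", "accounting")):
            if t[3].rsplit("_", 1)[-1] != t[-1].rsplit("_", 1)[-1]:
                bad.append((t[3], t[-1]))
    return bad

if __name__ == "__main__":
    print(build_config())
    print("mismatches:", find_mismatches(build_config()))
```

Paste a running-config excerpt into find_mismatches() to audit an existing controller the same way; it only looks at the aaa method-list lines.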

 

Now we reference the authentication group in the WLAN itself:

 

wlan CorpWiFi 1 CorpWiFi
 <output omitted>
 security dot1x authentication-list DOT1X_AUTH_CorpWiFi
 no shutdown

 

Now we reference the accounting group in the WLAN Profile Policy for CorpWiFi

 

wireless profile policy POL_PROF_CorpWiFi
 <output omitted>
 aaa-override
 accounting-list ACCT_LIST_POL_PROF_CorpWiFi
 description "Policy profile for CorpWiFi"
 no shutdown

 

I know it seems like a lot, but I chose six instances of ISE to help illustrate how things are grouped and mapped.

 

Do you think the old way was easier?  Which way do you think scales more?

 

 

