I’m on the fence as to whether the new 9800’s AAA configuration is easier or not, when compared to the AireOS controllers.
In this blog, I am creating the config for the new 9800 controllers. Six WLANs – just to use for example’s sake. We would never create this many in production!
We need to create RADIUS server instances. I want to use ranges of ISE instances since groups of WLANs often use the same instances.
Instances 1-9 can be for CorpWiFi, MedGear and Voice WLANs
Instances 10-19 can be for BYOD and Contractor
Instances 20-29 can be for Guest.
This way when we want to add another auth&acct instance for CorpWiFi, we can just pick index 3 everywhere. We can even use a template to deploy it as index 3 with DNAC in the future. We can continue to recycle instances 1-9 for the same group of WLANs. Same goes for the other groups of WLANs.
*note* The 9800 does things differently than the 5508, where there was a separate accounting instance and authentication instance. On the 9800, the authentication and accounting settings for a server are one combined `radius server` configuration (the same entry carries both auth-port and acct-port). At least that's my understanding. I tried to make them separate, to no avail.
I am using a naming convention RADSER_AUTH_ACCT_X, (X=index number). This convention initially came from the config translator, and I liked it so I kept it around.
radius server RADSER_AUTH_ACCT_1      <- CorpWiFi, MedGear and Voice
 address ipv4 10.44.17.210 auth-port 1812 acct-port 1813
 key Secret_Key123
!
radius server RADSER_AUTH_ACCT_2      <- CorpWiFi, MedGear and Voice
 address ipv4 10.155.214.39 auth-port 1812 acct-port 1813
 key Secret_Key123
!
radius server RADSER_AUTH_ACCT_11     <- BYOD and Contractor
 address ipv4 10.151.6.102 auth-port 1812 acct-port 1813
 key Secret_Key123
!
radius server RADSER_AUTH_ACCT_12     <- BYOD and Contractor
 address ipv4 10.224.5.4 auth-port 1812 acct-port 1813
 key Secret_Key123
!
radius server RADSER_AUTH_ACCT_21     <- Guest
 address ipv4 10.224.5.6 auth-port 1812 acct-port 1813
 key Secret_Key123
!
radius server RADSER_AUTH_ACCT_22     <- Guest
 address ipv4 10.224.5.6 auth-port 1812 acct-port 1813
 key Secret_Key123
!
Now we group the RADIUS authentication and accounting servers into AAA server groups for simplicity. Each group does both authentication and accounting, because the server entries it contains do both.
aaa group server radius RAD_GRP_AUTH_ACCT_CorpWiFi
 server name RADSER_AUTH_ACCT_1
 server name RADSER_AUTH_ACCT_2
!
aaa group server radius RAD_GRP_AUTH_ACCT_MedGear
 server name RADSER_AUTH_ACCT_1
 server name RADSER_AUTH_ACCT_2
!
aaa group server radius RAD_GRP_AUTH_ACCT_Voice
 server name RADSER_AUTH_ACCT_1
 server name RADSER_AUTH_ACCT_2
!
aaa group server radius RAD_GRP_AUTH_ACCT_BYOD
 server name RADSER_AUTH_ACCT_11
 server name RADSER_AUTH_ACCT_12
!
aaa group server radius RAD_GRP_AUTH_ACCT_Contractor
 server name RADSER_AUTH_ACCT_11
 server name RADSER_AUTH_ACCT_12
!
aaa group server radius RAD_GRP_AUTH_ACCT_SHGuestNet
 server name RADSER_AUTH_ACCT_21
 server name RADSER_AUTH_ACCT_22
!
Now we create the 802.1X authentication lists, using the DOT1X_AUTH_CorpWiFi nomenclature for simplicity, and point each one at the similarly named RADIUS auth & accounting group. The guest WLAN gets a MAB authorization list (aaa authorization network) instead of a dot1x authentication list, pointed at its own group in the same way.
aaa authentication dot1x DOT1X_AUTH_CorpWiFi group RAD_GRP_AUTH_ACCT_CorpWiFi
aaa authentication dot1x DOT1X_AUTH_MedGear group RAD_GRP_AUTH_ACCT_MedGear
aaa authentication dot1x DOT1X_AUTH_Voice group RAD_GRP_AUTH_ACCT_Voice
aaa authentication dot1x DOT1X_AUTH_BYOD group RAD_GRP_AUTH_ACCT_BYOD
aaa authentication dot1x DOT1X_AUTH_Contractor group RAD_GRP_AUTH_ACCT_Contractor
aaa authorization network MAB_AUTH_SHGuestNet group RAD_GRP_AUTH_ACCT_SHGuestNet
!
Now we create the accounting lists, using the ACCT_LIST_POL_PROF_CorpWiFi nomenclature for simplicity, and point each one at the matching RADIUS auth & accounting group. Note that we re-use the same server groups here instead of creating a whole new set of config lines. Why POL_PROF in the nomenclature? Because the accounting list is referenced in the WLAN's policy profile, not in the WLAN config itself.
aaa accounting identity ACCT_LIST_POL_PROF_CorpWiFi start-stop group RAD_GRP_AUTH_ACCT_CorpWiFi
aaa accounting identity ACCT_LIST_POL_PROF_MedGear start-stop group RAD_GRP_AUTH_ACCT_MedGear
aaa accounting identity ACCT_LIST_POL_PROF_Voice start-stop group RAD_GRP_AUTH_ACCT_Voice
aaa accounting identity ACCT_LIST_POL_PROF_BYOD start-stop group RAD_GRP_AUTH_ACCT_BYOD
aaa accounting identity ACCT_LIST_POL_PROF_Contractor start-stop group RAD_GRP_AUTH_ACCT_Contractor
aaa accounting identity ACCT_LIST_POL_PROF_SHGuestNet start-stop group RAD_GRP_AUTH_ACCT_SHGuestNet
Now we reference the authentication list in the WLAN itself:
wlan CorpWiFi 1 CorpWiFi
 <output omitted>
 security dot1x authentication-list DOT1X_AUTH_CorpWiFi
 no shutdown
Now we reference the accounting list in the WLAN policy profile for CorpWiFi:
wireless profile policy POL_PROF_CorpWiFi
 <output omitted>
 aaa-override
 accounting-list ACCT_LIST_POL_PROF_CorpWiFi
 description "Policy profile for CorpWiFi"
 no shutdown
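Because every name in this scheme is derived from the same WLAN-to-index-range mapping, the whole thing can be generated rather than typed, and the generated (or a pasted running) config can be cross-checked so that no `server name` points at an undefined `radius server`, no method list points at an undefined group, and no list is accidentally pointed at another WLAN's group. The following is an added example written for this post, not the blog's or Cisco's own code: the index ranges follow the post, but the IP addresses, the shared-key placeholder and the `check_references` helper are constructed assumptions.

```python
"""Generate 9800-style RADIUS / AAA lines from the index-range scheme and
cross-check name references.  Added example; IPs and keys are placeholders."""
import re

# Constructed mapping: WLAN -> index range its RADIUS instances may use
# (1-9 Corp/MedGear/Voice, 10-19 BYOD/Contractor, 20-29 Guest, as in the post)
WLAN_GROUPS = {
    "CorpWiFi":   range(1, 10),
    "MedGear":    range(1, 10),
    "Voice":      range(1, 10),
    "BYOD":       range(10, 20),
    "Contractor": range(10, 20),
    "SHGuestNet": range(20, 30),
}
# Constructed ISE instances: index -> IPv4 (documentation addresses, not real)
ISE_SERVERS = {1: "192.0.2.11", 2: "192.0.2.12",
               11: "192.0.2.21", 12: "192.0.2.22",
               21: "192.0.2.31", 22: "192.0.2.32"}
# WLANs that use MAB (aaa authorization network) instead of a dot1x list
MAB_WLANS = {"SHGuestNet"}


def render_config(shared_key="<REPLACE-WITH-PER-SERVER-SECRET>"):
    """Emit radius server, aaa group, and method-list lines for the scheme."""
    lines = []
    for idx, ip in sorted(ISE_SERVERS.items()):
        lines += [f"radius server RADSER_AUTH_ACCT_{idx}",
                  f" address ipv4 {ip} auth-port 1812 acct-port 1813",
                  f" key {shared_key}", "!"]
    for wlan, idx_range in WLAN_GROUPS.items():
        members = [i for i in sorted(ISE_SERVERS) if i in idx_range]
        lines.append(f"aaa group server radius RAD_GRP_AUTH_ACCT_{wlan}")
        lines += [f" server name RADSER_AUTH_ACCT_{i}" for i in members]
        lines.append("!")
    for wlan in WLAN_GROUPS:
        grp = f"RAD_GRP_AUTH_ACCT_{wlan}"
        if wlan in MAB_WLANS:
            lines.append(f"aaa authorization network MAB_AUTH_{wlan} group {grp}")
        else:
            lines.append(f"aaa authentication dot1x DOT1X_AUTH_{wlan} group {grp}")
        lines.append(f"aaa accounting identity ACCT_LIST_POL_PROF_{wlan} "
                     f"start-stop group {grp}")
    return "\n".join(lines)


def check_references(config_text):
    """Return a list of problems found in a config text: group members that
    name an undefined radius server, method lists that name an undefined
    group, and lists whose WLAN suffix differs from their group's suffix
    (the classic copy-paste mistake when cloning six near-identical lines)."""
    servers = set(re.findall(r"^radius server (\S+)", config_text, re.M))
    groups = set(re.findall(r"^aaa group server radius (\S+)", config_text, re.M))
    problems = []
    for name in re.findall(r"^ server name (\S+)", config_text, re.M):
        if name not in servers:
            problems.append(f"group references undefined radius server {name}")
    list_re = (r"^aaa (?:authentication dot1x|authorization network|"
               r"accounting identity) (\S+) (?:start-stop )?group (\S+)")
    for list_name, grp in re.findall(list_re, config_text, re.M):
        if grp not in groups:
            problems.append(f"{list_name} references undefined group {grp}")
        elif list_name.rsplit("_", 1)[-1] != grp.rsplit("_", 1)[-1]:
            problems.append(f"{list_name} points at {grp}: WLAN suffix mismatch")
    return problems


if __name__ == "__main__":
    cfg = render_config()
    print(cfg)
    print("problems:", check_references(cfg) or "none")
```

Running the generator and then the checker against its own output is the easy case; the useful one is pasting a `show running-config | section radius|aaa` capture into `check_references` after hand edits. The checker keys on the naming convention (the WLAN name is the last `_`-separated token of both the list and the group), so it only works if that convention is followed consistently, which is exactly the point of the convention.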
I know it seems like a lot, but I chose six instances of ISE to help illustrate how things are grouped and mapped.
Do you think the old way was easier? Which way do you think scales more?