Saturday, May 6, 2017

Configuring Device Profile and Local Policy on a Cisco WLC

Channels in the 2.4-GHz ISM Band

In the 2.4-GHz ISM band, the frequency space is divided up into 14 channels, numbered 1 through 14. With the exception of channel 14, the channels are spaced 5 MHz apart.

IEEE 802.11 Channel Layout in the 2.4-GHz Band

Channel        Frequency (GHz)
     1              2.412

     2             2.417

     3             2.422

     4             2.427

     5             2.432

     6             2.437

     7            2.442

     8            2.447

    9             2.452

   10           2.457

   11           2.462

  12           2.467

  13           2.472

  14          2.484


Channels in the 5-GHz U-NII Bands

Recall that the 5-GHz band is organized as four separate, smaller bands: U-NII-1, U-NII-2, U-NII-2 Extended, and U-NII-3. The bands are all divided into channels that are 20 MHz apart.

IEEE 802.11 Channel Layout in the 5-GHz Bands

Band            Channel        Frequency (GHz)

U-NII-1            36        5.180
                         40        5.200
                         44        5.220
                         48        5.240

U-NII-2            52        5.260
                         56        5.280
                         60        5.300
                         64        5.320

U-NII-2 Extended    100        5.500
                         104        5.520
                         108        5.540
                         112        5.560
                         116        5.580
                         120        5.600
                         124        5.620
                         128        5.640
                         132        5.660
                         136        5.680
                         140        5.700
          
U-NII-3            149        5.475
                         153        5.765
                         157        5.785
                         161        5.805


There's a feature on a Cisco WLC (started on version 7.5) where you can profile wireless devices and enforce a local policy. It's like running a mini version of Cisco ISE on a WLC. My lab WLC is running 8.0 and it has 156 built-in profiles . These can be verified using the show sysinfo and show profiling policy summary command.

(Cisco Controller) >show sysinfo

Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 8.0.133.0
Bootloader Version............................... 1.0.16
Field Recovery Image Version..................... 1.0.0
Firmware Version................................. PIC 16.0
Build Type....................................... DATA + WPS
System Name...................................... WLC1
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.9.1.1279
IP Address....................................... 192.168.1.4
IPv6 Address..................................... ::
Last Reset....................................... Software reset
System Up Time................................... 0 days 0 hrs 6 mins 10 secs
System Timezone Location.........................
System Stats Realtime Interval................... 5
System Stats Normal Interval..................... 180
Configured Country............................... US  - United States
Operating Environment............................ Commercial (0 to 40 C)
Internal Temp Alarm Limits....................... 0 to 65 C
Internal Temperature............................. +34 C
External Temperature............................. +40 C
Fan Status....................................... 4300 rpm
State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 1
Number of Active Clients......................... 0
Burned-in MAC Address............................ 10:F3:11:A5:41:23
Maximum number of APs supported.................. 75
System Nas-Id....................................
WLC MIC Certificate Types........................ SHA1


Cisco Controller) >show profiling ?

policy         Display local device classification profile information.

oui-string     Display OUI String-Id information.

(Cisco Controller) >show profiling policy ?

summary        Display local device classification profile summary.

(Cisco Controller) >show profiling policy summary

Number of Builtin Classification Profiles: 156
ID   Name                                             Parent Min CM Valid
==== ================================================ ====== ====== =====
   0 Android                                            None     30   Yes
   1 Android-Amazon-Kindle                                 0     40   Yes
   2 Android-Asus                                          0     30   Yes
   3 Android-Google                                        0     40   Yes
   4 Android-HTC                                           0     40   Yes
   5 Android-LG                                            0     40   Yes
   6 Android-Micromax                                      0     40   Yes
   7 Android-Motorola                                      0     40   Yes
   8 Android-Motorola-Tablet                               7     40   Yes
   9 Android-Nook                                          0     40   Yes
  10 Android-Samsung                                       0     40   Yes
  11 Android-Samsung-Galaxy-Note                          10     40   Yes
  12 Android-Samsung-Galaxy-Phone                         10     40   Yes
  13 Android-Samsung-Galaxy-Tablet                        10     40   Yes
  14 Android-Sony-Ericsson                                 0     40   Yes
  15 Android-Sony-Ericsson-Phone                          14     40   Yes
  16 Android-Sony-Ericsson-Tablet                         14     40   Yes
  17 Apple-Device                                       None     10   Yes
  18 Apple-MacBook                                        17     20   Yes
  19 Apple-iPad                                           17     20   Yes
  20 Apple-iPhone                                         17     20   Yes
  21 Apple-iPod                                           17     20   Yes
  22 Apple-iPod-3                                         21     10   Yes
  23 Aruba-Device                                       None     10   Yes
  24 Aruba-AP                                             23     20   Yes
  25 Avaya-Device                                       None     10   Yes
  26 Avaya-IP-Phone                                       25     20   Yes
  27 Axis-Device                                        None     10   Yes
  28 BlackBerry                                         None     20   Yes
  29 Brother-Device                                     None     10   Yes
  30 Canon-Device                                       None     10   Yes
  31 Cisco-Device                                       None     10   Yes
  32 Cisco-Access-Point                                   31     10   Yes
  33 Cisco-AP-Aironet-1130                                32     30   Yes
  34 Cisco-AP-Aironet-1240                                32     30   Yes
  35 Cisco-DMP                                            31     20   Yes
  36 Cisco-DMP-4305                                       35     70   Yes
  37 Cisco-DMP-4310                                       35     70   Yes
  38 Cisco-DMP-4400                                       35     70   Yes
  39 Cisco-IP-Phone                                       31     20   Yes
  40 Cisco-IP-Conference-Station-7935                     39     70   Yes
  41 Cisco-IP-Conference-Station-7936                     39     70   Yes
  42 Cisco-IP-Conference-Station-7937                     39     70   Yes
  43 Cisco-IP-Phone-7945G                                 39     70   Yes
  44 Cisco-IP-Phone-7975                                  39     70   Yes
  45 Cisco-IP-Phone-9971                                  39     70   Yes
  46 Linksys-Device                                       31     20   Yes
  47 LinksysWAP54G-Device                                 46     30   Yes
  48 Cisco_CIUS                                         None     10   Yes
  49 DLink-Device                                       None     10   Yes
  50 DLink-DAP-1522                                       49     20   Yes
  51 Draeger-Device                                     None     10   Yes
  52 Enterasys-Device                                   None     10   Yes
  53 Epson-Device                                       None     10   Yes
  54 HP-Device                                          None     10   Yes
  55 HP-JetDirect-Printer                                 54     30   Yes
  56 HP-TouchPad-Tablet                                   54     30   Yes
  57 HTC-Device                                         None     10   Yes
  58 HTC-Phone                                            57     20   Yes
  59 HTC-Windows-Phone                                    58     70   Yes
  60 Konica-Device                                      None     10   Yes
  61 Lexmark-Device                                     None     10   Yes
  62 Lexmark-Printer-E260dn                               61     30   Yes
  63 Microsoft-Device                                   None     10   Yes
  64 Microsoft-Surface-Tablet                             63    100   Yes
  65 Microsoft-Surface-RT-Tablet                          64    100   Yes
  66 XBOX360                                              63     20   Yes
  67 MotorolaMobile-Device                              None     10   Yes
  68 MotorolaDroid-Device                                 67     20   Yes
  69 Netgear-Device                                     None     10   Yes
  70 NintendoWII                                        None     10   Yes
  71 Nokia-Device                                       None     20   Yes
  72 Nokia-Smart-Phone                                    71     40   Yes
  73 Nokia-Windows-Phone                                  72     70   Yes
  74 Nortel-Device                                      None     10   Yes
  75 Nortel-IP-Phone-2000-Series                          74     20   Yes
  76 Nortel-Phone                                       None     10   Yes
  77 Philips-Device                                     None     10   Yes
  78 Polycom-Device                                     None     10   Yes
  79 RICOH-Device                                       None     10   Yes
  80 Samsung-Device                                     None     10   Yes
  81 Samsung-Phone                                        80     20   Yes
  82 Samsung-Windows-Phone                                81     70   Yes
  83 SonyPS3                                            None     10   Yes
  84 SymbianOS-Device                                   None     10   Yes
  85 Trendnet-Device                                    None     10   Yes
  86 Trendnet-Camera                                      85     20   Yes
  87 VMWare-Device                                      None     10   Yes
  88 Vizio-Device                                       None     10   Yes
  89 WYSE-Device                                        None     10   Yes
  90 Workstation                                        None     10   Yes
  91 ChromeBook-Workstation                               90     10   Yes
  92 FreeBSD-Workstation                                  90     10   Yes
  93 Linux-Workstation                                    90     10   Yes
  94 CentOS-Workstation                                   93     20   Yes
  95 Debian-Workstation                                   93     20   Yes
  96 Fedora-Workstation                                   93     20   Yes
  97 Gentoo-Workstation                                   93     20   Yes
  98 Kubuntu-Workstation                                  93     20   Yes
  99 LinuxMint-Workstation                                93     20   Yes
 100 Mandriva-Workstation                                 93     20   Yes
 101 OracleEnterpriseLinux-Workstation                    93     20   Yes
 102 PCLinuxOS-Workstation                                93     20   Yes
 103 RedHat-Workstation                                   93     20   Yes
 104 SUSE-Workstation                                     93     20   Yes
 105 Ubuntu-Workstation                                   93     20   Yes
 106 Xandros-Workstation                                  93     20   Yes
 107 Macintosh-Workstation                                90     10   Yes
 108 OS_X-Workstation                                    107     20   Yes
 109 OS_X_Leopard-Workstation                            108     30   Yes
 110 OS_X_Lion-Workstation                               108     30   Yes
 111 OS_X_Mavericks-Workstation                          108     30   Yes
 112 OS_X_MountainLion-Workstation                       108     30   Yes
 113 OS_X_SnowLeopard-Workstation                        108     30   Yes
 114 OS_X_Tiger-Workstation                              108     30   Yes
 115 Microsoft-Workstation                                90     10   Yes
 116 Vista-Workstation                                   115     20   Yes
 117 Windows7-Workstation                                115     20   Yes
 118 Windows8-Workstation                                115     20   Yes
 119 WindowsXP-Workstation                               115     20   Yes
 120 OpenBSD-Workstation                                  90     10   Yes
 121 Sun-Workstation                                      90     10   Yes
 122 Solaris-Workstation                                 121     20   Yes
 123 Xerox-Device                                       None     10   Yes
 124 Xerox-ColorQube-8700S                               123     30   Yes
 125 Xerox-ColorQube-8700XF                              123     30   Yes
 126 Xerox-ColorQube-8900X                               123     30   Yes
 127 Xerox-ColorQube-9302                                123     30   Yes
 128 Xerox-ColorQube-9303                                123     30   Yes
 129 Xerox-Phaser-6700DT                                 123     30   Yes
 130 Xerox-Printer-Phaser3250                            123     30   Yes
 131 Xerox-WorkCentre-5150                               123     30   Yes
 132 Xerox-WorkCentre-5325                               123     30   Yes
 133 Xerox-WorkCentre-5330                               123     30   Yes
 134 Xerox-WorkCentre-5335                               123     30   Yes
 135 Xerox-WorkCentre-5740                               123     30   Yes
 136 Xerox-WorkCentre-5745                               123     30   Yes
 137 Xerox-WorkCentre-5775                               123     30   Yes
 138 Xerox-WorkCentre-5845                               123     30   Yes
 139 Xerox-WorkCentre-5855                               123     30   Yes
 140 Xerox-WorkCentre-5865                               123     30   Yes
 141 Xerox-WorkCentre-5875                               123     30   Yes
 142 Xerox-WorkCentre-5890                               123     30   Yes
 143 Xerox-WorkCentre-6605DN                             123     30   Yes
 144 Xerox-WorkCentre-7125                               123     30   Yes
 145 Xerox-WorkCentre-7220                               123     30   Yes
 146 Xerox-WorkCentre-7225                               123     30   Yes
 147 Xerox-WorkCentre-7525                               123     30   Yes
 148 Xerox-WorkCentre-7530                               123     30   Yes
 149 Xerox-WorkCentre-7545                               123     30   Yes
 150 Xerox-WorkCentre-7765                               123     30   Yes
 151 Xerox-WorkCentre-7830                               123     30   Yes
 152 Xerox-WorkCentre-7835                               123     30   Yes
 153 Xerox-WorkCentre-7845                               123     30   Yes
 154 Xerox-WorkCentre-7855                               123     30   Yes
 155 Xerox-WorkCentre-Pro-245                            123     30   Yes



To configure device profiling on WLC, go to WLANs > click on a specific WLAN ID (SSID) > Advanced.
 


Tick DHCP Addr. Assignment under DHCP.
 


Tick DHCP Profiling and HTTP Profiling under Local Client Profiling > click Apply.
 


Connect a wireless device to the SSID. To view wireless devices associated to the SSID, go to Monitor > Clients.
 

Scroll further to the right and look under the last column Device Type.


You can use the show client summary devicetype command to view the same output in CLI.

(Cisco Controller) >show client ?

ap             Displays information for all clients on a Cisco AP.
calls          Displays call information.
ccx            Display Cisco Client Extension(CCX) diagnostic options.
detail         Displays detailed information for a client by mac address.
location-calibration Displays clients configured for location calibration
probing        Displays probing clients only
roam-history   Displays roam history information for a client by mac address.
state          Displays policy manager state information for client.
summary        Displays active clients.
tclas          Displays TCLAS associated with a client and User Priority
tsm            Displays traffic stream metrics for this client
username       Displays detailed information for a client by name.
voice-diag     Voice Diagnostics show commands
wifiDirect-stats Displays Wifi Direct client stats
wlan           Displays Clients in a given WLAN


(Cisco Controller) >show client summary ?
<ssid / ip / username / devicetype> Displays active clients selective details on anyone (OR) all of parameters <ssid, ip, username, devicetype> requested in any order.

(Cisco Controller) >show client summary devicetype

Number of Clients................................ 5

MAC Address       AP Name          Status        Device Type                   
----------------- ---------------- ------------- --------------------------------

60:45:bd:f3:b9:44 APf872.eaa6.e203  Associated   Microsoft-Workstation         
94:e9:79:e6:96:4d APf872.eaa6.e203  Associated   Microsoft-Workstation     // MY WIN 10 PC
d0:17:c2:4c:4a:ba APf872.eaa6.e203  Associated   Android                       
d0:25:98:90:1c:d9 APf872.eaa6.e203  Associated   Nortel-Phone                  
e4:ce:8f:23:c8:ac APf872.eaa6.e203  Associated   Apple-Device     // MY IPHONE6



To create a policy for the Profiled devices, go to Security > Local Policies > New.
 


Type a Policy Name (POLICY-MICROSOFT) > click Apply.
 


Click on the policy to edit.
 


Find Microsoft Workstation under Device Type drop-down option > click Add.
 


Configure the Action that will be enforced by the policy: ACL, VLAN ID, QoS Policy, Session Timeout and Sleeping Client Timeout. You can only Add up to 16 Device Type per policy. I've set the Action Session Timeout to 60 seconds for testing on wireless Windows machines and then click Apply.




Map the policy (POLICY-MICROSOFT) on a WLAN (LAB-WIFI), go to WLANs > click the WLAN ID.



Under Policy-Mapping tab > set the Priority Index (type 1) > click Add > click Apply.
 



I've connected my Windows machine to the SSID LAB-WIFI and it was profiled as a Microsoft-Workstation.

C:\Users\User>ipconfig

Windows IP Configuration

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Qualcomm Atheros QCA9377 Wireless Network Adapter
   Physical Address. . . . . . . . . : 94-E9-79-E6-96-4D
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::a026:ea0:2d87:a41%21(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.7(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Saturday, 8 April 2017 11:23:01 PM
   Lease Expires . . . . . . . . . . : Sunday, 9 April 2017 11:23:01 PM
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 1.1.1.1
   DHCPv6 IAID . . . . . . . . . . . : 127199609
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1F-DC-29-96-A8-1E-84-0B-6F-92
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled




Click on the Client MAC Addr to view more details and look for Local Policy Applied.



You can use the show client detail <MAC-ADDRESS> to view the same output in CLI.

(Cisco Controller) >show client ?

ap             Displays information for all clients on a Cisco AP.
calls          Displays call information.
ccx            Display Cisco Client Extension(CCX) diagnostic options.
detail         Displays detailed information for a client by mac address.
location-calibration Displays clients configured for location calibration
probing        Displays probing clients only
roam-history   Displays roam history information for a client by mac address.
state          Displays policy manager state information for client.
summary        Displays active clients.
tclas          Displays TCLAS associated with a client and User Priority
tsm            Displays traffic stream metrics for this client
username       Displays detailed information for a client by name.
voice-diag     Voice Diagnostics show commands
wifiDirect-stats Displays Wifi Direct client stats
wlan           Displays Clients in a given WLAN

(Cisco Controller) >show client detail ?

<MAC addr>     Enter a MAC address.

(Cisco Controller) >show client detail 94:e9:79:e6:96:4d
Client MAC Address............................... 94:e9:79:e6:96:4d
Client Username ................................. N/A
AP MAC Address................................... 0c:68:03:d7:bf:90
AP Name.......................................... APf872.eaa6.e203
AP radio slot Id................................. 1
Client State..................................... Associated
Client User Group................................
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 1
Wireless LAN Network Name (SSID)................. LAB-WIFI
Wireless LAN Profile Name........................ LAB-WIFI
Hotspot (802.11u)................................ Not Supported
BSSID............................................ 0c:68:03:d7:bf:9f
Connected For ................................... 40 secs
Channel.......................................... 149
IP Address....................................... 192.168.1.7
Gateway Address.................................. 192.168.1.1
Netmask.......................................... 255.255.255.0
IPv6 Address..................................... fe80::a026:ea0:2d87:a41
Association Id................................... 1
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Status Code...................................... 0
Session Timeout.................................. 60
Client CCX version............................... No CCX support
QoS Level........................................ Silver
Avg data Rate.................................... 0
Burst data Rate.................................. 0
Avg Real time data Rate.......................... 0
Burst Real Time data Rate........................ 0
802.1P Priority Tag.............................. disabled
CTS Security Group Tag........................... Not Applicable
KTS CAC Capability............................... No
WMM Support...................................... Enabled
  APSD ACs.......................................  BK  BE  VI  VO
Power Save....................................... OFF
Supported Rates.................................. 6.0,9.0,12.0,18.0,24.0,36.0,
    ............................................. 48.0,54.0
Mobility State................................... Local
Mobility Move Count.............................. 0
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
Audit Session ID................................. none
AAA Role Type.................................... none
Local Policy Applied............................. POLICY-MICROSOFT
IPv4 ACL Name.................................... none
FlexConnect ACL Applied Status................... Unavailable
IPv4 ACL Applied Status.......................... Unavailable
IPv6 ACL Name.................................... none
IPv6 ACL Applied Status.......................... Unavailable
Layer2 ACL Name.................................. none
Layer2 ACL Applied Status........................ Unavailable
mDNS Status...................................... Enabled
mDNS Profile Name................................ default-mdns-profile
No. of mDNS Services Advertised.................. 0
Policy Type...................................... N/A
Encryption Cipher................................ None
Protected Management Frame ...................... No
Management Frame Protection...................... No
EAP Type......................................... Unknown
Interface........................................ management
VLAN............................................. 0
Quarantine VLAN.................................. 0
Access VLAN...................................... 0
Local Bridging VLAN.............................. 0
Client Capabilities:
      CF Pollable................................ Not implemented
      CF Poll Request............................ Not implemented
      Short Preamble............................. Not implemented
      PBCC....................................... Not implemented
      Channel Agility............................ Not implemented
      Listen Interval............................ 1
      Fast BSS Transition........................ Not implemented
      11v Support................................ Not Supported
Client Wifi Direct Capabilities:
      WFD capable................................ No
      Manged WFD capable......................... No
      Cross Connection Capable................... No
      Support Concurrent Operation............... No
Fast BSS Transition Details:
Client Statistics:
      Number of Bytes Received................... 0
      Number of Bytes Sent....................... 0
      Total Number of Bytes Sent................. 0
      Total Number of Bytes Recv................. 0
      Number of Bytes Sent (last 90s)............ 240377
      Number of Bytes Recv (last 90s)............ 87463
      Number of Packets Received................. 0
      Number of Packets Sent..................... 0
      Number of Interim-Update Sent.............. 0
      Number of EAP Id Request Msg Timeouts...... 0
      Number of EAP Id Request Msg Failures...... 0
      Number of EAP Request Msg Timeouts......... 0
      Number of EAP Request Msg Failures......... 0
      Number of EAP Key Msg Timeouts............. 0
      Number of EAP Key Msg Failures............. 0
      Number of Data Retries..................... 0
      Number of RTS Retries...................... 0
      Number of Duplicate Received Packets....... 0
      Number of Decrypt Failed Packets........... 0
      Number of Mic Failured Packets............. 0
      Number of Mic Missing Packets.............. 0
      Number of RA Packets Dropped............... 0
      Number of Policy Errors.................... 0
      Radio Signal Strength Indicator............ Unavailable
      Signal to Noise Ratio...................... Unavailable
Client Rate Limiting Statistics:
      Number of Data Packets Received............ 0
      Number of Data Rx Packets Dropped.......... 0
      Number of Data Bytes Received.............. 0
      Number of Data Rx Bytes Dropped............ 0
      Number of Realtime Packets Received........ 0
      Number of Realtime Rx Packets Dropped...... 0
      Number of Realtime Bytes Received.......... 0
      Number of Realtime Rx Bytes Dropped........ 0
      Number of Data Packets Sent................ 0
      Number of Data Tx Packets Dropped.......... 0
      Number of Data Bytes Sent.................. 0
      Number of Data Tx Bytes Dropped............ 0
      Number of Realtime Packets Sent............ 0
      Number of Realtime Tx Packets Dropped...... 0
      Number of Realtime Bytes Sent.............. 0
      Number of Realtime Tx Bytes Dropped........ 0
Nearby AP Statistics:
      APf872.eaa6.e203(slot 0)
        antenna0: 99 secs ago.................... -42 dBm
        antenna1: 99 secs ago.................... -42 dBm
      APf872.eaa6.e203(slot 1)
        antenna0: 39 secs ago.................... -36 dBm
        antenna1: 39 secs ago.................... -38 dBm
DNS Server details:
      DNS server IP ............................. 0.0.0.0
      DNS server IP ............................. 0.0.0.0
Assisted Roaming Prediction List details:

Client Dhcp Required:     True
Allowed (URL)IP Addresses
-------------------------

AVC Profile Name: ............................... none



My Windows machine was disconnected after 60 seconds which was monitored from the continuous ping (Destination host unreachable).
 

No comments:

Post a Comment