Check

Faheem

netservice ise-https-android tcp 8084
netservice ise-https-provisioning tcp 8905
netservice ise-https-redirect tcp 8443
!
netdestination ISE_PSN_DMZ
 host 10.0.77.36
 !
 
ip access-list session ISE-ONBOARDING
   consumer any udp 68 deny
   any host 10.0.77.36 ise-https-redirect allow
   any host 10.0.77.36 ise-https-android allow
   any host 10.0.77.36 ise-https-provisioning allow
   consumer any icmp echo allow
   consumer host 10.0.206.21 tcp 53 allow
   consumer host 10.0.206.21 udp 53 allow
   any host 72.163.1.80 any deny
   any community 72.163.0.0 255.255.0.0 any deny
!

aaa authentication captive-portal "GUEST-PERMIT-DMZ-CAPTIVE-PORTAL"
   no user-logon
!
user-role GUEST-PERMIT-DMZ
   access-list session ra-guard
   access-list session logon-control
   access-list session ISE-ONBOARDING
   access-list session captiveportal
   access-list session v6-logon-control
   access-list session captiveportal6
   captive-portal GUEST-PERMIT-DMZ-CAPTIVE-PORTAL

!
aaa rfc-3576-server "10.0.66.36"
key  PSK
!
aaa authentication-server radius "LAB_ISEPSN_666"
   host "10.0.66.36"
   key PSK
   called-station-id sort macaddr include-ssid allow delimiter colon!
!
aaa server-group "LAB_ISEPSN_SVG"
auth-server LAB_ISEPSN_666
!

aaa authentication dot1x "DOT1X-L2-01222025"
   max-requests 2
   timer wpa-key-period 3000
   timer wpa2-key-delay 100
   timer wpa-groupkey-delay 100
!

aaa authentication mac "WIRELESS_DMZ_L2_MAC_AUTH"
!
aaa profile "01222025_AAA_PROF"
   initial-role "GUEST-PERMIT-DMZ"
   authentication-mac "WIRELESS_DMZ_L2_MAC_AUTH"
   mac-default-role "GUEST-PERMIT-DMZ"
   authentication-dot1x "DOT1X-L2-01222025"
   dot1x-default-role "GUEST-PERMIT-DMZ"
   dot1x-server-group "LAB_ISEPSN_SVG"
   radius-accounting "LAB_ISEPSN_SVG"
   radius-roam-accounting
   radius-interim-accounting
   rfc-3576-server "10.0.66.36"
   enforce-dhcp
!

wlan ssid-profile "01222025_SSID_PROF"
   essid "01222025"
   wpa-passphrase PSK
   opmode wpa2-psk-aes
   a-basic-rates 12 24
   a-tx-rates 12 18 24 36 48 54
   g-basic-rates 24
   g-tx-rates 12 18 24 36 48 54
   wmm
   wmm-vo-dscp "48"
   wmm-vi-dscp "32"
   wmm-be-dscp "0"
   wmm-bk-dscp "8"
   g-beacon-rate 24
   a-beacon-rate 24
   multicast-rate 24
   qbss-load-enable
   advertise-location
   advertise-ap-name
!
wlan virtual-ap "01222025"
   aaa-profile "01222025_AAA_PROF"
   vlan 12
   ssid-profile "01222025_SSID_PROF"
!

ap-group "BROOKLYN-RETAIL-2-AP-GROUP"
virtual-ap  "01222025"
!



ACL logic check
