version 3.4
hostname "GER1WLANMGT"
clock timezone  0
location "Building1.floor1" 
mms config 0
controller config 261
crypto-local pki ServerCert ger1wlanmgt ger1wlanmgtcert_key.pem
ip access-list eth validuserethacl
  permit any 
!
netservice svc-snmp-trap udp 162
netservice svc-smb-tcp tcp 445
netservice svc-ike udp 500
netservice svc-l2tp udp 1701
netservice svc-syslog udp 514
netservice svc-dhcp udp 67 68 alg dhcp
netservice svc-https tcp 443
netservice svc-pptp tcp 1723
netservice svc-telnet tcp 23
netservice svc-sccp tcp 2000 alg sccp
netservice svc-tftp udp 69 alg tftp
netservice svc-sip-tcp tcp 5060
netservice svc-kerberos udp 88
netservice svc-pop3 tcp 110
netservice svc-adp udp 8200
netservice svc-cfgm-tcp tcp 8211
netservice svc-noe udp 32512 alg noe
netservice svc-http-proxy3 tcp 8888
netservice svc-msrpc-tcp tcp 135 139
netservice svc-rtsp tcp 554 alg rtsp
netservice svc-dns udp 53 alg dns
netservice svc-vocera udp 5002 alg vocera
netservice svc-h323-tcp tcp 1720
netservice svc-h323-udp udp 1718 1719
netservice svc-http tcp 80
netservice svc-nterm tcp 1026 1028
netservice svc-sip-udp udp 5060
netservice svc-http-proxy2 tcp 8080
netservice svc-papi udp 8211
netservice svc-noe-oxo udp 5000 alg noe
netservice svc-ftp tcp 21 alg ftp
netservice svc-natt udp 4500
netservice svc-svp 119 alg svp
netservice svc-gre 47
netservice svc-smtp tcp 25
netservice svc-smb-udp udp 445
netservice svc-sips tcp 5061 alg sips
netservice svc-esp 50
netservice svc-bootp udp 67 69
netservice svc-snmp udp 161
netservice svc-v6-dhcp udp 546 547
netservice svc-icmp 1
netservice svc-ntp udp 123
netservice svc-msrpc-udp udp 135 139
netservice svc-ssh tcp 22
netservice svc-http-proxy1 tcp 3128
netservice svc-v6-icmp 58
netdestination Internal-Networks
  network 10.0.0.0 255.255.255.0
  network 192.168.0.0 255.255.0.0
  network 159.234.0.0 255.255.0.0
!
time-range night-hours periodic
 weekday 18:01 to  23:59
 weekday 00:00 to  07:59
!
time-range Business-Hours periodic
 weekday 08:00 to  20:00
!
time-range weekend periodic
 weekend 00:00 to  23:59
!
time-range working-hours periodic
 weekday 08:00 to  18:00
!
ip access-list session control
  user any udp 68 deny 
  any any svc-icmp permit 
  any any svc-dns permit 
  any any svc-papi permit 
  any any svc-cfgm-tcp permit 
  any any svc-adp permit 
  any any svc-tftp permit 
  any any svc-dhcp permit 
  any any svc-natt permit 
!
ip access-list session Associate-Policy
  any any any permit 
!
ip access-list session validuser
  any any any permit 
!
ip access-list session vocera-acl
  any any svc-vocera permit queue high 
!
ip access-list session icmp-acl
  any any svc-icmp permit 
!
ip access-list session captiveportal
  user   alias controller svc-https dst-nat 8081 
  user any svc-http dst-nat 8080 
  user any svc-https dst-nat 8081 
  user any svc-http-proxy1 dst-nat 8088 
  user any svc-http-proxy2 dst-nat 8088 
  user any svc-http-proxy3 dst-nat 8088 
!
ip access-list session allowall
  any any any permit 
!
ip access-list session https-acl
  any any svc-https permit 
!
ip access-list session sip-acl
  any any svc-sip-udp permit queue high 
  any any svc-sip-tcp permit queue high 
!
ip access-list session dns-acl
  any any svc-dns permit 
!
ip access-list session tftp-acl
  any any svc-tftp permit 
!
ip access-list session skinny-acl
  any any svc-sccp permit queue high 
!
ip access-list session srcnat
  user any any src-nat 
!
ip access-list session vpnlogon
  user any svc-ike permit 
  user any svc-esp permit 
  any any svc-l2tp permit 
  any any svc-pptp permit 
  any any svc-gre permit 
!
ip access-list session logon-control
  user any udp 68 deny 
  any any svc-icmp permit 
  any any svc-dns permit 
  any any svc-dhcp permit 
  any any svc-natt permit 
!
ip access-list session cplogout
  user   alias controller svc-https dst-nat 8081 
!
ip access-list session guest
!
ip access-list session http-acl
  any any svc-http permit 
!
ip access-list session dhcp-acl
  any any svc-dhcp permit 
!
ip access-list session noe-acl
  any any svc-noe permit queue high 
!
ip access-list session svp-acl
  any any svc-svp permit queue high 
  user host 224.0.1.116 any permit 
!
ip access-list session ap-acl
  any any svc-gre permit 
  any any svc-syslog permit 
  any user svc-snmp permit 
  user any svc-snmp-trap permit 
  user any svc-ntp permit 
!
ip access-list session h323-acl
  any any svc-h323-tcp permit queue high 
  any any svc-h323-udp permit queue high 
!
ipv6 access-list session v6-icmp-acl
  any any svc-v6-icmp permit 
!
ipv6 access-list session v6-https-acl
  any any svc-https permit 
!
ipv6 access-list session v6-dhcp-acl
  any any svc-v6-dhcp permit 
!
ipv6 access-list session v6-dns-acl
  any any svc-dns permit 
!
ipv6 access-list session v6-allowall
  any any any permit 
!
ipv6 access-list session v6-http-acl
  any any svc-http permit 
!
ipv6 access-list session v6-logon-control
  user any udp 68 deny 
  any any svc-v6-icmp permit 
  any any svc-v6-dhcp permit 
  any any svc-dns permit 
!
vpn-dialer default-dialer
  ike authentication PRE-SHARE 98231830d18eaa53b77f88455cea4bcc6f05ea2bb80f9ba1
!
user-role ap-role
 session-acl control
 session-acl ap-acl
!
user-role denyall
!
user-role Associate
 vlan 5
 session-acl Associate-Policy
!
user-role trusted-ap
 session-acl allowall
!
user-role GastZugang-guest-logon
 captive-portal "GastZugang-cp_prof"
 session-acl logon-control
 session-acl captiveportal
!
user-role default-vpn-role
 session-acl allowall
 ipv6 session-acl v6-allowall
!
user-role cpbase
!
user-role voice
 session-acl sip-acl
 session-acl noe-acl
 session-acl svp-acl
 session-acl vocera-acl
 session-acl skinny-acl
 session-acl h323-acl
 session-acl dhcp-acl
 session-acl tftp-acl
 session-acl dns-acl
 session-acl icmp-acl
!
user-role guest-logon
 captive-portal "default"
 session-acl logon-control
 session-acl captiveportal
!
user-role guest
 session-acl http-acl
 session-acl https-acl
 session-acl dhcp-acl
 session-acl icmp-acl
 session-acl dns-acl
 ipv6 session-acl v6-http-acl
 ipv6 session-acl v6-https-acl
 ipv6 session-acl v6-dhcp-acl
 ipv6 session-acl v6-icmp-acl
 ipv6 session-acl v6-dns-acl
!
user-role stateful-dot1x
!
user-role authenticated
 session-acl allowall
 ipv6 session-acl v6-allowall
!
user-role stateful
 session-acl control
!
user-role logon
 session-acl logon-control
 session-acl captiveportal
 session-acl vpnlogon
 ipv6 session-acl v6-logon-control
!
ip radius source-interface loopback
!

no spanning-tree
interface mgmt
	shutdown
!

interface loopback
	ip address 159.234.165.249
!

dialer group evdo_us
  init-string ATQ0V1E0
  dial-string ATDT#777
!

dialer group gsm_us
  init-string AT+CGDCONT=1,"IP","ISP.CINGULAR"
  dial-string ATD*99#
!

dialer group vivo_br
  init-string AT+CGDCONT=1,"IP","zap.vivo.com.br"
  dial-string ATD*99#
!



vlan 5 
vlan 900 


interface fastethernet 1/0
	description "fe1/0"
	trusted
	trusted vlan 1-4094
	switchport access vlan 5
	switchport trunk native vlan 900
	switchport trunk allowed vlan 900
!

interface gigabitethernet  1/1
	description "gig1/1"
	trusted
	trusted vlan 1-4094
	switchport access vlan 5
!

interface vlan 1
	shutdown
!

interface vlan 5
	ip address 159.234.165.248 255.255.254.0
!

interface vlan 900
	ip address 172.16.165.254 255.255.255.0
!

ip default-gateway 159.234.165.254

ap mesh-recovery-profile cluster RecoverywcewO6f9zktTMA63 wpa-hexkey bbe0c98d041a6592265241403b09939da793a23ce5ec6ca5f4563a9481dee10d50c5563a9c7e56c3c3c581ae204d134dddf5985b974a628a3f09344254577d1755427403445e55762ba3a8eefc7d9386
wms
 general poll-interval 60000
 general poll-retries 3
 general ap-ageout-interval 30
 general sta-ageout-interval 30
 general learn-ap disable
 general persistent-known-interfering enable
 general propagate-wired-macs enable
 general stat-update enable
 general collect-stats disable
!
localip 0.0.0.0 ipsec 0697a8c2e54b4be8184ff289720c80cae29d0b67a2cf0402

vpdn group l2tp
!

ip dhcp excluded-address 172.16.165.250 172.16.165.254
ip dhcp pool ger1_guest_pool
 default-router 172.16.165.254
 dns-server import
 lease 1 0 0
 netbios-name-server import
 network 172.16.165.0 255.255.255.0
 authoritative
!
service dhcp
ip dhcp default-pool private

!

syslocation "Frankfurt, Germany"
syscontact "HelpDesk@tupperware.com"
vpdn group pptp
!

mux-address 0.0.0.0

adp discovery enable
adp igmp-join enable
adp igmp-vlan 0

voip prioritization disable
voip rtcp-inactivity disable
voip sip-midcall-req-timeout disable


ssh mgmt-auth username/password 
mgmt-user GastAdmin guest-provisioning 0cc279ac0112b4b6661b6f93ceb8f0721bc68729f523e35fd3
mgmt-user admin root 7d44ded501ac78ed1bec99cc2fb65b758086dc519eac89e3e2

ntp server 159.234.248.13 


no database synchronize
database synchronize rf-plan-data

ip mobile domain default
!

ip igmp
!

no firewall attack-rate cp 1024

!
firewall cp

!
firewall cp
packet-capture-defaults tcp disable udp disable sysmsg disable other disable
!
ip domain lookup
!
country DE
aaa authentication mac "default"
!
aaa authentication dot1x "Associate-1X-profile"
   termination eap-type eap-peap
   termination inner-eap-type eap-mschapv2
!
aaa authentication dot1x "default"
!
aaa authentication-server radius "IND1RADIUS"
   host 159.234.55.24
   key 7457df3345938e051740d4d67a63100b20030f1faf3f664cbc9c5378a6c245c5
   nas-ip 159.234.165.249
!
aaa authentication-server radius "TEAM-pki-is01"
   host 159.234.16.19
   key 6d98636e1d0043aaaad034a622e115c508fe1eb6b2cff02f6bfcb7994e3835968c507ba451643d9f
   nas-ip 159.234.165.249
!
aaa authentication-server radius "US1NTMGT05"
   host 159.234.2.15
   key 6200335717074798528868ce6cc0ed9fb04ecce6ce651ff03933e84053734bce
   nas-ip 159.234.165.249
!
aaa server-group "Associate-RADIUS"
   allow-fail-through
 auth-server IND1RADIUS
 auth-server US1NTMGT05
!
aaa server-group "default"
 auth-server Internal
 set role condition role value-of
!
aaa server-group "GastZugang"
 auth-server Internal
!
aaa profile "Associate-AAA-profile"
   authentication-dot1x "Associate-1X-profile"
   dot1x-default-role "Associate"
   dot1x-server-group "Associate-RADIUS"
!
aaa profile "default"
!
aaa profile "GastZugang-aaa_prof"
   initial-role "GastZugang-guest-logon"
!
aaa authentication captive-portal "default"
!
aaa authentication captive-portal "GastZugang-cp_prof"
   server-group "GastZugang"
   redirect-pause 1
!
aaa authentication wispr "default"
!
aaa authentication vpn
!
aaa authentication mgmt
!
aaa authentication stateful-ntlm "default"
!
aaa authentication stateful-kerberos "default"
!
aaa authentication stateful-dot1x
!
aaa authentication wired
!
web-server
   switch-cert "ger1wlanmgt"
!
papi-security
!
guest-access-email
!
aaa password-policy mgmt
!
ap system-profile "default"
!
ap regulatory-domain-profile "default"
   country-code DE
   valid-11g-channel 1
   valid-11g-channel 6
   valid-11g-channel 11
   valid-11a-channel 36
   valid-11a-channel 40
   valid-11a-channel 44
   valid-11a-channel 48
   valid-11a-channel 52
   valid-11a-channel 56
   valid-11a-channel 60
   valid-11a-channel 64
   valid-11a-channel 100
   valid-11a-channel 104
   valid-11a-channel 108
   valid-11a-channel 112
   valid-11a-channel 116
   valid-11a-channel 120
   valid-11a-channel 124
   valid-11a-channel 128
   valid-11a-channel 132
   valid-11a-channel 136
   valid-11a-channel 140
   valid-11g-40mhz-channel-pair 1+
   valid-11g-40mhz-channel-pair 5-
   valid-11g-40mhz-channel-pair 7+
   valid-11g-40mhz-channel-pair 11-
   valid-11a-40mhz-channel-pair 36+
   valid-11a-40mhz-channel-pair 40-
   valid-11a-40mhz-channel-pair 44+
   valid-11a-40mhz-channel-pair 48-
   valid-11a-40mhz-channel-pair 52+
   valid-11a-40mhz-channel-pair 56-
   valid-11a-40mhz-channel-pair 60+
   valid-11a-40mhz-channel-pair 64-
   valid-11a-40mhz-channel-pair 100+
   valid-11a-40mhz-channel-pair 104-
   valid-11a-40mhz-channel-pair 108+
   valid-11a-40mhz-channel-pair 112-
   valid-11a-40mhz-channel-pair 116+
   valid-11a-40mhz-channel-pair 120-
   valid-11a-40mhz-channel-pair 124+
   valid-11a-40mhz-channel-pair 128-
   valid-11a-40mhz-channel-pair 132+
   valid-11a-40mhz-channel-pair 136-
!
ap wired-ap-profile "default"
!
ap enet-link-profile "default"
!
ap mesh-ht-ssid-profile "default"
!
ap mesh-cluster-profile "default"
!
ap mesh-radio-profile "default"
!
ids general-profile "default"
!
ids rate-thresholds-profile "default"
!
ids signature-profile "default"
!
ids impersonation-profile "default"
!
ids unauthorized-device-profile "default"
!
ids signature-matching-profile "default"
!
ids dos-profile "default"
!
ids profile "default"
!
rf arm-profile "default"
!
rf arm-profile "no_arm_enable_MeSh"
   assignment disable
!
rf optimization-profile "default"
!
rf event-thresholds-profile "default"
!
rf dot11a-radio-profile "default"
!
rf dot11g-radio-profile "default"
!
wlan dot11k-profile "default"
!
wlan voip-cac-profile "default"
!
wlan ht-ssid-profile "default"
!
wlan ht-ssid-profile "GastZugang-htssid_prof"
!
wlan edca-parameters-profile station "default"
!
wlan edca-parameters-profile ap "default"
!
wlan ssid-profile "Associate-SSID"
   essid "Eingeschraenkt"
   opmode wpa-tkip
!
wlan ssid-profile "default"
!
wlan ssid-profile "GastZugang-ssid_prof"
   essid "GastZugang"
   ht-ssid-profile "GastZugang-htssid_prof"
!
wlan virtual-ap "Associate-VAP"
   aaa-profile "Associate-AAA-profile"
   ssid-profile "Associate-SSID"
   vlan 5
!
wlan virtual-ap "default"
   no vap-enable
!
wlan virtual-ap "GastZugang-vap_prof"
   aaa-profile "GastZugang-aaa_prof"
   ssid-profile "GastZugang-ssid_prof"
   vlan 900
!
ap-group "default"
   virtual-ap "default"
!
ap-group "GER1-APGroup"
   virtual-ap "Associate-VAP"
   virtual-ap "GastZugang-vap_prof"
!

snmp-server enable trap

process monitor log
end